Dan Kaminsky posted on twitter the following: http://eprint.iacr.org/2010/006.pdf Is it time to deprecate 1024bit RSA for, say, 1276bit? (2048 has perf issues.) The link Dan provided is a research paper which reports the successful factorization of the 768-bit number from the original 2001 RSA challenge. I responded to him that NIST had already deprecated the use of 1024-bit RSA in the government, and it was time for industry to follow suit. Since I posted that, I’ve been surprised that a number of people don’t understand the upcoming changes in key lengths and algorithm strengths that have been mandated by NIST. So, this post offers some information about why I can confidently say the U.S. government has deprecated certain algorithms and[…]
Category: regulations
As a recent slashdot article points out, Amazon has honestly admitted that it is impossible to attain PCI Level 1 compliance on an application built on their EC2 (computing) and S3 (storage) services. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. We wrote a short whitepaper covering a brief security overview of cloud computing, and this is one of the[…]
On Wednesday, while the virtualization and cloud computing topics were continuing to see a lot of coverage, I began to focus my attendance in some different areas. The first Wednesday keynote included a brief discussion of the 60-day cybersecurity review by Melissa Hathaway, Acting Senior Director for Cyberspace for the Obama administration. While she did not tip her hand regarding what would be in the final report, she spent a lot of time discussing the importance of the report and the work which will come out of it. You can read her speech by following the word document link on this article in The Atlantic. Also on Wednesday was a panel discussion on the increasing prominence of legal and audit[…]
In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines influencing the behavior of online businesses when it comes to the subject of policies and regulations dealing with human rights. It was to be a kind of unofficial voluntary code of conduct initiative thing. According to this letter(pdf) from Yahoo to Senators Durbin and Coburn: Principles on Freedom of Expression and Privacy […] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency Along with[…]
We’re constantly looking over, analysing, and adhering to narrowly defined security standards in the IS field. These standards are focused on large companies, yet what is there for the little guy? Websites slap on labels like “Hacker Safe”, which we don’t trust and there are countless blogs vulnerable to a number of security holes, gaps, and simple poor configuration. What we need is an open-source set of general security recommendations and guidelines for a host of applications – encryption, blogs, and even social networks. The formula for these guidelines to work, be useful, and adopted are, Keep Them General – Don’t include specific instructions on how to configure a setting. Have Input From Independent Security Experts – The people that[…]
Cisco unveiled a blueprint to address Payment Card Industry data security for the healthcare industry. The blueprint is intended to provide healthcare organizations with a model for safeguarding patient financial transaction data and other personally identifiable information that is captured and processed within a healthcare facility or retail pharmacies. Called PCI for Healthcare Solution, it offers design and implementation guidelines to protect credit card, patient demographic and employee information. Stats collected by Cisco are showing that external data security related attacks on the healthcare industry have increased 85% between January 2007 and January 2008. One in four healthcare executives do not know where their sensitive data is located, the vendor says. Also, many organizations do not have a security framework[…]