Wednesday, 1 April 2015

How To Break Unbreakable AES Encryption


Posted by Alf Norris (Conseal USB Lead Developer), 14 Feb 2011
The power of 256-bit AES encryption is awesome. To explain just how powerful it is takes numbers far larger than can really make sense to our brains... but it's worth a try.
The "256-bit" part of the name means that the key which provides access to the protected content is 256 bits in length - that is, it is one of 2^256 possible combinations.
So imagine you have a file encrypted using 256-bit AES, and that you can sit just trying combinations to crack it open.
Let's pick a crazy-high number: say you can try a million million million combinations every millisecond. At that rate, it would take about 3 million million million million million million million million years to try every combination. That's older than your grandma; even older than Bruce Forsyth.
It's more combinations than there are atoms on the whole planet. About 70,000,000,000,000,000,000,000,000 times more to be precise.
For it to take "only" as long as the age of the universe to crack, you'd need to type in about 2.8 x 10^59 combinations per second - that's 280,000 with 9 "millions" after it.
That's why AES is considered, for now, an unbeatable encryption. The NSA have approved it to protect information classified as "top secret" - and that is genuinely the top endorsement possible.
...To which the obvious response is: Unbeatable! Well that sounds like a challenge!
How can it be beaten? As we've seen, trying to get the encryption key by brute force is not clever. But can we get hold of it some other way? Surprisingly, this might not be so difficult.
Take a normal encrypted disk: you provide a password and the disk unlocks. Inside, this works in one of two ways:
  1. The encryption key is based on the password itself. So for example it could be the SHA-256 hash of the password, or any other way of mashing it around to generate a 256-bit number.
  2. The password you enter is used to release the encryption key. Note (and this is important) that this means the encryption key is stored on the disk.
    Releasing the encryption key almost always works by the password itself being an encryption key which secures the actual key we're interested in.
In both of the above two cases, the password is the weak link. It no longer matters that we're using super-strength 256-bit AES encryption: just figure out the password and you've got the data.
In other words, we've reduced the complexity of the task from "decrypt 256-bit AES" to "crack a password".
As Tom has demonstrated previously, cracking a password is not always difficult, so long as you have the hash to compare it against (or you can do some processing to tell you whether it's the right password or not). Figuring out what that processing is lies outside the scope of this post, but it need not be too complex.
So here's how to break unbreakable 256-bit encryption, on an encrypted disk:
  1. Get the hash of the password used to lock the disk (or figure out what processing you need to do)
  2. Run a dictionary attack against the hash to see if it's a known one.
  3. If not, try combinations one-by-one in an intelligent order, as the entropy of human-chosen passwords is low
  4. Use the password to get the encryption key
  5. Decrypt the disk's contents
...and that's it!
Don't actually do this of course, it's illegal.
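The two key-handling designs described above, together with the usual mitigation for the weak link the post identifies, as an added example (not code from the original post or from Conseal USB): design 1 with a bare SHA-256, the same design with a salted, iterated PBKDF2, and design 2 with a wrapped random disk key. The iteration count, the XOR mask standing in for AES key wrap, the sample password and all function names are assumptions of this example.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this example; tune to your hardware

def fast_key(password: str) -> bytes:
    """Design 1 as the post describes it: one unsalted SHA-256 per guess."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def stretched_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hardened design 1: the salt defeats precomputed tables, the
    iteration count multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate keys for masking the disk key and for the password check value.
    return hmac.new(master, label, hashlib.sha256).digest()

def wrap_disk_key(password: str, disk_key: bytes) -> dict:
    """Design 2: a random 32-byte disk key is stored on disk, protected by a
    password-derived key. XOR with a one-time mask stands in for AES key wrap."""
    salt = os.urandom(16)
    master = stretched_key(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, _subkey(master, b"mask")))
    tag = hmac.new(_subkey(master, b"check"), wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_disk_key(password: str, header: dict) -> Optional[bytes]:
    """Return the disk key, or None when the password is wrong."""
    master = stretched_key(password, header["salt"])
    tag = hmac.new(_subkey(master, b"check"), header["wrapped"],
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], _subkey(master, b"mask")))

def effective_bits(alphabet: int, length: int, iterations: int = 1) -> float:
    """Upper bound on the work to search the password space, in bits,
    assuming uniformly random characters (human-chosen passwords score lower).
    Never more than the 256-bit key space itself."""
    return min(256.0, length * math.log2(alphabet) + math.log2(iterations))

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    header = wrap_disk_key(pw, os.urandom(32))
    print("wrong password rejected:", unwrap_disk_key("wrong", header) is None)
    print("8 lowercase letters, bare SHA-256: %.1f bits" % effective_bits(26, 8))
    print("same password, stretched: %.1f bits" % effective_bits(26, 8, ITERATIONS))
```

Stretching adds only log2(iterations) bits of work per password, so it raises the cost of each guess but does not rescue a password drawn from a small space.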

Thursday, 12 March 2015

Aggressive Growth in Cloud Security Software Market Forecast Globally to 2019


DALLAS, February 21, 2015 /PRNewswire/ --
ReportsnReports.com adds Global Cloud Security Software Market 2015-2019 research report of 79 pages to its collection of cloud sector data under Information Technology industry intelligence in its research and data library.
The Global Cloud Security Software market is forecast to grow at 48.46% CAGR over the period 2014-2019 based on the fact that cloud security software eliminates connection-related expenditures because it is offered with a wide variety of connection options. Traditional on-site security software has a high total cost of ownership, as it includes high upfront software license and software implementation costs, coupled with high maintenance costs. Cloud security software circumvents these expenses, since cloud vendors are responsible for the implementation, maintenance, updates, and backup of software, thereby reducing the need for internal IT administration. Complete research is available at http://www.reportsnreports.com/reports/344484-global-cloud-security-software-market-2015-2019.html .
This report covers the present scenario and the growth prospects of the Global Cloud Security Software market for the period 2015-2019. To calculate the market size, the report considers revenue generated from the sales of cloud security software solutions. The report consolidates the revenues generated from geographical areas of Americas, APAC and EMEA. This research draws attention towards growing partnerships between cloud service providers (CSPs) and security solution providers. As the market matures, cloud security has become an integral part of cloud services, thereby requiring CSPs to provide cloud security along with their regular cloud services.
Cloud security is projected to become a major buying criterion for customers over the forecast period, which will lead to an increase in the number of partnerships among CSPs and security solution providers. The Global Cloud Security Software Market 2015-2019 report has been prepared based on an in-depth market analysis with inputs from industry experts. The report covers the Americas, and the APAC and EMEA regions; it also covers the Global Cloud Security Software market landscape and its growth prospects over the coming years. The report includes a discussion of the key vendors operating in this market.
Companies mentioned in this research include CA Technologies, McAfee, Symantec, Trend Micro, CipherCloud, CloudLock, CloudPassage, Commtouch Software, CREDANT Technologies, CYREN, HyTrust, IBM, Okta, Panda Security, SafeNet, Skyhigh Networks, ThreatMetrix and Zscaler. Order a copy of this report at http://www.reportsnreports.com/Purchase.aspx?name=344484 .
Cloud security software offers security to cloud-based services or cloud computing architectures. Cloud security software can be a standalone solution or a suite of products. It focuses on key parameters such as data protection, compliance, architecture, governance, as well as identity and access. A typical cloud security solution offers features such as encryption, IAM, endpoint monitoring, vulnerability scanning, intrusion detection, and application and messaging security. Cloud security software helps in protecting the cloud content from unauthorized access and theft of data.
Another research report, Cloud Security Market - Global Advancements, Forecasts & Analysis (2014-2019), says security applications delivered as cloud-based services provide a promising platform to manage threat and security concerns. Cloud-based services are gaining popularity because of the unique benefits they provide to users, such as agility, scalability, reduction in costs, business continuity, and flexibility of work practices. The majority of growth is anticipated in the regions of APAC and EU. In the EU, countries such as Germany and Norway are expected to grow at a faster rate as compared to other countries, due to increasing deployment of cloud in both SMBs and enterprises and strict government regulations on Cloud Service Providers (CSPs).
It is predicted that the future growth of this market will be based on increasing adoption of cloud computing by the small and medium size enterprises and proliferation of mobile devices, and Security as a Service (SaaS) applications in business. The top three cloud security services that will contribute as the major market in cloud security services market are cloud IAM, email security and web security (WAF). The cloud security market is expected to grow from $4.20 billion in 2014 to $8.71 billion in 2019 with a CAGR of 15.7% during the forecast period 2014-2019.
The cloud security market is a diversified and competitive market, with a large number of players. The cloud security market is dominated by various players, depending on their core competencies. The key players in this market are CA Technologies (New York), Symantec (California), Fortinet (California), Symplified (Colorado), IBM (New York), Trend Micro (Japan), Zscaler (California), Panda Security (Spain), Sophos (UK), and McAfee (California).

Cloud security software set for boom time


Market to grow at over 48 per cent annually over coming five years, according to analyst

By Doug Woodburn
23 Feb 2015
The cloud security software market will balloon by nearly 50 per cent annually as more end-users move to sidestep the high total cost of ownership (TCO) associated with traditional on-site security software.
That's according to research house ReportsnReports.com, which predicts a compound annual growth rate of 48.46 per cent for the global cloud security software market between 2014 and 2019.
Growth will be driven by cloud security software's ability to slash TCO, the analyst said.
"Traditional on-site security software has a high total cost of ownership, as it includes high upfront software license and software implementation costs, coupled with high maintenance costs," ReportsnReports said.
"Cloud security software circumvents these expenses, since cloud vendors are responsible for the implementation, maintenance, updates, and backup of software, thereby reducing the need for internal IT administration."
Vendors included in the research include CA Technologies, McAfee, Symantec, Trend Micro, CipherCloud, CloudLock, CloudPassage, Commtouch Software, CREDANT Technologies, CYREN, HyTrust, IBM, Okta, Panda Security, SafeNet, Skyhigh Networks, ThreatMetrix and Zscaler.
The report follows on from recent research from the same company predicting that the cloud security services market will grow from $4.2bn in 2014 to $8.71bn in 2019.
That represents a compound annual growth rate of 15.8 per cent, roughly double the rate at which other analysts such as Gartner reckon the overall IT security market is growing.

Cost of security


UK government called on to publish biometrics strategy by end of 2015


11 Mar 2015
The UK government has not explained how it intends to use biometrics as a means of enabling access to government services and what conclusions it has reached on the "associated ethical and legal implications" of doing so, according to a committee of MPs.
The Science and Technology Committee called on the government to publish a "comprehensive" strategy to help clarify the issue before the end of this year. It said the government had not fulfilled its commitment to publish such a strategy before the end of 2013.
"Over a year later, there is no strategy, no consensus on what it should include, and no expectation that it will be published in this parliament," the Committee said in a new report. "In its absence, there remains a worrying lack of clarity regarding if, and how, the government intends to employ biometrics for the purposes of verification and identification and whether it has considered any associated ethical and legal implications."
"The government should be developing a strategy that exploits emerging biometrics while also addressing public concerns about the security of personal data and the potential for its use and misuse, with particular reference to biometric data held by the state. We expect a comprehensive, cross-departmental forensics and biometrics strategy to be published by the government no later than December 2015," it said.
Last year the UK government issued guidelines that envisage the use of biometric data in helping to verify individuals' identity prior to authorising individuals' access to government services.
The Committee said that, because of this, it "unfortunately … appears that the prospect of biometric verification has been announced [by the government] without full consideration of how it might be implemented".
The Committee called on the government to detail "the steps taken to mitigate the risk of loss, or unauthorised release, of the biometric data that it holds" in its response to the report.
To preserve security and privacy, the government should conduct privacy impact assessments when undertaking projects involving, or formalising policies on, the collection, retention or processing of personal data, including biometric data, it recommended. Biometric systems deployed by the state must also not be closed to "human intervention".
The government should further keep "under review" whether existing legislation such as the Data Protection Act provides "adequate regulation in the face of developments in biometric technologies", the Committee said.
In its report the Committee also criticised failings which meant that facial recognition technology was deployed by the police without being properly tested. It said it is "imperative" that the biometric systems are "accurate and dependable" when they impact on individuals' privacy.
"Rigorous testing and evaluation must therefore be undertaken prior to, and after, deployment, and details of performance levels published," the Committee said.

Monday, 17 November 2014

What are your vital signs


Vital signs are used to measure the body’s basic functions.[1][2] These measurements are taken to help assess the general physical health of a person, give clues to possible diseases, and show progress toward recovery. The normal ranges for a person’s vital signs vary with age, weight, gender, and overall health.[3]
There are four primary vital signs: body temperature, blood pressure, pulse (heart rate), and breathing rate (respiratory rate). However, depending on the clinical setting these may include other measurements called the "fifth vital sign" or "sixth vital sign". Vital signs are recorded using the LOINC international standard coding system.[4][5]
Early warning scores have been proposed that combine the individual values of vital signs into a single score. This was done in recognition that deteriorating vital signs often precede cardiac arrest and/or admission to the intensive care unit. Used appropriately, a rapid response team can assess and treat a deteriorating patient and prevent adverse outcomes.[6][7][8]

Primary vital signs

There are four primary vital signs which are standard in most medical settings:
  1. Heart Rate or Pulse
  2. Blood pressure
  3. Respiratory rate
  4. Body temperature
The equipment needed is a thermometer, a sphygmomanometer, and a watch. Though a pulse can be taken by hand, a stethoscope may be required for a patient with a very weak pulse.

Temperature

Temperature recording gives an indication of core body temperature which is normally tightly controlled (thermoregulation) as it affects the rate of chemical reactions.
Temperature can be recorded in order to establish a baseline for the individual's normal body temperature for the site and measuring conditions. The main reason for checking body temperature is to solicit any signs of systemic infection or inflammation in the presence of a fever (temp > 38.5 °C/101.3 °F or sustained temp > 38 °C/100.4 °F), or elevated significantly above the individual's normal temperature. Other causes of elevated temperature include hyperthermia.
Temperature depression (hypothermia) also needs to be evaluated. It is also worth reviewing the trend of the patient's temperature. A fever of 38 °C is not necessarily an ominous sign if the patient's previous temperature has been higher. Body temperature is maintained through a balance of the heat produced by the body and the heat lost from the body.
Temperature is commonly considered to be a vital sign most notably in a hospital setting. EMTs (Emergency Medical Technicians), in particular, are taught to measure the vital signs of: respiration, pulse, skin, pupils, and blood pressure as "the 5 vital signs" in a non-hospital setting.[9]

Blood pressure

The blood pressure is recorded as two readings: a high systolic pressure, which occurs during the maximal contraction of the heart, and the lower diastolic or resting pressure. A normal blood pressure would be 120 being the systolic over 80, the diastolic. Usually the blood pressure is read from the left arm unless there is some damage to the arm. The difference between the systolic and diastolic pressure is called the pulse pressure. The measurement of these pressures is now usually done with an aneroid or electronic sphygmomanometer. The classic measurement device is a mercury sphygmomanometer, using a column of mercury measured off in millimeters. In the United States and UK, the common form is millimeters of mercury, whilst elsewhere SI units of pressure are used. There is no natural 'normal' value for blood pressure, but rather a range of values that on increasing are associated with increased risks. The guideline acceptable reading also takes into account other co-factors for disease. Therefore, elevated blood pressure (hypertension) is variously defined when the systolic number is persistently over 140–160 mmHg. Low blood pressure is hypotension. Blood pressures are also taken at other portions of the extremities. These pressures are called segmental blood pressures and are used to evaluate blockage or arterial occlusion in a limb (see Ankle brachial pressure index).

Pulse

The pulse is the physical expansion of the artery. Its rate is usually measured either at the wrist or the ankle and is recorded as beats per minute. The pulse commonly taken is from the radial artery at the wrist. Sometimes the pulse cannot be taken at the wrist and is taken at the elbow (brachial artery), at the neck against the carotid artery (carotid pulse), behind the knee (popliteal artery), or in the foot dorsalis pedis or posterior tibial arteries. The pulse rate can also be measured by listening directly to the heartbeat using a stethoscope. The pulse varies with age. A newborn or infant can have a heart rate of about 130–150 beats per minute. A toddler's heart will beat about 100–120 times per minute, an older child's heartbeat is around 60–100 beats per minute, adolescents around 80–100 beats per minute, and adults' pulse rate is anywhere between 50 and 80 beats per minute.

Respiratory rate

The respiratory rate varies with age, but the normal reference range for an adult is 16–20 breaths/minute (RCP 2012). The value of respiratory rate as an indicator of potential respiratory dysfunction has been investigated but findings suggest it is of limited value. Respiratory rate is a clear indicator of acidotic states, as the main function of respiration is removal of CO2 leaving bicarbonate base in circulation.

Additional signs

In the U.S., in addition to the above four, it is required to record the patient's height, weight, and body mass index.[10]

Fifth vital signs

The "fifth vital sign" may refer to a few different parameters.
  • Pain is considered a standard fifth vital sign in some organizations such as the U.S. Veterans Affairs.[11] Pain is measured on a pain scale based on subjective patient reporting and may be unreliable.[12] Some studies show that recording pain routinely may not change management.[13][14][15] Other "fifth vital signs" include:

Sixth vital signs

There is no standard "sixth vital sign"; its use is more informal and discipline-dependent than the above.