Showing posts with label RSA.

Friday, July 1, 2011

SecurID and new pseudo security

Read:

Anyone can invent a new methodology or technology to provide protection and security. In SecurID's case, the root of the issue is the compromised servers, not the SecurID authentication itself. You can create a new authentication scheme or any other protection mechanism, but it still relies on a server; all it takes is for that server to be compromised yet again for the same issues to resurface.

What RSA and the inventors of SecurID should do is look into securing the backend first, since the main issue has always been insecure servers holding really important information in a highly insecure and careless way.

Ensure proper administration: enable C2 auditing and actually review the logs, encrypt the information held on every server, assign rights and roles deliberately, and separate domains so that a compromise of one small domain of secured data does not spread its impact across the rest. Finally, re-evaluate your servers and your staff's effectiveness regularly and conduct frequent penetration tests.

Encryption of data in backend databases should be arranged so that each encryption key is responsible for only a small group of data. Then, in the event of an attack, a compromised key does not compromise the other keys (provided the keys are securely de-linked and cannot be predicted from one another).

The master key for encryption should be assembled from the secret keys of more than two people (the bosses hold the secret keys). Imagine a nuclear launch silo where several keys must be turned together to launch a missile. This gives more security. The individual master-key components should be kept separate from one another, so that if one is compromised it does not affect the others and can be regenerated.
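One way to build the two ideas above (a key per small group of data, and a master key that only a quorum of people can reassemble) is a per-group key derived from a master key, with the master key split by Shamir's secret sharing. The following is an added example written for this page, not code from the original post or from RSA; the group labels, the three-of-five threshold and the function names are illustrative choices, and Shamir's scheme stands in for the "many keys turned together" mechanism the post describes. It needs Python 3.8 or newer for the modular inverse.

```python
"""Added example (not from the original post): a key hierarchy in which every
data group gets its own derived key, and the master key is split among several
officers so that any k of n of them can rebuild it while fewer than k learn
nothing about it. Labels, names and the threshold are illustrative."""
import hashlib
import hmac
import secrets

# Prime field for Shamir's scheme: the Mersenne prime 2^521 - 1 holds a
# 256-bit master key as a single field element with room to spare.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x over GF(PRIME)."""
    result = 0
    for coeff in reversed(coeffs):          # Horner's rule
        result = (result * x + coeff) % PRIME
    return result


def split_secret(secret: int, threshold: int, shares: int):
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1; any `threshold` points recover it. Because the polynomial is
    fresh each time, re-splitting (to regenerate shares after one is lost or
    exposed) yields shares that do not mix with the old ones."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over GF(PRIME). With fewer than
    `threshold` points the result is a field element unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def derive_group_key(master_key: bytes, group_label: str) -> bytes:
    """One data-encryption key per group, derived with HMAC-SHA256. A leaked
    group key reveals neither the master key nor any sibling group's key, since
    HMAC is one-way in the key and the labels are domain-separated."""
    return hmac.new(master_key, b"dek:" + group_label.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    # Three of five officers must combine their shares to rebuild the master key.
    officer_shares = split_secret(int.from_bytes(master, "big"), threshold=3, shares=5)
    quorum = [officer_shares[0], officer_shares[2], officer_shares[4]]
    rebuilt = recover_secret(quorum).to_bytes(32, "big")
    print("quorum rebuilt master key:", rebuilt == master)
    for label in ("payroll", "customer-pii", "token-seeds"):
        print(label, derive_group_key(rebuilt, label).hex()[:16], "...")
```

The master key itself never needs to sit on the database server: it is rebuilt only at the moment a group key must be derived, and the per-group keys are what the application actually uses, so the blast radius of a leaked group key is that group alone.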

Last but not least, make sure roles and administrative privileges are properly administered so that power is not consolidated in one person's hands.

Tuesday, June 28, 2011

LulzSec Goodness

Read:

I agree that LulzSec's attacks shouldn't be viewed in a one-sided manner. They have the good point of exposing many of the "supposedly secure and unbreakable" notions we hold. It's a good and much appreciated wake-up call that LulzSec has given. Only fools would simply deny it and be afraid of the truth.

Saturday, June 11, 2011

RSA Shot In The Head

Read: 

It seems that RSA's SecurID and systems are compromised and no longer trusted. A better, more resistant system needs to be in place to handle such situations. It took RSA a long time to acknowledge their mistakes.

Thursday, January 13, 2011

You are not safe at US Customs

Read:
What it shows is that you should NEVER EVER bring electronic gadgets to the US. The agents will be paranoid and all over you. You are better off properly setting up a SECURE SSH server and then using whatever computers and internet access are available to SSH into your server and work there. Bear in mind that a borrowed or public machine can itself be logging your keystrokes and session, so treat anything typed into it as exposed.
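"Properly setting up a SECURE SSH server" comes down to a handful of sshd_config directives: no root login, no password or keyboard-interactive authentication (keys only), no X11 forwarding, and a low retry limit. The following is an added example, not code from the original post: a small audit that reads the global section of an sshd_config and reports every directive that deviates from that baseline. The two sample configurations are constructed for the example, and the expected values are ordinary hardening guidance rather than anything the post prescribes.

```python
"""Added example (not from the original post): audit an sshd_config against a
key-only, no-root baseline. Sample configs below are constructed for the
example; EXPECTED holds common hardening values, adjust to taste."""

# Directive -> value a hardened server should carry.
EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sample: the kind of config a distro ships by default.
SAMPLE_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate does not help: sshd keeps the first value it sees
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding yes
"""

# Constructed sample: the hardened version.
SAMPLE_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
AllowUsers jacob
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective value of each global directive (keys lowercased,
    since sshd matches directives case-insensitively). sshd uses the first
    occurrence of a directive, so later duplicates are ignored here too.
    Parsing stops at the first Match block because everything after it is
    conditional on the connecting user or host."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit(text: str) -> list:
    """List (directive, found, expected) for every deviation from EXPECTED.
    A directive absent from the file is reported as 'unset' so the reader
    knows the server is running on its compiled-in default for it."""
    effective = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        found = effective.get(key.lower(), "unset")
        if found.lower() != wanted:
            findings.append((key, found, wanted))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; anything it reports as `unset` is worth pinning explicitly, because compiled-in defaults differ between OpenSSH versions and distributions.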

Obviously the agents weren't happy when they found nothing. They were expecting a huge trove of juicy items, some exciting challenges like an AES-256 encrypted volume with an RSA-4096 key and all the good jazz (especially for the computer forensics guy who loves nerdy challenges), so that they could do rubber-hose cryptanalysis on Jacob to extract the decryption keys.

They couldn't even extract the Bill of Rights from the portable device Jacob was carrying.

The best case is to avoid travelling to the US for a holiday altogether, and if there are business contracts, it's better to use conference calls than to travel there and go through all the hassle, if at all possible.