An Encryption Horror Story

    By Dan Burger, August 23, 2010

    The auditors are knocking at the door. You knew this day would come. Preparations were in place. When the PCI audit team looked for cross-platform data security measures, your bases were covered. The point of sale (POS) software was taking care of everything for you. But then, just a few days ago, it was discovered that credit card information encrypted on Microsoft SQL Server could not be decrypted on the IBM i platform running on Power Systems hardware.

    “This year we’ve had five or six incidents where this has happened,” says Patrick Townsend, chairman of the board and chief technology officer of the security software company that bears his name, Patrick Townsend Security Solutions. “It pretty much follows a common path.”

    Walking this path can make the hair on the back of your neck stand up on end. It can make your blood run cold. Those auditors can make it seem like you’re in a bad horror flick called Night of the Living Dead–the Auditors’ Revenge.

    On the path Townsend describes, a company runs an IBM i platform alongside Windows servers that are part of the credit card authorization network. Data flows through that network: point-of-sale terminals capture transaction logs, which are converted to flat files and moved to the credit card authorization system. Eventually the data arrives at the business computer, Power Systems hardware running the i operating system.

    Data that is unencrypted during this stage is vulnerable. PCI DSS requires that cardholder data be protected, and companies are expected to comply by encrypting it.

    In this horror story, the vendor acquired application source code to add standard AES encryption to its Windows-based POS software. It tested fine in the Windows environment for both encryption and decryption.

    However, the challenge comes when moving data cross-platform, Townsend warns. It could be a Windows-to-i move or to any other non-Windows platform. It could be from the DB2 for i database to Oracle databases or any other mix of platforms and systems software.

    When encrypted information can’t be decrypted, you’ve got a problem.

    So Townsend gets the call from a company struggling to get this encrypted data onto the IBM i platform and decrypt it.

    PTSS (Patrick Townsend Security Solutions) examined the code by running it through the test environment it uses to get its own encryption code validated by NIST, the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. A bench like that is built around NIST’s published known-answer test vectors: a fixed key and plaintext must produce exactly the published ciphertext, and an implementation that cannot reproduce those answers is not AES, whatever its documentation says.

    “We found it wouldn’t run properly. Every test we ran showed errors,” Townsend told IT Jungle in a telephone interview last week. That led to a closer examination of the source code where PTSS found the problem.

    “A couple of things jumped out,” Townsend says. “This code was written with non-standard block sizes for the encryption. The person who wrote it and the people who implemented it didn’t understand there could be variations in the standard. As long as they stayed within their sandbox on the Windows platform, they could encrypt and decrypt using the non-standard algorithm.”

    In other words, within its own sandbox it looked and performed like good code. The catch is that AES as standardized in FIPS 197 fixes the block size at 128 bits, while the Rijndael cipher it was selected from also defines 192- and 256-bit blocks, and some Windows crypto libraries expose those variants under the Rijndael name (the .NET RijndaelManaged class, which accepts a 256-bit block size, is a well-known example, whether or not it is what this vendor used). Code built on such a variant encrypts and decrypts perfectly against itself, fails the published AES test vectors, and produces output that nothing implementing only FIPS 197 AES, on IBM i or anywhere else, can decrypt.
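The trap described above, as an added worked example that is not the vendor's code or PTSS's test bench: a textbook Rijndael in Python with a selectable block size. With a 128-bit block (`nb=4`) it is AES and reproduces the FIPS 197 Appendix C known-answer vectors, the kind of check a validation bench runs first; with the 256-bit block that only Rijndael defines (`nb=8`) every round trip on the sending platform still succeeds, the known-answer test fails, and a receiver that has only standard AES cannot recover the data. The key, the 32-byte sample record and the function names are constructed for this example.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """FIPS 197 S-box: multiplicative inverse (a^254) followed by the affine map."""
    sbox = [0x63] * 256                     # 0 has no inverse; the affine map sends it to 0x63
    for a in range(1, 256):
        inv = 1
        for _ in range(254):
            inv = gmul(inv, a)
        sbox[a] = inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# ShiftRows offsets per row, keyed by block size in 32-bit columns (nb). 128- and 192-bit
# blocks match AES; the 256-bit block and its (0, 1, 3, 4) offsets exist only in Rijndael.
SHIFTS = {4: (0, 1, 2, 3), 6: (0, 1, 2, 3), 8: (0, 1, 3, 4)}

def expand_key(key, nb):
    """FIPS 197 key schedule generalised to nb columns; returns nr + 1 round keys."""
    nk, rcon = len(key) // 4, 1
    nr = max(nb, nk) + 6                    # 10/12/14 rounds for AES; 14 for any 256-bit block
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, nb * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:                     # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:        # extra SubWord for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [w[r * nb:(r + 1) * nb] for r in range(nr + 1)]

def _shift_rows(s, nb, inverse=False):
    sign = -1 if inverse else 1
    return [[s[(c + sign * SHIFTS[nb][r]) % nb][r] for r in range(4)] for c in range(nb)]

def _mix_column(col, inverse=False):
    m = (14, 11, 13, 9) if inverse else (2, 3, 1, 1)   # first row of the (Inv)MixColumns matrix
    return [gmul(col[0], m[-i % 4]) ^ gmul(col[1], m[(1 - i) % 4])
            ^ gmul(col[2], m[(2 - i) % 4]) ^ gmul(col[3], m[(3 - i) % 4]) for i in range(4)]

def _add_round_key(s, rk):
    return [[s[c][r] ^ rk[c][r] for r in range(4)] for c in range(len(s))]

def rijndael_encrypt_block(key, block, nb=4):
    """Encrypt one 4*nb-byte block. nb=4 is AES as standardised; nb=6 and nb=8 are Rijndael-only."""
    assert len(block) == 4 * nb and len(key) in (16, 24, 32)
    rks = expand_key(key, nb)
    s = _add_round_key([list(block[4 * c:4 * c + 4]) for c in range(nb)], rks[0])
    for rnd in range(1, len(rks)):
        s = _shift_rows([[SBOX[b] for b in col] for col in s], nb)
        if rnd < len(rks) - 1:              # no MixColumns in the final round
            s = [_mix_column(col) for col in s]
        s = _add_round_key(s, rks[rnd])
    return bytes(b for col in s for b in col)

def rijndael_decrypt_block(key, block, nb=4):
    """Inverse cipher for the same nb; a receiver that only has nb=4 cannot undo an nb=8 block."""
    rks = expand_key(key, nb)
    s = _add_round_key([list(block[4 * c:4 * c + 4]) for c in range(nb)], rks[-1])
    for rnd in range(len(rks) - 2, -1, -1):
        s = [[INV_SBOX[b] for b in col] for col in _shift_rows(s, nb, inverse=True)]
        s = _add_round_key(s, rks[rnd])
        if rnd > 0:
            s = [_mix_column(col, inverse=True) for col in s]
    return bytes(b for col in s for b in col)

# FIPS 197 Appendix C known-answer vectors: one plaintext under the AES-128/192/256 keys 00..0f/17/1f.
KAT_PLAINTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS197_KAT = {
    bytes(range(16)): "69c4e0d86a7b0430d8cdb78070b4c55a",
    bytes(range(24)): "dda97ca4864cdfe06eaf70a0ec0d7191",
    bytes(range(32)): "8ea2b7ca516745bfeafc49904b496089",
}

def passes_fips197_kat(encrypt_block):
    """The first question a validation bench asks of encrypt_block(key, pt): the published answers?"""
    return all(encrypt_block(k, KAT_PLAINTEXT).hex() == ct for k, ct in FIPS197_KAT.items())

def cross_platform_recover(key, data):
    """Sender encrypts 32 bytes as one Rijndael-256 block; a receiver with only standard AES treats
    it as two AES blocks. Returns what that receiver sees (constructed inputs; not the record)."""
    sent = rijndael_encrypt_block(key, data, nb=8)
    return b"".join(rijndael_decrypt_block(key, sent[i:i + 16]) for i in (0, 16))
```

The S-box is generated at import, so the first call takes a fraction of a second. `passes_fips197_kat(lambda k, p: rijndael_encrypt_block(k, p, 4))` is True; wrapping the same function with `nb=8` and zero-padding the 16-byte vector to 32 bytes (what a 256-bit-block library has to do) gives False. `rijndael_decrypt_block(key, ct, 8)` round-trips on the sending platform, while `cross_platform_recover` hands the receiver 32 bytes of garbage. This exercises only the block primitive; the mode of operation, IV handling and padding are a second layer where the same silent mismatch between platforms is just as common, and the same discipline applies: published test vectors first, then a real decrypt on the target platform before anything goes to production.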

    “This points out that when some component in the encryption strategy is not built to standards, you may not have what you think you have,” Townsend says. “In this case they thought they had cross-platform capability, but they didn’t. This becomes the sand in the gears that grind projects to a halt. And, it costs a lot of money because it takes extra time to solve problems. Compliance deadlines add pressure, because there is the threat of becoming out of compliance. It becomes a snarly mess sorting out the issues.”

    Out-of-the-box software that is incompatible with existing standards is not unusual, at least where encryption is concerned, Townsend says. Nor is moving unencrypted data on an internal network. But things are changing in that regard.

    “Auditors are now asking more specific questions,” Townsend says. “They are fairly well educated on this [protecting unencrypted data on internal networks] and would not miss looking for it during an audit. As recently as three years ago, auditors missed this kind of issue.”

    Beware of the encryption curse. It will make the fleas of a thousand camels curse seem mild by comparison.

    The Four Hundred, Volume 19, Number 30 -- August 23, 2010
