An Encryption Horror Story

    August 23, 2010 Dan Burger

    The auditors are knocking at the door. You knew this day would come. Preparations were in place. When the PCI audit team looked for cross-platform data security measures, your bases were covered. The point of sale (POS) software was taking care of everything for you. But then, just a few days ago, it was discovered that credit card information that was encrypted on Microsoft SQL Server could not be decrypted on the IBM Power Systems i.

    “This year we’ve had five or six incidents where this has happened,” says Patrick Townsend, chairman of the board and chief technology officer of the security software company that bears his name, Patrick Townsend Security Solutions. “It pretty much follows a common path.”

    Walking this path can make the hair on the back of your neck stand up on end. It can make your blood run cold. Those auditors can make it seem like you’re in a bad horror flick called Night of the Living Dead–the Auditors’ Revenge.

    On the path that Townsend describes, there’s a company with an IBM i platform along with Windows servers that are part of the credit card authorization network. Data is flowing through the credit card authorization network. Transaction logs are captured by point-of-sale terminals and converted to flat files that are moved to the credit card authorization system. Eventually this data comes to the business computer, Power Systems hardware running the i operating system.

    Data that is unencrypted during this stage is vulnerable. The PCI regulations have noted that, and companies are expected to comply by applying encryption.

    In this horror story, the vendor acquired application source code to add standard AES encryption to its Windows-based POS software. It tested fine in the Windows environment for both encryption and decryption.

    However, the challenge comes when moving data cross-platform, Townsend warns. It could be a Windows-to-i move or to any other non-Windows platform. It could be from the DB2 for i database to Oracle databases or any other mix of platforms and systems software.

    When encrypted information can’t be decrypted, you’ve got a problem.

    So Townsend gets the call from a company struggling to get this encrypted data onto the IBM i platform and decrypt it.

    PTSS examined the code by running it through a test environment used to NIST-certify the security company’s own code. NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce.

    “We found it wouldn’t run properly. Every test we ran showed errors,” Townsend told IT Jungle in a telephone interview last week. That led to a closer examination of the source code where PTSS found the problem.

    “A couple of things jumped out,” Townsend says. “This code was written with non-standard block sizes for the encryption. The person who wrote it and the people who implemented it didn’t understand there could be variations in the standard. As long as they stayed within their sandbox on the Windows platform, they could encrypt and decrypt using the non-standard algorithm.”

    In other words, it looked and performed like good code.

    “This points out that when some component in the encryption strategy is not built to standards, you may not have what you think you have,” Townsend says. “In this case they thought they had cross-platform capability, but they didn’t. This becomes the sand in the gears that grind projects to a halt. And, it costs a lot of money because it takes extra time to solve problems. Compliance deadlines add pressure, because there is the threat of becoming out of compliance. It becomes a snarly mess sorting out the issues.”
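    The code below is an added example; it is not from the article and not from Patrick Townsend Security Solutions. It shows the two checks a practitioner would run on a cipher component before trusting it across platforms: a FIPS-197 known-answer test (the published key, plaintext and ciphertext for AES-128, which any conforming implementation must reproduce), and an AES-CBC round trip with standard PKCS#7 padding beside a home-grown zero-padding variant that a standards-following decrypter rejects. AES fixes the block at 128 bits; Rijndael, the cipher AES was selected from, also allows 192- and 256-bit blocks, which is one way a “non-standard block size” can arise, and a component that fails the known-answer test is not AES whatever it is called. The key, IV and the well-known Visa test PAN are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// FIPS-197 Appendix C.1 known-answer vector for AES-128.
const (
	katKey = "000102030405060708090a0b0c0d0e0f"
	katPT  = "00112233445566778899aabbccddeeff"
	katCT  = "69c4e0d86a7b0430d8cdb78070b4c55a"
)

// KnownAnswerTest runs the FIPS-197 vector through the supplied single-block
// encrypt function and reports whether it produced the published ciphertext.
func KnownAnswerTest(encrypt func(key, block []byte) ([]byte, error)) (bool, error) {
	key, _ := hex.DecodeString(katKey)
	pt, _ := hex.DecodeString(katPT)
	want, _ := hex.DecodeString(katCT)
	got, err := encrypt(key, pt)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, want), nil
}

// StdAESBlock encrypts one 16-byte block with Go's standard-library AES.
func StdAESBlock(key, block []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(block) != c.BlockSize() {
		return nil, errors.New("AES block must be exactly 16 bytes")
	}
	out := make([]byte, len(block))
	c.Encrypt(out, block)
	return out, nil
}

// pkcs7Pad appends n bytes of value n (PKCS#7); it always adds at least one byte.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips PKCS#7 padding, rejecting anything malformed.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("length is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	for _, x := range b[len(b)-n:] {
		if int(x) != n {
			return nil, errors.New("invalid PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// zeroPad is a non-standard padding that works as long as the same code does
// both ends; a peer written to PKCS#7 cannot remove it (constructed for contrast).
func zeroPad(b []byte, size int) []byte {
	return append(append([]byte{}, b...), make([]byte, size-len(b)%size)...)
}

// EncryptCBC encrypts plaintext with AES-CBC using the supplied padding scheme.
// The caller supplies the IV; a real sender draws a fresh random IV per message.
func EncryptCBC(key, iv, plaintext []byte, pad func([]byte, int) []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != c.BlockSize() {
		return nil, errors.New("IV must be one block long")
	}
	padded := pad(plaintext, c.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(c, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// DecryptCBC is the receiving side written to the standard: AES-CBC with PKCS#7.
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != c.BlockSize() || len(ct) == 0 || len(ct)%c.BlockSize() != 0 {
		return nil, errors.New("IV or ciphertext length is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(c, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, c.BlockSize())
}

func main() {
	ok, err := KnownAnswerTest(StdAESBlock)
	fmt.Println("FIPS-197 known-answer test passed:", ok, err)

	// Constructed values: fixed key and IV for reproducibility, Visa test PAN.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	pan := []byte("4111111111111111")

	good, _ := EncryptCBC(key, iv, pan, pkcs7Pad)
	pt, err := DecryptCBC(key, iv, good)
	fmt.Printf("standard ciphertext decrypts to %q, err=%v\n", pt, err)

	bad, _ := EncryptCBC(key, iv, pan, zeroPad)
	_, err = DecryptCBC(key, iv, bad)
	fmt.Println("zero-padded ciphertext at a PKCS#7 peer:", err)
}
```

    The point of the pairing is that both senders produce ciphertext of the right length that their own decrypter accepts; only the known-answer test and the cross-implementation round trip expose the one that is not actually speaking the standard. Running the vendor's single-block encrypt function through `KnownAnswerTest` in place of `StdAESBlock` is the quickest way to tell whether a component is AES at all.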

    Out-of-the-box software that is incompatible with existing standards is not unusual, at least when it comes to encryption, Townsend says. Moving unencrypted data on an internal network is not unusual either. But things are changing in that regard.

    “Auditors are now asking more specific questions,” Townsend says. “They are fairly well educated on this [protecting unencrypted data on internal networks] and would not miss looking for it during an audit. As recent as three years ago, auditors missed this kind of issue.”

    Beware of the encryption curse. It will make the “fleas of a thousand camels” curse seem mild by comparison.

    RELATED STORIES

    Pat Townsend Claims Industry First with Tokenization Offering

    Pat Townsend Now Shipping Encryption Key Software

    Pat Townsend to Supply Encryption Technology to Quantum

    AES-256 Attacks Get More Sophisticated, But Security is Maintained

    The Four Hundred, Volume 19, Number 30 -- August 23, 2010
