Entries For: December 2007
December 12, 2007
Friendly Breaches? Not with Oracle IRM and URM, except at Oracle
I do respect Oracle for being an early adopter of its own products internally, including a very large implementation of the latest Oracle E-Business Suite. Unfortunately, it appears that Oracle does not run all of its products everywhere.
Today, Billy Cripe of the Oracle Fusion Enterprise Content Management blog discussed Oracle's Information Rights Management (IRM, formerly SealedMedia) and Universal Records Management (URM) products. The IRM product is used to encrypt sensitive information everywhere, including desktops, e-mail, file servers, etc.
The ironic part is that today the Breach Blog posted information on a security breach at Oracle due to a lost laptop. A few weeks ago Oracle disclosed to the New Hampshire Attorney General that a lost Oracle laptop contained confidential information on 123 employees at the recently acquired Lodestar. Since the New Hampshire privacy statute requires notification when sensitive data is not encrypted, I have to assume the data was unencrypted on the laptop and Oracle IRM was not being used.
December 10, 2007
Hashing Credit Card Numbers: Revisited Again
I recently had to revisit the estimates I provided in our white paper on brute forcing credit card hashes, since new techniques were published that speed up brute forcing by at least a factor of five using off-the-shelf video cards. Well, a month later I am having to revise the estimates again. Nick Breese of New Zealand has published a paper at Kiwicon on using a PlayStation 3 to crack hashes. His estimates are about 1.4 billion hashes per second for MD5. Our proof of concept code, running at about 2 million hashes per second, seems kind of slow now. At least 2 billion hashes per second is probably feasible in the near future with readily available hardware and source code.
Storing credit cards using a simple single pass of a hash algorithm, even when salted, is foolhardy. It is just too easy to brute force the credit card numbers if the hashes are compromised: the salt is stored next to the hash, so it only forces per-record work, and the candidate space for a card number is tiny. Based on the potential value of the card numbers, there is more than enough financial incentive to buy a $500 PlayStation 3 and develop a little code.
When hashing credit card numbers, the scheme must be carefully designed to resist brute forcing by using the strongest available cryptographic hash functions, large salt values, and multiple iterations.
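To make the size of the problem concrete, here is an added example (not code from the white paper or from Breese's talk) that enumerates the candidate space for a 16-digit card number, cracks a salted single-pass MD5 of one, and then shows the cost multiplier from an iterated construction. It assumes a 16-digit PAN with a 6-digit issuer prefix and a trailing Luhn check digit, a receipt-style leak of the first six and last four digits, PBKDF2-HMAC-SHA-256 as the stand-in for "multiple iterations", and the 1.4 billion MD5/s figure quoted above as the attacker's hash rate; the test PAN and salts are constructed.

```python
import hashlib
import os


def luhn_weight(digit: int, pos_from_right: int) -> int:
    """Contribution of one digit to the Luhn sum: every second digit from the
    right is doubled, and a doubled value above 9 has 9 subtracted."""
    if pos_from_right % 2 == 0:
        return digit
    doubled = digit * 2
    return doubled - 9 if doubled > 9 else doubled


def luhn_valid(pan: str) -> bool:
    n = len(pan)
    return sum(luhn_weight(int(c), n - 1 - i) for i, c in enumerate(pan)) % 10 == 0


def complete_luhn(template: str) -> str:
    """Fill the single '?' in `template` with the one digit that makes the Luhn
    check pass. Exactly one digit works, because the Luhn weighting is a
    bijection on 0..9 at every position."""
    n = len(template)
    q = template.index("?")
    partial = sum(luhn_weight(int(c), n - 1 - i)
                  for i, c in enumerate(template) if c != "?")
    for d in range(10):
        if (partial + luhn_weight(d, n - 1 - q)) % 10 == 0:
            return template[:q] + str(d) + template[q + 1:]
    raise ValueError("unreachable: Luhn always has exactly one solution")


def candidate_pans(bin6: str, last4: str):
    """Every Luhn-valid 16-digit PAN with the given issuer prefix and last four
    digits. Six digits are unknown, but one of them is fixed by the check
    digit, so the space is only 10**5 candidates."""
    for middle in range(10 ** 5):
        yield complete_luhn(f"{bin6}{middle:05d}?{last4}")


def single_pass_hash(pan: str, salt: bytes) -> bytes:
    """The scheme the post warns against: one MD5 over salt || PAN."""
    return hashlib.md5(salt + pan.encode()).digest()


def crack_single_pass(target: bytes, salt: bytes, bin6: str, last4: str):
    """Recover the PAN behind a salted single-pass MD5. The salt sits next to
    the hash in the stolen table, so the attacker has it; it forces per-record
    work but does nothing to shrink the candidate space."""
    for pan in candidate_pans(bin6, last4):
        if single_pass_hash(pan, salt) == target:
            return pan
    return None


def iterated_hash(pan: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted and iterated: PBKDF2-HMAC-SHA-256 (assumed stand-in for the
    post's 'multiple iterations'). Each guess now costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, iterations)


def seconds_per_record(candidates: int, hashes_per_second: float,
                       iterations: int = 1) -> float:
    """Wall-clock time to exhaust `candidates` guesses against one stored hash."""
    return candidates * iterations / hashes_per_second


PS3_MD5_RATE = 1.4e9   # Breese's PlayStation 3 figure quoted in the post
FULL_SPACE = 10 ** 9   # only the 6-digit BIN known: 9 free digits, check digit fixed


if __name__ == "__main__":
    salt = os.urandom(16)
    pan = "4111111111111111"   # constructed, Luhn-valid test PAN
    stolen = single_pass_hash(pan, salt)
    print("recovered:", crack_single_pass(stolen, salt, pan[:6], pan[-4:]))
    print("single MD5, receipt leaks first 6 / last 4: %.1e s per record"
          % seconds_per_record(10 ** 5, PS3_MD5_RATE))
    print("single MD5, only BIN known:               %.2f s per record"
          % seconds_per_record(FULL_SPACE, PS3_MD5_RATE))
    # Using the MD5 rate for PBKDF2 guesses is generous to the attacker; the
    # point is the multiplier, not the absolute number.
    print("PBKDF2 x200000, only BIN known:           %.0f hours per record"
          % (seconds_per_record(FULL_SPACE, PS3_MD5_RATE, 200_000) / 3600))
    assert iterated_hash(pan, salt) != iterated_hash(pan, os.urandom(16))
```

Two things the numbers make plain. First, with the first six and last four digits printed on every receipt, a salted single-pass hash protects a card number for well under a millisecond at the quoted rate; even with only the BIN known, the whole space is under a second. Second, iterations buy a linear multiplier (roughly 40 hours per record at 200,000 iterations in this model), which is worthwhile but still bounded by a search space of about a billion values, so where the hash must stay confidential a keyed construction (an HMAC whose key is not stored beside the hashes) or tokenization is the stronger design.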