
Encryption

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.


In Windows 2012 R2 with SQL 2014, I would like to set up traffic over 1433 to use IPsec. I have read multiple articles on the setup but need clarification on the following.

1) Are certificates on both servers required?
2) Is just setting the firewall rule to only accept connections over IPsec the only thing that is needed?
0

The application is using the ssl3 version of the SSL library on the server side for security purposes. How do I enable the SHA512 algorithm instead of SHA256 when encrypting data?

Should I set SHA512 via the SSL* APIs?
0
I would like some advice on security. I have recently purchased a Microsoft Surface Pro 6. Due to the nature of my work, I store a lot on it.

I use Google Drive to sync all documents and I am looking for the following solutions:

1) I am looking to find a solution to protect all of my data that is stored on the hard drive (synced with Google Drive), so if the laptop is stolen - the data is safe
2) I am looking for advice on how to protect log on - I am using Face ID - is that enough
3) I am looking for advice on recovery and tracing the laptop if it is stolen

Thanks

Angus
1
Suddenly, 1,000s of files have been encrypted on our network drive. DO WE PAY THE RANSOM?

Thousands of files in our ShareFile directory were encrypted between 12:01 PM and 12:59 PM yesterday. Of course in a matter of hours the encrypted files updated the good files on every laptop and employee's home machines that were running ShareFile.

The following string has been added to the name of every encrypted file:

.crypted_hoboblin@torquechat_com

Removing this string from the end of the filename does not help. Regardless of the type of file (.doc, .xls, .pdf, etc.), the file will not open. Depending on the program used to open it, it says the file is damaged.

One file in the root drive of the ShareFile directory, named how_to_back_files.html, does open and reads like this when opened (the wording is exact):

YOUR FILES ARE DECRYPTED!
Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm.
Without a secret key stored with us, the restoration of your files is impossible

----------------------------------------------------------
To start the recovery process:
Send an email to: hoboblin@torquechat.com with your personal ID in the message body.
In response, we will send you further instructions on decrypting your files.
---------------------------------------------------------
Your personal ID:
93 C7 AC 4B ... (This goes on for several lines!)

Do we contact them? Obviously, they are going to want money. Do we pay? Go to …
0
I am running the Mint 19 Tara OS on my laptop and I have an issue with my startup (boot) sequence.  Something is telling the system to encrypt my swap partition but I do not have a swap partition...  The "job" tries to run but it times out and fails.  It repeats itself numerous times during the boot sequence and wastes a lot of time during startup.

I need to identify what application is trying to run this job and why?  Then I need to figure out how to stop it from occurring.  I have no need for encryption on my computer at this point in time.  I am attaching a copy of the boot.log file so that the event in question can be viewed & identified.  It starts out with the line: "[* ] (1 of 2) A start job is running for dev-mapper-cryptswap1.device (8s / [** ] " and it appears that it is trying to encrypt two drives but I am not sure.

I'm attaching the boot.log file, any help with this would be appreciated.
Ken_bootlog.pdf
0
I got the error below when I installed php-mcrypt:
sudo apt-get install php-mcrypt

----
sudo apt-get install php-mcrypt
Reading package lists... Done
Building dependency tree      
Reading state information... Done
Package php-mcrypt is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'php-mcrypt' has no installation candidate
------

Background:
php -version
PHP 7.2.10-0ubuntu0.18.04.1 (cli) (built: Sep 13 2018 13:45:02) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.10-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies

in Oracle Virtualbox with Ubuntu. I saw someone installed it with
sudo apt-get install php7.0-mcrypt

However, no good for me.

Can any gurus shed some light on it? Greatly appreciated.
0
I am in the process of disabling medium ciphers in order to satisfy our PCI scan.

But I am running into a discrepancy between 2 different Win 2012 R2 servers, which is really weird.

Server 1
Before  - Grade B

Ciphers
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK       256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK       128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK       256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK       128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK       256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK       128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK       112
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE       128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE       128

After removing those I got grade A


Server 2
Before - Grade A even with weak ciphers


Ciphers
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK      256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK      128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK      256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK      256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK      128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK      128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK      112

After removing the same ciphers I got a Grade B complaining about this:
This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B

Sure enough, the scan on the 2 servers shows that Server 2 is missing these ciphers:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS       256
0
Hi guys

If someone asks, how do you encrypt data in transit, then how would one answer that? That question is quite vague, no? I mean, we have VPN connections from site to site. We also have an MPLS network. Along with that, we have an email system with SSL certificates installed for the OWA, but then I wonder whether that means Outlook data is not encrypted but only encrypted when using OWA?

Any help is appreciated
Thanks
Yash
0
hi guys,

If someone asks 'do you encrypt your data at rest'? on a Windows 2012 Fileserver, then how would you implement that? We also have Sophos AV  on all machines in case that helps?

Thanks for helping
Yash
0
Hi

We have a laptop and due to GDPR, I have to encrypt the laptop with VeraCrypt.
The staff had kept very valuable data on the hard disk desktop and didn't back it up...

The laptop was not booting properly, so I removed the hard disk and connected it to a hard disk caddy to see if I could recover the data. Unfortunately, although it detects the disk, if I open it, it says I need to format the disk before I use it.

If I click cancel it says "F:\ is not accessible. The volume doesn't contain a recognised file system. Please make sure that all the required file system drivers are loaded and that the volume is not corrupted."
I tried mounting the hard disk through the VeraCrypt software and also using the rescue disk, but it still doesn't work.

Please help, the staff will be the happiest if the data is recovered.
Any help or instructions will be great.

Thanks
0

Hello,
We are a small independent financial institution that has grouped together with similar-sized FIs in our region to take advantage of group security solutions.
Currently it is recommended by our 3rd party solution provider that we encrypt all laptops and PCs.
The majority of our PCs have roaming profiles with no sensitive or private information contained on the local PC.
I'm just sending this out as a general question to experts if you think encryption is necessary on roaming profile PCs.
My concerns are:
-If the PC reboots, in order to log in, the user has to have logged into that computer before to get past the preboot McAfee log in. We have a  lot of staff that move around, hence the roaming profiles. This can be cumbersome.
-I'm not sure how encryption affects roaming profiles
-lastly has anyone experienced issues with cloning encrypted PCs?

Any insights appreciated.
0
So I’ve installed a new win 10 op sys

Can I encrypt my hdd ?
1
By "no co-mingling of tenants data", what are the things we look out
for in a cloud and a cloud service provider (CSP)?

a) encryption of database or the VM sits in an encrypted storage?
b) tenants' VMs can't reach each other, ie there' s microsegmentation
    or sort of 'virtual firewall' that blocks a tenant's VM from reaching
    to or being reached by another tenant's VM?
c) backups are encrypted?
d) CSP is certified ISO 27017/018 or PCI-DSS or ?
e) or the CSP has to be on private or hybrid cloud?
f)  or the CSP can offer a dedicated hypervisor to a tenant
    or a 'special storage' to ensure
   ... pls correct me or add on ...

Does AWS meet the above criteria?
0
Hi, we plan to deploy BitLocker in various 10 and 20 user environments. Should we use Acronis or something similar prior to utilizing BitLocker on workstations? What are your feelings towards utilizing it on servers? Are there any other deployment ProTips? Is encryption already on iOS? What should we use for encryption on these mobile devices?
0
Our customer needs to have strong encryption for o365 emails. The CEO told me that he believes that o365 has only 128bit AES cipher when sending to Gmail. Is there a way to force the cipher to be 256 bit when sending to Gmail (and/or any mail system)?

Additionally, I have found out that when sending between Outlook clients the cipher is 256-bit:
( Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)

Thanks in advance.
0
Those who administer bitlocked networks with pre-boot authentication know how unpleasant it can get if you would like to start a device in the absence of the user. I will remind you of a well-known way that lets you boot up and/or recover these machines at ease and help you to use it safely.
2
I am an independent consultant and I work with multiple clients.   Some of these clients provide me with a laptop and ask me to use their kit.

I use Google Drive to store all my data.  I find it extremely useful and powerful.  How can I protect the data being accessed by the IT department?  Can I encrypt the data on Google Drive so only I can view it?  I am concerned that my personal file on my clients (very nice laptop) can be viewed by them.  

I am looking for a nice easy solution - for example, is there any way of using the standard Microsoft encryption solutions? I am not familiar with them.

Thoughts?

Thanks
A.
0
I have a PGP Universal Email Gateway that is used to encrypt and decrypt emails.
The workflow is as follows.
  1. Email is sent from my email server and there is a send connector rule to route a handful of domains to our PGP UGS to be encrypted then off to the archiver service
  2. Inbound emails are routed to  the PGP UGS from the Archiver service and if the email is encrypted it will be decrypted and sent to the email server to be processed.  

I did a Key Exchange with a client and this was one of the most difficult ones I have dealt with so far.  They have two options. PGP or TLS mandatory.
TLS option was rejected due to my spam/email protection (SaaS) is the  first hop after my email server.  Being that this is a third party that the email is being processed the client rejected this method so I had to go down the PGP route.  

I have a PGP UGS in my environment already and it has been working great for the most part. This new client's requirements are stricter than those of prior clients I used this method with. They mandate that the email be encrypted with an MDC (checksum), even though the initial tests passed and were acknowledged as a valid means of transmission.

I am not sure exactly what the MDC part of PGP is. I am encrypting to the client's key and do not know how to apply an MDC to the emails. Any insight, suggestions or alternative options are what I am looking for. They gave me 4 weeks to resolve this.
0

Hi,

I have a Dell Optiplex 7050 with Windows 10 running on this PC. We use BitLocker for disk encryption. After I have BitLocker encryption running and reboot, it asks for the BitLocker recovery key. Then I found the following steps that seem to work:

Deactivate the TPMAutoProvisioning within Windows via the Administrator PowerShell:
1. Right click on the Start menu.
2. Type powershell, right click to run as admin
3. Type the command Disable-TpmAutoProvisioning and press Enter and make sure autoprovisioning is disabled.

Delete the TPM within the BIOS using the Clear option :
1. Restart the system and go to BIOS setup
2. Select "Security".
3. Click on "TPM Security".
4. Choose to Clear the TPM and then click yes to removing all keys from the TPM. (TPM will need to remain active).
5. Then exit and reboot into BIOS again to verify that the TPM is still seen as active.
6. Exit and reboot into the Window.

Activate the TPMAutoProvisioning again with the following PowerShell operation:
1. Right click on the Start menu.
2. type powershell and right click to run as admin
3. Type the command Enable-TpmAutoProvisioning and press Enter.

Under tpm.msc, make sure TPM Management shows the TPM status as "ready for use, with reduced functionality". Then:
1. Turn OFF BitLocker. Wait for the hard drive to decrypt.
2. Turn ON BitLocker. Reboot, and it no longer asks for the Recovery Key.

It seems to work after restarting the PC several times, and it did not ask for the BitLocker key until I shut it down…
0
Given the recent news around hardware encryption on some SSDs, I am looking to make a change both to my home network and suggest the change in our enterprise network, to disable hardware encryption in the Bitlocker GPO.

What I am unsure of, is what the impact of this change is on already-encrypted drives and what is the most effective way to manage any transition in that regard.

It's something we will likely look to test, but I thought I would ask the question in case someone else has already done so.
0
https://www.michalsons.com/blog/what-is-a-national-critical-information-infrastructure/17701
https://publicwiki-01.fraunhofer.de/CIPedia/index.php/Critical_Information_Infrastructure

I have to draft a guideline for systems that interface with a CII system & need inputs:
currently, the interfaces concerned are limited to 3 types only:

1. files transfer
============
I can only think of the general practices, i.e.:
 a) encryption of data in transit (eg: using sftp instead of ftp/mapping a drive or NFS)
 b) encryption of data at rest if it's sensitive (tampered with)

2. API
=====
how do we secure these (in particular APIs using microServices)??
I've heard that APIs need to be certified, so before requesting that, I need to be certain,
else application developers may question its relevance/usefulness.

3. DBLink
========
Those sqlconnect  esp Oracle links to extract / update data.
Will need to define if the non-CII system is
   a) updating into CII, will have to be extra stringent but how?
   b) extracting from CII, just encrypting the sql calls
 

Oracle databases, weblogic are involved in the critical systems
while the less-critical systems may be Windows, Linux on
various apps (including mobile apps).

Editing thread to add Oracle as it relates to DBLink.
0
https://www.ru.nl/publish/pages/909282/advisory.pdf
Solid State Disks (SSDs) often implement hardware full-disk encryption in a way known as Self-Encrypting Drives
(SEDs). Several implementations of SEDs have been analysed by reverse engineering their firmware. Many have security vulnerabilities that allow for full recovery of the data without knowledge of any secret when you have physical access to the drive.
BitLocker, bundled with Microsoft Windows, relies exclusively on hardware full-disk encryption if the drive indicates support for it. Thus, for these drives, data protected by BitLocker is also compromised.

Sweet, isn't it? Now go check your drives... all of them.
manage-bde -status c: | findstr /i hardware && msg * You are possibly affected!


1
LVL 63

Author Comment

by:McKnife
Andrew, it's batch code, not powershell code. Run it on an elevated command prompt. If you get a popup, verify your drive model. If the output is empty, you are safe to go.

[batch code can usually be run on the powershell, too, but not all batch code and the operator "&&" ("continue if last result is success") is unknown to powershell - that's why you see an error]
1
LVL 24

Expert Comment

by:Andrew Leniart
Andrew, it's batch code, not powershell code.
Doh! <blush>

Run it on an elevated command prompt. If you get a popup, verify your drive model. If the output is empty, you are safe to go.
Cool! I ran it on both my SSD drives and no output, so I guess I'm safe :-)

Many thanks for your help McKnife. Very much appreciated.

Andrew
0
Running Windows 7 Professional SP-1 32-bit.  I have a folder with millions of files, most of which are encrypted with Windows EFS.  The folder, itself, is encrypted, but some of the files within it are not. I would like all the files to be encrypted, but I don't have a way of isolating the ones which still require encryption.  If I select the folder's security properties, and tick "Encrypt", to be applied to all the folder contents, I'd like to know if Windows needs to re-apply encryption to the files which are already encrypted, or only to the unencrypted files.  Changing the attributes of the entire contents would take weeks.
0
We have a Microsoft PKI hierarchy with one offline standalone Root CA. We also have an enterprise Subordinate issuing CA. Recently we started getting errors as below when we are requesting new certificates.
Error: An error occurred while enrolling for a certificate. A certificate request could not be created.
Error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092012 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
The CRLs for the root CA are published in AD and also at a URL on the CA server.
The CRL of the sub CA will automatically be published in AD, as I understand.
Could the ROOT CA CRL be the issue? I want to be sure, as it's a big process of approvals to start the ROOT CA and get a new CRL.
I want to be sure that it's not a local issue in my site before I contact the HQ ROOT CA admin to request the new Root server CRLs.
Any help appreciated
0