
Showing posts with label DATA PROTECTION. Show all posts

Tuesday, February 04, 2025

Quantum-Ready: Critical Documents for Your PQC Migration Strategy

1.    As quantum computing progresses, it becomes a threat to traditional cryptographic systems that needs to be addressed. Migration to Post-Quantum Cryptography (PQC) is no longer an abstract future event but a present imperative for many. Yet, when and how to start such a migration can be tricky.

2.    One of the most important first steps is to know what is in the current cryptographic environment and which assets are the most important ones to migrate first. In this post, we will discuss four important documents that each organization should set up as part of its Quantum-Vulnerability Diagnosis:

  • Risk Assessment
  • Inventory of Cryptographic Assets
  • Inventory of Data Handled
  • Inventory of Cryptographic Asset Suppliers

3.    All these documents help organizations measure their preparedness, point out potential risks, and set up a smooth migration to quantum-resistant systems. Let's discuss them one by one:

  • Risk Assessment: The Risk Assessment is a very important document that will help organizations evaluate the threats that may arise from quantum computing. It analyses the current security posture, identifies critical assets, and determines exposure to future quantum risks. This document should assess the types of data handled, system dependencies, and the use of vulnerable cryptographic protocols. It predicts quantum-related threats and their potential impact, allowing organizations to prioritize assets and establish realistic timelines for migration.
  • Inventory of Cryptographic Assets: Lists all cryptographic systems, algorithms, and protocols in use. It helps identify assets vulnerable to quantum threats and prioritize those for migration to post-quantum alternatives. The inventory should also assess the lifespan of each asset, highlighting those at risk of obsolescence or quantum vulnerability.
  • Inventory of Data Handled by the Organization: This inventory catalogs all sensitive data types, including customer information, financial records, and intellectual property. It helps an organization identify what data is most vulnerable to quantum threats and prioritizes protection efforts. Highly sensitive or mission-critical data should be prioritized in the migration plan to ensure maximum security against quantum computing risks.
  • Inventory of Suppliers of Cryptographic Assets: This inventory tracks third-party vendors and service providers who supply cryptographic tools. It enables organizations to understand the potential quantum vulnerabilities in third-party systems, allowing for joint work with suppliers to ensure solutions are quantum resistant. This document also helps to manage external dependencies and ensures that there is a coherent and consistent PQC migration strategy.
4.    Once these four core documents are set up: Risk Assessment, Inventory of Cryptographic Assets, Inventory of Data Handled, and Inventory of Suppliers, they form the basis for a strong PQC migration strategy. Careful cataloging and assessment of the systems currently in place will point out vulnerabilities and allow for the prioritization of critical assets, which can then be safely transitioned to quantum-resistant solutions. This proactivity will provide protection against the future risks from quantum computing.
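As an added illustration (not part of the original post), the Python script below shows how an Inventory of Cryptographic Assets can carry the fields the post calls for (algorithm, lifespan, supplier) and be triaged for migration priority. The asset names, lifetimes and supplier names are constructed placeholders, and the scoring rules (asymmetric primitives first, longer data lifetimes first, 128-bit symmetric keys flagged) are a common rule of thumb rather than anything the post prescribes.

```python
"""Triage a cryptographic asset inventory for PQC migration priority.

Added example, not from the original post; asset names, lifetimes and
suppliers are constructed. The rules encode standard guidance: RSA, ECDSA,
ECDH, DH and DSA are broken by Shor's algorithm, while symmetric ciphers and
hashes only lose about half their security margin to Grover's algorithm.
"""
from dataclasses import dataclass

QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}            # must be replaced
QUANTUM_WEAKENED = {"AES", "SHA-2", "SHA-3", "HMAC", "ChaCha20"}  # need larger parameters

@dataclass
class CryptoAsset:
    name: str                  # system or protocol using the primitive
    algorithm: str             # algorithm family, e.g. "RSA"
    key_bits: int              # key or digest size in bits
    data_lifetime_years: int   # how long the protected data must stay confidential
    supplier: str              # third party providing the implementation

def classify(asset: CryptoAsset) -> str:
    """Return a migration priority: 'high', 'medium' or 'low'."""
    if asset.algorithm in QUANTUM_BROKEN:
        # Long-lived data behind a broken primitive can be harvested now and decrypted later.
        return "high" if asset.data_lifetime_years >= 5 else "medium"
    if asset.algorithm in QUANTUM_WEAKENED:
        # 128-bit symmetric security is roughly halved by Grover; 256-bit keeps a margin.
        return "medium" if asset.key_bits < 256 else "low"
    return "medium"   # unknown family: review manually rather than assume it is safe

def triage(inventory: list) -> list:
    """Return (priority, asset name, supplier) tuples, most urgent first."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = sorted(inventory, key=lambda a: (order[classify(a)], -a.data_lifetime_years))
    return [(classify(a), a.name, a.supplier) for a in ranked]

# Constructed sample inventory; supplier names are placeholders.
SAMPLE_INVENTORY = [
    CryptoAsset("Customer records at rest", "AES", 128, 10, "StorageVendor (hypothetical)"),
    CryptoAsset("TLS key exchange, public API", "ECDH", 256, 1, "WebVendor (hypothetical)"),
    CryptoAsset("Archived signed contracts", "RSA", 2048, 25, "HSMVendor (hypothetical)"),
    CryptoAsset("Backup integrity hashes", "SHA-2", 256, 10, "in-house"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep=" | ")
```

The supplier column ties each flagged asset back to the Inventory of Suppliers, so the output doubles as the list of vendors to engage first.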

Saturday, December 28, 2024

Malleability of Privacy: How Technology and Society Shape Our Boundaries

1.    In a world where digital technology is evolving at lightning speed, the concept of privacy is becoming more and more malleable. What was once considered a rigid, inviolable boundary is now subject to constant change, influenced by a variety of factors. The malleability of privacy refers to how our expectations of what is private and what is not are fluid, adaptable, and continuously shaped by social, technological, and legal forces.

2.    The "malleability of privacy" refers to the idea that privacy is not a fixed or rigid concept, but rather something that can be shaped, adjusted, and influenced in response to various factors, contexts, and technological advancements. Essentially, it suggests that the boundaries and expectations around privacy are flexible and can change over time.


3.    Key aspects of the malleability of privacy include:

  • Technological Change: As new technologies emerge, they can reshape the way personal information is collected, stored, and shared. For example, social media platforms, mobile devices, and smart home technologies have altered what is considered private and how easily private data can be accessed.
  • Cultural and Social Norms: Different societies and communities have different attitudes toward privacy. What is considered private in one culture may not be seen the same way in another. As societies evolve, their expectations about privacy also shift.
  • Legal and Regulatory Frameworks: Laws governing privacy (e.g., GDPR in Europe, CCPA in California) can also change over time. These laws may expand or restrict the level of privacy protection individuals have, depending on the legal environment and political pressures.
  • Personal Choices and Behavior: Individuals themselves play a role in how their privacy is shaped. Some people may willingly share more personal information online, while others may be more protective. Privacy settings on digital platforms can be adjusted, and the choices individuals make affect the level of privacy they maintain.
  • Surveillance and Security: Government policies and corporate practices around surveillance, data collection, and security also influence privacy. For example, as governments increase surveillance or corporations collect more personal data for marketing, the overall sense of privacy can be diminished, making it more malleable.

4.    As we move further into the digital age, privacy will continue to be a malleable concept. Technology will advance, new laws will be enacted, and cultural attitudes will shift. For individuals, it’s crucial to stay informed and be proactive about managing privacy settings and understanding the potential consequences of sharing personal information.

5.    As our understanding of privacy becomes more fluid, it’s important to consider not only the technological innovations that influence our privacy but also the ethical, legal, and social implications of those changes. The question isn’t whether privacy will continue to evolve—it’s how we can protect ourselves and maintain control over our most sensitive information as these boundaries shift.

6.    Ultimately, the malleability of privacy is a reminder that privacy is not just a static right, but something that requires constant vigilance and adaptation. How we navigate these shifting boundaries will shape the future of privacy for generations to come.

Friday, December 21, 2012

Need for Encryption: Your Files - Your Data


1.   In today's times, when every spying eye and every hacker on the web is eyeing your info... apart from hardening your OS and configuring your system securely, what else can you do to secure your info after someone gatecrashes into your system? I mean, after someone gets root privileges on it via remote access, what are the options to save yourself from sharing your critical data with him? The answer is ENCRYPTION...

2.   Encryption is the process of encoding your information in such a way that hackers cannot read it, but authorized parties can. So without getting into the nitty-gritty of what encryption is and how it works, I am focusing here on what open-source and free applications are available for encryption...

3.   First I would mention TrueCrypt, the one I have been using for years. The reliability of this application can be gauged from the fact that in 2008 the FBI attempted to break the encryption on hard drives that had been encrypted with TrueCrypt, but the equipment was finally returned after a year of failed tries. (Source: http://www.webcitation.org/query?url=g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html)

4.   The other strong open-source software available for encryption includes:

    - E4M (i.e. Encryption for the Masses)
    - FreeOTFE
    - Scramdisk

5.   TrueCrypt remains the best bet for all present users. Its popularity can be gauged from another fact: it is being used by cyber criminals too!!

Wednesday, July 04, 2012

Cloud Computing: A Dummies' Overview!!!! - 1


1.   Cloud computing is ALREADY the next stage in the evolution of the Internet. The cloud in cloud computing provides the means through which everything from computing power to computing infrastructure, applications, business processes and personal collaboration can be delivered to you as a service wherever and whenever you need it. Cloud computing is offered in different forms:

- Public clouds
- Private clouds
- Hybrid clouds, which combine both public and private

2.   In general the cloud is similar to a fluid that can easily expand and contract. This elasticity means that users can request additional resources on demand and just as easily deprovision (or release) those resources when they’re no longer needed. This elasticity is one of the main reasons individual, business, and IT users are steadily moving to the cloud. In the traditional data center it has always been possible to add and release resources, but we all know how much effort that generally takes.

3.   This doesn’t mean that all applications, services, and processes will necessarily be moved to the cloud. Many businesses are much more cautious and are taking a hard look at their most strategic business processes and intellectual property to determine which computing assets need to remain under internal company control and which computing assets could be moved to the cloud.

4.   The cloud itself is a set of hardware, networks, storage, services, and interfaces that enable the delivery of computing as a service. Cloud services include the following:

- IaaS (Infrastructure as a Service): Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

- PaaS (Platform as a Service): Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.

- SaaS (Software as a Service): Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.


5.   Now that goes as the most simple introduction for a cloud computing overview... the main part starts now: how about the security aspects of each of these? That will be covered in slightly more detail in subsequent posts...

Tuesday, January 19, 2010

Google vs Bing: On Data Retention Policy Change

1. Ever wondered about the privacy policy of search engines, specifically Google and Bing? I came to know of this recently while reading http://www.bing.com/community/blogs/search/archive/2010/01/19/updates-to-bing-privacy.aspx on the subject.

2. In the case of Bing, the amount of time IP addresses from searchers are stored is 18 months, which they now claim to reduce to 6 months. Generally, when Bing receives search data, the following steps are taken:

First, steps are taken to separate the account information (such as email or phone number) from other information (what the query was, for example).

Secondly, after 18 months, an additional step deletes the IP address and any other cross-session IDs associated with the query.

3. Under the new policy, all the steps will continue as applied previously, except that the IP address will now be completely removed at 6 months instead of 18. Rival Google had cut retention time to 9 months from 18 in August 2008. Notwithstanding this, Microsoft executives assert that their initiative goes much further than Google's, because Microsoft intends to delete all parts of the IP (Internet Protocol) address after six months, while Google still retains part of the address after its self-imposed nine-month cut-off point.
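To make the two steps concrete, here is an added Python example (not Microsoft's or Google's code) that applies the described policy to a constructed search-log record: account details are separated at ingest, and once the record is older than the retention period the IP address and cross-session ID are removed, either fully (the new Bing policy) or by keeping the first three octets (roughly the partial retention the post attributes to Google). The field names, record layout and sample values are assumptions.

```python
"""Two-step search-log retention, as the post describes Bing's policy.

Added example, not Microsoft's or Google's code; field names and the sample
record are constructed. Step one separates account information from the query
at ingest; step two removes the IP address and cross-session IDs once a record
is older than the retention period. 'partial' keeps the first three IPv4 octets
(roughly what the post says Google does); 'full' drops the address entirely.
"""
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS_OLD = 18 * 30   # about 18 months, the earlier Bing policy
RETENTION_DAYS_NEW = 6 * 30    # about 6 months, the new policy

def ingest(raw: dict) -> tuple:
    """Step one: split account info from the query record, linked by an opaque id."""
    account = {"link_id": raw["link_id"], "email": raw["email"], "phone": raw["phone"]}
    query = {k: raw[k] for k in ("link_id", "date", "ip", "session_id", "query")}
    return account, query

def anonymize_ip(ip: str, mode: str) -> Optional[str]:
    """'full' removes the IPv4 address entirely; 'partial' zeroes only the last octet."""
    if mode == "full":
        return None
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(octets[:3] + ["0"])

def expire(query: dict, today: date, retention_days: int, mode: str = "full") -> dict:
    """Step two: once the record is past retention, drop IP and cross-session identifiers."""
    age = today - date.fromisoformat(query["date"])
    if age.days < retention_days:
        return dict(query)             # still inside the retention window: unchanged
    scrubbed = dict(query)
    scrubbed["ip"] = anonymize_ip(query["ip"], mode)
    scrubbed["session_id"] = None      # cross-session id removed
    return scrubbed

# Constructed sample record (RFC 5737 documentation address).
SAMPLE = {"link_id": "L1", "email": "user@example.com", "phone": "555-0100",
          "date": "2010-01-19", "ip": "203.0.113.42", "session_id": "S-77",
          "query": "weather seattle"}

def demo(days_after: int) -> dict:
    """Show what is left of the sample's IP under each policy, days_after ingest."""
    _, q = ingest(SAMPLE)
    today = date.fromisoformat(SAMPLE["date"]) + timedelta(days=days_after)
    return {"old": expire(q, today, RETENTION_DAYS_OLD)["ip"],
            "new_full": expire(q, today, RETENTION_DAYS_NEW)["ip"],
            "new_partial": expire(q, today, RETENTION_DAYS_NEW, "partial")["ip"]}
```

Calling `demo(200)` shows the difference the post is about: about 6.5 months after ingest the old policy still holds the full address, the new policy holds none of it, and partial anonymization still reveals the /24 network.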

Friday, June 26, 2009

Are you secure at your friendly neighbourhood CYBER CAFE ?

1. This one comes after I read a wonderful article in the DIGIT Carnival issue of Jun 09 on cyber café security. The article covered how a few cyber cafés with notorious intentions can play with the crucial, critical and confidential information of a user who might have accessed his e-mail accounts, booked a flight ticket with his credit card, or done some personal work on the cyber café's PC. In the following paragraphs I will just go over the preventive measures in brief, as outlined in that article. Genuine, informative, CREAMY INFO THAT IS!!!!!!!!

2. PORTABLE WEB BROWSER: A portable web browser, as the name suggests, allows you to take bookmarks and passwords with you while not writing any information on the host computer. This lets you bypass key loggers, which expect that everything you type will be logged in a separate file unknown to the user. So this feature of the portable browser allows you to access your accounts without typing, thus preventing your crucial info from leaking. But at the same time you have to be aware that the PENDRIVE becomes your most precious thing in life… so don’t ever lose it. Mozilla and Opera have these free softwares ready for download at the click of a button, and Chrome is still working on it!!!!!

3. Another thing about the key logger software available in the market: yes, it includes OPEN SOURCE TYPES ALSO……… so the user is all the more vulnerable to becoming a quarry. Key loggers can be of two types:

a. Hardware Type – Uses a small chip in the keyboard, which makes bypassing it impossible. As shown in the figure below, we see the rear of a normal PC and another PC with the malicious chip placed in between the cable.

b. Software Type – Can be activated with the help of a Trojan or with the help of a simple installation.

4. A software-based key logger can either keep a record of what is being typed or take periodic screenshots while the user is using the PC, all of this being sent to a remote server without the knowledge of the poor user. Isn't that amazing!!!!!!!!!!

5. VIRTUAL KEYBOARD: Although the endeavour of the cyber café PC user should be to ensure that under no circumstances are credit card details typed, if at all it is a case of having no other choice, then the virtual keyboard should be used. This is available as Start > Accessories > On Screen Keyboard. Although there are ways and means to even break this, there would never be any sort of guarantee… after all, YOU ARE ON THE WEB, BROTHER….. everything is accessible.

6. I would like to mention one more thing here…. VIRTUAL KEYBOARDS/ON-SCREEN KEYBOARDS are not a guarantee of safety. There are key loggers which are even configured to log only details from on-screen keyboards. There is a solution to this also, and that is OBFUSCATION.

7. OBFUSCATION: This basically makes key loggers log one combination of keys while you key in a different combination. There are some programs built around different obfuscation algorithms, which thus avoid typing in the real thing. Obfuscation is actually the deliberate hiding of a software's behaviour, and it is used by malware authors as well as legitimate software developers. Both use code obfuscation techniques to keep curious souls from understanding how their software works and what it is doing to the computer on which it runs. A complex thing in itself, but who needs to know that…. eat the mango, don't worry about the seed!!!!!!!!!!! How to use it? Please Bing or Google it.

8. Another important thing to ensure is to protect your USB drive from viruses. The first thing to do when you plug your USB drive into a public computer is to identify and disable any malicious processes running. Process Explorer is a good utility for doing this. It is actually like the Windows Task Manager but with a few more good options to work with. A screenshot from my laptop is shown below.

9. Securely deleting data: Last but not least… ensure you use good software that leaves no trace of your activity on the used computer. I recommend using ERASER and FreeCommander …… tried and tested……………

