Thursday, April 12, 2007
TrueCrypt Open Source Encryption - Awesome!
A few weeks back, two of our sales people were out for the week (one on vacation, the other recovering from surgery), so I had several computers to play around with. I figured I'd test the security of our "encrypted" database, including personal data and credit info, by trying to hack a backup. I was going to break up the decryption process over several workstations, and hopefully crack the database in a day or two. It turns out I didn't need the extra computing power, though...
DeCrypto-K was able to find the cipher key saved right in the program directory where the database is saved. It blew up the 8-bit PKZIP1 encrypted database into a delimited text file, in less than a minute, on a 1.1GHz laptop. Weak! That's the downside of our sales software. It was designed in 1989 by a 3-person company, using mostly open source technology, to the tune of $3000 for the source code. It would have been insecure, even when it was new, but relied on the fact that our various sales-servers have all been completely inaccessible from beyond our in-house hardware. Our entire sales-entry and bookkeeping hardware is closed off.
So, while inherently secure from hackers, it just bugs me. Since it was a slow week for phone calls (none of our ads are in circulation yet), I worked in more-modern encryption into our system without any hit to performance. I've had three of our laptops and one unused desktop trying to decrypt the database since Monday, to no avail. I figure I'll let it go till Friday (or, until the power goes out here AGAIN).
I have TrueCrypt to thank for easily implementing modern cryptology into our system. TrueCrypt frickin' ROCKS. Oh, and it's TOTALLY FREE OPEN SOURCE!
If you're looking to secure files and folders, give the TrueCrypt client a try. You make an encrypted volume, and hide it as a file somewhere on your system. When you want to access it, you can then (with a strong password) mount the encrypted volume as a hard drive. It supports AES, Blowfish, CAST5, Serpent, TripleDES, and Twofish and can even cascade them for additional security. What's even COOLER is that you can encrypt hidden volumes inside other encrypted volumes. You have two passwords, one for the outer volume and one for the hidden volume. You enter one password for the outer volume. Enter the other password, and it mounts the hidden volume instead. What's cool about this is that you can hide secured data in the hidden volume, and put diversionary files in the outer volume. Nice!
Click here for CNET's review, or to download TrueCrypt
DeCrypto-K was able to find the cipher key saved right in the program directory where the database is saved. It blew up the 8-bit PKZIP1 encrypted database into a delimited text file, in less than a minute, on a 1.1GHz laptop. Weak! That's the downside of our sales software. It was designed in 1989 by a 3-person company, using mostly open source technology, to the tune of $3000 for the source code. It would have been insecure, even when it was new, but relied on the fact that our various sales-servers have all been completely inaccessible from beyond our in-house hardware. Our entire sales-entry and bookkeeping hardware is closed off.
So, while inherently secure from hackers, it just bugs me. Since it was a slow week for phone calls (none of our ads are in circulation yet), I worked in more-modern encryption into our system without any hit to performance. I've had three of our laptops and one unused desktop trying to decrypt the database since Monday, to no avail. I figure I'll let it go till Friday (or, until the power goes out here AGAIN).I have TrueCrypt to thank for easily implementing modern cryptology into our system. TrueCrypt frickin' ROCKS. Oh, and it's TOTALLY FREE OPEN SOURCE!
If you're looking to secure files and folders, give the TrueCrypt client a try. You make an encrypted volume, and hide it as a file somewhere on your system. When you want to access it, you can then (with a strong password) mount the encrypted volume as a hard drive. It supports AES, Blowfish, CAST5, Serpent, TripleDES, and Twofish and can even cascade them for additional security. What's even COOLER is that you can encrypt hidden volumes inside other encrypted volumes. You have two passwords, one for the outer volume and one for the hidden volume. You enter one password for the outer volume. Enter the other password, and it mounts the hidden volume instead. What's cool about this is that you can hide secured data in the hidden volume, and put diversionary files in the outer volume. Nice!
Subscribe to Posts [Atom]
