Free Republic

MasterCard scandal: More details emerge
Silicon.com | June 21, 2005 | Joris Evers

Posted on 06/21/2005 8:59:47 PM PDT by HAL9000

More details emerged on Monday about the cyber break-in at a payment processing company that exposed more than 40 million credit card accounts to fraud.

The data security breach, possibly the largest to date, happened because intruders were able to exploit software security vulnerabilities to install a rogue program on the network of CardSystems Solutions, a MasterCard International spokeswoman said. The program captured credit card data, she said.

The malicious code was discovered after a probe into the security of CardSystems' network. That investigation, by security experts from Cybertrust, was triggered by a MasterCard inquiry into atypical reports of fraud by several banks. The trail led to CardSystems, said the spokeswoman.

The probe also found that the Atlanta-based payment processor did not meet MasterCard's security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form, she said.

MasterCard declined to disclose more information on the breach, citing an ongoing investigation by the FBI. CardSystems did not respond to email messages and phone calls seeking comment. A Cybertrust representative declined to comment on the case.

Online discussion boards, meanwhile, are abuzz about which vulnerable software CardSystems may have been running. The data processor's website runs on Microsoft's Windows 2000 operating system and IIS Server 5.0, which has fuelled speculation that its other set-ups may also be Microsoft-based.

CardSystems said in a statement on Friday that it had identified a "potential security incident" on Sunday, 22 May, and called in the FBI the next day. Visa and MasterCard were also contacted, the company said. MasterCard went public with the CardSystems breach on Friday after it had identified all the affected accounts, the spokeswoman said.

More than 40 million credit card accounts were exposed by the breach. About 22 million of those are Visa cards and 13.9 million are MasterCard, the companies have said. The remaining accounts were linked to other brands, including American Express and Discover.

While millions of accounts were potentially accessed by the attackers, the investigation into the theft has found that records covering about 200,000 cards were transferred outside the CardSystems network, the spokeswoman said. Of those records, 68,000 are for MasterCards, she said.

The thieves got access to names, account numbers and verification codes that could be used to commit fraud. However, the information did not include social security numbers, addresses or dates of birth, which would be needed for identity theft.

CardSystems is one of many companies that process electronic payments. The company handles more than $15bn in card transactions annually for more than 105,000 small and medium-sized businesses, according to its website.

All the major credit card companies protect their customers against unauthorised transactions on their accounts. Fraudulent transactions are typically reversed. Cardholders should monitor their accounts online and contact the credit card company or card-issuing bank when fraud is suspected, experts said.

MBNA, one of the largest US credit card issuers, said it has received information from CardSystems about exposed customer accounts. The company won't contact the individuals affected but is keeping a close eye on the compromised accounts, said an MBNA spokesman. In a case of fraud, an account would be closed and a new card issued, he said.

American Express is still deciding whether to contact its customers. A company spokeswoman said accounts were exposed but she did not disclose how many. In a case of fraud, she said, American Express would bear the financial burden, assuming the merchant has followed all standard card acceptance procedures.

MBNA would also not disclose how many of its customer accounts were compromised.

The CardSystems breach follows several high-profile data loss incidents that potentially exposed American consumers to identity theft, including the loss two weeks ago of CitiFinancial tapes containing unencrypted information on 3.9 million customers.

In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.

Two recent surveys have highlighted growing worries about data protection. Last Wednesday, the Cyber Security Industry Alliance reported that 97 per cent of the American voters it polled said identity theft was a problem that needs addressing, and 64 per cent wanted the government to do more to protect computer security.

In addition, a study commissioned by Adobe Systems and RSA Security found that eight out of 10 "senior-level professionals" in Washington, DC, thought that lawmakers weren't doing enough to keep consumer data safe.



TOPICS: Business/Economy; News/Current Events; Technical
KEYWORDS: cardsystems; lowqualitycrap; mastercard; microsoft; virus; windows

1 posted on 06/21/2005 8:59:48 PM PDT by HAL9000
[ Post Reply | Private Reply | View Replies]

To: Golden Eagle

FYI - More wonderful publicity for Microsoft.


2 posted on 06/21/2005 9:00:17 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

Lame.

Blaming your firewall and/or policy failures on *any* OS infrastructure is just plain lame.


3 posted on 06/21/2005 9:03:06 PM PDT by Ramius
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

It's probably more like blaming Ford for someone driving an Expedition into someone's house, or blaming Colt for some gangsta getting capped.


4 posted on 06/21/2005 9:03:33 PM PDT by JustAnotherOkie
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000
Ouch. Usually I defend MS, but I ain't touching this one!

In all fairness though, every OS is vulnerable to attack. There have been attacks and breaches on mainframes, Macs, Linux, OS2, etc...

5 posted on 06/21/2005 9:05:00 PM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)
[ Post Reply | Private Reply | To 2 | View Replies]

To: HAL9000
"...eight out of 10 "senior-level professionals" in Washington, DC, thought that lawmakers weren't doing enough to keep consumer data safe."

What the h*ll are politicians supposed to do about flawed software? Are they personally now supposed to fix the security holes in Microsoft software?

(Why does everything that's broken need a new law in order for it to be fixed??)

6 posted on 06/21/2005 9:05:37 PM PDT by LibFreeOrDie (L'chaim!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

I am thinking it is time to sell my MS shares...


7 posted on 06/21/2005 9:05:46 PM PDT by philz
[ Post Reply | Private Reply | To 2 | View Replies]

To: HAL9000
Come on, Hal. I've seen you post a lot of anti-MS stuff before ... are you saying NO other OS would have a security breach? Bit of a stretch, don't you think?
8 posted on 06/21/2005 9:07:03 PM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

The credit card companies are very explicit about what data you can hold onto, and what data you cannot retain. I do not keep a record of my customers' CC info (I do recurring billing) on ANY machine that is EVER connected to the Internet. Period.


9 posted on 06/21/2005 9:07:26 PM PDT by ikka
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000
MBNA, one of the largest US credit card issuers, said it has received information from CardSystems about exposed customer accounts. The company won't contact the individuals affected but is keeping a close eye on the compromised accounts, said an MBNA spokesman.

This ought to be flat-out illegal. Victims, or potential victims of fraud should be notified.

10 posted on 06/21/2005 9:07:30 PM PDT by CurlyDave
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

Just the latest in a string of security f**kups. Bank of America, Wachovia, LexisNexis, and more.

The problem isn't Microsoft, though their swiss cheese software contributes. No one takes security very seriously, except of course when they're the victim of a lapse, in which case they always get enraged and blame everyone except themselves.

Meanwhile, it pays to be paranoid. Very paranoid.


11 posted on 06/21/2005 9:09:53 PM PDT by Terpfen (New Democrat Party motto: les enfant terribles)
[ Post Reply | Private Reply | To 1 | View Replies]

To: CurlyDave
I think perhaps the reason for this /unfortunately/ is there are potential opportunistic fraudsters in the compromised accounts
12 posted on 06/21/2005 9:14:05 PM PDT by chariotdriver (I feel more like I do now than I did a few minutes ago)
[ Post Reply | Private Reply | To 10 | View Replies]

To: LibFreeOrDie

All we need is John McCain lecturing us on the need to download the latest M/S Service Pack! :-)


13 posted on 06/21/2005 9:15:47 PM PDT by 6SJ7
[ Post Reply | Private Reply | To 6 | View Replies]

To: HAL9000
Are guns responsible for murders?

Microsoft software is a tool. In the proper hands (someone very Microsoft savvy), IT CAN BE SECURED.

14 posted on 06/21/2005 9:21:42 PM PDT by xrp (Fox News Channel should rename itself the Missing Persons Network)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Terpfen
No one takes security very seriously

That's the truth. I know first-hand that many, MANY large corporate companies will slash security spending first when it comes to IT budget crunch time.

Ironically most of these same companies have no problem shelling out big bucks for 2 flat screen monitors per employee.

15 posted on 06/21/2005 9:24:19 PM PDT by xrp (Fox News Channel should rename itself the Missing Persons Network)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Ramius

Hmm, blame the firewall. How about the operators?


16 posted on 06/21/2005 9:25:50 PM PDT by television is just wrong (http://hehttp://print.google.com/print/doc?articleidisblogs.blogspot.com/ (visit blogs, visit ads).)
[ Post Reply | Private Reply | To 3 | View Replies]

To: LibFreeOrDie

"(Why does everything that's broken need a new law in order for it to be fixed??)"

Because we've become a nation of pu**y*.


17 posted on 06/21/2005 9:27:17 PM PDT by John W
[ Post Reply | Private Reply | To 6 | View Replies]

To: HAL9000

Due to the nature of the information available at CardSystems, the OS is irrelevant. The data being sought was highly treasured by the criminals, and they would have tried to find a way in no matter what OS was being run.


18 posted on 06/21/2005 9:27:43 PM PDT by nhoward14
[ Post Reply | Private Reply | To 1 | View Replies]

To: xrp

You're right. You can always insure yourself against the (relatively) inexpensive fraud. But an employee complaint for an ergonomic violation? HA!


19 posted on 06/21/2005 9:29:17 PM PDT by xroadie (sarcasm always engaged)
[ Post Reply | Private Reply | To 15 | View Replies]

To: xrp
Microsoft software is a tool.

Microsoft operating systems are defective products. They should not be used in environments that require high security.

20 posted on 06/21/2005 9:34:39 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 14 | View Replies]

To: television is just wrong

I'm not blaming the firewall... I *am* blaming the operators... :-)


21 posted on 06/21/2005 9:35:14 PM PDT by Ramius
[ Post Reply | Private Reply | To 16 | View Replies]

To: HAL9000
Microsoft operating systems are defective products. They should not be used in environments that require high security.

Sorry, but you can replace 'Microsoft operating systems' with Linux, Solaris, HP-UX, IRIX, AIX, FreeBSD, OpenBSD (barely! OpenBSD is pretty solid), MacOS, IPSO (barely!) and the statement would still be just as true. Again, they are all tools. In the hands of the proper craftsman (i.e., someone who knows how to secure them), they are fine. In the hands of a cluebie (majority of sysadmins/server admins/desktop admins/network admins) then you have what we've experienced for the last 10 years.

The big problem is that we as a society have been conditioned to be compliant with those who ask things of us (we give out info easily and freely).

22 posted on 06/21/2005 9:40:58 PM PDT by xrp (Fox News Channel should rename itself the Missing Persons Network)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Terpfen
Just the latest in a string of security f**kups. Bank of America, Wachovia, LexisNexis, and more.

It may seem as though there has been a rash of these kinds of incidents. In fact, the main driver behind it all is a law in California that mandates disclosure of such incidents. 3 years ago, an incident like that mentioned in the article would have been kept quite quiet. Neither you nor I would ever have heard of it.

On a side note, while any computer system is vulnerable to a degree, IMO, placing that kind of information on a W2K system with IIS 5.0 that is internet facing should make them criminally liable for extreme damages. Note that they don't mention how long this breach has been occurring.

23 posted on 06/21/2005 9:42:09 PM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 11 | View Replies]

To: zeugma
Agreed completely, if they weren't forced to disclose it, they wouldn't. And I know it's been going on for longer than we know about, which just annoys me even further. Good on California, though.

As an aside, what's your take on this?
24 posted on 06/21/2005 9:47:56 PM PDT by Terpfen (New Democrat Party motto: les enfant terribles)
[ Post Reply | Private Reply | To 23 | View Replies]

To: HAL9000

Before anyone bashes MS or anyone else Cardsystems violated Visa/MC rules under their card holder security programs. They kept data on cardholders that they weren't allowed to keep or even see!


25 posted on 06/21/2005 9:51:54 PM PDT by america-rules
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma
On a side note, while any computer system is vulnerable to a degree, IMO, placing that kind of information on a W2K system with IIS 5.0 that is internet facing should make them criminally liable for extreme damages.

Their webserver is IIS on Win2k, which tells us nothing about the breach - I really, really doubt they had any of their payment systems running on their webserver, and nobody knows what they've got inside yet.

26 posted on 06/21/2005 9:53:27 PM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 23 | View Replies]

To: HAL9000
CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form, she said.

doh!

27 posted on 06/21/2005 9:59:57 PM PDT by stainlessbanner
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000; zeugma; xrp; Ramius; xroadie; nhoward14; John W; Terpfen; CurlyDave

In the time of the "Wild West", a horse thief would be hung. The rationale being that if you stole a man's horse, you took away his ability to feed himself.

In this day and age, your credit is the way you feed, clothe, house, and get medical care (just the short list). So why aren't the bastards doing this hung? This is what the politicians need to address.

And for every instance of credit theft, the company that didn't take security seriously should have to pay $10,000. to each of the victims. Forty million customers x $10,000. = a whole lot of incentive to tighten up security.


28 posted on 06/21/2005 10:09:42 PM PDT by anonsquared
[ Post Reply | Private Reply | To 1 | View Replies]

To: anonsquared

In those days, to steal a man's horse was tantamount to killing him. To be without a horse in the expanse of the west was to be as good as dead. That's why horse thievery was a hanging offense.

I'd like to see grand theft auto held to a similar standard nowadays.


29 posted on 06/21/2005 10:18:55 PM PDT by Ramius
[ Post Reply | Private Reply | To 28 | View Replies]

To: Terpfen
Saw that earlier. No way to fully guard against brain dead users who write their password down though. Also, I'd like to look at it and see if it can be brute forced. People are really horrible about picking bad passwords. I have a program to keep track of the dozens of passwords I use regularly. I use the password generator in Firefox to generate good ones. It's the only way to go. I'll be interested in seeing if Bruce Schneier has anything good to say about Seagate's system. 3DES should be pretty strong. I suspect the user will be the weak link with this.

Also, what do you do about backing up your data? Another issue might be if there is anything that ties the drive to the motherboard. That would mean that if you fry the board, you lose your data that would otherwise be recoverable.

30 posted on 06/21/2005 10:21:39 PM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 24 | View Replies]

To: general_re
Their webserver is IIS on Win2k, which tells us nothing about the breach - I really, really doubt they had any of their payment systems running on their webserver, and nobody knows what they've got inside yet.

Good point. Agreed. If they are running it on their webserver though, they need to be boiled in oil! (slowly)

31 posted on 06/21/2005 10:23:13 PM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 26 | View Replies]

To: Ramius

of course


32 posted on 06/21/2005 10:36:46 PM PDT by television is just wrong (http://hehttp://print.google.com/print/doc?articleidisblogs.blogspot.com/ (visit blogs, visit ads).)
[ Post Reply | Private Reply | To 21 | View Replies]

To: HAL9000
In addition, a study commissioned by Adobe Systems and RSA Security found that eight out of 10 "senior-level professionals" in Washington, DC, thought that lawmakers weren't doing enough to keep consumer data safe.

How in the world do these wunderkind expect Congress to do what is, essentially, a technical issue outside of their purview?
33 posted on 06/21/2005 10:46:30 PM PDT by Frumious Bandersnatch
[ Post Reply | Private Reply | To 1 | View Replies]

To: zeugma

Let's assume the HD is used in conjunction with a laptop that has a fingerprint scanner, like some IBM Thinkpads. What about that scenario?


34 posted on 06/21/2005 11:25:22 PM PDT by Terpfen (New Democrat Party motto: les enfant terribles)
[ Post Reply | Private Reply | To 30 | View Replies]

To: Terpfen
Let's assume the HD is used in conjunction with a laptop that has a fingerprint scanner, like some IBM Thinkpads. What about that scenario?

That would be useful for the most part. If it were just a fingerprint scan, that would be less than optimal IMO, as they can be subverted (fairly easily from what I understand). I'm not really that familiar with the values returned by fingerprint scanners. If you could create a hash of the values, that would be a starting point to use as the basis of your crypto-key. You'd want a password too, even though users are stupid.

I'd be interested in seeing what different failure modes are like with these systems. For instance, let's say you have to replace the fingerprint scanner. Does it still return the same hash as the previous one? Suppose it is more sensitive than the previous model? Is it still the same? If not, then your data is even more vulnerable to hardware failure than it would ordinarily be.

I've used encrypted partitions from time to time. They can be useful if you understand their limitations. Do you really want to encrypt your programs and OS? On Windows, you're probably better off doing so, as your data is harder to separate from your programs in many cases than it is on Unix derivatives. If you encrypt all of the drive, do you take a performance hit? If so, is it acceptable?

There are really a lot of questions that surround such things, many of which are answerable on a case-by-case basis.

35 posted on 06/22/2005 5:43:12 AM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 34 | View Replies]

To: HAL9000

I don't know if anything MS was involved, but I for one don't want IIS 5 anywhere near my personal data. I might accept IIS 6 in a heavily locked-down configuration though.


36 posted on 06/22/2005 6:42:45 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

"FYI - More wonderful publicity for Microsoft."

Having some inside knowledge about this, I can tell you that it was not the fault of any vendor in particular, it was the fault of the negligence and incompetence of their own employees.


37 posted on 06/22/2005 10:47:48 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 2 | View Replies]

To: america-rules

"Before anyone bashes MS or anyone else Cardsystems violated Visa/MC rules under their card holder security programs."

Besides penetration testing, the consultancy I work for is also on the various credit card issuers' list of vendors who can perform regular security testing for their periodic compliance certifications.

We have yet to have one merchant pass the first time, and most fail the 2nd, 3rd and 4th time, too.

Here is a good rule of thumb: If it's something you don't want anyone else to ever know, make sure it's not stored in electronic format anywhere ever. period.


38 posted on 06/22/2005 10:53:09 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 25 | View Replies]

To: antiRepublicrat

"I don't know if anything MS was involved, but I for one don't want IIS 5 anywhere near my personal data. I might accept IIS 6 in a heavily locked-down configuration though."

If I were you I'd be more worried about bugs in web apps than in web servers.

It's often possible to steal everything from a database directly through the web app without ever compromising the web server itself.


39 posted on 06/22/2005 10:55:33 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 36 | View Replies]

To: adam_az
Having some inside knowledge about this, I can tell you that it was not the fault of any vendor in particular, it was the fault of the negligence and incompetence of their own employees.

That seems to be the case. The CardSystems employees were negligent and incompetent in choosing to deploy Microsoft products in their data center.

eEye Digital Security has announced that they are working on the problem.

40 posted on 06/23/2005 6:54:34 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 37 | View Replies]

To: HAL9000

"That seems to be the case. The CardSystems employees were negligent and incompetent in choosing to deploy Microsoft products in their data center."

I disagree.

I'm not a big fan of Microsoft, but it's not any worse than anything else.

What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system itself is only a small part of the total attackable surface area.

My understanding is that they knew where the problems were for a long time, knew how to fix them, and just plain old didn't apply the patches or make the configuration changes that they knew needed to be made.


41 posted on 06/23/2005 9:07:10 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 40 | View Replies]

To: adam_az; HAL9000

"What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system itself is only a small part of the total attackable surface area."


Left out the part 'tell them what to fix to keep the bad guys out' :)


42 posted on 06/23/2005 9:08:48 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 41 | View Replies]

To: zeugma
No way to fully guard against brain dead users who write their password down though. Also, I'd like to look at it and see if it can be brute forced. People are really horrible about picking bad passwords. I have a program to keep track of the dozens of passwords I use regularly.

Okay...so if you don't write 'em down, how do you store the passwords for use? And don't tell me you remember dozens of randomly-generated passwords....

43 posted on 06/23/2005 9:11:52 PM PDT by paulat
[ Post Reply | Private Reply | To 30 | View Replies]

To: adam_az
Left out the part 'tell them what to fix to keep the bad guys out' :)

We'll have to disagree about whether Microsoft is the worst, but good luck to you white hat folks!

44 posted on 06/23/2005 9:19:34 PM PDT by HAL9000 (Get a Mac - The Ultimate FReeping Machine)
[ Post Reply | Private Reply | To 42 | View Replies]

To: HAL9000

The reason I say that is because the OS is a tiny part of an enterprise security posture.


45 posted on 06/23/2005 9:23:41 PM PDT by adam_az (It's the border, stupid!)
[ Post Reply | Private Reply | To 44 | View Replies]

To: HAL9000
The probe also found that the Atlanta-based payment processor did not meet MasterCard's security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form...

Then why did they have the business? In other words, they outsourced the work and had absolutely zero control over how the transactions were being processed and how the data for same were stored. This mishap is just the tip, tip, tip of the iceberg, just the tip.

46 posted on 06/23/2005 9:34:51 PM PDT by Chief_Joe (From where the sun now sits, I will fight on -FOREVER!!!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: paulat
Okay...so if you don't write 'em down, how do you store the passwords for use? And don't tell me you remember dozens of randomly-generated passwords....

Like I said in my previous message, I have a program that keeps track of all that stuff for me. I have a master passphrase that is used to unlock the datafile used for this program. My passphrase for this program is around 30 or so characters in length, with letters, numbers, and punctuation. You can think of it as one big lock to guard lots of little secrets. You'd be amazed at how fast you can type a phrase that you use regularly.

There are a number of programs that you can use for this, that will keep track of the website, username, password, and comments for any number of sites. One of the best for Windows users is Password Safe. On my Linux boxes, I use gpasman.

These programs will let you copy/paste passwords in such a way that you never actually see the password you are using. Pretty cool IMO.

NOTE: If you use one of these programs, DO NOT LOSE YOUR DATAFILE or the PASSPHRASE to unlock it or you are really screwed.

47 posted on 06/23/2005 10:37:16 PM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 43 | View Replies]

To: zeugma

Still doesn't answer my question...how can these programs "handle" your passwords when they are as hackable as anything else?


48 posted on 06/23/2005 10:46:13 PM PDT by paulat
[ Post Reply | Private Reply | To 47 | View Replies]

To: zeugma
Also...your words....

NOTE: If you use one of these programs, DO NOT LOSE YOUR DATAFILE or the PASSPHRASE to unlock it or you are really screwed.

So...what do you do...WRITE IT DOWN???

49 posted on 06/23/2005 10:47:51 PM PDT by paulat
[ Post Reply | Private Reply | To 47 | View Replies]

To: paulat
They are only hackable in the sense that any file can be brute forced. A file encrypted with 3des and a good key is as good a safe as anything you can imagine. To date there are no known attacks against 3des, blowfish, or the current AES standard. From what I've seen of the academic attacks, AES may well fall to cryptanalysis within 10 years, at least I wouldn't be surprised as some current lines of attack look promising.

I could send you a copy of my password database and it wouldn't do you any good at all. Now, if someone were to hack my system and install a keylogger, they could capture my passphrase and my data, but that is something that you can do nothing about. Sure, you run a hardware firewall, and don't open unnecessary ports, and check for trojans and the like, but someone could come up with a zero-day exploit that allows them to root your box and you are toast no matter what you do.

The most important thing IMO is to backup as often as you can, and be as careful as is reasonable. Don't log in as root or a user with "administrator" privileges. And never ever use IE to browse the internet. Windows users have a lot more stuff they need to have a box be reasonably safe like an additional software firewall, virus scanners and stuff.

My advice, if you're concerned about safety and security is to use Linux or get a Mac. You can never be completely safe and secure, but nothing else is either, so why should computers be any different?

50 posted on 06/24/2005 8:42:57 AM PDT by zeugma (Democrats and muslims are varelse...)
[ Post Reply | Private Reply | To 48 | View Replies]

