By Osvaldo Callegari
That is why the basic need to have the information secured promises to be preponderant in the field of communications, precisely because of this need is that encryption, a model with different branches of application, has been of vital importance in the protection and control of data. Because there are currently new threats and modalities of information theft, we will show in different installments the existing forms of protection.
Digital signature
In order to understand the digital signature, we offer some concepts of the undersecretary of PKI information in Argentina. Following this we cite a case study in the city of Salta, Argentina.
What is the digital signature? This is a technological tool that guarantees the authorship and integrity of digital documents, allowing them to enjoy a characteristic that was only typical of paper documents. A digital signature is a set of data associated with an electronic message that guarantees the identity of the signer and the integrity of the message. The digital signature does not imply ensuring the confidentiality of the message; a digitally signed document can be viewed by other people, just like when it is signed holographically.
How does it work? The digital signature works using complex mathematical procedures that relate the signed document with the signatory's own information, which allows third parties to recognize the identity of the signatory and ensure that the contents have not been modified. The signer generates, through a mathematical function, a fingerprint of the message, which is encrypted with the signer's private key. The result is what is called a digital signature, which will be sent attached to the original message. In this way, the signatory will attach to the document a mark that is unique to that document and that only he is capable of producing.
To verify the message, the receiver will first generate the fingerprint of the received message, then decrypt the digital signature of the message, using the signer's public key and thus obtain the fingerprint of the original message; if both fingerprints match, it means that there was no alteration and that the signatory is the one who claims to be.
In the elaboration of a digital signature and in its corresponding verification, complex mathematical procedures based on asymmetric cryptography (also called public key cryptography) are used. In an asymmetric cryptographic system, each user has their own key pair. These two keys, called private key and public key, have the characteristic that although they are strongly related to each other, it is not possible to calculate the first from the data of the second, nor from the documents encrypted with the private key.
The system operates in such a way that information encrypted with one of the keys can only be decrypted with the other. In this way, if a user encrypts certain information with their private key, anyone who knows their public key can decrypt it.
Consequently, if it is possible to decrypt a message using a person's public key, then it can be claimed that the message was generated by that person using their private key (proving their authorship).
Case Study
The newspaper La Gaceta of Salta, Argentina, reported an important advance that occurred in that city in the face of the issue of digital signatures, "Salta will take an important step in technological matters when, soon, it implements the digital signature of the decrees. In this way, it will become the first province in Argentina to use this novel system. The announcement was made by Governor Juan Manuel Urtubey during the opening of the Third International Meeting on Broadband and Cablemodem, which is being held at the Sheraton hotel in that capital." {mospagebreak}
We can say that the digital signature guarantees the origin and validity of a message or certain information, but it does not ensure that it cannot be stolen. In some ways it is the way to go of the data with procedures approved before certifying authorities.
There are also other systems, equipment and companies that allow to provide security to the information, in such a way that only authorized persons can access it. To touch on this specific topic, we will present a case study to see what companies do and what tools are available to protect information from different threats.
Protecting us from Phishing
Company analyzed: Macroseguridad.org
Product: BioPass 3000 Token
It is a biometric device for portability of digital certificates and univoca authentication of users, with the addition of the functionality of cryptographic devices called USB Token as a decisive tool in the fight against identity theft, phishing and pharming.
Antidote: Defense against phishing
Phishing is a form of scam designed to obtain critical information from unwary users. Different virtual criminals are increasingly using so-called botnets (groups of computers over which they have control) to launch untraceable spam phishing attacks. The number of phishing and pharming scams is growing overwhelmingly day by day.
Main functions:
•Full support in Spanish in Latin America of software and manuals
•Microsoft platform support ®
•PC access with biometrics
•Support for LINUX® platform
•Remote desktop authentication by biometrics and PKI
•Imports certificates in PFX, P12, P7B, CER format, supports any PKI application based on the X509v3 standard.
Recommendations:
1)-Never respond to emails requesting financial information and personal data, in any case contact the institution by phone.
2)-Visit the sites of the banks by typing the URL in the address bar of the browser
3)-Keep a record and carry out a regular check on your accounts
4)-Check that the website being visited is safe.
5)-Keep your PC safe and install all corresponding updates to improve security.
6)- Inform the banking institution about any type of suspicious activity.
7)-Start requesting a robust method of authentication and digital identity portability.
8)-Further reading.
Composition:
The BioPass3000 Token has a security mechanism of three (3) levels of fingerprint scan (fingerprint scan) high, medium and low, which the administrator can adjust according to the characteristics of the user, it also has a "Fingerprint Tour" tool that facilitates through examples the realization of a comparison to know if a correct registration of the In addition, it has two LEDs to be able to visualize when you ran the registration of a fingerprint, or when I check the status of the token.
Another important feature of the device is that it does not need batteries, its power source is the USB port of the PC. Connecting the device to the PC is done via a Mini USB (USB adapter cable provided by Feitian Technologies). It has an anatomical design in a shock-resistant plastic and of a size that would allow you to carry it on a keychain.
Commentary with technical support:
"Criminals are using combined attacks — which bring together various e-crime techniques — to steal identities and hijack systems, often deceiving even the most experienced users. Financial services sectors are the most affected by these types of tactics. Many times these criminals create sites that almost perfectly imitate the legitimate portals of banks, causing users to fall into a trap in order to provide sensitive information such as password, user ID or other information on this portal. " Diego Laborero, RPM of MacroSeguridad
The brands and products mentioned are registered brands and products of their own companies.
The contribution of the Undersecretary of Public Management of Argentina in PKI, Diego Laborero RPM of Macroseguridad.org and the SANS organization is appreciated. Org. For promotion or advertising of products in the field communicate with the publisher of the magazine.
*If you wish you can write to the author at the email: [email protected]
Organizations dealing with the problem: Sans Org
According to SANS there are several cases of decoys for phishing that we are going to cite below.
The case of email
The Lure: An email or drop-down message that claims information from a company or organization to which you are related, it can be an Internet provider, a bank, an online payment service, or a government agency.
The message may require you to update your details, your bank account, confirm your information or it will have unpleasant consequences.
Deception: This is an Internet fraud where the primary intention is the theft of information from your personal data, bank accounts and / or credit cards.
Security policies: It should be your policy to never reply to emails of these characteristics or accept drop-down windows. Do not use the cut-and-paste message links within the browser. Do not call the phone numbers shown in the notice. Using an antivirus and antispyware combined with a firewall and keeping them up to date can help. Phishing emails can be sent for analysis in [email protected] and the organization listed in the link.
The case of "Work at Home"
The lure:
Promises of a work of high profitability and minimum effort. With drop-down windows that include offers like quick money, minimal work, plus tips on why working at home is convenient for you.
The deception: Advertisements don't tell you that you should work long hours without pay or the hidden costs that come with the promotion of photocopying, placing advertisements or buying items to start work at home. Once all the time and money is invested, you claim them from the promoters, who refuse to pay you because you do not meet the required quality standards.
Security policies: The process commission has not yet found people who have become rich by sending letters or assembling magnets at home, which is why before making a work agreement you must be clear about the following premises:
You should know: exactly what the program is and its scope, how much you will be paid, the tasks you will perform, the totality of the costs of the program. Verify the veracity of the information of the current workers listed in the proposal.
Leave your comment