Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Would You Prefer To Send Sensitive Data?

Posted by samzenpus on from the by-armored-truck dept.

sprkltgr writes "Our HR department is implementing new software. The HR Director has tasked me with sending our data out of our network to the consultant that's loading it in to the new package. Obviously this data includes items such as SSN, name, birth date, etc. Upon being told that I would not email this data to her, the consultant asked what my security requirements were for sending the data. What would be on your wishlist for the best way to send sensitive data to someone outside your firewall?"

4 of 542 comments (clear)

  1. Re:PGP by Foldarn · · Score: 5, Informative

    If it's data to be processed and used with a database or something similar, then I'd suggest either SFTP or set up a site-to-site VPN between your 2 offices and either provide them with instructions for FTPing it off of your server or the other way around. A simple link would work as well: ftp://10.10.10.10/yourfile.csv that way it's almost dummy proof.

  2. Re:PGP by Foldarn · · Score: 5, Informative

    Correction:  ftp://user:password@10.10.10.10/yourfile.csv is the proper example link.

  3. Re:PGP by andy.ruddock · · Score: 5, Informative

    From DSA-1571-1 :
    Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

    --
    God: An invisible friend for grown-ups.
  4. Re:PGP by WuphonsReach · · Score: 5, Informative

    Yes. The Russian mafia. They have much more than sufficient resource - not merely access to supercomputers, but also access to large botnets of other people's PCs. Cracking encryption is a task well suited to distributed computing.

    Yes, these people can and routinely do crack military grade encryption, if the data is valuable enough. This data is valuable enough.

    Highly unlikely.

    What they (the attackers) are probably doing is either:

    1) Man in the Middle (MITM) attack where the source/destination players (Alice & BoB) don't properly authenticate their encryption keys. Which lets them read all of the traffic by pretending to be the other end of the stream to each player.

    2) Attacking the weak point of any encryption system - key management. Either by keylogging to obtain the passphrase, or other rootkit / cracking work to steal the private keys. Which then allows them to decrypt the messages. Getting key management correct is HARD (the devil is in the details).

    3) Suborning either Alice or Bob (i.e. bribery or social engineering). Or simply via the lead lined rubber hose attack.

    There's an awful lot of very very smart people out there who are looking at the current algorithms in use (AES, RSA, etc). If there were known weaknesses in the algorithms, we would have heard about them. Something that is encrypted with today's 256bit symmetric encryption algorithms is extremely secure for the foreseeable future (40+ years?). At least, as long as the encryption key is not leaked through some other fashion.

    --
    Wolde you bothe eate your cake, and have your cake?