Many types of cryptographic solutions can be applied from the Application layer all the way down to the Physical layer. Often, a pen test will uncover the use of protocols that are blatantly insecure. Examples include File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), and Telnet. All these applications pass information in cleartext. The applications and protocols discussed here are all solutions that the ethical hacker can recommend to clients to help them build a more secure infrastructure.
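As an added illustration of why these four protocols are a finding, and not code from the book, the detector below runs over captured TCP segment payloads and flags cleartext protocol use, pulling out the exposed username (never the password) from an FTP login, an SMTP `AUTH PLAIN` exchange and an HTTP `Authorization: Basic` header, and naming the encrypted replacement for each. The segments in `SAMPLE_SEGMENTS` are constructed for the example; the port-to-protocol table and the helper names are assumptions made here, not anything the text specifies.

```python
"""Flag cleartext protocols and exposed credentials in captured TCP payloads.

Added example (not from the book). Each record is (destination port, payload
bytes) as a capture tool might export it. Sample payloads are constructed.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Well-known ports of the cleartext protocols the text names (assumed mapping).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP"}

# Encrypted replacement to recommend for each cleartext protocol.
SECURE_ALTERNATIVE = {
    "FTP": "SFTP or FTPS",
    "Telnet": "SSH",
    "SMTP": "SMTP with STARTTLS (or SMTPS)",
    "HTTP": "HTTPS",
}


@dataclass
class Finding:
    port: int
    protocol: str
    detail: str
    recommendation: str


def _b64(token: str) -> bytes:
    """Decode a base64 token, returning b'' instead of raising on bad input."""
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error:
        return b""


def scan_segment(dst_port: int, payload: bytes) -> Optional[Finding]:
    """Return a Finding if the segment is a cleartext protocol, else None."""
    proto = CLEARTEXT_PORTS.get(dst_port)
    if proto is None:
        return None
    text = payload.decode("latin-1")  # 1:1 byte mapping, never fails
    detail = f"{proto} traffic in cleartext"

    if proto == "FTP":
        m = re.search(r"^(USER|PASS) (\S+)", text, re.M)
        if m and m.group(1) == "USER":
            detail = f"FTP username {m.group(2)!r} sent in cleartext"
        elif m:
            detail = "FTP password sent in cleartext (value withheld)"
    elif proto == "SMTP":
        # AUTH PLAIN carries base64([authzid] \0 authcid \0 password).
        m = re.search(r"^AUTH PLAIN (\S+)", text, re.M)
        if m:
            parts = _b64(m.group(1)).split(b"\x00")
            if len(parts) == 3:
                user = parts[1].decode("utf-8", "replace")
                detail = f"SMTP AUTH PLAIN for user {user!r} in cleartext"
    elif proto == "HTTP":
        # Basic auth is base64(user:password), trivially reversible.
        m = re.search(r"^Authorization: Basic (\S+)", text, re.M | re.I)
        if m:
            user, sep, _pw = _b64(m.group(1)).partition(b":")
            if sep:
                detail = f"HTTP Basic auth for user {user.decode('utf-8', 'replace')!r} in cleartext"
    # Telnet: the whole interactive session, login included, is readable.

    return Finding(dst_port, proto, detail, SECURE_ALTERNATIVE[proto])


def scan(segments) -> list[Finding]:
    """Run scan_segment over (port, payload) records, keeping only findings."""
    return [f for port, data in segments if (f := scan_segment(port, data))]


# Constructed sample traffic: four cleartext logins plus one SSH banner.
SAMPLE_SEGMENTS = [
    (21, b"USER alice\r\n"),
    (21, b"PASS hunter2\r\n"),
    (25, b"AUTH PLAIN " + base64.b64encode(b"\x00bob\x00s3cret") + b"\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"carol:letmein") + b"\r\n\r\n"),
    (23, b"login: "),
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),  # encrypted transport, not flagged
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SEGMENTS):
        print(f"port {f.port:<3} {f.protocol:<7} {f.detail} -> use {f.recommendation}")
```

The detector deliberately reports usernames only and withholds passwords, so its output can go into a report without re-exposing the secret the finding is about; on real captures, feed it the reassembled TCP payloads rather than raw frames.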
Banks Need Encryption Too!
The use of cryptography is no longer a privilege reserved for governments and highly skilled specialists, as it is becoming available for everyone. For hundreds of years, secrets have been kept in many forms. For electronic information, math is the underlying tool to keep a secret. People use secrets for privacy, trust, access control, electronic payments, corporate security, and countless other items.
The bottom line is that everyone, every day, needs a way to securely communicate over open hostile channels with the use of plaintext. Secrets make up a large part of our daily activity. For example, I work online with my banker. Recently, she sent me a plaintext email message over a clear, hostile, open channel on the Internet. My bank balance was in the message. Not a huge security risk, but a risk nonetheless. It was information I intended to keep secret, and she made my private information public.
I helped myself and her when I asked if she could make our correspondence a secret. She said she had never had that requested before, which was unusual because she works for a well-known bank. I explained how we could use a shared secret password to encrypt the information, and she agreed; now she has a way to keep private client information secret.
Solutions such as PGP and password-protected documents are easy to use and implement. Take time to share your security knowledge. Help those without the benefits of computer security exposure and experience.
This "in the field" segment was contributed by Sondra Schneider. She is an 18-year security industry veteran and the CEO and founder of Security University.
Figure 12.12. SSH Handshake.
Enabling EFS encryption at the folder level, rather than on individual files, prevents attacks against the efs0.tmp file. A good place to start is the My Documents folder, because documents saved there are then encrypted on the fly.
Encryption Cracking and Tools