Re: AES-256 and Sensitive Documents

[William Clark <wclark () WEBER EDU>]

 Admin learned a lesson,15 yrs. ago -- cusp of Computer Security and
Management. Our University had a financial aide to D.C. break-in by a
German hacker group (thank you German Lang. Dept. for the transcripts of
German). We recorded nearly 62,500 financial aide applications data
transfers, over seven years of financial info of students and parents
stolen. Had them caught at packet 1 on the drives and monitored their board
for weeks in German. We, as the Network Group had grown tired of patching
together Windows PC's all night. We started a very useful (but unfunded)
security program w/o department or higher up support.  I had recorded all
the break-in's on six 250GB drives on a BSD (now ancient) Unix sniffing IP
PC and turned it over to the FBI. They monitored the black web for the
data. Sadly, the administration wanted to cover it up to the affected
students and faculty. Even had the OK from the University counsel to hush
it. Our board of regents was contacted by me (a simple Network Eng.) and
they were appalled at the lack of integrity in the school admin. The I.T.
(Phd Education V.P. of I.T.) said "Education should never be hampered by
I.T." Make it as transparent as possible! Bad idea! The result of a third
party security audit ordered by the state regents: no formal I.T. security
rules, hand coded security code in place (YEP! DID IT -- DO IT AGAIN!),
auditing had no I.T. proficiency, and the network staff saved the butt and
a lot of grief on the behalf of students and faculty though it became a
front page story in the local city paper. Financial Aide Dept. had to send
out notices at great expense and cover credit watches for years. The
result? The Network Manager was retired early. The I.T. Vice President
fired, and School President asked to leave. Ahh, the good 'old days. I was
promoted to asst.Professor in Data Networks and transferred to the C.S.
dept. in a deal where the kept all my years at the University intact
dictated by the regents. I designed a new Computer Security Track then
retired triumphantly and with clear conscious. This is the first time the
entire story has been told.Please learn by it. wc

On Wed, Nov 28, 2018 at 12:30 PM Ronald Loneker <rloneker () cse edu> wrote:

> Good Afternoon All -
>
> Our Financial Aid office would like to have students and their parents,
> when e-mailing financial aid documents containing sensitive information, to
> comply with federal regulations saying the documents should be e-mailed
> with AES-256 encryption.
>
> Since TLS 1.3 was released and is now in use in Chrome, the TLS 1.3
> protocol uses only AES-128 encryption so we're considering asking our
> students and their parents, if e-mailing sensitive documents, to encrypt
> them with a yet to be decided encryption application at the AES-256 level
> and attach the encrypted file to the e-mail being sent to our Financial Aid
> office.  We would provide links to easy to use, free encryption software
> and provide directions on how to download, install and use it.  We are also
> considering adding this software to our computer lab images for those
> students who want to e-mail documents but don't have access to a computer
> at home.
>
> Right now, the other web browsers seem to be using TLS 1.2, currently
> operating at the AES-256 level, with Firefox and Safari saying they expect
> to move to TLS 1.3 in the near future at some point.
>
> I'm curious as to what other schools are doing, and whether they are
> putting any sort of language on their website saying that documents like
> this should be encrypted to prevent unauthorized access to the data.
>
> *Please note that I am not looking for vendor solicitations.*
>
> Ron Loneker, Jr.
> Director, IT Special Projects
> College of Saint Elizabeth
> Henderson Hall, Room 202C
> 2 Convent Road
> Morristown, NJ  07960
>
> Phone:  973-290-4229
>
> e-mail:  rloneker () cse edu