Blog Details for "Technology Security"
Technology Security is an industry blog that comments on the latest innovations and issues in the information security sector.
Articles
VA vs USB
2007-06-26 15:25:00 This is a little stale but I wanted to talk about it anyway. With their latest actions, I believe the Department of Veterans Affairs is quickly becoming the poster child for reformed data loss victims. (It is important to note that, in this case, the data was eventually recovered.) The VA announced a few weeks ago that they have purchased 25,000 USB drives with built-in encryption from Kanguru. The built-in AES-256 encryption will help ensure that only authorized users can gain access to the USB drive and will prevent another major meltdown if one is lost or stolen. Also, it should be noted that Kanguru says that they can prevent users from attaching the devices to the network based on a device identification number. I believe that this is a great step but one that must be accompanied by some level of control. I have stated in this blog a number of times that a policy without the means to enforce it is just window dressing. So, kudos to the VA on a positive st...
Shameless Self-Promotion
2007-06-25 21:07:00 Since I only do this blog for my own narcissistic pleasure, won't you please go to Austin's "Best of" poll and vote for me as the best blogger? Many humble thanks, my friends! http://www.austinchronicle.com/feedback/bestof/07/ Michael Mongold
Quicken backdoor outed...
2007-06-25 17:45:00 A Russian firm, ElcomSoft, is now selling a password recovery tool that helps you gain access to Quicken, Quicken Lawyer, and QuickBooks for only $99 for a commercial license. ElcomSoft gained access to files encrypted by Quicken's software by discovering a backdoor that Quicken had placed in their software for password recovery scenarios. ElcomSoft discovered that Quicken had implemented a 512-bit RSA key. After factoring the key, ElcomSoft promptly moved forward with a solution that can instantly remove the passwords protecting Quicken files. The result is that, if placed in the wrong hands, this product could potentially expose a number of customers' very sensitive data to competitors and the public alike. Quicken has responded that they take this threat seriously and are working on resolving the issue. Until they have provided a workaround for the backdoor, make sure you keep a tight hold on any Quicken documents. Michael Mongold
Senforce integrates encryption into NAC
2007-06-21 18:43:00 Senforce announced on Monday that they will incorporate data encryption into their NAC offering. Back in March, I suggested that a natural evolution of encryption and NAC would eventually bring the two together. Kind of like chocolate and peanut butter. Now, Senforce is making a play in that direction. I'll spare you the trauma of reading their press release. Suffice it to say that after they finish huffing about how they are the leader and all that (you know, the usual press release BS), they eventually say a little bit about how they are planning to prevent "thumbsucking", a term that they are a little overly proud of creating. (Thumbsucking refers to data that is "sucked" off of corporate devices and onto USB drives. The term "slurping" has been around longer and refers to programs that automatically search for certain file types on a hard drive and pull them over to an iPod or other removable device when it attaches to the computer.) So, verbiage aside, I am glad t...
Government buys encryption
2007-06-20 18:07:00 Can I get an "Amen?" The General Services Administration just announced that they have selected 10 data encryption companies to "guard sensitive, unclassified data that reside on laptops, mobile computing gadgets and thumb drives." The ten companies are: Mobile Armor's Data Armor; Safeboot's SafeBoot Device Encryption; Information Security's Secret Agent; SafeNet's SafeNet ProtectDrive; Encryption Solution's SkyLOCK At-Rest; Spyrus' Talisman/DS Data Security Suite; WinMagic's SecureDoc; CREDANT's CREDANT Mobile Guardian; GuardianEdge's Data Protection Platform. It is an interesting line-up of encryption vendors, with some of the usual suspects included, a few that made it from out of left field, and a few notables that were left off. Of the surprises on the list: Information Security, a small player who caters to the federal space; Encryption Solution, for which finding information was like pulling teeth. Not much of a presence in the market. However, with go...
Ohio mess could have been prevented...
2007-06-19 21:54:00 This may be hard to believe, but experts are saying that IF the data stolen from Ohio had been encrypted, it would have prevented the worries they are going through now. Uh, yea. No kidding. Oh, well. More fodder for the bloggers and newsies to write about. There certainly seems to be no shortage of it. The plus side of this is that these big, very public losses are helping divert attention from the smaller losses that are occurring every day. So, if your company has any data theft that it needs to report, try to time it around another data theft that is a lot larger. Most likely the news outlets will only run one story on data theft that day and choose to run the other company's screw up. Bonus points if you report this late on a Friday. I should be a political spin-meister. Of note is Gov. Strickland's stance that Ohio "maybe should have considered encrypting the data". Regardless, he believes the data is still safe because it should be difficult to use the data on the...
Find the Phish
2007-06-18 18:19:00 My fiancee forwarded an e-mail she received today from a bank that she does not use. The e-mail stated that the bank had locked her online access and needed some information from her. Here is the gist of it: "Dear customer, Your access to Online Services has been suspended. Due to a miss-match access code between your Site key information. To enable you continue accessing your online account it will only take you few minutes to re-activate your account. Click on the link below and you will be taken straight to where you can activate your account." It goes on to provide a link to the bank, which if investigated shows that it actually points to a link at MISIONCRISTIANAELIMHN.com. Performing a quick check at dnsstuff.com shows that it is registered to Solucion Logica in San Pedro Sula, Cortez, Honduras with Julius Barber as the technical contact. Continuing along this path, I visited Solucion Logica's website at www.slogica.net and found that they are currently having prob...
Ohio State Employees Show It All
2007-06-15 21:09:00 An employee for the state of Ohio lost a CD containing the Social Security numbers and "other" personal information for ALL 64,000 Ohio state employees. Now Governor Ted Strickland has stepped in and issued an executive order to change the way data is handled. I did a quick search to look at who had picked up this release. It was on the top of MSNBC's website under the heading "Also Making Headlines". ABC, the Boston Herald, Baltimore Sun, Forbes, Houston Chronicle, and over 130 other news outlets decided that this was important enough to announce. Not the kind of headlines you want to make. So please take a moment and visit this site. It is the Governor's office announcement and a copy of his executive order. I believe they are handling this very well and I completely approve of the steps they are taking and the immediacy they are giving this issue. Among the steps is a change in their completely BONE-HEAD methodology of storing this data off-site. That alone should get s...
When Richard Clark Speaks...
2007-06-13 18:10:00 ...I hope that your ears perk up. Mr. Clark has been in the tempest of security on many levels over the past few years. His experience working with four different presidents and the inner machinations of the federal intelligence network has given him an authoritative perspective on the legitimate threats that organized and motivated individuals can present to all organizations. Now Richard Clark has come forward to push something near and dear to my heart, data encryption. You can read the article for yourself but I have to point out this one comment by Mr. Clark: "It's about what you don't know, or what you don't see or can't prove. Industrial and national espionage is happening daily on a massive scale. Your databases are being stolen and copied, and just because the evidence isn't in front of you doesn't mean it's not a problem." That pretty well sums it up. People are losing data on a scale that they don't even understand. Criminal organizations are di...
So long and thanks for all the fish!
2007-06-12 18:48:00 Checkpoint performed some research that shows when most people leave a company, they take some amount of company data with them. This seems to be fairly intuitive. I am sure that a number of people will forward contacts that they want to stay in touch with or maybe examples of their work for their next position. And I suppose some would take data for malicious intent as well. But as someone who has been tasked with ensuring that the integrity of the data within your organization is kept intact, how do you ensure people leaving your company leave the sensitive data behind? Well, quite honestly, that's not an easy task. Without some form of certificate-based access that allows for centralized access and permissions to documents, there are few ways to expire that information once it leaves the confines of your network. There are a few software packages that can allow you to wipe a document after a certain period of time and then there are also the programs that require the documents t...
The times they are a-changin'
2007-06-07 17:33:00 Today, we are at a point in the technological evolution of encryption that is unparalleled. In the past, encryption was relegated to government or military organizations only, due to the cost and expertise involved in the encryption/decryption process. However, now we are seeing the most advanced encryption technology available being used by consumers on a global scale. This could not have come at a better time. Nowhere in our past has so much information been so readily available to all that would look for it. And now the problem is becoming apparent that in a number of circumstances, data is too readily available and not enough is done to ensure that proper authorization is given before access is permitted. The pendulum has swung to the other side and organizations find themselves scrambling to rein in the generous amounts of access that once existed. As different organizations have responded to the clamor of their personnel for the ability to have more access ...
Insult to injury
2007-05-10 23:55:00 Ah, the poor, often maligned TSA. It really hurts that they lost a laptop containing the names, Social Security numbers, birth dates, bank accounts, and routing data of 100,000 of their past and present employees. Now, they are being sued by their employee union for being lax on security. It's never a good sign when a government organization that has the word Security in it is being sued by its own employees for a LACK of security. That is just not very reassuring. But, hey, at least they caught the fact that I had a button fly on my last trip to SF. Just kidding, Kip! I'm probably already going to be audited for my comments on the IRS; I don't want to make my traveling any more convoluted than it is. So, back to the lawsuit: The American Federation of Government Employees' national president, John Gage, stated today that the TSA's "reckless behavior is clearly in violation of the law." Besides facing a lawsuit (only one so far) and looking incompetent, th...
The most dangerous device
2007-05-09 17:25:00 Thumb drives have been listed as the top security concern by a recent poll of 370 IT professionals. And for good reason: if your organization fails to frisk and search every person that enters and leaves your buildings for removable media, you may be exposing yourself to a large data loss in the near future. Of course, a trade-off must be made between what is an acceptable level of intrusion into your employees' personal space and the amount of risk you are willing to assume. Some employers would have a difficult time keeping their positions filled if they burdened their employees with complex and aggressive physical security measures, while other organizations, such as Sandia National Labs or the National Security Agency, come with certain expectations that security is going to be taken to another level. Regardless, some measures to address this issue must be taken. According to the market research conducted by Centennial Software (bias alert - they manufacture a soluti...
The Universal Adoption of Encryption
2007-05-08 18:01:00 The magnanimous Nigel Dessau, SVP at Sun, has decided that the world of encryption would be a better place if everyone just agreed to get along. And to show his sincerity, Sun is giving away their Key Management System! Well, technically they are just opening up their APIs so you can connect your encryption product into their KMS, but it's a start. IEEE has been working a number of years on a standard for key management identified as IEEE-P1619. P1619.0 refers to a disk storage standard, P1619.1 identifies a tape storage standard, and P1619.2 addresses wide-block encryption standardization for disk drives. These are, of course, important steps. Encryption will eventually be a ubiquitous technology requiring a heterogeneous environment which will allow all of the different players to work together. We are slowly rapidly approaching an encryption cloud that will encompass all devices and protect any and all sensitive data. This results in...
TSA Security - Not So Much
2007-05-07 17:49:00 Our government certainly knows how to set an example for its citizens. Ok, maybe more as an example of what not to do, but I'm trying to put a positive spin on this somehow. It appears that the friskers have lost a laptop containing "personal, payroll, and bank information of 100,000 current and former workers" of the TSA. Can I get a "D'oh!"? The laptop contains "employee names, Social Security numbers, birth dates, and bank account and routing information". Obviously, the FBI is not going to be of much help since they lose nearly three laptops a month themselves (a few years ago they lost nearly eleven a month!). Actually, the FBI may need to look at the TSA as an example because at least the TSA knows what was on the laptops they lost. (Of course, I am not sure how confident we can be in the TSA's mea culpa at this point) Funny Scary sidenote: One of the laptops lost in the Boston area included software for creating FBI identification badges. And if we look t...
Crossroads / HP Encrypts!
2007-05-04 18:52:00 HP Encrypts! First, let me give a big "Kudos!" to our friends at HP. It is good to see another computer manufacturer "get" the importance of hard drive encryption. Also, congrats to SafeBoot for getting in there and making the deal happen. I know from firsthand experience that can be an extremely tough battle to wage. According to the information I've seen, it looks like they are pushing PBA, which I feel is not worth the inconvenience. Kind of like the whole TPM integration, but that's just me. Regardless, I think it's a great step for HP and their customers. Hopefully we will see others follow Lenovo's and HP's lead... --- Crossroads Last week I had the opportunity to discuss tape backup encryption with a local Austin company, Crossroads. I was very impressed with their line of products and how solid their presentation was. I specifically liked their agnostic approach to encrypting whatever tape backup system a compan...
GSM Encryption
2007-05-01 22:14:00 There have been some high profile cases of eavesdropping or wiretapping involving cellular phones in Italy recently. While this hasn't quite exploded onto the US scene yet, it isn't much of a stretch to envision some organization that would go to those lengths (think Wal-Mart or HP's little faux pas). Of course, I mention this because there is a solution that is available to help head this off before it even becomes an issue. Cryptophone makes a device that can encrypt all GSM traffic to and from the phone. I suspect that over the next couple of years you will be hearing more about this technology and the exploitation of it. It goes without saying that any method of communication that conveys data that is considered sensitive or personal in nature can and will be exploited. It is only a matter of time... Michael Mongold
Study shows weak encryption adoption
2007-04-27 17:13:00 Generally, when I see a study come out that is performed by some group or institute for a player in the field that is being surveyed, I am often skeptical of the results. It is just hard for me to see the propriety in it. However, in a recent study by the Ponemon Institute performed for PGP, I found myself shaking my head in disbelief for another reason: There is no way that nine percent of companies have a comprehensive encryption scheme. I would say one in one thousand would be an exaggeration. I must assume that the responding organizations' concept of a comprehensive encryption scheme and mine are far different. I believe that if you looked solely at whole disk encryption on laptops we would still be at a one in one hundred ratio. Once you figure in the other places that sensitive data can reside in an organization, I believe you will find that the ratio starts to really stretch out. That's not to say that many organizations are not pursuing a larger role for the encryption...
Encryption Cloud
2007-04-25 23:33:00 I have been speaking to some of my clients over the past few weeks about an "encryption cloud". It is the idea that there are many different ways that data can escape from an organization and to protect that data requires a larger approach than just whole disk encryption. Right now, many companies and agencies are just trying to get a handle on all of the laptops they have that leave the relative safety of their offices every day. This is a great first step and one that should not be procrastinated on. However, any security policy is only as good as its weakest link. Unencrypted PDAs, CD-RWs/DVD-RWs, thumb drives, iPods, P2P software, etc. represent paths along which large amounts of sensitive data can quickly appear in the wrong hands. That is why you see different encryption manufacturers producing a wider variety of solutions to try and stem all of the leakage points. Secure E-mail, encrypted network shares, tape and database encryption are all are...
Cancer patients' data stolen...
2007-04-20 18:17:00 Thieves have no conscience and this is definite proof of that. I believe it also shines a light on the fact that we have a tendency to minimize the risk of having unencrypted devices that may not seem so portable. What is more likely to have sensitive data on it? A laptop or a server? The answer will typically be a server. Of course a laptop has a higher likelihood of being lost or stolen, but those are usually more a crime of opportunity whereas someone that steals a server is out to perform some serious damage. I believe that you need to prioritize your devices by sensitivity of data and probability of loss. If you weigh both elements you might find that certain segments of your mobile workforce AND certain segments of your desktops/servers need to be addressed first. If you have groups within your organization that are at an elevated level of exposure or have information that is significantly more sensitive, then consider deploying a solution that address...
Encrypted world
2007-04-12 21:27:00 I initially wanted to write today's blog about Disk Encryption and Pre-Boot Authentication but quickly realized that I would never get it published today due to my preparations to be in Galveston this weekend and Detroit all of next week. So, I will just hit on a point that is beginning to ring louder and louder for many organizations. All information is becoming electronic. Yea, everyone knows that. However, it's not just that more devices are now mobile and have the capability of carrying more information, but it is also the fact that more information now resides in an electronic format than ever before. As Richard Moulds points out in his article today, everything from gambling machines to new projectors in movie theaters deal only with digital information. What's the security spin? Before we started storing all of our documentation in digital media, someone needed physical access to the information in order to acquire it. I couldn't steal a document off of your desk at y...
Encryption and Live CDs
2007-04-11 20:30:00 I was reading a great article this morning written by Dr. Eric Cole titled "The Secrets of Laptop Encryption." I think that the article is a great place to start if you are trying to bring yourself up to speed on encryption and how it works. Also, it discusses some of the caveats of encryption and where some of the pitfalls (in what I call encryption confidence) can get you burned. One example of encryption confidence that Dr. Cole produced was of an executive that lost a briefcase with an encrypted laptop inside. Initially the security team at the executive's organization was happy to dismiss the lost device because they had the foresight to encrypt the hard drive. But then they discovered that a PDA was also in the briefcase, unencrypted, with the same passwords that the executive used on his laptop. Thus the PDA became a potential threat vector for the data on his laptop. Most organizations do not see the PDA as a high enough threat to warrant attention at this phase of t...
Burn me twice, shame on me...
2007-04-10 19:43:00 IT Policy Compliance Group has released a report showing 68 percent of companies lose sensitive data each year and have sensitive data stolen six times a year. Sadly, twenty percent of those companies lose sensitive data... (are you ready for this?) - twenty-two times OR MORE per year. Hmmm. To quote the Captain in Cool Hand Luke, "What we have here is, a failure to communicate." Apparently, quite a few organizations do not look at data protection as an essential business practice. The first part of a solution for data protection is the technology. Anyone who has worked on their car or had to perform some handy work around the house knows that having the right tool makes all of the difference. Data security is no different. The second part to the technology is the resources. Without people to confirm that the technology is implemented properly, the solution is incomplete. Assessments and processes are what separate the chaff from the wheat in th...
Whoa there, encrypted traffic!
2007-04-09 18:11:00 So for quite some time now, Rogers Communications in Canada has been shaping their traffic and that should be no real surprise to anyone. QoS is a common process in MSOs and this is how it has been for a number of years. But Rogers is now on a path to make traffic shaping much more well-known to our neighbors to the North. P2P networks generate beaucoup traffic and suck up a lot of bandwidth for organizations like Rogers, Time Warner, Comcast, etc. To combat this issue, a number of years ago they started de-prioritizing packets that looked like P2P traffic. In response, this led P2P organizations to begin encrypting their traffic to obscure its content from prying eyes. So, to beat the miscreants at their own game, Rogers has decided that their response is to de-prioritize (thus slow) encrypted traffic. Jeepers! Apparently Rogers' zeal for cleansing its network of P2P traffic has blinded them to the collateral damage that might be generated by...
Dangers of working mobile
2007-04-07 01:30:00 Just a little tidbit from "News of the Weird" before you get out there on the roads for the Easter weekend... "California Highway Patrol officers at the scene near Yuba City, Nev., said the 28-year-old driver that crossed into oncoming traffic and fatally crashed into a Hummer in February was, perhaps, working at his laptop computer while driving. Though the screen was shattered in the crash, the computer was open in the seat beside him and plugged into his car's cigarette lighter. [Los Angeles Times-AP, 2-27-07]" The perils of the mobile workforce continue to grow. So, make sure you practice safe computing and have a safe and happy Easter weekend! Michael Mongold
Who will audit the auditors?
2007-04-06 18:29:00 There is an alarming interesting report that has been published by the Treasury Department. This report details how the Internal Revenue Service lost or had stolen nearly 500 computers over a three year period (2003 to 2006). The document went on to state that a separate investigation conducted by the Treasury Inspector General for Tax Administration revealed that, out of 100 IRS laptops, 44 contained unencrypted sensitive information. There are other issues that were evident to the Inspector General, such as the fact that sensitive data was not always encrypted on flash drives, CDs, and DVDs, a lack of education and awareness of encryption policies, and incorrect configurations on the devices that allowed the inspectors to bypass the current security controls. And for the sake of brevity, I will not even go into the issues found involving securing backup media and user provisioning. Once again we find a large organization that is overwhelmed by the burden of controlling sensitive ...
NAC it in the bud
2007-04-04 18:32:00 Purely on the merits of prose alone - Stiennon 0, Hoff 1. Of course, I have to wonder what Richard was thinking when he wrote his self-congratulatory post on Tuesday. Now, I will not be able to wax as poetic as Christofer Hoff. Alan Shimel has already deferred to the points made in the verbose retort at Rational Security. However, I would like to add a word or two to the fray. First - I do not think that the steps made in the exploit were "trivial". Roecher and Thumann followed a sound methodology to spoof the CTA and followed that process to include even reporting false information regarding the state of Trend Micro on the device. Great job, guys! Second - Cisco has known about this vulnerability and has responded that through 802.1x this issue goes away. Hmmm, yes, but that doesn't really help the vast majority of organizations out there, does it? That was a rhetorical question. Third - although Cisco has received some negative press for this, I would like to s...
Where's Waldo?
2007-04-04 00:48:00 Lately, I have started to hear more noise around tracking lost mobile data devices. I know of a few very large deployments of Absolute Software's Computrace that have worked well integrated with Utimaco through Dell. zTrace provided a similar service to their customers but for some reason is not running in the US, Canada, UK, Germany, or Australia anymore (if anyone knows what the story is, let me know). I mention mobile tracking because there is an interesting article about how the U.S. Department of Energy's Counterintelligence Directorate is "missing 20 computers that may contain classified data." Now for any sufficiently large organization, losing 20 laptops is no big deal; just look at the average of forty a year that the FBI loses. Luckily, the FBI can confirm that only 10 contained sensitive data and that only 51 others may have contained secret data. Whew, that's a relief. Considering they lost 317 laptops from 2002 to 2004, it appears they have really gotten a ...
Where do you stock your silver bullets?
2007-04-03 16:11:00 Continuing a steady stream of articles written on the TJX data loss extravaganza, Lisa Vaas expresses her belief that encryption is not a silver bullet in her article "Why Encryption Didn't Save TJX". For starters, I suppose there should be few members of the technology industry shocked to find there is not a silver bullet that solves the problem of thieves trying to abscond with user data. While I do not want to minimize the difficulty, delicacy, and expertise that is involved in securing the backend processes involved in an organization as large as TJX, I believe that is where the issue resides. I do not believe an informed security analyst will arrive at the conclusion that encryption is at the bottom of this whole mess. Ultimately this was a failure of processes not being properly designed and/or implemented. The thieves had the decryption key! That tells me something broke somewhere and in a very important way. That doesn't tell me that encryption is the problem, but that in...
Disk Encryption and NAC
2007-03-30 22:40:00 The integration of disk encryption and network access control is something that I have been preaching for a while and I thought we were starting to see a little bit of that here. Unfortunately I don't see anything with that combination that isn't already available from a number of other encryption vendors. Ultimately, we will see network access control providers that are able to allow/disallow devices that are connecting to the network based upon the encryption status of the hard drives. Why? Because encryption is hot right now and if NAC providers can piggy-back onto that technology they might be able to push a few more sales. At some point organizations are going to want to ensure that all their devices that are connecting to their network are encrypted. NAC can easily provide that functionality. This will allow organizations the ability to segment non-encrypted devices to areas of the network that are free of sensitive data. I'm calling it out, let's see wh...