Welcome to the SecAware blog

I spy with my beady eye ...

29 Jun 2008

Are you using TPM yet?

Secure Computing Magazine explains what the Trusted Platform Module (TPM) is, and what it can be used for. It stops short of explaining how to use it but has links to other sites that do so.

The TPM is a hardware crypto module on a chip, pre-installed by the manufacturers in ~100 million PCs. Being hardware based makes it more resistant to attacks than pure software based crypto systems - note 'more resistant to' not 'totally secure against'. I'm sure it's only a matter of time before some enterprising hacker hacks the TPM, perhaps using side channels (e.g. power consumption) or electron microscopy, attacks that have worked to some extent against smart cards. Meanwhile, TPM is considered stronger than normal software-based password vaults etc.

Here's a list of the top 10 uses for TPM, extracted from the article:

1. Multi-factor authentication.
2. Strong login authentication.
3. Machine binding.
4. Digital signatures.
5. Password vaults.
6. File and folder encryption.
7. Strong client/server authentication.
8. Network access control.
9. Endpoint integrity.
10. Trusted client/server security.


28 Jun 2008

New awareness module on infosec risk management

We've just released our latest security awareness module on "information security risk management". The title is deliberately a bit ambiguous - in fact it cover mostly risk management in an information security context, plus a bit of information security management and a sprinkling of IT operations for good measure.

Identifying and managing information security risks is of course a key objective for information security managers. The module dispenses sage advice to managers and IT professionals on exactly what is involved in the infosec risk management process. For general employees, we emphasize the "What's in it for me?" aspect by drawing parallels between managing infosec risks at home and at work.

You'll need to subscribe to NoticeBored to see the whole module in all its glory, and receive another one each month. We work this way to encourage customers to deliver rolling/continuous awareness programs. It seems to us a month is long enough to put across the essentials of any information security topic (potentially in more depth than any other awareness program we know of), yet short enough to avoid everyone getting totally bored by the same old same old. Next month we'll move on to a new topic (information security governance), hopefully before the eyelids start dropping and the posters disappear into the background.

We're clearly passionate about our approach to security awareness but keenly aware that we don't have a monolopoly on the subject. Please email me (Gary@isect.com) or comment on this blog if you have other security awareness ideas or approaches that work for you. We'll gladly acknowledge your input if we take up your ideas, and maybe something more substantive will find its way to your inbox as our way of saying thanks.

25 Jun 2008

Information cards

The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers.

Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to login in the conventional way. Other information such as your shipping address can also be retrieved automagically.

So far, this sounds reminiscent of cookies (oh no!) but presumably those 'thoughtful designers and architects' have been beavering away on the security and privacy aspects. The Information Cards Forum website doesn't actually say much about the technology, unfortunately. Perhaps they've thought through the use of powerful encryption algorithms, long keys and solid protocols. Maybe they've considered shared and public PCs, cross-site issues and more. Perhaps this time they'll get it right.

If you change your address, you only have to update it in your personal data store, and all the relationships you have established with your Information Card will be updated automatically.


'If a hacker changes your address, they only need to update it in your personal data store and all the sites that use your I-Card will use the hacked version'. I wonder if the automation will be such that the user never even notices that his bank statements and goods ordered online are now being delivered to a strange PO box address half way across the country?

Use "I-Cards" to:

- login to websites with a single click

- create relationships with those you want to do business with

- manage your personal data in one place that only you and those you allow have access.

- wield the claims that other people and institutions say about you.

- prove that you are who you say you are without revealing details using trusted identity providers.

The first bullet - single click website logins - and several others on the list can be achieved already with all manner of browser-integrated password vaults.

I have no idea what bullet 4 means by "wielding claims". I understand you can wield an ax but not a claim.

The last bullet presumably implies the use of digital certificates and PKI. So that's alright then. No issues there.

I'll be interested to see how this initiative pans out. So far, it looks suspiciously like a vendor-backed "solution" looking for a market demand. Claims to the effect that the ICF will develop vendor-independent standards (for interoperability among, presumably, the ICF members) hint at the real objective here. Get something to market (or rather, 'launch the concept') and start building the I-Card brand before some idiot has the temerity to point out the flaws.

23 Jun 2008

Password protected =/= Encrypted

At last! Indiana has seen the light!

A new Indiana state law comes into effect on July 1st mandating disclosure of breaches involving loss or theft of laptops containing personal data, even if the data are 'protected by a simple password' (such as a normal Windows or Linux login password, presumably).

"Public Law 136 (House Enrolled Act 1197) requires businesses to notify consumers when any of their personal information is contained on a laptop that has been lost or stolen unless that information is encrypted," Pierce said. Current law does not require consumers to be notified about a lost or stolen laptop if personal information about them on the laptop is protected by a simple password.

The article goes on to explain that 'a simple password' can be compromised by brute force attack, which is often true but is not really the point. A hacker with unrestrained physical access to a laptop could remove the unencrypted hard drive, install it on another system and access all the data. Or they could run one of the 'retrieve lost admin password' utilities, typically booting the laptop from an external boot drive or compromising the system's Firewire connection etc.

Unfortunately, the article doesn't make it clear that brute force attacks might also work against the password/passphrase commonly used to secure encryption keys. Multifactor authentication, for example using biometrics or token in addition to the usual user password/passphrase, would make a significant difference, along with tamper-resistant hardware protection for the keys themselves (e.g. the "Trusted Platform Module" or cryptographic smart card). And even then, there are potential attacks if the attacker has sufficient resources, skills and experience.

I haven't read the statute but I'm curious about how it defines 'encrypted'. For example, does it mandate AES with a 256 bit key or would DES with a 56 bit key, or even a Caesar cypher with key of 5, be considered good enough? Defining such things in law would be tricky since the state of the art is moving along constantly. Caesar's cypher was considered good enough 2 millennia ago.

Continuing this line of thinking leads to the inevitable conclusion that personal data cannot be totally secured on a laptop or other device to which an attacker has unrestrained physical access. So, perhaps businesses that lose encrypted laptops containing personal data should come clean anyway since they can still rightfully state that the data were protected by encryption.

Previous posts on this topic: Password protected =/= hacker proof and "Password protected" again

14 Jun 2008

Lack of awareness in awareness

A survey by CompTIA on security for mobile IT devices reveals the continuing lamentable and rather puzzling lack of investment in security awareness:

"Seventy-one per cent of respondents said their organizations allow mobile and remote employees to access data and networks, but only 39 per cent said their organizations have implemented security awareness training and education. Only 19 per cent said they intend to implement such training in 2008. The good news is that of the organizations that have implemented security awareness training for remote and mobile employees, 92 per cent of respondents said they believe the number of major security breaches has been reduced."

So, security awareness works but few organizations are using it. More fool them!

Jay Cline, writing in Computerworld, describes the top five mistakes of privacy awareness programs:

1. Doing separate training for privacy, security, records management and code of ethics.

2. Equating "campaign" with "program."

3. Equating "awareness" with "training."

4. Using one or two communications channels.

5. No measurement.

[Read Jay's piece if these are not immediately obvious.]

I agree with all five issues, particularly his point that "A true program has an annually refreshed calendar of messages and training going out to different employee populations throughout the year". Multimedia, multiple audiences and multiple activities together make for a more effective awareness program.

3 Jun 2008

Domain name owners being phished

ICANN's Security and Stability Committee has released a 12-page advisory on 'registrar impersonation phishing attacks' - in other words, phishing attacks targeting domain name owners ("registrants" in ICANN-speak). Owners' contact details are usually published and can be interrogated for free through WHOIS. Putting the target person's contact details together with the fact that they have registered a domain name provides the phishing hook. Owners are invited to 'login and update their contact details', whereupon the phisher steals the login credentials and, presumably, manipulates the DNS entries for their own nefarious purposes.