Tuesday, September 2, 2008

Return on security investment - article by Bruce Schneier

Bruce Schneier puts some economic background to expenses on security measures taken by the company, and explains how those security measures should be justified to the top management.

Monday, September 1, 2008

The evolution of the rootkits

An interesting reading regarding how rootkits for Windows evolved.

Thursday, May 22, 2008

7 business advantages of offering data security


1. Protection of Valuable Information

Valuable information must be protected. Information is one of the most valuable assets of any enterprise, no matter what kind of product you are developing to handle it: a custom software or in-house automation solution. Its protection is a vital part of IT infrastructure. Make your life easier by integrating security into the solution.


2. Keeping Ahead of Competitors

Stay ahead of competition. Be in the first row of software manufacturers, who build their applications with security in mind. Any software is more welcome, when it fits into existing business processes. Adding another level of data protection is always viewed as a benefit, while its lack is a serious disadvantage.


3. Expanding Into New Markets

Adding security to typical applications is a way to expand the business into new markets. For example, adding a security to you LAN communication application may give you an access to government or military market.


4. Caring About Clients

Offering security drives sales. When you offer security in your software as a bonus, your clients will feel that you really care about their well-being.


5. Reduced Costs of Development

Plugging security into your application beforehand reduces development and support time. Sooner or later you will face the necessity to add security features to your solution. The later you do this, the more code you will have to modify. Inadvertent data loss caused by insecure software may cost you significant money and time lost in courts. This will make you think about adding security anyway.


6. Software Interoperability

By adding security you will improve different software systems interoperability. Some developers choose custom data storage and exchange formats, thinking that they are faster to implement. Later it turns into additional expenses, when proper communication with other applications becomes a must. A lot of resources will be spent on changing formats or creation of data converters. Use of standard security enabled data storage formats and data exchange protocols ensures widest possible interoperability.


7. Meeting Current Standards

In order to be reliable and up-to-date, a software needs to follow current standards. One of the widespread and important standard is requirement of software security. In the majority of industries data protection is a must, and your software should follow these standards to be adequate to current demands.

Tuesday, April 29, 2008

Alternatives/replacements for ReiserFS

ZDNet has a blog post regarding alternatives to going-to-die ReiserFS . The review mentions several open- and close-source file systems which can be used as the OS' main filesystem.
Why am I mentioning this in the security blog? First of all, file system is a place to hold the data, and modern file system must include security functions built into the core. Our Solid File System with it's built-in encryption and compression features is perfectly suitable for embedded appliances and other custom tasks for which you could be looking for a file system. Next, if you are looking at implementing file system, or you have a task to virtualize access to files across several devices, you will find Callback File System, a component for creation of virtual file systems, indispensable for your tasks.

Thursday, February 28, 2008

Buzz and reality about cold boot analysis of computer memory

I can hardly remember so widespread coverage of any computer security issue, that the recent analysis report has got. From the first glance the attack is very serious. But is it really that serious?

Bruce Schneier has published his review of the question with references to other discussions. This saves me a couple of keyboard clicks that I would have to do in order to explain the problem.

So ... if the bad guy has stolen your notebook, he can get access to the encryption key for whole-disk encryption software. No remedy so far. In fact, there's no remedy for the particular problem, where the parts of the problem are (a) physical access to the device and it's memory, (b) applications that store the keys in memory.

Neither of these parts are key parts. Physical access is not necessary, the rootkit will do the job perfectly. You have much bigger chance to catch a malware, than to be attacked by the thief hunting for your data. The best attack is the one that remains undiscovered by the legitimate user, and stealing the notebook is probably not the best way to hide the attack. And if the thief is that serious about physical actions, then thermorectal cryptoanalysis will work quite efficiently - with a bit of brute human force or other methods of conviction you will tell all the passwords the thief wants to know.

Applications that store the keys in memory are not a problem at all - just don't use them. It's not that hard to not keep the keys in memory unprotected. The vendors already announced that the keys are kept in memory which is not flushed to disk, but this is just a part of the solution. The application can easily use some encryption on the key and decrypt the key for the tiny period of time when this key is used. Decryption would be made to specially allocated memory, whose location is random and changing for each operation. The key for encryption can be derived from the data, specific to the process that does encryption. Such approach will make it much harder if not impossible for the attacker (both thief of the RAM and various malware) to get access to the key itself.

There's one more solution available, but it's too slow nowadays. The solution is to keep the session key in some hardware device, which doesn't give it away. I am talking about my favorite USB tokens and smartcards. The problem with this hardware is that one security operation can take a second or two, making it very slow for use with whole-disk encryption solutions. But I think one needs to try.

Our Solid File System product can be used to create secure virtual disk solutions. We are going to introduce key protection in one of the upcoming builds of SolFS (both Standard and Driver editions). And it is possible to plug the above mentioned harware protection of the key to Solid File System if needed. More detailed information about the above listed techniques can be obtained by contacting me privately.

Wednesday, February 27, 2008

Strong authentication for OpenID

I loved this one ...

I really like the hardware cryptograhic devices and I feel that they add very strong security measures to overall protection of the data.

As known, OpenID is used to login on some site that you trust and let other sites that you use (various community places, forums, commercial services) and where you need to login, use that OpenID login. There's a bit of cryptography in OpenID, but not much.

The problem is with the OpenID login itself. Most OpenID providers (the sites which you trust and where you obtain your OpenID login credentials) use username/password approach which is far from being very secure.

TrustBearer offers you to login using your smartcard or USB token. If you don't have one, you can purchase it directly from them (and the price is very moderate, I must say).

Unfortunately my Aladdin eToken is not listed among the supported devices, and it didn't work. However, they have a good choice of supported devices, so if you decide to get one, you can choose from the listed ones. Also, I will test their service with other devices that we have here (by Entrust and Rainbow). I will then update this post.

BTW our company provides support for cryptographic hardware in it's SecureBlackbox product.

Good introduction to digital cryptography in Windows

Recently there appeared an article on CodeProject, which is a good overview of cryptography basics and cryptography implementation on Windows.

Even when you know the basics, you will find it interesting to review the reference list at the end of the article. It is quite impressive and contains many useful references.

The article can be found here.

Saturday, February 2, 2008

State of e-mail authentication

Authentication And Online Trust Alliance has published a report that reviews current situation of e-mail authentication among large companies and ogranizations. The report says that more than a half of all e-mail is authenticated. What does this mean?

Authentication of the sender is an important step in fight against unauthorized e-mail. Now, when so much e-mail is authenticated, it's vital that the verification takes place on all stages of e-mail processing, and that e-mail is handled properly (this includes acceptance of the valid authenticated e-mail and lowering the weight of other factors when e-mail is authenticated right).

The most widespread authentication mechanisms are Sender ID (formerly SPF) and DKIM (formerly DomainKeys).

The report itself can be found here.

You will find lots of useful information, related to authentication schemes, their supporters etc. in this report.

MIMEBlackbox package of SecureBlackbox includes both signing and verification of DKIM-signed e-mails.

Friday, January 18, 2008

Obsurity in security

Here's the good article "for dummies" why obscurity is not always bad.