June 26, 2007

VA vs USB

This is a little stale but I wanted to talk about it anyway. With their latest actions, I believe the Department of Veterans Affairs is quickly becoming the poster child for reformed data loss victims.

(important to note that, in this case, the data was eventually recovered)

The VA announced a few weeks ago that they have purchased 25,000 USB drives with built-in encryption from Kanguru.

The built-in AES-256 encryption will help ensure that only authorized users can gain access to the USB drive and will prevent another major meltdown if a drive is lost or stolen.

Also, it should be noted that Kanguru says that they can prevent users from attaching the devices to the network based on a device identification number.

I believe that this is a great step but one that must be accompanied by some level of control. I have stated in this blog a number of times that a policy without the means to enforce it, is just window dressing.

So, kudos to the VA on a positive step and showing corporate America the direction to move in. Just make sure that you keep the momentum going and block access to the unauthorized USB devices out there.

Michael Mongold

June 25, 2007

Shameless Self-Promotion

Since I only do this blog for my own narcissistic pleasure, won't you please go to Austin's "Best of" poll and vote for me as the best blogger? Many humble thanks, my friends!

http://www.austinchronicle.com/feedback/bestof/07/

Michael Mongold

Quicken backdoor outed...

A Russian firm, ElcomSoft, is now selling a password recovery tool that helps you gain access to Quicken, Quicken Lawyer, and QuickBooks for only $99 for a commercial license.

ElcomSoft gained access to files encrypted by Quicken's software by discovering a backdoor that Quicken had placed in their software for password recovery scenarios.

ElcomSoft discovered that Quicken had implemented a 512-bit RSA key. After factorizing the key, ElcomSoft promptly moved forward with a solution that can instantly remove the passwords protecting Quicken files.

The result is, if placed in the wrong hands, this product could potentially open a number of customers to the exposure of very sensitive data to competitors and the public, alike.

Quicken has responded that they take this threat seriously and are working on resolving the issue.

Until they have provided a work around for the backdoor, make sure you keep a tight hold on any Quicken documents.

Michael Mongold

June 21, 2007

Senforce integrates encryption into NAC

Senforce announced on Monday that they will incorporate data encryption into their NAC offering.

Back in March, I suggested that a natural evolution of encryption and NAC would eventually bring the two together. Kind of like chocolate and peanut butter.

Now, Senforce is making a play in that direction.

I'll spare you the trauma of reading their press release. Suffice to say that after they finish huffing about how they are the leader and all that (you know, the usual press release BS), they eventually say a little bit about how they are planning to prevent "thumbsucking".

A term that they are a little overly proud of creating.

(Thumbsucking refers to data that is "sucked" off of corporate devices and onto USB drives. The term "slurping" has been around longer and refers to programs that automatically search for certain file types on a hard drive and pull them over to an iPod or other removable device when it attaches to the computer.)

So, verbiage aside, I am glad to see someone pick up this angle of data security. Right now, everyone I speak to is concerned about USB proliferation in the workplace. For organizations that have sensitive data (i.e. everyone), this is a critical issue.

The beauty of NAC is that it can easily incorporate new technologies and flash points into controllable security policies as they arise. This kind of flexibility and control are what is required as data security evolves.

I always tell organizations that without NAC, your security policies have no teeth. Policies are basically words on paper with no means of observing or enforcing behaviour. NAC gives you the ability to change all of that.

Quite honestly, I'm not sure how CEOs/CFOs/CIOs/CISOs can sleep at night - with all of the current regulatory constraints that are flying around, not knowing what is on the network, and then not having the ability to do anything about what is on your network, even if you did know.

Hmmm - guess I should be glad I'm not in that position.

So, while I can't recommend Senforce's offering yet since I haven't had a chance to play with it, I will say that I like the thought they have put into the features listed and look forward to seeing more of it (and the offerings from other NAC vendors) in the future.

Michael Mongold

June 20, 2007

Government buys encryption

Can I get an "Amen?" The General Services Administration just announced that they have selected 10 data encryption companies to "guard sensitive, unclassified data that reside on laptops, mobile computing gadgets and thumb drives."

The ten companies are:

  • Mobile Armor's Data Armor
  • Safeboot's SafeBoot Device Encryption
  • Information Security's Secret Agent
  • SafeNet's SafeNet ProtectDrive
  • Encryption Solution's SkyLOCK At-Rest
  • Spyrus' Talisman/DS Data Security Suite
  • WinMagic's SecureDoc
  • CREDANT's CREDANT Mobile Guardian
  • GuardianEdge's Data Protection Platform

It is an interesting line-up of encryption vendors with some of the usual suspects included and then a few that made it from out of left field and then a few notables that were left off.

Of the surprises on the list:

  • Information Security
    • A small player who caters to the federal space
  • Encryption Solution
    • Finding information on this company was like pulling teeth. Not much of a presence in the market. However, with government contracts, it's always fun to see who has been doing the most lobbying

Of the surprises OFF the list:

  • Utimaco
    • With about a quarter of all of the encryption licenses in the world, their absence is definitely noteworthy. Perhaps because they're German?
  • Pointsec
    • The other 800 pound gorilla in the encryption market. Recent purchase by Checkpoint should have made them more palatable to the government, but I guess they're still too Swedish.

It was good to see WinMagic make the list. They're a good group of guys and I'm sure they worked hard to get this deal.

It appears that Guardian Edge may be back in the good graces of the government after winning and then losing the VA deal. Word is that they are having a lot of problems financially so we'll have to see if this keeps them afloat for awhile longer.

Also, good to see Mobile Armor. I have been hearing a lot of good things about their software and look forward to getting my hands on some of it soon.

To put things into perspective, the deal is worth at least $79 million over the next five years.

On top of all of the government agencies that can get in on this deal, state and local governments can get the same pricing through the winning vendors for their various organizations. This represents a tremendous opportunity for local and state authorities to provide encryption for their users' data at greatly reduced cost.

So if you are a local or state agency, jump on this deal because it is unlikely you will find better pricing on your own.

Michael Mongold

June 19, 2007

Ohio mess could have been prevented...

This may be hard to believe, but experts are saying that IF the data stolen from Ohio had been encrypted, it would have prevented the worries they are going through now.

Uh, yea. No kidding. Oh, well. More fodder for the bloggers and newsies to write about. There certainly seems to be no shortage of it.

The plus side of this is that these big, very public losses are helping divert attention from the smaller losses that are occurring everyday. So, if your company has any data theft that it needs to report, try to time it around another data theft that is a lot larger. Most likely the news outlets will only run one story on data theft that day and choose to run the other company's screw up. Bonus points if you report this late on a Friday.

I should be a political spin-meister.

Of note is Gov. Strickland's stance that Ohio "maybe should have considered encrypting the data". Regardless, he believes the data is still safe because it should be difficult to use the data on the hard drive.

I hope the Ohio voting populace feels better about their tech-savvy governor telling us how it is.

Perhaps the car that the data was stored in maybe should have been harder to break into as well.

Michael Mongold

June 18, 2007

Find the Phish

My fiancee forwarded an e-mail she received today from a bank that she does not use. The e-mail stated that the bank had locked her online access and needed some information from her.

Here is the gist of it:

"Dear customer,

Your access to Online Services has been suspended. Due to a miss-match access code between your Site key information. To enable you continue accessing your online account it will only take you few minutes to re-activate your account. Click on the link below and you will be taken straight to where you can activate your account."

It goes on to provide a link to the bank, which if investigated shows that it actually points to a link at MISIONCRISTIANAELIMHN.com. Performing a quick check at dnsstuff.com shows that it is registered to Solucion Logica in San Pedro Sula, Cortez, Honduras with Julius Barber as the technical contact. Continuing along this path, I visited Solucion Logica's website at www.slogica.net and found that they are currently having problems with their mail because one of their servers is being used for Spam.

Of course, they say that they are investigating who the culprit is and once that account has been discovered, it will be suspended. Also you are welcome to call 9982-8141 if you have any questions, but you better be fluent in Spanish.

I guess where I'm going with this is the fact that this should not be happening. Organizations which allow people to spam from their servers should be held liable for any damage that it does. And let's face it, this is not just spam but an attempt to illegally gain someone's banking information.

No less than an outright attempt to steal money from someone and it should not be tolerated.

I am a strong proponent of what the Electronic Frontier Foundation represents and I believe an open Internet allows for the most advances. However, allowing people to attempt such flagrant scams should not be tolerated. And yes, there are other things that occur over the Internet that are even more disturbing, but our law enforcement personnel are already pursuing those individuals.

I guess I find it hard to believe that in this day and age, someone can feel so brazen as to attempt something like a phishing scam and not be concerned about the repercussions.

Let us hope that someone will put into effect a mechanism to block those that attempt scams such as these.

Here's a thought: If a government body ran a DDOS, after judicial approval similar to a wiretap proceeding, against one of these creeps, it would force ISPs to be much more diligent about the junk they allow through their networks.

Of course, the ISP would need to be given prior knowledge and a chance to work the issue out themselves, but at least we would have some recourse.

Right now, we place the burden of protecting yourself solely on the end user, which sounds like money to a phisher.

What do you think?

Michael Mongold

June 15, 2007

Ohio State Employees Show It All

An employee for the state of Ohio lost a cd containing the Social Security numbers and "other" personal information for ALL 64,000 Ohio state employees.

Now Governor Ted Strickland has stepped in and issued an executive order to change the way data is handled.

I did a quick search to look at who had picked up this release. It was on the top of MSNBC's website under the heading "Also Making Headlines". ABC, the Boston Herald, Baltimore Sun, Forbes, Houston Chronicle, and over 130 other news outlets decided that this was important enough to announce. Not the kind of headlines you want to make.

So please take a moment and visit this site. It is the Governor office's announcement and a copy of his executive order. I believe they are handling this very well and I completely approve of the steps they are taking and the immediacy they are giving this issue.

Among the steps, is a change in their completely BONE-HEAD methodology of storing this data off-site. That alone should get someone fired. Storing this kind of information at some employee's apartment? Are you kidding me? Folks, if any of you are doing this then count yourself lucky that you are still employed and hire someone today that can securely and legitimately store the data.

Next, the assessment is so important. They need to know what data is important to secure and what data is not. They need to ensure that every point where the data is handled is handled properly.

Lastly, the push to have this occur within seventy-five days is extremely aggressive for any government body so I'll cut them some slack on the timeframe. 

Also, I like the fact that they have setup a website so the state employees can have a place to get the latest info on the breach.

Of course, credit monitoring (and the costs associated with it) is de rigueur at this point.

It is unfortunate that the disc (or device depending on where you get your information) was "contained on a specialized medium" and that "it is highly unlikely that the data could be accessed by someone without the knowledge of how to do so."

I say unfortunate because it doesn't really mean squat in this situation. They are still being run through the wringer because they can't say authoritatively that the disc is encrypted and completely worthless to anyone that doesn't have the key.

So take a good look at how Ohio is addressing this problem. They are doing a great job of trying to clean up a mess they could have prevented in the first place.

In fact, I would just keep this site handy in case you don't have your own ducks in a row. Ohio might become a good template for your company. And on that sarcastic note, I sincerely wish you a fun and safe weekend!

Michael Mongold

June 13, 2007

When Richard Clark Speaks...

...I hope that your ears perk up. Mr. Clark has been in the tempest of security on many levels over the past few years. His experience working with four different presidents and the inner-machinations of the federal intelligence network has given him an authoritative perspective to view the legitimate threats that organized and motivated individuals can present to all organizations.

Now Richard Clark has come forward to push something near and dear to my heart, data encryption.

You can read the article for yourself but I have to point out this one comment by Mr. Clark:

"It's about what you don't know, or what you don't see or can't prove. Industrial and national espionage is happening daily on a massive scale. Your databases are being stolen and copied, and just because the evidence isn't in front of you doesn't mean it's not a problem."

That pretty well sums it up. People are losing data on a scale that they don't even understand. Criminal organizations are discovering that at an alarming rate. Those with malicious purposes follow the path of least resistance to the greatest payoff.

Once organizations take this more seriously, the criminal components of our society (both one-offs and organized) will move along to an easier prey.

It is unreasonable to expect this to go away until it becomes unprofitable for them. Thus, as more organizations push for higher standards of data protection, it will force those seeking the information illegally to look at an increasingly small subset of companies and institutions that do not have adequate data protection deployed. Additionally, those performing these intrusions will hone their techniques to further perfect their processes.

The end result: The longer you wait, the more likelihood you have of being exposed.

Here's a little formula (let's call it Mongold's Formula of Data Vulnerability for narcissistic reasons) that I threw together to help represent this:

$$P = (G_b - G_a) \cdot C^{h+1} \cdot t$$

where

$P$ = probability that an incident will occur

$t$ = time

$G_a$ = the organizations that are increasing their security

$G_b$ = the organizations that are not increasing their security

$C$ = criminal attempts

$h$ = multiplier representing the criminal learning curve

Thus, the longer you wait to protect your sensitive data, the fewer organizations will be standing with you, and the more criminal attempts (which are becoming increasingly successful due to their experience) will be launched over time, which will result in a much greater probability that you will be successfully attacked.

Yea, that's oversimplified but it hopefully helps explain why every organization should have a certain sense of urgency.

You don't want to be one of the last targets in the shooting gallery.

Michael Mongold

June 12, 2007

So long and thanks for all the fish!

Checkpoint performed some research that shows when most people leave a company, they take some amount of company data with them.

This seems to be fairly intuitive. I am sure that a number of people will forward contacts that they want to stay in touch with or maybe examples of their work for their next position. And I suppose, some would take data for malicious intent as well.

But as someone tasked with ensuring that the integrity of the data within your organization is kept intact, how do you ensure that people leaving your company leave the sensitive data behind?

Well, quite honestly, that's not an easy task. Without some form of certificate-based access that allows for centralized access and permissions to documents, there are few ways to expire that information once it leaves the confines of your network.

There are a few software packages that can allow you to wipe a document after a certain period of time, and then there are also the programs that require the documents to connect to a centralized location to ensure the person attempting access is allowed. But no organizations that I am familiar with are deploying anything like this on a grand scale.

The problem always starts with identifying the data that needs to be protected. This must be the first step on the road to securing sensitive data. If you do not know what to protect, then you are wasting cycles on data that might not need protecting and possibly missing the data that does need securing.

Once you feel comfortable with what you know and don't know, then you can proceed to defining access roles and implementing control mechanisms.

This is where things tie back into where I began.

This study by Checkpoint was performed to sell Pointsec's Device Protector which allows organizations to define which USB devices are allowed to connect to corporate assets and how data is allowed to be transferred between the two.

This is important because users have always taken data with them when they've left their company.

What may have been just some notepad with a few bits of information jotted down on them thirty years ago can now be a million files on an eight gigabyte hard drive in someone's pocket.

The potential for problems dwarfs the past possibilities. (that's an alliteration, folks)

WinMagic, Utimaco, and Guardian Edge, to name a few, are also manufacturing products similar to Device Protector to help organizations rein in USB access.

All of these manufacturers know that there is a need for their products and that it's only a matter of time before every organization comes to that same conclusion.

Michael Mongold