DARPA’s afraid of NSA style implants coming from China

March 17th, 2014 by alex

Officially “New program seeks tool that authenticates electronic components at any step of the supply chain” here, but read the list of the requirements and you know what’s up (highlight mine):

Successful development of SHIELD technology would provide 100 percent assurance against common threat modes:

  • Recycled components that are sold as new
  • Unlicensed overproduction of authorized components
  • Test rejects and sub-standard components sold as high-quality
  • Parts marked with falsely elevated reliability or newer date of manufacture
  • Clones and copies, which may be of low quality, or may include hidden functionality
  • Components that are covertly repackaged for unauthorized applications

With NSA’s widely publicized miniature hardware implants, one could only wonder why DARPA did not ask for this stuff earlier. I guess someone could attribute this development to the good that Snowden did. But then, if every chip carries an RFID-like SHIELD tag, or something similar, for tracking purposes, we are no better off in terms of privacy anyway.


IBM Security Portfolio

November 4th, 2011 by alex

Ever wanted a quick, no nonsense explanation of what IBM security products are and where they came from? Well, here it is:

  • ISS – network and host security (X-Force acquisition)
  • TIM – identity management (access360 acquisition)
  • TAMesso – desktop single sign on (Encentuate acquisition)
  • TFIM – federation of access (homegrown)
  • TDI – data transformation (Metamerge acquisition)
  • TAMeb – web app access control (Dascom acquisition)
  • TSIEM – security event management (Q1 Lab acquisition)
  • TCIM – compliance dashboard (Consul Risk Management acquisition)
  • DataPower – XML gateway
  • i2 – crime prevention
  • BigFix – patch management
  • Guardium – database security
  • Openpages – governance risk and compliance
  • Algorithmics – financial risk management


In high demand

August 24th, 2011 by alex

The old adage says: “keep your friends close, but your enemies closer”. In this day and age, the IT department of your organization does not have to worry about the second part. The enemies are already at the gates. And keeping them out is an increasingly challenging task.

A recent study sponsored by Juniper Networks showed that not only has there been a dramatic rise in the number of security breaches in the past year, but the targets have also gotten bigger. The CIA, the FBI, the U.S. Senate and various state police agencies have had their systems attacked. In the first half of 2011 security and data breaches cost U.S. enterprises almost $96 billion. At this rate the cost for all of 2011 will be almost twice what it was in all of 2010. Consider that in 2010, 90% of businesses were compromised by at least one security breach, and more than 50% of the compromised businesses had at least two.

Another problem is that “the gates” the enemies are trying to get through are everywhere now. The entry points are in the software employees use. They are in files, emails, web apps, web sites, databases, in everything that is on the information highway. The number of malware-related incidents went up from 4 million in the first quarter of 2010 to 6 million in the first quarter of 2011. Last year’s record $63 billion that companies spent on security is expected to reach $75.6 billion in 2011. As the study showed, the enemies get smarter and the attacks get more complicated every year. Throw up all your defenses, get every firewall ready, the host and network intrusion detection and prevention systems, anti-virus, anti-malware, application firewalls, and it will still not be enough, because the enemies are a step ahead. The solution? “Know yourself and know your enemy” (Sun Tzu, “The Art of War”). Get the right security talent on board and use the right strategy.

The correct strategy, rooted in the governance, risk management and compliance methodology, can go a long way. Consider governance, the system by which an organization controls and directs security development, as the backbone of the approach to managing security and how it relates to the business (http://www.cert.org/governance/ges.html). Then focus on compliance and regulations, the key to proactive defenses and to enforcing rules on a company’s behavior as it pertains to security for the specific nature of the business. Governance is strategic, while compliance is tactical and specific. Addressing compliance and security regulations allows a business to focus on the particular challenges and vulnerabilities specific to its business type and the vertical it operates in. Finally, apply risk management, the set of technologies that address day-to-day security work and include mature components of security such as penetration testing, application security analysis, firewalls and intrusion prevention systems. The success of the security strategy depends on attention to all three components.

The talent is a different matter. With the increase in demand for security experts, in response to the increased attacks, security talent is becoming more expensive and harder to find. So far, the number of college students who focus on cyber-security has not kept up with the demand. There are even fewer opportunities to find experienced security consultants who are up to par with the criminal masterminds of the security underground. Security may be on the radar for around 1.9 million people, but there are only around 346,000 fully dedicated security professionals.

There are, however, security consulting firms, like Prolifics Security Practice (http://www.prolifics.com/business-solutions-security.htm), that can help you with both the talent and the strategy. They bring the best and the brightest security personnel on site to analyze, architect, develop and implement proper defenses and policies to address modern security threats. They help set up a proper strategy, so you protect the flanks, tie up the loose ends and govern smartly.

With the increasing number and caliber of security breaches you cannot afford to sit around and wait. Find out what others are doing, go to conferences, ask consultants, bring in help, but do something, because the enemies are at the gate.

If you want to read more on the recent rise of the cyber attacks look here: http://articles.latimes.com/2011/jul/05/business/la-fi-hacking-security-20110705


Enterprise Single Sign-On tug of war

March 4th, 2011 by alex

A desktop-based Single Sign-On solution is a joy to have if you are a desktop user. Equally, it is a pain to have if you are in the IT department that supports it. The line between the two is very thin in many organizations, and which way it tilts often determines the success of an Enterprise Single Sign-On implementation. Here is a quick list of the typical gripes and the responses one can give to pull the rope in ESSO’s favor.

  • Desktop support team: Man, it replaces the Microsoft GINA. We need to provision it to all of the existing desktops, test it on our gold build, communicate with all the affected users… It’ll take more than you think to implement it.
  • Business: Ok, so let’s see how well you manage your assets. If you know them, can provision them and keep them homogeneous, you should not have too many problems. If not, let’s work on asset management first.
  • Infrastructure: Users want to be automatically logged in to an enterprise app that is not covered by ESSO yet. Now we’ve got to develop another profile. This is not easy; the development, testing and support will take a lot of time.
  • Business: Yes, that is the on-going cost of ESSO. Either engage the vendors, get the training and do it in-house, or outsource it.
  • Infrastructure: Now we have to have staff to support another server, another database and a bunch of desktops.
  • Security: Hey, but no more sticky notes under keyboards with passwords.
  • Help desk: We are getting more calls about desktop apps incompatible with the ESSO.
  • Business: The incompatible apps will have to be worked through with the desktop support and the vendors.
  • Security: We do not want to accept the responsibility for accidentally exposing all personal logins people may store in ESSO, like passwords for web-mail, Internet banking, shopping, forums, you name it.
  • Consultant: Set ESSO up with per-user key encryption. The downside, though, is that if a user changes their password and then forgets their response to a challenge question, they will lose their stored passwords.
  • Help desk: Everybody is forgetting their responses to the challenge questions. People are unhappy about having to lose their stored passwords.
  • Consultant: Set ESSO up with a global key, and let the Security department worry about an appropriate-use policy and a privacy policy.
  • Security: We do not want to send people their on-boarding passwords in plain text in an e-mail or print them out.
  • Consultant: Integrate your ESSO with an identity management solution and have it automatically distribute passwords to people’s wallets.
  • Infrastructure: All the setup, configuration and support takes so much time!
  • Business and End Users: Hey, it is nice not to have to type enterprise passwords every time. The help desk is getting fewer calls about recovery of forgotten passwords. It saves so much time!

The end of the story is that for every gripe, there is a good response demonstrating the value and the benefit of having an ESSO solution.
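The per-user key versus global key exchange above is the one trade-off in the list that is really a design decision, so here is an added sketch of it (my own illustration, not any ESSO product’s code). The wallet key K is wrapped once under the user’s password and once under the normalised challenge answer; a help-desk password reset cannot use the old password, so K survives only if the challenge copy unwraps, otherwise the wallet has to be re-keyed empty. The cipher is a stdlib-only HMAC-SHA256 keystream standing in for a real AEAD, and the wallet contents are constructed sample values.

```python
import hashlib, hmac, os, secrets

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 counter keystream (toy stand-in for AES-GCM)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key (bad password or answer) or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def _norm(answer: str) -> str:
    return " ".join(answer.lower().split())  # challenge answers are compared loosely

class Wallet:
    """Per-user-key ESSO wallet: K is wrapped under the password and under the challenge answer."""
    def __init__(self, password: str, answer: str, contents: bytes = b"webmail=hunter2;bank=letmein"):
        self.salt = os.urandom(16)
        k = secrets.token_bytes(32)              # per-user wallet key K, never stored in clear
        self.wrap_pw = seal(kdf(password, self.salt), k)
        self.wrap_qa = seal(kdf(_norm(answer), self.salt), k)
        self.store = seal(k, contents)           # constructed sample secrets

    def read(self, password: str):
        k = unseal(kdf(password, self.salt), self.wrap_pw)
        return None if k is None else unseal(k, self.store)

    def helpdesk_reset(self, new_password: str, answer: str) -> bool:
        """Old password unknown, so K can only come from the challenge copy.
        A global-key design would instead unwrap K under a site-wide key here."""
        k = unseal(kdf(_norm(answer), self.salt), self.wrap_qa)
        recovered = k is not None
        if not recovered:                        # the help-desk gripe: the wallet is lost
            k = secrets.token_bytes(32)
            self.store = seal(k, b"")
        self.wrap_pw = seal(kdf(new_password, self.salt), k)
        self.wrap_qa = seal(kdf(_norm(answer), self.salt), k)  # re-enrol the answer given
        return recovered
```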


OpenID Vulnerabilities

October 13th, 2009 by alex

OpenID is an identity-sharing and single sign-on protocol that is becoming more and more popular on the net. OpenID lets you use a single authenticating source (aka an identity provider) to log in to any site that accepts OpenIDs (aka a service provider) without the need to create an account on that site. Yahoo!, Google, AOL, SourceForge, Facebook and many others now support it. A great idea, but unfortunately it comes with some big holes.


Good design and usability principles

October 1st, 2009 by alex

I am a big proponent of usability. After all, regardless of how good something is, or how many cool features it has, if it is unusable it is worthless. A hard-to-use application, website or in fact anything that interacts with a human will not be popular, will lose out to the competition or be ignored altogether. There are many articles on the web with examples and lists of usability principles, so I will not go into that here.

It seems, however, that many sites, like ss64.com or useit.com, suffer from a common pitfall in usability design: sacrificing design by going too far. They subscribe to the lowest common denominator in an effort to make the site usable for the biggest possible crowd. This makes them very plain and downright ugly. Sure, they cover 99% of the crowd out there, not the 95% a good design would cover, but in the push for those extra 4% they lose much in beauty and attractiveness.


Authenticating in Ubuntu with a fingerprint

May 31st, 2009 by alex

I had a free fingerprint scanner lying around (see below; thank you, DigitalPersona) and thought of making it work with Ubuntu. Turns out, it could not be easier.

sudo apt-get install pam-fprint

Then add the following line to the PAM configuration (/etc/pam.d/common-auth):

auth [success=2 default=ignore] pam_fprint.so

and change the existing pam_unix line to read:

auth [success=2 default=ignore] pam_unix.so nullok_secure

This way all Ubuntu authentication (logging in, sudo, gksu, etc.) requires only a fingerprint, and falls back to the standard password based authentication in case of an incorrect fingerprint.
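The fallback behaviour above depends entirely on the jump counts in the two [success=N default=ignore] controls, so here is an added check (my own script, not from the post or from pam-fprint) that simulates the Linux-PAM auth stack over a constructed common-auth file built from the post’s two edits on top of Ubuntu’s default pam_unix / pam_deny / pam_permit layout, and reports the verdict for a good fingerprint, a bad fingerprint with a good password, and both bad. It supports only the control tokens that file uses.

```python
import re

# Constructed from the post's edits plus Ubuntu's default layout; not a real file from the post.
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_fprint.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth requisite                  pam_deny.so
auth required                   pam_permit.so
"""

def parse(text: str):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m:
            raise ValueError("unsupported line: " + line)
        rules.append((m.group(1), m.group(2)))
    return rules

def run_stack(rules, outcomes: dict) -> str:
    """Simplified Linux-PAM dispatch; outcomes maps module -> True/False (pam_permit ok, pam_deny fails)."""
    succeeded = failed = False
    i = 0
    while i < len(rules):
        control, module = rules[i]
        ok = outcomes.get(module, module == "pam_permit.so")
        i += 1
        if control.startswith("["):           # [success=N default=ignore]
            if ok and not failed:
                succeeded = True
                i += int(re.search(r"success=(\d+)", control).group(1))  # jump over N modules
        elif control == "requisite":          # failure ends the stack immediately
            if not ok:
                return "deny"
            succeeded = True
        elif control == "required":           # failure is remembered, stack continues
            succeeded, failed = succeeded or ok, failed or not ok
    return "allow" if succeeded and not failed else "deny"

def verdicts(text: str) -> tuple:
    """(fingerprint ok, fingerprint bad + password ok, both bad) for the given file."""
    rules = parse(text)
    return (run_stack(rules, {"pam_fprint.so": True}),
            run_stack(rules, {"pam_fprint.so": False, "pam_unix.so": True}),
            run_stack(rules, {"pam_fprint.so": False, "pam_unix.so": False}))
```

Changing the pam_fprint line to success=1 makes a good fingerprint land on pam_deny and lock the user out, which is the kind of off-by-one the simulation catches before you edit the real file.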

Ok, cool, it works! Now, there are a couple of things worth mentioning.

  1. Fingerprint recognition is one of the oldest and probably weakest forms of biometric authentication. Think about it: when you use your fingerprints in lieu of passwords, you are essentially leaving your passwords on everything you touch. Even worse, if somebody lifts your fingerprint and uses it for nefarious purposes, you cannot change it. Ever.
  2. The U.are.U devices from DigitalPersona are image scanners, and as such can be fooled by a simple image of a lifted fingerprint. They cannot distinguish a real finger from a carefully crafted printout of a fingerprint. UPEK fingerprint readers, built into many ThinkPads, are of a different type. They are capacitive scanners that look for actual grooves on the finger, making them harder to fool with an image, but not with a silicone mold.

With that said, it is still nice to save a couple of seconds every time you log into your home computer with just a touch of a finger (quite literally). However, I would not recommend this approach as a security measure for sensitive information.


Ivkin.Net :: where tech and candy come together