Is he evil? Ask some manufacturers and they'll say yes, emphatically. Ask privacy advocates, and they'll praise him for exposing the seeds of Big Brother. Chris Pajet didn't stop at cloning your HID prox card while standing next to you in line at the 7-Eleven.* Now he has begun war-driving through San Francisco, gleaning RFID tags from US Passports. This is another assault on the Western Hemisphere Travel Initiative. Read about it here.
White hats like Chris find the holes in our tech infrastructure that the bad guys also find. I'd rather know about it than keep my head in the sand. Besides, these problems are ususally fixable, so let's fix the problems and not ignore them.
*not sure if he ever did that, but the cloning device he showed me sure could have been used that way.
CoreStreet is one of the really cool young technology companies in the security industry, and now In-Q-Tel knows it, too. The beltway-based investment vehicle for the US intelligence community made a strategic investment in CoreStreet. This is the most recent in a long string of victories for the young identity management and access control vendor.
You’ve read about CoreStreet on this blog – about how they dominated a bid in the State of Colorado. Well, other states will follow suit this year, and federal government FIPS 201 initiatives are all over the Corestreet products.
This company, and those like it, are the reason I got into this business. Very cool
Joel Rakow has a fun newsletter. He authorized me to reprint this story. If you want to get on his mailing list, drop him a note at email@example.com
Many security professionals are concerned about IP access control readers being a source of vulnerability. Think about it: A network device on the unsecured side of every door. Remove the cover and you have direct access to the enterprise network. The assumption is that card readers based on the Weigand protocol…you know those HID readers..are secure. If you are one-of those consider the following hack:
Use a proximity card in combination with a small PIC micro-controller chip (a Programmable Intelligent Computer chip). Embed a program in the chip this requests a display of the code on the card of the last card holder that gained access. The PIC chip is spliced between one of three wire lines on the backside of a Wiegand reader. The entire manufacturing cost of the PIC device and wires is less than $3. This hack can also be used to lock all of the doors so that nobody can gain access. , wires to outsmart the Wiegand-based readers communications standard, allowing him to gain access to restricted areas protected by the readers. Franken says he spent 12 hours working on his method, which included
Embed a program onto and programming was about $3. The program is written to replay the code on the card of the card-holder who most recently gained access.
This hack is outlined here to help both security professionals and manufacturers maintain security. Manufacturers need to prevent such simple hacks and professionals need to deploy readers knowing how they might be vulnerable.
Follow this link for the complete story.
Here is a refresher on the four fundamental
categories of security – authentication, authorization, administration and
audit. Each poses a basic question. And each must be addressed before the next becomes fully effective.
Are you who you say you are? Authentication
is the set of tools and processes for identifying people and machines. ID
badges, key cards, passwords, biometrics all deliver information about whether
a person is who they claim to be.
I know who you are, but what may you do?
Authorization technologies limit and control behavior, but also aim to allow
appropriate activities. Locks, entry devices, card readers, antivirus software,
encryption, even fences and guards require or respond to information about
one’s privileges, then ensure that one can perform all the duties of his or her
Lots of you are doing lots of things. How do
I manage it? Administration is both a set of processes and a technological act,
often requiring software and computers or data repositories called directories.
Access control administrator software, provisioning software, the forms you
pass around to managers to get approvals, all allow organizations to add,
delete or modify information about people and their privileges.
What’s happening? Is the authentication and
authorization working correctly? The last of the four categories, audit, is
arguably the most important. Cameras, video recorders, monitoring stations,
alarms, IT-SIM and PSIM products, risk assessments and computer audit logs collect
and display the current state to whomever is concerned. The better systems, of
course, correlate and prioritize events to help people respond to the
Security employs technologies and processes
to ask those questions and respond to the information in the most efficient and
What it is:
USB stick with fingerprint
authentication, AES or Blowfish file encryption, secure partition and platform
for hosting and launching applications. Plug this little baby in and launch apps, store files, send emails, and
sign documents all without leaving a trace on the host computer. Capacity
ranges from 256K to 4 Gigs.
n-Trance Security Ltd
How it does it:
n-Tegrity Pro combines a
proprietary biometric authentication application (all properly documented and
publicly discussed in academic papers, of course), file encryption (using your
choice of AES, Blowfish or other popular encryption options), and a logical
partition for secure file storage.
The product is shipping is
currently sold through a few channels in Europe and on Amazon.
Starts at $45, up to $200.
I tested the Pro version with 1 Gig of memory selling for about $90.
I opened the box and
installed it in seconds. Within five or
six minutes I was a power user (after I figured out that I have to swipe my
finger three times to enroll instead of just one). The software running on my device is n-Pass
Pro 126.96.36.1996. I inserted it in a USB
port of my old IBM ThinkPad T42 running Windows XP (updated) and was pleased at
how quickly the n-Tegrity Pro was detected. After registering two fingers using
the biometric reader, a navigation window offered me options to launch the
embedded applications like Skype or Miranda instant messaging. I selected Internet Explorer and surfed away,
hardly detecting any latency given the fact that the app and its caches were
being completely housed on the stick. At
one point, mid operation, I ripped the stick out to see what would crash. Nothing did. The n-Tegrity Pro icon in the system tray simply disappeared. When I
reinserted the device in the USB port I counted to ten and was presented with
the fingerprint authentication request, slid my left thumb across the reader
and was instantly back in action. Encrypting was just as easy. I dragged a file into the reader and right
clicked. I found the functions of this
powerful device and its elegant software to be intuitive and supremely
useful. The device has an integrated
cover and comes with a lanyard – an important protection for me because I lose
Other capabilities listed
on the website are
- n-Pass Pro – biometrically
enabled VPN and RDC connection
- n-Crypt –shell-integrated
biometrically-enabled cryptographic application for files and folders
- Encrypted Virtual Disks
- FIPS 140-2 Level 1
- Selectable cryptographic
algorithms from the list of 7 most powerful (such as RSA-2048 key pair, AES-256, etc)
I mentioned IE, Miranda and
Skype, but there are many apps you could launch from the flash disk. A list of
compliant applications is available HERE.
USB sticks combining secure
file storage are a dime a dozen these days. Well, maybe $500 a dozen, but you get the idea. The n-Trance solution combines applications,
secure files, password storage, and so many other uses neatly contained in a
form factor with its own secure biometric authentication and encryption engine.
Not much to gripe about at
this point. It does what it claims. The Quick Start Guide is not written as
clearly as it could be. And I look
forward to support of Linux and Mac.
How to Buy:
Europeans can go to their
local UniEuro Market in Italy, Netherlands, Hungary and Russia where you’ll likely find the
products displayed next to new computers.
Everyone else can go to
Imprivata bridges the IT side of authentication and
credential management with physical security. The company’s flagship product, OneSign version 3.6, now integrates with Honeywell
ProWatch Access Control Systems and can support National ID cards built on the Dutch UZI card
platform. It also just extended support for 64-bit Citrix and
Terminal Server as well as Windows Vista platforms (32 bit). This week the company announced ProveID™ for OneSign that
cleverly allows developers to insert Imprivata strong authentication into
I’ve always been a fan of this scrappy company. Founder
David Ting is an articulate champion of collaborative authentication
management, and the company has been very smart, I’d say, by betting on the
convergence story as a way of differentiating it from the soupy identity
The company boasts over 150 Imprivata resellers in 32
countries, and over 600,000 seats sold, but that’s a far cry from Passlogix‘s 6
million seats. However, Imprivata sells
its a solution with pricing and deployment options suitable for even small and
mid-sized large organizations.
Last year we were all concerned about Sarbanes Oxley. This year it’s PCI. PCI is shorthand for the Payment Card Industry security standards that apply to any company engaged in processing credit card information. The VISA Cardholder Information Security Program (CISP) is one specific standard in this category. Compliance to these PCI standards is driving all manner of corporate risk management in tens of thousands of US businesses – from online customer-based transactions, to data storage, to document retention.
My buddy, Ben Rothke, just wrote a very intelligent article on the topic in CIO Magazine. The only thing I’d add is that PCI is commonly thought of as an "information" security problem when in fact it has a heavy physical security slant.
There are over twenty specific statements in the PCI requirements that pertain to physical security. For example, you should have video surveillance around sensitive systems and areas where credit card data is handled, physically restrict access to those areas, escort visitors and require rigorous access control, shred hard copies of documents with that data and protect against dumpster diving, etc.
A security executive from a Fortune 1000 company and another from a Fortune 100 told me separately recently over lunches that PCI is touching every aspect of their respective security operations – IT security, physical security, privacy, and business continuity. Both executives have found that promoting collaboration between those groups has been the key to meeting PCI requirements. PCI is just one more reason to promote a collaborative convergence attitude in your organization’s security program.
[This popular post first appeared on SecurityDreamer in November 2006]
Articulating the Value of Security…
It’s an uphill battle to convince the decision-makers in any business that they need to invest in security. Why? Because deep down, all professional businesspeople think security is an annoying layer of cost and inconvenience.
If you walk in and tell them, “We need more security,” they hear, “We need a more annoying layer of cost and inconvenience.”
Getting the buy-in for security products and services today means understanding what drives your company’s security purchase decisions—basically, what is going on in the mind of your bosses. Fear, uncertainty and doubt are not the cleverest tools to use anymore. The security industry is undergoing changes as it adjusts to the convergence of IT with physical security, and businesses are changing, too. Now businesses want something that sometimes seems like a foreign concept to the security profession: value. If you don’t adapt and start answering the questions your business is really interested in, you’ll never get the green light on new projects and upgrades.
Remember, nobody wants security; they want the benefits of security. That means that the housewife doesn’t want the finest deadbolt on the front door because of the excellence of its engineering or its impact resistance. She wants a comfortable, happy place to raise her family.
Businesses also want something other than security. If a bank manager has a mandate to reduce expenses related to bank tellers, she has a couple of options. She could fire all the tellers and lock up all the bank branches, but then the bank would have no interface with its customers. Or she could take all the money, put it in piles on the street corner under a clipboard that says, “Take what you want, but write it down so we may balance your account.” That wouldn’t work either, obviously.
The best solution for reducing teller expenses is to take the money, put in on the street corner locked in a box with a computer attached, and give customers a plastic card for authentication and auditing.
Security was never the point. The bank had a business objective and achieved it by using some security. That is how we all should think of security: as a way of helping our companies achieve the goals or value they seek.
Business managers, especially executives at the highest levels of an organization, have a very simple view of security: It is a tool in the corporate toolbox for enabling business. But they don’t even think of it as security.
The manager responsible for an online ecommerce business wants a few things. He wants to know who is using his Web site. He wants to ensure that each one can do everything on that site they need to do. He has a lot of people doing a lot of things, so he needs an easy way to manage it. And at the end of the day or the end of the quarter, he needs a report that tells him what has happened so he can improve customer satisfaction, reduce errors and increase profits.
In that example we have all four fundamental categories of security—authentication, authorization, administration and audit—but the manager doesn’t think of security once! That’s because security is not the point.
Focus on Value
I have suggested many times that, whenever possible, security professionals should purge the word “security” from their vocabulary. Instead, answer the questions inside your boss’s head, and don’t simply spout the ways security keeps bad things from happening.
Your upper management thinks in terms of money, not security. What people will be needed? What headcount can we reduce? How much will it cost? How much will we save? What new revenue can we earn as a result of this investment? And they think not in terms of security risks, but in terms of credit risk, market risks and operational risks. That’s where you can shine.
One U.S. company spent $35 million on physical security upgrades after 9-11, and $4 million on IT security upgrades. Last fall they failed their Sarbanes-Oxley audit because of poor security. How? Visitors were given a badge for the day, but they could still walk unescorted past cubicles with unattended computers logged into financial systems. At that moment the audit no longer had confidence in the integrity of the numbers. Anyone could have moved a decimal point or added a zero.
If you know your facilities need more security, tell your managers how it will help them measure or achieve compliance to regulations like Sarbanes-Oxley: You audit employee behavior, or lock up financial systems, or shred financial documents, or do background checks, or secure backup tapes. For any business problem, you should be prepared to help your management identify the ways that the authentication, authorization, administration or audit solutions you’re proposing will solve their problem, or help customers make the gains they hope for.
Remember, it is not our job to secure the building. Our job is to secure the business.
Finding some confident-sounding source of biometric blather on the Internet is easy. Everyone and their brother, it sometimes seems, has a half-baked opinion about the return on investment of biometric technologies, the value proposition of biometric readers, or that the market will finally arrive for retinal scanners. That’s the way it seems, until you talk to Maxine Most, founder of Acuity Market Intelligence.
Max has put together the definitive view of the current state of the biometrics industry titled The Future of Biometrics: Market Analysis, Segmentation & Forecasts. The report is described as "Insight into the Trends, Drivers & Opportunities that will Shape the Industry through 2020." I think her research is just what the doctor ordered – bringing cool, well-researched facts into a conversation that is downright Pentacostal in its emotional fervor.
The report covers important questions such as:
- What are the forces – like globalization, population mobility, and proliferation of mobile devices – shaping the evolution of the market?
- Which industries and applications hold the most promise for biometric development?
- How will the technology evolve and impact overall market development?
- How will the most substantial opportunities for industry players evolve?
The report’s market segmentation is mapped across four key areas: physical
access, logical access, identity confirmation and surveillance. I think that’s the right approach for understanding the importance and impact of biometrics, as well as putting the vendor hyperbole in context.
from our Geeks Who Love To Poke Fun At Marketing People department
Schlage sent out this mailing recently. Can you guess why Locksmith Mike was so
Problem #1 (simple math)
26 bit standard card format: pnnnnnnnnxxxxxxxxxxxxxxxxp
65,536 possible card IDs
16,777,216 possible unique IDs if you use included the
facility code but that’s weak…
Problem #2 (the really annoying one)
Proximity isn’t encrypted. It’s just transmitting a unique ID. It is subject to man in the middle attacks, play backs, etc…
So does this mean that if I sniff their communications, I
can remotely send their unlock command by doing a play back? That would suck…
Do I want to trust a company that doesn’t understand a
simple prox card or a partial reason why the industry is moving towards smart
cards? Do I want to be the bozo who buys
a product like this thinking it’s accurate?