In my earlier post, “Security is Not the Point,” I explained why to most people security is an annoying layer of cost and inconvenience. I said that no one wants security, they want the benefits of security. But if security is not the point, what is?
The last time you had to do some tedious paperwork, you were no doubt muttering under your breath that you’d rather be doing the actual project and not filling out forms and writing a report. We are all like that. Documenting tasks and processes is not fun.
Compliance is like that, too. It is considered the necessary evil, the tedious paperwork required by “the powers-that-be” to meet some basic level of due care. Compliance requirements define the “minimums” for demonstrating that the business is being run responsibly.
However, compliance has a more attractive cousin. Read more HERE.
Is he evil? Ask some manufacturers and they'll say yes, emphatically. Ask privacy advocates, and they'll praise him for exposing the seeds of Big Brother. Chris Paget didn't stop at cloning your HID prox card while standing next to you in line at the 7-Eleven.* Now he has begun war-driving through San Francisco, gleaning RFID tags from US Passports. This is another assault on the Western Hemisphere Travel Initiative. Read about it here.
White hats like Chris find the holes in our tech infrastructure that the bad guys also find. I'd rather know about it than keep my head in the sand. Besides, these problems are usually fixable, so let's fix the problems and not ignore them.
*not sure if he ever did that, but the cloning device he showed me sure could have been used that way.
CoreStreet is one of the really cool young technology companies in the security industry, and now In-Q-Tel knows it, too. The beltway-based investment vehicle for the US intelligence community made a strategic investment in CoreStreet. This is the most recent in a long string of victories for the young identity management and access control vendor.
You’ve read about CoreStreet on this blog – about how they dominated a bid in the State of Colorado. Well, other states will follow suit this year, and federal government FIPS 201 initiatives are all over the CoreStreet products.
This company, and those like it, are the reason I got into this business. Very cool.
Joel Rakow has a fun newsletter. He authorized me to reprint this story. If you want to get on his mailing list, drop him a note at firstname.lastname@example.org
Many security professionals are concerned about IP access control readers being a source of vulnerability. Think about it: a network device on the unsecured side of every door. Remove the cover and you have direct access to the enterprise network. The assumption is that card readers based on the Wiegand protocol…you know, those HID readers…are secure. If you are one of those, consider the following hack:
Use a proximity card in combination with a small PIC micro-controller chip (a Programmable Intelligent Computer chip). Embed a program in the chip that requests a display of the code on the card of the last card holder that gained access. The PIC chip is spliced between one of three wire lines on the backside of a Wiegand reader. The entire manufacturing cost of the PIC device and wires is less than $3. This hack can also be used to lock all of the doors so that nobody can gain access.
…wires to outsmart the Wiegand-based readers' communications standard, allowing him to gain access to restricted areas protected by the readers. Franken says he spent 12 hours working on his method, which included…
Embed a program onto… and programming was about $3. The program is written to replay the code on the card of the card-holder who most recently gained access.
This hack is outlined here to help both security professionals and manufacturers maintain security. Manufacturers need to prevent such simple hacks and professionals need to deploy readers knowing how they might be vulnerable.
Follow this link for the complete story.
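The splice-and-replay attack in the reprinted story works because the Wiegand interface carries the card number as plain pulses on two wires (D0 and D1) with nothing but parity bits to check, so a tap between reader and panel can record a valid frame and clock the identical frame back later. The C below is an added example, not code from Joel Rakow, from the Franken hack mentioned above, or from any reader vendor: it models the standard 26-bit Wiegand format (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit), captures the pulses a sniffer would see, checks parity, and shows that a re-encoded replay frame is bit-for-bit identical to the live swipe. The pulse-capture hook and the frame helpers are hypothetical names of mine; the facility code and card number used in `main` are constructed test values.

```c
/* Added example: 26-bit Wiegand sniff-and-replay model. Not vendor code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define W26_BITS 26

/* One 26-bit frame as seen on the reader's D0/D1 lines, first bit first. */
typedef struct {
    uint8_t bit[W26_BITS];
    int n;                      /* bits captured so far */
} w26_frame;

/* Hypothetical sniffer hook: a pulse on D0 is a 0, a pulse on D1 is a 1. */
void w26_capture_pulse(w26_frame *f, int line_is_d1)
{
    if (f->n < W26_BITS)
        f->bit[f->n++] = line_is_d1 ? 1 : 0;
}

/* XOR of bits [from, to] inclusive. */
static uint8_t xor_range(const uint8_t *b, int from, int to)
{
    uint8_t x = 0;
    for (int i = from; i <= to; i++)
        x ^= b[i] & 1;
    return x;
}

/* Standard 26-bit layout: P(even) | 8-bit facility | 16-bit card | P(odd).
   Returns false when a parity check fails (short frame, line noise, other format). */
bool w26_decode(const w26_frame *f, uint8_t *facility, uint16_t *card)
{
    if (f->n != W26_BITS)
        return false;
    /* bit 0 is even parity over bits 1..12, bit 25 is odd parity over bits 13..24 */
    if (f->bit[0] != xor_range(f->bit, 1, 12))
        return false;
    if (f->bit[25] != (uint8_t)(1 ^ xor_range(f->bit, 13, 24)))
        return false;
    uint8_t fc = 0;
    uint16_t cn = 0;
    for (int i = 1; i <= 8; i++)  fc = (uint8_t)((fc << 1) | f->bit[i]);
    for (int i = 9; i <= 24; i++) cn = (uint16_t)((cn << 1) | f->bit[i]);
    *facility = fc;
    *card = cn;
    return true;
}

/* Build the frame a replay device would clock out for a stored credential. */
w26_frame w26_encode(uint8_t facility, uint16_t card)
{
    w26_frame f = {{0}, W26_BITS};
    for (int i = 0; i < 8; i++)  f.bit[1 + i] = (facility >> (7 - i)) & 1;
    for (int i = 0; i < 16; i++) f.bit[9 + i] = (card >> (15 - i)) & 1;
    f.bit[0]  = xor_range(f.bit, 1, 12);
    f.bit[25] = 1 ^ xor_range(f.bit, 13, 24);
    return f;
}

/* Sniff a live swipe, store the credential, re-emit it. True when the replay
   decodes to the same credential and matches the original pulse for pulse,
   i.e. the panel has no way to tell the two apart. */
bool w26_replay_round_trip(uint8_t facility, uint16_t card)
{
    w26_frame on_wire = w26_encode(facility, card);       /* legitimate swipe */
    w26_frame sniffed = {{0}, 0};
    for (int i = 0; i < W26_BITS; i++)
        w26_capture_pulse(&sniffed, on_wire.bit[i]);      /* tap on the reader wiring */
    uint8_t fc;
    uint16_t cn;
    if (!w26_decode(&sniffed, &fc, &cn) || fc != facility || cn != card)
        return false;
    w26_frame replay = w26_encode(fc, cn);
    for (int i = 0; i < W26_BITS; i++)
        if (replay.bit[i] != on_wire.bit[i])
            return false;
    return true;
}

/* Flip the listed bit positions of a valid frame and report whether the parity
   checks reject it. Parity is not integrity: two flips in one group slip through. */
bool w26_flips_detected(uint8_t facility, uint16_t card, const int *bits, int nbits)
{
    w26_frame f = w26_encode(facility, card);
    for (int i = 0; i < nbits; i++)
        if (bits[i] >= 0 && bits[i] < W26_BITS)
            f.bit[bits[i]] ^= 1;
    uint8_t fc;
    uint16_t cn;
    return !w26_decode(&f, &fc, &cn);
}

int main(void)
{
    /* constructed sample credential: facility code 122, card number 12345 */
    int one[] = {9}, two[] = {9, 10};
    printf("replay identical to live swipe: %s\n",
           w26_replay_round_trip(122, 12345) ? "yes" : "no");
    printf("single bit flip caught by parity: %s\n",
           w26_flips_detected(122, 12345, one, 1) ? "yes" : "no");
    printf("double bit flip caught by parity: %s\n",
           w26_flips_detected(122, 12345, two, 2) ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c99 wiegand26.c`. The lesson for deployers is in `w26_replay_round_trip`: the format carries no secret and no freshness, so anything that can see the D0/D1 lines can become a card. The fixes are on the reader side, not in the frame: tamper switches on the housing, and a reader-to-panel protocol that authenticates the reader (OSDP with Secure Channel) rather than raw Wiegand.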
Here is a refresher on the four fundamental categories of security – authentication, authorization, administration and audit. Each poses a basic question. And each must be addressed before the next becomes fully effective.
Are you who you say you are? Authentication is the set of tools and processes for identifying people and machines. ID badges, key cards, passwords, biometrics all deliver information about whether a person is who they claim to be.
I know who you are, but what may you do? Authorization technologies limit and control behavior, but also aim to allow appropriate activities. Locks, entry devices, card readers, antivirus software, encryption, even fences and guards require or respond to information about one’s privileges, then ensure that one can perform all the duties of his or her
Lots of you are doing lots of things. How do I manage it? Administration is both a set of processes and a technological act, often requiring software and computers or data repositories called directories. Access control administrator software, provisioning software, the forms you pass around to managers to get approvals, all allow organizations to add, delete or modify information about people and their privileges.
What’s happening? Is the authentication and authorization working correctly? The last of the four categories, audit, is arguably the most important. Cameras, video recorders, monitoring stations, alarms, IT-SIM and PSIM products, risk assessments and computer audit logs collect and display the current state to whomever is concerned. The better systems, of course, correlate and prioritize events to help people respond to the
Security employs technologies and processes to ask those questions and respond to the information in the most efficient and
What it is:
USB stick with fingerprint authentication, AES or Blowfish file encryption, secure partition and platform for hosting and launching applications. Plug this little baby in and launch apps, store files, send emails, and sign documents all without leaving a trace on the host computer. Capacity ranges from 256K to 4 Gigs.
n-Trance Security Ltd
How it does it:
n-Tegrity Pro combines a proprietary biometric authentication application (all properly documented and publicly discussed in academic papers, of course), file encryption (using your choice of AES, Blowfish or other popular encryption options), and a logical partition for secure file storage.
The product is shipping and is currently sold through a few channels in Europe and on Amazon. Starts at $45, up to $200.
I tested the Pro version with 1 Gig of memory selling for about $90.
I opened the box and installed it in seconds. Within five or six minutes I was a power user (after I figured out that I have to swipe my finger three times to enroll instead of just one). The software running on my device is n-Pass Pro 184.108.40.2066. I inserted it in a USB port of my old IBM ThinkPad T42 running Windows XP (updated) and was pleased at how quickly the n-Tegrity Pro was detected. After registering two fingers using the biometric reader, a navigation window offered me options to launch the embedded applications like Skype or Miranda instant messaging. I selected Internet Explorer and surfed away, hardly detecting any latency given the fact that the app and its caches were being completely housed on the stick. At one point, mid operation, I ripped the stick out to see what would crash. Nothing did. The n-Tegrity Pro icon in the system tray simply disappeared. When I reinserted the device in the USB port I counted to ten and was presented with the fingerprint authentication request, slid my left thumb across the reader and was instantly back in action. Encrypting was just as easy. I dragged a file into the reader and right clicked. I found the functions of this powerful device and its elegant software to be intuitive and supremely useful. The device has an integrated cover and comes with a lanyard – an important protection for me because I lose
Other capabilities listed on the website are
- n-Pass Pro – biometrically enabled VPN and RDC connection
- n-Crypt – shell-integrated, biometrically-enabled cryptographic application for files and folders
- Encrypted Virtual Disks
- FIPS 140-2 Level 1
- Selectable cryptographic algorithms from the list of 7 most powerful (such as RSA-2048 key pair, AES-256, etc)
I mentioned IE, Miranda and Skype, but there are many apps you could launch from the flash disk. A list of compliant applications is available HERE.
USB sticks combining secure file storage are a dime a dozen these days. Well, maybe $500 a dozen, but you get the idea. The n-Trance solution combines applications, secure files, password storage, and so many other uses neatly contained in a form factor with its own secure biometric authentication and encryption engine.
Not much to gripe about at this point. It does what it claims. The Quick Start Guide is not written as clearly as it could be. And I look forward to support of Linux and Mac.
How to Buy:
Europeans can go to their local UniEuro Market in Italy, Netherlands, Hungary and Russia, where you’ll likely find the products displayed next to new computers.
Everyone else can go to
Imprivata bridges the IT side of authentication and credential management with physical security. The company’s flagship product, OneSign version 3.6, now integrates with Honeywell ProWatch Access Control Systems and can support National ID cards built on the Dutch UZI card platform. It also just extended support for 64-bit Citrix and Terminal Server as well as Windows Vista platforms (32 bit). This week the company announced ProveID™ for OneSign, which cleverly allows developers to insert Imprivata strong authentication into
I’ve always been a fan of this scrappy company. Founder David Ting is an articulate champion of collaborative authentication management, and the company has been very smart, I’d say, by betting on the convergence story as a way of differentiating it from the soupy identity
The company boasts over 150 Imprivata resellers in 32 countries, and over 600,000 seats sold, but that’s a far cry from Passlogix‘s 6 million seats. However, Imprivata sells a solution with pricing and deployment options suitable for even small and mid-sized organizations.