Posts tagged ‘Security’

FIPS 140-2 Level 2 Certified USB Memory Stick Cracked

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers’ nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations — and this is the case for all USB Flash drives of this type.

Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program’s RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.
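As an added illustration (not SySS's tool or any vendor's code), the following Python models the two host-to-drive unlock designs the article contrasts: a drive that only ever checks one fixed string, and a hardened drive whose accepted message is bound to the password through a salted key derivation. All values are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed model (not SySS's tool or any vendor's firmware) of the two
# host-to-drive unlock designs contrasted in the article.

class FixedTokenDrive:
    """Flawed design: the drive checks for one constant string, so whatever
    crypto the host performs on the password never reaches the check."""
    UNLOCK_STRING = b"constructed-constant-unlock-string"  # placeholder value

    def __init__(self):
        self.unlocked = False

    def unlock(self, message):
        self.unlocked = hmac.compare_digest(message, self.UNLOCK_STRING)
        return self.unlocked

def fixed_token_host_unlock(drive, password):
    # The host performs "various crypto operations" on the password, but the
    # result is discarded: whatever the user typed, the same string is sent.
    hashlib.sha256(password.encode()).digest()
    return drive.unlock(FixedTokenDrive.UNLOCK_STRING)

def derive_unlock_key(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class PasswordBoundDrive:
    """Hardened design: the drive stores a per-device salt and a verifier of
    the password-derived key, so the only accepted message depends on the
    password (a real drive would also use that key to unwrap the AES data key)."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self._verifier = hashlib.sha256(derive_unlock_key(password, self.salt)).digest()
        self.unlocked = False

    def unlock(self, key):
        self.unlocked = hmac.compare_digest(hashlib.sha256(key).digest(), self._verifier)
        return self.unlocked

def password_bound_host_unlock(drive, password):
    return drive.unlock(derive_unlock_key(password, drive.salt))
```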

Full Story >> Schneier on Security: FIPS 140-2 Level 2 Certified USB Memory Stick Cracked

Emergency response and your critical systems

I am returning from a set of customer meetings and took the opportunity to conduct a few experiments. The city where I was staying was well connected, and more often than not I was able to locate a free WiFi connection. While that was good for checking personal email and staying in touch with family, it didn’t allow me access to my business applications.


In an emergency response and deployment scenario, your network connectivity may be anything but “industrial strength”. You may have a cellular data connection or get access to random Wi-Fi services. In most cases, they won’t be secure.

The solution is to have a VPN strategy in place BEFORE the crisis strikes. It’s important that your strategy include mobile devices as well as mobile computers. As any rescue responder will attest, given the choice they’d rather carry a 5 oz PDA with 8-12 hours of battery than a 6 lb computer with 3-4 hours. If your applications are web enabled and you can establish a secure connection, most portable devices can fill the need.

What’s important is a flexible VPN strategy – one that supports a wide range of devices, from portable computers and personal devices to servers and mobile stations.

IBM’s Lotus Mobile Connect was a great fit for my test. Not only did it maintain a consistent interface to my enterprise services – even as I roamed from Wi-Fi to cell to Ethernet – but it also gave me a client-less option for my mobile device. I was as connected as I needed to be … and perhaps equally important, I was able to respond quickly to changing conditions – both in the environment and on the job.

What’s your mobile strategy, and is a VPN part of your arsenal of tools?

Cloud Computing, Hosted Solutions, and Data Security


Cloud computing has many interpretations and one of them is a rebranding of "hosting". In reality, cloud computing tends to get broken into three layers:

  1. Software as a Service (SaaS) – hosted solutions, individual applications, and integrated packages of capability targeting end users
  2. Platform as a Service (PaaS) – a packaged set of services onto which tenants (customers) build their own solutions for their own end users
  3. Infrastructure as a Service (IaaS) – raw platform infrastructure such as an operating system, or even just CPU along with storage, giving the tenant (customer) the responsibility of building their system and then deploying it to the IaaS

How secure is the data in the cloud environment? That depends on three factors:

  1. how secure is the storage
  2. how secure is the access
  3. how many people have permitted access

There are known quantities and technologies for storage and access. A recent announcement by IBM demonstrates the importance of these issues and the continued research into improvements …

"IBM researcher Craig Gentry has proposed a method for manipulating data while leaving it encrypted. That could be big news for cloud computing, for antispam solutions, and for health care providers … [it] enables encrypted data to be manipulated so that, when decrypted, the result is as if the operation had been performed on the unencrypted data — an approach that makes it especially suitable for some types of security."

The third dependency – how many people have access – may be variable and outside the control of the customer. If the Service Level Agreement (SLA) does not stipulate separate and isolated infrastructure, then the number of people with permitted access to the service is equal to the total population of all tenants. One solution is a tiered SLA, allowing the customer to opt for more isolation at a higher price point. Of course, this starts to negate the benefits of cloud for the provider, hence the need for pricing tiers that go along with the SLA isolation tiers.

In the end, the consumer needs to make a conscious decision on how much control they retain in the cloud vs the benefit of the outsourced responsibility and resources.