Over the next few weeks I’ll be migrating my security writing to SecurityShelf.com and shutting down this site. The new site includes up-to-date security headlines and will be the home to other security resources. See you there!
If you’re a security pro who enjoys writing, I’d love to hear from you! (We are happy to provide documentation to support CPEs for publishing security articles.)
I was chatting with a colleague the other day and the topic of Skype came up. Many people are still under the impression that Skype offers end-to-end encryption. According to this Ars Technica article Microsoft has full access to the content of Skype chats. The H reported similar results.
Wired has a great article on the NIST SP800-90 Dual Ec Prng debate. Government backdoor or just really bad cryptography?
While the debate is interesting, from a practical perspective the issue is how to identify and update products using the standard. While RSA is providing notice to developers using their toolkit, it’s difficult to know how many other libraries implement this NIST standard and where they are used.
When evaluating products many potential customers ask about key lengths. There is a longer list of questions we should be asking about any cryptography we are buying:
- Details of all algorithms used and associated key lengths. Most products combine asymmetric and symmetric cryptography, so there will normally be at least two, often three: An asymmetric encryption algorithm, an asymmetric signature algorithm, and a symmetric data encryption algorithm. Ask for detailed information on the algorithms, key lengths, and modes used.
- A list of hash algorithms used and their purpose. Digital signatures and message authentication require cryptographic hash algorithms.
- A description of the random number generator including the standard upon which it is based. All cryptography requires a quality random number generator. A poor one can undermine the entire cryptosystem.
- A description of all certificates used for protocols such as TLS/SSL including how the certificate is generated, managed, and validated. For example, does the product use the existing operating system certificate store or does it use its own private certificate store? Does it install its own root certificate or use an existing one?
- The name and version number of all cryptographic libraries used. There are several common commercial and open source libraries of acceptable quality. Very few organizations have sufficient expertise to implement their own.
- Any FIPS and Common Criteria evaluations to which the library and product as a whole have been subjected.
If a software vendor is unable or unwilling to provide this type of detailed information my advice is to assume that the encryption capability in their product provides minimal, if any, real security value. Details about the crypto used in products should form part of your organization’s Certification and Accreditation process and be maintained in a central repository to facilitate review as issues are identified in standards, algorithms, and specific libraries.
Scammers are sending email that appear to be in INTERAC e-Transfer to you. However, when you click on the link you are sent to their web site instead of the INTERAC one, presumably to steal your credentials.
If you receive an “e-Transfer” that you’re not expecting I recommend that you confirm it with the sender prior to clicking on any links.
If you’re interested in how phishing works, the full text of the email is here. It’s easy to see how it displays one URL but links to a totally different target.
The New York Times has a great article today on how intelligence agencies are able to bypass Internet security controls. Access to emails, texts, etc. provide a lot of valuable intelligence. However, the question is, what is the impact on business?
Years back, during the clipper chip debate, I attended the annual RSA conference. I heard one representative of the FBI speaking essentially on how important it was to limit the availability of encryption. I heard another FBI speaker refer to it as essential for “crime prevention.” When asked about the conflicting presentation he replied, “The FBI is a big place.”
I also heard a speaker from Germany on clipper. He began his presentation by stating that it was his country’s position not to criticize the Government of the United States on this issue. Then he proceeded to do exactly that, including indicating that his country would likely ban the import of products containing the clipper chip because allowing the US government to spy on German citizens was a violation of German sovereignty.
So perhaps the big question we should be asking is how long will it be until other countries ban the import and use of US-controlled cryptographic products and services, and what damage will this do to the US economy?
One of the challenges faced by security practitioners preparing Threat and Risk Assessments(TRA) for Canadian federal government departments (and private sector entities that need to comply with GC security requirements) has been the a lack of standards with respect to security controls. The author of each TRA was left to assess the adequacy of controls based upon their personal experience and what I’ll politely call “tradition”.
In November 2012, the Communications Security Establishment released ITSG-33, IT Security Risk Management: A Lifecycle Approach. In addition to outlining a better approach to information security, this document also includes a security control catalog and three suggested control profiles, available in HTML, PDF, and Excel format.
While the profiles are intended for customization by individual Government of Canada departments, the net effect is that — for the first time — the Government of Canada has issued solid guidance on security controls required to protect electronic information at various classification/designation levels.
According to On Device Research, Facebook is costing 16-34 year-olds jobs. One in ten young people have been rejected for a job because of their social media profile. However, two-thirds are not concerned that their use of social media may harm their future career.
While the study only included 6000 people across six countries, it does suggest that we are not doing a good job of helping young people prepare for a successful career and use social media wisely. It also serves as another reminder that employers may see things that one intended only for their friends.
Earlier in my career I had the opportunity to work with some of Canada’s brightest crypto guys and learn first hand how difficult is it to get it right.
Here’s a great article I wish every developer would read. It illustrates how some solutions that look perfectly reasonable contain serious security flaws.
On the heels of releasing a patch to address a vulnerability so serious that some users uninstalled Java, Oracle has again released a “Critical Patch Update” to address about fifty vulnerabilities, one of which is being actively exploited.
Yet, despite their horrible track record, Oracle continues to tell users that it “provides safe and secure access to the word of amazing Java content.”
Software security has few absolutes – and Java is a living (or perhaps dying) example of how poorly a lot of software is designed. It’s time for Oracle to wake up and smells the