by Michael Mongold on June 26, 2007
in SBN
This is a little stale but I wanted to talk about it anyway. With their latest actions, I believe the Department of Veterans Affairs is quickly becoming the poster child for reformed data loss victims.
(important to note that, in this case, the data was eventually recovered)
The VA announced a few weeks ago that they have purchased 25,000 USB drives with built-in encryption from Kanguru.
The built-in AES-256 encryption will help ensure that only authorized users can gain access to the USB drive and will prevent another major meltdown if it is lost or stolen.
Also, it should be noted that Kanguru says that they can prevent users from attaching the devices to the network based on a device identification number.
I believe that this is a great step but one that must be accompanied by some level of control. I have stated in this blog a number of times that a policy without the means to enforce it is just window dressing.
So, kudos to the VA on a positive step and showing corporate America the direction to move in. Just make sure that you keep the momentum going and block access to the unauthorized USB devices out there.
Michael Mongold
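The post's closing point is that a policy on sanctioned USB drives needs an enforcement hook, and the hook Kanguru is said to offer is the device's own identification number. The following added example (not code from the post, from the VA or from Kanguru) shows what an allow-list decision keyed on that identifier looks like. It parses the Windows USBSTOR device instance ID layout (USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>), treats the device serial as the identity, and fails closed on anything it cannot identify. All vendor names, serials and the issued-device set are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Windows enumerates a USB mass-storage disk under the USBSTOR bus as
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
# When the device reports no USB serial number, Windows synthesizes the last
# path segment instead (it then contains several '&' characters, for example
# 7&1a2b3c4d&0&_&0), so such a device has no stable per-unit identity.
_USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<tail>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDisk:
    vendor: str
    product: str
    revision: str
    serial: Optional[str]  # None when Windows generated the instance path


def parse_instance_id(instance_id: str) -> Optional[UsbDisk]:
    """Parse a USBSTOR disk instance ID; return None for any other device path."""
    m = _USBSTOR_RE.match(instance_id.strip())
    if not m:
        return None
    parts = m["tail"].split("&")
    # A device-reported serial yields exactly "<serial>&<n>"; a synthesized
    # segment has more '&' separators, so we refuse to treat it as a serial.
    serial = parts[0].upper() if len(parts) == 2 else None
    return UsbDisk(m["vendor"], m["product"], m["rev"], serial)


# Constructed allow-list: serials of the drives the organization actually issued.
# Keying on the serial rather than vendor/product stops a look-alike drive from
# the same vendor from passing the check.
ISSUED_SERIALS: Set[str] = {"0A1B2C3D4E5F", "1122334455667788"}


def decide(instance_id: str, issued: Set[str] = ISSUED_SERIALS) -> str:
    """Return an 'allow: ...' or 'deny: ...' verdict for one device instance ID."""
    disk = parse_instance_id(instance_id)
    if disk is None:
        return "deny: not a USBSTOR disk path"
    if disk.serial is None:
        return "deny: device reports no serial number, cannot be allow-listed"
    if disk.serial not in issued:
        return f"deny: serial {disk.serial} not in issued set"
    return f"allow: {disk.vendor} {disk.product} serial {disk.serial}"


# Constructed sample instance IDs covering each branch of the decision.
SAMPLE_IDS: List[str] = [
    r"USBSTOR\Disk&Ven_ExampleCo&Prod_SecureDrive&Rev_1.00\0A1B2C3D4E5F&0",
    r"USBSTOR\Disk&Ven_ExampleCo&Prod_SecureDrive&Rev_1.00\FFFF00001111&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0&_&0",
    r"USB\VID_0781&PID_5567\ABC123",
]


def evaluate_all(ids: List[str] = SAMPLE_IDS) -> List[str]:
    return [decide(i) for i in ids]


if __name__ == "__main__":
    for dev, verdict in zip(SAMPLE_IDS, evaluate_all()):
        print(f"{verdict:<70} {dev}")
```

The third sample is the caveat worth knowing before buying into device-ID enforcement: cheap drives that report no serial number all look alike to the operating system, so a serial-based allow-list can only ever admit drives that carry one, which is an argument for standardizing on a single issued model.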
by Michael Mongold on June 25, 2007
in SBN
A Russian firm, ElcomSoft, is now selling a password recovery tool that helps you gain access to Quicken, Quicken Lawyer, and QuickBooks for only $99 for a commercial license.
ElcomSoft gained access to files encrypted by Quicken's software by discovering a backdoor that Quicken had placed in their software for password recovery scenarios.
ElcomSoft discovered that Quicken had implemented a 512-bit RSA key. After factorizing the key, ElcomSoft promptly moved forward with a solution that can instantly remove the passwords protecting Quicken files.
The result is, if placed in the wrong hands, this product could potentially open a number of customers to the exposure of very sensitive data to competitors and the public, alike.
Quicken has responded that they take this threat seriously and are working on resolving the issue.
Until they have provided a work around for the backdoor, make sure you keep a tight hold on any Quicken documents.
Michael Mongold
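The mechanism the post describes, a vendor recovery key built into the product whose modulus was then factored, is easiest to see with the arithmetic laid out. The added example below is not ElcomSoft's or Intuit's code; it is textbook RSA with deliberately tiny primes so that the factoring step runs instantly (a genuine 512-bit modulus took real effort in 2007), and it assumes the simplest escrow design: the product encrypts each file password under the vendor's public key. The password, primes and parameters are all constructed. The point it demonstrates is that recovering the two factors of the public modulus yields the private exponent, after which every escrowed password falls at once.

```python
from math import gcd
from typing import Tuple


def rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[Tuple[int, int], int]:
    """Vendor side: build the escrow key pair. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), d


def escrow_password(pub: Tuple[int, int], password: bytes) -> int:
    """Product side: store the file password encrypted under the vendor key."""
    n, e = pub
    m = int.from_bytes(password, "big")
    if m >= n:
        raise ValueError("password too long for this toy modulus")
    return pow(m, e, n)


def recover_password(d: int, n: int, ciphertext: int) -> bytes:
    """Anyone holding d can open any escrowed password."""
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def trial_factor(n: int) -> Tuple[int, int]:
    """Factor n by trial division; feasible only because n is tiny here."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no factor found; n is prime")


def private_exponent_from_factors(e: int, p: int, q: int) -> int:
    """Once p and q are known, d follows from e alone."""
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> dict:
    # Constructed primes; a real deployment would use ones hundreds of digits long.
    p, q = 1000003, 1000033
    pub, vendor_d = rsa_keypair(p, q)
    n, e = pub
    password = b"pw42"  # constructed sample file password
    escrowed = escrow_password(pub, password)

    # The public modulus ships inside every copy of the product; whoever
    # factors it derives the same d the vendor holds.
    rp, rq = trial_factor(n)
    recovered_d = private_exponent_from_factors(e, rp, rq)

    return {
        "modulus_bits": n.bit_length(),
        "vendor_d": vendor_d,
        "recovered_d": recovered_d,
        "opened": recover_password(recovered_d, n, escrowed),
    }


if __name__ == "__main__":
    result = demo()
    print(f"modulus: {result['modulus_bits']} bits")
    print(f"d recovered matches vendor's d: {result['vendor_d'] == result['recovered_d']}")
    print(f"escrowed password opened: {result['opened']!r}")
```

Nothing about the product's own password handling is needed for this to work, which is why a single fixed recovery key is a backdoor rather than a feature: its security is exactly the cost of one factoring job, paid once, against every customer file.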
by rudolph on June 24, 2007
in SBN
Thanks to JD Meier at Microsoft I have become a huge fan of mind mapping in the last few years. When JD first introduced Mark Curphey and myself to this, I have to admit I wasn't on board immediately. It was a little too "new age" for me. So I went about 6 months down the road before I had the inclination to use it again. But then, as a bunch of people at work will testify, I had drunk the kool-aid. I was using mind mapping for everything from building threat models and doing code reviews to working out my articles and presentations. I even convinced Foundstone to purchase a bunch of licenses of MindMapper as a lot of other people at Foundstone had become fans as well. Why MindMapper – well that was what JD was using and what another friend from back at CMU was using as well. Anyways about three years went by and I continue to be a big fan, to the point where I was accused of owning stock in MindMapper since I was evangelizing it so much :-).
In March this year I was at the MVP summit in Seattle and met JD on the sidelines. We were chatting about a bunch of things and mind mapping came up again. Turns out JD has been using MindManager more recently. One benefit of being an MVP is I often get sent review copies of books / software etc. and consequently I now have a free copy of MindManager. While I don't have a final verdict on which of the two mind mapping programs is better, I do have some initial thoughts. One of the things I love about MindMapper is the fact that you can easily work on your mind map using just your keyboard. Hit enter to edit a topic, type "over" a topic to add a new child topic and use the arrow keys to navigate in between. MindManager on the other hand (and the little I have seen of it I must admit) has support for the tablet PC and ink, and in general seems to have a richer overall user interface (ribbon etc.). Also there seem to be newer versions of MindManager a lot more often than MindMapper and in my feeble mind that is an indication of some sort at least of innovation. Of course one challenge I would have moving from one product to another is that there is no easy way to export from MindMapper (in which I have a ton of threat models – and I do mean a ton – I did a search for file types on my drive and as it turns out I have more .twd MindMapper files than Word .doc files) to MindManager. I ran into this post though and decided to take on the author's challenge. Turns out it wasn't hard at all and in my limited testing it seems to work reasonably well. If anyone wants to try it out here is the process:
- Save the following code as mmconvert.xslt
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fn="http://www.w3.org/2005/02/xpath-functions" xmlns:xdt="http://www.w3.org/2005/02/xpath-datatypes" xmlns:ap="http://schemas.mindjet.com/MindManager/Application/2003" xmlns:cor="http://schemas.mindjet.com/MindManager/Core/2003">
<xsl:output version="1.0" encoding="UTF-8" indent="no" omit-xml-declaration="no" media-type="text/html"/>
<!-- Recursively turns one MindMapper <item> into a MindManager <ap:Topic>;
     child <item>s become <ap:SubTopics>, the <title> becomes <ap:Text>. -->
<xsl:template name="processItem">
<ap:Topic>
<xsl:if test="item">
<ap:SubTopics>
<xsl:for-each select="item">
<xsl:call-template name="processItem"/>
</xsl:for-each>
</ap:SubTopics>
</xsl:if>
<xsl:variable name="topicTitle" select="title"/>
<ap:Text PlainText="{$topicTitle}" ReadOnly="false">
<ap:Font/>
</ap:Text>
</ap:Topic>
</xsl:template>
<!-- Entry point: the root <item> of the MindMapper export becomes the map's central topic. -->
<xsl:template match="MindMapper/item">
<ap:Map>
<ap:OneTopic>
<xsl:call-template name="processItem"/>
</ap:OneTopic>
</ap:Map>
</xsl:template>
</xsl:stylesheet>
- Export your current mind map from MindMapper as XML
- Use some XSL transformation engine such as the one in XMLSpy to apply the above stylesheet to the XML file you got from MindMapper
- Open the XML file now obtained in step 3 (i.e. after the XSL transformation) in MindManager and voila you should have yourself a nice little MindManager mind map!
Bugs and feedback through the comments field please :-).
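For readers without an XSLT engine to hand, here is the same conversion as an added example written in Python with the standard library's xml.etree, not the post's own stylesheet and not code from either mind mapping vendor. It assumes the MindMapper export shape the stylesheet implies (a MindMapper root holding nested item elements, each with a title) and reproduces the stylesheet's output structure exactly: ap:Map / ap:OneTopic / ap:Topic, with ap:SubTopics preceding the ap:Text element and an empty ap:Font inside it. The sample map is constructed.

```python
import xml.etree.ElementTree as ET
from typing import List

# MindManager application namespace, as declared in the stylesheet above.
AP = "http://schemas.mindjet.com/MindManager/Application/2003"
ET.register_namespace("ap", AP)


def _ap(tag: str) -> str:
    return f"{{{AP}}}{tag}"


# Constructed MindMapper export in the item/title shape the stylesheet expects.
SAMPLE_MINDMAPPER_XML = """<MindMapper>
  <item>
    <title>Threat model: web app</title>
    <item>
      <title>Spoofing</title>
      <item><title>Session fixation</title></item>
    </item>
    <item><title>Tampering</title></item>
  </item>
</MindMapper>"""


def convert_item(item: ET.Element) -> ET.Element:
    """Mirror of the stylesheet's processItem template for one <item>."""
    topic = ET.Element(_ap("Topic"))
    children = item.findall("item")
    if children:  # <xsl:if test="item"> ... <ap:SubTopics>
        subs = ET.SubElement(topic, _ap("SubTopics"))
        for child in children:
            subs.append(convert_item(child))
    title = item.findtext("title", default="")
    text = ET.SubElement(topic, _ap("Text"), {"PlainText": title, "ReadOnly": "false"})
    ET.SubElement(text, _ap("Font"))
    return topic


def convert(mindmapper_xml: str) -> str:
    """Mirror of the root template: MindMapper/item -> ap:Map/ap:OneTopic/ap:Topic."""
    root = ET.fromstring(mindmapper_xml)
    if root.tag != "MindMapper":
        raise ValueError(f"expected <MindMapper> root, got <{root.tag}>")
    central = root.find("item")
    if central is None:
        raise ValueError("export contains no root <item>")
    mind_map = ET.Element(_ap("Map"))
    one_topic = ET.SubElement(mind_map, _ap("OneTopic"))
    one_topic.append(convert_item(central))
    return ET.tostring(mind_map, encoding="unicode")


def topic_titles(mindmanager_xml: str) -> List[str]:
    """Titles of every ap:Topic in document order; handy for checking a conversion."""
    root = ET.fromstring(mindmanager_xml)
    titles = []
    for topic in root.iter(_ap("Topic")):
        text = topic.find(_ap("Text"))
        titles.append(text.get("PlainText", "") if text is not None else "")
    return titles


def has_mindmanager_shape(mindmanager_xml: str) -> bool:
    root = ET.fromstring(mindmanager_xml)
    return root.tag == _ap("Map") and root.find(f"{_ap('OneTopic')}/{_ap('Topic')}") is not None


if __name__ == "__main__":
    out = convert(SAMPLE_MINDMAPPER_XML)
    print(out)
    print(topic_titles(out))
```

Save the output with a .mmap-compatible XML extension as in step 4 of the process above; the parsing check in convert() is the one addition over the stylesheet, since an XSLT processor would silently produce an empty result for an export whose root is not MindMapper.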

by rudolph on June 24, 2007
in SBN
New articles I have been working on in the last few months:

by SOX Jockey on June 22, 2007
in SBN
I love to see coverage of Social Networking Site security issues, such as this post at GNU Citizen.
by Michael Mongold on June 21, 2007
in SBN
Senforce announced on Monday that they will incorporate data encryption into their NAC offering.
Back in March, I suggested that a natural evolution of encryption and NAC would eventually bring the two together. Kind of like chocolate and peanut butter.
Now, Senforce is making a play in that direction.
I'll spare you the trauma of reading their press release. Suffice it to say, after they finish huffing about how they are the leader and all that - you know, the usual press release BS - they eventually say a little bit about how they are planning to prevent "thumbsucking".
A term that they are a little overly proud of creating.
(Thumbsucking refers to data that is "sucked" off of corporate devices and onto USB drives. The term "slurping" has been around longer and refers to programs that automatically search for certain file types on a hard drive and pull them over to an iPod or other removable device when it attaches to the computer.)
So, verbiage aside, I am glad to see someone pick up this angle of data security. Right now, everyone I speak to is concerned about USB proliferation in the workplace. For organizations that have sensitive data (i.e. everyone), this is a critical issue.
The beauty of NAC is that it can easily incorporate new technologies and flash points into controllable security policies as they arise. This kind of flexibility and control are what is required as data security evolves.
I always tell organizations that without NAC, your security policies have no teeth. Policies are basically words on a paper with no means of observing or enforcing behaviour. NAC gives you the ability to change all of that.
Quite honestly, I'm not sure how CEOs/CFOs/CIOs/CISOs can sleep at night - with all of the current regulatory constraints that are flying around, not knowing what is on the network, and then not having the ability to do anything about what is on your network, even if you did know.
Hmmm - guess I should be glad I'm not in that position.
So, while I can't recommend Senforce's offering yet since I haven't had a chance to play with it, I will say that I like the thought they have put into the features listed and look forward to seeing more of it (and the offerings from other NAC vendors) in the future.
Michael Mongold
by Michael Mongold on June 20, 2007
in SBN
Can I get an "Amen"? The General Services Administration just announced that they have selected 10 data encryption companies to "guard sensitive, unclassified data that reside on laptops, mobile computing gadgets and thumb drives."
The ten companies are:
- Mobile Armor's Data Armor
- Safeboot's SafeBoot Device Encryption
- Information Security's Secret Agent
- SafeNet's SafeNet ProtectDrive
- Encryption Solution's SkyLOCK At-Rest
- Spyrus' Talisman/DS Data Security Suite
- WinMagic's SecureDoc
- CREDANT's CREDANTMobile Guardian
- GuardianEdge's Data Protection Platform
It is an interesting line-up of encryption vendors with some of the usual suspects included and then a few that made it from out of left field and then a few notables that were left off.
Of the surprises on the list:
- Information Security: a small player who caters to the federal space.
- Encryption Solution: finding information on this company was like pulling teeth. Not much of a presence in the market. However, with government contracts, it's always fun to see who has been doing the most lobbying.
Of the surprises OFF the list:
- Utimaco: with about a quarter of all of the encryption licenses in the world, their absence is definitely noteworthy. Perhaps because they're German?
- Pointsec: the other 800 pound gorilla in the encryption market. Recent purchase by Checkpoint should have made them more palatable to the government, but I guess they're still too Swedish.
It was good to see WinMagic make the list. They're a good group of guys and I'm sure they worked hard to get this deal.
It appears that GuardianEdge may be back in the good graces of the government after winning and then losing the VA deal. Word is that they are having a lot of problems financially so we'll have to see if this keeps them afloat for a while longer.
Also, good to see Mobile Armor. I have been hearing a lot of good things about their software and look forward to getting my hands on some of it soon.
To put things into perspective, the deal is worth at least $79 million over the next five years.
On top of all of the government agencies that can get in on this deal, state and local governments can get the same pricing through the winning vendors for their various organizations. This represents a tremendous opportunity for local and state authorities to provide encryption for their users' data at greatly reduced costs.
So if you are a local or state agency, jump on this deal because it is unlikely you will find better pricing on your own.
Michael Mongold
LiveJournal tags:
Michael Mongold,
MTM Technologies,
Rocky Mountain Ram,
Carahsoft Technology,
Spectrum Systems,
SafeNet,
Hi Tech Services,
Autonomic Resources,
GovBuys,
Intelligent Decisions,
Merlin International,
Mobile Armor,
Data Armor,
Safeboot,
Safeboot Device Encryption,
Information Security Corp.,
Secret Agent,
SafeNet ProtectDrive,
Encryption Solutions,
SkyLOCK At-Rest,
SPYRUS,
Talisman/DS Data Security Suite,
WinMagic,
SecureDoc,
CREDANT Technologies,
CREDANTMobile Guardian,
GuardianEdge,
DAR,
GSA,
Enterprise Software Initiative,
SmartBUY,
Office of Management and Budget,
Defense Department,
General Services Administration,
DARTT,
Data-at-Rest Tiger Team
by Michael Mongold on June 19, 2007
in SBN
This may be hard to believe, but experts are saying that IF the data stolen from Ohio had been encrypted, it would have prevented the worries they are going through now.
Uh, yeah. No kidding. Oh, well. More fodder for the bloggers and newsies to write about. There certainly seems to be no shortage of it.
The plus side of this is that these big, very public losses are helping divert attention from the smaller losses that are occurring every day. So, if your company has any data theft that it needs to report, try to time it around another data theft that is a lot larger. Most likely the news outlets will only run one story on data theft that day and choose to run the other company's screw up. Bonus points if you report this late on a Friday.
I should be a political spin-meister.
Of note is Gov. Strickland's stance that Ohio "maybe should have considered encrypting the data". Regardless, he believes the data is still safe because it should be difficult to use the data on the hard drive.
I hope the Ohio voting populace feels better about their tech-savvy governor telling us how it is.
Perhaps the car that the data was stored in maybe should have been harder to break into as well.
Michael Mongold
by Michael Mongold on June 18, 2007
in SBN
My fiancée forwarded an e-mail she received today from a bank that she does not use. The e-mail stated that the bank had locked her online access and needed some information from her.
Here is the gist of it:
"Dear customer,
Your access to Online Services has been suspended. Due to a miss-match access code between your Site key information. To enable you continue accessing your online account it will only take you few minutes to re-activate your account. Click on the link below and you will be taken straight to where you can activate your account."
It goes on to provide a link to the bank, which if investigated shows that it actually points to a link at MISIONCRISTIANAELIMHN.com. Performing a quick check at dnsstuff.com shows that it is registered to Solucion Logica in San Pedro Sula, Cortez, Honduras with Julius Barber as the technical contact. Continuing along this path, I visited Solucion Logica's website at www.slogica.net and found that they are currently having problems with their mail because one of their servers is being used for Spam.
Of course, they say that they are investigating who the culprit is and once that account has been discovered, it will be suspended. Also you are welcome to call 9982-8141 if you have any questions, but you better be fluent in Spanish.
I guess where I'm going with this is the fact that this should not be happening. Organizations which allow people to spam from their servers should be held liable for any damage that it does. And let's face it, this is not just spam but an attempt to illegally gain someone's banking information.
No less than an outright attempt to steal money from someone and it should not be tolerated.
I am a strong proponent of what the Electronic Frontier Foundation represents and I believe an open Internet allows for the most advances. However, allowing people to attempt such flagrant scams should not be tolerated. And yes, there are other things that occur over the Internet that are even more disturbing, but our law enforcement personnel are already pursuing those individuals.
I guess I find it hard to believe that in this day and age, someone can feel so brazen as to attempt something like a phishing scam and not be concerned about the repercussions.
Let us hope that someone will put into effect a mechanism to block those that attempt scams such as these.
Here's a thought: If a government body ran a DDoS, after judicial approval similar to a wiretap proceeding, against one of these creeps, it would force ISPs to be much more diligent about the junk they allow through their networks.
Of course, the ISP would need to be given prior knowledge and a chance to work the issue out themselves, but at least we would have some recourse.
Right now, we place the burden of self-protection solely on the end user, which sounds like money to a phisher.
What do you think?
Michael Mongold
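The tell in the e-mail above was that the link text pointed at the bank while the link target pointed somewhere else entirely, which the author only found by inspecting the href. That check is mechanical, and the following added example (not from the post, not a product of any vendor named on this page) automates it: it pulls every anchor out of an HTML message body with the standard library's HTML parser, compares the host in the displayed text with the host the link actually goes to, and also flags any link whose host is not under the domain the message claims to come from. The e-mail body and the domains in it are constructed placeholders, not the real ones from the post.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message body modelled on the phish described above:
# the visible text names the bank, the href goes to an unrelated host.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Dear customer, your access to Online Services has been suspended.</p>
<p>Click <a href="http://www.example-phish-host.test/secure/login">
https://online.examplebank.test/activate</a> to re-activate your account.</p>
<p>Questions? Visit our <a href="https://online.examplebank.test/help">Help centre</a>.</p>
</body></html>"""

_DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data: str) -> None:
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url_or_text: str) -> str:
    """Lower-cased hostname of a URL, tolerating a bare 'www.bank.example' form."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def audit_links(html: str, claimed_domain: str) -> List[Dict]:
    """One finding per link: href, text, reasons it looks suspicious (if any)."""
    findings = []
    for href, text in extract_links(html):
        reasons = []
        href_host = host_of(href)
        if not under_domain(href_host, claimed_domain):
            reasons.append(f"href host {href_host!r} is not under {claimed_domain!r}")
        if _DOMAIN_LIKE.match(text) and host_of(text) != href_host:
            reasons.append(f"displayed host {host_of(text)!r} differs from href host {href_host!r}")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML, "examplebank.test"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:<10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

The suffix test in under_domain() is deliberately strict about the leading dot, so a host such as examplebank.test.evil.test does not pass as the bank; a mail gateway rule built on the same two checks catches the message in the post before it reaches anyone's fiancée.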