From the monthly archives:

June 2008

Unintended Liability. Are You at Risk?

by Carrington on June 30, 2008

in SBN

Two recent blog posts (by Kearns and JBohren) refer to a damning number: the high percentage of orphan accounts that exist in most applications and most large organizations. An “orphan” is an account that belongs to some person who has left the organization (or never existed in the first place). It can’t be associated with a real person with a real need for access.

The usual concern here is for corporate assets: the “ex” employee can still be logging in and looking at data after he’s gone to work for your competitor. We have many examples where automation has exposed and eliminated this back door.

But what about you and your personal liability? If you leave a company and your ID stays behind, and stays active, are you liable if it’s used for bad purposes? Personally, if I were doing something “prohibited,” I’d much rather be using an ID belonging to a departed employee or contractor.

As a consultant, I deal with this issue a lot. On multiple occasions I have returned to a client months or years after leaving and discovered that my old account IDs and passwords were still valid! So my current policy is to send the company an email (receipt requested) telling them that I am leaving, and formally request that they de-provision the accounts. If I could put the account in a shredder myself, I would. If only there WERE a virtual account shredder I could use!

Typically, I receive what are known as “privileged” accounts. My “heebie jeebie” meter goes way up whenever I get one of these accounts, and it pegs the meter when I leave a gig. Someone else using this account, in essence in my name, can do tremendous damage, and I’d have a very hard time proving it wasn’t me.

So, what do you do to make sure your accounts die when you leave?
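The “automation” that exposes orphans is, at its core, a reconciliation of an application’s account export against the HR roster. The following is an added example of that check, not code from the post or from any product it mentions; the roster, the account export and the employee IDs are constructed for illustration. It flags three kinds of orphan (no owner recorded, owner unknown to HR, owner departed) and separately marks the case the post worries about most: a departed owner’s account that was used after the departure date.

```python
from datetime import date

# Constructed HR roster (illustrative): person id -> (status, end date or None).
# Contractors carry their contract end date; terminated staff their last day.
ROSTER = {
    "e100": ("active", None),
    "e101": ("terminated", date(2008, 3, 15)),
    "c200": ("contractor", date(2008, 5, 31)),
}

# Constructed application account export: (username, owner id, last login).
# owner id None means the application has no owner on record at all.
ACCOUNTS = [
    ("alice",     "e100", date(2008, 6, 27)),
    ("bob",       "e101", date(2008, 4, 2)),    # logged in after termination
    ("consult1",  "c200", date(2008, 5, 20)),   # contract ended, unused since
    ("svc_batch", None,   date(2008, 6, 29)),   # nobody owns this one
    ("jdoe",      "e999", None),                # owner id unknown to HR
]


def find_orphans(accounts, roster, as_of):
    """Return (username, reason, used_after_departure) for each orphan account.

    An account is an orphan when it has no recorded owner, when its owner is
    not in the HR roster, or when its owner has left (terminated, or a
    contractor whose end date is before as_of). used_after_departure is True
    when the last login is later than the owner's end date.
    """
    findings = []
    for user, owner, last_login in accounts:
        if owner is None:
            findings.append((user, "no owner recorded", False))
            continue
        entry = roster.get(owner)
        if entry is None:
            findings.append((user, f"owner {owner} not in HR roster", False))
            continue
        status, end = entry
        departed = status == "terminated" or (end is not None and end < as_of)
        if departed:
            used_after = (last_login is not None and end is not None
                          and last_login > end)
            findings.append((user, f"owner {owner} left on {end}", used_after))
    return findings


def deprovision_list(findings):
    """Usernames to disable, those used after departure first."""
    return [u for u, _r, used in sorted(findings, key=lambda f: not f[2])]


if __name__ == "__main__":
    for user, reason, used_after in find_orphans(ACCOUNTS, ROSTER, date(2008, 6, 30)):
        flag = "  ** used after departure **" if used_after else ""
        print(f"{user:10} {reason}{flag}")
    print("disable:", deprovision_list(find_orphans(ACCOUNTS, ROSTER, date(2008, 6, 30))))
```

On the constructed data, bob is the case the post describes: the owner was terminated in March, yet the account saw a login in April. The contractor account and the ownerless service account are orphans too, even though nobody has misused them yet; they are the IDs an insider would prefer to borrow.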


Subscribe by email enabled

by Craver on June 29, 2008

in SBN

Just a bit of housekeeping on a lazy Sunday… we’ve added the ability to subscribe to LiveBolt blog updates via email. Just use the link in our header, next to the RSS feeds, or click here to subscribe.

And remember… only 2 days left in the IronKey Giveaway!!! </shameless_plug> Just click here for more info on the contest… Thanks to all who have commented thus far!


Free IronKey Giveaway!!!

by Craver on June 26, 2008

in SBN, Uncategorized

Folks,

Just a reminder — we’re giving away a FREE 1GB IronKey Personal USB thumbdrive ($80 value). Really a cool device — check out the geeky specs.

You need to enter before noon, on July 1st. Just make sure to read our “Personal Metadirectory for Passwords” article, and leave a comment there with your response to our questions for a chance to win!

And don’t forget to tell your friends!


New blog theme

by Chris Harrington on June 26, 2008

in SBN

I’ve been working on a new theme for the blog. Please let me know what you think of the new theme!

Thanks!

–Chris


Twitter + Security = Security Twits

by Chris Harrington on June 26, 2008

in SBN

When I first read about Twitter I didn’t see much value in it for me. It wasn’t until I started using it last year that I saw its usefulness. Twitter is an interesting communication tool; I call it a cross between an IM client and a bulletin board. There are a lot of informal groups that use Twitter. One of them is the Security Twits.

Security Twits are people in security-related jobs, companies, etc. that use Twitter. We can thank Jennifer, aka Mediaphyter, for the name and the original blog post on the Twits. It’s actually a pretty impressive list of security folks using it.

If you have not tried Twitter you should. You may just find it useful if not downright addictive.

– Chris


Threat Modeling Article

by trustedconsultant on June 25, 2008

in SBN

I co-authored with Tony Ucedavelez (Managing Director of Versprite) an article on threat modeling. It is published in the June edition of In-secure magazine.

The intent was to give a holistic view of threat modeling as a security activity that can be performed by security practitioners in different roles and specialties. Threat modeling (TM) is not limited to modeling threats in applications, and its use is not limited to architects who need to design secure applications. The output of the TM activity can be used by security testers to perform risk-based tests, and by information security officers for technical risk analysis. This is because, besides modeling threats against the logical, physical and use/misuse case views of the application, TM allows for the identification of vulnerabilities (security flaws) and of the countermeasures that mitigate the risk they pose.

The article also tries to strike a balance between the strategic view of threat modeling and a more tactical one, such as using TM to perform a security assessment of an existing application. We covered the most popular TM methodologies and the TM tools available today. We also tried to give best practices on how to use TM as part of the SDLC to build security into applications, independently of the TM methodology adopted.
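To make concrete how a threat model’s output becomes a tester’s work list, here is an added example; it is not code from the article, and the methodology it assumes (STRIDE-per-element, where each kind of data-flow-diagram element is exposed to a fixed subset of the six STRIDE categories) is one of several the article surveys, chosen here only because it is mechanical enough to script. The web application, its trust zones, the sensitivities and the scoring rule are all constructed for illustration. Threats that cross a trust boundary are rated more likely, threats already covered by a countermeasure in the design are dropped, and what remains is the ranked list of risk-based tests.

```python
# Assumed STRIDE-per-element table: element type -> threat categories that
# apply to it (S=spoofing, T=tampering, R=repudiation, I=information
# disclosure, D=denial of service, E=elevation of privilege).
STRIDE_PER_ELEMENT = {
    "external":  {"S", "R"},
    "process":   {"S", "T", "R", "I", "D", "E"},
    "datastore": {"T", "R", "I", "D"},
    "dataflow":  {"T", "I", "D"},
}
THREAT_NAMES = {
    "S": "spoofing", "T": "tampering", "R": "repudiation",
    "I": "information disclosure", "D": "denial of service",
    "E": "elevation of privilege",
}

# Constructed model of a small web application (hypothetical names).
# Elements: name -> (element type, trust zone, sensitivity 1..3)
ELEMENTS = {
    "browser": ("external",  "internet", 1),
    "webapp":  ("process",   "dmz",      2),
    "userdb":  ("datastore", "internal", 3),
}
# Data flows: (name, source element, destination element, sensitivity 1..3)
FLOWS = [
    ("login request", "browser", "webapp", 3),
    ("user query",    "webapp",  "userdb", 3),
]
# Countermeasures already in the design: target -> categories it mitigates
COUNTERMEASURES = {
    "login request": {"T", "I"},   # TLS on the browser-to-webapp flow
    "webapp":        {"R"},        # audit logging in the web tier
}


def enumerate_threats(elements, flows, countermeasures):
    """Return (score, target, threat) tuples, highest score first.

    A flow that crosses a trust boundary, and any element that receives such
    a flow, is rated more likely to be attacked (likelihood 3 rather than 1).
    Score is sensitivity * likelihood; this rule is illustrative, not a
    published rating scheme. Threats covered by a countermeasure are omitted.
    """
    exposed = set()
    targets = []
    for name, src, dst, sens in flows:
        crosses = elements[src][1] != elements[dst][1]
        if crosses:
            exposed.add(dst)
        targets.append((name, "dataflow", sens, 3 if crosses else 1))
    for name, (etype, _zone, sens) in elements.items():
        targets.append((name, etype, sens, 3 if name in exposed else 1))

    findings = []
    for name, etype, sens, likelihood in targets:
        mitigated = countermeasures.get(name, set())
        for cat in STRIDE_PER_ELEMENT[etype] - mitigated:
            findings.append((sens * likelihood, name, THREAT_NAMES[cat]))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


if __name__ == "__main__":
    for score, target, threat in enumerate_threats(ELEMENTS, FLOWS, COUNTERMEASURES):
        print(f"{score:2}  {target:14} {threat}")
```

Read the output top down and you have the risk-based test plan the article describes: the database and the internal query flow come first because they hold the most sensitive data and sit behind a crossed boundary, while the TLS-protected login flow surfaces only as a denial-of-service target because tampering and disclosure are already mitigated.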


Securing Smart Phone Data

by Carrington on June 25, 2008

in SBN

Indian Government Wants Blackberry Keys

The recent dispute between RIM and India brings smart phone security under the microscope. RIM offers “secure” email and text messaging: secure because it is encrypted, and because it routes through RIM servers. RIM holds the encryption keys. India doesn’t like that, and wanted RIM to make the keys available to the Indian government so that the government could decrypt and read the messages. (Strictly, that description fits the consumer BIS service; in a BES deployment the enterprise’s own server generates the message keys, and RIM has said it holds no copy of them, which is why the BES case below is the easier one.)

To my knowledge this type of encrypted messaging is currently a RIM exclusive. No other cell handset supplier offers this service. And it’s one of the main reasons corporations are comfortable sending their internal mail to BlackBerrys rather than to generic phones.

I assume that in the US, at least, the government doesn’t have RIM’s encryption keys. Further, RIM might decrypt particular traffic in response to a search warrant, but that warrant would be the extent of the activity.

So, if you are in India and you have a BlackBerry and you are concerned about message security, what can you do? (Likewise, if you are in the USA and you are security conscious, or just paranoid, what options do you have?)

Well, your options are good but limited. If you use BES and your organization (or hosting partner) supports it, you are in luck: RIM now offers FREE S/MIME support, which means you can use your own encryption keys, so whoever carries the message (RIM, the carrier, or a government that has been given RIM’s keys) sees only ciphertext. If you only have BIS, S/MIME isn’t an option and a third-party encryption solution is required.
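What “use your own encryption keys” buys you is easiest to see by doing it. The following is an added example, not from the post and not BlackBerry code: it drives the openssl command-line tool from Python to build an S/MIME enveloped message for a recipient whose private key exists only on the recipient’s side, then shows that the blob which would traverse the carrier’s network contains no plaintext. The key pair is self-signed and the address and message are constructed for illustration; a real deployment would issue the certificate from the organization’s CA.

```python
import pathlib
import subprocess
import tempfile

# Constructed sample message (not from the post).
SAMPLE_MESSAGE = b"Q3 forecast attached. Do not forward outside the company.\n"


def openssl(*args, cwd):
    """Run an openssl subcommand in cwd and raise if it fails."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True)


def smime_roundtrip(message: bytes) -> dict:
    """Encrypt message to the recipient's own key and decrypt it again.

    Returns the ciphertext as it would travel over the network, the recovered
    plaintext, and whether the plaintext is visible in transit.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = pathlib.Path(tmp)
        # Recipient side: private key plus a self-signed certificate
        # (hypothetical address). The private key never leaves this side.
        openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
                "-keyout", "key.pem", "-out", "cert.pem",
                "-subj", "/CN=recipient@example.com", "-days", "1", cwd=tmp)
        (work / "msg.txt").write_bytes(message)
        # Sender side: needs only the recipient's certificate. -binary keeps
        # openssl from rewriting line endings, so decrypt returns the exact bytes.
        openssl("smime", "-encrypt", "-binary", "-aes256",
                "-in", "msg.txt", "-out", "msg.p7m", "cert.pem", cwd=tmp)
        ciphertext = (work / "msg.p7m").read_bytes()
        # Recipient side again: decrypt with the private key it alone holds.
        result = openssl("smime", "-decrypt", "-in", "msg.p7m",
                         "-inkey", "key.pem", "-recip", "cert.pem", cwd=tmp)
        return {
            "ciphertext": ciphertext,
            "plaintext": result.stdout,
            "plaintext_visible_in_transit": message.strip() in ciphertext,
        }


if __name__ == "__main__":
    out = smime_roundtrip(SAMPLE_MESSAGE)
    print(out["ciphertext"].decode()[:160], "...")
    print("recovered:", out["plaintext"].decode().strip())
    print("plaintext visible in transit:", out["plaintext_visible_in_transit"])
```

The intermediary’s position is exactly that of a carrier holding the S/MIME envelope: it can see the MIME headers and route the message, but without the recipient’s private key it cannot recover the body. That is the property a provider-held key cannot give you, whatever the provider’s policy on warrants.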

A Texas company (and LiveBolt partner), Media Sourcery, specializes in secure distribution and collection of confidential information. They offer a secure smart phone application (Mobile Data Messenger) that currently works with XML form data. The application allows you to send or receive encrypted traffic entered into a form (the form can look just like an email message, with to, from and body fields) to another Data Messenger user (or system) for retrieval (or processing).

I spoke with Media Sourcery, and they said their upcoming version offers bi-directional, confidential data exchange, does not require forms, and will work with any file type you care to send. They can already send encrypted photos taken with the BlackBerry camera, and since the newest BlackBerry OS includes viewers for .doc and .ppt files, the capability immediately becomes more useful.

The other good thing about a third-party solution like Media Sourcery’s (which is Java based) is that it will work on other smart phones (think Nokia, which has 40% of the smart phone market). Nokia currently has no secure messaging capability, as far as we know. PGP for mobile devices only supports Windows Mobile and BlackBerry. A good third-party security solution will support your organization’s broad mix of endpoints and secure them all.

Here’s hoping that RIM doesn’t give away the keys to the kingdom. But if they do, we have a few options for securing our mobile email; we just have to do it ourselves.



I've just posted a review of Timothy P. Layton's Information Security Awareness: The Psychology Behind the Technology on Amazon. There is a worthwhile premise within, but the book misses the mark by failing to build on it in any meaningful manner. You won't miss much if you read the "Coles Notes" version of this one.


Personal Metadirectory for Passwords

by Carrington on June 23, 2008

in SBN

Yesterday, I was fed up with my password mess. I had too many passwords, and despite my “method,” I was losing track of them all. I decided to work on upgrading my method. I started out looking for a replacement “password vault.”

Here are my requirements:

  1. is highly secure, using accepted standards (e.g. PKI, DES, etc.)
  2. works on/across multiple platforms (PC, Mac, Linux, BlackBerry)
  3. synchronizes across multiple instances/platforms (as automatically as possible)
  4. easy to access/use (e.g. retrieve and use a credential without too many hoops)

KeePass meets all those criteria, but the interface isn’t great.

I asked some friends and posted to a newslist. Answers came back including:

  • KeePass
  • vim -x
  • Other encrypted text files (ex. Word doc, plus external encryption)
  • Use a regular thumb drive with TrueCrypt
  • Use a secure/encrypted thumb drive, like the Ironkey

This got me thinking along related lines.

Personal Meta-Directories

1. We all have these. Outlook, Notes and Thunderbird all hold our email address books. We have our cell phone address book. We probably have a paper address book for holiday cards. Your spouse, children, boss and peers also have theirs.

2. Why don’t we keep our “passwords” in the address book? Obviously because it’s not secure. “Passwords” should be expanded to include any required credentials (certificates, tokens, keys, etc.). Companies keep our credentials in corporate directories. Why shouldn’t individuals keep theirs in their own personal directory?

3. KeePass is a file store with some directory-like characteristics, but it’s no real metadirectory. The address books I have are not real directories either. And in any case, many metadirectories have poor security.

But wouldn’t it be nice to have a metadirectory with all your access credentials as well as all your contact data? That is essentially all the data necessary to set up and negotiate the various types of communication channels you personally need and use.

What do you use?

We at LiveBolt would like to know what YOU, the reader, use for securing your “bits.”

We’ll select a user at random on July 1st from the comments below and send them a new IronKey Personal, 1GB Secure (not to mention waterproof) USB Flash Drive, by IronKey. (To the winner: we just ask that you write back and let us know what you think of it!)

To enter the contest, just reply with a comment to this post (before noon CDT on 7/1) and include your answers to the following questions:

1) How do you manage your passwords?

2) What software/hardware/methods do you use?

3) What would be your idea of a killer-app for personal “attribute” management?

Comments will be locked at noon CDT on 7/1 so we can pick a winner. Make sure to include your email address in your comment so we can contact you if you’re a winner. Good luck!!!

Edit: 1 entry per email address and/or IP address, duplicate entries will be disqualified.


Earlier Forms of Cryptography (Non-Technical)

by princess of antiquity on June 23, 2008

in SBN

(Notes: Continuing the series of articles on cryptography, here I will discuss two early cryptographic techniques to better prepare readers for succeeding topics, where I plan to cover symmetric key cryptography running up to the Russian one-time pads and the German Enigma, which are the highlights of the Second World War.) Spartan [...]
