From the monthly archives:

June 2008

Unintended Liability. Are You at Risk?

by Carrington on June 30, 2008

in SBN

Two recent Blog posts (by Kearns and JBohren) refer to a damning number – the high percentage of orphan accounts that exist in most applications and most large organizations. An “orphan” is an account that belongs to some person who’s left the organization (or never existed in the first place). It can’t be associated with a real person with a real need for access.

The usual concern here is for corporate assets: The “ex” employee can still be logging in and looking at data after he’s gone to work for your competitor.  We have many examples where automation has exposed and eliminated this back-door.

But what about you and your personal liability? If you leave a company, and your ID stays behind, and stays active, are you liable if it’s used for bad purposes? Personally, if I were doing something “prohibited” I’d much rather be using an ID belonging to a departed employee or contractor.

As a consultant, I deal with this issue a lot. On multiple occasions, I have returned to a client months or years after leaving, and discovered that my old account IDs and passwords were still valid!  So, my current policy is to send the company an email (receipt requested) telling them that I am leaving, and formally request that they de-provision the accounts. If I could put the account in a shredder myself, I would. If only there WERE a virtual account shredder I could use!

Typically, I receive what are known as “privileged” accounts.  My “heebie jeebie” meter goes way up, whenever I get one of these accounts, and it pegs the meter when I leave a gig.  Someone else, using this account, in essence in my name, can do tremendous damage, and I’d have a very hard time proving it wasn’t me.

So, what do you do to make sure your accounts die when you leave?
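The "automation" that exposes orphans is, at its core, a reconciliation: every enabled account in an application has to map to a person the HR system still considers active, and anything that does not map is an orphan. The script below is an added example (not the post's or LiveBolt's code) of that check run over a constructed account export and a constructed HR roster; the field names, the privilege flag and the "login after departure" heuristic are assumptions for illustration. It ranks findings the way the post's own risk reasoning would: privileged orphans first, then orphans that have been used after their owner left.

```python
"""Orphan-account reconciliation: application accounts vs. the HR roster.

Added example with constructed data; field names and the privilege flag
are assumptions, not a real product's export format.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: who is (still) entitled to hold an account.
HR_ROSTER = {
    "jsmith":    {"status": "active",         "end_date": None},
    "mjones":    {"status": "terminated",     "end_date": date(2008, 3, 14)},
    "consult01": {"status": "contract_ended", "end_date": date(2007, 11, 30)},
}

# Constructed application account export.
APP_ACCOUNTS = [
    {"user": "jsmith",    "enabled": True,  "privileged": False, "last_login": date(2008, 6, 29)},
    {"user": "mjones",    "enabled": True,  "privileged": False, "last_login": date(2008, 5, 2)},
    {"user": "consult01", "enabled": True,  "privileged": True,  "last_login": date(2008, 6, 1)},
    {"user": "svc_batch", "enabled": True,  "privileged": True,  "last_login": None},
    {"user": "olduser",   "enabled": False, "privileged": False, "last_login": date(2006, 1, 1)},
]


@dataclass
class Finding:
    user: str
    reason: str
    privileged: bool
    used_after_departure: bool


def find_orphans(accounts, roster):
    """Return enabled accounts with no active owner, most dangerous first."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not a live exposure
        person = roster.get(acct["user"])
        if person is None:
            reason, end = "no matching person in HR roster", None
        elif person["status"] != "active":
            reason, end = f"owner status is {person['status']}", person["end_date"]
        else:
            continue  # account maps to an active person: not an orphan
        # A login after the owner's end date means someone else is using the ID.
        used_after = bool(end and acct["last_login"] and acct["last_login"] > end)
        findings.append(Finding(acct["user"], reason, acct["privileged"], used_after))
    # Privileged orphans first, then orphans with post-departure use, then by name.
    findings.sort(key=lambda f: (not f.privileged, not f.used_after_departure, f.user))
    return findings


def report(findings):
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        flags = []
        if f.privileged:
            flags.append("PRIVILEGED")
        if f.used_after_departure:
            flags.append("LOGIN AFTER DEPARTURE")
        suffix = f" [{', '.join(flags)}]" if flags else ""
        lines.append(f"{f.user}: {f.reason}{suffix}")
    return lines


if __name__ == "__main__":
    for line in report(find_orphans(APP_ACCOUNTS, HR_ROSTER)):
        print(line)
```

In a real deployment the two inputs come from the application's account export and the HR feed; the value of the script is the join, which is exactly what a departing consultant cannot do for themselves and why the email-with-receipt approach above is the fallback.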


Subscribe by email enabled

by Craver on June 29, 2008

in SBN

Just a bit of housekeeping on a lazy Sunday…  we’ve added the ability to subscribe to LiveBolt blog updates via email.  Just use the link in our header, next to the RSS feeds, or click here to subscribe.

And remember… only 2 days left in the IronKey Giveaway!!!  </shameless_plug>  Just click here for more info on the contest…  Thanks to all who have commented thus far!


Free IronKey Giveaway!!!

by Craver on June 26, 2008

in SBN,Uncategorized

Folks,

Just a reminder — we’re giving away a FREE 1GB IronKey Personal USB thumbdrive ($80 value). Really a cool device — check out the geeky specs.

You need to enter before noon, on July 1st. Just make sure to read our “Personal Metadirectory for Passwords” article, and leave a comment there with your response to our questions for a chance to win!

And don’t forget to tell your friends!


New blog theme

by Chris Harrington on June 26, 2008

in SBN

I’ve been working on a new theme for the blog. Please let me know what you think of the new theme!

Thanks!

–Chris


Twitter + Security = Security Twits

by Chris Harrington on June 26, 2008

in SBN

When I first read about Twitter I didn’t see much value in it for me. It wasn’t until I started using it last year that I saw the usefulness for me. Twitter is an interesting communication tool. I call it a cross between an IM client and a Bulletin Board. There are a lot of informal groups that use Twitter. One of them is the Security Twits.

Security Twits are people in security related jobs, companies, etc that use Twitter. We can thank Jennifer, aka Mediaphyter, for the name and the original blog post on the Twits. It’s actually a pretty impressive list of security folks using it.

If you have not tried Twitter you should. You may just find it useful if not downright addictive.

– Chris


Threat Modeling Article

by trustedconsultant on June 25, 2008

in SBN

I co-authored with Tony Ucedavelez (Managing Director for Versprite) an article on threat modeling. It is published in the June edition of In-secure magazine.

The intent was to give a holistic view of threat modeling as a security activity that can be performed by security practitioners in different roles and specialities. Threat modeling (TM) is not limited to modeling threats in applications, and its usage is not limited to architects who need to design secure applications. The result of the TM activity can be used by security testers to perform risk-based tests, as well as by information security officers for technical risk analysis. This is because, besides modeling threats with the logical, physical and use/misuse case views of the application, TM allows for the identification of vulnerabilities (security flaws) and of the countermeasures that mitigate the risk posed by those vulnerabilities. The article also tries to strike a balance between the strategic view of threat modeling and a more tactical one, such as a way to perform a security assessment on existing applications. We covered the most popular TM methodologies and TM tools available today. We also tried to give best practices on how to use TM as part of the SDLC to build security into applications, independently of the TM methodology being adopted.


Securing Smart Phone Data

by Carrington on June 25, 2008

in SBN

Indian Government Wants Blackberry Keys

The recent issues between RIM and India bring Smart Phone security under the microscope. RIM offers “secure” email and text messaging. It’s secure because it is encrypted, and because it routes through RIM servers. RIM holds the encryption keys. India doesn’t like that, and it wanted RIM to make the keys available to the Indian government, so that the government could decrypt and read the messages.

To my knowledge this type of encrypted messaging is currently a RIM exclusive. No other cell handset supplier offers this service. And, it’s one of the main reasons corporations are comfortable sending their internal mail to BlackBerrys, and not to the generic phone.

I assume that in the US, at least, the government doesn’t have RIM’s encryption keys. Further, RIM might decrypt particular traffic in response to a search warrant, but that warrant would be the extent of the activity.

So, if you are in India and you have a BlackBerry and you are concerned about message security, what can you do? (Likewise, if you are in the USA, and you are paranoid security conscious, what options do you have?) Make the jump…

Well, your options are good, but limited. If you use BES, and your organization (or hosting partner) supports it, you are in luck. RIM now offers FREE S/MIME support. That means you can use your own encryption keys. If you only have BIS, S/MIME isn’t an option. A third party encryption solution is required.
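The difference between RIM-held keys and S/MIME with your own keys is easy to see in code. The example below is added here (it is not the post's code, nor anything from RIM) and drives the standard `openssl smime` command through `subprocess`: it mints a self-signed certificate as a constructed stand-in for one your organization's CA would issue, encrypts a constructed message to it, checks that the ciphertext carries no trace of the plaintext, and decrypts with the private key that only the recipient holds. A relay that carries the message, whether a BES, BIS or any mail server, never sees anything it could hand over.

```python
"""End-to-end S/MIME with keys the endpoints own (added example).

Uses the `openssl smime` CLI via subprocess. The certificate is a
self-signed stand-in (constructed) for a CA-issued one; the message is
constructed. Degrades to a no-op when the openssl binary is absent.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

OPENSSL = shutil.which("openssl")
OPENSSL_AVAILABLE = OPENSSL is not None

SAMPLE_MESSAGE = b"Board pack attached - do not forward outside the company.\n"


def _openssl(*args, stdin=b""):
    """Run one openssl subcommand, feed it `stdin`, return its stdout."""
    return subprocess.run([OPENSSL, *args], input=stdin,
                          capture_output=True, check=True).stdout


def make_identity(workdir, name):
    """RSA key plus self-signed certificate for `name`.

    In production the certificate comes from your CA; the private key
    never leaves the recipient, which is what keeps the relay out."""
    key, cert = workdir / f"{name}.key", workdir / f"{name}.crt"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", f"/CN={name}", "-keyout", str(key), "-out", str(cert))
    return key, cert


def smime_encrypt(plaintext, recipient_cert):
    """Encrypt to the recipient's public key (AES-256 content key, RSA-wrapped).
    `-binary` keeps the body byte-for-byte instead of CRLF-canonicalising it."""
    return _openssl("smime", "-encrypt", "-binary", "-aes256", str(recipient_cert),
                    stdin=plaintext)


def smime_decrypt(ciphertext, key, cert):
    """Only the holder of the matching private key can perform this step."""
    return _openssl("smime", "-decrypt", "-inkey", str(key), "-recip", str(cert),
                    stdin=ciphertext)


def roundtrip(message=SAMPLE_MESSAGE):
    """Encrypt, look at the wire form as a relay would, then decrypt.

    Returns (decrypted_bytes, relay_can_read_plaintext), or None when the
    openssl CLI is not installed."""
    if not OPENSSL_AVAILABLE:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        key, cert = make_identity(Path(tmp), "recipient")
        on_the_wire = smime_encrypt(message, cert)
        # The relay has no key, so the plaintext must not be visible by inspection.
        relay_can_read = message.strip() in on_the_wire
        return smime_decrypt(on_the_wire, key, cert), relay_can_read


if __name__ == "__main__":
    result = roundtrip()
    if result is None:
        print("openssl CLI not found; nothing to demonstrate")
    else:
        decrypted, leaked = result
        print("relay could read plaintext:", leaked)
        print("recipient decrypted:", decrypted.decode().strip())
```

The property the government-keys story turns on is visible in `roundtrip`: whoever operates the path between sender and recipient can be compelled to hand over what they hold, and with S/MIME what they hold is ciphertext and no key.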

A Texas company (and LiveBolt partner), Media Sourcery, specializes in secure distribution and collection of confidential information. They offer a secure smart phone application (Mobile Data Messenger) that currently works with XML form data. The application will allow you to send or receive encrypted traffic entered into a form (the form can look just like an email message, with to, from and body fields) to another Data Messenger user (or system) for retrieval (or processing).

I spoke with Media Sourcery, and they said their upcoming version offers bi-directional, confidential data exchange, does not require forms, and would work with any file type you care to send. They currently have the ability to send encrypted photos (taken by the BlackBerry camera). The newest BB OS includes viewers for .doc and .ppt files, so the capability becomes immediately more useful.

The other good thing about a third party solution like that of Media Sourcery (which is Java based) is that it will work on other smart phones (think Nokia, which has 40% of the market for smart phones). Nokia currently has no secure messaging capability, as far as we know. PGP for Mobile devices only supports Windows Mobile and Blackberry. A good third party security solution will support your organization’s broad mix of endpoints, and make them all secure.

Here’s to hoping that RIM doesn’t give away the keys to the kingdom. But if they do, we have a few options for securing our mobile email — we just have to do it ourselves.


Spartan SCYTALE. A device used for early transposition cipher.

(Notes: Continuing the series of articles on cryptography, here I will discuss the two early cryptographic techniques to better prepare readers for succeeding topics where I plan to cover symmetric key cryptography that will run up to the Russian One-Time Pads and the German Enigma which are the highlights of the second world war.)

Previous: Introduction to Cryptography (Non-Technical)
Earlier Forms of Cryptography

Cryptography is a science and art that is continuously refined by one civilization after another. Some say it dates back to the Egyptian hieroglyphics, which are intentionally cryptic to give them importance. Others say that it began with the ancient Chinese, whose language has hidden meanings in its words.
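The scytale in the caption above is the simplest transposition cipher: a strip of leather is wound around a rod, the message is written along the rod's length, and the unwound strip carries the letters in scrambled order. The code below is an added example (not from the article) that models exactly that, with the rod's length in letters as the only key, and then shows why such a cipher offers no real secrecy: there are only as many keys as there are plausible rod sizes, so a known word is enough to recover the message. The sample message and the crib word are constructed.

```python
"""Scytale transposition cipher and why it is weak (added example).

Model: `rod` is the number of letters that fit along the rod's length.
The plaintext is written as successive lines along the rod (a grid with
`rod` columns); unwinding the strip reads one position along the rod at
a time across all lines, i.e. the grid is read column by column.
"""


def scytale_encrypt(plaintext, rod, pad="X"):
    """Write along the rod (rows of length `rod`), read the unwound strip."""
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    turns = -(-len(text) // rod)             # ceiling division: lines around the rod
    text = text.ljust(turns * rod, pad)      # last line padded so the grid is full
    return "".join(text[t * rod + c] for c in range(rod) for t in range(turns))


def scytale_decrypt(ciphertext, rod):
    """Re-wrap the strip on a rod of the same size and read along it."""
    turns = len(ciphertext) // rod
    return "".join(ciphertext[c * turns + t] for t in range(turns) for c in range(rod))


def recover_rod_sizes(ciphertext, crib):
    """The key space is tiny: try every rod size that divides the strip
    length and keep those under which a known word (the crib) appears."""
    return [rod for rod in range(2, len(ciphertext))
            if len(ciphertext) % rod == 0 and crib in scytale_decrypt(ciphertext, rod)]


if __name__ == "__main__":
    # Constructed message and crib word.
    wire = scytale_encrypt("help me I am under attack", rod=5)
    print("on the strip:", wire)
    print("recovered   :", scytale_decrypt(wire, rod=5))
    print("rod sizes that reveal ATTACK:", recover_rod_sizes(wire, "ATTACK"))
```

The same structure (write in rows, read in columns) is the columnar transposition that survives into the hand ciphers of the twentieth century; what changed was the key, which grew from a single rod size into a keyword that permutes the columns.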
