Thursday, December 20, 2007

DHS: CFATS - have you accounted for your chemicals?

Many higher education institutions will be preparing their lists of "chemicals of interest" for the Department of Homeland Security early next year. The rule stipulates that listings be delivered 60 days after the release of the final rule meaning lists will have to be provided by January 19th unless you request and receive a 60 day extension. Chemicals range from chlorine to aluminum chloride to propane, meaning that many departments on campus will likely have to report their totals.

If you haven't thought about what the chemicals on your campus could be used for, take a look. Each chemical lists what it would be potentially useful for, providing a convenient overview of what risks your campus might face.

The Chemical Facility Anti-Terrorism Standards require a variety of things, ranging from risk assessments to reporting of chemical amounts on hand . These apply to many higher education institutions, and responsibility for detailing may have fallen to risk management or facilities staff. If you're an information security staffer, you may want to check with the appropriate department at your school to see how that data is being stored and secured.

Where did all of this come from? It is part of the Department of Homeland Security Appropriations Act of 2007, which President Bush signed in October, 2006. Section 550 of the Act gave DHS the authority to enact the rules above. The Act defines the covered entities as "chemical facilities that, in the discretion of the Secretary, present high levels of security risk." More details can be found in the final rule here.

Monday, December 17, 2007

OSXCrypt - TrueCrypt for OS X status update

Frequent readers may recall me posting about a donation funded port of TrueCrypt for OS X. The group just published their first update.

It sounds like they're taking on a bit more than a simple TrueCrypt port, as the post notes that:

...we realized that this project will not be a simple port of truecrypt to Mac OS X, but this will provide a multiple enciphered disks support encryption platform for the Apple operating system.
Right now the project has a simple XOR'ing kernel module, but progress is being made. I continue to hope that TrueCrypt support of OS X becomes a practical endeavor through this project.

Monday, December 10, 2007

Soft-R's CD Cryptex

Soft-R, maker of "Self Recordable Media Technology" is looking for OEM and industry customers for it's latest ware - the CD Cryptex. The CD Cryptex is a CD-R that aims to bridge the gap between users' knowledge of encryption software and the need for data on CD-R's to be encrypted. Soft-R claims that the device, loaded with it's own burning and encryption engine can be used without mastering complicated encryption software. Perfect since they are only supported on Windows 2000 and greater platforms.

On the technical side, AES256 in CBC mode is used to encrypt a container that houses all of the data files/folders sent to the disk via the on board burning engine. Keys are managed via pass phrases (limit 64 bytes) using SHA-256 hashes - which after the fact are needed to access, edit or view the files. Interestingly, Soft-R has included a virtual keyboard that one assumes is for use on machines that cannot be trusted. To aid in lingering copies of data, all temp files are wiped after the disk is burned. They even include a "secured photo viewer."

I can't wait to play with one of these to see if they live up to the claims. Would you trust one of these with your data versus PGP encrypted files burned to a CD?

Thursday, December 6, 2007

The Rule of Two

The group I work with has a simple rule that pays off in spades.

Any time a security recommendation is made, we check it against another team member. Thus, any decision follows our rule of two. The second person's job is to play the devil's advocate and to check for assumptions, mistakes, and to provide a second viewpoint on the recommendation.

Often we take into account the other team members' history and other specialties to best choose the person to look at our recommendation. That allows us to make sure we're not missing out on crucial tidbits of institutional knowledge or expertise.

The rule of two also gives us better depth - while a documented recommendation is made and archived, having two people who know about it on staff means that more people will actually remember the recommendation and know what it was and why it was made. With the shades of grey approach that security often has to take to make business work, that knowledge can be critical.

MacOS Password Safe

I recently wrote about a community effort to fund a MacOS port of TrueCrypt. I was delighted to find out that another favorite program has been ported to MacOS - Password Safe is available for MacOS at:

Keepass is also available for MacOS/Linux in X, and is an excellent alternative.

Tuesday, December 4, 2007

Solving the wrong problem...

For those of you who are not familiar with Gene Spafford from Purdue's CERIAS (the Center for Education and Research in Information Assurance and Security) or his blog, I would encourage you to check them both out. I've had the great pleasure of working with Spaf and one of his latest posts is absolutely on target, albeit from an altruistic standpoint.

In "Solving Some of the Wrong Problems" Spaf points out that most of our efforts in information security are pointed only at treating the symptoms created by the very nature of the unsecure products we or our companies use. Simply put, we know how to create more secure software, databases, networks and systems in general - however our vendors or we don't do it.

"We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.

Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised..."

"I’m not trying to claim there aren’t worthwhile topics for open research — there are. I’m simply disheartened that we are not using so much of what we already know how to do, and continue to strive for patches and add-ons to make up for it...

Let’s start using what we know instead of continuing to patch the broken, unsecure, and dangerous infrastructure that we currently have. Will it be easy? No, but neither is quitting smoking! But the results are ultimately going to provide us some real benefit, if we can exert the requisite willpower."

It's a great read and don't blame me if you get sucked into reading for quite a while with some of his other posts. Speaking of which - check out his view on passwords. These both put my day of HIPAA policy review in perspective!

Monday, December 3, 2007

Wireless insecurity: keyboards

The folks at Hack A Day link to dreamlab's analysis of Microsoft Wireless 1000 and 2000 keyboards. There's a nice whitepaper in PDF form for further information. We've seen issues with wireless keyboards typing on other systems before, but this is one of the first public exposures of an "encrypted" keyboard link.

Disclosure of the type of encryption used for wireless devices is going to be a must, and lightweight encryption for devices will become ever more important. The same rules that you use for wireless network security end up applying to your wireless devices.