Security Watch
RSA Musings
Something old, something new, something quite innovative at this year's security show.
- By Roberta Bragg
- 03/08/2004
I had fun at the recent RSA conference. It was great to catch up with
friends, argue with some, eat lunch with others, be disappointed by some
presentations and intrigued by others, get soaked, lose my cell phone
and break my glasses.
I may have looked a bit disheveled Wednesday morning, but Jonathan Schwartz,
Executive Vice President, Software Group, Sun Microsystems, looked positively
out of it in the afternoon. Oh, I don't mean there was anything wrong
with his physical appearance, just with his announcement of new products:
I thought for a minute I'd fallen through a space/time warp. His announcements
looked a lot like things we've had in Windows for more than four years
now. Schwartz first damned Windows authentication processes, then announced
centralized authentication on Sun using smart cards. Even worse, he claimed
that future Sun products would provide the ability to provide centralized
security configuration for thousands of Java desktops. Hello! Hasn't he
heard of Windows Public Key Infrastructure and Group Policy?
On a brighter note, I managed to find some true innovation on the show
floor. Guidance Software, http://www.guidancesoftware.com/,
whose EnCase forensic software is the forensics tool to own, has
some useful security management tools embedded in all that incident
response capability. Their specialty has been providing tools for investigators
who must dissect computers alleged to have been involved in criminal
activity. Now EnCase can also monitor alerts from Snort and Internet
Security Systems' RealSecure. Truly, real-time forensics is here.
As interesting as the use of this new capability may be, I was also pleased
to find that EnCase has an Encrypting File System (EFS) module. Its purpose
is to help investigators access encrypted files. Presuming the legal issue
of accessing an employee's encrypted files is resolved, the EnCase EFS
module will attempt to open encrypted files by locating and using the
user password and EFS encryption keys. This process doesn't break EFS
encryption; if you or I have the user account and password information,
and the EFS keys are present and not corrupted, we can do the same thing
without EnCase.
But what's really cool is that EnCase may work where the native technology
doesn't. For example, if the computer's operating system has been reinstalled,
a legitimate user loses access to their encrypted files unless they
remembered to back up the encryption keys (on current Windows versions,
cipher /x exports the EFS certificate and private key to a password-protected
.pfx file for exactly this purpose). Even though the key material may remain
on the hard drive in the old profile, and the files are undamaged, no current
account is associated with that profile, so the files become inaccessible.
EnCase, however, stands a very good chance of recovering the files, provided
the old account's password is known.
RSA Security announced tight integration of their SecurID tokens and
Active Directory. That's great, but not earth-shattering, news;
using these tokens with Windows has been possible for years. I hate
it when announcements make something seem like what it's not. Still, for
those of you struggling with AD and SecurID, this is good news. To the many
who wouldn't even take a look at SecurID in the past, now's your opportunity
to develop a superb alternative to passwords. Just remember to also look
at smart cards and biometrics. May the best alternative lifestyle win.
RSA did have something really innovative out on the show floor: a
mock pharmacy from which you could order happiness, wisdom and intelligence
pills. The pills, of course, were all from the same jar of jellybeans;
no drugs were provided. But the idea was to give you experience with the
new Radio-Frequency Identification (RFID) tags. An RFID tag, a tiny
microchip that transmits a unique serial number whenever a reader powers
and queries it, could soon permeate life's little experiences. When you
pick up your prescription drugs, for example, the label on the bottle
will carry the tag. This makes it easy for your pharmacy to process refills.
A potential downside is that any RFID reader within range can read the
label, not just the pharmacy's. As you walk down the street, anyone with
a reader could learn something about your psychological or physical health.
I don't know about you, but I don't want that kind of personal information
broadcast. Hence "blocker" tags: placed on a bag into which the pill bottle
goes, they prevent such snooping.
But blocker tags couldn't be used by shoplifters to escape detection
as they leave a store with stolen goods. A privacy blocker only interferes
with scanning of deactivated RFID tags, and a tag is deactivated (moved into
the protected part of the ID space) only after a purchase. A blocker could
be built to cover active tags too (those on products not yet purchased),
but apparently a reader can distinguish blocking of the deactivated tags
from blocking of the active ones. The scanner may not know what the
thief took, but it knows he took something.
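The mechanism behind that last point is easier to see in code than in prose. The following is an added example, not code from the column, from RSA or from the blocker tag's designers; it is a toy model of tree-walking singulation (the reader asks "who has an ID starting with this prefix?" one bit at a time) and of the privacy-zone blocker design published by Juels, Rivest and Szydlo in 2003, in which a blocker answers every query in its zone with both bits so the reader can never single out a tag. The 6-bit ID space, the convention that the leading bit marks the purchased zone, and the tag IDs are all constructed for illustration.

```python
"""Toy model of RFID tree-walking singulation with a blocker tag.

Constructed example: a 6-bit ID space stands in for 96-bit EPC codes so the
reader's walk stays readable. The leading bit of an ID selects the zone:
'0' = on the shelf / unpaid, '1' = the privacy zone a tag is moved into at
checkout. Real blocker tags use a zone convention like this; the exact bit
layout here is an assumption for the example.
"""
ID_BITS = 6
ZONE_SIZE = 2 ** (ID_BITS - 1)        # number of IDs one zone can hold


class Tag:
    """An ordinary tag: answers a reader's prefix query with its next ID bit."""

    def __init__(self, epc):
        assert len(epc) == ID_BITS and set(epc) <= {"0", "1"}
        self.epc = epc

    def respond(self, prefix):
        if len(prefix) < ID_BITS and self.epc.startswith(prefix):
            return {self.epc[len(prefix)]}
        return set()


class BlockerTag:
    """Blocker: for every prefix inside its zone it answers BOTH '0' and '1',
    so the reader hears a collision at every node and cannot single out any
    tag there. zone='1' is the consumer privacy blocker; zone='' is a
    universal blocker that jams the whole ID tree."""

    def __init__(self, zone):
        self.zone = zone

    def respond(self, prefix):
        if len(prefix) >= ID_BITS:
            return set()
        if prefix.startswith(self.zone):        # reader is inside the zone
            return {"0", "1"}
        if self.zone.startswith(prefix):        # reader is above the zone: steer it in
            return {self.zone[len(prefix)]}
        return set()


def mark_purchased(tag):
    """Checkout moves the tag into the privacy zone by setting its leading bit."""
    tag.epc = "1" + tag.epc[1:]


def tree_walk(devices, prefix=""):
    """Reader side of tree-walking singulation: depth-first over the ID tree,
    following every bit that at least one device answered with. Returns the
    complete IDs the air interface appeared to contain (phantoms included)."""
    if len(prefix) == ID_BITS:
        return [prefix]
    heard = set()
    for device in devices:
        heard |= device.respond(prefix)
    ids = []
    for bit in sorted(heard):
        ids.extend(tree_walk(devices, prefix + bit))
    return ids


def exit_gate(devices):
    """Store exit reader. A zone whose walk returns every possible ID is being
    blocked; a blocked privacy zone is expected, a blocked unpaid zone is not."""
    unpaid = tree_walk(devices, "0")
    paid = tree_walk(devices, "1")
    unpaid_blocked = len(unpaid) == ZONE_SIZE
    paid_blocked = len(paid) == ZONE_SIZE
    return {
        "unpaid_ids": [] if unpaid_blocked else unpaid,
        "paid_ids": [] if paid_blocked else paid,
        "unpaid_zone_blocked": unpaid_blocked,
        "paid_zone_blocked": paid_blocked,
        # alarm: something unpaid is readable, or someone is hiding the unpaid zone
        "alarm": unpaid_blocked or bool(unpaid),
    }


def scenario(shoplift, blocker_zone):
    """Constructed shopper: a paid-for pill bottle, optionally an unpaid item,
    optionally a blocker tag in the bag (blocker_zone None = no blocker)."""
    pills = Tag("010110")      # constructed ID, paid for at the register
    lotion = Tag("001001")     # constructed ID, never paid for
    mark_purchased(pills)
    carried = [pills] + ([lotion] if shoplift else [])
    if blocker_zone is not None:
        carried.append(BlockerTag(blocker_zone))
    return exit_gate(carried)


if __name__ == "__main__":
    for label, args in [("no blocker, honest", (False, None)),
                        ("privacy blocker, honest", (False, "1")),
                        ("privacy blocker, shoplifting", (True, "1")),
                        ("universal blocker, shoplifting", (True, ""))]:
        print(f"{label:32s} -> {scenario(*args)}")
```

Without a blocker, the paid-for bottle's ID is readable by anyone on the street; with the privacy blocker, the paid zone looks completely full (every ID answers), which the gate treats as normal, while an unpaid item in the bag is still singled out. A shoplifter who brings a universal blocker hides the unpaid item, but the unpaid zone then looks completely full too, which is the "he took something" signal.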
In the biometric field, fingerprint products are getting to be a dime
a dozen. The problem now is convincing users this isn't a dangerous
technology, since none of us likes the thought of our fingerprint data
stored in some central database.
One solution may be the BPID Security Device. It provides an answer to
the major adoption stumbling block: those databases. This fingerprint
reader (about the size of a vehicle remote-entry fob) stores the enrolled
fingerprint data in the reader itself, so there's no central database.
You carry your personal info with you, on a keychain. To authenticate,
you still present your fingertip to the device, but instead of matching
against some massive corporate database, the device matches against the
data it recorded when you enrolled. More information can be found
at www.privaris.com.
The best security demonstration at the show, however, was the conference
wireless network. To use it, you actually had to obtain a user
ID and password and configure your wireless client for Protected
EAP (PEAP) over 802.1X. The conference staffed a help desk throughout
the event and had easy-to-follow printed instructions as well.
Some attendees' laptops lacked the required supplicant, but many had it.
This is how conference wireless networks should be run. Granted, nothing
in that configuration protects you from other legitimate attendees on the
same network, and PEAP only keeps an impostor access point out if your
client is set to validate the authentication server's certificate; but it
does keep non-attendees off the access points, whether they want free
Internet bandwidth or a path to attack wireless clients.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.