Security Watch

RSA Musings

Something old, something new, something quite innovative at this year's security show.

• By Roberta Bragg
• 03/08/2004

I may have looked a bit disheveled Wednesday morning, but Jonathan Schwartz, Executive Vice President, Software Group, Sun Microsystems, looked positively out of it in the afternoon. Oh, I don't mean there was anything wrong with his physical appearance, just with his announcement of new products: I thought for a minute I'd fallen through a space/time warp. His announcements looked a lot like things we've had in Windows for more than four years now. Schwartz first damned Windows authentication processes, then announced centralized authentication on Sun using smart cards. Even worse, he claimed that future Sun products would provide the ability to provide centralized security configuration for thousands of Java desktops. Hello! Hasn't he heard of Windows Public Key Infrastructure and Group Policy?

On a brighter note, I managed to find some true innovation on the show floor. Guidance software, http://www.guidancesoftware.com/, whose EnCase forensic software is the forensics tool to own, has some wonderful security management tools embedded in all that response stuff. Their specialty has been providing tools for investigators when computers, alleged to have been involved in criminal activities, must be dissected. And now you can use EnCase to monitor Snort and Internet Security Systems' Real Secure Alerts. Truly, real-time forensics is here.

As interesting as the use of this new capability may be, I was also pleased to find that EnCase has an Encrypting File System (EFS) module. Its purpose is to help investigators access encrypted files. Presuming the legal issue of accessing an employee's encrypted files is resolved, the EnCase EFS module will attempt to open encrypted files by locating and using the user password and EFS encryption keys. This process doesn't break EFS encryption; if you or I have the user account and password information, and the EFS keys are present and not corrupted, we can do the same thing without EnCase.

But what's really cool is that EnCase may work where the native technology doesn't. For example, if the computer's operating system has been reinstalled, a legitimate user will lose access to their encrypted files, unless they remembered to back up the encryption keys. Even though the encryption keys may remain on the hard drive, and the files are undamaged, the account profile association with a valid account is lost and the files become inaccessible. However, EnCase stands a very good chance of recovering the files.

RSA Security announced tight integration of their SecurID tokens and Active Directory. That's great—but not earth-shattering—news; the use of these tokens and Windows has been available for years. I hate it when announcements make it seem like something it's not. Still, to those of you struggling with AD and RSA IDs, this is good news. To many who wouldn't even take a look at SecurID in the past, now's your opportunity to develop a superb alternative to passwords. Just remember to also look at smart cards and biometrics. May the best alternative lifestyle win.

RSA did have something really innovative out on the show floor—a mock pharmacy from which you could order happiness, wisdom and intelligence pills. The pills, of course, were all from the same jar of jellybeans; no drugs were provided. But the idea was to give you experience with the new Radio-Frequency Identification (RFID) tags. An RFID tag—a tiny microchip capable of transmitting a unique serial number—could soon permeate life's little experiences. When you obtain your prescription drugs, for example, the label on the bottle will contain the tag. This makes it easy for your pharmacy to provide refills.

A potential downside is that any RFID scanner can also read the label. As you walk down the street, anyone with a scanner could get data about your psychological or physical health. I don't know about you, but I don't want that kind of personal information broadcasted. Thus, "blocker" tags can be placed on a bag into which the pill bottle is placed, preventing such intrusions.

But the blocker tags couldn't be used by shoplifters to escape detection as they leave a store with stolen goods. They can only block scanning of deactivated RFID tags, which would be deactivated after making a purchase. While a blocker tag could be made for active tags (those on products not yet purchased), apparently the blocking of a deactivated tag can be distinguished from the blocking of an active tag. The scanner may not know what the thief took, but it knows he took something.

In the biometric field, fingerprint products are getting to be a dime a dozen. The problem now is convincing users this is isn't a dangerous technology, since none of us likes the thought of our personal digital data stored in some database.

One solution may be the BPID Security Device. It provides an answer to the major adoption stumbling block of those databases. This fingerprint reader application (which is about the size of a vehicle remote-entry device) stores the personal information in the reader, so there's no database. You carry your personal info with you, on a keychain. To authenticate, you still expose your fingertips to the device, but instead of matching information with some massive corporate database, you match it with the information recorded to the device earlier. More information can be found at www.privaris.com.

The best security demonstration at the show, however, was the conference wireless network. To use it, you were actually required to obtain a user ID and password, and configure your wireless connection to use Protected EAP (PEAP) and 802.11x. The conference folks staffed a help desk throughout the conference and had easy-to-follow instructions printed up as well. While some attendees didn't have the required capability on their laptops, many others did. This is the way wireless networks at conferences should be run. Granted, there's nothing in the wireless network configuration to protect you from other legitimate attendees, but it does make it impossible for those not attending to use the wireless Internet for Internet access, thus reducing the strain on bandwidth, or to attack wireless clients by connecting to the access points.