Tom Olzak

Archive for June, 2015

Underwriters Lab (UL) ahead for security solutions

In Uncategorized on June 30, 2015 at 15:33

Peiter Zatko has left Google to respond to a request by the White House that he develop a cyber UL, a concept described in a paper published in 1999 by Tan from the L0pht.  The paper reads in part:

“Just as in the late 1800’s, the consumers have little understanding of the inventions they are purchasing. They are presented with claims by the product’s marketers and have no way of proving those claims to be true or false. Just as it was back then, this has not stopped the large-scale application of these inventions, regardless of public safety. In the late 1900’s, nobody has stepped up to the plate to expand the UL’s role into computer security products or to take that role as their own. To some extent, groups like Nomad Mobile Research Center and L0pht Heavy Industries have acted as modern day Merrill’s, publishing non-biased findings to this effect.

Product certification needs to be performed on every version of a product. Small changes that could ripple through traditional technologies causing safety problems are at least tenfold when applied to computer software. Many similarities may be drawn between the certification of computer security products and the listing of alarm systems and components that UL performs today.”

I think this is a great idea.  I also think they have made a start getting the right people to work on the project.  Let’s hope major security solutions vendors sign up.  If this is just something pushed by the government, it’s likely to die, no matter how potentially effective it might be.

Cisco and OpenDNS: Nothing changes for current users

In Uncategorized on June 30, 2015 at 14:40

As a user of OpenDNS for several years, I’ve been very satisfied with the protection provided to my systems.  Cisco obviously sees the value of OpenDNS, since they have decided to acquire the company.  Fortunately, OpenDNS announced their free personal service will continue.  Further, existing paying customers will see no change for the period of existing agreements.

Laptop encryption under attack

In Uncategorized on June 29, 2015 at 16:05

In a recent post, Bruce Schneier quotes a paper and a Wired article in which researchers claim to be able to capture decryption keys.  The capture uses a device, buildable for about $300, that can extract keys from electromagnetic radiation emanating from a laptop.  The device, however, must be within 50 cm (19.68 inches) of the target machine.  So using the device means gaining access to the targeted office or stealing the laptop.

According to the paper’s authors,

“Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power. The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.”

We’ve been relying for years on encryption to protect our laptops, and it’s still a good idea.  The researchers write that this attack doesn’t necessarily work across all computers or on algorithms other than the GnuPG solution tested.  Further research is required.

Manage Stale Accounts

In Uncategorized on June 28, 2015 at 12:23

It’s always a good idea to scan Active Directory accounts for unused or anomalous user accounts.  The SANS Internet Storm Center provides one way with PowerShell.  Stale account management is an important part of any security program.
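
One way to run such a scan, shown as an added example (this is not the SANS Internet Storm Center script and not code from the original post). The function name `Get-StaleAccountReport`, the 90-day threshold, the reason labels and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Threshold, reason labels and sample accounts are assumptions.
function Get-StaleAccountReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Account,
        [int] $StaleDays = 90,
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$StaleDays) }
    process {
        foreach ($a in $Account) {
            if (-not $a.Enabled) { continue }      # report enabled accounts only
            $reasons = @()
            if ($null -eq $a.LastLogonDate) {
                # Never used: flag only once the account itself is older than the cutoff
                if ($a.whenCreated -lt $cutoff) { $reasons += 'NeverLoggedOn' }
            } elseif ($a.LastLogonDate -lt $cutoff) {
                $reasons += 'InactiveLogon'
            }
            if ($a.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    SamAccountName = $a.SamAccountName
                    LastLogonDate  = $a.LastLogonDate
                    Reasons        = $reasons -join ','
                }
            }
        }
    }
}

# Constructed sample accounts, shaped like Get-ADUser output, so the logic runs offline.
$now = Get-Date '2015-06-28'
$sample = @(
    [pscustomobject]@{ SamAccountName='jdoe';       Enabled=$true;  LastLogonDate=$now.AddDays(-3);   whenCreated=$now.AddDays(-400); PasswordNeverExpires=$false }
    [pscustomobject]@{ SamAccountName='svc_backup'; Enabled=$true;  LastLogonDate=$now.AddDays(-200); whenCreated=$now.AddDays(-900); PasswordNeverExpires=$true }
    [pscustomobject]@{ SamAccountName='temp01';     Enabled=$true;  LastLogonDate=$null;              whenCreated=$now.AddDays(-150); PasswordNeverExpires=$false }
    [pscustomobject]@{ SamAccountName='newhire';    Enabled=$true;  LastLogonDate=$null;              whenCreated=$now.AddDays(-5);   PasswordNeverExpires=$false }
    [pscustomobject]@{ SamAccountName='old_user';   Enabled=$false; LastLogonDate=$now.AddDays(-500); whenCreated=$now.AddDays(-900); PasswordNeverExpires=$false }
)
$sample | Get-StaleAccountReport -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties LastLogonDate, whenCreated, PasswordNeverExpires |
#     Get-StaleAccountReport
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default is only refreshed when it is more than roughly 9 to 14 days old, so thresholds shorter than about two weeks will produce false positives.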

Another government “Oops!”

In Uncategorized on June 28, 2015 at 09:08

The OPM breach is just one more instance of a government bureaucrat standing in the way of risk mitigation.  Congress is getting this one right by asking for the resignations of those responsible.  However, it isn’t enough.  This is a systemic issue.  This article is short but says it all…