
Agencies showing sudden interest in encrypted comm

Silent Circle, the company that provides end-to-end BYOD encryption, has introduced a Web-based management console to support large deployments of crypto licenses. It was developed largely in response to government demand for a tool to manage enterprisewide licensing, said CEO Mike Janke.

Government was always a primary market for Silent Circle, but the speed of adoption has caught the company by surprise.

“We had no idea that government customers would need a thousand subscriptions,” said Janke, a former Navy SEAL. “We didn’t see any of this coming. We envisioned 10 special ops guys, reporters in Sudan or some individuals around the world.”

Silent Circle’s secure voice, text, mail and video communications have gone in less than a year from being a point-to-point solution to an enterprise tool. There has been strong adoption in the financial industry and with oil companies, but “most of it was from [the Defense Department] and other government agencies,” Janke said.

The company has benefited from current events, particularly recent revelations about the National Security Agency’s surveillance of Internet and telephone communications. Growth, already a strong 100 percent month-over-month, rocketed to 420 percent in the last two-and-a-half weeks. Agencies that were buying 50 subscriptions now are buying hundreds as concerns grow not only about government snooping, but also of government leaking.

Encrypted communication is not new. What Silent Circle has done is make it practical for bring-your-own-device environments by harnessing the computing power of smartphones for crypto key management, cutting the middleman out of the security equation. Keys remain in the hands of the end users rather than on a server, eliminating the need to trust a third party.

Secure peer-to-peer connections with Silent Circle's Android and iOS apps use the Zimmermann Real-time Transport Protocol (ZRTP), a crypto key agreement protocol for voice over IP that uses the Diffie-Hellman key exchange together with the Secure Real-time Transport Protocol (SRTP). Encryption is done with NSA Suite B cryptography, a public, interoperable set of crypto tools that includes the Advanced Encryption Standard, Secure Hash Algorithm 2 and elliptic curve digital signature and key agreement algorithms. The company operates its own network with SIP servers and codecs, but all encryption and security remain on the endpoint devices.
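As an added illustration of the end-to-end model described above (example code, not Silent Circle's software and not the ZRTP handshake itself), the following Go program has two endpoints derive a media key from each other's public values and protect a frame with AES-256-GCM; it assumes P-256 ECDH for the key agreement and a plain SHA-256 of the shared secret as a stand-in KDF. The operator's servers only ever see the two public values, so a third endpoint that saw the same traffic cannot open the frame.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// NewEndpoint generates the ephemeral P-256 key pair for one phone on the call.
// The private half is created on the device and never leaves it.
func NewEndpoint() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// SessionKey derives a 256-bit media key from this phone's private key and the
// peer's public value, which is all the operator's SIP servers ever forward.
// Hashing the shared secret with SHA-256 is a stand-in KDF (an assumption here).
func SessionKey(self *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err // malformed or off-curve point from the peer
	}
	shared, err := self.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// MediaCipher wraps a session key in AES-256-GCM, the Suite B cipher; its Open
// method, used by the receiving phone, rejects a frame under any other key.
func MediaCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects one media frame. The 12-byte nonce must never repeat under the
// same key (a per-packet counter in practice).
func Seal(key, nonce, frame []byte) ([]byte, error) {
	aead, err := MediaCipher(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, frame, nil), nil
}
```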

Just 35 percent of the company’s business is in North America, with the rest of it offshore in countries where security has long been a bigger issue than here. “We look at things in a bit of a bubble here compared to the rest of the world,” Janke said. People in Europe and Asia not only have to worry about NSA snooping, but also about their own intelligence agencies.

Although it is available in time to take advantage of the post-PRISM boom in secure communications, the new console was in the works well before the NSA leaks. “It took five months for our team to create this,” Janke said, primarily because of the security required for the portal. The console is a business management tool only and has nothing to do with encryption. It does not hold or manage keys and does not have access to message content. “It in no way, shape or form touches the technology.”

Despite the unexpected growth, Janke said Silent Circle is holding to its course for releasing new products this year, several of which, requested by government customers, now are in beta. These include encrypted file transfer from desktops, secure video conference calling and encrypted voice mail.

Posted by William Jackson on Jun 28, 2013 at 9:41 AM


Can the cloud provide the best strategy for security?

Security is evolving from a do-it-yourself operation — loading software on a device or attaching a box to a network — to managed, hosted services leveraging the anytime/anywhere scalability of the cloud for large-scale analytics that were not practical before.

No one yet is seriously suggesting getting rid of firewalls and antivirus detection, but it has been painfully obvious for some time that by themselves, they are not adequate protection. Intelligence-based security is being touted as the way to counter more complex attacks against high-value targets, and the emergence of cloud computing now offers a way to gather enough intelligence and analyze big data fast enough to effectively spot malicious activity.

“We do not look for malware, we do not look for exploits,” said Dmitri Alperovitch, CTO of CrowdStrike, which has announced its first cloud-based security offering. “We look at what is being done, rather than how.”

The CrowdStrike Falcon Platform is one of the latest in a growing number of services offering security from the cloud, rather than security for the cloud. Another recent announcement in this field is the integration of global attack data into Risk I/O's cloud-based platform, which uses big data and predictive analytics to help prioritize vulnerability data. Other companies with cloud-based security services include Appthority, Check Point, Fortinet, Okta, Symantec, Veracode and Zscaler.

Moving security out of the box and even out of the enterprise can help to address a new generation of adversaries using layered attacks to methodically find weaknesses, penetrate systems, escalate privileges and then quietly observe and export data. Intelligence is needed not just to detect these attacks, but to respond to them.

In the past, knowing who you were up against wasn’t necessary to security. You spotted the attack, and you blocked it. But, “if you are being targeted by a determined adversary, they are not going to stop because you block them,” Alperovitch said. “They are going to keep it up until they get in. They can spend years at it.”

CrowdStrike’s approach to active defense has a decidedly military and intelligence flavor. It takes a strategic view with an emphasis on knowing your enemy, not just the weapon. Most of the more than 4,000 organizations tracked for its Adversary Intelligence database are nation-sponsored. Its goal is not to stop every malicious attempt.

“You can’t block every attack,” Alperovitch said. “And sometimes blocking is not the best strategy.” If you spot and identify someone engaged in spying or espionage, the best strategy might be to string him along and watch him, “to better understand his tradecraft.”

The goal is to raise the bar for attackers, making their craft more difficult and expensive. This can mitigate one of the great advantages attackers have; it is dramatically cheaper to launch an attack than it is to defend against it, resulting in a very high return on investment for successful attacks. Recognizing sophisticated techniques “doesn’t eliminate all activity, but it dramatically raises the cost of intrusion,” Alperovitch said.

It is too early to say what impact the cloud and big data analytics will have on security, and it’s a pretty safe bet that it won’t solve every problem. But it is an attractive option for concentrating resources where they are most needed.

Posted by William Jackson on Jun 20, 2013 at 6:02 AM


Security best practices at the root of FISMA amendments

A bill updating federal information security requirements has passed unanimously in the House and now awaits action in the Senate, raising the possibility that Congress might actually enact some kind of cybersecurity legislation.

The Federal Information Security Amendments Act of 2013 would require agencies to take a risk-based approach to information security, using automated tools for continuous monitoring of civilian, military and intelligence IT systems. It essentially would bring the Federal Information Security Management Act into line with the best practices agencies already are adopting.

Like the current FISMA, it would require annual reports to Congress, and it would be congressional oversight that ultimately would determine its success in improving federal cybersecurity. The question is: Will Congress continue to grade agency performance based on paperwork compliance, or will it measure actual security?

The bill was introduced by Rep. Darrell Issa (R-Calif.) with five bipartisan cosponsors to “provide a comprehensive framework for ensuring the effectiveness of information security controls,” and “effective governmentwide management and oversight of the related information security risks,” for both civilian and national security systems.

It is technology-agnostic, leaving the selection of the appropriate hardware and software up to each agency based on guidance and standards developed by the National Institute of Standards and Technology. It defines “adequate security” as “security commensurate with the risk and magnitude of the harm resulting from the unauthorized access to or loss, misuse, destruction or modification of information.”

The bill gives a nod to cloud computing by including services in its definition of systems. NIST would develop standards in cooperation with security agencies, including the National Security Agency, “to assure, to the maximum extent feasible, that such standards and guidelines are complementary with standards and guidelines developed for national security systems,” although the Defense Department and CIA will continue to oversee their own systems. Each agency would have a chief information security officer, either the CIO or a senior official reporting directly to the CIO.

None of this is radically different from FISMA as it now stands, and nothing in the current law prohibits the use of these tools and processes. But FISMA has remained mired in paperwork documenting compliance within the letter of the law rather than improving cybersecurity. And much of the fault for that lies with Congress.

In the early days of FISMA there was a lot of basic and remedial work to be done. Agencies had to create accurate inventories of IT systems, determine their condition and OK their operation. Not certify that they were secure, but that the agency understood the risks of operating them and accepted those risks.

These were necessary tasks and important steps toward effective security. But FISMA has struggled to get past this stage because it is easier to measure paperwork compliance than security status. Harried administrators and security teams worked diligently to keep Congress off their backs and devoted what resources were left to improving security.

A focus on establishing priorities and automating processes has improved security in recent years, although agencies still struggle to keep up with the bad guys. Codifying these efforts could help if Congress can find a way to measure results rather than process.

Posted by William Jackson on Jun 14, 2013 at 9:39 AM


Those meters that rate password strength work, until they don't

We know the limitations of passwords: They are difficult to scale, and managing truly secure passwords is a headache for administrators and end users. We also know that although there are alternate technologies for online authentication, passwords probably are here to stay.

“Passwords are not going to disappear overnight, or in the next 10 years or 20 years,” said Lujo Bauer, assistant research professor in Carnegie Mellon University’s Electrical & Computer Engineering Department.

So how to make the best of what we are stuck with? One tool increasingly common on public- and private-sector websites is the strength meter, an alternative to stringent password policies that is intended to nudge users toward better security. As a user creates a password, the meter provides feedback, such as whether the password is “weak,” “good” or “strong.”

But a study of these tools at Carnegie Mellon suggests that you can only push users so far before you hit the point of diminishing returns.

Using the meters resulted in longer, sometimes better, passwords. But, “there seems to be a limit to the stringency that a user will tolerate,” researchers found. “Were meters too stringent, users might just give up.”

Percentage of passwords broken after 5 trillion guesses

  46.7%  Created with no strength meter
  39.4%  Created with baseline strength meter
  39.2%  Created with meter requiring eight letters, numerals and special characters for a top score
  33.7%  Created with meter requiring 16 letters for a top score
  26.3%  Created with meter awarding only half the score of other meters
  27.9%  Created with meter awarding only one-third the score of other meters

Source: “How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation”

The findings are significant not because they are unexpected — they’re not — but because this apparently is the first large-scale study of a technology that is widely used but not well understood.

Bauer and colleagues at Carnegie Mellon conducted the study with 2,931 subjects who created passwords on sites using one of 14 types of meters with different displays and criteria for determining strength. The only requirement was that the password be at least eight characters long. Strength was evaluated using a simulated password-guessing algorithm and the participants returned to the test site two days later to see how well they remembered their passwords.

All of the strength meters resulted in users creating longer, more complex passwords than those created on sites with no meter. But length does not equal strength. Only users at sites using two very stringent meters produced passwords that were significantly more difficult to break.

However, security reached a plateau on the site with the most stringent meter, which gave users very low scores — grading at a rate of one-third of other meters — and required more complexity to get a strong security rating. Apparently the higher requirements frustrated users who gave up trying to please the meter.

Interestingly, the ability to remember a password two days later did not vary significantly according to its strength.

The lesson: Don’t push users too far; take the annoyance factor into account when having users create new passwords.

Bauer, who studies access control systems, had some other practical recommendations for making the most of passwords:

  • Strong passwords do not have to be hard to use. Combinations of words — pass phrases — can provide a high level of security while being easy to remember.
  • Length is a more effective requirement for producing strong passwords than the use of numerals and special characters. Requiring 16 letters tends to produce a stronger password than requiring a combination of eight letters, numbers and other characters.
  • Instruction can have a significant impact on password strength. Explain to users why a strong password is needed and what makes it strong.

Posted by William Jackson on Jun 11, 2013 at 9:39 AM