Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

My first contribution to YouTube has been made - http://www.youtube.com/watch?v=WgYI-7eSueE. Unfortunately, we missed the first minute or so of my segment. But, hey, we’ll get it next time!

Permalink | Comments (0)
The University of Washington Center for Innovation and Entrepreneurship announced today that "IndEx - Agri Exchange of India" won the $25K grand prize. See http://bschool.washington.edu/cie/bpc/. I was fortunate to have been a judge for the competition this year; there were some great ideas.

And IndEx is certainly one of them … with the potential to benefit several thousand rural Indian farmers by helping to ensure that they get a fair price for their goods.  The basic premise is to match buyers and sellers via SMS over mobile phones!

Permalink | Comments (0)

It came to my attention that this sample code - which shows how to plug in a new symmetric algorithm (e.g. Twofish) via CNG (Crypto API: Next Generation) and CMS (Cryptographic Message Syntax) - has a usage error in the CMS portion.

http://download.microsoft.com/download/f/1/2/f12dbbb5-d164-4e7c-b42d-aaca3efb85dc/CNGSample.EXE

Specifically, the BCryptSetProperty BCRYPT_CHAINING_MODE call is supposed to be made against the provider handle, and not the key handle. Also, the property data input length should correspond to the length of the whole property string (including its terminating null), and not just the size of the pointer. In other words, this code:

    CHECK_DWORD((DWORD) BCryptSetProperty(
        *phCNGContentEncryptKey,
        BCRYPT_CHAINING_MODE,
        (PBYTE) BCRYPT_CHAIN_MODE_CBC,
        sizeof(LPWSTR),
        0));

should actually be this:

    CHECK_DWORD((DWORD) BCryptSetProperty(
        hAlgorithm,
        BCRYPT_CHAINING_MODE,
        (PBYTE) BCRYPT_CHAIN_MODE_CBC,
        sizeof(WCHAR) * (1 + wcslen(BCRYPT_CHAIN_MODE_CBC)),
        0));

Now, to be clear, I haven’t tested the latter. Furthermore, I was told that the former, while technically incorrect, is allowed (at least in the Vista RTM version of CNG).
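To make the length rule concrete, here is an added example (it is not part of the CNG sample and not Microsoft's code) that computes the byte count a wide-string CNG property needs and contrasts it with the sizeof(LPWSTR) value the original sample passed. It assumes the BCRYPT_CHAINING_MODE and BCRYPT_CHAIN_MODE_CBC strings match the wide literals bcrypt.h defines; on Windows it also shows the corrected call made against the algorithm provider handle, and on other platforms it builds without bcrypt.h so the size arithmetic can still be checked.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>
#pragma comment(lib, "bcrypt.lib")
#else
/* Assumption: these mirror the bcrypt.h definitions so the size
 * arithmetic can be exercised on a non-Windows build. */
typedef wchar_t *LPWSTR;
#define BCRYPT_CHAINING_MODE  L"ChainingMode"
#define BCRYPT_CHAIN_MODE_CBC L"ChainingModeCBC"
#endif

/* Byte count CNG expects for a NUL-terminated wide-string property value:
 * every character plus the terminator, each sizeof(wchar_t) bytes wide. */
size_t wide_property_bytes(const wchar_t *value)
{
    return sizeof(wchar_t) * (wcslen(value) + 1);
}

/* The defect in the original sample: sizeof(LPWSTR) is the size of a
 * pointer (4 or 8 bytes), not of the string it points at. Returns how
 * many bytes of the property value that call leaves uncovered. */
size_t bytes_truncated_by_pointer_size(const wchar_t *value)
{
    size_t needed = wide_property_bytes(value);
    size_t passed = sizeof(LPWSTR);
    return needed > passed ? needed - passed : 0;
}

/* Returns 1 when a caller-supplied cbInput covers the whole string. */
int property_length_is_complete(const wchar_t *value, size_t cb_input)
{
    return cb_input >= wide_property_bytes(value);
}

#ifdef _WIN32
/* Corrected usage: the chaining mode is set on the algorithm provider
 * handle (hAlgorithm), with the full string length, before any key is
 * generated from that provider. Returns the NTSTATUS from CNG. */
NTSTATUS set_cbc_on_provider(BCRYPT_ALG_HANDLE hAlgorithm)
{
    return BCryptSetProperty(hAlgorithm,
                             BCRYPT_CHAINING_MODE,
                             (PBYTE)BCRYPT_CHAIN_MODE_CBC,
                             (ULONG)wide_property_bytes(BCRYPT_CHAIN_MODE_CBC),
                             0);
}
#endif

int main(void)
{
    printf("needed: %zu bytes, sizeof(LPWSTR): %zu, left uncovered: %zu\n",
           wide_property_bytes(BCRYPT_CHAIN_MODE_CBC),
           sizeof(LPWSTR),
           bytes_truncated_by_pointer_size(BCRYPT_CHAIN_MODE_CBC));
    return 0;
}
```

Because BCRYPT_CHAIN_MODE_CBC expands to a wide string literal, sizeof(BCRYPT_CHAIN_MODE_CBC) yields the same count as the wcslen arithmetic, which is why the Windows SDK examples pass it directly; the helper above only becomes necessary when the mode string is held in a variable rather than written as a literal.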

Permalink | Comments (0)

Cool Visual Studio projects and articles for learning about various security-related developer topics involving Windows Vista. Descriptions for each of these can be found in my previous post - http://jwsecure.com/dan/2007/05/now_available_new_vista_securi.html.

http://download.microsoft.com/download/f/1/2/f12dbbb5-d164-4e7c-b42d-aaca3efb85dc/CNGSample.EXE

http://download.microsoft.com/download/f/1/2/f12dbbb5-d164-4e7c-b42d-aaca3efb85dc/FirewallSample.exe

http://download.microsoft.com/download/f/1/2/f12dbbb5-d164-4e7c-b42d-aaca3efb85dc/IPsecPingSample.EXE

http://download.microsoft.com/download/f/1/2/f12dbbb5-d164-4e7c-b42d-aaca3efb85dc/RDCSample.exe

http://download.microsoft.com/download/f/1/2/f12dbbb5-d164-4e7c-b42d-aaca3efb85dc/WFPSample.EXE

Permalink | Comments (0)

Just got back from CT/ST 2007 (http://www.ctst.com/CTST07/) in San Francisco. I think the coolest demo (certainly from a consumer perspective, anyway) was Sony FeliCa - http://www.sony.net/Products/felica/ctst_2007.html. (Is anyone else vaguely weirded out by that product name?)

The demo showed a payment system based on Sony’s embedded RFID chip. None of it is new technology, but it was executed with style. Here were the scenarios, each of which was demo’d with live hardware:

* Walk past an ad-enabled poster with a FeliCa-enabled cell phone. A coupon for the product gets sent to your phone (via RFID). Now, when you go to the POS terminal at the store, not only can you scan your phone to make the payment, but you also redeem the coupon.

* Buy groceries via any of a variety of available payment systems (the rep I was speaking with said that some POS terminals in Japan now support as many as three competing RFID-based payment systems; he also said that self-service checkout is rare in Japan). When you pay for the groceries, a parking payment voucher is uploaded into the device (card, phone, or FOB).

* Use the same device, cell phone in this case, to enter the subway. The demo included an RFID-enabled turnstile.

* Finally, buy a USB RFID reader and plug it into your PlayStation 3 (first time I’d actually seen that console in person - pretty slick)! Now you can trade money/credits from your cellphone into PS cash to download new games, etc.

Permalink | Comments (0)

Had great fun at ToorCon Seattle (http://seattle.toorcon.org/) last weekend! I was not disappointed - all of the talks I saw were cool and delivered by people who were clearly experts.

My slide deck and demo notes have been posted here - http://seattle.toorcon.org/talks/dangriffin/. Unfortunately, I couldn’t do live demos since my StinkPad wouldn’t work with their projector at the last minute. Still, I narcissistically videotaped my delivery, and will hopefully soon have an upload ready for YouTube …


Permalink | Comments (0)

Five new sample code projects, created by JW Secure, have recently been posted by the Microsoft Developer Marketing team. The purpose of the samples is to show off some of the hot new security-related technologies in Vista, and to give external developers a head start in adapting working code for their own purposes. A summary of what’s available:

1.  Crypto API: Next Generation (CNG) sample code, demonstrating how to plug in a new symmetric cipher (Twofish, in this case) at the CNG and CMS application layers. An example of a CMS-based application that could leverage this capability is Outlook - in case you want to encrypt email with your own crypto algorithm! A full walk-through article accompanies the code. Link - http://blogs.msdn.com/onoj/archive/2007/05/10/windows-vista-security-series-adding-a-cipher-algorithm-to-windows-vista.aspx.

2.  Windows Firewall sample code, demonstrating the proper way to programmatically configure the firewall, for example for a custom socket-based server app. A full walk-through article accompanies the code, discussing how to make custom firewall rules as tight (i.e. secure) as possible, and how to test them. Link - http://blogs.msdn.com/onoj/archive/2007/05/09/windows-vista-security-series-programming-the-windows-vista-firewall.aspx.

3.  IPsec sample code, demonstrating the Winsock secure socket extensions. In fact, this project doubles as a useful IPsec debugging tool ("IPsecPing"), allowing policy and key negotiation to be tested (with detailed display of the results) between peers. This tool was co-developed with V6 Security, Inc. (http://www.v6security.com/). Link - http://blogs.msdn.com/onoj/archive/2007/05/10/windows-vista-security-sample-ipsecping.aspx.

4.  Windows Filtering Platform sample code, demonstrating the proper way to configure a kernel mode filter/callout, with optional context supplied from user mode. Link - http://blogs.msdn.com/onoj/archive/2007/05/09/windows-filtering-platform-sample.aspx.

5.  Remote Differential Compression sample code. This project wraps the built-in RDC COM API with a web service (and includes a test client). Not security-related, per se, but RDC is a neat technology and this is a cool demo! Link - http://blogs.msdn.com/onoj/archive/2007/05/10/windows-vista-sample-remote-differential-compression.aspx.

Note - everything you need to build and run these samples is free (including the latest Windows SDK, and the Visual Studio Express SKUs for C++ and C#) … (okay, Vista itself isn’t free, but you can just buy a new computer!)

Anyway, we had a lot of help in preparing this content, both from the Dev Marketing team and from various experts in the product groups. Looking forward to your feedback …

Permalink | Comments (0)

I’ve recently had the need to do some experimenting with a TPM (http://en.wikipedia.org/wiki/Trusted_Platform_Module). I’ve got a ThinkPad T60, and was fairly confident heading into this process that it included the necessary hardware, but I wasn’t able to get the chip to be detected (the last paragraph below describes the problem I was seeing). Anyway, for posterity, here’s how I got it working:

1. Install the latest BIOS from Lenovo. Be careful - during my search, I found some live links to old versions of the BIOS, and the actual revision of the BIOS payload contained therein is not clearly spelled out. Best to start from the initial support page and search for the latest updates for your model. For the record, I’m now using BIOS version 2.12. This link got me started down this path - http://msmvps.com/blogs/mika/Default.aspx.

2. Enable the TPM in the BIOS. To get there, press the blue ThinkVantage button during boot, select the BIOS option, and then navigate to the Security subsection. TPM support is turned off by default.

3. At this point, Vista may still not recognize the TPM device. In my case, it didn’t. This link - http://www.infosecnews.org/hypermail/0611/12425.html - clued me into the problem: the driver isn’t getting installed. The solution: run devmgmt.msc and right-click on one of the "Other devices" listed in the tree without driver support installed. In my case, that was the one not-installed device that wasn’t the Biometric Coprocessor, since the latter refers to the built-in fingerprint reader. Select update driver, and have it search automatically via the web. After driver install, the "Trusted Platform Module 1.2", device type Security Devices, is listed.

4. Then run tpm.msc from Start | Run. If the above worked, you’ll be able to click on the Initialize TPM option in the right pane. If the above didn’t work, you’ll see something to the effect of "No TPM 1.2 compatible device can be found" and you’re back to square one. Hopefully that won’t happen …


Permalink | Comments (3)

A number of news sources (including a page one article in Wall Street Journal on Friday, 4 May) have reported on a security breach at TJX, parent company of the TJ Maxx department store chain, resulting in the compromise of more than 45 million credit card numbers. In terms of credit data theft, that’s a new record!

http://www.theregister.co.uk/2007/03/29/tjx_credit-card_debacle/

http://www.msnbc.msn.com/id/17853440/

One humorous aspect of the WSJ article (free online link not available) accompanies an assertion that the attackers may have initially penetrated TJX security via the poorly-secured (at best) WiFi network deployed at various store locations. The wireless network was used to connect employee hand-held computers, which at times would transmit passwords that could be used to access the corporate network. Anyway, the Journal included an image of a sizeable high-gain, directional wireless antenna (sort of like this one - http://www.cantenna.com/), with a caption to the effect of "this may or may not have been what the attackers used," as though what they really wanted to say was, "look at this scary bazooka that the mean hackers were pointing at the innocent merchant."

Not that the hackers are innocent. They should go to jail. But what really irks me is that the merchant has no official liability in these cases. Apparently, legally, the cost of credit card data theft is shared by the card company (Visa/MasterCard), the issuing bank, and the consumer (up to $50 or whatever). Of course, TJX is going to get sued, but the laws protecting financial data against negligence can and should be more clear on this.

Why on earth does TJX need to store 45 million credit card numbers anyway? I don’t understand what sort of retail data mining or down-stream usage requires preserving the actual card number once the transaction is complete. One exception - the Amazon.com one-click shopping thing. But if a seller is going to elect to offer that kind of feature, they should be held fully liable when their big card database gets compromised. And TJ Maxx doesn’t even seem to have an ecommerce presence …


Permalink | Comments (0)