Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Cool-looking cross-discipline lecture series at the University of Illinois at Champaign:  “Science and Technology in the Pacific Century” (STIP).

The event archive, including some video and audio, is here - http://www.business.uiuc.edu/STIP/eventarchive.html.

Permalink | Comments (0)

I stumbled onto this when it was cited in the Wall Street Journal this past Saturday - http://www.breakingviews.com/.  Seems like a good free/online source for financial news, anyway.

Which reminds me, now that Rupert Murdoch owns the WSJ, didn’t he say he was going to kill the Sat edition?  I hope so, because it stinks.  I had actually meant to buy the Friday ed…

Permalink | Comments (0)

Doing some research lately on the new certificate enrollment client API (that is, the CertEnroll COM interfaces) in Windows Vista. In the process, I found some bugs in the Windows SDK sample code, and I wanted to ensure that others don’t get stumped by these.

The code in question is actually referenced from multiple SDK sample projects. By default, you can find it in the “Samples\Security\X509 Certificate Enrollment\VC\enrollCommon” sub-directory of the v6.0 version of the SDK.

In that directory, see enrollCommon.cpp!findCertByKeyUsage in the “for” loop:


if (!CertGetIntendedKeyUsage(
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
pCert->pCertInfo,
&KeyUsage,
1))
{
break; <= Should be 'continue'
}

Otherwise, that loop, which is intended to search the user MY store for a cert with the indicated key usage, will fail prematurely if you happen to have a cert that doesn’t have a Key Usage property.  Such a cert is indeed valid, and allows all key usages.  In fact, such a cert is technically a trivial match for this function, regardless of what the caller requested!

The findCertByEKU function in the same file has the same bug.

Permalink | Comments (0)

This looks pretty cool! Team together with other local folks with various backgrounds from the Seattle area and create an idea, and fully-incoporated company to run with it, in one weekend.

http://startupweekend.com/seattle-startup-weekend/

Now, in my experience, companies take years to build, not just one weekend. But I think the real purpose is professional networking. And, as the Startup Weekend Founder’s Bill of Rights puts it (be sure to read that document before you sign-up, by the way), an open exchange of ideas.

Permalink | Comments (0)

Cell phone forensics

December 17, 2007

Saw a cool talk recently on cell phone forensics. One interesting takeaway was the claim that GSM phones leave the user access PIN for the SIM card stored in memory. Thus, for example, if a forensic analyst can obtain access to an unlocked, powered-on phone, imaging the device is likely to recover the PIN.

But that means that a bad guy can do the same thing, for example, with a phone stolen out your pocket. Recover the PIN, take the SIM, and now they can make calls as you in via any GSM phone. Of course, once they stole your unlocked phone they get to make calls as you anyway, but obtaining the PIN is an interesting twist.

Microsoft ran into a similar problem with smart card applications on Windows. Namely, if the user is repeatedly performing actions which require privileged access to the smart card, then having to retype the PIN each time is a real bummer. An example would be an organization that requires digitally signed email, and the signature certificate is card-based.

The fix, then, was to create an in-process PIN cache. That is, a copy of the user PIN that can be sent to the card instead of prompting the user to manually type it in again. Nervous yet?

I’ll say up front that there are tons of ways to get that wrong, and many vendors have done just that, so please don’t try to implement your own. I’ll also state that, for one thing, this is definitely a situation in which a tradeoff between security and usability has been made, and for another thing, security-sensitive applications can opt out of the PIN cache behavior.  That is, those apps can force a re-prompt. Finally, in any case, the in-memory PIN is encrypted, although a short-lived plaintext copy must be made when the card is requesting authentication. The goal is to keep the plaintext PIN out of the page file.

The point is that GSM phone vendors might wish to figure out a way to protect the SIM PIN. Perhaps an encrypted channel between the key pad and the SIM card. That would be pretty cool!

Anyway, here are some links from the forensics talk:

Permalink | Comments (1)

If you’re writing plug-ins for Network Access Protection, check out my article here, and a recent blog post from the NAP product group here.

Permalink | Comments (0)

‘Tis the season to upgrade to a new laptop, apparently.  A few friends and family members have been asking me for hardware recommendations, and have also been wondering about the perils of upgrading to Windows Vista.  Based on my own experience, given that they’ll be buying a tested configuration from a top-tier OEM, I don’t think Vista is likely to cause them too much difficulty.  Drivers for some consumer hardware, such as older video cameras, can be a problem.  But aside from that I don’t think the overall learning curve will be an issue.

However, the interesting thing has been when I casually ask whether they’ll also be buying the Office 2007 pre-load.  A couple have said, “Yes, why do you ask?”  Because - that’s where the real learning curve is going to be.  I’ve been using various versions of 2007 for almost a year now, and I can say two things:  one, some changes to the product really frustrated me.  And two, it was worth it!

Two examples - one positive, one slightly negative - both based on Word.  The positive one is regarding the application of outline-numbered headings.  Since I write a lot of technical documents, and I find them easier to read with numbered headings, I use that feature all the time.  But it got moved!  It used to be buried in some menu tree somewhere - actually, I don’t even remember now!  But now, in 2007, it’s a button right there on the main ribbon tool bar.  Very cool!  I guess I’m not the only one who uses that feature ;)

The slightly negative example of the 2007 learning curve concerns the document properties menu.  Sorry to say that the so-called “advanced properties,” such as document title and company name, are totally buried off of a combination of the new “Office button” and a separate toolbar menu that appears subsequently.  That’s no fun.

Still, dedicated MS Office users are going to plow through all of the new intricacies of the product and really like it.

The one hitch - and I think this was really an interesting calculated risk on Microsoft’s part - is office environments in which less computer-savvy staff are going to have to be retrained before 2007 can be widely deployed.  Why retrained?  Well, when you change something in the software or workflow, you have to retrain the office staff - it’s that simple.  And that makes deploying 2007 pretty expensive.  So the question is, over the long run, will 2007 make the day-to-day efforts of that staff easier?

One positive indication is the new ribbon toolbar.  Although I’m sure it looks unfamiliar and intimidating the first time around, I think it will indeed prove to be easier to use and hence will save time over the long run.

Permalink | Comments (0)

Virtualization is the future.  And the near future belongs to the kind of virtualization where you take a machine image as-is, and instead of running it directly on the bare metal, you run it within a VM host.  In other words, you don’t change the configuration of the hosted operating system (OS), or of the applications it’s running, at all.

Contrast that arrangement with two other approaches.

The first alternative is this:  some folks ask why the industry doesn’t instead push for scalability by running multiple instances of an application within a single instance of the OS.  That arrangement is ‘virtual’ in that each instance of the app should believe that it’s the only thing running.  Such apps are designed with the fundamental assumption that every resource (disk, RAM, CPU) is virtual.

That model is a great one to shoot for in the long term.  But in the short run, the problem is that so few of the critical line-of-business applications are designed that way.  Many such apps are designed with the fundamental assumption that there can only be a single instance.

The second alternative is based on the following question:  if we’re going to run all of these instances of some OS on a single piece of hardware, why not just collapse them into a single instance which runs all of the applications?  The answer is that, in the IT world, each server ideally has a single role.  The mantra has been:  get this machine to do one thing correctly, and then don’t mess with it again.  Note here that virtualization isn’t typically an end unto itself, but rather a means to greater efficiency, greater resource utilization.

Thus, the quickest way to achieve higher resource (power consumption, primarily) utilization is to take multiple existing server instances and run them, unchanged, on a single piece of more powerful and efficient hardware.

Anyway, check out this linkIn summary, SAP now fully supports its applications on 64-bit Windows, running on VMware infrastructure. 

Permalink | Comments (0)
The report is actually already a year old, but they had some thoughtful things to say, and it’s interesting in that it’s targeted primarily at technology companies and ISVs.  Link is at the bottom.  Some security-related comments on various sections of the report:

“Reinventing the user interface” – the report doesn’t say this specifically, but user-interface complexity in security-related software remains an unsolved problem.  For example, how do you ask a user to decide if a given website is trusted, or if it’s been spoofed or hacked? 

“Heeding the hidden costs of storage” – again the report doesn’t state the security implications directly, but one big difference between digital and paper storage is that a thief can, all too often, obtain offsite access to the former.  That’s rarely the case with paper storage.

“The business case for biometrics” – an interesting, and clearly security-related, section of the document.  I’m not exactly sure what their agenda was in including this – it’s almost like they thought 2007 might be ‘the year of biometrics’.  That would have made me a little skeptical.  On the other hand, HSPD-12, the US Government access card directive which includes requirements for biometric support, has pushed domestic adoption of the technology forward somewhat.  And security-sensitive, technology-friendly industries such as military, financial, and oil have been deploying. 

“The rising cost of free technology” – this section talks about free email, IM, and VoIP services.  It does bear mentioning that the actual usage cost of those technologies is rarely zero – the various kinds of spam being the most notable ‘tax’.  I wholeheartedly agree that customers are willing to pay a premium for solutions which reduce spam over those communications media.

http://www.deloitte.com/dtt/cda/doc/content/us_tmt_2007_Technology_Predictions_160106.pdf

 

 

Permalink | Comments (0)

Check out SCARE - the Source Code Analysis Risk Evaluation tool - at http://www.isecom.org/scare. It analyzes code (currently only C) to determine a Risk Assessment Value, based on metrics also described at that site - primarily, "reliance on external variables which a user can manipulate as input".

The authors are looking for help in producing a Windows port.

Here’s the original bugtraq post - http://www.securityfocus.com/archive/1/484405/30/0/threaded.

Permalink | Comments (0)