Better Protection Against Data Loss in Windows 8

High-assurance data loss protection is achievable using Dynamic Access Control and TPM remote attestation (also known as BIOS Integrity Measurements). Find out more in the JW Secure Informer newsletter.
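The verifier side of TPM remote attestation, as an added example that is not part of the newsletter or of any JW Secure code: it replays a boot measurement log through the PCR extend operation, checks that the result reproduces the PCR values the TPM quoted, and then checks each measured object against a trusted set. The log entries, digests and trusted set are constructed for the example; verification of the AIK signature over the quote is assumed to happen before this step and is omitted.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_COUNT = 24                      # TPM 1.2: 24 PCRs, each a 20-byte SHA-1 value
LogEntry = Tuple[int, str, bytes]   # (PCR index, description, SHA-1 digest of the measured object)


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || measurement).
    A PCR can only be extended, never written, so a component that loads later
    cannot erase the measurement of what ran before it."""
    return sha1(pcr + measurement)


def replay_log(log: List[LogEntry]) -> Dict[int, bytes]:
    """Recompute every PCR from the event log, starting from the reset value (all zeros)."""
    pcrs = {i: bytes(20) for i in range(PCR_COUNT)}
    for index, _desc, digest in log:
        pcrs[index] = pcr_extend(pcrs[index], digest)
    return pcrs


def verify_attestation(quoted_pcrs: Dict[int, bytes], log: List[LogEntry],
                       trusted: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Verifier side of remote attestation.
    Step 1: the log must replay to exactly the PCR values the TPM signed. An attacker
    who owns the OS can edit the log, but cannot make the TPM sign a PCR it never had.
    Step 2: every measured object must be one the policy trusts."""
    problems: List[str] = []
    replayed = replay_log(log)
    for index, value in quoted_pcrs.items():
        if replayed[index] != value:
            problems.append(f"PCR{index}: event log does not reproduce the quoted value")
    for _index, desc, digest in log:
        if trusted.get(desc) != digest:
            problems.append(f"{desc}: digest not in the trusted set")
    return not problems, problems


# Constructed sample log: digests are SHA-1 of placeholder strings, not real firmware hashes.
GOOD_LOG: List[LogEntry] = [
    (0, "firmware-core", sha1(b"firmware build 1.0")),
    (7, "secure-boot-config", sha1(b"PK/KEK/db/dbx")),
    (11, "bootmgr", sha1(b"bootmgfw.efi 6.2")),
]
TRUSTED = {desc: digest for _i, desc, digest in GOOD_LOG}


def quote_from_boot(log: List[LogEntry]) -> Dict[int, bytes]:
    """Stand-in for TPM_Quote: the PCR values that actually resulted from booting `log`."""
    pcrs = replay_log(log)
    return {i: pcrs[i] for i in (0, 7, 11)}


def demo_honest() -> bool:
    ok, _ = verify_attestation(quote_from_boot(GOOD_LOG), GOOD_LOG, TRUSTED)
    return ok


def demo_bootkit_with_clean_log() -> List[str]:
    """The machine booted a patched boot manager (PCR11 reflects it), but the attacker
    submits the clean log hoping the verifier trusts the log alone."""
    real_boot = GOOD_LOG[:2] + [(11, "bootmgr", sha1(b"bootmgfw.efi patched"))]
    return verify_attestation(quote_from_boot(real_boot), GOOD_LOG, TRUSTED)[1]


def demo_bootkit_with_truthful_log() -> List[str]:
    """Same tampered boot, truthful log: the replay matches, the whitelist check fails."""
    real_boot = GOOD_LOG[:2] + [(11, "bootmgr", sha1(b"bootmgfw.efi patched"))]
    return verify_attestation(quote_from_boot(real_boot), real_boot, TRUSTED)[1]


if __name__ == "__main__":
    print("honest boot accepted:", demo_honest())
    print("bootkit, clean log:", demo_bootkit_with_clean_log())
    print("bootkit, truthful log:", demo_bootkit_with_truthful_log())
```

Both checks are needed: the replay ties the log to the hardware-signed quote, and the whitelist ties the log's contents to policy. A verifier that does only the second is trusting a log the attacker wrote. TPM 2.0 platforms extend SHA-256 banks the same way, with a 32-byte PCR and digest.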

Check out Cloud Security Readiness Tool

A new, free questionnaire here from Microsoft Trustworthy Computing runs through a short list of questions about your IT processes. Then it spits out a pretty report with tailored guidance, including an automated mapping from your industry to the regulatory guidance or framework (e.g. ISO; HIPAA) that probably makes the most sense for you.

Come check out Cases of Network Technology II

I’ll be presenting on network security at the Seattle Technical Forum event Cases of Network Technology II in Bellevue, WA on November 14, 2012 at 7pm. You don’t even have to mark your calendar – when you sign up for the event, meetup.com will do it for you. So simple!

Oh snap! I’m presenting at ToorCon San Diego

I’ll be presenting Hacking Measured Boot and UEFI at ToorCon San Diego on Saturday, October 20, 2012 at 3pm. Yes, it’ll be sunny outside, but you can come inside the hotel for just one hour in order to learn about the future of protecting computers from malware. It’s worth it.

BYOD + 4 Pillars Strategy = security wins

Looking for a fresh approach for classifying and prioritizing IT investment in security technologies? Check out our Four Pillars of Endpoint Security for BYOD in the September edition of the JW Secure Informer newsletter.

Endpoint Security in an age of BYOD

Introduction

The proliferation of smart phones and tablets has created a population of users who have come to expect immediate access to any data, anywhere they might be. The popularity of smart phones led to their sales exceeding those of all PCs in 2011, and that was before the impact of tablet computing had really taken off. Every public location that encourages users to linger provides WiFi access; otherwise customers look elsewhere for a coffee and a connection.

In the enterprise, the pressure to enable fully mobile access to corporate resources is significant. Enterprise IT needs to get out in front of this trend in order to support mobile access in an orderly and secure manner, since users are inevitably pushing for quicker adoption than can be safely deployed for certain key applications. And we are talking about support across the full spectrum of applications: today’s pressure to enable email and sharing will morph into tomorrow’s demand for mobile access to systems used for SCADA and national defense.

Mobile devices all have limitations that require fundamental rethinking of IT requirements. This post describes the Four Pillars of Endpoint Security as an enablement tool for mobile devices in the enterprise, followed by a list of specific steps that you can take today to be prepared for the pressure to deliver tomorrow.

What kind of mobile devices will IT support?

The US Dept. of Defense found that the mobile communications of its warfighters in the Middle East were badly outclassed by insurgents using cell phones for both intelligence and triggering bombs. Enterprise IT departments are facing a similar gap between their services and the public’s experience with consumer online services. While the consumer-driven approach championed by Apple and Android is dominant today, look for enterprise-class security features to become increasingly important in the coming device generations.

The Four Pillars of Endpoint Security

Every enterprise has compliance criteria that have been imposed by internal or external regulations. The deployment of a new device technology does not free IT from compliance requirements. New devices must be adapted to the existing requirements. Over time we have developed the Four Pillars of Endpoint Security strategy to focus on the best practices for applying controls and achieving compliance.

  • Endpoint Hardening
  • Endpoint Reliability
  • Network Prioritization
  • Network Reliability

For more information on the Four Pillars strategy for BYOD, please see our upcoming September edition of the JW Secure Informer newsletter.

Check out our Smart Card Fuzzer

We’ve just released our smart card fuzz testing tool, SCFuzz, including full source code, on CodePlex. The purpose of SCFuzz is to find bugs in smart card middleware, the software that allows a commercial operating system such as Windows to communicate with a vendor-specific card. Smart card middleware makes an interesting target because it runs as Local System on Windows, so it’s high-value, and yet is frequently overlooked.

Also, while launching a smart card based attack generally requires physical access to the host, and is therefore less compelling than remote attacks, keep in mind that smart cards are used in many security-sensitive environments. One can imagine the creation of a rogue card that can be inserted into a reader, inflicting its damage, and then removed without a trace, all within a couple of seconds. The next user of that host would have no idea that the compromise had occurred.

More generally, SCFuzz demonstrates that fuzzing works, even against mature protocols and APIs with existing functional test coverage. Check out this article in The Register for proof, as well as the video of my 2008 ShmooCon presentation (skip through the really long intro).
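SCFuzz itself is the tool on CodePlex; what follows is an added Python model of the kind of bug such a fuzzer exercises, not SCFuzz’s own code. It pairs a parser that trusts the length byte in a card response (a hypothetical [len][data][SW1][SW2] layout, constructed for the example) with a version that validates it, and runs a mutation fuzzer over both. Python cannot corrupt memory, so memcpy_model raises a SimulatedFault where native middleware would crash or trip a sanitizer.

```python
import random
from typing import Callable, Dict, Tuple

RECORD_MAX = 32   # size of the fixed buffer in the modelled middleware


class CardError(Exception):
    """Graceful rejection of a malformed card response: the outcome we want."""


class SimulatedFault(Exception):
    """Stands in for the access violation or sanitizer report native code would produce."""


def memcpy_model(dst: bytearray, src: bytes, offset: int, n: int) -> None:
    """Models C memcpy(dst, src + offset, n), faulting the way a sanitizer would."""
    if offset + n > len(src):
        raise SimulatedFault("out-of-bounds read")
    if n > len(dst):
        raise SimulatedFault("buffer overflow")
    dst[:n] = src[offset:offset + n]


def parse_record_unsafe(resp: bytes) -> Tuple[bytes, int]:
    """Buggy parser of a response laid out as [len][data...][SW1][SW2].
    It trusts the length byte the card supplied: the bug class a rogue card triggers."""
    if len(resp) < 3:
        raise CardError("short response")
    n = resp[0]
    record = bytearray(RECORD_MAX)
    memcpy_model(record, resp, 1, n)
    sw = (resp[1 + n] << 8) | resp[2 + n]   # IndexError if the status word lies past the end
    return bytes(record[:n]), sw


def parse_record_safe(resp: bytes) -> Tuple[bytes, int]:
    """Same parser with the length field checked against both the buffer and the response."""
    if len(resp) < 3:
        raise CardError("short response")
    n = resp[0]
    if n > RECORD_MAX or len(resp) != 3 + n:
        raise CardError("length field inconsistent with response")
    record = bytearray(RECORD_MAX)
    memcpy_model(record, resp, 1, n)
    sw = (resp[1 + n] << 8) | resp[2 + n]
    return bytes(record[:n]), sw


BOUNDARY_LENGTHS = (0, 1, RECORD_MAX - 1, RECORD_MAX, RECORD_MAX + 1, 0x7F, 0x80, 0xFF)


def mutate(resp: bytes, rng: random.Random) -> bytes:
    """One to three stacked mutations of a well-formed response, the way a rogue card
    would vary what it returns."""
    b = bytearray(resp)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(5)
        if choice == 0 and b:                    # random length byte
            b[0] = rng.randrange(256)
        elif choice == 1 and len(b) > 1:         # truncate
            del b[rng.randrange(1, len(b)):]
        elif choice == 2:                        # append junk
            b += bytes(rng.randrange(256) for _ in range(rng.randint(1, 64)))
        elif choice == 3 and b:                  # flip one bit
            i = rng.randrange(len(b))
            b[i] ^= 1 << rng.randrange(8)
        elif choice == 4:                        # boundary length with matching data
            n = rng.choice(BOUNDARY_LENGTHS)
            b = bytearray([n]) + bytes(n) + b"\x90\x00"
    return bytes(b)


def fuzz(parser: Callable[[bytes], Tuple[bytes, int]], seed_resp: bytes,
         iterations: int = 3000, seed: int = 7) -> Dict[str, bytes]:
    """Returns the first input that triggered each distinct fault; empty means no crash."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed_resp, rng)
        try:
            parser(case)
        except CardError:
            continue                              # rejected cleanly
        except SimulatedFault as fault:
            crashes.setdefault(str(fault), case)
        except IndexError:
            crashes.setdefault("out-of-bounds read", case)
    return crashes


# Constructed well-formed response: 8 data bytes followed by status 90 00 (success).
SEED_RESPONSE = bytes([8]) + b"CARDDATA" + b"\x90\x00"

if __name__ == "__main__":
    for name, parser in (("unsafe", parse_record_unsafe), ("safe", parse_record_safe)):
        found = fuzz(parser, SEED_RESPONSE)
        print(name, {k: v.hex() for k, v in found.items()})
```

The seed is a single valid response; the mutations are the ones a rogue card can produce at will (wrong length, truncated or padded data, boundary lengths). Against the unsafe parser the harness finds both an out-of-bounds read and an overflow of the fixed buffer within a few thousand cases; the validated parser turns every one of them into a CardError. Keeping the first input per fault class is what you would hand to the vendor as a reproducer.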

Open-source SecurEntity encryption library now in Beta

Beta 2 of SecurEntity, our encryption library for Entity Framework, is now available here, along with full source code. Closed-source licensing and support contracts are available.

The most notable change in this release is the addition of a sample client project so that it’s easier to see how everything works. Also, we refactored some common code into the encryption library so there’s even less to do on the application side.

Seamless SQL row encryption and data integrity protection, as implemented by SecurEntity, is a compelling approach for several reasons. The main benefit is that you can store sensitive data in hosted SQL, since plaintext never leaves the application tier. Use of hosted services increases business velocity, which translates to increased revenue.

From a technical perspective, SecurEntity is integrated into an existing toolkit – namely, Entity Framework – so it’s easy to use, and minimally invasive to the application business logic, and hence easier to maintain.
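An added sketch, not SecurEntity’s code, of the property described above: a cell is sealed in the application tier, and its integrity tag is bound to the table, primary key and column, so the database host sees only ciphertext and cannot even move a valid ciphertext into another row without detection. It uses sqlite3 in memory as the hosted store; the key, table and rows are constructed for the example, and HMAC-SHA256 in counter mode stands in for AES-GCM because the Python standard library has no AES.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. In a deployment the key comes from a KMS, HSM or DPAPI and
# never reaches the database host.
ROOT_KEY = hashlib.sha256(b"demo-only root key, not for production").digest()
ENC_KEY = hmac.new(ROOT_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(ROOT_KEY, b"mac", hashlib.sha256).digest()
NONCE_LEN, TAG_LEN = 16, 32


class IntegrityError(Exception):
    """Ciphertext, nonce, or its binding to the row has been altered."""


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher used because the standard
    library has no AES. A real implementation would use an AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _context(table: str, pk: int, column: str) -> bytes:
    """Length-prefixed row context the tag is bound to (the role of AEAD associated data),
    so a ciphertext only verifies in the cell it was written for."""
    parts = [table.encode(), str(pk).encode(), column.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def seal(table: str, pk: int, column: str, plaintext: str) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))
    tag = hmac.new(MAC_KEY, _context(table, pk, column) + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(table: str, pk: int, column: str, blob: bytes) -> str:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise IntegrityError("blob too short")
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ct = blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(MAC_KEY, _context(table, pk, column) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting, constant-time
        raise IntegrityError(f"{table}.{column} for id {pk} failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


# --- application tier talking to the (here in-memory) hosted database ---

def build_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    for pk, name, ssn in [(1, "Alice", "111-22-3333"), (2, "Bob", "444-55-6666")]:  # constructed rows
        db.execute("INSERT INTO patients VALUES (?, ?, ?)",
                   (pk, name, seal("patients", pk, "ssn", ssn)))
    return db


def stored_blob(db: sqlite3.Connection, pk: int) -> bytes:
    """What the database host holds for the cell: nonce || tag || ciphertext."""
    return db.execute("SELECT ssn FROM patients WHERE id = ?", (pk,)).fetchone()[0]


def read_ssn(db: sqlite3.Connection, pk: int) -> str:
    return unseal("patients", pk, "ssn", stored_blob(db, pk))


def dba_swaps_rows(db: sqlite3.Connection, a: int, b: int) -> None:
    """What a compromised database host can do: it cannot read the cells, but it can
    move valid ciphertext between rows. The row-bound tag makes that detectable."""
    blob_a, blob_b = stored_blob(db, a), stored_blob(db, b)
    db.execute("UPDATE patients SET ssn = ? WHERE id = ?", (blob_b, a))
    db.execute("UPDATE patients SET ssn = ? WHERE id = ?", (blob_a, b))


if __name__ == "__main__":
    db = build_demo_db()
    print(read_ssn(db, 1), read_ssn(db, 2))
    dba_swaps_rows(db, 1, 2)
    try:
        read_ssn(db, 1)
    except IntegrityError as e:
        print("detected:", e)
```

The point of binding the primary key and column name into the tag is that confidentiality alone does not stop a host from reassigning one patient’s record to another; integrity protection scoped to the cell does. Decrypting only after the tag verifies also keeps the application from acting on attacker-chosen ciphertext.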

ToorCamp was awesome!

Thanks, ToorCon folks, for another great event…and for the opportunity to present to l33t h@x0rs!

For anyone who didn’t experience ToorCamp, the Radio Free ToorCamp Facebook page gives a small sample. Oh, and by the way, if you’re looking for a beautiful twisty road to drive to a beautiful beach resort, drive Hwy 112 to Hobuck.

DefCon was awesome

(In fact, even though I’m back in the office, I suspect that DefCon is still being awesome for lots of people. I mean, why leave Vegas before the weekend is even over?)

I’m grateful for the opportunity to have spoken to such an esteemed audience of hackers, security professionals, and the eternally curious at DefCon 20 this year. My slides can be found here: Hacking Measured Boot and UEFI.