Mobile

Monday, 14 November 2011

#voltagelive Voltage Customer Summit Video

Tuesday, 08 November 2011

Data-centric security for a data-centric world - #voltagelive 2011 in NYC



New innovation and emerging technology brings with it opportunities for streamlining costs, eliminating hurdles for end users and reducing risks to the business. However, implementing game changing solutions can be unique to your environment, policies and processes.

That's why I invite you to join Voltage Security at its first customer summit in New York City on November 9, 2011. The summit will focus on data-centric security and will feature top Voltage customers such as Amex, Wells Fargo, State Street and others, who will discuss how they implemented encryption projects for mail, data and payments. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently developing new analyses of how companies use encryption. The summit features customers talking to customers; at last count this includes American Express, BJ's Wholesale Club, Citigroup, Deutsche Bank, Fidelity Investments, JPMorgan Chase, UBS, State Street Bank and Wells Fargo. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices. If you're interested in attending, please visit www.voltage.com/live.

The theme is 'Data-centric Security for a Data-centric World,' and it's an area of huge attention. Data is the lifeblood of industry, commerce and leisure, of every business and every transaction. That's why protecting it is such a serious and difficult responsibility.

Here's a quick scan of the Hot Topics we have on tap at Voltage Security Live 2011:

  • Cloud Data Security
  • Data-centric Encryption
  • Ecommerce Security
  • Email Encryption
  • Mobile Data Security
  • Payment Security

There's no question that every company continues to face a long series of challenges related to these topics. The conference is designed to tackle specific issues and help formulate achievable solutions. The areas to be covered include:

  • How to fund and integrate a data-centric strategy into your overall security program
  • Best practices for data-centric encryption based on real-world implementation at a Fortune 50 Bank
  • How to roll out encryption projects successfully across the organization and end-user community
  • Successful phases for fast and non-disruptive implementation: what you need to do before, during and after an implementation
  • Elements of key management architecture and design
  • The role of cloud and mobile data-centric security

Voltage Security Live 2011 will bring together the brightest minds in our field, all with considerable experience. There will be representatives from teams responsible for implementation, as well as enterprise and security architects looking for, and developing, best practices for data-centric encryption. 

The sessions will cover customer project case studies addressing issues such as how to maximize end-user adoption for your B2C implementations and implementing data-centric encryption projects, while the Customer Track focuses on panel discussions and presentations on topics such as protecting outsourced data, eDiscovery and Archiving and securing application emails. There's also an Architecture Track, featuring panel discussions and presentations on topics such as key management architecture, security policy, enterprise applications and the web services API and scalable design considerations. And there's the Security Panel, with a discussion and general Q&A featuring leaders from the security community—Gartner Security Analyst, Encryption Architects, QSAs. 

There's going to be a broad cross-section of security specialists attending, but some executives will find it particularly enlightening: CXOs and security leaders responsible for security strategy and programs; VPs/Directors responsible for security implementation; and architects responsible for security and application and enterprise architecture. If you have one of these roles, we think this conference is exactly right for you. 

We know there are constant demands on your time - we hope to see you there.

Register at www.voltage.com/live


Monday, 31 October 2011

Are we in a post-PC world?

There's an interesting debate going on on The Economist's web site. The actual resolution being debated is, "The house believes that we are now in a post-PC world." Most people don't sound convinced: the No votes currently outnumber the Yes votes by a considerable margin. In this particular case, I definitely agree with the majority.

I've used BlackBerrys, Kindles, iPads and other mobile computing platforms from time to time, but I always return to a desktop PC or laptop for serious work. The mobile platforms are great for entertainment and finding random bits of information like how to find a good barbeque restaurant near your hotel, but for serious work they've never been good enough and I don't foresee that changing any time soon. And from the voting on The Economist's web site, it looks like most people have had similar experiences.

I don't doubt that the PC will continue to evolve, but I also believe that whatever it evolves into will still look a lot like the PCs that we have today.

Thursday, 27 October 2011

Voltage Customer Summit #VoltageLive - Only 23 Spaces left


 *** Only 23 spaces left ***

Voltage Security invites you to "Voltage Security Live 2011" at Bridgewaters in New York City on November 9, 2011. This customer summit will focus on data-centric security and will feature several leading Voltage customers, such as American Express, Wells Fargo, State Street and others, who will discuss how they have implemented encryption projects for email encryption, data-centric encryption and end-to-end payment encryption. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently working on a new analysis of how companies use encryption. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices.

Stop Press: Thanks to our sponsors - Coalfire, OpenPath, Teradata and Thales - we are able to offer registration for eligible participants at no cost. Register now at www.voltage.com/live

Join Voltage customers including: ADP, American Express, Bank of America, AT&T, Citigroup, Deloitte, Deutsche Bank, Elavon, Fidelity Investments, Heartland, JPMorgan Chase, McGraw-Hill, UBS and Wells Fargo.

Highlights of the agenda include:

  • CxOs Panel – Business dynamics for data-centric encryption security – How to get your security project funded
  • Keynote – Eric Ouellet, Vice President Research, Gartner Group
  • How to maximize customer adoption – Kim Mroczkowski, Wells Fargo
  • How to structure a data-centric encryption project – Emily Mossberg, Deloitte
  • “Birds of a Feather” networking lunch
  • Tracks: Customer and Best Practices – American Express, State Street, Thales, PwC, Coalfire
  • Security Leadership Panel – Gartner Group, State Street, American Express, Wells Fargo


Tuesday, 04 October 2011

A YouTube video of the HTC Android phone hack

An interesting privilege escalation hack that can be done to some HTC Android phones was recently discovered. According to the story on androidpolice.com, a quick summary of the hack is this:

[A]ny app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

So if you give an app INTERNET permission, like you might do to let it submit your high scores in a game to the game's web site, it's possible for a rogue app to take advantage of this permission and extract all sorts of interesting information from your phone - information that you probably didn't expect it to be able to get.

Here's a YouTube video of this hack being carried out.  

Wednesday, 24 August 2011

Celebrating Ten Years of Identity-Based Encryption (IBE)

Over the past 10 years, IBE has become one of the fastest deployed encryption technologies as measured by the commercial adoption of Voltage SecureMail™ and the use of IBE as a general purpose key management solution across the Voltage Security product line. Since its commercial launch 8 years ago, Voltage SecureMail has become one of the most widely adopted secure email products in the world, with over one billion secure business emails sent annually and over 50 million worldwide users; those numbers are expected to double by 2014.

IBE was first introduced on Tuesday, August 21 at the 2001 Crypto conference in a seminal paper by Dan Boneh, Stanford University, and Matt Franklin, University of California Davis. The paper, entitled “Identity-Based Encryption from the Weil Pairing,” set forth a simple but powerful approach for encrypting information with identity-based keys. This cryptography breakthrough became the founding technology for Voltage Security, which was incorporated in 2002 by three Stanford students working with Professor Boneh: Matt Pauker, Rishi Kacker and Guido Appenzeller. In July 2003, the new company launched Voltage SecureMail, an email encryption product using IBE to secure messages without the difficulties and expenses of traditional certificates.

Key metrics in the 10 year history of IBE:

  • 50 million Voltage SecureMail users worldwide.
  • Approximately one billion IBE secured business emails will be sent in 2011.
  • By 2014, it is estimated there will be 100 million Voltage SecureMail licensed users and over two billion secure emails will be sent that year.
  • All the messages protected by IBE in 2011, if printed out, would circle the globe seven times.
  • Nearly a third of the world’s 20 biggest public companies (per the Forbes Global 2000) have standardized on Voltage SecureMail.

World’s Biggest Companies Standardize on Voltage SecureMail

Nearly 30% of the world’s 20 biggest public companies (as listed by Forbes Global 2000) have standardized on Voltage SecureMail powered by IBE, including four of the world’s largest global financial institutions, one of the world’s largest retailers, one of the largest U.S. managed healthcare providers and several large regional healthcare providers.

Notable Voltage SecureMail customers from the last year include:

  • One of the largest Wall Street banks with over 230,000 employees standardizes on Voltage SecureMail
  • A major Wall Street bank and Fortune 100 financial services provider with global operations chooses Voltage SecureMail for its 100,000 employees around the world.
  • A major credit card brand with over 60,000 employees standardizes on Voltage SecureMail
  • An award-winning regional health care organization replaces a non-functioning email security solution from one of the largest technology companies in the world with a policy-based encryption solution from Voltage SecureMail
  • A Fortune 50 global financial services company deploys Voltage SecureMail to over 320,000 internal and several million external users across 86 countries, replacing an aging PKI-based encryption technology.

In addition, over 1000 enterprise companies have standardized on Voltage SecureMail, and thousands of mid-size to smaller business use the cloud-based Voltage SecureMail Cloud™ solution to protect private and confidential information.

More information at www.voltage.com


Thursday, 04 August 2011

Hackers hack Symbian

According to the most recent McAfee Threats Report: First Quarter 2011 (PDF), it looks like that when hackers target mobile devices they target Symbian devices much more frequently than they target other devices. Here's the graph from this report that shows the relative frequency of malware for various mobile platforms:

[Pie chart from the McAfee report: share of mobile malware by target platform]

I don't have a protractor handy so I can't measure the sizes of the pieces of that pie chart, but it looks to me that a bit over 75 percent of all mobile malware targets Symbian platforms. Maybe I just haven't been paying enough attention to hacks of mobile devices, but I was surprised to see such a big fraction of malware targeting Symbian devices.

Thursday, 26 May 2011

Was iPhone encryption cracked?

I've heard lots of discussions today about how clever researchers at Russian computer security company ElcomSoft managed to crack the AES-256 encryption used to protect data on iPhones.

But this wasn't really an attack on AES-256.

Instead, it's an attack on the weak 4-digit PINs that most users use to control access to their keys. If you try to buy the application that does this attack for you, you'll find that this is actually part of the ElcomSoft Phone Password Breaker application.

Controlling access to keys is part of key management, not encryption. That means that this particular attack is really an attack on weak key management, not on encryption. Cracking an AES-256 key is still so hard that it's essentially impossible.

So the lesson learned from this particular attack should be that if you protect a 256-bit key with a 4-digit PIN, you're not getting 256 bits of cryptographic strength. Instead, you're getting more like 13 bits of strength: there are 10^4 possible PINs, and 10^4 ≈ 2^13.3, so a 4-digit PIN gives about 13 bits of cryptographic strength. And because 13 bits of strength isn't enough to resist even an attacker with access to a low-cost desktop PC, it's not really providing a meaningful level of protection at all.
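Here is an added example (not from the original post, and not ElcomSoft's tool or Apple's actual key hierarchy) that makes that arithmetic concrete: a random 256-bit data key is wrapped under a key derived from a 4-digit PIN, and the whole PIN space is then searched offline. PBKDF2-HMAC-SHA256, the iteration count, the XOR-plus-HMAC wrapping and the PIN 0417 are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

# Assumed, illustrative key-wrapping scheme: a keychain wraps a random 256-bit
# data key under a key derived from a short numeric PIN, so the only thing an
# attacker has to search is the PIN space. Not Apple's real key hierarchy.
PBKDF2_ITERATIONS = 1000  # assumed; real devices use more, which scales cost linearly


def pin_entropy_bits(digits: int) -> float:
    """Strength of an all-numeric PIN in bits: log2(10 ** digits)."""
    return math.log2(10 ** digits)


def derive_keys(pin: str, salt: bytes) -> tuple:
    """PIN -> (mask key, MAC key), 32 bytes each, via PBKDF2-HMAC-SHA256."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def wrap_data_key(data_key: bytes, pin: str) -> dict:
    """Wrap a 32-byte data key under the PIN: XOR with the mask key, then tag it.

    The tag is what lets a guess be verified offline; every real keychain gives
    the attacker some equivalent oracle (a MAC, a known plaintext, a header).
    """
    assert len(data_key) == 32
    salt = os.urandom(16)
    mask, mac_key = derive_keys(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_data_key(blob: dict, pin: str):
    """Return the data key if the PIN is right, otherwise None."""
    mask, mac_key = derive_keys(pin, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], mask))


def brute_force_pin(blob: dict, digits: int = 4):
    """Try every PIN of the given length in order; returns (pin, data_key, guesses) or None.

    The work is at most 10 ** digits PBKDF2 runs, however long the key inside is.
    """
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        key = unwrap_data_key(blob, pin)
        if key is not None:
            return pin, key, n + 1
    return None


if __name__ == "__main__":
    data_key = os.urandom(32)                # the "AES-256 key" the device actually uses
    blob = wrap_data_key(data_key, "0417")   # constructed user PIN
    pin, recovered, guesses = brute_force_pin(blob)
    print(f"{pin_entropy_bits(4):.1f} bits of strength; PIN {pin} found after "
          f"{guesses} guesses; key recovered: {recovered == data_key}")
```

Raising the iteration count, or doing the derivation inside hardware that rate-limits guesses, multiplies the cost of each guess but doesn't change the 10,000 guesses the attacker needs. Only a longer or alphanumeric passcode changes that, and even pin_entropy_bits(6) is still under 20 bits.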

Monday, 31 January 2011

What vulnerabilities in Android phones tells us

A couple of days ago, Jon Oberheide and Zach Lanier gave a presentation at ShmooCon about hacking Android phones. Since then there's been lots of talk about what the vulnerabilities in mobile phones mean.

It looks to me like the mobile phone market is now much like the market for enterprise software was back in the early dot-com era. Back then, there weren't many application-level vulnerabilities known. We knew about buffer overflows, of course, but SQL injection wasn't even described until December 1998. Over the next few years, people found all sorts of clever ways to exploit carelessly-written software.

Vendors, however, weren't keen on following secure coding practices until their customers made passing source code security audits a requirement for buying their software. Once customers started requiring careful reviews, the quality of enterprise software increased dramatically.  

That's where we seem to be today in the mobile world - much like we were for enterprise software back in the dot-com era. We're just starting to learn how clever hackers can exploit mobile devices, and I'd guess that the people who create mobile applications have an outlook that's similar to the one that we had back then - they're probably more interested in getting their products to market quickly than they are in getting them to be secure.

And just like enterprise software vendors didn't take application security seriously until their customers forced them to, I'd guess that the developers of mobile applications won't take security seriously until they're required to by their customers. That's what the discovery of vulnerabilities in Android phones tells me.

Thursday, 27 August 2009

Using location data

One of the speakers at last week’s National Cyber Leap Year Summit was Jeff Jonas, the founder of the company that became IBM’s Entity Analytic Solutions in 2005. He talked about the amount of location data that’s available and what you can do with it. It was a very interesting talk. It seems that the funding for Jonas' technology originally came from In-Q-Tel, the organization that essentially acts like the venture capital arm of the CIA. You'll soon understand why they funded him.

It’s easy for wireless companies to track the location of the devices on their network. In the case of cell phones, for example, the E911 system provides both caller location and identification. Other technologies have similar capabilities, and it turns out that databases of location and caller identification are routinely sold to third parties. The data is anonymized (if that’s really a word) before it’s sold, but that apparently doesn’t really provide much protection because there are technologies available that can easily identify who caller 0123456789 really is, even though his true identity has been replaced with 0123456789.

It’s also apparently possible to identify a person from just a few pieces of location data. By tracking where your cell phone is during the day, for example, it’s easy to get a very good idea of where you live, where you work, and other similar information. With just a few pieces of such data it’s possible to determine who the person carrying the phone is.
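An added example (not part of Jonas' talk or the original post) of how little is needed, using the caller 0123456789 from above. The pings, the cell identifiers and the three-person directory are constructed for illustration; the only assumption in the method is that the most common night-time cell is "home" and the most common weekday office-hours cell is "work".

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Ping:
    pseudonym: str   # the "anonymized" caller identifier
    day: int         # day index within the sample
    hour: int        # local hour, 0-23
    cell: str        # cell-site or area identifier


def infer_anchor_points(pings):
    """For each pseudonym, pick the modal night-time cell (home) and the modal
    weekday office-hours cell (work). Returns pseudonym -> (home, work)."""
    grouped = defaultdict(list)
    for p in pings:
        grouped[p.pseudonym].append(p)
    anchors = {}
    for pseudonym, ps in grouped.items():
        night = Counter(p.cell for p in ps if p.hour >= 22 or p.hour < 6)
        office = Counter(p.cell for p in ps if 9 <= p.hour < 17 and p.day % 7 < 5)
        home = night.most_common(1)[0][0] if night else None
        work = office.most_common(1)[0][0] if office else None
        anchors[pseudonym] = (home, work)
    return anchors


def reidentify(anchors, directory):
    """Match anchor points against a directory of name -> (home_cell, work_cell),
    the kind of thing built from address and employer records. Returns, per
    pseudonym, the candidate names after matching on home alone and on home+work."""
    out = {}
    for pseudonym, (home, work) in anchors.items():
        by_home = sorted(n for n, (h, _) in directory.items() if h == home)
        by_both = sorted(n for n, (h, w) in directory.items() if h == home and w == work)
        out[pseudonym] = {"home": by_home, "home_and_work": by_both}
    return out


def sample_pings():
    """Constructed trace for caller 0123456789 over five weekdays: nights in
    cell C12, office hours in C40, plus one lunch-time ping elsewhere per day."""
    pings = []
    for day in range(5):
        for hour in (0, 1, 2, 23):
            pings.append(Ping("0123456789", day, hour, "C12"))
        for hour in (9, 10, 11, 14, 15):
            pings.append(Ping("0123456789", day, hour, "C40"))
        pings.append(Ping("0123456789", day, 12, "C41"))  # lunch, noise
    return pings


# Constructed directory: home and work cells for three people.
DIRECTORY = {
    "Alice": ("C12", "C40"),
    "Bob": ("C12", "C77"),
    "Carol": ("C55", "C40"),
}


if __name__ == "__main__":
    anchors = infer_anchor_points(sample_pings())
    print(anchors)                             # {'0123456789': ('C12', 'C40')}
    print(reidentify(anchors, DIRECTORY))      # home narrows to two names, home+work to one
```

Two anchor points are enough here because home and workplace are each shared by only a handful of people, and their combination by almost nobody. Replacing a phone number with a random identifier does nothing about that, since the identifier isn't what gives the person away.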

It seems that every day we see more and more proof that Scott McNealy was right when he said, “You have zero privacy anyway. Get over it.”

Wednesday, 13 August 2008

Data-centric security


There’s lots of talk these days about the potential for data-centric security and how it will revolutionize the field of information security. While it’s true that data-centric security is a good solution to some problems, it doesn’t solve all problems, and it’s almost certain to coexist with existing security technologies instead of replacing them. It does this in a way that makes it particularly useful in dealing with data breaches, so it should provide a good tool to help fight the massive losses of sensitive data that we're seeing today.

Data-centric security focuses on protecting data rather than protecting the network where the data lives. Traditional security technologies like firewalls establish a security perimeter that's designed to keep hackers out. Everything inside the security perimeter is considered to be more-or-less safe while everything outside the perimeter is considered suspect. Perhaps not exactly Evil, but certainly Bad.

Trends like mobile computing and tighter integration of business partners are making it more and more difficult to define exactly where a security perimeter is. This makes enforcing the traditional model more and more difficult. It's almost impossible to enforce a strong perimeter, after all, if you can't really say exactly where the perimeter is. Because of this, data-centric security is often proposed as an alternative.

With data-centric security, you protect the data instead of the network where the data lives. This is typically done with encryption. In the ideal data-centric model, sensitive data is encrypted and only authorized users can get the cryptographic key needed to decrypt it. To unauthorized users, data looks like a bunch of random bits, and because they can’t get the key needed to turn these random bits into useful information, the data isn’t useful to them.

If a hacker manages to penetrate a network that’s protected by data-centric security, any data that he manages to get will be useless to him. Doing key management correctly is needed to make this a reality, but let’s make a huge leap of faith and assume that that’s possible. This means that a hacker can’t get the decryption keys that he needs to make sense of the encrypted data.

This certainly sounds good, but it probably doesn’t describe a scenario that’s likely to happen, and probably doesn’t describe one that people will pay for. Although they’re far from perfect, existing technologies can create fairly strong security perimeters, after all. So why should we be interested in data-centric security at all?

The real reason that data-centric security will probably become popular is because it provides a way to extend the security perimeter to where it needs to be. Sensitive data is extremely difficult to keep control of. It’s carried outside the security perimeter on a routine basis by people who need to use it. Laptops are routinely lost or stolen. CDs containing sensitive data are lost in the mail. So are USB drives. So keeping sensitive data inside a protected perimeter is virtually impossible. It’s also probably not worth trying to do. People need access to sensitive data to do their jobs, and not letting it leave a protected network probably isn’t practical.

On the other hand, if sensitive data is encrypted, then losing control of it won’t cause any problems because data-centric security extends the security perimeter to wherever the data is. That’s assuming that key management is done correctly, but we’ve assumed that to be the case. The most important use of data-centric security probably won’t be as an additional layer of protection against hackers that manage to penetrate a protected network. Instead, it will probably be used to protect data that leaves the network for legitimate purposes.

The big problem with protecting sensitive data isn’t that hackers get in, it’s that data gets out, and data-centric security has the potential to eliminate the problems that data getting out can cause.
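As an added example of what "key management done correctly" has to mean for that to hold (illustrative code, not a Voltage product or API): each record gets its own data key, the data key is wrapped by a key server that releases it only to authorized principals, and the protected record can then sit on a lost laptop without giving anything away. The HMAC-SHA256 counter-mode cipher with encrypt-then-MAC is a standard-library stand-in so the example runs without third-party packages; in practice use AES-GCM or another vetted AEAD. The principals, key name and record are constructed.

```python
import hashlib
import hmac
import os


def _subkeys(key: bytes):
    """Split one 256-bit key into separate encryption and MAC keys."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: an assumed stdlib stand-in for AES-CTR."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class KeyServer:
    """Holds key-encryption keys and the policy for who may unwrap under each.

    The data itself never goes through the key server; only the wrapped data key does,
    so the server sees a few dozen bytes per request and the ciphertext can live anywhere.
    """

    def __init__(self):
        self._keks = {}    # key_id -> KEK bytes
        self._policy = {}  # key_id -> set of authorized principals

    def create_key(self, key_id: str, authorized) -> None:
        self._keks[key_id] = os.urandom(32)
        self._policy[key_id] = set(authorized)

    def wrap(self, key_id: str, data_key: bytes) -> bytes:
        return seal(self._keks[key_id], data_key)

    def unwrap(self, key_id: str, wrapped: bytes, principal: str) -> bytes:
        if principal not in self._policy.get(key_id, set()):
            raise PermissionError(f"{principal} is not authorized for key {key_id}")
        return open_sealed(self._keks[key_id], wrapped)


def protect_record(ks: KeyServer, key_id: str, record: bytes) -> dict:
    """Envelope-encrypt one record: a fresh data key per record, wrapped by the key server."""
    data_key = os.urandom(32)
    return {"key_id": key_id, "wrapped_key": ks.wrap(key_id, data_key),
            "ciphertext": seal(data_key, record)}


def open_record(ks: KeyServer, protected: dict, principal: str) -> bytes:
    data_key = ks.unwrap(protected["key_id"], protected["wrapped_key"], principal)
    return open_sealed(data_key, protected["ciphertext"])


def attempt_open(ks: KeyServer, protected: dict, principal: str) -> str:
    """Outcome of an access attempt: 'ok', 'denied' (policy) or 'unreadable' (no valid key)."""
    try:
        open_record(ks, protected, principal)
        return "ok"
    except PermissionError:
        return "denied"
    except ValueError:
        return "unreadable"


def attempt_open_offline(protected: dict) -> str:
    """What a thief holding only the blob (lost laptop, no key server) can do: guess."""
    try:
        open_sealed(os.urandom(32), protected["ciphertext"])
        return "ok"
    except ValueError:
        return "unreadable"


if __name__ == "__main__":
    ks = KeyServer()
    ks.create_key("payroll-2011", {"alice@example.com"})   # constructed policy
    protected = protect_record(ks, "payroll-2011", b"employee=4711;salary=123456")
    print(attempt_open(ks, protected, "alice@example.com"))    # ok
    print(attempt_open(ks, protected, "mallory@example.com"))  # denied
    print(attempt_open_offline(protected))                     # unreadable
```

The perimeter in this model is the key server's policy check, not the network the blob happens to be on. That is also where the hard problems move to: who administers the policy, how principals are authenticated, and how the key server itself is protected, which is exactly the key-management assumption the post asks you to grant.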

Monday, 14 July 2008

Switching Mobile Devices


Last June, along with many BlackBerry addicts I rushed out and bought the brand new BlackBerry Curve. This was a beautiful smartphone - memory slot, video and music playback, push email and a nice camera with flash and GPS - plus it did email too. About 28 days later I went out and bought the new Apple iPhone and with one swipe of my credit card turned my back on the BlackBerry - handing it casually to a friend who needed a new phone.

Well, today I got a call from my friend, informing me that having switched from a corporate BES plan to a personal BIS plan, his phone was now receiving personal emails from my (supposedly defunct) BIS account which I had set up to forward to my BlackBerry - and had forgotten to switch off when I switched devices.

Just goes to show that you can never be too careful with your personal data - much as I would like to blame my cellular carrier, it really was my fault for not being aware of how BIS was spraying my personal emails into the ether. So if you are moving devices or carriers or even ISPs be careful and make sure you are not leaving behind a trail of personal emails for innocent passersby to stumble upon.

- Wasim
