Monday, December 06, 2010
#
The Encarta World Dictionary says that Contrition is “the deep and genuine feelings of guilt and remorse”. Having been involved in information security for 20 years, now, I think I can sincerely say that many security practitioners would say this is how they feel about the early days of their careers.
Why, you ask? Well, in my case, I started my career doing work for large financial institutions and governments. Back then these sorts of customers often had a “security at any price” mantra. While one would need to assess the risk of a system to secure it, these sorts of customers would also plan to mitigate as many of the identified risks as possible.
For these customers this was not necessarily a bad approach, but that had more to do with what was at risk than it did with the approach being a sound one.
Today the world is a different place; security is something that even the smallest businesses need to consider. This change did not occur overnight. It was gradual and I guess this is where the contrition comes in.
You see many applied the same approaches that worked with those financial and government customers with Fortune 500 and later Fortune 1000 companies. While in some cases this was appropriate, in most cases it was not.
The modern security practitioner needs to take a more holistic look at the business and platform they are servicing to understand its schedule and technological needs along with what the immediate business risks are.
Beyond that, the breadth of the role has changed and expanded. Security practitioners are now commonly responsible for Compliance, Reliability and Privacy, as well.
This puts the security practitioner in an interesting position; with this more complete view they can now help improve:
- time to market, by recommending solutions that are risk-appropriate for the business;
- engineering efficiencies, by identifying areas where work is being done inefficiently;
- systems and processes, by identifying gaps and potential failure points that can negatively impact the business;
- how teams allocate their scarce resources, by identifying opportunities where they’ll do the most good, based on risk vs. return.
This represents a significant shift from a decade or two ago, and requires the security practitioner to no longer simply be an outside expert but become part of the development team they support.
This is one of the reasons the Security Champion model is used in many teams here at Microsoft. While it has its challenges, as a member of the feature team a champion has the opportunity to have and share these more holistic insights as I called out above.
A good example of this is the application of cryptography to solve business problems. Cryptography is a powerful tool, but it’s often misapplied, introducing fragility and operational overhead that can be avoided; I think this is best summed up by this quotation:
If you think cryptography will solve your problem, then you don't understand cryptography… and you don't understand your problem. -- Bruce Schneier
So, my ask of you as an engineering manager is to have a formal Security Assurance program for your team and as a software engineer incorporate your security specialists early and often. They either have direct experience in the areas I discussed here, or are in the position to bring those resources to your aid … to not only help you secure your offerings, but to do so in record time, as well.
Wednesday, April 21, 2010
#
One of the things I love about working at Microsoft, and working in Windows, is your ability to influence so many areas.
This article at PC World discusses a number of areas (as you can imagine it's just a partial list) that I was able to directly influence or work on during the Windows 7 release, the mentioned ones include:
- DNSSec
- Extended Protection for Authentication,
- Bitlocker To-Go
- Better Cryptography
- Direct Access
Pretty cool if you ask me!
Ryan
Friday, April 09, 2010
#
In the PC ecosystem, when a new device (say mass storage) technology is introduced, commonly there is little standardization, vendors produce proprietary software stacks for interacting with that device, they have custom hardware interfaces for interacting with the device, custom software for managing those devices, etc.
As a device picks up in popularity common platform programing interfaces typically emerge, sometimes these are commercial in nature, other times they are standards based; in either case the goals of these interfaces are simple: abstract out the variety in the hardware ecosystem for the application developer allowing them to write software that can run on any machine regardless of which vendor manufactured a given device. These abstractions also commonly allow the sharing of devices so that multiple applications can use them at the same time.
The next phase in a devices maturity is normally the definition of a class interface for interacting with hardware, it’s this last phase that allows the “no driver needed” story that users like so much; we all reap the rewards of this with flash drives today, plug in the device and it just works (the same is true for display technologies like VGA).
These class drivers commonly cater to the lowest common denominator when it comes to functionality, but vendors are always able to add additional capabilities that are exposed when their drivers and custom software are present (again think about display technologies here as a good example).
There is one device in particular that has not entirely followed this flow that I wanted to talk about and that is Smart Cards; as a concept was they emerged in the 1970s, the first cards went into production in the late 70s. Here we are 40 years later and there is no clear “class driver” for these devices, that is not to say there have not been attempts, some even with success, but those that have had success have been closed system solutions, for example the PIV interfaces used within the US Federal Government.
In the commercial space however, no class specification that has been attempted really was viable, there are lots of reasons for this but I am cautiously optimistic that there is now a candidate.
One of the projects I was working on over the last few years was the specification of the Generic Identity Device Specification, this attempts to build on the success of the government based card specifications and extend it to commercial applications as well.
I had opportunities to work with some great folks on this effort, we all had the same goal make smart cards as reliable, cost effective and accessible as possible; I believe this work does just that.
This specification has now been released by Microsoft under the Microsoft Community Promise, that means it is available royalty free for anyone to adopt; this is a big win for our partners and above all the customers who will benefit the most from it.
So what does this mean for you? Well if you’re a customer looking to deploy smart cards you should seriously look for vendors who produce cards that are compliant with this specification, it means lower cost of deployment, makes it easier for you to multi-source cards and in the end it will likely reduce the overall cost of cards as volumes go up based on function of scale.
For a card manufacturer there are a number of benefits as well, it is possible to develop a GIDS card that is compatible with the PIV card-edge, this means you can develop a single card stock get it evaluated for FIPS (or whatever other standard) that can be sold into commercial or government applications (reducing cost) and these cards will have a great experience in Windows.
If you are a platform or operating system developer you now have a specification you can use as a baseline for testing card scenarios, a way to (hopefully) support a large number of “real” cards that will exist on the market (soon I hope), if this happens we can experience driver coverage numbers similar to other device classes.
For those of you not in this segment, this last point is super important, there is so much fragmentation in the market no solution has over a couple percent of card coverage in-box, if this specification gets adopted that number can start to look more like other device classes where the number is in the 90 percentile range.
In any event, I am pleased to see this out there, here’s hoping it gets adopted broadly…
Thursday, March 11, 2010
#
In the past I wrote a blog post on how one can protect themselves from How to protect yourself from (financially related) identity theft, one of the ways I talk about protecting yourself is via identity theft insurance. I still think this is a good strategy but ran across an article today titled “LifeLock fined $12 million over lack of life-locking ability“.
As I said in my last post the devil is in the details, as with all insurance policies you need to understand what promises are actually being made and who is it that will stand behind those promises…
Wednesday, March 03, 2010
#
This week is RSA, the largest security conference in the world; this is the 1st year in a very long time I won’t be there but, this year Scott Charney included a focus on the Isolation of Infected Machines in his keynote.
The timing of this is excellent (for me) because a specification I worked on in the IETF around standardizing an evolution of one of the core protocols used in the Network Access Protection (NAP), the Microsoft uses in its product (and its own Networks) to isolate infected hosts on the network will be published tomorrow, in the meantime the final draft is here.
Friday, June 19, 2009
#
Like all good geeks as soon as a software update for one of my toys comes out I apply it, so when the 3.0 update for the iPhone came out I was right there.
I had hoped that it would resolve some issues I had been having with my phone, it did not, but Apple did replace the phone for me when I took it to them.
The problem is that when I had upgraded the phone (even before the hardware switch) my backup did not restore the applications I had on my phone, for the most part that was fine because they were still available; the thing is NetShare (a socks proxy to enable tethering with the phone) was not.
With that in mind I was left looking for an alternative, it’s not that I used it frequently but there have been times where that’s been supper useful.
Being a gadget hound I follow Engadget, they recently had a post about how to enable the native tethering support of iPhone 3.0; I followed the steps and viola, tethering showed up in the UI.
I paired the device with my Windows 7 machine and I saw a new device, but no driver was found; its HW ID was:
BTHENUM\{00000000-deca-fade-deca-deafdecacafe}_VID&000205ac_PID&1292.
Notice the strange service ID in the HW ID, (looks like someone needs to get a copy of GENGUID), in any event with some research on the web and some help from some folks I work with I discovered this is ID maps to something called “Wireless iAP” which is supposedly an Apple proprietary Bluetooth profile for a Wireless Internet Access Point.
The problem is that that there is no profile for this in Windows 7 and I have not been able to find a third-party profile I can load; I may get there, and if I do I will update this post but for now it looks like I may be out of luck.
I wonder why they did not use the standard profiles for this stuff, oh well.
[Update 6/22/09 11:00AM] I am a idiot, yes; turns out I did not have Tethering "ON" when I tried this; once I did that it worked just fine... 100% user error; just tried the connetion via speedtest.net and I was getting .60 down and .20 up.
This begs the question what is this "Wireless iAP" thing, its clearly not required for this scenario.
Wednesday, January 14, 2009
#
I will use this post to catalog public resources on the Windows Biometric Framework.
If you run across any that I miss please let me know, I should reliably catch the technical content ;)
TECHNICAL
EDITORIAL
Saturday, January 10, 2009
#
For security reasons the default setting in Windows is to prevent the the direct access to removable media over Remote Desktop sessions.
In my case I almost never use my main Media Center pc directly and instead I connect in using RDP, as a result this default causes me grief.
To change the setting all one needs to do is:
- Open GPEDIT.MSC
- Navigate to: “Local Computer Policy\Computer Configuration\Administrative Templates\System\Removable Storage Access”
- Find the “All Removable Storage: Allow direct access in remote sessions” option and enable it.
Now you can right click and eject the DVDs in Remote Desktop sessions.
Tuesday, December 30, 2008
#
Those watching the advances in crypto-analytics over the last couple years (since 2004 If I recall correctly) have had interesting ride, well as interesting as crypto-analytics is.
A group of researchers just published the 1st "practical" MD5 attack, they created a rouge CA certificate that matches that a trusted CA, read this for more information.
Some highlights of the attack include:
- Attacker was able to take advantage of CAs that uses predictable serial numbers that issues certificates within a predictable amount of time
- Attacker has full control of the first 500 bytes of the colliding certificate, which means they can generate a subordinate CA certificate with a serial number unknown to the commercial CA
- The attack generates RSA keys that can be used to produce valid signatures
- The amount of time needed to generate a RSA key pair that will produce a collision is around 3 days (using a cluster of 200 PlayStation 3 machines running Linux)
- Certificate revocation cannot be used as a mitigation, unless the key being attacked is associated subordinate and the issuer is willing to revoke that certificate (affecting all children, even the legitimate ones).
- This is not a 2nd order pre-image attack and does not affect previously issued certificates
This means that they can trivially mint certificates (or any other signed object) of their choosing's that will be accepted as trusted by any entity (most commonly browsers and certificates) that trusts this key.
It sounds as if they are being responsible researchers by withholding the details of their attack until the affected Certification Authorities have had some time to re-issue those certificates.
In the end though, this is really the death-knoll of MD5, its now officially no better than a CRC.
As an application and protocol developer I have always strived to make my designs crypto-agile and agnostic to accommodate for varying customer needs, later in life when I started to appreciate the life-cycle of a cryptographic algorithm I also started to attribute those design decisions to algorithm sunseting as well; the hard part though is not design, its the operational and legal implications of such a transition.
As I said, those watching things advance over the last few years should have been preparing for this, and hopefully have action plans in place or already executed mitigating the implication of the result of the attack in question; the longer term implications though require us to move away from MD5 and the algorithms that have similar properties to it (even SHA-1 even though currently its still generally considered safe)
This is why NIST has spun up the Hash Workshop, one of my co-workers, Niels Ferguson [warning PDF link] has a horse in the race with some of his fellow cryptographers, only time will tell how this will turn out.
Tuesday, December 23, 2008
#
We just recently published a new White Paper that provides a great Introduction to the Windows Biometric Framework.