News about fingerprint
Gartner lists a number of advantages to deploying biometric security, noting that:
- biometric information cannot be lost, stolen or forgotten
- organizations can verify users' identities with a high degree of confidence
- used in conjunction with smart cards, biometrics can provide strong security for [public key infrastructure] credentials held on the card
- users aren't required to present a card or to remember passwords or personal identification numbers
- biometric systems eliminate the overheads associated with password management
- organizations can implement recognition systems, not just simple authentication systems
USB storage devices can be good for security
Some companies put glue in the USB ports of their computers to prevent staff
from stealing their secrets. Here, Memory Experts International's Chief
Technology Officer argues for using USB storage devices to actually improve
security.
The development and adoption of removable USB mass storage is truly remarkable.
Never before has it been so easy to move gigabytes of information around on a
portable device that is small enough to clip onto a key chain.
These devices have large capacities and they can copy data at lightning speed.
It’s hard to buy a USB flash drive these days with less than 128MB of storage
and some devices can achieve data rates greater than 20MB per second. The
technology is so convenient and powerful that we wonder how we could have lived
without it. It’s unthinkable to use floppy disks for the amount of data that we
need to carry around today. While the capacity of a CD-RW might be sufficient,
the procedure of inserting and 'burning' simply can’t compete with the ease of
plugging a flash drive into the USB port.
On the other hand, most security officers wish that this technology didn’t exist
at all.
First of all, it is a medium that can carry computer viruses and software that
shouldn’t be used in the corporate environment. Probably more disturbing is that
the sheer volume of proprietary information that could leave the corporate
environment undetected through these devices is an enormous exposure for
corporations.
Corporate executives are losing sleep not knowing how much intellectual
property is lost or stolen through this wide open channel. “In interviewing
Fortune 500 company CIOs and CSOs we found that they have no visibility into the
quantity of information that leaves the organisation through portable devices
such as laptops and USB memory sticks”, according to Sean Wray, VP of Security
Solutions at MobileSecure.
To deal with this issue, some organisations have disabled USB ports through
the BIOS, while others have gone to the more extreme measure of filling the USB
connectors with a thick epoxy adhesive. While this solves the problem, it also
prevents any beneficial uses of USB mass storage from being realised. But what
other functions are there for USB mass storage devices? Besides moving large
amounts of data around at lightning speed, what else could we be missing by
banning their use? Surprisingly, there are very compelling advances to be gained
in the security industry by properly harnessing the power and protocol of USB
mass storage.
As any technology evolves we always see more features and functionality being
added to newer models of devices. Sometimes these features are born out of
convenience, while other times they stem from necessity. Cameras on cell phones,
for example, are not necessary but they really are handy. On the other hand, a
SIM (subscriber information module) is a necessary feature to enable the
interchangeability of phones without losing the subscriber identity.
USB mass storage devices are evolving and we are starting to see many new
features and behaviors that were never conceived when the USB mass storage
specification was written.
For example, many devices today offer encrypted storage so that if you lose
your device, the information on it remains safe. Some flash drives even have
fingerprint sensors and processors built in so that biometric authentication of
the owner is required before the storage can be accessed.
These are examples of some security-driven extensions to the basic
functionality of mass storage. The on-board capabilities of strong cryptography
and authentication that we see on some of the more advanced devices are the
prime ingredients for a new direction in the evolution of USB mass storage. That
direction is portable identity management and secure storage.
Digital identities take many forms. They can be simple credentials such as
usernames and passwords, or more complex forms such as PKI-based X.509
certificates or claims-based assertions in SAML tokens. To be really useful in
today’s identity infrastructures an identity device must be more than a secure
store of static credentials. It must also be able to generate cryptographic
keys, perform digital signature operations, parse request messages and emit
security tokens in standard formats. Furthermore, it must bind identity
operations to an authenticated user and be able to enforce security policies
that have been defined by security officers.
One doesn’t normally associate these operations with USB storage. In fact,
digital identity functions are very different from mass storage; but that
doesn’t mean that they cannot exist on the same device, just as digital cameras
now exist on cell phones. Despite the differences there are significant benefits
to putting digital identity functions on a USB mass storage device.
The obvious question that comes to mind is why this is not simply a matter of
creating a composite device. After all, digital identity devices already exist
in other form factors such as smart cards and, yes, USB key fobs. These could be
integrated into the same physical package with relative ease to produce a
combined mass storage/digital identity device. The answer is that the benefits
we gain go beyond the convenience of having a multi-functional device and are
attributable to using the USB mass storage protocol itself.
The USB mass storage interface itself has a number of desirable properties.
First, it is ubiquitous. Practically every PC and operating system in use today
supports it natively and there are no device drivers or software to install in
order to use a USB flash drive. This is what makes them so portable and
interchangeable. It doesn’t matter which vendor or brand of USB memory stick you
have, as long as the device implements the specification it will work.
Portability has been the Achilles’ heel of smart cards and USB tokens.
Wouldn’t it be nice to be able to carry a smart card around without lugging a
reader, device drivers and proprietary middleware? Without all of that the smart
card just won’t work. In fact the situation is worse than that. Even when you
have deployed a smart card solution with all of the required components and
middleware, you’ll probably find that the solution won’t work with another brand
of smart card without swapping in new middleware components. The US Government
has addressed these interoperability challenges by developing GSC-IS (Government
Smart Card Interoperability Specification) so that they can deploy smart cards
to federal employees without being tied to one smart card or middleware
provider. Despite these and other enormous efforts on standards and
interoperability, smart cards have suffered from the lack of widespread adoption
of a common specification.
Another advantage of the USB mass storage interface is the bandwidth. The USB
2.0 standard specifies a data rate of 480 Megabits per second for a high speed
device. This opens up a whole new set of possibilities for security operations
as much more data can be sent and retrieved than what was previously possible on
devices such as smart cards. For example, instead of sending a hash of a
document to be signed, the entire document could be sent to the device for
processing.
The widespread native support and high bandwidth of the USB mass storage
interface enables a digital identity device to be truly portable and accept high
level application messages through a protocol that is as simple as reading and
writing to a file.
Work in developing open specifications to exploit this new direction has
already begun. In partnership with key device manufacturers, Microsoft is
currently developing a specification called PSTS (Portable Security Token
Service), which will enable file system based communication to USB devices that
can be used as portable credential carriers and generators of SAML tokens in
response to WS-Trust requests. This is part of a digital identity metasystem
that will enhance privacy and security of digital identity transactions on the
web. WS-Trust, along with other WS-* specifications, has already been submitted
to OASIS for standardisation. With the adoption of InfoCard in new Microsoft
operating systems and popular browsers, it will be possible for you to roam to
any machine, say at an Internet café, and perform a digital identity transaction
using your USB digital identity device.
There are still challenges to be addressed to make this direction a reality.
Device manufacturers need to design for portability. The installation of drivers
and middleware to assist in some of the digital identity computation is not an
option. The device itself must be able to process high level messages, perform
cryptographic operations and handle user authentication internally; otherwise
portability will be lost. The development and adoption of standards must
continue relentlessly; otherwise we will fail to achieve interoperability.
Finally, the industry must be assured that these new devices are secure. The
same types of security validations that are being applied to smart cards and
other security modules will be needed.
Now that we have seen the new digital identity direction of USB mass storage
devices and what it could mean for portability and interoperability,
organisations should rethink their decisions to disable USB mass storage. There
are good solutions appearing on the market that can control the use of USB mass
storage without disabling them completely. For example, many offerings allow you
to prevent any unwanted devices from being used except those that are issued or
approved by the corporation, and you can even monitor the files that move on and
off a device.
Digital identities play a key role in many security applications from single
sign-on, to PKI, to the emerging systems of federated identity. By keeping USB
mass storage enabled, corporations can leverage the new breed of USB mass
storage-based digital identity devices to enhance and simplify their deployments
of digital identity security solutions.
Larry Hamid is the Chief Technology Officer, Secure Products
Division at Memory Experts International. The company is exhibiting at
Infosecurity Europe 2006, held 25–27 April 2006 in the Grand Hall,
Olympia, London.
Don't use regular words as computer passwords
Can your computer network or online banking password be found in the dictionary?
If someone knew your mother's maiden name, pet's name or your Social Security
number, or even a common term from your industry, would your work or personal
computer be compromised?
Most computer users create simple passwords and stick with them. If the news Web
site or banking login site requires six characters, they'll use their name,
maybe with a string of numerals at the end. They'll then write the "code" down
on a piece of paper taped to the wall or stashed in their wallet.
That's just what hackers or password thieves hope they'll do, said Frank Peluso,
president of Centuric LLC, a Fort Lauderdale IT consulting firm.
"Half the programmers know how to substitute just enough characters to break
through. To them, that's pretty standard stuff," Peluso said.
Security experts advise that passwords should not be "words" at all, but a code
created with a process that only the user knows. Passwords should be at least
eight characters, and include a combination of letters, numbers and punctuation.
As a rule, passwords or codes should not include such elements as a user's
computer login name; first or last name; spouse's or children's names; or
numbers derived from a Social Security card, date of birth, vehicle license
plate or street number. Hackers can find much of this information online.
Peluso's strategy for creating the perfect password begins with a short phrase
of two or more words, like "madcowdisease," "blueangels" or "gonefishing." It
should be something memorable, but not as obvious as a term from your industry
or your favorite pastime. Then create a pattern of substituting characters for
letters, like "!" for "i" or "3" for "e" or "$" for "s." Peluso noted these may
be commonly used, so create your own pattern.
Change the root word every 30 to 45 days. This will help stymie "shoulder
surfers" who watch as you enter your password, or keystroke logging spyware
designed to capture passwords, he said.
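The rules above (length, character mix, no personal details, and a base word that is not just a dictionary phrase dressed up with the "standard" substitutions) can be checked mechanically. This is an added example, not code from the article or from Centuric; the word list is a small constructed stand-in for a real dictionary, and the substitution table extends the three swaps the article mentions with other common ones as an assumption.

```python
import re
import string

# Constructed stand-in for a dictionary file (assumption: a real deployment
# would load a full word list instead).
COMMON_WORDS = {
    "password", "welcome", "mad", "cow", "disease", "blue", "angels",
    "gone", "fishing", "summer", "monkey", "dragon",
}

# Character substitutions the article calls "pretty standard stuff"; the
# checker undoes them before looking for dictionary words. The three from
# the article plus a few assumed common ones.
LEET_MAP = str.maketrans({"!": "i", "1": "l", "3": "e", "$": "s",
                          "@": "a", "0": "o", "4": "a", "5": "s", "7": "t"})


def de_leet(pw: str) -> str:
    """Lowercase the password and map common substitutions back to letters."""
    return pw.lower().translate(LEET_MAP)


def splits_into_words(s: str, words=COMMON_WORDS) -> bool:
    """True if the letters of s form a concatenation of known words
    (e.g. "madcowdisease" -> mad + cow + disease)."""
    s = re.sub(r"[^a-z]", "", s)
    if not s:
        return False
    ok = [True] + [False] * len(s)   # ok[i]: s[:i] splits into known words
    for i in range(1, len(s) + 1):
        ok[i] = any(ok[j] and s[j:i] in words for j in range(i))
    return ok[len(s)]


def check_password(pw: str, personal: list[str]) -> list[str]:
    """Return the rules from the article that pw violates; empty means it passes.
    `personal` holds the user's own details (login name, names, numbers)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    base = de_leet(pw)
    for item in personal:
        if item and item.lower() in base:
            problems.append(f"contains personal information: {item}")
    if splits_into_words(base):
        problems.append("is a dictionary word or phrase (even after undoing substitutions)")
    return problems
```

Run against "m@dc0wd!$3a$3" the checker flags it as a dictionary phrase even though it has digits and punctuation, which is exactly the weakness Peluso describes.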
For users who prefer to write or save passwords, PINs and account codes,
password managers like CodeWallet and KeePass Password Safe store codes in one
location. Look for solutions that are easy to use, provide data encryption,
include search functions and even rate the strength of the password itself, said
Darren Miller, owner of Paralogic LLC, a Plantation corporate computer security
consulting firm.
Alternatively, use a multifactor device that requires several levels of
authentication to gain access to sites. For example, passwords can be stored on
USB flash drives with built-in biometric fingerprint scanners. After plugging
the drive into the computer and dragging the thumb across the reader, stored
data authenticates the user and provides access to Web sites or passwords,
Peluso said. Look for a device that also encrypts the biometric signature, he
added.
Jeff Zbar is a freelance writer. Reach him at jeff@jeffzbar.com.
Laptop Security, Part 2
Tips on protecting your data, should fate--or a criminal--separate you and your notebook.
By James A. Martin
My guess is that your notebook is worth
several thousand dollars. I'd also guess that the data stored on it is worth
much, much more--and that you'd be entering a world of woe if your notebook were
stolen or lost.
Last week I offered tips on how to
protect and physically secure your notebook when you're out of the office. This
week, I've got tips on protecting your data, should fate--or a
criminal--separate you and your notebook.
1. Password-Protect Windows
Windows XP gives you the option of
requiring a user password to log on. Though certainly far from bulletproof, a
relatively complex password provides more protection than none at all.
A complex password includes upper- and
lowercase letters, numbers, and one or more special characters. For example,
suppose your name is Pat. You wouldn't use "Pat" as your password, would you?
(You would? My, aren't we feeling lucky?) A better password would be something
not easily identified with you.
The more complex your password, the more
difficult it is to crack--and, potentially, for you to remember. Don't make your
password so complex you can't remember it. Or, if you must store your passwords,
keep them somewhere safe. Some software programs for PCs and PDAs give you the
ability to manage and secure passwords.
To create a password for your account in
Windows XP, go into Control Panel, then open User Accounts. Select the account
you want to protect with a password and click the "Create a password" button.
For more about passwords, read Scott Dunn's June "Windows Tips."
Some laptops now come equipped with
biometric fingerprint scanners, as an alternative or enhancement to Windows
password-protection. For more on this, see number 3, below.
2. Encrypt Your Data
Another option is to encrypt any files on
your notebook that contain sensitive data, such as customer Social Security
numbers. (Of course, as I said last week, it's best not to place any sensitive
data on a mobile system.)
In essence, encryption scrambles data into
code that only an authorized user can access. However, encrypting files, or your
entire drive, can be time-consuming, slow system performance, and increase the
likelihood you'll lose access to the data.
Windows XP Professional (but not XP Home)
includes an option that lets you encrypt files on an NTFS-formatted hard drive.
After encrypting a file, you can open it just as you would any file or folder.
However, someone who gains unauthorized access to your computer cannot open any
encrypted files or folders.
To encrypt a folder in Windows XP
Professional, right-click it in Windows Explorer, choose Properties, click
Advanced, select the "Encrypt contents to secure data" check box, and click OK
twice. In the Confirm Attribute Changes dialog box, do one of the following: To
encrypt only the folder, click "Apply changes to this folder only," and click
OK; to encrypt the folder contents as well as the folder, click "Apply changes
to this folder, subfolders, and files," and click OK.
Some third-party security applications offer stronger, additional encryption
tools and features. One example is Folder Lock, a free download that's
available from us.
3. Know Your Hardware Security Options
New security tools are appearing on a
regular basis, so it's a good idea to keep up. Here are a few examples:
Seagate has developed a hard drive for laptops that automatically encrypts data
with a minimal drag on performance. Read "Seagate, Secude Show Encrypted Laptop"
for details.
Portable USB flash drives, designed to
prevent data loss, are becoming increasingly popular.
Also, some notebooks now come equipped with a biometric fingerprint scanner. In
essence, the scanner uses fingerprinting to prevent unauthorized access to your
files. The Fujitsu LifeBook P7120, for example, offers a fingerprint scanner as
an extra-cost option. For more information on biometric fingerprint readers,
read Andy's May 2006 "Privacy Watch."
Bottom Line
Before taking your notebook out of the
office, always back up your most important files. Think twice about leaving your
notebook unattended, even for a moment. Be on guard in airports, hotel lobbies,
train stations--anywhere there are others moving about. And, of course, look
both ways before crossing the street.