bill's blog

Just another WordPress weblog

Browsing Posts tagged PGP

Data Encryption is an often-overlooked aspect of computer usage. For many years encryption was looked at as a technology to protect your data as it transverses the Internet. But what about the data that is at rest on your computer? We’ve all read about the VA’s data loss 26.5 million individuals were exposed. An analyst had taken home the database of veterans’ names, dates of birth, Social Security numbers, and some health records to work on a project, according to the VA (Gross, 2006). One key aspect to protecting data is employee education. Employees need to respect the data they are dealing with. Complacency is a big issue. Like anything else, the more you use something the more comfortable you become with using it. Picking up a chainsaw for the first time and using it you know the potential hazards of its misuse and treat it with kid gloves… the more you use a chainsaw the more comfortable you are. The device is no less hazardous but the precautions you took, as a novice seems to make way for more nonchalant use.

So what to do about this? Well There are varying schools of though on this. One way is to encrypt the entire hard drive. When the user first turns on their computer they need to enter a password to unlock the drive and begin the boot process. The nice thing about this is the end-user only needs to worry about unlocking the computer with a password and then everything stored on the computer is encrypted. The bad thing is it the password to unlock the drive is lost… So is everything on the computer. The latest release to the PGP® Encryption Platform, PGP Whole Disk Encryption 9.9 adds pre-boot authentication to the proven PGP Corporation data encryption technology for Intel-based Mac OS X systems “Tiger” and “Leopard,” providing protection for data on desktops, laptops, and removable media (pgp.com, 2008).

The other school of thought is to only encrypt the user space. There are various ways to accomplish this and Apple provides a number of solutions right out of the box. The Ponemon Institute is an advocacy group that deals with the information and privacy issues. According to their findings in 2007, the cost of a data breach was approximately $197 per record, an increase of more than 40 percent since 2005 (Bocek, 2008). Now that may not seem like much but if you figure that number into the amount of records exposed in the VA breach, that’s 5.2 trillion dollars. Ouch! SO how has Apple made it easy to protect data that resides on your computer? Apple has two technologies that can be used to both store and securely erase data on your hard drive. They are:

1. FileVault
2. Encrypted Disc Images

FileVault

The main premise behind File Vault is that each users’ home directory is stored on an encrypted disk image. The disc image is created using the users password. The image is only unlocked when the user logs in. This eliminates the possibility of accident data loss due to bad file permission of the users’ part in environments where users share machines. One feature that is different from traditional whole disk encryption schemes is that in addition to the users’ password being used to encrypt the image, you can set up a master password for all FileVault images stored on your machine. Some may see this as a security whole BUT in enterprise based Environments this is a godsend! How many times during a typical week are you called for a password reset?

de_figure1
Figure 1 Security Preference Pane

Turning on FileVault is extremely simple. In System Preferences, select the Security Pane; you are now presented with everything you need to get the process stated. Clicking on the “Set Master Password…” button with present out a dialogue sheet to set the master password for the machine. Fill is the password and then verify, as this dialogue will display “•” when entering character into the password fields. One may be tempted to add a password hint. This is generally NOT a good idea!

de_figure2
Figure 2

Additionally, Apple provides a password strength tool. By Clicking on the key next to the “Master Password:” field (see figure 3) the tool will be presented.

de_figure3
Figure 3. Password Assistant Tool

Note: The password is presented in clear text. The better the password the further to the right the green bar extends.
Once this is completed your all set up with encrypted home directories. When setting up FileVault accounts for the first time, some time is required to do the actual encryption. Depending on how large your existing home directories are will determine how much coffee you’ll need to drink.

Encrypted Disc Images

Encrypted disc images are very similar to FileVault directories with two major differences. One they are portable. You can copy the image from machine to machine. The contents of the images are encrypted, so if you happen to put the image onto a flash drive and loss it your data is protected. Two… There are no master passwords to help you out should you forget your password. So you can forget the magic bullet to help you out. Your data is lost!

To create an encrypted disc image open Disk Utility. It can be found in /Applications/Utilities. Select “New Image” from the toolbar across the top of the main window. This will present you with a dialogue box where you can indicate where you want the image saved, how big you want it, what type of file system to lay down and most importantly in terms of this discussion, how strong you want the security to be. If you’re in an environment that makes of PKI using PGP, you can leverage the power of PGP’s whole disc encryption to encode the entire flash drive. Then when you insert the flash drive into your machine PGP will automatically open the image and display it on your desktop. You can accomplish the same thing by adding the password of the encrypted image into you Keychain. This will yield the same results but it’s more tedious in so far as you need to load the password onto all the machines that the flash drive will be used on. This is very labor intensive if your dealing with 500 flash drives and 500 computers.

de_figure4
Figure 4

For all of those in the government sector, selecting 256-bit encryption will yield a FIPS -140-2 compliant disc image (see figure 4).
Encrypting data at rest is simple… And not as expensive as the loss of data can be. Recently, the case of the 2006 Department of Veterans Affairs data loss resulting from the theft of an unencrypted laptop containing the names, birth dates and Social Security numbers of approximately 26.5 million veterans was settled.
“The settlement with the Department’s members and families over their alleged invasion of privacy should be a severe warning to any organization that isn’t using encryption on its laptops and other portable devices capable of data storage,” said Michael Callahan, vice president at encryption specialist Credant (Thomson, 2009).

The cost… $20 million… certainly less than the cost of encryption.

Resources:

Bocek, K. &Ma, T., (2008), Data Encryption for Dummies, Indianapolis, IN: Wiley Publishing

Gross, G., (2006, May 5), VA data loss could prompt federal privacy law, Retrieved on Feb 3, 2009 from http://www.networkworld.com/news/2006/060506-va-data-loss-could-prompt.html

Thomson, I., (2009, Jan 28), US veterans win $20m payout over lost laptop, Retrieved on Feb 3, 2009 from http://www.vnunet.com/vnunet/news/2235300/va-fined-million-breach

Unknown, (2008, June), PGP Corporation Delivers Pre-Boot Authentication to PGP Whole Disk Encryption for Mac OS X Users Retrieved on Feb 3, 2009 from http://www.pgp.com/newsroom/mediareleases/wde_for_mac_osx.html

As I mentioned in the last installment, the real problem with PKI is the distribution of keys. This week we’ll explore some of the ways keys are managed. There are several methods to distributing keys. They breakdown into four categories:

  1. Public announcement
  2. Publicly available directories
  3. Public-key authorities
  4. Public-key certificates

So let’s take a closer look at the four.

Public announcement

This method requires the user to manage and distribute their own keys. It works well in so far as if I want to communicate securely with an individual all I have to do is ask for their key.  To a certain extent this creates a problem… Are you really ‘communicating’ with the individual you intend? Anyone can create a public key and publish it as someone else. There is no verification that the individual’s key is truly that on the individual. Sure this is a possibility BUT if an individual presents you with their key and you use it to encrypt your data and send it back to the same email address you got it from you can be reasonable sure that you are communicating securely with the individual that sent you the key. It may or may NOT be the individual whose name is attached to the key. I know from past experiences, that the more people consistently ‘publish’ their key (whether it is appended to emails or USENET postings), the more you can trust that the key is for the intended individual. Why? Check your emails and their postings… Is the key always the same? YES? NO? Care is always required when communicating over insecure mediums. Get to know the individuals you are dealing with. This method however doesn’t really do when dealing with an unknown individual. PGP solves this problem through its ‘Web of Trust’. This is where one individual signs the key of other known and trusted individuals. Eventually, as the web grows, individual keys will be signed and trusted by others you trust. Unfortunately, this solution doesn’t scale very well.

Publicly available directories

This solution scales a bit better. It relies on a trusted third party having control over which keys get published to these directories. Individual can publish their keys to a publically available server. Additionally it has the benefit of offering a more secure solution BUT certain requirements are necessary to achieve this!  The question still remains… How are users registered to the directory securely, as well as providing proof they are who they say they are. This would allow users who have never communicated secure before to send encrypted data. One of the problems with public keys is that they can be set to expire after a specific period of time. Additionally, key could be compromised and need to be revoked. Searching USENET posting and old emails could provide expired or revoked keys. Public Directories could eliminate this problem. They would have revocation notices. Users would be able to search for individuals a number of different ways.

Public-key authorities

In this scenario, users must have the public key to the server. In theory, this could provide a much more secure environment because all users need to be allowed access and are considered part of the ‘club’ (directory).  This is because all users in the club ARE trusted! Users can trust they are getting valid keys because they are part of the organization. This may work in corporate environments where keys can be controlled…  In practice, this is no more secured that using the ‘web of trust’. The directory is the trusted third party verses trust you have in others you know ‘personally’ to verify the validity of an unknown users key! The only real difference between this arrangement and a publicly available directory is that the transfer of keys is encrypted as well. The downside to this method is the high overhead!  At minimum seven messages are required in order to encrypt and deliver the data.

Public-key certificates

Now we are talking… This is the most attractive scenario of the lot! In this method… Users are provided keys/certificates that are issued by a trusted third party. In all the previous scenarios, the users themselves can create the keys. Here the user appeals to a certificate Authority of their keys. Very often the CA’s are installed as part of the base OS and thus certificates issues by these third party CA are trusted by default. The downside here is that users need to be a where of the methods that these Certificate Authorities use to establish trusts and to what extent the trust is implied. In actuality, anyone with access to an email account can get a certificate. As long as the ‘owner’ of the account has access to the email address trust can be established. As anyone who has ever set up a gmail account knows…. This doesn’t prove that I am indeed the name on the email address. All it does is establish that the person requesting the certificate is indeed using the email address that is trusted! Practically speaking, we normally establish trust based on the fact the we converse with someone… they give use their email address… we converse some more using said email address… thus the email address MUST belong to that individual. There are a lot of assumptions made here. More times than not this is a valid assumption BUT sometimes it’s not. Due diligence is ALWAYS required on the Internet! 

Learning from your mistakes is critical to pushing past and benefiting from these mistakes.

  1. Critical machines connected directly to the Internet.
  2. Don’t ignore the obvious – look at the bigger picture.
  3. Don’t set and forget! Security is on going.

The big take away from these three scenarios can be broken down as follows:

Never surf the Web with a privileged account.

This really is a common sense thing. Unfortunately many OS vendors make the first account that is set up on the box an administrative user (privileged account). Microsoft does it, Apple does it, and even Ubuntu does it. Fortunately many of these same vendors see the problems associated with this and have disable root by default. However, many versions of Linux enable root by default. Take the time to set up a non-privileged account and use it. NEVER surf the web as root or an admin!

Make sure your machine is up-to-date (OS, App, and AV).

Make sure that you machine is patched and up to date. From an OS perspective one needs to have a change management plan in place. There’s nothing worse that patching a critical machine only to find that upon rebooting it your services won’t start. Many users get Anti-Virus as part of the machine purchase but these vendors only provide a very short period of free AV definition updates. This is where ISP could come into play. One thing that I think many Internet providers should be making mandatory is AV software… Include the cost as part of the users monthly access charge. In addition, users should regularly check for rootkits. In many was a machine compromised by a rootkit is much worse off than one infected with a virus. Even if it does wipe your hard drive clean… You do have backups? Make sure that you’re really running that application you intend to. Kernel rootkits could hide the running of compromised applications as well as hiding whole parts of the file system making it impossible to truly know what applications are running on your machine.

Know where your data resides.

Perhaps a better way of looking at is it… Know what data is on your machine. More and more these days we hear of private data being lost. It seems as if it’s on daily basis. Protect your hard drives! PGP offers whole drive encryption. Yes is does mean setting up a PKI but one substantial loss could cost more in lawsuits than the time, effort and money needed to set this up. Let’s look at the latest in military data loss… January 3rd, 2008, An Air Force band member at Bolling Air Force Base reported a laptop, containing personal data on 10,501 Air Force members missing from his home (trustedid.com, 2008). Now that tops all, a musician with sensitive information. He’s someone who may have secretly clearance… but really what does a musician need with social security numbers.

Check you logs or run a syslog server.

UNIX logs have a vast amount of data and depending on the verboseness that is set it can be overwhelming. Setting up a syslog server and then filtering the data is important. Splunk is a great tool for this but be forewarned… there is a pretty steep learning curve. Make sure that the syslog server continues to run. Can tell you how often the emails just stop and you’re lulled into a sense of false security because you’re not getting emails. Email notification needs to be tuned. You don’t want emails for every little thing, as it won’t take long before you start ignoring those emails. And before you know it the truly important ones have slipped passed you.

Insecure service running in an insecure place.

Double-check you configurations make sure that the services you are running on your box are truly needed to what the server is intended to do. There’s no reason to run NFS on a publicly available machine. If you have to have shares set up do it in a secure fashion. Tunnel your file transfers over ssh or use scp. Make sure you look over your config files before placing your machine on the Internet. We all have fat fingers from time to time. It’s best to find out BEFORE you run into trouble.

Conclusion

One thing to always keep in mind is…Trust your instincts. You know your machine better than anyone else. You know how they react day to day. You know the ‘quirks’ of the machine (It slows down every day just before lunch). Have an emergency response plan written out and available. Who do you call and when? How much time are you allotted to fix a mission critical machine before calling for help? Along with the previous statement goes an understanding from management that blame will be assessed The Internet is truly the Wild West. It’s been said that the Internet mimics the real world BUT it actuality it can be far more dangerous. The anonymity that the Internet provides is vast and tracking down perpetrators can be exceedingly difficult not to mention when found dealing different jurisdictions there are in the world can make it extremely hard to prosecute

Resources:

Unknown, (January 23rd, 2008), TrustedID Identity Theft Data Breach Alerts » stolen laptop, Retrieved on March 8th 2008 from http://breachalerts.trustedid.com/?cat=118