Thursday 27 December 2007

Other encryption headaches

I was supposed to be telling you about issues I've faced recently with customers. I can't say too much, because of course everything I do gets turned into Product Management requests and either turned into new functionality, or we address it with partnerships, etc. either way, all very hush hush.

One other generic example which I have to give, however, is using encryption in conjunction with third-party apps and databases. Many third-party apps which use back-end databases connect to the database using just one user login. Of course, this means that anyone able to access the application potentially has access to any encrypted data. This can cause real headaches for me, and will continue to do so as compliance becomes more strict.
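The shared-login problem above, as an added example (not code from the original post): the database sees one credential for every application user, so the only place left to decide who may see plaintext is the application, before it touches the decryption key. The `CardService` class, its role table, the toy SHA-256 keystream cipher (a stand-in for a real cipher such as AES-GCM) and the card number are all constructed for the illustration.

```python
import hashlib
import os
import sqlite3


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream from SHA-256 so the example needs only the standard
    library. It stands in for a real cipher (e.g. AES-GCM); not for production."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class CardService:
    """Application layer sitting on ONE shared database login.

    The database sees the same login for every application user, so it cannot
    enforce who may read plaintext. The only place that decision can still be
    made is here, before the application uses the decryption key.
    """

    ALLOWED_ROLES = {"billing"}  # constructed policy: only billing staff see plaintext

    def __init__(self, data_key: bytes, roles: dict):
        # One connection = the single shared DB credential the post describes.
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan_enc BLOB)")
        self.data_key = data_key      # held by the application, never stored in the DB
        self.roles = roles            # application user -> role (constructed)
        self.audit = []               # (app_user, card_id, decision)

    def store(self, pan: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO cards (pan_enc) VALUES (?)", (encrypt(self.data_key, pan.encode()),)
        )
        return cur.lastrowid

    def read_raw(self, card_id: int):
        # Anything holding the shared login can pull the ciphertext; encryption at
        # rest only helps if plaintext is released per application user.
        row = self.conn.execute("SELECT pan_enc FROM cards WHERE id = ?", (card_id,)).fetchone()
        return row[0] if row else None

    def may_decrypt(self, app_user: str) -> bool:
        return self.roles.get(app_user) in self.ALLOWED_ROLES

    def read_pan(self, app_user: str, card_id: int) -> str:
        allowed = self.may_decrypt(app_user)
        self.audit.append((app_user, card_id, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{app_user} is not permitted to decrypt card {card_id}")
        return decrypt(self.data_key, self.read_raw(card_id)).decode()


if __name__ == "__main__":
    svc = CardService(b"constructed-data-key", {"alice": "billing", "bob": "support"})
    cid = svc.store("4111111111111111")  # constructed test card number
    print(svc.read_pan("alice", cid))
    try:
        svc.read_pan("bob", cid)
    except PermissionError as e:
        print("denied:", e)
    print(svc.audit)
```

The point of `read_raw` is that it succeeds for everyone: with a single login, encryption at rest protects the data from whoever steals the disk, not from whoever can reach the application. The audit list is the per-user trail the database itself can never produce.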

At present, PCI only dictates that sensitive data is encrypted, it doesn't talk about the mechanisms of the applications, which is probably where it has potential to fall down the most. A short aside here: I was speaking to a customer last week and they asked whether encrypting a database at the file level was in line with PCI. I replied that PCI was quite vague on this, and before I could go any further he replied "Oh, I find it quite the opposite." I had to bite my tongue quite hard. How irritating it is to be a bitter twisted security commentator AND have customers. I could have spent hours softening him up just to cut him down, but I just listened and realised how simple it would be to tell them I could do everything they need. The truth is, no-one can yet.

Happy New Year?

If I told you what a brutal year I've had no-one would actually want to read what I write about. Just to cap it off, my Mum's house was burgled last night. After nearly 30 years of complete safety, someone forced a back window just to run off with a few bits of jewellery worth no more than a couple of hundred quid on the black market.

I moved into that house aged 3, just as it was being finished off; we've known everyone in the drive since then. My mother is a leading light in the local community, a member of the parish church, local WI treasurer, ex-secretary of the village fete, etc. My father and sister both died in that house, which makes it a tragic place as well as a happy place for my mother, but one she would never choose to leave for either reason.

And now she can't sleep at night because some bastard needed a fix, or couldn't be bothered to work for a living, or something equally bland and banal. Criminals are worthless, brainless scum, whether in the real world or the virtual world. What may seem like a harmless act for one can ruin someone else's life.

To the criminals, I vow to track you all down and destroy you, one by one, like Dirty Harry. Make my day. To the security guys, I will be supporting you, now and always.

Just for once, I'd like to have a happy new year. I wish the same to all of you.

Tuesday 25 December 2007

Insecurity by obscurity

Much has been written on the pages of the SBN about application insecurities, we are honoured to have Jeremiah Grossman putting his ideas down in print, and I still have the occasional contact with Mark Curphey - founder of OWASP - even though I stood him up for lunch in his first month back in the UK - which I vow to make up for in the new year. In short, there are better men than I to talk about application holes and how to stop them occurring.

My experience is with data-security, and whilst it is undoubtedly the best way forward, I have grown used to the idea that it will never be complete on its own. Whilst I dislike using firewalls to plug holes, I admit they have their place, especially whilst data security is relatively expensive and applications are such a minefield. And whilst it would be too easy to argue about 'an ideal world', where applications had no holes, and networks had no points of insecurity, even best case reality has issues.

Consider a database, any database, any flavour on any OS from any company; you will all have your favourite. Now encrypt it with your favourite encryption method, encrypt the password files, prevent access to all parts of the filesystem that you deem sensitive. You will still need a DBA. That DBA can write triggers. That DBA can write a trigger which, with no access to data himself, rewrites sensitive data to a file whenever a legitimate user accesses it. This is a hole.

How do you start to code around that? Obviously no-one thought of it, or it wouldn't be there. No-one thought to encrypt, so why would they make it harder for the DBA to do his job after all?
Of course, now there are other tools to cover this and many other issues around databases; we partner with them to plug the holes which encryption alone cannot fix. The problem is, with applications smaller than databases (i.e. pretty much every other application ever written), the issues come to light much more slowly, or rather once an attack is found, it can be kept quiet for far longer - insecurity by obscurity.
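The DBA-trigger hole described above can at least be looked for from the schema catalogue alone, which needs no access to the data. The following is an added example, not code from the original post: a constructed SQLite schema in which a trigger on the sensitive `cards` table quietly copies rows into a second table (SQLite has no SELECT triggers and cannot write files from a trigger, so an UPDATE trigger writing to another table stands in for the post's file-writing one), and an inventory check that flags any trigger on a watched table whose body writes somewhere other than that table.

```python
import re
import sqlite3

# Constructed schema reproducing the post's scenario: a trigger on the
# sensitive table that, as a side effect of ordinary writes, copies rows
# to a second table. A harmless housekeeping trigger is included so the
# check has something legitimate to ignore.
DEMO_SCHEMA = """
CREATE TABLE cards (id INTEGER PRIMARY KEY, pan_enc TEXT, holder TEXT);
CREATE TABLE card_shadow (id INTEGER, pan_enc TEXT, holder TEXT, seen_at TEXT);
CREATE TRIGGER cards_after_update AFTER UPDATE ON cards
BEGIN
  INSERT INTO card_shadow VALUES (NEW.id, NEW.pan_enc, NEW.holder, datetime('now'));
END;
CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL);
CREATE TRIGGER orders_round AFTER INSERT ON orders
BEGIN
  UPDATE orders SET total = ROUND(NEW.total, 2) WHERE id = NEW.id;
END;
"""

# Tables a trigger body writes to (INSERT INTO x / UPDATE x).
WRITE_TARGET = re.compile(
    r"\b(?:INSERT\s+INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE
)


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    return conn


def trigger_inventory(conn: sqlite3.Connection, sensitive_tables):
    """List triggers defined on sensitive tables whose body writes elsewhere.

    Returns [(trigger_name, table, [targets])]. Only the schema catalogue
    (sqlite_master) is read, so the check runs without any access to the data.
    """
    watched = {t.lower() for t in sensitive_tables}
    findings = []
    for name, tbl, sql in conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger' ORDER BY name"
    ):
        if tbl.lower() not in watched:
            continue
        # Look only at the body: the header ("AFTER UPDATE ON cards") would
        # otherwise match the UPDATE pattern.
        m = re.search(r"\bBEGIN\b(.*)", sql, re.IGNORECASE | re.DOTALL)
        body = m.group(1) if m else sql
        targets = sorted({t.lower() for t in WRITE_TARGET.findall(body)} - {tbl.lower()})
        if targets:
            findings.append((name, tbl, targets))
    return findings


def rows_copied_after_update(conn: sqlite3.Connection) -> int:
    """Show the side effect: one routine update on cards lands a copy in card_shadow."""
    conn.execute("INSERT INTO cards VALUES (1, 'ct-1', 'A. Customer')")
    conn.execute("UPDATE cards SET holder = 'A. N. Customer' WHERE id = 1")
    return conn.execute("SELECT COUNT(*) FROM card_shadow").fetchone()[0]


if __name__ == "__main__":
    db = build_demo_db()
    for finding in trigger_inventory(db, ["cards", "orders"]):
        print("trigger writes outside its table:", finding)
    print("rows copied by one update:", rows_copied_after_update(db))
```

The same idea carries over to any database with a system catalogue: diff the trigger inventory on sensitive tables against a signed-off baseline, and treat a new trigger, or a new write target in an old one, as a change that needs explaining, regardless of whether the data itself is encrypted.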

Thursday 20 December 2007

Talking turkey

Back when firewalls were all the rage, people talked about encryption like it was a panacea. It seemed so far off, so complex and so difficult to achieve that it was revered far too much. Of course, encryption turned out not to be the be-all and end-all of security. Of course, to BE secure, encryption helps, as part of a whole system of in-depth defence in layers - but there are many more points to security after you've hidden the data.

Encryption is now addressed broadly in four areas (email, the file system, the application, and the database):
  • Email encryption has been possible for years, but new mechanisms are being designed all the time for some reason. I often wonder how much mileage there really is in this.
  • File system encryption is so simple that storage companies are building it in.
  • People write their own applications; databases, of course, are just reasonably complex applications.
What needs addressing is the management of keys used by these applications, and the security of the applications themselves. Most applications are too small to be an issue, secure because they are:
  • written that way (it occasionally happens),
  • protected by WAFs, or
  • proprietary code which no-one cares about enough to attack - security by obscurity.
But what I'm seeing now, as I am called to a number of sites around Europe to handle keys for encrypting inside databases, is that the databases themselves are badly designed, inherently insecure, and need a whole lot of extra help.

Encrypting a database can only do so much. I thought it would be interesting to go over a few of the issues I've seen recently, so I'll do that over the Christmas turkey, and hope someone reads it.

Tuesday 18 December 2007

More UK data losses

Answer the following question.
To get a position in the UK government you need:

a) a degree
b) to be patriotic and dedicated to your country
c) a sexual perversion
d) to be good at apologising
If you answered d), give yourself a pat on the back. If you managed to pat yourself on the back, give yourself a hug monkey-boy. Actually, any of the above are acceptable, except a), which is most definitely not a requirement.

Yes, Our Illustrious Leaders have gone and done it again. It seems like only a few days ago I was crying with laughter, safe in a Paris hotel, as the home secretary apologised to the nation for losing, oh, I don't know, millions of people's tax details. Oh, hang on, it WAS only a few days ago.

This week the DVLA (Driver and Vehicle Licensing Agency) has lost, oh, a few million drivers' details. The former was on CDs; I cringed a bit between gasps for air and thought that actually, it was just embarrassing, anyone could lose a CD with millions of people's personal records on. Err...? If anyone HAD a CD with millions of people's personal records on, that is. Why was this ever out of the building?

This time it was 2 hard drives. How do you go about losing a hard drive? And how do you lose 2? Again, WHY was this ever out of the building, or the computer?

And in either case, why wasn't the data encrypted? I know I'm a bit of an encryption nut, I work for an encryption company, have worked for or with every encryption company under the sun (except NeoScale of course, that one wasn't my fault) and would encrypt my underpants to stop unauthorised people seeing my private details. But maybe that's because I realise how important it is when I'm carrying something so sensitive?

Now, who would want the details on my laptop? A competitor would, for sure. Are the government so blind that they think they don't have any competitors, or people who could benefit from their information?

To be honest, I'm waiting for the call from Downing Street:

Gordon Brown: "We've been losing quite a lot of information recently and it's making me look like a bit of a prat who can't control what's going on under his own nose"
Your Humble Author: "Oh, I wouldn't say that"
GB: "Yes, it does, although that's very kind of you to say so. You're very tall and handsome by the way"
YHA: "Thanks, but I'm happily married"
GB: "Oh. Well, what about this data thing? Can you stop people losing it all the time?"
YHA: "No, but I can stop them using it."
GB: "How do you do that?"
YHA: "Easy Mr. B, you encrypt it."
GB: "Hallelujah, you are a god-like genius, have a job and some money."
YHA: "No thanks Prime Minister, I'm doing it for my country, and I don't want to work for you."
Well, maybe that's what'll happen?

[Unrelated side note which just came to mind: Last week the Regional Sales Manager was staying in the Paris Hilton. That ought to get me a few more page hits.]

Saturday 15 December 2007

More statistics and security confusion

When this report came across the wire yesterday:

Report: Security becoming business tool
I was reasonably happy. Until I read the tag-line that is:
Compliance, privacy and data protection, and meeting business objectives are top three drivers for security
"Strange", I hear you say, "for a security vendor to dislike business drivers in the press..."

And you'd be right. With my vendor hat on, this is great news for me. This story was sent to me by the Senior PM at Ingrian in fact, and he knows a good driver when he sees one. But, take the hat off, and there's a security guy underneath it banging his head on the table.

But why? This is all positive for the industry isn't it? Yes... and no. It's all true, and it's all relevant and it's right that security gets publicity, but this is what I object to:
"Eight out of 10 organizations said security has helped improve IT and operational efficiencies, and six out of 10 said it helped with the organization's strategic initiatives. And compliance has played a bigger role than a checkbox: Eighty percent of the respondents say compliance has improved their organizations' security."
First off, security and compliance do not make easy bedfellows. Ask your dyed-in-the-wool security guy what he thinks of compliance, and that isn't the only c-word you'll hear. 80% of respondents may say that compliance has improved their security, but then they would, they're probably being filled in by the marketing department, sorry, Executives.

And of course they're going to say it has helped improve IT and operational efficiencies, for the same reason, but this is the thing: SECURITY IS IMPROVED IT AND OPERATIONAL EFFICIENCIES. This annoys me because it is the one thing that anyone in security should understand from the moment they sign up - security is not just encryption, not anti-virus and not some worthless device, for firewall's sake (sorry to use the F-word and the C-word, but I'm angry).

Security is confidentiality, so yes, encryption and everything that comes with it, but also physical protection of the same. Security is integrity, making sure processes don't have to be repeated because information is lost or incorrect. And security is availability, making sure that processes work the way they are supposed to and that information can be accessed. This is what security has always been. Just because businesses have only just realised what it is doesn't mean that it is suddenly a magical driver; it just means we're all putting the same name to it.

I look forward to making a few easy sales now the budget will be available. 80% you say...

Tuesday 11 December 2007

nCipher buys NeoScale.

For $1.95bn. For your mental picture, I am sitting here goggle-eyed in amazement.

### UPDATE: Tyler informs me that it's million, not billion. My eyes have popped back in. I'm leaving the story up as a warning to others of how not to jump to conclusions. ###

What the hell just happened here?

I've stayed away from commenting on this because of the nature of my business and the fact I am a competitor of both companies, but... er, what?

Co-founder Alex Van Someren (brother of other founder Nicko VS) left nCipher a couple of weeks ago, it seems that someone else is in charge of the product decisions now. This is a huge move for nCipher.

They were also looking for a new VP of Professional Services last month, in either Cambridge, UK or Boston, MA. All of this points to huge expansion. But on what basis?

My only guess is that nCipher are wanting to play more on their Key Management portfolio, because they've seen how well it does for... well, us, actually. And it just so happens that NeoScale have a device based approach. Oh well, I suppose it was bound to happen sooner or later.

But where did they get all this money from? I have to ask: Will they have enough left over to hire the developers to put it all together?

Sunday 9 December 2007

Expansion in EMEA

I'm fighting a losing battle at the moment. Not just with my waistline, but with my diary. It seems that every time I think we're slowing down for Christmas, we get yet another customer calling up and asking for more of my time. I'm actually quite pleased to be able to go and talk to people about their encryption and key management issues, and the nearer we get to Christmas, the more wining and dining seems to be involved, so I can't exactly complain.

On the flip side of this, being on the technical side of operations in EMEA, I also get more involved in support calls than I should - because I genuinely care that any company I am involved with appears to give a good service, and because our support team wakes up around 4pm our time - not ideal. I am responsible for the technical service we deliver as a whole after all. We currently back off first-line support to a distributor who are not delivering to the level which I require. As a result I am relegated to a support function when I should be out drumming up technical interest. Often these days I also end up being farmed out to resellers to explain 'how it works', when this is something else the disti should be picking up by now - or if I'm doing it, I shouldn't be doing the support and the evangelising too. Fortunately after Christmas I am getting someone else on board, and who knows what will happen with the disti if things don't pick up.

Expansion is a luxury, both in terms of stomach and corporation. So, I may get a little flustered, and I appreciate that my output has dropped here recently, but early in the new year this balance should be restored. EMEA's looking busy right now, the UK especially has found deeper pockets for new technologies. I look forward to having time to blog about this more from all over Europe next year... and to ditch the technical support woes.

Tuesday 4 December 2007

MI5 blames the Chinese

Sam sent me a link to this today. I particularly liked the James Bond reference. Well, it does sound a bit like we're regressing to the same playground tactics of blaming it on the Russians and Chinese. Bond would have been proud. He would have been blowing stuff up and shagging anything that moves, just to try and control the little buggers. Makes you proud to be British.

What made me laugh was "Dutch Shell uncovered a Chinese spying ring in Houston, aimed at pilfering confidential pricing information for the oil giant's operations in Africa", that must have been pretty tough to pin down, but it must be true, because "security sources" said so. I guess if you're a Dutchman living in Houston it's pretty easy to spot the Chinese guys stealing your African secrets, they're the only ones who look like they know what's going on.

But silliness aside, doesn't the rest of this article read like FUD to you? I've been in this game for a while now, and this sounds almost like a sales pitch, but with no point to it. It looks a little like publicity for Sophos to me, Graham Cluley is very high profile over here anyway, but he seems to appear in an awful lot of Jeremy Kirk's stuff. Must be useful for them both I guess, although hasn't anyone told Graham that blogs are the new magazines?
