===============================================================
T H E   S E C U R I U S   N E W S L E T T E R
===============================================================
October 19, 2000 | Vol. 1, #10 | http://www.securius.com/

CONTENTS

1. TO LOSE A LAPTOP
2. THE NON-DISCLOSED CARNIVORE DISCLOSURE
3. RIJNDAEL

FORWARD THIS MAIL RIGHT NOW
Please take a moment and forward this newsletter to a colleague or friend.

===============================================================
A service of PC Guardian | San Rafael, California
Computer security products | http://www.pcguardian.com/
"Protecting Computers & Data Worldwide -- Since 1984"
===============================================================

--------------------------------------------------------
1. TO LOSE A LAPTOP
--------------------------------------------------------

A CEO has his laptop stolen from the podium after a press conference. On that device: the "DNA" -- plans, prices, prospects -- for a major public company in a highly competitive market.

A secret service agent puts his laptop down for a moment at a train station; he turns around and it's gone, along with secret information on anti-terrorist operations.

Another secret agent goes on a binge in a pub. In the morning, she can't remember what happened to her laptop.

The mobile computers known as "laptops" or "notebooks" are a favorite target of theft. In many instances, they represent a target of convenience for street criminals due to their small size and high resale value. But not all laptop/notebook theft is due to street thefts. In some cases, the target is not the computing device itself but rather the data it contains.

According to Safeware (http://www.safeware.com), the leading computer insurance company, a total of 319,000 notebook computers were lost in the US due to theft in 1999, for a total loss of $800 million. While Safeware is a reputable company with reputable methods of calculating loss, their numbers are certainly far too low.
One reason: it's very difficult to estimate the value of data losses. There's no sure way to know whether the data has fallen into the hands of a competitor or not.

Another reason relates to one of the computer security industry's most vexing problems -- the disclosure conundrum. The sad truth is that companies lose confidential data every day. In most cases, the companies don't even know they've lost data. If they do know they've lost data, they often don't know how they lost it. If they know they've lost it and know how they've lost it, they don't report the loss.

Historically, computer thefts and breaches of data security are not reported because companies find it embarrassing to disclose significant hardware thefts, especially when that hardware has critical data on it. The problem is even more acute for network security breaches.

Non-disclosure makes it difficult for security practitioners to calculate risk and for executives to make sound decisions about budgeting for security safeguards and personnel. A total US loss of $800 million is a drop in the bit bucket in the context of an economy worth trillions of dollars. If everyone knew how much everyone else was losing, they could plan and implement appropriate security safeguards and processes. If everyone implemented appropriate security safeguards and processes, the rate of theft and loss would plunge. Criminals would be deterred and -- if the safeguards were tough enough -- some might even take an interest in an easier line of work.

While very little can be done about the lack of reporting, security planners and decision-makers can factor underreporting into their planning and risk analysis processes. Calculate the total value of information assets based on the value of both hardware and data, and assign a high probability for the loss of mobile assets like laptop computers. If your company has 2,000 laptops, worth $2,000 each, with $20,000 worth of data on each, your total possible exposure is $44 million.
Given that it's impossible to know how many laptops are stolen in a year, assign a percentage based on your users' travel habits, business locations, etc. Two percent loss might be a good guess, leaving your company with an estimated exposure of $880,000. It would be reasonable to spend up to $440 for the security of each laptop.

Fortunately, notebook security measures are fairly inexpensive. Most new laptops have security slots that accept lock and cable assemblies. The cable can be looped through any stationary object or attached to common office furniture or cubicle walls. Kensington is a leading brand; it offers a wide variety of office and computer supply products. PC Guardian focuses on high quality computer anti-theft products. The Notebook Guardian(r), for example, includes a PVC-coated galvanized steel cable and a highly tamper-proof lock. See http://www.pcguardian.com/hardware/notebook.html

Physical security is only part of the picture. What if the lock and cable are defeated? As part of a strategy of defense-in-depth, PC Guardian also sells encryption software that protects all the system files and data stored on a notebook's hard disk: Encryption Plus(r) Hard Disk. The user must supply a password before Windows starts up. Once activated, the program transparently decrypts files as they're needed: no further user intervention is required. If the notebook is stolen, the thief cannot boot up the system. Even if the thief removes the hard disk and installs it on another machine, the data is encrypted and therefore useless for industrial espionage purposes. For more about Encryption Plus Hard Disk, see http://www.pcguardian.com/software/hard_disk.html

Perhaps the easiest and most cost-effective approach is to purchase a hardware/software bundle. PC Guardian's Road Guardian package includes the Notebook Guardian plus three encryption packages for about $100.
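The following is an added example, not code from the newsletter or from PC Guardian, that carries the exposure arithmetic above (hardware value plus data value per device, an assumed annual loss rate, and a resulting per-device security budget) into a small calculator, and generalizes it slightly by checking a candidate countermeasure's price against that budget and by tabulating the result over several loss rates, since the true theft rate is unknown. The function names are this example's own; the fleet figures and the roughly $100 bundle price are the ones quoted in the text.

```python
# Added example (not the newsletter's or PC Guardian's code): a laptop-fleet
# exposure calculator following the method described in the text.
# Function names and the loss-rate range are this example's own choices.


def fleet_exposure(device_count, hardware_value, data_value):
    """Total possible exposure: every device valued as hardware plus data."""
    if device_count < 0 or hardware_value < 0 or data_value < 0:
        raise ValueError("counts and values must be non-negative")
    return device_count * (hardware_value + data_value)


def expected_loss(device_count, hardware_value, data_value, loss_rate):
    """Estimated annual loss once an assumed fraction of devices is lost."""
    if not 0.0 <= loss_rate <= 1.0:
        raise ValueError("loss_rate must be a fraction between 0 and 1")
    return fleet_exposure(device_count, hardware_value, data_value) * loss_rate


def per_device_budget(device_count, hardware_value, data_value, loss_rate):
    """Ceiling on what is worth spending to protect each individual device."""
    if device_count == 0:
        return 0.0
    return expected_loss(device_count, hardware_value, data_value, loss_rate) / device_count


def countermeasure_is_justified(countermeasure_cost, device_count,
                                hardware_value, data_value, loss_rate):
    """True when a per-device control costs no more than the per-device budget."""
    return countermeasure_cost <= per_device_budget(
        device_count, hardware_value, data_value, loss_rate)


def sensitivity(device_count, hardware_value, data_value, loss_rates):
    """Map each candidate loss rate to (expected loss, per-device budget),
    so a planner can see how much the budget moves with the assumed rate."""
    return {
        rate: (expected_loss(device_count, hardware_value, data_value, rate),
               per_device_budget(device_count, hardware_value, data_value, rate))
        for rate in loss_rates
    }


if __name__ == "__main__":
    # The newsletter's illustration: 2,000 laptops, $2,000 hardware and
    # $20,000 of data each, and a guessed 2% annual loss rate.
    fleet = dict(device_count=2000, hardware_value=2000.0, data_value=20000.0)
    print(f"total exposure:        ${fleet_exposure(**fleet):,.0f}")
    print(f"expected loss at 2%:   ${expected_loss(loss_rate=0.02, **fleet):,.0f}")
    print(f"per-device budget:     ${per_device_budget(loss_rate=0.02, **fleet):,.0f}")
    # The roughly $100 lock-plus-encryption bundle quoted in the text.
    print("$100 bundle justified:",
          countermeasure_is_justified(100.0, loss_rate=0.02, **fleet))
    for rate, (loss, budget) in sensitivity(loss_rates=(0.01, 0.02, 0.05), **fleet).items():
        print(f"  loss rate {rate:.0%}: expected loss ${loss:,.0f}, "
              f"budget ${budget:,.0f} per device")
```

Run as a script it reproduces the $44 million, $880,000 and $440 figures from the text and shows that a control costing about $100 per device sits comfortably inside the budget at any of the sampled loss rates.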
See http://www.pcguardian.com/roadguardian/

You may not be able to solve the conundrum of disclosure, but you can take some easy steps to ensure that _your_ company's notebooks stay out of the headlines. For all but the most marginal endeavors, simple notebook security is an easy buy.

--------------------------------------------------------
2. THE NON-DISCLOSED CARNIVORE DISCLOSURE
--------------------------------------------------------

In the last two issues I discussed the Federal Bureau of Investigation's Carnivore system (the archive of back issues can be found at http://www.securius.com/newsletter/archive/). This Internet/intranet attack system is installed on Internet Service Provider networks when the FBI wishes to intercept the Internet communications of criminal suspects. While few would doubt the need for the authorities to collect evidence of serious criminal wrongdoing, many organizations and individuals have raised serious concerns about the design and implementation of Carnivore, which is capable of wantonly capturing information about the communications of law-abiding citizens.

In an effort to review the privacy and legal implications of the Carnivore system, the Electronic Privacy Information Center (EPIC) filed a Freedom of Information Act lawsuit for documents pertaining to Carnivore. The FBI released the first set of declassified documents on October 2, including items relating to the evolution of Carnivore, its purpose, and its testing. The release includes extensive coverage of Carnivore's predecessor, the Omnivore.

If you're the kind of person who enjoys reading declassified secret documents, surf to http://www.epic.org/privacy/carnivore/foia_documents.html and print out the scanned versions of the documents. Make sure your printer has plenty of black ink, however. The FBI blacked out huge sections of the document prior to release, presumably to protect against disclosing any substantive information.
One of the primary rules of computer security states that "security by obscurity" doesn't work. If the design of a security system relies on secrecy or hiding operational details, it's only a matter of time before the secret is revealed and security is lost. This is especially true given the widespread dissemination of security information on the Internet. There's general consensus that a secure system should remain secure even if the details of how the system is implemented are exposed. See my brief essay on this at http://www.albion.com/usst/intro-9.html

When it comes to Carnivore, the FBI is clinging hard to security through obscurity. It may be concerned that full disclosure will expose the system's vulnerabilities. If so, then the system hasn't been designed properly. The entire Carnivore specification, design, and source code corpus should be publicly released. The security community could then vet the FBI's work, find vulnerabilities, and suggest improvements. This is, after all, a system that's deployed unattended in the field: the chances of maintaining design secrecy over time are nil. Also, Carnivore is not rocket science. The techniques and technology for packet sniffing and eavesdropping are well-known and implemented in many open source UNIX and Linux distributions (hint: libpcap).

Nothing in the FBI's history or public statements about Carnivore suggests there's even a remote chance that they'll release the Carnivore source code. I still think there's hope, however. Not only would full disclosure be in the public's interest, it would also provide the FBI with an inexpensive and quick opportunity to improve the security of their systems. Somewhere in the depths of the Quantico research labs, I imagine, there's a tech or two who would agree. It's only a matter of time before the truth is outed, either by leak or by legal discovery process. The FBI has an opportunity to seize the initiative if it acts quickly.
--------------------------------------------------------
3. RIJNDAEL
--------------------------------------------------------

A reporter called in the other day with the rather open-ended query: "What's new in encryption?"

The encryption market has always been on government time. If Internet time is seven Internet days to one calendar day, government time is one government day to seven calendar days. After twenty-five years, the federal government has finally chosen an encryption standard to replace the venerable Data Encryption Standard (DES). It's called Rijndael (pronounced "rhine doll") after its Belgian progenitors, and it's news.

By all accounts, the selection process led by the National Institute of Standards and Technology (NIST) was thorough and even-handed. Rijndael has been deemed to be secure, fast, and portable. While it's hard to judge how much impact the new standard cipher will have, at least one vendor, RSA Data Security, promptly announced support for Rijndael. While this gives RSA something to talk about besides its recently expired patent, there's no immediate reason for either the producers or consumers of encryption technology to abandon the many tried-and-true ciphers currently implemented on the Internet and in commercial products. Time will judge Rijndael. Hopefully, we won't have to wait another 25 years for the next major standard.

For the official line on Rijndael, see http://www.nist.gov/public_affairs/releases/g00-176.htm

See you next month. 'Til then, keep your guard up!

===============================================================
ABOUT THIS NEWSLETTER

The Securius Newsletter is published monthly by PC Guardian.
For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/

You can find our archive of back issues at http://www.securius.com/newsletter/archive/

SUBSCRIBING/UNSUBSCRIBING

To unsubscribe from this newsletter, send an email to leave-security-outpost-news@lists.securityoutpost.com

To subscribe to this newsletter, send an email to join-security-outpost-news@lists.securityoutpost.com

FEEDBACK OR QUESTIONS

Write the author, Seth T. Ross
sross@pcguardian.com
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901 US

SPECIAL THANKS TO
Emily Navarre, editor extraordinaire

===============================================================
Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included.
Copyright 2000 PC Guardian. All rights reserved.