===============================================================
T H E   S E C U R I U S   N E W S L E T T E R
===============================================================
February 5, 2001 | Vol. 2, #01 | http://www.securius.com/

CONTENTS

1. LEARN TO FORGET
2. THE TRUSTED PC
3. MICROSOFT REDUX
4. ENCRYPTION PLUS(R) PERSONAL

FORWARD THIS MAIL RIGHT NOW

Please take a moment and forward this newsletter to a colleague or friend.

===============================================================
A service of PC Guardian | San Rafael, California
Computer security products | http://www.pcguardian.com/
"Protecting Computers & Data Worldwide -- Since 1984"
===============================================================

--------------------------------------------------------
1. LEARN TO FORGET
--------------------------------------------------------

Last December 22, Internet retailer Egghead.com made an alarming announcement. Someone, or some group, had broken into their network and accessed stored credit card records for 3.7 million customers. If you live or die by online sales, here's a note that you NEVER want to send out:

    Egghead.com has discovered that a hacker has accessed our computer systems, potentially including our customer databases. As a precautionary measure, we have taken immediate steps to protect our customers by contacting the credit card companies we work with. They are in the process of alerting card issuers and banks so that they can take the necessary steps to ensure the security of cardholders who may be affected.[1]

This isn't the first report of intruders stealing credit card information from an ecommerce company. It doesn't seem to matter how many times companies get burned: they keep on storing customer credit information where bad actors can access it. The security of credit card numbers has been an albatross for the Internet industry since the first merchants started accepting credit cards back in 1994.
As soon as card-accepting systems went up, the idea that eavesdroppers could steal card numbers in transit spread like wildfire. The industry responded by embracing an inexpensive and reasonably effective standard for encrypting web browser sessions: Secure Sockets Layer (SSL).

SSL is a solid security technology. But it's the right solution to the wrong problem. Credit card information is far more at risk while stored than while in transit. Think about it from the attacker's point of view. You could risk detection by eavesdropping on the line and laboriously picking up one credit card number after another as it is sent. Or you could break into Egghead's system, scoop up millions in one fell swoop, and run.

The best way to avoid this threat is to not store the credit card numbers in the first place. Ecommerce companies have been extremely aggressive in collecting and storing information about their customers, whether the customers consent or not. Storing a credit card number for a future transaction may save the customer a few seconds, but is that minor convenience worth the liability and the risk of theft?

Internet retailers should learn to forget. Instead of retaining every bit of data on every customer, they need to keep clean and orderly data warehouses that store only low-risk and absolutely necessary customer information. Once the transaction is completed, they should purge the sensitive information and securely store the rest. Observing this basic protocol protects customer security and privacy, and it protects merchants from extremely damaging blows to their reputation.

A couple of weeks after its initial disclosure, Egghead.com put out a release that said, essentially, "Nobody got the credit card numbers." Supposedly, fewer than 7,500 credit card accounts showed fraudulent activity during the time period in question, a number within the expected range.
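The "learn to forget" rule in code, as an added example that is not part of the original newsletter or of any retailer's system (the Egghead story resumes with the company's follow-up statement below). The card is held only until the charge is authorized; afterwards the record keeps the last four digits and the processor's authorization code and nothing a thief could reuse. The second half is the check a practitioner wants: a scan of stored text for digit runs that pass the Luhn check, i.e. full card numbers that should have been purged. The record layout, the stand-in processor call, the sample order and the dump text are all constructed for illustration.

```python
"""Purge card numbers after settlement, then audit that none survived.
Added example; the Order layout, fake_authorize() and the sample data
are constructed, not taken from Egghead.com or any real processor."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Order:
    order_id: str
    amount_cents: int
    pan: Optional[str]      # full card number: allowed only until authorization
    last4: str = ""         # enough for customer service ("the card ending 1111")
    auth_code: str = ""     # enough for reconciliation with the processor


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fake_authorize(pan: str, amount_cents: int) -> str:
    """Stand-in for the gateway call (assumption: a real gateway returns
    an authorization code the merchant can keep instead of the PAN)."""
    return "AUTH-%04d" % (amount_cents % 10000)


def settle_and_forget(order: Order) -> Order:
    """Authorize the charge, then drop the PAN from the record."""
    if order.pan is None or not luhn_ok(order.pan):
        raise ValueError("invalid card number")
    order.auth_code = fake_authorize(order.pan, order.amount_cents)
    order.last4 = order.pan[-4:]
    order.pan = None            # the only copy the merchant held is gone
    return order


# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_stored_pans(text: str) -> List[str]:
    """Audit check: return digit runs in a database dump or log that look
    like card numbers. The Luhn filter removes most order numbers and
    timestamps; a greedy match across two adjacent numbers is the known
    gap, so tune the separator set to the data being scanned."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample: 4111... is a well-known test number, not a real card.
    order = settle_and_forget(Order("A1", 1999, "4111111111111111"))
    print(order)                                   # pan=None, last4='1111'
    dump = "customer=alice card=4111-1111-1111-1111 order=12345678901234"
    print(find_stored_pans(dump))                  # ['4111111111111111']
    print(find_stored_pans(repr(order)))           # []
```

Run the scanner over the real stores, backups and log directories, not just the orders table; the most common way a purged number survives is in a debug log or a database dump taken before the purge.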
According to the company:

    Our internal investigation, led by Kroll Associates, has uncovered evidence which suggests that Egghead.com's existing security systems interrupted this intrusion while it was in progress. Moreover, reports from the credit card companies we work with suggest that fewer than 7,500 credit card accounts that appear in our system have shown suspected fraudulent activity. This number represents only about two-tenths of one percent of the approximately three million credit card numbers in our database at the time of the attack. It is possible that this activity may be related to credit card theft elsewhere. The evidence Kroll Associates and our team have gathered to date suggests that neither these, nor any other credit card numbers, were obtained from our site.[2]

The wording of this statement is strange. If existing security systems interrupted the intrusion, why did it take Egghead.com two weeks to figure that out? While there might be clear evidence if the credit card numbers were stolen, how can Kroll or Egghead.com know for sure that they were NOT stolen? Maybe the thieves are lying low for a while. Given the weasel language at work here, it's hard to know which is more damaging to Egghead.com: the original announcement or the cryptic retraction.

A disgruntled Egghead.com customer summarized the situation quite nicely on ZDNet: "Any company that's going to do something as stupid as maintain a credit card online on a vulnerable server that long after the transaction, I have no reason to trust them at all. That goes against every industry best practice that's out there."[3]

--------------------------------------------------------
2. THE TRUSTED PC
--------------------------------------------------------

A couple of weeks ago I attended a two-day meeting of the Trusted Computing Platform Alliance (TCPA) on the Microsoft campus.
The TCPA is an initiative promoted by Compaq, Hewlett-Packard, IBM, Intel, and Microsoft to create and promote a specification for a "trusted PC". The group's goal is to formulate a set of hardware and operating system security capabilities that customers can use to enhance trust and security in their computing environments. In this context, a computer can be trusted if it always behaves in the expected manner for the intended purpose.

Last Tuesday the TCPA announced that version 1.0 of the specification had been approved by a vote of the members attending the meeting: 24 for, one against, and four abstentions.

The spec is dense and long (340 pages). It addresses two major areas:

(1) traditional security building blocks, such as persistent storage of cryptographic keys, platform authentication (signing of data), and hardware random number generation; and

(2) new capabilities, such as platform integrity metrics (self-inspection of the BIOS, master boot record, and OS loader in the PC) and anonymous/multiple identities to better address privacy concerns.

The TCPA will provide a low-cost way of delivering security functionality. It will also offer improved access control, going beyond mere authentication or authorization. Under the TCPA spec, a series of integrity checks during the boot process can ensure that the operating system loads in a known state: each stage of the boot is measured before it runs, and the result depends on every stage measured. A TCPA-compliant computer might deny access to data if the operating system is in an inconsistent state or if rogue software, such as a virus, is running. The check is only as good as the list of components measured and the reference values they are compared against; a component that is never measured is simply invisible to it. The availability of persistent key storage and signing will improve applications and services such as Public Key Infrastructure (PKI) deployments, web browsers using SSL, and S/MIME email.

The PC industry is a strange animal. Many of the engineers and security architects who attended the meeting were very collegial in creating, discussing, and approving the specification.
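Before the meeting politics, here is what the boot-time integrity metrics described above look like when simulated in code. This is an added example, not TCPA specification code and not any vendor's implementation. It assumes a 20-byte measurement register that starts at zero at power-on, SHA-1 as the hash, the register-extend rule new = H(old || H(component)), toy byte strings standing in for the BIOS, MBR and OS loader images, and a seal construction built from SHA-256 and HMAC purely to illustrate the point that data should be bound to the measured state rather than released by a software check that rogue code could patch out. Changing any stage, or the order of stages, changes the final register value and the sealed data stays locked.

```python
"""Simulated boot measurement and state-bound data release.
Added example; not TCPA spec code. Hash, extend rule, stage images and
the seal construction are assumptions made for illustration."""
import hashlib
import hmac


def extend(register: bytes, component: bytes) -> bytes:
    """Fold one measurement into the register. The register can only be
    extended, never set, so the final value depends on every call."""
    return hashlib.sha1(register + hashlib.sha1(component).digest()).digest()


def measure_boot(stages):
    """Measure each boot stage (name, image) in order, as firmware would
    before handing control to it. Returns (final register, event log)."""
    register = bytes(20)                      # power-on value: all zeros
    log = []
    for name, image in stages:
        register = extend(register, image)
        log.append((name, hashlib.sha1(image).hexdigest()))
    return register, log


def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(data: bytes, register: bytes) -> bytes:
    """Bind data to a platform state: the key is derived from the
    register, so only a platform that reproduces the same measurements
    can derive it. Output is ciphertext || 32-byte HMAC tag."""
    key = hashlib.sha256(b"seal:" + register).digest()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(blob: bytes, register: bytes):
    """Return the data if the register matches the sealed state, else None."""
    key = hashlib.sha256(b"seal:" + register).digest()
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None                           # wrong state: no key, no data
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


# Constructed "known good" chain recorded when the machine was enrolled.
GOOD_CHAIN = [("BIOS", b"bios-image-v1"),
              ("MBR", b"mbr-image-v1"),
              ("OS loader", b"osloader-v1")]


def boot_and_unseal(stages, blob, expected_register):
    """What a compliant platform does at boot: measure, then try to
    release. Returns (data or None, state matched?, event log)."""
    register, log = measure_boot(stages)
    return unseal(blob, register), register == expected_register, log


if __name__ == "__main__":
    reference, _ = measure_boot(GOOD_CHAIN)
    blob = seal(b"disk-encryption-key", reference)
    infected = [GOOD_CHAIN[0], ("MBR", b"mbr-image-v1+bootvirus"), GOOD_CHAIN[2]]
    print(boot_and_unseal(GOOD_CHAIN, blob, reference)[0])   # b'disk-encryption-key'
    print(boot_and_unseal(infected, blob, reference)[0])     # None
```

The event log is what an administrator would inspect when the register does not match: it names the stage whose digest changed, which the register value alone cannot tell you.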
Toward the end of the meeting, the participants discussed adoption of the standard as well as structural changes to the group. That's where cooperation broke down, with representatives from rival firms expressing divergent standpoints and goals. One representative cut off any adoption discussion with the company line, "You ALL know that WE don't discuss unannounced products," capturing the strange combination of cooperation and competition ("coopetition") that drives the industry.

To date, not a single company has publicly committed to actually building and selling TCPA-compliant machines. Nor have any software application developers committed to building TCPA-compliant security applications. A "trusted PC" will be useless without applications that use the add-on security properties. The companies backing the TCPA seem serious, but even the best-intentioned industry alliances have failed in the past. It should be interesting to see whether this is the start of a major security push for the PC platform or just another technological dead end. Stay tuned and I'll keep you posted. In the meantime, you can find out more at http://www.trustedpc.org/

--------------------------------------------------------
3. MICROSOFT REDUX
--------------------------------------------------------

Several readers questioned the paranoia that informed the "Warm, Gushy Microsoft" feature in the last issue. See http://www.securius.com/Features/Operating_Systems/38.html

Perhaps I'm paranoid, but I'm not alone. In December, the Center for Strategic and International Studies (CSIS), a Washington think tank, released a report titled "Cyber Threats and Information Security: Meeting the 21st Century Challenge" that specifically cites the Microsoft break-in as a threat to US national security.
For the full report, see http://www.csis.org/homeland/reports/cyberthreatsandinfosec.pdf

Here's an excerpt:

    There are several recent examples of how formerly industry-specific concerns have risen - or have the potential to rise - to the level of national security concerns. Perhaps the most recent example is the admission by Microsoft that hackers had broken into their systems and accessed next-generation Windows software that was not only unreleased, but not yet even announced. A profound concern to both private and public entities becomes whether or not any of these products will be trustworthy once they are released. It is doubtful that the millions (sometimes billions) of lines of code required to power Microsoft's products could readily be sanitized. More troubling still is the admission that the hackers used a relatively unsophisticated program (the QAZ Trojan Horse) to penetrate the security perimeter of the world's most powerful software company. With most military and government systems powered by Microsoft software and more generally reliant on COTS [Commercial Off-the-Shelf products], this recent development can pose grave national security-related concerns.

Note that this report came out before the recent spate of security breakdowns at Microsoft. See "More Egg on Microsoft's Face" at http://www.thestandard.com/article/display/0,1151,21690,00.html and "Microsoft admits blame for inaccessible Web sites" at http://www.infoworld.com/articles/hn/xml/01/01/25/010125hnadmit.xml

--------------------------------------------------------
4. ENCRYPTION PLUS(R) PERSONAL
--------------------------------------------------------

Ease of use is the most persistent problem with encryption software. Most encryption packages sport cumbersome interfaces and complex, multi-step procedures. Even when program designers attempt to make encryption software accessible to ordinary users by deploying graphical interfaces, they often fail.
PGP, the grandfather of personal encryption software, is a case in point. Despite a notable attempt to make things simple, many people are unable to complete even basic tasks with the program. For a report on this phenomenon by Alma Whitten and J.D. Tygar, see "Why Johnny Can't Encrypt" at http://www.cs.cmu.edu/~alma/johnny.pdf

I've looked at a lot of encryption software over the years. PC Guardian's Encryption Plus Personal is the only one that adheres to the Keep It Simple, Stupid (KISS) mandate. The program's functionality can be summed up in two quick sentences. Pick a password, select a file or group of files, and encrypt. Double-click an encrypted file, provide the password, and decrypt. There are no key pairs to maintain, key servers to connect to, or options to set. The program relies on the Blowfish algorithm and uses a 192-bit key. It can even encrypt files on a mounted network drive. As with any password-based tool, the key is only as strong as the password that unlocks it, so a short or guessable password, not the cipher, is the weak link. For more info, see http://www.pcguardian.com/software/file_g.html

See you next issue. 'Til then, keep your guard up!

NOTES:

[1] Full text at http://www.prnewswire.com/cgi-bin/micro_stories.pl?ACCT=149958&TICK=EGGS&STORY=/www/story/12-22-2000/0001392597&EDATE=Dec+22,+2000

[2] Full text at http://www.prnewswire.com/cgi-bin/micro_stories.pl?ACCT=149958&TICK=EGGS&STORY=/www/story/01-08-2001/0001399063&EDATE=Jan+8,+2001

[3] See http://www.zdnet.com/zdnn/stories/news/0,4586,2669672,00.html

===============================================================
ABOUT THIS NEWSLETTER

The Securius Newsletter is published monthly by PC Guardian.
For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/

You can find our archive of back issues at http://www.securius.com/newsletter/archive/

SUBSCRIBING/UNSUBSCRIBING

To unsubscribe from this newsletter, send an email to leave-security-outpost-news@lists.securityoutpost.com

To subscribe to this newsletter, send an email to join-security-outpost-news@lists.securityoutpost.com

FEEDBACK OR QUESTIONS

Write the author, Seth T. Ross
sross@pcguardian.com
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901 US

SPECIAL THANKS TO
Emily Navarre, editor extraordinaire

===============================================================
Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included.
Copyright 2001 PC Guardian. All rights reserved.