Recently in security Category

PGP's Universal Server Provides Unobtrusive Encryption


December 22, 2008
by Paul Rubens

    Over the last couple of weeks we've looked at the theory behind public key encryption and public key infrastructure. But how is all of this pulled together into a product that enables you to send or receive encrypted e-mail messages?

    If you need encryption in an enterprise environment then the ideal solution is as transparent to its users as possible, because any specific steps that users have to take to encrypt their messages are likely to be forgotten, ignored or carried out incorrectly.

    For that reason, many organizations choose to install an encryption gateway appliance which encrypts messages after they have been sent by users from standard e-mail clients like Microsoft Outlook, and which decrypts incoming messages before passing them on to their destinations.

    One of the earliest public key encryption applications was called Pretty Good Privacy (PGP), written in 1991 by Phil Zimmermann. PGP, Inc. was bought by Network Associates in 1997, but following a management buyout in 2002 PGP morphed into PGP Corporation, which today is one of the best known vendors of corporate encryption solutions. The company's offerings are based around a set of encryption applications (for e-mail and for other targets such as mobile devices and storage disks) that use a common encryption platform, plus a management server, PGP Universal Server, that oversees them all.

    PGP's Universal Gateway Email

    PGP's Universal Gateway Email is the company's gateway encryption (and decryption) application. To build a transparent secure e-mail system an organization deploys an appliance that combines PGP Universal Server with Universal Gateway Email. The appliance runs a hardened version of Linux, either on one of several specific server configurations from vendors including Dell, HP and IBM, or as a virtual machine on VMware ESX.

    The appliance sits between the corporate mail server and the corporate firewall, and it goes to work when it receives outgoing messages from the mail server. Its first tasks are to decide which messages to encrypt and to find the public keys of the recipients of those messages. Both decisions are driven by the PGP Universal Server, whose role is to manage and apply rules and policies for encryption based on factors including the destination, the sender, or even the contents of the message. Account creation, group management and policy enforcement can be automated by integrating Active Directory, Lotus Notes/Domino directories or other LDAP directories with the Universal Server.

    Let's imagine that you want to send an e-mail to someone at another organization, and the Universal Server determines, from the rules and policies it has to apply, that your message should be encrypted, perhaps because you work in a confidential new product group. To encrypt the message the encryption software first needs the intended recipient's public key. So how does it get that?
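As an added example (not PGP Corporation's code and not part of the article), here is a minimal per-recipient policy engine of the kind the gateway described above has to run before it can encrypt anything: rules keyed on sender group, destination domain and message content, a directory lookup for group membership, and a key store lookup for the recipient's public key. All addresses, group names, rule names and key fingerprints are made up, and the directory and key store are plain dictionaries standing in for LDAP and a keyserver.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One policy rule; a None field is a wildcard. Rules are tried in order
    and the first match wins."""
    name: str
    action: str                           # "encrypt" or "clear"
    sender_group: Optional[str] = None    # directory group the sender must belong to
    to_domain: Optional[str] = None       # recipient's mail domain
    content: Optional[str] = None         # regex matched against subject and body

    def matches(self, sender, recipient, text, groups):
        if self.sender_group and sender not in groups.get(self.sender_group, ()):
            return False
        if self.to_domain and recipient.rsplit("@", 1)[-1].lower() != self.to_domain:
            return False
        if self.content and not re.search(self.content, text, re.IGNORECASE):
            return False
        return True


# Constructed stand-ins for the directory (AD/LDAP) and the key store.
# Addresses and fingerprints are made up for this example.
GROUPS = {"newproduct": {"alice@corp.example"}}
KEYRING = {"bob@partner.example": "3F2A 9C11 7B54 0D8E"}   # recipient -> public key fingerprint

POLICY = [
    Rule("internal", "clear", to_domain="corp.example"),            # never leaves the mail server
    Rule("confidential-group", "encrypt", sender_group="newproduct"),
    Rule("labelled", "encrypt", content=r"\bconfidential\b"),
    Rule("default", "clear"),
]


def decide(sender, recipients, subject, body, policy=POLICY, groups=GROUPS, keyring=KEYRING):
    """Return {recipient: (action, detail)}.

    Policy is evaluated per recipient, because one message may go to both an
    internal colleague and an outside party. When a rule demands encryption but
    no public key is known for the recipient, the message is held rather than
    let through in clear: the gateway fails closed."""
    text = f"{subject}\n{body}"
    decisions = {}
    for rcpt in recipients:
        rule = next(r for r in policy if r.matches(sender, rcpt, text, groups))
        if rule.action == "clear":
            decisions[rcpt] = ("clear", rule.name)
        elif rcpt in keyring:
            decisions[rcpt] = ("encrypt", keyring[rcpt])
        else:
            decisions[rcpt] = ("hold", f"{rule.name}: no public key for {rcpt}")
    return decisions


if __name__ == "__main__":
    print(decide("alice@corp.example",
                 ["bob@partner.example", "carol@other.example", "dave@corp.example"],
                 "roadmap", "draft attached"))
```

The "hold" branch is the part worth copying: a gateway that cannot find a key must not quietly fall back to plaintext, which is exactly the mistake a transparent system invites.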

    Universal Server Key Management

    Full story


    The Linux distillery

    Why the latest IE flaw proves Linux got it right from the start
    Sunday, 21 December 2008


    You've all heard that a major new flaw has been found affecting Internet Explorer all the way back to version 5. Microsoft pushed out a fix outside its regular "Patch Tuesday" monthly schedule. The flaw has prompted some commentators to call for IE to be replaced with alternative browsers such as Firefox. Just what was so serious? And what does Microsoft say that shows Linux has the superior design?


    This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7.

    It could be critical for previous versions of Internet Explorer too but Microsoft didn't test them because they're no longer supported.

    Being a curious type when I saw all the hubbub about a new major critical vulnerability in Internet Explorer I wanted to know just what it was about.

    First, the best way to get the fix for your Windows operating system, irrespective of flavour, is Windows Update. Yet, the text accompanying the update is typically brief:

    Security Update for Internet Explorer 7 in Windows Vista (KB960714)
    Published 18th December 2008
    Update type: Important

    Security issues have been identified that could allow an attacker to compromise a system running Microsoft Internet Explorer and gain control over it. You can help protect your system by installing this update from Microsoft.


    While that doesn't tell us much, the knowledge base article (or "KB") 960714 referenced does spill the beans.

    Fundamentally, it was discovered that program code of a malicious person's construction could be executed on your computer if a user views a specially crafted web page with IE.

    In particular, a rogue script can allocate a block of memory (an array) then apparently release it without updating the array's length, meaning that the block of memory still remains preserved.

    Then, if data binding is enabled (which it is, by default), a rogue web page can take advantage of an incorrect handling of certain XML tags within IE to cause the browser to pass control to the supposedly free memory location.

    If the script had pre-filled that memory with actual executable instructions then the author has effectively been able to cause your computer to do something of their bidding, under your user credentials.

    You can find a harmless code example over the page which will make calc.exe (ie Windows Calculator) display itself. The code is merely presented in a readable format; it will not actually run.

    CONTINUED - PAGE 2


    Microsoft Issuing Emergency Fix for Browser Flaw
    By THE ASSOCIATED PRESS
    Published: December 16, 2008



    REDMOND, Wash. (AP) -- Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.

    The ''zero-day'' vulnerability, which came to light last week, allows criminals to take over victims' machines simply by steering them to infected Web sites; users don't have to download anything for their computers to get infected, which makes the flaw in Internet Explorer's programming code so dangerous. Internet Explorer is the world's most widely used Web browser.

    Microsoft said it plans to ship a security update, rated ''critical,'' for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.

    Full story

    Microsoft sees 'huge increase' in IE attacks



    Thousands of hacked sites, including porn URLs, exploit unpatched IE bug


    December 14, 2008 (Computerworld) Microsoft warned Saturday of a "huge increase" in attacks exploiting a critical unpatched vulnerability in Internet Explorer (IE), and said some originated from hacked pornography sites.

    Other researchers confirmed that attacks were increasingly coming from compromised Web sites.

    Microsoft noted the upswing in attacks on the company's Malware Protection Center blog late Saturday. "The trend for now is going upwards," said researchers Ziv Mador and Tareq Saade on the blog. "We saw a huge increase in the number of reports today compared to yesterday."

    Hackers have been exploiting a data binding bug in IE for more than a week, according to researchers who first noted in-the-wild attack code on Chinese servers. The vulnerability, which exists in all versions of the Microsoft browser, including IE5.01, IE6, IE7 and IE8 Beta 2, has so far been exploited only by attack code that targets IE7, the most widely-used edition.

    Full story


    Brute force SSH attack confounds defenders

    The Register

    Who are those guys?

    Security researchers are struggling to combat a sophisticated brute-force attack against SSH servers.

    Instead of using the same compromised machine to try multiple password combinations, the newer attack relies on coordination among multiple botnet clients. And instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.

    The approach, which is more likely to defeat basic rate-based security defences, first emerged after security researchers noticed a spike in failed SSH logins back in October, and remains ongoing. Countermeasures such as the use of IP blocklists of known compromised hosts have been applied to mitigate the attack, but these are only partially successful, Arbor Networks warned on Friday.

    A recent comparison between a blacklist created by Arbor's SSH scanner and another blacklist revealed a 12 per cent overlap, suggesting many compromised hosts remain unlogged.

    Much about the attack remains unclear. For example, security firms have yet to isolate samples of the botnet code behind the attack.

    Full story
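The article's point is that a per-source threshold, the rule behind IP blocklists and tools such as DenyHosts, never fires when each bot stays under it. As an added example (not from the article or from Arbor Networks), the following script parses constructed sshd failure lines and runs both rules over them: the classic per-IP count, and a sliding-window check that flags an account hit by many distinct sources that each stay quiet. The log lines, hostnames, addresses and thresholds are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure line, e.g.
# "Dec 20 03:05:01 bastion sshd[2001]: Failed password for root from 203.0.113.2 port 50000 ssh2"
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(lines, year=2008):
    """Return (timestamp, user, source_ip) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def noisy_sources(events, per_ip_limit=5):
    """The classic per-source rule: any IP with more than per_ip_limit failures."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > per_ip_limit}


def distributed_campaigns(events, window=timedelta(minutes=10), min_sources=8, per_source_max=3):
    """Flag accounts hit by many distinct sources inside one window while each
    source alone stays under the per-IP threshold. Returns
    {user: (distinct_sources, attempts_in_window)} for the last window seen."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, attempts in by_user.items():
        attempts.sort()
        in_window = defaultdict(int)   # ip -> failures inside the sliding window
        oldest = 0
        for i, (ts, ip) in enumerate(attempts):
            in_window[ip] += 1
            while ts - attempts[oldest][0] > window:   # slide the window forward
                old_ip = attempts[oldest][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                oldest += 1
            if len(in_window) >= min_sources and max(in_window.values()) <= per_source_max:
                flagged[user] = (len(in_window), i - oldest + 1)
    return flagged


def constructed_log():
    """Constructed sample: one loud host guessing 'admin', then ten hosts each
    trying 'root' twice within twenty seconds (the pattern the article describes)."""
    lines = []
    for i in range(6):
        lines.append(f"Dec 20 03:00:{i:02d} bastion sshd[{1000 + i}]: Failed password for "
                     f"invalid user admin from 198.51.100.7 port {40000 + i} ssh2")
    for n in range(10):
        for k in range(2):
            lines.append(f"Dec 20 03:05:{2 * n + k:02d} bastion sshd[{2000 + 2 * n + k}]: "
                         f"Failed password for root from 203.0.113.{n + 1} port {50000 + k} ssh2")
    return lines


if __name__ == "__main__":
    ev = parse_failures(constructed_log())
    print("per-IP rule catches:", noisy_sources(ev))
    print("distributed rule catches:", distributed_campaigns(ev))
```

On the sample the per-IP rule names only the loud host; the ten bots, at two guesses each, never cross it, while the per-account window picks up "root" with ten distinct sources. Keying the second rule on the targeted account (or on the total failure rate for one host) is what makes a blocklist-defeating campaign visible.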



    FYI, I have implemented ssh rate-limit firewall rules in addition to using Denyhosts. The change to rate-limit, it turns out, has been quite effective.

    --Dietrich

    Thieves Winning Online War, Maybe in Your PC


    Noah Berger for The New York Times

    Phillip Porras, a computer security expert at SRI International, a science and technology research group.

    Published: December 5, 2008

    SAN FRANCISCO -- Internet security is broken, and nobody seems to know quite how to fix it.


    Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.

    As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

    With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race.

    "Right now the bad guys are improving more quickly than the good guys," said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group.

    A well-financed computer underground has built an advantage by working in countries that have global Internet connections but authorities with little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency. That was driven home in late October when RSA FraudAction Research Lab, a security consulting group based in Bedford, Mass., discovered a cache of half a million credit card numbers and bank account log-ins that had been stolen by a network of so-called zombie computers remotely controlled by an online gang.

    In October, researchers at the Georgia Tech Information Security Center reported that the percentage of online computers worldwide infected by botnets -- networks of programs connected via the Internet that send spam or disrupt Internet-based services -- is likely to increase to 15 percent by the end of this year, from 10 percent in 2007. That suggests a staggering number of infected computers, as many as 10 million, being used to distribute spam and malware over the Internet each day, according to research compiled by PandaLabs.

    Security researchers concede that their efforts are largely an exercise in a game of whack-a-mole because botnets that distribute malware like worms, the programs that can move from computer to computer, are still relatively invisible to commercial antivirus software. A research report last month by Stuart Staniford, chief scientist of FireEye, a Silicon Valley computer security firm, indicated that in tests of 36 commercial antivirus products, fewer than half of the newest malicious software programs were identified.

    There have been some recent successes, but they are short-lived. On Nov. 11, the volume of spam, which transports the malware, dropped by half around the globe after an Internet service provider disconnected the McColo Corporation, an American firm with Russian ties, from the Internet. But the respite is not expected to last long as cybercriminals regain control of their spam-generating computers.

    "Modern worms are stealthier and they are professionally written," said Bruce Schneier, chief security technology officer for British Telecom. "The criminals have gone upmarket, and they're organized and international because there is real money to be made."

    The gangs keep improving their malware, and now programs can be written to hunt for a specific type of information stored on a personal computer. For example, some malware uses the operating system to look for recent documents created by a user, on the assumption they will be more valuable. Some routinely watch for and then steal log-in and password information, specifically consumer financial information.

    Full story





    IETF committee calls for a simple system for DNS security


    24.11.2008 12:46


    The Internet Architecture Board (IAB), the central committee of the Internet Engineering Task Force (IETF, a standards organisation), is calling for a simple system for signing the DNS root zone, and for the interest groups of the Internet Corporation for Assigned Names and Numbers (ICANN) to be given a say in a number of operational questions. That would give the ICANN community an influence on, say, the continuous rollover of keys for signing the root zone. The IAB makes these requests in its feedback to a Notice of Inquiry from the US National Telecommunications and Information Administration (NTIA). It also calls for caution: "Care should be taken that DNSSEC deployment remains about data, integrity, and authenticity, and not about control."


    The way the root zone should be signed has been a topic of serious debate for almost two years. This is the IAB's feedback in response to a Notice of Inquiry from the NTIA regarding "Enhancing the Security and Stability of the Internet's Domain Name And Addressing System" with DNSSEC. The IAB writes that the IETF's DNS Security Extension (DNSSEC) protocol "is the only standards-track mechanism to prevent corruption and replacement of the DNS data on its path through the Internet" (See also: RFC 4033 DNS Security Introduction and Requirements). If correctly implemented, therefore, the protocol could ensure more trust in the network. The IAB believes in particular that phishing attacks and the vulnerabilities discovered by Dan Kaminsky can be prevented.

    US warned of China 'cyber-spying'

    British Broadcasting Corporation

    US government computer
    There are concerns that China has been accessing sensitive US databases

    China has stepped up computer espionage against the US government and American businesses, according to an influential Washington congressional panel.

    In its annual report to Congress, the panel warned that China was gaining increasing access to sensitive information from US computer networks.

    It said China was aggressively pursuing cyber-warfare capabilities to gain an advantage over the US in any conflict.

    There has been no comment so far from the Chinese on the report.

    The US-China Economic and Security Review Commission was set up by Congress in 2000 to advise, investigate and report on US-China issues.

    China is stealing vast amounts of sensitive information from US computer networks
    Larry Wortzel Commission chairman

    It alleges that the Chinese are looking for diplomatic and military secrets in government databases, and potentially lucrative industrial secrets held by American corporations.

    The report said the US government and economy were critically vulnerable to cyber-space attack since both depended heavily on computers and the internet.

    The panel of six Democrats and six Republicans said China would continue to target the US using cyberspace as it was cheaper and less risky than traditional espionage activities.

    Full story




    Folks, take it from me and Tim, the ne'er-do-wells are out there 'knocking on the door' every day. Take the maximum protection measures possible on your DMZ and external web servers. Here's a link to additional 'rate limiting' I have in place which has effectively brought the ssh 'brute force' attacks to a screeching halt.

    Be Safe!
    --Dietrich

    Still sending naked email? Get your protection here


    Buckle your seatbelt, encrypt your bits



    Security How-to In this age of brazen, warrantless wiretaps and never-ending data breaches, you'd think email encryption would be considered de rigueur. Alas, even among the digerati it's rarely given the time of day because encryption is seen as an exotic undertaking that brings more hassle than benefit.

    To be sure, incorporating a robust encryption regimen into a routine that involves sending and receiving hundreds of emails each day won't happen by accident. If you've never done it before, there's a modestly steep learning curve that's necessary not only for you, but for all the people you correspond with. No wonder few people bother.

    Jon Callas, CTO of encryption software provider PGP, likens encrypting email to wearing a seatbelt, which a few decades ago was so unpopular that many people only did when they were required by law to do so.

    "You only need to wear a seatbelt on the day you get in a crash and you only need to encrypt the one email that's going to get lost," he says. "The way that you make sure you encrypt that one mail that needs to be encrypted is the same way you make sure you wear your seatbelt on the one day you get in a crash and that is you do it all the time."

    Your writer was forced to confront his own encryption apathy about a year ago, when asked for a public key by a source promising a juicy scoop. Two days later, the key was proffered, but the experience made it clear that the road to encryption Nirvana - at least for us Windows users - is paved with solutions that are confusing, incomplete, or impractical.

    For those so inclined, PGP sells products such as PGP Desktop Email that Callas says "literally passes the my-75-year-old-mother-can-use" test. Your writer, on the other hand, opted for Gpg4Win, a free Windows implementation of the open source Gnu Privacy Guard (GnuPG). Used with the Enigmail add-on for Mozilla's Thunderbird email client, it offers everything needed to generate, store, and manage digital keys for email encryption.


    What follows is a step-by-step tutorial for Windows users. (Linux geeks looking for help should seek out Brenno de Winter's excellent how-to here.)

    Full story

    WPA wireless encryption cracked

    November 6, 2008 12:37 PM PST

    Posted by Robert Vamosi

    Researchers have found a method of cracking a key encryption feature used in securing wireless systems that doesn't require trying a large number of possibilities. Details will be discussed at the sixth annual PacSec conference in Tokyo next week.

    According to PCWorld, researchers Erik Tews and Martin Beck have found a way to break the Temporal Key Integrity Protocol (TKIP) used by Wi-Fi Protected Access (WPA), and to do so in about 15 minutes. The attack works only on traffic sent from the access point to a Wi-Fi client: it recovers the keystream for individual packets, and the key for TKIP's Michael integrity check, rather than the session's encryption key itself, and it does not touch data going from the PC to the router.

    WPA with a pre-shared key has long been known to fall to a high volume of educated guesses at a weak passphrase, what's called a dictionary attack. The method described by Tews and Beck is not a dictionary attack. It uses a flood of data from the WPA router combined with a mathematical trick that recovers keystream from the captured traffic.

    Some elements of the attack have already been added to the Aircrack-ng Wi-Fi encryption auditing suite, to which Beck contributes, used by penetration testers and others.

    Tews is no stranger to breaking Wi-Fi encryption: in 2007 he and colleagues broke 104-bit WEP (Wired Equivalent Privacy) (PDF). WEP was used by TJX Corp. to secure wireless cash register transmissions from its stores, and criminals were able to exploit weaknesses in it to commit what was then the largest data breach in U.S. history.

    Given that WEP is broken and TKIP is now weakened, experts recommend WPA2 with AES (CCMP) encryption, rather than TKIP, when securing wireless networks.

    Original story

    Recent Entries

    Security: Microsoft Bug PATCH NOW, PATCH FAST
    Microsoft Bug: Patch Now, Patch Fast, by Stefanie Hoffman, ChannelWeb, Fri. Oct. 24, 2008…
    Security: A Robot Network Seeks to Enlist Your Computer
    A Robot Network Seeks to Enlist Your Computer (http://www.nytimes.com/2008/10/21/technology/internet/21botnet.html)…
    Security: Why eBay Should Open-Source Skype
    LinuxJournal: Why eBay Should Open-Source Skype, October 9th, 2008, by Glyn Moody (http://www.linuxjournal.com/content/why-ebay-should-open-source-skype)…