EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

September 2006


September 13, 2006

IBM: First-of-its-Kind Encryption?


IBM has announced what it claims is a first-of-its-kind encryption technology and services for enterprise-class security and privacy.

The centerpiece of the solution is the introduction of the industry's first fully encrypting data drive, bringing security to small, medium and large businesses. The open-standards-based drive is designed to protect the data in the event that it is lost or stolen, rendering it unreadable to anyone who finds it. With this option, customers can encrypt the large files intended for remote recovery sites, or for data archiving, at tape hardware speeds. It will also provide customers with the ability to share encrypted tapes with their business partners.

IBM's Security and Privacy Services practice within IBM Global Technology Services will provide the necessary framework, architecture and support to execute an enterprise security program and leverage IBM's encryption solution to resolve data security issues. Additionally, IBM Business Continuity and Resiliency Services (BCRS) have IBM's data encryption drives installed at their worldwide recovery locations. IBM BCRS will also offer services to execute recovery procedures and operations that include use of tape hardware encryption.

The IBM System Storage TS1120 is supposedly the first encryption drive in the market that addresses the requirements of security compliance legislation. According to IBM, there are significant advantages to performing encryption in the tape drive. Early measurements show no appreciable degradation to performance during the reading and writing of encrypted data. Encryption in the drive also allows data compression, reducing potential impact on the media, and the encryption-enabled tape drive can also process non-encrypted workloads.

In addition to providing high-performance encryption in the drives, IBM's approach is designed to allow customers to ensure that the tape can only be decrypted by authorized parties, and the decryption keys are available when and where they are needed. The IBM tape encrypting solution leverages the proven encryption technologies of the IBM mainframe. Mainframe centralized key management provides a single point of control for the tape encryption keys, with high security and availability, long-term key management, and excellent disaster recovery capabilities. System z servers also use tamper-resistant hardware features for further protection of the keys.

"Public-key cryptography gives customers a tool set that allows them to radically simplify the process of key management. A unique key can be used with each tape cartridge, and by using public key cryptography, customers can conceal these unique keys and leave them right with the tape cartridge," said Marianne Mostachetti, Director of IBM System z Software. "The public-key infrastructure that's inherent in the IBM z/OS is the ideal way for tape cartridges to be opened up."

Encryption comes standard on all newly ordered TS1120 tape drives and clients with installed TS1120 drives can upgrade to include this feature for a fee. The IBM Encryption Key Manager for the Java platform -- free as part of IBM's Java software development kit -- can help generate and communicate encryption keys for tape drives across the enterprise. Finally, key management software supports the encryption tape drive on a wide variety of configurations, such as z/OS, i5/OS, AIX, HP, Sun, Linux and Windows.

The TS1120 drives support three different encryption management methods: Application, System, or Library Managed. For System or Library managed encryption, the IBM Encryption Key Manager for the Java platform -- included, at no additional charge, as part of IBM's Java Virtual Machine -- will generate and communicate encryption keys for tape drives across the enterprise. This encryption capability is supported when the TS1120 Tape Drive is integrated or attaches in the IBM System Storage TS3500 Tape Library, IBM System Storage TS1120 Tape Controller Model C06, IBM TotalStorage® 3592 Tape Controller Model J70, IBM TotalStorage 3494 Tape Libraries, IBM TotalStorage C20 Silo Attach frame, and stand-alone environments.

For Application managed encryption, IBM Tivoli Storage Manager -- IBM's enterprise-level backup and recovery software -- can generate and communicate encryption keys to the TS1120 drives. Tivoli Storage Manager's policy management capabilities automatically determine whether TS1120 encryption is to be used and, if so, invoke encryption and provide the necessary encryption keys. TSM support for TS1120 encryption is the newest addition to TSM's encryption capabilities for securing data at rest. Tivoli Storage Manager is the only backup/archive software that supports encryption keys, offering customers one-stop shopping for backup, archiving and encryption, all from IBM and managed by Tivoli.
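The per-cartridge key scheme Mostachetti describes above, as an added Go example that is not IBM's code: each tape gets its own AES data key, that key is wrapped under the key manager's RSA public key and stored on the cartridge next to the ciphertext, so the tape can travel (to a partner or a recovery site) while only the holder of the private key can recover the data key. The Cartridge type, its field names and the OAEP label are assumptions, and the RSA key pair stands in for the mainframe's centrally managed key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// oaepLabel is a hypothetical OAEP label tying the wrapped blob to its purpose.
var oaepLabel = []byte("tape-data-key")

// Cartridge is a constructed stand-in for one tape: the encrypted payload and the
// per-cartridge data key, wrapped to the key manager's public key, stay together.
type Cartridge struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// gcmFor builds AES-256-GCM over key; with a fixed 32-byte key neither call can fail.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// WriteCartridge draws a fresh AES-256 data key for this cartridge, encrypts the
// payload with it, and wraps that key under the key manager's RSA public key.
func WriteCartridge(pub *rsa.PublicKey, payload []byte) (*Cartridge, error) {
	buf := make([]byte, 32+12) // 256-bit data key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Cartridge{wrapped, nonce, gcmFor(dataKey).Seal(nil, nonce, payload, nil)}, nil
}

// ReadCartridge unwraps the data key with the private key only the key manager
// holds, then decrypts; without that private key the tape is just ciphertext.
func ReadCartridge(priv *rsa.PrivateKey, c *Cartridge) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return gcmFor(dataKey).Open(nil, c.Nonce, c.Ciphertext, nil)
}
```

Because every cartridge carries a different data key, a compromise of one tape's key exposes that tape alone, and the private key never has to leave the key manager.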

Posted by Jon Erickson at 07:55 AM


September 11, 2006

Game Console Vulnerability Identified


PandaLabs has detected a vulnerability that affects the PlayStation Portable (PSP) gaming console.

This flaw is a buffer overflow that allows malicious code to be run on these devices. It is important to mention that a proof of concept already exists that exploits this flaw and works on all versions of PSP firmware that can view TIFF files. In view of this situation, it seems that it would not be too difficult to program malicious code to exploit this security hole.

According to Luis Corrons, director of PandaLabs: "The vulnerability detected is particularly dangerous, as it could be exploited through malicious code programmed for this purpose or even directly by hackers."

This is not the first case of an attack on gaming consoles. Last year, PandaLabs detected malicious codes designed to target these devices. To be more specific, these were the Format.A and Tahen (variants A and B) Trojans. These Trojans were extremely dangerous as their attacks deleted critical files, and could even irreversibly render the console unusable, in the case of PSP.

"It is highly recommended not to install software that does not come from reliable sources on consoles. Before doing so, it is advisable to scan it first with an updated antivirus solution. Similarly, external communication (USB, IrDA or WiFi) should not be established with untrustworthy consoles or computers that could transfer unwanted information," concludes Luis Corrons.

Posted by Jon Erickson at 10:13 AM


September 01, 2006

Anti-Phishing System Developed


Researchers at Carnegie Mellon University's CyLab have come up with an anti-phishing tool to protect users from online transactions at fraudulent Web sites.

The research team, led by Adrian Perrig, has created the Phoolproof Phishing Prevention system that protects users against network-based attacks, even when they make mistakes. The security system provides strong mutual authentication between the Web server and users by leveraging a mobile device, such as the user's cell phone or PDA.

The system designed by Perrig and engineering Ph.D. student assistants Bryan Parno and Cynthia Kuo makes the user's cell phone an active participant in the authentication process to securely communicate with a particular Internet site.

"Essentially, our research indicates that Internet users do not always make correct security decisions, so our new system helps them make the right decision, and protects them even if they manage to make a wrong decision," Perrig said. "Our new anti-phishing system, which operates with the standard secure Web protocol, ensures that the user accesses the Web site they intend to visit, instead of a phishing site posing as a legitimate business. The mobile device acts like an electronic assistant, storing a secure bookmark and a cryptographic key for each of the user's online accounts."

Phoolproof Phishing Prevention essentially provides a secure electronic key ring that the user can access while making online transactions, according to Parno. These special keys are more secure than one-time passwords because the user can't give them away. So, phishers can't access the user's accounts, even if they obtain other information about the user, researchers said.

Since the user's cell phone performs cryptographic operations without revealing the secret key to the user's computer, the system also defends against keyloggers and other malicious software on the user's computer. Even if users lose their cell phone, the keys remain secure.

Posted by Jon Erickson at 09:24 AM

