June 2007
June 28, 2007
Diebold to Demo New Software; Focus on Security
Making a pitch to public officials, Diebold Election Systems (DESI) will preview its new "Assure" election system software to election officials at the upcoming International Association of Clerks, Recorders, Election Officials and Treasurers (IACREOT) Conference -- and the focus, as you might expect, will be on security.
Assure election system software implements SHA1/RSA digital signatures on software installation files, and requires the activation of a variable password-based administrator card to complete the installation process. This software feature authenticates the integrity of software installation files and the person loading the system software.
The software also includes strong cryptography to digitally sign the AccuBasic reporting script on the AccuVote-OS optical scan system memory card to detect attempted tampering, similar to the protection used in the AccuVote-TSX touch-screen system. Assure also includes encryption of the Global Election Management System (GEMS) database.
Previous versions of Diebold's software used Advanced Encryption Standard (AES) data encryption and SHA1/RSA digital signatures to secure election data and results. Assure extends what Diebold claims is a higher level of protection to the election equipment's software installation files and AccuBasic scripts.
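The installer gate described above, as an added example that is not Diebold's or the page's code: a manifest of installation files is hashed with SHA1, signed with RSA, and the installer refuses to proceed unless the signature verifies. Schoolbook RSA with small constructed keys is used only so the block runs offline without third-party libraries; the file names and contents are constructed for the demonstration.

```python
# Added example (not Diebold's code): gate a software install on a verified
# SHA1/RSA signature over a manifest of the installation files.  Schoolbook
# RSA with small keys is used only so this runs offline; it is not padded.
import hashlib, random, secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (sufficient for an illustration)."""
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(p): return p

def generate_keypair(bits=160):
    """Return ((e, n), (d, n)); n (~320 bits) must exceed the 160-bit digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)

def manifest_digest(files):
    """SHA1 over a canonical list of file names and per-file SHA1 hashes."""
    h = hashlib.sha1()
    for name in sorted(files):
        h.update(f"{name}:{hashlib.sha1(files[name]).hexdigest()}\n".encode())
    return int.from_bytes(h.digest(), "big")

def sign_manifest(files, priv):
    return pow(manifest_digest(files), priv[0], priv[1])

def verify_install(files, signature, pub):
    """Installer gate: any changed byte in any file makes this return False."""
    e, n = pub
    return pow(signature, e, n) == manifest_digest(files)

# Constructed sample payload: names and contents are invented for the demo.
INSTALL_FILES = {"gems_setup.exe": b"GEMS installer (constructed)",
                 "report.abo": b"AccuBasic report script (constructed)"}
```

The same gate applies unchanged to a single AccuBasic script on a memory card: the script is the only entry in the manifest.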
"The same advanced security software that has guaranteed the integrity of election data and results can now be used to secure installation files and additional components of the system," said Diebold's Dave Byrd.
According to Diebold, the only other security you need to complete a secure election process involves "locks and tamper evident tape and seals, chain of command processes and procedures, election oversight by poll workers and party representatives, and sound election operations management and auditing procedures."
Posted by Jon Erickson at 09:16 AM
June 21, 2007
Virtualization: What? Me Worry?
According to a survey conducted by Emedia, an e-mail research/marketing company, virtualization is moving into the mainstream with 50 percent of IT professionals who responded already using the technology, or planning to do so within the next 18 months. However, 52 percent also responded that virtualization systems are introducing new security challenges.
Interestingly, says Emedia, the later an organization's implementation of the technology is scheduled, the more apprehensive its respondents seem to be. The survey indicated that 51 percent of current users think that virtualization poses some new risks, compared with 57 percent among those planning to adopt it within the next 6 months and 66 percent among those adopting it within the next 6 to 18 months.
Survey respondents generally think that they can overcome these threats by taking safety measures such as staff training/improving understanding (51 percent), patching/updating/hardening servers (38 percent), using firewalls (30 percent), and separating networks/subnetting/routing (25 percent).
David Clark, managing director at Emedia, concludes that "the advantages of virtualization appear to be tantalising but it seems that IT managers approach it with caution."
Posted by Jon Erickson at 09:31 AM
June 15, 2007
Guide Addresses Security Testing Efficiency
If you have anything to do at all with security and federal information systems (or even if you don't), you will probably find the National Institute of Standards and Technology's recently released Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans interesting, if not useful.
The 387-page publication serves as a guide for assessing the effectiveness of security controls in federal information systems, and its content is expected to be incorporated into automated tools that support the information security programs of federal agencies.
"The assessment requirements presented in this latest draft are intended to make compliance with FISMA easier, more efficient and ultimately to produce better computer and information security for the federal government," noted NIST's FISMA Implementation Project Leader Ron Ross.
One of the changes to the document since the previous draft involves new guidelines for establishing policies, procedures, and responsibilities for those conducting penetration testing.
Posted by Jon Erickson at 10:44 AM
June 11, 2007
CSI Says Security Research Being Hampered
The Computer Security Institute (CSI) has released the results of its research into Web security researchers, and what CSI found isn't pretty.
According to the report that was released at CSI's annual NetSec conference, security research by experts is being hampered by the fear of prosecution.
In the report, which was authored by a working group of Web researchers, computer crime law experts, and U.S. Department of Justice personnel, researchers said that even if they stumble across a web-site bug accidentally, they worry about disclosing it to the site's owner for fear of prosecution.
"Security researchers are able to identify and publicly disclose software vulnerabilities or further write proof-of-concept exploit code without fear of criminal prosecution," said Jeremiah Grossman, CTO of WhiteHat Security and a contributor to the group. "But Web security researchers aren't so lucky: under some laws, a researcher could find himself prosecuted for simply looking for a Web site vulnerability, much less disclosing it publicly." He added that this "means only people that are on the side of the consumer are being silenced for fear of prosecution."
Grossman went on to say that "this report serves as a meeting of the minds, bringing together ideas and concerns from the developers, security researcher and law enforcement communities, making it a unique touch point for everyone caught in the frenzy of Web 2.0."
Specifically, the report includes:
- A matrix of Web security research methods (on a scale of least-invasive to most-invasive), assessments of how the law may interpret these actions and gauges of the likelihood a Web researcher will be criminally prosecuted for such actions.
- Discussion of how the law may be changed, including how liability is assigned, how "damage" is quantified and how disclosure and criminal intent factor into sentencing.
- Endeavors the industry may create to improve Web security within the current letter of the law, such as: better secure Web development standards, better Web site security certifications, anonymous vulnerability disclosure tip lines and a service that invites registered researchers to hack "dummy" Web pages, which are modeled off typical Web sites but contain fake data.
According to Sara Peters, CSI editor and author of the report, "[Web] researchers are terrified about what they can and can't do, and whether they'll face jail or fines. Having the perspective of legal people and law enforcement has been incredibly valuable. [And] this is more complicated than we thought."
CSI is part of CMP Media, as is Dr. Dobb's Journal.
Posted by Jon Erickson at 12:30 PM
June 04, 2007
Secure Web Server Guidelines Released
Need help securing your web servers? If so, you might want to take a look at a draft paper released by the National Institute of Standards and Technology (NIST) entitled Guidelines on Securing Public Web Servers, written by Miles Tracy, Wayne Jansen, Karen Scarfone, and Theodore Winograd.
The publication is intended to help organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. It also makes suggestions on using authentication and encryption technologies to protect information.
Posted by Jon Erickson at 09:00 AM