October 2006
October 24, 2006
Fast Encryption
If slow encryption has been a problem for you, don't worry--NeoScale Systems is coming to the rescue with the introduction of its 4-Gbit/s security appliance.
The CryptoStor FC712 is an enterprise-class tape security device that supports native 4-Gbps interfaces, letting you double the number of tape drives secured on a single channel. In addition to fast encryption, the CryptoStor Tape 712 provides:
- Data confidentiality. Hardware-based AES-128 or AES-256 encryption
- Optimized tape utilization. Hardware-based LZS compression
- Data integrity. Cryptographic authentication of tape data
- Secure management. Web management with optional two-factor authentication and division of responsibility among the administrator, security officer, and recovery officer
- Centralized key management. Integration with CryptoStor KeyVault for centralized backup and sharing of encryption keys
- High-availability designs. Clustering supports automatic sharing of security policies and key catalog across a data center or remote locations
- Reliability. Hot-swappable power supplies and fans for continuous operation
- Secure hardware appliance. FIPS 140-2 Level 3 platform including key zeroing when tampering is detected
And, oh yes, it sells for around $45,000.
Posted by Jon Erickson at 01:59 PM Permalink
|
October 13, 2006
NIST Reports Attack on RSA
The Computer Security Resource Center at NIST has found an attack on some implementations of RSA digital signatures using the padding scheme of PKCS-1.
A paper describing the attack in detail is available.
A similar attack could also be applied to implementations of digital signatures as specified in American National Standard (ANS) X9.31. Note that this attack is not on the RSA algorithm itself, but on improper implementations of the signature verification process.
Posted by Jon Erickson at 11:15 AM Permalink
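As an added illustration (not taken from the NIST paper or the original post), here is an improper verification step beside a strict one, operating on the encoded block recovered from a signature. SHA-256, all function names, and the lenient parser's particular flaw (never examining bytes after the hash) are assumptions, since the post does not describe the defect.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2); hash choice is an assumption.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode_block(message: bytes, em_len: int) -> bytes:
    """The single valid block: 00 01 FF..FF 00 DigestInfo, filling em_len bytes."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("block too short for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def lenient_check(em: bytes, message: bytes) -> bool:
    """Improper verification (hypothetical): parse left to right, stop after the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:      # any amount of padding is accepted
        i += 1
    if em[i:i + 1] != b"\x00":
        return False
    i += 1
    if em[i:i + len(SHA256_PREFIX)] != SHA256_PREFIX:
        return False
    i += len(SHA256_PREFIX)
    # Bytes after the 32-byte digest are never examined.
    return em[i:i + 32] == hashlib.sha256(message).digest()

def strict_check(em: bytes, message: bytes) -> bool:
    """Proper verification: rebuild the expected block and compare every byte."""
    try:
        expected = encode_block(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def constructed_malformed_block(message: bytes, em_len: int) -> bytes:
    """Constructed sample: short padding, correct hash, filler bytes after it."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\xaa" * (em_len - len(head))

if __name__ == "__main__":
    msg = b"constructed sample message"
    for name, em in [("well-formed", encode_block(msg, 256)),
                     ("malformed", constructed_malformed_block(msg, 256))]:
        print(name, "lenient:", lenient_check(em, msg), "strict:", strict_check(em, msg))
```

The strict form mirrors the encode-then-compare verification in RFC 8017, section 8.2.2, which leaves no room for a parser to skip part of the block.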
|
October 10, 2006
Credit-Card Security: Developer Tools
Payment Processing Inc. has announced that it will be offering credit-card data security services to software developers. Services include support for both Payment Applications Best Practices (PABP) for packaged applications, and Payment Card Industry (PCI) Compliance for Software-as-a-Service (SaaS) applications.
This program is offered through PPI Developer Services and includes:
- Security Education Service which explains the nuts and bolts of PABP and PCI requirements and provides recommended strategies for an organization to become compliant. The path to PABP compliancy begins with attending a PPI online educational seminar.
- Diagnostic Readiness Review which assesses an organization’s current level of readiness and provides a customized statement of work for bringing an application or system closer to compliancy.
- Facilitated Compliance Plan which engages a VISA Qualified Data Security Company (QDSC) to provide PABP validation or PCI certification.
"So many of the software developers we speak with are at a loss as to where to start," says Chuck Riegel, PPI vice president of software products. "We help developers decipher the process and assess their application so they understand exactly what needs to be done to reach compliancy, and can build the requirements into their development schedule. Plus, we streamlined the entire certification process so developers can rely on us to do much of the work, thereby reducing the overall cost to the developer."
"There is a great deal of confusion regarding credit card data security and best practices within the software community. PPI has structured this program to provide our software partners with the services they need to make sense of it all," Riegel added. "It’s difficult for software developers to decipher the current best practices, so PPI has assembled a team of experts and services to offer its qualified Advantage Partners free PABP and PCI security consultation and education services."
PPI has also prepared a whitepaper, "Ten Things Application Developers Need to Know About Credit Card Data Security," which provides more information on credit-card data security services.
Posted by Jon Erickson at 10:01 AM Permalink
|
October 09, 2006
Security Glossary Published
Having trouble differentiating your accreditation package from your accrediting authority? Or your object identifier from your online certification status profile? Or, for that matter, your one-way hash from your optional topography?
What all of these terms have in common is that they all deal with security. But these are just the tip of the iceberg, so to speak, of basic security terms. To help you keep all these terms straight, and to ensure that you and others are on the same frequency, NIST has published its Glossary of Key Information Security Terms, a glossary of basic security terms for the security industry.
The terms included are not all inclusive of terms found in these publications, but are a subset of basic terms that are most frequently used. The purpose of the glossary is to provide a central resource of definitions most commonly used in NIST security publications.
Each entry in the glossary points to one or more source NIST publications, and in addition, supplemental sources where appropriate. A list of the supplemental (non-NIST) sources is also provided.
Finally, the glossary will be updated with new definitions as needed, and updated versions will be posted at the Computer Security Resource Center.
Posted by Jon Erickson at 10:25 AM Permalink
|
October 02, 2006
NIST Releases Windows XP Security Guide
If you're a Windows XP user and worried about security, you might want to take a look at the paper "Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist".
Published by the Computer Security Division of the National Institute of Standards and Technology, the paper explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. NIST maintains that the settings make a substantial improvement in the security posture of Windows XP Home Edition computers.
The publication is partially based on SP 800-68, "Guidance for Securing Microsoft Windows XP Systems for IT Professionals", which in turn is based on material developed by the National Security Agency (NSA), DISA (Defense Information Systems Agency), U.S. Air Force (USAF), Microsoft, and other members of the security community.
Posted by Jon Erickson at 11:34 AM Permalink