• Corporate desktop image
  
• Outlook 2003
• Symantec AV
• PGP-8.1
  

1. Install PGP-9.6
2. reboot twice per instructions
3. Find that my networking completely doesn't work.

1. regsvr32 /u PGPfsshl.dll
2. Run a Registry merge on c:\WINDOWS\system32\PGPlspRollback.reg
3. Reboot

Steps are now being taken, rather faster since Dan Kaminsky came up with a really effective DNS poisoning attack, to secure DNS by using DNSSEC.

The basic idea of DNSSEC is that when you get an answer from the DNS it will be signed by someone you trust. At some point the “trust anchor” for the system will be “.” the DNS root, but for the moment there’s just a handful of “trust anchors” one level down from that. One such anchor is the “.se” country code domain for Sweden. Additionally, Brazil (.br), Puerto Rico (.pr), and Bulgaria (.bg) have signed their zones, but that’s about it for today.

So, wishing to get some experience with the brave new world of DNSSEC, I decided that Sweden was the “in” place to be, and to purchase “cloudba.se” and roll out my first DNSSEC signed domain.

The purchase wasn’t as easy as it might have been — when you buy a domain, Sweden insists that people provide their identity numbers (albeit they have absolutely no way of checking if you’re telling the truth) — or if a company they want a VAT or registration number (which are checkable, albeit I suspect they didn’t bother). I also found that they don’t like spaces in the VAT number — which held things up for a while!

However, eventually they sent me a PGP signed email to tell me I was now the proud owner of “cloudba.se”. Unfortunately, this email wasn’t in RFC3156 PGP/MIME format (or any other format that my usually pretty capable email client understood).

The email was signed with key 0xF440EE9B which was reassuring because the .se registry gives the fingerprint for this key on their website here. Rather less reassuringly footnote (*) next to the fingerprint says “.SE signature for outgoing e-mail. (**) June 1 through August 31.” (the (**) is for a second level of footnote, which is absent — and of course it is now September).

They also enable you to fetch the key through a link on this page to their “PGP nyckel-ID” at http://subkeys.pgp.net.

Unfortunately, fetching the key shows that the signature on the email is invalid.

Since the email seems to have originated in the Windows world, but was signed on a Linux box (giving it a mixture of 0D 0A and 0A line endings), then pushed through a three year old copy of MIME-tools I suppose the failure isn’t too surprising. But strictly the invalid signature means that I shouldn’t trust the email’s contents at all — because the contents have definitely been tampered with since the signature was applied.

Since the point of the email was to get me to login for the first time to the registry website and set my password to control the domain, this is a little unfortunate.

Even if the signature had been correct, then should I trust the PGP key?

Well it is pointed to from the registry website which is a Good Thing. However, they do themselves no favours by referencing a version on the public key servers. I checked who had signed the key (which is an alternative way of trusting its provenance — since the email had arrived to a non-DNSSEC secured domain). Turned out there was no-one I knew, and of 4 individual signatures, 2 were from expired keys. The other signature was the IIS root key — which sounds promising. That has 8 signatures, once again not people I know — but only 1 from a non-expired key, so perhaps I can get to know some of the other 7?

Of course, anyone can sign a key on a public key server, so perhaps it makes sense for .se to suggest that people fetch a key with as many signatures as possible — there’s more chance of it being signed by someone they know. Anyway, I have now added my own signature, using an email address at my nice shiny new domain. However, it is possible that I may not have increased the level of trust

Wednesday.

That is all.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Most Attractive Targets: SaaS | GNUCITIZEN
2. Microsoft patch resolves patching blockage | Heise
3. Instant trojan to worm toolkit sighted | The Register
4. PGP Source Code Book on eBay | Infosecurity dot us
5. Why most WAFs do not block | Jeremiah Grossman
6. VoIP providers to get full 911 access with bill’s passage | Ars Technica
7. Being a Government Security CISO: Life in the Fishbowl | Bloginfosec
8. Current cyber-security defences ‘ineffective’ (deduct 10 points for use of “cyber”) | vnunet

Tags: News, Daily Links, Security Blog, Information Security, Security News

There are some days where nothing strikes me as interesting enough to blog.  Than there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

Authors note: Dr. Jan Hruska, co-founder of Sophos wrote me off line and gave me permission to publish this comment: 2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to to twitter and report and to "be there".

In October last year we prepared for a float on the London Stock Exchange. As a part of the exercise we had analysts from the three sponsor banks produce their projections for revenue etc for the next three years. We did better that their projections for 2007/08.

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

  But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

There are some days where nothing strikes me as interesting enough to blog.  Than there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to to twitter and report and to "be there".

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

  But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

But the US is not alone. British customs agents search laptops for pornography. And there are reports on the internet of this sort of thing happening at other borders, too. You might not like it, but it's a fact. So how do you protect yourself?

Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won't work here. The border agent is likely to start this whole process with a "please type in your password". Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day.

You're going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key - even if you also encrypt your entire hard drive - and keep your sensitive data there. Lots of programs allow you to do this. I use PGP Disk . TrueCrypt is also good, and free.

While customs agents might poke around on your laptop, they're unlikely to find the encrypted partition. (You can make the icon invisible, for some added protection.) And if they download the contents of your hard drive to examine later, you won't care.

Be sure to choose a strong encryption password. Details are too complicated for a quick tip, but basically anything easy to remember is easy to guess. (My advice is here.) Unfortunately, this isn't a perfect solution. Your computer might have left a copy of the password on the disk somewhere, and (as I also describe at the above link) smart forensic software will find it.

So your best defence is to clean up your laptop. A customs agent can't read what you don't have. You don't need five years' worth of email and client data. You don't need your old love letters and those photos (you know the ones I'm talking about). Delete everything you don't absolutely need. And use a secure file erasure program to do it. While you're at it, delete your browser's cookies, cache and browsing history. It's nobody's business what websites you've visited. And turn your computer off - don't just put it to sleep - before you go through customs; that deletes other things. Think of all this as the last thing to do before you stow your electronic devices for landing. Some companies now give their employees forensically clean laptops for travel, and have them download any sensitive data over a virtual private network once they've entered the country. They send any work back the same way, and delete everything again before crossing the border to go home. This is a good idea if you can do it.

If you can't, consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it's easy to lose something that small. Slip it in your pocket, and it's likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: "I don't know what's on there. My boss told me to give it to the head of the New York office." If you've chosen a strong encryption password, you won't care if he confiscates it.

Lastly, don't forget your phone and PDA. Customs agents can search those too: emails, your phone book, your calendar. Unfortunately, there's nothing you can do here except delete things.

I know this all sounds like work, and that it's easier to just ignore everything here and hope you don't get searched. Today, the odds are in your favour. But new forensic tools are making automatic searches easier and easier, and the recent US court ruling is likely to embolden other countries. It's better to be safe than sorry.

This essay originally appeared in The Guardian.

Some other advice here.