The May 15 eWeek has a good survey of trusted computing solutions being implemented by several key OS vendors.
It’s a good read, but I couldn’t find the article on the website.
I recommend subscribing to eWeek. I’ve enjoyed it:
http://www.eweek.com/
In the April 24 issue of eWeek ran two articles of interest.
The first (p14) reported on two aspects of Microsoft’s vulnerability policy. One, Microsoft does not to disclose internally discovered software vulnerabilities. Two, Microsoft’s failing to disclose all the vulnerabilities being addressed in a given patch.
The second (p30) reports that malware threats are on the rise. The article reports that McAfee Avert Labs has received a 700 percent increase in reported rootkit attacks during the first quarter of 2006 as compared to Q1 2005.
Virus and malware writers have a distinct advantage over security professionals in this environment. Fundamentally, malware writers can focus all of their attention on detecting an attack vector for a specific product or technology. For example, a particular virus writer may focus specifically on Outlook vulnerabilities.
The security professional, on the other hand, generally has a much bigger footprint to defend. He not only has to worry about his Outlook users, but the web servers, email servers, firewall boxes, print servers, etc.
In order to balance the scales, a slew of security products have been added to the security professional’s toolkit. Antivirus, antispiware, rootkit detection tools, firewalls, are all commonplace.
Microsoft’s failure to disclose internally discovered vulnerabilities keeps the security industry from being able to protect its IT infrastructure. Microsoft claims the opposite. Microsoft contends that disclosing the vulnerabilities decreases security.
If Microsoft adopts a policy of disclosing vulnerabilities it discovers, proactive security solution providers will be able to take immediate action. Virus definitions could be written, firewall rules configured, software systems temporarily disabled or modified.
Instead, Microsoft leaves known vulnerabilities un-patched, and as the result, leaves its customers at the mercy of malware writers.
Bill
Pennsylvania has begun a program that will allow the notarization of documents using digital signatures. http://www.nationalnotary.org/news/index.cfm?Text=newsNotary&newsID=851
The program is called the Electronic Notary Seal (ENS) and relies on public key cryptography to perform the notarization function.
This program is interesting for two reasons:
First, this is a profound step in the acceptance of a digital signature as a legally binding. If I’m not mistaken, the validity of digital signatures in lieu of actual signatures, or notarization, has not been legally challenged.
Second, the use of legally binding digital signatures provides a path for increased transaction authentication.
Notaries currently perform the function of certifying copies, or of witnessing the signing of a document. Digital signatures can provide both functions. When a copy is made, if the digital signatures of the two documents match, they are identical. If an individual uses his private key to sign a document, it can be independently verified that he, and only he, signed the document.
Employing public key cryptography in the realm of notarization has the potential of decreasing the time and hassle of obtaining notary services without loss of security.
The logical extension of this kind of system is the general acceptance of individual digital signatures as a means of authenticating a digital item, without the need for a notary.
A secure Public Key Infrastructure (PKI) is required for any public key encryption scheme to work. The PKI must ensure that digital signature keys are distributed securely.
It is not clear how the ENS system tackles the PKI issue. It is also an open problem for how to deploy a PKI sufficient for the general public. Though vendors such as Verisign exist for this purpose, I don’t imagine the average Joe running out for a Certificate.
As digital signature systems become more widely used, fine grained transaction processing becomes a possibility. If users have easy access to a device that has their private key, each transaction the user initiates can be signed. Unless a thief obtains both private key and transactor (credit card, for example), unauthenticated transactions will become a thing of the past.
The ENS system is a good first step, and I’ll be excited to see where it leads.
As I’ve recently graduated with my Master’s Degree in Information Security, I thought I’d better start contributing to the cause.
Please feel free to comment, and if you’d like to post on a topic, please email me.
Bill