NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY 09/07/04 Today's focus: An iron vault for passwords
Today's focus: An iron vault for passwords
By M. E. Kabay

How do your users handle so many passwords? Badly, I'm sure. I recall one poor, overworked system administrator whom I met on a security assessment of a large corporation some years ago; he sheepishly admitted that he had 15 administrator passwords and kept them written in plaintext on a piece of cardboard in his wallet.

One of the oldest social engineering tricks around is for a criminal hacker to get a sys admin drunk or sleepy and then rifle through his or her belongings in search of such a list. It's known as a bingo card because finding it makes the hacker say, "Bingo!"

Some users store their passwords in files.
Putting passwords in an unencrypted, unprotected file is little better than writing them on cardboard, and so people have been turning to a more sophisticated approach: using special password storage programs that provide encryption and access controls. When a user visits a Web site, the password utility fills in the right user ID and password; some products go further and fill in names, addresses and even credit-card numbers. Examples include:

* Advanced Password Manager
  <http://www.rayslab.com/password_manager/password_manager.html>
* Internet Explorer's own AutoComplete and Profile Assistant functions
  To manage these functions in IE v6, use Tools | Internet Options | Content
* KeyPass from Dobysoft
  <http://www.dobysoft.com/products/keypass/>
* LoginWallet for Macintosh
  <http://www.public.asu.edu/~cjfoste/LoginWallet/>
* My Password Manager 0.1 for Mac and Unix
  <http://www.nwfusion.com/nlsec564>
* Norton Password Manager (part of the Norton SystemWorks suite)
  <http://www.symantec.com/passwordmanager/>
* Opera browser's own Wand function
  To manage this function in Opera v7, use Tools | Preferences | Security | Manage Wand passwords
* PasswordLock
  <http://www.internetpeace.com/pwlman/password_wallet.htm>
* Password Manager XP
  <http://www.cp-lab.com/>
* Password Wallet from InfoCard
  <http://www.winsite.com/bin/Info?4000000037217>
* Password Wallet from TigerSoft
  <http://www.inet.hr/tigersoft/pwallet.htm>
* PasswordWallet for PalmOS and for Macintosh
  <http://www.selznick.com/products/passwordwallet/>
* RoboForm
  <http://www.roboform.com/>

Naturally, with all this ultra-sensitive information in a single location, the password file is a tempting target for attackers. Its protection is also only as good as the master password that unlocks it and the software that holds the decryption key in memory; an attacker who already controls the host can go after both. Lark Allen is executive vice president of Wave Systems. He recently wrote to me about protecting centralized password files using hardware controls.
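Before turning to Allen's hardware-based approach, here is what the software-only approach shared by the products above boils down to. This is an added example, not code from the newsletter or from any product listed: a wallet file encrypted under keys derived from a master password, with the whole file authenticated so that a wrong password or a tampered file is refused rather than silently decrypted to garbage. It uses only the Python standard library; the PBKDF2 iteration count, the use of an HMAC-SHA256 counter-mode keystream in place of a block cipher, and the sample entries are assumptions of the example.

```python
# Added example (not from the newsletter or any listed product): a minimal
# master-password wallet. Keys come from PBKDF2-HMAC-SHA256; confidentiality
# from an HMAC-SHA256 keystream in counter mode (a PRF-based stream cipher,
# standing in for a block cipher the standard library lacks); integrity from
# a separate HMAC-SHA256 key over the whole file, checked before decryption.
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000   # assumption: raise as hardware allows; it slows guessing too


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(key, nonce || counter) blocks; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_wallet(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the entries; file layout is salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_wallet(master_password: str, blob: bytes) -> dict:
    """Verify the tag first and only then decrypt; a wrong password and tampering look alike."""
    if len(blob) < 64:
        raise ValueError("wallet file truncated")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or wallet file modified")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext))


def credentials_for(master_password: str, blob: bytes, site: str) -> tuple:
    """What a form-filler needs: the (user ID, password) pair for one site."""
    entry = open_wallet(master_password, blob)[site]
    return entry["user"], entry["password"]


def demo() -> dict:
    """Constructed sample entries; reports whether each protection behaved as intended."""
    entries = {"mail.example.com": {"user": "alice", "password": "Correct-Horse-42"}}
    blob = seal_wallet("my master phrase", entries)
    results = {"round_trip": open_wallet("my master phrase", blob) == entries}
    try:
        open_wallet("my master phrasf", blob)          # one character off
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    tampered = bytearray(blob)
    tampered[40] ^= 0x01                                # flip one ciphertext bit
    try:
        open_wallet("my master phrase", bytes(tampered))
        results["tampering_detected"] = False
    except ValueError:
        results["tampering_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The order of operations in open_wallet is the point: the tag is checked over the ciphertext before any decryption, so a tampered file never reaches the JSON parser, and a wrong master password is rejected without revealing anything beyond "no".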
The following is an edited version of Allen's comments:

* * *

Although existing systems use software security to protect logon information, we know that security breaches involving software vulnerabilities are a constant worry. To respond to this class of vulnerabilities, the Trusted Computing Group (TCG) has developed new security hardware specifications. A Trusted Platform Module (TPM) is a hardware security chip based on open industry specifications developed by the TCG. The TPM provides important new security functions such as:

* Secure storage - A place to protect secrets in hardware, including encryption keys for data and credentials for users and platforms.
* Authentication - The ability to determine that a user or a platform really is who they claim to be.
* Binding data to a platform - Assuring that sensitive information cannot be moved to other platforms without permission.
* Platform trustworthiness measurement - Determining whether a PC can be trusted or has been compromised.

A TPM is currently being shipped in some PCs from Fujitsu, HP, IBM and Intel. Many companies are working on applications that take advantage of the hardware security of the TPM. Wave Systems' Private Information Manager (PIM) is the first TPM-protected wallet for managing personal information, including identities and passwords. The PIM wallet uses the TPM hardware to protect the keys for encrypting the sensitive information held in the wallet. In addition, the TPM is used to authenticate the user as part of the wallet's access controls. Strong multifactor authentication, including the use of a biometric fingerprint, with or without an associated password, can be specified and applied to individual wallets for different people.

Some attacks install a keystroke logger on the user's PC to collect passwords, PINs, and other personal information as users enter their account and password data.
Wave's PIM wallet does not allow the login information that it automatically fills in for the user to be captured by keystroke loggers. The TCG is continuing its work to improve security on cell phones, personal digital assistants, peripherals, and other devices. Trusted computing should not only increase protection of user information but also simplify the user's life in dealing with the new electronic world.

* * *

As a matter of record, I have no financial interest whatever in any of the products or companies mentioned in this article. Inclusion of a product does not imply endorsement or recommendation; exclusion does not imply criticism.

- Mich

RELATED EDITORIAL LINKS

Trusted Computing Group
http://www.trustedcomputinggroup.org/

The Password Is... Confusion
http://www.technewsworld.com/story/18937.html

To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the Division of Business and Management at Norwich University in Northfield, Vt. Mich can be reached by e-mail <mailto:[EMAIL PROTECTED]> and his Web site <http://www2.norwich.edu/mkabay/index.htm>.
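Two of the TPM functions Allen lists, platform trustworthiness measurement and binding data to a platform, are what let a wallet key live outside the chip yet be usable only on the same machine in a known-good state. The following is an added example, not code from the newsletter, the TCG specifications or Wave Systems' product, and a toy model rather than a real TPM interface: the "chip" is a Python object whose root secret never leaves it, boot components are measured into a PCR in order, and a wallet key is sealed to the PCR value so that a modified bootloader, a different boot order or a different machine cannot unseal it. The boot component names, the single PCR, the HMAC-based wrapping and the 32-byte secret size are assumptions of the example.

```python
# Added example (not from the newsletter, the TCG or Wave Systems): a toy TPM
# showing measurement (PCR extend) and sealing a secret to platform state.
import hashlib
import hmac
import os


class ToyTPM:
    """Models only what the example needs: PCRs, extend, seal and unseal."""

    def __init__(self, pcr_count: int = 8):
        self._root = os.urandom(32)          # assumption: stands in for the chip's storage root key
        self.pcrs = [bytes(32)] * pcr_count  # PCRs start at zero on power-up

    def reboot(self) -> None:
        """A power cycle clears the PCRs; the root secret stays inside the chip."""
        self.pcrs = [bytes(32)] * len(self.pcrs)

    def extend(self, index: int, component: bytes) -> bytes:
        """PCR[i] = SHA256(PCR[i] || SHA256(component)); software can only extend, never set."""
        digest = hashlib.sha256(component).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def _policy(self, indices) -> bytes:
        """Digest of the selected PCRs as they are right now."""
        return hashlib.sha256(b"".join(self.pcrs[i] for i in indices)).digest()

    def seal(self, secret: bytes, indices) -> bytes:
        """Bind a 32-byte secret to the current PCR values; the returned blob may leave the chip."""
        assert len(secret) == 32, "example seals a 32-byte key"
        nonce, policy = os.urandom(16), self._policy(indices)
        wrap = hmac.new(self._root, b"wrap" + nonce + policy, hashlib.sha256).digest()
        wrapped = bytes(s ^ w for s, w in zip(secret, wrap))
        tag = hmac.new(self._root, b"tag" + bytes(indices) + nonce + policy + wrapped,
                       hashlib.sha256).digest()
        return bytes([len(indices)]) + bytes(indices) + nonce + wrapped + tag

    def unseal(self, blob: bytes) -> bytes:
        """Recompute the policy from the PCRs as they are now; any difference fails the tag."""
        n = blob[0]
        indices, rest = list(blob[1:1 + n]), blob[1 + n:]
        nonce, wrapped, tag = rest[:16], rest[16:48], rest[48:80]
        policy = self._policy(indices)
        expected = hmac.new(self._root, b"tag" + bytes(indices) + nonce + policy + wrapped,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("platform state changed or blob sealed by a different TPM")
        wrap = hmac.new(self._root, b"wrap" + nonce + policy, hashlib.sha256).digest()
        return bytes(s ^ w for s, w in zip(wrapped, wrap))


def measured_boot(tpm: ToyTPM, chain, pcr: int = 0) -> bytes:
    """Each boot stage measures the next into the PCR before handing over control."""
    for component in chain:
        tpm.extend(pcr, component)
    return tpm.pcrs[pcr]


def can_unseal(tpm: ToyTPM, blob: bytes, expected: bytes) -> bool:
    try:
        return tpm.unseal(blob) == expected
    except PermissionError:
        return False


def scenario() -> dict:
    """Constructed boot chains; reports which platform/state combinations recover the wallet key."""
    good_chain = [b"firmware 1.0", b"bootloader 1.0", b"kernel 2.6"]   # constructed stand-ins
    tpm = ToyTPM()
    measured_boot(tpm, good_chain)
    wallet_key = os.urandom(32)
    blob = tpm.seal(wallet_key, [0])            # enrolment: bind the key to this boot state
    results = {}
    tpm.reboot()
    measured_boot(tpm, good_chain)
    results["same_platform_same_software"] = can_unseal(tpm, blob, wallet_key)
    tpm.reboot()
    measured_boot(tpm, [b"firmware 1.0", b"bootloader (trojaned)", b"kernel 2.6"])
    results["same_platform_modified_bootloader"] = can_unseal(tpm, blob, wallet_key)
    tpm.reboot()
    measured_boot(tpm, list(reversed(good_chain)))
    results["same_components_wrong_order"] = can_unseal(tpm, blob, wallet_key)
    other = ToyTPM()                            # a second machine with its own root secret
    measured_boot(other, good_chain)
    results["other_platform_same_software"] = can_unseal(other, blob, wallet_key)
    return results


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:36s} {'unsealed' if ok else 'refused'}")
```

The design choice to notice is that unseal never consults a stored copy of the expected PCR values: it recomputes the policy from the live registers, and because software can only extend a PCR, not write it, the only way to reproduce the enrolment value is to boot the same components in the same order on the same chip.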
ARCHIVE LINKS

Archive of the Security newsletter:
http://www.nwfusion.com/newsletters/sec/index.html

Breaking security news:
http://www.nwfusion.com/topics/security.html
Copyright Network World, Inc., 2004
