Thursday, September 19, 2002

The state of Email encryption: GnuPG, PGP and PGP.Com

Recently, there have been some questions about the status of email encryption, both within the Company and for communication with external users. Currently, the Company has no policy or standards regarding encryption and encrypted email. We do support production processes using encrypted files. Specifically, PGP is used to exchange sensitive information with outside vendors for XXX and certain financial applications.

There are many other useful business tasks facilitated by Public-key cryptography. More information on this technology is available on our intranet server.


IT Audit and the Network and Data Security groups have been using PGP-Freeware with positive results. As explained below, use of PGP-Freeware for business communications is no longer permissible, under PGP.Com's interpretation of the license for that product.


PGP and GnuPG public key queries and key registration using Internet keyservers will work for HTTP keyservers (after configuration of the client proxy settings); however, registration and queries will not work using the LDAP protocol to servers on the Internet. Our team no longer operates an Intranet keyserver, due to a drive failure on our development machine.
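The HTTP keyserver traffic described above is plain HTTP, which is why it can ride the same outbound proxy as browser traffic while LDAP cannot. The following is an added example, not code from the original post or from any PGP or GnuPG product: it builds an HKP lookup URL, routes it through an HTTP proxy, and parses the machine-readable index reply (`info:`, `pub:` and `uid:` lines) that HKP keyservers return. The keyserver host, the proxy URL and the sample reply are constructed placeholders. (On the command-line side, GnuPG 1.x honours the `http_proxy` environment variable when `--honor-http-proxy` is set; that is the "client proxy settings" step for gpg.)

```python
"""Added example: HKP keyserver lookup through an HTTP proxy, plus a parser
for the machine-readable index reply. Not part of the original post."""
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

KEYSERVER = "hkp.example.invalid"                 # placeholder keyserver host
PROXY_URL = "http://proxy.example.invalid:8080"   # placeholder corporate proxy


def lookup_url(search, op="index", host=KEYSERVER, port=11371):
    """Return the HKP lookup URL for a key ID or e-mail search string.
    11371 is the conventional HKP port; 'options=mr' asks for the
    colon-separated machine-readable format parsed below."""
    query = urllib.parse.urlencode({"op": op, "options": "mr", "search": search})
    return f"http://{host}:{port}/pks/lookup?{query}"


def proxied_opener(proxy_url=PROXY_URL):
    """Opener that sends the HTTP keyserver request via the proxy.
    LDAP keyserver traffic has no equivalent, which is why it fails
    from inside the proxied network."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy_url}))


@dataclass
class KeyRecord:
    keyid: str
    algo: int          # OpenPGP public-key algorithm id (1 = RSA, 17 = DSA)
    bits: int
    created: int       # seconds since the epoch
    expires: Optional[int]
    flags: str         # 'r' revoked, 'd' disabled, 'e' expired
    uids: List[str] = field(default_factory=list)

    @property
    def revoked(self):
        return "r" in self.flags

    @property
    def expired(self):
        return "e" in self.flags


def parse_index(text):
    """Parse HKP index output. Line shapes:
    info:<version>:<count>
    pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
    uid:<%-escaped user id>:<created>:<expires>:<flags>"""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keyid, algo, bits, created, expires, flags = (fields[1:7] + [""] * 6)[:6]
            keys.append(KeyRecord(keyid=keyid, algo=int(algo), bits=int(bits),
                                  created=int(created),
                                  expires=int(expires) if expires else None,
                                  flags=flags))
        elif fields[0] == "uid" and keys:
            keys[-1].uids.append(urllib.parse.unquote(fields[1]))
    return keys


def usable_keys(text):
    """Keys a client should offer for encryption: neither revoked nor expired."""
    return [k for k in parse_index(text) if not (k.revoked or k.expired)]


# Constructed sample reply; not captured from any real keyserver.
SAMPLE_INDEX = """info:1:2
pub:0123456789ABCDEF:17:1024:1030000000::
uid:Kevin%20Example%20%3Ckevin%40example.invalid%3E:1030000000::
pub:FEDCBA9876543210:1:2048:1000000000:1020000000:r
uid:Old%20Key%20%3Cold%40example.invalid%3E:1000000000::
"""

if __name__ == "__main__":
    print(lookup_url("kevin@example.invalid"))
    for k in usable_keys(SAMPLE_INDEX):
        print(k.keyid, k.uids)
```

To perform a live query, pass `lookup_url(...)` to `proxied_opener().open(...)` and feed the decoded body to `parse_index`; the revoked second key in the sample is filtered out by `usable_keys`, which is the check a client must make before encrypting to a key it fetched from a public server.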


There are plug-ins for PGP and GnuPG for Outlook and Outlook Express, along with many other email clients. Microsoft has no plans to directly support PGP in Outlook, Exchange or Active Directory; instead, Microsoft provides integrated support for S/MIME, using the X.509 certificate format. Here is a (somewhat dated) comparison between the various protocols:

http://www.imc.org/smime-pgpmime.html


In general, S/MIME is easier to deploy in a Microsoft-centric (Exchange and AD) environment for purely internal communications, yet PGP/MIME (and now OpenPGP) is the de facto standard on the Internet.


The commercial PGP division was recently sold by Network Associates. There is a new "PGP.Com" site, with information on products and pricing:
http://www.pgp.com/faq.php

Will You Continue to Support Freeware Products?
Yes. PGP will continue the tradition of freeware products for non-commercial use. The next release of PGP freeware will be in November 2002 for PGP 8.0 for Windows and MacOS X. Customers using freeware products for commercial use - using PGP freeware to communicate with licensed business users - must immediately cease usage and purchase a commercial PGP license. Products can be purchased at https://store.pgp.com/.

Company employees using the "PGP Freeware" unlicensed application must immediately cease usage.

Promotional pricing for the commercial PGP product is available through October 31st. The promotional price for "Corporate Desktop" is $70, "PGP Mail" is $45. Prices are per-seat for any quantity; these prices will increase significantly on November 1st, 2002.
http://www.pgp.com/promo.php


An alternative to purchasing commercial PGP is to deploy GnuPG, the GNU-licensed freeware implementation:

  • http://www.gnupg.org/
  • http://www3.gdata.de/gpg/

Tuesday, September 17, 2002

SecurityFocus Article on EAS

Gotta love the FCC.

"Insecurity Plagues Emergency Alert System"
http://online.securityfocus.com/news/613

"Though it's not known to have ever been exploited, the spoofing risk is one of the factors quietly driving calls to reform the EAS"

Network World: "Spam filters revealing their darker side"

Last week's "Network World" has an interesting article (excerpts below) on the perils of keyword filters.

In our spam-filtering evaluation, we are taking the majority of the steps (and implementing all of the precautions) noted in the sidebar, with the exception of using IP-based "blacklists" to reject or otherwise limit incoming messages, based on the source IP address. I have tried using lists of "known spam sources" from free or commercial "RBL" services, but have not found any such blacklists that find the right balance between effectiveness and excessive false-positives.
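The balance the post is looking for can be measured rather than guessed. The following is an added example, not code from the post or from any RBL service: it forms a DNSBL query name the way mail filters do (reversed IPv4 octets under the list's zone, where an A record means "listed"), runs it against a constructed stand-in for the zone, and scores catch rate against false-positive rate on a constructed, hand-labelled sample. The zone name, the listed addresses and the sample log are all invented for the example; a real deployment would replace `resolve()` with a DNS A-record query.

```python
"""Added example: DNSBL lookup and an effectiveness vs. false-positive
evaluation over a labelled sample. Not part of the original post."""
import ipaddress

# Constructed stand-in for one blacklist's DNS zone (not a real list).
ZONE = "bl.example.invalid"
FAKE_ZONE_DATA = {
    "7.2.0.192.bl.example.invalid": "127.0.0.2",
    "9.2.0.192.bl.example.invalid": "127.0.0.2",
    "20.113.0.203.bl.example.invalid": "127.0.0.2",   # a legitimate sender, wrongly listed
}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list zone:
    192.0.2.7 under bl.example.invalid -> 7.2.0.192.bl.example.invalid."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve(name, zone_data=FAKE_ZONE_DATA):
    """Offline resolver stub: the A record text, or None for NXDOMAIN."""
    return zone_data.get(name)


def is_listed(ip, zone=ZONE, zone_data=FAKE_ZONE_DATA):
    return resolve(dnsbl_query_name(ip, zone), zone_data) is not None


# Constructed sample: connecting IP and the human verdict from the evaluation.
SAMPLE_LOG = """\
192.0.2.7 spam
192.0.2.9 spam
192.0.2.44 spam
203.0.113.20 ham
198.51.100.5 ham
198.51.100.6 ham
"""


def parse_log(text):
    """Return [(ip, is_spam), ...] from the labelled sample."""
    rows = []
    for line in text.splitlines():
        ip, verdict = line.split()
        rows.append((ip, verdict == "spam"))
    return rows


def evaluate(rows, zone=ZONE, zone_data=FAKE_ZONE_DATA):
    """Return (catch_rate, false_positive_rate) for the list on this sample."""
    caught = false_pos = spam = ham = 0
    for ip, is_spam in rows:
        listed = is_listed(ip, zone, zone_data)
        if is_spam:
            spam += 1
            caught += listed
        else:
            ham += 1
            false_pos += listed
    return (caught / spam if spam else 0.0, false_pos / ham if ham else 0.0)


def acceptable(rows, zone=ZONE, min_catch=0.5, max_fp=0.01, zone_data=FAKE_ZONE_DATA):
    """A list is fit to reject mail outright only if it catches enough spam
    AND almost never lists legitimate senders; the thresholds are assumptions."""
    catch, fp = evaluate(rows, zone, zone_data)
    return catch >= min_catch and fp <= max_fp


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("catch rate, false-positive rate:", evaluate(rows))
    print("fit to reject on:", acceptable(rows))
```

On the constructed sample the list catches two of three spam sources but also lists one of three legitimate senders, so `acceptable()` returns False: a list like that can contribute to a score but should not reject connections on its own, which is the same conclusion the evaluation above reached.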


"Spam filters revealing their darker side"
http://www.nwfusion.com/news/2002/0909spam.html

Monday, September 9, 2002

Wireless Network auditing tool

The "netstumbler" (Wireless network discovery for Orinoco) executable is attached, or can be downloaded from http://www.stumbler.net/


I have a small GPS receiver (no display, uses serial port with power from PS/2 keyboard port), if we want to do mapping around the perimeter of the main plant.

A few months ago, I drove around the public roads (outside the Company property line) and found many distinct wireless networks, mostly from apartments nearby; however, two appeared to be part of the main plant deployment (need to check MACs to be sure).

Saturday, August 24, 2002

policy on generic accounts?

We are in the final process of reviewing an update to the policy addressing exactly these concerns -- "generic" shared "role" accounts, service accounts, and automated processes. I have authored an amendment based on feedback from the network managers, IS Audit, and our CSO.


Our manager has received the policy for review.


The long-term solution is the implementation of mechanisms (such as single-sign on, "sudo" on Unix, and group permissions) to remove the necessity to share passwords. We realize that many of these approaches are not feasible in the current budget environment, and the password policy reflects this.


Regarding "role" accounts shared by multiple users, one of the most important requirements in the updated policy is that these passwords be changed every time an employee or contractor who had access to the password leaves (including external contractors after end of contract or when they leave employment with the contract firm, whichever comes first).


Would this "termination clause" in the new policy (over and above the standard change interval) pose an issue for your applications?


Kevin

Wednesday, June 19, 2002

IT Sec Spending Ratios

Little luck so far finding a ratio. Well, there is a Gartner report that they want $5K for that might have that figure...

http://www3.gartner.com/1_researchanalysis/focus/security2002.html

And I found these:

  • http://www.computerworld.com/securitytopics/security/story/0,10801,62002,00.html
  • http://www.landfield.com/isn/mail-archive/2001/Jun/0051.html


This is interesting:

Only 0.4% of a company’s revenue, on average, is dedicated to information security in the U.S. By 2011, however, that figure will accelerate tenfold to 4% of revenue for U.S. companies, according to Gartner Inc.’s total cost of ownership model for information security.

Monday, June 10, 2002

AT&T Managed Instant Messenger

The AT&T MIM offering appears to be a managed Jabber server, hosted on an AT&T server in their Internet facility, using an AT&T branded version of the commercial JIM client.

The AT&T pricing appears reasonable (compared to the software license quotes we have from Jabber). The AT&T offering appears to be for a "virtual server", where different customers share not only the same hardware, but also the same Jabber server instance. This presents security and performance issues.

Many of the key benefits of corporate IM are derived from hosting the messaging server(s) in-house (LDAP integration, security, reliability, etc). Outsourced IM service hosted on the Internet negates many of these benefits.

Monday, June 3, 2002

Adtran "sbox" vs Check Point SMB

We have not received the Adtran unit for evaluation. This week I am finishing evaluation of PIX, Nortel, and two AT&T products (one of which we have proven to have serious security exposures), and we need to make our decision very soon.

We have serious qualms about the security of any Check Point product, but we realize that a SOHO box is not going to provide "perfect" security. It appears that the Safe@Office is the minimum configuration for our purposes.

Thursday, May 30, 2002

Help -- Problems with new TrackerPod

I just received my TrackerPod+Camera last week, and have a problem with the TrackerPod ceasing function intermittently. The QuickCam Pro 3000 works great. (Odd that the standard Logitech base/stand was not included?)


I followed the directions to install the TrackerCam 3.01 software from CD and all the drivers to a Windows 2000 machine, start up the software, and it works, for about two minutes. Then the TrackerPod stops Tracking or moving at all, and every click on the movement buttons brings up a new IE window showing the flash demo -- VERY annoying, pops up several windows at once!


So I exit and re-run TrackerCam, and this time it reports an error at startup, a popup stating "TrackerPod not found!".


Reboot, and the cycle repeats, everything works for the first two minutes, then the 'pod stops functioning but the camera keeps going fine. Reboot again, and the pod doesn't work at all this time. Or sometimes it will work for a second (move slightly) then stop.


This is on a Toshiba Tecra laptop with two built-in USB ports; the TrackerPod and camera are the only devices connected to the two ports, using the supplied cable for the TrackerPod. When the 'pod stops working, both the built-in info page in the TrackerCam software and the system settings page show the second USB port as unused, nothing connected, 500mA used by the camera and 500mA available for additional USB hardware.


Lastly, I tried using a powered hub, thinking that the TrackerPod was drawing more than the rated 500mA. This works just a bit better, with the TrackerPod being able to pan/tilt a few degrees, then stop. But it does not resolve the problem.

Monday, May 20, 2002

Strange video noise with "Quickcam Pro USB" and TrackerCam 3.01?

We have a QuickCam Pro (older model), attached to an IBM Netfinity server with built-in S3 video card.


The camera works in all modes including 640x480, with the software from Logitech, and with third-party software from other vendors, with no "noise". Under TrackerCam 3.0 or 3.01, the display always has "noise". The noise does not appear in saved frames, only on the display.


If set to size "2" (176x144), there is a small white horizontal stripe on the right side of one of the first scan lines. At size 3 and above, there is continuous video noise throughout the displayed image, primarily seen as two fast-moving vertical stripes of video "noise", in the center and far-right side of the displayed video window.


The PC is an IBM Netfinity with only the on-board S3 (Trio3D) video card. Is this "noise" an expected effect of using the on-board video card in this PC?

Thursday, May 16, 2002

Network Monitoring Tools

Realtime monitoring is a particularly difficult application to implement; many monitoring products themselves can have a detrimental effect on the systems being monitored. This is one reason that WAN monitoring instrumentation needs to be implemented by our team, to avoid disruption to the WAN/routers.

Our team currently uses a combination of HP OpenView, VitalNet, and other software for our network "health" information and alerting. In other enterprises (Ameritech) I have previously used Concord (http://www.concord.com/) products to the same effect. All of these solutions provide useful statistics (but not mapping) and are limited in their ability to detect and deal with dependencies.


There are applications which provide a map display such as Don envisions, some in real time; these are generally among the more expensive products. I have been working on a limited open-source application (http://sourceforge.net/projects/netmap/) providing some of this functionality, and the graphing and display issues involved are just the tip of the iceberg.


There are several map-capable products that could be considered; I've heard good things about these three:

  • http://www.ipswitch.com/Products/WhatsUp/monitoring.html
  • http://www.lanware.net/NetworkManagment.asp
  • http://www.intermapper.com/



The most recent NWFusion buyers guide for Network Monitoring I can find (http://www.nwfusion.com/bg/netmon/netmon.jsp) was published in 1999, and is sorely out of date. They still list NetMetrix and other non-existent products, and there are probably many new products in this arena which are not included. Perhaps there are other, better, resources for locating vendors?
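"Dealing with dependencies" in the post above means not paging on twenty dead hosts when the one router in front of them is what failed. The following is an added example, not code from the post, from the netmap project or from any of the products listed: it derives each node's upstream dependency from a link map by breadth-first search from the monitoring station, then splits a set of failed probes into root causes and suppressed consequences. The topology and the failed-probe set are constructed for the example.

```python
"""Added example: dependency-aware alert triage from a link map.
Not part of the original post or of any product it mentions."""
from collections import deque

# Constructed topology as undirected links; "nms" is the monitoring station.
LINKS = [
    ("nms", "core-switch"),
    ("core-switch", "wan-router"),
    ("core-switch", "server-a"),
    ("wan-router", "branch-router"),
    ("branch-router", "branch-host-1"),
    ("branch-router", "branch-host-2"),
]


def adjacency(links):
    """Undirected adjacency sets built from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachability_tree(links, station):
    """BFS from the station; parent[n] is the node through which the
    station first reaches n, i.e. the device n's probes depend on.
    Nodes the station cannot reach at all are simply absent."""
    adj = adjacency(links)
    parent = {station: None}
    queue = deque([station])
    while queue:
        node = queue.popleft()
        for nbr in sorted(adj.get(node, ())):   # sorted for deterministic trees
            if nbr not in parent:
                parent[nbr] = node
                queue.append(nbr)
    return parent


def triage(links, station, down):
    """Split failed probes into (root_causes, suppressed).

    A failed node is a root cause if no device on its path back to the
    station is also down; otherwise it is recorded under the nearest
    down ancestor, which is the alert worth acting on."""
    parent = reachability_tree(links, station)
    down = set(down)
    roots, suppressed = [], {}
    for node in sorted(down):
        ancestor = parent.get(node)
        cause = None
        while ancestor is not None:
            if ancestor in down:
                cause = ancestor
                break
            ancestor = parent.get(ancestor)
        if cause is None:
            roots.append(node)
        else:
            suppressed[node] = cause
    return roots, suppressed


if __name__ == "__main__":
    # Constructed failure: the branch router dies, taking its hosts with it,
    # and an unrelated server fails at the same time.
    failed = {"branch-router", "branch-host-1", "branch-host-2", "server-a"}
    roots, suppressed = triage(LINKS, "nms", failed)
    print("page on:", roots)
    print("suppressed:", suppressed)
```

With the constructed failure set the operator is paged for `branch-router` and `server-a` only; the two branch hosts are attributed to the router. The same tree is what a map display draws, which is why mapping and dependency handling tend to come from the same data.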