Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil.   The Brazilian police seized 500 TrueCrypt protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes.  In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success.  They then turned to the US FBI, who ran dictionary attacks against the encryption for another year.  No joy.  As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information.  First, choosing a strong (long non dictionary word with special characters, numbers and the like) password is still an integral part of good basic meat and potatos security practice.  Second, if the FBI is unable to crack a TrueCrypt protected drive without the user having chosen a boneheaded password, it seems like the program  is a good and cost effective choice for protecting personal data as well as in small business environments.  The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepeneurial crypto programmer.

I’m planning a Vegas double header this July, attending both Security B-Sides and DefCon.  I’m planning to blog/tweet during the festivities and would love to meet up with any of my readers… dm me (@alberg) when you are there… and if you are not planning to attend, consider it – both of these events are great places to learn security-fu, meet your peers (as well as many people whom you would not typically meet up with), and for the corporate types amongst us (myself included), they are very cost effective uses of your training budget dollars.

Nickel slot machines, here I come!

This week, we’ve seen some press wondering whether Microsoft’s and the NSA might have cooperated to place secret back doors in Windows 7 to allow the spooks to access all of our computers (as well as those of the bad guys). Hackles were raised when a senior NSA official testified before Congress that the agency had “assisted” Microsoft with security for the new OS release.   According to the NSA and Microsoft, the assistance provided was limited to the production of a security configuration guide for the new OS and did not include any special access methods for the agency.

So, is Microsoft helping the NSA get access to millions of computers worldwide?  Probably not… Microsoft would be risking its customer base worldwide if news of such a backdoor were to leak.   But this incident does reveal a perceptual conflict in the NSA’s information assurance and SIGINT missions.  Maybe it is time for the government to separate the jobs of protecting information and gathering information.

One of the issues that the private sector has with taking security advice from the NSA is the perception that the NSA is in the business of protecting (and swiping) state level secrets.   After all, widget production figures don’t need the same level of protection as the nuclear launch codes.  I think a lot of security professionals pass the NSA documents by because of this perception.  What would be really great would be a separate release of private sector versions of these types of documents from a less ominous and more civilian oriented agency.  For example, the Windows 7 Security Compliance Management Toolkit (which the NSA assisted in preparing) could be a starting point for much less complicated sets of instructions aimed at:

• Home users
• Educational institutions
• Small and medium sized businesses
• Large enterprises
• Critical Infrastructure Providers
• Financial Institutions

I’ll take this a step further… I would like to see these documents form the basis of a description of the minimum level of due care that any enterprise handling the information owned by others or controlling critical infrastructure must meet.  Having some very basic standards (and some teeth to back them up) would do two things:

• Provide incentives to enterprises to secure their systems
• Provide a generally accepted security baseline
• Provide small and medium sized businesses who don’t have a high level of security expertise in house with a clear and concise roadmap (and instructions) as to what they need to do.

I think that there would need to be private sector involvement in developing these documents, of course.  It would be a large undertaking, but I think it would also be a large step in the fight against cybercrime and cyberwarfare.

DANGER!

I take this as a good omen for the starting of my blog… today, Apple Insider reports on a gentleman from St. Louis, MO who filed a 128 page lawsuit against Apple Computer – and with good reason! It seems that the Mafia and Apple conspired to placed devices in his iPod to not only track his location, but also to inject threatening messages into his music. All of this was allegedly in furtherance of a plot dating back to 2000 in which the plaintiff was threatened by the Mob that if he didn’t go to New York and get into fashion modeling for them, he would be killed.

I for one applaud this brave American’s willingness to take on Apple… and the Mafia… and reality. It is about time that we iPod owners can stop having to worry about being forced to become fashion models! Power to the paranoid!