ePassports Aim to Add Security, Lessen Lines
A Peach of a WLAN
• Enterprises Spending Smarter on Security • When Spam Attacks
• Thanks, But No Thanks
On September 4, the U.S. State Department began issuing chip-embedded passports in the hopes of improving border security and shortening lengthy airport lines. The new passports, which are being produced by Infineon Technologies and NXP Semiconductors, will be read by electronic scanners at equipped airports and will include an RFID chip containing all of the same data as paper passports, plus a digital photo and, potentially, digital fingerprints, iris scans and other information.
The State Department hopes the ePassports will help prevent data and identity theft, though they create new security concerns of their own. To secure the ePassports, metal is embedded in each passport’s cover and spine to prevent data from being grabbed or “skimmed” from the passport. Secondly, a Basic Access Control (BAC) technology requires that a special key on the passport is read electronically before access to its data is granted. A new Random Unique Identification feature will also help cut down on the risk of a holder being tracked. And lastly, an electronic signature, called a public key infrastructure (PKI), will prevent the alteration or modification of the information on the chip and will allow authorities to validate it.
Enterprise security developer SafeNet protects the chip’s embedded data via a PKI, which ensures that a person’s signature can’t be grabbed—even by the security personnel working with the information. “With SafeNet [and PKI], information goes directly inside the machine and stays there,” says Christopher Holland, director of product management for SafeNet. “No one is aware of it.”
Holland is confident that the implementation will help prevent identity theft and misuse. “The problem with passports today is that as people get more sophisticated, they can copy them,” says Holland. “An ePassport solves that problem, because it’s impossible to forge one. If I took your ePassport, I could still copy your picture and name [by wirelessly swiping data from the chip with a reader] if I got within a few feet of you. However, I wouldn’t be able to copy your signature, and I’d still have to look like you, or have your fingerprint.”
Since the chip’s data is also encrypted, the possibility of misuse is practically zilch, says Holland. “There’s nothing sinister about this [ePassport]. “I think it’s going to reduce the incidence of passport fraud, and I think it’s going to simplify the job of the person verifying the [passport] holder.” Not all passports will contain the technology until it’s fully rolled out—a process expected to begin in early 2007. Existing passports lacking the electronic chips will remain valid until their normal expiration dates.
A Peach of a WLAN
Georgia’s State Capitol building has two IT infrastructures under its dome, one for the legislature and one for the governor’s office. After a drive-by hacker breached security for the legislature’s Wi-Fi network, Governor Sunny Purdue demanded that his office’s Wi-Fi network be re-built from the ground up to ensure total security. He also mandated that every current and newly hired staff person receive individual network security training.
Al Yelverton, director of network administration for the Georgia Technology Authority (GTA), reports that this approach has worked very well. “We’ve had no breaches that we can identify, and there’s no opportunity for unauthorized users to stumble into the back-office infrastructure. If someone tried to hack in, that access point would capture the hacker’s IP address and automatically shut down.
This hands-on approach to training the Governor’s staff ensures that employees are instilled with the proper level of urgency and detail. “Otherwise, you give them the information in their employee handbooks, they just sign the last page saying they received it, but they never read what’s inside,” says Yelverton. Whether enterprises deploy Wi-Fi within the organization, or have mobile workers using devices in the field, involvement by line-of-business managers and senior executives is key to maximizing the value security applications offer.
GTA selected products from AirDefense to meet its security needs. Companies such as AirMagnet, Juniper Networks and Aruba Networks also offer products that address the security of Wi-Fi networks within the enterprise. Nokia’s Intellisync line of products, Safend and SmartLine are three vendors that sell software for remotely managing security on mobile devices.
Enterprises Spending Smarter on Security
With so many highly publicized incidents of identity theft, malware and hacking in the news as of late, it’s no surprise that IT security has become a looming issue in the enterprise. More surprising are the findings of a recent Merrill Lynch study of U.S. chief information security officers, predicting a nearly 9 percent drop in IT security spending over the second half of 2006.
There are several chief reasons for the forecasted slowdown, says Khalid Kark, senior analyst at Forrester Research. First, many products now offer security, even products that aren’t necessarily considered “security” products—cell phones, routers, servers and zip drives—and the cost of these items wouldn’t be included in a security budget. “Security is now considered part of a product’s functionality, so it [usually] comes embedded in the product,” says Kark.
Also, prior to 2004, enterprises spent a greater amount on a wider range of products that weren’t able to deliver the desired outcome—hence the surplus of security breaches in the news these days—so companies are being more cautious. “Executive management is growing skeptical,” says Kark. “They want quantifiable, justifiable numbers and budgets to show them results.”
However, the decrease in budget numbers may be temporary, since many businesses are carefully planning security upgrades to ensure reliability. “Software suites tend to be more cost-effective, so we’re seeing most security managers investigating ‘bang for their buck,’ as well as the easiest [security system] to integrate into their business. Management has realized that maybe we need to tighten the purse strings a bit. There won’t be a significant increase, but there’s going to be some increase [once the upgrades begin],” adds Kark.
Although the study might initially appear shocking, its bottom line is that businesses are attempting to spend IT funds more effectively—and hopefully making fewer mistakes. “At a glance it looks like pretty contradictory data,” says Kark, “but it’s really because [the enterprise] wants more value for their security dollar.”
When Spam Attacks
“SPAM was something tolerated in the pre-digital era,” says Vince Kadar, CTO of AirWide, a company whose products secure more than 110 million mobile devices globally. “It was the unwanted flyer left of the doorstep, the deluge of paper coupons in the mailbox, the inserts in your favorite magazine.”
In the digital world, SPAM started as a plain text email—a message created to push the recipient to a Web site and hopefully close a transaction. But as technology became more sophisticated, SPAM became more than just a nuisance—it became dangerous.
Today, viruses can attack a mobile device in a number of ways: via the mobile operator’s data network; through messaging mechanisms such as MMS, email and downloads; by way of Bluetooth; and, in the near future, via Wi-Fi and WiMAX.
Fortunately, companies such as AirWide and McAfee are hip to the plight of mobile users. McAfee’s VirusScan Mobile, which currently supports more than 100 mobile devices on the Symbian 60, UIQ and Windows Mobile 2003 and 5.0 platforms, automatically scans and cleans in-bound and out-bound emails, Internet downloads, text messages and attachments with a reported impact of under 200 milliseconds.
AirWide’s Kadar urges customers to attack fraudulent activities from the three major points in the messaging chain. The battle begins with value-added service providers (VASPs). AirWide Solutions enables mobile operators to better control VASPs, ensuring that they respect service-level agreements and use mobile infrastructure within predefined boundaries. Next they take the fight to the mobile operators’ infrastructure by monitoring traffic to detect abnormal patterns, confirm legitimate senders, filter content and block suspicious messages. Finally, AirWide focuses on subscribers by allowing mobile operators to share spam control with their subscribers, allow them to black-list certain phone numbers and block messages coming from those phones.
Thanks, But No Thanks?
This August, SMobile Systems launched VirusGuard (see page 43 for more details), a product with the valiant intentions of protecting BlackBerry users from viruses.
“By working closely with wireless operators, device manufacturers and enterprises around the world, SMobile can deliver a solution to protect millions of BlackBerry users, without limiting the full BlackBerry experience,” said Neil Book, president of SMobile, after discussing malware attacks to BlackBerry demonstrated at the DEFCON hacker convention in Las Vegas.
Research In Motion, however, is doubtful it needs the helping hand.
“It is inaccurate to suggest that a virus, or any application in general, can be passed through an email attachment to an unsuspecting BlackBerry user,” says Scott Totzke, director of RIM’s Global Security Group. “The BlackBerry software does not allow the user to download applications sent as attachments to email messages. Further, the BlackBerry Enterprise Server converts (i.e., transcodes) attachments into a format that is viewable on a BlackBerry handset, thus the native file is never delivered to the handset and risks associated with attacks such as macro viruses are eliminated.” Depending on whom you listen to, you can ignore the virus warnings at your risk, or your leisure.