Now using smart cards for logon, email security and server administration

Mon, Apr 30, 2012 at 2:55PM

Security is something that can be achieved at varying levels. I have been raising our security to higher levels recently that go beyond the average protection most companies use to protect their data and customers.

It is possible for people you know to have their accounts compromised by an attacker. You may then receive emails from them asking you to do things that could steal your identity or your accounts. This is called "phishing" or "identity theft". One of our clients just had that happen to them, and it puts everyone they know at risk in addition to costing them time and money reviewing their accounts, changing passwords and worrying about future misuse of the stolen information. This client's attacker sent me a personalized email asking me to give them my aol/yahoo/gmail/hotmail password, crafted so that someone could easily get confused. I immediately knew it was a scam due to the URL in the address bar and warned the client, but other people wouldn't be able to tell what is safe and what is not.

Email security enhancements

One of the improvements to my security is that my outgoing email is now digitally signed, and signing requires my smart card plus its password. I put this message in my signature now to make people aware of it:

"My email is digitally signed for improved security using a smart card. If you use Thunderbird or Outlook, you will see a seal to let you know the email came from me. If you use webmail, you may see an smime.p7s attachment instead because it doesn't support this security feature.
It is possible to encrypt our communications; please ask me if you'd like to know how to do it."

My smart card cost about $25 and complies with federal standards for high levels of security. The email certificate was free from Comodo via this URL: http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html

You can also sign emails without a smart card, but then your private key (the secret) can be stolen by anyone who has access to your system. The private key can't be stolen from a physical smart card, because the entire purpose of a properly designed smart card is to keep the private key in an inaccessible location. This is important because the memory of Linux, Mac and Windows systems can't be protected 100%. If someone gains access to your system, they can potentially copy all of its memory and locate your private key without your knowing it. At that point they can impersonate you and gain access to your protected systems. With a properly designed smart card, the key is never copied into your system's memory; the actual decryption is done inside the smart card's encryption chip. If someone steals your smart card, the cards are usually designed so that most attacks against them would be ineffective. Breaking into a smart card requires far more expertise and may even be impossible depending on the design of the card. For example, some are designed to self-destruct when tampered with.

Encrypting emails is also possible with extra steps

If the recipient and sender both have an email signing and encrypting certificate installed and they email each other once, it becomes possible to encrypt their future emails. The first, unencrypted email is necessary because the software needs to store a copy of the other party's "public key" before it is able to encrypt data for them. The public key is always used to encrypt data; the private key is used to decrypt it. This same approach happens behind the scenes when you visit secure (SSL / https) web sites for payments, online banking, etc.

An encrypted email can't be viewed until your smart card (private key) and password have been entered. When the email is also stored in webmail like Gmail, it appears as an smime.p7s attachment and can't be viewed, so the email stays encrypted even on Google's servers. This also means you can't use webmail to view your encrypted emails without special add-ons (if they are available); you would always have to use Outlook or Thunderbird instead.
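The two points above, that the public key encrypts and only the private key decrypts, and that a smart card answers sign/decrypt requests without ever handing the host its private key, can be modelled in a few dozen lines. The following is an added example and not code from the post or from any smart card vendor: the `SmartCard` class, its PIN lock-out after three failures, and the textbook RSA with tiny constructed primes (p=61, q=53, e=17) are all assumptions made here for illustration; a real card uses a hardened chip and large keys, and real S/MIME encrypts a per-message session key rather than individual bytes.

```python
"""Toy model of 'the private key never leaves the card' (added example).

The host side (encrypt/verify) only ever receives the public key; every
private-key operation is a method call into the card that demands the PIN,
matching the post's 'smart card + password' requirement.
"""
from __future__ import annotations

import hashlib
import math
import secrets


class CardLockedError(Exception):
    """Raised once too many wrong PINs have been presented to the card."""


class SmartCard:
    """Holds the private exponent and exposes only sign() and decrypt()."""

    MAX_PIN_TRIES = 3

    def __init__(self, pin: str, p: int = 61, q: int = 53, e: int = 17):
        # Constructed toy parameters (assumption): n = 3233, d = 2753.
        self._n = p * q
        self._e = e
        phi = (p - 1) * (q - 1)
        assert math.gcd(e, phi) == 1
        self._d = pow(e, -1, phi)   # private exponent; no accessor exists for it
        self._pin = pin
        self._failed = 0
        self._locked = False

    def public_key(self) -> tuple:
        """The only key material that ever crosses to the host."""
        return (self._n, self._e)

    def is_locked(self) -> bool:
        return self._locked

    def _check_pin(self, pin: str) -> None:
        if self._locked:
            raise CardLockedError("card is locked")
        if not secrets.compare_digest(pin.encode(), self._pin.encode()):
            self._failed += 1
            if self._failed >= self.MAX_PIN_TRIES:
                self._locked = True     # models the card's lock-out / self-destruct
                self._d = None          # private key is no longer usable at all
                raise CardLockedError("card is locked")
            raise PermissionError("wrong PIN")
        self._failed = 0

    def decrypt(self, blocks: list, pin: str) -> bytes:
        """Decrypt inside the 'card'; the host never sees self._d."""
        self._check_pin(pin)
        return bytes(pow(c, self._d, self._n) for c in blocks)

    def sign(self, message: bytes, pin: str) -> int:
        self._check_pin(pin)
        return pow(_digest(message, self._n), self._d, self._n)


def _digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


# --- host side: only the public key is available here ------------------------

def encrypt(message: bytes, public_key: tuple) -> list:
    """Encrypt one byte per RSA block (toy-sized; real S/MIME wraps a session key)."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Anyone holding the public key can check the seal; nobody can forge it."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    card = SmartCard(pin="1234")
    pub = card.public_key()               # what the first, unencrypted email carries
    ciphertext = encrypt(b"meet at 9", pub)
    print(card.decrypt(ciphertext, "1234"))
    sig = card.sign(b"invoice", "1234")
    print(verify(b"invoice", sig, pub), verify(b"inv0ice", sig, pub))
```

The design point is the interface, not the arithmetic: an attacker who copies the host's memory finds `pub`, ciphertexts and signatures, none of which let them decrypt or sign, and repeated PIN guessing against the card object disables it rather than eventually succeeding.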

Protecting sensitive information is the law and you are obligated to comply

The government and banks both have a variety of requirements for protecting sensitive information. The definitions of sensitive information may vary by state, and there are also different compliance requirements for different industries, such as data related to credit cards, insurance policies, medical records, government records on private citizens and more. Failure to properly protect sensitive information is usually a failure to meet your obligations under your merchant account, cardholder agreements and state/federal professional business licensing requirements. This can result in substantial government administrative fines and penalties, a disruption to your business, a loss of reputation, and possibly even criminal charges if it can be proven that the neglect or fraud was intentional. Having good security is more important than many people think.

Encrypted email can enable you to safely include sensitive personal information like a driver's license, social security number or financial information, assuming you follow the other requirements for the security of your computer, network and physical location. Failure to encrypt and securely store and transmit this information is illegal.

Digital signature improves customer confidence

Even if you don't encrypt email, a digital signature at least helps customers know it's really you without inconveniencing them with certificate setup steps. It also makes sending passwords and accounts between staff/contractors safer. It is more likely that I'd use this more with contractors / staff than with clients, but if a client is interested in security, we can consult with them to bring higher levels of security to their business.

Email security requires overall network and computer security too

Of course, if your computer's security is breached, your data is still at risk, but encryption prevents people from getting access to the data by snooping on the network anywhere between you and the recipient. Email passes through as many as 40 different routers/servers before it reaches the recipient, and it is also stored or inspected in plain text at many locations. If any of those systems are compromised, your email may be captured by the attacker. Wireless internet is even worse for security without encryption and good security practices. With the email encrypted, even the NSA (National Security Agency) shouldn't be able to see the contents. In fact, a lot of these security systems were developed or audited by the government so that the government can better protect itself and inform or provide tools to the private sector.

Security is also improved when people on both sides make an SSL connection to their email host, but the email is not encrypted while it sits on Google's servers or on your hard drive. Also, just because you are using SSL, you don't know whether the person on the other end will. Further, Google would send email to other servers without SSL, so when the email goes from Google to Yahoo there is no protection unless you encrypt the email itself.

Smart cards protect more than email

The same smart card is also able to protect:
The Windows logon
Firefox/Chrome/Internet Explorer web site logins (when a web site is set up to request a client certificate)
Linux server SSH login (including secure FTP), which requires the smart card certificate instead of a password. This also protects the database and application server via SSH tunneling.

Upgrades to our web site manager logins coming soon

Our web site administrative features will soon have the option to require a certificate to log in. I have been thoroughly planning a secure login system. If the client chooses the most secure option, this security will be equivalent to the client using a 40-character randomized password to log in, plus the attacker would need access to the client's computer to break into their account. Here is an example of what such a password would look like:

AUIHN3290ANASHO893240182KQPNVKAUQH018NF

That number, when converted to the decimal system, is something like billion * billion * billion possible password combinations. If our entire database were stolen, the number of accounts that could be broken into in a reasonable amount of time would be extremely small, and it may even be impossible for an attacker to decrypt the data. It depends on how many resources they have and how long they try. It could take them years just to get the password for one account. If clients use a smart card instead of a file on their disk for the certificate, they are protected even better, since a hacker gaining access to their system wouldn't be able to do as much damage. If someone gains access to your system, you definitely need to fix that though. You must be able to trust the security of your computer before accessing or storing sensitive information.

Your account might not have much sensitive data on it, but the reality is that many people use the same passwords for all their accounts. So if our database were stolen, someone might be able to log in to your other accounts (bank, Amazon, PayPal, eBay, your computers, etc.). This is the main reason why I'm going to great lengths to protect our passwords in the future. There is always a trade-off of convenience vs security. Your password can never be recovered, only reset. The login process may take slightly longer to load later. This is intentional: if we use algorithms that are designed to be slow, an attacker will have to work exponentially longer to be able to gain access. Our accounts already block logins after a certain number of failed attempts, so this extra security is really about protecting the database on our server with advanced encryption techniques.
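The two ideas in the preceding section, a long randomized password like the sample above and server-side storage that is deliberately slow and can only be checked, never recovered, can be shown with the Python standard library. This is an added example, not the post's own login system: the record format `pbkdf2_sha256$iterations$salt$hash`, the 200,000-iteration default, the alphabet used for generated passwords and the function names are all choices made here.

```python
"""Slow, salted password storage plus random password generation (added example).

The stored record lets the server *check* a password but not *recover* it,
and the work factor recorded with each hash can be raised over time so that a
stolen database costs an attacker far more per guess.
"""
import hashlib
import hmac
import secrets
import string
import time

# Constructed defaults (assumption); real deployments tune these to their hardware.
ALGORITHM = "sha256"
DEFAULT_ITERATIONS = 200_000
PASSWORD_ALPHABET = string.ascii_uppercase + string.digits   # same shape as the post's sample


def random_password(length: int = 40) -> str:
    """Generate a randomized password from a CSPRNG, one character at a time."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<alg>$<iterations>$<salt hex>$<hash hex>."""
    salt = secrets.token_bytes(16)           # unique per account, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algorithm = scheme.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(
        algorithm, password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than current policy.

    Call this after a successful login and re-store hash_password(password)
    so old records are upgraded transparently; the plaintext is never kept.
    """
    return int(record.split("$")[1]) < iterations


def checks_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many verifications this machine can do per second at a given cost."""
    record = hash_password("benchmark-only", iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("benchmark-only", record)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    pw = random_password()
    print("generated:", pw)
    rec = hash_password(pw)
    print("stored:   ", rec)
    print("correct password accepted:", verify_password(pw, rec))
    print("wrong password accepted:  ", verify_password(pw[:-1] + "X", rec))
    for cost in (1_000, DEFAULT_ITERATIONS):
        print("%7d iterations -> %.1f checks/s" % (cost, checks_per_second(cost)))
```

The benchmark at the end makes the trade-off concrete: the legitimate login pays the cost once, while anyone working from a stolen copy of the table pays it for every guess against every account, and the iteration count stored in each record lets the cost be raised later without resetting anyone's password.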

A more comprehensive security plan

If the client goes through the process of having better security through the use of a smart card, it is wise to also protect their Windows logon and to use full disk encryption software like BitLocker in Windows 7 Ultimate. This protects the computer when it is physically stolen. You also want to buy a computer that has a TPM chip on the motherboard. This prevents the hard drive from functioning on another computer without the 42-character recovery key. The TPM chip can also be configured to require the recovery key after multiple failed login attempts. The 42-character password generated by BitLocker is far more secure than what most people use to log in, so this security is quite good, since most people will be unable to guess your password given just 10 or fewer chances before the 42-character one is required. It is recommended you print out the recovery keys and store them in your bank safety deposit box so that they are not in your home or office at all.

It is highly recommended for anyone using computers at an office or laptops to encrypt the hard drives and backup drives with strong passwords, since the physical security risks are much higher with these devices. Adding a smart card makes it impossible to guess the system password, since the smart card must be inserted before a password can be accepted. If someone does discover your smart card password, they still need to steal your smart card and have access to your computer at the same time. If your smart card is stolen, you would usually know that quickly since it is on your key chain. You would want to revoke your certificates and set up a new smart card quickly. In most cases, you should be able to do this before someone is able to gain access to the system. Due to all the other protections on the system, a breach of security should be limited in how much data someone can acquire. I am working hard to make the attack surface area as small as possible so that any unusual behavior will quickly be discovered.

Your smart card can be on your key chain, with a duplicate in your bank safe. If you lose the smart card, the copy in the bank can be used to make a new duplicate, reset your password and get new certificates. If you leave a computer at the office, it is also possible to log on remotely with the smart card. You'll also have greater confidence that someone breaking in won't be able to maliciously use your data.

It is also helpful to use online password managers such as lastpass.com. When properly configured, it becomes more difficult for someone to get all your passwords. Usually, when you save a password in your browser when logging into a web site, it is not protected at all; someone gaining access to your system would be able to view all of your account passwords in just seconds. When you install LastPass, it has the ability to delete these passwords, and you can also set the browser to no longer store them. This lets you protect the LastPass software with one password that unlocks your other passwords. It is also easier to use complex passwords, since LastPass remembers them and types them in for you. Having strong passwords not only protects your accounts on your computer, but can also protect your data if someone steals the database of the service provider. Often the people who have their identity stolen in a data breach are using passwords that are too easy to guess. Want to see how strong your password is? Check out this simple form which calculates the time needed for someone to guess your password: http://howsecureismypassword.net/

Computer security consulting services

If you are interested in the security technologies listed above and would like to learn how to implement these across your organization, please contact us today.

