BestInternetSecurity.net

Information Security Resources


Archive for the 'Operations Security' Category



How to Use TrueCrypt (USB Data Encryption) on a Computer without Administrative Rights

Wednesday 20 August 2008 @ 7:46 am

Referring to my post about TrueCrypt, I mentioned a disadvantage of using this software — you cannot use it on a computer without administrative rights.

Actually, there is a third-party GUI interface program that can be run on a computer without administrator rights, and you are still able to access the container file of TrueCrypt upon supplying the correct password.

This software is called TCExplorer, and you can access it for free here:

http://www.codeproject.com/KB/files/TCExplorer.aspx

I have been testing this for a while and I think it’s a great piece of software, especially if you want to use a TrueCrypt file on a public computer.

Here are some notes about using this software:

  1. TCExplorer cannot manage the TrueCrypt file created by the latest version. I tried this software on a container file made with Version 6.0a without success. Based on information in the author’s release information, I tried the earlier version of TrueCrypt back to 2007, such as Version 4.3a, and it works fine.

  2. Fortunately, Version 4.3a’s container file can still be managed by the latest TrueCrypt program, v6.0a. So what you need to do is create a v4.3a container file using the old version of the TrueCrypt program by running it once (you can download the old version of TrueCrypt here: http://www.truecrypt.org/pastversions.php) and use the latest version to manage the file, like mapping this old version container file as a drive to your computer with administrative rights.

You might wonder why the official TrueCrypt project does not offer this feature to the program. Actually, this is a common drawback of all so-called “on-the-fly” real time data encryption programs. One of the main intentions of this kind of real-time data encryption program is to use system drivers to embed all encryption processes in the system so that the user will not need to take care of the encryption/decryption process when they add or extract data files from the container file. The whole process can be made transparent to the users.

And to be able to install and use the specially created system drivers, you must have the administrative rights.

If the on-the-fly feature is not needed, then we definitely do not need to install the system drivers and hence there is no need to have the administrative rights. But then you have to take care of another security concern. The user needs to set up a temporary place to store and process the encrypted/decrypted files from the container file, as now there is no real-time process to help encrypt/decrypt the files directly to the system. This place is prone to data leakage, as the user must remember to clean it up after using the program.

Take the TCExplorer as an example. It automatically creates a temporary directory either in the USB thumb drive you are using or it sets up a temporary directory in your computer, such as: C:\Documents and Settings\YourUserName\Local Settings\Temp.

After using the program, you need to clean the temporary data there or risk that the decrypted files will be left there without encryption. This program does provide a feature to delete the temporary directory as shown:

But the user still has to remember to use this feature.
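One way to check for the leftover plaintext described above is to snapshot the temporary directory before opening the container and compare it afterwards. This is an added example, not part of TCExplorer or the original post; the directory and file names (`tcx_session`, `budget.xls`, `letter.doc`) are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (size, mtime_ns) for every file under root, keyed by relative path."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # file vanished or is unreadable; skip it
            state[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return state


def leftovers(before, after):
    """Files that were created or changed since the 'before' snapshot."""
    return sorted(rel for rel, meta in after.items() if before.get(rel) != meta)


def scrub(root, rel_paths, chunk=1 << 20):
    """Overwrite each file with zeros, then delete it; return paths that failed.

    The overwrite is best effort: on flash media (USB thumb drives) wear
    levelling can leave the old blocks in place, so deleting the file does
    not guarantee the plaintext is unrecoverable.
    """
    failed = []
    for rel in rel_paths:
        path = Path(root) / rel
        try:
            remaining = path.stat().st_size
            with open(path, "r+b") as fh:
                while remaining > 0:
                    n = min(chunk, remaining)
                    fh.write(b"\0" * n)
                    remaining -= n
                fh.flush()
                os.fsync(fh.fileno())
            path.unlink()
        except OSError:
            failed.append(rel)
    return failed


def demo():
    """Constructed session: two decrypted files are left in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "installer.log").write_text("present before the session\n")
        before = snapshot(root)

        # Simulated viewer session that forgets to clean up (constructed data).
        session = root / "tcx_session"  # hypothetical directory name
        session.mkdir()
        (session / "budget.xls").write_bytes(b"decrypted spreadsheet bytes")
        (session / "letter.doc").write_bytes(b"decrypted letter bytes")

        found = leftovers(before, snapshot(root))
        failed = scrub(root, found)
        still_there = leftovers(before, snapshot(root))
        kept = (root / "installer.log").exists()
        return found, failed, still_there, kept


if __name__ == "__main__":
    print(demo())
```

Files that existed before the session are left alone; only files created or modified while the container was open are reported and removed.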

So perhaps this explains why the official TrueCrypt project does not provide this feature, because it introduces a security weakness to the program if we allow the user to use this program on a computer without administrative rights.

So use this program carefully if you think it can help. As the author of TCExplorer commented, there are advantages and disadvantages of using this program. The author’s intention is to provide a truly portable solution for people with documents that are not highly confidential but don’t want others to view their documents (for instance, if a thumb drive is lost). If this is what you’re looking for, then perhaps TCExplorer is right for you.

Tags: on-the-fly data encryption, USB Data Encryption, Encrypting data without administrative rights, USB Data Encryption and Decryption without administrative rights





USB Data Encryption and Decryption on a Computer without Administrator Rights?

Wednesday 13 August 2008 @ 2:19 am

As I promised in the post about a data encryption utility called TrueCrypt, I am going to show you another utility that can be used to encrypt portable data on a USB drive. Unlike TrueCrypt, in which you must have administrative rights to activate the program for accessing the encrypted data, this program allows you to operate it on a public computer on which you do not have administrative rights.

To get this free program, go to this link:

http://www.rohos.com/free-encryption/

Similar to TrueCrypt, you must create a container file to store your encrypted files. Therefore, first use a computer that you do have administrative rights on, get the installation file, and install it on that computer.

Follow the program’s instructions to create a container file. After the file creation, you will find a system folder (_rohos) in your USB thumb drive with the container file named “rdisk.rdi” as shown below:

Please note this free version allows you to create a virtual container file with maximum volume of 1 GB.

Now map this Rohos mini drive as drive “R” in your system (“R” is the default drive letter that you can change) and load it with the data files you want to securely store. (Just copy and paste those files to the drive file by ordinary file copy process.)

Next try the Rohos drive in a computer for which you do not have administrative rights. (You can also simply log into the same computer with a limited privileges account.) You can now double click the “Rohos mini.exe” file (shown as yellow icon above) in your USB thumb drive and the program will ask you to input the password to access your container file under “_rohos” folder.

Supply the correct password used previously for the container file. Rohos will return with a browser window containing all your encrypted files.

You can double click any file to open it in its associated program. Rohos will temporarily decrypt the file and load it into the temp directory it creates on your USB memory device in order for the system application to access it.

You can save any file within the Rohos Disk Browser to the local computer by accessing the FileSave function. The software will prompt you to enter the designated folder location to store the decrypted file.

To copy any file from your local computer to this container file (and encrypt it at the same time), just drag and drop any file from any file directory to the Disk Browser Window.

To shut down the program, simply close the Browser Window. The software will prompt for confirmation to clean up any decrypted files in the temporary directory.

The beauty of this program is you can use it anywhere on any computer, even if you do not have administrative rights. It also offers both AES 256 bit and Blowfish encryption technology to protect the data. Both are world-class encryption technologies that we can depend on.

However, please note the following limitations of the program:

  • You can only create a container file with a maximum capacity of 1GB for the free version. Also, you can only create one container file per USB thumb drive’s partition.
  • Nothing is known about the random number generator the program uses to create the encryption key. Is there any weakness in the random number generator it is using? Unlike TrueCrypt, it does not ask for the user’s input to help create the random number to generate the encryption key.
  • The program is not developed as an open-source effort. Therefore, the code is proprietary and closed. Nothing is known about any possible inherent weakness in the program design because it has not been reviewed publicly by security and programming experts.

This software provider does provide a paid version with enhanced features such as storage size exceeding 1GB, allowing more than one encrypted virtual drive on a single USB drive, and more.

If you have any comments and ideas about using the Rohos Mini Drive, leave me a message here.

Tags: Blow Fish, USB Data Encryption





How to Keep your Portable Data from Being Stolen

Monday 4 August 2008 @ 6:30 pm

Do you worry about your data being stolen if you lose your USB thumb drive or other portable data storage? Here is a free solution.

Try TrueCrypt.

TrueCrypt is an open sourced project providing a simple solution to encrypt your USB data (or actually data in any other movable or internal storage of your computer). The encrypted data container (let’s call it a container file) can be treated as an ordinary drive in your computer. This program mounts the container file as an ordinary drive. The container file can be made into a single standalone file or cover an entire hard disk partition on your local or remote drive.

To illustrate this, here is a screen capture of how I mapped my 68.4GB container file on one of my hard disks as P drive. After mapping, I can open my P drive as if it were an ordinary drive to store and retrieve files. All the files that are stored in this container file are encrypted.

TrueCrypt Drive Mapping Screen Demo

The file container can be named with any name and any extension. So you can disguise a container file by naming it something like “song.mp3” or “picture.jpg” to make your container look, at a glance, as if it were just an mp3 or jpg file. This serves as a concealment to hide the true identity of this container file. When ordinary people browse your hard disk, they may not notice that it is an encrypted TrueCrypt container file.

You can also copy or move this container file to any storage place you want. This enhances the mobility of your data.

The encryption used to protect your data is AES, which is one of the strongest encryption methods in contemporary encryption technology.

The only price you need to pay is to manage your password carefully to access this drive. For instance, do not disclose your password to others, and choose a password that is difficult to guess. Also, use a longer password with a combination of characters, digits, and symbols.

There is an extra feature of this software that you should not miss. TrueCrypt offers the option to create a hidden volume in your container file. This is actually an invisible volume in your encrypted drive that you cannot normally view. If you create this hidden volume with a different access password, then when you mount your container file using this different password, the mounted volume will be the hidden volume instead of the normal volume, allowing access to the hidden volume.

One reason you may need this extra hidden volume is that if someone were to force you to open the encrypted drive, you can reveal the contents within the normal drive without revealing the truly important contents inside the hidden volume.

Is TrueCrypt portable? Yes and no. On one hand, it can be run without installing it on a computer, allowing you to map your file on any computer that does not have this software installed. However, you must have administrator rights on that computer in order to mount and decrypt the container file. Therefore, you cannot bring your encrypted file to a public computer and decrypt the container files there.

There are similar open sourced solutions, such as FreeOTFE. This software offers an extra feature of mapping your container file to a preferred drive letter that you assigned beforehand. However, the user interface is less appealing.

We’ll talk more about installing portable data encryption solutions without administrator rights. Stay tuned to this blog.

If you know any similar software that can do this job, leave me a message here.

Tags: USB Data Encryption

Technorati Tags: TrueCrypt, FreeOTFE




Filtering Spam Using Gmail

Friday 9 May 2008 @ 2:30 pm

I have been using Gmail, Yahoo! Mail, and Hotmail for a very long time. My general feeling is that the super-powerful spam filtering capability of Gmail is unprecedented. It can eliminate almost 98% of spam emails while at the same time maintaining an almost zero error rate of filtering legitimate emails. It definitely outperforms the other two free email systems.

I am always curious how it achieves this phenomenal success rate, but I find no clue at all. Having had no success in finding its algorithm, I turn to a very practical question: How can we make use of its powerful spam filtering capability to handle our daily corporate email reception task?

The first solution is to use Gmail for receiving emails from your contacts. That sounds easy and straightforward, but the downside is that you have to give up the corporate email address that signifies your corporate identity. How can we preserve that?

Here is a quick solution you can try. Since Gmail allows email received to be forwarded to another email address, you can follow these steps to set this up.

First, you’ll need to create the following three email addresses for each staff member of your company:

  1. The primary corporate e-mail, which is shared with contacts. Say, for John Doe of your company XYZ Inc., you can use john.doe@xyz.com.
  2. A second corporate e-mail, called john.doe_filtered@xyz.com. (You’ll see the use of this second e-mail in a few minutes.)
  3. A Gmail account, with an address similar to: john.doe-xyz@gmail.com

Next, configure the first, primary email address to forward email to the Gmail address.

In the Gmail account settings for the Gmail email address, select the option “Forwarding and POP/IMAP” as shown below:

You will see the following screen:

Set this to forward to the second corporate email address of your staff (i.e., the john.doe_filtered@xyz.com address, as shown in the above screen capture).

Now John Doe can configure his email client to read spam filtered email from the second email account. Those emails are originally addressed to his primary email address, filtered by Gmail, then automatically forwarded to his second corporate email account.

What John needs to remember is to make sure the email address john.doe_filtered@xyz.com is hidden from his contacts. He only uses it as a tool to receive the filtered emails.

If you really want to use Gmail as a private-label service for your company (which gives each of your corporate email accounts Gmail’s large storage space as well as the spam filtering service), you can register for a private label email program through Google Apps here:
http://www.google.com/a/help/intl/en/index.html

However, this involves pointing all your corporate emails to Google’s Server for storage and processing. I am not so sure if this is a good idea for your company, although this service is basically free with an option to pay a small fee to receive technical support service.





Operations Security: Audit and Accountability

Friday 14 March 2008 @ 2:47 pm

The accountability portion of security control refers to holding system users responsible for their actions by constantly monitoring all activities within the system.

Consistently logging and auditing activities are ways that we monitor the system to ensure proper tracking of computer misuse. For example, as part of the auditing process, the following activities should be logged for effective control and accountability:

  • User identification information
  • System access time
  • Information on system objects being accessed
  • Failed login attempts
  • System warnings and error messages
  • Repeated users’ mistakes

Considering that a system that ensures accountability requires a strong system of authentication, a good access control system should be implemented. If the system has no access control system, logging the above activities could become meaningless.

Keep in mind that system logging must take into account numerous daily network activities. These valid activities need to be distinguished from activities that appear suspicious.  For this reason, an effective clipping mechanism should be in place. This mechanism, which includes setting clipping levels to define acceptable system activities, acts as a baseline for determining system violations.

The goal of monitoring, auditing, and clipping levels is to discover problems before major damage occurs, and to be alerted when a possible attack is underway.  Theoretically, when the clipping mechanism detects that the baseline has been exceeded, an alarm is generated and the system records further information regarding the detected changes in activity. In other words, as soon as the system detects that activities are occurring that fall outside of the predefined acceptable threshold, it notifies the security administrator via e-mail or pager, and generates a log of further activity. This log can then be used to investigate the suspicious activity.
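The clipping-level behaviour described above, as an added example that is not from the original post: failed logins are tolerated up to a threshold within a time window, and once a user exceeds it an alarm is raised and that user's later activity is recorded. The log format, event names, threshold of 3 and 5-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2008-03-14T09:00:05 LOGIN_FAIL user=jdoe src=10.0.0.5
2008-03-14T09:00:20 LOGIN_OK user=jdoe src=10.0.0.5
2008-03-14T09:10:00 LOGIN_FAIL user=asmith src=10.0.0.9
2008-03-14T09:10:30 LOGIN_FAIL user=asmith src=10.0.0.9
2008-03-14T09:11:00 LOGIN_FAIL user=asmith src=10.0.0.9
2008-03-14T09:11:30 LOGIN_FAIL user=asmith src=10.0.0.9
2008-03-14T09:12:00 LOGIN_OK user=asmith src=10.0.0.9
2008-03-14T09:12:10 FILE_READ user=asmith object=/payroll/q1.xls
2008-03-14T09:15:00 LOGIN_FAIL user=bwong src=10.0.0.7
2008-03-14T09:35:00 LOGIN_FAIL user=bwong src=10.0.0.7
2008-03-14T09:55:00 LOGIN_FAIL user=bwong src=10.0.0.7
2008-03-14T10:15:00 LOGIN_FAIL user=bwong src=10.0.0.7
"""


def parse(line):
    """Split 'timestamp EVENT key=value ...' into (datetime, event, fields)."""
    ts, event, *pairs = line.split()
    return datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)


def apply_clipping(lines, level=3, window=timedelta(minutes=5)):
    """Return (alarms, detail).

    Up to `level` failed logins per user inside `window` count as normal
    activity (typing mistakes). The first failure beyond that raises one
    alarm; every later event for that user is then kept in `detail` for
    the investigation.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures in the window
    alarmed = set()
    alarms = []
    detail = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, event, fields = parse(line)
        user = fields.get("user", "unknown")
        if user in alarmed:
            detail[user].append(line)      # record further activity after the alarm
        if event != "LOGIN_FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that fell out of the window
            q.popleft()
        if len(q) > level and user not in alarmed:
            alarmed.add(user)
            alarms.append((user, ts.isoformat(), len(q)))
    return alarms, dict(detail)


def run_sample():
    return apply_clipping(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    alarms, detail = run_sample()
    print(alarms)
    print(detail)
```

In the sample, `bwong` also has four failures, but they are twenty minutes apart, so they stay under the clipping level and raise no alarm.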

Perhaps a more effective solution would be the use of software that automates the detection of a violation. The most common installation related to system violation is the Intrusion Detection System (IDS). IDS is software customized to collect and analyze system activities. It alerts system administrators of suspicious system activities by using a pre-installed database specifically built to record clipping levels and patterns of system misuse.

Any good system monitoring and auditing process should allow the user to work unimpeded. For security purposes, the user should not know what or how monitoring and auditing is being conducted. However, of course the issue of privacy should also be considered. The monitoring system should comply with local personnel and data privacy laws when carrying out monitoring activities. It is strongly advised that users be notified in advance of possible logging and analysis of their system activities.

Tags: Operations Security Control, Operations Security, Audit, IT Audit, System Auditing, Personnel Privacy Laws, Intrusion Detection System





Operations Control Techniques

Thursday 13 March 2008 @ 5:27 pm

Now we’ll cover some of the administrative aspects of Operations Control.

  1. Separation of Duties is a preventative measure that prevents one person from performing a full function from beginning to end. This policy reduces the possibility of any one person committing an act against policy unless there is collusion amongst two or more people. Since collusion involves the actions of more than one party, an unwanted action is less likely to occur.
  2. Job Rotation refers to the policy of constantly changing each person’s role within the business process. This method helps to identify recurring mistakes or fraudulent activities, since such activities can be identified and/or corrected by the new person assigned to the same task. You could consider this policy as a type of “detective control.”

     A strategy that complements the job rotation tactic is mandatory vacation. This policy allows the administrator to detect potential activities of abuse by forcing staff to leave their current post or capacity on a temporary basis. Again, the worker newly assigned to the task is in a position to identify traces or clues leading to the discovery of abuse by the prior worker assigned to the task.
  3. Least Privilege is a policy that requires each individual to be granted the least amount of permission and rights necessary to perform only their assigned duties. In this method, the administrator prevents individuals from performing tasks outside of their assigned duties, which could lead to actions that jeopardize the security of the company’s system.

     According to Saltzer and Schroeder [Saltzer 75], every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error.

     Sometimes, this policy is called “need-to-know.” In this scenario, a person is not given access to information unless he or she has a specific need to know it. In other words, access to the information must be necessary to conduct that person’s official duties.

There are several other controls that should be addressed as well. However, the three fundamental methods we cover here are important administrative controls generally overlooked by many organizations.

Reference:
Saltzer, Jerome H. & Schroeder, Michael D. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63, 9 (September 1975): 1278-1308.

Tags: Operations Control Techniques, Operations Security





Operations Security (OPSEC)

Tuesday 11 March 2008 @ 11:14 pm

Before we can fully understand operations security, let’s define what we mean by “operations.”

Operations refer to the continual, day-to-day usage and maintenance of the system.

Operations Security covers all the measures necessary to keep the entire system, including the network, computer system(s), and applications, running in a secure and protected manner.

Operations Security includes the following aspects:

  • Physical and Environment Protection
  • Production
  • Input/Output Controls
  • Emergency and Contingency Planning
  • System and Data Backup
  • Software Maintenance Control
  • System Documentation
  • System Change Management

Among these aspects, the Input/Output Controls cover the proper handling of media for input/output data, such as print-outs, disk cartridges, and mass-storage devices.

The Operations Department is responsible for the operations security of a system. This department ensures that the daily activities of the system run smoothly, and that any issues that may arise are handled quickly and efficiently.

The key role of the Operations Department is to exercise due care and due diligence in the security of the system. The determining factor in shaping the best courses of action for ensuring the security of a system involves the concept of “the prudent person.” What would a prudent person do in a particular situation?

Finally, the Operations Department staff should not be allowed access to the development environment or to the security management functions within the system. Such access could increase the risk of security breaches.
