Blog | SafeLogic

12 Nov 2015

Lockheed Martin’s Bad Stretch Was Still Better Than Yours

Lockheed Martin had a rough few months.

Lockheed Martin’s prototype Joint Light Tactical Vehicle (JLTV)

In August, Oshkosh Corporation won the contract to build the next generation Joint Light Tactical Vehicles (JLTV) for the Marines and the Army. Lockheed Martin and the incumbent, Humvee manufacturer AM General, were the runners-up.

In October, Northrop Grumman won the contract to build the Long Range Strike-Bomber (LRS-B) for the Air Force. Lockheed Martin was again the runner-up, this time despite their joint effort with Boeing. [Weren’t we just talking about frenemies?]

The first one hurt. The contract was for $6.75 billion USD, and Lockheed had bought partner BAE Systems’ entire wheeled vehicle production line and literally moved it from Sealy, Texas to Camden, Arkansas in preparation.

The second one was just brutal. The United States Air Force plans to purchase 80–100 of the LRS-B aircraft at a cost of about $600 million each. Add in an estimated $20 billion for research and development, and the total value of the contract could close in on $80 billion USD. Even shared with Boeing, that would have been a massive win for the famed defense contractor.

Concept art of Lockheed-Boeing Long Range Strike Bomber (LRS-B)

Lockheed Martin is a huge company with net sales over $45 billion USD in 2014. Winning either contract would have been a significant boost and a feather in their cap. Winning both would have cemented Lockheed’s title as the top dog among defense contractors. Instead, they have been forced to sit on the sidelines and exercise their right to a 100-day challenge and review of the contract award.

So why does this matter to you? Let’s do some math.

In the first case, the Hummer replacement contract, Lockheed was one of three finalists. The contract was worth $6.75 billion. Entering the final phase of the bidding, each of the bids had a reasonably equal shot at securing the contract – a 33% win expectancy, if you will.

$6,750,000,000.00 x 33% (three bids) = $2,227,500,000.00

That means that their selection to the final round of proposals was worth over $2 billion in expected value. Obviously the contract was going to be awarded in full to only one of the companies, but with three comparable bids, each carries roughly a third of the expected value. Likewise, if we assume for the sake of simplicity that Lockheed Martin and Boeing would share the bomber contract 50-50, the math on the second deal is:

$80,000,000,000.00 x 50% (only two bids!) x 50% (sharing with Boeing) = $20,000,000,000.00

Lockheed’s expected contract awards, based on these simplified odds, totaled over $22 billion. While neither came through, it was a huge and worthwhile effort to bid. That calculated $22B, while unrealized, was $22 billion more than the other, unnamed companies eliminated earlier in the procurement process. It was $22 billion more than the companies that didn’t bother bidding and $22 billion more than the companies that weren’t even eligible to bid.

The questions for you: How much projected revenue from federal contracts are you leaving on the table? How big are the contracts being awarded to your rivals? Are you providing competitive proposals? Are you even eligible to bid?

If you don’t take the necessary steps to enter the public sector and provide proposals to bring your solutions to the federal government, your competitors will run wild. Their win expectancy skyrockets if you don’t participate. They can bid whatever they see fit, since you didn’t submit a proposal to keep them honest. Imagine what they’ll do with that padded profit margin – fund more R&D, increase their salesforce and marketing budget, boost their payroll so they can hire away your very best people. It won’t be pretty… except for their shareholders. They will reap the PR benefits of winning the contract, and the earned credibility will fuel efforts to parlay their success in the public sector to other regulated industries.

So yeah, Lockheed Martin had a rough couple of months when they didn’t win either contract… but it was still a better stretch than the rest of the companies who had been sitting on the sidelines all along.

These two contracts have been awarded, but there are a lot more currently open and coming soon for a variety of agencies and branches, for nearly every type of technology you can imagine. If you want to be eligible to bid on these contracts and sell to the federal government, you need FIPS 140-2 validated encryption. SafeLogic provides immediate compliance and a full validation, in your name, in 8 weeks. Let’s get you in the game!




21 Oct 2015

Worse than Frenemies

You’ve heard the term ‘frenemies’ before, right?  You most likely have if you’ve got kids past middle school, unfortunately.  It’s the mash-up of ‘friend’ and ‘enemy’ with the distinction defined in the helpful illustration below.


Today’s blog post is a public service announcement – Beware of frenemies.  Many of us forget about this life lesson once we are adults and it can really sting.  Frenemies come in several flavors in the business world, but many are friend/competitors.  Maybe these should be called ‘frempetitors’.

Our prime example is Samsung and Apple.  They have been engaged in litigation since 2011, and yet Tim Cook’s braintrust thought it was a good idea to contract with Samsung to produce A9 processors for the iPhone 6S.  Samsung was even accused of engaging in corporate espionage to displace TSMC, who had been slated for the full order.  Even the most forgiving folks would have to be a little suspicious, right?

Now the kicker – Samsung’s version of the A9 chip has been benchmarked for worse heat dissipation and shorter battery life than the alternative version by TSMC.  Was this malicious?  Was Samsung actively trying to undermine the reputation of Apple’s new flagship phone?  Popular Apple-centric blog ‘Cult of Mac’ says maybe they are.  The fact that the two corporate giants have been locked in mortal combat in both the courtroom and for market share automatically throws a shadow on the developing situation.  Despite Apple’s public claims that the variance is only 2-3% and it won’t affect typical use, Samsung doesn’t get the benefit of the doubt, since they are the very definition of ‘frempetitors’.  I’d love to hear the internal discussions in Cupertino on the topic.

So why do you care?  Well, we’ve had a spike lately in inquiries from companies in a specific industry that have been using an encryption product from their frempetitor.  Yes, they licensed a crypto module from [company name redacted] even though they are competing head-to-head against that company’s flagship product.  This boggles my mind.  We’re not talking about complementary offerings, we’re talking about the exact same kind of Apple-Samsung clash of the titans but on a smaller battlefield.  Why would you trust this frempetitor?  It’s not like their product is so fantastic that you had no choice. It’s certainly not that their pricing was so incredible that you couldn’t afford to pass it up.  For comparison’s sake, it’s not even like they provide FIPS 140-2 validation services, Rapid or otherwise.  This is just a head-scratcher.

What happens when their module isn’t working properly or if it is proven to be vulnerable?  Will they step up and patch it in a timely manner?  Or will they prioritize their own products and customers first, and you’ll have to wait until they get around to it?

What if your crypto provider pulls your license in an effort to sidetrack your engineering team and cripple your momentum, because you’ve been taking market share from their primary offering?  Are you prepared to pivot quickly on your competitor’s whim?

Would you be concerned that you are relying upon an internal component that was designed by a competitor?  What if it slows down your product’s performance?  What if it includes tracking capabilities so that they can monitor your install base?

Paranoid?  Sure, but definitely within the realm of possible.

If you ran a restaurant, you would never purchase your ingredients from a competing restaurant. You’d rightfully assume that they would cherry-pick the best produce, the best cuts of meat, the proverbial cream of the crop, and leave you the rest.

Would your boss/investors/shareholders/customers give you the benefit of the doubt in these scenarios?  Is choosing to work with a frempetitor ever a justifiable position in retrospect?

Skip the heartache and paranoia.  Don’t get stabbed in the back and don’t give a competitor the opportunity to be a part of your supply chain.

If you are currently using encryption provided by a company that would stand to gain from your troubles, contact us immediately and we’ll help you escape from this dysfunctional relationship. If you are considering them, please think very carefully about it before you move forward. I don’t promise never to say “I told you so”, but I do promise that SafeLogic will be ready to help when you’re ready. Plus, we have better modules, greater compatibility and platform coverage, and RapidCert’s lightning fast validation is just the cherry on top. Choose wisely!


6 Oct 2015

The Need for Speed

The Miramar Air Show was this weekend, a highlight of the year for Southern Californians. Bay Area flight enthusiasts will get their own dose of the Blue Angels this weekend at Fleet Week San Francisco, before the iconic jet team heads to Oahu and then closes their season with dates in Georgia and Florida. I like to think that our San Diego event holds a special place in the hearts of these naval aviators, since Marine Corps Air Station (MCAS) Miramar was the setting for the film that still reigns #1 among pilots – Top Gun. I could have walked up to any of the service members on the base and asked if they ‘felt the need for speed’ and gotten a high five, or asked if they had ‘lost that loving feeling’ and gotten serenaded. Forget that Maverick and Goose first inverted to ‘keep up foreign relations’ years before this generation’s hotshot pilots drove a car, let alone flew a plane; Top Gun is still the most effective two hour recruiting tool in the Navy.

Bottom line – the air show was awesome.  My son had a blast (the Shockwave jet truck was a big hit) and I was left with the same patriotic awe and inspiration as years past.  I’m still thunderstruck by the engineering feats that we have achieved, as a country and as a species.

I’m also equally blown away by our continually jaw-dropping idiocy.  Chatting with one of the aforementioned millennial pilots (I’m no senior citizen, but this kid was definitely born during the Clinton administration), he told me that while some of his superiors had received iPads for flight plans, he had not.  When I pressed him, he admitted that he used his own personal iPad… with a handy app that he had downloaded from the App Store, of course.  I was flummoxed.  Yes, the app (which shall remain nameless) has an excellent reputation and yes, it has a specific setup for military usage, including a worldwide library of Department of Defense Digital Flight Information Publications (D-FLIP) terminal procedures, airport diagrams, enroute charts and publications.  Very handy.

But who is authorizing this? Or rather, who is looking the other way on this? I’m not suggesting that the app is corrupt (although they fail to include FIPS 140-2 validation). I recognize that the pilots are supposed to download their relevant data before takeoff and disable cellular signal while in flight. Good rules of thumb. But how about the tablet’s location services? A GPS receiver itself only listens, but the device’s cellular and WiFi radios, and any app that reports the position fix, can give away where the pilot is, and none of that has been officially sanctioned. Or what if someone has compromised the app or its data channel and is running a man-in-the-middle (MITM) attack, collecting all user destination data? In that case, they could theoretically isolate the military users, even the type of plane and originating location. Gee, that wouldn’t be helpful information at all.

iPads have been a huge boost to efficiency and modernizing the habits of pilots, both military and civilian. I’m not disputing that. In fact, I’ve been a major advocate. That doesn’t mean that unbridled BYOD is okay, let alone encouraged. It’s a tight margin for error and it’s shrinking. We need to address it, because it’s not just the 20-something pilots that want it yesterday already, it’s every customer, big and small.

New solutions are a balancing act and always have been.  We constantly have to be vigilant, weighing the advantages of the technology with the compromises that we recognize in the current version before we can feel comfortable deploying it in sensitive environments such as the military.  This is a recurring theme in our CEO’s talks nationwide at security and technology conferences.  It’s just not enough to build something better – it has to be secure.  And it’s not enough to build something secure – it has to be ready faster.  And if it’s secure and fast?  Yes, it’s gotta be better than what’s already out there.

As a technology vendor, you need to enter production faster. Getting bogged down in the FIPS 140-2 process is a fool’s errand, but we definitely have it figured out. Build your product, add CryptoComply, move fast, beat your competitors, and win market share.

If you’ve got the need for speed, then you need RapidCert.

P.S. – Top Gun 2 is in the works, bringing back Tom Cruise as Maverick.  Seriously.


30 Sep 2015

Recap: CTIA 2015

Ever notice that when you go to Las Vegas, the flight there is always faster than when you’re coming home? Or worse, if you’re driving back to California, you start to lose the will to live somewhere between Stateline and Baker on the I-15 South. It doesn’t matter if you won or lost, the journey home is usually brutal.

This was different.  As the SafeLogic team parted ways on the last day of Super Mobility, there was an electricity in the air.  Sure we were tired; it was a long week.  We were excited, too, and for good reason.  With some time to catch up and reflect, here are my thoughts on CTIA’s flagship conference.

1) The Good

CTIA remains one of the best places to network.  We got to spend quality time with delegates from customers, partners, analyst firms… some planned meetings, some spontaneous.  The Sands Expo at the Venetian and Palazzo resorts is a strong draw, especially for the west coast folks, so there were a lot of people in attendance that we wanted to see.  That was great.

Our CEO, Ray Potter, was featured as a speaker at the 151 Advisors’ App-Solutely Enterprise seminar, providing a solo talk on mobile security, setting the tone before joining the panel discussion on the same topics.  It was a lively session, to say the least, with five opinionated panelists and frankly not enough time for everyone to put in their piece.  Luckily, the discussion was carried forward down the hallway and into cocktail hour.

Ray was also invited to speak at Wireless U., a co-located event coordinated by CTIA and the NCSL (National Conference of State Legislatures). So Friday morning, Ray presented to a room full of State Senators and Representatives. While not directly fueling SafeLogic’s efforts, the feedback and questions from the group were invaluable. Attendees were insightful and curious, despite their candid and often refreshingly self-deprecating general lack of expertise in technology. The fact that these state legislators were investing their time to better understand the hurdles facing their constituents and our nation as a whole was very encouraging as well.

2) The Bad

The downside is that the event is becoming increasingly saturated with cellular retailers and accessory vendors.  Somewhere along the line, the complementary industry of rhinestone-encrusted cases and external battery packs became a primary draw for the CTIA exhibit hall instead.  Add in the hands-free Segways, and you have the definition of “mobile” stretched a bit thin.

The MobileCon section of years past was essentially disbanded, incorporated into the rest of the exhibit floor.  I preferred the designated area of enterprise-focused software vendors who could focus their message on the enablement and empowerment of mobile workers.  Now, it is much more of a free-for-all (which is tougher for my marketing peers).  Gone along with it was the App-Solutely Enterprise stage, which was central to the exhibit floor in 2014.  Plenty of folks complained about the noise and bustle inherent to locating the stage directly on the main floor, but it was preferable to this year’s isolated ballroom on the second floor.

3) The [Not-So] Ugly

Maybe it’s Vegas, maybe it’s because CTIA is starting to converge on CES as a consumer-driven show, or maybe it’s just in contrast to the more buttoned-up atmosphere found at both security conferences and government-related events… Super Mobility really knew how to throw a party though!

Between the rave music punctuating attendee hangovers with serious subwoofers in the hallways and the efforts of the exhibitors, you definitely knew that this was an event to be explored.  We counted not one, but two BMW i8’s, as well as several non-electric supercars (Ferrari and Audi convertibles spring to mind), countless hired guns working the booths (not just babes, but Booth Bros as well), and a ridiculously talented balloon artist.

If the goal was to make a splash, then mission definitely accomplished.

The Bottom Line

While CTIA’s national conference is not what it used to be, it remains a strong destination for mobile security folks.  Would it be better if it was spun back out to a stand-alone event that caters better to enterprise technology?  Yeah, probably.  But until they do that, you’ll still see plenty of SafeLogic at Super Mobility.

Share your thoughts on the conference with us on Twitter!



23 Sep 2015

Changing Seasons

Credit: Jean-Pol GRANDMONT

Happy Autumnal Equinox, everyone!  Yes, it’s the first day of fall for the northern hemisphere (and by proxy, the first day of spring for everyone down under) and I’m back blogging.  Football is back and playoff baseball is nearly here. (Go Dodgers!) Leaves are turning, pumpkins are growing, and there’s a lot to catch up on.

It’s been a long, hot, El Niño summer here in San Diego, where I’m based. While I spent some time at the beach like every San Diegan, the big chunk of time was devoted to working with the awesome SafeLogic team, reviewing and polishing key details of great things to come.  While I cannot yet reveal what’s in store, I will say this – we’ve worked hard to align each piece of the puzzle to best benefit our existing and future customers alike.  Our goal is to display our unwavering commitment to disruption on behalf of our clients.  The current model of FIPS 140-2 certification is broken and we are doing our best to insulate our customers and keep blazing new trails.

So why do you care?

Well, if you want to have a validation completed by the end of the calendar year, you should definitely reach out asap.  Along with official announcements in this space, we will be rolling out some new blog posts pertaining to specific verticals and solutions, as well as recaps and commentary related to this season’s industry events.  It’s going to be a busy Q4, let’s just say that. Stay tuned!




27 Mar 2015

Security on the Road

Travelling isn’t easy. I’ve been hitting the road more often lately, and even beyond the normal complications (Did I remember to turn off the thermostat? Did I lock the door?), security concerns rear their ugly head the minute that you walk out the door.  Here are a few thoughts on my own best practices for travel security.

Your phone and laptop should always have a password lock enabled, but even if you insist on skipping that precaution at home, please do yourself a favor and enable it on the road. I can’t count how many times I’ve heard the horror stories of leaving a device in a taxi. (or Uber. Or Lyft. Pick your poison.)

This is just hilarious. No, it’s not me.

If you’re flying, TSA poses a hurdle as soon as you hit the airport. I always remind myself to be 100% vigilant at the luggage x-ray machine and metal detector… not because I think I need to stop the next hijacking plot, but because anytime my phone, keys, passport, laptop and everything else are exposed and out of my immediate control, I need to be on my game. If you have travelled with me before, you noticed that I’m completely willing to be ‘That Guy’ who holds up the line. Why? Because there’s not a chance in hell that I’m walking through the body scanner before my personal items have been gobbled up by the conveyor belt to the x-ray machine. No, I don’t trust the TSA agents or anyone else to ensure that my laptop makes it through. Especially when the next three people in line have identical MacBooks to mine. Maybe I should add a SafeLogic sticker to differentiate it on the road. Or I should register for TSA Pre, so I can leave it in my bag.  Note to self.

Once you’ve made it to the gate, whether you’re at the airport, train station, or friendly local HyperLoop stop, the dilemma inevitably arrives before your boarding call.

Free, open WiFi. Do you connect or not?

I’ve asked that question of a lot of smart people that I respect, and the answers vary. Sometimes the folks that I expect to be most paranoid admit that they use every Starbucks hotspot that they can find, without hesitation. Others eschew any connection that has not been provided and approved by their employer, lest they inadvertently cause a data breach. It’s about the liability. Me? I take precautions, but I’m usually more worried about the weirdo sitting next to me trying to eyeball my screen than about getting singled out and sniffed among the thousands of connected devices on the network.

I’m forced to be more accepting of dodgy WiFi locations if I’m traveling abroad for pleasure though. When I’m on vacation outside of the States, I usually just remove my SIM card. It protects me from unwanted phone calls while I’m relaxing. More importantly, it protects me from unwanted roaming charges. Nobody likes a 5-figure mobile bill when they get home. It does require me to leverage WiFi when offered at the corner boulangerie or pub so I can plan my next destination, but it is usually well worth the trade-off. (Pro tip: load a local map in your phone app while you are connected… then even without WiFi, your GPS position will still show on the map and give you a fighting chance to navigate accurately.)

But I digress. Once you arrive at your location, plastic is your lifeline. Better hope your credit or debit card doesn’t get stolen, forgotten, eaten by a rogue ATM (yes, that actually happened!) or possibly more aggravating, disabled by a fraudulent use flag. The founders of Final give a great example in their origin story and built a product with potential to save us from similar future issues. In the meantime, make a solid contingency plan for if your go-to card is unavailable. (No, panhandling is not a viable contingency plan.)

Technology can be your friend with the sheer volume of traveling documents, too. I like to use the Apple Passbook for my airline boarding pass whenever possible. Removing the paper slip from circulation means one less thing I need to keep safe. This is true for your itinerary, train tickets, directions, and many other items. The only catch is knowing whether your app of choice is secure.  Naturally, I gravitate towards solutions from trustworthy sources, especially those that I know have prioritized data security with strong encryption.  SafeLogic customers, if I have the option!

Centralize and travel light. I’ve even eschewed the use of a wallet, choosing to carry the bare minimums – ID, cash, debit card and credit card – in a specialized case for my phone. Thanks Speck. Just one more thing that I no longer have to keep safe.

Lastly, you must cover your tracks like a trained assassin.

• Used the WiFi at your AirBNB flat? Forget the network on your devices.
• Used a smartlock system like Kēvo to access your rental? Delete delete delete!
• Used the Bluetooth connection to play Pandora or Spotify tunes in your rental car? Make sure to remove your phone from the ‘paired devices’ list on the vehicle console. (I’m looking at you, Kevin Chiu who paired his Samsung Galaxy S5 with that blue Toyota Camry in San Jose before I rented it!)

If you consider the repercussions of every byte you receive and packet you send, plan for worst-case scenarios that could leave you stranded, and memorize at least one phone number to call collect from a pay phone, you’re in good shape. Or at least hopefully better than you were 10 years ago.


8 Feb 2015

On Encryption Keys (and Anthem) – Part 2 of 2

The Anthem breach encouraged me to wrap up this blog series and talk about key management in a genuine security context. When the Anthem breach was first made public, it looked as if patient records were accessed because of a lack of data encryption. Then Anthem stated the real reason for the breach: they only encrypt data in flight to/from the database(s) and rely on user credentials for access to data in the database. Why didn’t they encrypt the data in the database? Well, per Health Insurance Portability and Accountability Act (HIPAA) requirements, they don’t have to as long as they provide protection of the data via other means. Like elevated credentials.

That worked well, didn’t it?

They were compliant, but obviously not secure. To add more security to compliance programs like HIPAA, there have been some cries for enterprises to implement encryption. So how do you encrypt data properly? Well, it all depends on your environment, the sensitivity of the data, the threat models, and any tangible requirements for regulatory compliance. Here are some general guidelines:

  • Use validated encryption.
  • Use strong, well-generated keys.
  • Manage the keys properly.

Use validated encryption. Federal Information Processing Standard (FIPS) 140 is the gold standard. The Advanced Encryption Standard (AES) is one of the FIPS-approved algorithms for data encryption, and it is a better encryption algorithm than what Joe the Computer Science Intern presented in his thesis project. It just is. Plus, part of the FIPS 140 process involves strenuous black box testing of the algorithms: the implementation is run against known-answer test vectors to ensure it produces exactly the results the standard requires. This is crucial for interoperability, and a proper implementation of the AES standard also provides a measure of confidence that gross faults are absent (note that this testing checks the correctness of outputs, not resistance to side channels). Always look for the FIPS 140 certificate for your encryption solution.

Use well-generated keys. A password-based key (PBK) is crap. Here a key is derived from a password by running it through a message digest function. PBKs are crap because most passwords are crap: the attacker doesn’t have to search the key space, only the much smaller password space, so they’re subject to dictionary and brute-force attack and just should not be used. Password-Based Key Derivation Function v2 (PBKDF2) makes password-based keys a bit stronger by mixing in random elements (called salt), which defeats precomputed tables and forces each password to be attacked separately, and by iterating the digest many times so that every guess costs more. But the threat is still there: a weak password falls to a dictionary attack no matter how much it is stretched.

Keys should be as unpredictable and “random” as possible. Unfortunately in software environments it’s difficult to obtain truly random data because computers are designed to function predictably (if I do X, then Y happens). But let’s say you can get entropy from a hardware source on your mobile device or your appliance. Use that to seed a conditioning function and/or an approved deterministic random bit generator (DRBG). Then use that output for your key.

Use strong keys. The strength of a key depends on how it’s generated (see above) and how long the key is. For example, the AES algorithm can accommodate key sizes of 128-bits, 192-bits, or 256-bits. Consider using a key size that correlates to the overall sensitivity of your data. In Suite B, 256-bit keys can be used to protect classified data at the Top Secret level. Is your data tantamount to what the government would consider Top Secret?

Also consider the environment. Constrained and embedded environments (think wearables) may not have the processing power to handle bulk encryption with 256-bit keys. Or maybe data is ephemeral and wiped after a few seconds and therefore doesn’t need “top secret level” encryption. Or maybe there’s just not enough space for a 256-bit key.

Use a key that is strong enough to protect the data within the constraints of the environment and one that can counter the threats to that environment.

Manage your keys properly. You wouldn’t leave the key to your front door taped to the door itself. Hopefully you don’t put it under the doormat either. What would be the point of the lock? The same applies to information security. Don’t encrypt your data with a strong, properly generated data encryption key (DEK) then leave that key under the doormat.

Consider a key vault and use key encryption keys (KEK) to encrypt the data encryption keys. Access to this key vault or key manager should also be suitably locked down and tightly controlled (again, many different ways to do this). Otherwise you might as well just not encrypt your data.

While we’re at it: rotate your keys, especially your KEKs. Key rotation essentially means “key replacement”, and it limits the damage in case a key or the system is compromised. When you replace a key, zeroize the old one (overwrite it with 0s or Fs) in memory and in storage so that a retired key can’t be recovered later.

Store those DEKs encrypted with KEKs and protect those KEKs with tools and processes. And remember to balance security with usability: rotating your KEK every 2 seconds might be secure, but is your system usable?
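As an added example (not code from the original post), here is a standard-library-only Python sketch of the guidance above: a password-derived key falls to an offline dictionary attack even with PBKDF2 and a salt while a key from the OS CSPRNG does not; data encryption keys (DEKs) are only ever stored wrapped under a key encryption key (KEK); and rotating the KEK rewraps the DEKs and zeroizes the old KEK without touching the encrypted records. Python’s standard library has no AES, so the wrap/unwrap primitive here is an assumed stand-in (SHA-256 keystream plus an HMAC-SHA256 tag, encrypt-then-MAC) used so the example runs offline; in a real system that step is AES Key Wrap or AES-GCM from a validated module. The KeyVault class, the wordlist, the record and the lowered iteration count are constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- key generation ---------------------------------------------------------

def pbkdf2_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt defeats precomputed tables, the iteration count taxes each guess."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def random_key() -> bytes:
    """256-bit key straight from the OS CSPRNG; there is no password to guess."""
    return secrets.token_bytes(32)

def guess_password_key(target_key: bytes, salt: bytes, iterations: int, wordlist):
    """Offline dictionary attack: the salt is stored beside the ciphertext, so the attacker has it."""
    for candidate in wordlist:
        if hmac.compare_digest(pbkdf2_key(candidate, salt, iterations), target_key):
            return candidate
    return None

# --- stand-in wrap primitive (assumption: the stdlib has no AES) -------------
# SHA-256 in counter mode as keystream, HMAC-SHA256 tag over nonce||ciphertext (encrypt-then-MAC).
# A placeholder for AES Key Wrap / AES-GCM from a validated module, so the example runs offline.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unwrap(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key or a tampered blob raises instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- key hierarchy: DEKs are only ever stored wrapped under the KEK ----------

class KeyVault:
    """Constructed stand-in for a key manager; the KEK itself would live in an HSM."""

    def __init__(self):
        self.kek = bytearray(random_key())  # bytearray so it can be zeroized on rotation
        self.wrapped_deks = {}              # name -> DEK wrapped under the current KEK

    def new_dek(self, name: str) -> bytes:
        dek = random_key()
        self.wrapped_deks[name] = wrap(bytes(self.kek), dek)
        return dek

    def get_dek(self, name: str) -> bytes:
        return unwrap(bytes(self.kek), self.wrapped_deks[name])

    def rotate_kek(self) -> None:
        """Rewrap every DEK under a fresh KEK; the records encrypted with the DEKs are untouched."""
        new_kek = bytearray(random_key())
        for name in list(self.wrapped_deks):
            self.wrapped_deks[name] = wrap(bytes(new_kek), unwrap(bytes(self.kek), self.wrapped_deks[name]))
        for i in range(len(self.kek)):      # zeroize the retired KEK before dropping the reference
            self.kek[i] = 0
        self.kek = new_kek

def demo() -> dict:
    """Run the three points end to end and return the outcomes."""
    salt, iterations = secrets.token_bytes(16), 1_000   # iteration count lowered for the demo
    wordlist = [b"letmein", b"hunter2", b"password1", b"qwerty"]  # constructed
    cracked = guess_password_key(pbkdf2_key(b"password1", salt, iterations), salt, iterations, wordlist)
    uncracked = guess_password_key(random_key(), salt, iterations, wordlist)

    vault = KeyVault()
    dek = vault.new_dek("patient-records")
    record = wrap(dek, b"constructed patient record")
    old_kek = bytes(vault.kek)
    vault.rotate_kek()
    try:
        unwrap(old_kek, vault.wrapped_deks["patient-records"])
        old_kek_still_works = True
    except ValueError:
        old_kek_still_works = False
    return {
        "cracked_password": cracked,                                   # b"password1"
        "random_key_cracked": uncracked,                               # None
        "dek_survives_rotation": vault.get_dek("patient-records") == dek,
        "record_still_readable": unwrap(dek, record) == b"constructed patient record",
        "old_kek_still_works": old_kek_still_works,                    # False
    }
```

The point of the hierarchy shows up in rotate_kek: the only thing rewritten is the small table of wrapped DEKs, not the bulk data, which is why KEK rotation can be frequent while DEK rotation is the expensive operation that has to be planned around usability.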

Anthem wanted the data to be useful, which is why it wasn’t encrypted at the database. But that usability came at a high cost. The good news is that it is possible to encrypt data and have it be usable.


Encryption is a critical, necessary piece of a system’s overall security posture. But it’s not the sole answer. In Anthem’s case, records were accessed via those “elevated user credentials” … which means that malicious hackers were able to get into the authentication server and raise the privilege levels of user credentials (usernames/passwords) that they either knew or gleaned from the auth server. So in this case, it’s irrelevant whether the breached data was encrypted; the hackers had authenticated and authorized access to it.

So what’s the answer?

When this was first reported I tweeted this:

[Tweet image not reproduced]

Defense in depth means providing security controls to address all aspects of the system: people, process, and technology. Technology is the most difficult pillar to lock down because there are so many layers and threats, hence so many products such as firewalls, IDP, APT, IDS, SIEM, 2FA, AV, smart cards, cloud gateways, etc.

Encryption is a fundamental element for security of data at rest and data in motion (control plane and data plane). Even the strongest encryption with proper key management won’t protect data that is accessed by an authorized user, because it has to be usable. However, encrypted data and tight management of keys provides a critical, necessary piece to a robust security posture.

I hope this provides some guidance on how to think about encryption and key management in your organization.



3 Feb 2015

Privacy, Liberty & Encryption

David Cameron

It is unfortunate, that in the aftermath of the Charlie Hebdo murders and hate crimes in France, rallying cries for freedom of speech were twisted to interpret “free” speech as the opposite of “private” speech.  A few weeks ago, British Prime Minister David Cameron spoke out, radically saying that “we must not allow terrorists safe space to communicate with each other,” going on to suggest that there should be no means of communication which the government cannot read.  I’m in no way sympathetic to extremists or rebels who leverage privacy to plan nefarious and destructive acts, but I am certainly sympathetic to all of the innocent, law-abiding citizens whose civil rights would be trampled by such a policy.

It was just a few short months ago that certain US government officials cried foul when Apple solidified their encryption capabilities to the point that consumer data could not be deciphered, even under federal subpoena. As Matthew Green wrote at the time, “Designing backdoors is easy. The challenge is in designing backdoors that only the right people can get through. In order to maintain its access to your phone, Apple would need a backdoor that allowed them to execute legitimate law enforcement requests, while locking hackers and well-resourced foreign intelligence services out.” For this, among a myriad of other reasons, Apple relieved themselves of the headache and built the ‘Secure Enclave’ instead. Individual iPhones encrypt extended data using a unique key, mathematically derived by combining the user’s passcode with a set of secret numbers that are built into the phone. Tim Cook himself couldn’t decrypt it without the user’s passcode and physical access to the device. By extension, Apple is now rid of thousands of subpoena requests and pressure from a variety of global governments.

Despite the claims that law enforcement’s hands would be tied by this development in time-sensitive situations such as kidnapping cases, Bruce Schneier asserted in a CNN editorial that “of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping.” So much for that theoretical importance of maintaining access to user phones. More importantly, Schneier points out that phone data “can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments.”

This is another complication. Even if the FBI and other US law enforcement agencies were the absolute pinnacle of tech-fueled crime-fighting and the removal of communication intercepts truly shackled their efforts… at least it closes the door to other, more suspect governments. Apple, Samsung and others can’t really play international favorites, after all. If they were able to, and willing to, provide backdoor access to the USA, they would have obligations to North Korea as well.

Apple washed their hands of the encryption problem by abdicating their role as a middle man and gatekeeper, and the internet didn’t break. Law enforcement and other agencies seem to still be solving crimes, even without their former favorite toy. Possibly most important, the ship has sailed before another government flexes their muscles. Just like Iran banned WhatsApp. Just like India forced Blackberry to provide a law enforcement backdoor. The UK has long been a supporter of citizens’ rights and privacy. Thankfully, Apple ended this conversation long before the Prime Minister’s kneejerk reaction, wishing out loud for a technology-driven vaccination from terrorism. We can only hope that other phone manufacturers follow suit quickly.

I sympathize with the victims in France. I understand the sentiments of David Cameron. But now, more than ever, it is crucial that we protect our liberty by protecting our privacy. If we are forced to sacrifice our rights, we have already lost the war.


24 Jan 2015

On Encryption Keys – Part 1 – What Is a Key?

Last week I met with a customer to help solve, among other things, some challenges around key management and key lifecycles. I thought I’d kick off a blog series on keys: what they are, their generation, use, recommended strength, etc.

First, let’s briefly address what a key is: a key is what protects your data. It’s a (hopefully!) secret parameter fed into an encryption algorithm to obfuscate data in a way that only someone with the same key can decrypt the data and read it as intended.*

Here’s how I explained it to my 10-year-old daughter:

Think about the door to our house. When the door is locked, only someone with a key can get inside. (Ok, that sounds more like authorization, but stay with me.) When inserted and turned, the key hits the pins that trigger the locking mechanism and unlocks the door. That key is the only key that can lock and unlock our door.

While quite elementary in my mind, it’s a relatively good example of the value and importance of the key lifecycle, which I briefly discussed with my daughter after she asked the following questions:

  • What if someone copies the key?
  • What if our neighbors lose our spare key?
  • How do we know if someone else used our key?
  • Does someone else’s key work in our lock?

All are relevant questions in relation to cryptography as well. Over the next couple of weeks, we’ll talk about how keys should be generated, ideal key sizes, and general key management issues and best practices.

Fair warning: there is no single, correct answer. We’ll use this series to address dependencies and variables such as environments, data sensitivity, and threat models.

*This is known as symmetric encryption, where one key encrypts and decrypts data. In asymmetric encryption a public key is used to encrypt data and only its associated private key can decrypt the data.
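The door-lock analogy and the footnote's symmetric model, as an added example that is not part of the original post: one secret key "locks" (encrypts) the data, the same key unlocks it, and anyone else's key fails. It uses Go's standard-library AES-GCM, which also answers the "Does someone else's key work in our lock?" question concretely, because authenticated encryption rejects a wrong key or a tampered ciphertext with an error instead of producing garbage. Function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newKey draws n random bytes from the OS CSPRNG; 32 bytes selects AES-256.
func newKey(n int) []byte {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return k
}

// newGCM builds the AES-GCM "lock" for a key; a wrong key length is rejected.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symEncrypt: one secret key locks the data. The fresh random nonce is
// prepended so the key holder needs nothing else to open the result later.
func symEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := newKey(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symDecrypt: only the same key unlocks it. GCM's authentication tag turns a
// wrong key or a tampered ciphertext into an error, not silent garbage.
func symDecrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

A copied key behaves exactly like the original, which is why the daughter's first two questions (copies and lost spares) are key-management problems that no algorithm can solve on its own.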



5 Jan 2015

My Worry and Optimism for Cybersecurity in 2015


Let’s face it – 2014 was pretty bad from an information security perspective, and I believe we will see a rise in the frequency, severity, and publicity of malicious hacks and breaches in 2015.

I’m worried that as a community, hell, as a society, we won’t see enough progress in this uphill battle of infosec. I’m not blaming anyone or pointing fingers. Security is hard because every organization is different: different people, different policies, different network topologies, different vendors, different missions, etc. (and that is why there is no silver bullet for security). In general, I’m worried about some SMBs that lack the resources to set up a proactive security posture. I’m concerned about some large enterprises that will continue to lag and not fully embrace security.

But… I’m optimistic. Security is at the tip of everyone’s tongue now. It’s “cool” … and cool is good.

SMBs have options for cloud productivity and storage solutions with security built in – at the very least, better security than what they could do themselves. Larger organizations can integrate many different solutions to enable their security posture.

Security is about defense-in-depth, which is to say having security at all layers, from policy and training to two-factor auth and encryption. Aggregate organizational differences can be met with the right technologies in the right place.

I’m optimistic because there are so many good and talented people working very hard to stay ahead of the bad guys. There are new technologies and new ways of thinking. There are VCs willing to fund such companies. There is more adoption and acceptance of security in the marketplace. There are companies with an assigned CISO to keep their business focused on security and out of the news.

So how do we make 2015 better to ease my worrying and reinforce my optimism?

Everyone: keep evangelizing. We have to keep talking about security and encouraging it. We need to think about security in new and emerging markets like wearables and IoT. I think after all the news in 2014, stakeholders are starting to get it. Perhaps we need better / tighter regulations. We need to talk about what’s real, what’s viable, and what’s manageable.

Product vendors: build security into your lifecycle. It’s doable. Microsoft initiated the Security Development Lifecycle with impressive if not astounding results. Cisco is doing it, along with many others. Security is a process. Bake it in to your software development. It’s good for you and your customers.

Buyers: check for the right encryption. Not all encryption is equal. Is your vendor using homegrown encryption written by Joe the Intern? Or is it standards-based? Just because a vendor says they implement AES doesn’t mean they do it correctly. Encryption needs to be correct to be true and interoperable. Look for FIPS 140 validation on your preferred vendor’s encryption library or ask for the certificate number.

All businesses: Assess the value of your data and where it resides. Then deploy the right products. Security is a process. Organizational security starts with security risk management, which guides the organization in protecting its assets. Before selecting security controls, the organization must know what data it needs to protect, the value of that data, and the lifecycle of that data. Whether protecting credit card numbers, user files, intellectual property, internal emails, provocative Mardi Gras photos, product roadmaps, money… all of that needs to be protected in an organized and actionable way.

Over time, we’ll explore more in each of these areas. In the meantime, this worrier is optimistic that we will stay focused, deliver, and do our best to make 2015 better.