Ray Potter | SafeLogic

All posts by author

15 Oct 2014

Putting a Muzzle on POODLE

You may have seen the news about POODLE recently.  The good news is that it’s not as severe as Heartbleed, which affected server-side SSL implementations and had repercussions across most web traffic. The bad news is that it’s still seriously nasty.

POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption and essentially allows an attacker to decrypt SSL v3.0 browser sessions. This man-in-the-middle attack has one major constraint: the attacker has to be on the same wireless network.

That renders POODLE irrelevant because everyone locks down their wireless networks, right? Oh yeah, except those customer-friendly coffee shops with public wifi. In places like Palo Alto, you can bet there is a *lot* of interesting information going over the air. Or at conferences, where diligent employees handle pressing business and aggressive stock traders log in to their accounts to buy the stock of the keynote speaker (or short it if his presentation lacks luster).  The threat is real – session hijacking and identity theft are just the tip of the iceberg.

It’s worth noting that this is a protocol-specific vulnerability and not tied to vendor implementation (such as Heartbleed with OpenSSL and the default Dual_EC_DRBG fiasco with RSA). That makes it a mixed bag. The issue affects a wide variety of browsers and servers (Twitter, for example, scrambled to disable SSLv3 altogether), but users do have some control.  This is because SSLv3 can also be disabled in the client within some browser configurations, so check your current settings for vulnerability at PoodleTest.com and install any patches when available for your browser.

Some browser vendors have already made moves to patch against this threat and permanently disable SSLv3.  Meanwhile, others have dubbed server-side vulnerability “Poodlebleed” and offer a diagnostic tool to assess connectivity.

From a government and compliance perspective, Federal agencies should be using TLS 1.1 according to Special Publication 800-52 Rev 1. TLS 1.1 is not susceptible to POODLE. FIPS 140 validations and SafeLogic customers are not affected.
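For the server side of the SSLv3 shutdown described above, here is an added example (not code from this post or from SafeLogic) that audits configuration text for lines that still leave SSLv3 enabled. The nginx `ssl_protocols` and Apache `SSLProtocol` directives are real; the sample configuration is constructed, and the Apache handling is a simplified, conservative model that assumes `all` includes SSLv3.

```python
import re

# Real directive names: nginx `ssl_protocols`, Apache mod_ssl `SSLProtocol`.
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|SSLProtocol)[ \t]+([^;#\n]+)",
                       re.IGNORECASE | re.MULTILINE)

# Assumption: Apache's `all` shortcut includes SSLv3, as in 2014-era builds.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def enabled_protocols(directive, args):
    """Return the lower-cased set of protocols one directive line enables."""
    tokens = args.split()
    if directive.lower() == "ssl_protocols":
        # nginx: a plain allow-list of protocol names.
        return {t.lower() for t in tokens}
    # Apache: evaluate tokens left to right. Simplified, conservative model
    # (an assumption of this example): bare or "+" adds, "-" removes.
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else "+"
        name = tok.lstrip("+-").lower()
        names = APACHE_ALL if name == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def audit(config_text):
    """Return (line_number, directive_text) for each line that leaves SSLv3 on."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        if "sslv3" in enabled_protocols(m.group(1), m.group(2)):
            line_no = config_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(0).strip()))
    return findings


# Constructed sample input: two nginx server blocks and two Apache lines.
SAMPLE = """\
server { listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server { listen 8443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
# ssl_protocols SSLv3;
"""

if __name__ == "__main__":
    for line_no, text in audit(SAMPLE):
        print(f"line {line_no}: SSLv3 still enabled -> {text}")
```

A configuration with no protocol directive at all inherits the server's built-in default, which this check does not report, so review those hosts separately.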

If you’re interested in a deep dive, I recommend this fantastic technical post by Daniel Franke, which also provides a great history of SSL and its challenges.


6 Oct 2014

It’s Q4 Already?

It’s hard to believe we are in Q4 already. If you’re in the Bay Area, it still feels like summer!  But here we are, rapidly approaching Halloween and the holidays, watching football and playoff baseball.

I don’t really do quarterly company updates on the blog; in fact, I think Walt would argue I don’t write enough blog posts in general. But I’m just too excited. SafeLogic has had a great year and I’m really proud of the work that the team has done. A more detailed recap will happen towards the end of the year – Walt will be sure of that!

I’m on the way to Orlando now to talk at Gartner Symposium about security and compliance with Paul DePond of Globo, one of our customers in mobility. If you follow us on Twitter (and why wouldn’t you?), you’ll notice that I’ve been on the road speaking quite a bit recently. The content has been a blend of education and evangelism. I’m trying to get developers in emerging areas of technology to think about building security in to their solutions. I know it’s no easy task but I want to be sure folks are thinking about emerging threats. It’s easier with SafeLogic, but that’s another story. I want folks to understand the need for and value of strong encryption built with compliance in mind.

We have talked to customers and potential clients in some very cool new spaces, and it’s encouraging to see a more mature comprehension of the advantages offered by validated crypto.  Questions from analysts and press are becoming more sophisticated, and end users are really adapting to the landscape.  It’s gratifying to see folks genuinely care about how their data is being protected.

It’s been a very fun and very busy year… and we have some cool surprises in store, in both the short and long term. I can’t wait to share more.


3 Jul 2014

Happy Independence Day!

Wow.  It feels like just yesterday that I blogged about the importance of our freedom and opportunity, and how thankful I am to be thriving in the USA.  That was a year ago.  In ‘SafeLogic Time’, where we try to compress a month’s work into a week, and a year into a month, this feels more like a decade!

Much has happened since the summer of ’13.  I encourage you to go back and re-read some of our blog posts to recap.  It’s really pretty interesting to harken back to the challenges that we were facing last year and how we have solved some, while others are very much still threatening.  We will be selecting certain posts as suggested reading for what the Twitterverse likes to call #ThrowbackThursday… although I know that Walt really enjoyed X-Men: Days of Future Past, so that might be contributing to the retro theme too.

Some things have definitely remained the same.  SafeLogic still pursues innovation in security and encryption, prioritizing the safety, privacy and liberty of our customers, and our customers’ customers.  I’m still thankful and proud to be an American, and I’m still planning to grill, watch fireworks and put away a few cocktails.

In a landscape strewn with failed companies, startups deeply in the red, and ousted executives, I’m excited for Independence Day.  I have a lot of pride as I continue to lead this company, as SafeLogic continues to operate independently, at a profit, and with no venture debt.  It’s the most clear, direct way that I can say definitively that we will be here when you need us.  Next month, next year, or whenever you’re ready.

Happy Independence Day!


18 Jun 2014

Tizen, Connected Cars and Buggy Whips

Two weeks ago, I had the privilege of giving a presentation at the 2014 Tizen Developer Conference.

The first thing that you should know is that this was a fantastic event.  Most of us will hear “user group” or “developer conference” and reminisce about our own early experiences, the coffee-and-donuts geek meetups, complete with a folding chair for each wannabe Wozniak.  This was much more.  With a variety of speakers tackling an equally diverse set of topics over a three day stretch, and a significant investment of time, money and energy from Intel and Samsung, I highly recommend attending in 2015 if possible.  It was a very smooth and well-coordinated conference, for speakers, attendees and exhibitors alike.

The second thing that you should know is that my session rocked.  ‘Security-Centric Development for IoT and Wearables’ was one of the few talks that had a specific focus on data protection.  My hope is that I was able to influence attendees to consider security as a non-negotiable aspect of their development efforts, and maybe next year we will see more like-minded sessions on the agenda.  At the very least, I had fun launching SafeLogic footballs into the audience and nobody got a concussion.

To be honest, I was blown away by the ideas bouncing among the audience.  There were developers from seemingly every corner of technology, all with a vision of success based on the same operating system.  It was inspiring to see how many different folks saw potential in the same place.  Since the conference, it has felt like everywhere I look, there is another potential application for Tizen, another opportunity to join the Internet of Things and another chance to connect.  The scary part is that it all has to be secured.  Remember, IoT is only as strong as the weakest link.

One session at the Tizen Developer Conference included a discussion of the connected car collaboration efforts of the Linux Foundation, IBM, Intel and Local Motors.  It made me think of the article I had just read on CNN, aptly titled ‘Your car is a giant computer – and it can be hacked’.  Scary stuff, and spot on.

The Toyota Prius has solidified its place in the garage of everyday Americans based upon efficiency, not horsepower, and has been immortalized as the test mule for Google’s self-driving car project.  Tesla’s fully electric Model S was the top selling full-sized luxury sedan in 2013… not bad for a vehicle designed by tech geeks.  Google has pushed the envelope even further now, internally developing prototypes for an all-new self-driving vehicle that incorporates features of both.  The landscape is clearly changing – and quickly.

Steering wheels are the next buggy whip, and data security will be more important to safe transportation than seatbelts.  Driver error will be replaced by the threat of compromised communications.  Could you imagine arriving at your destination, only to find yourself at a location chosen by a malicious hacker?  Or having your vehicle overridden and driven into a wall, off a cliff, or into a lake?  There is serious potential in self-driven cars, but even more serious potential for disaster.

The Tizen platform is not uniquely vulnerable to these threats.  All of IoT inherently is.  A smart toaster in your kitchen has to be as secure as your car, even though it isn’t 3000 pounds of metal going 70 miles per hour.  Until developers begin treating all devices with the same level of respect, I encourage all of us to tread carefully.  Hackers relish the challenge of creating mischief as much as they value the results, so assume that you may be a target.  We all are.

If you are a developer in IoT, please check out CryptoCompact.  We have begun our pilot program, so consider it an open invitation to integrate military-grade encryption within your project.  We’re all in this together, so let’s stay safe.


8 Apr 2014

SafeLogic Responds to Heartbleed

We just issued an advisory notice for customers regarding the recent Heartbleed vulnerability in OpenSSL.

The issue doesn’t reside within our CryptoComply module; it’s in the higher level OpenSSL libraries that (can) call into our CryptoComply module. This means there is no FIPS impact to our customers… however, there is a security impact.

Folks, this is serious stuff. Key material is subject to being disclosed to attackers. Even if you’re using another crypto module with your vulnerable OpenSSL implementation, patch it immediately. But just patching it isn’t enough. Consider this the right time to update your keys and certificates. You should assume that an attacker knows them by now. 

I have to say that I’m very proud of the SafeLogic team here. We responded and had new builds commencing within a few hours of the notice. We provide the upstream OSSL stack as a value to our customers, and it’s important to all of us that they run securely. Builds run through smoke testing and functional testing to ensure proper operation for FIPS, and builds are available on our support portal.

We’ll continue to stay on top of this. We’re not only looking to help our customers… we want to help protect the industry at large. This is that big of an issue. Security awareness becomes key, so let’s keep this at top of mind.

26 Mar 2014

Are We Ready for IoT?

As an industry, we’re not over the hump for mobile security yet. We’ve gone from protecting the device to protecting the app to protecting the data. We’ve come a long way in terms of security for mobility, and we still have a long way to go.

And yet a new challenge looms.

I’m talking about the Internet of Things (IoT).  IoT is a connected, well, everything. Cars, wearables, home automation, industry-specific devices, etc. It will all be connected. The Internet of Things market will be huge. Even data centers are prepping for its rise. Some folks have justifiably begun calling it the Internet of Everything.

So are we ready for IoT? Well, at SafeLogic, we are. Over the next few weeks you’re going to see some new blog posts and an exciting announcement. We’re going to talk about risks, challenges, and solutions. Because after all, we are only as secure as our weakest link.  In IoT, there are so many links that we don’t have a choice – we have to get it right from the start.

10 Mar 2014

What a Week: Part Two

Last week, I had the honor of talking security at the first ever Wearables DevCon. After my successful presentation on security in constrained devices at the RSA Conference with Whit Diffie, I was excited to focus specifically on wearables.  It was an excellent show, and I want to summarize a few key points.


This conference was very well attended. I’m not always the best judge of numbers, but there had to be a couple hundred people there easily. It’s very cool to see that kind of energy and traction, especially for a first-time conference.

Consumer vs. Enterprise. That seemed to dominate a lot of hallway discussions. Certain sessions focused on developing wearable apps that consumers would embrace, while others talked about solving challenges in the enterprise. As the race for finding and building the “killer app” for Glass heats up, it’ll be interesting to see in which area it falls. One thing that was accepted across the board:  the wearable and IoT market will be HUGE; it’s just a bit nascent at this point.

There was only one session focused on security. I have to admit, I’m happy that we had a chance to speak at this event. Not just for press or publicity, but because I want to get the community thinking about security from the beginning. It’s not as glamorous as UI design, API leverage, etc., but it needs to be a core component, especially concerning the enterprise and other data-sensitive verticals.

I really enjoyed my talk, mainly because of the excellent engagement from the audience. It was a very interactive session, and I loved the energy in the room! We talked about compliance, risks, CryptoCompact, the need for security in different verticals, why the wearable market will face challenges when it comes to security, and what we can do about it. We talked about lessons learned from the mobility side and how we can apply them in wearables and IoT early on… before we potentially see a BYOW movement take root.  (Yes, that’s ‘Bring Your Own Wearable’.) We covered a lot of ground in an hour!

Thank you to the conference organizers for putting on a great show and giving us the opportunity to speak. And thanks again to everyone in our session! I’m looking forward to continuing the discussion.

3 Mar 2014

What a Week!

On Friday, I headed home.  The lobby at the St. Regis was eerily quiet and the hotel staff looked rather relieved to see all the conventioneers gone.

I learned a few key things at the RSA Conference this year.


1)   Even when Mobile World Congress and HIMSS are scheduled at the same time, we can still get a ridiculous number of security-conscious folks to assemble in San Francisco.

2)   Corporate acquisitions inspire equal parts excited speculation and cynical skepticism.

3)   People are tired of hearing the same spiel from familiar faces, but the new exhibitors got a ton of exposure.

4)   The NSA booth was an extremely popular photo location… and the various “Booth Babes” really weren’t. People seemed to care more about content than flash.

5)   Between the Snowden controversy, RSA-NSA cooperation, and now the Apple TLS/SSL snafu, people just don’t know where to turn.

The latter is an issue that will require more attention next week and will be addressed in this space.  Right now, it’s time to decompress and process everything.  The names, the faces, the suggestions and requests for our product roadmap, the potential partnerships – I can’t articulate how excited we are for the coming weeks.  The feedback at the conference was spectacular.

Thanks to all of you who shared your time with us, whether talking on the expo floor, having a drink with us at the SafeLogic hospitality suite at the St. Regis, or even just chatting in the elevator.  We know how valuable every minute is while on site, so thank you.  Your insight and perspective is a huge part of how we continue to refine our roadmap and goals.

If you missed my presentation with Whit Diffie on ‘Crypto for Constrained Devices’, stay tuned for the video on demand.  Or if you are local to the Bay Area, come see my related talk ‘Security Challenges in Wearables’ this Thursday at Wearables DevCon.

Cheers!

12 Feb 2014

Lee Kestler Joins SafeLogic Advisory Board

I’m very pleased to announce that Lee Kestler has joined the SafeLogic advisory board.

If you’re looking for the official statement, you should check out the press release. These are my thoughts, unfiltered, about bringing Lee into the fold.

I’ve known Lee for over 10 years, going back to my days at Cisco. Since then he’s been a trusted colleague.  He’s one of the most honest and humble people I know, and he’s one of my Go-To guys when it comes to business development, building relationships, and asking tough questions.

Above all that, he’s a friend. Always willing to help, give advice, be a mentor, and share thoughts without asking for anything in return. I’ve always enjoyed our business conversations, and each one has given me something to ponder. I’m so happy we could make this advisory position official!

Lee, it’s great to have you on the team. Thank you for everything that you’ve already contributed, and I’m looking forward to growing SafeLogic, disrupting new areas, and kicking ass with you.

Let’s do this!

30 Jan 2014

The Internet of Things (To Protect)

The Internet of Things is under attack already, say researchers.  A smart refrigerator was hacked and used to disperse malicious code, for example.  So why are we not properly teaching folks that devices are vulnerable immediately upon connection?  Education on these topics will save us a lot of heartache and headlines in the next few years… and it might even save some lives.

In recent posts, Symantec’s Vince Kornacki and Bob Shaker point to some disturbing potential outcomes from building the connected home without properly factoring in security.  Sure, the hacked toaster oven is fairly innocuous, but burglars really could case entire neighborhoods by tracking homes’ thermostat activity.  Hackers more interested in anarchy and panic really could manipulate fridges to spoil food and use unsupervised ovens to start fires.  Kornacki points out that simply disabling a home’s heater could produce disastrous effects in frigid climates, and the inverse is true as well.  Denying air conditioning to a desert dweller in August could quickly turn cruel or even fatal.

We have seen what happens in other sectors when we let technology develop too far without factoring in security.  Unfortunately, many manufacturers will ignore security as long as possible, until their consumer audience demands it.  So let’s stop, take a deep breath, and educate the public.

Rules to Remember

  • If it’s connected to the internet, it can be hacked.
  • If it can be hacked, it can be manipulated.
  • Everything that has data in transit or at rest should be encrypted.
  • Encryption is not all created equal, so it should be verified.
  • If it has a camera, someone might be watching you.
  • If it has a camera, someone might be watching your internet traffic instead of you.
  • If it has a password, change it to a strong code.
  • If it doesn’t have password protection available, ask why not.

Manufacturers will drag their feet until we, as buyers, make it clear that we want secure devices.  We should not be buying any connected devices that do not have privacy safeguards available.  Speak with your wallet and be patient until viable options are on the market.  And then, it will be game on for the Internet of Things!