Townsend Security Data Privacy Blog

Robbn Miller


Alliance Key Manager and Meltdown/Spectre

Posted by Robbn Miller on Jan 12, 2018 2:19:14 PM

The security vulnerabilities known as Meltdown and Spectre, which involve speculative execution logic in a variety of Intel and non-Intel architectures, also affect the Townsend Security product Alliance Key Manager through the SUSE Linux operating system. Exploitation of this vulnerability is primarily accomplished through user access to the server environment. Alliance Key Manager does not provide user access to the server. Therefore, the risk of exploitation of this vulnerability is considered low. However, Townsend Security is providing a software update to address this issue.

If you wish to apply this update please contact Townsend Security support. 

A customer service representative will provide you with information on installing the update.

As has been widely noted, you may experience some performance degradation related to the Meltdown/Spectre software fix. This will not affect most Alliance Key Manager customers. However, if you process a large number of keys (thousands or more) you may wish to apply the patch to a failover server first and test the performance. Townsend Security will assist you with any performance proof-of-concept if needed.

Please be advised that customers using Alliance Key Manager in virtualized environments (cloud, VMware, etc.) also run some risk related to any hypervisor that is subject to this vulnerability. Please contact your cloud service provider or virtualization software provider for more information.

 

Topics: Alliance Key Manager

How Secure are Your Passwords?

Posted by Robbn Miller on Jan 8, 2013 9:42:00 AM


Password: (noun) a variable length combination of characters, numbers and special characters, that gives their user a false sense of security.

We hear it all the time: a business was hacked, a database compromised, accounts ransacked, notification and liability, password cracked, blah blah blah. “How can this happen?” “Why didn’t they create a stronger password?” Well, before you get too indignant, how well are you protecting your own data?

Is your password sufficient to stop the minions of organized crime, bored fifteen-year-olds killing time, or other ne’er-do-wells intent on accessing your data?

It is difficult to remember different passwords, which is why 60-65% of people use the same password or similar passwords.  This translates into it being more convenient to use your cat's name plus the month number and something about the website itself, then just change it every month.  And that would look like this:

Amazon: (Puddy06Amaz) then (Puddy07Amaz) then (Puddy08Amaz)
Comcast: (Puddy09Com) then (Puddy10Com) then (Puddy11Com)

And before you blame the cat for having an insufficiently difficult name, just think how silly it would be standing outside and calling “Here BH-jk!nhb#$@$n_8.”

So you can see it's just a matter of time before they get to your bank. How do they figure out the pattern? Look at your Facebook page, your Twitter. How often do you post about your favorite sports team, your pets, your kids, your hobbies? After they look at that, it's just a matter of time before they figure you out, and they have all the patience in the world.

You might slow the attackers down by using a passphrase instead of a password. Use a phrase from your favorite book, movie, or song. (1 phrase will rule them all!!) (I ain't never birthed no babies b4) (8 Days a Week)

Alternatively, have a password pattern for general accounts and a very different pattern for more sensitive accounts. Preferably one that you don’t plaster all over Facebook!

Then of course there are the other attacks, such as dictionary, malware, phishing and brute-force.

One way to help protect yourself is to get a password vault. With these you only have to remember one password or passphrase to unlock the vault and have access to your passwords. 

Once you set it up, these vaults will randomly generate unique passwords for each website or account making it easier for you to reset passwords on a regular basis (a good practice to get into) and you don't have to make them up or remember them!

I'm not saying that businesses don't have responsibility in this; they need to get on board as well. How many sites do you go to where the passwords are restricted and:

  • Has to be between 6 and 10 characters long
  • Has to start with a letter
  • Has to have at least 1 number
  • No spaces or symbols

Really? That limits you so much and, again, just a matter of time with the right computer program to figure that one out.

And then you forget your password anyway, so you call them.  Customer service tries to be as helpful as they can be: "Well, your password is a word and number." And when you still don't quite get it: "It's a place you might like to vacation and it starts with H" and by feigning forgetfulness, injected with humor, chatting up the Help Desk, you can get it narrowed down even more.

For the most part, people like you and me understand we are taking a risk, but we are still not willing to give up convenience.

How do you respond when your bank or other account calls you? Sometimes they ask for your zip code, date of birth, or address maybe to confirm they are indeed speaking with the owner of the account. But how do you know with whom YOU are speaking? You could call them back but that's inconvenient. Simon Davies of Privacy International suggests putting a nonsense word in the special instructions field on your account. Then when they call you, you ask them to read you that word. If they indeed are the bank, they have that word and can confirm it.

Technology is moving away from passwords and towards those things easier for us to remember and recognize on a personal level. We've seen pictures, for example, used with a pattern swipe, or face recognition. Right now that is still tied to a password or PIN and those are used as backup - so still hackable. But it's a move in the right direction.

Fingerprint recognition is accepted as highly secure and practically impossible to fool.  But a Japanese cryptographer got past such a device by using Gummi Bears.

Kevin Mitnick, a famous hacker turned good guy, got around a voice authentication by using a program that fakes his phone number on caller ID. He then made sure that each number was represented, and, calling the CEO of the company he was testing with, asked the CEO if he had the "new" phone number and would he read it off to confirm it displayed properly. Now he had the CEO's voice with every number and broke in.

As data thieves get smarter and your one-size-fits-all password becomes less secure, it is important to routinely change your passwords and not use the same password on multiple sites. Being in the security industry, we see plenty of preventable data losses. While there isn't much you can do to prevent the next big breach, you can at least make it hard for data thieves to take your lost information and use it to access your other accounts.

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CEO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, as well as the first steps your company should take towards establishing a data privacy strategy.

Topics: Data Privacy, password

Cancer - Not Just a Zodiac Sign for Townsend Security

Posted by Robbn Miller on Oct 4, 2011 10:01:00 AM

Cancer, directly or indirectly, affects everyone somehow.  It cares not about age, sex, wealth, your faith (or lack of it).  Cancer can develop in almost any organ or tissue in your body.  

Townsend Security's team has been struck three times by cancer.  So in true Townsend spirit we don't just sit around and do nothing, we FIGHT BACK and support each other and our communities!   

October is national Cancer Awareness Month, so to support those we love and those who have been afflicted, a few of us from Townsend Security flew to Chicago to participate in the City of Hope's 2011 Walk for Hope.  The City of Hope is an independent biomedical, treatment and education center.  Founded in 1913, and driven by compassion, researchers and caregivers at the City of Hope strive to bring the world closer to a cure.

We joined Sharon Kleinerman, one of our Account Managers, and her team at The Glen Town Center for the start of our 5k walk/run!  The Glen Town Center has been transformed from a naval base into a beautiful outdoor shopping center that includes a park with a lake and walking trails.  The shopping was tempting, but we were here to raise money to fight cancer.  Just as the walk was about to begin, a light drizzle began falling all around us and we became dubious about what the weather conditions might be for the rest of the day.  Fortunately, just as the walk started, the rain let up.  We began to think that we might actually have a dry walk after all.  However, half-way through...the rain was back with a vengeance.  The rain refused to let up but it couldn't dampen our (or any of the participants') excitement and enthusiasm.   Finally, an hour later, we finished - a team of 8 soaking wet WINNERS!!

While participating in the Walk for Hope we learned facts about cancer that are  good for everyone to know.  Did you know that the four most common cancers in the United States are breast, prostate, lung, and colon cancer?   Did you know there are simple ways to protect yourself against these types of cancer - things you can start doing today?

The Mayo Clinic offers 7 Tips to Reduce Your Risk of Cancer:

  • Don't use tobacco
  • Eat a healthy diet (THINK COLORS!!)
  • Exercise is your friend. Maintain a healthy weight and keep moving.
  • Protect yourself from the sun - even in rainy Olympia, those nasty rays are everywhere and they get through the clouds.  Just because you can't see the sun doesn't mean it is not there. Use sunscreen!!
  • Avoid risky behavior
  • Get immunized
  • Perform regular self exams - KNOW what to look for!!

Screening increases the chances of detecting certain cancers early, when they are most likely to be curable.

To learn more about how you can help:
The City of Hope
The American Cancer Society
St. Jude Children's Research Hospital

We invite you to take a look at all of our community sponsorships that we are a part of.  You can also follow us on Facebook, Twitter, and LinkedIn to see what we are up to next.

 


Topics: Giving, Community

Townsend Security 2011 Partner Training

Posted by Robbn Miller on Mar 15, 2011 9:19:00 AM

I invited a partner to come down from Seattle to learn about our key management appliance, Alliance Key Manager. It started innocently enough: we planned to meet on February 21st and discuss our encryption, key management and system logging solutions in the context of PCI compliance.  A week later, I received a call from an Australian partner asking to come by our office for training on Feb 21st. They were going to be in Seattle after the RSA Conference. I told them they were in luck, we were coincidentally conducting a training session on that very day, come to our office, we would love to host them.

We had two partners confirmed, why not ask a few more? Turns out some others were available as well.  Voila! The first annual  Townsend Security Partner Training was underway!!

The day started with a tour of our new offices - a must-see when in the Seattle area!! Training began with an overview of FTP Manager and PGP encryption.  Our latest release of FTP Manager, our managed file transfer offering, brings support for encrypted PDF and encrypted ZIP files as well as PGP administrative enhancements.

Break! After a fabulous lunch at a local Italian restaurant, we delved into the world of encryption key management, database encryption, and system logging.

Patrick Townsend, Founder & CTO, addressed the importance of encryption & key management as a means of protecting data and meeting PCI compliance. The renewed focus on "Dual Control" and "Separation of Duties" by QSA auditors is forcing many IBM i customers to move from homegrown key management to a better method of securing encryption keys.  He explained how compliance auditors' requirements have evolved from "you must encrypt" to "don't store your keys with your encrypted data" to "protect keys with a key manager" and are now converging on the message "that key manager should be FIPS-140 certified."

Finally, partners were introduced to what an end-user sees when we work with them.  We took them through a pre-sales walkthrough and through a post-sales support ticket.  Eppy Thatcher, one of our senior support engineers, walked everyone through a demonstration of Alliance Key Manager and LogAgent.  A few of our partners were surprised to learn that some compliance regulations require collecting system logs. Eppy showed  them how Alliance LogAgent can communicate with any SIEM solution and help satisfy system log requirements.

By the end of the day, everyone walked away with a solid understanding of how our solutions work and how they can help meet compliance regulations.  Our partners saw the benefits of being able to offer their customers NIST and FIPS-140 certified encryption and key management solutions. They realize that these certifications will guarantee encryption and key management is done correctly.

If you are interested in becoming a partner or attending the next partner training session, please let us know.

Robbn Miller, Channel Manager

Topics: Alliance Key Manager, Partner

Don't Just Love Us Because We Do Encryption & Key Management!

Posted by Robbn Miller on Mar 11, 2011 8:56:00 AM

Townsend Security heartily supports non-profit organizations in our community. So it comes as no surprise that several Townsend Security employees were spotted at the annual United Way “Power of the Purse” fundraiser last week.

The event raises money to help disadvantaged women, young and old, become more financially stable and self-sufficient.  This is a cause that speaks to the hearts of the strong women of Townsend,  how could we not show our support? 

Over 100 women (and a few men) from all backgrounds and professions joined together to meet new friends and support a wonderful cause.  We strolled the silent auction, enjoyed a wonderful meal and participated in the bidding frenzy of the progressive auction.  Funds raised from the auction went directly to support the financial stability of women and girls of Thurston County, where Townsend Security has its headquarters.
    
The evening was a success in so many ways. Over $10,000 was  raised to create scholarships and help fund the overall program. We were able to visit with old friends and make new acquaintances.  And as the Ladies of Townsend packed up our purses and treasures from the evening we couldn't help but feel fortunate to have been in such good company while  supporting a wonderful cause.

For the month of March 2011, Townsend Security is asking you to help us support the United Way.  Join the conversation and collaborate with fellow IT Security Professionals; we'll donate $1.00 for each new follower on Facebook, Twitter, or LinkedIn.

Topics: Giving, United Way