Re: [Fed-Talk] Filevault and FIPS
Re: [Fed-Talk] Filevault and FIPS
- Subject: Re: [Fed-Talk] Filevault and FIPS
- From: Allan Marcus <email@hidden>
- Date: Wed, 17 Dec 2008 11:50:17 -0700
PGP has a fatal flaw, IMHO. If the end user forgets or needs to have
the password changed, the end user calls the help desk. The help desk
simply looks up the end users computer in a database and provides a
recovery password. The end user uses the recovery password and can
reset her own password. Here's the problem, the recovery password is
still valid until the computer connects to the home network and talks
to the PGP server.
This flaw could easily allow a malicious entity to fairly easily gain
access tot he compute. Consider this. Traveler arrives at hotel and
leaves computer in room to go out for dinner. Bad guy accesses
computer and tries to authenticate. Authentication fails and user is
locked out. Traveler returns to room and attempts to log on but cannot
because she is locked out. She calls the help desk and get the
recovery password and changes her own password. Bad guy has phone
bugged and now has recovery password. Traveler goes the breakfast the
next morning and leaves computer in room. Bad guy enter rooms and now
is able to access computer.
May sound a little far fetched, but in the spy game it might very well
happen.
PGP is at the top of our list and we have reported our concern to
them. So far we have not heard that they will resolve this issue.
Until then, CheckPoint is also at the top of our list since we need to
protect all three major platforms.
---
Thanks,
Allan Marcus
505-667-5666
On Dec 17, 2008, at 10:16 AM, James Alcasid Veterans Affairs wrote:
Gary,
Interesting observation regarding CheckPoint. You may look into PGP
Professional. They have a whole disk encryption product using
modules that are FIPS 140-2.
From: "Simon, Gary" <email@hidden>
Date: Wed, 17 Dec 2008 11:59:56 -0500
To: "Marcus, Allan B. (LANL)" <email@hidden>
Cc: fed-talk <email@hidden>
Subject: Re: [Fed-Talk] Filevault and FIPS
We have been told by our Cyber Security folks that we cannot use
CheckPoint due to the fact that it is an Israeli product. We have
been looking at a Mac version of Credant, but my testing does not
show it to be ready for prime time at this point. At this point I
do not see a viable solution for disk encryption on the Mac that
will meet the DOE requirements.
With the situation with cameras in all the new laptops and monitors
(the display is a single unit and Holman’s cannot open it to disable
the camera) and the lack of a disk encryption solution, I can
foresee a ban on Mac laptops coming. I hope I’m wrong.
Gary
On 12/17/08 9:45 AM, "Allan Marcus" <email@hidden> wrote:
That is the current status.
We at LANL have no choice. Since FileVault is not NIST validated, we
are looking at alternatives like CheckPoint (formally PointSec).
There
is a rumor that DOE has some sort of site license with Checkpoint; I
am working to find out more info.
We have a similar issue with secure erase. Apple secure file erase
will not meet DOE standards, so we are looking at ShredIt X. I've
spoken with the developer and he will be added a DOE method to the
ways file can be securely deleted.
As for erasing a partition, we are looking at requiring a 7 pass
wipe,
then a zero data wipe. The reason for the final wipe is because DOE
requires two wipes with random data then one wipe with a known
pattern. The final known patter allows cyber forensics to verify the
erase. Again, neither Apple's secure file erase nor the partition
erase allow for this pattern. :-( I've opened tickets with Apple tech
support to have this changed, but I'm not hopeful.
---
Thanks,
Allan Marcus
505-667-5666
On Dec 16, 2008, at 2:24 PM, Simon, Gary wrote:
> Has anyone heard of any further status of Filevault and FIPS-140
> Certification. The NIST Modules in Process List dated 12/15/2008:
>
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
>
> Still shows it IUT (Implementation Under Test).
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden