Re: [Fed-Talk] Malware targeting ActivIdentity smart cards
- Subject: Re: [Fed-Talk] Malware targeting ActivIdentity smart cards
- From: William Cerniuk <email@hidden>
- Date: Fri, 13 Jan 2012 15:56:24 -0500
Good point, layer on the pieces and increase the number of points of vulnerability. It is just the KISS rule not being applied to engineering. Call it a liability, vulnerability or just a "joint" in the part where failure can more easily occur. Reduce the complexity and reduce the liability / improve the design.
I had decent success with using the built-in smart card support for signing and encrypting email under Snow Leopard. Now that it is open source and having to be added under Lion, is that a new part? It is the old part, just removed for the majority who don't need it.
Hmmm... :-)
Best,
Wm.
On Jan 13, 2012, at 15:49, David Emery <email@hidden> wrote:
> All true... But I think there's a different "sense of trust" between getting all of your IA/security stuff built into the OS, versus having to obtain and install some 3rd party package (even if you download it from a .mil site.) Note both Windows and Macs have this problem; I have to run Thursby PKard to get my CAC to work (and that package has given me some non-IA problems with potential for finger-pointing between Thursby and Apple, because the Thursby software causes an Apple process to crash.)
>
> dave
>
> On Jan 13, 2012, at 3:43 PM, William Cerniuk wrote:
>
>> It might be argued that any input to a computer is a point of vulnerability.
>>
>> How easy is it to design a wedge driver for USB or Bluetooth? Essentially capture everything in the flow in from the analog world to the digital world. It does not matter how NIST certified your crypto is on that hard drive or that CAC/PIV card; as long as the interface to the device does not have a direct connection to the encrypted device, it is an easy point of attack.
>>
>> The only way a PIV or a CAC card can be secure from electronic data capture at PIN entry is to have a membrane keypad on the CAC/PIV card itself. But... then it could be argued that a RF monitor embedded below the desk surface, sufficiently close to the PIV card, could pick up the RF leakage and determine the codes based on keypad voltage variations and the resulting RF output from key presses.
>>
>> The most secure system is a system that is not used... which frequently is the result of attempts at risk elimination vs mitigation ;-)
>>
>> Best,
>> Wm.
>>
>>
>> On Jan 13, 2012, at 15:11, David Emery <email@hidden> wrote:
>>
>>> Independent of the problems Windows has with vulnerabilities, this highlights the problems in depending on a 3rd-party add-on as an element of what should be your Trusted Computing Base!
>>>
>>>> ...
>>>>> With ActivIdentity as the target, the attacks are clearly aimed at U.S. defense departments, the Times added. But it's as yet unknown what information the hackers have so far been able to capture.
>>>
>>>
>>> dave
>>> -----
>>> David Emery, 703 298 3473 (c) 703 272 7496 (fax)
>>> Supporting PdM Software Integration
>
> -----
> David Emery, 703 298 3473 (c) 703 272 7496 (fax)
> Supporting PdM Software Integration
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden