June 2001

RESOURCES TO SECURE YOUR BUSINESS ENTERPRISE


zTrace Gold
zTrace
http://www.ztrace.com/
Price: $49.95 per license

Physical locks and alarms may deter a thief from stealing a laptop in a crowded airport or convention hall, but what if the owner of a laptop is the culprit? Never crossed your mind? Well, some people out there may think there's no harm in reporting their company-issued laptop stolen, then sending their kid off to college with it or selling it to a neighbor. Their employer would never know or care, right? Wrong on both counts.

With the zTrace recovery agent, companies remain one step ahead of unscrupulous employees and thieves. Developed by the company of the same name, zTrace transparently sits on the hard drive and is virtually undetectable. There are no icons, directories or items in the program menu indicating its presence. When a computer is registered with zTrace, it's given a unique ID number that's stored in the company's secured database. If the laptop is stolen, the owner either calls a toll-free number or e-mails zTrace to report the theft, and zTrace kicks into gear.

The company offers two versions of its flagship product. zTrace Basic is available as a free download from the company's Web site--offering full functionality of the software, but without the back-end recovery service. A trace is conducted, and the location is given to the user--it's up to him or her to pursue recovery. The Gold service is what makes zTrace (the company) different from its competitors. In addition to the basic tracing service, zTrace Gold includes a physical recovery-assistance service. Users of this service are assisted by a team of on-staff, retired Cambridge, Mass., police officers and detectives, who work with law enforcement in recovering the stolen machine. "Our customers buy our service for recovery of their notebooks, not for some fancy functionality or fancy printout," says Alex Faigel, the company's VP of marketing.

Each time a registered machine accesses the Internet, an alert is sent to zTrace. However, those alerts are ignored until a laptop is reported stolen. An SOS program is activated, enabling the zTrace team to pinpoint where the computer accessed the Internet, either by IP address or Caller ID on a land line. Next time that notebook connects, it'll send its IP address to zTrace, but now, the server will send a transparent message to the stolen machine. This message contains an agent that will drop the laptop's current connection and silently redial the company's 800-number without pop-up boxes or modem tones. The technology allows zTrace to receive all blocked and private calls, enabling it to get the actual phone number through which a stolen laptop is connecting. Meanwhile, the person using the stolen machine would think he's merely lost the connection, and try dialing in again.

The zTrace report contains enough information for police to launch into action. The key to making this service effective is the timeliness of police response. Unfortunately, most police departments place a low priority on laptop recovery, and justifiably so with the number of violent crimes on their blotter. Faigel says that, with the assistance of zTrace's on-staff detectives, there's enough "bandwidth" within any police department to recover a laptop within 24 or 48 hours. However, Det. Sgt. Todd Shipley of the Reno, Nev., police department's financial and computer crime unit says that Faigel's estimation is exaggerated.

Shipley says zTrace's claim that a police department could make the recovery in one to two days is a blanket statement, and that actual response time depends on an individual department's caseload. He also says the reality of law enforcement is that property crime and fraud are secondary and tertiary issues, simply because there's no one immediately harming someone. "I'm not saying these programs aren't valuable....I would encourage businesses to start using these kinds of things to help recovery--but it's only part of the puzzle," Shipley says.

Since its introduction approximately eight months ago, zTrace says it has signed 10,000 users, split between corporations and consumers. During that time, the company says that only three machines have been reported stolen, and all were successfully recovered. One instance involved zTrace pinpointing the IP address to the home of the subscriber's employee, who had reported it stolen.

The company is banking on organizations taking a proactive stand against stolen property. As Faigel puts it, "Some people wait until the house burns down to buy fire insurance."

zTrace is currently working on a version for handhelds operating on Palm OS and Windows CE platforms. The stolen PDA recovery agent, which works similarly when the handheld is synched, is expected out by Q4 this year.
-Christine St. Pierre


DominoSecurity.org
CHC-3 Consulting
http://www.dominosecurity.org/
Price: Free

If you have an Internet-facing system that isn't covered in the book Hacking Exposed, where do you get information about protecting that system? Well, up until now, those responsible for protecting Lotus Domino servers have lacked centralized information resources. Chuck Connell of CHC-3 Consulting, a Domino/Notes security consulting firm, has addressed that problem by creating a Web site dedicated to Domino security issues.

DominoSecurity.org is a first-generation Web site, consisting of just two levels of lists, and no frames or graphics. While the arrangement is primitive and offers very little of its own content, the site is a good start toward a comprehensive set of Lotus security links.

The first page of links is the "hotlist," an annotated set of links to sites containing information on known or suspected Domino vulnerabilities. It's a pretty small list of links, however, and it isn't clear that all of the listed service providers have specific experience with Notes or Domino. The site also includes a half-dozen links to companies that make security accessory products for Lotus. This list passes my credibility test--it includes links to firms that are probably competitors of Connell's firm. Willingness to include the competition shows me that the site's Web editor is trying to maintain a level of impartiality.

DominoSecurity.org is a simple site that offers links to Domino/Notes security-related Web sites.

Connell also provides links to other security Web sites, stating that the sites are generally wider in scope, but can still offer valuable information on Domino/Notes. Links to SecurityFocus.com and CERT.org present lists of bugs and vulnerabilities, while SecurityPortal.com and Information Security's site provide security-related information and news.

The discussion forum isn't tremendously active, but it's still fairly new, so presumably the volume will pick up. Discussion topics currently include authentication, key escrow and the potential for digital signatures on Web forms. Finally, the site also contains a link to the DominoSecurity mailing list, used for security alerts and new postings to the site.

This is a small site, but that's partly due to its novelty. Perhaps it's also a reflection of the market interest in this particular subject area. Still, Domino is one of the leading Web servers, and it provides built-in workflow and collaboration capabilities used to enable a type of Web server that continues to grow in popularity. Those who have taken the plunge and are currently using Domino to make sensitive information available on the Internet certainly need to share their security expertise, and this site should become a good forum for that. But please, lose the pink and green logo--it looks like a watermelon with a padlock.
-Jay Heiser


SiteRecorder v1.0
Lockstep Systems
http://www.lockstep.com/
Price: $795

Online enterprises often discount the value of Web-site backup applications, thinking they're merely for cleaning up after Web defacements. Lockstep Systems, maker of WebAgain, suggests that comparing current postings to archived copies is useful in recovering from accidents and natural disasters, as well as auditing the validity of posted information and correcting human error. The company's new product, SiteRecorder, was designed with these functions in mind.

This Web-site backup application and change notification utility works for on- and off-site servers.

Currently in version 1.0, Lockstep Systems' SiteRecorder backs up a Web site on predefined schedules and sends automatic notifications to sysadmins when content changes. "If a hacker hacks your site, you'd get a change notification, but the intent of this product really is for people who need auditing and a backup in their normal course of business," says Lockstep president Karl Forster.

SiteRecorder isn't the first of its kind. However, Lockstep says it varies from other backup applications because it doesn't require the server to be local. Traditionally, tape drives and servers are either physically or loosely attached on the same network, providing for easy in-house backups. If you outsource your Web hosting or site development, you're relying on your hosting company to perform backups--and you can only hope they do. SiteRecorder allows you to keep a complete backup at your location and creates a revision history of the site as it changes.

When SiteRecorder backs up a site, it scans content for any changes that have been made. Two different admin-defined scans are offered: One checks time/date stamp changes and file size changes; the other does a binary comparison of each file. Lockstep recommends performing a frequent "fast scan" that puts very little load on a Web server--it's hardly noticeable and is considered background noise. Because a thorough, binary-comparison scan is time consuming--it transfers every file on the site, eating up lots of bandwidth--this scan should be performed less frequently. To minimize the drain on resources, Lockstep incorporated in SiteRecorder a bandwidth throttle, allowing admins to specify the drain rate of bandwidth during a scan.

If a change is detected during a scan, a hyperlink list of the new content is e-mailed to a designated number of contacts. (E-mail is currently the only means of notification.) The notifications and the revision history data provide a digital audit trail of a company's Web site. The hyperlinks provide easy access to the page so it can quickly be changed on the production server. An archive within SiteRecorder brings up a user interface that lists the dates when file changes occurred. At any point in time, a site could be rolled back and re-published with the correct archived files.
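The two scan modes and the archive described above, as an added illustration that is not Lockstep's code: a site is modelled in memory as a map from path to (timestamp, size, content), the "fast scan" compares only timestamp and size, the "full scan" compares SHA-256 digests of the content, a throttle computes how long each file's transfer must take at a chosen byte rate, and a small revision history supports rollback to the newest copy taken on or before a given time. The sample site, the file names and the rates are constructed for the example; the case worth noticing is the file whose content changed while its size and timestamp stayed the same, which only the full scan reports.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed in-memory model of a crawled site: path -> FileRecord.
# Nothing below is SiteRecorder's own code; it only mirrors the behaviour
# the review describes (fast metadata scan vs. full binary comparison).


@dataclass(frozen=True)
class FileRecord:
    mtime: int       # Last-Modified as reported by the server (seconds since epoch)
    size: int        # Content-Length
    content: bytes   # body; a real tool would only fetch this during the full scan


def rec(mtime: int, content: bytes) -> FileRecord:
    """Build a record whose size is always consistent with its content."""
    return FileRecord(mtime, len(content), content)


Site = Dict[str, FileRecord]
Report = Dict[str, List[str]]


def _diff(baseline: Site, current: Site,
          same: Callable[[FileRecord, FileRecord], bool]) -> Report:
    """Generic added/modified/deleted report using the supplied equality test."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and not same(baseline[p], current[p])),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def fast_scan(baseline: Site, current: Site) -> Report:
    """Cheap scan: only timestamp and size (HEAD-style metadata) are compared."""
    return _diff(baseline, current,
                 lambda a, b: a.mtime == b.mtime and a.size == b.size)


def full_scan(baseline: Site, current: Site) -> Report:
    """Thorough scan: binary comparison of every file, here via SHA-256 digests."""
    digest = lambda r: hashlib.sha256(r.content).hexdigest()
    return _diff(baseline, current, lambda a, b: digest(a) == digest(b))


def transfer_seconds(site: Site, bytes_per_second: float) -> float:
    """Bandwidth throttle: total time the full scan must spread its downloads over
    so that it never exceeds the admin-chosen rate."""
    return sum(r.size / bytes_per_second for r in site.values())


def change_notification(report: Report, base_url: str) -> str:
    """Body of the e-mailed notice: one hyperlink per changed path, so the
    production copy can be reached quickly."""
    return "\n".join(f"{kind}: {base_url}{path}"
                     for kind in ("added", "modified", "deleted")
                     for path in report[kind])


class RevisionHistory:
    """Archive of scanned copies; rollback picks the newest copy at or before `when`."""

    def __init__(self) -> None:
        self._snapshots: List[tuple] = []   # (scan_time, site), appended in time order

    def record(self, scan_time: int, site: Site) -> None:
        self._snapshots.append((scan_time, dict(site)))

    def rollback(self, when: int) -> Site:
        candidates = [s for t, s in self._snapshots if t <= when]
        if not candidates:
            raise LookupError("no archived copy that old")
        return candidates[-1]


# Constructed sample: the archived copy and what the site looks like now.
BASELINE: Site = {
    "/index.html": rec(1000, b"<h1>Home</h1>"),
    "/about.html": rec(1000, b"<p>About</p>"),
    "/old.html":   rec(1000, b"old"),
}
CURRENT: Site = {
    "/index.html": rec(2000, b"<h1>Home v2</h1>"),   # ordinary edit: size and time both move
    "/about.html": rec(1000, b"<p>Abuot</p>"),       # same size, timestamp preserved: fast scan is blind
    "/new.html":   rec(2000, b"new"),
}

if __name__ == "__main__":
    print("fast:", fast_scan(BASELINE, CURRENT))
    print("full:", full_scan(BASELINE, CURRENT))
    print(change_notification(full_scan(BASELINE, CURRENT), "https://www.example.com"))
    print("full scan at 8 B/s takes", transfer_seconds(CURRENT, 8.0), "s")
```

The fast scan reports only `/index.html` as modified; the full scan also catches `/about.html`, whose content changed without disturbing size or timestamp. That gap is exactly why the review's advice to schedule the expensive binary comparison, throttled, in addition to frequent fast scans is sound.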

SiteRecorder follows in the footsteps of the company's flagship product WebAgain, an anti-defacement utility that concentrates on repairing a hacked site. WebAgain acts as a staging server, where content flows through the application. With SiteRecorder, no data flows through it, but it monitors the end result. Both products can be used in conjunction with each other, as part of a proactive/reactive relationship.

Gary Best, Webmaster at Boston, Mass.-based Capital Crossing Bank, was a beta tester of SiteRecorder and is a current user of both products. He uses WebAgain for protection against hackers and SiteRecorder for his bank's internal audit process for FDIC requirements. While SiteRecorder is a niche product--only one component of a large enterprise security plan--Best says it met his expectations. When asked about shortcomings of SiteRecorder, Best simply said, "It works. It does everything it's supposed to do."

SiteRecorder can back up on-site or third-party located Web sites running under Windows, Unix or Linux, without altering the configuration of the Web server. A free 30-day trial version is available for download from Lockstep's Web site. A single license costs $795 (a license is required for each additional Web site).
-Christine St. Pierre


Authentify Register
Authentify
http://www.authentify.com/
Price: $15,000 initiation fee; $.60-$3 per transaction, depending on volume

Anyone who's called the bank has been asked this question: What's your mother's maiden name? It's the second half of the loose two-factor authentication method that usually begins with a PIN or account number, followed by a (presumably) private piece of information.

The system seems foolproof since few people will know both your PIN and your mother's maiden name, but it has a few problems. First, it's expensive since it requires large call centers staffed with trained (and hopefully courteous) operators. Second, a maiden name and other such personal data is becoming less and less private in the information age.

Authentify believes it has a solution that addresses both problems--Authentify Register, a new automated identification verification system that provides online multi-factor, real-time authentication through a single phone call.

Register works as a native authentication application. Authentify will modify a customer's Web page to include a Register interface, making its authentication process transparent to both the user and company. Depending on a company's requirements, users will log into the corporate or e-tail Web site using either a password, token or digital certificate. Once the process reaches the Register stage, the company's Web server will send an authentication request to Authentify's centralized service.

This is where things get interesting. After verifying a few basic facts through the browser--such as the user's name and phone number--the Register system will give the user a unique, one-time ID number. Within minutes, Register will call the listed phone number with an automated voice recording instructing the user to key in the number displayed on the browser. If the number matches, the Register phone interface tells its client's Web-based system that the user is who he or she claims to be, and the user proceeds to the restricted information or application.

If, by chance, the Register system reaches the wrong phone number--as might happen when dialing through an auto-attendant--it will do one of two things: announce that it's calling for a particular extension, or, if it's reached the incorrect line, ask to be transferred to the correct extension. The ultimate fail-safe is its automatic lockout if a user enters three incorrect access codes.
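The callback flow just described, as an added server-side model that is not Authentify's code: the Web step issues a one-time code and queues a call to the phone number held on file for that user, the phone step checks the digits keyed in on the handset, three wrong codes lock the user out, a code that has been used once cannot be replayed, and every call and outcome is appended to an audit trail. The user names, phone numbers and the injectable random source (replaced by a constant in the test so the flow is deterministic) are constructed for the example; `RegisterService`, `MAX_ATTEMPTS` and the return strings are assumptions, not the product's API.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

MAX_ATTEMPTS = 3   # the review's lockout threshold: three incorrect access codes


@dataclass
class Pending:
    code: str        # one-time number shown in the browser
    phone: str       # number the service dials, taken from the subscriber's own records
    attempts: int = 0


class RegisterService:
    """Hypothetical model of the callback-verification step (not Authentify's code)."""

    def __init__(self, directory: Dict[str, str],
                 rng: Callable[[int], int] = secrets.randbelow) -> None:
        self._directory = directory                 # user id -> enrolled phone number
        self._pending: Dict[str, Pending] = {}      # calls in flight
        self._locked: Set[str] = set()              # users who exhausted their attempts
        self._rng = rng                             # injectable so tests can fix the code
        self.audit: List[Tuple[str, str, str]] = []  # (event, user, phone) audit trail

    def start(self, user_id: str) -> str:
        """Browser step: issue a fresh one-time code and queue the outbound call."""
        if user_id in self._locked:
            raise PermissionError(f"{user_id} is locked out")
        phone = self._directory[user_id]   # from records on file, never from the request itself
        code = f"{self._rng(1_000_000):06d}"
        self._pending[user_id] = Pending(code=code, phone=phone)
        self.audit.append(("call", user_id, phone))
        return code

    def keyed_in(self, user_id: str, digits: str) -> str:
        """Phone step: digits the user keyed on the handset.
        Returns 'verified', 'retry', 'locked' or 'no_session'."""
        if user_id in self._locked:
            return "locked"
        p = self._pending.get(user_id)
        if p is None:
            return "no_session"            # no call in flight, or the code was already consumed
        if hmac.compare_digest(p.code, digits):
            del self._pending[user_id]     # one-time: replaying the same digits fails
            self.audit.append(("verified", user_id, p.phone))
            return "verified"
        p.attempts += 1
        if p.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            self._locked.add(user_id)
            self.audit.append(("locked", user_id, p.phone))
            return "locked"
        return "retry"


if __name__ == "__main__":
    # Constructed directory; the phone numbers are placeholders.
    svc = RegisterService({"alice": "+1-555-0100"})
    shown = svc.start("alice")               # would be displayed in the browser
    print("dialing", svc.audit[-1][2], "and asking for", shown)
    print(svc.keyed_in("alice", shown))      # verified
    print(svc.keyed_in("alice", shown))      # no_session: the code was consumed
```

Two design points the code makes explicit: the number to dial is looked up in the subscriber's directory rather than taken from the session being authenticated, and the comparison uses `hmac.compare_digest` so response timing does not leak how many digits matched.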

Authentify CEO Peter Tapling says Register is a way of making technology reach out and touch users. Because it's automated, the system eliminates the need to staff a 24/7 call center. And, the system has B2B, B2C and internal IT management capabilities, providing a system for authenticating users to a network, verifying IDs for self-service password management, distributing tokens, activating digital certificates and verifying online transactions.

It sounds like Authentify has thought of everything, but the product has a few shortcomings. First, Authentify only manages the automated phone system, relying on its subscribing companies to provide the names and phone numbers for each transaction. The arrangement makes sense since database management would prove too difficult and inefficient for Authentify to handle. But the poor state of corporate network security opens the potential for the phone numbers being compromised or spoofed.

Verifying the identity of employees and business partners isn't much of a problem since Authentify's clients will already have user names and phone numbers on file. However, Register isn't as efficient when dealing with unknown parties. For B2C transactions, the system can be configured to allow users to enter their names and phone numbers for a call back, which makes it possible for malicious users to enter bogus contact information. Tapling admits this is a weakness, but says Register will still capture a phone number that can be traced back to the offending party. Because authentication is as much about auditing as it is about verification, Register logs the outgoing phone number and contact information, creating an audit trail. The deterrent, he says, is that criminals will still have to reveal a traceable phone number.

Currently, the only real way of getting around Register's verification process is to use a pre-paid disposable phone or calling card account, which are virtually untraceable. Authentify plans to improve Register to recognize the type of phone number--land line, cell phone, pre-paid account, etc.--and the geographic location of the call. This will add an extra layer to the authentication process, verifying that a user is calling from the correct location.

Authentify makes no claim that Register is a silver bullet. Tapling says Register is only a piece of a well-designed, layered security system. What Authentify does boast is a reliable, cost-efficient means of authentication that will deter most script-kiddiez and phone phreaks.
-Lawrence M. Walsh


Recent Releases

SSL-100
Galea Secured Networks
http://www.galeasec.com/
Price: Under $5,000
SSL acceleration sub-system on a PCI card handles up to 2,000 full 1,024-bit RSA keys per second or 600 Mbps of raw data.

AVX Virus Protection
Central Command
http://www.avx.com/
Price: Free
Free AVX virus-protection products for ICQ, MSN Messenger, NetMeeting, mIRC and Yahoo! Messenger.

AppGate 3.3
AppGate
http://www.appgate.com/
Price: Contact vendor
AppGate's access-control software is now available for HP-UX 11.0 platforms.

PitBull LX
Argus Systems Group
http://www.argus-systems.com/
Price: Contact vendor
Intrusion prevention system is now available for the Solaris 8 platform.

MultiSecure Wireless/Guard
Ubizen
http://www.ubizen.com/
Price: Contact vendor
Application-level security product allows user to securely access information from wireless devices.

InoculateIT 6.0 for Windows
Computer Associates
http://www.ca.com/
Price: Contact vendor
New updates to this AV solution include real-time detection with automatic cure, incremental signature updates, digitally signed binaries and an LDAP-enabled data repository.

Total Enterprise Security Service (TESS)
SecureInfo
http://www.secureinfo.com/
Price: Annual subscription
Web-based security intelligence service for protecting critical corporate data.

PrivateArk Network Vault
Cyber-Ark Software
http://www.cyber-ark.com/
Price: Starts at $15,000
This new e-mail add-on product incorporates security, tunneling and storage options into existing e-mail security applications.

Iris 2.0
eEye Digital Security
http://www.eeye.com/
Price: Contact vendor
Data and network traffic analyzer collects, stores, organizes and reports on all network traffic.

Hark!
Camelot
http://www.camelot.com/
Price: Contact vendor
This automated access-control product includes an engine that analyzes network events to refine user-defined security policies.

RSA Security's Official Guide to Cryptography
RSA Press
http://www.rsapress.com/
Price: $59.99
Guide to understanding and using cryptography includes descriptions of techniques, overview of standards and case studies.

Sentinel 7.1.1
Digital Rights Management, a div. of Rainbow Technologies
http://www.rainbow.com/
Price: Contact vendor
Newest version of this software distribution and management product now supports Windows 2000 and Unix platforms.

Entrust/DeviceConnector
Entrust Technologies
http://www.entrust.com/
Price: Contact vendor
New XML-based solution allows smart card manufacturers to automate the issuance of digital certificates.

ISA Managed Security Service
Guardent
http://www.guardent.com/
Price: Starts at $2,000/month
New service provides a 24/7 managed environment for firewall and intrusion-detection requirements for Microsoft's ISA Server.

STAT Scanner 4.0 Professional Edition
Harris Corporation
http://www.statonline.com/
Price: Contact vendor
Newest version lets users run the Windows NT/2000 network defense system from a command line interface prompt.

Cyberflex Palmera
Schlumberger
http://www.slb.com/
Price: Contact vendor
Multi-application, Java-based smart card conforms to Java Card 2.1.1 and Visa Open Platform 2.0.1 standards for secure financial applications.

Password Bouncer
MDD
http://www.mddinc.com/
Price: $995
Prevents Windows NT/2000 users from selecting vulnerable passwords by screening passwords against a list of more than 300,000 commonly compromised words.

N2H2 for Proxy 2.0
N2H2
http://www.n2h2.com/
Price: Free 30-day trial download
A Web-content filter for a Windows NT environment.

iSentry
Omnicomp Systems
http://www.firewall-servers.com/
Price: $3,195
Content-filtering appliance captures full URL names and IP addresses in the system database for more accurate blocking.

PhoneSweep 3.0
Sandstorm
www.sandstorm.net/phonesweep
Price: Starts at $1,000
Telephone scanner audits phone systems for undocumented or misconfigured modems that could be exploited by hackers.

CopyTele DSS-1000
CopyTele
http://www.copytele.com/
Price: $1,095
Telecommunication encryption product includes a virus control, secure voice communication and secure point-to-point data transfers.

Next Generation Internet Trust Services
VeriSign
http://www.verisign.com/
Price: Contact vendor
New services include managed-user provisioning, second-generation PKI and end-to-end trade settlement services.

SSP CipherAccelerator 440
Litronic
http://www.litronic.com/
Price: Contact vendor
This PCI card-based solution offloads public-key operations from on-board processors, eliminating drain on server resources.

Hacking Linux Exposed: Linux Security Secrets & Solutions
McGraw-Hill/Osborne Media
http://www.osborne.com/
Price: Contact vendor
Provides step-by-step defense techniques against Linux attacks.

Caveo Anti-Theft
Caveo
http://www.caveo.com/
Price: Contact vendor
Protects laptops from theft with tilt-motion sensors built into the motherboard.


Send product announcements to Christine St. Pierre at cpierre@infosecuritymag.com.