Category Archives: Site Info

Are You in Central Ohio Wednesday January 21st, 2009 ?

A colleague and I are co-presenting at the Central Ohio ISSA chapter on Wednesday morning…

Information Security Awareness Raising – A Example to Critique and Discussion

The aim of this presentation is to provide ISSA attendees with fresh ideas, for increasing the awareness of Information Security issues with their internal customers and partners. The presentation will have two parts. In the first part Justin and Erik will present a Information Security Awareness Presentation which is targeted at an audience of business and IT partners. 

During the second part of the presentation, preliminary information regarding the vital role of Information Security Awareness Raising will be discussed. After this initial introduction, everyone will be asked to participate in a dialog discussing if the materials were or were not effective Awareness Raising materials and to share their experiences and insights.

If you read this post, and then attended the presentation – please let me know. (This will be my tip off that highly un-likely events are occurring in my world, and that I should purchase a lottery ticket… ;-) )

Cheers, Erik

The Internet Never Forgets — your mistakes !

My apologies for this “phantom” posting… “Pro Dev: Who are We? What is Our Role?”

While editing that posting, I published it way prematurely. (Can you say miss-click?)  Now, I corrected this within minutes, but due the magic of Google and Feedburner that fragment was whisked onto the net (and perhaps will live forever… :-( )

Now, you would think that you could just delete the post, and all would be well – Wrong !

So, that fragment (which was on-line for less than 3 min), was cached into the google reader and other blog aggregators, and has (embarrassingly) set a record for views in the first 24 hours. 

The good news is that it looks the like Professional Development series I have planned for AoIS is going to be a hit ! The bad news is I need to find a WordPress plugin that asks for a “are you sure” idiot confirmation on the publish button…

BTW, It appears that 2009 will be the year of the series on AoIS. Currently in the pipeline are:

  • The Secure Your Linux Host Series
  • Professional Development Series
  • Cryptographic Controls Series 
  • Interviews with Infomation Security, Risk Management, and Privacy Luminaries !

I hope to have at least one installment for all of these series posted by the end of January.

Again, my appologies for the draft fragment – the actual posting (Part 1 in the Professional Development series) is being proofed and should be up in a few days.

Cheers, Erik

Got Entropy ?

So I have been planning a series of podcasts on Cryptographic Controls. In the process of this planning, I fell into one of the classic traps that crypto-geeks fall into: obsessing about random number generators (RNGs).

(FYI, for the impatient, click here.)

There are two ways to generate random numbers on computers: (1) use a software program called a Pseudorandom Number Generator (PRNG) or (2) use a hardware random number generator. A Pseudorandom Number Generator uses a seed value to generate a sequence of numbers that appear random. The problem is that the same seed generates the same random sequence. The hardware based RNG observes and samples some physical phenomenon which is random, such as cosmic rays, RF noise, etc. (aka Entropy).

RNGs are important in Information Security because they are used to generate encryption keys, salts, etc. Historically, attacking RNGs has proven effective, such as the defeat of Netscape’s HTTPS sessions.

Most operating systems utilize a hybrid approach, implementing a PseudoRandom Number Generator that has a seed that is regularly updated through the collection of random hardware events. This process is called Entropy Collection or Entropy Harvesting. For most applications, this approach should be completely sufficient. However, one of the key assumptions is that the operating system has been up and running long enough for the seed value itself to become hard to predict through the collection of Entropy. Also, many of the Entropy collecting events come from properties of hardware devices, such as the minor variations in hard drive rate of rotation. As such, there are a few circumstances where the OS RNG may not be good enough for strong cryptographic key generation:

  • Live Boot CD ( The start state of the RNG may be predictable. )
  • Virtualized Hosts ( OS may be dependent on simulated events for randomness. )

( Given the exploding popularity of virtualization, this is an area worthy of research. Stay tuned. )

Design of the Got Entropy Service

Many RNGs (such as the one included in Linux, as well as OpenSSL’s) allow the addition of entropy from outside sources. So I started looking to Entropy sources I could use to bolster the RNGs on my virtual hosts (and other uses…). While I was looking into this, it occurred to me that I had an unused TV tuner card, a PVR-350.

When a TV is tuned to a channel with no local station, the ‘snow’ on the screen is RF noise (the same as the static between stations on AM radios). But, for reasons beyond our scope, you never use a direct physical observation as the RNG. You have to ‘de-skew and whiten’ the data prior to sampling it. Here is the process that I use:

  1. Collect about 3 minutes of video ( about 130 MB data ).
  2. Using a random key and IV, encrypt the data ( using openssl & AES-128-CBC ).
  3. Discard the first 32k of the file.
  4. Use each of the following 32k blocks as samples.
  5. Compress each sample with SHA-256.
  6. Discard the last block.
  • Steps 2 and 3 remove any patterns, such as MPEG file formatting, from the data.
  • Steps 4 and 5 generate a 32-byte random value ( 1024 to 1 compression in the hash ).

Check it out at http://gotentropy.artofinfosec.com

Can an Attacker Broadcast a Signal to Undermine This?

Such an attacker could not remove RF noise from the received signal. Our eyes and brains are good at filtering out the noise in the TV video, but there is a lot of it. Part of the noise comes from the atmospheric background RF, but there are also flaws (noise) in the tuner’s radio and analog-to-digital capture circuitry.

I think this is a pretty strong RNG, and I have provided an interface for pulling just the values.

Also, I have written a script ( getEntropy.sh ) that will pull Entropy from the service and seed it into /dev/random on Linux.

Results from ENT

Here are results, from a sample run of the Got Entropy, analyzed by ENT ( A Pseudorandom Number Sequence Test Program provided by John Walker of http://www.fourmilab.ch – Thanks, John! ).

  • Entropy = 7.999987 bits per byte
  • Optimum compression would reduce the size of this 13366112 byte file by 0 percent.
  • Chi square distribution for 13366112 samples is 233.85, and randomly would exceed this value 82.48 percent of the time.
  • Arithmetic mean value of data bytes is 127.4767 (127.5 = random).
  • Monte Carlo value for Pi is 3.143054786 (error = 0.05 percent).
  • Serial correlation coefficient is -0.000078 (totally uncorrelated = 0.0).

Resources for the Curious…

Cheers, Erik

Cincinnati ISACA Feb 12th Meeting

I am going to be giving a lunch-time presentation on Enterprise Cryptography for my local ISACA chapter this Tuesday. My presentation is part of an Enterprise Cryptography workshop that Dan Houser and I have organized on short notice. (The previously planned workshop was canceled 10 days ago due to an unforeseen crisis…) My understanding is that walk-ins are welcome, but that advance registration is appreciated.

Here is the link to Cincinnati ISACA Feb. 12 meeting and workshop information page.

Thanks, Erik

Erik T. Heidt, CISA, CISSP

Episode 2 and Beyond – A Few Teasers…

It has been one month since the release of Episode 1, and it has been downloaded over 215 times and FeedBurner is reporting over 80 subscribers to the feed (RSS and Podcast combined). This is much more attention than I expected Episode 1 to generate. Thanks !

But don’t think I am going to ‘rest on my laurels’…

The last month has been incredibly busy, and I have a ton of content that I want to work on but I keep getting pulled in different directions. Episode 2 is going to be an audio only podcast which I hope to have released over the weekend…

I have a number of topics that I am mulling over for Episodes 3 and beyond, which include:

- Basics of Information Security and Risk Management series

- Quick intro to some of the open source host protection tools I have been working with

- Discussion of my favorite open source security tool… (openSSL)

- and I am dying to start discussing some real world cryptography topics…

(Just to name a few…)

What I would really like to do is find out what topics you are interested in, so that Art of Information Security can have relevant and compelling content. To address this need I have created a feedback section on the site, located in the main menu bar (or click here). Also, your comments, posted either on Art of Information Security or via email, are always welcome.

BTW: Last week I participated in a webinar entitled Getting More Encryption for Less with Paul Stamp (Forrester Research), Jim Porell (Chief Architect IBM System z), and Paul Turner (VP, Product and Customer Solutions, Venafi). (Click here to listen to a replay.) Also, I will recap the Q & A portion of the webinar in Episode 2.

Best regards, Erik

Are you attending RSA Europe 2007 ?

RSA Promo Image If you are attending RSA Europe 2007, please consider attending my presentation which is at 1:00 PM on Monday (which is the first day of the conference). The presentation is a part of the Professional Development track (PROF-103) and is titled:

Basics of the Quick Business Case:

How to Champion Your Next Information Security Initiative

The primary goal of the presentation is to help technologists, like myself, become better at influencing change and championing innovation in their organizations. That said, I also hope there is a lot of valuable information for executives, managers, and line of business stakeholders who can use these concepts to coach and prepare the individuals who are presenting innovative ideas to (or for) them. It is truly my hope that there is ‘something for everyone’ in this presentation.

Here are more details from the conference site…


Session Abstract:   This session will focus on creating and presenting Quick Business Cases: brief, six-part presentations documenting particular opportunity for innovation and seeking organisational buy-in and support. The entire enterprise benefits from better communication about innovation, and this presentation’s goal is to better enable every participant’s abilities to champion it.

Detailed Description Attendees will be presented with a set of ideas and tools focused around making them better Champions of innovation in their organizations. The presentation will begin by discussing why it is difficult to influence change and innovation, including a discussion of some of the specific problems Information Security and Risk Management professionals face. The presentation will then focus on how to construct a Quick Business Case, and how to use the Quick Business Case as a tool not just for communication but also to validate and refine the business case itself. The Quick Business Case itself is a six-part presentation that can be used as a tool to both overcome the “blank page” problem and quickly start documenting the innovation as well as structure the presentation to overcome common business communications challenges. In addition to the preparation of the document itself, we will also discuss strategies for using the Quick Business Case to develop a communications plan to validate your current ideas, learn more, and build consensus for the business case. The Quick Business Case is not intended to replace a full Business Case or Business Plan, but is a tool to document an opportunity and determine organizational interest. Of course for some initiatives or organizations, the Quick Business Case may prove sufficient for a final decision. A key goal of the presentation will be to make these techniques accessible to small teams, not requiring large budgets.

Cheers, Erik

Hello world!

Every technology adventure begins with a “Hello World” moment, whether it is getting that first computer program to run, or the first LED to blink, we always start small and build from there.

This posting is a placeholder. While it is meant to help me test out the site, look for more to come in the weeks leading up to RSA Europe 2007. In addition to presenting at the conference, I am also planning on posting some trip report information.

Until then…

Cheers, Erik