Blog Posts From Tagged With security

REGISTER NOW FOR TODAY'S EVENT! Deploying Windows* 8 and Touch in the Enterprise

webadmin@intel.com — Wed, 10 Apr 2013 15:20:32 GMT

Intel IT is fully engaged in the process of integrating Windows* 8 into the corporate environment now that the new OS is running on thousands of business Ultrabooks, other mobile devices, and desktop PCs at Intel. Checkout today's live webinar where Intel experts Tiffany Pany and David Scheer will share their team’s insights and experiences on integrating Windows* 8. Register now!

Protecting your Digital Identify Using IPT-PKI

webadmin@intel.com — Tue, 27 Nov 2012 14:24:37 GMT

Currently, the most common way people verify their digital identity is by using a password. Exceptions often times are found with online banking, where most use a second factor for authentication (e.g. OTP token or even a confirmation code sent to mobile phone), that is costly or inconvenient for user experience, but due to the weakness of password versus value at risk, this kind of approach is accepted and the costs justify the investment. However it is not reality for the vast majority of digital services. Passwords are used to sign in to your PC, webmail, social network, and lots of other places. There is a research conducted by Microsoft Research conducted with half million PC users showing that the average person typically has about 25 online accounts.Are you an average user? In fact, the data also shows that the number of unique passwords across those 25 accounts is only about 6, so around 4 passwords are reused across accounts. This is in addition to the tendency of websites to increase password complexities such as mixing lower case with upper case, special characters and numbers. Password reuse probably will increase among websites and cases like those described by Mat Honan (Wired writer) will become even more frequent.

Dealing with username and password leads to a set of interesting challenges. We all want the web to be easy and safe. However, having to remember a dozen of complex passwords generally isn’t easy, and is even harder for websites accessed less frequently. However, using the same easy-to-remember password across multiple sites isn’t safe. The ideal solution here involves somehow finding a way to make it both easy and safe to use all of your different digital identities.

As I already explained in this post in InformationWeek, on how to effectively managing identity in the cloud, I introduced Intel Identity Protection Technology and described about strategies adopted by online banking to increase security and how One Time Password (aka. OTP) as second factor authentication can be used to increase security. However, all these approaches, even those more sophisticated, are based on symmetric key and thereby not resistant against an active man-in-the-middle attack (e.g. phishing).

One alternative is public/private key pairs, i.e. based on Public Key Infrastructure (aka. PKI) – these are the most commonly used methods for protecting network traffic on the Internet today. PKI is based on an asymmetric key – the private key and the public key are different, so the public key should become public in a way proving that it belongs to user and not someone else. Also, the private key must be stored securely where only the user has access. With this method, the website sends a sign-in request to be signed by user’s private key and sent back to website that uses the user’s public key to confirm the user has a private key. So long as the private key is not compromised, this system is resistant against phishing and keylogging attacks. However this method is not widely used on the Internet today due to the high costs associated with having dedicated hardware to protect the private key such as Smart Cards and other associated logistics.

Intel IPT-PKI architecture

Intel Identity Protection Technology (aka. Intel IPT) with PKI uses the Intel Management Engine (aka. Intel ME) and 3rd generation Intel Core vPro processor based systems to provide a hardware-based security solution similar to that of other hardware security modules like Smart Cards. Unlike most hardware security modules, Intel IPT-PKI is designed to be managed as software but hardware resistant against tampering.

The hardware based security is achieved by using the Intel ME to perform all cryptographic operations. This way, the keys are never exposed to software running on the computer’s central processing unit (CPU). Furthermore, all certificates are tied to the platform on which they are created.

As you can see in this diagram, so long as the ME is part of chipset and tied with PC, the user’s PC becomes part of authentication process. Intel IPT-PKI as showed exposes his capabilities as a Cryptographic Service Provides (CSP) via Microsoft CryptoAPI software layer. IPT-PKI can be used to:

Generate a persistent RSA key pair in hardware;
Generate PKI certificates, that can be used to identify user possession and password knowledge;
Perform operation with RSA private key;
And protect key usage with PIN

Intel IPT-PKI can be used to enhance user identity on several applications such as SSL web site authentication, S/MIME with Microsoft Exchange Server/Outlook client or VPN authentication.

In order to avoid operating system attacks keylogging user’s PIN and replaying automatically this PIN in a MiTB attack, a second IPT building block, Intel IPT Protected Transaction Display (aka. IPT PDT) can be used to create a secure channel between user’s interfaces. (I.e. keyboard, mouse and video, in order that operation system is not able to hook, as I explained in this Brazilian bank case in a previous post.)

If you are looking on how to start using IPT-PKI and IPT-PDT, there is an excellent Use Case Reference Design that explains majority of scenarios and how to configure. The only requirement from client side is a Intel vPro machine with 3^rd Core generation and Windows operating system homologated for this particular machine.

Best Regards!

Taking Control of Security: Key Log and Pin Pad Screen Scraping

webadmin@intel.com — Fri, 05 Oct 2012 21:24:45 GMT

Manage vulnerability with Intel® vPro™ technology built-in security features and McAfee software for multilayered protection against stealth attacks. Take a look at the video below to learn more about the combination protection offered by Intel hardware and McAfee software.

Taking Control of Security: Key Log and Pin Pad Screen Scraping

SecureDisable* based on Intel® Anti-Theft Technology addresses the data encryption vulnerability in S3 state

nikhil.jain@intel.com — Thu, 04 Oct 2012 14:10:21 GMT

The advantages of using encryption to protect data are well known. Typically all full disk encryption solutions require users to authenticate in a pre-boot environment (PBA – Pre-Boot Authentication). After the successful authentication, the encryption keys are unlocked and disk is unencrypted. The machine then goes on to boot the OS and require users to authenticate in Windows* by providing login/password credentials.

In our fast paced lives, we all hate the inconvenience of first entering the encryption credentials in PBA then Windows credentials at Windows login screen. Few may realize that while it’s inconvenient to enter credentials in PBA, it’s an important step in ensuring security of the data on a laptop. When a laptop is starting up (from shutdown state) or resuming from hibernation state (hibernation state – memory contents are dumped to a hibernation file on the disk), user is asked to authenticate in PBA. If the laptop is resuming from the sleep state (also known as S3 state), the user doesn’t have to go through the authentication step in PBA. In S3 state, the memory of the laptop is still active. OS, Applications, data including the encryption keys are loaded in the memory. That’s where the vulnerability creeps in.

In a typical usage scenario, a user just close the lid of the laptop after work, let the laptop go to sleep state, open the lid and resume quickly when need to work again. It sounds convenient but is data secure while the laptop is in sleep state? As I mentioned above, the memory is still active in the sleep state and encryption keys are in the memory. If a laptop is stolen while in sleep state, the data on the laptop is susceptible to breach.

Intel® Anti-Theft Technology (Intel® AT) addresses this vulnerability and allows IT administrator to strike a balance between convenience and security. Intel AT includes a hardware based S3 timer which kicks-in as a laptop enters the S3 state and transition the laptop to hibernation state after the expiry. The timer value is defined by an IT administrator. It allows users to keep their laptop in sleep state for quick resume say, when moving between meetings, but it secures the data when the laptop has been in sleep state for longer duration. Since the timer is implemented in hardware and value defined by IT administrator, users won’t be able to sacrifice security over convenience.

SecureDisable* is an Intel AT solution offered by Softex Inc. The SecureDisable solution offers the asset and data protection features of Intel AT and it also provides other capabilities such as seamless plug-ins to existing enterprise IT consoles (Microsoft SCCM* and BMC Remedy*) for easier deployment and management, flexible service delivery model allowing enterprises to host the solution themselves, service providers (ITOs/MSPs) to host it either as standalone service or part of security service portfolio, or the service to be hosted in cloud.

SecureDisable release 2.5 is now available and contains the following new features -

Support for 3^rdGeneration Intel® Core™ and Intel Core™ vPro™ Processors
Close the data encryption vulnerability in S3 state. If Windows* login is not completed before S3 timer expires, the laptop will gracefully enter S4 (hibernate) state. When resuming from S4, the users will be asked to provide encryption passphrase credential in PBA.
Enhanced multi-tenancy support for ITO hosted anti-theft service. A new user class for help-desk has been created that can be attached and thus gain administrative rights to multiple hosted organizations.
License management features - ability to allocate licenses on a per-organization level, and license tracking.
Various UI and usability changes in the administrative web pages.

Visit – Laptop Security with Intel® Anti-Theft Technology for more information on Intel AT or visit http://www.softexinc.com/ for more information on SecureDisable

McAfee® ePolicy Orchestrator™ Deep Command™ - How it Works Video

webadmin@intel.com — Fri, 28 Sep 2012 14:10:21 GMT

McAfee® ePolicy Orchestrator™ Deep Command™ employs Intel® vPro® Active Management Technology for automated, beyond the operating system management. ePO Deep Command helps organizations using Intel® vPro® to get more value out of the features of Intel® vPro® by allowing access to PCs whehter powered off or disabled.

This animation will show how this offers benefits IT to help reduce operational costs, enhancing security and compliance and enabling “green’” practices for idle PCs.

Click here to view the animation: http://www.intel.com/content/www/us/en/enterprise-security/core-vpro-mcafee-epo-deep-command-video.html

Check out this blog on McAfee's site about the new features in the latest version of ePO Deep Command: Get The Most Out Of Your Intel vPro-based PCs With McAfee ePO Deep Command

McAfee Whitepapers Illustrate Need for Deeper Security

webadmin@intel.com — Wed, 22 Aug 2012 17:03:46 GMT

McAfee and Intel are working to transform the security industry by combining the power of hardware and software to create more sophisticated ways to help prevent attacks and better protect every segment across the compute continuum. The combination of McAfee and Intel brings fresh innovation to secure the future of computing and the Internet.

Today's threat landscape requires a deeper level of security to protect and stop the advanced threats that are being created on a daily basis. From industrial based attacks to hackavism to embedded based threats, you must be vigilant in deploying a security strategy that is broad and comprehensive. Check out these updated whitepapers describing the need for a deeper level of security to protect against these advanced threats.

The New Reality of Stealth Crimeware Whitepaper
- http://www.intel.com/content/www/us/en/enterprise-security/new-reality-of-stealth-crimeware-paper.html
2012 Threats Predictions
- http://www.intel.com/content/www/us/en/enterprise-security/mcafee-2012-stealth-threats-predictions-paper.html
McAfee ePO Deep Command Technology Blueprint - No Sleep for Security
- http://www.intel.com/content/www/us/en/enterprise-security/vpro-mcafee-epo-deep-command-no-sleep-for-security-brief.html
Technical White Paper: McAfee Deep Defender
- http://www.intel.com/content/www/us/en/enterprise-security/mcafee-deep-defender-deepsafe-rootkit-protection-paper.html

McAfee ePO Deep Command Demo Video

webadmin@intel.com — Thu, 16 Aug 2012 14:00:58 GMT

You might have heard of McAfee ePO Deep Command and how it enables McAfee customers using Intel vPro based PCs to manage security remotely at the hardware level. Utilizing Intel vPro Active Management (AMT) to take control or access vPro based PCs will enable customers to more efficiently and cost effectively manage security on PCs in their environment.

This in-depth video examineshow McAfee ePO Deep Command uses the Intel vPro technology to provide security management beyond the OS. This video will drill into the popular use cases of McAfee ePO Deep Command, such as deploying security ahead of an attack, remote remediation and wake and patch.

http://www.intel.com/content/www/us/en/enterprise-security/mcafee-epo-deep-command-use-case-video.html

Take user-authentication to the next level.

webadmin@intel.com — Tue, 10 Jul 2012 14:03:46 GMT

Today's hackers have moved well beyond the viruses and Trojan horses that attack at the operating system level. Recent rootkit attacks and other new techniques have suddenly made tokens and smart cards insufficient at blocking unauthorized access to the client's IT system. This has become a critical issue as remote users and cloud computing are becoming commonplace. So how can you combat these cutting-edge hackers?

Amy Doescher, Enterprise Security Product Marketing Engineer at Intel, and Marty Jost, senior manager of product marketing at Symantec, will explain how you can take authentication to the next level. Register for our webinar to learn how embedded, hardware-based authentication solutions can help you:

Fend off attacks that circumvent traditional software-only-based security measures.
Step up authentication with embedded hardware-based storage of authentication tokens and certificates.
Prevent screen scraping and other malware attacks by verifying a human presence at the PC.
Reduce costs associated with lost smart cards or tokens, and minimize IT staff time associated with traditional token and smart card provisioning.

Intel IT Center Talk to an Expert webinar series
IT Security and Cost Control without Compromise: A Fresh Look at Authentication
Thursday, July 19, 2012
9 a.m. Pacific Daylight Time

Register now >

Take user-authentication to the next level!

webadmin@intel.com — Mon, 02 Jul 2012 14:03:46 GMT

Fend off attacks that circumvent traditional software-only-based security measures.
Step up authentication with embedded hardware-based storage of authentication tokens and certificates.
Prevent screen scraping and other malware attacks by verifying a human presence at the PC.
Reduce costs associated with lost smart cards or tokens, and minimize IT staff time associated with traditional token and smart card provisioning.

Marty and Amy will also discuss how our new solutions can assist you in disaster recovery scenarios.

They'll even be answering questions live, so be sure to bring a question or two to ask. It's a great chance to get answers directly from industry experts on IT security. L

Intel IT Center Talk to an Expert webinar series
IT Security and Cost Control without Compromise: A Fresh Look at Authentication
Thursday, July 19, 2012
9 a.m. Pacific Daylight Time

Register now >

Remotely unlock McAfee encrypted drives using Intel AMT

webadmin@intel.com — Fri, 15 Jun 2012 15:00:44 GMT

Are you using McAfee Endpoint Encryption for PC (EEPC) today?

Then you are very familiar with the following screen (For those who are not - this is the default McAfee EEPC preboot authentication screen that occurs at system start-up before the host operating system loads)

Later this year, McAfee EEPC v7 will be released. In connection with McAfee ePO Deep Command and Intel AMT, you will have the ability of remote unlock, reset passwords, and set location based unlock policies.

To put that in context - you can power\patch systems with a real-time secure unlock of the pre-boot environment without using the EEPC bypass feature of old. (For those who are wondering - the bypass feature refers to a policy\setting that MUST be applied when the system is on\operational and policies synchronized. What if the system is already off and you need to perform a power\patch immediately? This is where the remote unlock feature is very much needed... and will soon be available )

If you are not already familiar with McAfee ePO Deep Command, please see http://www.mcafee.com/deepcommand. This product includes a gateway\proxy service to connect to Intel AMT over the internet. Overlay the upcoming McAfee EEPC v7 and yes - you also will have the ability to unlock or password reset encrypted drives both inside and outside your enterprise )

Like to see and read more? Check out https://community.mcafee.com/docs/DOC-3921. Be sure to view the two demonstration videos at that link.

One last item - what if you are using a different Intel AMT capable solution for daily Life-Cycle Management of the systems? If the Intel AMT configuration is compatible with McAfee ePO Deep Command, you have the ability to power-on via that non-McAfee solution and still have the secure remote unlock capabilities of McAfee.

Ask two Intel experts about the built-in security features and key capabilities of 3rd generation Intel® Core™ vPro™ processors!

webadmin@intel.com — Wed, 13 Jun 2012 15:05:59 GMT

Learn about embedded security features that come with new 3rd generation Intel Core vPro processors for client PCs. Join Intel processor architect Yasser Rasheed and John Mahvi, client product line manager for Intel IT, as they reveal how these distinctive built-in features were designed to address the key concerns of IT security management. From threat management and identity and access, to data protection and monitoring and remediation, learn about embedded security technologies to help you:

Protect against unauthorized remote access.
Improve two-factor authentication to protect sensitive data.
Stop malware and rootkit attacks below the operating system level.
Ensure strong client encryption.
Automatically protect missing mobile assets.

Yasser and John will also share some new innovative form factors with consumer-friendly capabilities and business-grade security and manageability. Bring your questions about the new features of the 3rd generation Intel Core vPro processor for Yasser and John to answer live during the moderated question-and-answer portion of the webinar.

Intel IT Center Talk to an Expert webinar series
Client Security: New Intel Processors Come with Embedded Security
Thursday, June 21, 2012
9 a.m. Pacific Daylight Time

Register now >

e92plus Adds Value with Intel® Anti-Theft Technology

webadmin@intel.com — Fri, 24 Feb 2012 17:45:05 GMT

Download Now

“There has been an increasing need to strengthen security for laptop users,” said Neil Langridge, marketing manager for UK-based value-added distributor e92plus, which specializes in security technologies. “Every year, about 200,000 laptops go missing at European airports alone. Add to this the fact that 71 percent of lost or stolen laptops result in some sort of data breach and it’s clear that laptop security needed to be strengthened.”

For e92plus, the solution was 2nd generation Intel® Core® i5 and i7 vPro™ processors with Intel® Anti-Theft Technology (Intel® AT).

“Thanks to Intel AT, laptops protected by this hardware-based technology are no longer worth stealing,” explained Langridge. “As soon as a laptop has gone missing or is stolen, it can be shut down remotely. The operating system won’t start up and all the data is protected. It even supersedes the need for encryption because a thief just can’t get into the computer.”

For all the details, download our new e92plus business success story. As always, you can find many more like this on the Intel.com Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes. And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.

Orange and Green Builds New Revenue Streams Based on 2nd Generation Intel® Core™ i5 vPro™ Processor

webadmin@intel.com — Thu, 05 Jan 2012 21:22:31 GMT

Download Now

Declining margins on hardware sales were undermining Orange & Green, a Czech reseller. Customers were increasingly asking for IT services like PC management. Orange & Green activated Intel® vPro™ technology, a component of 2nd generation Intel® Core™ i5 vPro™ processors, for remote IT management. It also used this technology to launch a new line of business focused on IT services, strengthening the service by using Intel® Anti-Theft Technology (Intel® AT), which protects data if a computer is lost or stolen. Ultimately, Orange & Green was able to offset losses from hardware margin decreases and deliver a new line of business—and is looking forward to a profitable future.

“We have certainly grown the business and more than offset falling revenues experienced by declining margins on hardware sales,” notes Pavel Kraus, CEO of Orange & Green. “In fact, we are anticipating 20 percent growth and return on investment within 12 months.”

For all the details, download our new Orange & Green business success story. As always, you can find many more like this on the Intel.com Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes. And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.

Why consider TLS within Intel AMT configuration?

webadmin@intel.com — Fri, 09 Sep 2011 14:30:37 GMT

If you are concerned about securing communications on your internal network, here are a few items you should know. Be sure to share these insights with those you might not be concerned. This blog provides a few more insights beyond to the statement "Risks of not using TLS" found in the vPRO Security FAQ .

Two key security risks should be considered in regards to Intel AMT network traffic:

Risk of data exposure to an eavesdropper
Risk of machine being hijacked by an eavesdropper

Key points to consider for these risks:

Intel AMT authentication method used (i.e. Digest or Kerberos)
Encryption of Intel AMT network traffic (i.e. no-TLS or TLS)

Focusing in on the risk of data exposure, if no encryption is used communications to Intel AMT are in the clear on the network. An eavesdropper can see data sent back and forth. The majority of the data will be Intel AMT messages over HTTP or WS-Management traffic. In addition to Intel AMT traffic, the eavesdropper will see other communications between the client and the infrastructure. (Side note: This assumes the eavesdropper has placed a network sniffer between the client and infrastructure connection AND that they know when to capture packets specific to Intel AMT. If the eavesdropper is capturing packets between the server and network infrastructure, they will likely be looking for more than Intel AMT related traffic)

To address the data exposure risk, use TLS with the Intel AMT configuration. The method of authentication (i.e. Digest or Kerberos) will not address the data exposure risk.

Focusing on the risk of hijacking requires a little more understanding of Intel AMT authentication. If Kerberos authentication is used, no username or password are sent on the network. Instead, Intel AMT authentication is handled via a Microsoft Kerberos sequence with the Intel AMT device acting as a network service. If Digest authentication is used, the majority of Intel AMT use cases require an MD5 digest authentication. In this scenario, the username for authentication is sent in the clear but the password is a hashed nonce (i.e. hashed value calculated based on that specific session using among other items the password value known by server and client). The exception is redirection scenarios (i.e. IDE-Redirect and Serial-over-LAN). In these scenarios, if digest authentication is to be used the username and password are sent in the clear.

To help reinforce the above points, there are 3 images below of various network traces.

The first image shows a network capture of an MD5 Digest authentication to Intel AMT for a power-on event. Note that the username is seen, but the password is a nonce value. (which cannot be repeated\replayed)

The second image shows network capture with digest authentication during an IDE-Redirect session. Note that the username and password are in clear text.

The third image shows network capture with digest authentication and TLS enabled. What you see is the TLS session being established followed by garbled data due to the encryption.

The following chart may be a useful summary:

Authentication \ Encryption	TLS	No TLS
Kerberos	Data cannot be read. Machine cannot be hijacked	Data can be read. Machine cannot be hijacked
Digest (Username/password)	Data cannot be read. Machine cannot be hijacked	Data can be read. Username can be captured. If using redirection, password can also be captured.

Authentication \ Encryption

TLS

No TLS

Kerberos

Data cannot be read. Machine cannot be hijacked

Data can be read. Machine cannot be hijacked

Digest (Username/password)

Data cannot be read. Machine cannot be hijacked

Data can be read. Username can be captured.

If using redirection, password can also be captured.

A few additional points to consider:

If you are not planning to use Intel AMT redirection and want best performance, a Digest with no-TLS situation may be preferred.
From a performance standpoint, a simple digest authentication with no-TLS (i.e. no encryption) will be the best situation.
The longest latency will occur with TLS added to the Intel AMT configuration.
Both Kerberos and TLS will require the FQDN of the Intel AMT device to be synchronized with the operating system hostname and correctly resolved within the infrastructure.
Adding TLS configuration to Intel AMT will require an internal Certificate Authority with the root certificate applied to all systems accessing the Intel AMT device
If you want to ensure that only certain management systems are able to communication with Intel AMT systems, a mutual TLS configuration is recommended (note: this is very rare and may not be supported by all Intel AMT capable applications)

Intel® Core™ vPro™ Processor Gives CHEC Efficient Desktop Terminal Collaborative Management

webadmin@intel.com — Fri, 17 Jun 2011 15:31:03 GMT

Download Now

There are over a thousand computer terminals at China Huadian Engineering Co., Ltd. (CHEC) headquarters and its 12 branch companies. But the IT operation and maintenance for the entire CHEC Group is monitored by a team of just 15 people. With such a low IT-staff-to-assets ratio, CHEC faced numerous challenges and a lot of pressure to keep its IT operations running smoothly. Challenges included reliable management of IT assets, efficient IT maintenance, network security, and various other issues related to keeping the company’s IT resources operating efficiently with few manpower resources.

To meet the challenges, CHEC deployed an Intel® Core™ vPro™ processor-based desktop terminal integrated management solution that included a Lenovo* manageable PC and GeneralSoft* network abnormality investigation system. The result? Greater efficiency and accuracy in collecting statistics on IT assets, improved IT maintenance efficiency, and enhanced defense against network anomalies.

To learn more, read our new CHEC business success story. As always, you can find this one, and many more, in the Intel.com Reference Room and IT Center.