TrueCrypt Review

Introduction

TrueCrypt Partition Selection

It seems as though I have been on a quite an encryption kick lately. While not foolproof, encryption adds a substantial layer of security to any system. Encryption helps keep secrets secret. This is not new, encryption and cryptography have been around for hundreds of years. In ancient times, Spartan soldiers would write critical orders on a scytale which was a sheet of papyrus wrapped around a staff. The correct size staff would cause all of the letters to be lined up and read.

What is TrueCrypt?

While ingenious, modern computers are extremely good at guessing computations which try to crack algorithms used to encrypt the data. The average user most likely has a need to perform some form of encryption (i.e. payroll, secret recipe, etc), but little idea how to implement it. Public Key Infrastructure (PKI) is daunting. TrueCrypt is a simple tool which allows a user to encrypt and decrypt data on a hard drive, portable hard drive or USB thumb drive as required.
TrueCrypt is an open source project that is extremely simple to configure and use, which is all most people really want. TrueCrypt does not provide boot sector encryption for full disk encryption like DriveCrypt or the upcoming BitLocker in Vista but does allow a user to mount a virtual encrypted volume on a hard drive instead, still very cool.
You can download TrueCrypt from http://www.truecrypt.org/downloads.php.

Features

TrueCrypt Preferences

TrueCrypt allows mounting of virtual encrypted drives. The product can also be used to encrypt an entire partition or a storage device such as USB flash drive to provide a secure location to store files. The encryption is completely transparent.
TrueCrypt also supplies two levels of plausible deniability. I always get a chuckle when I read about this as my mind helplessly slips into cloak and dagger mode. What does this mean? Depending on the password you enter, you can have access to a hidden drive with no files located there or if you enter another password you would have full access to your secret data. That way if you are forced at gunpoint (or a stern look from your wife) to open up and reveal your secrets, you would only have to reveal the non secret drive.
When the TrueCrypt partitions are not mounted, they are invisible to the operating system. They cannot be identified and according to TrueCrypt, they cannot be distinguished from random data.
The product uses a number of selectable encryption algorithms including AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish. You can even use multiple configurations of different algorithms if you want to be super secure.

Usability

The product can create a virtual encrypted partition or a complete encrypted hard drive. The interface is simple and easy to use. One simply selects the device or file they want to mount and click mount. They will be prompted for a password and the utility will mount the drive as a normal looking drive letter. All files in the mounted drive are encrypted and decrypted on the fly effortlessly. Minimal overhead is introduced.
Please Note: The program does let you “auto” remember passwords when mounting an encrypted volume. It will also let you auto start the program on operating system start-up. You may want to avoid both of these scenarios. The security of encryption lies in the fact that you control when it is being turned on and off. If someone steals your computer, it is extremely easy to bypass a username and password prompt when the computer boots to gain access to the system. If your system auto boots with the password combination for TrueCrypt you have defeated the security you are trying to embrace. Remember to layer those security factors.
The preferences are simple to get used to even for a novice user and basically centre around the aforementioned auto start functions.

Conclusion

For a free utility, TrueCrypt is fantastic. In fact it rivals many pay for programs. The algorithms are sound and well tested in the field. The user interface is simple to use and easy enough for a novice but providing enough under the hood mechanics to keep the tinkerer of cryptography at hand as well. TrueCrypt is a welcome edition to any computer requiring simple and effective security and encryption. I give TrueCrypt 4 stars out of 5. If TrueCrypt gets full disk encryption I would lean to 5 out of 5 stars.

Publisher's Site

ID Vault Review - ID Vault from GuardID Review

Protects You from Phishing and Pharming

Like many people, I find myself purchasing a number of items online. Not only for the convenience (I love having boxes arrive at my house in the mail), but also because I now have access to stores and merchandise I wouldn’t ordinarily be able to track down (Thinkgeek comes to mind).

Background

I also do a fair amount (if not all) of my banking online. Being in the security field, I keep apprised of the security risks that exist with online banking and consider myself aware so as not to be caught in a phishing scam. However, being aware is not enough. Being vigilant is not enough. Anyone can be caught. So is online banking safe? It can be. Recently with the advent of such products as Passmark and Symantec Confidence, banks are starting to take the security of their clients seriously. But what can the average consumer use to help protect them online? One such product I have evaluated lately has been ID Vault by GuardID.
ID Vault provides multi factor authentication in the form of a USB security token with an embedded smart card chip. This USB key stores a user’s sign on credentials which helps to prevent having users type in their credentials at risk of having them stolen in the process.

Setup (4.5/5 Stars)

The setup process is simple. Load the software (which is as simple as clicking Next five times), insert the key and you are ready to go. You will notice a new icon on your menu. Right clicking the menu brings up a menu bar with all of the immediate choices to get you started.
View ID Vault menu from the Windows tray
Inserting the key into the USB slot prompts the setup and personalization of the product. The user creates a PIN which is paramount to the security of the device (This is the something you know with regards to multi factor authentication). The next step is the generation of the serial number. The serial number allows you to reset the PIN in case you forget it. DO NOT LOSE the serial number. Write it down and put it in your safe (or Password Safe). Lastly, name the token. The token is updated and ready for use. When all is said and done you will receive a popup that states all is ready. You will also see a couple of popups to let you know that ID Vault has updated to the latest database.

Ease of Use (4.5/5 Stars)

Using ID Vault is very simple. In fact, I must commend Guard ID for taking the pain of security out of the product. All is very simple for the average user who has no need to understand the complexity of smart cards or secure tokens. To get started, simply open Internet Explorer and navigate to your favourites. You will notice a new Secure Favourites added to the menu. This is where all of the frequent places you visit will be stored.
Clicking Create a Secure Financial Favourite starts the vault process and you are prompted to choose a financial institution. Unfortunately the software is only geared towards American financial institutions with no mechanism to add a financial institution. However, in fairness you can add a secure website of your favourite bank under the Secure Favourites menu; it just doesn’t appear under the financial institutions menu which may confuse some users. It’s a minor point though and easily worked around.

Select the bank, and enter your credentials using the onscreen keyboard to thwart keyboard loggers!
If the site connects you simply select Next from the menu and the information is stored to your key. The key is updated and you now have an entry under secure favourites. You can have ID Vault automatically pass the credentials if you like each time you visit the site.

Cost (4.5/5 Stars)

Well worth the $49. Period.

Conclusion

ID Vault monitors the financial sites continuously and constantly updates their database to ensure users won’t become caught with a pharming or phishing attack. The use of smart cards is suggested by many financial institutions and the ease of use for the end-user is a welcome site. I would recommend this product to anyone who banks or shops online. This is a great product for non security people to help protect them from phishing and pharming attacks. Simple yet effective.

Vendor's Site

IPCop Firewall Review

Great Open Source Firewall
IT Manager: “We spent a lot of money on our infrastructure. Are we secure”?
IT Support: “Sure…we have a firewall”.
The Support Specialist is perpetuating the myth that having a firewall is the be all and end all for security. But a firewall is an important part of any defence in depth strategy to protect your network. MS’s Ten Immutable Laws of Security, number one states that if the bad guy can change anything on your computer, it is not your computer any more. So, yes, we need firewalls.

Selecting Firewalls

What firewall is best for you is a subject of debate. Your needs, your staff and your budget will play a huge determining factor into what type of firewall you will purchase. Some people swear on hardware based firewalls, while others are strong proponents of software based firewalls. Personally, having installed many of both types, the decision comes down to what is best for your company. A smaller company obviously does not have the staff and budget to support a Cisco PIX firewall so in many cases it would be overkill. What is a small business owner to do? Many times a software based firewall will be a better choice. They are configurable, easily updated and much simpler to support. This review will look at an open source firewall called IPCop. We’ll examine it from various angles including ease of setup, configurability and reliability. It wouldn’t be fair to talk about cost – as it is freely downloadable from SourceForge and was the second runner up in the security category in the 2006 SourceForge.net Community Choice Awards.

IPCop the Linux Distribution

You do not need to know anything about Linux in order to install and manage IPCop. If you have a networking background, even from the Windows world you can get IPCop running in a very short timeframe. Many of my Microsoft skilled networking friends use IPCop for many reasons and most of them are not what you would call Linux users. IPCop is a lean and mean Linux distribution designed to be a firewall. Many small businesses may worry about installing and supporting Linux in their environment. IPCop has simplified the overall experience to the point you don’t even know you are running Linux. IPCop is packaged in a way that there is a single bootable CD (you download the CD image called in ISO) and it installs everything you need in one quick installation routine then you manage the firewall from a web interface. No command line and you don’t need to know anything about Linux. This is very powerful for a small business as they can have the power of a Linux based firewall and the simplicity of a web interface.

Feature Set (4 Stars)

The downloadable ISO is only about 50 MB. The ISO is then burnt to a CD and used to boot the computer and start the installation. The good news is that it will run on almost any computer new or old. You probably have enough spare parts lying around your shop to build a computer that will run IPCop. The feature set is long and great for a SOHO business owner. Such things as IPChains-based firewall and the ability to have the outside interface a modem, an ISDN modem, or an ADSL modem adds some flexibility. DMZ support is built in if you require a safe location to allow web access to your servers. Access is gained by port forwarding rules which are simple to configure.
Features include:

• Firewall
• Intrusion Detection System
• IPSEC VPN
• Caching DNS
• Web Proxy
• DHCP Server
• Time Server
• Traffic Shaping
• NAT

So when examining the feature set for a small or home based business they can take an old or new PC, install IPCop and have a full functional network server with many of the base services a small business needs. All of the features are managed though IPCop’s web based interface and is a cinch to navigate – even for the novice.

Setup (4.5 Stars)

© 2006 by Tom Eichstaedt

Once the product has been downloaded, the user can expect 15-30 minutes from start to finish setting it up. There are a number of documents to help setup the product by visiting IPCop Install Docs. The only questions you will have to answer is the type of network cards you will be installing, how many interfaces you want to configure, and their IP addresses. IPCop does a good job of discovering most network cards…even obscure ones. IPCop colour codes its interfaces making installation even simpler. Red is the external interface (usually used to connect to the Internet) and is completely protected. Green is the internal interface and allows all outbound traffic. Orange is for the DMZ which allows the internal interface to talk to it, but no other network traffic. There is also a Blue interface for wireless configurations. The only caveat you may encounter is if you are using different brands of network cards. If all cards are identical, then IPCop sees them all as active. If you have different cards you will have to tell IPCop to add them.
The system can be easily configured from the web interface once all is configured. The network interface screen shot is a view of the web interface for a system with three network cards.