Friday, February 22, 2013

Mission Acellus – Reforging the Core of America Through Education


School Administrators from across America have gathered together today in Los Angeles for the National Conference on Education, sponsored by the American Association of School Administrators (AASA).  Some of the featured speakers include Dr. Linda Darling-Hammond, Professor of Education at Stanford University, and Dr. Deb Delisle, US Department of Education, Assistant Secretary for Elementary and Secondary Education.

The International Academy of Science has a large exhibit at the conference featuring the rapidly expanding Acellus Learning System.  Acellus is now being utilized in all 50 states in both public and private schools.  Adoption of the interactive learning system is rapidly expanding as students using the courses see improvements in year-end test scores.  Acellus makes a Science of the learning process, and allows students to receive Special Customized Instruction intended to reinforce their understanding of specific concepts.

The new Acellus video presentation, “Mission Acellus – Reforging the Core of America Through Education” is being shown to attendees of the conference.  It describes the Acellus Learning System and some of the ways it is being utilized by schools to help students succeed.  The new video can be viewed over the Internet at the following link:

http://www.science.edu/Acellus/

I hope you enjoy the video.

Tuesday, February 12, 2013

GoldKey Secure Web Finding Success in the Market

We are having good success with the deployment of GoldKey Secure Web.  The need for a very secure way to protect access to key websites is expanding daily.  As more and more important functions and transactions are accomplished online, the number of websites being compromised is a serious industry problem in need of urgent resolution.  The problem is not just limited to unfriendly parties getting into a website.  There are also the problems associated with users being misdirected to a counterfeit site where they might unknowingly divulge sensitive information. 

The idea of using security tokens to protect remote login has been around a long time, and has limited acceptance.  Upfront, this approach has the challenge of getting tokens distributed and users properly registered.  In addition, the idea that a user would carry around multiple tokens to access multiple sites is just not practical and is cost-prohibitive.  Furthermore, many of the token solutions that have hit the market have proven to be vulnerable to the various types of security attacks.  At the same time, customer support costs have skyrocketed as users have lost their tokens or forgotten their PINs.

The GoldKey entry into this market began over ten years ago, and was careful and methodical.  We started with the preconceived notion that something needs to happen, and when all of the elements are put together just right, the opportunity exists not only for a major deployment, but also for the emergence of a de facto security standard.  To make all of this a reality, a solution is needed that combines military-grade security with the elements of easy deployment, user self-help, universal usage of a single device, and some sort of a history tracking system that would establish credibility with long-term usage similar to the rating system of sellers on eBay.

Now that a significant volume of users are beginning to depend on the system, we are becoming confident that GoldKey Secure Web is a winning proposition.  We are finding less and less new-product resistance from users as they begin to realize that the single GoldKey token can secure their local computer, protect and encrypt their files in the cloud, while also providing secure login to their favorite "GoldKey Ready" websites.  A common scenario is that a user will initially obtain a GoldKey token to provide access to a specific website which requires a GoldKey login.  From there, usage grows.

Websites wishing to add GoldKey Secure Web are easily able to do so by deploying a rack-mounted GoldKey Secure Portal to their datacenter.  By adding a few lines of code to their web servers' login sequence, they are able to immediately begin taking advantage of the enhanced two or three-factor authentication protection of the system.  To distribute the authentication and access privileges required by GoldKey to the website's users, various options are available, due to the fact that GoldKey tokens are hardware-managed by Master and Grand Master tokens.

Among these options are onsite administration, such as requiring a customer to show up at a branch with proper photo ID and a GoldKey token; sending out email links; or even allowing existing customers to log in with their existing user name and password, then adding the GoldKey token authentication to secure the account once they are logged in.  The good news is with GoldKey it does not matter.  Each organization can choose just how rigorous a process is appropriate for the nature of the access being protected.

GoldKey security was specifically designed so one token would provide all of the security needs for a user.  This is a mandatory feature for any solution having even a modest chance for widespread deployment.  Using the GoldKey core technology (patents pending), it is possible for a user with just one token to securely log in to millions of unrelated sites, each with a separate and unique credential.  To my knowledge, this important capability is currently only available through GoldKey.

The other part of this whole system – that has already been deployed and is now in commercial usage – is the integration of the user history aspect.  Each user is issued a unique, personal GoldKey ID.  Through goldkeyID.com, users are able to recover forgotten PINs, deactivate lost or stolen tokens, and even make duplicate tokens when needed.  The GoldKey ID also provides subscribers with the ability to access user historical information to determine how much access will be given and to also obtain alerts issued by other subscribers to know immediately that a user ID may have been compromised.

Where does this all head?  I believe that a security revolution is at hand, forced upon us by necessity, but at the same time, providing to users new features and advantages that will quickly catch on.  We are soon to announce a line of GoldKey-based door locks which will allow users to gain access to secured buildings using the same GoldKey token they use to access their computer.  The units we are working on also keep track of access history, catch a photo of the user, and provide an easy way to change a user's building access privileges.  We are also working on the GoldKey credit card feature.  If things go the way I expect, it will not be long before you will see a USB port at grocery store checkout credit card scanners and on gas pumps.  Using the GoldKey credit card feature will be much safer than credit or debit cards in use today, and just one GoldKey token will handle all of your credit card and bank accounts.  Further down the road comes "Gold Bank."  That is when things all begin to get really exciting, but will need to wait for a later post.

Thursday, February 7, 2013

GoldKey SecurID Alternative



Authenticating a user on the network or over the Internet is one of the cornerstones of all security systems. Traditionally, authentication has been accomplished by asking for a username and password. In spite of the fact that this simplistic approach has been repeatedly compromised, it remains the predominant approach in use today. There are many weaknesses that have been exploited to compromise the username/password authentication model, including using the same password for multiple sites, using passwords which are easy to remember and therefore easy to guess, finding the place a user has written down the password, or complex man-in-the-middle attacks where a user’s password is obtained and therefore compromised.

A superior method of authenticating a user involves the utilization of two factors or, as it is often called, two-factor authentication. In these types of systems, a user is given some kind of a security token or device, which is used along with a password to authenticate, resulting in the common adage “something you have and something you know.” In the realm of two-factor authentication, there are three basic strategies that represent the majority of the market. Each of these has its advantages and disadvantages and should be considered when choosing a two-factor authentication system for deployment.

RSA SecurID
Although SecurID is by far the most popular two-factor authentication system in use today, it is an old technology with serious weaknesses.
Earlier this year, the entire RSA system was compromised by a security breach which compromised sensitive data and forced RSA to reissue millions of one-time password security tokens. The security industry is now exploring other options to replace this aging technology. The most popular two-factor authentication system today is SecurID, marketed by RSA. The SecurID method of two-factor authentication involves issuing a card or a token to each user of the system.

These pocket-sized tokens each contain a small battery-powered electronic system that has been programmed with the algorithm of the one-time password strategy being utilized. Each time a user logs onto a SecurID system, a unique password is read from the device and keyed into the login computer by the user.
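A one-time-password token and the server that checks its codes both compute from the same secret seed, which is why the server-side seed store is as sensitive as the tokens themselves. The following is an added example, not from the original post and not RSA's proprietary SecurID algorithm: it uses the open RFC 6238 TOTP scheme to show code generation and a verifier with clock-drift tolerance and replay rejection. The seed is the published RFC test value and the user name is constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (RFC 6238 default; an assumption for this example)
SEED = b"12345678901234567890"  # constructed sample: the published RFC 6238 test seed


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: holds a copy of each token's seed, allows drift, rejects replays."""

    def __init__(self, seeds: dict, drift_steps: int = 1):
        self.seeds = seeds              # user -> seed; must be protected like a password store
        self.drift_steps = drift_steps  # accepted clock skew, in time steps either side
        self.last_step = {}             # user -> newest time step already accepted

    def check(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_step.get(user, -1):
                continue  # a code from this step (or an older one) was already used
            expected = totp(seed, step * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    server = Verifier({"alice": SEED})
    code = totp(SEED, 59)
    print(code, server.check("alice", code, 59), server.check("alice", code, 59))
```

The second `check` call with the same code fails because the verifier records the last accepted time step.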

Smart Cards
Another increasingly popular strategy for two-factor authentication utilizes a smart card issued to each user.  Whether it is a credit-card-shaped device or a smart card installed into a USB device, it operates in essentially the same way: it stores security certificates, which can be read from the smart card when it is inserted into a computer at the time of log-in. The concept of using a security certificate to securely sign into a system is based on the notion that certificates, which are blocks of digital information, can be signed by a trusted authority at the time they are created.

Many systems utilize smart card technology. One of the most popular is the PIV System deployed by the United States government. Other enterprise organizations utilize smart cards issued to their users as a two-factor authentication method of log-in to Active Directory. The Achilles’ heel in smart card certificate authentication is the vulnerability of the trusted authority protecting the chain of creating signed certificates. This vulnerability has been underscored by a series of recent breaches, including the major breach of the Comodo signed certificates in 2011.

Gold ID
The third method of providing two-factor authentication is Gold ID. This technology is based on a hierarchical hardware key management system developed by GoldKey Security Corporation. Rather than relying upon a one-time password algorithm or a reliable chain of signed certificates, the Gold ID system utilizes a process of registering hardware tokens to hardware management and grand management tokens. This approach has significant advantages as compared to the earlier technologies.

Gold ID greatly reduces the cost of initial deployment. The security function can be managed by non-computer personnel, bringing the matter of security back to the security department and out of the hands of programmers that already have access to the system. Since the process is managed entirely in hardware, it is much more flexible, giving the organization the ability to lock out disgruntled employees, recover lost credentials, and to control access of critical information assets by multiple users, even when the assets are stored encrypted at-rest.

To date, Gold ID is the only two-factor authentication system that has not been compromised. Gold ID is thoroughly implemented in the GoldKey offering by GoldKey Security Corporation. GoldKeys are not powered by internal batteries and therefore do not have end-of-life failures as batteries wear out. There is not an annual licensing fee for each user, and the initial cost of deployment is substantially less than other options. Most importantly, GoldKey Security tokens also contain a full deployment of the PIV Smart Card system, allowing users to continue utilization of their current Smart Card system while building the capability of transitioning all or part of the system over to Gold ID at some future date.

Additional information on Gold ID can be found at GoldKey.com.

Advanced Authentication for CJIS Compliance


Effective September 30, 2013, Advanced Authentication is required of all law enforcement personnel accessing CJIS, a computerized information system that is for the FBI’s National Crime Information Center. CJIS provides state, local, and Federal law enforcement and criminal justice agencies with access to centralized information such as fingerprint records, criminal histories, and crime reporting systems.

Law enforcement agencies throughout the country are scrambling to find the best security token solution to satisfy the FBI requirements. The first law enforcement agency to contact GoldKey, looking for an advanced authentication solution, was the Marysville Police Department of Washington State. GoldKey is an excellent choice for agencies desiring to comply with the FBI regulations. Not only does it provide advanced authentication, including dual factor authentication, but it also comes equipped with numerous additional security features and capabilities.

As one example, by utilizing GoldKey with internal secure flash storage, it is possible to store information downloaded from the FBI System onto the GoldKey rather than onto the disk drive of the computer. Since the place where this information is stored, according to the new requirements, must be encrypted, using GoldKey in this way eliminates the very cumbersome need of total disk encryption systems, the only alternative.

Working in conjunction with GoldKey Security Corporation, Marysville Police Department prepared and submitted a GoldKey solution option to the FBI for approval. Now that the FBI has approved this solution, other law enforcement agencies throughout the state of Washington and the nation are lining up to deploy the solution.

This is yet another market niche satisfied by GoldKey and Gold ID Security. The strategy of GoldKey is to become a single integrated security solution that will satisfy all of the authentication and security functions required by a user. What the market really needs is a single, robust yet simple solution that is secure, yet manageable, and affordable, yet resilient. One thing is very clear — better security technology will be required in the years ahead. GoldKey is the first and, so far, the only security system to come forward with hardware management of encryption keys and security tokens. So far, no alternative technology has emerged with the capabilities that future security challenges will demand.