Filed under CPR, Certichron by Todd Glassey on August 13, 2010 at 9:29 am
SecureNTP DES for Cities™ and the vLEO™ Evaluation Program
As a part of Certichron’s new vLEO working group efforts, Certichron is pleased to announce the availability of DES for a 90-day trial period for Cities using secure time services as a new evidence anchor for the Law Enforcement and City Operations services.
SecureNTP for Cities program
SecureNTP for Cities provides a secure source of time for City IT Operations which is provable. It provides a City Manager with a secure source of time which is provable to the point of court admissibility. With this service, the City Manager working to produce a court-admissible evidence workflow will have the time-base trust anchor to prove the synchronization of the local time service as well as of any servers for which peering was set up.
SecureNTP with DES
Additionally DES offers the City Manager the ability to create their own Digital Evidence Policy and IT Practice for its creation in the form of NTP based content-timestamps. Most IT people are unaware that NTP has two optional payloads which can be used to carry additional hashes which can be used to represent events in time. Certichron’s SecureNTP DES does exactly this and allows for the time-stamping and archival storage through the Peering Program component of SecureNTP.
DES provides its adopters an unprecedented Audit and Evidence Practice Enablement
This capability allows a City Manager and IT Director to provide a time-stamping practice which can be used like a Cash Register Receipt, only one which can contain any number of event or practice types. The service is an audit designer’s dream because they can create third-party timestamps which are provably created through the use of the NIST(UTC) time standard itself. No other time management and evidence creation/management process offers this level of capability.
DES for Cities is a new program to implement new digital evidence practices atop existing and emerging city-operations work flows. This key practice adds supporting value to existing work flows and can be used as the basis of a virtual Law Enforcement Operations (vLEO) system.
vLEO and Law Enforcement or Court Practices
vLEO uses Certichron’s patent applied for OpenTDI and Ceremonies in Software™ process which allows for the virtualization of a Law Enforcement Officer’s commission through the NCCSL eNotary Provisions now on the books in all fifty states. If your Camera System or Redlight Service is down now, this vLEO service may be just what you need. Call Certichron at 800−511−2301 or email us at Sales@Certichron.COM
Filed under Certichron, Digital Evidence by Todd Glassey on July 23, 2010 at 10:54 am
Police and Sheriff’s Departments have a new hurdle to leap, and that is in meeting the new constraints Khaled placed against their existing evidence capture and management practices.
To make it possible for Law Enforcement (LE) to protect our culture, and to deal with the rising costs of ensuring that security, Law Enforcement processes are turning to outsourced or remotely operated surveillance systems which depend on virtualization of internal LE and many of the field-based LE Data Capture Operations which would ultimately lead to some form of prosecution and settlement-fine.
Traditional Evidence has been first-person in form
Traditionally in these matters, any citations issued through those processes would generally need to be issued by the Police Officer or Sheriff’s Deputy who was operating that system under the commission of their office as a law enforcement officer. Some States actually have laws requiring that citations be issued under the office of a commissioned Law Enforcement Officer, which complicates many surveillance and automated traffic management practices.
Certichron’s “Ceremonies in Software” allows for the virtualization of Law Enforcement Functionality
Certichron’s Virtualized Law Enforcement Officer, a Ceremony in Software Practice based on already-approved eNotary practice, addresses this requirement fully, meaning that with Certichron’s system existing Law Enforcement Agencies are ‘good-to-go’ to restart their traffic enforcement practices immediately.
The use of the Notary statutes amplifying the Law Enforcement commission creates a new and powerful electronic signing resource with the integrated $15,000 bond all notarized signings create. This system fully meets California and other State requirements since these states already ratified the specific portions of the Notary Practices Acts as UCC, making the Certichron model already approved for rollout across all 50 states.
In fact with proper implementation of a new evidence-capture mindset, many if not all existing systems can be brought into alignment with the new control requirements to maintain their admissibility into US and California Courts.
The Virtualized LEO
The virtualized LEO allows for Intentional Evidence from each stage of each process to be created under the commission of the officer attesting to the issuance of the citations. The capture of the data can be certified by adding a hashing timestamp for each event. The reporting or containment receipt can be properly acknowledged with a timestamp request showing each component movement of evidence content, and when that content is ephemeral in form this is the only way to properly document controlled management of that data.
With this system any existing system can have transparency and the certifying process added to the process by the LEO signing into the Session Manager and attesting that they are applying their commission as a LEO to that operating session. The practice also can be facilitated against the Camera Operations Models today for any and all systems (RedFlex and Lockheed, or ATS operated in form). For all of these control practices the Certichron DES infrastructure allows the creation and application of the human commission in a virtual sense to these existing systems.
For more information on our services and technologies, please email Certichron with your requirements or contact the sales office directly at 800−511−2301 (9−5 PST). Certichron, Inc. © 2009, 2010
Filed under Certichron, Hotel Surveillance by Todd Glassey on July 9, 2010 at 7:08 pm
Certichron and Relify Security announce the availability of Certichron’s SecureNTP services to Relify Security customers.
Certichron announces its partnership with Relify Security. Relify is a well established provider of commercial consulting and security review services for banking, credit union and other PCI-DSS type clients as well as other Financial Providers.
To quote Relify Security’s managing partner:
“Relify Security has recently launched a partnership to deliver what Relify believes is a pretty unique and needed service. It addresses a problem that we often don’t think about… Where do you get your time?”…
“Today the global evidence requirements create new levels of provable integrity that must be demonstrated continuously to meet today’s compliance requirements. For example, one of the primary goals of PCI DSS 10.4 is to ensure a strong and reliable evidence model that can be used to prove the timing of transactions. In most instances log management or SIEM vendors will not tell you if the time on your critical devices is out of sync. Even though every record they process has a time stamp, they do not analyze this data to identify anomalies, because most of the detailed time stamps are unreliable or inconsistent.”
“However, accuracy is not the only attribute you should be concerned with when it comes to time, especially in the commercial context. Time needs to be reliable and always available. Your time source is like any other third party that provides critical services to your organization. Time distributed over NTP without other controls is not provable and is subject to any number of attacks that make it impossible to rely on NTP as a control resource.”
Relify Security has partnered with Certichron to deliver SecureNTP Time cloud services. SecureNTP is a NIST(UTC) service provided from Certichron and Relify Security operations centers as a Trusted Digital Intermediary. The SecureNTP’s delivery service is based on a fully integrated suite of NTP, logging, packet filtration and log-event validation services, and the related system and network integrity tools needed to create a complete evidence model in the sourcing, transfer and tracking of time.
“SecureNTP provides one time source for all uses: What this means is that there is one time source for everything finally — from Building, Power, Security, IT Operations and at last uniform evidence across the entire entity. In most cases SecureNTP requires no installation of hardware or software, since your business is likely already running the NTP protocol. Once you have registered with Certichron, it only takes a few minor configuration changes and installation of the digital key, along with setting up audit logging and key management practices.”
Mike Pearson, CISSP
Managing Partner
For more information contact Relify Security, LLC
O/F: 866.897.6900
M: 813.523.0151
www.relifysecurity.com
Reliable and Verifiable Advanced Security Solutions
Filed under Certichron, Khaled by Todd Glassey on July 4, 2010 at 8:34 am
Certichron announces DES, its Digital Evidence Service. DES is a bolt-on time-centric content/infrastructure synchronization and time-evidence service. Certichron’s third-party DES offering is the missing piece of that puzzle to make their previously weak evidence meet all of the existing and emerging evidence qualification hurdles for Digital Evidence. DES is available as a service for existing systems and as a turn-key appliance type system to meet all architecture requirements and deployment needs.
As just one example of its utility, consider those operating Red Light Camera Systems which have gone dark based on Khaled. The Khaled ruling from the California Appellate Court has opened the door to the need for a trusted third party in all public evidence systems, and for them the DES service is a complete solution. The DES solution provides a system which can be engineered to produce enduring evidence for all uses. The deployment model can be either a local resource which can be operated as a shared service between multiple uses and users or one which can be operated onsite for larger users. This creates a time-stamp repository service model for all users which is easily documented as “a method of timestamping and validating the content from virtually any digital event source to the legal US Time Standard”.
For a City Manager with Camera Networks: The DES supported Camera Network registers each picture and time it was created with the master Time Service Center serving those systems. The time-service model creates intentional evidence which is fully court-admissible. The DES evidence-recordation or timestamp service actually runs over the IETF NTPv4 data transport seamlessly as time-service requests. The same is true of a corporate CIO or CFO who needs to create provable evidence with a party who will prove their coördination to a NIST(UTC) timescale in the first-person.
Easily Shared — a private time service can be shared or the Public Service can be used
The service model for DES can be built as a shared or private resource. This means a group of City Managers can band together to put a shared service model together for managing all of the evidentiary timestamps for any use as an Official Governmental Entity. They would purchase a secure system and share its operations across a number of local jurisdictions.
Timestamping done right…
The DES type of NTPv4 request has a digital hash for the event or other digital object which it uploads to its reference time-server, and through this process the time-server responds to the requestor with (and registers in its own logging system) both the request and the response tokens. At this same time the Service Bureau is registering those tokens in its own cryptographically secured logging system to ensure no changes to those evidence attestations are possible.
Federally Certified
Since NIST is the calibrating agent, this service model provides a provable instance of a digital data object secured through timestamping to the US National Time Standard, a digital object whose integrity or content cannot be refuted under today’s evidence rules. This is important because NIST is the ONLY LEGAL SOURCE OF TIME IN THE US per 15 USC sections 271 and 272.
SecureNTP as an Evidence Transport
This set of features and service is 100% contained within the extended use model Certichron built for the Network Time Protocol (NTP). Certichron’s reliance on the standard NTP Service to provide these features means that there is zero security-risk implication from this system’s use. DES is today one of the only process-services capable of certifying a digital object to the NIST(UTC) timescale in a legally provable manner.
15 down and counting: Without DES, today 15 States are already either dark or going dark, meaning their investments in their digital evidence capture systems are now standing in limbo, and in many instances there is a cost to turn these systems off, as Burlingame, California found out. SecureNTP is the optimum solution since a City Operations Center can contract for DES from our Internet-based service centers or through our hard-wired DirectConnect service centers. The service subscription model is low cost and can be set up for a single site or multiple uses on a per-use charge model or enterprise-wide license model.
For Applications like the following, which all pertain to Court Admissible Evidence, DES and its SecureNTP basic service create the basis of a strong and reliable audit model around the evidence of time:
- For Camera System Operators like RedFlex and ATS whose systems are now dark because of Khaled, and for
- Other Surveillance System Operations including but not limited to
  - Court or Official Facility Access
  - Police Department Access and calibration of field data units and other devices
  - Banking or Financial Institution Access logging including physical and data-level access to the Institution or its ATMs
  - Pharmacy or Medical Facility Access, and of course for
  - Casino or Hotel Access
One size fits all
As it happens there are only certain ways to produce legally provable evidence which meets forensic guidelines for evidentiary competence, and DES gives you a single solution which can be operated for any and all evidence creation needs. DES comes complete with a yearly SecureNTP subscription and can be deployed as an in-place service/unit under lease from Certichron or as client-placed services on a per-use basis. This charge model creates the best possible solution for all uses, and especially official ones, to allow the service’s most economic use possible.
DES records are stored either in Certichron’s site or optionally in the client’s off-site provider’s possession to ensure proper competence in the records. For more information on DES see the DES page or send us an email telling us about your needs for evidence.
Certichron provides secure and auditable time services that allow companies to provably synchronize their desktops and transaction servers with regionally deployed, Federally-traceable time servers (using the Internet or a private extranet). For more information on our services and technologies, please email Certichron with your requirements or contact the sales office directly at 800−511−2301 (9−5 PST). Certichron, Inc. © 2009
Filed under CTO's Blog, Certichron by Todd Glassey on May 9, 2010 at 4:29 pm
Customer Provisioning
Certichron has updated the basic Customer Provisioning Form with this new release.
Clients purchasing or evaluating SecureNTP will need to fill this form out for each site or system supported/registered to use the SecureNTP service.
Submit By Email
Please download, fill out and email this form to SUPPORT@CERTICHRON.COM to register that system with the SecureNTP program with the subject “PROVISION” to queue that system for security-rule provisioning.
Filed under News, Products by Todd Glassey on March 17, 2010 at 9:06 pm
Lock Down
Certichron’s private time servers are locking down and will now all require symmetric key tokens to be issued for each authorized user. This will provide full logging and peering information for your time-setting events.
In the next two weeks all Private TS1 systems will go symmetric key. TS0 systems are non-keyed but controlled by RESTRICT statements so all users of those systems need to be registered from this point onward.
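How a keyed time server tells an authorized request from an unkeyed one, using the standard NTP symmetric-key MAC layout from RFC 5905 (a 32-bit key ID followed by a digest over the key and the packet). This is an added example, not Certichron's code: the key table, key values and function names are constructed for illustration, the digest algorithm is a parameter (RFC 5905 describes the layout with MD5), and requests are assumed to carry no extension fields.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTPv4 header length in bytes

# Constructed sample key table (key ID -> secret), one entry per registered site.
ISSUED_KEYS = {
    1: b"constructed-secret-for-site-A",
    2: b"constructed-secret-for-site-B",
}


def build_client_header(transmit_ts: int) -> bytes:
    """48-byte client request: LI=0, VN=4, Mode=3, only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBBb3I4Q", li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def keyed_digest(key: bytes, header: bytes, algo: str) -> bytes:
    """Digest over the key followed by the packet header (RFC 5905 construction)."""
    return hashlib.new(algo, key + header).digest()


def sign_request(header: bytes, key_id: int, key: bytes, algo: str = "sha1") -> bytes:
    """Client side: append the MAC (key ID, then keyed digest) to the header."""
    return header + struct.pack("!I", key_id) + keyed_digest(key, header, algo)


def check_request(packet: bytes, keys: dict, algo: str = "sha1") -> tuple:
    """Server side: return (accepted, key_id, reason) so every decision can be logged."""
    digest_len = hashlib.new(algo).digest_size
    if len(packet) == HEADER_LEN:
        # Bare header, as a plain unkeyed client would send it.
        return (False, None, "no MAC: unauthenticated request")
    if len(packet) != HEADER_LEN + 4 + digest_len:
        return (False, None, "unexpected length")
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    key = keys.get(key_id)
    if key is None:
        return (False, key_id, "key ID not issued")
    expected = keyed_digest(key, header, algo)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return (False, key_id, "digest mismatch")
    return (True, key_id, "ok")


def demo() -> list:
    """Run five constructed requests through the server-side check."""
    header = build_client_header(0xD0A1B2C300000000)  # constructed timestamp
    good = sign_request(header, 1, ISSUED_KEYS[1])
    tampered = bytearray(good)
    tampered[40] ^= 0x01  # flip one bit of the transmit timestamp in transit
    wrong_key = sign_request(header, 2, b"guess")
    unknown_id = sign_request(header, 9, b"anything")
    packets = (good, header, bytes(tampered), wrong_key, unknown_id)
    return [check_request(p, ISSUED_KEYS) for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because each accepted request resolves to one issued key ID, the server log can attribute every time-setting event to a registered user, which a non-keyed server cannot do from the packet alone.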
The reason to use these systems is that, in addition to its NIST servers, Certichron operates a chain of secured time service centers across the US. It can easily provide a multipoint access model for NIST-calibrated services which are fully audited. No other service offers customer or Certichron private networking services for NIST calibrated timing services anywhere.
Please contact your sales person at 800−511−2301 for more information or to sign up for the SecureNTP service. Contact Sales@Certichron.COM or Support@Certichron.COM for more information.
Filed under CTO's Blog, Gaming by Todd Glassey on January 13, 2010 at 9:17 pm
NGC Regulations say Gambling Systems need secured time services
In today’s gambling terminals and area controllers the time management services need special attention. Linux and other systems which run NTP natively are more easily configured, but many of them only run SNTP, meaning that they are not capable of reasonable-strength authentication in their time-setting process, and as such the evidence value of the time-setting event is questionable.
In infrastructure where distributed or group gaming practices are run, this has direct implications, especially in instance or reaction based games where the when of ‘when’ an event happens is measured in an instance locally and generally transferred into a multi-event scheduler which is the core of the multi-terminal gaming system. There are of course many variants, but the goal and the real win is in unifying the evidence model such that real-automated inline controls are effective.
The following are examples of the language (comments are in italics):
Regulations:
http://gaming.nv.gov/stats_regs/all_regs.pdf
Operation of Gaming Establishments 5.108.2.(f) At the request of the chairman, an operator shall provide and maintain, at its sole expense and at such location as the chairman may designate, a terminal and printer for the purpose of monitoring information regarding the system including, but not limited to, the current progressive payoff schedules, reset funds, the real-time date and time, the number and location of gaming devices and games connected to the system, the names of persons accessing the main computer or data communication components of the system, the identification of functions being performed by such persons, the audible notification of any progressive payoff schedule won, and the identification of the location, machine number, and amount of any progressive payoff schedule won.
5.200.3.(b) Establish a log that contains the name of each salon patron of the gaming salon, as well as the times each salon patron enters and leaves the gaming salon. The log shall be maintained for a period of not less than two years.
Surveillance Standards 2.010.7. The surveillance system must include date and time generators which possess the capability to display the date and time of recorded events on video tape recordings. The displayed date and time must not significantly obstruct the recorded view.
Digital Video Recording Standards: 5. All digital video disks or other storage media produced from the DVR system must contain the data with the time and date it was recorded superimposed, the media player that has the software necessary to view the DVR images, as well as a video verification encryption code (also known as a watermark).
Technical Standards for Gaming Devices and On-Line Slot Systems: 1.050.2.(b) For the system portion of the system supported game, gambling event server or system component must reside in a secure area where access is limited to authorized personnel. Logical access to the system supported game shall be logged on the server component and remotely on a logging device which resides outside the secure area and is not accessible to the individual accessing the secure area. Logged data shall include: time and date of the access and the identification of the accessing individual(S). The resulting logs shall be retained for a minimum of 90 days.
1.066.5. A system supported or system based game must log each remote access on the server or system part of the gaming device and on the secondary logging device. The log must include time and date of the access and a list of programs transferred or changed.
1.084.5. System supported games must provide a log entry anytime an individual causes a software component to be added, removed or altered in the server or system portion of the device. Each log entry must contain the date and time of the action, identification of the component affected, the identification of the individual performing the modification, the reason for the modification and any pertinent validation information. (See similar language in 1.084.6, 1.086.5 and 1.086.6,)
The requirements are likewise enumerated throughout all of the NGC Standard for all other devices in the Casino or Gambling Terminal operations. L1 GPS systems alone don’t cut it anymore; proof demands evidence which will stand the test of time.
Certichron’s SecureNTP anchors gambling networks so that their timestamps are provable. Self-attested timestamps are no longer provable, and since fraud in eTransactions happens in an instant, the proper timeline correlation in prosecutions and surveillance systems is key.
See also Certichron’s press release about the new Las Vegas SecureNTP™ service center opening up there.
Filed under News, Products by Todd Glassey on December 29, 2009 at 5:19 pm
Certichron’s NTP Service called SecureNTP™ is the answer to the problem of relying on self-operated or unauthenticated third-party time sources in use pretty much everywhere in the unauthenticated world.
Today the ability to produce proof of your actions which will stand the test of a Court has a new set of hurdles and time-stamping and the ability to show that time can be correlated across any number of systems and any numbers of locations is key in creating uniform digital evidence.
For people needing real proof which will stand the test of years, only Certichron’s third-party time management practices and digital evidence trust-anchor works. All of the other solutions are based on GPS or other unreliable and easily spoofed time-solutions, ones which were designed for use in a nicer, more genteel time. Unfortunately hacking and the digital barrage being what it is — digital evidence is important, so intentionally creating evidence in which the time-data is easily disproved is silly and self-destructive. The SecureNTP service addresses this, and as CI’s CTO I strongly suggest you look at it as a bolt-on for existing systems which need provability and as a core component of new ephemeral trust models.
//TSG
Filed under News, Products by Todd Glassey on December 29, 2009 at 5:11 pm
Certichron’s Extranet services called DirectConnect™ may be just what you are looking for in a third-party time source solution. Certichron’s DirectConnect Extranet service allows private (non-Internet based) connections to Certichron’s NIST-calibrated timing service centers so you are immune from Internet-based Denial of Service Attacks in your reliance on the NIST time services so critical to US and global commerce.
For more information on DirectConnect check out the link above or contact our sales office at 800−511−2301 or through email at Sales@Certichron.COM
Filed under News, Products by Todd Glassey on December 23, 2009 at 11:30 am
Certichron and JTime!® MEINBERG USA Partner to Offer Certichron’s Provable SecureNTP Services to Meinberg Customers!
Of the various global producers of network clocks and time servers, Meinberg in Germany has always stood out as a leader in reliable, precision time keeping systems. And it is for that reason that I’m particularly pleased with the recent announcement that Certichron and Meinberg’s US distributor (JTime!® MEINBERG USA) are partnering to offer Certichron’s SecureNTP services to Meinberg customers. For further information on this important announcement, click here.
As the press release states:
“Meinberg LANTIME system owners already know how important accurate time is. Certichron’s SecureNTP™ service enhances their time management practices by creating “provable” time – independent verification as to the accuracy and source of time settings. If internal investigations, exposure to litigation or compliance with regulations or industry standards are important risks in your business, then your time settings must be provable. This includes compliance with industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) and the FINRA Order Audit Trail System (OATS) and such laws as HIPAA, GLBA and SOX. You should be able to demonstrate to auditors, regulators, law enforcement or the courts that the time settings on your electronic records support your assertions. If you can not substantiate “when” an event occurred, then the data as to “who” and “what” will likely be discredited or, in the worst case, thrown out in court as unreliable, unprovable digital testimony. SecureNTP creates third-party initialization and tracking events to provide forensic assurance that your Meinberg precision solution was working properly and that the network was properly synchronized.”
And all of this can be implemented on existing Meinberg NTP and PTP LANTIME systems without significant changes in operational procedures or the need for new software.
Consider the possibilities when you combine a highly precise and reliable time source such as one of the Meinberg LANTIME systems with Certichron’s provable time keeping services, especially in such areas as automated securities trading or SCADA control systems where there are stringent sub-microsecond timing requirements coupled with the need for an evidentiary trail of proper-time-management practices.
“I have talked for years in various forums about the need for more stringent time keeping practices to ensure that the time stamps in digital records can qualify as reliable digital evidence in litigation. But let’s face it, up until now implementing a robust time setting practice was mostly a build it yourself effort and one where there were few guaranties of success. Now with the combination of Meinberg’s time keeping systems and Certichron’s services we have taken a big step to addressing these problems with one simple solution. And this is only the beginning.” — Todd Glassey — Certichron Chief Scientist and CTO
//TSG