In other sandbox news, Dell’s KACE systems management division released a free tool which combines Mozilla Firefox browser with Adobe Flash and Acrobat Reader into a virtualized package which allows web browsing to take place within a sandbox isolated from the rest of the Windows environment.  They also offer a management appliance (not free) which will allow enterprises to deploy and manage Secure Browsers on hundreds or thousands of computers.  I have not yet had a chance to play with this tool, but it looks promising.

Oh hai! We're in ur companies steeling ur sekretz

The Russian spy ring seems to be the gift that just keeps on giving in terms of blog fuel.

First… if this story is to be believed, one of the spies set himself up as a consultant, talking to companies about their plans for a post oil economy (a subject of interest to fossil fuel producers such as Russia) and pitching a software package to help companies model the effects of future events on their businesses.  Since this software would be installed on customer networks, it could be used as a vector to plant spyware on clients’ computers.

Another report reveals that a Russian man who may be linked to the spy ring and who was recently deported had worked at Microsoft as a software tester both as an intern and as a full time employee.  He worked in Redmond for less than a year, and Microsoft claims that no software was compromised.  Hmmm.  I hope the boys and girls are putting in some serious overtime looking at what this guy had access to.

If true, these stories point to a new face of state sponsored espionage – one focused on the private sector, which is much less prepared to protect the secrets which are important to their business as well as to the critical infrastructure.  Another good reason for security folks to join their local InfraGard chapter and learn more about protecting their businesses (and their country) against corporate espionage.

lock up those bits!

Interested in Enterprise Rights Management?  In the New York City metro area?  Free on July 14th?   New York Metro InfraGard is putting on an ERM seminar which looks really worthwhile.  I think that ERM is going to be a key tool for security professionals over the next year or two as new mobile devices, as well as devices owned by employees and business partners become more and more integrated with our businesses.  I’m planning to be there and look forward to meeting some readers!

Wanna be friends?

You can never have too many friends – or CAN you?  (Hint: you can).   A recent social engineering experiment conducted by Thomas Martin of Provide Security showed the dangers of blindly accepting connection requests from people on social networks.  Martin set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles.  “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words).  The result?  In an interview with CSO Magazine, he stated that:

By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.

More alarmingly, according to an article from DarkReading,

Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

Can you spell “bad operational security?”

Martin will be revealing all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – should be quite entertaining for most and deeply embarrassing for a few.

There are some lessons learned to be learned from this incident for those of us who are not part of the military:

If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as your organization (in the case of professional networking sites like LinkedIn)

Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization.  Trust me – I have seen this happen.  You know who you are.

Review the privacy settings for your social networking accounts and be sure that you are aware of and comfortable with the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and Linked In are rather complex.  I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info.  For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.

And Robin Sage ain’t your friend.

PS – “Robin Sage” is the code name for the last training exercise that Army Rangers must complete before they are truly “Green Berets” – and none of the military folks (including at least one Ranger) caught on.  Sigh…

Did they have it all wrong?

A few weeks back, I blogged about some research on the economics and potential malware risks posed by Internet pornography.  Well, a *new* study from Avast Software finds that non pornographic sites serving up malware outnumber pornographic sites serving malware by a factor of almost 100 to one.  Furthermore, Avast contends that there are more malware infected domains containing the word “London” than there are containing the word “sex.”  Not sure what this says about London.  I guess the morals of the story are:  for every study claiming fact x, there will be one claiming fact y and that the internet is as dangerous a place for the vituous as it is for the naughty.  Have you updated your antivirus and plugins lately?

Watch where you stick your thumb (drive)

From Risky.Biz… Customers at some convenience stores got a bit more than they bargained for when they used photo printing kiosks.  It seems that some kiosks at “Big W” stores run Windows.  And they don’t run anti virus.  And everyone and their brother brings their USB sticks (some infected with virii) to the stores to print.  You can see where this is going… the infected Fuji kiosks have been dispensing viruses to the USB sticks of customers.   The company is aware of the issue and is “currently testing” installing anti virus on the kiosks.  Hel-ll0 – the 1980s called and asked for their security policy back!

If you are partaking of the photo printing goodness of any of such kiosks, or sticking your USB drive into strange ports (I don’t judge…), make sure that you are running the very latest anti malware software on any of your own computers where you use said storage peripheral.

Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil.   The Brazilian police seized 500 TrueCrypt protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes.  In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success.  They then turned to the US FBI, who ran dictionary attacks against the encryption for another year.  No joy.  As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information.  First, choosing a strong (long non dictionary word with special characters, numbers and the like) password is still an integral part of good basic meat and potatos security practice.  Second, if the FBI is unable to crack a TrueCrypt protected drive without the user having chosen a boneheaded password, it seems like the program  is a good and cost effective choice for protecting personal data as well as in small business environments.  The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepeneurial crypto programmer.

The new settings default to sharing quite a bit of information – you may be (unpleasantly) surprised about what Facebook is telling the world about you.

This website provides a browser bookmarklet which will scan your privacy settings and let you know what you might want to change.   Take five minutes to protect your online privacy…

- Posted using BlogPress from my iPad

Data protection... Massachusetts style

Now I have two things which I really like about Massachussets – The Friendly Toast in Cambridge (mmm… Caribbean waffles) and their new data protection law.  As of March 1, any organization which holds personnally identifiable information (PII) about residents of the Commonwealth must attest that they have a written information security plan designed to protect that information.  And that PII maust be encrypted both when it travels over the wire and when it is stored in systems.  Penalties for violation are quite hefty – $5,000 per violation and per record lost.

The law also requires businesses handling MA residents’ PII to take a number of steps that they should already be doing – having someone responsible for the infosec program, identifying risks, training personnel, preventing terminated employees from accessing the PII, secure authentication and the like.    You can read the entire text of the law here…

It is about time and I hope that other states (and the federal government – call me a socialist) follow Massachusetts’ lead.  Requiring businesses to take some very basic and inexpensive steps to protect our information from unauthorized access is quite reasonable.    It seems to me that complying with the encryption requirements can be accomplished via an SSL cert, laptop encryption software (such as BitLocker, included with Windows 7 or FileVault on Macs), and use of database encryption features are just common sense, as is having an information security plan.

Bravo, MA!