Jul 05

Watch where you stick your thumb (drive)

From Risky.Biz… Customers at some convenience stores got a bit more than they bargained for when they used photo printing kiosks. It seems that some kiosks at “Big W” stores run Windows. And they don’t run anti-virus. And everyone and their brother brings their USB sticks (some infected with virii) to the stores to print. You can see where this is going… the infected Fuji kiosks have been dispensing viruses to the USB sticks of customers. The company is aware of the issue and is “currently testing” installing anti-virus on the kiosks. Hel-llo – the 1980s called and asked for their security policy back!

If you are partaking of the photo printing goodness of any such kiosk, or sticking your USB drive into strange ports (I don’t judge…), make sure that you are running the very latest anti-malware software on any of your own computers where you use said storage peripheral.

Jun 30

Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil. The Brazilian police seized 500 TrueCrypt-protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes. In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success. They then turned to the US FBI, who ran dictionary attacks against the encryption for another year. No joy. As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information. First, choosing a strong password (a long non-dictionary word with special characters, numbers and the like) is still an integral part of good basic meat-and-potatoes security practice. Second, if the FBI is unable to crack a TrueCrypt-protected drive unless the user has chosen a boneheaded password, it seems like the program is a good and cost-effective choice for protecting personal data as well as in small business environments. The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepreneurial crypto programmer.

May 20

Now that Facebook has made their privacy settings just a bit less complex than, say, the US Tax Code or particle physics, this would be a really good time to check your privacy settings and make sure that you are not sharing more personal information with the world (or at least the Internet-connected portion thereof) than you intended to.

The new settings default to sharing quite a bit of information – you may be (unpleasantly) surprised about what Facebook is telling the world about you.

This website provides a browser bookmarklet which will scan your privacy settings and let you know what you might want to change.   Take five minutes to protect your online privacy…

May 13

We security professionals tend to underestimate our own vulnerability to threats like phishing. Here is a really good article by Cory Doctorow, who is most definitely not an Internet novice, explaining how all of the wrong stars came into alignment to make him fall for a phishing attempt. Worth reading, especially if you think you are “smart enough” to recognize and avoid phishers’ bait.

- Posted using BlogPress from my iPad

May 02

Data protection... Massachusetts style

Now I have two things which I really like about Massachusetts – The Friendly Toast in Cambridge (mmm… Caribbean waffles) and their new data protection law. As of March 1, any organization which holds personally identifiable information (PII) about residents of the Commonwealth must attest that they have a written information security plan designed to protect that information. And that PII must be encrypted both when it travels over the wire and when it is stored in systems. Penalties for violation are quite hefty – $5,000 per violation and per record lost.

The law also requires businesses handling MA residents’ PII to take a number of steps that they should already be doing – having someone responsible for the infosec program, identifying risks, training personnel, preventing terminated employees from accessing the PII, secure authentication and the like. You can read the entire text of the law here…

It is about time, and I hope that other states (and the federal government – call me a socialist) follow Massachusetts’ lead. Requiring businesses to take some very basic and inexpensive steps to protect our information from unauthorized access is quite reasonable. It seems to me that complying with the encryption requirements can be accomplished via an SSL cert, laptop encryption software (such as BitLocker, included with Windows 7, or FileVault on Macs), and use of database encryption features; these are just common sense, as is having an information security plan.

Bravo, MA!

Apr 23

Public enemy #1?

Stories of data breaches have become annoyingly normal, so when Affinity Health Plans announced the accidental disclosure of personal information on over 400,000 employees, former employees, customers, applicants and business partners, most security folk just sighed, thanked their lucky stars that they didn’t work for that particular company and moved on. However, this breach was different from many of the other data losses that have been in the news recently.

Unlike your standard lost or stolen laptop or misplaced USB thumb drive, this breach resulted from the return of a leased multifunction copier to its owner. Like most business copiers, this one had a hard drive on which copies of documents copied, faxed or scanned were retained. When the copier was returned to the leasing company, Affinity failed to scrub the hard drive of this stored information, which “may have included Social Security Numbers, dates of birth and medical information,” according to a company press release.

The actual risk to the people whose information was found on this particular copier is quite small; the documents were found on one of four copiers purchased by a CBS News investigation team in NJ. The other three copiers’ hard drives contained data from the Buffalo, NY Police Department (Narcotics and Sex Crimes related documents) and a construction company (building plans, checks, pay stubs and employee info). However, the records described in this disclosure represent only a tiny fraction of the sensitive information routinely disposed of without proper security measures when copiers are sold or returned to lessors.

Affinity (and, I would assume, the other organizations whose data was found) has started taking corrective actions, such as inventorying its copiers to identify those with onboard storage, finding any other copiers which may have been returned to vendors recently, and making arrangements to ensure that devices are scrubbed before they are returned to vendors.

These types of data breaches are eminently avoidable: manufacturers of multifunction devices such as Xerox and Sharp provide security software for their products which implements encryption and secure deletion of stored documents. By making sure that your devices come with these features and properly configuring them, you can plug this potentially damaging and embarrassing hole in your information security defenses.

So, what are the takeaways for security professionals?

First, take a look at your existing multifunction copiers and make sure that they are equipped with the manufacturer’s security software and that the security features are properly configured and active.

Next, make sure that your organization’s specifications for the purchase or lease of copier/scanner/printer devices require security features such as encryption of stored information as well as the ability to securely erase all information from the hard drive.

Then, make sure that the configuration process for new multifunction copiers includes setting the security options properly.

Now, add these devices to the list of things with blinking lights that are examined during security assessments. While you are at it, remember that these devices have network interfaces as well as upgradable software which could have vulnerabilities. Are you patching your multifunction devices?

Finally, have a process for decommissioning multifunction devices which includes wiping all data from them before they are returned to lessors, sold, donated or recycled.

As the non-computer devices in our offices and homes get more intelligent, they also become more interesting to attackers. If you are an infosec professional, they should be even more interesting to you – before your organization makes the news.

Apr 18

One of my responsibilities at work is to make sure that our employees are safe while traveling. Until today, this week’s Icelandic volcanic eruption was a no-brainer… flights in the affected area were cancelled for safety reasons. Now, the airlines and the EU have been performing test flights to see if it is possible to restart flights in Northern Europe in spite of the continuing eruption. KLM flew a plane (with no passengers on board) from Duesseldorf to Amsterdam on Saturday without incident, although at lower altitude than normal. Similar flights by BA, LH and AF also landed without incident. Given the magnitude of the economic losses and travel chaos being caused by the cessation of air traffic, I can understand why folks are anxious to get planes back into the air. However, not everyone is a fan of this plan… the Finnish air force ran their own tests using F-18 fighters and concluded that even short-term exposure to the ash cloud caused damage to the planes’ engines. And tests run by NASA showed that even very thin clouds of ash could significantly damage jet engines.

So… what if the EU decides to reopen Northern Europe’s airspace? What travel advice do I provide to my colleagues? Should people currently stuck waiting for flights to or from the region take one of the first flights? Personally, I would not be ready to get on a flight to LHR today if the airspace were to reopen whilst Eyjafjallajökull is still being uppity. And I would be hesitant to get on a plane which had flown through the ash for some time after the eruption ceases, since damage to engines may manifest itself over time. For now, the airways are still closed, so this is a hypothetical question. But if the EU and airlines decide that the risks are acceptable, people are going to want to get home or make trips for business. Coming up with a travel policy which balances risk with the need to conduct business is going to be a challenge – especially if this eruption continues for a long period of time or if it is a precursor to a much larger volcanic event. Stay tuned…

Apr 17

Look into my eyes... to see if I am telling the truth

It seems that scientists found some evidence for the proverb “The eyes are the windows of the soul.”

In experiments conducted by researchers at University College London, 11 volunteers were asked to answer a variety of personal questions with some truthful answers and some lies. While they were interviewed, the volunteers wore special eye-tracking glasses which recorded their blink rate, where they were looking and for how long, and the sizes of their pupils. The scientists then created videos of computer-generated avatars speaking the answers given. In half of the videos, the avatars’ eyes were fixed on the listener. In the other videos, the avatars’ eyes moved and reacted using the data from the eye-tracking glasses.

The result? Of the 27 people shown the videos, 88% were able to identify truthful statements when eye movement was present, as opposed to a 70% detection rate when the avatars’ eyes were fixed. When asked to identify untrue statements, 48% of viewers had success when eye movement was present versus 39% when the avatars’ eyes were fixed.

While the researchers are not sure how the eye movements helped viewers in telling truth from lie, they did note that truth-tellers tended to hold the interviewer’s gaze for longer than fibbers and that the speaker’s pupils dilated more when they were prevaricating. The pupil response may be linked to the increased cognitive load needed to tell a lie.

The researchers state that their work could be helpful in making virtual worlds such as Second Life more useful for interactions like business meetings, where a level of trust between participants is required. My takeaway, of course, is that a cyber-savvy virtual con man could make use of faked avatar eye movements to gain his cyber victims’ trust. Back here in the real world, when the used car salesman tells you that the little beauty you are looking at was only driven by a little old lady to church on Sundays, watch those pupils!

Apr 07

the maley affair take two

By alberg (CSO, best practices)

So after meeting Bob Maley, the former CISO of the Commonwealth of Pennsylvania, at this week’s CSO Perspectives conference in Santa Clara, CA, I am having some second thoughts about my earlier posting regarding his firing. While I still feel that the Commonwealth was technically within its rights in firing him, it seems to me that the people of Pennsylvania were done a disservice by the Commonwealth’s actions. Bob seems very passionate about the responsibilities of stewardship of citizens’ information and it sounds like he implemented a number of impressive initiatives to better protect that data. Yes, he did speak at RSA in spite of being told not to, but it seems to me that his heart was in the right place and that he took a calculated risk in order to highlight the need for application security in e-government. There also seems to be a political element to all of this (transition of administration stuff) as well. In the end, after meeting the guy, I came away impressed that he was willing to gamble his job (and lose that gamble with grace) in an effort to make e-gov initiatives safer for us all.

The nice folks at CSO Magazine published a good article on the topic… read it and decide for yourself.

Apr 06

of notebooks and ipads

By alberg (CSO, best practices)

Disclaimer to those of you reading this at my place of employment:  Nothing in this post indicates a change to any existing corporate infosec policies… it is simply my first step in trying to figure out how to deal with those meddling kids and their durn iPads!

Just about everyone at my workplace carries around a notebook (of the dead-tree variety) to take notes during meetings.  I’m sure that in the wrong hands, access to said notes could reveal information about the company that would better be left unrevealed to those outside our little commercial cabal.  However, I have not (and would not, for fear of snickering) sent out an email warning employees not to use unauthorized paper based storage devices in the course of their work.  As much as I would love to have a data leakage protection client (in this case, a security guy reading everything written in said notebooks as it is written and tearing out offending pages) and remote data destruction capabilities (security guy who sets notebook on fire if it is stolen), both the company and the employee might have some legitimate concerns about such an arrangement.

Which brings me to the iPad. I have been using my shiny new iPad for the past few days to take notes at the CSO Perspectives 2010 conference and have come to the conclusion that it is a great device for the consumption of media as well as a great note-taking tool. Which begs the question: How are notes taken on an electronic device (iPad, non-company phone, non-company laptop) different from those ensconced in dead-tree notebooks?

In some ways, a properly configured electronic device (one with a password required for access) seems to be a more secure note-taking device than the trusty Moleskine. Should a nefarious person acquire my Moleskine, the only barriers between them and any juicy secrets contained therein are my atrocious handwriting and my use of eccentric and non-standard abbreviations. Should the same evildoer swipe my spiffy new iPad, they would get 10 tries to guess my device passcode, after which all data on the device would be erased. Now, the passcode is only a 4-digit number, but the odds are that it would take more than 10 guesses for our evildoer to come up with the code.

Add the cloud, in the form of Evernote and other such services, and the issue gets a bit more complicated. Evernote has a great iPad app which allows you to take written and audio notes on the iPad, attach files to those notes and sync them with servers somewhere in the cloud. I love Evernote for personal stuff – it allows me to access notes from multiple devices and serves as an upgrade to my meatware memory. Of course, as a security professional, I know better than to save anything work-related in my Evernote account. The web-based Evernote client means that our hypothetical evildoer could access all of my notes (and search for the good stuff) if they could guess my password. I am not so sure that all of my colleagues would make the same risk/benefit calculation that I have.

So, as a paper notebook replacement, the iPad seems to provide a reasonably secure place to take and keep personal notes if it is properly configured with a reasonable passcode and data erasure feature. It is important to understand that the protection provided by this configuration is not absolute… a variety of tools exist for the iPhone/iPad platform to extract data from these devices sans passcode, so a determined attacker will be able to get at your notes. My plan for the iPad as a notebook replacement?

  • Configure a passcode and data delete policy as well as auto-locking of the device.
  • Use the device only for notes that I would be comfortable having written in my old Moleskine.
  • Be aware that the security of notes in the cloud is outside of my control, and do not entrust corporate info to cloud services.
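The two password stories on this page (the TrueCrypt drives that survived a year of dictionary attacks, and the 4-digit iPad passcode that wipes the device after 10 tries) come down to the same arithmetic: how much of the candidate space an attacker can cover with the guesses available to them. The following is an added example, not code from the original posts; the dictionary size, guess rates and the 12-character sample password are assumptions chosen to illustrate the point, and the calculation is the general one, so it applies to any password policy and lockout budget.

```python
"""Attack-budget arithmetic for guessing passwords and passcodes (added example)."""
import string

SECONDS_PER_YEAR = 365 * 86400


def search_space(charset_size: int, length: int) -> int:
    """Number of candidates when every symbol is drawn from a pool of charset_size."""
    return charset_size ** length


def charset_size_for(password: str) -> int:
    """Size of the smallest standard pool (lower, upper, digits, symbols) covering the password."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    return sum(len(pool) for pool in pools if any(c in pool for c in password))


def success_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly chosen secret (capped at 1.0).

    This is the online case: a lockout or wipe after N failures fixes `attempts` at N."""
    return min(1.0, attempts / space)


def fraction_covered(space: int, guesses_per_second: float, seconds: float) -> float:
    """Share of the candidate space an offline attacker can try in the given time (capped at 1.0)."""
    return min(1.0, guesses_per_second * seconds / space)


if __name__ == "__main__":
    # Assumed offline attacker: 1,000 guesses/s against a slow key derivation, for one year.
    rate, budget = 1_000.0, SECONDS_PER_YEAR

    # Dictionary attack: assumed 1,000,000 words times 1,000 mangling rules per word.
    dictionary_space = 1_000_000 * 1_000
    print(f"dictionary word, one year: {fraction_covered(dictionary_space, rate, budget):.0%} covered")

    # Long non-dictionary password with mixed character classes (sample value is constructed).
    sample = "Tr0ub4dor&3xY"  # 13 symbols, all four pools present
    strong_space = search_space(charset_size_for(sample), len(sample))
    print(f"{len(sample)}-char mixed password, one year: {fraction_covered(strong_space, rate, budget):.2e} covered")

    # Online guessing against a 4-digit passcode that wipes the device after 10 failures.
    pin_space = search_space(10, 4)
    print(f"4-digit PIN, 10 tries before wipe: {success_probability(pin_space, 10):.1%} chance of success")
```

The wipe policy only bounds the online case; as the post notes, an attacker who extracts data without entering the passcode is in the offline column, where a 4-digit space is exhausted instantly.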

Next step… how to communicate this use case to business people whose main focus is doing business… I feel another blog entry coming on here… but my next iPad piece will focus on another aspect of the device – as a way to carry around (and share) content.  Stay tuned.
