Jul 14
Oh hai!  We're in ur companies steeling ur sekretz

The Russian spy ring seems to be the gift that just keeps on giving in terms of blog fuel.

First… if this story is to be believed, one of the spies set himself up as a consultant, talking to companies about their plans for a post oil economy (a subject of interest to fossil fuel producers such as Russia) and pitching a software package to help companies model the effects of future events on their businesses.  Since this software would be installed on customer networks, it could be used as a vector to plant spyware on clients’ computers.

Another report reveals that a Russian man who may be linked to the spy ring and who was recently deported had worked at Microsoft as a software tester both as an intern and as a full time employee.  He worked in Redmond for less than a year, and Microsoft claims that no software was compromised.  Hmmm.  I hope the boys and girls are putting in some serious overtime looking at what this guy had access to.

If true, these stories point to a new face of state sponsored espionage – one focused on the private sector, which is much less prepared to protect the secrets which are important to their business as well as to the critical infrastructure.  Another good reason for security folks to join their local InfraGard chapter and learn more about protecting their businesses (and their country) against corporate espionage.

Jul 10

lock up those bits!

Interested in Enterprise Rights Management?  In the New York City metro area?  Free on July 14th?   New York Metro InfraGard is putting on an ERM seminar which looks really worthwhile.  I think that ERM is going to be a key tool for security professionals over the next year or two as new mobile devices, as well as devices owned by employees and business partners become more and more integrated with our businesses.  I’m planning to be there and look forward to meeting some readers!

Jul 08

Wanna be friends?

You can never have too many friends – or CAN you?  (Hint: you can).   A recent social engineering experiment conducted by Thomas Martin of Provide Security showed the dangers of blindly accepting connection requests from people on social networks.  Martin set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles.  “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words).  The result?  In an interview with CSO Magazine, he stated that:

By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.

More alarmingly, according to an article from DarkReading,

Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

Can you spell “bad operational security?”

Martin will be revealing all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – should be quite entertaining for most and deeply embarrassing for a few.

There are some lessons to be learned from this incident for those of us who are not part of the military:

If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as your organization (in the case of professional networking sites like LinkedIn)

Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization.  Trust me – I have seen this happen.  You know who you are.

Review the privacy settings for your social networking accounts and be sure that you are aware of and comfortable with the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and LinkedIn are rather complex.  I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info.  For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.

And Robin Sage ain’t your friend.

PS – “Robin Sage” is the code name for the last training exercise that Army Rangers must complete before they are truly “Green Berets” – and none of the military folks (including at least one Ranger) caught on.  Sigh…

Jul 05

Did they have it all wrong?

A few weeks back, I blogged about some research on the economics and potential malware risks posed by Internet pornography.  Well, a *new* study from Avast Software finds that non-pornographic sites serving up malware outnumber pornographic sites serving malware by a factor of almost 100 to one.  Furthermore, Avast contends that there are more malware-infected domains containing the word “London” than there are containing the word “sex.”  Not sure what this says about London.  I guess the morals of the story are: for every study claiming fact x, there will be one claiming fact y, and the internet is as dangerous a place for the virtuous as it is for the naughty.  Have you updated your antivirus and plugins lately?

Jul 05

Watch where you stick your thumb (drive)

From Risky.Biz… Customers at some convenience stores got a bit more than they bargained for when they used photo printing kiosks.  It seems that some kiosks at “Big W” stores run Windows.  And they don’t run antivirus.  And everyone and their brother brings their USB sticks (some infected with virii) to the stores to print.  You can see where this is going… the infected Fuji kiosks have been dispensing viruses to the USB sticks of customers.   The company is aware of the issue and is “currently testing” installing antivirus on the kiosks.  Hel-llo – the 1980s called and asked for their security policy back!

If you are partaking of the photo printing goodness of any of such kiosks, or sticking your USB drive into strange ports (I don’t judge…), make sure that you are running the very latest anti malware software on any of your own computers where you use said storage peripheral.

Jun 30

Daniel Dantas did...

Looks like open source disk encryption software TrueCrypt has shown its mettle in a cybercrime case out of Brazil.   The Brazilian police seized 500 TrueCrypt protected drives from the apartment of Daniel Dantas, a Rio banker accused of financial crimes.  In Brazil, there is no law compelling defendants to reveal passwords to encrypted evidence, so the Brazilian crime lab attempted to break the encryption for five months with no success.  They then turned to the US FBI, who ran dictionary attacks against the encryption for another year.  No joy.  As a result of the banker’s good password practices, the 500 drives with potential evidence were reduced to really ugly paperweights.

While this was a loss for the good guys, it does provide security professionals with some valuable information.  First, choosing a strong password (long, not a dictionary word, with special characters, numbers and the like) is still an integral part of good basic meat-and-potatoes security practice.  Second, if the FBI is unable to crack a TrueCrypt protected drive when the user has not chosen a boneheaded password, it seems like the program is a good and cost effective choice for protecting personal data as well as in small business environments.  The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepreneurial crypto programmer.

May 20

Now that Facebook has made their privacy settings just a bit less complex than, say, the US Tax Code or particle physics, now would be a really good time to check your privacy settings and make sure that you are not sharing more personal information with the world (or at least to the Internet connected portion thereof)  than you intended to.

The new settings default to sharing quite a bit of information – you may be (unpleasantly) surprised about what Facebook is telling the world about you.

This website provides a browser bookmarklet which will scan your privacy settings and let you know what you might want to change.   Take five minutes to protect your online privacy…

May 13

We security professionals tend to underestimate our own vulnerability to threats like phishing. Here is a really good article by Cory Doctorow, who is most definitely not an Internet novice, explaining how all of the wrong stars came into alignment to make him fall for a phishing attempt. Worth reading, especially if you think you are “smart enough” to recognize and avoid phishers’ bait.

- Posted using BlogPress from my iPad

May 02

Data protection... Massachusetts style

Now I have two things which I really like about Massachusetts – The Friendly Toast in Cambridge (mmm… Caribbean waffles) and their new data protection law.  As of March 1, any organization which holds personally identifiable information (PII) about residents of the Commonwealth must attest that they have a written information security plan designed to protect that information.  And that PII must be encrypted both when it travels over the wire and when it is stored in systems.  Penalties for violation are quite hefty – $5,000 per violation and per record lost.

The law also requires businesses handling MA residents’ PII to take a number of steps that they should already be doing – having someone responsible for the infosec program, identifying risks, training personnel, preventing terminated employees from accessing the PII, secure authentication and the like.    You can read the entire text of the law here…

It is about time and I hope that other states (and the federal government – call me a socialist) follow Massachusetts’ lead.  Requiring businesses to take some very basic and inexpensive steps to protect our information from unauthorized access is quite reasonable.    It seems to me that complying with the encryption requirements can be accomplished via an SSL cert, laptop encryption software (such as BitLocker, included with Windows 7, or FileVault on Macs) and the encryption features built into databases; these are just common sense, as is having an information security plan.

Bravo, MA!

Apr 23

Public enemy #1?

Stories of data breaches have become annoyingly normal, so when Affinity Health Plans announced the accidental disclosure of personal information on over 400,000 employees, former employees, customers, applicants and business partners, most security folk just sighed, thanked their lucky stars that they didn’t work for that particular company and moved on. However, this breach was different than many of the other data losses that have been in the news recently.

Unlike your standard lost or stolen laptop or misplaced USB thumb drive, this breach resulted from the return of a leased multifunction copier to its owner. Like most business copiers, this one had a hard drive on which copies of documents copied, faxed or scanned were retained. When the copier was returned to the leasing company, Affinity failed to scrub the hard drive of this stored information, which “may have included Social Security Numbers, dates of birth and medical information,” according to a company press release.

The actual risk to the people whose information was found on this particular copier is actually quite small; the documents were found on one of four copiers purchased by a CBS News investigation team in NJ.  The other three copiers’ hard drives contained data from the Buffalo, NY Police Department (Narcotics and Sex Crimes related documents) and a construction company (building plans, checks, pay stubs and employee info).  However, the records described in this disclosure represent only a tiny fraction of the sensitive information routinely disposed of without proper security measures when copiers are sold or returned to lessors.

Affinity (and I would assume the other organizations whose data was found) have started taking corrective actions, such as inventorying its copiers to identify those with onboard storage, finding any other copiers which may have been returned to vendors recently, and making arrangements to ensure that devices are scrubbed before they are returned to vendors.

These types of data breaches are eminently avoidable; manufacturers of multifunction devices such as Xerox and Sharp provide security software for their products which implements encryption and secure deletion of stored documents.  By making sure that your devices come with these features and properly configuring them, you can plug this potentially damaging and embarrassing hole in your information security defenses.

So, what are the takeaways for security professionals?

First, take a look at your existing multifunction copiers and make sure that they are equipped with the manufacturer’s security software and that the security features are properly configured and active.

Next, make sure that your organization’s specifications for the purchase or lease of copier/scanner/printer devices require security features such as encryption of stored information as well as the ability to securely erase all information from the hard drive.

Then, make sure that the configuration process for new multifunction copiers includes setting the security options properly.

Now, add these devices to the list of things with blinking lights that are examined during security assessments.  While you are at it, remember that these devices have network interfaces as well as upgradable software which could have vulnerabilities.  Are you patching your multifunction devices?

Finally, have a process for decommissioning multifunction devices which includes wiping all data from them before they are returned to lessors, sold, donated or recycled.

As the non-computer devices in our offices and homes get more intelligent, they also become more interesting to attackers.  If you are an infosec professional, they should be more interesting to you too – before your organization makes the news.
