May 13

We security professionals tend to underestimate our own vulnerability to threats like phishing. Here is a really good article by Cory Doctorow, who is most definitely not an Internet novice explaining how all of the wrong stars came into alignment to make him fall for a phishing attempt. Worth reading, especially if you think you are “smart enough” to recognize and avoid phishers’ bait.

- Posted using BlogPress from my iPad

May 02

Data protection... Massachusetts style

Now I have two things which I really like about Massachusetts – The Friendly Toast in Cambridge (mmm… Caribbean waffles) and their new data protection law.  As of March 1, any organization which holds personally identifiable information (PII) about residents of the Commonwealth must attest that they have a written information security plan designed to protect that information.  And that PII must be encrypted both when it travels over the wire and when it is stored in systems.  Penalties for violation are quite hefty – $5,000 per violation and per record lost.

The law also requires businesses handling MA residents’ PII to take a number of steps that they should already be doing – having someone responsible for the infosec program, identifying risks, training personnel, preventing terminated employees from accessing the PII, secure authentication and the like.    You can read the entire text of the law here…

It is about time and I hope that other states (and the federal government – call me a socialist) follow Massachusetts’ lead.  Requiring businesses to take some very basic and inexpensive steps to protect our information from unauthorized access is quite reasonable.  It seems to me that complying with the encryption requirements can be accomplished via an SSL cert, laptop encryption software (such as BitLocker, included with Windows 7, or FileVault on Macs), and use of database encryption features; these are just common sense, as is having an information security plan.

Bravo, MA!

Apr 23

Public enemy #1?

Stories of data breaches have become annoyingly normal, so when Affinity Health Plans announced the accidental disclosure of personal information on over 400,000 employees, former employees, customers, applicants and business partners, most security folk just sighed, thanked their lucky stars that they didn’t work for that particular company and moved on. However, this breach was different than many of the other data losses that have been in the news recently.

Unlike your standard lost or stolen laptop or misplaced USB thumb drive, this breach resulted from the return of a leased multifunction copier to its owner. Like most business copiers, this one had a hard drive on which copies of documents copied, faxed or scanned were retained. When the copier was returned to the leasing company, Affinity failed to scrub the hard drive of this stored information, which “may have included Social Security Numbers, dates of birth and medical information,” according to a company press release.

The actual risk to the people whose information was found on this particular copier is actually quite small; the documents were found on one of four copiers purchased by a CBS News investigation team in NJ.  The other three copiers’ hard drives contained data from the Buffalo, NY Police Department (Narcotics and Sex Crimes related documents) and a construction company (building plans, checks, pay stubs and employee info).  However, the records described in this disclosure represent only a tiny fraction of the sensitive information routinely disposed of without proper security measures when copiers are sold or returned to lessors.

Affinity (and I would assume the other organizations whose data was found) have started taking corrective actions, such as inventorying its copiers to identify those with onboard storage, finding any other copiers which may have been returned to vendors recently, and making arrangements to ensure that devices are scrubbed before they are returned to vendors.

These types of data breaches are eminently avoidable; manufacturers of multifunction devices such as Xerox and Sharp provide security software for their products which implements encryption and secure deletion of stored documents.  By making sure that your devices come with these features and properly configuring them, you can plug this potentially damaging and embarrassing hole in your information security defenses.

So, what are the takeaways for security professionals?

First, take a look at your existing multifunction copiers and make sure that they are equipped with the manufacturer’s security software and that the security features are properly configured and active.

Next, make sure that your organization’s specifications for the purchase or lease of copier/scanner/printer devices require security features such as encryption of stored information as well as the ability to securely erase all information from the hard drive.

Then, make sure that the configuration process for new multifunction copiers includes setting the security options properly.

Now, add these devices to the list of things with blinking lights that are examined during security assessments.  While you are at it, remember that these devices have network interfaces as well as upgradable software which could have vulnerabilities.  Are you patching your multifunction devices?

Finally, have a process for decommissioning multifunction devices which includes wiping all data from them before they are returned to lessors, sold, donated or recycled.

As the non-computer devices in our offices and homes get more intelligent, they also become more interesting to attackers.  If you are an infosec professional, they should be more interesting to you, too – before your organization makes the news.

Apr 18

One of my responsibilities at work is to make sure that our employees are safe while traveling.  Until today, this week’s Icelandic volcanic eruption was a no brainer… flights in the affected area were cancelled for safety reasons.  Now, the airlines and the EU have been performing test flights to see if it is possible to restart flights in Northern Europe in spite of the continuing eruption.  KLM flew a plane (with no passengers on board) from Duesseldorf to Amsterdam on Saturday without incident, although at lower altitude than normal.  Similar flights by BA, LH and AF also landed without incident.  Given the magnitude of the economic losses and travel chaos being caused by the cessation of air traffic, I can understand why folks are anxious to get planes back into the air.  However, not everyone is a fan of this plan… the Finnish airforce ran their own tests using F-18 fighters and concluded that even short term exposure to the ash cloud caused damage to the planes’ engines.  And tests run by NASA showed that even very thin clouds of ash could significantly damage jet engines.

So… what if the EU decides to reopen Northern Europe’s airspace?  What travel advice do I provide to my colleagues?  Should people currently stuck waiting for flights to or from the region take one of the first flights?  Personally, I would not be ready to get on a flight to LHR today if the air space were to reopen whilst Eyjafjallajökull is still being uppity.  And I would be hesitant to get on a plane which had flown through the ash for some time after the eruption ceases, since damage to engines may manifest itself over time.  For now, the airways are still closed, so this is a hypothetical question.  But if the EU and airlines decide that the risks are acceptable, people are going to want to get home or make trips for business.  Coming up with a travel policy which balances risk with the need to conduct business is going to be a challenge – especially if this eruption continues for a long period of time or if it is a precursor to a much larger volcanic event.  Stay tuned…

Apr 17

Look into my eyes... to see if I am telling the truth

It seems that scientists found some evidence for the proverb “The eyes are the windows of the soul.”

In experiments conducted by researchers at University College London, 11 volunteers were asked to answer a variety of personal questions with some truthful answers and some lies. While they were interviewed, the volunteers wore special eye tracking glasses which recorded their blink rate, where they were looking and for how long, and the sizes of their pupils. The scientists then created videos of computer generated avatars speaking the answers given. In half of the videos, the avatars’ eyes were fixed on the listener. In the other videos, the avatars’ eyes moved and reacted using the data from the eye tracking glasses.

The result? Of the 27 people shown the videos, 88% were able to identify truthful statements when eye movement was present, as opposed to a 70% detection rate when the avatars’ eyes were fixed. When asked to identify untrue statements, 48% of viewers had success when eye movement was present versus 39% when the avatars’ eyes were fixed.

While the researchers are not sure how the eye movements helped viewers in telling truth from lie, they did note that truth-tellers tended to hold the interviewer’s gaze for longer than fibbers and that the speaker’s pupils dilated more when they were prevaricating. The pupil response may be linked to the increased cognitive load needed to tell a lie.

The researchers state that their work could be helpful in making virtual worlds such as Second Life more useful for interactions like business meetings, where a level of trust between participants is required. My takeaway, of course, is that a cyber savvy virtual con man could make use of faked avatar eye movements to gain his cyber victims’ trust. Back here in the real world, when the used car salesman tells you that the little beauty you are looking at was only driven by a little old lady to church on Sundays, watch those pupils!

Apr 07

the maley affair take two

By alberg (best practices, CSO)

So after meeting Bob Maley, the former CISO of the Commonwealth of Pennsylvania, at this week’s CSO Perspectives conference in Santa Clara, CA, I am having some second thoughts about my earlier posting regarding his firing.  While I still feel that the Commonwealth was technically within its rights in firing him, it seems to me that the people of Pennsylvania were done a disservice by the Commonwealth’s actions. Bob seems very passionate about the responsibilities of stewardship of citizens’ information and it sounds like he implemented a number of impressive initiatives to better protect that data.  Yes, he did speak at RSA in spite of being told not to, but it seems to me that his heart was in the right place and that he took a calculated risk in order to highlight the need for application security in e-government.  There also seems to be a political element to all of this (transition of administration stuff) as well.  In the end, after meeting the guy, I came away impressed that he was willing to gamble his job (and lose that gamble with grace) in an effort to make e-gov initiatives safer for us all.

The nice folks at CSO Magazine published a good article on the topic… read it and decide for yourself.

Apr 06

of notebooks and ipads

By alberg (best practices, CSO)

Disclaimer to those of you reading this at my place of employment:  Nothing in this post indicates a change to any existing corporate infosec policies… it is simply my first step in trying to figure out how to deal with those meddling kids and their durn iPads!

Just about everyone at my workplace carries around a notebook (of the dead-tree variety) to take notes during meetings.  I’m sure that in the wrong hands, access to said notes could reveal information about the company that would better be left unrevealed to those outside our little commercial cabal.  However, I have not (and would not, for fear of snickering) sent out an email warning employees not to use unauthorized paper based storage devices in the course of their work.  As much as I would love to have a data leakage protection client (in this case, a security guy reading everything written in said notebooks as it is written and tearing out offending pages) and remote data destruction capabilities (security guy who sets notebook on fire if it is stolen), both the company and the employee might have some legitimate concerns about such an arrangement.

Which brings me to the iPad.  I have been using my shiny new iPad for the past few days to take notes at the CSO Perspectives 2010 conference and have come to the conclusion that it is a great device for the consumption of media as well as a great note taking tool.  Which begs the question:  How are notes taken on an electronic device (iPad, non company phone, non company laptop) different than those ensconced in dead-tree notebooks?

In some ways, a properly configured electronic device (one with a password required for access) seems to be a more secure note taking device than the trusty Moleskine.  Should a nefarious person acquire my Moleskine, the only barriers between them and any juicy secrets contained therein are my atrocious handwriting and my use of eccentric and non standard abbreviations.  Should the same evildoer swipe my spiffy new iPad, they would get 10 tries to guess my device passcode, after which all data on the device would be erased.  Now, the passcode is only a 4 digit number, but the odds are that it would take more than 10 guesses for our evildoer to come up with the code.

Add the cloud, in the form of Evernote and other such services, and the issue gets a bit more complicated.  Evernote has a great iPad app which allows you to take written and audio notes on the iPad, attach files to those notes and sync them with servers somewhere in the cloud.  I love Evernote for personal stuff – it allows me to access notes from multiple devices and serves as an upgrade to my meatware memory.  Of course, as a security professional, I know better than to save anything work related in my Evernote account.  The web based Evernote client means that our hypothetical evildoer could access all of my notes (and search for the good stuff) if they could guess my password.  I am not so sure that all of my colleagues would make the same risk/benefit calculation that I have.

So, as a paper notebook replacement, iPad seems to provide a reasonably secure place to take and keep personal notes if it is properly configured with a reasonable passcode and data erasure feature.  It is important to understand that the protection provided by this configuration is not absolute… a variety of tools exist for the iPhone/iPad platform to extract data from these devices sans passcode, so a determined attacker will be able to get at your notes.    My plan for the iPad as a notebook replacement?

  • Configure a passcode and data delete policy as well as auto locking of the device.
  • Use the device only for notes that I would be comfortable having written in my old Moleskine.
  • Be aware that the security of notes in the cloud is outside of my control and not entrust corporate info to cloud services.

Next step… how to communicate this use case to business people whose main focus is doing business… I feel another blog entry coming on here… but my next iPad piece will focus on another aspect of the device – as a way to carry around (and share) content.  Stay tuned.

Dec 22
We shall bring the Great Satan to its knees... kill Twitter!  Bwah hah hah!


As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter.  Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.

Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it.  It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the DNS provider that provides the translation from “www.twitter.com” to the numeric IP address of their servers and instructed the DNS servers to send traffic to their server, which hosted their replacement home page.  The attackers used valid credentials, which were probably filched from a compromised email account or document swiped from Twitter servers.  The lesson here?  Guard those user names and passwords and don’t use the same password for all of your accounts!
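The record change described above can be caught on the defender's side by diffing scheduled resolutions against a trusted baseline. This is an added example, not code from the original post or from any DNS provider; the hostnames, addresses and answers are constructed placeholders, and a real deployment would feed `compare_to_baseline` with answers from its own resolver.

```python
# Added example: flag DNS records that no longer match a recorded baseline.
# All names, addresses and answers below are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Answer:
    name: str               # e.g. "www.example.com"
    rtype: str              # "A" or "NS"
    values: FrozenSet[str]  # record data; a set, so answer order is ignored

@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    severity: str
    detail: str

def compare_to_baseline(baseline: List[Answer], observed: List[Answer]) -> List[Finding]:
    """Return one Finding per baseline record whose observed data differs.

    NS changes are rated critical: whoever controls the nameservers can
    rewrite every other record in the zone. A-record changes are high.
    A name that gets no answer at all is medium (outage or zone edit).
    """
    seen: Dict[Tuple[str, str], FrozenSet[str]] = {
        (a.name, a.rtype): a.values for a in observed
    }
    findings: List[Finding] = []
    for b in baseline:
        key = (b.name, b.rtype)
        if key not in seen:
            findings.append(Finding(b.name, b.rtype, "medium", "no answer returned"))
            continue
        added = sorted(seen[key] - b.values)
        removed = sorted(b.values - seen[key])
        if added or removed:
            sev = "critical" if b.rtype == "NS" else "high"
            findings.append(Finding(b.name, b.rtype, sev,
                                    f"added={added} removed={removed}"))
    return findings

# Constructed baseline: what the zone looked like when it was last verified.
BASELINE = [
    Answer("www.example.com", "A", frozenset({"192.0.2.10", "192.0.2.11"})),
    Answer("example.com", "NS", frozenset({"ns1.example.net", "ns2.example.net"})),
]

# Constructed observation simulating a hijack: the A record now points at
# an unrelated address and one nameserver has been swapped out.
HIJACKED = [
    Answer("www.example.com", "A", frozenset({"198.51.100.7"})),
    Answer("example.com", "NS", frozenset({"ns1.example.net", "ns1.attacker.invalid"})),
]

def run_check() -> List[Finding]:
    """Diff the simulated observation against the baseline."""
    return compare_to_baseline(BASELINE, HIJACKED)

if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.severity}] {f.name} {f.rtype}: {f.detail}")
```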

I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible.  However, I have found an answer to this issue… LastPass is a web site and browser add in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome.   When you start your browser, you type in one password to decrypt the password files and you are set to go.   You can use 2 factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.

I have been using LastPass for a while now and have found it to be a breeze to use.  Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.

The main question is… are these guys trustworthy?  My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.

I’m using LastPass, and I’m prettay, prettay paranoid…


Dec 22

OK, before I get started with this blog entry, I want to be up front with you.  I have become a cliché… I am writing this from Starbucks whilst sipping a cafe mocha and leeching off their free ‘lectricity.  I have truly become one of those stereotype bloggers.  Shoot me now.  Anyway, on with the post…

It seems that the German government is getting together with ISPs to set up a help line for citizens whose PCs are infected with malware.  The ISPs will watch network traffic for signs of communications between zombie computers and their evil controllers.  When the ISPs detect malware activity, they will direct users to a website with instructions on getting their computers free of viruses, worms, back doors and the like.  For users who need additional help, 40 government employees will staff a call center dedicated to helping out.  (This truly sounds like a job from hell…).

This is a great idea, which other countries should consider with one twist; vendors such as Microsoft, Apple, Adobe, and the like should be required to kick in some funding for this type of work.  After all, it is their software which opens the doors to cybercriminals and (potentially) cyberterrorists.  Maybe pegging the amount they have to pay to the number of security advisories issued by the CERT about their software would make sense.    It would be pretty easy to gauge the success of this type of an effort by tracking and publishing stats on the numbers of infected machines before and after. As for the cost beyond the vendor kickins, there are a lot of places in the US federal budget to get the money from…

What do you think?

Read more: Germany pays to clean malware from Windows PCs

Nov 21

You know those “private, internal emails” that get sent around within your organization, never meant to be seen by outsiders?  Well, one day, they may in fact be seen – and this is an example of what could happen.

The exposure of what appear to be email messages from the Climate Research Unit of the University of East Anglia show conversations between leading climate change researchers which were obviously not meant for mass distribution.  The messages exposed include:

  • Drafts of scientific papers
  • Unflattering comments about climate change skeptics
  • Discussions in which scientists talk about using “tricks” to deal with statistical inconsistencies in their work.

Of course, the critics of the theory that human activity is changing the climate are having a field day with this:  “‘This is not a smoking gun; this is a mushroom cloud,’ said Patrick J. Michaels, a climatologist who has long faulted evidence pointing to human-driven warming and is criticized in the documents.”   According to the Times article, “The evidence pointing to a growing human contribution to global warming is so widely accepted that the hacked material is unlikely to erode the overall argument. However, the documents will undoubtedly raise questions about the quality of research on some specific questions and the actions of some scientists.”

Whether or not you believe that human activity is messing with the climate, there is a lesson to be learned here.  Unlike the ephemeral casual hallway conversations we have with our coworkers, electronic communications like email, instant messages, and in some cases phone calls leave artifacts which can surface long after they are written and which may, when viewed in isolation, provide a very different picture than what was intended.  And hackers are not the only threat… emails may also be exposed in the course of legal discovery during litigation.  Yikes!

The moral of the story?  When writing an email or IM, you need to think about what message it would give when read by an outsider, out of context, months or even years after the events which prompted it.  Another way that life is getting just a bit more complicated in our modern age…
