Another Internet Explorer Vulnerability (…sigh)

Well, here we are again. A few weeks after Microsoft pushed out a critical patch to all versions of Internet Explorer, Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies, provided details of another attack against the beleaguered browser. This time, an attacker “may be able to access files with an already known file name and location.” If that sounds a bit scary, it should. It falls into a class of attacks called “Local File Disclosure” and can be exploited by sending the victim to a malicious site that attempts to read files stored on the victim’s computer. The attack chains together several design features of Internet Explorer which, combined, can do serious damage. Secunia has rated this as “Moderately critical”.

10 Tips for Protecting Business Data

In honor of Data Privacy Day (January 28), Cintas published 10 tips for protecting confidential business data. The list is a good starting point for building your own data security program. I will list the tips below with additional recommendations on each. Many of the tips are written with paper documents in mind, but nearly all apply to digital storage as well. The original list is on Cintas’ site.

  1. Implement a document management program. This falls in the category of “identify your treasures.” Make a list of the different types of documents you need to keep (invoices, receipts, contracts, etc.). Next, determine who needs access to each type in order to do their job. Identify the security measures needed to keep the data private. Lastly, train all employees in responsible information handling; standards like PCI DSS and the Red Flags Rule require this kind of training for compliance.

5 Questions to ask your Data Destruction Company

When you replace your computers, what happens to the data on them? With increased legal scrutiny and identity theft protections, it is important to know exactly what happens to the information on your end-of-life computers. Some companies prefer to keep this responsibility in-house, using tools like Blancco, KillDisk, or DBAN. Software drive wiping can take a long time, and if you have a large number of machines to wipe, dedicating an employee to the job can be costly.

Microsoft asks users to abandon IE6, kinda

Much has been written about the recent attack on Google, but somewhat lost in the shuffle is that the exploit specifically targets Internet Explorer 6 on Windows 2000 and Windows XP. Based on its analysis of the attack, Microsoft’s Security Research and Defense blog urges users to upgrade to a newer platform or to enable DEP (available only on Windows XP Service Pack 2 or later).

In its blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations:

Internet Explorer 6
  Windows 2000: Exploitable
  Windows XP: Exploitable (current exploit effective for code execution)
  Windows Vista: N/A (Vista ships with IE 7)
  Windows 7: N/A (Windows 7 ships with IE 8)

Internet Explorer 7
  Windows 2000: N/A (IE 7 will not install on Windows 2000)
  Windows XP: Potentially exploitable (current exploit does not work, due to memory layout differences in IE 7)
  Windows Vista: IE Protected Mode prevents the current exploit from working
  Windows 7: N/A (Windows 7 ships with IE 8)

Internet Explorer 8
  Windows 2000: N/A (IE 8 will not install on Windows 2000)
  Windows XP: DEP, enabled by default on XP SP3, prevents the exploit from working
  Windows Vista: IE Protected Mode + DEP (enabled by default) prevent the exploit from working
  Windows 7: IE Protected Mode + DEP (enabled by default) prevent the exploit from working

In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to individual users and organizations to upgrade if they wish. As a result, many major corporations still have not moved off this now-ancient browser, even though IE 7 was released over three years ago.

Even though this event is unlikely to change their behavior, if upgrading the operating system is not an option, those corporations should at least consider deploying Firefox along with the excellent IE Tab extension for those times when they just have to use Internet Explorer. Keep in mind that IE Tab renders the page with the IE engine itself, so a site opened that way is exactly as exposed as it is in IE; the gain is that everything else runs in Firefox.

Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?

Dealing with password fatigue

How many passwords do you have? According to a 2002 study by NTA Monitor, the average computer user has 21 different password-protected accounts. Twenty-one! And that was before Facebook, Twitter, or any other social networking tool. I personally have well over 100 distinct account credentials on various websites and servers.

It’s no wonder that many users resort to picking easily guessed words, writing passwords on sticky notes, or using the same password for every service out there. A recent study even indicates that IT security professionals are suffering from password fatigue too.

Password Managers

One solution to password fatigue is a password manager. Many operating systems, like OS X and Windows 7, even include built-in password management tools. My personal favorite is KeePass, an open-source manager originally developed for Windows that has since been ported to OS X and Linux.

The main drawback of password managers is that they require extra effort to maintain. Every time you create a new account or change a password on an existing account, you have to keep the manager in sync. Over time it is easy to end up with the wrong password on file, or worse, without the password you need.

Password Schemes

An alternative to password management tools is a consistent scheme for generating passwords. The idea is that if you always apply the same rule, you can reconstruct any password from scratch instead of remembering it. One scheme is to use a base password and append something related to the service. For example, your base might be ‘asdf’; when creating an account on Yahoo you would then use ‘asdfyahoo’ or ‘yahooasdf’.

The drawback of this approach is that each site has its own password rules. Some require letters and numbers, some require a mix of upper and lower case, and others require symbols like ‘$’ or ‘&’. Coming up with a scheme that satisfies all of them is a challenge. And what about services that require your password to change regularly? Either you create multiple base passwords or multiple service keywords, and once you do that you are back to keeping track of individual passwords. There is a security problem as well: a password like ‘asdfyahoo’ makes the rule obvious, so if one site leaks your password (or an employee there can read it), an attacker can guess your password for every other site.

Choosing Memorable Passwords

A third option is picking passwords that are easy to remember. The challenge is in picking a password that is both easy to remember and secure. For example, while everyone can remember ‘password,’ it is not a very secure choice.

One trick is to pick a phrase that can be remembered, such as ‘The fox jumped over the tall hedge’, and use the first or last character of each word. For our example phrase that gives ‘tfjotth’ or ‘exdrele’.

While this approach makes passwords easier to remember, you still should not use the same password for every service, so it makes sense to pick a few phrases that can be remembered and cycle through them.
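To make the trade-offs in the last two sections concrete, here is an added example (not code from the original post). It implements the base-plus-service scheme and the passphrase acronym trick exactly as described above, plus a third option the post does not describe: deriving each site’s password from a master secret with HMAC-SHA256, which is the idea behind “stateless” password managers. The keyed derivation addresses both drawbacks discussed above: a leaked password reveals nothing about the master secret, and the output is forced to satisfy a typical mixed-case/digit/symbol rule; a generation counter handles sites that force periodic changes. The symbol set, the character-class rule, the service-name normalization and the master secret ‘correct horse battery staple’ are all assumptions made for this example.

```python
import hashlib
import hmac
import string

# Symbol set and character classes are assumptions for this example; a real
# site may accept a different set, so treat them as parameters, not a rule.
SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def naive_scheme(base, service):
    """The scheme from the post: base + service name, e.g. 'asdf' + 'yahoo'.
    Anyone who sees one of these passwords can guess the rest."""
    return base + service


def passphrase_acronym(phrase, position="first"):
    """The memorable-phrase trick: first (or last) letter of each word."""
    idx = 0 if position == "first" else -1
    return "".join(word[idx] for word in phrase.split()).lower()


def meets_rules(password):
    """A typical site rule: at least one lower, one upper, one digit, one symbol."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def shared_prefix(a, b):
    """Length of the common prefix of two passwords (long = pattern visible)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def _keyed_bytes(master, service, generation):
    """Endless deterministic stream: HMAC-SHA256(master, service|generation|counter).
    Without the master secret the bytes are unpredictable, so a leaked password
    says nothing about the passwords for other services."""
    counter = 0
    while True:
        msg = "{}\x00{}\x00{}".format(service, generation, counter).encode()
        yield from hmac.new(master.encode(), msg, hashlib.sha256).digest()
        counter += 1


def derived_password(master, service, length=16, generation=0):
    """Per-site password derived from a master secret. Same inputs, same output,
    so nothing has to be stored; bump `generation` when a site forces a change."""
    service = service.strip().lower()          # 'Yahoo ' and 'yahoo' are the same site
    stream = _keyed_bytes(master, service, generation)
    limit = 256 - (256 % len(ALPHABET))        # rejection sampling removes modulo bias
    for _ in range(64):                        # retry (deterministically) until rules met
        chars = []
        while len(chars) < length:
            b = next(stream)
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
        candidate = "".join(chars)
        if meets_rules(candidate):
            return candidate
    raise RuntimeError("no candidate met the character rules")


if __name__ == "__main__":
    master = "correct horse battery staple"    # constructed example secret
    print(naive_scheme("asdf", "yahoo"), meets_rules(naive_scheme("asdf", "yahoo")))
    print(passphrase_acronym("The fox jumped over the tall hedge"))
    for site in ("yahoo", "gmail"):
        print(site, derived_password(master, site))
```

The catch with the derived approach is the flip side of its convenience: the master secret becomes the single point of failure, so it has to be long and never typed into a site, and every site whose password you were forced to rotate needs its generation number remembered somewhere, which is a small amount of the bookkeeping the post complains about.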

How do you deal with the many passwords in your life?

Use Electrical Outlets or Lasers to capture keystrokes?

This has been a week of crazy hacking announcements. CIO.com reports that Andrea Barisani and Daniele Bianco, researchers with the network security consultancy Inverse Path, will demonstrate two new attacks for recording keystrokes entered on a computer at the upcoming Black Hat USA 2009 conference.

The first requires access to a power outlet on the same electrical circuit as the target computer. Because the data wire inside the keyboard cable is unshielded, its signal leaks into the ground wire of the cable, and from there into the ground wire of the building’s electrical circuit. The bit stream the keyboard sends for each keystroke shows up as small voltage fluctuations on that ground; the attacker filters out the other ground noise and is left with the keystrokes.

The second attack points a cheap laser at a reflective part of a laptop, such as its lid, or even at the surface of the table near the device, and measures the vibrations caused by pressing the various keys. The researchers claim each key has a distinct vibration pattern, and that by knowing the language the typist is using, the keys pressed can be determined. They found the attack works best when aimed at the laptop lid, either at a shiny logo or at a spot near the hinges.

The tools needed for the electrical outlet attack cost around US$500; those for the laser attack cost around US$100 and took about a week to test. While the researchers admit their tools are currently rudimentary, they feel that the minimal time commitment and the cheapness of the tools illustrate what a dedicated team or government entity could build on the same ideas.

CIO.com – How to Use Electrical Outlets and Cheap Lasers to Steal Data

Hacking the Dot-Matrix Printer

It sounds like something out of a bad spy movie, but researchers at Saarland University have published a paper on a new attack against those old trusty dot-matrix printers. By recording the sound a printer makes and running the recording through speech-recognition-style algorithms, they were able to recover the words printed on the page. They even ran their tests in an actual doctor’s office (with permission, of course), so this is not something that only works in the lab.

So what? No one still uses these dinosaurs, right? Not so fast: in a survey conducted by the same university, 30% of banks and 58.4% of doctors’ clinics still use them, in many cases to print semi-sensitive information like receipts and prescriptions.

And why do businesses still use dot-matrix printers? Well, for fairly standard reasons: they cost less than more modern printers, are very durable, and work with older hardware and computer systems. One company I talked to about this study said it was cheaper to keep these old printers working than to upgrade the systems and software that use them.

After reading the paper, it seems the attack would have to be tailored to a particular model of printer, but even with that limitation, some interesting possibilities are available. Will the next Mission Impossible movie include a scene with Tom Cruise planting a recording device in a bank to get account numbers of his target? And what will we find out next, that the contents of a CRT or LCD can be replayed by measuring the radiation output? Oh wait….

Original study: How Printers Can Breach Our Privacy: Acoustic Side-Channel Attacks On Printers

EPC, Inc. Hosts Before Hours Yellow Tie Event

Be sure to take a moment to add our “Before Hours” networking event on June 23rd, 2009, from 7:30am to 9am, to your calendar. Read on below for more details, and don’t forget to use the link below to RSVP with Frank Polston, our Vice President of Retail Services. We look forward to seeing you there!

Come shake some hands where smart business people come for their computer supplies and data security needs.

Enjoy Yellow-Tie networking with breakfast and coffee, and a back-store tour.

What could be better?

Hosted By….  EPC, Inc.

— http://www.epcusa.com

Host Contact. Frank Polston — 636-443-1999 x1013, frank@epcusa.com

Date……… Tuesday, June 23, 2009
Time……… 7:30 to 9 a.m.
Location….. EPC, Inc.
Address…… 3941 Harry S. Truman Blvd., St. Charles, MO 63301

Cost……… Free

Register now at: http://www.yellow-tie.org/events/stcharlesco/june2009handshakes

Buy a used hard drive on eBay, get government secrets for free!

Imagine it: you buy a computer on eBay, plug it in, and find top secret missile defense documents. What would you do? This is the situation a research group at Longwood University found itself in after purchasing a used hard drive from the popular auction site.

The drive reportedly contained files from Lockheed Martin, a large US military contractor, including test launch procedures for the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system, security policies, blueprints of facilities, and social security numbers of individual employees.

A representative from Lockheed Martin is quoted in the article as saying:

Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.

Fortunately, this drive was purchased as part of a controlled study of what information can be recovered from used hard drives, and did not fall into the wrong hands. The study also uncovered other sensitive information, including bank account details, medical records, confidential business plans, financial company data, personal ID numbers, and job descriptions.

The drives were bought from the UK, America, Germany, France and Australia by BT’s Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.

A spokesman for the project said they found 34 per cent of the hard disks scrutinized contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organization.’

Even though the information in this case did not fall into the wrong hands, the story illustrates the importance of having a controlled data destruction process in every organization. Ask yourself this: can you track every computer and every hard drive after it is pulled from production? Do you know for a fact that every hard drive is wiped or destroyed? If you cannot answer yes to both questions, you owe it to yourself to work with a vendor that can fill this gap.
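“Do you know for a fact” is the operative phrase, both here and for the in-house wiping tools mentioned in the “5 Questions” post above. The following is an added example (not code from the original post or from any of the tools named) of the minimum a wipe procedure should do: overwrite the whole device, flush it, then read every byte back independently and report the first place the wipe did not take. It assumes a POSIX system where seeking to the end of an opened block device gives its size (os.path.getsize reports 0 for block devices on Linux). The sample image is a constructed temporary file standing in for a pulled drive; pointed at a real device, wipe_zero destroys its contents.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def device_size(path):
    """Size in bytes. os.path.getsize() reports 0 for block devices on Linux,
    so open the path and seek to the end instead (works for files and devices)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def wipe_zero(path):
    """Single overwrite pass with zeros, flushed to the device before returning.
    DESTRUCTIVE: pointed at a real block device this erases its contents."""
    size = device_size(path)
    zeros = bytes(CHUNK)
    with open(path, "r+b", buffering=0) as f:      # unbuffered raw I/O
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            remaining -= f.write(zeros[:n])        # raw write returns bytes written
        f.flush()
        os.fsync(f.fileno())                       # do not trust a wipe still in cache
    return size


def verify_zeroed(path):
    """Independent read-back. Returns (size, offset of first non-zero byte, or -1)."""
    size = device_size(path)
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):       # fast path: chunk is not all zeros
                for i, b in enumerate(chunk):
                    if b:
                        return size, offset + i
            offset += len(chunk)
    return size, -1


def make_sample_image(size=3 * CHUNK + 123):
    """Constructed stand-in for a pulled drive: a temp file full of random bytes
    (an odd size so the last partial chunk is exercised)."""
    fd, path = tempfile.mkstemp(prefix="drive-image-")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


def wipe_and_verify(path):
    """True only if the read-back shows zeros everywhere and the size is unchanged."""
    written = wipe_zero(path)
    size, first_bad = verify_zeroed(path)
    return first_bad == -1 and size == written


if __name__ == "__main__":
    img = make_sample_image()
    print("before wipe (size, first non-zero offset):", verify_zeroed(img))
    print("clean after wipe:", wipe_and_verify(img))
    os.unlink(img)
```

The read-back is the part worth keeping even if you use DBAN or a vendor: it is the record that answers “do you know for a fact”. Note the limit of what it proves: it shows what the drive’s controller returns for every address, which is the right check for spinning disks, but an SSD remaps blocks internally, so for those the drive’s own ATA Secure Erase command is the appropriate tool and this read-back is only a sanity check on top of it.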

A hat tip to ExportLawBlog for their analysis of the incident.

Cell Phones Tell Secrets From The Grave!

Recent research from Regenersis suggests that close to 100% of discarded cell phones still contain information that could be brought back to life.

If not removed, all those pictures from Cancun… all the music you’ve downloaded… and yes, all those text messages to your mother can be retrieved! So next time you upgrade to the latest and greatest smart phone, make sure you dust off the manual for the old one and take the time to run through the steps to perform a complete reset of the unit.

On the other hand, you could also take it to a company, such as EPC, who will completely shred the unit to help protect any overlooked data within.