Well, here we are again. A few weeks after Microsoft pushed out a critical patch to all versions of Internet Explorer, Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies, provided details of another attack against the beleaguered browser. This time, an attacker “may be able to access files with an already known file name and location.” If that sounds a bit scary, it should. It falls into a class of attacks called “Local File Disclosure” and can be exploited by sending the victim to a malicious site that attempts to read files stored on the victim’s computer. The attack chains several design features of Internet Explorer that, combined, can do serious damage. Secunia has rated this as “Moderately critical.”
In honor of Data Privacy Day (January 28), Cintas published 10 tips for protecting confidential business data. This list is a good starting point for creating your own data security program. I will list the tips below with additional recommendations on each. Many of these tips are written with paper documents in mind, but nearly all apply to digital storage as well. The original list is on Cintas’ site.
- Implement a document management program. This falls in the category of “identify your treasures.” Make a list of the different types of documents you need to keep: invoices, receipts, contracts, etc. Next, determine who needs access to these documents in order to do their job. Identify the security measures needed to maintain the privacy of the data. Lastly, train all employees on responsible information handling. Compliance programs such as PCI DSS and the Red Flags Rule require this kind of information-handling training.
When you replace your computers, what happens to the data on them? With increased legal scrutiny and identity theft protections, it is important for you to know exactly what happens to the information on your end-of-life computers. Some companies prefer to keep this responsibility in-house, using tools like Blancco, KillDisk, or DBAN. Software drive wiping can take a long time, and if you have a large number of machines to wipe, dedicating an employee to wipe drives can be costly.
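The two steps a wiping tool like those named above performs are overwriting the drive and then reading it back to prove the overwrite landed. The following is an added example, not code from the post or from any of those products: it overwrites a disk image (or, run as root, a block device path) with zeros and returns the offset of the first surviving non-zero byte, so the verification result can be recorded with the asset. The `demo()` function builds a constructed sample image in a temporary file; the 1 MiB chunk size and the single-pass default are assumptions for the example.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # assumption: write and read back in 1 MiB pieces


def wipe_device(path, passes=1):
    """Overwrite every byte of `path` with zeros and fsync after each pass.

    `path` may be a disk image file or a block device such as /dev/sdb
    (which needs root).  Returns the number of bytes overwritten per pass.
    """
    zeros = bytes(CHUNK)
    with open(path, "r+b", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)      # works for files and block devices
        for _ in range(passes):
            dev.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                written = dev.write(zeros[:n])
                if not written:
                    raise OSError(f"short write at offset {size - remaining}")
                remaining -= written
            dev.flush()
            os.fsync(dev.fileno())           # do not trust the page cache
    return size


def verify_wiped(path):
    """Read the whole device back.  Return the offset of the first non-zero
    byte, or None if every byte is zero.  This is the evidence you keep."""
    offset = 0
    with open(path, "rb", buffering=0) as dev:
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                return None
            if chunk.count(0) != len(chunk):
                for i, b in enumerate(chunk):
                    if b:
                        return offset + i
            offset += len(chunk)


def demo():
    """Constructed disk image: fill a temp file with fake records, wipe it,
    verify it, and return the figures a disposal log would record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"confidential invoice data " * 1000)   # constructed content
    try:
        before = verify_wiped(path)   # 0: live data found at the first byte
        size = wipe_device(path)
        after = verify_wiped(path)    # None: nothing survived
        return {"size": size, "before": before, "after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Two caveats worth remembering when you do this in-house: a software overwrite only reaches sectors the drive still presents to the host, so remapped sectors and the spare area of an SSD are untouched and need the drive's own sanitize command (ATA Secure Erase or NVMe sanitize) instead; and a single verified zero pass is what NIST SP 800-88 accepts for clearing modern magnetic drives, so multiple passes mostly add time, not assurance.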
Much has been written about the recent hack targeting Google, but somewhat lost in the shuffle is that the attack specifically targets Internet Explorer 6 on Windows 2000 and Windows XP. Based on their analysis of the attack, Microsoft’s Security Research and Defense blog urges users to upgrade to a newer platform or enable DEP (only available on Windows XP Service Pack 2 or later).
In their blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations.
| | Windows 2000 | Windows XP | Windows Vista | Windows 7 |
|---|---|---|---|---|
| Internet Explorer 6 | Exploitable | Exploitable (current exploit effective for code execution) | N/A (Vista ships with IE 7) | N/A (Windows 7 ships with IE 8) |
| Internet Explorer 7 | N/A (IE 7 will not install on Windows 2000) | Potentially exploitable (current exploit does not work due to memory layout differences in IE 7) | IE Protected Mode prevents current exploit from working | N/A (Windows 7 ships with IE 8) |
| Internet Explorer 8 | N/A (IE 8 will not install on Windows 2000) | DEP enabled by default on XP SP3 prevents exploit from working | IE Protected Mode + DEP enabled by default prevent exploit from working | IE Protected Mode + DEP enabled by default prevent exploit from working |
In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to the individual to upgrade if they desire. Because of this, there are still many major corporations that have not yet upgraded from this now ancient browser – IE 7 was released over 3 years ago.
Even though this event is unlikely to change their behavior, if upgrading the operating system is not an option, they should at least consider deploying Firefox and the awesome extension IE Tab for those times when they just have to use Internet Explorer.
Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?
I was reading 10 seriously annoying default configurations at TechRepublic today and was inspired to come up with my own.
1. Windows Update
I love the idea of Windows Update, but its implementation drives me crazy. First, every update seems to require a restart of the computer. Coming from a Linux background that is extremely frustrating, especially on a Windows server. No, I can’t restart the Exchange server three times a week, thank you very much. Second, some updates are only visible after prior updates are installed, which compounds the restart problem. Third, there’s no way for third-party software developers to hook into this update process. This makes keeping a machine secure much harder, forcing admins to rely on tools from vendors like Secunia to keep their systems up to date.
2. User Account Control (UAC)
Much has been written about UAC, a feature of Windows Vista and later that prompts the user when performing risky actions, like installing software. Unfortunately it prompted so much that many users simply disabled the messages. I personally feel that UAC was one of the “features” that prevented mass adoption of Windows Vista. Thankfully Windows 7 gives you more granular control of the messages UAC displays.
3. Internet Explorer on Windows Servers
I completely agree with the author of the TechRepublic article. Internet Explorer on a Windows 2003 or 2008 server is virtually useless. Yes, you shouldn’t use Windows server for general purpose browsing, but with nearly all reference guides and support online there are times when you must use a web browser on the server.
Say you are in the server room, working on an Exchange server that’s not working. You need to research an error message from the system log, so you hop over to Google. Instead of showing you the website, Internet Explorer Enhanced Security Configuration prompts you to add Google to the Trusted sites list. Click on one of the relevant links, and you add that site to your Trusted sites too. Repeat this a few times and tell me that you don’t want to throw the server through a wall.
4. “Are you sure you want to empty the Recycle Bin?”
The whole point of the Recycle Bin is to prevent accidental file deletion. You have to interact with the Recycle Bin in order to empty it. Why confirm again that these files need to be deleted?
5. ActiveX component install process
I know that ActiveX is a major security risk, but do I really need to confirm 3 different dialogs before it will install an ActiveX component in Internet Explorer 7 or 8?
6. Menus that change based on frequency of use
This came into vogue after Office 2000 implemented “Personalized Menus.” The basic idea was that the Office apps had too many options and the average user could not get to the options that they needed quickly. So if an option was not used often, the software auto-hides the option for you. Yeah – great idea. Try walking a friend through a configuration change, only to discover that the menu option is hidden. Here is an idea – if there are too many options in a program, perhaps it is too complex and should be streamlined.
7. Hiding File Extensions
Why design a file system that uses the extension to determine a file’s type, then design a file browser that hides those extensions? Beyond the annoyance, it lets a file named invoice.pdf.exe show up in Explorer as invoice.pdf. This is the first setting I change on any Windows machine I manage.
8. Hiding System and Hidden Files
If #7 is the first change I make, this one is number two, by a few seconds. This one is even cross-platform: the GNOME file browser also tries to “help” you by hiding these files from view.
9. Errors cause Copy / Move operations to stop completely.
Ever try to move a bunch of folders from one drive to another – maybe you are backing up your photo collection, maybe you are moving documents from one computer to another. If one file cannot be copied the whole process just stops. Now you have to figure out why the file copy did not work and start all over again. To solve this one, install a 3rd party file copier like TeraCopy.
10. Desktop Cleanup
Everybody uses the desktop a little differently; I tend to use mine as a scratch pad. I keep the files I am currently working on there and move them to other locations when they are no longer needed. The Desktop Cleanup wizard is like a maid who comes in behind you and starts putting files into random cabinets.
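Item 7 is the one on this list with a real security cost, so here is an added example (not code from the post) that shows it. The first function mimics what Explorer displays when “Hide extensions for known file types” is on; the second is the check a download scanner or mail gateway applies to catch a name that becomes misleading once the last extension is hidden, including the Unicode right-to-left-override trick that reverses the tail of the name on screen. The sets of “known”, executable and document-like extensions are an assumption for the example; Explorer’s real list is every type with a registered handler.

```python
import os

# Assumed subset of the types Explorer treats as "known" (and therefore hides).
KNOWN_TYPES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk",
               ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".pif"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: "invoice\u202efdp.exe" renders as "invoiceexe.pdf"


def displayed_name(filename, hide_known=True):
    """What Explorer shows for `filename` with the hide-extensions default on or off."""
    root, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_TYPES:
        return root
    return filename


def disguised_executable(filename):
    """True when the file is executable but the name the user sees, after the
    last extension is hidden (or reordered by an RLO character), ends in a
    document extension."""
    if RLO in filename:
        return True
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE:
        return False
    _, shown_ext = os.path.splitext(root)
    return shown_ext.lower() in DOCUMENT_LIKE


def triage(filenames):
    """Return (shown name, real name, flagged) per file: what a gateway would log."""
    return [(displayed_name(f), f, disguised_executable(f)) for f in filenames]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    for shown, real, flagged in triage(["invoice.pdf.exe", "setup.exe",
                                        "invoice.pdf", "invoice\u202efdp.exe"]):
        print(f"{shown!r:24} really {real!r:28} {'FLAG' if flagged else 'ok'}")
```

To turn the hiding off in bulk rather than by hand, set the `HideFileExt` DWORD under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` to 0; the GUI checkbox toggles that same value.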
I know it seems like I was picking on Windows with this list, and I know there are just as many annoying system defaults on other platforms, but these are the first ten I could think of. Chime in with your list in the comments section.
How many passwords do you have? According to a study done by NTA Monitor in 2002, the average computer user has 21 different passworded accounts. Twenty-one! And that was before Facebook, Twitter, or any other social networking tool. I personally have well over 100 distinct account credentials on various websites and servers.
It’s no wonder that many users resort to picking easily guessed words, put passwords on sticky notes, or use the same password for every service out there. A recent study even indicates that IT security professionals are suffering from password fatigue.
One solution to password fatigue is using a password manager. Many operating systems, like OS X and Windows 7, even include password management tools. My personal favorite is KeePass, an open-source manager that was developed for Windows but has been ported to OS X and Linux.
The main drawback with password managers is that they require extra effort to maintain. Every time you create a new account or change a password on an existing account you have to keep your password manager in sync. Over time it is easy to have the wrong password on file, or worse, not have the password you need on file.
An alternative to password management tools is coming up with a consistent scheme for generating new passwords. The idea is that if you always apply the same rule, you can reconstruct the password for any service without storing it. One scheme is to use a base password, then append something related to the service. So, for example, your base might be ‘asdf’. If you were creating an account on Yahoo you might use the password ‘asdfyahoo’ or ‘yahooasdf’.
The drawback with this approach is that each site has its own password guidelines. Some require alphabetic and numeric characters, some require a mix of upper and lower case, and others require extended characters like ‘$’ or ‘&’. Coming up with a scheme that satisfies all the requirements is a challenge. And what about services that require your password to change regularly? Either you have to create multiple base passwords or multiple service keywords, and once you do that you are back to keeping track of individual passwords. There is a security cost as well: anyone who sees one of these passwords in a breach can spot the pattern, strip the service name, and rebuild your password for every other site.
Choosing Memorable Passwords
A third option is picking passwords that are easy to remember. The challenge is in picking a password that is both easy to remember and secure. For example, while everyone can remember ‘password,’ it is not a very secure choice.
One trick is to pick a phrase that can be remembered such as ‘The fox jumped over the tall hedge’ and use the first or last characters from each word. So in our example phrase you might use the passwords ‘tfjotth’ or ‘exdrele.’
While this approach makes passwords easier to remember, you still should not use the same password for every service, so it makes sense to pick a few phrases that can be remembered and cycle through them.
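Here is an added example, written for this page rather than taken from the post, that puts numbers on the two schemes above. It generates passwords with the base-plus-service rule and with the phrase-initials trick, shows what an attacker holding one leaked base-plus-service password can derive for another site, checks a candidate against a per-site policy of the kind the post complains about, and estimates how long a brute-force search of the result would take. The policy, the 10^9 guesses-per-second rate (a plausible offline cracking speed for a fast hash; real rates depend on the hash) and the alphabet sizes are assumptions for the example.

```python
import re
import string

# ---- Scheme 1 from the post: base password + service name -----------------

def scheme_password(base, service, base_first=True):
    """'asdf' + 'yahoo' -> 'asdfyahoo' (or 'yahooasdf' with base_first=False)."""
    return base + service if base_first else service + base


def guess_from_leak(leaked_password, leaked_service, target_service):
    """What an attacker does with one breached password from scheme 1: strip
    the service name, keep the base, rebuild the password for the next site.
    Returns None if the leak does not look like the scheme."""
    if leaked_password.endswith(leaked_service):
        return leaked_password[:-len(leaked_service)] + target_service
    if leaked_password.startswith(leaked_service):
        return target_service + leaked_password[len(leaked_service):]
    return None


# ---- Scheme 2 from the post: first or last letter of each word in a phrase -

def initials_password(phrase, position="first"):
    """'The fox jumped over the tall hedge' -> 'tfjotth' / 'exdrele'."""
    words = re.findall(r"[A-Za-z]+", phrase)
    pick = (lambda w: w[0]) if position == "first" else (lambda w: w[-1])
    return "".join(pick(w).lower() for w in words)


# ---- A per-site policy check (assumed rules) ------------------------------

DEFAULT_POLICY = {"min_length": 8, "upper": True, "digit": True, "symbol": True}


def policy_violations(password, policy=DEFAULT_POLICY):
    """Return the names of the rules `password` fails; empty list means it passes."""
    failed = []
    if len(password) < policy.get("min_length", 0):
        failed.append("min_length")
    if policy.get("upper") and not any(c.isupper() for c in password):
        failed.append("upper")
    if policy.get("digit") and not any(c.isdigit() for c in password):
        failed.append("digit")
    if policy.get("symbol") and not any(c in string.punctuation for c in password):
        failed.append("symbol")
    return failed


# ---- How much does the result buy you against brute force? ----------------

def keyspace(password):
    """Upper bound on the search: (alphabet size) ** length, where the alphabet
    is the character classes actually present.  Dictionary and phrase-based
    attacks are much smaller; this is the optimistic figure."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32
    return alphabet ** len(password)


def seconds_to_exhaust(password, guesses_per_second=1e9):
    """Assumed offline rate of 1e9 guesses/s; worst case for the attacker."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    phrase = "The fox jumped over the tall hedge"
    for pw in (scheme_password("asdf", "yahoo"), initials_password(phrase),
               initials_password(phrase, "last"), "Tfj0tth!"):
        print(f"{pw:12} violations={policy_violations(pw)} "
              f"exhaust={seconds_to_exhaust(pw):.0f}s")
    print("leak of asdfyahoo gives google:", guess_from_leak("asdfyahoo", "yahoo", "google"))
```

The point the figures make: ‘tfjotth’ is seven lowercase letters, so even an attacker who knows nothing about the phrase has only 26^7 (about 8 billion) guesses to try, which is seconds against a fast hash; the memorable phrase helps you recall the password but the password still has to be long and mixed enough to survive an offline attack, and the base-plus-service scheme fails outright the moment one site is breached.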
How do you deal with the many passwords in your life?
There were some great articles on CIO.com this week relating to Data Security. Here they are plus a selection of the best IT Data Security articles in the last week:
- Heartland CEO: QSAs Let Us Down
In the review of what led to the Heartland credit card breach, Heartland’s CEO Robert Carr points to the PCI compliance auditors that passed the company before the breach – “PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”
- Opinion: Heartland CEO Must Accept Responsibility
A counter point to the previous article. Mike Rothman asserts that by attempting to blame the QSAs for the data breach they are learning nothing, and not addressing the root issue – “To be clear, you cannot outsource thinking. You cannot outsource security.”
- 8 Dirty Secrets of the IT Security Industry
Are IT Security vendors really interested in improving your network’s security? Joshua Corman from IBM’s Internet Security Systems division details 8 trends in the IT Security market that help undermine a network’s security.
- Social Engineers’ 9 Favorite Pick-Up Lines
Social engineers leverage the trust people have in the familiar to gain access to facilities and networks. These 9 examples illustrate how easy it is for that trust to be abused. How many would you (or your employees) fall for?
- Hackers have Social Networking sites in their crosshairs
According to a recent study by Breach Security, hackers are attacking social networking sites with increasing frequency; these sites accounted for 19% of online attacks in 2009.
- Twitter used to control botnet
It was a matter of time, but Jose Nazario of Arbor Networks discovered a botnet that used Twitter for its command and control infrastructure. While the account in question is obviously not a person, how long before a botnet writer creates an account that looks legitimate at first glance?
In an effort to help parents with the costs of sending their students back to school, Missouri has established this weekend as a Sales Tax Holiday. From 12:01 a.m. on Friday August 7th to midnight on Sunday the 9th, certain back to school items are deemed tax exempt.
Included in these tax exempt back to school items are personal computers and computer peripherals. To enhance this tax holiday, EPC is opening our warehouse to the public for a huge sale. All items will be at least 15% off our already low prices, in addition to the savings from the exempted tax.
On Saturday, August 8th, from 8am to 2pm only, customers can browse through the thousands of laptops, desktops, servers, printers and every other kind of computer-related hardware and peripheral that can be found in our warehouse, a space about the size of two football fields.
For more information about the Missouri Sales Tax Holiday stipulations, you can check out the Department of Revenue’s website.
The School District of Philadelphia is launching a probe into how one of its monitors was found in a landfill in Ghana. After the monitor was spotted in a PBS Frontline documentary and repeated inquiries were made by Technically Philly, the school district announced it would launch an investigation.
“The School District of Philadelphia does not encourage or condone the illegal dumping of any school district property anywhere in the world,” read the statement issued by the district. “As a result… [we are] currently investigating the source and disposal record of the equipment found in Ghana.”
The monitor was one of many visible in the Frontline report and illustrates the ongoing problem of e-waste dumping in developing countries. Millions of tons of e-waste are dumped in the West African country, China, and others.
The school district has maintained a “green” policy regarding the disposal of electronic equipment since 2006, and is unsure if this is an isolated incident or just one example from the hundreds of pounds disposed by the district each year. The district had partnered with a recycling company that provided pickup and recycling services at no charge to the district.
This report illustrates the trouble many companies have in identifying responsible computer recyclers for their end-of-life hardware. You owe it to yourself to personally view a company’s recycling processes and ask about its export policies. While you’re at it, ask if it is a Basel Action Network e-Steward. The BAN e-Stewards pledge is for a zero-landfill, zero-export approach to recycling.
This has been a week of crazy hacking announcements. CIO.com reports that Andrea Barisani and Daniele Bianco, a pair of researchers for network security consultancy Inverse Path, will demonstrate two new attacks that can be used to record keystrokes entered on a computer at the upcoming Black Hat USA 2009 conference.
The first requires access to a power outlet on the same circuit as the target computer. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical circuit. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds, they say. The attacker then filters out other ground signals and is left with the keystrokes entered.
The second attack points cheap lasers at shiny portions of a laptop, like its lid or even the surface of the table near the device and measures the vibration caused by hitting the various keys. The researchers claim that each key has a distinct vibration pattern and by knowing the language used by the typist, the keys entered can be determined. They found the attack works best when pointing at the lid of the laptop, either at a shiny logo or at a spot near the hinges.
The tools for the electrical outlet attack cost around US$500 and those for the laser attack around US$100, and the work took about a week to test. While the researchers admit that their tools are currently rudimentary, they feel that the minimal time commitment and the low cost of the tools illustrate the potential for expansion by a dedicated team or government entity.