Tuesday, April 29, 2008

Secure Computing announces VM based security gateway devices

Secure Computing, who recently renamed their Sidewinder line of firewalls as Secure Firewalls, has announced that they will be making their security gateway appliances available as VMs - something I've been waiting for vendors to start doing for a while. In Secure's case, this makes even more sense, as their hardware has historically been relatively standard server hardware with a highly customized and hardened base OS.

From the release:

Through its relationship with VMware, all of Secure Computing's security gateway appliances can be deployed as preconfigured virtual appliances onto new or existing hardware without the cost and space required of traditional security implementations. Customers can deploy different Secure Computing appliances, each on its own virtual machine, on a single server.

This also allows competition with products like Cisco's FWSM and other vendors' products that support in-device virtual firewalls.

For example, customers or managed service providers can deploy up to 32 separate firewalls, each running on its own virtual machine on a single server, and manage all of them from a single point.

It will be interesting to see how quickly other vendors match this announcement - virtual datacenters in a few hosts using virtual switches, virtual appliances, and VM servers are just around the corner.

Wednesday, April 16, 2008

A FIPS certified thumbdrive: Kingston's Blackbox drives

Electronista reports that Kingston has announced FIPS certified thumbdrives in 2, 4, and 8 GB capacities. Specifications include 256 bit AES, 20 MB/s write, and 24 MB/s read speeds. More details are available on Kingston's Blackbox page.

Monday, April 14, 2008

Panda: Boot Sector Viruses Set For A Comeback?

Ars Technica recently covered Panda's malware report for Q1 2008 - and they note that Panda makes a surprising prediction that boot sector viruses will become more popular again.

Panda's list is interesting - they mention mobile phone and device viruses, a market which has had AV solutions for quite a while, but which hasn't seen a real widespread threat. They also cover the Storm worm, which has been one of the most visible and largest of the recent widespread viruses. Then, surprising to both me and the Ars Technica writing staff, they spend quite a few pages covering boot sector viruses.

Many newer IT workers likely haven't dealt with boot sector viruses - they haven't been a serious mainstream threat in almost a decade. We're used to seeing worms and email-borne viruses, and even those haven't been a major threat to most organizations since company-wide AV, mail server malware filtering, and firewalling became common.

Will we see boot sector viruses make a comeback? My feeling is that they won't make a significant comeback in most organizations. Social networks, browser exploits, and social engineering seem likely to remain our highest threats, as widespread AV use and better network layer protections are making user interaction a more common requirement for the spread of malware. I also expect to see more viruses spread by removable devices and via wireless, both 802.11 and Bluetooth.

Thursday, April 10, 2008

Good Disclosure Practices: RedBox announces a skimming exploit the right way

Skimming by placing a device on an existing reader to read credit card magstripes when they're swiped isn't new - it has been seen in the past at ATMs and other locations. It continues to happen, with varying levels of sophistication.

What is noteworthy is that Redbox reported it in a useful advisory including pictures of what the skimmers looked like - thus taking advantage of an issue to educate customers. They also show the attached blocks that help prevent identity thieves from attaching skimmers to the systems - addressing the question "what are you doing about it?" The blocks are not a total solution, but they'll help prevent normal-sized reader devices from being attached. Hopefully, monitoring the locations where the devices were found also leads to arrests.

Details of the discovery, and what the devices looked like can be found on Redbox's website at:

Wednesday, April 9, 2008

Server AV? Maybe you do need it...

The Register's report on AUSCert's advisory regarding virus-laden thumbdrives sent out by HP for some Proliant servers points out a flaw in a statement I hear quite often. Many system administrators tell me "We don't need AV on our server, because we don't browse the web or do other risky things".

Most of the same administrators would use the provided thumbdrive to install drivers or to transfer files, and while the Fakerecy and SillyFDC viruses aren't a major concern, the habits that lead to one virus making it onto a server could result in something much worse in the future.

Do servers need antivirus software, and is the overhead worth it?

In many cases, server antivirus is simply another layer of protection. Antivirus, particularly AV with centralized reporting, can help detect threats that go beyond viruses. Many rootkits include tools that AV detects, meaning that an alert sysadmin can catch a major compromise through a simple AV detection.

The overhead on a server can be relatively significant, particularly if the antivirus software isn't configured to match the server's purpose and usage model. On a heavily utilized server - such as one doing high performance computing with high processor and disk loads, AV may create too much of a resource drain. In those cases, alternate controls may be appropriate.

In the meantime, remember to scan your thumbdrives, LCD photo frames, and any other device you plug into your PC for viruses - you never know what surprises you may find.

Tuesday, April 8, 2008

"Password Protection" Safe Harbor - in Indiana the ship is sailing

As most of you are aware, data breaches happen all the time. So much so that almost all the states in the union have enacted laws requiring notification to affected parties when their personally identifiable information is in harm's way. Soon we may see a national law. Further driving the point home are a myriad of laws that govern how data are to be protected, not to mention private industries governing themselves, such as PCI DSS.

While I do enjoy seeing social controls being placed that might ultimately protect my well-being, I find too often that these laws are followed in a minimum-necessary manner. Case in point: the NIH lost a laptop that had identifiable and protected data stored on it. Unfortunately, the data were not encrypted even though they should have been per departmental policy. While admitting that they were in the wrong, it seems that the NIH is taking refuge in some of the legislation that offers a password protection safe harbor. In other words, as long as the device is password protected, then you are OK. Read through the third paragraph from the story, quoted below, and tell me what is wrong:

“The [National Heart, Lung and Blood Institute] recognizes that such information should not have been stored in an unencrypted form on a laptop computer,” said Elizabeth Nabel, director of NHLBI, a division of NIH. However, at the time of the theft, the laptop was off and protected by a password that would take “considerable computer sophistication” to crack, she said in a March 24 statement.
Considerable computer sophistication - a few minutes with an alternative O/S and the data are owned. I brought the story to the attention of my staff and asked them to find a way to get to the data. We played capture the flag with a "password protected" laptop and a specific file. It took no more than a few minutes before the file was retrieved and the contents mailed back to me...I didn't even give them a file name or location either - just that it might have data in the format of a social security number.

What's the moral of the story? We know better, but we often don't do better. As security professionals (or anyone with stewardship over sensitive data) we should act with a suspicious mind. I see all too often people who have become immune to the effect of having sensitive, private information of others around them. To help them, I ask why their purse is locked up, but these files are not. Or, I ask for their driver's license and a voided blank check. This is pretty shocking to them, but it drives home the point that they are protecting themselves, while not affording the same type of protection to those who have placed their trust in our services.

Moving forward, the state and federal governments are beginning to see the light too. In fact, House Bill 1197 in Indiana was approved and will change IC 24-4.9-2-2 to remove the password safe harbor and replace it with encryption. What this might mean for you is that if data of an Indiana resident are accessed in an unauthorized manner on a portable electronic device and the data were not encrypted, you or your company can face civil penalties of up to one hundred fifty thousand dollars ($150,000). Disclaimer - I'm not a lawyer and this is not legal advice.

What to do? Look into full volume encryption for laptops and desktops. These have been discussed at length here, and be sure to follow the best practices for them to mitigate the now open-source RAM harvesting techniques. Second, train the staff at your place of employment. The more they know, and the more accessible you become, the more enmeshed security can become in business processes. Consider providing alternative methods for file storage and transfer. I like the Kanguru USB 2.0 flash drives - they feature AES hardware encryption and can be had in up to 16GB capacities. Last, check your policies and procedures with legal counsel to verify that they are in step with the laws for the areas you do business in.

Monday, April 7, 2008

Bad Architecture Diagrams: N-Tier, where N is an imaginary number

N-Tier? The good news is that this design doesn't require clients!

A lot of security work is based on understanding architecture design, and how systems interact. To that end, I ask for diagrams - and I typically receive the diagrams that vendors include in their documentation. Much to my chagrin, they often look like this recent example.

What's missing here? A lot.

I normally look for:
  • Directionality of traffic - which system initiates a connection, and to which other system(s).
  • Ports and protocols - at least a destination port or range of ports, and details on which ports are TCP and which are UDP.
  • Real tiering, and the ability to separate functions - a favorite question for vendors is "in your claim of an n-tier architecture, what values of N do you mean?" Often, you'll find that the system hasn't been tested with a true 3 tier model, or that the vendor recommends a monolithic installation.
  • Administrative interfaces - How do you control the system?
I also ask about operating systems, software versions, and firewall rules.

What's the worst architecture diagram you've seen recently?

Thursday, April 3, 2008

Is your VMX password worth $13,000?

I normally stay in touch with security trends and happenings through the many groups and lists I belong to. However, a story jumped out at me today that was listed on Fark. Yes, I prefer to get my news from an aggregator - and Fark is one of my favorites. Here's the headline that caught my eye (link to the original story):

Motivation #1345789 for changing the default password on all devices: The $13,000 bill you get stuck with when someone changes your voicemail greeting to "Operator, I will accept the charges."

Now, people have been abusing telephone systems for years to make calls on someone else's dime. However, this is the first time I had read about a voice mail greeting being used to fraudulently accept charges for a collect call. Should this have been anticipated? Frankly, yes, if your job includes the mindset of a security professional.

In the world of Information Security we know that to prevent systems from being abused, controls need to be placed and validated. In this case at least a couple of layers of controls were missing. First and foremost, a good (and well enforced) password policy would take into account all systems, including voice mail passwords. Most phone systems now allow for up to eight digit passwords and have a complexity filter. User education is important in this area, and in my last job I taught users to spell a phrase for their voice mail password. For example - IHATEVMX equates to 44283969.

Further, most phone systems allow for limiting and accounting of calling options (such as international long distance) with the requirement of a user password that is different from the voice mail password. While this might be a burden to some, a clear example like this story can help users understand why they need to take the extra few seconds for each call.

In all, I am a bit glad and a bit frustrated that the business owners got the charges reversed on their bills. In some ways, the scare alone may have been enough of a lesson - however a precedent is being set that if your automated systems are not configured properly, you won't have to pay for it.

Creative Commons image credit: richardandgill

Wednesday, April 2, 2008

Followup: Craigslist whole house looting

The Craigslist based looting I mentioned a few posts back resulted in a subpoena of Craigslist records, and the arrest of the couple who had posted the ad - apparently to cover the theft of saddles and other items. The Smoking Gun has mugshots and more details.

Investigators were lucky this time - the couple didn't use an anonymizing proxy or otherwise cover their tracks well enough to avoid being discovered. If this becomes a more common event, we'll likely see better concealment in the future.

Tuesday, April 1, 2008

FERPA updates: Recommendations for Safeguarding Education Records

On March 24th, the Department of Education released 34 CFR Part 99, "Family Educational Rights and Privacy; Proposed Rule". This is a proposed update to FERPA (the Family Educational Rights and Privacy Act of 1974).

The document lists a number of recent incidents, ranging from grade exposures to SSN and personally identifiable information disclosures, and suggests that a number of steps are available to organizations after exposure. Most organizations should have similar steps in their incident response plan - if you don't, this provides at least a basic overview of the steps you'll want to take.

Remember, FERPA does not have a specific requirement regarding notification of students in the event of unauthorized release or theft of their education records - but organizations are required to maintain a record of each disclosure. This is very different from many existing SSN and other PII disclosure laws.

As noted in the document, the Office of the Inspector General also provides a student-focused identity theft resource site (http://ed.gov/about/offices/list/oig/misused/idtheft.html), which includes a list of steps for victims to take: http://ed.gov/about/offices/list/oig/misused/victim.html. The FTC's identity theft guide is still an excellent resource as well: http://www.ftc.gov/bcp/edu/microsites/idtheft/