Thursday, January 29, 2009

The TCG Specifications: A Hard Drive Encryption Standard For Us All

Computerworld discusses the Trusted Computing Group's (TCG) disk encryption standards. The TCG includes all of the major hard disk manufacturers, resulting in a standard that can be broadly supported by software, and which will allow enterprise-wide encryption and management to be done far more easily.

Thus far, my experiences with this style of disk encryption are limited to Lenovo laptops, which appear to be missing one key element: a simple way for Joe User to check whether the drive is actually encrypted. The real key to making drive encryption work for users will be making it approachable and usable for everyday users as well as enterprise administrators.

Have you worked with hardware level FDE? If so, how was your experience?

Monday, January 26, 2009

Monster Announces Security Breach

Monster has posted an announcement of a breach:

"We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes."

The news has been picked up in various places, including the Consumerist and TechUrbia, and TechUrbia correctly notes that, much like after the 2007 compromise, users can likely expect targeted phishing attacks to begin now that accounts with access to resume data have been compromised.

As always, this is a great time to remind your users that password re-use is a bad idea.

IT Security Benchmarking: the CIS Benchmarks

The Center for Internet Security, or CIS, provides a variety of publicly available benchmarks which can provide an excellent foundation for your own organization's technical security standards. Perhaps more interesting, they also work to develop new benchmarks for various platforms, systems, and software packages. At the moment, an iPhone benchmark is in progress: version 1.0, for iPhone software version 2.2.

The CIS toolkit also includes a variety of scoring tools and mailing lists for each benchmark, including those in development.

Friday, January 23, 2009

Heartland Payment Systems Breach Site Published

Heartland Payment Systems has created a website to provide information about their data breach:

A number of their answers in the Q&A section are vague at best, including "What is the extent of the breach?" answered with "We believe the intrusion is contained."

Heartland is currently advising customers to review their statements; however, a list of affected institutions has not been released.

Email Disclaimers

Slate's Jack Shafer has a great take on email disclaimers and their legal relevance. While the article is from 2004, organizations and individuals continue to use them. I'm reminded of a friend who slowly changed his company's standard disclaimer to include lines like "throw a pinch of salt over your shoulder and spin widdershins". Nobody reads them, and nobody noticed.

Thursday, January 22, 2009

Playing TSA: Playmobil's Security Checkpoint

Amazon carries Playmobil's Security Checkpoint play set - from the description:

"The woman traveler stops by the security checkpoint. After placing her luggage on the screening machine, the airport employee checks her baggage. The traveler hands her spare change and watch to the security guard and proceeds through the metal detector. With no time to spare, she picks up her luggage and hurries to board her flight!"

(Image from Amazon's listing)

The Amazon reviews are priceless, with lines like "My 5 year old son pointed out that the passenger's shoes cannot be removed." as a starting point, and they quickly go downhill. Sadly, it doesn't come with a line of passengers waiting, nor is there a recording announcing that the security level is orange...

If this looks familiar, it was posted in a number of places as long ago as 2005, although I seem to have missed it then.

Wednesday, January 21, 2009

Disabling AutoRun...Doesn't Disable AutoRun?

The US-CERT has released advisory TA09-020A, "Microsoft Windows Does Not Disable AutoRun Properly".

Many organizations disable AutoRun as part of their default domain policy to prevent malicious programs from using AutoRun capabilities to spread malware. Sadly, Microsoft's current guidelines for disabling AutoRun are not completely effective.

From the alert:

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives." Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

The solution is reasonably simple - the following registry entry disables AutoRun:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

The US-CERT also recommends rebooting your system to prevent cached AutoRun information from continuing to allow already mounted devices to be exploited.
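As an added example (not code from the original post or from the US-CERT advisory), here is a Python audit of the three settings the advisory discusses: the Cdrom service's Autorun value, Explorer's NoDriveTypeAutoRun mask, and the IniFileMapping\Autorun.inf key. The value it expects under that key, "@SYS:DoesNotExist", is what the advisory's fix writes as the key's default value and is not shown above; the live read needs Windows, while the evaluation itself runs anywhere.

```python
# Added example (not from the original post or the US-CERT advisory): audit the
# three AutoRun settings TA09-020A discusses. Reading the live registry needs
# Windows; the evaluation logic is separate so it can be exercised anywhere.
try:
    import winreg                 # only available on Windows
except ImportError:
    winreg = None

CDROM_KEY = r"SYSTEM\CurrentControlSet\Services\Cdrom"                       # "Autorun" value
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"  # NoDriveTypeAutoRun
MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
# Default value the advisory's fix writes under MAPPING_KEY: Autorun.inf lookups are
# redirected to a registry location that does not exist, so the file is ignored.
MAPPING_FIX = "@SYS:DoesNotExist"

# NoDriveTypeAutoRun bits (bit position = GetDriveType() code); a set bit suppresses AutoRun.
DRIVE_BITS = [(0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"), (0x10, "network"),
              (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "unrecognised")]

def drive_types_still_enabled(mask):
    """Drive types whose bit is clear, i.e. where the mask alone leaves AutoRun on."""
    return [name for bit, name in DRIVE_BITS if not mask & bit]

def evaluate(autorun, no_drive_type_autorun, mapping_default):
    """Apply the advisory's reasoning to the three settings. Only the IniFileMapping
    entry counts as effective; the other two produce findings, never a pass."""
    findings = []
    if autorun == 0:
        findings.append("Cdrom\\Autorun=0 only disables Media Change Notification; "
                        "newly connected devices can still run Autorun.inf code")
    if no_drive_type_autorun is None:
        findings.append("NoDriveTypeAutoRun not set")
    elif no_drive_type_autorun == 0xFF:
        findings.append("NoDriveTypeAutoRun=0xFF: AutoPlay off, but clicking the device "
                        "icon in Explorer can still execute Autorun.inf code")
    else:
        left = drive_types_still_enabled(no_drive_type_autorun)
        findings.append("NoDriveTypeAutoRun=0x%02X leaves AutoRun on for: %s"
                        % (no_drive_type_autorun, ", ".join(left) or "nothing"))
    effective = mapping_default == MAPPING_FIX
    if not effective:
        findings.append("IniFileMapping\\Autorun.inf default value missing or not %r"
                        % MAPPING_FIX)
    return {"effective": effective, "findings": findings}

def _read_hklm(subkey, value_name):
    """Read one HKLM value; None when the key or value is absent (Windows only).
    NoDriveTypeAutoRun may also be set per user under HKCU; check that too if needed."""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, value_name)[0]
    except OSError:
        return None

def audit_live_system():
    if winreg is None:
        raise RuntimeError("live audit needs the Windows registry")
    return evaluate(_read_hklm(CDROM_KEY, "Autorun"),
                    _read_hklm(POLICY_KEY, "NoDriveTypeAutoRun"),
                    _read_hklm(MAPPING_KEY, ""))      # "" names the key's default value

if __name__ == "__main__":
    result = audit_live_system()
    print("effective mitigation present:", result["effective"])
    for line in result["findings"]:
        print(" -", line)
```

Run it after applying the fix and rebooting, as the advisory recommends, to confirm the default value actually landed under the IniFileMapping key.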

Analyzing robots.txt: The White House and Search Engine Indexing

Jason Kottke has an interesting post about the difference in the robots.txt seen on the White House website before and after the inauguration. The previous administration used a 2400+ line robots.txt file, which prohibited automated indexing of a wide variety of pages. The new administration's robots.txt has two lines.

The Bush White House's robots.txt included lines like this:

Disallow: /911/911day/text
Disallow: /911/heroes/text

While the text of those pages isn't sensitive, some sites may prefer that the data they deny access to isn't generally indexed and searchable.

This is a great reminder to security-minded administrators: relying on robots.txt to keep your content obscure only works with well-mannered robots. Those who read their logs carefully will note that many spiders do not actually heed robots.txt.

What would reconnaissance of your site reveal if your robots.txt was reviewed, and a web spider was then told to specifically ignore it and index your data? Would this provide more information than you might like? Some sites rely on the obscurity that not having their data indexed provides for a modicum of security or privacy. Do you?
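One way to do the log review suggested above, as an added example that is not part of the original post: parse your robots.txt with Python's standard-library parser, then walk the access log and list every client that fetched a path the file disallows. The robots.txt and log lines below are constructed for the example (the two /911/ paths are the ones quoted in the post); the host addresses and user agents are made up.

```python
# Added example (not from the original post): find which clients in a web server
# access log requested paths that robots.txt asks crawlers to avoid. The robots.txt
# and log lines below are constructed; the two /911/ paths come from the post.
import re
from urllib.robotparser import RobotFileParser

ROBOTS_TXT = """\
User-agent: *
Disallow: /911/911day/text
Disallow: /911/heroes/text
Disallow: /admin/
"""

# Constructed Combined Log Format lines; hosts (documentation ranges) and agents are made up.
ACCESS_LOG = """\
203.0.113.10 - - [21/Jan/2009:10:01:02 -0500] "GET /robots.txt HTTP/1.1" 200 88 "-" "PoliteBot/1.0"
203.0.113.10 - - [21/Jan/2009:10:01:03 -0500] "GET /news/ HTTP/1.1" 200 5120 "-" "PoliteBot/1.0"
198.51.100.7 - - [21/Jan/2009:10:02:11 -0500] "GET /911/heroes/text HTTP/1.1" 200 3310 "-" "RudeCrawler/0.9"
198.51.100.7 - - [21/Jan/2009:10:02:12 -0500] "GET /admin/login?next=/ HTTP/1.1" 403 221 "-" "RudeCrawler/0.9"
192.0.2.44 - - [21/Jan/2009:10:03:30 -0500] "GET /911/911day/text HTTP/1.1" 200 2900 "http://example.org/" "Mozilla/5.0 (Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def load_rules(robots_text):
    """Parse robots.txt text with the standard-library parser (no network access)."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp

def disallowed_fetches(log_text, rules):
    """(host, agent, path) for each request to a path the '*' rules disallow.
    Ordinary browsers show up too: robots.txt never kept them out, which is the point."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not Combined Log Format; skip
        path = m.group("path").split("?", 1)[0]       # rules are matched on the path only
        if not rules.can_fetch("*", path):
            hits.append((m.group("host"), m.group("agent"), path))
    return hits

def agents_ignoring_robots(hits):
    """Distinct user agents that fetched disallowed paths (a bot may spoof a browser UA)."""
    return sorted({agent for _, agent, _ in hits})

if __name__ == "__main__":
    for host, agent, path in disallowed_fetches(ACCESS_LOG, load_rules(ROBOTS_TXT)):
        print("%s %-30s %s" % (host, agent, path))
```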

Tuesday, January 20, 2009

Spyware Driven Credit Card Breach May Affect 100 Million

The Washington Post, via the Consumerist, reports that up to 100 million credit card numbers, expiration dates, and names may have been exposed by a breach at Heartland Payment Systems. Heartland processes payments for over 250,000 businesses, many of which are small and mid-size restaurants.

The breach was caused by "A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients."

Heartland will not be offering identity theft prevention, according to the Post's interview:

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said. "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers."

The Post also notes that announcing on inauguration day is a clever, non-5PM-on-a-Friday method of burying the announcement. We'll have to see how this one shapes up!

Monday, January 19, 2009

MacOS 10.5 Client Security Configuration Guide released

Apple has released the second edition of their MacOS 10.5 Client Security Configuration Guide. This guide was created in cooperation with the NSA, NIST, and DISA. It can be found at:

Friday, January 16, 2009

Aggressor Mindset: Gothamist Interviews a Shoplifter

Gothamist has an interesting interview with a shoplifter who primarily targets grocery stores. Security professionals will likely find some of the statements familiar:

Where do you usually hit? I have a few rotations with Whole Foods, one of the main targets because I've figured out the structure, the infrastructure of the place.

You've figured out the infrastructure? Correct. I call them blind spots, there are a lot of blind spots.

While the shoplifter's value per theft is relatively low ($50 on average), the frequency is disturbing: two or more times a week. These small thefts can bleed an organization quickly, and are a real concern for store security.

The shoplifter also offers advice for aspiring shoplifters:

Do you have any advice for aspiring shoplifters? Yes. First, choose your locations carefully, number one. Don't start right away, go there several times, walk around, get to know the people who work there, especially the ones who don't dress in uniform. Number two, the most important: get to know the camera system. You don't want to be directly under the camera, you don't want to be in front of the camera, you want to find blind spots, this is my technical term. Beyond the corner or the bottom reach of the camera.

Number three, always have an exit strategy. Meaning put things in different places, in your pocket or under your pants. Don't do it right away. First you take the item and walk with it for a little bit. Then when the moment is right and the inspiration is correct, you put it in there. And you don't run away right away, you stay and shop in the store for awhile until the energy comes down and then you calmly walk out. But the bottom line is don't rush, don't rush.

These are very similar to the plans a physical security penetration tester would prepare - but in this case, the theft is real.

Creative Commons Image credit gemteck1

Layout and Design Changes

We're changing our layout for the DAS blog - over the past two years of posts, we've found that some posts require a wider format than our existing template allowed. You'll see a series of changes to our design over the next week, all aimed at making the content more accessible and more readable.

Thanks to our readers thus far!

Thursday, January 15, 2009

When Security Professionals Are Like Cheese...

Jef Mallett's comic Frazz discusses how hackers are like cheese.

Some are, of course, more like Limburger than others.

Information Security: How Does Your Organization Fail?

Welcome ISC readers! While you're here, you may find our other articles on the security mentality interesting:

Our original article:

How does your organization fail at information security? The ISC's Lenny Zeltser breaks down many of the common failures in information security organizations - many of these are familiar.

A few of my favorites, with some commentary:

• Create security policies you cannot enforce. Or enforce security policies that make no sense, or are so egregiously bad that even your own security staff won't follow them.
• Assume that being compliant means you're secure. This is particularly common in organizations that have recently implemented PCI-DSS security requirements.
• Hide from the auditors - or better, provide incomplete information, or simply don't provide information at all!
• Let your anti-virus, IDS, and other security tools run on "auto-pilot." A common trap for understaffed organizations that do have funding for hardware or software is to buy solutions, but then to discover that they don't have enough time to maintain them. Increasing the number of security solutions, but not the time allocated to maintenance, is a deadly trap for security.
• Make someone responsible for managing risk, but don't give the person any power to make decisions. This often makes system administrators unhappy - they're told that they're responsible for the systems and their security, but also that they must provide any services their clients desire. They're left with all of the responsibility, and none of the rights.
• Assume you don't have to worry about security, because your company is too small or insignificant. This is one of the worst threats I've seen to smaller organizations, or those with data that they perceive as unimportant. I ask: "The question is not 'is your data important to them', it is 'is your data important to you?'. If it isn't, then why are you in business, or why do you keep it?"
• And finally, Dr. No syndrome: "Say 'no' whenever asked to approve a request." One of the fastest ways to fail is to be seen as a hindrance, rather than a partner. Yes, information security must know how to say no, but no is not the default answer.

As organizations mature, the mistakes they make tend to change. As policies and procedures become more ingrained, the mistakes made due to lack of knowledge or worries about security are likely to develop into issues with complexity, familiarity, or organizational habit.

Wednesday, January 14, 2009

Aisle 3: Personal Hygiene and IEDs. (Improvised Explosive...Deodorant?)

This South Bend Tribune article is a great reflection of the culture of fear we have become accustomed to in the U.S. An entire WalMart was shut down because a suspicious package was found in the deodorant aisle. The package's contents? A shrink-wrapped two pack of deodorant which was suspicious because "attached to the bottom of one was what appeared to be a piece of machinery, possibly from the plant where it was manufactured." We cannot dismiss domestic terrorism as an impossibility, but we also need some level of rationality in our response - or we will be defusing deodorant in the personal hygiene aisle while other, more realistic security threats go unnoticed.

The line between caution and fear is a difficult one, and awareness can create unnecessary worries. As information security professionals, our responsibility is to ensure that our awareness efforts do not result in overreaction. How do you ensure that your awareness efforts don't backfire?

In this environment, the security version of Godwin's law becomes: "As we implement more security measures, the probability of using terrorism as a justification approaches one."

Tuesday, January 13, 2009

High Tower: A Google Sites Site?

For those who have been following the ongoing saga of High Tower's disappearance, the change in their site says interesting things. The site is now hosted by Google Sites, and is simply a logo with no detail.

The SIM vendor's site had remained up until now. Does this mean that the vendor's servers have been turned off? What comes next for customers?

Monday, January 12, 2009

Protect Files: Making MacOS Encrypted Spaces Easier

SecurityMonkey, author of "A Day in the Life of an Information Security Investigator", wrote a brief piece on Protect Files, a $14.95 MacOS application that makes Encrypted Spaces significantly easier to use. I'll continue to use TrueCrypt for my own use, but for users who prefer MacOS native tools, this may be a good candidate.

Saturday, January 10, 2009

Sentry Safe's Unsafe Survey

Sentry, maker of a wide range of safes, requests some interesting information on their new safe owner's registration form. The form requests a surprising amount of information for a warranty registration form, including a number of details that would concern any security-minded individual.

A few of the more sensitive bits of information that you'd be mailing off are:

• Your address
• Who you purchased the safe for
• Where you will locate it (garage, basement, den, bedroom)
• How many guns you own
• How you stored your guns previously
• How much you make
• The other members of your household and their ages

All of this is placed in a handy postcard-sized fold-out survey, ready to be mailed out. Individually, none of this information is particularly dangerous; however, taken as a whole, it provides a profile of a potential target - who, happily, gave you the model number and possibly the location of their safe!

Is this a huge threat? Probably not, but would new safe owners want to disclose the location of their safe, their income, and how many firearms they have? Probably not. Sometimes, security by obscurity isn't so bad.

Friday, January 9, 2009

Another Good Security Blog: the 451 Group's Plausible Deniability

Plausible Deniability, the 451 Group's security blog, is another security blog with broad coverage of the information security space. Well worth a read - if only to determine the best infosec name for a kitten.

Thursday, January 8, 2009

High Tower Topples?

High Tower Software, a SIM/SIEM vendor, hit the news (further coverage on Xconomy and Anton Chuvakin's Security Warrior site) in late November due to a shutdown. Various rumors came out of the company, and Brandon Dunlap's writeup on Brightfly tells a lot of the story. ArcSight jumped in immediately with Google ads, which Dunlap's article shows. LinkedIn showed a flurry of title changes from High Tower employees, as well as a number of recommendations, both of which are often seen when a company shuts down.

High Tower customers, however, were not so well informed, and remain largely in the dark about the disposition of the company. The High Tower website hasn't seen an update since November, and the company's pending release of its newest software version has not occurred.

High Tower met needs across the SIM/SEM spectrum, and competed with companies like TriGeo and with industry heavyweights like ArcSight. Where does this leave customers? For the moment, they are left in limbo, albeit with functioning systems.

Wednesday, January 7, 2009

ColdFusion Security, blog style

12Robots is a great blog that frequently covers ColdFusion security and secure web coding topics. Take a look - Jason Dean covers things like input validation and cookies, and those posts make a great reference for ColdFusion developers.

Tuesday, January 6, 2009

Twitter Hack Targets High Profile Users

The BBC and other news outlets are reporting a hack of Twitter accounts via an email change utility. The hacked accounts, including those belonging to Britney Spears and Barack Obama, were used to post various false messages.

The Huffington Post has screenshots and further details, including the post made to the Fox News Twitter feed.

Twitter hacks present an interesting attack vector, as many Twitter users use TinyURL to post links, potentially obscuring a link's real destination. In addition, most Twitter users believe that they know the person posting, leading to a higher default level of trust. A hacked Twitter account from a trusted source such as a news agency or a well known individual would be an excellent vector for future attacks.

Creative Commons image courtesy of carrotcreative.

Monday, January 5, 2009

Do You Have The Orange Book?

A co-worker pulled his copy of the Orange Book out today - a familiar sight to many security practitioners. When is the last time you saw a copy of the TCSEC standard in its bright orange glory?

Saturday, January 3, 2009

Shades of Y2K - The ZY2K9, or New Years Zunicide

Most of the world remembers the worries around Y2K and the potential (and real) bugs that were expected to shut down or harm information processing systems that night as we entered the new millennium. In the end, very little happened, much to the relief of the world.

The end of 2008, however, had a surprise in store for Zune owners. 30 GB Zunes worldwide stopped working due to a year-end bug. Microsoft's response doesn't promise a bug fix - rather, users were asked to wait until the 1st, and to reboot their Zunes using the following process:

1. Disconnect your Zune from USB and AC power sources.
2. Because the player is frozen, its battery will drain—this is good. Wait until the battery is empty and the screen goes black. If the battery was fully charged, this might take a couple of hours.
3. Wait until after noon GMT on January 1, 2009 (that's 7 a.m. Eastern or 4 a.m. Pacific time).
4. Connect your Zune to either a USB port on the back of your computer or to AC power using the Zune AC Adapter and let it charge.

If the Zunes were a critical medical device, or Internet infrastructure systems, this would have been a huge issue. As it is, Zune owners are upset, and may be questioning what happens at the next four-year changeover if they're still using their players.

Friday, January 2, 2009

How Does Your Browser Stack Up?

Chapin Information Services' tests of mainstream browsers point out numerous issues in how browsers store passwords.

Chapin notes that the password storage features in many of these browsers share three issues:

1. The destination where passwords are sent is not checked.
2. The location where passwords are requested is not checked.
3. Invisible form elements can trigger password management.

These issues stack up to a bad day for Google's Chrome browser, but the rest of the browsers in common use don't fare particularly well either. For those interested in this form of browser attack, the tests themselves should provide some useful starting points.

For now, your best option is to never use the built-in browser password store - instead use an application like Password Safe or KeePass.

Thursday, January 1, 2009

Rogue CA Certificate Using PlayStations and MD5 Collisions

Alex Sotirov and Jacob Appelbaum presented "MD5 Considered Harmful Today: Creating a rogue CA Certificate" at the 25th Chaos Communication Congress (or 25C3). Their process, which relied on a cluster of 200 PS3 consoles, creates a valid rogue CA certificate that will be accepted by major browsers. The only real fix for this is for browsers to move to SHA-1, which avoids the known collision attacks on MD5. In the short term, this is unlikely to be exploited, but the proof of concept does point to the need to move to a more secure verification method.

ZDNet has more, including details from Sotirov and Appelbaum, as well as a link to their demo site, which uses a backdated CA from 2004 to demonstrate the issue.
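An added example (not code from the original post or from the 25C3 talk) that checks the one property the attack depends on: whether a certificate's outer signatureAlgorithm is md5WithRSAEncryption. The certificate bytes are constructed here with a minimal DER encoder, not taken from any real CA; in practice you would feed the function the DER of each certificate in a chain.

```python
# Added example (not from the original post or the 25C3 talk): read the outer
# signatureAlgorithm of a DER-encoded X.509 certificate and flag MD5-based ones.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"    # md5WithRSAEncryption
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"   # sha1WithRSAEncryption

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Contents of an OBJECT IDENTIFIER to dotted notation (base-128 sub-arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (second element of the outer SEQUENCE)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)

def is_md5_signed(cert_der):
    return signature_algorithm(cert_der) == MD5_WITH_RSA

# --- constructed sample input: structurally valid certificates with dummy contents ---
def tlv(tag, body):
    """Minimal DER encoder, used only to build the samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                          # higher groups first, continuation bit set
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def sample_cert(sig_oid):
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                      # stand-in tbsCertificate
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))    # AlgorithmIdentifier + NULL
    sig = tlv(0x03, b"\x00" + b"\xab" * 128)                 # dummy BIT STRING signature
    return tlv(0x30, tbs + alg + sig)                        # long-form length exercised

MD5_CERT, SHA1_CERT = sample_cert(MD5_WITH_RSA), sample_cert(SHA1_WITH_RSA)
```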