Security News Clips
Stuff You Should Know

January 27th, 2010 by Dennis H in West Virginia, US

ATM fraud continues to grow. Take a close look at that ATM machine before you feed it your card. This bank in Texas lost $200,000 to this scam.

Here is a social-networking risk you may not have considered. Hackers may attack your friends if you have access to sensitive data and visit social networking sites.

If you are a Chrome user, make sure you are up to date.

Have I mentioned the importance of keeping browser add-ons up to date? Here is an article about the exploit packs that can be purchased and installed on compromised websites. These exploit packs send a barrage of attempted exploits at your browser. If one does not work, the next one may. It is effective - many of these vulnerabilities have long since been fixed, but there will always be some folks who are not up to date.

100% accurate spam filtering? Well, for the time being, anyway - turning the spammers' dirty tricks against them.

Who pays when a bank account is compromised? There are a number of pending cases in which the account holder has filed suit against the bank for not maintaining adequate security, but this Texas bank has preemptively sued the account holder.

Dennis

Dennis H in West Virginia, US

January 27, 2009

Important Updates from both MS and Apple

January 21st, 2010 by Dennis H in West Virginia, US

First, a couple from Microsoft:

This one dates back no less than 17 years and is related to a virtualization technology that allows 16-bit applications to run on 32-bit Windows platforms (virtualization is NOT a new technology). 64-bit versions of Windows are only minimally affected, but 32-bit versions that have 16-bit execution enabled are vulnerable.

This vulnerability in IE is serious enough to prompt Microsoft to issue an emergency patch today. Yes - that means it is serious.

If you are a Mac user feeling smug about those MS security woes, you should know that Apple has also issued a security update that addresses a dozen serious security issues as well.

More "stuff you should know" coming soon...

Dennis

Dennis H in West Virginia, US

January 21, 2009

Security News – Stuff U Should Know About

January 18th, 2010 by Arthur Wiebe, Canada


You may have noticed that the focus and the format of the Security Corner has changed a bit. I will be posting current news items and short tips twice per week, mostly in the form of links. Two or three times per month, I will post longer articles as well.

The MiFi - cool tool, but it has a GPS, so your provider has a record of where you are and where you have been. As it turns out, they may not be the only ones that know.

Be careful where you get your Quicktime movies. There is a buffer overflow vulnerability in older versions of QT. A malformed .mov file can be used to execute code. The current version has not been shown to be vulnerable to remote code execution, but may crash. If it can be crashed, remote code execution is usually around the corner.

Not all threats come from the outside. "Trusted" employees can represent even greater threats because they have privileged access.

ATM fraud - more common than you think. Check out this skimmer - complete with a camera to record PIN entries. Pay attention when visiting that ATM!

The "Google attack" had broad implications. The Chinese attack on Google is one of the biggest security stories in recent months. I have had little to say about it, because it has been so well covered by the media. The broader implication is that even a company like Google (not to mention Adobe and many others) is vulnerable to zero-day attacks. Never ASSUME your clients are safe - check for signs of unusual activity and NEVER, NEVER stop raising their level of awareness.

Dennis

Dennis H in West Virginia, US

January 18, 2009

Adobe critical patches

January 14th, 2010 by Dennis H in West Virginia, US

Microsoft's "patch Tuesday" was pretty low-key this month (unless you are still running Windows 2000), but Adobe has released some critical patches. Keeping applications, especially those used for internet access, patched is now as important as keeping the operating system patched.

Clients often ask why their anti-virus program failed to catch a piece of malware that infected their computer. Here is one of the tools that malware-writers can use to test their wares to see which AV programs are able to detect them as malware. This company does not hide the fact that this service is for malware writers and the results are NOT reported to the AV vendors. This makes it much easier for the "bad guys" to test their code and stay ahead of the AV vendors.

Depending upon your point of view, these "security researchers" are forcing software vendors to address security flaws quickly, helping the "bad guys" wreak havoc on internet users, or are just plain acting irresponsibly. These folks are releasing one "zero-day exploit" per day for 30 days - without giving the vendors any advance warning. They say that vendors do not respond unless the exploits are released publicly. The next month could be a busy one.

Want to test a site before you visit it? Here are four sites where you can paste URLs before you visit them to get a report.

Dennis

Dennis H in West Virginia, US

January 14, 2009

Creating an Information Management Plan – Part 6
Controls – What Kind of Armor Do We Need?

January 11th, 2010 by Dennis H in West Virginia, US

News:

W3C Standard for a Database Engine Within the Browser - Cool, but Will it Create More Security Holes?

The Fix for the SSL Renegotiation Flaw Has Been Finalized

Encryption Keys Will Continue to Get Bigger (Note that This Refers to RSA Asymmetric Keys - 128-bit Symmetric Keys are Still Strong)

Google Chrome Takes the Lead in Browser Sandboxing

Google Localized Search - Do You Want Google to Know Where You Are (and Have Been)?

Controls – What Kind of Armor Do We Need?

Up to this point, we have classified the types of sensitive data under our care, determined where that data lives, and documented the various channels over which it is transmitted. Now that we have found it, how do we keep it safe? The mechanisms used to protect data are controls. Controls fall into three categories:

Administrative Controls: These are policies and procedures that are designed to let everyone who comes into contact with data know what access and what actions are permissible. These have to be backed up by physical and technical controls.

Physical Controls: These are tangible protection mechanisms, such as locks, video cameras, etc. Physical security is often overlooked by IT professionals.

Technical Controls: In terms of data protection, these generally fall into two categories – access controls and encryption controls.

Access Controls are used to prevent data from being viewed, transmitted, or printed.

Encryption Controls are used where we cannot control access, or as an additional control in case our access controls are not effective. If data is properly encrypted, it does not matter whether it is viewed, copied, or printed. There are two aspects to maintaining proper encryption controls – encryption strength and key management. These have been discussed in depth in other Security Corner articles.

The types of controls available will vary, depending upon the environment. The cost of controls varies greatly. Cost is sometimes measured in terms of dollars (or Rand, etc.), but more importantly, the cost of a control must be measured in terms of the effort required to implement it and the amount of inconvenience it imposes on those who use the system.

The details of these controls are beyond the scope of this article. They have been the focus of past articles and will certainly be the focus of future articles. The important point in terms of our Information Management Plan is to determine what controls are available and which ones have acceptable costs.

In Part 7 of this series, we will take the three types of information we have gathered – data classifications, data locations and transmission channels, and controls, and use them to generate a matrix. From that matrix, we will generate information protection policies.

Dennis

Dennis H in West Virginia, US

January 11, 2009

Creating an Information Management Plan
Part 5 – Where Doth Thy Data Wander?

December 24th, 2009 by Dennis H in West Virginia, US

In Part 4 of this series, we asked the question: “Where does the data live?” Sensitive data that is at rest must be protected by access controls and by encryption, according to its classification and security policies. Data does not stay in one place, though – it does not even stay in the many places where it lives. Data moves. That is to say, it is transmitted electronically. In a controlled environment, transmission occurs with our knowledge and our intent. If we lose control over the environment, transmission may occur without our knowledge or our intent. Data that is being transmitted can also be intercepted, captured, or redirected.

An effective Information Management Plan includes documentation of when and how data is transmitted. The plan also includes provisions for detection of unauthorized transmission.

Data is transmitted either over wires, using electrical signals, or wirelessly, using radio waves. Transmission takes place between trusted devices within our network, which we **assume** is a controlled environment, and data is also transmitted to un-trusted devices outside our network. To control authorized transmissions of sensitive data:

1. The first step is to document every transmission link across which sensitive data is sent, whether it is transmission to a backup device, file transfer between locations, email messages, faxes, and even print jobs.
2. For each transmission link, we assess the risks based on the classification of the data being transmitted and the type of link. Obviously, transmission links that include public networks carry a much higher risk than those that are limited to the local network. Wireless links carry more risk than wired links.
3. Based on this risk, we then establish a policy for each type of data transmission. That policy determines what measures should be taken to protect the data. The best way to mitigate the risk of having data captured in transit is encryption, so policies typically require that any sensitive data being transmitted over public links must be encrypted. Strong encryption is important because any attacker that does manage to capture transmitted data will have unlimited time in which to attempt to break the encryption.
4. Email deserves some special attention because it is a standard medium for transmitting data. Separate policies regarding what types of information can or cannot be sent via email are necessary for any organization that requires a high level of security. Email security policies are also important for compliance with applicable laws and regulations.
5. Wireless links should be encrypted using WPA or WPA2 (and AES, if possible) encryption, regardless of the type of data being transmitted.

That covers the transmission of data that is authorized. Sometimes, though, there can be unauthorized transmission of sensitive data. This can be done unintentionally by users who do not understand or do not follow policy, or intentionally, by malicious users or unauthorized applications (a.k.a. malware). To guard against unauthorized transmissions of sensitive data:

1. Keep antivirus signatures up to date, and keep the operating system and applications (especially those exposed to the internet) patched. This is the BEST protection against unauthorized applications.
2. Regular port scanning – most unauthorized applications open high-numbered ports for communications. Periodic port scanning will often detect these open ports.
3. Regular vulnerability scanning – vulnerability scanners look for a number of things, including open ports, rootkits, and other indications of unauthorized applications.
4. Monitor outgoing traffic – periodic checks of outgoing traffic can be run using a protocol analyzer (a.k.a. a traffic “sniffer”). This should be done if there is any reason to suspect unauthorized traffic. Any unexpected encrypted traffic (SSL or otherwise) merits investigation – many unauthorized applications that send out data send it over an encrypted link to avoid detection.
5. Install DLP (Data Loss Prevention) software. This software is specifically designed to analyze outgoing traffic for sensitive data.
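The checks in items 2 and 4 can be partly automated against a known baseline. The Python script below is an added example, not code from the Security Corner: it parses a constructed netstat-style socket listing, reports any listening port that is not on the approved list, and flags outbound connections to hosts outside the internal range that are not on an allowlist, calling out encrypted destinations (443 and similar) separately because those are the ones the article says merit investigation. The internal network range, the approved listeners, the approved external host and the sample listing are all constructed assumptions.

```python
"""Spot-check of listening ports and outbound connections against a baseline.

Added example (not the Security Corner's code). The socket listing, the internal
address range, the approved listeners and the approved external hosts are constructed.
"""
import ipaddress
from typing import List, NamedTuple


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


# Constructed baseline for the host being reviewed.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # our own network
APPROVED_LISTENERS = {("tcp", 443), ("udp", 53)}       # services this host is meant to offer
APPROVED_EXTERNAL = {"203.0.113.7"}                    # e.g. the update server
ENCRYPTED_PORTS = {443, 465, 993, 995}                 # ports where traffic is normally TLS

# Constructed sample in a netstat-like shape: proto local remote state (one socket per line).
SAMPLE = """\
tcp 10.0.0.12:445 10.0.0.3:51722 ESTABLISHED
tcp 10.0.0.12:443 0.0.0.0:0 LISTEN
tcp 10.0.0.12:31337 0.0.0.0:0 LISTEN
tcp 10.0.0.12:49812 203.0.113.7:443 ESTABLISHED
tcp 10.0.0.12:49813 198.51.100.20:443 ESTABLISHED
tcp 10.0.0.12:49814 10.0.0.5:25 ESTABLISHED
udp 10.0.0.12:53 0.0.0.0:0 UNCONN
tcp 10.0.0.12:49815 192.0.2.9:8080 ESTABLISHED
"""


def parse_sockets(text: str) -> List[Socket]:
    """Parse the netstat-like listing into Socket records, skipping blank lines."""
    sockets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, local, remote, state = line.split()
        local_ip, local_port = local.rsplit(":", 1)
        remote_ip, remote_port = remote.rsplit(":", 1)
        sockets.append(Socket(proto, local_ip, int(local_port),
                              remote_ip, int(remote_port), state))
    return sockets


def review(sockets: List[Socket]) -> List[str]:
    """Return one finding per socket that departs from the baseline."""
    findings = []
    for s in sockets:
        if s.state in ("LISTEN", "UNCONN"):
            # Item 2: an open port nobody approved, typically high-numbered.
            if (s.proto, s.local_port) not in APPROVED_LISTENERS:
                findings.append(f"unexpected listener {s.proto}/{s.local_port}")
            continue
        if ipaddress.ip_address(s.remote_ip) in INTERNAL:
            continue                                   # traffic stays inside our network
        if s.remote_ip in APPROVED_EXTERNAL:
            continue                                   # known, approved destination
        # Item 4: outbound to a host we did not expect. Encrypted destinations are
        # reported separately because unauthorized senders often use them to avoid detection.
        if s.remote_port in ENCRYPTED_PORTS:
            findings.append(f"unexpected encrypted outbound to {s.remote_ip}:{s.remote_port}")
        else:
            findings.append(f"outbound to unlisted host {s.remote_ip}:{s.remote_port}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_sockets(SAMPLE)):
        print(finding)
```

Run against the sample, the script reports the listener on 31337, the TLS connection to 198.51.100.20 and the plaintext connection to 192.0.2.9, and stays quiet about the approved update server and the internal SMB and SMTP traffic. On a real host the listing would come from netstat or an equivalent tool, and the baseline from the transmission-link documentation described earlier in this part.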

Dennis

Dennis H in West Virginia, US

December 24, 2009

Creating an Information Management Plan – Part 4
Where Does the Data Live?

December 16th, 2009 by Dennis H in West Virginia, US

Once data has been classified and we know what types of sensitive data a system stores or processes, we have to locate the data we want to protect. Data exists in one of two states – it is either at rest or in transit. We have to ask two questions:

1) Where does the data live?

2) Where does the data go?

In this installment, we will focus on the first question. In part 5, we will focus on the second one.

Any data that is stored, even data stored in RAM during processing, is at rest. Data at rest can be found:

1) On hard drives, in the working file structure
2) On backup tapes or other backup media
3) On removable media, such as CDs, DVDs, floppy disks (remember those?), and USB storage devices
4) On “hard copy” – printed copies in file cabinets, in brief cases, in desk drawers, or in trash cans
5) On LAPTOPS, which are mobile devices with hard drives. This is a MAJOR concern – for obvious reasons. There will be an installment in this series devoted to laptop security.
6) On other portable devices, such as phones and PDAs. This is a growing concern. Gone are the days when the only concern was the contact list. Smartphones are computers that can make phone calls, and the data they carry with them must be included in the Information Management Plan.

These are the areas of concern in most business environments. We should be aware, though, that data at rest can also be found in some other places. In highly secure environments, we also have to concern ourselves with data:

1) On hard drives, in “non-working” file structures, such as temp files or time-save files
2) On hard drives, outside the file structure - in files that have been “deleted” from the file system, in hard drive sectors that have not been completely overwritten (the “slack space”), and in hibernation files.
3) In memory while it is being processed.
4) In fax memory.

When the system includes servers, workstations, multiple faxes and printers, and many users, documenting all these locations can be a substantial task.

In order to more effectively manage and protect sensitive data, we want to consolidate it into as few locations as possible. The more we can reduce the number of folders or directories that contain sensitive data, the more easily we can control access and apply encryption where appropriate. This is one of the BEST reasons for installing a server and maintaining all user data on server shares.

If sensitive data cannot be consolidated onto shares on a single computer, this should at least be done on each individual computer. All sensitive data should be consolidated into one or more folders to which access is controlled. Files requiring encryption should be consolidated into encrypted folders or volumes. Access controls and encryption will be discussed in later installments of this series.

All of this requires careful planning, documentation, and review.

Individuals will still require access to unencrypted data to do their jobs, and this always presents a risk that they will intentionally or unintentionally copy this data to locations other than those designated. There are four controls that we can use to mitigate this risk:

1) Education, training, and awareness – everyone has to be aware of data classifications, the importance of protecting sensitive data, and the methods used.
2) Policies – written policies MUST be in place to ensure that EVERYONE knows what is and is not acceptable use of systems and what procedures must be followed. Effective policies include signed acknowledgments and consequences for failure to comply.
3) Endpoint security – software can be employed to limit or prohibit the use of USB devices, mobile devices, and removable media.
4) Information audits – periodic scans of hard drives and other devices should be done to check for certain types of sensitive information outside of the designated locations.
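The information audit in item 4 can be scripted. The Python example below is added here and is not the article's own code: it walks a directory tree, skips the designated folders, and reports files outside them that contain card-number-like strings passing the Luhn check or US Social Security Number patterns. The designated folder names, the detection patterns and the sample files are constructed assumptions; a real audit would extend the pattern list to whatever the plan's data classifications call for.

```python
"""Information audit: flag sensitive-looking data stored outside designated folders.

Added example (not the Security Corner's code). The designated folder names,
the detection patterns and the sample files are all constructed for the demo.
"""
import os
import re
import shutil
import tempfile
from typing import Dict, List

# Constructed assumption: top-level folders where sensitive data is allowed to live.
DESIGNATED = {"confidential", "private"}

# 13-19 digits, optionally separated by spaces or dashes (card-number candidates).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US Social Security Number shape: 3-2-4 digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> List[str]:
    """Return the kinds of sensitive data found in text (empty list if none)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The Luhn check weeds out order and phone numbers that merely look like cards.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append("card-number")
            break
    if SSN_RE.search(text):
        hits.append("ssn")
    return hits


def audit_tree(root: str, designated=DESIGNATED) -> Dict[str, List[str]]:
    """Walk root and report files outside the designated folders that hold sensitive data.

    Keys are paths relative to root with forward slashes; values are the hit kinds.
    """
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir.split(os.sep)[0] in designated:
            continue                      # designated location: allowed to hold sensitive data
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue                  # unreadable file: skipped here, a real audit would log it
            hits = classify_text(text)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory tree for the demo and return its root."""
    root = tempfile.mkdtemp(prefix="audit-")
    files = {
        "confidential/cards.txt": "Card on file: 4111 1111 1111 1111",   # allowed location
        "public/brochure.txt": "Our product ships in 2010. Call 304-555-0100.",
        "shared/notes.txt": "Customer paid with 4111-1111-1111-1111, SSN 123-45-6789",
        "shared/order.txt": "Order ref 4111111111111112",                # fails Luhn, not a card
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, kinds in run_demo().items():
        print(f"{path}: {', '.join(kinds)}")
```

Only shared/notes.txt is reported: the card number in the confidential folder is where policy says it belongs, the brochure's phone number is too short to be a card, and the order reference has the right length but fails the Luhn check. Pointing audit_tree at a real share or user profile is a matter of changing the root and the designated set.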

As we can see, the answer to “Where does the data live?” can be fairly complex. In the next installment, we will look at the second question – “Where does the data go?”

Dennis

Dennis H in West Virginia, US

December 16, 2009

Creating an Information Management Plan – (Part 3)
Data Classification

December 7th, 2009 by Dennis H in West Virginia, US

Protecting sensitive data requires an expenditure of money, time, and effort. We want to protect all of our client's sensitive data, but we don't want to waste resources on data that is not sensitive. In addition, some kinds of data require more protection than others. We need a way to identify and classify sensitive data.

The most familiar data classification system is that used by many government and military organizations: Top Secret, Secret, Confidential, Restricted, and Unclassified. This is not the best fit for most businesses. A more appropriate classification is Confidential, Private, Sensitive, and Public. The first three are different types of "sensitive" data, and the fourth is data which is not "sensitive".

Confidential data includes proprietary information that the organization owns - company financial records, customer or client lists, formulas, recipes, processes, and any other data that could harm the company directly if improperly disclosed.

Private data is data for which the company serves as custodian, but does not necessarily own. In other words, data about other individuals or organizations. This includes employee records, patient records, and the financial records of others. Improper disclosure could harm the individuals or organizations. This data is typically subject to legal or regulatory requirements, such as PIPEDA in Canada, HIPAA or GLBA in the US, or the PCI DSS, which applies to vendors in all countries.

Sensitive data is not specifically subject to legal or regulatory requirements, but its disclosure could cause harm to others. An example is medical records maintained by an attorney in the US. Only medical providers are subject to HIPAA regulations. However, non-medical providers can still be held liable for any harm caused by unauthorized disclosure of information. As data custodians, they have a legal obligation to exercise due diligence in protecting the property of others, including data.

Public data is everything else - data that would cause no appreciable harm if publicly disclosed.

Any data that your business client would not want posted on a bulletin board in the lobby falls into one of the first three categories.

The legal requirements are different for each country, and there may be additional state or provincial laws. You have to be familiar with the laws that apply to your client's business.

Next: Where does (or should) your client's sensitive data live?

Dennis

Dennis H in West Virginia, US

December 7, 2009

Every Business Should Have an Information Management Plan (Part 2):

November 26th, 2009 by Dennis H in West Virginia, US

What is "Sensitive Information"?

This is the second part of a multi-part series on creating an information management plan for business clients.

Basically, any information that your client would not want posted on the bulletin board is potentially sensitive information. Many clients will say that they do not have that much sensitive data on their systems. This may be true, but there are some questions we have to ask them.

Do you have sensitive information?

- Do you process any "keyed" credit card transactions or take any credit card information over the telephone? If so, is the credit card information ever written on a piece of paper? What happens to that paper after the transaction is processed? (The PCI DSS requires that the paper be shredded immediately in a crosscut shredder.) What controls (written policies, supervision, etc.) are in place to ensure that this happens?

- Is any credit card information kept on file, either on paper or in an electronic form? The PCI DSS requires that access to such records be controlled. The PCI DSS also clearly states that the 3-digit security code on the back of the card MUST NOT be recorded or stored - it should not be written down in a paper file or stored electronically, even in an encrypted form.

- Do you process payroll or keep any employee files (practically every employer does maintain employee information, even if they contract payroll to a third-party)?

- Do you maintain customer or client lists that you do not share with everyone in the business and/or the public?

- Do you maintain financial records for clients or business partners?

- Do you maintain client or patient records that you are required by law to protect (examples would be PIPEDA in Canada, HIPAA for health information in the US, GLBA for financial records in the US - every country has laws requiring protection for certain types of records. You need to research laws in your country)?

- Do you maintain records about ongoing projects, bids, company process, or other information that you have developed, "company secrets", ways that you do things, etc. that you would not want to be made public?

- Do you have internal or external correspondences or documents (emails, internal memos, etc.) that you would not want to share with everyone in your organization?

Most business clients will answer "yes" to one or more of these questions. If there are no controls in place to protect sensitive data, it should be assumed that ANYONE who wants to could access that data. All businesses have SOME controls in place - our job is to determine what controls ARE in place and what controls SHOULD be in place, based on the answers to the questions above.

Next:
Data Classification

Dennis


Dennis H in West Virginia, US

November 26, 2009

New iPhone worm can act like botnet say experts

November 24th, 2009 by Diego T in Cochabamba, BO
Jail-breaking an iPhone handset invalidates the warranty says Apple.

A second worm to hit the iPhone has been unearthed by security company F-Secure.

It is specifically targeting people in the Netherlands who are using their iPhones for internet banking with Dutch online bank ING.

It redirects the bank's customers to a lookalike site with a log-in screen.

The worm attacks "jail-broken" phones - a modification which enables the user to run non-Apple approved software on their handset.

The handsets at risk also have SSH (secure shell) installed.

Many people use SSH so other programs can remotely connect to an iPhone and, among other things, transfer files. It comes with a default password, "alpine", which should be changed.

Only users who have installed SSH and not changed the password are at risk.

The new worm is more serious than the first because it can behave like a botnet, warns F-Secure.

This enables the phone to be accessed or controlled remotely without the permission of its owner.

Source: BBC News
