Toolbars and Privacy

Digital Trust has always advised clients to restrict or forbid browser toolbars, in corporate environments and on personal computers alike. Toolbar installations have been behind several security failures we have seen. Simply put: 1) your computing activity has value to someone, and 2) useful-looking software can be a Trojan horse that gets far less welcome software onto your machines.

Given the value of our privacy and our data, it is only natural that hostile parties will try to gain access to our systems. And given the nature of programming, it is only to be expected that even the best toolbar developers will make mistakes that compromise our expectation of privacy. Google, arguably the smartest tech company in existence, fell on its sword with its search toolbar when it was found that turning the toolbar off did not stop it reporting back to the mother ship.
Industry is also seeing an uptick in corporate espionage, which means a single workstation on your network running one bad piece of code can defeat your security measures wholesale. Organizations need application whitelisting to restrict what can run on corporate computers, and network access controls to restrict which devices can talk to the network.
Your data has value to someone, and the more competition heats up, the more likely your company is to be targeted. A layered security implementation that addresses your company's actual risks and asset protection needs is a requirement; failing to pursue a measured, reasonable response invites being labeled negligent, and fails your customers.
Digital Trust can, of course, help with all of this, but more importantly, find someone you can work with to secure your corporate assets, and don't neglect your personal home computers.
Attackers are hunting your data, more or less intensely depending on what you do, but they are out there. If for no other reason, your computers have value as a platform for launching attacks against a more valuable target. So protect yourself. It is much more enjoyable to have a security professional tell you about an exposure than it is to talk through the incident with the FBI. Do your risk assessments. Be secure.
Digital Trust, LLC

This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name is removed.


Recent hacking efforts, which may or may not have been Chinese, lead me to suspect we are about to enter a phase of computer espionage unlike anything since the 1600s, when private pirates roamed the seas in pursuit of foreign vessels with the (concealed) blessing of the monarch whose port they called home. These privateers plied the seas for some 300 years in private wars of sorts, in a world divided into many powerful independent countries, not unlike the Internet today.

We used to say the Internet was like the Wild West, but that was then and this is now. The West was a homogeneous frontier where local law was meted out without much regard for precedent. Today we have several powers crossing international borders: a little like the Mexican bandit raids of old, but more closely mirroring the privateers. In time this too shall pass, and my guess is we will end up in a cold digital war. History has a way of doing that.
So, assuming privateers are the blossoming security threat, and setting the moral question aside for the philosophers and ethics professors, what does it look like, and what should we expect?
For starters, we have to quit blaming the source country. Any security professional will tell you that the origin you think you see is in all likelihood not the true source. A cyber cafe is the perfect place to plant a set of hacking utilities, creating a false harbor to attack from. Anyone can get code onto just about anything, anyplace. It may not stay there long, but if you are funded, many more options open up. One could, for example, spend $300 on a low-end laptop with wifi and an extension cord. Sneaking that inside a company perimeter is child's play (in fact, kids do it all the time, pirating wireless in their neighborhoods). It may not last the week, but in that week a pro can use that jump point to create 100 new jump points. Universities are another obvious infection point. And once a base of operations is established, it is not much of a problem to build a chain of compromised hosts across several countries and engage the real target with impunity.
Given funding, or at least a blind eye from the host country, a hacker can accumulate money or intellectual property with no fear of reprisal. The host country claims ignorance as long as it gets its piece, and the privateer keeps at least part of the loot.
On the international scale there is an additional complication. If a hacker breaks into a company and steals money, blackmails it, or makes money any of a dozen other ways, the company may not be keen to report it. If your business could be hurt by admitting you have been hacked, hiding the issue is good business in some situations. Which is why the US now compels disclosure of some kinds of cyber attack.
The point is, if anyone with the experience can do it, and some outside agency is willing to participate or at least look away, cyberteers can accomplish a great deal, just like their forebears, people like Sir Francis Drake. They are more motivated than casual hackers, so the normal rule of thumb, "just be safer than the next guy", does not apply. If you are a target you need to be very safe. Above the norm. Well above, depending on your risk.
Update your risk models to include this class of threat, if it is not listed already. We are bound to see more of these folks until another Treaty of Paris is signed (it was the 1856 Declaration of Paris that finally abolished privateering).
Digital Trust, LLC


Video Games Ate My Data Center

Video games a threat to corporate security? If only it were a joke. Video games, PC-based as well as console games, and even phone games, are a threat. Not one that you as the asset protector can necessarily deal with, but awareness of a growing threat can't hurt.

We in the security industry are well aware of console systems being used to brute force passwords on encrypted material; the Air Force and other government agencies have bought them in large quantities for various "missions". But aside from the raw computational power, modern game consoles have a dark side almost nobody is talking about yet: harnessing them for a botnet. If some enterprising hacker works out how to hold one or more console types in a persistent botnet, we could have a serious problem. None of the consoles has security features anywhere near those of the PC platforms, which you would think makes them natural targets. At least they tend to use the vendors' closed networks for connectivity, although a good examination of the protocols would likely reveal the usual collection of weaknesses and exploitable problems.

Look at a modern console and you will find all the hardware malware needs: processors, persistent storage, and a network connection. Several platforms are readily hackable, in ways the manufacturer cannot detect without knowing what to look for, assuming anyone is even looking. Better yet, most console OSes bear a close resemblance to an existing OS, making it easy to move to coding for the console. Getting the information needed to subvert the console OS might be difficult, but it is definitely not impossible: most of the code needed to program the console is available, so the OS code itself cannot be far out of reach.

We are reviewing the EULA to see whether we can run some tests on our own console without angering corporate lawyers or "bricking" the unit.

Games that run on consoles are another issue. Assuming the same level of security awareness among game programmers as among corporate software developers implies quite a few bugs out there waiting to be exploited. Thankfully, the game popularity cycle means any particular game offers only a short window as a point of entry to a console. PC games raise similar concerns. The protocol streams of both kinds of game reveal some interesting artifacts that may lead to exploitable services. Who would have thought of a MitM attack against an Xbox?

PC games are the larger challenge, though: many employees, the corporate alpha geeks especially, either take laptops home, where the PCs on the home network can reach them, or install games directly on corporate hardware. That is two vectors to the inside of your firewall, bypassing most if not all of your perimeter security.

Bill in Sales loads a popular game on his corporate laptop; if that game is compromised, the hacker has a clean, invisible pipe into your corporate network. Or the laptop simply becomes a botnet zombie that, when he innocently brings it to the office, infects the rest of your company PCs.

If hackers are willing to exploit Adobe and Word, what makes you think they won’t exploit Madden NFL 10?

In any corporate environment, be sure you are restricting users' ability to install programs or to connect uncleared devices to a secured network.

Digital Trust, LLC

This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name is removed.

Secure Use of Smart Phones in Business

Putting business information on a mobile phone increases the risk of losing that information. We all know this, so why do we permit it? Risk management: sometimes the payoff is worth it. But what is the big deal, anyhow?

First, there is the direct loss issue. If a user loses a phone holding business information, whoever finds the phone can read that information. The business can avoid this risk by restricting what information may be transferred to mobile devices and by setting policy for proper use. That is very restrictive, however, and where the business case says the mobile phone risk is probably justified, additional options must be examined.

Second, there is a control issue. Once the business decides that phone use is acceptable, how does it minimize the risk of loss or compromise? Policy, both on paper and enforced electronically, can ensure that a phone is locked and password protected, which in most cases prevents disclosure when a phone is misplaced or stolen. Encryption of the device, encryption of the business information, and secure erasure are additional protective measures that can be implemented. But the platform must support the security requirement, or the policy is moot.

Currently, the BlackBerry is the only phone on the market with adequate controls for use as an extension of the business network. Companies should configure and restrict the BlackBerry so that users do not inadvertently expose their phones to hostile software. Likewise, companies should observe phone behavior just as they would a user PC in the office, watching for abnormal activity such as browsing to international web domains. Anything observable that indicates a compromised device should be tracked and alerted on. EventTracker from Prism Microsystems is a good choice for log management and alerting.

But a BlackBerry alone does not guarantee better security; the device must be configured properly and audited for compliance. If you are passing patient data to a device, for example, that access must be logged for HIPAA compliance. And users who own their own phones are at greater risk of loss than users of phones controlled through a BlackBerry Enterprise Server (BES). Through the central control of a BES, auditing and security settings are maintained by the business; trusting the end user to do this increases the risk that a mistake will occur and information will be compromised. Only through a BES can a company be confident it has properly addressed security concerns for mobile devices.

Furthermore, proper selection of a BES is vital to maintaining those protections. If you run a RIM BES in house, you have all the responsibility and all the capability. If you use RIM's hosted BES options, you have transferred some control but kept all the responsibility; it may be easier on your IT shop, but you will have to trust RIM. Finally, there are third-party options, including BES-like functionality for non-BlackBerry phones. Again, you will have to trust those third parties.

Currently the RIM BlackBerry with a BES stands alone at the top of the chart for organizational smart phone security. Any organization selecting an alternative should be prepared for problems, including justifying why it chose the higher-risk option. Until an alternative enterprise option has been vetted by a qualified security organization, using anything but BlackBerry with BES means accepting additional risk, which companies in regulated environments must justify to meet their risk management requirements.

Finally, there are issues with smart phones that you as a user may not know about, that bad guys are gleefully searching for, and that vendors will not bring up for fear of losing sales. Did you know that the iPhone saves a screenshot of whatever is on screen each time you leave an application, and keeps those images on the device? Imagine that: a record of your activity on your phone.

Digital Trust, LLC


Business Continuity: Chinese Hackers

Northrop Grumman was kind enough to publish, or maybe the government was kind enough to release, a report on Chinese cyber warfare capabilities prepared for the U.S.-China Economic and Security Review Commission (USCESRC).

Most people are apt to dismiss the report outright unless they have a direct interest in government affairs. What has a dry cleaner in Allentown got to do with Chinese hackers? It depends. But in the interest of keeping this short, let's just say there are some implications that the disaster-prepared, savvy business person should understand.

1) The Chinese are serious about cyber warfare. Probably more serious than the US, but who knows. All that matters is that the Chinese have official plans and official doctrine for waging cyber war against US interests. Which brings us to…

2) US interests means government facilities and supply chain components, not your average dry cleaner or Arby's owner. Well, think again. The Chinese might not target the dry cleaner or the fast food joint, but they are targeting infrastructure, possibly on a large scale. That means the dry cleaner is not going to get deliveries, and may be without power for an extended period. If they are smart, they have already planned for this contingency and set some money aside, as for severe accidents like the 2003 Northeast blackout. Or not. Prior planning prevents poor performance. As for our fast food owner, they are not getting shipments either, and an extended power outage kills what limited freezer storage they have. Can't cook it, can't store it, and we are running out. Anything could cause this; Chinese hackers are just one interesting way it happens. So prepare now.

OK, so why bother bringing it up? Either businesses are prepared or they aren’t. Telling them it’s Chinese Hackers isn’t going to motivate them to better prepare.

It might.

Unlike the natural disasters that *might* occur once in a decade, we know from the report that active Chinese incursions in cyberspace are ongoing. They are testing. Surely the US is as well. The Chinese have even built their own operating system; no Windows 7 there. Uh oh. Do you know how serious you have to be to build your own national operating system for increased protection? That's serious.

So why recommend that businesses devote a little extra time to business continuity because of Chinese hackers? Because they do not only target US defense systems. They test, and if they want to know whether something works, testing on the dry cleaner is a lot safer than testing on 1600 Pennsylvania Avenue. They target you. Especially if you are in some sort of support capacity, like a fuel pumping station. Cyberwar is all about disruption.

Besides, the Russian crime syndicates are already targeting small businesses, so we all need to step up preparedness a tad. Talk to your friendly local computer geek who works for beer and food. He's cheap, and you'll get some idea of how vulnerable your systems are. Discuss what you would do if hackers 1) destroyed your computers, 2) emptied your bank account (business accounts lack the consumer protections that would make the bank cover it), or 3) used your computers as a stepping stone to an assault on the US government. Won't that be an interesting visit from a bunch of guys in black…

And if you want to get more serious about disaster recovery and business continuity, risk assessments, or even regulatory computer security compliance, give us a call at Digital Trust.

Digital Trust, LLC
We read government reports so you don’t have to.


The Problem With Full Disk Encryption

One of the fun jobs we get in security is recovering digital forensic evidence from hard drives. There is a real feeling of achievement when you have teased apart the hidden files, the slack space and the partial fragments to reveal a clear picture that proves guilt or proves innocence. The practice had become relatively standardized, until recently.

Companies and persons of interest have been increasingly using full disk encryption to protect their interests, legitimate or suspect, and there is a problem with this.

In at least one case, the encryption product requires a partial boot from the evidence disk in order to get an unencrypted view of the disk on which to perform forensics. That little bit about booting from the disk is where the trouble starts. Attorneys hate it when we boot from the evidence disk, especially into Windows, because it is normally impossible not to change the disk, and that can affect the admissibility of the evidence. Various techniques and equipment have been brought into the practice to get around this simple effect of changing the source data, even when you can show that nothing important changed, because 1) it is expensive to prove that nothing important changed and 2) it is terribly difficult to sway a jury regarding the changed data. Case law comes down largely (nearly entirely) on the "do not alter the source data" side of the house.

So booting off that disk is very problematic, but not impossible to work around if you have the time and money to perform the science dance, and there is a possibility of convincing a jury. Once enough case law exists to support the maneuver, it will be much more "jury friendly".

One of the tools we use to avoid altering the data is a write blocker, a piece of hardware that keeps the source disk read-only. We are currently running a series of tests to determine whether write blockers can be used in this situation and whether the hardware dependency of some encryption utilities affects the outcome.

What would be remarkably useful is a utility for mounting encrypted disks outside the original system, as if they were a volume in TrueCrypt parlance rather than an entire disk. As part of our investigation we are talking to manufacturers and looking for such utilities to be made available or created.
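Two of the steps described above are mechanical enough to script: recognizing which product encrypted the disk before deciding how to get at it, and proving afterwards exactly what a boot changed. The following is an added example written for this page, not a Digital Trust tool and not code from any vendor mentioned. It assumes a raw sector image (dd-style); the LUKS and BitLocker markers are documented on-disk structures, the TrueCrypt bootloader banner string is an assumption to confirm against a reference image, and every sample image is constructed in memory.

```python
"""Triage for a suspected full-disk-encrypted evidence image (added example).

Two questions an examiner wants settled before anyone boots the evidence
disk: which FDE product is on it, so the right offline tool can be chosen,
and, if a boot was unavoidable, exactly which sectors changed between the
pre-boot and post-boot acquisitions. Sample images are constructed below.
"""
import hashlib
import math
from collections import Counter

SECTOR = 512
TRIAGE_BYTES = SECTOR * 8  # leading region checked for markers and entropy

# Cleartext markers that survive encryption of the payload. LUKS and
# BitLocker are documented on-disk structures. The TrueCrypt entry is the
# system-encryption bootloader banner and is an ASSUMPTION: confirm it on a
# reference image before relying on it. A TrueCrypt *volume* header carries
# no marker at all by design and can only be inferred from entropy.
SIGNATURES = (
    ("LUKS", 0, b"LUKS\xba\xbe"),          # header magic at offset 0
    ("BitLocker", 3, b"-FVE-FS-"),         # OEM ID in the volume boot sector
    ("TrueCrypt bootloader", None, b"TrueCrypt Boot Loader"),  # anywhere in lead
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; ciphertext and random data sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_fde(image: bytes, entropy_threshold: float = 7.5) -> str:
    """Name the FDE product from cleartext markers, else fall back to entropy."""
    lead = image[:TRIAGE_BYTES]
    for name, offset, magic in SIGNATURES:
        if offset is None:
            if magic in lead:
                return name
        elif lead[offset:offset + len(magic)] == magic:
            return name
    if shannon_entropy(lead) >= entropy_threshold:
        return "unidentified high-entropy (signature-free FDE such as a TrueCrypt volume)"
    return "no FDE marker; leading sectors look like plaintext"


def changed_sectors(before: bytes, after: bytes) -> list:
    """Sector numbers that differ between two acquisitions of the same disk."""
    if len(before) != len(after):
        raise ValueError("acquisitions differ in size; not the same disk")
    return [i // SECTOR for i in range(0, len(before), SECTOR)
            if before[i:i + SECTOR] != after[i:i + SECTOR]]


def acquisition_report(before: bytes, after: bytes) -> dict:
    """What goes in the examiner's notes: both hashes, FDE finding, altered sectors."""
    return {
        "sha256_before": hashlib.sha256(before).hexdigest(),
        "sha256_after": hashlib.sha256(after).hexdigest(),
        "fde": identify_fde(before),
        "changed_sectors": changed_sectors(before, after),
    }


def altered_copy(image: bytes, touched: dict) -> bytes:
    """Copy of image with one byte flipped at each {sector: offset} (sample only)."""
    out = bytearray(image)
    for sector, off in touched.items():
        out[sector * SECTOR + off] ^= 0xFF
    return bytes(out)


def _constructed_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain), for the sample only."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_samples() -> dict:
    """Constructed 4 KiB images, one per case. Not real evidence."""
    plain = bytearray(TRIAGE_BYTES)  # FAT-style boot sector, rest zero
    plain[0:3], plain[3:11], plain[510:512] = b"\xeb\x58\x90", b"MSDOS5.0", b"\x55\xaa"
    luks = bytearray(TRIAGE_BYTES)
    luks[0:6] = b"LUKS\xba\xbe"
    bitlocker = bytearray(TRIAGE_BYTES)
    bitlocker[0:3], bitlocker[3:11], bitlocker[510:512] = b"\xeb\x58\x90", b"-FVE-FS-", b"\x55\xaa"
    return {"plain": bytes(plain), "luks": bytes(luks), "bitlocker": bytes(bitlocker),
            "truecrypt_volume": _constructed_random(TRIAGE_BYTES)}  # marker-free ciphertext


if __name__ == "__main__":
    samples = build_samples()
    for name, img in samples.items():
        print(f"{name:17} -> {identify_fde(img)}")
    # A boot that touched two sectors of the plaintext image.
    print(acquisition_report(samples["plain"], altered_copy(samples["plain"], {3: 0, 5: 17})))
```

On a real case the image comes off the write-blocked acquisition, both hashes go in the notes, and a non-empty changed_sectors list is the start of the "nothing important changed" argument: it names the exact sectors to map back onto files (on a Windows boot, typically logs, registry hives and the page file) instead of asking a jury to take the examiner's word for it.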

So far we have had only one case where this was an issue, but we anticipate many more, and hope the issue is resolved before something really important comes along.

Digital Trust


New Fraud Alert

There is a new (to us) version of the Send Money scam floating around. A company with a web commerce site gets a probing email, typically something like "do you ship to Australia?". When someone responds, the sender asks for product lists and places a large order. Payment then arrives in a form that only "works" if the company first deposits or sends money of its own, or some variation on that theme. Of course, anything sent is gone for good, but some people see that big purchase order and lose all common sense. Businesses are usually better than individuals at spotting these, but since a lot of e-commerce is run by individuals, we thought it best to put out a warning.


Thanks to 2600 for letting us know about this.

PCI DSS Failures

We are going to keep seeing Payment Card Industry security failures. This is not because the Data Security Standard is weak; it is quite good. It fails on implementation, at least if you are using one of the "sanctioned" certification tracks.

Because the PCI Council recognized early that many industries were not capable of adequate testing and preparation, it authorized a number of companies to do certification testing for organizations that could not handle it themselves, or in some cases simply to offer a streamlined path for card processing entities. And that is where the failure is.

At least one of these “certifiers” (who shall remain nameless to protect the inept) is using a methodology to certify an organization as PCI compliant that utterly fails to validate security in the tested organization.

The method works like so: 1) point a vulnerability scanner at the company's external gateway; 2) document any findings; 3) answer some questions on paper about what goes on inside the organization.

It may be streamlined, but perhaps a little too streamlined. Nothing internal is validated except on paper, and there is no serious effort to inspect external security. There certainly is no investigation of what a genuine, hardworking adversary would do to obtain cardholder data.

While the paper test asks about such things as password strength, encryption and patching, it never validates the answers. While it examines the organization's exposure via its primary gateway, it checks for nothing more complicated than open ports.

Given that most compromises begin with malware brought in through email and web traffic, how does any of this testing give a valid indication of how secure an organization is? It doesn't.

All it will do is annoy organizations that practice real security, miss organizations that simply don't care, and catch only organizations that are utterly inept, of which there should be very few.

What it does not do is increase the security of cardholder data. The organizations themselves are already doing that, so what is the point of the testing? Test for real problems, validate actual configurations, or don't bother. Failing after creating a false sense of security is still failing.

And after so much work to create a really good standard, wouldn't we want it done right? Implement genuine validation at the inspection level.

Digital Trust


It Outta Be A Crime

It outta be a crime, sharing user accounts, in this day and age. Failing to track audit trails and alert on network security events outta be a crime, too. Failing to encrypt laptops, letting USB sticks run rampant, and not watching what goes out your email server outta be a crime. Any business big enough that you can't keep your eye on all the computers all the time should be using layered security: anti-virus, firewalls, IDS. To not do so outta be a crime.
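Of the failures listed above, shared accounts are the one an audit trail exposes almost for free, if anyone is alerting on it. The following is an added example, not Digital Trust's code or any product's: a minimal detector that reads logon records and flags an account used from two different hosts within a few minutes of each other. The log line format, host addresses and account names are constructed for the example; map a real authentication log onto the regular expression and the rest applies unchanged.

```python
"""Flag shared user accounts from logon records (added example).

The log format is constructed for this example: timestamp, account, source
host. Point LOGON_RE at your own authentication log format and the detection
logic below does not change.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_RE = re.compile(r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one account used from two desks three minutes apart,
# one "nurse1" login walked down a row of workstations, one clean user, and
# a line that is not a logon record at all.
SAMPLE_LOG = """\
2009-11-03T08:00:12 LOGON user=bsmith src=10.1.4.22
2009-11-03T08:01:05 LOGON user=jdoe src=10.1.4.31
2009-11-03T08:03:40 LOGON user=bsmith src=10.1.9.7
2009-11-03T08:45:00 LOGON user=jdoe src=10.1.4.31
2009-11-03T09:10:00 LOGON user=nurse1 src=10.1.2.10
2009-11-03T09:11:30 LOGON user=nurse1 src=10.1.2.11
2009-11-03T09:12:15 LOGON user=nurse1 src=10.1.2.12
2009-11-03T09:30:00 kernel: eth0 link up
2009-11-03T17:30:00 LOGON user=bsmith src=10.1.9.7
"""


def parse_logons(text: str) -> list:
    """(timestamp, user, src) tuples in time order; non-logon lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    events.sort()
    return events


def find_shared_accounts(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """One alert per logon whose source host differs from any earlier logon of
    the same account inside `window`. Returns (user, ts, src, other_hosts)."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, src)] still inside the window
    for ts, user, src in events:
        recent[user] = [(t, s) for t, s in recent[user] if ts - t <= window]
        others = sorted({s for _, s in recent[user] if s != src})
        if others:
            alerts.append((user, ts, src, others))
        recent[user].append((ts, src))
    return alerts


def flagged_accounts(alerts: list) -> dict:
    """Account -> number of alerts: the summary a reviewer actually reads."""
    counts = defaultdict(int)
    for user, *_ in alerts:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_shared_accounts(parse_logons(SAMPLE_LOG))
    for user, ts, src, others in found:
        print(f"{ts:%H:%M:%S} {user} from {src} while also active from {', '.join(others)}")
    print(flagged_accounts(found))
```

The window is the tuning knob: too short and a user who walks between two desks is missed, too long and legitimate re-logons from a new location fire. A clean user (jdoe above) produces nothing; a credential that turns up on three workstations in two minutes produces an alert for every additional host, which is exactly the pattern a supervisor cannot later claim nobody could have seen.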

And the lawmakers are finally getting around to it. After how many billions of dollars have gone the way of the Dodo? At least they finally get it.

HITECH is one of the biggest-impact laws to roll out of the Beltway. It finally makes HIPAA security and privacy a serious concern for business entities, and not just hospitals but everyone hospitals do business with. It makes security failures a nightmare for healthcare companies, and better yet, it permits enforcement by state attorneys general, so not everything has to go back to DC to get fixed. More interesting is its pinning of responsibility on management. Personally. Take the supervisor who blindly permits her reports to bring in memory sticks and plug them into company computers, in violation of policy, of course. When one of them lets loose a virus that allows a bad guy in to download medical records and abuse patient finances, that supervisor is going to share some of the responsibility. So will the organization, of course, since it obviously was not educating enough and was not watching for it. But the supervisor is still going to be responsible, and so will the employee. HITECH pushes responsibility down so that people have to start taking a personal interest instead of blindly going about their day unconcerned about security problems.

Now it gets interesting. Like blood-in-the-water interesting. Finally, what outta be a crime, is.

Digital Trust is, of course, one of many companies that can make your business more compliant. We can help you erect shields to protect you from the sharks, without breaking the bank and with minimal disruption. We know, because we have done it. Let us help you fix, expand or enhance your security program, as we have for other clients. We can even work with your business partners to make sure they don't get you in trouble.

Digital Trust
