Archive for December 2009

Use Facebook Apps? Time for a Password Change

RockYou was hacked a couple of weeks ago and over 35 million passwords were stolen. RockYou may have your password if you’ve played any of their Social Networking Applications on sites like Facebook or MySpace. Their applications include

  • Slideshow
  • Uploadphoto
  • Photofx
  • Glittertext
  • Funnotes
  • Countdown
  • Superhug
  • Myspace layouts
  • Stickers
  • Superwall
  • Pieces of flair
  • Speedracing
  • Likeness
  • Hugme
  • Birthday cards

Pieces of flair seems like one I’ve seen my friends using. Depending on the application, RockYou may have had your Facebook or Webmail password. RockYou recommends that you change passwords for any online service where you’ve used the same password disclosed to them.
In the last day, I’ve seen a massive spike in the number of friends who have had their Gmail account hacked and spam sent to contacts in the address book. It’s not necessarily connected to the RockYou attack, but it’s worth mentioning. The hacker briefly posted the full database online for anyone to download, so it’s not surprising that people would get hit.

Do you have backups?

You don’t have backups unless you have successfully recovered from them. Sometimes you just have to learn lessons the hard way if you don’t take the time to learn them from others.
I’ve heard a lot of commercials lately pushing Mozy or Carbonite that pretty much guarantee that everyone has a hard drive failure at some point. This month the hard drive in my Dell Optiplex 755 at work gave up the ghost. Two weeks short of its end of lease. Very frustrating. But it was about to get more frustrating.
The enterprise desktop backup product we use is configured to back up the user profile, c:\data and c:\lotus. Unfortunately Vista is not a standard supported operating system at work, and the backup admin made a mistake when he configured the backup product to back up c:\users. It didn’t back up my user profile at all. So all I have is the backup I made in July when I migrated from XP to Vista. So I’m out quite a bit of work.
This really makes me wonder about all of my data. The trust is just gone right now. For my work computers, should I be using Windows Easy Transfer to back up my files on a regular basis? Should I just take a Ghost image on a scheduled basis, so I can recover easily? Hmmm, side note, I should check the software inventory for evidence of users performing rogue backups with Carbonite/Mozy etc.
For my home computer, I realize that, using only Mozy’s free service, I have a lot of MP3s and photos not backed up. That is important stuff to me. I also have never tested recovering even one file from Mozy. Need to do the due diligence.
Well, anyway, if you’ve read all this and you want to check out Mozy for your home backups, click on this link. We’ll both get 256MB extra storage space once you start using Mozy. Like I said though, I’d suggest verifying even a rudimentary recovery.
It’s so easy to assume that things work correctly. Most of us don’t have the time to verify that other people have done their jobs correctly. But when it’s going to really hurt if backups fail, it doesn’t take that long to do a test restore. Particularly if you have access to initiate the restore yourself.

Antivirus Exclusions

For many years Microsoft has had an exclusion list of files and folders that antivirus should not scan. I’ve seen similar knowledgebase articles from antivirus vendors. For some reason this became blogworthy over at TrendMicro. That has set off the usual echo chamber of anti-Microsoft handwringing. (Wait a second, an echo chamber of handwringing? Exactly how loud is that? Stop mixing metaphors.)
A lot of people have the knee-jerk reaction “oh no, the virus writers will start putting their viruses there.” The author of the TrendMicro blog entry isn’t as worried about the exclusions themselves as about the public knowledge of them: “Now, although it actually makes sense to stop checking …we are concerned by the fact that this was released publicly.” I laughed out loud when I read that. Security through obscurity is no security at all. If you don’t tell antivirus administrators what to exclude from scanning, just who are you going to be sharing this mystic secret with?
All the articles I’ve read imply that the only reason to make antivirus exclusions is performance. Exclusions can also be necessary to allow a product to work correctly. Data integrity is a valid reason for antivirus exclusion, I think.

Unlike what some people think, exclusions aren’t just for the performance of scheduled scans. On the contrary, they are more often needed for real-time scanning: lots of files created in a folder and deleted, etc. That is a real-time scan situation.
Microsoft’s KB is clearly aimed at system administrators, not home users, in this writer’s opinion. Excluding a file from scanning is not a white flag of surrender. Endpoint security suites may still have IDS, proactive and firewall components. The malware will need to beat the antivirus to get on the system in the first place.
I guess I got my hand-wringing out of the way on this one five years ago. Strangely, TrendMicro did too. Their own knowledgebase has instructions with some recommended exclusions to solve problems with Shadow Copy and SQL.

Mozilla Firefox 3.5.6

Another Christmas gift from a software vendor.
Mozilla has released updates for Firefox. The current versions are now 3.5.6 and 3.0.16.
Their security advisories are here.
There are three updates rated as critical.

Facebook Google Indexing Tempest in a Teapot

Earlier today I started getting status updates from friends that read

If you don’t know, as of today, Facebook will automatically index all your publicly available info on Google, which allows everyone to view it. To change this option, go to Settings –> Privacy Settings –> Search –> then UN-CLICK the box that says ‘Allow indexing’. Facebook kept this one quiet. Copy and paste onto your status for all on your news feed.

Facebook’s chain letter detection kicked in (not sure if that was an automatic or manual process) to deter future exact duplicates of that status update. This made people all the more suspicious about why Facebook would be blocking their attempts to warn about Facebook privacy.
If you did wander over to the Facebook privacy page you’d see the following message from Facebook.

Worried about privacy? Your information is safe.
There have been misleading rumors recently about Facebook indexing all your information on Google. This is not true. Facebook created public search listings in 2007 to enable people to search for your name and see a link to your Facebook profile.

Security hoaxes have been around forever. Misconceptions about genuine security threats are tough to deal with. While Facebook has made some debatable privacy changes lately, I believe Facebook is right that the search settings are hardly new. What really matters is the security settings you place on your data.
When someone asks you to share information with everyone you know, as this dire warning did, unless it’s the Gospel of Jesus, I think your crap detector should be sounding the alarm. If the source is not a computer security expert, stop and ask if it makes sense. If the source IS a computer security expert, stop and ask if it makes sense and then make sure your wallet hasn’t been stolen by the security expert.
Search engines index Facebook status, but only the status that has the Everyone permission. If you’re going to freak out, do it by reviewing your privacy settings. You know, the privacy settings Facebook had you review this week. Everyone means everyone on the internet.

GuardianEdge Announces Hardware Based Encryption Support

GuardianEdge put out a press release this week announcing Encrypted Drive Manager. This software will allow you to manage hardware-encrypted hard drives as well as drives encrypted with GuardianEdge Hard Disk, all from one platform. This will be released in Q2 2010. When I was evaluating GuardianEdge in 2007 they talked about these features, so it’s nice to see it finally (soon to be) making it to market.
Hardware based encryption may finally be ready to ignite. The Trusted Computing Group has been working on standards so it’s not such a mishmash. Performing the encryption on the drive hardware keeps the encryption keys out of system memory, so it isn’t vulnerable to cold boot attacks. There isn’t a CPU performance penalty as there can be with software encryption. Wiping a drive is as simple as removing the encryption key.
The main problem has been manageability. You need to be able to corporately manage accounts on the hardware encrypted drive just as you do with the software encryption. It has to be enterprise ready. It’s necessary to be able to manage both software and hardware based Full Disk Encryption, and GuardianEdge is going to allow for that.
I anticipate a time when the drives we order in our standard systems will all be hardware FDE capable and managed by GuardianEdge.

Facebook non-privacy settings

Facebook has rolled out new security settings this week. They seem designed to confuse and lead people into sharing more info than ever.
If you are one of the 20% of Facebook users who have adjusted their privacy settings previously, then Facebook will keep your old settings as the default but encourage you to change them. For everyone else the default security permission is Everyone. In an effort to be more like Twitter, they want your status updates available to everyone: not your friends, not friends of friends, not your networks, not even just authenticated users. Every anonymous Internet user, including search engines, will be able to read your status updates. Like Twitter data, anything you post could be mirrored permanently somewhere else.
Of course the best policy is to not post anything to the internet you wouldn’t want public knowledge. Web 2.0 security just isn’t that trustworthy.
Graham Cluley has a good blog entry and video on his blog regarding these new Facebook privacy settings. That is geared for the average end user. Don’t forget to check application privacy as well. I found that applications my friends use could see my birthdate. Not cool.
I was rather perturbed to find that I can’t restrict the world from viewing the Pages where I’m a fan. These fan pages announce my beliefs, affiliations and preferences. Facebook says Everyone gets to see your “publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.” I was kind of hoping this meant that there was a place where I could make that information not public. Unfortunately that is not the case. Check out this posting from the EFF (Electronic Frontier Foundation). According to the EFF, Facebook says my membership in a Page was already visible on that page, so it’s not different. I certainly see a difference. While before you might take the time to see if I was a member of a few controversial Pages, now you can see all my Pages. Hopefully this will change and I can make Page membership non-public.
If you use Facebook, take a moment to review your privacy settings.

Adobe Flash and Air Updates

As you’ve no doubt read other places, Adobe has released updates for Flash and AIR. The security bulletin can be read here, the software can be downloaded from adobe.com.
I’ve found a bunch of our users have installed Adobe Air. Either they downloaded Adobe Reader 9 with AIR on their own or someone has screwed up the Ghost load. I’m leaning toward investigating how to deploy AIR updates rather than just emailing the users needing the AIR update.
It sure would be nice if the Enterprise distribution page included the file version. I either have to download and unpack the MSI to see if it is the new version or use another tool to check the modified file date on the webserver. Using http://headerviewer.com/ I see the last modified date is November 16th so it looks like I’ll be waiting a bit for the MSI version to be released.

Journalism in a pay per click world

I’ve had my own rants about the tech media. I particularly enjoyed Ed Bott’s ZDNet article on “What the Black Screen of Death Story says about Tech Journalism”. Check it out.

Stop Emailing Social Security Numbers

Recently we implemented a product to do content control on email. One of the main uses I have is looking for Social Security Numbers (SSN) in outgoing email. I did not like what I found.
I expected to just find the occasional person emailing their SSN to a spouse for benefits enrollment. I’ve talked with people who said expect to find business processes that are mailing around SSNs like mad. I guess the result is somewhere in the middle.
It looks like part of having a government clearance is having your SSN emailed around in the clear. The Director of physical security says that when setting up a cleared visit at an Army base it is mandatory to email SSNs in clear text. I find this hard to believe.
People don’t get what a Social Security number is. It is a (generally) unique identifier, but people use it as an authenticator.
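The kind of check an email content-control filter applies to an outgoing message, as an added example in Python (not the product the post mentions or its rules): a bounded SSN pattern, the ranges the SSA has never issued (area 000, 666 and 900-999, group 00, serial 0000) to cut false positives on placeholder data, and a redacted copy so the alert itself does not leak the number. The sample message is constructed.

```python
import re

# Candidate pattern AAA-GG-SSSS: the separator is optional but must be the same
# in both positions, and the lookarounds stop a slice of a longer digit run
# (a phone number, a PO number) from matching.
_SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Keeps test data out of the alert queue."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list[str]:
    """Every plausible SSN in the message body, in order of appearance."""
    return [
        m.group(0)
        for m in _SSN_RE.finditer(text)
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4))
    ]


def redact_ssns(text: str) -> str:
    """Mask plausible SSNs to their last four digits; implausible hits are left
    alone so the reviewer still sees what the filter rejected and why."""
    def mask(m: re.Match) -> str:
        if not is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            return m.group(0)
        return "***-**-" + m.group(4)
    return _SSN_RE.sub(mask, text)


def scan_outgoing(text: str) -> dict:
    """Verdict for one outgoing message: block flag, count, redacted copy."""
    hits = find_ssns(text)
    return {"block": bool(hits), "ssn_count": len(hits), "redacted": redact_ssns(text)}


# Constructed sample message; the names and numbers are made up.
SAMPLE_EMAIL = (
    "Subject: cleared visit request\n"
    "Please add John Doe, SSN 123-45-6789, and Jane Roe, SSN 456 78 9012.\n"
    "Ignore 000-12-3456 and 666-01-0001 (never issued), PO 12345-67-890,\n"
    "and our desk phone 555-123-4567.\n"
)

if __name__ == "__main__":
    print(scan_outgoing(SAMPLE_EMAIL))
```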
The Social Security Administration Reports (http://www.ssa.gov/pubs/10064.html) that:

Identity theft is one of the fastest growing crimes in America. A dishonest person who has your Social Security number can use it to get other personal information about you. Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and do not pay the bills. You may not find out that someone is using your number until you are turned down for credit or you begin to get calls from unknown creditors demanding payment for items you never bought.
Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.
The Social Security Administration protects your Social Security number and keeps your records confidential. We do not give your number to anyone, except when authorized by law. You should be careful about sharing your number, even when you are asked for it. You should ask why your number is needed, how it will be used and what will happen if you refuse. The answers to these questions can help you decide if you want to give out your Social Security number.

Seems like the kind of thing you’d want kept secret. I know some people have given up. With the number of people that you legitimately (or not) give your SSN to, is it really just a lost cause? Given the trouble that identity theft can cause, I’d take caution.
But that’s the problem: even if you knew enough not to email your SSN to your buddy so he can get you into the White House Christmas tour, your manager is emailing your SSN and everyone else’s so that access to a cleared facility can be arranged. Your tax preparer is emailing your 1040. Your dentist didn’t wipe the hard drive before selling old equipment on eBay.
Ultimately you can only control what you control. Make sure surrendering your SSN is necessary. At this point I might even ask how it is stored and transported. Only provide the number over a secure medium.