Apologies for the auto-post from the NotObvious blog...am disabling it today.

---

The Department of Homeland Security publishes an ~daily Open Source Infrastructure Report which contains a summary of open-source published information concerning significant critical infrastructure issues (and not just IT security related). You can subscribe to e-mail alerts to be notified when they are available (they do not publish on weekends or holidays) and are in PDF format. While the information is sometimes a bit dated (by a day or two), I have found interesting/useful data in almost every report. It definitely belongs on your quick-scan list for the day.

There is, unfortunately, no "permalink" to the latest published report and - while PDF is an acceptable means of distribution - it means having a PDF viewer installed or available, which may not be the case on all systems.

I came up with a solution to both of these issues by creating a bookmarklet that always links to the current day's report (so it will not work if there is no report for today or the report has not uploaded yet) and turns the link into a Google PDF Viewer document, so you can see it in virtually any browser without the need for a PDF plug-in and without having to download it to your local system.

The bookmarklet has been tested with IE 7, Safari 4 & Firefox 3.5 and you just need to drag the link below to your bookmarks bar. Drop me a note in the comments if you encounter any errors or have any enhancements to it.

Today's DHS OSIR

Agile Solutions' 1Password utility is a great way to generate & store secure passwords, notes, license keys and more. They even have an iPhone/iPod Touch app which makes it very easy to have access to your passwords from almost anywhere.

If you do not have an iPhone or an iPod Touch you can still access your secure seekrits on other systems via a new feature in their latest release (version 3) called iPasswordAnywhere. In a recent blog post, David Chartier — Chief Media Producer at Agile Solutions — explains how to use Dropbox to take advantage of this feature which will allow you to keep your data in sync across multiple systems (i.e. anywhere you have Dropbox installed). Dropbox syncs your encrypted 1Password database/keychain files to your linked systems and you end up accessing the contents via a fairly clever local web page (1Password.html which is located on your home system in your ~/Library/Application Support/1Password/1Password.agilekeychain directory).

While I absolutely love Dropbox, my 1Password keychain database is over 2 MB and I do not want to eat up even that little of my free space there (I do not yet have a paid account with them). I also do not necessarily need the data stored locally on each system I might be using. Despite the fact that I haven an iPhone and make regular use of the 1Password Touch app for it, I thought it would be useful to synchronize the 1PasswordAnywhere data to a web host where I could access from any host, not just ones with Dropbox on it, and also access it when I forget my iPhone or it runs out of juice.

So, if you use 1Password but do not use Dropbox, do not have an iPhone and have the ability to rsync files to a web host under your control, then read on to see what I've cooked up.

In my (lately) infrequent viewing of hosted Google mail, I noticed the following (click for bigger image):

>

At least this shows that even the might Google can strike out once in a while (which makes the difficulties of the past few weeks just a tad easier to deal with).

CMS is now the enforcement arm of the HHS for HIPAA and they've posted a sample interview/document request sheet.

You should already be prepared to answer questions like these if your security program is maintained well. It will be important to limit the scope (i.e. have a well-defined list of where EPHI - Electronic Protected Health Information - is stored) and it's probably an even better idea to map the areas outlined against your policies and whatever standards you've built them against.

UPDATE: Thoughtful response from Jesse @ Hiveminder in the comments.

Fans of Getting Things Done [GTD] are on a never-ending quest for the ultimate solution to help them get and stay organized. Remember The Milk [RTM] is one Web 2.0 site growing in popularity amongst the GTD-followers which allows you to perform task management via a slick web interface, from instant messaging services, on Twitter and even has a robust API for custom integration (not to mention some very interesting Google Apps interfaces). Amazingly enough, it even allows you to perform actions over SSL so your credentials and task bits remain secure (if you're into that whole security thing when it comes to putting your information on Web 2.0 sites).

Contrast that with another contender I just learned about - Hiveminder. It has the similar integration points and facilities (some not as spiffy as RTM), but an entry in their FAQ gave me pause:

You're not using SSL; how do I know my password is safe?
If you have a Javascript-enabled browser (most of them are these days), then your password will be encrypted when logging in, before being sent to us over the internet. But we also offer SSL encryption as a feature to pro users.

In other words: we don't care about the security of your data unless you pay us to.

That is a fairly cavalier attitude given that their competition lets you encrypt all web traffic whether you are entering login credentials or just plain browsing.

In many cases, Web 2.0-ish sites put features first and security second (or third), and my concern is that others will either adopt this model of "Features? Sure, you can have 'em! You want security? Cough up some dough!" or alter their terms of service to switch to this business model at some point after they gather a decent user-base.

This is yet another example of why you need to read the fine print when choosing a product or service and - especially for Web 2.0 sites - ensure that you have complete control over your data.

Found this via slashdot.

The top-notch security researchers over at heise security discovered that encryption seems to be a play on words for a large class of consumer-targeted hard drives that use a common controller chip. While the manufacturers claim AES encryption, the reality is that AES is only used in one small part of the drive operation, with the rest being little more than a simple XOR data obfuscation:

heise Security has since received a statement from Innmax, the manufacturer of the IM7206[2] controller chip used, confirming our findings. The IN7206 merely uses AES encryption when saving the RFID chip's ID in the controller's flash memory. The company explained that actual data encryption is based on an algorithm developed in-house. As they put it, "The IM7206 only offers basic protection and is designed for normal users." In contrast, the more expensive IM8202 controller chip is being designed for "power users, banks, and it enterprises with high security requirements"; it will reportedly offer true 128-bit AES encryption for data – but the chip is still in the development phase.

Fine print is especially important in security products and is one reason it is always a good idea to delve into details when there are assertions of FIPS certification levels, claims of the use of encryption or product security testing seals. heise invested very little effort and found a fairly large, gaping hole. Would your enterprise architecture team – even with the help of your security gurus – have been able to do the same?

Stop trusting your vendors and start verifying anything you plan on putting into production, whether it's for data protection or just operational/functional performance/efficiency.

Well, you always wanted to share your browsing history with the planet, didn't you?

(OK, so *technically* this really should have been a Tumblr post, but Tumblr and MarsEdit do not have speaks with each other and I really like MarsEdit. To all those bitterly disappointed in this choice, here is something to entertain you for a while.)

The Employee Who Never Leaves was co-authored by Phil Kostenbader and myself (why they used phil's picture in the article I'll never know :-) and should scare the pants off of any manager, especially those with savvy IT employees.

Those with an in-print subscription will learn the basics of Windows patch management.

From Government Executive:

The Homeland Security Department has appointed an official who is under federal investigation to a key position overseeing a program worth hundreds of millions of dollars to secure computer networks across the federal government.

The Feb. 1 appointment of Scott Charbo, Homeland Security's chief information officer, to be deputy undersecretary for the national protection and programs directorate, drew immediate criticism from House Homeland Security Committee Chairman Bennie Thompson, D-Miss., who was familiar with Charbo's past.

In a letter to Homeland Security Secretary Michael Chertoff, Thompson said an investigation conducted by his committee last year showed Charbo failed to properly address computer security breaches within agencies housed at department headquarters, along with incompetent and possibly illegal activity by private contractor Unisys.

The incidents included the exfiltration of information from Homeland Security Department networks to a Web-hosting service that connects Chinese Web sites, according to Thompson's investigation.

The security breaches that occurred under Charbo's watch and the work by Unisys are now under investigation by the FBI and the Homeland Security Department inspector general, according to Thompson and congressional aides.

We can just hope that the individual that takes over next January (provided Bush doesn't declare martial law before then) strives to just be a little less inept and corrupt than the current leader of the weakest currency in the civilized world.

I take a look at one of the more interesting security tools to hit Apple desktops in quite a while in TrueCrypt 5.0 Brings Plausible Deniability To OS X Users over on The Apple Blog:

If you need/desire cross-platform compatibility, then TrueCrypt is a perfect choice. You can encrypt a virtual disk image onto a USB drive and take it from Windows to Linux to OS X and gain access to your all your secret data, something that is not possible with OS X secure disk images.

UPDATE: Now up on TAB (Josh is teh cool) with good discussion in the comments on the efficacy of the executable.

[NOTE: Once/if Josh posts this to TAB, I'll be modifying the entry to just link over there...only posting it now in the interest of time (since it's after 1AM on the right coast). It needs to be on TAB so the widest audience gets the security fix info.]

For those that have installed Office 2008, you may have seen some news floating on the internets about improper permissions — that were created by the installer — potentially allowing another local user to access your documents. It's not a remote exploit issue and most folks are probably not vulnerable (you only need to be concerned if you've created another user on the system).

Erik Schwiebert posted instructions for a temporary fix over at Mac Mojo and Microsoft will be issuing an official patch/update to address the issue as well. Erik's instuctions require some Terminal-fu, so I wrapped them into an executable – Fix Office 2008 Permissions.

Just download/extract the archive and run the executable. You will be prompted for your password since the fix requires elevated privileges.

If you have any issues with the executable or following Erik's instructions, post them in the comments and I'll see if your particular install requires any tweaking.

A story in the Fairview Observer illustrates a number of problems that plague more than just small county election offices.

In Davidson County, two laptops were stolen from the offices of the election commission. One of the laptops had a password taped to the top, though the election administrator, Ray Barrett, claims that it was an old password that had been changed. The other laptop was claimed to be broken. These systems were not secured - no hard disk encryption, no physical isolation - and contained approximately 337,000 Social Security numbers.

The Mayor has called for a government-wide security audit, but that may do little to allay the fears of voters and voter watchdog groups. Without encryption, the data on the disks inside those systems is completely accessible to the thieves. Beyond the PII loss, there is also a concern that the voting machine ballot testing software may also be loaded on the systems, potentially putting election results at risk.

There are reports that the security guards ignored their duties the night of the break-in and, in an audit of the access card key swipes, it was discovered that no guards had been watching the building at all on Saturday nights through early Sunday mornings for months.

What could they have done to prevent this?

• Physically secure the portable computers
• Employ full hard disk encryption
• Maintain an accurate and up-to-date inventory of what data and applications reside on all systems
• Never tape passwords/passcodes/passphrases to machines
• Have a tested incident response program in place
• Perform regular audits of the physical security controls

Would it have been *that* hard to lock the laptops in a desk or cabinet? Is hard disk encryption *that* expensive or difficult to employ? In such a small environment, is maintaining an asset database *so* time-consuming and intensive to make it not worth doing? Is it completely unreasonable to expect folks to remember a password? Should an organization not already be making sure outsourced functions are meeting expectations?

The only area that I am willing to give them a "bye" on is that of incident response procedures, and even that is not too difficult to get a handle on.

Unfortunately, Fortune 500 corporations make the same mistakes. Security is not that difficult, yet most folks pay little-to-no attention to even the fundamentals.

If someone broke into your store/small business would you have fared better than the Davidson County officials?

Here is what was fixed, security-wise in the 1.1.3 update:

Foundation
CVE-ID: CVE-2008-0035
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1 through 1.1.2
Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of URLs.

Passcode Lock
CVE-ID: CVE-2008-0034
Available for: iPhone v1.0 through v1.1.2
Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

Safari
CVE-ID: CVE-2007-5858
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1 through 1.1.2
Impact: Visiting a malicious website may result in the disclosure of sensitive information
Description: WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy.

CVE-2008-0034 (bypassing of the passcode lock) is ugly and I hope this is the last time this feature has a vulnerability. CVE-2008-0035 is what was used by those "cool" folks to break their phones to run apps on it. I still stand by my position that it is unwise to publish the means to decimate the security of any device for the sole purpose of being able to make it do what you want it to do. Who knows how many folks were exposed to real iPhone vulnerabilities as a result of the work of these "fine" engineers.

Fire up Software Update or head on over to QuickTime's official download page to grab the 7.4 update. While it fixes:

• CVE-2008-0031: A maliciously crafted Sorensen 3 movie file may lead to arbitrary code execution
• CVE-2008-0032: A maliciously crafted movie file may lead to arbitrary code execution during the handling of Macintosh resource records
• CVE-2008-0033: A maliciously crafted movie file may lead to arbitrary code execution during parsing of Image Descriptor atoms
• CVE-2008-0036: A maliciously crafted PICT image may lead to arbitrary code execution

it does *not* fix the most recent QuickTime flaw, however, so continue to watch which sites you visit. Remember what your mother taught you: don't accept streaming media from strangers!