security

Even Google Has Bad Days

bob — Tue, 15 Apr 2008 02:19:56 -0400

In my (lately) infrequent viewing of hosted Google mail, I noticed the following (click for bigger image):

At least this shows that even the might Google can strike out once in a while (which makes the difficulties of the past few weeks just a tad easier to deal with).

New HHS HIPAA Audit/Compliance/Enforcement Procedures Posted

bob — Wed, 27 Feb 2008 14:20:26 -0500

CMS is now the enforcement arm of the HHS for HIPAA and they’ve posted a sample interview/document request sheet.

You should already be prepared to answer questions like these if your security program is maintained well. It will be important to limit the scope (i.e. have a well-defined list of where EPHI - Electronic Protected Health Information - is stored) and it’s probably an even better idea to map the areas outlined against your policies and whatever standards you’ve built them against.

Hiveminder Security Only For Paying Customers

bob — Tue, 19 Feb 2008 14:22:02 -0500

UPDATE: Thoughtful response from Jesse @ Hiveminder in the comments.

Fans of Getting Things Done [GTD] are on a never-ending quest for the ultimate solution to help them get and stay organized. Remember The Milk [RTM] is one Web 2.0 site growing in popularity amongst the GTD-followers which allows you to perform task management via a slick web interface, from instant messaging services, on Twitter and even has a robust API for custom integration (not to mention some very interesting Google Apps interfaces). Amazingly enough, it even allows you to perform actions over SSL so your credentials and task bits remain secure (if you’re into that whole security thing when it comes to putting your information on Web 2.0 sites).

Contrast that with another contender I just learned about - Hiveminder. It has the similar integration points and facilities (some not as spiffy as RTM), but an entry in their FAQ gave me pause:

You’re not using SSL; how do I know my password is safe?
If you have a Javascript-enabled browser (most of them are these days), then your password will be encrypted when logging in, before being sent to us over the internet. But we also offer SSL encryption as a feature to pro users.

In other words: we don’t care about the security of your data unless you pay us to.

That is a fairly cavalier attitude given that their competition lets you encrypt all web traffic whether you are entering login credentials or just plain browsing.

In many cases, Web 2.0-ish sites put features first and security second (or third), and my concern is that others will either adopt this model of “Features? Sure, you can have ‘em! You want security? Cough up some dough!” or alter their terms of service to switch to this business model at some point after they gather a decent user-base.

This is yet another example of why you need to read the fine print when choosing a product or service and - especially for Web 2.0 sites - ensure that you have complete control over your data.

So, You Think That Hard Disk Is Encrypted? Think Again.

bob — Tue, 19 Feb 2008 02:16:52 -0500

Found this via slashdot.

The top-notch security researchers over at heise security discovered that encryption seems to be a play on words for a large class of consumer-targeted hard drives that use a common controller chip. While the manufacturers claim AES encryption, the reality is that AES is only used in one small part of the drive operation, with the rest being little more than a simple XOR data obfuscation:

heise Security has since received a statement from Innmax, the manufacturer of the IM7206[2] controller chip used, confirming our findings. The IN7206 merely uses AES encryption when saving the RFID chip’s ID in the controller’s flash memory. The company explained that actual data encryption is based on an algorithm developed in-house. As they put it, “The IM7206 only offers basic protection and is designed for normal users.” In contrast, the more expensive IM8202 controller chip is being designed for “power users, banks, and it enterprises with high security requirements”; it will reportedly offer true 128-bit AES encryption for data – but the chip is still in the development phase.

Fine print is especially important in security products and is one reason it is always a good idea to delve into details when there are assertions of FIPS certification levels, claims of the use of encryption or product security testing seals. heise invested very little effort and found a fairly large, gaping hole. Would your enterprise architecture team – even with the help of your security gurus – have been able to do the same?

Stop trusting your vendors and start verifying anything you plan on putting into production, whether it’s for data protection or just operational/functional performance/efficiency.

Browser History As A Web Service

bob — Sat, 09 Feb 2008 01:10:42 -0500

Well, you always wanted to share your browsing history with the planet, didn’t you?

(OK, so *technically* this really should have been a Tumblr post, but Tumblr and MarsEdit do not have speaks with each other and I really like MarsEdit. To all those bitterly disappointed in this choice, here is something to entertain you for a while.)

Totally Missed This - New FedTech Articles Online & In-Print

bob — Fri, 08 Feb 2008 11:14:32 -0500

The Employee Who Never Leaves was co-authored by Phil Kostenbader and myself (why they used phil’s picture in the article I’ll never know :-) and should scare the pants off of any manager, especially those with savvy IT employees.

Those with an in-print subscription will learn the basics of Windows patch management.

Wasn't There A Candidate Not Under Federal Investigation?

bob — Thu, 07 Feb 2008 21:25:05 -0500

From Government Executive:

The Homeland Security Department has appointed an official who is under federal investigation to a key position overseeing a program worth hundreds of millions of dollars to secure computer networks across the federal government.

The Feb. 1 appointment of Scott Charbo, Homeland Security’s chief information officer, to be deputy undersecretary for the national protection and programs directorate, drew immediate criticism from House Homeland Security Committee Chairman Bennie Thompson, D-Miss., who was familiar with Charbo’s past.

In a letter to Homeland Security Secretary Michael Chertoff, Thompson said an investigation conducted by his committee last year showed Charbo failed to properly address computer security breaches within agencies housed at department headquarters, along with incompetent and possibly illegal activity by private contractor Unisys.

The incidents included the exfiltration of information from Homeland Security Department networks to a Web-hosting service that connects Chinese Web sites, according to Thompson’s investigation.

The security breaches that occurred under Charbo’s watch and the work by Unisys are now under investigation by the FBI and the Homeland Security Department inspector general, according to Thompson and congressional aides.

We can just hope that the individual that takes over next January (provided Bush doesn’t declare martial law before then) strives to just be a little less inept and corrupt than the current leader of the weakest currency in the civilized world.

TrueCrypt Post Up On TAB

bob — Wed, 06 Feb 2008 16:30:54 -0500

I take a look at one of the more interesting security tools to hit Apple desktops in quite a while in TrueCrypt 5.0 Brings Plausible Deniability To OS X Users over on The Apple Blog:

If you need/desire cross-platform compatibility, then TrueCrypt is a perfect choice. You can encrypt a virtual disk image onto a USB drive and take it from Windows to Linux to OS X and gain access to your all your secret data, something that is not possible with OS X secure disk images.

Fix For Office 2008 Security Issue

bob — Sat, 26 Jan 2008 01:42:54 -0500

UPDATE: Now up on TAB (Josh is teh cool) with good discussion in the comments on the efficacy of the executable.

[NOTE: Once/if Josh posts this to TAB, I’ll be modifying the entry to just link over there…only posting it now in the interest of time (since it’s after 1AM on the right coast). It needs to be on TAB so the widest audience gets the security fix info.]

For those that have installed Office 2008, you may have seen some news floating on the internets about improper permissions — that were created by the installer — potentially allowing another local user to access your documents. It’s not a remote exploit issue and most folks are probably not vulnerable (you only need to be concerned if you’ve created another user on the system).

Erik Schwiebert posted instructions for a temporary fix over at Mac Mojo and Microsoft will be issuing an official patch/update to address the issue as well. Erik’s instuctions require some Terminal-fu, so I wrapped them into an executable – Fix Office 2008 Permissions.

Just download/extract the archive and run the executable. You will be prompted for your password since the fix requires elevated privileges.

If you have any issues with the executable or following Erik’s instructions, post them in the comments and I’ll see if your particular install requires any tweaking.

Voters + Missing Laptops - Guards == Trouble For Davidson County

bob — Thu, 17 Jan 2008 17:59:03 -0500

A story in the Fairview Observer illustrates a number of problems that plague more than just small county election offices.

In Davidson County, two laptops were stolen from the offices of the election commission. One of the laptops had a password taped to the top, though the election administrator, Ray Barrett, claims that it was an old password that had been changed. The other laptop was claimed to be broken. These systems were not secured - no hard disk encryption, no physical isolation - and contained approximately 337,000 Social Security numbers.

The Mayor has called for a government-wide security audit, but that may do little to allay the fears of voters and voter watchdog groups. Without encryption, the data on the disks inside those systems is completely accessible to the thieves. Beyond the PII loss, there is also a concern that the voting machine ballot testing software may also be loaded on the systems, potentially putting election results at risk.

There are reports that the security guards ignored their duties the night of the break-in and, in an audit of the access card key swipes, it was discovered that no guards had been watching the building at all on Saturday nights through early Sunday mornings for months.

What could they have done to prevent this?

Physically secure the portable computers
Employ full hard disk encryption
Maintain an accurate and up-to-date inventory of what data and applications reside on all systems
Never tape passwords/passcodes/passphrases to machines
Have a tested incident response program in place
Perform regular audits of the physical security controls

Would it have been *that* hard to lock the laptops in a desk or cabinet? Is hard disk encryption *that* expensive or difficult to employ? In such a small environment, is maintaining an asset database *so* time-consuming and intensive to make it not worth doing? Is it completely unreasonable to expect folks to remember a password? Should an organization not already be making sure outsourced functions are meeting expectations?

The only area that I am willing to give them a “bye” on is that of incident response procedures, and even that is not too difficult to get a handle on.

Unfortunately, Fortune 500 corporations make the same mistakes. Security is not that difficult, yet most folks pay little-to-no attention to even the fundamentals.

If someone broke into your store/small business would you have fared better than the Davidson County officials?