Beware of Drive Erasure Problems on SSD Drives

There is a lot of interesting research going on right now with the processes and tools that may be useful in erasing the new solid state drives that many laptops and other systems are using. The traditional methods of magnetic cleansing (degaussing), and even file over-write tools that have been in use now for decades in many organizations, have little to no effect on removing sensitive data on these solid state drives.

Here is a nice article explaining some of the problems.

As described in the article, it seems that many of our current data management and cleansing techniques simply do not apply to these solid state memory-based devices. This makes drive encryption all the more urgent, as these systems are beginning to pop up in many organizations that are starting their hardware refresh processes after delaying them due to economic conditions.

If you are an information security team, or an IT team considering such purchases, please make appropriate cryptography a part of your solution. Many solutions exist by a variety of vendors today with pricing ranging from near zero to the cost of full-scale commercial enterprise implementations in the hundreds of thousands of dollars. Complexity also ranges from trivial and built into the operating system to quite high, depending on centralized management and remote assistance capabilities.

No matter how you to choose to address the problem, the key factor is that you are aware that SSD systems are a different animal with unique challenges versus traditional hard disks. Knowing that will at least put you on the right path toward investigating a solution and updating your processes.

Learn a Scripting Language to Make Security Work Easier

One of the most common complaints I hear from folks working in information security is that they are overwhelmed with data, alerts, log files and all of the other information sources they deal with on a daily basis. Often, this is a problem that can be solved with an adjustment to the level of data they are looking at and investment in some processes and tools to help gain some leverage. You may not need or be able to afford a full SEIM implementation, but with a couple of basic tools and a little bit of creativity, you can likely get a bit more leverage than you are today.

The first thing I often advise folks to do is to embrace a scripting language. You don’t need to become a master coder, but to get some leverage from systematizing your work, you will have to create some tools that are specific to your work. These scripts or tools should replicate much of the repetitive work you are doing today and can be a simple front end to handle the most common issues without your personal interaction, thus saving you time and resources.

Specifically, let’s say you have to comb log entries for a specific message that is pretty routine and then email the help desk when you see that message with the relevant details. In our example, with some basic scripting skills in python/ruby/perl, this becomes an easy to automate task. Pull the data in, parse through it with some scripting logic, segregate out the events you need and then drop them into an email and send it out. A quick script that runs in a scheduler or cron and your new virtual assistant just took over one of your daily tasks.

Do this enough, and you knock out much of the repetitive work you face today. That frees up your cycles to dive deeper, do additional research or grow your skills.

Scripting helps in other ways too. Understanding programming logic basics is a huge plus for security folks who might have a more network/systems-centric background. It will help you understand a lot more about how applications work in your environment and how to best interact with them in ways to protect them. It also gives you some empathy when working with developers and other folks who are heads down in code. Scripting can also be a very valuable skill in just solving complex problems and the security world is full of those.

How to get started in mastering the basics of a scripting language? Well, identify how you learn best. Are you a classroom learner, then take a class or use online universities and training that are common today. Learn by reading? Then get yourself a good book from Amazon or the mall and get started. Learn by doing? This is the easiest on of all. Just do it. Choose one language. Stick with it. Learn the basics. Looping, variables, basic syntax, file access, etc. Then grow your skills over time by actually scripting your tasks.

I challenge you to try this for 90 days. Give it a shot. If, after 90 days, this is not helping you free up more time at work, learn more about things you don’t know today and making your job in security easier, then write me a nasty email and stop doing it. I have made this challenge before and haven’t gotten one email in more than a decade that said it was horrible and that it didn’t help. 90 days. Give it, and yourself, a break and make it happen. The first step is committing to actually do it. Make the commitment and follow through. You won’t be sorry.

How to Avoid Falling For Social Engineering Attacks

I am one of the “end-users” in our organization. I’m not a tech, but over the years have had my eyes opened regarding information security and ways I can safeguard my own private data. My favorite tool is a password vault, which helps tremendously as I belong to dozens of sites. Quite frankly, I can’t remember what I had for dinner yesterday much less recall all the different passwords needed to access all those sites. So a password vault is incredibly helpful.

But what really fascinated me was the discovery of social engineering. Social engineering is when someone uses deceptive methods in order to get you to release confidential information. Sometimes it’s almost obvious, sometimes it’s sneaky. But on most occasions, people don’t realize what’s happening until it’s too late.

I’ll give an example: One time I received several phone messages from my credit union. I was told there was an issue and to return the call. I called my credit union to discover that (surprise, surprise), there was no “issue” and they never called me. So when this shady outfit called me two days later, I was home and answered the phone. After the woman went through some type of script (needing my account number, natch), I blew up.

“For your information, I contacted my credit union and there IS no issue and no need to speak to me. How in the world do you sleep at night, deliberately trying to get people to give you confidential information so you can steal from them? You’ve got a helluva lotta nerve to keep calling!”  The woman was silent. I slammed the phone down. I never heard from them again.

The point of this colorful little story is that thieves and hackers are everywhere. With our information becoming more digitalized, we need to be on guard more than ever before and use the most powerful weapon we’ve got.

QUESTION EVERYTHING.

And follow some of these tips:

  1. If you receive an email from PayPal or a credit card company and they want to “verify” your account, check the URL. If a letter of the company’s name is off or it looks totally different, do NOT click on it. (You can see the URL usually by hovering your mouse over the link.)
  2. Never  click on a link in an email to a financial institution. If you are a member of this institution, call their customer service number. Have them check your account to see if indeed there was a need to contact you.
  3. Always check the identity of anyone who is calling you on the phone to ask for confidential information. Say you’re about to run out the door and get their name and phone number. Then call the organization they represent to verify that this person is legit.
  4. Check to make sure a site is secure before passing on confidential information. Usually this information is either available under a “Privacy” link or an icon (like a lock) is visible in the address bar.
  5. At your workplace, use the same approach. Be friendly, but wary in a good way. If you have a courier who needs to give their package directly to the recipient, casually ask a co-worker if they could accompany the courier to their destination and then ensure they leave promptly afterward. Use this method for any strangers who are visiting your organization such as repairmen, copier salespeople, or phone technicians.

Speaking of copiers, beware of “boiler-room” phone calls. These are attempts to gather information about your copier (i.e., serial number, make and model of copier) so the unscrupulous company can ship expensive supplies to a company and then bill you, as though it was a purchase initiated by your company. These types are scumballs in my book. After I learned what they did, I’d have a bit of fun with them before hanging up. Now I don’t have the patience for it. I just hang up.

You have to be sharper than ever to see through a social engineering attack. The challenge is to retain that sharpness while in the midst of multiple tasks. Most of the time, the attacker will take advantage of a busy receptionist, a chaotic office, or a tired staff when they try their dastardly deed. (Ever notice you hardly get these attempts early in the morning, when you’re awake and alert? And how many happen close to quitting time on a Friday?)

Just a few thoughts to keep you sane and safe. Confound the social engineering attacks so you won’t be the one confounded! Good luck!

InfoSec Insights: Getting Indexed Via Twitter – Good & Bad

Earlier this week, I did a quick experiment in the MSI Threat Lab. I wanted to see what happened when someone mentioned a URL on Twitter. I took a HoneyPoint Agent and stood it up exposed it to the Internet on port 80.

I then mapped the HoneyPoint to a URL using a dynamic IP service and tweeted the URL via a test account.

Interestingly, for the good, within about 30 seconds, the HoneyPoint had been touched by 9 different source IP addresses. The search engines, it seems, quickly picked the URL out of the stream, did some basic traffic and I assume queued the site for crawling and indexing in the near future. A few actually indexed the sites immediately. The HoneyPoint cataloged touches from 4 different Amazon hosts, Yahoo, Twitter itself, Google, PSINet/Cogent and NTT America. It took less than an hour for the site to be searchable in many of the engines. It seems that this might be an easier approach to getting a site indexed then the old visit each engine and register approach, or even using a basic register tool. Simply tweet the URL and get the ball rolling for the major engines. 🙂

On the bummer side, it only took about 10 minutes for the HoneyPoint to be probed by attacker scanning tools. We can’t tie cause to the tweeting, but it did target that specific URL and did not touch other HoneyPoints deployed in the range which certainly seems correlative. Clearly, search engines aren’t the only types of automated applications watching the Twitter stream. My guess is that scanning engines watch it too, to some extent, and queue up hosts in a similar manner. Just like all things, there are good and bad nuances to the tweet to get indexed approach.

Further research is needed in what happens when a URL is tweeted, but I thought this was an interesting enough topic to share. Perhaps you’ll find it useful, or perhaps it will explain where some of that index traffic (and scanner probes) come from. As always, your mileage and paranoia may vary. Thanks for reading!

Audio Blog with Brent Huston: SpeakerConf 2011 and Developer Awareness

I recently attended SpeakerConf 2011, which was a fantastic tech conference for developers. We had some great sessions, and I was able to connect more with developers. In this audio blog post, I cover:

    1) Observations from SpeakerConf

    2) What language developers are loving right now

    3) New attack processes

    4) Moving into the next phase of security

This and more. Check it out!

Click to access the entire audio file: DevAwarenessSpeakerCon

All Your Data Are Belong To Us!

My last post discussed some tactics for realizing what’s happening under the hood of our browsers when we’re surfing the web, and hopefully generated some thoughts for novice and intermediate users who want to browse the Internet safely. This week, we’re going to look a step beyond that and focus on steps to protect our passwords and data from unwanted visitors.

Passwords are the bane of every system administrator’s existence. Policies are created to secure organizations, but when enforced they cause people to have trouble coming up with (and keeping track of) the multitude of passwords necessary. As a result, people commonly use the same passwords in multiple places. This makes it easier on us as users because we can remember puppy123 a lot easier than we can those passwords that attackers can’t or don’t guess. Doing so also makes it easier on attackers to find a foot hold, and what’s worse is that if they are able to brute force your Yahoo! email account then they now have the password to your online banking, paypal, or insurance company login as well.

Hopefully some of you are thinking to yourselves “Is this guy telling me I shouldn’t be using the same password for everything?” If you are, you get a gold star and you’re half-way toward a solution. For those of you who are not, either you have mastered the password problem or still don’t care- in which case I’ll see you when our Incident Response Team is called to clean up the mess.

To solve this problem, find your favorite password manager (Google will help with this), or use what our team uses- KeePass. This is a fast, light, secure password manager that allows users to sort and store all their passwords under one master password. This enables you to use puppies123 to access your other passwords, which can be copied and pasted so you have no need to memorize those long, complex passwords. KeePass also includes a password generator. This tool lets users decide how long and what characters will make up their passwords. So you’re able to tailor passwords to meet any policy needs (whitespace, special characters, caps, etc) and not have to think about creating something different than the last password created- the tool handles this for you.

In addition to password composition, this tool lets you decide when and if the password should expire so you can force yourself to change this on a regular basis- this is an invaluable feature that helps minimize damage if and when a breach DOES occur. Once passwords are created, they are saved into a database file that is encrypted- so if your computer is lost, stolen, or breeched in some other manner, the attacker will have a harder time getting to your protected password data. There are many of these solutions available for varying price ranges, but I highly recommend KeePass as a free solution that has worked really well for me for quite some time. It’s amazing how nice it is to not have to remember passwords any longer!

Okay, so our passwords are now safe, what about the rest of our files? Local hard drive storage is a great convenience that allows us to save files to our hard drive at will. The downside to this is that upon breaking into our PC an attacker has access to any file within their permission scope, which means a root user can access ALL files on a compromised file system! While full disk encryption is still gaining popularity, “On the fly encryption” products are making their mark by offering strog and flexible encryption tools that create encrypted containers for data that can be accessed when given the appropriate password.

I have used the tool TrueCrypt for years and it has proven to be invaluable in this arena! TrueCrypt allows users to create containers of any size which becomes an encrypted drive that can be accessed once unlocked. After being locked, it is highly unlikely that an attacker will successfully break the encryption to decipher the data, so if you’re using a strong password, your data is as “safe” as it can be. This tool is one of the best out there in that it offers on the fly and total disk encryption, as well as allowing for encryption of individual disk partitions including the partition where Windows is installed (along with pre-boot authentication), and even allows these containers to be hidden at will.

Wow, we’ve gone through a lot together! You’re managing passwords, protecting stored data, learning what’s going on when your browsing the web, and becoming a human intrusion detection/prevention system by recognizing anomalies that occur in regular online activities! Visit next time as I explorer updates with you to round out this series on basic user guidelines.

Mobile Application Security Podcast with Brent Huston

Are you working with mobile applications? Trying to figure out security? In this helpful informative podcast, Brent covers 3 tips that will give you the tools you need to move forward. Often a developer isn’t certain what questions to start asking. Brent shares some common areas that include foundational practices:

Here is what you’ll learn:

    1) What you should be doing to encrypt your application

    2) Almost 50% of the apps we tested missed this powerful avenue toward leveraging knowledge that is readily available

    3) How are you storing your data? And where? Brent shares insights on data storage

Click to access the entire audio file

Quick Advisory: Several new DB2 & PostgresSQL Exploits in the Wild

In the last couple of days, several new vulnerabilities, some with exploit code, have been made public in the DB2 database and PostgresSQL products. Given the core sensitivity of the data and business processes often handled by these applications, we thought we would post about them.

If you are running these applications as a part of your core business processes, now might be a good time to check with the vendor support sites, download the available updates and get them into your weekend maintenance windows as a critical update.

Given the exploit code availability and the ease of exploitation for a couple of these issues, their impact could be high if an attacker is in position to leverage them against your organization.

As with all of your applications, these should already be a part of your ongoing patching cycles, though these components are often missed or ignored as “too critical to patch”. Don’t make that mistake.

If you would like more information about the issues or would like to schedule a briefing privately with one of our engineers, please give your account executive a call or email. As always, thanks for selecting MicroSolved as your security partner!