Ryan, the co-founder of Provide Security, said the goal of the study was to determine how effective social networking sites like Facebook, Twitter, and LinkedIn would be as tools in covert intelligence-gathering activities. He crafted “Robin Sage”, a 25 year old Navy cyber threat analyst who graduated from MIT. Even though the profile had some red flags, like a 25 year old having “10 years experience,” it took less than a month to make connections with many in security related fields. Virtual friends shared photos, personal information, invited Robin to conferences, and a few even expressed interest in hiring her.

If Robin were a foreign agent, she would have had access to a lot of very useful information, said Ryan, who is scheduled to present his findings at the upcoming BlackHat security conference in Las Vegas.

Even if you are not in the spy game, what can you learn from this?

• Like your momma said, “If it sounds too good to be true, it usually is.”
• If you don’t know them, don’t friend them.
• Always be mindful of how information posted online could be used against you by identity thieves. For example, how many answers to your security questions for your bank account can be gathered from your Facebook profile?

Social networking has the potential to bring friends together regardless of distance, just be careful who you invite to the party.

Article Inspiration: CIO.com – Fake ‘Femme Fatale’ Shows Social Network Risks

Related posts:

1. The Value of Facebook… There can be no denying that Facebook, like so many...
2. Links of the Week: Data Security Edition There were some great articles on CIO.com this week relating...

So what versions are vulnerable this time? Basically all versions of IE on Windows 2000, Windows XP, and Windows 2003 Server (with Enhanced Security Configuration disabled). Protected Mode – a feature of Internet Explorer on Vista, Windows 7, and Windows 2008, prevents the attack from succeeding.

The Microsoft Security Advisory (980088) does contain a few workarounds for those stuck on a vulnerable platform:

• Disable Active Scripting for the Internet Zone
• Enable Network Protocol Lockdown for the file:// protocol (Windows XP only)

So far there are no known attacks in the wild, but we recommend that you take steps to protect your computers if using a vulnerable version.

Resources:

• Microsoft’s Advisory
• Secunia’s Advisory

Related posts:

1. Tech News – Internet Explorer 8 Edition Internet Explorer 8 Released. Improvements include: Smart Address Bar, Tab...
2. Microsoft asks users to abandon IE6, kinda Much has been written about the recent hack targeting Google,...
3. 10 very annoying system defaults I was reading 10 seriously annoying default configurations at TechRepublic...

1. Implement a document management program. This falls in the category of “identify your treasures.” Make a list of the different types of documents you need to keep – invoices, receipts, contracts, etc. Next determine who needs access to these documents in order to do their job. Identify security measures needed to maintain privacy of the data. Lastly, train all employees on responsible information-handling. Many certifications like PCI and Red Flag require this secure document management training to be compliant.
2. Implement a document retention schedule. Building on #1, you should identify how long each type of document should be kept. Have a procedure to remove expired documents from storage and destroy them securely. If you process a large volume of documents, consider contracting the shredding to a trusted third-party.
3. Regularly shred sensitive documents. For documents that do not need to be retained, provide storage containers in convenient locations for documents that need to be shredded and have them emptied regularly. Make destruction rules simple on employees – when in doubt, shred it.
4. Keep documents securely offsite. This requirement should be balanced by the document management program. For documents that must be stored but are not required for frequent business processes consider storing them offsite. If you have a small amount of documents, a safe-deposit box might suffice. For larger amounts of documents, consider off-site data storage companies like those used for tape backup and disaster recovery services.
5. Limit acquisition of confidential customer data. If information is not integral to the business process, see if you can limit your exposure by not asking for the information. Once you have it, you are responsible for securing it. Follow a need-to-know policy on release of private customer data to employees.
6. Use password protection. Most document formats that can be password protected can also be cracked easily. So you must consider document password protection as a simple deterrent. Instead consider disk based encryption like TrueCrypt for file storage and PGP for files that have to be emailed.
7. Install and update virus protection software. They refer to this software as virus protection software, but make sure your software protects against all forms of malware and not just viruses. I personally like Microsoft Security Essentials due to its price point, its light footprint, and its effectiveness. Keeping anti-malware software up-to-date is a good first line defense, but does not replace security awareness training.
8. Clear data before disposing of old computers. We consider this process to be instrumental to a good security program (surprise, surprise). Use data destruction software like Blancco, dBan, or KillDisk to ensure that no data can be recovered from your machines after you are done with them. If you contract this service out, here are 5 questions you should ask a data-destruction company. As smartphones like Blackberries and the iPhone get used by companies in larger numbers, do not forget about wiping them as well.
9. Review company credit card statements. Corporate credit accounts can be compromised as easily as consumer ones. Make sure your security program includes a review of credit card billing for fraudulent charges.
10. Limit use of file sharing programs. File sharing programs can be a breeding ground for malware, and if used inappropriately can be a mechanism to expose business data. Using tools like Spiceworks you can easily generate reports to see exactly where a particular program is installed.

In general, if you don’t need it, don’t store it. If you aren’t sure, don’t store it and ask the customer for it when needed.

Cintas Issues Top 10 Tips for Protecting Business Data in Honor of Data Privacy Day

Related posts:

1. Stimulus Bill significantly modifies HIPAA regulations Buried within the huge American Recovery and Reinvestment Act (a.k.a,...
2. 5 Questions to ask your Data Destruction Company When you replace your computers, what happens to the data...
3. Data Destruction: Is One Pass Overwriting Enough? There is some controversy regarding data destruction in the IT...

If you choose to outsource data destruction services, how can you be sure they handle your data with the same care as you would? Here are a few questions to ask:

What methods of data destruction do you provide?

This question is more for your education than anything else. There are many different forms of data destruction. First is do they use software or physical destruction methods. On the software side there are many different algorithms, from single pass, 3 pass, 7 pass, Secure Erase. The NIST states that a single pass is sufficient for most drives, but 3 pass tends to be the standard.

On the physical destruction side, there is degaussing, drilling, shredding, or hitting it with a hammer. If they use drilling, ask how many holes they drill into the platters. If they only do 1 or 2, be wary that it is theoretically possible to retrieve portions of the drive using an electron microscope. Our perferred method is shredding. Unlike degaussing, you can easily tell if the drive has been destroyed, and it doesn’t have the safety issues of hitting it with a hammer or drilling.

What do you do with failed drives?

When using software overwriting techniques, not every drive will be able to wipe 100%. Remapped sectors and bad sectors can still have data in them. At what point does the company consider a drive failed, and what do they do when it fails? Do they attempt to wipe it again? Do they inspect the drive for data remnants? Do they physically destroy the drive?

What reporting options are available?

The company providing the data destruction services should provide some form of certification of data destruction, but what does that certificate say? Does it merely indicate that they destroyed some data? Can the certificate be tied back to a particular asset? Preferably back to an asset tag you can track through your own inventory management systems?

Do you have any outside certification?

Has their process been inspected and verified by an independent body? Have drives destroyed by the company been inspected by data recovery firms? Common certifications are the NAID AAA certification, and we are starting to see requests for certification under the PCI / DSS rules. If a company has not been certified, be wary of their data security processes. Even if they have been certified, ask if they will let you tour the facility and see the processes for yourself.

What do you do with e-waste?

No matter how a company destroys data, there will be some electronic waste generated. What do they do to ensure that this waste does not end up in landfills? Do they partner with a recycling firm? Do they recycle the electronic waste themselves?

Related posts:

1. Data Destruction: Is One Pass Overwriting Enough? There is some controversy regarding data destruction in the IT...
2. 10 Tips for Protecting Business Data How do you protect confidential business data? Here are 10...
3. Buy a used hard drive on eBay, get government secrets for free! Imagine it, you purchased a computer on eBay, plug it...

In their blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations.

	Windows 2000	Windows XP	Windows Vista	Windows 7
Internet Explorer 6	Exploitable	Exploitable (current exploit effective for code execution)	N/A (Vista ships with IE7)	N/A (Windows 7 ships with IE
Internet Explorer 7	N/A (IE 7 will not install on Windows 2000)	Potentially exploitable (current exploit does not currently work due to memory layout differences in IE 7)	IE Protected Mode prevents current exploit from working.	N/A (Windows 7 ships with IE
Internet Explorer 8	N/A (IE 8 will not install on Windows 2000)	DEP enabled by default on XP SP3 prevents exploit from working.	IE Protected Mode + DEP enabled by default prevent exploit from working.	IE Protected Mode + DEP enabled by default prevent exploit from working.

In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to the individual to upgrade if they desire. Because of this, there are still many major corporations that have not yet upgraded from this now ancient browser – IE 7 was released over 3 years ago.

Even though this event is likely to not change their behavior, if upgrading the operating system is not an option, they should at least consider deploying Firefox and the awesome extension IE Tab for those times when they just have to use Internet Explorer.

Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?

Related posts:

1. Another Internet Explorer Vulnerability (…sigh) Well, here we are again. A few weeks after Microsoft...
2. 10 very annoying system defaults I was reading 10 seriously annoying default configurations at TechRepublic...
3. Tech News – Internet Explorer 8 Edition Internet Explorer 8 Released. Improvements include: Smart Address Bar, Tab...

It’s no wonder that many users resort to picking easily guessed words, put passwords on sticky notes, or use the same password for every service out there. A recent study even indicates that IT security professionals are suffering from password fatigue.

Password Managers

One solution to password fatigue is using a password manager. Many operating systems, like OSX and Windows 7 even include password management tools within. My personal favorite is KeePass, an Open-Source manager that was developed for Windows, but has been ported to OSX and Linux.

The main drawback with password managers is that they require extra effort to maintain. Every time you create a new account or change a password on an existing account you have to keep your password manager in sync. Over time it is easy to have the wrong password on file, or worse, not have the password you need on file.

Password Schemes

An alternative to password management tools is coming up with a consistant scheme for generating new passwords. The idea is that if you use the same rule for generating passwords, you can figure out what the password would be.  One scheme is to use a base password, then append something related to the service. So for example, your base might be ‘asdf’. So if you were creating an account on Yahoo you might use the password ‘asdfyahoo’ or ‘yahooasdf’.

The drawback with this approach is that each site has its own password guidelines. Some require alpha and numeric characters, some require a combination of upper case and lower case, and others require extended characters like ‘$’ or ‘&’. Coming up with a scheme that supports all the requirements is a challenge. And what about services that require your password to change regularly. Either you have to create multiple base passwords or multiple service keywords – and once you do that you are back to keeping track of individual passwords.

Choosing Memorable Passwords

A third option is picking passwords that are easy to remember. The challenge is in picking a password that is both easy to remember and secure. For example, while everyone can remember ‘password,’ it is not a very secure choice.

One trick is to pick a phrase that can be remembered such as ‘The fox jumped over the tall hedge’ and use the first or last characters from each word. So in our example phrase you might use the passwords ‘tfjotth’ or ‘exdrele.’

While this approach makes passwords easier to remember, you still should not use the same password for every service, so it makes sense to pick a few phrases that can be remembered and cycle through them.

How do you deal with the many passwords in your life?

Related posts:

1. Microsoft asks users to abandon IE6, kinda Much has been written about the recent hack targeting Google,...

The first requires access to a power outlet on the same circuit as the target computer. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical circuit. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds, they say. The attacker then filters out other ground signals and is left with the keystrokes entered.

The second attack points cheap lasers at shiny portions of a laptop, like its lid or even the surface of the table near the device and measures the vibration caused by hitting the various keys. The researchers claim that each key has a distinct vibration pattern and by knowing the language used by the typist, the keys entered can be determined. They found the attack works best when pointing at the lid of the laptop, either at a shiny logo or at a spot near the hinges.

The cost of the tools needed for the electrical outlet attack cost around $500 US and the cost of the laser attack cost around $100 US and took about a week to test. While the researchers admit that their tools are currently rudimentary, they feel that given their minimal time committment and relative cheapness of the tools illustrate the potential for expansion by a dedicated team or government entity.

CIO.com – How to Use Electrical Outlets and Cheap Lasers to Steal Data

Related posts:

1. Build an under-the-cabinet kitchen PC Lifehacker is on a laptop recycling kick recently. Last week...
2. Hacking the Dot-Matrix Printer It sounds like something out of a bad spy movie,...

It sounds like something out of a bad spy movie, but researchers at Saarland University have published a paper on a new hack targeted at those old trusty dot-matrix printers. These researchers discovered that by recording the sounds the printers made and running them through a speech-recognition algorithm, they were able to extract the words printed on the page.  They were even successful in running their tests inside an actual doctor’s office – with permission of course, so this is not something that only works in the lab.

So what? No one still uses these dinosaurs, right? Not so fast, in a survey conducted by the same university, 30% of the banks, and 58.4% of doctor’s clinics still use them. In many cases, these devices were used to print out semi-sensitive information like receipts and prescription information.

And why do businesses still use dot-matrix printers? Well, for fairly standard reasons – they cost less then more modern printers, are very durable, and work with older hardware and computer systems. One company I talked to about this study said that it was cheaper to keep these old printers working then to upgrade the systems and software that utilized them.

After reading the paper, it seems the attack would have to be tailored to a particular model of printer, but even with that limitation, some interesting possibilities are available. Will the next Mission Impossible movie include a scene with Tom Cruise planting a recording device in a bank to get account numbers of his target? And what will we find out next, that the contents of a CRT or LCD can be replayed by measuring the radiation output? Oh wait….

Original study: How Printers Can Breach Our Privacy: Acoustic Side-Channel Attacks On Printers

Related posts:

1. Use Electrical Outlets or Lasers to capture keystrokes? This has been a week of crazy hacking announcements. CIO.com...
2. Do you know who your friends are? It sounds like a plot out of one of a...
3. Buy a used hard drive on eBay, get government secrets for free! Imagine it, you purchased a computer on eBay, plug it...

Come shake some hands where smart business people come for their computer supplies and data security needs.

Enjoy Yellow-Tie networking with breakfast and coffee, and a back-store tour.

What could be better?

Hosted By….  EPC, Inc.

– http://www.epcusa.com

Host Contact. Frank Polston — 636-443-1999 x1013, frank@epcusa.com

Date……… Tuesday, June 23, 2009
Time……… 7:30 to 9 a.m.
Location….. EPC, Inc.
Address…… 3941 Harry S. Truman Blvd., St. Charles, MO 63301

Cost……… Free

Register now at: http://www.yellow-tie.org/events/stcharlesco/june2009handshakes

No related posts.

This hard drive reportedly contained files from Lockheed Martin, a large US military contractor. The data recovered included: test launch procedures for the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system, security policies, blueprints of facilities and social security numbers for individual employees.

A representative from Lockheed Martin is quoted in the article as saying:

Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.

Fortunately, this drive as purchased as part of a controlled study to see what information could be recovered from used hard drives and did not fall into the wrong hands. The study also uncovered other sensitive information including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions.

The drives were bought from the UK, America, Germany, France and Australia by BT’s Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.

A spokesman for the project said they found 34 per cent of the hard disks scrutinized contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organization.’

Even though the information in this case did not fall into the wrong hands, this story illustrates the importance of having a controlled data destruction process in every organization. Ask yourself this: can you track every computer, every hard drive after it is pulled from production? Do you know for a fact that every hard drive is wiped or destroyed? If you cannot answer yes to both questions, you owe it to yourself to work with a vendor that can fill this gap.

A hat tip to ExportLawBlog for their analysis of the incident.

Related posts:

1. Data Destruction: Is One Pass Overwriting Enough? There is some controversy regarding data destruction in the IT...
2. Stimulus Bill significantly modifies HIPAA regulations Buried within the huge American Recovery and Reinvestment Act (a.k.a,...
3. Hacking the Dot-Matrix Printer It sounds like something out of a bad spy movie,...

If not removed, all those pictures from Cancun… all the music you’ve downloaded… and yes, all those text messages to your mother can be retrieved! So next time you upgrade to the latest and greatest smart phone, make sure you dust off the manual for the old one and take the time to run through the steps to perform a complete reset of the unit.

On the other hand, you could also take it to a company, such as EPC, who will completely shred the unit to help protect any overlooked data within.

No related posts.

• Internet Explorer 8 Released. Improvements include: Smart Address Bar, Tab Groups, and Find in Page is now a task bar (finally).
• Microsoft Support Flooded with Complaints after IE 8 released. Top issues reported include: website printing, image positioning, slow boot times, and a bug dragging images into Facebook.
• Microsoft Released new security assesment tool. The new tool, dubbed !exploitable Crash Analyzer, is considered a “game changer” by Dan Kaminsky, a well-known security researcher.
• Insiders hacked Russian ATMs? Diebold released a software patch to Opteva line after it was discovered that several machines were infected by a card skimming trojan.
• Diebold admits flaw in voting machines that causes vote tallies to be lost. Admission called a “disturbing revelation” by security auditor.

Related posts:

1. Another Internet Explorer Vulnerability (…sigh) Well, here we are again. A few weeks after Microsoft...
2. Tech News: Seesmic Desktop Edition Seesmic Desktop Beta available: Thanks to the great video podcast,...
3. Microsoft asks users to abandon IE6, kinda Much has been written about the recent hack targeting Google,...

Previously, Business Associates were required to comply only with a written business associate agreement. Now Business Associates are subject to many of the same requirements hospitals and medical providers are. They will be required to appoint a security official, develop written policies and procedures pertaining to data leakage, and training its workforce in electronic data protection.

In addition, breach notification requirements were increased. If a breach occurs, the specific business entity that has the breach will be required to notify every individual affected by the security breach. If current contact information is not available, the entity may be required to post notification on their website or in some other broadcast medium (television, newspapers). The bill also provides for the creation of a website by the Health and Human Services department to list information about these breaches.

Source: Stimulus Bill dramatically modifies HIPAA rules

Related posts:

1. Links of the Week: Data Security Edition There were some great articles on CIO.com this week relating...
2. Buy a used hard drive on eBay, get government secrets for free! Imagine it, you purchased a computer on eBay, plug it...
3. 10 Tips for Protecting Business Data How do you protect confidential business data? Here are 10...

Studies have shown that most of today’s media can be effectively cleared by one overwrite.

Popular TV shows like Numb3rs show scientists able to recover data from drives even after they have been wiped. There are probably as many standards to wipe data from hard drives as there are companies providing solutions. When is it enough? EPC as a company has standardized on the 3 pass DoD wipe as it is well recognized in the IT industry and it is a relatively fast process.

Back in January, SANS Forensics blog published an article entitled “Overwriting Hard Drive Data”. SANS paper is noteworthy because it concludes that a single pass of zeros is enough to make the drive forensically unrecoverable:

Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible..

What does this mean?

Basically the SANS study said that unless you could guarantee where on the drive a particular set of data was stored, it was virtually impossible to rebuild that data from a wiped drive. Even if you could recover an individual bit, you would not have enough information to make usable data.

This study, filled with probability charts and bayesian confidence scores, probably won’t change your mind if you are really paranoid. However for those people, I recommend a certified drive shredding program like EPC’s DDRV.

Related posts:

1. 5 Questions to ask your Data Destruction Company When you replace your computers, what happens to the data...
2. Buy a used hard drive on eBay, get government secrets for free! Imagine it, you purchased a computer on eBay, plug it...
3. Stimulus Bill significantly modifies HIPAA regulations Buried within the huge American Recovery and Reinvestment Act (a.k.a,...