Last year I wrote about LoJack for Laptops, software that periodically checks in with a central server to help locate your laptop if it is stolen. One of the LoJack features that caught my attention is that, when installed on compatible computers, a BIOS agent is activated. The BIOS agent is supposed to reinstall LoJack if the thief removes it by, for example, reformatting the hard drive and reinstalling the operating system.
Around the time I wrote last year’s article, Vancouver-based Absolute Software sent me a copy to try out. I installed it on an HP Pavilion dv4 laptop, checked that it was working a few times, and promptly forgot about it. A few weeks ago, my laptop required a warranty repair, and prior to sending it in, I used DBAN to thoroughly wipe the hard drive. When I got it back, HP had reinstalled the original operating system. So I deleted both partitions and did a fresh install.
Over the weekend I remembered about LoJack and I was curious. I logged into their web site and was informed that my laptop had checked in earlier the same day! LoJack survived every bit on the hard drive being overwritten and two operating system installs. Had a thief stolen my laptop and reinstalled the operating system, it would be checking in every time it was connected to the Internet. And we’d be tracking it down right now.
By now most of us know that when we delete a file from our computer it isn’t really gone – the space is merely marked as being available for reuse. Unlike in the physical world, where we can easily shred or burn documents we wish to dispose of (and put the others out in the same trash bag as the kitchen waste and used kitty litter) it’s relatively hard to do the same on our PCs.
If our operating systems and applications were designed with privacy in mind, we could simply tell them that we don’t want to retain any browsing history, that our web cache and cookies should be deleted when we close our browser, that we aren’t interested in being presented with a list of our most recently used files, and that the last date/time a file was read isn’t necessary information. We could also tell them to overwrite disk space when they are done with it.
The technical reasons behind some of these issues were originally performance-related, but given the speed of computers these days, there is no good reason that our computers need to keep notes on what we’ve been using them for.
Of course when one brings up these issues, there are those who ask, “What do you have to hide?” Child pornography is an often-quoted example of why computer forensics is a good thing, and I certainly agree that child pornographers should receive an express ticket to jail (or worse). But I’m not willing to give up fundamental privacy rights and live in digital glass houses in order to make it easier to catch criminals.
I’ve written before about hard drive encryption, and full drive encryption remains the best way to safeguard your privacy. The enhanced BitLocker functionality in Windows 7, combined with the TPM chip in many new computers, is a move in the right direction. The open source TrueCrypt project is great, but they need to adapt quickly to the new realities of Windows 7.
Self-encrypting hard drives appear to be a promising technology, but while vendors brag about them, they aren’t readily available and technical information remains marginal at best. If — as a security professional and writer — I can’t get my hands on one to test, I have to conclude that they’re not a viable option at this time.
Then there are software products that perform tasks such as wiping free space and deleting unwanted browser histories. From a functional security perspective, products like Evidence Eliminator can perform a nice clean-up of your computer, deleting temporary files, browser artefacts, and wiping unused hard drive space to eliminate ‘deleted’ data. But “Evidence Eliminator” is a really bad idea.
From a security perspective, this product (and, to be fair, many others in the same category) often creates a bigger problem than it solves: While they do a good job of removing unwanted data, they also do a fantastic job of creating evidence that you ran “Evidence Eliminator”. It is quite amusing to read of people attempting to explain in court that they didn’t delete data pertaining to the matter before the court when they ran “Evidence Eliminator”. By definition, if you’re eliminating evidence, you look guilty.
Ironically, by calling the product “Evidence Eliminator”, the vendor has made performing clean-up tasks that may be quite reasonable in many circumstances look like a criminal act.
Imagine you’re at work and someone you know emails you a URL. You download a file you expect contains something humorous and end up with porn on your work computer. Sure, we can discuss why you shouldn’t have downloaded it in the first place, but there are countless scenarios that could result in you having some type of data on your drive that you don’t want.
In the physical world, you could toss it in the shredder bin, take it home and put it in the fireplace, or otherwise dispose of it. We should have the same ability with data. But it’s just real deletion that we want, not evidence elimination.
On the off chance that enterprising developers are reading, there are two products missing from the market – or at least I can’t find them!
The first is a clean-up product that runs entirely from a USB stick and does not require installation on the PC. Running it would clean up the hard drive, overwrite browser artefacts, temporary files, wipe free hard drive space, etc. In fact, it would do most of the things that Evidence Eliminator does – except the purpose would be to clean up the computer and protect privacy – not destroy evidence.
The second is an installable package that monitors system use and cleans up after the user automatically. In short, it would protect privacy by doing what the operating system and applications should offer to do themselves: really deleting data.
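The two primitives either product would be built on are overwriting a file’s blocks before unlinking it, and filling free space so that blocks freed by ordinary deletes get reused. Here is an added example of both (my own illustration for this post, not code from any of the products mentioned). It is deliberately conservative: journaling and copy-on-write filesystems, snapshots, and wear-levelling flash can keep older copies that an application-level overwrite cannot reach, so full drive encryption remains the real answer.

```python
"""Overwrite-then-unlink, and free-space filling, as a user-level approximation of real deletion."""
import errno
import os
import tempfile


def secure_delete(path, passes=3, chunk=1 << 20):
    """Overwrite the file's current extent with random bytes `passes` times, then unlink it.

    Returns the total number of bytes written. Caveat: this only reaches the blocks the
    file currently occupies; journals, snapshots, earlier copies and flash wear-levelling
    are outside its reach.
    """
    size = os.path.getsize(path)
    written = 0
    # buffering=0 gives a raw FileIO so write() reports bytes actually handed to the OS.
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = f.write(os.urandom(min(chunk, remaining)))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force each pass to the device before the next
    os.remove(path)
    return written


def wipe_free_space(directory, max_bytes=None, chunk=1 << 20):
    """Fill free space on `directory`'s filesystem with random data, then delete the filler.

    Writes until the filesystem reports ENOSPC (or `max_bytes`, if given) so that blocks
    holding previously deleted data are reused and overwritten. Returns bytes written.
    """
    written = 0
    fd, filler = tempfile.mkstemp(prefix=".wipe-", dir=directory)
    try:
        with os.fdopen(fd, "wb", buffering=0) as f:
            while max_bytes is None or written < max_bytes:
                want = chunk if max_bytes is None else min(chunk, max_bytes - written)
                try:
                    written += f.write(os.urandom(want))
                except OSError as e:
                    if e.errno == errno.ENOSPC:  # disk full: every free block is now ours
                        break
                    raise
            f.flush()
            os.fsync(f.fileno())
    finally:
        os.remove(filler)
    return written


def demo():
    """Run both primitives in a scratch directory; returns (overwritten, wiped, still_exists)."""
    scratch = tempfile.mkdtemp()
    victim = os.path.join(scratch, "secret.txt")
    with open(victim, "wb") as f:
        f.write(b"x" * 5000)  # constructed sample content
    overwritten = secure_delete(victim, passes=2)
    wiped = wipe_free_space(scratch, max_bytes=300000)  # capped so the demo never fills a disk
    still_exists = os.path.exists(victim)
    os.rmdir(scratch)
    return overwritten, wiped, still_exists


if __name__ == "__main__":
    print(demo())
```

Run without `max_bytes` only on a filesystem you are prepared to fill to the brim for a few minutes; the filler is removed on completion or on any error.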
Thoughts? Questions? Ideas?
Let’s hear ‘em!
McAfee recently released a comprehensive report on the array of threats facing banks and their customers. It includes topics such as card skimming, money laundering, the Nigerian 419 fraud, auctions, and online banking. The report also provides a good overview of current countermeasures.
Highly recommended reading!
The full report is available for download here.
As a security professional, I spend a lot of my time contemplating how to manage security risk in the corporate and government space. But there is another challenge that greatly interests me: Protecting the average user.
Unless you have an IT guy or gal in the family, it can be hard to get the right information. And there are definitely challenges. For example, check out Justin Foster’s blog post on Keeping Granny Safe.
One of the great tidbits in it is the link to Secunia’s free vulnerability scanners for home users. They offer both a web-based and a downloadable package. I installed the latter on my notebook and it quickly identified a few products on my computer that needed updating.
The Internet has been around so long that domain registrations have become a commodity. The competition is fierce, and margins are small. Registrars compete for your business not only on price, but also on added features like bundled hosting and DNS service. And among the sales tactics is the offer of free domain registrations.
The reality, of course, is that there is no such thing as a free domain registration. Somebody pays for it. And while there is nothing wrong with giving a customer a “free” domain when they purchase other services, as one of my colleagues recently found out, ethics among hosting services greatly vary.
My colleague purchased a hosting plan for $5.95 per month with HostPapa.ca that included a free domain. According to the terms of service posted on their web site, there shouldn’t have been a problem:
“You have all rights to transfer, sell, or modify your domain name to another person or individual. If you decide to sell or transfer your domain name and HostPapa is the domain name registrar, please request our “domain name transfer instructions” by sending an email to email@example.com. We will send you the specific details and information about transfer of ownership.”
But, when my colleague decided to transfer his domain to another registrar, he found out that it wasn’t that straightforward. HostPapa had registered the domain in their own name. In email, he was told,
“The $100.17 you paid upon sign up with HostPapa was for a hosting account. We included a FREE domain as a thank you for creating an account with us. This domain is only free as long as you are a HostPapa customer, hosting the domain on our servers.
If the domain was not free, you would have been charged $126.37 for hosting and a domain purchase. Now that you wish to cancel your services and take your domain away, the invoice I have created for your domain in the amount of $26.20 covers the cost of HostPapa registering this domain on your behalf when you signed up with us.
This is standard for anyone cancelling their account and wishing to retain their domain.”
During his email discussion with them, at one point a representative of HostPapa wrote chillingly, “Legally, the domain name is ours.”
We contacted HostPapa and inquired, and they explained,
“Yes, you can transfer your domain name to another host at a later date, however, there will be a fee of $24.95 + GST for Canadian clients to release the domain, since it’s only free as long as you are hosted by us.”
Your domain name is key to your Internet presence, and losing it can have a significant impact. Assuming you maintain a backup of your web site, you can easily move to another hosting company if you control your domain.
So what can you do to protect yourself?
First, keep in mind that virtually anyone can become a ‘registrar’ through a simple reseller agreement. The fact that a company can register a domain for you doesn’t provide any indication of business ethics. Search the web, read their agreements carefully, and do your best to check out their reputation. Be cautious if transferring your domain requires emailing or telephoning support or if the description of the process is vague.
Second, check your domains to ensure that they are registered in your (or your company’s) name, not a provider’s. If you don’t already have a favourite “whois” tool or web site, try allwhois.com. If the domain is not in your name, contact the registrar immediately and ask that it be corrected. If they refuse, indicate that you wish to transfer your domain to another registrar. But keep in mind that as far as the domain registration world is concerned, the owner is the entity listed in the whois database.
Third, consider using a separate registrar from your hosting provider. If you’re more technically inclined and have a number of domains, you might consider opening your own reseller account with a large registrar like Tucows and becoming your own registrar. It also might make sense for you to use a third-party DNS provider like dnsmadeeasy.com. Ideally you want control of your domain information including the contact names, addresses, and DNS servers. Your registrar should allow you to update at least your DNS information through a web-based interface.
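The second check above is easy to automate. The following is an added example (mine, not from any registrar or whois tool mentioned): it parses the “Field: value” text that whois servers return, confirms the registrant is who you expect, and warns when the expiry is near. The sample whois record is constructed, the domain and reseller names are invented, and `whois.cira.ca` is assumed to be the right server for a .ca lookup; substitute the server for your TLD.

```python
"""Audit a WHOIS record: is the domain really registered to you, and when does it expire?"""
import re
import socket
from datetime import date, datetime

# Constructed sample WHOIS output (not a real lookup). Field names vary by registry.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SMALLBIZ.CA
Registrar: Some Reseller Inc.
Registrant Name: Some Reseller Inc.
Registrant Organization: Some Reseller Inc.
Admin Email: admin@some-reseller.example
Name Server: NS1.SOME-RESELLER.EXAMPLE
Name Server: NS2.SOME-RESELLER.EXAMPLE
Expiry Date: 2010-06-22
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][\w /.-]*?)\s*:\s*(.+?)\s*$")


def parse_whois(text):
    """Return {lower-cased field name: [values]} from 'Field: value' lines."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def registrant_matches(fields, expected_owner):
    """True if any registrant name/organization field mentions expected_owner."""
    want = expected_owner.lower()
    for key in ("registrant name", "registrant organization", "registrant"):
        if any(want in v.lower() for v in fields.get(key, [])):
            return True
    return False


def audit_domain(text, expected_owner, today=None, warn_days=30):
    """List of problems found in a WHOIS record; empty means it looks fine.

    `today` is an ISO date string (for reproducible tests) or None for the real date.
    """
    today = datetime.strptime(today, "%Y-%m-%d").date() if today else date.today()
    fields = parse_whois(text)
    problems = []
    if not registrant_matches(fields, expected_owner):
        found = fields.get("registrant name", []) + fields.get("registrant organization", [])
        problems.append("registrant is %s, not %r" % (found or "missing", expected_owner))
    if not fields.get("name server"):
        problems.append("no name servers listed")
    for key, values in fields.items():
        if "expir" not in key:
            continue
        for v in values:
            try:
                exp = datetime.strptime(v[:10], "%Y-%m-%d").date()
            except ValueError:
                continue  # registry uses some other date format; skip
            if (exp - today).days < warn_days:
                problems.append("expires %s" % exp)
    return problems


def whois_lookup(domain, server="whois.cira.ca", port=43, timeout=10):
    """Raw WHOIS query over TCP port 43 (RFC 3912). Needs network access."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((domain + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    for problem in audit_domain(SAMPLE_WHOIS, "Jane Doe Consulting"):
        print("WARNING:", problem)
```

Against the sample record the audit reports that the registrant is the reseller rather than the expected owner, which is exactly the situation my colleague found himself in. Run it periodically from a scheduled job with `whois_lookup()` feeding `audit_domain()` and you will notice a change of registrant or a looming expiry long before it costs you the domain.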
Non-profits, co-ops, and other organizations that depend upon volunteers often have challenges when it comes to protecting corporate information assets against individuals who leave the organization.
For example, I’ve recently been dealing with a situation involving the use of Yahoo Groups. While it’s a great way to share information with a group of people, here’s what can happen:
- A volunteer sets up a group on behalf of the corporation, bearing the corporate name.
- The volunteer runs the group for a while but subsequently decides to leave the role.
- The volunteer refuses to turn over control of the group to a board member.
- When pressed on the issue, the volunteer claims that the group is inaccessible because it hasn’t been used for a while.
- When pressed further, the volunteer deletes the group including all content.
Unethical volunteers (and employees) can create disruptive scenarios. In this case, they have the potential to impact communication with group members and information can be quickly lost. While criminal and civil proceedings can be initiated after the fact, the disruption has already occurred.
In an ideal world, there would be services available that take these issues into account. For example, one could have multiple administrators and require two of them to approve sensitive transactions. But until services like that exist, your best defence is to recognize what can happen, and ensure that someone other than the group administrator has a copy of all documents and maintains a list of participants’ email addresses so that they can be contacted if an issue arises.
Have another suggestion? Please comment and let me know!
Sometimes in security, and life in general, it’s the seemingly small issues that cause problems. As the saying goes, “The devil is in the details.”
Take dates for example. If I were to suggest we meet for a 10:00 coffee on 07/10/09, when should you show up? Most of you would assume that 09 is 2009. Then you’d hope to infer from other information whether I meant July 10th or October 7th. Those who know I’m a night owl might wonder if I mean 10 p.m., while my old army buddies would assume that if I meant 10 at night I’d write 22:00.
About ten years ago, software developers and IT managers were in a hectic race against the clock. In many cases they just didn’t know what would happen when computers using two-digit dates rolled from 99 to 00. Or 100. And it appears that in the past 10 years we’ve learned very little about standardization.
Of course there are those who don’t bother with the year at all. The yogurt in my fridge reads JL13. At least I can figure out that they mean July 13, and I can hope that this container didn’t somehow get shoved to the bottom of the pile for a year. Or even worse, the dreaded “Best before 08/01.” Is it good for another month and a half, or should I carefully double bag it and put it in the trash without disturbing whatever new life form might dwell beneath the lid? It just doesn’t make sense to force product manufacturers to put a date on something if we can’t be positive what it means.
Fortunately there is a simple solution: Adopt the international standard, ISO 8601. Unlike many ISO standards, it isn’t all that complex. June 22, 2009 is 2009-06-22 or 20090622. 10:00 a.m. is 10:00:00, and 10:00 p.m. is 22:00:00. Provisions exist for omitting seconds, etc., if they aren’t required.
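To make the ambiguity concrete, here is an added example (my own, not part of any standard) that asks how many different calendar dates a string could denote under the formats people actually write, and shows that an ISO 8601 date has exactly one reading and sorts correctly even as plain text, which is why it belongs in log files and file names.

```python
"""How many dates can '07/10/09' be? One, if you write it the ISO 8601 way."""
from datetime import datetime

# Slashed-date conventions in common use: month/day/year, day/month/year, year/month/day,
# each with a two- or four-digit year.
AMBIGUOUS_FORMATS = ("%m/%d/%y", "%d/%m/%y", "%y/%m/%d", "%m/%d/%Y", "%d/%m/%Y", "%Y/%m/%d")

# ISO 8601 calendar dates: extended (2009-06-22) and basic (20090622) forms.
ISO_FORMATS = ("%Y-%m-%d", "%Y%m%d")


def interpretations(text, formats):
    """Every distinct calendar date `text` could denote under `formats`, sorted."""
    found = set()
    for fmt in formats:
        try:
            found.add(datetime.strptime(text, fmt).date())
        except ValueError:
            pass  # not a valid date under this convention
    return sorted(found)


def is_unambiguous(text, formats):
    """True when exactly one convention yields a valid date."""
    return len(interpretations(text, formats)) == 1


def sorts_chronologically(strings, fmt):
    """True if sorting the strings as text gives the same order as sorting them as dates.

    ISO 8601 (big-endian, zero-padded) has this property; slashed dates do not.
    """
    parsed = [datetime.strptime(s, fmt).date() for s in strings]
    by_date = [s for _, s in sorted(zip(parsed, strings))]
    return sorted(strings) == by_date


if __name__ == "__main__":
    for d in interpretations("07/10/09", AMBIGUOUS_FORMATS):
        print("07/10/09 could be", d)
    print("2009-06-22 unambiguous:", is_unambiguous("2009-06-22", ISO_FORMATS))
    print("ISO strings sort by date:", sorts_chronologically(["2008-12-31", "2009-01-02"], "%Y-%m-%d"))
    print("US strings sort by date:", sorts_chronologically(["12/31/08", "01/02/09"], "%m/%d/%y"))
```

The coffee invitation turns out to have three valid readings (July 10 2009, October 7 2009 and October 9 2007), while each ISO form has one. The sorting check is the practical payoff: a directory of ISO-named log files or backups lists itself in date order without any parsing at all.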
Isn’t today a good date to become part of the solution?
There’s a lot of information about the Payment Card Industry Data Security Standard (PCI DSS) on the Internet, but if you’re looking for a good overview, check out eNable’s Quick Guide to PCI Compliance video. Their fifteen minute presentation is both technically correct and presented in language that anyone can understand – a refreshing change from many security presentations.
If you accept credit cards, you’re required to comply with PCI DSS. There are ways to simplify PCI compliance requirements, especially for small businesses, but it all starts with understanding what those requirements are. If your business accepts credit cards, you owe it to yourself to watch this video.
One of the reasons that security programs aren’t always as effective as they should be is that organizations of all sizes often fail to ask the most important question: What is security?
Security is often categorized as physical security, personnel security and information security. Much of the reason is historical. Back before computers, corporate security people were concerned primarily with physical assets. The area of personnel security evolved with background checks and security clearances and then expanded into workplace violence prevention and ensuring the safety of employees at work and when they travel.
Then computers came along, and the complexity of these new systems gave birth to “computer security”. Over time the “computer” field became known as “information technology” and “computer security” became “information technology security”. Some time after that it finally dawned on people that the focus should be protecting information (as opposed to “information technology”) and since then the term “information security” has increased in popularity.
Within the information security field, the buzz phrase “Confidentiality, Integrity, and Availability” describes its goals: protecting information against unauthorized disclosure, ensuring that it is not inappropriately modified, and making sure that authorized users can actually use it. Every so often somebody (commonly a vendor representative trying to push their product) tries to expand this definition by adding a fourth or fifth, but in doing so they usually succeed only in proving that they don’t understand information security.
In some organizations different people or groups are responsible for different “types” of security. They often use different language, different processes and their failure to co-ordinate activities often increases security risks.
So what is this security thing anyway? Security is simply about protecting assets.
Physical security is about protecting company assets. But so is personnel security. While I’m certainly not suggesting that a company owns employees, they are assets. Their ability and willingness to work is of great value to the company – without them very little could get done. If a company fails to protect employees, and they are unable to work, that constitutes a loss. Failure to comply with laws and regulations regarding the protection of employees also impacts other assets including employee and public relations and monetary losses due to fines or civil damages. All political correctness aside, employees are valuable assets that require protection.
Finally, there’s “information security”. Today information is an asset. While computers and networks can be complex, and different skills are required to protect digital information, in the end it’s all really just about protecting assets.
During the last decade a lot of money has been spent trying to protect information systems. Firewalls, intrusion detection systems, two-factor authentication and other technical controls sometimes make good business sense when applied as part of a comprehensive security program. But what we’re not good at yet is the human firewall.
Scott Wright, an Ottawa-based security consultant and publisher of securityviews.com explained,
“Despite having spent 12 years working with constantly improving security technologies, I’ve seen an increasing trend toward generally greater risk and losses to businesses and home computer users. All signs point to the human factors as being the weakest link. It doesn’t matter how well you make the valve in a rubber tire to keep the air in, if the rubber is not consistently good quality, it can be easily punctured. So, I felt that it was important to start working on this problem in an innovative way that had a chance of making a difference in effecting cultural change across an entire organization.”
In addition to speaking and writing on security awareness, Wright also conducted some interesting research:
“The Honey Stick Project was originally devised as a way to gather data about how well people handled a simulated risk scenario – that of an infected USB Flash Drive. Because these devices can contain targeted threats or viruses that can evade common anti-virus programs, people should not plug unidentified USB drives they find in public locations into their computers at work or at home. In fact, it’s a good idea to only use your own device, and not share it with other people, to reduce the risk of infection.
The devices contain simple and safe HTML files with no active programs. I rely on people simply double-clicking on a file when the device is plugged into their computer to load the file. As long as they are connected to the Internet, and the user hasn’t taken any precautions to prevent the browser from starting, an event is logged at my web server. After deploying 50 devices in places like Ottawa, Toronto, Tremblant and Las Vegas, over 60% of them have been used, which indicates that the finder didn’t do anything to prevent their computer from becoming infected. This tells me that at least 60% of the people who find these devices make poor risk decisions that could result in their home or office computer becoming infected with a virus or botnet.”
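For readers who want to run a similar awareness exercise in their own organization, here is an added example of the two halves of such a project as I would build them: a static, script-free HTML page per drive that fetches one image carrying the drive’s ID, and a reader for the web server’s access log that counts which drives phoned home. This is my illustration, not Scott Wright’s actual files; the collector URL `honeystick.example`, the device IDs and the log lines are all constructed.

```python
"""Honey stick beacon page and access-log tally (illustrative reconstruction)."""
import re
from collections import Counter

BEACON_BASE = "https://honeystick.example/beacon"  # hypothetical collector URL


def beacon_html(device_id, base_url=BEACON_BASE):
    """Static HTML for one drive: a single 1x1 image whose URL carries the device ID.

    No script and no active content; the only side effect of opening it in a browser
    is one HTTP request to the collector.
    """
    return (
        "<html><body><p>Trip photos</p>"
        '<img src="%s?id=%s" width="1" height="1" alt="">'
        "</body></html>" % (base_url, device_id)
    )


# Constructed Apache-style access log lines (not a real capture). Two drives were
# opened once, one twice (or on two machines), and the favicon noise is ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2009:09:14:02 -0400] "GET /beacon?id=HS-017 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.7 - - [12/Jun/2009:09:14:03 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [13/Jun/2009:21:40:11 -0400] "GET /beacon?id=HS-032 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0) Firefox/3.0.11"
192.0.2.44 - - [15/Jun/2009:12:02:55 -0400] "GET /beacon?id=HS-017 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7) Safari/530.17"
192.0.2.9 - - [16/Jun/2009:08:00:01 -0400] "GET /beacon?id=HS-041 HTTP/1.1" 200 43 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""

# Constructed list of the IDs written to the drives that were dropped.
DEPLOYED = ["HS-017", "HS-032", "HS-041", "HS-058", "HS-063"]

BEACON_RE = re.compile(r'"GET /beacon\?id=([A-Za-z0-9-]+) HTTP/1\.[01]"')


def hits_by_device(log_text):
    """Counter of device ID -> number of beacon requests seen in the log."""
    return Counter(BEACON_RE.findall(log_text))


def usage_rate(deployed_ids, log_text):
    """Fraction of deployed drives that phoned home at least once.

    Only IDs we actually deployed count, so a stray or forged request cannot inflate it.
    """
    seen = set(hits_by_device(log_text)) & set(deployed_ids)
    return len(seen) / len(deployed_ids)


if __name__ == "__main__":
    print(beacon_html("HS-017"))
    print(hits_by_device(SAMPLE_LOG))
    print("usage rate: %.0f%%" % (100 * usage_rate(DEPLOYED, SAMPLE_LOG)))
```

On the constructed log three of five drives were opened, a 60% rate. Keep the IDs random rather than sequential so a finder cannot guess other drives’ IDs, keep the page free of script so the exercise itself cannot be mistaken for an attack, and clear the whole thing with your legal and HR people before dropping a single drive.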
Perhaps it’s time we put more emphasis on security awareness training?