Data leakage? What’s that, you ask? Well, it’s a growing security issue which has at its root, the explosive proliferation of mobile and portable devices and the exponential growth of social networking tools, instant messaging, and external storage devices. Simply defined, data leakage is “the intentional or accidental exposure of sensitive information ranging from personally-identifiable information to protected intellectual property and trade secrets” (Source: Data Leakage for Dummies, Sophos Special Edition by Lawrence C. Miller, CISSP). You can download your own copy here which, if you are involved in enterprise security like I am, I highly suggest you do.
The book outlines six ways to reduce data leakage risks, but I consider only five to be relevant and my order of importance is somewhat different. That probably doesn’t matter in the overall scheme of things as longs as all the bases are covered. Here is my top five in order of most important to least important:
- Device control – policy should be in place to control who is issued mobile devices such as laptops and smart phones based on roles and responsibilities. Policy should also include how staff, contractors, etc. may use removable storage devices such as external hard drives, USB thumb drives, CD/DVDs, cloud storage etc.
- Encryption – laptops should be issued only with full-disk or file-level encryption. Employees who use USB thumb drives to occasionally move data around, or take it home to work on (yes, I know this isn’t best practice, but people do it anyway) should be instructed in the use of security that is normally provided on today’s leading USB storage devices.
- Anti-Virus – it goes without saying that ALL endpoints must have complete anti-virus/anti-malware protection to prevent hackers for accessing sensitive data through trojans and malicious links. Security policies should be implemented in Group Policy and automatically applied to any device connected the network.
- Network access – strict policy should be in place to dictate who is granted access to the network and what level of access they are granted. Traffic in the network should be segmented so it can be monitored and any potentially insecure segments should be locked down tight.
- Application control – User-installed applications increase the risk of data leakage in your organization. Third-party IM, games, VoIP applications, and P2P software should be tightly controlled and if allowed should be thoroughly tested and vetted by the IT department before approval is issued.
These five areas form the basis of a comprehensive security policy to prevent data leakage in your organization. They also apply to your personal information.
Give them due consideration, won’t you?
This snippet from SANS NewsBites Vol. 13, No. 74, 16 September 2011:
Researchers have detected a rootkit that targets the BIOS, Master Boot Record (MBR), the kernel, and files of PCs. It has been at least four years since malware that focuses on BIOS has been found. Trojan.Mebromi adds malicious instructions to the BIOS that cause machines to becomere-infected when they are booted even after the master boot records has been cleared of infection. Mebromi is unlikely to become widespread as it affects just one type of BIOS. However, it raises the question of how to create a utility to clean BIOS and poses no risk of damage.
Regardless of whether or not this becomes widespread, it points up the reality that nothing in a PC is truly safe; indeed, routers switches and other networking equipment all contain IOS chips that can be flashed. In this case, it’s only one BIOS maker, Award. Here is an interesting flowchart put together by Symantec after they analyzed the trojan’s behavior:
It’s almost too simple. I think we’ll be seeing more of this type of thing in the future.
The National Institute of Standards and Technology (NIST) issued a draft of Special Publication 800-118 entitled “Guide to Enterprise Password Management” that I have been using to help our corporate IT folks formulate standard password policy. The guide is a comprehensive look at the subject and I highly recommend that anyone involved in establishing enterprise-level password policy give it a read.
If you have ever read any of the NIST security-related publications – or any other government publications – you know that their standards dictate a define-your-terms approach to everything. This got me to thinking that over the years, I have used much password-related terminology in my various posts, many of which I have never defined. The guide contains a listing of the terms used in the report along with their definitions. I found this enlightening and I think you will too.
Authentication: The process of establishing confidence in the validity of a claimant’s presented identifier, usually as a prerequisite for granting access to resources in an information system.
Brute Force Attack: A form of guessing attack in which the attacker uses all possible combinations of characters from a given character set and for passwords up to a given length.
Capturing: The act of an attacker acquiring a password from storage, transmission, or user knowledge and behavior.
Claimant: An entity that has presented an identity but has not been authenticated.
Cracking: The process of an attacker recovering cryptographic password hashes and using various analysis methods to attempt to identify a character string that will produce one of those hashes.
Dictionary Attack: A form of guessing attack in which the attacker attempts to guess a password using a list of possible passwords that is not exhaustive.
Guessing: The act of repeatedly attempting to authenticate using default passwords, dictionary words, and other possible passwords.
Hybrid Attack: A form of guessing attack in which the attacker uses a dictionary that contains possible passwords and then uses variations through brute force methods of the original passwords in the dictionary to create new potential passwords.
Identification: A claimant presenting an identifier that indicates a user identity for a system.
Keyspace: The total number of possible values that a key, such as a password, can have.
Keystroke Logger: A form of malware that monitors a keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker.
Passphrase: A relatively long password consisting of a series of words, such as a phrase or full sentence.
Password: A secret, typically a character string, that a claimant uses to authenticate its identity.
Password Expiration: The process of forcing a user to select a new password after a certain amount of time.
Password History: The retention of one or more previous passwords or password hashes for comparison against new passwords or password hashes.
Password Management: The process of defining, implementing, and maintaining password policies throughout an enterprise.
Password Management Software Utility: A local utility that allows a user to store usernames, passwords, and other small pieces of sensitive information, such as account numbers.
B-1 GUIDE TO ENTERPRISE PASSWORD MANAGEMENT (DRAFT) B-2
Password Recovery: The process of a user regaining access to a password that the user has forgotten.
Password Reset: The process of a user having a new password set for a user account.
Password Synchronization: A technology that takes a password from the user and changes the passwords on other resources to be the same as that password, so that the user can use the same password when authenticating to each resource.
Personal Identification Number (PIN): A password that is relatively short (usually 4 to 6 characters) and consists of only digits.
Rainbow Table: A lookup table that contains pre-computed password hashes, often used during cracking.
Reduced Sign-On: A technology that allows a user to authenticate once and then access many, but not all, of the resources that the user is authorized to use.
Salting: The inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash.
Single Sign-On: A technology that allows a user to authenticate once and then access all the resources that the user is authorized to use.
Stretching: The act of hashing each password and its salt thousands of times, which makes the creation of rainbow tables more time-consuming.
I use Last Pass and Steve Gibson’s Password Haystacks to create super-secure passwords. I also own and use a Yubikey for secure, two-factor authentication. I’m not overly-paranoid about my sensitive information–I just feel that I’m taking reasonable precautions that everyone should follow. However, there are those who don’t even trust trustworthy services like LastPass and want nothing to do with any of their passwords or encryption keys being stored on line. I guess I understand that, though I consider it a bit unreasonable.
There’s good news for the completely paranoid amongst us, however. Steve Gibson has created the only known system to provide secure encryption using nothing but a specially designed piece of paper: Enter “Off The Grid: A paper-based system for encrypting domain names into secure passwords.” While the system uses technology to set up the grid, nothing is stored and no other software is involved. There is always the concern that since modern encryption technology relies upon software running on various devices, there is a risk of security vulnerabilities that can lead to compromise of your system. The beauty of “Off the Grid” is best described by its inventor:
“Off The Grid” converts any website’s name into a secure password that you never need to write down, store, or remember because you can easily re-create the same secure password from the same website name the next time, and every time, you need it.
Websites are routinely compromised with their users’ logon identity (eMail address and password) stolen. So reusing the same password on separate websites creates a tremendous risk because bad guys could obtain your eMail address and password from one site, then logon as you somewhere else with your reused password.
The “Off The Grid” system securely and uniquely encrypts each website’s domain name into your personal password for that one site, so it automatically creates a different secure password for each website and reuse never occurs.
Is that beautiful, or what?
I tried it and it is very easy to use; however, it’s not completely ready for prime time yet, as Steve explains on this page:
. . . a KEY requirement for the practical use of this system is that you should be able to recreate and reprint, perhaps in different sizes, fonts, character spacing, etc., YOUR own unique grid, not only now, but at any time in the future. To enable that, the final version of this page — which will be forthcoming shortly — will provide you with a matching randomly generated cryptographic KEY that you will be advised to record and store securely. Then, at any time in the future, you will be able to reuse that unique KEY to recreate YOUR unique personal grid structure, while being able to freely change its shape, size, coloration, fonts, and so forth.
I am currently working to complete the remaining background web pages to fully document this “Off The Grid” system. Once they are complete, I will add the finishing technology touches to this grid generation and printing page.
In the meantime you can, of course, play with the technology. But since there is currently no way for you to recreate any of the grids that this page displays, you should not commit to any grid until the cryptographic keying technology has been added.
In the meantime, have fun with it!
How many of you have been through this?
“Why does my password expire so often?”
“I can’t change my password, why does it expire?”
“Why can’t I use ‘abc123′ as my password?”
“I can’t log in; did you change my password?”
“I changed my password, but it doesn’t work.”
“I used ‘fido1′ and it doesn’t work.”
I find myself in the midst of a major IT initiative and the powers that be are asking my what I recommend. I keep pointing them to my posts about the new password paradigm and others I have written over the years, but they keep asking me what I think.
Here’s what I think: Choose a memorable word or phrase, add a couple of characters to the front and back – also things you will remember – and leave it at that. Mix it up a bit. The hackers don’t know what you’re doing. My dog’s name is Missy. She was born in 2007. My password is “Missy07*(”
It’s not rocket science, people. Jeesh!
The key is the last two characters which is my personal password enhancement pattern.
If you have been reading this blog for any length of time (and I hope you have!), you know that I’m a big fan of ciphers. In my next post, I’m going to talk about Steve Gibson’s “Off the Grid” paper encryption system; that one is a stroke of genius. It’s based upon Latin Squares with a twist. It works. It takes an unique approach to randomness.
Well, I realized that there isn’t anything too much more random than the behavior of my pet Yorkie, Missy. It’s always a combination of play bone, growl, bark, lick my leg, lick my arm, hide the bone, bark because I can’t find the bone, fetch the bone, growl, bark, lick my wife’s leg (rarely), run to the door, pee on the floor, ad nauseum. Get the idea? Truly random. No perceivable pattern (right now, she’s throwing “poor pitiful poochie” into the mix since I’m ignoring her). Oh, and she just nipped me on the leg. Truly random, no?
So, I’ve created a Yorkie cipher that is completely unbreakable. Here’s the cipher:
1. Create a key based on Yorkie behavior: bark=b, growl=g, hide bone=h. you get the idea.
2. Write down the letter for what the Yorkie is doing at least for 20 repetitions, then take the last four characters. In my case it was bone, growl, lick, fetch: bglf.
3. Reverse: flgb.
4. Ask Yorkie what that means.
5. Give up because this is just a joke.
Did I have you going there? Sorry. It’s just time to lighten up.
When you know how it’s done, you can prevent it. Here’s a cool video on the latest DOS attack against Apache (which will soon be patched…)
[kml_flashembed movie="http://www.youtube.com/v/K13nutRdlvE" width="425" height="350" wmode="transparent" /]
Sophos is offering a free copy of “Data Leakage for Dummies.” The book promises to help you:
- Create strategies for data-risk management
- Prevent data loss from your computers and devices
- Protect your network from data leakage
I downloaded my copy and am looking forward to implementing the advice it offers.
Get your copy here.
For some time now, Facebook has offered two-factor authentication that allows you to force the entry of a code whenever there is a log-in attempt from an unrecognized device. This is a very good additional layer of protection against unauthorized log-ins to a user’s account. When you consider that most people use weak, easily guessable passwords (despite my advice and the advice of other experts), this additional factor can make a big difference.
Setup is simple: Go to Account > Security, edit Login Approvals and check the box. Facebook then gives you a wizard that walks you through setting up your mobile phone, starting with their sending of a confirmation code. Enter the code and you’re done!
How safe is your web browser? For a long time now, I and many other techies have been advocating a switch to to Firefox (or any of the other popular browsers) for anyone who is using Internet Explorer. The reason? Other browsers are more secure. We all know that’s not really true anymore, it’s just that the other browsers are attacked less frequently than IE. Internet Explorer is and always has been the low-hanging fruit for hackers.
For some time now, modern browsers have been coded to detect and block malicious websites. We have all seen the messages like the one shown below:
Have you ever wondered how well your browser stacks up with respect to blocking malware? The answer might surprise you. Msnbc.com’s Technolog reports that IE9 is the clear winner:
Tests by NSS Labs to “examine the ability of five different web browsers to protect users from socially-engineered malware” showed that IE9 was able to block this kind of threat 99 percent of the time, beating out Apple Safari 5, Google Chrome 12, Mozilla Firefox 4 and Opera 11.
(Msnbc.com is a joint venture of Microsoft and NBC Universal.)
The closest another Web browser got to that blocking-the-bad stuff rate was Chrome, at a very distant 13.2 percent. At the low end of the blockers was Opera, with a 6.1 percent rate.
Makes you think twice, doesn’t it? Those tests are meaningful, of course, but they don’t take into account that IE9’s market share is only 6.8 percent whereas IE8 controls the market with 29.23 percent, so the overall effect at this time is not significant. However, perhaps this will spur the others on to increasing the effectiveness of their own technologies.