There’s no question that data security is senior to physical security. The real value in a stolen laptop or PC isn’t in the hardware, it’s in the data. Sure, some druggie might steal your laptop and sell it for a fix, but the real danger lies in the thief who knows the value of the files that are stored on it. If it’s a personal laptop, the passwords to your online banking site, credit card numbers, Social Security number–probably everything about your identity–may be stored on it. If it’s a corporate laptop, depending on who you work for, there could be valuable customer information complete with credit card numbers or other proprietary information that a thief or corporate spy could capitalize on.
But physical security is only slightly less important. Don’t get complacent thinking that you’re OK just because your data is secure. It’s an expensive proposition to replace that data, so you must take steps to prevent theft of your hardware.
Encrypting your data is analogous to hiding it. So hide your laptop. Chain down your PC. Make it as difficult as possible for a thief to steal it. I keep my PC in a locked room when I’m not nearby and I maintain the attitude that someone’s waiting around the next corner to steal my laptop. So, it’s always either in a secure area or with me–and I mean within a couple of feet of me. I rarely leave it in my car and if for some reason I must, I lock it up in the trunk. I never leave it overnight in the office. Out of sight, out of mind. There are other physical precautions you can take as this Security Focus article outlines.
And let’s not forget about removable and external storage devices; hide them, too. I’ll cover that in a future article. For now, I leave you with Maxim #8:
Physical security is almost as important as data security. Make it as difficult as possible through any physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
Although I use them for sites that don’t require much security, password managers are something I generally stay away from. Why? Because they store the information on my hard drive or a website, both of which could be compromised by a determined hacker. Even a relatively unsophisticated hacker could exploit an unpatched vulnerability leaving my passwords open to inspection. My personal security policy is to make it as hard as possible for someone to get to my passwords.
I write them down and keep them in my wallet.
Yes, that is the most secure “password manager” there is. No one can get to your wallet from the Internet or your PC. Passwords written on a piece of paper and stored in your wallet are nearly impossible to compromise–someone would have to steal your wallet (or you’d have to lose it) to get at them. How likely is that? I’m 55 years old and have never lost my wallet or had one stolen. Just be sure not to write down your username with the passwords.
We frequently hear news of a laptop holding sensitive information having been stolen. Bad in itself, but the reports often note that the information was unencrypted. Doubly bad. The news rarely focuses on personal laptop thefts, however because there’s no news value in reporting the loss of Joe Citizen’s personal files; nothing of value there, they think. But Joe’s entire life savings may soon be wiped out if he has ever used that laptop for online banking or other financial transactions.
Recently, a friend of mine (who shall remain nameless for security reasons) had his laptop stolen out of his car. Fortunately, he had just purchased it and there was nothing of value on it, but there could have been–he’s an oil company executive. Modern thieves know that if they can get their hands on a computer holding sensitive information — particularly bank or credit card information — they can sell that computer for tens or hundreds of times the value of the hardware. The hardware is virtually worthless to them. From the thief’s point of view, any laptop sitting on the seat or floor of a decent car or a desktop PC in a middle class home office could belong to someone who has access to valuable information.
But, if the data is encrypted, the thief is out of luck.
I’ll cover physical security later. For now, I present Maxim #7:
If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the folders or drives where the information is stored and use an unguessable passphrase as the encryption key.
How well does your personal firewall protect you? GRC’s Leak Test, PCFlank, and Bob Sundling’s TooLeaky all provide a quick way to check your personal firewall to see if it effectively blocks outbound connections. But if you really want to know how well your firewall protects you against a whole host of known attacks, check out Matousec’s Firewall Challenge website. Here are the top five based on Matousec’s extensive testing:
- Comodo Firewall Pro 126.96.36.1999 (Free)
- Online Armor Personal Firewall 188.8.131.52 ($40, Free version available)
- ProSecurity 1.43 ($30 single PC home user, $40 household)
- Outpost Firewall Pro 2008 6.0.2302.264.0490 ($40/year for 3 home PCs)
- Kaspersky Internet Security 184.108.40.2065 ($80/year for 3 PCs)
The top two, Comodo and Online Armor, scored 100% on the tests. I’m using Comodo from now on.
Using a HOSTS file to block access to malicious or unwanted web sites is an old trick and it’s excellent protection against malware. I’ve been using the mvps.org hosts file for about five years, and I have never been infected with any malware, despite, for testing purposes, intentionally visiting sites known to host it. The thing just works. It’s a great way to add an additional layer of security to your machine. You’ll also notice that many of those annoying ads no longer display in your browser.
Today, I found a cool utility that will let you download, install, and update your HOSTS file directly from the mvps.org site: Hosts File Updater, a freeware program by FaltronSoft. This single 16K executable checks the mvps.org site for a new version of the HOSTS file. If it finds one, it asks you if you want to update. Give your permission and the program backs up your existing HOSTS file and downloads and installs the new one. It also automatically sets the file to read-only, a nice feature.
There’s nothing new about the DNS rebinding attack, but it’s in the news again. Dan Kaminsky, Director of Penetration Testing for IOActive has shown a video of the attack in action at the RSA 2008 Conference. I first addressed this problem more than a year ago in a Lockergnome posting, and just recently in this Security Corner article. Both of those articles say the same thing: Change the default password on routers, switches, and any other configurable device on your network.
There’s another thing you can do: Use OpenDNS; they block known phishing and malware-infested sites, thereby making your web surfing more secure. They also just released a nifty tool called FixMyLinksys that makes it easy for anyone to change the default password and enable OpenDNS. An article at DarkReading.com had this to say about OpenDNS:
…“This will stop all the automated attacks that Dan is showing at the RSA conference today. It’s easy and is done over the Web,” says David Ulevitch, CEO of OpenDNS.
OpenDNS also launched a new type of DNS filter today that protects users from a DNS response from a malicious server. “In short, a DNS response from a malicious server that resolves to a host inside your network would get blocked,” Ulevitch says.
I’ve been using OpenDNS for some time; I’m glad to see they’ve addressed this issue directly.
The Enigma cipher machine was a very cool electromechanical device for producing polyalphabetic ciphers that reached it’s heyday during World War II. The original surviving devices are all in museums or private collections, but you can make a paper version. This site: http://mckoss.com/Crypto/Enigma.htm will let you print one out and play with it.
We security wonks always seem to be put into a position of having to say “no.” That makes us unpopular with the I’m-not-hurting-anything crowd who insist on checking their webmail, IMing their friends, and running assorted and sundry downloaded and web-based applications (but only on their time, of course). Maybe they’re right on some level; many of those things are benign and don’t represent security threats. But there are also potentially dangerous applications such as peer-to-peer (P2P) file sharing that can expose your network to hackers via an open P2P connection (See P2P Leads to Major Leak at Citigroup Unit and Pfizer Falls Victim to P2P Hack). What’s one to do?
Start saying “Yes.” You read that right. Look at it from the user’s standpoint: A blanket prohibition against anything and everything usually foments rebellion on the part of some and they’ll do whatever they want to do with wild abandon. Your network is less secure as a result. But, if you develop policies that allow webmail, online shopping, and IM instead of blocking them at the gateway, while prohibiting the potentially dangerous stuff, you just might find the users starting to ask you if it’s OK to do certain things.
And they just might listen to you if you say “No.”
This has to be one of the most evergreen security topics to come along; no matter how much anyone writes about the dangers of clicking on links or opening attachments in unsolicited email, people continue to do it. SANS NewsBites, March 25, 2008, Vol. 10, Num. 24, begins with this statement:
The Excel story is number two in Top of the News this week because of the critical lesson it teaches: When you see your anti-virus package scanning a Word or Excel file, the odds are VERY high that it won’t find any of the important new vulnerabilities nation states and rich criminals are using to get past the most sophisticated defenses. Don’t open email attachments unless you were expecting them. [Emphasis added] Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization’s data are stolen and they won’t be able to hide.
(They’re referring to a months-old Excel vulnerability for which the exploit code has just been widely released. For more information on that, you can check out this ComputerWorld article.)
I remember, years ago, a client got a nasty malware infection that resulted in my finally resorting to a full wipe/reload of the OS and all her data. I had solved a couple of minor adware issues for her in the past and, as is my custom, gave her my standard admonition, “NEVER, EVER click on anything if you don’t know where it came from.”
“But I clicked on CANCEL!” she replied. She just couldn’t get her head wrapped around the idea that no means yes, yes means yes, cancel means yes, exit means yes, ANY click means yes.
I’m thankful that most of my clients now either call me or drop me an email if they see a message or pop-up they don’t understand, and malware-related emergencies are way down. But they’re not completely gone. Occasionally, I still get that one dull client who calls to say they clicked on something and now they’ve got popups all over their screen.
All I can say (think) is, “You clicked? Really? Are you nuts?”
Being a Ham Radio operator, I’ve always understood the risk inherent in using radio signals to transmit sensitive information: anyone with the right equipment can receive and record anything transmitted over the air. These days, I’m noticing a lot of people in various offices walking around with these cute wireless headsets hooked up to their office phones.
Ever wondered what kind of security risk these things might pose to your company? Yeah, me too. So, did the folks at Secure Network Technologies as evidenced by their article “Hacking Wireless Headsets” that appeared Jan. 22, 2008 at DarkReading.com, a site that provides in-depth security news and analysis. Here’s an excerpt:
To perform the work, we purchased a commercially available radio scanner. These devices are available at any local electronics retailer at prices ranging from $80 to several thousand dollars. We chose a scanner capable of monitoring frequencies from 900-928 Mhz and the 1.2 Ghz ranges, which is where many of the popular hands-free headsets operate.
We took a position across the street from the facility and started up the scanner. Within seconds of turning on the device we were able to listen to conversations that appeared to be coming from our client’s employees. Several of these conversations discussed the business in detail, as well as very sensitive topics. After some careful listening, we determined that the conversations were indeed coming from our customer.
See the nightmare coming? With the right information you can then use social engineering techniques to get your tentacles very deep into the company. And that’s exactly what they did:
Our plan was to assume an identity of an employee who had never been to the office we were testing. Using that identity, we would enter the building, commandeer a place to sit and work, then see how long we could stay inside the building. After zeroing in on a particular employee, we gathered as much intelligence on him as we could. To prepare for the entry into the facility, we printed a business card with our assumed identity. I put on my best suit, and then went to work.
In all, they spent three days “working” in the company, gaining access to all sorts of information, technology, and resources. Not only that, but they also discovered that the headsets acted as bugging devices; even when disconnected, the headsets continued to transmit. The impersonators were able to listen in on conversations carried on by the wearers.
Be afraid. Be very afraid Seriously, read the article and if your office uses these things, do your own tests to find out where you’re leaking. Then, plug the leaks.