A bank safe deposit box, securely stored in a vault behind several feet of concrete on five sides with a virtually impenetrable combination-and-time-lock-protected door on the sixth side, is about as safe a storage place as you can get for your cash, gold, jewels, important documents, and other valuables. You rarely hear of anyone losing valuables from a safe deposit box, but there’s an almost daily news story about sensitive data being lost or stolen. This makes for an interesting thought experiment.
While it’s not possible to provide the physical security of a bank vault on a laptop or other portable storage device, it is possible to protect the information itself with encryption so that only authorized persons can access it. Take the bank’s physical security out of the mix for a moment, making it possible for someone to walk right into the vault; they still can’t unlock your box without access to the bank’s key and your key. Similarly, encryption requires two keys: the encryption key and a passphrase; without both, the encrypted volume won’t open.
One could say, therefore, that an encrypted volume is a virtual safe deposit box for your valuable data.
In a recent Q & A episode of the Security Now! podcast with Steve Gibson and Leo Laporte, a reader was concerned that doing remote desktop support on infected PCs from his computer could make him vulnerable to infection. As I always do, I immediately began thinking about how I would answer the question (my wife thinks I’m nuts because I’m always talking to myself while I listen to the podcast). In my experience with remote support programs, I’ve never had a problem with malware, so never considered the issue. However, I have to agree that Steve’s answer amounts to the safest way to do remote desktop support on infected PCs. Here’s an (edited) excerpt from Security Now!Episode 146:
STEVE: …In a perfect world, [remote desktop support] would be completely safe because…
LEO: You’re not really running anything on your system. It’s a window into their system; right?
STEVE: Exactly. Essentially you’re seeing their video, and you are taking over their mouse and keyboard. So it’s purely a remote I/O sort of deal. But we know it’s not a perfect world… So if…there were a vulnerability in whatever remote communications software you were using, and malware knew about that, it would be…possible for the malware to detect that you had connected using VNC, GoToMyPC, Remote Desktop…and exploit a known problem in order to cause a buffer overrun at your end of the connection.
LEO: So anytime you’re having a conversation with another computer, there’s always that potential no matter what protocols you’re using.
STEVE: Yes. So what I would do if I were a person who was going to be sort of habitually connecting to probably infected remote machines…you’d want to do that in a VM [virtual machine] at your end.
I’ve often recommended using virtual machines for surfing the web. My post, “Two Ways to Operate Securely on the Web,” is a good example. Extend that security maxim to remote connections of all kinds and you’ll be even safer.
My May 29th post, “Phlashing Attack Can Damage Systems Beyond Repair,” generated some attention from Hewlett-Packard’s PR department. Depending on how you read it, my article could be interpreted to imply that their Integrated Lights Out (iLO) embedded remote management interface may be vulnerable to the PhlashDance attack. It wasn’t my intention to imply this and I am convinced that iLO is secure.
After having had a cordial conversation with Doug Hascall, Manager, iLO firmware, Industry Standard Servers, Hewlett-Packard, I agreed to post details about iLO’s security. Here is Doug’s email responding to my article:
I enjoyed our conversation yesterday regarding the security of iLO and the phlash attack referenced by my colleague Richard Smith. As I mentioned on the phone, we take the security of iLO and our HP servers very seriously. This note is to share some of the information we discussed regarding iLO’s flash security.
iLO firmware employs the following flash protections:
* iLO firmware images are digitally signed with a 1024-bit RSA public/private key.
* The digital signature is checked before allowing a firmware update process to continue.
* The digital signature is checked by the iLO boot block every time iLO comes out of reset.
* The iLO boot block can only be flashed by physically changing a switch setting inside the server.
* Flashing the iLO firmware remotely requires login authentication and authorization, including optional two-factor authentication.
* The iLO firmware image to be flashed is completely uploaded into RAM before reprogramming of the flash device.
All ProLiant iLO firmware releases, from the original version that shipped with the ProLiant DL360 G2 in March 2001, have employed these protections.
I conferred with Rich Smith via e-mail to explain the iLO security architecture and to investigate the possibility of iLO being vulnerable to a Phlashing attack. Rich’s assessment was that iLO firmware and its upgradeability appear to have been designed with security in mind and he does not believe that iLO would be susceptible to a phlash attack or the methods used in the phlashdance fuzzer.
Security is a vitally important topic. I appreciate the attention that the security community brings to this topic and the associated opportunity we have to improve our products.
Manager, iLO Firmware
Industry Standard Servers
This is security done right. Are you listening, Microsoft?
Please note: since this article was posted, WPA-TKIP has been found to be vulnerable. See my post of 2008.11.13 entitled “WPA-TKIP Vulnerable to Attack” for more information.
It’s far too easy to set up WiFi for your home or business; all you have to do is go to your local electronics superstore and pick up a wireless router, plug it in to your network, and connect to it. The default configuration of most consumer products–completely open with no security enabled–will allow you to connect without having to enter any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless network connections available. Most public WiFi hotstpots are also unsecured, open connections. If you just surf the web and send an occasional email, you might be OK (besides the fact that anyone in range can connect to and use your Internet connection), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:
1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure (and one CISSP, no less, is recommending it!) While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.
2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where your store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.
3. Don’t bother with MAC address filtering . I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network.
So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA-Personal and WPA-Enterprise. WPA-Personal relies on a pre-shared key (PSK), while WPA-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA implements 128-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.
And that, my dear reader, is Maxim #13 in the How to Secure Your Computer series of articles:
When it comes to securing a WiFi network, the only way is WPA.
You’ve seen them: PCs with serious malware infections that seem to defy any and all attempts to clean them up. You persevere and eventually get rid of the files that regenerate upon deletion, clean up the autorun registry entries that keep the malware going, and kill all the malicious processes that keep showing up. You’re proud of yourself; you’ve conquered the beast, out-hacked the hackers. You’re the man: a real, live uber-geek! Pat yourself on the back–you earned it. Then, after you’ve finished congratulating yourself, reformat the hard drive and reinstall the operating system–you can never trust that machine again unless you do.
There’s no such thing as forgiveness in security; once a machine has been compromised, you can never be certain that it’s free of malware unless you completely wipe it out and start from scratch. Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware is designed to be tenacious and stealthy. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Rootkit technology is becoming so sophisticated that normal means of detection don’t work as this article in The Register explains.
It’s a matter of trust; it’s also a security maxim. So without further ado, I present How to Secure Your Computer, Maxim #12:
Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
I hope I’ve given you some valuable advice in this series of posts on how to secure your computer. If so, and if you’ve chosen to take my advice, you’re probably careful about what you do on the web. You certainly have strong passwords for all of your logins, all of them different, and you don’t go around telling people what they are or keeping them on sticky notes attached to the monitor at your workplace. But the web can be a dangerous place; make a mistake and you could be in trouble. There’s one common mistake that if you make it, you may as well paint your passwords in 10-foot tall letters on a lighted billboard next to a busy freeway and invite every hacker to drive by it.
I’m talking about entering your password — or any sensitive information — into any web page that’s not secure. All communication — including your username and password — between your browser and a web server is normally transmitted in clear text, easily read by anyone who cares to look. Your data is being sent in clear text if you enter anything onto a page that has the prefix http:// in its URL. That’s how you know the page isn’t secure. While not a totally reliable method of identifying a phishing site, it’s a pretty good bet that any financial site or one requesting personal information that displays http:// is suspect; steer clear and don’t enter your credentials.
How do you know a page is secure? It will use an encrypted connection, signified by the prefix https://. This page will use a technology known as Secure Sockets Layer (SSL). Any information you put into such a page is unreadable by anyone who might intercept it. Only your browser and the web server at the other end can decipher it. Some browsers even show a lock icon to let you know it’s secure. SSL relies on special security certificates issued by a trusted authority who has verified the identity of the website you are logging onto. So, I present you with Maxim #11 in the How to Secure Your Computer series:
Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
Microsoft has issued Security Advisory 953818 advising Safari users to “restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.” According to Microsoft:
“A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user. “
Oddly enough, there’s a quick fix for the problem. In the advisory, Microsoft clearly states: “Mitigating Factors: Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.” Just go to Edit > Preferences > General > Save downloaded files to [your chosen new location].
That was easy.
A friend of mine came up to me the other day and said, “I love your computer security maxims, but there’s one thing I don’t have anything to worry about–I keep all of my passwords stored on an encrypted thumb drive.”
“Well, that’s a good thing,” I said. “Where do you keep your backups?”
“On my external USB drive.”
“That’s encrypted, right?”
He blinked and looked away. “No.”
Doh! If a cracker is able to access his PC and that drive is connected and turned on, my friend could be toast. If someone breaks into his house and steals the drive, my friend could be toast. Depending on what is actually stored on the hard drive, full backups can contain lots of personal information–information that is much more valuable than mere passwords. Think about it: if you have the user’s name, address, SSN, pet photos, you-name-it, you’re in Fat City; you can easily assume the identity and recover usernames and passwords.
Few people encrypt their data, much less their backups. They should, but they don’t. Some backup programs allow you to make encrypted backups. If this option is available take advantage of it. The most secure plan would be to both encrypt your data and encrypt the backup for a double layer of protection. Then, take the backup media offline and store it in a secure place. And that is Maxim #10:
When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
It has long been an “everybody knows” that viruses and other malware cannot physically damage hardware. We’ve all seen those alarming emails that say, “…the virus destroys Sector Zero, thus permanently destroying the hard disk,” a statement we know is rubbish; at worst, the disk is rendered incapable of booting an OS, but the drive is still operable and the data recoverable. Seems that now, however, an HP researcher has found a way to exploit security vulnerabilities to create a permanent DOS (PDOS) attack by thrashing embedded hardware. From The Register:
The cyber-assault thrashes systems by abusing firmware update mechanisms. If successful, the so-called phlashing attack would force victims to replace systems.
The attack was demonstrated by Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, at the EUSecWest security conference in London on Wednesday [21 May 2008]. Smith told Dark Reading that such a “permanent denial of service” attack could be carried out remotely over the internet.
The attack would be carried out by exploiting flaws in remote management interfaces to gain access to the system and then flashing or fuzzing the firmware binaries to render the hardware useless. One such remote management interface is HP’s Integrated Lights Out (ILO) which is embedded in their ProLiant servers; however, Doug Hascall, an HP manager in charge of ILO firmware, believes the security architecture of the interface makes it invulnerable to the attack.
Security watchers, myself included, don’t see crackers destroying systems since there would be no money in it; rather, this attack could make it possible for them to plant malware inside of the firmware: a far more insidious threat. Moreover, a country’s enemies could use the technique as an effective cyberwarfare weapon either to take out critical infrastructure or to implant spyware to gather military intelligence.
Some spammers, phishers, and other Internet criminals have resorted to (mis)using the convenient service of tinyurl.com in order to disguise their web site addresses and entice you into clicking. Tinyurl.com takes those weird, long URLs and converts them into something smaller and more manageable. So, instead of a URL that might look like this, http://3468664375@3468664375/o%62s%63ur%65%2e%66t%6D (not a real address), you see one that looks like this: http://tinyurl.com/d99g5. That’s a bit less intimidating and you may be tempted to click on it. Don’t; you’ll be sorry.
Never, ever click on a link in an email unless you know and trust the sender. Never, ever click on a link in a website, blog post, online article, or what-have-you, unless you know the content is safe.