Security Corner:

Security management

May 29 2009   1:59AM GMT

ID Analytics Service Validates Identity Exposure Index



Posted by: Ken Harthun
Security, Cybercrime, Security management, Identity Theft, Identity Exposure Index

A new, free service offered by ID Analytics, www.myidscore.com, validates the Identity Exposure Index concept I proposed last month (What’s Your Identity Exposure Index?). While the iEi tests give you an index between 0 and 5, the MyIDScore.com results range from 0 to 1000. In both tests, the higher the score, the more at risk you are.

I compared iEi results for myself and my wife with those obtained from myidentityscore.com and was a bit surprised at the correlation: my iEi is exactly 4 times my wife’s; my My ID Score is 3.9 times my wife’s. I consider that a pretty strong case for my method. ID Analytics’ technology is patented, but they do reveal that they rely on real-time, cross-industry compilation of identity information, some other identity-specific analytics, and a database of reported identity frauds.

I don’t question the validity of their method and it’s certainly easier to go to their web site and enter a few pieces of basic information than it is to figure out your iEi, but it sure is interesting that my little “invention” appears to be just as valid.

You be the judge; do your own test and please let me know what you find.

May 6 2009   12:41AM GMT

Free Mini-courses from SANS



Posted by: Ken Harthun
Security, Hacking, Security management, Training and Certification

Without a doubt, SANS offers some of the best and most trusted computer security training and certifications. Today, I was thrilled to find that they’re currently offering four free mini-courses. I already completed the Windows Intrusion Discovery course and started on Cyber Forensics and let me tell you, there’s nothing “mini” about the content.

…(there are four: pen testing, forensics, vulnerability testing and Windows intrusion detection). They are very short, but you actually learn a lot in a short time. What is most interesting about them is how close the online teaching is to live classes. When the instructors are good enough, on-demand courses are just wonderful, perhaps better than traveling to attend a live class, because you can replay and review sections (TiVo-like) whenever you want. And you get real-time feedback on mastery with quizzes at the end of each section. They are at
http://www.sans.org/ondemand/spring09.php

If you don’t have a SANS portal login, you’ll need to create a free account to gain access to the courses and other material on the site.

Each course presents a five-question assessment test (you can take it more than once) and you get a certificate of completion.

By the way, if you register for any full length SANS OnDemand course before June 15th, 2009, you’ll save 25% off the cost of tuition—a significant discount.


Apr 30 2009   8:01PM GMT

What’s Your Identity Exposure Index?



Posted by: Ken Harthun
Security management, Identity Exposure Index, Identity Theft

Quick: On a scale of 0 to 5 (0 being nearly invisible, 5 being at risk), how much of your identity is exposed on the Internet? If you’re wondering, there are some tests you can try that will give you a good idea of your Identity Exposure Index (iEi). Here are the tests I performed and some calculations you can use. I chose these tests because they could give an identity thief enough information to impersonate you under the right circumstances. For example, knowing your mother’s maiden name and a former address might be enough to get past a security question or two. Heaven forbid your Social Security number shows up anywhere online!

Keep in mind that this isn’t absolute by any means; it’s more of a quick-and-dirty estimate. But what you find might surprise you.

Use any top search engine. I used Google. My test results are shown in parentheses.

1. Search your name in the form you commonly use; e.g., Ken Harthun, not Kenny, Ken G. or other variants. Count the number of accurate hits on the first page. (9)

2. Search your full legal name as it appears on your birth certificate. Count the number of accurate hits on the first page. (3)

3. Search your mother’s married name, with and without her middle name and middle initial. If her maiden name shows up anywhere on the first page, count 10; if not, count 1. (10)

4. Search the last six digits of your Social Security number, including the dash. If your name shows up anywhere on the first page, count 10; if not, count 1. (1)

5. Search your home phone number with area code. If your current address is shown, count 10; any former address, count 5; else, count 1. (5)

Now, add all the scores. Maximum score is 50. Divide by 10 to get your iEi. It’s your choice whether or not to round off.

As you can see, my score was 28, so my iEi is 2.8, which is above the median. For comparison purposes, I also did the tests using my wife’s information and her iEi is 0.7. That makes sense because she does almost nothing on the web, save for checking her one Yahoo! mail account.
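The five tests and the scoring rule above, encoded as an added example (not code from the original post). It reproduces the author’s 28 and 2.8, and assumes, since the post does not say, that a first results page holds at most 10 hits, which caps tests 1 and 2 at 10 points each and gives the stated maximum of 50. The Exposure values at the end are the author’s stated results plus a constructed breakdown that matches his wife’s reported 0.7.

```python
# Added example, not code from the original post: the five-test iEi rubric as
# described above. Assumption the post does not state: a search engine's first
# results page holds at most 10 hits, so tests 1 and 2 are capped at 10 points.
from dataclasses import dataclass
from enum import Enum

FIRST_PAGE_HITS = 10   # assumed first-page size, hence the per-test ceiling
MAX_SCORE = 50         # five tests at 10 points each, as the post states

class PhoneResult(Enum):
    """Test 5: what a search of the home phone number with area code shows."""
    CURRENT_ADDRESS = 10
    FORMER_ADDRESS = 5
    NOTHING = 1

@dataclass(frozen=True)
class Exposure:
    common_name_hits: int      # test 1: accurate hits on the first page
    legal_name_hits: int       # test 2: accurate hits on the first page
    maiden_name_found: bool    # test 3: mother's maiden name on the first page
    ssn_linked_to_name: bool   # test 4: SSN fragment search shows your name
    phone: PhoneResult         # test 5

def _hit_points(hits: int) -> int:
    """Tests 1 and 2 score one point per hit, capped at the page size."""
    if hits < 0:
        raise ValueError("hit count cannot be negative")
    return min(hits, FIRST_PAGE_HITS)

def raw_score(e: Exposure) -> int:
    """Sum of the five tests. Note the floor is 3, not 0: tests 3, 4 and 5
    each award at least 1 point, so the lowest reachable iEi is 0.3."""
    total = (_hit_points(e.common_name_hits)
             + _hit_points(e.legal_name_hits)
             + (10 if e.maiden_name_found else 1)
             + (10 if e.ssn_linked_to_name else 1)
             + e.phone.value)
    assert 3 <= total <= MAX_SCORE
    return total

def iei(e: Exposure) -> float:
    """Identity Exposure Index: raw score divided by 10 (0.3 .. 5.0)."""
    return raw_score(e) / 10

def exposure_ratio(a: Exposure, b: Exposure) -> float:
    """How many times more exposed a is than b; the post compares 2.8 to 0.7."""
    return raw_score(a) / raw_score(b)

# The author's stated results (9, 3, 10, 1, 5) and a constructed breakdown that
# matches his wife's reported total of 0.7 (the post gives only her total).
KEN = Exposure(9, 3, True, False, PhoneResult.FORMER_ADDRESS)
WIFE = Exposure(2, 2, False, False, PhoneResult.NOTHING)
```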

I’m interested in some feedback on this for a future article and to further refine the tests.


Apr 29 2009   12:33AM GMT

10 Immutable Laws of Security Administration



Posted by: Ken Harthun
Security, Security management, Security policy, Security practice, Secure Computing

My last post on this subject discussed the 10 Immutable Laws of Security. This one takes the next step, with another Microsoft “archived” essay that is still relevant today. These are so self-evident that I’m not even going to burden you with my thoughts. Print this out and hang it where you can see it as a constant reminder. These are the 10 Immutable Laws of Security Administration:

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea


Apr 15 2009   8:13PM GMT

10 Immutable Laws of Security



Posted by: Ken Harthun
Security, Secure Computing, Security management, Security policy, Security practice

I search the web constantly for security-related news and content. One day last month, I came across a series of articles on TechNet buried in the archive. Microsoft prefaces the articles with this statement: “Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.” Well, I find the content interesting and relevant, certainly worthy of bringing to your attention. Here are the 10 Immutable Laws of Security according to Microsoft with my comments included:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

We tend to take the programs and utilities we run for granted. We trust them to work as advertised and not harm our systems or corrupt our data. What we often don’t consider is that our computer is being controlled by the programs it’s running and those in control of it are the programmers who wrote the software. This isn’t a problem with normal software since we tell it when to run, what data to manipulate, and when to quit; we are able to exercise a measure of control. We still “own” our computer. With malware, “To run or not to run, that is the question” and those are our only two options.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Physical security isn’t complicated. My Security Maxim #8 covers it admirably.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

That’s an understatement. Not only is it not your website anymore, but you’ve just become an unwitting accomplice in whatever havoc the bad guy wreaks. There is no reason in the world to allow anyone to upload programs to your website before you have the chance to vet them.

Law #5: Weak passwords trump strong security

I am reminded of a friend who was baffled when he discovered that his PC was part of a P2P network being used to transfer pirated music. He couldn’t understand why his firewall “quit working” suddenly (he had P2P blocked on his router). Long story short, his teenage son had guessed the router password and changed the configuration. Heed my advice and make your passwords unguessable.

Law #6: A computer is only as secure as the administrator is trustworthy

If you can’t trust the admin, you can’t trust the PC. The administrator can install anything he wants.

Law #7: Encrypted data is only as secure as the decryption key

Make sure that your decryption key is kept in a secure place, not on your computer. It’s best to memorize it, but if you can’t, store it on a memory card and put it in your wallet. Make two copies and keep one in some other physically secure place. The first place the bad guy is going to look is on the hard drive.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Out-of-date malware scanners of any kind won’t protect you against the inevitable new variants that come along.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

As it says in the article: “All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you.”

Law #10: Technology is not a panacea

No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.


Mar 31 2009   12:48AM GMT

What Will Conficker do on April First?



Posted by: Ken Harthun
Security, Security bulletin, Security management, Vulnerabilities, Worm, Conficker, Microsoft Windows

No one knows for sure, but we do know that *something* is going to happen on April Fools’ Day. Conficker is a new breed of malware; the people behind it are of exceptional intelligence. They aren’t a crew of script kiddies out to make a quick buck. Whatever Conficker is specifically designed to do, you can bet its actions will be directed toward: 1. Maximizing proliferation of its binaries (survival); 2. Avoiding detection; and, 3. Maximizing profit (or damage).

The worm has been pretty effective at #1, by some estimates having already infected several million PCs. It has done this through exploitation of a Windows vulnerability, MS08-067, which was patched back in October and about which I wrote Will They Ever Learn to Patch? in January. However, it’s possible that those computers in the most concentrated areas of infection (China, Russia, India, Brazil, and Argentina) are impossible to patch because they are running pirated copies of Microsoft Windows software, and Microsoft does not allow updates of any kind to its pirated software. Seems to me this is a self-defeating policy, but I’m just a sensible Geek, not a Microsoft executive.

As for #2, the latest variant has added new anti-detection features. According to Larry Seltzer writing in PCMag.com, “Avoiding detection is a major theme with Conficker.C. It’s not the first malware to try to defend itself in-memory against security software and diagnostic tools, but “C” does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center.”

We’ll find out Wednesday, April 1st, what–if anything–happens with #3. My bet is that it’ll be another Y2K-type event. Then again, who knows?


Mar 27 2009   5:32PM GMT

NoScript Blocks Latest Firefox Bug



Posted by: Ken Harthun
Security, Browsers, Secure Computing, Security management, Firefox, NoScript, Scripting, Exploits, Vulnerabilities

Got NoScript? If not, get it–the latest Firefox bug, an XML tag remote memory corruption vulnerability released on Wednesday, is mitigated by having the NoScript addon installed.

The bug can be exploited by a malicious website and can cause the browser to execute malware with no user intervention. All 3.0.x versions of Firefox running on Windows, Mac, and Linux operating systems are vulnerable. According to the Mozilla Wiki, the patched version, Firefox 3.0.8, “…is a high-priority firedrill security update to Firefox 3.0.x” and will be rolled out April 1.

The 3.0.8 release also fixes the Pwn2Own bug discovered at CanSecWest 2009, an issue that NoScript also mitigates.

I’ve said it before (see “Software for Secure Computing: Firefox & NoScript“); now’s a good time to say it again: install NoScript, and enjoy secure computing.

SecurityFocus bulletin: http://www.securityfocus.com/bid/34235/info.
The Register article: http://www.theregister.co.uk/2009/03/26/new_firefox_exploit/.
Mozilla Security Blog post: http://tinyurl.com/mozillasecurityblog


Mar 25 2009   1:49PM GMT

Worm Targets Home Networking Equipment



Posted by: Ken Harthun
Security, Firmware security, Security management, Routers, Vulnerabilities, Botnet

As reported yesterday in The Register, the “psyb0t” worm targets home routers and modems and may be the first piece of malware to do so. Researchers from DroneBL, a real-time tracker of abusable IPs, say that as of March 22, 100,000 hosts had been infected.

Whether or not your equipment is vulnerable depends on three things:

  • Your device is a mipsel (MIPS running in little-endian mode; this is what the worm is compiled for) device.
  • Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

“This technique is one to be extremely concerned about,” the researchers say, “because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information.”

If you believe your equipment is vulnerable or has been compromised, you should immediately take the following actions:

  1. Power cycle your router.
  2. Disable WAN-facing telnet, SSH or web-based configuration interfaces.
  3. Change the passwords to something unguessable (see this article).
  4. Upgrade to the latest firmware.


Mar 24 2009   6:47PM GMT

Pagefile.sys is a Security Risk



Posted by: Ken Harthun
Security, Secure Computing, Security management, Encryption, Memory

Since the early days of Windows (3.x and forward), the operating system has relied upon virtual memory in the form of files stored on the hard drive to compensate for a shortage of physical memory. When the machine’s physical memory begins filling up, pages of data are moved from physical memory to the virtual memory file. Until Windows NT, this file was called win386.swp; when NT came along, it was renamed to pagefile.sys. While the pagefile generally enhances performance, it’s a security risk.

For one thing, Windows’ default behavior leaves the pagefile intact when a user logs out, so there’s a good chance that the contents of any files the user opened while logged in can still be read from it.

Encryption doesn’t necessarily mean the data is safe, either. Sure, the file itself is encrypted, but in order to work with encrypted files, the system must first decrypt them and this unencrypted copy may be stored in the pagefile.

There’s a simple registry setting that will clear your pagefile when you shut down your computer. That this setting isn’t enabled by default only makes sense from a performance standpoint. It may take Windows slightly longer to shut down, but you’ll rest easier knowing your confidential data isn’t at risk.

Start regedit and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Set the DWORD value ClearPageFileAtShutdown to 1

Close regedit and reboot your computer to apply the change.


Mar 20 2009   1:35AM GMT

Another Little Known Tool to Securely Delete Files, Folders, and Volumes



Posted by: Ken Harthun
Cryptography, Data destruction, Data sanitization, Security, Encryption, Security management, Opinion, Secure drive wipe

Why, all of a sudden, is everyone concerned about secure file deletion? I hesitate to say it’s a sign of the poor economy, but perhaps people consider it even more important to protect their personal information when the idea of losing control of their assets, and their lives, through the incompetence of corporate “managers” and well-intentioned but clueless politicians is more abhorrent than losing control through the outright thievery of Internet gangs. It’s weird. I harped on people about securing their data all along and mostly, my advice fell on deaf ears. Now people are worried. And it’s not because they see more spam email phishing attempts, it’s because they feel they can’t trust anyone anymore, not their formerly respected captains of industry, and certainly not their elected officials.

But, I digress. This post is about security tools, not politics, so I’m now officially off of my soapbox.

I recently posted an article about SDelete, a tool that can be used to securely delete files and folders on a hard drive. There’s another little-known, useful tool that has been built into the OS since Windows 2000: cipher.exe. Microsoft provides the following in Knowledge Base article 315672:

How to Use the Cipher Security Tool to Overwrite Deleted Data

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:

  1. Quit all programs.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.

One more tool you can use to mollify your paranoid clients.