Security Practice archives - Security Corner


Oct 15 2009   3:18AM GMT

Convert a USB Thumb Drive into a ROBAM



Posted by: Ken Harthun
Security, Secure Computing, ROBAM, Security policy, Security practice

What’s a ROBAM, you ask? Check out this post: Protecting Your Business from Online Banking Fraud. SANS says, “The number one recommended mitigation [to online banking fraud caused by infostealer infections] is to use a read-only bootable alternative media (ROBAM) as an isolated environment for financial transactions.”

You can use a USB thumb drive instead of a CD if you do the following:

1. Download your alternative Linux OS choice (I prefer Ubuntu or Knoppix) in .iso format
2. Download UNetbootin from http://unetbootin.sourceforge.net/
3. Create a bootable USB thumb drive using UNetbootin
4. Set the properties of the drive to “read only”

This should have the same effect as using a Linux live CD.

I haven’t tried this, so comments welcome.

Oct 15 2009   2:42AM GMT

How to Make a USB Thumb Drive Laptop Theft Alarm



Posted by: Ken Harthun
Theft alarm, physical security, USB thumb drive, Utilities, Security tools, Security practice

Picture this: Someone tries to steal your laptop off your desk and as soon as they pull the plug from the wall, your laptop emits a screaming siren that won’t quit until your password is entered to unlock the laptop and disable the alarm.

There’s another scenario: You take one of your old USB thumb drives (maybe the one you used to make an antivirus bootable scanner), attach a chain to it and secure it to your desk; if someone tries to move your laptop, unplugging the USB thumb drive in the process, the alarm goes off.

This is possible because of an interesting piece of software called “LAlarm.” It’s free for personal use and there’s a nominal fee for commercial use. Download LAlarm from this link: http://www.lalarm.com/en/index.htm.

I tested this software by installing it on my Dell laptop. It works. You simply install the software, configure the options you want and restart your laptop. To set the alarm, you just press Windows key + L to lock the workstation. If anyone pulls the plug or removes the thumb drive, the alarm sounds.

There’s much more to the software than just an alarm. You can set the software to destroy your data in selected folders in the event of a theft. You can also set zones based on IP addresses and cause an alarm to sound if the IP address changes.

The theft alarm is not affected by the system volume control setting–it’s screaming loud no matter how you have your volume set.

It’s a very cool tool.


Jul 16 2009   8:28PM GMT

Hacker HighSchool is a Great Idea!



Posted by: Ken Harthun
Hacking, education, security awareness, Security practice

Steve Gibson of Spinrite and Security Now! podcast fame talked about Hacker HighSchool in his most recent Security Now! episode 204. What a great idea! I checked out the site and here’s what I found:

The Hacker Highschool project is the development of license-free security and privacy awareness teaching materials and back-end support for teachers of elementary, junior high, and high school students.

Today’s kids and teens are in a world with major communication and productivity channels open to them and they don’t have the knowledge to defend themselves against the fraud, identity theft, privacy leaks and other attacks made against them just for using the Internet. This is the reason for Hacker Highschool.

In HHS, you will find lessons on utilizing Internet resources safely such as web privacy, chat protection, viruses and trojans (malware), and the over-all focus on how to recognize security problems on your computer. All lessons work with a free “live linux” CD which will boot off any PC with a CD-rom drive to perform the lessons. HHS is a great supplement to student course work or as part of after-school and club activities.

I checked out some of the lesson transcripts and I have to say that I plan to do them all myself. This is great stuff and while I’m no slacker at being a hacker, there’s a lot of great information to be had. Not only that, but I think it’ll be fun to pretend that I’m 16 in this day and age.

The first lesson (they’re in PDF format on the website) is aptly titled “Being A Hacker” and the first paragraph of the lesson starts out with this:

This lesson is about how to learn – a critical skill for a hacker. Hacking, in reality, is a creative process that is based more on lifestyle than lesson. We can’t teach you everything that you need to know, but we can help you recognize what you need to learn. This is also true due to the constant advances in the computer sciences.

They go on to say that hacking is a life skill that can be applied to other fields, too.

I suggest you check it out for yourself and if you have teenagers still at home, get them going on these things ASAP.


Jul 10 2009   8:30PM GMT

“I guess I forgot to lock the door.”



Posted by: Ken Harthun
Security, Security practice, Intrusion detection, physical security

Physical security is something we often take for granted, but it can be just as important as cyber security. One of my clients recently called to say that some suspicious files had suddenly appeared on one of their servers. Naturally, I investigated, but I couldn’t find any breach in the firewall or any indication in the IDS logs that the network had been hacked from outside.

After spending a couple of hours digging around in the server logs, I finally dug into the registry and found that the files had apparently come from a USB device that had been plugged into the server around 9:30 pm on the day in question. Since only three people have access to the servers–myself, the IT Manager and the Controller–and none of us were guilty, I had to suspect that someone had gained unauthorized access to the server room.

Sure enough, the IT Manager recalled leaving early on an emergency the day of the incident and with a sheepish grin told me, “I guess I forgot to lock the door.”

We now have an electronic combination lock on the door and only the three of us have the code. The door automatically locks itself three seconds after it’s opened, so “forgetting” isn’t an option.

Lesson learned. Fortunately, the files were benign.
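
The registry check described in this post can be sketched as follows. This is an added example, not the author's own procedure or code: it lists the USB storage devices recorded under the USBSTOR key with each instance key's last-write time, then filters them to a time window. The window dates are constructed, and a key's last-write time only approximates when the device was connected.

```python
"""List USB storage devices recorded in the Windows registry (added example)."""
from datetime import datetime, timedelta, timezone

USBSTOR = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def usbstor_entries():
    """Yield (device, serial, friendly_name, last_write_utc); Windows only."""
    import winreg  # imported here so the helpers also load on other systems
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            device = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    serial = winreg.EnumKey(dev_key, j)
                    with winreg.OpenKey(dev_key, serial) as inst:
                        try:
                            name = winreg.QueryValueEx(inst, "FriendlyName")[0]
                        except FileNotFoundError:
                            name = ""  # some instances have no friendly name
                        stamp = filetime_to_utc(winreg.QueryInfoKey(inst)[2])
                        yield device, serial, name, stamp


def in_window(entries, start, end):
    """Keep entries whose key was last written between start and end (UTC)."""
    hits = (e for e in entries if start <= e[3] <= end)
    return sorted(hits, key=lambda e: e[3])


if __name__ == "__main__":
    # Constructed window in UTC; convert the local time of interest first.
    start = datetime(2009, 7, 8, 20, 0, tzinfo=timezone.utc)
    end = datetime(2009, 7, 9, 0, 0, tzinfo=timezone.utc)
    for device, serial, name, stamp in in_window(usbstor_entries(), start, end):
        print(stamp.isoformat(), device, serial, name)
```

Run it from an administrator account on the machine under investigation, and corroborate any hit against file timestamps and door or badge records before drawing conclusions.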


Apr 29 2009   12:33AM GMT

10 Immutable Laws of Security Administration



Posted by: Ken Harthun
Security, Security management, Security policy, Security practice, Secure Computing

My last post on this subject discussed the 10 Immutable Laws of Security. This one takes the next step–also a Microsoft “archived” essay, but still relevant today. These are so self-evident that I’m not even going to burden you with my thoughts. Print this out and hang it where you can see it as a constant reminder. These are the 10 Immutable Laws of Security Administration:

Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea


Apr 15 2009   8:13PM GMT

10 Immutable Laws of Security



Posted by: Ken Harthun
Security, Secure Computing, Security management, Security policy, Security practice

I search the web constantly for security-related news and content. One day last month, I came across a series of articles on TechNet buried in the archive. Microsoft prefaces the articles with this statement: “Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.” Well, I find the content interesting and relevant, certainly worthy of bringing to your attention. Here are the 10 Immutable Laws of Security according to Microsoft with my comments included:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

We tend to take the programs and utilities we run for granted. We trust them to work as advertised and not harm our systems or corrupt our data. What we often don’t consider is that our computer is being controlled by the programs it’s running and those in control of it are the programmers who wrote the software. This isn’t a problem with normal software since we tell it when to run, what data to manipulate, and when to quit; we are able to exercise a measure of control. We still “own” our computer. With malware, “To run or not to run, that is the question” and those are our only two options.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Physical security isn’t complicated. My Security Maxim #8 covers it admirably.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

That’s an understatement. Not only is it not your website anymore, but you’ve just become an unwitting accomplice in whatever havoc the bad guy wreaks. There is no reason in the world to allow anyone to upload programs to your website before you have the chance to vet them.

Law #5: Weak passwords trump strong security

I am reminded of a friend who was baffled when he discovered that his PC was part of a P2P network being used to transfer pirated music. He couldn’t understand why his firewall “quit working” suddenly (he had P2P blocked on his router). Long story short, his teenage son had guessed the router password and changed the configuration. Heed my advice and make your passwords unguessable.

Law #6: A computer is only as secure as the administrator is trustworthy

If you can’t trust the admin, you can’t trust the PC. The administrator can install anything he wants.

Law #7: Encrypted data is only as secure as the decryption key

Make sure that your decryption key is kept in a secure place, not on your computer. It’s best to memorize it, but if you can’t, store it on a memory card and put it in your wallet. Make two copies and keep one in some other physically secure place. The first place the bad guy is going to look is on the hard drive.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Out-of-date malware scanners of any kind won’t protect you against the inevitable new variants that come along.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

As it says in the article: “All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you.”

Law #10: Technology is not a panacea

No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.