Security Corner:

Storage

Jul 29 2009   9:08PM GMT

I’ll Say it Again—Turn Off the Remote Web Management Interface!



Posted by: Ken Harthun
Embedded systems, Exploits, insecure, Security, Firewalls, Hacking, Security management, Vulnerabilities, Storage, Remote Code Execution

I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:

Steve: …Stanford security lab… will also be showing some very distressing news this weekend at the Black Hat conference. They tested 21 different devices from 16 different manufacturers. These are web-enabled gizmos - webcams, printers, network switches, photo frames, VoIP phones, remote management tools, all of these things - and, like, consumer routers, all of these things that are web-enabled, meaning that like so many peripherals now, they’ve got an Internet connection and a web interface. They tested the vulnerability of 21 devices made by 16 different manufacturers. There was not one that was not vulnerable to serious web-oriented problems. For example, they were able to enter JavaScript commands into the logon prompts.

Leo: Oh, boy.

Steve: And the device logged the log-on attempts. So when the administrator brought up the log, the act of displaying the log replayed the JavaScript commands…And that allowed the commands to connect to a remote server and download malware. They said that among the worst devices were network attached storage devices. They enumerated five different classes of attacks, and they said that the NAS…were vulnerable to all five classes of attack. For example, you could rename files to JavaScript strings. There was no control over file naming in these. And of course we all have long filenames now in our state-of-the-art file systems. Well, long meaning JavaScript. And so anytime this device attempted to display the filenames on a web page, again, you were running JavaScript. So now there’s scripting running in your directory listing, which is displayed on a web page, causing your browser to do whatever the JavaScript has said. And it’s running in the local context. So even systems that have security saying don’t allow remote sites to execute script, but of course we trust our self, well, now we can’t trust our self.

Don’t tell me I didn’t say so. Turn that interface OFF!
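Both failures Steve describes, a logged login name and a NAS filename that the device's web UI renders verbatim, are the same defect: untrusted strings placed into HTML without output encoding. The Python below is an added example, not code from this post or from any of the tested devices; it shows the unescaped rendering beside an escaped one, and the kind of check a log monitor could run to flag markup in fields that should never contain it. The log entries and filenames are constructed samples.

```python
import html
import re

# Constructed sample data modelled on the episode: a login log whose second
# "username" carries markup, and a NAS directory with a markup-bearing name.
LOGIN_LOG = [
    ("2009-07-23 10:15:02", "admin", "ok"),
    ("2009-07-23 10:16:40", "<script>alert(1)</script>", "failed"),
]
FILENAMES = ["budget.xls", "photo<script>alert(1)</script>.jpg"]

def render_log_vulnerable(entries):
    """What the tested devices did: raw concatenation, so markup in a logged
    username executes in the administrator's browser when the log is viewed."""
    rows = "".join(f"<tr><td>{t}</td><td>{u}</td><td>{r}</td></tr>"
                   for t, u, r in entries)
    return f"<table>{rows}</table>"

def render_log_hardened(entries):
    """Same page with every untrusted field HTML-escaped; quote=True also
    escapes quotes, so the values stay inert inside attributes."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>"
                         for c in (t, u, r)) + "</tr>"
        for t, u, r in entries)
    return f"<table>{rows}</table>"

def render_listing_hardened(names):
    """Directory listing that escapes each filename before it enters the HTML."""
    return "<ul>" + "".join(f"<li>{html.escape(n, quote=True)}</li>"
                            for n in names) + "</ul>"

# Usernames and filenames have no legitimate need for angle brackets, entity
# prefixes or the javascript: scheme, so their presence is worth an alert.
SUSPICIOUS_RE = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)

def flag_suspicious(values):
    """Detection side: the values that look like markup injected into a field."""
    return [v for v in values if SUSPICIOUS_RE.search(v)]

def contains_raw_tag(page, tag="script"):
    """True if an un-escaped <tag ...> survives in the rendered page."""
    return re.search(rf"<\s*{tag}\b", page, re.IGNORECASE) is not None
```

Escaping on output is the fix that holds regardless of what the device logs or what names a file system allows; the flagging regex is only a detection aid and will not catch every encoding trick.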

Nov 21 2008   2:02AM GMT

How to Quickly & Securely Erase a Hard Drive



Posted by: Ken Harthun
Storage, Security, Data destruction, Data sanitization

Over at Ask the Geek, I often receive questions about how to properly erase a PC hard drive so personal data can’t be recovered. Clients also ask similar questions, particularly those involved in medical, dental, or financial practices. I’ve posted on this subject before, of course. “Paranoid About Hard Drive Security? Try This” outlined a two-step approach that works well, but is probably overkill for most, including those under regulatory scrutiny. The Center for Magnetic Recording Research (CMRR) points out that completely secure erasure doesn’t exist: erasure security is relative and is “a tradeoff between the erasure security level and the erasure time required. A high security protocol requiring custom software or days to accomplish will be avoided by most users, making it little used and therefore of limited practical value.” Enter Secure Erase (SE).

According to CMRR, “The Secure Erase (SE) command was added to the open ANSI standards that control disk drives, at the request of CMRR… The SE command is implemented in all ATA interface drives manufactured after 2001 (drives with capacities greater than 15 GB)….

“Secure erase does a single on-track erasure of the data on the disk drive. The U.S. National Security Agency published an Information Assurance Approval of single pass overwrite, after technical testing at CMRR showed that multiple on-track overwrite passes gave no additional erasure.”

CMRR’s Secure Erase utility, HDDerase, is a DOS-based program, so you need to make a bootable floppy, CD, or flash drive that boots DOS, FreeDOS, or a Windows 95/98/ME rescue disk. Download the freeware HDDerase, extract HDDerase.exe to your bootable media, boot the computer to a command prompt, and execute HDDerase.exe (HDDerase.exe must be run from an actual DOS environment and not a Windows-based DOS command shell).

In about an hour or two, depending on the size of the hard disk, you’ll have a drive that can be safely disposed of or re-deployed without fear. If you plan to re-deploy the disk, you’ll have to create a new partition and format the disk before you’ll be able to use it again.

I’ve used this handy utility many times to sanitize disks that contained data subject to the Health Insurance Portability and Accountability Act (HIPAA). All normal attempts to discover any trace of identifiable data on my test drives failed to reveal anything usable.
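The post runs HDDerase from DOS; on a current Linux host the same ATA Secure Erase is issued with hdparm, and the two places that procedure goes wrong in practice are a drive the BIOS has left frozen and an erase nobody verified afterwards. The Python below is an added example, not CMRR’s code or part of HDDerase: it parses the Security block of `hdparm -I` output (a constructed excerpt) to decide whether the erase can proceed, and spot-checks a drive after erasure by reading random chunks and reporting any that are not all zero. It assumes the hdparm output layout shown and that a completed normal-mode erase reads back as zeros, which is what normal mode writes; enhanced mode may write a vendor pattern instead.

```python
import io
import random

# Constructed excerpt of `hdparm -I` output; only the Security block is parsed.
SAMPLE_HDPARM = """\
Security:
		supported
	not	enabled
	not	locked
	not	frozen
		supported: enhanced erase
Checksum: correct
"""

def parse_security_section(hdparm_output):
    """Return the ATA security flags hdparm reports, e.g. {'frozen': False, ...}."""
    flags = dict.fromkeys(("supported", "enabled", "locked", "frozen", "enhanced"), False)
    in_section = False
    for raw in hdparm_output.splitlines():
        line = " ".join(raw.split())            # collapse hdparm's tab layout
        if line and not raw[0].isspace():       # a top-level heading ends the block
            in_section = line.startswith("Security:")
        elif in_section and line == "supported: enhanced erase":
            flags["enhanced"] = True
        elif in_section and line in flags:      # e.g. "supported"
            flags[line] = True
        elif in_section and line.startswith("not ") and line[4:] in flags:
            flags[line[4:]] = False             # e.g. "not frozen"
    return flags

def can_secure_erase(flags):
    """Pre-flight decision as (ok, reason); a BIOS-frozen drive is the usual blocker."""
    if not flags["supported"]:
        return False, "drive does not implement the ATA security feature set"
    if flags["frozen"]:
        return False, "drive is frozen by BIOS/OS; unfreeze it before erasing"
    return True, "enhanced erase available" if flags["enhanced"] else "normal erase only"

def spot_check_blank(dev, size, samples=64, chunk=4096, seed=0):
    """Post-erase check: offsets of random chunk-aligned reads that are not all zero."""
    if isinstance(dev, (bytes, bytearray)):     # allow an in-memory image too
        dev = io.BytesIO(dev)
    rng = random.Random(seed)
    dirty = []
    for _ in range(samples):
        off = rng.randrange(0, max(1, size - chunk + 1), chunk)
        dev.seek(off)
        if any(dev.read(chunk)):                # any non-zero byte is a remnant
            dirty.append(off)
    return dirty
```

On a real disk, open the block device read-only and pass its size to spot_check_blank; an empty list means none of the sampled chunks held data, which is a sanity check, not a certificate.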


Jul 5 2008   2:43PM GMT

The #1 Security Priority: Protect The Information



Posted by: Ken Harthun
Security management, Networking, Storage, Security, Encryption, Vulnerabilities, Embedded systems, Opinion, Firmware security

SANS recently reported that a Ponemon Institute survey, commissioned by Dell, found that more than 630,000 laptops are lost at airports each year, usually at security checkpoints and departure gates. A staggering 67% of them are never recovered. From SANS NewsBites Vol. 10, Num. 52:

The survey…included feedback from 864 business travelers: 53% said their laptops held confidential data; 42% said their data was not backed up; 16% said they would do nothing if they lost a laptop while traveling on business; 77% said the chance of recovering a lost laptop was less than ten percent.

Surprisingly, the SANS article made no mention that the Ponemon survey found that 65% of the travelers who have confidential or sensitive information on their laptops do nothing to attempt to protect it. The article seems to be more focused on physical security, and this is indicative of a paradigm that is too heavily weighted in favor of protecting the network rather than the information traveling across it. The paradigm is shifting, but not nearly fast enough, as the survey shows.

Given the nature of operating systems and software, embedded or otherwise, there will never be a completely secure network; there will always be vulnerabilities to deal with, and deal with them we must. However, the Internet is designed for sharing, not securing, a fact that’s never been more true than it is today; with Web 2.0’s emphasis on community and collaboration, the need to protect the information is even more critical.

We can’t predict security vulnerabilities in third-party software and systems, so all we can do is patch after the fact. If we make data protection the first priority and never allow a scrap of sensitive information to reside anywhere on any storage medium without it first having been encrypted or physically isolated, the severity of any newly discovered vulnerability is greatly lessened.

What do you think?


Mar 24 2008   9:06PM GMT

Encrypt, You Must, But Do It Right!



Posted by: Ken Harthun
Storage, Security, Encryption, Cryptography, Data destruction

One of the clients I service has information that falls under HIPAA. Prior to last week, all of the data was stored on a server located behind a strong firewall in a building with good physical security. Last week, however, this organization decided to deploy laptops for their field operatives. Major security problem. Full-drive encryption was my first thought. The good thing is that there was nothing on the laptops except for the OS–they were brand new. Nobody had seen them except me. I was able to encrypt the hard drive before any data had been written, thus ensuring that no remnants of unencrypted data exist. Every future write to the hard drive will be encrypted.

If you think about it, this is the safest way to do full drive encryption. But what if you want to re-deploy equipment that has had data on it? In this case, you’ll want to first wipe the drive using a good tool like Darik’s Boot and Nuke (DBAN) or CMRR’s Secure Erase, depending on the sensitivity of the data. DBAN will let you write multiple passes of pseudorandom data, which is usually “good enough.” Then, reinstall your OS of choice and run your full drive encryption program, assigning a passphrase at least 20 characters long (mine’s 45). All this working of the drive should sufficiently scramble any data remnants.