The prevention of data leaks is a main concern for most IT administrators today. Data leaks expose confidential information of companies, employees, and clients. They can affect credit ratings, press coverage, reputation, fines, and overall business. So it is no wonder that preventing the loss of data is a high priority for IT professionals. One of the main methods for preventing data leaks is encryption. Many laws have been written that protect the identities of consumers and force businesses to be proactive by imposing fines for violations. When lost data was not encrypted, companies are forced to report the loss. Thus, encryption is crucial, not only to remain compliant, but to prevent data leaks from occurring.

Businesses today rely on their network infrastructure, and most of their data resides on their central server mainframe. Because many companies back up their central mainframes to backup tapes, it goes without saying that there is confidential data on those tapes. This is why encrypting those backup tapes is important to data security. Many companies transport those tapes to offsite locations for disaster recovery purposes. This transport poses a security risk because the data leaves the secured server room and is often exposed to the general public during travel. Backup tapes can also pass through many hands during the process. Using backup tape encryption can help protect the data no matter where it is.

As with all data loss prevention, there is always a bit of risk management involved. There is a balance to be struck between the encryption of confidential data and the overhead cost of implementing it. Data that is not confidential or business critical does not need the same encryption levels that more private information does. It is important to identify what data requires encryption and what data does not. Data that goes offsite should always be encrypted due to the higher risk. Other files such as operating system files, temporary files, or disaster recovery start-up files do not need encryption applied to them.

It is also important to take a look at older data that resides on tape. Making the move to encryption is important. But unlike most upgrades, you can’t just ignore the data that resides on your old backup system or tapes. This data can be just as valuable to thieves as your most recent backups. That is why it is paramount to encrypt the data located on all your backup tapes and not just tapes used in the future. Tape encryption is a key part of your solution to protecting your network’s data. Make no compromises when it comes to data loss prevention.
An on/off switch has been developed for RFID cards by a UK firm that can help prevent RFID cards from being hacked. The risk comes from hackers being able to clone the transmissions sent from these devices and duplicate them to gain access to buildings. This can be done without the victim ever knowing it happened. The switch is placed on the card and is squeezed when the card needs to be scanned by the reader. When scanning is done and the card is no longer being squeezed, it is automatically shut off. This prevents hackers from being able to clone RFID cards when they aren’t in use.

There are many attempts by companies to increase RFID card security. There are even wallets made from stainless steel that you can place these cards in, which block the cards’ transmissions from leaving the wallet. This new on/off switch provides one of the least bulky methods. FasTrak, the toll tag system in use in the San Francisco Bay Area, is trying to develop a similar on/off switch that activates the RFID tag only when it is entering a toll. This can help prevent thieves from cloning other drivers’ toll tags and then using that tag ID to go through tolls and foot the cost to those drivers.

The problem with introducing new security measures to RFID cards is cost. Because these cards are cheap to manufacture to begin with and are usually manufactured on a large scale, even a penny’s difference can make implementing a new security mechanism infeasible. Peratech, the company that has developed this technology, says that it should cost cents and not dollars to implement. Time will tell if their technology catches on with manufacturers.
For all businesses, there is a need to protect your data. That need extends through the entire life of that data and the hardware that it resides on. For many small and midsize businesses, this means that when it is time to upgrade to new solutions and dispose of old hardware, they must destroy or erase the old hard drives. There is a cost associated with that as well as the risk of a data leak.

IBM has just unveiled a new solution. It is a hardware-based encryption system. The IBM System x Vault is designed to provide a simple way for SMBs to protect their data without compromising performance. Because it is a hardware-based solution, there is no degradation in performance like you get with software-based systems.

The System x Vault is compatible with the x series server models x3650, x3400, and x3500 and runs for about $1,099. The unit is an adapter for those servers that provides encryption for their hard drives.
Any time you introduce new features or products into your network, you must be aware that you may also be introducing new security threats. Technology is meant to be an asset to the business, that is, to increase productivity. Unification is all the buzz lately and many applications on the network have become “unified”. This means that applications and resources on the network are integrating and seamlessly providing access through one interface.

Many businesses have seen the benefits that a VoIP phone system can provide and have migrated their older generation system to this new technology. But because VoIP runs over the data network, new security risks have come with it. Because of this, many IT departments have chosen to segregate their voice networks from their data networks as much as possible.

But now many VoIP applications offer unified communications. This integrates many data applications on the network with your voice communications, and it introduces many new ways for attackers to gain access to confidential information. Unified communications (UC) opens up your infrastructure so that users can collaborate and share ideas more easily. All this opens up the VoIP network to the data network and vice versa. VoIP now integrates with applications such as LDAP, email, and instant messaging. This means that network credentials can now be stolen through the VoIP network, and once those credentials are compromised, a much broader range of access can be achieved. Softphone clients are common in UC implementations, and they provide one more point of access for attackers to take advantage of. Still, while some of the more complicated attacks against UC at the application layer garner more attention, the more prevalent attacks are the lower network layer attacks that can deny service to VoIP networks. Protecting your network at the lower network layers can have a greater impact on your overall network security. When it comes to UC implementations, including security planning early in the development cycle makes it much easier to create a secure environment.
A little time has passed since the major uproar over the critical DNS cache vulnerability that researcher Dan Kaminsky discovered. Since then a temporary “band-aid” fix has been applied: randomized source ports are used to make it very difficult for an attacker to poison a DNS server’s cache. But it is not a fix that can stand the test of time to secure DNS. DNS is still broken and vulnerable, and much more work and many more ideas are needed to secure it.

There have been a lot of ideas from researchers on ways to secure DNS. Many of them are discussed on Dan Kaminsky’s blog, where he discusses their benefits, downsides, and possible implementation.

In an earlier article on his blog he discussed using TTL as a security feature. Someone came up with a method of using TTL to prevent a cache record on a server from being poisoned unless the TTL (time-to-live) on that record has expired. Kaminsky points out several things wrong with this. One is that TTLs on servers vary: for those with very high TTLs it can actually cause a lot of problems, and for those with very low TTLs you don’t gain much value from it. For more on Kaminsky’s take on TTL being used to try to fix DNS, you can read his statements on his blog. It will be interesting to see what people come up with to secure DNS.
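To make that trade-off concrete, here is an added example (my own, not code from Kaminsky’s blog or the original post) that models the TTL-lock proposal as a small cache which refuses to overwrite an unexpired record, and runs it over a constructed one-hour timeline; the hostname, addresses and timing are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed values: the name being cached, its old and new genuine addresses,
# and the address a forged answer would carry.
NAME, OLD, NEW, FORGED = "www.example", "192.0.2.1", "192.0.2.2", "203.0.113.66"


@dataclass
class Record:
    rdata: str
    expires_at: int


class TtlLockedCache:
    """Cache that refuses to overwrite a record until its TTL has expired (the
    proposal discussed above); a plain cache would accept any matching answer."""
    def __init__(self):
        self.entries = {}

    def store(self, name, rdata, ttl, now):
        """Return True if the answer was accepted, False if an unexpired record blocked it."""
        cur = self.entries.get(name)
        if cur is not None and cur.expires_at > now:
            return False
        self.entries[name] = Record(rdata, now + ttl)
        return True

    def lookup(self, name, now):
        cur = self.entries.get(name)
        return cur.rdata if cur is not None and cur.expires_at > now else None


def simulate(ttl, horizon=3600, change_at=600, forged_every=7):
    """Constructed timeline, one tick per second, for a single name.
    The cache is primed with the genuine address; the site legitimately moves to
    a new address at `change_at`; a forged answer is assumed to beat the genuine
    one whenever `now` is a multiple of `forged_every`. Because of the lock, an
    answer can only land on the tick the previous record expires.
    Returns (forged answers accepted, seconds the old address was still served
    after the move)."""
    cache = TtlLockedCache()
    cache.store(NAME, OLD, ttl, 0)
    forged_accepted = stale_seconds = 0
    for now in range(1, horizon):
        legit = OLD if now < change_at else NEW
        answer = FORGED if now % forged_every == 0 else legit
        if cache.store(NAME, answer, ttl, now) and answer == FORGED:
            forged_accepted += 1
        if now >= change_at and cache.lookup(NAME, now) == OLD:
            stale_seconds += 1
    return forged_accepted, stale_seconds


if __name__ == "__main__":
    for ttl in (30, 86400):
        print(f"ttl={ttl}: forged accepted, stale seconds = {simulate(ttl)}")
```

With a 30 second TTL the lock still lets 17 forged answers through in the hour; with a one day TTL none get through, but the cache keeps serving the old address for the remaining 3000 seconds (and would for the rest of the day).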
When Sarbanes-Oxley was introduced back in 2002, everyone scrambled to get their business and IT infrastructure compliant. Today, the trouble isn’t with getting your policy model compliant, it is with maintaining the compliance that you initially set up.

IT is a field that is constantly changing, and thus your IT policy and structure in your business will change and expand constantly. Putting the documentation and set of controls in place to ensure improvement is the first step to ensuring that your compliance efforts are not too rigid. In order for businesses to stay competitive, they must have the ability to be flexible. If your set of controls is too rigid, then you will hinder your company’s flexibility. Having a set of documents that states processes and controls will make it easier to maintain and follow order when introducing new policies and models for your IT infrastructure.

One way to ensure compliance is to monitor legislation and stay on top of new regulations that are put in place so that you can make adjustments to your internal policy. Document these new regulations and then make adjustments accordingly. Organized documentation is one of the more difficult but crucial keys to maintaining compliance. Change control policies must also be put in place and documented. Having a change control structure in place will ensure a sort of checks and balances in your business and IT department. Having change control policies documented will also ensure that you have the right documents to show in the event you are audited.

Risk management is something that many IT managers deal with on a day-to-day basis. Taking into account the risk levels of new regulations and new technology will help you decide the best course of action. As always, documenting this will help you get a better grasp of the scope of the project or policy. Sometimes maintaining compliance is more about policy management and documentation than it is about actual network security. But the two go hand in hand. The technical geek inside us all wants to focus strictly on the actual security technology that underlies every compliance regulation. But the truth is that documentation and change control processes are what drive it all. Without the policies in place to maintain compliance, security goes out the door.
It seems as if Apple’s MobileMe service has quite a few problems. A couple of weeks ago, the TechCrunch blog reported a design flaw in the service that allows attackers to crawl the site’s public folder structure and obtain usernames. These usernames are the same usernames used for the service’s email addresses. While this isn’t a huge concern for users of the service, because it does not expose sensitive information about the user, it is one more way for a spammer to easily obtain email addresses. Email addresses obtained in this way can be used to launch a targeted spam campaign to phish for passwords and other sensitive information. One more reason why it is important to filter email and be mindful of what you click on.

A larger concern about the service is the fact that it does not use SSL when transferring data from one account to another. The service is an email, contact, and file management service that allows users to collaborate with each other. Account and credential information is encrypted, but not the data that the users send. This is a larger concern because users may not be completely aware of this issue, and sensitive and confidential data may be transferred over the web and put at risk. The combination of knowing the user’s email address and being able to openly view data transferred through the service could allow an attacker to target their attacks with direct knowledge about the user. With that said, Apple is not the only one to blame when it comes to openly displaying usernames on a public web page. Many social network sites display a user’s login name on searchable web pages that can then be used to find information on the user. One more lesson in how the internet is an open and public forum.
Come September 2nd, Google is going to release a beta version of its new browser called Chrome. So what does this new browser mean for security? Here are some of the features that this new browser will entail.

It runs each new browser tab in a separate sandbox. Each tab gets its own process and memory space. This means that one tab cannot crash another, so you won’t lose all your sessions if just one of them hangs. This also means that applications in one tab do not have direct access to the memory of another browser tab. This increases the protection the browser provides against rogue sites.

Google claims that this ’sandboxing’ technique protects against malicious data from websites. If a website is causing an issue, it is contained within Chrome and simply closing the browser will protect your PC. However, Google admits that plugins installed in the browser bypass this security feature.

It also features a privacy mode. This is similar to Microsoft’s InPrivate mode. No user information is recorded while in this mode: no usernames, passwords, website history, form data, etc., are recorded or stored. This is useful for users on a public PC who can’t guarantee privacy. It does not protect your data once it leaves the PC, however. Once the data leaves the PC it is still vulnerable to attackers sniffing data over the network.

Similar to current features in Internet Explorer, Chrome will also download the latest list of known phishing sites to protect and warn users from unknowingly accessing a phishing site. All these security features, however, are nothing new, with Internet Explorer and Firefox already in the market and claiming their stake in the “high security” web browser market. It will take something new and extraordinary from Google to take market share away from Microsoft and Mozilla.
With the public key infrastructure in use today, the defense we have against man in the middle attacks on SSL sessions is limited to certificates issued by trusted certificate authorities. If a session is initiated with a server that isn’t using a digital certificate signed by a trusted CA, and the authenticity of the server is not verified, then there is no guarantee that your transactions with that server are secure.

In a man in the middle attack, an attacker routes all traffic between the server and client through their own system and captures all the data sent. If the connection is encrypted, the attacker must decrypt the data before being able to access it. But if authentication was compromised beforehand, or the certificate was not verified for authenticity, then the attacker could gain access to all the encrypted data easily.

At Carnegie Mellon University, researchers have developed a possible way to ensure that transactions over the internet with unverified servers are secure. The method is called “Perspectives.” It uses a system of notaries that maintain a history of the public keys used by a server. The client can use a web interface to verify that the key it received is the same key that the notary received. In order for a man in the middle attacker to succeed, they would need to mount a man in the middle attack on both the client and the notary. This makes it very difficult to launch the attack successfully.

This method, however, is not a replacement for the current PKI system. Perspectives assumes that the man in the middle (MITM) is close in proximity to one of the two clients, the end user or the notary. For example, the MITM might be on the same subnet as the client. But if the MITM is close enough to the server that both the client and the notary must pass through the MITM to reach the server, then the attack may succeed without the Perspectives system being able to detect it. The Perspectives system also needs to maintain a history of public keys in order to work. So while the chances are slim, if a MITM server were to go up at the same time as the notary server, then the validity of the notary server is compromised from the start. For the time being, SSL CAs and PKI are here to stay and are the most efficient and effective way to secure trusted transactions between clients and servers. But Perspectives has an intuitive way to verify untrusted certificates, and it will be interesting to see if this method takes off in the future.
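As an added illustration (my own toy model, not code from the Perspectives project or the original post), here is the notary check and the two situations described above: a man in the middle near the client, which the notaries expose, and one in front of the server since before the notaries started recording, which they cannot. The hostname, keys, notary names and quorum are constructed assumptions.

```python
import hashlib
from collections import Counter

def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()[:16]   # what a notary records per probe

class Network:
    """Constructed model of which key each vantage point receives from a host.
    client_side_mitm: vantage -> attacker key (only that vantage is affected).
    server_side_mitm: host -> attacker key (every vantage, notaries included)."""
    def __init__(self, real_keys):
        self.real_keys, self.client_side_mitm, self.server_side_mitm = dict(real_keys), {}, {}
    def key_seen_from(self, vantage, host):
        if host in self.server_side_mitm:
            return self.server_side_mitm[host]
        if vantage in self.client_side_mitm:
            return self.client_side_mitm[vantage]
        return self.real_keys[host]

class Notary:
    """Probes hosts from its own vantage point and keeps the fingerprints it saw."""
    def __init__(self, name, network):
        self.name, self.network, self.history = name, network, {}
    def probe(self, host):
        fp = fingerprint(self.network.key_seen_from(self.name, host))
        self.history.setdefault(host, []).append(fp)
    def consistent_key(self, host):
        seen = set(self.history.get(host, []))        # one stable key, else no opinion
        return seen.pop() if len(seen) == 1 else None

def perspectives_check(host, key_from_server, notaries, quorum):
    """Accept the key the client received only if at least `quorum` notaries have
    consistently observed the same fingerprint. Returns 'ok', 'mismatch' or 'no_history'."""
    votes = Counter(n.consistent_key(host) for n in notaries)
    votes.pop(None, None)
    if not votes:
        return "no_history"
    return "ok" if votes[fingerprint(key_from_server)] >= quorum else "mismatch"

def run_scenarios(quorum=2):
    host, genuine, attacker = "bank.example", b"genuine-key", b"attacker-key"  # constructed
    net = Network({host: genuine})
    notaries = [Notary(f"notary{i}", net) for i in range(3)]
    for _ in range(3):                                  # repeated probes build history
        for n in notaries:
            n.probe(host)
    results = {}
    # 1. Honest connection: client and notaries all see the genuine key.
    results["honest"] = perspectives_check(host, net.key_seen_from("client", host), notaries, quorum)
    # 2. MITM on the client's subnet: only the client's view differs, so the notaries expose it.
    net.client_side_mitm["client"] = attacker
    results["client_side_mitm"] = perspectives_check(host, net.key_seen_from("client", host), notaries, quorum)
    # 3. MITM in front of the server since before the notaries began probing: they recorded
    #    the attacker's key too, so the check passes and the attack goes undetected.
    net2 = Network({host: genuine})
    net2.server_side_mitm[host] = attacker
    notaries2 = [Notary(f"notary{i}", net2) for i in range(3)]
    for n in notaries2:
        n.probe(host)
    results["server_side_mitm"] = perspectives_check(host, net2.key_seen_from("client", host), notaries2, quorum)
    return results
```

The third scenario is exactly the limitation the post describes: the notaries only help when their path to the server differs from the attacker's position.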
In case you needed further confirmation that the internet is not a safe place, an exploit in the Border Gateway Protocol can be used to divert internet traffic to another location. This can be done from anywhere on the internet and does not require the attacker to be within the same subnet. This was demonstrated at the DEFCON security conference in August.

While this is not a new discovery, the recent demonstration helps show how unstable and insecure the core infrastructure of the internet really is. Not only are higher level applications like DNS vulnerable, but the lower level protocols also have flaws in their design that can be taken advantage of. Experts in the field are calling for changes to internet routing and have been issuing warnings for years. A newer secure protocol, S-BGP, is a possible solution that could be deployed, yet there are still issues that need to be worked out regarding deployment and operation.

For now, however, the only way to get any privacy over the internet is to use point-to-point encryption such as a VPN tunnel. Send data over the internet without encryption and you risk compromising it.