Apr 8

I have written many times before about the importance of end-to-end security across all types of networks. With the state of security today, protecting your data at all points on the network is crucial. Fortinet recently introduced a new vulnerability management solution for medium to large corporate businesses, called the FortiScan-1000B. It helps businesses maintain security across their network by integrating all the crucial points of a network security policy. It integrates the following features: industry and federal compliance, endpoint vulnerability management, network-level vulnerability management, and patch management and remediation.

In 2008 Fortinet purchased the security company Secure Elements. The technology from that acquisition forms the basis of the new FortiScan-1000B: it uses the Secure Elements software as the foundation of the new solution, and it also uses the vulnerability scanning feature from Fortinet's own FortiAnalyzer product. These features help security administrators stay compliant with SOX, PCI-DSS, GLBA, HIPAA, and similar regulations.

You can read more about this new device at Fortinet's website.

Sep 16

The prevention of data leaks is today a main concern for most IT administrators. Data leaks expose confidential information about companies, employees, and clients. They can affect credit ratings, press coverage, reputation, fines, and the overall business. So it is no wonder that preventing the loss of data is a high priority for IT professionals. One of the main methods for preventing data leaks is backup encryption. Many laws have been written that protect the identities of consumers and force businesses to be proactive by imposing fines for violations.

When data that was not encrypted is lost, companies are required to report the breach. Thus, encryption is crucial, not only to remain compliant, but to prevent data leaks from occurring. Businesses today rely on their network infrastructure, and most of their data resides on their central server or mainframe. Because many companies back up their central systems to backup tapes, it goes without saying that there is confidential data on those tapes. This is why encrypting those backup tapes is important to data security. Many companies transport those tapes to offsite locations for disaster recovery purposes. This transport poses a security risk because the data leaves the secured server room and is often exposed to the general public during travel. Backup tapes can also pass through many hands during the process. Using backup encryption can help protect the data no matter where it is.

As with all data loss prevention, there is always a bit of risk management involved. There is a balance to strike between the encryption of confidential data and the overhead cost of implementing it. Data that is not confidential or business critical does not need the same level of backup encryption that more private information does. It is important to identify which data requires backup encryption and which does not. Data that goes offsite should always be encrypted due to the higher risk. Other files, such as operating system files, temporary files, or disaster recovery start-up files, do not need encryption applied to them.

It is also important to take a look at older data that resides on tape. Making the move to backup encryption is important, but unlike most upgrades, you can't just ignore the data that resides on your old backup system or tapes. This data can be just as valuable to thieves as your most recent backups. That is why it is paramount to encrypt the data located on all your backup tapes and not just the tapes used in the future.

Backup encryption is a key part of your solution to protecting your network’s data. Make no compromises when it comes to data loss prevention.

Sep 11

For all businesses, there is a need to protect your data. That need extends through the entire life of that data and of the hardware it resides on. For many small and midsize businesses, this means that when the time comes to upgrade to new solutions and dispose of old hardware, they must destroy or erase the old hard drives. There is a cost associated with that, as well as the risk of a data leak.

IBM has just unveiled a new hardware-based encryption system, the IBM System x Vault. It is designed to provide a simple way for SMBs to protect their data without compromising performance. Because it is a hardware-based solution, there is none of the performance degradation you get with software-based systems.

The System x Vault is compatible with the x series server models x3650, x3400, and x3500 and runs for about $1,099. The unit is an adapter for those servers that provides encryption for their hard drives.

Sep 3

It seems as if Apple's MobileMe service has quite a few problems. A couple of weeks ago, the TechCrunch blog reported a design flaw in the service that allows attackers to crawl the site's public folder structure and obtain usernames. These usernames are the same usernames used for email addresses on the service. While this is not a major concern for users of the service, because it does not expose sensitive information about the user, it is one more way for a spammer to easily obtain email addresses.

Email addresses obtained in this way can be used to launch a targeted spam campaign to phish for passwords and other sensitive information. One more reason why it is important to filter emails and be mindful of what you click on.

A larger concern about the service is the fact that it does not use SSL when transferring data from one account to another. The service is an email, contact, and file management service that allows users to collaborate with each other. Account and credential information is encrypted, but not the data that users send. This is a larger concern because users may not be aware of the issue, and sensitive and confidential data may be transferred over the web and put at risk.

The combination of knowing the user's email address and being able to openly view data transferred through the service could allow an attacker to target their attacks with direct knowledge about the user.

With that said, Apple is not the only one to blame when it comes to openly displaying usernames in a public webpage format. Many social network sites display a user’s login name on searchable webpages that can then be used to find information on the user. One more lesson on how the internet is an open and public forum.

Aug 29

With the public key infrastructure in use today, the defense we have against man in the middle attacks on SSL sessions relies entirely on certificates issued by trusted certificate authorities. If a session is initiated with a server that isn't using a digital certificate signed by a trusted CA and the authenticity of the server is not verified, then there is no guarantee that your transactions with that server are secure.

With a man in the middle attack, an attacker can route all traffic between the server and client through their own system and capture all the data sent. If the connection is encrypted, the attacker must decrypt the data before being able to read it. But if authentication was compromised beforehand, or the certificate was not verified for authenticity, then the attacker can read all of the encrypted data easily.

At Carnegie Mellon University, researchers have developed a possible way to ensure that transactions over the internet with unverified servers are secure. The method is called "Perspectives." It uses a system of notaries that maintain a history of the public keys used by the server. The client can use a web interface to verify that the key it received is the same key the notaries have observed from that server. For a man in the middle attack to succeed, the attacker would need to mount it against both the client and the notary. This makes the attack very difficult to carry out.

This method, however, is not a replacement for the current PKI system. Perspectives assumes that the man in the middle (MITM) is close to one of the two parties that query the server: the client or the notary. For example, the MITM might be in the same subnet as the client. But if the MITM is close enough to the server that both the client and the notary must pass through the MITM to reach the server, then the attack may succeed without the Perspectives system being able to detect it.

The Perspectives system also needs to maintain a history of public keys for the scheme to work. So, while the chances are slim, if a MITM were set up at the same time as the notary server, the notary's history would be compromised from the start.
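The following is an added example, not code from the Perspectives project, showing the core of a notary-style key continuity check as described in the three paragraphs above: the client compares the certificate it received with what several independent notaries have recorded, and it also reports the two caveats (a notary behind the attacker's path, and a history that only began today). The notary names, certificate bytes, dates and quorum are constructed assumptions.

```python
import hashlib
from datetime import date

def fingerprint(der_cert: bytes) -> str:
    """Fingerprint of the certificate bytes a party actually received."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()

# Constructed certificates and notary histories (not real services or keys).
REAL_KEY = fingerprint(b"constructed DER: bank.example genuine certificate")
MITM_KEY = fingerprint(b"constructed DER: certificate presented by the attacker")

# Each notary keeps, per host, the keys it observed itself: (fingerprint, first_seen, last_seen).
NOTARIES = {
    "notary-a.example": {"bank.example": [(REAL_KEY, date(2008, 1, 5), date(2008, 8, 29))]},
    "notary-b.example": {"bank.example": [(REAL_KEY, date(2008, 1, 6), date(2008, 8, 29))]},
    # Assumed to sit behind the attacker's path, so it has only ever seen the
    # attacker's key, and only since today.
    "notary-c.example": {"bank.example": [(MITM_KEY, date(2008, 8, 29), date(2008, 8, 29))]},
}

def current_key(history):
    """The key a notary saw most recently for a host, with the date it first saw it."""
    fp, first, _last = max(history, key=lambda obs: obs[2])
    return fp, first

def evaluate(observed_fp, host, today, notaries=NOTARIES, quorum=2, min_age_days=7):
    """Compare the key the client received with the notaries' independent histories.

    Returns:
      'consistent' - a quorum of notaries has seen this key for at least min_age_days
      'new'        - a quorum agrees, but only recently, so a MITM present since the
                     notaries started watching cannot be ruled out
      'conflict'   - a quorum of notaries reports a different key
      'unknown'    - too few notaries have any history for this host
    """
    agree, disagree, earliest = 0, 0, today
    for hosts in notaries.values():
        history = hosts.get(host)
        if not history:
            continue
        fp, first = current_key(history)
        if fp == observed_fp:
            agree += 1
            earliest = min(earliest, first)
        else:
            disagree += 1
    if agree >= quorum:
        return "consistent" if (today - earliest).days >= min_age_days else "new"
    if disagree >= quorum:
        return "conflict"
    return "unknown"
```

A client that receives MITM_KEY gets "conflict" because two of the three notaries still see the genuine key; a host the notaries have never recorded yields "unknown" rather than a false sense of safety.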

For the time being, SSL CAs and PKI are here to stay and remain the most efficient and effective way to secure trusted transactions between clients and servers. But Perspectives offers an intuitive way to verify untrusted certificates, and it will be interesting to see if this method takes off in the future.

Aug 28

In case you needed further confirmation that the internet is not a safe place, an exploit in the Border Gateway Protocol can be used to divert internet traffic to another location. This can be done from anywhere on the internet and does not require the attacker to be within the same subnet. This was demonstrated at the DEFCON security conference in August.

While this is not a new discovery, the recent demonstration helps show how unstable and insecure the core infrastructure of the internet really is. Not only are higher level applications like DNS vulnerable, but the lower level protocols also have flaws in their design that can be taken advantage of. Experts in the field are calling for changes to internet routing and have been issuing warnings for years. A newer secure protocol, S-BGP, is a possible solution that could be deployed, yet there are still issues that need to be worked out regarding deployment and operation.

For now, however, the only way to get any privacy over the internet is to use point-to-point encryption such as a VPN tunnel. Send data over the internet without encryption and you risk compromising it.

Aug 7

More and more people today are taking their banking online. Some 42% of internet users do their banking online. Considering that this number is growing every year, banks and credit unions are looking at their online banking security and making sure that they are able to provide safe interactions with their customers. Those who don't bank online say their main reason for not doing so is the lack of online banking security. One of the reasons they feel insecure about banking online is misinformation, and not knowing the correct facts about internet security.

A study from the University of Michigan by Atul Prakash looks at design flaws that many banking sites have today that fail to protect users who don't know the basics of internet security. It looks at design flaws rather than actual application vulnerabilities. Design flaws differ from application vulnerabilities because they stem from decisions made when designing the website. Many of the decisions the designers of banking sites have made promote insecure user behavior, and because many users are uneducated about basic internet security, these flaws can be taken advantage of.

Some of the online banking security flaws noted were being able to access the site over insecure HTTP, being redirected to an untrusted site, low password strength thresholds, and emailing confidential data to users. If a user is unaware of the risks these designs pose, any of them can lead to confidential data being leaked.

As far as user passwords go, many of the sites involved in the study don't enforce password restrictions for users. Low quality passwords invite disclosure by brute-force attacks. But it is also noted that, with the rise of phishing sites and keyloggers, a strong password doesn't protect against those, and many banks find forcing strong passwords to be merely an inconvenience for their users. It is also claimed that enforcing a 'three-strikes' lockout policy on incorrectly typed passwords makes brute-force attacks on low quality passwords unrealistic. But the study finds that even enforcing a lockout policy is not enough if low quality passwords are allowed. A parallel dictionary attack can be used if a list of usernames is available: a string of authentication requests is run across all the usernames using common passwords, so no single account ever reaches the lockout threshold.
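As an added example (not from the study or any bank's code), the two checks below run over a constructed authentication log and show why a per-account lockout alone misses the parallel dictionary attack described above: each account sees only one failure, while a per-source view of how many distinct accounts fail exposes the pattern. The log format, addresses and usernames are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed authentication log: one login attempt per line. The first source
# tries a single common password against six different accounts and gets into
# one; the second is an ordinary user mistyping a password once.
AUTH_LOG = """\
2008-08-07T10:00:01 src=198.51.100.7 user=alice result=fail
2008-08-07T10:00:02 src=198.51.100.7 user=bob result=fail
2008-08-07T10:00:03 src=198.51.100.7 user=carol result=fail
2008-08-07T10:00:04 src=198.51.100.7 user=dave result=fail
2008-08-07T10:00:05 src=198.51.100.7 user=erin result=fail
2008-08-07T10:00:06 src=198.51.100.7 user=frank result=success
2008-08-07T10:05:00 src=203.0.113.9 user=alice result=fail
2008-08-07T10:05:30 src=203.0.113.9 user=alice result=success
"""
LINE = re.compile(r"src=(\S+) user=(\S+) result=(\w+)")

def parse(log):
    """Return (src, user, result) tuples for every well-formed log line."""
    return [m.groups() for m in map(LINE.search, log.splitlines()) if m]

def locked_accounts(records, strikes=3):
    """The 'three strikes' policy: lock a user after N consecutive failures.
    A success resets the counter, as most implementations do."""
    fails = defaultdict(int)
    locked = set()
    for _src, user, result in records:
        if result == "fail":
            fails[user] += 1
            if fails[user] >= strikes:
                locked.add(user)
        else:
            fails[user] = 0
    return locked

def spray_sources(records, max_users=3):
    """Count how many distinct accounts each source has failed against. One
    source failing across many accounts is the parallel dictionary pattern,
    which the per-account lockout above never sees."""
    users = defaultdict(set)
    for src, user, result in records:
        if result == "fail":
            users[src].add(user)
    return {src for src, seen in users.items() if len(seen) >= max_users}
```

On the sample log no account is ever locked, yet the per-source check flags 198.51.100.7 after its third distinct account; a throttle keyed on the source, or on failures across all accounts, closes the gap the study points out.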

The study also mentions websites that break the chain of trust. Often, bank websites redirect to other websites without notice. Regardless of whether these sites are secured using SSL, the certificates used are often not affiliated with the bank at all, and there is no way for the user to tell whether they are still on the bank's website. This makes it hard for even a knowledgeable user to know whether they are on a phishing site.

As mentioned, other sites present secure login options on insecure webpages. While the site may offer secure logins via SSL and HTTPS, that same webpage may also be available insecurely over HTTP. Even if a redirect to a secure page occurs, if the user has already entered credentials on the insecure page, those credentials are at risk of being compromised.

For more information on this online banking security study, you can visit the following page: Analyzing Websites for User-Visible Security Design Flaws

Aug 5

Keeping data secure at all times is crucial if you want to keep confidential files confidential. Any data stored on disk is at risk of being compromised in some way. It is important to learn ways to keep it as safe as possible and to encrypt it, so that if an attacker does gain access to the files on your hard disk, the encryption will deter them from reading your confidential data.

One program I use to encrypt my most confidential data files is called TrueCrypt. It is an open-source program that stores your files inside an encrypted container file and mounts that container as a virtual disk so you can access them. When you dismount the disk, your files are kept securely within the encrypted file. It can also encrypt an entire partition or a whole disk. If you want to encrypt everything on your computer, it uses pre-boot authentication and allows you to encrypt the system partition as well.

The nice thing about the application is that you can put the program on a thumb drive and run the application from any PC without the need for installation. This allows you to carry the encrypted file with you anywhere and have access to your data while keeping it securely contained. There are a ton of great security features in the free download. Check it out and let me know what you think. It can be downloaded here: TrueCrypt.

Jul 31

Public Wi-Fi networks are everywhere today. The nearest hot-spot in your city is probably only a block away. With so many employees on the road and working out of the office, IT departments are finding the need to provide external access to network resources. The need to stay productive while out of the office is crucial.

Anytime an end-user is accessing corporate data on a public network, security is a big concern. You never know when your confidential data may be compromised. If your company provides access to data from outside of the corporate environment, you must make sure that you take the necessary steps to ensure that data is secure.

When on a public network, any data sent to and from an end-user's laptop is generally visible to anyone else on that same public Wi-Fi network. This means those traffic streams are open to what is called a man-in-the-middle attack. A man-in-the-middle attack exploits a security flaw in the design of the Address Resolution Protocol (ARP). The flaw allows an attacker to secretly answer the ARP request of a computer that is initiating a connection with another node. The attacker then makes separate connections with the two nodes. Once this is done, all traffic is relayed through the attacker's computer, and the end-user is unaware that this has occurred. If this attack is carried out between a laptop and an internet gateway, the attacker is able to sniff every packet the end-user sends out to the internet, including confidential corporate data.
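As an added example from the defender's side (not code from the original post), the monitor below applies two arpwatch-style checks to a constructed sample of ARP replies on a hot-spot segment and flags the relay position the paragraph above describes: the gateway's address suddenly being answered by a different MAC, and one MAC answering for both the gateway and a client. The addresses, MACs and event timings are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of ARP traffic as a passive monitor on the hot-spot segment
# would see it: (seconds, opcode, sender_ip, sender_mac); opcode 1 = request,
# 2 = reply. The gateway answers normally at first; later a third station starts
# answering for the gateway's address and for a client's address.
ARP_EVENTS = [
    (0.0, 1, "10.0.0.23", "aa:aa:aa:aa:aa:23"),   # client asks who has 10.0.0.1
    (0.1, 2, "10.0.0.1", "00:11:22:33:44:01"),    # the real gateway replies
    (30.0, 2, "10.0.0.1", "00:11:22:33:44:01"),
    (61.0, 2, "10.0.0.1", "de:ad:be:ef:00:99"),   # another station now claims the gateway
    (61.2, 2, "10.0.0.23", "de:ad:be:ef:00:99"),  # ...and the client's address too
    (62.0, 2, "10.0.0.1", "de:ad:be:ef:00:99"),
]

def monitor_arp(events, known=None):
    """Two cheap checks applied to ARP replies:
    1. an IP that was answered by one MAC is now answered by a different one;
    2. one MAC answers for more than one IP, which is what a station relaying
       between a victim and the gateway looks like.
    `known` may pre-seed trusted ip->mac pairs, such as the gateway."""
    table = dict(known or {})        # ip -> mac we first learned for it
    claims = defaultdict(set)        # mac -> every ip it has answered for
    flagged = set()                  # suppress repeated alerts for the same finding
    alerts = []
    for ts, op, ip, mac in events:
        if op != 2:                  # only replies populate a host's ARP cache
            continue
        if ip in table and table[ip] != mac:
            if (ip, mac) not in flagged:
                flagged.add((ip, mac))
                alerts.append(f"{ts:.1f}s {ip} was {table[ip]}, now answered by {mac}")
        else:
            table[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) > 1 and ("multi", mac) not in flagged:
            flagged.add(("multi", mac))
            alerts.append(f"{ts:.1f}s {mac} answers for {sorted(claims[mac])}")
    return alerts
```

Pre-seeding `known` with the gateway's real MAC lets the monitor catch the change even if it was started after the attacker, which a monitor that only learns from traffic cannot do.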

So how do you protect your private data from attacks like these? Encryption is one of your biggest defenses. However you decide to provide access to network resources for employees on the road, whether via a VPN or a web portal, encryption is a must. If your company uses VPN software to provide access to the network from outside, then once the VPN tunnel is negotiated, all traffic passed between the laptop and the corporate network is encrypted. This means that even if the attacker were to sniff those packets, they would be encrypted, and the attacker would find it nearly impossible to read the data without knowing the key used to encrypt it.

If your company uses a secure web portal to provide access to network resources, there are a few things you should know. First off, most web portals secured with HTTPS use certificates to authenticate the server before the encrypted session is set up. If the attacker is using the right tools, he or she can send a spoofed certificate to the end-user. If the end-user accepts this certificate, they will be opening secure communications with the attacker. The attacker then sends the real certificate request on to the corporate web server and opens secure communication with it. Once this is done, the attacker is able to see all traffic the end-user sends before it is re-encrypted and sent on to the corporate web server. To prevent this, it is important to use certificates issued by trusted sources such as Verisign or Geotrust. Then, if the end-user receives a certificate from an untrusted source, the browser will alert them to it.

It goes without saying that any end-user who is going to access corporate data from outside the internal network should be trained in basic security. With the proper security infrastructure in place and users trained, the IT staff should be able to rest easy knowing that corporate data is safe.