Tuesday, February 26, 2008

Protection against a Cold Boot Data Attack

You might have heard about the new technique for getting data off of an encrypted hard disk by freezing the memory on the computer. (You can do your own Google to find more details.) The story has hit mainstream press.

Am I worried? Only if someone physically gets to my computer, just after a power-down (or hibernate).

Protection? Several choices -- the ones you use depend on the confidentiality of your data (or your activities on the computer):

- encrypt files / folders as well as the entire hard disk
- keep the computer physically secure to prevent theft; don't use sleep or hibernate
- power off the computer, don't use hibernate. By the time you get out the door, the data in RAM will 'bleed off'.

Risky places? Try hotels, conferences, going through customs (did you know that your computer can be inspected -- or even seized -- by Customs?), any place where your computer is not under your total physical control.

And 'safe computing practices' will also help. Add to those the physical security of your system and data. And that includes USB thumb drives.

Friday, February 15, 2008

Blinded By the Updates

One of the mailing lists I subscribe to is the "Consensus Security Vulnerability Alert" from www.sans.org. It comes out weekly, and lists all newly reported software vulnerabilities - commercial and open source.

This week's list is notable for the many commonly used programs. No, not just Windows. The problem is that you might become a bit complacent if all you do is use Windows Update.

Here's a list of the software that caught my eye (in no particular order):
  • Apple Mac OSX
  • Apple QuickTime
  • Novell Client
  • Symantec BackupExec
  • Adobe Reader
  • ClamAV
  • Apple iPhoto
  • MPlayer
  • Yahoo! Music Jukebox
  • Nero Media Player
  • Checkpoint SecureClient/SecuRemote
  • WordPress plugins

Do you have an update strategy for keeping all of these applications current? Or do you just rely on Microsoft's Automatic Updates and your anti-virus update?

Thursday, February 14, 2008

Security Policies and Inadvertent Holes

I worked on a VBScript program that queried a range of computers by IP address. The script grabs information from the registry on the status of the Windows Update settings and places the results in an HTML table for easy analysis. The result was interesting; even though we have a policy requiring those settings on all systems, a few holes were found.

Which is sort of the old 'trust but verify' mantra of an information security guy. You can set up rules and procedures, but you need to verify that the rules and procedures are being followed. If they are not, there can be some serious holes for malware to slip through.
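An added example of the same kind of audit, written in PowerShell rather than the author's VBScript: it reads the Windows Update policy key on each host through the Remote Registry service, flags the holes, and writes the results to an HTML table. The host list path, the output path and the Get-AuStatus function are assumptions, not part of the original script.

```powershell
# Added example (not the author's VBScript): audit the Windows Update policy settings on a
# list of hosts via the Remote Registry service and write the results to an HTML table.
# Assumes: run with admin rights on the targets, the Remote Registry service is running there,
# and the host list file holds one IP address or hostname per line (assumed path below).
$hosts = Get-Content -Path 'C:\audit\hosts.txt'

# Decode the policy value AUOptions into the wording of the Automatic Updates dialog.
$auOptions = @{
    2 = 'Notify before download'
    3 = 'Download, notify before install'
    4 = 'Download and schedule install'
    5 = 'Local admin chooses'
}

function Get-AuStatus {
    param([string]$Computer)
    $row = [ordered]@{ Computer = $Computer; NoAutoUpdate = ''; AUOptions = ''; Status = '' }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        # Group Policy writes its settings here; a missing key means the policy never arrived.
        $key = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')
        if ($null -eq $key) {
            $row.Status = 'HOLE: policy key missing'
        } else {
            $row.NoAutoUpdate = $key.GetValue('NoAutoUpdate')
            $row.AUOptions    = $key.GetValue('AUOptions')
            if ($row.NoAutoUpdate -eq 1) {
                $row.Status = 'HOLE: automatic updates disabled'
            } elseif ($auOptions.ContainsKey([int]$row.AUOptions)) {
                $row.Status = 'OK: ' + $auOptions[[int]$row.AUOptions]
            } else {
                $row.Status = 'HOLE: AUOptions not set'
            }
            $key.Close()
        }
        $hklm.Close()
    } catch {
        # Unreachable host, Remote Registry stopped, or access denied: report it, don't skip it.
        $row.Status = "UNKNOWN: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$results = foreach ($h in $hosts) { Get-AuStatus -Computer $h }
$results | ConvertTo-Html -Title 'Windows Update settings audit' |
    Out-File -FilePath 'C:\audit\au-report.html'   # assumed output path
$results | Where-Object Status -like 'HOLE*' | Format-Table -AutoSize
```

Hosts that answer UNKNOWN deserve a second look too: a stopped Remote Registry service on a machine that should have it running is itself a sign the policy isn't being applied.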

Tuesday, February 12, 2008

Loving Storm Worm Spam

I'm seeing what appears to be a new round of spam email from the "Storm Worm" gang. The messages are very short, with a subject related to Valentine's Day, and a short message with a link to a web site. An example: a subject of "Blind Love", and a message of "Rockin' Valentine" along with a link to a web site.

Clicking on the web link (or even typing it in manually) will get you an attempt to download some malware automatically. Current anti-virus may protect you against the download attempt, depending on the web page payload. Current patches will be another protection layer.

Note that Microsoft has released 12 patches today, many of them critical. Of course, all of my many readers (yes, the two of you in the back) are following Safe Computing Practices, and have their computer set up for automatic updates. And you have updated Adobe, Apple Quicktime, Firefox, and Linux kernel updates...

More info about the 'lovely' Storm Worm spam is here: http://isc.sans.org/diary.html?storyid=3976

Monday, February 11, 2008

PDF Exploits Seem Widespread

Reports from the various malware researchers indicate that the exploit for Adobe PDF files is becoming widespread. Although the exact distribution isn't clear at this time, it appears to be spreading via PDF links in banner ads, and also through the usual spam mail.

Adobe has an update available. To install, start up your Adobe program (reader or 'writer'), and use Help, Check for updates. Current version is 8.12 (shown via Help, About). Any prior versions (before version 8) should be replaced with version 8.12.

Thursday, February 7, 2008

Here a Patch - There a Patch

While you are waiting for the monthly Microsoft patches, there are other important patches that need to be installed. These programs are probably on 80% of all computers, and affect all users.

Updates for Sun Java, Adobe Reader, Apple Quicktime, and Skype are now available from their respective vendor sites. I'd suspect that many users are a bit behind on their upgrades of these programs.

There is a program available from Secunia called Personal Software Inspector. It's free, and will scan all the programs on your computer and check for needed updates. I've used it for a couple of months. After the initial scan (which does take some time depending on your software 'load'), it is not very intrusive. More info here: https://psi.secunia.com/

In any case, updating all your software is just as important as the OS and anti-virus patches.

Monday, February 4, 2008

Domain Name Change Scam

At the office, we have consolidated our many domain names (don't ask why there are so many) to one registrar. And we have changed the contact email addresses on all of the domains to one email address, which is routed to three people only.

So imagine my surprise when I got a message from "Liberty Names of America" thanking me for my domain name renewal. And another email right after that, saying my $94 payment had been received for that transfer. The email had a link that I could click on to confirm and complete my order. Wasn't that thoughtful?

Danger, Will Robinson!

Did you ever get a bill in your snail-mailbox that was puzzling? Did you send them a check? That's a common scam, especially for businesses. It's a great way to make money.

The mantra in Information Security is "Trust, but Verify". So I went to the local "Whois" tool to make sure that my domain name was properly registered. And verified that I had a 'lock' on the domain names to disallow transfers. And all was well (for now; I'll keep checking).

I didn't click on the "helpful" link in the email. Not in the "Safe Computing Practices" list. But I did note that if you search for the company's name, you'll find lots of warnings about this Domain Name change scam.

So, perhaps a slight revision: "Don't Trust, Verify First".

Friday, February 1, 2008

The Firewall Between Your Ears

Saw a question in another conference about putting a firewall on a network card. The person wanted to know if that would be a good idea: "Why not build a firewall into the wireless adapter/chip? In fact, why not position the firewall behind both the wireless and the wired network connections?"

My thoughts:

A "firewall on a chip" will not protect you from a 'man in the middle' hack. That's where you sit in a wireless hot spot, log in, and wander through the 'net. The problem is that your login was to the hacker off in the corner, who presented you with the login page and passes your traffic through to the net.

The hacker captures all of your traffic (sort of like eavesdropping), hoping to catch your user/password as you log into your bank's web site to check your balances or pay bills. Or as you go to Amazon to order a book, paying with your credit card. All of your traffic is captured: your bank login, your credit card info, etc.

It will not protect the user who surfs to a page that asks to install a bit of software to view the latest humorous video. Or the user who will click on an email link to get their e-card, which installs a virus or keystroke logger.

A firewall on your computer is better (the Windows firewall is better than nothing). A firewall will protect from external scans and attacks. But it won't protect against unsafe computing practices by the user.

The ultimate firewall is the one that is between your ears working in conjunction with following the safe computing practices I've mentioned before.