Enabling Secure Business Operations

In your matrix. Stealing your dots.

Researchers have developed a method (PDF) for recording the sound of a dot matrix printer in operation and reconstructing the printed text from the audio alone. Data leakage from electronic devices isn’t new (TEMPEST comes to mind), but the higher-profile methods tend to exploit electromagnetic emanations rather than mechanical or acoustic ones.


The Cat and Mouse Game of Cryptography

MD5 is a hashing algorithm created in 1991 and still used by many applications for certain features. But MD5 is no longer recommended for many uses because of the collision weaknesses found over the last few years, which open up some scary possibilities. At the end of this year, the NIST standards governing cryptography used by the federal government will no longer permit SHA-1 (160-bit) hashes or 1024-bit RSA keys for digital signatures, since concerns over the long-term security of these technologies are rising.

With cryptographers constantly working on new algorithms and breaking old algorithms, one may get nervous about whether the foundations of today’s secure transactions are really that secure. But despite the occasional ominous forecast of a cryptographic meltdown, you can remain fairly confident in encryption technology.

Just as we’re constantly finding new weaknesses in various approaches, we’re constantly finding new approaches that overcome those weaknesses. For instance, scientists are working to develop “quantum computers” that perform calculations in a completely different way from today’s electronics. Such machines would be powerful enough to break the public-key algorithms in widest use today, which rest on the difficulty of factoring and of computing discrete logarithms. But just this week, several researchers demonstrated that a 30-year-old algorithm, built on a different kind of mathematical problem, resists every known quantum attack. That approach has not been widely used because its large key sizes hurt performance, but computers are getting faster every year.

Cryptographers also work to keep a gap between theoretical attacks and practical compromises. NIST does not wait for programs that can crack any key within seconds before deprecating an algorithm. Researchers are constantly building stronger systems, and they often start recommending replacements when only the slightest cracks appear in a given approach. Also, one type of weakness does not necessarily ruin every possible use of an algorithm: a collision attack on a hash function, for example, does not by itself break every protocol that uses that hash.

But while the mathematics behind today’s systems may be sound for the near future, strong encryption alone does not guarantee security. In practice, most cryptographic failures come from insecure implementations of a sound algorithm or from bad practices built on top of strong algorithms: a cipher used in the wrong mode, a key stored next to the data it protects, a password hashed without a salt. Keeping current with effective cryptography is important, but it’s only one part of an effective security strategy.
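As an added illustration of “bad practices built on top of strong algorithms” (this is example code written for this page, not anything from the original post): the same AES key encrypts the same plaintext once in ECB mode and once in CBC mode with a random IV. The algorithm is identical and unbroken, yet ECB reveals which plaintext blocks repeat. The sample plaintext is constructed here; the class and method names are this example’s own.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Same key, same data: ECB leaks the structure of the plaintext, CBC does not. */
public class EcbVersusCbc {

    // Constructed sample data: eight identical 16-byte records (one AES block each).
    static byte[] samplePlaintext() {
        String record = "ACCT=0001;BAL=0;"; // exactly 16 ASCII bytes
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 8; i++) sb.append(record);
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    static byte[] encryptEcb(byte[] key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(plaintext);
    }

    static byte[] encryptCbc(byte[] key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(plaintext);
    }

    // Number of distinct 16-byte ciphertext blocks; a low count means structure leaked.
    static int distinctBlocks(byte[] ciphertext) {
        Set<String> seen = new HashSet<>();
        for (int off = 0; off + 16 <= ciphertext.length; off += 16) {
            seen.add(Arrays.toString(Arrays.copyOfRange(ciphertext, off, off + 16)));
        }
        return seen.size();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];
        byte[] iv = new byte[16];
        rng.nextBytes(key);
        rng.nextBytes(iv);

        byte[] pt = samplePlaintext();   // 128 bytes = 8 identical blocks
        byte[] ecb = encryptEcb(key, pt); // 144 bytes: 8 data blocks + 1 padding block
        byte[] cbc = encryptCbc(key, iv, pt);

        System.out.println("plaintext blocks: " + (pt.length / 16) + " (all identical)");
        // ECB: the 8 identical data blocks collapse to 1 ciphertext block, plus the padding block.
        System.out.println("distinct ECB ciphertext blocks: " + distinctBlocks(ecb));
        // CBC: each block is chained through the previous one, so all 9 differ.
        System.out.println("distinct CBC ciphertext blocks: " + distinctBlocks(cbc));
    }
}
```

Run as written, the ECB count is 2 and the CBC count is 9. Nothing about AES changed between the two calls; only the way it was used did, which is exactly the kind of mistake that standards bodies cannot deprecate away.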

Health Information Insecurity

A colleague lent me his most recent copy of IEEE’s Computer magazine. Inside was an article entitled “A Web 2.0 Model for Patient-Centered Health Informatics Applications” (IEEE membership required to read). Some possible benefits of the proposed approach were listed, including:

  • Run deeper analytics across physicians groups and facilities, which can include relevant patient data…
  • Provide a wide community of health professionals with feedback on the use and effectiveness of protocols…
  • Share similar and alternative protocols and their analyses across many medical facilities and individual providers…

Anyone want to guess what’s completely missing from their approach? You guessed it: any mention of security. The commonly misunderstood (and frequently misspelled) HIPAA makes it clear that the privacy and confidentiality of personal health information must be protected. Even without HIPAA, it would simply make good sense to be extra careful when sharing information and running data mining and analytics across large sets of health records.

The only mention of keeping information safe in the article is the division of data between the protocol, protocol modifications, and actual patient data, but such bright, clear lines are very hard to draw for medical records. How can you be sure the protocol modification a doctor submits won’t include information on the patient he tried it on? By not even mentioning or considering the need to protect privacy, confidentiality, and data integrity within such a system, the authors of this article have done themselves and the software community a disservice. Security requirements and threats must be considered at every phase of the life cycle, especially during the architecture phase. As Kenneth van Wyk and Mark Graff put it in their book Secure Coding: Principles and Practices,

As a general rule, the hardest vulnerabilities to fix are those resulting from architectural or design decisions. You may be surprised at how many of the vulnerabilities you have heard of we ascribe to errors at “pure think” time.

By publishing an eight-page article in a respected technical journal without any mention of the need for security controls in such a system, the authors have once again helped with my job security. It is still hard to foresee the day when security and risk management training programs won’t be necessary and we won’t need an information security industry.

Encrypt stored data in Android

Android requires SD cards to be formatted as VFAT, and that leaves a hole in the security of anything stored there. VFAT is an old filesystem with no notion of the Linux permissions that protect an application’s internal storage, so everything on the card is shared with every program on the device, and the card itself can be pulled out and read on any computer. Storing sensitive information there is therefore not the best idea. With some devices having limited internal storage, though, it might be your only option, or depending on what the data is, you may simply need the space.

One way around this is to encrypt the data from within your application, which can be done with the standard javax.crypto package. The key must not sit on the card next to the ciphertext, or the encryption buys you nothing: derive it from a passphrase the user supplies, or keep it in the application’s private internal storage.
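The following is an added example of that approach (written for this page, not code from the original post or from any Android project): a file is encrypted for shared storage using only javax.crypto, with the AES and HMAC keys derived from a user passphrase by PBKDF2 so that no key is ever written to the card. The on-disk layout, the constant values and the class name are this example’s own assumptions; it uses plain java.io so it runs on a desktop JVM as well, and on Android the output file would simply be placed under the external storage directory.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Passphrase-protected file for untrusted (VFAT) storage.
 * Layout (defined by this example): salt(16) | iv(16) | AES-128-CBC ciphertext | HMAC-SHA256(32)
 * The MAC covers salt, IV and ciphertext, so tampering on the card is detected before decryption.
 */
public final class SdCardVault {
    private static final int SALT_LEN = 16, IV_LEN = 16, MAC_LEN = 32;
    private static final int AES_KEY_LEN = 16, MAC_KEY_LEN = 32;
    private static final int PBKDF2_ITERATIONS = 20000; // assumed; tune to the device
    private static final SecureRandom RNG = new SecureRandom();

    public static void encryptToFile(char[] passphrase, byte[] plaintext, File out)
            throws GeneralSecurityException, IOException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        byte[][] keys = deriveKeys(passphrase, salt);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keys[0], "AES"), new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] tag = hmac(keys[1], salt, iv, ciphertext);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(salt); fos.write(iv); fos.write(ciphertext); fos.write(tag);
        }
    }

    public static byte[] decryptFromFile(char[] passphrase, File in)
            throws GeneralSecurityException, IOException {
        byte[] blob = readFully(in);
        if (blob.length < SALT_LEN + IV_LEN + MAC_LEN) {
            throw new GeneralSecurityException("file too short to be a vault file");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ciphertext = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - MAC_LEN, blob.length);
        byte[][] keys = deriveKeys(passphrase, salt);
        // Verify the MAC (constant-time compare) before touching the ciphertext.
        if (!MessageDigest.isEqual(hmac(keys[1], salt, iv, ciphertext), tag)) {
            throw new GeneralSecurityException("wrong passphrase or file modified on the card");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keys[0], "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(ciphertext);
    }

    /** PBKDF2 stretches the passphrase into one AES key and one separate HMAC key. */
    private static byte[][] deriveKeys(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 8 * (AES_KEY_LEN + MAC_KEY_LEN));
        byte[] material = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new byte[][] {
            Arrays.copyOfRange(material, 0, AES_KEY_LEN),
            Arrays.copyOfRange(material, AES_KEY_LEN, AES_KEY_LEN + MAC_KEY_LEN)
        };
    }

    private static byte[] hmac(byte[] macKey, byte[]... parts) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        for (byte[] p : parts) mac.update(p);
        return mac.doFinal();
    }

    private static byte[] readFully(File f) throws IOException {
        byte[] data = new byte[(int) f.length()];
        try (FileInputStream fis = new FileInputStream(f)) {
            int off = 0, n;
            while (off < data.length && (n = fis.read(data, off, data.length - off)) != -1) off += n;
        }
        return data;
    }

    public static void main(String[] args) throws Exception {
        // Demo on a temp file; on Android this would be a File under the external storage directory.
        File vault = File.createTempFile("notes", ".enc");
        vault.deleteOnExit();
        char[] pass = "correct horse battery staple".toCharArray();
        byte[] secret = "patient list: do not leave on the SD card".getBytes(StandardCharsets.UTF_8);
        encryptToFile(pass, secret, vault);
        System.out.println("round trip ok: " + Arrays.equals(secret, decryptFromFile(pass, vault)));
        try {
            decryptFromFile("wrong".toCharArray(), vault);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points matter more than the cipher choice. First, the MAC is checked before any decryption, so a modified file on the card is rejected rather than fed to the padding code. Second, the only secrets are in the user’s head and in memory; the salt and IV on the card are public by design, which is why a fresh random salt is generated per file and the passphrase is stretched with many PBKDF2 iterations.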


Maintaining Security with Enterprise Virtualization

Recently at Gemini we evaluated the basic security implications of deploying a particular large-scale desktop virtualization package. Many people have heard of “virtual machines” that let you run different operating systems concurrently on one physical computer. But enterprise virtualization solutions go far beyond that scenario, enabling companies to do everything from streaming specific applications from a server rather than installing them to having users share the same desktop configuration running on a central server. Companies can even mix and match several types of virtualization in the same environment.

The variety of virtualization options means each situation can carry specific security demands. But certain benefits and risks factor into many deployment decisions. On the positive side, virtualization can simplify maintenance and help ensure consistency by centralizing certain administrative tasks. The added layers of abstraction can also assist in isolating resources or adding flexibility to data storage options.

But those same abstractions mean increased complexity and potentially much more data flowing between various parts of a network. Administrators also need to know how data retention is handled in a virtual environment. Adding virtualization to an existing environment can blur traditional notions of access, authentication, and management. Securing each aspect may require rethinking old approaches and policies; for instance, stealing an entire virtual desktop amounts to copying one disk image file.

An article from last month in The Register explores these and other aspects of virtualization security. And as an earlier piece had noted, many deployments introduce security risks from a failure to fully evaluate the effects of such a setup: “Oddly enough, in many cases, security seems to not even be an afterthought, much less a forethought. Gartner’s surveys show that 40 per cent of server virtualization projects were done without bringing the company security experts in from the get-go as the virtualized infrastructure was planned.”

If you’re thinking of adding desktop virtualization to your enterprise, don’t make the same mistake – contact Gemini to ensure your data remains safe.

Lessons from Google Wi-Fi Gaffe

Lately, Google has been apologizing for mistakenly collecting data from unprotected Wi-Fi networks with the fleet of vans it sent out for its Street View service. Some have pointed out that, by leaving their wireless networks unprotected, companies had no reason to expect their data would not be collected somehow.

And so we have another example of what can happen when data and communications are left unprotected. You’re even susceptible to accidental disclosure of information. What other accidents might occur? One that comes to mind is accidental loss of bandwidth. Someone who doesn’t know any better might turn on their laptop and find that they have Internet access. What they didn’t realize is that they automatically connected to your network, and while they are streaming high-quality video, your employees are struggling to get their work done.

Accidents will happen. If you must have a wireless network and you still have not secured it, do something about it (hint: WPA2 with a strong passphrase; WEP has been broken for years and is little better than no encryption at all).

Hardening Adobe Reader

PDF files have become commonplace on the Internet and in the business world, but they have also become a favorite vehicle for attackers to deliver malicious payloads. While some problems may be mitigated by using an alternative PDF reader, many people have little choice but to use the standard Adobe Reader. In that situation, you can protect yourself from many PDF-based attacks by following a few basic steps.

  1. Make sure you have an up-to-date anti-malware program installed and running with automatic download of new virus definitions. Older tools may not scan for recent PDF-based threats.
  2. Make sure you have the latest version of Adobe Reader. Enable automatic updates by opening Reader and choosing Edit > Preferences > Updater. Adobe regularly issues patches against new vulnerabilities.
  3. Disable JavaScript in PDF files. This may affect certain features at times, such as PDF-based forms, but most PDF exploits rely on JavaScript to set up the attack, so it’s better to enable JavaScript only when needed. In Reader, click Edit > Preferences > JavaScript and uncheck the box for “Enable Acrobat JavaScript.”
  4. Disable Flash and multimedia in PDF files. Once again, this may prevent a few documents from loading some content, but embedded Flash is a common tool for exploiting Reader. Go to Edit > Preferences > Multimedia Trust (legacy) and either uncheck “Allow multimedia operations” or change the permissions on each listed player to “Prompt.” Be sure to check the settings for both trusted documents and other documents by changing the “Display Permissions for” option.
  5. Disable attachments. Earlier this year, security researcher Didier Stevens showed that a PDF’s /Launch action could be used to run commands outside of Reader without exploiting any vulnerability at all. To avoid this problem, open Edit > Preferences > Trust Manager and uncheck the box marked “Allow opening of non-PDF file attachments with external applications.”
  6. Configure your browser to show a download prompt for PDF files. The exact settings depend on your browser. Remove any plug-ins or add-ons for Adobe Reader, and check how your browser handles the PDF file type. If you allow PDF files to open in the browser or in Reader automatically, you may open a malicious file without realizing it.

These precautions are only a small part of keeping your computer protected against attack, but they will go a long way to help you avoid many threats involving PDF files.

No One is Immune to Security Issues

Earlier this week, blogger and author Cory Doctorow published an account of how he fell victim to a phishing scheme:

I run an up-to-date version of a very robust flavor of GNU/Linux called Ubuntu, which has a single, easy-to-use interface for keeping all my apps patched with the latest fixes. My browser, Firefox, is far less prone to serious security vulnerabilities than dogs like Internet Explorer. I use good security technology: my hard-drive and backup are encrypted, I surf through Ipredator (a great and secure anonymizer based in Sweden), and I use GRC’s password generator to create new, strong passwords for every site I visit (I keep these passwords in a text file that is separately encrypted).

And I’m media-literate: I have a good nose for scams and linkbait, I know that no one’s planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces.

I know that phishing – using clever fakes to trick the unsuspecting into revealing their passwords – is a real problem, with real victims. But I just assumed that phishing was someone else’s problem.

Or so I thought, until I got phished last week.

Doctorow goes on to describe how a perfect storm of circumstances led to him logging in to a fake Twitter page. His story is an excellent reminder that no one, even those educated in security best practices, is immune to every possible threat. All of us can overlook basic recommendations at times, get distracted as we try to get tasks done, or even encounter a targeted attack that’s convincingly crafted. The tale is also a reminder that the extra time spent understanding threats, double-checking protections, and closely examining resources really can go a long way in keeping data safe.

Good security solutions have to take into account both prevention and response. It’s important for your business to prepare for threats, just as Doctorow knew the common steps for avoiding phishing. Yet it’s also important to be ready and nimble in case that one attack succeeds. Dealing with compromised systems is never enjoyable, but it’s far worse to be caught off guard and without a plan for such emergencies.

Protect Your Users by Learning from Quip

Earlier this week, news reports surfaced of a security hole in a popular mobile application for sharing photos. The program, called Quip, let iPhone users send picture messages to any phone without using the carriers’ MMS service, which often carries an extra monthly fee. Quip sent a text message or push notification containing a link to a web page where the recipient could view the picture. According to Quip’s developers, users have sent over 3 million photos through the service.

But those 3 million photos did not reach only their intended viewers. The application uploaded pictures to a public web server with no encryption or authentication, and even worse, the file addresses followed a simple, predictable pattern, so anyone could enumerate them. Once someone posted this on a popular link-sharing site, Internet users began posting links to images that ranged from racy to disturbing. Intrepid voyeurs even identified people in the photos and found their accounts on various social networking sites.

Addy Mobile, the company behind Quip, reportedly shut down their servers and turned off access to the servers hosting images, but not before many of the pictures were downloaded and re-posted on other web sites. The founder of Addy Mobile issued an apology and promised to keep the service offline until they built better protection for uploaded files. He noted that the company had only three employees but said they would work quickly.

The unfortunate Quip incident provides a real-life illustration of many security lessons, but one in particular stands out: developers need to think about the security aspects of their projects from the beginning. Online resources make it very easy for anyone to learn programming, but that same ease of access can lead to a three-person product handling three million files. While mistakes happen and foolproof security can be difficult, if not impossible, to achieve, building basic precautions into Quip’s system (unguessable addresses for uploaded files, a check that the requester is entitled to a photo, and HTTPS for the link itself) could have avoided embarrassment and difficulty for many end users. Security is not simply a feature or add-on; in today’s connected world especially, it is an essential part of product development.
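To make the “predictable pattern” point concrete, here is an added example (written for this page; it is not Quip’s code and nothing about their actual design is known beyond the reports above). It contrasts a counter-based address, which anyone can walk, with a 128-bit random token that also expires, plus the server-side lookup that goes with it. Class names, the one-week lifetime and the example.invalid host are this example’s own assumptions; it needs Java 8 for java.util.Base64.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Guessable vs. unguessable links to uploaded photos, with the matching server-side check. */
public final class PhotoLinks {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 7L * 24 * 60 * 60 * 1000; // assumed: a link lives one week

    /** What goes wrong: a counter. Knowing one link lets anyone walk all of them. */
    private static long nextId = 1000;
    static String guessableUrl() {
        return "https://example.invalid/p/" + (nextId++) + ".jpg";
    }

    /** 128 random bits as 22 URL-safe Base64 characters: 2^128 possibilities, nothing to enumerate. */
    static String newToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Server-side record for an uploaded photo; the token is the only way to reach it.
    static final class Photo {
        final byte[] bytes;
        final long expiresAt;
        Photo(byte[] bytes, long expiresAt) { this.bytes = bytes; this.expiresAt = expiresAt; }
    }
    private final Map<String, Photo> store = new HashMap<>();

    /** Upload: file the photo under a fresh token and return the link for the SMS or push message. */
    String upload(byte[] imageBytes, long now) {
        String token = newToken();
        store.put(token, new Photo(imageBytes, now + TTL_MILLIS));
        return "https://example.invalid/p/" + token; // the token is a bearer credential: HTTPS only
    }

    /** Fetch: unknown or expired token yields null, which the web layer turns into a 404. */
    byte[] fetch(String token, long now) {
        Photo p = store.get(token);
        if (p == null) return null;
        if (now > p.expiresAt) { store.remove(token); return null; }
        return p.bytes;
    }

    public static void main(String[] args) {
        PhotoLinks server = new PhotoLinks();
        long now = System.currentTimeMillis();
        String link = server.upload(new byte[] {1, 2, 3}, now); // constructed stand-in for an image
        String token = link.substring(link.lastIndexOf('/') + 1);

        System.out.println("guessable:   " + guessableUrl() + " then " + guessableUrl());
        System.out.println("unguessable: " + link);
        System.out.println("real token served:    " + (server.fetch(token, now) != null));              // true
        System.out.println("guessed token served: " + (server.fetch("AAAAAAAAAAAAAAAAAAAAAA", now) != null)); // false
        System.out.println("after expiry served:  " + (server.fetch(token, now + TTL_MILLIS + 1) != null)); // false
    }
}
```

The token does the job of authentication here, which is why it comes from SecureRandom rather than a hash of the sequence number or a timestamp, why it must only ever travel over HTTPS, and why it expires: a leaked link then has a bounded lifetime instead of living as long as the file does.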

New Security Horizons with Geolocation

Last weekend, people from all corners of the technology world converged on Austin, Texas for the 2010 South By Southwest Interactive (SXSWi) conference. Much of the coverage has echoed the focus of an old real estate mantra: location, location, location. In a rivalry dubbed the “geolocation wars,” mobile start-ups Foursquare and Gowalla competed for attention as attendees used GPS-enabled phones to record electronic check-ins at various conference events. And while these two players often come up in reports on location-aware social networking, Twitter has begun letting users record where they tweet (giving new meaning to the word “follow”), and sources indicate Facebook will be rolling out a similar feature soon.

Across the Web, sites are adding features that will quite literally put them on the map. And while letting the online world know where you are offline can certainly offer benefits, the sudden overlap raises fresh privacy concerns. One tongue-in-cheek response, aptly named “Please Rob Me,” drew attention to Foursquare users who publicly broadcast when they were not at home. From a security perspective, problems have been observed on several platforms. An early flaw in Google Buzz risked exposing private location data. One researcher noted that Gowalla’s API can apparently override privacy settings, then demonstrated location spoofing. Foursquare does not verify location, making fake check-ins trivial. Foursquare also uses HTTP Basic authentication, which merely Base64-encodes the username and password in every request; unless the connection is protected by TLS, anyone on the same open Wi-Fi network can read the credentials straight off the wire.

Of course, trailblazing applications are not the only ways people can share their location. Facebook users often leave a trail of event RSVPs that show past places visited. But even on the real-time Web, data can leak accidentally. A study of posts on Twitpic, a Twitter-based photo-sharing service, found that some pictures’ EXIF data included GPS information. In one case, an iPhone snapshot even included compass and accelerometer metrics.

All of these ways to track users, particularly when combined with other content, can create real risks for companies seeking to shield sensitive transactions or avoid corporate espionage. Similarly, those using company-owned devices with GPS capabilities ought to be aware of how such functions are used. With the online world increasingly intersecting the real world through geolocation services, it’s time to figure out what place they have in a secure business environment.