Enabling Secure Business Operations

Laptop Losses By The Numbers

A recent study on lost laptops by Dell and the Ponemon Institute shows how important data protection and encryption are, especially for portable devices. Here are some of the findings.

  • 12,000 laptops are lost in US airports each week.
  • 65-70% are never reclaimed.
  • 53% carried sensitive corporate information.

Guess how many of those machines were protected with encryption.

You can read the entire report [pdf] and find out on page 7.


The Demise of Clear

Overnight, the Clear Registered Traveler Program ceased operation.  I do travel by air 5-10 times per year, and had considered the program to speed my visits through airports.  There were three main reasons why I didn’t, and I wonder if they are reasons why they have had to cease operation.

  1. There weren’t Clear lanes at every airport I travel to; the only way this system could be cost effective for me would be if it worked everywhere.
  2. As mentioned at the Consumerist, the Clear lanes just provide shorter lines; you still were subject to all the security checkpoint hassles.
  3. My home airport, Dulles International, opened the Black Diamond lanes: basically the same as Clear without the fee.

In addition to the $199/year charge, enrolling in Clear required presentation of two IDs, your social security number, and the capture of your fingerprints and retinal scan. Clear lost (and found) a laptop last year, and although their privacy policy (pdf) indicates that all personal information is always stored and transmitted encrypted, it doesn’t indicate what algorithm is used or how key management is performed. (Remember, ROT13 is an encryption algorithm…)  Biometrics are the only identification factor that you can’t have revoked and reissued, so giving mine up to both a private company and the Transportation Security Administration to save perhaps 15 minutes didn’t seem like a good idea.

The privacy policy also indicates that personal information is removed from their system automatically after 90 days if you are no longer a Clear member. It is not yet clear if the cessation of operation that occurred overnight will trigger this data removal event. It is also not clear if the TSA ever gives up your data which Clear shares.  All told, if I had been a Clear member, I would seriously examine tools for detecting and preventing identity theft for a while.


285 Million Compromised Records

Verizon Business has released their 2009 Data Breach Investigations Report [pdf] and an accompanying blog post.

2008 was a crazy year in the world of data breaches… The percentage of breaches in our caseload involving financial service organizations, targeted attacks, and customized malware all doubled in 2008. It’s sure to win me the “Captain Obvious Award” from the Securitymetrics list, but organized crime activity increased and was responsible for over 90% of the 285 million records compromised.

The report is sure to be a good read. We linked last year’s report, and this year’s report has some improvements: it is based on more data, collected more often, and goes into a lot more detail than the previous report. 285 million is a lot of compromised records. Wonder if mine was one of them.


The Web’s Design Flaw

Pop quiz! Be honest as you answer these questions:

1. When you go to your bank’s website, what do you type in the address bar?

a. bankname.com
b. http://bankname.com
c. https://bankname.com

2. When you receive an SSL error or warning, what do you do?

a. Ignore it.
b. Jump through hoops to continue on to the next page.
c. Carefully consider the error and make an informed decision about whether you want to continue.

3. When you type a password into a web page, do you always look for the lock icon in your browser and view the source of the page to ensure the submit goes to an https:// address?

a. No.
b. Sometimes, just on my banking website.
c. Always. Every time. Guaranteed.

Well, if you answered anything other than C for the above questions, let me introduce you to your worst nightmare: sslstrip. The author of this program realized that most people don’t type in the https prefix and don’t look closely for padlock icons; people don’t care about security, they just expect it to work. Most of the time, the way you get to SSL pages is by clicking on links or by being redirected with an HTTP 302 status.

sslstrip takes advantage of this, and transparently hijacks HTTP traffic, replacing all HTTPS links and redirects with look-alikes.  It even can supply a favicon which looks like a browser’s lock icon.

It’s pretty evil, actually. Of course, it requires that the attacker running sslstrip has already compromised your network, through ARP spoofing, DNS poisoning, or otherwise having your traffic routed to the attacker. Good luck noticing if it’s being used against you. The author used it on a TOR node — note that TOR is generally used by people who are paranoid about their privacy and security — and collected 254 passwords over a 24-hour period.

What’s the fix? As far as I’m concerned, there isn’t one. It’s a design flaw with the way most “secure” websites work today. Do you have ideas on how to prevent this attack? Let us know in the comments.
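Question 3 above asks whether you check the page source to see where a password form actually submits. The Python script below, added here as an example rather than taken from the original post or from sslstrip, automates that check: it parses the HTML, resolves each form’s action against the page’s own URL (a relative action inherits the page’s scheme, which is why a page downgraded to http:// silently takes its login forms with it), and reports any password form that was delivered over, or submits over, plain HTTP. The host bankname.example and the sample markup are constructed for the walk-through.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PasswordFormCollector(HTMLParser):
    """Collects the resolved action URL of every form that contains a password field."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.password_forms = []      # resolved action URLs of forms with a password input
        self._current_action = None   # action of the form being parsed, if any
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # a relative or empty action inherits the scheme of the page itself
            self._current_action = urljoin(self.page_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._current_action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current_action is not None:
            if self._has_password:
                self.password_forms.append(self._current_action)
            self._current_action = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return findings for a page; an empty list means every password form is https-only."""
    collector = PasswordFormCollector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    page_scheme = urlparse(page_url).scheme
    if collector.password_forms and page_scheme != "https":
        findings.append(f"page with a password field was delivered over {page_scheme}: {page_url}")
    for action in collector.password_forms:
        if urlparse(action).scheme != "https":
            findings.append(f"password form submits to a non-https address: {action}")
    return findings


# constructed sample markup; bankname.example is a placeholder host, not a real site
LOGIN_HTML = """<html><body>
<form action="/session" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit" value="Log in">
</form></body></html>"""

MIXED_HTML = """<html><body>
<form action="http://bankname.example/session" method="post">
  <input name="user"><input type="password" name="pw">
</form></body></html>"""


def run_checks() -> dict:
    """Same login markup served over https and over http, plus an https page with an http action."""
    return {
        "https_page": audit_login_page("https://bankname.example/login", LOGIN_HTML),
        "http_page": audit_login_page("http://bankname.example/login", LOGIN_HTML),
        "mixed_page": audit_login_page("https://bankname.example/login", MIXED_HTML),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "->", findings or ["ok"])
```

The same markup passes over https and produces two findings over http, which is the point of the quiz: the check only sees the source your browser received, and a downgrade in transit rewrites exactly that source, so it is only meaningful if you insisted on https:// for the page itself (question 1).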


Sniffing Networks – Part 1 – 802.3 and MAC addresses

First, what is network sniffing? It’s listening to the bits on the wire (or in the air) that are sent between computer systems. Really, it’s all 1s and 0s that are sent in a particular format. That particular format is usually “Ethernet” or 802.3, but can also be 802.11 (wireless) or single/multi-mode fiber. There are ways of sniffing by “vampiring” the physical wires, but we’re going to start a step above that and assume you have a computer that can already connect to the network somehow.

A basic introduction to how 802.3 works would be useful, so here we go. Because of the way Ethernet works, the machines on the network have to take turns transmitting or their transmissions will interfere with each other. There’s one signal that is sent out first to see if the wire is clear. If it is, then that machine starts sending its data. If not, an exponential back off timer starts, and the machine asks again once that timer goes off. As long as the wire is shared, every single machine on that wire can hear what every other machine is sending. You now see how easy it is to listen in on other conversations :) Hubs and repeaters are considered part of the same physical wire. All they do is boost the signal and rebroadcast to all their other ports. Switches are one step above that and place a physical barrier between network segments. They don’t indiscriminately rebroadcast to all of their ports. They just re-broadcast to the one port that has the destination machine. How do they do that, as in how do they know what port to broadcast on? That’s where MAC addresses come in – Media Access Control. These addresses are (supposed to be) unique for every single network connected system manufactured. In practice – not so much, although it’s generally “good enough” – except when you ship an entire box full of Ethernet cards to a university, and they all have the exact same MAC address…

The MAC address is sent with every single packet that is sent on the wire. The switch remembers which ports have what MAC address (and so do a lot of machines). This is stored in a table on the switch – with a limited amount of memory. If the switch gets overloaded, it will tend to revert to hub operation – rebroadcasting to all ports. One packet at least will be broadcast to all ports until the switch knows what port a specific MAC address is on. In normal operation (i.e., not *trying* to break the switch) and with a properly planned network, the switch has enough memory to maintain the table for the number of ports it has (and the bandwidth it’s expected to provide). However, what if there is a hub connected to the switch? That means X more MAC addresses the switch has to remember above and beyond the number of ports that it has. There used to be a rule of thumb – never have more than 3 hubs/switches connected together. This was part of the reason. You’d see degraded network performance because the MAC table couldn’t keep up (it also had to do with the physical limitation on Ethernet cable lengths).

So, you now have a switch, and if you don’t happen to be on the port that the packets are being sent to, you can’t “hear” their communication. But, if you “break” the switch and make it revert to broadcasting to everyone, you can “hear” the traffic. Another way to “break” the switch is to keep telling the switch that you are the destination’s MAC address, and the switch will start rerouting everything to you instead. If you want to sniff something useful, you’d better be prepared to keep routing the traffic to the “real” machine (and not through the switch you just “broke”), or you won’t get very far.
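As an added illustration, not code from the original post, here is a small Python model of the learning switch described above: it parses the 14-byte Ethernet header of each frame, keeps a bounded MAC-to-port table learned from source addresses, floods a frame to every other port when the destination is unknown or the table has overflowed (the hub-like behaviour the post mentions), and records whenever a MAC address shows up on a different port than before, which is the trace a network defender watches for. The MAC addresses, port numbers, the table size of 4 and the oldest-entry eviction policy are all constructed assumptions; real switches size and age their tables differently.

```python
import struct
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Construct a raw Ethernet II frame: 6-byte dst, 6-byte src, 2-byte type, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from the 14-byte header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_to_str(dst), mac_to_str(src), ethertype


class LearningSwitch:
    """Models the MAC table the post describes: bounded, learned from source addresses."""

    def __init__(self, table_size: int):
        self.table_size = table_size
        self.table = OrderedDict()   # mac -> port, oldest entry first
        self.alerts = []             # MAC addresses seen moving between ports
        self.flood_count = 0         # frames sent out of every port (hub-like behaviour)

    def learn(self, mac: str, port: int) -> None:
        known_port = self.table.get(mac)
        if known_port is not None and known_port != port:
            # the same address now claims a different port: the trace a spoofing host leaves
            self.alerts.append(f"{mac} moved from port {known_port} to port {port}")
        if known_port is None and len(self.table) >= self.table_size:
            # table full: drop the oldest entry (assumed policy; vendors differ)
            self.table.popitem(last=False)
        self.table[mac] = port
        self.table.move_to_end(mac)

    def forward(self, frame: bytes, in_port: int, ports: list) -> list:
        """Return the list of ports the frame is sent out of."""
        dst, src, _ = parse_frame(frame)
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.table:
            self.table.move_to_end(dst)
            return [self.table[dst]]
        # unknown or broadcast destination: rebroadcast to all other ports, like a hub
        self.flood_count += 1
        return [p for p in ports if p != in_port]


# constructed hosts and ports for the walk-through
HOST_A = "00:11:22:33:44:01"
HOST_B = "00:11:22:33:44:02"
PORTS = [1, 2, 3]


def run_demo() -> dict:
    sw = LearningSwitch(table_size=4)
    out = {}
    out["first"] = sw.forward(build_frame(HOST_B, HOST_A), 1, PORTS)        # B unknown: flood
    out["reply"] = sw.forward(build_frame(HOST_A, HOST_B), 2, PORTS)        # A learned on port 1
    out["known"] = sw.forward(build_frame(HOST_B, HOST_A), 1, PORTS)        # B learned on port 2
    # a host on port 3 sends a frame carrying B's source address
    sw.forward(build_frame(HOST_A, HOST_B), 3, PORTS)
    out["after_spoof"] = sw.forward(build_frame(HOST_B, HOST_A), 1, PORTS)  # now goes to port 3
    out["alerts"] = list(sw.alerts)
    # more source addresses than the table holds: A and B get aged out
    for i in range(4):
        sw.forward(build_frame(BROADCAST, f"de:ad:be:ef:00:{i:02x}"), 3, PORTS)
    out["after_overflow"] = sw.forward(build_frame(HOST_B, HOST_A), 1, PORTS)  # flooded again
    out["floods"] = sw.flood_count
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things in the output are worth noticing from the defender’s side: the single alert line is the signal a managed switch or a monitoring tool can raise when an address changes ports, and the final flood shows that once the table is exhausted the switch silently degrades to hub behaviour, so an unexpected rise in flooded unicast frames is itself something to alarm on.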

Most of this applies to wireless networks as well, although they use a slightly different method of telling other systems that they want to transmit.

For anyone who wants to delve more in-depth on how Ethernet works, the Ethernet Wikipedia page has a good discussion, and any good college textbook on networking will discuss Ethernet and several other technologies as well.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!


XKCD Humor

XKCD #538, Security

It’s worth a discussion. Is Randall Munroe, writer of xkcd.com correct? Is there an unreasonable investment in cryptography and information security?

My take: Since the ‘drug him and hit him with a wrench’ approach probably violates several very enforceable laws, the attacker is taking a pretty big risk going down that path. Whereas if the attacker was just trying to expose flaws or use massively parallel processing to crack a key, that may violate some laws on paper (ahem) which are harder to enforce–and an attacker would be pretty dumb to let slip that they were up to something like that. What are your thoughts?


4 Quick Ways To Enhance The Security Of Your Office

Making and breaking security depends on good planning, which takes time that most people won’t devote. There are, however, 4 quick ways to enhance the security of any office: home, small, or Fortune 500.

  • Lock your screen every time you get up - Set your computer to automatically initiate a password-enabled screensaver when your machine is inactive for 10 minutes. Got to tinkle? Lock your screen first (Vista/XP users: hold the Windows key and press L).
  • Buy a good shredder – A shredder that can destroy mail in its envelopes, CDs, and DVDs is an effective way to keep your confidential information safe.
  • Invest in an alarm system and door lock - You’d be surprised at how many small companies don’t lock their front doors or have basic alarm systems on their windows. Keeping doors locked, even when the office is occupied will stop most opportunistic thieves.
  • Enable Automatic Updates on your operating systems and applications - Or at least update notification so you can test patches before they are released into production. Don’t rely on an administrator to check for updates from time to time.

Successful security doesn’t require every component to be complex, and this list could have much more added to it. I’d also recommend you take a page out of the crime book and train your users to think like the mafia.

What do you think is missing from this list?


Trends in Computer Security

IBM’s X-Force R&D has sent out a report (pdf: http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf) detailing computer security statistics collected over the first six months of 2008.

Among the results of this report, we find the following (compared to last year’s figures):

  • Decreased time between disclosure and public exploit
  • Further shift from OS and multimedia exploits to web browser exploits
  • Further shift from browser core to browser plugins

What this tells us is that attackers are keeping a steady eye on the disclosure process itself, quickly turning the disclosed details into proof-of-concept code. It also shows that attackers are recognizing and taking advantage of the browser as an attack vector, a trend that has been steadily increasing over the past few years.

Another interesting trend that caught my eye was the most commonly used web browser plugin exploits: most attacks exploited vulnerabilities that were between 1 and 2 years old. On one hand, I would say that an improvement has been made: no longer are people getting exploited by 4 or 5 year old bugs. But at the same time, we have a long way to go before people consistently address the security issues of software that is regularly exposed to the dangers of web browsing.

The rest of the report (pdf: http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf) is a very solid read: they cover everything from spam to phishing, and even the relatively fresh vulnerability frontier of virtualization.


Lost Laptop Propaganda

Another lost laptop story, this time from the UK. The details of the theft aren’t too unique – laptops with sensitive patient data were stolen from a hospital and a doctor’s house, and while the files were supposed to be encrypted, they weren’t. This story, much like every other data leak story, brings up the same arguments for why it isn’t a big deal:

  • “The data, which also cannot be accessed without passwords, contained patients’ names, postcodes, hospital numbers and dates of birth.” (Emphasis added)
    Passwords are a ridiculously weak form of security, and, if the files aren’t encrypted, the statement that access is impossible without a password is most likely just flat-out wrong.
  • “However they insisted there was no reason to believe the computers had been targeted for the information they contained, merely for their monetary value.”
    Targeted or otherwise, the data is now freely accessible to the thief. There’s equally no reason to believe that this will not be exploited. While historically, thieves are just in it for the quick score, that’s not really a guarantee.
  • “However he insisted that only someone with ‘specialist computer knowledge’ would be able to crack the passwords and access it.”
    It’s not too hard to find people who know their way around a computer. And, thanks to the internet, specialist-type information is ridiculously easy to find.
  • “We believe the data will almost certainly be wiped by the thief so he can get a quick sale.”
    Without any evidence that this is the case, you can believe whatever you want. I’m sure that’s really comforting to the people whose data is at risk.
  • “The hospital has stressed that the data was only a copy of information stored centrally, so no details of appointments or treatment have been irreparably lost.”
    Well, thank goodness the people responsible for the data didn’t get hurt.

Every story about a data leak, regardless of the source (hospital, bank, etc), always seems to contain the same PR spin. “Well, the files are password protected anyway, and the person who stole them probably isn’t even going to notice, and it doesn’t matter because they probably just want to wipe the hard drive and sell the machine anyway, so, no hard feelings, okay? We’re sorry we weren’t adhering to the applicable laws and data protection standards, but this probably isn’t a big deal anyway.”

I understand the desire to try to mitigate the problem and reassure customers that things will “be alright”. But, these arguments are at best wishful thinking and at worst outright lying. If someone’s data could have been compromised, they need to understand the steps they need to take to protect themselves, not be reassured that it’s probably not a big deal.


A Window that Can’t Be Closed

In a recent case in Arkansas, a registered nurse has pleaded guilty to violating HIPAA rules by disclosing confidential patient information for personal gain. No one should be surprised that things like this happen.

Every industry has laws, regulations and penalties set up for the purpose of consumer (and business) protection. In the health care industry, there is and has been an enormous amount of money spent to bring processes and systems into compliance with regulations like HIPAA to try to protect patient confidentiality. You can lock down electronic systems as much as you want, but nothing can ever be truly secured, because of one simple fact – these systems are owned and operated by people.

A “weakest link” analogy that’s popular in the security industry is the concept of putting deadbolts, latches, chains, and bars on a door while leaving the window next to it open. This is usually used to make a case to bring an insecure area up to par, or to discourage spending a lot of money on one aspect of a system when there’s another module in dire need of attention. Social engineering attacks, like the one in the article, are the “unclosable window” in the proverbial computer security house.

Now, this isn’t an argument against trying to secure electronic systems as much as reasonable or possible, or that laws and regulations are a waste of time. Keeping out as many attackers as possible from as many angles as possible is a “good thing”. Social engineering is just one of those things that makes a security professional occasionally throw their hands up in the air and wonder why they’re trying at all. It’s an insidious type of attack that no one can ever plan for, and, despite all efforts to the contrary, will never, ever go away. Unfortunately, despite the lofty goals that legislation like HIPAA aspires to accomplish, nobody’s data will ever be truly safe.
