Good File Transfer Protocol software can be hard to come by. Luckily there are some very good programs out there for those of us who like to throw data around using FTP. This is where WinSCP comes in: it handles all of your FTP needs perfectly, offering secure copy, secure FTP, and regular plain vanilla FTP (not recommended). With secure FTP, your sessions are encrypted, offering protection from packet sniffers and whatnot. WinSCP supports multiple sessions, saved configurations, handles the SSH host keys just fine, and integrates with the desktop so you can just drag and drop stuff in there all day.
And it’s free. It’s one of those programs that’s just solid all around.
Obligatory screen shot:
Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!
If you followed or attended the recent Blackhat conference you may have heard a talk given by Peter Kleissner regarding his recent work on “Stoned Bootkit.” A bootkit is a boot virus that hooks and patches Windows so that it gets loaded into the Windows kernel, thereby gaining unrestricted access to the entire computer. It is even able to bypass full volume encryption because the master boot record (where Stoned is stored) is not encrypted: the master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one’s secure!
Peter even demonstrates getting past TrueCrypt’s full disk encryption.
Electronic health records (EHRs) are touted as making healthcare more affordable and efficient. They also assist care providers – your doctor – in making fewer mistakes, such as prescribing a drug that reacts with other drugs you are taking but he doesn’t know about. The 2009 economic stimulus package aims at encouraging physicians to adopt EHRs, eventually reducing the Medicare payments to those who do not adopt EHRs.
What are Electronic Health Records, why are they useful, and more relevant here, what are the security implications of using them?
It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.
We wrote a short whitepaper covering a brief security overview of cloud computing, and this is one of the topics we have been concerned about. I’m currently en route to perform an on-site assessment of a service provider for a customer of ours. This type of assessment provides my customer a great deal of confidence that they can trust their business partner. If the provider of cloud services either won’t let you (or your auditor) visit their data centers, or can’t tell you which one to visit (because your data is unpredictably stored in many different locations), then it is impossible to get the same level of confidence that your data is being stored and protected.
Cloud computing isn’t for everything. It’s not going to be a good fit when you need compliance with PCI or similar standards, or your security policies require on-site assessments. Kudos to Amazon for admitting that.
Questions about the trustworthiness of electronic voting machines have been in the news a lot over the last few years. Plenty of people acknowledge the potential for abuse of these machines, and discussions of how they can be used to swing elections are pretty common. A trait these discussions share is that they rely on hypothetical scenarios or instances where an attacker would need to have some kind of esoteric/insider knowledge about the hardware and/or software running the machine to mount an effective attack.
However, I recently came across a video detailing a real attack against a real voting machine, carried out by real engineers, using real tools and data, and showing very real results.
The Sequoia AVC Advantage, a pretty old piece of electronic voting equipment, was broken pretty badly by hardware reverse engineering and return-oriented programming. The following video shows how it was done by a team of computer scientists and engineers from the University of California, San Diego, the University of Michigan, and Princeton University:
What’s really interesting is the ease with which they were able to get a voting machine to play with in the first place. They didn’t steal one or bribe a government worker. Instead, they bought 5 of them… online… from a government surplus auction for less than $20 a pop. Craziness… especially considering some states still use these same machine models. A few months later and these guys have a well-structured attack that can swing the vote any way they want.
This just goes to show how thin the line is between hypothetical voting machine attacks carried out by insiders with special knowledge and real voting machine attacks carried out by smart people with a couple of dollars and some spare time on their hands.
In past blog posts, we’ve talked about how important it is to be aware of the encryption being used when communicating with your bank’s website or other sites where private information may be exposed. We’ve seen how web browsers try to help keep you on your toes, and we’ve encountered malicious programs that fool you into thinking your connection is secure when it’s not.
SSLPasswdWarning is a Firefox add-on designed specifically to avoid being tricked by something like sslstrip. If you click on or give focus to a password box, the add-on will examine the web page’s source to make sure that the password will be submitted using a secure connection. A warning box is shown, and the submission is halted if that is not the case. For instances when the site remembers your password and fills in the field for you, SSLPasswdWarning will also examine forms at the moment they are submitted.
Even if you feel like you cannot possibly be affected by programs like sslstrip, this add-on can make things more convenient for you. Sometimes, a website might present a login page that is not encrypted and only encrypt the password submission. Now, if you install this add-on, you can feel more comfortable about the security of your password without having to examine the page’s source code each time.
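The check described above, written out as an added example (this is not SSLPasswdWarning’s own code, and the function names are assumptions): resolve the form’s action against the page URL and refuse the submission when the password would travel over plain HTTP, including the empty-action and relative-action cases a simple string comparison would miss.

```javascript
// Added example, not the add-on's source. Function names are assumptions.

// Resolve a form's action against the page URL and report whether a password
// in that form would travel over HTTPS. An empty or missing action submits to
// the page itself, so the page's own scheme decides; a relative action
// (e.g. "/auth" or "//host/auth") inherits the page's scheme.
function passwordSubmitsSecurely(pageUrl, formAction) {
  const target = new URL(formAction || "", pageUrl);
  return target.protocol === "https:";
}

// Walk every form on a page, keep the ones that contain a password field, and
// return the actions that would submit over plain HTTP. `doc` is anything with
// querySelectorAll (a real DOM document in the browser, a stub in tests).
function findInsecurePasswordForms(doc, pageUrl) {
  const insecure = [];
  for (const form of doc.querySelectorAll("form")) {
    if (!form.querySelector('input[type="password"]')) continue;
    const action = form.getAttribute("action");
    if (!passwordSubmitsSecurely(pageUrl, action)) {
      insecure.push(action === null ? "" : action);
    }
  }
  return insecure;
}

// Browser hook: warn and block the submission at the moment it happens, which
// also covers browser-autofilled passwords. Guarded so the file loads outside
// a browser (for example under a test runner).
if (typeof document !== "undefined") {
  document.addEventListener("submit", (event) => {
    const form = event.target;
    if (!form.querySelector || !form.querySelector('input[type="password"]')) return;
    if (!passwordSubmitsSecurely(document.location.href, form.getAttribute("action"))) {
      event.preventDefault();
      alert("Warning: this password would be sent over an unencrypted connection.");
    }
  }, true);
}
```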
The Windows utility Sandboxie runs applications in an isolated environment on your computer so you can protect yourself from malware, surf the web, and maintain your registry without affecting your host system. You can run a number of applications including Firefox and Outlook to protect your privacy and keep viruses and other potentially harmful changes from messing up your Windows machine.
Sandboxie is a good alternative to setting up a virtual machine, especially if you just want to run a quick test or two without having to wait for an entire operating system to boot up.
Last week saw two of the premier events in the security world: BlackHat and Defcon. Every year, we patiently wait with bated breath as new exploits are announced (and usually patched). I’ve been once, but until Caesar’s Palace (and the Las Vegas airport) bans smoking everywhere, I won’t be returning – so I watch from the sidelines and enjoy the smoke-free air of home.