<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Tom Olzak on Security</title>
	<atom:link href="http://olzak.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://olzak.wordpress.com</link>
	<description>Opinion and research about all facets of information security</description>
	<lastBuildDate>Wed, 04 Nov 2009 16:54:30 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<cloud domain='olzak.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://www.gravatar.com/blavatar/2dd386e12bdbc782c90f392e90085782?s=96&#038;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>Tom Olzak on Security</title>
		<link>http://olzak.wordpress.com</link>
	</image>
			<item>
		<title>Building a Better Mousetrap: Two Factor Passphrases</title>
		<link>http://olzak.wordpress.com/2009/11/04/twofactorpassphrases/</link>
		<comments>http://olzak.wordpress.com/2009/11/04/twofactorpassphrases/#comments</comments>
		<pubDate>Wed, 04 Nov 2009 16:42:03 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Multi-Factor Authentication]]></category>
		<category><![CDATA[Password Management]]></category>
		<category><![CDATA[account policy]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[passphrase]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Truecrypt]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=504</guid>
		<description><![CDATA[The password debate never ends.  Instead, it seems to be increasing in intensity.  The problem is the use of passwords isn’t going away anytime soon.  The cost of replacing passwords with a more secure access control method is typically too high, making it impossible to sell related projects to management.  Even the use of strong [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>The password debate never ends.  Instead, it seems to be increasing in intensity.  The problem is the use of passwords isn’t going away anytime soon.  The cost of replacing passwords with a more secure access control method is typically too high, making it impossible to sell related projects to management.  Even the use of strong passwords is often regarded as either less secure—because users inevitably write them down—or a hindrance to productivity.  However, there may be a middle ground which can help bridge the timeline between password use and multi-factor authentication.</p>
<h3>Background</h3>
<p>Before jumping into the how-to part of this article, I want to look at how security professionals view password risk and related management.  A recent post in the SANS Internet Storm Center Diary, along with reader posts, sums this up pretty well.</p>
<blockquote><p><em>There are four basic ways for a bad guy to get your password:<br />
(a) Ask for it. So-called &#8220;Phishing&#8221; and &#8220;Social Engineering&#8221; attacks still work, and always will<br />
(b) Try dictionary words at the login prompt in the hope to get lucky (&#8220;Brute Force&#8221;)<br />
(c) Obtain the encryped/hashed</em> [sic]<em> password somehow, and crack it<br />
(d) Leech the password off your computer with keylogger malware</em></p>
<p><em>None of these four scenarios becomes less likely if you change your password every 90 days. If the bad guy can&#8217;t break the password hash (c) within a couple days, he&#8217;ll likely just look for an easier target. Attack (b) is also out for quick wins &#8211; either it works within the first couple dozen passwords tried, or the bad guy moves on to easier prey. If (b) or (c) are successful, or the attacker already has the password through (a) or (d), 45 days on average is more than enough to empty out your bank account or use your email address for a big spam run.</em></p>
<p><strong>Source:  </strong><a href="http://isc.sans.org/diary.html?storyid=7510"><strong><em>Password rules: Change them every 25 years</em></strong></a>, Daniel Wesemann, 2 November 2009</p></blockquote>
<p>For me, the two takeaways from this article are:</p>
<ul>
<li>There is more than one way to compromise and use a password access control, all of them tested and in widespread use</li>
<li>The common account policy of requiring a password change every 45, 60 or 90 days is not a good security control</li>
</ul>
<p>No, this doesn’t mean you should throw up your hands, assign the same simple password to all your accounts, and hope for the best.  If you can use a second authentication factor, if your organization or you can afford it for work or personal use, then implement it.  If not, I may have an alternate safeguard.</p>
<h3>Two Factor Passphrases</h3>
<p>First, this is not an original idea of mine.  I heard Steve Gibson discuss the concept on a Security Now podcast.  However, I’m taking it a bit further by extrapolating the concept into a complete solution.</p>
<p>I am not a proponent of strong passwords.  Users write them down or forget them, causing either security audit or productivity issues.  I also agree with Wesemann and his readers that changing a password frequently isn’t a good way of protecting personal or organizational assets.  So I combined the use of random passwords with a memorable passphrase to develop a process I believe solves most—not all—problems with passwords.</p>
<ol>
<li>Obtain a 13-character random password.  I used Steve Gibson’s <a href="http://grc.com/passwords" target="_blank">random password generator</a> for my example, and selected <strong>GSD6BtvzM4A0j</strong>.</li>
<li>Write down a phrase with 7 or more words.  I used, “Every Day I Look Better and Better.”  (I hope my wife doesn’t read this…)</li>
<li>Use the first character of each word in the phrase to arrive at an initial series of characters.  In my example, this works out to <strong>EDILBAB</strong>.</li>
<li>Change one or more of these characters to make the string a little harder to guess: <strong>3D1LB+B</strong>.</li>
<li>Enter the 13-character random password into a text file and memorize the 7-character string from Step 4.</li>
</ol>
<p>We now have two factors for authentication—something we have (<strong>GSD6BtvzM4A0j</strong>) and something we know (<strong>3D1LB+B</strong>).  Combining these two character strings into a number of different passwords is easy.</p>
<ol>
<li>Go to one of your password protected sites.  I used my bank.</li>
<li>Change your password to a new two factor passphrase:
<ol>
<li>Copy the 13 character string from your text file and paste it into the new password field.</li>
<li>Insert your memorized 7 characters into the 13-character string.  I decided to insert it in the second character position, coming up with <strong>G3D1LB+BSD6BtvzM4A0j</strong> as my 20-character, sort-of-random, password for this site.</li>
</ol>
</li>
<li>Record the site and the character position in your password text file.  I list three password insertion points in Figure 1.</li>
</ol>
<div class="wp-caption aligncenter" style="width: 464px"><a href="http://olzak.files.wordpress.com/2009/11/image.png"><img style="display:block;border:0;" title="image" src="http://olzak.files.wordpress.com/2009/11/image_thumb.png?w=454&#038;h=304" border="0" alt="image" width="454" height="304" /></a><p class="wp-caption-text">Figure 1</p></div>
<p>Note the Bank location is 3, not 1.  I inserted another layer in the process by adding 2 to the actual insertion points.  This probably isn’t necessary, but I’m more paranoid than most.</p>
<p>Each time I step through the new/change password process, I try to select a different insertion location.  Yes, I will quickly run out of insertion points.  However, I will still have 14 strong passwords instead of one. </p>
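The following is an added example, not code from the post, that carries the five derivation steps and the insertion table through in Python with the post's own values; the substitution table, the function names and the site entries other than the bank are my own assumptions.

```python
"""Two-factor passphrase scheme from the post, worked through in code.

Assumptions (added here, not from the original post): SUBSTITUTIONS is a
constructed table that reproduces the post's EDILBAB -> 3D1LB+B; the site
names other than "bank" and their recorded points are constructed samples.
"""

# Step 2: the memorable phrase ("something you know").
PHRASE = "Every Day I Look Better and Better"

# Step 4: constructed substitution table (E -> 3, I -> 1, A -> +).
SUBSTITUTIONS = str.maketrans({"E": "3", "I": "1", "A": "+"})

# Step 1: the 13 random characters kept in the text file ("something you have").
RANDOM_PART = "GSD6BtvzM4A0j"

# The post records each insertion point with 2 added to the real index.
OFFSET = 2


def initials(phrase: str) -> str:
    """Step 3: first character of each word, upper-cased, e.g. 'EDILBAB'."""
    return "".join(word[0].upper() for word in phrase.split())


def memorized_fragment(phrase: str) -> str:
    """Step 4: the initials with a few characters swapped, e.g. '3D1LB+B'."""
    return initials(phrase).translate(SUBSTITUTIONS)


def insertion_points(random_part: str) -> int:
    """Distinct positions the fragment can occupy: before the first character,
    between any two characters, or after the last one (14 for 13 characters)."""
    return len(random_part) + 1


def build_password(random_part: str, fragment: str,
                   recorded_point: int, offset: int = OFFSET) -> str:
    """Rebuild a site password from the point written in the password file.

    The real index is recorded_point - offset. Index i places the fragment
    after the first i characters, so index 1 is the post's "second character
    position" and the bank entry is recorded as 3.
    """
    index = recorded_point - offset
    if not 0 <= index <= len(random_part):
        raise ValueError(f"insertion index {index} outside 0..{len(random_part)}")
    return random_part[:index] + fragment + random_part[index:]


def password_table(random_part: str, fragment: str,
                   sites: dict, offset: int = OFFSET) -> dict:
    """Expand a {site: recorded_point} mapping (the text file) into passwords."""
    return {site: build_password(random_part, fragment, point, offset)
            for site, point in sites.items()}


if __name__ == "__main__":
    frag = memorized_fragment(PHRASE)
    # Constructed sample of the text file; "bank": 3 is the post's own entry.
    sites = {"bank": 3, "email": 2, "vpn": 15}
    print(f"{insertion_points(RANDOM_PART)} insertion points available")
    for site, pw in password_table(RANDOM_PART, frag, sites).items():
        print(f"{site:6} {pw}  ({len(pw)} characters)")
```

Only the 7 typed characters reach a keystroke logger; anything that can read the clipboard or the password field still sees the whole string, so the encrypted text file is the part to guard.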
<p>If every time I log in I copy and paste the 13 character string into the password field, most of the password is unreadable by typical keyloggers.  The only portion of the password a keylogger would see is the 7 memorized characters as I enter them.  Brute force attacks against those sites or networks without a maximum number of incorrect attempts set are very difficult when using passwords of this size.  In fact, the work factor required to crack my sample password should be high enough to deter anyone from getting to any data my computer or sites might have to offer.  This also solves the problem of strong passwords, since we are actually recording the hard-to-remember part of the password. </p>
<p>The final step is safely storing the text file with your password fragment and insertion points.  The easiest way I found of both protecting the file and having access to login information wherever I go is to use a <a href="http://www.brighthub.com/computing/smb-security/reviews/19831.aspx" target="_blank">TrueCrypt</a> protected USB memory stick.  I use a long passphrase which I never use for anything but accessing mobile TrueCrypt data stores.  An attacker would have to gain physical access to the device to crack the password.  Between losing my USB device and any successful cracking of the encryption (if ever), there would be plenty of time for me to change my passwords.</p>
<h3>The Final Word</h3>
<p>No, this isn’t for everyone.  The complexity of this process would bring a normal user to tears.  However, this approach, or your version of it, can help protect:</p>
<ul>
<li>Network administrator accounts</li>
<li>Accounts used to access highly sensitive information</li>
<li>Your own accounts</li>
</ul>
</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/11/04/twofactorpassphrases/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/11/image_thumb.png" medium="image">
			<media:title type="html">image</media:title>
		</media:content>
	</item>
		<item>
		<title>Protecting core productivity apps with EMET</title>
		<link>http://olzak.wordpress.com/2009/10/29/emet/</link>
		<comments>http://olzak.wordpress.com/2009/10/29/emet/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 16:02:49 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[adobe acrobat]]></category>
		<category><![CDATA[dynamic dep]]></category>
		<category><![CDATA[EMET]]></category>
		<category><![CDATA[heap]]></category>
		<category><![CDATA[heap spray]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[null page allocation]]></category>
		<category><![CDATA[process]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sehop]]></category>
		<category><![CDATA[Vista]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=497</guid>
		<description><![CDATA[This week Microsoft released a toolkit designed to help IT professionals protect systems from common threats.  Named the Enhanced Mitigation Evaluation Toolkit (EMET), this little gem is easy to implement, once you install the very small executables on your workstations.
Before I walk you through setting up Firefox, I want to take a minute to tell [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>This week Microsoft released a toolkit designed to help IT professionals protect systems from common threats.  Named the Enhanced Mitigation Evaluation Toolkit (EMET), this little gem is easy to implement, once you install the very small executables on your workstations.</p>
<p>Before I walk you through setting up Firefox, I want to take a minute to tell you why you should care about this.</p>
<h3>Why you should care</h3>
<p>In its initial release, EMET protects against exploitation of four common attack vectors.  Once an application is “configured,” the behavior an attacker needs for an effective compromise of the system is blocked.  The following information is from readme.rtf, included in the downloadable EMET .zip file:</p>
<ol>
<li>SEHOP – Structured exception handling (SEH) chain validation breaks SEH overwrite exploitation techniques.</li>
<li>Dynamic DEP – Certain portions of memory are marked as non-executable.  Using EMET, you can target specific applications instead of fighting with compatibility issues caused by setting DEP in the BIOS.</li>
<li>Null page allocation – Attackers are blocked from taking advantage of NULL dereferences in user mode.</li>
<li>Heap spray allocation – Heap spraying involves filling a process’ heap with specially crafted content to aid system exploitation.  EMET pre-allocates those memory addresses and blocks these attacks.</li>
</ol>
<p>Although Microsoft hasn’t tested all possible applications, it has successfully tested the following:</p>
<ol>
<li>iexplore.exe (IE) – although there are apparently some problems getting IE to behave all the time.</li>
<li>winword.exe (Word)</li>
<li>excel.exe</li>
<li>acrord32.exe (Acrobat Reader)</li>
<li>firefox.exe</li>
<li>outlook.exe</li>
<li>powerpnt.exe</li>
</ol>
<p>The developers of EMET warn it isn&#8217;t for everyone.  Since EMET turns off functionality some applications may need to work as expected, it should only be used by IT personnel willing and able to work through possible issues.</p>
<h3>Using EMET</h3>
<p>Using EMET starts with <a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;FamilyID=4a2346ac-b772-4d40-a750-9046542f343d" target="_blank">a quick download of a .zip file</a>.  Extract the files into a folder that is not generally accessible.  This helps prevent unwanted visitors to the target system from messing with them.</p>
<p>Once I extracted the files on my Windows 7 Ultimate desktop, I was in such a big hurry to start testing I forgot about my &#8220;new enhanced&#8221; security.  EMET is run from a command prompt and requires elevated privileges.  So my initial run was thwarted until I performed the following steps to bring up a command line window with the proper permissions:</p>
<ol>
<li>Click <em>Start</em></li>
<li>Type <em>Command Prompt</em> in the search field.</li>
<li>Right click on <em>Command Prompt</em> at the top of the programs list to bring up the window shown below.
<div class="wp-caption aligncenter" style="width: 414px"><a href="http://olzak.files.wordpress.com/2009/10/pcmdprompt.jpg"><img style="border:0 none;display:block;margin-left:auto;margin-right:auto;" title="PCmdPrompt" src="http://olzak.files.wordpress.com/2009/10/pcmdprompt_thumb.jpg?w=404&#038;h=254" border="0" alt="PCmdPrompt" width="404" height="254" /></a><p class="wp-caption-text">Figure 1</p></div></li>
<li>Click<em> Run as administrator</em></li>
</ol>
<p>I then followed the simple example in the readme document to protect Firefox, as shown in Figure 2.</p>
<div class="wp-caption aligncenter" style="width: 464px"><a href="http://olzak.files.wordpress.com/2009/10/commandline.jpg"><img style="border:0 none;display:block;" title="CommandLine" src="http://olzak.files.wordpress.com/2009/10/commandline_thumb.jpg?w=454&#038;h=248" border="0" alt="CommandLine" width="454" height="248" /></a><p class="wp-caption-text">Figure 2</p></div>
<p style="text-align:left;">Pressing Enter resulted in a successful run of EMET.  I confirmed this by listing all protected applications.  See Figure 3.</p>
<div class="wp-caption aligncenter" style="width: 464px"><a href="http://olzak.files.wordpress.com/2009/10/ffsuccess.jpg"><img style="border:0 none;display:block;" title="FFSuccess" src="http://olzak.files.wordpress.com/2009/10/ffsuccess_thumb.jpg?w=454&#038;h=109" border="0" alt="FFSuccess" width="454" height="109" /></a><p class="wp-caption-text">Figure 3</p></div>
<p>That’s all there is to it.  EMET works with</p>
<ul>
<li>32-bit Windows XP, Server 2003, Server 2008, Vista and Windows 7</li>
<li>64-bit Vista, Windows 7 and Windows 2008 R2</li>
</ul>
</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/10/29/emet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/10/pcmdprompt_thumb.jpg" medium="image">
			<media:title type="html">PCmdPrompt</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/10/commandline_thumb.jpg" medium="image">
			<media:title type="html">CommandLine</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/10/ffsuccess_thumb.jpg" medium="image">
			<media:title type="html">FFSuccess</media:title>
		</media:content>
	</item>
		<item>
		<title>Security Note: New method for detecting forgeries</title>
		<link>http://olzak.wordpress.com/2009/10/09/security-note-new-method-for-detecting-forgeries/</link>
		<comments>http://olzak.wordpress.com/2009/10/09/security-note-new-method-for-detecting-forgeries/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 13:53:53 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Forgery]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=489</guid>
		<description><![CDATA[A new visualization approach to detecting forgeries was presented this summer at EuroVis 2009.  Songhua Xu demonstrated how pen angle and pressure provides enough information to determine if a signature, for example, is a forgery.

In this image, the signatures at the top are genuine.  It is easy to see that what Songhua Xu calls the [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>A new visualization approach to detecting forgeries was presented this summer at EuroVis 2009.  Songhua Xu demonstrated how pen angle and pressure provide enough information to determine if a signature, for example, is a forgery.</p>
<p><a href="http://www.computerweekly.com/galleries/237802-6/Spot-the-forgery-Data-visualisation.htm" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="image" src="http://olzak.files.wordpress.com/2009/10/image1.png?w=404&#038;h=279" border="0" alt="image" width="404" height="279" /></a></p>
<p>In this image, the signatures at the top are genuine.  It is easy to see that what Songhua Xu calls the “lilly” is different and inconsistent in the forged examples at the bottom.  Supposedly, any forgery is easily detectable no matter how close it “looks” to a genuine one.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/10/09/security-note-new-method-for-detecting-forgeries/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/10/image1.png" medium="image">
			<media:title type="html">image</media:title>
		</media:content>
	</item>
		<item>
		<title>Interesting Find: Chrome exposes links</title>
		<link>http://olzak.wordpress.com/2009/10/06/chrome-view/</link>
		<comments>http://olzak.wordpress.com/2009/10/06/chrome-view/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 12:51:50 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Google Chrome]]></category>
		<category><![CDATA[Insider risk]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[chrome]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[link]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=486</guid>
		<description><![CDATA[Have you ever wanted to see where a link takes you or whether it actually downloads what you expect?  If so, you know there are add-ons for Firefox and other browsers that provide this functionality.  However, I just noticed this morning while working within my research SandBoxie sandbox that Google Chrome apparently provides this functionality [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Have you ever wanted to see where a link takes you or whether it actually downloads what you expect?  If so, you know there are add-ons for Firefox and other browsers that provide this functionality.  However, I just noticed this morning while working within my research SandBoxie sandbox that Google Chrome apparently provides this functionality out-of-the-box.</p>
<p><a href="http://olzak.files.wordpress.com/2009/10/image.png"><img style="border-bottom:0;border-left:0;display:block;float:none;margin-left:auto;border-top:0;margin-right:auto;border-right:0;" title="image" src="http://olzak.files.wordpress.com/2009/10/image_thumb.png?w=404&#038;h=157" border="0" alt="image" width="404" height="157" /></a></p>
<p>When I hover my mouse pointer over a link, the destination or file reference appears in the lower left corner of my browser window.  Not perfect, but a nice quick check.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/10/06/chrome-view/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/10/image_thumb.png" medium="image">
			<media:title type="html">image</media:title>
		</media:content>
	</item>
		<item>
		<title>Security Tip: Patching must include ALL applications</title>
		<link>http://olzak.wordpress.com/2009/10/06/patch-everything/</link>
		<comments>http://olzak.wordpress.com/2009/10/06/patch-everything/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 12:14:21 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Patching]]></category>
		<category><![CDATA[intrusion]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=482</guid>
		<description><![CDATA[Once again, patching isn’t just about plugging holes in Windows.  Most if not all applications have security vulnerabilities if someone looks hard enough.  Up until now, however, finding those vulnerabilities was harder than just whacking the OS.  But Microsoft has settled into a patch release routine that, when followed, pretty well hardens servers and user [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Once again, patching isn’t just about plugging holes in Windows.  Most if not all applications have security vulnerabilities if someone looks hard enough.  Up until now, however, finding those vulnerabilities was harder than just whacking the OS.  But Microsoft has settled into a patch release routine that, when followed, pretty well hardens servers and user workstations.  And although there are still vulnerabilities, finding and exploiting them now takes more effort than shifting focus to widely installed user applications.</p>
<p>Adobe is experiencing attacker-love now.  They are a good target because their reader is everywhere. </p>
<blockquote><p><em>Adobe&#8217;s software has increasingly come under attack in recent years as hackers have come to realize that it can be easier to find flaws in popular software that runs on top of Windows than to dig up new vulnerabilities in the operating system itself.</em></p>
<p><em>That&#8217;s led to a round of new attacks that exploit bugs in products such as Adobe&#8217;s Reader, Apple&#8217;s QuickTime, and the Mozilla Firefox browser, for example.</em></p>
<p><em>It&#8217;s a reality that Adobe Chief Technology Officer Kevin Lynch freely acknowledged Monday in a press conference at the company&#8217;s annual Adobe MAX developer conference, held in Los Angeles.</em></p>
<p><strong>Source:</strong>  <a href="http://www.computerworld.com/s/article/9138979/After_attacks_Adobe_patches_now_come_faster?source=rss_security" target="_blank">After attacks, Adobe patches now come faster</a><em>,</em> Robert McMillan, Computerworld, 6 October 2009</p></blockquote>
<p>But Adobe isn’t the only end user application on your endpoints.  It’s critical to get ahead of the attack curve by developing an overall patch process today, BEFORE that new user productivity tool becomes a target.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/10/06/patch-everything/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>For Software Downloads, Go Directly to the Source</title>
		<link>http://olzak.wordpress.com/2009/10/02/for-software-downloads-go-directly-to-the-source/</link>
		<comments>http://olzak.wordpress.com/2009/10/02/for-software-downloads-go-directly-to-the-source/#comments</comments>
		<pubDate>Fri, 02 Oct 2009 15:54:09 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[beta]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[search engine]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=471</guid>
		<description><![CDATA[Search engine results for download sites offering hard to get or difficult to find popular software are increasingly used by attackers to ply their insidious craft.  Users looking for an easy way to circumvent vendor constraints or to find popular free software must practice caution.  This isn’t a new warning, but it apparently needs repeating.
The [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Attackers increasingly use search engine results for download sites offering hard-to-get or hard-to-find popular software to ply their insidious craft.  Users looking for an easy way to circumvent vendor constraints or to find popular free software must exercise caution.  This isn’t a new warning, but it apparently needs repeating.</p>
<p>The following appeared yesterday in an article at The Register:</p>
<blockquote><p><em>Surfers also need to be wary about hunting for Microsoft&#8217;s new freebie anti-malware scanner via search engines. Websense further </em><a href="http://securitylabs.websense.com/content/Alerts/3485.aspx?cmpid=sltw"><em>warns</em></a><em> that scareware distributors have poisoned search engine results so that sites passing off fake anti-virus scanners appear prominently in searches for Microsoft Security Essentials.</em></p>
<p><em>Both the Google Wave and Microsoft Security Essentials attacks rely on black hat Search Engine Optimisation techniques. Wrongdoers typically break into well-established sites and create webpages stuffed full with relevant keywords, cross-linked to other sites compromised in the same way. The tactic is designed to trick search engines into pushing doctored sites higher in search engine indexes for relevant terms.</em></p>
<p><strong>Source:  </strong><a href="http://www.theregister.co.uk/2009/10/01/google_wave_scareware/" target="_blank"><em>Google Wave search poisoned by scareware scammers</em></a>, John Leyden, The Register, 1 October 2009</p></blockquote>
<p>And there’s more.  The following appeared in a related article:</p>
<blockquote><p><em>Two ongoing scams are tricking Google and other search engines into prominently displaying millions of compromised webpages that attempt to hijack end users&#8217; computers or steal their credit card numbers, researchers said.</em></p>
<p><em>One of the attacks is being used to direct people searching the web to an online store hawking pirated copies of popular software titles. Plugging the phrase </em><a href="http://www.google.com/#hl=en&amp;num=100&amp;q=%22cheap+vista+for+students%22&amp;aq=f&amp;aqi=&amp;aq=f&amp;aqi=g-p1&amp;oq=&amp;fp=7d15299a959dbb33"><em>&#8220;cheap vista for students&#8221;</em></a><em> into Google, for instance, returned more than 19 million results, many of which redirected users to a site called soft4pcs.com.</em></p>
<p><em>A separate attack is the work of a botnet dubbed ASProx, which injects malicious links into misconfigured ASP webpages. Users who enter a wide array of search queries, such as &#8220;</em><a href="http://www.google.com/#hl=en&amp;num=100&amp;q=used+corvette+parts&amp;aq=f&amp;aqi=g10&amp;oq=&amp;fp=7d15299a959dbb33"><em>used corvette parts</em></a><em>&#8221;, received results pointing to a page that redirected to ads-t.ru, which attempted to serve a hostile Adobe Flash file that installs malware.</em></p>
<p><strong>Source:  </strong><em><a href="http://www.theregister.co.uk/2009/10/01/mass_compromise_google_results/" target="_blank">Google results flog millions of compromised webpages</a></em>, Dan Goodin, The Register, 1 October 2009</p></blockquote>
<p>So if you or someone you know is looking for a free AV scanner or is trying to get their hands on an invite for the newest beta, go directly to the source; avoid second-hand sites unless you are certain they are trustworthy.</p>
Posted in Cybercrime, Hacking</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/10/02/for-software-downloads-go-directly-to-the-source/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Security Tip: It isn&#8217;t just about social security numbers anymore</title>
		<link>http://olzak.wordpress.com/2009/10/02/holistic-controls/</link>
		<comments>http://olzak.wordpress.com/2009/10/02/holistic-controls/#comments</comments>
		<pubDate>Fri, 02 Oct 2009 14:19:29 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=467</guid>
		<description><![CDATA[A recent breach of a PayChoice Inc. server is evidence that organizations must provide overall controls, not just those targeting popular attack vectors. 
Chris Wysopal, chief technology officer at application security vendor Veracode Inc., said the breach is interesting because it shows that hackers are looking for targets other than credit card numbers and social security [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>A recent breach of a PayChoice Inc. server is evidence that organizations must provide comprehensive controls, not just those targeting the most publicized attack vectors.</p>
<blockquote><p><em>Chris Wysopal, chief technology officer at application security vendor Veracode Inc., said the breach is interesting because it shows that hackers are looking for targets other than credit card numbers and social security numbers to steal.</em></p>
<p><em>&#8220;The market is saturated with [stolen] credit card data,&#8221; Wysopal said. A credit card record that was worth $10 in the underground in 2007 today can be had for about 50 cents, he said.</em></p>
<p><em>As a result </em><a href="http://www.computerworld.com/s/article/print/9138604/Organized_Cybercrime_Revealed"><em>cybercrooks looking to monetize what they are doing</em></a><em> are moving up to higher value attacks where possible, he said.</em></p>
<p><em>In this case, the hackers appear to have been trying to install keystroke loggers to get information that would have allowed them to access online banking accounts of PayChoice&#8217;s customers, he said. &#8220;That is where they would have got tens of thousands of dollars,&#8221; had they been able to pull it off.</em></p>
<p><strong>Source: </strong><a href="http://www.computerworld.com/s/article/9138788/Large_online_payroll_service_hacked" target="_blank"><em>Large online payroll service hacked</em></a>, Jaikumar Vijayan, Computerworld, 1 October 2009</p></blockquote>
<p>This is an example of why security professionals must continue to protect ALL sensitive information, regardless of what pops up in the media.  Comprehensive protection requires that security continuously make its case to management in order to maintain buy-in at all levels.</p>
Posted in Access Controls, Cybercrime, Data Security, Hacking</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/10/02/holistic-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Permissions Creep: The Bane of Tight Access Management</title>
		<link>http://olzak.wordpress.com/2009/10/01/permissions-creep/</link>
		<comments>http://olzak.wordpress.com/2009/10/01/permissions-creep/#comments</comments>
		<pubDate>Thu, 01 Oct 2009 15:33:41 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Insider risk]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[permission creep]]></category>
		<category><![CDATA[permissions]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=465</guid>
		<description><![CDATA[Organizational role changes are common.  People are promoted, move from one department to another, or responsibilities change for the roles they’re in.  The result over time, commonly known as permissions creep, is a bunch of user accounts for which least privilege and segregation of duties no longer apply.  The solution is a documented and aggressively [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Organizational role changes are common.  People are promoted, move from one department to another, or take on different responsibilities within the roles they’re in.  The result over time, commonly known as permissions creep, is a collection of user accounts for which least privilege and segregation of duties no longer hold.  The solution is a documented and aggressively followed job change process.</p>
<p>First, let’s look at the issue of job changes.  A job change process should use an authoritative source, such as your human resources system, to track role changes.  If you assign a job code to each employee based on his or her position, then this is pretty easy.  One approach is to compare a nightly extract, including employee ID and job code, to the previous night’s run.  A difference in job code indicates a change in position.  If your HR system produces a report listing job changes, then you already have what you need.</p>
<p>For organizations with an automated provisioning system, the next step is easy.  Feed the changes to the provisioning server and let it apply them.  Otherwise, hand the list to a system administrator for manual changes to directory services and all relevant applications.  Whether automated or manual, the process is the same.  For each affected account, remove all current access and replace it with the approved access for the new job role.  This assumes you’ve defined the approved access (by application, AD group, etc.) for each job code.  If you haven’t, this is a big job, so you’d better get started…</p>
<p>Some admins might simply remove the access defined for the original role.  This is not effective, especially for an employee who’s been around a few years.  Exceptions to the base access settings may have been added over time as the employee’s manager assigned additional responsibilities not commonly given to that role.  Shifting responsibilities cause problems of their own, particularly when an employee’s job code never changes and so the job change process is never invoked.</p>
<p>If you have employees who have worked for your organization for many years, especially those who demonstrate the ability to perform a wide variety of tasks, they have probably been given special permissions in addition to those approved for their organizational role.  These exceptions were likely approved by a data owner and are on file for the auditors.  So far, so good.  However, the dynamic nature of business inevitably shifts these responsibilities around, removing the need for access but not the actual access itself. </p>
<p>Dealing with permissions creep caused by variable responsibilities over time requires actual reviews of employee access.  Schedule periodic reviews by data owners, managers, etc.  Use the results of these reviews to adjust access to reflect employee job responsibilities today.</p>
<p>Finally, there is the question of location.  For non-healthcare organizations (HIPAA free), this might not be a problem.  However, when you have to manage patient information visibility based on role and location, access reviews take on an additional dimension.  Make sure reviews and job changes take into account where the employee is working and adjust need-to-know controls accordingly.</p>
<p>Managing permissions creep isn’t exciting, but it is a necessary part of securing information assets.</p>
Posted in Access Controls, Data Security, Insider risk, Risk Management</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/10/01/permissions-creep/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Interesting Stats: B2B Threats</title>
		<link>http://olzak.wordpress.com/2009/09/30/interesting-stats-b2b-threats/</link>
		<comments>http://olzak.wordpress.com/2009/09/30/interesting-stats-b2b-threats/#comments</comments>
		<pubDate>Wed, 30 Sep 2009 15:00:32 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Business Continuity]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Policies and Processes]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[B2B]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[threat modeling]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=459</guid>
		<description><![CDATA[Posted in Access Controls, Business Continuity, Cloud Computing, Data Security, Policies and Processes, Risk Management]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><div class="wp-caption aligncenter" style="width: 481px"><a href="http://olzak.files.wordpress.com/2009/09/image7.png"><img style="display:block;margin-left:auto;margin-right:auto;border:0;" title="Source of Company Security Threat" src="http://olzak.files.wordpress.com/2009/09/image_thumb7.png?w=471&#038;h=255" border="0" alt="Source of Company Security Threat" width="471" height="255" /></a><p class="wp-caption-text">From Dark Reading&#39;s &quot;Inside Out: Protecting your Partnerships--and Your Data&quot;</p></div>
Posted in Access Controls, Business Continuity, Cloud Computing, Data Security, Policies and Processes, Risk Management</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/30/interesting-stats-b2b-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb7.png" medium="image">
			<media:title type="html">Source of Company Security Threat</media:title>
		</media:content>
	</item>
		<item>
		<title>iPhone Tip &#8211; When iTunes crashes and you wish you&#8217;d bought a Blackberry</title>
		<link>http://olzak.wordpress.com/2009/09/26/iphone-tip-when-itunes-crashes-and-you-wish-youd-bought-a-blackberry/</link>
		<comments>http://olzak.wordpress.com/2009/09/26/iphone-tip-when-itunes-crashes-and-you-wish-youd-bought-a-blackberry/#comments</comments>
		<pubDate>Sat, 26 Sep 2009 23:34:16 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iTunes crash]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=452</guid>
		<description><![CDATA[No, this isn’t a security post.  However, the level of frustration I felt over the past two days should never happen to anyone.  So I decided to put everything you need to know about dealing with drastic iPhone issues in one place.
It all started yesterday when I excitedly connected my iPhone 3GS to my office [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>No, this isn’t a security post.  However, the level of frustration I felt over the past two days should never happen to anyone.  So I decided to put everything you need to know about dealing with drastic iPhone issues in one place.</p>
<p>It all started yesterday when I excitedly connected my iPhone 3GS to my office laptop to get the long-awaited-should-have-had-it-long-ago MMS update.  A funny thing happened, however.  I received a message immediately after iTunes loaded telling me that iTunes had stopped working.  And then that Apple-revenue-generating software simply closed.  I tried again with the same results.  I rebooted and retried.  Same results.  Ignoring the adage that the sign of insanity is trying the same thing over and over expecting different results, I continued to connect and disconnect my iPhone so I could send my first photo to another phone.  No luck.</p>
<p>After I left the office, and my Windows XP SP2 laptop, I drove home and ran to my Windows 7 Ultimate desktop and plugged in my iPhone.  iTunes loaded long enough to display that dreaded message telling me that iTunes had stopped working.  Again, an iTunes crash and burn.  ARRGGH!</p>
<p>To verify that this was an iPhone issue, I plugged in my iPod Touch (yes, I am an uber geek).  It worked fine.  OK.  So now I knew that my iPhone, which I just purchased two months ago, was the problem.  On to Apple support.</p>
<p>There may have been something in one of the forums, but I couldn’t find it.  So I scheduled a call back for the next day at 5:45.  But I am not a patient man (I hope my boss isn’t reading this or there may be more confirmation of that fact than I can bear).</p>
<p>When I got up this morning, I immediately visited my old friend Google to see if anyone else was having this iTunes crash problem.  My search resulted in finding a significant number of people who were experiencing the same frustration as I.  However, there didn’t seem to be anyone who had actually fixed it.  One person wrote that removing my iPhone’s authorization for iTunes and putting it back would help.  Or that a master reset (holding the home and power buttons down, ignoring the shutdown slider, until the iPhone screen goes black) might work.  Neither worked for me.</p>
<p>But after about three frustrating hours—and many colorful remarks about Apple, AT&amp;T, etc.—I found the fix.  Here it is:</p>
<ol>
<li>Load iTunes</li>
<li>Turn off the iPhone</li>
<li>Make sure the USB cable is unplugged from the iPhone</li>
<li>Hold down the home button for three to five seconds</li>
<li>KEEP HOLDING HOME BUTTON and
<ol>
<li>Plug the USB cable into your iPhone</li>
<li>Plug the USB cable into your computer</li>
<li>After iTunes recognizes your iPhone, release the home button</li>
</ol>
</li>
</ol>
<p>This process places your iPhone in recovery mode.  iTunes informs you that a phone in recovery mode is connected.  Click the RESTORE button on the iTunes screen and sit back.  The iPhone will be set to factory defaults.  If a backup exists, iTunes will eventually prompt you for a restore.  After the restore, your phone is in the same condition it was in prior to the service recovery, assuming you had a current backup.</p>
<p>This fixed my problem and I had my MMS functionality.</p>
<p>In closing, I will admit there is a little security associated with this story.  That is, the process to place the iPhone in recovery mode is the first step in cracking iPhone security.  I guess we can’t have everything, can we Steve?</p>
Posted in iPhone</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/26/iphone-tip-when-itunes-crashes-and-you-wish-youd-bought-a-blackberry/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Privacy Tip &#8212; Using VIP Access at PayPal</title>
		<link>http://olzak.wordpress.com/2009/09/24/privacy-tip-using-vip-access-at-paypal/</link>
		<comments>http://olzak.wordpress.com/2009/09/24/privacy-tip-using-vip-access-at-paypal/#comments</comments>
		<pubDate>Thu, 24 Sep 2009 18:02:53 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Multi-Factor Authentication]]></category>
		<category><![CDATA[One Time Passwords]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[paypal]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[verisign]]></category>
		<category><![CDATA[vip access]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=440</guid>
		<description><![CDATA[Today I tried to load and activate VIP Access on my iPhone.  The app loaded OK from the app store, but finding the page on PayPal where I could activate it was another story.
For those of you out of the loop, VIP Access provides a means to use your iPhone as a second authentication factor.  [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Today I tried to load and activate VIP Access on my iPhone.  The app loaded OK from the app store, but finding the page on PayPal where I could activate it was another story.</p>
<p>For those of you out of the loop, VIP Access provides a means to use your iPhone as a second authentication factor.  When installed, the software provides a different six-digit code every 30 seconds.  This code is used to verify your identity at sites supporting this VeriSign identity management technology—like PayPal.  See Figure 1.</p>
<div class="wp-caption alignleft" style="width: 214px"><a href="http://olzak.files.wordpress.com/2009/09/image5.png"><img style="display:inline;border:0;margin:0 20px 20px 0;" title="Figure 1" src="http://olzak.files.wordpress.com/2009/09/image_thumb5.png?w=204&#038;h=318" border="0" alt="Figure 1" width="204" height="318" align="left" /></a><p class="wp-caption-text">Figure 1</p></div>
<p> Installing and launching the free software on my iPhone 3GS was easy.  The first screen included a video and other information about how to use the service.  So, having lost my VIP “football” for PayPal, I was anxious to try this out.  That was where the fun began.</p>
<p>There are no references to this service on PayPal.  Neither searching nor browsing turned up anything useful.  Finally, I searched Google and found someone who had solved this lack-of-information challenge by actually sending a message to PayPal. </p>
<p>It turns out VIP Access activation uses the <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key" target="_blank">same link </a>used to activate the VIP token, as shown in Figure 2.</p>
<p>In the activation form, enter the VIP Access Credential ID into the Serial Number field.  The rest of the form is self-explanatory.  After jumping the activation hurdle, everything worked as advertised.</p>
<div class="wp-caption aligncenter" style="width: 414px"><a href="http://olzak.files.wordpress.com/2009/09/image6.png"><img style="display:block;border:0;" title="Figure 2" src="http://olzak.files.wordpress.com/2009/09/image_thumb6.png?w=404&#038;h=274" border="0" alt="Figure 2" width="404" height="274" /></a><p class="wp-caption-text">Figure 2</p></div>
Posted in iPhone, Multi-Factor Authentication, One Time Passwords, Privacy</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/24/privacy-tip-using-vip-access-at-paypal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb5.png" medium="image">
			<media:title type="html">Figure 1</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb6.png" medium="image">
			<media:title type="html">Figure 2</media:title>
		</media:content>
	</item>
		<item>
		<title>Fighting Unwanted Browsing: Web filtering is not always effective</title>
		<link>http://olzak.wordpress.com/2009/09/23/proxybrowsing/</link>
		<comments>http://olzak.wordpress.com/2009/09/23/proxybrowsing/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 17:22:02 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Business Continuity]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[Data Leak Prevention]]></category>
		<category><![CDATA[Insider risk]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[Megaproxy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=429</guid>
		<description><![CDATA[Many organizations use Web filtering to block employee access to “unsuitable” sites.  Blocking usually takes the form of products like WebSense and services such as OpenDNS (from free, through SMB and Enterprise).  However, savvy employees will find a way around these controls. 
Definitions of what constitutes an unsuitable site vary from business to business, but there [...] ]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Many organizations use Web filtering to block employee access to “unsuitable” sites.  Blocking usually takes the form of products like <a href="http://www.websense.com/content/WebSecurityOverview.aspx" target="_blank">WebSense</a> and services such as OpenDNS (from <a href="http://blogs.techrepublic.com.com/security/?p=676" target="_blank">free</a>, through <a href="http://www.opendns.com/solutions/enterprise/" target="_blank">SMB and Enterprise</a>).  However, savvy employees will find a way around these controls. </p>
<p>Definitions of what constitutes an unsuitable site vary from business to business, but there is a general set of objectives which typically underlies them all.</p>
<ul>
<li>Prevent viewing of pornography, hate sites, or any other material which may be interpreted as creating a hostile work environment</li>
<li>Prevent activities which may put the organization at risk, such as visiting sites
<ul>
<li>which present a known high risk of infecting the network with malware</li>
<li>which provide an easy way for employees to wile away the workday focused on social networking, shopping, sports, or other non-business related media</li>
</ul>
</li>
</ul>
<p>Whether an organization uses Web filtering to achieve one or all of these objectives, users will find a way around restrictions.  One of the best ways is to encrypt outgoing sessions with a client-based or hosted proxy.  Yes, most if not all Web filters allow you to block access to these sites.  And yes, restricting employee rights to install applications can help.  However, there are services which circumvent both controls.</p>
<p>Web filters rely on their ability to see destination information and compare it to a database of blocked sites, usually organized by category.  If a user connects to an external proxy service (not in the blocked sites list) via SSL/HTTPS, no traffic from the end-user device to the Internet is visible to the Web filter.  The result?  The user can browse to any and all sites on the Web.</p>
<p>Take, for example, <a href="http://www.megaproxy.com/" target="_blank">Megaproxy</a>.  Figure 1 is the message I receive on my test machine if I try to go directly to the Megaproxy site.  Why?  Because the site is considered a proxy site.  All proxy sites must be blocked—as they are on this network&#8211;or Web filtering is the proverbial exercise in futility.  But Megaproxy provides an easy way around this.</p>
<div class="wp-caption aligncenter" style="width: 414px"><a href="http://olzak.files.wordpress.com/2009/09/image1.png"><img style="display:block;border:0;" title="Figure 1: Megaproxy blocked" src="http://olzak.files.wordpress.com/2009/09/image_thumb1.png?w=404&#038;h=124" border="0" alt="Figure 1: Megaproxy blocked" width="404" height="124" /></a><p class="wp-caption-text">Figure 1</p></div>
<p>The Megaproxy service periodically changes the URL used to get to the proxy sign-on prompt shown in Figure 2.  So Web filtering vendors have to play catch-up to block the current URL.  This is only possible when using the for-fee service, which a user can simply set up from home.  The fee is so low that any user with a strong desire to break out of IS constraints imposed on browsing will quickly get out the credit card.  I’ve been testing the same URL for about three weeks now with no problem.</p>
<div class="wp-caption aligncenter" style="width: 414px"><a href="http://olzak.files.wordpress.com/2009/09/image2.png"><img style="display:block;border:0;" title="Figure 2: Megaproxy login" src="http://olzak.files.wordpress.com/2009/09/image_thumb2.png?w=404&#038;h=160" border="0" alt="Figure 2: Megaproxy login" width="404" height="160" /></a><p class="wp-caption-text">Figure 2</p></div>
<p>Once logged on, the service asks for the URL for the page I want to visit, as shown in Figure 3.  The Web filter system I’m testing blocks remote access services, such as GoToMyPC.  So, I entered gotomypc.com. </p>
<div class="wp-caption aligncenter" style="width: 414px"><a href="http://olzak.files.wordpress.com/2009/09/image3.png"><img style="display:block;border:0;" title="Figure 3: Enter URL" src="http://olzak.files.wordpress.com/2009/09/image_thumb3.png?w=404&#038;h=164" border="0" alt="Figure 3: Enter URL" width="404" height="164" /></a><p class="wp-caption-text">Figure 3</p></div>
<p>Figure 4 shows the result; I easily access gotomypc.com with full functionality.  I could just as easily access playboy.com.  Note that I have to enter all addresses for sites I want to visit into the address bar provided by Megaproxy.  If I use the standard browser address bar, I will leave Megaproxy, and my traffic will once again be visible to the filtering solution.</p>
<div class="wp-caption aligncenter" style="width: 414px"><a href="http://olzak.files.wordpress.com/2009/09/image4.png"><img style="display:block;border:0;" title="Figure 4: gotomypc.com" src="http://olzak.files.wordpress.com/2009/09/image_thumb4.png?w=404&#038;h=214" border="0" alt="Figure 4: gotomypc.com" width="404" height="214" /></a><p class="wp-caption-text">Figure 4</p></div>
<p>Megaproxy is not malware.  Nor is it intended to make your life as a security professional miserable.  It is designed to provide safe browsing from hotels, airports, and other hot spots.  The changing URL allows use of secure browsing even if the hotspot tries to prevent it by blocking proxy access.</p>
<p>The bottom line? An organization cannot rely on Web filtering alone to prevent unsuitable Web behavior.  Rather, other controls—preventive and detective, administrative and technical—must support filtering.  For example, some organizations simply block all SSL traffic not explicitly approved for business purposes.  If your organization is using Web filtering, take a look at the gaps unique to your organization and plug them.</p>
Posted in Access Controls, Business Continuity, Content Filtering, Data Leak Prevention, Insider risk, malware</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/23/proxybrowsing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb1.png" medium="image">
			<media:title type="html">Figure 1: Megaproxy blocked</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb2.png" medium="image">
			<media:title type="html">Figure 2: Megaproxy login</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb3.png" medium="image">
			<media:title type="html">Figure 3: Enter URL</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb4.png" medium="image">
			<media:title type="html">Figure 4: gotomypc.com</media:title>
		</media:content>
	</item>
		<item>
		<title>Security note &#8211;</title>
		<link>http://olzak.wordpress.com/2009/09/22/security-note/</link>
		<comments>http://olzak.wordpress.com/2009/09/22/security-note/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 17:06:44 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[IPSec]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=419</guid>
		<description><![CDATA[IPv6 has security issues.  This is no surprise.  What may be a surprise is that you might be vulnerable even if you haven’t rolled it out to your network.
Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. The likelihood that rogue [...] ]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>IPv6 has security issues.  This is no surprise.  What may be a surprise is that you might be vulnerable even if you haven’t rolled it out to your network.</p>
<blockquote><p><em>Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this).</em></p>
<p><em>IPv4 based security appliances and network monitoring tools are not able to inspect nor block IPv6 based traffic. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. However, this same feature allows hackers to setup rogue IPv6 tunnels on non-IPv6 aware networks and carry malicious attacks at will. Which begs the question, why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?</em></p>
<p><strong>Source: <a href="http://www.csoonline.com/article/502817/IPv6_Not_a_Security_Panacea" target="_blank"><em>IPv6: Not a Security Panacea</em></a></strong><em>,</em> AJ Jaghori, CSO, 21 Sep 2009<em>.</em></p></blockquote>
<p>For more information about IPv6 security issues, see the article referenced above and:</p>
<ul>
<li><strong><a href="http://downloads.techrepublic.com.com/abstract.aspx?kw=php&amp;docid=398547" target="_blank">IPv6: What you need to know</a></strong></li>
<li><a href="http://www.infosecwriters.com/texts.php?op=display&amp;id=515"><strong>IPv6 Security Issues</strong></a></li>
</ul>
Posted in IPSec, Network Security, Uncategorized</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/22/security-note/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Interesting Statistics&#8211;</title>
		<link>http://olzak.wordpress.com/2009/09/22/interesting-statistics/</link>
		<comments>http://olzak.wordpress.com/2009/09/22/interesting-statistics/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 16:27:18 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[malware]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=415</guid>
		<description><![CDATA[The following stats are from AV tests find that reputation really does count, Robert McMillan, Computerworld, 21 Sep 2009.  The article is a good read about reputation-based AV solutions.]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>The following stats are from <a href="http://www.computerworld.com/s/article/9138346/AV_tests_find_that_reputation_really_does_count?source=rss_security" target="_blank"><em>AV tests find that reputation really does count</em></a><em>, Robert McMillan, Computerworld, 21 Sep 2009.  </em>The article is a good read about reputation-based AV solutions.</p>
<p><a href="http://olzak.files.wordpress.com/2009/09/image.png"><img style="border-bottom:0;border-left:0;display:inline;border-top:0;border-right:0;" title="image" src="http://olzak.files.wordpress.com/2009/09/image_thumb.png?w=495&#038;h=243" border="0" alt="image" width="495" height="243" /></a></p>
Posted in malware</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/22/interesting-statistics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/image_thumb.png" medium="image">
			<media:title type="html">image</media:title>
		</media:content>
	</item>
		<item>
		<title>One-Time Passwords are Not Foolproof</title>
		<link>http://olzak.wordpress.com/2009/09/18/one-time-passwords/</link>
		<comments>http://olzak.wordpress.com/2009/09/18/one-time-passwords/#comments</comments>
		<pubDate>Fri, 18 Sep 2009 14:47:52 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Password Management]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[access control]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[one-time passwords]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Vista]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=409</guid>
		<description><![CDATA[Many of us started using one-time password devices some time ago.  They typically take the form of “footballs” or smartcards and generate a random—or pseudorandom—string used only as a password for one session login.  This was considered to be “safe enough.”  But now we might have to rethink our approach.
In a recent article by Robert [...] ]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><div class="wp-caption alignleft" style="width: 230px"><img style="display:inline;border:0;margin:0 20px 20px 0;" title="Credit: Technology Review" src="http://www.technologyreview.com/files/33214/safedoor_x220.jpg" border="0" alt="Credit: Technology Review" width="220" height="281" align="left" /><p class="wp-caption-text">Credit: Technology Review</p></div>
<p>Many of us started using one-time password devices some time ago.  They typically take the form of “<a href="http://blogs.verisign.com/identity-emea/images/token.jpg" target="_blank">footballs</a>” or <a href="http://www.fahad.com/pics/incard_otp_credit_card.jpg" target="_blank">smartcards</a> and generate a random—or pseudorandom—string used only as a password for one session login.  This was considered to be “safe enough.”  But now we might have to rethink our approach.</p>
<p>In a recent article by Robert Lemos, he describes an actual theft using a Trojan that rides one-time password sessions. </p>
<blockquote><p><em>The theft happened despite Ferma&#8217;s use of a one-time password, a six-digit code issued by a small electronic device every 30 or 60 seconds. Online thieves have adapted to this additional security by creating special programs&#8211;real-time Trojan horses&#8211;that can issue transactions to a bank while the account holder is online, turning the one-time password into a weak link in the financial security chain. &#8220;I think it&#8217;s a broken model,&#8221; Ferrari says</em>.</p>
<p><strong>Source:</strong> <em><a href="http://www.technologyreview.com/computing/23488/?nlid=2364&amp;a=f" target="_blank">Real-Time Hackers Foil Two-Factor Security</a></em>, Robert Lemos, Technology Review, 18 September 2009</p></blockquote>
<p>The use of multiple factors of authentication is often viewed as a panacea for sensitive data access control challenges.  However, it was only a matter of time before attackers found a way to exploit these methods.  So what do we do?  How can we ensure our business and personal systems are protected when we perform online transactions, like banking or accessing strategic business data?  There are multiple answers to this question, which implemented together provide a layered approach.</p>
<ol>
<li><strong>Continue to use multi-factor authentication</strong>.  This is still a good way to thwart the majority of attempts to get to your data, and it’s far better than using only a traditional password.</li>
<li><strong>Keep patching and updating your AV solutions.  </strong>Patching is still one of the best ways to keep bad stuff off your endpoint devices.  Combined with AV (anti-malware) software, patching can smack down bad stuff crawling over the wire.</li>
<li><strong>Remove local admin access—even for you</strong>.  No one should browse the Web while logged in with an account which allows installation of anything on the desktop.  This is much easier with Windows Vista and Windows 7, but the large number of Windows XP systems still running at the office and at home still requires some special effort to make this happen.</li>
<li><strong>Consider using a sandbox or virtual machine.  </strong>The best way to prevent unwanted software from making a home on your PC is to browse the Web with a browser running in a sandbox.  Products like <a href="http://blogs.techrepublic.com.com/security/?p=693" target="_blank">Sandboxie</a> provide a free solution for isolating any Internet activity to a work area with read only access to the hard drive, system files, etc.  When finished, kill the sandbox and everything picked up along the way simply goes away.  Another approach is using virtual machines.  For home or home office, Sun’s <a href="http://blogs.techrepublic.com.com/security/?p=497" target="_blank">VirtualBox</a> is an excellent choice.  For larger businesses, VMware is an option.  However, beware of using a sandbox or VM for casual browsing and for accessing your bank account.  Remember, anything installing itself in your VM or in your sandbox will function as it would on your actual desktop.</li>
</ol>
Posted in Access Controls, Cybercrime, Hacking, malware, Password Management</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/18/one-time-passwords/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://www.technologyreview.com/files/33214/safedoor_x220.jpg" medium="image">
			<media:title type="html">Credit: Technology Review</media:title>
		</media:content>
	</item>
		<item>
		<title>Review: New RoboForm Pro Online Service</title>
		<link>http://olzak.wordpress.com/2009/09/02/roboformonline/</link>
		<comments>http://olzak.wordpress.com/2009/09/02/roboformonline/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 16:42:22 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Password Management]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[password manager]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=405</guid>
		<description><![CDATA[Need to access your passwords, secret questions, and personal ID information anywhere, anytime?  Then you need to take a look at the new RoboForm online service.  I recommend it.
RoboForm isn’t new.  A product by Siber Systems, Inc., the RoboForm desktop application has been helping users auto-fill forms and remember important information for some time.  What [...] ]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Need to access your passwords, secret questions, and personal ID information anywhere, anytime?  Then you need to take a look at the new RoboForm online service.  I recommend it.</p>
<p><a href="http://www.roboform.com/" target="_blank">RoboForm</a> isn’t new.  A product by Siber Systems, Inc., the RoboForm desktop application has been helping users auto-fill forms and remember important information for some time.  What IS new is an online service (beta) which allows you to:</p>
<ol>
<li>Sync your passwords, secret questions, and other identity information with RoboForm servers.  All data shared with RoboForm is encrypted with AES using a password which only the user knows.  RoboForm cannot access your data.</li>
<li>Access your online information from any computer with Internet access, without installing any software.</li>
<li>Access your online information using selected smartphones, including iPhones and Blackberries. </li>
</ol>
<p>Before we get to the online capabilities, let’s walk through the RoboForm Pro client application functionality.</p>
<h3>Client Functionality</h3>
<p>The RoboForm Pro client, with a $29.95 price tag for the first license, is <a href="http://www.roboform.com/php/pums/rfprepay.php?lang=en&amp;lic=default&amp;currency=USD&amp;dc=F29&amp;snc=2" target="_blank">available for download</a>.  There is a nice quantity-discount calculator at the site, but $15.95 seems to be as low as it goes.</p>
<p>I downloaded the client and installed it on my desktop (Windows 7 and Firefox 3.5).  After activation (see Figure 1), I restarted Firefox.  The toolbar shown in Figure 2 appeared.</p>
<p><a title="Figure 1: RoboForm Activation" href="http://adventuresinsecurity.com/images/RoboFormPro/Activation.png" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 1: RoboForm Activation" src="http://olzak.files.wordpress.com/2009/09/activation.png?w=244&#038;h=207" border="0" alt="Figure 1: RoboForm Activation" width="244" height="207" /></a></p>
<p><a title="Firefox RoboForm Toolbar" href="http://adventuresinsecurity.com/images/RoboFormPro/toolbar.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 2: RoboForm Toolbar" src="http://olzak.files.wordpress.com/2009/09/toolbar.jpg?w=404&#038;h=65" border="0" alt="Figure 2: RoboForm Toolbar" width="404" height="65" /></a></p>
<p>The time-to-live setting for the RoboForm master password is an important setting during setup.  As you’ll see as we step through this section, maintaining an active login to the client provides access to passwords and other private information.  So you want the login to expire without having to think about it.  The default is 120 minutes.  I set mine to 10.</p>
<p>The core of RoboForm password management is the passcard.  A passcard contains login and address information for a specific site or application.  There are two ways to set one up.  First, you can navigate to the login screen of the target site or Web application and enter your account ID and password.  You can also pre-configure a site login.   </p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/newpasscard-gmail.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 3: Create a Passcard" src="http://olzak.files.wordpress.com/2009/09/newpasscardgmail.jpg?w=404&#038;h=197" border="0" alt="Figure 3: Create a Passcard" width="404" height="197" /></a></p>
<p>To create my Gmail passcard, I provided a name and left <em>Password-protect</em> checked, as shown in Figure 3.  This requires the encryption password before I can access it.  I then created an email folder in which to place the passcard.  I also checked <em>Add Shortcut to Links Toolbar</em>.  When I clicked save, a button with the passcard name appeared in the RoboForm toolbar (See Figure 4).  Also saved was the URL to the login page.</p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 4" src="http://olzak.files.wordpress.com/2009/09/identityonbar.jpg?w=221&#038;h=38" border="0" alt="Figure 4" width="221" height="38" /></p>
<p>The button performs two functions.  If the Gmail login page is not currently displayed, RoboForm instructs the browser to go there.  The second function is the same whether you are at the page or not: RoboForm auto-fills the account name and password fields.  If you’ve previously used this function, a persistent cookie exists on your computer.  When the cookie is present, clicking the button causes the browser to navigate to the page, enter the login information, and log in.  You can disable the persistent cookie feature by removing the asterisk in the field shown in Figure 5.  (Note: When editing passcards, the password is displayed in plain text.  This is so you can retrieve a forgotten password.  So beware shoulder surfers…)</p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/persistentcookie.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 5: Editing Passcards" src="http://olzak.files.wordpress.com/2009/09/persistentcookie.jpg?w=404&#038;h=327" border="0" alt="Figure 5: Editing Passcards" width="404" height="327" /></a></p>
<p>In addition to passwords, you can store all personal information&#8211;including credit cards, bank account info, and social security number&#8211;in an identity form.  See Figure 6.  Note that the identity information, like all passcards, is encrypted with AES.  When saved, the identity appears in the RoboForm toolbar, as shown in Figure 4.  You can use it to fill in any browser-based forms, and you can create multiple identities.</p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/identity.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 6: Identity Form" src="http://olzak.files.wordpress.com/2009/09/identity.jpg?w=404&#038;h=377" border="0" alt="Figure 6: Identity Form" width="404" height="377" /></a></p>
<p>Finally, you can create free-form safe notes.  I created one to hold a sample security question, as shown in Figure 7.</p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 7: Creating a Safenote" src="http://olzak.files.wordpress.com/2009/09/safenote.jpg?w=404&#038;h=326" border="0" alt="Figure 7: Creating a Safenote" width="404" height="326" /></p>
<p>This is a good time to talk about encryption strength.  The AES key length used to protect your RoboForm data depends on the length of the master password:</p>
<ul>
<li>Master password less than 32 characters – 128 bit</li>
<li>Master password from 32 to 47 characters – 192 bit</li>
<li>Master password greater than 48 characters – 256 bit</li>
</ul>
<p>If you can’t decide on a password for an account, the create-a-password feature built into RoboForm can help.  There was a small issue with the sample password shown in Figure 7: it contained a dictionary word.  While this might not be a huge problem, you should be aware it can happen.  Play with this a little.  You can watch the bit strength change as you change the provided parameters.</p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 7: Password Generator" src="http://olzak.files.wordpress.com/2009/09/generate.jpg?w=304&#038;h=343" border="0" alt="Figure 7: Password Generator" width="304" height="343" /></p>
<p>So far, this looks like something I can use.  However, what happens when I’m not in front of the computer with my client software installed?  Well, I can create a repository with software loaded on a thumb drive.  Or I can use the new RoboForm online service (beta).</p>
<h3>Features of Online Service (beta)</h3>
<p>The online service provides you with your passwords, identity information, and safenote data anytime, anywhere.  The data is encrypted with your master password, which only you know.  If you lose the password, you lose your data.  Not even RoboForm can help.</p>
<p>To synchronize your local information with the online service, you first have to create an online account.  RoboForm must be installed on your computer to use this service.</p>
<p>Once the account is created, and you have synchronized your computer with your online repository, you can access your RoboForm data using an SSL connection as shown in Figure 8.</p>
<p><a href="http://adventuresinsecurity.com/images/RoboFormPro/onlinelogin.jpg" target="_blank"><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 8: Online Signup and Login" src="http://olzak.files.wordpress.com/2009/09/onlinelogin.jpg?w=404&#038;h=179" border="0" alt="Figure 8: Online Signup and Login" width="404" height="179" /></a></p>
<p>To sync your computer, click the <em>Sync</em> button in the toolbar.  If this is your first sync, RoboForm needs your online user ID and password, as shown in Figure 9.  Sync settings can be set or changed at any time by using the button shown in Figure 10.  Once configured, the prompt shown in Figure 10 is displayed, allowing you to manually sync your data and select auto-sync if you don’t want to worry about pushing future changes or additions to the online repository.  Note that you can also sync to local or network storage devices.</p>
<p><img style="border-bottom:0;border-left:0;display:block;float:none;margin-left:auto;border-top:0;margin-right:auto;border-right:0;" title="Figure 9: Sync Setup" src="http://olzak.files.wordpress.com/2009/09/syncportable.jpg?w=404&#038;h=307" border="0" alt="Figure 9: Sync Setup" width="404" height="307" /></p>
<p><img style="display:block;float:none;margin-left:auto;margin-right:auto;border-width:0;" title="Figure 10: Online Sync" src="http://olzak.files.wordpress.com/2009/09/synctoolbarandauto.jpg?w=404&#038;h=146" border="0" alt="Figure 10: Online Sync" width="404" height="146" /></p>
<p>There are differences between using the online service and the local client.</p>
<ol>
<li>Auto-navigation to the login page is not enabled, although the link is provided</li>
<li>Auto-fill is not enabled, so you have to copy and paste your account ID and password, which is displayed in plain text, to the login fields</li>
</ol>
<p>The online service is free to try while in beta.  No future cost information is currently available.</p>
<p>The last online feature I tested was access via smartphone.  This worked flawlessly when I tried using my iPhone 3GS.  Figures 11 and 12 show the screens provided.</p>
<blockquote><p><img style="display:inline;border-width:0;" title="Figure 11: Mobile Menu" src="http://olzak.files.wordpress.com/2009/09/iphonemenu.jpg?w=204&#038;h=304" border="0" alt="Figure 11: Mobile Menu" width="204" height="304" />      <img style="display:inline;border-width:0;" title="Figure 12: Mobile Password Screen" src="http://olzak.files.wordpress.com/2009/09/iphonepass.jpg?w=204&#038;h=304" border="0" alt="Figure 12: Mobile Password Screen" width="204" height="304" /></p></blockquote>
<h3>Recommendation</h3>
<p>I recommend both the client software and the online solution.  This is the best password, identity, and general sensitive information repository solution I’ve seen.  If you are worried about how RoboForm manages passwords in memory, check out the user manual.  Passwords are purged from memory during events you select.</p>
Posted in Password Management, Security Management</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/09/02/roboformonline/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/activation.png" medium="image">
			<media:title type="html">Figure 1: RoboForm Activation</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/toolbar.jpg" medium="image">
			<media:title type="html">Figure 2: RoboForm Toolbar</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/newpasscardgmail.jpg" medium="image">
			<media:title type="html">Figure 3: Create a Passcard</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/identityonbar.jpg" medium="image">
			<media:title type="html">Figure 4</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/persistentcookie.jpg" medium="image">
			<media:title type="html">Figure 5: Editing Passcards</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/identity.jpg" medium="image">
			<media:title type="html">Figure 6: Identity Form</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/safenote.jpg" medium="image">
			<media:title type="html">Figure 7: Creating a Safenote</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/generate.jpg" medium="image">
			<media:title type="html">Figure 7: Password Generator</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/onlinelogin.jpg" medium="image">
			<media:title type="html">Figure 8: Online Signup and Login</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/syncportable.jpg" medium="image">
			<media:title type="html">Figure 9: Sync Setup</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/synctoolbarandauto.jpg" medium="image">
			<media:title type="html">Figure 10: Online Sync</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/iphonemenu.jpg" medium="image">
			<media:title type="html">Figure 11: Mobile Menu</media:title>
		</media:content>

		<media:content url="http://olzak.files.wordpress.com/2009/09/iphonepass.jpg" medium="image">
			<media:title type="html">Figure 12: Mobile Password Screen</media:title>
		</media:content>
	</item>
		<item>
		<title>Yes, sensitive data on QA and Development servers is still sensitive</title>
		<link>http://olzak.wordpress.com/2009/08/18/qa_dev/</link>
		<comments>http://olzak.wordpress.com/2009/08/18/qa_dev/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 16:48:32 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Business Continuity]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=389</guid>
<description><![CDATA[Any organization with an effective software development lifecycle (SDLC) builds QA and development environments to test new or upgraded systems.  Testing, either unit (developer) or user acceptance (UAT), requires data available to the application which looks very close to production data, including construction of all data dependencies.  The fastest way to make this happen is [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Any organization with an effective software development lifecycle (SDLC) builds QA and development environments to test new or upgraded systems.  Testing, either unit (developer) or user acceptance (UAT), requires data available to the application which looks very close to production data, including construction of all data dependencies.  The fastest way to make this happen is to copy production data into the test and development databases.  However, perception of the sensitivity of data in these non-production environments is often… well… wrong.</p>
<p>I like to practice data-centric security.  This means security controls are about protecting sensitive data and access by critical systems to that data.  So if someone moves a customer database, for example, to a development server, the data should be protected with the same controls used to protect it in production.  Organizations often use a system-centric approach to security, assuming that servers, workstations, and data not in the production environment don’t require the same level of trustworthiness.</p>
<blockquote><p><em>Research commissioned by </em><a href="http://www.channelweb.co.uk/#"><em>enterprise</em></a><em> applications vendor </em><a href="http://www.microfocus.com/Products/"><em>Micro Focus</em></a><em> and carried out by the Ponemon Institute surveyed 1,350 application development staff at UK and US firms with turnover between $10m (£6.1m) and $20bn-plus.</em></p>
<p><em>The past 12 months have seen data breaches at 79 per cent of respondents, with the same amount using live production data in </em><a href="http://www.channelweb.co.uk/#"><em>application development</em></a><em> and testing. But just 30 per cent of firms mask this data during the process.</em></p>
<p><a href="http://www.channelweb.co.uk/#"><em>Application</em></a><em> testing takes place on at least a weekly basis at 64 per cent of companies, with 90 per cent claiming it happens once a month or more. A mere seven per cent of respondents said </em><a href="http://www.channelweb.co.uk/crn/news/2242115/government-suppliers-given-ias6"><em>data protection</em></a><em> procedures were more rigorous during development and testing than during normal production.</em></p>
<p><strong>Source: </strong><em><a href="http://www.channelweb.co.uk/crn/news/2248018/lax-masking-hits-four-five" target="_blank">Lax data masking hits four in five firms</a>,</em> Sam Trendall, CRN, 18 August 2009</p></blockquote>
<p>Granted, the purpose of the study was ostensibly to promote a data masking solution.  But it demonstrates the need for better focus on non-production data stores.  In other words, data in QA and development systems must be managed with the same rigor as that residing in production.  And if extending security controls to these systems is not feasible, then data masking is necessary.</p>
Posted in Access Controls, Business Continuity, Data Security, Network Security, Security Management</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/08/18/qa_dev/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Internet Security Threats Short-lived?</title>
		<link>http://olzak.wordpress.com/2009/08/17/internet-security-threats-short-lived/</link>
		<comments>http://olzak.wordpress.com/2009/08/17/internet-security-threats-short-lived/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 13:24:03 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=385</guid>
		<description><![CDATA[During my daily review of security RSS feeds, I stumbled upon a PCWorld article entitled Internet Security Threats: Swift and Short-Lived.  The first paragraph read,
Internet security threats such as worms and trojans last for just 24 hours, says Panda Security.
Wow!  Somebody must have figured out how to cleanse the millions of infected machines connected to [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>During my daily review of security RSS feeds, I stumbled upon a PCWorld article entitled <em><a href="http://www.pcworld.com/businesscenter/article/170261/internet_security_threats_swift_and_shortlived.html" target="_blank">Internet Security Threats: Swift and Short-Lived</a></em>.  The first paragraph read,</p>
<blockquote><p><em>Internet security threats such as worms and trojans last for just 24 hours, says </em><a href="http://www.pandasecurity.com/uk/"><em>Panda Security</em></a>.</p></blockquote>
<p>Wow!  Somebody must have figured out how to cleanse the millions of infected machines connected to the Web, because that is the only way an Internet threat is eliminated.  However, that was not the case.  Instead, this was apparently a statement about the effectiveness of certain AV solutions.</p>
<p>To make a blanket statement about killing worms and viruses, rendering them impotent, is a little misleading.  Worms and other nasties released into the wild have a life of their own, infesting unprotected systems, waiting for the opportunity to infest computers of users who don’t patch, don’t keep their AV systems up-to-date, or don’t connect to the Web from behind a firewall/router.</p>
<p>If you want to test just how much bad stuff is still out there, simply attach an unprotected Windows PC directly to your ISP (connected straight into your cable modem, DSL modem, etc.) and let it cook for a few days.  Then, do some surfing and downloading of “free” stuff.  (No, don’t use it to check your bank balance.) Finally, install your favorite AV software, start a scan, and stand back.  After you’ve had your fun, remember to wipe the hard drive before using the machine for anything serious.</p>
<p>Yes, anti-malware defense is rather mature.  Yes, a well-managed system and network can repel most old threats.  But don’t assume they’re not still out there.</p>
Posted in malware</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/08/17/internet-security-threats-short-lived/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Blame the auditors: What a concept!</title>
		<link>http://olzak.wordpress.com/2009/08/13/blame-the-auditors/</link>
		<comments>http://olzak.wordpress.com/2009/08/13/blame-the-auditors/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 13:02:40 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Business Continuity]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[threat modeling]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=382</guid>
		<description><![CDATA[I have never thought of this.  After a breach, just blame the auditors.  Wait.  The reason I hadn’t thought of it is because passing a compliance audit IS NOT ASSURANCE OF SECURITY.  But some still don’t get it.
In an interview with CSO’s Bill Brenner, Heartland Payment Systems’ CEO, Robert Carr, blamed his QSA auditors for [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>I have never thought of this.  After a breach, just blame the auditors.  Wait.  The reason I hadn’t thought of it is because passing a compliance audit IS NOT ASSURANCE OF SECURITY.  But some still don’t get it.</p>
<p>In <a href="http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down" target="_blank">an interview with CSO’s Bill Brenner</a>, Heartland Payment Systems’ CEO, Robert Carr, blamed his QSA auditors for a recent (huge) breach.  Because they said his organization was PCI compliant, he felt secure.  Wow.  Security by checklist once again.</p>
<p>Rich Mogull, in an open letter to Carr, makes several excellent points about reliance on compliance instead of solid security practices.  He concludes his letter with,</p>
<blockquote><p><em>But, based on your prior public statements and this interview, you appear to be shifting the blame to the card companies, your QSA, and the PCI Council. From what&#8217;s been released, your organization was breached using known attack techniques that were preventable using well-understood security controls.</em></p>
<p><em>As the senior corporate officer for Heartland, that responsibility was yours.</em></p>
<p><strong>Source:</strong> <em><a href="http://securosis.com/blog/an-open-letter-to-robert-carr-ceo-of-heartland-payment-systems/" target="_blank">An Open Letter to Robert Carr, CEO of Heartland Payment Systems</a></em>, Rich Mogull, 12 August 2009</p></blockquote>
<p>Rich’s letter is a good read, and it should be circulated widely among security professionals and senior executives.</p>
<p>Among other things, this is another case where an organization is falling back on a completed checklist representing compliance with the PCI standard, a bare minimum set of security requirements.  But whether you are HIPAA, GLBA, or PCI compliant, checking off on recommended practices doesn’t equal security.</p>
<p>Each of us is responsible for placing compliance activities within the proper context: guidelines within a broader security program.  No regulatory or industry standards can protect our critical infrastructure or sensitive data.  Only an aware, thinking human who actually cares about security—and understands how standards apply within his or her unique environment—can do that.</p>
Posted in Business Continuity, Data Security, Network Security, PCI DSS, Risk Management, Security Management</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/08/13/blame-the-auditors/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
		<item>
		<title>Hardware Hacking Defense: Can you say physical security?</title>
		<link>http://olzak.wordpress.com/2009/08/05/hardware-hacking-defense-can-you-say-physical-security/</link>
		<comments>http://olzak.wordpress.com/2009/08/05/hardware-hacking-defense-can-you-say-physical-security/#comments</comments>
		<pubDate>Wed, 05 Aug 2009 16:30:09 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[keystroke logging]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://olzak.wordpress.com/?p=379</guid>
<description><![CDATA[I’ve been sort of stuck in the land of physical security lately.  The reason I can’t seem to extricate my brain relates to the dismal facility security many organizations employ.  It’s the lack of good physical security, including employee resistance to challenging strangers browsing the work area, that makes implementation of hardware hacks a real [...]]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><br /><p>I’ve been sort of stuck in the land of physical security lately.  The reason I can’t seem to extricate my brain relates to the dismal facility security many organizations employ.  It’s the lack of good physical security, including employee resistance to challenging strangers browsing the work area, that makes implementation of hardware hacks a real possibility.</p>
<p>Unlike software keystroke loggers and other nasty malware typically obtained via poor user habits—combined with a lack of Web browsing controls—hardware hacks are virtually invisible to AV software.  (See the vendor-agnostic whitepaper, <em>Keystroke Logging</em>, at <a href="http://ow.ly/jaeU" target="_blank">http://ow.ly/jaeU</a>.)  For example, a firmware hack for Apple keyboards was demonstrated at DEFCON 2009.  A related video (<a href="http://ow.ly/jahK" target="_blank">http://ow.ly/jahK</a>) shows security researcher K. Chen gathering keystrokes from a laptop via a compromised keyboard.  The main difference with this hack is the ability to take over the hardware without taking the keyboard apart to install a logging component.  However, the implication of the hack is the same as for other logging issues—physical access to hardware by an attacker means game over.</p>
<p>This hack, and others like it, require physical access to your computers.  How do you keep bad people away from your information resources?</p>
<ul>
<li>Lock your doors.  Only authorized personnel should have access to your business office.  (If you aren’t securing your datacenter, this bullet is meaningless&#8230;)</li>
<li>Train your employees to notify security—or management if on-site security personnel aren’t available—when someone they don’t recognize is in the office area without a guest badge.  (This assumes your organization actually makes employees wear employee badges and guests wear guest badges.)</li>
<li>Make sure your employee training includes social engineering issues.  For example, an employee should know that when a stranger tells him or her that they are replacing the widget control on the computer’s frazzilator, there may be something amiss.  In any case, strangers unaccompanied by regular employees—even if carrying a tool bag—are to be considered suspicious and reportable.</li>
<li>Even if a person has a guest badge, unexplained lingering around cubicles or use of an employee system should be reported.  If unexplained access was gained to a workstation, consider replacing it.  At least ensure that:
<ul>
<li>The keyboard is standard company issue.  (You might consider marking keyboards so they are identifiable as yours.)</li>
<li>There are no unusual components connected to the keyboard cable.</li>
<li>There is no unexplained hardware anywhere in the cubicle.</li>
<li>The Event Logs show no trace of an attack.  (Any attacker worth his or her fees will eradicate any traces of unusual activity&#8211;if they have enough time.)</li>
<li>Your intrusion detection/prevention logs don’t indicate the PC is sending/receiving unusual traffic.</li>
</ul>
</li>
</ul>
Posted in Access Controls, Cybercrime, Data Security, Hacking, Security Management</div>]]></content:encoded>
			<wfw:commentRss>http://olzak.wordpress.com/2009/08/05/hardware-hacking-defense-can-you-say-physical-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/cfebfd2dc49a461c742b4f8feaecb88f?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">TOlzak</media:title>
		</media:content>
	</item>
	</channel>
</rss>