UMW IT Security

Blog is moving.

ccalvert — Fri, 22 Feb 2008 18:57:53 +0000

Update your bookmarks, RSS feeds, etc.

The new location for this blog will be http://ccalvert.umwblogs.org

Thanks

Disk Encryption Bad News!

ccalvert — Fri, 22 Feb 2008 18:27:33 +0000

After being excited about the new version of Truecrypt and learning of FREE Compusec, this study really yanked the rug out from under full disk encryption. Researchers at Princeton discovered fairly easy ways to get a disks encryption key if a computer is on and even recently turned off. What is really bad news for some implementations of Bitlocker, and possibly other disk encryption techniques that store the key in a TPM chip, is that the computer can be turned off for months and this attack is still effective.

Other then making sure one’s computer is turned off completely — no sleep mode, even hibernation in some cases — there isn’t a good defense for software based full disk encryption. Segate’s Momentus FDE isn’t currently subject to this attack because the drive stores the key in it’s own memory chip independent of the system RAM.

This research from Princeton is certainly going to cause manufacturers to make new hardware technology to protect against RAM dump attacks.

Disk Encryption Good News!

ccalvert — Fri, 22 Feb 2008 18:27:21 +0000

Good news in the full disk encryption arena. Truecrypt 5.0, and now 5.0a, has been released. The most important new feature in the Windows version is that can encrypt the entire Windows system partition. Finally, an open source full disk encryption product for Windows. I’ve been using the full encryption on my home machine since Feb. 17th and there doesn’t seem to be any conflicts or performance issues. Steve Gibson, of GRC.com, ran a test (defragging copies of a hard drive) that showed performance to be increased under Truecrypt compared to an unencrypted drive. One limitation of TC’s full disk encryption is that it doesn’t support hibernation so it may not be suitable for most laptops.

Truecrypt also released versions for Mac OS X, though not full disk encryption. Along with Windows and Linux support Truecrypt volumes can be very portable between systems.

In addition to Truecrypt, FREE Compusec is a free, though not open source, product for full disk encryption for Windows. This product does support hibernation and it has some other features not currently in Truecrypt. I will do an evaluation of this product as well.

Accessing the Internet with lower privileges. (Subtitled: Surfing Safer)

ccalvert — Thu, 05 Jul 2007 20:31:53 +0000

By default XP creates all users as full administrators on the PC. Now I know that everyone creates another account for day-to-day use that has fewer privileges, right? No?

After patching and having a firewall, including a home router, the main ways that machines are compromised are through malicious web sites or e-mail. Using one’s web browser as a full administrator makes it much easier for a computer to get ‘owned’. Where I used to work the vast majority of the users were not local administrators. Scans would be done to look for malware and occasionally there would be machines that had lots of spyware installed. In every case the user’s account would have elevated privileges.

That being said, it can definitely be a pain to have two different accounts (though there are techniques that help quite a bit. RunAs.exe, for example). Since most attacks come through web browsers or e-mail, there is a way to run them in a safer way.

One way to surf safer is to use Firefox, Opera or some other web browser besides Internet Explorer. I’m not saying IE is poorly coded but it has three things working against it:

It is the most commonly used browser so it is the biggest target
It is closed source which prevents thousands of security experts looking over the code
It uses Active-X which is not officially supported, and not ‘allowed’ because of Microsoft patents.

Many pages don’t work properly in non-IE browsers. There is great plugin that allows pages to opened inside of Firefox being rendered by IE. This plugin is set to always open Microsoft or MSN sites in IE. Other pages can be opened in IE with a right-click.

Instead of Outlook or Outlook Express for e-mail use Thunderbird or Eudora (which will be open source soon). Regardless of the e-mail client, attachments should be considered unsafe by default. Gmail is a great way to protect one’s computer from malware via e-mail as they have quite a few layers of protection.

Another option, which may not be for everyone, is to launch programs with fewer privileges. There is a tool that was recently purchased by Microsoft called PsExec which can, among other things, launch processes but it “strips the Administrators group and allows only privileges assigned to the Users group.” What is handy about this method is that all bookmarks (excuse me, Favorites) are still the same and it is possible to run the program as an admin if necessary. Here is sample syntax for launching IE with PsExec.

psexec -l -d “c:\program files\internet explorer\iexplore.exe”

I’ve changed most of my IE shorcuts to use the above syntax. I’ve been using it for about a year now and most sites work just fine. Ironically, the Windows Update site does not work unless it is running as an admin. No problem, I just launch IE from an unmodified shortcut.

Once again, none of the above techniques help with saving attachment or downloading malware and then launching it separately. Don’t trust attachments. Gmail won’t even let you download a .EXE file.

Oh yeah, some of you are wondering about Vista. Well Vista, by default, runs account with reduced privileges and then asks “Are you sure”, if the program wants to do something normally requiring admin rights.

PayPal Security Key

ccalvert — Thu, 05 Jul 2007 19:32:18 +0000

Multi-factor authentication (biometrics, security token, etc.) is better than using a password alone. For $5 one can get a security key for PayPal. I’ve always been a fan of PayPal because it is safer than credit cards in that money is transferred in exact amounts to vendors. Only PayPal has to have the credit card information.

PayPal, though great, is still susceptible to attacks in that a password can be guessed or keystroke loggers can capture login credentials. The new security key takes care of those two attacks. Read more, or order your own, here.

Using “PGP” in Gmail

ccalvert — Fri, 18 May 2007 14:10:34 +0000

Yesterday, someone asked me if I use PGP, and at the time I wasn’t, but I am using it now. The methods I used are likely to be applicable to UMW students, because I set this up in Gmail. Next year, hopefully, Gmail will be the standard e-mail for students.

I initially set this up on a Mac and used these instructions to get started. Things didn’t seem to be working at first, but after opening a new terminal all was well. This link helped with some of the syntax, and finally, here is the link to FireGPG to install the extension that hooks into Gmail running in Firefox.

The above is a screenshot showing the new buttons, context menu, and an example of encryption in Gmail.

At home on my Windows machine I installed the GnuPGP for that OS and imported the keys I had created on the Mac. I’ll probably use this software for key management on Windows.

Also for a Mac you may want to use GPG Keychain Access for managing keys. Here is an option for Gnome users.

Happy Crypting!

Giving Blink a try.

ccalvert — Thu, 17 May 2007 16:51:19 +0000

Blink Personal, might be the only security software to add to a PC. Here is a list of features from eEye.com.

Blocks and removes viruses, spyware, worms, trojans, and other malicious programs
Protection from unknown ‘zero-day’ attacks
Protects against Identity Theft and Phishing attempts
System and Application firewalls protect against hackers and unauthorized system changes
Intrusion prevention and system protection prevent remote attacks and unauthorized program execution
Detection of missing operating system and application patches
Detection of weak configurations that leave personal information at risk of being compromised

Another awesome feature is that a another version of eEye’s flagship software is with this product. A personal version of Retina scanner allows for doing vulnerability scans on your own computer, and it only takes a few minutes. Not only does it check for typical Micrsoft vulnerabilities, but other software as well. I was reminded to update my Quick Time and iTunes because they contained critical vulnerabilities.

I was also surprised that it stated there were some critical problems with Word. It said there are no fixes for these particular problems yet, just to be careful what documents you open. At my former job some of the overseas posts where compromised to zero day exploits in Word. So reading this brought back memories of having to change every single password on a network of over 50,000 users.

Anyway, here are some of the negatives to Blink.

It is only free for the first year, but I think I’ll be paying the $29.00 for it next year.
It will report incidents back to the mother ship. This is to allow eEye to make a better product, prevent false positives, etc.
It wants you to uninstall previous security type programs such as anti-virus, personal firewalls, etc. I was already going to uninstall my anti-virus but was looking for a good substitute. Some of the legitimate security tools I use Symantec wants to eat, and I can’t find a good way to stop the program from doing that.
Like many outbound firewalls, it can annoying to get them trained properly. It already understands common Internet software such as Firefox and IE, but it did not like my news reader or Groupwise client, but all seems to be calm now.

I’m going to give Blink a try to see how it behaves. It looks very promising as a different, yet thorough, way of protecting one’s PC.

Update, 18May2007: Blink can be a pain for those that use not-that-popular Internet software. It will take a while to train, and it did eat some of my legitimate-software-that-can-be-used-for-nefarious-purposes, but at least it was easy to tell it to spit it back out and don’t eat it again.

Update, 15June2007: Blink is now off most of the time. If eEye would streamline some usability options then this would be a great product. I rebooted my laptop where I didn’t have any Internet connectivity, and it took over 5 minutes just to shut down Blink. Skype and LogMeIn couldn’t connect to servers, obviously, so they kept trying multiple servers and multiple ports. Blink was extremely offended by this behavior and kept asking “Are you sure?” every time Skype or LogMeIn tried something else.

When the “Are you sure?” prompt was up I couldn’t disable Blink via the icon in the tray because this is how the software was designed. I tried stopping the service but kept getting “access denied”. So, I had to set up rules in Blink to allow Skype and LogMeIn to be able to talk to any IP on any port before I could stop Blink. There should be another way to quench a security product’s desire to do good without making one’s computer wide open to external servers. And it wasn’t just Skype and LogMeIn, there were other things running such as Quicktime, Groupwise and ClamWin that were trying in vain to phone home.

Then again, without Blink, or similar, running then those applications could talk to whomever they’d like. I do basically trust Groupwise, etc., but I’d like to know when some unknown program tries to open a connection. Sooo, if there was a better way to simply state that Program X can be trusted (like the behavior of older ZoneAlarm), then Blink would be a more pleasant program.

FTP alternatives

ccalvert — Wed, 09 May 2007 13:15:25 +0000

As of July 1st, FTP access to the main shares will be disabled from the Internet except for faculty and staff using a VPN. As of the Fall, FTP access will be disabled altogether. This link lists other options for getting to a share.

Unfortunately, none of the alternatives work with Vista out of the box, however, NetStorage does work if one installs and uses Firefox. NetStorage only allows one file to be uploaded/downloaded at at time, but at least it is a viable option until, hopefully, one of the other options will be updated to work with Vista by the Fall.

Update: Another workaround for Vista that does work without installing additional software is to disable TLS 1.0 in Internet Explorer, but make sure SSL 3.0 is still set. This will allow NetStorage to work with IE. Use this option only as a last resort because it does lower the security posture.

Using Firefox has security advantages, mainly that it doesn’t allow ActiveX applets to run. It is also open source which means that hundreds, if not thousands, of security experts have gone through the source code looking for exploits. Mozilla offers a $500 reward for any security flaws found in Firefox (as long as the flaw isn’t exploited by the discoverer).

Windows users, There’s a new exploit in town!

ccalvert — Tue, 03 Apr 2007 17:16:39 +0000

There is a newly found vulnerability that effects Internet Explorer, Outlook, Outlook Express and even the Windows’ OS itself. Actually, the discovery isn’t that new, the flaw was reported on 20 Dec. 2006 to Microsoft.

The short answer is to make sure antivirus definitions are up to date. All major AV vendors had an update over the weekend for this new attack vector. Avoid using Outlook Express if at all possible because the exploit will fire even if viewing in text mode. Use Outlook in text mode, and only use IE for going to known safe sites.

Microsoft says there will be a patch today. This must be a big threat for MS to release a patch out of cycle, which is normally the 2nd Tuesday of each month.

Disk Image Encryption for Macs

ccalvert — Fri, 30 Mar 2007 12:33:54 +0000

TrueCrypt was mentioned in an earlier blog entry as a way to encrypt part of a drive. This great utility is only available for Linux and Windows. Well, Mac OS X has a built in way of encrypting disk images.

As with TrueCrypt this method can be used for encrypting portions of a drive, and sections of a thumb drive as well. I’m liking Macs more and more as time goes on. ; )