[SecurityRatty] tag: floppy

Confidentiality, Integrity, Availability - Pick Any Two

Fri, 21 Nov 2008 06:50:19 +0000

Under Worm Assault, Military Bans Disks, USB Drives

The Defense Department's geeks are spooked by a rapidly spreading worm crawling across their networks. So they've suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further.

The ban comes from the commander of U.S. Strategic Command, according to an internal Army e-mail. It applies to both the secret SIPR and unclassified NIPR nets. The suspension, which includes everything from external hard drives to "floppy disks," is supposed to take effect "immediately." Similar notices went out to the other military services.

In some organizations, the ban would be only a minor inconvenience. But the military relies heavily on such drives to store information. Bandwidth is often scarce out in the field. Networks are often considered unreliable. Takeaway storage is used constantly as a substitute.

Its almost like we built out a bunch of systems and then connected them to huge networks without building security into the software or something.

A New Way to Back Up Digital Files on paper

Thu, 04 Sep 2008 04:28:19 +0000

This is pretty funny — a free open source application where you can backup your data by printing it, on paper, in a bar code format. A friend of mine says he tried it and that it even works –

PaperBack is a free application that allows you to back up your precious files on the ordinary paper in the form of the oversized bitmaps. If you have a good laser printer with the 600 dpi resolution, you can save up to 500,000 bytes of uncompressed data on the single A4/Letter sheet. Integrated packer allows for much better data density - up to 3,000,000+ (three megabytes) of C code per page.

You may ask - why? Why, for heaven’s sake, do I need to make paper backups, if there are so many alternative possibilities like CD-R’s, DVD±R’s, memory sticks, flash cards, hard disks, streamer tapes, ZIP drives, network storages, magnetooptical cartridges, and even 8-inch double-sided floppy disks formatted for DEC PDP-11? (I still have some). The answer is simple: you don’t. However, by looking on CD or magnetic tape, you are not able to tell whether your data is readable or not. You must insert your medium into the drive (if you have one!) and try to read it.

Paper is different. Do you remember the punched cards? EBCDIC and all this stuff. For years, cards were the main storage medium for the source code. I agree that 100K+ programs were… unhandly, but hey, only real programmers dared to write applications of this size. And used cards were good as notepads, too. Punched tapes were also common. And even the most weird codings, like CDC or EBCDIC, were readable by humans (I mean, by real programmers).

Read the whole thing here.

Service Canada employee loses flash drive

Sat, 28 Jun 2008 19:18:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Service Canada

Victims:
Canadian Residents

Number Affected:
More than 1,500

Types of Data:
Name and Social Insurance Number

Breach Description:
"Service Canada recently sent a letter to 1500 individuals that where affected by a recent incident. It seems that a USB key, containing the names and social security number of 1500 canadians was lost."

Reference URL:
NowPublic
Radio-Canada (French)
Radio-Canada (Google English translation)

Report Credit:
Radio-Canada, via an email from an informed Breach Blog reader

Response:
From the online sources cited above:

An Employee Service Canada has lost in March, a USB stick containing personal information on more than 1,500 Canadians.
[Evan] This statement was translated from french. An employee of Service Canada lost a flash drive with confidential personal information belonging to more than 1,500 Canadians stored on it. Service Canada is responsible for the security of some very sensitive personal information belonging to thousands (maybe millions) of Canadians. As such, the people that are permitted to access (assuming that role-based access control is enforced at Service Canada) confidential information must be properly trained and made constantly aware of the risks involved with creating, accessing, storing, destroying, and transferring this information. Was this employee aware of the risk of using a flash drive to store this information? If so, then there should be consequences for his/her actions. If not, then Service Canada really needs some help. Training and awareness is only a part of an effective information security program, but it is a very important one. Are flash drives permitted for use at Service Canada? They probably shouldn't be.

The agency sent a letter to the persons concerned to advise them of the situation and asking them to check their bank accounts, their credit file and expenditure on their card.

Among the information contained in the key, were found including the names of persons and their number of social insurance.

One of the victims wanted to know why Canada Service data contained on the key, a minidisk drive, were not protected. "They said they did not want to invest to secure customer data," said Queen Fraser.
[Evan] Obviously, this is an unacceptable response and probably one that wasn't authorized.

There are a few problems with this statement of course... First and foremost, Service Canada employees need training in Security incident management and, in particular, in the important aspect of security incident communications.
[Evan] Among many other things, I'm sure.

Second, this means that they are either not aware of Governement of Canada security policies or Privacy policies as published by Treasury Bord [sic] Secretariat, or they do not care.

The government agency has opened an investigation and added that no identity theft had been reported.

It did not specify whether measures have been taken to avoid another incident.
[Evan] We can only imagine what the current state of information security is at Service Canada. It may be worse than some of us think, and it may be better than others of us think. In my opinion, Service Canada owes a thorough explanation to the victims of this breach and owes detailed assurances to Canadian citizens.

As anyone with some knowledge of IT security practices can tell you, USB keys should not be used to carry delicate, protected or private information.
[Evan] In general, I agree.

If it must be done then, at a minimum, a threat and risk assessment must be done and proper encryption of the data must be used.
[Evan] I absolutely agree. Risk management is critical.

However, mosts organisations that deal with data that is sensitive, protected under privacy laws, such as PIPEDA, commercial trade secrets or of national interest (such as National Defence secrets) AND are serious about IT security would disable floppy disk drives and USB ports on most computers.
[Evan] Most "organisations" should, but unfortunately most do not.

Commentary:
I would like to think that this is an isolated incident at Service Canada, but I don't think that it actually is. I would like to see the Privacy Commissioner of Canada investigate and audit the security program and practices at Service Canada. We'll see if this happens. I don't expect things to change until the people responsible are held responsible.

How does the Canadian government expect the private sector to provide adequate security measures for the protection of personal information if it does not follow best practices and the law itself?

Past Breaches:
Government of Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600
December, 2007 - Passport Canada web site suffers serious breach
June, 2008 - Canadian farmer personal information on stolen CCGA laptop
Service Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600

Cloud computing - I want my cake and eat it too

Sun, 08 Jun 2008 18:20:19 +0000

Its easy to dismiss Don Dodge's asking "Do you really want your data in the cloud" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and Typepad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability.

Don has a point, even though net access and SaaS services are much more mature than they were in the past, there is always the times when it does not work. For that matter, cell phones, blackberries, and cable TV don't always work either. An indication of how vital something has become is how much we miss it if it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and the applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy discs was so empowering. But even than, problems accessing data on a disk or an application not behaving or security problems could render you just as frustrated on your non-networked device as an Amazon or twitter being down does now.

Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to recognize the dreams of many of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and off line on my computer, than sync up later. Ultimately when it comes cloud versus local computing, I want my cake and eat it too.

Disinfecting a virus-laden PC

Sun, 13 Apr 2008 20:00:00 +0000

When I insert a floppy into the A: drive and the floppy is used on another computer, that computer either then gets the virus or the anti-virus software on that computer reports that there is a virus trying to get access/control of the computer. How can I get rid of the virus?

HP admits to selling infected flash-floppy drives

Mon, 07 Apr 2008 09:00:00 +0000

Hewlett-Packard has admitted to selling HP USB Floppy Drive Key drives that were pre-infected with malware.

Spygate in Formula One racing Or: Dont forget your ancient floppy disks!

Thu, 27 Mar 2008 13:16:37 +0000

For those who didn’t know, the Formula One racing series has recently started in Australia and Asia. While high-speed enthusiasts in the US flock to NASCAR or the IndyCar series, the rest of the world is hooked on the F1 racing circus (kind of similar to the situation with football/soccer…).

Anyway, as a security professional you have probably heard of last year’s massive data theft involving several high profile Formula One teams like Ferrari, McLaren, and Renault. What you might have not heard is how the technical data got stolen: Well, in the ultra sophisticated and technologically advanced world of Formula One racing, design plans and test results were simply copied to a bunch of floppy disks. Yes, floppy disks - those early versions of portable media devices that never really made it into the new millennium!

Having recently had a chance to chat with a CISO from a European F1 team, I can assure you that data theft via traditional data loss channels like email, IM, and FTP, as well as endpoint activities like copying to USBs, CD-Roms, external hard drives, and yes, floppy disks are now sufficiently safeguarded with the help of modern data loss prevention (DLP) solutions. F1 teams simply cannot afford to lose critical data because even small data pieces can mean the difference between winning and losing races. And likewise, merely having stolen information in your network (e.g., your competition’s construction plans or results from aerodynamic testing brought along by a newly hired engineer), can – under the tight regulatory rules of the FIA – lead to anything from hefty fines to (more likely!) exclusion from races, i.e., put you out of business…

The moral of the story? Please manage and safeguard all possible data theft channels and know what data resides in your network! That is, unless you want to risk losing your next data security race.

Are your digital devices Certified Pre-0wned?

Mon, 17 Mar 2008 13:11:45 +0000

I took part in the L0pht Reunion Panel at the Source Boston conference in Cambridge, MA last Friday. It was a lot of fun to get back together with the “band” and pontificate with no holds barred about the latest security threats, just like we did in the old days.

One of the questions asked of the panel by moderator Michael Fitzgerald (who did a kick-ass job) was, “What scares you the most these days?”. My answer was the proliferation of of inexpensive digital devices made in China that we plug into our computers. The malware problem is getting tricky to dodge. First you couldn’t open email attachments you weren’t expecting. Then you had to worry about surfing even trusted websites with JavaScript turned on, even with the latest patched browsers. Now you have to worry about plugging in the shiny new digital toy you got as a gift. Perhaps its a digital picture frame, digital camera, music player or silly programmable gizmo. Welcome to the age of factory installed malware –the age of devices coming Certified Pre-0wned.

The Associated Press writes:

Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores and TomTom navigation gear.

In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.

We all know malware is starting to fly under the radar of black list style detection. Low volume malware is flooding the AV labs’ capability to build detection for it. The digital picture frame sold at Sam’s club was infected with previously unknown malware that stole passwords and turned off AV software.

An additional threat that has been reported is devices have been found infecting the flash memory cards that are often inserted to upload photos. From SANS:

“Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it. Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe. The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file. At first I thought this virus came in on one of our employee’s pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us. Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus. “

We are back to the days of the floppy or “sneaker net” attack vector. Do you know who has touched your SD card or USB drive? Don’t use it in public. Don’t share it with multiple machines. Dan Geer told me he once tossed a USB drive into an audience with the slides for a presentation he just delivered on it. About 10 people passed it around and copied off the slides. It came back with a virus on it. And this was at a security conference.

Cascade Healthcare Community donors affected by malware

Fri, 07 Mar 2008 11:02:22 +0000

Technorati Tag: Security Breach

Date Reported:
3/5/08

Organization:
Cascade Healthcare Community

Contractor/Consultant/Branch:
St. Charles Medical Center (Bend - Redmond)

Victims:
"community members", Donors

Number Affected:
11,500

Types of Data:
Names, addresses, dates of birth and credit card information

Breach Description:
"A computer virus may have exposed the names, credit card numbers, dates of birth and home addresses of more than 11,500 individuals who donated to Cascade Healthcare Community in Bend and Redmond"

Reference URL:
Cascade Healthcare Community press release
The Oregonian
The Bend Bulletin

Report Credit:
Cascade Healthcare Community

Response:
From the online sources cited above:

Like all health care organizations, Cascade Healthcare Community has a strong commitment to protecting patient and employee information.
[Evan] We would like to think "all health care organizations" have a strong commitment to protecting patient and employee information, but some obviously take this commitment more seriously than others.

Unfortunately, CHC was recently the victim of a computer virus that may have made some personal information vulnerable to inappropriate use.

Despite having an anti-virus security system in place, the CHC computer network was hit by a virus on Dec. 11.

The IT group immediately worked to halt the attack and closely monitored the network for several weeks before detecting suspicious activity on Feb. 5. At that time, CHC hired an external information technology forensic team to investigate the incident.

After an exhaustive forensic evaluation, CHC learned Feb. 20 that some personal information stored on our systems may have been compromised.

This information included names, addresses, dates of birth and credit card information for approximately 11,500 members of our community.
[Evan] Although I think I understand why this information was kept by CHC, I don't agree with CHC's decision to keep credit card information on file. I can see something like this as a statement, "In the best interests of CHC, it's donors and patients, we do not store credit card information".

At this time, there is no evidence indicating any patient health information was compromised.

“Although the investigation provided no indication that information was misused, CHC is working quickly and diligently to provide all affected members of our community with leading credit monitoring services at no charge,” said James A. Diegel, FACHE, President and CEO of CHC.
[Evan] Mr. Diegel understands that the information security buck stops with him. As an organizational leader, he understands that he is ultimately responsible for the due care of information assets. I admire Mr. Diegel for addressing this situation personally.

“We want to express our sincere apologies to those community members who have trusted us with their information for the inconvenience and worry this situation may have caused.”

CHC has contracted with an industry-leading provider of credit monitoring services and is providing free enrollment in a 12-month credit monitoring program for those affected. All potentially affected individuals will receive additional information directly from this agency within the next several days that includes information on enrollment.

In addition to community member information, CHC has learned that usernames and passwords of all CHC employees were also vulnerable for a short period of time.

All caregiver passwords were changed as of 2 p.m. on Thursday, Feb. 21 and there is no evidence that unauthorized users accessed individual patient health information.

“It is vital that we continue to raise the level of security within the organization,” Diegel said. “We are working diligently on all levels of security from educating caregivers on the importance of protecting their passwords to upgrading our virus protections.”
[Evan] "It is vital that we continue to raise the level of security within the organization". This is one of the best statements I have read from an organization leader in some time. It is vital that ALL of us raise the "level of security" within our areas of responsibility (personally and within our organizations) and explore ways to continuously improve our security posture. This is a never-ending cycle.

A few select FAQ's from the press release:
Q: Is there any way to find out how this virus entered the environment?

A: We suspect that it was through an Internet Web browser or through a thumb drive or floppy disk media. We do not know who did this and whether it was done intentionally or by accident. We have no guarantee we will ever find out who did this.
[Evan] This is all too common. Understand that each and every connection we make from work to an Internet site is a potential (and at times successful) avenue of attack. We weigh the convenience and business benefits of using the Internet against the risk of exposure. It's about balance.

Q: What is Cascade Healthcare Community doing to prevent this from happening in the future?

A. Cascade Healthcare Community has examined and analyzed existing procedures and systems to ensure appropriate security measures are in place. We have taken immediate steps to increase our investment and focus in the security area. We have created a multiple-step plan to outline immediate and also longer term steps. New virus software and approaches are developed each and every day worldwide. Our protection is a full-time evolving strategy.

Commentary:
I am very impressed with Cascade Healthcare Community's press release. The information they provide paints a clear picture of what happened and helps me to feel confident that they know what they are doing. I would just suggest that they not store credit card information anymore (if possible).

Past Breaches:
Unknown

Who do you trust?

Fri, 08 Feb 2008 19:04:45 +0000

I came up in the network / security industry with the concept of "trust no one" at the forefront of my brain. Well, trust no one until you have been given assurance that you should trust someone or something.

So, do you trust "Virtual Disk Images" downloaded off the internet? Would you download an image from VMWare's Virtual Market Place or a web site called ThoughtPolice.com?

Have no clue about what I am talking about?

Well, one of the cool things about virtualizaiton is that servers and desktops now have the ability to go mobile. They can be copied from place to place and even be downloaded off the internet. This capability makes it easy for you to get a server up and running.

Remember the days when you had to install a Novell 3.11 server from 20-30 floppy disks? It was painful wasnt it? Worse than watching paint dry. You had to stare at a screen and wait for the next prompt to change the floppy disk. Then you would get to a question to enter some information that you didn't have a clue about and then have to rush to grab the manual.

Well, now with virtualization you or someone else can go through the installation process and once the server is installed, you can replicate it without having to ever install it again.

The problem with the above sentence is "someone else". Again, I trust no one else and I definitely don't trust someone I don't know installing a Linux server and publishing it on the internet for me to use.

But there are many people out there in the world that are ok with downloading "Virtual Disk Images" off the internet and placing them either in lab environments or production environments. The problem with this is that anyone could create a Virtual Disk Image of the latest Fedora Linux operating system, purposely embed a trojan or virus in it and make it readily available on VMWare's Virtual Market Place or sites like ThoughtPolice.com

Click Me Click Me

An unsuspecting, trusting individual could then download that "Virtual Disk Image", run it inside their VMWare environment and the next thing you hear is there data center or lab is attacked.

Downloading these virtual disk images are more dangerous than downloading a file off the internet or clicking on an attachment in an email from an unknown sender. Why do I say this? Because downloading a virtual disk image is a FULL ON operating system with many applications in it. If a hacker has control of a full operating system they can do things like schedule attacks that happen in the middle of the night, port scan your network for information and email the results to a BotNet Master and even run a packet capture of traffic and FTP that to a BotNet master. Imagine the possibilities and imagine being able to run any application not just a small file attachment. An application buried in a directory somewhere on the Virtual Disk Image.

Did I just bum you out and paint another picture of doom and gloom?

Well, its not all doom and gloom. Knowledge is power as they say and now with this knowledge you should think twice before downloading an image off the internet and use it without fully checking it out. Fully checking it out means running anti-virus software INSIDE the image and making sure you have VM to VM aware firewalls within your virtual environment to isolate traffic flows between VM's.

Lastly, I think downloading these images is pretty cool and would love to be able to take advantage of someone else watching the paint dry during an installation however, I think there needs to be a "Verisign" of Virtual Disk Images. This way someone who you trust can do the work of inspecting these images for me.

-JP