
Thursday, December 22, 2011

(I) great example of session timeout.. Everyone should follow this

So many times in our business we ask about or evaluate an application's session timeouts.  We hear "But we have screen savers on the Windows systems enforced by Group Policy".  That is not a session timeout; that is a terminal-locking requirement.

So many times you see apps stay open all day, overnight or over the weekend.  You have no idea who is actually using the app at any given time.  Session timeout lets IT and InfoSec know who has used an app recently, giving us more accurate troubleshooting and resource management.  If you are an admin of an app that does not time out... Well, that's not good either.

So take a look at how HootSuite times you out after an hour and forces you to log in again...  Banks do it, so should all Internet apps... 1 hour is plenty of time.  If you don't like logging in, then use a URL & password manager like LastPass to speed things up.
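The timeout behaviour described above, as an added example that is not part of the original post: a small in-memory session table in Python that expires a session after one hour of inactivity (and after a hypothetical absolute cap), forcing a fresh login, and lists who has used the app recently. The store, the 8 hour cap and the injectable clock are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 60 * 60        # one hour idle, the limit the post recommends
ABSOLUTE_TIMEOUT = 8 * 3600   # hypothetical hard cap: re-authenticate at least once a shift


class SessionStore:
    """In-memory session table with idle and absolute expiry (constructed example).

    A screen saver locks the terminal but leaves the server-side session alive;
    this store is the server-side half: a token that is not used for IDLE_TIMEOUT
    seconds, or that is older than ABSOLUTE_TIMEOUT, stops authenticating requests.
    `clock` is injectable so expiry can be exercised without waiting an hour.
    """

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.time):
        self.idle = idle
        self.absolute = absolute
        self.clock = clock
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def login(self, user):
        """Issue a fresh, unguessable token after the user has authenticated."""
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def touch(self, token):
        """Validate the token presented with a request.

        Returns the user name, or None when the token is unknown or expired.
        Expired entries are removed, so the table only ever lists live sessions
        and the user must log in again, as the post describes for HootSuite.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle or now - s["created"] > self.absolute:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Explicit logout: drop the session immediately."""
        self._sessions.pop(token, None)

    def active_users(self, within=IDLE_TIMEOUT):
        """Who has used the app in the last `within` seconds: the troubleshooting
        and resource-management view the post says timeouts give IT and InfoSec."""
        now = self.clock()
        return sorted({s["user"] for s in self._sessions.values()
                       if now - s["last_seen"] <= within})


if __name__ == "__main__":
    # Walk one session through a quiet afternoon with a fake clock.
    fake = [1_000_000.0]
    store = SessionStore(clock=lambda: fake[0])
    tok = store.login("alice")
    fake[0] += 45 * 60
    print(store.touch(tok))        # alice: 45 minutes idle is inside the hour
    fake[0] += 61 * 60
    print(store.touch(tok))        # None: over an hour idle, session gone
```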

Wednesday, December 21, 2011

(I) How to erase a hard drive before re-using, a service call, giving away or selling a computer


In our business losing data is a bad thing... A very bad thing.  So what do we do when we need to end-of-life or recycle a PC, server or anything else with a hard drive?

Do you have a computer you ever gave to someone?  Or someone gave to you?  What was on the hard drive?  Retired a server?  On the professional side we have to make sure these drives are wiped, erased or sanitized before they leave the building.  Or do we?

Let's take a look at some options to wipe, erase or sanitize drives to protect the data that was/is on them.  This blog will not address the ghost images that require a lab and a microscope, or how many wipes it takes to remove them.  It covers realistic everyday needs for InfoSec and IT professionals.

Encryption as a protection:

If the hard drive was encrypted, then that is as good as wiping the drive.  Just format the drive and you're done.  The encryption has already rendered the data random to anyone without the key, which the new owner won't have or know about, and formatting the drive hides it further.  If you use BitLocker, Credant, PointSec, McAfee or another disk encryption solution that encrypts your drive, you can be fairly sure the data will not be recovered if someone tries.

Warning:  BitLocker is not a full disk solution and will only encrypt the active data, so if you have a 1 TB drive, re-installed Windows, enabled BitLocker and protected say 25 GB, you will have an exposure of data that was once there past the 25 GB before you encrypted.  Free space can be an issue if data was once there prior to using BitLocker.

If you use TrueCrypt like I do to make encrypted volumes on hard drives and USB drives, this too should be sufficient to protect any data on the drive if you format it and give it away.  You could just create the biggest volume you're allowed and encrypt it with TrueCrypt.  Now there will be a big block of bits that, once reformatted, would be pretty much worthless to the new owner.



RAID:

If you think a set of drives in a RAID array would be safe if you broke a drive out of the array, you would be incorrect. I can tell you, as I was involved with decommissioning a SAN, that we tested a single drive from a RAID group and retrieved data. You will have to treat non-encrypted SAN drives the same as any other drive. Newer SANs have secure clearing options as part of maintenance, so check if your system has the option; better yet, make it a requirement for your next SAN or RAID storage solution.

Wiping:

Wiping is where you write the entire drive with 0's, 1's or any other character(s) over the entire disk surface, and then again and again to meet whatever legal or regulatory requirements you might have.  DoD wiping at a minimum is 3 passes (standard DoD 5220.22-M); US DoD 5220.22-M (ECE) requires 7 passes, and there are requirements for even more passes in order to cover up any ghost data that researchers have found can reside on the drive.... using a fancy dancy microscope and lab.

Although writing 0's (filling with zeros) over the entire disk will not satisfy government data standards such as DoD 5220.22-M or NIST Special Publication 800-88, overwriting the entire hard disk prevents most forensic tools from recovering useful data, which is what we are most concerned with.

Reality... A 1 pass wipe with, say, the free version of KillDisk or a vendor disk tool is plenty, and an effective way in both time and cost to scramble data that might have been on the drive.  If you have requirements to wipe a drive more than 3 times... Do yourself a favor and just destroy the drive.. Shredding is faster, cheaper and requires less staff time.
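The format-versus-overwrite point from the encryption section and the wipe and verification steps described above, as an added example that is not part of the original post: Python code that builds a constructed disk image with planted "sensitive" bytes, shows that a quick format leaves most of them in place, then overwrites the whole image (1 pass, or the 3 pass zeros/ones/random sequence) and reads it back to verify. The image layout, marker string and sector sizes are assumptions for illustration.

```python
import os
import secrets
import tempfile

SECTOR = 512
BLOCK = 64 * 1024                           # read/write chunk size for the image
MARKER = b"CONFIDENTIAL-PATIENT-RECORD"     # constructed stand-in for leftover data

def make_sample_image(path, size_mib=2):
    """Create a constructed disk image: zeros with MARKER planted in four places,
    one inside the area a format rewrites and three out in the data area."""
    size = size_mib * 1024 * 1024
    with open(path, "wb") as f:
        f.truncate(size)
        for off in (SECTOR * 8, SECTOR * 1024, size // 2, size - 2 * SECTOR):
            f.seek(off)
            f.write(MARKER)
    return size

def quick_format(path, metadata_sectors=64):
    """Simulate a quick format: only the filesystem metadata at the start of the
    disk is rewritten; file contents further in are left exactly where they were."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR * metadata_sectors)

def overwrite(path, passes=1):
    """Overwrite the whole image. Patterns cycle 0x00, 0xFF, random, so passes=3 is
    the classic zeros/ones/random sequence and passes=1 is the single zero pass the
    post calls sufficient. Returns the final pattern byte (None if random)."""
    size = os.path.getsize(path)
    patterns = [b"\x00", b"\xff", None]
    last = None
    with open(path, "r+b") as f:
        for p in range(passes):
            last = patterns[p % len(patterns)]
            f.seek(0)
            remaining = size
            while remaining:
                n = min(BLOCK, remaining)
                f.write(secrets.token_bytes(n) if last is None else last * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return last

def verify_pattern(path, pattern):
    """Read the whole image back and check every byte matches the final pattern.
    This is the verification step; a wipe that is not read back is an assumption."""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != pattern * len(chunk):
                return False
    return True

def marker_offsets(path, marker=MARKER):
    """Scan the raw image for the marker, ignoring any filesystem, the way a
    carving tool would; returns every offset where it still exists."""
    hits, pos, tail = [], 0, b""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            buf = tail + chunk                 # carry a partial match across chunks
            i = buf.find(marker)
            while i != -1:
                hits.append(pos - len(tail) + i)
                i = buf.find(marker, i + 1)
            tail = buf[-(len(marker) - 1):]
            pos += len(chunk)
    return hits

def demo(passes=1):
    """Format, then wipe, a temporary image and report how many markers survive."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_sample_image(img)
        before = len(marker_offsets(img))
        quick_format(img)
        after_format = len(marker_offsets(img))
        last = overwrite(img, passes)
        return {"before": before, "after_format": after_format,
                "verified": None if last is None else verify_pattern(img, last),
                "after_wipe": len(marker_offsets(img))}
```

`demo()` returns `{'before': 4, 'after_format': 3, 'verified': True, 'after_wipe': 0}`: the format removed only the copy sitting in the metadata area, the single pass removed the rest and the read-back confirmed it.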

How long does wiping take?
Wiping a drive takes a loooonnnng time...  Recently I wiped a 250GB drive with KillDisk (free 1 pass wipe) and it took 1.5 hours.  If that drive were a 1TB drive it would take roughly 6 hours just for a 1 pass wipe.  Using 'Boot and Nuke', a 3 pass wipe to meet minimum DoD would take roughly 44+ hours for a 1TB drive.  Actually the 3 pass wipe of the same 250GB drive using 'Boot and Nuke' took just short of 11 hours... For a 1 pass wipe it took almost 5 hours.  Clearly KillDisk is more efficient at wiping a drive.

This length of time for just one drive makes wiping an extremely time consuming prospect.  You would have to set up several systems to attach drives to and run the utilities to wipe the disks.  A typical corporation would have too many drives and could make this a full time job, not a cost effective or good use of people's time... unless you are required to for legal or regulatory reasons.  You would then buy an expensive multiple drive unit or utilize a service.

By the Numbers... What it took me:

  • 250GB - Long Test using SeaTools = 1.0 hour (validate/repair drive)
  • 250GB - Full Erase using SeaTools = 1.5 hours
  • 250GB - 1 Pass wipe using KillDisk = 1.5 hours
  • 250GB - 1 Pass wipe using DBAN = 5.0 hours
  • 250GB - 3 Pass wipe using DBAN = 11.0 hours
  • 500GB - Long Test using SeaTools over USB = 2.5 hours
  • 1TB - Full Erase using SeaTools = 5.5 hours
  • 1TB - Full Erase using SeaTools over USB = 8 hours

Of course how long wiping takes will vary with the type, speed and performance of the drive model, but you can get an idea of what to expect from these numbers.

Tip:  If you get a drive that shows really long time estimates that are not what you normally see, just destroy it; it's not worth the time and is probably older and slower.

Drive vendor tools:

All the hard drive vendors have bootable or Windows utilities that can maintain/repair the drive and even wipe it.  Seagate/Maxtor, Western Digital, Samsung, Hitachi and others all have tools to help wipe drives.  For this blog I tested Seagate SeaTools on a 1TB drive.  Wiping took roughly 5 1/2 hours, roughly the same as a 1 pass KillDisk wipe.

Use a service:

If you don't want to deal with this issue you can opt to take all the drives you retired and give them to a service that will shred them for you and 'POOF', problem solved.  Just make a form to record the drive serial number, the system it came out of, the date the drive was destroyed and who did it, with a signature, and you would be in good shape for an audit.  Destroying takes no time at all and is fun to watch too!!!  Damn loud.

These services may also provide wiping, but compare the cost to destruction.  You may find that disk encryption on the systems, in the quantities you need, is a cost effective, time saving option vs. wiping more than 1 pass.  Keep in mind that if you lease systems or have service contracts, you may have to negotiate what to do with the drive and get the proper wording in your contracts to allow you to wipe or destroy a drive before returning it to the vendor if the drive is NOT encrypted.  You may be in a pickle with your vendor needing the drive back if the drive is NOT encrypted and you can't wipe or destroy it.

So?

The whole purpose of this blog entry was to develop a process to retire and recycle hardware where we have to ensure the data that was on the system has been wiped, so a system can be reused by another party, either internal or external to the company.  The advantage of using a Windows based solution is you can save reports and logs, or print the screen and use it in your report that the wiping was completed, and save it to a directory that matches a log of the disposition of your drives.  Using an IDE/SATA USB drive adapter you can easily plug drives into a Windows desktop, run the tools against them and save the final screen to disk as proof the wiping occurred.  Good enough for any auditor that might review your data sanitization process.  For server drives like SAS, SATA II or Fibre Channel drives, there are controllers that can be added to a desktop to allow you to see and wipe these drives as well.

Sanitization Station:

After running these tests to decide what the policy, standard and procedure will be, the next step is to set up a system to do the wiping.  Keep in mind that several pieces of information are needed to make sure your sanitization is complete and will stand up to an audit.  Here is what I came up with for a small Sanitization Station or stations:
 

  • Windows PC.. (Yeah I know we all love Linux)
  • Install all vendor disk tools for Windows
  • USB to SATA/IDE adapter
  • SAS/SATA controller
  • Install KillDisk Windows
  • Install Secure Erase
  • Install SDelete

Optional:

Run a SATA cable externally from the internal controller to improve speed, though I found that for this function speed was not an issue using a USB connected solution.  We are not transferring any data, just a few commands.

This setup would let you wipe most drives we use today including flash, thumb, USB, SATA and SAS drives that are found in servers along with older IDE drives and many memory cards used in cameras, phones and smart devices.

A Windows system is used because it provides a simple screen capture that you can then paste into a Word document to capture and save the repair and/or wiping of the drive for audit purposes.  This is difficult to do from a bootable ISO image as there is no easy way to grab the output of the results from the wiping unless the solution builds in saving to another USB device.

With any drive recycling, auctioning of old hardware, service calls or whatever reason a drive must leave your building, the proper paperwork is needed to show it was accounted for and verified wiped or destroyed.

RESOURCES:

KillDisk is the clear choice as it has a FREE 1 pass wipe option and a commercial solution to do multiple drives on multiple systems, data verification and meet DoD wipe requirements.

The vendor tools finish a close 2nd as they are also fast and provide an option to repair/validate your drive in the case you are recycling a system for reuse.  For true drive repair and data recovery, nothing beats Steve Gibson's SpinRite!!

GRC SpinRite:
http://www.grc.com/spinrite.htm

Tools:

I hesitate to recommend 'Boot and Nuke' since it is so slow (3x+ slower) and drive wiping is time consuming enough already, so I am pointing you towards the most efficient solution.  Nor can it provide a report like KillDisk and the vendor tools running under Windows can.

KillDisk:
http://www.killdisk.com/

Secure Erase:  (For all drive types, including thumb drives, flash and SSDs)
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

SDelete:  (Microsoft/Sysinternals utility to wipe drives, files or free space)
http://technet.microsoft.com/en-us/sysinternals/bb897443

Drive Vendors Tools:

Hitachi:
http://www.hitachigst.com/support/downloads/#DFT

Samsung:
http://www.samsung.com/us/support/SupportOwnersFAQPopup.do?faq_id=FAQ00000083&fm_seq=251#

Seagate and Maxtor:
http://www.seagate.com/www/en-us/support/downloads/seatools

Western Digital: (Select your drive and select the correct version of DLGDiag)
http://support.wdc.com/product/download.asp?modelno=DLGDiag&x=0&y=0

General Info:

Security through data erasure website:
http://www.dataerasure.com/

Government Docs:

DSS Clearing and Sanitization Matrix:
http://www.oregon.gov/DAS/OP/docs/policy/state/107-009-005_Exhibit_B.pdf?ga=t

NIST 800-88:  Guidelines for Media Sanitization:
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Common Criteria Validated Products List: (approved wiping tools and other stuff)
http://www.niap-ccevs.org/cc-scheme/vpl/

  • Be sure to use the FREE KillDisk version for home computers or Boot and Nuke to wipe your personal drives before you give or sell them to someone.


(I) Update to Blogging with an iPad and Social Dashboard

Thanks to a friend's suggestion, I tried a Social Dashboard app called HootSuite to solve the post-to-many-sites need.  This app or browser solution is similar to TweetDeck and Ping.FM.  The primary feature this app gives me when posting a blog is a built-in link/URL shortener button using Ow.ly, saving me from having to copy my long URL into the Ow.ly website to shorten it and then copy that to my Ping.FM post.  Hoot also eliminates my having to use Ping.FM, and Hoot is an actual iPad app where Ping.FM is an iPhone app, and the Ping.FM app does not have a built-in URL shortener.  For browser users, Hoot lets you add your Ping.FM account.

The app also makes a nice dashboard for your social sites, though limited in available sites (where Ping.FM shines); it does have Twitter, Facebook, LinkedIn and Foursquare for the iPad, and adds Ping.FM, the Japanese social site Mixi, MySpace and WordPress in your browser.

All in all a nice addition to iPad blogging and a nice Social Dashboard...

No Google+ yet.. ;-(



(W) Warning Will Robinson.. Walgreen's Phishing scam looks real !!!

I just received the following password reset email from Walgreens...

Or is it fake?  Can you tell the difference?

I forwarded this email to Walgreens to inform them of the good looking Phishing attempt along with a REAL password reset email that I generated...

You REALLY need to pay attention to these types of emails or you WILL get your account compromised!!!

Remember what I say... "Don't Click on THAT!!!!" dot commmmm...

ALWAYS go to the website directly and generate a request or login and make the change.

Happy Ho Ho Ho Holidays.

Stay Secure my friends...



Monday, December 19, 2011

(I) Health Care lost laptop... Really people... Beyond Stooopid!!!


I am amazed, well, not really... that companies that use healthcare data still allow people to have this type of data, or any other PII, SPI, FTI, PCI or PHI type data, reside on a portable device like a laptop or USB drive that is NOT encrypted by default.

It's hard to believe, with BitLocker being free on Windows 7 devices and the open source TrueCrypt, not to mention several other commercial solutions, that companies are still not encrypting drives with confidential data on them.

In the article below, $6000 was paid for credit monitoring for each owner of a lost record due to breach notification, they face a $1000 per record lawsuit, and the total costs are roughly $288,000 for the incident.  Even this cost does not seem to convince people to encrypt their confidential data!!!  It blows my mind that this type of data loss continues when there are cost effective solutions that would easily cost less than 10% of the breach.

Simple fix... Encrypt your portable devices and you won't face this risk...




Friday, December 16, 2011

(W) What have you downloaded on BitTorrent?

There is a new website or service that allows you to check if your IP address has downloaded a BitTorrent file.  Why?  Because users of BitTorrent are NOT private and, much like the lawsuit by the makers of 'The Hurt Locker', they can use this type of information to prosecute you.  Not specifically from this website, but equally obtainable information...

The moral?  Don't download illegal content !!!!  People ARE getting prosecuted...  Read my previous Post here:

Monday, December 12, 2011

(W) Card Skimmers found in Self-Service checkout line in grocery store

I have written about credit and debit card skimmers, telling people to go inside and get their cash and avoid using outdoor ATM devices.  Well, thanks to my friend Martin for pointing out that Lucky's Supermarkets in California just found some 20 self-service checkouts had card skimmers attached.. INSIDE the store!!! Where people SHOULD be watching!!!

Alas, the nefarious ne'er-do-wells have found that self-service checkouts at the not so LUCKY'S are not as well monitored, and managed to replace units in 20 stores.

I still say inside is safer than outside, but now I would add... Use a staffed register to get cash... Or if you use a self-service checkout.. Wiggle and yank the unit's card reader and get to know what your store's systems look like so you can detect anything out of the ordinary...

I am still looking to find my first skimmer dang burnet...

So as Martin so accurately pointed out in his Tweet to me... Buy beer, not a pack of gum... At a staffed register.

Sunday, December 11, 2011

(I) How to Blog with an iPad

So you wanna Blog...


With the recent iOS 5.0 and 5.1 upgrade to my iPad, which broke all my blogging apps (BlogPress, Blogsy and Blogger+), I had to resort to the old fashioned way.. use a browser.  Well, I don't like to blog at my desk at home; I'd rather capture my thoughts over lunch or while watching a show or a football game... "GO PACKERS!".

Since I got my iPad I have been blogging 100% on my iPad, with only a few exceptions where I opened the browser to correct the blog site or add a file or page, something not easily done from the iPad.  By the way, I use Blogger for my blog, so no WordPress info here, except that many of the manual steps would apply for any blogger.

When the apps broke, and I mean can't-use-them broke (who knows why; the iOS 5 upgrade, obviously), I was unable to post a single thing via the iPad, and with BlogPress breaking I had to find a more manual way to blog and post items.  Using your browser you still have to take your blog entry and copy it into Facebook, Twitter, LinkedIn and Google+, or use an aggregator like Ping.FM to replicate it quickly.

With the blog apps broken, I set out wondering how to do this manually using multiple tools vs. relying on BlogPress like I had up to this point.  Let's first look at what my requirements, and I am sure others', are to blog and post.

1.  Write the Blog of course - All the Apps do this, write it in whatever you want 
2.  Add pictures
3.  Resize pictures so you get a consistent size in your posts
4.  Add links
5.  Text formatting
6.  Some sort of upload to a picture repository like Flickr or Picasa
7.  Post to Facebook
8.  Post to one or more Twitter feeds
9.  Post to LinkedIn
10.  Post to website
11.  Post to Google+

Simple right?  Apparently not...  Up until last month, when I updated my iPad to iOS 5.1, BlogPress did it all, well most of the above anyway.  By far BlogPress is the best blogging app available, but alas, since it is dead I cannot use it anymore...  So how was it done before BlogPress?

Via the browser and the middle of the road iPad blogging apps, I guess.  The only app that works now is Blogsy.  Blogger+ was updated in the last couple of days, but it is so limited you might as well use the browser to create your blog entry.

So what is the process to blog and publish manually?

Well first you need pictures...  Every Blog post needs a picture to help grab the eye and attention of the reader.  On the iPad you just search Google Images and take a snapshot (press both buttons) to add the screen to your Saved Photos Library.  Next, you use a killer app called 'PhotoPad' to crop and resize your photo and then save it.  I use a 100 pixel width for my blog pics and I do not size them in PhotoPad, I do it in the Blogging App, BlogPress or Blogsy.

Second, you need to upload the pictures to your Cloud based repository like Flickr and/or Picasa.  Now this is where BlogPress shines... It does it as a part of posting your blog.  Blogsy does not and you have to upload them before writing your blog entry.  For uploading cropped and rotated pictures to Picasa and Flickr I use Web Albums for Picasa and FlickStackr for Flickr.  Both of these Apps manage your Cloud Photos really nicely for viewing or uploading.  Once you do this you can delete the pics from your Saved Photos library and keep your iPad memory freed up.

Third, you need to save your URL's and links that you will reference in a Blog entry so you can just cut and paste them into your Blog Post.  All I do when I read something worth saving on the InterWebbings or in RSS is send them to one of my email addresses with a subject.  Now when I want to Blog I have the link to copy and paste.. easy.  The email also acts as a ToDo list for Blogging.

Fourth, write your blog entry.  I am currently using Blogsy, and it is the 2nd best app for blogging since it does NOT post to Facebook and Twitter like BlogPress used to do, nor does Blogsy upload pics to Picasa like BlogPress did as part of posting.  Hurry up #BlogPress and update your app for iOS 5... PLEEEEAAASSEE !!!!  Blogsy does have some nice formatting tools to color your text and format it.  I am not a fan of drag and drop pictures from your Picasa or Flickr accounts as I can't get them quite where I want them and often it kills links I have at the end, an odd bug...  But it is what this entry was made with.

Fifth, it is time to post....  I publish the blog entry and while I am there I select and copy the title for posting to the other sites...

Sixth, send to the other sites...  I use Seesmic on the iPad, which has a profile for my Ping.FM account that allows me to post to my website, Facebook, Twitter and LinkedIn with one post...  I paste the title that I copied in Step 5, then I open Safari, go to my blog and copy the URL of the specific post, paste it into the URL shortener Ow.ly (OW.LY website) and then paste the result into Seesmic for the Ping.FM profile to send out; since you still have the 140 character limit Twitter imposes, you want to use short URLs.  Before I hit send, I Select All and copy it for Step 7.

Seventh, Post on Google+...  I open the Google+ App on my iPad (iPhone App really 2x) and paste the entry from Step 6 and send...

Now I have made my Blog entry....

Simple huh?

Come on BlogPress....   Update your app.  I would only need to post to LinkedIn and Google+ when I use BlogPress and skip the Seesmic step, since Google has yet to allow API posting to Google+ via apps like Ping.FM.

Tips and Tricks?  Send me an email... you know how...

Friday, December 9, 2011

(R) BrowserID option over OpenID, OAuth and others

The folks over at Mozilla are pushing for this to be the next Internet authentication standard.  BrowserID uses your validated email address and password to authenticate you to websites, like the 'Login with your Facebook ID' button or any OpenID or OAuth login does, but easier.

Take a look... it makes total sense to me.


Test drive the authentication process using a demo appropriate for engineers to create...  My Favorite Beer..

(W) Warning !!! If you have seen one of these.. Cancel your Credit/Debit Cards

Especially my friends in Southern California..  This was found in my old stomping grounds.  ATM Skimmers WILL drain your bank account, so beware when you use any outdoor ATM Credit Card device!!!

Need cash?  Go into a supermarket, WalMart, Target etc., buy a pack of gum and get cash back!!

(I) How to validate shortened or any URL's are safe

If you see shortened URLs from Bit.ly or Ow.ly and you want to know if they are safe, then use these 3 websites to do just that.  They would also work for a URL of any length... FYI

Sucuri SiteCheck allows you to enter a URL, like the one in this article, and it will crawl the website to look for any known malware and provide you a nice report.

Google SafeBrowsing allows you to modify the end of the URL below, replacing it with a URL you want to check, and Google will look up whether the URL is or ever has been bad.

And F-Secure Safe Links for web sites allows you to add a plug-in to a website; it is what I use on HackerHurricane.com to validate all the URLs that I use in my blogging.

If you are browsing using Firefox or Chrome, add the plug-in/extension called 'Web of Trust' (WOT).  This little add-on will show you a Red, Yellow, Green or Grey circle next to each link/URL showing you it is safe (green), warning (yellow), unsafe (red) or unknown (grey).  Treat all unknowns/grey as RED, since mentions in Twitter often have new URLs that have yet to make it into the unsafe database.


Monday, December 5, 2011

(W) Yahoo Mail users - DON'T CLICK ON THAT !!!


Here we go again with Phishing attempts to gain your username and password...

NEVER, EVER, EVER provide your username and password or any other personal information to validate an account or login.  The website or company will NEVER do this, so don't fall for something so obvious...

And yahoo can't block this ???  Can you say "FAIL!!!"

#InfoSec  #Yahoo  #Phishing

Friday, December 2, 2011

(I) VanishCrypt..Fails practical use

If you are looking for a solution to encrypt USB devices, this new solution fails practical use.  Practical use is where a newb or greenhorn can install a tool and use it.  There is no installer; you have to run a tool to add some needed Windozs components and register an .OCX file, so it is only for the geeks at heart.

TrueCrypt still reigns king in the encrypted USB drive space.

http://code.google.com/p/vanishcrypt/


Thursday, December 1, 2011

(R) Research on HP Printers

We have all recently read the articles on the HP printer vulnerability, but after a friend said "this seems to be a pretty targeted attack scenario..." I replied back saying.. "Not really, I discovered years ago with JetDirect printers that you can harvest data", and as another friend pointed out today, even Nessus can lock up the JetDirect print server and interrupt print jobs..

Using the oldest trick in the book... Cough...cough.. Telnet port 80....

You can obtain data from HP printers easier than easy..

HTTP/1.1 400 Bad Request
Connection: close
Server: HP HTTP Server; HP Officejet Pro 8600 - CM750A; Serial Number: CN19T1K0W
V05KD; Coulomb_pp Built:Wed Sep 07, 2011 11:21:09PM {CLP1CN1136AR, ASIC id 0x00320104}


Yup... Now if you read this from a simple telnet query, you can grep what you're looking for and know exactly what firmware sploit to throw at an HP printer..


Not targeted, just plain stooped to serve up so much info...


HP... Epic FAIL !!!!



Taking a Blogging break.. Not by choice.. By the iOS 5 upgrade

iOS 5 has broken all my iPad blogging apps, so until they work again I am on a 'Blogging Break'.. Or is it 'Break Blog'?

I could use a browser... but seriously, why should I have to?

#BlogPress #Blogsy #Blogger+