Category Archives: Security

Ssshhhh. Security by obscurity is not practiced here. So don't disturb us, we're being vigilant.

Maxell 256AES USB Drive

Maxell Launches Compact, Secure, Extremely Durable USB Drive That Exceeds Government Encryption Standards

(Woodland Park, New Jersey–January 6, 2011) Maxell Corporation of America introduces its Guardian USB Backup Drive, a USB flash drive with 256-bit AES hardware encryption for complete file security during storage and transport. The 256-bit AES hardware encryption and anodized aluminum housing protect the device even if it is lost or stolen, exceeding the government’s standard level of data protection.

The Guardian USB is extremely durable, including protection from water, sand, dropping the device and even crushing forces, making it well suited for government applications, as well as for any professional who needs to store sensitive footage.

The Guardian is an ultra-fast, high-performance backup solution, perfect for transferring important files for the professional photographer or videographer. The mandatory 256-bit AES encryption provides a perfect solution when shooting sensitive material, including government or corporate footage that could be detrimental if lost or stolen. Easily portable, the Guardian easily fits in a pants pocket or briefcase.

The Guardian’s straightforward interface requires a user to enter a complex password consisting of upper and lower case letters, numbers and symbols upon first use. Once the drive is locked, users have eight attempts to unlock the drive before the saved data is completely and securely erased. The drive also allows a user to include contact information in case it is lost.

Maintaining the form factor and affordability of slim USB stick drives, Maxell’s new Guardian USB Backup Drive expands the company’s offering in storage media. The Guardian USB has a read speed of up to 20MB/sec, due to its fast dual-channel NAND flash memory. The Maxell Guardian is backed by a lifetime warranty.

The Guardian USB is currently available in 2GB, 4GB and 8GB storage capacities at list prices of $49.99, $54.99 and $69.99, respectively.

Maxell is widely recognized as a major supplier in the data storage media industry and has remained at the forefront of the data recording business, with an emphasis on quality, reliability and innovation. In addition, Maxell continues to develop new products utilizing digital storage formats and technologies.

http://www.maxell-usa.com

Beware the Firesheep

It’s even more dangerous if you’re not making secured connections to the websites themselves. Sites that use a secure, encrypted connection have https in their Web address – rather than just http – and show a lock icon in most browsers.

In the past, you could take some comfort in the fact that it requires some skill to launch one of these attacks. Most people are honest, and even more people are clueless as to the hackery needed to access someone else’s online accounts.

From the San Francisco Gate article: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Firesheep changes all that. It’s a Firefox extension that makes it ridiculously easy to log into certain sites as another user. It’s as simple as this:

1. Launch the Firesheep extension in a Firefox sidebar.
2. Click the Start Capture button.
3. See who’s connected to which sites.
4. Double click on one of those connections.
5. You’re logged in as someone else on that site.

Ian Paul at PCWorld has a good explanation of how Firesheep works.

Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic on an open Wi-Fi connection between a Wi-Fi router and the personal computers on the same network. The extension waits for someone to log in to any of the 26 sites listed in Firesheep’s database. When you log in to Amazon, for example, your browser’s Amazon-specific cookie communicates with the site and contains personally identifying information such as your user name and an Amazon session number ID.

As your browser swaps cookie information back and forth with the Website a third party can hijack that communication and capture info including your user name and session ID. Typically, the cookie will not contain your password. But even without your password, the fact that Firesheep has snagged your session cookie means that a hacker can, at least in theory, access your account and gain virtually unrestricted access.

Read the rest of the article at the link: 
Firesheep: Making Web-connection hijacking easy : Hot Topics

Find suggestions for use at:
Firesheep, A Day Later
or the forum at:
Firesheep | Google Groups

Other links:
http://brakertech.com/firesheep-wifi-hacking-facebook-twitter-google-flickr/
http://github.com/codebutler/firesheep/downloads
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html 

[Addendum] At this moment, it seems that Firesheep is unavailable for download. The author seems to have made his point though. Free, open access WiFi hotspots are bait shops for predators. 


There are tools to help prevent this type of invasion. Large corporations will have a VPN that routes all traffic through an encrypted tunnel back to their own servers, a tunnel that is established as soon as the connection comes up and used for everything. Private, non-corporate users can get the same through companies like proXPN and simple extensions like Hotspot Shield.
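The PCWorld excerpt above describes the actual weakness Firesheep rides on: a session cookie that the browser is willing to send over plain http://, where anyone on the same open hotspot can read it. The following is an added example, not code from the article or from Firesheep, that audits the response headers a site sends for the attributes that close that door (the Secure, HttpOnly and SameSite cookie attributes, plus Strict-Transport-Security to keep the browser on https:// at all). The sample responses are constructed, not captured from any real site.

```python
"""Audit HTTP response headers for the weakness Firesheep relies on: a
session cookie that the browser will also send over plain http://, where
anyone on the same open Wi-Fi network can read it. Standard library only."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Flag attributes with no value (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value):
    """Return the list of problems with one Set-Cookie header (empty = fine)."""
    name, _, attrs = parse_set_cookie(header_value)
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure; browser will send it over plain http://")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly; readable by injected page scripts")
    if "samesite" not in attrs:
        problems.append(f"{name}: missing SameSite; sent along with cross-site requests")
    return problems


def audit_response(headers):
    """headers: list of (name, value) pairs as received. Checks every
    Set-Cookie plus Strict-Transport-Security, which keeps the browser on
    https:// so the cookie never rides over an unencrypted hop."""
    problems = []
    names = {n.lower() for n, _ in headers}
    for n, v in headers:
        if n.lower() == "set-cookie":
            problems.extend(audit_cookie(v))
    if "strict-transport-security" not in names:
        problems.append("no Strict-Transport-Security header; http:// requests are not upgraded")
    return problems


# Constructed sample responses (assumed, not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=3f9a2c; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=3f9a2c; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "OK")
```

The weak response is exactly the shape the excerpt describes: the cookie is set without Secure, so a later http:// request to the same host carries it in the clear. The hardened response is what HTTPS Everywhere tries to approximate from the client side when the site itself has not done it.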

Encrypt the Web with the HTTPS Everywhere Firefox Extension – An EFF and Tor Project


Update Everything Month~! Software Vulnerability Records

Just glancing through the update literature we see that Windows had started the trend with a record number of patches, then Adobe got into the competition with several programs getting the ‘record number’ treatment. Opera thought that was good publicity and topped the 50 fixes line, then Java gave everyone a good run at the records. All in all, there have been other “Update Everything” months, but nothing like these last two weeks of October 2010.

Set aside the time, and if required, the task force to make certain that every computer in your operation that could ever be connected to any of your digital cinema systems, whether by USB key (moving a security key), or by network, has every piece of software checked for updates. Start with the major ones, especially those listed in this article: Ongoing Security–It’s “Update Everything Month”

Infected USB caused biggest US military breach ever


Read the entire ITPro article at:
Infected USB caused biggest US military breach ever | IT PRO
By Tom Brewster, 26 Aug 2010 at 14:57

An infected USB drive was at the heart of the most serious breach of US military networks ever in 2008, a senior US Government figure has confirmed.


US Deputy Defense Secretary William Lynn explained how the provenance of the infection stemmed back to a drive being inserted into a laptop at a US base in the Middle East.

“The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the US Central Command,” Lynn noted in an article on the Foreign Affairs website.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.”

This incident led to the creation of Operation Buckshot Yankee, a Pentagon initiative designed to help counter the cyber threat facing the US.

Lynn admitted even since Operation Buckshot Yankee was set up, foreign enemies have managed to acquire thousands of files from US networks and from allies’ systems, including weapons blueprints, operational plans and surveillance data.

“When an organisation, such as the US military holds sensitive information, it is important that they ensure the security of all devices entering the network,” Ash Patel, country manager for UK and Ireland at Stonesoft, told IT PRO.

Patel stressed the importance, especially for bodies such as the US military, to completely lock down USB ports.

“Never leave a USB lying about unattended, this can lead to a quick win for a hacker but leave devastating consequences for an organisation. Never insert a USB stick into a company machine unless you know exactly what it contains and where it has come from,” he added.

Earlier this year, McAfee reported spreading malware on USBs was a technique being used heavily by cyber criminals, even though many would have been forgiven for thinking it was a dying art.
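Patel’s advice above is to lock USB ports down completely. On a Linux projection server or management workstation the usual first step is to stop the kernel from loading its USB mass-storage drivers at all. The script below is an added example, not from the article or from any vendor: it audits a modprobe.d directory for that lockdown and can write the drop-in that enforces it. The drop-in file name, the choice of modules (usb-storage and uas) and the policy of blocking only storage while leaving keyboards and mice alone are assumptions. It also shows a practitioner’s caveat: a bare blacklist line only stops automatic loading, while an install line refuses even an explicit modprobe.

```python
"""Check a Linux host's modprobe.d directory for a usb-storage lockdown and
write the drop-in that enforces one. Added example, not from the article;
the drop-in file name and the choice of modules are assumptions."""
import os
import re
import tempfile

# Kernel modules that turn a USB device into a block device. Blocking them
# stops flash drives from mounting; keyboards, mice and USB network
# adapters keep working. (Assumed policy.)
STORAGE_MODULES = ("usb-storage", "uas")

LOCKDOWN_FILE = "zz-usb-storage-lockdown.conf"  # assumed name; sorts last

LOCKDOWN_CONF = """# Refuse to load the USB mass-storage drivers.
# `install <module> /bin/false` defeats both auto-loading by alias and an
# explicit `modprobe usb-storage`; a bare `blacklist` line only stops the
# former, so a root shell or an installer script could still load it.
install usb-storage /bin/false
install uas /bin/false
"""


def _module_pattern(module):
    """modprobe treats '-' and '_' in module names as the same character."""
    return "[-_]".join(re.escape(part) for part in module.split("-"))


def lockdown_state(modprobe_dir, module="usb-storage"):
    """Return 'blocked', 'blacklisted-only' or 'open' for one module by
    reading every *.conf file in modprobe_dir (a missing dir counts as open)."""
    name = _module_pattern(module)
    install_re = re.compile(r"^\s*install\s+" + name + r"\s+/bin/(false|true)\b")
    blacklist_re = re.compile(r"^\s*blacklist\s+" + name + r"\s*$")
    if not os.path.isdir(modprobe_dir):
        return "open"
    blacklisted = False
    for fname in sorted(os.listdir(modprobe_dir)):
        if not fname.endswith(".conf"):
            continue
        path = os.path.join(modprobe_dir, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if install_re.match(line):
                    return "blocked"
                if blacklist_re.match(line):
                    blacklisted = True
    return "blacklisted-only" if blacklisted else "open"


def write_lockdown(modprobe_dir):
    """Create the drop-in (and the directory if needed); returns its path.
    Already-loaded modules still need `rmmod` or a reboot to go away."""
    os.makedirs(modprobe_dir, exist_ok=True)
    path = os.path.join(modprobe_dir, LOCKDOWN_FILE)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(LOCKDOWN_CONF)
    return path


def audit_all(modprobe_dir):
    """State of every storage module, e.g. {'usb-storage': 'blocked', 'uas': 'open'}."""
    return {m: lockdown_state(modprobe_dir, m) for m in STORAGE_MODULES}


def demo_states():
    """Walk the three states in a scratch directory so running this never
    touches /etc. Returns (before, after a weak blacklist, after lockdown)."""
    scratch = tempfile.mkdtemp()
    before = lockdown_state(scratch)
    with open(os.path.join(scratch, "10-local.conf"), "w", encoding="utf-8") as fh:
        fh.write("blacklist usb_storage\n")  # constructed: the weak form
    partial = lockdown_state(scratch)
    write_lockdown(scratch)
    return before, partial, audit_all(scratch)


if __name__ == "__main__":
    print(demo_states())
    # On a real host: print(audit_all("/etc/modprobe.d"))
```

Run as root with the real directory, audit_all reports which of the two drivers is still loadable; the demo path only ever writes to a temporary directory. Note what this does not cover: a device that presents itself as a keyboard, or a network adapter, is untouched by it, which is why Patel pairs the technical control with the rule about never inserting unknown media in the first place.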

Remote Wiping Technology for Hard Disks

[For the DCinema business, this isn’t in the direct line of possible solutions…but good to know. The original article is at:
Secure Business Intelligence Magazine: Remote wiping technology introduced for Toshiba products]

The company said that Wipe can automatically invalidate a hard disk drive security key when its power supply is turned off, instantly making all data in the drive indecipherable. Also, copier and printer systems vendors can now use Toshiba’s Wipe technology to securely invalidate sensitive document image data by automatically erasing the SED’s internal encryption key.

This feature can be used prior to system disposal or re-purposing to ensure that private data never leaves the control of the responsible business unit or IT department.

Simple Great Passwords v Cracking Dictionaries For Rent


Anyone who deals with projector or media players should certainly have good password practices. It would be logical that anyone who passes security keys around should also figure out a pattern for creating passwords.

The article’s idea of putting in the last letter of the site associated with the password is a good first step. So, the password for dcinematools would start with an ‘s’, and since it is easier to keep the letters that follow in lower case, making that ‘S’ a capital is a second good step.

One imagines that eventually hackers will start putting the letters of typical phrases into their dictionary cracking databases. I find it easier to use the letters of some object that is in front of me all day, but never a whole word. So, if the American Heritage Dictionary is in front of me, I might choose the first three letters from each word, and put a number in between each, with one of them being shifted to a symbol. I also have found that I give numbers based upon sensitivity, so that public sites which might have their data stolen get higher (or lower) numbers while more secure sites get the opposite. 

Like all matters dealing with responsibility for other people’s assets (equipment, art, friendship…), passwords are sometimes a pain, often skipped without penalty, but important that one time they are required. Having a pattern will, in this case with the human-machine relationship, make things easier the one time that it might matter.

!!! Browser Auto-Complete–All Vulnerable

This article takes a while to say that all browsers, except possibly Internet Explorer 8, are vulnerable to a simple attack that will cough up any data you have in your auto-complete file: that is, names, passwords, credit card data (who keeps credit card data in auto-complete? Have you checked your auto-complete file recently?).

Read the article: Auto-complete: browsers disclose private data – Update

Comments on the original proof-of-concept site say some Mac OS X systems are giving up the data, yet some are not, even with Auto-Complete turned on.

Advice: Turn off Auto-Complete in all browsers until this is solved…regardless of what a pain in the ass this is. Oh, and don’t go to those hacker sites.

Security: Connect the Dots–Ongoing

This article will be an ongoing list of interesting articles in the security arena, none earth-shattering (those will get separate articles), but each one a dot that might connect to other data. Please add other news in the comments or write editor at dcinematools.com

15 August–Welcome to the future: cloud-based WPA cracking is here

Cloud computing is the latest effort to put data off site, to let professionals handle the IT details, or to put large amounts of data close to the user, while allowing the users to concentrate on their application. Dolby, for example, uses the well-regarded Salesforce solution (as do many large corporations) to monitor equipment and solutions in the field. Thus it is news…and really really really points to the need for using excellent passwords.

In 2008, I speculated about the future of distributed security cracking. That future has arrived, in the form of a $17 “cloud” based service provided through the efforts of a security researcher known as Moxie Marlinspike. It is effective against pre-shared key deployments of both WPA and WPA2 wireless networks.

The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. …Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.

If you opt to use the service, you will of course leave a money trail via Amazon Payments — which is probably a bad idea if you are attempting to gain unauthorized access to a secured network illegally. For the good guys testing the security of a client’s network, however, this is an incredibly handy tool to have at one’s disposal.

It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.
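The numbers in the excerpt above are worth working through, because they say where the defence lies. This is an added example, not code from the article or from the WPA Cracker service: it derives the WPA/WPA2-PSK master key the standard way (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, as defined in IEEE 802.11i), takes the guess rate implied by “135 million words in about twenty minutes”, and compares it with the size of a few random passphrase spaces. The passphrase styles compared are assumptions; the published 802.11i test vector (SSID “IEEE”, passphrase “password”) is used only to confirm the derivation.

```python
"""Worked numbers for the WPA Cracker article: what "135 million words in
about twenty minutes" implies, and why passphrase choice, not the cloud,
decides the outcome. Added example; keyspace choices are assumptions."""
import hashlib

YEAR_SECONDS = 365.25 * 86400


def wpa_psk(passphrase, ssid):
    """WPA/WPA2-PSK master key as defined in IEEE 802.11i: PBKDF2-HMAC-SHA1,
    4096 rounds, SSID as salt, 32 bytes. Every dictionary guess pays this
    cost, which is why the job wants a cluster rather than a laptop."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def implied_guess_rate(words, seconds):
    """Guesses per second implied by finishing `words` in `seconds`."""
    return words / seconds


def keyspace(alphabet_size, length):
    """Number of distinct passphrases of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(space, rate):
    """Worst-case time to try every passphrase in `space` at `rate` per second."""
    return space / rate / YEAR_SECONDS


def report():
    """Compare the article's dictionary job against random passphrases."""
    cloud = implied_guess_rate(135_000_000, 20 * 60)   # article: about 20 minutes
    pc = implied_guess_rate(135_000_000, 5 * 86400)    # article: five days, dual-core
    spaces = {  # assumed passphrase styles
        "8 chars, a-z A-Z 0-9 (random)": keyspace(62, 8),
        "12 chars, a-z only (random)": keyspace(26, 12),
        "12 chars, a-z A-Z 0-9 (random)": keyspace(62, 12),
    }
    years = {label: years_to_exhaust(n, cloud) for label, n in spaces.items()}
    return {"cloud_rate": cloud, "pc_rate": pc, "years_on_cloud": years}


if __name__ == "__main__":
    # Published 802.11i test vector: SSID "IEEE", passphrase "password".
    print(wpa_psk("password", "IEEE").hex())
    r = report()
    print(f"implied rate: {r['cloud_rate']:,.0f}/s cloud, {r['pc_rate']:,.1f}/s dual-core PC")
    for label, years in r["years_on_cloud"].items():
        print(f"{label}: {years:,.0f} years to exhaust")
```

Two things fall out. First, the service’s whole advantage is the dictionary: at roughly 112,500 guesses per second, even an eight-character random passphrase would take decades to exhaust, and a twelve-character one is out of reach entirely. Second, the 4096-round derivation is what keeps that rate low; a WPA-PSK passphrase that is long and not made of dictionary words is therefore not in the 135-million or 284-million-word lists and is not at risk from this service. For a cinema network the practical answer is a long random passphrase, or WPA2-Enterprise so there is no shared key to capture at all.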


Please report any security news which you think the community could benefit from in the comments.

Your Own Penetration Test


Typical defenses against these threats include:

• A firewall to separate the corporate network from the Internet

• An intrusion prevention/detection system (IPS/IDS) to detect when typical hacker activities, such as port scans, occur and to take steps to prevent them from successfully penetrating the network

• Malware scanners to prevent malicious software getting on to the network hidden in e-mail, instant messaging or Web traffic

• The use of passwords to prevent unauthorized access to networks, computers, or data stored on them.

Every organization should have these defenses in place, but this leaves a very important question to be answered: How effective are these measures?

It’s a deceptively simple question, but it’s essential that you know the answer to it. That’s because if you don’t it may turn out that:

• Holes in your firewall leave your network vulnerable

• Your IPS/IDS is not configured correctly and will not protect your network effectively

• The passwords used to protect your resources are not sufficiently strong to provide the protection you require

• Your IT infrastructure has other vulnerabilities you are not aware of, such as an unauthorized and insecure wireless access point, set up by an employee.

Since the professionals at your cinema are responsible for entertainment materials which are more valuable than the contents of your local bank, this is valuable information for them.

This set of instructions includes where to download the free, open-source files, and how to install them.

These are the chapter headings. We’ll go through these one at a time at a later date.

  1. Carrying Out Your Own Penetration Tests
  2. Network Discovery: Scanning with Nmap
  3. Sniffing Your Network with Wireshark
  4. Checking Password Security with Hydra
  5. Spotting Weak Passwords Using Offline Attacks
  6. Checking Wireless Security with aircrack-ng

The attached file can be downloaded by those who are registered and signed in.

Social Engineering Preview

Due to the mystery surrounding social engineering many people are afraid of it, or they feel they will never be able to accomplish a successful social engineering test. However, every time you try to get someone to do something that is in your interest, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering.

Those are the beginning paragraphs to an interesting site:

Social Engineering and the Art of Influence.

We will use it as the launching point for exploring the best way forward for organizations that realize what a tremendous responsibility they have for the assets they are storing.

Step 1 – Find the right person to learn this expertise.

Step 2 – Have them wander the site for a while.

Hackers For Charity – MetaSploit Unleashed

Mastering the Framework is the chant behind this marvelous idea – put together a great set of test programs, put together the technical data that teaches how to use it, and ask for a $4 contribution to help feed people.

Offensive Security is a white hat group who teaches people to think like blackhats, so that they can better protect their environment. Find someone in your organization who can take advantage of this now, and make it a part of your procedures.

Ex-Army man cracks popular security chip

Read the entire article at:
Ex-Army man cracks popular security chip
How to open Infineon’s Trusted Platform Module
By Dan Goodin –– 17th February 2010 21:08 GMT

[Editor says: Constant Vigilance Alert – This is only interesting in that someone clever kept at it, breaking over 50 security chips until he found the means to break in…circumventing hardware and software destructive mechanisms.
Lesson: every network has the potential for a moment of excitement. Maybe not now, but at some time you will need to have a professional view of your projection/server network.]

Example of PC Vulnerability, and Why Important

One of the magic rules of security is to presume that the bad guys think differently than you do. (That may be what makes them bad guys.) Hopefully, they won’t think that entering the locked portion of a facility is such a good idea, and that messing with your system is just too likely to get them caught.


But if you are paying attention, there are constantly new updates to Adobe Reader, and most of them are to plug security problems. Same with Firefox. Same with many other common programs. And if your desk computer isn’t updated, and if some blackhat figures a way to put a worm into a pdf file that will only affect a Unix machine…like that server over there…it might not trigger your virus checker. But it could get placed onto the server.

Be a professional. Stay updated. Stay aware of updates. Stay aware of what a virus or trojan horse could do. If you can’t tell your sister’s friend what the difference is between a virus and a trojan horse, learn some more.

Meanwhile, think about the implications of a story like this, and how someone (who doesn’t think like you) could take advantage of it….to your detriment.

Matousec has discovered a relatively simple loophole that could leave Windows PCs vulnerable to malicious code, with all commercial anti-virus packages powerless to prevent it.

By Martin James, 10 May 2010 at 11:33

Security analyst firm Matousec claims it has revealed a vulnerability in Windows PCs that could leave mainstream security software all but powerless to prevent an attack.

The flaw exploits the way anti-virus packages use System Service Descriptor Table (SSDT) hooks to access the Windows kernel. Because of the inability of multi-core systems to track threads running on other processing cores, a simple bait-and-switch attack stands no chance of being detected if the timing is right.

Once an anti-virus program is satisfied a given piece of code poses no threat, it will give the code the green light to be executed. However, at this point there is a short window where the innocent code can be replaced by malicious code without the security software being any the wiser.

Read the rest of this lesson at:

Researchers find way to bypass all Windows security software

Happens to the best of them: Apache Passwords Exposed

The full article is at IT Pro:
An attack on Apache’s project server has resulted in passwords being stolen from all users.
By Jennifer Scott, 14 Apr 2010 at 11:25 

And continues:
“If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised,” said a blog post from the Apache Infrastructure team.

It has warned users of any of these programs to change their passwords, especially if they logged in between 6-9 April.

It has also left those who had Atlassian accounts before July 2008 in danger as an old unencrypted database containing customer passwords was left online and could have been compromised.

“We made a big error,” admitted Mike Cannon-Brookes, chief executive of Atlassian, in a blog post. “For this we are, of course, extremely sorry.”

He added: “The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn’t active, it should have been deleted. There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up.”

Apache is running JIRA on a proxy configuration for the meantime and has made a number of changes to make the server safer.

“We hope our disclosure has been as open as possible and true to the ASF spirit,” concluded the Apache blog. “Hopefully others can learn from our mistakes.”
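The two halves of the incident above are the two things a password store has to get right: the Apache users lost only a hashed copy of their password, while the legacy Atlassian table held passwords in plain text and should have been deleted. The following is an added example, not code from Apache or Atlassian, showing the storage side done properly: a salted, deliberately slow hash with a self-describing record format, a constant-time verify, a check for records made under an older iteration policy, and a migration routine for a plaintext table so that it can be deleted rather than left online. The record format, iteration count and sample rows are assumptions.

```python
"""Password storage done the way the Atlassian quote says it should have
been: a salted, deliberately slow hash, and the legacy plaintext table
migrated instead of left lying around. Added example; the record format,
iteration count and sample rows are assumptions."""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; raise over time


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algo$iterations$salt$digest (hex).
    A fresh random salt per user means identical passwords hash differently
    and a precomputed table is useless against the whole dump."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Constant-time check of `password` against a stored record."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record):
    """True when the record was made with fewer rounds than current policy;
    rehash on the user's next successful login."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS


def migrate_legacy(plaintext_rows):
    """Turn a {user: plaintext} table into {user: record}. The caller must
    then delete the plaintext source; skipping that deletion is exactly
    what the incident above describes."""
    return {user: hash_password(pw) for user, pw in plaintext_rows.items()}


if __name__ == "__main__":
    # Constructed sample of the kind of legacy table described above.
    legacy = {"alice": "hunter2", "bob": "correct horse battery staple"}
    table = migrate_legacy(legacy)
    for user, record in table.items():
        print(user, record[:48] + "...")
    print(verify_password("hunter2", table["alice"]))  # True
    print(verify_password("hunter3", table["alice"]))  # False
    # What a leaked `table` gives an attacker: per-user salted digests that
    # each cost ITERATIONS of PBKDF2 per guess, and nothing reusable across users.
```

Even with this in place, Apache’s advice to change the password still stands after a leak: a slow salted hash buys time against guessing, it does not make a weak password strong, and the same password reused on another site is the first thing tried.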