Friday, May 04, 2007

Security Tips To Keep You Safe While Traveling

As we approach summer, more and more people are once again thinking of traveling, both for business and for pleasure. TechEd is in June, and a variety of other techie conferences are not far behind. School will be out soon, making way for family vacations – although with the ridiculous price of fuel, I’m not sure how many people will be traveling. Even when only traveling for pleasure, many business professionals, as do I, take their laptops and PDA devices with them to be able to do work during a few “down” moments on their trip, or at the very least to have a way to keep tabs on their email and events at work. We geeks are such workaholics, aren’t we?

On a recent business trip to the east coast, I had the opportunity to once again enjoy my hobby of just sitting back and observing people. I was again reminded of just how complacent folks are about their security when it comes to using computers and other information technology enabled devices when on travel. This seemed to be especially true when using computers in public places – either their own laptops, or computers in hotel business centers. I am not sure if people are just in a hurry, or if they just really are not aware of the potentials for exposing themselves (in a “data” sort of sense, that is) while out and about.

There are a number of things I will talk about in this article having to do with ways to keep yourself (and your data) more secure when away on travels. Some of these things are as simple as using fundamental physical measures to shield your computer screen from curious eyes. Others involve the act of just taking the time to clean up after yourself when using a public computer, and yet other measures I will discuss simply involve the use of technology that is already built in to the devices that you are using. There really is very little to no cost involved in protecting yourself with these measures, but the cost of giving away your data can be huge and devastating. So let’s take a look at a few of the vulnerabilities we face every day when on travel and some solutions for protection.


Shoulder Surfing:

If you are flying, your potential for vulnerability begins the very minute you get to the airport. Many people find that they have to arrive at the airport a few hours early just to make it through check-in and security, in order to make their flight on time. There is often a lot of “down time” here, so many people, as do I, pull out the laptop and the Blackberry, and do some work. In this setting, we are often in very close proximity to other people. Once we board the airplane, it is even worse. Unless you are lucky enough to be in First Class, you are sitting with your elbows right up against someone else’s, and their wandering eyes are just a foot or two north. Even if you aren’t flying, or have arrived at your destination, the local restaurant and the corner coffee shop are no different. When you sit down in that comfortable chair to enjoy your latte and do some work, there are countless wandering eyes trying to figure out what you are doing.

There are two main problems here. First of all, your neighbor (who is usually NOT minding their own business) is looking at your computer as you type in your username and password. If they can see your log-in box, they can see your username, and if your computer is joined to a corporate domain, they can see the domain name. As you type in your password, unless you are lightning fast, they can see you type the characters. I’m one of those “two-finger wonders” (I don’t touch type) so this is a particularly big problem for me. A devious person intent on harvesting such information (and they are everywhere, trust me) will be very good at following your keystrokes and will be able to obtain all the credentials needed to log in to your corporate network. They now have your username, the name of your corporate domain, and your password. All they have to do is get access into that domain, and they are in. Your username and password exist on the domain, and are only cached on your computer, which means that they can access your account from any computer that can get access to your corporate domain, such as a VPN or other remote connection. Another danger is that if they are able to steal your laptop (more on this later), they will have access to the data on it. Remember – these people are everywhere. And if they are shoulder surfing to get your log-in credentials, they are also following closely to look for an opportunity to grab your laptop as well.

The second (and more common) problem with being in close proximity to others is that they are often able to view what is on your screen. Are you working on a document with sensitive personal or company information? Composing an offline email that you really don’t want others (especially strangers) to know about? How about that PowerPoint presentation chock full of corporate proprietary sales or engineering data? Whatever it is, you have to either make sure you are only working on things that are completely dull and unworthy of your nosey neighbor’s interest, or make the screen un-viewable. In other words, either pick non-sensitive stuff to work on during these times, or find a way to hide the screen. For example, I usually pick some low-level instructional or procedure guide to work on while I’m flying, or just do some professional reading. I keep a lot of PDF white papers and “eBooks” from various online sources on my computer for reading while on the plane. My job is such that professional reading and just keeping are large parts of my work anyway – so it’s not like I’m goofing off.

Solutions: For the password problem, if you are on a computer that is joined to a corporate domain, use a local account on the computer (that does not have administrative privileges), and set a temporary password that will only be good for the duration of your trip. Of course, if you do this, you will have to make sure you know where to browse to on the computer to get to your documents in your “real” account, because the profile you log in with will have a “My Documents” folder in a different location. I get around this by accessing only documents that I have placed on a flash drive. If you are not joined to a domain, then just set a temporary password, and set it back to your actual password when you get home. One of the best solutions for this is to simply get a small fingerprint scanner to use to log into the machine. Many are small, portable, and just plug into the USB port. The newer laptops and tablet PCs even come with these built in. See my article on biometric devices for more information.

For the “prying eyes on the screen” problem, there are a variety of filters you can buy that will obscure the screen when someone tries to view it from other than looking at it straight on. This particular solution will also help to obscure your username and other login credential information as you log in. If they can’t see your username, the password will do no good. But again, don’t give them any pieces of the puzzle if at all possible. As I always tell people: “If they have even just your username, they then have 50% of the information they need to access your computer.”

Of course, being the wisenheimer that I am, if I notice someone trying to “catch a wave” on “shoulder beach”, I simply open a document, set the font to a larger size (to make sure they can easily read it), and then start typing in some juicy “official looking” verbiage. After a paragraph or two, I start a brand new paragraph, and type in “I think the nosey person sitting next to me is looking at what I am writing. I hope they enjoyed my previous two paragraphs. Now GO AWAY!” I have seen a red face or two resulting from that prank.


Using Flash Drives:

Flash drives are portable and can store a lot of data. Many people have resorted to using them because if they know they will have access to a computer at their destination, all they have to do is put their documents on the flash drive and leave the computer at home. Many cell phones and even iPods can be used for this purpose as well. The problem with these small flash drives is that they are easily lost or forgotten. It isn’t uncommon for someone to use them in a public or borrowed computer and then forget to take them when they are finished. A lost flash drive means lost data. Lost data can mean something as frustrating as losing work and having to do it all over again (if you didn’t have a backup copy somewhere else), or as devastating as putting sensitive information into a stranger’s hands.

Flash drives are cheap these days. If you lose the flash drive, you can just go get another one. But what about the data on the flash drive? Is it replaceable? Will it cost you if someone else has it? Another issue surrounding the ubiquitous nature of these things is that some people seem to have a whole lanyard full of them around their necks. Do you have a good inventory of how many you have? If one came up missing, how long would it take for you to notice? Kind of like the movie “Home Alone” where the family had so many kids that they didn’t notice little Kevin missing until they were in France!

Solution: The manufacturers of many of these drives have solved part of this problem for you. Flash drives have the ability to be encrypted, and the software to do that is often included with the flash drive itself. Typically, this encryption works by having you set up a password in order to access the data. You can encrypt all or only part of the flash drive’s contents. If someone gets a hold of your flash drive, they can access anything that is not encrypted, but will need to know your password to access the encrypted data. In some cases (depends on the drive and the encryption software), you can set your encryption such that if a number of unsuccessful password attempts occur the data on the drive will be erased. Know how many you have and keep track of them. If traveling, take only what you need – leave the other ones at home and in a safe place. I promise – they won’t miss you.


Using Common Area (Business Center) Computers:

Many hotels have business centers with computers to allow their guests to access the Internet and their web based email. In fact on my recent trip, I had full Internet access at the office I was visiting, but had to pay for Internet access if I wanted to use my laptop at the hotel. The only thing I needed after hours Internet access for was to check my personal email, and I wasn’t about to pay $10 just for 5 minutes of use. My remaining option then was to use the business center, since using those computers was free of charge.

A few problems present themselves in this scenario, however. One is that people use these public computers and often leave their surfing tracks for all to see. The other is that some people forget to just close out of their applications, and yet another is leaving those little flash drives plugged in for someone to come along and retrieve later. In fact, while in the hotel elevator on my most recent trip, I heard a woman telling her colleague that when he finished using the computer in the business center, he had left his email open, and she could have gone through all his email. Worse, she could have launched a few questionable emails in his name. This is truly a dangerous situation. What if it had been a stranger, and not a trusted colleague? That person could have read email, sent a few of their own (under the email account owner’s name), looked at the address book to get a list of names of people at the company, and just in general could do some serious damage. All this done under the name of the person who owns the account. How do you prove that it wasn’t you who did those things?

When I used one of the business center computers, I got curious and opened the browser history. I saw a plethora of email sites and surfing history. Wouldn’t be too hard to put together a few patterns and find out where some of these email servers existed. Depending on the cookies still on the machine, going to one of those sites may not even require me to log back in to access the account. The cookie would remember that I (or more accurately the email account owner) was just there and just let me right back in. This is especially true if the previous user had left the web browser open.

On a really malicious (and hopefully rare) side of things, a devious person could sneak into the hotel business center and put a keystroke logging dongle on the back of the computer between the keyboard and the computer, or in a USB port. Such a device is used to capture everything typed into the keyboard. Which means that they can get the URL to your banking site, the username and password for your banking site, and the contents of an email or anything else that you type into the computer. These key loggers have legitimate investigative purposes, but are inexpensive and can be obtained by anyone – including thieves. I say that this is (hopefully) rare, because most hotel business centers require a room key card to access – a person would (theoretically) have to be a paying guest in order to do this. But many public computers often do not offer such access protection as that provided by hotel business centers.

Solutions: For the reasons mentioned above, it is very important to inspect a public computer before you use it and to clean up after yourself when you are finished. It takes a few extra minutes to do this, but you can’t put a price on the time it would take to straighten out the mess after you have been exposed because you didn’t have time to prevent these vulnerabilities. Here are some important steps to take when using public computers:

  • Do a quick inspection of the back of the computer and any USB ports to look for key logging devices. If you find something, and are not sure, contact the management immediately and have them investigate.
  • Never select the option to have “Windows remember me on this computer.” Do not allow the computer to store your username and password on the machine. Some web based email applications such as MSN will give you an option to tell it that you are on a public computer and not remember anything about your session.
  • Delete browser history, all temporary Internet files, and all cookies when you are finished using the computer.
  • Make sure you are logged out of any sites that you visited. Just closing the browser is not good enough. You must click the “Log out” link on the web site before closing the browser.
  • Close all instances of the web browser and all applications.
  • Make sure you take your flash drive when you leave.

Being the cheapskate that I am, however, my solution is that I try my best to only patronize hotels and coffee shops that provide complimentary Internet access to their guests. That way, I can avoid public computers altogether. But sometimes that just doesn’t work out, and I end up staying somewhere that makes me pay additional fees for access. In which case, the above solutions are a must.


PDAs/Blackberrys/Cell Phones:

Many of the same problems that exist with flash drives exist with these devices as well. They are small, easily lost, and can really store a lot of information. A Blackberry, for example is a phone, email client, and PDA all rolled into one. Emails, contact lists, to-do lists, documents, and personal journals are just a few of the things that can be kept on these devices. A lost phone device can not only give away sensitive data, but can give someone access to a free phone. And watch what you are discussing. What you say can be as revealing as anything else – especially if you are one of those people who puts everything on speaker phone, even when in public.

Solutions: Just as you can do with your flash drives, you can password protect and encrypt the data on your PDA as well. On my Blackberry, for example, I can password protect access and encrypt the contents. Not only that, but my Blackberry is set so that if someone types in an incorrect password ten times, the Blackberry erases all of the contents. Then, for added security, the data is encrypted, so that even if someone takes apart the Blackberry, and somehow gets the data off of the chip, the data is encrypted and unusable. Don’t discuss anything on your phone that you don’t want others in close proximity to hear. If you are sitting next to me on the plane, just don’t use your phone – period! I have no interest in what you have to say ;)


Laptops:

Saving the best and biggest for last: Laptops (and the data on them) need a lot of protection. They can carry a lot of data, and are very attractive to thieves. Keeping the laptop from being stolen is a job in and of itself, but if it does get stolen, there is more to worry about than just losing an expensive piece of hardware. Keeping the data on it from being compromised is the really important issue at hand, and if someone can access the data, they can potentially do a great deal of damage.

A big part of this problem is that even if they can’t log into the computer itself, if they physically have the computer, they can remove the hard drive and put it into a computer that they can access. In fact, many data recovery techniques rely on taking the hard drive out of the failed (or in this case inaccessible) computer and “slaving” it into a working computer. The working computer’s primary hard drive allows it to be booted up, and the slaved-in hard drive contains data that can then be accessed. More clever people have freely available tools such as Knoppix (Linux on a CD) that they can use to boot up the computer, bypass the security on that computer, and access the data on the hard drive. In fact, Knoppix can even be used to change the administrative password on a computer so that access can be gained through the more conventional method of booting up and logging in.

Solutions: There are some basic measures that will protect against access to a computer, but only if the computer is not stolen. In other words, these measures will work if you can keep the computer from being stolen. But once the computer is in unauthorized hands, these measures can be quickly bypassed. You can set a BIOS password that will prevent the computer from being booted into the operating system. But this is bypassed by simply taking the hard drive out of the computer and putting it into a different computer. Strong passwords for the operating system itself should also be used. As mentioned above, consider using temporary or “disposable” passwords. Small biometric devices, such as fingerprint readers, are fairly inexpensive, and many laptop and tablet computers have a fingerprint reader built in. Unfortunately, this can still be bypassed by putting the hard drive in another computer, or using a tool such as Knoppix to access the hard drive’s contents.

Encrypting the hard drive contents will help a great deal, even if the computer is stolen. Windows XP has the ability to do this using a built in feature. Windows Vista has a built in tool called BitLocker. Technologies such as that which is built into the BitLocker feature, for example, have the ability to protect data even if the hard drive is transferred to another computer. The downside of that is that you need to make sure you remember your password for logging into the computer, or set up what is known as a “recovery agent,” or you will lose your encrypted data.


Wrapping It All Up:

There are many other dangers that I haven’t mentioned here, such as accessing wireless networks while on the road, but that is a topic in and of itself. Wireless encryption, making sure you are not accessing an “evil twin” wireless access point, and a few other issues will be discussed in an upcoming article.

But for the purposes of this article, I wanted to focus mainly on the more “physical” aspects of being secure on the road, as well as using built-in technologies to protect your data. Shielding your laptop screen from roaming eyes and preventing laptop theft are important ideas. If your laptop is stolen, knowing that you took measures to prevent the data from being usable by unauthorized people is also a very important idea. Other technologies, such as flash drives, cell phones, and PDAs represent things that are small, easily forgotten, or easily stolen. Those items contain sensitive data as well, and must have data security measures proactively applied. Once the data is in unauthorized hands, it must be assumed that it will be used for malicious or illegal purposes. Even if you retrieve your items, it must also be assumed that the information was copied and will be used – unless you took measures to make it useless in the event that a loss occurs.

It is easy to be complacent when traveling. And, unfortunately, there are plenty of people out there willing to take advantage of this fact. By taking a few extra moments to think about what needs to be protected, take inventory of your technology rich possessions, and take the extra time to protect your data, you will ensure a more worry-free travel experience. If I ever go into a hotel business center and see that you left your email open – man – I will hunt you down! (After I email a few jokes to your whole company, that is)


Additional Resources:

  • Theft tracking tools
  • Encrypting files and folders

Wednesday, May 02, 2007

The First 90 Days of an Operating System

People who know me know that I often complain about Microsoft systems because of the constant vulnerabilities they seem to have. "Patch Tuesday" is always an interesting time for me, as it typically provides a lot of work. But I read a recent article that outlined the vulnerabilities that occurred within the first 90 days of the life of various operating systems. It was funny to see that, of all the operating systems discussed in the article, Red Hat Enterprise Linux 4 Workstation Reduced actually led the way with the most vulnerabilities in the first 90 days. Also mentioned were Ubuntu Linux, Novell SLED 10, and Mac OS X 10.4, all of which had more vulnerabilities than both Windows XP and Windows Vista combined.

It appears that 1) Windows Vista has made great strides in plugging security weaknesses, and that 2) The Linux folks need to reassess their stance on just how much more secure Linux is than Windows. A thought from someone who tests and deploys patches on Windows systems from month to month: I still see a lot of work to be done, but this article really makes us security professionals step back and realize that security vigilance is important, no matter what OS you are working with.

I guess what I am trying to say here is that there is a lot of stereotypical information about where the problems are. As I mentioned in a previous article: Microsoft is really not the problem. The problem is in that people get so wrapped around the axle on making assumptions about that which they are familiar with. For example, the Linux people will swear that Linux is flawless, and the Novell people will feel likewise. Much vigilance gets lost regarding educating users, and just keeping up on the day to day maintenance of the systems you do have. Educate your users, keep your systems patched, and at the end of the day, you Windows users will have an environment that is every bit as safe as that which the Linux folks claim to enjoy.

Federal Information Systems - Information Assurance Reference

I wanted to take this opportunity to post a quick "cheat sheet" on the various resources needed for the certification and accreditation (C&A) of federal information systems, as well as some other related resources. A number of federal C&A things are changing. For example, rather than using the NIST 800-26 self assessment questions, C&A will be done by making assessments against the NIST 800-53 controls. Some organizations use NIST 800-53, and some use 800-53, Rev 1. Here is a quick list of the publications and regulations that apply to federal systems. Enjoy.

National Institute of Standards and Technology (NIST):

SP 800-100
Information Security Handbook: A Guide for Managers

SP 800-12
An Introduction to Computer Security: The NIST Handbook

SP 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems

SP 800-18
Guide for Developing Security Plans for Federal Information Systems

SP 800-23
Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

SP 800-26
Security Self Assessment Guide for Information Technology Systems

SP 800-27
Engineering Principles for Information Technology Security (A Baseline for Achieving Security)

SP 800-30
Risk Management Guide for Information Technology Systems

SP 800-31
Intrusion Detection Systems (IDS)

SP 800-34
Contingency Planning Guide for Information Technology Systems

SP 800-36
Guide to Selecting Information Technology Security Products

SP 800-37
Guide for Security Certification and Accreditation

SP 800-42
Guideline on Network Security Testing

SP 800-47
Security Guide for Interconnecting Information Technology Systems

SP 800-51
Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

SP 800-53
Recommended Security Controls for Federal Information Systems

SP 800-53 Rev 1
Recommended Security Controls for Federal Information Systems, Revision 1

SP 800-53A (DRAFT)
Guide for Assessing the Security Controls in Federal Information Systems

SP 800-55
Security Metrics Guide for Information Technology

SP 800-56
Recommendation on Key Establishment Schemes

SP 800-57
Recommendation on Key Management

SP 800-60
Guide for Mapping Types of Information Systems to Security Categories

SP 800-61
Computer Security Incident Handling

SP 800-64
Security Considerations in the Information System Development Lifecycle

SP 800-70
Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers

-------------------------------------------------------------


Federal Information Processing Standards (FIPS):

FIPS 140-2
Security Requirements for Cryptographic Modules

FIPS 199
Standards for Security Categorization of Federal Information and Information Systems

FIPS 200
Minimum Security Requirements for Federal Information Systems

-------------------------------------------------------------


Office of Management and Budget (OMB):

OMB Circular A-123
Management's Responsibility for Internal Controls

OMB Circular A-130
Management of Federal Information Resources

OMB Circular A-130, Appendix III
Security of Federal Automated Information Resources

-------------------------------------------------------------


Laws and Regulations:

FISMA
Federal Information Security Management Act of 2002

-------------------------------------------------------------


Other Publications and Useful Information Assurance References:

CNSS
Committee on National Security Systems

Common Criteria
Common Criteria for Information Technology Security Evaluation

Common Criteria - An Introduction
Brochure: An Introduction to the Common Criteria Project

DIACAP
DoD Information Assurance Certification and Accreditation (will replace DITSCAP)

DITSCAP
DoD Information Technology Security Certification and Accreditation Process

GAO-05-231
Emerging Cybersecurity Issues Threaten Federal Information Systems

Mitre
Common Vulnerabilities and Exposures

NIACAP
National Information Assurance Certification and Accreditation Process

NIAP
National Information Assurance Partnership

NIATS
National Information Assurance Training Standard for System Administrators

NIST and SDLC
Brochure: NIST and the Systems Development Lifecycle (SDLC)

US-CERT
United States Computer Emergency Readiness Team

-------------------------------------------------------------


Topic Reference:

Security Certification and Accreditation
SP 800-37
NIACAP
DITSCAP
DIACAP

Security Categorization (C-I-A, High, Moderate, Low)
FIPS 199
SP 800-60