Friday, December 26, 2008

Will your cellphone spill your secrets

As the title suggests, Will your cellphone spill your secrets focuses on privacy exposures from lost cellphones, but of course the same considerations apply to other gizmos.

The loss of a gizmo is more than just a privacy issue: we become very attached to, if not dependent on, them. Speaking personally, I'm terrible at remembering names, let alone phone numbers, email addresses, passwords and so forth, so I rely heavily on the technology to do the remembering for me. Naturally, being a security freak, I use encryption and other controls to protect such sensitive information, so the privacy side is less of a concern to me than simply losing access to all that valuable information ... so don't forget backups. Decent backups. Off-line backups, with the backup media stored securely. It's a bit of a pain to take them, but it's far worse to lose a gizmo (whether by leaving it on the back seat of a cab or on the roof of a car, having it stolen, dropping it in a puddle, or some other accident or hardware failure ... thinking about it, there are quite a few ways!) and not be able to recover the data.

Here are some simple tips to reduce the risk:
- Transfer new phone numbers from your cellphone to a diary/contacts database such as Outlook every so often and, while you're at it, look through the contacts for any that should be put on your phone. Try to make this a routine activity, perhaps once every month or two;
- Make a separate database of important contacts, for example to feed a form letter notifying them of change-of-address details. Keep a copy of this with you when you travel;
- Use encryption and the other access controls available, such as a PIN code to unlock your phone, SIM card, PDA etc.;
- Avoid taking all your gizmos with you when traveling - just the ones you need - and try to keep them physically about your person (e.g. not in checked-in hold baggage);
- Make an inventory of your gizmos with models, serial numbers, distinguishing marks etc. so that if you lose any, you can at least describe them properly to the police or the Lost and Found office;
- Use those 'distinguishing marks' proactively to identify your gizmos, e.g. mark the case with your name, phone number, email address or whatever, trying not to make the privacy exposure even worse while making it easier for finders to return them to you;
- Don't forget to erase personal data properly from gizmos when disposing of them. A simple 'delete' is unlikely to be sufficient: it normally removes only the directory entry and leaves the data itself sitting on the media until something happens to overwrite it. See NIST's SP800-88 (Guidelines for Media Sanitization) for the whole nine yards.
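To see why a plain 'delete' is not sanitization, here is an added example (mine, not from the article or from NIST) that models a FAT-like volume in Python: deleting a file drops only its directory entry, so a raw scan of the media still carves out the phone numbers it contained, and an SP800-88 'Clear' style overwrite of every block is what actually removes them. The volume layout, the contacts data and the carving pattern are all constructed for the example. One caveat for the gizmos this post is about: on flash memory (phones, SSDs, thumb drives) wear levelling means an overwrite issued through the file system may not reach every physical cell, which is why later revisions of SP800-88 point to the device's own sanitize command or cryptographic erase for such media.

```python
import re

BLOCK_SIZE = 64   # bytes per block; small so the whole "disk" is easy to inspect
NUM_BLOCKS = 16

# Constructed sample data: a contacts file of the kind a phone or PDA would hold.
CONTACTS = (b"Alice Example +44 20 7946 0000\n"
            b"Bob Example +1 555 0100\n")

# Pattern for carving phone numbers out of raw bytes: a '+' followed by digits/spaces.
PHONE_RE = re.compile(rb"\+\d[\d ]{6,}\d")


class ToyVolume:
    """Minimal model of a FAT-like volume (constructed for this example): a directory
    mapping file names to (block list, length) plus a flat array of data blocks."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.free = list(range(NUM_BLOCKS))
        self.directory = {}

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)          # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (used, len(data))

    def read(self, name):
        used, length = self.directory[name]
        raw = b"".join(self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] for b in used)
        return bytes(raw[:length])

    def delete(self, name):
        """What 'delete' does on most file systems: remove the directory entry and mark
        the blocks free. The bytes in the blocks are not touched."""
        used, _ = self.directory.pop(name)
        self.free.extend(used)

    def clear(self):
        """SP800-88 'Clear' for magnetic media: a single pass writing a fixed value over
        every addressable block, followed by an empty directory."""
        self.blocks[:] = bytes(len(self.blocks))
        self.free = list(range(NUM_BLOCKS))
        self.directory = {}


def carve_phone_numbers(volume):
    """Scan the raw media, ignoring the directory, the way a recovery tool would."""
    return {m.group(0).decode() for m in PHONE_RE.finditer(volume.blocks)}


def demo():
    """Returns the numbers recoverable after a plain delete and after a Clear."""
    vol = ToyVolume()
    vol.write("contacts.txt", CONTACTS)
    vol.delete("contacts.txt")
    after_delete = carve_phone_numbers(vol)   # still present on the media
    vol.clear()
    after_clear = carve_phone_numbers(vol)    # gone
    return after_delete, after_clear


if __name__ == "__main__":
    deleted, cleared = demo()
    print("after delete:", sorted(deleted))
    print("after clear: ", sorted(cleared))
```

Running it shows both numbers carved straight out of the "free" blocks after the delete, and nothing after the overwrite; the directory never entered into it.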

Wednesday, December 24, 2008

Ultraportables - are they really "special"

"Ultraportable" lightweight slimline laptops are all the rage, apparently (I've been using them for years already - ahead of my time maybe, or just wary of the old luggable portables?). A Computerworld piece "Small laptops pose a big security threat" claims that because they run with "a stripped down" Linux or Windows XP operating system instead of, presumably, Vista, they are inherently insecure. Well maybe there are drawbacks but I'm not entirely convinced that they are significant - properly configured, I would rate XP and Linux at least as if not more secure than Vista.

On the physical security front, there are arguments both ways. Ultraportables may have less physical protection, making them more vulnerable to knocks (less so those with solid-state drives), and they are perhaps more likely to be lost or stolen because of their portability. On the other hand, I carry mine in a standard briefcase or portfolio rather than an obvious "laptop bag", making theft less likely, I hope.

The article's comments on WiFi and USB connectivity are irrelevant since the same applies to standard laptops, and I really don't agree with the author's suggestion that ultraportables are treated carelessly, like toys, except perhaps in the case of the very cheap ones. The truth is that, for many years now, the value of personal and corporate data on the average PC has far outstripped its hardware replacement value. The equipment is, in corporate terms, disposable with near-zero book value, though the data on it or accessible from it may well be the most valuable asset [not] on the company's books.

The article's final points about the need for user security awareness ring true at least.
"Employee education in acceptable-usage practices is a must, regardless of the IT security systems used, Enderle says. Leja agrees. "You have to count on continual security awareness," she says. "Make sure that [students or employees are] being conscientious, and then use the few tools that do exist to help."
Hear hear!

Friday, December 19, 2008

HMG loses two gizmos a week

In the past year, the British Government admits to having lost:
  • 53 computers
  • 36 BlackBerrys
  • 30 mobile phones
  • 4 memory sticks; and
  • 4 disc drives.
If we assume that the devices had just 1 GB of data storage each (a low estimate for some, I'm sure), that's 127 GB of data gone walkies. Some of them were hopefully strongly encrypted - let's be generous and say half, bringing the exposure down to 63.5 GB of unencrypted data. By my calculation, that's equivalent to a pile of printed paper more than 50 feet high.

The reported number of lost devices is certainly an underestimate, since (a) it is self-reported by government departments; (b) it excludes the Ministry of Defence and the Home Office, which did not respond to the request for information; (c) government employees probably use, and lose, personal devices for official work; and (d) it excludes other formats, e.g. lost CDs/DVDs and actual paper.

As to whether it is acceptable for Her Majesty's Government to lose at least 50 feet of printed papers per year, that depends on whether your privacy was compromised I guess.

Tuesday, December 16, 2008

Gizmo security cluelessness

Looks like McCain's team need to read the latest NoticeBored module on security for gizmos ... oh wait, it's too late. They sold at least one information-packed BlackBerry to a reporter ...

Wednesday, December 03, 2008

Gizmo security awareness

December's NoticeBored module covers security issues associated with gizmos. Please visit the website or read the newsletter to discover what gizmos are and find out about the security issues.

Saturday, January 26, 2008

New security standard for teleworkers

NIST Special Publication SP800-114 is a new User's Guide to Securing External Devices for Telework and Remote Access.

"Many people telework (also known as telecommuting), which is the ability for an organization’s employees and contractors to conduct work from locations other than the organization’s facilities. Teleworkers use various devices, such as desktop and laptop computers, cell phones, and personal digital assistants (PDA), to read and send email, access Web sites, review and edit documents, and perform many other tasks. Most teleworkers use remote access, which is the ability of an organization’s users to access its nonpublic computing resources from locations other than the organization’s facilities. Organizations have many options for providing remote access, including virtual private networks, remote system control, and individual application access (e.g., Web-based email)."

The 14,000 customers of an ISP who lost their email accounts (see our previous blog entry) would have been far better placed had they followed the 46 pages of free but sound advice in SP800-114. Its scope is much broader than data backups, covering aspects such as securely configuring and maintaining operating systems, using VPNs for remote access, etc.

Sunday, October 07, 2007

Password protected =/= Hacker proof?

Gosh: another stolen laptop contains personal data. But it's OK, we're told, because the laptop is "password protected".

"Password protected" could mean a BIOS boot password, a hard drive access password, a Windows/UNIX user login password, or a data encryption key. Using hacker or forensics techniques, all but the latter control can be broken, and even encryption can often be brute-forced given enough time and a weak pass phrase. If the laptop's data or entire hard drive had been strongly encrypted, we'd presumably have been told so and the people whose personal data are on the stolen laptop could sleep easier.

Call me paranoid but "password protected" sounds very much like "insecure" to me.

At least the Gap company 'fessed up that their stolen laptop was unencrypted.

UPDATE Dec 9th 2007: after a laptop was stolen from a Citizens' Advice Bureau employee's car, the CAB confirmed that it was protected with "a high level of encryption". Presumably 'high level' means strong encryption using a current algorithm (such as AES) with a 128- or 256-bit key, and a strong password/passphrase policy, ruthlessly enforced (long non-dictionary phrases). The passphrase matters at least as much as the key length: a 256-bit key that is unlocked by a short dictionary word is only as strong as the word, and the word is what a thief will guess at. Anyway, if it were my personal data on the laptop, the fact that the PR people specifically state that the laptop was encrypted would give me a lot more confidence than the usual mention of "password protection".

This is doubly important if you are, say, a government that regularly loses hundreds of laptops and desktops per year.
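An added example (mine, not from any of the incidents or products mentioned above) of why the passphrase, not the key length, usually decides how long "encrypted" data stays secret. It models what disk-encryption products do: derive the key from the passphrase with PBKDF2 and store a key check value in the volume header so that the right passphrase can be recognised. That same check value is what an attacker tests guesses against. With a weak passphrase the dictionary attack below recovers it in moments despite the 256-bit key; the entropy helper shows that an 8-character mixed-case alphanumeric password offers under 48 bits of search space, while six random words from a 7,776-word list offer about 78. The salt, iteration count, word list and passphrases are all constructed for the example, and the iteration count is deliberately far lower than a real product would use so that the demonstration runs quickly.

```python
import hashlib
import hmac
import math

# Constructed parameters (not taken from any real product).
SALT = bytes.fromhex("9d0e7f3a1c2b4d5e6f708192a3b4c5d6")
ITERATIONS = 1000   # deliberately low so the demo runs fast; real products use far more
KEY_BYTES = 32      # 256-bit key, as for AES-256

# Constructed word list standing in for the top of a real cracking dictionary.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey", "football",
            "welcome", "shadow", "master", "sunshine", "princess", "baseball"]


def mangle(word):
    """Simple mangling rules of the kind every cracking tool applies."""
    return [word, word.capitalize(), word + "1", word + "123", word + "!",
            word.capitalize() + "1", word.capitalize() + "!"]


def derive_key(passphrase, salt=SALT, iterations=ITERATIONS):
    """Passphrase -> 256-bit key. The key is always 256 bits long; the number of
    keys an attacker actually has to try is the number of likely passphrases."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations,
                               dklen=KEY_BYTES)


def key_check_value(key):
    """Tag stored in the volume header so software can tell a right passphrase from
    a wrong one without decrypting the whole disk. Guesses are tested against it."""
    return hmac.new(key, b"volume-header-check", hashlib.sha256).digest()[:16]


def protect(passphrase):
    """What the 'encrypt the laptop' step leaves on disk for the thief to see."""
    return key_check_value(derive_key(passphrase))


def dictionary_attack(kcv, wordlist=WORDLIST):
    """Try each word and its manglings; return the passphrase that matches, or None."""
    for word in wordlist:
        for candidate in mangle(word):
            if hmac.compare_digest(key_check_value(derive_key(candidate)), kcv):
                return candidate
    return None


def passphrase_entropy_bits(length, alphabet_size):
    """Search space, in bits, of a uniformly random passphrase of `length` symbols
    each drawn from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def effective_bits(passphrase_bits, key_bits=KEY_BYTES * 8):
    """The attacker pays the cheaper of guessing the passphrase or guessing the key."""
    return min(passphrase_bits, key_bits)


if __name__ == "__main__":
    weak = protect("Dragon1")
    print("weak passphrase recovered:", dictionary_attack(weak))
    strong = protect("orbit velvet ladder cactus thimble grain")
    print("strong passphrase recovered:", dictionary_attack(strong))
    print("8 chars from 62 symbols:", round(passphrase_entropy_bits(8, 62), 1), "bits")
    print("6 words from 7776-word list:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
    print("effective strength, 256-bit key:", effective_bits(passphrase_entropy_bits(8, 62)))
```

The iteration count is the one knob the product vendor controls: it multiplies the cost of every guess, but it cannot turn a 48-bit search into a 256-bit one, which is why the passphrase policy has to do the rest.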

Wednesday, June 20, 2007

Thumbs down for security

A professor on holiday in Madagascar lost a USB drive containing personal data on ~8,000 students, and another one stolen from a Michigan university contained info on ~3,000 students. Both incidents exposed students' names and Social Security Numbers, and could potentially lead to identity theft.

We hear about these kinds of incident because the organizations have to inform the data subjects, and word either leaks out to the media and public or they come clean through press releases.

We don't often hear about such incidents:
- in places where there is no compulsion to inform data subjects about them
- where the loss is unnoticed or goes unreported
- involving loss/disclosure of proprietary or military as opposed to personal information
- on a smaller scale, where it is not considered so newsworthy

... in other words, it's even worse than it seems. USB flash memory drives should be routinely encrypted.

Wednesday, May 09, 2007

Insider threat - USB thumb drive

"A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door. This is just one of the scenarios that security professionals and IT managers are increasingly worried about. According to one recent study, IT managers said portable storage devices, such as thumb drives and MP3 players, have surpassed even malware to become a top concern."

I presume reporter Sharon Gaudin from Information Week has simply swallowed and regurgitated the blurb from Bill Piwonka (yes, that's his real name - I couldn't make 'em up), VP of product management for Centennial Software, which conducted a "survey" at the InfoSec security conference in London. [Would you be surprised to hear that the company sells a "solution" to control access to USB drives?] The scenario described above looks more like an insider threat example to me. The fact that the worker used a USB thumb drive is incidental: it could equally have been a USB hard drive, a CD-ROM, or even pen and paper. She could have emailed it to herself or an accomplice, perhaps ZIPped up with 256-bit AES to bypass any content inspection. Preventing the abuse of USB thumb drives is hardly going to stem the flow.

Wednesday, January 24, 2007

More USB thumb drive mischief

Manufacturing Computer Solutions, one of the lesser-known sources of cutting-edge information security news (I love you, Google!), is reporting a security study by the NCC Group. Seems the NCCG delivered a "party invitation of a lifetime" gift box (a Trojan-horse-shaped box would have been the icing on the cake!) containing a USB drive to finance directors at 500 UK companies and, surprise surprise, the clueless ones simply plugged the USB drives into their machines. Compounding the problem, many even clicked the "Yes, I want to install some software" option without a clue about what the software was actually going to do.

Paul Vlissidis, NCCG's head of penetration testing, said: “This demonstrates a fundamental lack of healthy suspicion by IT users, even at a senior level. The need for real security awareness has never been greater… This kind of technique could easily be adopted by genuine hackers and these directors could have seriously jeopardised the security of their company’s networks. Not only could fraudsters have customers’ or employees’ personal details to steal their identities, but they could also have gained full control of an FD’s email account, allowing them to access information regarding forthcoming unreleased trading statements or even results which they could then use to influence share dealing.”

So, now we know (for sure) that the 'free USB thumb drive' trick is yet another social engineering technique that works well. The big unanswered question is what we are actually supposed to do about the threat. 'Raising awareness' is much easier said than done, and getting people to change their behavior even more so. Perhaps USB lock-down technology (and/or Sumitomo's superglue solution) is the best option here, with the added benefit of frustrating those wayward employees who would steal gigabytes of data from right under the noses of their managers, colleagues and security guards using thumb drives or iPods.

More security awareness, social engineering and mobile IT security links.

Tuesday, October 10, 2006

The reality gap

An international survey reveals a fascinating discrepancy between what teleworkers say they do in the way of information security and what they actually do. For example, about a quarter admit to personal use of company laptops, yet around half say they shop online (OK, some might be shopping with the corporate credit card, but probably not all of them). There are significant implications for those of us who use questionnaires and interviews to assess the level of security awareness. Essentially, the survey warns us not to believe everything we are told, and to beware of the gap between perception and reality.

More links on teleworking security and security awareness

Friday, October 06, 2006

Laptop security is a top priority

ZDnet reported "The Sans Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority. The Sans report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain." I would of course agree that loss or theft of data on laptops is important ... along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.

More portable IT security and wireless networking links

Wednesday, September 27, 2006

Disabling USB storage

A few organizations that recognize the security issues created by USB thumb drives, hard drives, CD-RWs etc. decide to lock down the USB ports on their systems. The usual way to do this is to buy, test and install additional USB control software. A Microsoft MVP (Most Valuable Professional) has come up with a low-cost alternative using native Windows functionality, specifically Group Policy. WindowsDevCenter explains how to define a policy to disable the USB storage driver, and a Microsoft Knowledge Base article contains the necessary settings: the Start value of the USBSTOR driver service (under HKLM\SYSTEM\CurrentControlSet\Services\UsbStor) is set to 4, i.e. disabled, and users are denied access to the usbstor.inf and usbstor.pnf files so that the driver is not re-installed the next time a storage device is plugged in. This looks like a viable option if all you want is to turn off USB mass-storage devices on your Windows network machines. Be clear about what it does not do, though: it disables only the mass-storage class driver, so USB devices that use other drivers (keyboards, mice, network adapters) keep working, and anyone with local administrator rights can simply set the value back. If you need more fine-grained control, such as allowing read but not write access, or logging and reporting use of the devices, you'll presumably still have to buy, test and install the USB control software.
More portable IT security links

Tuesday, September 26, 2006

Over 1,000 unencrypted laptops missing

The Washington Post reports that over 1,100 laptops have gone missing from the US Commerce Department since 2001. Congress was told that "1,137 laptops had been stolen, lost or otherwise vanished since 2001, mostly from the Census Bureau and the National Oceanic and Atmospheric Administration. Of these, 249 contained personally identifiable information, nearly all from the Census Bureau. All were password-protected, a low-level safeguard. Only 107 of the computers were fully encrypted." So if the Census Bureau or other parts of the Commerce Department have sensitive data about you on their laptops, you'd better hope it is on one of the one-in-ten encrypted systems.
More laptop security links

Monday, September 25, 2006

iPod slurping

Slurp is a program that copies MS Office files from the C:\Documents and Settings area onto the hard drive of an iPod through a PC’s USB connector. The risk is that someone with physical access to the PCs in your office (such as a hacker in the guise of an unescorted visitor, maintenance worker or cleaner) may walk out with much more than ripped MP3s on their iPod.
More portable IT security links

Thursday, September 21, 2006

Portable IT mishaps

A list of the top ten out of 50,000 jobs handled in 2006 by data recovery specialists DiskLabs reveals a number of threats to portable IT devices not specifically considered in the NoticeBored newsletter this month. Some of them have the ring of "the dog ate my homework" but they appear vaguely credible. Perhaps we should add "jilted lovers" to the standard list of IT threats we consider?
More portable IT security resources

Tuesday, September 19, 2006

USB drive security woes

The press release for a survey of information security relating to USB thumb drives and other removable media mentions a number of incidents involving the little blighters. Small drives cause big problems includes the line "Some alarmed companies are even super-gluing USB ports shut so data cannot be downloaded from PCs and laptops." This may be a reference to an attempted theft of £220m (US$423m) from Sumitomo bank in London using keyloggers, after which Sumitomo reportedly gunked up its USB sockets. According to the BCS article, the National High-Tech Crime Unit (since absorbed into the Serious Organised Crime Agency, SOCA) described USB devices as the 'Swiss army knife of the cyber criminal'.
More links on securing portable IT

Wednesday, September 06, 2006

Laptop hacking step-by-step

In a piece ostensibly in the same vein as Catch Me If You Can, Spies Among Us or Know Your Enemy, the author of Laptop hacking step-by-step invites us to consider how data thieves or hackers might break into laptops in order to identify the necessary security controls. The laptop security vulnerability assessment is rather narrowly focused, highlighting certain issues (such as missing or weak passwords) and controls (such as disk encryption) but completely missing many other issues (such as lost data or malware) and controls (such as backups and antivirus).
More on mobile security

Tuesday, September 05, 2006

Bugging you

And now for something completely different.
More links on bugs! and other portable security issues

Thursday, August 24, 2006

US hospital laptop theft puts 28,000 IDs at risk

A Beaumont Hospital Home Care laptop was stolen from the car of a home care nurse, reports Metro Detroit. The nurse, a new employee, "broke hospital policy by leaving her access code and password with the computer". Doh! Data on more than 28,000 present and former patients have been compromised. "The best protection is to train and educate people who use this information as part of their jobs, to have an awareness of the things they need to do to keep this protected," said Michael Friedman, an attorney in Detroit who has handled several HIPAA cases. "It's not a sophisticated technological solution." Having covered identity theft in this month's NoticeBored security awareness module, we'll be moving on to mobile/portable IT and teleworking next month ... what more can we do to encourage organizations to invest proactively in security awareness?
More identity theft links

Saturday, August 19, 2006

Two more contractors lose client personal data

A news item in Computer World reports that Unisys (in conjunction with the Veterans Administration and the FBI) is offering a $50,000 reward for information leading to the return of a missing desktop computer containing personal data on 38,000 vets. The machine went missing from a Unisys office.
The same article notes the theft from an unnamed accountancy firm of a portable PC containing personal details on an unknown number of Chevron employees. Another report on the Chevron incident says the firm notified employees that "a laptop computer was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans". The data included names and Social Security Numbers (at least), and was protected 'by a password'. The absence of any clear statement regarding the use of encryption is worrying, but all too common. Wake up!
More identity theft info

Saturday, April 22, 2006

Boeing worker data on stolen laptop

The Seattle Times reports yet another security breach involving the potential compromise of thousands of confidential personal details. "The laptop was grabbed from a Boeing human-resources employee at an airport," said company spokesman Tim Neale. "The laptop was password-protected and was turned off," he said. But the file containing the names, Social Security numbers and in some cases, addresses and phone numbers for 3,600 current and former employees was evidently not encrypted, despite a directive issued five months ago to remove or encrypt all sensitive information on laptops.
Whereas a few years ago it would have been infeasible for anyone to carry 3,600 personnel records without a large trolley for the filing cabinets, all modern laptops have ample hard disk space for the data and a whole lot more. They also have the CPU capacity to apply strong encryption. Boeing is certainly not alone in failing to apply suitable security measures to protect sensitive data on vulnerable hardware.
More confidentiality resources.

Friday, August 05, 2005

Data security and backup

Data security and backups can be a pain for roving users of portable PCs, but SecureTrieve is an attractive option. The system protects data stored on the PC using AES encryption and makes off-site backups over the web. Without the user's password, a thief can't easily see the encrypted files, and even if he can get at them, AES protects them (provided the password is a strong one). Meanwhile, the user can retrieve his valuable data from the off-site backup onto another machine. Combining this with PC Phone Home might even give the user a fighting chance of finding the stolen PC when it next connects to the web.
More mobile and teleworking security resources

Thursday, July 07, 2005

Man charged with stealing WiFi signal

A Florida man has been charged with unauthorized access to a WiFi network. The man admitted using a laptop PC in an SUV parked outside the house to 'steal' WiFi access. The case will presumably center on whether the WiFi network was adequately secured - most aren't.
More wireless networking security and anti-hacking resources

Saturday, May 14, 2005

Fraudulent laptop sales

Police are warning of a street con involving the sale of what purports to be a laptop, only the bags are swapped and victims find they have actually bought a load of rubbish [the police don't actually say which make of PC is involved].
More IT fraud links here

Tuesday, March 29, 2005

Prevent malware and data leakage via USB sticks

GFI LANguard Portable Storage Control is an example of a software product to control the use of USB memory sticks, smartphones, MP3 devices etc. It can help avoid the introduction of malware as well as preventing the removal of confidential data.
More malware and confidentiality resources
