
Many businesses run their own wireless infrastructure, and many know they need to protect it. But how do you know when it is time to use a stronger encryption algorithm to protect the data sent over the air?

Generally, there are two possibilities. One is to wait until hackers break into your network by exploiting the easy-to-break WEP encryption on your wireless network and, as a result, steal millions of customers’ credit card numbers and personal data. Example: the TJX story.

The second, and the better possibility, is to do it before your (or your client’s) organization is prominently featured in the Wall Street Journal. Example: the TJX story.

Here’s a short excerpt of what should make every IT director think about switching from WEP to WPA or better.

Investigators found that TJX was using a weak encryption protocol to protect its consumer data in July 2005, when hackers first broke into its computer system. The protocol, known as Wired Equivalent Privacy, or WEP, isn’t recommended by security experts even for wireless home networks because it is so vulnerable to hackers.

TJX decided to upgrade to a more secure Wi-Fi Protected Access encryption protocol at the end of September 2005, Canadian officials said. By then, however, hackers had been able to access the company’s internal transaction database. They did so initially from outside two stores in Miami, the probe found.

- TJX’s Security System Faulted in Canada Probe, Wall Street Journal, September 26, 2007.

August 6th, 2007 by dm Authentication, Government 1 Comments

From Slashdot.org:

"The Treasury Inspector General for Tax Administration reports that its inspectors were able to get IRS employees to improperly disclose their user names and passwords over 61% of the time. 60,000 of the IRS’s 100,000 employees and contractors thus are susceptible to computer hackers, putting personal taxpayer information at risk for unauthorized disclosure, theft and fraud. ‘Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller … The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.’"


January 25th, 2007 by dm Authentication, Forensics, Privacy none Comments

steganography (n.) The practice of hiding messages, often by writing them in places where they may not be found. Often (wrongly) used to mean the same as cryptography which relates to encoded messages.

Why Use Steganography?

Unlike encryption, steganography (or stego for short) is useful to "hide" data in a way that a third party would not know of its existence and hence would not try to break its encryption or force the encryption key from its owner.

There are many uses for steganography, especially in the information security and privacy field. You may want to exchange sensitive information like passwords or shared secrets over an insecure transmission protocol, such as email or ftp. You can embed secret files that should be available to selected audience. You can embed copyright information into digital files and control distribution of content. You can store your own sensitive information in an image, upload it to a flickr, and have the information available anywhere in the world (subject to decryption, of course.)
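To make the "hide it so nobody looks for it" idea concrete, here is an added example (not code from this post or from any of the tools listed below) of the simplest stego technique, least-significant-bit embedding, together with the kind of statistical check a defender can run to detect it. The "image" is a constructed sequence of 8-bit pixel values with a mild bias toward even values, standing in for the uneven value distribution of a real photograph; the payload is random bytes standing in for an encrypted file. Both the cover generator and the chi-square threshold are assumptions for the demo.

```python
import random
import struct

# Constructed example: a one-channel 8-bit "image" is just a sequence of pixel
# values 0..255. A real image would come from a decoder such as Pillow.

def make_cover(n: int, seed: int = 7) -> bytes:
    """Constructed cover with a sensor-like bias toward even pixel values, so the
    value pairs (2k, 2k+1) are NOT equally frequent, as in a real photograph."""
    rng = random.Random(seed)
    weights = [3 if v % 2 == 0 else 1 for v in range(256)]
    return bytes(rng.choices(range(256), weights=weights, k=n))

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each pixel: a 32-bit length
    header first, then the payload bits, most significant bit first."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload does not fit: need %d pixels, have %d" % (len(data) * 8, len(cover)))
    stego = bytearray(cover)
    for i in range(len(data) * 8):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload written by embed_lsb."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray(count)
        for i in range(count * 8):
            out[i >> 3] |= (stego[start + i] & 1) << (7 - (i & 7))
        return bytes(out)
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    return read_bytes(32, length)

def chi_square_pairs(img: bytes) -> float:
    """Westfeld/Pfitzmann 'pairs of values' statistic. LSB embedding only moves a
    pixel between 2k and 2k+1, so embedding random-looking (e.g. encrypted) data at
    full capacity drives the two counts of every pair toward equality and the
    statistic toward zero; an untouched cover keeps its natural imbalance."""
    hist = [0] * 256
    for v in img:
        hist[v] += 1
    stat = 0.0
    for k in range(128):
        observed, expected = hist[2 * k], (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected > 0:
            stat += (observed - expected) ** 2 / expected
    return stat

def demo() -> dict:
    cover = make_cover(8192)
    # 1020 random bytes + 4-byte header = 8192 bits, i.e. the cover's full capacity
    secret = bytes(random.Random(42).getrandbits(8) for _ in range(1020))
    stego = embed_lsb(cover, secret)
    return {
        "recovered_ok": extract_lsb(stego) == secret,
        "chi2_cover": chi_square_pairs(cover),
        "chi2_stego": chi_square_pairs(stego),
    }

if __name__ == "__main__":
    print(demo())
```

The detector works only because the payload is random-looking and fills the cover; a short ASCII note embedded in a large image barely moves the statistic, which is why real steganalysis also looks at local pixel correlations rather than the global histogram alone.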

Stego Tools

There is a variety of tools for steganography. Here is a sample of a few.
- Hide in Picture (Win) - allows you to embed a file into a GIF or BMP image and lets you set a password to retrieve the hidden file.
- wbStego (Win) - allows you to embed files into PDF, HTML, or bitmaps.
- mp3Stego (Win) - allows you to embed files into MP3s.
- PictEncrypt (Mac) - adds text to GIF, JPEG, TIFF, PNG, and MacPICT images.

More tools and tutorials.

I am attending what turns out to be a wonderful conference so far, "Emerging Trends in Information Security and the Law: Plausible Deniability is Dead" organized by Georgetown CLE. The opening by Paul Kurtz of the Cyber Security Alliance was interesting and set the table for the conference - what information security legal frameworks are out there and what should companies do to protect themselves.

Thomas Smedinghoff of Wildman Harrold went through a great overview of the new developments and trends in the law of information security. It was interesting to see how the playing field is shifting from approaching information security and security breaches reactively to adopting security measures and proactively seeking to protect an organization from liability in case of a breach. Also, the balance between the increased push by law enforcement for more data retention (for counter-terrorism, preventing online child abuse, etc.) on one hand and the security issues on the other is becoming very tricky. Many organizations find themselves under an affirmative duty to protect a piece of sensitive information they have, and at the same time there are requirements to preserve more.

Evidentiary Issues

An interesting case related to affirmative duties to properly protect information (especially within the litigation context) is American Express v. Vinhnee, 9th Cir. (2005). In this case, American Express sought to prevent Vinhnee’s debts’ cancellation under bankruptcy proceeding. During a hearing in front of the Bankruptcy Court, American Express brought an expert witness who introduced American Express computer records collected within the regular course of business about Vinhnee’s financial affairs. Vinhnee did not attend the proceeding and the court, after hearing AmEx’s witness, declined to admit the records under the business records exception to the hearsay rule because AmEx’s lawyers could not prove that the information was properly secured.

Although this is one of the rare cases where a party goes to court, unopposed, and still manages to lose, the holding is important in another way: it shows that you need to show not only that business records were collected and kept in the regular course of business, but also that they were properly secured. Granted, a corporation such as AmEx would most likely (we all hope) have proper security mechanisms, and as long as its lawyers are on notice that they need to present evidence of them to the court, things should be OK. However, litigants who know that their records are not properly secured may need to do more if they want to prevail in court.

August 17th, 2006 by dm Authentication, Hacking none Comments

A recent (Aug. 1) holding from the U.S. District Court for the Middle District of Florida says that an employee who copies computer files prior to departing for a rival firm has not "exceed[ed] authorized access" as that key phrase is defined under the Computer Fraud and Abuse Act (CFAA). The court granted the defendant Speed’s motion to dismiss the complaint, but gave Lockheed leave to amend. Lockheed Martin Corp. v. Speed, M.D. Fla., Case No. 6:05-cv-1580, 8/1/06. Opinion here.

"Exceed Authorization" Background

Under CFAA, a party accessing a computer (as it is broadly defined) without "authorization" gives rise to criminal and civil liability. Section 1030(a)(4) makes it a violation to knowingly, and with intent to defraud, access a protected computer "without authorization" or "exceed[] authorized access" to commit fraud and obtain something of value.

Many civil cases have been filed under CFAA, generally in the employment or trade secret misappropriation contexts, where an employee has copied valuable company information before joining a new employer, usually a competitor. Judge Richard Posner of the Seventh Circuit in International Airport Centers LLC v. Citrin, 440 F.3d 420 (7th Cir. 2006), held that CFAA imposed liability on the premise that the employee’s authorization vanished once he breached a duty of loyalty to the employer. Presumably, this may be long before the employee is terminated, so the employee "exceeds authorization" whenever he or she takes substantial steps towards breaching the duty of loyalty to the original employer - e.g. contacting a competitor, etc.

Generally, "exceed authorization" under CFAA has been construed somewhat broadly (as Judge Posner’s case suggests) to cover access to information even when the employee, in computer security terms, has authorization to access the information.

Facts of the Case

Before their employer learned of their imminent departure, the departing employees used their access privileges to burn a stack of CDs with valuable company files for use in their new jobs. The employer, Lockheed Martin, alleged that the employees’ file-copying violated multiple subsections of the CFAA, and invoked the civil remedies provision of the CFAA.

Sea Change?

The August 1st Speed case may suggest a sea change, or at least a circuit split. The court held that because the access occurred while the employee still enjoyed access privileges to the company’s computer system, it cannot be said that the access "exceeds" the employee’s authority. This holding directly contradicts Judge Posner’s Citrin holding. Judge Presnell said that he "respectfully disagrees" with the Seventh Circuit because its decision "effectively turns the plain reading of the statutory definition of ‘exceeds authorized access’ on its head." He suggested that Judge Posner had "stretch[ed]" the meaning of "without authorization" to cover those who have access but act badly. "Congress did not so stipulate," Presnell wrote.

In addition, the court was worried that adopting Citrin could result in far-reaching CFAA liability for employees. For example, the Citrin theory might permit an employer to pursue a CFAA claim against employees who check personal e-mail accounts on company time, a minor offense over which to invoke a criminal statute, or to use such a claim as a bargaining chip in a complex employment dispute.

Good passwords are critical to good security, which usually keeps regulators, journalists, and plaintiff lawyers away. Do you know how long your password would stand up to a brute-force attack? You can check here.
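The arithmetic behind such a checker, as an added example that is not the linked site’s code: classify the characters a password uses, size the alphabet an exhaustive attacker would have to cover, and divide the resulting keyspace by a guess rate. The class sizes follow Python’s `string` module, the 1e9 guesses/second figure is an assumed offline rate (online login guessing is many orders of magnitude slower), and the model covers exhaustive search only; a wordlist attack finds "password" immediately regardless of what this estimate says.

```python
import math
import string

# Character classes an exhaustive attacker must cover. Symbol class follows
# string.punctuation (32 printable ASCII symbols); space counts as its own class.
CHARACTER_CLASSES = (
    ("lowercase", frozenset(string.ascii_lowercase)),
    ("uppercase", frozenset(string.ascii_uppercase)),
    ("digits", frozenset(string.digits)),
    ("symbols", frozenset(string.punctuation)),
    ("space", frozenset(" ")),
)

def alphabet_size(password: str) -> int:
    """Size of the union of every class the password touches; characters outside
    the known classes each add one (pessimistic, in the attacker's favour)."""
    size = 0
    leftover = set(password)
    for _, chars in CHARACTER_CLASSES:
        if leftover & chars:
            size += len(chars)
            leftover -= chars
    return size + len(leftover)

def keyspace(password: str) -> int:
    """Candidates an attacker who already knows the length and alphabet must try."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure for random passwords."""
    return len(password) * math.log2(alphabet_size(password))

def crack_time_seconds(password: str, guesses_per_second: float, average: bool = False) -> float:
    """Worst case (whole keyspace) or average case (half of it) at a fixed guess rate."""
    n = keyspace(password)
    return (n / 2 if average else n) / guesses_per_second

def humanize(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds

if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate against a fast, unsalted hash
    for pw in ("password", "Passw0rd!", "correct horse battery staple"):
        print("%-30s alphabet=%3d  %.1f bits  worst case %s"
              % (pw, alphabet_size(pw), entropy_bits(pw), humanize(crack_time_seconds(pw, RATE))))
```

Length dominates: the 28-character lowercase phrase scores far higher than the 9-character mixed one, which is the practical argument for passphrases over symbol-substitution rules.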

October 3rd, 2005 by dm Authentication none Comments

It may be obvious to many, but it is worth repeating. Follow the 10 steps to a secure wireless network and you will sleep (at least in theory) easier at night.

  1. Use encryption - chances are bad guys won’t bother breaking it.
  2. Use strong encryption - in case they are trying to break it, make it harder for them.
  3. Change the default admin password - avoid using ‘password’ as the password.
  4. Turn off SSID broadcasting - don’t ‘shout’ to everybody in the neighborhood "come and try me."
  5. Turn off WAP when not in use - do you leave your TV running when you are not at home?
  6. Change your default SSID - yes, there are at least 50 other ‘linksys’ stations around, and they are easier to find.
  7. Use MAC filtering - you give keys to your home only to trusted people - do the same with the wireless network.
  8. Isolate the wireless LAN from the rest of the network - why did you think Titanic sank? Create levels of protection.
  9. Control the wireless signal - unless you want to power the whole city, there is no need to use signal amplifiers.
  10. Transmit on a different frequency - this is why we haven’t intercepted the aliens yet.
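Steps 1, 2 and 6 are the ones that map directly onto an access point’s configuration, and they are also the easiest to audit automatically. As an added example (not from the ZDNet article), here is a small checker over two constructed hostapd.conf fragments: a weak one that still uses WEP and the default ‘linksys’ SSID, and a hardened one using WPA2 with CCMP. The option names (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wep_key0`, `wpa_passphrase`) are real hostapd options; the list of "default" SSIDs and the 20-character passphrase minimum are assumptions of this example.

```python
# Constructed hostapd.conf fragments. The weak one fails steps 1/2 (WEP) and 6
# (default SSID); the hardened one uses WPA2 (RSN) with the CCMP cipher only.
WEAK_CONF = """\
interface=wlan0
ssid=linksys
hw_mode=g
channel=6
auth_algs=3
wep_default_key=0
wep_key0=abcde
"""

HARDENED_CONF = """\
interface=wlan0
ssid=acme-corp-guest-7f3a
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Example-Constructed-Passphrase-Change-Me-2024
"""

# Assumed list of vendor-default network names (step 6).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
MIN_PASSPHRASE_LEN = 20  # assumed local policy; hostapd itself only requires 8..63

def parse_hostapd(text: str) -> dict:
    """hostapd.conf is key=value, one per line, '#' comments; later keys win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(text: str) -> list:
    """Return human-readable findings keyed to the checklist steps above."""
    conf = parse_hostapd(text)
    findings = []
    uses_wep = any(k.startswith("wep_key") for k in conf)
    if uses_wep:
        findings.append("step 1/2: WEP key configured; WEP is broken, use wpa=2 with CCMP")
    wpa = conf.get("wpa")
    if wpa is None and not uses_wep:
        findings.append("step 1: no encryption configured (open network)")
    elif wpa in ("1", "3"):  # bit 1 = original WPA (TKIP era); 3 = mixed mode
        findings.append("step 2: wpa=%s still allows WPA1; set wpa=2" % wpa)
    pairwise = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in pairwise:
        findings.append("step 2: TKIP pairwise cipher enabled; use CCMP only")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("step 6: default SSID %r in use; choose a unique name" % conf["ssid"])
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("step 2: wpa_passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```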

Read the full text here - ZDNet UK.

More and more financial institutions are adopting two-factor authentication. In this case, BankWest has chosen to use an authentication token (a small device, in the user’s possession, that displays rapidly changing authentication codes) along with a password to authenticate its online customers.

The system is designed to provide customers with greater protection than that afforded by using static, reusable passwords. BankWest Business plans to distribute the free tokens to all customers by the end of 2005.

This is good news for the financial (and security) industry: two-factor authentication is likely to prevent individual account security breaches and eliminate the threat of phishing. Because the authentication code on the security token changes quickly, even if a phisher is able to trick a user into submitting his password plus token code, that authentication information will be "valid" only for the duration of the token code, which usually changes within seconds or a few minutes.

[Via ZDNet.com.au, Australia]

September 19th, 2005 by dm Authentication, Law & Policy none Comments

Yes, passwords in and of themselves are no longer an adequate measure of security (including typing on silent keyboards). But are they good enough for most uses?

Gartner analyst Jay Heiser is quoted by CNET as saying the increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. Speaking at the Gartner IT Security Summit in London, Heiser also said users respond by forgetting passwords, or writing them down, which can compromise security in a different way.

So what is the solution? It depends on the requirements of the organization. For example, a password is more than enough security to log in to a bulletin board website, while simple password authentication is quite inadequate for online banking. A sliding-scale approach is best, as demonstrated by attempts by institutions such as Bank of America to create two-factor authentication using its SiteKey system.

However, such new approaches to security would be prohibitively expensive for smaller organizations, so the security of your private data is only as strong as the weakest link. Even if Bank of America spends millions of dollars on a new authentication system and millions more on revamping its procedures to protect your personal information, it could be your dry cleaner or your university that compromises your entire personal information.

[Via SAP INFO, Germany]

September 15th, 2005 by dm Authentication, Vulnerabilities none Comments

It is common practice for some security-conscious users to look around and make sure nobody is watching their fingers when they enter their password into a computer. Things are changing now, with UC Berkeley researchers claiming that a password can be guessed by recording and analysing the clicking sounds of a keyboard as a sequence of keys is pressed.

The researchers were able to take several 10-minute sound recordings of users typing at a keyboard, feed the audio into a computer, and use an algorithm to recover up to 96 percent of the characters entered.

Apparently this technique is successful because each key makes a distinct sound when hit (does it really? they all sound the same to me), and users, who typically type about 300 characters a minute, leave enough time between keystrokes for a computer to isolate the individual sounds.

So what is the solution? Sweep your office for "password bugs" listening to your key entries? Play loud music when entering sensitive information into the computer? Use a mouse to "click-enter" sensitive information, however difficult that might be? The bad news is that "quiet" keyboards are not immune to this, and that no special technology was needed: a $10 microphone was sufficient.


What is the good news then? Well, the system is not all that accurate, at least initially, but that is likely to change. The first pass is right about 60 percent of the time for characters and 20 percent of the time for entire words. The transcript is then run through spelling and grammar checks, which increased character accuracy to 70 percent and word accuracy to 50 percent. The results are then fed back through the computer to refine future results. After three feedback cycles, the accuracy rate rose to 88 percent for words and 96 percent for characters.


Enter a new computer crime - "click-hacking."

[Via News.com]
