Category: Security

Physical security, locks, etc

Has your email been hacked?

If you suspect someone else is reading your emails you normally change your password immediately and figure out how they were able to access your account.

lens If you’re curious then the following information could interest you 😉

There’s a free online service called OneStatFree that can be used as a tripwire to detect access to your emails. It will tell the time and day your email was opened (by someone other than you), the country it was access from, the IP address and possibly more information (such as city) depending on the actual network used.

The way it works is you create a special email and send it to yourself. You never open this email yourself and if someone else does it will instantly send some information to the OneStatFree service, which you then check at a later date.

Full instructions are provided here, it should be fairly easy for most people to follow.

Just keep in mind that if someone is indeed reading your emails this trick won’t stop them. So think carefully if you want to continue compromising your email while you investigate the culprit, or take immediate action and change your password.

Trust Encryption Device (TED)

Australia’s CSIRO has developed a security device for online banking. It’s like a flash drive and contains a virtual computer environment which makes applications like online banking more secure.

However there’s a lot of doubt in the security world. You still need to plug it into a computer for it to start up, and you don’t always know what’s on the computer. Malware could still take screenshots and send them off to some unknown person on the other side of the world, and there’s little explanation on how it’s meant to avoid being tampered with.

It’s a technology to keep a watch on for the future. Full article here.

Encrypted external hard drive isn’t

A new external hard drive claims to use hardware data encryption using 128 bit AES. The case is a 2.5″ Easy Nova Data Box PRO-25UE RFID hard drive case by German vendor Drecom.

drecom drive In the security world AES is a recognised and trusted encryption protocol, so at first glance this external hard drive enclosure seems useful for transporting data outside the office or home.

However on closer inspection the drive uses a chipset from INNMAX, the IM7206, believing it provided AES encryption to data. INNMAX’s marketing strongly implies that AES encryption is being used for data on disk.

When questioned, INNMAX said:

The IN7206 merely uses AES encryption when saving the RFID chip’s ID in the controller’s flash memory. The company explained that actual data encryption is based on a proprietary algorithm. The company claims the IM7206 only offers basic protection and is designed for “general purpose” users.

In fact they’re using a security known as XOR, which is as secure as writing “do not read” on an envelope. Anyone with a basic understanding of programming can decode it in minutes.

It’s a case of marketing people not really understanding the technology and using buzzwords to sell products.

If you need to transport lots of data on portable hard drives then you should encrypt the disk using some encryption software, such as the ones mentioned in our previous article.

Free Online Health Check from F-Secure

F-Secure is a security software company that has been making good products for a long time. They have published a new tool that scans your computer for vulnerabilities and provides a report on what programs you need to update.

The application runs inside Internet Explorer and requires Window XP or Vista. Try it out here, http://support.f-secure.com/enu/home/onlineservices/fshc.shtml

Note that this doesn’t replace anti-virus software. It only checks which programs on your computer are vulnerable to attacks and need to be updated.

Online Tax Returns In The UK

Doing your income tax returns online is fairly common these days. In the UK there are more than 3 million people that file their tax return online.

UK’s tax department, HM Revenue and Customs, is a little unclear on how secure this is. They’re providing an online service that be default should be secure.

dollar signBut they’ve recently barred high profile people, including MPs, celebrities and the Royal Family, from using the same online system for security reasons.

If the system’s security isn’t good enough for high profile people then it shouldn’t be good enough for anybody. This can be taken as an admission that their security isn’t quite good enough to use.

Whole Disk Encryption

briefcase lockIf you carry a notebook outside of your home or office then Whole Disk Encryption is a technology you should be interested in. It’s also called Full Disk Encryption. First let’s identify the problem.

Most people who carry notebook computers (laptops) keep sensitive files on the machine’s drive. Business documents, business databases, contact lists, emails, chat logs, password lists, etc. The most common situation is someone carrying confidential documents on the computer.

If the notebook is lost or stolen then whoever holds the notebook computer has access to the files. Login passwords aren’t enough to protect the documents, they’re easily recovered by anyone.

A more worrying trend is for international business travellers who carry confidential data on their notebooks. passportThere have been many instances of airport customs staff not only inspecting the notebook for banned items but they’re now looking in the notebook’s hard drive and looking through any documents stored there. Their excuse is that they have to search for anything that’s a threat to national security. Irrespective of why they’re doing this the point is that someone else can gain access to your files at airports. Read this article for an example. And for examples of lost or stolen notebooks see here.

Most large companies are now telling their staff to wipe all documents off notebook computers before travelling. This is excellent advice.

Another solution is to use whole disk encryption. This is a software technology that encodes the entire drive so that it’s unreadable without a password. At present this technology is rarely used on notebooks.

Advantages:

  • It’s not possible for someone to extract files from a lost or stolen notebook computer
  • You don’t have to remember to turn it on or to prepare anything before you leave home or the office. It’s always enabled

Disadvantages:

  • Not all encryption programs are free (read below for some good news on free software)
  • It slows down the computer
  • You have to enter another password before using the computer
  • It doesn’t protect you from malware (trojans etc). You still need a good antivirus system
  • You must have a backup of all your data at home or at the office. If something goes wrong with the computer then there’s no way to recover the data without a backup
  • Security is only as good as your password. If you use your car number plate or some other easy to guess password then it’s not really secure. You need to use a good password.

notebook in the park So with more disadvantages than advantages you’re probably put off. It depends how valuable your files are. If you’re a lawyer carrying around all your client’s documents then your files are probably quite valuable, and you should be doing everything in your power to stop strangers getting at them.

How does it work?

The technical explanations are beyond the scope of this article. It’s enough to know that it encrypts all of the drive. Older encryption programs encrypt some files only and smart hackers can usually recover all or part of documents. Therefore the “whole disk” part of the encryption program is important. The disk is completely unreadable and unusable without the password.

What whole disk encryption programs are available?

Recently there has been some progress on this and there are now good free versions including ones for Mac notebooks, as well as commercial solutions.

Free Windows Solutions:

There are quite a few solutions, below are the more popular ones available today.

  • BitLocker – it comes with Windows Vista Enterprise, Windows Vista Ultimate, and Windows Server 2008
  • TrueCrypt – a popular open source solution (see notes below). Available for Windows, Mac and Linux.

Commercial Solutions:

Below are low cost commercial solutions. There are many expensive enterprise level solutions not listed here.

  • PGP – This program has been around for a very long time and is trusted by many people and companies. On the 13th Feb 2008 a version was also made for Apple Macs.

Summary

If you take your computer outside of a secure environment (home, office, etc) and you have anything on there you wouldn’t like others to have then whole disk encryption is a must.

As for airport customs and other law enforcement agencies, a lot of countries have laws making it possible for them to demand your password. So while you can keep random strangers from reading your data it’s really up to you how you comply with legal requests to hand over data. At least you have a choice.

Notes:

Open Source: in security it’s often a good thing to make programs or algorithms open source. It enables the programming community or security community to review the code and find any possible bugs as quickly as possible. It’s also a form of full disclosure. With commercial solutions you have to trust a company that they didn’t include a backdoor for whatever reason. With open source solutions everything’s exposed for public review.

Happy Valentine’s Day

With all the virus infected emails being sent with Valentine’s Day themes now’s a good time to remind you not to save or run anything just because it asks you to. Especially if the filename ends with .exe

Some examples of what not to run, download or save:

  • valentine.exe
  • sony.exe
  • shift.exe

And recall our earlier warning on Valentine’s Day malware.

Apart from this, have a great Valentine’s Day 🙂

heart_wood

Extreme Protection – Disabling ActiveX

Quite a few problems with malware come from malicious bits of code hidden in what’s known as ActiveX controls. Some web sites use this feature to add functionality. Other web sites hide malicious code inside ActiveX controls that can take control of your computer. You can’t really tell good ActiveX controls from bad ones.

One way to deal with suspicious ActiveX controls and to increase the security of your computer is to completely disable ActiveX for all sites. It’s an extreme measure and the downside is that some websites will no longer work.

To disable ActiveX:

  • Start up Internet Explorer (if you haven’t already)
  • Look on the bottom right corner for the word Internet, double click on it internet
  • Highlight "Internet"
  • Set the security level to High
  • Click OK
  • See this screenshot:
    security-high

Some web sites this will affect are Facebook and MySpace. This is a good thing because Facebook and MySpace will publish ActiveX code written by unknown people. Even if you lose some functionality it’s a good thing to block code from people you don’t trust (and that the Facebook or MySpace companies don’t really trust).

If you come across a legitimate web site that no longer works because of this change, such as your bank’s web site, you need to decide if you trust them. In the case of a bank then you most probably do trust them and you can add them as an exemption.

Follow these steps (after the previous steps) to exempt an important web site that you trust:

  • Open the web page you want to allow to allow ActiveX code
  • Highlight the address and copy it (Control C, or right click and select Copy).
    E.g.  address
  • On the bottom right corner of Internet Explorer you’ll see the word "Internet". Double click on this. internet
  • Click on the "Trusted Sites" icon (large green tick)
  • Click on the Sites button
    trusted
  • Paste the address you copied (it might already be here)
  • Uncheck the option called "Require server verification (https:)"
  • Click Add
    trustedsites
  • Click Close, then OK again

Be wary of what pages or sites you’re exempting. What you’re in effect doing is trusting the author of any code found on that sites. Social sites such as Facebook and MySpace allow anyone to publish code, and this makes it a playground for writers of malicious code.

As stated at the beginning of this article, it’s an extreme measure that will increase the security of Internet Explorer. Increasing security always decreases convenience and these days with so many talented people out there trying to steal money online it’s definitely worth considering.

Another fake anti spyware site

All these fake sites and applications are becoming a bigger problem. The latest is called removal-tool . com (warning, do not try going to this site). It appears to be a collection of spyware removal tools except that it actually tries to install quite a few different bits of malware on your computer. It’s a malicious web page in disguise.

wolf The web site looks nice, contains a blog, a news section, and reviews. The authors went to some effort to make it look convincing. Most of the links on the site even work. It would be difficult to tell that this site will compromise your computer.

Good anti virus software these days has the option to filter all web pages and they stop most of these sites before your web browser starts loading them. It’s a good investment.

Another technique to avoid these traps is to use a less popular web browser such as Firefox or Opera, or to use a less popular operating system such as Mac OS or Linux.

At the moment the majority of malicious code is designed to target Windows and Internet Explorer. That’s not to say that other systems are immune, malware is just less common on them.