Tag Archive for Security

Internet of Things

Once upon a time, “using the Internet” always meant using a computer. Today getting on the intertubes is an expected feature for many devices. The next digital frontier is the physical world, where the “Internet of Things” will bring online ability to objects.

Twine Sensor Connects Household Objects to the Internet

Tested.com notes a Kickstarter project from two MIT Media Lab alums who developed a way to make the Internet of Things more available. A small, durable “Twine” sensor listens to its environment and reports back over Wi-Fi. The creators hope their new product will let regular users, even those without programming knowledge, digitally manage their surroundings.

A basic Twine unit senses temperature and motion, but other options like moisture detection, a magnetic switch, and more can be added using a breakout board. The various sensors and built-in Wi-Fi can be powered by either a mini-USB connection or two AAA batteries, which will keep it running for months. Twine readings get wirelessly loaded into the appropriately named Spool web app, where users can set simple if-then triggers that create SMS messages, tweets, emails, or specially configured HTTP requests.

A donation of $99 or more will get you a basic unit when they ship in March.

THE SMART FRRRIDGE. Chilly Forecast for Internet Frrridge

The Smart Frrridge is a new version of the familiar kitchen apparatus. According to Medienturn, the new fridge comes with a built-in computer that can be connected to the internet. It is one of a growing class known as “internet appliances” that include not only smart phones, but also web-enabled versions of typical household appliances.

The refrigerator keeps an eye on the food in it by using RFID technology, a digital camera and image processing. These technologies allow the fridge to keep track of what's in it, how long it has been there, and whether it should be trashed.

To keep in contact with the Smart Frrridge all you have to do is to pick up your mobile phone and call. It will be able to suggest a menu that uses the foods inside, and generate a shopping list of the missing ingredients and place the order online.

The Smart Frrridge can also be used to watch television, listen to music, take a photograph, save it to an album, post it to a website, or send it to an email recipient. The fridge comes with a docking station, so you can just dock your Apple (AAPL) iPod or iPhone and start using all your favorite cooking apps.

SCADA: How Big a Threat?

There are reports of two recent cyber attacks on critical infrastructure in the US. Threatpost says the hacker who compromised the water infrastructure for South Houston, TX, said the district used a three-letter password, making it easy to break in.

There are also reports that a cyber attack destroyed a water pump belonging to a Springfield, IL water utility. There are mixed reports that an attacker gained unauthorized access to that company’s industrial control system.

According to DailyWireless, Supervisory Control And Data Acquisition (SCADA) software monitors and controls various industrial processes, some of which are considered critical infrastructure.

Researchers have warned about attacks on critical infrastructure for some time, but warnings became reality after a highly complicated computer worm, Stuxnet, attacked and destroyed centrifuges at a uranium enrichment facility in Iran.

German cybersecurity expert Ralph Langner found Stuxnet, the most advanced worm he had ever seen. The cybersecurity expert warns that U.S. utility companies are not ready to deal with the threat.

In a TED Talk Langner stated that, “The leading force behind Stuxnet is the cyber superpower – there is only one; and that’s the United States.”

In a recent speech at the Brookings Institution, he also made the bigger point that having developed Stuxnet as a computer weapon, the United States has in effect introduced it into the world’s cyber-arsenal.

New NIST Report Sheds Some Light On Security Of The Smart Grid

DarkReading reports the National Institute of Standards and Technology (NIST) released a report (PDF) by the Cyber Security Coordination Task Group. The report from the Task Group, which heads up the security strategy and architecture for the nation’s smart power grid, includes risk assessment, security priorities, as well as privacy issues.

The smart grid makes the electrical power grid a two-way flow of data and electricity, which allows consumers to remotely monitor their power usage in real-time to help conserve energy and save money. DarkReading says researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who found multiple vulnerabilities in smart meters, including devices that neither use encryption nor authenticate users when updating software. He was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Tony Flick, a smart grid expert with FYRM Associates, at Black Hat USA talked (PDF) about his worries over utilities “self-policing” their implementations of the security framework. “This is history repeating itself,” Mr. Flick said in an interview with DarkReading.

According to DarkReading, the report recommends smart grid vendors carry out some pretty basic security practices:

  • Audit personally identifiable information (PII) data access and changes;
  • Specify the purpose for collecting, using, retaining, and sharing PII;
  • Collect only PII data that’s needed;
  • Anonymize PII data where possible and keep it only as long as necessary;
  • Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks;
  • Network perimeter devices should filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial-of-service attacks;
  • The AMI system should use redundancy or excess capacity to reduce the impact of a DoS;
  • AMI components accessible to the public must be in separate subnetworks with separate physical network interfaces;
  • The AMI system shall deny network traffic by default and allow network traffic by exception;
  • Consumers’ access to smart grid meters should be limited. Authorization and access levels need to be carefully considered.

How-secure-is-my-password Tells You

The former DownloadSquad points out howsecureismypassword.net. How secure is my password is basically like a full-screen version of one of those password-strength meters websites sometimes use. But instead of showing you a bar going from “weak” to “strong”, it shows you an estimation of how long your password would take to crack. That’s a much more visceral way to understand why your password is strong.

rb-

How secure is my password helps make password best practices meaningful.

For example, when I entered “Detroit”, it came back with “your password is one of the 1090 most common passwords. It could be cracked almost instantly.” “D3troit!” would take 57 days, and “!D3tro1tM!” would take 928 years to crack.

Password best practices include using:

8 or more characters, not forming a dictionary word, including capital letters, digits, and a symbol or two.
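To show how a crack-time estimate of this kind can be produced, here is an added example (not code from howsecureismypassword.net or from this post). The guess rate, the common-password list and the pool sizes are assumptions, so its figures will differ from the ones the site reported.

```python
import string

GUESSES_PER_SECOND = 10_000_000_000  # assumption: constructed offline guess rate
# Constructed stand-in for a real list of the most common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "detroit"}
# (characters in the class, symbols the class adds to the attacker's search pool)
CLASSES = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
           (string.digits, 10), (string.punctuation, 32)]
OTHER_POOL = 128  # assumption: spaces and non-ASCII count as one extra class
UNITS = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600),
         ("minutes", 60), ("seconds", 1)]


def pool_size(password):
    """Alphabet size a brute-force search must cover for the classes used."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    known = "".join(chars for chars, _ in CLASSES)
    if any(c not in known for c in password):
        size += OTHER_POOL
    return size


def seconds_to_crack(password, rate=GUESSES_PER_SECOND):
    """Average brute-force time; a dictionary hit overrides length and classes."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    # On average half of the search space is tried before the match.
    return pool_size(password) ** len(password) / 2 / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    if seconds < 1:
        return "almost instantly"
    for name, length in UNITS:
        if seconds >= length:
            return f"{seconds / length:,.0f} {name}"


if __name__ == "__main__":
    for pw in ("Detroit", "D3troit!", "!D3tro1tM!"):
        print(f"{pw!r}: pool={pool_size(pw)}, {humanize(seconds_to_crack(pw))}")
```

The brute-force figure is an upper bound: predictable substitutions such as “3” for “e” are covered by cracking rule sets long before the full search space is exhausted.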

Tablet Security Tips

ICSA Labs suggests a series of security tips for users of smartphones, tablets and apps, Help Net Security reports.

1. Only buy apps from recognized app stores. Apps from unofficial third-party stores and applications downloaded from peer-to-peer sites are much more likely to contain malware than apps sanctioned by official vendor stores such as the Android App Market or Apple App Store.

2. Think twice about accepting “permissions.” Most applications, legitimate as well as malicious ones, need users to accept several “permissions” before the apps are installed. Check carefully to be sure that the app comes from a legitimate source. I wrote about mobile phones leaking data previously.

3. Monitor bills for irregular charges. If attackers gain access to personal information stored on the mobile device, they can quickly rack up charges by sending “silent” text messages to high-priced call services. For example, if the Google (GOOG) Android Trojan GGTracker is inadvertently installed on a device, it can sign up users, without their knowledge, for premium text messaging services.

4. Employ security policies to protect employer-issued devices. Employers should enforce password-based access and require voice mail codes so that only authorized users can get access to data on employer-issued devices.

5. Be mindful that more and more employees bring their personal devices to work. Companies must have security systems and policies in place to safeguard their business environment and prevent access to company networks from employees’ personal devices. I wrote about BYOT here.

6. Remember that mobile devices are tiny handheld PCs. Many security threats that apply to traditional computers also apply to mobile devices, such as smartphones and tablets, and consumers should take necessary measures to protect themselves. One way to do this is to install anti-malware software on mobile devices and enable VPN functionality.

7. Protect your mobile phone password and voicemail PIN. If your mobile phone does not have a password, add one that is at least six digits. Try to choose a unique password that is not already used across other systems and accounts. Do not use repeating digits in passwords or voice mail pins. Remember that your provider will never request your voice mail pin, so do not be tempted to give it to anyone who requests it.

Arbor Networks Adds 20 New Mich Jobs

Ann Arbor.com reports that information technology security firm Arbor Networks promises to add 20 new jobs to its Ann Arbor R&D operations. In exchange, the Ann Arbor City Council unanimously agreed to give Arbor Networks a five-year abatement on $883,527 in real property improvements and $7.8 million in new personal property and equipment.

The tax break for the University of Michigan spin-off runs through Dec. 31, 2016. As part of the agreement, Arbor Networks will be required to add no less than 20 jobs by Dec. 31, 2013. The city’s administration recommended approval of the latest tax break, calling the attraction and retention of Arbor Networks’ operation consistent with the city’s economic growth objectives.

“The digital information business is continually changing with new and faster technology and Arbor Networks needs new test equipment and digital equipment, with anticipation of 20 new employees resulting to this facility,” City Assessor David Petrak wrote in a memo to council members.

Paul Krutko, president and CEO of the economic development group Ann Arbor SPARK, also supported the action in a statement: “Attracting and retaining Arbor Networks in the Ann Arbor region is reflective of Ann Arbor SPARK’s work to help IT businesses grow in the region.”

Arbor Networks is a leading provider of network security and management solutions for next-generation data centers and carrier networks, including the majority of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer networks, businesses and brands.

rb-

The Michigan techie jobs story keeps growing and maybe I was wrong about Arbor Networks abandoning Michigan.

The information technology security firm will receive a five-year abatement on $883,527 in real property improvements and $7.8 million in new personal property and equipment.

Copier Security Best Practices

Multi-function printers (MFPs) can scan, copy, fax and print; now they can also send email, host web-based administrative pages, and even tell you when the ink is low. While doing all that, MFPs can store image files on on-board hard drives, which can contain sensitive personally identifiable information (PII). Compliance with standards and laws such as PCI-DSS, HIPAA, Sarbanes-Oxley, or state privacy laws may force MFPs to be secured.

SecureState suggests some general questions to ask when trying to understand the criticality of these systems and to show some due diligence:

• Are these devices accessible on the network? If so, how is “Administrative” access controlled?
• How long are the image files retained on these systems?
• If the device is compromised, can the attackers actually capture sensitive data?
• If a hard drive fails, does the replacement process follow the normal standard for securely destroying the disk?
• What are some of the services enabled on these devices? Is there an administrative website, SNMP client, or SMTP server? How about the accounts and passwords of the administrative websites; are they set to default accounts and passwords?

SecureState says that if you answered “No” or “I don’t know” to these questions, some of the issues more than likely need to be addressed.

Just like any network appliance, MFPs and other print devices are small computers that have memory, storage, processors, an operating system, full-fledged web servers and are connected to the network. These devices can hold sensitive information. Before that old printer is finally decommissioned, make sure that the hard drive is securely wiped. If the existing device does not have advanced security options such as disk encryption or immediately overwriting data, the hard drive should be removed and securely wiped or destroyed separately before being decommissioned.

Recommended best practices for multifunction printers and copiers with disk drives:

  • Review vendor security configuration guides
  • Develop a standard configuration and check regularly
  • Enable immediate image overwrite and schedule regular off-hours overwrite (DoD 3 pass)
  • Enable encryption (minimum 128-bit AES)
  • If network-enabled, use network encryption and secure protocols such as IPSec, SSL, SNMPv3
  • Regularly review vendor security bulletins
  • Enable authentication and authorization (if possible, use network credentials)
  • Change admin password regularly
  • Enable audit log and review periodically
  • Treat network-enabled devices like any other computer on the network
  • Purchase a device which has an EAL2 Common Criteria certification

If the device processes restricted data, it MUST have encryption and image overwrite. For devices which process restricted data but do not have the necessary security features:

  • If possible, buy the necessary security modules and enable the features.
  • If security features cannot be purchased or enabled, replace the device as soon as is appropriate and have the hard drive removed and destroyed.
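One way to “develop a standard configuration and check regularly” is to run a device inventory against the checklist above, including the restricted-data rule. This is an added example, not a vendor or SecureState tool; the inventory fields and device names are hypothetical and the sample records are constructed.

```python
# Hypothetical inventory schema; real values would come from each device's
# admin export. All records below are constructed sample data.
INVENTORY = [
    {"name": "mfp-lobby", "restricted_data": False, "networked": True,
     "aes_bits": 256, "image_overwrite": True, "snmp_version": 3,
     "default_admin_password": False, "audit_log": True, "module_available": True},
    {"name": "mfp-hr", "restricted_data": True, "networked": True,
     "aes_bits": 0, "image_overwrite": False, "snmp_version": 1,
     "default_admin_password": True, "audit_log": False, "module_available": True},
    {"name": "mfp-legacy", "restricted_data": True, "networked": False,
     "aes_bits": 0, "image_overwrite": True, "snmp_version": 0,
     "default_admin_password": False, "audit_log": True, "module_available": False},
]


def audit(device):
    """Compare one device record with the baseline and pick a remediation."""
    findings = []
    encrypted = device["aes_bits"] >= 128          # minimum 128-bit AES
    overwrites = device["image_overwrite"]
    if not encrypted:
        findings.append("disk encryption missing or below 128-bit AES")
    if not overwrites:
        findings.append("immediate image overwrite disabled")
    if device["networked"]:
        # Treat network-enabled devices like any other computer on the network.
        if device["snmp_version"] < 3:
            findings.append("SNMP older than v3 in use")
        if device["default_admin_password"]:
            findings.append("default admin password still set")
    if not device["audit_log"]:
        findings.append("audit log disabled")

    action = "fix configuration" if findings else "none"
    # Restricted data MUST have encryption and image overwrite.
    if device["restricted_data"] and not (encrypted and overwrites):
        action = ("buy and enable security module" if device["module_available"]
                  else "replace device; remove and destroy hard drive")
    return {"name": device["name"], "findings": findings, "action": action}


def audit_all(inventory):
    return [audit(d) for d in inventory]


if __name__ == "__main__":
    for result in audit_all(INVENTORY):
        print(result["name"], "->", result["action"], result["findings"])
```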

By Vendor

Xerox – Newer Xerox (XRX) devices come with security features that often have to be turned on. See the Xerox Information Security Guides for more info.

Ricoh – Security options for Ricoh (7752) devices have to be purchased separately. See the Ricoh Common Security Features Guide (PDF) for more info.

Canon – Security options for Canon (CAJ) devices have to be purchased separately. See Canon Security Solutions for iR and iP Devices (PDF) for more info.

HP – All HP (HPQ) multifunction printers have hard drives.

  • There is a disk-wipe utility for all MFPs.
  • This utility is not installed by default and has to be downloaded from HP.COM. The utility is protected by an admin account and password.
  • The utility can be configured to do a printer disk wipe daily.
  • Some non-MFP HP printers may have hard drives. These printers will have an occupied EIO card (with resident hard drive) in the slot next to the network card. This EIO card should be physically evident by viewing the printer external case.
  • Third-party disk-wipe utilities cannot be used against HP MFP hard drives without removing the drive from the card – which is likely to cause damage to the card and, possibly, the hard drive.
  • Non-MFPs with hard drives are somewhat rare and may be purchased for special purposes.
  • Non-MFPs with hard drives and network connections can be remotely disk wiped. Non-MFPs with a hard drive but without a network connection need to be handled by HP.
  • For leased HP printers, the agreements should include a defective media retention provision that permits the lessor to keep the hard drive before releasing the printer.
  • The WebJetAdmin tool, downloadable from HP.COM, can scan a network subnet and identify HP printers (and non-HP printers if the tool has a MIB for the non-HP printer).

All they focused on was the costs; they did not ask any of the due diligence questions pointed out in this post. They had no plans on having the HDD’s on the 12 networked copy/scan/print Ricoh’s wiped. It is pretty clear that all the info on the HDD’s was bound for South America or else were on the secondary market, as I wrote about here.