Practicing good information security means more than just turning on a box or installing software and assuming your business is in the clear. Educating the workforce is a great way to practice good security. Another method (and the purpose of today’s post) is periodic testing of equipment and systems to ensure that they are truly protecting your information. Penetration testing is exactly that -  testing your implementation for holes and gaps that could potentially lead to compromise of your business information.

David Maynor, makes a good point in his article about zero-day penetration testing. New attacks appear daily and without warning (known as zero-day attacks). Many times, the technology itself can’t protect against these type of attacks, and they are the most dangerous. Penetration testing looks for these types of vulnerabilities in your systems, and allows us to set up generalized mitigation techniques that will go “above and beyond” the technology itself to secure your business resources. Even though it is difficult to anticipate specific attacks, a good security professional is aware of new issues associated with specific technologies, and can employ measures such as better configuration, education and patching to strengthen the system.

At Etnacom, we have nearly 10 years of experience in all realms of information technology (industry, government and academic) that allow us to test the security of technologies that reside within your organization. We have the tools, knowledge and manpower to assist you in keeping your most vital business resources safe from outside threats.

Spanair 5022 (from Wikipedia)

It has been over 2 years since Spanair Flight 5022 crashed, killing 154 people. MSNBC recently released this article, which mentions that undetected malware could be to blame. As the world becomes more technology dependent, we need to take more steps to ensure safety. It is simply not responsible to allow systems to be interconnected without putting appropriate safeguards in place.

This incident is emerging proof that we live in a world where security sensors and checks on computer systems could mean the difference between life and death. Even in a perfect world (without malware and threats) we would still need to worry about human error and software malfunction.

Can we stop all malware? No. But we can take steps to minimize the impact of malware and reduce risk wherever possible. Monitors and machines that support life or even affect life are obviously those with the highest risk and should operate under the most stringent integrity checks.

In this particular case, the medium with the malevolent payload was a USB thumb-drive. This form of removable media could have been infected with malware, thus infecting the entire system. This leads us to ask: What are the security policies in place at this airline? What are the security policies at any establishment where lives are at risk?

This is a great time to reflect back on the nature of your own organization and think about the systems that you are running. Does your computer network handle systems that could harm others? Does it hold private or confidential data about your company or more importantly, your customers? If so, it might be wise to consider the risks associated with introducing foreign media onto the network.

MD5 Hashes Explained

For those of you that know what an MD5 hash is, feel free to skip this section. Otherwise, read on. An MD5 hash in simplest terms is a digital “footprint” of a piece of data. That data could be a message, a computer program, a music file, or anything else that occupies data storage. It doesn’t matter how large the file is – an MD-5 hash is usually 128 bits. An algorithm creates a “hash” of the data (for more information on how a hash function works, take a look at thisWikipedia article). The most common application for a hash is to verify the integrity of a file – if you generate a hash, change the file, and then generate a new hash, the hashes will not match. This helps to determine if a file was changed either on purpose or by accident (such as being corrupted in a download). Another important fact is that a hash function is one-way – that means there is no way to recover the original data from the hash itself. The only way to see if a particular piece of data corresponds to the hash is to run the algorithm against the data you think the hash might be for and see if the algorithm yields the same output. Basically, brute force it, or guess and check.

In recent years, researchers found quite a few vulnerabilities in both the MD5 hash and SHA-1, another one-way hash function. These vulnerabilities could compromise the intent of the hash function and could theoretically allow someone to make changes to the file which are undetected by the hash function (in other words, the hash would stay the same after the change). The most secure implementation of the one-way hash at the moment is the SHA-2 algorithm, so if you’re looking for the best, use that.

Obviously, the hash function in the CYBERCOM logo is meant for decoration, and to get some attention. I guess it worked.

So, while there may be specific reasons for personally choosing to use Windows, Mac OS or some form of Unix/Linux, there aren’t many compelling reasons to adopt a standard approach for business. Choosing an environment and operating system depends on your personal preference and what your needs are; for example, designers tend to choose Mac OS due to their support for high-quality design applications and aesthetics, while software developers may prefer Linux due to high levels of customization and uniform compatibility.

Many businesses tend to think that all computers need to be of one specific type or platform. I have personally seen large businesses do this, and although I don’t agree with it I do understand the reasons (mostly cost and configuration issues). A small business usually doesn’t have these types of issues, and can actually be more robust and successful by having a mix of machine types and platforms (Etnacom is proof). A common misconception is that there might be extra configuration or specialized software needed during setup and operation. In reality most basic networking tasks (such as file sharing, instant messaging, e-mail and anything requiring a web browser) are platform-independent can be done natively on both platforms.Also, platform diversity actually enhances overall network security, since most worms and viruses propagate among machines of the same platform. By diversifying the network, it is much more difficult for malicious activity or an outage to completely halt operations.

At Etnacom, we embrace personal preference. I choose a Mac because of its roots in Unix. Paul has he his operational and managerial reasons for using both a PC running Windows and a second PC running Linux. Our wider range of knowledge allows us to better address our customers’ needs because between the two of us, we can work a wider variety of issues and capabilities across platforms.

What’s the sudden hype with Conficker?

The reason why this strain of the virus is so highly publicized in the news is because it was only recently discovered, and is also somewhat mysterious. The worm itself has already infected millions of machines on the Internet, but none of them are showing symptoms. This is because it isn’t supposed to “wake up” and start doing harm until April 1st.

The truth is, not much is known about what Conficker-C is supposed to to do its infected hosts once it awakens. Most speculate that it will give a remote attacker control of your computer to do harm. Most dangerously, the attacker can take control of your computer and many others all at once and use them to attack other computers. This is known as a botnet.

How do I know if I’m infected?

The easiest way to tell is to try to access one of these websites:

• http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
• http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
• http://www.mcafee.com

If your computer is infected, the virus will actually prevent you from viewing the site. In that case, you need to immediately take steps to remove it.

Websites with removal instructions:

• Microsoft - http://support.microsoft.com/kb/962007
• Symantec - http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

How to Prevent Infection

Infection can be easily prevented. First, ensure that Windows has the MS08-067 patch installed. It can be downloaded (both for XP and Vista) from Microsoft’s web site - http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Second, disable the autorun property. More instructions are available at http://www.us-cert.gov/cas/techalerts/TA09-020A.html

Third, it is reccomended that your computer have all of the latest software updates and your virus protection is up-to-date.

For More Help

More information regarding this virus is available from the US-CERT cyber alert database: http://www.us-cert.gov/cas/alerts/SA09-088A.html

If you require assistance with patching or removing the virus from your computer, please contact us or your computer administrator.

Secure Certificates Explained

Let’s look at this in a real-world scenario. Say you’re looking to buy a book on web design, and as such, you go to the king of online book retailers, Amazon.com. You select your book, add it to your cart, and click “check out”. You’re about to be taken to the part of the website that asks for your private information such as name, address and credit card number.

Once you arrive at this point, you’ll notice that some interesting things have happened in your browser. First, your address bar will show “https://…” instead of the normal “http://…”. The extra “s” denotes that we’re using the secure HTTP, or SSL protocol. You’ll also notice that somewhere in your browser, an icon of a padlock appears. This also signifies that you’re on a secure website. With most browsers, clicking the padlock will bring up the secure certificate details of that site.

So, what happened here? When you moved to the checkout portion of Amazon’s site, You connected to its secure website. In doing this, your web browser opened an encrypted connection to Amazon’s server, a process that prevents a malicious user from eavesdropping on the information you’re sending to Amazon, such as your credit card details. Once you’re connected, Amazon sends your browser its secure certificate, which is an electronic document proving its identity. Your computer verifies this document with a “trusted third party”, typically the company that Amazon bought their certificate from. Basically, this company is vouching for Amazon. Your browser is happy, and you proceed with buying your book.

Do I Need a Secure Certificate?

The quick answer is, it depends. If your website is purely informational and nobody is submitting data on it, you probably don’t need one. If visitors are submitting personal information to you, or if you’re running an online store, chances are that you need a secure certificate. Think about it this way: instead of typing in data on a website, someone is shouting the information to you on the streets of New York City, where hundreds may be listening. If you’re worried about others hearing that information, you need a secure certificate.

How Do I Purchase a Secure Certificate?

Many companies sell these services. We recommend VeriSign and GoDaddy. Both are extremely popular. Although GoDaddy’s certificates are priced significantly lower than VeriSign, there is barely any quality difference.

If you have any questions, or if you’re still not sure whether or not you need a secure certificate for your website, feel free to contact us. We’d be happy to help.