Why I wouldn’t swap hard drives on a laptop.

Dax0007 wrote in response to my point 14 (“Secure format/wipe hard disk, and replace with original disk. Repeat process.”) in 21 Things to do when quitting work:

“When taking over a company laptop I think it’s a good idea to just go out and buy another HD, HD kit for the laptop, & some restore CDs for that laptop.. then set up your new hard disk for personal use and when you do company work use your company hard disk.. you should be 100% safe to surf, download, and do what you want.. right????”

Maybe, Dax0007.  But swapping hard disk drives on a Lenovo Thinkpad is going to get awfully tiring fairly quickly.  The following three drawings from IBM illustrate how much of a process it is:
[Three IBM drawings of the T43 hard disk removal procedure]

(It used to take me 10 minutes to swap the disks on a T41 Thinkpad.)

If I still had a company laptop, I would

  • set a drive password on the hard drive
  • encrypt the hard disk drive with TrueCrypt.
  • also TrueCrypt encrypt any “backup” drives I used at/for work.

And I’d also remind myself that anything I do while connected to the corporate network is definitely not “safe” from scrutiny.

Your IT security threat is in the tent with you.

Most of the time (some people say 80%+), your IT security threat is in the tent with you, ie. someone who works for you.  Based on experiences at different workplaces, I’d have to agree.

First there was the ATM fraud, which I wrote about on Saturday.  The bank took people to court over that.  Unusual for banks, as they try to brush these things under the carpet.  The brushing under the carpet is due to the embarrassment and all.

Then there was the fuel scam.  A BMW Mini has a fuel tank capacity of 40 litres.  Now perhaps in an alternative universe, there is a BMW Mini with a 70 litre fuel tank.  Not in our universe.  So when someone used their fuel card to fill the work Mini and it took 70.4 litres, we thought WTF?

Finally, there was the case of the accounts payable clerk who thought no-one would notice the new Porsche 911 he drove into the car park one fine Tuesday morning.  Yes, a $230,000 car paid for on a $50,000 salary was noticed.

All these people were insiders and they had police criminal history checks.

Now when someone says to me, “we want all staff to give up their fingerprints for a police criminal history check”, my initial reply is “No.”

Followed by a prompt, “they’ll make little difference.” 

After all, other organisations have had the same experience.

Further reading:
Police check security over Einfeld interview (24 Sept 2010)
Confidential Police files found in Melbourne drug raid (29 Sept 2010)

Today’s security theater brought to you by Iron Mountain

We have some of those “secure document disposal” bins.  The older version used a latch with a padlock.  The good thing about that design was that there was only one “less obvious” way into the bin: opening the padlock.  The bolt heads were hidden by the latch.

Look at the “new improved” version Iron Mountain gave us this week:
[Two photos of the new Iron Mountain bin]

It’s certainly a more impressive looking bin than the old green bins we had.  Must be more secure because it’s new and shiny!

But, oh look, Iron Mountain have exposed the bolt heads.  So it’s less secure than the old bin.

Bulk EFS decryption & encryption

Short story version: use the CIPHER command.

I had a 3-2-1 backup fail on me recently: “21,684 files could not be copied”.

The original files were EFS encrypted.  Here’s a picture of what was going wrong:
[Screenshot: encrypted files do not copy to the other PC]

In technical terms, the second computer did not have the EFS decryption key.  The easy fix was to remove the EFS encryption via the CIPHER command:

cipher /a /d /s:<directory name>

where:

  • /a is all files, including subdirectories
  • /d is decrypt
  • /s: is the directory name, ie. d:\users\wisefaq\downloads

To bulk encrypt, you just need to replace the /d with /e, ie.

cipher /a /e /s:<directory name>

Note: the cipher command will fail if the files have the READ-ONLY flag set (ie. remove the flag first)
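The same procedure as a script, added here as an example (not from the original post): it clears the read-only flag the note above warns about, runs the cipher command from the post, and then counts the files that are still EFS-encrypted. The default directory is the one from the post; the FILE_ATTRIBUTE_ENCRYPTED bit is only reported by Windows, so the final check returns an empty list elsewhere.

```python
import os
import stat
import subprocess
import sys
from pathlib import Path

# Windows attribute bit that marks an EFS-encrypted file (FILE_ATTRIBUTE_ENCRYPTED).
FILE_ATTRIBUTE_ENCRYPTED = 0x4000


def cipher_command(directory: str, decrypt: bool = True) -> list[str]:
    """Build the command line from the post: /d decrypts (or /e encrypts)
    the tree named by /s:, with /a applying it to files, not just folders."""
    return ["cipher", "/d" if decrypt else "/e", f"/s:{directory}", "/a"]


def clear_read_only(directory: str) -> list[Path]:
    """Clear the read-only flag on every file below directory, since cipher
    fails on read-only files. Returns the files changed, so they can be restored."""
    changed = []
    for p in Path(directory).rglob("*"):
        if p.is_file() and not (p.stat().st_mode & stat.S_IWRITE):
            os.chmod(p, p.stat().st_mode | stat.S_IWRITE)
            changed.append(p)
    return changed


def encrypted_files(directory: str) -> list[Path]:
    """Files still carrying the EFS attribute (only visible on Windows)."""
    if not hasattr(os.stat(directory), "st_file_attributes"):
        return []
    return [p for p in Path(directory).rglob("*") if p.is_file()
            and p.stat().st_file_attributes & FILE_ATTRIBUTE_ENCRYPTED]


def bulk_efs(directory: str, decrypt: bool = True) -> int:
    """Clear read-only flags, run cipher, and return how many files are still
    encrypted afterwards (zero is the goal when decrypting for a copy)."""
    clear_read_only(directory)
    subprocess.run(cipher_command(directory, decrypt), check=True)
    return len(encrypted_files(directory))


if __name__ == "__main__":
    # Usage: python bulk_efs.py <directory> [--encrypt]
    target = sys.argv[1] if len(sys.argv) > 1 else r"d:\users\wisefaq\downloads"
    remaining = bulk_efs(target, decrypt="--encrypt" not in sys.argv)
    print(f"files still EFS-encrypted under {target}: {remaining}")
```

If the copies on the second PC should stay encrypted rather than land there in the clear, cipher /x exports the EFS certificate and private key to a .pfx file that can be imported on the other machine instead.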


Automatically encrypting Firefox web pages

… to stop snooping eyes from viewing what you’re doing.

Well you could use the HTTPS Everywhere Firefox plugin by the Electronic Frontier Foundation. 

The idea is simple.  You go to a web site, like http://www.google.com , and if there is a secure version (say https://www.google.com), you’ll be automatically redirected to it.

Useful?  Maybe…

If you don’t want your employer viewing your Google search, or Twitter, it might work for you. 

The 0.2.2 release of HTTPS Everywhere currently has support for the following 27 web sites:
Amazon, DuckDuckGo, EFF, Facebook, GMX, Google, GoogleAPIs, GoogleServices, Identica, Ixquick, Live, Mail.com, Meebo, Microsoft, Mozilla, Nederland, NYTimes, PayPal, Scroogle, Torproject, Twitter, WashingtonPost, Wikipedia, WordPress, zGentooBugzilla, zNoisebridge, Zoho

You can download the HTTPS Everywhere plugin here.
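To make the redirect idea concrete, here is an added example (not from the original post and not the EFF’s extension code) that models how an HTTPS Everywhere-style ruleset works: a list of URL patterns, each mapped to its secure equivalent, applied to every URL before the request goes out. The rules and the exclusion below are constructed for illustration; the real extension ships its own XML rulesets for the sites listed above.

```python
import re

# Each rule: a pattern tried against the full URL, and the secure replacement.
# First matching rule wins; constructed rules, not the extension's own.
RULES = [
    (re.compile(r"^http://(www\.)?google\.com/"), "https://www.google.com/"),
    (re.compile(r"^http://(www\.)?twitter\.com/"), "https://twitter.com/"),
    (re.compile(r"^http://en\.wikipedia\.org/"), "https://en.wikipedia.org/"),
]
# Exclusions mirror the extension's <exclusion> elements: paths that are left
# on HTTP because they break over HTTPS (this one is a constructed placeholder).
EXCLUSIONS = [re.compile(r"^http://www\.google\.com/recaptcha/")]


def rewrite(url: str) -> str:
    """Return the HTTPS URL for a site the ruleset covers, else the URL unchanged."""
    if any(x.search(url) for x in EXCLUSIONS):
        return url
    for pattern, target in RULES:
        if pattern.search(url):
            return pattern.sub(target, url, count=1)
    return url  # site not in the ruleset: the request still goes out in the clear


def coverage(urls):
    """Split a browsing history into URLs the plugin would secure and plain-HTTP
    URLs it would leave alone; this is the check to make before relying on it."""
    secured = [u for u in urls if rewrite(u) != u]
    exposed = [u for u in urls if rewrite(u) == u and u.startswith("http://")]
    return secured, exposed
```

The second function is the practical point: anything outside the 27 supported sites is still readable on the wire, employer proxy included.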


Inside an RSA SecurID tag

This is a “new style” RSA SecurID token.
[Photo: RSA SecurID token]

It, like the older style token, generates a code number every 30 seconds.  With the code number, and a PIN code and a username/password, I’m able to logon to my employer’s computers, from anywhere in the world.  The SecurID tokens are supposed to be tamper resistant.

In fact, the electronics package is mostly covered in a soft plastic coating, the kind of plastic you might pour over an insect to preserve it.  It is fairly easy to remove, so it doesn’t seem that resistant to me.  The CR-2032 battery is soldered to the electronics board, so you can’t re-use it.
[Photos: RSA SecurID token opened up, and with some of the plastic scraped away]

You’d hear stories about the old token, such as opening the case would cause the SecurID token to immediately disable itself.  I was disappointed that the newer model didn’t do that.  For those who don’t remember the old token, here’s what they looked like:
[Photo: old-style RSA SecurID token displaying OFF]


Today’s password is ‘4rfvgy7uj’

I had never heard of the concept of password “snakes” until I visited a customer 2 years ago.

Password snakes, simply put, are passwords which follow a path on the keyboard, as this picture illustrates.
[Image: the path of a password snake across the keyboard]

It’s an interesting idea, but not one I’d really encourage as it’s too easy to remember, particularly for those types of people who like looking over your shoulder.
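The flip side for anyone setting password policy is that a snake is easy to detect mechanically. This added example (not from the original post) lays out a US QWERTY keyboard as coordinates and flags a password as a snake when every consecutive pair of characters sits on touching keys; the half-key row offsets are an approximation of the physical layout, and the layout itself is an assumption, not something the post specifies.

```python
# Rows of a US QWERTY keyboard, unshifted and shifted, top to bottom.
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ['!@#$%^&*()_+', 'QWERTYUIOP{}|', 'ASDFGHJKL:"', 'ZXCVBNM<>?']
# Each row starts about half a key further right than the one above it.
OFFSET = [0.0, 0.5, 1.0, 1.5]


def _coords():
    """Map every character to a (row, x) position; shifted keys share a key."""
    table = {}
    for r, (row, shifted) in enumerate(zip(ROWS, SHIFTED)):
        for c, (k, s) in enumerate(zip(row, shifted)):
            table[k] = table[s] = (r, c + OFFSET[r])
    return table


KEYS = _coords()


def adjacent(a, b):
    """True if keys a and b touch: same key, side by side, or diagonal."""
    if a not in KEYS or b not in KEYS:
        return False
    (ra, xa), (rb, xb) = KEYS[a], KEYS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1.0


def is_keyboard_walk(pw, min_len=4):
    """A snake: long enough, and every consecutive pair of keys is adjacent."""
    return len(pw) >= min_len and all(adjacent(a, b) for a, b in zip(pw, pw[1:]))


def longest_walk(pw):
    """Length of the longest adjacent-key run, for scoring mixed passwords
    such as two short snakes joined together ("1qaz2wsx")."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best
```

The post’s own example, 4rfvgy7uj, is flagged as a walk, while a mixed password like Tr0ub4dor is not.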


Anti-virus False Positives – been a few

[Image: McAfee - Not Proven Security (courtesy Lifehacker)]

It was an Ed Bott article which got me thinking, “just how many anti-virus false positives have I dealt with over the years?”   Six.   A false positive is when your anti-virus product flags a non-virus file as being virus-infected.

Number of false positive virus updates which impacted my customers? 6
Number of virus outbreaks which occurred, which the AV products missed? 3
Number of virus outbreaks actually prevented by an AV product? 0

I’ve often thought that enterprise customers should pilot AV updates before inflicting them on their wider user community.  I mean, what’s the point of having an AV product which effectively does more damage than an actual outbreak?

Here is the list of anti-virus updates I’ve seen which have caused some havoc for customers.  It was longer than I thought it would be.

AV product, date, product it killed, and customer impact:

  • McAfee AV, April 2010: killed Windows.  Impact: minor, we stopped it in time.
  • CA eTrust, September 2008: killed Spybot S&D.  Impact: couldn’t use Spybot, as eTrust deleted the .exe.
  • CA Pest Patrol, March 2005: killed IBM Sametime.  Impact: 20,000+ computers unable to use the instant messaging product.
  • CA eTrust, January 2004: killed Windows.  Impact: stopped Windows booting in two countries.
  • CA eTrust, December 2003: killed WiseScript-created utilities.  Impact: broke a number of software installations, and caused a logon error on 1,000+ computers.
  • Symantec Norton AV, November 2001: killed InstallShield-created software installs.  Impact: when trying to install a particular VPN product, Symantec said the install was “NIMBA”; stopped a country-wide deployment for a week.

The anti-virus product I use at home?  Microsoft Security Essentials.


The world knows where you live – that is not good.

It might be a bit of a surprise to you, it certainly was to me.  The Apple iPhone stores the location of where a photo was taken.  It’s known as Location.  Or geo-location with other makes of phones/cameras.  Seems harmless enough, doesn’t it.

Except when some enterprising people decide to create a Firefox plug-in which lets you view the GPS co-ordinates, then link you through to, say, Google Maps.

[Image: iPhone photo with its location shown on a map]

Or not.  "42° 53′ 7.60″ S, 147° 19′ 35.54″ E" is a church in Tasmania.  I selected it at random, to mask the real address.
