6.22.2010

Looking for Vulnerabilities in All the Right Places? Experts Think you Might be Missing a Few...

Source -- DarkReading
By Keith Ferrell, Contributing Writer

The biggest vulnerabilities in the enterprise might be items we see every day -- and just don't think about.

Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren't computers. Paper documents. Passwords posted in plain view. Portable storage devices.

Most of these are technologies that would never be taken into account by a traditional vulnerability scan. Yet they could lead to data leaks just as surely as a keylogger or a data-stealing Trojan, experts say.

"Peripheral devices on the network may have capabilities the business doesn't know of," says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. "And those capabilities can create security vulnerabilities."

Printers, fax machines, and multifunction devices with persistent storage could all serve as entry points for a sophisticated hacker, Brown observes. And the presence of internal storage might not be clear at first glance, nor does it necessarily show up on traditional security audits.

"An automated vulnerability scan may not reveal which printers and other hard copy devices have hard drives," Brown observes. "As a result, the business isn't aware that digital copies of sensitive information may remain in the printer."

A thorough vulnerability assessment should include examining all hard copy devices for internal storage capability -- this could require contacting the manufacturer or even opening the machine, Brown says.

Enterprises should also take steps to ensure that digital files are wiped from these devices as soon as the hard copy is produced or the fax transmitted. This could mean purchasing and installing additional software from the manufacturer.

Other network-attached devices could also be vulnerable, Brown observes. "Any device connected to the network needs to have its security validated," he says.

He offers security cameras as an example. "For cost-saving and other reasons, companies have shifted security cameras from dedicated coaxial cable connections to TCP/IP connections, which run the risk of being vulnerable to cross-site scripting attacks and remote control takeover."

Even backup power devices might be at risk, Brown warns. "UPS devices connected to the network could enable an attacker to take control," he says.

Brown offers three bits of advice for all network-attached devices. "The biggest risk is leaving the default password in place," he says. No matter the device and its purpose, he advises, users should change its password before connecting it to the network.

"Second," Brown continues, "review all of the features that the device offers. Web printing capability may not be useful as a business function at your company, but it could be very useful to an attacker."

Finally, he points out that maintaining security readiness on peripheral devices is an ongoing process.

"Incorporate all devices into your patch cycle," he says. "We're all familiar with Microsoft and Cisco patches -- but when was the last time you upgraded the firmware on your printer? Seek out patch information on every device connected to your network, and incorporate them into your patching cycle."
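As an added example that is not from the article, from ICSA or from any vendor, here is a small Python inventory audit that applies Brown's three checks (default password still set, features enabled beyond what the business needs, device missing from the patch cycle) together with the internal-storage point made earlier in the piece. The device names, types, feature strings, dates and the 90-day patch window are all constructed for the example and stand in for whatever an organisation's own asset register records.

```python
from dataclasses import dataclass
from datetime import date

# Audit date and inventory are constructed for this example; names, types,
# feature strings and dates are hypothetical, not taken from any real network.
AUDIT_DATE = date(2010, 6, 22)

INVENTORY = [
    {"name": "print-3f-01", "type": "printer", "default_password": False,
     "features": ["web-ui", "web-printing", "ftp", "smb-scan"],
     "has_storage": True, "wipes_after_job": False,
     "firmware_updated": date(2009, 11, 2), "in_patch_cycle": False},
    {"name": "cam-lobby-02", "type": "camera", "default_password": True,
     "features": ["web-ui", "rtsp", "telnet"], "has_storage": False,
     "firmware_updated": date(2010, 5, 15), "in_patch_cycle": True},
    {"name": "ups-dc-01", "type": "ups", "default_password": False,
     "features": ["snmp"], "has_storage": False,
     "firmware_updated": date(2010, 4, 1), "in_patch_cycle": True},
    {"name": "fax-hr-01", "type": "fax", "default_password": False,
     "features": ["web-ui"], "has_storage": True, "wipes_after_job": True,
     "firmware_updated": date(2010, 1, 10), "in_patch_cycle": True},
]

# Features the business actually needs, per device type (assumed policy).
# Anything enabled beyond this list is capability the business is not using.
FEATURE_BASELINE = {
    "printer": {"web-ui", "smb-scan"},
    "camera": {"web-ui", "rtsp"},
    "ups": {"snmp"},
}


@dataclass
class Finding:
    device: str
    check: str
    detail: str


def audit_device(dev, today, max_patch_age_days=90):
    """Run the password, feature, storage and patch-cycle checks on one record."""
    findings = []
    name = dev["name"]

    # 1. "The biggest risk is leaving the default password in place."
    if dev["default_password"]:
        findings.append(Finding(name, "default-password",
                                "factory credentials still in place; change before use"))

    # 2. Review every feature the device offers against what the business needs.
    baseline = FEATURE_BASELINE.get(dev["type"])
    if baseline is None:
        findings.append(Finding(name, "no-feature-baseline",
                                f"no approved feature set defined for type '{dev['type']}'"))
    else:
        extra = sorted(set(dev["features"]) - baseline)
        if extra:
            findings.append(Finding(name, "unneeded-feature", ", ".join(extra)))

    # Hard-copy devices with internal disks should wipe jobs once printed or faxed.
    if dev.get("has_storage") and not dev.get("wipes_after_job", False):
        findings.append(Finding(name, "storage-retention",
                                "internal disk keeps job copies; enable wipe-after-job"))

    # 3. Every device belongs in the patch cycle, firmware included.
    age = (today - dev["firmware_updated"]).days
    if age > max_patch_age_days:
        findings.append(Finding(name, "firmware-stale",
                                f"firmware last updated {age} days ago"))
    if not dev["in_patch_cycle"]:
        findings.append(Finding(name, "not-in-patch-cycle",
                                "device is not tracked in the patch cycle"))
    return findings


def audit_inventory(inventory, today, max_patch_age_days=90):
    """Flatten the per-device findings for a whole inventory."""
    return [f for dev in inventory for f in audit_device(dev, today, max_patch_age_days)]


def findings_by_device(findings):
    """Map device name -> list of check names, in the order they were raised."""
    out = {}
    for f in findings:
        out.setdefault(f.device, []).append(f.check)
    return out


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY, AUDIT_DATE):
        print(f"{f.device:14} {f.check:20} {f.detail}")
```

Run against the constructed inventory, the UPS comes back clean, the printer collects four findings (two unneeded features, retained job copies, stale and untracked firmware), the camera is flagged for its factory password and an unneeded service, and the fax shows why the feature baseline has to be written down per device type before the check can say anything useful.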

Many of these office devices produce a lot of paper -- paper which, as security consultant Steve Stasiukonis of Secure Network Technologies points out, can be a vulnerability itself.

"Take a look at your copier station," Stasiukonis says, noting that many companies overlook sensitive material that might be found in unsecured places. Recycling bins or preshredder collection stations holding unshredded materials can be rich sites for information-miners, he notes.

Documents that aren't shredded could be the cause of a data breach, as a recent New Jersey incident revealed when papers containing Social Security numbers and other personal information were found in a public dumpster.

"And don't forget the amount of paper and other sensitive information on employees' desks," Stasiukonis advises.

A workplace walk-through -- even in a "clean desk" environment -- can often reveal security badges and swipe-cards lying in plain sight, ripe for the taking, Stasiukonis explains. In his physical penetration tests, Stasiukonis also frequently finds passwords and log-ins on sticky notes and keyrings hanging from thumbtacks in cubicles.

Even if you don't see anything at first glance, Stasiukonis suggests, look a little closer. "Have your employees turn over their keyboards for inspection," he suggests, noting that many users stick their passwords there for easy recall.

Stasiukonis also recommends checking devices, such as copiers, for default service tech passwords, which might remain in place even if the business has changed its own access and log-in codes.

"Check to be sure that security cameras haven't been repositioned," he adds. "Scan for infrared devices. Examine the security not only of IT administration notebooks, but also physical plant management and control notebooks. Beyond that, an examination of the contents of employees' desks can reveal treasure chests of vulnerabilities.

"But," he cautions, "before going into employees' desks, you should review your plans with your human resources department." Whatever your company's legal rights, many employees resent having their desks checked, so be sure to educate them before conducting a search, he explains.

Another vulnerability vector -- and in many ways the most common one -- is human nature.

Security professional Scott Wright's Honey Stick Project put human nature to the test by leaving specially prepared USB drives in plain sight. When one of the drives was inserted in a business device, the information was logged, revealing what the user had done.

Such behavior is typical, according to Wright. As he notes on his Streetwise Security Zone site: "Out of 54 devices dropped with specially configured -- but safe -- files on them, the Honey Stick Project has detected that at least 35 of these devices have had files opened."

Vulnerability-scanning tools are a good place to start, but they can't see the whole enterprise, the experts warn. To find all of your vulnerabilities, you'll need to look at the things your users see every day -- in a new way.

6.21.2010

The Pelco DX Series, Doing More for Less... Part 1.

For many years and countless hours of around-the-clock operation, the Pelco DX Series of DVRs has been relied upon to protect people and property in thousands of locations worldwide. From basic video security systems with just a few cameras, to fully distributed network video systems, the DX Series is the perfect digital recording solution to meet almost any video recording need.

The DX Series begins with the DX4100. These affordable, entry-level DVRs eliminate the need for the traditional VCR/multiplexer/matrix combination. Offering four-channel models with internal storage capacity of up to 2 TB, the DX4100 series is designed to guard your business while protecting your bottom line. The hallmark of the DX4100 series is its ease of operation. These systems feature simple installation, are ready to record right out of the box, and have an easy-to-use and intuitive user interface which makes training and support a snap.

6.09.2010

Piezoelectricity and You.

Sustainability got sexier last week at the opening of Surya in London. The Club4Climate project is London’s first taste of eco-friendly clubbing, making clubbers happy in the knowledge that their organic beverage-induced booty shaking can generate 60% of the energy needed to run the club. The venue’s most exciting innovation is the piezoelectric dancefloor, which uses quartz crystals and ceramics to turn clubbers’ movement into electricity!

Previously seen in the Sustainable Dance Club in Rotterdam, this is Britain’s first exposure to such technology. The rest of the power needed will come from a wind turbine and solar energy system, with any surplus used to power private homes in the area. The club will also be installing the latest air flush, waterless urinals, low flush toilets and automatic taps to ensure maximum water saving plus less greedy air conditioning units.

The project is clearly trying to affect behavior on a much wider scale, too, requiring patrons to sign a 10-point manifesto on entry, giving free entry to anyone who can prove that they walked or cycled to the venue, and encouraging as many other clubs as possible to adopt his philosophy.

Property developer Andrew Charalambous is behind Club4Climate, appearing in character as ‘Dr Earth’ to be more down with the kids. He says the club aims to ‘stop preaching to people and use an inclusive philosophy to create the revolution [needed] to combat climate change.’ A Club4Climate island is also planned for 2010, although how clubbers will transport themselves to the island hasn’t been mentioned.

In another shining example of using what you have for power generation, a Netherlands train station is using a revolving door to produce electricity. The Natuurcafe La Port in the train station expects the coming and going of patrons to provide 4,600 kWh a year. So, while the coffee powers the customers, the customers are powering the coffee shop.

The door uses a generator that harvests the kinetic energy produced when the door spins and a supercapacitor to store the energy. The energy is used to power the cafe's LED lights. When the lights use up the stored energy from the door, the station's main energy supply takes over. For the curious, the station has a display that shows the amount of energy generated as customers walk in and out.

While 4,600 kWh is a small amount compared to a train station's total energy needs, it's great to see a large building harvesting renewable energy from as many sources as possible. These types of kinetic energy generators could go a long way if they're consistently implemented in both new buildings and renovation projects.

Piezoelectricity is the ability of some materials (notably crystals, certain ceramics, and biological matter such as bone, DNA and various proteins) to generate an electric field or electric potential[1] in response to applied mechanical strain. The effect is closely related to a change of polarization density within the material's volume. If the material is not short-circuited, the applied stress/strain induces a voltage across the material. However, if the circuit is closed the energy will be quickly released. So in order to run an electric load (such as a light bulb) on a piezoelectric device, the applied mechanical stress must oscillate back and forth. For example, if you had such a device in your shoes you could charge your cell phone while walking but not while standing. The word is derived from the Greek piezo or piezein (πιέζειν), which means to squeeze or press.
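Added here to illustrate the "walking but not standing" point above (this simulation is not part of the original post): a lumped-element model in Python of a piezoelectric element feeding a resistive load. The model is an assumption made for the example, namely that the element produces charge Q = d·F under a force F (the direct effect, with d the charge coefficient) and otherwise behaves as a capacitor C in parallel with a load resistor R; the parameter values (a PZT-like d of 500 pC/N, 100 nF, 1 MΩ, a 700 N footstep at 2 Hz) are chosen for illustration and are not from the post.

```python
import math

# Assumed lumped model: charge Q = d*F appears on an element of capacitance C,
# which is loaded by a resistor R. With q_load the charge already drained
# through R, the element voltage is V = (d*F - q_load)/C and dq_load/dt = V/R.
D33 = 500e-12    # C/N, charge coefficient typical of a PZT ceramic (assumed)
CAP = 100e-9     # F, element capacitance (assumed)
LOAD = 1e6       # ohm, resistive load, chosen so R*C ~ 1/(2*pi*f) (assumed)
FORCE = 700.0    # N, roughly one footstep of a 70 kg person (constructed)
DT = 1e-4        # s, explicit-Euler time step
DURATION = 10.0  # s, simulated time


def simulate(force_at, dt=DT, duration=DURATION, d=D33, c=CAP, r=LOAD):
    """Return the energy (J) delivered to the load during each whole second."""
    steps = int(round(duration / dt))
    per_second = int(round(1.0 / dt))
    q_load = 0.0            # charge that has already flowed through R
    energies, acc = [], 0.0
    for n in range(steps):
        t = n * dt
        v = (d * force_at(t) - q_load) / c   # voltage across element and load
        q_load += v / r * dt                 # charge drained this step
        acc += v * v / r * dt                # energy dissipated in R this step
        if (n + 1) % per_second == 0:
            energies.append(acc)
            acc = 0.0
    return energies


def standing(t):
    """Constant force: the wearer stands still on the element."""
    return FORCE


def walking(t, step_hz=2.0):
    """Force rising from 0 to FORCE and back twice a second: a walking pace."""
    return 0.5 * FORCE * (1.0 - math.cos(2 * math.pi * step_hz * t))


def theoretical_step_energy(d=D33, c=CAP, force=FORCE):
    """Everything a single static load can ever deliver: 1/2*C*V0^2, V0 = d*F/C."""
    return (d * force) ** 2 / (2 * c)


def harvest_comparison():
    """Total energy over DURATION seconds for standing versus walking."""
    return sum(simulate(standing)), sum(simulate(walking))


if __name__ == "__main__":
    for label, fn in (("standing", standing), ("walking", walking)):
        print(label, ["%.2e" % e for e in simulate(fn)])
    print("single-step theoretical energy: %.2e J" % theoretical_step_energy())
```

Under constant force the whole yield arrives in the first second (the charge stored at the moment the foot lands drains through R with time constant RC and nothing follows), and it matches the ½·C·V0² bound to within the Euler discretisation error; the walking profile delivers the same order of energy every second for as long as the stepping continues, which is the point the paragraph makes about charging a phone on the move.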

The piezoelectric effect is reversible in that materials exhibiting the direct piezoelectric effect (the production of an electric potential when stress is applied) also exhibit the reverse piezoelectric effect (the production of stress and/or strain when an electric field is applied). For example, lead zirconate titanate crystals will exhibit a maximum shape change of about 0.1% of the original dimension.

The effect finds useful applications such as the production and detection of sound, generation of high voltages, electronic frequency generation, microbalances, and ultra-fine focusing of optical assemblies. It is also the basis of a number of scientific instrumental techniques with atomic resolution, the scanning probe microscopies such as STM, AFM, MTA, SNOM, etc., and everyday uses such as acting as the ignition source for cigarette lighters and push-start propane barbecues.