Showing posts with label quirky.

6.22.2010

Looking for Vulnerabilities in All the Right Places? Experts Think you Might be Missing a Few...

Source: DarkReading
By Keith Ferrell, Contributing Writer

The biggest vulnerabilities in the enterprise might be items we see every day -- and just don't think about.

Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren't computers. Paper documents. Passwords posted in plain view. Portable storage devices.

Most of these would never be taken into account by a traditional vulnerability scan. Yet they could lead to data leaks just as surely as a keylogger or a data-stealing Trojan, experts say.

"Peripheral devices on the network may have capabilities the business doesn't know of," says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. "And those capabilities can create security vulnerabilities."

Printers, fax machines, and multifunction devices with persistent storage could all serve as entry points for a sophisticated hacker, Brown observes. And the presence of internal storage might not be clear at first glance, nor does it necessarily show up on traditional security audits.

"An automated vulnerability scan may not reveal which printers and other hard copy devices have hard drives," Brown observes. "As a result, the business isn't aware that digital copies of sensitive information may remain in the printer."

A thorough vulnerability assessment should include examining all hard copy devices for internal storage capability -- this could require contacting the manufacturer or even opening the machine, Brown says.

Enterprises should also take steps to ensure that the digital copies are wiped from these devices as soon as the hard copy is produced or the fax transmitted. This could mean purchasing and installing additional software from the manufacturer.

Other network-attached devices could also be vulnerable, Brown observes. "Any device connected to the network needs to have its security validated," he says.

He offers security cameras as an example. "For cost-saving and other reasons, companies have shifted security cameras from dedicated coaxial cable connections to TCP/IP connections, which run the risk of being vulnerable to cross-site scripting attacks and remote control takeover."

Even backup power devices might be at risk, Brown warns. "UPS devices connected to the network could enable an attacker to take control," he says.

Brown offers three bits of advice for all network-attached devices. "The biggest risk is leaving the default password in place," he says. No matter the device and its purpose, he advises, users should change its password before connecting it to the network.

"Second," Brown continues, "review all of the features that the device offers. Web printing capability may not be useful as a business function at your company, but it could be very useful to an attacker."

Finally, he points out that maintaining security readiness on peripheral devices is an ongoing process.

"Incorporate all devices into your patch cycle," he says. "We're all familiar with Microsoft and Cisco patches -- but when was the last time you upgraded the firmware on your printer? Seek out patch information on every device connected to your network, and incorporate them into your patching cycle."

Many of these office devices produce a lot of paper -- paper which, as security consultant Steve Stasiukonis of Secure Network Technologies points out, can be a vulnerability itself.

"Take a look at your copier station," Stasiukonis says, noting that many companies overlook sensitive material that might be found in unsecured places. Recycling bins or preshredder collection stations holding unshredded materials can be rich sites for information-miners, he notes.

Documents that aren't shredded could be the cause of a data breach, as a recent New Jersey incident revealed when papers containing Social Security numbers and other personal information were found in a public dumpster.

"And don't forget the amount of paper and other sensitive information on employees' desks," Stasiukonis advises.

A workplace walk-through -- even in a "clean desk" environment -- can often reveal security badges and swipe cards lying in plain sight, ripe for the taking, Stasiukonis explains. In his physical penetration tests, Stasiukonis also frequently finds passwords and log-ins on sticky notes and keyrings hanging from thumbtacks in cubicles.

Even if you don't see anything at first glance, Stasiukonis suggests, look a little closer. "Have your employees turn over their keyboards for inspection," he suggests, noting that many users stick their passwords there for easy recall.

Stasiukonis also recommends checking devices, such as copiers, for default service tech passwords, which might remain in place even if the business has changed its own access and log-in codes.

"Check to be sure that security cameras haven't been repositioned," he adds. "Scan for infrared devices. Examine the security not only of IT administration notebooks, but also physical plant management and control notebooks. Beyond that, an examination of the contents of employees' desks can reveal treasure chests of vulnerabilities.

"But," he cautions, "before going into employees' desks, you should review your plans with your human resources department." Whatever your company's legal rights, many employees resent having their desks checked, so be sure to educate them before conducting a search, he explains.

Another vulnerability vector -- and in many ways the most common one -- is human nature.

Security professional Scott Wright's Honey Stick Project put human nature to the test by leaving specially prepared USB drives in plain sight. When one of the drives was inserted in a business device, the information was logged, revealing what the user had done.

Such behavior is typical, according to Wright. As he notes on his Streetwise Security Zone site: "Out of 54 devices dropped with specially configured -- but safe -- files on them, the Honey Stick Project has detected that at least 35 of these devices have had files opened."

Vulnerability-scanning tools are a good place to start, but they can't see the whole enterprise, the experts warn. To find all of your vulnerabilities, you'll need to look at the things your users see every day -- in a new way.

6.09.2010

Piezoelectricity and You.

Sustainability got sexier last week at the opening of Surya in London. The Club4Climate project is London’s first taste of eco-friendly clubbing, making clubbers happy in the knowledge that their organic beverage-induced booty shaking can generate 60% of the energy needed to run the club. The venue’s most exciting innovation is the piezoelectric dancefloor, which uses quartz crystals and ceramics to turn clubbers’ movement into electricity!

Previously seen in the Sustainable Dance Club in Rotterdam, this is Britain’s first exposure to such technology. The rest of the power needed will come from a wind turbine and solar energy system, with any surplus used to power private homes in the area. The club will also be installing the latest air flush, waterless urinals, low flush toilets and automatic taps to ensure maximum water saving plus less greedy air conditioning units.

The project is clearly trying to affect behavior on a much wider scale, too, requiring patrons to sign a 10-point manifesto on entry, giving free entry to anyone who can prove that they walked or cycled to the venue, and encouraging as many other clubs as possible to adopt its philosophy.

Property developer Andrew Charalambous is behind Club4Climate, appearing in character as ‘Dr Earth‘ to be more down with the kids. He says the club aims to ’stop preaching to people and use an inclusive philosophy to create the revolution [needed] to combat climate change.’ A Club4Climate island is also planned for 2010, although how clubbers will transport themselves to the island hasn’t been mentioned.

In another shining example of using what you have for power generation, a Netherlands train station is using a revolving door to produce electricity. The Natuurcafe La Port in the train station expects the coming and going of patrons to provide 4,600 kWh a year. So, while the coffee powers the customers, the customers are powering the coffee shop.

The door uses a generator that harvests the kinetic energy produced when the door spins and a supercapacitor to store the energy. The energy is used to power the cafe's LED lights. When the lights use up the stored energy from the door, the station's main energy supply takes over. For the curious, the station has a display that shows the amount of energy generated as customers walk in and out.

While 4,600 kWh is a small amount compared to a train station's total energy needs, it's great to see a large building harvesting renewable energy from as many sources as possible. These types of kinetic energy generators could go a long way if they're consistently implemented in both new buildings and renovation projects.

Piezoelectricity is the ability of some materials (notably crystals, certain ceramics, and biological matter such as bone, DNA and various proteins) to generate an electric field or electric potential in response to applied mechanical strain. The effect is closely related to a change of polarization density within the material's volume. If the material is not short-circuited, the applied stress/strain induces a voltage across the material. However, if the circuit is closed the energy will be quickly released. So in order to run an electric load (such as a light bulb) on a piezoelectric device, the applied mechanical stress must oscillate back and forth. For example, if you had such a device in your shoes you could charge your cell phone while walking but not while standing. The word is derived from the Greek piezo or piezein (πιέζειν), which means to squeeze or press.

The piezoelectric effect is reversible in that materials exhibiting the direct piezoelectric effect (the production of an electric potential when stress is applied) also exhibit the reverse piezoelectric effect (the production of stress and/or strain when an electric field is applied). For example, lead zirconate titanate crystals will exhibit a maximum shape change of about 0.1% of the original dimension.

The effect finds useful applications such as the production and detection of sound, generation of high voltages, electronic frequency generation, microbalances, and ultra fine focusing of optical assemblies. It is also the basis of a number of scientific instrumental techniques with atomic resolution, the scanning probe microscopies such as STM, AFM, MTA, SNOM, etc., and everyday uses such as acting as the ignition source for cigarette lighters and push-start propane barbecues.

4.05.2010

Introducing Plexidor Electronic Access Control for your Dog!

Access control is evolving all the time, and the situations it can be applied to are limited only by one's imagination. That said, did you know that there's an access control option for your pets?

Yes, gone are the days of worrying about the unwanted entry of stray dogs, neighborhood cats, raccoons, or any such pesky varmint. Pet owners can find relief knowing that RFID tags are available for pet collars, granting entry or exit when the pet door is equipped with electronic access control. You can control which pet(s) can go outside and which cannot.

Love your pet? Can you hold it for 9 hours? The next time you have to “go” in the middle of the night, think about your pet – and the Plexidor® Performance Pet Doors. Sure, pets are different from people. People have flush toilets, pets don’t. Pets just have to wait until morning.

But if you forget, or make your pet wait too long, you know what comes next: Yup, the clean-up.

So, for the last 22 years, Plexidor® has been crusading for pets’ rights to come and go as they please. It’s actually a 2-in-1 crusade because pet owners have rights too…such as the right NOT to be a 24-hour-a-day doorman, the right NOT to live with spotted carpeting, and the right NOT to have to refinish scratched doors, to name just a few.

Because of this crusade Plexidor® has been designing and manufacturing the Performance Pet Door line. The Plexidors® come in sizes ranging from cat to great dane. They work in any kind of door or wall. All Plexidors® have heavy durable aluminum frames that can be secured and locked. White and bronze frames are baked on for strength and durability. And the door panels are made of insulated high impact acrylic to help keep your home warm in the winter and cool in the summer.

Call us or visit our website and join the crusade. Order a Plexidor® pet door today. You and your pet will be happier.

  • High impact acrylic panels, also used in small aircraft windshields.
  • These colors do not run. Plexidor® pet doors are not painted, they use a baked on finish.
  • Dogs chew through plastic and bend thin aluminum frames. These are thick, heavy aluminum.
  • Magnets are not effective “keys” and are not used with Plexidor® pet doors.
  • The electronic door has 1000s of key codes.

Plexidor® Electronic Doors

Secure – Interior stainless steel locking bar, thousands of key codes. Opens only for your pets. Tough shatter resistant panel. Heavy, thick aluminum frames that won’t bend. Won’t interfere with home security system.

Energy Efficient – No gaps for air infiltration, saves you money.

Pet/Child Safe – Panel won’t close when obstructed. Total control up and down. No pinched tails. No pinched fingers.

Dependable – Runs on household current. Collar key is waterproof and does not need batteries. Key fastens securely to collar and won’t fall off. Interior mounted motor won’t freeze up in cold.

Durable – Steel and hardened aluminum frame with thick acrylic closing panel. Wall units include aluminum tunnel pieces and stainless steel mounting hardware for years of service. No unsightly rust streaks on your home.

Easy to Use – One button programming to add or change collar codes quickly and simply. Collar key snaps on easily and stays on. Comes complete with pet door, exterior trim, stainless steel hardware, 2 collar keys, power supply and 15ft cord.


The key is a micro RFID chip weighing only 0.4 oz.

Plexidor® collar keys are:
  • Waterproof
  • Rugged
  • Battery free
  • Shock proof
  • Won’t fall off
  • Works with underground fencing
  • Have 1000s of key codes

How it works: Plexidor® Electronic “reads” the key code and opens only for your pet. Panel unlocks and slides up like a mini garage door. The main frame has a low profile of just 1 5/8” in thickness. Door plugs into household outlet or can be hardwired.

Order a Plexidor® today and say goodbye to…
  • Messy litter trays
  • Scratched doors
  • Wasted energy
  • Awkward, noisy, chewed flaps
  • Ruined carpets and drapes

Plexidor® Pet Doors Provide
  • Peace and quiet
  • Undisturbed sleep & TV
  • Freedom from worry about letting your pet out

Plexidors® are
  • A carpet saver
  • A money saver
  • An energy saver

2.11.2010

There's a "People Element" to security we seem to be forgetting...

Social Engineering, the USB Way 

Those thumb drives can turn external threats into internal ones.

The folks at DarkReading recently got hired by a credit union to assess the security of its network. The client asked that they really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging their effort in the report was a way to drive the message home to the employees.

The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue drive plugging into their network. So the DarkReading guys wanted to see if they could tempt someone into plugging one into their employer's network.
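On the defensive side of that concern, here is an added example (not code from the engagement or from DarkReading) of the simplest detection a shop could run: watch the kernel log for the moment a removable drive is claimed by the usb-storage driver, correlate it with the enumeration lines that carry vendor, product and serial, and alert on anything not on an approved list. Hostnames, device IDs, serials and the approved list below are constructed for the example.

```python
"""Flag USB mass-storage insertions from kernel log lines.

Added example, not code from the credit-union engagement or from DarkReading. It
assumes syslog-style kernel messages as Linux prints them when a USB device is
enumerated and claimed by usb-storage; the hostnames, IDs, serials and the
approved-device list below are constructed for the example.
"""
import re

# Constructed sample: a SanDisk stick and a mouse on ws-1033, a Kingston stick on ws-2201.
KERNEL_LOG = """\
Jan 12 08:41:02 ws-1033 kernel: usb 1-1.4: new high-speed USB device number 5 using ehci_hcd
Jan 12 08:41:02 ws-1033 kernel: usb 1-1.4: New USB device found, idVendor=0781, idProduct=5406
Jan 12 08:41:02 ws-1033 kernel: usb 1-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 12 08:41:02 ws-1033 kernel: usb 1-1.4: Product: Cruzer Micro
Jan 12 08:41:02 ws-1033 kernel: usb 1-1.4: Manufacturer: SanDisk
Jan 12 08:41:02 ws-1033 kernel: usb 1-1.4: SerialNumber: 0000123456789ABC
Jan 12 08:41:02 ws-1033 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
Jan 12 08:41:03 ws-1033 kernel: scsi host6: usb-storage 1-1.4:1.0
Jan 12 08:45:10 ws-1033 kernel: usb 1-1.2: New USB device found, idVendor=046d, idProduct=c077
Jan 12 08:45:10 ws-1033 kernel: usb 1-1.2: Product: USB Optical Mouse
Jan 12 09:02:55 ws-2201 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jan 12 09:02:55 ws-2201 kernel: usb 2-1: SerialNumber: 60A44C3FA9C1
Jan 12 09:02:55 ws-2201 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Approved removable media as (idVendor, idProduct, serial). Constructed.
ALLOWED = {("0951", "1666", "60A44C3FA9C1")}

LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$')
NEW_DEV_RE = re.compile(r'^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})')
ATTR_RE = re.compile(r'^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$')
STORAGE_RE = re.compile(r'^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected$')
ATTR_FIELD = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


def find_mass_storage(log_text, allowed):
    """Return one event per usb-storage claim, with the enumeration details for that port."""
    devices = {}   # (host, port path) -> attributes gathered since enumeration
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ts, msg = m.group("host"), m.group("ts"), m.group("msg")
        nd = NEW_DEV_RE.match(msg)
        if nd:
            devices[(host, nd.group("port"))] = {
                "host": host, "port": nd.group("port"), "time": ts,
                "vid": nd.group("vid"), "pid": nd.group("pid"),
                "product": "", "manufacturer": "", "serial": "",
            }
            continue
        at = ATTR_RE.match(msg)
        if at:
            dev = devices.get((host, at.group("port")))
            if dev:
                dev[ATTR_FIELD[at.group("key")]] = at.group("val")
            continue
        st = STORAGE_RE.match(msg)
        if st:
            dev = devices.get((host, st.group("port")))
            if dev is None:   # claim with no enumeration line in the window: still report it
                dev = {"host": host, "port": st.group("port"), "time": ts, "vid": "?", "pid": "?",
                       "product": "", "manufacturer": "", "serial": ""}
            events.append(dict(dev, allowed=(dev["vid"], dev["pid"], dev["serial"]) in allowed))
    return events


def unapproved(events):
    """Events worth an alert: mass storage not on the approved list."""
    return [e for e in events if not e["allowed"]]


if __name__ == "__main__":
    for e in unapproved(find_mass_storage(KERNEL_LOG, ALLOWED)):
        print(f"{e['time']} {e['host']} port {e['port']}: unapproved mass storage "
              f"{e['vid']}:{e['pid']} {e['manufacturer']} {e['product']} serial={e['serial'] or '?'}")
```

The serial is reported by the device itself, so an allowlist keyed on it is a tripwire rather than enforcement; the value of this check is that the log lines are already being generated and usually already collected. Enforcement belongs elsewhere, for instance preventing the usb-storage module from loading on hosts that have no business reading removable media.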

In the past they had used a variety of social engineering tactics to compromise a network. Typically they would hang out with the smokers, sweet-talk a receptionist, or commandeer a meeting room and jack into the network. This time, they knew they'd have to do something different. Employees were talking within the credit union and were telling each other that somebody was going to test the security of the network, including the people element.

So DarkReading tried something different by baiting the same employees that were on high alert. They gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with their own special piece of software. One of their guys wrote a Trojan that, when run, would collect passwords, log-ins and machine-specific information from the user's computer, and then email the findings back.

The next hurdle was getting the USB drives in the hands of the credit union's  internal users. Simply enough, they made their way to the credit union at about 6am to make sure no employees saw them. They then proceeded to scatter the drives in the parking lot, smoking areas and other areas employees frequented.

Once the drives were seeded, it was time to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desk.

Upon calling the guy who wrote the Trojan and asking if anything had been received at his end, it turned out that slowly but surely information was being mailed back to him. It would have been lovely to be inside the building watching as people plugged the USB drives in, scoured through the planted image files, and then unknowingly ran the piece of software cleverly hidden away by DarkReading.

After about three days, they figured they'd collected enough data. Upon review of their findings, they were amazed at the results. Of the 20 USB drives planted, 15 were found by employees and all had been plugged into company computers. The data obtained helped to compromise additional systems, and the best part of the whole scheme was the convenience. Everything that needed to happen did, and in a way it was completely transparent to the users, the network and credit union management.

This little "giveaway" takes security loopholes a step further, working off humans' innate curiosity. Email virus writers exploit this same vulnerability, as do phishers and their clever faux websites. The credit union client wasn't unique or special. All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.
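Both this drop and Scott Wright's Honey Stick Project above come down to one measurement: of the drives left lying around, how many were opened, and where. As an added example (not code from either project), the following assumes the drives carry a harmless beacon file whose only action is to fetch a URL of the form http://beacon.example/b/<drive-id>?h=<hostname>, and works the numbers out of the beacon host's access log. The drop manifest, hostnames and log lines are constructed.

```python
"""Analysis of honey-stick beacon hits: which dropped drives were opened, and where.

Added example, not code from the Honey Stick Project or from the credit-union
engagement. It assumes each dropped drive carries a harmless "beacon" file whose
only action is to fetch http://beacon.example/b/<drive-id>?h=<hostname>; the
drop manifest and the access-log lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Drop manifest: drive id -> where it was left. Constructed sample data.
DROPPED = {
    "d01": "parking lot", "d02": "parking lot",
    "d03": "smoking area", "d04": "smoking area",
    "d05": "lobby", "d06": "lobby",
    "d07": "cafeteria", "d08": "cafeteria",
}

# Constructed access-log lines (Apache/nginx "combined" format) from the beacon host.
ACCESS_LOG = """\
10.20.1.15 - - [12/Jan/2010:08:41:07 -0500] "GET /b/d01?h=WS-1033 HTTP/1.1" 200 43 "-" "Mozilla/4.0"
10.20.1.15 - - [12/Jan/2010:08:41:09 -0500] "GET /b/d01?h=WS-1033 HTTP/1.1" 200 43 "-" "Mozilla/4.0"
10.20.1.77 - - [12/Jan/2010:08:52:30 -0500] "GET /b/d04?h=WS-2201 HTTP/1.1" 200 43 "-" "Mozilla/4.0"
10.20.3.9 - - [12/Jan/2010:09:13:55 -0500] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/4.0"
10.20.1.77 - - [13/Jan/2010:07:58:12 -0500] "GET /b/d03?h=WS-2201 HTTP/1.1" 200 43 "-" "Mozilla/4.0"
10.20.2.40 - - [14/Jan/2010:10:02:41 -0500] "GET /b/d99?h=WS-0001 HTTP/1.1" 200 43 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
BEACON_RE = re.compile(r'^/b/(?P<drive>[A-Za-z0-9_-]+)(?:\?h=(?P<host>[^&\s]*))?$')


def parse_beacon_hits(log_text):
    """Return one record per beacon request; non-beacon requests are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        b = BEACON_RE.match(m.group("path"))
        if not b:
            continue
        hits.append({
            "drive": b.group("drive"),
            "host": b.group("host") or "",
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        })
    return hits


def summarize(hits, dropped):
    """Count drives (not hits) that were opened, per drop site and overall."""
    first_open = {}                 # drive id -> time of first beacon
    unknown = set()                 # ids not in the manifest: a typo, or someone probing the URL
    drives_by_host = defaultdict(set)
    for h in sorted(hits, key=lambda x: x["time"]):
        if h["drive"] not in dropped:
            unknown.add(h["drive"])
            continue
        first_open.setdefault(h["drive"], h["time"])   # repeat opens of one drive count once
        drives_by_host[h["host"]].add(h["drive"])
    by_site = defaultdict(lambda: [0, 0])               # site -> [opened, dropped]
    for drive, site in dropped.items():
        by_site[site][1] += 1
        if drive in first_open:
            by_site[site][0] += 1
    return {
        "dropped": len(dropped),
        "opened": len(first_open),
        "open_rate": len(first_open) / len(dropped) if dropped else 0.0,
        "first_open": first_open,
        "by_site": {site: tuple(v) for site, v in by_site.items()},
        "unknown_ids": unknown,
        # one host opening several drives is one curious person, not several
        "multi_drive_hosts": {h: sorted(d) for h, d in drives_by_host.items() if len(d) > 1},
    }


if __name__ == "__main__":
    s = summarize(parse_beacon_hits(ACCESS_LOG), DROPPED)
    print(f"{s['opened']} of {s['dropped']} drives opened ({s['open_rate']:.0%})")
    for site, (opened, total) in sorted(s["by_site"].items()):
        print(f"  {site}: {opened}/{total}")
    print("unknown ids:", sorted(s["unknown_ids"]), "multi-drive hosts:", s["multi_drive_hosts"])
```

Counting by drive id rather than by hit keeps one user's double double-click from inflating the number, and keeping the manifest separate from the log shows which drop sites pay off. Ids that appear in the log but not in the manifest deserve a look: either a drive was mislabelled or somebody is probing the beacon URL, which means the test has been noticed.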

1.19.2010

Tough Snail Shell Could Inspire Better Body Armor

source. LiveScience

By Rachael Rettner, LiveScience Staff Writer

A snail's shell that protects it from attacks underwater could provide clues for designing improved body armor to guard human soldiers, a new study suggests.

The research involved an unusual sea snail, the so-called "scaly-foot" snail, which was first reported in 2003 and makes its home in the harsh environment of a deep-sea hydrothermal vent in the Indian Ocean. Past studies of the snail, a type of sea mollusk, revealed its foot was covered in plates of iron-sulfide minerals, and it is the only animal known to employ iron sulfides as a structural material.
  
Like other snails, this one also sports a shell covering its body. Although hard, a typical snail's shell will fracture if persistently squeezed by a predatory crab. Hoping to learn exactly how the scaly-foot snail's shell is designed to resist such crushing, the authors took a close look at the shell's structure, examining it on the nanoscale.
 
They saw that the shell is composed of three layers: a hard outer layer that contains iron sulfides, similar to the ones identified in its foot scales; a more supple middle layer made of organic material; and a stiff inner layer with a large amount of calcium minerals. This arrangement of "rigid-compliant-rigid" layers creates a trilayer, sandwich structure unique to this snail, the researchers say.


Snail protection
After figuring out the shell's structure, the team used a computer model to simulate how the shell fared when subjected to a penetrating force, similar in strength to the pinching of a crab's claws.

"Each layer does something differently," said lead researcher Christine Ortiz, a materials science and engineering professor at MIT.

The hard outer layer contains small, grain-like particles. When under attack, these granules help to dissipate the energy of the blow, spreading it out across the outer region. Any fractures that occur will disperse along jagged lines guided by the granules, forming fissures in the top layer.

"Cracks that form travel extensively throughout the outer layers, thereby protecting the inner layers and mitigating catastrophic fracture," Ortiz said.

The softer middle layer helps protect the brittle inner layer from cracking, Ortiz explained. And the inner layer itself protects the snail's body from injury. Since this inner layer is rigid, it doesn't displace into the animal's body during an assault, which could cause blunt trauma, Ortiz said.

Put together, the three layers work to help prevent penetration of the shell and also withstand bending.

The outer and middle layers also help the snail to survive in the extreme environment characteristic of hydrothermal vents, since these layers are resistant to dissolving in the highly acidic waters.  And the middle layer protects the snail from temperature changes at the vents.

Snail-like armor and sporting gear
The shell's structure may one day inspire new and better designs for human protective equipment, from body armor to sporting gear. The three-layer arrangement and curved surface give the shell stability and penetration resistance, highly valued characteristics of materials used for armor, Ortiz said.

Automobiles painted with an iron-based, granular coating similar to the one found in the shell's outer layer could dissipate energy in the same way the shell does when undergoing a predator attack.

However, any bio-inspired design would likely not use the exact same materials found in the snail's shell, which has flaws of its own. Scientists would simply use it as a guide, and improve upon the shell's shortcomings.

"Nature only uses what's available to it," said Ortiz. Engineers might use a similar design, but replace some of the components with high performance structural, or ballistic materials, she said.

The results were published online Jan. 18 in the journal Proceedings of the National Academy of Sciences.

1.18.2010

7 Famous Security Breaches

source: NJ.com


When Rutgers doctoral student Haisong Jiang slipped under a security rope to give his girlfriend a kiss before she left on a flight out of Newark Liberty airport Jan. 3, the resulting security breach threw the airport into a lockdown, and inspired everyone from politicians to ordinary business travelers to talk about airport security. While this incident grabbed headlines worldwide, it's only the latest in a long line of high-profile breaches to hit airports, computer networks and even the White House. Take a look at our list of seven famous breaches.


7. Presidential Dinner Crashers: Washington D.C., November 24, 2009
Tareq and Michaela Salahi, a Virginia couple, slipped past security and were uninvited guests at a White House state dinner. The event was to honor Indian Prime Minister Manmohan Singh, but the well-dressed Salahis got all the headlines, mingling with guests and even getting a photograph with President Barack Obama.


Result: White House security systems are under review, two wannabes got 15 minutes of fame and may face criminal charges.


6. Man of Many Talents: Worldwide, Arrested, 1969
New York native Frank Abagnale was at different times an airline pilot, an attorney, a doctor. Actually, he was fooling security officials at airports, hospitals and other institutions. Abagnale was also famous for forging millions of dollars in checks and playing havoc with security systems long before computers.

Result:
Abagnale was arrested in 1969 in France, served jailtime and later became a security expert. His life story became the inspiration for "Catch Me if You Can," a movie starring Leonardo DiCaprio and Tom Hanks.



5. Grammy Gatecrasher: New York, Feb. 25, 1998
Picture it: Rock and roll legend Bob Dylan is jamming on stage during the Grammy Awards. Suddenly, a pasty man with no shirt is on stage next to Dylan. How did this guy get past show security? How come he's got SOY BOMB written on his chest? The man gyrates for about a minute on TV before being escorted off by security. The best part? Dylan never missed a beat.

Result:
Artist Michael "Soy Bomb" Portnoy  had been hired as one of dozens of show extras to dance in the background as Dylan performed, but he clearly went over the line. He never faced charges, but never got paid for his appearance.





4. This is Only a Drill: Slovakia, Jan. 2, 2010
Airport security workers in Bratislava, Slovakia put a bomb in an unsuspecting passenger's luggage as part of a drill. Problem was, none of the airport staff being drilled removed the explosive and it was loaded onto a plane bound for Dublin. Fortunately, the bomb didn't explode, no one was hurt and the plane landed without incident. The bomb was recovered after the plane landed, when the passenger was arrested for carrying a bomb aboard a plane.


Result: The passenger was released, but European Union officials are demanding changes in Slovakia's airport security procedures.


3. Security breach in the CIA:  Arlington, Va., arrests made Feb. 24, 1994
Some spies spill secrets for ideological reasons. Central Intelligence Agency USSR expert Aldrich Ames was in it for the money. Beginning in 1985, the FBI says, Ames shuttled classified documents to the Soviets and was paid nearly $2 million over several years. Because he was schooled by the CIA, Ames was able to cloak his misdeeds for years.


Result: Ames and his wife Rosario were arrested, pleaded guilty and were sentenced to prison.


2. Retail Hacker: Miami, Arrested August 17, 2009
If you shopped at T.J. Maxx, ate at Dave & Buster's or bought books at Barnes & Noble, computer hacker Albert Gonzalez may have had access to your credit card number. The feds say Gonzalez led a group of hackers who breached computer security systems and stole 170 million payment card numbers from ordinary people just like you. Gonzalez may have been emboldened by his experiences as a one-time government informant.


Result: Gonzalez's sentencing has been delayed. He's lobbying for a lenient sentence because he has Asperger syndrome.


1. Deadly Painkillers: Chicago, 1982
A string of deaths in and around Chicago in 1982 were blamed on Extra-Strength Tylenol spiked with cyanide. At first it was feared the poison had been introduced during the production of the painkillers, but authorities later said the pills were most likely tainted after they were stocked on supermarket shelves.


Result: The incident led to changes in the way medications are packaged, but the killer or killers remain at large.


© 2010 NJ.com. All rights reserved.


11.11.2009

Company responsible for 1/3 of the world's junk email shut down.


A botnet that was once responsible for an estimated third of the world's spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to the M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change, said Jamie Tomasello, an abuse operations manager at antispam firm Cloudmark.

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

With Ozdok's head chopped off, more than 264,000 IP addresses were found reporting to sinkholes under FireEye's control, an indication of the massive number of zombies believed to have belonged to the botnet. FireEye researchers plan to work with ISPs to identify the owners of the orphaned bots so the infected machines can be cleaned up.

FireEye researchers said the key to dismantling the giant ring was a coordinated effort that worked in multiple directions all at once so that bot herders didn't have a chance to counteract. "As it turns out, no matter how many fallback mechanisms are in place, if they aren't all implemented properly, the botnet is vulnerable," they wrote.