Unless you have HIPAA, PHIPA, SOX, CISSP, work for DoD, or just a company who values privacy. Then you get a Blackberry and download the right apps. There should be no such thing as an iphone or droid at a company who has security requirements. Please tell me I’m wrong with citations of how an iphone or droid is fully compliant with FIPS140-2 and is listed on the appropriate NIST site so I can show my attorney. Then I will snuggle up in my happy google cloud or let my coworkers get all happy in their iphone cloud.

I do envy you people who are arguing about megapixels and screen size. Not becuase your petty arguments have merit, just because I want the happy ladder instead of the Escher staircase.

One side note- I still challenge anyone to show me an iphone app with a real business use for me that can’t be replicated by blackberry or droid. So far it doesn’t exist. I think these are all fairly equal platforms and just flavors, not fat vs carbs.

The combination of facebook owning your data, and you being excluded from that ownership/permissions editing should be something to ponder.

netsh ipsec static add policy description=”ossec block list”

netsh ipsec static add filter filterlist=”ossecfilter” srcaddr= 69.89.20.50 dstaddr=me protocol=tcp mirrored=yes

netsh ipsec static add rule policy=”ossec” filterlist=”ossecfilter” filteraction=block desc=”list of ips to block”

netsh ipsec static set policy assign=y

This blocks windowsnerd.com

Add another entry for slashdot. Ipsec doesn’t like having an empty entry so leave an addy in there to seed it for a delete in another step:

netsh ipsec static add filter filterlist=”ossecfilter” srcaddr= 216.34.181.45 dstaddr=me protocol=tcp mirrored=yes

Now if you open the ipsec MMC, you will see an applied ipsec policy, crack it open and you will see both entries for each IP.

Try going to windowsnerd.com, slashdot.com and another page. The first two will not work. All traffic has been blocked

Unblock -

netsh ipsec static delete filter filterlist=”ossecfilter” srcaddr= 69.89.20.50 dstaddr=me protocol=tcp mirrored=yes

Repeat – now you can block and unblock by running the static add and static delete command over and over. It will update the policy you created in the first step. Not quite as cool as adding to hosts.deny and firewall, but the same end result.

This example is for use on an application like OSSEC. If you desire, you can specify per port, IP addy, DNS name, whatever you want.

Skype TCP ports 13861, 34954, 42045

Apple remote admin stuff – tcp 5354

typical email – tcp  25, 143, 465, 587, 993, 995 (use these at your own risk. Some you need for gmail etc, but if you open 25 outbound you may be spamming if a machine is owned)

 web – tcp 80, 443

openvpn – tcp 1194

ssh – tcp  22

ftp -tcp 21

Instant messengers - tcp 1863, 5050, 5190, 5222, 5223

Remote desktop – do some port forwarding so it comes in on like 10020 and goes in to 3389. Dont open 3389 to the outside.

How do you find more?

Open a command prompt

type in netstat -no and hit enter

you will see a list of the open source and destination addresses. Compare this list to the auto refresh block list in your untangle firewall. Look for the PID. Compare that to a task manager PID and see what process is using it. Make sure you know what you are allowing when it is blocked.

<localfile>

<log_format>mysql_log</log_format>

<location>/var/log/yourlogfile.log</location>

</localfile>

Restart ossec and it should start reading your mysql logs now. Anyone have additional rules to add in for mysql?

After an SSH into a new Ubuntu machine, you can see that there are patches available. And not just Ubuntu patches, for all the packages you have installed.

Dear Microsoft: I wish that at the login screen to Windows, in all that empty space, you have a box that says:

XXX programs can be updated. XXX are security updates

XXX drivers can be updated. XXX drivers address critical issues

Once this is done, I would like to see Microsoft leading a charge to develop a central patch distribution service like Linux does so well. Manufacturers would be responsible for updating and uploading their latest into the system. The default action would be to install updates as a manufacturer releases them. Settings would allow you to download and notify, notify only or ignore. At that point we add to the login screen-

XXX 3rd party programs can be updated. XXX are security updates

I think it will be a pain in the ass to set up. But not as much of a pain in the ass as users who refuse to update java, flash, quicktime, acrobat and everything else out there.

Here is the link to wikileaks who broke the story.

Maybe this will be the new tax needed to make companies/govt agencies provide resources to protect data.

Operating system password only: BAD

If you depend on the Windows password to protect patient data, you belong in jail or in a place where they levy fines against you daily. You are lazy, ignorant or an evil penny pinching jerk. Enough said. No computers for you!

BIOS Password: NOT ACCEPTABLE

Honestly not much better than an OS password as far as time needed to exploit, bios passwords are easily defeated by many tools. They are bundled in to many boot cds anyone can download from the internet. I’ll leave these tools without a name because any idiot can use these and I’m not giving the lazy ones a head start.

Hard Disk Password: Getting started

Vendor information tells you that your hard disk’s password is safe even if the data is taken to another computer. This is not so. There are software tools that can brute force or wipe the chip containing the password. You can buy replacement security chips for certain hard drives. Tools to exploit a hard disk password located on the hard drive are a little more rare that say a multimeter. So obscurity is beginning. This is a good starting point, but here are few ways around it to prove how easy it is:

Call YEC. Ask about purchasing a Shinobi unit for $1190. You can use this to kill the password on most drives. Anyone could buy this for their garage, sell a legit password reset service on craigslist and make the cost back in a week. Then just start trading drives on ebay and dig for gold. For $100-$300, YEC will do the crack for you if you call them. A person who knows they have aquired a laptop with sensitive data doesn’t have to own anything or have experience hacking/cracking, they can just mail it in.  One could also remove the platters of the drive and install them in a nonprotected drive for around $500-$1000 using a data recovery service.  A few hundred dollars is more than enough to build a “clean box” to move the platters without a clean room and have a very good chance of imaging the drive without damage. 

Hard Disk passwords can be enhanced by using something like a Shinobi to install a better MD5 protected password. This adds some complexity and shows any court that you are making a heck of an effort to protect data. For $1000 it is really cheap if you use it to protect 100 hard drives, and also use it to wipe your disks before disposal. 

As a proof of concept I just ran a few tools against a sata 160GB drive, brute force took 2.5 hours on a single word, 1 digit password. Easy peasy. 

Whole Disk Encryption: Decent-Good

Implementation is the key here. Whole disk encryption is breakable using information in RAM. Google cold boot attacks. Adding a token like from Pointsec doesn’t gain you anything against ths same type of attack on RAM. This holds true for Truecrypt, Bitlocker, apples encryption, pgp, most of them. To use whole disk encryption to protect HIPAA data you need to:

Disable sleep, hibernate, any low power settting other than ON or OFF.

Set the laptop to shut off if the lid is closed.

Don’t use TPM without a pin or usb key in combination with TPM

If whole disk encryption is combined with a hard disk password, you get a great combination for security. Your users will hate you for having 2 passwords which need to be different in order for the effort to be worthwhile. 

New Hard Disk – On disk encryption “opal standard“: Good

Far from perfect, the new standards implemented by storage industry manufacturers and computer vendors are more complex, but fairly safe. The Opal standard is the Trusted Computing Initiative plan to solve laptop/desktop storage security issues.  My personal experience with the Dell/Wave/TPM module is negative so far. The software is buggy and bloated, I’ve had to reset the encryption a few times on a few machines and this has made the experience for the user horrible.  As of 4/15/2009, the Dell/Wave/Embassy suite for an XT tablet is an 198MB download! The fingerprint reader should at least work for a 200MB installer. Not something I will be implementing company wide any time soon. I don’t want ALL the employees to hate me. 

As time goes on this technology will get better, but the clock is ticking until someone releases a crack for it too. I’m not sure why but vendors always seem to be in a state of denial about the number of people activly working against their new “unbreakable” technology. Right now I rank the opal standard as great by means of “security through obscurity.” It is new enough not to have a giant target on it’s head. For now I’d say it is your best bet. As market share increases and more computers use this technology, it will be broken in to and you should have a back up plan in place.

Windowsnerd recommendation: Wholedisk + HDkey

Older computers/small business- Truecrypt + your HD vendors key. Not perfect by any means but it sure is a good effort and it is free  + $manpower. Will someone in a hurry to do a cold boot attack know they need to crack your HD password first? Yes. Will they do it while your laptop still has power? Maybe not. If anyone ever tries to prosecute you for losing HIPAA data on a laptop with both of these in place, I’m sure they will lose. I would not recommend spending thousands of dollars on a whole disk product until you have a company with a whole lot of machines. When installing Truecrypt, use Twofish+serpent+AES. Adds a big A for effort, slows you down 10% or so. If the performance is important, buy faster hard disks. If performance is really important buy SSDs. Security is with regulated data is more important than speed. You can make that part of your employment policy. 

New computers/large business – pointsec/newer disk key. I still like Pointsec over PGP only because of the active directory tools and key management. I recommend Pointsec and a password on every hard drive. If you get new computers, buy a drive advertised to have encryption capabilities and use that as well. Read up on the OPAL standard, manufacturers are just getting started with releasing some good drives compliant with OPAL. 

Oh and dont forget- backups become UBERimportant. When these encrypted drives/operating systems smoke, they go down in big flames. If you can’t get past that first password you can’t use any recovery tools. 

Lesson to be learned over and over:

HIPAA reminds me a lot of FERPA. Universities lose FERPA data all the time.  They know that bad press is the worst that will happen to them. With the number of records being lost every year creeping into the thousands of incidents, they know the bite from the press is becoming painless. Nobody notices, it happens all the time. When your information is lost, xUniversity sends you a letter telling you to file a police report, a freeze on your credit and  leaves the mess to you. I have many of these letters. I know the admins who weren’t given money to protect the FERPA data. They weren’t given the money because the worst that would happen is that xU sends some letters and fires the admin who asked for money to protect the data in the first place.  If there were fines against the institution in the millions of dollars, data would be protected.  Don’t universities have history, ethics or computer science classes? Ah but the accounting and economics classes are more important than ethics and history at todays degree mills. The worker bees at the big Us don’t want to listen to the academics anyhow.

To date I beleive we are still at 2 prosecutions in the US for misuse of HIPAA data. The fact remains that bad press is all that will likely come of losing HIPAA data. See above for ramifications. Did I mention HIPAA is a 1996 thing and the year right now is 2009? 2 prosecutions?

So the lesson I keep learning and repeating – the solution to protect data. The only solution that works is to have government regulations with real teeth. The day we assign jail time, personal fines and prosecute offenders will be the day our data becomes  safer. Right now everyone looks at the least they can do to satisfy the rules. Or how much the fine is vs the cost to implement safegaurds. If the fine is steeper, the demand for good security goes up, and industry produces better security more often. 

If you are a consumer- suck it up and pay to have your credit monitored. Your personal data WILL be stolen and it will not be your fault. If you decide to be insured or monitor your credit, you are taking some good advice from someone who watches admins lose data all the time.

Google Chrome ad blocker -Adsweep.org – follow the instructions, it will only take a minute or two to copy and paste what you need.

IE – download and run IE8, turn on the “in private” browsing thinger.

For all 3 – download and install the hosts file from MVPS.org. This maintains a list of bad guys and prevents your computer from having any traffic going there. Make a calendar appointment to update this every few months or so.