Blog: Security and Compliance

Computer Security Day (CSD) is a worldwide, annual security awareness event. It started in 1988 to help raise awareness of security concerns and remind people to protect their computers. CSD is officially November 30th; however, when November 30th falls on a weekend or holiday, it is usually observed the next business day. The theme of CSD for 2008 is "A Good Defense".

To learn more, visit the official CSD website at http://www.computersecurityday.org


A Nevada law that took effect in October will require all businesses to encrypt personally identifiable customer data, including names and credit-card numbers, that is transmitted electronically. Companies in Nevada that suffer a security breach but comply with the new law would cap their damages at $1,000 per customer for each occurrence; however, those that do not comply would be subject to unlimited civil penalties.

http://online.wsj.com/article/SB122411532152538495.html



The FBI, the U.S. Postal Inspection Service, and state and local authorities are investigating more than 60 threatening letters that have been received by financial institutions in Arizona, California, Colorado, Georgia, Illinois, New Jersey, New York, Ohio, Oklahoma, Texas, Virginia, and Washington, D.C. The letters began to be received on Monday, Oct. 20, 2008, and all appear to originate from Texas; all have been postmarked in Amarillo, TX. Most of these letters contain a powder substance with a threatening communication. At this point, field and laboratory tests on the powder have been negative; however, additional testing is taking place.

To see a copy of one of the letters, visit http://www.fbi.gov/page2/oct08/threatletters_102308.html


On Thursday, October 23, 2008, Microsoft released a critical out-of-cycle security update. This update addresses a vulnerability in the Windows Server service that could allow remote code execution. Microsoft has rated this vulnerability Critical for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. This vulnerability has been rated Important for all supported editions of Windows Vista and Windows Server 2008.

The update addresses the vulnerability by correcting the way that the Server service handles RPC requests. Additional technical details on the vulnerability and update can be accessed at:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

As a best practice, RPC functionality should not be exposed directly to the Internet. However, as a precaution, CoNetrix recommends applying the update available from Microsoft as soon as possible.

If you have any questions or need assistance with this update, please contact CoNetrix at support@conetrix.com or call (800) 356-6568.



Yesterday, the Federal Trade Commission (FTC) stated they would suspend enforcement of the new "Red Flags Rule" until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written Identity Theft Prevention Programs.  This does not affect the other federal agencies' (FDIC, OCC, Federal Reserve, OTS, & NCUA) enforcement of the original November 1, 2008 deadline. 

To read the new Identity Theft Red Flags rules and guidelines go to conetrix.com/Files/ITPP_Regulation.pdf



What do you get the paranoid schizophrenic who has everything?

An "EnhancedHardDrive" from Ensconce Data Technology, of course! Tired of destroying your hard drives at home the old fashioned way using fire/thermite? How barbaric! How messy! The EDT Enhanced Hard Drive will flood itself with an acid mist using up to 17 remote triggers, rendering the drive forensically unrecoverable.

After talking with a customer about how to dispose of old hard drives, I started doing some research on different data disposal methods and I happened upon EDT's site. I doubt any of us will encounter anything of this level of security, but it seemed interesting so I thought I'd share. It seems like the niche market for a product like this would be pretty small, but I recently read that their sales goal for this next year is somewhere around 25 million. Someone's got something to hide :)


The following Special Alert was released by the FDIC concerning e-mails being sent that claim to be from the FDIC. These e-mails are attempting to trick recipients into installing unknown software on personal computers. The subject line of the messages is: "Funds wired into your account are stolen." Here is a copy of the FDIC's Special Alert:

The FDIC is aware of e-mails appearing to be sent from the FDIC that ask recipients to open and review an attached file. Currently, the subject line of the e-mail states: "Funds wired into your account are stolen." The e-mail is fraudulent and was not sent by the FDIC.

The fraudulent e-mail tells the recipient that proceeds from identity theft crimes have been wire-transferred into their bank account. The e-mail then directs the recipient to open and review an attached copy of their bank account statement and to contact their bank account managers.

The attached file is actually an executable file containing malicious code or software. Recipients should consider the attached file as a malicious attempt to collect online banking credentials or other personal and confidential information that could be used to gain unauthorized access to on-line banking services or perpetrate identity theft and other criminal activities.

Recipients of the fraudulent e-mail should not reply and should not attempt to open the attached file. According to reports received by the FDIC, many antivirus software programs have been detecting and removing the malicious attachment before the e-mail is delivered. However, if a recipient does open the attachment, the FDIC recommends updating anti-virus software patches and performing a complete scan of the computer and network, if applicable. If a computer becomes infected and the user encounters difficulties removing the malicious code, users should contact their anti-virus software vendor. The FDIC highly recommends using anti-virus software.

For additional information about safe online banking and avoiding online scams, visit http://www.fdic.gov/consumers/consumer/guard/.

For your reference, FDIC Special Alerts may be accessed from the FDIC's Web site at www.fdic.gov/news/news/SpecialAlert/2008/index.html.



The Dallas Region of the FDIC conducted a conference call today (October 8, 2008) entitled "ID Theft Responsibilities - FACTA Red Flag Guidance."  The call consisted of a presentation including an overview of the regulation and guidelines, exam procedures, and what examiners will be looking for, followed by a question and answer session.  The FDIC presenters were:

  • James Brignac, Regional Office IT Examination Specialist - Risk Management
  • Jeff Kopchik, Technology Supervision Branch Senior Policy Analyst

The call was not recorded, but attached you will find a copy of the PowerPoint slides used during the call in Adobe PDF format.

FACTA ID Theft presentation.pdf (165.52 kb)



I recently started reevaluating how we do port security as a result of a recent customer's information security audit. We normally turn on port security and set the maximum MAC addresses to 1 (the default) or 2 (if there is an IP phone connected). The default behavior is to disable the port when the MAC changes or if the number of concurrent MACs exceeds the maximum.

However, during testing I discovered this didn't work exactly like I expected. Port security was enforced as long as a device stayed connected to the port. If the port was disconnected, the switch would remove the pre-existing MACs and ANY new device could connect, as long as the maximum was not exceeded. While this prevents unauthorized hubs and switches, it doesn't prevent someone from unplugging a device and plugging in a different unauthorized device.

The solution to this is to use the sticky option on the port security interface command:

  • switchport port-security – enables port security; the optional "maximum <n>" sets the maximum number of MAC addresses to a value greater than 1
  • switchport port-security mac-address sticky – turns on the sticky MAC feature

After enabling, you will notice the currently connected MAC address(es) will appear in the running config:

  • switchport port-security
  • switchport port-security mac-address sticky
  • switchport port-security mac-address sticky 0080.6433.xxxx

This will stay in the config until the switch is rebooted, so it’s important to write the config.

Other related commands:

  • show port-security address – lists all the learned MAC addresses by interface
  • show port-security interface fa0/1 – shows the detailed port security settings for an interface, including enable/disable status
  • clear port-security sticky interface fa0/1 – clears the learned sticky MAC addresses, must be done prior to a shut/no shut to re-enable a port disabled due to port security

When you use sticky MAC addresses you'll want to make sure that the MAC addresses are cleared off of a switch when a device is moved. We had a laptop that was moved from one client location to another, and one of the distribution switches thought the device was still plugged into the old switch while the other distribution switch thought it was plugged into the new switch. This created a situation where some network traffic was reaching the laptop and some was going into a black hole. After clearing the sticky MAC addresses on the old switch the problem was resolved.

Update: You might also be interested in a couple of sticky MAC address tips.
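The two failure modes in this post (port security enabled without sticky, so any device can take a port after a disconnect; and a stale sticky MAC left on the old switch after a device move, which black-holes traffic) can both be caught by auditing saved running-configs before they bite. The following Python script is an added example, not part of the original post or any CoNetrix tool: it parses constructed interface stanzas from two hypothetical switches (dist-sw-old and dist-sw-new, with a made-up MAC 0080.6433.aaaa), reports ports where "switchport port-security" is present but "mac-address sticky" is not, and flags any sticky MAC that appears on more than one switch or port.

```python
"""Audit Cisco IOS running-configs for port-security sticky settings.

Added example (not from the original post). Parses constructed interface
stanzas, reports ports that have port-security enabled but not the sticky
option, and flags any sticky MAC learned on more than one switch, which is
the stale-entry black-hole scenario the post describes.
"""
import re
from collections import defaultdict

# Constructed sample configs for two hypothetical switches (not real devices).
CONFIGS = {
    "dist-sw-old": """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0080.6433.aaaa
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface FastEthernet0/3
 switchport mode access
!
""",
    "dist-sw-new": """\
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0080.6433.aaaa
!
""",
}

# A learned sticky entry: the sticky keyword followed by a dotted-hex MAC.
MAC_RE = re.compile(
    r"^ switchport port-security mac-address sticky "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$"
)


def parse_interfaces(config):
    """Return {interface_name: [config lines]} for each interface stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' ends the stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_interface(lines):
    """Summarise one interface stanza's port-security settings.

    'maximum' defaults to 1, the IOS default when not configured.
    """
    info = {"port_security": False, "sticky": False, "maximum": 1, "sticky_macs": []}
    for line in lines:
        stripped = line.strip()
        if stripped == "switchport port-security":
            info["port_security"] = True
        elif stripped == "switchport port-security mac-address sticky":
            info["sticky"] = True
        elif stripped.startswith("switchport port-security maximum "):
            info["maximum"] = int(stripped.rsplit(" ", 1)[1])
        else:
            m = MAC_RE.match(line)
            if m:
                info["sticky_macs"].append(m.group(1))
    return info


def find_non_sticky_ports(configs):
    """Ports with port-security on but no sticky: after a disconnect any
    device can take the port, which is the gap the post found in testing."""
    findings = []
    for switch, config in configs.items():
        for name, lines in parse_interfaces(config).items():
            info = audit_interface(lines)
            if info["port_security"] and not info["sticky"]:
                findings.append((switch, name))
    return findings


def find_duplicate_sticky_macs(configs):
    """Sticky MACs present on more than one switch or port: a stale entry
    left behind after a device move, the cause of the black hole in the post."""
    seen = defaultdict(list)
    for switch, config in configs.items():
        for name, lines in parse_interfaces(config).items():
            for mac in audit_interface(lines)["sticky_macs"]:
                seen[mac].append((switch, name))
    return {mac: locs for mac, locs in seen.items() if len(locs) > 1}


if __name__ == "__main__":
    for switch, port in find_non_sticky_ports(CONFIGS):
        print(f"{switch} {port}: port-security enabled without sticky")
    for mac, locs in find_duplicate_sticky_macs(CONFIGS).items():
        print(f"{mac} learned at {locs}; clear the stale sticky entry")
```

Feed it the output of "show running-config" saved from each switch; a MAC reported by find_duplicate_sticky_macs is the one to remove with "clear port-security sticky interface ..." on the switch the device no longer sits behind, and a port reported by find_non_sticky_ports is one where only the maximum count is enforced.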



Microsoft Office uses various types of password protection. In general, passwords used to limit modification of documents are reasonably weak and can be cracked easily (and immediately) with tools such as Office Key (from www.lostpassword.com). Passwords required before a file can be opened usually require brute force type cracks, but until I did some research, I still didn't know how strong the encryption was for these types of protection.

There is also an online service (www.decryptum.com) that offers document recovery for about $29/document in many cases.  The service will show you part of the decrypted document before you have to pay for the whole document decryption process.  If they can't decrypt it, you don't pay.  However, it seems to work pretty well.  I tested it with a simple Office 2003 document that required a password to open.  Within about 30 seconds, they showed me the first two lines of the document's contents (which, in this case was the whole document).

Note - this does not work with 2007 XML formats, only with previous versions of Office documents. That is consistent with Microsoft's warning that encryption with older versions of Office is not as strong as it is with native mode 2007 documents.

The online document recovery process does not determine what the password is.  It just involves removing the password requirement altogether.

Of course, you would want to be very careful with confidential documents…

This came up in a recent audit where the bank was using password protected Word and Excel files for security measures.  We determined this isn't a suitable method for securing documents they send via e-mail.