Blog: Security and Compliance

Microsoft Office uses several kinds of password protection.  In general, passwords that only limit modification of a document are weak and can be removed immediately with tools such as Office Key (from www.lostpassword.com).  Passwords required before a file can be opened usually call for a brute-force attack, but until I did some research I did not know how strong the encryption behind that type of protection actually was.

There is also an online service (www.decryptum.com) that offers document recovery for about $29 per document in many cases.  The service shows you part of the decrypted document before you pay for the full decryption; if it cannot decrypt the file, you do not pay.  It seems to work well.  I tested it with a simple Office 2003 document that required a password to open.  Within about 30 seconds it showed me the first two lines of the document's contents (which, in this case, was the whole document).

Note - this does not work with the 2007 XML formats, only with earlier Office document formats.  That is consistent with Microsoft's warning that the encryption used by older versions of Office is not as strong as that of native Office 2007 documents.  The default "Office 97/2000 Compatible" encryption in those older versions uses 40-bit RC4, a key small enough to search exhaustively, which is what makes recovery without the password practical.

The online recovery process does not determine what the password is.  It produces a copy of the document with the password requirement removed altogether.

Of course, you would want to be very careful with confidential documents…

This came up in a recent audit where a bank was using password-protected Word and Excel files as a security measure.  We determined this is not a suitable method for securing documents sent via e-mail.



October is National Cyber Security Awareness Month!

Each year, the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS) joins with the National Cyber Security Alliance (NCSA), the Multi-State Information Sharing and Analysis Center (MS-ISAC) and other partners to support National Cyber Security Awareness Month, a national campaign focused on educating the American public, businesses, schools and government agencies about ways to secure their part of cyberspace, their computers and our nation's critical infrastructure.

The goal of National Cyber Security Awareness Month is to educate everyday Internet users on how to "Protect Yourself Before You Connect Yourself" by taking simple and effective steps.  These steps teach Internet users how to safeguard their computers from the latest online threats, offer ways to respond to potential cyber-crime incidents, and show how each person's cyber security affects the security of our nation's critical infrastructure.

Below are a few links related to National Cyber Security Awareness Month:



On our Information Technology Audits, one of the things we do is spot-check workstations to see whether employees appear to be storing nonpublic customer information in documents on their workstations.  One reason we discourage storing confidential files on a user's local computer is that it limits the loss of confidential data if the computer is stolen.  When looking for these files, most people know to check the Desktop and My Documents folders.  However, there is a location where these confidential files can exist that is commonly overlooked - the user's Temporary Internet Files directory.  There are a few different ways a file with confidential information can unintentionally end up there.  One is when the document arrives as an e-mail attachment and is opened directly from the message.  Another is when you download and open a file from a web page on your local intranet or any other website.

We recommend deleting your Temporary Internet Files every time you log off or shut down, to avoid unintentionally storing files with confidential information on your local hard drive.  There are a couple of ways to do this.  The most reliable is to set up a script that runs automatically when you log off or shut down the computer.  Here is a good example of a script to delete Temporary Internet Files, by the Scripting Guys at Microsoft TechNet.  If for some reason you must store confidential files on a workstation, then you should look into protecting that system's hard drive with full disk encryption.
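The following PowerShell script is an added example of such a logoff sweep; it is not the Scripting Guys script referenced above.  It resolves the current user's Temporary Internet Files folder through the InternetCache special folder (so it works whether the folder lives under Local Settings on XP or under AppData on Vista and later), logs the names (not the contents) of any document-type files found there, which are exactly what the audit spot-check looks for, and then deletes the cache.  The log folder under %LOCALAPPDATA% and the list of document extensions are choices made for this example.

```powershell
# Added example; not the script referenced in the post above.
# Sweeps the current user's Temporary Internet Files at logoff: logs the names
# (not contents) of any document-type files found there, then deletes the cache.
# Assumptions: the log folder and extension list below are choices made for this
# example; deploy through Group Policy as a user logoff script.

$cache    = [Environment]::GetFolderPath([Environment+SpecialFolder]::InternetCache)
$logDir   = Join-Path $env:LOCALAPPDATA 'TIF-Sweep'          # assumed log location
$log      = Join-Path $logDir ('sweep-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$docTypes = '.doc', '.docx', '.xls', '.xlsx', '.pdf', '.csv', '.txt', '.rtf'

if (-not (Test-Path -LiteralPath $logDir)) {
    New-Item -ItemType Directory -Path $logDir | Out-Null
}

# -Force is required: the cache folder and its contents are marked hidden/system.
$files = @(Get-ChildItem -LiteralPath $cache -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })

# Record documents that should never have been on the local disk; these are the
# files an auditor's spot check is looking for.
$docs = @($files | Where-Object { $docTypes -contains $_.Extension.ToLower() })
foreach ($d in $docs) {
    "{0}`tDOC`t{1}`t{2}" -f (Get-Date -Format s), $d.Length, $d.FullName |
        Out-File -FilePath $log -Append
}

# Delete everything. Files still locked by a running browser or Outlook
# (index.dat, an attachment left open) are counted and skipped rather than
# aborting the logoff script.
$deleted = 0
$locked  = 0
foreach ($f in $files) {
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        $deleted++
    } catch {
        $locked++
        "{0}`tLOCKED`t{1}" -f (Get-Date -Format s), $f.FullName | Out-File -FilePath $log -Append
    }
}

"{0}`tSUMMARY`tfiles={1} deleted={2} locked={3} documents={4}" -f (Get-Date -Format s), $files.Count, $deleted, $locked, $docs.Count |
    Out-File -FilePath $log -Append
```

Assign it under User Configuration > Windows Settings > Scripts (Logon/Logoff) so it runs for every user at logoff rather than relying on each person to remember.  Two caveats: a file that is still open in Internet Explorer or Outlook when the script runs is logged as LOCKED and survives until the next sweep, and on these Windows versions Outlook keeps opened attachments in a subfolder of this same directory, so the recursive sweep covers them only once Outlook has closed.  Review the DOC lines in the log periodically; a workstation that keeps accumulating them is one where the user is opening confidential attachments on the local machine.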



Paraben has released a new electronic device designed to capture all of the data a cell phone contains.  The device is called the Cellular Seizure Investigation Stick, or CSI Stick.  It plugs into a cell phone's data port and can copy all the data off the phone, including e-mails, instant messages, text messages, call logs, contact lists, spreadsheets, pictures, movies, or anything else stored on the device (even deleted files that have not yet been overwritten).  In addition, the device leaves no trace on the phone that its data was copied.  Currently a long list of Motorola and Samsung cell phone models are supported, but the company states that more manufacturers and models will be supported in the next generation.

The device was built primarily to help government agencies gather forensic-grade data from cell phones, but it is available to the public.  The device costs $199, and the software to analyze the captured data on your PC runs $99 to $895 depending on the features you need.  The next time you loan your cell phone to someone or leave it unattended, be aware that someone could quickly copy all the data off it by simply plugging in a CSI Stick.  To reduce this risk, store as little sensitive data on your cell phone as possible and never leave the phone unattended.



CoNetrix is pleased to announce the CoNetrix Identity Theft Prevention Program online solution is a candidate for the BankNews 2008 Innovative Solutions Award.

The Innovative Solutions Award, sponsored by BankNews, recognizes companies that have introduced or enhanced a product or service designed to help banks better serve their customers.  Entries are divided into four categories:

  1. Architectural/Equipment Solutions
  2. Consulting/Outsourcing/Training Solutions
  3. Management Software Solutions
  4. Online/Remote/Mobile Solutions

The CoNetrix solution "Identity Theft Prevention Program" is listed under category 4, "Online/Remote/Mobile Solutions".

To vote now, go to http://surveys.verticalresponse.com/a/show/180223/f7c379558a/0

To learn more about the Innovative Solutions Award, visit http://www.banknews.com/


The Board of Governors of the Federal Reserve System (Board) is proposing amendments to Subpart A of Regulation S, which implements the requirement under the Right to Financial Privacy Act (RFPA) that the Board establish the rates and conditions under which a government authority pays a financial institution for assembling or providing financial records pursuant to the RFPA.  The proposed amendments update the fees to be charged and take account of recent advances in electronic document production.

Comments must be submitted on or before September 29, 2008.

To read the Press Release from the Board of Governors of the Federal Reserve System, visit http://www.federalreserve.gov/newsevents/press/other/other20080813a1.pdf


The OTS presented a live, ninety-minute telephone briefing today (Monday, August 11, 2008), beginning at 2:00 p.m. Eastern Time, on the new Identity Theft Rules and Guidelines that take effect on November 1, 2008.  The presentation reviewed the rules and guidelines and the examination procedures, and answered questions.  Below are links to two of the PowerPoint presentations used during the briefing:


On July 8, security researcher Dan Kaminsky announced that he would reveal details of a DNS cache poisoning vulnerability at Black Hat.  Since then, many technology vendors have released patches for the flaw; the fix they implement is to randomize the UDP source port of each outgoing query, so that a forged reply has to match a random port as well as the 16-bit transaction ID.

Kaminsky provides a "DNS Checker" self-test on his personal blog at http://www.doxpara.com/ that you can use to confirm the resolver your workstations use has been patched.



A study by Verizon Business contends that nearly 9 out of 10 data breaches could have been prevented with reasonable security measures in place.  The study also indicates that the great majority (73%) result from external threats; however, it points out that damages are usually greater when the threat is internal.  A summary of the study can be found at http://www.eweek.com/c/a/Security/Your-Data-Breach-Was-Probably-Avoidable/



On April 8, 2008, Adobe released a Security Bulletin regarding vulnerabilities in various versions of Adobe Flash Player.  In the bulletin they recommend upgrading to the latest version of Adobe Flash Player (at least version 9.0.124.0).  However, various reports were published today by security firms and security-related websites reminding users of the threats associated with continuing to run earlier versions of Flash Player.  If you have not already verified that your system(s) (or your company's systems) have the patched version of Adobe Flash Player, you should do so.  You will need to check both Microsoft Internet Explorer and Firefox: the plug-ins are different, so updating Firefox does not update IE and vice versa.  To read more, visit the links below.

http://www.adobe.com/support/security/bulletins/apsb08-11.html

http://www.informationweek.com/blog/main/archives/2008/05/adobe_flash_pla.html
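Because the IE ActiveX control and the Firefox plug-in are separate files, a version check has to look at both.  The PowerShell script below is an added example (not from the post or from Adobe) that reports the version of each Flash Player binary it can find and flags any copy older than 9.0.124.0, the minimum fixed version named in the bulletin.  The file names and directories are Adobe's usual install locations on 32- and 64-bit Windows and are assumptions; add paths if your deployment differs.

```powershell
# Added example; not from the post or from Adobe. Reports the installed Flash
# Player version for the Internet Explorer ActiveX control and for the NPAPI
# plug-in that Firefox loads, and flags any copy older than the version Adobe's
# bulletin names as fixed. File names and directories are Adobe's usual install
# locations and are assumptions; add paths if your deployment differs.

$fixed = [version]'9.0.124.0'     # minimum fixed version per APSB08-11

$candidates = @(
    # IE ActiveX control (Flash9*.ocx and similar)
    (Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash*.ocx'),
    (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash\Flash*.ocx'),
    # NPAPI plug-in used by Firefox (and other Mozilla browsers)
    (Join-Path $env:SystemRoot 'System32\Macromed\Flash\NPSWF32.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash\NPSWF32.dll'),
    (Join-Path $env:ProgramFiles 'Mozilla Firefox\plugins\NPSWF32.dll')
)

function Get-FileVersionObject([System.IO.FileInfo]$File) {
    # VersionInfo.FileVersion is a free-text string that Adobe formats with
    # commas ("9,0,124,0"), so build a comparable [version] from the numeric parts.
    $vi = $File.VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$found = 0
foreach ($pattern in $candidates) {
    foreach ($file in @(Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue)) {
        $found++
        $v = Get-FileVersionObject $file
        $status = if ($v -ge $fixed) { 'OK' } else { 'VULNERABLE' }
        '{0,-11} {1,-12} {2}' -f $status, $v, $file.FullName
    }
}
if ($found -eq 0) {
    'No Flash Player ActiveX control or NPAPI plug-in found in the checked locations.'
}
```

Run it on each workstation (or push it out through your remote-execution tool of choice) and treat any VULNERABLE line as a system to update; an OK result for the ActiveX control says nothing about the Firefox plug-in, and vice versa.  Comparing the numeric version parts rather than the FileVersion string matters here, since a plain string comparison would rank "9.0.47.0" above "9.0.124.0".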