Blog: Security

During a recent information security audit, I ran across a “unified threat management” system that I had not seen before called Untangle (www.untangle.com).  The bank was using it in place of a traditional firewall.  According to the Untangle website, the Untangle Gateway is “the world’s first commercial-grade open source solution for blocking spam, spyware, viruses, adware and unwanted content on the network, provides a free and better alternative to costly, inflexible proprietary appliances.”  The interesting part is that the gateway runs on Linux and all the “modules” (firewall, IPS, web content blocker, etc.) are open source downloads, so the gateway is a free download.  Additionally, the source code for the Untangle gateway is available for download.

You can choose to pay for certain modules such as Untangle support, an Active Directory connector, Kaspersky virus blocker, etc.  However, the rest of the modules can be downloaded and installed from a very simple GUI for free.  So far, I have not been able to find any major vulnerabilities or issues with this software.  Their target market is small to medium businesses that don’t want to pay the big bucks for Cisco, SonicWall, and other proprietary appliances.

Untangle also makes another product called “Re-Router” that is a network gateway/proxy server that runs in the background on a Windows XP workstation.

You might have heard the publicity that Octoshape received after Obama’s inauguration.  They used “Octoshape Grid Delivery.”  Octoshape’s “grid streaming technology” is just a peer-to-peer network, like BitTorrent, except it is geared toward live streams.

There are a number of issues with this, including:

  1. Cost-shifting to ISPs and users without informing them (approximately 30% of the bandwidth for CNN’s live stream comes from peers).
  2. A crazy license agreement.  Here are a couple of quotes from their EULA (http://www.octoshape.com/files/EULA.html), which you have to go digging on their web site for:

“You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you not are allowed to use or distribute such information.”  You mean I am violating the EULA if I try to see what is using up my upstream bandwidth?

“Accordingly, you hereby grant permission for Octoshape and other end users of the Software to utilize and share the processor and bandwidth of your personal computer system for the limited purpose of facilitating the communication between you and other end users of the Software, including Octoshape.”  Including Octoshape?

Company policies may exist concerning outbound traffic, and the user would be telling any number of others what video stream they are currently watching.  Of course, there could also be security vulnerabilities in the software that could be exploited.

To learn more, here is an article I recommend; it has plenty of links in it to follow: http://windowssecrets.com/2009/02/05/01-Watch-a-live-video-share-your-PC-with-CNN

An open (non-commercial) peer-to-peer streaming solution is available from the P2P-Next consortium at http://www.p2p-next.org.


ICBA and Visa are providing a free Data Breach Toolkit available to all ICBA member banks.  The toolkit was developed due to the recent data breach at Heartland Systems, and is designed to help community banks answer customers' questions following a breach of credit and debit card account information.  The toolkit provides member banks with customizable materials, including cardholder letters, statement inserts, FAQs and media statements.  You can log in to receive your toolkit at http://www.icba.org/publications/visa.cfm?ItemNumber=37529


AVG recently released an update that mistakenly identified a valid user32.dll file as containing a virus.  It instructs users to delete the file, which of course makes the system unbootable.  This affects AVG 7.5 and 8.0 running on Windows XP.  AVG says this only affects a few non-English versions, but the volume of reported incidents indicates this may not be completely accurate.


PCWorld published an article yesterday titled "Holiday Travel Tips: Protect Your Laptop and Privacy."  It is a good and timely article; however, a few additional tips you might find handy include:

  1. Cable lock your laptop anytime it will be out of your possession (in your car, hotel, etc.).  Cable locks are relatively inexpensive and provide an excellent additional layer of protection.
  2. Encrypt any confidential information on your laptop - it is best to utilize full-disk encryption.
  3. Shut down your laptop when you are not using it - some encryption software can still be compromised if a laptop is stolen while logged in or in "sleep" mode.

We hope you have a fun, safe, and secure Holiday season!


Computer Security Day (CSD) is a worldwide, annual security awareness event.  It started in 1988 to help raise awareness of security concerns and remind people to protect their computers.  CSD is officially November 30th; however, when November 30th falls on a weekend or holiday, it is usually observed the next business day.  The theme of CSD for 2008 is "A Good Defense."

To learn more, visit the official CSD website at http://www.computersecurityday.org


A Nevada law that took effect in October requires all businesses to encrypt personally identifiable customer data, including names and credit card numbers, that is transmitted electronically.  Companies in Nevada that suffer a security breach but comply with the new law would have their damages capped at $1,000 per customer for each occurrence; however, those that do not comply would be subject to unlimited civil penalties.

http://online.wsj.com/article/SB122411532152538495.html


On our Information Technology Audits, one of the things we do is spot check workstations to see if it appears employees are storing nonpublic customer information in documents on their workstations.  One of the reasons we discourage storing confidential files on a user's local computer is that it helps prevent the loss of confidential data if the computer is stolen.  When looking for these files, most people know to check the Desktop and My Documents folders.  However, there is a location where these confidential files can exist that is commonly overlooked - the user's Temporary Internet Files directory.  There are a few different ways a file with confidential information can unintentionally end up in your Temporary Internet Files.  One way a copy of a file can be left in the Temporary Internet Files directory is when the document is an e-mail attachment that is opened directly from the message.  Another situation where a file is saved to the Temporary Internet Files is when you download and open a file from a webpage on your local intranet or any other website.

We recommend deleting your Temporary Internet Files every time you log out or shut down to avoid unintentionally storing files with confidential information on your local hard drive.  There are a couple of ways to do this.  The most reliable way to delete the files is to set up a script that runs automatically when you log off or shut down the computer.  Here is a good example of a script to delete Temporary Internet Files by the Scripting Guys at Microsoft TechNet.  If for some reason you must store confidential files on a workstation, then you should look into protecting the hard drive of that system with full disk encryption.
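As an added example for the spot check described above (this is not the Scripting Guys script the post points to), here is a Python scanner that walks the Desktop, My Documents and Temporary Internet Files folders of a Windows XP profile (the folder layout is assumed) and reports plain-text files containing Luhn-valid, card-number-like digit strings:

```python
# Added example (not the Scripting Guys script the post refers to): spot-check
# a Windows XP profile for text files holding Luhn-valid card-like numbers.
import os
import re

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TEXT_EXT = {".txt", ".csv", ".htm", ".html", ".xml", ".log"}  # plain-text types
# Folders to check on an XP profile (assumed layout), the cache folder included.
XP_SUBDIRS = ["Desktop", "My Documents",
              os.path.join("Local Settings", "Temporary Internet Files")]

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text):
    """Return distinct Luhn-valid card-like numbers (digits only) found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def scan_dirs(dirs):
    """Walk dirs; return {path: [numbers]} for readable text files with hits."""
    hits = {}
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                    continue
                path = os.path.join(root, name)
                try:
                    with open(path, "r", errors="ignore") as fh:
                        nums = find_card_numbers(fh.read())
                except OSError:
                    continue  # locked or unreadable file: skip it, keep going
                if nums:
                    hits[path] = nums
    return hits

def scan_profile(profile):
    """Spot-check one user profile, e.g. scan_profile(os.environ["USERPROFILE"])."""
    return scan_dirs(os.path.join(profile, sub) for sub in XP_SUBDIRS)
```

It only inspects plain-text file types, so Office documents or PDFs in the cache would need their text extracted first; the Luhn check filters out most random digit runs such as phone or account numbers.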


On July 8, security researcher Dan Kaminsky announced he planned to reveal details about the DNS vulnerability (DNS cache poisoning) at Black Hat.  Since then, many technology vendors have provided patches to help fix the flaw.

Kaminsky has provided a "DNS Checker" self test on his website - see his personal blog at http://www.doxpara.com/


A study by Verizon Business contends nearly 9 out of 10 data breaches could have been prevented with reasonable security measures in place.  The study also indicates the great majority (73%) result from external threats.  However, it is also pointed out that damages are usually greater from internal threats.  A summary of the study can be found at http://www.eweek.com/c/a/Security/Your-Data-Breach-Was-Probably-Avoidable/