Archive for January, 2010

RockYou’s Sour Rhapsody

January 31st, 2010

RockYou.com, once a successful major application developer for popular social networking websites like Facebook and MySpace, is now singing a different tune. While the technology company had enjoyed great success toward the end of 2009 and secured a significant amount of funding for its projects, it experienced a major security breach as it was ushering in the New Year. As we mentioned in an earlier post, a ton of personal information was leaked. An exploit of a poorly protected SQL database gave hackers and other clever computer geeks access to RockYou’s entire list of users and their passwords.

While outside database access is never a good thing, the situation could have gone a lot more smoothly for RockYou if it had protected its information using data encryption software. The company’s storage method was a little ridiculous. According to Techcrunch: “The database included a full list of unprotected plain text passwords. And email addresses!” Not only did the company fail to keep the database protected, it didn’t even try to secure its users’ private information! As you can imagine, the fiasco is still hurting RockYou. The site had to put up an apologetic security notice and send out messages to every user, asking them to change their password and informing them of the cyber attack.

The Rocky Future

Though RockYou has already suffered a serious blow to its reputation in the world of technology, the worst is yet to come. A class action lawsuit has been filed against the company, led by Alan Claridge. The complaint alleges:

“While some security threats are unavoidable in a rapidly developing technological environment, RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ personally identifiable information by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers…

It is anyone’s guess whether the case will be heard and tried in the courts; it’s more likely that RockYou will work out some sort of settlement agreement. Either way, the damage is already done. As a business that appears to depend primarily on investors for capital, RockYou has lost its status as a secure corporation and is likely to have trouble in the future.

Lessons to be Learned

An interview with a person claiming to be the RockYou hacker points out a scary truth: 30% of websites store their users’ login information without encryption, keeping plain text passwords in their database. While there’s no way to verify the statistic, its main message rings true. Most companies, even online businesses, are woefully unprepared for the dangers of the Internet. Full disk encryption, something that should have been standard for many years, is still unknown and unused by a multitude of companies.
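The storage scheme RockYou should have used, as an added example that is not part of the original post: each password is kept as a salted PBKDF2-HMAC-SHA256 record and verified with a constant-time comparison, so a stolen table no longer contains the passwords themselves. The e-mail addresses and passwords below are constructed sample values.

```python
"""Salted PBKDF2 password storage, the alternative to RockYou's plain text table.
Added example, not from the original post; the user records are constructed."""
import hashlib
import hmac
import os
from typing import Optional

HASH_NAME = "sha256"
ITERATIONS = 200_000            # work factor; raise it as hardware gets faster
SCHEME = f"pbkdf2_{HASH_NAME}"

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)   # a fresh random salt per user defeats shared rainbow tables
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False            # a malformed record never verifies
    if scheme != SCHEME or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def migrate_plaintext_table(table: dict) -> dict:
    """Convert {email: plaintext_password} into {email: hashed_record}.
    After this, a leaked copy of the table no longer reveals the passwords."""
    return {email: hash_password(password) for email, password in table.items()}

if __name__ == "__main__":
    # Constructed sample of RockYou-style storage before and after migration.
    users = {"alice@example.com": "123456", "bob@example.com": "123456"}
    hashed = migrate_plaintext_table(users)
    for email, record in hashed.items():
        print(email, record[:40] + "...", verify_password("123456", record))
```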

It’s best not to have a shocking wake-up call like the one the security team at RockYou had. Choosing to purchase encryption software before disaster strikes will help you avoid P.R. disasters and stay out of the courtroom. To try the proven technology we offer and protect your business, sign up for a free trial of Alertsec Xpress today!

Further Reading
RockYou Raises A Whopper – $50 Million In Venture Capital [Techcrunch]
Serious SQL flaw could have compromised millions of Rockyou.com users [Net-Security]
One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now. [Techcrunch]
Social Application Developer RockYou Sued After Data Breach [Softpedia]
RockYou Hacker: 30% of Sites Store Plain Text Passwords [ReadWriteWeb]

Securing Content Management Systems

January 28th, 2010

As one of the front-runners in data security and computer encryption software, we always try to focus on the aspects with which users can ensure optimum protection of their critical data and related assets.

Taking a step forward in this direction, we observe and analyse the security state of the open-source world, specifically content management systems such as Joomla and Drupal. Today some of the world’s best websites are being developed on open-source CMSes for their improved architecture, workflow mechanisms and end-user stability. But with that, we are witnessing numerous security issues and vulnerability threats as well. In fact, this is one of the key reasons why businesses are still hesitant when it comes to adopting and implementing these systems.

There has been constant debate about this issue, and we think John Viega’s article “Open Source Security: Still a Myth” pretty much sums up the current state:

“For most applications it does seem reasonable to expect that proprietary software will generally have fewer eyeballs trained on the source code. However, can the average developer who looks at open source software do a good job of finding security vulnerabilities? While I do believe the answer to this could someday be yes, the answer is not at all clear-cut right now.”

Quick security tips

Here are some quick tips to ensure that a website running on a modern open-source CMS stays secure and free from hack attacks:

  1. Password security: Perhaps the most common and basic security measure is to use a strong password which isn’t your date of birth or your mother’s maiden name. Ideally it should be a combination of upper-case and lower-case characters, and if your system permits, you should always use special characters as well.
  2. Follow the CMS security guidelines: Always read the security guidelines provided by your open-source CMS vendor. They are a security rule-book; never ignore them.
  3. Deployment of updates: Always make sure that your CMS is updated to the latest version and that the right computer protection software is used on the deployment server.
  4. Secure the root user name in the MySQL database: Normally, all database-driven CMSes ship with a common user name and password. Typically the user name is root and the password is blank. Always keep in mind that you should change the user name and password.
  5. Secure login URLs: A lot of CMSes can be accessed via their common URLs. For example, in Drupal’s case it is http://drupal.org/user and in Joomla it is http://joomla.org/administrator
  6. Insecure plug-ins: Most content management systems provide a list of vulnerable, insecure plugins. In addition, you can always run the cron jobs to see if there is any plugin, module or component that is incompatible with the architecture of your current system.
  7. File permissions: If you are running a website which has global read/write permissions for the external world, then you are in for a big problem. Make sure that file permissions are set appropriately and that only the administrator has permission to make the desired changes.
  8. Iframe injection prevention: Hidden iframe attacks are one of the most popular vulnerabilities affecting websites. To remove injected code you need to install an exploit scanner through which you can scan your site files. It helps you find illegal iframes and remove new iframe code that was not created by the site owners.
  9. Don’t use the common table prefixes in your CMS: Content management systems use standard prefixes for their tables, for example ‘jos_’ for Joomla; change the prefix to something non-default.
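An added example, not from the original post, that automates two of the checks above on a CMS document root: it flags world-writable paths (tip 7) and files containing iframes hidden with 0/1 px dimensions or CSS (tip 8). The sample site it scans is constructed in a temporary directory; the `example.invalid` host is a placeholder.

```python
"""Audit a CMS document root for world-writable paths (tip 7) and hidden iframe
injections (tip 8). Added example, not from the original post; sample site is constructed."""
import os
import re
import stat
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Hiding tricks used by injected iframes: 0/1 px dimensions or CSS hiding.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?\s*[01](?:px)?\s*["']?(?=[\s/>])
      | display\s*:\s*none
      | visibility\s*:\s*hidden""",
    re.IGNORECASE | re.VERBOSE,
)

def hidden_iframes(html: str) -> list:
    """Return every <iframe ...> opening tag in html that uses a hiding trick."""
    return [tag for tag in IFRAME_RE.findall(html) if HIDDEN_RE.search(tag)]

def audit_docroot(root: str, exts=(".php", ".html", ".js")) -> dict:
    """Walk root; report world-writable paths and files carrying hidden iframes."""
    findings = {"world_writable": [], "hidden_iframe": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:        # "other" write bit set
                findings["world_writable"].append(os.path.relpath(path, root))
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if hidden_iframes(fh.read()):
                    findings["hidden_iframe"].append(os.path.relpath(path, root))
    return findings

def build_sample_site() -> str:
    """Constructed docroot: a clean page, a page with an injected 1x1 iframe, a 777 uploads dir."""
    root = tempfile.mkdtemp(prefix="cms-audit-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)                                 # violates tip 7
    pages = {
        "index.php": "<html><body><h1>Welcome</h1></body></html>\n",
        "footer.php": '<div>Footer</div>\n<iframe src="http://example.invalid/x"'
                      ' width="1" height="1" style="display:none"></iframe>\n',
    }
    for name, body in pages.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)                                # not world-writable
    return root
```

Run `audit_docroot(build_sample_site())` to see the two findings; point `audit_docroot` at a real document root to use it for the checks.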

Breaking into BitLocker

January 27th, 2010

Windows 7, Microsoft’s latest snazzy operating system, comes pre-installed with BitLocker in its Enterprise and Ultimate editions. BitLocker is a hard drive encryption feature which is meant to help business users and customers who pay a premium enjoy a greater sense of security. BitLocker uses a combination of AES encryption in CBC mode and the Elephant diffuser to protect data. According to Microsoft TechNet, “BitLocker protects against data theft or exposure on computers that are lost or stolen, and offers more secure data deletion when computers are decommissioned.”

Unfortunately, that’s only part of the story; BitLocker isn’t quite as safe as Microsoft would like customers to think. In fact, just recently, software firm Passware released a tool which can essentially crack the encryption! BitLocker also lacks quite a few features that other providers offer and has several vulnerabilities. The BitLocker service is very new and fails to gain any sort of advantage over existing market leaders.

What Does Your Business Need?

If you’re managing an organization, you know that you have enough on your plate without having to worry about your computers’ security. You need a solution that works out of the box, a proven and successful encryption service which keeps your private information safe and won’t give you any trouble. You need a standalone feature which can’t be exploited and works without any overly complicated set-up.

More importantly, you need a service provider which specializes in its field. Using security companies that work exclusively on encryption technology grants many advantages. Security solution providers who have worked in the field for many years can offer a much more complete service than businesses that offer encryption as a bonus feature.

BitLocker’s Weakness

An analysis of BitLocker from WindowsSecurity.com summarizes our thoughts on the product:

For organizations that take security more seriously this technology still needs to mature substantially before being able to be used with confidence.

BitLocker’s greatest weakness is its integration with the Windows 7 operating system. Unlike our computer encryption software, which works alongside your OS, the BitLocker feature is coded directly into it, making the service less secure. BitLocker’s dependence on the operating system’s login credentials can be exploited, as can its complicated volume structure. BitLocker also inexplicably stores the master key (used for data recovery) unprotected on the hard drive. BitLocker also fails to automatically back up recovery information, meaning that the process has to be done manually.

If you’re serious about your company’s security, it’s a much better idea to go with the full disk encryption we offer. We go beyond BitLocker’s capacities, fixing all of its quirks and providing customers with additional support. For example, we offer a 24/7 remote password reset service, something BitLocker has never even considered. It’s unsurprising that the Pointsec technology we offer is certified and can be used by governments or the military, while BitLocker has no third-party certification. In business, it’s best to play it safe and choose a product with a 20-year history and proven record, rather than experiment with an inferior one.

Further Reading

BitLocker Drive Encryption [Microsoft TechNet]
First commercial tool to crack BitLocker arrives [ars technica]
Endpoint Encryption – Is BitLocker Enough? [WindowsSecurity]

Social Networks, Spam & Data Security

January 26th, 2010

Barely a week ago, a Georgia family logged on to their AT&T mobile Facebook account only to gain access to a stranger’s Facebook profile. The glitch was apparently caused by a server software connectivity error. Another spam attack on Facebook was Koobface, a malware bot that controlled Facebook profiles and turned them into infectious zombies. The targets were lured into clicking on malicious links. In fact, these stories are classic examples of security breaches caused by access to social networking sites and related devices.

Social networking sites have really grown in popularity ever since the term Web 2.0 was coined by Tim O’Reilly. If we just look at Facebook’s numbers, it has grown in leaps and bounds and has now tripled its user base to 350 million. However, the rise of the social web also exposes us to an increasing risk of malicious attacks by spammers.

Cisco’s latest security report, covering 2009, does raise some security concerns: according to it, spam in 2010 will increase by 30% to 40%.

If we look at some of the past incidents, the report doesn’t spring much of a surprise:

  1. Last November, researchers at Symantec’s MessageLabs branch mentioned that the DonBot network had begun sending spam emails in large numbers, accounting for as much as four per cent of total global spam.
  2. At the beginning of this year, McAfee raised similar concerns.

The type of risks

There is a multitude of risks involved with activity on social networking sites, the worst of which is that your account credentials could be hacked, leading to severe consequences. If a social networking site is infected with a spam script and you pick that up, it could lead to gaps in your data security. At times these attacks are so threatening that even your state-of-the-art encryption software and computer security software cannot protect you.

Going back to Cisco’s security report, it also provides key inputs on the potentially devastating combination of minor vulnerabilities, poor user behaviour, and outdated security software that can dramatically increase risks to network security.

According to Cisco fellow Patrick Peterson: “The blending of social media for business and pleasure increases the potential for network security troubles, and people, not technology, can often be the source.”

How to stay secure?

While it can be very hard to keep yourself away, a lot of common sense can help you avoid these risks from a user’s perspective.

  1. Never ever save your passwords on public computers.
  2. Do not post sensitive information such as credit card details or Facebook account details in public forums or groups.
  3. If you receive an email invite from someone posing as your friend to join a social networking website, do not click on the link without doing a cross-check.
  4. While on Facebook, do not install unverified applications or those released by unknown developers.
  5. At best, try to ignore friend requests from unknown users.
  6. Make sure that the privacy settings are at an adequate level on your favourite social networking site.

You can download the full-version of Cisco’s security report from here.

Suggested reading links

Top 8 Social Media Security Risks
Social Networking will be target for hackers in 2010
Social Networking: Latest, Greatest Business Tool or Security Nightmare


Is Your Password Secure?

January 24th, 2010

Most computers come with some sort of built-in password protection system, and any savvy user will tell you that it’s important to take advantage of it. Running a machine without password protection is the computer equivalent of going on vacation but leaving your front door wide open. In short, it’s not a good idea! Unfortunately, setting a password alone isn’t enough to ensure that you have a fully protected computer. In fact, if you set a weak password, you’re not really increasing your machine’s defenses at all! There have been many businesses which failed to use secure passwords and suffered embarrassment when someone made a lucky guess and was able to access their private information. Even the ever-growing social giant, Twitter, has fallen victim to poor password choices in the past!

However, the topic of today’s post is password security and, more importantly, how to determine whether your password is actually protecting your computer. RockYou, a popular third-party application developer for sites like Facebook and MySpace, had a major data leak near the end of 2009. Though we’ll be fully covering that story in a future entry, it’s important to note that the leaked data consisted mainly of personal user information. The 33 million passwords of all of RockYou’s users were briefly posted on the Internet by the cyber criminal who hacked the site. Analysis of these passwords showed that most people aren’t protected and could easily find their personal accounts and private data compromised.

Lessons from RockYou’s Users

The New York Times ran an article a few days ago evaluating these passwords. The number one most-used password for the group: 123456. The second most-used was 12345. It appears many users neglect the responsibility of coming up with a password that’s actually difficult for an outside party to guess. A significant group of RockYou members even chose to set their password to the site’s name! Though it’s convenient and often tempting to have a simple and easy-to-remember password, it’s extremely insecure. Hackers trying to get access to the accounts of RockYou users could simply have tried one of these commonly used passwords and successfully broken in. If you notice that the password you use is on that list, change it immediately, using the tips in the next section. Otherwise, check that section to confirm your password is protecting your computer from hackers.

Making Your Password Secure

Having a weak password allows cyber criminals easy access to your computer. Use the following tips to come up with a password that’s easy for you to remember but hard for others to guess:

  1. Try to have a long password (at least 7 characters) to make it difficult for others to figure it out
  2. Don’t just stick to letters! Mix up your password by using numbers and symbols
  3. Think outside the box. Don’t use a common word or a personal detail that everyone in your life knows
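An added example, not from the original post, that turns the three tips above into a checker and shows why they matter: it compares a password against the most-used RockYou passwords named in this post and computes the brute-force keyspace its length and character mix give it. The blocklist contains only the entries named here and the personal details are constructed sample values.

```python
"""Check a password against the three tips above and the most-used RockYou passwords.
Added example, not from the original post; blocklist and sample inputs are constructed."""
import string

# Only the entries named in this post; a real check would load the full published list.
COMMON_PASSWORDS = {"123456", "12345", "rockyou"}

CHARACTER_POOLS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

def keyspace(password: str) -> int:
    """Candidates a brute-force search of this shape must cover: (sum of the pool
    sizes actually used) ** length. This is why tips 1 and 2 work together."""
    pool = sum(len(chars) for chars in CHARACTER_POOLS.values()
               if any(c in chars for c in password))
    return pool ** len(password) if password else 0

def check_password(password: str, personal_details=()) -> list:
    """Return the tips the password violates; an empty list means it passes all three."""
    problems = []
    lowered = password.lower()
    if len(password) < 7:
        problems.append("tip 1: shorter than 7 characters")
    if not any(c in string.digits + string.punctuation for c in password):
        problems.append("tip 2: no numbers or symbols")
    if password.isdigit():
        problems.append("tip 2: digits only, so only 10 choices per position")
    if lowered in COMMON_PASSWORDS:
        problems.append("tip 3: on the list of most-used passwords")
    for detail in personal_details:          # e.g. names, birthdays, pet names
        if detail and detail.lower() in lowered:
            problems.append(f"tip 3: contains personal detail '{detail}'")
    return problems

if __name__ == "__main__":
    for candidate in ("123456", "rockyou", "alice1990", "Winter2010!"):
        print(candidate, keyspace(candidate), check_password(candidate, ("Alice",)))
```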

If you’re hankering for more password tips, check out Microsoft’s helpful online safety guide, which shows you how to craft a perfect one. Full disk encryption allows you to take your computer’s defense to the next level. Instead of relying solely on password protection, our encryption software secures your data using the AES block cipher. It also adds another required login, which gives you the opportunity to set a special, incredibly challenging password to further secure your private data. If you ever forget your password, we’ve got you covered with a 24/7 Helpdesk which can help you reset it after confirming your identity. If you’re ready to fully protect your computer with Pointsec encryption, sign up for a free trial!

Further Reading
Weak Password Brings ‘Happiness’ to Twitter Hacker [Wired]
One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now. [Techcrunch]
If Your Password Is 123456, Just Make It HackMe [New York Times]
The RockYou 32 Million Password List Top 100 [reusablesec.blogspot.com]
Microsoft Online Safety [Microsoft]