Skip to main content

Posts

Showing posts from 2011

Citrix & RemoteApp File upload and Breakout using MS Office

It is possible to deliver applications remotely to users via a solution such as Citrix or Microsoft RemoteApp (part of their Remote Desktop solution). This has the advantage of only delivering the application rather than the whole desktop to the user. The user isn't even necessarily aware that the application is running remotely, as it will appear like any locally installed application when running. An example of the type of application delivered in this way might be Microsoft Office. If, however, the Citrix or RemoteApp environment hasn't been set up properly, then this can lead to security problems such as arbitrary file upload and running commands remotely. I'm not going to look at macro security, even though this can lead to complete compromise of a system. However, what some people are not aware of is that you can upload files through the Open and Save As dialogs in Office. These files can then be executed on the remote system through the same dialogs. The figure b

Encrypted ZIP Archives Leak Information

This post is just a quick note to remind people who use encrypted ZIP archives to store or transfer confidential information, that the headers of the archive are not encrypted. Therefore, the filenames, dates and sizes of all the files within the archive can be read by anyone, without the key. Is this a problem? Well, I believe it is. Many people and organisations have naming conventions for files. How do you know which report to open if the filename doesn't give you some clue? Often filenames will include project names or codes, departments and even the names of the people writing the report. Would you give this information out to anyone walking down the street? I have seen targeted Spear Phishing attacks on users whereby emails have been sent with what look like project spreadsheets attached with the correct naming conventions and project codes. These attacks were very convincing for an unsuspecting user. Filenames can leak enough data to start launching social engineering atta

Flaw in email security means signed mails cannot be encrypted

I was at a company the other day that uses a well-known email encryption solution as they have some very sensitive information that they need to send both internally and externally. As is common for these solutions, it is possible to automatically sign the email by putting a keyword in the subject line, such as 'signemail'. Similarly, the mail will be encrypted automatically if the confidential flag is set or a keyword, such as 'encryptemail' is added to the subject. So far, so good. There are no messy button presses or extra steps for the user. However, there is a flaw with the solution. (I should point out that at this moment it is unclear if it is a product problem or a configuration problem, hence my not mentioning the product.) The issue is that signing the message appears to take precedence over encryption. So, if you add both keywords to the subject then the message will only be signed and not encrypted. Now the encryption solution does also sign the message,

Sony to send password reset email

Sony have detected someone trying to gain access to their various networks again, by using ID and password pairs that Sony conclude have been extracted from someone else's network. This may be a valid conclusion as it was only a small percentage of users that were affected (less than 0.1%, which is still 93,000). Sony have been upfront and quick to react, disabling the affected accounts and putting out a notice . However, their next step, according to the notice given by their Chief Information Security Officer (CISO), is to send all the users who have been affected an email asking them to change their password. Cue phishing scam! Surely some bright spark will now construct a phishing email to send out to everyone saying that theirs was one of the 93,000 IDs compromised and could they now change their password. A simple copy of the site would then enable someone to lift thousands of valid credentials from accounts that weren't compromised. The problem is that Sony's

Password Protect Your Mobile

I know that many security 'professionals' will scaremonger and preach doom and gloom at every turn in order to drive up sales. However, they're not always wrong. I read the article 'Mobile device users fail to take basic steps to protect themselves, survey finds' and wanted to relate an event that happened this weekend. Many people are saying that mobile device security threats are hype and that nobody is actually exploiting them. That's possibly true to a certain extent at the moment, but for how long? Another article claims that identity theft is now more profitable than car theft! A mobile phone is a very good start for this purpose. An interesting figure that comes from the article above is that 160,000 mobile phones are lost or stolen every day. I assume that this is just in America, as in Britain the figure is around 20,000 a day . Whether or not these figures are accurate is immaterial, the fact remains that a lot of phones go missing. What do you hav

City Link and Gathering Data for Spear Phishing

I have just been sent an email giving me a tracking number for a City Link parcel due to be delivered. On checking this on their website , I found that I only need the tracking number to track the parcel and no other information. Is this a problem? Well, I think it is. Via my tracking number I am able to find the company name of the sender and my postcode. Now, postcodes normally only relate to around a dozen properties at most. However, that's not the end of the story. By entering different numbers (based on the one that I received) I was able to get the details of other parcels being sent around. Incidentally, their format is AAAddddd - representing three uppercase letters followed by sequential numbering. Does this matter? Well, by going backwards through the sequential numbering system I was able to find a parcel that had just been delivered (at 13.50 to be precise) to a postcode in West Yorkshire - BD22 (I have omitted the last part of the postcode here). Helpfully, th

Admin rights to data should be given sparingly (or not at all)

I was reading a well-known telco’s document on the trade-off between productivity and network security recently. A lot of what they said is fair comment and they do have some helpful suggestions. However, their response to security risks, like those of many organisations, jumps straight for the technology solution with only a thin veneer of trying to deal with people. Many organisations will talk about people and process and how important they are and that you need education programmes (most of which miss the point and are not terribly effective), but they say it as if they have been told to and don’t really believe it themselves. At the end of the day they will jump on the technology bandwagon and sell you/buy the latest bit of kit. One statement in this document stood out though: “...full administration rights to all data are rarely appropriate for the entire workforce.” What? When are they EVER appropriate for the entire workforce? When is full admin rights over all data ever

Skype Phishing from ONLINE HELP

It seems that many users are receiving Phishing phone calls through Skype from a profile called 'ONLINE HELP'. This call, if answered, plays a recorded message telling the user that their computer is not protected and that they must go to visit www.hosog.com . If you do visit this site, it is riddled with malware. This is a phishing scam! The user account that I have observed is drationlinehelpgb and shows as being registered in the US, but seems to have been taken down now. However, others have reported a user account of drajizonlinehelp, which appears to be registered in Afghanistan. This one is still live at the time of writing and is using the same 'ONLINE HELP' profile name. It would appear that new accounts are being created as the old ones are blocked by people and reported for abuse to Skype. It is slightly worrying the number of people who are reporting having answered this call. If you receive any unsolicited calls through Skype from users outside your con

Google email Accounts Compromise

I was asked to comment yesterday on the story that emerged about the Google mail accounts that were compromised over the last few days, so I thought I'd put some of my answers down here. First off, Google wasn't compromised ; a set of phishing emails were sent out and a fake Gmail login set up to harvest login details. These were used to set up forwarding rules to copy mail to another account. Unfortunately, although a large number of people are aware of phishing and are (to a certain extent) vigilant, it only takes one person within the organisation to fall for the attack to compromise security. The scammers are becoming better at targeting people and making the initial phishing contact more believable to some people. Phishing is not just about email, although that is the most common avenue for the initial contact. Social media is also commonly used and we have seen the use of SEO to force phishing sites to the top of search engine rankings as well. User education is the o

3M Privacy Filters Update

I have blogged about 3M's privacy filters before and their gold filter still remains, in my opinion, the best privacy filter on the market. If you want to find out more about that one and why you need a privacy filter, see my previous blog post " Why do I need a privacy filter? (3M's new Vikuiti Gold Privacy Filter) ". I also blogged about their mobile phone privacy filter . The problem with their mobile phone privacy filter last year was that it was only available in their standard grey louvered filter, so didn't work well with accelerometer phones that can be used in portrait or landscape modes - you had to pre-select which orientation you wanted to use your smartphone in. Also, the light transmission wasn't as good as the gold filter nor was the touch quite as good after applying it. Well, they've addressed this and lanuched a new filter for mobile phones and slates at InfoSecurity Europe. The filter is now significantly thinner with excellent tou

InfoSecurity Europe 2011

InfoSecurity Europe is over for another year. Once again there were several interesting companies and sessions worth noting. The 'themes' (if they can be called that) or 'hot topics' were cloud security again, social media and mobile access/the consumerisation of IT. The big difference seemed to be in the attitudes of people - more 'how can we reduce the risks to an acceptable level?' rather than 'we can't secure it, so we won't allow it!' We are seeing a shift in the types of systems end users are accessing the corporate network from. The IT department are no longer dictating what will or will not be allowed. More and more users want to use their own personal devices, such as iPhones or iPads, on the network. In the past IT departments have resisted this and said no to the users. However, this attitude is beginning to change and there were a raft of organisations with solutions to help secure these devices and manage the data they contain. How

Base64 Encoding is NOT Cryptography

I have once again come across an IT department who were/are firmly convinced that the commercial web application that they use is secure and has encrypted user details. What it actually does is Base64 encode the password. This is not encryption and must be treated as plaintext. So what is Base64 encoding and why do we have it? Well, a large number of popular application layer protocols are ASCII text based, i.e. they transfer plain text over the network. A good example of this is HTTP - the protocol used to transfer HTML (or Web) pages around. Originally, only text pages were sent with markup embedded to style it. However, soon other resources were added to the web including pictures, documents, etc. HTTP is designed to transfer plain ASCII text, so how do you transfer a JPEG photograph? Answer: You convert it into plain ASCII text. The basic principle of converting a file into text is to use the data to represent an index to the ASCII character, e.g. 'A' is 63, 'B&

Security Risk is Proportional to Hacker's Skill

There are many factors that influence the risk to your organisation and they are by no means all about hackers. However, we do have to deal with hackers and have to realise that they are a fact of life that won't ever go away. So how much risk are we at from hackers? The truth of the matter is that the risk your organisation faces from hackers is proportional to the skill of the hacker. There are many different types of hacker, from the person who downloads a free tool, through script kiddies to highly intelligent, technically skilled people who can discover and exploit any vulnerabilities you may have. The tricky thing is to figure out who you will likely get attacked by. Many organisations have the attitude that they are not a natural target so nobody will attack them and they don't need to worry about security. Unfortunately that just isn't true. Computers are very good at doing repetitive tasks without getting bored. As a test we have a standard ADSL line with a web