Newsroom Home · Privacy Trends

SDS Newsroom

Chad Boeckmann, CISSP, GSEC

File sharing, also referred to as P2P (Peer-to-Peer), is one of the hottest trends on the Internet. P2P is often described as a type of decentralized computing where computers communicate directly with each other. Websites and organizations that support P2P programs allow people to download the free software for the primary purpose of sharing files across the Internet. This free software allows users to download music files, movies and software. A recent report released by Ottawa-based AssetMetrix Research Labs, a provider of managed services for PC inventory and IT analysis, looked at the problems associated with P2P downloading and found that 77 percent of P2P applications resided on desktop systems. The study examined approximately 175,000 PCs from over 560 corporations, 10 percent of which were in Canada. Most of the content that is retrieved with these tools are illegal in terms of licensing and copyright regulations. This is just one example of the dangers of using Peer-to-Peer file sharing programs. Below is a summary regarding the security and legal issues of using file-sharing programs and the dangers imposed to the user of a program and the network in which a file-sharing program is used.

Sharing your hard drive

Some programs that are used for file sharing claim to only share a specific folder on your hard rive where all the files you wish to share and download are stored. In some cases, these programs appear to only share the folder which you specified when in fact you could be unknowingly sharing your entire C: drive. This is mainly due to poor programming and code audits of the free software.

Sharing your IRS tax statement

In the 2002 tax season there were some tax programs that saved your tax return on the local C: drive. This can be very convenient for some people. However, the folder in which the tax program would save your tax return was the same folder in which P2P programs would share. This meant that some taxpayers were sharing their confidential tax returns with the entire Internet via their file-sharing program and were oblivious to that fact.

Welcome mat for Viruses and Addware

Virus writers have written viruses and worms specific to P2P programs. This kind of malicious content can be hidden in all file types and when the file is executed the virus will infect your computer and you may not even know that you have a virus. This can cause many issues in terms of system stability, privacy and integrity. Other malicious content, which is sometimes installed along with the P2P application, are labeled as spyware or addware. These types of programs are used to track users actions on the Internet and sell products. Some of the symptoms of running addware or spyware programs on your computer is:

1. Your PC is running slower than usual
2. Your browser has a new toolbar which you did not knowingly install
3. New program icons are in your system tray
4. Advertising windows appear when you are not browsing the Internet

There are a variety of free tools available on the Internet to detect and uninstall addware and spyware. Though the spyware and addware programs are not as dangerous as viruses or worms, they can jeopardize your productivity and privacy.

RIAA is looking for you

The Recording Industry Association of America is on the hunt for users of file sharing programs that obtain music files illegally. Their mission is as follows: "One of the RIAA's key missions is to help foster a legal climate that protects the rights of record companies, artists and copyright owners in general. The RIAA has worked to achieve this goal by assisting its member companies in such areas as copyright enforcement, webcasting and First Amendment advocacy."

Recently RIAA has legally forced Verizon Communications to turn over the names of broadband users who were illegally trading copyrighted music files over the Internet. As of September 8, 2003 RIAA has subpoenaed 261 users of a popular file sharing service. These users could face a fine of $750-$150,000 per copyright work infringed.

Summary

File sharing is not a new concept and if implemented correctly it can be a productive tool. However, using such a tool across a public network such as the Internet can pose some serious risks. To be safe do not use these programs, as they can become a serious problem. For every connection through a public file sharing service creates a new doorway to your computer and the network it resides on creating a new vulnerability that could also cost users and companies legally and financially. It is simply not worth it.

Chad Boeckmann, CISSP, GSEC

Since the advancement of computer science and the widespread distribution of technology, information has become quite the commodity. The world is connected as never before through technology and technological infrastructures. Because of this change, we must classify and scrutinize the information we have in our possession. There are many new regulations that require companies and individuals to take care in handling private and sensitive information. The ways to do this are quite simple, but adherence to best practices is essential.

Classifying Information

Information can be classified into three levels of importance; confidential, internal use and public. I encourage you to read papers from the SANS reading room to help you understand the possible threats to sensitive data and why it is important to be overcautious rather than not cautious enough.

Best Practices
When you are in possession of your own or someone else's personal information, such as Social Security numbers, credit or financial information or any other personal identifying information, you are responsible for how this information is handled and distributed. It is a good idea to distribute confidential information only on an as needed basis. It makes no sense to place Social Security numbers in an employee listing and publish this to a bulletin board. Information disclosure such as this is a recipe for identity theft and a host of other problems. Below are some ways to better handle and distribute confidential and private information:

• Employ encryption on files and directories whenever possible. Be sure to store the encryption key password in a safe location where it may be recovered in the event you have forgotten your password.
• Distribute information only on an as needed basis. If someone does not have a need for potentially confidential or personal information, then do not disclose it. Make surethere is a definitive need, such as processing a transaction or completing a sign-up process.
• Delete files or documents that contain confidential information as soon as they are no longer required. There should be no reason to retain this kind of information in multiple locations throughout a business unit.
• Do not store confidential or private information in a publicly accessible location.
• Discard hardcopy documents containing confidential or private information by shredding them. It is too easy to recover this information from a wastebasket or garbage can if not shredded.

Summary

Information is in high demand, and many people in this world go to great lengths to get all kinds of information. You may not think that the information you deal with or may have in your possession is of great value, but it is safer to treat all information as valuable and take extra precautions. It is far more costly to allow private or confidential information to fall into the wrong hands than it is to take a few extra seconds in disposing of information properly. The effects of mishandled information can devastate an individual or a business.

Wondering About WiFi Security?

Chad Boeckmann, CISSP, GSEC

WiFi is an abbreviated term for Wireless Fidelity, known as Wireless Networking, which commonly uses the 802.11b protocol. The 802.11b protocol transfers data across a wireless signal at a rate of 11 mbps (megabits per second). There is new technology that allows the use of greater speeds, but these standards are not yet completed and industry approved. Wireless has many advantages over the conventional wired network; the most obvious of which are mobility and cost savings. However, there are some blatant risks.

Confidentiality At Risk

A default installation of a wireless network typically means that your data and connection are at risk and could be compromised at any time. This is because all vendors, particularly those who cater to home users, do not implement by default any prudent security measures.

If you were to connect to your online bank and look up your bank account, your data is transmitted with encryption from your bank's web server to your modem and from your wireless access point to your wireless enabled PC. This transaction is safe because your online bank has provided the encryption mechanism for you. Now, suppose you visit a website where you enter in your user id and password and the website is not protected with encryption (the site begins with http:// instead of https://). Your user id and password and all data that you retrieve from this site will be transmitted in plaintext. What this means is anyone who is capturing data from your wireless connection will be able to intercept this information. With a default wireless installation, your data could be compromised and you may be at risk for identity theft. This is because you have not properly secured the access point or wireless router with proper security mechanisms.

In order to properly secure a wireless device it should be configured to use encryption, with WPA (WiFi Protected Access) at a minimum. Many vendors exploit the use of WEP encryption on their devices, but unfortunately this encryption mechanism is not strong enough to thwart the determined thief. Newer wireless equipment should have the option of using the stronger WPA encryption. Hard coding the MAC (Media Access Control) address of your wireless networking cards to the access point is an additional precaution that prevents other rogue users from picking your signal and riding it for free Internet access. This could also include illegal activity on your connection!

Case In Point

The RIAA (Recording Industry Association of America) recently investigated a case that held a 14 year-old responsible for downloading hundreds of songs from a popular file-sharing service. After further investigation, it was found that a neighbor had used the 14 year-old's wireless connection to download songs from the Internet. This is just one example of why any wireless implementation must be thought out and scrutinized prior to implementation.

Summary

Prior to implementing a wireless technology in your home, you should research products that seem to offer the best security and functionality to make your life easier and safer. If you have any questions about implementing a wireless technology in your home, consult a vendor that you are considering using, or research the Internet for best practices. Another option is to not use wireless. Many people hook onto the wireless trend before really understanding its implications. Keep yourself safe by doing your homework first.

If you are already using a wireless implementation, you should begin the use of WPA encryption as a minimum safeguard. A free guide to securing your wireless network at Practically Networked should provide the basics on safeguarding your home wireless implementation.

Chad Boeckmann, CISSP, GSEC

Threats to computers and networks have been an issue since computers were introduced to the general public. Today, any computer or network that is connected to the Internet is at risk to various types of attacks. It is important that we keep all of our PC’s both at home and at work, up-to-date on the latest security patches and bug fixes. CERT (the Computer Emergency Response Team funded by Carnegie Mellon University) cautions that:

"Intruders form groups and develop scripts that they share with each other on how to maliciously exploit vulnerabilities in systems. Intruders dedicate time to developing programs that exploit vulnerabilities and to sharing information. They have their own publications, and they regularly hold conferences that deal specifically with tools and techniques for defeating security measures in networked computer systems."

For more information on the great things CERT is doing please visit their website. The CERT/CC and the Internet Community

Your Computer in a Nutshell

There are four basic components to the system that we call a PC (Personal Computer) that you may have sitting on your desk at work or at home.

The first is called the BIOS. The BIOS is an acronym for Basic Input Output System. The BIOS is responsible for booting the computer by providing a basic set of instructions. It performs all the tasks that need to be done at start-up time and this allows the Windows operating system to start. Access to the BIOS can allow an attacker to completely disable the computer and render it useless.

The second piece of the puzzle is called the Operating System or otherwise referred to as the OS. Many different files compromise an operating system. These files control the operation of your Windows machine and allow it to function properly. Access or corruption to these files can allow an attacker to do harmful things to your data and the operation of your computer. Viruses that infect the files that comprise the operating system can replicate themselves and spread to other workstations and servers thus causing more damage by spreading across the network the machines are connected to.

The third critical piece of your computer is called the Desktop. The desktop is the basic interface for your Windows operating system. Access to the desktop can allow applications to be added, deleted and modified as well as modifications to the core of the Windows operating system. If preferences are changed this can be confusing to the user of the computer and may cause unintentional damage.

The last component that runs on a PC is called an Application. Applications have many different purposes and they are typically separate from the BIOS, Operating System and the Desktop. But, most all Applications depend upon the existence of the previous three components. Access to an application can allow an unauthorized user to manipulate the application and its’ data in ways it is not intended to do. Changes in configuration and preferences can lead to confusion and corruption of the application and the data within it.

General Problems with Legacy Microsoft Windows Systems

Many users do not understand how their computer behaves and why it behaves the way it does. This is ok, but what we all must understand is that each and every one of us computer users must take the appropriate steps to gain a better understanding of what are risks are.

Two of the older Microsoft Windows systems called Windows 95 and Windows 98 were designed for the home user and never intended to be deployed in a corporate network environment. These versions of the Microsoft Windows operating system are inherently insecure. They offer no sufficient password protection for protecting access to the desktop and various files on the hard drive. These versions were also not designed for use in a public environment. These machines are basically just a high-end word processor that should not be joined to any network including the Internet. The Windows 95 and 98 versions also offer no security management abilities to prevent the machine from unauthorized changes. This can result in significant data loss, degradation and theft.

Protect Yourself

With the release of Microsoft Windows 2000 came much improved security enhancements. This Windows operating system allows users to create accounts, allow and disallow permissions to files and folders as well as the most important, securely locking the workstation. Your workstation can be locked in Windows 2000 by pressing and holding three keys; they are Control (Ctrl), Alt and Delete (labeled “Del” on some keyboards). When you press and hold these three keys at the same time you will have a dialog box that appears. The very fist button on the left is titled “Lock Computer”. If you hit your key or click on that button, this will lock your workstation and prevent others from using it or viewing your data. Remember, you are responsible for actions that happen with your login id and computer. So please take this simple step to prevent any future problems. In order to unlock your workstation simply hit the same three keys, Ctrl, Alt and Delete. A fun way to remember this is by calling it the 3-finger salute. Just remember to give your computer the 3-finger salute prior to leaving it unattended. This will help protect yourself from someone else causing harm, even unintentional under your user account.

Chad Boeckmann, CISSP, GSEC

I am sure by now most of you have heard of corporate networks being attacked. These attacks typically originate from malicious individuals who are connected to thea Internet that we like to call hackers. Hacking in and of itself is not a bad thing. The true meaning of hacking in the modern sense of the word is: .one who is proficient at using or programming a computer; a computer buff.. The individuals who use their computera skills for illegal purposes are the individuals who have given the term hacker a bad reputation. This article focuses on the frequency and some methods of illegal activity to a corporate computer system from individuals with malicious intent.

In February 2000 the most significant attack on corporate networks occurred and you may recall this event. Yahoo!, eBay, Amazon and CNN were among the 4 largest victims of a denial of service attack that caused the websites to be unavailable for roughly 3 hours. A denial of service attack is caused by multiple machines sending network traffic to one particular website. The overwhelming amount of network traffic causes the website to become unavailable and thus incurring millions of dollars of losses as in the February 2000 incident. In that incident, the sites were down for only a few hours. Had they been unavailable for days or weeks, the financial losses could have bankrupted the organizations. There are roughly 4,000 denial of service attacks worldwide every 7 days. These attacks are against small countries, public organizations and home users; basically anyone connected to the Internet is a potential target

Denial of service attacks is just one method of interrupting a corporate network. Another method is by gaining unauthorized access to a corporation through system vulnerabilities and bypassing weak security controls. The Computer Security Institute generates the Computer Crime and Security Survey every twelve months that summarizes responses from participating organizations across the United States. This year 503 organizations participated in the survey and approximately 125 of those participants stated that their organizations. website suffered unauthorized access and misuse in the past 12 months. Of those, 53% stated the attacks came from outside sources such as the Internet, 5% came from inside sources, 18% came from both inside and outside sources and an alarming 24% did not know where the source of the attack originated. Many times each security breach costs an organization financially. It may be a soft-cost of having to reassign responsibilities to already overburden IT staff to fix the problem, or worse, it could publicly embarrass the organization resulting in the loss of customers and vendors. Another relevant statistic that the survey uncovered was the percentage of the participating organizations that experienced unauthorized use of computer systems. Out of the 503 respondents, 56% stated they experienced unauthorized access to their computer systems, 29% percent stated they had not and 15% stated they did not know. It should be known that many organizations do not report security breaches to law enforcement or any public reporting agency due to the possibility of corrupting their image. The statistics are only meant as a guideline.

Prevention

These are just two simple methods to prevent external attacks on a corporate network. Prevention and awareness is the key to promoting a healthy network that our business depends on for day-to-day activities. This takes everyone's effort to promote such an environment.