Sunday, August 2, 2009

Want LoJack for your Laptop? Think again.
As usual, something has been designed without good forethought about the security ramifications. Recovering your computer from thieves sounds great in marketing materials - but it comes with a price.

If you have purchased a computer with the ability to contact LoJack, then you are at risk. No, you don't have to subscribe to Computrace LoJack - you just have to have a computer with the code embedded in the BIOS.

This vulnerability is particularly nasty because it leads to a "persistent and complete control of a compromised system." That's right - once compromised, you effectively can't get rid of it.

Look, the only effective way to protect your data in the event of theft is to encrypt your entire hard drive - and use a sufficiently strong password.


Reference:
Researchers find insecure BIOS 'rootkit' pre-loaded in laptops
http://blogs.zdnet.com/security/?p=3828&tag=nl.e539


Wednesday, March 18, 2009

Erasing your Data
When you put a file in your "recycle bin" or "trash can" on your computer, it is not really gone - not even after you empty the recycle bin. The information can be recovered with freely available software. Granted, over time the file becomes harder and harder to recover, but it can be recovered.

You can permanently erase a file though. Free programs such as Eraser allow you to erase single files, folders, or even nuke the whole drive. As a matter of fact, wiping the whole drive is the only way to ensure that the files can't be recovered.

In the past, people have touted the fact that overwriting a file once was not secure enough. As a matter of fact, most of these programs will do up to a 35-pass wipe of the file or drive. It looks like you don't need to be that paranoid though. In reality a single pass will do the trick.
"... even firms specialising in data recovery openly admit that if a hard disk is overwritten with zeros just once, all of its data is irretrievably lost." - source: h-online.com
http://www.h-online.com/news/Secure-deletion-a-single-overwrite-will-do-it--/112432

You should also remember that encrypting your whole drive is a much better solution for data protection. You only need to wipe the drive if you think your encryption password has been compromised - or just change the password.
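As an added example (not from the original post): a POSIX shell script that does the single-pass zero overwrite described above on one file, checks that every byte now reads as zero, and only then unlinks it. It assumes a filesystem that writes blocks in place (a classic magnetic disk without data journaling or copy-on-write); on SSDs and copy-on-write filesystems the old blocks can survive an in-place overwrite, which is one more reason whole-drive encryption is the better control.

```shell
#!/bin/sh
# Added example: single-pass zero overwrite of one file, then verify, then
# unlink. Assumes in-place block writes (classic HDD, no data journaling,
# no copy-on-write); on SSD/CoW storage the old blocks may remain.

# Overwrite FILE in place with zeros, keeping its size. conv=notrunc keeps
# the write on the file's existing blocks instead of truncating the file
# and letting the filesystem allocate fresh ones.
zero_overwrite() {
    zf=$1
    zsize=$(wc -c < "$zf")
    head -c "$zsize" /dev/zero | dd of="$zf" conv=notrunc 2>/dev/null || return 1
    sync
}

# Return 0 if FILE now contains only NUL bytes (the overwrite really landed).
is_all_zero() {
    nonzero=$(tr -d '\000' < "$1" | wc -c)
    [ "$((nonzero))" -eq 0 ]
}

# Single-pass secure delete: overwrite, verify, and only then remove the name.
secure_delete() {
    sf=$1
    zero_overwrite "$sf" || return 1
    is_all_zero "$sf" || return 1
    rm -f "$sf"
}

# Demonstration on a constructed temporary file with made-up contents.
demo() {
    tmp=$(mktemp)
    printf 'constructed sample: quicken-export 2009-03-18\n' > "$tmp"
    secure_delete "$tmp" && [ ! -e "$tmp" ] && echo "wiped $tmp"
}

demo
```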


Thursday, January 8, 2009

About Encrypting your Data - Again
While scanning through some email newsletters, I came across this article. It looks like data security is still an afterthought to many organizations. I cannot stress enough that it is very important to secure your important data.

Even home users have Quicken, Money, or Quickbooks files. I have several clients that store a list of their passwords or other important information in Word documents on their computers. That's fine - I keep my entire business stored on my primary laptop. The difference is that my entire hard drive is encrypted. If someone steals my laptop, they will not be able to access my data.

As I've said before, the irony is that the software to do all of this is free and open source. It is easy to use and once you encrypt the drive, your computer acts normally. The only time you notice anything is when you restart the computer. You must enter the password at reboot or the operating system simply won't start.

One other point that I'm going to state again - Windows and Microsoft and Security don't go in the same sentence. Just because you have a Windows login password doesn't mean anything. That is trivial to bypass.

Also remember the following:
  • Rule #1: You are only as good as your last successful backup - from which you can recover.
  • www.truecrypt.com - open source and free


Sunday, August 10, 2008

White Paper - Security Questions
This "white paper" was created to present to several clients of mine. I'm posting it to my blog so that it can be reviewed and maybe raise some questions as to how you handle your home and business information.

PDF Copy Here

Company policy concerning safety and security of data

  • How important is your data?
  • What is the company policy about sharing data?
  • What workers / contractors have access to what data?
  • What would you do if that data were leaked to a competitor?
  • Do you allow users to surf MySpace, Facebook, or similar sites? How do you know?

"Over 90 percent of the Webpages that are spreading Trojan horses and spyware are legitimate sites, some belonging to household brands and Fortune 500 companies, Sophos reports. Most have been hacked through SQL injection." - source: Sophos.com

Cross-site scripting

"AJAX also increases the possibility of so-called cross-site scripting flaws, which occur when the site developer doesn't properly code pages, experts said. An attacker can exploit this type of vulnerability to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said. Big-name Web companies such as Microsoft, eBay, Yahoo and Google have all experienced cross-site scripting flaws on their Web sites." - source: Cnet.com

"Certification" method to ensure all outside PCs (ex: laptops) are clean and malware free

  • How do you know if the PCs are infected or not?

  • What is the policy on maintaining anti-virus and safe surfing habits?

Secure Backup Method

  • What is your backup method?

  • Have you practiced recovery from disaster?

  • Do you use imaging software to recover the OS and applications?

  • Are your backup files secure?

Data Encryption on Laptops and Remote Devices

  • Are your laptops and remote devices utilizing data encryption?

  • How much is your data worth if it gets into the hands of a competitor or criminal?

There is some evidence that cyber criminals are now specifically targeting laptop users, encouraged to do so by the finding that corporate laptops hold an average $525,000 worth of sensitive data. - source: Bahn, October 2007

Company Email and Consistency

  • Do your workers use their personal Yahoo or AOL accounts for email?

  • Do you want your clients to have an image of your company with potentially suggestive email addresses? (ex: cutiegirl69@yahoo.com)

  • What will you do if a lawsuit and discovery injunction requires that you are able to provide all communications?

Further Resources:

The Growing Importance of E-Discovery on Your Business
http://www.google.com/a/help/intl/en/security/pdf/importance_e_Discovery.pdf

Business Guide to Compliance
http://www.google.com/a/help/intl/en/security/pdf/WP44-BMGuide.pdf

The Impact of the new FRCP Amendments on your Business
http://www.google.com/a/help/intl/en/security/pdf/WP42-FRCP_0107.pdf

Protecting Off-Network/Laptop Users
http://www.google.com/a/help/intl/en/security/pdf/off_network_workers.pdf

2007 Annual Study: Cost of a Data Breach
http://www.ponemon.org/press/PR_Ponemon_2007-COB_071126_F.pdf
