Business Security Information

Late last year it was announced by a couple of security researchers that cPanel was vulnerable to cross-site request forgery attacks (CSRF).  If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website.  This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks.  Cross-site request forgery attacks allow attackers to exploit web-based services after the user has already logged into the web-based service.  In a cPanel attack, once you are logged in, you must be lured by the attacker to visit a malicious website that the attacker runs or has compromised.  Once you go to the malicious website, the attacker can execute unauthorized commands since you are already logged into cPanel, and no password would be necessary.

If your business uses security cameras, recording is essential.  The recorded security camera feed can be used for a variety of purposes, especially after a business has been burglarized or robbed.  Currently, most businesses use a DVR (digital video recorder) to record their security cameras, but some still use time-lapsed VCR.  No matter which method you use to record your security cameras, what will prevent the criminal from taking the video tape or the DVR’s hard drive when they burglarize or rob your business?  If there is nothing to stop the criminal from taking the recorded security camera video, you should consider the use of lock boxes.

Just last month I wrote an article on “Choosing a Secure Web Browser” after a recent attack using vulnerabilities in the Internet Explorer 6 (IE) web browser.   In that article, I stated that security researchers and some governments were recommending that people change to a different web browser or at least upgrade to IE8 (you can read the full article using the above link).  Just this weekend, a couple of other security researchers announced another vulnerability involving IE web browsers including IE8.  This vulnerability was confirmed on Monday by Microsoft.  The question now is whether to wait for a patch from Microsoft or to change web browsers?  Let’s look at the highlights of the vulnerability to determine the right answer for you and your business.

When you look at the desktops, laptops and other devices in your business, do you realize the number and variety of software applications running on these devices?  Applications include Adobe Reader, Adobe Flash, Microsoft Office, off-the-shelf accounting software, and other similar types of applications.  Beyond these normal applications found on most computers, custom applications may also be used in your business such as credit card processing, accounting or other business-oriented software applications.  Most business owners and managers do not realize the number and variety of applications running on the computers they use.  Studies have shown that businesses spend most of their security efforts updating and securing the computer’s operating systems and not the software applications.

Do you or your company use encrypted USB flash drives?  If so, are they one of the flash drives that this month was discovered could be hacked?  Encrypted flash drives from SanDisk, Verbatim and Kingston are vulnerable to this most recent form of attack.  Basically, the attack occurs on the software that comes with the drives and runs on a computer, not the USB flash drive.  The software allows the user to enter a password, and if the password is correct, the software sends a signal to the encrypted USB flash drive to unlock itself.  The problem is that other software can be written and has been written to change the USB software running on the computer so that it always sends a signal to the encrypted USB flash drive no matter what is entered as a password.

Pod slurping is a generic term that refers to a technique where someone uses an MP3 player, such as an iPod, to steal sensitive information from a company.  In addition to MP3 players, thieves can also use other devices such as flash drives, digital cameras, mobile phones, PDA’s, or other plug-and-play devices that have storage capabilities.  Basically, any portable storage device can be used to steal or slurp sensitive information.   Special software on the thief’s device can automatically search the computer it is connected to for any sensitive information and then download or “slurp” the information to the device.  This type of software can easily be downloaded from the internet.  Back in 2004,  security expert Abe Usher developed a program called “slurp.exe” that he used on his iPod to demonstrate how information could easily be “slurped” from a computer.  In the demonstration, it took just over a minute to download all files from the computer.

Well, we have had a good Thanksgiving meal, and most everyone has headed off to bed so it is now time for me to get down to writing this article.  Yesterday I received an e-mail from a friend stating she was out of the country visiting a friend that was ill.  Her friend was in need of surgery, and they were trying to recruit a surgeon from Israel and were in need of $2800 to pay for this necessary surgery.  First, I was suspicious that this was a fraudulent e-mail because I had just seen the person and knew that she had no plans of heading out of the country.  Secondly, the e-mail requested $2800 dollars which is a very small amount for a surgery, especially since the e-mail had an urgency about it leading the reader to believe that it may be a matter of life and death.  The return e-mail was also suspicious because the return address was a generic Yahoo e-mail address.

Crimeware is a form of of malware (malicious software) that is  used to attack your computer and/or network.  Crimeware is designed for one purpose which is to facilitate illegal or criminal activity.

This type of software is often used to commit identity theft.  Also, crimeware allows attackers to capture and export sensitive information which they can sell or use to exploit for some other type of financial gain.  Another common type of crimeware includes phishing kits that allow an attacker with little or no technical skill to launch a phishing attack.  This type of crimeware may include website development software, content for the site, and spamming software that will allow the attacker to send out mass e-mails to their phishing targets.

A rootkit is a collection of software programs that contain a variety of tools and allow an attacker root or administrative level access to a computer or network.  Attackers install rootkits usually after having obtained basic user level access to a system, then gaining higher access to the account by using a cracked password or through some other vulnerability on the system which allows them to install software on the system.  Once a rootkit is installed, it allows the attacker to bypass security measures and hide the intrusion.  Rootkits do this by replacing normal operating system components or altering existing system tools or software so as to escape detection.

I just got done watching this short video (2 minutes) on installing a security door plate on a residential door with a wood frame.  It showed how this security plate could provide another layer of security against a criminal that tries to break in by kicking down your door.  As you watch, you will see that the door leads to what appears to be the speaker’s home office.  Although many commercial structures have metal doors with metal door frames which do not need security door plates, I have seen numerous offices and other commercial buildings which have exactly the same type of doors with wood frames where security door plates would have helped reduce the risk of someone kicking down the door.  Also, note that the security door plate helps the deadbolt lock resist such an attack (the door entry lock or door handle lock really is not affected by this security measure.)  Along this line, I would recommend that you install deadbolt locks on your exterior doors if you have not already.  Make sure any exterior door locks you use are resistant to lock bumping (read the definition and watch the videos on lock bumping to understand the dangers from this type of attack).