Business Security Information

Late last year it was announced by a couple of security researchers that cPanel was vulnerable to cross-site request forgery attacks (CSRF).  If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website.  This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks.  Cross-site request forgery attacks allow attackers to exploit web-based services after the user has already logged into the web-based service.  In a cPanel attack, once you are logged in, you must be lured by the attacker to visit a malicious website that the attacker runs or has compromised.  Once you go to the malicious website, the attacker can execute unauthorized commands since you are already logged into cPanel, and no password would be necessary.

Just last month I wrote an article on “Choosing a Secure Web Browser” after a recent attack using vulnerabilities in the Internet Explorer 6 (IE) web browser.   In that article, I stated that security researchers and some governments were recommending that people change to a different web browser or at least upgrade to IE8 (you can read the full article using the above link).  Just this weekend, a couple of other security researchers announced another vulnerability involving IE web browsers including IE8.  This vulnerability was confirmed on Monday by Microsoft.  The question now is whether to wait for a patch from Microsoft or to change web browsers?  Let’s look at the highlights of the vulnerability to determine the right answer for you and your business.

When you look at the desktops, laptops and other devices in your business, do you realize the number and variety of software applications running on these devices?  Applications include Adobe Reader, Adobe Flash, Microsoft Office, off-the-shelf accounting software, and other similar types of applications.  Beyond these normal applications found on most computers, custom applications may also be used in your business such as credit card processing, accounting or other business-oriented software applications.  Most business owners and managers do not realize the number and variety of applications running on the computers they use.  Studies have shown that businesses spend most of their security efforts updating and securing the computer’s operating systems and not the software applications.

It seems no matter where I go I run into security issues.  It was no different recently when I took a trip to another state and stayed in a hotel.  The hotel belongs to a national chain and is located in a major city in Ohio.  Obviously, just because a hotel is well-known and located where you think security would be evaluated more closely does not mean this is always the case.  This article is mainly geared towards those who own a hotel or travel a lot for their job.

Do you use an EAS (electronic article surveillance) system in your retail store?  I know that most of the major retailers use these type of systems.  Actually, I was at a department store the other day, and I noticed, like I have so many times in the past few years, how ineffective they can be.  Let me explain that statement.

Do you or your company use encrypted USB flash drives?  If so, are they one of the flash drives that this month was discovered could be hacked?  Encrypted flash drives from SanDisk, Verbatim and Kingston are vulnerable to this most recent form of attack.  Basically, the attack occurs on the software that comes with the drives and runs on a computer, not the USB flash drive.  The software allows the user to enter a password, and if the password is correct, the software sends a signal to the encrypted USB flash drive to unlock itself.  The problem is that other software can be written and has been written to change the USB software running on the computer so that it always sends a signal to the encrypted USB flash drive no matter what is entered as a password.

Pod slurping is a generic term that refers to a technique where someone uses an MP3 player, such as an iPod, to steal sensitive information from a company.  In addition to MP3 players, thieves can also use other devices such as flash drives, digital cameras, mobile phones, PDA’s, or other plug-and-play devices that have storage capabilities.  Basically, any portable storage device can be used to steal or slurp sensitive information.   Special software on the thief’s device can automatically search the computer it is connected to for any sensitive information and then download or “slurp” the information to the device.  This type of software can easily be downloaded from the internet.  Back in 2004,  security expert Abe Usher developed a program called “slurp.exe” that he used on his iPod to demonstrate how information could easily be “slurped” from a computer.  In the demonstration, it took just over a minute to download all files from the computer.

A strike plate is a part of a door lock.  It is the metal plate that is attached, usually with screws, to the door jamb (door frame) and has one or more holes that hold the lock bolt when the lock is engaged.  When the door is closed, the lock bolt extends into the hole which then keeps the door closed.  Refer to the picture for a look at a high security strike plate.

A rootkit is a collection of software programs that contain a variety of tools and allow an attacker root or administrative level access to a computer or network.  Attackers install rootkits usually after having obtained basic user level access to a system, then gaining higher access to the account by using a cracked password or through some other vulnerability on the system which allows them to install software on the system.  Once a rootkit is installed, it allows the attacker to bypass security measures and hide the intrusion.  Rootkits do this by replacing normal operating system components or altering existing system tools or software so as to escape detection.

I just got done watching this short video (2 minutes) on installing a security door plate on a residential door with a wood frame.  It showed how this security plate could provide another layer of security against a criminal that tries to break in by kicking down your door.  As you watch, you will see that the door leads to what appears to be the speaker’s home office.  Although many commercial structures have metal doors with metal door frames which do not need security door plates, I have seen numerous offices and other commercial buildings which have exactly the same type of doors with wood frames where security door plates would have helped reduce the risk of someone kicking down the door.  Also, note that the security door plate helps the deadbolt lock resist such an attack (the door entry lock or door handle lock really is not affected by this security measure.)  Along this line, I would recommend that you install deadbolt locks on your exterior doors if you have not already.  Make sure any exterior door locks you use are resistant to lock bumping (read the definition and watch the videos on lock bumping to understand the dangers from this type of attack).