Business Security Information

It seems no matter where I go I run into security issues.  It was no different recently when I took a trip to another state and stayed in a hotel.  The hotel belongs to a national chain and is located in a major city in Ohio.  Obviously, just because a hotel is well-known and located where you think security would be evaluated more closely does not mean this is always the case.  This article is mainly geared towards those who own a hotel or travel a lot for their job.

A couple of weeks ago I went with my family to get some pizza.  It was one of those day we had been rushing around and just wanted to get some good hot food, so pizza it was.  Like most food service businesses, this one had a security camera system that was visible as soon as you walked into the store.  While I was standing there waiting for our pizza, I started looking at the positioning of the security cameras.  What I noticed was that the security cameras covered the cash registers and other employee work areas, but the camera system did not cover the customer area in front of the checkout area.  With this positioning of the cameras, their purpose seemed to be just to monitor employees work and to address internal theft issues.

Do you use an EAS (electronic article surveillance) system in your retail store?  I know that most of the major retailers use these type of systems.  Actually, I was at a department store the other day, and I noticed, like I have so many times in the past few years, how ineffective they can be.  Let me explain that statement.

Do you or your company use encrypted USB flash drives?  If so, are they one of the flash drives that this month was discovered could be hacked?  Encrypted flash drives from SanDisk, Verbatim and Kingston are vulnerable to this most recent form of attack.  Basically, the attack occurs on the software that comes with the drives and runs on a computer, not the USB flash drive.  The software allows the user to enter a password, and if the password is correct, the software sends a signal to the encrypted USB flash drive to unlock itself.  The problem is that other software can be written and has been written to change the USB software running on the computer so that it always sends a signal to the encrypted USB flash drive no matter what is entered as a password.

Pod slurping is a generic term that refers to a technique where someone uses an MP3 player, such as an iPod, to steal sensitive information from a company.  In addition to MP3 players, thieves can also use other devices such as flash drives, digital cameras, mobile phones, PDA’s, or other plug-and-play devices that have storage capabilities.  Basically, any portable storage device can be used to steal or slurp sensitive information.   Special software on the thief’s device can automatically search the computer it is connected to for any sensitive information and then download or “slurp” the information to the device.  This type of software can easily be downloaded from the internet.  Back in 2004,  security expert Abe Usher developed a program called “slurp.exe” that he used on his iPod to demonstrate how information could easily be “slurped” from a computer.  In the demonstration, it took just over a minute to download all files from the computer.

This past month I have been working with a business regarding some physical security improvements, and one of those items was a security or intrusion alarm system.  It got me thinking about businesses that I deal with who usually ask me about why a certain element of security they have implemented, such as security systems, is not working.  Most of the time when I look at their particular situation, one or more elements of the security system does not fit their needs.  Usually this is not discovered until the system has been installed and paid for, leaving the business with a system that does not fulfill their needs and sometimes results in the system not being used after a period of time.  This results in wasted time and money for the business owner as well as poor or nonexistent security.

Lock Bumping, or “bumping” as it is sometimes called, has been around for the past fifty years and is a form of lock picking where a specially cut key is used to move the pins in the lock so the lock can be opened.  The key is made by cutting all cuts in the key to their maximum depth and is sometimes called a 999 key because the cuts are made to the maximum depth of 9.  The cuts can be made by using a hand file, but using a key-cutting machine speeds up the process of making a bump key.

Just when you thought it was safe to use wireless, along comes a new attack on wireless encryption.  WEP (Wired Equivalent Privacy), the oldest form of wireless encryption,  has not been safe to use for quite some time, and I would recommend you use one of the other wireless encryption methods mentioned in this article if you are still using WEP.  The information or data that you send or receive on your wireless connection can easily be captured and read by others if you don’t encrypt that traffic.  This article will help you make necessary changes to your wireless network.

In securing your computer network, you have probably thought about servers, desktops and laptops, but what about the other devices that you have on the network such as webcams, printers, network switches, routers, voice over IP phones, or NAS (network attached storage that can store 1 terabyte or more of information)?  All these devices recently were studied and tested by researchers at Stanford University, and out of the 21 devices they tested, not one was secure.  Because the devices were manufactured by sixteen different manufacturers, the security issue is not limited to one manufacturer.

What is ATM Skimming?

ATM Skimming involves a device called a skimmer to gather and store the information from your ATM card.  A crook also has to install a hidden camera, usually a wireless camera, pointed at the keypad so your pin number can be gathered or transmitted.  There are some small cameras or hidden cameras on the market that have built in flash drives or digital video records that can store information so the bad guy does not have to be nearby to gather the PIN numbers.  Another method is to use a fake keypad or keypad overlays which, when slipped over the original keypad, can either transmit or store the information.  Watch this YouTube video to see an actual skimming device and hidden camera.