Archive for RB

Update Email Policy

A court case coming out of New Jersey could impact most firms’ privacy and security practices, according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer cannot read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.

The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”

The ruling, written by Chief Justice Stuart Rabner, states in part that the employee could “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee “plainly took steps to protect the privacy of those emails and shield them from her employer. She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”

The law firm of Jackson Lewis provides a legal overview of the case on its blog, The Workplace Privacy Data Management and Security Report, and recommends that employers consider modifying their existing electronic communication policies to include:

  • Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
  • Definitions of the specific technologies and devices to which the policies apply;
  • Warnings that web-based, personal e-mail can be stored on the hard drive of a computer and forensically accessed;
  • No ambiguities about personal use.

Rb-

I am no lawyer, so be sure to consult your attorney about this and all legal issues. In my opinion, this ruling is new law-making. The new laws are applicable only in New Jersey for now. However, unless the U.S. Supreme Court overturns this new law, it will be the starting point for all other litigation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.

An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”

Sounds like another shot in the arm for the content filtering firms.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

NICs Latest Threat to PCs

The latest malware attack vector is the network interface card (NIC). According to a post at Gizmo’s Freeware, two separate presentations at the CanSecWest international security conference demonstrated exploits utilizing network cards. The article reports that both exploits focused on Broadcom (AVGO) NICs.

The post reports that in at least one of the demos the researcher used the Broadcom remote factory diagnostic mechanism to install custom firmware on the network card. The researcher used the compromised firmware to create a tunnel into the PC in such a way that packets sent via the tunnel were not visible to the system firewall. Using the network card’s access to memory, the attacker could then run whatever code he wanted.

HP uses the vulnerable NICs in PCs

HP (HPQ) uses the vulnerable Broadcom NICs in many PCs. In response, the HP Software Security Response Team has released a Security Bulletin (Document ID: c02048471) “HP Small Form Factor or Microtower PC with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code.” In the bulletin, HP says this information should be acted upon as soon as possible.

HP has made softpaq SP47557 available to resolve the vulnerability. In the bulletin, HP says the following models contain the Broadcom Integrated NIC firmware:

  • HP Compaq 6005
  • HP Compaq dc5700
  • HP Compaq dc5750
  • HP Compaq dc5850
  • HP Compaq dc7600
  • HP Compaq dx7200
  • HP rp3000 Point of Sale System
  • HP rp5700 Desktop PC
  • HP rp5700 Point of Sale System

Rb-

This is a new hole, not a new attack. The premise appears to be poor design. Why would a manufacturer leave “the remote factory diagnostic mechanism enabled”? The article goes on to say that, “by default, the remote factory diagnostic mechanism (ASF, or Alert Standard Format 2.0) is normally turned off.” That’s a good thing, unless it’s not, and then you’ve got troubles.

This technique would allow a very low-level attack that is not visible to traditional desktop security software. The network security devices would have to pick up the threat, not desktop security software. This also proves the case for good asset management. I can think of one client who has 80+ of the HP 5700s distributed at 80+ sites without a management tool such as Intel’s vPro to push these low-level updates to PCs. There is no telling if these PCs will ever get patches unless Microsoft adds it to Windows Update.


What is eWaste?

Electronic waste (eWaste) is classified as hazardous waste if it has components that are toxic (poisonous), ignitable/combustible, corrosive, or reactive. Most electronic devices contain heavy metals, such as lead. The BBC reports that the typical personal computer contains many materials that are valuable, dangerous, or both.

According to the BBC, the hazardous wastes found in the typical PC include:

  1. Lead in cathode ray tube and solder.
  2. Arsenic in older cathode ray tubes.
  3. Selenium in circuit boards as power supply rectifier.
  4. Polybrominated flame retardants in plastic casings, cables and circuit boards.
  5. Antimony trioxide as flame retardant.
  6. Cadmium in circuit boards and semiconductors.
  7. Chromium in steel as corrosion protection.
  8. Cobalt in steel for structure and magnetism.
  9. Mercury in switches and housing.

eWaste risks

An article at CIO.com says that a firm’s major source of potential eWaste disposal liability comes from the Comprehensive Environmental Response, Compensation and Liability Act (CERCLA), aka the Superfund law. Under Superfund, the U.S. Department of Environmental Protection (EPA) identifies contaminated sites, arranges for cleanup, identifies responsible parties and seeks compensation for the cleanup costs. Many of these sites are landfills where a firm would typically send trash, including obsolete computer equipment.

Once the EPA targets a firm, it can pay the fine or fight the EPA in federal court. The court proceeding could be a costly and time-consuming investigation into the environmental impact of the firm. Firms can be on the hook for all clean-up costs unless they can prove they never deposited so much as a printer cartridge at that site. The Superfund law states that all contributors to a contaminated site are jointly and severally liable for the entire cost of the cleanup.

Michigan eWaste rules

Enhancing the Superfund threats are state laws and regulations that affect the disposal of eWaste. For example in Michigan, Governor Granholm signed Senate Bill No. 897 into law in Dec. 2008. The law imposes a new annual registration tax of $2,000 to $3,000 on manufacturers of computers and related equipment sold in Michigan to fund a take-back program. Producers must pay for the collection, transportation and recycling.

The program is available for small businesses (10 employees or fewer) purchasing new computers and televisions. The take-back program is good for up to 7 units per day, which may recycle covered electronic devices for free. Covered devices include computers, peripherals, facsimile machines, DVD players, video cassette recorders, and video display devices. Printers will be added in 2011. Program collection must start by April 1, 2010. The Michigan Department of Natural Resources and Environment (DNRQ) is responsible for enforcing these eWaste laws. Larger firms are on their own, and there is no current ban on disposal of e-waste. Firms with locations in New York or California face much tougher requirements.

Many firms take the opposite approach to dumping eWaste into the landfill: they retain their out-of-date IT assets. In 2007, the EPA estimated the number of desktop computers, monitors and notebooks in storage totaled over 110 million units. Despite the declining cost of office space, storing obsolete equipment is a waste of money. Storing obsolete equipment creates data loss risks, and any residual value in the equipment will disappear. There are steps a firm can take to deal with e-waste.

Disposal plan

CIO.com suggests the first step in disposing of eWaste is a well-thought-out technology disposal plan. The plan should start with an attorney or an environmental consultant to get a fuller understanding of the risks and opportunities. CIO.com says the eWaste plan should address:

  • A way to track regulatory changes.
  • Develop methods for achieving your business goals in an environmentally and legally sound way.
  • Determine the point at which your waste volume puts you in a more restrictive class of regulation.
  • Evaluate tax liabilities and incentives.
  • Preserve the confidentiality of legal and business-critical information.

The environmental consultant should be able to find alternative options for reusing and recycling out-of-date equipment. They should be able to identify a network of local computer resale shops, nonprofit groups, and government agencies where businesses can donate, upgrade or recycle used computer equipment. According to the CIO.com article, the consultant can develop agreements that shift the burden and financial risks to others who are better situated to manage the issue. One way to defer the eWaste risk is to lease computer equipment rather than buying it. This way the manufacturer is responsible for disposal at the end of the term.

rb-

We have developed eWaste programs and PC life-cycle programs for clients. We try to bring home the problems of storing out of use IT assets including:

  • Wasted money for floor space to store equipment and the loss of residual value, especially with high-end equipment which could be re-sold on eBay.
  • Data protection regulatory and theft risks. After all, who checks on the old servers once they get stashed in the warehouse?
  • Environmental regulatory risks. If a firm stashes away enough obsolete systems, its storage area can change the firm’s EPA status to a hazardous waste generator.


Digital Swiss Army Knife

Victorinox, the firm behind the legendary Swiss Army Knife, has introduced the Victorinox Secure Pro. The Secure Pro has a USB memory stick integrated into it along with the expected knives and screwdrivers. The firm claims it is the most secure USB stick of its kind available to the public. The Secure Pro uses several layers of security to protect the data on it from being stolen.

The security layers included in the Swiss Army Knife include a fingerprint scanner linked to a heat and oxygen sensor. The sensor is capable of determining whether the user’s finger is still attached to a living person – so that a detached finger will not yield access to the memory stick’s contents. Any attempt to forcibly open the Victorinox Secure triggers a self-destruct mechanism that destroys the CPU and memory chip.

The Victorinox Secure Pro uses AES256 technology, together with MKI’s Schnuffi Platform Single Chip Technology. Martin Kuster, CEO of security chip specialist MKI, told InfoWorld, “I’m concerned about the way technology is progressing, with all our personal data going into ‘the cloud.’ Soon everything will go into the cloud – and I don’t like it! Perhaps one day I will have to buy back all this information from eBay!” The security integrates Single Chip Technology, meaning that there are no external and accessible lines between the different coding/security steps, as there are on multi-chip solutions; the firm says this makes cracking the hardware impossible.

Victorinox was so confident of the Swiss Army Knife’s security that it offered a $150,000 prize to a team of professional hackers if they could break into it during the two-hour product launch event. The money went uncollected. Victorinox Secure’s designer Kuster stated, “Life is becoming more digital every day… And yet people do so little to protect their data. The world’s most common password is ‘12345’ – and even encryption can be broken given time.”

“We wanted to create not only a product for today’s modern lifestyle but a new generation of memory stick that had all the values of functionality and reliability that the iconic Swiss Army Knife has come to represent,” stated Carl Elsener Jr., Victorinox’s CEO. “We think of the Victorinox Secure as the digital Swiss Army Knife.”

The Secure Pro Swiss Army Knife was launched 03-25-10 in London, is available in 8GB, 16GB, and 32GB sizes, and will sell for $75 to $270. Additional features include:

  • LED Mini White Light
  • Retractable Ball Point Pen
  • Blade
  • Scissors
  • Nail File with
  • Screwdriver
  • Keyring

David Reinsel, group vice president of storage and semiconductor research at IDC, was on-point when he stated, “It’s a cool product that will capture attention … adoption en-masse by corporations is quite another thing.” Reinsel told Newsfactor.com that there’s no doubt that data breaches are expensive for businesses in many ways. However, so is data on a computer that sits behind an encryption key that only the employee knows, he said. “Hence the age-old issue — corporations (most of them) want to control the encryption methodology and the keys,” Reinsel said. “Any corporate solution would have to allow for some type of master-key so that the company can get at a rogue employee’s data.”

rb-

Mr. Reinsel is on-point: this Swiss Army Knife, no matter the cool factor, is a threat to the enterprise’s data. The size of the device can swallow a whole database, and once it is encrypted with an individual’s key, it is pretty much gone. There is also the risk that some overambitious TSA agent will “confiscate” it if the user forgets to put the knife part of the device in checked baggage.

Despite all of that, the cool factor is high and I want one.


Detroit Least Risky Online City

Symantec has declared Detroit the least risky online city in America. In a joint study with Sperling’s BestPlaces, Symantec released a report, Norton’s Top 10 Riskiest Online Cities: The U.S. cities under the greatest threat from cybercrime (PDF) (03-22-10), ranking the 50 riskiest places in America to be online, and at the bottom of the list is Detroit.

The report indicates that Detroit is the least risky online city, with residents less likely to take part in risky online behavior. Detroit has low levels of Internet access, expenditures on computer equipment, and wireless Internet access. The city also ranked low in cybercrime, wireless Internet access, and Internet access generally compared to other cities. El Paso, Texas, and Memphis were the second and third safest cities, respectively, as reported by eWeek.

Data from several sources were used to determine the rankings. The data came from Symantec Security Response as well as third-party data about online behavior, such as accessing WiFi hot-spots and online banking. Each city was scored across several categories, for example the number of malicious attacks per capita, prevalence of Internet use, and the number of bot-infected machines per capita.

Detroit ranked last in all categories including:

  • Individual cybercrimes,
  • WiFi and hotspots per capita,
  • Annual expenditures per household on Internet Access and Computers,
  • Adult Internet use.

rb-

Up is down and down is up in Detroit. These are not promising statistics for Detroit. The depression, the “global financial crisis,” has ravaged Detroit and southeastern Michigan for the past 11 years. These results are just another indicator of how far Detroit has fallen. Low levels of Internet access and computer equipment purchases, along with slow and limited wireless Internet access, cause the city to rank low in cybercrime. This is just like driving a car: the more you drive, the more risks you take. Until the Motor City gets on the information super-highway, there is little chance of Detroit moving forward.
