PointSec Disk Encryption comes to the Consumer Market

By James Grant, Team Lead and Senior Developer

PointSec, the product that has been protecting company laptops for years, is now available for the consumer market. Pointsec Full Disk Encryption is the de facto standard among disk encryption products, leading others in independent test results:

http://www.checkpoint.com/products/datasecurity/pc/test-results.html

Companies were the first to see the need for data security as their employees took their work outside the company walls. Increasingly, consumers are choosing laptops for themselves. It is the ideal choice for a student on the go, for example. With the price of laptops tumbling, they are very affordable and they take less space than the big box.

The biggest risk of a laptop is having it stolen. The chance of a college student having their laptop nabbed while they are out is higher than the chance of a home break-in. For most of us, the biggest concerns are the cost of the computer and the setback of losing the information that was on it (I really love USB thumb drives as a backup tool for important information, BTW!). For some, there are privacy and identity theft concerns as well. Did you have private email on there? Pictures? Your taxes? Anything with your social security or financial account numbers or passwords?

All those concerns are gone with Full Disk Encryption, available here in beta:

http://download.zonealarm.com/bin/free/beta/index.html

The "beta" label is on the user interface and packaging part of the software, not the encryption part. The core encryption tool is the same as is in use on millions of computers around the world, including the one I'm using right now!

As soon as we went to beta, I installed it at home .. on my wife's computer. The result: "Hon, I'm getting a new logon screen when it starts. What should I do?" So I wrote the username and password on a sticky note and stuck it to the screen. Hey, my goal wasn't security as much as seeing it work. It did.

As I saw the PointSec product transform into a Consumer product, my fears of total disaster subsided:

  • Firstly, I knew rationally that the encrypting part was the same as what I'd used for years at work.
  • Next, the product doesn't start encrypting until recovery information has been backed up on our servers (the files are encrypted by your password, so they are no use to anyone but you - including us).
  • Lastly, the product helps you burn a recovery CD so if - just if - something were to go wrong, you could boot off the recovery CD and decrypt the drive. Forgot your password? No problem. Contact our Support team, tell them who you are, answer the security questions and they supply a code that unlocks your computer. (In other words, we can help you reset your password, but we don't know your password, so you're truly safe.)

So if you've wanted to keep your laptop private in case of theft or break-in, ZoneAlarm's new FDE (Full Disk Encryption) is what you've been waiting for. Let us know what you think. While it is in beta, we are looking for feedback from you.

Sign on the pad, not paper? Gladly!

By James Grant, Team Lead and Senior Developer

When big stores started using digitizing pads to capture my signature for purchases, I had my usual paranoid reaction. No way! Think of all the ways it could go wrong:

1) My signature is stolen, gets applied to some other purchase, and I have no proof I didn't buy it

2) The store computer captures the purchase amount incorrectly and I get charged $150 instead of $15 for a watch

3) The store charges me twice when I purchased once

4) The store intentionally alters the price and I have no legal recourse

Signing for a computer - it's not the same
The beauty of signing on paper is you sign the same piece of paper that shows your purchase amount. You get a copy, they get a copy. In case of dispute, you each have evidence. The store cannot alter the amount without the risk of a detective discovering the alteration. They cannot apply that signature to another purchase. Also, it is a system that has worked reasonably well for decades and I have already accepted the risk.

When you sign on a pad or a "screen", most of them display the amount of your purchase, but when you hit the "OK" button, your signature gets stored in one computer file and the purchase amount gets stored in another (I expect, though I've never built or audited one of these). From my understanding of databases, I expect all these PoS (point of sale) systems record a transaction, and record the amount and the name of the file that contains the signature.

All four nightmare scenarios are possible
The computers used to handle sales are very much like the computer you use at home. They store information digitally and files get moved around from one computer to another. Sales computers can have software bugs, just as home computer software or voting machines can. I have been accidentally charged twice (it was an over-the-phone order), by an employee using a computer he didn't understand. I have no experience with a store intentionally defrauding me, but I have been a victim of credit card fraud, so it is no stretch to think a criminal would take my signature and use it if they could get hold of it.

So initially, I resisted using the signature pads. I asked to sign paper. At the start, when the pads were new, the stores still had the ability to print a paper receipt for me to sign, so I got my way. I noticed an increasing resistance however. I also noticed how my wife would roll her eyes, so I knew I needed to work out a compromise.

Problem Solved
One day, when asked to sign on the pad, I tried an experiment. I discreetly wrote the purchase price in the corner of the screen and signed in the middle. Accepted! So I kept it up. Before long, I was in the habit of putting the purchase price at the top in the middle and intentionally signing so that my signature overlapped the numbers.

Once I saw that being accepted, I decided my problem was solved. It addresses three of the four worries I listed at the top, and I can't imagine a thief going so far as erasing the numbers in an attempt to isolate my signature - that is pretty extreme.

So for anyone out there who has been nervous about the adoption of digital signature pads, try what I do: write the purchase amount first, then sign over it. 

Do-it-yourself identity theft protection (for extremely attractive people)

By Jordy Berson, Group product manager, ZoneAlarm products
 
It's hard to get away from the onslaught of advertisements for identity protection services on the radio, from your credit card company, and elsewhere.  And to some, paying somebody else to monitor their credit is worth the cost.  Then there's the rest of us, the ones who do *not* get the extended warranty at Sears for the drill we just bought, who don't get the extra insurance when we rent a car, and who simply prefer to take care of matters ourselves and save our money for better things.

Some people call us "cheap."  I prefer "frugal, smart and extremely attractive because of it."  In that vein, here are some ways to take protection of your identity into your own hands - the "Cliffs Notes" version.  If you want the long version, check out the FTC's Web site (link at bottom). 
 
Ways to take care of your own identity:
 
Fraud alerts:
  • What it does: When you (or a thief) go to a store with your credit card, the storekeeper will be notified to double-check your identity before allowing any transaction.
  • When to use them: When you think you're about to be a victim (ex. your wallet was just stolen) and when you know you're a victim.
  • Cost: Free under the federal Fair Credit Reporting Act
  • Types: Initial (90 days, can be renewed) and extended (7 years)
  • How to do it: Call any one of Equifax: 1-800-525-6285; Experian: 1-888-EXPERIAN (397-3742); TransUnion: 1-800-680-7289. Whichever one you call is responsible for contacting the other two agencies on your behalf.

Credit freeze:
  • What it does: Restricts anybody from accessing your credit report.  So if a thief tries to open a line of credit using your name, he will have to check with you first. (Hint: don't let him do it.)
  • When to do it: As a preventative device; or if you're already a victim.
  • Trade-offs: Legitimate access to your credit report, such as when you rent a home, buy a car, or get a new credit card, will require that you temporarily unfreeze your credit report to allow access.
  • Cost: Costs for freezing and unfreezing your credit vary state-by-state and by your status (victim or just a smart guy trying not to become a victim).  Check with your state attorney general’s office or visit www.naag.org.
  • How to do it: Call *each* of Equifax: 1-800-525-6285; Experian: 1-888-EXPERIAN (397-3742); and TransUnion: 1-800-680-7289 (a credit freeze placed at one company is not referred to the other companies.) Beware that the three major credit reporting companies have begun offering credit freezes directly to consumers — for a fee — regardless of whether their state has a freeze law.

Free credit report:
  • What it does: Unlike fee-based services that constantly monitor your credit report and alert you to alarming behavior, this allows you to do it yourself - although not constantly.
  • When to do it: As much as the law allows for free, which is once/year for each company.  So do one of the agencies every four months for the best coverage.
  • Cost: Free every 12 months for each agency.
  • How to do it: Visit www.annualcreditreport.com

Opt-out of free credit card offers:  (This tip comes from we the people at ZoneAlarm, which we got from our id theft partner, who got it from their neighbor, who got it from his dog, who got it from...)
  • What it does: Stops all those free credit offers from getting into your physical mail box. It turns out there's enough information about you in one of those envelopes for someone to steal your identity.
  • When to do it: If you notice strangers digging through your garbage at night. Or if you don't need any more credit cards, you want to be greener, you are extra safety conscious, ...
  • Cost: Free
  • How to do it: Call 1-888-5-OPTOUT (1-888-567-8688) or opt out online at http://www.optoutprescreen.com.

Victim assistance:

Links:

Real World Internet Safety Tips for Using Public Wi-Fi

By James Grant, Team Lead and Senior Developer

I was recently traveling and wanted to keep in touch with both work and the world. I packed my laptop and was off. On arrival, the hotel clerk proudly told me that the hotel offered free Internet over Wi-Fi, no encryption to worry about. Great! I guess...

Confession: I get a little paranoid about security so I'm thinking through all the ways this could go wrong: the person in the next room is going to see all my Internet traffic because it is going over the airwaves like a cell phone call; the person in the next room will try to hack into my computer; the person in the next room will see my email address and I will get more spam. I need a new room! But wait, everyone in the hotel can see my traffic, as well as anyone driving by! Well, the good news is that not everything you do on the Internet puts you at risk.

Using email

The first thing I wanted to do was check email at work. My company uses a VPN to support email access, so I can do that safely. I am free to use a public Wi-Fi link because a snoop will not try to decrypt my VPN traffic to read the emails. The VPN is the strongest link in the chain, not the weakest link.

The next thing I wanted to do was check my personal email at Gmail. There I have to be a bit more careful. I deliberately go to https://gmail.google.com (instead of http://...) because then Gmail gives me an encrypted connection (safe). If I just typed gmail.google.com, my login would be encrypted, but the emails I read and wrote would be unencrypted and any snooper could see them! Remember: whenever you see "https" at the start of the link in your browser, it means you're a lot safer than "http".

Checking online news

With that done, I wanted to check the news. Now I personally don't care who knows what news articles I read, so I freely went to my favorites:

www.news.google.com, www.theregister.co.uk.

Using Facebook

Then I wanted to check what was happening at Facebook. Darn. That's where I caught myself and chose to wait. Facebook encrypts the actual login, but after that it isn't as safe. Snoopers could learn the email address I use to log in as well as my profile ID (every Facebook member has a unique profile ID).

They also might be able to get my "session token": information that lets them connect to Facebook as if they were me. I could be wrong, like I said, I get a little paranoid. So I did not connect to Facebook over the unencrypted Wi-Fi.

Banking and other private activities

What else would I not recommend in a public setting?

- banking - even if the connection is encrypted, I reveal what bank I use

- online investments - same as banking, only more money at stake

- private activities: IM, political activities, porn (no, I'm not confessing anything here. It's you, Dear Reader, I am thinking of!)

Avoid all of these things on unencrypted Wi-Fi, unless you use a service like Anonymizer Anonymous Surfing. With a service like Anonymizer, everything works the same but your network traffic gets routed through their server using an encrypted connection. Snoopers can't tell where you're going or what you're sending.

What about public computers?

A final note about using a public computer (library, conference, hotel, etc.) I would not log on to any account of mine on a public computer, even if it were an encrypted https: website. The computer might have a virus or other tool for logging everything you type. Think of a public computer as having the public looking over your shoulder.

Waledac Valentine's Day attack stopped by ZoneAlarm ForceField. Are we the only ones?

By John Gable

Another Valentine's Day special.

You may have been reading how the Waledac botnet, a successor to the Storm botnet, has come to haunt your Valentine's Day.

This botnet is running a Valentine's Day "campaign" soliciting people with phony Valentine's themed e-mails and greeting cards. When users click through to a Web site to receive their messages, malicious software is silently and automatically downloaded to their computer. The malicious software can do any number of nasty things such as logging and transmitting everything a user types, stealing their credit card numbers and online passwords, and turning their computer into a launch pad to attack others.

With over 1000 variants in just one day, this is very hard to stop.  Perhaps impossible to stop for typical antivirus software that relies on lists of known threats.

This is yet another example of how important browser security has become.  We need to stop attacks like these at the point of entry - the web browser - and prevent that malware from getting onto the PC in the first place.

Thank you ZoneAlarm ForceField.  Just add ZoneAlarm ForceField to IE or Firefox, and you will be protected from attacks like this.  Our browser security prevents this and other attacks from hacking your PC by keeping the browser inside a "virtual sandbox" where malware cannot access your system.  It also includes other powerful browser defenses like dual-engine anti-phishing (signatures and heuristics) and more.

Question:

So far, ZoneAlarm ForceField is the only mainstream consumer security product I can find that blocks this attack and the other Waledac botnet attacks starting on day one.  Anti-spam should block some or most of the spam that initiates this attack, but it is rarely 100% reliable.  Good internet sense may stop you from clicking on the link, but who knows, maybe you do have a Valentine somewhere that loves you.  There are some techy PC virtualization and sandbox software programs out there, but they are too cumbersome for most people.

Is there a better way to block this attack?

PS.  If you want to learn more about the Waledac Valentine's Day attack, the Waledac botnet or Storm botnet, these are my favorite posts on the subject:

Malware Writers Use Multiple Botnets to Spread Valentine's Day Heartache - eWeek, by Brian Prince

Another Waledac Valentine's Day Spam Run Has Started - MX Logic IT Security Blog

New And Improved Storm Botnet Morphing Valentine's Malware - Dark Reading, by Kelly Jackson Higgins
Why PhoneFactor is better than a "Security Key"

There's a website we all know that offers a "Security Key" to provide an added layer of security, beyond the email address and password. While this is great in principle, it is undermined by giving users a way around it if they "lose" their Key. PhoneFactor, on the other hand, is a lot harder to lose and abuse.

The Security Key I'm thinking of displays a 6-digit number that changes every 30 seconds or so. The website at which you type the number code knows what number your key is supposed to be showing, so it knows when you type in the right number. To the rest of us, the numbers appear to be totally random and the next number can't be figured out based on the numbers that have been shown so far. That's a good layer of security because if you type in the right number, it's pretty clear you must be holding the Security Key. A hacker around the world might fool someone into giving their email address and password (phishing) but if the website then demands a 6-digit code, they don't have it.

If it ended there, I would be a big fan of the Security Key and I'd buy one. But it doesn't end there. The website has to handle the predictable case that someone will lose their Security Key. The website I'm thinking of has the answer in their FAQ. If you lose your Key, you can still log in, they'll just ask some security questions. What kind of question would that be? Typically, they are "What's your mother's maiden name?" or "What's the last 4 digits of your credit card?".

Now those are answers that are in reach of hackers half-way around the world! My mother's maiden name is no secret. A hacker that can trick someone into giving their password on a phishing site might also trick them into entering the credit card they use. The difficulty of getting these answers is much much less than the difficulty of guessing a continually changing 6-digit number. So in the end, the layer of protection added by the Security Key is no better than the layer of protection added by typing in answers to "security questions".

Take a look at PhoneFactor now.

Step 1: Enter your usual username and password.

Step 2: Instantly, you receive a phone call. Answer and press #.

A hacker around the world can't press # on your phone, so they can't use your account. It's a lot harder to lose your telephone than a Security Key and if you do, you've got a lot more motivation to replace it anyway and not just switch to "security questions". So there are three real benefits to choosing PhoneFactor:

1) You don't have to buy a Security Key,

2) You don't have to carry around a Security Key, and

3) The website doesn't need a weaker substitute that neuters the whole system.

The Criminal Information Economy

A combination of spyware and information brokers will revolutionize the opportunities for criminals. All useful information available to spyware will be archived and sold in lots or through searches, facilitating targeted crimes such as theft, blackmail and espionage.

Spyware started off with specific goals, such as tracking what websites a person used or logging the keyboard for passwords. There are many pieces of useful information to criminals, however, and any missed opportunity can be considered missed revenue. Now that spyware has an economic goal, making it gather all information will be the way of the future. Another approach to spying is the theft of information on unsecured wireless networks. Well-placed sniffers will gather some of the information available to spyware resident on the computer. The next step is to monetize this information for the controller of the spyware. Just as governments and companies store increasingly detailed information on citizens/consumers, it makes sense for criminals to do the same.

Let's consider an organization called Anti-Google (motto: Be Evil). It plants no spyware itself, it just buys information from those who do, paying through PayPal perhaps. What would it buy? Anything it could sell:
- accounts/passwords (bank, email, eTrade, eBay, PayPal, porn, corporate networks, cell phone, ...)
- websites visited (including those you wouldn't want your spouse to know about)
- email, IM and VoIP conversations (including those you wouldn't want your spouse to know about)
- search results related to consumer goods, e.g. possessions

The final stage is the sale to all those who can use this information to ply their trade:
- the burglar pays to find houses with jewelry, laptops, credit cards, passports, ...
- the private eye pays to catch the adulterer,
- the blackmailer pays to find the skeletons in people's closets,
- another online broker sells accounts and passwords,
- companies will spy on their competition,
- governments who are willing to wiretap their own citizens will find this service irresistible and will pay for the information of use to them

Now consider what you've used computers for in the last year. Enumerate the information you've shared with your keyboard, mouse and network cable. Ask yourself how you would respond if each of those were being stored in a criminal database and then got exploited. If each stage of this scenario is logical and economically beneficial to each party, then neither laws nor ethics will stand in the way and it is only a matter of time before it happens.

ID Theft Protection Gone Too Far?

ID Theft is obviously becoming more common, however, we must take care to ensure the solution is not worse than the disease. As I pointed out in another posting, some protections can go too far or be a hindrance to investigating ID Theft itself.

Here is a well researched article on ID Theft protections possibly going a bit too far. In this case, the buyer of a new car was instructed to provide a thumb print to a private company (the car dealer) to complete the transaction:

Imagine you’ve gone through a multiple week process to purchase an automobile.

You know the drill. Research every feature, pick your color, then, it’s negotiations for purchase price and for trade-in. Everything is done and agreed-upon, and excited, you are ready to hand over the check and collect your new car.

But wait!

You are handed a slip of paper and told to mark your right thumbprint in a box. The paper says clearly that it’s a request, for your protection, and to prevent your identity theft. [read the rest here]

Is this going too far to prevent ID Theft? How do we know what is or isn't too far when we want to be protected?

Two Interesting Credit Card Reports


I came across two interesting posts regarding credit cards in the past two days and wanted to pass them along. The first is regarding credit score calculations (FICO Score). As you probably know, this score determines many things:

  • How much interest you might pay on large loans (mortgage, auto, boat)
  • Your credit worthiness as seen by other agencies
  • Prices for auto/homeowner insurance

The first article explains what types of activities impact your FICO score and looks at some common mistakes. These mistakes include:

  • Canceling old credit cards
  • Staying current on “most” of your cards
  • Having too many open lines of credit

The second article provides 50 Fun Facts About Credit Cards (credit cards and fun? Paying interest on borrowed money is not my idea of fun ;) and contains both good information for credit card users and some interesting trivia. Here are a couple very important points from the article:

  • If you have multiple balances with different interest rates on one card, payments are generally applied to the balance with the lower interest rate. You will have no choice in the matter and you cannot request it be made to the higher balance. So if you have a $100 balance at 19.99% and a $5,000 balance at 4.99%, your payments apply to the $5,000 at 4.99% first. A note about this will be in your agreement.
  • Each American household receives approximately 6 offers a month. The typical response rate is .33% (one third of one percent). You can opt out of these mailings via OptOutPrescreen. [plus, this reduces junk mail, prevents bad guys from getting the offer and submitting it]

Since it's the start of the new year, it might be a good time to commit to closer management of your credit information, including a review of your current credit report.

Tearing up Your Credit

What happens if you tear up a credit card application, tape it back together and send it in? Someone did just that to see if it would be accepted -- read on to find out what happened.
