Encryption

Largest job search engine should hire a better sysadmin

It seems Monster.com, the world’s largest job search engine, needs to hire a new sysadmin.

For the second time in 18 months, employment search site Monster.com has lost a wealth of personal data belonging to millions of job seekers after its database was illegally accessed.

In June 2008, the Bank of New York (BNY) Mellon reported the loss of unencrypted backup tapes holding details of 4,500,000 customers. Banks and civil servants generally seem oblivious to the importance of storing data in a form that is inaccessible to unauthorized parties. In IT and database development it is standard practice never to store user passwords in the clear, but only the output of a one-way hash function. Hashing is not encryption: there is no key and nothing to decrypt, so an attacker who steals the table can only guess candidate passwords and hash each one. That is also why a bare, fast hash such as the NSA-designed SHA family is no longer considered adequate on its own: a stolen table of unsalted SHA digests falls quickly to a dictionary attack, since one pass over the wordlist serves every user at once. The current standard is a random per-user salt combined with a deliberately slow key-derivation function (PBKDF2, bcrypt, scrypt or Argon2).
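The difference between the two schemes, as an added example that is not part of the original post: an unsalted SHA-256 digest is recovered by a trivial dictionary attack, whereas the salted PBKDF2 record has to be attacked one user at a time at 600,000 iterations per guess. The password, wordlist and iteration count are constructed for the demonstration (600,000 is the figure OWASP recommends for PBKDF2-HMAC-SHA256 at the time of editing, an assumption you should re-check against current guidance).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data, not from any real breach.
PASSWORD = "monster2009"
WORDLIST = ["123456", "password", "letmein", "monster2009", "qwerty"]

# Assumed iteration count (OWASP guidance for PBKDF2-HMAC-SHA256); raise it as hardware improves.
ITERATIONS = 600_000


def sha256_hex(password: str) -> str:
    """The bare 'just SHA it' scheme: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str, wordlist) -> Optional[str]:
    """Dictionary attack on an unsalted digest: hash each guess and compare.

    With no salt, the same pass over the wordlist cracks every user in the
    stolen table, and a fast hash lets the attacker try billions per second.
    """
    for guess in wordlist:
        if hmac.compare_digest(sha256_hex(guess), digest):
            return guess
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. The record is self-describing so the parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted SHA-256 cracked as:", crack_unsalted(sha256_hex(PASSWORD), WORDLIST))
    record = hash_password(PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify_password(PASSWORD, record))
    print("wrong password verifies:", verify_password("monster2008", record))
```

Two salted records of the same password differ, so a cracker cannot reuse one hash computation across users, and the iteration count makes each guess cost as much as the legitimate login.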

In the case of Monster.com, the perpetrators could read all the user information except the passwords, so they sent a phishing email inviting users to log on to a fake Monster page, which handed the crackers the missing passwords. One mitigation would have been to store email addresses encrypted rather than in the clear. That helps only if the encryption key is kept apart from the database (on a separate application server or in a hardware module): an attacker who can read the key along with the data decrypts everything.

This story raises questions about handing a lot of personal information to web sites (online mail, social networking, media storage and so on). Even if the company has a policy safeguarding users’ privacy, all the confidential information is at risk if its servers are not properly secured.


Criminals trading the pistol for the mouse

The Trojan horse concealed Greek soldiers who were to take the city of Troy once it had been brought inside the walls. Instead of being held up at gunpoint, today’s victims of bank detail theft are surreptitiously robbed by a new breed of criminals operating from their basements. As early (in Internet years) as 2000, an insightful article published in Aerospace and Electronic Systems Magazine warned of the vulnerability of online banking. Since 2006, a new breed of Trojans (not viruses: they do not replicate on their own, they ride in on something the user runs) such as Sinowal, Torpig and Mebroot has been used to steal an estimated half a million online banking account details.

It all starts when an unsuspecting web surfer picks up the Trojan while browsing compromised porn or gambling sites. Once it runs, it installs itself in the master boot record of the hard disk, so that it loads before the operating system and flies below the radar of 68.6% of the antivirus products tested (24 out of 35). The Trojan carries a list of 2,700 online banking sites and wakes up whenever the user visits one of them. It then discreetly alters the HTML login form inside the browser to capture the credentials the user types and forwards them to a network of compromised computers, cleverly laid out and constantly reshuffled to make the command-and-control point of the botnet hard to locate.

Security firm RSA alerted the authorities after discovering a database of 300,000 bank account and 250,000 payment card details. Trojans of this kind have affected hundreds of financial institutions around the world.

Needless to say, the vast majority of these Trojans target Microsoft Windows, and they install most easily when the browser runs with write access to the system disk, which in practice means Internet Explorer under an administrator account. A few pieces of malware for Apple OS X have started to appear too. Running day-to-day under an account with limited privileges reduces the risk of a successful infection. Online banking with one-time login codes is far more robust than a static password, though not the 100% guarantee it is sometimes sold as. The bank issues a token (a key fob, a card reader or a time-based generator) that computes a fresh code for every login session. A Trojan can record everything else the user types, but a captured one-time code has already been consumed, or expires within seconds, so it does not let the thief into the account. The caveat is that a Trojan sitting inside the browser does not need the code at all if it simply waits for the legitimate session to open and then alters the transaction the user submits. And of course, someone may manage to reverse-engineer the key-generating devices…
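Why a recorded one-time code is useless to the thief, as an added example that is not part of the original post: an event-based token of the kind the banks hand out, implemented per RFC 4226 (HOTP, HMAC-SHA1 over a counter), with the bank side refusing any counter value it has already consumed. The secret is the RFC’s own test secret so the codes can be checked against the published vectors; the token and verifier classes, the look-ahead window and the replay scenario are constructed for this illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret, used so the codes can be checked against the RFC's
# published vectors. A real token holds a unique secret shared only with the bank.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to 31 bits, reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class Token:
    """The customer's key fob: increments its counter each time a code is shown."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class BankVerifier:
    """Server side (constructed): accepts a code only for counters not yet consumed."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.next_counter = 0   # first counter value that has not been used yet
        self.window = window    # tolerance for codes the customer generated but never sent

    def check(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume this counter and every earlier one
                return True
        return False


def replay_scenario() -> tuple:
    """Customer logs in; a form-grabbing Trojan records the code; the thief replays it."""
    token, bank = Token(SECRET), BankVerifier(SECRET)
    captured = token.next_code()
    customer_login = bank.check(captured)   # genuine login succeeds
    thief_login = bank.check(captured)      # the same code again is rejected
    return customer_login, thief_login


if __name__ == "__main__":
    print("RFC 4226 vector, counter 0:", hotp(SECRET, 0))   # 755224
    print("customer login, thief replay:", replay_scenario())   # (True, False)
```

The window lets the bank tolerate codes the customer generated and discarded, but once a code is accepted every lower counter is dead, which is exactly what defeats the recording Trojan. It does nothing against the in-browser tampering described above, because that attack rides the customer’s own authenticated session rather than replaying a code.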

An EETimes article on security chips quotes an expert explaining how “Most people can’t reverse-engineer a smart card, so the cards are secure enough against most attackers. But both smart cards and memory cards assume that the reader is trusted, and they can be defeated by a malicious reader.”


Choosing secure passwords

This article by Bruce Schneier dates from January 2007, but it remains relevant on the criteria for choosing a password that is hard to guess:

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.
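The “root plus appendage” model Schneier describes is what password-cracking tools actually try first, so a useful self-check is to run your candidate through the same logic. The code below is an added example, not part of the original post or of Schneier’s article: a miniature checker with constructed root and appendage lists and the common letter substitutions that crackers undo before looking a root up. A real tool carries dictionaries of millions of roots; the lists here are just large enough to show the pattern.

```python
# Constructed miniature lists; real cracking dictionaries hold millions of roots
# and long lists of common numbers, years and symbols as appendages.
ROOTS = {"password", "monster", "letmein", "dragon", "welcome", "summer"}
APPENDAGES = ["2009", "123", "01", "1", "!", "!!"]

# Substitutions that cracking tools reverse before the dictionary lookup,
# which is why "P@ssw0rd" is no stronger than "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})


def candidate_roots(lower: str):
    """Yield what a cracker would test: the whole password, and the password
    with one appendage stripped from the front or from the back."""
    yield lower
    for app in APPENDAGES:
        if lower.endswith(app) and len(lower) > len(app):
            yield lower[:-len(app)]
        if lower.startswith(app) and len(lower) > len(app):
            yield lower[len(app):]


def is_root_plus_appendage(password: str) -> bool:
    """True if the password is a root, root+appendage or appendage+root,
    with or without common substitutions inside the root."""
    lower = password.lower()
    for core in candidate_roots(lower):
        if core in ROOTS or core.translate(LEET) in ROOTS:
            return True
    return False


if __name__ == "__main__":
    # Constructed samples: the first three follow the common pattern, the last
    # two put the appendage or the case change in the middle as Schneier advises.
    for pw in ["Password1", "P@ssw0rd!", "monster2009", "mon2009ster", "Drag0nWel!come"]:
        verdict = "guessable" if is_root_plus_appendage(pw) else "passes this check"
        print(f"{pw:16} {verdict}")
```

Passing this check is necessary, not sufficient: it only shows that the password is not in the first few patterns a cracker tries. Length and genuine unpredictability still matter, which is why a randomly generated password stored in a password manager beats any hand-crafted scheme.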


10 golden rules for protecting your digital privacy

Originally published on 13 September 2006, this article has been edited, updated and expanded to feature recent open-source applications and to provide general guidelines on securing digital privacy.

Every week we hear of laptop computers holding critical information being lost or stolen. Most of us don’t deal with classified government data, but we do own and use every day devices and storage media that hold a lot of information about us. They could put your privacy at risk if they got into the wrong hands.

Here are 10 simple golden rules to follow in order to secure your computer and your storage media. Most of these tasks are as mundane as locking your front door or your car, but by combining them you can drastically raise the walls protecting your privacy. All the applications mentioned in this article are open-source, cross-platform and pretty much straightforward (they don’t require a PhD in Computer Science to be used).

Go to the article


Secure your files through data encryption

With the steep fall in price, flash memory has replaced magnetic and optical disks as the universal portable storage medium. Every personal computer user now owns at least one USB flash key. These tiny devices typically hold more data than a CD while taking up less than a third of the volume. The trouble is, USB keys are so easy to carry around in a pocket or on a key ring that they easily get lost or stolen. As more of life is digitized, storage media often carry personal and sometimes critical information, and that is a liability.

Password-manager software has already been discussed on this blog, but the weekly reports of lost and stolen laptops holding critical information raise the issue of protecting files as well as passwords. TrueCrypt, a free open-source disk encryption application (for Windows Vista/XP, Mac OS X and Linux), can create an encrypted container file on any storage medium or encrypt an entire drive. Once the passphrase (and optional key file) is supplied, the application mounts the encrypted data as a virtual drive, and the user browses and moves files and folders around with the ordinary file explorer; everything written to that drive is encrypted on the fly, and once the volume is dismounted only ciphertext remains on the medium. Two practical points: the protection is only as strong as the passphrase, and the volume must actually be dismounted (not merely the laptop put to sleep) before the machine leaves your hands, because the key stays in RAM while it is mounted. TrueCrypt development ended in 2014; its maintained fork, VeraCrypt, can open the same volumes.
