Archive for the ‘Security’ Category

« Older Entries

On The Fly Encryption (OTFE)

Tuesday, October 28th, 2008

If you are not encrypting your hard disk contents, your files have NO protection outside of the operating system.  It’s as easy as booting from a CD and copying your files directly from the hard drive to steal your personal data.  Your files are NOT secure.

If you are ecrypting files on your Windows NTFS partition using the built-in encrypted file system (EFS), your files are NOT secure.

If you are on a network domain at work, do you know that by default your system administrator can decrypt your EFS encryped files?  The administrator has a shared key.  In fact, your administrator can even disable the feature, not allowing you to encrypt files at all.

EFS is only as secure as your login password.  If someone finds out what your login password is, they can login as you and access your encrypted files.

If you leave your computer turned on and logged in, there is software that can steal your session key and decrypt your files.

Basically, EFS is very breakable.  Do not rely on EFS for security.

Instead, you should use a robust On The Fly Encryption (OTFE) system that includes session timeouts.

On The Fly Encryption works similar to EFS, except that you can mount OTFE file systems as partitions (the partitions appear as drive letters on your system).  When you want to access files stored on the OTFE mount, you simply start a session by entering your secure password.

The files are decrypted and encrypted in real time.  State of the art OTFE systems will automatically expire your session after a specified time period.  The OTFE partition is stored as a single file on your hard drive and lacks any file signatures, so nothing can be guessed about the encrypted partition.

TrueCrypt

TrueCrypt is the leading open source OTFE system.  TrueCrypt allows you to set automatic session timeouts–the shorter the better, and TrueCrypt uses AES and other very strong ciphers for encryption.

TrueCrypt also blocks write access to unencrypted file systems while your session is open to avoid you accidentally writing your secure data to the unencrypted system.  TrueCrypt even includes a feature to disable Windows paging, preventing Windows from using the hard disk as virtual memory, which could lead to unencrypted data being stored in the system cache.

TrueCrypt is cross platform and available on Linux and Windows, with precompiled binaries available for Windows.

If you wish to keep your data away from pyring eyes, use OTFE for secure storage of files.

Tags: , , , , , ,
Posted in Security | No Comments »

Properly retiring old web pages and software

Wednesday, August 6th, 2008

If you don’t properly retire old web pages and software on your website, bad things can happen.

Recently, we hit the file quota limit on our Brawny Lads site.  There are two quotas in place for our web hosting account:

  • Disk usage
  • Number of files

Our quota limits us to 100,000 files, which seems like it should be enough.  However, we hit the limit, which prevented me from receiving emails or even checking my mail via the web mail system.

I searched for new files and found that there were many new files in our old forum’s folder.  We used to run Ikonboard for our forum, but we retired that forum when we moved to phpBB.  Ikonboard doesn’t use a database, so each new post creates one or more new files.

When our webmaster made the switch, he changed all of the links on our site from the Ikonboard forum to the new forum.  Basically, he hid the old forum by removing all links to it.

So, how were we still receiving new posts, all of which were spam? 

Ikonboard was installed in the default Ikonboard folder, which is /cgi-bin/ikonboard.  Apparently, some spam bots were accessing that folder directly rather than spidering through our website to find the forum, or they found the old forum by following an outdated link from another website.

Dangers of simply removing links

So, when you retire old software or web pages from your website, it’s not enough to simply remove the links for the following reasons.

  • You may miss a link
  • Other websites may be linked to it
  • Once a spider visits and archives your site, that link may always be remembered
  • Default locations are well known

Proper removal of web pages or software

When it’s time to retire an old web page or software, it’s best to do one or more of the following:

  • Delete it completely
  • Rename the folder or file to a new, unguessable, name
  • Change the permissions so it can’t be viewed or run

Software that you leave laying around, thinking that you’ve properly retired it, may be a serious vulnerability, especially if you no longer keep it updated.

Tags:
Posted in Computer Maintenance, Security, Web Administration | No Comments »

« Older Entries