Security Essentials 2010 is not good for your computers health.

Most of you who visit my blog on a regular basis will be familiar with Microsoft Security Essentials, its Microsoft’s free AV & Malware scanner and its not half bad.

Well now there is another version… Security Essentials 2010. Its not so much about cleaning up your system, its more about the screwing up your computer and charging you for the privilege. Its the usual scamware type software we have seen before on the AV front, but this one seems to be rather successful with such a similar name to Microsoft’s offering.

Below are some screen shots of the scamware, and the real Security Essentials offering to help you tell the difference. Remember, if its asking you to pay, then step away.

The real Microsoft Security Essentials:

Fake Security Essentials 2010:

If you have been unlucky enough to install this scamware, then you may notice you are unable to visit any of the common legitimate AV software vendors to help clear up your system, as well as other popular sites that you may visit. I would recommend you use another computer to download a free AV solution like Microsoft Security Essentials or Avast and then install on your computer to clean it up.

So for now, remember if its to good to be true, it usually is.

Security Bloggers Meet Up, proposed 27th April near Earls Court London

Security Bloggers Meet Up Website.

If you going to be in the Earls Court London area on the 27th April, and your a security blogger, then the Security Bloggers Meet Up is going to be the place to be.

An excellent time was had by all last year around the same time as RSA, and I hope this event to be as good if not better.

So if your interested, check out the site and follow as this progresses and register your interest.

Hopefully see you there.

DESlock+ Enterprise Review

Last year (2009) I got a call about reviewing a Full Disk Encryption product called DESlock+. I had not heard of the product, so a quick search later and more information was revealed. As encryption is an import consideration for users at home and within an organisation, and I had been looking at a few vendors for my day job I thought it would be some time well spent, and may be of use to some of you guys.

DESlock+ Enterprise is the product I am going to be look at, and its made by a company called DES. DES were founded in 1985, and the companies systems and methods originated within the British Government Communications Headquarters. The original users of DES products were government based, but over time have spread into other sectors. Over the past twelve years DES has also marketed the DESkey and DESlock range of software protection products. With an estimated 500,000 units in use throughout the world to date, sales of the DESkey continue to grow.

  • Full Disk Encryption
  • Removable Media Encryption
  • Encrypt Email, folders and files
  • Multiple encryption keys stored in a keyfile
  • AES, 3DES, Blowfish Algorithms
  • Encrypted mountable files
  • Secure data shredder
  • Keyfile backup utility
  • Scalable centralised licence and key management
  • Remote keyfile distribution
  • Software feature policy control
  • Includes DESkey USB manager tokens

When reviewing encryption products its can often be a difficult task. Lets face it the most important thing an encryption product can do is encrypt, if it doesn’t do that then we are in a pretty bad situation. So you will be happy to hear DESlock+ does encrypt and it works in a no nonsense way so with that in mind we are off to an excellent start.

To speed up my review Jamie Gordon (excellent guy) sent me a Windows 7 Virtual Machine with the DESlock product pre-installed, as like everyone getting the time to have a look at a product can be difficult. So the starting situation is essentially this. We have a Windows 7 client machine that has DESlock+ installed, and connecting back to DES HQ. The client gets its policy applied when we start up and authenticate for the first time, and we have various options available to us, but the Full Disk encryption has not yet been applied, our friend Jamie takes care of that for us remotely later.

I have a hell of alot of screenshot, about 120 or so, obviously I don’t want to post all of these, so as part of this review I will give an overview of whats going on, various configuration and functional options. I can tell you now the best thing for me about DESlock+ is it does what it says on the tin, with no fuss, and you don’t need to be a rocket scientist to configure your policy and get it up and running. I will basically show the shredder options, encrypting individual files, removable media and of course full disk encryption.

So to get things started we boot up our VM. Its important to remember that normally in an enterprise environment you would normally be logging onto a domain, however in this example this is not the case. So any credentials are not resolved from my domain credentials, its needs to be done manually. So I need to authenticate myself with the DESlock+ Enterprise Server using a one time password to get things started.

Once authenticated we need to change the password.

So now we are presented with the Desktop to go about our daily duties. Its worth noting we have the features of DESlock+ available to us now, but we have not yet had our hard disk encrypted.

So everything looks as normal, although we have the DESlock+ Shredder, and a couple of new icons in the task bar.

I will add a picture montage at the end of this review that shows various screen shots, so if you want to know what happens when you look further at these properties you can check them out.

So lets see what happens when I plug in a USB stick (A Dell branded 64Mb in this case). DESlock+ detects the USB device and prompts to do its thing.

So lets kick off the removable device encryption.

Encryption Completed.

Once the drive was encrypted a put a couple of files on there, ejected the drive and tried the stick on a windows machine, linux and Mac. All found the drive to be unreadable, so no chance at getting at that data. So good stuff.

So next I decided to decrypt the drive, and then try just encrypting a single file.

So now we create a file, and right click for our encryption options.

Once the file is encrypted the remainder of the stick was still usable, but as expected the encrypted file is not accessible. Obviously files can be encrypted like this locally, as well as on removable media. This allows for some versatile application, whilst ensuring control and protection over your data.

Of course for that little bit of additional protection its a good idea to securely erase files when your done with them, and this brings us along to the DESlock+ Shredder. You can choose how many passes you want to make when erasing the data, and choose between two methods.

So we know we can encrypt our files as needed, and we can securely erase them also. So the next thing to get sorted is obviously full disk encryption.

There is an option to encrypt using a local wizard, and an activation code you get from the administrator. I did have a look at this option as the screen shots below show. However I decided to go the remote route as this is an enterprise offering, and see how it works from the admin console.

As you can see above. If we had an authorisation code from our admin, we could kick off the full disk encryption ourselves.

So now lets take a brief look at what we see as an administrator from the DESlock+ Enterprise console.

Once we are in the admin console we have access to the various configuration options. We have the ability manage both DESlock vouchers (these control what you can or cant do based on what you have purchased) and users of the system. From a day to day perspective this is probably where you will spend time verifying what accounts are created, active machines and so forth when your first getting set up. Then there is the profiles section, this does what it says on the tin. It allows the for creation, modification and assigning of encryption profiles. Next is the Enterprise server section, this shows the user details and associated machine, when they last connected, keyfiles in use etc. The full disk encryption section is fairly obvious, this where you manage the FDE of machines in your environment. We then have the encryption keys section, this is a useful section as you can create multiple encryption keys for different parts of your organisation, to give extra levels of control. Finally the install admin section, this pulls various information together to form a registry key that is applied as part of the product install on client machines.

I viewed this section remotely with the DES guys, so I didn’t have time to have a proper play myself, but I did take some snapshots that you can see towards the end of the review.

So whilst viewing remotely, Jamie kicked off my remote encryption of my VM machine. It worked a charm with no fuss. My machine connected with the remote server, downloaded configuration updates, and then started encrypting. I even rebooted mid encryption as a test and it resumed once logged in.

So here are a couple of snaps to show what’s going on at the client end.

Now lets reboot.

Job Done 🙂

Wrap up and thoughts….

So we have gone through the motions, seen some screen shots, but is it actually any good. Personally yes I think it is. For me when it comes to encryption products it can be a difficult evaluation process, because lets face it if its encrypting our data in a secure method its ticking the box. I think what makes DESlock+ a good product is that its simple. I don’t mean that in a negative way at all, the product does what it says on the tin. It encrypts files, removable media, full disk encryption as well as emails and other bits and bobs I was not able to spend time in testing, and it does it in a professional no fuss approach. The menus and clear and simple to understand, policy configuration is easy and flexible, I like the fact you can use different encryption keys in different parts of the business, and for different users, this gives an extra level of access control. I like how easy it is to revoke access to encrypted files and devices in the event of loss, and I like the challenge response stuff for when people forget passwords and I like the secure deletion with the shredder.

I would certainly make organisations (especially SME’s) I work with aware of DESlock+ as well considering their similar home offering to family and friends who just want to encrypt files and don’t need FDE. However as with everything I had a few gripes with the product whilst reviewing. Its great that you can encrypt removable media, but its abit frustrating you cant share the content with non DESlock+ customers (they now have an offering for this coming soon), and I have seen some other products that allow custom configuration messages for users screens, this isn’t a major one for me but its a bonus sometimes. Lastly its my understanding that the product itself does not support distribution across the organisation, so you need to utilise some other tooling to package up and distribute DESlock+. None of this stops me thinking its a good tool, just sharing my thoughts. It is also worth noting the DESlock+ products only work on W2K upwards, so no support for Linux and OSX.

Since I have completed the review DESlock+ has been FIPS 140-2 validated, so congratulations and well done to the guys on that achievement. They have also made a product available called DESlock Reader which will allow non DES customers to decrypt emails, and files that have been encrypted with DESlock+ (obviously you will need to know a pre shared password to decrypt), this something that can be enabled or disabled at a policy level if you don’t want everyone having the ability to potentially share data outside the organisation. Another product is in the pipeline that should be out later this month, and this is DESlock+ Go. This product is all about encrypting removable media to share with 3rd parties in a secure manner. The 3rd party doesn’t need to install any software, it all runs from the encrypted package, and if its writable media such as a USB device, the 3rd party can even write data back to the device to share securely back with the original DES user. Finally they also have an MSI configuration in the pipeline that I think will help with the installation and distribution of the product, especially in larger enterprises.

For pricing your best of contacting DES yourself, but its my understanding the Home versions are about £45, which just provides secure file encryption (not FDE). Business Desktop licences start at around £75 for small numbers of licences and then decrease in cost as the number of users increases over 1000, and the Enterprise Server is about £250. Maintenance is also available at additional cost as needed.

Picture Montage


Information Commissioners View on using Personal data for system testing

Following on from my recent post on “Doing the right thing when testing with production data“, I was discussing my frustation with a colleage at work and they told me to take a look at a copy of the the “Data Protection: Guidelines for the Use of Personal Data in System Testing” document. We had an old copy, and this is a statement from the ICO, in 2003 I believe. There is an updated 2009 version, but I dont have access to this, so I am unable to comment. Either way its a useful snip it to share with everyone.

The Information Commissioner’s view
The ICO advises that the use of personal data for system testing should be avoided. Where there is no practical alternative to using ‘live’ data for this purpose,
systems administrators should develop alternative methods of carrying out system testing. Should the Information Commissioner receive a complaint about
the use of personal data for system testing, his first question to the data controller would be to ask why no alternative to the use of ‘live’ data had been found.
Key risks in system testing There are a number of general risks that exist whenever system testing is undertaken using live data and/or a live environment.

These are as follows:
• unauthorized access to data;
• unauthorized disclosure of data;
• intentional corruption of data;
• unintentional corruption of data;
• compromise of source system data where appropriate;
• loss of data;
• inadequacy of data;
• objections from customers.

There will of course also be sector-specific risks peculiar to each individual business, each type of business and each particular system.
Before commencing any system testing, it is advisable for the data controller to undertake a risk assessment identifying the nature of the risks that apply, their
possible impact and planned handling strategies.

A cautionary tale
The view is sometimes expressed that system testing poses no real data protection problem, as it takes place all the time with little apparent detriment
to individuals. The following case study, which is based on a true complaint received by the Information Commissioner’s Office, shows that the use of ‘live’
data to test systems can indeed cause very real problems for individuals. A pupil was away from home at boarding school. The pupil’s parents received a
letter from the local hospital informing them that their daughter had been involved in a road accident. In fact, there had been no accident, but the hospital
had been using live patient data to test a system for sending out letters to patients.

UK Organisations still struggling with PCI:DSS Compliance… Time for fines?

Apparently only 9% of the UK’s level 1 retailers are confirmed as being PCI:DSS compliant, and most of these are virtual retailers, who most likely have a slightly easier task at becoming and demonstrating compliance.

So with the fact that organisations still seem to be lacking, VISA and MasterCard are apparently taking steps to up their game and apply some more pressure / persuasion. I know what your thinking, most likely the same as me. We have heard it all before, and with disclosure being the way it is we dont get to hear about it anyway.

So what does this mean. Well the fines are starting to flow, many organisations are being fined (apparently a little under half a million a month), as well as taking steps to prevent acquirer hopping which is common if an organisation is getting to much hassle, they simply jump ship to another. Now if organisations are suspected of doing this to dodge regulation they are effectively black listed.

Of course I cant prove this is happening, same as no one else can because disclosure laws dont allow for it, and companies are not going to be actively publishing this on their sites, and customers I have worked with obviously share information under NDA.

All you can be sure of is the fact that companies are making progress, but its slow and non impressive, and obviously isnt a big enough priority. To provide encouragement fines are and will continue to be handed out, and they will be increasing. It can sometimes be hard to find out about the fines, so here is the current schedule of fines, correct on 2nd Feb 2010.

Fines are represented in US Dollar and Euro respectively

MasterCard fines for non compliance are:

Level 1 & 2 Merchants

  • First Violation – Assessment Amount: Up to 25,000
  • Second Violation – Assessment Amount: Up to 50,000
  • Third Violation – Assessment Amount: Up to 100,000
  • Fourth Violation – Assessment Amount: Up to 200,000

Level 3 Merchants

  • First Violation – Assessment Amount: Up to 10,000
  • Second Violation – Assessment Amount: Up to 20,000
  • Third Violation – Assessment Amount: Up to 40,000
  • Fourth Violation – Assessment Amount: Up to 80,000

Visa expects level 1, 2 and 3 merchants to demonstrate that they are actively engaged in the programme to become compliant. A merchant will not be at risk from Visa fines for non-compliance if they are compliant with milestones 1-4 of the Prioritised Approach

  • Confirmation of compliance not received within 30 days of notification letter
    – Assessment Amount: €5,250
  • Confirmation of compliance not received within 90 days of notification letter
    – Assessment Amount: €10,500
  • Confirmation of compliance not received within 120 days of notification letter
    – Assessment Amount: €26,250

The merchant will continue to be assessed €26,250 every 30 calendar days until compliance is achieved

Further fines will be applied if you suffer an actual data compromise and are found to be non compliant with PCI DSS.

Fines for Merchant Data Compromise

MasterCard fines for an account data compromise consist of several elements:

  1. Case Management Fee – this fee goes towards recovering costs related to administering ADC events, and is based on the type and complexity of the case, along with the number of cards involved. The minimum fee ranges from USD 2,500 to USD 150,000.
  2. Forensic Investigation – the merchant may be required to engage a third party forensic investigator at their own cost, in order to investigate the cause and extent of the problem.
  3. Dependant on the number of cards compromised, card issuer losses, and monitoring costs, further charges may also be passed onto merchants at MasterCard’s discretion.
  4. MasterCard also retains the right to charge for other costs relating to the ADC investigation, such as legal fees.

Visa fines for an account data compromise are:

  1. Sufficient remediation would be satisfied through demonstration that the following PCI DSS requirements have been implemented:
    1. Remove sensitive authentication data and limit data retention
    2. Protect the perimeter, internal and wireless networks
    3. Secure applications
    4. Protect through monitoring and access control
    5. Removal of CVV2 data must be achieved with 30 days
  2. The initial fine assessment of €2,500 would only apply for compromises notified to acquirers until October 31 2009 and will also apply to e-commerce merchants in Level III in the same period.

  • Visa may also pass on issuer reimbursement of fraud losses which is unlimited and dependant on each individual issuer’s claim.

Do the right thing when testing with production data

I thought I would write a post about organisations not doing the right thing (in my opinion) when they are using production data for carrying out testing. Perhaps I am alone on this one, and I would appreciate any feedback and opinions in the forms of comment.

Now when I talk about production data, I am talking about data that could be considered personal or sensitive data. This could be credit card information, bank details, national insurance number, address, date of birth, medical records, sexual preference, etc. All of this data would be considered highly valuable to a criminal /  fraudster, and as a result should be considered a significant business risk, not to mention the compliance implications regardless of the industry the organisations operate in.

So with this in mind, why is it that so many organisations seem to think that serious consideration doesn’t need to given when it comes to the protection of data when its comes to using production data in a testing environment. Now I fully understand the value of using production data, and the possibly improved quality of testing that can be achieved, however this data shouldn’t be used as is. This data should be removed and sanitised to make it anonymous / de-personalised. This ensures that should the data be compromised, or not cleaned down appropriately or migrated into production this is no real world impact. Also I think we all know that test environments are not often a full representation of a production environment, especially when it comes to security controls.

I have seen this happen in organisations and it can have a real impact on an individual. Put yourself in this situation. Perhaps an organisation who offers health insurance is testing a new premiums engine. They use production data, and kick off testing, changing various parameters, including illness information, and decide to test the impact of having a sexually transmitted disease. Testing then completes, and by some error information is migrated back into production. Next thing the customers knows is they receive a letter saying they can no longer be offered insurance due to being a sufferer of HIV. This information will have been linked with other databases of other organisations, and the domino’s begin to topple.

When we think how something might impact us as an individual we tend to take a little more ownership and care, and I think this is something lacking in alot of organisations. I am not saying creating test data or converting production data for testing purposes is a trivial process, but that doesn’t mean its something that shouldn’t be done. There are various tools and scripts available to do the necessary to production data, and some companies also offer off the shelf test data that may be appropriate.

So next time your involved in testing, make sure you do the right thing. Understand what the goal of testing is, and what the results might look like. Review the data sets that are relevant and the risks and exposures may bring. Then as appropriate do what is needed to mask, scramble, randomise and de-personalise the data. During testing ensure access levels are appropriate, and the necessary logging is in place. Then when all the testing is completed, follow the appropriate steps to clear down the environment ready for next time.

Ideally all this would be clearly defined in security and testing policies and processes, but regardless you will know you are doing the right thing, and this will also help greatly with meeting compliance and regulatory controls. Its probably not considered that this occurs from a consumer level, but doing the right thing could also be considered a marketing benefit.

So rant over, maybe you agree, maybe you don’t, but I would be interested in your comments.