Wednesday, 27 July 2011

Insider Threat: Your Data Is For Sale

Security firm SailPoint released the results of a recent survey that shows that your corporate information may be for sale.  The SailPoint Market Pulse Survey examined the current state of employee compliance with corporate policy related to private and sensitive data.

Here's what they found:
- 22% of US, 29% of Australian and almost half (48%) of British employees who have access to their employer's or client's private data, and who answered the question, indicated they would feel comfortable doing something with that data, regardless of whether that access was intentional or accidental.

- 10% of American, 12% of Australian and 27% of British employees with access admitted they would forward electronic files to a non-employee.

- 9% of Americans, 8% of Australians and 24% of Britons in these same groups admitted they would copy electronic data and files to take with them when they leave a company.

- While only 5% of American and 4% of Australian employees with access who answered the question selected this response, an alarming 24% of British employees with access said they would feel comfortable selling data.

- 15% of American, 29% of British and 18% of Australian employees use their mobile devices to access their company's private intranet or portals.

Ed. Note: At those levels in Britain, I would think twice about storing more data than absolutely required in Britain if I didn't have to.


Tuesday, 26 July 2011

Ontario Cancer Screening Records Go Missing

Ontario's Privacy Commissioner is looking into reports that the whereabouts of up to 15 screening activity reports are unknown.   These reports contain the Personal Health Information (PHI) of up to 6,490 Ontarians.

The Privacy Commissioner's office is still investigating the status of 11 other reports that could jeopardise the PHI of another 5,440 individuals.

The records contain information such as names, birth dates, gender, health card numbers and cancer screening test information.   The whereabouts of the documents have been unknown since they were sent to doctors in February and March 2011.

"Medical test results rank among the most sensitive personal information about an individual," said Commissioner Cavoukian. "I am astounded that such a loss could take place. The first step is to minimize any harm by locating as many of these reports as possible. As part of our investigation, we will be looking at steps that can be taken to ensure that this type of breach doesn't happen again."

Notification to potential victims will be sent in the coming weeks.

Ed. note: It's rather scary that at the moment, we don't know if the data has actually been lost in transit or simply misplaced upon being received.  What we do know is that the information lost pertains to individuals ranging in age from 50 to 75 years old.  That is a prime target age range for scammers and fraud artists.




Admin Notes: Domino and Encryption

I often find myself running for this information, and I'm going to keep it here.   That way, it may benefit someone else as well.

Lotus Domino Server/User ID

- RSA public-key ("dual-key") cryptosystem for the ID's key pair; RC2, RC4 and AES as the symmetric algorithms for encrypting data

- RSA keys can be at any of the following strengths:

    - 630 bit (Domino R6+)

    - 1024 bit (Domino R7+)

    - 2048 bit (Domino R8+)

- RC4 algorithm key

    - 128bit (Domino R6+)

- RC2 algorithm key

    - 128bit (Domino R6+)

- AES algorithm key

    - 128bit (Domino R8.0.1+) (Required for FIPS)

    - 256bit (Domino R8.0.1+) (Required for FIPS) 

Lotus Network Encryption

- RC4 key

    - 128bit (Domino R6+)

Local Database Encryption

- RC2

    - 128bit (Domino 6+)

- AES

    - 128bit (Domino 8.0.1+ based on UserID/ServerID encryption level)  (Required for FIPS)

    - 256bit (Domino 8.0.1+ based on UserID/ServerID encryption level)  (Required for FIPS)

Internet User

- X.509 certificate

SSL Encryption

SSLv3 Cipher Settings

    - AES encryption with 128bit key and SHA-1 MAC

    - AES encryption with 256bit key and SHA-1 MAC

    - RC4 encryption with 128bit key and MD5 MAC

    - RC4 encryption with 128bit key and SHA-1 MAC

    - Triple DES encryption with 168bit key and SHA-1 MAC

    - DES encryption with 56bit key and SHA-1 MAC

    - RC4 encryption with 40bit key and MD5 MAC

(MAC is Message Authentication Code, which ensures that a message has not been tampered with.)

Of the suites above, the AES entries are the ones to leave enabled. Single DES (56-bit) and 40-bit RC4 are export-grade and brute-forceable, RC4 has known keystream biases, and the MD5-MAC suites should be retired along with them; Triple DES is acceptable only for clients that cannot negotiate AES. Disable the weak suites on the server rather than trusting clients not to pick them.


Domino 8.0.1 and up support the Federal Information Processing Standard (FIPS) by using a FIPS 140-2 validated cryptographic library.  This applies only to Domino's own (Notes) encryption, not to its SSL implementation.   For FIPS-compliant SSL, a FIPS-validated proxy (reverse proxy or SSL terminator) has to be placed in front of the Domino server.


Wednesday, 20 July 2011

Lotus Domino Denial of Service Attack

Credits to Tom Duff.
Packet Storm is reporting a Lotus Domino Denial of Service issue...

# Exploit Title: Lotus Domino SMTP router, EMAIL server and client DoS - all 3 may crash
# Date: July 16, 2011
# Author: None - looks like a malformed Kerio generated calendar invitation was the reason this was discovered -
# Software Link: none - cut/paste the malformed meeting invitation shown below, send into some Domino shop as a mime type text/calendar with a filename.ics
# Version: 8.5.3 and very likely all 7.x and 8.x
# Tested on: W2K3, W2K8, XP running 8.5.3
# CVE : none - but IBM has patches for this and other

Particularly ugly in that the rest of the page has the cut and paste code for making the attachment that will crash the server...

Admin Notes: Is your SMTP server running TLS?

I found a great website today that allows you to check if the mail server for your domain supports TLS.

This is a great tool to see if an email you send a client, colleague or even your buddy will be transmitted in clear text.   It's also a great tool for troubleshooting your Domino mail server.

Check it out here:
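The same check can be done from the command line. The script below is an added example for this page (it is not the web tool linked above and not IBM/Domino code): it talks SMTP in the clear, reads the EHLO reply, upgrades with STARTTLS and reports the negotiated cipher, rating it against the weak entries in the SSLv3 cipher list in the Domino encryption notes above (single DES, 40-bit RC4, RC4 and MD5-MAC suites). The client name `tlscheck.example`, the host names and the sample EHLO reply are constructed, and the rating rules are my own, not Domino's.

```python
"""Does a mail server offer STARTTLS, and what does it negotiate?

Added example for this page; not the web tool the post links to and not
IBM/Domino code. The EHLO text below is constructed, not captured.
"""
import re
import socket
import ssl
import sys

CLIENT_NAME = b"tlscheck.example"   # assumed name we introduce ourselves with

# Constructed EHLO reply (not captured from a real server) used to exercise
# the parser offline.
SAMPLE_EHLO_REPLY = ("250-mail.example.com Hello tlscheck.example\r\n"
                     "250-SIZE 10240000\r\n"
                     "250-STARTTLS\r\n"
                     "250 8BITMIME\r\n")


def parse_reply(text):
    """Split a raw SMTP reply into (code, lines). The final line has a space
    after the three-digit code; continuation lines use a hyphen."""
    lines = text.splitlines()
    return int(lines[-1][:3]), lines


def recv_reply(sock):
    """Read one complete (possibly multi-line) SMTP reply from a socket."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk
        if buf.endswith(b"\r\n"):
            text = buf.decode("ascii", errors="replace")
            if re.match(r"\d{3} ", text.splitlines()[-1]):
                return parse_reply(text)


def ehlo_extensions(lines):
    """Return the set of ESMTP keywords advertised in an EHLO reply.
    The first line is the server's greeting, not an extension."""
    exts = set()
    for line in lines[1:]:
        body = line[4:].strip()          # drop '250-' or '250 '
        if body:
            exts.add(body.split()[0].upper())
    return exts


def classify_cipher(name, bits):
    """Rate a negotiated cipher (OpenSSL name, key bits): anything under 128
    bits, RC4, export suites, NULL or an MD5 MAC is 'weak'; Triple DES is
    'legacy'; everything else 'ok'. Assumed rules, not a Domino setting."""
    if bits < 128 or re.search(r"RC4|MD5|EXP|NULL", name):
        return "weak"
    if "CBC3" in name or "3DES" in name:
        return "legacy"
    return "ok"


def check_starttls(host, port=25, timeout=10):
    """Connect in the clear, EHLO, upgrade with STARTTLS and report."""
    report = {"host": host, "starttls_offered": False, "tls_established": False,
              "protocol": None, "cipher": None, "bits": None, "rating": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, _ = recv_reply(sock)                      # 220 banner
        if code != 220:
            raise RuntimeError(f"unexpected banner code {code}")
        sock.sendall(b"EHLO " + CLIENT_NAME + b"\r\n")
        code, lines = recv_reply(sock)
        report["starttls_offered"] = "STARTTLS" in ehlo_extensions(lines)
        if not report["starttls_offered"]:
            sock.sendall(b"QUIT\r\n")
            return report
        sock.sendall(b"STARTTLS\r\n")
        code, _ = recv_reply(sock)                      # 220 Ready to start TLS
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with code {code}")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # survey mode: we want to see what the
        ctx.verify_mode = ssl.CERT_NONE  # server negotiates, not judge its cert
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            report.update(tls_established=True, protocol=proto,
                          cipher=name, bits=bits,
                          rating=classify_cipher(name, bits))
            tls.sendall(b"EHLO " + CLIENT_NAME + b"\r\n")  # RFC 3207: EHLO again after the upgrade
            recv_reply(tls)
            tls.sendall(b"QUIT\r\n")
    return report


if __name__ == "__main__":
    # Usage: python tlscheck.py <mx-host> [port]; get the MX host with dig MX <domain>.
    mx = sys.argv[1]
    prt = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(check_starttls(mx, prt))
```

Two caveats when reading the result. SMTP TLS is opportunistic: a server that advertises STARTTLS still accepts mail in the clear from any sender that ignores the advertisement, and an attacker on the path can strip the `250-STARTTLS` line from the EHLO reply, so a positive result means "can be encrypted", not "will be". And `ssl.create_default_context()` on a current Python refuses SSLv3 and TLS 1.0, so a Domino server that only speaks those fails the handshake here; that failure is itself the finding, and if you need to confirm what such a server does negotiate, lower `ctx.minimum_version` deliberately.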