Vendor Security Protections Need Your Assistance
CGISecurity recently pointed out that a Russian company has released a password-recovery tool for Intuit Quicken files. The news underlines the importance of protecting sensitive information within your environment. For home users, "within your environment" means your personal computer(s), portable computing devices and storage devices. The tools and methods I listed in a recent post will also help protect your financial files, such as those used by Quicken, Microsoft Money or any other money-management tool, and you should apply them just as much to your digital bank and stock statements, wills and any other highly sensitive information.
So where do the protections provided by Intuit Quicken's password feature break down (aside from the vulnerability just mentioned)? They do not really provide defense in depth. Sure, the files are unreadable without the password, but their file extension still tells anyone who sees them which program they belong to, which is exactly the cue a recovery tool of this kind relies on. In addition to the password protection supplied by the manufacturer, the files should also be encrypted so that their purpose is not identifiable on casual inspection. Good practice is to use different passwords or passphrases for the two safeguards, so that recovering one does not hand over the other.
With both the application password and a separate encryption layer in place, an attacker is forced to defeat two mechanisms or find another way in. In practice that means subverting the operating system itself, so that the information can be gathered outside the files: installing a key logger to steal the passwords as they are typed, or watching the screen remotely through some kind of VNC-style virtual network console. Countermeasures against these attacks fall into the system-hardening arena, and users need to extend their defense in depth with operating system configuration hardening, network- and host-based firewalls, anti-malware software, and sound email and web-browsing habits.
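The two-layer arrangement above, as an added example (not code from the original post, from Intuit or from CGISecurity): a POSIX shell script that wraps a stand-in money file in an OpenSSL encryption layer keyed by a passphrase independent of the application password, then inspects what a casual look at each file reveals. It assumes openssl(1) 1.1.1 or newer (for `enc -pbkdf2`), dd, od, cmp and mktemp; the file contents and the passphrase are constructed for the demo and are not a real Quicken file or a real secret.

```shell
#!/bin/sh
# Added example, not from the original post or from Intuit: a second encryption
# layer over a password-protected money file, keyed by its own passphrase.
# Assumes openssl(1) >= 1.1.1 (for 'enc -pbkdf2'), dd, od, cmp and mktemp.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a Quicken data file. It is not a real QDF; the point
# is only that the name and contents of the plaintext are recognisable.
SRC="$WORK/finances.qdf"
printf 'QUICKEN DATA FILE\nAccount: Checking\nBalance: 12345.67\n' > "$SRC"

# What a casual inspection sees: the first 16 bytes, rendered as characters.
peek() { dd if="$1" bs=16 count=1 2>/dev/null | od -An -c; }

# The first N bytes of a file as a string (used by the checks below).
head_bytes() { dd if="$1" bs="$2" count=1 2>/dev/null; }

# Outer layer: AES-256-CBC with a PBKDF2-derived key. The passphrase is passed
# on stdin, not on the command line, so it does not show up in ps(1) output or
# shell history; in interactive use drop '-pass stdin' and let openssl prompt.
encrypt_file() {   # encrypt_file <plain> <cipher> <passphrase>
    printf '%s\n' "$3" | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass stdin
}
decrypt_file() {   # decrypt_file <cipher> <plain> <passphrase>
    printf '%s\n' "$3" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass stdin
}

# OpenSSL's enc output begins with the fixed marker "Salted__" followed by the
# salt: the Quicken strings are gone, but the blob is still recognisably an
# OpenSSL-encrypted file.
has_openssl_header() { [ "$(head_bytes "$1" 8)" = "Salted__" ]; }

# decrypt(encrypt(x)) with the right passphrase must reproduce x byte for byte.
roundtrip_ok() {   # roundtrip_ok <plain> <passphrase>
    encrypt_file "$1" "$WORK/rt.dat" "$2"
    decrypt_file "$WORK/rt.dat" "$WORK/rt.out" "$2"
    cmp -s "$1" "$WORK/rt.out"
}

# A wrong passphrase must not yield the plaintext. CBC padding makes openssl
# fail most of the time, but not always, so compare contents instead of
# relying on the exit status alone.
wrong_pass_fails() {   # wrong_pass_fails <plain> <passphrase>
    encrypt_file "$1" "$WORK/wp.dat" "$2"
    decrypt_file "$WORK/wp.dat" "$WORK/wp.out" "not-the-passphrase" 2>/dev/null \
        || : > "$WORK/wp.out"
    ! cmp -s "$1" "$WORK/wp.out"
}

# Demonstration when run directly. The passphrase is constructed for the demo
# and deliberately unrelated to the application's own password.
PASS='constructed-demo-passphrase-not-the-quicken-password'
echo "plaintext  :"; peek "$SRC"
encrypt_file "$SRC" "$WORK/finances.dat" "$PASS"
echo "ciphertext :"; peek "$WORK/finances.dat"
if has_openssl_header "$WORK/finances.dat"; then
    echo "ciphertext carries the generic Salted__ marker, not a Quicken header"
fi
if roundtrip_ok "$SRC" "$PASS"; then
    echo "round trip with the right passphrase: ok"
fi
if wrong_pass_fails "$SRC" "$PASS"; then
    echo "wrong passphrase does not recover the file"
fi
```

Note the caveat the inspection step exposes: the ciphertext no longer shows Quicken strings, but it does start with OpenSSL's "Salted__" marker, so an attacker can still tell it is an encrypted blob, just not what it protects; giving the output a bland name and keeping it off obvious paths is the rest of the "not readily identifiable" goal. The independent passphrase is what makes the second layer worth having: a key logger captures whatever is typed, and a passphrase shared with the Quicken password would collapse the two layers into one.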
Go forth and do good things,
Cutaway
Technorati Tags: Security Ripcord, CGISecurity, Intuit, Quicken, password, sensitive information, Microsoft Money, Cobia, Kerio, pfsense, Center for Internet Security, Comodo, Zone Alarm, AVG Free, Spybot, NoScript, Firefox, Thunderbird