<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1352683154378824654</id><updated>2011-12-27T17:15:10.332-08:00</updated><category term='DNS'/><category term='Cybercrime'/><category term='sms'/><category term='malware'/><category term='social'/><category term='art'/><category term='routers'/><category term='Israel'/><category term='Trust'/><category term='police'/><category term='auction'/><category term='site'/><category term='reduction'/><category term='delete'/><category term='scareware'/><category term='commando'/><category term='crime'/><category term='SIEM'/><category term='cut'/><category term='defacement'/><category term='domain'/><category term='credit cards'/><category term='overhead'/><category term='conficker'/><category term='downadup'/><category term='clients'/><category term='firewall'/><category term='Spam'/><category term='home networks'/><category term='cutting'/><category term='science'/><category term='facebook'/><category term='HP'/><category term='attack'/><category term='cyber crime'/><category term='conficker removal prevention worm virus infection reinfection re-infection'/><category term='threat'/><category term='lost'/><category term='basic'/><category term='peace'/><category term='backdoor'/><category term='thin'/><category term='security'/><category term='reduce'/><category term='Theft'/><category term='information'/><category term='economy'/><category term='War'/><category term='Phones'/><category term='save'/><category term='symantec'/><category term='format'/><category term='administrators'/><category term='forgery'/><category term='networking'/><category term='ID'/><category term='scan'/><category 
term='hacker'/><category term='online fraud'/><category term='costs'/><category term='destroy'/><category term='fake'/><category term='identity'/><category term='virus'/><category term='worm'/><category term='biometrics'/><category term='scam'/><category term='crisis'/><category term='data'/><category term='candy'/><category term='ftc'/><category term='identity theft'/><category term='threats'/><category term='erase'/><title type='text'>Is It Safe?</title><subtitle type='html'>In this blog I will discuss various information-security related issues as they pop up on the news, or in my mind. I'll try to provide some insight into the subjects I choose, and shed light on lesser known aspects of them.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>24</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-3717522229755997444</id><published>2011-12-27T17:14:00.000-08:00</published><updated>2011-12-27T17:15:10.374-08:00</updated><title type='text'>How many firewalls are enough?</title><content type='html'>Pretty much every company in the world places at least one firewall 
at the edge of its network, to protect its internal resources. There were dark times when a simple router was all we had, and we exposed all of our computers to the internet without any protection, but now that the hardware and software have come down in price, a new question comes to the table…how many firewalls are enough?&lt;br /&gt;&lt;br /&gt;On one hand, you can take some old computer that’s too slow for modern desktop operating systems, put a &lt;a href="http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions"&gt;Linux based firewall&lt;/a&gt; on it, and you’ve got yourself a firewall at a cost that’s close to zero. Many people think that thicker armor stops more missiles, and take advantage of the cheap options to build a network with multiple layers of firewalls. Is more really better? Not always!&lt;br /&gt;&lt;br /&gt;The thing about quantity is that it rarely trumps quality. Even in the simplest example, a tank with multiple layers of armor, this is not the case. Sure, a tank with 15 layers of steel would be harder to penetrate than one with 14 layers, but the extra layers also make the tank heavy. The added weight makes it slower to move and maneuver, and limits the distance it can travel and the terrain it can cross.&lt;br /&gt;&lt;br /&gt;In the case of network security, adding more layers can make it harder for an attacker to get through, but the complex configuration makes it more likely that something gets overlooked or misconfigured. For example, if you put 6 different firewalls in the mix, you’re probably not an expert on each and every one of them. Perhaps one of them has a built-in remote-access option that you forgot to protect or disable? Perhaps one has a lesser-known vulnerability that you were not aware of and forgot to patch? Perhaps updating the various firewalls will be hard, because each layer limits what the devices behind it can reach, including their vendors’ update servers?&lt;br /&gt;&lt;br /&gt;A common term in my world is “security by obscurity”, referring to hiding some component in the hope that if it’s hidden well enough, it’s less likely to be attacked. Obscurity cuts both ways, though: it also hides bugs and issues from you. The more complicated the environment, the harder it is for us to see any issues it may be harboring.&lt;br /&gt;&lt;br /&gt;Unfortunately, there’s no simple answer to the age-old question of how much is enough, and how much is too much. The answer depends on your own exposure: the profile of the data you need to have coming in and out, and the public profile that makes your organization a prime target or a lesser one. If you’re a small company that’s just publishing a simple website, it’s very likely that a single, well-maintained firewall is all you need. If you’re a multimillion dollar corporation with tons of public services, then it’s probably a good idea to have more, provided each one has an owner who understands it, keeps it patched and can explain its rule set.&lt;br /&gt;&lt;br /&gt;If you were expecting a simple numerical answer, then I’m afraid I’m going to disappoint you. I’m here to remind you of the considerations pro and con for each option. 
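The question of where a packet goes is easy to answer with one firewall and hard with three from three vendors. The following Python script is an added example, not code from the original post or from any firewall product: it models a first-match rule set per device, traces a packet through a chain of them and reports the hop and rule where it was allowed or lost, and flags rules that can never fire because an earlier rule already covers them. The three firewalls, the addresses (documentation ranges) and the vendor remote-administration rule on tcp/8443 are constructed for the illustration.

```python
"""Packet-path tracing through layered firewalls.

Added example for this post, not code from the original; the firewalls,
rules, addresses and packets are constructed for illustration.  With one
firewall you can answer "where did this packet go?" from memory; with three
from three vendors you want a tool that walks the rule sets for you.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def _net_covers(outer, inner):
    """True if every address in `inner` is also in `outer` ("any" = all)."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt):
        return (_net_covers(self.src, pkt["src"] + "/32")
                and _net_covers(self.dst, pkt["dst"] + "/32")
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def covers(self, other):
        """True if this rule matches every packet `other` would match."""
        return (_net_covers(self.src, other.src)
                and _net_covers(self.dst, other.dst)
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


@dataclass
class Firewall:
    name: str
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"   # the implicit final rule most products have

    def decide(self, pkt):
        """First-match evaluation; returns (action, rule name)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default, "implicit-default"

    def shadowed(self):
        """(rule, earlier rule) pairs where the rule can never fire because an
        earlier one already covers it.  A deny shadowed by an allow is the
        dangerous case: the port looks closed in the GUI and is open."""
        found = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if earlier.covers(later):
                    found.append((later.name, earlier.name))
                    break
        return found


def trace(path, pkt):
    """Walk the packet through each firewall in order, stopping at the first
    deny.  Returns [(firewall, rule, action), ...]; the last hop is where the
    packet was let through or where it was lost."""
    hops = []
    for fw in path:
        action, rule = fw.decide(pkt)
        hops.append((fw.name, rule, action))
        if action == "deny":
            break
    return hops


# Constructed topology: an edge firewall from one vendor, a DMZ firewall from
# another that ships with a remote-administration listener on tcp/8443, and an
# internal firewall in front of the database.  Addresses are RFC 5737
# documentation ranges plus 10.0.0.0/8.
EDGE = Firewall("edge", [
    Rule("web-in", "allow", "any", "203.0.113.10/32", "tcp", 443),
    Rule("admin-in", "allow", "198.51.100.0/24", "203.0.113.0/24", "tcp", None),
])
DMZ = Firewall("dmz", [
    Rule("vendor-remote-admin", "allow", "any", "any", "tcp", 8443),  # shipped enabled
    Rule("web-in", "allow", "any", "203.0.113.10/32", "tcp", 443),
    Rule("block-remote-admin", "deny", "any", "any", "tcp", 8443),    # added later, never reached
])
INTERNAL = Firewall("internal", [
    Rule("db-from-web", "allow", "203.0.113.10/32", "10.0.0.5/32", "tcp", 5432),
])


def path_for(dst):
    """Firewalls a packet crosses to reach dst in this constructed topology:
    DMZ hosts sit behind edge and dmz, internal hosts behind all three."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network("10.0.0.0/8"):
        return [EDGE, DMZ, INTERNAL]
    return [EDGE, DMZ]


def packet(src, dst, dport, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    for pkt in (packet("192.0.2.9", "203.0.113.10", 443),      # public web, allowed
                packet("198.51.100.7", "203.0.113.1", 8443),   # reaches the forgotten admin port
                packet("192.0.2.9", "203.0.113.1", 8443),      # lost at the edge
                packet("198.51.100.7", "10.0.0.5", 5432)):     # lost at the edge too
        print(pkt["src"], pkt["dst"], pkt["dport"], trace(path_for(pkt["dst"]), pkt))
    print("shadowed on dmz:", DMZ.shadowed())
```

Run it and the trace for 198.51.100.7 to 203.0.113.1 port 8443 shows the packet passing the edge on the admin rule and then hitting the DMZ firewall’s built-in remote-admin allow; the deny that was meant to close that port is reported as shadowed. That is exactly the kind of misconfiguration a second or third layer makes easy to miss, and exactly the question a tool should answer for you rather than your memory.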
Your own mileage may vary, but one thing is simple to note…if your configuration is so complicated that even you can’t explain easily where a packet is going and where it has been lost, then it’s probably too complicated to be reliable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-3717522229755997444?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/3717522229755997444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=3717522229755997444' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3717522229755997444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3717522229755997444'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2011/12/how-many-firewalls-are-enough.html' title='How many firewalls are enough?'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-5080489584068204849</id><published>2011-03-13T12:48:00.000-07:00</published><updated>2011-03-13T12:49:24.067-07:00</updated><title type='text'>Recipe for disaster</title><content type='html'>Disaster recovery is one of the most important aspects of a security officer’s work. It even has its own domain in the ISC2 CBK (Business Continuity and Disaster Recovery Planning). 
With recent disasters like the 8.9 magnitude earthquake in Japan, other aspects of disaster recovery come to mind.&lt;br /&gt;&lt;br /&gt;The information security officer has plenty of disaster recovery tools at his disposal: backups, hot and cold sites and off-site storage are some of them. With sufficient budget and training, a company can live through a disaster and resume work very rapidly, as was demonstrated during the September 11 attacks in New York City.&lt;br /&gt;&lt;br /&gt;The other side of this is that while the operations and security teams are busy trying to reestablish the company’s operations and IT, most companies forget that the disaster site, although out of action, typically still holds all of the company’s assets. In the case of the World Trade Center towers, everything was buried under tons of dust and rubble, but other disasters may leave sensitive equipment or data exposed. A building that has been flooded may be unusable, and the computers in it may be completely destroyed, but their hard drives may be intact. Backup tapes or optical media are also likely to survive such an event, especially if they are inside a fireproof vault. This could be a golden opportunity for infiltrators to come in and grab something.&lt;br /&gt;Naturally, it may be hard or dangerous to try this sort of stunt, but the kind of financial gain someone can make has been known to drive certain people to take risks. You and I probably won’t, but it takes only one determined thief to compromise a lot of sensitive information.&lt;br /&gt;&lt;br /&gt;In addition, even companies that have nothing to do with the disaster, and haven’t been harmed at all (or only very little), are at risk, because with any large-scale disaster the entire country can plunge into chaos. In Japan, many companies have not been harmed, but have been completely deserted, as the employees left to attend to their families and loved ones. This is perfectly understandable, but the result is low-hanging fruit for any cracker. The police are typically concerned with the street-level looting going on, but we in information security need to think about data looting too.&lt;br /&gt;&lt;br /&gt;Naturally, the physical security domain in the CBK deals with protecting the workplace from physical harm, though it mostly covers day-to-day threats like burglary, fire and flood. When something as large as an earthquake or a missile strike comes into play, many of these measures will collapse. With proper planning, at least some of this can be mitigated. For example, your sensitive servers may be properly locked away in a server room, but that room may not be secure enough to withstand someone ramming it with a truck. Using secure cabinets instead of the simple glass-door ones can provide an additional level of security. Using hard-disk encryption on servers and storage arrays, even though slow, can protect your data in case all hell breaks loose, as long as the keys are not kept on the same hardware and a copy is available to the team rebuilding at the recovery site. You can’t physically secure all desktops, but using thin clients (or terminal services) for some or all employees can provide additional protection.&lt;br /&gt;&lt;br /&gt;In addition to these, you should encourage your employees to refrain from storing sensitive data in the offices. This means avoiding printing sensitive information, and making sure printouts are shredded in-house. Sensitive documents like employee or customer lists should be stored in a secure room or vault. Backup tapes and other media should be stored in a vault. When using such a vault, remember that it still needs to be secured, so don’t leave it unlocked or the key too easy to find (many companies open the vault in the morning and leave it open throughout the workday…).&lt;br /&gt;&lt;br /&gt;And lastly, when creating your disaster plan master policy, make sure to assign guards to the destroyed facility. 
You may find, in reality, that all your guards disappeared, but if you prepare well enough, even a single guard will be more effective than none…&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-5080489584068204849?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/5080489584068204849/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=5080489584068204849' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/5080489584068204849'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/5080489584068204849'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2011/03/recipe-for-disaster.html' title='Recipe for disaster'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-3854203657394075965</id><published>2010-08-02T10:28:00.000-07:00</published><updated>2010-08-02T10:29:17.201-07:00</updated><title type='text'>book Smarts!</title><content type='html'>I usually use this blog to talk about general security related issues, but on this special occasion, I’d like to tell you all about a new book of mine that just came out.&lt;br /&gt;&lt;br /&gt;Even though I’ve been a writer for almost 15 years, this is my first published book, and it’s also good news for many users of 
UAG, IAG or eGap, as this is the first public book about these products.&lt;br /&gt;&lt;br /&gt;For those who have never heard of these products, UAG is the latest member of a line of secure remote-access products. It was originally developed by Whale Communications from Israel, which was purchased by Microsoft in 2006. In 2007, the previous version, named IAG (Intelligent Application Gateway), was released, and a few months ago, UAG (Unified Access Gateway) was released as part of the Forefront family of security products.&lt;br /&gt;&lt;br /&gt;The book itself is not really finished – I still have a few more chapters to write, but the publisher has released the first three chapters as something they call RAW (short for Read As we Write). It’s like a beta version – readers can get it right now, way before the book is officially out, and also make comments or suggestions on it. This is a great honor for me, of course, as the publisher only releases into RAW books that are very well written and can stand their ground without significant edits.&lt;br /&gt;&lt;br /&gt;Even though the book is about UAG, a lot of it also applies to IAG, and even eGap. It’s written specifically for the UAG beginner, and starts with basic concepts and design. It then goes through advanced configurations and troubleshooting, as well as DirectAccess. It does not, however, cover advanced scenarios like ADFS or customizations.&lt;br /&gt;&lt;br /&gt;Interested? 
I hope so…go ahead and look at:&lt;br /&gt;&lt;a href="https://www.packtpub.com/microsoft-forefront-uag-2010-administrators-handbook/book"&gt;https://www.packtpub.com/microsoft-forefront-uag-2010-administrators-handbook/book&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-3854203657394075965?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/3854203657394075965/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=3854203657394075965' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3854203657394075965'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3854203657394075965'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2010/08/book-smarts.html' title='book Smarts!'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-5241459002257299751</id><published>2010-07-07T17:08:00.000-07:00</published><updated>2010-07-07T17:09:37.593-07:00</updated><title type='text'>Automan</title><content type='html'>An old boss of mine used to say that his best employees are the laziest, because they create automation to do their job, and automation reduces human error. 
Since human error is one of the leading causes of security breaches, this also means that using automation appropriately can not only free up time, but also reduce your exposure and boost your security.&lt;br /&gt;&lt;br /&gt;Granted, developing automation can be a pain. It sometimes takes days of development and testing, but the benefits are fantastic. For example, one of the most common security pain points out there is user accounts. Every time an employee joins the company, you have to create an account, generate a random password, fill in all the account details, assign the user to various groups, and finally convey the appropriate information to the user securely. If an employee leaves, it’s even worse, because you have to close out the account with very precise timing, to make sure the ex-employee doesn’t get locked out prematurely, but also can’t connect from home after leaving the position. The worst are role changes, which require you to carefully strip the account of permissions it no longer needs, to make sure the employee can’t abuse the rights he had in the past.&lt;br /&gt;&lt;br /&gt;When you do this on a routine basis, within a few days you will be able to perform such tasks almost blindly. Like driving a car, this is what we refer to as an “over-learned activity”. After a while, we feel confident enough to chew a sandwich while doing it, talk on the phone or install a server (talking about the network here…not installing a server while driving a car), and that’s where the little mistakes creep in. We might send the password to the wrong person, add the user to a group that has too many permissions, or worse. I’ve met an engineer who once, absentmindedly, misspelled the first name of a person named Bart as…well…you can guess. That guy got chewed out, but he might as well have exposed his network to attackers if his absentmindedness had led somewhere else.&lt;br /&gt;&lt;br /&gt;If you’re lucky, perhaps your company is rich enough to afford identity management software, but the cost of such suites and of adopting them is immense. If not, why not write your own automation? A VBScript, an ASP page, a Perl script or sometimes even a batch file can save you tons of tedious work. If you’re thinking to yourself “heck…I ain’t no programmer!” you might be selling yourself short. Some tasks are so simple to achieve in VBScript and batch files that you can get them done almost instantly. For example, a script to generate a random password in VBScript is very simple. Here’s a clever and tight one by Martijn Haverhoek &lt;a href="http://www.haverhoek.nl/index.php?/archives/36-Random-password-generator-vbscript.html"&gt;http://www.haverhoek.nl/index.php?/archives/36-Random-password-generator-vbscript.html&lt;/a&gt; . Here’s another one, written in JavaScript: &lt;a href="http://blazonry.com/javascript/password.php"&gt;http://blazonry.com/javascript/password.php&lt;/a&gt; . One caveat: VBScript’s Rnd and JavaScript’s Math.random are not cryptographically secure random sources, so passwords generated this way are fine as initial passwords the user must change at first logon, but not as long-lived secrets; where you can, draw the characters from a cryptographic random source instead. With time and patience, a script can be written to automate almost the entire process of creating and deleting user accounts, as well as other administration tasks.&lt;br /&gt;&lt;br /&gt;Even when using automation, mistakes can still happen, but shortening the processes makes them less tedious and encourages performing them with more attention and focus. Another advantage is that it may allow you to delegate some tasks to your subordinates (knowing that there are fewer things for them to mess up) or to your colleagues when you go on leave. Even if you are a decision maker and will never get into programming, you can still benefit your organization by hiring or contracting someone to develop some automation for you. Start simply by thinking about which processes are performed routinely, and which are the most annoying or tedious. 
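As an added example (not the author’s script, and not the VBScript linked above), here is the same account lifecycle in Python: a random initial password drawn from the operating system’s cryptographic random source, and the join, role-change and leave events turned into a reviewable list of actions, so that a role change computes exactly which groups to strip instead of relying on someone remembering. The role-to-group table, the group names and the action tuples are constructed for illustration; translating them into your directory’s own commands is the part that stays site-specific.

```python
"""User-account lifecycle as a reviewable plan.

Added example for this post, not the author's script and not the VBScript
linked above.  The role-to-group table, the group names and the action
tuples are constructed for illustration; a real version would hand the
tuples to your directory tooling.
"""
import secrets
import string

# Constructed: the groups each job role needs, and nothing more.  Writing
# this table down is where least privilege starts.
ROLE_GROUPS = {
    "helpdesk": {"Domain Users", "Helpdesk", "VPN-Users"},
    "sysadmin": {"Domain Users", "Server-Admins", "Backup-Operators", "VPN-Users"},
    "finance": {"Domain Users", "Finance", "ERP-Users"},
}

# Groups that are only ever granted by explicit request; a role change must
# never carry them over silently, so the plan calls them out for review.
PRIVILEGED = {"Domain Admins", "Server-Admins", "Backup-Operators"}

PASSWORD_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, "!#$%*+-=?@_")


def generate_password(length=16):
    """Initial password from the OS CSPRNG (secrets, not random.random or
    VBScript's Rnd), with at least one character from every class."""
    if length not in range(12, 129):
        raise ValueError("password length must be 12 to 128")
    alphabet = "".join(PASSWORD_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in PASSWORD_CLASSES):
            return pw


def plan_join(username, role):
    """Onboarding: create, set a one-time password, force a change at first
    logon, then add exactly the role's groups (sorted, so plans diff cleanly)."""
    if role not in ROLE_GROUPS:
        raise KeyError("unknown role: " + role)
    actions = [("create", username),
               ("set-password", username, generate_password()),
               ("must-change-at-logon", username)]
    actions += [("add-to-group", username, g) for g in sorted(ROLE_GROUPS[role])]
    return actions


def plan_role_change(username, current_groups, new_role):
    """Group delta for a role change.  Everything outside the new role's set
    is removed, including privileged groups granted ad hoc in the old role;
    that is the cleanup people forget when they do it by hand."""
    target = ROLE_GROUPS[new_role]
    current = set(current_groups)
    actions = [("remove-from-group", username, g) for g in sorted(current - target)]
    actions += [("add-to-group", username, g) for g in sorted(target - current)]
    dropped = sorted(current.intersection(PRIVILEGED) - target)
    if dropped:
        actions.append(("review", username,
                        "privileged groups removed: " + ", ".join(dropped)))
    return actions


def plan_leave(username):
    """Offboarding: disable rather than delete (the account keeps its history),
    burn the old password, drop every group and kill live sessions, so that
    nothing the ex-employee knows still authenticates from home."""
    return [("disable", username),
            ("set-password", username, generate_password(32)),
            ("remove-all-groups", username),
            ("revoke-sessions", username)]


if __name__ == "__main__":
    for step in plan_join("bart", "helpdesk"):
        print(step)
    for step in plan_role_change("bart", ROLE_GROUPS["sysadmin"], "finance"):
        print(step)
    for step in plan_leave("bart"):
        print(step)
```

The plan is a list rather than immediate changes on purpose: a second person can read the six lines a role change produces (three removals, two additions, one review flag for the privileged groups being dropped) before anything is executed, which is where delegation to a colleague becomes safe.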
From then on…the sky’s the limit!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-5241459002257299751?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/5241459002257299751/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=5241459002257299751' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/5241459002257299751'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/5241459002257299751'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2010/07/automan.html' title='Automan'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-5065355009877112338</id><published>2009-10-19T14:20:00.000-07:00</published><updated>2009-10-19T14:21:06.180-07:00</updated><title type='text'>Chain of events</title><content type='html'>When thinking about security, one of the hardest things to grasp is the way things are linked together, and of course, the ingenuity of criminals. One small thing can lead to disastrous results in ways a normal person could not even imagine.&lt;br /&gt;&lt;br /&gt;For example, a well-known story is about a family that went to a public event and parked their car in the parking lot, like everybody else. The car was a piece of junk, so there was no reason to steal it, and therefore the owners didn’t install any protection. When thieves broke into it, they weren’t even interested in the car itself; instead, they stole the GPS that was in it. No…they didn’t want the $50 they could hawk it for; they just put it in their own vehicle and pressed “go home”. Thirty minutes later, they were in the driveway of the car’s owner, and entered the house using the remote they had also found in the car. I guess there’s no need to detail the resulting mess.&lt;br /&gt;&lt;br /&gt;There are several measures that prevent this kind of thing (the simplest would be to set the HOME location on the GPS to a point that’s actually a mile or two from home, or not to set it at all), but the point is that everything can be used for bad deeds, even if it is worthless in itself. Knowing where you work, for example, will allow a clever social-engineering hacker to squeeze some info from your co-workers: when you are going on vacation (which would be a good time to hit your house), or what days you stay late at the office.&lt;br /&gt;&lt;br /&gt;What can you do about this? Unfortunately, not enough. The criminal mind thinks differently from us normal people, and even amongst the crooks, there are the more devious kind. A good practice is simply to pretend to be a bad guy for a day. Sit in your car outside your home or office, and try to come up with a way to break in. Sit at your computer, and think how YOU could bust into your boss’s computer, and then try to figure out how you would block him from doing the same to you. 
Some of us just can’t do it – too old to think outside the box, but you might also try having your kids suggest thoughts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-5065355009877112338?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/5065355009877112338/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=5065355009877112338' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/5065355009877112338'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/5065355009877112338'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/10/chain-of-events.html' title='Chain of events'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-3357932096183355412</id><published>2009-08-20T12:50:00.000-07:00</published><updated>2009-08-20T12:51:18.980-07:00</updated><title type='text'>Cloudy weather</title><content type='html'>There’s been a lot of talk in the industry recently about software-as-a-service, hosted services and cloud computing. 
Getting rid of the burden of managing servers and messing around with hardware seems appealing, and has a lot of financial and administrative advantages, but is it SAFE?&lt;br /&gt;&lt;br /&gt;Well, most of the stuff I write about here warns people that this or that is more dangerous than it appears, but this time, it’s quite the opposite. Cloud technology is actually safer than the alternative in most configurations.&lt;br /&gt;&lt;br /&gt;The thing about hosted services is that they take away the hardest thing to control – physical security. I discussed this in my post about thin clients – a physical computer or storage device is a sensitive thing. Cell phone and laptop theft is pretty obvious, but standard servers are also open to some abuse. Even though most companies keep their servers in a secure room, not everyone can afford proper security, and even when a company can, the design is often imperfect because IT personnel are rarely trained in physical security. They might think a cardkey lock is secure, forgetting that the glass door or windows can be easily broken. They might set up alarms, but not be able to afford an onsite guard who can react fast enough in case of burglary. They might install smoke detectors, but miss out on proper fire extinguishers or water drainage infrastructure.&lt;br /&gt;&lt;br /&gt;Also, having your own servers requires some serious maintenance. AV updates need to be monitored, software updates installed, and security hardening needs to be done and kept up regularly. Even though technologies like SMS (Microsoft Systems Management Server) are easily available, many companies don’t get them because of costs, and even with them, the abundant disk space on servers is a major temptation. Many sysadmins are tempted to put some of their MP3s or movies “temporarily” on the file server, simply because it’s an easy stopgap until they come up with the cash to expand their own hard drive. 
This type of data often goes unnoticed, but it may also expose the company to legal challenges or a virus infection.&lt;br /&gt;&lt;br /&gt;While cloud technology is not yet perfect, and certainly does not fit every client or every scenario, it can give the company’s security an important boost. Naturally, attention has to be given here as well: a small company or startup that delivers hosted solutions might be riddled with the same problems, and moving the hardware into someone else’s building only moves the physical-security and patching burden; who can log in, what data goes there and how it is backed up are still your responsibility. But with some major players entering the market in recent months, this is a great opportunity to get secure while reducing costs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-3357932096183355412?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/3357932096183355412/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=3357932096183355412' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3357932096183355412'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3357932096183355412'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/08/cloudy-weather.html' title='Cloudy weather'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-7068479457311267769</id><published>2009-07-31T16:40:00.000-07:00</published><updated>2009-07-31T16:41:50.671-07:00</updated><title type='text'>Is it safe to talk?</title><content type='html'>The short answer is NO, but the longer one depends a lot on you. Voice mail systems are pretty much standard all around, but few people realize what a security risk they can pose. On the surface, a phone seems pretty harmless. What are they going to do? Leave me a threatening message? Well, maybe, but that's not the danger.&lt;br /&gt;&lt;br /&gt;Most people choose to leave a custom greeting on their voice mailbox. Something like "Hi, you've reached James Voca, IT manager for Pirulo systems. Please leave your message and I'll call you back" seems pretty ordinary, doesn't it? Well, for an employee giving you a call, it is, but if someone outside calls in, you've just told him or her which company this is, the name of the IT manager, and what he sounds like. In the wrong hands, this data is very valuable. A type of attack known as "social engineering" exploits people's tendency to behave socially, and it can use exactly that. A social engineer would typically call employees of the company on the phone and try to get them to give out sensitive data or access. With the info from this mailbox, the attacker can pretend to be the IT manager and influence others. Many users will defer to the high-ranking position holder and tell him, or do, anything he wants. They would give him their passwords, let him take over their computer remotely and more. Here's a scenario:&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Hacker&lt;/strong&gt;: Hi Jane. This is James from IT. 
I'm at home and late for a meeting - do you mind if I log into your machine to get a PPT I really need?&lt;br /&gt;&lt;strong&gt;Jane&lt;/strong&gt;: Sure, James&lt;br /&gt;&lt;strong&gt;Hacker&lt;/strong&gt;: Cool. I'm sending you an Email with a link - just click it and I'll be in and out in a minute.&lt;br /&gt;&lt;strong&gt;Outcome&lt;/strong&gt;: The hacker can implant a backdoor on Jane's computer, or just use it to get access to some sensitive internal servers.&lt;br /&gt; &lt;br /&gt;How about another scenario:&lt;br /&gt;&lt;strong&gt;Hacker&lt;/strong&gt;: Hi Scott. This is James from IT. A guy from HB is coming in to pick up my laptop for repair - be sure to let him through, OK?&lt;br /&gt;&lt;strong&gt;Scott (security guard):&lt;/strong&gt; Sure thing, James.&lt;br /&gt;&lt;strong&gt;Outcome&lt;/strong&gt;: The hacker can waltz into the building, grab some laptop and disappear with it, causing financial damage and possibly stealing important data from the computer.&lt;br /&gt;&lt;br /&gt; This is not the only danger, of course. Most modern voice mail systems let people access them remotely. You would typically call yourself, punch in a PIN and listen to your messages. Many people don't want to remember complicated numbers, and set the PIN to 0000, 1234 or the default (which is often one of these too). When this happens, anyone else can call into the voice mail, guess that number and listen to your messages. These would usually be just some nagging from your bank, but they could also contain sensitive info. For example, it could be a message from your doctor about your blood work, a message from a vendor talking about things you purchased, or worse. A hacker who knows what you sound like, and that you've just ordered 10 servers from Deck.com, can call them, quote back some "secret" info from the message, and divert the goods to his house. 
He can also call you, pretend to be the vendor and get you to let him into the building with the "servers", giving him a good opportunity to do some damage.&lt;br /&gt; &lt;br /&gt;The lesson here is simple - don't think that the voicemail system is safe just because it's not connected to your computer. In fact, your own answering machine at home could expose you personally to some dangerous elements. Does your message sound like "Hi, you've reached the Smith family at 2245 lake drive"? You're just inviting people to come over and clean out your house. I recommend taking four measures:&lt;br /&gt;&lt;br /&gt;1) Keep your PIN secure - no simple numbers, but ones that are chosen carefully, changed frequently and aren't easy to guess.&lt;br /&gt;&lt;br /&gt;2) Have your message give as little info as possible. A good one could be "Hi, you've reached Jack - please leave a message". Same thing at home - "You've reached the Cole residence, please leave a message".&lt;br /&gt;&lt;br /&gt;3) Listen to your messages frequently, and delete them right away. Don't leave messages lingering on your phone from Friday afternoon to Sunday noon.&lt;br /&gt;&lt;br /&gt;4) When you are leaving messages for others, whether you are a vendor, a client, a boss or a subordinate, keep in mind that you can never know the level of security the other side keeps. Treat a message left like a note left on the door - others may read it. 
Keep sensitive info out of the message, and just call back later.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-7068479457311267769?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/7068479457311267769/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=7068479457311267769' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/7068479457311267769'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/7068479457311267769'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/07/is-it-safe-to-talk.html' title='Is it safe to talk?'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-4210202856913629339</id><published>2009-06-23T16:56:00.000-07:00</published><updated>2009-06-23T16:57:35.235-07:00</updated><title type='text'>The ups and downs of backing up</title><content type='html'>My experience is that any and every user appreciates the importance of backing up your stuff, but when it comes to actually doing it, almost nobody does it, and even some large organizations are failing at it. Backup failure isn't necessarily "not doing it at all", but can also mean that it's done improperly. 
A proper backup is such that a person or organization will never, under any circumstances, lose more than a day's worth of work. Before we even go there, I should stress one important fact - many users, and even experienced system engineers, often confuse backup with archive. Backup is when you copy your current data to another storage medium, so that if something happens to the original, you can restore it and not lose anything. Archiving is similar, but opposite - you copy your data to another storage medium, and then delete the original.&lt;br /&gt;&lt;br /&gt;For example, many people burn DVDs with their older files and delete the originals, and most of them consider this a backup. This is, in fact, an archive, but few people are aware that a recordable DVD has a limited lifespan, and is very sensitive to physical harm. Putting your photos on a DVD and stowing it in the closet is not safer than storing food in the trunk of your car. Often, we discover this only in hindsight, when trying to recover a file from a disc burned 3 years ago, only to discover that it's partially or completely unreadable.&lt;br /&gt;&lt;br /&gt;I believe network engineers won't need to read this, so I'm addressing this mostly to the home user. For a backup to be worth anything, it has to meet some basic principles:&lt;br /&gt;1) It has to be done to a medium with at least SOME reliability.&lt;br /&gt;2) It has to be done frequently.&lt;br /&gt;3) It has to be stored in a place that is safe, but not too unreachable.&lt;br /&gt;4) It has to be tested routinely.&lt;br /&gt;&lt;br /&gt;What does all this mean? Well, first, this means you should not use a medium that's unreliable. A writeable DVD, for example, has a low reliability rating, while a hard drive has a higher one. That's not to say that a hard drive is bulletproof, but it's usually more reliable, and it's also easier to detect when it fails. 
This is because if it dies, you would usually be able to hear it, and respond by replacing it, while if a DVD stops being readable, you'll only find out when you put it in the drive. A high-end tape drive, like an LTO or DLT, is also very reliable, although these start at a few hundred dollars, so they would be off the table even for some business customers.&lt;br /&gt;&lt;br /&gt;A frequent backup is also important. Many users start this with full intentions of going all the way, but after a while, they kind of give it up, and forget to back up for weeks or even months. Typically, you remember to do it right after your hard drive crashes, of course. A good way to avoid this pitfall is to set up some automatic backup mechanism. If you use an external drive, for example, this can be done rather easily, and many external drives even come with the software. If not, Windows has a built-in backup mechanism which is quite effective (especially the one that's in Windows 7!).&lt;br /&gt;&lt;br /&gt;Thirdly, if lightning strikes your house, or a fire breaks out, the backup won't do you much good if you leave the DVDs next to the computer or leave the external drive connected. One should strive to keep the backup as far away as possible from the computer, although not too far. If you store it across town, you might have a good excuse to forget to back up. Also, if it's that far, you might become too lazy to drive over and get a file if you need it. A good solution could be to have a reciprocal agreement with a neighbor - you hold their drive during the week, and they hold yours. If you have a detached garage or storage shed, this could be good too (although, take care to prevent the drive from freezing or getting too much humidity).&lt;br /&gt;&lt;br /&gt;Lastly, a backup that's untested will often fail you at the worst possible moment. You might discover that it hasn't actually run for over a month, or that some files are unreadable. 
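&lt;br /&gt;&lt;br /&gt;To make the "done frequently" and "tested routinely" principles concrete, here is an added example (not code from the original post): a small Python script that copies a folder to a backup location, records a SHA-256 hash of every copied file in a manifest, and later re-reads the backup to flag files that have gone missing or unreadable and to warn when the last backup is older than a chosen number of days. The folder names, the function names and the 31-day threshold are this example's own assumptions.&lt;br /&gt;&lt;br /&gt;

```python
"""Backup with a hash manifest, plus a check that flags corruption and staleness.

Added example for the backup principles above; it is not code from the original post.
Folder names, function names and the 31-day threshold are this example's assumptions.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"   # assumed name; any unique file name works


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_backup(source, dest):
    """Copy every file under source into dest and record each copy's hash.

    Hashing the copy (not the original) proves the data that landed on the
    backup medium is intact, which is what a later test needs to compare against.
    """
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"created": time.time(), "files": {}}
    for path in source.rglob("*"):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)          # copy2 keeps timestamps as well
            manifest["files"][rel] = sha256_of(target)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest))
    return manifest


def verify_backup(dest, max_age_days=31, now=None):
    """Re-hash every file in the manifest and report missing, corrupt and stale.

    'stale' means the last successful backup is older than max_age_days, which
    catches the automatic job that quietly stopped running weeks ago.
    """
    report = {"ok": [], "missing": [], "corrupt": [], "stale": True}
    manifest_path = dest / MANIFEST_NAME
    if not manifest_path.exists():
        report["missing"].append(MANIFEST_NAME)  # no manifest: treat as never backed up
        return report
    manifest = json.loads(manifest_path.read_text())
    now = time.time() if now is None else now
    age_days = (now - manifest["created"]) / 86400
    report["stale"] = age_days > max_age_days
    for rel, expected in manifest["files"].items():
        path = dest / rel
        if not path.exists():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["corrupt"].append(rel)      # readable, but not what was written
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed end-to-end run: back up two sample files, then damage the copy.

    Returns the three verification reports (clean, damaged, stale) for inspection.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "documents"          # constructed sample data
        dest = Path(tmp) / "external-drive"       # stands in for the backup medium
        (source / "photos").mkdir(parents=True)
        (source / "cv.doc").write_bytes(b"resume contents")
        (source / "photos" / "p1.jpg").write_bytes(b"\xff\xd8 not a real jpeg")
        run_backup(source, dest)
        clean = verify_backup(dest)
        # Simulate media rot: one copied file silently changes, another disappears.
        (dest / "cv.doc").write_bytes(b"resume contentz")
        (dest / "photos" / "p1.jpg").unlink()
        damaged = verify_backup(dest)
        # Simulate a job that last ran six weeks ago by pretending it is now +42 days.
        stale = verify_backup(dest, now=time.time() + 42 * 86400)
        return clean, damaged, stale


if __name__ == "__main__":
    for name, report in zip(("clean", "damaged", "stale"), demo()):
        print(name, report)
```

A run that reports anything under missing or corrupt, or flags the manifest as stale, means the backup cannot be relied on and should be redone before the original is needed; a hash mismatch on a disc or drive that still reads without errors is exactly the silent failure described above.&lt;br /&gt;&lt;br /&gt;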
A good practice is to test the backup around once a month. If you have a calendar like Outlook, you can use it to remind yourself to check it now and then.&lt;br /&gt;&lt;br /&gt;One more thing - many people feel that buying a large drive just to store backups on is wasteful. In a way, that's true, but if you want to save some money there, you might consider getting a refurbished drive. These are inherently less reliable, but since you can easily detect if one stops working, it could be a suitable solution anyway. Also, keep in mind that you can activate folder compression on it, as performance is less of an issue, and so use a drive smaller than your main one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-4210202856913629339?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/4210202856913629339/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=4210202856913629339' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/4210202856913629339'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/4210202856913629339'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/06/ups-and-downs-of-backing-up.html' title='The ups and downs of backing up'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' 
src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-8837060880520102532</id><published>2009-06-08T17:13:00.000-07:00</published><updated>2009-06-08T17:15:41.356-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data'/><category scheme='http://www.blogger.com/atom/ns#' term='format'/><category scheme='http://www.blogger.com/atom/ns#' term='destroy'/><category scheme='http://www.blogger.com/atom/ns#' term='delete'/><category scheme='http://www.blogger.com/atom/ns#' term='erase'/><category scheme='http://www.blogger.com/atom/ns#' term='lost'/><title type='text'>This car has more than 9 Lives</title><content type='html'>Most of us obsess about retaining our data - we buy large hard drives, burn countless DVDs and protect it all with RAID controllers and UPS devices. What many people care much less about is making sure that discarded data is really gone. How many times have you thrown a dead hard disk in the trash, wiping a tear for your lost files? Did you consider that a person with sufficient technical skill may grab it from the trash, recover the data and make some coins off it?&lt;br /&gt;&lt;br /&gt;Well, the issue of data destruction has been the center of much debate. Most people are already aware that deleting a file doesn't really erase it - it simply deletes the reference to the file in the disk's directory (I'm talking about actually deleting, not moving it to the trash, which doesn't delete anything), while the data is still there, untouched. A file that has been deleted can be re-created simply by finding its first sector, and creating a file entry that points to it. Once you delete a file, it can be overwritten by Windows as the system creates new files. 
The new files might overwrite some or all of the file's original sectors, which are now marked as free, but these sectors can also remain untouched for years.&lt;br /&gt;&lt;br /&gt;Some people will go the distance, and actually format the hard drive before throwing it away, but this too is not sufficient. Recovering data from a formatted drive is more time consuming, but certainly possible. The US Department of Defense probed this issue in the past, and produced a standard, known as DoD standard 5220.22, that instructs exactly what to do to erase data properly. Later on, there was some debate as to whether this was safe enough. Some experts claimed that you would need to overwrite the data over a dozen times, and that has been misquoted repeatedly in the press since then.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Security experts are very much concerned about erasing data securely. A company cannot risk its commercial data falling into the wrong hands simply because somebody was too lazy and took a shortcut with the disk. Same goes for other types of media - DVDs, backup tapes etc. Even a lost cell phone could present a serious security breach, as it could include phone numbers of sensitive customers, sensitive emails or meetings etc. I would like to take this opportunity to debunk some myths about data destruction.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1) Hard drive demolition derby.&lt;br /&gt;• A common method of destroying disks, by punching a hole through them, or banging them strongly with a hammer, is far from secure. It's not easy to recover data in this condition, but it's certainly possible.&lt;br /&gt;• With modern IDE and SATA disks, using 5220.22 secure erase software is very safe. There's no need to overwrite everything dozens of times. The need for that many rewrites referred to some very old MFM drives.&lt;br /&gt;• Using software erasure is pretty slow, but it can be done unattended, so setting up some dedicated old computer for that is pretty easy. 
Just make sure no one tries to steal the old drives from that station.&lt;br /&gt;• A very effective way to destroy a disk is to take it apart, and separate the platters from the other components. Dumping the platters in a different trash facility makes it pretty much impossible to recover.&lt;br /&gt;• There is a technique that allows data recovery off a drive in almost any condition, but that process is so lengthy and expensive that most experts would consider it irrelevant. Recovering data from a disk that was physically destroyed would cost so much time and money that even government agencies don't bother with it.&lt;br /&gt;• Take care to monitor old computers - many times people upgrade the disk and don't think of giving the old disk back to the IT group for sanitization. Some even take the old disks home, thereby exposing the company to huge risks. This also goes for computers that are being retired - don't sell them to 3rd party companies without either sanitizing them, or making sure that the buying company commits by contract to do this to ALL disks.&lt;br /&gt;&lt;br /&gt;2) Other media types:&lt;br /&gt;• Recovering data off other media types, such as tapes, CDs, floppies etc. is rather easy, but these media types are also much easier to destroy. Even a little heat can totally kill an optical disc, and a strong magnet can kill a tape almost instantly. I would, however, recommend that a process be used for this - don't just break a CD, and don't pop it in the oven - use a CD shredder, which costs very little these days.&lt;br /&gt;• Users often overlook CDs as a potential security risk, and often throw them in the trash. A security officer would be wise to issue a recurring reminder to all employees to collect discarded CDs and DVDs and have the IT or security department dispose of them securely. 
This goes not only for data disks, but also for software - if someone finds and uses an old copy of Windows for illegal purposes, with the company's serial number, it could lead back to the company and carry legal repercussions.&lt;br /&gt;• Many people carry around USB drives to take a file or two back and forth between home and the office. This is a big risk, as these drives rarely get formatted, and are often lost. I would recommend that any organization introduce a security mechanism to block such devices altogether, or at least control them with a policy (for example, require them to be signed off by corporate security before they are allowed in).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-8837060880520102532?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/8837060880520102532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=8837060880520102532' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/8837060880520102532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/8837060880520102532'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/06/this-car-has-more-than-9-lives.html' title='This car has more than 9 Lives'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' 
src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-3700858419448210755</id><published>2009-06-02T11:42:00.000-07:00</published><updated>2009-06-02T11:43:03.708-07:00</updated><title type='text'>Click YES/NO to format hard drive</title><content type='html'>One of the problems we are still facing in the world of information security is that people still have a built-in tendency to trust authority figures. If it looks "official" enough, most people will trust it and follow, like lambs to the slaughter. This is what made the infamous "MS Antivirus" nagware so effective - it's made to look like it was made by Microsoft, and most people just trust it and believe it's real.&lt;br /&gt;&lt;br /&gt;A more interesting, and frightening, case of being fooled by software is illustrated by the tale of G-Archiver. This free utility is designed to allow the user to back up his Gmail account to his local computer. Generally, this is a good idea, as one never knows when his account might be frozen or accidentally deleted. In this case, however, it has been discovered that the program works in a way that's insecure, to say the least, and borderline identity theft. Apparently, the software is coded to send an Email back to its creator, with the credentials of any user who uses it (you are required to give it your credentials, so it can download all your messages for backup). A programmer who investigated it discovered that the developer's Gmail account was full of username and password info for thousands who downloaded and used the program. 
Even worse, it also turned out that the developer embedded the credentials of this account (where the passwords are being sent to) in his code, so anyone with the right skills can access it and harvest all these usernames and passwords.&lt;br /&gt;&lt;br /&gt;If you are one of those who used this software, now would be a good time to change your Gmail password. In fact, it's a good idea to change it once a month anyway, although I don't fool myself into thinking that any normal person will actually do that. Well, I hope that you at least change your PayPal password now and then. What's frightening here is that most of us, even experienced sysadmins and security experts, trust programs we download to do what they say. Few, if any of us, check if a program contains spyware, and few have the skills to check for the kind of behavior mentioned above. Your credentials or private files could be circulating all over the net without you even suspecting it. On a similar note, many people install file sharing applications and share their entire drive, without realizing that all their personal documents are readily available to everyone. Want proof? Open up some file sharing program and run a search for "my cv.doc" - you will find many!&lt;br /&gt;&lt;br /&gt;Some organizations have configured domain-enforced policies that prevent installation or even downloading of unknown software, but that's only been done within a handful of companies. If your org considered it, it was most likely rejected for political reasons - it's not easy telling everyone that they can't install anything on their computers anymore - it sounds fascist, doesn't it? If you ask me, this is already a necessary step right now, and it's only a matter of time before more security administrators or CEOs realize it and make it happen. At home, it's even worse, as there are no mandatory settings. We have the technology to sign software by a trusted publisher, but hardly anyone uses it. 
Perhaps it's time, before the next wave of a Conficker-like worm hits all of us?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-3700858419448210755?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/3700858419448210755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=3700858419448210755' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3700858419448210755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/3700858419448210755'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/06/click-yesno-to-format-hard-drive.html' title='Click YES/NO to format hard drive'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-671014554033376922</id><published>2009-05-12T16:58:00.000-07:00</published><updated>2009-05-12T16:59:48.330-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forgery'/><category scheme='http://www.blogger.com/atom/ns#' term='crime'/><category scheme='http://www.blogger.com/atom/ns#' term='Theft'/><category scheme='http://www.blogger.com/atom/ns#' term='fake'/><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><category scheme='http://www.blogger.com/atom/ns#' term='ID'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Israel'/><category scheme='http://www.blogger.com/atom/ns#' term='police'/><title type='text'>May I have your life, please?</title><content type='html'>Identity theft is far from new, but with the growing popularity of online accessibility, this has become a major risk that affects pretty much everybody. While most Americans are well aware of this risk and are taking several measures to prevent it, for others this is not so simple.&lt;br /&gt;&lt;br /&gt;For Americans, the most common type of identity theft is a stolen password to an online service. If someone was clever enough to get you to hand over your password (with phishing, for example), he can log in to your account and, if it's a bank account or PayPal, steal all your money. Another type of identity theft is stealing a person's Social Security Number. With that, a thief can gain access directly into things like medical records, bank accounts and much more. Most people are aware of this, and safeguard their SSN closely, but in other countries, this is not the case.&lt;br /&gt;&lt;br /&gt;In Israel, for example, the equivalent of a SSN is the Identity Number, which is a 9-digit number assigned to each person when he/she is born. This number is unique, and will follow that person to the grave. It's printed on each citizen's Identity Card and driver's license and is the primary means of authenticating a person's identity. Unfortunately, the national identity card is notoriously easy to forge, which is why the Israeli government has been working on a smart-card based replacement. What's even more unfortunate is that the entire database of the Israeli population has been leaked to the public, and is freely available to anyone who knows how to download pirated music. In fact, this database, known as "Hipuson", "Shimoshon" or "Mirsham", has been going around for many years now. 
It's available on the eMule network, as well as on many file hosting services, although the plethora of versions in the wild makes it a little hard to find the most updated version. This database contains not only the full names and ID numbers of every living citizen in the state, but also their full address, birth date and parents' names. With simple correlation, one can locate a person's parents, siblings, children and even neighbors, and some versions of the database even have this function built in. Politicians, singers and other celebrities are not exempt, and their info is also included even if it was specifically redacted from the national phone directory. Using this database, anybody can choose a random person, or his enemies, and create a fake ID with their details and his/her own picture. As I said, it is rather easy, and anyone with a color laser printer, a bitmap editor and a laminating machine can do this. Once you have an ID card, you can access the target's bank account, his medical records and even sell his/her house and disappear with the money.&lt;br /&gt;&lt;br /&gt;What can the Israeli citizen do? Basically, nothing. No one knows exactly how the database is leaked, but there are many parties who have access to it. When the Israeli Police started investigating this issue in March 2008, multiple breaches were detected, from unpatched servers to server rooms left unlocked and unsupervised. Changing your ID number is not possible for a citizen, and this has been done only in rare cases where serious damage has been done to a person. The recent report filed by the Auditor General exposes this outrageous conduct, but like most of these reports, it is likely to be completely buried or acted upon very slowly. 
Perhaps the best solution is to keep your cash under the mattress?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-671014554033376922?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/671014554033376922/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=671014554033376922' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/671014554033376922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/671014554033376922'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/05/may-i-have-your-life-please.html' title='May I have your life, please?'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-6726222842763815079</id><published>2009-05-04T15:33:00.000-07:00</published><updated>2009-05-04T15:34:32.201-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SIEM'/><category scheme='http://www.blogger.com/atom/ns#' term='threat'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='backdoor'/><category scheme='http://www.blogger.com/atom/ns#' term='attack'/><category scheme='http://www.blogger.com/atom/ns#' term='hacker'/><category 
scheme='http://www.blogger.com/atom/ns#' term='commando'/><title type='text'>Tunnel Vision</title><content type='html'>When waging our battles on the security front, most organizations just put all the big guns on the front line. We buy expensive load balancers to prevent DoS attacks, state-of-the-art firewalls to prevent penetration, VPN products to secure our back doors etc. Whenever some major threat comes along, everybody jumps out of bed, and rushes over to plug the hole, but at times like that, we often forget one of the oldest tricks in the burglar's book - the diversion (a.k.a. "Steaks for the dogs").&lt;br /&gt;&lt;br /&gt;Unlike the movies, hacking into a network is not a wham-bam, thank you, ma'am deal. A hacker spends a long time conducting surveillance and gathering intelligence, and when he does move in, it will hardly seem like a commando attack. There won't be alarms ringing or security doors closing and sealing people off in safe rooms, and no SWAT teams will show up with megaphones yelling. More often than not, some minor file will be found to be missing or altered several days, weeks or months later, and that will lead to an investigation that reveals the break-in. If you get that dreadful 4 AM phone call, telling you that the firewall's alerts are all over the place, or that your security center detects multiple attacks, that doesn't mean that someone is actually attacking your firewall.&lt;br /&gt;&lt;br /&gt;Just like a commando unit trying to break into an army base will distract the guards with some explosions at the front gate while trying to sneak in through the back, a computer attacker will most likely try to get the entire security team to focus everything on the very visible notification mechanisms. He will use multiple mechanisms to trigger every possible alert on your security devices, and he will do it past midnight so that you and your security team will be tired, angry and less effective. 
He will try to get you guys to spend as much time as possible blocking the DoS attack and plugging the holes, while he quietly sneaks in through some back door that's less obvious and less protected. You will find yourself running from server to server, trying to make sense of gigabytes of logs, and chances are you'll spend days on it. When things quiet down, you might find the actual leak or penetration, but by that time, the attacker will be long gone.&lt;br /&gt;&lt;br /&gt;If this has happened to you, don't be surprised. After all, most information security people are technology gurus, not military-trained commanders, and it's only normal to focus our attention on the most visible threat, just like a driver would focus his attention on the tree he's about to crash into rather than another car that's about to crash into him (this is often referred to as "Tunnel Vision"). However, there is a way to handle this, and that is by preparing properly. Your organization's security policy should have this scenario specifically laid out, and the team needs to be trained not to treat every alert as an alarm. One way is to assign responsibilities to people, and stick to them. If there is a virus rampant on the network, the backup administrator shouldn't be told to forget about the backups "for now" and help clean up machines. On the contrary! He should continue his work and keep an eye out for anything suspicious or wrong with the procedure. If the firewall appears to be breached, the PC technician crew shouldn't be assigned to reviewing logs, but should continue to monitor the user-request queue. Maybe an innocent account lockout request could reveal an account breach that is masked by the pointless firewall attack? 
Perhaps the virus was unleashed intentionally so that the attacker could have uninterrupted access to the data on the backup server?&lt;br /&gt;&lt;br /&gt;Another technique that has worked well for the physical security industry is the emergency level system. A company can create an emergency level scale and assign specific duties to each level. If a file is found to be altered, that raises the threat level, which has some people set aside routine duties and investigate, but doesn't throw the entire IT group into chaos and mayhem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-6726222842763815079?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/6726222842763815079/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=6726222842763815079' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6726222842763815079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6726222842763815079'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/05/tunnel-vision.html' title='Tunnel Vision'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' 
src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-61695580475277359</id><published>2009-03-06T18:30:00.000-08:00</published><updated>2009-03-06T18:33:33.922-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='administrators'/><category scheme='http://www.blogger.com/atom/ns#' term='online fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Trust'/><title type='text'>Do you trust me?</title><content type='html'>For most of us, the system administrators, a.k.a. sysadmins, are life-savers. They reset our passwords when we forget them, recover our files when we delete them, and sometimes give us a hard time about it. For corporate management, however, this kind of power can be frightening. An administrator usually has access to every bit of information in the company, including every employee's employment and HR data, personal email, and usually customer data as well. This kind of power, if abused, can cause irreparable damage to a company, but despite that, most companies interview and screen their sysadmins just like any other employee. If, for some reason, such an employee becomes bitter or estranged, there's no telling what could happen, and there are documented cases where entire companies have been deliberately and completely destroyed by their admins.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Can this happen to your company too? Possibly. CEOs and CIOs have been looking for ways to counter this sort of threat for a while now. There is a logical problem here: if you don't trust your admin and appoint someone to watch over him, how do you trust that someone not to break bad? After all, even CEOs have been known to go astray and stick their hands into inappropriate pockets. 
Who shaves the barber?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There is no simple answer here, but generally the answer has two parts. The organizational part is separation of powers. You appoint at least two or three administrators, and try to make sure they don't become too friendly with each other so there's less chance of collusion. One way to go about this is to appoint people who are worlds apart, with a big age difference, for example. Then add job or responsibility rotation. For example, one can be appointed to manage the finance department servers while the other owns the engineering servers, and then rotate those roles every 3-6 months. This way, if one of them abuses these resources, it will most likely be revealed at the next rotation. Another good practice is to force the administrators to go on vacation on a regular basis (and YES, it's well worth giving them a few extra annual vacation days just for that). When the admin goes on vacation, someone else has to take over, and that will usually expose any foul play.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The second part is technological: use some system to track and log activity. This serves two purposes. People tend to mess around a lot less when they know they are being watched, and that affects not only administrators but also regular users. Secondly, if someone does go over to the dark side, at least there will be a way to check what's been going on, and evidence in case a lawsuit or criminal charges need to be filed. One such software solution is &lt;a href="http://www.intellinx-sw.com/"&gt;Intellinx&lt;/a&gt;, and another is &lt;a href="http://www.radware.com/Products/RealtimeIntelligence/Inflight.aspx"&gt;InFlight&lt;/a&gt;. These solutions record user activity directly from the network, including keystrokes and screen output from every station in the company (keep in mind that a network recorder only sees what crosses the wire in the clear; an administrator working at the console or over an encrypted session needs host-side logging as well).&lt;br /&gt;&lt;br /&gt;Is any of that foolproof? Of course not. 
A smart crook can always find a way around, and the only answer is to carefully build a security policy that tries to address each and every possible threat, external or internal. Another important lesson here is that system administrator is a very sensitive position and should be screened appropriately. The screening process should include not only technical evaluation but also personality and psychological testing, and it wouldn't hurt to repeat it on a regular basis, especially after a big change in the company. If you had your sysadmin fire half his technicians because the company is tight on money, you can bet he's preparing for the possibility of being next on the chopping block, and his preparation might include stashing sensitive data or planting backdoors in servers. Also keep in mind that even the small-time technician you hire today to haul printers around might end up being the sysadmin in 10 years. That means those people should also be chosen carefully, and reviewed again upon promotion. 
And speaking of admins, a fun thing to read is the old classic &lt;a href="http://members.iinet.net.au/~bofh/"&gt;BOFH&lt;/a&gt; (the Bastard Operator From Hell), which tells some tales of a particularly nasty sysadmin.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-61695580475277359?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/61695580475277359/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=61695580475277359' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/61695580475277359'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/61695580475277359'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/03/do-you-trust-me.html' title='Do you trust me?'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-6500091136838436265</id><published>2009-02-12T18:09:00.000-08:00</published><updated>2009-02-12T18:12:57.573-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='conficker removal prevention worm virus infection reinfection re-infection'/><title type='text'>Why does it keep coming back?</title><content type='html'>Conficker (a.k.a. Downadup) is a nasty worm, no doubt about it, but even though it's been out for ages, it would seem there's just no way to get 
rid of it...or is there?&lt;br /&gt;&lt;br /&gt;A lot of our customers seem to be getting this feeling. "We've installed patch MS08-067 and removed the worm using our anti-virus or the MSRT, but we keep getting re-infected," they say. Some have even reached the (false) conclusion that MS08-067 doesn't work. I can assure you that the patch works and closes the RPC hole the worm exploits, but the worm has several other infection schemes that make it very slippery:&lt;br /&gt;&lt;br /&gt;1. If even a single machine on the network is still infected, it will keep attacking every other machine on the subnet and trying to infect them, so until every machine has been cleaned, this problem won't be over.&lt;br /&gt;&lt;br /&gt;2. The worm breaks into target machines over the admin shares by guessing weak passwords. Resetting all domain and local account passwords is a good step. If that's not possible, then the Server service (which serves the shares) and the Task Scheduler service (which the worm uses to run its copy on the remote machine) should be stopped as well. This is drastic, but only temporary, while the machines are being cleaned up. Once there are no infected machines left, these services can be brought back.&lt;br /&gt;&lt;br /&gt;This sort of step is a big problem for server machines, which need the Server service to do their job, but sometimes this is what needs to be done. Think of it as quarantining a sick patient until his medicine kicks in.&lt;br /&gt;&lt;br /&gt;3. The worm infects removable drives, like USB disks, so an admin who uses a USB disk to copy a removal tool to infected machines may in fact be spreading the worm. This can be averted by setting the removable drive to read-only, if the drive supports it. If yours doesn't, consider a full-size SD card in a USB reader: those cards have a physical write-protect switch (microSD cards do not, and the switch is honored by the host driver rather than enforced by the card, so treat it as a safeguard, not a guarantee). Another option is to burn a CD with the tools and use that instead of a removable drive.&lt;br /&gt;&lt;br /&gt;I've heard from several IT administrators that forcing users to use strong passwords is a problem. 
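&lt;br /&gt;&lt;br /&gt;The three reinfection paths above, and the step-by-step given further down in this post, put into one script. This is an added example and not the post's own code. It assumes Windows PowerShell 2.0 or later running as an administrator (Get-EventLog is not available in PowerShell 7), that the MS08-067 package for the OS in question (KB958644; the file name differs per OS and language) and the MSRT executable from KB891716 have been copied to the UNC path in the script, which is a placeholder, and that the machines log in English (the event field names matched in step 5 are from the English message text).

```powershell
# Added example (not code from the original post). Two functions:
#   Invoke-ConfickerCleanup  - run on every domain machine (startup script)
#   Get-LockoutSources       - run on a domain controller to see who is left
$ErrorActionPreference = 'Stop'
$ToolShare = '\\fileserver\conficker'                                  # placeholder path
$PatchExe  = Join-Path $ToolShare 'WindowsXP-KB958644-x86-ENU.exe'    # name varies per OS
$MsrtExe   = Join-Path $ToolShare 'windows-kb890830-x86.exe'          # MSRT, KB891716

function Invoke-ConfickerCleanup {
    # 1) Shut the two doors the worm uses to come back in. sc.exe and
    #    Set-Service take the service key name, not the display name:
    #    "Server" is LanmanServer, "Task Scheduler" is Schedule.
    foreach ($svc in 'LanmanServer', 'Schedule') {
        Set-Service -Name $svc -StartupType Disabled
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    }
    # Reading from $ToolShare still works: that is the client side
    # (Workstation service), not the Server service we just stopped.

    # 2) Install MS08-067 only where it is missing (idempotent on re-run).
    if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
        Start-Process -FilePath $PatchExe -ArgumentList '/quiet', '/norestart' -Wait
    }

    # 3) Run the MSRT quietly (/Q). Its report lands in %windir%\debug\mrt.log.
    Start-Process -FilePath $MsrtExe -ArgumentList '/Q' -Wait

    # 4) Reboot so the patch takes effect. The startup script re-runs steps
    #    1-3 on the next boot; each is idempotent, so that is harmless.
    shutdown.exe /r /t 60 /c 'Conficker clean-up: rebooting to apply MS08-067'
}

function Get-LockoutSources {
    # 5) On a domain controller: which machines are still locking accounts
    #    out? Windows 2003 logs event 539 for a lockout; Server 2008 and
    #    later log 4740. The field name carrying the source machine differs
    #    between the two, hence the alternation in the regex.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName Security -After $since |
        Where-Object { $_.EventID -eq 539 -or $_.EventID -eq 4740 } |
        ForEach-Object {
            if ($_.Message -match '(?:Workstation Name|Caller Computer Name):\s*(\S+)') {
                $Matches[1]
            }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Name, Count
}

# On each domain machine:   Invoke-ConfickerCleanup
# On a domain controller:   Get-LockoutSources -Hours 24
# 6) When the list stays empty, undo step 1 on every machine:
#    Set-Service -Name LanmanServer -StartupType Automatic; Start-Service LanmanServer
#    Set-Service -Name Schedule     -StartupType Automatic; Start-Service Schedule
```

The lockout report is the thing to watch: a machine that keeps appearing as the workstation name in 539/4740 events after the sweep is one the startup script did not reach (or that was re-infected from a USB stick), so it goes to the top of the manual clean-up list.&lt;br /&gt;&lt;br /&gt;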
Forcing strong passwords is indeed hard in environments where the users are non-technical or simply lazy and have trouble remembering them. However, even though resetting passwords for users is an annoying chore, the solution is not to let everybody off with empty or suitcase-lock passwords (1111, 1234 etc.), as this worm is specifically designed to take advantage of such environments. An alternative is a self-service password reset tool. With this type of product, a user who forgot his or her password uses another employee's computer, or a designated kiosk computer, to reset it. Here are several products of this type:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;ADSelfService Plus by ManageEngine (&lt;a href="http://manageengine.adventnet.com/products/self-service-password/index.html"&gt;http://manageengine.adventnet.com/products/self-service-password/index.html&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Desktop Authority® Password Self-Service by ScriptLogic (&lt;a href="http://www.scriptlogic.com/Products/password-self-service/"&gt;http://www.scriptlogic.com/Products/password-self-service/&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;SSRPM by Advanced Toolware (&lt;a href="http://www.advtoolware.com/software/ss-reset-password/self-service-reset-password-management.asp"&gt;http://www.advtoolware.com/software/ss-reset-password/self-service-reset-password-management.asp&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Self Service Password Reset by JiJi (&lt;a href="http://www.jijitechnologies.com/product/self-service-reset-password-management/"&gt;http://www.jijitechnologies.com/product/self-service-reset-password-management/&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;Quite a few more: &lt;a href="http://www.softplatz.com/software/active-directory-password-reset/"&gt;http://www.softplatz.com/software/active-directory-password-reset/&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Finally, here's a step-by-step for an IT administrator in a large organization:&lt;br /&gt;&lt;br /&gt;1) Use a Startup script (&lt;a 
href="http://technet.microsoft.com/en-us/library/cc179134.aspx"&gt;http://technet.microsoft.com/en-us/library/cc179134.aspx&lt;/a&gt;) to stop the Server and Task Scheduler services on all domain machines:&lt;br /&gt;Net Stop Server&lt;br /&gt;Net Stop Schedule&lt;br /&gt;&lt;br /&gt;Or better yet, set these services to Disabled. Note that SC takes the service key name rather than the display name, so the Server service is LanmanServer here (NET accepts either):&lt;br /&gt;SC CONFIG LanmanServer start= "disabled"&lt;br /&gt;SC CONFIG Schedule start= "disabled"&lt;br /&gt;&lt;br /&gt;2) Use the startup script to deploy the MS08-067 patch to all machines&lt;br /&gt;&lt;br /&gt;3) Use the startup script to deploy the MSRT in quiet mode (the /Q switch) to all machines (&lt;a href="http://support.microsoft.com/kb/891716/"&gt;http://support.microsoft.com/kb/891716/&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;4) Reboot all domain machines to make sure that the patch and MSRT run everywhere (this can be automated using the SHUTDOWN command)&lt;br /&gt;&lt;br /&gt;5) Inspect the Security log on your domain controllers using Event Viewer, and filter for event ID 539 (account locked out; on Windows Server 2008 and later the equivalent is 4740). The workstation name in each event tells you which machines are still infected and need cleaning up.&lt;br /&gt;&lt;br /&gt;6) Once all machines are clean and 539 events no longer appear, re-enable the services and open the champagne!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-6500091136838436265?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/6500091136838436265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=6500091136838436265' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6500091136838436265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6500091136838436265'/><link 
rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/02/why-does-it-keep-coming-back.html' title='Why does it keep coming back?'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-6474173612552848909</id><published>2009-01-28T11:13:00.000-08:00</published><updated>2009-01-28T11:14:27.749-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='symantec'/><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='threat'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='worm'/><category scheme='http://www.blogger.com/atom/ns#' term='downadup'/><category scheme='http://www.blogger.com/atom/ns#' term='conficker'/><title type='text'>Bring in the troops</title><content type='html'>In recent weeks, the Conficker virus has been causing a lot of havoc everywhere – account lockouts, network congestion and a lot of headaches. People running Symantec anti-virus software know the same virus as “Downadup”, and that’s not the first time a virus has been labeled differently by different companies. After all, there’s no single authority that investigates viruses, but that got me thinking – maybe it’s time we had one.&lt;br /&gt;&lt;br /&gt;With things as they are now, it takes the anti-virus market some time to react to new viruses. Each AV vendor gets samples from its customers, analyzes them and issues signature updates to its product. Each vendor uses its own methodology to assign a priority, and as a result, some vendors take longer to react. 
In the Conficker case, for example, Symantec’s product is still unable to remove the infection today, almost 3 months since the virus’s first appearance. Even when an update is issued, it’s usually available only to customers of that AV vendor, while users without AV software are stranded (we’ll discuss the stupidity of not having AV software on your computer another time).&lt;br /&gt;&lt;br /&gt;When a new type of virus or disease appears in the real world, no one waits for Pfizer or Bayer to classify it and inform the public. In the USA we have the Department of Health and Human Services and the CDC (Centers for Disease Control and Prevention), as well as other federal agencies like FEMA, to help manage outbreaks. Since computer worms and viruses do have an economic impact, which could easily reach disastrous proportions (as in the case of worms such as MS Blaster, Code Red and Sasser), I feel that this sort of thing should at least be shared by the governments of the world. A federal malware research center could bring some order to this wild field, and have the resources needed to inform the public of new threats and how to manage them.&lt;br /&gt;&lt;br /&gt;And another thing, while we're at it: we should stop giving worms "cool" and distinctive names. Maybe if the latest virus were called "The Dumbass 1", virus writers would be a little less proud of themselves. Now seriously, a malware's name is not a big deal, but it's sad to say that the press today is still glorifying viruses, thereby encouraging low-self-esteem jerks to write them. 
Writing a virus is stupid and detestable, and this message should be delivered clearly whenever the issue is discussed in the media - no discounts or exceptions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-6474173612552848909?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/6474173612552848909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=6474173612552848909' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6474173612552848909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6474173612552848909'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/01/bring-in-troops.html' title='Bring in the troops'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-6739149035789990239</id><published>2009-01-19T10:41:00.000-08:00</published><updated>2009-01-19T10:42:51.611-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='social'/><category scheme='http://www.blogger.com/atom/ns#' term='online fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='sms'/><category 
scheme='http://www.blogger.com/atom/ns#' term='candy'/><title type='text'>Never take candy from strangers</title><content type='html'>Yesterday my darling wife told me that she got a weird SMS about $9.99 and she's not sure what it is. It turned out to be from some IQ test she took online on Facebook. When she completed the test, she was asked for her phone number, to which her score was sent, along with the message that she had just subscribed to a $9.99-a-month service. Clearly this is a scam, but my sweetheart never thought that something from such a reputable source as Facebook could be harmful.&lt;br /&gt;&lt;br /&gt;"This is exactly how the first nasty viruses and worms started to spread", I told her. A worm would harvest its victim's address book and send itself to everyone in it. The victim's poor friends and family would think that this, coming from a friend or family member, must be legit, but of course it wasn't. Later on, some worms got even cleverer and spoofed the sender address to be someone else from the list, so that the recipients could not tell which of their close ones was really the source of the infection.&lt;br /&gt;&lt;br /&gt;Luckily, some people have learned to beware of wolves in sheep's clothing, and others are protected by more secure software that won't let them open attachments, but the success of that "service" and others like it shows that many people still fall for the old trick. Well, if you or your close ones think that since Facebook is a legitimate site, everything on it is too, think again. Pretty much anybody can upload data to Facebook or write an app for it, and although the site has a lot of security features, it's far from secure. This specific application gives you an IQ test comprised of 10 questions (I won't waste your time explaining why such a test is closer to guessing your IQ than actually measuring it) and asks for your phone number. 
To that phone it sends a confirmation code that you need to punch into the website, which then sends you an SMS with your so-called IQ. By entering the code, you are actually agreeing to be subscribed to a service that charges $10 a month. Although this is written both on the website and in the SMS message, some people miss it or misunderstand it. Many wouldn't notice another $10 charge on their cell service bill, and some people are making millions on those people's backs.&lt;br /&gt;&lt;br /&gt;This type of story shows why information security is more about security than information. Although this one is propagated by computers, it could just as easily be done over the phone, through an interactive TV channel, and in many other ways. Even if you don't like computers, or maybe ESPECIALLY if you don't like computers, this poses a real risk. Not only can you be billed, you can never know for sure where your information will end up. Maybe tomorrow you'll be flooded with 20 SMSs a day advertising the Viagra or Rolex of the day, or maybe you'll become part of an identity theft operation. The most important lesson here is this: Facebook is NOT your friend, and neither are MySpace or any other web service. Always assume the worst about an information source, even if you've used it for years and it was great otherwise. The bad guys, or "evil doers" as W likes to call them, are all around, and they will keep finding new ways to separate us from our money. 
Just make sure it's not you, and I might also suggest educating your friends and loved ones too.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-6739149035789990239?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/6739149035789990239/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=6739149035789990239' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6739149035789990239'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6739149035789990239'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/01/never-take-candy-from-strangers.html' title='Never take candy from strangers'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-2850244740163532456</id><published>2009-01-12T14:25:00.000-08:00</published><updated>2009-01-12T14:30:37.849-08:00</updated><title type='text'>The human factor</title><content type='html'>Many companies base a significant part of their manpower on outsourced workers. This is a convenient way to manage human resources, and in most cases it has made financial sense. An aspect that many managers tend to forget, though, is security. 
Are outsourced workers a source of danger to the company?&lt;br /&gt;&lt;br /&gt;This post will anger many readers, I’m sure. After all, millions of people make an honest living as outsourced workers and many companies depend on them. However, the truth must be told, even if it's unpleasant. Outsourced workers can be a major security threat to an organization, and history records quite a few cases of serious damage suffered by companies that didn’t take the appropriate measures. No, I’m not saying outsourced workers are treacherous, bad or dangerous. In many cases it's exactly the opposite, because employees whose position is not as secure as a full-time employee's will often outperform others to demonstrate their worth. However, the outsourcing model exposes workers, especially in maintenance roles, to certain risks.&lt;br /&gt;&lt;br /&gt;One problem stems from the fact that outsourced workers usually make a lot less money than FTEs. The economic pressure makes these employees an easy target for industrial espionage. For example, a known case involved a cleaner who was offered a significant sum in return for a daily visit to his organization's floor printers to collect the printouts left there by other employees. These printouts are of random content, but frequently include sensitive material such as email correspondence, financial reports, future product information and so on. Such a random collection can be extremely valuable to hostile parties, both for industrial espionage and for infrastructure penetration. The sum offered to that employee was larger than his monthly salary, and you’d be hard-pressed to find people who make $2,000 a month and can resist such a temptation. 
For some of them, this is a unique opportunity to finally get out of debt.&lt;br /&gt;&lt;br /&gt;Another problem is that managers often ignore outsourced workers when thinking about their employees, and these workers are often excluded from routine activities. Often they don’t receive the email that is sent to other employees (if they even have an account), nor are they invited to events and lectures with the rest of the company. These employees might miss the company’s information security procedures simply because they were never given to them in an orderly fashion. This is less of an issue for technical staff, but the cleaning crew, administrative staff and the like are usually with the company for short periods and often do not receive thorough guidance about procedures and guidelines. An FTE, for example, is often assigned a mentor or “buddy” for a while, who helps him get acquainted and learn what is permissible and what is not. A cleaner or security guard, on the other hand, often finds himself alone, trying to distinguish right from wrong by randomly asking co-workers or guessing. Such an employee might think that using someone else's computer to surf the web is reasonable, just like making a call from someone else's phone is legitimate and common. In most companies a phone call costs money but is not dangerous. Web surfing, on the other hand, could introduce spyware or a virus to the computer, and that is less pleasant.&lt;br /&gt;&lt;br /&gt;It’s important to stress once again that the purpose of this is not to indict all outsourced workers, but to stress how important they are to the “system”. This requires that they be treated as equals. Even a temporary, low-ranking worker must receive a detailed guide, including the nuances of working at the company, that stresses the aspects of information security and the security policies. 
Besides clarifying the importance of protecting the company's assets, such sharing of information can strengthen the bond between employee and employer and reduce the temptation to cross the line. Let’s not forget, by the way, that full-timers can cross the same line, and there are many recorded incidents where even high-ranking officials succumbed to external pressure or simply feathered a nest for a rainy day. This leads to one conclusion: there is no alternative to professional risk management procedures, which include identifying risk sources and plugging holes on both a personal and a systemic level.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-2850244740163532456?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/2850244740163532456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=2850244740163532456' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/2850244740163532456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/2850244740163532456'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/01/human-factor.html' title='The human factor'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' 
src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-7628830089283188359</id><published>2009-01-02T13:50:00.000-08:00</published><updated>2009-01-02T14:18:18.472-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='domain'/><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='defacement'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber crime'/><category scheme='http://www.blogger.com/atom/ns#' term='site'/><title type='text'>Is it safe? Not if you're Jewish!</title><content type='html'>The fighting in Israel in the past days is having an impact on the cyber world as well. This time, two major Israeli sites, Ynet and Discount Bank, have been defaced.&lt;br /&gt;&lt;br /&gt;When fighting between Israel and this-or-that Arab faction breaks out, as happens once every few months, nationalist hackers from around the globe have an excuse to wage some cyber war. This time, a group of Moroccan hackers called "&lt;strong&gt;Team Evil&lt;/strong&gt;" has mounted a successful attack against two major Israeli sites: the site of &lt;strong&gt;Discount Bank&lt;/strong&gt;, one of Israel's largest banks, and the English version of Ynet, Israel's second largest web portal, operated by &lt;strong&gt;Yedioth Aharonot&lt;/strong&gt;, Israel's largest daily newspaper.&lt;br /&gt;&lt;br /&gt;The defacement shows graphic images of dead terrorists, accompanied by anti-Israeli text. At first this was thought to be a simple defacement, but it turns out the hackers actually brute-forced the passwords of the sites' accounts at the Israeli hosting provider and domain registrar &lt;strong&gt;DomainTheNet&lt;/strong&gt;. 
This allowed the hackers to impersonate the account holders and modify the DNS records so that the domains pointed at another website, without ever actually penetrating the original websites.&lt;br /&gt;&lt;br /&gt;This sort of attack is much easier than cracking the websites themselves, which are well secured, but ironically it is harder to resolve. DNS changes take time to propagate: resolvers around the world keep serving the answer they cached until its TTL expires, which can take as long as 48 hours, so it took quite a while until the hack was noticed. When it was fixed, the correction again had to wait for caches to expire, so right now quite a lot of users still get the defaced page and may continue to be affected for over a day.&lt;br /&gt;&lt;br /&gt;This breach illustrates the importance of a complete security policy. A company can invest millions in securing its web farm, but a single overlooked password can lead to an effective attack. The lesson is simple: when securing a resource, we must take every aspect of its security into consideration, including the accounts held at third parties such as registrars and hosting providers. In this case, the person who created the domain account with DomainTheNet simply chose a weak password (which is a secondary lesson here), but there are other, simpler ways to bypass security. For example, making changes to a domain directly with ISOC, Israel's Internet Society and main registrar, involves submitting a request via a web form and then completing the request by sending a fax. The web form has virtually no security, and forging a fax of this nature is also pretty easy. Another example: many companies rely on email as a primary, or even the only, way to communicate with customers. Taking over a user's mail account is usually pretty easy, either by brute force or by calling the ISP and having the password reset, and once you control someone's email, you can use it to reset the passwords of most other accounts that user has. 
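&lt;br /&gt;&lt;br /&gt;How would you catch this before your customers do? As an added example (not from the original post, and not DomainTheNet's or anyone's real tooling), here is a small Python monitor that diffs a domain's live NS and A records against an approved baseline and rates the drift. The domain name, nameservers, addresses and TTLs are constructed for illustration, and the "observed" set models the registrar-level re-pointing described above:

```python
"""Detect registrar-level DNS hijacks by diffing live records against an approved baseline.

Added example (not from the original post). The record sets below are constructed
to mimic the scenario described: NS and A records for a hypothetical domain
'example-bank.example' silently re-pointed through the registrar account.
Hostnames, addresses and TTLs are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str   # 'NS', 'A', 'MX' ...
    value: str
    ttl: int     # seconds a resolver may keep serving this answer from cache


# Baseline: what the domain owner approved (assumption: captured at change-control time).
BASELINE = {
    Record("example-bank.example.", "NS", "ns1.hosting-provider.example.", 86400),
    Record("example-bank.example.", "NS", "ns2.hosting-provider.example.", 86400),
    Record("www.example-bank.example.", "A", "203.0.113.10", 3600),
}

# Observed: what a monitor resolved today (constructed). The delegation has moved to
# attacker-run nameservers and www answers with a new address carrying a long TTL,
# so the bad answer lingers in caches even after the registrar record is corrected.
OBSERVED_HIJACKED = {
    Record("example-bank.example.", "NS", "ns1.attacker-dns.example.", 86400),
    Record("example-bank.example.", "NS", "ns2.attacker-dns.example.", 86400),
    Record("www.example-bank.example.", "A", "198.51.100.77", 172800),
}


def diff_records(baseline, observed):
    """Return (missing, unexpected): approved records gone from the zone, and records added to it."""
    key = lambda r: (r.name, r.rtype, r.value)
    missing = sorted(baseline - observed, key=key)
    unexpected = sorted(observed - baseline, key=key)
    return missing, unexpected


def severity(missing, unexpected):
    """An NS change means the whole zone is delegated elsewhere; A/MX changes are host-level."""
    types = {r.rtype for r in missing + unexpected}
    if "NS" in types:
        return "critical"
    if types:
        return "high"
    return "ok"


def max_cache_lifetime(records):
    """Worst-case seconds until every resolver has dropped these answers.

    This is the 'propagation delay' the post describes: a fix at the registrar only
    reaches a given resolver once the record it cached has expired.
    """
    return max((r.ttl for r in records), default=0)


def check_zone(baseline, observed):
    """Compare one resolution pass against the baseline and produce an alert-ready report."""
    missing, unexpected = diff_records(baseline, observed)
    return {
        "severity": severity(missing, unexpected),
        "missing": [f"{r.name} {r.rtype} {r.value}" for r in missing],
        "unexpected": [f"{r.name} {r.rtype} {r.value}" for r in unexpected],
        # how long the attacker's answers can survive in caches after the records are corrected
        "stale_window_seconds": max_cache_lifetime(unexpected),
    }


if __name__ == "__main__":
    report = check_zone(BASELINE, OBSERVED_HIJACKED)
    print(report["severity"], "stale for up to", report["stale_window_seconds"], "s")
    for line in report["unexpected"]:
        print("UNEXPECTED", line)
```

In practice the observed set would be gathered on a schedule from several independent resolvers plus the parent zone's delegation, since an NS change at the parent is the signature of a registrar-account compromise rather than a web-server one. The stale window is whatever TTL the attacker published, which is why correcting the records at the registrar does not immediately correct what users see.&lt;br /&gt;&lt;br /&gt;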
In short, there's an old expression to keep in mind: The chain is only as strong as its weakest link!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-7628830089283188359?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/7628830089283188359/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=7628830089283188359' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/7628830089283188359'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/7628830089283188359'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2009/01/is-it-safe-not-if-youre-jewish.html' title='Is it safe? 
Not if you&apos;re Jewish!'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-7960473423720119214</id><published>2008-12-30T12:49:00.000-08:00</published><updated>2008-12-30T13:04:41.797-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='routers'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='home networks'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber crime'/><category scheme='http://www.blogger.com/atom/ns#' term='Phones'/><title type='text'>Unleash the hounds!</title><content type='html'>Most security people are busy with their current firewall or SSL VPN, but some are already thinking about the future. The current line of security products is mature, and we already have solutions for most current threats, but it's a cat-and-mouse game. We put up firewalls, and the hackers turn their attention to our dial-up modem banks. We implement call-back, and they go after the VPN cluster. We deploy digital certificates, and they start targeting our endpoints with Trojans. This is never going to end, of course, but the question is: what's next?&lt;br /&gt;&lt;br /&gt;As long as there are money and computers in the world, there will be cyber criminals looking for ways to get at them. The question of what threats and exploits are on the horizon is being asked not only by security professionals but also by software companies. The first company to predict the next threat may well be the first to develop a solution for it and to capitalize when everybody rushes to buy it. 
So, how do you pick the winning horse?&lt;br /&gt;&lt;br /&gt;The major shift in the security industry lately has been from network security to endpoint security. As security products for the network and the backbone matured, attackers turned to exploiting the weaknesses of human nature. Trojans and spyware became a global phenomenon, opening a channel for direct access to the corporate network through any desktop. Security companies quickly developed a slew of solutions: anti-spyware scanners, endpoint lockdown mechanisms and Network Access Control systems. By now most companies have implemented at least some of these, but there are more threats on the horizon.&lt;br /&gt;&lt;br /&gt;Criminals are drawn to where the money is, and in the technology world the money is where the data is. While the data on your servers and workstations is probably protected well enough, there are still sources of data that are less protected. The first threat, as I see it, is mobile devices. Most phones today can do much of what a computer can: hold contacts, schedules, email and files, and often quite a lot of them. Usually money can't be stolen directly off your phone, but the personal data on it can easily be used for identity theft, which in turn can be used to attack your company's corporate network. Imagine the phone of a company's IT manager being stolen: a list of the vendors the company works with can easily be compiled, hardware orders can be diverted, and passwords can be socially engineered. If an attacker knows when your IT manager is on vacation or in long meetings, those timetables can be used to coordinate a focused attack. None of this is new, and security solutions for phones are already quite advanced. Some encrypt the phone's internal storage so it can't be read without a password. Others lock or wipe the phone when given a remote command over the carrier's network. 
There are, of course, quite a few anti-malware products as well. One thing no one is doing yet is preventing the phone from being lost in the first place. Cabs, airports, coffee shops: all are prime locations for forgetting your phone, and most are never recovered. Technologies such as RFID could be used to prevent this sort of loss, but they still have no significant adopters.&lt;br /&gt;&lt;br /&gt;Another abundant data mine is home networks. Securing a wireless home network isn't hard, but many people are still afraid to mess around with their router's settings and just leave it open. Some people worry about sharing their bandwidth with drive-by freeloaders, but the real danger is that an unwanted guest on the network has unrestricted reach to your computers. Even if you set a password on your computer, an attacker on the same network has all the time in the world to brute-force it, and the average user is unlikely to check the event log and notice the failed logon attempts. Securing the home network really isn't that hard, but apparently most people don't bother. Very few companies enforce a policy that prevents or controls how their employees connect the company laptop to the home network, not to mention storing business files on the home PC. An ideal solution would be for the company to give its employees home desktops, which would give the company full control over what goes on inside them.&lt;br /&gt;&lt;br /&gt;Buy every employee a PC, on the company dime? Am I crazy? Well, it will cost a pretty penny, but consider the costs for a minute. This could amount to several hundred dollars per year per employee, but that is still a negligible part of what an employee costs the company. If it prevents even a single attack, it could be well worth it. I'm not very optimistic that many companies will adopt this idea, but what should definitely happen is an improvement in home network security and in cellular phone technology. 
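&lt;br /&gt;&lt;br /&gt;Those failed attempts are the one trace a password brute-force leaves behind, and checking for them is easy to automate. The following is an added example (not from the original post) of the detection a home or small-office admin could run over exported Windows Security log events: it flags a source address that produces five failed logons within five minutes, and separately flags a later success from a source that had been hammering, which is the signal that a guess worked. The flat line format, the use of event IDs 4625 and 4624 for failed and successful logons, and the 192.168.1.x addresses are assumptions, and the log lines are constructed:

```python
"""Flag password brute-forcing from failed-logon events (added example, not from the post).

The log lines below are constructed to resemble Windows Security event 4625
('An account failed to log on') and 4624 (successful logon) after export to a
flat text format. The field names, event IDs and home-network addresses are
assumptions for illustration.
"""
import operator
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2008-12-30 22:14:03 EventID=4625 LogonType=3 Account=ben Source=192.168.1.53
2008-12-30 22:14:04 EventID=4625 LogonType=3 Account=ben Source=192.168.1.53
2008-12-30 22:14:04 EventID=4625 LogonType=3 Account=ben Source=192.168.1.53
2008-12-30 22:14:05 EventID=4625 LogonType=3 Account=administrator Source=192.168.1.53
2008-12-30 22:14:06 EventID=4625 LogonType=3 Account=ben Source=192.168.1.53
2008-12-30 22:14:07 EventID=4624 LogonType=3 Account=ben Source=192.168.1.53
2008-12-30 22:30:00 EventID=4625 LogonType=2 Account=ben Source=-
2008-12-30 23:05:11 EventID=4625 LogonType=3 Account=guest Source=192.168.1.53
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_line(line):
    """Turn one flat log line into a dict of fields; returns None for lines that do not match."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    fields["ts"] = ts
    return fields


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for network sources producing `threshold` failures within `window`.

    Also reports 'success-after-failures' when a source that crossed the threshold
    later logs on successfully: the classic sign that a guessed password worked.
    Local (console) logons carry no source address and are skipped.
    """
    recent = defaultdict(deque)   # source: timestamps of failures still inside the window
    hammering = set()             # sources that have crossed the threshold
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["Source"] == "-":
            continue
        src = ev["Source"]
        if ev["EventID"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev["ts"])
            # forget failures that have fallen out of the sliding window
            while q and operator.gt(ev["ts"] - q[0], window):
                q.popleft()
            if operator.ge(len(q), threshold) and src not in hammering:
                hammering.add(src)
                alerts.append(("bruteforce", src, ev["ts"]))
        elif ev["EventID"] == SUCCESS_LOGON and src in hammering:
            alerts.append(("success-after-failures", src, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, when in detect_bruteforce(SAMPLE_LOG):
        print(when, kind, src)
```

The window and threshold are deliberately loose for a home network; on a domain controller you would key on the account as well as the source, and treat the success-after-failures alert as an incident rather than a warning.&lt;br /&gt;&lt;br /&gt;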
Instead of confusing dialog boxes about TKIP, AES, WEP, WPA and hex keys, a home router should be secure by default and easy to configure. For example, a router could ship with encryption enabled and a randomly generated passphrase, displayed on a small LCD, which the user types into each machine when connecting for the first time. The same goes for phones. Phones today are like Windows 3.11: you have to really try to set a lock on them. Setting a strong password should be the default when you get the phone from the carrier, and only users who really want to, and have the know-how, should be able to bypass it. No doubt it will annoy many people, but so does locking your home every time you leave, and yet we are all fine with that! Currently all router manufacturers compete on performance and price, and I've yet to see even one that boasts better security. The same goes for phones: it's all about music and easy texting, but not a single device is marketed as safer. Will we ever learn?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-7960473423720119214?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/7960473423720119214/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=7960473423720119214' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/7960473423720119214'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/7960473423720119214'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2008/12/unleash-hounds.html' title='Unleash the hounds!'/><author><name>Ben 
Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-6496240231165492531</id><published>2008-12-15T10:25:00.000-08:00</published><updated>2008-12-15T10:29:28.691-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='threat'/><category scheme='http://www.blogger.com/atom/ns#' term='scan'/><category scheme='http://www.blogger.com/atom/ns#' term='Cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='crime'/><category scheme='http://www.blogger.com/atom/ns#' term='Theft'/><category scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='scareware'/><category scheme='http://www.blogger.com/atom/ns#' term='ftc'/><title type='text'>There's no business like the scam business</title><content type='html'>Just a few days ago, the FTC finally &lt;a href="http://www.ftc.gov/opa/2008/12/winsoftware.shtm"&gt;decided to act&lt;/a&gt; against &lt;strong&gt;Innovative Marketing, Inc.&lt;/strong&gt; and &lt;strong&gt;ByteHosting Internet Services&lt;/strong&gt;. These two companies are responsible for a large share of the technical support calls received by companies everywhere. Their variety of spyware, nicknamed "scareware", sneaks onto computers and websites and notifies the user that his computer is infected with viruses, urging him to buy an anti-virus product from these companies. 
The "warning" is mostly false, and it is designed and branded to look like a genuine notification from Microsoft or the operating system.&lt;br /&gt;&lt;br /&gt;Why it took the FTC so long to do something about this menace is beyond me, but the real question is this: can the FTC really combat this sort of threat? Despite charging only $40 for their software, both companies made millions of dollars, and that kind of incentive isn't going to go idle just because of some FTC barking. These companies, just like spammers and other shady or illegal operations, have never cowered before authority. In similar cases the operators usually disappear and restart their operation somewhere else, sometimes under a new name and sometimes in another country. Innovative Marketing already has offices in Ukraine, well outside the FTC's reach. In fact, I suspect there are at least a few hundred people reading about this in the media and thinking "Hmmmmm...maybe I should start a business like that?"&lt;br /&gt;&lt;br /&gt;The spam market is a good analogy. We have been fighting spam for years now, and we've tried everything. We've &lt;a href="http://www.whitehouse.gov/news/releases/2003/12/20031216-4.html"&gt;enacted legislation&lt;/a&gt;, successfully &lt;a href="http://www.msnbc.msn.com/id/27894318/"&gt;sued spammers&lt;/a&gt;, &lt;a href="http://www.microsoft.com/exchange/evaluation/features/default.mspx"&gt;developed technology&lt;/a&gt; to fight it and even &lt;a href="http://www.saferinternet.org/ww/en/pub/insafe/index.htm"&gt;raised public awareness&lt;/a&gt;, but spam rates haven't decreased significantly. Why? Because as long as there's somebody who will buy, there will be someone to sell.&lt;br /&gt;&lt;br /&gt;That sounds bleaker than I intended, but are we really going to have to live with these computer annoyances forever? I was never an optimist about human nature, and I'm afraid I can't be one here either. 
The human race has been battling crime since the dawn of time, and despite some very effective law enforcement and punishment systems, people are still stealing, hurting, killing and more. Bottom line? We shall always rejoice when spammers or other cyber criminals are taken down, but the hard truth is that this is a fight that's never going to end. Maybe it's time to think about taking out some insurance...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-6496240231165492531?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/6496240231165492531/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=6496240231165492531' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6496240231165492531'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6496240231165492531'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2008/12/theres-no-business-like-scam-business.html' title='There&apos;s no business like the scam business'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-321096854894079514</id><published>2008-12-09T14:25:00.000-08:00</published><updated>2008-12-15T11:20:56.272-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='threats'/><category scheme='http://www.blogger.com/atom/ns#' term='art'/><category scheme='http://www.blogger.com/atom/ns#' term='War'/><category scheme='http://www.blogger.com/atom/ns#' term='peace'/><category scheme='http://www.blogger.com/atom/ns#' term='Cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='science'/><category scheme='http://www.blogger.com/atom/ns#' term='networking'/><title type='text'>The art of war</title><content type='html'>Although there's nothing nice about war, I'm using the title of Sun Tzu's famous work to raise this point: is information security a science or an art? According to Ira Winkler of ISAG, it's definitely a science, but I beg to differ. Ira raised the issue in a presentation a few months ago, and we debated it for a while.&lt;br /&gt;&lt;br /&gt;According to Ira, dealing with information security is purely scientific. You learn the technology, tools, techniques and methods of the field. Whether you put that knowledge to good or bad use is another matter, but the bottom line is that it's about knowledge and the ability to apply it.&lt;br /&gt;&lt;br /&gt;If you ask me, hacking, and defending against hackers, is a lot more of an art than you might think. That's not to say it isn't a science, but that it's much more than a science. No doubt, to be any good on either side you must learn the ropes. You need to learn your TCP/IP, understand networking, and get familiar with tons of products, along with their strengths and weaknesses. This, however, is just the first part. If you think about it, every major form of art is based on a lot of technical know-how. If you want to paint the new Mona Lisa, you need to learn how to stretch the canvas on the frame (yes, today you can buy it pre-stretched, but you catch my drift, right?), select your colors, mix them properly, choose your brushes and start painting. 
To do it right, you should also learn some color theory, the use of perspective and composition, the golden ratio and so on. It's certainly possible to create a painting without any of that, using just a pencil or crayon and a piece of paper, but in most cases the outcome will be no prettier, more interesting or more relevant than guessing someone's "1234" voicemail PIN.&lt;br /&gt;&lt;br /&gt;Basically, what I'm saying is that every art rests on some technique that has to be learned and perfected, and that while many people learn the principles of information security very thoroughly, only a handful have the skill to transcend the science and turn it into art. This goes both for hackers and crackers and for those who defend their company against them. It doesn't take much to install and configure a firewall, nor does it take much skill to run some well-documented exploit and break into something, but being able to use existing technologies inventively to circumvent a security mechanism, or to build effective protection against undocumented or still-unknown attacks, is something else.&lt;br /&gt;&lt;br /&gt;For example, take the well-known Samy worm written by Samy Kamkar. This worm did not cause significant damage to anyone or anything, so it's a good example of a piece of art. MySpace filtered most script commands out of user-supplied content, so creating this worm took a lot of inventiveness on Kamkar's part. He spent week after week developing his code to circumvent the various mechanisms, often inventing clever ways to sneak commands through the complex filters MySpace used. Reading the final code (http://web.archive.org/web/20060208182348/namb.la/popular/tech.html) is not easy even for experienced web developers, but it's clearly a piece of digital poetry. 
A conventional poet hunts for new metaphors or synonyms to express himself in rhyme and rhythm, much as a worm writer hunts for pieces of code that will "work", and that is the difference between the MySpace security team and Kamkar. The security team was merely updating its filters occasionally, whenever a new way to sneak code in was discovered: a blacklist that is always one bypass behind. Similarly, most security managers update their systems or modify their configuration when new patches or attacks are published, but a rare few are as active as the hackers, spending their time researching and trying to come up with new and better ways to secure their systems. One such person, who manages security at a bank I once consulted for, was a perfect example. He spent almost no money on security products and instead wrote mountains of scripts that blocked every attack I was aware of, plus quite a few that were only theoretically possible back then.&lt;br /&gt;&lt;br /&gt;Don't get me wrong: despite my praise for Kamkar's work, I don't condone worm writing, and I don't mean to glorify the horrible things done by virus writers. What I am saying, though, is that hackers ARE artists, and to fight back effectively we need to become at least as artistic, or we'll always be on the defensive. Maybe that's one of the reasons so many ex-hackers are doing so well in the security-officer profession? How to transform oneself from a technical expert into an artist is not something I can tell anyone how to do, but it's certainly possible. 
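&lt;br /&gt;&lt;br /&gt;To make the filter-chasing concrete, here is an added example in Python (not the post's code, not MySpace's filter and not Kamkar's worm) contrasting the two approaches: a keyword blacklist of the kind a security team keeps extending, which a constructed payload slips past using the newline-inside-"javascript" trick that Kamkar's own write-up documents, beside an allowlist sanitizer that rebuilds the fragment from a fixed set of harmless tags and escapes everything else, so there is nothing left to chase. The tag set, the blacklist words and the payload are assumptions for illustration:

```python
"""Blacklist filtering versus allowlist sanitising of user-supplied HTML.

Added example: not code from the post, from MySpace or from Kamkar's worm.
`blacklist_filter` is a hypothetical stand-in for the keyword stripping the post
describes. The payload reuses one trick from Kamkar's own write-up, a newline
inside the word 'javascript' that lenient browsers of the day ignored; the div
and its style attribute are constructed for illustration. Angle brackets are
built with chr() so this block can sit inside the escaped HTML of the feed.
"""
import html
import re
from html.parser import HTMLParser

LT, GT = chr(60), chr(62)   # the two angle brackets


def blacklist_filter(fragment):
    """Strip known-bad words. Fails open: anything not on the list sails through."""
    for word in ("javascript", "onload", "onerror", "expression"):
        fragment = re.sub(word, "", fragment, flags=re.IGNORECASE)
    return fragment


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment keeping only a fixed set of tags, with no attributes at all."""

    ALLOWED = {"b", "i", "em", "strong", "p", "br"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:          # attrs (style, href, on*) are dropped on purpose
            self.out.append(LT + tag + GT)

    def handle_startendtag(self, tag, attrs):
        if tag in self.ALLOWED:
            self.out.append(LT + tag + "/" + GT)

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(LT + "/" + tag + GT)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))   # text is text, never markup

    def result(self):
        return "".join(self.out)


def allowlist_sanitize(fragment):
    """Fails closed: unknown tags vanish, unknown text is escaped."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


def contains_active_content(fragment):
    """A lenient browser's view of a fragment: does it still carry script?

    Whitespace inside the URL scheme is ignored, which is exactly why the
    newline bypass works against a naive substring blacklist.
    """
    collapsed = re.sub(r"\s+", "", fragment).lower()
    has_js_url = "javascript:" in collapsed
    has_handler = re.search(r"\son\w+\s*=", fragment, re.IGNORECASE) is not None
    return has_js_url or has_handler


# Constructed payload in the spirit of the worm: a style attribute whose URL
# scheme is 'java' + newline + 'script', which the blacklist regex never matches.
PAYLOAD = (LT + 'div style="background:url(java\nscript:alert(document.cookie))"' + GT
           + "hi" + LT + "/div" + GT)

BENIGN = LT + "b" + GT + "hello" + LT + "/b" + GT


if __name__ == "__main__":
    print("blacklist lets script through:", contains_active_content(blacklist_filter(PAYLOAD)))
    print("allowlist lets script through:", contains_active_content(allowlist_sanitize(PAYLOAD)))
    print("allowlist keeps harmless markup:", allowlist_sanitize(BENIGN) == BENIGN)
```

The point is not that the allowlist is cleverer; it is that it never has to know what the attacker will think of next, because unknown input is data by default rather than markup by default.&lt;br /&gt;&lt;br /&gt;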
Maybe as a first step, the CISSP certification should include some philosophy lessons, or at least a mandatory reading of the Art of War...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-321096854894079514?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/321096854894079514/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=321096854894079514' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/321096854894079514'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/321096854894079514'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2008/12/art-of-war.html' title='The art of war'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-6884119774224185056</id><published>2008-12-03T16:47:00.000-08:00</published><updated>2008-12-03T17:40:52.743-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reduction'/><category scheme='http://www.blogger.com/atom/ns#' term='overhead'/><category scheme='http://www.blogger.com/atom/ns#' term='cutting'/><category scheme='http://www.blogger.com/atom/ns#' term='costs'/><category scheme='http://www.blogger.com/atom/ns#' term='cut'/><category scheme='http://www.blogger.com/atom/ns#' 
term='crisis'/><category scheme='http://www.blogger.com/atom/ns#' term='reduce'/><category scheme='http://www.blogger.com/atom/ns#' term='clients'/><category scheme='http://www.blogger.com/atom/ns#' term='thin'/><category scheme='http://www.blogger.com/atom/ns#' term='save'/><category scheme='http://www.blogger.com/atom/ns#' term='economy'/><title type='text'>No Money=No Security?</title><content type='html'>The economic crisis is affecting everybody these days, and everybody is cutting expenses. For some this means a lost job or reduced benefits, but a popular way for companies to cope is to cancel purchases of software and hardware. This is bad news for anybody who's selling anything, and many IT people will be heartbroken at having to live with an old mail server or domain controller, but a lot of companies are also postponing or cancelling upgrades of their firewalls and other security products. Staying with an old piece of software or hardware for another year is certainly no fun, but when it comes to security it is far more worrying. The value of information security has always been hard to prove, and even today many managers see it as a money pit. I can't do the talking for you, but here are some ways to save money without giving up security.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Virtualization&lt;br /&gt;&lt;/strong&gt;Unless you've been living in a tree, you must have heard of virtualization. It has many aspects, but for our purpose I'm talking about consolidating several servers onto a single piece of hardware. This still costs money, since each guest server still needs its own operating system license, but instead of spending $20,000 on four servers you might save as much as half of that by buying a single, stronger server (you're going to need LOTS of RAM!) and hosting the same four servers on it as virtual machines. Beyond the hardware costs, virtualization saves time, money and downtime. 
If a server suddenly dies, you don't have to wait hours for tech support or parts: move the disks to another host and you can bring the virtual machines back up almost immediately. Not convinced? How about electricity? Running one machine instead of many cuts the electricity bill for both power and cooling. Some virtualization products are given away for free, like Microsoft's Hyper-V Server 2008 (&lt;a href="http://www.microsoft.com/servers/hyper-v-server/how-to-get.mspx"&gt;http://www.microsoft.com/servers/hyper-v-server/how-to-get.mspx&lt;/a&gt;) and VMware Server (&lt;a href="http://www.vmware.com/products/server/"&gt;http://www.vmware.com/products/server/&lt;/a&gt;), so dive in and give it a whirl!&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Outsourcing&lt;br /&gt;&lt;/strong&gt;You might not be able to afford that fancy SEM (security event management) tool you've been dreaming about, but that doesn't mean you have to give up on the whole idea. SEM software costs an arm and a leg, but there are alternatives. I'm talking about outsourcing. Nowadays you can outsource almost anything, including having others watch over your servers. These services are usually billed periodically and per server, and although this is more expensive in the long run, it buys better security without a huge up-front investment. Another advantage is that the outsourced technicians may be better trained to handle emergencies, which could translate into a quicker resolution of a virus outbreak or a successful attack. Not convinced? Some states and countries give better tax treatment to outsourced services than to purchased software, so this could be even cheaper than you or your manager thinks. 
Speaking of outsourcing, there are many other services that can be outsourced, from backup to user management, so for any purchase you had to scrap, check out the outsourcing market for that area; you might be surprised at how much security you can get for a lot less money.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Play hardball&lt;br /&gt;&lt;/strong&gt;When the economy is this bad, everybody takes some of the heat, and sales are down everywhere. This means that even robust companies with multi-million dollar product sales are feeling it. It's also important to keep in mind that the people who actually make the sales are people just like you and me. They have deadlines and quotas, and at times like these they are anxious to protect their jobs, so they may go a long way to close another deal, especially now (December). Don't be afraid to play hardball and negotiate. Many people feel that haggling belongs in the downtown meat market, but you can afford to be a little less honorable. Play it cool, flaunt the offers you got from other vendors, and get your boss or a colleague to play good cop, bad cop. I've personally witnessed cases where such maneuvers led to 60% price reductions. Can you afford not to?&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Lose some of that weight&lt;br /&gt;&lt;/strong&gt;We are all used to having a nice desktop with tons of disk space and resources, but with today's costs it might be time to think about going thin. Thin clients have a lot of advantages, but the best one is saving money. The clients themselves are far from cheap, some costing more than a desktop, not to mention the terminal server hardware and licensing, but they save money in several other ways. A thin client is designed to do as little as possible and consumes very little electricity. Some companies report a 30% reduction in their electricity bill after switching to thin clients. Not enough? How about support costs? 
Instead of one technician per 60-70 workers, thin clients require very little support. There are no viruses, drivers or hard-drive crashes to deal with on the client, and most problems can be fixed by a secretary who swaps the faulty unit for a spare. A company with 1,000 employees might be able to reduce its IT staff from 15 people to just 2 or 3. Trimming staff is no fun, but it might be what it takes to keep the company from going under.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1352683154378824654-6884119774224185056?l=isitsafe101.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/6884119774224185056/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=6884119774224185056' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6884119774224185056'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/6884119774224185056'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2008/12/no-moneyno-security.html' title='No Money=No Security?'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-8560226413899266535</id><published>2008-12-02T16:04:00.000-08:00</published><updated>2008-12-02T16:23:43.272-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity 
theft'/><category scheme='http://www.blogger.com/atom/ns#' term='credit cards'/><category scheme='http://www.blogger.com/atom/ns#' term='online fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='information'/><category scheme='http://www.blogger.com/atom/ns#' term='basic'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Stoneage 101</title><content type='html'>When you mention "information security" in front of people, most of them shrug. "I ain't no computer guy", some might say. True, only very few people are "computer guys", but information is everywhere, not just in computers, so information security is no more about computers than it is about mice or speakers.&lt;br /&gt;&lt;br /&gt;About a year ago, I was standing in line to buy a ticket to some concert. Apparently the theatre was offering a sweet deal by which you could pay for part of the ticket using reward points accumulated with your credit card. As I moved down the line, I noticed that the cashier was writing the credit card number of each buyer who took advantage of this offer on a piece of paper. I raised my phone and took a snap of the cashier, and later, at home, with some image processing, I could easily decipher every number and name on the sheet.&lt;br /&gt;&lt;br /&gt;The point of this little story is that had I been a less honest person, this little exercise in negligence could easily have led to a massive shopping spree, and this is classic card fraud that has nothing to do with computers. It's easy to see who's at fault here, but blame aside, the lesson is that information security flaws can be lurking anywhere. You could be completely computer-illiterate and still throw your credit card statements in the trash, thereby exposing yourself to fraud. In fact, one could say that computer-illiterate people are even more at risk than those who use computers all the time. 
At least when you have one, you would probably be aware of at least some of the dangers involved with open communication lines.&lt;br /&gt;&lt;br /&gt;What can you do? First of all, open your eyes. Look around you. Do you have yellow notes stuck on your screen with private information that could be used to hurt you? Do you keep a bunch of sensitive documents in that unlocked top drawer in your cabinet? Is your trashcan full of documents that will go out to the public trash tomorrow and may reveal a lot about you? If the answer to any of those is YES, here's your chance to get better. Next, open your spouse's, kids', parents', family's and friends' ears too. Tell them this tale and help them think more critically about their data. Your parents told you when you were little that when you come in or go out of the house, you should lock the door, right? That's a basic security measure that seems to go without saying, but it's up to you as a parent (now or in the future) to educate the next generation on how to apply security to stuff other than doors and windows.</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/8560226413899266535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=8560226413899266535' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/8560226413899266535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/8560226413899266535'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2008/12/stoneage-101.html' title='Stoneage 101'/><author><name>Ben 
Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1352683154378824654.post-1863557373802257238</id><published>2008-12-01T17:09:00.000-08:00</published><updated>2008-12-02T16:28:06.798-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='auction'/><category scheme='http://www.blogger.com/atom/ns#' term='Theft'/><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><category scheme='http://www.blogger.com/atom/ns#' term='ID'/><category scheme='http://www.blogger.com/atom/ns#' term='HP'/><category scheme='http://www.blogger.com/atom/ns#' term='biometrics'/><category scheme='http://www.blogger.com/atom/ns#' term='Israel'/><title type='text'>Is it safe?</title><content type='html'>After much debate, Israel's new smart ID cards are going forward. This has been debated for the past 10 years, and it seems that it's finally going to happen...but are we happy about it?&lt;br /&gt;&lt;br /&gt;Israel is one of a handful of countries where every citizen is issued an ID card and is required by law to carry it at all times. This immediately raises concerns about Big Brother and that sort of thing, but I'm worried about some other stuff too. The "ID number" serves as the Israeli equivalent of the American SSN. Most official forms require it to be filled in, but despite the sensitivity of these numbers, the security level is astounding. A few years ago, the entire population registry database was leaked to the internet, and now everybody who knows how to use a browser or a P2P program can download it and search for anything. 
The software is called "Rishumon" or "Hipuson", and sometimes just "Mirsham" (registry in Hebrew), and it's about a 2 GB download. With this kind of data one can find anybody's ID number, as well as who their parents, siblings and even neighbors are. Are you scared yet? You should be, because Israel's ID cards are notoriously easy to forge. Sure, they use special paper and some anti-counterfeiting measures, but when you show it to a bank teller through the 1" glass, he won't notice whether it's original, printed on some laser printer, or hand painted by a 4 year old. This has been tried and tested. What's even worse is the fact that there is so much demand for fake IDs - not only from criminals and identity thieves, but also from illegal residents, who flow in from the occupied territories on a daily basis hoping to score some work in Israel.&lt;br /&gt;&lt;br /&gt;So now you know why a smart ID is important. With something like that, it will be harder to steal someone's identity, but if the ID database has been leaked repeatedly (there have been at least 4 "updates" to it since the year 2000), what happens if the smart-ID database gets leaked too? It's true that the hardware is more complicated, but it's still digital data, and if you can't trust the people who operate the entire thing, it could lead to a lot of problems. One of the aims of this program is to allow citizens to work with various government offices remotely, which takes the human factor out of the game. A crook with the right tools and inside information can do pretty much everything with a slim chance of being detected. What then? Will they just replace all the IDs? Will they even notice it? I'm not so sure.&lt;br /&gt;&lt;br /&gt;What I am sure of is that so much money is involved with this idea that it's definitely not the end of the mess. The process has been entrusted to HP, who won the auction but has earned a lot of scrutiny over its customer service in Israel. 
It's not a bad company, but if the past has taught us anything, it's that better hardware can't rid us of basic flaws in the system. In this case...the human factor.</content><link rel='replies' type='application/atom+xml' href='http://isitsafe101.blogspot.com/feeds/1863557373802257238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1352683154378824654&amp;postID=1863557373802257238' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/1863557373802257238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1352683154378824654/posts/default/1863557373802257238'/><link rel='alternate' type='text/html' href='http://isitsafe101.blogspot.com/2008/12/is-it-safe.html' title='Is it safe?'/><author><name>Ben Ari</name><uri>http://www.blogger.com/profile/17404738228099173557</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://2.bp.blogspot.com/_Yn4IgjtWZTE/STXKVHC25pI/AAAAAAAAAAM/6i5qfJ7H1-U/S220/Headshot.jpg'/></author><thr:total>0</thr:total></entry></feed>
