Friday, July 31, 2009

Is it safe to talk?

The short answer is NO, but the longer one depends a lot on you. Voice mail systems are pretty much standard all around, but few people realize what a security risk they can pose. On the surface, a phone seems pretty harmless. What are they going to do? Leave me a threatening message? Well, maybe, but that's not the danger.

Most people choose to leave a custom voice message on their voice mailbox. Something like "Hi, you've reached James Voca, IT manager for Pirulo systems. Please leave your message and I'll call you back" seems pretty ordinary, doesn't it? Well, for an employee giving you a call, it is, but if someone outside calls in, you just informed him or her which company it is, what the name of the IT Manager is, and what he sounds like. In the wrong hands, this data is very valuable. A type of hacking known as "Social Engineering", which focuses on exploiting people's tendency to behave socially, can use exactly that. A social engineering hacker would typically call employees of the company on the phone, and try to get them to give out sensitive data or access. With the info from this mailbox, the hacker can pretend to be the IT Manager, and influence others. Many users will recognize the high ranking position holder and tell/do anything he wants. They would give him their passwords, let him take over their computer remotely and more. Here's a scenario:

Hacker: Hi Jane. This is James from IT. I'm at home and late for a meeting - do you mind if I log into your machine to get a PPT I really need?
Jane: Sure, James
Hacker: Cool. I'm sending you an Email with a link - just click it and I'll be in and out in a minute.
Outcome: Hacker can implant a backdoor on Jane's computer, or just use it to get access to some sensitive internal servers.

How about another scenario:
Hacker: Hi Scott. This is James from IT. A guy from HB is coming in to pick up my laptop for repair - be sure to let him through, OK?
Scott (security guard): Sure thing, James.
Outcome: The hacker can waltz into the building, grab some laptop and disappear with it, causing both financial damage and possibly stealing important data from the computer.

This is not the only danger, of course. Most modern voice mail systems let people access them remotely. You would typically call yourself, punch in some PIN and listen to your messages. Many people don't want to remember complicated numbers, and set the PIN to 0000, 1234 or the default (which is often one of these too). When this happens, anyone else can call into the voice mail, guess that number and listen to your messages. These would usually be just some nagging from your bank, but they could also contain sensitive info. For example, it could be a message from your doctor about your blood work, a message from a vendor talking about things you purchased or worse. A hacker that knows what you sound like, and that you've just ordered 10 servers from Deck.com, can call them, quote back some "secret" info from the message, and divert the goods to his house. He can also call you, pretend to be the vendor and get you to let him in the building with the "servers", and have a good opportunity to do some damage.

The lesson here is simple - don't think that the voicemail system is safe, just because it's not connected to your computer. In fact, your own answering machine at home could expose you personally to some dangerous elements. Does your message sound like "Hi, you've reached the Smith family at 2245 lake drive"? You're just inviting people to come over and clean up your house. I recommend taking four measures:

1) Have your PIN secure - no simple numbers, but ones that are chosen carefully, changed frequently and aren't easy to guess

2) Have your message give as little info as possible. A good one could be "Hi, you've reached Jack - please leave a message". Same thing at home - "You've reached the Cole residence, please leave a message".

3) Listen to your messages frequently, and delete them right away. Don't leave messages lingering on your phone from Friday afternoon to Sunday noon.

4) When you are leaving messages for others, whether you are a vendor, a client, a boss or a subordinate, keep in mind that you can never know the level of security the other side keeps. Treat a message you leave like a note left on the door - others may read it. Keep sensitive info out of the message, and just call back later.

Tuesday, June 23, 2009

The ups and downs of backing up

My experience is that any and every user appreciates the importance of backing up their stuff, but when it comes to actually doing it, almost nobody does, and even some large organizations are failing at it. Backup failure isn't necessarily "not doing it at all", but can also mean that it's done improperly. A proper backup is such that a person or organization will never, under any circumstances, lose more than a day's worth of work. Before we even go there, I should stress one important fact - many users, and even experienced system engineers, often confuse backup with archive. Backup is when you copy your current data to another storage medium, so that if something happens to the original, you can restore it and not lose anything. Archiving is similar, but opposite - you copy your data to another storage medium, and then delete the original.

For example, many people burn DVDs with their older files and delete the originals, and most of them consider this a backup. This is, in fact, an archive, but few people are aware that a recordable DVD has a limited lifespan, and is very sensitive to physical harm. Putting your photos on a DVD and stowing it in the closet is not safer than storing food in the trunk of your car. Often, we discover this only in hindsight, when trying to recover a file from a disc burned 3 years ago, only to discover that it's partially or completely unreadable.

I believe network engineers won't need to read this, so I'm addressing this to the home user, mostly. For a backup to be worth anything, it has to meet some basic principles:
1) It has to be done to a media with at least SOME reliability.
2) It has to be done frequently.
3) It has to be stored in a place that is safe, but not too unreachable.
4) It has to be tested routinely.

What does all this mean? Well, first, this means you should not use a medium that's unreliable. A writeable DVD, for example, has a low reliability rating, while a hard drive has more. That's not to say that a hard drive is bulletproof, but it's usually more reliable, and it's also easier to detect when it fails. This is because if it dies, you would usually be able to hear it, and respond by replacing it, while if a DVD stops being readable, you'll only find out when you put it in the drive. A high-end tape drive, like an LTO or DLT, is also very reliable, although these babies start at a few hundred dollars, so would be off the table even for some business customers.

A frequent backup is also important. Many users start this with full intentions of going all the way, but after a while, they kind of give it up, and forget to back up for weeks or even months. Typically, you remember to do it right after your hard drive crashes, of course. A good way to avoid this pothole is to set up some automatic backup mechanism. If you use an external drive, for example, this can be done rather easily, and many external drives even come with the software. If not, Windows has a built-in backup mechanism which is quite effective (especially the one that's in Windows 7!).

Thirdly, if lightning strikes your house, or a fire breaks out, the backup won't do you much good if you leave the DVDs next to the computer or leave the external drive connected. One should strive to keep the backup as far away as possible from the computer, although not too far. If you store it across town, you might have a good excuse to forget to back up. Also, if it's that far, you might become too lazy to drive over and get a file if you need it. A good solution could be to have a reciprocal agreement with a neighbor - you hold their drive during the week, and they hold yours. If you have a detached garage or storage shed, this could be good too (although, take care to prevent the drive from freezing or getting too much humidity).

Lastly, a backup that's untested will often fail you at the worst possible moment. You might discover that it hasn't actually run for over a month, or that some files are unreadable. A good practice is to test the backup around once a month. If you have a calendar like Outlook, you can use it to remind yourself to check it now and then.

One more thing - many people feel that buying a large drive just to store backups on is wasteful. In a way, that's true, but if you want to save some money there, you might consider getting a refurbished drive. These are inherently less reliable, but since you can easily detect if it stops working, it could be a suitable solution anyway. Also, keep in mind that you can activate folder compression on it, as performance is less of an issue, and so use a drive smaller than your main one.
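As an added example (not part of the original post), a small Python check for principles 2 and 4 above: it mirrors a folder, stamps when it last ran, then compares checksums and the run age, so a damaged copy, a file that was never copied, or a backup that quietly stopped running all get reported. The marker file name and the function names are my own assumptions, and the sample files in demo() are constructed.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

MARKER = "LAST_BACKUP"  # assumed marker file, written by run_backup() on every run


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in root.rglob("*") if p.is_file() and p.name != MARKER}


def run_backup(source, backup, now=None):
    """Mirror source into backup (copy2 keeps mtimes) and stamp the run time."""
    source, backup = Path(source), Path(backup)
    backup.mkdir(parents=True, exist_ok=True)
    for p in source.rglob("*"):
        if p.is_file():
            dest = backup / p.relative_to(source)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
    (backup / MARKER).write_text(str(time.time() if now is None else now))


def verify_backup(source, backup, max_age_hours=24, now=None):
    """Principle 4: compare every source file against its copy and check the run age."""
    src, bak = _hash_tree(source), _hash_tree(backup)
    missing = sorted(k for k in src if k not in bak)          # never backed up
    corrupt = sorted(k for k in src if k in bak and bak[k] != src[k])  # copy unreadable/altered
    marker = Path(backup) / MARKER
    now = time.time() if now is None else now
    try:
        age_hours = (now - float(marker.read_text())) / 3600
    except (OSError, ValueError):
        age_hours = float("inf")  # never ran or marker damaged: treat as stale
    stale = age_hours > max_age_hours
    return {"missing": missing, "corrupt": corrupt, "stale": stale,
            "ok": not (missing or corrupt or stale)}


def demo():
    """Constructed scenario: a good backup, then a damaged copy, a new file, and a stale run."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "source"), Path(tmp, "backup")
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 constructed jpeg bytes")
        (src / "taxes.xls").write_bytes(b"constructed spreadsheet")
        t0 = 1_000_000.0
        run_backup(src, bak, now=t0)
        first = verify_backup(src, bak, now=t0 + 3600)
        # a media error silently damages one copy, and a new file was never backed up
        (bak / "photos" / "cat.jpg").write_bytes(b"\x00" * 5)
        (src / "letter.doc").write_bytes(b"new work since the last backup")
        second = verify_backup(src, bak, now=t0 + 3600)
        # the same backup checked 30 days later is stale even if nothing else changed
        third = verify_backup(src, bak, now=t0 + 30 * 24 * 3600)
        return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```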

Monday, June 8, 2009

This car has more than 9 Lives

Most of us obsess about retaining our data - we buy large hard drives, burn countless DVDs and protect it all with RAID controllers and UPS devices. What many people care much less about is making sure that discarded data is really gone. How many times have you thrown a dead hard disk in the trash, wiping away a tear for your lost files? Did you consider that a person with sufficient technical skill may grab it from the trash, recover the data and make some coins off it?

Well, the issue of data destruction has been the center of much debate. Most people are already aware that deleting a file doesn't really erase it - it simply deletes the reference to the file in the disk's directory (I'm talking about actually deleting, not moving it to the trash, which doesn't delete anything), while the data is still there, untouched. A file that has been deleted can be re-created simply by finding its first sector, and creating a file entry that points to it. Once you delete a file, it can be overwritten by Windows as the system creates new files. The new files might overwrite some or all of the file's original sectors, which are now marked as free, but these sectors can also remain untouched for years.

Some people will go the distance, and actually format the hard drive before throwing it away, but this too is not sufficient. Restoring a formatted drive is more time consuming, but certainly possible. The US Department of Defense probed this issue in the past, and produced a standard, known as DoD standard 5220.22, that instructs exactly what to do to erase data properly. Later on, there was some debate as to whether this was safe enough. Some experts claimed that you would need to overwrite the data over a dozen times, and that has been misquoted repeatedly in the press since then.

Security experts are very much concerned about erasing data securely. A company cannot risk its commercial data falling into the wrong hands simply because somebody was too lazy and took a shortcut with the disk. Same goes for other types of media - DVDs, backup tapes etc. Even a lost cell phone could present a serious security breach, as it could include phone numbers of sensitive customers, sensitive emails or meetings etc. I would like to take this opportunity to debunk some myths about data destruction.


1) Hard drive demolition derby.
• A common method of destroying disks, by punching a hole through them, or banging them strongly with a hammer, is far from secure. It's not easy to recover data in this condition, but it's certainly possible.
• With modern IDE and SATA disks, using 5220.22 secure erase software is very safe. There's no need to overwrite everything dozens of times. The need for that many rewrites applied to some very old MFM drives.
• Using software erasure is pretty slow, but it can be done unattended, so setting up some dedicated old computer for that is pretty easy. Just make sure no one tries to steal the old drives from that station.
• A very effective way to destroy a disk is to take it apart, and separate the platters from the other components. Dumping the platters in a different trash facility makes it pretty much impossible to recover.
• There is a technique that allows data recovery off a drive in almost any condition, but that process is so lengthy and expensive, that most experts would consider it irrelevant. Recovering data from a disk that was physically destroyed would cost so much time and money, that even government agencies don't bother with it.
• Take care to monitor old computers - many times people upgrade the disk and don't think of giving the old disk back to the IT group for sanitization. Some even take the old disks home, thereby exposing the company to huge risks. This also goes for computers that are being retired - don't sell them to 3rd party companies without either sanitizing them, or making sure that the buying company commits by contract to do this to ALL disks.

2) Other media types:
• Recovering data off other media types, such as tapes, CDs, floppies etc. is rather easy, but these media types are also much easier to destroy. Even a little heat can totally kill an optical disc, and a strong magnet can kill a tape almost instantly. I would, however, recommend that a process be used for this - don't just break a CD, and don't pop it in the oven - use a CD shredder, which costs very little these days.
• Users often overlook CDs as a potential security risk, and often throw them in the trash. A security officer would be wise to issue a recurring reminder to all employees to collect discarded CDs and DVDs and have the IT or security department dispose of them securely. This goes not only for data disks, but also software - if someone finds and uses an old copy of Windows for illegal purposes, with the company's serial number, it could lead back to the company and carry legal repercussions.
• Many people carry around USB drives to take a file or two back and forth from/to home. This is a big risk, as these drives rarely get formatted, and are often lost. I would recommend any organization introduce a security mechanism to block such devices altogether, or at least control them with a policy (for example, require that they be signed off by corporate security before they are allowed in).
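An added example (not from the original post) of the software erasure discussed above, at the file level: overwrite a file in place with zeros, ones and random data, verify that the last pass actually landed on disk, then drop the telling file name before unlinking, since plain deletion only removes the directory entry. The three-pass sequence, the helper names and the constructed sample file are my assumptions; see the comment in wipe_file() on where an in-place overwrite is not enough.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB write/read unit


def _write_all(fd, data):
    """os.write may write fewer bytes than asked; loop until the buffer is out."""
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]


def _overwrite_pass(fd, size, pattern):
    """Overwrite the first `size` bytes with a fixed byte, or random data when pattern is None.
    Returns the SHA-256 of everything written so the caller can verify the read-back."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        _write_all(fd, buf)
        digest.update(buf)
        remaining -= n
    os.fsync(fd)  # push through the OS cache before the next pass or the read-back
    return digest.digest()


def _read_digest(fd, size):
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    remaining = size
    while remaining > 0:
        chunk = os.read(fd, min(CHUNK, remaining))
        if not chunk:
            raise OSError("short read during verification")
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.digest()


def wipe_file(path, passes=(0x00, 0xFF, None)):
    """Overwrite, verify, rename, unlink. Default is the zeros / ones / random
    three-pass sequence commonly described as 5220.22-M style. Returns bytes overwritten.

    Caveat: on SSDs and on journaling or copy-on-write filesystems an in-place
    overwrite may never touch the sectors that held the data, and backups or
    shadow copies keep their own copies. For a drive being retired, erase the
    whole device as the bullets above recommend; this is for single files."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        written = None
        for pattern in passes:
            written = _overwrite_pass(fd, size, pattern)
        if written is not None and _read_digest(fd, size) != written:
            raise OSError("read-back does not match the final pass; data may not be gone")
    finally:
        os.close(fd)
    # unlink only drops the directory entry, so replace the telling name first
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)
    return size


def demo():
    """Constructed sample: wipe a 52,000-byte temp file; returns (bytes, still_exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed customer list\n" * 2000)
    n = wipe_file(path)
    return n, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```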

Tuesday, June 2, 2009

Click YES/NO to format hard drive

One of the problems we are still facing in the world of information security is that people still have a built-in tendency to trust authority figures. If it looks "official" enough, most people will trust it and follow, like lambs to the slaughter. This caused the infamous "MS Antivirus" nagware to be so effective - it's made to look like it was made by Microsoft, and most people just trust it and believe it's real.

A more interesting, and frightening, case of being fooled by software is illustrated by the tale of G-Archiver. This free utility is designed to allow the user to back up his Gmail account to his local computer. Generally, this is a good idea, as one never knows when his account might be frozen or accidentally deleted. In this case, however, it has been discovered that the program works in a way that's insecure, to say the least, and borderline identity theft. Apparently, the software is coded to send an email back to its creator, with the credentials of any user who uses it (you are required to give it your credentials, so it can download all your messages for backup). A programmer who investigated it discovered that the developer's Gmail account was full of user+password info for the thousands who downloaded and used the program. Even worse, it also turned out that the developer embedded the credentials of this account (where the passwords are being sent to) in his code, so anyone with the right skills can access it and harvest all these user names and passwords.

If you are one of those who used this software, now would be a good time to change your Gmail password. In fact, it's a good idea to change it once a month anyway, although I don't fool myself into thinking that any normal person will actually do that. Well, I hope that you at least change your PayPal password now and then. What's frightening here is that most of us, even experienced sysadmins and security experts, trust programs we download to do what they say. Few, if any, of us check if a program contains spyware, and few have the skills to check for the kind of behavior mentioned above. Your credentials or private files could be circulating all over the net without you even suspecting it. On a similar note, many people install file sharing applications and share their entire drive, without realizing that all their personal documents are readily available to everyone. Want proof? Open up some file sharing program and run a search for "my cv.doc" - you will find many!

Some organizations have configured domain-enforced policies that prevent installation or even downloading of unknown software, but that's only been done within a handful of companies. If your org considered it, it was most likely rejected for political reasons - it's not easy telling everyone that they can't install anything on their computers anymore - it sounds fascist, doesn't it? If you ask me, this is already a necessary step right now, and it's only a matter of time before more security administrators or CEOs realize it and make it happen. At home, it's even worse as there are no mandatory settings. We have the technology to sign software by a trusted publisher, but hardly anyone uses it. Perhaps it's time, before the next wave of a Conficker-like worm hits all of us?

Tuesday, May 12, 2009

May I have your life, please?

Identity theft is far from new, but with the growing popularity of online accessibility, this has become a major risk that affects pretty much everybody. While most Americans are well aware of this risk and are taking several measures to prevent it, for others this is not so simple.

For Americans, the most common type of identity theft is a stolen password to an online service. If someone was clever enough to get you to hand over your password (with Phishing, for example), he can login to your account and if it's a bank account or PayPal, steal all your money. Another type of identity theft is stealing a person's Social Security Number. With that, a thief can gain access directly into things like medical records, bank accounts and much more. Most people are aware of this, and safeguard their SSN closely, but in other countries, this is not the case.

In Israel, for example, the equivalent of a SSN is the Identity Number, which is a 9 digit number assigned to each person when he/she is born. This number is unique, and will follow that person to the grave. It's printed on each citizen's Identity Card and driver's license and is the primary means of authenticating a person's identity. Unfortunately, the national identity card is notoriously easy to forge, which is why the Israeli government has been working on a smart-card based replacement. What's even more unfortunate is that the entire database of the Israeli population has been leaked to the public, and is freely available to anyone who knows how to download pirated music. In fact, this database, known as "Hipuson", "Shimoshon" or "Mirsham", has been going around for many years now. It's available on the Emule network, as well as many file hosting services, although the plethora of versions in the wild makes it a little hard to find the most updated version. This database contains not only the full names and ID number of every living citizen in the state, but also their full address, birth date and parents' names. With simple correlation, one can locate a person's parents, siblings, children and even neighbors, and some versions of the database even have this function built in. Politicians, singers and other celebrities are not exempt, and their info is also included even if it was specifically redacted from the national phone directory. Using this database, anybody can choose a random person, or his enemies, and create a fake ID with their details and his/her picture. As I said, it is rather easy, and anyone with a color laser printer, a bitmap editor and a laminating machine can do this. Once you have an ID card, you can access the target's bank account, his medical records and even sell his/her house and disappear with the money.

What can the Israeli citizen do? Basically, nothing. No one knows exactly how the database is leaked, but there are many parties who have access to it. When the Israeli Police started investigating this issue in March 2008, multiple breaches were detected, from unpatched servers to server rooms left unlocked and unsupervised. Changing your ID number is not possible for a citizen, and this has been done only in rare cases where serious damage has been done to a person. The recent report filed by the Auditor General exposes this outrageous conduct, but like most of these reports, it is likely to be completely buried or acted upon very slowly. Perhaps the best solution is to keep your cash under the mattress?

Monday, May 4, 2009

Tunnel Vision

When waging our battles on the security front, most organizations just put all the big guns on the front line. We buy expensive load balancers to prevent DoS attacks, state of the art firewalls to prevent penetration, VPN products to secure our back doors etc. Whenever some major threat comes along, everybody jumps out of bed, and rushes over to plug the hole, but at times like that, we often forget one of the oldest tricks in the burglar's book - the diversion (a.k.a. "Steaks for the dogs").

Unlike the movies, hacking into a network is not a wham-bam, thank you, ma'am deal. A hacker spends a long time conducting surveillance and gathering intelligence, and when he does move in, it will hardly seem like a commando attack. There won't be alarms ringing or security doors closing and sealing people off in safe rooms, and no SWAT teams will show up with megaphones yelling. More often than not, some minor file will be found to be missing or altered several days, weeks or months later, and that will lead to an investigation that will show the break-in. If you get that dreadful 4 AM phone call, telling you that the firewall's alerts are all over the place, or that your security center detects multiple attacks, that doesn't mean that someone is actually attacking your firewall.

Just like a commando unit trying to break into an army base will distract the guards with some explosions at the front gate, while trying to sneak in through the back, a computer attacker will most likely try to get the entire security team to focus everything on the very visible notification mechanisms. He will use multiple mechanisms to trigger every possible alert on your security devices, and he will do it past midnight so that you and your security team will be tired, angry and less effective. He will try to get you guys to spend as much time as possible blocking the DoS attack and plugging the holes, while he quietly sneaks in through some back door that's less obvious and less protected. You will find yourself running from server to server, trying to find your hands and feet in gigabytes of logs, and chances are you'll spend days on it. When things quiet down, you might find the actual leak or penetration, but by that time, the attacker will be long gone.

If this has happened to you, don't be surprised. After all, most information security people are technology gurus, not military-trained commanders, and it's only normal to focus our attention on the most visible threat, just like a driver would focus his attention on the tree he's about to crash into rather than another car that's about to crash into him (that is often referred to as "Tunnel Vision"). However, there is a way to handle this, and that is by preparing properly. Your organization's security policy should have this scenario specifically laid out, and the team needs to be trained not to treat every alert as an alarm. One way is to assign responsibilities to people, and stick to them. If there is a virus rampant on the network, the backup administrator shouldn't be told to forget about the backups "for now" and help clean up machines. On the contrary! He should continue his work and keep an eye out for anything suspicious or wrong with the procedure. If the firewall appears to be breached, the PC technician crew shouldn't be assigned to reviewing logs, but should continue to monitor the user request queue. Maybe an innocent account lockout request could reveal an account breach that is masked by the pointless firewall attack? Perhaps the virus was unleashed intentionally on the network so that the attacker could have uninterrupted access to the data on the backup server?

Another technique that has worked well for the physical security industry is the emergency level system. A company could create an emergency level scale, and assign specific duties to each. If a file was found to be altered, that would raise the threat level, which would have people deflect some duties and investigate, but wouldn't throw the entire IT group into chaos and mayhem.

Friday, March 6, 2009

Do you trust me?

For most of us, the System Administrators, a.k.a. sysadmins, are life-savers. They reset our passwords when we forget them, recover our files when we delete them and sometimes give us a hard time about it. For corporate management, however, this kind of power can be frightening. An administrator would usually have access to every bit of information in the company, including every employee's employment and HR data, personal email, and usually customer data as well. This kind of power, if abused, can cause irreparable damage to a company, but despite that, most companies interview and screen their sysadmin just like any other employee. If, for some reason, this employee becomes bitter or estranged, there's no telling what could happen, and there have been documented cases where entire companies have been completely destroyed intentionally by their admins.


Can this happen to your company too? Possibly. CEOs and CIOs have been looking for ways to counteract this sort of threat for a while now. There is a logical problem here - if you don't trust your admin, and appoint someone to watch over him, then how do you trust that someone to not break bad? After all, even CEOs have been known to go astray and stick their hands into inappropriate pockets. Who shaves the barber?


There is no simple answer here, but generally, the answer has two parts. The logical solution is separation of powers. You appoint at least 2 or 3 administrators, and try to make sure they don't become too friendly with each other so there's less chance of collusion. One way to go about this is appointing people who are a world apart - big age difference, for example. Then, add to that job or responsibility rotation. For example, one can be appointed to manage the finance department servers, while the other owns the engineering servers, and then rotate those roles every 3-6 months. This way, if one abuses these resources, it will most likely be revealed upon the next rotation. Another good practice is to force the administrators to go on vacation on a regular basis (and YES, it's totally worth giving them an extra few annual vacation days just for that). When the admin goes on vacation, someone else has to take over, and that would usually expose any foul play.


The second part is technological - use some system to track and log activity. This serves two purposes - people tend to mess around a lot less when they know they are being watched, and that will affect not only administrators, but also regular users. Secondly, if someone does go to the dark side, at least there will be a way to check what's been going on, and have evidence in case a lawsuit or criminal charges need to be filed. One such software solution is Intellinx, and another is InFlight. These solutions can record user activity directly from the network, including keystrokes and screen output from every station in the company.

Is any of that foolproof? Of course not. A smart crook can always find some way to scam his way around, and the only answer to this is to carefully build a security policy that tries to address each and every possible threat - external or internal. Another important lesson to be learned here is that the system administrator is a very sensitive position, and should be screened appropriately. The screening process should include not only technical evaluation, but also personality and psychological testing, and it wouldn't hurt to have this monitored on a regular basis too, especially if a big change has happened in the company. If you had your sysadmin fire half his technicians because the company is tight on money, you can bet he's preparing for the possibility of him being next on the chopping block, and his preparation might include stashing sensitive data or implanting backdoors into servers. Also, keep in mind that even a small-time technician that you are hiring today to haul some printers around might end up being the sysadmin in 10 years. That means that those guys should also be chosen carefully, and reviewed once again upon getting promoted. And speaking of admins, a fun thing to read is the old classic BOFH, which tells some tales of a particularly nasty sysadmin.