Pretty much every company in the world places at least one firewall at the edge of its network, to protect its internal resources. There were dark times, where a simple router is all we had, and we exposed all of our computers to the internet without any protection, but now that the hardware and software have gone down in price, this brings a new discussion to the table…how many firewalls are enough?
On one hand, you can take some old computer that’s too slow for use with modern desktop operating systems, stick some Linux based firewall on it and you got yourself a firewall at a cost that’s close to zero. Many people think that a thicker armor can stop more missiles, and would take advantage of the cheap options to build a network with multiple layers of firewalls. Is more really better?....not always!
The thing about quantity is that it rarely really trumps quality. Even in the simplest example of a tank having multiple layers of armor on it this is not the case. Sure, a tank with 15 layers of steel would be harder to penetrate than one with 14 layers, but the multiple layers also make the tank heavy. The added weight makes the tank slower to move and maneuver, limits the distance it can travel and the land it can drive onto.
In the case of network security, adding more layers can make it harder for an attacker to crack it, but the complex configuration makes it more likely for something to get overlooked or misconfigured. For example, if you put 6 different firewalls in the mix, you’re probably not an expert on each and every one of them. Perhaps one of them has a built in remote-access option that you forgot to protect or disable? Perhaps one has a lesser-known vulnerability that you were not aware of and forgot to plug? Perhaps updating the various firewalls will be hard because of the limitations on internet connections?
A common term in my world is “security by obscurity”, referring to using technology to mask some component in hopes that if it’s hidden well enough, it’s less likely to be attacked. The same concept applies, however, to bugs and issues. The more complicated the environment, the harder it is for us to see any issues it may be harboring.
Unfortunately, there’s no simple answer to the age old question of how much is enough, and how much is too much. Depending on your own exposure, which includes the profile of the data you need to have coming in and out, and your public profile that makes your organization a prime target or a lesser one, the answer is individual. If you’re a small company that’s just publishing a simple website, it’s very likely that a single firewall is all you need. If you’re a multimillion dollar corporation, which has tons of public services, then it’s probably a good idea to have more.
If you were expecting a simple numerical answer, then I’m afraid I’m going to disappoint you. I’m here to remind you of the considerations pro and con for each option. Your own mileage may vary, but one thing is simple to note…if your configuration is so complicated that even you can’t explain easily where a packet is going and where it has been lost, then it’s probably too complicated to be reliable.
Tuesday, December 27, 2011
Sunday, March 13, 2011
Recipe for disaster
Disaster recovery is one of the most important aspects of a security officer’s work. It even has its own domain in the ISC2 CBK (Business Continuity and Disaster Recovery Planning). With recent disasters like the 8.9 magnitude earthquake in Japan, other aspects of disaster recovery come to mind.
The information security officer has plenty of tools for disaster recovery at his disposal. Backups, hot/cold sites, off-site storage are some of them. With sufficient budget and training, a company can live-through a disaster and resume work very rapidly, and this was demonstrated well during the Sep-11 events in NY City.
The other aspect of this is that while the operations and security teams are busy with trying to reestablish the company’s operations and IT, most companies forget that the disaster site, although dysfunctional, typically still has all of the company’s assets. In the case of the world trade center towers, everything was buried in tons of dust and rubble, but other disasters may leave sensitive equipment or data exposed. A building that has been overrun by water may be unusable, and the computers in it may be completely destroyed, but their hard drives may be intact. Backup tapes or optical media is also likely to withstand such an event, esp. if it is inside a fireproof vault. This could be a golden opportunity for infiltrators to come in and grab something.
Naturally, it may be hard or dangerous to try this sort of stunt, but the kind of financial gain someone can make has been known to drive certain people to take risks. You and I probably won’t, but it takes only one crazy bastard to compromise a lot of secure information.
In addition to the above, even companies that have nothing to do with the disaster, and haven’t been harmed at all (or very little) are at risk, as with any large scale disaster, the entire country can plunge into chaos. In Japan, many companies have not been harmed, but have been completely deserted, as the employees left to attend to their families and loved ones. This is perfectly understandable, but the result is low-hanging fruit for any cracker. The police are typically concerned with street-level looting going on, but we in information security need to think about data looting too.
Naturally, the physical security domain in the CBK deals with protecting the workplace from physical harm, though it usually deals mostly with day-to-day threats, like burglary, fire and flood. When something as large as an earthquake or missile bombing comes into play, many of these measures will collapse. With proper planning, at least some of these may be mitigated. For example, your sensitive servers are properly locked away in a server room, but that room may not be secure enough to withstand someone ramming it with a truck. Using secure cabinets instead of the simple glass-door ones may provide an additional level of security. Using hard-disk encryption on servers and storage arrays, even though slow, can protect your data in case all hell breaks loose. You can’t physically secure all desktops, but using thin-clients (or terminal services) for some or all employees can provide for additional protection.
In addition to these, you should encourage your employees to refrain from storing sensitive data in the offices. This means avoiding printing of sensitive info, and making sure printouts are shredded in-house. Sensitive documents like employee or customer lists should be stored in a secure room or vault. Backup tapes and other media should be stored in a vault. When using such a vault, remember it still needs to be secure, so don’t leave it unlocked or the key too easy to find (many companies open the vault in the morning, and leave it open throughout the workday…ah…..).
And lastly, when creating your disaster plan master policy, make sure to assign guards to the destroyed facility. You may find, in reality, that all your guards disappeared, but if you prepare well enough, even a single guard will be more effective than none…
The information security officer has plenty of tools for disaster recovery at his disposal. Backups, hot/cold sites, off-site storage are some of them. With sufficient budget and training, a company can live-through a disaster and resume work very rapidly, and this was demonstrated well during the Sep-11 events in NY City.
The other aspect of this is that while the operations and security teams are busy with trying to reestablish the company’s operations and IT, most companies forget that the disaster site, although dysfunctional, typically still has all of the company’s assets. In the case of the world trade center towers, everything was buried in tons of dust and rubble, but other disasters may leave sensitive equipment or data exposed. A building that has been overrun by water may be unusable, and the computers in it may be completely destroyed, but their hard drives may be intact. Backup tapes or optical media is also likely to withstand such an event, esp. if it is inside a fireproof vault. This could be a golden opportunity for infiltrators to come in and grab something.
Naturally, it may be hard or dangerous to try this sort of stunt, but the kind of financial gain someone can make has been known to drive certain people to take risks. You and I probably won’t, but it takes only one crazy bastard to compromise a lot of secure information.
In addition to the above, even companies that have nothing to do with the disaster, and haven’t been harmed at all (or very little) are at risk, as with any large scale disaster, the entire country can plunge into chaos. In Japan, many companies have not been harmed, but have been completely deserted, as the employees left to attend to their families and loved ones. This is perfectly understandable, but the result is low-hanging fruit for any cracker. The police are typically concerned with street-level looting going on, but we in information security need to think about data looting too.
Naturally, the physical security domain in the CBK deals with protecting the workplace from physical harm, though it usually deals mostly with day-to-day threats, like burglary, fire and flood. When something as large as an earthquake or missile bombing comes into play, many of these measures will collapse. With proper planning, at least some of these may be mitigated. For example, your sensitive servers are properly locked away in a server room, but that room may not be secure enough to withstand someone ramming it with a truck. Using secure cabinets instead of the simple glass-door ones may provide an additional level of security. Using hard-disk encryption on servers and storage arrays, even though slow, can protect your data in case all hell breaks loose. You can’t physically secure all desktops, but using thin-clients (or terminal services) for some or all employees can provide for additional protection.
In addition to these, you should encourage your employees to refrain from storing sensitive data in the offices. This means avoiding printing of sensitive info, and making sure printouts are shredded in-house. Sensitive documents like employee or customer lists should be stored in a secure room or vault. Backup tapes and other media should be stored in a vault. When using such a vault, remember it still needs to be secure, so don’t leave it unlocked or the key too easy to find (many companies open the vault in the morning, and leave it open throughout the workday…ah…..).
And lastly, when creating your disaster plan master policy, make sure to assign guards to the destroyed facility. You may find, in reality, that all your guards disappeared, but if you prepare well enough, even a single guard will be more effective than none…
Monday, August 2, 2010
book Smarts!
I usually use this blog to talk about general security related issues, but on this special occasion, I’d like to tell you all about a new book of mine that just came out.
Even though I’ve been a writer for almost 15 years, this is my first published book, and it’s also good news for many users of UAG, IAG or eGap users, as this is the 1st public book about these products.
For those who never heard of these products, UAG is the latest member of a line of secure remote-access products. It was originally developed by Whale Communications from Israel, which was purchased by Microsoft in 2006. In 2007, the previous version named IAG (Intelligent Application Gateway) was released, and a few months ago, UAG (Unified Access Gateway) was released as part of the Forefront family of security products.
The book itself is not really finished – I still have a few more chapters to write, but the publisher has released the first three chapters as something they call RAW (short for Read As we Write). It’s like a Beta version – readers can get it right now, way before the book is officially out, and also make comments or suggestions to it. This is a great honor for me, of course, as the publisher only releases into RAW books that are very well written, and can stand their ground without significant edits.
Even though the book is about UAG, a lot of it also applies to IAG, and even eGap. It’s written specifically for the UAG beginner, and starts with basic concepts and design. It then goes through advanced configurations and troubleshooting, as well as Direct Access. It does not, however, cover advanced scenarios like ADFS or customizations.
Interested? I hope so…go ahead and look at:
https://www.packtpub.com/microsoft-forefront-uag-2010-administrators-handbook/book
Even though I’ve been a writer for almost 15 years, this is my first published book, and it’s also good news for many users of UAG, IAG or eGap users, as this is the 1st public book about these products.
For those who never heard of these products, UAG is the latest member of a line of secure remote-access products. It was originally developed by Whale Communications from Israel, which was purchased by Microsoft in 2006. In 2007, the previous version named IAG (Intelligent Application Gateway) was released, and a few months ago, UAG (Unified Access Gateway) was released as part of the Forefront family of security products.
The book itself is not really finished – I still have a few more chapters to write, but the publisher has released the first three chapters as something they call RAW (short for Read As we Write). It’s like a Beta version – readers can get it right now, way before the book is officially out, and also make comments or suggestions to it. This is a great honor for me, of course, as the publisher only releases into RAW books that are very well written, and can stand their ground without significant edits.
Even though the book is about UAG, a lot of it also applies to IAG, and even eGap. It’s written specifically for the UAG beginner, and starts with basic concepts and design. It then goes through advanced configurations and troubleshooting, as well as Direct Access. It does not, however, cover advanced scenarios like ADFS or customizations.
Interested? I hope so…go ahead and look at:
https://www.packtpub.com/microsoft-forefront-uag-2010-administrators-handbook/book
Wednesday, July 7, 2010
Automan
An old boss of mine used to say that his best employees are the laziest, because they create automation to do their job, and automation reduces human error. Since human error is one of the leading causes of security breaches, this also means that using automation appropriately could not only serve to free up time, but also reduce your exposure and boost your security.
Granted, developing automation can be a pain. It sometimes takes days of development and testing, but the benefits are fantastic. For example, one of the most common security pain points out there are user accounts. Every time an employee joins the company, you have to create an account, create a random password, fill in all the account details, assign the user to various groups, and finally, convey the appropriate information to the user securely. If an employee leaves, it’s even worse, because you have to close out the account with very precise timing, to make sure the ex-employee doesn’t get locked out prematurely, but also not be able to connect from home after leaving his position. The worst are role-changes, which require you to carefully clean-up the account of unnecessary permissions, to make sure the employee can’t abuse the rights he had in the past.
When you need to do this on a routine basis, within a few days, you would be able to perform such tasks almost blindly. Like driving a car, this is what we refer to as “over-learned activity”. After a while, we tend to feel confident enough to chew a sandwich while doing it, talk on the phone or installing a server (talking about the network here…not installing a server while driving a car), and that’s where the little mistakes creep in. We might send the password to the wrong person; add the user to a group that has too many permissions, or worse. I’ve met an engineer who once, absentmindedly, misspelled the first name of a person named Bart as…well…you can guess. That guy got some chewing, but he might as well have exposed his network to attackers if his absentmindedness led somewhere else.
If you’re lucky, perhaps your company is rich enough to afford identity management software, but the costs of such suites and their adoption is immense. If so, why not write up your own automation? A VBScript, ASP page, PERL script or sometimes even a Batch file can save you tons of tedious work. If you’re thinking to yourself “heck…I ain’t no programmer!” you might be selling yourself short. Some tasks are so simple to achieve in VBScript and Batch that you can achieve this almost instantly. For example, a script to generate a random password in VBScript is so simple. Here’s a clever and tight one by Martijn Haverhoek http://www.haverhoek.nl/index.php?/archives/36-Random-password-generator-vbscript.html . Here’s another one, written in JavaScript: http://blazonry.com/javascript/password.php . With time and patience, a script can be written to automate almost the entire process of creating and deleting user accounts, as well as other administration tasks.
Even when using automation, mistakes can still happen, but by shortening the processes, it makes them less tedious and encourage performing them with more attention and focus. Another advantage is that it may allow you to delegate some tasks to your subordinates (knowing that there is less things for them to mess-up) or to your colleagues when you go on leave. Even if you are a decision maker and will never get into programming, you can still benefit your organization by hiring or contracting someone to develop some automation for you. Start simply by thinking which processes are performed routinely, and which are the most annoying or tedious. From then on…the sky’s the limit!
Granted, developing automation can be a pain. It sometimes takes days of development and testing, but the benefits are fantastic. For example, one of the most common security pain points out there are user accounts. Every time an employee joins the company, you have to create an account, create a random password, fill in all the account details, assign the user to various groups, and finally, convey the appropriate information to the user securely. If an employee leaves, it’s even worse, because you have to close out the account with very precise timing, to make sure the ex-employee doesn’t get locked out prematurely, but also not be able to connect from home after leaving his position. The worst are role-changes, which require you to carefully clean-up the account of unnecessary permissions, to make sure the employee can’t abuse the rights he had in the past.
When you need to do this on a routine basis, within a few days, you would be able to perform such tasks almost blindly. Like driving a car, this is what we refer to as “over-learned activity”. After a while, we tend to feel confident enough to chew a sandwich while doing it, talk on the phone or installing a server (talking about the network here…not installing a server while driving a car), and that’s where the little mistakes creep in. We might send the password to the wrong person; add the user to a group that has too many permissions, or worse. I’ve met an engineer who once, absentmindedly, misspelled the first name of a person named Bart as…well…you can guess. That guy got some chewing, but he might as well have exposed his network to attackers if his absentmindedness led somewhere else.
If you’re lucky, perhaps your company is rich enough to afford identity management software, but the costs of such suites and their adoption is immense. If so, why not write up your own automation? A VBScript, ASP page, PERL script or sometimes even a Batch file can save you tons of tedious work. If you’re thinking to yourself “heck…I ain’t no programmer!” you might be selling yourself short. Some tasks are so simple to achieve in VBScript and Batch that you can achieve this almost instantly. For example, a script to generate a random password in VBScript is so simple. Here’s a clever and tight one by Martijn Haverhoek http://www.haverhoek.nl/index.php?/archives/36-Random-password-generator-vbscript.html . Here’s another one, written in JavaScript: http://blazonry.com/javascript/password.php . With time and patience, a script can be written to automate almost the entire process of creating and deleting user accounts, as well as other administration tasks.
Even when using automation, mistakes can still happen, but by shortening the processes, it makes them less tedious and encourage performing them with more attention and focus. Another advantage is that it may allow you to delegate some tasks to your subordinates (knowing that there is less things for them to mess-up) or to your colleagues when you go on leave. Even if you are a decision maker and will never get into programming, you can still benefit your organization by hiring or contracting someone to develop some automation for you. Start simply by thinking which processes are performed routinely, and which are the most annoying or tedious. From then on…the sky’s the limit!
Monday, October 19, 2009
Chain of events
When thinking about security, one of the things that are hardest to grasp is the way things are linked together, and of course, the ingenuity of criminals. One small thing can lead to disasterous results in ways a normal person could not even imagine.
For example, a well known story is about a family that went to a public event, and parked their car in the parking lot, like everybody else. The car was a piece of junk, so there was no reason to steal it, and therefore, the owners didn’t install any protection. When thieves broke into it, they weren’t even interested in the car itself, but instead, they stole the GPS that was in it. No…they didn’t want the $50 they could hawk it for, but instead, they just put it in their own vehicle, and pressed “go home”. Thirty minutes later, they were in the driveway of the car’s owner, and entered the house using the remote they also found in the car. I guess there’s no need to detail the resulting mess.
There are several preventative measures to prevent this kind of thing (the simplest would be to set the HOME location on the GPS at a point that’s actually a mile or two from home, or not at all), but the point is that everything can be used for bad deeds, even if it is worthless in itself. Knowing where you work, for example, will allow a clever social engineering hacker to squeeze some info from your co-workers. For example, when you are going on vacation (which would be a good time to hit your house) or what days you stay late at the office.
What can you do about this? Unfortunately, not enough. The criminal mind thinks differently than us, normal people, and even amongst the crooks, there are the more devious kind. A good practice is simply to pretend to be a bad guy for a day. Sit in your car outside your home or office, and try to come up with a way to break in. Sit at your computer, and think how YOU can bust into your boss’s computer, and then try to figure out how you would block him from doing the same to you. Some of us just can’t do it – too old to think outside the box, but you might also try having your kids suggest thoughts.
For example, a well known story is about a family that went to a public event, and parked their car in the parking lot, like everybody else. The car was a piece of junk, so there was no reason to steal it, and therefore, the owners didn’t install any protection. When thieves broke into it, they weren’t even interested in the car itself, but instead, they stole the GPS that was in it. No…they didn’t want the $50 they could hawk it for, but instead, they just put it in their own vehicle, and pressed “go home”. Thirty minutes later, they were in the driveway of the car’s owner, and entered the house using the remote they also found in the car. I guess there’s no need to detail the resulting mess.
There are several preventative measures to prevent this kind of thing (the simplest would be to set the HOME location on the GPS at a point that’s actually a mile or two from home, or not at all), but the point is that everything can be used for bad deeds, even if it is worthless in itself. Knowing where you work, for example, will allow a clever social engineering hacker to squeeze some info from your co-workers. For example, when you are going on vacation (which would be a good time to hit your house) or what days you stay late at the office.
What can you do about this? Unfortunately, not enough. The criminal mind thinks differently than us, normal people, and even amongst the crooks, there are the more devious kind. A good practice is simply to pretend to be a bad guy for a day. Sit in your car outside your home or office, and try to come up with a way to break in. Sit at your computer, and think how YOU can bust into your boss’s computer, and then try to figure out how you would block him from doing the same to you. Some of us just can’t do it – too old to think outside the box, but you might also try having your kids suggest thoughts.
Thursday, August 20, 2009
Cloudy weather
There’s been a lot of talk in the industry recently about software-as-a-service, hosted services and cloud computing. Getting rid of the burden of managing servers and messing around with hardware seem charming, and has a lot of financial and administrative advantages, but is it SAFE?
Well, most of the stuff I write about here warns people that this or that is more dangerous than it appears, but this time, it’s quite the opposite. Cloud technology is actually is safer than the alternative in most configurations.
The thing about hosting services is that it takes away the hardest thing to control – physical security. I discussed this in my blog about thin clients – a physical computer or storage container is a sensitive thing. Cell phones and laptop theft is pretty obvious, but standard servers are also sensitive to some abuse. Even though most companies keep the servers in a secure room, not everyone can afford proper security, and even when a company can, the design is often imperfect because IT personnel are rarely trained in physical security. They might think a cardkey lock is secure, forgetting that the glass door or windows can be easily broken. They might setup alarms, but not be able to afford an onsite guard that can react fast enough in case of burglary. They might install smoke detectors, but miss out on proper fire extinguishers or water drainage infrastructure.
Also, having your own servers require some serious maintenance. AV updates need to be monitored, software updates installed, and security hardening needs to be done, and kept up regularly. Even though technologies like SMS are easily available, many companies don’t get them because of costs, and even with them, the massive resources on servers are a major honey pot. Many sysadmins are tempted to put some of their MP3s or movies “temporarily” on the file server, simply because it’s an easy plug until they come up with the cash to expand their own HD. Having this type of data would often be overlooked, but it may also expose the company to legal challenges or a virus infection.
While cloud technology is not yet perfect, and certainly does not fit every client or every scenario, it can have an important boost for the company’s security. Naturally, attention has to be given here as well, as a small or Startup Company that delivers hosted solutions might be riddled with the same problems, but with some major players entering the market in recent months, this is a great opportunity to get secure while reducing costs.
Well, most of the stuff I write about here warns people that this or that is more dangerous than it appears, but this time, it’s quite the opposite. Cloud technology is actually is safer than the alternative in most configurations.
The thing about hosting services is that it takes away the hardest thing to control – physical security. I discussed this in my blog about thin clients – a physical computer or storage container is a sensitive thing. Cell phones and laptop theft is pretty obvious, but standard servers are also sensitive to some abuse. Even though most companies keep the servers in a secure room, not everyone can afford proper security, and even when a company can, the design is often imperfect because IT personnel are rarely trained in physical security. They might think a cardkey lock is secure, forgetting that the glass door or windows can be easily broken. They might setup alarms, but not be able to afford an onsite guard that can react fast enough in case of burglary. They might install smoke detectors, but miss out on proper fire extinguishers or water drainage infrastructure.
Also, having your own servers require some serious maintenance. AV updates need to be monitored, software updates installed, and security hardening needs to be done, and kept up regularly. Even though technologies like SMS are easily available, many companies don’t get them because of costs, and even with them, the massive resources on servers are a major honey pot. Many sysadmins are tempted to put some of their MP3s or movies “temporarily” on the file server, simply because it’s an easy plug until they come up with the cash to expand their own HD. Having this type of data would often be overlooked, but it may also expose the company to legal challenges or a virus infection.
While cloud technology is not yet perfect, and certainly does not fit every client or every scenario, it can have an important boost for the company’s security. Naturally, attention has to be given here as well, as a small or Startup Company that delivers hosted solutions might be riddled with the same problems, but with some major players entering the market in recent months, this is a great opportunity to get secure while reducing costs.
Friday, July 31, 2009
Is it safe to talk?
the short answer is NO, but the longer one depends a lot on you. Voice mail systems are pretty much standard all around, but few people realize what a security risk they can pose. On the surface, a phone seems pretty harmless. What are they going to do? Leave me a threatening message? Well, maybe, but that's not the danger.
Most people choose to leave a custom voice message on their voice mailbox. Something like "Hi, you've reached James Voca, IT manager for Pirulo systems. Please leave your message and I'll call you back" seems pretty ordinary, doesn't it? Well, for an employee giving you a call, it is, but if someone outside calls in, you just informed him or her which company it is, what's the name of the IT Manager, and how he sounds like. In the wrong hands, this data is very valuable. A type of hacking known as "Social Engineering" focuses on using peoples tendency to behave socially can use exactly that. A social engineering hacker would typically call employees of the company on the phone, and try to get them to give out sensitive data or access. With the info from this mailbox, the hacker can pretend to be the IT Manager, and influence others. Many users will recognize the high ranking position holder and tell/do anything he wants. They would give him their passwords, let him take over their computer remotely and more. Here's a scenario:
Hacker: Hi Jane. This is James from IT. I'm at home and late for meeting - do you mind if I log into your machine to get a PPT I really need?
Jane: Sure, James
Hacker: Cool. I'm sending you an Email with a link - just click it and I'll be in and out in a minute.
Outcome: Hacker can implant a backdoor on Jane's computer, or just use it to get access to some sensitive internal servers.
How about another scenario:
Hacker: Hi Scott. This is James from IT. A guy from HB is coming in to pick up my laptop for repair - be sure to let him through, OK?
Scott (security guard): Sure thing, James.
Outcome: The hacker can waltz in the building, grab some laptop and disappear with it, causing both financial damage and possibly stealing important data from the computer.
This is not the only danger, of course. Most modern voice mail systems let people access them remotely. You would typically call yourself, punch in some PIN and can listen to your messages. Many people don't want to remember complicated numbers, and set the PIN at 0000, 1234 or the default (which is often one of these too). When this happens, anyone else can call into the voice mail, guess that number and listen to your messages. These would usually be just some nagging from your Bank, but they could also contain sensitive info. For example, it could be a message from your doctor about your blood work, a message from a vendor talking about things you purchased or worse. A hacker that knows how you sound like, and that you've just ordered 10 servers from Deck.com can call them, quote back some "secret" info from the message, and divert the goods to his house. He can also call you, pretend to be the vendor and get you to let him in the building with the "servers", and a good opportunity to do some damage.
The lesson here is simple - don't think that the voicemail system is safe, just because it's not connected to your computer. In fact, your own answering machine at home could expose you personally to some dangerous elements. Does your message sound like "Hi, you've reached the Smith family at 2245 lake drive"? You're just inviting people to come over and clean up your house. I recommend taking four measures:
1) Have your PIN secure - no simple numbers, but ones that are chosen carefully, changed frequently and aren't easy to guess
2) Have your message give as little info as possible. A good one could be "Hi, you've reached Jack - please leave a message". Same thing at home - "You've reached the Cole residents, please leave a message".
3) Listen to your messages frequently, and delete them. right away. Don't leave messages to linger on your phone from Friday afternoon to Sunday noon.
4) When you are leaving messages to others, whether you are a vendor, a client, a boss or a subordinate, keep in mind that you can never know the level of security the other side keeps. Treat a message left like a note left on the door - others may read it. Keep sensitive info out of the message, and just call back later.
Most people choose to leave a custom voice message on their voice mailbox. Something like "Hi, you've reached James Voca, IT manager for Pirulo systems. Please leave your message and I'll call you back" seems pretty ordinary, doesn't it? Well, for an employee giving you a call, it is, but if someone outside calls in, you just informed him or her which company it is, what's the name of the IT Manager, and how he sounds like. In the wrong hands, this data is very valuable. A type of hacking known as "Social Engineering" focuses on using peoples tendency to behave socially can use exactly that. A social engineering hacker would typically call employees of the company on the phone, and try to get them to give out sensitive data or access. With the info from this mailbox, the hacker can pretend to be the IT Manager, and influence others. Many users will recognize the high ranking position holder and tell/do anything he wants. They would give him their passwords, let him take over their computer remotely and more. Here's a scenario:
Hacker: Hi Jane. This is James from IT. I'm at home and late for meeting - do you mind if I log into your machine to get a PPT I really need?
Jane: Sure, James
Hacker: Cool. I'm sending you an Email with a link - just click it and I'll be in and out in a minute.
Outcome: Hacker can implant a backdoor on Jane's computer, or just use it to get access to some sensitive internal servers.
How about another scenario:
Hacker: Hi Scott. This is James from IT. A guy from HB is coming in to pick up my laptop for repair - be sure to let him through, OK?
Scott (security guard): Sure thing, James.
Outcome: The hacker can waltz in the building, grab some laptop and disappear with it, causing both financial damage and possibly stealing important data from the computer.
This is not the only danger, of course. Most modern voice mail systems let people access them remotely. You would typically call yourself, punch in some PIN and can listen to your messages. Many people don't want to remember complicated numbers, and set the PIN at 0000, 1234 or the default (which is often one of these too). When this happens, anyone else can call into the voice mail, guess that number and listen to your messages. These would usually be just some nagging from your Bank, but they could also contain sensitive info. For example, it could be a message from your doctor about your blood work, a message from a vendor talking about things you purchased or worse. A hacker that knows how you sound like, and that you've just ordered 10 servers from Deck.com can call them, quote back some "secret" info from the message, and divert the goods to his house. He can also call you, pretend to be the vendor and get you to let him in the building with the "servers", and a good opportunity to do some damage.
The lesson here is simple - don't think that the voicemail system is safe, just because it's not connected to your computer. In fact, your own answering machine at home could expose you personally to some dangerous elements. Does your message sound like "Hi, you've reached the Smith family at 2245 lake drive"? You're just inviting people to come over and clean up your house. I recommend taking four measures:
1) Have your PIN secure - no simple numbers, but ones that are chosen carefully, changed frequently and aren't easy to guess
2) Have your message give as little info as possible. A good one could be "Hi, you've reached Jack - please leave a message". Same thing at home - "You've reached the Cole residents, please leave a message".
3) Listen to your messages frequently, and delete them. right away. Don't leave messages to linger on your phone from Friday afternoon to Sunday noon.
4) When you are leaving messages to others, whether you are a vendor, a client, a boss or a subordinate, keep in mind that you can never know the level of security the other side keeps. Treat a message left like a note left on the door - others may read it. Keep sensitive info out of the message, and just call back later.
Subscribe to:
Comments (Atom)
Posts
