Resources

We call Him a Whistle Blower – September 2013

So we had a whistle blower divulge government programs that appear to illegally spy on US citizens. If legal, we have found our way into the Orwellian world detailed in "1984". The "trick" to the legality issue is a secret court (FISC, also called the FISA).

Requests to the court must only show possible cause and the warrants granted allow the NSA or FBI analyst to target any individual or corporation they think might provide information which serves their request. The word relevant is redefined by this court to mean anything that might possibly have a bearing while other courts define relevant much more narrowly. All of the judges are appointed by the Chief Justice of the Supreme Court and petitions are presented to a judge for approval – there is no opposing counsel permitted. Perhaps that is why of the 33,949 warrants requested, 33,942 were granted. In addition, there is a FISCR (Foreign Intelligence Court of Review) to which decisions of the FISC can be appealed. It is composed of three judges, all appointed by the Chief Justice of the Supreme Court. It has heard only one appeal, overwhelmingly approving the appeal. And there is no review process to verify if information captured or people targeted met the cause defined in the warrant.

Over the years, this court has created a significant body of law without any oversight or review. For example, the word "relevant" is narrowly defined as directly related in all courts except the secret court, where it has been broadened to mean anything that an analyst suspects might be of value to the case. In addition, the "special needs" exclusion, which allows agencies to bypass Fourth Amendment protections, has been expanded by the court to encompass mass collections of information which could be used in pursuit of terrorism suspects. The court has also ruled that the principle of third-party doctrine (when a person provides information to a third party, they no longer can have an expectation of privacy over that information) allows the mass collection of telephone data. Guess this interpretation of the law allows them access to your credit card transactions and banking transactions.

The only difference between today and "1984" is the physical surveillance. At least we think that NSA has not incorporated feeds for security cameras and traffic cameras into their vaults. Or have they?

Big Brother is Watching - June 2013

Five terrorists, each of whom had been under surveillance by the FBI/NSA, went on to commit terror attacks:

  • Anwar al-Awlaki, the US-born citizen of Yemeni parents, directed numerous terrorist attacks including the infamous "shoe bomber". In 1998 and 1999, he served as vice-president for the Charitable Society for Social Welfare, a group the FBI described as a "front organization to funnel money to terrorists".
    The FBI investigated al-Awlaki from June 1999 through March 2000 for possible links to Hamas, the Bin Laden contact Ziyad Khaleel, and visits by an associate of Omar Abdel Rahman (known for the 1993 World Trade Center bombings), but it did not find sufficient evidence for a criminal prosecution.
    Three of the 9/11 hijackers attended his mosque in Northern Virginia and met with him personally, but that was not considered significant. When police investigating the 9/11 attacks raided the Hamburg, Germany, apartment of bin al-Shibh, 9/11 attack coordinator (aka the 20th hijacker), they found the telephone number of al-Awlaki among his personal contacts.
    Yet, in 2002 al-Awlaki was the first imam to conduct a prayer service for the Congressional Muslim Staffer Association at the U.S. Capitol. But some were beginning to believe that al-Awlaki was involved with the 9/11 attacks.
    By late 2002, the Joint Terrorism Task Force was highly interested in al-Awlaki, who was being held for passport fraud. However, the FBI ordered his release and he fled to London.

  • David Headley (born Daood Sayed Gilani) made several trips to Pakistan for terrorist training while working as an informant for the U.S. Drug Enforcement Agency, which thought he was conducting undercover surveillance operations.

    In 2005 and 2007, Headley's wives had complained to U.S. authorities about his terrorist activities to no effect. The U.S. Director of National Intelligence James R. Clapper undertook a review of how Headley had been handled.

    Between 2006 and 2008, Headley performed five spying missions in Mumbai scouting targets for the planned 2008 attack.

  • Nidal Hasan, known to be in contact with Anwar al-Awlaki, was still able to shoot 43 in the worst terror attack on a military base in the United States. An FBI investigation concluded that his emails with the late Imam Anwar al-Awlaki were related to his authorized professional research and that he was not a threat.

  • Abdulhakim Muhammed, while under investigation by the FBI for his terrorist links, was able to murder two Army privates in Arkansas.

  • Tamerlan Tsarnaev had been questioned by the FBI in 2011 at the request of Russian counter-terrorism officials who suspected he had extremist ties.

    In 2012, his trip to Russia included meeting with underground groups. Upon return, he filled his YouTube page with playlists dedicated to "Terrorists" and "Islam", including a song titled "I will dedicate my life to Jihad." He even divulged to his mother in a recorded phone call that he was prepared to die for his religion.

Considering the sizeable amount of data collected by the government (we learned and continue to learn that they have been collecting detailed telephone logs, chat sessions, documents, emails, website access, blogs, social network data, etc.), they concluded that none of these five extremists merited further investigation, allowing them to commit horrible acts of terror.

Clearly it's not a lack of data that's the problem. More likely they are overwhelmed by the massive amount of data and unable to correlate it. Perhaps if they had only focused on these five extremists that were already under investigation, they could have stopped them from committing acts of terror.

Worse, the FISA court, the secretive government court which convenes in total secrecy and produces rulings that are classified information, approved all 1,856 petitions for warrants that it received in 2012 and all of those requested in 2011. Their hearings are only attended by prosecutors making the requests. Challengers to the request are not present. It's a court created by the government, whose judges are appointed by the government, which approves government requests which meet their "possible cause" criteria.

Little wonder why George Orwell's book is selling so well. Consistent with the thoughts in 1984, the government is seeking prosecution of those responsible for leaking this information instead of seeking to stop the 4th amendment breach.

Many, many years ago, information was classified as secret because it was. Today, information is classified as secret to avoid embarrassment of its exposure.

The Cost of Security - April 2013

There have been many articles about sacrificing freedoms for the sake of security. I'd like to start a discussion about risk disguised as a "security feature."

My first example is the built-in garage door opener (HomeLink) found in many automobiles and trucks. Engineers must have spent many sleepless nights devising a plan to stop strangers from using these built-in garage door openers in unlocked cars to gain access to the owner's garage. I can almost imagine the hoopla of a tournament as each engineer waited anxiously to display their carefully crafted solution to this vexing security problem. After much ado, fingerprint readers and retina scanners (to ensure that only authorized users could open the garage door) gave way to the simplest solution of all: the built-in garage door opener would only work when the ignition key was on.

What these brilliant people failed to take into account is that today, many people do not leave their cars in the street without locking the doors. In addition, most of my neighbors leave their garage doors open. But I'll be open minded and assume that there is some place where "smash and open (the garage door)" to steal the lawnmower is the crime du jour.

The side effect of this all is that I can't pull my car into the garage and use the built-in garage door opener to close the garage door, UNLESS I leave the motor running. No safety risk there, eh? Nor can I jump into my comfortable car, safely parked in the garage, and open the garage door, unless, you guessed it, I start the car first. Not sure if the intent is to protect my garage from a stranger or if they are trying to asphyxiate me. With the level of computerization in a typical automobile, I would think the "ignition switch on" requirement would be a modifiable option. However, manufacturers must value this "security feature" as critical to my well being: there is no option to modify the "ignition on" requirement.

Killing off customers is probably not a business model that they had in mind. I presume this "security feature" was implemented many years ago when cultures and lifestyles were different. It does show that "security features" must be re-evaluated to determine their value and their impact to other systems, stakeholders and the general public.

The Stolen iPhone Conundrum - April 2012

Newspapers are filled with stories of iPhone thefts and sage advice to protect our iPhones. But you, a savvy technical person, are reassured by the famous "Find My Phone" app and your records of the serial number and ESN (network ID) of your phone.

Shortly thereafter, you discover your phone missing.  "Find My Phone" to the rescue: you can see that someone has your phone as it is tracked moving down a busy street many blocks away.  "Wipe the phone" flashes in your mind as you quickly issue the wipe command.  Then, nothing.  It seems that the sage security experts at Apple decreed that wiping a phone would also erase the ability to use "Find My Phone."

Comforted that your phone has been erased (or was it powered off before the Wipe command was received...), you notify your carrier.  You soon discover that your carrier has no interest in finding your phone or blocking its ID.  Guess they assume someone else will register your phone and they will have another paying account.  Instead, you are warned that any charges generated by use of your lost phone are your responsibility, and you are advised to temporarily disable your phone number (although you must continue paying for your account).

Turning to Apple with hopes that they can block someone from setting your phone up as a new iPhone results in Apple's position that they do not have any mechanism to deal with lost or stolen phones.  No penalty for registering a stolen phone.

The police department begrudgingly takes your info and exhibits surprise when you provide the phone's serial number.  They are not sure what to do with this information except to store it in their files.

The real problem is that no one cares about lost or stolen phones except the owner. Without some shared database and a commitment by carriers, law enforcement and Apple, there is no down side for a thief.   Imagine being able to steal items of value with little chance of being caught and to be able to sell or buy stolen property, register it and publicly use it without any risk of being punished.  No wonder iPhone theft is such a lucrative business.

All I want for Christmas is ???? - July 2011

Yesterday, the AntiSec hacking group posted 90,000 military email addresses and passwords that it harvested from Booz Allen Hamilton's servers.  "We infiltrated a server on [Booz Allen's] network that basically had no security measures in place," AntiSec claimed (11 July 2011).  

Booz Allen had no comment: "As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems."

Sharing knowledge of this attack and the forensic follow-up would help improve everyone's security.  However, recent successful attacks against other security contractors less than two months ago raise the question of what the billions governments spend on security actually buy.

On a positive note, researchers at the Georgia Institute of Technology have developed a viable technology to capture ambient energy (http://www.smartplanet.com/blog/pure-genius/capturing-energy-in-the-air-to-power-electronics/6717?tag=nl.e550).

Just for fun, Google+ is expected to exceed 10 million users today.  Imagine if we could get one hundred security professionals together on a social network...to brainstorm...

We've Been Hacked (don't tell anyone) - June 2011

Many businesses, from the largest of banks to the toy store around the corner, employ weak security techniques.   Security on the cheap is, well, cheap security.  While officials sense and often pontificate on the value of protecting information and assets, they often fail to provide adequate protection for their most sensitive data.  While security should be based on a risk model, allocating security based on the asset, most security is based on a network model determining who is allowed in and who is not.  Guess these security professionals didn't watch the Pink Panther movies, where breaking in was the easy part.  Combine this philosophy with the basic business requirement that hiding a security breach is infinitely better than admitting one, and we reach a dilemma.

Let's start with the basic hacker seeking attention.  By not recognizing their successful penetrations of your perimeter, whatever that is today, you prod them on to bigger, more malicious hacks.  They seek attention and often politically select their prey.  Eventually, the credit card database used by your "out of the box" accounting software is compromised.  An earlier admission might have saved the sensitive data and certainly would help others targeted by the same hacker.

The professional hacker seeks fortune, although a bit of fame and recognition helps their resume.  Very large firms, in an attempt to hide compromises, may withhold information from others in their company for fear it will be publicly released.  By the time others learn of the attack strategy, they are also compromised. Being hacked is not good.  Keeping it secret is worse.  Sharing knowledge is good business for you and good for everyone else who may also be at risk.  Someday someone else may help you avoid a compromise.

Search Personalization - May 2011

As you should be aware, two users performing the same search in the same search engine on different computers may get different results.   The reason: automatic personalization dynamically created from previous searches.  Is this good? Not necessarily.  Alternative views (political, scientific, etc.) will not appear at the top of the search results, leaving you a myopic view of the subject.  So we all become biased by search results slanted to fit "your search profile." Advocates claim that duplicating past search results and providing preferred results expedites searching.  How important is it to miss new suppliers because they weren't in a previous search or because some search engine decided they did not match "your search profile"?

But wait, there's more.  What if some phishing group learns not only what bank you use, but your favorite charities, where your kids go to school...  If the search engine can access this data on your computer, one would think that others could do so as well.

Imagine if an identity thief had access to your search history and the "hits" you selected as a result of the search.  For some, a worse thought is to imagine their government has access to the same information.  DYC! (Delete Your Cookies)

How Secure is eMail - April 2011

It is that time of the year in the United States when citizens reconcile their tax payments with the government.  For many, this involves accountants poring over stacks of minute details concerning earnings, dividends, expenses and losses.  All of this information, along with name, address and social security number, is scribed onto numerous forms which are sent to the government.

Unfortunately, many accountants send copies of this information via email to their clients.  Therefore, I am again trying to educate those who don't understand the risks of email.   If you have received sensitive information in your email, please refer the sender to this blog or contact me directly at help @ cdfsecurity.com.  So how does email work and what are the risks?

Imagine the delivery system for email as a bus, a very fast bus, that picks up the sender's email at a bus stop and pins it to a board of outgoing emails.  Every time the bus makes another stop, passengers have private access to this email board.  Although the email is in an envelope, it is unsealed and they may peer inside, even copy it.  Etiquette indicates that only the recipient should open the email, but others may examine it or make copies without leaving any clues that they did so.  So much for etiquette.

Once the bus arrives at the terminal, the attendant looks at the delivery address and makes an educated guess of the best route to deliver the email; buses do run on fixed routes.   The email is put on the next bus traveling on the delivery route chosen.   If the delivery address is far away, high speed, non-stop buses may be used to move the email to the next major terminal.  And in each terminal, everyone can see the email envelope and, if so inclined, make a copy of the email and any attachments.  If the final destination for the email is still far away, it will be sent on another high speed, non-stop bus to the next major terminal on the route.   Some of these major terminals are run by businesses, some by students at universities, while others are operated by government officers.  Can you trust them with your sensitive information?

When the email finally reaches the bus terminal local to the intended recipient, it is put on a local bus.   Again, at every stop, everyone can look at the email and copy it before it reaches the stop near the intended recipient.   If the recipient isn't there to receive it, it stays on the bus until the recipient checks the bus for emails.

Do you trust everyone on these buses?  Everyone in your business?  Everyone in your apartment building?  You only need one person with bad intentions...

What if an identity thief found a wireless connection at some establishment in the same neighborhood as an accountant or, even better, multiple accountants?  Then the thief's computer could automatically make copies of all the emails sent or delivered from/to someone in the neighborhood.  Software which can be downloaded for free could later search through these emails for identity information to use.  They may even find investment account numbers and balances.  With name, address, social security number, investment account firm names, account numbers and balances, success from stealing your identity or selling this information to others could be very, very profitable.
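The bus terminals in the analogy above leave a paper trail: every mail relay that handles a message prepends a Received: header recording which host it got the message from and whether that one link used TLS. The following Python script is an added example (not code from the original post or from cdfsecurity.com) that reads those headers from a constructed sample message, lists the hops in delivery order, flags the links that carried the message in the clear, and reports whether the plain-text body holds an SSN-shaped value that every relay on the route could have read. The hostnames, IP addresses, timestamps and the SSN in the sample are all made up.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message, not a real capture. Each relay ("bus terminal" in
# the analogy above) prepends its own Received: header, so the list reads
# newest-first: the bottom header is the accountant's own outgoing hop.
RAW_MESSAGE = b"""Received: from mx.example-isp.test (mx.example-isp.test [203.0.113.7])
\tby mail.example-client.test with ESMTP id c3d4;
\tMon, 18 Apr 2011 09:12:01 -0400
Received: from relay.campus.test (relay.campus.test [198.51.100.22])
\tby mx.example-isp.test with ESMTPS (TLSv1) id b2c3;
\tMon, 18 Apr 2011 09:11:58 -0400
Received: from acct-desktop.example-cpa.test (unknown [192.0.2.15])
\tby relay.campus.test with ESMTP id a1b2;
\tMon, 18 Apr 2011 09:11:50 -0400
From: accountant@example-cpa.test
To: client@example-client.test
Subject: Your 2010 return
Content-Type: text/plain; charset=us-ascii

Attached is your return. SSN on file: 123-45-6789 (constructed sample value).
"""

# "with" keywords (RFC 3848 style) that mean the hop itself was TLS-protected.
ENCRYPTED_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def parse_hops(raw):
    """Return relay hops in delivery order (oldest first).

    Each hop is a dict with the sending host, the receiving relay, the
    transport keyword and whether that single link was encrypted.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        match = HOP_RE.search(text)
        if not match:
            continue  # relay wrote a non-standard trace line; skip it
        src, dst, proto = match.groups()
        hops.append({
            "from": src,
            "by": dst,
            "protocol": proto,
            "encrypted": proto.upper() in ENCRYPTED_PROTOCOLS,
        })
    return hops


def cleartext_hops(raw):
    """Hops where the message travelled the wire unencrypted."""
    return [hop for hop in parse_hops(raw) if not hop["encrypted"]]


def exposed_identifiers(raw):
    """SSN-shaped strings in the plain-text body that every relay could read."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    return SSN_RE.findall(body.get_content()) if body is not None else []


def report(raw):
    """Print a hop-by-hop summary; returns the number of cleartext hops."""
    hops = parse_hops(raw)
    for i, hop in enumerate(hops, 1):
        state = "TLS" if hop["encrypted"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol']} [{state}]")
    ssns = exposed_identifiers(raw)
    clear = cleartext_hops(raw)
    print(f"{len(hops)} hops, {len(clear)} without TLS; "
          f"{len(ssns)} SSN-like value(s) readable at every relay")
    return len(clear)


if __name__ == "__main__":
    report(RAW_MESSAGE)
```

Two caveats when using this on real mail. A Received: header is written by the relay that adds it, so an upstream host can forge earlier entries; only the headers added by relays you operate are trustworthy. And ESMTPS on a hop only means that one link was encrypted in transit: the message is decrypted and sits readable on each relay regardless, which is the point of the bus analogy. Only encrypting the content itself (for example with S/MIME or PGP) keeps the terminals from reading it.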

Facebook - March 2011

In an apparent takeoff on the movie The Social Network, an enterprising 15 year old set up a Facebook group called "You Pick" where members posted photos of themselves and ranked others "by looks."   Competitors striving for the highest rating posted sexy photos of themselves.  Unfortunately, the group was composed of mostly 13, 14 and 15 year olds, or at least that was their posted age.  I'm sure all of you realize the risk and also understand that most 13 year olds want to be voted "best looking."  This is a tough problem to solve.  Maybe these social networks need to take on the responsibility of monitoring groups and applications.  Maybe these sites should create a new class of groups, local groups which restrict membership to several hundred members living nearest to the group's epicenter.

What's next, a seniors group where assets are compared and voted on? A home security group comparing intruder protection devices and their faults?  A group with a contest for the best hiding place for an emergency key hidden outside the home?  Think before you act.

Remember, joining a group often gives that group permissions to access all of your personal data.

Many years ago, your social network was composed of just a few neighbors, but now it is anyone in the world with a computer and a Facebook account.

Recycle Diving - February 2011

Not too many years ago, dumpster diving was the rage for information gathering.   Now that idea has been scaled back to targeting individuals.  Guess we are throwing out mail, including pre-approved credit card applications and bank statements, in the recycling bins.  Even better, it's not mixed with garbage and the bins usually are set out overnight.  So, an early morning excursion to a wealthy neighborhood on recycling day might be an identity thief's dream job.

Anything you dispose of, in the recycling bin or the garbage can should be suitable to be shared with anyone without impacting you or your family.

Smart Phones - February 2011

Not many years ago, phones were relegated to the menial task of being a communication device allowing conversations with distant parties (or close ones, if you didn't want to cross the street to talk to your neighbor).  Today, phones are functioning computers running a myriad of applications, some mission critical.   All of this beneficial functionality brings with it the dark side of viruses, malware and Trojans.  Vetting an application to ensure it presents absolutely no risk is not done...for any platform.  While the Android platform has the highest risk, as application testing is minimal and third parties can install apps directly, iOS apps are not analyzed for rogue functionality hidden deep within them waiting for a command to exert itself.

I'm not suggesting paranoia but I do recommend watching for unusual activity in apps from lesser known developers.  Hopefully the phone suppliers will develop a desktop computer application which can scan smart phone software for abnormalities.

Internet Media Connections - January 2011

Welcome to the world of technology.   The holidays brought Internet enabled DVD players, receivers, TVs and new Internet TV appliances into your home or office.   Many of these devices prefer unfettered access to and from the Internet.   After many hours, you might successfully create appropriate rules in your firewall to allow these devices to function without opening your network to risk.

These devices were designed to provide a rich multi-media environment for you.   Unfortunately, security controls in them only apply to content and downloaded media.   These devices are vulnerable to common security flaws allowing unwanted intruders an easy route to compromise your network.

We recommend that you isolate all such devices on a "restricted network" separated by a firewall from your existing network.   A compromised device provides an avenue to easily attack any computer on your network.   In addition, caution is urged on using these devices for services that require authorization, such as email, as passwords might be compromised.

WikiLeaks - December 2010

Some praise WikiLeaks for exposing corruption and others condemn it for exposing confidential information.  In a way, you're both right.   An interesting article in the Los Angeles Times by two unsuccessful "whistle blowers" highlights this issue.

Apparently, government officials denied a request from an FBI agent to search the possessions of Zacarias Moussaoui, a known terrorist who was arrested on an immigration violation.   This was in August 2001.  The same government officials ignored a plea from the agent's supervisor that he was "trying to keep someone from taking a plane and crashing it into the World Trade Center." If this information had been exposed at that time, would 9/11 have been averted?

In addition, an FAA team auditing airport security found that in 9 out of 10 times, it was possible to smuggle weapons aboard an airplane.   That report was ignored and subsequently suppressed.   After 9/11, that audit team was disbanded.   Leaking this information would expose security weaknesses to the world, and Microsoft would condemn you for exposing it until it was fixed....   However, exposing it might also have resulted in improvements in a very weak security environment, possibly leading to the arrest of the perpetrators before the hijackings.

Perhaps the real problem with WikiLeaks is that democracies include many "whistle blowers" while few survive in dictatorships.   This unfortunately makes the democracies appear weak and dictatorships strong.   Hopefully this exposure results in stronger security for democracies and a weakened security for dictatorships.

Package Bombs - November 2010

Last Friday, the discovery of two packages being shipped by international couriers that contained bombs sent a shockwave across the United States.

The United States Department of Homeland Security (DHS) was expected to be scanning 100% of cargo shipped on passenger flights by August of 2010 but was not expected to improve scanning of cargo-only flights.  CBS News reported that only 20% of all inbound air cargo is scanned for bombs.  Of the seven and a half million pounds of inbound cargo on cargo only flights, roughly five percent is scanned for bombs.  To add to the confusion, DHS representatives rate security procedures for inbound air cargo as good....

TSA indicated that the bombs might have successfully passed the screening process for passenger flights.  But the reality of all of this is that we can't ensure the security of this cargo.  That security is controlled by the shipping country.

Although we have too many similar but different security standards, an international security standard for passengers and cargo would be of value.  An international agency could manage audits and non-compliance.  

Is Bredolab Dead - November 2010

Recent news of the arrest of the Bredolab creator and the elimination of 143 rogue servers that provided command and control information allows us to sleep better.   But does it?   Are the estimated three million infected computers safe?   The answers are no and no.   The Bredolab botnet was created for profit and its bot army was sold much like slaves.   Its current masters, the purchasers, are not likely to walk away from the botnet.   Already, several new command and control servers have appeared on the Internet and more are likely to follow.  You really aren't safe until the Bredolab clients have been removed from your machines.

Did you lock your doors - October 2010

Not too many years ago, we locked car doors by inserting the key in the lock and turning it.   Today, we use a remote keyless entry fob to lock the car doors.  Not to be outdone, criminals have developed jamming devices that block the "lock request" from your key fob.  While this does put thieves one step closer to stealing your car, it more likely will be used to easily steal any valuables left in your car.   With the coming holiday season, many load their cars with gift purchases and are more lucrative targets.   The Register reports that the jamming devices are available on the Internet for $100.

Traditional home and business door locks are also becoming available with remote keyless entry using similar RF fobs.   Are they also susceptible to interference from jamming devices?  Or will hidden listening devices capture enough "unlock" signals to break the code?

Critical Infrastructure - September 2010

I was going to blog about cloud computing security but that will need to wait.   The U.S. Energy Department published a report about numerous weaknesses in the computers and networks controlling the electric grid.  And we all know about Stuxnet and expect more to follow.

Many of the problems centered around missing patches and poor coding practices.  To be fair, few companies have a set of spare SCADA systems to test patches on.   And a patch that fails on a production machine could be catastrophic.  I doubt many corporate security organizations scan process control systems for vulnerabilities.  While there are excellent security models for process control systems, large corporations may find them cost prohibitive and choose to ignore the risks.

Truly isolating process networks from business networks can reduce the risk.  Further isolation between management layers and the control layers is also necessary.

So you went all out into "the cloud" - July 2010

Cloud computing is a hot topic and any discussion of the cloud computing model is alive with comparisons of cost savings.  So you bought in to the whole idea and now run your enterprise in the cloud (somewhere in a virtual computer farm).   You shaved 10% off your IT budget.  Eliminating internal servers saved another 14%.  But unexpectedly, the cloud services were lost.   The provider became a victim of the economic downturn.

Welcome to the collapse of time-sharing in the late '70s.   Then we became disenchanted with outsourcing critical systems and information and embraced the client-server model to increase personal and systems productivity.  Today the high cost of operating data centers to meet business demand has again made outsourcing popular.  As we adopt the software-as-a-service model, we circle back to the cost savings and risks common to time-sharing.  Hopefully, we are now wiser and have developed trust models that ensure safe business continuity.

Much ado about nothing?   – June 2010

We are all aware that Google collected some unencrypted wireless data in Europe that "spilled" onto the street.  Google claimed no knowledge of the accidental data collection; has not used that data for any purposes; and plans to delete it under the watchful eye of an independent third party.

Maybe Google should be rewarded for identifying this great security risk the users didn't seem to be aware of.  Many homes and some businesses have deployed wireless networks without encryption.  Wireless hotspots abound without employing wireless encryption.  Eavesdropping on unencrypted wireless is easy, and everyone needs to understand that their email, their web access, Twitter and Facebook activities are easily captured by others.

The practice of "war driving", identifying the exact location and attributes of wireless networks, is common throughout the world.  I'm sure remote locations such as the South Pole are excluded.  Not many years ago, this global inventory of wireless networks was published on the Internet.  Finding unencrypted wireless networks in a neighborhood was merely a search away.

Walking around the house naked with the curtains wide open does not make a person who glances through the windows a spy.   Listening to ham radio transmissions does not make one a spy.  Anything published publicly, whether it is this blog, a conversation on a crowded bus or transmissions from a wireless router, is available to anyone unless controls have been established to restrict access.  It's up to the individual to protect what should be private.  Not all "listeners" can be expected to be discreet and/or honest.

Security du jour - May 2010

In case you haven't noticed, many of your users claim the title of security expert.  More disturbing is the claim by IT staff and IT consultants that they are security experts.

Alas these claims are often only bolstered by arrogance and ignorance.  A business manager may revel in the vast savings from employing IT personnel for security needs.  Unfortunately, this requires the IT personnel to consume time reading about security instead of performing operational tasks.  The end result may not be good for your business.

Eliminating a small risk with too many security components is a waste of money.  Installing a firewall may seem to be a wise investment, but a poorly configured firewall provides little protection from threats.  Malicious applications may not be thwarted by firewalls and are easily installed within your network by unsuspecting users.  Components such as JAVA or Adobe Flash may be overlooked for upgrades even though the risk from using old versions is very high.

If you do rely on IT to perform security tasks, I recommend an annual review of your security infrastructure.  The cost should be small and the benefit of ensuring you are safe could be very high.  There are very good security experts that could perform a simple vulnerability assessment of your network and systems.  The assessment may consume several days to complete and a simple report identifying risk and recommended solutions may take several more.  If no serious risk is identified, you should compliment your IT staff on a job well done.  If risk is identified you should pursue remediation efforts relevant to the risk.  Furthermore, I recommend that you do not purchase any security related hardware or software without a clear understanding of the costs and benefits.

Attacked by Security Software – April 2010

Last week, McAfee released an update for their anti-virus software that had a major flaw.   It identified a critical Windows system file as infected.  Only Windows XP/SP3 could be impacted and symptoms include continual reboots and lack of network connectivity.

McAfee has said very little about the incident and their PR effort seems more like a cover up for their blunder.   Four days after the release of the rogue virus definitions, McAfee had circled the wagons as is evident in a blog post:

  • "When this problem came up, I immediately called McAfee technical support.  I paid $90 to your tech support group and was told that it was not a virus problem.  The tech said that I should contact Dell because he didn’t know what was happening with my system....."

Yet other blog entries were more positive:

  • "I’m not pro-McAfee, but the majority of posters need to get real, and get a sense of perspective.  If you’re still alive and your business hasn’t folded and you haven’t lost millions of pounds/dollars, maybe you should just count your lucky stars and find something else to moan about."
  • "Good Luck, Barry.  Mistakes do happen, best of luck resolving the customer issues and getting back to normal operations."

While Toyota would probably have been fined for such a disaster, McAfee will recover and most likely regain the confidence of businesses and consumers.  The real question is why automobile companies are held to a different standard than software companies.

Malfunctioning computers could cause infinitely more destruction than malfunctioning brakes in a Toyota.  Remember the blackout of 2003 in the Northeast United States and Canada?  A software failure on a computer hid the growing crisis from operators who could have controlled the problem before it became a crisis.  There were fires, vandalism, theft, non-potable water, inoperable signals for cars and trains, and many other safety issues.  How many security systems were rendered ineffective?  Were toxic materials at plants spilled when power failed?

Most agree that fining Toyota was justified and some think the fine should have been higher.  But few think that fining McAfee is necessary.  What about Microsoft whose security flaws cost businesses hundreds of millions?  

Do you trust your phone - February 2010

So you started the new year with a fancy new phone.  Maybe it is an iPhone or a phone using Android.  Maybe you have a new Blackberry.  Whatever the phone, you probably are amazed by the applications which make everyday life a bit easier and sometimes fun.  Finding restaurants "near you" is great as are games like "My Town."

To produce this wizardry, the applications use a location service on your phone, essentially a GPS, and an application server.  While you are having fun, remember that these applications are tracking you.  They know where you go and they know it in real-time.

So the application server can identify all of the users that go to CIA headquarters every day.  And it knows if you go to a nearby nursing home every weekend.  They even know where you shop and where you eat.  If a person that you travel with has an application on their phone from the same developer, they know who your companion is.  They even know if you drive too fast or if you stop for a drink on the way home.

While location service provides a valuable commodity that can enrich our lives, it is a security risk and a privacy risk.

Another year and another decade - January 2010

Photo ID seems to be a preferred verification tool for some websites.  Even PayPal demands it in some situations.  Now there are numerous sites on the Internet that offer fake IDs.  There is even a review site that rates the fake ID offerings.  Prices range from $20 to $100 for a good fake ID.  However, for something that you only need to fax a copy of, a Photoshop mockup is more than sufficient.  So why do these sites consider a photo ID a good form of verification?

Worse, many people wanting the service of the requesting website eagerly copy their driver's license or even their passport and send it off into that dark abyss known as the Internet.

Does PayPal shred all of the paper "photo IDs" that it receives?  Are you responsible for aiding and abetting your own identity theft?

Military Secrets and more... - December 2009

The United States spent how much for a drone surveillance plane?  Would you believe $10 to $12 million per plane?  At least, that is what senior defense and intelligence officials reported.  Unfortunately, the price of the plane does not include any security software to protect the transmission of surveillance photos or video.  This sophisticated plane transmits its surveillance data in clear text.

Not surprisingly, those that are targeted by these surveillance planes have found software on the Internet costing $26 that allows them to receive the surveillance photos and video.  It's unclear if auditors and security staffers overlooked this flaw or determined it not significant enough to justify the increased cost of upgrading the drone software and software of all receiving stations.  My guess is that they never considered the Internet in their risk calculation.

Fun with Microsoft - November 2009

Let your mind wander into the future.  Automobiles are more automated and the autonomous vehicle, aka the driverless car, will be the norm.  So you relax in comfort as your intelligent car whisks you off to some magical vacation destination...  Before you return to reality, imagine all this automation runs on Windows 12, the latest Microsoft release.

Mixing the future with our experiences raises some interesting questions.  The many versions of Windows, 1.x, 2.x, 3.x, NT, 95, Bob, CE, Me, 98, 2000, XP, 2003, Vista and 7, all had (have) intermittent failures requiring restarts.  What if these same problems exist in our imaginary Windows 12?  When you experience an intermittent failure in your autonomous vehicle, will you need a similar restart process?  CTRL-ALT-DEL at highway speeds could be a bit disastrous.  Imagine if the restart took thirty seconds or even a minute (because of other applications that you installed)...  Maybe some network timeout will shut off the car in the name of safety.  Then it could be towed to the dealer for a clean install of the OS and applications.  Think of all of the unplanned adventures that lie ahead.

Worse, how will the annual vulnerability patches (the high cost of patching will likely drive the monthly Patch Tuesday to an annual Patch Monday) be deployed?  Will all the automobiles in the world download and install patches at the same time?  How will reboots be handled?  Maybe all cars will simply stop, install patches, reboot and wait for the others to complete their update cycle before any are activated.  Then we all would need to wait for Bob and his 10 year old clunker to complete its updates before we could continue.

Maybe we should start demanding more reliable software now.

Storing Pictures and Backups on Internet Sites - October 2009

By now you have read about the T-Mobile Sidekick problems.  Many thousands of users lost their contact lists, pictures and calendars.  The data was stored on Microsoft servers in Redmond, apparently without backup on October 2.  CNET also covered the massive failure as a cloud computing issue.  

Thanks to the wizardry and marketing of many Internet sites, we store our important pictures "out there".  We use Internet sites for backup, even for our mobile phones.  Email contact lists and calendars are also "out there".  The amount of information stored on Internet sites is staggering and growing rapidly.  In some situations, users are not even aware that an Internet site is being used to store information.

Sure, you trust the site to protect your information.  But Sidekick users trusted Microsoft and apparently their information still was not safe.  And we haven't even addressed the problems of a disgruntled employee sabotaging the servers.

So the next time you move something important to an Internet site, imagine what your loss might be if that site had a disaster and was no longer available.  Think about your risk if all of the information on your phone was suddenly lost.

Making a periodic backup on a different system, on a CDROM or on a USB drive will minimize any loss.

Hacking in the Future - September 2009

The Canadian Advanced Technology Alliance (CATA) wants to build a state-of-the-art wireless network 1,000 kilometers long following highway 401.  The goal of this effort is to create a sizeable testing site for futuristic networked vehicle applications.  Early applications will probably focus on collision avoidance and optimizing traffic flow.  Other applications such as finding or creating a car pool are likely to follow.

As the network vehicle evolves and begins taking on the chore of driving, entertainment applications, including existing web applications, will abound.  Now imagine pop-ups, viruses and denial of service attacks on your networked vehicle.  Security will need to evolve to address these new challenges.  Otherwise we may end up with botnets of networked vehicles destined to take over the world...

As a note, it's easy to fear the future but not the past.  Yes, many years ago people feared the technologies we have today.  They feared the model T, expansion bridges, the telephone (not the phone bills), electric power plants and the computer.  All of these are familiar and accepted in our society.  All had security risks and a few still do.  Nonetheless, we have been able to leverage these technologies and many others that were also feared and evolved to where we are today.  Tomorrow's fears are likely to succumb to other new technologies and advance our culture to another level.

Identity Theft Revisited - August 2009

Much has been written about identity theft but users still ignore good security practices.  So let's put it all in perspective.  Last year there were about 10 million victims of identity theft.  The number of unreported cases is unknown.  What can you do to reduce the chances of having your identity stolen?  Yes, that's the same question that you have been asked many times.  So I'm sure you use strong passwords and a good paper shredder.

But what about electronic documents?  A tax preparation program would contain all of your personal information, your ID numbers and possibly even your bank and investment account numbers.  What if some malware were to steal that file?  Do you store all of those strong passwords in a securely encrypted file?  Do you delete sensitive files using an application that securely deletes them?  Are your Quicken and Microsoft Money files impenetrable?  (Intuit charges $9.95 (US) to remove a password but shareware programs are available.)  Password crackers for Microsoft Money are easily found on the Internet.  Security based password recovery applications may cost as little as $49 (US).  Do you have other accounting software installed?  Try searching for a password cracker.

Many users, although aware of good security practices, don't recognize the risk for electronic documents.  The strong password you created for accessing your computer is of little value when a malware application can easily steal sensitive files allowing access to your investments and bank accounts.  Stealing your identity is only a small part of the risk.

Patching - July 2009

Sometimes, security patches are disguised as software updates.  The vendor may not want to highlight security problems.  Whatever they are called, you should install the security updates needed to protect your systems.

Risk was discussed in last month's blog.  If you only use a secure Internet connection, keep your anti-virus up-to-date, don't visit unknown web sites and don't open email from unknown senders, you shouldn't worry about the news stories claiming we are under attack.  But you still need to manage the security of your systems to mitigate new threats.  Many systems automatically receive updates because the software/application was installed with an "automatic update" option checked.  Updates for the following list of software/applications should be supported through automatic updates or be reviewed for manual updates:

  • Adobe Acrobat/Reader
  • Anti-virus (from any vendor)
  • Applications accessible from the Internet
  • Applications that access Internet Resources
  • Common Browser Applications (Accelerators, Flash, Quicktime, Shockwave, Silverlight, Weatherbug, etc.)
  • Database Software
  • Firewalls (software and/or hardware)
  • Linux (all variants)
  • JAVA
  • Macintosh OS
  • Microsoft Office
  • Microsoft Windows (and embedded software)
  • Networking Components
  • Security Devices/Software
  • UNIX (all variants)
  • Web Browsers (Firefox, Google Chrome, IE, Opera, Safari, etc.)
  • Web Servers/Environments (AJAX, Apache, IIS, JAVA, PHP, WebSphere, etc.)
In addition, support and patches are often not available for old versions of software.  For example, Windows 95 is no longer supported and will not receive necessary security updates.  You should upgrade it as soon as possible.  

Business Approach to Patching (or not)

Businesses may discover more cost effective solutions to protect their infrastructure.  If a new threat requires downloading its main code from an ftp site, blocking outgoing ftp activity eliminates the threat while computers are connected to your business network.

Another simple practice, blocking all inbound packets from bogons (address space that should never be a legitimate source on the Internet), will vastly increase security and decrease unnecessary network traffic.  A quick list of bogons can be found here.
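As an added illustration of the two blocking rules above (example code written for this page, not anything from the author or a firewall vendor), the following Python applies a bogon-source rule to inbound traffic and an outbound-FTP rule to a few constructed log lines.  The bogon prefixes listed are the well-known reserved and private ranges (RFC 1918 space, loopback, link-local, multicast and so on); a production filter should load a maintained list, because unallocated space changes over time and this page's own list link is not reproduced.  The log format and every address are made up; 198.51.100.x and 203.0.113.x stand in for public addresses.

```python
import ipaddress

# Constructed sample of reserved/private prefixes that should never appear as the
# source of a packet arriving from the public Internet.  A real deployment would
# load a current, maintained bogon list instead of hard-coding one.
BOGON_PREFIXES = [
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8",      # RFC 1918 private
    "100.64.0.0/10",   # shared address space (carrier-grade NAT)
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "172.16.0.0/12",   # RFC 1918 private
    "192.0.2.0/24",    # TEST-NET-1 (documentation)
    "192.168.0.0/16",  # RFC 1918 private
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved
]
BOGON_NETWORKS = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]

# Constructed log lines in a made-up key=value format.  198.51.100.x and
# 203.0.113.x are documentation ranges used here as stand-ins for public hosts.
SAMPLE_LOG = """\
dir=in  src=192.168.1.10 dst=203.0.113.5 proto=tcp dport=80
dir=in  src=198.51.100.7 dst=203.0.113.5 proto=tcp dport=443
dir=out src=203.0.113.5 dst=198.51.100.9 proto=tcp dport=21
dir=out src=203.0.113.5 dst=198.51.100.9 proto=tcp dport=443
dir=in  src=127.0.0.1 dst=203.0.113.5 proto=udp dport=53
"""


def is_bogon(addr: str) -> bool:
    """True when the address falls inside any listed bogon prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETWORKS)


def parse_line(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def decide(rec: dict):
    """Apply the two rules from the post: drop inbound bogon sources and
    drop outbound ftp (tcp/21).  Everything else is allowed."""
    if rec["dir"] == "in" and is_bogon(rec["src"]):
        return "drop", "bogon-source"
    if rec["dir"] == "out" and rec["proto"] == "tcp" and rec["dport"] == "21":
        return "drop", "outbound-ftp"
    return "allow", ""


def apply_policy(log_text: str):
    """Return a list of (line, verdict, reason) for each non-empty log line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict, reason = decide(parse_line(line))
        results.append((line, verdict, reason))
    return results


if __name__ == "__main__":
    for line, verdict, reason in apply_policy(SAMPLE_LOG):
        print(f"{verdict:5s} {reason:15s} {line}")
```

The first rule only inspects inbound source addresses, since private and loopback space is perfectly legitimate inside the network; the second drops the outbound control connection that an ftp download needs, which is the cheap mitigation the post describes.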

However, from my experience, businesses really can't stop all threats.  The concept of a hardened network perimeter has been replaced with the reality that network boundaries have become more like fishing nets.  New business paradigms have created rich relationships with partners joining networks in ways unimagined merely ten years ago.  Costs are being slashed by leveraging network services necessitating trust between networks and applications.

Patching was once a necessity to prohibit intrusions.  Today, patching is more about reducing disruptions to business services.  This means metrics must evolve to drive patching decisions and ultimately to guide all security decisions.  The old axiom "better safe than sorry" is being replaced with "safety built on metrics".

Am I Safe - June 2009

The news media is very informative describing new threats to help raise user awareness.  Attacks on popular websites are chronicled in fine detail including a lengthy analysis of the threat and the likely attacker.  All of this news is worthwhile and meaningful but it creates fear among many users who wonder if they are safe.

First the bad news.  If someone really, really wants to gain control of your computer, they can.  The cost could be many thousands of dollars and might require them to compromise your friends, but it can be done.  To ensure your computer is safe, you must keep it securely locked up, never connect it to a network and never access any removable media.  It's similar to the risk of being killed by a terrorist bomb a block from your home in Idaho.  You could avoid the risk by never leaving the house.

The probability of a terrorist bomb in Idaho is near zero.  Even though we read about terrorist bombs elsewhere in the world, we do not think it likely that terrorist bombers are roaming the streets in Idaho.  We judge the risk to be low and feel safe in Idaho.

Now you need to apply the same concept to computers.  A major component of measuring risk is understanding the likelihood of someone successfully exploiting the threat, similar to how we judged the likelihood of a terrorist bomb in Idaho in the example above.  If the likelihood is extremely low, we should feel safer.

Another key component is the potential loss if the threat is successful.  If a successful compromise will cost you hundreds of millions of dollars, you should take some protective action even if the likelihood is low.

If the potential loss is high and the likelihood is high, you better act fast to protect your assets.

Without a hardware firewall, or other isolation from the Internet, the likelihood of a threat increases dramatically.  Software firewalls are ok, but need to be configured and maintained to be effective.

If you have a firewall, the latest patches, up-to-date anti-virus definitions and don't visit unknown websites, the likelihood of someone compromising your computer is minimal.  An unlikely threat that will have little impact if successful should not be a major concern.  Without a firewall, patches or appropriate anti-virus software, the likelihood increases and so does the risk.  If the impact to you of a system compromise is high, your risk is also higher.

In summary, low likelihood and low impact is low risk while high likelihood and high impact is high risk.  Everything else is medium risk.  High risk requires immediate action while low risk can wait for vendor patches or alternative risk elimination techniques.  Be careful though as moving a laptop to a public wireless network from a protected network increases the likelihood and subsequently the risk.

Phishing Today and Tomorrow - May 2009

Phishing has been successful because a large audience can be targeted using automated tools.  Although the number of people that "take the bait" is small, it is a very profitable scam.  The anti-phishing group APWG claims an increase of 827% in crime-ware sites last year.

The automotive warranty companies have shown how robot telephone dialers can be used effectively to enlist new clients.  They avoided detection by spoofing the Caller ID number thus hiding their origin.

Given readily available tools, someone could set up a robot dialer in China using an Internet phone service.  With very little effort, they could create a recording pretending to be a major bank and spoof the Caller ID to show the number of the bank's branch nearest each prospective victim.  The message could ask for the social security number or other government issued ID number as "proof of identity".  A victim would feel reassured seeing their local bank's phone number and think the bank wise for requesting information to ensure they are the account holder.  I suspect the victim would be willing to divulge account numbers, balances, addresses and other information, unwittingly aiding the identity theft.

As with email phishing, an unsolicited request for information needs further verification.   Visual clues such as a known URL or Caller ID number should not be sufficient for trusting the requester.

Uniform Threat Management - April 2009

Uniform Threat Management (UTM) devices are quickly becoming hot security appliances.  The research firm IDC is projecting UTM products to consume over one third of the network security market by 2012.  With a comprehensive suite of security services, they are quite attractive products.

One metric often missing from an evaluation of these security devices is the ability of the vendor to respond to new threats.   We all understand what zero day means.   The ability to block threats quickly versus waiting a week for an update could have a significant impact.   In the past, weekly updates of anti-virus definitions were acceptable.   Today, waiting a day while a new threat attacks our systems is an eternity.  

Before you replace your current gateway architecture, be sure you understand the gains and losses.  Replacing SNORT, which offers the availability of same day rules to detect new threats, with a device that may not be able to identify the threat for several days may upset your security posture.  Will this impact the availability of your systems?  What are the likely remediation costs for infected systems?  Can patches be deployed over a four day span or will patches be required immediately?  What counter-measures can you deploy until the UTM device has been updated?

A change to your security architecture or processes should produce a reduction in costs or a reduction in risk.   Increasing short term risk while reducing long term risk, or vice-versa, must be carefully factored in to your decision.  

Remote Eavesdropping - March 2009

In 2003, a paper was published by Markus G. Kuhn illustrating how radiation from a computer display could be intercepted and decoded to identify the characters.  More recently, two research efforts illustrate how easy it is to capture keystrokes from distances up to sixty feet away.  One is by Inverse Path Ltd and the other was by the Security and Cryptology Laboratory at EPFL (Ecole Polytechnique Federale de Lausanne).

For those environments where measuring radiation from the display or the keyboard isn't possible or affordable, thieves have been using wireless cameras.  The most frequent use of wireless camera spying has been to capture the entry of PIN numbers into an ATM.   However, these cameras can easily be hidden in an office environment and used to monitor keystrokes including passwords.  

While we are on the topic of remote eavesdropping, Chris Paget created a video demonstrating how easy it was to capture information from e-passports (PASScards) and electronic drivers licenses (EDL) issued by several states.  Using a device he built in his spare time at a cost of $250, he could read the embedded RFID chips.  With this hardware connected to his laptop, he drove along city streets and captured information from the people walking by.  Chris plans a test of his hardware at a range of 213 hundred feet or more with some antenna improvements.  At that distance, he could sit in Central Park and track the other visitors.  Or...

Perhaps spying will become a lucrative profession.  No, I don't think the economy can support two million new spies.  But there is a lesson to be learned.  We judge risk by our knowledge and experience combined with sensory input from our environment.  We didn't think that the DES algorithm could be cracked.  Early adopters thought 128 bit WEP was very secure.  How secure are your RFID based access controls?  Will the security of the new proximity credit cards be broken soon?  I challenge the RFID manufacturers to embrace the global security community to ensure their products have no weaknesses.

Identity Theft Risks - February 2009

We hope that our doctor protects our medical and identity information.  Do we expect the same from our insurance agent?  Not the insurance company but the local "authorized agents".  These are the front line workers that operate out of a small office or home office and are authorized to sell policies for major insurance companies.  You may be most familiar with them for home or automobile coverage but they also provide life insurance, annuities and long term care coverage.  Many of these agents also provide investment services.  

You would think that someone possessing medical, identity and investment information would certainly protect it.  Do you expect your agent working from his home office to be an information security expert?  Is the agent's laptop configured to encrypt the sensitive information stored on it?  Hopefully your agent is not the target of a criminal group seeking identity information.  However, you should ask your agent about security practices.  

Many of you are aware of botnets.  Botnets, also called zombie armies, are a collection of infected computers called bots (short for robots) used to perform duties as instructed by a control computer.  Secureworks has published an updated list of SPAM botnets for 2009.  The control computer could instruct the bots to send SPAM or to create a denial of service attack against some target.  The botnet controllers, called handlers, have full control of the bots and can instruct them to perform any action.  Unsophisticated bots could capture keystrokes but more sophisticated bots could harvest the information caches directly from applications.  Today, no known bots can read Microsoft Money or Quicken files.  Tomorrow is another day.

Reminder Regarding the Economic Turmoil - February 2009

Tighter budgets, lost bonuses, salary decreases and layoffs are often precursors to insider security threats.  Facing dire times with bleak possibilities of quick recovery is driving some workers to strike back against their employers.  The highest risk is from the displaced worker faced with the stress of finding employment when there are few jobs.  These workers, most with reasonable IT skills, may be a risk.  Although very few are a risk, layoffs involving thousands of workers increase the likelihood that someone is.

Regardless, companies need to be compassionate for those displaced workers, many of whom just happened to be in the wrong job at the wrong time.  In addition, IT departments must quickly and efficiently disable user accounts for those displaced workers.  History reminds us that 90% of the companies don't disable user accounts on the day the worker is displaced.  The longer these accounts remain active, the more likely someone is going to react to their stress and cause a negative impact to the business.
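One way to check the account-disabling practice above is to reconcile the HR list of displaced workers against a directory export and report every account that is still enabled after the worker's last day.  The Python below is an added example written for this page, not the author's or any product's code; the HR records, account export and dates are all constructed, and the "same-day disable rate" simply measures the 90% figure the post cites against your own data.

```python
from datetime import date

# Constructed HR feed: workers and their last day of employment (made-up data).
HR_TERMINATIONS = [
    {"user": "asmith", "last_day": date(2009, 2, 6)},
    {"user": "bjones", "last_day": date(2009, 2, 6)},
    {"user": "cwong",  "last_day": date(2009, 2, 13)},
]

# Constructed directory export: disabled_on is None while the account is enabled.
ACCOUNTS = [
    {"user": "asmith", "disabled_on": date(2009, 2, 6), "last_logon": date(2009, 2, 6)},
    {"user": "bjones", "disabled_on": None,             "last_logon": date(2009, 2, 10)},
    {"user": "cwong",  "disabled_on": None,             "last_logon": date(2009, 2, 12)},
    {"user": "dlee",   "disabled_on": None,             "last_logon": date(2009, 2, 16)},
]


def overdue_accounts(terminations, accounts, today):
    """Accounts of displaced workers that are still enabled after their last day.

    Each finding records how many days the account has been open past the last
    day and whether a logon occurred after it, which is the case that deserves
    an incident-response look rather than a routine disable."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in terminations:
        acct = by_user.get(t["user"])
        if acct is None or acct["disabled_on"] is not None:
            continue                      # no account, or already disabled
        if today < t["last_day"]:
            continue                      # not yet due
        findings.append({
            "user": t["user"],
            "days_open": (today - t["last_day"]).days,
            "logged_in_after_last_day": acct["last_logon"] > t["last_day"],
        })
    findings.sort(key=lambda f: f["days_open"], reverse=True)
    return findings


def same_day_disable_rate(terminations, accounts):
    """Fraction of displaced workers whose account was disabled on their last day."""
    by_user = {a["user"]: a for a in accounts}
    on_time = 0
    for t in terminations:
        acct = by_user.get(t["user"])
        if acct is not None and acct["disabled_on"] == t["last_day"]:
            on_time += 1
    return on_time / len(terminations) if terminations else 0.0


if __name__ == "__main__":
    today = date(2009, 2, 16)
    for f in overdue_accounts(HR_TERMINATIONS, ACCOUNTS, today):
        print(f"{f['user']}: enabled {f['days_open']} days past last day, "
              f"logon after last day: {f['logged_in_after_last_day']}")
    print(f"same-day disable rate: {same_day_disable_rate(HR_TERMINATIONS, ACCOUNTS):.0%}")
```

Run daily, the report gives the IT department a worklist sorted by how long the gap has been open, and the rate gives management the metric to compare against the 90% figure.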

These are difficult times and we all must work together and understand the stress that exists.  

Risks from Useful Gadgets - January 2009

Most of us have a GPS unit but few think of it as a security risk.  How many of you have programmed the home location as your actual home?  Think of all of the parking attendants and garage workers that you trust with this information.  What if your car is stolen?

In Manhattan and many other cities, leaving your car and its keys with a parking lot attendant is standard operating procedure.  The restaurant you love so much only has a valet parking lot.  At the mall, you choose valet parking because you don't want to drag packages through the parking lot in search of your vehicle.  Maybe you shop less now, but valet parking still remains a treat.  

Sure, you know the attendant as you have parked there many times before.  But did you notice that the keys are hanging on a pegboard for all to see?  That Jaguar key fob will surely attract attention, but perhaps from the wrong person.

Once they steal your car, they will "mine it" for any other useful information or things that they find.  They know where you live, thanks to your trusty GPS which will even provide the fastest route to get there.  Do you mistakenly leave a house key on the key ring?  Maybe you have an emergency key in the glove box.  

Maybe they will find your BlackBerry, left behind because you didn't want to tote it.  With a little luck and some imagination, they might find your banking account and request a password reset be sent to your email.  The term "owned" comes to mind.  Not with the traditional definition regarding a compromised computer, but really being owned.  We have overflowed our gadgets with so much information that any thief would know more about us than even our mothers know.

What else do you leave in the car that contains information about you?  A digital camera?  An organizer?  Garage door key?  Credit card slips?  ATM transaction logs?

New ATM Software - December 2008

Several months ago, my local bank modified the ATM software.  This new software does not keep my ATM card until I am finished.  It returns the card immediately after scanning it.  After I finish my transaction, it prompts with an offer to perform another transaction.  The old software would end your ATM session and return your ATM card at this point.  Since you already have the card, you are conditioned to take your receipt and leave.

Since the ATM software modification, I have noticed that 30% of the time I find the ATM offering another transaction as the last user forgot to end the session.  So they have reduced the security to only knowing the PIN.

Password Resets - September 2008

Automated password reset mechanisms are all the rage.  Vendors have discovered that software to manage password resets is almost free while the cost of a support staff to do the same is quite expensive.  

However, most automated password reset systems ask the same questions and we provide the same answers.  Do you think your mother's maiden name is really a secret?  Care to guess how many people know your pet's name?  The fact is pet names are harvested from social networking sites such as MySpace and user profiles.  In addition, the list of probable pet names is relatively small.  And how many know about the grade school you attended?  Examine your resume and there are probably only one or two schools near your residence.  MySpace and other social networking sites are also good sources of information about your birth.  A white pages directory lookup may even discover that your parents still live in the same house you were born in.

Even worse, many sites allow a user unlimited attempts to supply correct answers for password reset questions.  What if that user isn't you?

Your email account may be the target.  The email account name is already known and only a few password reset questions prevent someone from gaining access.  Once they have access to your email, they can target your online bank accounts and anything else of interest found in your email messages.  Their task is now easier as password reset mechanisms send an email to the email account which they already "own" and thus your other accounts are easily compromised.  

The only solution is to answer the password reset questions with truly random answers with no correlation to facts.  Next, change your passwords and make them unique for each account.  I realize you are now ready to write the passwords down on note paper.  You only need these passwords when you are using your computer and there are numerous programs, such as Password Manager XP, that allow you to store the passwords in a securely encrypted file on your computer.  You can even store the password reset questions and answers along with other information for each account.  Yes, it requires some work but it's much less than the impact of even one breached account or worse, successful identity theft.
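To show what "truly random answers" buys over a guessable pet name, here is an added Python example (written for this page, not code from the author or from any password manager).  It generates one random answer per reset question from the operating system's secure random source and compares the guessing entropy with a constructed pool of a thousand common pet names; the question list and the pet-name sample are made up, and the pool size of 1,000 is an assumption standing in for the "relatively small" list the post describes.  Storing the resulting answers still belongs in an encrypted file, as the post recommends; the example only produces them.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols

# Constructed stand-in for the small pool of probable pet names mentioned in the
# post.  Only a handful are listed; ASSUMED_PET_POOL_SIZE models the full list.
COMMON_PET_NAMES = {"max", "bella", "buddy", "lucy", "charlie", "molly", "daisy", "rocky"}
ASSUMED_PET_POOL_SIZE = 1000

# Constructed example of the questions a reset form typically asks.
RESET_QUESTIONS = [
    "What is your mother's maiden name?",
    "What was the name of your first pet?",
    "What grade school did you attend?",
]


def entropy_bits(pool_size: int, length: int = 1) -> float:
    """Guessing entropy of `length` symbols drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def random_answer(length: int = 20) -> str:
    """A reset answer with no relation to any fact about the account holder."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_fact_like(answer: str) -> bool:
    """Flag answers that look like the harvestable facts the post warns about."""
    return answer.strip().lower() in COMMON_PET_NAMES


def build_reset_answers(questions, length: int = 20) -> dict:
    """Map each question to a fresh random answer; every answer is independent."""
    return {q: random_answer(length) for q in questions}


def compare_strength(pet_pool_size: int = ASSUMED_PET_POOL_SIZE, length: int = 20) -> dict:
    """Bits of guessing entropy for a pet-name answer versus a random one."""
    return {
        "pet_name_bits": round(entropy_bits(pet_pool_size), 1),
        "random_answer_bits": round(entropy_bits(len(ALPHABET), length), 1),
    }


if __name__ == "__main__":
    for q, a in build_reset_answers(RESET_QUESTIONS).items():
        print(f"{q}\n  -> {a}")
    print(compare_strength())
```

With the assumed pool of 1,000 pet names an attacker needs about 10 bits of guessing, which the "unlimited attempts" the post describes makes trivial; a 20-character random answer is roughly 119 bits, out of reach even with unlimited attempts.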