Before we proceed with the show notes, may we please have a moment of silence for the passing of Geocities, the last refuge of the blink tag.
(The rest of the show is all about security stuff, and we even have all three of us on together again, but I’m just too choked up over the death of Geocities for proper show notes. It was as if a million cheesy fan sites cried out, and were suddenly silenced.)
This really is Episode 171, even if I called it 170 at the beginning of the podcast – Martin
Network Security Podcast, Episode 171
Fraud alerts on your credit cards are one of those really useful tools that have been put in place by law, only to be neutered by the same law. They’re great in that they put a lock on your credit scores and let you know when anyone is trying to open an account in your name, but at the same time they’re incredibly hard to use because you have to fill out paperwork every three months. There is an extended fraud alert that will protect you for a period of seven years, but in order to qualify for that, you have to provide a police report proving that you’ve been targeted by identity theft. To top off the insult from the credit reporting companies, you have to file separate fraud alerts with each company and maintain them yourself if you want to be relatively safe.
Enter LifeLock; for a small monthly fee they would maintain your fraud alerts for you and even provide a number that creditors could call in order to unlock your credit ratings. This was great for consumers: it let them keep their credit scores locked so that it was that much harder for someone to open an account in your name, or for the credit card companies to review your credit score and send your monthly junk mail offerings. This is a big win for us, but it cuts into the major source of revenue of the big three credit scoring companies, Experian, TransUnion and Equifax. If too many people keep their credit scores hidden, the scoring companies can’t sell their big lists of names, or at least those lists lose some of their value. So in 2008, Experian sued LifeLock to block the practice and won. Experian and LifeLock have settled the lawsuit and LifeLock is forever forbidden from filing credit locks on behalf of consumers.
According to Experian and LifeLock, this is a positive for LifeLock, which it is. They get to move out of the shadow of a nasty lawsuit and rework their business model to find something else to do to help protect consumers. Experian and the other two credit scoring companies find this to be a huge win, since it sets a precedent and makes it that much harder for any other company to provide a similar service. The big loser in this transaction is us, the consumers, since we now have to remember to reset our credit lock with all three credit scoring companies every three months if we want to protect ourselves. Thanks, Experian. You’ve made it perfectly clear what you’re really trying to protect: your revenue stream.
I knew about the Miranda act and the Fifth Amendment, but I’d never really realized how little protection they offer if you decide to talk. The words “Anything you say can and will be used against you” really mean exactly what they say. I’m not much of a troublemaker, despite what some of my previous employers might say, but after watching a pair of videos from the University of Alberta (watch them below or on the Law is Cool site), the only words I’m going to say to a police officer from now on are going to be “I want to talk to my lawyer”.
The point that the professor makes again and again is that there is nothing you can say to a police officer that is going to help you. You are infinitely more likely to say something that can be used against you, even if you’re innocent, than to say anything that helps you. The part that surprised me is that even if you say something to the police that could help you, your attorney can’t use it in your defense. That may just be the law in Canada, but I’m not willing to take the chance.
Even if you’re completely innocent and were just a witness to a crime, do yourself a favor and have a lawyer present. It’ll cost you some money, it’ll cost the police some time, but it might make the difference between potential problems and walking out of the police station at the end of the interview. People get excited and make mistakes, and things sometimes come out the wrong way. Better to remain silent and be thought a fool than open your mouth and remove all doubt. The officer in the video states several times that the police are allowed to lie in interviews; in a worst-case scenario, what you thought was just making a statement could turn into a full-on interrogation if you misspeak, even if it’s an honest mistake.
This should make the holiday season interesting; my BiL is a Southern California police officer and I don’t think he’d see the humor in me bringing a lawyer to the family get-togethers.
It’s not often you win a contest you didn’t even know was going on, but that’s exactly what happened to me today! I’ve been using a local ISP, Sonic.net, for almost a decade and have been almost uniformly happy with them the whole time. They were started by a couple of students from the Santa Rosa Junior College and have grown to be one of, if not the, largest independently owned ISPs in the United States. This October marks their 15th anniversary and they’re celebrating by running a contest on Twitter where they’re giving away free Internet service for a year, and I was one of the winners! Who knew retweeting something Leo Laporte sent out could be so rewarding!
I won’t lie and say my experience with Sonic has always been perfect. There was a period of about a year where DSL was not available at my house yet (thanks to AT&T) but a variety of radio-based Internet access was. I used it with varying results. On sunny days before my neighbor’s tree grew too big it was great. On foggy days the wireless was okay but prone to some occasional dropped packets. And when it rained, it almost wasn’t worth it to turn on the computer. Eventually my neighbor’s tree grew to the point where the wireless link wasn’t viable anymore and AT&T finally got DSL into my area, which is funny since I’m almost equidistant between the local AT&T office and Sonic.net’s world headquarters. But through it all the folks at Sonic did everything they could to help me, including sending technicians to check the antenna on more than a few occasions. I don’t want that wireless connection back, but knowing the company cared enough to work with me through those problems has kept me with them since.
I like working with a local ISP. I like knowing I can make the two mile drive to visit their offices if I need to. I like knowing that their CEO as well as some of their support staff are on Twitter. But most of all, I like the fact that they’ve done everything they can to make my experience a positive one. I’d be staying with Sonic for the foreseeable future in any case, but winning a free year of Internet access makes it even better.
Richard Bejtlich had to take a couple of minutes yesterday to rant about someone who posted in a forum that we just need to protect the data. Don’t we wish it was that simple? Which form of the data is it we’re trying to protect? At rest, in motion, encrypted, unencrypted, printed out, on your screen, at the POS, on the server, in the database, in the client/customer’s hands, etc. etc. ad nauseam. The basic thought from the original commenter was that if we just protect the data itself, none of what’s going on in our network should matter, since the data itself is safe. But as Richard points out, it’s impossible to separate the data from the servers and networks that it exists on, and therefore ‘protecting the data’ just isn’t enough.
Let’s use Heartland Payment Systems as an example: a piece of code on the servers that were processing the cardholder data was compromised, and the data was being stolen in the brief time between when it was received over a secure connection and when it was encrypted. Simply protecting the data fails here. There’s no iteration of ‘protect the data’ that could have possibly worked here. The data had to be in an unencrypted state for a brief time; it was impossible for it to go from the encryption of SSL to another form without existing in an unencrypted form at some point during the process. Which is why the simple maxim of protecting the data itself is always going to break down at some point: in order to be usable, the data is always going to have to be in a vulnerable, unencrypted state at some point. Which is why we will always have the concept of defense in depth in security, and why we need overlapping security controls that cover for each other’s weak points.
There’s no one true way to data security. Ask the physical security guys, who have centuries of history and lessons to draw from. Every security measure has its weakness that will be exploited at some time, no matter how small. There aren’t simple ‘just do X’ answers in our chosen profession; it’s always going to be about making trade-offs between security, usability and resources. Some security philosophies work better than others, but just as with security measures themselves, we have to embrace a set of overlapping security philosophies, just like we have to have overlapping security measures. Otherwise we’re just fooling ourselves and leaving blind spots for the enemy to exploit.
It takes a brave man to admit publicly that he almost fell for a phishing email, especially when he’s the head of one of the biggest law enforcement agencies in the world. It takes an even braver man to admit that his wife has forbidden him from doing any online banking in the future. But that’s exactly what FBI Director Robert Mueller did earlier this week; he told the world that he almost fell for a phishing scam recently.
I can’t blame Director Mueller in the least. Like most people who have a semi-public email address, I get several hundred spam and phishing emails a day. If I let my account go for a weekend, it’s not uncommon for me to end up with over a thousand messages in my spam folder and 40-50 that make it through several layers of protection to my inbox. And of those I can dismiss 90% with a glance. But it’s that last fraction of a percent that really worries me. I have to take a long, close look at them, and I still don’t know sometimes if they’re really phishing attempts or just poorly written emails from one of the dozens of people I have legitimate business with. If there’s any doubt in the end, I delete them without the email. I’m sure I’ve deleted some real emails from time to time, but I’d rather not take the chance.
I wish it was as easy as saying “Your bank will never send you a link to click on”, but the truth is there are a lot of banks that really will send you links in an email. To make matters worse, some of them will use odd domains or redirect through other companies’ domains. It’s easier for them to market to you if they can send you a nice easy link to click on for that new mortgage. And we’ve all encountered marketing and sales professionals who don’t get it even if you try to explain until you’re blue in the face. Some IT professionals don’t understand it any better, and I’ve even run into some security professionals with the same weakness. Phishing emails are purposely confusing and as close to the real thing as they can get in order to get through.
I hate to bang the drum of “we’re losing the cyberbattle”, but right now, I think the tide is in favor of the bad guys. And I think it’ll get worse before it gets better. But unlike 10 or even 5 years ago, the FBI and other law enforcement agencies are getting geared up to make a real difference in the war. We’ve got a few years before the tide starts to turn again, but I think we’ll start seeing some effect much sooner. The FBI’s arrest of 33 people in Operation Phish Phry is a good start, but it’s only a drop in the ocean.
Update: Thanks to Walt Conway for letting me know I had the wrong link and sending me one for Operation Phish Phry as well.