Archive for the 'Risk' Category

Dec 01 2013

Security in popular culture

One of the shows I’ve started watching since coming to the UK is called “QI XL“.  It’s a quiz show/comedy hour hosted by Stephen Fry where he asks trivia questions of people who I assume are celebrities here in Britain.  As often as not I have no clue who these people are.  It’s fun because rather than simply asking his questions one after another, the group of them riff off one another and sound a little bit like my friends do when we get together for drinks.  I wouldn’t say it’s a show for kids though, since the topics and the conversation can get a little risque, occasionally straying into territory you don’t want to explain to anyone under 18.

Last night I watched a show with someone I definitely recognized: Jeremy Clarkson from Top Gear.  A question came up about passwords and securing them, which Clarkson was surprisingly adept at answering, with the whole “upper case, lower case, numbers and symbols” mantra that we do so love in security.  He even knew he wasn’t supposed to write them down.  Except he was wrong on that last part.  As Stephen Fry pointed out, “No one can remember all those complex passwords!  At least no one you’d want to have a conversation with.”

Telling people not to write down their passwords is a disservice we as a community have been pushing for far too long.  Mr. Fry is absolutely correct that no one can remember all the passwords we need to get by in our daily life.  I don’t know about anyone else, but I’ll probably have to enter at least a dozen passwords before the end of today, each one different, with different levels of security and confidentiality needed.  I can’t remember that many passwords, and luckily I don’t have to since I use 1Password to record them for me.  

But lets think about the average user for a moment; even as easy as 1Password or LastPass are to use, they’re probably still too complex for many users.  I’m not trying to belittle users, but many people don’t have the time or interest to learn how to use a new tool, no matter how easy.  So why can’t they use something they’re intimately familiar with, the pen and paper?  The answer is, they can, they just have to learn to keep those secrets safe, rather than taping the password on a note under their keyboard.

We have a secret every one of us carry with us every day, our keys.  You can consider it a physical token as well, but really it’s the shape of your keys in particular that are the secret.  If someone else knows the shape of your keys, they can create their own and open anything your keys will open.  This is a paradigm every user is familiar with and they know how to secure their keys.  So why aren’t more of us teaching our users to write down their passwords in a small booklet and treat it with the same care and attention they give their keys?  Other than the fact it’s not what we were taught by our mentors from the beginning, that is.

A user who can write down their passwords is more likely to choose a long, complex passsword, something they’d probably have a hard time remembering otherwise.  And as long as they are going to treat that written password as what it is, a key to their accounts, then we’ll all end up with a little more security on the whole.  So next time your preparing to teach a security awareness class, go back to the stationary store and pick up one of those little password notebooks we’ve all made fun of and hand them out to your users, but rememind them they need to keep the booklet as safe as they do their other keys.  If you’re smart, you’ll also include a note with a link to LastPass or 1Password as well; might as well give them a chance to have even a little better security.

3 responses so far

Nov 25 2013

Two more years of Snowden leaks

Published by under Cloud,Government,Privacy,Risk

I’ve been trying to avoid NSA stories since this summer, really I have.  I get so worked up when I start reading and writing about these stories and I assume no one wants to read my realistic/paranoid ranting when I get like that.  Or at least that’s what my cohosts on the podcast have told me.  But one of the things I’ve been pointing out to people since this started is that there were reportedly at least 2000 documents contained in the systems Edward Snowden took to Hong Kong with him.  There could easily be many, many more, but the important point is that we’ve only seen stories concerning a very small number of these documents so far.

One of the points I’ve been making to friends and coworkers is that given how many documents we’ve seen release, we have at least a year more of revelations ahead of us, more likely two or more.  And apparently people who know agree with me: “Some Obama Administration officials have said privately that Snowden downloaded enought material to fuel two more years of news stories.”  This probably isn’t what many businesses in the US who are trying to sell overseas, whether they’re Cloud-based or not.  

These revelations have done enormous damage to the reputation of the US and American companies; according to Forrester, the damage could be as much as $35 billion over the next three years in lost revenue.  You can blame Mr. Snowden and Mr. Greenwald for releasing the documents, but I prefer to blame our government (not just the current administration) for letting their need to provide safety to the populace no matter what the cost.  I don’t expect everyone to agree with me on this and don’t care if they do.  It was a cost calculation that numerous people in power made, and I think they chose poorly.

Don’t expect this whole issue to blow over any time soon.  Greenwald has a cache of data that any reporter would love to make a career out of.  He’s doing what reporters are supposed to do and researching each piece of data and then exposing it to the world.  Don’t blame him for doing the sort of investigative reporting that he was educated and trained to do.  This is part of what makes a great democracy, the ability of reporters (and bloggers) to expose secrets to the world.  Democracy thrives on transparency.

As always, these are my opinions and don’t reflect upon my employer.  So, if you don’t like them, come to me directly.

No responses yet

Nov 04 2013

Attacking the weakest link

Published by under Cloud,Government,Hacking,Privacy,Risk

I spend far too much time reading about governmental spying on citizens, both US and abroad.  It’s a job hazard, since it impacts my role at work, but it’s also what I would be researching and reading about even if it wasn’t.  The natural paranoia that makes me a good security professional also feeds the desire to know as much as possible about the people who really are spying on us.  You could almost say it’s a healthy paranoia, since even things I never would have guessed have come to pass.  

But every time I hear about someone who’s come up with a ‘solution’ that protects businesses and consumers from spying, I have to take it with a grain of salt.  A really big grain of salt.  The latest scheme is by Swisscom, a telecommunications company in Switzerland that wants to build a datacenter in that country to offer up cloud services in an environment that would be safe from the US and other countries’ spying.  The theory is that Swiss law offers many more protections than other countries in the EU and the rest of the world and that these legal protections would be enough to stop the data at rest (ie. while stored on a hard drive in the cloud) from being captured by spies.  The only problem is that even the Swisscom representatives admit that it’s only the data at rest that would be protected, not the data in transit.  In other words, the data would be safe while sitting still, but when it enters or leaves Swiss space, it would be open to interception.  

It was recently revealed that the NSA doesn’t need to get to the data at rest, since they simply tap into the major fiber optic cables and capture the information as it traverses the Internet.  Their counterparts here in the UK do the same thing and the two organizations are constantly sharing information in order to ‘protect us from terrorists’.  Both spy organizations have been very careful to state that they don’t get information from cloud providers without court orders, but they haven’t addressed the issue of data in motion. 

So while the idea of a Swiss datacenter built to protect your data is a bit appealing, the reality is that it wouldn’t do much to help anyone keep their data safe, unless you’re willing to move to Switzerland.  And even then, this solution wouldn’t help much; this is the Internet and you never know exactly where your data is going to route through to get to your target.  If it left Swiss ‘airspace’ for even one hop, that might be enough for spy agencies to grab it.  And history has proven that at least GCHQ is willing to compromise the data centers of their allies if it’ll help them get the data they believe they need.  

No responses yet

Oct 24 2013

LinkedIn Outro

“I know!  Let’s build a man in the middle (MITM) attack into our iPhone app so that we can inject small bits of information into their email that show how useful our site and service are.  At the same time we’ll now have access to every piece of email our users send, and even if we only have the metadata, well, that’s good enough for the NSA and other national spying agencies, isn’t it?  Let’s do it!”

I have to imagine the thinking was nothing like that when LinkedIn decided to create Intro, but that’s basically what the decided to do anyway.  If you read the LinkedIn blog post, you can see that they knew that what they were doing is a MITM attack against your email, even if they are calling it a proxy.  They’ve broken the trusted, or semi-trusted, link between you and your IMAP provider in order to get access to your email so they could insert a piece of HTML code into each and every email you receive.  Additionally, they’ve figured out how to make it so that this code is executable directly in you’re email.

Basically, what LinkedIn is asking you to do is create a new profile that makes them the proxy for all your email.  This is similar to what you do for your corporate email when setting it up on a new phone, but rather than having something that’s finely tuned for that corporation, LinkedIn makes the new profile on the fly by probing your phone’s configuration and basing it on the settings it finds.  

I have a hard time believing that someone at LinkedIn didn’t wave a red flag when this was brought up.  You’re asking users to install a new profile making you their new trusted source for all email, you’re asking that they trust you with their configuration and you’re capturing, or at least having access to the stream of all authentication data for their email.  Didn’t anyone at LinkedIn see a problem with that?  I have to imagine there are plenty of corporate email administrators who’ll have a problem with it.

Given recent history and the revelations that metadata about a person’s communications, LinkedIn is  audacious to say the least.  They know what they have, or at least want to have: information similar to what Google and Facebook have about your daily contacts and habits.  This is a huge data mining operation for them, aimed at learning everything they can about their users and applying that to advertising.  But I think they have overreached in their their desire to have this information and are going to get shut down hard by Apple.  And this doesn’t even take into account the fact that they’ve already had data breaches and are being sued for reaching into consumers’ calendars and contact information.

I don’t think LinkedIn has been a good steward of the information they’ve had before, and there’s no way I’d install Intro onto one of my iDevices if I was a heavy user.  The fact is, I have an account that I mostly keep open out of habit and this is nearly enough to make me shut it down for good.  If I wanted my every move tracked, I’d just keep open a Facebook tab in my browser. And while they may not be much of an example when it comes to privacy, I guess Facebook is a great example when it comes to profitability.  Way to go LI.

 

No responses yet

Oct 17 2013

What’s a micromort?

Published by under Family,Humor,Risk

One of the cool things we’ve found on TV since moving to the UK is QI XL.  It’s a BBC show hosted by Stephen Fry where they take a rather comedic romp through a bunch of facts that may or may not have anything to do with one another.  Last night’s show was about Killers and a term that was completely new to me came up, a unit of measure called the ‘micromort’.  It’s basically a measurement equal to a one in a million chance of dying because of a specific event.  Really, it’s a scientifically valid measurement of risk.  And yes, our family has a strange idea of ‘cool’.

Why is the micromort important and relative to security?  Because humans, and security professionals are included in that category, have a horrible sense of the the risks involved in any action.  For example, you are 11 times more likely to die from a 1 mile bike ride, .22 micromorts, than you are from a shark attack, .02 micromorts.  Yet the same people who fear sharks greatly but are willing to go on a bike ride on a daily basis.  And many of those people smoke, which is a single micromort for each 1.4 cigarettes smoked.  People suck at risk analysis.

So could we come up with a similar unit of measurement for the risk in a million of a single action leading to a breach?  Someone needs to find a better name for it, but for the sake of argument, let’s call it a microbreach.  Every day you go without patching a system inside your perimeter is worth a microbreach.  Deploying a SQL server directly into the DMZ is 1000 microbreaches.  And deploying any Windows system directly onto the Internet is 10 million microbreaches, because you know that it’ll be scanned and found by randomly scanning botnets within minutes, if not seconds.

The problem is that the actuarial tables that the micromort measurements are drawn from millions of daily events.  People die every day, it’s an inevitability and we have a very black and white way of measuring when a person is dead.  We can’t even really agree on what constitutes a breach in security at this point in time, we don’t have millions of events to draw our data from (I hope) and even if we do, we’re not reporting them in a way that could be used to create statistical data about the cause of these events.

Some day we might be able to define a microbreach and the cost of any action in scientific terms.  There are small sections of the security community that argue endlessly about the term ‘risk’ and I have to believe they’re inching slowly towards a more accurate way to measure said risks.  I don’t expect those arguments to be settled any time soon, and perhaps not even in my lifetime.  So instead I’ll leave you with an entertaining video on the micromort to watch.  Thanks to David Szpunar (@dszp on twitter) for pointing me to it.

No responses yet

Oct 15 2013

Don’t ask for my password or PIN, United!

I’ve been a United Airlines customer for years.  I’ve been very loyal to United and the Star Alliance.  I’ve flown over 300k miles with them, I’ll have flown over 100k miles this year alone as of my next trip.  I’m in the top tier of their frequent flyer program and they generally treat me very well, with the kinds of exceptions that plague every airline, like maintenance and weather delays.  But they do one thing that really, really bugs me and they need to change it: When I call in use my mileage or alter a ticket, their customer service representative asks for my PIN!

When you log into the United site, you have two choices; you can use your password or a four digit PIN to log in.  The same PIN or password can be used to login to the mobile application as well.  This login allows access to all aspects of the account’s capabilities, allowing the user to change flights, get updates and spend frequent flier miles.  In other words, total control of the account.  And the customer service reps need this PIN in order to make changes to my account.

This is why I’m extremely annoyed by the way United treats my PIN.  In effect, every time I call in to United, I have to give up total control of my account to a complete stranger.  I have to either trust that they are well vetted by airline, something I’m not entirely sure is true or go through the hoops of changing my PIN every time I call in to United’s customer care services.  Alternatively, I can ignore both of those options and simply hope that nothing happens when I give up my password.  I’ve done all three at various times, but it still makes me angry that I have to choose one of these options.

I’ve complained to United several times when calling in.  I’ve talked to the agent on the phone, I’ve asked to speak to a manager, but as recently as last week they show no sign of understanding that this is a problem or making any changes.  The requirement to give up my password seemed to coincide with the merger of United and Continental and the adoption of the Continental computer systems.  The impression I’ve received from sources inside of United and out is that the Continental system was developed in the mid-70′s and has been largely unchanged since then.  Yes, they slapped some lipstick on the pig in the form of a web interface, but the back end is still a mainframe of some sort with a security model that hasn’t changed since it’s inception.

I have to appeal to United’s security teams:  Please, please, please find some way of changing your system so that I don’t get asked for a sensitive piece of information like my password or PIN every time I need to talk to your agents for a change to my flight!  I realize there is no credit card data directly available from my account, but my flight information is and it opens up the ability to change my flights or spend my mileage.  This really is something that shouldn’t be allowed in the modern age, from a multi-national corporation that really should know something about security and securing customer data.  Between moving to the UK and your poor security, I’m seriously thinking it’s time for a different airline.

One response so far

Oct 14 2013

Your email won’t be any safer over here

I’m not sure why anyone has the illusion that their data would be safer in Europe than it might be in the US.  While some of the countries in Europe seem to have better laws for protecting email, it’s not a clear cut thing and there are always trade-offs.  While they might have better protections for data at rest, while in transit it might be fair game, or vice versa.  Plus, if you’re an American, you’re the foreigner to those nations, so many of the protections you might think you’re getting are null and void for you.

Rather than simply speculate, as many of us do, Cyrus Farivar at Ars Technica has written an article, Europe Won’t Save You: Why Email is Probably Safer in the US.  If you examine the laws closely, you’ll find that while countries like Germany appear to have stronger privacy laws, some of the caveats and edge cases make a lie of that appearance.  In this particular example, German law puts a  gag order in place by default that prevents your service provider from notifying you in case they’re served with a subpoena or similar device.  Think on that for a moment: if your service provider is served, you’ll never hear about it by default, rather than only when the large intelligence agencies take an interest in you.

Since I moved to the UK I’ve been hip deep in similar arguments with regards to cloud service providers.  Many folks in and around Europe seem to think that their own laws will somehow protect them from the threat of having their data raided by the NSA or some other, even more shadowy US organization.  But the reality is that in many countries they have less protection from their own governments than they do from the US.  Which barely scratches the fact that the core internet routers in many, if not all, countries are compromised by multiple governments, who are getting feeds of every packet that flows across their infrastructure.

The other concern that I hear quite often is about US businesses and information leaving the European Union.  I find this concern interesting, and believe it is likely to be a much more legitimate issue.  In the EU, the data protection laws appear to be much stronger than they are in the US, especially the Safe Harbor Principles.  But the reality is that businesses see the value of having as much personal information as they can get their hands on, so Safe Harbor is given lip service, while the businesses find ways to get around these requirements.  Or in many cases, ask users to opt out of some of the protections to get additional functionality out of a site.

Don’t think that hosting your email or other service is going to protect you if a government wants to get its digital fingers into your email.  As Farivar points out, the closest thing you’ll have to privacy is if you store your email on your own devices and encrypt it with your own encryption keys.  Storing it anywhere else leaves you open to all sorts of questionable privacy laws between you and your hosting provider.  You can’t just consider the jurisdiction you’re in, you have to consider every route your data might take between point A and point Z.  Being the Internet, you’ll never know exactly what route that is going to be.

Personally, I’m not pulling the plug on my Gmail account any time soon.  No government is worse than Google when it comes to intrusive monitoring of your email, lets be honest.

No responses yet

Oct 13 2013

Time to change DNS methods

I’m going to ignore the whole question of whether or not social engineering is ‘hacking’ for now.  The difference between the two is mostly academic, since the effect of having your site hacked due to a weakness in the code and having all your traffic redirected to a site that the bad guys own is immaterial.  Either way, your company is effectively serving up something other than the page you intended, which is what really matters.

There have been a number of high profile sites that have recently been attacked through their DNS registrar.  Registrars are the companies who are responsible for keeping track of who owns which domains and providing the base DNS information for where to find the systems associated with a domain.  In theory, they’re supposed to be some of the most heavily defended type of enterprise on the Internet.  But the practice is different from theory, and even registrars have their weaknesses.  In the case of Register.com, this appears to be social engineering attacks.

The latest victims of social engineering attacks were Rapid7 and the Metasploit project, as were AVG Antivirus, Avira and WhatsApp.  What’s almost funny about the latest attack is that the attackers had to send a fax in as part of the change request to make the changes.  To think that a technology that had it’s heyday in the 80′s would be the method used to attack companies in the second decade of the 21st century is amusing.  Hopefully Register.com has already begun reviewing their processes to prevent a similar event from happening again in the future.  And, again hopefully, other registrars are learning from the mistakes of Register.com and reevaluating their own processes.

There is something companies can do to lessen the chance of a similar attack happening to them, called a registrar lock. This isn’t a step a lot of companies have taken yet, since it slows down the change process by requiring the administrator to first unlock the domain before making any changes, a step that has varying complexity depending on the registrar.  Also, not all registrars support locking, so this isn’t always an available option.  If your registrar doesn’t support registrar locking, it’s time to push for it or consider a new registrar.  That last part usually gets their attention.

I do understand the pressure the registrars are under; on one hand they have to secure their clients’ DNS records, but on the other they have to be flexible for clients who have a hard time understanding the basics of DNS.  It’s not an enviable position to be in.  Which is why registrars have to work harder to prepare for social engineering attacks than most other businesses out there.  But understanding the pressure doesn’t mean I cut them any slack for failing in their duty.

Update: Add two more to the compromised list, Bitdefender and ESET.  And again Register.com is the common point of weakness.

No responses yet

Oct 06 2013

Invasive monitoring at next Winter Olympics

If you have plans to go to the next Winter Olympics, in Sochi, Russia, prepare to have any and all of your electronic communications monitored.  The Guardian has found paperwork, including procurement documents and tenders, looking for the technology needed to monitor all communications to and from the Olympic venue.  We have to assume that this means all phone calls, all wifi access and is very likely to include ways to break into other, supposedly encrypted, channels such as Skype and the TOR network.

It’s really nothing new to think of governments monitoring the communications going on at the Olympics, but the sheer size and depth to which the Russian government will be monitoring is more than a bit daunting.  Given the current environment and the fact that citizens from every walk of life are more sensitive than ever to being spied upon, it’s very likely that this will receive more attention than if it had happened at the London Olympics.  And because it’s Russia that’s doing the monitoring, rather than a western power, it makes it more suspect in many people’s eyes.

One of the scary aspects the Guardian story hints at is that monitoring won’t be aimed simply at the security and safety of attendees of the Olympics, it will also be aimed at political dissidents and ‘illegal’ activities, such as gay rights activism.  Adding to that the probability that all data captured during the Olympics is going to be stored indefinitely and analyzed in depth, anyone who holds views that are unpopular in Russian government should be very, very nervous.  I won’t be surprised to see a number of Russian citizens who attend the Olympics arrested three to six months later as the government gets around to analyzing their communications.  Or to have these communications surfacing years later to embarrass dissidents.

Yes, I’m paranoid.  But if I have an opportunity to attend the Olympics in Sochi, I’ll have to think twice before accepting it.  I’ll take a number of precautions similar to what I’d take if I was attending a big event in China: burner phone with a local SIM, laptop that will be retired after the event, email address that only gets used during the Olympics, just for starters.  I’d also be very cognizant of the fact that I’m being monitored every moment, with my movements being analyzed by computer algorithms as well as human agents.  Most importantly, I would avoid any reading that would raise my paranoia level higher than it already was before or during the trip.

Most people will be oblivious to the monitoring at the Olympic games.  And for most people, that’s a price they’re willing to pay in order to see one of the biggest events in the world.  Which could be the right decision for the average Joe.  But if you’re not the average Joe, if you have opinions or tendencies that are unpopular with the Russian government, think twice about taking some precautions before you head to the Olympics in 2014.

Last of all, remember, the monitoring of electronic communications will just part of the equation.  There will be mics and cameras everywhere as well.  Probably even the bathrooms.

No responses yet

Oct 03 2013

Not so anonymous

Published by under Government,Privacy,Risk

Maintaining anonymity on the Internet is hard.  And it’s only getting harder as governments get savvy about how to track down people who are doing “bad things”.  All it takes is one little mistake and you’re cover is completely blown.  This applies to criminals as much as it does to political activists, something to keep in mind as you wander the web and express your opinions: OPSEC (Operations Security) is hard.

We have two recent examples of this.  The Dread Pirate Roberts mastermind of Silk Roads, an online drug trafficking site that has been around for years, was arrested this week, and in part it appears that all it took was a few simple mistakes.  One mistake was accessing the servers controlling Silk Road from an internet cafe near the hotel he was staying in at the time.  Another was using an Gmail address that had additional contact information, at least if you have a subpoena forcing Google to disclose that information.  Apparent the final straw was when “Dread Pirate Roberts” tried to get fake ID’s sent to his real address.  Connecting your digital and physical identities like this is generally a bad idea.

The other story is that thirteen members of Anonymous have now been indicted on charges related to attacks against the MPAA, RIAA and several financial institutions.  When Anonymous started attacking as a form of protest, they thought that the use of tools like LOIC and HOIC would keep them from being caught, because they’d be part of a crowd and hard to track down.  That was a laughable assertion, primarily because the tools make no effort to hide the source of their traffic and makes tracking it back fairly simple.  It’s more an issue of having the time and will to hunt down a nuisance than technical difficulty.  But if you add hacking of web sites and other federal crimes to the list, you might find that the FBI suddenly has the will needed to find you.  Funny, that.

The difficulty of maintaining on the Internet is much higher than most people understand.  All it takes is logging in from the wrong location once or using an address that’s linked to your real world identity and you’re toast.  Which makes it all the more amazing that th3J35t3r has managed to maintain some anonymity for a number of years now.  Makes you think maybe he has people helping him maintain that anonymity in all sorts of places.

It’s only going to get harder to retain any sort of secrecy associated with identity as time goes by.  Due, in part, to American spying, Brazil is considering creating their own ‘Internet’.  The ITU is seriously considering taking control of the Internet away from American companies and allowing various countries to implement their own controls at their borders.  Many of the proposed changes would require end users to explicitly tie their identity to their browsing and Internet activity.  The idea of a balkanized or country specific Internet with borders, was once thought of as a laughable idea, but now might be a very real possibility.

If you’re planning on doing ‘bad things’ on the Internet, remember that keeping your identity a secret is hard now and it’s only going to get more difficult as time goes by.  Both of the examples I used are clearly criminal actions, but it’s our governments who get to decide what ‘bad things’ are; the opinion that you felt free to express today might be added to that classification at any time.  Since everything you’re doing online is now being kept in databases for future reference, keep in mind that what you’ve already said could some day be considered ‘bad’.  May you live in interesting times.

No responses yet

« Prev - Next »