
February 16, 2007

Trust is *not* security

“February 12, 2007 (Computerworld) -- In Lancaster, Pa., last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.

And who did the coroner allegedly give his password to? Newspaper reporters. Now there’s a trusting user.”
The entire article can be found here: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=282376&source=NLT_SEC&nlid=38

- Clearly this guy should not have been giving out his login credentials to anyone (much less a member of the media, jeez).

- Where were the auditing procedures and detection? "...an IT staffer checked Web site logs and discovered that the site was accessed more than 50 times in two weeks from computers at a newspaper office". OK, logging was working, but if no one reviews the logs regularly, or notifications are not sent out for suspicious activity, the logs provide less value (they provided good forensic value once people realized there was a problem though).

- Thankfully "a reporter from a competing newspaper called the county to find out why he didn’t have access". Just think if this reporter didn't call; the security breach would still be going on....

This article again proves that the human element is typically the weakest when it comes to computer security. I’m betting they are going to make an example of this guy…
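As an added illustration of the log-review point above (this is example code, not anything from the article or the county's systems), the routine below counts each account's accesses from outside an assumed trusted address range and raises an alert once a threshold is crossed; the log format, account names, addresses and threshold are all constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Flags an account used repeatedly from outside the networks its owner should be on.
// Constructed: 10.0.0.0/8 stands in for the county network, 192.0.2.0/24 for the newspaper.
public static class AccessLogReview
{
    // Constructed sample lines: "<timestamp> <account> <client-ip> <path>"
    public static readonly string[] SampleLog =
    {
        "2007-01-29T08:02:11 coroner01 10.5.1.40 /911/incidents",
        "2007-01-29T09:15:47 coroner01 192.0.2.17 /911/incidents",
        "2007-01-29T09:16:03 coroner01 192.0.2.17 /911/autopsy/4411",
        "2007-01-30T07:55:20 coroner01 192.0.2.18 /911/witnesses",
        "2007-01-30T13:01:09 medic07 10.5.2.12 /911/incidents",
    };
    // Assumed trusted IPv4 ranges as (network, prefix length).
    public static readonly (IPAddress Net, int Prefix)[] TrustedNets =
        { (IPAddress.Parse("10.0.0.0"), 8) };

    static uint ToUInt(IPAddress ip)   // IPv4 only in this example
    {
        byte[] b = ip.GetAddressBytes();
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    public static bool InTrustedNet(IPAddress ip) => TrustedNets.Any(t =>
    {
        uint mask = t.Prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - t.Prefix);
        return (ToUInt(ip) & mask) == (ToUInt(t.Net) & mask);
    });

    // Count per-account accesses from untrusted networks and report those at or above
    // the threshold; running this on a schedule is the regular review the post asks for.
    public static List<string> Alerts(IEnumerable<string> log, int threshold)
    {
        var counts = new Dictionary<string, int>();
        foreach (string line in log)
        {
            string[] f = line.Split(' ');
            if (f.Length < 4 || !IPAddress.TryParse(f[2], out IPAddress ip)) continue;
            if (!InTrustedNet(ip)) counts[f[1]] = counts.GetValueOrDefault(f[1]) + 1;
        }
        return counts.Where(kv => kv.Value >= threshold)
                     .Select(kv => $"ALERT {kv.Key}: {kv.Value} accesses from untrusted networks")
                     .ToList();
    }

    public static void Main() => Alerts(SampleLog, 3).ForEach(Console.WriteLine);
}
```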

jk

February 10, 2007

Alice & Bob

Things like patterns and best practices help out developers by promoting consistency and communication. For example, in describing a piece of code to a fellow developer, which is easier to understand:

1) I defined a family of algorithms, encapsulated each one as an object, and made them interchangeable
-or-
2) “I used a Strategy Pattern” (http://en.wikipedia.org/wiki/Strategy_pattern)

Clearly #2 is easier to understand. Not only did I use a tried-and-true coding technique (the pattern), but the term “Strategy Pattern” conveys special meaning and becomes part of the common language amongst developers.

In that same vein, the Security Community uses a common set of terms to represent characters in a system: http://en.wikipedia.org/wiki/Characters_in_cryptography. The canonical example of this is: ‘Alice sends a message to Bob, but does not want Eve to read the message’. When two security professionals sit down to discuss a scenario, this common verbiage raises the level and efficiency of communication.

Please read the ‘Characters in cryptography’ link and familiarize yourself with the characters. I think these characters can have potential value in many developers’ day-to-day lives, just like design patterns already do. Improving communication and developing a common set of terms will only help a team be more successful!

 

jk

January 05, 2007

Post #100 - Protecting yourself (and your company)

Sadly, there are bad people out in the world and the virtual world. Many coffee shops and bars offer free (read: unencrypted) WiFi to their patrons. This service is very convenient and fun; hey, who wants to work in an office setting when you could be hoisting a frothy beverage (coffee or beer, your choice) in a comfortable setting with your laptop and a few friends???

The problem is, no one believes there is a bad person lurking at a coffee shop, just waiting for you to enter your domain username and password to access corporate email/intranet/eBay/PayPal/Hotmail/your bank...

Are you protecting yourself and your company? I ran across an article titled How to protect yourself at wireless hot spots which offers some simple tips and techniques on protecting your data. Here are the highlights from this article:

1. Disable ad-hoc mode -- PLEASE PLEASE do this; it is so simple and the cost of using ad-hoc mode far outweighs the benefits from a security standpoint.
2. File Sharing -- many people don't even know much about this, so if you don't know how to use it, reduce your attack surface and TURN IT OFF! Even if you think you know how to use it, make sure you are only sharing what you intend to share with the world. I know, your mom always told you to share, but if she had known about unencrypted WiFi, she would have put on the disclaimer!!! :)
3. Turn off network discovery (Vista only) - I have not fired up Vista yet, so I have nothing intelligent to add here....
4. Carry an encrypted USB flash drive - I like this one; I don't own one of these yet, but suspect I will be picking one up very soon; not so much for storing my OS on it, but strictly for data...
5. Protect yourself with a virtual private network - VPN == goodness; 'nuff said
6. Disable your wireless adapter - ok, this maybe is not a reality, but it *IS* a possibility
7. Watch out for shoulder surfers - The security mantra of "Social engineering trumps most security systems" applies here!

Happy new year and 'safe' surfing!!

jk

January 04, 2007

Not even PDFs are safe - Security hole in Acrobat Plugin

A plugin for Acrobat Reader has a major security hole, so please, please, please be careful and only open trusted PDFs for a while until a patch is available.

from: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007051&source=NLT_SEC&nlid=38

"January 03, 2007 (IDG News Service) -- Security researchers are poring over what one vendor has called a "breathtaking" weakness in the Web browser plug-in for Adobe Systems Inc.'s Acrobat Reader program used to open files in the popular Portable Document Format. "


Browse safely!
jk

September 20, 2006

Building Connected Systems - Day 3

Today is 'Security Day' with the esteemed Keith Brown leading the class. We talked about lots of WCF-Security stuff, and also a lot about web security.


Some of the more interesting web security things were:


  • The Code Room - Vegas starring Keith Brown et al. It is a fun little poke at security on web sites and shows session hijacking and SQL injection.

  • Keith has an excellent set of tutorials about input validation located at http://pluralsight.com/wiki/default.aspx/Keith/InputValidationModules.html. All developers should be using these techniques to improve web site security!

  • Integer overflow in managed code exists in C#!!!! This surprises a lot of people (myself included). Keith recommended turning on checking at a project level, and using the 'unchecked' statement if you really need to 'squeeze' performance and bypass the overflow/underflow checking.

  • I got Keith to sign my copy of The .NET Developer's Guide to Windows Security (ok, a bit nerdy I admit)

  • The Cookies and tamper detection module is excellent!

  • We did a lab on input validation using regular expressions. Here is a good link to the PAG site on common regular expressions. Remember, all user input is EVIL and NOT TO BE TRUSTED!

  • Manageability (instrumentation) often gets overlooked in apps because we're too busy building features. However, when it comes time to debug, it is difficult to impossible to quickly find the problem. The .Net Framework makes it trivial to write to the event log and Windows performance counters and there is no reason not to do it!
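An added example of the integer overflow point (my own illustration, not code from the course or from Keith's modules): the same buffer-size computation under C#'s default unchecked arithmetic and under checked arithmetic, with a constructed request and size limit.

```csharp
using System;

// The same size calculation with C#'s default (unchecked) int arithmetic and with
// overflow checking. The request shape and the 4 KB limit are constructed.
public static class OverflowDemo
{
    // Default project setting: int arithmetic wraps silently modulo 2^32.
    public static int BufferBytesUnchecked(int count, int elementSize) =>
        unchecked(count * elementSize);

    // With "Check for arithmetic overflow/underflow" enabled for the project
    // (csc /checked+), or with a checked block like this one, the same
    // multiplication throws OverflowException instead of wrapping.
    public static int BufferBytesChecked(int count, int elementSize) =>
        checked(count * elementSize);

    // A limit check that trusts the wrapped result. For count = 2^30 + 1 and
    // elementSize = 4 the true product is 2^32 + 4, which wraps to 4, so a
    // request for over a billion elements slips past a 4 KB limit.
    public static bool FitsInLimit(int count, int elementSize, int limit)
    {
        int bytes = BufferBytesUnchecked(count, elementSize);
        return bytes > 0 && bytes <= limit;
    }

    // The checked variant turns the wrap into an exception, which the caller
    // maps to "reject the request" instead of allocating a wrong-sized buffer.
    public static bool FitsInLimitSafely(int count, int elementSize, int limit)
    {
        try
        {
            int bytes = BufferBytesChecked(count, elementSize);
            return bytes > 0 && bytes <= limit;
        }
        catch (OverflowException)
        {
            return false;
        }
    }

    public static void Main()
    {
        int count = (1 << 30) + 1;   // 1,073,741,825 elements claimed by a request
        Console.WriteLine($"unchecked: fits={FitsInLimit(count, 4, 4096)}");
        Console.WriteLine($"checked:   fits={FitsInLimitSafely(count, 4, 4096)}");
    }
}
```

The same wrap affects any arithmetic on attacker-supplied lengths (array sizes, offsets, loop bounds), so the project-level setting is the safer default and `unchecked` blocks should be reserved for hot paths whose inputs are already validated.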


My brain is full for today. Time to relax for a bit and get ready for days 4 and 5.


jk

April 17, 2006

Some nice "running as non-admin" links

I was having trouble editing the power settings on my work laptop (running as non Administrator, non Power User).

So, firing up my trusty browser and favorite search engine resulted in a lot of nice links that I wanted to share.

Managing Power Options as a non-administrator

Temporary admin for your limited user account

Changing the system date, time and/or time zone (I feel less strongly about this one, but posted in case it was helpful)

and of course the granddaddy of posts:
Item 9: How to develop code as a non admin

Doing this requires some learning and some discipline. There is a registry hack if you want to get Flash to work properly (I'll post that link sometime when I find it again).

jk

Edit 4/18/2006 12:56pm:

oops, forgot another granddaddy: Mr. Howard's Non-admin best practices in Windows XP

apologies to Mr. Howard :)
jk

April 15, 2006

Paypal Phishing Phake toolbar

yes, i know Phake is not a word. :)

Seriously, I see the phishing artists are hard at work with new ideas to trick people.

Tonight I received an email in my Junk Mail from "PayPal" which was clearly a phake. This is not new, we've all received emails like this.

I always like to open the phake link to see how accurate it looks compared to the real site. The interesting thing to note about this phishing site is they hid the real address bar and put in a simulated address bar textbox (the dropdown even sort of works on it).

In the picture below, the toolbar on the top with the address "http://0xd35bda31" is the 'real' toolbar (I right clicked and re-displayed the toolbar) and the toolbar with the "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run" is the phake toolbar.

Is having a removable toolbar in IE really worth it? (I don't have FireFox installed, so I can't test it to see what it does on there. Maybe one of my loyal readers could do that and comment?). Web sites have long been able to hide/show the address and menu bars. Should my browser really allow some random website to violate my boundaries like this? One way to remedy this would be for browsers to create an option to override the ability for script to hide/show menu and address bars.

These types of phishing pages will only get more sophisticated and confusing. Please IE/FireFox, help protect users from this type of deception!

Here is the phake phishing link (PLEASE DON'T GIVE THEM ANY USEFUL INFO!)

Here is the screenshot of the browser with the phake toolbar:


I hope phishing is not good!

cheers
jk

April 04, 2006

2 year old Identity theft

Apparently even innocent children are victims of identity theft per this MSNBC article.


It’s a practice that often victimizes innocent people, like 2-year-old Tyler Lybbert of Draper, Utah. She doesn't understand that she's got some serious credit problems.

"She's basically got two loans out on her Social Security number and, I believe, a credit card out," says Tyler’s mother, Camber Lybbert. "She's got $15,000 in debt."


This article goes on to discuss illegal immigration, but to me ID theft is a separate issue. True, illegal immigrants are going to want to obtain false identities, but there are thieves who are legal US citizens and there are thieves from other countries who don't even have to set foot in the US to steal someone's identity.

I wish there was an easy answer to this, but there isn't (or it would have already been fixed). The best countermeasure right now is vigilance I guess. :(

jk

March 21, 2006

Feds Again Score Low on IT Security

While looking through the 2005 U.S. government's security report card, it is concerning that ANY agency should get an F, much less agencies like these that are critical to the function of the country!!!

  • Department of Defense

  • Department of Homeland Security

  • Department of the Interior

  • Department of State



oh, and kudos to the Treasury and Commerce departments on their D- and D+ grades respectively.

More information about scoring methodology and the hearing in general is available here.

Thanks Computerworld Security for catching my eye on this....

jk

March 16, 2006

Schneier on Security: Basketball Prank

Here's an excellent story that Mr. Bock found on Bruce Schneier's blog.

It gives a whole new meaning to "March Madness" :)

Social engineering is still quite effective, alive, and well!

cheers
jk

Qwest Voice Mail setting is unsecured

I've had Qwest voice mail for a number of years now (probably around 10). I've always had it set to ring 4 times before going over to voice mail; 4 is a pretty reasonable number of rings IMHO.

Recently, the phone would ring 2 times and then go to voice mail, making for numerous missed calls (some of which were telemarketers, so I didn't mind THAT much). Obviously, someone or some internal Qwest system changed that value from 4 to 2 for me, as I didn't even know how to change it.

I finally got tired of sprinting to the telephone to pick it up before 2 rings, so I searched Qwest for the answer on how to change this voice mail setting and came up with the answer.

So, I called 800-669-7676 per the instructions, entered in only my telephone number and chose the number of rings (2-8 is allowed). Reread the last sentence. Notice how I did NOT need to type in my account password, last 4 digits of my social or use my account code (as found on my monthly statement).

Just to be sure I didn't 'miss' something, I tried again and was again able to change my voice mail settings w/o providing any real authentication credentials.

THE SYSTEM ALLOWS ANYONE TO CHANGE ANYONE ELSE'S VOICE MAIL SETTINGS!!!!!!!!!!!!

From a privacy/security standpoint, this annoyed me, so I called 800-669-7676 again, punched the zero key a whole bunch of times so I could actually talk to someone, and asked about this. The response I received is that since the number of rings for voice mail is a low priority thing, that "it is unnecessary" to secure it. I asked if the changes were logged (because I wanted to find out when my account got changed from 4 to 2 rings) but that information was unavailable. Ok, I grant you the value of the asset in question here (# of rings) is low, but it is just the premise here that is troubling:

1) Why can someone change my account settings w/o my authorization
and
2) what other systems does Qwest have that allow similar changes?

One of my friends suggested how easy it would be to build a war dialer and randomly change people's voice mail rings daily. As I found out, 2 rings is akin to mini-DoS attack!

So, I'm hoping that if this information becomes public, it will cause a change at Qwest, and hopefully not spawn an epidemic of random voice mail ringer changes!

jk

March 14, 2006

Free CDs highlight security weaknesses - Computerworld

Even a low tech scam like this was 75% effective! "While the front of the CD contained a written warning to users to check their company's internal security guidelines before running the CD, as many as 75 of the 100 CDs were played."

People are still the weakest link in security: "The experiment underscores what experts say is the weakest point for IT security: people. While many companies have policies and make their employees sign legally binding documents with rules of use for company computers, it's doubtful users get specific training on why those rules are in place, Chapman said."

Forewarned is forearmed I guess...

BTW, if people are giving out free Milli Vanilli CDs, that is also a dead giveaway that it contains 'very bad things' :)

cheers
jk

November 22, 2005

Microsoft Office Marketplace: Comodo Free Email Certificate

Comodo is giving away free email certificates to use in signing and encrypting emails.

They are good for roughly a year. I haven't published mine anyplace yet, but probably should to promote PKI :)

jk

August 16, 2005

FAQ about PGP messaging

This was an excellent bit of text about PGP messaging.


What it is, what it's for, and why you'd use it
“Pretty Good Privacy” (PGP) is a scheme used to encrypt or sign messages. There are other schemes for the same thing, but this one is freely available for various different types of computer systems. It works by using secret and public key pairs, you pass out your public key and keep your secret key, and so does anyone else that you communicate with (they pass out their public keys, and keep their private keys). All the keys, in combination, are used to encrypt messages (your own private keys, and each other's public keys), and all of them are required to decrypt them (you send a message encrypted with your private key and their public key, and they decrypt it with your public key and their private key). This way, no outsider can decrypt the material (because they don't have anybody's private keys).


jk