Information Security and Strategy Carnival - Issue #3

For the third issue of the Information Security and Strategy Carnival, I am pleased to present the following texts:

Paul Wilcox at Security Manor presents

WM Media presents

Colleen Dick at Hot Dorkage presents Credit card security online: what you need to know.

Theme Lib at ThemeLib presents Be Careful of Fake Paypal Emails, a variant on the phishing/pharming attack method.

CMOE at CMOE - Strategic Thinking Blog presents Critical Elements of Strategic Leadership: Beyond Corporate Strategy

Marcus Hochstadt at Internet Business Guide presents Protecting Your Computer Using Deep Freeze

That concludes this edition. The next issue of the Information Security and Strategy Carnival is due on the 1st of August 2008.

Please send submissions by the 25th of each month by e-mail to shortinfosec _at_ gmail dot com, or submit them through the Blog Carnival Web Portal: http://blogcarnival.com/bc/submit_3975.html



Talkback and comments are most welcome

Blueprint - Successful IT Organization

Different types of organizations have different views of IT. Usually, there are two general types of IT organization: a Corporate IT and a Service Provider IT. There is a HUGE difference in the way things work in these two IT organizations. By comparing them, here is a blueprint of a functional IT organization.

My first job was in an ISP. My second was in technical sales of a large corporate organization. In both functions I had to cooperate and work with the IT guys.

Corporate IT organization - a typical and frequent organizational structure within large companies. Their characteristics are as follows:


  • Take time to react to requests - as specified in the policies and procedures
  • Follow established procedures to the letter, but rarely object or try to improve them
  • Document everything - as per the defined standards
  • Focus on maintaining the services and/or calling up the supplier
  • Have a very clear, usually multi-tiered organizational structure
  • Within the structure, very few people are empowered to make decisions
  • Have systematically planned and available budget for all required activities
  • See the service as their job - they will maintain it and escalate as per the procedures. At the end of the day, the next shift takes over, and the employees will forget about it until the next day.
  • In case of incident, will communicate the issue to other units for resolution.

Service Provider IT organization - a typical and frequent organizational structure within ISPs or smaller software development companies. Their characteristics are as follows:

  • React as fast as possible to any request
  • Usually avoid procedures, or have a very loose understanding of them. Constantly trying to change procedures to make their life easier
  • Document some things - in a hurry, and rarely in a very usable form for anyone other than the author
  • Focus on delivering a service as fast as possible
  • Have an overlapping or flat organizational structure
  • A lot of people are empowered to make a decision
  • Have planned but rarely sufficient budget for all required activities - Tend to make the most out of current resources
  • See the service as their own - they will do anything and everything to make it work. They take it very personally when things don't work.
  • In case of incident, will help each other, even if it is only by bringing coffee to the other guys.

Both organizations clearly have strong points as well as problems which arise from their understanding of what is their job:

  • Corporate IT is systematic but very rigid and usually slow to deliver a service.
  • Service Provider IT is fast and customer oriented, but usually functions on the edge of chaos.
From the above characteristics, taking the strong points of each, here is my proposal for the best functioning IT department:

  • React as fast as possible to any request - try to minimize the specified reaction time in the policies and procedures
  • Follow established procedures with exceptions - Document exceptions for review of procedures. If you find a procedure that hampers you, escalate to remedy it.
  • Document everything, but don't be too strict about the standard - The team leader should be the manager of all the team's documentation - collects and organizes, but rarely writes.
  • Focus on delivering the services ASAP, but in a coordinated effort - There is no "software error" or "hardware error". There IS AN ERROR. If the service is purchased from someone, all people should be aware of the service contract, so they can pester the supplier within the contract limits
  • Have as flat an organizational structure as possible - Your team leaders should be few and chosen by efficiency and ability, not by seniority.
  • Empower as many people as possible to make decisions, within their area of expertise.
  • Promote a culture of "service ownership" - the IT teams should treat the service as more than just their job.
  • Promote a culture of mutual assistance - In case of incident, everyone should pitch in together. To avoid procedural problems, a person with authority should be included and advised of the process

This ideal blueprint is not achieved overnight. But here are the steps that should get you there:

  • Position the IT as a business - Establish a business aspect of IT's work and enforce it, including costs, profitability, head count, resources. Even strive to establish a brand for your IT within the corporation.
  • Empower your teams - Encourage your teams to educate themselves, and delegate responsibility to them for parts or a whole service in your everyday portfolio. There is nothing more rewarding for an engineer than to see his creation in function and use.
  • Encourage mutual cooperation instead of delegation or escalation - avoid the "not my problem" philosophy. Wherever possible, strive to resolve things with horizontal communication
  • Organize the teams for efficiency, not for seniority - Your most senior people may not be your best team leaders. Good leaders are readily visible in times of incidents and potential problems. It is then you can see who will step forward, direct, give advice, coordinate. You are the manager and accountable for the entire operation. So regardless of personal emotions, choose the best parts for your engine.
  • Maintain procedural compliance - This is a very difficult part. This is a part where team leaders will have to step up and earn their salary. In all processes, strive to maintain efficiency while adhering to procedures as much as possible. Also remember that procedures are not set in stone, and can be changed.
  • Reward good work - Think out of the box. Contrary to the mantra "don't praise me, just pay me", there are hundreds of ways for a manager to reward an employee. Here are some that I have seen work beautifully:
    • verbal commendation in front of the peers;
    • opportunity for education and training (usually costs much less than a raise);
    • free personal time when needed;
    • asking for advice and expert opinion on subjects;
    • inclusion in strategic projects;
    • delegating person as representative in intracorporate projects;
    • corporate benefits - special discounts at stores for your team, team building trips


ICANN and IANA Domains Hijacked

On the 26th of June 2006, the official domains of ICANN and IANA were hijacked by the NetDevilz Turkish hacking group.

The hacker group redirected visitors to the ICANN and IANA sites to another server hosted at Atspace.com, specifically to 82.197.131.106.
There, visitors were shown a defacement message.


ICANN is the Internet Corporation for Assigned Names and Numbers, and IANA is the Internet Assigned Numbers Authority - the very organizations that assign Domain Names!
So far, there is no definitive answer on how the hijacking was performed.

This event is another proof that every organization, regardless of size or expertise, is vulnerable to hacker attacks.


Template to Regulate your Firewall Configurations

In many companies, the powerful firewall systems are considered black boxes that provide protection in and by themselves. Such organizations tend not to control their firewalls properly. This often leaves the full responsibility of firewall management and rule setting on a small (and usually overworked) group of administrators.

The problem with such an approach is that the firewall administrators are the only ones who know and understand what rules and permissions are set on the firewalls. Furthermore, this puts the burden of proper security directly on their shoulders.

In case of a security breach, an audit may show that an improper configuration was set up on the firewall, either intentionally or by mistake. But in any case, the administrator will then have the argument that he performed under the "best effort" principle, and didn't have the big picture or proper guidelines.

Therefore, it is very useful to create a Corporate Firewall Policy. This policy is a high-level document that will:

  • assure firewall setup compliant to the Corporate Security Policy
  • provide a high level, easily readable description of the rules that must be applied to the firewalls
  • regulate responsibilities for set-up and approval of rules
  • regulate emergency changes to rules
  • regulate audit and control of compliance to the policy
  • Give the administrators the guidebook on what to actually set-up
Information Security Short Takes has prepared a Template document, that you can download and use as a basis for your own Firewall Policy.

Download the Firewall Configuration Policy Template HERE



Keep Your Security Systems Patched

Even a company with a very high level of security awareness can become a victim of simple oversight. Such companies have implemented the works: network segregation; firewalls on all egress points; corporate antivirus with automatic updates; a WSUS server. And yet, a lot of these companies are vulnerable, since they haven't patched or upgraded their security systems themselves.

In the complex infrastructure of today's network, it is very easy to regard certain elements as self-sufficient black boxes, which you set up and never need to touch. Even more so when, because of budget cuts, you don't have enough manpower, or training, or both.

But your security systems are nothing more than computers, even if they have the appearance of strange black devices without a VGA or keyboard interface. And, as with any computer, their operating systems have bugs and glitches, and the programs that they are running (firewalls, IDS, routing) can have bugs and be compromised.

This is the avenue by which a prepared attacker can gain access into your network.

Example Scenario
A number of e-mails destined for the company were undelivered, and a customer is complaining that he cannot communicate properly. An investigation concludes that the Intrusion Prevention System (IPS) falsely identifies the e-mails as malicious and drops the IP packets of the SMTP session. The protection feature of the IPS is disabled.
Two days later, the mail server is compromised by a malicious attacker.

Analysis
Due to a bug in the IPS software, it created a large number of false positives, while also successfully blocking actual malicious attacks. A new version of the IPS software was available but wasn't installed. After the protective feature was disabled, a botnet performed an automated attack and discovered that the infrastructure is vulnerable to the malicious message.

Recommendations

  1. When purchasing security systems, apart from purchasing a subscription service to attack/virus signatures, always include an agreement for regular update of the engine/operating system. It is a good idea to task the supplier with proactive responsibility to inform you of the available updates.
  2. In parallel, task an internal person/team with reviewing the advisories from the manufacturer of equipment, in order to plan upgrades or patching for the infrastructure operating systems. These persons should primarily observe advisories for: firewalls and other security equipment; network infrastructure; services and servers which are contactable from the outside
  3. An attack can usually be blocked at more than one spot on the attack path. Maintain a layered defense, with updated versions of software and up-to-date patches on all levels. Even if you fall behind on patch level on one layer, you are relatively safe with the other layers in place until you fix the issue.


Microsoft Patch Reissued

A vulnerability in the Bluetooth stack of MS operating systems was patched in MS08-030. However, Microsoft has re-released the patch to properly cover MS Windows XP Service Pack 2 and 3.

Here is the statement by Christopher Budd of Microsoft

After we released MS08-030 we learned that the security updates for Windows XP SP2 and SP3 might not have been fully protecting against the issues discussed in that bulletin. As soon as we learned of that possibility, we mobilized our Software Security Incident Response Process (SSIRP) to investigate the issue.
Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not.
Our engineering teams immediately set to work to address the issue and release new versions of the security updates for Windows XP SP2 and SP3. These are available now and are being delivered through the same detection and deployment tools as the original update.


The amazing fact is that Microsoft did not manage to protect their product with the largest installed base of customers, ergo, the largest attack area.
This only goes to show that software patching even in very large companies can have errors.

On the user's side, this means that even if you are patching regularly, NEVER rely only on patches to maintain security


Citibank PIN Heist - Sources of Security Breach

Citibank ATMs became the target of fraudulent withdrawals by at least two men this February. Allegedly, the entire incident was related to a computer security breach of Citibank's servers that process ATM transactions.

This is the first time that actual major financial fraud is related to a computer security incident. However, Citibank denied that any of their systems were compromised.

The Threat Level Blog of Wired magazine is following the story with a new development, in which new frauds are appearing and Citibank is replacing ATM cards to a number of their customers. In the letters sent to customers, Citibank is explaining the replacement with an "identified data compromise involving the credit and debit card payment system used by a third party ATM network"

Naturally, both Citibank and the authorities will not reveal details of the problem until it has been rectified, and even then certain elements may not be disclosed to the public. This series of events sheds light on a different and largely overlooked aspect of data security:

  1. Another organization's lapse in security can cause you a lot of grief and negative exposure
  2. Security breach of your information can easily be caused by a business partner whose security is not up to expectations
  3. The attackers will not always approach you, in order to steal from you

In today's networked business, there is no foolproof protection for your information. But in order to minimize the risk towards your business, exercise the following simple rules:

  1. Always agree on security levels for infrastructures and processes of your business partners.
  2. Make periodic audits that the agreed levels are respected and enforced
  3. Maintain vigilance on your information in the wild - the faster you identify that some information is in the wild, the less impact it will have on your business


Update - Apple fixes the carpet bombing bug

Last week Shortinfosec published an analysis of Apple's decision to delay the carpet bombing fix until the next official release.
To say the least, this decision was not well accepted.

However, it seems that Apple is listening to the customers. Apple released an update that among other things, should fix the carpet bombing bug. You can read the details at Insanely Great http://www.insanely-great.com/news.php?id=9253

This is a very positive surprise from Apple. Keep up the good work!


Rules for good Corporate Web Presence

In the era of Internet and communications, there are still a lot of organizations which have a poor or misconfigured web presence. This leads to unavailability, loss of contact with potential customers, and even reduced reputation due to bad or missing web presence.
This trend is especially true for public services and organizations where management is centralized and has poor Internet awareness.
Here are a few examples of common mistakes:

  • Hosting a web site on a non-default port - very common when you hire very cheap webmasters or use an improperly trained administrator to set up the web server. Several web servers install themselves on TCP port 90 or 8080, for security reasons, until the service is ready for commercial rollout. If the web server remains on a port different from the default 80, some visitors may not be able to access it. This is especially true for visitors from large corporate networks, where proxy and security systems are often configured not to allow access to sites on non-standard ports.
  • Hosting a web site on an IP address - without a domain name - a very old mistake, and one that was supposed to have vanished by now. It is difficult to communicate the IP address, it is difficult to remember an IP address, and it is difficult to change and re-communicate the IP address. It should NEVER be done.
  • Using IT for content management - Even if IT created the engine, prepared the server and started it, they should not be tasked with content management. Because of its primary function, IT will always put a higher priority on maintenance of the infrastructure than on content management. This will lead to incomplete or outdated content.
  • Allowing the domain name to be stolen - Bear in mind that your corporate domain name is yours only until the lease expires. It costs around 10 USD/year to renew the lease, but if you forget to renew before the lease expires, it's a first come, first served principle. There are persons and even companies known as domain trolls, which target large organizations and good domain names, and wait for a mistake. If you forget to renew your lease, they can take it from you, and then they will blackmail you into buying it for a lot more than 10 USD. In the meantime, your corporate web presence is unavailable, or even replaced with content which may harm your corporate reputation.

Here are several rules for setting up a good corporate web presence:

  1. Outsource the hosting of the web site to a commercial hosting corporation - avoid using internal resources for web site and server management. Unless you have a very large and experienced team, your people will need to learn web hosting and maintenance on the job, and this can lead to poor quality, failures, even security holes.
  2. Confirm that your site is adhering to de-facto standards - insist on standardised TCP ports, registered domain names, and avoid any reference to an IP address.
  3. Maintain your site and domain availability - lease the domain name for several years in advance, and task one person with personal responsibility to renew the lease on time
  4. Delegate content management to the business - Whatever is on the site is business oriented, and should be maintained by the business. Each business unit should have a content manager, who should use a simple web based editor interface to manage content
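As an added example (not from the original post), here is a small Python audit for rule 2: it walks a list of the URLs an organization publishes and flags any host that is a bare IP address and any port other than the default 80/443, the two mistakes described above. The sample links are constructed for the demonstration.

```python
"""Audit published URLs for non-default TCP ports and IP-address hosts."""
import ipaddress
from urllib.parse import urlsplit

# Default ports that corporate proxies are expected to allow.
DEFAULT_PORTS = {"http": 80, "https": 443}


def audit_url(url):
    """Return a list of findings for one URL; an empty list means no issue."""
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return [f"unsupported scheme '{parts.scheme}'"]

    host = parts.hostname  # lowercased; IPv6 brackets already stripped
    if host is None:
        return ["missing host"]

    # Mistake 2 above: the site is reachable only by IP, not by a domain name.
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is an IP address ({host}) instead of a domain name")
    except ValueError:
        pass  # a hostname, which is what we want

    # Mistake 1 above: the server was left on a non-default port (90, 8080, ...),
    # which proxies in large corporate networks frequently block.
    try:
        port = parts.port
    except ValueError:
        return findings + [f"invalid port in '{parts.netloc}'"]
    if port is not None and port != DEFAULT_PORTS[scheme]:
        findings.append(
            f"non-default port {port} for {scheme} (expected {DEFAULT_PORTS[scheme]})"
        )
    return findings


def audit_site_links(urls):
    """Audit every URL; return {url: findings} for only the URLs with issues."""
    report = {}
    for url in urls:
        findings = audit_url(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample: links as they might appear on a corporate page.
SAMPLE_LINKS = [
    "https://www.example.com/contact",          # fine
    "http://www.example.com:90/",               # left on the install-time port
    "http://198.51.100.23/index.html",          # published by IP address
    "https://[2001:db8::10]:8443/portal",       # both mistakes at once
    "https://www.example.com:443/about",        # explicit but default port: fine
]

if __name__ == "__main__":
    for url, findings in audit_site_links(SAMPLE_LINKS).items():
        print(url)
        for finding in findings:
            print("  -", finding)
```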

Another Bad D.M.C.A. - Canadian Bill C-61

Last week Bill C-61 was introduced in the Canadian parliament. Supposedly it protects digital media from copyright infringement. The danger is that the law will not serve only to protect the copyright of music and video files, but will possibly hamper the usage of legally purchased material.

Here is a flagrant example. The Bill C-61 grants the copyright holders the right to demand damages from anyone who bypassed any sort of encryption, with a few exceptions regarding interoperability, encryption research and security.

  • 3v3n v3ry l4m3 3ncrypt1on.

If this bill is passed into law, and you managed to read the above sentence, the author can claim that you breached an encryption algorithm, and sue you for $500 per infringement.

While the Dmitry Sklyarov incident should not be repeated, we can expect a lot of confusing and debatable infringements, like

  • Transferring your legally purchased music from a CD to your iPod
  • Playing a region 2/3/4/5/6 DVD that a visitor/tourist/student purchased legally and brought with him for his personal use
  • Using copy/paste from electronic books for quoting within research papers

So, if this bill is passed into law, here are several scenarios which can happen

  • Within the borders of Canada, any company having a product with a ridiculously weak or vulnerable encryption algorithm will be able to sue the user who bypassed the vulnerability for his own use.
  • Even if such a vulnerability is identified by a security expert, it may not be treated or corrected by the manufacturer, since they will deem themselves protected by the letter of the law.
  • Even with the exceptions regarding interoperability, encryption research and security, ethical security experts may be wary of analyzing and publishing vulnerabilities, since if they are challenged, they will need to prove their intent and that they didn't use the vulnerability for ANY infringement.


ITILv3 Foundations Training - Experiences

Last week I attended the official IT Service Management (ITILv3) Foundations training. The training is a 3 day boot camp, which covers the processes in the following ITILv3 areas

  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operation
  • Continual Service Improvement
The training is an excellent tutorial for everyone who wishes to advance their career into IT management. The topics touch both the IT and the business aspects of IT services. Anyone who has ever worked in implementation or service maintenance (like ISPs or internal IT) will find himself on familiar ground.
What's new is the excellent structure of the ITIL processes, starting from understanding customers and market needs, via preparing the service and appropriate quality levels, to actual installation, testing and operational maintenance of the service.
Usually, the trainees start relating their experiences and find the gaps where they could have done things differently.

As I found on the Internet, the list price of the course is substantial (more than 2000 USD), but the knowledge is valuable. There are subsidised courses for those with a lower income, but you need to look for them.
Also, the boot camp usually includes the official certification exam. I would definitely recommend taking the certification.

Creating Good Software - Align expectations and development

The easiest way to create a bad product in custom development is to misunderstand the customer's expectations. This is a discussion of the risks brought by poor specification, poor understanding of business needs and the hurry to make a profit.

Medium size businesses are usually partnering with one or two software development companies. These businesses are entering a partnering relationship with the software company, and nearly always turn to them for their solution needs.

From a business perspective, this arrangement makes sense for both sides.

  1. The business has the guarantee that whatever new product is delivered will be able to seamlessly integrate with their current systems.
  2. The software development company has a broadened influence on the business and knows that they will extend their cooperation for at least several years more.
The problem with this arrangement is that the customer is trusting the software supplier to deliver any and all possible solutions, even those that aren't in the core product line of a software development company.

Example scenario
Shortinfosec Democorp is using a Customer Relationship Management (CRM) system developed by ACME Software Devel. According to the new business model of Democorp, a new billing system is needed for proper invoicing of delivered goods and services. ACME Software Devel is invited to create the billing system. The requirements given by Shortinfosec Democorp are the following:
  • The system needs to generate invoices for all customers, summing up all their outstanding charges
  • The system needs to be able to create discounts for VIP customers in the CRM system
  • The system needs to produce reports for invoiced and outstanding amounts
ACME Software Devel receives the specification, confirms ability to finish the job and creates a product. During testing of the delivered product, the following issues are raised by Shortinfosec Democorp:
  • The billing system does not interface with accounting, to track payments
  • The billing system does not calculate interest on late payments
  • The billing system operates with the current product set, and there is no flexible way to implement new products
  • The discounts are limited to fixed amount or fixed percentage for the VIP customers
  • The reporting aspect is limited to 2 reports
ACME Software Devel responds that these issues were not mentioned in the initial specification, and requests a 3 times increase in agreed price to deliver the required changes. After tense negotiations, ACME Software Devel is contracted to scrap their solution and provide interfaces for a third party billing system. Shortinfosec Democorp hires a consultant to define all requirements and issues an international RFP for the Billing System.

Analysis
The process described above was riddled with errors.
  1. The original specification given by Shortinfosec Democorp is quite poor and abstract - The project manager for the billing system did not do sufficient research to identify all the required aspects of the desired solution
  2. ACME Software Devel assumed that the specification is final and that the product is very simple - The software company's account manager and project manager did not expand the analysis with the customer to investigate all possible issues.
  3. Both time and money were spent on the assumption that the other side knows it all and will tell/do all that is needed - The process was at least doubled in cost and time frame.
  4. The entire exercise ended in a tense relationship and diminished trust between both partners - Both parties were left dissatisfied by the other one, and a good business relationship was degraded.
Recommendations
While it can always be discussed that the responsibility for functional specifications falls on the buyer, the software development company should seize the opportunity to help or guide the buyer to produce a mutually agreed good product.
Here are several steps that should be taken to improve the cooperation between partners in creating a new software solution.
  1. Never assume that the specification is all the customer needs. If the specifications are too inconclusive or general, strive to specify them in greater detail. This will reduce the need for assumptions and possible incompatible design in the finished product.
  2. Research the market, see what is actually behind the simple sentence uttered by the buyer. For instance, the buyer might like the idea of software managing the queues of people in front of their sales counters. But this software is known as customer flow management, and is an entire science of its own.
  3. Establish a good and permanent collaboration with the buyer. Collaborate as much as possible in the early stages - even when the new requirement is still an idea. Always present
  4. If necessary (often it is, to reduce conflict of interest), suggest an external consultancy to assist the buyer in the process of defining requirements, so that the finished specification is easy to follow.


Preventing Online Credit Card Theft - Revisited

Online Credit Card Theft is a very old and frequently discussed topic. And yet, a lot of people in the world are still victims to credit card theft. So, in a brief morning post, here are several simple pointers to minimize the risk of online theft.

  1. NEVER respond to e-mails claiming to be from your bank and requesting ANY account or personal information. Also, NEVER click on links contained in such mails
  2. NEVER give out information when receiving telephone calls from someone claiming to be from your bank and asking for account or personal information.
  3. Alert your bank of all attempts described above - When reporting, don't press reply on a received e-mail. Call the bank's official phone number - printed on your credit card
  4. Buy from reputable sources - although there may be better deals at a smaller store's site, when exposing your credit card information online, use a trusted online store.
  5. Use a dedicated debit card for online purchases - Leave a minimal amount of funds on it, and don't use it in everyday purchases. When purchasing online, plan a day ahead and put some money on the debit card. Put just a little more than the amount of money needed for the purchase. This way, you'll spend it immediately, and if the card data is stolen, the hackers can't use it - it has virtually no credit.
  6. In case of actual theft, treat it as any other crime - Immediately inform the authorities and the store where you suspect your credit card info was stolen. The authorities will send an expert forensic team to analyze your equipment, as well as follow the money trail.
  7. Ask your bank to assist you in tracing the funds - This may have to be done by the authorities, but the bank will always comply. An extremely common error that hackers make is to transfer the money to their own accounts, or purchase something very traceable (passing through customs, or having DHL tracking).
Related posts
Personal Data Protection - Anonymizing John Doe

Talkback and comments are most welcome

Be Aware of Security Risks of USB Flash Drives

On several occasions I have noticed a trend by which companies identify and protect themselves against information theft and virus infections from all electronic transport channels, like e-mail, web, file transfers, p2p etc. Those same companies are flagrantly overlooking the risks related to physical transport media, especially USB flash drives.

The older readership will certainly agree that the USB flash drive is the new floppy. For the younger generations, the floppy disk (diskette) was the primary means of data transfer in the late 80s and early 90s - before the era of CD-RW and high-speed Internet.

In those days, large corporations removed floppy drives from corporate PCs to prevent employees from stealing information, or from bringing in things like Tetris and GP2 (a small racing game that fit in 300 kB).

Risks
The same trend is now being repeated with USB flash drives. Here are the possible risks of using personal USB flash drives:

  1. An employee can take corporate documents home (Excel sheets, Word documents, even larger data sets) - a very easy method of information theft. Even if done with the best possible intentions, like taking materials to work on at home, a lot of such documents are forgotten on private USB drives, which leads to information leaks.
  2. An employee can bring in pastime games downloaded from the Internet - there is no such thing as a free lunch. A lot of these "free" games are loaded with keyloggers, trojans and viruses, which will be brought in by the persons you trust - your employees!
  3. An employee can bring music to and from work (mostly pirated) - whether music increases productivity can be debated, but should an audit occur, a lot of pirated mp3s will be found on the corporate network, leading to costly litigation.
  4. An unsupervised visitor may bring a USB flash drive and introduce malware via the Autorun function - it is very easy to enable Autorun on a USB flash drive. Autorun will run an executable, which can bring a keylogger or trojan into the network.
Controls
It is very difficult to control the carrying of USB flash drives unless you enforce a full body search policy. So here are several steps that can be used to control their usage:
  1. Institute a formal corporate policy banning the use of USB flash drives, subject to disciplinary action.
  2. Organize periodic awareness training for all employees on the risks of using USB flash drives. In the training, include a demo of a malicious attack which will install a trojan from a rogue USB.
  3. Disable Autorun on all drives.
  4. Implement a technical policy preventing the use of USB flash drives on your network. This is usually done through Active Directory Group Policy in Windows. Here are two tutorials from Microsoft: http://support.microsoft.com/kb/823732 and http://support.microsoft.com/kb/555324
Related posts
Check Your DNS Zone Transfer Status
6 steps to securing your backup media
8 Tips for Securing from the Security experts

Talkback and comments are most welcome

Check Your DNS Zone Transfer Status

The DNS service is a very low-maintenance service. It is configured very easily, and runs with nearly no intervention. This is especially true for Windows DNS Servers. The downside of such ease of use is that the DNS server is often forgotten by the admins, and DNS security can be lacking.

The easiest attack that can be performed on a DNS server is a Zone Transfer. The Zone Transfer, also known as AXFR, is the method by which primary and secondary DNS servers share updates about the domains for which they are authoritative.

Since the zone transfer is a standard DNS service function, it can be requested by any system that communicates via the DNS protocol. This includes the nslookup and dig programs, which are available for every PC regardless of OS.

A standard security measure is to configure the DNS servers to refuse zone transfer requests except from specified IP addresses (usually the secondary DNS servers).

Here are the risks of not restricting Zone Transfers:

Data Exposure

Even if querying individual DNS records is fully legal and required, if an attacker obtains a copy of the entire DNS zone for a domain, they will have a complete listing of all registered hosts in that domain. This would enable the attacker to easily identify the possible target machines and their IP addresses.

Denial of service

Unlike standard DNS queries, which are transported via UDP packets, the Zone Transfer requires a TCP connection. The TCP connection puts a much higher load on the server than a UDP request.
An attacker can craft a program that performs multiple simultaneous Zone Transfer requests against a DNS server, making it slow and unresponsive. The primary effect of this attack is to disable normal requests and block regular users from resolving the required hostnames.

How to check
It is very easy to check whether your DNS server allows Zone Transfers. Start a command line and run the program nslookup. At the nslookup prompt, type ls -d yourdomain.com (replace yourdomain.com with the name of your domain).
  • If you get a response like Query refused or Can't list domain, you are ok.
  • If you instead get a list of hostnames, take measures to limit Zone Transfers immediately.
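The same check done programmatically, as an added example that is not code from the original post: it sends the raw AXFR request (qtype 252) over TCP that nslookup's ls -d issues, and classifies the server's RCODE in the first reply. The ls subcommand exists only in the Windows nslookup; on other systems, dig @server yourdomain.com AXFR is the equivalent. The server and zone names at the bottom are placeholders.

```python
import socket
import struct

# Added example (not from the original post). Checks your own DNS server for an open
# zone transfer by issuing an AXFR over TCP and reading the RCODE of the first reply.
AXFR_QTYPE = 252          # qtype for a full zone transfer
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(domain):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_axfr_query(domain, txid=0x1234):
    """12-byte header (one question, no flags set) followed by the AXFR question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(domain) + struct.pack(">HH", AXFR_QTYPE, CLASS_IN)
    return header + question


def parse_header(reply):
    """Return transaction id, RCODE and answer count from a DNS message header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    rcode = flags & 0x0F
    return {"id": txid, "rcode": rcode,
            "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), "answers": an}


def classify(reply):
    """OPEN: the server started sending zone records. RESTRICTED: it refused."""
    hdr = parse_header(reply)
    if hdr["rcode"] == 0 and hdr["answers"] > 0:
        return "OPEN"
    if hdr["rcode"] in (5, 9):   # REFUSED / NOTAUTH are the usual refusals
        return "RESTRICTED"
    return "UNKNOWN:" + hdr["rcode_name"]


def recv_exact(sock, n):
    """Read exactly n bytes, since TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_zone_transfer(server, domain, timeout=5.0):
    """Ask your own DNS server for a zone transfer and classify its first reply."""
    query = build_axfr_query(domain)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        # DNS over TCP prefixes every message with a 2-byte big-endian length.
        sock.sendall(struct.pack(">H", len(query)) + query)
        length = struct.unpack(">H", recv_exact(sock, 2))[0]
        return classify(recv_exact(sock, length))


if __name__ == "__main__":
    # Placeholders: point these at your own authoritative server and zone.
    print(check_zone_transfer("ns1.yourdomain.com", "yourdomain.com"))
```

A server that silently drops the connection instead of answering raises ConnectionError; treat that as restricted but confirm with the server's own configuration.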

Related posts
DHCP Security - The most overlooked service on the network
Why don't you like my network?

Talkback and comments are most welcome

Network Access Control - A Solution with Problems

A lot of companies lately are seeing that their employees attach personal and company laptops to corporate networks, and bring trojans and viruses into the network. A defence mechanism for this risk is seen in Network Access Control (NAC) solutions. However, as with all new solutions, this one can have problems of its own.

The fundamental idea behind NAC is to allow the network to make access control decisions based on gathered intelligence about end-systems (laptops, computers).
To do this effectively, any NAC system needs to do the following:

  1. Establish controls to allow/deny access at the network level.
  2. Gather information about the end-systems.

This means that the NAC system will need to integrate with network elements and have partial or full control over them (to enable/disable access), access to inventory software, and possibly even install a client agent on every end system.

When in operation, the NAC system should identify every end-system connecting to the network, authenticate it against a preset policy, verify its compliance with antivirus levels, patch level and possibly the applied group policy, and take protective measures. The measures can range from simple denial of access, through a message prompting manual update of the system to become compliant, to automatic updating of all required elements to make the system compliant.

Primary targets for NAC are financial institutions and large corporations with distributed offices. There are definite benefits from

An intelligent access control system also has its drawbacks. I did an interview about the perceived risks of NAC implementation with a CEO, a Network Admin, a System Admin and a user of a company. Here are the problems that they identify:

The CEO's view
  1. A NAC is costly to implement - the costs are not only for the NAC system; we also need to upgrade a lot of network equipment to be interoperable with the NAC.
  2. A NAC will require a large effort to achieve full compliance on all end-systems. This will be reflected in additional operating expenditures for the personnel effort.

The NetAdmin's view

  1. A NAC will add another point of potential failure to the network - poor maintenance or misconfiguration of the NAC system can cause huge problems.

The SysAdmin's view

  1. A NAC will cause complexity in integration with other services (antivirus, active directory, patch management) and will become a critical point of failure - if the NAC fails, what will happen?

A user's view

  1. A NAC can cause immediate productivity problems if the NAC fails or misinterprets my end-system's compliance. Due to security policies in place, the remediation of such an event takes at least an hour.
  2. I would be very interested to see what will happen if the CEO's laptop is deemed non-compliant

Conclusions

Network Access Control is a good technology, but the organization has to be extremely careful about when and how to implement it. It is not a silver bullet, and the risks and drawbacks need to be investigated and analyzed before embarking on the road of NAC implementation.

Related articles

DHCP Security - The most overlooked service on the network

5 Rules to Home Wi-Fi Security

Why don't you like my network?

Talkback and comments are most welcome

Information Risks when Branching Software Versions

Branching of software versions is a regular and everyday process in software development. However, branching brings inherent information risks that require good controls and regular oversight. Here is an analysis of these risks and the possible controls to mitigate them.

Example scenario:
Shortinfosec Democorp has sold a software package to a customer company. The software package is rolled out in February and is running well.
In June, the customer company requests a very specific upgrade.
Due to lack of resources, Democorp schedules the upgrade for the next planned version, which will happen at the end of the 12-month cycle (next February).
The customer company needs the upgrade as soon as possible, so it is agreed that the customer will create a patch for the software which will provide the required functionality. The patch is applied in July and is running well.

During October Democorp software maintenance has prepared a patch that improves the performance of the overall solution. This patch is distributed to the customer and is applied to the system.
The next morning, the customer's data is corrupted, and needs to be restored from backup.

Analysis:
Incident management identifies that the customer-created patch has failed and corrupted the data.
In-depth analysis concludes that the performance patch changed the underlying architecture of the software package, which caused the functional patch created by the customer company to fail.

This is a very common risk when failing to manage the possible branches of the software product and can sometimes lead to dire consequences.

Controls:
When preparing custom solution applications, it is quite common that the customer's application management team is allowed to create certain supporting elements around the core solution. In extreme situations, like the one in the example, they may even intervene within the core solution with a temporary workaround.
All these in-house developed solutions are based on the documented technology and architecture of the core solution.
Here are several methods that can be used and combined in order to mitigate the risks associated with the developed branches.
  1. Establish standard and documented APIs so the customer can interface with the core solution without the necessity to intervene directly in it. Maintain the APIs for backward compatibility, and announce compatibility-impacting changes to the APIs at least 1 year in advance.
  2. Establish a practice of informing the customer of any technology changes in each new version and patch.
  3. Establish a cooperation protocol between the manufacturer and customer by which all in-house developed code supported by a core solution is acknowledged and confirmed by the software manufacturer. Under this protocol, the in-house code can then be maintained by the software manufacturer, or the software manufacturer will have to specifically alert the customer of changes impacting the in-house developed code.
Written by guest blogger Marija Spirovska, who currently holds the position of senior developer at a multinational software company.
ShortInfosec thanks her for her contribution, and hopes that she will continue to contribute to this site.

Related posts
3 rules to keep attention to detail in Software Development
8 Golden Rules of Change Management
Application security - too much function brings problems
Security risks and measures in software development
Security challenges in software development

Talkback and comments are most welcome

Safari Carpet Bombing - A Bug in Different Context

In the past weeks, the issue with Apple's Safari browser has received very high media coverage.

For a short recap, the "carpet bombing" vulnerability will dump a large number of files on the user's desktop from a malicious web site without any action from the user.

The issue that I would like to stress is that Apple has classified this problem as a 'nuisance', and has scheduled its fix for sometime this fall. It is a perfect example of the different views that customers and software companies take on the same issue.

In the previous analysis on the subject, we presented the most frequent reasons for this behaviour of software companies:

  1. There are insufficient human resources to address the issue.
  2. There are profitable change requests or projects to address, so this element is merely postponed since the software company will not see a profit from engaging their resources in correcting this problem.
  3. The problem is caused by a design flaw in the system that is either very difficult or impossible to rectify in a reasonable time and within a reasonable budget.

Apple's reasons for shrugging off the 'carpet bombing' flaw are unknown at the moment. But I fear that Apple forgets several critical facts of the current state of things:

  1. The Safari browser is not the only browser on the market, even for MacOS systems.
  2. The price of all browsers is the same - ZERO USD.
  3. Users are becoming highly aware of their security, and wish to be well protected by the vendors (remember the notoriety of security issues in Microsoft products).

In the described environment, there will be an adverse impact from Apple's decision, with people abandoning Safari in favor of other browsers. And if Steve Jobs wants to promote Apple as a platform, this is not the way to go.

Related posts

http://www.shortinfosec.net/2008/04/sla-lesson-software-bug-blues.html
http://blogs.zdnet.com/security/?p=1212
http://www.theregister.co.uk/2008/05/15/apple_safari_carpet_bombing_vuln/

Talkback and comments are most welcome

Creating secure CD/DVD media for transport using Truecrypt

Continuing the discussion about securing your backup media in transit, here is a tutorial on how to create very secure media for public transport.

The target is to create CD/DVD media that will contain highly protected sensitive information. For this example, the sensitive information is a System State Backup of a Domain Controller, as per the example in http://www.shortinfosec.net/2008/06/6-steps-to-securing-your-backup-media.html

The process is as follows:

  1. Create a Truecrypt encrypted volume. Use cascaded encryption with two different algorithms; the example uses the Twofish-AES combination.
  2. Name the volume file using a nondescript name, and protect the volume using a strong password.
  3. Repeat steps 1 and 2 two more times, creating volumes of similar or the same size as the first one, with similar file names.
  4. The process in the example creates the files aws.ade, asq.dew and awd.adss.
  5. Mount one of the volumes (the example uses the aws.ade volume) and save the sensitive file inside the volume.
  6. Dismount the volume and burn all three files aws.ade, asq.dew and awd.adss to a CD.
  7. Place the CD inside a tamper-evident envelope with a non-repeatable serial number and record the serial number.
  8. Send the CD by courier. Call the recipient via a cell phone call and dictate the decrypting password and the name of the file containing the encrypted data.
Here is a video clip demonstrating the process of creating secure media using Truecrypt.

Related posts
Risk of losing backup media - real example
8 Tips for Securing from the Security expert
TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop

Talkback and comments are most welcome

Risk of losing backup media - real example

My post about 6 steps to securing your backup media sparked comments that my example scenario is very grim and will not happen. Here is a real example of that grim scenario:

In 2005, LaSalle Bank Corp lost a tape containing confidential data of 2,000,000 residential mortgages. The tape listed mortgage customer names, accounts, payment histories and Social Security numbers. The tape was lost in the mail, while en route to a credit reporting bureau.

The tape was later recovered after missing for several weeks. Since the data was not encrypted, and there was no method to identify whether the tape had been read or tampered with, LaSalle Bank Corp maintained a high level of protection for customers from potential identity theft.
This led to undisclosed costs covered by the bank.

The bank has since abandoned transferring physical tapes to credit bureaus in favor of electronically sending encrypted files.

Here are several articles regarding this issue:
http://findarticles.com/p/articles/mi_hb5273/is_200512/ai_n20825812
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1153797,00.html

Related articles
6 steps to securing your backup media
8 Tips for Securing from the Security expert
TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop

Talkback and comments are most welcome

6 steps to securing your backup media

Companies use significant resources to secure their production systems. The security of the backup elements of that same infrastructure, especially the backup files, is often overlooked. This lack of security can be an excellent opportunity for an attacker.

Update: Here is an example of the risks associated with improper protection of backup media

Example scenario:
One of Shortinfosec Democorp's branch office Domain Controllers has failed. A support expert is called in to assist, and he suggests installing a new server and restoring the DC from the system state backup of the failed one, thus retaining the SID of the old DC and other special configurations that have been implemented. The backup is kept at head office, and is sent on a CD via courier.
The CD is received, restored to the new server, and everything is as good as new.

Two days later, a hacker attacks Shortinfosec Democorp. The investigation finds that the attacker used a domain user name and password to enter the computer system, and concludes that the only possible breach of security was during the transport of the System State CD via courier.

Analysis:
The attacker has infiltrated the courier company used by Shortinfosec Democorp, and paid the courier to make a copy of all CDs in transit for Democorp. This can be performed even more easily if the CDs are sent via public mail, where a large number of personnel have access to the sent material.
From the copy of the System State, the attacker recreated multiple clones of the domain controller in a VMware lab environment, and performed the following attacks in parallel:

  1. Scanned the restored clone for vulnerable services.
  2. Performed enumeration of the domain users contained on the domain controller.
  3. Performed a brute force attack on the domain users contained on the domain controller. Any lockout was bypassed by simply restoring a copy of the clone and continuing with the attack.
  4. Performed a systematic social engineering attack on targeted domain users contained on the domain controller.
Conclusions and recommendations:
A good attacker is the one you have to be wary of most. Such an attacker will use any method to collect information, including media theft.

  1. Any backup media must therefore adhere to the following recommendations:
  2. All individual media containers with backup media should be sealed with a tamper-evident unique label (a tamper-evident bar code label with a non-repeating serial number).
  3. All such media must be logged, with dates of creation and the tamper-evidence protection label code. The log must be kept in two copies, one accompanying the tape and one kept by a person of authority who has no direct access to media containing backups (internal auditor, security officer).
  4. All media containing information (erased and containing backups) must be kept in a locked enclosure with controlled access.
  5. If the backup is kept on a system (file server), the system must be configured for full auditing of access to all files. Audit logs must be regularly reviewed by a person of authority who has no direct access to media containing backups (internal auditor, security officer).
  6. When the need arises to transfer media to another location, all transport methods must be treated as hostile. The media containing the backup should be encrypted, and the decryption keys should be transported by a different channel. Also, all media must be protected by tamper-evident labels with non-repeatable serial numbers, or placed in a tamper-evident envelope with a non-repeatable serial number.
Update: Here is an example on Creating secure media for transport with Truecrypt

Related posts
Risk of losing backup media - real example
8 Tips for Securing from the Security expert
TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop


Talkback and comments are most welcome

Measures for Improving Data Integrity through Application Version Control

All corporate data within a company should be subject to the CIA triad: Confidentiality, Integrity and Availability. One of the elements that can become a risk to data integrity is an incorrect version of software.

Example scenario:
The IT department rolls out a new version of the CRM application at Shortinfosec Democorp.
Due to specific requirements of the director of sales, his assistant's computer does not update the CRM application automatically. At the moment of the rollout, her computer was off and was unreachable for a manual update.

The following morning, the director of sales gets a call from a VIP customer with a new order for a high-end network analyzer. He calls up his assistant and instructs her to enter the new order into the CRM. The assistant uses her CRM program and enters the new order.
As a result, the order is multiplied to all VIP customers, which triggers a lot of confusion in account and order management until it is resolved.

Analysis
During the rollout of the new version of the CRM program, the CRM database was updated to function with the new version of the front end. This included a modification in the engine that manages orders, and resulted in erroneous.

Recommendations
Mismatched versions of frontend and backend can create any number of problems with the underlying data, corrupt it or even destroy it. The following measures should be implemented to mitigate the risk to data integrity from wrong versions:

  1. The software manufacturer should implement a function within the application which compares the application version to an expected current version stored in the database.
  2. The expected current version should be updated within the application database during the rollout, using a standardised and documented process delivered by the software manufacturer.
  3. If the application version does not match the expected current version, the application should either visually and audibly alert the user of the mismatch, or refuse to function.
  4. The company that purchases the application must implement a policy by which employees immediately alert IT when they see a wrong-version message.

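The four measures above, modelled in code as an added example (not the CRM product's own code, nor code from the original post): the rollout process records the expected version in the database, and the client compares its compiled-in version against it before any data-changing operation, refusing to function on a mismatch. The version strings, table names and the in-memory SQLite database are constructed for the example.

```python
import sqlite3

# Added example (not from the original post). Models the recommended version check:
# the front end refuses to write data unless its version matches the version the
# rollout process recorded in the database.
APP_VERSION = "2.1.0"    # constructed value, compiled into this build of the front end


class VersionMismatch(RuntimeError):
    """Raised when the client version differs from what the database expects."""


def new_db():
    """Constructed in-memory database standing in for the CRM backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS app_version (expected TEXT NOT NULL)")
    conn.execute("CREATE TABLE IF NOT EXISTS orders (customer TEXT, item TEXT)")
    conn.commit()
    return conn


def rollout_set_expected_version(conn, version):
    """Measure 2: the documented rollout process records the new expected version."""
    with conn:
        conn.execute("DELETE FROM app_version")
        conn.execute("INSERT INTO app_version (expected) VALUES (?)", (version,))


def expected_version(conn):
    row = conn.execute("SELECT expected FROM app_version").fetchone()
    return row[0] if row else None


def check_version(conn, app_version=APP_VERSION):
    """Measure 1 and 3: compare versions and refuse to function on a mismatch."""
    expected = expected_version(conn)
    if expected != app_version:
        raise VersionMismatch(
            f"this client is version {app_version} but the database expects "
            f"{expected}; contact IT before entering any data")   # measure 4
    return True


def insert_order(conn, customer, item, app_version=APP_VERSION):
    """Every data-changing operation runs the check first, so a stale client
    never touches the orders table."""
    check_version(conn, app_version)
    with conn:
        conn.execute("INSERT INTO orders VALUES (?, ?)", (customer, item))
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def demo():
    """Replays the scenario: an updated client succeeds, the assistant's stale
    client is refused instead of corrupting the order data."""
    conn = new_db()
    rollout_set_expected_version(conn, "2.1.0")
    updated = insert_order(conn, "VIP Customer", "network analyzer")
    try:
        insert_order(conn, "VIP Customer", "network analyzer", app_version="2.0.3")
        stale = "accepted"
    except VersionMismatch:
        stale = "refused"
    return updated, stale


if __name__ == "__main__":
    print(demo())
```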
Related posts
3 rules to keep attention to detail in Software Development
8 Golden Rules of Change Management
Application security - too much function brings problems


Talkback and comments are most welcome

Example - SMTP message spoofing

I got reactions from readers to my Spear Phishing post saying that creating a perfectly spoofed e-mail impersonating the manager is impossible. Although I agree with this opinion, I must stress that the attacker can create a near-perfect spoofed message.

Here is how:
All he needs is an open relay mail server - a mail server that will accept and relay e-mail messages regardless of sender and recipient parameters.
Then, he needs to telnet to port 25 of this server (the SMTP port) and send the following set of commands:
helo server
mail from: sender@frauddomain.com
rcpt to: recipient@targetdomain.com
data
This is a customised fraud message

Regards
Fraudster
.

After each command, the server will reply with the appropriate acceptance code. The . on the last line is not an error; it is the message-end delimiter.

Using this method, the ONLY thing the attacker will not be able to spoof is the IP address of the SMTP server that relayed the message. Although this information is contained in the message header, very few people are trained to read it, and it is quite difficult to train non-technical personnel to read the header.
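Reading that header is the part non-technical staff cannot do, so here it is automated as an added example (not from the original post): it walks the Received: trail of a message, finds the first-hop relay that injected it, and flags a message claiming to come from your own domain that did not enter through one of your own mail servers. The sample message, IP addresses and host names are constructed for the example.

```python
import re
from email import message_from_string

# Added example (not from the original post). Extracts the relay IP from the
# Received: headers, the one thing the open-relay method above cannot fake.

# Constructed sample message. The bottom Received: line was added first, by the open
# relay the attacker used; the From: header claims to be the manager.
SAMPLE_MESSAGE = """Received: from mx.targetdomain.com (mx.targetdomain.com [192.0.2.10])
\tby mail.targetdomain.com with ESMTP id 8F2A; Mon, 16 Jun 2008 09:14:02 +0200
Received: from server (unknown [198.51.100.77])
\tby mx.targetdomain.com with SMTP id 7C31; Mon, 16 Jun 2008 09:14:01 +0200
From: manager@targetdomain.com
To: recipient@targetdomain.com
Subject: Urgent payment

This is a customised fraud message
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # address the receiving MTA saw
HELO_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)  # name the sender claimed in HELO
DOMAIN_RE = re.compile(r"@([\w.-]+)")


def received_hops(raw):
    """Received: hops oldest first, each as (helo_name, relay_ip_or_None)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        helo = HELO_RE.match(flat)
        ip = IP_RE.search(flat)
        hops.append((helo.group(1) if helo else None, ip.group(1) if ip else None))
    hops.reverse()      # each MTA prepends its header, so the last one is the first hop
    return hops


def first_hop_ip(raw):
    """IP address of the server that originally injected the message."""
    hops = received_hops(raw)
    return hops[0][1] if hops else None


def claimed_sender_domain(raw):
    match = DOMAIN_RE.search(message_from_string(raw).get("From", ""))
    return match.group(1).lower() if match else None


def spoof_indicators(raw, own_domain, own_relays):
    """Flag a message that claims your own domain but entered via an unknown relay.
    own_relays: the IP addresses of the mail servers your users really send through."""
    domain = claimed_sender_domain(raw)
    ip = first_hop_ip(raw)
    from_own = domain == own_domain.lower()
    trusted = ip is not None and ip in own_relays
    return {"claimed_domain": domain, "first_hop_ip": ip,
            "from_own_domain": from_own, "first_hop_trusted": trusted,
            "suspicious": from_own and not trusted}


if __name__ == "__main__":
    print(received_hops(SAMPLE_MESSAGE))
    print(spoof_indicators(SAMPLE_MESSAGE, "targetdomain.com", {"192.0.2.10"}))
```

Only the Received: line written by your own MTA can be trusted; lines below it were supplied by the relay and may themselves be forged, which is why the check keys on the IP your server recorded.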

Here is a video clip demonstrating the spoofing process.

Related posts
Tutorial - Measures for minimizing Spear Phishing Attacks

Talkback and comments are most welcome

8 Steps to Better Securing Your Job Application

The average resume of any person contains a significant amount of personal data that is submitted in good faith to persons and companies that we rarely know. This is especially true when applying for a position through a recruiting agency. While most agencies have strictly legal business goals, there can be some malicious or alternate motives involved. Therefore, a certain amount of due diligence must be exercised before submitting your resume.

Example Scenario
A subsidiary of Shortinfosec Democorp - Shortinfosec Human Capital - publishes the following ad in the papers, on Monster.com and LinkedIn.com:

Shortinfosec Human Capital is evaluating applications for the position of
The Manager of Information Technology for a reputable Telco company.

The successful applicant must have at least 7 years experience in Information Technology, specifically in telco IT ops infrastructure with BSS system on Oracle Databases and IBM Storage Systems, with a minimum of 3 years experience in position in which he/she was responsible for team management.

We offer a very competitive compensation package.

Analysis
This is an opportunity at which a very large number of applicants will jump. The ad contains a filtering factor, which targets the position to a specific group - a telco company whose Billing System database is Oracle, and whose Storage System is IBM.

Within 2 weeks of the post, Shortinfosec Human Capital has the names, addresses, e-mails, phone numbers and entire CVs of employees of several companies who have the described infrastructure.
If Shortinfosec Human Capital is on the level, it will select a candidate and destroy all other records.

If Shortinfosec Human Capital is just a front, here are the grim options:

  1. The ad is a front for analysis of employees that are ready to jump ship, or to shift to a competitor. In such a case, the company that hired Shortinfosec Human Capital will receive a list of their employees, who may then be subject to unfair treatment. In another scenario, Shortinfosec Human Capital may sell information to several companies about their respective employees that are prepared or preparing to leave.
  2. The ad is a front for a well-planned security attack. With the collected information, the attacker has a list of people who have knowledge of the infrastructure, access to administrative privileges, and are generally trusted by the organization. They can be further targeted for blackmail, resource theft (laptop with corporate data) or can be referred to in a social engineering attack.
  3. The ad is a front for a hacker attack on specific infrastructure, which investigates which companies have a specific infrastructure with known flaws that can then be targeted for a specific attack.

Recommendations

Before applying for a job, especially on an Internet published ad, take a couple of hours to investigate the publisher. There is no silver bullet for total protection, but the following steps will help you to weed out most of the malicious ad publishers:

  1. Analyze the domain name of the publishing agency - is the registered company the same as the name in the ad?
  2. Check when the domain was registered and use the Wayback Machine to check that the web site was consistent with their advertised line of business for at least 2 years - be very wary of brand new companies, or companies not having a web site.
  3. Check that they have a physical address, and that it is consistent over a longer period (again, Wayback Machine).
  4. Check the ad boards to see whether the same company published other ads before.
  5. If you were contacted directly, try to find out how they reached you or heard about you.
  6. Look for a privacy statement on their web site, and even in the ad - print out these pages and save them; if all else fails, they may be usable in legal actions.
  7. Use LinkedIn connections to possibly get referrals on the work of the publisher.
  8. Be careful of PO Box addresses; if such exist, take extra care to confirm them using the above steps, and even contact the publisher via phone to again confirm the PO Box number.
Related posts
Tutorial - Measures for minimizing Spear Phishing Attacks
Understanding Penetration Testing Methodology


Talkback and comments are most welcome

Information Security and Strategy Carnival - Issue #2

For the second issue of the Information Security and Strategy Carnival, I am pleased to present the following texts:

Paul Wilcox at Security Manor has published a good article on protecting minors that manage their own web portals - the amount of information available about the author and the owner of the domain is significant, to say the least. With such information collected, they can become targets for all sorts of criminal acts.
Full story - Parents - Do Your Kids Have Their Own Website?

Rich Maltzman, PMP over at Scope crêpe discusses risk analysis from the point of view of project management in his article
The Big Yellow Taxi of Project Management

Laura Milligan at Bootstrapper discusses productive searching in Google (maybe hacks is unwarranted :))
50+ Google Reader Productivity Hacks

The Leadership in action blog has a great article on changes in an organization
Acknowledging the Pain: Change in an Organization

Last but not least, the WM Media blog discusses the pros of outsourcing your web design
Should You Build Your Own Website or Hire a Designer?
I would like to add a few cons, like the risk of dependency on the designer for all further changes, the risk of cost rise for maintenance, and the risk of the designer stopping or refusing work (for example, found a better job). Is it good to outsource? Yes, but with proper steps to ensure a mutually beneficial relationship.


The next issue of the Information Security and Strategy Carnival is due on the 1st of July 2008.

Please send submissions by the 25th each month to e-mail:shortinfosec _at_ gmail dot com or submit them through the Blog Carnival Web Portal http://blogcarnival.com/bc/submit_3975.html

Related posts
Information Security and Strategy Carnival - Issue #1


Talkback and comments are most welcome
