Competition Results - Computer Forensic Investigation

The computer forensics competition is finished

We have a winner and two honorable mentions
We have also published the results and the methodology of the winner.

Congratulations to the winner, and well done to all participants!

Please review the results of the competition here

_________________________________________________________________________

Information Security and Strategy Carnival - Issue #3

For the third issue of the Information Security and Strategy Carnival, I am pleased to present the following texts:

Paul Wilcox at Security Manor presents

WM Media presents

Colleen Dick at Hot Dorkage presents Credit card security online: what you need to know.

Theme Lib at ThemeLib presents Be Careful of Fake Paypal Emails, a variant on the phishing/pharming attack method.

CMOE at CMOE - Strategic Thinking Blog presents Critical Elements of Strategic Leadership: Beyond Corporate Strategy

Marcus Hochstadt at Internet Business Guide presents Protecting Your Computer Using Deep Freeze

That concludes this edition. The next issue of the Information Security and Strategy Carnival is due on the 1st of August 2008.

Please send submissions by the 25th of each month to e-mail: shortinfosec _at_ gmail dot com, or submit them through the Blog Carnival Web Portal: http://blogcarnival.com/bc/submit_3975.html



Related posts
Information Security and Strategy Carnival - Issue #1

Information Security and Strategy Carnival - Issue #2


Talkback and comments are most welcome

Blueprint - Successful IT Organization

Different types of organizations have different views of IT. Usually there are two general kinds of IT organization: a Corporate IT and a Service Provider IT. There is a HUGE difference in the way things work in those two. By comparing them, here is a blueprint of a functional IT organization.

My first job was in an ISP. My second was in technical sales of a large corporate organization. In both functions I had to cooperate and work with the IT guys.

Corporate IT organization - a typical and frequent organizational structure within large companies. Their characteristics are as follows:

  • Take time to react to requests - as specified in the policies and procedures
  • Follow established procedures to the letter, but rarely object to them or try to improve them
  • Document everything - as per the defined standards
  • Focus on maintaining the services and/or calling up the supplier
  • Have a very clear, usually multi-tiered organizational structure
  • Within the structure, very few people are empowered to make decisions
  • Have a systematically planned and available budget for all required activities
  • See the service as their job - they will maintain it and escalate as per the procedures. At the end of the day, the next shift takes over, and the employees forget about it until the next day.
  • In case of an incident, will communicate the issue to other units for resolution.

Service Provider IT organization - a typical and frequent organizational structure within ISPs or smaller software development companies. Their characteristics are as follows:

  • React as fast as possible to any request
  • Usually avoid procedures, or have a very loose understanding of them. Constantly try to change procedures to make their life easier
  • Document some things - in a hurry, and rarely in a form usable by anyone other than the author
  • Focus on delivering a service as fast as possible
  • Have an overlapping or flat organizational structure
  • A lot of people are empowered to make decisions
  • Have a planned but rarely sufficient budget for all required activities - tend to make the most out of current resources
  • See the service as their own - they will do anything and everything to make it work. They take it very personally when things don't work.
  • In case of an incident, will help each other, even if it is only by bringing coffee to the other guys.

Both organizations clearly have strong points as well as problems, which arise from their understanding of what their job is:

  • Corporate IT is systematic but very rigid and usually slow to deliver a service.
  • Service Provider IT is fast and customer oriented, but usually functions on the edge of chaos.

From the above characteristics, taking the strong points of each, here is my proposal for the best-functioning IT department:

  • React as fast as possible to any request - try to minimize the reaction time specified in the policies and procedures
  • Follow established procedures, with exceptions - document the exceptions for review of the procedures. If you find a procedure that hampers you, escalate to remedy it.
  • Document everything, but don't be too strict about the standard - the team leader should be the manager of all the team's documentation: collects and organizes, but rarely writes.
  • Focus on delivering the services ASAP, but in a coordinated effort - there is no "software error" or "hardware error". There IS AN ERROR. If the service is purchased from someone, all people should be aware of the service contract, so they can pester the supplier within the contract limits
  • Have as flat an organizational structure as possible - your team leaders should be few, and chosen by efficiency and ability, not by seniority.
  • Empower as many people as possible to make decisions, within their area of expertise.
  • Promote a culture of "service ownership" - the IT teams should treat the service as more than just their job.
  • Promote a culture of mutual assistance - in case of an incident, everyone should pitch in together. To avoid procedural problems, a person with authority should be included and advised of the process
This ideal blueprint is not achieved overnight. But here are the steps that should get you there:

  • Position the IT as a business - establish a business aspect of IT's work and enforce it, including costs, profitability, head count, resources. Even strive to establish a brand for your IT within the corporation.
  • Empower your teams - encourage your teams to educate themselves, and delegate responsibility to them for parts of, or a whole, service in your everyday portfolio. There is nothing more rewarding for an engineer than to see his creation in function and use.
  • Encourage mutual cooperation instead of delegation or escalation - avoid the "not my problem" philosophy. Wherever possible, strive to resolve things through horizontal communication
  • Organize the teams for efficiency, not for seniority - your most senior people may not be your best team leaders. Good leaders are readily visible in times of incidents and potential problems. It is then that you can see who will step forward, direct, give advice, coordinate. You are the manager and accountable for the entire operation. So regardless of personal emotions, choose the best parts for your engine.
  • Maintain procedural compliance - this is a very difficult part. This is where team leaders will have to step up and earn their salary. In all processes, strive to maintain efficiency while adhering to procedures as much as possible. Also remember that procedures are not set in stone, and can be changed.
  • Award good work - think out of the box. Contrary to the mantra "don't praise me, just pay me", there are hundreds of ways for a manager to award an employee. Here are some that I have seen work beautifully:
    • verbal commendation in front of peers;
    • opportunity for education and training (usually costs much less than a raise);
    • free personal time when needed;
    • asking for advice and expert opinion on subjects;
    • inclusion in strategic projects;
    • delegating the person as representative in intracorporate projects;
    • corporate benefits - special discounts at stores for your team, team building trips

Talkback and comments are most welcome

ICANN and IANA Domains Hijacked

On the 26th of June 2006, the official domains of ICANN, and IANA were hijacked by the NetDevilz Turkish hacking group.

The hackers group redirected visitors to the ICANN and IANA sites to another server hosted at Atspace.com, specifically to 82.197.131.106.
There, they displayed a defacement message (screenshot).

ICANN is the Internet Corporation for Assigned Names and Numbers, and IANA is the Internet Assigned Numbers Authority - the very organizations that assign Domain Names!
So far, there is no definitive answer on how the hijacking was performed.

This event is further proof that every organization, regardless of size or expertise, is vulnerable to hacker attacks.

Related posts
8 Tips for Securing from the Security expert
Citibank PIN Heist - Sources of Security Breach

Talkback and comments are most welcome

Template to Regulate your Firewall Configurations

In many companies, the powerful firewall systems are regarded as black boxes that provide protection in and of themselves. Such organizations tend not to control their firewalls properly. This often leaves the full responsibility for firewall management and rule setting on a small (and usually overworked) group of administrators.

The problem with such an approach is that the firewall administrators are the only ones who know and understand what rules and permissions are set on the firewalls. Furthermore, this puts the burden of proper security directly on their shoulders.

In case of a security breach, an audit may show that an improper configuration was set up on the firewall, either intentionally or by mistake. But in any case, the administrator will then have the argument that he performed under the "best effort" principle, and didn't have the big picture or proper guidelines.

Therefore, it is very useful to create a Corporate Firewall Policy. This policy is a high-level document that will:

  • assure firewall setup compliant with the Corporate Security Policy
  • provide a high-level, easily readable description of the rules that must be applied to the firewalls
  • regulate responsibilities for set-up and approval of rules
  • regulate emergency changes to rules
  • regulate audit and control of compliance with the policy
  • give the administrators a guidebook on what to actually set up
Information Security Short Takes has prepared a Template document, that you can download and use as a basis for your own Firewall Policy.

Download the Firewall Configuration Policy Template HERE


Related posts
8 Tips for Securing from the Security expert
Be Aware of Security Risks of USB Flash Drives
Check Your DNS Zone Transfer Status
6 steps to securing your backup media

Talkback and comments are most welcome

Keep Your Security Systems Patched

Even a company with a very high level of security awareness can become a victim of simple oversight. Such companies have implemented the works: network segregation; firewalls on all egress points; corporate antivirus with automatic updates; a WSUS server. And yet, a lot of these companies are vulnerable, since they haven't patched or upgraded their security systems.

In the complex infrastructure of today's networks, it is very easy to regard certain elements as self-sufficient black boxes, which you set up and never need to touch. Even more so when, because of budget cuts, you don't have enough manpower, or training, or both.

But your security systems are nothing more than computers, even if they have the appearance of strange black devices without a VGA or keyboard interface. And, as with any computer, their operating systems have bugs and glitches, and the programs that they are running (firewalls, IDS, routing) can have bugs and be compromised.

This is the avenue by which a prepared attacker can gain access into your network.

Example Scenario
A number of e-mails destined for the company were undelivered, and a customer is complaining that he cannot communicate properly. An investigation concludes that the Intrusion Protection System (IPS) falsely identifies the e-mails as malicious and drops the IP packets of the SMTP session. The protection feature of the IPS is disabled.
Two days later, the mail server is compromised by a malicious attacker.

Analysis
Due to a bug in the IPS software, it created a large number of false positives, while also successfully blocking actual malicious attacks. A new version of the IPS software was available but wasn't installed. After the disabling of the protective feature, a botnet performed an automated attack and discovered that the infrastructure is vulnerable to the malicious message.

Recommendations

  1. When purchasing security systems, apart from purchasing a subscription service for attack/virus signatures, always include an agreement for regular updates of the engine/operating system. It is a good idea to task the supplier with the proactive responsibility to inform you of available updates.
  2. In parallel, task an internal person/team with reviewing the advisories from the manufacturer of the equipment, in order to plan upgrades or patching of the infrastructure operating systems. These persons should primarily watch advisories for: firewalls and other security equipment; network infrastructure; services and servers which are contactable from the outside.
  3. An attack can usually be blocked at more than one point on the attack path. Maintain a layered defense, with updated versions of software and up-to-date patches on all levels. Even if you fall behind on patch level on one layer, you are relatively safe with the other layers in place until you fix the issue.
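To make recommendation 2 concrete, here is an added example in Python (not from the original post, and not any vendor's tool): a constructed inventory of security devices is compared against a constructed list of manufacturer advisories, and every device running a version older than the advisory's fixed version is put on a work list, ranked so that internet-facing firewalls and IPS devices come first. All device names, product names, versions and advisory identifiers are placeholders invented for the example.

```python
"""Added example, not from the original post: match a device inventory
against vendor advisories and rank what to patch first.

Every product, version and advisory ID below is a constructed placeholder,
not a real product or a real vulnerability identifier."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    version: str
    role: str            # "firewall", "ips", "router" or "server"
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # placeholder, constructed for this example
    product: str
    fixed_in: str        # first version that contains the fix
    severity: str        # "low", "medium", "high" or "critical"


# Constructed inventory: what the internal team keeps track of
INVENTORY = [
    Device("fw-edge-1", "ExampleFW", "5.2.1", "firewall", True),
    Device("ips-dmz-1", "ExampleIPS", "3.0.9", "ips", True),
    Device("core-sw-1", "ExampleOS", "12.4", "router", False),
    Device("mail-1", "ExampleMTA", "2.7.0", "server", True),
    Device("fw-internal", "ExampleFW", "5.3.0", "firewall", False),
]

# Constructed advisories, as the manufacturer would publish them
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "ExampleFW", "5.3.0", "high"),
    Advisory("ADV-EXAMPLE-002", "ExampleIPS", "3.1.0", "critical"),
    Advisory("ADV-EXAMPLE-003", "ExampleMTA", "2.7.0", "medium"),
    Advisory("ADV-EXAMPLE-004", "ExampleOS", "12.10", "low"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(version):
    """Turn '12.10' into (12, 10) so that 12.10 > 12.4.
    Comparing version strings lexically would get this wrong."""
    return tuple(int(part) for part in version.split("."))


def is_affected(device, advisory):
    """A device is affected when it runs the product below the fixed version."""
    return (device.product == advisory.product
            and parse_version(device.version) < parse_version(advisory.fixed_in))


def priority(device, advisory):
    """Severity plus exposure: reachable from the outside and security
    equipment (firewall/IPS) move to the top of the list."""
    score = SEVERITY_RANK[advisory.severity]
    if device.internet_facing:
        score += 2
    if device.role in ("firewall", "ips"):
        score += 1
    return score


def patch_worklist(inventory, advisories):
    """Return (device name, advisory id, priority) triples, highest first."""
    work = [(d.name, a.advisory_id, priority(d, a))
            for d in inventory for a in advisories if is_affected(d, a)]
    return sorted(work, key=lambda item: (-item[2], item[0]))


if __name__ == "__main__":
    for name, advisory_id, score in patch_worklist(INVENTORY, ADVISORIES):
        print(f"{score:2d}  {name:12s} {advisory_id}")
```

Running it lists the DMZ IPS first, then the edge firewall, then the internal router; the mail server is on the fixed version and does not appear. The version parsing is the part worth copying: a plain string comparison would consider "12.4" newer than "12.10" and silently drop that router from the list.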

Related posts

Check Your DNS Zone Transfer Status

DHCP Security - The most overlooked service on the network
5 Rules to Home Wi-Fi Security
Why don't you like my network?

Talkback and comments are most welcome

Microsoft Patch Reissued

A vulnerability in the Bluetooth stack of MS operating systems was patched in MS08-030. However, Microsoft has re-released the patch for MS Windows XP Service Pack 2 and 3.

Here is the statement by Christopher Budd of Microsoft:

After we released MS08-030 we learned that the security updates for Windows XP SP2 and SP3 might not have been fully protecting against the issues discussed in that bulletin. As soon as we learned of that possibility, we mobilized our Software Security Incident Response Process (SSIRP) to investigate the issue.
Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not.
Our engineering teams immediately set to work to address the issue and release new versions of the security updates for Windows XP SP2 and SP3. These are available now and are being delivered through the same detection and deployment tools as the original update.


The amazing fact is that Microsoft did not manage to protect the product with the largest installed base of customers, ergo, the largest attack surface.
This only goes to show that software patching, even in very large companies, can have errors.

On the user's side, this means that even if you are patching regularly, NEVER rely only on patches to maintain security.

Talkback and comments are most welcome

Citibank PIN Heist - Sources of Security Breach

Citibank ATMs became the target of fraudulent withdrawals by at least two men this February. Allegedly, the entire incident was related to a computer security breach of Citibank's servers that process ATM transactions.

This is the first time that actual major financial fraud is related to a computer security incident. However, Citibank denied that any of their systems were compromised.

The Threat Level Blog of Wired magazine is following the story, with a new development in which new frauds are appearing and Citibank is replacing the ATM cards of a number of their customers. In the letters sent to customers, Citibank explains the replacement with an "identified data compromise involving the credit and debit card payment system used by a third party ATM network".

Naturally, both Citibank and the authorities will not reveal details of the problem until it has been rectified, and even then certain elements may not be disclosed to the public. This series of events sheds light on a different and largely omitted aspect of data security:

  1. Another organization's lapse in security can cause you a lot of grief and negative exposure
  2. A security breach of your information can easily be caused by a business partner whose security is not up to expectations
  3. The attackers will not always approach you in order to steal from you

In today's networked business, there is no foolproof protection for your information. But in order to minimize the risk towards your business, exercise the following simple rules:

  1. Always agree on security levels for infrastructures and processes of your business partners.
  2. Make periodic audits that the agreed levels are respected and enforced
  3. Maintain vigilance on your information in the wild - the faster you identify that some information is in the wild, the less impact it will have on your business

Related posts

Risk of losing backup media - real example
8 Tips for Securing from the Security expert
TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop

Talkback and comments are most welcome

Update - Apple fixes the carpet bombing bug

Last week Shortinfosec published an analysis of Apple's decision to delay the carpet bombing fix until the next official release.
To say the least, this decision was not well accepted.

However, it seems that Apple is listening to the customers. Apple released an update that among other things, should fix the carpet bombing bug. You can read the details at Insanely Great http://www.insanely-great.com/news.php?id=9253

This is a very positive surprise from Apple. Keep up the good work!

Related Posts
Safari Carpet Bombing - A Bug in Different Context

Talkback and comments are most welcome

Rules for good Corporate Web Presence

In the era of the Internet and communications, there are still a lot of organizations which have a poor or misconfigured web presence. This leads to unavailability, loss of contact with potential customers, and even reduced reputation due to a bad or missing web presence.
This trend is especially true for public services and organizations where management is centralized and has poor Internet awareness.
Here are a few examples of common mistakes:

  • Hosting a web site on a non-default port - very common when you hire very cheap webmasters or use an improperly trained administrator to set up the web server. Several web servers install themselves on TCP port 90 or 8080, for security reasons, until the service is ready for commercial rollout. If the web server remains on a port different from the default 80, some visitors may not be able to access it. This is especially true for visitors from large corporate networks, where proxy and security systems are often configured not to allow access to sites on non-standard ports.
  • Hosting a web site on an IP address, without a domain name - a very old mistake, and one that was supposed to have vanished by now. It is difficult to communicate an IP address, it is difficult to remember an IP address, and it is difficult to change and re-communicate an IP address. It should NEVER be done.
  • Using IT for content management - even if IT created the engine, prepared the server and started it, they should not be tasked with content management. Because of its primary function, IT will always put a higher priority on maintenance of the infrastructure than on content management. This will lead to incomplete or outdated content.
  • Allowing the domain name to be stolen - bear in mind that your corporate domain name is yours only until the lease expires. It costs around 10 USD/year to renew the lease, but if you forget to renew before the lease expires, it's a first come, first served principle. There are persons and even companies known as domain trolls, which target large organizations and good domain names, and wait for a mistake. If you forget to renew your lease, they can take it from you, and then they will blackmail you into buying it back for a lot more than 10 USD. In the meantime, your corporate web presence is unavailable, or even replaced with content which may harm your corporate reputation.

Here are several rules for setting up a good corporate Web presence:
  1. Outsource the hosting of the web site to a commercial hosting company - avoid using internal resources for web site and server management. Unless you have a very large and experienced team, your people will need to learn web hosting and maintenance on the job, and this can lead to poor quality, failures, even security holes.
  2. Confirm that your site adheres to de-facto standards - insist on standardised TCP ports and registered domain names, and avoid any reference to an IP address.
  3. Maintain your site and domain availability - lease the domain name for several years in advance, and task one person with personal responsibility to renew the lease on time.
  4. Delegate content management to the business - whatever is on the site is business oriented, and should be maintained by the business. Each business unit should have a content manager, who should use a simple web-based editor interface to manage content.
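Rules 2 and 3 can be checked mechanically. Here is an added example in Python (not from the original post): a small audit script that takes a list of the corporation's published URLs and flags the three technical mistakes above, that is, a site served on a non-default port, a site published by IP address instead of a domain name, and a domain lease that has expired or is about to. The URLs, domains and expiry dates are constructed placeholders (the .test TLD is reserved for exactly this purpose), and the registry data is a hand-written dictionary standing in for what you would read from your registrar account.

```python
"""Added example, not from the original post: audit a list of corporate
web sites for non-default ports, IP-literal hosts and expiring domains.
All URLs, domains and dates are constructed placeholders."""
from datetime import date
from ipaddress import ip_address
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed registry inventory: registered domain -> lease expiry date.
# In practice this comes from your registrar account or a whois lookup.
REGISTRY = {
    "example-corp.test": date(2008, 7, 15),
    "example-public.test": date(2010, 1, 1),
}

# Constructed list of the sites the corporation publishes
SITES = [
    "http://example-corp.test/",
    "http://example-public.test:8080/",
    "http://192.0.2.10/",
    "https://www.example-public.test/",
]


def is_ip_literal(host):
    """True if the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host):
    """Crude approximation: the last two labels of the host name. A real
    check should consult the public suffix list (think co.uk), which is
    beyond this example."""
    return ".".join(host.split(".")[-2:])


def check_site(url, today, registry=REGISTRY, warn_days=90):
    """Return a list of findings for one URL (empty list means no issue)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []

    # Rule: standard TCP port, otherwise corporate proxies may refuse it
    default_port = DEFAULT_PORTS.get(parts.scheme)
    port = parts.port or default_port
    if port != default_port:
        findings.append(f"non-default port {port}")

    # Rule: a domain name, never a bare IP address
    if is_ip_literal(host):
        findings.append("published by IP address, no domain name")
        return findings  # there is no domain lease to check

    # Rule: keep the domain lease current, and warn well ahead of expiry
    expiry = registry.get(registered_domain(host))
    if expiry is None:
        findings.append("domain not found in registry inventory")
    else:
        days_left = (expiry - today).days
        if days_left < 0:
            findings.append(f"domain lease expired {-days_left} days ago")
        elif days_left < warn_days:
            findings.append(f"domain lease expires in {days_left} days")
    return findings


def audit(sites, today, registry=REGISTRY):
    """Map each URL to its list of findings."""
    return {url: check_site(url, today, registry) for url in sites}


if __name__ == "__main__":
    # Constructed "today" so that the output is reproducible
    for url, findings in audit(SITES, date(2008, 6, 30)).items():
        print(url, "->", findings or "OK")
```

Run on the constructed list with 30 June 2008 as "today", it reports the first site's lease as expiring in 15 days, the second as served on port 8080, the third as published by IP address, and the fourth as clean. The expiry warning is the rule that pays for itself: it turns "someone should remember to renew" into a report that the responsible person from rule 3 sees every month.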
Related posts
Creating Your Own Web Server
Tutorial: Making a Web Server
Web Site that is not that easy to hack - Part 1 HOWTO
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks

Talkback and comments are most welcome

Another Bad D.M.C.A. - Canadian Bill C-61

Last week Bill C-61 was introduced in the Canadian parliament. Supposedly it protects digital media from copyright infringement. The danger is that the law will not serve only to protect the copyright of music and video files, but will possibly hamper the usage of legally purchased material.

Here is a flagrant example. Bill C-61 grants the copyright holders the right to demand damages from anyone who bypassed any sort of encryption, with a few exceptions regarding interoperability, encryption research and security.

  • 3v3n v3ry l4m3 3ncrypt1on.

If this bill is passed into law, and you managed to read the above sentence, the author can claim that you breached an encryption algorithm, and sue you for $500 per infringement.

While the Dmitry Sklyarov incident should not be repeated, we can expect a lot of confusing and debatable infringements, like:

  • Transferring your legally purchased music from a CD to your iPod
  • Playing a region 2/3/4/5/6 DVD that a visitor/tourist/student purchased legally and brought with him for his personal use
  • Using copy/paste from electronic books for quoting within research papers

So, if this bill is passed into law, here are several scenarios which can happen:

  • Within the borders of Canada, any company having a product with a ridiculously stupid or vulnerable encryption algorithm will be able to sue the user who bypassed the vulnerability for his own use.
  • Even if such a vulnerability is identified by a security expert, it may not be treated or corrected by the manufacturer, since they will deem themselves protected by the letter of the law.
  • Even with the exceptions regarding interoperability, encryption research and security, ethical security experts may be wary of analyzing and publishing vulnerabilities, since if they are challenged, they will need to prove their intent and that they didn't use the vulnerability for ANY infringement.

Related posts

Risk of losing backup media - real example

8 Tips for Securing from the Security expert

TrueCrypt Full Disk Encryption Review

5 rules to Protecting Information on your Laptop

Talkback and comments are most welcome

ITILv3 Foundations Training - Experiences

Last week I attended the official IT Service Management (ITILv3) Foundations training. The training is a 3 day boot camp, which covers the processes in the following ITILv3 areas

  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operation
  • Continual Service Improvement
The training is an excellent tutorial for everyone who wishes to advance their career into IT management. The topics touch both the IT as well as the business aspects of IT services. Anyone who has ever worked in implementation or service maintenance (like ISPs or internal IT) will find himself on familiar ground.
What's new is the excellent structure of the ITIL processes, starting from understanding customers and market needs, via preparing the service and appropriate quality levels, to actual installation, testing and operational maintenance of the service.
Usually, the trainees start relating their experiences and find the gaps where they could have done things differently.

As I found on the Internet, the list price of the course is substantial (more than 2000 USD), but the knowledge is valuable. There are subsidised courses for those with a lower income, but you need to look for them.
Also, the boot camp usually includes the official certification exam. I would definitely recommend taking the certification.

Creating Good Software - Align expectations and development

The easiest way to create a bad product in custom development is to misunderstand the customer's expectations. This is a discussion of the risks brought by poor specification, poor understanding of business needs, and the hurry to make a profit.

Medium size businesses are usually partnering with one or two software development companies. These businesses are entering a partnering relationship with the software company, and nearly always turn to them for their solution needs.

From a business perspective, this arrangement makes sense for both sides.

  1. The business has the guarantee that whatever new product is delivered will be able to seamlessly integrate with their current systems.
  2. The software development company has a broadened influence on the business and knows that they will extend their cooperation for at least several years more.
The problem with this arrangement is that the customer is trusting the software supplier to deliver any and all possible solutions, even those that aren't in the core product line of a software development company.

Example scenario
Shortinfosec Democorp is using a Customer Relationship Management (CRM) system developed by ACME Software Devel. According to the new business model of Democorp, a new billing system is needed for proper invoicing of delivered goods and services. ACME Software Devel is invited to create the billing system. The requirements given by Shortinfosec Democorp are the following:
  • The system needs to generate invoices for all customers, summing up all their outstanding charges
  • The system needs to be able to create discounts for VIP customers in the CRM system
  • The system needs to produce reports for invoiced and outstanding amounts
ACME Software Devel receives the specification, confirms ability to finish the job and creates a product. During testing of the delivered product, the following issues are raised by Shortinfosec Democorp:
  • The billing system does not interface with accounting, to track payments
  • The billing system does not calculate interest on late payments
  • The billing system operates with the current product set, and there is no flexible way to implement new products
  • The discounts are limited to fixed amount or fixed percentage for the VIP customers
  • The reporting aspect is limited to 2 reports
ACME Software Devel responds that these issues were not mentioned in the initial specification, and requests a threefold increase of the agreed price to deliver the required changes. After tense negotiations, ACME Software Devel is contracted to scrap their solution and provide interfaces for a third-party billing system. Shortinfosec Democorp hires a consultant to define all requirements and issues an international RFP for the billing system.

Analysis
The process described above was riddled with errors.
  1. The original specification given by Shortinfosec Democorp is quite poor and abstract - the project manager for the billing system did not do sufficient research to identify all the required aspects of the desired solution
  2. ACME Software Devel assumed that the specification is final and that the product is very simple - the software company's account manager and project manager did not expand the analysis with the customer to investigate all possible issues.
  3. Both time and money were spent on the assumption that the other side knows it all and will tell/do all that is needed - the process at least doubled in cost and time frame.
  4. The entire exercise ended in a tense relationship and diminished trust between both partners - both parties were left dissatisfied with the other one, and a good business relationship was degraded.
Recommendations
While it can always be discussed that the responsibility for functional specifications falls on the buyer, the software development company should seize the opportunity to help or guide the buyer to produce a mutually agreed good product.
Here are several steps that should be taken to improve the cooperation between partners in creating a new software solution.
  1. Never assume that the specification is all the customer needs. If the specifications are too inconclusive or general, strive to specify them in greater detail. This will reduce the need for assumptions and possible incompatible design in the finished product.
  2. Research the market, and see what is actually behind the simple sentence uttered by the buyer. For instance, the buyer might like the idea of software managing the queues of people in front of their sales counters. But this software is known as customer flow management, and is an entire science of its own.
  3. Establish a good and permanent collaboration with the buyer. Collaborate as much as possible in the early stages - even when the new requirement is still an idea. Always present
  4. If necessary (often it is, to reduce conflict of interest), suggest an external consultancy to assist the buyer in the process of defining requirements, so that the finished specification is easy to follow.

Related posts

Information Risks when Branching Software Versions

3 rules to keep attention to detail in Software Development

8 Golden Rules of Change Management

Application security - too much function brings problems

Security risks and measures in software development

Security challenges in software development

Talkback and comments are most welcome