“It’s those users that keep their standard system settings that are at the greatest risk, Intego says. Because the Safari browser is set to consider installer packages as safe (those files with a .phg or .mpky extension) it will automatically launch after download if their settings aren’t changed from the default. Intego advises users remove those settings.”

Following graphic shows the Safari setting in Snow Leopard.

Uncheck this box!

I guess it’s time for less Windows-bashing and a little more attention to Mac security…

First we learn that any employee at Dropbox has access to our data. According to the Dropbox site,

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The problem I had with this was the lack of communication to customers that this was the case.  Many of us understood that NOBODY could access our data.  Well, no problem.  I simply used TrueCrypt to encrypt sensitive data.  This was inconvenient and caused some performance issues.

As regular listener of Security Now, I decided to try the highly recommended Carbonite.  Not only does it back up all my data, but all my Office files and PDFs are available via my iPad and iPhone.  In addition, nobody can access my files but me…  Finally, the cost is pretty low: $59 per year for unlimited storage.

After testing Carbonite, I wasn’t yet ready to drop Dropbox.  However, today I read that they left all files available to the public for four hours yesterday.  (sigh).  I guess it was too much to expect a great cloud file respository to actually be secure, too.

Whenever we perform an action, or fail to act, there are consequences.  A popular zen teaching uses an analogy of picking up a stick; if you pick up a stick holding one end, the other comes with it.  The same is true of sharing personal information online.  There is always the chance  your information will fall into the wrong hands.  Whether or not you share your information should be a matter of trust, of your assessment of risk.

Trust varies between online services.  For example, the steps my bank takes to protect my information are regulated and pretty strong–not perfect, but strong enough for me to take the risk of using its online services.  On the other hand, I would never post anything I don’t want the world to know about on Facebook.

Social networks are not heavily regulated… yet.  And we don’t want them to be.  I don’t want the government sticking its finger into everything I do online.  So, I need to take some responsibility for my actions and not complain to my congressman or senator when my pictures of my last frat party compromise my integrity and that of several others.  Knowing Facebook is a social network, designed for SHARING, why would I assume the risk of putting sensitive content there?  Why would I place my trust in any social networking service?

The same is true of doing business online.  There are differences in how “due diligence” is defined between online business services.  It is our responsibility to ask the right questions before using any service.  If we don’t, we are just as responsible as the service provider when data is stolen… or worse.  Further, regular audits or other assessments are necessary to ensure initial trust does not drift in the wrong direction.

Before sharing your business or personal information with anyone, ask yourself how much you trust the other guy.  If the answer is, “not as far as I can throw him,” then go somewhere else.

“WordPress.com was hit with another wave of attacks today (the fourth in two days) that caused issues again,” he said. “This time we were able to recover more quickly, and also determined one of the targets to be a Chinese-language site which appears to be also blocked on Baidu [China's largest search engine]. The vast majority of the attacks were coming from China (98%) with a little bit of Japan and Korea mixed in.”

The SAS 70 was never intended to be a test of the effectiveness of an organization’s security controls.  Rather, it simply checks to see if controls are in place–controls as defined by the audited organization’s own management.

In the article, SAS 70 replacement: SSAE 16 – CSO Online – Security and Risk, CSO’s Bill Brenner takes a look at something that may strengthen SAS 70… a replacement.

If it’s for security, why bother? I can access Facebook and Twitter from my iPhone and iPad using other tools. For example, I sent a Facebook post (just because I could) using my email. I continued to receive friend updates via email and text messaging. I could also post photos or video from my iPhone. So any HIPAA compliance intent is fully circumvented.

If the hospital is blocking social networking to preserve bandwidth, it needs to reconsider. Today’s patients–and their families–have integrated 24/7 social contact into their lifestyles. Blocking access is simply a poor business decision.

Finally, they may block blogging before my next visit, given that I am writing this on my iPad will sitting in my mom’s room…

First, make sure you can centrally manage all handheld devices that connect.  Yes, this includes user-owned devices.  If you allow them to connect to company email or the company’s internally facing WiFi network, then you have some additional rights.  The most basic of these is the right to wipe lost or stolen devices.  This also includes wiping any user-owned device in the possession of a departing employee.  They don’t get to take data along to the next employer…

RIM provides this in its enterprise server offering.  iPhone and Android phones are manageable via Microsoft Exchange.  It doesn’t matter how you do it, but place a policy in place, wrap some processes around it, and enforce central management across all devices–including those owned by C-level managers.  Yes, they lose their phones, too.

The other must-have security control is central policy management.  Again, if data for which you’re responsible is on a device, you have the responsibility to protect it.  So creating mandatory password or PIN policies is a necessary part of handheld device security.  No, your users won’t like this.  But, hey, it’s sensitive data.  They need to compromise a little.

Next, if you allow handhelds to connect to your network, you have to protect yourself from slowly emerging malware threats.  No, there aren’t a lot now.  But there weren’t a lot of viruses around when PCs first started appearing on desktops.  Maybe if we’d paid more attention then, we’d have less problems how.  In any case, it is never too early to start looking at packages available from all the major anti-malware solution vendors.  And make sure whatever you select is centrally manageable.  Not all vendors get this yet.

Finally, consider encrypting sensitive data on the phones.  Yes, I understand that many encryption solutions for handhelds are easily cracked.  So does that mean you do nothing to protect your data?  Let’s face it, the password or PIN protection isn’t much either.  The best way to prevent data breaches caused by compromised phones is to follow a very basic rule–don’t put allow it to be put there in the first place.

There are other things you can do, but these are the “absolutely must-haves,” in my opinion.  Hold off the hordes until you have the right infrastructure in place and broad support for your efforts.

The number of non-IT network-connected devices is rapidly increasing.  As organizations find it easier to achieve compliance with non-data related regulations by using automation, and as they learn that they can squeeze a few more dollars into EBIT by automatically adjusting utility use, for example, the demand for these devices is accelerating.  However, many security managers may find themselves in conversations in which they either have no idea about the security risks associated with these devices, or  in which they are forced to stop money-saving projects because they are not ready to handle the additional controls.  In either case, they may find themselves updating their resumes.

What are Non-IT Devices?

Non-IT devices fall into two categories: sensor and control.  Sensor devices collect, aggregate, and report status of key elements of the real world.  Examples include:

• Security cameras
• Devices that monitor key production events
• Energy meters

Control devices not only monitor real world status, they can also affect it by automatically making changes to it.   Examples include:

• Environmental control systems
• Security systems that react to events in real-time
• Temperature controls that maintain heat or cold within acceptable ranges

Devices in these categories are not new to the workplace.  What is new is the increasing demand to connect them to the network.  The traffic resulting from this connectivity is known as machine to machine (M2M) networking.

Security Concerns

When I first encountered M2M networking, the most obvious security challenge was vendor access to the systems.  Access for support is important to ensure continued operation, and sometimes outsourced monitoring, of sensor input.  In many cases, vendors will also make adjustments via control devices to maintain environmental or production tolerances within limits defined by the customer.

For example, there are government health regulations covering the temperature of water in dishwashers used in skilled nursing facilities.  The long term health care company for which I worked decided that compliance was more probable if the water temperature was monitored at all times.  So it contracted with a vendor that specialized in this.  The vendor supplied all connections to the dishwashers and to the vendor-supplied PC used to collect the temperature information.  However, vendor staff needed access to the system 24/7.  This required them having access to our network.  We eventually figured this out, but it required weeks of planning, testing, and implementation of a vendor-specific VLAN to allow access to the control systems while blocking access to the rest of the network.

Although the monitoring of water temperature lacks sensitive data, this is not the case with security cameras.  At the same health care organization, facility administrators increasingly demanded implementation of network-connected security cameras.  In addition to vendor access for maintenance, a new challenge was introduced; the output from cameras had to be stored on the local facility server.

Two major issues immediately arise when taking and storing video.  First, HIPAA requires that patient information, including pictures, must be tightly controlled.  Second, legal discovery would require searching through or providing all video to the requesting party.  We had to work through these issues before allowing implementation.

The Final Word

We can’t stop the increasing use of non-IT devices.  Instead, we must prepare to protect them and our network.  I recommend starting by writing a policy that governs implementation and use of vendor- or operations-managed, non-IT devices.  I found that this helped people understand what they could or could or could not do when selecting a solution.  The policy should include management’s expectations regarding anti-malware protection and patch management for the M2M systems.

I also recommend taking another look at your network and security architectures.  Make sure you have the necessary walls built between M2M network segments and the rest of the network.  For example, non-IT devices and IT devices may have to share the same wires and network components, but they don’t have to ride on the same VLANs.

1. What are the manual tasks that support the process?
2. What are the human and technical resources necessary to enable the process?
3. What other processes feed data to or receive data from this process?
4. Is it reasonable and appropriate to build redundancy into the system?
5. What is the maximum tolerable downtime of the process (how long can the process be broken without causing irreparable harm to the business)?
6. Based on current capabilities, what is the recovery time if one or more of the components is broken or missing (including processes that feed this process)?
7. Based on current capabilities, what is the recovery time following a catastrophic event (disaster recovery)?

It takes a group representing a cross-section of the organization to answer these questions.  Note that the planning is around processes, not systems.  Processes are enabled by systems and manual tasks.  For example, questions 4, 6, and 7 should include manual workarounds if automated tasks fail.  (A process is something like processing payroll with expected outcomes including checks for employees, tax payments, etc.)

Once the questions are initially answered, a remediation action plan is created to mitigate risk (shorten recovery time).  Risk mitigation takes two forms: interim and long-term.  Interim mitigation includes workarounds to enable critical outcomes while recovery tasks are performed.

When the action plan is complete, the team should once again answer questions 6 and 7.  If recovery times are not shorter than maximum tolerable downtime, additional remediation steps should be identified.  This cycle repeats until maximum tolerable downtime exceeds recovery time.

According to an article last week in the New York Times,

“[University of Michigan researchers] infiltrated the District of Columbia’s online voting system last week. They changed all votes for mayor to Master Control Pro and elected HAL 9000 the council chairman. The blaring University of Michigan fight song played whenever a new ballot was successfully cast” (Wheaton, 8 Oct 2010).

To be fair, this is a pilot project by the District’s Board of Elections.  However, I always thought “pilot’” meant seeing how it works in the real world.  So it should also mean setting security for testing system trust.  One reason why this is necessary was included in the same article:

“[Professor J. Alex Halderman] said he also saw signs that computer users in Iran and China were trying to crack the system’s master password — which his team obtained from an equipment manual. (Network administrators had never changed the four-character default password.) He said that the foreign hackers were probably not specifically trying to break into the District’s voting system, but that they represented a threat nonetheless” (ibid.)

In addition to immediate attempts by our “enemies” to hack into the system, we decided to practice global good will by leaving the vendor password in place for anyone who wanted into our system.  What a novel idea regarding how to meet the cyber-crime and warfare challenges we increasingly face.

In case you haven’t yet gotten the message across to your network engineers or internal support personnel, this might be something you can use as an attention-getter (instead of the bat you’ve placed strategically next to your filing cabinet.

This is just one more example of the dysfunction of our government information handling capability.

Existing rules stipulate that illegally accessing and interfering with computers, servers and data is punishable as a criminal offence. The proposed directive will maintain and strengthen current provisions. But it will also specifically address and punish those who build, use and sell tools and software designed to carry out cyber-attacks.

via EU to up its defence against cyber attacks | EurActiv.

Will this be another governmental knee-jerk reaction, or will reason and common-sense prevail…?  Yes, I know.  They’re politicians, but I can hope, can’t I?

Well, Spamhaus claims it has found the answer.  Using a tightly controlled whitelist–membership is possible upon invitation by another member–Spamhaus says it provides comprehensive email filtering, free and without all the management issues faced by many enterprises.

“Unlike traditional whitelists, the Spamhaus Whitelist is not a service to help bulk mail senders improve delivery rates. You can not whitelist an IP address or domain that is used for sending marketing or soliciting bulk email, or used for sending any email on behalf of third parties. This rule therefore automatically excludes makes not eligible for whitelisting Email Service Providers, ISP customer mail relays and mail servers used by third-parties, and all bulk mailing list servers and services,” the company said in its explanation of the service.

(Source: Spamhaus Debuts New Whitelist Service | threatpost.)

Setup is easy and well documented at the Spamhaus site. At a high level,

The Spamhaus Whitelist is actually made up of two whitelists: an IP address whitelist called the ‘SWL’ and a domain whitelist called the ‘DWL’. These are published as swl.spamhaus.org and dwl.spamhaus.org respectively.

The SWL is both an IPv4 and IPv6 whitelist. It responds to queries of either IPv4 or IPv6 addresses. (Note: IPv6 handling is not yet active. Spamhaus estimates IPv6 service starting in 2011)

The DWL is a VBR (vouch-by-reference) domain whitelist designed to automate DKIM certification.

(Source: Spamhaus.org, 2010)

So what happens if a sender abuses their membership in the whitelist?  Since the new service is in beta, we really don’t have any examples of deviant behavior.  However,

Spamhaus is reserving the right to revoke whitelist status for any email etiquette transgressions, such as the distribution of bulk mail of any type. The whitelist will be maintained in both IP addresses and domain name forms as two separate, but matched, lists. Controls mean no domain or IP address that is on the Spamhaus Project blocklist can ever be whitelisted.

(Source: Spamhaus debuts whitelist service, The Register, 28 September 2010)

Note that this service uses DKIM, something Microsoft Exchange DOES NOT support.  There are third-party solutions (example) that make Exchange compatible.  But if you use Exchange, I recommend adding a front end solution, like Barracuda Spam Firewall, between the Internet and your mail servers.  Other DKIM-compatible solutions are listed at DKIM.org.

The vulnerability can be remotely exploited to read specific ViewState values and cookies and to download files from a server without possessing the necessary authority. The Padding Oracle Exploitation Tool (Poet) is able to take advantage of this kind of vulnerability. Affected products include Microsoft SharePoint 2010, SharePoint Foundation 2010, Microsoft Office SharePoint Server 2007, Windows SharePoint Services 3.0 and Windows SharePoint Services 2.0.

via Emergency patch for ASP.NET vulnerability on its way – The H Security: News and Features.

Figure A shows an electricity meter in Scotland.  According to an article in Evening Times (the source of the photo), criminals have found a way to crack the key used to increase the prepaid amount customers can load into their meters.

“The pre-paid power meters use a key system. Normally people visit a shop to put credit on their key, which they then take home and slot into their meter.

The conmen have cracked the system and can go into people’s houses and put credit on their machine using a hacked key. If they use this, it can be detected the next time they top up their key legitimately.”

And that isn’t all.  Apparently the criminals correctly tell the owner of the meter that the hacking will be detected the next time they want to “legally” recharge the prepaid amount; they don’t seem to care if they can save a few bucks–or pounds.  It just means that the customer is tied to the criminal for power updates.

This is simply a bad idea waiting to make a victim of the power company.  The utility placed an unprotected device into the homes of their customers and relied on customer behavior to protect the interests of the utility.  Something is very wrong with this picture.

No, it isn’t right that people steal power.  But human nature being what it is, what did ScottishPower expect.  This is a good lesson for anyone who has to deploy systems, whether meters or desktops.

According to the Haystack website,

“Haystack is a computer program that allows full, uncensored access to the internet even in areas with heavy internet filtering such as Iran. We use a novel approach to obfuscating traffic that is exceptionally difficult to detect, much less block, but which at the same time allows users to security use normal web browsers and network applications.

[...]

Haystack hides traffic to any from the internet at large inside traffic that looks like perfectly normal web connections to innocuous sites. The Haystack client connects to our servers which in turn talk to websites on behalf of our users.”

This sounds like a great idea.  Think of the uses for a product that allows Iranians–and maybe eventually Chinese, North Koreans, etc.–to access uncensored opinion and news.  Of course, it would have to do this without government officials being able to see what users are accessing.  And although Haystack was supposed to do this, it apparently fails miserably.

According to a tweet by security researcher Jacob Appelbaum,

“Haystack is the worst piece of software I have ever had the displeasure of ripping apart. Charlatans exposed. Media inquiries welcome.”

In other words, if you are living in Iran and hoping freely to to surf the Web AND stay out of an Iranian prison, this is probably not the software for you.  So the Censorship Research Center (CRC) pulled the product.  Probably a good idea…

So what went wrong?  The main developer of Haystack resigned publicly and sent a letter to the Liberationtech mailing list.  In the letter, Daniel Colascione takes a lot of the responsibility for releasing what was supposed to be a test application–maybe closer to a proof of concept.  According to Colascione, it was not intended for public distribution or use by people who might put their physical freedom in jeopardy.  However, hype prevailed at the CRC, launching the product into public view and setting unreasonable and incorrect expectations.

Dan Goodin writes in a 14 September 2010 article in The Register,

The Guardian, for instance, named Censorship Research Center Executive Director Austin Heap the the 2010 Innovator of the Year and called Haystack “a key technology used by Iranians to disseminate information outside the country in the protests that followed the disputed election result in June 2009.” Newsweek, the BBC, Forbes, Salon.com, and The Atlantic have also lauded the project, even though Heap now says it never made it out of development and wasn’t widely used.

At this time, no one really knows if anyone put themselves in danger by using the software.  But let’s be honest; when something is hyped this much, it inevitably makes it to users’ desktops.  Based on on my quick research into this incident, this seems more like mismanagement than the intended release of really bad software.  It looks like the CRC was carried away on the tide of growing acclaim and took the public along for the ride.  Another instance of the media getting carried away?

In any case, I think there are at least two lessons to learn from this event.

1. Never let potentially prison-causing software out of its cage until it is fully tested by numerous security researchers trying very hard to break it.
2. Never get carried away by the hype surrounding a new product.  Do you own research into the product and its capabilities.  We can’t rely on much of the media responsibly to do this.

“So the Adobe [zero-day] is using DEP+ASLR Bypass with a binary that is signed with stolen certificate!” said “Neeraj,” who works as a senior security research engineer for Nevis Network, an Indian firm. “That’s how future attacks gonna be. Scary!”

via Newest Adobe zero-day PDF exploit ‘scary,’ says researcher.

Yes, this is scary for organizations that have become complacent about protecting their certificates.  Managers tend to forget about certificate protection unless it is touted in the press or they are surprised by misuse of a cert that leaked into the wrong hands.

Certificate management is not only important for the signing organization.  It is also critical for user trust related to Web services access.  If users can no longer count on certificates to verify site authenticity, for example, what will that do to e-commerce?

So what’s the big deal?  This is just one instance in a world of hundreds of thousands of commonly used certs.  Well, the problem is that the organization whose cert was stolen had to shut down Web-facing operations until a new cert was obtained.  Think revenue loss and customer dissatisfaction.  On top of those concerns, there is the FUD (fear, uncertainty, and doubt) spread via the media and around the multi-function device at the office (the replacement for the venerable water cooler as the dissemination point for office gossip…) causing mass hysteria about the dangers of the dark, foreboding forces on the Web.

In my experience, certificates are often not managed properly, putting organizations at serious risk of a business continuity event–or worse.  Certificates, whether personal or organizational, are your electronic identity.  Lose it and game over.

For some simple guidelines for protecting certificates, see Protecting ECA Software-Based Certificates.

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

via NIST.gov – Computer Security Division – Computer Security Resource Center.