Tom Olzak

Archive for the ‘Computers and Internet’ Category

They have the tools, just not the will…

In Application Security, Computers and Internet, Content Filtering, Cyber-warfare, Cybercrime, Data Security, Detection Controls on July 10, 2015 at 12:44

As the number of government records stolen increases, we continue asking why so much data was stolen over the past year without detection.  The answer seems to lie in an article by Michael Cooney.  It seems the U.S. government has a detection tool called EINSTEIN, but it is only partially implemented across scattered government networks.

One of the weaknesses in the EINSTEIN implementation is the lack of any behavior analysis.  For the most part, the government is only using signature-based detection.  This is a huge controls vulnerability.

What will it take for our bureaucratic quagmire of a government to implement the right controls?  Yes, all organizations are viable targets for attack.  However, detecting the attacks (e.g., anomalous network/system behavior, unexpected movement of data, etc.) is paramount to a good defense.  Looks like much of the U.S. government either doesn’t get it or doesn’t care.
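To make the signature-versus-behavior distinction concrete, here is an added example (not code from the original post or from EINSTEIN). It runs two detectors over a handful of constructed, netflow-style records: one matches destinations against a hypothetical indicator list, the other baselines each host's own outbound volume and destinations. The host names, addresses, byte counts and the indicator list are all made up.

```python
"""
Added example: signature-only detection versus a simple behavioral baseline,
run over constructed flow summaries. Nothing here is real network data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (host, destination, bytes_out) summaries, one per hour, in time order.
FLOWS = [
    ("ws-01", "10.0.5.20", 1_200_000),
    ("ws-01", "10.0.5.20", 1_100_000),
    ("ws-01", "10.0.5.20", 1_300_000),
    ("ws-01", "10.0.5.20", 1_250_000),
    ("ws-01", "203.0.113.9", 48_000_000),   # sudden bulk transfer to a never-seen outside address
    ("ws-02", "10.0.5.20", 900_000),
    ("ws-02", "10.0.5.20", 950_000),
    ("ws-02", "198.51.100.7", 1_000_000),   # small flow to an address on the indicator list
]

# Hypothetical indicator list: what a purely signature-based sensor matches on.
KNOWN_BAD_IPS = {"198.51.100.7"}


def signature_alerts(flows):
    """Signature-based detection: alert only when a destination matches a known indicator."""
    return [(host, dst) for host, dst, _ in flows if dst in KNOWN_BAD_IPS]


def behavior_alerts(flows, min_history=3, z_threshold=3.0):
    """Behavioral detection: alert when a host talks to a destination it never has before,
    or moves a volume of data far outside its own prior baseline (z-score test).
    Each host needs `min_history` prior records before it is judged, to avoid
    alerting on the very first flows seen."""
    history = defaultdict(list)     # host -> bytes_out values seen so far
    known_dsts = defaultdict(set)   # host -> destinations seen so far
    alerts = []
    for host, dst, nbytes in flows:
        prior = history[host]
        if len(prior) >= min_history:
            reasons = []
            if dst not in known_dsts[host]:
                reasons.append("new destination")
            mu, sigma = mean(prior), pstdev(prior)
            if sigma:
                z = (nbytes - mu) / sigma
            else:
                z = float("inf") if nbytes != mu else 0.0   # flat baseline: any change is anomalous
            if z > z_threshold:
                reasons.append(f"volume z={z:.1f}")
            if reasons:
                alerts.append((host, dst, reasons))
        prior.append(nbytes)
        known_dsts[host].add(dst)
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_alerts(FLOWS))
    print("behavior hits: ", behavior_alerts(FLOWS))
```

The indicator list catches the small flow to the listed address and nothing else; the 48 MB transfer to an address nobody on the list knows about is invisible to it, while the baseline detector flags that flow on both counts (new destination, volume far above the host's norm). Real deployments tune the warm-up period and threshold per host class, but the gap between the two approaches is the point the post makes.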

CryptoWall continues to spread

In Computers and Internet, Content Filtering, Cybercrime, Data Security, Ransomware on July 3, 2015 at 04:00

CryptoWall, an instance of ransomware, is a growing threat.  Attackers use it to hold an organization’s resources hostage until they get something of value.  This costs Americans millions… and it’s getting worse (FBI, 2015).

Ransomware, like CryptoWall and Cryptolocker, encrypts media on the infected machine and all media attached to the machine.  It then demands hundreds or thousands of dollars before the attackers agree to decrypt the hostage data.

Defense against this attack method is getting harder, as attackers find new ways to deploy CryptoWall and Cryptolocker.  Advanced attack techniques often leverage human vulnerabilities to bypass security controls.

The FBI provides a long list of defensive measures.  However, businesses should begin by implementing a short list of controls that protect against all types of advanced malware, not just ransomware:  Web filtering, spam filtering, email malware filtering, and (likely most important) denying users local administrator access.  This is in addition to best practices that should already be in place, including network segmentation with an application server abstraction layer (end-user devices to application servers to database servers) to help isolate critical data from infected end-user devices.

Wi-Fi Sense Creates New User-dependent Security Issue

In Access Controls, Computers and Internet, Wireless Security on July 3, 2015 at 04:00

For those who haven’t seen it yet, Windows 10 includes a feature, WiFi Sense, that lets a user share access to a WiFi network with friends.  For example, Bob might allow Alice to access his access point.  Once shared, she never has to enter the network credentials again to use Bob’s network.

This doesn’t necessarily give Alice access to network resources, just the Internet.  However, access to the access point provides opportunities for using it to commit a crime while putting the blame on Bob.  And then there’s the chance that the barrier between Bob’s guest network and his internal network isn’t as strong as it should be.

WiFi Sense challenges arise when Alice decides to share the access capability with her friends.  According to an article in Extreme Tech,

“WiFi Sense will automatically connect you to detected crowdsourced WiFi networks, acquire network information and provide “additional info” to networks that require it (it’s not clear exactly what constitutes additional info), and can be used to automatically share your WiFi password with your contacts on Facebook, Skype, and Outlook.

That last feature is the potentially controversial one. When you turn on this feature of WiFi Sense (and it’s not clear if the feature comes activated or not), it will request permission to connect to Outlook, Skype, and Facebook on your behalf. Other users on your friends list who also run Windows 10 will have their contact information shared with you as well, assuming they also enable the feature.”

So whether questionable people might have access to Bob’s access point depends on how Alice sets the switches during initial access.

WiFi Sense Selection


Microsoft apparently has two solutions to this, neither of them acceptable to those of us who attempt to help keep systems secure.  First, Bob can change the name of his SSID to include an opt-out tag, as shown below:

WiFi Sense SSID Opt Out


Or he can set up the connection for Alice and make sure her sharing settings are properly set.  Both options rely on Bob or Alice making the right choices.  No one in security believes relying on human behavior for security is a good idea.

Microsoft, what were you thinking?

Is email safer than a password?

In Access Controls, Computers and Internet, One Time Passwords, Password Management on July 1, 2015 at 20:02

According to a Register article, Small change to Medium takes large axe to passwords, Medium is providing an option to use email to login instead of passwords.  I registered at Medium to check it out and to see if I agree with the Register article about possible weakness.

Sign up is easy.  On the first screen, you choose whether to use a social network login (e.g., Twitter) or email.  I chose email.  After selecting topics I wanted to read about, Medium sent an email to me.  Using the email, I logged in.  No password, just a user ID.

I logged out and tried to log in again.  Medium asked me for my registration email using TLS 1.2 to encrypt the session.  I entered my email and almost immediately received a message from Medium.  The message provided a button I pushed, which took me to my home page at Medium.  Very fast, very efficient.

So is this safer than a password?  Almost everyone now accepts email as a secondary method of bypassing forgotten passwords.  It isn’t much of a stretch to use email as the primary authentication factor.  Further, users don’t have to write down passwords or remember a new password for every login.  But…

In an email-as-a-password world, email becomes a single point of failure and a big target.  As long as users do better at selecting the password that protects that email account, this could still work.  What are the odds that we can train users (after trying for years) to use something other than 12345678 or Passw0rd?
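For readers wondering what sits behind the “push the button in the email” flow, here is an added example (not Medium’s code, and not part of the original post) of a minimal email login token: random, stored only as a hash, time-limited and single-use. The secret, the 15-minute lifetime and the in-memory store are assumptions for illustration. Note what it does not fix: anyone who can read the mailbox can redeem the link, which is exactly the single point of failure the post describes.

```python
"""
Added example: single-use, expiring email login tokens.
Constructed illustration; the store, TTL and addresses are not from any real service.
"""
import hashlib
import secrets

TOKEN_TTL = 15 * 60          # seconds a login link stays valid (assumed value)
TOKEN_BYTES = 32             # 256 bits of randomness per token

# Server-side store of *hashed* tokens: sha256(token) -> (email, expiry_timestamp).
# Storing only the hash means a leaked database does not hand out live login links.
_pending = {}


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_token(email: str, now: float) -> str:
    """Create a fresh token for `email`, record its hash and expiry, and return the
    raw token (the part that would be embedded in the emailed link)."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _pending[_fingerprint(token)] = (email, now + TOKEN_TTL)
    return token


def redeem_login_token(token: str, now: float):
    """Return the email the token was issued for, or None if the token is unknown,
    already used, or expired. Every path that consults the store removes the
    entry, so a token can never succeed twice."""
    entry = _pending.pop(_fingerprint(token), None)
    if entry is None:
        return None                  # never issued, or already consumed
    email, expiry = entry
    if now > expiry:
        return None                  # link arrived too late
    return email


def pending_count() -> int:
    """Number of unredeemed tokens currently held (useful for monitoring)."""
    return len(_pending)


if __name__ == "__main__":
    import time
    t = issue_login_token("alice@example.com", time.time())   # constructed address
    print("first redeem :", redeem_login_token(t, time.time()))
    print("second redeem:", redeem_login_token(t, time.time()))
```

Lookup by hash replaces any string comparison, so there is no timing side channel to worry about, and the expiry is checked only after the entry has been popped, so an expired token is discarded rather than left lying around.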

The death of text CAPTCHA? I hope so…

In CAPTCHA, Computers and Internet, Security Management on February 22, 2013 at 20:25

In a Yahoo article posted yesterday (Internet advertisers kill text-based CAPTCHA – Yahoo! News), Mike Wehner writes about possible changes to text CAPTCHA hell.  Yes, I said hell.  I am nearing my sixth decade of life on this planet, and I sometimes have to give up and make a phone call when trying to use some of the inane CAPTCHA implementations I encounter.  I am willing to suffer a second or two with ads to select.

I am not alone in my journey through the CAPTCHA quagmire.  According to Wehner, negotiating a CAPTCHA takes an average of 14 seconds.  Some take much, much longer.  This is leading some companies out of the swamps and toward ad-based verification.

Solve Media is the big player in this space, and the graphic below demonstrates how ad-based CAPTCHA works.  Instead of typing meaningless drivel, she enters text related to the displayed product.  Easy and designed to drill product messages into our heads.

From Solve Media Video


I know.  Just one more way to commercialize the Web… but I don’t care.  If I can cut CAPTCHA frustration while helping vendors carry out Turing tests, I’m OK with this.  How about you?
