Economic Uncertainty Affects Security Too

An article from Dark Reading touched on some very valid points with regards to the security at financial institutions. According to the article:

Penetration testers who work with bank clients say the fragile state of the banking community is making it easier for them to dupe understandably anxious bank employees. Bank employees are overly eager or easily coerced into cooperating with “auditors,” or into clicking on links purportedly from the bank about its own financial welfare.

Even though this is very bad from a security standpoint, it seems like a natural human response. However, if someone is able to walk into a bank merely posing as an auditor and without having their credentials checked or challenged, it’s possible for them to make off with a lot of sensitive information.

This type of behavior isn’t limited to just bank employees. Economy-induced anxiety can also affect the judgment of regular users. The most successful phishing attacks prey on a user’s familiarity or interest in the subject presented as bait. So a phishing email claiming to request important information from a bank customer might be more likely to succeed when the economy and specific financial institutions are in a state of flux.

In fact, it would be wise for both bank employees and bank customers to be MORE cautious during times of economic uncertainty, as attackers are notorious for taking advantage of such situations. It just goes to show: when it comes to security, we can’t afford to be careless.

Posted October 17 2008

Time to Re-Think CAPTCHA?

This week, reports have surfaced that spammer activity is increasing on Microsoft and Google sites that employ CAPTCHA. CAPTCHA is a method for distinguishing between human users and programs used to enter information automatically. Those who would like to create large numbers of e-mail accounts or efficiently add spam content to blog comments or message boards are constantly scheming new methods for circumventing CAPTCHAs. Meanwhile, web site administrators continue to invent creative techniques for detecting computers masquerading as humans.

As the battle continues, though, it’s humans who are having more trouble reading CAPTCHAs. Speaking for myself, I find that many CAPTCHA challenges are not very easy to decipher. If it is case-sensitive, for example, there are many capital letters that can be mistaken for lower-case if distorted the right way, and there is no feedback that allows me to correct myself if I can’t read it.

Now, I’m not saying that I have ever been completely fooled by a CAPTCHA to the point that I wasn’t able to create an account or post a comment. Humans will eventually get through, but if users find them difficult, and they no longer effectively prevent spamming, maybe more thought needs to be applied to the problem. Here are some suggestions I have found for methods to weed out spamming programs. (more…)

Posted October 3 2008

Internet Code of Conduct

In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines influencing the behavior of online businesses when it comes to policies and regulations dealing with human rights. It was intended as an unofficial, voluntary code-of-conduct initiative.

According to this letter (PDF) from Yahoo to Senators Durbin and Coburn:

Principles on Freedom of Expression and Privacy […] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency

Along with censorship and freedom of speech, the idea was also to provide general requirements for privacy. The idea also calls for a way to determine if a company is compliant with the code and a way to hold companies accountable if they violate it.

This is important because it shows that some of the most relevant internet-based companies are taking the rights of their users seriously. So seriously, in fact, that they are willing to sponsor a set of guidelines that help other companies protect THEIR users’ rights as well. If more companies get on board, this could be a step in the right direction in helping to strengthen the trust between service provider and user.

Posted August 21 2008

Train Your Users To Think Like The Mafia

Smart security people learn from their adversaries’ tactics rather than shunning them. Despite modern technology, broad operations, and publicity, the Mafia (particularly the Italian mob) continues to survive. While the crimes they commit are deplorable, the organization’s security relies on tried-and-true methods.

Here are some you can teach your employees and enforce without having a baseball bat.

  • “Don’t Trust Nobody” – A good place to start; employees should never give any company information to anyone except the people they’re told to. Social engineering, spoofed emails, and enticing links all apply. Your firewalls should allow what you tell them to allow and nothing else. Start by having it lock down everything and work from there. Give your users the least amount of privileges they need to do their work and log as much as you can.
  • “Talk to Me, Directly” – An email from some executive you’ve never heard of, intimidation by someone in HR who wants your SSN (which they should already have), and any other strange requests should be verified. Employees should go directly to their immediate supervisor when in doubt. Unencrypted emails containing important information shouldn’t be sent – if possible get up and relay the message in person, and refuse to send documents if they can’t be encrypted and signed with a digital signature (non-repudiation).
  • “Keep Outsiders Out” – All business partner connections, 3rd party maintenance, and external developers should have an independent security assessment performed of them by security experts. Create separate network segments, monitor maintenance and hardware changes, and always escort visitors on your premises. Smaller companies, make sure to lock the doors to the office and secure any network closets and servers.
  • “Be Respectful” – Too often in mob movies we see some underling getting picked on by his superiors. The result is usually “ratting out to the Feds”, equivalent to an employee changing jobs to a competitor or leaking proprietary information. Treating your employees poorly reduces the overall security of an organization since it undermines loyalty. As we learned in “A Bronx Tale” it is better to be loved than feared.
  • “Use Your Head Instead of a Notepad” – Mob guys never write anything down for fear of leaving behind evidence. Users should be trained never to write down passwords, leave company documents out on their desks, or store unencrypted sensitive files on unprotected devices.

Security professionals and auditors should remember to learn from tactics and be cautious with methods. Make sure you have, in writing, the scope of any assessment/audit and make sure that the tools and techniques you use are OK with the company in question or you might get whacked. A good strategy with questionable tactics may make you the criminal.

What are some of the tricks you’ve learned from the bad guys?

Posted July 9 2008

Blame IT!

We’ve all heard about the stories involving EIBKAC such as using the CD-ROM drive as a coffee mug holder, and erasing the C:\Windows folder to free up space on your hard drive. InfoWorld has an informative article which turns these stories on their head, and provides stories about stupid IT administrator actions.

The thing that struck me is that out of the six items they highlighted, four of them were directly security (or insecurity) related, and a fifth was related to disaster recovery, which is also a security concern.

  • Preconfiguring PCs with stone-age malware
    • Sending computers out from the factory with a virus circa 1994 which the built-in antivirus couldn’t repair
  • Oh, you wanted to recover those backups?
    • An entire issue of BusinessWeek was lost when a hard drive crashed
  • Soup of the day: Social Security numbers
    • A school’s database of folks to send the weekly cafeteria menu to was completely unprotected and contained SSNs
  • The tool and the toolbar
    • The Alexa toolbar was used to crawl and cache sensitive parts of a company website
  • Paging Dr. Data Breach, please come to the IT morgue
    • Company took down firewalls to ease (sensitive) data migration, and then inexplicably never turned them back on

Next time you blame users for lax security, remember that the IT staff can be brain-dead as well.

Posted June 17 2008

Internal Audit Mentality

Information security implicitly goes against our evolutionary defenses. Humans, for much of their history, have lived in small groups and been forced to defend against external threats.

Disease, predators, other groups of people; internal threats were focused at the top. Leaders changed, but the pecking order of 20-50 hunter-gatherers remained relatively constant.

A 13-year-old couldn’t, say, learn to wield a knife and kill the top guy simply by watching. Even if this were possible, it would be suicide for the individual and harm the group’s chances of survival. Internal trust was built on the fact that in order to survive, you had to trust one another… and carefully weigh your options.

All of this leads us to today, where we have several cyber users with God-like power who don’t even run the companies they reign over. A 13-year-old can launch an attack capable of crippling an organization, and without much personal risk.

So we approach our employees with cautious confidence. Most IT managers cite insider data leaks as their top fear. So why don’t companies perform more internal audits?

For starters, it’s difficult – most people in positions of management have their own administrators perform internal audits. More importantly, a poorly implemented audit can create its own trust issues.

You don’t want your administrators to feel untrusted, but you need to monitor what they are doing. A good way is through automation. Establishing a good log review policy and being transparent about the controls in place will also help.
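As an added example (not code from the original post), here is one way to put the automated, transparent log review described above into practice; it also covers the "log as much as you can" advice from the Mafia post earlier on this page. It is written in Python over a constructed sample of syslog-style sudo records; the host name, user names, business-hours window and the lists of sensitive commands and paths are assumptions standing in for whatever policy your organization publishes to its admin team.

```python
import re

# Constructed sample of syslog-style sudo records (not real logs).
SAMPLE_LOG = """\
Jun  5 09:12:03 fileserver sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun  5 09:40:51 fileserver sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m contractor1
Jun  5 23:17:22 fileserver sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun  6 02:05:10 fileserver sudo:    mallory : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/visudo
Jun  6 10:30:00 fileserver sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
"""

# Assumed review policy. Publishing these rules to the admin team is the
# "transparent about the controls" part: everyone knows what is reviewed and why.
POLICY = {
    "known_admins": {"alice", "bob"},
    "business_hours": (8, 18),  # 08:00-17:59 local time counts as normal
    "sensitive_commands": {"useradd", "usermod", "userdel", "visudo", "passwd"},
    "sensitive_paths": {"/etc/shadow", "/etc/sudoers"},
}

# Matches the standard sudo log format: timestamp, host, invoking user,
# target user and the command that was run.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_line(line):
    """Return a dict for one sudo record, or None if the line is not a sudo record."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["ts"].split()[2].split(":")[0])
    argv = rec["cmd"].split()
    rec["program"] = argv[0].rsplit("/", 1)[-1]  # basename of the executable
    rec["args"] = argv[1:]
    return rec


def review(log_text, policy):
    """Apply the review policy to every sudo record and return the list of findings.

    Each finding carries every reason it was flagged, so the reviewer can tell a
    routine after-hours restart from an unknown account editing sudoers at 2am.
    """
    findings = []
    start, end = policy["business_hours"]
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["user"] not in policy["known_admins"]:
            reasons.append("user not on the admin roster")
        if rec["program"] in policy["sensitive_commands"]:
            reasons.append(f"account/privilege change via {rec['program']}")
        if any(a in policy["sensitive_paths"] for a in rec["args"]):
            reasons.append("touched a credential file")
        if not (start <= rec["hour"] < end):
            reasons.append("outside business hours")
        if reasons:
            findings.append(
                {"ts": rec["ts"], "user": rec["user"], "cmd": rec["cmd"], "reasons": reasons}
            )
    return findings


def summarize(findings):
    """Count findings per account so the reviewer sees patterns rather than one-offs."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review(SAMPLE_LOG, POLICY)
    for f in results:
        print(f"{f['ts']} {f['user']:8s} {f['cmd']}")
        print("    -> " + ", ".join(f["reasons"]))
    print(summarize(results))
```

Run against the sample, the routine service restart and package upgrade by known admins during the day produce no findings, while the account creation, the after-hours read of /etc/shadow and the visudo run by an account that is not on the roster each do. Feeding the script a real file instead of SAMPLE_LOG is a one-line change; the important design choice is that the rules live in one place that the administrators themselves can read.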

In the end you want your administrators to establish a bond with your organization and ideals – not just your machines. Doing so leads to better security and efficiency and improves your external defenses at the same time.

Posted June 5 2008