Enabling Secure Business Operations

More Admin Misbehavior

July 15th, 2008

Not long ago, I posted about snooping admins and suggested some ways to prevent them from abusing their positions. Today, we have an example of an administrator who used his powers to prevent other admins from logging into the network.

Terry Childs, who had become disgruntled over discipline for poor performance, reconfigured the network so that only he had access. He has refused to surrender the password for his account, and at the time the linked article was written, work was still being done to regain access to the network.

So, we can add this to the list of things to be wary of when handing out permissions to administrators. It looks like they knew about a month ago that this guy was up to something, but he was still able to cause all this trouble. It's good to see that the network is strong enough to keep out anyone who doesn't have the right password, but an organization needs a tested emergency access ("break-glass") procedure for a situation like this: recovery credentials that are not held solely by the administrators who run the systems day to day, so that no single person can hold the network hostage.

Another lesson to take from this is that dealing with people and their egos is a delicate task. It pays to be careful how you handle employees. Security is bound to fail when your own people are working against it.


Advertisers and ISPs don’t care about privacy (surprise!)

July 14th, 2008

I hate being advertised to. I can’t watch cable TV (which I already pay for), listen to the radio (even subscription satellite radio has ads now), goof off on the internet, play a video game, drive in my car, read a magazine, buy groceries, or check my e-mail/snail mail/answering machine without being bombarded by coupons, billboards, commercials, in-game ads, Google AdWords, spam, telemarketing, and third class junk mail. The sad fact is, advertising is everywhere.

Opinions and research vary widely on the question of how many advertisements Americans see during a typical day, with estimates ranging from a few hundred to a few thousand. (via Google Answers) So, it’s no surprise that the advertisement industry is always trying to come up with new and innovative ways to get you to see or listen to their pitch.

One new approach in the internet arena is behavior tracking, a system in which advertisers work with your ISP to analyze your online behavior and target ads at you (Read about the debate in Congress here). I understand the need for ISPs to maintain logs for legal reasons, but sharing this type of information with anyone, least of all for the purpose of more ads, is extremely distasteful to me.

The security problems surrounding spam (another annoying, ubiquitous form of advertising) are difficult enough to deal with. Now I have to deal with (more) privacy implications of ISPs tracking browsing behavior and sharing this with third parties? I wonder how much more degraded the state of security and privacy on the internet has to get before I have to scale back my activities to the essentials, like e-mail and online banking.

And now, for some Futurama:
Leela: "Didn't you have ads in the 21st century?"
Fry: "Well sure, but not in our dreams. Only on TV and radio, and in magazines, and movies, and at ball games… and on buses and milk cartons and t-shirts, and bananas and written on the sky. But not in dreams, no sirree."


How Effective is the Do Not Call List Anyway?

July 11th, 2008

According to the Federal Trade Commission’s report (pdf), it gets the job done.

Of the 72% of Americans who had registered their telephone numbers for the "Do-Not-Call Registry," 18% reported that they currently received no telemarketing calls, 59% reported that they still received some, but far fewer than before they signed onto the Registry, and 14% said they received some, but a little less than before they registered. In addition, when asked about renewing their registrations, 25% of registered consumers had already renewed and 71% were planning to renew.

I’ve never actually added my number to the registry because I didn’t feel a need to. I rarely get calls from solicitors and I tend to screen calls from unknown numbers anyway. But recently, I’ve been experiencing an increase in strange calls with unrecognized numbers. My typical reaction is to google the number or visit whocallsme.com — this usually tells me if it’s a telemarketer or not. But if this keeps up, I might consider adding my number to the list.

From a privacy standpoint, the existence of the list itself is important. Many people view unsolicited calls as an invasion of their privacy. The fact that so many people have placed their numbers on the registry indicates that people respond well to methods of privacy protection that are both easy to use and effective. If protecting your bank statement from dumpster divers, or protecting your phone from wiretaps was as simple as signing an opt-out list, perhaps there would be a decrease in cases of privacy violations and an increase in the number of citizens that feel secure.


Today's State of Security: "We're Screwed" or "Relax, It's Okay" (part 1)

July 10th, 2008

The following will be a two-part post on the current state of security. It will mostly be a self-opinionated rant, but I'll try to make some insightful comments. If you've followed the media for any amount of time lately, you've heard countless stories about data leaks, data breaches, identity theft, all those über-scary things that keep you up at night.

It almost seems like the very technology we are creating and utilizing is only making it easier for thefts to take place. Fifty years ago, if you wanted to try to purchase something in someone else's name, you needed a physical ID and a check. That check could be counterfeited or altered through check washing or whatever, but in order to use it, you still had to make a physical appearance. There was a personal touch to it. In order for a company to lose one million records of customer information, it would have required a truck to haul off boxes and boxes of paper records. Today these same tasks can take place with as little as a five-second transaction online, or something as simple as losing a laptop or even a USB thumb drive.

With more and more people holding onto almost endless amounts of data, the responsibility that comes with it has skyrocketed, and many people just can't keep up. That's why it takes teams of individuals to manage this data. It's no longer boxes of paper records, but terabytes of data. It's becoming more common for threats to come from inside companies than from external attacks or network breaches. Finding the right people to handle this data, and putting the right protections in place, is just as important. But can we really trust anyone?

Even those who are saying "my data is encrypted, it's secure" should ask how secure it really is. Computers are getting faster and more numerous, and it's only a matter of time before today's encryption keys are within reach. That's assuming the code implementing them is correct in the first place (as we've discovered with a recent OpenSSL flaw [LINK]).

Software itself isn’t even reliable anymore. How many patches have you applied to your computer this month alone? No code is 100% secure. Back doors are found, limitations are reached, unexpected data is loaded. As great as technology can be, it still comes down to the one common source, human error. We will always make mistakes, and there will always be someone to find them.

So as I see it, we are a society built around laziness. We are slowly building up to our own demise; the gifts we continue to give ourselves, we also use to hurt each other. In the end, we are screwed… or are we?

Stay tuned for my counter-rant, as I shed some light on all the dark little monsters that keep you up at night.


Train Your Users To Think Like The Mafia

July 9th, 2008


Smart security people learn from their adversaries' tactics rather than shunning them. Despite modern technology, broad operations, and publicity, the Mafia (particularly the Italian mob) continues to survive. While the crimes they commit are deplorable, the security of the organization works using tried and true methods.

Here are some you can teach your employees and enforce without having a baseball bat.

  • “Don’t Trust Nobody” – A good place to start; employees should never give any company information to anyone except the people they’re told to. Social engineering, spoofed emails, and enticing links all apply. Your firewalls should allow what you tell them to allow and nothing else. Start by having it lock down everything and work from there. Give your users the least amount of privileges they need to do their work and log as much as you can.
  • "Talk to Me, Directly" – An email from some executive you've never heard of, being intimidated by someone in HR who wants your SSN (which they should already have), and any other strange requests should be verified. Employees should go directly to their immediate supervisor when in doubt. Unencrypted emails containing important information shouldn't be sent; if possible, get up and relay the message in person, and refuse to send documents if they can't be encrypted and signed with a digital signature (non-repudiation).
  • “Keep Outsiders Out” – All business partner connections, 3rd party maintenance, and external developers should have an independent security assessment performed of them by security experts. Create separate network segments, monitor maintenance and hardware changes, and always escort visitors on your premises. Smaller companies, make sure to lock the doors to the office and secure any network closets and servers.
  • “Be Respectful” – Too often in mob movies we see some underling getting picked on by his superiors. The result is usually “ratting out to the Feds”, equivalent to an employee changing jobs to a competitor or leaking proprietary information. Treating your employees poorly reduces the overall security of an organization since it undermines loyalty. As we learned in “A Bronx Tale” it is better to be loved than feared.
  • "Use Your Head Instead of a Notepad" – Mob guys never write anything down for fear of leaving behind evidence. Users should be trained never to write down passwords, leave company documents out on their desks, or store unencrypted sensitive files on unprotected devices.

Security professionals and auditors should remember to learn from tactics and be cautious with methods. Make sure you have, in writing, the scope of any assessment/audit and make sure that the tools and techniques you use are OK with the company in question or you might get whacked. A good strategy with questionable tactics may make you the criminal.

What are some of the tricks you’ve learned from the bad guys?


Musings on Web Application Security

July 8th, 2008

I “grew up” surrounded by web application security – from a time when Achilles was the only useful proxy and everything was done by hand, to the current state of affairs, where automated tools and proxies are used on a regular basis. OWASP and WASC have been formed, and web application security is taken seriously. However, there are still many web applications that existed before this explosion in security awareness, and they’re still out “in the wild”.

Unlike the thick-client area, where the majority of "major" applications are controlled by larger development firms (Microsoft, Oracle, etc.) with security departments, web applications are written by everyone and their brother Joe. There are some large development houses writing web apps, but a good majority are developed "in-house" by developers who may not have had any kind of security training. I suspect that this will start to change, as it did with thick-client development. Until then, at least security is on people's radar, and most development groups have at least one person who is familiar with security, or they hire companies that are familiar with it to help them with the development.

The landscape has certainly changed as I’ve “grown” along with it.


Google releases ratproxy

July 8th, 2008

Google announced that it has released ratproxy, its passive web application security audit tool. It kind of "rides along with you" as you browse in order to determine what areas may be an issue. Since it rides along inside your own session, it can also inspect restricted areas that require authentication. It's not a replacement for more active tools such as WebScarab and Paros, but it could certainly help the more casual user determine potential issues. It doesn't, however, let you fiddle with the HTTP requests and responses as those proxies do. Play with it and see how you like it before adding it to your arsenal, but I think it will be a great addition.


Security and Human Behavior

July 7th, 2008

Last week, the world’s top computer scientists gathered to discuss security and the weaknesses created by putting it in the hands of people. It was the first “Security and Human Behavior” conference, and many experts on human behavior were invited to help the attendees understand how criminals use social engineering to circumvent security technology.

Here are some interesting topics that came out of this conference:

A study soon to be published will reveal when we are more likely to surrender private information about ourselves. One conclusion was that we are more likely to answer private questions when we are not given any assurance of confidentiality because it makes us suddenly aware of our privacy.

Another set of research looks into the question of improving the fallback password system that many sites employ. Instead of asking questions that might even be difficult for the true user to answer, the proposed method has the user choose things that they like and dislike from a list.

Finally, this MSNBC posting reveals a new idea in security training that was presented at the conference. Instead of periodic reminders to be wary of phishing and e-mail attachments, companies may attempt to fool their own employees. Those who fail the tests would learn by shame or possibly by hearing about it in an employee review.


Lost Laptops at Airports

July 3rd, 2008

Dell recently sponsored a study on the number of laptops lost in airports. The findings are a little surprising: apparently, they estimate that over 12,000 laptops are lost each week at airports across the United States.

The source study can be read here. (pdf)

Potentially more frightening is the fact that the majority of these laptops go unclaimed and are eventually “disposed of.” According to the study:

Only 33% of laptops lost and found in airports are reclaimed. The other 67% of subsequently found laptops remain in the airport until they are disposed of. As a result, there are potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors.

This goes beyond the loss of the physical device. Sure, the laptops cost money, and losing one will always carry at least the monetary cost of the hardware. But the fact that these laptops can (and probably do) contain some sensitive information is certainly more worrisome. Either private data belonging to the owner, or private data belonging to the company the owner might work for, may be at risk.

It seems perfectly possible for a shady individual to walk up to the “lost and found,” give a detailed description of a common laptop make and model, and walk away with a shiny new laptop that might contain information worth more than the device itself.

With the rapid explosion of the laptop / portable-computer industry, it becomes more and more important for users (and companies) to safeguard the information stored on them. For the data itself, full-disk encryption with a strong passphrase is what keeps a found laptop from becoming a data breach. For the average user with little technical knowledge, an often overlooked technique is the simple act of labeling the laptop with their contact information. At least this would allow a good Samaritan or the airport staff to potentially return it to the rightful owner.


Secure Coding Front

July 2nd, 2008

The web becomes a more threatening place each and every day. This is especially evident from the uptick in legitimate websites being compromised to push malware; ScanLife reported an increase of over 400 percent last month.

So, what is going to help alleviate these threats? I’m pushing for more secure code. Microsoft issued a security advisory last week that offered companies free tools to help scan for SQL injection vulnerabilities.
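To make the SQL injection problem concrete, here is an added example (not code from the original post and not one of Microsoft's tools) that puts a vulnerable lookup beside its parameterized fix and runs the same attacker input through both. It uses an in-memory SQLite table with constructed sample rows, and finishes with a crude regex check of the kind a source scanner applies to find SQL built by string concatenation.

```python
"""SQL injection: a vulnerable lookup beside its parameterized fix.

Added example, not code from the original post or from Microsoft's tools.
Uses an in-memory SQLite table with constructed sample rows so it runs offline.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: two users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: whatever the caller sends is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# A SQL string literal followed by '+' or '%' is the pattern a scanner flags.
_CONCAT_SQL = re.compile(
    r"""["'].*\b(select|insert|update|delete)\b.*["']\s*(\+|%)""",
    re.IGNORECASE)


def flag_concatenated_sql(source: str):
    """Return 1-based line numbers where SQL is built by concatenation or %-formatting."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if _CONCAT_SQL.search(line)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic tautology payload
    print("vulnerable:", lookup_vulnerable(db, payload))  # both rows leak
    print("safe:      ", lookup_safe(db, payload))        # no such user
    sample = 'q = "SELECT * FROM t WHERE id = " + uid\n'
    print("flagged lines:", flag_concatenated_sql(sample))
```

The tautology payload turns the vulnerable query into `WHERE name = '' OR '1'='1'`, which matches every row, while the bound parameter is compared literally and matches nothing. The regex check is only a first pass: it catches the obvious concatenation idiom, not SQL assembled across several statements, which is why the post's point about reviewing the code (not just scanning it) still stands.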

Another area that's helping to secure code is the new PCI Data Security Standard section 6.6 requirement that just went into effect. Under the new rules, merchants need to either put a web application firewall in front of their public-facing web applications or have the application code reviewed for common vulnerabilities (by qualified internal staff or a third party).

It is vital that secure code become a standard in all development. Let’s hope these extra steps by PCI and additional help from companies like Microsoft can give the industry the nudging they need.
