Enabling Secure Business Operations

NAC: Not Dead Yet

May 31st, 2010

I’m greatly amused. In 2008, former Gartner analyst Richard Stiennon said that NAC was worthless (see “Don’t even bother investing in Network Admission Control”). In a face-to-face debate on the topic a couple of months later, Joel Snyder allegedly defeated Stiennon (and quite handily, if you agree with the account by then-NAC-vendor CTO Alan Shimel). It’s interesting, then, that two years later Snyder has come out and essentially declared the NAC market a complete mess and not really worth the cost.

Said Stiennon in 2008:

“Put it this way: Can you secure your network without NAC? Yes. Does NAC in any way reduce your overall costs? No. Does NAC tie you down to one vendor’s eco-system? Yes, if you go down the Cisco, Juniper, or Microsoft route. Does NAC make you more secure? No.

“Then why would you invest in NAC?”


Lessons from Google Wi-Fi Gaffe

May 28th, 2010

Lately, Google has been apologizing for mistakenly collecting data from unprotected Wi-Fi networks with the fleet of vans the company sent out for its StreetView service. Some have pointed out that companies which left their wireless networks unprotected had no reason to expect their data would not be collected somehow.

And so we have another example of what can happen when data and communications are left unprotected. You are susceptible even to accidental disclosure of information. What other accidents might occur? One that comes to mind is accidental loss of bandwidth: someone who doesn’t know any better turns on a laptop and finds they have Internet access. What they didn’t realize is that they automatically connected to your network, and while they stream high-quality video, your employees struggle to get their work done.

Accidents will happen. If you must have a wireless network and you still have not secured it, do something about it (hint: WPA2).


Genealogy Research – aka stalking

May 26th, 2010

Have you ever looked into researching your family tree? Have you noticed what kind of information you can find out about people, especially older people who have been around since the 1930 census (and pretty soon, the 1940 census)? Upon death, social security numbers are published in the Social Security Death Index, and some of that information is still useful. For example, my father passed away in 2000, and my mom still receives social security benefits based on his SSN, which is now public information. All of the joint accounts they had together are mostly still under his social. It would make it easy to steal the identity of a dead person. The SSDI is supposed to prevent that, but it doesn’t always work.

Additionally, genealogy searches turn up information about living people as well – things such as the US Public Records Index – which includes current address information and birthdate – all useful information if you’re searching for someone. By default, most web sites “hide” living relations in your family tree, but you have an option to make it public (and there are incentives to do so to find more about your family).

If you’re interested in genealogy, try using some of your skills to find information about someone not in your family tree (the older they are, the more likely you’ll find information), or if you know how to find information about people, there are genealogists waiting to talk to you to help them find long lost relatives.


Digital Signatures DII Workshop

May 21st, 2010

This week, I registered for the next Document Interop Initiative (DII) workshop being held at Microsoft. (Details here)

The meet-up is centered around the new XML Advanced Electronic Signatures (XAdES) support in Office 2010. In my opinion, this is a great step forward for Office’s digital signature support, as XAdES provides the appropriate XML schemata to embed timestamps, revocation information and countersignatures within a digital signature on a document. Timestamp and embedded revocation support are two of the chief advantages that Acrobat digital signatures have held over Office for the past several years. Finally enabling this functionality will allow Office to compete with Acrobat on a more even playing field in terms of allowing robust, more auditable signature workflows.

I’m interested in seeing what updates, if any, have been made to the Office digital signature interface to support this new functionality. In current and previous versions of Office, digital signature validation, from a UI perspective, has been abysmal. There has simply been no way to determine *why* a signature is judged as invalid by Office when there are myriad possible causes for such a failure. For example, a signature may be invalid due to an altered document, which is far more of a concern than a signature being invalid due to revocation data being unavailable because the validation was performed offline. These circumstances can lead to different trust levels from the user.

It remains to be seen how well the XAdES support is implemented, but I’ll tentatively state, sight-unseen, that this is at least a step in the right direction.


To Buy Shiny New Products Or Not To Buy

May 20th, 2010

I got a chance to see the Metasploit Express beta in action last week at NoVa Hackers. I was planning on writing about my impressions, but there is plenty out there from people who have spent a good deal more time in front of the beta than I have. Instead, I’m going to delve into pertinent questions a company should ask itself to see if Metasploit Express fits into the security program.

I am a fan of Core Impact, and not only because they let me into their party at Blackhat Las Vegas last year. They make a good product. However, a common scenario I have seen in my experience as a security consultant is companies purchasing flashy products without thinking about how these products will integrate into the security program. The Core Impact sales team comes in with their vulnerable machines and does the point-and-click to root. Then the general consensus is “We’ve got to get that. It’s shiny!” The problem is that when Core Impact shows up on the corporate network it doesn’t get any shells. Why? Because the customer is using Core Impact specifically for patch management, which they already have under control. If a strong patch management system is already in place on the network, the default network scan from Core Impact will yield very little.

Metasploit Express builds off a very powerful open source tool with a wide variety of capabilities. It is quite possible that the product will be able to fill a gap in your security program. However, without researching your company’s needs, risks, and what Metasploit Express can do to meet them, you won’t get the most out of Metasploit Express. Sleek interfaces and support from Rapid7 cannot make up for a lack of understanding of your particular security needs.

On the whole, I’m glad to see Metasploit potentially reach a wider corporate audience with Metasploit Express. It seems in many cases Metasploit in its current form is considered a hack tool and passed over for products such as Core Impact that have a company backing and a hefty price tag. So long as I can still use community supported Metasploit for my everyday vulnerability research, I’m happy to see Metasploit get the piece of corporate pie it has long since earned.


Hardening Adobe Reader

May 18th, 2010

PDF files have become commonplace on the Internet and in the business world, but they have also become favorite tools for attackers to deliver malicious payloads. While some problems may be mitigated by using an alternative PDF reader, many people have little choice but to use the standard Adobe Reader. In that situation, you can help protect yourself from many PDF-based attacks by following a few basic steps.

  1. Make sure you have an up-to-date anti-malware program installed and running with automatic download of new virus definitions. Older tools may not scan for recent PDF-based threats.
  2. Make sure you have the latest version of Adobe Reader. Enable automatic updates by opening Reader and choosing Edit > Preferences > Updater. Adobe regularly issues patches against new vulnerabilities.
  3. Disable JavaScript in PDF files. This may affect certain features at times, such as PDF-based forms, but it’s better to enable JavaScript only when needed. In Reader, click Edit > Preferences > JavaScript and uncheck the box for “Enable Acrobat JavaScript.”
  4. Disable Flash and multimedia in PDF files. Once again, this may prevent a few documents from loading some content, but embedded Flash is a common tool for exploiting Reader. Go to Edit > Preferences > Multimedia Trust (legacy) and either uncheck “Allow multimedia operations” or change the permissions on each listed player to “Prompt.” Be sure to check the settings for both trusted documents and other documents by changing the “Display Permissions for” option.
  5. Disable attachments. Earlier this year, security researcher Didier Stevens uncovered a PDF behavior that could be used to launch commands outside of Reader. To avoid this problem, open Edit > Preferences > Trust Manager and uncheck the box marked “Allow opening of non-PDF file attachments with external applications.”
  6. Configure your browser to show a download prompt for PDF files. The exact settings for this step will depend on your browser. Remove any plug-ins or add-ons for Adobe Reader, and check the settings for how your browser handles various file formats to check the behavior for PDF files. If you allow PDF files to open in the browser or open in Reader automatically, you may accidentally open a malicious file without realizing it.

These precautions are only a small part of keeping your computer protected against attack, but they will go a long way to help you avoid many threats involving PDF files.
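Steps 3 through 5 above are about features inside a PDF (JavaScript, multimedia, attachments and launch actions) that an attacker can abuse. A defender can triage a suspicious file for exactly those features before anyone opens it, using the name-counting approach that Didier Stevens’ pdfid tool popularised. The script below is an added example written for this post, not code from the post or from Adobe: it counts risky PDF names in raw bytes, decodes the `#xx` escapes that are sometimes used to hide names like `/JavaScript`, and maps each hit back to the hardening step that blunts it. The two sample PDFs are constructed inline; the “suspicious” one only pops a harmless alert.

```python
import re
from collections import Counter

# Names worth a closer look, mapped to the hardening step in the post that
# addresses them. (Constructed mapping for this example.)
RISKY_NAMES = {
    "/JavaScript": "JavaScript action (step 3)",
    "/JS": "JavaScript code string or stream (step 3)",
    "/OpenAction": "action that runs as soon as the file opens (steps 3, 6)",
    "/AA": "additional actions triggered by events such as page open (step 3)",
    "/RichMedia": "Flash/multimedia content (step 4)",
    "/Launch": "launch of an external application (step 5)",
    "/EmbeddedFile": "file attachment (step 5)",
}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# PDF names may encode any byte as #xx; attackers use this to dodge naive greps.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: auto-runs JavaScript on open and again on page display,
# the second time with an escaped name (/J#61vaScript == /JavaScript).
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /AA << /O 5 0 R >> >> endobj
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert('opened')) >> endobj
5 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert('page shown')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page document with no active content.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript is recognised as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of risky names anywhere in the raw PDF bytes."""
    counts = Counter()
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(0)).decode("latin-1")
        if name in RISKY_NAMES:
            counts[name] += 1
    return dict(counts)


def report(data: bytes) -> list:
    """One human-readable triage line per risky name found."""
    return [f"{name} x{n}: {RISKY_NAMES[name]}"
            for name, n in sorted(scan_pdf(data).items())]


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_PDF), ("clean", CLEAN_PDF)):
        print(f"{label}: {report(sample) or ['no risky names found']}")
```

This is a triage heuristic, not a parser: it also counts names that appear inside strings or uncompressed streams, and it will miss names hidden inside compressed object streams, so a zero count is a weak signal while a non-zero count is a reason to keep the file out of Reader until someone has looked at it.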


This Week in Review

May 14th, 2010

Did you know that two thirds of all phishing attacks are sourced from a single group? This seems like a staggering statistic, except for the fact that we’ve already seen this before. Maybe those plans for world domination just might pay off…

This whole Facebook privacy scare seems to finally be taking its toll on the general public as it seems Google is showing a major increase in trends data sourced from people wanting to delete their accounts. This doesn’t really surprise me much either, as we’ve talked numerous times about how to secure yourself within Facebook. Let’s hope that emergency meeting that was supposed to take place today actually accomplished something.

One of the pioneers of PKI, Whit Diffie, landed a new position today as VP of information security and cryptography of the Internet’s key oversight agency for domain names. The ICANN doesn’t have that much control over many of the domain providers, but I like to think they have enough influence that if Diffie were to make some serious strides, the world could be a better place.


Kish Cypher

May 13th, 2010

The Kish cypher is categorized as a technique for secure communication, similar in application to quantum encryption and public key cryptography. The simplified explanation is that it works by measuring the resistance of the communication medium (i.e. a circuit or a wire) between two parties. One party can “send” messages by changing the resistance of the medium (i.e. placing a resistor on the wire). The other party can “read” messages by taking the difference between the total resistance they measure on the wire and the resistance they themselves are contributing to it.

Ideally, an eavesdropper would not be able to read the messages since he can’t derive this difference (he doesn’t know both resistances), hence Kish’s usefulness for secure communication.

The cool part about Kish (besides its name) is that it’s such a simple system to build from a component standpoint. In fact, most of the infrastructure for this type of system already exists: the medium itself can be any single wire connecting two parties.

But how secure is it?

From the homepage:

- Status of the idealistic circuit scheme: Unconditionally secure; it has not been cracked.

- Status of the practical (non-ideal) system with inaccuracies and stray elements (hacking):
A small information leak of raw bits, similarly to quantum communicators. The amount of leaking information can be controlled (Alice and Bob determine the amount of information Eve can have). The scheme cannot be cracked but it can be jammed (similarly to quantum key exchange, when Eve randomly measures and supplies back a small fraction of photons; an operation which cannot be detected by Alice and Bob because it yields too small quantum error rate). However, for a major difference from quantum communicators, note that Alice and Bob are fully aware of all the information Eve knows. Thus they are in the position to discard or manipulate the information Eve has.

Apparently, it can hold its own from a security perspective (it’s certainly been scrutinized enough). And despite not winning any popularity contests, Kish’s unique physical nature means that there may be some very specific situations where it would be the only solution for secure communications.
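The send-by-resistance explanation above and the homepage’s claim that Alice and Bob know exactly what Eve knows are easiest to see in a small simulation. The following is an added example written for this post, not code from the post or from Kish’s project; it models the scheme at the level the post describes (two resistor values per party, a measured loop total) and leaves out the thermal-noise voltages the real scheme relies on. Resistor values, the bit encoding and the round counts are constructed for the example.

```python
import random

# Constructed resistor values (ohms); any two distinguishable values work.
R_LOW = 1_000.0    # encodes bit 0
R_HIGH = 10_000.0  # encodes bit 1


def loop_resistance(r_alice: float, r_bob: float) -> float:
    """Total series resistance of the wire loop: the only quantity that
    anyone, Eve included, can measure from the wire itself."""
    return r_alice + r_bob


def eve_knows(total: float):
    """If both ends picked the same resistor, the loop total gives away both
    bits. Return (True, bit) in that case, else (False, None)."""
    if total == 2 * R_LOW:
        return True, 0
    if total == 2 * R_HIGH:
        return True, 1
    return False, None


def kljn_exchange(n_rounds: int, seed: int = 0) -> dict:
    """Run n_rounds of the simplified exchange and return both parties' keys
    plus the rounds they discarded because Eve could read them."""
    rng = random.Random(seed)
    alice_key, bob_key, leaked_rounds = [], [], []
    for rnd in range(n_rounds):
        a_bit, b_bit = rng.randrange(2), rng.randrange(2)
        r_a = R_HIGH if a_bit else R_LOW
        r_b = R_HIGH if b_bit else R_LOW
        total = loop_resistance(r_a, r_b)
        known, _ = eve_knows(total)
        if known:
            # Alice and Bob can compute this too, so they know what Eve saw
            # and simply throw the round away.
            leaked_rounds.append(rnd)
            continue
        # Mixed round: Eve sees R_LOW + R_HIGH but cannot tell which side is
        # high. Each party subtracts its own resistor from the total to learn
        # the other's bit. The shared key bit is taken to be Alice's choice.
        alice_key.append(a_bit)
        bob_key.append(1 - b_bit)  # total - r_b == r_a, i.e. Alice chose the other value
    return {"alice": alice_key, "bob": bob_key, "leaked_rounds": leaked_rounds}


def eve_guess_accuracy(n_rounds: int, seed: int = 0, eve_seed: int = 99) -> float:
    """On kept rounds Eve's best effort is a coin flip; report her hit rate."""
    exchange = kljn_exchange(n_rounds, seed)
    rng = random.Random(eve_seed)
    key = exchange["alice"]
    if not key:
        return 0.0
    hits = sum(1 for bit in key if rng.randrange(2) == bit)
    return hits / len(key)


if __name__ == "__main__":
    ex = kljn_exchange(2000, seed=7)
    print("keys agree:", ex["alice"] == ex["bob"])
    print("key bits:", len(ex["alice"]), "discarded rounds:", len(ex["leaked_rounds"]))
    print("Eve's hit rate on kept bits:", round(eve_guess_accuracy(2000, seed=7), 3))
```

Roughly half the rounds are discarded, which is the price of Eve seeing the loop total; the point the homepage makes is that the discarded rounds are known to Alice and Bob as well, so nothing Eve learns ends up in the key.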


No One is Immune to Security Issues

May 7th, 2010

Earlier this week, blogger and author Cory Doctorow published an account of how he fell victim to a phishing scheme:

I run an up-to-date version of a very robust flavor of GNU/Linux called Ubuntu, which has a single, easy-to-use interface for keeping all my apps patched with the latest fixes. My browser, Firefox, is far less prone to serious security vulnerabilities than dogs like Internet Explorer. I use good security technology: my hard-drive and backup are encrypted, I surf through Ipredator (a great and secure anonymizer based in Sweden), and I use GRC’s password generator to create new, strong passwords for every site I visit (I keep these passwords in a text file that is separately encrypted).

And I’m media-literate: I have a good nose for scams and linkbait, I know that no one’s planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces.

I know that phishing – using clever fakes to trick the unsuspecting into revealing their passwords – is a real problem, with real victims. But I just assumed that phishing was someone else’s problem.

Or so I thought, until I got phished last week.

Doctorow goes on to describe how a perfect storm of circumstances led to him logging in on a fake Twitter page. His story is an excellent reminder that no one, even those educated on security best practices, is entirely secure against every possible threat. All of us can overlook basic recommendations at times, get distracted as we try to get tasks done, or even encounter a targeted attack that’s convincingly crafted. The tale is also a reminder that the extra time spent in understanding threats, double-checking protections, and closely examining resources really can go a long way in keeping data safe.

Good security solutions have to take into account both prevention and response. It’s important for your business to prepare for threats, just as Doctorow knew the common steps to avoid phishing. Yet it’s also important to be ready and nimble in case that one attack succeeds. Dealing with compromised systems is never enjoyable, but it’s far worse to be caught off-guard and without a plan for such emergencies.


DLP – Data Loss Prevention

May 6th, 2010

With the release of OpenDLP, more and more people are hearing about DLP. What is it and how does it work?

Fundamentally, security is about protecting important data – whatever that data happens to be – a formula, a trade secret, social security numbers, etc. We have all kinds of tools and techniques to help us encrypt and protect our data from someone outside of the company, but what about from people inside the company, people who go against company policy and use gmail, rapidshare, or other convenient tools to let them work at home or on the road? While seemingly innocent, these users are the ones that can cause the most problems.
