Automated video image analysis will be the next big breakthrough

Remember the character Chance the Gardener in Being There? “I like to watch TV” was his famous line. The problem with most business video is that we produce a lot of unwatchable footage, especially from security camera systems, and there aren’t any Chances around who want to watch it, either.

The trouble is that finding the one or two actionable events in all of that footage isn’t easy. As an example, take the story in today’s NY Times about how the military is being buried under a massive pile of video footage from its Predator drones flying over Pakistan and Afghanistan. The situation is only going to get worse: newer drone models will be sending streams from dozens of cameras within a few years.

The story has already been told of how the drones’ video feeds can be captured by anyone with modest software skills: the control channels are encrypted, but the video downlinks aren’t. Many legitimate users in the field need to see what the drones are broadcasting, and the military hasn’t yet been able to deploy encrypted viewing packages for these streams to all of them.

In the Times article, a group of soldiers based in Hampton, Virginia sit in front of the screens, watch in real time, and then make screengrabs available to the right people via computer chat rooms. I hope for the sake of everyone involved that these chat rooms are encrypted, but the article didn’t say.

So how do we build our automated Chance the Gardener? There are a couple of technologies that can help here, but they aren’t easy or cheap to implement. One is the telestrator, the device made popular by John Madden and Monday Night Football, where a commentator draws on the screen and you see colored squiggles highlighting what is going on. The ones that Madden and the pros use are very expensive, but there are dozens of telestrator products for the PC market, including some freeware such as VideoMage Producer.

Telestrators are nice, but again, someone has to be watching the video and doing the electronic doodling. You need more than a fast-forward button: ideally, you want an automated system that can identify actionable moments in the video. That is what the next class of products, called intelligent image analysis, does. A computer watches the stream and flags particular activities so that a human operator can come back later and review just those moments.

This is what the company stoplift.com is doing with its retail checkout analysis system. Typically, a retail store installs video cameras above each checkout aisle and records what the cashier is doing as items pass the point-of-sale scanner. There are all sorts of scams: “sweethearting” (a cashier passes items to a confederate without scanning them), or making it look like you are scanning a bar code when you are just waving the item past the scanner and over to the bagger. So what is needed is a system that ties into your point-of-sale data and flags the moments on video when an item crosses the counter but is never rung up at the register. I got to see a demo last week and thought this was way cool. The company claims their software can pay for itself in six months and significantly reduce the cost of stolen goods. And the good news is that no one has to watch all the security tapes to find those few sweetheart moments.

ITworld: Effortless Email Encryption

Previous encryption products required a lot of effort on key management and usually required a matched pair of programs at sender and receiver. That is thankfully a thing of the past, and there are several products on the market today that make encryption easier, almost effortless.

You can read the full article posted today in ITWorld here.

 

Book review: Detecting Malice by Robert Hansen

In his ebook Detecting Malice, Robert Hansen takes on a difficult task: to compile in one place descriptions of a variety of Internet attacks and the forensic methods for spotting each one. He does a great job of covering the landscape, writing in plain language without a lot of technical jargon and with many clear examples. If you have never read packet captures this book will be an eye opener, and if you have some exposure to hacking tools and Web traces then you will do fine with the examples he presents.

Think your Web site is immune to these exploits? Think again. Just about everyone has some kind of exposure, and understanding exactly what yours is means getting into the bad guys’ mindset and seeing how they would penetrate your servers.

I highly recommend this book, well worth the time and money. It will stimulate your thinking and certainly raise your level of paranoia, and perhaps level of motivation, to lock things down.

PC World: Better endpoint security

While there are numerous security suites from Symantec, McAfee, and the like that provide firewall and anti-virus, they aren’t integrated programs: more a collection of software much the way Microsoft Office is a collection of word processing, spreadsheets, and presentation software.

Here are three different approaches: two software products, from Symantec and eEye, and a combination of hardware and software from a relatively new company called Napera. All three combine firewall and intrusion prevention with centralized management consoles and reporting. You can read more in my column in today’s PC World here.

MarkMonitor BrandJacking Index: Financial Services brand abuse

Brand abuse is increasing, but more important than the sheer volume is the increased sophistication and the opportunistic nature of brandjackers, who are quick to take advantage of current events and popular concerns.

In this report, I look at brand abuse trends in the financial vertical, focusing on four major financial services brands and four terms associated with the financial crisis: foreclosure, mortgage, refinance and unemployed. As the economy has worsened over the past months, we found that con artists have exploited consumers’ financial fears and uncertainties, and have rushed in to hijack well-known brands for their own profit. There has been a profound increase, 36 percent in one quarter, in the level of phishing attacks as well as in cybersquatting.

You can download the entire report here on MarkMonitor’s site.

Markmonitor Brandjacking Report: Financial Services Abuse June 2009

In this edition of the Brandjacking Index, we look at the overall trends for exploits with four major financial services brands. As the economy has worsened over the past six months, we found that con artists have exploited consumers’ financial fears and uncertainties and rushed in to hijack well-known brands for their own profit. There has been a profound increase – 36% in one quarter — in the level of phishing attacks and cybersquatting abuse. More than 7,300 phony domains have been registered in the first quarter of 2009.

You can download the Brandjacking Index® – Spring 2009 report from MarkMonitor’s Web site here.

Keeping track of your Web site passwords

I have a dirty secret to share with you all today: until recently, I didn’t have a very good strategy for keeping track of my various Web site passwords and logins. Near my desk is a worn set of stapled sheets of paper with notations about which username, email address, and password I have used to authenticate to each site. Luckily, I work alone, but it still bothers me that if someone were to break into my office, those special pieces of paper would probably be the most valuable thing to find. I know some of you use Post-it notes for this purpose, and keep them where no one would look, such as under your keyboards.

There is a better way, and I will get to it in a moment, but first I want to take you through some of the other solutions that I have tried and rejected. Since I do most of my work on my laptop, why not just let my browser remember the credentials? That is fine for the sites I use most often, but it isn’t very secure should someone get hold of my laptop: unless the browser’s password store is locked with a master password, anyone with the machine can read the saved logins in the clear.

Another idea is OpenID.net, an open standard for federated identity that is supported by Yahoo, MySpace, Facebook, and others. OpenID sounds really good, until you start to peek under the covers. The provider that holds your OpenID login becomes the single key to every site that accepts it, and because those sites redirect you to the provider’s login page, users are trained to type that one password after a redirect, which is exactly what a phisher needs. If a phisher ever got ahold of that one authentication, they could pretty much gain access to the rest of your OpenID sites. This is more ‘phederated ID’ and a hacker’s paradise. The problem is that once you authenticate properly to your provider, you can use your OpenID URL to gain access to anything else.

I have mentioned in previous missives Ping.fm and Quub.com, which attempt to consolidate all of your social networking logins in one place so you can update your status messages across the board. To do that they must store your passwords for those sites in a form they can decrypt and replay, and it is troubling when I get emails from Quub mentioning that they have upgraded their system and “had to clear everyone’s existing credentials that were encrypted with the old algorithm. Please re-enter your credentials under Settings …”

RoboForm is another solution, which basically automates the logins and saves the credentials in an encrypted file on your hard drive. That is great, but what happens if you are using a different PC?

Another way is to use some form of two-factor authentication, so called because it combines something you know, the password, with something that you, and only you, have in your possession, such as a one-time-password token like RSA’s SecurID. I have one for my PayPal account; it cost $5 and is well worth the added protection it offers. Basically, no one else can log in to my account with just my password; they would need the token in hand as well.

But the issue with these tokens is that you need one for each of your accounts. Some vendors are trying to get around this by using your cell phone as the second factor, including Phonefactor.com and FireID.com. Both require some integration of their tools into your applications, which isn’t much help if you want to apply them universally to all of your Web logins. FireID’s solution involves a server that sits on your own network, while PhoneFactor requires software agents to be downloaded to your desktop or integrated into your Web applications.
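To make concrete what a token actually does, here is an added example (written for this page, not PayPal’s, RSA’s or any vendor’s code) of the open-standard equivalent, TOTP (RFC 6238), in Python. SecurID’s own algorithm is proprietary and differs in detail, but the shape is the same: the token and the server share a secret, each computes a short code from the current 30-second window, and the server accepts a small drift window. The secret below is the RFC 4226/6238 test vector, not a real one.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret between token and server. This is the RFC 4226 / RFC 6238
# test secret, used here so the codes can be checked against the RFCs.
SECRET = b"12345678901234567890"
STEP = 30       # seconds per time window
DIGITS = 6      # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None,
         step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time window.
    This is what the token displays."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: Optional[int] = None,
           window: int = 1, step: int = STEP, digits: int = DIGITS) -> bool:
    """Server-side check. Accepts the code for the current window and for
    `window` windows either side to tolerate clock drift between token and
    server. hmac.compare_digest keeps the comparison constant-time so the
    response time does not leak how many digits matched."""
    if at is None:
        at = int(time.time())
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    print("token shows:", totp(SECRET))
    print("server accepts:", verify(SECRET, totp(SECRET)))
```

Two things the server must add on top of this: refuse a code that has already been accepted in the same window, so a captured code cannot be replayed, and keep the shared secret on the token and the server only. The secret is now a second thing worth stealing, which is why it lives on a separate device rather than on the PC where the password is typed.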

So what else can you do? The service I am trying out now is from TriCipher and called MyOneLogin.com. It costs $30 a year per user, and everything is done via their hosted service, so there is nothing to download other than an optional Firefox or IE browser plug-in to handle some tasks. You set up a Web portal for your company, then add your credentials for the various sites. It comes with hundreds of preconfigured applications and protects the portal login with either knowledge questions (what was the name of your third-grade teacher?) or your cell phone as a second factor. The good thing about MyOneLogin is that you can set it up and forget your passwords, because no matter where you are you can log in to the portal and from there to your applications. You can mix and match Web and internal apps, such as your VPN login, without any programming or installing any servers. It is also a good solution for a company that wants to keep control of these credentials, so that when you leave you can’t take your logins with you. Of course, the portal login now becomes the one credential that unlocks everything, which is why the second factor on it matters.

Look for one of my WebInformant.tv screencast video demos in the near future that will show you more about the service. And you can try it out for 30 days for free if you are interested. Maybe now I can finally toss those special pieces of paper – but first I will have to make sure to shred them!

How to stay secure in these insecure times

This isn’t any April Fools’ story, but rather a depressing one about how easy it is to compromise a corporate network. Markoff’s recent story in the New York Times got me looking for the research paper by Nagaraja and Anderson, “The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement”, which should be required reading for anyone in the email and network security space.

The paper describes a determined attack on the offices of the Dalai Lama’s exiled government by purported agents of the Chinese government. It is a chilling account of how easy it is for attackers to penetrate a network with a little social engineering and some clever use of malware. None of the techniques are new; what is new is how much harder it is getting to keep the bad guys out.

The Tibetan government in exile contacted the authors of the paper when it noticed suspicious diplomatic behavior suggesting that its communications were being read. The authors found the following disturbing items:

  •      A number of successful logins to the Tibetans’ US-based hosting accounts came from Chinese IP addresses, none of which belonged to genuine Tibetan users
  •      Social engineering was used to learn the email addresses of many Tibetan government officials, who were then sent a series of phishing emails
  •      The emails carried malware hidden in what looked like ordinary documents from apparently legitimate sources
  •      Once the attachments were opened by mistake, the malware was used to harvest more information and compromise other users on the network
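The first item, successful logins from addresses no genuine user would use, is the kind of thing that is cheap to spot after the fact if anyone looks. As an added example (not from the paper or the article), here is a small Python script that scans sshd log lines for successful logins from outside an assumed set of expected networks, and for a success that follows failures from the same user and address, the signature of a guessed or phished password being tried out. The log lines, host, users, addresses and expected networks are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of sshd lines in auth.log format. Hostname, user names
# and addresses are invented (RFC 5737 documentation ranges), not real data.
SAMPLE_LOG = """\
Mar 12 03:14:07 webhost sshd[2011]: Accepted password for tenzin from 203.0.113.45 port 51022 ssh2
Mar 12 03:15:30 webhost sshd[2015]: Failed password for tenzin from 198.51.100.77 port 40011 ssh2
Mar 12 09:02:11 webhost sshd[2101]: Accepted password for dorje from 192.0.2.19 port 50120 ssh2
Mar 12 22:47:53 webhost sshd[2290]: Accepted publickey for tenzin from 198.51.100.77 port 40112 ssh2
Mar 13 01:05:19 webhost sshd[2333]: Accepted password for tenzin from 203.0.113.48 port 51100 ssh2
Mar 13 01:06:00 webhost CRON[2340]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed networks that genuine users log in from (office and VPN address
# space). These are placeholders; a real deployment would list its own.
EXPECTED_NETWORKS = {
    "office": ipaddress.ip_network("203.0.113.0/24"),
    "staff-vpn": ipaddress.ip_network("192.0.2.0/24"),
}

# Matches sshd "Accepted"/"Failed" auth results; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse(log_text):
    """Extract login attempts as dicts; non-auth lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ok"] = e["result"] == "Accepted"
            events.append(e)
    return events


def network_label(ip_text):
    """Name of the expected network containing the address, or None."""
    ip = ipaddress.ip_address(ip_text)
    for label, net in EXPECTED_NETWORKS.items():
        if ip in net:
            return label
    return None


def find_suspicious_logins(log_text):
    """Return (timestamp, user, ip, reason) alerts for
    - successful logins from outside the expected networks, and
    - a success preceded by failures from the same user/address pair."""
    alerts = []
    failures = defaultdict(int)
    for e in parse(log_text):
        key = (e["user"], e["ip"])
        if not e["ok"]:
            failures[key] += 1
            continue
        if network_label(e["ip"]) is None:
            alerts.append((e["ts"], e["user"], e["ip"],
                           "successful login from unexpected network"))
        if failures[key]:
            alerts.append((e["ts"], e["user"], e["ip"],
                           "success after %d failure(s) from same address" % failures[key]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print("%s %s from %s: %s" % alert)
```

On the constructed sample only the login from 198.51.100.77 is flagged, and it is flagged twice: it is outside both expected networks, and it succeeds after a failed attempt from the same address. A login with a valid key from an address the account has never used before is exactly the case the paper’s first finding describes, and it is invisible unless something compares the source address against what is normal for that user.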

What is interesting about this case is the combination of malware and “good guessing”, which is really what social engineering is anyway: doing research on the Tibetan community’s communications to find plausible email addresses of their correspondents, so that the phishing emails would be more likely to be opened by the exiled monks. The guessing was made easier by the nature of the Tibetan diaspora and how open the monks are about their activities and outreach.

Here is the nut graph of the report:

“Until recently, one might have assumed that it would take a ‘geek’ to write good malware, and someone with interpersonal skills to do the social manipulation. But the industrialisation of online crime over the past five years means that capably-written malware, which will not be detected by anti-virus programs, is now available on the market. All an attacker needs is the social skill and patience to work the malware from one person to another until enough machines have been compromised to complete the mission. What’s more, the ‘best practice’ advice that one sees in the corporate sector comes nowhere even close to preventing such an attack.”

So what countermeasures can a typical corporate IT person take? Certainly, encrypted email should be used more; this is something I have written about for more than a decade, and I will probably still be writing about it 10 years from now. (None of the Tibetan emails were encrypted.) Second, when possible, use separate networks for external communications that don’t contain operational elements of the company: don’t put your payroll on the same machines as your SMTP mail servers, use firewalls or even physically separate networks, and so forth. The authors state: “It would in our view be prudent practice to run a high-value payment system on a PC that does not contain a browser or email client, or indeed any other software at all.” Of course, as the Internet becomes more pervasive, this becomes harder to do.

Next, don’t open unexpected attachments, and be careful with unexpected documents even from your usual correspondents; mail sent from a compromised correspondent’s account looks entirely genuine. And as we conduct more business over social sites like Facebook and LinkedIn, be wary of what you receive there as well: the bad guys are using fake accounts and expanding their phishing to these sites. Just because someone is your “friend” doesn’t mean they are actually legit.

Finally, take a look at data leak prevention appliances and tools. While these are expensive, they can save your bacon and do a tremendous job of detecting abnormal situations. A good place to start is with Code Green Networks, one such product that I review over on my WebInformant.tv series of videos. The company tells me that every installation has turned up someone doing something they shouldn’t within the first week of use.