Nov 17 2008 9:42PM GMT
Posted by: Arian Eigen Heald
Security,
Admins and Auditors,
Compliance,
IT audit,
Data Breaches
I can hear the collective eye-rolling from here. But guess what! New federal regulations are requiring security education from organizations as part of compliance:
SEC regulations for financial institutions http://www.sec.gov/index.htm
NERC regulations for utility organizations http://www.nerc.com/files/RSAW-CIP-004-1-060608.doc
According to a study just finished by Cisco, “Data leakage often results from risky behavior by employees who are unaware that their actions are unsafe. Some of this problem can be attributed to a lack of corporate policy or inadequate communication of corporate policies to employees. In other cases, IT professionals simply expect some degree of professionalism, security awareness, and common sense precautions on the part of employees, and don’t get it.
• 43 percent of IT professionals said they are not educating employees well enough.
• 19 percent of IT professionals said they have not communicated the security policy to employees well enough.”
The SEC regulations affect publicly traded companies, so if you regularly undergo SOX audits, this will definitely be part of the package. PCI DSS has also required a formal security awareness program (Requirement 12.6) for quite some time. So, in short, you cannot escape. And besides, I suspect there are some things YOU can do to improve the understanding of your users. They are a very important part of YOUR network.
Who does your information security training? Have you taken a look at it lately? Is it any good, or just “CYA” material? See any improvements after training on the part of your user base? If not, maybe it’s time to change it.
How “user-friendly” is your organization/department for employees that want to ask computer-related security questions?
Are chronic problem users tracked, and their managers notified? (I love this idea…)
There is a rising tide of studies confirming that internal data theft and loss are far more costly to business than external attacks. All it takes is one user clicking on one phishing email to compromise company information (even a corporate email list is valuable to an attacker). A monthly email from you explaining a topic and inviting questions might result in a LARGE saving of YOUR time dealing with infections and information compromise.
And hey, you’ll be compliant! Auditors love you!
Nov 13 2008 5:32PM GMT
Posted by: Arian Eigen Heald
Security
A very well written article (rather unusual, in USAToday) on corporate espionage and data theft caught my eye today. I’d highly encourage you to take a look, even though it may make you nervous. It made ME nervous, but then, I’m supposed to be.
The article is on security researchers reporting the cybercrime shift from identity theft (the market has become saturated - enter dryly ironic comment of your choice here) to targeting anything they can get from corporate networks for selling at a later date.
If your company holds copyrighted material, patents, bids for proposals, financial planning for clients, business plans - all of these are targets for break-in artists. One PC can yield a treasure-trove of corporate email addresses, so that targeted emails can be sent with specific payloads.
And because most of us have HTML-enabled email, those messages can carry markup, script or exploit code the reader never sees, which is executed as soon as the message is rendered - even in the preview pane, before anyone clicks on anything.
(P.S., I know it’s pretty, but PLEASE turn HTML email off).
Consider where all that information is, and who has access to it. How do you know? This is the most common auditing question I ask. These thieves work very hard not to be found.
How could you catch these people?
1. Monitor your outbound firewall traffic - they have to deliver their data somewhere! Look for servers talking to the Internet, for connections that go around the proxy, and for hosts calling the same external address on a schedule.
2. Block Internet access from servers that don’t need it
3. Utilize proxy servers for Internet access - for EVERYBODY (don’t exclude IT staff)
4. Utilize internal firewalls and secured subnets
5. Designate critical servers for host-based intrusion detection agents
Make them work for it, or better yet, make it impossible.
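Items 1 through 3 above are things you can actually check against a firewall log rather than just hope for. The following is an added example (my code, not part of the original post) that runs three of those checks over a constructed, hypothetical log format: a server on the “no Internet” list reaching an external address, hosts going straight to web ports instead of through the proxy, and a host calling the same external address at a suspiciously regular interval (a beacon). The internal range, the proxy address and the server list are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

# Constructed sample (not any real firewall's output). Hypothetical one-line
# format: timestamp src dst dport action. The first four lines model a
# database server calling the same external host every ten minutes; the
# rest are workstations, two of which go through the proxy on 10.0.0.9.
SAMPLE_LOG = """\
2008-11-13T02:00:01 10.0.5.20 203.0.113.10 443 ACCEPT
2008-11-13T02:10:02 10.0.5.20 203.0.113.10 443 ACCEPT
2008-11-13T02:20:01 10.0.5.20 203.0.113.10 443 ACCEPT
2008-11-13T02:30:03 10.0.5.20 203.0.113.10 443 ACCEPT
2008-11-13T09:15:00 10.0.1.7 198.51.100.5 80 ACCEPT
2008-11-13T09:16:30 10.0.1.7 10.0.0.9 3128 ACCEPT
2008-11-13T10:00:00 10.0.1.8 10.0.0.9 3128 ACCEPT
2008-11-13T11:02:00 10.0.9.2 192.0.2.44 80 ACCEPT
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
PROXY_IP = "10.0.0.9"                               # assumed egress proxy
NO_INTERNET_SERVERS = {"10.0.5.20"}                 # assumed: DB server, no business on the Internet
WEB_PORTS = {80, 443}


def parse_log(text):
    """Turn the sample format into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "action": action})
    return events


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def find_server_egress(events):
    """Item 2: servers on the no-Internet list that reached an external address."""
    hits = {(e["src"], e["dst"], e["dport"]) for e in events
            if e["src"] in NO_INTERNET_SERVERS and is_external(e["dst"])}
    return sorted(hits)


def find_proxy_bypass(events):
    """Item 3: web-port connections that went direct instead of via the proxy."""
    hits = {(e["src"], e["dst"], e["dport"]) for e in events
            if e["dport"] in WEB_PORTS and e["dst"] != PROXY_IP and is_external(e["dst"])}
    return sorted(hits)


def find_beacons(events, min_count=4, max_jitter_s=60.0):
    """Item 1: (src, dst) pairs whose connection gaps are nearly constant.

    A human browsing produces irregular gaps; a bot phoning home on a timer
    produces gaps with very low spread. pstdev of the gaps is the spread.
    """
    by_pair = defaultdict(list)
    for e in events:
        if is_external(e["dst"]):
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            beacons.append(pair)
    return sorted(beacons)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("servers reaching the Internet:", find_server_egress(evs))
    print("proxy bypass:", find_proxy_bypass(evs))
    print("beacons:", find_beacons(evs))
```

The beacon check is deliberately crude (four hits and a spread under a minute); on a real log you would tune both thresholds and exclude known schedulers such as update servers, but even this version surfaces the database server that has no business talking to 203.0.113.10 four times an hour.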
Nov 12 2008 12:43AM GMT
Posted by: Arian Eigen Heald
Security,
Data Breaches,
Wireless
The word is out in InfoSec circles that a practical attack method against WPA - enabled wireless access points has been announced and is to be presented at PacSec in Tokyo this week.
It used to be that the only practical attack against WPA was a dictionary attack on the captured handshake of a network using a weak pre-shared key (PSK); if you had a long, non-dictionary PSK, you could be reasonably assured that you were secure. Now Erik Tews will be presenting the attack he developed with Martin Beck, which uses a combination of protocol weaknesses and cryptographic weaknesses to compromise TKIP encryption. The attack lets the attacker decrypt a short packet sent to a client and then inject up to seven forged packets into the network per decrypted packet (one per QoS channel).
There are far-reaching ramifications to this attack, but in short terms, this presentation means the days of WPA with TKIP are numbered. Some of the attack code is known to be already available.
The attack focuses on TKIP encryption, and you may think that with AES enabled, you are safe. Not, however, if your access point falls back to TKIP to let older clients connect (so-called mixed mode). Not all routers allow you to disable this feature, either. On some equipment AES is labelled WPA2 and TKIP is labelled WPA. The original WPA spec made TKIP mandatory and left CCMP (AES) optional; WPA2 (802.11i) makes CCMP mandatory and keeps TKIP only as an optional fallback for older clients.
What to do today (and believe me, I’m checking my home router, and will be auditing routers to this effect in the future; best believe that PCI will update their requirements quickly, as well)? Check your APs (access points) as follows:
Use only AES (CCMP).
Disable mixed mode, i.e. any fallback negotiation from CCMP (AES) to TKIP.
If you must keep TKIP for legacy clients, set the key rekey interval to 120 seconds or less; the attack needs the keys to stay stable for longer than that.
Interestingly, his estimate is 12 to 15 minutes, and what that buys is not the PSK but the decryption of one short packet (an ARP request, say) and recovery of the MIC key, which is what makes the packet injection possible. Nobody is recovering your passphrase in 15 minutes, but forged ARP or DNS packets injected into your network are bad enough. Note also that the attack as presented relies on the access point having WMM/QoS enabled.
What to do going forward? Plan on upgrading your wireless access points sooner rather than later. It won’t be long before some joker is using this attack to break into businesses.
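As an added example (my code, not the post’s), here is a small checker for the three items above, run against two constructed hostapd configurations: one in the mixed WPA/WPA2, TKIP-plus-CCMP mode the post warns about, and one hardened to WPA2 with CCMP only. The hostapd.conf keys used (wpa, wpa_pairwise, rsn_pairwise, wpa_group_rekey) are real hostapd parameters; the two configurations are made up for the example, and the 120-second rule is the post’s recommendation, not a hostapd default.

```python
# Added example: audit a hostapd.conf for the TKIP fallback discussed above.
# Both configurations below are constructed for the example.

WEAK_CONF = """\
interface=wlan0
ssid=corp-wifi
# wpa is a bitfield: 1 = WPA (TKIP era), 2 = WPA2/RSN, 3 = both (mixed mode)
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CHANGE-ME-use-a-long-random-passphrase
# offering TKIP lets an old client (or an attacker's client) pick it
wpa_pairwise=TKIP CCMP
"""

HARDENED_CONF = """\
interface=wlan0
ssid=corp-wifi
# WPA2 (RSN) only, CCMP (AES) only: nothing to negotiate down to
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CHANGE-ME-use-a-long-random-passphrase
wpa_pairwise=CCMP
rsn_pairwise=CCMP
"""

TKIP_REKEY_MAX_S = 120   # the post's rule of thumb if TKIP cannot be removed


def parse_hostapd(text):
    """hostapd.conf is key=value per line; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa & 1:
        findings.append("WPA (version 1) enabled alongside or instead of WPA2: set wpa=2")

    wpa_pairwise = conf.get("wpa_pairwise", "").split()
    # hostapd falls back to wpa_pairwise for RSN when rsn_pairwise is not set
    rsn_pairwise = conf["rsn_pairwise"].split() if "rsn_pairwise" in conf else wpa_pairwise

    tkip_offered = ("TKIP" in wpa_pairwise and wpa & 1) or ("TKIP" in rsn_pairwise and wpa & 2)
    if tkip_offered:
        findings.append("TKIP offered as a pairwise cipher: allow only CCMP")
        rekey = conf.get("wpa_group_rekey")
        if rekey is None or int(rekey) > TKIP_REKEY_MAX_S:
            findings.append(
                f"wpa_group_rekey is not set to {TKIP_REKEY_MAX_S}s or less while TKIP is offered")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(parse_hostapd(text)) or ["OK"])
```

On consumer gear you will not have a text file to audit, but the same three questions apply to whatever the web interface calls the settings: is WPA (not just WPA2) still enabled, is TKIP still in the cipher list, and if it is, how often are the keys rotated.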
Nov 5 2008 12:01AM GMT
Posted by: Arian Eigen Heald
Security,
DataCenter,
DataManagement
Per my previous post, it seems that there is suddenly a lot of discussion in the security blogosphere about cloud computing and the security (or lack) thereof. Seems a number of people have taken note of Microsoft’s entry (Azure) into Data Center business development. A lot of really good questions are being asked.
How are these environments going to be secured? I have yet to see anything solid provided. Evidently vendors are content to “wait” until businesspeople tell them what they want. What if they never ask? Where is there a baseline for systems? Access controls? Dare I say “secure software development lifecycle?”
Nothing yet.
For some painful laughter, try reading a poetic critique of cloud computing here from Christopher Hoff.
Follow that up with a dose of reality as to the real origin of “cloud” computing from Reuven Cohen:
I hate to tell you this, it wasn’t Amazon, IBM or even Sun who invented cloud computing. It was criminal technologists, mostly from eastern Europe who did. Looking back to the late 90’s and the use of decentralized “warez” darknets. These original private “clouds” are the first true cloud computing infrastructures seen in the wild. Even way back then the criminal syndicates had developed “service oriented architectures” and federated id systems including advanced encryption. It has taken more than 10 years before we actually started to see this type of sophisticated decentralization to start being adopted by traditional enterprises.
and you begin to see the general take on cloud computing as it is currently being described. I like “thin client” computing. You can put a lot of controls in place that allow a user to have a desktop of their own AND not allow any malware in beyond the next reboot. It makes me nervous to think about some big corporation holding all my data, but banks do it all the time with mainframe applications. That’s where Metavante and Jack Henry, for instance, make their money.
But how do we audit these clouds? It still comes down to WHO has ACCESS to WHAT.
Oct 30 2008 3:33PM GMT
Posted by: Arian Eigen Heald
Security,
Admins and Auditors,
DataManagement,
Development,
Microsoft Windows,
Storage,
Virtualization
I had a co-worker ask me yesterday what my opinion on “cloud computing” is, and whether it should be something they could recommend to clients. He had seen announcements about cloud computing from Microsoft
According to a 2008 paper published by IEEE Internet Computing, “Cloud Computing is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centers, tablet computers, notebooks, wall computers, handhelds, sensors, monitors, etc.” Another criterion is that it be massively scalable.
“Cloud Computing” is almost the same as “SaaS” (software as a service), the difference being, according to Gartner, scalability.
What I found the most interesting was the statement from Microsoft: Windows Azure provides developers with on-demand compute and storage to host, scale, and manage Web applications on the Internet through Microsoft® data centers. (the bold emphasis is mine.)
So, a business runs all its core applications and stores all its data on Microsoft’s servers. Microsoft is actually developing Azure as a separate platform from Windows Server and desktop applications. It’s all accessible from anywhere on the Internet. I guess Microsoft has decided to get into the Data Center business arena along with IBM and HP.
This is probably a silly question, but what do you have if there is no Internet access? There seems to be a massive assumption that all business functions can be run over the Internet.
The ONE statement about security on their opening page was: Security supported by flexible Code Access Security policies and The built-in management services give monitoring and tracing capabilities.
That’s IT???? I admit it is a page pitched to software development, but shouldn’t secure software development and the security of the data centers be in there somewhere? The FAQ offered nothing on that topic either. It did, however, offer up pricing.
So, I’m going to be terribly cynical and say that this might be Microsoft’s approach to controlling the rampant software piracy of their products going on all over the world. How about promoting it as a “more secure platform?”
Other than being a marketing ploy, “cloud computing” sounds like “thin client” writ large. There may be some significant financial savings, if you have the right kind of business to use this platform. AND you want to turn your data security over to Microsoft.
Microsoft’s only mention of “risk” - Windows Azure provides you, the developer, with a scalable platform and a rich development environment that allows you to focus on the business logic of your application without worrying about operational constraints or lock-in,” didn’t get me to “wow.” How often has security lagged far behind software development and what is Microsoft doing to change that? From this announcement, nothing.
Oct 28 2008 3:08PM GMT
Posted by: Arian Eigen Heald
Mobile,
Tools for Auditing and Security,
Tools & Tricks of the Trade,
Hardware & InfoSec
I’m having very mixed feelings, I must say, on what I’ve been reading about accessing information from cell phones. On the one hand, in my line of work, which occasionally includes forensics, I’m pleased to see new tools come out that make my job that much easier. The Cell Seizure Investigator “stick” from Paraben for under $500 is a great new piece of equipment for pulling all information off of a corporate cell phone.
On the other hand, knowing that there is a quick tool to pull all the data off my phone in five minutes or so doesn’t give me warm feelings inside. Given that there isn’t really a secure delete function that is available, anything that is on my phone could be recovered in the same way we can recover deleted data from a hard drive. When will we have the ability to encrypt the storage on these things?
I have seen some early reports of cell phones that use biometric identification, but none that appear to be here in the USA.
I have run across a free tool for deleting data on your cell phone by recellular.com that offers some software based on model of phone. Not all models are covered, and I haven’t had a chance to test it out. If you do, please let me know your results.
In the meantime, review what is on your cell phone, and keep it to a minimum!
Oct 23 2008 4:41PM GMT
Posted by: Arian Eigen Heald
Security,
Hardware & InfoSec,
Admins and Auditors,
Tools for Auditing and Security,
DataCenter
The most secure Data Centers I’ve seen utilize electronic access cards of some type that have a good reporting mechanism, right down to which door. Of course, these systems don’t do you a bit of good if no one looks at the logs, but that seems to be the exception, rather than the rule. Thank goodness!
I’ve seen some systems that you must swipe in order to exit, as well as enter. This seems a smart way to make sure employees and cards are being utilized properly. Also, doors should alarm if they are propped open or not quite secured. Depends on how much you value your data, doesn’t it?
Camera systems can be a very good alternative to swipe cards, but ONLY if you have sufficient coverage of the area you’re trying to secure. I tested a system that could see me going up the steps to the Data Center, but didn’t capture me until I was two feet from the door. If I scuttled sideways to the right, it missed me entirely! We adjusted that camera together.
Does your system overlap all areas inside the Data Center? Can you track where someone goes throughout the area?
Finally, is your camera system secured away from the Data Center? Make sure only specific people have access, and make sure the captures are stored securely. How long should you keep them? I’d say a year, which would give you a good period of time to track back possible miscreants. But it really depends on your storage space. If you can use WORM (Write Once, Read Many) storage, even better.
Ultimately, it does come down to your employees. I can’t tell you how many times I’ve slid in the door behind someone holding an armful of books and thanking them for holding the door. If someone strange is sitting in the conference room, it could be me hacking your network. Just ’cause I’m a lady dressed in a really nice business suit doesn’t mean a thing.
How are you disposing of your physical computer equipment? Never underestimate the ability of people to be lazy and just “toss” stuff. Find a way to securely wipe your data OR transfer the risk by hiring someone that will give you a certified receipt that THEY have destroyed it for you. Expensive? Probably. More expensive? Getting your company’s name in the paper.
Oct 21 2008 1:58PM GMT
Posted by: Arian Eigen Heald
Security,
Hardware & InfoSec,
Data Breaches,
Wireless,
Automatic Theft Machines
From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:
Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.
The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.
The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could only collect information from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.
Although the article does not address debit cards, I would have to wonder what the impact was on those? Did they escape due to the lack of PIN capture? Possibly.
The first solution I would think of would be to lock down the phone line so that it can ONLY dial home (and not Lahore, to deliver its payload). Not only that, log and report any attempts to dial elsewhere.
This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 to 100 million dollars.
Just who has had access to the inside of those machines, which were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to quite an effect.
Thieves keep getting smarter.
Oct 20 2008 1:06AM GMT
Posted by: Arian Eigen Heald
Security,
Admins and Auditors,
IT audit,
DataCenter,
Tools & Tricks of the Trade
When I do an audit, or a penetration test, I start by walking around the building, both inside, outside, and sometimes even on the roof. In my travels, I’ll leave my business card where I can gain unauthorized access. How often am I successful? 95% of the time.
I mentally catalog the exterior doors, the signs on them, and I keep an eye on whether people use them a lot. Then I monitor where the smokers go; I’ve often been able to enter a building undetected that way.
From there, I move to the Data Center. How many doors? Do the doors close firmly and immediately behind whoever enters? I’ve gotten in that way, too.
How about door locks? At a business I was at recently, they were still using push-button locks with a four digit code. After the fourth visit to the server room, I had the code in my head. They couldn’t recall when the last time was they had changed the code, either.
Keys? How many keys are there? I’ve never seen a key that couldn’t be duplicated. How about having to deal with when they get lost? One memorable evening, I went around the IT staff’s desks, looking in desk drawers (in pen tests, all “politeness” is off). I found a very nice key ring labeled “Server Room.”
What about contractors or cleaning people? Does someone escort them while they’re in there, or are they left to their own devices? As boring as that is, leaving someone alone with the corporate crown jewels is equivalent to unlocking the barn door. Are the server cages secured? Are there segments to your Data Center, so that the really significant equipment is in a further secured area inside the Data Center?
I recently visited a really nice Data Center, and the Security guys were very proud of their camera system. It was an excellent system, covering all the doors. But what about once someone actually gets in? What are they doing? Where do they go? The company used a lot of subcontractors, and I pitched to the Security guys the idea that they needed cameras for all areas of the Data Center, not just the doors.
They needed to be able to see where someone went down the server rows to do their work. It’s great physical evidence that says it all in a court of law. If someone says they didn’t touch that server, and you have pictures showing them walking down that row and stopping at that rack, well, game over.
We often think about hacking or breaches as something that is completed with some esoteric piece of magical computer code. I think like the bad guys: what’s the easiest way in?