Friday, June 29, 2007

MS07-0056 and Chutzpah


For those of you that know what chutzpah is...scroll down a bit.

For those of you that don't know this beautiful Yiddish term, it is broadly defined as "insolence," "audacity," and "impertinence". But as with all Yiddish terms, the meaning is deeper than just that. It is someone who does something so bad and with so much courage that you hate him for what his done but admire the fact he had the guts to do it.

My best version of chutzpah is the thief that stole a whole bunch of clothes from a department store and the next day tried to exchange the ones that didn't fit.

So, MS07-0056.

If you are a security expert or just someone that patches regularly (which you SHOULD be doing!) you may recognise that MS07-0056 looks very similar to a Microsoft Advisory number. Almost, but not quite. Microsoft advisory numbers are MS, the two-digit year, a dash and a three-digit number.

MS07-0056 is a fake version of an email advisory from Microsoft, complete with their logo and a formal-looking, no-nonsense, go-patch-now look. The email is very cleverly crafted and has a link at the bottom to a fake patch which is really malware.

While phishing is not new and fake emails telling one to download stuff are not new, the fact that patch notifications are being used to distribute malware is way over the line between what is bad and what is total chutzpah.

While we are on the topic... you are still reading, right?... I want to throw in some other examples of chutzpah: fake antivirus and spyware checkers, or even real ones that are themselves spyware.

We, as security professionals, drone on and on and on about people patching, installing spyware and antivirus tools, using them and keeping them up to date. And along comes the enemy, attacking us and at the same time sowing doubt in our defences.

The rule is still the same though....treat every link in every email as suspect.

And keep your antivirus up-to-date!

Thursday, June 28, 2007

It's MINE and it's BEAUTIFUL!


My wife used to run a little craft shop and her biggest challenge was getting adults to be creative. When she asked someone straight out to do crafts they would usually reply "but I'm not arty" or some such nonsense. Everyone is artistic. We may not all be Picasso or Rembrandt but there is a little artiste inside all of us waiting to get out.

[For both of the guys who read this column for the Information Security bits (thanks mom, dad), it's coming near the end.]

All of these people have cellphones with their own ring tones, themes and personalizations. Even little things that hang off the aerial, little cases, etc etc.

The ones that work have PCs that have custom desktops. It may be a soccer team, cute kittens, a nice colour, pictures of their kids etc.

People in the workplace have, in most cases, few opportunities to express themselves creatively. But it has to come out somehow. And hence, people change their desktops and cell phone rings. This also leads to the attraction of blogging, but more so of facebook and its friends.

I imagine it would be possible to fill up 8 hours a day for a month customising facebook, adding friends, adding and removing applications, putting in information, getting more applications that need information, drawing, chatting etc etc. And the whole time you are using the creative part of your brain.

How does this relate to Information Security? Well, a great deal of time is spent understanding what users do. A user is a tricky resource to understand. Companies have to accept the fact that their employees need to express their creative side, and not just the advertising guys and the script writers, but Jeff in Accounting too.

The alternative is that users will find ways to bypass measures in place that stifle their creativity. They will spend loads of time on facebook, swap joke emails, download music through p2p or even just spend time by the watercooler.

Or maybe I'm being too lenient, maybe the technological answer is correct and we should just close down undesirable sites, use "managed desktops" where everything is tightened up etc.

But facebook can be used from a cell phone...

Wednesday, June 27, 2007

Paris Hilton could make you lose your virtual underwear.

Beware of Paris Hilton...

She may be behind bars but she can still hurt you..

Or rather, it is reported here that a site offering some private stuff of hers has been hacked. And, ironically, all those looking to get a taste of her private stuff have had their private details downloaded.

Think before you send your details over to "parisexposed.com" and its ilk: do you want the world to know, with pretty good certainty, what you get up to? If privacy is like underwear on the Internet - you could get caught without it.

Nice term - horrible concept


Part of the reason I blog is to put my ideas down in something more tangible than fleeting thoughts, hence the name of the blog. Others can benefit from my thoughts but sometimes I use the blog to record interesting things I have heard and seen. This blog entry is about that.

I was reading a blog and came across the term "intermittent variable reward". It is basically the quick hit of happiness one gets from doing something repetitive that rewards you differently each time. The example given in the blog entry I was reading (see below) is a jackpot machine. You pull the handle and each time you get a different reward.

I think facebook is like that. Woo-hoo, a new friend, a new wall posting, a new comment, etc. MXit is even more like that. You are never sure when someone will contact you and what they will say. So hope is always there and the addiction comes very easily.

This is something I've been meaning to blog about for a long time but never really took the time until I saw something similar here but about "twitter" which I haven't really come into contact with much yet.

When I was at University I spent more time than I should have on IRC. I made some good friends along the way and found a beautiful wife. So, some good came out of it, but I must say I was addicted to the rush of seeing what was going to happen next, even to the point where I would sit and stare at my computer screen doing nothing, just waiting. What a waste of time.

My brother-in-law is the next generation. Every time I see him he has his cell phone out and it is always beeping from some contact somewhere. MXit prides itself on being next to free but the amount of time spent on MXit by some of the youth of South Africa is scary.

And now I have a term for this addiction: "intermittent variable reward".

Tuesday, June 26, 2007

Information Security - its for Small Businesses too!


I am (about) number 30 in the Business section on Amatomu. For those of you who don't know what it is - it is a list of South African blogs, ranked and indexed.

I have read some of the blogs and am impressed at the quality of them and most of them (the business ones) seem to be aimed at small businesses, which is great.

But I am an Information Security blogger and from what I have seen - small businesses don't seem to take Information Security seriously.

For example, I went to a business the other day and they have me listed on their database. But they had my password on their system in plain text. Thank goodness I use a different password for each online service I use, but I know some people that use their PIN as a password and some use the same password for every service. Sorry friend, your password is no longer secure.

When you sign up for a movie contract, where does the information go? Who has access to it? Are your credit card details listed, your ID number? If you have to fill in a piece of paper first, where does that go? You probably fill in enough stuff when taking out a movie contract to allow the young kid behind the counter to be able to impersonate you and mess you around.

When you hand over your credit card in a restaurant, does the waiter take down all the numbers? More to the point - is this something the manager will look out for?

Does your lawyer, who works from home, keep all your information on his laptop? Or any of it? Is it encrypted? What if the laptop gets stolen? What if all the documents he is busy with for you get wiped out in a fire/virus attack/mistake? Does he do backups? Do you?

It's not like me to sow some fear, uncertainty and doubt, but I think that small businesses need to play along.

For their clients and for themselves.

Friday, June 22, 2007

My Wall of Wisdom (Part 1)

When I moved from Network Security where the "what" of security is obvious and the "how" is not so obvious to Security Management where the "what" is not so obvious and the "how" is done by others I decided I needed to get a bigger picture view on Information Security.

This blog has been an invaluable asset as I wander along the path of elucidation. Also, as I read and search for wisdom I come across some gems. I have made myself a Wall of Wisdom with some choice quotes that I refer back to when I'm not sure what I should be doing.

I'm going to share one of them with you today. And others in the future.

My first challenge is that Information Security is seen as a technical task - get a firewall, get some antivirus, if you still have money - deploy PKI.

No.

Information Security is a business task. And in all things to do with business, success or failure needs to be measured. How secure are you, right now? If you can't answer that, you are not doing Information Security right.

My quote is from Lord Kelvin who was a mathematical physicist, engineer and outstanding leader in the physical sciences. In a lecture to the Institution of Civil Engineers on 3 May 1883 he said:

"I often say that when you measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of Science, whatever the matter may be."

Wednesday, June 20, 2007

Sharing is Caring - but not with passwords.


This follows on from my previous post.

We all (should) know by now that we shouldn't share passwords.

But how many of us know exactly where we should use passwords on the internet?

Phishing and its ilk have shown us that you can't trust website links that are sent to you via email.

But what if a friend (or what seems to be a friend) pops up on MSN Messenger or via email or facebook and tells you to "check out this cool site". You do it, you trust your friend's judgment and enter your password only to get caught out and your identity is used to send out the next bunch of "hey, check out this cool site" messages.

That is all in my last post which has a real world example of how one can get caught but the question is how do we define what is right and what is not?

My hotmail username and password is my MSN Messenger password and apparently opens up a whole bunch of access for me to other sites. This is the whole "passport", single-sign-on concept dreamed up by Microsoft. I sign on once to one of the "passport" sites and voila, all the other sites need no sign on. Amazing. Except that someone out there could hijack the system and pretend to be a "passport" site gaining them my password and access to all of my "passport" stuff.

Putting down Microsoft's security efforts is like running the 100 metres against a fish. It's too easy; but Google is starting to move in the same direction. My Google username and password gets me into gmail, igoogle, blogger, etc, and the list will expand as Google buy more and more companies and bring more and more stuff out of their labs. I don't really use yahoo!'s services but I imagine that they are following the trend, which is not limited to Google and Microsoft but is a general industry-wide trend.

When I signed up for Blogger I didn't need a new username and password etc; I just logged on with my Google password. Blogger said that they are a Google company so, boom in goes the password. I did check things out first but that's just me, I doubt most people would.

Another thing that surprised me was when facebook asked me for my email username and password so it could check my email contacts against its subscriber base - not my facebook username and password but my online email username and password. This is obviously a service that a large number of people use or else it would have been taken down, freeing up some vital real estate on facebook's main page. Entering this information is optional, but if you do, you have to trust facebook will not store the information, if they do store it then you have to trust that they will store it securely, and not use it themselves except to check your contact list once. Do you trust facebook?

It seems there are no easy ways around this issue. You have to check to make sure that you trust each site you give another site's password to or, better still, don't share the passwords at all.

Tuesday, June 19, 2007

"1 for the show... 2 for the money"


Yes, the title is right. And this is finally a post that is actually useful (as opposed to interesting and useful somewhere down the line, I hope).

If a friend of yours on MSN Messenger messages you to look at a site that looks something along the lines of messengerweb don't go. Or, go but know the risks.

The title - confusing as it may be reflects the change in attitudes of the "blackhat" or "hacker" community.

1 - it used to be for show: how many sites can you hack in 24 hours? how many machines can you bring down? is Google invulnerable?
2 - now it's for the money.

The site above is an excellent example of this. It is packed full of Google adverts. So each time someone visits the site the owner gets a (very) small amount of money. The way to make that into a big amount is to get a large amount of people to visit.

There is the way I do it which is try to make good content and hope that people find it useful but there is another way - the way that site does it.

The site offers a dubious service to the people that log into it. You need to log in with your MSN credentials (which also happen to be your MSN passport and hotmail password). The site does some checking in its database for you (that's the service) and (this is the genius bit) uses the recently acquired MSN username and password to send a message (as you) to all of your contacts telling them about this "really cool" site, and so the networking effect goes on until a lot of visits happen and the site owner makes a load of cash.

You have to accept the terms and conditions before connecting where it is spelled out in no uncertain terms what the site will do.

I got "fake announcements" from a number of technical people who had obviously not only visited the site but also entered in their usernames and passwords.

To the general public: don't give up your password ever! Even when asked to on websites. The MSN password is for MSN only - not for other websites like messengerweb. Ask yourself before you enter any information onto a site - how much do I trust this site? Rather close the window if you are not sure.

To security people: it looks like we have failed again if people are so keen and eager to just give away their passwords. We have to focus on the principles - "Don't share your password! Know where to use them and where not to" - and not the modus operandi - "watch out for emails asking for your password or directing you to a bank website" - because the principles don't change but the modus operandi do.

Technorati

I have joined Technorati. They need me to do a silly post to prove I own this blog. So here goes. You can safely ignore this post. Technorati Profile

A tale of two CEOs..

A while back I went to a lecture that opened my eyes and inspired me. It is what I look back on when times are dark and enables me to think "Information Security is possible".

The talk was started by the CEO of a large financial institution which is also heavily involved in the medical industry. Alarm bells should be ringing... because the information they have floating around their network is so private - its scary.

The CEO of the company started the talk and told us how secure they are now and how they are working on getting more secure and more to the point - how come he knows.

It seems it wasn't always that way but they are working on getting more secure. They started with a framework, defined goals, worked out a plan and ways to measure their security posture.

And it is something they are very proud of. In fact, that the CEO can talk security already is something special. That he is aware at any one time how secure he is, is more special. Well done to them.

I also had a chance to talk to someone from their competition. I mentioned this inspiring talk and asked this person how secure they are - he told me about firewalls, VPNs and that they had a "full PKI installation with non-repudiation" but gave me no measurables - just product talk. In short, he doesn't know.

There are (apparently) 2 companies in South Africa that are fully ISO27001 certified. I'm not sure what these are but 2 is a very small number. Hopefully, companies will wake up to the realities and as South Africa does more business with overseas companies, hopefully information security will become a selling point.

Monday, June 18, 2007

Elucidate


This is not promotion for my business. Maybe if "blogging" (and other cool web 2.0 technologies) had been so popular three years ago then my business would have survived.

No, it is much more important than that.

When I was trying to pick out a name for my (then) consulting business I literally picked up a dictionary and tried to find a cool name that had not been used. I also wanted to stay away from things that had strange placements of lowercase letters like "e" (e-security) and "i" (iSecureU) and "x" (x-pert consulting). I ended up with "elucidate" which is a lovely word that flows off the tongue.

When I gave up my business due to more pressing issues and rejoined the workforce as a normal lemming, I kept the term close to my heart.

Most of my time is spent on the cutting edge; I definitely don't "take up too much space" as the phrase goes. Hence, my time is spent in areas where I don't (yet) have a clue what I am doing, but neither does the rest of the world. I like it here, it's not too crowded and it's interesting; like climbing up a steep cliff wall with no rope is "interesting".

A better analogy is probably: my work life is like doing a puzzle without the box lid to help, with pieces that all fit together (even incorrectly) and some that don't even belong. Sometimes I'll find a few that just have to work together and I have a sense of enlightenment. I can then pass this on to others without them having to do the hard work.

It's a good feeling.

It is a total sense of clarity - lucid.

I should have probably posted this blog entry first because it gives the clearest insight into myself and what I strive for and how I do it.

Now, go back and read all my blog entries all over again. ;)

Thursday, June 14, 2007

Information security done wrong can kill!

...really.

This morning I took a look at an article in the New York Times about the Virginia Tech Report.

This report was requested by the American President after Seung Hui Cho shot 27 students and 5 faculty members to death at Virginia Tech’s Blacksburg campus on April 16.

His mental health was shown to be questionable and he had been ordered by a Judge to undergo a psychiatric evaluation. But due to privacy restrictions when he applied for a weapon there was no record of this and he was legally able to acquire one.

When I say "privacy restrictions" I actually mean "assumed privacy restrictions". According to the report (and as stated in an article on examiner.com) schools, doctors and police often do not share information about potentially dangerous students because they can't figure out complicated and overlapping privacy laws.

So, they would rather "fail safe" as such and not release any information. Even though, in this case it would have saved lives.

Rule number one when dealing with people who are trusted with information - they need to know what they can and can't do with it and rules have to be crystal clear.

Kudos to the American government for seeing the problem and reacting to it by proposing a Federal bill.

Tuesday, June 12, 2007

And Now for Some Bible Education (Part 3)

Finally, just a word of thanks to Jewishanswers.org who put me in contact with Rabbi Seinfeld (yes, really) who helped me find the information I needed for these posts.

A rabbi with a blog sounds like the start of a Jewish joke, but his blog is interesting and I have bookmarked it.

The actual article I used for my blog is here. And is from commentary on Exodus 18.

And Now for Some Bible Education (Part 2)

So.. how does that affect us?

I find in some cases it makes sense to take a hard line on something and not compromise. Sometimes you also just know the answer: you can't really be certain of your security posture if you have 20% of all passwords being "password". But sometimes you have to compromise a bit - you have to allow some traffic through your firewall.

I like to think that I am more of an Aaron person - I find it easier to analyse, debate and discuss than research and enforce. Which makes me a pretty good Information Security consultant. I have different people, with different agendas all coming at me and I need to find a balance.

I fully expect those people to have the agendas that they do and while things can get heated when someone doesn't understand why I can't fully agree with them, I actually prefer them to have strong ideas. That way I can make a good decision.

Every InfoSec consultant will be stuck in the middle of a few factors, the CSO who wants everything perfectly secured (pull out the Internet cable and lock the doors), the CIO who wants everything up and running and the CEO who doesn't care as long as business gets done. You also have 1,000,001 vendors who all think that their product is perfect and does everything. You have the law makers who want to push laws that protect everyone. You have your wife and kids who want you at home all the time (or at least every night and weekend). Another example is ISACA who believe everything can be solved through risk analysis.

And the sad truth is that you can't make all of these people happy. You have to compromise.

Each of these people is a "Moses" - they know their point exactly. They see the world in black and white. A technical salesperson (assuming they are trustworthy and their product is reasonably competent) will know all the good about his/her product. They know all the bad it can eradicate and the risks it can mitigate. They may know about competitors' products and how choices were made - some companies decided to use agents, some use no agents. They will stand by their products. They will not budge, and so they shouldn't.

I do have a bit of bias and where I can I push Open Source software but I am aware that it doesn't work for everything and that is where I take my Moses cap off and put on an Aaron cap. I know how good Check Point's firewall software is but when it comes time to do NAC I need to judge fairly.

Speaking of Open Source software - the community is made up of people who are Moses-types and Aaron-types. Richard Stallman is very much a Moses-type. Linus Torvalds is more of an Aaron-type when it comes to licence issues but more of a Moses-type when it comes to some aspects of kernel programming.

They are both successful because they have managed to be the kinds of personality they need to be when they need to be that kind.

Monday, June 11, 2007

And Now for Some Bible Education (Part 1)

Information Security is new and fresh and waiting for ideas to mold it. So, I like to look around at older pieces of wisdom in which to help me make decisions on a daily basis.

I was reading the debate between Alan and Michael and it reminded me of an email I got a while back, sent to me by a mailing list of interesting lessons from the Torah (Bible books: Genesis to Deuteronomy). I lost the email but I have never forgotten the lesson, due to it being very powerful and insightful (not inciteful).

Bear with me... there are Information Security lessons and life lessons to be learned here.

Yitro who is Moses' father-in-law comes to visit him after he has left Egypt and tells Moses to appoint judges for his own well being and those of the people. Which makes sense for Moses - he is a busy guy, let someone else do the judging.

But why for the people? They have access to the greatest prophet in history. Moses could judge perfectly. The reason is that you don't want someone who can judge perfectly. Sometimes you need someone who can compromise. This person was Aaron who saw the grey and not the black and white of being sure.

So, Aaron can do something Moses can't which makes him more important than Moses. Wrong. It makes him different.

And here is the moral of the story. Some people are Moses and see black and white and some people are Aaron. And most people are both but at different times.

I think the challenge is to be able to see when to be one or the other.

[TBC]

Friday, June 1, 2007

eNatis (Part 2) - Quick Quote

Hi,

The Beeld newspaper did all the hard work for me so here is a quote from their newspaper:

Beeld can now reveal the conclusions of the report, which is the second of three audits compiled by the A-G:

  • it is possible to hack into eNatis;
  • one does not need a password to log on as an eNatis administrator;
  • documents on eNatis are not secured; and
  • eNatis files can be circulated unprotected without any problem.

This is just a quick post on what the newspaper has to say. I will reply with more information and some analysis soon.

The full article is here.