Monday, June 30, 2008
Information Security Around The House : Part 2 : Packet Sniffers
Packet Sniffers
From the Wikipedia Article on Packet Sniffers:
A packet sniffer (also known as a network sniffer, network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.
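To make that definition concrete, here is an added example (not part of the original post or of the Wikipedia article) that does what the last sentence describes: it takes a raw Ethernet frame and decodes it header by header, Ethernet II, then IPv4 (RFC 791), then TCP (RFC 793), verifying the IPv4 header checksum on the way. The frame is a constructed TCP SYN from 10.0.0.1 to 10.0.0.2 port 80, embedded inline so the code runs offline; the `capture()` function shows how the same decoder would be fed from a Linux raw socket, which needs root and is not needed to run the example. Function and field names are my own.

```python
import socket
import struct

ETH_P_ALL = 0x0003      # capture every protocol (Linux AF_PACKET)
ETH_P_IP = 0x0800       # EtherType for IPv4
IPPROTO_TCP = 6
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Constructed sample frame: a TCP SYN, 10.0.0.1:49152 -> 10.0.0.2:80, no options, no
# payload. The IPv4 header checksum (0x66cd) is the real value for these bytes; the
# TCP checksum is left at zero because verifying it needs an IP pseudo-header.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455 66778899aabb 0800"                    # Ethernet II: dst, src, type
    "4500 0028 0001 0000 4006 66cd 0a000001 0a000002"   # IPv4: 20-byte header, proto 6
    "c000 0050 00000000 00000000 5002 ffff 0000 0000"   # TCP: ports, seq, ack, SYN, window
)

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def fmt_ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over the header; returns 0 when it is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP, stopping at the first layer we do not handle."""
    dst, src, ethertype = struct.unpack(">6s6sH", frame[:14])
    pkt = {"eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "ethertype": ethertype}
    if ethertype != ETH_P_IP:
        return pkt

    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     saddr, daddr) = struct.unpack(">BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4               # IPv4 header length in bytes (options included)
    pkt.update(ip_version=ver_ihl >> 4, ip_src=fmt_ipv4(saddr), ip_dst=fmt_ipv4(daddr),
               ip_ttl=ttl, ip_proto=proto,
               ip_checksum_ok=ip_checksum(frame[14:14 + ihl]) == 0)
    if proto != IPPROTO_TCP:
        return pkt

    tcp_start = 14 + ihl
    sport, dport, seq, ack, off_flags, window = struct.unpack(
        ">HHIIHH", frame[tcp_start:tcp_start + 16])
    data_off = (off_flags >> 12) * 4         # TCP header length in bytes
    flags = off_flags & 0x01FF
    pkt.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack,
               tcp_window=window,
               tcp_flags=[name for bit, name in TCP_FLAG_NAMES.items() if flags & bit],
               payload=frame[tcp_start + data_off:14 + total_len])
    return pkt

def capture(interface: str, count: int = 10):
    """Read `count` frames from a Linux interface (needs root) and decode each one."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        s.bind((interface, 0))
        for _ in range(count):
            frame, _addr = s.recvfrom(65535)
            yield decode_frame(frame)

if __name__ == "__main__":
    for key, value in decode_frame(SAMPLE_FRAME).items():
        print(f"{key:16} {value}")
```

Swap `SAMPLE_FRAME` for `capture("eth0")` and you have the skeleton of a sniffer; everything a commercial analyzer adds on top (reassembly, hundreds of dissectors) is the same exercise repeated per RFC.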
Sunday, June 29, 2008
Why Banks Won't Follow Blizzard And Offer Security Tokens
Isn't it kind of funny when an online game has better security than most banks?
- Errata Security
If Blizzard is able to offer One Time Password Tokens for an MMORPG platform, then there is no longer a reason why your financial institute doesn’t offer the same.
- un-excogitate.org
I agree with the sentiment but I wanted to start a conversation regarding why you won't be seeing these tokens in the mail from your bank any time soon. The reason most banks, e-commerce sites, and even corporate VPN connections aren't protected by two-factor authentication comes down to a few things:
- cost: additional cost to the customer, shipping, inventory, infrastructure, licensing, staff, overhead, etc.
- complexity: dealing with lost tokens, mistyped numbers causing locked accounts, countless help desk calls, etc. If you are locked out of your WoW account you can't play a game; when you are locked out of your bank account you can't pay bills, transfer funds, check your balance, etc. Simply put, the risk of inconveniencing customers weighs more heavily with a bank than the benefit of stronger authentication.
- motive: Blizzard is providing these tokens to help secure customers' accounts, but also to further secure their future revenue stream and to combat piracy and cheating; in short, it makes business sense. Banks don't typically suffer very much if a customer account is breached, as they very rarely take the hit themselves but instead either insure against the loss (federally or privately) or simply pass the costs on to customers.
Perhaps there needs to be an OpenID style system of purchasing a security token that is centrally managed and can be accessed by multiple businesses. Verisign was demonstrating that very technology at the RSA conference this year. But until the technology becomes ubiquitous and cheap keep your passwords strong and your cookies safe.
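For readers who have never looked inside one of these tokens: the Blizzard device and most bank tokens are one-time-password generators keyed with a secret the server also holds. The added example below (mine, not from either site quoted above) implements the event-based variant, HOTP from RFC 4226, together with the server-side bookkeeping behind the "complexity" bullet: a look-ahead window so a token whose counter has drifted (button pressed without logging in) still works, replay rejection, and a lockout after repeated bad codes. The secret is the RFC's own test-vector key; `TokenRecord`, `verify_otp`, and the window and lockout sizes are my names and choices, not anything Blizzard or a bank publishes.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class TokenRecord:
    """What the server keeps per enrolled token (hypothetical schema)."""
    secret: bytes
    counter: int = 0        # next counter value the server expects
    failures: int = 0
    locked: bool = False

LOOK_AHEAD = 5              # how far the token may drift ahead before a help-desk resync
MAX_FAILURES = 3            # consecutive bad codes before the account locks

def verify_otp(rec: TokenRecord, submitted: str) -> bool:
    """Accept a code only if it matches one of the next LOOK_AHEAD counters.
    On success the counter jumps past the used value, so the same code cannot be replayed."""
    if rec.locked:
        return False
    for c in range(rec.counter, rec.counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(rec.secret, c), submitted):
            rec.counter = c + 1
            rec.failures = 0
            return True
    rec.failures += 1
    if rec.failures >= MAX_FAILURES:
        rec.locked = True   # this is the help-desk call the post is talking about
    return False

RFC4226_KEY = b"12345678901234567890"   # test-vector secret from RFC 4226, appendix D

if __name__ == "__main__":
    rec = TokenRecord(RFC4226_KEY)
    for c in range(3):
        print(c, hotp(RFC4226_KEY, c))                  # 755224 287082 359152
    print(verify_otp(rec, hotp(RFC4226_KEY, 2)))        # True: drifted to 2, inside the window
    print(verify_otp(rec, hotp(RFC4226_KEY, 2)))        # False: replay
```

Every knob in `verify_otp` is a cost the post lists: a wider window is friendlier but gives a guesser more targets, a smaller `MAX_FAILURES` stops guessing but generates lockouts and calls, and a token that drifts past the window needs a resync procedure staffed by people.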
Saturday, June 28, 2008
YAR! IANA & ICANN Get Hijacked By Turkish Pirates

The net is abuzz about how ICANN & IANA were redirected for a short time on Friday. The Turkish hacker group NetDevilz posted the following message on icann.com, icann.net, iana.com, and iana-servers.com:
“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :)”
The hackers aren't saying how they pulled off the attack, but the smart money is on some form of code injection. I can't imagine why every Internet-facing site isn't scanned daily for SQL Injection, XSS, CSRF, and similar vulnerabilities.
The reason we (the good guys) should be scanning daily is that they (the bad guys) are already running the scans and will pounce within seconds of spotting a soft spot.
The administrators got the sites back online within 20 minutes, but imagine if the hackers hadn't publicly exposed the hack and had instead quietly started delivering malware or altering data. Scary stuff when it comes to organizations that manage the Internet's core infrastructure (routing & DNS).
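Since the post singles out SQL injection as the likely way in, here is an added example (mine; nothing is known about the ICANN/IANA method, which the attackers did not disclose) of the defect a daily scan is meant to catch. `login_vulnerable` splices the username into the query text; `login_safe` binds it as a parameter. Passwords are stored as salted PBKDF2 hashes, so a plain `' OR '1'='1` would not get past the hash check; instead the attacker appends a `UNION SELECT` that returns a salt and hash of their own choosing, which the vulnerable code then verifies and accepts. It runs against an in-memory SQLite database holding one constructed user.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 50_000

def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()

def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt.hex(), hash_password(password, salt)))

def make_db() -> sqlite3.Connection:
    """In-memory user store with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt TEXT NOT NULL, pw_hash TEXT NOT NULL)")
    add_user(conn, "admin", "correct horse battery staple")
    return conn

def _check(row, password: str) -> bool:
    """Verify the submitted password against whatever (salt, hash) row the query returned."""
    if row is None:
        return False
    salt_hex, stored = row
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

def login_vulnerable(conn, username: str, password: str) -> bool:
    # BAD: the attacker-controlled username becomes part of the SQL statement itself.
    query = f"SELECT salt, pw_hash FROM users WHERE username = '{username}'"
    return _check(conn.execute(query).fetchone(), password)

def login_safe(conn, username: str, password: str) -> bool:
    # GOOD: the driver passes the value separately; quotes and UNION are just characters.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return _check(row, password)

def union_payload(attacker_password: str) -> str:
    """A 'username' that makes the vulnerable query return attacker-chosen credentials.
    The attacker picks the salt, so they can precompute a hash that matches their password."""
    salt = bytes(16)
    return (f"nobody' UNION SELECT '{salt.hex()}', "
            f"'{hash_password(attacker_password, salt)}' --")

if __name__ == "__main__":
    db = make_db()
    payload = union_payload("letmein")
    print("vulnerable login:", login_vulnerable(db, payload, "letmein"))   # True
    print("safe login:      ", login_safe(db, payload, "letmein"))         # False
```

Note what the scanner would actually see: the vulnerable endpoint behaves differently for `admin'` and `admin''` (a syntax error versus a normal failed login), and that difference is the whole signal an automated scan needs.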
Labels:
breach,
exploit,
hacking,
networking,
security,
vulnerability
Friday, June 27, 2008
Outsourced Call Centers + Security = !Sleep
An article over at Dark Reading entitled Hacking the Call Center got me thinking about some of the issues I have discovered with outsourcing call centers. I have written about one such issue here. I have found that business units assume that the call center keeps their data separate and that every customer is handled on separate systems. Nothing could be farther from the truth.
When you outsource call centers you may have your own phone numbers, assigned operators, and perhaps even a dedicated information system for tracking data. Let's assume the best-case scenario: how does the data travel to your "dedicated" server? Over their shared infrastructure? Yes! Now now, I know what you're about to say... "they could just put those operators on a separate VLAN, problem solved." Typically that would mean one of three scenarios:
- The phone and computer systems are set up to change VLANs dynamically on the fly, since operator desks are not "fixed" and often need to handle calls for more than one client (operators work in shifts, and the person after you may get calls for a different client).
- They create a separate infrastructure for each client which is:
- expensive, which would decrease the call centers economies of scale
- inefficient, if a client doesn't get calls on the weekend those cubes sit idle
- They use VMs, Citrix, or some other virtual desktop environment, which is expensive and difficult to maintain.
So how do we solve some of these problems?
- First and foremost, only contract with providers that are (and can prove they are) compliant with standards such as PCI DSS.
- Second, purchase (or write) software that encrypts all data as it hits the disk or goes into the database. Make sure you have key management processes in place so that only your organization can see the data.
- Third, either have the operators hit the audio kill button during credit card transactions or have software that scrubs card numbers and similar data from recordings and transcripts as they are saved to the archive.
- Fourth, don't be afraid to send some auditors down to the location and verify that your security standards and policies are being followed. Providers will only care about your data and security standards if you make them.
Labels:
architecture,
credit cards,
data loss,
Information technology,
pci,
security
Wednesday, June 25, 2008
WiFi : Coming to a plane near you
There were tons of stories today regarding wireless broadband becoming available on an American Airlines flight tomorrow. I can't go into particulars regarding the service, but think of it like a flying Starbucks/hotel hotspot/portal. It will be AA branded and allow access to aa.com and other travel-related sites such as Frommer's, but otherwise it will be completely owned and operated by Aircell. More information regarding this service can be found in Aircell's press release.
Tuesday, June 24, 2008
Another article explaining why DLP is not a panacea for data loss
Great article over at Network World that sums up what I've been saying to anyone who'll listen to me: DLP and similar endeavors are ultimately doomed to fail because it is corporate culture that determines how data is handled. We can scan email, put application firewalls in place, deploy DLP all the way down to the desktop, and we still can't prevent the employee from taking a picture with their camera or sending an MMS or SMS message with corporate secrets nestled inside. And since the court ruling stating that SMS and MMS are off limits without a court order, there is no way to monitor them other than confiscating mobile phones as people walk in the door (that'll play well in the corner offices, right?).
Ultimately, DLP will fail because enterprises will spend gobs of money deploying complex solutions, information will still leak, the article on page 1 of the Wall Street Journal will follow, the CIO will call the CISO into his office, WTF?!?! will ensue, heads roll, etc... DLP will have its place in the enterprise to catch the "oops" factor, but there needs to be a healthy dose of expectations management that comes with any data loss solution. If you want a bit more of a take on my DLP ideas, see my earlier post titled "Oops I Leaked My Data."
Labels:
architecture,
business,
data loss,
networking,
security
Monday, June 23, 2008
Information Security Around The House : Part 1 : IDS/IPS
This is the first in an ongoing series that will highlight how you can deploy information security solutions with everyday objects lying around the house. I will focus on technologies that aren't just for the enterprise and concepts that are important in information security today. I hope you enjoy.
Sunday, June 22, 2008
Amazon reader reviews of $500 ethernet cable are almost as funny as the price
This post isn't security related but since I used to terminate CAT 5/6 cables by the spool I thought I would share something hilarious I read on Boing Boing. I happened upon this post that linked to an Amazon.com product page for the Denon AKDL1 Dedicated Link Cable that costs... wait for it... $499.00 USD!!! The price alone made me crack up (and cry for those poor hapless souls that pay that much for an ethernet cable) but it's the reviews on that page that really made an impression. To sample just a few:
"A caution to people buying these: if you do not follow the "directional markings" on the cables, your music will play backwards. Please check that before mentioning it in your reviews."
"I only gave it four stars in my review because I can't find music that is worthy enough to flow through this utterly perfect interconnect."
"Don't buy these cables. Gold and silver are not good enough. If you're a serious audiophile, superconducting cuprate-perovskite ceramic materials cooled to 60 kelvin are what you're after."
I would love to add a snarky comment but this commenter says it all:
"You people shouldn't make posts like this when I'm drinking tea...wiping it off my monitor is no fun, especially in the fourth dimension."
Tuesday, June 17, 2008
RE: EU decides to keep ineffective agency around to watch pwnage
I received this comment from Security4All (sorry, I don't know his/her name) in response to my post regarding ENISA being extended for another four years.
Blogger Security4all said...
Of course, everybody is entitled to have his own opinion but yours seems a bit harsh. I think ENISA did some good work, but if you can only 'advise' and not 'make' people/corporations do anything different, true, it may not seem efficient. What improvements do you suggest we make?
I meant the post to be a bit more tongue-in-cheek than it appeared. I don't have anything against ENISA itself and think that coordination and education between entities is very important. That being said, I think the idea of the government trying to insert itself into Internet security is an expensive, disruptive, and ultimately futile effort. You cannot secure something you don't control and you cannot force action without true authority, which this body does not have. I would suggest that the ENISA regulation (Regulation (EC) No 460/2004) be tweaked to give ENISA a bit more control over collaborative controls and standards, which are currently deemed to be out of scope for ENISA and solely in the hands of the member countries. But alas, I understand the wheels of bureaucracy turn very slowly, and ultimately I applaud the EU for forming the Agency. I will post a follow-up article featuring ENISA and comparing it to the confusing assortment of regulatory and advisory bodies we have here in the US.
Labels:
bureaucracy,
government,
politics,
security
Sunday, June 15, 2008
URL Truncation
I know that this topic has been discussed ad nauseam in the past but I believe the more risks are discussed the better. So I humbly present some dead-horse beating for your reading pleasure.
I have been spending a bit of time on Twitter lately and have noticed that to save space (you are limited to 140-character messages) people use services such as TinyURL that truncate long URL strings into very short (22 characters or so) ones. The benefits are obvious, since some links can be rather lengthy and would eat up any message you wanted to add to the tweet. I myself have used it many times to send out links to blog posts, news, downloads, etc. The problem is that there is no way for the "clicker" to know that they are going to the website they think they are: the shortener's redirect is the only link between the short name and the destination, and the clicker sees neither the destination host nor the scheme until the browser has already followed it. So when I click on http://tinyurl.com/18r I may be going to about:blank or I may be going to a site hosting malicious JavaScript, exposing me to cross-site scripting attacks, cross-site referrer forging, et al.
Unfortunately I don't see any fix for the problem, since URL truncation is a very handy and sometimes necessary tool for communicating effectively. My defense? I run Firefox loaded with the NoScript, SafeHistory, and SafeCache extensions. I also only click on short URL links from people I know and trust. So ultimately we are back to following the same advice security folks have been doling out since the 90's... The more things change the more they stay the same.
P.S. - I will be tweeting this post via TinyURL... oh the irony! :)
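The one defensive step the post does not mention is to look at where a short link goes before following it. The added example below (mine, not the post's) does that: `expand()` issues HEAD requests without following redirects and records each Location hop, stopping at the first non-redirect response, refusing any non-http(s) scheme (javascript:, data:, file:) and giving up after a hop limit, so a hostile link can neither loop the resolver nor hand it something a browser would execute. The fetch function is injectable: `http_head` is the real-network version, and `fake_fetch` serves a constructed redirect chain with invented hostnames so the code runs offline.

```python
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so that we see every hop ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_head(url: str):
    """One HEAD request over the real network; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx lands here once redirects are disabled
        return err.code, err.headers.get("Location")

def expand(url: str, fetch=http_head, max_hops: int = MAX_HOPS) -> list:
    """Return the redirect chain starting at `url`, ending at the first non-redirect."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urllib.parse.urljoin(chain[-1], location)   # Location may be relative
        scheme = urllib.parse.urlsplit(nxt).scheme.lower()
        if scheme not in ("http", "https"):
            raise ValueError(f"refusing to follow {scheme!r} redirect to {nxt}")
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")

def final_host(url: str, fetch=http_head) -> str:
    """The hostname the user would actually land on: the thing worth showing before a click."""
    return urllib.parse.urlsplit(expand(url, fetch)[-1]).hostname

# Constructed redirect chain standing in for a shortener; the hostnames are invented.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "https://go.example/r?id=7"),
    "https://go.example/r?id=7": (302, "/landing"),          # relative Location header
    "https://go.example/landing": (200, None),
    "http://short.example/evil": (302, "javascript:alert(1)"),
    "http://short.example/loop": (302, "http://short.example/loop"),
}

def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (404, None))

if __name__ == "__main__":
    print(expand("http://short.example/abc", fake_fetch))
    print(final_host("http://short.example/abc", fake_fetch))   # go.example
```

Two caveats a practitioner should keep in mind: a HEAD may be answered differently from a GET by a shortener that fingerprints clients, and a destination can itself redirect by JavaScript or a meta refresh, which no HTTP-level check will see. It still turns "I have no idea where this goes" into "it goes to go.example", which is what the click decision needs.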
Friday, June 13, 2008
EU decides to keep ineffective agency around to watch pwnage
From the "We Gotta Look Like We're Doing Something" Desk. The EU is keeping ENISA around for another three years to keep an eye on the networks in Europe and to answer questions as entire countries are crippled (Estonia, where you at?) by DDoS attacks while hacking, pirating, phishing, etc. go on unfettered. What we can expect from ENISA is more great quotes like "The need for secure networks, systems and services will certainly not suddenly disappear in 2012," from Andrea Pirotti, the Executive Director of ENISA. Well said sir, well said. I feel safer already... until 2012 that is.
Labels:
funny,
government,
humor,
politics,
security
Tuesday, June 10, 2008
Is Google Making Us Stupid?
Not security related, but a very interesting article by Nicholas Carr in the July/August issue of the Atlantic Monthly. I have noticed over the past six or seven years that my ability to finish a book (or even a chapter, for that matter) without skimming has diminished somewhat. Try as I might to read an actual book, I can't seem to get through the whole thing without skipping words, paragraphs, even a page or two...
At least that was my initial thought about the article.
I never did finish reading it. ;-)
Monday, June 9, 2008
PCI DSS OMG WTF of the Day
Credit card numbers that are transcribed from speech (phone calls). So "1234 5678 9012 3456" would be "one two three four five six seven eight nine zero one two three four five six." It would be stored as part of an entire conversation, so field-level encryption isn't possible and encrypting the entire database is too expensive. What's a boy to do? Since I didn't have time to get guidance from our bank (they want to go live ASAP) I asked if we could stop transcribing after ten (10) consecutive digits. That way we capture other numeric information such as times, dates, phone numbers, etc. but stop short of capturing credit card numbers. The vendor seemed willing to do it since they already have similar decision-based processing rules that are used during transcription. Remember the PCI adage: No PAN, No Problem!
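Here is an added example (mine, not the vendor's rule engine and not from either post) that implements both the ten-digit cutoff above and the "perform hygiene on the data as it is saved to archive" item from the call center post. `truncate_digit_runs` is the cutoff: it keeps at most ten consecutive spoken digits, so a 16-digit card number can never be written down while a 10-digit US phone number survives intact. `redact_pans` is the after-the-fact scrub for transcripts that were already captured: it turns spoken digit words into digits, looks for a 13-19 digit window that passes the Luhn check every PAN satisfies, and replaces it, keeping only the last four digits, which PCI DSS allows to be displayed. The transcript is constructed and uses the well-known Visa test number 4111 1111 1111 1111.

```python
DIGIT_WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
               "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, as does about 1 in 10 random digit strings,
    so this narrows the search rather than proving a run is a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _as_digit(token: str):
    return DIGIT_WORDS.get(token.lower().strip(".,;:"))

def digit_runs(tokens):
    """Yield (start, end) of each maximal run of spoken digits, e.g. 'four one one ... one'."""
    i = 0
    while i < len(tokens):
        if _as_digit(tokens[i]) is None:
            i += 1
            continue
        j = i
        while j < len(tokens) and _as_digit(tokens[j]) is not None:
            j += 1
        yield i, j
        i = j

def find_pan(digits: str):
    """First Luhn-valid window of 13-19 digits inside a digit string, longest windows first."""
    for length in range(19, 12, -1):
        for s in range(len(digits) - length + 1):
            if luhn_ok(digits[s:s + length]):
                return s, s + length
    return None

def redact_pans(transcript: str) -> str:
    """Archive hygiene: replace any spoken PAN, keeping only its last four digits."""
    tokens = transcript.split()
    for start, end in reversed(list(digit_runs(tokens))):   # reversed so earlier indices stay valid
        digits = "".join(_as_digit(t) for t in tokens[start:end])
        hit = find_pan(digits)
        if hit:
            s, e = hit                                       # one token per digit, so indices line up
            tokens[start + s:start + e] = [f"[PAN-REDACTED-ending-{digits[e - 4:e]}]"]
    return " ".join(tokens)

def truncate_digit_runs(transcript: str, limit: int = 10) -> str:
    """The post's rule: never transcribe more than `limit` consecutive spoken digits."""
    tokens = transcript.split()
    for start, end in reversed(list(digit_runs(tokens))):
        if end - start > limit:
            tokens[start + limit:end] = ["[digits-dropped]"]
    return " ".join(tokens)

# Constructed transcript: a 16-digit test PAN, an expiry date, and a 10-digit phone number.
SAMPLE = ("caller says the card is four one one one one one one one one one one one one one one one "
          "expiring zero nine one two and the callback number is two one two five five five zero one nine nine")

if __name__ == "__main__":
    print(truncate_digit_runs(SAMPLE))
    print(redact_pans(SAMPLE))
```

The two functions compose: run the cutoff at transcription time and the scrub over the existing archive, and `redact_pans(truncate_digit_runs(text))` changes nothing, which is the property you want to be able to show an assessor.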
Labels:
architecture,
credit cards,
pci,
security
Sunday, June 8, 2008
Old School ARP Spoofin'
Surprise ARP attack draws attention - Network World
The Metasploit site was affected by an ARP spoofing attack that shunted traffic to a defaced server on the same VLAN within a hosted environment. This hack shows the inherent weakness in the hosted model: ARP has no authentication, so any box on the same broadcast domain can claim the gateway's (or a neighbor's) IP address, and every host that believes it will send its traffic there. Eventually network and server virtualization will (hopefully) negate most of these older attacks since providers won't have to stuff 200+ servers into a single VLAN. Of course we will introduce all kinds of new problems (as yet unknown) with virtualization, but I'll take those new problems over these old ones.
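Added example (mine, not Metasploit's or Network World's) showing both halves of what the article describes: what a spoofed ARP reply looks like on the wire, and the simplest detection a host or a sensor on the same VLAN can run. Because replies are unauthenticated, the monitor just remembers which MAC last claimed each IP and alerts when a different MAC claims it, and also when the Ethernet source address disagrees with the sender MAC inside the ARP payload. The three frames are constructed inline (a request, the real gateway's reply, and an attacker's reply for the gateway's IP); the MAC and IP values are made up, and `ArpMonitor` is my own name.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip, eth_src=None) -> bytes:
    """Build an Ethernet II + ARP (RFC 826) frame. eth_src defaults to sender_mac."""
    eth_src = eth_src or sender_mac
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == ARP_REQUEST else target_mac
    eth = struct.pack(">6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack(">HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp

def decode_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not ARP over Ethernet/IPv4."""
    _eth_dst, eth_src, ethertype = struct.unpack(">6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ">HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": fmt_mac(eth_src), "oper": oper, "sha": fmt_mac(sha),
            "spa": fmt_ip(spa), "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}

class ArpMonitor:
    """Passive ARP watcher: learns IP->MAC from replies and alerts when a binding changes."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})   # pre-seed with the gateway's real MAC if you know it
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = decode_arp(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            return None                   # only replies create bindings
        ip, mac = pkt["spa"], pkt["sha"]
        alert = None
        if pkt["eth_src"] != mac:
            alert = f"{ip}: ARP says sender is {mac} but frame came from {pkt['eth_src']}"
        elif ip in self.table and self.table[ip] != mac:
            alert = f"{ip}: was {self.table[ip]}, now claimed by {mac}"   # keep the old binding
        else:
            self.table[ip] = mac
        if alert:
            self.alerts.append(alert)
        return alert

def run_monitor(frames, pinned=None) -> list:
    mon = ArpMonitor(pinned)
    for frame in frames:
        mon.observe(frame)
    return mon.alerts

# Constructed traffic: victim asks for the gateway, gateway answers, attacker answers too.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:00:5e:00:01:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.42", "00:1a:2b:3c:4d:5e"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # the spoof
]

if __name__ == "__main__":
    for line in run_monitor(SAMPLE_FRAMES):
        print("ALERT", line)
```

The monitor is deliberately dumb: it cannot tell a spoof from a legitimate gateway failover, so in practice you pin the addresses that matter (the gateway, the DNS servers) and treat any change to those as an incident. Static ARP entries on the hosts, or ARP inspection on the switch, close the hole rather than merely reporting it.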
Labels:
breach,
exploit,
hacking,
networking,
security,
vulnerability
Big Brother Loves You and is in Seat 27B
Airlines may be forced to fit antiterror cameras in seats - Times Online
I am no conspiracy theorist and I am certainly less paranoid than the typical information security professional but this one has me concerned on several fronts. First and foremost is what the architecture of such a beast would look like.
Who will pay?
According to the article the EU will expect the carriers to pay for these new systems. I can't see how the airlines, with their non-existent profit margins and rising costs, will be able to afford to design, deploy, and maintain these cameras and the communication gear needed to send the images to the terrestrial "mothership." I will assume the data will travel through an encrypted (SSL or IPsec) tunnel via either satellites or terrestrial cellular towers. Streaming video over either will be extremely expensive.
Who will be watching?
If this idea gathers momentum and is also mandated here in the US I can envision the TSA having jurisdiction and ownership of the systems involved in the processing of the video streams. In Europe jurisdiction will become a major concern. As the plane passes over international boundaries, where will this information go? Will the country of departure be watching the whole time? What about the country of termination? How about the countries between the departure and termination airports? What are the ramifications for countries that do not have similar statutes? Will a destination country that has this regulation allow an airplane from a non-participating departure country to land? For instance, if country A has a law mandating cameras and country B does not, will an airliner from country B be allowed to land at or take off from country A?
What's the point?
Quite honestly, this is the one that baffles me the most. This is very obviously what Bruce Schneier calls "Security Theater" and will have no real impact on our actual safety levels. I would hate to think that if I am coming back from a vacation sporting a nice tan and beard that the fact that I am sweating a bit and looking around nervously would mean anything more than the fact that I have a bit of gas but don't want to pollute the main cabin. I am not as concerned about the issue of privacy (you are of course in a public space and shouldn't have any expectation of privacy) but the idea of "big brother" watching me as I mouth the words to my favorite song or pick my nose when no(human)body is watching creeps me out to no end.
My hope is that this is one of those ideas that is floated around to see if the public has the stomach for such a program. If not, my fear is that airline tickets will get even more expensive, we will be a little closer to a surveillance state, and in the end we will be no safer.
Labels:
airlines,
government,
politics,
security