Friday, November 22, 2013

Reputation.com responds to Adobe breach, bravo!

Reputation.com emailed account holders on November 22nd, saying the following:

(I apologize, they don't have this on their website or I'd link to it, so you'll just have to take my word for it.)
"We recently learned that a list that potentially contains email addresses, encrypted passwords and answers for security questions for Adobe Systems customer accounts has been published in numerous places on the Internet. Out of an abundance of caution and concern for our customers, we obtained a copy of this list of purported Adobe account information and cross-checked it against our customer account information.
You are receiving this email from us because your email address and possibly other compromising information is on this list. Because many customers use the same user names and passwords for multiple accounts, we wanted to alert you to this issue and remind you to log in and change your Reputation.com password if you believe it is the same as your Adobe account login information."
This is a great move from Reputation.com. They took a problem that wasn't theirs, one that affected a significant number of people, and considered what it meant to their customer base. Based on that they took a risk, but did the right thing: they emailed their customers with their concern and recommended that they improve their security and change their passwords. This has the likely effect of reducing Reputation.com's account compromise issues, improving the customer experience and also reducing their customer support overhead.

Overall, a great idea, and so trivial to execute.
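How trivial? The cross-check itself is a set intersection on normalized email addresses. The Python below is an added example, not Reputation.com's code: the leaked rows and the customer table are constructed here, and the column layout of the dump (email first) is an assumption. It reduces the dump to fingerprints of the normalized addresses in a single pass, so the encrypted passwords and hints in the list never need to be loaded or retained.

```python
import csv
import hashlib
import io

# Constructed sample of a leaked list: email, encrypted password, password hint.
# The column layout is an assumption for this example; only the email is used.
LEAKED_CSV = """Alice.Smith@Example.com,Q2oXyzAbc==,dogs name
bob@example.org ,zz9plzLFzw==,
carol@example.net,AbCdEfGh==,usual one
"""

# Constructed customer accounts: user id -> email exactly as stored at signup.
CUSTOMERS = {
    101: "alice.smith@example.com",
    102: "dave@example.com",
    103: " Carol@Example.NET",
}


def normalize_email(addr: str) -> str:
    """Lowercase and trim so trivially different spellings compare equal."""
    return addr.strip().lower()


def email_fingerprint(addr: str) -> str:
    """SHA-256 of the normalized address. Keeping a set of these instead of
    the raw dump means the passwords and hints in the list are never retained."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def fingerprints_from_leak(leak_text: str) -> set[str]:
    """Single pass over the leaked list, keeping only email fingerprints."""
    fps = set()
    for row in csv.reader(io.StringIO(leak_text)):
        if row and row[0].strip():
            fps.add(email_fingerprint(row[0]))
    return fps


def customers_to_notify(customers: dict[int, str], leak_fps: set[str]) -> list[int]:
    """User ids whose email fingerprint appears in the leak, sorted for a stable mail run."""
    return sorted(uid for uid, email in customers.items()
                  if email_fingerprint(email) in leak_fps)


if __name__ == "__main__":
    hits = customers_to_notify(CUSTOMERS, fingerprints_from_leak(LEAKED_CSV))
    print("notify user ids:", hits)
```

Normalization here is deliberately minimal (case and surrounding whitespace). Anything provider-specific, such as treating dots or plus-suffixes in the local part as equivalent, widens the match and is a decision to make consciously rather than by default.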

Bravo.

Tuesday, November 5, 2013

Epic hack on a Limo Service broker(?)

http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/

(I think they're a broker for other local services.)

This is an epic hack, really. A treasure trove of information, from the who's who on the national and international stage. Key facets of the hack:

  1. 241,000 high- or no-limit American Express cards with expiration dates. High value in the underground card number sales markets.
  2. Travel schedules for national/international figures. Very interesting for some.
  3. Sometimes, companion information for national/international figures. Interesting or very interesting for some as well.
  4. Personal details about national/international figures, like Donald Trump wanting/needing a clear front seat (for a bodyguard or what?), or an alias people use when getting picked up.

The credit card numbers are a very impressive haul. Not so great for this company's PCI compliance, or American Express. Wonder if the business will stay afloat. This is a small organization, I'm assuming. One that has entered into the world of online payment processing and application development (with ColdFusion). In this case, making money took precedence over security of the platform, or the data...and they are paying for that decision.

Saturday, October 26, 2013

ST:TNG S4E3: Brothers, "private key" holds up over time, I think

Here's some Saturday morning fun.

I ran across a snippet of Star Trek: The Next Generation that is fun from a security perspective. In Season 4, Episode 3, titled "Brothers" (YouTube), Data takes (technical) control of the Enterprise at the start of the episode and hurtles the ship and crew across the galaxy at warp 9.3 to some unknown destination. To do this, he has prevented others from taking the ship back. (Sounds like a hacker, doesn't it?) Data has impersonated Picard and made sure all capabilities to enter new commands are restricted.

Here's the dialog:

Data (impersonating Picard): Computer, establish a security code for access to all functions previously transferred to bridge.
Computer: Enter code.
Data (impersonating Picard): 17346721476C3278977763T732V 731171888732476789764376 lock 

Looking at this, I was curious whether this code was sufficiently long to protect what Data wanted to do in this situation. After all, the NCC-1701-D was built in the 24th century (2364 is where the ST:TNG series started). They must have had significantly faster computers by then.

So, some math. The code uses the 10 digits plus letters with no distinction between upper and lower case, so 36 possible characters. The security code was 51 characters long (the space and the trailing "lock" that closes the command don't count).
  • 10 + 26 = 36 possible options 
  • 51 characters long 
  • Possible combinations: 36^51 ≈ 2.351947044600255e+79
  • Or: 23,519,470,446,002,552,619,480,849,617,690,081,539,337,173,577,026,375,375,550,590,789,301,897,093,185,536

So, how long would it take a 24th-century computer to crack this code by brute force (on average)? Well, we don't know, because ST:TNG used a fictional computing measurement called quads, so there will be a gap in our assessment. Here's how it lays out given our current way of thinking about computing power, using GRC's Password Haystacks tool:


So...we find out it would take 76.92 million trillion trillion trillion trillion centuries to search the entire space for this password, assuming we could make 100,000,000,000,000 guesses per second. On average we'd halve that, but that's still a lot of time. I'd say Data has a chance at success in locking the crew out from taking back the ship!
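The same numbers, redone in Python as an added example (this is not code from the original post). It infers the character classes the way Haystack does, from what actually appears in the code, and computes both the exact-length space quoted above and the exhaustive space of every length up to 51, which is what an attacker who does not know the length has to cover. The guessing rate and the century length are assumptions stated in the code; the result lands in the same ballpark as the Haystack figure, the small difference coming from those assumptions and rounding.

```python
import string

# The security code from the episode, as transcribed in the post, with the
# space removed and the trailing "lock" left off (it closes the command).
DATA_CODE = "17346721476C3278977763T732V" "731171888732476789764376"

# Character classes, Haystack-style: a whole class counts once any member
# appears in the code. Only digits and uppercase appear here, so 10 + 26 = 36.
CLASSES = (
    string.digits,            # 10
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.punctuation,       # 32 (assumed symbol set; tools differ on this)
)

GUESSES_PER_SECOND = 10**14                  # assumption: 100 trillion per second
SECONDS_PER_CENTURY = 100 * 365.25 * 86400   # assumption: Julian century


def alphabet_size(code: str) -> int:
    """Sum of the sizes of every class that has at least one member in the code."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in code))


def exact_length_space(code: str) -> int:
    """Number of codes of exactly this length over the inferred alphabet."""
    return alphabet_size(code) ** len(code)


def exhaustive_space(code: str) -> int:
    """All codes of length 1..len(code): what a brute-forcer that does not
    know the length must cover. Slightly larger than the exact-length space."""
    n = alphabet_size(code)
    return sum(n ** k for k in range(1, len(code) + 1))


def centuries_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case, i.e. the entire space; the expected case is half of this."""
    return space / rate / SECONDS_PER_CENTURY


if __name__ == "__main__":
    print(len(DATA_CODE), "characters over an alphabet of", alphabet_size(DATA_CODE))
    print(f"exact-length space:   {exact_length_space(DATA_CODE):.4e}")
    print(f"exhaustive space:     {exhaustive_space(DATA_CODE):.4e}")
    print(f"centuries to exhaust: {centuries_to_exhaust(exhaustive_space(DATA_CODE)):.4e}")
```

Python integers are arbitrary precision, so the 80-digit search space is computed exactly; only the final time estimate is a float.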

And, if they had additional controls over guessing, like monitoring for failed attempts and time delays for additional guesses, he'd be good to go. Data would have little fear of the silly crew with their computer trying to guess the code in any reasonable time.

We find out later that he was summoned by his father/builder/creator with a homing beacon, as his father's death is imminent. In the end, the show implies his dad passes on, and his unstable android brother Lore is back on the loose, with the custom emotion chip their father built for Data installed in Lore's brain.

Good fun!
Chris

Monday, June 17, 2013

Apple's iOS7 features good, but timing shameful...

(Full disclosure, I have an iPhone.)

Apple recently announced that they're going to add three features to try to make their phones and tablets less attractive to thieves. iOS7 will force you to re-enter your Apple ID to:

  1. erase data
  2. turn off Find My iPhone
  3. reactivate the phone after it has been erased remotely

I'd contend that Apple's long-coveted iPhone actually created this smartphone theft problem in the first place. Prior to everyone wanting the "cool smartphone", phone theft occurred, but it wasn't at the same scale. Once the Apple marketing machine kicked in and the iPhone/2/3/3GS/4/4S/5 came out and Apple fanboys and fangirls were acting snobbish about how superior their phone was to everything else on the market, people needed to have them. Those that are less scrupulous would then find ways to steal others' devices.

While I applaud the addition of these features by default, there is nothing preventing them from including these features now. You don't need a wholesale OS upgrade to get these features. Apple should have turned this on years ago, and we should not praise them for turning this on now. They could have helped to fix this problem any day of any week of any month for the last several years. I can only theorize why they haven't. Could it be that they were letting thieving and the drama that goes along with it help to drive up demand for their prized, and significantly profitable, devices?

One can only theorize...

In the meantime, read up on the Prey Project, and how you can activate some of these features on your phone today, like asking for an Apple ID to remove programs: http://preyproject.com/blog/2013/04/tip-stop-prey-from-being-deleted-on-iphone-ipad

Chris

Tuesday, May 7, 2013

New Security Awareness Video: Learn about Cloud Security

SANS just posted a new video aimed at educating your workforce on "the cloud" and how they should interact with and secure data kept with cloud service providers, whether those providers offer storage, applications or other services.

I think it did a pretty good job, in layman's terms for business users, of explaining what "cloud" is and how to think about managing access for cloud services.

The video is here: http://www.securingthehuman.org/resources/ncsam


Friday, May 3, 2013

"Thinking Long Term can be Short Sighted"

I've been on a kick lately about getting the fundamentals down pat before devoting significant time to advanced thinking and processes. I admit that it is very tactical, which most people don't think is that sexy. The problem is that if we only focus on the sexy, new, advanced things, we lose sight of getting the bread-n-butter security things done: the things that provide 80% of the value of the team to the organization, like effective security monitoring, application security risk assessments and compliance programs. These need to be solid before we get into things that may provide value but are incremental improvements, not wholesale capabilities.

LinkedIn: Thinking Long Term Can be Short Sighted

Image credit: msittig, http://www.flickr.com/photos/msittig/2513955691/, cc


Monday, April 22, 2013

Applications are like puppies!



As I talked about in another blog post (Hoarding: an organizational phenomenon), hoarding applications can lead to an overwhelming and oppressive IT environment for the staff and the organization.

I like analogies. Buying an application is a lot like owning a puppy to people who have never owned a puppy before.
  1. Everyone loves looking at a puppy (just like the business thinking about buying an application).
  2. Everyone loves looking at the puppy do things (or for applications, capabilities and demos).
  3. Everyone imagines having a puppy being full of Frisbee and cuddle time (or for applications, the business operating like a scene out of The Coca-Cola Happiness Factory).
  4. At this point, everyone that wants a puppy agrees that it would be great to own a puppy. I mean, look at that picture! Isn't that puppy cute? How could you not want a puppy!?
Committing to a puppy looks like only a short-term engagement. A puppy is only a puppy for a year, maybe. The reality is that you're truly committing to the full life cycle of a canine. Not only is your puppy a puppy, it will absolutely become a dog. It is inevitable. 

Applications have a similar life cycle. When you commit to the puppy of an application, while it is all cute and funny, you are also committing to the dog of an application, where you need to clean up after it and take it to the vet regularly: pay for maintenance and upkeep, including security updates. And eventually the dog gets old and you'll need to put it down, just like an old application.

See, applications are like puppies!

Chris

photo credit: Roozbeh Rokni via photopin cc

Thursday, April 18, 2013

Hoarding: the organizational phenomenon



Applications are a key part of the success of companies these days. An organization's ability to create new capabilities and deliver new products often lies in the ability to execute on delivering new services with applications. It makes sense that we have applications, and even many applications. I've been thinking lately about the cost of supporting applications and infrastructure. As a security leader, I'm frequently thinking about what it costs to protect the organization from known and unknown IT security threats. The most significant threat is probably those same applications we all implement and use in an organization to propel the business forward. 

I believe many organizations, and specifically leaders, have a bad habit of implementing things. I've inherited half-baked SIEM tool implementations 3 times now, for instance. Some organizations have processes to try to curb overall spend on IT implementations, as well as ROI calculators that help determine if a product is a good idea for the company to implement. Regardless of these processes, if leaders are not careful and intentional about product implementations, organizations become like the hoarders we see on reality TV shows on A&E or TLC. (Truth be told, I've watched a number of them. Hoarders: Buried Alive, for example.) 

Hoarders love to collect. Hoarders love to buy something, "own" it and bring it home. Organizations, meaning IT and the business, purchase and collect applications that feel (and maybe are) really valuable and really meaningful to the work that they perform. They are all beautiful and valuable when they're new to an organization. Leaders get credit for implementing new technology and enabling new capabilities in the organization. There is an all too common life cycle of products however:
  1. The teams implementing the product go from "fighting for it" (insert appropriate long pause for the typical long implementation here) to "it's implemented!" 
  2. Now the organization settles into a time where the operational teams are getting to know the product and working on operationalizing it: building processes, workflow, troubleshooting, etc. (some of this should have happened prior to implementation, for sure, but lots will happen after).
  3. At this point, it is "installed" and probably "operational". This product will sit in a portfolio of other applications that have been implemented and collected over the years. 
  4. Various teams pay various levels of attention to the now-old apps. So, over time, they sit and rot. They may be maintained...or not.
Hoarders are not good at assessing the value of something in relationship to what it costs to keep and maintain it. Eventually, you have a house full of things you've bought and nowhere to sit or sleep. In a company, the analog of running out of space is running out of budget. No organization can afford to keep every application going that they've purchased over the years, because:
  1. You may no longer have the budget to pay for the staff with the numerous and varied skills needed to maintain a diverse and sprawling application environment. 
  2. You may find that the vendors will no longer support the application versions you're running, security updates included.
  3. You may find that vendors are not willing to support the out-of-date core IT infrastructure that older platforms sit on.
  4. I, as an IT security function, will point out the effects of #2 and #3 on what is in the environment on a regular basis. 

Leaders are then forced to make a decision, which is a great thing. We need to consider what doesn't need to be maintained and can be removed from the environment. Unfortunately, leaders do not get much credit for dismantling old platforms. Sometimes they get credit for reducing overhead, but there's much more value than just reducing overhead. That is a culture problem that we need to change. Leaders should be rewarded for reducing complexity, reducing risk and reducing overhead. "A penny saved is a penny earned!" said Ben Franklin.

Unfortunately, we can't just call 1-800-Got-Junk and get rid of old applications. But I'd suggest some directions on which to base action: 
  1. create a threshold for purchasing applications that involves exposing the risks and fully loaded expenses for an application, and use that to slow down expense sprawl
  2. create standards for the business and IT to follow, and be diligent about growing and tending those standards to meet, and be predictive about, the organization's needs.
  3. make sure that the cost of maintaining systems is appropriately attributed to where in the organization that system/application supports the business.
  4. make decisions to consolidate like applications.
  5. make decisions to consolidate vendors.
  6. make decisions to simplify the infrastructure.
In the end, I think the primary information security concern about the environments we operate in can be boiled down to being intentional about what we put into the environment. Know what the risk and commitments are before you take action and implement. 

Chris

photo credit: canonsnapper via photopin cc

Friday, March 29, 2013

Mashable talks about InfoSec competition!

Mashable has a great little article that talks about the mature and growing trend of information security competitions. The beauty of these competitions is that they typically have both offensive and defensive elements. The offensive side plays "capture the flag", abbreviated as CTF in infosec culture, by trying to break in to systems and networks and discover bits of clues that lead to the grand prize. This is primarily a penetration testing competition; the participants serve as the "red team". This is how the competition in the article worked.

More sophisticated competitions also have a "blue team" that provides defensive and detective capabilities, trying to block the penetration testers and keep systems up and running.

It is a ton of fun, and a challenge for everyone involved.

Mashable: Competition Seeks Next Generation of Cybersecurity Experts
http://mashable.com/2013/03/28/cyber-aces/

Cyber Aces
http://cyberaces.org/

Friday, March 15, 2013

Replaced Windows Home Server (WHS) with a Synology DiskStation

Over the course of the last year, I've come to the realization that I was going to be switching my Windows Home Server for something else. My issues weren't much different than anyone else's and my reasoning is familiar, but I thought I'd document them here so maybe it will help someone else think through the process and maybe they'll come to the same conclusion in their own situation.

Why I left Windows Home Server:

  • I was on Home Server v1 still because it worked. Home Server 2011 had issues, as far as I had heard on the Interwebnets.
  • Microsoft abandoned the Home Server platform. There was nothing after HS2011.
  • Plug-ins were weak. There were some, and they generally worked. There should have been more. After all, this is a generic server platform underneath. That never materialized.
  • My Shuttle XPC SN68G2 chassis was good enough (after having to replace two capacitors in the power circuit on the motherboard a couple years in), but I was running out of disk space and needed to buy more/new drives. I only had 3.5TB online. Sounds crazy to say that...
  • While I had faith I could bare metal restore a workstation that was backed up to the server, I highly questioned having to rebuild the server. Especially given the lack of support from MSFT, and the eventual lack of support from the Internet community.
Why I went to a Synology NAS:
  • I wasn't willing to go head-long into a full Windows server. That opened me up to other operating systems.
  • I was comfortable with this platform being back-ended by Linux. I didn't think I'd be doing a lot of super, command line or other customization, but I thought if it's based on Linux, there's the possibility of the Internet community turning up some cool things. 
  • No major OS to deal with. It is stripped down so there's less complication and less to be compromised, in theory.
  • Synology builds disk subsystems and NAS platforms for business. That inspires some confidence.
  • Great reviews.
Am I glad I have one now?
  • The management console is great. Seriously, this makes the platform.
  • I was right, by the way. There are some cool things you can do when you get into the guts and homebrew world. There are some restrictions, but you can manipulate things and use common Linux tools. Which is good.
  • The software capabilities of this server are crazy. Synology maintains and supports a dozen different very, very useful plugins that just work. Need a VPN? No problem. Need media streaming? Sure, there are multiple packages for that. AND, on top of that, there is an active vendor community. I assume Synology works with and helps vendors support their platform. It is really great, given where I came from on WHS.
  • Synology takes pride in their SOHO/home business. It is the equivalent of Honda racing teams bringing some of that technology to a Civic. It shows. The software is the same software they run on their commercial platforms. You see some of that in the console, but it doesn't inhibit a home user in any way.
  • There are apps for Android and iOS to access and manage the server. W00t!
  • It just works. 
What don't I like/what would I like to see?
  • Hardware-based encryption would have been nice. The speed of the server is fine, but start doing a lot of that and I imagine you'd run into issues.
  • I'd love to have a Synology NAS-NAS backup solution that would encrypt the actual data. That way I could park one at my brother-in-law's or parent's house and they could have a server I could put vital data. They both have servers, but there's no option to encrypt the data, so it makes everyone feel a little weird about doing it.
  • That's really it...

Chris

Thursday, February 21, 2013

3D designs, fan designs, copyright

This is going to be interesting. I suspect a middle ground will be found. We already have laws regarding copying someone's design. The question will be around "fan" work, and the ability of folks to check for copyright and patents easily. AND, it will be up to the copyright/patent holder to hire lawyers and take people to court. So, if you don't have the cash, you won't be able to defend yourself from people copying your design.

http://readwrite.com/2013/02/20/3d-printing-will-be-the-next-big-copyright-fight

And once the 3D printing designs are out on the Internet, it is going to make it even more challenging to protect your own designs.

Chris

Thursday, February 14, 2013

Top 10 Reasons Valentines are Like Passwords

Valentines are like passwords, or is it that passwords are like Valentines? I'll let you decide. These are pretty good. 

http://www.okta.com/blog/2013/02/top-10-reasons-valentines-are-like-passwords/


My favorite is: No one wants to change them when things are working