Parable of the Prairie Dogs

The last time I got biblical with this weblog it caused a great deal of confusion, traffic and angst. In other words a whole lot of fun. This time is a little different. Unlike biblical parables, which are (presumably, with apologies to literal apologists) fictional stories that illustrate a larger truth, this parable is absolutely factual and stands as an allegory for security efforts. So without further ado:

Parable of the Prairie Dogs

In the town of Longmont, in the People’s Republic of Boulder, in the state of Colorado in the United States of America there was a small but thriving airport named for Vance Brand. Things were peaceful at the Vance Brand Airport until a rapidly increasing community of prairie dogs took up residence near the runways. These cute furry rodents have breeding habits not unlike their rabbit cousins. So soon there were many thousands of the little scamps doing what prairie dogs do, which is mostly eat, breed and dig. Lots of digging. Often on the edges of, or in the middle of, the runways of Vance Brand Airport. Much to the chagrin of the Federal Aviation Administration, and no doubt of the pilots who were often obliged to clean rodent entrails from their otherwise clean and shiny aircraft after the inevitable airplane/prairie dog confrontations, in which the aircraft invariably fared better, if not cleaner, than the unfortunate but plentiful rodents.

As a result the FAA informed the city of Longmont in a sternly worded missive that the prairie dogs must not be allowed near the airport runways.

The Federal Aviation Administration told the city to get rid of the prairie dogs or risk forfeiting tens of thousands of dollars in grant money. The Colorado Aeronautics Division is withholding $85,000 in grant money for improvements at Vance Brand until the prairie dog issue is resolved.

So the city attempted the most obvious tactic when dealing with unwanted vermin. They poisoned them. Or tried to. Now, unbeknownst to most outside the state of Colorado, the prairie dog, far from being considered “vermin”, is a sacred animal to some in the People’s Republic of Boulder, of which the town of Longmont is part.

Animal activists are steamed that the city of Longmont decided to go forward with the killing of several hundred prairie dogs Friday at Vance Brand Municipal Airport, an extermination officials said was necessary to comply with federal aviation safety directives.

[The] interim director of the Boulder-based Prairie Dog Coalition, said Longmont didn’t take the time to seriously consider non-lethal ways of removing the animals from the vicinity of the airport’s runway and parachute drop zone.

“There’s always the option to work with other communities and cities to find re-location sites”, she said. “It’s not a mystery to look up and see what you can do instead of killing an animal.”

Unfortunately in the aforementioned other communities outside the People’s Republic, public opinion of the rodents is somewhat less tolerant. So attempts by the PRB to foist the prolific critters, alive, kicking, digging and breeding on to other communities are not met with enthusiasm. At least not positive enthusiasm.

So what’s an airport to do? With the threat of losing lots of Federal and State funding for Vance Brand Airport looming, the city of Longmont decided to build a fence to deny access to the cute but pesky rodents. Did I mention that prairie dogs dig? Really, really well. The fence had some unfortunate unintended consequences and apparently none of the intended ones.

In a Sept. 10 letter, the FAA said a new fence not only failed to contain prairie dogs but also became a roosting place for birds, posing an additional threat to air traffic. In July, the city spent nearly $13,000 to replace a fence around a prairie dog colony. Airport workers have also applied poison four times since then to burrows outside the fenced-off colony.
Airport Manager said Monday it’s too soon to determine whether the fence has worked. He also disputed the FAA’s contention about birds, saying he’s never seen [any birds] on the fence.

And thus ends the Parable of the Prairie Dogs. Or rather, it never ends. Just like our best efforts to protect our assets while attempting to satisfy the naive requirements of our constituents and the conflicting restrictions placed on us by our funding sources and regulatory bodies, all while anticipating threats that don’t exist yet. The allegory maps cleanly: each control (the poison, the fence) addressed the threat only partially, the fence introduced a brand new threat of its own, and months later nobody could say whether it had worked. A control has to be measured against the original threat, not assumed effective because it was expensive.

At the end of the day we wipe rodent guts off our planes and watch for birds on the fences.

Hackers everywhere! Really? No not really.

One of the things that really chaps my hide is when prosecutors misuse a piece of legislation intended for a specific purpose to prosecute something completely (in my opinion) unrelated. I’ve written about just such shenanigans before here and here. In those cases it was all about trying to prosecute undocumented workers for identity theft. In another (truly) unrelated case outlined in this Ars Technica story a “creative interpretation” of one law is once again being attempted to prosecute something completely different.

The “unauthorized access” provision of the Computer Fraud and Abuse Act (CFAA) has turned out to be quite an asset to those looking to prosecute people for all manner of actions involving computers, even though it was originally meant to target hackers.

A company named LVRC Holdings filed a lawsuit against a former employee, his wife, and their independent consulting business. LVRC had accused [the former employee] of using company computers “without authorization” in order to e-mail himself LVRC client files in order to use that information for his personal business after leaving the company.

Based on that description, one might assume that [the employee] had used his or someone else’s credentials to break into the network after he quit, but that’s not exactly the case. As it turns out, [he] had e-mailed the documents to his home PC while he was still an employee at LVRC, using login information that the company admin had sent to him. The documents he e-mailed included a financial statement for the company, LVRC’s marketing budget, and admissions reports for patients, among other things. Not so coincidentally, [he] apparently did this while he was in talks to acquire part of LVRC. Those talks eventually broke down and [he] left the company.

[He] subsequently used the data to help his own consulting business, which he runs with his wife. You could argue that his actions were unethical and downright slimy, but LVRC brought charges under the CFAA, saying that he had gained unauthorized access to LVRC machines in order to get the data. LVRC had argued that [his] intent at the time of access determined whether or not he was authorized—basically, the company said he was committing a “thought crime.”

Now, I have no problem believing the defendant in this case is a sleazy weasel. But a hacker? Seriously, does that pass anyone’s laugh test? Apparently the Ninth Circuit Court of Appeals agrees with my assessment: regardless of the defendant’s ethics deficiency, a hacker he was not.

The Ninth Circuit Court of Appeals has ruled, however, that it cannot be used to prosecute someone for being disloyal with company info after quitting—a decision that is being applauded by CFAA critics who want to limit the statute.

The Ninth Circuit judges disagreed with LVRC’s creative interpretation of “unauthorized access” by noting that [the then employee] had permission to access the computer at the time he sent the e-mails—because, of course, his job with LVRC required him to use that computer. “We hold that a person uses a computer ‘without authorization’… when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway,” the judges wrote.

(LVRC’s other point of contention was apparent evidence that [the now former employee] had logged onto the company website using his login credentials after he had left in order to mine traffic data, but the court noted that [he] provided “undisputed evidence” that at least two other employees had used his work PC after he left and that the company had apparently not wiped the machine.)

Though it’s clear that [the former employee] was acting against the interests of LVRC at the time he sent the documents, the CFAA was not written for cases like this.

Exactly. It should be noted that the CFAA has been notoriously misused in several other high-profile cases, including that of “MySpace Mom” Lori Drew, whose conviction was recently overturned due to this questionable interpretation of the CFAA, and that of a domain registrar that spammed customers while pretending to be Register.com. Certainly in both of these cases the defendants engaged in deplorable and unethical behavior involving computers. But they were not by any definition “hackers”. Losers, maybe. Scum, probably. Hackers, not so much.

Baseball and e-discovery

It’s not often that I get to write about two of my favorite yet unrelated things in a single blog entry. In this serendipitous case the two things are Major League Baseball and E-discovery. Or more specifically, a ruling about the discovery in the infamous investigation into steroid use by MLB players. This entry in the Electronic Discovery Law blog sums the deliciously ugly business up nicely.

The Justice Department’s aggressive steroids probe has led the 9th U.S. Circuit Court of Appeals to enunciate a new set of Fourth Amendment protections for the digital age.

In an en banc opinion Wednesday that split conservatives on the court, Chief Judge Alex Kozinski said federal agents were wrong to seize swaths of drug test results from labs in Nevada and California. The computer files taken by the government revealed information about far more people — including professional baseball players and others — than allowed by a search warrant.

Whoa! Let me get this straight: the U.S. Attorney’s office did a wholesale snatch of confidential information? To paraphrase a famous baseball quote, “Say it ain’t so!”

Or more appropriately, given recent entries in Security For All, “It’s deja vu all over again”.

For complete details check out the Westlaw document (in MS Word format) with the full opinion.

Protecting your stuff

If you are a follower of Security For All you are no doubt aware that the majority of post topics are related to data security, online privacy and protection of personal information. In other words Information Security. Less frequent, but definitely relevant, are posts about Physical Security. You know, posts like this one entitled Nice stuff from DHS for your FDPP where you were told how to create a Family Disaster Preparedness Plan (FDPP). That’s right, Physical Security is all about how to protect yourself, your family and your stuff. This article from Lifehacker titled Top 10 Tactics for Protecting Your Stuff has some great info about exactly that.

10. Sign your gear, add return incentives
Your wallet or purse already has your license in it for identification and mailing, but what about your other, possibly more expensive gear? You should definitely get a label on it. The ImHonest label service makes sense, if you want to protect your mailing address and give gadget finders an offer of a reward to return your gear. Homemade labels with an email address might be good enough for most, but for gadgets with memory cards inside, digitally signing with a .txt file makes sense as well.

9. Make your lunch look less appetizing
This falls under the category of ugly-as-deterrent, but office lunch thieves are a different kind of bandit. They (somewhat) know you, they (hopefully) don’t want to sell your goods, and they’re more of an opportunistic nuisance than a hit-and-run thief. Designer Sherwood Forlee’s faux-moldy anti-theft lunch bags, [are] for sale at $10 for 25 bags. Not a bad price for semi-reusable bags, but you can likely replicate the effect on your own with non-toxic paint or food dye.

8. Get a carry bag that doesn’t scream “Steal me!”
Carriers meant to look like a laptop, or have a generally high-tech appearance, do a great job of letting everyone know that something inside is expensive enough to buy a single-purpose bag for. Getting clever with your gear holders is a good way to ensure you always know which bag is yours, and that laptop-hunting thieves are less likely to nick yours. The newspaper sleeve is a good reference point, although it might get your laptop mistaken for a left-behind periodical. You can also cobble together a clever carrier made from old plastic bags, cardboard, a FedEx envelope, or even an old wetsuit.

7. Put a cute baby in your wallet
When researchers left 240 wallets scattered around the streets of Edinburgh, Scotland, they inserted an equal number of cute baby, puppy, family, and elderly pictures in them, along with a relevant mailing address. They received 42 percent of the wallets back overall, but 88 percent of the wallets with cute babies in them came back. The researchers suggest it has to do with an evolutionary instinct to preserve the young, so if it’s not terribly embarrassing, keep a cute baby in plain sight in your wallet or purse.

6. Destroy a credit card the right way
If you’re looking to ditch one of your expired or unused credit cards, don’t just give it one or two token scissor cuts and toss it where identity thieves would love to have a go at it. Try the method recommended by the Wallet Pop blog, which involves using a strong magnet and 15 cuts across your little debt recorder. Worried you’ll hurt your credit score by canceling your plastic? Don’t be—if you’ve got no balance, canceling a card can make sense.

5. Erase your hard drives the permanent way
40 percent of the used hard drives that can be bought on eBay [are loaded with personal data]. [You can use] a variety of total-erasure software [or] the security power of fire, magnets, and other physical disruption tools. You might not need to mount your hard drives and fire at them with real ammunition, but a quick read through our feature on properly erasing your physical media will make you want to truly cleanse your drives before donating, selling, or handing them off.

4. Uglify gear you don’t want grabbed
If the guts of your possessions are what matter to you most, and you don’t mind a little creative shoddiness, “uglifying” might be the way to go for your prized possessions. If a digital camera, a nice bike, or anything else you’re concerned about looks like it might be a nice target, consider creatively junking it up a bit.

3. Make little changes to prevent identity theft
Actively guarding your Social Security number takes patience and persuasion powers, but you usually don’t have to give it out. The Get Rich Slowly blog suggests keeping in mind the Three ‘D’s of identity theft protection—deter, detect, and defend, bolstered by the FTC’s identity theft tips. When you find a cheaper price at an off-brand store, use a virtual credit card to shield your real account from misplaced digits. Finally, be not afraid to bust out the shredder and feed it with the financial records you don’t need.

2. Know where to hide your money
A former burglar suggests that leaving a little bit of money in a few barely-hidden spots might save your living space, and your actual stash of cash, from being torn apart and tracked down by those who would take what you have. If you’re looking for a place to store emergency money that you’ll (almost) always have on you, the Cash “Can” keyring is a good bet against being burglarized.

1. Set up a laptop security system
Laptops hold a lot of data you probably don’t want in the open, and they’re not cheap to replace. We have a few suggestions on securing your laptop on multiple fronts. From inexpensive, physical laptop locks to webcam mugshot takers and missing computer trackers, a lot of tools are available for Windows and Mac machines that make it hard for a thief to walk away with your system, or make him wish he hadn’t if he makes it out the door with it.

I especially like the idea about cute baby pictures in your wallet. Now we know why grandparents get their wallets returned with more regularity.

Security For All First Birthday: Revisiting Technology generation gap

The #3 spot on the Security For All top posts list entitled Moving On, was about my experience as a Software Engineer at StillSecure on the eve of my departure for a new gig. If you have ever wondered about what it would be like to work for a cutting edge start-up in Colorado you should definitely check out the post. But since I don’t have anything to add or amplify in that post we’ll head straight to the 4th most popular post and revisit January 26, 2009 and the Technology generation gap.

The first occasion to get me thinking about this was when an older family friend was the victim of a fairly benign scam that essentially convinced her to forward some nasty political tripe to folks on her email list. Luckily no harm was done, other than embarrassing WTF responses from the message recipients. I was explaining to her that there are many unscrupulous people and other entities on the net that have no problem with misleading, lying and scamming anybody they can when she remarked that she thought it was “sad that you can’t trust people on the internet“. This remark kind of took me by surprise. I’ve always started from the assumption that internet content is not trustworthy. Not sad, that’s just the way the net works.

She was assuming that email was equivalent to handwritten correspondence from an entity that is known to you. While I was assuming that email is equivalent to bulk mail from an anonymous source. Now certainly there have been grifters and scam artists around since time immemorial, but it’s only been with the advent of the ubiquitously anonymous internet that the scams, schemes and spam have become pervasive. Back in the day, a grifter’s work was strictly up close and personal as opposed to nowadays when you can hit millions of marks with a single shot. Kind of like a knife fight versus carpet bombing. The point is that in my friend’s experience, a person who would lie, cheat or scam others was quickly discovered and was considered an anti-social aberration. And in general, you could trust most people. Not so on the internet, where there are no people to trust.

No people, as in actual living human beings, to trust. This has a number of other disturbing aspects that I take as a given but are shocking and appalling to my friend.

Actual humans are not directly responsible for a fair portion of internet traffic. Much of the content on the web is generated by bots or other automated processes. That’s why we have CAPTCHAs for everything from webmail sign-up to comments on blogs. The problem here is that the mitigation is often more annoying to older folks than the threat we’re trying to mitigate.

Another disturbing aspect is that web content generated directly by younger or more web savvy people can more accurately be attributed to their online persona. Think about it. Starting back in the early days of BBSs and propagated by AOL is the concept of the screen name. Check out Facebook or YouTube – or even Security Bloggers Network – and you’ll find a whole lot more “LonelyGirl16” or “G@m3rBoy” IDs than “JoeSmith”. Be sure to check out the content that you find there. What you are looking at is performance art by the online persona of the author. Even here. What? You think I’m really this witty and urbane in real life? Well, okay maybe I am but the rest of those posers… But again I digress. The point is that my older friends treat email and social network posts as direct communication between themselves and other actual humans. They even use their real names. And give out real addresses. They don’t have an online persona, and don’t expect others to either.

Perhaps the most appalling aspect is that the allegory of the web most familiar to older people is print media. Newspapers and magazines. URLs are even referred to as web pages. Unfortunately this carries some very misleading and often dangerous assumptions. For example if a writer in People magazine writes “[hot Hollywood starlet du jour] is a slut”, People will certainly have to print a retraction and possibly face libel charges. But if Perez Hilton writes it in his celebrity gossip blog, well that’s just what Perez does. The point is that print media is held to a much higher standard of veracity than the web, where anyone can post anything with very little chance of reprisal or responsibility. There are no standards of veracity on the web. Nor can there be. The dangerous part of this is that there are journalists and editors who don’t understand this. Recently sports publications and sports news outlets reported that Iranian football [soccer to us yanks] stars Javad Nekounam and Masoud Shojaei [who play in Spain, for Osasuna] had been sacked due to an incident in a Pamplona nightclub. This story made the wire services and was widely reported. The source was a report on the Osasuna club’s web site. Problem is the site had been hacked and the report was bogus. You can read the real story here. Too bad – damage done.

The next occasion that caused further rumination on this subject was when I was helping my mom with a computer problem. She noticed that several names in her address book application were appearing out of alphabetical order. I diagnosed the problem easily – the names had leading spaces. Apparently the OS/X address book doesn’t do a trim on entry fields. So once I removed the offending space characters the sorting worked as expected. Try as I might, I could not explain this to my mother. She could not get her mind around the idea that a space character is ultimately a binary value like any other alphanumeric character. As far as she was concerned, when you hit the space bar on the keyboard it just “moves over” and doesn’t print anything. In other words a space is nothing. The absence of a letter. Kind of like electrons and holes from my EE days. A hole is where an electron is not. Therefore holes have a positive charge. Yeah like that.

Again I realized that we were having a fundamental disconnect. I’ve always realized that everything I see on a computer screen is an abstraction. At the lowest level it’s all just zeros and ones. Actually high and low voltages or positive and negative charges. Even the zeros and ones are an abstraction. The desktop and windows are an abstract paradigm. Not so with my mom. She sees literal windows or cute little boxes called windows when she looks at her monitor. She clicks on buttons, types stuff into forms and moves sliders up and down. It’s not abstract at all. It’s literal for her.

When you think about it, the information age introduced something unprecedented in human history: the central enabling agent, computers, inserted a layer of unreality between users and tasks. Stay with me here. Even relatively modern devices like telephones were intimately connected to the underlying task. Any abstraction, like say entering a phone number to connect to a specific party, was completely transparent – you entered the number using a keypad or dial. Now look at my iPhone – a hand-held computer. I could still enter phone numbers from a keypad – a virtual, abstract, keypad – but I usually just touch the picture of the person I want to contact. And that contact can be SMS, IM, email or even a telephone call, depending on the context of the underlying abstraction. The point is there are no actual walls in Facebook, no windows in Windows, no trashcan on your desktop and no desktop. Abstractions and allegories [or user paradigms if you prefer] all. Can’t wait for virtual reality? Good news – you don’t have to. Bad news – you probably don’t even recognize it.

Security For All First Birthday: Revisiting Using public Wi-Fi safely

Number 2 with a bullet on the First Annual Security For All Hit List was a surprise [to me anyway]. This post on March 16, 2009 titled Using public Wi-Fi safely was a review/amplification of this article by Rich Vázquez. So I came up with this great idea that I would do another review/amplification on my original review/amplification. Are you confused yet? Don’t worry you will be. Here are the high points.

Certainly you want to verify that the wireless net is what you expect prior to connecting, but the more important issue is that the operative word in “open Wi-Fi” is open. Most open Wi-Fi nets don’t need an evil twin. They are totally amoral by definition. Open means exactly that – anyone and everyone is invited to join in the fun. Which is great if you are adequately protected. Or a grifter looking for marks.

While this is certainly true, it’s a little light on actionable advice. Open Wi-Fi nets can be really useful if you want to do some innocuous web surfing or anything that doesn’t involve disclosure of sensitive information. Having said that, the unfortunate reality is that pretty much anything you would want to do online – including innocuous surfing – involves disclosure of sensitive information. The point is that if you want to use open public Wi-Fi you need to have your PC, whether it is running Windows, Mac OS/X or Linux, locked down tight. But what exactly does “locked down tight” mean? Turns out that is addressed in the next section.

Actually, personal firewall software is the first line of defense; anti-virus is the last line of defense. While I’m sure this will cause a great deal of controversy (at least I hope so – bring it!) I submit that anti-virus software is optional and a good bi-directional firewall is critical. How so? Glad you asked. The firewall should make you invisible to the outside network: unsolicited packets are silently dropped rather than answered with a reset or an ICMP “unreachable”, so a scanner on the coffee shop network cannot even tell that your machine is there. Many, if not most, popular firewalls do not do this out of the box. You need to make a visit to the Gibson Research (Steve Gibson of Security Now! fame) Shields Up! site and tweak your firewall setup until you are in “stealth mode”. If you don’t do that, then even good anti-virus software – and I’m dubious that such a thing exists – will not be useful. The greatest threat posed by the open network is information leakage, not malware infection. The risk of your PC being infected by malware that steals your information is significantly mitigated by the firewall. And once the PC is infected by such malware, if your firewall blocks egress to everything but approved processes (a feature of those good bi-directional firewalls mentioned earlier), information leakage should be prevented anyway. My point: it is a lot more effective to prevent malware infestation than to detect it after the fact. It should be noted here that Rich makes an excellent and critical point: there is almost always a time lag between when information is stolen and when the stolen information is used. Sometimes the time lag is significant, so just because your stolen information hasn’t been exploited yet doesn’t mean it hasn’t been stolen.

I’ll admit it, I’m not a fan of the concept of anti-virus. I think it’s a sucker game with no winners but the anti-virus vendors and professional hackers. Certainly not you, the user. But far be it from me to suggest that you dump your anti-virus. If you use Microsoft Windows, then you probably should continue using it. But if I were you, I’d certainly stop paying for it. There are free anti-malware suites available – including one from Microsoft – that are as good or even better than the subscription based stuff. Just remember to keep it updated. The main point here is that anti-virus is optional but a good firewall is critical. Mac OS/X and most distributions of Linux (certainly all of the popular distros) ship with a very good firewall. Unfortunately the firewall that ships with Windows XP and earlier is weak and should be replaced with one of the excellent third-party software firewalls available. Many for free. To understand why you need a firewall, you need to know what it is and how it works. So allow me to digress. If you already know this stuff then feel free to skip it. Or comment on what I got wrong or oversimplified.

[Begin Digression: Firewalls]

When a computer communicates over a network there must be a way for other computers to find it. Otherwise no communication happens. Therefore each computer must have an address, not unlike a post office box. In order for any kind of communication to take place there must be at least two parties involved. Same with computers. Only computers have strict rules of etiquette governing conversations. There are always two distinct roles in a computer conversation: the server and the client. The server is the computer that is going to provide most of the information in the conversation. The client is the one asking for information. It’s easy to see this in action any time you connect to a web site. Your computer [acting as the client] contacts the web site computer [acting as the server] and requests information. The server sends the information in the form of a web page back to your client, which displays it in your browser.

So how did your computer [the client] know how to reach the server? And how did the server know where to send the reply? Remember those addresses I mentioned earlier? Well, the URL that you typed into your browser (or the link you clicked on) gets translated into one of those PO Boxes. But that’s only half the story. Each of those PO boxes is shared by a bunch of different services. So each PO box has a port for each of the services. When the message goes to a specific port in the PO box, the service listening for messages will respond. The service knows where to respond because there is a return address (including a port) in the message. If no service is listening at a port, or the port is not accepting messages, the port is said to be closed. Any messages sent there are not processed (strictly speaking, a closed TCP port answers with a curt “nobody here” reset, which still tells the sender that a machine exists at that address; a stealthy firewall doesn’t even do that). Here is the critical thing to know about ports: server ports are well-known and advertised (otherwise nobody would be able to start a conversation) but client ports are random and used for one and only one conversation. In other words when your client contacted that web site, the “http://” in the URL meant “send this message to port 80”, the HTTP port. Your client put a random port in the message return address so only replies to this particular message can get back to your client.

By this time you’re probably wondering what this has to do with firewalls. Everything, actually. Stay with me. Something that might not be obvious is that every networked computer is both a client and a server. That’s right. Even your PC or Mac. This is where a firewall comes in. A firewall controls all of the ports on your computer. A good firewall will start with almost all ports closed. In other words if you want your computer to share folders with other computers (i.e. be a server for the share service) then the firewall needs to open the share service ports (139 and 445). Early Windows XP (before Service Pack 2) had lots of ports open by default. Stuff like Universal Plug and Play (UPnP) and Remote Registry. This was a really bad idea since black-hat hackers figured out ways to crash or abuse those services and get malware on your computer by sending malicious messages to those open ports. But if you have a firewall, you can close all ports that you don’t need. That way even if the service is listening for messages, it will never get them. And all those malicious messages will just be ignored. Further, a good bi-directional firewall watches for outgoing network messages. It knows that your browser and email program should be allowed to start conversations with other computers (well duh, they wouldn’t be very useful if they couldn’t). But it will block and/or warn you when something it doesn’t recognize (say NastyMalware.exe) tries to start a conversation with another computer. That’s why firewalls are so important.
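The port states described above, and the “stealth mode” from the previous section, as an added example that is not from the original post: a small Python probe that classifies a TCP port the way a port scanner does, plus a throwaway listener on 127.0.0.1 (constructed for the demo) so it runs offline. Connect succeeds: the port is open. The host answers with a reset (ConnectionRefusedError): the port is closed, which still tells a scanner that a machine is there. No answer at all before the timeout: something dropped the packet, which is the stealth result Shields Up! looks for. That third outcome cannot be produced on the loopback interface without a firewall rule in place, so the demo only exercises the first two; it also reports the random client port the OS picked for that one conversation. Host, port and timeout values are illustrative.

```python
import socket
import threading


def probe_port(host="127.0.0.1", port=80, timeout=1.0):
    """Classify one TCP port from the client's point of view.

    Returns (state, client_port). state is 'open', 'closed' or 'filtered';
    client_port is the ephemeral port the OS assigned to this single conversation
    (only known when the connection actually completed).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        # SYN answered with SYN/ACK: a service is listening on the well-known port.
        return "open", sock.getsockname()[1]
    except ConnectionRefusedError:
        # SYN answered with RST: nothing listening, but the host announced itself.
        return "closed", None
    except socket.timeout:
        # Nothing came back at all: a DROP-style (stealth) firewall ate the packet.
        return "filtered", None
    except OSError:
        # REJECT-with-ICMP firewalls surface as 'unreachable' errors; scanners
        # such as nmap report those as filtered too.
        return "filtered", None
    finally:
        sock.close()


def start_demo_server():
    """Start a throwaway listener on an OS-chosen loopback port (constructed for the demo).

    Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)               # so the accept loop can notice the stop flag
    port = srv.getsockname()[1]
    stop_flag = threading.Event()

    def serve():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()              # we only care that the port answered
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stop_flag.set()
        worker.join()

    return port, stop


def demo():
    """Probe the same port while a service listens and again after it has gone away."""
    port, stop = start_demo_server()
    try:
        while_listening, client_port = probe_port(port=port)
    finally:
        stop()
    after_shutdown, _ = probe_port(port=port)
    return {
        "server_port": port,
        "client_port": client_port,           # random, differs from server_port
        "while_listening": while_listening,   # 'open'
        "after_shutdown": after_shutdown,     # 'closed': the host still replies with RST
    }


if __name__ == "__main__":
    print(demo())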

[End Digression: Firewalls]

[In response to Rich's advice that file sharing be turned off] Absolutely spot-on here! The average personal computer does not implement many of the file sharing protections that are available on corporate networks. Otherwise very few home users would ever be able to take advantage of file sharing. As Rich points out, whatever you share is shared with everyone on the network. The entire open Wi-Fi network. Just say no to file shares.

Actually that just about covers it. There is never a good reason to have a Windows file server on an open Wi-Fi network. Period.

In fact most of the threats in a “coffee shop” environment (i.e. your typical open Wi-Fi hotspot) are decidedly low-tech. Fortunately the best defense is also low-tech – don’t be an idiot. One of the examples Rich uses is a perfect case in point: if you are doing your taxes online from an open Wi-Fi hotspot you are a moron and deserve to be pwned. I’m sorry but it’s true. There really is no mitigation for user stupidity. Seriously though, social engineering is by far the most effective tool black hat hackers have. There is definitely one born every minute. Don’t be the one.

There is no substitute for common sense. If you want to check your personal email from a Wi-Fi hotspot, sure go ahead. Much as we would like to believe the contrary, our personal mail is mundane, boring and of little value to anyone else. Your tax return, or your employer’s internal profit forecast are a completely different story.

Regardless of how “stealthy” your PC is, it still has lots of incoming and outgoing traffic that is easily sniffed on the open Wi-Fi network. Go snag a copy of AirSnort if you want to see just how easy this is. Your traffic had better be encrypted if you don’t want it to be completely public. Having said that, encryption in and of itself is not enough. As Hugh Thompson says you can’t just “sprinkle on the magic crypto fairy dust”. For example if you’ve already been compromised by a Man-In-The-Middle attack, starting an encrypted session might simply result in a nice encrypted pipe that is available to no one but you, your bank and the attacker. Also, a site’s use of HTTPS is no indication of the legitimacy of the site unless you actually check the validity of the SSL certificate. And very few people do that. Or even know how to do that. So back to an earlier point, don’t be an idiot. Encryption does not mitigate stupidity. Recently this article from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security described a situation in a coffee shop where a business person connects to the corporate LAN (no doubt securely), starts up a remote desktop session (again no doubt securely) and then goes to the restroom leaving the laptop unlocked and unattended for 10 minutes. Doh!
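Since “check the validity of the SSL certificate” is doing a lot of work in that paragraph, here is what the browser is actually checking, spelled out in Python. This is an added example, not code from the original post or from any browser: it performs the two checks a user could reason about (does the certificate name match the site you typed, and is it inside its validity period) against a constructed certificate dict shaped like what Python’s `ssl.getpeercert()` returns. The bank name, the dates and the sample clock values are made up. Chain-of-trust verification (is the certificate signed by an authority you trust) is the third check and is what `ssl.create_default_context()` does for you; it is not repeated here.

```python
# Added example (not from the original post): the hostname and validity-period
# checks behind "is this certificate valid for the site I typed?", run over a
# constructed certificate dict in the shape of ssl.SSLSocket.getpeercert().
import ssl
import time

# Constructed sample certificate: names and dates are made up for the demo.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (
        ("DNS", "www.example-bank.test"),
        ("DNS", "*.example-bank.test"),
    ),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Dec 31 23:59:59 2010 GMT",
}

# Constructed sample certificate with no subjectAltName, only a commonName.
CN_ONLY_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Dec 31 23:59:59 2010 GMT",
}

# Two constructed "clock" values so the demo is reproducible regardless of today's date.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2010 GMT")    # inside validity
SAMPLE_LATER = ssl.cert_time_to_seconds("Jun 15 12:00:00 2012 GMT")  # after expiry


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard may only stand in for the whole leftmost label, so
    '*.example-bank.test' covers 'login.example-bank.test' but neither
    'example-bank.test' nor 'a.b.example-bank.test'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the certificate was issued for this hostname.

    DNS entries in subjectAltName are authoritative; the commonName is only
    consulted when the certificate carries no DNS entries at all.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def within_validity(cert, now=None):
    """True if 'now' (epoch seconds, default: wall clock) is inside notBefore..notAfter."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def check_certificate(cert, hostname, now=None):
    """Return (ok, reason) for the two checks a user can reason about."""
    if not hostname_matches(cert, hostname):
        return False, "hostname mismatch"
    if not within_validity(cert, now):
        return False, "outside validity period"
    return True, "ok"


if __name__ == "__main__":
    for host in ("www.example-bank.test", "login.example-bank.test",
                 "example-bank.test", "www.example-bank.test.attacker.test"):
        print(host, "->", check_certificate(SAMPLE_CERT, host, SAMPLE_NOW))
    print("expired ->", check_certificate(SAMPLE_CERT, "www.example-bank.test", SAMPLE_LATER))
```

The last hostname in the demo is the one worth staring at: a certificate that is perfectly valid for `www.example-bank.test` says nothing about `www.example-bank.test.attacker.test`, which is exactly the kind of lookalike a phishing page hides behind a padlock icon. The browser does these checks for you; the part you still have to do yourself is read the name in the address bar.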

In case you forgot, your Wi-Fi adapter is a radio. The hot spot wireless access point is also a radio. Radio waves go everywhere and can be received by anybody in range with a radio receiver tuned to the right frequency. It’s not just talk radio hosts that think this is a swell idea. But again, regardless of how well protected your Wi-Fi signal is, if there is sensitive information on the screen, where anybody within sight range can see it, it’s still exposed. Remember, if you stand naked in front of a window, even if the window has bulletproof glass, you’re still exposed.

Finally, as far as I know Rich still hasn’t joined the Security Bloggers Network. And he still should.

Security For All First Birthday: Revisiting Forrester and NAP

By a fairly large margin the most popular and contentious post in the first year of Security For All [if you discount one entitled Prophecy for 2009 which got tons of hits I suspect by mistake due to the clever title] was the September 24, 2008 post entitled I so want to be a Forrester analyst wherein this report on the state of Network Access Control (NAC) by Forrester pegged the old BS-O-meter.

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.

I responded with the following assertions.

Until all enterprises make the switch to Windows Server 2008, there is no real NAP install base.

As of now there is one, count ‘em, one SHA/SHV set provided to the “near-ubiquitous Windows Server customer base”. And guess who provides it (hint – they build a well known OS). So if your endpoint policies require only the Microsoft Security Center stuff and all of your endpoints are Windows XP SP3 or Vista Business+ and your servers are Windows Server 2008 you are golden! Both of you.

There was feedback. Todd from Napera responded thusly.

Thanks for the mention of Napera, Joe. I wanted to clarify a couple of points from your posting specific to Napera rather than the Forrester analysis per se.
A Napera deployment does not require Windows Server 2008. As stated clearly in the blog post you linked to – our solution is self contained – we licensed the NAP protocols directly from Microsoft and we speak directly to the NAP agent. This removes the requirement for customers to upgrade to Server 2008 to deploy NAP. In fact, we don’t require changes to any server infrastructure (DHCP, AD etc) to deploy NAP. Just last week a brand new user told me they were checking health on PC’s within ten minutes of deploying Napera.
Also, NAP does not require Vista Business – just Vista.

There are several SHA/SHV’s shipping today beyond the Microsoft WSHA in XP/Vista you mention. Microsoft Forefront Client Security, McAfee, Symantec, Blue Ridge and Avenda are some that come to mind.
Apple has yet to commit to releasing a TNC based agent for Mac. Our Napera health agent for Mac OS X has similar functionality to the Windows NAP agent, but isn’t based on NAP or TNC protocols per se. The Napera agent could easily be made TNC compatible if that option presents itself in the future, and provides a great solution in the interim.

There were several exchanges of ideas and the following conclusion was reached with respect to Napera’s product and Microsoft’s NAP.

The Napera solution doesn’t require NPS since that’s a component of Windows Server 2008. It is a third party NAP Network Policy Server (or TNC Policy Decision Point) that uses the MS enforcement mechanisms.

Additional information was provided by Joe Davies, Senior Program Manager of the NAP Team at Microsoft.

Just wanted you to know that there are seven additional SHA/SHVs that are available from third-party vendors and two additional SHA/SHVs that are available from Microsoft for System Center Configuration Manager and Forefront Client Security.

So what has changed in the State of NAC and NAP in the year following the infamous Forrester report? Well for one thing no one (at least no one sane) proclaimed 2009 as the Year of NAC. Which was a good thing. But were we to give credence to the Forrester report we might expect that NAP or NAP-based solutions would be dominating the NAC market by now. Well guess what didn’t happen. That’s not to say that NAP development has ceased. In fact there are now eight additional SHA/SHVs that are available from third-party vendors – including an offering from Korean UNETsystem that reportedly brings NAP to Linux and Mac OS/X – and three additional SHA/SHVs that are available from Microsoft. As far as I can tell, the market penetration and predicted dominance failed to occur primarily because enterprises stayed away from Vista in droves. Partly because of the crippled economy but mostly because, well, Vista sucks. And actually useful NAC systems – yes this includes NAP – are not trivial to design, deploy and maintain. Furthermore the adoption of Windows 2008 server has been somewhat less successful than some had predicted. All of which conspires to make the analysis of the Forrester report even more amusing now than it was 12 months ago.

The really significant change in the NAC landscape during the last year is actually systemic to the information security business – the move to security as a service and managed security services. Yep – information security is moving into the cloud. Since NAC is definitely one of the trickier services to move into said cloud, we’re only now beginning to see it happen. StillSecure acquired ProtectPoint and now offers managed security services based on several StillSecure products. It’s a safe bet that their Safe Access NAC product has got to near the top of Alan’s “cloud it” list. Napera announced a beta program in July for a new online service, codenamed Cobalt, that “will give you an advanced look at your network and the state of every computer connected to a compatible switch.”

Oh yeah, and Microsoft announced a free consumer security offering codenamed Morro that directly competes with three of the eight third-party vendors who have those NAP SHA/SHVs. Wonder how that’s working out.

And I still so want to be a Forrester analyst.

Security For All is one year old!


Happy Birthday!
Happy Birthday to you!

Well it`s time to celebrate your birthday,
It happens every year.
We`ll eat a lot of broccoli, and drink a lot of beer.

From “Happy Birthday” by Weird Al Yankovic

This week marks the first birthday of the Security for All blog. And a very interesting year it has been. During that time a whole bunch of stuff happened. Not in any particular order:

  • The USA has a new President and is going on the biggest shopping spree in recorded history. [Not that the former administration didn't try.]
  • Apple launched a new OS (OS/X 10.6 – Snow Leopard) that left PowerPC users out in the cold. [Makes me want to run out and buy a new Intel Mac Pro to replace my 4 year old G5 Mac Pro. Not.]
  • Microsoft gave Windows XP a reprieve on end of life after the less than stellar performance of Vista. [But Windows 7 is coming real soon now and then you can dump Windows XP boxes for something better. Like Linux.]
  • Security vendors came, went, were bought, sold, scrapped, salvaged and repackaged for new markets. [And that was just McAfee and Symantec.]
  • The global economy tanked so there are precious few new or surviving markets for anything. [It's brutal out there!]
  • I took a new job. [Left StillSecure for InfoPrint Solutions, who insists via social media policy that I reveal that they are my employer. Apparently they've never read Security For All.]
  • The RIAA won a case. Appeals still pending. [Won is such a strong word. I prefer weaseled or skanked.]
  • Kai Roer was in a nasty auto accident, but is doing well and blogging. [Get well, Kai. We miss you!]
  • Alan Shimel put StillSecure on FaceBook. [Now they can friend you.]
  • Dr. Anton Chuvakin went rogue freelance. [Who knows what mischief lurks in the heart of Anton?]
  • The world didn’t end when the Large Hadron Collider fired up. Or failed to fire up. [It could happen!]
  • I’m gaining Twitter followers – even though I never, ever tweet. [I sent exactly one tweet. To get free software.]
  • McColo was shut down and for one brief shining moment the world got some spam relief. [But you have to admire the resilience of those spammers.]
  • The Cloud took over the world. Or so marketeers would have us believe. [You can't just sell the same old stuff. Cloud it!]

Looking back I’m surprised by a number of things about the Security For All blog. Not in any particular order:

  • Posts that I thought would really draw comments didn’t. [Hey - at least I thought it was interesting.]
  • Posts that I never expected drew all kinds of attention. [Who knew that e-Discovery and litigation were so hot?]
  • Things that I promised a followup on never materialized. [Actually this isn't a surprise - I'm lazy.]
  • I’m still on decent terms with Alan Shimel, Mitchell Ashley, Martin McKeay, Richard Janke and other Security Bloggers who apparently don’t mind that I’m just making this up as I go. [They still comment. Nicely too.]
  • Security For All is still going strong. [My attention span usually isn't this long.]

So in honor of the birthday blog and in addition to the swell lists [Did I mention I like lists? A lot.] there are going to be some changes. If it ain’t broke fix it anyway, right? Actually the only change is a new theme. That’s a CSS theme, not content. Yeah I know you were hoping for something a bit more, shall we say… coherent. Let me know what you think.

But wait there’s more! This week we’ll be revisiting the most popular posts from the first year of Security For All. I’ll actually do the updates and follow-ons as promised so long ago [I'll bet you were wondering how I was going to fit that in].

Thanks for your support and encouragement. Stay tuned.

Everybody must get phished

Did you catch this post from the Homeland Security Blogwatch? [emphasis is mine]

Some e-mails purporting to be from the Homeland Security Department’s intelligence division were fake and contained malicious software.

The e-mails actually originated from Internet addresses in Latvia and Russia, according to a three-page alert from the Homeland Security Department’s counterintelligence unit.

These fake e-mails were sent to officials in the Defense Department and to state and local officials since June. The spyware appears to be criminal, according to the alert. But counterintelligence officials “cannot discount that targeting of DHS partners and DoD personnel may be for other purposes.”

Um… Sounds like pretty standard phishing or bot-hunting stuff to me. So I’m wondering what the “other purposes” may be. Maybe the sinister other purpose is to see if someone in the DoD or state and local officials is stupid enough to open the spyware and reveal some valuable information? But wait – isn’t that exactly the purpose of all spyware? Is it the fact that the emails were purporting to be from DHS (as opposed to say a bank) or that the targeted users were DHS partners and DoD personnel (as opposed to say you or me) that makes this somehow more nefarious? Arguably it’s a higher value target. Although if the source is my bank and the target is me I have a hard time swallowing that argument. However true it may be. The sad truth is that everybody gets phished. Whether or not you get pwned is entirely up to you.

More ID Theft, Privacy, Fear and Loathing in Colorado

Meanwhile, back at the ranch…

Recently I wrote about the long, strange and continuing saga of the identity theft investigation known as “Operation Numbers Game” being prosecuted by Weld County [Colorado] District Attorney Ken Buck. You can read all about it in this post but here is a very brief recap.

The investigation began in October after a Texas man told Greeley authorities someone was using his identity. The suspect in that case told authorities he was filing his taxes with a Greeley tax preparer that catered to Latinos in the city about 60 miles north of Denver.

That prompted the sheriff and district attorney to search the business of tax preparer, hoping to find proof that people were working with Social Security numbers that weren’t theirs, and filing taxes with government-issued taxpayer identification numbers.

And the saga continues. This time with the ACLU maintaining that “Operation Numbers Game” was a “fishing expedition” as covered in this article by AP writer Ivan Moreno, printed in the Denver Post.

Attorneys for the American Civil Liberties Union maintain Weld County authorities went on a “fishing expedition” when they seized thousands of tax documents from suspected illegal immigrants for an identity theft investigation.

The ACLU has asked the Colorado Supreme Court to uphold a District Court ruling that stopped the investigation in April. The judge ruled that Weld County authorities violated people’s privacy and had no probable cause to inspect so many confidential taxpayer records.

Weld’s sheriff and district attorney said in their appeal last month they had substantial evidence to believe hundreds of suspected undocumented immigrants were stealing people’s identities to work in the U.S.

The ACLU said in its Supreme Court brief that except for the suspect accused of stealing the Texas man’s identity, investigators had no probable cause to search the thousands of records of other taxpayers. The ACLU said the investigation of [the tax preparer's] business was akin to getting a search warrant for a hotel where drug dealers are known to stay, and then going through every room to look for drugs.

Four district judges have agreed with the ACLU’s argument that Weld County’s search warrant was unconstitutional; one judge called it “breathtaking in its expansiveness.”

Yeah. What he said. But Weld County is still doggedly pursuing this alleged [by district court judges, the ACLU, and pretty much anybody paying attention] gross violation of civil liberties, claiming that “it was impossible to identify individual suspects in the search warrant because the case centered on identity theft”. Seriously guys, in the folksy words of a recent president, “that dog don’t hunt”. What really makes this attempt at injustice so egregious is that according to immigration experts, this is the “first and only time authorities have used confidential records from an income tax preparer to prosecute undocumented immigrants”. Now I don’t know about you, but the idea that authorities could seize my confidential tax records by virtue of the fact that my tax preparer might have some clients that might be undocumented workers makes me a tad uneasy. Actually quite a bit more than a tad. And heaven forfend that I should have a Latino surname. And that, my friends, is a statement with ugly implications.

But the ultimate irony of this fiasco is that should “Operation Numbers Game” achieve its goals and be completely successful (hey, some folks wish it could happen) it would be a bad business move for Weld County. The Mexican American Legal Defense & Education Fund sums it up nicely.

The Mexican American Legal Defense & Education Fund also filed a brief with the Supreme Court Friday supporting the ACLU’s arguments. That brief says the confidentiality of tax records is necessary to avoid “the creation of an underground economy,” in which illegal immigrants don’t comply with tax laws, depriving the government of much-needed revenue.

Here’s the deal. I have actual direct firsthand experience with the horrors of this kind of “identity theft”. Several years ago my wife’s social security number was appropriated by (presumably) an undocumented worker in Texas so that they could work. And pay payroll taxes. She discovered this when the IRS contacted her regarding her failure to report income from an agriculture job in Texas. After the initial WTF moment it was pretty easy to convince the IRS of the impracticality of running a business in Colorado and picking vegetables in Texas simultaneously. Especially since the IRS gets to keep the payroll taxes collected from my wife’s impersonator. Bottom line: the damage to the “victim” consisted of several annoying yet amusing contacts from the IRS and the government got some money for nothing. Terrifying stuff.

Finally in an unrelated story, Weld County District Attorney Ken Buck announced that he is still in the race for the Republican nomination for Colorado’s U.S. Senate seat.

Buck said he was swayed by the “hundreds” of e-mails and phone calls he received over the weekend urging him not to get out of the race just because it appeared as if the National Republican Senatorial Committee was behind former Lt. Gov. Jane Norton.
“The feedback was huge. I never knew Perry had so many friends,” Buck said with a laugh, referring to his wife, former vice chairwoman of the state Republican Party.
Buck said it was “Washington, D.C., insiders” who were behind the “shenanigans” to try to influence the race.

Unrelated. ‘Nuff said.

For anyone interested in the details of this case, you can find more press coverage as well as the court documents here:
http://www.aclu-co.org/docket/200821/200821_description.html

Thanks to Erik Maulbetsch