Email advice for the rest of us

Coming up on the second anniversary of Security For All (no, this is not THAT entry – it’s coming) I realize that I’ve been remiss about the “For All” part of Security For All. Lately it’s been all about copyright enforcement shenanigans, e-discovery technicalities, Fourth Amendment, privacy issues and Captain X-Ploit parables and nary a peep about how a real person (read non-ultra-geek) can save what’s left of their privacy and avoid being abused on the Internet. I was particularly struck while reading this article entitled 10 things non-technical users don’t understand about your software (no, this isn’t about THAT article either – although it is quite good in a software engineering kind of way) wherein the author, Andy Brice, makes these points.

Techies are happy to play with software to see what it does. They aren’t usually too worried about trying things because they can rely on some combination of undo, version control and backups to reverse most changes and they can usually judge when a change won’t be reversible. Non-technical users aren’t so confident and won’t try things in the same way. In fact some of them seem to think that a wrong move could cause the computer to burst into flames.

Unskilled users often don’t realize how unskilled they are.

That is a nasty but common combination. The implications include users who are afraid of trying things out, because they might “break something” and when they need help don’t have the skill or experience to ask or even know what to ask. Recently I installed a new iMac for my mom. I made sure that she had all of the necessary security software installed and configured including a password safe, made sure that her iSight camera was working so that she could video chat and even transferred all of her photos, addresses and music. In other words she was ready to roll. Or so I assumed. The next day she called me in a panic because her “screen went blank” and the iMac appeared to be dead. After a great deal of troubleshooting over the phone I determined the root of the problem: the iMac was powered off and she didn’t know where to find the power button. So that great work configuring and securing her new computer was useless when she didn’t know how to turn it on. All of the preceding is an epiphany and mea culpa. I’m returning to the roots of this blog (for this entry at least) with some email advice for everybody.

I’ve written about sending safe email before, but I recently came across this pair of articles by Chad Perrin in TechRepublic. The first, entitled Basic e-mail security tips, and the follow-on, Five tips for avoiding self-inflicted email security breaches. I’ve condensed these into a single list with my commentary, but you should definitely check out Chad’s full articles.

1. Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought. At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML — or “Original HTML” as some clients label the option.

Chad goes so far as to suggest that you use an email client that doesn’t render HTML at all. I wouldn’t go that far but I would agree that you shouldn’t automatically allow HTML, which unfortunately is the default setting for most email clients. So let’s step back a second and explain some things. First off “HTML and XHTML” are computer “languages” that allow you to see nice page layouts, pictures, sounds and movies in your email. It’s the same stuff you see when you surf the web. A web page is usually HTML that is rendered (“translated”) by your web browser into all of those previously mentioned cool things. So since HTML can tell your email program to go and fetch stuff like pictures, movies and music from the web, it can also deliver bad stuff: a link whose text says “www.yourbank.com” but which actually points at a phishing site, or a “picture” that is really an attempt to exploit a bug in the program displaying it. So if this is the same thing that your web browser displays all the time, then why is it a problem with email? Two reasons. First, you chose to visit that web page; an email arrives whether you asked for it or not, and whoever sent it chose every bit of its content. Second, the moment your email program fetches a picture from the sender’s web server, the sender learns that your address is live, that you read the message, and when. That is exactly what spammers want to know, which is why many of those “pictures” are invisible one-pixel images that exist only to report back. So be very careful before you “download pictures” in an email (your email program should ask first) and don’t select “always download pictures”. Even when they’re from Dear Old Aunt Alice. Especially if they’re from Dear Old Aunt Alice.
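To make the two warnings above concrete, here is a small added example (my own, not code from the original post or from Chad Perrin’s articles) that inspects the HTML body of a message the way a cautious mail client would before rendering it. It uses only the Python standard library; the sample message, its host names and the tracking URL are all made up for the demonstration. It reports what would be fetched from the web on render, which of those fetches look like one-pixel “phone home” images, and which links show one host in their text while actually pointing somewhere else.

```python
# Added example, not code from the original post or from Chad Perrin's
# articles: a look inside an HTML email for the things the paragraph above
# warns about. Standard library only; the sample message is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class MailHTMLInspector(HTMLParser):
    """Collects (a) resources the mail client would fetch from the web on
    render, (b) one-pixel "pictures" that exist only to report back, and
    (c) links whose visible text names a different host than the href."""

    def __init__(self):
        super().__init__()
        self.remote_loads = []      # URLs fetched automatically on render
        self.tracking_pixels = []   # remote images sized 1x1 or 0x0
        self.deceptive_links = []   # (text shown, where it really goes)
        self._href = None           # href of the <a> currently open
        self._text = []             # text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe", "link"):
            src = a.get("src") or a.get("href")
            # cid: (attached) and data: (inline) images need no download
            if src and urlparse(src).scheme in ("http", "https"):
                self.remote_loads.append(src)
                if tag == "img" and a.get("width") in ("0", "1") \
                        and a.get("height") in ("0", "1"):
                    self.tracking_pixels.append(src)
        elif tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            real_host = (urlparse(self._href).hostname or "").lower()
            # If the link text looks like an address, the host it shows
            # should be the host it goes to. Plain "Click here" is skipped.
            as_url = shown if "://" in shown else "http://" + shown
            try:
                shown_host = (urlparse(as_url).hostname or "").lower()
            except ValueError:
                shown_host = ""
            if "." in shown_host and shown_host != real_host:
                self.deceptive_links.append((shown, self._href))
            self._href = None
            self._text = []


def inspect_html_mail(html):
    """What a client would do with this message if HTML rendering and
    automatic picture download were both allowed."""
    p = MailHTMLInspector()
    p.feed(html)
    p.close()
    return {
        "remote_loads": p.remote_loads,
        "tracking_pixels": p.tracking_pixels,
        "deceptive_links": p.deceptive_links,
    }


# Constructed sample: one deceptive link, one tracking pixel, one attached
# (cid:) photo that needs no download, one honest link.
SAMPLE_HTML = """\
<html><body>
<p>Dear customer, please verify your account at
<a href="http://login.mybank-secure.example/verify">www.mybank.com/login</a>
within 24 hours.</p>
<img src="http://tracker.example/open.gif?id=12345" width="1" height="1">
<img src="cid:photo1@aunt-alice.example" alt="the cat">
<p><a href="https://www.mybank.com/help">Help</a></p>
</body></html>
"""

if __name__ == "__main__":
    for kind, items in inspect_html_mail(SAMPLE_HTML).items():
        print(kind, items)
```

Run it and the cat photo from Aunt Alice is not flagged at all (it travelled inside the message), while the one-pixel image and the bank link are. A real client does the first of these checks for you when it asks “download pictures?”; nothing does the second one unless you hover over the link and read the address it actually goes to.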

2. If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail. This means avoiding the use of Web-based e-mail services such as Gmail, Hotmail, and Yahoo! Mail for e-mail you wish to keep private for any reason.

What he’s getting at here is that you should not use the “webmail” application with these services. That is, don’t check your email from a web browser. All of the services mentioned are also POP3 or IMAP servers that your email program can get email from. Unfortunately this can be pretty tricky to set up and you will probably need to get some help to do it right. The main thing to realize is this: those “free” web-based email services aren’t free (sorry but Grandma was right – there is no free lunch). They make money from their advertisers and YOU are the product they offer to those advertisers. So all of those companies would prefer that you leak as much private information to them as possible. It makes you a more valuable product.

3. It’s always a good idea to ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker “listening in” on your authentication session with the mail server. If someone does this, that person can then send e-mails as you, receive your e-mail, and generally cause all kinds of problems for you (including spammers).

This is very important. It sounds technical – and it is – but it’s not that hard to find out if your email program is set up right to do this. Just go to the “accounts” set up screen and make sure that the settings include something called “SSL” or “TLS”. If instead it says “cleartext authentication” or “password sent clear” that is bad. The give-away is usually the port number: an encrypted setup uses port 993 for IMAP or port 995 for POP3 on the incoming side, and port 465 or port 587 (with STARTTLS) for the outgoing (SMTP) server. If you see port 143, 110 or 25 with no SSL/TLS option checked, your password is crossing the wire in the clear. Most Internet Service Providers (ISPs) have been doing “secure authentication” by default for years. They only support the older (bad) stuff for really old computers, but if you have been with your ISP for a long time then you might never have changed your original settings. Definitely check this out. Also be aware that the web-based email services mentioned earlier all have this feature as well, but it is not on by default. They would like everyone to be able to access their service even from broken old web browsers or old smart phones that don’t communicate the right way. That’s not for you. In Gmail (the one I use and know the most about) under the general settings there is a choice to “always use https” which is a fancy way of saying “use a secure connection”.

4. If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.

This is spot on. It may be convenient to check your email using a web browser on your laptop, iPad or Droid from Starbucks, but be aware that it’s also very convenient for the bad guys to see everything you do – from afar. I’ve written before about using public WiFi safely. The main point being – don’t be an idiot. There’s a reason public WiFi is called that.

5. Turn off automated addressing features: As communication software accumulates more and more automated convenience features, we’ll see more and more cases of accidentally selecting the wrong recipients. A prime example is Microsoft Outlook’s “dreaded auto-fill feature,” where it is all too easy to accidentally select a recipient adjacent to your intended recipient in the drop-down list.

Yes indeed. Your email software contains all sorts of convenient features with which you can easily shoot your foot off. Or at least seriously embarrass yourself. Just make sure that your outgoing message is really going to its intended recipients – and ONLY the intended recipients – before you hit SEND.

6. Use BCC when sending to multiple recipients: It’s a bad idea, from a security perspective, to share email addresses with people who have no need for them. It is also rude to share someone’s email address with strangers without permission. Every time you send out an email to multiple recipients with all the recipients’ names in the To: or CC: fields, you’re sharing all those email addresses with all the recipients.

I can’t count the number of times I have gotten email from a well-meaning friend or acquaintance that has added me to a mailing list where every email address on the list is visible to every recipient. In some cases I might even know many of the people on the list, but that doesn’t mean that they want an unsavory character like myself knowing their email address. In case you are interested – or are one of the egregious offenders I mentioned – I use special email rules for all emails I receive where I’m part of a mailing list. Special in the sense that the message goes straight to the trash and black-lists the sender’s address if there are multiple visible recipients. So long and don’t bother to keep in touch.
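For anyone curious what such a rule looks like when written down rather than clicked together in a mail client, here is an added example (mine, not from the original post) of the “too many visible recipients” filter applied to raw messages, using only the Python standard library. Both sample messages and every address in them are constructed for the demonstration; the threshold of three visible addresses is an arbitrary choice.

```python
# Added example, not code from the original post: the "too many visible
# recipients" filter rule described above, applied to raw messages.
# Standard library only; both messages below are constructed for the demo.
from email import message_from_string
from email.utils import getaddresses, parseaddr


def visible_recipients(raw_message):
    """Addresses every recipient of this message gets to see: To: and Cc:.
    Bcc: is not considered because a properly behaving sending server strips
    it before delivery, so it never reaches anybody's inbox."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # unfold continuation lines before handing the values to the parser
    headers = [h.replace("\r\n", " ").replace("\n", " ") for h in headers]
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def sender_of(raw_message):
    """Bare address from the From: line (the one that gets blacklisted)."""
    _name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.lower()


def apply_rule(raw_message, max_visible=3):
    """The rule: a message that exposes more than max_visible addresses to
    everyone goes to the trash and its sender goes on the blacklist.
    Returns (action, sender) so a caller can act on both."""
    if len(visible_recipients(raw_message)) > max_visible:
        return "trash+blacklist", sender_of(raw_message)
    return "deliver", sender_of(raw_message)


# Constructed: the classic forward-to-everyone-I-know, addresses on display.
CHAIN_LETTER = """\
From: Well Meaning Friend <friend@example.org>
To: alice@example.com, bob@example.com, "Carol" <carol@example.net>,
  dave@example.com
Cc: eve@example.com
Subject: Fwd: Fwd: Fwd: you have to see this video!!
Content-Type: text/plain

Forwarding to everyone I know.
"""

# Constructed: the same sender doing it right. Bcc: was stripped in transit
# and the To: line carries only the customary empty group.
PROPER_BCC = """\
From: Well Meaning Friend <friend@example.org>
To: undisclosed-recipients:;
Subject: party on Saturday
Content-Type: text/plain

Eight o'clock, bring a dish.
"""

if __name__ == "__main__":
    for name, raw in (("chain letter", CHAIN_LETTER), ("bcc invite", PROPER_BCC)):
        print(name, visible_recipients(raw), apply_rule(raw))
```

The invite sent with BCC shows no addresses at all on the receiving end, which is the whole point of #6; the chain letter exposes five and gets binned.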

7. Save emails only in a safe place: No amount of encryption for sent emails will protect your privacy effectively if, after receiving and decrypting an email, you then store it in plain text on a machine to which other people have access. Sarah Palin found out the hard way that Webmail providers don’t do as good a job of ensuring stored email privacy as we might like.

Boy Howdy! I’ve also written about that very incident, in this entry about Sarah Palin and the great Yahoo! angst. The point here is one of the fundamental principles of security, be it information security or physical security: if you don’t control the location of the thing you want to protect, you can’t protect the thing. Whether it’s a classic car, the formula for Coca Cola or an email message. Last time I checked, you don’t have any control over Gmail, Yahoo! or Microsoft mail servers. You do, on the other hand, control your own computer. Learn from Sarah’s email mistakes.

8. Use private accounts for private emails: Any email you share with the world is likely to get targeted by spammers — both for purposes of sending mail to it and spoofing that email address in the From: field of the email headers. The more spammers and phishers spoof your email address that way, the more likely your email address is to end up on spam blocker blacklists.

If you are someone who insists on sending to mailing lists (we call that spam in the infosec biz) at least do it from some throwaway public email address you don’t care about – just like the real spammers. Because I guarantee that it won’t be long before real spammers are using that address anyway and then you won’t be able to send an email to anyone from that address. And for you Canadian readers, it’s probably best to avoid this behavior entirely as the Canadian government takes a rather dim view of spammers – intentional or otherwise.

9. Double-check the recipient, every time — especially on mailing lists: Accidentally replying directly to someone who sent an email to a mailing list, when you meant to reply to the list, isn’t a huge security issue. It can be kind of inconvenient, though, especially when you might never notice your email didn’t actually get to the mailing list.

This is a corollary to #5. So let’s just keep this real simple – avoid mailing lists. Sure they are convenient for sending out invitations to your soirée but seriously, how many times do you invite the exact same group of people to your soirées? And by the way, that mailing list you keep for sending out those funny jokes and videos – you know the one – where do you think those all end up? See #6 if you are really interested. Otherwise ignorance is bliss. And a complete waste of bandwidth.

Gray haired computing part 3

In part 1 of this series we talked about finding the right computer system and decried the lack of availability of such systems. In part 2 we talked about how to get connected with friends and family when access to a computer system is impossible or impractical. So in this part we’ll start from the assumption that the senior in question – most likely yourself, dear reader – already has a computer system that is more or less usable and is ready to do something fun and useful with it. How do you get from senior citizen to senior netizen, from lost in space to hacker space, without being pwned in the process? Actually it’s easier than you think. In fact you probably already know a whole lot more than you realize.

First off let’s define some of this confusing cyberspeak. I mentioned being “pwned” so let’s start there:

In hacker jargon, pwn means to compromise or control, specifically another computer, web site, gateway device, or application.

Why would someone want to do that? As it turns out that’s big business these days. You’ve probably heard about botnets. Here’s what that means.

Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. Typically botnets are operated by criminal entities.

And what do those criminal entities do with botnets? Mostly they sell bandwidth and compute resources – from the pwned PCs (bots) – to spammers.

Spam is the abuse of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately. The most widely recognized form of spam is e-mail spam.

Basically it breaks down like this: Your computer gets pwned and turned into a bot and becomes part of a botnet that is used to send spam like those “cheap viagra” emails that everybody receives.

Another thing you’ve probably heard about is phishing.

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Those are the two biggest threats on the internet. In fact they usually turn out to be a single threat. Here’s how that works: You get a phishing email that purports to be from your bank. Instead of sending you to your bank’s web site it links you to a malicious site that transfers malware to your computer, turning it into a bot.

Malware, short for malicious software, is software designed to infiltrate or damage a computer system without the owner’s informed consent. The term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, including true viruses.

I’m guessing that right about now you are thinking “this sounds really complicated”. While plenty of companies, both legitimate and fraudulent, would like you to believe that, it’s actually not. In truth phishing and spreading malware is nothing more than con games being run in this new environment, the internet. The point being, it’s up to you to avoid being a mark. And this mainly requires a change in the way you think about communication over the internet.

I’ve written about this issue before in a post called the Technology generation gap.

There have been grifters and scam artists around since time immemorial, but it’s only been with the advent of the ubiquitously anonymous internet that the scams, schemes and spam have become pervasive. Back in the day, a grifter’s work was strictly up close and personal as opposed to nowadays when you can hit millions of marks with a single shot. Kind of like a knife fight versus carpet bombing.

What you have to understand is that email is not like actual physical mail. It’s easy to get caught up in the abstraction of sending and receiving electronic mail. It appears to work exactly the same as sending or receiving correspondence. Only much faster. Unfortunately there are some dramatic differences between how mail and email work, and these differences make email significantly less private and reliable than mail. When you send a letter via mail it is picked up from a postal drop, transported through a series of post offices where it is postmarked and finally delivered to the intended recipient. Note that the same physical letter that was sent is received and the content of the letter often validates the identity of the sender. Junk mail is also easily identifiable as such. With email it works much differently. When an email message is sent, a copy is sent to and stored on the outgoing email server owned by the sender’s email provider. Then a copy of the message is relayed across the internet and received, after any number of intermediate stops along the way, by the incoming email server owned by the recipient’s email provider. From there the recipient gets a copy of the email message. Note that there are at least 5 copies of the message created and stored on at least 5 different computers for that one email message. And the sender and recipient only have control over their respective copies. Also because email is by definition computer generated the content cannot be used to validate the sender’s identity. In other words, anyone can type “Dear Grama, … Love, Katey”, but it doesn’t make them Katey. Also, remember those postmarks on letters? They show you where the letter originated from. While email contains a record of where it was sent from, including all intermediate stops along the way, you can’t trust the veracity of this record. Each server that handles the message stamps its own entry on top of the pile, so the only entry you can rely on is the one your own provider added when it accepted the message: that one records the address of the machine that actually handed the message over. Every entry below it, and the “From:” line itself, could have been typed by whoever sent the message and can easily be “spoofed” to appear to be from anywhere the sender wishes.
Furthermore since the bulk of the “daisy chain” of email message copies is not controlled by the sender or receiver it can be altered, corrupted or otherwise misused anywhere along the line and no one will be the wiser.
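To show what those electronic postmarks look like and which one is worth reading, here is an added example (mine, not from the original post) that pulls the Received: stamps off two constructed messages, using only the Python standard library. Every host name and address in the samples is invented (the IP addresses come from the ranges reserved for documentation), and the “your provider” server name is an assumption for the demonstration. The forged message carries the same “Love, Katey” From: line as the genuine one; the difference is only visible in the topmost stamp, the one your provider wrote.

```python
# Added example, not code from the original post: reading the "postmarks"
# (Received: headers) on an email and separating the one you can trust from
# the ones you can't. Standard library only; both messages are constructed,
# using documentation addresses, and all host names are made up.
import re
from email import message_from_string
from email.utils import parseaddr

# "from <name the sending machine claimed> (<what the receiving server saw>)"
_RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*\(([^)]*)\)", re.IGNORECASE)


def received_chain(raw_message):
    """Received: headers in travel order. Each relay prepends its own stamp,
    so the topmost header is the last hop (your provider) and the bottom one
    is the first hop, which is whatever the sender chose to write."""
    hops = message_from_string(raw_message).get_all("Received", [])
    return [" ".join(h.split()) for h in reversed(hops)]


def last_hop(raw_message):
    """The one stamp you can rely on: the topmost Received:, written by your
    own provider when it accepted the message. 'claimed' is the name the
    other machine announced (it can say anything); 'observed' and 'ip' are
    what your provider actually saw on the wire."""
    hops = message_from_string(raw_message).get_all("Received", [])
    if not hops:
        return None
    m = _RECEIVED_FROM.search(" ".join(hops[0].split()))
    if not m:
        return None
    seen = m.group(2).split()
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", m.group(2))
    return {
        "claimed": m.group(1).lower(),
        "observed": seen[0].lower() if seen else None,
        "ip": ip.group(1) if ip else None,
    }


def from_matches_last_hop(raw_message):
    """Heuristic: did the message reach your provider from a machine whose
    real (reverse-DNS) name is in the From: address's domain? False is not
    proof of forgery (forwarders and mailing lists break it too), but it is
    a reason to stop and look before wiring anybody money."""
    _name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hop = last_hop(raw_message)
    if not hop or not from_domain or not hop["observed"]:
        return False
    host = hop["observed"]
    return host == from_domain or host.endswith("." + from_domain)


# Constructed forgery: the sender announced itself as the college mail server,
# but your provider saw an address with no matching name ("unknown"). The
# second stamp below the top one was typed by the sender, not by any relay.
FORGED = """\
Received: from mail.katey-college.example (unknown [203.0.113.99])
  by imap.your-provider.example with ESMTPS id 77abc;
  Mon, 1 Mar 2010 10:00:00 -0500
Received: from webmail.katey-college.example (webmail.katey-college.example [198.51.100.7])
  by mail.katey-college.example with ESMTP id 5xyz; Mon, 1 Mar 2010 09:59:58 -0500
From: Katey <katey@katey-college.example>
To: Grandma <grandma@your-provider.example>
Subject: Dear Grama

I lost my wallet, please wire money. Love, Katey
"""

# Constructed genuine message: same From: line, but it really did come from
# the college's mail server, and your provider's reverse lookup agrees.
GENUINE = """\
Received: from mail.katey-college.example (mail.katey-college.example [198.51.100.7])
  by imap.your-provider.example with ESMTPS id 78def; Mon, 1 Mar 2010 11:00:00 -0500
From: Katey <katey@katey-college.example>
To: Grandma <grandma@your-provider.example>
Subject: Dear Grama

Thanks for the cookies. Love, Katey
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, last_hop(raw), from_matches_last_hop(raw))
        for hop in received_chain(raw):
            print("   ", hop)
```

Note that even the top stamp has a part the sender controls (the name the sending machine announced) and a part it does not (the address your provider saw and the name it looked up for that address). The check above deliberately uses only the second part.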

The next thing to understand is that the internet is designed to be anonymous. Just like the famous New Yorker cartoon: “On the internet nobody knows you’re a dog“. Unlike real life where we tend to trust people until they are proven to be untrustworthy, on the internet there are no people, as in actual living human beings, to trust. Actual humans are not directly responsible for a fair portion of internet traffic. Much of the content on the web is generated by bots or other automated processes. For us actual human internet users this requires a complete reversal of the way we’ve always thought about communication. In other words, we must assume that anything we get from the internet is suspect until proven otherwise. Guilty until proven innocent. This is the hardest thing for most of us who grew up before the information age to do. But it’s critical to understanding how the internet works.

The bottom line is this: Trust no one and don’t be an idiot. If it sounds too good to be true, it is. I mean seriously, when you see a scary message pop up on your screen like “your computer is infected with a terrible virus” ask yourself “why would anyone care about my computer?” The answer is obvious, and unless you enjoy being a sucker you’ll treat it the same way you would the street corner three-card monte dealer. Move on. Nothing interesting here.

Now hold on there, bucko. It has to be more complicated than that. What about all that anti-virus stuff and anti-phishing services? What about Windows update? Well you got me there. The sad fact is that Microsoft Windows spawned a whole industry of snake oil products [Whoa! I knew I felt a conspiracy theory coming on!] that are now required for Windows users. But at least now the Microsoft serpents have eaten the other serpents [Woo Hoo! A vague biblical reference too!] with the introduction of Microsoft’s own anti-malware tools for free. So at least you won’t have to pony up annual subscriptions. Yet. So if you are running a Windows computer, threaten to cut the person who foisted it on you out of your will until they set this up for you. If you have a Mac or Linux computer just send the clever and generous person who gave you such good advice a digital smooch. But just remember, regardless of how much anti-malware stuff you have on your computer, or how up to date you are with all of those “security patches” you are still at risk if you act like an idiot. By contrast you could be running an old unpatched, unprotected Windows 2000 box and be just fine as long as you refuse to be a mark for online grifters. One caveat on that: “unprotected” must not mean reachable from the network. Worms like Blaster and Conficker spread from machine to machine with nobody clicking anything, so an unpatched box that is exposed to the internet gets pwned with no help from you at all. Put it behind a firewall or a home router and the rest is up to you.

So that’s the secret. Like most things in life, the easiest solution is the best.

The pirate you know…

Steve Ragan over at The Tech Herald reports a most curious situation in this post wherein the attempted closure of The Pirate Bay [don't worry the link is to Wikipedia, not TPB] is having some unintended side effects.

The number of new file-sharing sites hosting pirated copyrighted content skyrocketed over the last three months, according to McAfee’s Q3 Threats Report. The attempted closure of the infamous Pirate Bay site spawned clones and scams as criminals used the hype to spread malware.

“The attempted shut down of The Pirate Bay led to an explosion of similar sites, many of which are malicious,” said Dave Marcus, director of security research and communications for McAfee Labs. “The sharing of illegal content online has not been quelled by the prosecution of The Pirate Bay founders, whose site was back online within 24 hours.”

Way to go, copyright crusaders. Not only did the attempts to shut down The Pirate Bay fail miserably, but now there are even more sites providing even more dubious services. That would be way more pirated content and way more nasty malware. And these newcomers don’t even have the amusing legal messages and responses pages [again not to worry, the link is to Hip Forums] of the original. Right about now I’m thinking that maybe you would have been better off to just stick with the pirate you know.

The entire McAfee Q3 Threats report may be found here.

Security For All First Birthday: Revisiting Using public Wi-Fi safely

Number 2 with a bullet on the First Annual Security For All Hit List was a surprise [to me anyway]. This post on March 16, 2009 titled Using public Wi-Fi safely was a review/amplification of this article by Rich Vázquez. So I came up with this great idea that I would do another review/amplification on my original review/amplification. Are you confused yet? Don’t worry you will be. Here are the high points.

Certainly you want to verify that the wireless net is what you expect prior to connecting, but the more important issue is that the operative word in “open Wi-Fi” is open. Most open Wi-Fi nets don’t need an evil twin. They are totally amoral by definition. Open means exactly that – anyone and everyone is invited to join in the fun. Which is great if you are adequately protected. Or a grifter looking for marks.

While this is certainly true, it’s a little light on actionable advice. Open Wi-Fi nets can be really useful if you want to do some innocuous web surfing or anything that doesn’t involve disclosure of sensitive information. Having said that, the unfortunate reality is that pretty much anything you would want to do online – including innocuous surfing – involves disclosure of sensitive information. The point is that if you want to use open public Wi-Fi you need to have your PC, whether it is running Windows, Mac OS X or Linux, locked down tight. But what exactly does “locked down tight” mean? Turns out that is addressed in the next section.

Actually using personal firewall software is the first line of defense. Anti-virus is the last line of defense. While I’m sure this will cause a great deal of controversy (at least I hope so – bring it!) I submit that anti-virus software is optional and a good bi-directional firewall is critical. How so? Glad you asked. The firewall should make you invisible to the outside network. Many, if not most, popular firewalls do not do this out of the box. You need to make a visit to the Gibson Research (Steve Gibson of Security Now! fame) Shields Up! site and tweak your firewall setup until you are in “stealth mode”. If you don’t do that, then even good anti-virus software – and I’m dubious that such a thing exists – will not be useful. The greatest threat posed by the open network is information leakage, not malware infection. The risk of your PC being infected by malware that steals your information is significantly mitigated by the firewall. And once the PC is infected by such malware, if your firewall blocks egress to everything but approved processes – a feature of those good bi-directional firewalls mentioned earlier – information leakage should be prevented anyway. My point: it is a lot more effective to prevent malware infestation than to detect it after the fact. It should be noted here that Rich makes an excellent and critical point: there is almost always a time lag between when information is stolen and when the stolen information is used. Sometimes the time lag is significant, so just because your stolen information hasn’t been exploited yet doesn’t mean it hasn’t been stolen.

I’ll admit it, I’m not a fan of the concept of anti-virus. I think it’s a sucker game with no winners but the anti-virus vendors and professional hackers. Certainly not you, the user. But far be it from me to suggest that you dump your anti-virus. If you use Microsoft Windows, then you probably should continue using it. But if I were you, I’d certainly stop paying for it. There are free anti-malware suites available – including one from Microsoft – that are as good or even better than the subscription based stuff. Just remember to keep it updated. The main point here is that anti-virus is optional but a good firewall is critical. Mac OS X and most distributions of Linux (certainly all of the popular distros) ship with a very good firewall. Unfortunately the firewall that ships with Windows XP only filters incoming connections (earlier versions of Windows shipped with none at all), so it has no say over which programs on your PC are allowed to talk out and should be replaced with one of the excellent third-party software firewalls available. Many for free. To understand why you need a firewall, you need to know what it is and how it works. So allow me to digress. If you already know this stuff then feel free to skip it. Or comment on what I got wrong or oversimplified.

[Begin Digression: Firewalls]

When a computer communicates over a network there must be a way for other computers to find it. Otherwise no communication happens. Therefore each computer must have an address, not unlike a post office box. In order for any kind of communication to take place there must be at least two parties involved. Same with computers. Only computers have strict rules of etiquette governing conversations. There are always two distinct roles in a computer conversation: the server and the client. The server is the computer that is going to provide most of the information in the conversation. The client is the one asking for information. It’s easy to see this in action any time you connect to a web site. Your computer [acting as the client] contacts the web site computer [acting as the server] and requests information. The server sends the information in the form of a web page back to your client, which displays it in your browser.

So how did your computer [the client] know how to reach the server? And how did the server know where to send the reply? Remember those addresses I mentioned earlier? Well, the URL that you typed into your browser (or the link you clicked on) gets translated into one of those PO boxes. But that’s only half the story. Each of those PO boxes is shared by a bunch of different services. So each PO box has a port for each of the services. When the message goes to a specific port in the PO box, the service listening for messages will respond. The service knows where to respond because there is a return address (including a port) in the message. If no service is listening at a port, that port is said to be closed. A message sent to a closed port gets a curt “nobody here” reply (for the usual TCP conversation, a reset packet) and nothing more. Here is the critical thing to know about ports: server ports are well-known and advertised (otherwise nobody would be able to start a conversation) but client ports are random and used for one and only one conversation. In other words when your client contacted that web site, the “http://” in the URL meant “send this message to port 80”, the HTTP port. Your client put a random port in the message return address so only replies to this particular message can get back to your client.

By this time you’re probably wondering what this has to do with firewalls. Everything, actually. Stay with me. Something that might not be obvious is that every networked computer is both a client and a server. That’s right. Even your PC or Mac. This is where a firewall comes in. A firewall controls all of the ports on your computer. A good firewall will start with almost all ports closed. In other words if you want your computer to share folders with other computers (i.e. be a server for the share service) then the firewall needs to open the share service ports (139 and 445). Early Windows XP (before Service Pack 2) had lots of ports open by default. Stuff like Universal Plug and Play (UPnP) and Remote Registry. This was a really bad idea since black-hat hackers figured out ways to crash or abuse those services and get malware on your computer by sending malicious messages to those open ports. But if you have a firewall, you can block all ports that you don’t need. That way even if the service is listening for messages, it will never get them. Better still, a firewall can drop those messages silently instead of sending the “nobody here” reply, so someone scanning the network for targets gets no answer at all and can’t even tell your computer is there. That silence is the “stealth mode” that Shields Up! tests for. Further, a good bi-directional firewall watches for outgoing network messages. It knows that your browser and email program should be allowed to start conversations with other computers (well duh, they wouldn’t be very useful if they couldn’t). But it will block and/or warn you when something it doesn’t recognize (say NastyMalware.exe) tries to start a conversation with another computer. That’s why firewalls are so important.
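Here is an added example (mine, not code from the original post or from Steve Gibson’s site) that lets you see the three port states a scanner like Shields Up! distinguishes, and the random client port the digression describes, without leaving your own machine. It uses only the Python standard library and talks to 127.0.0.1, so the only state it cannot show you locally is “stealth”: that requires a firewall silently dropping the packet, which is exactly the condition that makes the probe time out.

```python
# Added example, not code from the original post or from Shields Up!: what
# "open", "closed" and "stealth" mean on the wire, plus a look at the random
# client port the digression describes. Standard library only; everything
# runs against the local loopback address, so no firewall is involved.
import socket
from contextlib import closing


def port_state(host, port, timeout=2.0):
    """Classify a TCP port the way a scanner sees it.
    open:     something answered and accepted the conversation
    closed:   the host answered 'nobody here' (a TCP reset), so an attacker
              now knows there is a machine at this address
    stealth:  no answer at all within the timeout, which is what a firewall
              that silently drops the packet looks like from outside
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "stealth"


def start_listener():
    """Start a throwaway TCP 'service' on 127.0.0.1 on a port the OS picks.
    This is a server port: fixed for as long as the service runs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def find_closed_port():
    """Find a loopback port nothing is listening on (bind it, then let go)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def client_port_for(server):
    """Connect to a listener and report the source port the OS handed the
    client side: random, above the well-known range, one per conversation."""
    host, port = server.getsockname()
    with closing(socket.create_connection((host, port))) as c:
        conn, _peer = server.accept()
        conn.close()
        return c.getsockname()[1]


if __name__ == "__main__":
    srv = start_listener()
    server_port = srv.getsockname()[1]
    try:
        print("listener on", server_port, "->", port_state("127.0.0.1", server_port))
        print("client side used port", client_port_for(srv))
    finally:
        srv.close()
    quiet = find_closed_port()
    print("nothing on", quiet, "->", port_state("127.0.0.1", quiet))
```

Point `port_state` at a public address and a port you know is blocked by a firewall and the call will sit for the full timeout before returning “stealth”; that silence, not the “closed” reply, is what you are tuning for when you follow the Shields Up! advice above.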

[End Digression: Firewalls]

[In response to Rich's advice that file sharing be turned off] Absolutely spot-on here! The average personal computer does not implement many of the file sharing protections that are available on corporate networks. Otherwise very few home users would ever be able to take advantage of file sharing. As Rich points out, whatever you share is shared with everyone on the network. The entire open Wi-Fi network. Just say no to file shares.

Actually that just about covers it. There is never a good reason to have a Windows file server on an open Wi-Fi network. Period.

In fact most of the threats in a “coffee shop” environment (i.e. your typical open Wi-Fi hotspot) are decidedly low-tech. Fortunately the best defense is also low-tech – don’t be an idiot. One of the examples Rich uses is a perfect case in point: if you are doing your taxes online from an open Wi-Fi hotspot you are a moron and deserve to be pwned. I’m sorry but it’s true. There really is no mitigation for user stupidity. Seriously though, social engineering is by far the most effective tool black hat hackers have. There is definitely one born every minute. Don’t be the one.

There is no substitute for common sense. If you want to check your personal email from a Wi-Fi hotspot, sure go ahead. Much as we would like to believe the contrary, our personal mail is mundane, boring and of little value to anyone else. Your tax return, or your employer’s internal profit forecast are a completely different story.

Regardless of how “stealthy” your PC is, it still has lots of incoming and outgoing traffic that is easily sniffed on the open Wi-Fi network. Go snag a copy of AirSnort if you want to see just how easy this is. Your traffic had better be encrypted if you don’t want it to be completely public. Having said that, encryption in and of itself is not enough. As Hugh Thompson says you can’t just “sprinkle on the magic crypto fairy dust”. For example if you’ve already been compromised by a Man-In-The-Middle attack, starting an encrypted session might simply result in a nice encrypted pipe that is available to no one but you, your bank and the attacker. Also, a site’s use of HTTPS is no indication of the legitimacy of the site unless you actually check the validity of the SSL certificate. And very few people do that. Or even know how to do that. So back to an earlier point, don’t be an idiot. Encryption does not mitigate stupidity. Recently this article from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security described a situation in a coffee shop where a business person connects to the corporate LAN (no doubt securely), starts up a remote desktop session (again no doubt securely) and then goes to the restroom leaving the laptop unlocked and unattended for 10 minutes. Doh!

In case you forgot, your Wi-Fi adapter is a radio. The hot spot wireless access point is also a radio. Radio waves go everywhere and can be received by anybody in range with a radio receiver tuned to the right frequency. It’s not just talk radio hosts that think this is a swell idea. But again, regardless of how well protected your Wi-Fi signal is, if there is sensitive information on the screen, where anybody within sight range can see it, it’s still exposed. Remember, if you stand naked in front of a window, even if the window has bulletproof glass, you’re still exposed.

Finally, as far as I know Rich still hasn’t joined the Security Bloggers Network. And he still should.

Do not fall for this

The folks over at MX Lab wrote this blog entry about a particularly nasty malware site they discovered recently.

When checking some URLs at MX Lab this one caught our attention because it is a nice trick to distribute malware. The trick is to attract people that want high speed internet for free. Don’t we all want this? I believe so but this one isn’t going to offer you high speed internet at all.

The website starts with a very nice offer:

Attention All Customers: March 19, 2009

Comcast High Speed Self Installation Kit v.4 is a special utility designed to boost the speed of your connection. This tool has advanced features of the 3rd generation high speed internet with multiple connections , download scheduling, and many more. It is free proposition for all Comcast clients (any connection) for 300 days.

The upshot is that they have you download an installer, named ComcastHSkit.exe, which actually installs a rootkit that turns off the Windows firewall and Security Center and then “phones home” to a notorious malicious site. Real nasty stuff.

The reason I’ve designated this as “particularly nasty” is that it looks like the real deal. The bad guys in this case have really done a good job of spoofing the kind of stuff that Comcast spams its customers (including me) with regularly. While I wouldn’t expect a network security savvy person to fall for this, sadly I can’t say the same for most folks. I know quite a few people who would see this kind of offer and, not unreasonably, want to take “Comcast” up on their offer to speed up their network connection. Especially here in Colorado where our broadband speeds are, well, not that speedy.

Give this a pass. You’ll be glad you did.

And thanks to the guys at MX Lab.

Using public Wi-Fi safely

Rich Vázquez, a fellow CISSP, has an article in the Georgetown Hutto/Taylor by way of Community Impact Newspaper entitled Ways to use public Wi-Fi safely. While generally good advice I feel compelled to, if not disagree exactly, elaborate on some of his statements. So here goes.

The first thing to do in a public space is find the name of the network to connect to. Hackers sometimes set up similarly spelled networks, such as HavaHouse instead of JavaHouse. This is called an Evil Twin Attack. Once connected to the imitation network, hackers can get information from the computer and internet activity. It is important to verify the name of the intended network before connecting to one.

Certainly you want to verify that the wireless net is what you expect prior to connecting, but the more important issue is that the operative word in “open Wi-Fi” is open. Most open Wi-Fi nets don’t need an evil twin. They are totally amoral by definition. Open means exactly that – anyone and everyone is invited to join in the fun. Which is great if you are adequately protected. Or a grifter looking for marks.

Using anti-virus and firewall software is a front line of defense. A firewall prevents someone from finding a program on a computer that would allow them to connect and steal information. If a hacker can connect to a victim’s computer, he or she can also find a way to infect the victim’s computer with a virus and later steal private information. Many criminals collect information in large databases and work through the names over time. Some frauds are executed over many months or years, so victims may not realize their information or computer has been compromised until the criminal is ready to use it.

Actually using personal firewall software is the first line of defense. Anti-virus is the last line of defense. While I’m sure this will cause a great deal of controversy (at least I hope so – bring it!) I submit that anti-virus software is optional and a good bi-directional firewall is critical. How so? Glad you asked. The firewall should make you invisible to the outside network. Many, if not most, popular firewalls do not do this out of the box. You need to make a visit to the Gibson Research (Steve Gibson of Security Now! fame) Shields Up! site and tweak your firewall setup until you are in “stealth mode”. If you don’t do that, then even good anti-virus software – and I’m dubious that such a thing exists – will not be useful. The greatest threat posed by the open network is information leakage, not malware infection. The risk of your PC being infected by malware that steals your information is significantly mitigated by the firewall. And once the PC is infected by such malware, if your firewall blocks egress to everything but approved processes – a feature of those good bi-directional firewalls mentioned earlier – information leakage should be prevented anyway. My point: it is a lot more effective to prevent malware infestation than to detect it after the fact. It should be noted here that Rich makes an excellent and critical point: there is almost always a time lag between when information is stolen and when the stolen information is used. Sometimes the time lag is significant, so just because your stolen information hasn’t been exploited yet doesn’t mean it hasn’t been stolen.
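The firewall posture argued for here, and spelled out in the firewall digression earlier on this page (default-deny, close 139 and 445, egress only for approved programs, and a look at what is actually listening), as an added PowerShell example that is not from the original post or from any firewall vendor. It assumes an elevated shell with the NetSecurity module (Windows 8 / Server 2012 or later); the program paths are placeholders for your own machine.

```powershell
# Added example configuration, not from the original post or any vendor.
# Puts the built-in Windows firewall into the posture described above:
# see what is listening, default-deny inbound AND outbound, shut the share
# ports, then allow egress only for named programs and services.
# Assumes an elevated PowerShell with the NetSecurity module (Windows 8 /
# Server 2012 or later). Program paths below are assumptions, not facts.

# 1. What is listening? Every row is a service waiting for messages from
#    the network, i.e. your PC acting as a server.
function Get-ListeningServices {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
}
Get-ListeningServices | Format-Table -AutoSize

# 2. Start with almost all ports closed. Blocking outbound by default is what
#    makes this bi-directional; NotifyOnListen prompts when a new program
#    opens a listening port.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -NotifyOnListen True

# 3. Close the file-sharing ports explicitly, so the share service never
#    sees a message from the open Wi-Fi even if it happens to be running.
New-NetFirewallRule -DisplayName 'Block SMB/NetBIOS inbound' `
    -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
    -Action Block -Profile Any

# 4. Allow egress only for programs that legitimately start conversations.
#    Anything else (NastyMalware.exe in the digression) hits the default
#    outbound Block and shows up in the log instead of phoning home.
$allowedOut = @{
    'Firefox'     = 'C:\Program Files\Mozilla Firefox\firefox.exe'            # assumed path
    'Thunderbird' = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'    # assumed path
}
foreach ($name in $allowedOut.Keys) {
    New-NetFirewallRule -DisplayName "Allow $name outbound" `
        -Direction Outbound -Program $allowedOut[$name] `
        -Action Allow -Profile Any
}

# Name resolution and address assignment live inside svchost.exe; scope the
# rule to the service rather than letting every svchost-hosted service out.
New-NetFirewallRule -DisplayName 'Allow DNS client outbound' `
    -Direction Outbound -Service Dnscache -Protocol UDP -RemotePort 53 `
    -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Allow DHCP client outbound' `
    -Direction Outbound -Service Dhcp -Protocol UDP -RemotePort 67 `
    -Action Allow -Profile Any

# 5. Log what gets dropped, so an unexpected outbound attempt is visible later.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
```

With the default outbound action set to Block, anything not listed (Windows Update, time sync, other browsers) is also blocked until it gets its own rule; that is the intended behaviour, but expect to add rules as you learn what a machine legitimately needs. Each rule can be undone with Remove-NetFirewallRule -DisplayName.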

File sharing is also a big risk. Many people have multiple computers in their homes and share files. If a folder with family pictures or business documents is shared at home, those files will still be shared when connected in a public place and may be exposed to anyone else on the network.

Absolutely spot-on here! The average personal computer does not implement many of the file sharing protections that are available on corporate networks. Otherwise very few home users would ever be able to take advantage of file sharing. As Rich points out, whatever you share is shared with everyone on the network. The entire open Wi-Fi network. Just say no to file shares.

Not every attack is high-tech. While engrossed in email or doing taxes online, someone may be sitting nearby carefully watching for user names, passwords or other personal information. This is called shoulder surfing. Social engineering can be a series of emails, phone calls or a conversation that tricks a victim into revealing information that can be used later to bypass security. That same person who was looking over a victim’s shoulder could start a conversation and during casual chatter find out additional personal information such as birthdays, names of children and names of pets — all commonly used passwords. Without ever touching a computer, a hacker could find out e-mail providers, banking information, and answers to commonly asked security questions.

In fact most of the threats in a “coffee shop” environment (i.e. your typical open Wi-Fi hotspot) are decidedly low-tech. Fortunately the best defense is also low-tech – don’t be an idiot. One of the examples Rich uses is a perfect case in point: if you are doing your taxes online from an open Wi-Fi hotspot you are a moron and deserve to be pwned. I’m sorry but it’s true. There really is no mitigation for user stupidity. Seriously though, social engineering is by far the most effective tool black hat hackers have. There is definitely one born every minute. Don’t be the one.

The easiest way to confirm a secure connection is to check for the https, with an s at the end, on a website to verify that it is using basic encryption for the traffic. Errors on the page could also be an indicator to watch out for. Sites using https are using SSL Certificates, which help verify the website is authentic. The information sent between visitors and the website is also encrypted, or scrambled so that someone watching the network cannot read the information.

Encryption helps protect website visitors from wireless sniffing. Tools are available for free that enable information to be tracked as it moves on the network. Attackers can watch a website visitor’s traffic and use it to find passwords or even recreate a document or file sent to someone via the internet.

Again Rich makes a very important point. Regardless of how “stealthy” your PC is, it still has lots of incoming and outgoing traffic that is easily sniffed on the open Wi-Fi network. Go snag a copy of AirSnort if you want to see just how easy this is. Your traffic had better be encrypted if you don’t want it to be completely public. Having said that, encryption in and of itself is not enough. As Hugh Thompson says you can’t just “sprinkle on the magic crypto fairy dust”. For example if you’ve already been compromised by a Man-In-The-Middle attack, starting an encrypted session might simply result in a nice encrypted pipe that is available to no one but you, your bank and the attacker. Also, a site’s use of HTTPS is no indication of the legitimacy of the site unless you actually check the validity of the SSL certificate. And very few people do that. Or even know how to do that. So back to an earlier point, don’t be an idiot. Encryption does not mitigate stupidity. Recently an entry on the Security Bloggers Network (sorry I forget who, please set me straight since I’d really like to give credit where credit is due) described a situation in a coffee shop where a business person connects to the corporate LAN (no doubt securely), starts up a remote desktop session (again no doubt securely) and then goes to the restroom leaving the laptop unlocked and unattended for 10 minutes. Doh!

[UPDATE] The blog entry referenced earlier is from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security. In addition, I referenced it earlier in this blog in an entry entitled Save us from the other people.

Check out Rich’s article; he’s got some great resources listed. Maybe we can even convince him to blog with the SBN.

Security ideas for your mom revisited

Information security for everyone is a big deal with me. I even have a weblog devoted to that very ideal. So Julie Seedorf’s Something About Nothing article, “Be careful of what you store on computers” definitely resonated with me.

I read an article from PC Magazine recently. It was titled “Day in the Life of A Web 2.0 Hacker.” Because many of my days consist of repairing damage done by viruses and hackers to people’s computers, this article was of interest to me.

I like the Internet. I remember years ago my first experience with the Internet. It was exciting to be able to read Web pages created by people many miles and countries away from my home. It was exciting to be able to connect with new people. The Internet was a new information highway that would revolutionize our life.

There is no question that the Internet has changed the way we receive our news, the way we do business and the way we are in touch with people. However, reading this article confirmed what I have been feeling recently. I am frustrated with the dangers that the Internet has invoked upon our society. I am frustrated with the controls we need on our computer to keep our information safe. I am frustrated by the lack of security enforcement by law officials.

While I completely concur with Julie’s sentiments, isn’t everybody aware of the risks of our Web 2.0 lives? Aren’t there plenty of wise and erudite security experts providing all of the information that everyone needs to know about being secure? And what about all the excellent and ubiquitous security suite software packages available? Surely a tech savvy person like Julie has nothing to be concerned about. And clearly if you are a Republican VP candidate the Feds are quick to enforce even the most trivial security breaches at least as long as the Feds are Republicans. Sorry couldn’t resist.

Unfortunately all of the preceding rhetorical questions are pure irony. Phillip Hallam-Baker’s Web Security Blog article “Zero Overhead Security” sums it up this way.

Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?

A good part of the problem can be laid at our door, fellow security professionals. We can certainly build brilliant complex software and our marketing and sales brethren can sell the heck out of it. But there is something very wrong when at the end of the day someone like Julie is left with this anemic solution.

The new security programs are good. The problem with many of the new programs is that they put blocks and watch everything we do on the computer and sometimes they make it difficult for us to understand how they work. These programs sometimes block sites that we want to use. These programs sometimes warn us more than we want.

Why am I writing this column? There is no fun in this column. I don’t feel funny about the Internet right now. I am here to tell you to put a good security suite on your computer and learn what it does and what you need to do to keep your computer and information safe. Make sure you update your virus signatures, keep your firewall on and be careful what you open.

Be careful of the personal information you share with others. Create strong passwords that contain a mix of numbers and letters and don’t use the same one for all Web sites. Watch what your kids and teenagers are doing on the Web.

All of these precautions may not protect you completely but they will help.

So why do I say this is anemic? Isn’t this exactly what we’ve been telling Julie to do? Hasn’t she hit on every “best practice” point? Enough with the ironic rhetorical questions. How about some concrete ideas that Julie or you can give your mom on security that will make a difference. In three earlier articles here, here and here I attempted to build a framework of ideas that mom should consider when getting a new computer and going online. What’s missing from those articles are specific details. So without further ado:

Security Ideas for Mom – Revisited

  1. Get a good firewall. Most of the popular security suites available will come with a desktop firewall, but not all of these are created equal and some are not even created well. Specifically several of the most popular include predefined exceptions for their “partners”. Now I don’t know about you, but just because someone has finances to partner with a security vendor does not imply that I should trust them. Note to vendors – transitive trust is not a desirable feature of a firewall. What I would suggest here is to think outside the software box a little (I know, heresy for a software geek, but I’m also an EE). Why not buy a hardware firewall? Like the ones that come with decent wireless access points. Even if you aren’t interested in running wireless (yet) and only have a single computer (so far) this is still a great idea, not to mention a bargain. Given that the annual subscription fee for the most popular security suite is $60, you can get a very nice wireless router for that price. And you only have to pay for it once. Furthermore, setting up the firewall, and other features on a consumer NAT router is simple. They really aren’t that smart. Which is a good thing. The only caveats are: do not keep any of the defaults (i.e. SSID and passwords) and if you actually use wireless, lock it down to the specific hardware (MAC) addresses of the devices you want to allow on your network and turn off any broadcast or UPnP. Also turn off any remote maintenance. You can also use desktop firewall software along with a hardware firewall and NAT router, if you are paranoid (and you should be). Just be sure and get a good bidirectional firewall that watches outgoing as well as incoming traffic so it can stop spyware and adware that wants to phone home. Once you get your NAT router/firewall system in place, you need to go to the Gibson Research web site and run ShieldsUP!. You should be completely stealth. A ghost on the internet.
In my opinion, a hardware NAT router and firewall, coupled with a bidirectional software firewall eliminates most of the need for anti-virus software (more heresy I know). But I like the idea of cutting off the malware at the pass, as it were.
  2. If your computer is portable use full disk encryption. Period. No exceptions. Essentially full disk encryption converts the entire contents of your hard disk to random noise that cannot be deciphered without a key (passphrase or hardware key). There have been rumors over the years of groups like the NSA having the capability to break strong encryption, but trust me, you, me and mom are not worth the effort. The most widely known full disk encryption package is Microsoft BitLocker, which is available with Vista Ultimate. For most average users, it’s probably not worth the $300 upgrade to Vista Ultimate, but business users who are running Vista Ultimate on their mobile workstations should definitely contact their IT folks and get it set up. Fortunately there are some great (some would argue superior) alternatives to BitLocker. I use the open source TrueCrypt package, because it runs on all of the platforms I use (Windows, Mac and Linux) and it’s free. The point is that when you lose your portable computer and the disk is encrypted, all that is really lost is the hardware (assuming you have backups) which is far less valuable than your data and personal information.
  3. Get a good password manager. Certainly you can try to create and remember 50 odd strong passwords, but it’s a whole lot easier to create and remember one strong password that can be used to access hundreds of your insanely strong and impossible to remember passwords. I’ve already written an article about this, so you can read all about it. There are some very good password managers, both open source and commercial. An important feature of the password manager you choose should be the ability to set up expirations on your passwords – i.e. something that reminds you to change passwords. For email accounts you should change the password every 6 months and financial services every 3 months. Since with a good password manager this is easy to do, feel free to do it more often.
  4. Get different email addresses for different purposes. When you sign up with your ISP you get an email address that is your primary. If you intend to do Web 2.0 stuff, like say a weblog or social networking like facebook or MySpace you should get a free online email address from Google (GMail), Yahoo (Yahoo Mail) or Microsoft (Windows Live Hotmail). Use this online account when you register for social networking sites. Then you can have your friends and casual acquaintances contact you via the social network site. Only use your primary email account (the one from your ISP) for banking and other communication where there is a risk of Personally Identifiable Information (PII) leakage. Do not give out your primary email address to anyone but those sensitive accounts. This can be a problem if you’ve already let the horse out of the barn so to speak. Fortunately you can still get around it by sending out change of email address notices to everyone who has your primary asking that they use the new email address or contact you through your social network. If they don’t, just ignore them. They’ll figure it out. Or not. If you are involved in a legal or highly sensitive situation where privacy and confidentiality is crucial then you should check out a secure email service like VaultletSuite 2 Go. This service includes a minimal, but extremely secure email environment. For everyday it’s overkill, but if you are sending sensitive messages to your lawyer, it is definitely worth considering.
  5. Use different web browsers for different purposes. Let me be specific here: use Internet Explorer for your banking and financial sites, and no other sites. Use Firefox, Opera, Safari, Chrome or even another copy of IE for your social networking and casual surfing. The reason I recommend IE for banking and insurance sites is that they tend to work best (or only) with IE. Social sites, on the other hand tend to favor Mozilla (Firefox) or Webkit (Safari and Chrome) browsers. Now wait, isn’t it really inconvenient to share bookmarks between browsers? Yes. Exactly. Which is why you don’t want to do that. Your banking browser should only have bookmarks for your banks. Actually sharing bookmarks is not hard and if you really want to share between multiple social browsers, get a del.icio.us account. With your public email from #4.
  6. If you download software get a disposable virtual environment. Downloading anything from the web and installing it on your PC is risky business, even if it is from a reputable site, but it can be catastrophic if your tastes run to the wild side. The problem is that even decent shareware (of which I’m a huge fan) rarely uninstalls cleanly from Windows. And much of the stuff available for free download isn’t decent. In fact a fair portion of it is infected with malware, malicious or just plain bad. What you need is a virtual environment where you can download this stuff, install it and try it out before you commit it to your real environment. This can be done a number of ways. Virtualization software like VMware and Parallels allow you to create virtual machines that are exactly that. If you trash one, you just delete it and move on. The downside, as you can well imagine, is that virtualization software requires a lot of resources (i.e. a very powerful computer) and it’s not trivial. There is another kind of software that you can use to accomplish this: sandbox software. Basically a sandbox sets aside a place on your computer where programs can play nicely, isolated from everything else. Just like naughty children. The best known of these packages is Sandboxie. Using this kind of software, you can run any program “sandboxed”. Then if it blows up, or simply turns out not to be what you wanted, you just clean out the sandbox. If you do happen to decide that you want to keep your changes for real, you can recover everything to your computer. Trust me, this will save your bacon.
  7. Keep your professional and personal stuff separate. By stuff, I mean everything: email accounts, social networking sites, computers and software. Everything. That means, don’t play games or have personal email on your work computer. It also means don’t copy that spreadsheet from work to your home machine. Now hold on, I can see not doing personal stuff on my work PC, but what’s wrong with working on my personal PC? Ask your IT folks which is worse. They’ll tell you most emphatically that taking company data into an unsecured environment is way worse than stealing some CPU cycles, hard disk space and time playing games. Either way it’s bad for you and bad for business. If you really must check your personal email at work, then use one of your web mail accounts (see #4). Also be aware that if you are using your employer’s computer equipment you have no reasonable expectation of privacy. Think about that before you fire off a note to that hottie you met last night. But what about connecting to the office VPN from my home machine? Well okay, but just be aware that if you have a home network where you share stuff like photos, music and files you could be sharing them with everyone on your company VPN. I’d think about that for a while. Finally if you work for the government, you may have safeguards and accountability requirements on your email. So don’t be like Sarah. Nuff said.

I’m sure there are other good, and straightforward ideas for securing mom’s computer. I would love to know about them. I would also love to hear about problems with the ideas I’ve put forth here [note - blatant pandering for comments]. Maybe we can make things a bit nicer for Julie and mom. Or convince them that the internet is funny again.

DRM is a security threat

For my entire career I’ve designed, developed, maintained and secured commercial software products. So it is definitely not lost on me that the revenue generated by sales of those software products is what pays my bills. If customers don’t pony up then my employers quit paying me. So believe me, I’m certainly not advocating that all software should be free (“as in free beer” to quote Mark Shuttleworth).

But at the same time I’m a software user. I use both open source software (free as in speech because I like to tweak it, and free as in beer because I’m cheap and I like beer) and commercial software that my wife thinks I spend too much money on. And I hate Digital Rights Management (DRM) software. Hate it. It’s inconvenient, intrusive and hey – I paid for the product and I don’t want DRM. For me that is reason enough.
Okay, I think most of us can agree that DRM is annoying and intrusive but how is that a threat to information security? Glad you asked. From a recent article on the Harvard Law Zeroday blog:

EA could help end DRM

The backlash over DRM has finally started to gather serious momentum. Everyday consumers started a campaign to give the highly anticipated game Spore one-star ratings on Amazon. Thousands of Amazon users labeled Spore a poor choice because of the SecuROM DRM system that is forced onto the machines of PC users that purchase the game. EA has backpedaled a bit and eased the restrictions on the number of installs per machine. They have even made a verbal (but unenforceable) promise to disable the DRM system by patch should they ever end of life the product. But so far EA refuses to give in to consumer demand that they simply get rid of the DRM system. They hold on to the claim that DRM helps reduce piracy. Yet 30 seconds of searching on a popular torrent site shows not only Spore but a cracked copy that totally removes all DRM from the game.
This is possibly the most insulting bit for consumers. People who are pirating the game actually enjoy more freedom in the sense that their system does not have SecuROM permanently installed onto the hard drive. In the recent class action suit the defendants publicly document how the DRM used in Spore remains installed even after the game has been removed from the user’s computer. SecuROM also operates at “Ring 0”, which is to say the core of the kernel layer, which is clever in that it is hard to bypass the program yet dangerous because anything that goes wrong will completely destroy the user’s session. All of these facts are not made plain to consumers before purchasing the game. Only after they have purchased the game and start installation will they have the chance to read about the DRM system in the EULA. Retailers almost never allow returns on software once opened which leaves consumers who don’t agree with the surprise DRM in a very bad position.

I see, it’s that nasty malware that they foist on users’ machines that is the security threat. Sorry, good guess, but no cigar. That’s nasty for sure, but there is a very real and significant threat that is inherent to all intrusive DRM. To illustrate this I will defer to someone familiar with Electronic Arts (EA) software and who has way more gamer cred than me, my son Nick Webster. He reviewed the article above and responded thusly:

Atari implemented the same sort of system on Alone in the Dark. AITD didn’t get any cracks and remained untorrentable largely due to the suckiness of the game, crackers didn’t waste their time on such a poor excuse for a game.
That MIGHT be why EA is claiming DRM works, cuz no one stole Atari’s AITD. You can clearly see their logic, “They had this really BAD game that no one wants to play, but it had DRM so no one stole it. DRM MUST WORK!!!”. Assuming you haven’t suffered brain damage you can obviously see where their logic is wrong. The REAL solution to keep people from stealing your game WAS hit upon in AITD, though, just make the game BAD and have Yahtzee FLAME it that seems to help.
My general tactic with all of this is to just NOT EVER buy EA games. So far the only game I’ve seen with any sort of REASONABLE DRM is UT3. They let you install it on as many comps as you want, you just can’t have more than 15 people logged ONLINE with your code at ONCE. Seems fair, right?
Or if you MUST be nasty about your DRM the BEST tactic is the old school one, leave some music on the CD that will be needed to load the game. Then the no-cd-cracks will hinder game play and frustrate the player, as Daemon Tools requires lots of work to get it to actually let you play games OFF the ISO.
Anyway… as a side note I DID go rate spore a 1 on Amazon the current rating for the game is like 1.5 stars… glad to see there are a lot of us out there.

Note: apparently Yahtzee doesn’t like Spore much either – so Nick could be on to something here!

Still don’t see it? I’m not surprised. It’s because Nick and the Zeroday author were both vague yet obvious in suggesting how to deal with intrusive DRM: they don’t; they torrent a cracked version of the software. This is where the very real and present security threat lies. Not only are warez sites notorious for purveying malware, but there are companies like MediaDefender that actually inject “spoof files into the [torrent distributors] network without permission … as part of its antipiracy efforts to dilute the pool of pirated content online”. Yikes! In fact this particular “antipiracy” effort caused a serious Denial of Service (DOS) attack on the popular – and completely legitimate – Revision3 network. So what happens when an employee decides to download a Spore crack from a warez site on your corporate network? Or what happens when your kid decides to grab it on your home network (note to self – check those firewall and IDS logs!).

The bottom line is this – at best DRM is ineffective and is counterproductive to the vendor’s antipiracy efforts. It is ineffective because people who want to steal your software and bypass the DRM can do it quite easily and it is counterproductive to your antipiracy efforts because it’s easier for users to deal with the pirates than it is to deal with the DRM. And what about the real sales lost due to DRM? Not the bogus sales lost to piracy (I posit that people who steal your software would not have paid for it, ergo they cannot be counted as lost sales), but the real sales. Some due in part to the free advertising you get from piracy. That’s right, I can’t count the number of software packages I have purchased after trying a “borrowed” copy. Nowadays I rarely have to resort to anything as nefarious as “borrowing” software since most shareware (I’m partial to small independent software developers) now employs a “try before you buy” model where I can try the full unencumbered program for several weeks before buying it. Just ask my wife how effective this model is – based on my software spending habits. But even though I can easily “borrow” a copy of Spore to try it out before I pony up $50 American, I absolutely will not consider it as long as EA insists on forcing the DRM on me. I may, however, go to Amazon and give Spore a 1-star rating.

But the point of this rant is: when your company implements a strictly self-serving mechanism that not only is ineffective in accomplishing its intended purpose, but has the (presumably) unintended consequence of promoting risky and (potentially) illegal behavior that increases the threat exposure on the network, I have a real problem with that. Sure, we can disallow all P2P activity on our business networks – but what about users who need access to legitimate groups that rely on torrents to distribute their software, like the Fedora project? Or we can teach our children that stealing software is wrong and they should always pay for it – but what about software that forcibly installs malware like EA’s SecuROM? I think the better lesson is “vote with your wallet” – don’t buy bad stuff that you don’t want, especially if it’s bundled with something you do want.

So how about it, EA? Why not do everyone a service and just say “no!” to stupid ideas like DRM? You won’t have to pay for it, and we won’t have to put up with it. Sounds like a win-win to me. And maybe I’ll consider buying your software instead of flaming you. Hey, fifty bucks is fifty bucks. Or do you really need to suck up to Sony that badly? Whoa, I’d better stop here – I feel a great conspiracy theory coming on.

NAC: answering the right questions

Let me start this off by setting a baseline. I know a lot about Network Access Control (NAC). A real lot. I work on (as in design, develop and support) what is arguably the industry leading and undeniably the best NAC solution in the industry. I’ll let you guess which one, since I’m not a shill for my employer. Don’t get paid for it, don’t do it, don’t care. Just say no to marketing. In any case, I know a lot about NAC.

So I sign up for a videocast entitled “NAC: Answering the hard questions” which has this intriguing abstract (emphasis mine):

A recent survey showed that of the companies that already have NAC deployed, 36% said their networks became infected with malware anyway. Clearly, there are still plenty of questions about NAC that need to be addressed. In this video, Joel Snyder, one of the top NAC experts in the industry, will help viewers answer the most pressing questions surrounding this technology, including:

  • How do you handle lying endpoints?
  • How does NAC extend to branch offices?
  • How much does NAC’s effectiveness rely on the security of your network infrastructure?
  • And more

I’ve tried to find the source of this study, because those afflicted 36% really need to check out my earlier posting “Security Ideas for your mom part 1”, wherein I enumerate the most important ideas (in my humble opinion) that your mom needs to know about secure computing. Let me quote myself from idea #2:

“don’t use something you don’t understand.”

You see, Network Access Control does not directly prevent your network from being infected by malware. What it does, when configured correctly, is verify the security posture of your network endpoints before allowing them access to your network. In other words, a good NAC system will check to see that a PC requesting access to your network has whatever anti-virus programs you require installed and that the engine and signatures are up to date, but it will not check to see if the endpoint is already infected with a virus or if the AV package itself is worthwhile. Furthermore, NAC systems have the facility to “white list” certain endpoints, since it’s usually a career limiting move (CLM) to quarantine the CEO’s PC. If your CEO likes to surf for porn on said PC, quarantining it might still be a CLM, but it’s not a bad idea for security. So the general statement you can make about NAC is that it will only validate and enforce compliance with your security policy. It will do nothing to make sure your policy doesn’t suck or that you haven’t swiss-cheesed it to allow unlimited access to clueless VIPs. So let me say this once and for all – NAC is not magic. It is not a silver bullet. It will only enforce your network access policies, regardless of how lame they are, and only then if you configure the system correctly.

So I watched the videocast. I’d actually recommend it. Dr. Joel Snyder is a very sharp guy even if he relies a bit heavily on vendor marketing. Since I couldn’t find a place to comment on the site that hosted the videocast (Bitpipe), I decided to comment here. Okay, I was planning on commenting here anyway.

How do you handle lying endpoints? Well, if you are one of the NAC products that Dr. Joel is familiar with, apparently rather badly. He references the Trusted Computing Group (TCG) Trusted Network Connect (TNC) architecture to point out that ultimately system health telemetry originates from sensors on the endpoint itself (Integrity Measurement Collectors (IMC) in TNC lingo). Yep, that’s a problem all right – with the TNC reference architecture. He correctly concludes that some other mechanism (e.g. TCG Trusted Platform Module (TPM)) must be utilized to assure the integrity of the client-based sensors. Okay, how about this idea instead: let’s start by assuming that all endpoints are lying (or are capable of lying) and instead of relying on the endpoint to give us a statement of health, have our Policy Decision Point check for itself. There are NAC products (at least one) that do this today. And it works really well. And it can even be done without any kind of agent software installed on the endpoint. Is it magic? No – just really clever design (if I say so myself). Now there are clearly some advantages to the TNC take on this, most obvious is that the vendor of the endpoint security software you want to check for compliance is in the best position to know the health of their stuff and they can build their own IMCs. Problem is, when you have Vendor A’s AV and Vendor B’s firewall and Vendor C’s HIDS running on Vendor M’s platform you are trusting that these vendors will play nicely with each other. Even when they have competing products. You bet.
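To make the two preceding points concrete (NAC only enforces the policy you give it, and a self-reported statement of health is worth exactly what a lying endpoint wants it to be), here is a toy Policy Decision Point in Python. It is an added example written for this post, not code from my employer’s product or from the TNC specifications. The Posture and Policy types, the MAC addresses and the probe function are all hypothetical; probe stands in for whatever independent, agentless check a real PDP performs instead of believing the endpoint’s IMC report.

```python
"""Toy NAC policy decision point (PDP): it enforces a posture policy, nothing more.

Added example, not a vendor's product. Posture/Policy/evaluate and the
sample endpoints are hypothetical; MACs are from the IANA documentation range.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass
class Posture:
    av_installed: bool
    av_engine: str          # dotted version string, e.g. "9.2.1"
    sig_date: date          # date of the newest AV signature set
    firewall_on: bool


@dataclass
class Policy:
    min_engine: tuple = (9, 0, 0)
    max_sig_age: timedelta = timedelta(days=3)
    exempt: set = field(default_factory=set)   # the "white list" of MAC addresses


def _version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def evaluate(mac: str, claimed: Posture, policy: Policy, today: date,
             probe: Optional[Callable[[str], Posture]] = None):
    """Return (decision, reasons).

    claimed: the endpoint's own statement of health (what a TNC IMC would report).
    probe:   if given, an independent collector the PDP trusts instead; the
             claim is then ignored because the endpoint may be lying.
    Note that nothing here detects an endpoint that is already infected:
    a compliant-but-compromised machine is allowed, by design of the policy.
    """
    if mac in policy.exempt:
        return "allow", ["exempt: posture not checked"]
    posture = probe(mac) if probe else claimed
    reasons = []
    if not posture.av_installed:
        reasons.append("AV not installed")
    elif _version(posture.av_engine) < policy.min_engine:
        reasons.append(f"AV engine {posture.av_engine} below minimum")
    age = today - posture.sig_date
    if age > policy.max_sig_age:
        reasons.append(f"signatures {age.days} days old")
    if not posture.firewall_on:
        reasons.append("host firewall off")
    return ("allow" if not reasons else "quarantine"), reasons


# --- constructed scenario (hypothetical endpoints) -------------------------
TODAY = date(2008, 10, 1)
POLICY = Policy(exempt={"00:00:5e:00:53:01"})          # the CEO's laptop
HEALTHY = Posture(True, "9.2.1", TODAY - timedelta(days=1), True)

# What an independent check actually observes on each endpoint.
_OBSERVED = {
    "00:00:5e:00:53:01": Posture(True, "8.0.0", TODAY - timedelta(days=40), False),
    "00:00:5e:00:53:02": Posture(False, "", TODAY - timedelta(days=365), True),
}


def probe(mac: str) -> Posture:
    return _OBSERVED[mac]


def demo() -> dict:
    liar = "00:00:5e:00:53:02"      # reports HEALTHY, actually has no AV at all
    return {
        "liar_trusted": evaluate(liar, HEALTHY, POLICY, TODAY),
        "liar_probed": evaluate(liar, HEALTHY, POLICY, TODAY, probe=probe),
        "ceo_probed": evaluate("00:00:5e:00:53:01", HEALTHY, POLICY, TODAY, probe=probe),
    }


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name}: {decision} {why}")
```

Run it and the lying endpoint is allowed when its own claim is believed and quarantined when the PDP looks for itself, while the white-listed CEO’s machine sails through with 40-day-old signatures and no firewall because the policy says so. That second result is the 36%: the PDP did exactly what it was told.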

How much does NAC’s effectiveness rely on the security of your network infrastructure? Dr. Joel answers this one with an emphatic “a lot”. Thereby earning him the Security For All GOTO award for his outstanding Grasp Of The Obvious. Of course NAC’s effectiveness relies on the security of your network infrastructure – in fact, it is predicated on it. If your network infrastructure is not secure, NAC will certainly not make it so. In fact I would go so far as to say that slapping NAC into an insecure environment is no more than security theater – users see it and think they are more secure, while nothing (good) really happens securitywise. To be fair, Dr. Joel is mostly warning NAC implementers to be aware that in all likelihood you will have NAC enforcement at the edge of your network and that it does, in fact, become another attack surface. Of course, it was probably already an attack surface before NAC was added to the picture. The point is that if you are using old leaky routers and switches, or a bad network security architecture you should probably take care of that stuff before you even think about adding NAC into the mix.

Marketeers have done an outstanding job of overhyping NAC. The fact that Dr. Joel even has to make himself a candidate for the GOTO award (and my bothering to award it to him), is a testament to how successful NAC vendors have been at getting folks to breathe their exhaust. And it does everyone a disservice. NAC is not magic. There is no silver bullet. Period.

Security ideas for your mom part 2

Let’s recap shall we?

Mom wants to get online to read email, surf the web and Google stuff that you don’t even want to know about. We’ve already presented 4 ideas – which essentially boil down to 2 themes:

  • Use Common Sense
  • Know how to use your stuff

Okay, now we’re ready to get serious and specific about helping mom manage the risks of her internet behavior. So let’s look a little closer at each of the things mom wants to do:

Send and receive email – This will clearly require an email client, but what else? Well, let’s assume that mom wants to check out pictures of you and your significant other frolicking in the surf on your last vacation. And of course there’s Uncle Edgar who sends out those swell PowerPoint presentations and Aunt Thelma who sends MP3s of the latest hymns (at least that’s what mom says they are). So far all of this can be handled by any personal computer (and most cell phones) running any OS with either built in or free add on software.

Email risks fall into 2 categories: cyberfraud (e.g. phishing scams) and attachment-borne malware (e.g. worms or trojans embedded in attachments). While there are virus scanners that can scan your email for malware attachments, these will never sufficiently mitigate the threat without a judicious application of the first 4 ideas. Unfortunately, almost all cyberfraud is undetectable by virus scanners, simply because there is nothing wrong with the email format or data itself. The fraudster relies on the recipient to actually take action to fall into the trap. So the only way to mitigate a cyberfraud threat is by using the first 4 ideas. While there are “anti-phishing” mechanisms built into most browsers and some email clients these days, they are useless if you don’t understand them, and they are certainly not foolproof.

Surf the web – This is going to require a web browser. Again, any personal computer and most cell phones will come with a web browser sufficient to the task. While the actual choice of browser is mostly a personal taste kind of deal (if there is a choice – which there may not be on a cell phone) some browsers definitely have better security features than others (more on that later).

Web surfing risks include cyberfraud (note that email cyberfraud will almost always utilize some web-based component like a malicious web site that the email links to), downloaded malware (e.g. a trojan embedded in a file you download), malformed images (pictures that are designed with intentional flaws to crash the browser – or worse), malicious active content (all those cute dancing hamsters are really little programs that can actually do worse than just annoy you), leakage of personally identifiable information (e.g. some web sites will collect personal information from you in exchange for some goodie – and then sell it to spammers or phishers) and privacy invasion (e.g. tracking your surfing habits using third-party cookies). The right choice of web browser software and associated “plugins” will go a long way toward mitigating these threats, but again you must apply ideas 1 – 4 to achieve a decent level of threat mitigation. It should be noted that your web surfing habits have a dramatic impact on the risk you incur. Specifically, if you intend to visit adult (porn) or warez (pirated software) sites your risk increases dramatically. Whereas reputable sites like legitimate shopping sites or wikipedia are relatively low risk, a trip to the typical warez site can almost guarantee several of the above threats being real and present. So the moral of this story is don’t even think about stealing software or surfing for porn unless you really know what you are doing and take extreme measures well beyond the scope of what I’m going to tell you about in these posts.
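For the technical reader (mom can skip this), here is the kind of check those “anti-phishing” mechanisms in browsers and mail clients actually do, and why it is not foolproof. It is an added example written for this post, not the code of any real browser or mail client. It pulls every link out of an HTML message and flags the ones whose visible text names a different site than the href really goes to, or that point at a bare IP address, or that hide the real host behind a user@ prefix. The sample message is constructed; bank.example and 192.0.2.10 are documentation-reserved names.

```python
"""Flag links in an HTML email whose visible text disagrees with the real href.

Added example, not any browser's or mail client's anti-phishing code.
SAMPLE_EMAIL is constructed; bank.example and 192.0.2.10 are reserved names.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'registered domain': the last two labels. Fine for the demo,
    wrong for suffixes like co.uk (a real tool uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A hostname-looking token in the visible link text, with optional scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def suspicious_links(html: str):
    """Return [(href, text, [reasons])] for every link that looks deceptive."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host or href}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("destination is a bare IP address")
        if "@" in url.netloc:
            reasons.append("user@ prefix hides the real host")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: one honest link, one classic text/href mismatch, and one
# lookalike the check cannot catch because the visible text names no domain.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your statement is ready at <a href="https://www.bank.example/">www.bank.example</a>.</p>
<p>Please confirm your details at
   <a href="http://192.0.2.10/login">https://www.bank.example/login</a></p>
<p>Or <a href="http://secure-bank.example/verify">click here</a> to verify your account.</p>
"""

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(why)}")
```

Only the second link gets flagged. The third one, “click here” pointing at a lookalike domain, passes clean, which is exactly why the first 4 ideas matter more than any filter: a scammer who shows you nothing to compare against gives the heuristic nothing to catch.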

Using search engines – Usually all you need is a browser for this, but almost invariably search engines like Google are way more than just search engines. Google, for example, is an entire suite of web services. They have portals, email, calendar, instant messaging, contacts, office tools and a whole lot more. And they are not alone. Yahoo has similar offerings as does AOL (to some extent). And each and every one of those bad boys wants to install some kind of browser toolbar and desktop application on mom’s computer. My advice is (again see the first 4 ideas) decide on a single search provider and use only what you need. Otherwise you will subject yourself to a cornucopia of conflicting crapware. Trust me, it bites wind and mom won’t like it.

Search engine risks include all of the web surfing risks listed above (well, duh! a search engine’s raison d’être is to allow you to surf lots of places really fast). But in addition there is a search engine specific risk of search engine gaming (e.g. a porn site will intentionally embed words like “angels” or “family values” into pages just so the search engines will direct you there when you search for those words). Luckily if you are a firm adherent to the first 4 ideas, this can usually be minimized to simply an annoyance. Also most modern search engines do a pretty good job of filtering out gamed results.

Throughout this post it may seem that (in addition to not adding anything tangible to our list of ideas) I’ve been using the terms risk and threat interchangeably. Just so there’s no confusion let’s go right to the definition of the relationship between them:

Risk management is a structured approach to managing uncertainty related to a threat.

This seems like a logical place to break so we’ll pause here for station identification and finish this up in another post.