Whatever Happened to Security For All?

Where have all your good words gone?
Where have all your stories gone?
From Where Have All Your Good Words Gone by Laura Gibson

Long, long ago, way back in December of 2011 the latest blog entry appeared in Security For All. What become of the author and his intrepid sidekicks Dr. Security and Captain X-Ploit has been the stuff of no small amount of speculation among the Information Security literati. Actually to my knowledge there has been no speculation at all. Small or otherwise. But I digress.

By way of excuses let me say that a whole bunch of stuff has happened since that last post around Christmas time. Primarily, in January I started  a new position as Software Architect for Trustwave. I could let you guess at my employer like I did back when I first started blogging while working at StillSecure, but anyone can look it up on LinkedIn so the thrill is gone. Also let me point out that Trustwave and Spiderlabs are quite well known in the blogosphere having several excellent corporate blogs. This is not one of them. Whatever I say here is strictly me and they have nothing to with it. Much less approve or disapprove. In any case I’ve been drinking from the firehose since January without much opportunity to do much of anything else.  Thus the reason for the 3 month hiatus of Security For All.

But I’m back. And so is the good Captain. So stay tuned.

Of screen doors and submarines – locking down your iPhone

It’s about as useless as
A screen door on a submarine
Faith without works baby
It just ain’t happenin’
From Screen Door by Rich Mullins

In a recent post, to the extent that any post here is recent, I wrote about the threat to personal privacy – yea even freedom posed by smart phones. Actually the threat was not so much from the smart phones themselves but the potential of exploitation of them by law enforcement contrary to your best interests. The obvious answer to this problem, as every portable computer using reader of this blog surely knows, is to fully encrypt the device. Locking that bad boy down tight will blow those law enforcement fishing expeditions out of the water. But alas, this is not a realistic option with most smart phones. There are several notable exceptions to this including the RIM Blackberry, mentioned in the earlier post,  which can be configured to be secure and some Linux-based smart phones such as the Nokia N900 described in this comment to that post by reader Gino.

There actually is a solution for full phone (filesystem) encryption: the Nokia N900, a Linux phone that supports Crypto LUKS. I know this for fact as I am typing this with one that has it :)

Albeit there is quite a bit of legwork needed and a fairly good bit of Linux knowledge required to set it up initially, it’s well worth the effort.

Unfortunately that excludes the many smart phone users, including myself, with iPhones. I did find some information in this article in Lifehacker entitled Common Sense Security for Your iPhone about locking down iPhones. To the extent that they can actually be “locked down”. Here are the high points.

Lock Your Phone
The most basic security precaution you can take is to make sure that your iPhone is using a passcode lock—and that the passcode lock will automatically engage after a brief period of inactivity.
Choose a Hard-to-Guess Passcode
On newer versions of iOS, you’ll have an additional option in the Passcode Lock settings labeled “Simple Passcode”. By default, “Simple Passcode” is on—and it essentially means that your passcode will need to be a 4 digit number that you’ll type when unlocking the phone. You can, and should, turn this setting off and enter a passcode that is more difficult to guess than the simple 4 digit pin.
Limit the Maximum Number of Unlock Attempts
To prevent someone from trying to break in to your phone if it’s stolen, take advantage of the setting at the bottom of the “Passcode Lock” settings page, labeled “Erase Data”. By default, this is set to off. Turning it on tells the iPhone to completely wipe the content of the device if 10 failed attempts to unlock the iPhone are recorded.
Take Advantage of the Free “Find My iPhone” App and Remote Data Wipe
Apple provides a great service called “Find My iPhone” that is available for free to any iOS device owner using their Apple ID (the same email address and password you use to purchase apps in the App Store). Complete instructions for setting up Find My iPhone are available on Apple’s Web Site. By default, the free Find My iPhone is only for 2010+ devices, but anyone can enable and use Find My iPhone on the 3GS and other pre-2010 devices. Here’s how.

While these are certainly valuable steps to take towards basic iPhone privacy, the efficacy vis-a-vis keeping out determined and well equipped snoopers is akin to locking the screen door on a submarine. This article by the oft-quoted [in this blog] Sharon Nelson of {ride the lightning} for the American Bar Association’s Law Practice Magazine entitled Why Lawyers Shouldn’t Use The IPhone: A Security Nightmare explains thusly.

The words iPhone and security do not belong in the same sentence, although you would never know it from the Apple marketing blitz. Some of the advertised features of the iPhone 3GS are the inclusion of encryption and remote wipe functions. As most folks know, encryption is a killer for computer forensic examiners and a fine way to protect your data. So what does encryption do for the 3GS? Not a heck of a lot. From my foxhole, it appears that encryption was an afterthought and not inherent in the iPhone design.

Jonathan Zdziarski has demonstrated how easy it is to gain access to a supposedly secure iPhone 3GS. Should we believe him? I certainly do, especially since I own his book on iPhone forensics and have personally seen the mountains and mountains of electronic evidence that is stored on an iPhone. The key to gaining access to the data is to extract a disk image from the device. First off you “jailbreak” the phone by placing it into recovery mode and installing a custom RAM disk to the iPhone. Jonathan mentions that the tools are only available to law enforcement (nice thought, but not so), but also acknowledges that it is fairly simple to develop your own. Several products like Red Sn0w and Purple Ra1n are freely available to “jailbreak” the phone. You then install a Secure Shell (SSH) client to port the raw disk image onto your computer.

Those of us in the forensic community know that sucking a disk image from an encrypted drive to a destination drive just gets you another encrypted image which is no earthly good to you. What makes the iPhone 3GS any different? This is the part where Apple is so very, very helpful. Even though the data on the iPhone disk is stored in an encrypted form, the iPhone actually decrypts the data as it feeds the zeros and ones through the SSH connection.

In order to secure your iPhone, make sure you configure an unlock code. Then again, perhaps you shouldn’t waste your time. Jonathan has another demo where he replaces the passcode file with one that contains a blank password, effectively removing the unlock code. How is this possible? Just like the previous explanation, putting the iPhone into recovery mode doesn’t require the passcode PIN.

Apple says losing your phone is not a problem, you just use the remote wipe feature to “kill” all of the personal data. There’s a problem with that too. The remote wipe feature requires that the iPhone be connected to the cellular network and removing the SIM card or placing the phone in a Faraday box would solve the network connection problem. Take the phone off the cellular network and you can take all day to retrieve the disk image (in an unencrypted form) from the iPhone.

Yep. Screen door on a submarine. In a follow up entry on {ride the lightning} Sharon finds even more reasons to declare “iPhone security” an oxymoron.

Most users are not aware that the iPhone conveniently creates a screenshot and saves it as a temporary file on the phone. Wired has an article that explains the how and why and is available at http://www.wired.com/gadgetlab/2008/09/hacker-says-sec/. The end result is that there is a very complete “audit trail” of activity that is done on an iPhone, even if the user doesn’t save any data. As an example, you can open a message that contains personally identifiable information and then immediately delete it. Guess what? All of that private data is on the phone until it is overwritten, which could be some time. As we mentioned in the article, the iPhone is an “evidence rich” device. These recoverable screenshots are one reason why and we’ve verified the existence of them through a ton of real world investigations. We’ve never seen this type of activity on any other phone.

Does all of this mean that the iPhone is the ONLY insecure cellular phone on the market? Obviously not, but it is at the top of our list, especially considering the hundreds of phones we get each year for evidence analysis. Any smartphone with a browser is subject to the same attacks and infection as any Internet user. We know many iPhone users are saying that security is the issue and is not unique to the iPhone. Perhaps the truth hurts. Security is a major issue for any law firm, but using a device that does not enforce PIN integrity is a little crazy in my book. I wouldn’t want to make that argument to a malpractice carrier.

Well so much for the delusions of privacy and security on the iPhone. I guess now we’re back to putting it in a bag in the trunk when we travel. At least in California. Or switching to Blackberry or N900 if we’re lawyers.

The dark side of post startup innovation

Todd at the Napera blog has two great articles here and here about how most of the innovation in network security comes from startups.

Breakthrough products like security appliances and virtualization were not pioneered by established industry behemoths, but originated with smaller companies willing to pioneer new product ideas and disrupt the status quo.

Startups are clearly much more agile than “established industry behemoths” and most of their mid sized brethren. The passion, drive and commitment of the small team offsets the capital, expertise and experience of the larger, older outfits.

startups spend an order of magnitude more time talking to customers and thinking about the challenges customers face. Ideally, interacting with and thinking about customers should happen at every level of a company. To add to that focus, a product team in a startup has a lot more autonomy in making product decisions.

Having worked across the entire spectrum in my career as a software engineer – from a small “mom and pop” DoD contractor (literally: Mom was the Controller and Pop was the CTO) all the way to a Fortune 50 computer manufacturer (truly one of those “established industry behemoths”) – I have definitely seen this in action. In a small startup everyone is intimately familiar with the customers, whereas large corporations have to make concerted efforts to allow a design engineer to even have marginal contact with a customer – and that’s usually second hand through either a sales or marketing initiative.

So being a startup is swell and you can innovate the pants off the big boys. The force is strong with startups. But there is a dark side. You didn’t really expect anything else now did you?

The conundrum which is faced by all startups (who don’t get snatched up immediately post initial product release by one of those big fish) is how to get new customers and still keep existing customers happy by providing a stable value added upgrade path. It’s really hard to innovate out of this one. But you have to in order to make that next step from being a startup to being an established concern that is in it for the long haul. From some things I’ve witnessed on the engineering side where this innovation actually happens, I present this cautionary tale.

Startup creates first product – brilliant idea, incredibly fast time to market. The chief engineer is now the CTO, but spends a fair amount of time addressing customer concerns (i.e. putting out fires). As a result the CTO is well loved and well rewarded by customers and executive staff alike. So now it’s time for the next big release of the product. The CTO has very precise ideas about what new features are important and what failings must be addressed. In fact the CTO knows that the largest customer is poised for a huge purchase when that killer feature is added. Unfortunately the CTO is way too busy and valuable an asset to the business to focus on the mundane tasks of development any longer so developers are hired to get the next version and next product out to the breathlessly waiting customers and potential customers.

So lets pause here and take stock of the new developers’ situation. They have to update an existing code base which has been field patched (remember those firefighting drills) with a technical lead (our CTO) who doesn’t have time to spend mentoring anyone. And they have to do it quickly. The CEO recalls that the first release came after 6 months and the following 2 releases came on 3 month cycles. Now granted the CEO knows that the now-CTO is a bona fide savant, a true code ninja, but surely these new mere mortal programmers can get the next rev out in 6 months. 9 months tops. Besides they’ve promised customers and there are some big deals riding on this next release. So the show must go on.

Fast forward 9 months and the vaunted next release is dangerously close to slipping the release date. The executive staff is not too worried as they recall the 160 hour weeks that the now-CTO put in to get the product out. So the pep-talks begin to motivate the new programmers to “take one for the team” and get this release done on time no matter what.

We’ll stop this tale here. The aforementioned allegorical startup can still make a happy ending, but not without recognizing the realities of the dark side.

  1. Brilliant innovative engineers are rare. The dark side of being brilliant is that they rarely value mundane necessities like documentation. They know the code inside and out, so from their point of view it’s self-documenting.
  2. Competent engineers are not so rare. They are also not so expensive. Or fast. They need mundane stuff like documentation to accomplish their job.
  3. The ramp up time it takes to come up to speed on a new product such that you can enhance and maintain it always takes at least twice as many engineering hours as it took to develop it in the first place. Don’t believe me? No problem, you can find out on your own.
  4. All engineers come to the realization (usually sooner rather than later) that firefighters get rewarded. So they look for fires to put out rather than doing the critical but boring and largely unnoticed jobs like configuration management or refactoring for maintainability.
  5. Executive management is always willing to oblige firefighters. They like it when the customer’s problem is solved quickly. That’s in the job description.
  6. The original founding members of the startup usually have an equity position in the company. So they know that at least the potential is there to be very well rewarded if the company is successful. So they are willing to work insane hours and make huge sacrifices for the company because of the potential rewards. Later members are employees or contractors with no real equity stake in the company. When they work insane hours and make huge sacrifices they get to keep their jobs. And have a party. Until they burn out.
  7. Customers who have your product expect to get new features before they are willing to pony up for the next version. They also expect a smooth and painless upgrade path – even when they decide to skip 3 or 4 releases. This is probably the most difficult part of software development. And one that most of us don’t consider until it steps up to brazenly bite our backsides.
  8. Customers really want the features they want. For them. Not for the entire customer base or potential markets. For them. And they are happy to drive your product strategy – where they want it to go.

Can a startup successfully address these dark side issues? Absolutely. To be successful you have to. Will you fall victim to most of these at least once? Of course. I’ve never heard of any company that survived the transition to post-startup unscathed. But the one edge that a startup can never afford to relinquish is that customer focus that Todd describes in his articles.

May the force be with you.

Sarah Palin and the great Yahoo! angst

I’ve really been trying to stay out of this one. I really have. Mostly because everyone, and I do mean everyone, has this story covered. While mainstream media, in stories like this, were concentrating on where to place blame, whether nasty sites like wikileaks are legal (while dutifully linking the prurient details) and whether Ms. Palin was a victim or villian (how about just clueless), the Security Bloggers Network, yea the entire blogoshere, has been alight with posts about what we can learn from this incident and how to make sure this doesn’t happen to you. Kindred spirit Alan Shimel even weighs in with words of advice and consolation for Ms. Palin.

So what’s the most important takeaway from this ugly, yet amusing, incident? That Yahoo!’s email security policies suck? I’m guessing that Alan would answer that with a resounding “yes! (albeit more emphatically and certainly more colorfully). Or is it that all web-based email services’ security sucks? Or maybe that there is a vast left-wing conspiracy to discredit our lovely GOP VP wannabee? (Oh! – I like that one).

Not to minimize or criticize the excellent analysis and advice proffered by fellow security bloggers, I think the most important takeaway was this:

Security is about managing risk. First you identify the assets that are exposed, then determine the threats that those assets will be exposed to, and finally determine how best to to manage that risk. This was yet another, albeit high profile, case of poorly managed risk.

Does Yahoo!’s mail security, particularly their password reset mechanism, introduce threats? Of course. Same with Google Mail or Hotmail. Can these threats be mitigated? Of course. Is it safe for me to use webmail? Ah, now we get to the question, however obliquely, that we should have asked first. So lets start at the beginning shall we?

  1. What is the benefit received from a web-based email/calendar/contacts system?
  2. What are the information assets that would be exposed?
  3. What are the threats to those assets?
  4. How can those threats be mitigated?
  5. Given the value of the exposed assets, can the threats be mitigated sufficiently such that the risk can be accepted?
  6. Do the benefits outweigh the cost in money and risk?

So if I’m me (which I was last time I checked) I would get a great deal of benefit from an online system like Yahoo! (disclaimer: I don’t actually use Yahoo!, I use something else), since I like to be connected everywhere and I make a point of keeping my work and personal stuff well separated.

In my case, the information assets that are exposed by my webmail are intentionally minimal. No important numbers or addresses and minimal Personally Identifiable Information.

The major threat to my assets is exposure due to data breach, with the most likely vector being a compromised password.

I’ve already written a blog entry about password security and I also use some of the stuff outlined here.

The value of my exposed information assets is pathetically low – my family weekend plans or my personal address list are, sadly, valuable only to me. So any common sense mitigation I can put in place will definitely make the effort required to compromise my data a very poor investment indeed.

Therefore, the convenience of having my todo list available on my iPhone far outweighs the risk of that data being exposed.

But then I’m not the Governor of Alaska and a vice presidential candidate. Ms. Palin should have gotten to #2 and started hearing all kinds of alarms going off. Barring that (hey, she only recently became a celebrity – er… high profile person) the answer to #5 is “no!” (actually “HELL, NO!“). Particularly since the data identified in #2 was not hers to risk – some of it belonged to the people of the sovereign state of Alaska. I can safely say that were I to expose my employer’s data via a personal online account, no matter what precautions I took and regardless if it were actually compromised, I would be fired. Immediately. Walked right out the door. And rightly so.

I’m pretty sure I wouldn’t get promoted to Vice President.

Nice stuff from DHS for your FDPP

In recent days the U.S. Department of Homeland Security (DHS) has been getting spanked pretty hard for being unprepared for cyberthreats. Since that mule has been pretty well beat to death, I’m not going to chime in on that. Instead, in the immortal words of the great philosopher sage Monty Python “And now for something completely different”.

I’d like you to know about something the DHS is doing right – the Ready Kids Campaign. From this press release on September 17:

Today the Department of Homeland Security’s Ready Kids Campaign announced with Sesame Workshop a new tool on emergency preparedness for parents of young children called “Let’s Get Ready!” This guide aims to get families planning together for emergencies through simple activities and games that focus on talking to young children about the people, places and things that will keep the family safe during an emergency.

“Emergencies can happen at any time with little or no warning and, as we’ve seen with recent natural disasters, personal and family preparedness are critically important,” said Erin Streeter, Director of the Ready Campaign. “‘Let’s Get Ready!’ gives parents the tools they need to talk to their young children in a very kid-friendly and non-threatening way and instill in them important information to help them deal with the unexpected.”

Specifically, the guide offers tips from Sesame Street’s and Rosita on how families can prepare their children for an emergency in age-appropriate ways such as:

  • Everyone, including young children, can play a role in planning for the unexpected.
  • Creating an emergency kit and plan that the entire family practices and shares is important.
  • Helping children learn personal information such as a phone number, their full names and the full names of their parents or caregivers, is helpful in case of any emergency.

If you have children you should definitely take advantage of this excellent resource. This is something that every family needs to consider seriously. Just like every business should have a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP),  (I’ll bet you were wondering how I was going to relate this to security) you need to have a Family Disaster Preparedness Plan (FDPP). Except that your  FDPP is way more important than any DRP or BCP because this is your family, not some business that we’re talking about. It’s critical to note that no disaster plan (or any plan for that matter) has value if all of the players don’t know their parts. In the same way that it is critical for a business to make sure all employees, especially those in leadership roles, have and understand current copies of the DRP and BCP documents, all members of your family, must understand your FDPP. Furthermore, (and this is where many if not most businesses fall down) you must practice the plan. That’s right, it’s very well and good to have a plan that calls for tuning the weather radio to the correct station in case of a tornado warning, but it doesn’t work too well if you don’t know what station that is or where to find the radio.

So this is where you can really leverage the “Let’s Get Ready!” resources. It can help you devise, disseminate and practice your family’s FDPP. While this specific program is targeted at families with young children, there are links on this page to many excellent resources. I will admit that I learned a few things and picked up some ideas for my family’s FDPP. According to the site, this month, as part of Emergency Preparedness month, Sesame Workshop will be distributing 150,000 of the free kits to families. These kits include not only the downloadable materials on the site, but a DVD that is great for young kids.

So get going on your own FDPP, and definitely check out the resources at DHS. Seriously, they’re not just about fighting terrorism and cyberthreats. Which I guess is a good thing. Sorry couldn’t resist.

Information on “Let’s Get Ready!” is here. Materials are available in English and Spanish.

Losing our History

My wife and I spent the Independence Day weekend this year in Washington DC. In addition to watching the fireworks from the base of the Iwo Jima memorial we visited a number of other memorials and museums. But probably the most amazing place we visited was the National Archives. Aside from the U.S. Constitution and Declaration of Independence, the National Archives is in fact an archive of the U.S. government’s correspondent, business and legal transactions some of which are on exhibit. These exhibits include excerpts from the infamous Nixon Watergate tapes to (my person favorite) a letter from a 10-year-old Fidel Castro to President Franklin D. Roosevelt dated November 6, 1940, asking for a “ten dollar bill green American” (maybe Roosevelt should have sent him the 10 bucks – you never know). The fact is that the National Archive is a repository of everything the U.S. Government is involved in. Everything. The good, the bad, the ugly. The greatest achievements, the finest moments and the things we would like to forget. Especially the things we’d like to forget. This is everything from the most visible, substantial and important documents like the U.S. Constitution to mundane interoffice correspondence, which can in the long run be just as important historically.

You might think that the digital age has made the job of the National Archives quite a bit easier. Unfortunately nothing could be further from the truth as this article from the New York Times points out.

Countless federal records are being lost to posterity because federal employees, grappling with a staggering growth in electronic records, do not regularly preserve the documents they create on government computers, send by e-mail and post on the Web. Federal agencies have rushed to embrace the Internet and new information technology, but their record-keeping efforts lag far behind.

Moreover, federal investigators have found widespread violations of federal record-keeping requirements. Many federal officials admit to a haphazard approach to preserving e-mail and other electronic records of their work. Indeed, many say they are unsure what materials they are supposed to preserve.

This confusion is causing alarm among historians, archivists, librarians, Congressional investigators and watchdog groups that want to trace the decision-making process and hold federal officials accountable. With the imminent change in administrations, the concern about lost records has become more acute.

While those conspiracy theory fans among us (okay, I admit it – but the truth is out there) prefer a more tantalizing threat like a shadowy cabal that secretly removes and suppresses information embarrassing or threatening to their members, the reality is much more mundane – and insidious. And it’s a whole lot harder to address.

“The Achilles’ heel of record-keeping is people,” said Jason R. Baron, the director of litigation at the National Archives. “We used to have secretaries. Now each of us with a desktop computer is his or her own record-keeper. That creates some very difficult problems.”

That’s right – it’s those pesky end users. You know, those regular folks who are just trying to get their job done as efficiently as possible. Yeah, those people who we never have the time or budget to provide with decent hardware and software. And forget about education (no money for that in this year’s budget). Oh, and the folks who actually control the purse strings don’t have “keep a public record of the stupid things we do” at the top of their must-fund list. (Yes! I knew I could slide a conspiracy theory in there).

All this is really patriotic, and sufficiently alarmist to get some good hits on Google, but what does it have to do with security, Mr. Security For All?

Actually – everything. Remember the CIA triad: Confidentiality, Integrity and Availability. This issue is fundamental to both Integrity and Availability. From Wikipedia:

  • Integrity – In information security, integrity means that data cannot be modified without authorization. Integrity is violated when an employee (accidentally or with malicious intent) deletes important data files.
  • Availability – For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

I think we can all agree that not saving important information through neglect is the same thing as deleting important data. And when future generations – or a researcher today – can’t get access to an email that is germane to their research because it was never saved violates availability.

So how do we go about mitigating this threat? There is already a program in progress to bring the National Archives more fully into the 21st century, but it is not without it’s all too typical problems.

The National Archives is in the early stages of creating a permanent electronic record-keeping system, seeking help from the San Diego Supercomputer Center at the University of California, and from some of the nation’s best computer scientists.

The electronic archive is behind schedule and over budget. But officials say they hope that the project, being developed with Lockheed Martin, will be able to take in huge quantities of White House records when President Bush leaves office in January.

As a point of reference 32 million White House e-mail messages were preserved as records of the Clinton administration. The National Archives expects to receive hundreds of millions from the Bush White House. And since disputes over White House records have occurred at the end of the last three administrations, we can count on more litigation in January.

So here’s a bold idea: why not take the money that will be flushed down the litigation rat hole and put it towards the electronic record-keeping system? Oh, but wait, that would mean that politicians would have to be subject to the same laws, standards and directives that all government employees are. Or maybe Lockheed Martin could get some help from the IBM Almaden research guys on storing, indexing and accessing insane amounts of information since the Webfountain project went dark. Or underground. (Yes! another conspiracy theory reference).

In any case this is a risk that must be managed – and soon – before we lose what amounts to our civic cultural heritage.

NAC: answering the right questions

Let me start this off by setting a baseline. I know a lot about Network Access Control (NAC). A real lot. I  work on (as in design, develop and support) what is arguably the industry leading and undeniably the best NAC solution in the industry. I’ll let you guess, since I’m not a shill for my employer. Don’t get paid for it, don’t do it, don’t care. Just say no to marketing. In any case, I know a lot about NAC.

So I sign up for a videocast entitled “NAC: Answering the hard questions” which has this intriguing abstract (emphasis mine):

A recent survey showed that of the companies that already have NAC deployed, 36% said their networks became infected with malware anyway. Clearly, there are still plenty of questions about NAC that need to be addressed. In this video, Joel Snyder, one of the top NAC experts in the industry, will help viewers answer the most pressing questions surrounding this technology, including:

  • How do you handle lying endpoints?
  • How does NAC extend to branch offices?
  • How much does NAC’s effectiveness rely on the security of your network infrastructure?
  • And more

I’ve tried to find the source of this study because those afflicted 36% really need to check out my earlier posting “Security Ideas for your mom part 1″. Wherein I enumerate the most important ideas (in my humble opinion) that your mom needs to know about secure computing. Let me quote myself from idea #2:

“don’t use something you don’t understand.”

You see Network Access Control does not directly prevent your network from being infected by malware. What it does, when configured correctly, is verify the security posture of your network endpoints before allowing them access to your network. In other words, a good NAC system will check to see that a PC requesting access to your network has whatever Anti-Virus programs you require installed and that the engine and signatures are up to date, but it will not check to see if the endpoint is already infected with a virus or if the AV package itself is worthwhile. Furthermore, NAC systems have the facility to “white list” certain endpoints since it’s usually a career limiting move (CLM) to quarantine the CEO’s PC. But if your CEO likes to surf for porn on said PC, it might be a CLM, but it’s still not a bad idea for security. So the general statement you can make about NAC is that it will only validate and enforce compliance to your security policy. It will do nothing to make sure your policy doesn’t suck or that you haven’t swiss-cheesed it to allow unlimited access to clueless VIPs. So let me say this once and for all – NAC is not magic. It is not a silver bullet. It will only enforce your network access policies, regardless of how lame they are, and only then if you configure the system correctly.

So I watched the videocast. I’d actually recommend it. Dr. Joel Snyder is a very sharp guy even if he relies a bit heavily on vendor marketing. Since I couldn’t find a place to comment on the site that hosted the videocast (Bitpipe), I decided to comment here. Okay, I was planning on commenting here anyway.

How do you handle lying endpoints? Well, if you are one of the NAC products that Dr. Joel is familiar with, apparently rather badly. He references the Trusted Computing Group (TCG) Trusted Network Connect (TNC) architecture to point out that ultimately system health telemetry originates from sensors on the endpoint itself (Integrity Measurement Collectors (IMC) in TNC lingo). Yep, that’s a problem all right – with the TNC reference architecture. He correctly concludes that some other mechanism (e.g. TCG Trusted Platform Module (TPM)) must be utilized to assure the integrity of the client-based sensors. Okay, how about this idea instead: lets start by assuming that all endpoints are lying (or are capable of lying) and instead of relying on the endpoint to give us a statement of health, have our Policy Decision Point check for itself. There are NAC products (at least one) that do this today. And it works really well. And it can even be done without any kind of agent software installed on the endpoint. Is it magic? No – just really clever design (if I say so myself). Now there are clearly some advantages to the TNC take on this, most obvious is that the vendor of the endpoint security software you want to check for compliance is in the best position to know the health of their stuff and they can build their own IMCs. Problem is, when you have Vendor A’s AV and Vendor B’s firewall and Vendor C’s HIDS running on Vendor M’s platform you are trusting that these vendors will play nicely with each other. Even when they have competing products. You bet.

How much does NAC’s effectiveness rely on the security of your network infrastructure? Dr. Joel answers this one with an emphatic “a lot”. Thereby earning him the Security For All GOTO award for his outstanding Grasp Of The Obvious. Of course NAC’s effectiveness relies on the security of your network infrastructure – in fact, it is predicated on it. If your network infrastructure is not secure, NAC will certainly not make it so. In fact I would go so far as to say that slapping NAC into an insecure environment is no more than security theater – users see it and think they are more secure, while nothing (good) really happens securitywise. To be fair, Dr. Joel is mostly warning NAC implementers to be aware that in all likelihood you will have NAC enforcement at the edge of your network and that it does, in fact, become another attack surface. Of course, it was probably already an attack surface before NAC was added to the picture. The point is that if you are using old leaky routers and switches, or a bad network security architecture you should probably take care of that stuff before you even think about adding NAC into the mix.

Marketeer’s have done an outstanding job of overhyping NAC. The fact that Dr. Joel even has to make himself a candidate for the GOTO award (and my bothering to award it to him), is a testament to how successful NAC vendors have been at getting folks to breathe their exhaust. And it does everyone a disservice. NAC is not magic. There is no silver bullet. Period.

Security ideas for your mom part 2

Let’s recap shall we?

Mom wants to get online to read email, surf the web and Google stuff that you don’t even want to know about. We’ve already presented 4 ideas – which essentially boil down to 2 themes:

  • Use Common Sense
  • Know how to use your stuff

Okay, now we’re ready to get serious and specific about helping mom manage the risks of her internet behavior. So let’s look a little closer at each of the things mom wants to do:

Send and receive email – This will clearly require an email client, but what else? Well, let’s assume that mom wants to check out pictures of you and your significant other frolicking in the surf on your last vacation. And of course there’s Uncle Edgar who sends out those swell PowerPoint presentations and Aunt Thelma who sends MP3s of the latest hymns (at least that’s what mom says they are). So far all of this  can be handled by any personal computer (and most cell phones) running any OS with either built in or free add on software.

Email risks fall into 2 categories, cyberfraud (e.g. phishing scams) and attachment-borne malware (e.g. worms or trojans embedded in attachments). While there are virus scanners that can scan your email for malware attachments, these will never sufficiently mitigate the threat without a judicious application of the first 4 ideas. Unfortunately almost all cyberfraud is undetectable by virus scanners, simply because there is nothing wrong with the email format or data itself. The fraudster relies on the recipient to actually take action to fall into the trap. So the only way to mitigate a cyberfraud threat is by using the first 4 ideas. While there are “anti-phishing” mechanisms built into most browsers and some email clients these days, they are useless if you don’t understand them and they are certainly not foolproof.

Surf the web – This is going to require a web browser. Again, any personal computer and most cell phones will come with a web browser sufficient to the task. While the actual choice of browser is mostly a personal taste kind of deal (if there is a choice – which there may not be on a cell phone) some browsers definitely have better security features than others (more on that later).

Web surfing risks include cyberfraud (note that email cyberfraud will almost always utilize some web-based component like a malicious web site that the email links to), downloaded malware (e.g. a trojan embedded in a file you download), malformed images (pictures that are designed with intentional flaws to crash the browser – or worse), malicious active content (all those cute dancing hamsters are really little programs that can actually do worse than just annoy you), leakage of personally identifiable information (e.g. some web sites will collect personal information from you in exchange for some goodie – and then sell it to spammers or phishers) and privacy invasion (e.g. tracking your surfing habits using third-party cookies). The right choice of web browser software and associated “plugins” will go a long way toward mitigating these threats, but again you must apply ideas 1 – 4 to achieve a decent level of threat mitigation. It should be noted that your web surfing habits have a dramatic impact on the risk you incur. Specifically if you intend to visit adult (porn) or warez (pirated software) sites your risk is increased exponentially. Whereas reputable sites like legitimate shopping sites or wikipedia are relatively low risk, a trip to the typical warez site can almost guarantee several of the above threats being real and present. So the moral of this story is don’t even think about stealing software or surfing for porn unless you really know what you are doing and take extreme measures well beyond the scope of what I’m going to tell you about in these posts.

Using search engines – Usually all you need is a browser for this, but almost invariably search engines like Google are way more than just search engines. Google, for example, is an entire suite of web services. They have portals, email, calendar, instant messaging, contacts, office tools and a whole lot more. And they are not alone. Yahoo has similar offerings as does AOL (to some extent). And each and every one of those bad boys wants to install some kind of browser toolbar and desktop application on mom’s computer. My advice is (again see the first 4 ideas) decide on single search provider and use only what you need. Otherwise you will subject yourself to a cornucopia of conflicting crapware. Trust me, it bites wind and mom won’t like it.

Search engine risks include all of the web surfing risks listed above (well Duh! search engines raison d’être is to allow you to surf lots of places really fast). But in addition there is a search engine specific risk of search engine gaming (e.g. a porn site will intentionally embed words like “angels” or “family values” into pages just so the search engines will direct you there when you search for those words). Luckily if you are a firm adherent to the first 4 ideas, this can usually be minimized to simply an annoyance. Also most modern search engines do a pretty good job of filtering out gamed results.

Throughout this post it may seem that (in addition to not adding anything tangible to our list of ideas) I’ve been using the terms risk and threat interchangeably. Just so there’s no confusion let’s go right to the definition of the relationship between them:

Risk management is a structured approach to managing uncertainty related to a threat.

This seems like a logical place to break so we’ll pause here for station identification and finish this up in another post.

Security ideas for your mom part 1

So here’s the scenario:

Your mom wants to get a PC so she can get email, check out those internets and use the google. She’s heard about all the nasty stuff out there like in those commercials with the little old lady speaking with the voice of a biker. So she knows it’s a dangerous world out there on the internets and knows she must get some of that security to protect her. Of course she calls you, since you use that stuff all the time at work. Oh … and she thinks those “I’m a Mac, I’m a PC” commercials are really cute and that a Mac would be great because it doesn’t get any of those nasty viruses.

Sound familiar? Thought so. So what do you tell her? How about, “Gee mom, sounds like what you really need is a good cell phone, not a computer” or “Sure, get a Mac and then you can be stylish while getting pwned“. Problem is, you like your mom and want to help her make the right choice. Other problem is that you also like your significant other and really don’t want to commit to a full-time tech support gig.

What you’ve just encountered is the fundamental problem in personal computer security. For years Bill and Steve have been telling us that a personal computer is an appliance, just like a television or a toaster. That certainly sells lots of PCs and Macs but the problem is that, well, it’s balderdash. Hogwash. Crapola. When you purchase your first computer you discover this right away. Ahh, but not to worry – Uncle Bill (actually Uncle Steve now) has you covered. They’ll automatically push out fixes (to stuff they built wrong!) to keep you safe and secure. Okay… But wait! There’s more! There are many companies out there just dying to help you be more safe and secure who can’t wait to get their hands on your money. So before you know it that spiffy new computer you bought runs like a bloated turtle and you get to pony up annual payments for that privilege. And are you really safe and secure? Maybe. Possibly. Who knows?

So let’s go back to the original question: what is security in this context? What are the risks that your mom will face online and how does she manage them? Can you really “buy security” (or lease it per current business models) to manage these risks? Hang on there, Hoss! You just listen to Uncle Joe before you turn over any of mom’s hard-won dinero. Here is the Joe’s official in order list of security ideas for your mom.

Security Ideas for Mom

  1. Think. Don’t be an idiot. The vast majority of cyber incidents that result in actual damage could have been prevented by a simple smell test. This covers a lot of territory, but basically it comes down to this – use common sense. Obvious stuff like, don’t open email attachments you weren’t expecting or can’t identify. Or if something pops up you don’t understand – find out what it is before you click on it. My friend, a computer novice, recently upgraded to get online. He had all of the stuff you are supposed to have including anti-virus software from a leading vendor (think yellow box). So he gets this browser pop-up while he’s surfing that says “Your computer is infected with a virus!!! Press this button to remove it and make your system safe!!!” So he does. And it does heinous things to his computer, including disabling his spiffy yellow AV. DOH! It’s time to put that PC out of it’s misery and start over. This ugliness could have been prevented had my friend, an otherwise intelligent person, just thought about it for a moment and asked himself one simple question: “does this seem fishy?” (the smell test!). But isn’t that a little harsh? I mean we already established that he’s a computer novice. No, actually, it’s a dandy segue into the next point.
  2. Learn how to use your hardware and software. Or stated in the reverse, don’t use something you don’t understand. What I’m not suggesting here is that mom should become a hacker just so she can check email. Look at it this way: I don’t understand the complete operation of the stability control system in my Honda, but I do know that when the “TPS (Tire Pressure Sensor)” light comes on that I better check and adjust the tire pressure, and if the light doesn’t go off when I’ve done that I should take it in to my local Honda dealer. (Honda – here is an excellent sponsorship opportunity). The point is that you don’t need to be an expert, you just need to know basically how the system works and what it’s trying to tell you. In the example of my friend of #1, Had he known what to expect from his AV software when it encountered a virus, he wouldn’t have been fooled by the phony. If you don’t understand what a program does, then you almost certainly don’t need it. But wait – what about all that stuff that comes with mom’s new computer? Isn’t the point of that to take care of everything so that she doesn’t have to know anything about computers? In a word, NO! The purpose of that stuff – which is mostly crapware – is to sell you more stuff you don’t need. You think the company who manufactured your computer has your best interest at heart? See #1. And once again another dandy segue into the next point.
  3. It’s your computer. You don’t have to run anything you don’t want. Mom needs to show that machine who’s boss – Yeah who’s your mama! The point here is that just because your computer came with XYZ security suite (one month trial!) and your internet service provider gives you ABC security suite (the “lite” version – but for a fee you can get the real version!) you don’t have to use either. Remember – who’s your mama! If you really want to use a security suite then do a little research (see #2) and check out the many excellent free and open source packages. Chances are you can get out of this without parting with more of your dough. But more to the point, choose your computer wisely in the first place. Most folks walk into their local electronics superstore and expect the friendly sales staff to educate them about what they should buy. Duh – see #1. Why not, instead, make the idea of computer as appliance your goal? Lets take this from the top: Mom wants to a. get email, b. surf the web, c. search for information (as translated from the earlier mom-speak). My iPhone does all that and much more. In fact my iPhone does way too much for what mom needs, so she shouldn’t spend the money. My son has a modestly priced smart phone that does everything mom needs. Both phones are totally cool and pretty easy to use and you can turn off stuff you don’t need. And both are quite a bit more like an appliance than your average PC. The idea here is that you should get something that does what you need and only what you need. Also, forget the idea that you should “buy something that you can grow with”. Balderdash. Hogwash. Crapola. Whatever you buy today is going to be landfill fodder in 5 years (actually 3 years if you depreciate it with the IRS). There is no rule that says you must be able to read email, surf the web, chat with your friends, edit photographs, make music and produce movies all on the same device. Despite what the commercials say. See #1. In fact, let me assure you as a semi-serious electronic music producer, I definitely do not want my studio machine to be surfing the web. Remember – who’s your mama! Yeah I have multiple machines. One to do email and internet-related stuff and, well, lots of others to do other stuff (I admit it – I’m a geek). But my email and internet box is old (like 8 years old!) and cheap and it does it’s one job really well. Just like a toaster. Don’t be afraid to look into a mini laptop. These babies are small, cheap and will do everything mom needs. So on to the next idea (which is really a corollary to #1). Sorry lame segue this time.
  4. Your friends are clueless. Sad but true. When mom starts getting email she will no doubt have friends and relatives who think that chain letters really do bring good luck and/or prosperity and everyone they know should be alerted to the latest (to them) internet jokes and inspirational (why are angels supposed to be inspirational?) ravings. These well meaning folks will grab onto an internet hoax or urban legend and spam every one they have ever known with it. Some of these will turn out to be phishing scams, or “manual malware” (e.g. “to defeat this evil virus that no AV software can detect remove the KERNEL.SYS file“). Bottom line is, mom should seriously suspect any content she receives from these lovable – but clueless – folks. Especially when they state “you must see this adorable …” – no you must not. But just in case mom refuses to believe that Aunt Helen would ever send her something nasty. I know this guy in Nigeria who really needs to get a bunch of money out of the country and he’s willing to cut someone in if they’ll help him.

So before this post gets (even more) out of hand, notice that these first – and most important – four ideas have nothing to do with which anti virus software is best, or whether Macs are more secure than PCs. They are about common sense. Which isn’t all that common. I’ll actually get into addressing specific risks when “Security ideas for your mom” continues in another post.

Welcome to Security For All

Blackhawk Helicopter

Blackhawk Helicopter

It’s apropos that I’m starting this blog while enjoying the security theater accompanying the Democratic National Convention here in Denver. Specifically I’m watching the blackhawk helicopters patrolling our  friendly skies. I enjoy watching them so I’m not complaining. The point is that while it seems so obvious, preventing a terrorist attack is hardly an important element of their mission. Because that is what almost everyone thinks that security means in this context.

You see security is all about risk management and threat mitigation. So what would you think the risk of a terrorist attack occurring in Denver during the DNC – that could be mitigated by attack helicopters – would be? I’m thinking somewhere between slim and none (closer to none). So if a terrorist attack is the threat you are trying to mitigate then attack helicopters are great security theater. Fun but useless.

Now don’t interpret this as an indictment of the Department of Homeland Security. On the contrary, I believe that an important part of their mission is security theater. “Now just hold on a minute!” I hear you saying, “didn’t you just say that security theater is useless?”. Well you’ve got me. What I meant was that it’s useless in the context of actually mitigating a threat. It’s extremely useful in the sense that it shows that our government is is taking steps to protect us. Steps we can see. And we FEEL better about it. The reality of this situation is that a terrorist attack is not one of the risks being addressed by the blackhawks and security theater is just a nice side effect.

So how does this apply to you? Well, again it depends on the context (doesn’t it always?). If you are a large corporation – like the many vying for my attention and sage advice (hey, it could happen) – security is about managing the risks to your IT infrastructure, protecting your information and complying to the standards and regulations of your particular industry. If you are a small business security is about managing the risks around the communication channels to your employees and customers like making sure those channels are highly available (if your web site isn’t available your customers can’t buy anything) and that those channels are safe for both you and your customers to use (you really don’t want somebody hijacking your customers’ information or using your web site to distribute malware). If you are an individual, security is mostly about mitigating the risks of connecting to the internet without the benefit of high priced network hardware and an IT department (your kids and your son-in-law aren’t really an IT department). The point is that security has different priorities to those with different risks. I’ll address each of these different situations in detail in upcoming posts.

But right now I’m going outside and watch the blackhawks.