Old school MITM attack

In case you were thinking that Man-in-the-Middle (MITM) attacks are a modern phenomenon unique to the internet, think again. Bruce Schneier has this article about Aspidistra.

Aspidistra was a World War II man-in-the-middle attack. The vulnerability that made it possible was that German broadcast stations were mostly broadcasting the same content from a central source; but during air raids, transmitters in the target area were switched off to prevent them being used for radio direction-finding of the target.

The exploit involved the very powerful (500 kW) Aspidistra transmitter, coupled to a directional antenna farm. With that power, they could make it sound like a local station in the target area.

With a staff of fake announcers, a fake German band, and recordings of recent speeches from high-ranking Nazis, they would smoothly switch from merely relaying the German network to emulating it with their own staff. They could then make modifications to news broadcasts, occasionally creating panic and confusion.

Yep – those comsec boys have always been pretty sneaky. And the lesson hasn't changed: when the receiver has no way to authenticate the source, the louder (or better positioned) impostor wins, and a gap in the legitimate signal is all the opening an attacker needs.

7 Lessons SMBs can learn from big IT redux


David Strom has an interesting article in Network World about 7 Lessons That SMBs Can Learn from Big IT. It’s basically sound and definitely worth checking out. But there are some important gotchas and caveats that didn’t make the cut. So I thought I’d just stuff in a few extra ideas and warnings into the list.

1. Standardize on Desktops and Cell Phones to Reduce Support Differences

This is really a great idea, and you will definitely save money, pain and suffering by standardizing your hardware and software. It would work really well in an ideal world where you started from zero, with no existing "legacy" equipment or software, and could bring everything in new. The problem is that not only do you have legacy hardware and software, you also can't afford to refresh every desktop or cell phone simultaneously. So what you are forced to do is review your standards continuously and develop a "refresh path plan" that takes into account that different departments (or users) have completely different refresh schedules. For example, you may need to refresh engineering every year, while accounting can probably go three years. This also leads to some gnarly incompatibilities between different versions of software. A notorious example is brought to you by Microsoft, which chose a new, improved and decidedly not backward compatible default format for Word documents in Office 2007, so older copies of Word could not open them without an add-on. Finally there is the problem of what "standard" means to hardware vendors. Just for grins, compare the actual components in early and later shipments of the same Dell model number: same SKU, different parts inside. So keep in mind that if you choose to save money by standardizing on consumer hardware, you run the risk of driver and image incompatibilities even within the same model number.

2. Perform Off-Site Backups

Off-site backups are definitely a must have. But they must also be automatic: no transferring data by hand from one place to another. Recall those data breaches by way of lost backup tapes? The same lesson says the data should be encrypted before it leaves the building. David suggests some online solutions and even cites a nifty side effect of this method.

Earlier this summer, Damian Zikakis, a Michigan-based headhunter, had his laptop stolen when someone broke into his offices. He replaced it a few days later; and because he had used Mozy, he thought that he was covered in terms of being able to bring back his files from the Internet backup.

When Zikakis had a moment to examine the layout of his new machine, he “found several incriminating files. The individuals who had my computer did not realize that the Mozy client was installed and running in the background. They had also used PhotoBooth to take pictures of themselves and had downloaded a cell phone bill that had their name on it,” he says.

Another possibility is to use your web hosting provider or colocation service to provide backup and archive space. In any case, it has to be offsite, easy and automatic, otherwise it just won't work.

3. Use Hardware to Secure Your Internet Connection

An article like this really shouldn't have to include a point this obvious. But sadly it does. Not only that, it cannot be stressed strongly or often enough that you have to understand and configure your security hardware. You can't just plug it in and be safe. Furthermore, the appropriate selection of a security solution is critical. No, they are not all created equal. And no, they don't all do the same things. The hardware that David mentions by way of example is a Unified Threat Management (UTM) system, which generally puts quite a bit of security functionality (firewall, VPN, intrusion prevention, content filtering) into a single box. UTMs basically secure your internet access, and if you intend to become larger than an SMB you need to be aware that they don't scale up that well. Also, if your problem is access control rather than internet security, a Network Access Control (NAC) system might be more appropriate. Or you might need both. Or something lighter weight like StillSecure's Cobia network platform. Or something completely different. The point is that while everyone agrees that you need something, just which something is not a trivial question. There is no one-size-fits-all security solution. Here's where judicious use of your consulting budget makes a lot of sense. And no, I'm not a consultant. I just play one on the internet.

4. Use a VPN

If you don’t like eavesdroppers and you do anything remotely, you need a Virtual Private Network (VPN). Period. They are cheap, easy to set up and will probably even come with that UTM solution you are considering in #3. If you choose to do this in-house instead of using a managed VPN service like the ones mentioned by David, make sure you have the internal expertise to handle it. Do not hire a contractor to set up your VPN. Either outsource it all or none of it.

5. Run Personal Firewalls, Especially on Windows PCs

Actually, what this title should probably be is “Run a desktop security suite on Windows PCs and make sure that all endpoints are compliant with your policies before you let them on your network.” While that is certainly longer winded than David’s succinct title, it more accurately captures what he is saying. The point is that you should have a desktop security policy that specifies what software your network endpoints must be running, and a way to determine whether your network endpoints are compliant with that policy. The best way to accomplish that is with a Network Access Control (NAC) solution, like the Napera appliance mentioned in the article. There is, as usual, more to the story. Once you determine that an endpoint is non-compliant, you can’t quarantine it forever. You have to provide a remediation mechanism, preferably automated, so that the user can get back to work as soon as possible. It’s been my experience that sales guys get really cranky if you quarantine them for a long time. And just try that with your CEO. Bet it only happens once. And if you are going to have a NAC solution in place, what about “guest” users, you know, contractors, visiting product reps, partners? They all need varying levels of access to your network as well, while you still need to be protected. The point is that this isn’t as easy as slapping in an appliance and declaring your endpoint compliance problems solved. If a sales guy tells you different, hang up the phone. Now.
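To make the compliance, quarantine and remediation flow above concrete, here is an added Python sketch (example code written for this page, not from David Strom's article, Napera or this blog). It models a posture policy per user tier, evaluates an endpoint against it, and instead of a dead-end quarantine returns a remediation VLAN plus the list of actions needed to get back on the network. Guests get a separate low-privilege tier rather than the employee checks. The tier names, software names, VLAN names, patch levels and thresholds are assumptions for illustration.

```python
"""Endpoint posture check with tiered access and remediation (added example)."""
from dataclasses import dataclass, field

# Hypothetical policy table: tiers, software names, thresholds and VLAN
# names are assumptions for this example, not taken from the article.
POLICY = {
    "employee": {
        "required_software": {"antivirus", "personal_firewall"},
        "max_signature_age_days": 7,
        "min_patch_level": 10,
        "compliant_vlan": "corp",
    },
    "contractor": {
        "required_software": {"antivirus"},
        "max_signature_age_days": 14,
        "min_patch_level": 8,
        "compliant_vlan": "partner",
    },
    "guest": {  # visitors: no posture checks, but internet-only access
        "required_software": set(),
        "max_signature_age_days": None,
        "min_patch_level": None,
        "compliant_vlan": "guest",
    },
}

# Quarantine VLAN that reaches only the patch and AV update servers, so a
# non-compliant endpoint can fix itself and come back without a help desk call.
REMEDIATION_VLAN = "remediation"


@dataclass
class Decision:
    vlan: str
    findings: list = field(default_factory=list)
    remediation: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def evaluate(endpoint: dict, policy: dict = POLICY) -> Decision:
    """Return the VLAN to place the endpoint on and what it must fix, if anything."""
    role = endpoint.get("role", "guest")
    if role not in policy:
        # Unknown roles fall to the least-privileged tier instead of being rejected.
        role = "guest"
    rules = policy[role]
    decision = Decision(vlan=rules["compliant_vlan"])

    installed = set(endpoint.get("software", ()))
    for pkg in sorted(rules["required_software"] - installed):
        decision.findings.append(f"missing {pkg}")
        decision.remediation.append(f"install {pkg}")

    max_age = rules["max_signature_age_days"]
    sig_age = endpoint.get("signature_age_days")
    if max_age is not None and "antivirus" in installed:
        if sig_age is None or sig_age > max_age:
            decision.findings.append(f"antivirus signatures older than {max_age} days")
            decision.remediation.append("update antivirus signatures")

    min_patch = rules["min_patch_level"]
    level = endpoint.get("patch_level", 0)
    if min_patch is not None and level < min_patch:
        decision.findings.append(f"patch level {level} below baseline {min_patch}")
        decision.remediation.append("apply pending OS patches")

    if decision.findings:
        decision.vlan = REMEDIATION_VLAN
    return decision


# Constructed sample endpoints (not real inventory data).
SAMPLE_ENDPOINTS = [
    {"host": "eng-01", "role": "employee", "software": ["antivirus", "personal_firewall"],
     "signature_age_days": 2, "patch_level": 12},
    {"host": "sales-07", "role": "employee", "software": ["antivirus"],
     "signature_age_days": 30, "patch_level": 9},
    {"host": "visitor-mac", "role": "guest", "software": []},
    {"host": "ceo-laptop", "role": "ceo", "software": []},  # unknown role
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        d = evaluate(ep)
        print(f"{ep['host']:<12} -> {d.vlan:<12} {'; '.join(d.remediation) or 'ok'}")
```

The sales laptop lands on the remediation VLAN with three concrete fixes rather than an indefinite quarantine, and the unknown "ceo" role is deliberately mapped to guest access, which is exactly the conversation with the CEO that the text warns you will only have once.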

6. Rely on VoIP PBX for Your Phone System

This is definitely one of the biggest money and time savers you can do. The services associated with a good VoIP PBX system are killer, and my experience with these systems has been excellent. The only caveat here is that you should definitely get VoIP as a managed service unless you have some really serious talent in-house. If you think you can just whip up an Asterisk server on one of your Linux boxes and you are good to go, think again. VoIP is very cool, and it isn’t that hard if you really know what you are doing. Which I don’t, and you probably don’t either.

7. Have a Solid Test Plan for Adding New Technology

This is probably the most important point. Treat your technology test plan like an actual project. It’s not good enough to simply say, “Joe will look into it”. That’s not a plan. And it assumes that Joe will do it during his slack time (an IT guy with slack time – whoa!). What will actually happen is that Joe will call one or two vendors and talk to the nice sales folks and ultimately pick the one with the best swag or the hottest looking booth babes. Just pony up and do it right. It will save you beaucoup time, money, pain and suffering. And you stand a chance of actually developing some of that in-house expertise.

Prophecy for 2009


Last week Dr. Anton Chuvakin posted this succinct blog entry inquiring “Which Blogger Will Post 2009 Predictions First?” Since almost immediately Michael Janke posted “Janke’s Official 2009 Technology Predictions”, I guess I’m a little late (curses, foiled by Janke again!). But not to be outdone, and dying to try on my old testament prophet hat, I decided to post my prophecy for 2009. Now for those less theologically inclined, prophecy is less about making predictions and more about connecting the dots, as in “you have been behaving like this, so expect that”, usually with a divine attribution. While I’m certainly no Ezra or Jeremiah, I think I’m pretty safe with the following prophecy.

Beware ye greedy purveyors of unwise sub-prime mortgages and pernicious credit default swaps for your time of litigation is at hand.

It’s not hard to imagine that with all of the billions, yea even trillions, lost in the recent market collapse there will be hell – or rather shareholders, FTC, FDIC, and litigants of all stripes – to pay. I think we can expect a whole lot of work in the e-Discovery sector. But before the aforementioned greedy purveyors breathe any sighs of relief over their carefully eliminated electronic tracks, just remember: this is not 1999, and courts are disinclined to cave in to the old “we lost the archive” or “the amount of data you are asking for is unmanageable” excuses. Take for example this case mentioned in the Electronic Discovery Blog, wherein the defendant tried to convince the judge that the burden of producing the electronic evidence was too onerous, and then still failed to pony up when the court gave them direction.

In an ongoing dispute regarding discovery of e-mail on backup tapes, plaintiff requestor had asked for recovery of e-mail boxes on two backup tapes and had provided search terms. Defendant producers had searched only the mailboxes of seven individuals whom requestor had sought to depose. The court had granted requestor’s motion to compel producers to search all mailboxes on the tapes (as well as an additional tape selected by requestor) as the results were producing “meaningful discoverable information.” The court suggested however, “that Plaintiff be more artful with its search terms and that Plaintiff utilize a list of the people, provided by Defendants, to review whether all mailboxes needed to be searched. The court also granted Defendants the opportunity to narrow the search terms.”

Producers failed to provide the list suggested by the court and did not narrow the search terms. The results of the search produced thousands of documents, and producers sought relief from being required to review and produce all of the results.

In weighing the circumstances, the court acknowledged the massive amounts of electronic information which had been involved in the case, along with the burdens of working with it. However, “the court gave Defendants numerous tools by which to reduce the burden of e-mail discovery, including an opportunity to limit Plaintiff’s search terms and an opportunity to provide a list by which the number of peoples and the number of boxes being searched could be reduced. Defendants did not take advantage of these opportunities. Defendants must now lie in the bed that they have made.”

That’s harsh, but hey, like I said this ain’t 1999, and today’s courts have been to this rodeo a few times, cowpokes. Or how about this case from the Electronic Discovery Blog wherein the defendant tried to argue that the only person who understood their email system was a consultant from Switzerland who refused to testify. Sorry, no takers on this excuse either.

Producer had argued that the requested information was irrelevant to requestor’s claims, and that the only source of information on producer’s systems was an independent consultant in Switzerland who had refused to testify. The court observed that the designated deponent has a duty of being knowledgeable on the subject matter identified in the area of inquiry. A corporation must prepare its selected deponent to adequately testify not only on matters known by the deponent, but also on subjects that the entity should reasonably know.” The court further stated:

In modern litigation, discovery almost always involves the production of documents stored on computers, servers and other electronic facilities. It is commonplace in litigation to inquire of a corporate defendant the steps it took to find and produce documents relating to the litigation, as well as the corporation’s electronic document storage and retrieval systems, in order to ensure that discovery was diligently completed. Where a defendant has failed to produce any meaningful documents in response to Plaintiff’s discovery requests, the need for and relevance of this inquiry is unquestionable.

Looks like the days when you could dazzle ’em with your brilliance or baffle ’em with your steer manure have waned considerably. Playing ignorant doesn’t seem to fly either.

So back to the prophecy. Expect litigation. Lots of litigation. And don’t expect sympathetic courts. We bailed them out so we could crucify them. How very biblical. Thus spake the prophet Joseph.

Symantec finds the underground cyber economy

I'm shocked, shocked

The Security For All “I’m Shocked, Shocked!” award goes to Symantec, who according to this article in MacWorld has uncovered an underground cyber economy. In case you are very young or not into classic movies, the award name comes from this classic dialog in Casablanca.

Rick: How can you close me up? On what grounds?
Captain Renault: I’m shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
Captain Renault: Everybody out at once!

That’s right folks, I’m shocked, shocked to find that there is an underground cyber economy! In any case here is some of the big news that those crack Symantec investigators uncovered in their year long study.

Stolen credit cards topped the list of items for sale, and made up 31 per cent of all the goods on offer, while bank details were second most popular with 20 per cent.

While stolen credit card numbers sell for as little as between $0.10 and $25 per card, the average advertised stolen credit card limit observed by Symantec was more than $4,000. Symantec has calculated that the potential worth of all credit cards advertised during the reporting period was $5.3 billion.

The research also found that credit card information is often sold to fraudsters in bulk, with discounts or free numbers provided with larger purchases.

Yikes! Say it ain’t so Symantec! You mean that all those stolen credit card numbers end up for sale on the internet. I’m shocked, shocked! But wait there’s more.

During the 12-month period Symantec found 69,130 distinct active advertisers and 44,321,095 total messages posted to underground forums. Many are invitation-only forums, while IRC chat channels are also a popular way for cyber criminals to sell and share information.

Underground forums? On the internet? I’m shocked, shocked!

Seriously though, this study by Big Yellow is definitely valuable in that it puts some real numbers to stuff we all know has been going on for a long time. I’m hoping that CSOs can use these numbers to scare their C-level cohorts into ponying up for programs to protect customer data – especially those credit card numbers. But what I’d really like to see is a study that correlates specific batches of bank card numbers for sale to specific breaches. Yeah, we already know where the stolen goods are being fenced; what we’d really like to know is who the negligent bozos are that lost them. When that happens I will truly be shocked, shocked.

Get Safe Online


Last week was the fourth annual Get Safe Online Week in the UK. Like most Americans, I wasn’t paying attention and didn’t hear about it until after the fact. But, better late than never. That’s because the Get Safe Online folks, whose founding members include CSIA, HSBC, Microsoft and SOCA, have an excellent site with a lot of great resources. The site is targeted at beginners, but links to some pretty serious stuff, as one can when one of your founders is the Serious Organised Crime Agency (SOCA).


Definitely give this URL to the online neophytes in your life. And go there yourself. Be sure and take the Test Your Safety Skills quiz. I got 9 out of 10. While I might argue about whether I should have received a perfect score, it made me think. And it was definitely worthwhile. Check it out.

Is suing your customers for fun and profit unconstitutional?


The entertainment industry has always baffled me. That’s probably why I never became a pop star. Well that and lack of talent. Actually, I understand the entertainment part of the industry, it’s the copyright policing groups like the Recording Industry Association of America (RIAA) that confuse me. This group is infamous for their Gestapo-esque tactics including lawsuits against file-sharing teens who pirate copyrighted content. The rationale goes something like this. Actually, exactly like this. I quote the RIAA:

It’s commonly known as piracy, but it’s a too benign term that doesn’t even begin to adequately describe the toll that music theft takes on the many artists, songwriters, musicians, record label employees and others whose hard work and great talent make music possible.

Music theft can take various forms: individuals who illegally upload or download music online, online companies who build businesses based on theft and encourage users to break the law, or criminals manufacturing mass numbers of counterfeit CDs for sale on street corners, in flea markets or at retail stores. Across the board, this theft has hurt the music community, with thousands of layoffs, songwriters out of work and new artists having a harder time getting signed and breaking into the business.

One credible analysis by the Institute for Policy Innovation concludes that global music piracy causes $12.5 billion of economic losses every year, 71,060 U.S. jobs lost, a loss of $2.7 billion in workers’ earnings, and a loss of $422 million in tax revenues, $291 million in personal income tax and $131 million in lost corporate income and production taxes. For copies of the report, please visit www.ipi.org.

And so the gallant RIAA ventures forth to sue those scoundrels into submission. Thereby, no doubt, recouping some of the $12 billion pilfered. In what universe does this make any sense? Our customers aren’t buying our products because our business model sucks, so we sue them. You bet.

Yeah, but if you were one of those poor starving musicians who are championed by the RIAA you might have a different opinion. Might I? Let me tell you, pilgrim, I am one of those poor starving musicians (well, a poor musician at any rate), and like many of my more talented and famous peers, such as David Draiman and Janis Ian, I get nothing from the RIAA. Except severe gluteus maximus irritation. I think David Draiman summed it up pretty well in an interview with the San Francisco Chronicle.

“This is not rocket science–instead of spending all this money litigating against kids who are the people they’re trying to sell things to in the first place, they have to learn how to effectively use the Internet.” Draiman asserts that the actions taken by the Recording Industry Association of America (RIAA) are protecting corporate profits, not artists: “For the artists, my ass…I didn’t ask them to protect me, and I don’t want their protection.”

So is this going to be another interminable, pointless rant about the RIAA? Fortunately, no. It’s not.

Finally a breath of fresh sanity stands against the RIAA legal juggernaut. A Harvard law professor, Charles Nesson, along with two third-year law students, has hit back hard at the RIAA’s efforts in a court filing, where it’s noted that the very basis for many of the RIAA’s lawsuits is very likely unconstitutional.

Imagine a statute which, in the name of deterrence, provides for a $750 fine for each mile-per-hour that a driver exceeds the speed limit, with the fine escalating to $150,000 per mile over the limit if the driver knew he or she was speeding. Imagine that the fines are not publicized, and most drivers do not know they exist. Imagine that enforcement of the fines is put in the hands of a private, self-interested police force, that has no political accountability, that can pursue any defendant it chooses at its own whim, that can accept or reject payoffs in exchange for not prosecuting the tickets, and that pockets for itself all payoffs and fines. Imagine that a significant percentage of these fines were never contested, regardless of whether they had merit, because the individuals being fined have limited financial resources and little idea of whether they can prevail in front of an objective judicial body.

The RIAA intimidates and steamrolls accused infringers into settling before they have their day in court and before the courts can weigh the merits of their defenses. The inherent dangers in allowing a single interest group, desperate in the face of technological change, led by a voracious, cohesive, extraordinarily well-funded and deeply experienced legal team doing battle with pro se defendants, armed with a statute written by them and lobbied and quietly passed through a compliant congress, to march defendants through the federal courts to make examples out of them should lead this Court to say “stop.”

What can you add to that? Except So long, and thanks for all the fish. And you go Charles!

OLPC G1G1 2008

The One Laptop Per Child (OLPC) organization, creators and purveyors of those cute green and white XO laptops, has announced another Give One, Get One (G1G1) program for 2008. In case you are unfamiliar with last year’s G1G1 program, it’s a deal where buyers pay for two XO laptops, get one machine for themselves, and the other is donated to a school child in a developing nation. This year the program will run from November 17 until December 31, and the details will be similar to those from last year’s program:

$199 to give a laptop to a child in the developing world.
$399 to give a laptop to a child in the developing world and get a laptop.

In addition it was announced that OLPC G1G1 2008 will be run through Amazon, which will not only solve some of the delivery issues that G1G1 2007 had, but will also make G1G1 2008 open to Europe.

When it goes on sale the XO laptop is expected to cost £268 (313 euros) and should be available in 27 EU nations as well as Switzerland, Russia and Turkey.

The Give One, Get One programme was first run in the US in November and December 2007. The OLPC organisation claims it sold almost 190,000 machines via the scheme.

Despite the success of the scheme, it drew criticism because the OLPC group had trouble delivering machines to those who had ordered one. In a bid to resolve these issues, it signed up with Amazon in September 2008.

The OLPC News site has this handy FAQ snippet about European G1G1 2008.

  1. When will G1G1 v2 be available in Europe? Monday, November 17, just like in the United States.
  2. At what price? Around $399 | £254 | €312 (No VAT will be applied, only shipping costs!).
  3. Which countries will be included? The 27 member states of the EU, plus Switzerland, Russia and Turkey.
  4. Will we get customized keyboards? No, there will only be English/International keyboards.
  5. Which power-plugs will be available? European and UK.
  6. How will I be able to order or donate? Also via Amazon’s online-store at amazon.com/xo from where you will be redirected to amazon.co.uk.

Aside from the excellent opportunity to contribute to a worthy cause, these are killer little devices. From the OLPC wiki:

The laptop is not a cost-reduced version of today’s laptop; we have fundamentally reconsidered personal computer architecture—hardware, software, and display. Unlike any laptop ever built, the laptop:

  • Creates its own mesh network out of the box. Each machine is a full-time wireless router. Children—as well as their teachers and families—in the remotest regions of the globe will be connected both to one another and to the Internet.
  • Features a 7.5-inch, 1200×900-pixel, TFT screen and self-refreshing display with higher resolution (200 DPI) than 95% of the laptops on the market today. Two display modes are available: a transmissive, full-color mode; and a reflective, high-resolution mode that is sunlight readable. Both of these modes consume very little power: the transmissive mode consumes one watt—about one seventh of the average LCD power consumption in a laptop; and the reflective mode consumes a miserly 0.2 watts.
  • Can selectively suspend operation of its CPU, which makes possible further remarkable power savings. The laptop nominally consumes less than two watts—less than one tenth of what a standard laptop consumes—so little that the laptop can be recharged by human power. This is a critical advance for the half-billion children who have no access to electricity.

Since last year some significant enhancements (“enhancements” in this context means “truly epic hacks”) have moved the XO well beyond a child’s edutainment toy. For example there are alternate user interfaces for adults to replace the Sugar interface that runs over the Fedora OS.

Thanks to the tireless efforts of many, we have a whole range of options for these newest XO laptop owners:

And yes, there is also the Windows XO option for those special kids in Peru, but until a pirate hack appears that’s not an option for G1G1’ers.

Note: In case you really want to see that “pirate hack”, I know this guy…

You can use an XO as a DVD player – a manually or solar rechargeable DVD player! Or use it as a rather large mobile phone via Skype. Or as an inexpensive e-book reader with thousands of free e-books – take that, Kindle! The XO is eminently hackable, with almost all of the user apps and glue written in Python and readily available for the tweaking enjoyment of the user. In other words, a truly educational device.

So if you know someone who could benefit from this great technology – like your kids, or your parents, or a budding hacker, or yourself – or if you would just like to support the OLPC effort, now is your golden opportunity. Do it and you can join my mesh net.