Tuesday, December 30, 2008

Unleash the hounds!

Most security people are concerned with their current firewall or SSL-VPN, but some are already thinking about the future. We all know that the current line of security products are very secure, and we already have solutions for most current threats, but it's a cat-and-mouse game. We put up firewalls, and the hackers turn their attention to our Dial-up banks. We implement call-back, and they go after the VPN cluster. We get digital certificates and they start targeting our endpoints with Trojans. This is never going to end, of course, but the question is...what's next?

As long as there is money and computers in the world, there will be cyber criminals looking for ways to get them. The question of what threats and exploits are on the horizon is being asked not only by security professionals, but also by software development companies. The 1st company to predict the next threat will possibly the first to develop a solution for it, and capitalize on it when everybody rushes to buy it. So, how do you find the winning horse?

The major shift in the security industry lately was from network security to endpoint security. As security products for the network and the backbone have matured, attackers turned to exploiting the weakness of the human nature. Trojans and spyware became a global phenomenon, opening a channel for direct access to the corporate network through any desktop. Security companies quickly developed a slew of solutions - Anti spyware scanners, Endpoint lockdown mechanisms and Network Access Control systems. By now, most companies have implemented at least some of these, but there are more threats on the horizon.

Criminals are drawn to where the money is, and in the technology world, the money is where the DATA is. While the data in your servers and workstation is probably protected well enough, there are still some sources of data that are less protected. The 1st threat, as I see it, are mobile devices. Pretty much every phone in the world today can do everything a computer can - it can hold contacts, schedules, email and files, and often quite a lot of those. Usually, money can't be stolen directly off your phone, but the personal data can be easily used for identity theft, which can be used to hack the corporate network of your company. Imagine the phone of a company's IT manager being stolen...a list of vendors the company works with can be easily compiled, orders of hardware can be diverted, and passwords can be socially-engineered. If an attacker knows when your IT manager is on vacation or in long meetings, these timetables can be used to coordinate a focused attack. All this is not new, and Security solutions for phones are already quite advanced. Some solutions encrypt the phone's internal memory, so it can't be accessed without a password. Other solutions lock out the phone or format it when given a remote command through the carrier's network. There are, of course, quite a few anti malware products as well. One thing no one is doing yet is a way to prevent the phone from being lost. Cabs, airports, coffee shops - all are prime locations for forgetting your phone, and most are never recovered. Technologies such as RFID can be used to prevent this sort of loss, but it still doesn't have significant adopters.

Another abundant data mine is home networks. Securing a wireless home network isn't hard, but many people are still afraid to mess-around with their router's settings and just leave it open. Some people are concerned about sharing their bandwidth with driver-byers, but the real danger is that an unwanted guest might have unlimited access to your computers. Even if you setup a password on your computer, an attacker has all the time in the world to brute-force it, and it's likely that the average user won't check his event log and notice the failed attempts. Securing the home network is not that hard, really, but apparently, most people don't bother. Very few companies enforce a policy to prevent or control how their employees connect the company laptop to the home network, not to mention storing business files on the home PC. An ideal solution would be for the company to give its employees desktops, which would allow the company full control over what goes on inside it.

Buy every employee a PC, on the company dime? Am I crazy? Well, it will cost a pretty penny, but consider the costs for a minute. This could amount to several hundred dollars per year per employee, but would still be only a negligible part of the cost of an employee to the company. If it would prevent even a single attack, it could be well worth it. I'm not very optimistic that many companies will adopt this idea, but what should definitely happen is an improvement to home network security and cellular phone technologies. Instead of confusing dialog boxes about TKIP, AES, WEP, WPA and Hex Keys, a home router should be secure by default, and easy to configure. For example, a router could be pre-set to generate a random password and display it on a small LCD. The user will be asked to type it into his machines when connecting for the 1st time. Same goes for phones. Phones today are like Windows 3.11. You have to really try to set a lock on it. I think that settings a strong password should be the default action when getting it from the carrier, and only users who really want to and have the know-how can bypass it. No doubt it will be annoying to many, but so is locking your home every time you leave...and yet we are all OK with that! Currently, all router producers focus on performance and price, and I've yet to see even one that boasts better security. Same for phones - it's all about the music and easy texting, but not a single device that is safer. Will we ever learn?

Monday, December 15, 2008

There's no business like the scam business

Just a few days ago, the FTC has finally decided to act against Innovative Marketing, Inc. and ByteHosting Internet Services . These two companies are responsible for many, if not most, technical support calls received by pretty much every company in the world. Their variation of spyware nicknamed "Scareware" sneak in to computers and internet sites, and notify the user that his computer is infected with viruses, urging him to buy an anti-virus from these companies. The "warning" is false mostly, and it is designed and branded to look like a genuine notification from Microsoft or the operating system.

Why did it take the FTC so much time to do something about this menace is beyond me, but the question is this - can the FTC really combat this sort of threat? Despite charging only 40$ for their software, both companies made millions of dollars, and that kind of incentive isn't going to go idle just because of some FTC barking. These companies, just like spammers and other shady or illegal operations have never cowered away from authority. In similar cases, the operators would usually disappear and re-start their operation somewhere else. Sometimes under a new name, and other times in another country. Innovative Marketing already has offices in Ukraine, pretty far from the FTCs grab. In fact, I suspect that there at least a few hundred people reading about this in the media and thinking "Hmmmmm...maybe I should start a business like that?"

The Spam market is a good analogy. We have been fighting spam for years now, and we've tried everything. We've enacted legislation , successfully sued spammers , developed technology to fight it and even raised awareness in the public , but Spam rates haven't decreased significantly. Why? Because as long as there's somebody who will buy it, there will be someone to sell it.

That sounds bleaker than I intended, but are we really going to have to live with these computer annoyances forever? I was never an optimist about human nature, and I'm afraid I can't be one here either. The human race has been battling crime since the dawn of time, and despite some very effective law enforcement and punishment systems, people are still stealing, hurting, killing and more. Bottom line? We shall always rejoice when spammers or other cyber terrorists are taken down, but the hard truth is that this is a fight that's never going to end. Maybe it's time to think of taking out some insurance...

Tuesday, December 9, 2008

The art of war

Although there's nothing nice about war, I'm using the title of Sun Tzu's famous work to raise this point: Is information security a science, or art? According to Ira Winkler of ISAG, it's definitely science, but I beg to differ. Ira raised this issue in a presentation a few months ago, and we debated this issue for a while.

According to Ira, dealing with information security is purely scientific. You learn the technology, tools, techniques and methods of the field. Whether you put that info to good or bad use is another matter, but at the bottom line, it's about knowledge and the ability to apply it.

If you ask me, I believe that hacking, and defending against hackers, is a lot more of an art than you might think. That's not to say it's not a science, but that it's much more than science. No doubt that to be any good at either side, you must learn the ropes. You need to learn your TCP/IP, understand networking, get familiar with tons of products, as well as their strengths and weaknesses, This, however, is just the first part. If you think about it, every major form of art is based on a lot of technical know-how. If you want to paint the new Mona Lisa, you need to learn how to stretch that canvas on the frame (yeah, today you can buy it pre-stretched, but you catch my drift, right?), select your colors, mix them properly, choose the brushes and start painting. To do it right, you should also learn some color theory, use of perspective and composition, the golden ratio etc. It's certainly possible to create a painting without any of those by just using a pencil or crayon and a piece of paper, but in most cases the outcome will be no more pretty, interesting or relevant than guessing someone's "1234" voice mail pin.

Basically, what I'm saying is that any art is based on some sort of technique that needs to be learned and perfected, and that while many people learn the principles of information security very thoroughly, only a handful of them have the skills to transcend the science and make it into art. This goes both for the hackers and crackers, and those who defend their company against them. It doesn't take much to install and configure a firewall, neither does it take much skill to run some well-documented exploit and break into something, but to be able to inventively use the existing technologies to circumvent a security mechanism or build an effective protection against undocumented or yet-unknown attacks is something else.

For example, let's take the well known SAMY worm that has been written by Samy Kamkar. This worm did not cause significant damage to anyone or anything, so it's a good example of a piece of art. MySpace is very well protected from users running most script commands, and so creating this worm took a lot of inventiveness by Kamkar. He spent weeks on weeks developing his code to circumvent all the various mechanisms, often inventing clever ways to sneak commands through the complex filters used by MySpace. Reading the final code (http://web.archive.org/web/20060208182348/namb.la/popular/tech.html) is not easy even for experienced web developers, but it's clearly a piece of digital poetry. A conventional poet would hunt for new metaphors or synonyms to express himself with rhyme and rhythm, similarly to how a worm writer looks for pieces of code that will "work", and that's the difference between the MySpace security team and Kamkar. The security team were just updating the filters occasionally, whenever a new way to sneak-in code was discovered. Similarly, most security managers update their systems or modify their configuration when new patches or attacks are discovered, but a rare few are as active as the hackers, spending their time researching and trying to come up with new better ways to secure their systems. One such guy, who manages security at a bank I once consulted to, was a perfect example. He spent almost no money on security products, and instead wrote mountains of scripts that blocked every attack I was aware of, and also quite a few things that were only theoretically possible back then.

Don't get me wrong - despite my praise for Karmar's work, I don't condone worm writing, and I don't mean to glorify the horrible things done by virus writers. What I am saying, though, is that hackers ARE artists, and to be able to fight back effectively, we need to become at least as artistic, or we'll always be on the defense. Maybe that's one of the reasons so many ex-hackers are making it so well in the security-officer profession? How to transform oneself from a technical expert to an artist is something that I can't tell anyone how to do, but it's certainly possible. Maybe as a first step, the CISSP certification should include some philosophy lessons, or at least a mandatory reading of the Art of War...

Wednesday, December 3, 2008

No Money=No Security?

The economic crisis is affecting everybody these days, and everybody is cutting expenses. This could mean a lost job or reduced benefits to some, but a popular way for companies to cope is by cancelling purchases of software and hardware. This is bad news for anybody who's selling anything, and many IT people will be heartbroken for having to live with an old mail server or domain controller, but a lot of companies are also postponing or cancelling upgrading their firewalls and other security products. Staying with an old piece of software or hardware for another year is certainly not fun, but when it comes to security, this is much more concerning. Information Security has always been hard to prove, and even today, many managers see it as a money hole. I'm afraid I can't do the talking for you, but here are some ways to save money without giving up security.

Unless you've been living on a tree, you must have heard of virtualization. This has many aspects, but for our purpose, I'm talking about consolidating several servers onto a single piece of hardware. This is still going to cost money, as a hosted server license costs the same, but instead of spending 20,000$ on 4 servers, you might save as much as half of that by buying a single, stronger server (You're going to need LOTS of ram!) and hosting the same 4 servers on it as virtual machines. Other than the hardware costs, using virtualization saves time, money and downtime. If your server suddenly dies, you don't have to wait several hours for tech support or parts - just move the disks to another server and you can bring up the virtual-machines almost immediately. Not convinced? How about electricity? Using one machine instead of many machines reduces the electricity bill both for the server's power consumption and cooling. Some virtualization products are given away for free, like Microsoft's Hyper-V 2008 server (http://www.microsoft.com/servers/hyper-v-server/how-to-get.mspx) and VMWare Server (http://www.vmware.com/products/server/) , so dive into it and give it a whirl!

You might not be able to afford that fancy SEM tool you've been dreaming about, but that doesn't mean you have to give up on the entire idea. Software like SEM costs an arm and a leg, but there are alternatives. I'm talking about outsourcing. Nowadays, you can outsource almost anything, including letting others watch over your servers. These kind of services are usually billable periodically and by server, and although this is more expensive in the long run, it allows better security without making huge investments. Another advantage is that the outsourced technicians might be better trained to handle emergencies, which could translate to a quicker solution in case of a virus outbreak or successful hacker attack. Not convinced? Some states and countries give better tax breaks for outsourced services than for purchased software, so this could be even cheaper than you or your manager thinks. Speaking of outsourcing, there are a lot of other services that could be outsourced, from backup to user management, so for any purchase you had to scrap, check out the outsourcing market for that area - you might be surprised at how secure you might get for a lot less money.

Play hard ball
When the economy is this bad, everybody takes some of the heat, and sales are down everywhere. This means that even robust companies that have multi-million dollar product sales are feeling it. It's also important to keep in mind that those who actually make the sales are people just like you and me. They have deadlines and quotas, and at times like these, they are anxious to protect their jobs. This means that they might go a long way in order to close another deal, esp. now (December). don't be afraid to play hard ball and negotiate. Many people feel that haggling is more appropriate for the downtown meat market, but you can afford to be a little less honorable. Play it cool and flaunt the offers you got from other vendors, and get your boss or colleague to play "bad cop-good cop". I've personally witnessed cases where such maneuvers led to 60% price reductions. Can you afford not to?

Lose some of that weight
We are all used to having a nice desktop with tons of disk space and resources, but with today's costs, it might be time to think about going thin. Thin clients have a lot of advantages, but the best one is saving money. The clients themselves are far from cheap - some cost more than a desktop, not to mention the Terminal Server costs and licensing, but it saves money in several other ways. A thin client is designed to do as little as possible, and consumes very little electricity. Some companies report a reduction of 30% on their electricity expenses after switching to thin clients. Not enough? how about support costs? Instead of having one technician per 60-70 workers, thin clients require very little support. There are no viruses, drivers, hard-drive crashes to deal with, and most problems can be fixed by a secretary (who replaces the damaged unit with a spare one). A company with 1000 employees might be able to reduce its IT staff from 15 people to just 2 or 3. Trimming people is not fun, but that might be what it takes to save the company from going under.

Tuesday, December 2, 2008

Stoneage 101

When you mention "Information Security" in front of people, most of them will shrug. "I ain't no computer guy", some might say. Truly, only very few people are "Computer Guys", but there's information anywhere, not just in computer, and so information security is no more "computers" than mice or speakers.

About a year ago, I was standing in line to buy a ticket to some concert. Apparently, the theatre was offering some sweet deal, by which you could pay for part of the ticket using reward-points accumulated with your credit card. As I was moving down the line, I noticed that the cashier was writing down on a piece of paper the credit card number of each buyer who elected to take advantage of this pitch. I raised my phone and took a snap of the cashier, and later, at home, with some image processing, I could easily decipher every number and name on the sheet.

The point of this little story is that had I been a less honest person, this little exercise in negligence could have easily led to a massive shopping spree, and this is a classic electronic fraud which has nothing to do with computers. It's easy to see who's at fault here, but blame aside, the lesson here is that information security flaws could be lurking everywhere. You could be completely computer-illiterate, but still throw out your credit card statements in the trash, thereby exposing yourself to fraud. In fact, one could say that computer-illiterate people are even more at risk than those who use computers all the time. At least when you have one, you would probably be aware of at least some of the dangers involved with open communication lines.

What you can do? 1st of all, open your eyes. Look around you. Do you have yellow notes sticking on your screen with private information that could be used to hurt you? Do you keep a bunch of sensitive documents in that unlocked top drawer in your cabinet? Is your trashcan full of documents that would go out to the public trash tomorrow, and may reveal a lot about you? If some of those are YES, here's your chance to get better. Next, open your spouse, kids, parents, family and friends ears too. Tell them this tale and help them think more critically about their data. Your parents told you when you were little that when you come in or out of the house, you should lock the door, right? That's a basic security measure that seems to go without saying, but it's up to you as a parent (now or in the future) to educate the next generation how to apply security to stuff other than doors and windows.

Monday, December 1, 2008

Is it safe?

After much debate, Israel's new smart ID Cards are going forward. This has been debated for the past 10 years, and seems that it's finally going to happen...but are we happy about it?

Israel is one of a handful of countries where every citizen is issued an ID card, and is required by law to carry it with him at all times. This immediately brings concerns about big-brother and that sort of thing, but I'm worried about some other stuff too. The "ID number" serves as the Israeli equivalent of the American SSN. Most official forms require it to be filled out, but despite the sensitivity of these numbers, the security level is astounding. A few years ago, the entire population registry database has been leaked to the internet, and now, everybody who knows how to use a browser or a P2P program can download it and search for anything. The software is called "Rishumon" or "Hipuson", and sometimes just "Mirsham" (registry in Hebrew), and it's about a 2 GB download. With this kind of data one can find anybody's ID number, as well as who are his parents, siblings and even neighbors. Are you scared yet? You should be, because Israel's ID cards are notoriously easy to forge. Sure, they use special paper and some anti-counterfeiting measures, but when you show it to a bank teller through the 1" glass, he won't notice if it's original, printed on some laser printer, or hand painted by a 4 year old. This has been tried and tested. What's even worse is the fact that there is so much demand for fake IDs - not only criminals and Identity thieves, but also illegal residents, which are flowing from the occupied territories on a daily basis, hoping to score some work in Israel.

So now you know why a smart ID is important. With something like that, it will be harder to steal someone's identity, but if the ID database has been leaked repeatedly (there were at least 4 "updates" to it since the year 2000), what happens if the smart-ID database gets leaked too? It's true that the hardware is more complicated, but it's still digital data, and if you can't trust the people who operate the entire thing, it could lead to a lot of problems. One of the aims of this program is to allow citizens to work with various government offices remotely, which takes the human factor out of the game. A crook with the right tools and inside-information can do pretty much everything with a slim chance of being detected. What then? Will they just replace all the IDs? Will they even notice it? I'm not so sure.

What I am sure of is that so much money is involved with this idea that it's definitely not the end of the mess. The process has been trusted in the hands of HP, who won the auction, but have earned a lot of scrutiny about their customer service in Israel. It's not a bad company, but if the past has taught us anything is that better hardware can't rid us of basic flaws in the system. In this case...the human factor.