<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;D0UDSX0_cSp7ImA9WxNaEUs.&quot;"><id>tag:blogger.com,1999:blog-34349059</id><updated>2009-11-25T11:07:58.349-05:00</updated><title>Beau's Computer Security Blog</title><subtitle type="html">This blog will offer tips, tricks, and stories for folks who aren't as focused on computer security as I am.  Nothing here is cutting edge, but hopefully everybody can take something away.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://beauwoods.blogspot.com/" /><link rel="hub" href="http://pubsubhubbub.appspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>30</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/BeausComputerSecurityBlog" /><link rel="license" type="text/html" href="http://creativecommons.org/licenses/by-nc-sa/3.0/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" 
href="http://pubsubhubbub.appspot.com" /><entry gd:etag="W/&quot;CUcNRXw4cCp7ImA9WxJXE0Q.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-648632860928719784</id><published>2009-06-07T12:38:00.003-04:00</published><updated>2009-06-07T12:44:54.238-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-07T12:44:54.238-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="spam" /><category scheme="http://www.blogger.com/atom/ns#" term="comment spam" /><title>Blog Comment Spammer Strikes</title><content type="html">There's a comment spammer hitting my blog. Some anti-virus company I've never heard of, possibly some rogue anti-malware. Lame. So I've turned on moderation for my old posts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-648632860928719784?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/n_7QtQ82JaE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/648632860928719784/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=648632860928719784" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/648632860928719784?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/648632860928719784?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/n_7QtQ82JaE/blog-comment-spammer-strikes.html" title="Blog Comment Spammer Strikes" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2009/06/blog-comment-spammer-strikes.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C08BQH09fCp7ImA9WxZRFk4.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-8669830375191921322</id><published>2008-02-09T23:29:00.000-05:00</published><updated>2008-02-10T03:24:11.364-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-02-10T03:24:11.364-05:00</app:edited><title>Wordlist Manipulation</title><content type="html">Today I wanted to append and/or prefix a &lt;a href="http://en.wikipedia.org/wiki/Brute_force_attack"&gt;brute force&lt;/a&gt; &lt;a href="http://packetstormsecurity.org/Crackers/wordlists/"&gt;wordlist&lt;/a&gt; with some numbers, to generate some likely passwords. 
I couldn't find a good program to do this, so I tried my hand at some shell scripting. I got too ambitious and tried to add functions to remove duplicates (using the '&lt;a href="http://unixhelp.ed.ac.uk/CGI/man-cgi?uniq"&gt;uniq&lt;/a&gt;' Unix command), sort the list (using the '&lt;a href="http://unixhelp.ed.ac.uk/CGI/man-cgi?sort"&gt;sort&lt;/a&gt;' Unix command) and do replacement (using the '&lt;a href="http://unixhelp.ed.ac.uk/CGI/man-cgi?sed"&gt;sed&lt;/a&gt;' Unix command). But all of these proved too time consuming to do right. I didn't want to force the list to be sorted alphabetically in case it was already sorted in a different way (likelihood of use, for example), so the 'uniq' command was useless. And the 'sort' command is so easy you might as well just use it alone.  I didn't feel like putting the time into developing the "replace" function since I don't use it all that often (except for capitalizing the first letter, but &lt;a href="http://www.hoobie.net/brutus/"&gt;Brutus&lt;/a&gt; has a tool to do that). So here's my script. Don't laugh, it's the first coding I've done since &lt;a href="http://www.drscheme.org/"&gt;Dr. Scheme&lt;/a&gt;, about 5 years ago.&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;&lt;br /&gt;#!/bin/sh&lt;br /&gt;&lt;br /&gt;##  listperm.sh - Takes a wordlist and performs permutations on it&lt;br /&gt;##  Copyright (C) 2008 Beau Woods (beauwoods.com)&lt;br /&gt;##&lt;br /&gt;##  This program is free software: you can redistribute it and/or modify&lt;br /&gt;##  it under the terms of the GNU General Public License as published by&lt;br /&gt;##  the Free Software Foundation, either version 3 of the License, or&lt;br /&gt;##  (at your option) any later version.&lt;br /&gt;##&lt;br /&gt;##  This program is distributed in the hope that it will be useful,&lt;br /&gt;##  but WITHOUT ANY WARRANTY; without even the implied warranty of&lt;br /&gt;##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
See the&lt;br /&gt;##  GNU General Public License for more details.&lt;br /&gt;##&lt;br /&gt;##  You should have received a copy of the GNU General Public License&lt;br /&gt;##  along with this program.  If not, see http://www.gnu.org/licenses/.&lt;br /&gt;&lt;br /&gt;##  This script will take a wordlist and either prefix (-p) or append (-P)&lt;br /&gt;##  each line with each line of the file it is to be combined with. For&lt;br /&gt;##  modularity, it will generate new lists rather than overwriting the&lt;br /&gt;##  old ones.&lt;br /&gt;&lt;br /&gt;##  Command line options:&lt;br /&gt;##  -in [filename] - This is the wordlist you want to permutate.&lt;br /&gt;##  -out [filename] - This is the list of characters to add.&lt;br /&gt;##  -p [filename] - This will prefix the wordlist with another list.&lt;br /&gt;##  -P [filename] - This will append the wordlist with another list.&lt;br /&gt;&lt;br /&gt;vflag=on&lt;br /&gt;ops=0&lt;br /&gt;while [ $# -gt 0 ]&lt;br /&gt;do&lt;br /&gt; case "$1" in&lt;br /&gt;  -in) infile=$2; shift;;&lt;br /&gt;  -out) outfile=$2; shift;;&lt;br /&gt;  -p) prefile=$2; shift;;&lt;br /&gt;  -P) postfile=$2; shift;;&lt;br /&gt;  *) echo "Error: Unexpected Argument: "$1; error=1; break;;&lt;br /&gt; esac&lt;br /&gt; shift&lt;br /&gt;done&lt;br /&gt; &lt;br /&gt;##  This if block will check to see if the input file is given and will&lt;br /&gt;##  throw an error if not.&lt;br /&gt;if [ -z $infile ]; then&lt;br /&gt; echo "Error: No input file specified."&lt;br /&gt; error=1;&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;##  This if block will check to see if the output file is given and will&lt;br /&gt;##  throw an error if not.&lt;br /&gt;if [ -z $outfile ]; then&lt;br /&gt; echo "Error: No output file specified."&lt;br /&gt; error=1;&lt;br /&gt; else&lt;br /&gt; ##  This checks to see if the output file exists and if it does, throws&lt;br /&gt; ##  an error and exits the program. 
I don't want to clobber the file.&lt;br /&gt; if [ -f $outfile ]; then&lt;br /&gt;  echo "Error: The output file already exists. Please delete it"&lt;br /&gt;  echo "       and rerun the script."&lt;br /&gt;  error=1;&lt;br /&gt; fi&lt;br /&gt; ##  OK, now that we know the file doesn't exist, let's create it!&lt;br /&gt; touch $outfile&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;##  This if block checks to see if more than one permeutation operation&lt;br /&gt;##  is called and if so, throws an error message.&lt;br /&gt;if [ $ops -gt 1 ]; then&lt;br /&gt; echo "Error: Only one permeutation option may be run at once."&lt;br /&gt; error=1;&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;if [ $error ]; then&lt;br /&gt; echo &gt;&amp;amp;2&lt;br /&gt; echo "Options: -in [filename] -out [filename] -p [filename] -P [filename]"&lt;br /&gt; echo ""&lt;br /&gt; echo "  This script will take a wordlist and either prefix (-p) or append (-P)"&lt;br /&gt; echo "  each line with each line of the file it is to be combined with. For"&lt;br /&gt; echo "  modularity, it will generate new lists rather than overwriting the"&lt;br /&gt; echo "  old ones."&lt;br /&gt; echo ""&lt;br /&gt; echo "  Command line options:"&lt;br /&gt; echo "  -in [filename] - This is the wordlist you want to permutate."&lt;br /&gt; echo "  -out [filename] - This is the output file."&lt;br /&gt; echo "  -p [filename] - This will prefix the wordlist with another list."&lt;br /&gt; echo "  -P [filename] - This will append the wordlist with another list."&lt;br /&gt; echo ""&lt;br /&gt; exit 1;&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;##  This will determine if we are doing a prefix or append operation and will&lt;br /&gt;##  set the input file correctly. 
We could do this at the beginning, but if&lt;br /&gt;##  the arguments are out of order then something might get clobbered.&lt;br /&gt;if [ $prefile ]; then&lt;br /&gt; postfile=$infile;&lt;br /&gt; else&lt;br /&gt; if [ $postfile ]; then&lt;br /&gt;  prefile=$infile;&lt;br /&gt; fi&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;#####&lt;br /&gt;##  OK, time to start doing work!&lt;br /&gt;#####&lt;br /&gt;&lt;br /&gt;##  This checks to see if the operation is a concatenation and combines the files.&lt;br /&gt;for word in $(cat $prefile); do&lt;br /&gt; for i in $(cat $postfile); do&lt;br /&gt;  echo "$word""$i" &gt;&gt; $outfile&lt;br /&gt; done&lt;br /&gt;done&lt;br /&gt;&lt;/blockquote&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-8669830375191921322?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/_UHF2yu6hII" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/8669830375191921322/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=8669830375191921322" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/8669830375191921322?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/8669830375191921322?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/_UHF2yu6hII/wordlist-manipulation.html" title="Wordlist Manipulation" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2008/02/wordlist-manipulation.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkMCQ3g4cCp7ImA9WxZSF00.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-3320457608644616497</id><published>2008-01-30T09:45:00.001-05:00</published><updated>2008-01-30T09:47:42.638-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2008-01-30T09:47:42.638-05:00</app:edited><title>Shmoocon</title><content type="html">I'll be at &lt;a href="http://www.shmoocon.org/"&gt;Shmoocon&lt;/a&gt; in Washington, DC on the weekend after Valentine's Day. 
If anybody wants to meet up or something, get in touch with me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-3320457608644616497?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/rgISQwf6MJg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/3320457608644616497/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=3320457608644616497" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3320457608644616497?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3320457608644616497?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/rgISQwf6MJg/shmoocon.html" title="Shmoocon" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2008/01/shmoocon.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck8CR3w8cSp7ImA9WB9XFEs.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-3363242410852115280</id><published>2007-11-07T13:41:00.000-05:00</published><updated>2007-11-07T13:41:06.279-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-11-07T13:41:06.279-05:00</app:edited><title>Mac OS X Trojan Horse - Wolf in Sheep's Clothing?</title><content type="html">Recently, a Mac OS X Trojan Horse was spotted in the wild. 
&lt;a href="http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml"&gt;Pretty&lt;/a&gt; &lt;a href="http://vil.nai.com/vil/content/v_143511.htm"&gt;much&lt;/a&gt; &lt;a href="http://www.us-cert.gov/current/#mac_dns_changer_trojan"&gt;everyone&lt;/a&gt; &lt;a href="http://sunbeltblog.blogspot.com/2007/10/mac-trojan-overhype-you-tell-me.html"&gt;reported&lt;/a&gt; &lt;a href="http://isc.sans.org/diary.html?storyid=3595"&gt;on&lt;/a&gt; &lt;a href="http://securityincite.com/TDI-2007-11-01#TSN1"&gt;it&lt;/a&gt;. But the best analysis I've seen is at &lt;a href="http://blogs.securiteam.com/index.php/archives/1029"&gt;SecuriTeam&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This is not a new type of attack. There is no new vulnerability exploited. This is not a novel attack, such as a driver exploit. This does not use some new social engineering technique or distribution method. This is not the first instance of organized crime (presumably) attempting to make money from exploiting systems. So why is everybody making a big deal about the new malware? People are making a big deal about this one because of what it is not:  a Microsoft attack.&lt;br /&gt;&lt;br /&gt;This new Trojan Horse is the first one to take an established commercial malware framework to the Apple platform. For years, these fake &lt;a href="http://en.wikipedia.org/wiki/Codec"&gt;codecs&lt;/a&gt; have troubled the Windows platform, making untold amounts of money for their creators. They hijack the user's Internet experience and target people inexperienced with computers. But until now, the relatively simple task of adapting these programs for the decade old operating system has been left undone. I believe that there are two reasons for this shift.&lt;br /&gt;&lt;br /&gt;The number of people using Apple computers (and therefore OS X) has exploded over the last year and a half. 
I am currently sitting at a coffee shop and an informal survey shows that there are 12 Macs and only 6 PCs (including, unfortunately, mine). While this is an atypical distribution of hardware, it underscores the point. I know that most of these have been purchased within the last year and a half because they are almost all running on the Intel platform.&lt;br /&gt;&lt;br /&gt;As the proportion of Mac users increases, the community is bound to decrease in computer experience. For the last few years, Apple has had a loyal core of customers who are technologically savvy and educated about proper use and maintenance of their machines. However, the recent adopters are typically more casual computer users. This statistic is based on anecdotal evidence, but it seems that most other observers have drawn the same conclusion.&lt;br /&gt;&lt;br /&gt;These two trends, increased install base and decreased expertise, will continue upward as computer activities become increasingly platform independent. As more and more services are moved to a Web based format, the importance of a single operating system will diminish. However, malware will continue to exploit the underlying system resources because this is a viable source of income.&lt;br /&gt;&lt;br /&gt;Criminal organizations' involvement in computer based crime has drastically risen in prevalence and sophistication over the last few years and there is no reason to believe that this will change. Just like with any money-making organization, these enterprises wish to maximize their revenue streams by exploiting new markets. In order to grow, new resources must be acquired. It appears that Apple computers have been firmly identified as a new resource for criminals.&lt;br /&gt;&lt;br /&gt;And like any other emerging market, what is pioneered by one group will quickly be followed by other players. 
In other words, other criminal organizations will follow suit and develop their software for the OS X operating system to compete with this group's product offering. Eventually, this market segment will become more mature with a high percentage of organized criminals developing for both Windows and OS X platforms the way that other software makers do. What used to be a hobbyist market will be filled by mature product offerings.&lt;br /&gt;&lt;br /&gt;If there is nothing new about a piece of malware, it should not be a big deal. But this one &lt;u&gt;is&lt;/u&gt; a big deal that many people will only recognize too late. This Trojan Horse is something new precisely because it's just business as usual.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-3363242410852115280?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/zSDks419mOU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/3363242410852115280/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=3363242410852115280" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3363242410852115280?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3363242410852115280?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/zSDks419mOU/mac-os-x-trojan-horse-wolf-in-sheeps.html" title="Mac OS X Trojan Horse - Wolf in Sheep's Clothing?" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/11/mac-os-x-trojan-horse-wolf-in-sheeps.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkMMR309fip7ImA9WB9XEk4.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-2773453110797016160</id><published>2007-11-04T23:46:00.000-05:00</published><updated>2007-11-04T23:54:46.366-05:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-11-04T23:54:46.366-05:00</app:edited><title>Long Time, No Post</title><content type="html">It's been quite a while since I posted last. Sorry, I've been busy. But I do keep my "Interesting Articles" section updated. That is over on the right side of your screen (assuming you're looking at my blog and not the RSS feed). 
That list is all of the articles that I have read in Google Reader and chosen to "share" via the button at the bottom of each story. I wish that there was a way that you could click to get all of the links, not just the last five or so. I'm sure that there is; I just don't know how to do it, so if anybody does, drop me a line.&lt;br /&gt;&lt;br /&gt;For the record, I &lt;span style="font-style:italic;"&gt;am&lt;/span&gt; working on some other public stuff, but I'm going to keep that under wraps for now. Nothing groundbreaking or significant, just adding to the general InfoSec fluff out there. If I had as much time as I do ideas I'd live forever. Hopefully I can get better at figuring out which ones are worth pursuing so I don't spend my time starting into things that I don't end up finishing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-2773453110797016160?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/jnVJoQLFExQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/2773453110797016160/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=2773453110797016160" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/2773453110797016160?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/2773453110797016160?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/jnVJoQLFExQ/long-time-no-post.html" title="Long Time, No Post" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/11/long-time-no-post.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEUBQH4_fCp7ImA9WB5bGEo.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-7874444310528273167</id><published>2007-09-03T21:11:00.000-04:00</published><updated>2007-09-03T22:17:31.044-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-09-03T22:17:31.044-04:00</app:edited><title>Perfect Security Is Impossible</title><content type="html">I saw &lt;a href="http://securosis.com/2007/09/03/certified-site-hacked-no-compliance-checklist-or-certification-can-ever-make-you-totally-secure/"&gt;this post on securosis.com&lt;/a&gt; and it seemed like a great launching point for a discussion here.  
I want to take one point that he makes, that people seem to ask "what can I do to fix problems after the fact?"  The fact that people ask this question hides a couple of addressable assumptions they often make about computer security.&lt;br /&gt;&lt;br /&gt;The first of these is that computer problems should be addressed reactively, rather than proactively.  Some people take the stance that they will always be vigilant, but many realize that they don't always do what they should.  For example, most people know that they should have their vehicles serviced regularly for a multitude of maintenance issues, such as oil changes, brake replacement, tire rotation, fluid checks, etc.  But many of the drivers out there do not take these precautions as often as they should.  Instead, they may take the attitude of "I'll fix it if it breaks."  This may not necessarily be a conscious decision, either; it may be that the "out of sight, out of mind" rule takes over, or that the owner is too busy to attend to it at the moment.&lt;br /&gt;&lt;br /&gt;The reactive attitude also assumes that everything can be fixed and put back perfectly in place as it was.  This assumption runs a little bit deeper in most people, because they do not really know how computers operate.  On a car, a bent frame is not perfectly repairable; in our bodies, a removed organ does not grow back; in the universe, time flows only in one direction.  Yet even mechanics, doctors, and scientists may not really understand that a computer can be broken in a way that is irreparable.&lt;br /&gt;&lt;br /&gt;Fortunately, with computers we can address problems proactively.  Computer security deals with protecting Confidentiality, Integrity, and Availability (the so-called C.I.A. triad).  These are the three aspects of the rest of our lives that most of us attempt to protect, as well.  
It follows, then, that we should view our responsibilities towards keeping our computers safe as we do our responsibilities towards keeping ourselves safe.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Using caution&lt;/span&gt; applies to technology as it does to anything.  Stay away from the seedier side of the Internet as you would stay away from the seedier side of the city you live in.  If you need a hand deciding which are the well-lit streets and which are the back alleys, there are tools to help.  &lt;a href="http://www.siteadvisor.com/"&gt;McAfee Site Advisor&lt;/a&gt; is an excellent tool, and tends to err on the side of caution.  &lt;a href="http://www.k9webprotection.com/"&gt;K9 Web Protection&lt;/a&gt; will actually block many sites that you may wish to avoid, though it's not foolproof.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Be observant&lt;/span&gt; of your surroundings.  If something seems not quite right, don't be afraid to be suspicious.  If your computer is acting strangely or if the email from the IRS sounds fishy (&lt;a href="http://www.google.com/search?hl=en&amp;q=IRS+Phishing"&gt;phishy&lt;/a&gt;), then investigate the problem.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Be ready&lt;/span&gt; to &lt;span style="font-weight: bold;"&gt;take action&lt;/span&gt;.  When you have determined that something strange is definitely going on, make sure you know what to do.  If you don't know what to do, then know who you can speak with to find out.  But more importantly, when you have figured out the proper action to take, don't delay!  Many issues are exacerbated by doing nothing when you should be doing something (or vice-versa).&lt;br /&gt;&lt;br /&gt;Finally, &lt;span style="font-weight: bold;"&gt;be prepared&lt;/span&gt; to fix or work around the problem.  Something will happen someday that will compromise the C.I.A. of your computer.  
Whether that means you delete the wrong files, you get a virus, or your house burns down, something will happen to your digital life someday.  No one, even us geeks, is immune.  Have backups, antivirus, etc. ready when you need them.&lt;br /&gt;&lt;br /&gt;All of these lessons can, and should, be applied to the real world.  Most of us understand this, even if we don't practice it every day.  But too many people don't seem to realize that computers are not immune from the same physical realities of everything else.  Either that or they are afraid to ask about these things.  But Murphy's Law still applies, as does the principle that anyone can learn how to defend themselves against it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-7874444310528273167?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=1cpmDyAh3EE:f_IXXPu14nc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=1cpmDyAh3EE:f_IXXPu14nc:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=1cpmDyAh3EE:f_IXXPu14nc:YwkR-u9nhCs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=YwkR-u9nhCs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=1cpmDyAh3EE:f_IXXPu14nc:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?i=1cpmDyAh3EE:f_IXXPu14nc:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=1cpmDyAh3EE:f_IXXPu14nc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?i=1cpmDyAh3EE:f_IXXPu14nc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=1cpmDyAh3EE:f_IXXPu14nc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/1cpmDyAh3EE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/7874444310528273167/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=7874444310528273167" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7874444310528273167?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7874444310528273167?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/1cpmDyAh3EE/perfect-security-is-impossible.html" title="Perfect Security Is Impossible" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/09/perfect-security-is-impossible.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEMARXw8cCp7ImA9WB5UEEQ.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-3304264282365588363</id><published>2007-08-14T18:45:00.000-04:00</published><updated>2007-08-14T07:54:04.278-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-14T07:54:04.278-04:00</app:edited><title>More On What IT Wants To Tell You</title><content type="html">Last Tuesday, I was contacted by &lt;a href="mailto:vauhini.vara@wsj.com"&gt;Vauhini Vara&lt;/a&gt;, author of the now infamous &lt;a href="http://online.wsj.com/article/SB118539543272477927.html?mod=fpa_mostpop"&gt;WSJ article&lt;/a&gt; published last week (FYI, if you haven't listened to the podcast related to 
the article, it's worth it) with advice on how to circumvent the IT security controls their companies had put in place.  The email thanked me for my comments and asked for some help in writing &lt;a href="http://wsjonline.com/"&gt;a response to that article&lt;/a&gt;.  I took a long time creating a response before realizing that I'd gotten way off topic from the request.  So I have cleaned it up a bit and posted it below.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://online.wsj.com/article/SB118705744702696863.html?mod=hpp_us_editors_picks"&gt;follow up article&lt;/a&gt; was published today and is available to everyone for free, just as was the original article.  While the latest does give a voice to some of the concerns many security professionals had, it seems to serve mainly to placate those with concerns.  I don't believe this is something the author should be faulted for, but merely reflects everyone's interest in seeing the story be over.  At the risk of seeming unappeasable, I think that the article lacks the intensity of the first and seems to demonstrate a lack of true understanding of the topic.&lt;br /&gt;&lt;br /&gt;Again, I don't see this as Vauhini's fault, she has the near impossible task of taking something some people spend their entire lives doing and tries to boil it down to a couple of hundred words to fit into a column.  Without an in depth understanding of the subject and a gift for succinctness (which I don't have), this is incredibly difficult to do.  I would imagine that the only way to get this right would be to collaborate with a subject matter expert, allowing editing and revisions.  But this is not appropriate to the typical journalistic process.&lt;br /&gt;&lt;br /&gt;I won't spend any more time talking about this subject because there will never be complete agreement between IT security people and the employees over where an acceptable boundary is between protecting the organization and ease and freedom of use.  
There isn't even total agreement between employees or between IT security folks.  So this post will, thankfully, be my last on the subject.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;More thoughts on the topic&lt;/span&gt;&lt;br /&gt;As I mentioned in &lt;a href="http://beauwoods.blogspot.com/2007/07/at-least-ten-things-wsj-got-wrong.html"&gt;my earlier post&lt;/a&gt;, the IT department is involved in businesses to enable productivity and to contribute to the bottom line.  The information security professionals are there to provide technical oversight in the way that the physical security people do.  Several things are involved in this oversight, like being involved in the design process, putting in place administrative and technical controls, and auditing the organization's procedures.&lt;br /&gt;&lt;br /&gt;The difference between the physical security and information security is that physical security is something we are born and bred to recognize and respond to.  Things like protecting valuable assets, restricting access to locations, and preventing attacks are well understood by people because they have had to deal with these issues all their lives.  However, when computers are involved, it makes these same principles seem alien.  Computers and information networks are incredibly complicated systems and understanding them is too large a task.  Therefore it is difficult for people to have an intuitive sense of what security and usability balances are made.&lt;br /&gt;&lt;br /&gt;In designing a good access control system, for example, it is widely acknowledged that access to a facility should be granted only to those people who have a need to be there.  So systems have been put in place to make sure people walking into the building should be there, whether it is a security guard, an ID badge reader, etc.  IT security is no different in practice.  When we design, say wireless network, we also want to make sure that these precautions are taken.  
Having access to an organization's network can be just as damaging, more or less, as having physical access to the home office.  While employees may recognize the potential danger in propping open a door to the outside, they may not realize that this is the same principle as bringing in a wireless access point from home.&lt;br /&gt;&lt;br /&gt;One of the main interfaces, and problems, people have with IT security is web page filtering.  They typically don't view it as anything but trying to keep them productive on the job.  So they view circumventing this technology as a relatively benign thing to do, especially if they are taking a break.  But productivity is almost certainly not the reason why the web blocker was brought into the network.  Malicious content (whether hosted on reputable sites or on maliciously designed sites) and legal precautions (regulatory requirements, sexual discrimination law, etc.) top the list of reasons why IT security departments want to be able to block certain websites.&lt;br /&gt;&lt;br /&gt;Along with filtering web content, monitoring Internet traffic is one of the important tasks that IT security personnel perform.  In some industries, this is driven more by organizational needs than by regulatory requirements.  Many companies and governmental institutions have a need to know what comes in and goes out of their network.  Internet monitoring is one tool to help with this.  In cases where secret, confidential, or regulated information is involved, knowing if it escapes the network is critical.  This can be accidental, like a consultant emailing important documents to himself, or it can be malicious, like a key logging program transmitting credit card numbers a half a world away.&lt;br /&gt;&lt;br /&gt;However, web filtering and monitoring devices have been tasked to try and decrease the amount of time employees spend not working while they are at work.  And this is when most people come into conflict with the technology.  
A worker who wants to visit the New York Times webpage and finds it blocked may feel that these technical controls are unreasonable.  This may, in turn, cause him or her to try to circumvent them in the process of doing normal business.  For example, if an employee needs to send a log file to a vendor and it is too large to go out through the email system, using a web page to host the file might seem like an ideal way to get this done.  However, if we pretend in this scenario that the log contains records of all patients admitted to the Emergency Department of a hospital, those records are exposed on the Internet for anyone to access.&lt;br /&gt;&lt;br /&gt;With those things in mind, here are some tips to help people to work with, instead of against your IT security people.  These positive suggestions will likely work better than their "don't do this" counterparts.&lt;br /&gt;&lt;br /&gt;1.  We're here to help you help the company make money.  That's how we get fat bonuses and better toys!  If you have a legitimate business need to do something that we're preventing, talk to us.&lt;br /&gt;&lt;br /&gt;2.  We love playing with new toys!  We'd love to spend 50 grand on new wireless access points and have them around to play with.  If you can help us build a business case to do that, we'll work with you.&lt;br /&gt;&lt;br /&gt;3.  Come to us with your problems and ask us to help.  We may know an easier way of doing something through automation or simplification.  Give us the opportunity and freedom to be flexible and creative when fixing your problem and we might amaze you!&lt;br /&gt;&lt;br /&gt;4.  We take our jobs seriously and have pride in our knowledge and skills.  If you treat us with professional respect, we will do the same for you.  If you are patient and friendly with us, we are more likely to want to help you.  If you treat us well consistently, we don't forget it.&lt;br /&gt;&lt;br /&gt;5.  We enjoy being thanked and appreciated.  
Some things might take a lot of work or be especially challenging.  Thanking us sincerely is the easiest way to show you recognize this.  Baked goods and complimenting us to our boss is the best way to get us to work twice as hard for you next time!&lt;br /&gt;&lt;br /&gt;Working in IT can give you quite a few good horror stories to share.  IT security can produce some especially gruesome ones.  Some of the stories are protected by confidentiality agreements or legal order, but many of these would not be safe to print anyway.&lt;br /&gt;&lt;br /&gt;I won't give any specific stories about the type of pornography that I have seen in my job, but I have to say that I've seen more things than I could have imagined existed.  While I haven't seen anything that would be illegal, I have certainly had my eyes opened to the variety of things that people find erotic.&lt;br /&gt;&lt;br /&gt;My organization fought a network worm shortly after I became involved with information security.  It wasn't a terribly destructive or widespread one, but we spent over 200 hours cleaning it up.  After some investigation, it was determined that the worm exploited a new vulnerability and was probably brought in by someone using a personal laptop.&lt;br /&gt;&lt;br /&gt;Several times a day, the Internet monitor alerts me to the fact that someone has sent their own (or sometimes a friend or associate) personal information out on the Internet.  Whether it is their tax return being sent to their webmail address, their application for a car or payday loan or job, a background check for a tenant, many people don't realize that the information they send out can be seen by many people they don't intend.  
Most of the time, we try to contact the person or company responsible for the information to make sure that they are aware of the issue.&lt;br /&gt;&lt;br /&gt;Occasionally, we have had viruses or spyware infect computers embedded in products that we are prohibited from working on and to which we do not have access.  In these cases, we attempt to contact the vendor and, depending on the severity of the attack, treat the device as if it were nonfunctional, remove it from the workflow, and power it off.&lt;br /&gt;&lt;br /&gt;Lack of communication is one of the biggest problems that we have.  From things as simple as a vendor needing Internet access to do a presentation to departmental changes that will require hardware moves and substantial changes to organization software, sometimes people don't understand what is involved for us in doing that work.  We can't always fix a problem immediately, even if we don't have a full schedule -- fixes take real time and effort.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-3304264282365588363?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=ZkMQGJeYDro:dPBRQ3cV11Q:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=ZkMQGJeYDro:dPBRQ3cV11Q:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=ZkMQGJeYDro:dPBRQ3cV11Q:YwkR-u9nhCs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=YwkR-u9nhCs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=ZkMQGJeYDro:dPBRQ3cV11Q:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?i=ZkMQGJeYDro:dPBRQ3cV11Q:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=ZkMQGJeYDro:dPBRQ3cV11Q:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?i=ZkMQGJeYDro:dPBRQ3cV11Q:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=ZkMQGJeYDro:dPBRQ3cV11Q:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/ZkMQGJeYDro" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/3304264282365588363/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=3304264282365588363" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3304264282365588363?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3304264282365588363?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/ZkMQGJeYDro/more-on-what-it-wants-to-tell-you.html" title="More On What IT Wants To Tell You" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/08/more-on-what-it-wants-to-tell-you.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUEHRHY7fSp7ImA9WB5VE04.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-7538010519988810565</id><published>2007-08-05T14:13:00.000-04:00</published><updated>2007-08-05T14:13:55.805-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-05T14:13:55.805-04:00</app:edited><title>How To Explain The Internet To Your Grandmother</title><content type="html">In an interview for &lt;a href="http://beauwoods.blogspot.com/2007/07/new-job.html"&gt;my new job&lt;/a&gt;, I was asked how I would explain the Internet to my Grandmother.  Wow, that one caught me unprepared.  
How would I even go about explaining something which has such great complexity to someone utterly unfamiliar with the concept?  How would you do it?  How do we explain technology to the technologically challenged?&lt;br /&gt;&lt;br /&gt;I began by talking about the physical structure of the Internet: general purpose computing devices connected by optical and copper transmission conduits.  I realized that it was wrong, so I began talking about what the Internet does: connecting people, organizations, data stores, etc.  That wasn't quite right either, so I went on to explain what the Internet allows:  shopping, chatting, referencing information, etc.  This was better, but still not great.  I made analogies to talking on the phone with a network of friends and to looking up words or concepts in an encyclopedia.  Still not perfect, but I made an impression on the interviewer that was good enough to get a job offer.&lt;br /&gt;&lt;br /&gt;But the question remained with me and I have thought about it quite a bit.  The problem of how to explain anything to anyone is one that &lt;a href="http://www.google.com/search?q=%22how+to+explain+anything+to+anyone%22"&gt;almost nobody is talking about&lt;/a&gt;.  It really boils down to about three components:  a near complete knowledge of the material, adequate knowledge of the audience, and an ability to relate the two.  In answering my question, my problem was that I didn't do the latter two very well.  I really don't know enough about what problems my Grandmother faces (out of milk, how to take care of a diabetic, what to do on Tuesday afternoon with the Great-Grandkids), how she solves them (going to the store, asking a physician, reading the local paper), how well her solutions take care of the problems (very well, moderately well, poorly), and what outstanding problems she still has (how to keep someone from wanting to eat cookies, nothing going on in town this Tuesday).  
And so not knowing these things, I cannot adequately explain to her how the Internet works in a way that she will understand as being relevant to her (posting questions on forums, researching helpful websites; lesser known events, new fun things to do around the house).  Instead of doing this, I was trying to explain it to her from my point of view and taking only my concerns into account.&lt;br /&gt;&lt;br /&gt;After doing some more thinking, I came to the conclusion that I was on the right track with my explanation, but for the wrong reason.  I had the general groups right, but the format was all wrong.  The key to understanding many systems is to think about them in three layers:  What something is, what it does, and what it makes possible. The Internet then is a large number of copper, radio, or optical connections for a large number of general purpose machines around the world.  It allows communication between these disparate machines by automated processes or by human users.  It makes possible things like shopping, referencing, entertaining, etc.  There is overlap between these categories, for example protocols could fit in the "what it is" and the "what it does" but in general, this is a good way to categorize and conceptualize these divisions.&lt;br /&gt;&lt;br /&gt;The right way to come at explaining this system is to begin with the higher level, the "what it makes possible" part of the equation -- this is another reason why my explanation failed.  Analogies can be an important part of this to make sure the audience understands.  So I would begin by explaining to my Grandmother that she can order things online as she could do in a catalog.  Or she can research and ask questions of doctors, others taking care of diabetics, researchers, etc.  And she could find more local information, so maybe she could find a regular local event that the papers don't bother to include.  
This way, I have her attention and she is interested in learning how all of this is made possible.&lt;br /&gt;&lt;br /&gt;That is when I would begin to explain the details of databases, webfront shopping, user generated content sites, trustworthiness of information, etc.  I can tell her how Amazon is able to offer that reprint of a book she read as a girl when no local stores have even seemed to be able to order it for her.  I can tell her that she can share her experiences caring for a diabetic with others to help them learn from her great experience.  I can show her how her computer is a part of the global network and what that means in terms of responsibilities and freedoms.&lt;br /&gt;&lt;br /&gt;Then if she is interested in learning the technical details and inner workings of the Internet (and what Grandmother wouldn't be), I can describe these things.  I can talk to her about protocols, the OSI model, and the benefits of optical versus copper for data distribution.  As this will probably be later in the day, it will be a perfect time to address these issues as they will ease her way into sleep.  We may both pass out simultaneously when I get to the rainbow series of books.&lt;br /&gt;&lt;br /&gt;If there is an information security lesson here, it is that you really can explain to others how technology works.  You have to know your subject well, know your audience, and know how to connect the two.  But the most important part of this is to get the audience interested quickly and draw them in by connecting the audience to the subject in a way that is meaningful to them.  You can do this using the third layer of my system model, the "what does it make possible" layer.  Then you can delve deeper as is appropriate.  
It might be more difficult at first, but I think that it will become easier with more practice.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-7538010519988810565?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=HfcVAw88MLo:P-PJcDlBuX8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=HfcVAw88MLo:P-PJcDlBuX8:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=HfcVAw88MLo:P-PJcDlBuX8:YwkR-u9nhCs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=YwkR-u9nhCs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=HfcVAw88MLo:P-PJcDlBuX8:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?i=HfcVAw88MLo:P-PJcDlBuX8:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=HfcVAw88MLo:P-PJcDlBuX8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?i=HfcVAw88MLo:P-PJcDlBuX8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?a=HfcVAw88MLo:P-PJcDlBuX8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/BeausComputerSecurityBlog?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/HfcVAw88MLo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/7538010519988810565/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=7538010519988810565" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7538010519988810565?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7538010519988810565?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/HfcVAw88MLo/how-to-explain-internet-to-your.html" title="How To Explain The Internet To Your Grandmother" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/how-to-explain-internet-to-your.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEMERnozcCp7ImA9WB5VE0g.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-2708307923942582934</id><published>2007-08-03T21:50:00.000-04:00</published><updated>2007-08-05T18:20:07.488-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-05T18:20:07.488-04:00</app:edited><title>Don't Try To Con A Con Man</title><content type="html">Don't try to con a con man.  
This is the lesson learned from the 1988 movie, &lt;a href="http://imdb.com/title/tt0095031/"&gt;Dirty Rotten Scoundrels&lt;/a&gt;, starring &lt;a href="http://www.compleatsteve.com/essays/banjo.htm"&gt;Steve Martin&lt;/a&gt; and &lt;a href="http://www.michaelcaine.com/Projects.php"&gt;Michael Caine&lt;/a&gt;.  (BTW, &lt;a href="http://www.stevemartin.com/"&gt;Steve's official website&lt;/a&gt; wins the prize of funniest and most bizarre of the week, narrowly edging out &lt;a href="http://sunbeltblog.blogspot.com/2007/08/seen-in-wild-bizarre-scam-site.html"&gt;this one&lt;/a&gt; -- it's been a busy week, folks.)  This lesson is &lt;a href="http://imdb.com/title/tt0093779/quotes"&gt;one of the classic blunders&lt;/a&gt;.  Unfortunately for one of &lt;a href="http://www.msnbc.msn.com/id/3032600/"&gt;Dateline NBC&lt;/a&gt;'s producers, &lt;a href="http://tv.yahoo.com/michelle-madigan/contributor/1297133"&gt;Michelle Madigan&lt;/a&gt;, she'd never heard the corollary "&lt;a href="http://blog.wired.com/27bstroke6/2007/08/media-mole-at-d.html"&gt;never try to social engineer a hacker&lt;/a&gt;."&lt;br /&gt;&lt;br /&gt;You see, the trouble started when Ms. Madigan decided to try to infiltrate the (in)famous technology security convention, &lt;a href="http://www.defcon.org/"&gt;DefCon&lt;/a&gt; to get a story about the participants breaking the law.  Of course this wouldn't be news, but neither is Dateline NBC (yes, a cheap shot, but c'mon -- have you &lt;a href="http://www.msnbc.msn.com/id/20078671/"&gt;seen this&lt;/a&gt;?).  Apparently, the DefCon organizers have their own mole deep inside Dateline HQ who alerted them to the plan and sent along a picture.  &lt;a href="http://blog.wired.com/photos/uncategorized/2007/08/03/dateline_mole.jpg"&gt;This photo&lt;/a&gt; was displayed before each lecture along with the message that she was attempting to deceptively gather information for a report.  
Apparently the assistant producer was lured to an ambush, was confronted, fled, and was hounded by people taking photos and videos.  &lt;a href="http://www.msnbc.msn.com/id/10912603/"&gt;Sound familiar&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;The takeaway here is that confronting an opponent on their own turf is a great way to get the opposite of the result you want.  There have been &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html"&gt;several&lt;/a&gt; &lt;a href="http://www.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/index.html"&gt;legitimate&lt;/a&gt; &lt;a href="http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/hacker.html"&gt;reporters&lt;/a&gt; (&lt;a href="http://www.snn-rdr.ca/snn/old/september/scottbrampton.html"&gt;even kids!&lt;/a&gt;) and bloggers who have spoken with the kind of people who populate the virtual back alleys of the Internet.  By being open and honest about their intentions, they usually manage to get a worthwhile interview.  There are also several bloggers who have misrepresented themselves to get access to material from these people.  But they were very careful about doing it and built up a trust relationship.  I think the best advice here is to just be forthright and honest and leave the tricky and manipulative stuff to the professionals.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;update:&lt;/span&gt;  &lt;a href="http://www.youtube.com/watch?v=nCvmkxO5hoQ"&gt;Here's a video&lt;/a&gt;, complete with crappy crowd participation boos and hisses, amateur videography, paparazzi style ambush journalism, etc.  While turnabout is fair play, do you think that she's the only person who's misrepresented herself at DefCon? I doubt it.  Show's over, get back to the presentations, folks.  
That's what we'll all be thinking about on Monday.&lt;br /&gt;&lt;br /&gt;Of course, &lt;a href="http://www.hackaday.com/2007/08/03/defcon-15-undercover-reporter-flees/"&gt;Elliot&lt;/a&gt; brings up some good points about her refusing press credentials, the irony of the "spot the Fed" competition she hoped to join, and the fact that even bloggers apply for press passes to avoid this treatment.  So maybe I'm off base by thinking that it's only a funny story with the slow news weekend coming up.  Decide for yourselves, folks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-2708307923942582934?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/MkWK615OwM0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/2708307923942582934/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=2708307923942582934" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/2708307923942582934?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/2708307923942582934?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/MkWK615OwM0/dont-try-to-con-con-man.html" title="Don't Try To Con A Con Man" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/08/dont-try-to-con-con-man.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEACQHg6eSp7ImA9WB5VFks.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-4663037219082443928</id><published>2007-07-31T09:46:00.001-04:00</published><updated>2007-08-09T09:39:21.611-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-08-09T09:39:21.611-04:00</app:edited><title>(At Least) Ten Things The WSJ Got Wrong</title><content type="html">I have just been reading an article on the Wall Street Journal site called "&lt;a href="http://online.wsj.com/article/SB118539543272477927.html?mod=fpa_mostpop"&gt;Ten Things Your IT Department Won't Tell You&lt;/a&gt;." 
The article is about how and why companies don't let you do certain things on their computers and on their networks, and how you can get around these security controls.  The article completely misses the point of the security controls.    I'm with the IT department, and I want to tell you why and how the WSJ got it wrong.&lt;br /&gt;&lt;br /&gt;Security features are put in place to protect the confidentiality, integrity, and availability of assets of a company.  This does not vary much from place to place, this is the stated reason for putting most security measures in place.  Most security practitioners don't even view employees' productivity as an asset; if there is a productivity problem, the burden of enforcement lies with the employee's manager or supervisor.  From personal experience, I can tell you that I have much better things to do with my time than to try and see who has been trying to get to &lt;a href="http://youtube.com/"&gt;YouTube&lt;/a&gt; or &lt;a href="http://playboy.com/"&gt;Playboy&lt;/a&gt;.  But if you circumvent our security measures, I'm required by regulations, guidelines, and company procedures to investigate the incident.&lt;br /&gt;&lt;br /&gt;This brings me to one of the biggest things that the WSJ article seems to miss:  We can see you doing what you are doing!  Many organizations, due to regulations such as &lt;a href="http://www.hhs.gov/ocr/hipaa/"&gt;HIPAA&lt;/a&gt;, &lt;a href="http://www.sec.gov/spotlight/sarbanes-oxley.htm"&gt;SOX&lt;/a&gt;, &lt;a href="http://www.ftc.gov/privacy/privacyinitiatives/glbact.html"&gt;GLBA&lt;/a&gt;, &lt;a href="https://www.pcisecuritystandards.org/"&gt;PCI DSS&lt;/a&gt;, etc. are required to put in place tools to give visibility into electronic communications.  This means that wherever you work, you probably have somebody looking over your shoulder.  
In my organization, we use a monitor that lets us see any &lt;a href="http://en.wikipedia.org/wiki/Encryption"&gt;unencrypted&lt;/a&gt; communication going out to the Internet.  We have rules built in the monitor that will log and alert us when certain keywords or other data are transmitted.&lt;br /&gt;&lt;br /&gt;For instance we have rules built to detect people circumventing our website blocker by using a proxy site or software.  This is relatively easy most of the time because the transmission still goes in &lt;a href="http://en.wikipedia.org/wiki/Cleartext"&gt;cleartext&lt;/a&gt; and so the monitor picks up on the site categories. And if you use an encrypted proxy, we can usually still see that because we have access to all of the proxy lists that are available, just like everyone else does.  We can still tell that people are circumventing our security tools.&lt;br /&gt;&lt;br /&gt;Our policies and the regulations we follow require that these violations be documented and reported.  In many cases, this leads to disciplinary action against an employee.  Several people here have been fired for violating our security measures.  This does not just include the use of proxy servers, but extends to unauthorized use of &lt;a href="http://en.wikipedia.org/wiki/USB_flash_drive"&gt;USB drives&lt;/a&gt;, installing unlicensed and unapproved software, bringing in a laptop to use peer-to-peer software, etc.  Just because you are able to do something doesn't mean you are authorized to do it.  And just because you get away with it the first time with no repercussions doesn't mean that we don't care or don't know.&lt;br /&gt;&lt;br /&gt;Now that I have established that point, let me address the first point that I made:  the policies and procedures we institute are not arbitrary!  Aside from the regulatory requirements I listed above, we have good reasons for putting in place the restrictions that we do.  
These policies are designed to reduce support costs, protect the computers and network from viruses and malware, decrease the likelihood of an unintended information disclosure, and reduce bandwidth costs.&lt;span class="on" style="display: block;" id="formatbar_CreateLink" title="Link" onmouseover="ButtonHoverOn(this);" onmouseout="ButtonHoverOff(this);" onmouseup="" onmousedown="CheckFormatting(event);FormatbarButton('richeditorframe', this, 8);ButtonMouseDown(this);"&gt;&lt;/span&gt;&lt;br /&gt;So here's "(At Least) Ten Things The WSJ Got Wrong."&lt;br /&gt;1.  &lt;span style="font-weight: bold;"&gt;We don't want you sending big files through email because it is expensive&lt;/span&gt;.  Do you know how much it costs to buy more disk space for your email server?  About $4 per GB (2x 300GB Ultra SCSI 320).  If you have a legitimate business purpose for sending a large file, call us up.  We'd love to help you and make sure that the file gets sent the right way.  Especially if it is a case where the release of the information must be regulated.  Just don't ask us to help you forward the latest movie trailer or funny video clip you downloaded.&lt;br /&gt;&lt;br /&gt;2. &lt;span style="font-weight: bold;"&gt;We don't want you to use unauthorized software because it drives support costs up and could get us into a lot of trouble&lt;/span&gt;.  No, we won't let you use Limewire to download the hottest software, songs, and movies.  If the &lt;a href="http://www.bsa.org/"&gt;BSA&lt;/a&gt;, &lt;a href="http://consumerist.com/consumer/riaa/"&gt;RIAA&lt;/a&gt;, or &lt;a href="http://www.mpaa.org/"&gt;MPAA&lt;/a&gt; catch you, we are the ones who get sued -- that's a huge liability!  Not to mention the performance hit on the network and the bandwidth costs.&lt;br /&gt;&lt;br /&gt;If something you use or install causes conflicts with one of our applications or changes some obscure settings, are you going to pay to get the computer back up and running properly?  
Nope, we eat that cost too.  We have a limited set of software that we approve because this is what we support and it is what our software vendors support.  If &lt;a href="http://www.microsoft.com/windows/products/winfamily/ie/default.mspx"&gt;IE7&lt;/a&gt; or &lt;a href="http://www.mozilla.com/en-US/firefox/"&gt;Firefox&lt;/a&gt; won't work with the web application somebody else built, we don't have the resources to fix it.&lt;br /&gt;&lt;br /&gt;3. &lt;span style="font-weight: bold;"&gt;We block certain websites because they could create a hostile workplace, are associated with viruses or spyware, or suck up all our bandwidth&lt;/span&gt;.  If someone visits an adult website and another employee or customer sees it, we can be sued.  Do you really need to do that at work anyway?&lt;br /&gt;&lt;br /&gt;Quite a few of the websites that we block host viruses or spyware or act as relay points for &lt;a href="http://en.wikipedia.org/wiki/Keystroke_logging"&gt;keystroke loggers&lt;/a&gt;.  Anti-Virus won't catch everything -- it has to update multiple times per day just to stay abreast of the latest threats, some of which can shut down the protective software altogether.&lt;br /&gt;&lt;br /&gt;Streaming video and audio sites can consume huge amounts of bandwidth.  Even though they are streamlined for distribution, they can still be hogs if several people are using them at once.  For simplicity's sake, let's assume that streaming audio will eat up 64kbps and streaming video uses 128kbps.  Some use more, very few use less.  And let's assume that your company has a 10mbps connection to the Internet.  Some simple math says that 150 listeners or 75 viewers will totally saturate the connection.  But this doesn't count those people visiting websites, any applications which require Internet connectivity, email, etc.  
Not only that, but the streaming media protocols typically try and gulp up as much bandwidth as they can at once, which may generate 5-10x as much traffic at any one time.  In practice, if about 20 people on this Internet connection are using YouTube or listening to a radio station, you will notice a big slowdown when visiting websites.&lt;br /&gt;&lt;br /&gt;4. &lt;span style="font-weight: bold;"&gt;Most of the time, clearing out your Internet Browser files doesn't help anyone&lt;/span&gt;.  If you get a virus or any other nasty malicious software on your computer, clearing out your browser files makes it harder for us to track down and prevent next time.  And most of the time, it won't even cover your tracks if you've been someplace you shouldn't have been.  There's a reason we've got forensic tools at our disposal.  We can usually get that information off your hard drive, and even if we can't your activity is still being logged by our network forensic tools.  If you don't want your employer to know what sites you visit, don't go there on his dime.&lt;br /&gt;&lt;br /&gt;5. &lt;span style="font-weight: bold;"&gt;Don't cause a data leak by taking your documents home without checking with us first&lt;/span&gt;.  Call your IT department and see how they want you to work at home.  Odds are, we have a way to do this or can come up with something to allow it.  If we can't, talk to your boss about it and make sure they know you'll be working on your own time to increase your productivity.  Doing one of these two things will help to make sure you can get your work done and that we can keep the data protected.  Email, portable storage, online file sharing, and other methods are NOT designed to keep confidential information safe, they're designed to spread this information as easily as possible!  You'll do yourself and your organization a favor if you play by the rules on this one.&lt;br /&gt;&lt;br /&gt;6. 
&lt;span style="font-weight: bold;"&gt;If you store your work documents online, a hundred bad things can happen to them&lt;/span&gt;.  In addition to the reasons I mentioned in #5, there are other things that can go wrong with online storage.  If you're storing your important files with a free online storage site for a backup or as your only copy, don't.  Encrypted data needs a key to unlock it -- are you going to make sure it's safely and securely stored?  These things get lost or stolen all the time and then the data is gone or is available to anyone.  And online companies don't have the best track record for keeping your data available.  Google, who tries to permanently store all online data, has lost accounts, messages, and files many times from Blogger and Gmail.  Your organization backs up the data stored with them (or should) and those backups are ensured against loss or theft.  This is the right way to go about it.&lt;br /&gt;&lt;br /&gt;7. &lt;span style="font-weight: bold;"&gt;Web mail and instant messenger conversations should never be used to send private or confidential data&lt;/span&gt;.  Only a few web mail providers, such as &lt;a href="http://www.hushmail.com/"&gt;Hushmail&lt;/a&gt;, provide SSL encrypted communication by default.  This means that anything you view in your web mail can be viewed by our monitoring tools.  Yup, from that email confirmation when you applied to our competitor to the naughty photos your girlfriend sent you, we can see it.  And web mail doesn't have a great record for privacy anyway; Hotmail and Gmail have had several flaws that have allowed attackers to gain access to hundreds or thousands of mailboxes at a time.  Not great if you've got any emails with your Social Security Number, bank account number, credit card online account password, etc.&lt;br /&gt;&lt;br /&gt;Instant messaging isn't much better.  
Though you can add encryption to your conversations, the software tends to fail silently, not alerting you to the fact that the messages you're sending are unencrypted.  Also, the person on the other side has to have set up their client to encrypt the messages too.  If you're going to chat with your buddies, do it outside of work for your own benefit.&lt;br /&gt;&lt;br /&gt;8. &lt;span style="font-weight: bold;"&gt;Forwarding your company email to your personal account is a bad idea&lt;/span&gt;.  If an email is sent from one email box to another on the same system, the message stays as safe as your email system.  However if you forward that outside your organization's security perimeter, it can be very bad news.  To begin with, you're probably going to be sending the message unencrypted to your personal mail server.  From there, when you check your mail it will probably be unencrypted.  Then if that mail is forwarded to your cell phone or PDA it is probably left unencrypted on the mobile data network.  This is just a bad idea all the way around.  If getting your email outside of work will help you do work, odds are your IT department and/or your boss will help to accommodate you to increase your productivity.  Just ask.&lt;br /&gt;&lt;br /&gt;9. &lt;span style="font-weight: bold;"&gt;Checking personal mail on your company PDA or Blackberry isn't all that bad, just don't expect the IT staff to help you do it&lt;/span&gt;.  The only places where this would be a bad idea from a security standpoint are highly secure environments where secret or top secret information is being passed around.  But that doesn't just include the military, it also applies to anyone who has access to information that might be highly desirable to others.  There are not many viruses out there that target mobile platforms and those that do don't spread by email.  
However, it is conceivable that a specifically created multi platform virus could work its way into your network this way.&lt;br /&gt;&lt;br /&gt;But you'll want to think about things carefully before you do this.  Many organizations have a Blackberry Enterprise Server that controls the flow of data to and from the handheld device.  So it might be that your mail is going through your company's network to get to you.  If that bothers you, don't set it up this way.&lt;br /&gt;&lt;br /&gt;10. &lt;span style="font-weight: bold;"&gt;We don't care about your productivity unless you work for the IT department&lt;/span&gt;.  Your productivity is your boss's problem.  We may help him or her to trace your online activity, but we don't really care.  But keep in mind that we can still see what you're doing on the Internet, and part of somebody's job might be to generate reports for managers so that they can see what you are doing.&lt;br /&gt;&lt;br /&gt;11.  &lt;span style="font-weight: bold;"&gt;The IT Department should be your friend, not your enemy&lt;/span&gt;!  Information Technology is a business enabling tool for your organization.  We're here to make the business more profitable and to help you do your job.  Sometimes it doesn't come across that way, but I can guarantee that this is the way your CEO sees it.  If you can make a good case that something would increase your productivity and improve the business appreciably, odds are you can get it implemented.&lt;br /&gt;&lt;br /&gt;Just because you don't know a way to do something doesn't mean we don't have a good way to do it.  One of the things that strikes me most about these points is that many IT shops already have approved methods to do them.  If you have a legitimate business use for doing something, odds are we've got you covered.  Whether it's getting to your documents at home, checking email from the road, or surfing the 'net in your free time, ask us!  
If we can reduce the amount of work we have to do and help you out at the same time, it'd be silly not to.&lt;br /&gt;&lt;br /&gt;Remember, your IT staff is comprised of people who have the same desires and face the same problems.  We have motivations to do things, and figuring those out can help you get what you want.  Pitch the same thing two different ways and you can get two different responses.  If you are able to let us know how it benefits us, you're much more likely to get your way.  Together we can figure out a system that can make it possible.  Treat us like a friend and you might be surprised what we'll help you with.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;update:&lt;/span&gt; There are lots of other good responses to this article out in the Blogosphere, some of which I have listed below.  Security violations are up today, as is the paperwork I've now got to do to report them.  But this can be a good thing for those of us who are out there protecting our networks.  We can help educate the people who have the power to change these things as well as the people who want to get around the security measures.  
We have to work a little harder on the front end, but it pays off in the long run.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://andyitguy.blogspot.com/2007/08/on-open-letter-to-wsj.html"&gt;Andy, IT Guy&lt;/a&gt;&lt;br /&gt;&lt;a href="http://securityincite.com/TDI-2007-08-02#TBP1"&gt;The Daily Incite&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.terminal23.net/2007/08/the_good_and_bad_of_the_wsj_ar.html"&gt;terminal23&lt;/a&gt;&lt;br /&gt;&lt;a href="http://riskmanagementinsight.com/riskanalysis/?p=250"&gt;RiskAnalys.is&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.realtime-itcompliance.com/information_security/2007/07/insider_threat_and_cowboys_the.htm"&gt;Realtime Community&lt;/a&gt;&lt;br /&gt;&lt;a href="http://layer8.itsecuritygeek.com/index/layer8/defending-policy-makers/"&gt;Layer 8&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.bloginfosec.com/2007/08/06/some-insight-incite-on-the-wsj-it-security-controls-article/"&gt;bloginfosec.com&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.infoworld.com/article/07/08/02/31OPentinsight_1.html?source=rss&amp;amp;url=http://www.infoworld.com/article/07/08/02/31OPentinsight_1.html"&gt;InfoWorld&lt;/a&gt;&lt;br /&gt;&lt;a href="http://robnewby.blogspot.com/2007/08/courting-wsj.html"&gt;IT Security, the view from here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-4663037219082443928?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/SN-0IGShkvw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/4663037219082443928/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=4663037219082443928" title="6 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/4663037219082443928?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/4663037219082443928?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/SN-0IGShkvw/at-least-ten-things-wsj-got-wrong.html" title="(At Least) Ten Things The WSJ Got Wrong" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">6</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/at-least-ten-things-wsj-got-wrong.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkMBQH8_cSp7ImA9WB5WGEw.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-5907752343003951419</id><published>2007-07-30T14:00:00.000-04:00</published><updated>2007-07-30T14:00:51.149-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-30T14:00:51.149-04:00</app:edited><title>A New Job</title><content type="html">As of August 10th, I will no longer be in my old position, and on August 13th, I will begin at a new job with a different company.  This job will give me a better chance to work with people in my industry, as well as afford me the chance to travel more.  
While it was a hard decision, it was ultimately the right choice for me.  I loved working with the folks I have and working for my boss, but it is time to move on.  Hopefully both this and my &lt;a href="http://www.meanderingwoods.com/"&gt;travel blog&lt;/a&gt; will become more active as I have more relevant experiences to share.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-5907752343003951419?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/EvN20NdIWPE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/5907752343003951419/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=5907752343003951419" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/5907752343003951419?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/5907752343003951419?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/EvN20NdIWPE/new-job.html" title="A New Job" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/new-job.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkcNQX86fCp7ImA9WB5WGE0.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-7552722395700101720</id><published>2007-07-30T09:44:00.000-04:00</published><updated>2007-07-30T10:01:30.114-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-30T10:01:30.114-04:00</app:edited><title>Schneier on the TSA</title><content type="html">Bruce Schneier has been quite vocally critical of the Transportation Safety Administration in the past about what he calls "security theater."  Well it appears that somebody over there was listening and wanted to address it.  That somebody was the &lt;a href="http://www.tsa.gov/who_we_are/people/bios/kip_hawley_bio.shtm"&gt;head of the administration&lt;/a&gt;.  
He invited Bruce to have a conversation with him and publish it on the blog in order to increase the transparency of the department.  The &lt;a href="http://www.schneier.com/blog/archives/2007/07/conversation_wi_4.html"&gt;first post&lt;/a&gt; in this series shows that even the TSA has a sense of humor about itself and makes a fairly persuasive argument that they actually &lt;span style="font-weight: bold;"&gt;are&lt;/span&gt; trying to keep us safe, not just piss everybody off. &lt;br /&gt;&lt;br /&gt;I'm really looking forward to seeing the rest of the conversation and hope that it helps to make the public more aware of the incredibly difficult job that these guys are trying to do.  To actually be effective as a government agency requires a ton of work and dedication.  But I think the TSA has begun to turn a corner and is headed in the right direction.  After seeing &lt;a href="http://consumerist.com/consumer/he-said%2C-she-said/tsa-uploads-video-of-sippy-cup-incident-on-special-mythbusting-website-269533.php"&gt;their response&lt;/a&gt; to the &lt;a href="http://www.nowpublic.com/nightmare_at_reagan_national_airport_a_security_story_to_end_all_security_stories"&gt;"sippy cup"&lt;/a&gt; story, I realized that somebody over there was paying attention.  They've got a &lt;a href="http://www.tsa.gov/approach/mythbusters/index.shtm"&gt;website up now&lt;/a&gt; to set the record straight, or at least tell their side of the story and defend themselves.  They've also been vocal about having security that actually, you know, &lt;a href="http://www.usatoday.com/news/washington/2006-06-28-lighter-ban_x.htm?csp=1"&gt;makes us safer&lt;/a&gt; rather than just looks good.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-7552722395700101720?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/3DvXbzpeYdY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/7552722395700101720/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=7552722395700101720" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7552722395700101720?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7552722395700101720?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/3DvXbzpeYdY/schneier-on-tsa.html" title="Schneier on the TSA" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/schneier-on-tsa.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CE4FQHkzfyp7ImA9WB5WE0o.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-253383455332303003</id><published>2007-07-25T10:13:00.000-04:00</published><updated>2007-07-25T10:15:11.787-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-25T10:15:11.787-04:00</app:edited><title>Reminder:  CitySec Tonight!</title><content type="html">&lt;strong&gt;&lt;span class="caps"&gt;REMINDER&lt;/span&gt;:&lt;/strong&gt;  &lt;a href="http://citysec.org/forums/1/topics/20?page=2#posts-287"&gt;CitySec Atlanta&lt;/a&gt; tonight!  Show up at &lt;a href="http://brickstorepub.com/"&gt;The Brick Store Pub&lt;/a&gt; at 6pm for some HotHillBillySec.  
Does that sound dirty to anybody else or do I just have a dirty mind?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-253383455332303003?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/xffe2Ugmj9o" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/253383455332303003/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=253383455332303003" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/253383455332303003?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/253383455332303003?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/xffe2Ugmj9o/reminder-citysec-tonight.html" title="Reminder:  CitySec Tonight!" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/reminder-citysec-tonight.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk8HRHY6fyp7ImA9WB5XGEs.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-258027345173464620</id><published>2007-07-19T12:55:00.001-04:00</published><updated>2007-07-19T13:07:15.817-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-19T13:07:15.817-04:00</app:edited><title>Google Declares Sister Website "great website"</title><content type="html">It's official!  My &lt;a href="http://meanderingwoods.blogspot.com/"&gt;travel blog&lt;/a&gt; has been given the extraordinary epithet &lt;a href="http://www.google.com/search?q=%22great+website%22"&gt;"great website"&lt;/a&gt; by the all-knowing Google.  
Actually, it wasn't Google, but a search user.&lt;br /&gt;&lt;br /&gt;I was digging through my Analytics report this morning and saw this gem:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_lDv8tYQkm2Q/Rp-YfYK9MpI/AAAAAAAAABE/_fYoxAG6_Pc/s1600-h/Picture+2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp3.blogger.com/_lDv8tYQkm2Q/Rp-YfYK9MpI/AAAAAAAAABE/_fYoxAG6_Pc/s320/Picture+2.png" alt="" id="BLOGGER_PHOTO_ID_5088953768783721106" border="0" /&gt;&lt;/a&gt;This says that someone found my website by searching for the term "great website".  Two someones, actually.  While that is a great compliment, a little looking revealed that it was because I linked to National Geographic's Picture of the Day site and called it great.&lt;br /&gt;&lt;br /&gt;I searched the first 20 pages of Google results for my website but couldn't find it.  I figured that the people who found the site by that link must have looked awful hard for it.  But then I realized that their results were likely different from mine because of the way the search giant's algorithms work.  From what I've read, they calculate probabilities of what you're actually looking for using your unique site visits to guide them.  All of this is really just a fancy way of saying "Google tracks you."&lt;br /&gt;&lt;br /&gt;There's probably a good post to be made about how Google's privacy policies leave you vulnerable to all kinds of information disclosure vulnerabilities.  Or about how these meta search words can be skewed in subtle ways to target less sophisticated users with malware.  
But I don't have the time right now to work those up, so use those analytical skills &lt;a href="http://beauwoods.blogspot.com/2006/09/my-first-post-tip-0-this-is-my-first.html"&gt;I've been urging you to develop&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-258027345173464620?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/cVNFXM6wyrY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/258027345173464620/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=258027345173464620" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/258027345173464620?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/258027345173464620?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/cVNFXM6wyrY/google-declares-sister-website-great.html" title="Google Declares Sister Website &quot;great website&quot;" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp3.blogger.com/_lDv8tYQkm2Q/Rp-YfYK9MpI/AAAAAAAAABE/_fYoxAG6_Pc/s72-c/Picture+2.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/google-declares-sister-website-great.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkIDQHs-eip7ImA9WB5XEEo.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-7566397237127845683</id><published>2007-07-10T08:15:00.000-04:00</published><updated>2007-07-10T09:36:11.552-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-10T09:36:11.552-04:00</app:edited><title>It's Not In The Blinky Things</title><content type="html">I read a really good passage today from a book called "&lt;a 
href="http://www.amazon.com/Zen-24-All-Time/dp/0060778784"&gt;Zen 24/7&lt;/a&gt;" by &lt;a href="http://www.amazon.com/s/ref=nb_ss_gw/105-5795755-0590811?initialSearch=1&amp;url=search-alias%3Daps&amp;amp;field-keywords=Philip+Toshio+Sudo&amp;Go.x=0&amp;amp;Go.y=0&amp;Go=Go"&gt;Philip Toshio Sudo&lt;/a&gt;.  It was talking about how Zen views security.  In this philosophy, security is viewed as a part of self-reliance and individual responsibility.  You are responsible for your own security because you, and only you, are responsible for you.  In this Zen passage, Sudo says "Lose your money, you still have the means to live.  Lose your identification, you still have your identity." &lt;br /&gt;&lt;br /&gt;The line about money may or may not apply to people in our world, but it will always be relevant to those who live by the simple ways the book advocates.  If you lose all of your money, you still have yourself, and you can make the money again.  If you are stripped of all your possessions, you are left naked to the bare substance of who you are.  If you know yourself as who you are, as opposed to what you own, this is not a crippling turn of events.&lt;br /&gt;&lt;br /&gt;The line about identification is a little more difficult and requires some clarification.  Sudo is not talking about identity the way security professionals and the media do, in the vein of identity theft.  Instead, he and the Zen philosophies think of identity as who you know yourself to be.  From this point of view, the word "identification" in the sentence can be thought of as "identity" the way the western world thinks of it.  In other words, "Lose your identity, you still have who you are."&lt;br /&gt;&lt;br /&gt;Zen is filled with this way of looking at the world:  "You are the only one who lives your life and who is wholly in charge of how it comes out, and you can not live for anyone else."  
"No matter what happens to you, it is all just another step in the path along the journey that is your life."  These are two very different ways of thinking from the way we typically look at life.  Sometimes we are more connected to other people's lives than to our own -- even going so far as to try to tell others how to live them or to let them tell us how to live.  But in the end, no one but us lives through the ramifications of our decisions and behaviors.  And we cannot live through those that others make.&lt;br /&gt;&lt;br /&gt;We tend to think of security as someone else's responsibility, and that is how most voices on the Internet talk about it.  It is Amazon's responsibility, or Visa's, or the government's.  But it's not their responsibility to take care of us, it's ours.  We can change our behavior so that we only use &lt;a href="http://www.stretcher.com/stories/01/010212e.cfm"&gt;disposable credit card numbers&lt;/a&gt; online or just &lt;a href="http://en.wikipedia.org/wiki/Bricks_and_mortar_business"&gt;pay cash to an actual person&lt;/a&gt;.  We can &lt;a href="http://www.schneier.com/blog/archives/2006/11/tsa_security_ro_1.html"&gt;drive instead of fly&lt;/a&gt;, or &lt;a href="http://nhindymedia.org/newswire/display/2973/index.php"&gt;walk rather than drive&lt;/a&gt;.  Security always comes at its own price, whether that is &lt;a href="http://news-service.stanford.edu/news/2005/november2/security-110205.html"&gt;money&lt;/a&gt;, &lt;a href="http://joejennydc.blogspot.com/2007/02/inconvenient-security-that-wasnt.html"&gt;convenience&lt;/a&gt;, or &lt;a href="http://www.commondreams.org/views07/0211-22.htm"&gt;privacy&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;So keep these things in mind when you are thinking about security.  Not all ways are right for all people.  You have to decide what is right for you because you have to do it and live with the results.  As Sudo tells us, "The security lies not in the money, the credit card, or the license.  
It lies in you."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-7566397237127845683?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/UkRUMYDzZM0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/7566397237127845683/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=7566397237127845683" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7566397237127845683?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7566397237127845683?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/UkRUMYDzZM0/its-not-in-blinky-things.html" title="It's Not In The Blinky Things" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/its-not-in-blinky-things.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUcGQH4yfSp7ImA9WB5XEE0.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-7003474965776895570</id><published>2007-07-09T13:43:00.001-04:00</published><updated>2007-07-09T13:43:41.095-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-09T13:43:41.095-04:00</app:edited><title>Atlanta CitySec</title><content type="html">This is to announce the first Atlanta meeting of a group called CitySec.  The group is a loose affiliation of people in the Information Security field who facilitate grass-roots meetings of others in the industry.  The meetings are very informal and usually take place in a bar or some similar laid-back setting.  
Here is more information about the meetings in general:&lt;br /&gt;http://citysec.org/forums/1/topics/9&lt;br /&gt;&lt;br /&gt;And the thread for the Atlanta meeting, specifically:&lt;br /&gt;http://citysec.org/forums/1/topics/20&lt;br /&gt;&lt;br /&gt;The meeting will be held on Wednesday, July 25th, at 6pm at The Brick Store Pub in Downtown Decatur.  Their website is http://www.brickstorepub.com if you need directions or more information.  We hope to see you there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-7003474965776895570?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/SUXe4V54SGI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/7003474965776895570/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=7003474965776895570" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7003474965776895570?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7003474965776895570?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/SUXe4V54SGI/atlanta-citysec.html" title="Atlanta CitySec" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/atlanta-citysec.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkMNQHc7eCp7ImA9WB5QF0k.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-3184276223343464521</id><published>2007-07-06T09:50:00.000-04:00</published><updated>2007-07-06T12:48:11.900-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-06T12:48:11.900-04:00</app:edited><title>Online Storage Safe Isn't Safe</title><content type="html">Online storage has been around for a while.  It's the idea that you can put your digital stuff online and access it anywhere.  It's a great way to transfer files or to keep a backup of things you don't want to lose.  
In addition to the sites which &lt;a href="http://www.idrive.com/"&gt;will&lt;/a&gt; &lt;a href="http://www.xdrive.com/"&gt;store&lt;/a&gt; &lt;a href="http://www.streamload.com/"&gt;any&lt;/a&gt; &lt;a href="http://mozy.com/"&gt;filetype&lt;/a&gt;, dedicated sites exist to store &lt;a href="http://reviews.cnet.com/4520-6451_7-6245115-1.html"&gt;photo&lt;/a&gt;, &lt;a href="http://www.lightreading.com/videoshare"&gt;video&lt;/a&gt;, &lt;a href="http://mp3tunes.com/"&gt;music&lt;/a&gt;, and &lt;a href="http://docs.google.com/"&gt;text documents&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;We've gotten so used to things being online that some people have put almost all their documents online.  I have plenty of pictures and videos stored there and am increasing the percentage of these things that I store there.  These services are making it easier and easier to store things online.  Youtube even has a feature called &lt;a href="http://youtube.com/results?search_query=quick+capture"&gt;Quick Capture&lt;/a&gt; that takes video directly from a webcam to the online service without storing it anywhere on your computer first. &lt;a href="http://www.eye.fi/"&gt;Eye-Fi&lt;/a&gt; is a product that can send photos direct from your camera to many photo sites.&lt;br /&gt;&lt;br /&gt;However, this can become a problem if people keep their ONLY copies of documents and media online.  This morning, Flickr was inaccessible for me -- I'm not sure if the site was down or if it was a localized issue (&lt;span style="font-weight: bold;"&gt;update:&lt;/span&gt; &lt;a href="http://www.yahoo.com/"&gt;Yahoo! &lt;/a&gt;was &lt;a href="http://isc.sans.org/diary.html?storyid=3100"&gt;down for a while&lt;/a&gt;). I was just trying to put up my latest &lt;a href="http://beausphotos.blogspot.com"&gt;photoblog entry&lt;/a&gt;, so it was not a big deal. But imagine if I'd been scheduled to make a presentation and stored my only copy on a site that was down.  
I've seen similar things happen to presenters; it's not pretty.&lt;br /&gt;&lt;br /&gt;I'm able to get to Flickr now, and the presenters were eventually able to work through their technical glitches.  But what if the storage site lost all that data?  Most of them have clauses in the agreement you have to click through that indemnify them in case of a loss of this kind.  Losing data is more common on the Internet than many people realize, especially with beta services.  Big companies are no less susceptible to this than the small startups.&lt;br /&gt;&lt;br /&gt;There are also privacy issues with these services.  If you post your company's financial reports to Google Docs, your CFO will probably be pretty upset with you.  If you accidentally upload very personal photos to one of the photo sharing sites, they may stay there forever.  If a prospective employer does a Google search and comes across a video of you in a manner not befitting their standards, they can refuse to hire you.  These things are not far-fetched; similar things have all happened.&lt;br /&gt;&lt;br /&gt;Online media and file storage services are great for convenience and sharing.  But you should keep in mind that they are just as susceptible to failure as anything else.  And they are just as accessible as public records, if not more so.  That goes for any information you might post on the Internet.  So keep that in mind when you post the video of yourself drinking tequila with Paris Hilton and link it from your &lt;a href="http://www.myspace.com/"&gt;MySpace&lt;/a&gt; page.  And make sure you've got a backup of anything important you keep online.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-3184276223343464521?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/_8RpwWfiIG0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/3184276223343464521/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=3184276223343464521" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3184276223343464521?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3184276223343464521?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/_8RpwWfiIG0/online-storage-safe-isnt-safe.html" title="Online Storage Safe Isn't Safe" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/07/online-storage-safe-isnt-safe.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkUAQn4ycCp7ImA9WB5QE00.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-7231262067523830634</id><published>2007-06-29T14:07:00.000-04:00</published><updated>2007-07-01T11:37:23.098-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-01T11:37:23.098-04:00</app:edited><title>Security Font</title><content type="html">I have just designed the most secure font ever.  At least it is to my knowledge.  You can get it &lt;a href="http://www.wikiupload.com/download_page.php?id=169044"&gt;here&lt;/a&gt;.  
Below is a screenshot of the font in action.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;update:&lt;/span&gt; The screenshot was not showing up because either Firefox or Blogger decided that dragging and dropping a file into the blogger interface should try to link to the file on my computer rather than putting it on some photo upload site.  So now the pic is up there.  Sorry for the trouble and thanks to Anonymous for pointing it out.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://img184.imageshack.us/img184/3528/picture1ls5.png" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-7231262067523830634?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/zTU4rWkc_UY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/7231262067523830634/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=7231262067523830634" title="6 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7231262067523830634?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/7231262067523830634?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/zTU4rWkc_UY/security-font.html" title="Security Font" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">6</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/06/security-font.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUIHRXY_cCp7ImA9WB5QFUg.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-5406072115006681264</id><published>2007-06-21T18:30:00.000-04:00</published><updated>2007-07-04T08:52:14.848-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-07-04T08:52:14.848-04:00</app:edited><title>If It's Not Verified, It's Not Secure</title><content type="html">Today at the data center, I was scheduled to upgrade one of our systems.  I was pretty well prepared and was just going through some final checks as I waited for the download of the new software to complete.  
I had already shut down the services and made a final backup, so I decided to try the restore feature to make sure it would work later after the upgrade was complete.  It didn't work, and neither did the other 3 sets of backups I tried!&lt;br /&gt;&lt;br /&gt;As mistakes go, having not tested this backup would have been a huge one!  All of the data that was on the server would have been completely lost.  This represents not just the time to recreate some of the documents and settings, but would have involved several different groups and would have left the server down for at least 3-4 days!&lt;br /&gt;&lt;br /&gt;A call to the manufacturer's tech support line was helpful and it turned out that there was a hidden failure in the backups that can only be discovered on doing a test like I did.  This wasn't in their documentation for the backup feature, nor was it in their documentation for the upgrade procedure.  If I hadn't been diligent enough to test out the restore procedure, I would have had a major problem on my hands.  The fact that my boss just left for vacation and the vendor was about to close for the weekend would have made the problem worse.&lt;br /&gt;&lt;br /&gt;I trusted that the backup would work, but it didn't.  The reason why is a bit too obscure for this blog, but it is something I never could have imagined.  In fact, the engineers for the vendor seemed perplexed by it, too.  With all of the pieces still intact, it is easy to figure out why the system failed.  But if I had already installed the upgrade, there would be only guesses as to why the failure had happened.   This is why you should always test your backups to make sure they will do what you think they will.&lt;br /&gt;&lt;br /&gt;And you should check other systems that you use, too.  In the computer security world, &lt;a href="http://en.wikipedia.org/wiki/Penetration_Testing"&gt;penetration testers&lt;/a&gt; help check out our security.  
Shows like "&lt;a href="http://dsc.discovery.com/fansites/ittakesathief/bios/bios.html"&gt;It Takes A Thief&lt;/a&gt;" do the same thing for people's home security.  In some cases, even the most well planned and implemented systems can be broken.  But most of the time there are holes in the design or execution that make the difference.&lt;br /&gt;&lt;br /&gt;Effective systems have verification designed into them.  This is one of the strengths of the scientific process of &lt;a href="http://en.wikipedia.org/wiki/Peer_review"&gt;peer review&lt;/a&gt;.  It ensures that others can replicate results that one researcher finds.  Because fraud, mistakes, and interpretation can distort the facts, the scientific community needs to make sure that these things are minimized.  This ensures that our body of knowledge surges closer and closer to the truth of the world.&lt;br /&gt;&lt;br /&gt;This reminds me of a scene from "&lt;a href="http://www.imdb.com/title/tt0215129/"&gt;Road Trip&lt;/a&gt;" where the kids are talking about jumping over a broken bridge in a car.  They do a lot of calculating and thinking about it and decide that the distance really isn't that far and they can make it.  And then they just happen to test it out by putting just a little bit of weight on the other side of the bridge.  The bridge collapses.  That was the easy way to find out their plan would have fallen apart with the bridge.  Of course in the movie they went for it anyway, but at least they KNEW it wouldn't work.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;update:&lt;/span&gt;  It turns out that the backups were failing because they were being uploaded to an FTP server in the wrong mode.  The client didn't properly change to "binary" mode and instead was sending files as "ASCII".  ASCII mode rewrites line-ending bytes in transit, so a binary backup file can arrive altered even though the transfer itself appears to succeed.  Many servers automatically determine that the file is binary and transmit in the correct mode despite it being the client's responsibility.  
However, ours doesn't.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-5406072115006681264?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/d_a3NaGo5EM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/5406072115006681264/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=5406072115006681264" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/5406072115006681264?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/5406072115006681264?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/d_a3NaGo5EM/if-its-not-verified-its-not-secure.html" title="If It's Not Verified, It's Not Secure" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/06/if-its-not-verified-its-not-secure.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04ERXs-cCp7ImA9WB5SFUo.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-8774741029706228098</id><published>2007-06-11T11:00:00.000-04:00</published><updated>2007-06-11T11:31:44.558-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-11T11:31:44.558-04:00</app:edited><title>Stop Swatting At Flies</title><content type="html">I saw a &lt;a href="http://blogs.ittoolbox.com/security/investigator/archives/inspiration-by-fly-16830"&gt;great post&lt;/a&gt; today over at the &lt;a href="http://www.ittoolbox.com/"&gt;IT Toolbox site&lt;/a&gt;.  
It talks about stepping back and making sure you know the whole situation before you start acting.  It's well written and accessible to anyone.  If you don't understand the part about the proxy server and the help desk tickets, just skip it.  I can't say what he does any better, so I'll just let &lt;a href="http://www.ittoolbox.com/profiles/chiefmonkey"&gt;Chief, the Security Monkey&lt;/a&gt; do my talking for me.&lt;br /&gt;&lt;br /&gt;But since his &lt;a href="http://blogs.ittoolbox.com/security/investigator/archives/not-a-four-year-anniversary-post-16816"&gt;last post&lt;/a&gt; was about blogs not adding content, merely linking to sites with content, I guess I'll have to do some real work here.  The chief's blog is one of a handful which are informative, but not targeted at the latest research or trends.  Instead, these blogs usually focus on techniques instead of results.  I think everybody needs to have a few of these blogs in their regular reading list to make sure they remember the basics.  But maybe I'm biased, since that is what kind of a blog I run here.&lt;br /&gt;&lt;br /&gt;Knowing the processes that go into the results is the key to really understanding what the results say.  It is fine to read the conclusions that story authors come to, but unless you understand how they came to those conclusions and can form your own, you might as well just use a &lt;a href="http://www.imdb.com/title/tt0151804/quotes"&gt;Jump to Conclusions Mat&lt;/a&gt;. Understanding the basics and the underlying causes for things allows you to be skeptical and to see what people try to cover up, gloss over, or outright miss.  As the chief's post makes clear, when you know how and why something does what it does, it is much easier to know how to change it.  
You can stop swatting at flies and get them out of your way for good.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-8774741029706228098?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/V9NTipLu7SY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/8774741029706228098/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=8774741029706228098" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/8774741029706228098?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/8774741029706228098?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/V9NTipLu7SY/swatting-flies.html" title="Stop Swatting At Flies" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/06/swatting-flies.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUGSH85eyp7ImA9WB5TF08.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-8297542817149428553</id><published>2007-05-24T16:48:00.001-04:00</published><updated>2007-06-01T15:30:29.123-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-01T15:30:29.123-04:00</app:edited><title>Finish The Job</title><content type="html">I'm a big fan of Tom Clancy type spy thriller novels.  I just read a book which reminds me of these, and which Clancy himself called "A spy story for the 90's -- and it's all true."  The book is called &lt;a href="http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/0743411463"&gt;&lt;u&gt;The Cuckoo's Egg&lt;/u&gt;&lt;/a&gt; by Cliff Stoll.  
I won't give away any spoilers here, but you can read the collective &lt;a href="http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_%28book%29"&gt;summary&lt;/a&gt; if you want to know what happens.&lt;br /&gt;&lt;br /&gt;This is a classic story of what happens when you see something out of place and instead of just fixing the problem you really investigate.  You start digging and pretty soon you find that there are dozens of things that need to be reworked, and dozens more that need to be done and done right.  With no funding for a project, it can be damn near impossible to carve the time out of your paying job to do them, so most go undone.  In his book, Cliff doesn't let his main issues fall to the wayside, he sticks with them and sees that things get done as well as they can be.&lt;br /&gt;&lt;br /&gt;While the book is nearly 20 years old, the lessons it teaches are true today.  Cliff has to overcome sloppy practices, a determined and perseverant adversary, invasion of his personal life, lack of support from those he is trying to help, etc.  And in the end, he is essentially unrewarded for his efforts.  These are problems that security professionals -- and many others -- face every day.  But Cliff won't back down or give up, he is able to look at the problem as an opportunity to learn and explore.  His reward comes from the joy of discovery, from seeing the problem to its conclusion, and making connections with people in the same situation.&lt;br /&gt;&lt;br /&gt;It's easy to respect and admire someone like this, but it's not as easy to become them ourselves.  It is much easier to push things off to another day or let things drop by the wayside as we hurtle along through life.  But I think that one of the things that makes me happiest is when I pursue the things that Cliff did:  truth, discovery, and resolution.  
It also tends to make the products of my work better because I care about what I am doing, rather than just trying to get it done so I can move on to something else.&lt;br /&gt;&lt;br /&gt;It's hard to be enthusiastic about every aspect of what we all do for a living.  In fact, if we really enjoy doing something and decide to make money from it, we will soon find that we enjoy it less.  But what would it take to do every task like we enjoyed it?  Probably not that much more effort than we already put into it.  That could be changing the duty enough to make it more interesting, like turning it into a game.  Or it could mean trying to learn all you can from theories to history to other techniques.  Or it might just mean that you embrace the unembraceable and focus on being as good as you can.&lt;br /&gt;&lt;br /&gt;But you've got to find some way to persevere through the difficult jobs to get to the end.  In Information Security, it is absolutely essential to do things right and see them through to completion.  It is like that in many other fields and aspects of our lives.  If you give up or half-ass it at any point, it diminishes the results of your labor.  But working hard through every step gives a great feeling of accomplishment and self-esteem as well as makes for a better end result.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-8297542817149428553?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/QocYlySEADE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/8297542817149428553/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=8297542817149428553" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/8297542817149428553?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/8297542817149428553?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/QocYlySEADE/finish-job.html" title="Finish The Job" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/05/finish-job.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUBR30zcSp7ImA9WB5TF08.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-857315130293031042</id><published>2007-05-22T13:31:00.000-04:00</published><updated>2007-06-01T15:30:56.389-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-01T15:30:56.389-04:00</app:edited><title>Simplify, Simplify, Simplify</title><content type="html">I am back from &lt;a href="http://meanderingwoods.blogspot.com/"&gt;my recent hiatus&lt;/a&gt; and have finally gotten caught up enough to write a couple of lines here.  While on trips, it always becomes obvious how much better a simple solution is when compared with a complicated one.  For example, when trying to backup images from a camera.  
It was a hassle to try to get them onto the computer then to a jump drive or a &lt;a href="http://www.flickr.com/people/beauwoods"&gt;flickr.com account&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;A much easier solution would be to use a device to dump the pictures directly to an iPod.  The &lt;a href="http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?mco=20538A8A&amp;amp;nplm=M9861G/B"&gt;Apple iPod Camera Connector&lt;/a&gt; is the descriptively named device made by Apple to do the job.  It works pretty well, too.  It will even move &lt;a href="http://en.wikipedia.org/wiki/RAW_image_format"&gt;RAW&lt;/a&gt; photos, though the iPod can't display them.  This helped out greatly since my friend had dozens of gigs worth of these large photos and no way to store them to make room for more.  While this certainly wasn't &lt;a href="http://www.engadget.com/2006/09/11/samsung-releases-32-and-64gb-compactflash-cards/"&gt;the simplest solution&lt;/a&gt;, it worked well and stayed within our budget.&lt;br /&gt;&lt;br /&gt;With simple solutions, it is easy to see their flaws and compensate.  The problems which can occur in a system increase exponentially with complexity.  In other words, the more things that are involved, the more likely something is to go wrong and the more difficult they will be to solve.  When giving directions to my house, I usually give them a route with very few turns.  Because the directions are simple, they can be more precise and are easier to follow.&lt;br /&gt;&lt;br /&gt;Also, the more difficult and complex something is to use, the less likely people are to use it.  To stay with the example above, I drive a very simple route home from work every day.  I could probably shave 5-10% off my trip time by taking alternate routes depending on conditions and using back streets rather than the main ones.  However, this adds stress to my drive and introduces frustrations.  
Using the most direct route, I can sit back and relax on my drive, focusing instead on my music or on what I'll do with my free time.&lt;br /&gt;&lt;br /&gt;Reducing the complexity of a system usually increases its security (or decreases its likelihood of failure).  If a process requires four easy steps, it is much more likely to be followed closely than a similar process which requires several times more steps.  In automated systems, more steps means that there are more places to troubleshoot when a problem arises.  More worrisome, the more steps there are, the more likely it is that one of them will fail silently and/or catastrophically.&lt;br /&gt;&lt;br /&gt;So &lt;a href="http://en.wikipedia.org/wiki/KISS_principle"&gt;KISS&lt;/a&gt;!  That Wikipedia link can elaborate for you if you are interested, but repeating what others have written is not keeping it simple.  I'd hate to &lt;a href="http://en.wikipedia.org/wiki/Occam%27s_Razor"&gt;multiply entities beyond necessity&lt;/a&gt;, so I'll quit while I'm ahead.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-857315130293031042?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/esTjCnId0jk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/857315130293031042/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=857315130293031042" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/857315130293031042?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/857315130293031042?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/esTjCnId0jk/simplicity-simplicity-simplicity-tip-7.html" title="Simplify, Simplify, Simplify" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2007/05/simplicity-simplicity-simplicity-tip-7.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUCRnc-fip7ImA9WB5TF08.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-3882298344835662065</id><published>2006-11-07T22:36:00.000-05:00</published><updated>2007-06-01T15:31:07.956-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-01T15:31:07.956-04:00</app:edited><title>How Not to Fix a Problem</title><content type="html">I haven't posted in a couple of weeks (oops, I forgot!), so I figured I would put something up quickly that's fairly relevant to the typical blog posts and is somewhat topical.  
Posting this last week would have given you, dear reader, time to observe more and be a bit more informed about the issues discussed.&lt;br /&gt;&lt;br /&gt;If you're in the United States, you had the opportunity to &lt;a href="http://en.wikipedia.org/wiki/Election_Day_%28United_States%29"&gt;choose the lesser of two evils today&lt;/a&gt; and vote for many of your government officials.  If you are in the rest of the world, I'm sure you can feel our pain.  But maybe not as much pain as many of us actually feel.  See we use these &lt;a href="http://en.wikipedia.org/wiki/Electronic_voting_machine"&gt;electronic voting machines&lt;/a&gt; here which are not very well liked.  If you haven't heard about this by now, consider yourself lucky.&lt;br /&gt;&lt;br /&gt;Now don't get me wrong, some of these things probably work well.  But nobody is ever going to hear about things that work as well as they should.  For those unsung heroes who designed these machines, I salute you.  For the others, please find a suicide cult and join it soon.&lt;br /&gt;&lt;br /&gt;I'm not going to go through and &lt;a href="http://www.wijvertrouwenstemcomputersniet.nl/English"&gt;rehash&lt;/a&gt; &lt;a href="http://rawstory.com/news/2005/Documents_show_Maryland_held_election_primary_0216.html"&gt;old&lt;/a&gt; &lt;a href="http://www.rollingstone.com/news/story/10432334/was_the_2004_election_stolen"&gt;arguments&lt;/a&gt; made by &lt;a href="http://www.bradblog.com/?p=2433"&gt;others&lt;/a&gt;.  
If you &lt;a href="http://backslash.slashdot.org/article.pl?sid=06/08/01/191235"&gt;want&lt;/a&gt; &lt;a href="http://www.adn.com/news/politics/elections/story/8113627p-8006175c.html"&gt;to&lt;/a&gt; &lt;a href="http://vvnm.org/wiki/bevhacked.html"&gt;read&lt;/a&gt; &lt;a href="http://www.votersunite.org/info/ovrcstatement.asp"&gt;those&lt;/a&gt;, you'll &lt;a href="http://www.ddj.com/dept/security/193000399"&gt;find&lt;/a&gt; &lt;a href="http://www.us-cert.gov/cas/bulletins/SB04-252.html#diebold"&gt;plenty&lt;/a&gt; &lt;a href="http://it.slashdot.org/article.pl?sid=06/09/18/178218"&gt;of&lt;/a&gt; &lt;a href="http://www.blackboxvoting.com/s9/index.php?/archives/138-CONNECTING-MARYLANDS-ELECTION-DEBACLE-DOTS.html"&gt;links&lt;/a&gt;.  The basic problems are that the machines are difficult to use, they frequently break, and it's possible to manipulate the votes.  And instead of fixing the problems, the companies that make them are fighting people who expose the flaws.&lt;br /&gt;&lt;br /&gt;What the companies should be doing is making "bulletproof" devices and inviting people to try and break them.  There should be no question whatsoever that things are on the up-and-up when it comes to our freedom.  Further, there should be independent code audits and security tests to verify that there are no ways to breach the integrity of the machines.  In fact, I'm one of the people who thinks that the code should be opened up for review by everyone.  Why not leverage the power of a million or so people looking over the code for any problems?  Publish the code! You only have something to lose if it's broken and insecure and you've been &lt;span style="font-style: italic;"&gt;hiding&lt;/span&gt; that fact.&lt;br /&gt;&lt;br /&gt;With these devices, you don't design them so they can work, you design so they can't fail!  Take a look at ATMs -- they do this for the most part.  Very few people accidentally pull out stamps when they mean to withdraw money.  
&lt;a href="http://www.diebold.com/"&gt;Diebold&lt;/a&gt;, one of the largest manufacturers of voting machines, also makes ATMs.  They obviously have the expertise to make touch screen self service devices work, so why is it so hard to actually pull it off?&lt;br /&gt;&lt;br /&gt;Every system has its advantages and disadvantages when compared to others, but there is almost always a way to design a system that creates fewer disadvantages than the current system, while increasing the advantages.  When something works consistently and intuitively, there may still be ways to tweak the system to get greater efficiency.  But the electronic voting machines seem to have created a problem just as big as the one that they purport to solve.  Votes are still being counted inconsistently, ballot tampering is still possible, and the devices have added unreliability and complexity to the system.&lt;br /&gt;&lt;br /&gt;Ideally, a perfect solution will be efficient, simple to understand, intuitive to operate, and will minimize the possibility of mistakes.  Which brings us to our lesson for today:  A solution should not fix some problems only to create different, bigger ones!  That seems too obvious to have to state, but oftentimes people lose sight of the basics and need to be reminded of them.  It happens to us all at one time or another, so it's worth pointing out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-3882298344835662065?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/huWwCzs7sf4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/3882298344835662065/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=3882298344835662065" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3882298344835662065?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/3882298344835662065?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/huWwCzs7sf4/how-not-to-fix-problem-tip-6-i-havent.html" title="How Not to Fix a Problem" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2006/11/how-not-to-fix-problem-tip-6-i-havent.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUDRn45cSp7ImA9WB5TF08.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-116192130129131785</id><published>2006-10-26T21:28:00.000-04:00</published><updated>2007-06-01T15:31:17.029-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-01T15:31:17.029-04:00</app:edited><title>Lock Up Your Valuables</title><content type="html">If you're going to keep backups of your important information, it only makes sense to protect those backups.  This is doubly true if you're storing your backups off site.  If you have your backups on the internet, this is a no-brainer.  
The best way to do this is to put the data in some kind of container that is locked away digitally.  No one can see through the container, and nobody can open it without the key.  In the digital world, this is accomplished by encryption.&lt;br /&gt;&lt;br /&gt;There are several types of stored data encryption software, from &lt;a href="http://en.wikipedia.org/wiki/FOSS"&gt;FOSS&lt;/a&gt; to &lt;a href="http://en.wikipedia.org/wiki/NSA_encryption_systems"&gt;Top Secret&lt;/a&gt;; from &lt;a href="http://www.blackberry.com/solutions/government/security.shtml"&gt;mobile&lt;/a&gt; &lt;a href="http://www.safeboot.com/products/device-encryption/symbian/"&gt;phone&lt;/a&gt; &lt;a href="http://www.rsasecurity.com/press_release.asp?doc_id=1236&amp;id=1034"&gt;software&lt;/a&gt; to &lt;a href="http://www.entrust.com/email-security/messaging-server/email-encryption.htm"&gt;hardened&lt;/a&gt; &lt;a href="http://www.pgp.com/products/universal_server/index.html"&gt;enterprise&lt;/a&gt; &lt;a href="http://www.ciphertrust.com/products/"&gt;appliances&lt;/a&gt;; from &lt;a href="http://en.wikipedia.org/wiki/Filesystem-level_encryption"&gt;file-by-file&lt;/a&gt; to &lt;a href="http://www.pgp.com/products/wholediskencryption/index.html"&gt;whole disk&lt;/a&gt;.  Each of these types has its place in the world of Information Security.  I will attempt to treat the most relevant ones here.  
Hopefully by the end of this post you'll know what encryption is, why it's important to encrypt your valuable data, and what the best method is for you.&lt;br /&gt;&lt;br /&gt;Encryption and cryptography are much too broad to cover in depth here, but if you'd like to learn more about its history, its details, and its uses, I recommend you start with the &lt;a href="http://en.wikipedia.org/wiki/Encryption"&gt;Wikipedia&lt;/a&gt; page and with &lt;a href="http://www.schneier.com/blog/"&gt;Bruce Schneier&lt;/a&gt;'s best known books, &lt;a href="http://www.schneier.com/book-applied.html"&gt;&lt;span style="font-style: italic;"&gt;Applied Cryptography&lt;/span&gt;&lt;/a&gt; and &lt;a href="http://www.schneier.com/book-practical.html"&gt;&lt;span style="font-style: italic;"&gt;Practical Cryptography&lt;/span&gt;&lt;/a&gt;.  I haven't read either of these, but I have a decent idea of the principal ideas behind cryptography and encryption.  I have neither the aptitude nor the desire to learn more about these fields.  Here is a very brief explanation and history of cryptography and encryption, which may or may not be technically accurate (but it's close enough).&lt;br /&gt;&lt;br /&gt;Cryptography is the use of codes or ciphers to transmit information between two parties in clear view in order to make the meaning of the message incomprehensible.  Both parties must have a key to decrypt the code.  This can be done by memorizing a substitution pattern, by using a physical device, by using a computer to keep track of the encryption and decryption code, by making use of a &lt;a href="http://en.wikipedia.org/wiki/One-time_pad"&gt;one-time pad&lt;/a&gt;, etc.  Each of these has its advantages and disadvantages.  As a general rule, usability comes at the cost of security.  
All cryptographic techniques can be broken by modern computers given enough time, but some are easier than others due to &lt;a href="http://www.google.com/search?q=flawed+cryptography"&gt;flawed implementation&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The earliest cyphers were simple letter or word &lt;a href="http://en.wikipedia.org/wiki/Substitution_ciphers"&gt;substitute cyphers&lt;/a&gt;, such as replacing each character with a number or letter.  Julius Caesar used a &lt;a href="http://en.wikipedia.org/wiki/Caesar_cipher"&gt;cipher named after him&lt;/a&gt; which relied on both parties having a cylinder of equal size -- a physical decryption key of sorts.  Not a whole lot happened until the advent of basic computers -- &lt;a href="http://en.wikipedia.org/wiki/Difference_engine"&gt;in the mid 1800s&lt;/a&gt; &lt;span style="text-decoration: underline;"&gt;by Charles Babbage&lt;/span&gt;!  But during World War II, the use of cryptography (and &lt;a href="http://en.wikipedia.org/wiki/Cryptanalysis"&gt;cryptanalysis&lt;/a&gt;) really took off.  The most famous bits of cryptography during this era were the &lt;a href="http://en.wikipedia.org/wiki/Enigma_machine"&gt;Enigma machine&lt;/a&gt; and the &lt;a href="http://www.pan.net/history/enigma/index.htm"&gt;Polish mathematicians' breaking of this&lt;/a&gt; (by hand, no less), the &lt;a href="http://www.espionageinfo.com/Vo-Z/World-War-II-United-States-Breaking-of-Japanese-Naval-Codes.html"&gt;American decoding&lt;/a&gt; of the &lt;a href="http://en.wikipedia.org/wiki/Purple_code"&gt;Japanese diplomatic&lt;/a&gt; and, after Pearl Harbor, &lt;a href="http://en.wikipedia.org/wiki/JN-25"&gt;tactical&lt;/a&gt; encryption, and the American Marines' use of &lt;a href="http://www.history.navy.mil/faqs/faq61-2.htm"&gt;Navajo "Code Talkers"&lt;/a&gt; to relay messages to and from the front lines. 
Modern powerful multipurpose computing machines have ushered in the age of &lt;a href="http://en.wikipedia.org/wiki/History_of_cryptography#Modern_cryptography"&gt;Modern Cryptography&lt;/a&gt; and its various methods and techniques for encryption.&lt;br /&gt;&lt;br /&gt;Now that the obligatory background information is out of the way, we can start on the meat of the post.  I find that it is best to think of encryption software by its functionality.  What does the software do and how can that be useful?  In this sense, there are three categories of stored data encryption: &lt;a href="http://en.wikipedia.org/wiki/Filesystem-level_encryption"&gt;file level encryption&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Disk_encryption_software"&gt;file vault encryption&lt;/a&gt;, and &lt;a href="http://en.wikipedia.org/wiki/Full_disk_encryption"&gt;whole disk encryption&lt;/a&gt;.  Note that I will not be discussing &lt;a href="http://en.wikipedia.org/wiki/Cryptographic_protocol"&gt;cryptographic protocols&lt;/a&gt;, such as &lt;a href="http://en.wikipedia.org/wiki/Transport_Layer_Security"&gt;SSL/TLS&lt;/a&gt;, for securing data as it crosses a network.&lt;br /&gt;&lt;br /&gt;File level encryption or filesystem level encryption is a method of encrypting individual files on a disk.  Usually this requires the user to manually select to encrypt a file.  Some software allows the user to specify that a directory in its entirety is encrypted, including new documents created or put into this directory.  Windows uses the &lt;a href="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx"&gt;Encrypting File System&lt;/a&gt; (EFS), and OS X uses their &lt;a href="http://www.apple.com/macosx/features/filevault/"&gt;FileVault&lt;/a&gt;.  Each of these automates decryption when the user logs into the computer.  However, this means that anyone who has access to this login has access to the sensitive files.  
It also makes transporting the files encrypted a challenge:  they are decrypted in transit, but are difficult to copy when encrypted (or rather, they are difficult to decrypt after they have been moved when encrypted).  Other programs can be used which can overcome the latter difficulty, but which do not solve the first one and may not provide the same ease of use as the integrated products.&lt;br /&gt;&lt;br /&gt;What I call "file vault encryption" others call "disk encryption".  I think this is easily confused with "full disk encryption" so I will continue to use my terminology, despite the possible confusion with Apple's FileVault.  Whatever you want to call it, file vault encryption creates a single file in which all data is stored encrypted.  Typically the software will &lt;a href="http://en.wikipedia.org/wiki/Mount_%28computing%29"&gt;mount&lt;/a&gt; this file as an additional hard drive in your computer, making access to the data easy.  This type of encryption is very easy to transfer to another computer or to another medium -- you just copy the single file.  However, it typically requires entering a secondary password after logging into the computer.&lt;br /&gt;&lt;br /&gt;Full disk encryption or whole disk encryption usually refers to encrypting the entire &lt;a href="http://en.wikipedia.org/wiki/Boot_device"&gt;boot device&lt;/a&gt;.  This ensures that all of the data on the disk will be encrypted, including temporary files, working files like the ones Microsoft Word creates, and the &lt;a href="http://en.wikipedia.org/wiki/Scratch_disk"&gt;scratch disk&lt;/a&gt; or &lt;a href="http://en.wikipedia.org/wiki/Virtual_memory"&gt;virtual memory&lt;/a&gt;.  Encrypting all of this data is most appropriate for mobile computers which are likely to be lost or stolen.  However, this &lt;a href="http://www.full-disk-encryption.net/blog/index.php?action=viewtopic&amp;amp;id=250"&gt;security costs performance&lt;/a&gt;.  
Also, once the user logs into the computer, all files are copied and transmitted unencrypted.  In addition to the fact that transporting the data requires additional encryption, if the hard drive is damaged or if the &lt;a href="http://en.wikipedia.org/wiki/Boot_sector"&gt;boot sector&lt;/a&gt; is overwritten, the data is essentially irretrievable.&lt;br /&gt;&lt;br /&gt;Of these three types, each has its proper use.  The least useful type of stored data encryption of the three is the file level encryption.  It offers the fewest benefits with the highest risks.  In fact, I would argue that it is completely useless in comparison with file vault encryption, which performs many of the same functions with the added bonus of transportability.  In addition, the fact that the vault is mounted to a drive letter clearly delineates which data is encrypted and which data is not encrypted.  Full disk encryption should be used anywhere the risk of computer theft or loss is moderate, in addition to some high security environments.  And some form of encryption should be used on all backed up data.&lt;br /&gt;&lt;br /&gt;Of the many dozens of attacks where &lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"&gt;personal information has been lost&lt;/a&gt;, it is unclear how many were preventable by encrypting the data.  However, it is a good bet that every lost or stolen laptop or backup tape would have yielded no data if proper encryption methods had been used. And many of the hacking incidents may have been preventable if the sensitive information had been encrypted properly.  
While it may seem costly for a company to implement, the encryption software and practices cost &lt;a href="http://www.techweb.com/wire/security/188702019"&gt;hardly anything&lt;/a&gt; compared to an incident like the one the &lt;a href="http://www.techweb.com/wire/security/188101069"&gt;Department of Veterans Affairs suffered&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The takeaway lesson here is to keep your important stuff protected.  It's not enough to just keep it in a safe place; you should keep it in a secure place.  Whether that is a safety deposit box at your bank, a safe in your home, or a vault at Ft. Knox, you can't afford to let your valuables just sit around unprotected.  How much cheaper it would seem in retrospect to buy a safe than to try replacing a family heirloom after it is stolen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-116192130129131785?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/F6kcRiwGF5E" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/116192130129131785/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=116192130129131785" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/116192130129131785?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/116192130129131785?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/F6kcRiwGF5E/lock-up-your-valuables-tip-5-if-youre.html" title="Lock Up Your Valuables" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2006/10/lock-up-your-valuables-tip-5-if-youre.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUMR3o7fCp7ImA9WB5TF08.&quot;"><id>tag:blogger.com,1999:blog-34349059.post-116001867469446664</id><published>2006-10-19T23:22:00.000-04:00</published><updated>2007-06-01T15:31:26.404-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2007-06-01T15:31:26.404-04:00</app:edited><title>Backups</title><content type="html">This tip will either be a waste of time or it will save you more grief than you can imagine.  Backing up your important information can make the difference between taking 10 minutes to restore your data versus weeks and hundreds of dollars to get none to all of it back.  
I lost my data once and didn't have the money to spend restoring, so I spent over a year and a half trying out different software and techniques before I was finally able to rebuild the data I lost -- a lot of irreplaceable pictures.&lt;br /&gt;&lt;br /&gt;So now that you know you should be backing up your data, how do you do that?  The first step is to identify what you want to back up.  This isn't as easy as it might sound at first.  Things tend to get scattered all across your hard drive, floppies, CDs, etc.  The only thing worse than not backing up anything is backing up everything but a key document -- by the time you realize you've lost it, it may be too late to recover.  Once you've got it all collected, find a spot on your hard drive where you can store everything.&lt;br /&gt;&lt;br /&gt;Now that the first step is completed, it's time to look at your backup options.  Which backup method you choose is largely a matter of personal preference.  The four general ways to backup data are online, &lt;a href="http://en.wikipedia.org/wiki/Nearline_storage"&gt;nearline&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Offline_storage"&gt;offline&lt;/a&gt;, and offsite.  There are benefits to each, as well as drawbacks.  Here are some brief descriptions.&lt;br /&gt;&lt;br /&gt;Online storage backups are not really backups, they are redundancies in the way the data is stored, meaning that a single dead hard drive does not lead to data loss.  However, for the purposes of our discussion, it can be considered a method of backup.  
Typical online storage would be something like an internal &lt;a href="http://en.wikipedia.org/wiki/RAID"&gt;RAID&lt;/a&gt; with &lt;a href="http://en.wikipedia.org/wiki/Fault_tolerance"&gt;fault tolerance&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Network-attached_storage"&gt;NAS&lt;/a&gt;/&lt;a href="http://en.wikipedia.org/wiki/Storage_area_network"&gt;SAN&lt;/a&gt;, or some other method of keeping data instantly accessible and current in the event of a failure.  Also, you don't have to think about performing backups, data is automatically backed up whenever you change or update it.  However, in the event of a complete system failure, all information will be lost.  This could be due to theft, lightning and other natural disasters, structure failure, fire, etc.&lt;br /&gt;&lt;br /&gt;Nearline storage allows you to keep data close at hand, but not fully current or instantly accessible.  This would be a true replication of data, so that it exists both on the computer and on another device.  Typical nearline storage devices are &lt;a href="http://en.wikipedia.org/wiki/Usb_flash_drive"&gt;USB flash drives&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Disk_enclosure"&gt;external hard drives&lt;/a&gt;,  secondary internal hard drives, or any other type of storage usually connected to the computer or across a network.  The backed up data is quick and easy to access in the event of a primary storage failure.  This type of backup is probably most common in home environments.&lt;br /&gt;&lt;br /&gt;Offline storage is that which is backed up, usually on removable media such as blank CDs or DVDs (optical media), floppy disks, &lt;a href="http://en.wikipedia.org/wiki/Zip_disk"&gt;zip disks&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Magnetic_tape"&gt;storage tapes&lt;/a&gt;, etc.  These media are easily stored elsewhere, since they are typically much cheaper and more portable than the other solutions.  
Offline storage requires that you locate the media and put it in a reader attached to your computer.  One of the biggest problems with this type of storage is that sometimes the media goes bad.  This is especially true for optical media.&lt;br /&gt;&lt;br /&gt;Offsite storage is typically an offline storage system where some or all of the media is kept in another physical location.  For example, if you backup your home computer's data to DVD and store the DVD in your desk drawer at work, you have an offsite backup.  This may accomplish your goals just fine, or you may want to look at a more secure solution, such as a safety deposit box or a professional service which will pick up and store your media.&lt;br /&gt;&lt;br /&gt;Another form of offsite storage is internet-based storage.  There are plenty of sites out there that will give you free storage, from &lt;a href="http://www.free-webhosts.com/"&gt;free web hosts&lt;/a&gt;, to &lt;a href="http://rapidshare.de/"&gt;file&lt;/a&gt; &lt;a href="http://stashbox.org/"&gt;sharing&lt;/a&gt; &lt;a href="http://www.snapdrive.net/"&gt;sites&lt;/a&gt;, &lt;a href="http://storage.vmn.net/plans.php"&gt;to&lt;/a&gt; &lt;a href="http://www.streamload.com/"&gt;dedicated&lt;/a&gt; &lt;a href="http://www.xdrive.com/"&gt;backup&lt;/a&gt; &lt;a href="http://mozy.com/"&gt;sites&lt;/a&gt;, to &lt;a href="http://www.inbox.com/"&gt;jumbo&lt;/a&gt; &lt;a href="http://webmail.aol.com/"&gt;sized&lt;/a&gt; &lt;a href="http://mail.google.com/"&gt;email&lt;/a&gt; &lt;a href="http://www.yahoo.com/r/m1"&gt;hosts&lt;/a&gt;.  Some of these are better than others for keeping backups of sensitive information.  For example, the backup sites linked all claim to encrypt your data so that only you can retrieve it.  In general, I don't trust proprietary encryption and I don't trust somebody else to encrypt the data for me.  
So you'll probably want to encrypt it before uploading (that's a topic for another day...).&lt;br /&gt;&lt;br /&gt;While any data backup is better than none at all, I recommend keeping a few different backups using different methods.  My important data resides in several locations.  First, it is on my local hard drive.  Once a week or so I copy this to a file server running a RAID.  Every once in a while I'll copy the backup to an internet-based offline storage system.  This ensures that I can survive several failures without loss of data.&lt;br /&gt;&lt;br /&gt;Don't forget how critical your backups are!  Don't store the backups where they may get stolen, lost, damaged, or otherwise be useless.  Also don't forget to keep this data secured and/or encrypted.  And it might be handy to test your backups regularly to make sure you can restore the information.  Many businesses learn these lessons the hard way by losing their only copy of data, by having the information leak out because they treated their backups as if they were blank, or by not being able to get their data back when they really needed it.  I warned you.&lt;br /&gt;&lt;br /&gt;Businesses practice "Risk Management," determining an acceptable amount of risk to allow as a tradeoff for cost.  But they're only protecting their money; you have to protect much more valuable property.  Whether you're backing up your Great Grandmother's cookie recipe, your college thesis paper, or your pictures of your kids' first Christmas, these things are irreplaceable. With the free tools outlined here, the only cost to you is your time.&lt;br /&gt;&lt;br /&gt;The final lesson in data backup is trust.  Backups are an insurance policy and the most important part of insuring against loss is trust.  So don't listen to the lizard or the duck when they tell you that cheap insurance is better.  The truth is that if you ever have to cash in one of these things, they'd better pay off.  
If you don't have 110% confidence that you can recover quickly and easily after a disaster, then it's time to start looking for somebody that you can trust to make that happen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/34349059-116001867469446664?l=beauwoods.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/BeausComputerSecurityBlog/~4/iRUyjwr89ss" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://beauwoods.blogspot.com/feeds/116001867469446664/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="https://www.blogger.com/comment.g?blogID=34349059&amp;postID=116001867469446664" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/116001867469446664?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/34349059/posts/default/116001867469446664?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/BeausComputerSecurityBlog/~3/iRUyjwr89ss/backups-tip-4-this-tip-will-either-be.html" title="Backups" /><author><name>Beau Woods</name><uri>http://www.blogger.com/profile/14184838605895449028</uri><email>noreply@blogger.com</email><gd:extendedProperty name="OpenSocialUserId" value="16474045815768281750" /></author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://beauwoods.blogspot.com/2006/10/backups-tip-4-this-tip-will-either-be.html</feedburner:origLink></entry></feed>
