David's Cyber Security Page

Skype protocol Cracked?

VoIP service provider, Skype doesn't play well with others. Skype has built a compelling business and technology upon a set of closed, proprietary protocols. The details and use of these protocols have spawned much discussion, articles, speculation and even opened a market segment for Skype related products. Now we hear claims from the voipwiki about a group of Chinese engineers that they have

Building a Self-Healing Network (Servers)

Lately collegues and I have spent a fair about of time talking about Self Healing networks (more than just the Cisco marketing kind). I was interested to run across this article, appropriately named Building Self-Healing Networks on O'Reilly's ONLamp.com.

Wouldn't it be great to have our servers solve their own problems? System administrators would be free to work proactively, rather than reactively, to improve the quality of the network.

This is a noble goal, but few solutions have made it out of the lab and into the real world. Most real-world environments automate service monitoring, then notify a human to repair any detected fault. Other sites invest a large amount of time creating and maintaining a custom patchwork of scripts for detecting and repairing frequently recurring faults. This article demonstrates how to build a self-healing network infrastructure using mature open source software components that are widely used by system administrators. These components are NAGIOS and Cfengine.

Anyone have experience using these tools in a production environment, it seems like there might be issues, but is an interesting idea? Are there others thoughts/methods?

Data Theft lessons Learned part 1

Last week I had the opportunity to talk with a friend and colleague from McCombs School of Business (University of Texas at Austin) about their recent data theft which exposed personal information from an estimated 108,000 people.

The conversation was both illuminating and sobering and highlighted many of the challenges (okay, difficulties) we face in higher education.

Data theft is an issue of great concern not just for this University but to the public at large. With millions of people affected every year, improving data security is a critical public policy issue and a new imperative for all institutions and businesses. As a major educational center, the McCombs School is committed to applying its skills and resources toward creating solutions Â now and in the future. -- George W. Gau, Dean, McCombs School of Business

Dean Gau is right, data security is a problem for all of us, both as users and as computer professionals. As if to underscore the scope of the problem, within a week of this breach there were two others announced, including the high profile issue at the VA.

I'm hoping to entice a more detailed perspective from David Burns at UT. In the mean time, here are his initial thoughts and advice (in the form of a top 10, err 11 list)

Have a crisis plan! Go to the Educause site on incident response - http://educause.edu/content.asp?page_id=645&PARENT_ID=660&bhcp=1 - and use that material at length. I've attached one of the documents that we've been using. I just learned about this site at the regional Educause conference, so go to those too.
Have good home and cell phone numbers for ALL of your staff!! Let them know that there is some chance in the future that they may have to come in at weird times (mine were great about this, but I didn't have all the numbers I wanted)
Know who the players are. If you're involved in something bad enough to be brought to the attention of the President you may be dealing with a lot of people you've never met before. Get familiar with the high levels of the campus org chart. But also be familiar with who the people are who actually do stuff or have a lot of pull.
Don't underestimate the palliative properties of the possibility of an effective law enforcement effort. Having an idea that the bad guys could get caught (assuming there are bad guys) makes people happy. That translates into how you manage your incident response because you may want to let a bad situation continue to be bad for a bit if ISO (Information Security Office) can get involved very early. Be familiar with the requirements for having evidence that will stand up in court too.
The needs of the high-level decision makers for rapid assessment and action is matched only by their annoyance when details change or time/work is wasted. The pressure to deliver answers to wickedly complex problems in a very short time is intense. (To be fair, the people involved in this have reacted very, very well to bad news and changes, but it is still unpleasant when something you've said in the past, even when you've couched it as well as you can, is no longer the case) So is the likelihood that people you talk to will always be looking at the most optimistic side of things. That won't be an outlook you'll share, although the temptation to deliver good news is strong and best avoided.
It is called a "crisis" and not "happy-fun-time" for a reason. People's expectations may not always adjust accordingly, though.
ITS (central IT) has tremendous resources that they can bring to bear and top-flight managers when it comes to a crisis. I've really been stunned at what they can do, but it has sometimes been hard to articulate exactly what help we needed from them sometimes and that's been a bit of a frustration on both sides.
Develop a good relationship with ISO now because you'll need it later. (...redacted...) They won't just swoop in and take over, though, so you have to be ready for that. It helped to have explicit conversations spelling out who (us or ISO) was going to be responsible for what. In our case, ISO took the lead in chasing the bad guys while we focused on examining the data to find out who was impacted and how. That model will probably scale well.
There will have to be a website to send people to if there are large numbers involved (http://www.mccombs.utexas.edu/datatheft) . Designating an email address (or, even better, having a special one for your incident) for the public to use is good too, but you need to plan in advance about what you're going to do with the messages once they start coming in.
A call center is a great thing (we used the ITS help desk call center, which they augmented with extra staff and hours, because it could be stood up quickly and that was how they dealt with it in 2003. It was a good choice but a different call center may have been a better one to go with) , but look into some of the commercially-run ones and try to choose one now.
You can get a heck of a lot out of people if you bring food and drinks in on a regular basis. The money we've spent on pizza and sandwiches has been money very well spent. You, however, will probably not eat much and that will hurt you. So will the lack of sleep. We had people putting in huge hours and at some point we just had to send them home, even though we desperately wanted the work done, because they just weren't sharp enough to do it right.

Danger Will Robinson, Danger

It may give more meaning to the term "blue screen of death", but it seems we have entered a whole new world of medicine.

No, I'm not talking about wifi enabled morphine pumps, rather we are now in there era where robots and computers can perform remote, unassisted heart surgery!

Take a 35 year old Italian man with a heart condition, add a robot surgeon, a dash of insanity adventure and 50 minutes later we have entered a new era.

Check this quote from Engadget.com:

Even though there were about a million doctors on hand to monitor Dr. Carlo Pappone's robosurgeon doing its detailed work on a 34-year-old Italian patient suffering from atrial fibrillation (heart flutters), we can't help but wonder if a juxtaposed "0" and "1" in the bot's code is all it would take to drive a scalpel somewhere that it isn't supposed to go. Luckily for the pioneering patient, the 50-minute surgery went off without a hitch...

As we enter this, ehhh, brave new world, I hope we think carefully about the security and safety of computers that have direct access to patient care. It's one thing to get a computer virus that crashes your laptop, but another altogether when a computer virus crashes you.

What do you think?

Hack my ride

Many people have a hard enough time making sure that their computer is patched and up-to-date. Now that some hackers are targeting cars, we may soon have to make sure the Buick has the latest security patches as well.

It seems that some car thieves have turned hacker (or is it the other way around) and are beginning to target cars with keyless entry systems.

While many computer-based security systems on automobiles require some type of key, mechanical or otherwise, start the engine, so-called "keyless"setups require only the presence of a key fob to start the engine.

The expert gang suspected of stealing two of David Beckhams BMW X5 SUVs in the last six months did so by using software programs on a laptop to wirelessly break into the cars computer, open the doors, and start the engine.

The article on leftlanenews.com goes one to tell the story of how David Beckham's Beemersdisappearingearing.

The Leftlane Perspective: Many modern cars now rely on software entirely for security. Gone are the days where microchips supplemented mechanical locks as an additional security measure. In the case of true keyless systems, software is the only thing between a thief and your car. As computers become more powerful, will stealing cars become even easier? Never mind future cars with better security what about todays cars a few years down the road? With cars as inexpensive as the Toyota Camry offering entirely keyless systems, these concerns a relevant to all consumers.

While we are still a long way from GM Tuesdays, it does give you something to think about. For me, I am glad my ride is a bit more low tech.

Time to carry a portable shredder?

I should know better. I've heard the story over an over again. Despite all of that, I was still surprised by how easy it was to leverage a discarded boarding pass into a slew of personal data, including passport number, nationality, address, travel history, etc.

Some of these aren't a big leap. Armed with a name and a couple of guesses about home city and bam, you've got address, phone number, tax records and the like.

If the expert was right, this stub would enable me to access Broer's personal information, including his passport number, date of birth and nationality. It would provide the building blocks for stealing his identity, ruining his future travel plans - and even allow me to fake his passport.

The quote is from an article in the online edition of the Guardian Newspaper in the UK. But by exposing a flaw in British Airline's web security, the article demonstrates how it was trivial to get and change passport numbers and other personal information.

It is an interesting read on many levels. On one level it has lessons for web developers on why security is important and how seemingly straight forward decisions can have unintended consequences.

On another it gives us a reminder on the line between security and privacy, especially where visitors to the US are concerned. On yet another level, it illustrates how precarious our online identities are.

What do you think? Do we shred everything? Bury our head in the sand? Or continue to take reasonable precautions and hope for the best?

Links:
The Guardian Online article
Original post from Lifehacker.com

Security conference in a box

Educause and Internet2 have posted their proceedings (aka presentations, etc) from this month's security conference. There are some good ideas and presentations from this conference, I only wish that I was able to attend more of them.

Looking back at the list of pressos, there are a few that I did not attend that stood out at first glance:

The Challenge: Securing a Large Multicampus Network
Mining Flows for Intrusion Data
The Botherd is Coming! How Education and Technology Can Stop the Stampede

These are the ones that jumped out at me. What do you find interesting? Take a look and post a comment on your thoughts.