Thursday, 05 October 2006
Well, honestly, it's about time.
Bloggers are all over the story, and are espousing a variety of opinions, but I have wondered for years when Microsoft would finally crack down on software thieves and simply not allow their software to run unless it was legitimately licensed. I'm responsible for cutting a big check each year to Microsoft to pay for the software we use at the company I work at. It costs me more, in effect, because others are taking without paying.
So, Windows Vista will detect piracy and take action. In Microsoft's words:
"Collectively termed the Microsoft Software Protection Platform, the new technologies will introduce improvements in how Microsoft software activates, is validated online and behaves when tampering or hacking is detected."
Thinking about this from a security guy's perspective, one thing bothers me: Turning off the anti-malware capabilities on unlicensed copies? Are you kidding me? That means the rest of the world falls victim to everyone out there that's running pirated Windows? Please, please, please change this one - Microsoft might be a victim, but no need to invite the rest of the world into that club. And it looks like Richi Jennings agrees with me on that one. That's just poor prioritization. Hopefully someone will rethink the approach in that specific area...
Elsewhere, Ed Bott at ZDNet has written a very good piece describing the changes and his thoughts on the matter. He has some important point, ones that Microsoft should make sure they have thought completely through and have a plan for - especially where it comes to Volume License customers. Those are the people you don't want to aggravate, for sure.
Among Bott's comments:
Microsoft denies that this is a "kill switch" for Windows Vista, even giving it a separate question and answer in its mock interview announcing the program. Technically, they're right, I suppose. Switching a PC into a degraded functionality where all you can do is browse the Internet doesn't kill it; but it's arguably a near-death experience. The accompanying white paper describes the experience in more detail:
By choosing "Access your computer with reduced functionality," the default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will log the user out without warning. It will not shut down the machine, and the user can log back in. Note: This is different from the Windows XP RFM experience, which limits screen resolution, colors, sounds and other features. [emphasis added]
My head practically exploded when I read this sentence describing the new, improved punishment regimen: "Windows Vista will have a reduced functionality mode but one that is enhanced." Enhanced reduced functionality? Orwell would be proud.
Snarky as ever, Engadget reports:
Well, Microsoft has fired the first salvo in this war on pirates -- according to The Associated Press, the Redmond crew will be taking "much harsher steps to curtail piracy" than in years past. First, the company will "deny access" to some of the "most anticipated features," including Windows Aero, the new GUI. Then, Vista will start issuing ransom demands (we're not kidding about this part), demanding that a legitimate copy be bought within 30 days, or else. What would such consequences entail? How about limiting Web access to an hour at a time? Further, what about not being able to open documents from the desktop or "run other programs such as Outlook e-mail software" ? However, the article goes on to say: "Microsoft said it won't stop a computer running pirated Vista software from working completely, and it will continue to deliver critical security updates." So for those of you keeping score, Microsoft wants to make using your computer as miserable as possible, while keeping it as "safe" as possible, ok?
People out there will whine and complain and say it's not fair, that it's all a bunch of red tape and people will be inconvenienced (and they might be right about that one point), and a million other things that go along with the typical victim mentality (sorry guys, but possession of stolen goods is illegal, even if it's inconvenient, and possessing stolen stuff unknowingly doesn't make the goods any less stolen). And Microsoft needs to make sure that legitimate users are not impacted in a truly meaningful and workable way. But the fact of the matter is that Microsoft is right on this one. In fact, it seems to me that if I ran a company that created software for use by consumers and businesses, and if I wanted to make sure it was being legitimately used and paid for, I'd just keep it from working at all if it was obviously stolen.
But the politics of huge-mega-corporation-attacked-by-angry-mob is a multi-billion-dollar business, apparently.
Glad to see they're finally doing something about it, though.
Some Techmeme-tracked discussion on the topic:
Tuesday, 03 October 2006
My job is all about catching bad guys, building great software to help do that, protecting information, and a variety of similar things. the company I work for builds software than somewhere around a third of the country uses in some manner to conduct financial transaction on the Internet, so the topic of security is important to me.
I'm regularly participating these days in interviews with members of the media, and recently one resulting story was published that I thought did a nice job of covering the bases regarding security in financial services and the human elements. What has to be recognized in order to succeed in this fight is that the user is not predictable, accountable or reliable. It's the truth, it's important to know, and it's a fact we have to plan for and design into our security models.
Read the story here: Finance on Windows - "For Your Eyes Only"
Wednesday, 09 August 2006
Proof that cyber-crime is real, Consumer Reports is out with their State of the Net survey. It's pretty much as bad as we all know. From MSNBC:
"...American consumers lost more than $8 billion over the last two years to viruses, spyware and various schemes.
" Additionally, it shows consumers face a 1-in-3 chance of becoming a cybervictim -about the same as last year."
Thing is, prevention is much less costly than reactively paying for damage already done. You want to prevent the guy from getting into your place? Or do you prefer to let him in but then keep him from walking out the door with your money? Or are you like most people, who are resigned to watching him walk out the door with the prize, throwing your hands up in the air, and blaming someone (anyone, really) else?
How do we convince people, and what will it take?
Monday, 07 August 2006
UPDATE - AOL apologizes
(not as if it makes a difference at this point, though):
"This was a screw-up, and we're angry and upset about it. It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant," AOL, a unit of Time Warner, said in a statement. "Although there was no personally identifiable data linked to these accounts, we're absolutely not defending this. It was a mistake, and we apologize. We've launched an internal investigation into what happened, and we are taking steps to ensure that this type of thing never happens again."
AOL, over on their research wiki site, on Sunday posted an article describing their release of search data collected for more than a half million AOL users over a three month period. They claimed the data was made "anonymous," and that it was being released for research reasons. Problem is, it's not anonymous enough. Each unique user was replaced with a unique random identifier. That means you can see everything that user 336072 searched for. What if someone examined everything you searched for over three months? Even without knowing your name explicitly, do you think they might be able to find out some interesting things? Have you ever done a "vanity" search?
It's just not anonymous enough. I have a copy of the data that I downloaded before it was taken offline, and I've poked around in it a bit, so I know. Not only that, but spammers and search engine "optimizers" out there are going to have a field-freakin-day with this data. No, I won't share it with anyone else. It never should have been released in the first place, so I am not going to add fuel to the fire.
Michael Arrington at TechCrunch wrote about it in his blog entry entitled "AOL Proudly Releases Massive Amounts of Private Data," and updated his post a couple times as AOL mysteriously removed the data file from the web, as well as the page announcing the availability.
Arrington: "AOL must have missed the uproar over the DOJ's demand for "anonymized" search data last year that caused all sorts of pain for Microsoft and Google. That's the only way to explain their release of data that includes 20 million web queries from 650,000 AOL users."
When you consider that AOL search is - get this one - actually Google's search with a different face on it, you can imagine what the emails and phone calls that went flying around between the two companies on Sunday afternoon might have sounded like. Ouch.
Yeah, and so much for the privacy of AOL's users. If you're an AOL user, is that what you signed up for, to be a guinea pig in AOL's poorly-planned foray into academia? I think not. This is identity theft just waiting to happen, that's what this is. Again from Arrington:
"The data includes personal names, addresses, social security numbers and everything else someone might type into a search box. The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with "buy ecstasy" and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless. "
Google says "do no evil" and keeps this kind of data under wraps when challenged in federal court. AOL? Not so much.
Any would-be AOL boycotters better be prepared, though. Last we checked, you can't even cancel your account at AOL without being put through the ringer. Several years ago when I canceled mine it was a several-months-long experience before I was able to decipher enough to get the billing truly stopped. Coming and going, that's how they get ya in Dulles... There's a reason PC Magazine ranked AOL "Number One" in a list of things you'd really rather not be on...
Saturday, 05 August 2006
The U.S. Senate on Thursday ratified the first and only international treaty designed exclusively to combat computer crime. You can read the full text of the Council of Europe Convention on Cybercrime here.
What does this mean? Well, a lot of things. But all told, it means law enforcement officials from around the world will have a more agile, speedier, and more capable framework for cooperating in combating bad guys that are out to hurt others on the Internet. For those of us working to stop bad guys, it makes doing so more possible and can help remove some barriers that tend to get in the way. For those of us in the United States, the provisions are not really anything new. But for other countries that ratify, it means a much enhanced ability to work together.
The Senate did not consider an optional provision of the convention that deals with combating Internet hate speech, which would likely have run afoul of the First Amendment to the U.S. Constitution.
Summary of the Senate activity is in an article at news.com.
Friday, 28 July 2006
Tell me what you think, share what you know... In large part, I help catch bad guys for a living. So I have my own perspective and base of experience, but please share yours.
You may already be familiar with the term "phishing" and possibly you have a good idea of what it means. If you're not familiar with the term, you should be. Essentially, bad guys set up fake "phishing" web sites, typically by copying an online banking or other e-commerce site. The bad guys then send out emails or use other means to try to get you to visit the fraudulent web site they've set up, in hopes you'll think it's legitimate and "update" your banking or other private information there. In reality you're not communicating with the actual bank or e-commerce company at all, and you're not really updating anything - Rather, you are providing confidential identity and financial information to cyber-criminals. The bad guys then use that information to steal money, defraud you and others, and to create a new identity or leverage yours for their own gain. They're good at what they do, and the fact of the matter is, it works well enough for those who are the best in their "industry" (and it is its own micro-industry, as we'll discuss) to be motivated to make a career of it.
The general technique of convincing you via trickery to give up your private and sensitive information is called "social engineering." Bad guys act in ways that cause you think you're communicating with a legitimate business, but in reality you're being defrauded of information and - in turn - your financial and identity assets. More recently even myspace.com and similar sites have been faked, so we know these criminals are creative and go after us where we live. Whether it's a phone call from someone who sounds like a legitimate business person or a web site that looks like it's the real thing, it's all social engineering - tricking you into believing you're communicating information to a legitimate person or business when you're not.
You've likely seen emails show up in your in-box that pretend to be from ABC Bank or XYZ Credit Union. Beware any email that request information from you. The emails typically say something has happened to your account or that they;re verifying information, and you need to update your information by clicking a link to go to the bank's web site. But those emails are fakes, and so are the sites that load when you click the link. They're sent (well, spammed really) to anywhere from a few thousand to millions of people at once. Even when only a very small percentage of victims actually take the bait (hence the term phishing, eh?) , the bad guys win and come out ahead - big time.
Unfortunately, people do take the bait. I see it every single day in my work. Just the other day I dealt with a situation in which someone who provided their information to a phishing site fraudster was ripped off for $19,000. We're talking about serious stuff here... Now, when you lose money it's sometimes recoverable (but not always - you can sometimes be held responsible for giving away security secrets, after all). But if someone steals your private identifying information - things like driver's license numbers, dates of birth, social security numbers and the like - it's bad news. You're in trouble. Recovering from a stolen identity can be nearly - and oftentimes completely - impossible. You can get a couple thousand dollars back if you get tricked into giving up a password, but you can't take back your social security number once someone knows it.
You get the picture.
So, phishing is when someone sends an email and tries to get you to provide your secret information on a web site that looks like a legitimate one, but which is really just a fake copy that some bad guy controls. A lot like walking into what you think is your favorite coffee chain and walking out with a Strychnine latte, really. And on top of that, you paid the bad guy who you thought was your friendly barista $5 for it - and left a tip.
We've covered some of the basics of phishing fraud - just the first thin layer of the problem, actually. Over the course of some future posts, we'll dig a bit deeper into the details of what makes up a phishing campaign and what can be done about it. We'll also discuss pharming, spear-phishing and other cute terms that start with "ph" but which are really just about the farthest thing from cute you can imagine.
There are solid reasons for this madness that plagues the financial service and e-commerce industries. But truly understanding the problem means more than just knowing what phishing emails look like and avoiding fake sites. The fact that the sites are even there in the first place, that the email actually reaches your in-box, that you can't tell a fake site from the real one - all of these things are problems in and of themselves. To truly prevent the problem - and let's face it, prevention is the golden key here - we need to know and understand much, much more.
For instance, do you know why certain banks, credit unions and online retailers are targeted over others? Here's a hint: It's not always about how many customers they have to target or how big a name the bank is, although that can be a factor. Many of the biggest targets are credit unions with just a few thousand customers. And do you know what the phishers actually do with the information they fraudulently trick you into providing?
Do you have any idea who the bad guys are?
That's a taste of what we'll be discussing here over the next few weeks. I'll publish some of my thoughts on these topics and more. Not the secret stuff that lets us catch them, but the information consumers and institutions can use to help combat the problem. It's an opportunity to learn and share information. If you have ideas, thoughts or comments about the phishing problem, or online fraud in general, please leave a comment on this entry, or write about it on your own blog, or alternatively you can email me (but please use the comments if it's safe and reasonable to do so in order to provide the benefit to others - I tend to get a lot of emails that would be much better from a community standpoint if they were posted instead as comments). I'll leverage my own thoughts as well as the thoughts of others like you to help build parts of the future discussion. With hat tips all along the way, of course.
Saturday, 08 July 2006
Looks like a new variant of an old virus is making the rounds.
I got an email tonight in my personal email account that pretended to be from Microsoft and which contained a virus in an attached ZIP file. The attachment was called "Microsoft SMS Manager.zip" and contains two files - which are packaged as a .JPG file and a .HTA file. The JPG file is actually the infected binary and the HTA file is a real HTA with malicious content to call the binary and perform some other actions. The email came from an IP at an ISP located in Asia.
Of course I didn't get infected, because I saw it as obviously fake. Microsoft will never send software or updates via email, but in the social engineering department this one is bound to fool a number of people (despite the bad grammar), so it's a good idea to get the word out. I confirmed the virus infection with Symantec's AV software client on the local machine.
Here is the info about the infected contents of the ZIP file (specifically the JPG file):
Scan type: Auto-Protect Scan
Event: Threat Found!
File: C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip\Product.jpg
Location: C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip
Action taken: Delete succeeded : Access denied
Date found: Saturday, July 08, 2006 11:22:31 PM
If the AV software is correct and it's actually a W32.Gavgent.A virus in this file, this is an older worm (1995) that was not too prevalent at the time. The dates on the files in the ZIP are 8/2005, so it's entirely possible this is a reuse of an older virus. The HTA file in the package is an actual HTA file, and it references "Gavgent.B" in it's contents, so it's likely this is a repackaging of the Gavgent.A variant. At this time, there is no reference to Gavgent.B at Symantec Security Response. Luckily the old Gavgent.A variant is what trips the Symantec software, so detection seems to be easy enough. Below is the header from the HTA file. The executable section contains a lot of obfuscated VBScript and an IFRAME that loads the microsoft.com site with some extra arguments on the query string.
CAPTION="Microsoft SMS Manager"
This virus does the classic network worm thing and collects email addresses and spreads via the common methods. It tends to restart the computer it infects and is generally an annoying dude. It will also try to kill AV and other security processes upon execution. Details are available here.
The original email I received is below. The subject line was "SMS Manager from Microsoft."
This email provides you information about new product from Microsoft
Corporation, called Microsoft SMS Manager.
These product would help your activities, you can send and receive SMS
messages through your PC with no charge before December 31, 2005 (trial
It's compatible with most of GSM and CDMA operators.
The Installation's document is attached (Microsoft SMS Manager.zip).
For further informations, please contact firstname.lastname@example.org
Saturday, 01 July 2006
The headline reads: "Credit card security rules to get update."
I see that and I think to myself, "Hey, cool."
Then I read the story.
What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."
Now, that's not so cool.
Why is that? Industry requirements that were put in place not too long ago that required companies to encrypt sensitive information are going to be removed. Yes, you read that right - Removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government mandated standards, but in the absence of private self-regulation and in this particular case...
From CNET's News.com:
While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.
"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.
The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.
To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means - if done correctly - that even is a server is stolen from a datacenter, the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.
Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low hanging fruit that is exposed on the outside layers and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.
Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.
It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.
To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.
It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me. Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.
Monday, 05 June 2006
A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.
So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.
Up until today I was frustrated to no end with these events.
Now it's personal. Now I'm angry.
And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...
This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.
There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.
The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.
All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.
What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.
But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.
BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems. It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.
If a company doesn't have a security management framework in place, not only is it unaware of what's happening in it's own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an over-reaching management framework to ensure all the bases are covered.
Did he say "negligent?" Yes, negligent. And I mean it.
It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.
So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?
Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.
Of the 2600+ organizations on the certificate register, there are only seven (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.
This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other other entities. I've left off most of the countries that have only one certified organization to save space.
And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.
If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well.
The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.
So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.
What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?
Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPPA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards require a company to have a security management system in place, and neither come close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.
Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.
Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.
Wednesday, 19 April 2006
If you run Firefox (or other Mozilla software based on the same codebase like Thunderbird) and have not upgraded it to the latest version (the latest Firefox - 22.214.171.124 - was released just last week), CERT says you really really need to.
"CERT advises people who use Mozilla's e-mail software, Thunderbird, and the Internet application suite Seamonkey to also upgrade to the latest versions (Thunderbird 1.5 and Seamonkey 1.0.1). CERT warned that any other products based on older Mozilla components, particularly the Gecko rendering engine, may also be affected.
"Firefox has traditionally been seen as being more secure than other Web browsers such as Microsoft's Internet Explorer. This is thought to be the first time that multiple vulnerabilities have been reported in Firefox and the Mozilla suite.
"Secunia warned that hackers could exploit the security holes to gain control of computer systems, conduct phishing attacks, and bypass security restrictions.
Users of Firefox can typically just click on the Firefox "Help" drop-down menu and then choose the "Check for Updates" option to see if they are running the latest version. If your version of Firefox does not have this option, you know you're way out of date and you should visit http://getfirefox.com right now and download the newest version ASAP.
Also, of use to corporate IT people is the Firefox Community Edition package from FrontMotion that includes features to do MSI installs and leverage associated Active Directory ADM files to manage Group Policy security functionality in Windows domains. Companies using this package can apply the patched versions in an automated, simpler and reliable fashion. Larger organizations that don't use such a package have to deal with either a more complicated update process or reliance on end users to perform the updates - which is never 100% successful, even in the smallest shops. Version-wise, it's important to note that FrontMotion's MSI installers tend to lag a bit behind the Firefox official releases (when a new FireFox release is issued, the FrontMotion crew uses it to create the new MSI installers and ADM files), so keep this in mind when deciding how to deploy.
Sunday, 19 February 2006
On Friday Microsoft released a the latest version of their anti-malware product, which is now called Windows® Defender (Beta 2). This software replaces the product formally known as Microsoft Antispyware. There's both 32- and 64-bit versions available to download.
I've installed it and it runs just fine, but I get an error when it tries to update itself with the latest detection signatures. I'll try a reboot and see what happens a little later on. Hopefully that will help.
The new UI is nicely done, and I like the fact that you don't have to be an administrator to run Defender.
From the Windows Defender download site:
Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.
This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft’s growing understanding of the spyware landscape.
Specific features of Windows Defender Beta 2 include:
- A redesigned and simplified user interface – Incorporating feedback from our customers, the Windows Defender UI has been redesigned to make common tasks easier to accomplish with a warning system that adapts alert levels according to the severity of a threat so that it is less intrusive overall, but still ensures the user does not miss the most urgent alerts.
- Improved detection and removal – Based on a new engine, Windows Defender is able to detect and remove more threats posed by spyware and other potentially unwanted software. Real Time Protection has also been enhanced to better monitor key points in the operating system for changes.
- Protection for all users – Windows Defender can be run by all users on a computer with or without administrative privileges. This ensures that all users on a computer are protected by Windows Defender.
- Support for 64-bit platforms, accessibility and localization - Windows Defender Beta 2 also adds support for accessibility and 64-bit platforms. Microsoft also plans to release German and Japanese localized versions of Windows Defender Beta 2 soon after the availability of the English versions. Use WindowsDefenderX64.msi for 64-bit platforms.
Saturday, 28 January 2006
Published just this month, an important whitepaper is now available that provides authoritative information about applying the "don't run as admin" concept in the real world.
Should you care? Yes. Absolutely. Why? Because running as an administrator or high-privileged user opens the door to malicious software ruling your world by potentially damaging your computer and data, compromising confidential information, and harming your company's reputation and business relationships. Put simply, you should do it because it's now possible, because with Windows Vista it will be enabled in terrific ways that reduce the pain, and just because it makes obvious good sense.
Users will download and install software they're not supposed to. Policies don't solve technology problems. Rather they guide solutions to people problems. Users will take CDs they bought with a major record label on the sleeve and stick them in their CD-ROM drives, whether or not they are supposed to, and we've all learned recently that you cannot trust major record labels to product safe, appropriate software. Users will surf to web sites and (regardless of how much education and prevention you do, and how many times you tell them to never click on that stupid thing that says their computer might be infected) they'll click and download and even install software that wreaks havoc, logs keystrokes or any one of a thousand other bad things.
People and process changes and preventions are important - don't get me wrong. We need to educate and provide standards, and we still need to hold people accountable for behavior. But that does not remove from us the responsibility to make proper and correct technology decisions when it comes to operation and implementation security. Period.
People, process and technology - it's a combination of all three of these, in careful balance, that makes a true security ecosystem work.
But making changes like this is, honestly, something that most business and technology people avoid, because they're afraid they won't be able to operate that way. Or they're afraid someone will complain. Sorry guys, not a good enough reason, not anymore.
So... What's the problem we're trying to solve? From the paper:
"A significant factor that increases the risks from malicious software is the tendency to give users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, e-mail clients, and instant messaging programs, also have administrative rights. If these programs activate malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised Web site or by clicking a link in an e-mail message."
The approach into which the least-user model falls is a layered security, defense-in-depth style. We cannot rely solely upon one layer of security to solve all our malware problems, and the fact is this: If all computer users already ran with least-privileged accounts, the incidents of malware (spyware, adware, etc) would be significantly less. In the real world, we are stuck in a position of needing to make a change, but for the future we will do well to remember how taking the easier route early in a technology phase can come back to bite us later.
"A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.
"The LUA approach can significantly mitigate the risks from malicious software and accidental incorrect configuration. However, because the LUA approach requires organizations to plan, test, and support limited access configurations, this approach can generate significant costs and challenges. These costs can include redevelopment of custom programs, changes to operational procedures, and deployment of additional tools."
Small and large organizations (of all types) are faced with this problem. While it's not the end of the world, it's often not a trivial task to change to a least-privileged computing model if you're already deployed in a mode where all users are administrators. This is common in software companies and other place where people have liberal privileges in order to provide ultimate flexibility in their development and design world.
I should also note that in Windows Vista, the next version of Windows, there are significant improvements in the operating system that will make it completely feasible to apply a least-privilege user model to every single computer, while affording users the ability to install software and make appropriate configuration changes in a controlled and safer environment. In my opinion, any shop that deploys Vista when it's available and does not take advantage of this security capability is negligent (and there will be many companies where that will happen, just watch). Find out more about Windows Vista User Account Control (UAC) at the Microsoft Technet site pages that cover the subject, and be sure to read and subscribe to the UAC Team Blog.
I highly recommend this whitepaper. It cuts to the chase and explains things in a clear and concise way, while addressing real world concerns and providing links and references to third-party tools and information. If you run a network or a dev shop, or if you're in any way responsible for secure computing, this is a paper you need to get familiar with.
Description and summary of the whitepaper from the Microsoft download page:
This 100-level technical white paper provides information on the principle of least privilege and describes how to apply it to user accounts on Windows XP. The paper covers the following topics:
- Risks associated with administrative privileges
- Definition of the principle of least privilege
- Definition of the least-privileged user account (LUA) approach
- Benefits of the LUA approach
- Risk, security, usability, and cost tradeoffs
- Implementing the LUA approach
- Future developments
This paper also describes at a high-level the issues that affect implementation of the LUA approach and provides useful links to other online resources that explain these concepts in more detail.
Thursday, 26 January 2006
Microsoft Security VP Mike Nash answers a stack of questions posed by Slashdot readers. The Q&A is pretty good. Nash provides substantial answers to some fairly pointed questions. One thing is clear, both in the answers and in my own experience: Security is hard - if in no other way, then from the standpoint of overcoming the many cultural and technical hurdles.
Nash covers a broad range of important topics and addressed many, many issues. Click on over to read, but here's a very brief couple of excerpts:
On code security and secure code review processes:
"Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could over run a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and take steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. Key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated."
And on the cultural challenges of prioritizing security:
"Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."
If you're even tangentially involved in security for your organization, and especially if you're a technology company, this Q&A is definitely worth the read.
Sunday, 15 January 2006
As tends to happen from time to time, some sudden attention on the 'net (starting with the Security Fix blog at Washington Post) has been paid in the last couple days to what has been misleadingly described in some places as a "flaw" in the Windows wireless networking functionality. In reality, that's not quite the case. Rather, the potential problem (which some might argue is actually a feature) is related to an understood standard computer configuration (some would say "as-designed") of the spec governing dynamic configuration of IPv4 link-local addresses (RFC 3927 - see part 5). The authors of the spec even noted the potential risks and discussed the importance of taking that risk into consideration in design and deployment:
"The use of IPv4 Link-Local Addresses may open a network host to new attacks. In particular, a host that previously did not have an IP address, and no IP stack running, was not susceptible to IP-based attacks. By configuring a working address, the host may now be vulnerable to IP-based attacks." (read the spec)
Unfortunately, some have stated incorrectly that this represents an unknown or recently-discovered security hole or flaw. That's just not the case. This is, however, something that people should be aware of if they use or manage portable computers with wireless networking cards.
The problem has to do with the fact that the last wireless network name (or SSID) you successfully connected with is reused and associated with the generic IP address that gets assigned when your wireless card can't find a network to associate with, so someone who is also assigned an IP In that block and who knows what they're doing might try to connect to your computer using that network name and the generic IP address subnet. Yeah, it's technical but it's not too hard to protect yourself.
The first thing you should already have in place - and if you don't, you need to take care of this now - is a firewall to protect access to and from your computer. It's amazing how many problems can be mostly or completely mitigated with a decent and properly configured firewall. If you block incoming traffic with the firewall, then access to the wireless adapter is nowhere near as big of a deal.
On the technical side, there are a couple things that can be done to resolve the specific issue at hand. The most logical (and second most technical) step is to configure the network adapter in Windows to only allow infrastructure connections (to access points), and not Ad-Hoc connections (to other wireless cards in peer-to-peer mode). This can be done individually (on a specific computer by the user or administrator) or in a more automated fashion across a security domain (see below).
On a Windows computer, you can also get all geeked out (this is a more technical step) and disable the feature that automatically assigns the generic dynamic IP address when DHCP server is present (this auto-assign feature is sometimes referred to as APIPA - see this page for details on disabling it if interested, but use at your own risk, it involves editing the registry). It's this common and predictable IP address space that could potentially allow someone else to try to snoop into your computer, if you had none of the other standard protections - like firewalls and directory security - in place.
An even better option - where available - is to have your Windows Domain administrators control the setting for any group of computers managed by the domain's Group Policy. To do this, navigate in the Group Policy editor to:
Computer Configuration > Windows Settings > Security Settings >Wireless Networks
You notice there's nothing listed in that section by default - That's because you have to create your own policy if you want to take advantage of the features available. To do so, right click in the empty space and choose to create a new wireless policy. You'll give it a friendly name and the wizard will walk you through the steps required to set up your new policy. On the properties page (see below), you'll note an option is available to specify the network types to which you want to allow access. You can choose "Access point (infrastructure) networks only." Note that selecting this will force all computers to which the policy is applied to access point networks (so the wireless peer-to-peer networking without an access point - which is exactly the issue we're trying to mitigate - will no longer work).
Some companies use these settings to ensure the only wireless networks that business computers access are ones that are pre-approved, but that means a tradeoff between security and convenience, and road warriors often desire and need to use public access points for any of a number of reasons. How deeply and widely you apply the policies is a business decision - just be sure to consider all the potential business effects and consequences.
Note again that fixing a problem in just one place or in just one layer is most certainly not the right way to solve problems like this. Rather, taking a defense-in-depth approach, where you block access at as many layers as possible, is the way to approach network security issues.
For example, let's go back to enabling the software firewall on your computer - whether it be the Windows Firewall that is part of Windows XP SP2, or a third party firewall by a company like Symantec or others. This is another critical layer. Having a properly configured firewall in place helps to ensure access to your computer is protected, even if the wireless connection is "open." Layering protections allows you to be sure the problems are kept out, and also provides a possible mechanism to temporarily relax any one of the protections when needed in order to accomplish a specific task.
Thursday, 05 January 2006
A patch for the truly nasty WMF vulnerability on all versions of Windows has just been pushed out in an extra release by Microsoft. It is described in Security Bulletin MS06-001. It's available for your WSUS server and from Microsoft Update, or you can get it by downloading it from the links on the security bulletin web page.
This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin. Note This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This is a huge one - super critical, as there are many exploits in the wild that are actively taking advantage of this vulnerability. UPDATE NOW!
Wednesday, 30 November 2005
Thomas Hawk wrote about a severe problem he had ordering a camera from an abusive online retailer that's really nothing but a major, unethical sales scam operation. The fact that he wrote about it and pointed to a number of other people's experience is great, and it brought to mind a number of other things that people need to know, especially this time of the year.
First of all, there ARE unethical, bad people out there trying to sell YOU their stuff. And there are some that will threaten, extort and otherwise manipulate their "customers." It doesn't just happen to other people - it can and will happen to you, too. Protect yourself and do your homework. While the vast majority of online retailers are good, solid companies, there are the few bad apples, just like in any community, that make it bad for everyone they can take advantage of.
- If the price is too good to be true, it's probably not true. Seriously. Don't fool yourself.
- Do your homework if it's a company you have never head of or dealt with. You're trying to save money, so spend some time. That means getting information about the company. A good way to do this is to look for bad information online, by using Google or another search engine to search for "The Company Name"+scam (like this and this show some serious info). Look for the NEGATIVE information. Keep in mind that there are times when the bad guys will try to make themselves look good by posting positive information. It happens.
- Don't rely solely on the Better Business Bureau to tell you what you need to know, but do be sure to check information there. The company Thomas wrote about has a record with the New York BBB that's pretty terrible. Also be sure to use epinions.com's "Online Stores and Services" search and read through the whole lot. Again, there are bad guys that will post fake positive comments about themselves - so be a pessimist.
- Always use a reputable credit card, never use a check or debit card. If you ever need to reverse charges, a credit card with purchase and fraud protection is invaluable; You can't reverse cancel payment on a check that's already posted, and you fighting the debit card battle is painful if the money has already been pulled from your account. Credit cards provide lots of real protection, so use them for these purchases. That's why I have credit cards, really, is to protect myself if ever needed for major purchases. That and true emergencies. Other than that I think they are evil, heh.
- Did I mention "If the price is too good to be true, it's probably not true?" Okay, well it's worth repeating.
Finally, based on other people's experiences with the company Thomas had his problem with, I'd suggest you never, ever do business with Price Rite Photo, which also uses a number of other business names. Check the BBB for retailer names and aliases, and alway always always be careful and suspicious of the too-good-to-be-true deals.
Tuesday, 29 November 2005
It's a question many of us in the security field have been asking for some time. How is a user supposed to know they are on the correct web site when they enter their credentials or make an online purchase? How are they supposed to know when it's not the trusted site they're on?
I was having a side conversation about more ways to solve this problem with some coworkers today (common topic in our line of work), and this evening I ran across some details on the IEBlog discussing how Microsoft is dealing with it in IE7 (found via Mark Harrison). And other browser vendors are playing nicely, too. Ahh, solving problems is such a good thing to see... Nice!
IEBlog: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers
Here are some visuals that show what the user expeience looks and feels like in the dev versions. Visit the link above to get the complete details.
Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter
Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter
Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate
(showing the identity of the site from the SSL certificate)
Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate
(alternating in the name of the Certification Authority who identified the site)
Tuesday, 22 November 2005
I was on the phone with a professional contact today, a guy who happens to do cybercrime and anti-fraud work in his job as a special agent for the FBI. That's a part of what I do in my day job, by the way - help chase down bad guys on the 'net and interact with law enforcement to shut them down. It's a fairly effective way to keep one foot in the door of my previous career (police work) and at the same time be firmly planted in the computer technology world. I also get to working with some really smart people who build great software that is used to prevent fraudsters from reaching victims.
Anyhow... So I was on the phone with my anti-fraud cohort, and he had that "FBI-agent-having-a-rough-day" sound in his voice. He's one of these guys who's always very positive, but it was clear quite a bit of work had been cut out for him and his coworkers over the past day or two.
It turns out there's a new set of fake emails running around that try to look like they came from the FBI or the CIA, and which have an attachment that is actually a virus.
Now, let's get one thing completely clear: If you ever get an unsolicited email that has a file attached, DO NOT OPEN THE ATTACHMENT. It doesn't matter if it's from the President of the United States or the Creator of of the Universe... Email is inherently insecure, and if it looks out of place, it probably is. You can read the FBI's press release about the situation here, which describes the fake emails in some detail.
This is just another example of social engineering and the fact that given the opportunity, people will fall for almost anything. Oh - and if you don't have antivirus protection at your email service provider, change providers now. Seriously. Get a GMail or Hotmail account or something.
I'll tell ya one thing... Whoever had cohones enough to construct that virus variety to send email pretending to be from the FBI is in for a rude awakening. Seriously, seriously stupid move. Heh.
Sunday, 13 November 2005
I've been a T-Mobile Hot Spot subscriber for more than a year now. I have used it all over the country, and it's always there when I need it, whether I am traveling or if I'm just dropping into a Starbucks for coffee on a whim. It lets me leave my desk and still work from time to time - and we all have those times when the value of sitting in a coffee shop where no one can find you in person is seriously valuable.
One thing that's always frustrated me is the fact that I always have to open the web browser and load some random page to authenticate to the HotSpot service. It's a pain, and today (while sitting here logged onto a Starbucks HotSpot in Beaverton, Oregon) I decided to see if there was anything available to automate the process for me.
You can imagine how stupid/ignorant/DOH! I felt when my google search pointed me right back to T-Mobile's web site, where I found a description of their Connection Manager software. After hitting the 'back' button on the browser a few times to return to the page confirming I was signed on, I decided to read that page for the first time and sure enough, right there in the menu bar is a link to "Download Connection Manager." Heh.
Turn off your speakers if you're in the coffee shop before you click on the link, though, or you'll quickly become the target of startled stares from everyone else in the shop when the completely unnecessary Flash movie with LOUD SOUND. Kinda like this (you'll need those speakers back on again, dude).
Download the file, run the installer, and choose from a completely goofy skinned app or a Neapolitan-colored stylized app. I chose the lesser of the two evils.
Then things got interesting. It immediately required me to disable the Wireless Zero Configuration Service in Windows XP, which will no doubt break everything else I had set up for wireless connections prior to installing this thing. It sure as hell better work... Why can't things be simple an non-intrusive?
Now, clearly this software does more than automatically log you onto their regular WiFi HotSpot network. It sees a WPA-protected network, which means encryption and privacy. +1 for that. And the the EDGE/GPRS options obviously refer to using their data cards to connect from the road. Cool to have that in one place. Too bad there's no task bar icon when the app in on the screen.
The interface works well and there's really a whole slew of options. One of the coolest was the fact that when I went to the "Tools>Settings" menu and chose the "VPN" tab, it automatically detected my Cisco Systems VPN client and all of it's profiles and let me choose which to use when clicking the big, fat "VPN" button in the T-Mobile UI. It works great, and I'm connected as I type. Nice feature:
VPN options dialog - click to view full size
Perhaps one of the greatest benefits of using the software is the availability of the secured wireless network. Seems like they could offer this without having to install custom software, but oh well...
Access to a secured network - click to view full size
Here's where the automatic logon happens - they give you the opportunity to provide your T-Mobile account name and password, and you can save it for later use:
Save your credentials to authenticate automatically later - click to view full size
Of course, it failed miserably when I first tried. I had to randomly select a whole slew of messy windows that kept popping up when I was trying to fill in the account dialog. Some of them were especially helpful:
Not sure what they're wanting with this dialog
But eventually (after fighting several windows that continually took focus away from the "enter your authentication info" dialog box) I found success:
Success - click to view full size
Sure enough, wireless zero config is disabled and I am connected using their software. Good enough for now, but that will likely have to change due to the complexity of some of the networks I have to access with this thing. We'll see.
As I was typing this, without warning yet another random box pops up and steals focus. Apparently it was downloading every single T-Mobile HotSpot location in the entire freakin' world. Weeee... Anyhow, it was bit confusing for a second, and all these windows just popping up, downloading stuff without asking and stealing focus are aggravating and just plain bad design. But it does work:
Random pop-ups everywhere - click to view full size
So... Despite the fact that it's custom, proprietary software, there are some cool things in this app. For example, the Available Networks dialog is better than anything built into Windows:
Nice network list visuals - click to view full size
Well, I'll leave it installed for now. Maybe I'll get lucky and the other networks I access will just work. Not counting on it though. Heh.
Somewhere there must be a third-party app that will automagically log me on. Just haven't found one yet. Maybe I'll make one.
Saturday, 29 October 2005
The future of identity is in flux, and now is the time for those of us working in the field - and for those of you who have an identity (yeah, all of you) - to wake up, stand up and get informed. Seriously. If you wait, you'll be to late. Now is the time to know what the problem is and now is the time to do something about it. I will be writing about the topic more and more here, because it matters to me. A lot. It's a problem. It needs to be fixed, grown up, evolved... the right way. Time to get involved. Time to do it right - meaning "right" by the people.
So - click the link in the below message. Seriously. Do it. As a bonus, not only will you learn about identity and how and why it works (and doesn't), you'll also get to see an excellent presentation by an excellent presenter (Dick Hardt of Sxip » pronounced ( skip ) as in "skip").
Here is the email I sent to my team at work yesterday, after Scott (another uber-presenter) sent me the link:
From: Greg Hughes
Sent: Friday, October 28, 2005 10:48 AM
To: [edited] Security
Subject: Security Stuff - Watch this presentation
Watch this sometime today (or the day you get this email). Seriously. Consider it an assignment. J
As you watch, think about his topic (which is critical) and think about his presentation style.
There will be a pop-quiz.
Tuesday, 12 July 2005
Hopefully you don't need this advice because you've been victimized, but this is something everyone should know.
If you ever become a victim of online fraud or any other form of fraud where you believe or know your personal information has been obtained or used improperly, there are a number of things you need to do. Microsoft's Security at Home team has put together a list of things you should do. They include:
- Close any affected accounts - both verbally on the phone and in documented written form
- Place a fraud alert on your credit reports - will all the credit reporting agencies
- Contact the proper authorities - both federal (FTC) and local (police or sheriff's office)
- Record and save everything - document, document, document
That's all good advice in general. Additional resources and more specific information is available on their web site.
Wednesday, 06 July 2005
Over on Microsoft's Channel 9, Scoble's posted a new video of Kim Cameron, who has a weblog called the Identity Blog. He discusses identity and trust, and what it will take to build a single-experience trusted system for common identification. It's an interesting conversation. I've read his weblog for a while now, so it's good to see him speak about this.
"Identity is like the Hotel California of Technology - you can come but you can never leave. We have a lot of work to do."
This is a topic that is near and dear to my professional heart. Identity protection and theft is something I deal with every day. It's complicated. It's not easy. It's a goose chase at times. There are almost no standards. But it's of great importance right now. The people I manage and work with are super-talented and are building a couple terrific pieces of security software right now, software intended to protect people who do critical personal transactions on the Internet, and to catch the bad guys that try to steal and use your personal information.
Where I work we are charged with protecting the identities and assets of people who are doing critical financial transactions with their banks and credit unions. To us this stuff matters - it matters a lot. And it should matter to anyone that's doing business on the 'net and everyone who writes software used to do business on the 'net.
"It's impossible to be too paranoid about this ... We have to be paranoid."
The video is about 55 minutes, and it's worth the time for people who are concerned (or who should be concerned) about the topic. You'll need to get about two-thirds of the way through it til you get to Cameron's "Laws of Identity," which are akin to pure gold in their simplicity. Go watch.
Sunday, 03 July 2005
Last week I went on a mission trip with our church youth group. It was fun (for the short time I was able to be there), and a good experience. One of the youth talked to me for awhile about a book I gave him and the other group members several months ago.
The book is called "Always Use Protection - A Teen's Guide to Safe Computing." It has its own web site, and is a great conversational read for both teens and adults. The author, Dan Appleman, wrote it with the assistance of youth he works with - they were his editors and reviewers, and because of that it is a great book for young and old people alike.
I had given the books to the youth group members during a meeting, and we'd discussed some of the content. Now my young friend has continued reading it (as have several of the others in the group), and as a result he understands his computer much better than most kids his age.
I had used the book to talk to the youth about security and safety in the computer world, and so they could have an excellent reference for them as they grow up to become the next digeratti. I'm a security and IT guy by trade, so it was not too much of a stretch for me to take this on - but the book enhances the experience, and is a permanent fixture for these young people to use and learn from over time.
In fact, when we returned to Portland, the young man's grandmother had her own glowingly positive review when she picked him up. Apparently she's been reading it as well, and found it easy to understand and quite useful.
So Dan, if you happen to see this, know that your book is doing good work with good people. And thanks for that.
Also - Dan was interviewed on Microsoft's Channel 9 a while back in a series of very good segments - so hey kids, check them out:
Saturday, 11 June 2005
More and more as time goes on I am asked about how to securely configure and use computing systems, whether they be Internet sites, online financial services, wireless networks, home and business computers, physical homes and businesses, or what have you. Since my role in that area has not changed too much, I have to assume the uptick in questions comes as a result of a desire by people to get more secure, which is a good thing.
Someone named Jim wrote me the other day and asked about my philosophy on passwords. I get this specific question often enough, I thought I would write about it here:
I posted a question on the PCWorld forum and your name came up regarding my question. My issue was regarding passwords. I am a Realtor and our main access to the MLS is starting to require password changes monthly. This is not that difficult but along with all the other passwords I have to use each day it is getting to be a bit of a headache and I think it's time that I get my act together once and for all and get passwords under control. I asked for opinions on software and also philosophy. I'd like to hear your opinion. Thanks and I'm looking forward to reading your response.
My name is Greg, and I am an IT and security professional. It's been more than six months since I last created a traditional password. They say it's a disease, and so I am here to share my experience, strength and hope so that you, too might recover from the ravages of insecure computing and inadequate safeguarding of information.
Or something like that. Ok, now let's get serious. I'll share what I do as well as one computer program that I have found can help.
My password philosophy varies based on the system in question, to be perfectly honest. I use passphrases as much as possible, meaning passwords in the form of natural sentences or phrases including things like spaces, normal capitalization and punctuation. That makes them easy to remember, yet tends to keep them complex enough to meet stringent security requirements.
As a general rule, passwords or passphrases should be at least 8 characters in length, preferably longer (I tend to go with 13 or more characters, and you're going to see how easy that can be in a minute). They should also always include at least three of the following four characteristics:
- Upper-case alpha characters (A-Z)
- Lower-case alpha characters (a-z)
- Numeric characters (0-9)
- Punctuation or other special characters (!@#$%&(*?>< etc.)
In addition, the rotation period for expiring passwords in a secure environment should be no less than every 60 days, and preferably less. Using too frequent of a rotation tends to result in self-defeating problems with the whole process: People who have to change their passwords every 15 or 30 days, for example, have a tendency to write them down and stick them in their wallets, or to use less-than-secure passwords. That's bad.
Another common problem is passwords expiring at inopportune times. I expire passwords in intervals of 7 days. Why? Simple - If you set passwords to expire say every 42 days, someone whose password expires on a Monday will always expire on a Monday, which avoids the problems of expirations falling on weekends or other difficulty days.
I think you'll find that most experts will agree with the above recommendations.
Maintaining passwords and passphrases securely - helpful software
Switching gears to management and storage of multiple passwords for various systems, one simple rule that should be obvious is often set aside, but should always be followed: Do not use the same password in multiple places or systems unless the system is built to support doing so for you. Great, you think... How am I supposed to manage that many passwords, especially if I am always moving around and use more than one computer, or if I use a laptop? Well there are several tools and methodologies that can help.
RoboForm is a software passkey management program that's grown up quite a bit over the past few years. It not only secures and stores passwords, it even fills out logon forms for you. Last year they created and started testing a version that installs on a USB key called RoboForm Portable, or Pass2Go. It's surprisingly not well-known, but it works pretty well. Your passwords are secured on a USB key with Triple-DES encryption. So for most all purposes (maybe not national security secrets, but hey you know what I mean) it's quite secure, and you can install it right on the USB key/drive and run it from there (you can even put the portable version of Firefox on there if you want and tie them together). Using the USB drive to run the RoboForm Portable program means nothing has to be installed on the client computer. If you lose it, it's encrypted and locked with your master password. Note, too, that there are RoboForm add-on's not just for USB keys, but also for Palm and Windows Mobile devices. So you get to choose, and all of the beat the proverbial Post-It note for security and convenience.
But none of that matters if you can't solve the real problem
But the real problem with passwords is that people forget them all the time, so they do things like use the same password everywhere, or they write them down somewhere and don't secure them, not to mention the fact they can't remember them. You end up with either an insecure system or a help desk that's dying just trying to unlock accounts and administratively change passwords. That's no good.
The fact of the matter is that the simplest way to remember passwords is to use ones that you can naturally relate to. Just as important, they need to be complex and secret enough to be sufficiently secure. This can be done. For example, I have a cat named Cleo. So, I might think about using passwords and passphrases like:
Cleo is my Cat!
Cleo get off the freaking furniture darnit!
You get the idea. Now, since these passwords and passphrases are often set to expire frequently and I don't want to forget them, I always try to think seasonally - incorporating things that are happening in my life at the time. When creating a new passphrase, I don't ask myself "What can I type that I will remember in ten minutes?" Instead, I think "What's happening in my life between now and the end of next month?" For example, if I had to create or change a passphrase or password right now, I might do something like:
Fireworks on July 4th are so cool...
Woah dude like check out the freakin fireworks dude!
Pow bang boom! Oh wow did you see that?
Of course, I won't actually use anything like those, now that I have posted them here (hey trust me - people have done much stupider things). But by making a passphrase meaningful during it's lifetime, I can remember it quite easily (Well, usually anyhow - it can take a little getting used to). By the time the next password-change rotation comes around, I'll just think of something else I can remind myself of for the next 30 or 45 days.
You're probably starting to get the idea of how passphrases work from the examples, and it's also probably becoming clear that I am a proponent of them. They're easy to remember and - this is important - easier to type than munged up words where you replace letters with numbers and convert everything to hacker-speak. They are also quite long and more complex. And more complex means more difficult to guess or randomly replicate, which means more secure. And on top of that, you can actually remember and accurately type it. Not a bad deal, really.
There's no perect answer - some unthinking person with no concern for security will throw in a wrench
Note that not all systems where you can create passwords will let you use spaces in the password field, and some will even limit how many characters you can use.** So, sometimes you have to adjust the way you create your passwords and passphrases to work within arbitrary limits set by arbitrary (non-security-oriented) decision makers.
** Note to security departments everywhere: Get more involved in the app and interface design phases. Just because a DBA somewhere says my online banking password needs to be truncated at 8 characters to save disk drive space doesn't mean they're right. Security reviews need to happen at design time, and then as a part of every step along the way.
By the way, to go off on a bit of a tangent - Jim's original question illustrates exactly why a well-secured and well-designed unified authentication systems can be so valuable, where it makes sense. For consumers, that means something akin to Passport or one of the unified authentication systems out there. In a business computing environment it more often means using something like a Windows domain or Novell directory to have a single set of credentials that you can protect, but which will allow you to access multiple systems. To provide additional security, you don't necessarily want to break an authentication system up and require multiple passwords, because then you're defeating the whole purpose of the unified system. Instead, you might start adding additional factors of authentication to those specific systems where you need extra authentication or authorization protection (RSA SecureID is one great example of how to add another strong factor of strong authentication in an environment where security is very closely managed).
But Dr. Johansson's the one who's really got it covered...
For more information in the philosophy department, I'd point you at Jesper M. Johansson's work on passwords vs. passphrases:
The Great Debate: Pass Phrases vs. Passwords
- Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
- Part Two - discusses the relative strength of each type of password, and use some mathematical approaches for illustration
- Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
I've rambled a bit, but I hope that helps. I have a lot more to write on the subject of authentication security, but that will have to wait for another time.
Friday, 18 February 2005
Microsoft has published what is a typically-simple, top-layer look at what the authors position as important information for parents to help them protect their kids online... But, while it's certainly a start, it won't get parents far enough.
If parents want to have a better understanding of what kids do online that can get them in trouble, there are other better, more complete resources out there for both kids and parents. Remember that learning together will prevent many problems, and creates a communication "common ground" for families in an area where kids often have the knowledge advantage.
But - if you're completely lost when you see words like "133t5p33k" or "!337$p34k," this short article at microsoft.com is geared toward you.
© Copyright 2007 Greg Hughes
This work is licensed under a Creative Commons License
This page was rendered at Sunday, 07 January 2007 17:48:56 (Pacific Standard Time, UTC-08:00)
newtelligence dasBlog 1.9.6315.0
"Computers used to take up entire buildings, now they just take up our entire lives."
"So how do you know what is the right path to choose to get the result that you desire? And the honest answer is this... You won't. And accepting that greatly eases the anxiety of your life experience."
Syndication [XML] and .net Alerts
For lazy, highly-technical or enlightened people, get this site's content without the use of a web browser. I use FeedDemon
for this, but you can choose your own. Subscribe - click the icon for my feed
... or sign up for Microsoft Alerts to receive updates through your MSN Messenger, e-mail, or mobile device. Click the orange button thingie to sign up with your Passport account:
Drop me an email:
Mobile Phone: 503-970-1753
Add me to MSN Messenger
|January, 2007 (4)
|December, 2006 (16)
|November, 2006 (4)
|October, 2006 (23)
|September, 2006 (18)
|August, 2006 (21)
|July, 2006 (34)
|June, 2006 (25)
|May, 2006 (21)
|April, 2006 (20)
|March, 2006 (17)
|February, 2006 (35)
|January, 2006 (30)
|December, 2005 (25)
|November, 2005 (39)
|October, 2005 (38)
|September, 2005 (51)
|August, 2005 (33)
|July, 2005 (21)
|June, 2005 (35)
|May, 2005 (56)
|April, 2005 (54)
|March, 2005 (62)
|February, 2005 (28)
|January, 2005 (61)
|December, 2004 (78)
|November, 2004 (58)
|October, 2004 (55)
|September, 2004 (64)
|August, 2004 (53)
|July, 2004 (65)
|June, 2004 (50)
|May, 2004 (49)
|April, 2004 (26)
|March, 2004 (20)
|February, 2004 (26)
|January, 2004 (28)
|December, 2003 (12)
|October, 2003 (8)
|September, 2003 (11)
|August, 2003 (1)
On this page
Search and Translate this Site
Blog Posting Categories
| Alex Scoble
Alex is a coworker who blogs about a variety of IT-related topics.
| Brent Strange
Brent is a cool dude, a coworker and a great QA guy. His blog is, appropriately, focused on QA and testing technology.
| Chris Brooks
Chris is my "dotted-line" boss at work and an avid board gamer. He always has some new info about top-notch board games you may have never heard of, so if you're into them, you should check out this blog.
| Chris Pirillo
Lockergnome by trade, Chris is always up to something new. If you are not familiar with the Lockergnome newsletters, be sure to check them out, too.
| Matthew Lapworth
Matt's a coworker of mine and software developer. He seems to enjoy extreme sports. That's fine as long as he doesn't, like, die or something.
| Milind Pandit
Milind writes about all sorts of interesting stuff. He's worked at our employer longer than I have, which pretty much makes him old as dirt in company time. :)
| MSFT Security Bulletins [RSS]
RSS feed for all Microsoft security bulletins provides an always-up-to-date list of updates along with complete descriptions of each.
Rory Blyth is one of the funniest and most thought-provoking bloggers I read. And I blame him for everything. Literally.
| Scott Hanselman
Scott's computerzen blog is a popular spot for all things .net and innovative. And I work with him. He's one of the smartest guys I know, and arguably the best technical presenter around.
Who Links Here