26 March 2009 by Jeff Hayes.
I am a telecommuter. Over the past 13 years, I have worked some of the time out of my home office, in some cases 100 percent of the time. For the past three years, it has been at least 75 percent of the time, going into the office twice a week on average to coordinate face-to-face with my colleagues.
About 15 years ago, I worked for a mid-sized company that had a dual-authentication policy for remote access – clear-text dial-up with SecurID one-time password authentication. At the time, we were on the leading edge.
Aside from the SecurID token, in all my professional working life, I do not recall ever being given a remote computing policy by a company I worked for. However, as a security professional, I have realized the importance of following sound practices. I have taken matters into my own hands. Some of the things I have done and encourage others to do are as follows. Some of them were addressed in a recent CSO article, 4 Telecommuting Security Mistakes.
I love working from home. I tend to work more hours, as I am always at work. But it is worth it to me. A few simple rules can help preserve that flexibility while securing the computing and networking processes.
Posted in Remote Access.
25 March 2009 by Jeff Hayes.
Earlier this week, Cenzic, a web application security company, described in its Q3-Q4 Trends Report (30-page PDF) that vulnerabilities in and attacks through Web applications continue to grow.
The total number of reported vulnerabilities went up to 2,835, an increase of more than 10 percent from the first half, of which the percentage of vulnerabilities relating to Web applications hit a staggering 80 percent.
Some key findings include:
A few months ago, a company I was working with had its web server completely taken over by some Chinese-born bot. The server was running Windows Server 2003 and IIS (version old). It had not been patched for a couple of years. It was co-located at a reputable firm in Salt Lake City (XMission). There was no system management contract with them — just rack space for a decent Dell server and a Cisco PIX firewall (which also had not been updated for a few years).
The reason it was in the secure data center was because of an application that was running that was used occasionally by a third party which required it to be in a physically secured location. The XMission data center, though not Ft. Knox, was good enough. The weakness was in the server.
This bot had taken total control over the server. As we tried to identify the cause of the outage (the server was no longer serving up Web pages), we noticed some strange processes running. We stopped them, or at least we tried. Within two or three seconds, they’d start right back up again. This server was really hosed.
The initial plan was to re-install Windows Server 2003 and IIS, and update them to the latest patch levels. Turns out, no one was in possession of the media or the license. With no real technical know-how in the firm or longer term plan to hire or outsource, the plan that was agreed upon was to move it to a managed data center.
This turned out to be the right decision. The people who manage the site (Portal Web Hosting in Aberdeen, SD) were willing to offer a deal that was actually cheaper and more extensive than what XMission was offering — secure data center, on-site technical assistance and server management, and a dedicated server running up-to-date Windows Server 2008, IIS and dedicated firewall.
Moral of the story: if you don’t have the technical resources, budget or need to do it yourself, don’t. There are plenty of solid firms that can provide a business with a reliable and guaranteed web server solution. Make sure they have a plan to do regular vulnerability scans and to keep the software patched appropriately.
Posted in Web Security.
20 March 2009 by Jeff Hayes.
When I was a kid, I was into collecting different beer cans (empty). After 2-3 years of it, I had around 400 different brands — a collection I was proud of, at least until my mom told me they had to go. I got these cans by digging through trash cans. We had a number of large apartment complexes within a mile of our house and Saturday mornings were for dumpster diving. Besides the beer can ‘gold’ I found, I would come across some interesting things, at least in the eyes of a 12-14 year old. I was amazed at what people threw away: from working electrical appliances, lamps and still-good household wares to books, records and magazines (and oh the porn was an eye full for a young fellow).
When I was a senior in high school and the year afterwards, I had a job at the Federal Reserve Bank of Cleveland. Initially I was an archive clerk and later a check sorting machine operator. As an archive clerk, one of my jobs was at the end of the working day to collect all of the paper waste in the facility. Along with another person I would select through a rotational means, we would sort through that trash looking for misplaced checks. Almost every week, we would find one that slipped through. These checks ranged from a few hundred to a few thousand dollars. One time, we found a million-dollar-plus check in the trash.
Today, whether at home or at work, we probably have a policy about shredding any confidential documents or documents with any personal information on them. Like the checks that made it into the trash, occasionally confidential or personal paperwork misses the shredder and winds up in the dumpster out back along with the lunch wrappers, nasal tissues and general rubbish.
What’s in the dumpster? Credit card names and numbers? Bank account names and numbers? Account statements? Hard drives? USB thumb drives? 5.25″ or 3.5″ diskettes or storage tapes that no one uses any more?
Like we did at the Federal Reserve, I wonder how many businesses would be well-suited to sort through the daily trash prior to sending it into the dark parking lot? One man’s trash is another man’s treasure, which can be exploited or sold on the black market.
Posted in Social Network Security.
14 March 2009 by Jeff Hayes.
I am a big user and proponent of social networks. I have personal and work-related Facebook, Twitter, YouTube, Flickr, Photobucket, Imageshack and LinkedIn accounts.
I read a comment recently “that any company using Web 2.0 tools will inevitably face strong, and potentially embarrassing, criticism. No company is perfect, and some customers will complain about anything. That’s why some companies are still cautious about engaging with social networks.”
Unfortunately, this paints a false sense of security. It is erroneous to assume that if you elect not to participate in social networks as a business, you will not have bad Internet publicity. If people have negative opinions about your products, services or business in general, they will find a public vehicle to voice them.
It is a good practice to have a common voice for the firm. It is wise to limit those with log-in and posting privileges that officially represent the company on these Web 2.0 sites. It gets too noisy without some control. It is also a good idea to control offensive language. Other than that, let the opinions be voiced and heard. The more people you have engaged in evangelizing the company’s message, the better.
Encourage employees, customers, prospects, partners, suppliers, investors to discuss the company in “Web 2.0″ formats. Monitor those posts. Contribute. When negatives come up, address them head-on and quickly. Don’t spin the comments as if trying to sway opinions like some blowhard politician. People see through this. Give honest comments. Don’t get defensive or offensive. Take the high road.
Seth Godin recently wrote “the closer you get to someone, something, some brand, some organization… the harder it is to demonize it, objectify it or hate it. So, if you want to not be hated, open up. Let people in. Engage. Interact.”
Social networks are great. Web 2.0 sites allow firms to fine-tune and target their marketing message at very little cost. The security issues are few, and they can be effectively controlled. Times are a-changing … in a good way.
Posted in Social Network Security.
13 March 2009 by Jeff Hayes.
There is a real nice article on Network World online written by Mark O’Neill on SOA Security: the Basics.
Service Oriented Architecture (SOA) is an architectural approach which involves applications being exposed as “services”. Originally, services in SOA were associated with a stack of technologies which included SOAP, WSDL, and UDDI. [snip] More recently, Cloud services such as Amazon’s Simple Queuing Service (SQS) may be used alongside local services, to create a “hybrid” SOA environment.
Why does a smaller business care about this? I worked for a small business (less than 20 employees) that built and sold content filtering software, now part of Blue Coat. SOAP was a protocol we used quite a bit. Even though we were a “security company,” the security of that protocol was only slightly considered. (I am sure they have addressed this, as that was four years ago.) SOA security vulnerabilities include:
Many, if not most, mission-critical applications leverage the browser as the user’s interface. Authentication is secured via SSL, X.509, XML Encryption, Kerberos and WS-Security. As more firms move to cloud computing, SOA is a key component. Firms need to be sure that no private, unprotected data is sent to the cloud.
Posted in Cloud Computing.
12 March 2009 by Jeff Hayes.
In my ITT Tech Windows Server and security class this week, I had my students read and discuss an anonymously written article from the February and March issues of CSO magazine: “Undercover: The Company That Did Everything Wrong.”
It was written from a security consultancy’s perspective. The consultancy was brought in two days after a phishing email opened up the entire organization to a Russian hacking group. This group was using the targeted company as a hacking demonstration for a hacker conference in St. Petersburg. Some of the lessons learned were:
It is impossible to plan for everything, but a little bit of planning can go a long way when an incident does occur.
Most of my students will handle a full range of IT functions in a small company, less than 100 employees. They will be tasked with everything from desktop and server configuration to switch and router ownership, from firewall and overall information security to physical security. Not a week goes by that I do not hammer home the importance of a) thorough and well-written security policies, b) a test bed for all supported systems and c) an incident response plan that is re-evaluated, updated and assessed on a regular basis.
The California company in this two-part article did everything wrong. But they were smart enough to bring in some people that could assess the situation and take corrective action. Learning from our mistakes should be the common denominator for all of life’s mishaps.
Posted in Incident Response.
9 March 2009 by Jeff Hayes.
I am a follower of the Boing Boing blog. Today, there was a helpful post on how Verizon Wireless customers can opt out of Verizon’s personal information sharing scheme.
I am a Verizon Wireless customer and was able to follow the simple directions and change my privacy settings.
In an attempt to be helpful, the author, Rob Beschizza, included his phone number in the explanation. I have no interest in his number… don’t know him and would never call him.
Goes to show that even the most helpful, even on the topic of privacy, are not immune to simple mistakes — let’s just call it an oversight.
Posted in Privacy.