You are currently browsing the Hayes On Security weblog archives for April, 2009.
27 April 2009 by Jeff Hayes.
The question of the day is: will the swine flu evolve into a real pandemic or is it just a SARS-like scare?
We have one group of people, including many nations’ public health commissions, that feel the borders should be shut, international travel to certain countries halted and/or all entrants from certain countries be scanned for fever prior to being allowed entrance. We have another group, including the current Obama administration, that is taking a wait and see approach.
One group is willing to hit us in the face and another willing to tell us they may hit us in the face sometime in the future on a date and time yet to be determined.
What’s the impact of the swine flu, or any flu or disease, on a business man or woman? It can impact travel, shipping, sales, workers and personnel. If your business is travel and hospitality, and Mexico is key to your business, the swine flu is not your friend. If you have a plant or facility in a tagged country/city/area, will there be delays in shipping? Will there be a significant number of employees or partners that cannot come to work to the point it will impact your products or services?
Politics aside, the business person needs to be prudent. Precautions need to be made to safeguard operations. I might postpone traveling to Mexico for a few weeks. I might survey employees and assess their recent or upcoming travel plans, as well as family members or close friends. I would definitely make sure I had a contingency plan in place to deal with mass infection.
Google is mapping the H1N1 Swine Flu cases in North America. The numbers are not overly high yet. We all get the flu on occasion. Is this one going to be any different? Who knows? But this one is worth following because of its impact on younger adults, generally a hardier section of society.
Panic is not in order; prudent behavior and extra precautions probably are.
Posted in Personal Security
23 April 2009 by Jeff Hayes.
As far as social networking sites go, Twitter poses a different security threat than the other popular ones with a business use like Facebook and LinkedIn.
In the case of the latter two, by and large users add people they know. In Facebook, you add a friend. In LinkedIn, you add a contact. There is less motivation to build your number of friends and contacts. With Twitter, the hype around it is to have as many followers as possible.
There are people with very little to say that have thousands of followers. Many of these are very active: the owner does a good job posting on a regular basis. Others seem to exist for no other purpose than to have followers.
One thing that is very common with Twitter is to embed URLs in your 140-character message. Someone makes a statement about whatever and adds a link as supporting material. Makes for good dialogue and surfing.
Because of the 140-character limitation, URLs are often shortened. You can take an enormously long URL and reduce it to fewer than 25 characters. There are dozens of sites that do this for free: TinyURL, NCANE, Sturly, and TubeURL. Even Twitter will do this automatically for longer URLs. The problem with this is that the new URL masks the actual URL: you do not see it until you land on the actual page directed by the shortened URL.
Hence the security problem with Twitter is clear: users follow just about everyone (hoping others will follow them) and URLs are masked. It is an ideal environment for exploitation via malicious web sites.
Nevertheless, I use Twitter. I have a few accounts spanning personal and business uses. If you are interested in following myCSO tweets, then follow me on Twitter.
Some other interesting Twitter security links are listed below:
Posted in Social Network Security
16 April 2009 by Jeff Hayes.
Kidnapping is not something many of us think about. However, individuals from wealthier nations and multinational companies traveling in certain regions of the world should be aware of the possibility.
Having traveled to nearly 30 countries, most of my business trips and assignments have been to western nations where kidnapping risks for business travelers are lower. Trips within certain areas of Latin America, Southeast Asia and the Middle East have higher kidnapping risks.
Kidnappers are motivated by money. The most likely victims are those individuals that are or appear to be the wealthiest. For those people, it behooves their firm to take proactive measures, namely counter-surveillance techniques, along the lines of the U.S. Secret Service. If the financial potential is high, the criminals will do their due diligence with their own surveillance. Counter-surveillance is hard, time-consuming, and costly, but effective.
Average business travelers to high-risk areas do not have the luxury of a security detachment. In all my trips, I have either traveled alone (75 percent of the time) or with one other person. What I have done in each case is to have a local contact provide me some intelligence on local travel conditions (starting at the airport), hotels, restaurants, and any tourist traps. I personally do not favor U.S.-based hotel chains in these nations or touristy places frequented by westerners. I am there for business first and foremost. And it is my preference that if I do have some spare time at the end of a trip, I will experience things dealing with the local culture and not the main tourist guide recommendations.
The U.S. State Department provides travel help, suggestions and advisories. However, I personally do not give what they say much credence. They mean well but they are overly paranoid in their recommendations. They hope to avoid being sued for not warning people in advance – it’s CYA policy. The government will state, for example, not to travel to Lebanon (where I went earlier this year). Certainly there are areas that are not overly kind to Americans (Beqaa Valley or Southern Lebanon), but most of the nation is perfectly fine for business travelers. (In fact, I would not hesitate taking my family.)
Seeing soldiers on the streets with automatic weapons in some countries may be a concern for some; I tend to be more along the line of being somewhat comforted. Nevertheless, some good advice is if you are confronted with a hostage situation, it is better to not get in the car or van if you can avoid it. Being a hostage is way down on the list of things I want to experience. How to be a hostage is a different issue and beyond my pay grade.
Larger and more well-off firms should take the necessary precautions for their c-level executives and staff (as appropriate). Smaller and less well-off firms should take prudent measures for personal safety. Given the lower risk, that may be all that is required.
Posted in Personal Security
12 April 2009 by Jeff Hayes.
The 1 April 2009 Senate Bill S.773 is no joke, though much of it might fit that label. The so-called Cybersecurity Act of 2009, sponsored by Sen. John Rockefeller [D, WV] and co-sponsored by Sen. Evan Bayh [D, IN], Sen. Bill Nelson [D, FL] and Sen. Olympia Snowe [R, ME] is designed to:
To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.
Some of the key items are:
Whereas having a national cybersecurity program is merited, one must be careful in how much control to give the federal government. It is one thing for it to put restrictions on the what, when, why and how of federal agency security, it is another when it starts mandating what states, local governments and private businesses must do.
The bill will give the federal government (the President) the power to “order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security.” They shut down air traffic in the country in 2003 for a few days after 9/11; this would be similar.
How much power and control would it allocate to the major ISPs? How will the states fund the requirements? Will the business requirements and costs be overbearing for businesses? The federal government did it with Sarbanes-Oxley; this smells similar.
This is one to watch closely. Because it is sponsored by Democrats (Snowe is closer to a Democrat than a Republican), most of their bills look plausible at first glance but are binding and liberty-restricting when the details are examined.
Posted in Homeland Security
8 April 2009 by Jeff Hayes.
As a product manager for many computer networking and security products, one thing I was able to address multiple times across multiple product lines was to make sure our products supported the Network Time Protocol. NTP was originally defined clear back in 1985 and is now detailed in RFC 1305. A client/server model, it is used by routers, switches, security appliances and many other classes of computing equipment.
Having consistent time stamps is essential for reliable logs and automated processes. A reliable time stamp is essential in forensics and in chain of custody verification.
According to a 2007 study by Florian Buchholz and Brett Tjaden of James Madison University in Virginia, more than a quarter of the Web servers on the Internet have their clocks off by more than 10 seconds.
During their six-month study of more than 8,000 Web servers, they found that systems with the wrong time frequently drifted—or jumped—in unpredictable ways. Some systems would get steadily slower or faster, and then jump back to the correct time. Other systems were rock solid in the rate that time passed, but they were off from the correct time by minutes, hours, days or even years. Some systems followed the wrong rules for Daylight Savings Time. And some servers appeared to have multiple wrong times—that is, one query to the server would return one time offset, and another query would return a completely different time offset, and then subsequent queries would alternate between the two.
Luckily, enough product managers and developers have made sure that NTP is a standard product feature. All major operating systems across all platforms from PCs, servers, network and security equipment to mobile phones and modern handheld units support NTP. They typically sync up on boot and regularly check the NTP time servers to minimize float.
Smaller businesses should make sure that their networking, security and server systems all support a validated NTP implementation. Making sure it is activated across the infrastructure is a simple thing to do in the good housekeeping world of information security.
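To check how far a host's clock is from a time server, the client/server exchange can be done by hand: send a 48-byte request stamped with the local send time, then combine the server's receive and transmit timestamps with the local arrival time. The following is an added example, not code from this blog; the sample reply is constructed, and `query()` takes whatever server name you supply.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800                 # seconds from 1900-01-01 to 1970-01-01
HEADER = struct.Struct("!BBbbII4s4Q")  # 48-byte NTP header

def to_ntp(unix_time):
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_time + NTP_DELTA) * 2**32))

def from_ntp(stamp):
    return stamp / 2**32 - NTP_DELTA

def build_request(t1, version=3):
    flags = (version << 3) | 3         # LI=0, VN=version, mode 3 (client)
    return HEADER.pack(flags, 0, 0, 0, 0, 0, b"\0" * 4, 0, 0, 0, to_ntp(t1))

def parse_reply(reply, request, t4):
    """Return (offset, delay) in seconds; offset > 0 means the local clock is behind."""
    if len(reply) < HEADER.size:
        raise ValueError("short packet")
    flags, stratum, *_, originate, receive, transmit = HEADER.unpack(reply[:48])
    sent = HEADER.unpack(request)[-1]  # transmit timestamp we put in the request
    if flags & 7 != 4:
        raise ValueError("not a server-mode reply")
    if stratum == 0 or flags >> 6 == 3:
        raise ValueError("server reports it is not synchronised")
    if originate != sent:              # reply does not answer our request
        raise ValueError("originate timestamp mismatch")
    t1, t2, t3 = from_ntp(originate), from_ntp(receive), from_ntp(transmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay

def query(host, timeout=2.0):
    """Ask a live server (UDP port 123); host is supplied by the caller."""
    request = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
    return parse_reply(reply, request, time.time())

if __name__ == "__main__":             # constructed reply: server 12.5 s ahead
    t1 = 1239148800.0
    reply = HEADER.pack(0x1C, 2, 0, -20, 0, 0, b"\0" * 4, 0,
                        to_ntp(t1), to_ntp(t1 + 12.52), to_ntp(t1 + 12.521))
    print(parse_reply(reply, build_request(t1), t1 + 0.041))
```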
Posted in Infrastructure Security
3 April 2009 by Jeff Hayes.
I have read with interest over the years about people concerned that unauthorized access to an electric provider’s command and control center (any utility for that matter) will result in losing control over the power distribution. The fear goes that “the intruder could shut down power to a city, a neighborhood, a specific building; chaos would ensue.”
An article this week in Computerworld commented on a report released by IOActive, a Seattle-based security consultancy. It mentioned that an “emerging network of intelligent power switches, called the Smart Grid, could be taken down by a cyberattack.”
Whereas I do not doubt the possibility, I question the likelihood.
Where does the primary concern rest with this? Probably with the electric utility.
What about the average business? Should they be concerned? Should there be an action item here? Hardly. Just good security practices. Deploy UPS units, back up data in multiple locations, and create disaster recovery and contingency plans.
Power grid hacking is one thing I never lie awake at night thinking about. I doubt the utility plant manager does either — protecting his operation against these types of outages is part of his daily job.
Update 4/8/09: The latest is that cyberspies from China, Russia, etc. have penetrated the U.S. electrical grid and left behind Trojan software programs. The scary thing is that the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies.
Posted in Infrastructure Security