Thursday, March 8, 2007

you can do all that or simply implement Dynamic Security

How to protect your network against Skype

Michael Gough

 

March 06, 2007 (Computerworld) The voice-over-IP and instant messaging (IM) application Skype has gone from obscurity to roughly 150 million users with about 6 million users online at any given time -- all in a matter of three years. Even with its popularity, though, there are security concerns, particularly when Skype is used in corporate networks.

Among people's security concerns are that Skype can be a security hole through which hackers can crawl, that it encrypts all communications and so its messaging can't be tracked, that it can use up too much network bandwidth and that it allows dangerous file transfers.

Skype is not an easy application to manage, but if you're concerned about Skype use on your network, there's plenty you can do to block it or make sure that it's used safely. (As to whether you should be concerned about Skype, that's another question -- for answers, see this article.) Read on to see how you can protect your network and its users against Skype dangers.

Finding Skype users on your network

The first thing you need to do is find out who is using Skype on your network. If you're using any of the many networking configuration management applications such as Microsoft SMS, LANDesk HP or OpenView Client Configuration Manager, you're all set. Just use their built-in tools.

If you don't use any of them, fear not; help is on the way. On my Web site SkypeTips.com, I have a sample script that you can customize called Skype_Check for Windows that does the following:

  • Checks if Skype is installed on PCs on the network, and creates a report of systems that have it.
  • Reports the version of Skype.
  • Checks to see if a proxy is set.
  • Checks the port Skype is using and reports it.
  • Checks if port 80 is enabled and reports it.
  • Checks the port being used and allows you to copy the corporate Shared.XML file with the correct settings.
  • Checks and disables file transfer and reports it.
  • Checks and disables the Skype API and reports it.

You can also use your login script to search for Skype.exe or use a script and execute it against your IP address scheme, attach it to each client with the appropriate admin account, and search for Skype and any existing XML or registry settings. And, of course, you can also use a configuration management application, as I mentioned previously, or use a combination of a script and configuration management application depending on your need to find, report, manage or prevent and delete Skype.

Blocking Skype

If you've decided that you want to ban Skype from your network, there are several things you can do. The simplest is to hunt down and kill every copy of Skype on every PC on the network. For those looking for a GUI tool to seek out and destroy Skype, a free utility called SkypeKiller will let you browse your network, get a report on systems using Skype and then delete Skype from those systems. SkypeKiller also lets you schedule the deletion. For systems that are not currently online, it will try them once they are back online.

You'll also want to make sure that users can't download and install Skype in the first place, so use network management tools to block network access to www.skype.com. That, by itself, won't be enough, though, because users can always get the application elsewhere. So block Skype from being installed on their systems using either your AD Group Policy options or by removing users administrator rights. You can also use your configuration management application to remove Skype and report when Skype is found during an inventory sweep.

One more idea: Run a check when users log in or use scripts to seek out, find and delete Skype. I've written such a script, called the Skype_Delete script for Windows, and it's available on my Web site.

Remote users pose the biggest challenge to administrators since they are not connected to your local network on a regular basis. So how do you manage them or delete Skype from their systems?

If you have a configuration management application, use it in concert with an agent that "phones home" when a PC is connected to the VPN, and then use VPN quarantine functions.

You could also wait until users log into the local network and then have a login script nab them, but again, many remote users with laptops will rarely, if ever, connect to the local network. To get around the problem, you can add Skype to your VPN logon policy to detect if Skype is used. You can then delete it when users log onto the VPN while you check to see if your remote users have their personal firewall and antivirus enabled and up to date.

Blocking Skype with Windows XP firewall (Service Pack 2)

If you are using Windows XP Service Pack 2 and the Windows firewall, there's a utility that Microsoft provides to control the firewall called netsh. You could get clever and use the netsh command to either remove Skype from the approved applications list or change the rule to make Skype use a bogus IP address. Here's how:

netsh firewall set allowedprogram C:\progra~1\Skype\phone\skype.exe Skype disable

netsh firewall set allowedprogram C:\progra~1\Skype\phone\skype.exe Skype enable custom 10.1.2.3

Blocking Skype at the network layer

So far, we have discussed blocking or deleting Skype on the client side. But there are more complex solutions for larger corporations or companies with high security needs, in particular, using a network-based Skype and IM blocking application. These hardware applications can be configured to recognize the specific protocols used for applications like Skype and then block their network traffic. They're costly, and because of that, not well suited for smaller organizations. There are several applications in this space such as Verso, Ipoque, Lynanda, SonicWall, Packeteer and others.

If you are using a proxy server like Squid for all Web access, then you could also configure it to block various Skype- and IM-related requests, just search Google for "Skype AND Squid" and you will find a wealth of information.

Managing Skype settings

What if you decide to allow people to use Skype, but want to manage the settings on all PCs on the network? You can use Active Directory Group Policy or use your configuration management application or scripts such as the sample I talked about previously. You'll be able to control Skype's behavior, such as preventing a system from becoming a Supernode, disabling file transfers, controlling which port and protocol Skype uses and several other settings. For a complete list of settings that can be set, refer to Skype's Guide for Network Admins.

Finally, if you want to monitor Skype on user systems, use your Windows logon script to run a check each time a user logs onto your network or in the "Run Key" on a laptop and report on whatever you are looking for.

 

the upcoming IDentiWall is the silver bullet of the Identity Theft fight

Texas counties illegally posting Social Security numbers online, AG says

Jaikumar Vijayan

 

March 05, 2007 (Computerworld) Like dozens of county governments around the country, Fort Bend County in Texas has for the past several years been posting public records containing Social Security numbers on its Web site. The records are accessible to anyone in the world with an Internet connection and are routinely sold to list brokers, real estate companies and mortgage firms.

On Feb. 23, Texas Attorney General Greg Abbot ruled that such disclosure of Social Security numbers in public documents is a violation of both state and federal privacy laws and is a criminal offense punishable by jail time and fines. The ruling followed an inquiry by Fort Bend's district attorney in 2005 about how its county clerk was expected to deal with Social Security numbers when they were present in public records.

Abbot's ruling has caused an uproar among county and district clerks in the state who are panicked by the prospect of being held criminally liable for actions they say were carried out as part of their normal business. Many have shut down or severely restricted public access to court records and are seeking help from state legislators who have hastily introduced a House bill seeking to absolve clerks of criminal and civil liabilities for disclosing confidential information.

The bill, sponsored by Texas Rep. Jim Keffer, also seeks to allow county and district clerks to continue disclosing such information in the future "notwithstanding" existing federal and state privacy laws.

"When we first saw the [attorney general's] opinion, we were just panicked. We were like, 'This couldn't be happening,'" said Janice Gray, district clerk at Coryell County and vice president of the County and District Clerks Association of Texas.

In response, Abbot said he would abate his opinion for 60 days while state legislators deliberate the issues raised by the ruling. "Immediately after the opinion was issued, legislative leaders contacted this office with serious concerns about logistical implications surrounding the rapid implementation of statutorily-mandated [Social Security number] confidentiality," he wrote in a Feb 28 note to Fort Bend county attorney Roy Cordes. "The real-world consequence [of the opinion] was a virtual halt to a tremendous amount of business and commerce in Texas," he said.

At issue is the controversial practice by many county governments of posting public records containing confidential personal information on the Internet without first redacting sensitive data.

The list of documents posted on county Web sites as part of the public record includes copies of property and tax records, motor vehicle information, and court files. In some cases, documents relating to military discharges, family court decisions, juvenile court records, probate law documents and death certificates are also available. Many of these documents include Social Security and driver's license numbers, bank account details and sometimes even protected health information.

Outraged privacy advocates have argued that putting the records online has greatly broadened access to the information and heightened the risk of misuse. They claim that the trend has made county Web sites a veritable treasure trove of information for identity thieves and other fraudsters.

County clerks such as Dianne Wilson of Fort Bend County, however, argue that much of the information has been freely available for public purchase and inspection at county offices for a very long time. "What we have always held is that we are the repository of the public record," Wilson said. "The public has the right to view and copy and purchase any public record. They have free access to it."

County clerks can't reject a document just because it contains confidential information, she said. Neither are they allowed under law to alter a public record. "We cannot tell you what to put in a document and what not to," she said. "We don't read the documents; we don't know if there is an [Social Security number] in it or not. We are not the ones that put it in there."

Abbot's ruling requires Texas counties to now redact Social Security numbers from public records before making them publicly available -- a monumental task, Gray said. It means having to go through millions of pages to first identify records containing the numbers, making copies of the pages and then blocking out the numbers on each copy. "You are talking about extra paper, extra storage and extra manpower" to do it, she said.

Until some sort of a compromise is reached, Abbot's opinion could seriously hinder public access to court records, both Gray and Wilson said. Others, however, dismissed those concerns. They said that such redactions have been already made elsewhere and that the technology for blocking sensitive information is available. They pointed to states such as Florida, where county governments are already redacting public records as mandated by a state law. Florida's Orange County in February 2006 completed an 18-month project in which it reviewed more than 30 million pages in more than 12 million public records for items such as Social Security numbers, bank account information and credit card numbers. In the end, 777,635 pages -- 2.6% of the total reviewed -- were found to have personal data that needed to be redacted.

"Right now, what you have is a lot of these counties [in Texas] running down to the state legislature and trying to scare them," said Peter MacKoul, president of HIPAA Solutions LC, a Sugar Land, Texas-based consultancy. "They want legislators to write a law running against the [attorney general's] opinion. What they are saying is that it is too difficult to comply with the AG's ruling."

According to MacKoul, at least some of the pressure on the legislators is coming from businesses that have a vested interest in keeping public records online. "Fort Bend sold 20 million un-redacted documents to a Florida list broker for about $2,500," MacKoul said. The same documents would have cost $1 apiece at the courthouse. "There are some business interests who don't want privacy rules," McKoul said.

MacKoul's company was hired by Fort Bend County in 2005 to perform a Health Insurance Portability and Accountability Act audit of its Web site and discovered numerous violations of the law. In some cases, records containing detailed health information were easily accessible from the county's public Web site, he said.

The fact that Fort Bend county has become a focus in the latest controversy is because it failed to act on some of the issues mentioned in MacKoul's report, said David Bloys a retired private investigator who publishes a newsletter called "News for Public Officials" in Shallowater, Texas.

Bloys has been chronicling privacy breaches at county government Web sites in Texas and other states and has been critical of the way Fort Bend handled the issue. "It appears that if the county clerk had taken some of the recommendations in the report seriously, much of the current problem would not exist. Instead, she ignored the recommendations," he said.

Fort Bend County Commissioner Andy Meyers said that he has opposed the county's practice of posting confidential information. "People do not know that their personal information is included in a document that is posted on the Internet," he said. They have not been given any notification in the past that their Social Security numbers and other confidential information would be posted in public records on the Internet and therefore have a reasonable expectation that it will be kept private, Meyers said.

So far though, he has been unable to stop the clerk from posting the information, he said. "The county clerk disagreed with me. She said she had the authority to do so," Meyers said. "I still have been unable to find under state law where she has the authority to post anything on the Internet."

With Abbot's ruling still set to take effect in 60 days, a vote by by two-thirds of both the House and the Senate is needed for Keffer's bill to become effective immediately, he said. "I don't know if they have the two-third votes," he said. "The question is whether [legislators] are going to want to vote on making it legal to post Social Security numbers and other confidential information to the public Web," he said, "I am not sure they are going to vote for that."

 

this "insiders job" aught to be stopped. Dynamic Security is up to the challenge

Wal-Mart fires technician who recorded phone calls

Systems tech also intercepted text messages, retailer says

Nicole Maestri  

 

March 05, 2007 (Reuters) -- CHICAGO - Wal-Mart Stores Inc. said today it fired a systems technician for intercepting text messages of people who were not Wal-Mart employees and for recording telephone conversations with a New York Times reporter without authorization.

Wal-Mart, the world's largest retailer, said an internal investigation found the technician had monitored and recorded phone calls between Wal-Mart public relations employees and a New York Times Co. reporter between September and January.

The Bentonville, Ark.-based retailer also said the technician, who worked in its information systems division, intercepted and stored text messages that contained certain key words, including those sent by people in the Bentonville area who were not Wal-Mart employees.

Wal-Mart spokeswoman Mona Williams said on a call with reporters that the technician "did this on his own."

While interviews with the technician gave the retailer an idea as to why he recorded the calls, Williams said she could not disclose the reasons because the case has been turned over to federal investigators.

Wal-Mart's disclosures come after a corporate spying scandal that erupted in September at Hewlett-Packard Co., in which the computer company disclosed it had undertaken an aggressive investigation to learn the source of boardroom leaks to the news media.

At HP, private investigators posed as board members, employees and journalists to obtain phone records in a deception known as "pretexting." The scandal led to the departures of several HP executives.

Policy violations 

Wal-Mart said the phone recordings were not authorized by the company and violated its policy of forbidding such activity without prior written approval from the legal department.

The retailer also said the interception of text messages and pages that don't involve Wal-Mart associates is not authorized by its policies under any circumstances.

"We are troubled by what appears to be inappropriate taping of our reporter's conversations," said New York Times spokeswoman Diane McNulty. "At this point, we don't know many of the key facts, such as what the purpose of this taping was and the extent, if any, to which the action was authorized."

She said Michael Barbaro was the reporter whose calls were taped.

Williams said Wal-Mart had called the New York Times to apologize for the recordings. While a handful of other conversations were recorded, Williams said none of those involved other reporters, public speakers or Wal-Mart critic groups such as Wake-Up Wal-Mart.

Williams said the technician's supervisor was also fired, and the retailer has removed the recording equipment and related hardware from its system.

Wal-Mart has kept the U.S. attorney for the Western District of Arkansas informed of the investigation and the U.S. attorney told the retailer on March 1 that his office would conduct an investigation of the pager intercepts and the recording of phone calls.

 

Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc