Dynamic Security could have easily identified that the person logging in was not the coroner, since he or she was in the wrong place at the wrong time, or there were multiple logins.
Trust Isn’t Security
Frank Hayes
February 12, 2007 (Computerworld) -- In Lancaster, Pa., last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.
And who did the coroner allegedly give his password to? Newspaper reporters. Now there’s a trusting user.
Wait, it gets scarier. According to the grand jury, the reporters said Kirchner gave them the password because he didn’t want to be bothered with their phone calls asking for details about homicides, fatal accidents and suspicious deaths.
The reporters weren’t charged with illegally accessing the Web site, because they testified under immunity from prosecution. Kirchner has denied the charges against him.
But the grand jury report quotes e-mails and computer forensic evidence that paint an ugly portrait of the coroner (who apparently ignored security policies and gave away his password within weeks of taking office in 2004) and the reporters (who ignored “authorized personnel only” warnings and accessed confidential information hundreds of times over an 18-month period).
And where was IT all this time? Not noticing, mostly. Eventually, an IT staffer checked Web site logs and discovered that the site was accessed more than 50 times in two weeks from computers at a newspaper office. But that was only after one reporter mentioned in a news report that some information came from the Web site, and a reporter from a competing newspaper called the county to find out why he didn’t have access.
That’s when a supervisor realized there had been a security breach, a police investigation began, logs were checked, passwords were changed, and the grand jury went to work.
Until then, everyone apparently assumed that because users were trusted with the information on the emergency 911 Web site, they could be trusted to keep it secure. Now there’s a trusting IT department.
That trust was misplaced. And not just trust in the coroner. After the reporters’ intrusion was discovered, logs were scrutinized more carefully. In 2006, four emergency responders were prosecuted for giving out their passwords, and two other people were arrested for accessing the site.
According to the grand jury report, the results of those password leaks weren’t trivial. In one incident, a 911 caller reported suspicious drug activity in his neighborhood. His name was supposed to be kept confidential. Because of the password leaks, it wasn’t. “That caller’s name was made known on the streets, and the caller was severely beaten in retaliation,” the grand jury report said.
We want to trust our users. We have to trust them, mostly — we can’t afford to watch them every second. And most of them are worthy of that trust.
But some aren’t.
Trusting is nice. It’s sociable. It’s convenient.
Don’t do it.
We have the technology to control network access to confidential information. Beyond passwords, we can limit users’ access with IP address whitelists and blacklists. We can use VPNs. We can scan logs after the fact, looking for IP addresses that don’t belong. We can’t catch every breach, but we likely can discover some accounts that have been compromised — and some users who can’t be trusted.
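The after-the-fact log check the column describes, as an added example that is not from the column: it parses Apache-style access-log lines (a constructed sample with placeholder usernames such as `coroner`), flags accounts used from addresses outside an allowlist, and flags accounts used from two different addresses within an hour of each other.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real data). Third field is the
# authenticated user, as Apache writes it for HTTP-authenticated requests.
SAMPLE_LOG = """\
10.1.4.22 - coroner [14/Jan/2007:08:02:11 -0500] "GET /911/incidents HTTP/1.1" 200 5120
10.1.4.22 - dispatcher7 [14/Jan/2007:08:05:40 -0500] "GET /911/incidents HTTP/1.1" 200 4410
203.0.113.45 - coroner [14/Jan/2007:08:31:09 -0500] "GET /911/incidents/2231 HTTP/1.1" 200 2210
203.0.113.45 - coroner [14/Jan/2007:08:33:57 -0500] "GET /911/autopsy/2231 HTTP/1.1" 200 9870
10.1.4.22 - coroner [14/Jan/2007:08:40:02 -0500] "GET /911/incidents HTTP/1.1" 200 5120
198.51.100.7 - coroner [15/Jan/2007:22:10:45 -0500] "GET /911/incidents HTTP/1.1" 200 5120
10.1.6.9 - ambulance3 [15/Jan/2007:22:12:03 -0500] "GET /911/incidents HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse access-log lines into dicts with ip, user, time and request."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("user") == "-":
            continue  # malformed or unauthenticated lines are not of interest here
        records.append({
            "ip": ipaddress.ip_address(m.group("ip")),
            "user": m.group("user"),
            "time": datetime.strptime(m.group("ts"), TS_FORMAT),
            "request": m.group("req"),
        })
    return records


def unlisted_sources(records, allowed_networks):
    """(user, ip) pairs seen from outside the allowed networks: the
    'IP addresses that don't belong' check from the column."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = set()
    for r in records:
        if not any(r["ip"] in net for net in allowed):
            hits.add((r["user"], str(r["ip"])))
    return sorted(hits)


def concurrent_logins(records, window=timedelta(hours=1)):
    """Users whose account was used from two different addresses within
    `window` of each other: one person cannot be in two places at once."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        for a, b in zip(recs, recs[1:]):
            if a["ip"] != b["ip"] and b["time"] - a["time"] <= window:
                flagged.setdefault(user, set()).update({str(a["ip"]), str(b["ip"])})
    return {u: sorted(ips) for u, ips in flagged.items()}


def hits_per_source(records, user):
    """Request count per source address for one account (the '50 times in
    two weeks from a newspaper office' kind of tally)."""
    counts = defaultdict(int)
    for r in records:
        if r["user"] == user:
            counts[str(r["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("outside allowlist:", unlisted_sources(recs, ["10.0.0.0/8"]))
    print("two places at once:", concurrent_logins(recs))
    print("coroner by source:", hits_per_source(recs, "coroner"))
```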
Yes, that gets ugly and unpleasant. So does what comes after: the why, the how-bad and the what-to-do-now.
But the alternative is a lot uglier. The results could be lost business and exposed customer information.
Or — as they’re learning in Lancaster — assaults and handcuffs.

Frank Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.
Labels: Cybercrime, IT Security, Medical, Passwords
How will IT security be integrated with physical access control? "Protection from internal threats, such as accidental or malicious disclosure of confidential information, is expected to be a major topic this week. Websense is expected to unveil its new Content Protection Suite and McAfee also is entering the space crowded with smaller players such as Vontu, Code Green Networks and GTB Technologies." OK - how will all of those be integrated? Does anyone really believe one company can provide all the answers? Dynamic Security can integrate these systems if they have an interface...
Feb 6, 2007 3:39 PM
The annual RSA Conference is showing evidence of a maturing information security industry with an increasing role for big-name companies. The event has developed into an annual gathering for corporate IT pros and a showcase for hundreds of companies, small and large, that market security products and services to businesses.
Security is becoming more structured and part of the IT infrastructure at companies, instead of being added on later, analysts tell USA Today. Companies including Oracle, Microsoft, Sun Microsystems, Cisco Systems and Intel are vying for a piece of the pie, which may hurt the smaller industry players, they add.
"There seems to have been a recognition among some of the larger vendors that they can make money with security or, more likely, that they're not going to make any money if they don't have security in the future," said Gartner Analyst Ray Wagner. "That's certainly going to hurt some of the smaller vendors."
Case in point: Database giant Oracle for the first time will have a major presence at the RSA Conference. The company will promote its identity management products as well as software to secure the applications it sells to help large enterprises with things like accounting and human resources. Oracle CEO Larry Ellison is slated to deliver a keynote speech at the San Francisco event.
Microsoft Chairman Bill Gates kicked off the conference Tuesday in a keynote.
"In a lot of ways security is becoming more boring," Andrew Jaquith of the Yankee Group tells USA Today. "But boring is good. Boring means maturation. Boring means you're seeing large companies like IBM have a really rounded out security story. This is good for the mainstreaming of security into the way people run their business."
As products have become more mainstream, so have the RSA attendees. The bulk of the event is geared to less specialized visitors. "Security concerns are moving away from tech geeks with pocket protectors monitoring networks in a back closet somewhere, to something that business managers and more senior folks are concerned with," says George Tubin, an analyst with TowerGroup.
Of the more than 340 exhibitors at the RSA Conference in San Francisco's Moscone convention center, many companies in the security arena are using the event to announce new initiatives, products or product updates.
Protection from internal threats, such as accidental or malicious disclosure of confidential information, is expected to be a major topic this week. Websense is expected to unveil its new Content Protection Suite and McAfee also is entering the space crowded with smaller players such as Vontu, Code Green Networks and GTB Technologies.

Labels: IT Security, Security Integration, Security Policy
Cybercrime pays and repeats itself. Dynamic Security could protect against unauthorized removal of equipment.

Grant Gross
February 05, 2007 (IDG News Service) -- The Department of Veterans Affairs (VA) is investigating a missing hard drive containing the personal records of 48,000 military veterans, the agency said. The external hard drive contained about 20,000 personal records that were not encrypted, according to information from Rep. Spencer Bachus (R-Ala.).

A VA employee reported the hard drive missing from a Birmingham, Ala., agency facility on Jan. 22, according to a VA press release. The VA and the FBI are investigating the missing hard drive, the VA said in its Friday press release. The VA's Office of Information and Technology is conducting a separate investigation, Secretary of Veterans Affairs Jim Nicholson said in a statement. "We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved," Nicholson added.

In May 2006, the VA reported a laptop and hard drive containing the personal records of 26.5 million military veterans and their families had been stolen from an employee's home. Police later recovered the hardware, and the VA said computer forensics tests indicated thieves had not accessed the data. However, the theft set off criticism from several members of Congress about the VA's cybersecurity practices.

The hard drive in Alabama was used to back up information contained on an employee’s office computer and may have contained data from research projects the employee was involved in, as well as personal information, the VA said. The VA Office of Inspector General has seized the employee’s computer and is analyzing its contents, the VA said. The VA is prepared to notify affected people and provide free credit monitoring, the agency said. The VA will continue to aim to be a leader in protecting personal information, Nicholson said in his statement.
In August, the VA also reported that a desktop computer containing the personal information of 38,000 veterans was missing from the office of Unisys Corp., the subcontractor assisting at the agency's medical centers in Pittsburgh and Philadelphia. The lost VA hardware prompted a congressional review of other U.S. government agencies, and agencies reported thousands of l
Labels: Defense, Information Loss, IT Security, Medical
Business Security for business is big business...
IT security goes mainstream at RSA Conference

The annual RSA Conference is showing evidence of a maturing information security industry with an increasing role for big-name companies. The event has developed into an annual gathering for corporate IT pros and a showcase for hundreds of companies, small and large, that market security products and services to businesses.

Labels: Commercial, IT Security
The year 2007: A review through the crystal ball

It's the season of the end-of-the-year reviews. We have used our crystal ball to jump forwards a year to provide you the ultimate review of 2007 -- here and now.

2007 was the year of the super bots: Never before has malicious software been equipped with so many functions that help it to hide from antivirus software and to resist removal. The majority of malicious software programs used rootkits, and their number doubled again on last year's figure to over 500. Local privilege escalation vulnerabilities in Windows were increasingly exploited; accounts with restricted user rights were used to gain system rights. Initially, the protective functions in Windows Vista, which has been available for end customers since January, made it more difficult for malicious code to infiltrate the system. The crimeware scene responded, and numerous vulnerabilities appeared as the year progressed; these were exploited to cancel or bypass the majority of the security functions. The user account protection (UAC), in particular, proved to be ineffective: Most users just confirmed any respective requests, since they did not understand the displayed information.
While in 2006, DDoS attacks with botnets were mainly targeted at unwanted competitors, online betting offices and consumer protection sites, 2007 also saw large attacks launched on critical infrastructures. In April, the stock exchange nearly crashed, when a DDoS attack on the electronic trading system disconnected it from the Internet for several days, resulting in automated control programs losing control and attempting to divest shares in a panic reaction. When analysing this event, neither law enforcement agencies nor other specialists involved were able to switch off the responsible botnet with its decentralised control. The individual bots communicated with each other in a peer-to-peer structure, similar to those used for file sharing sites; the commands transferred in the Net were encrypted and had a digital signature.

An insurance company suffered significant damages, when a botnet attack cut off all the telephones in the entire company group for two days. While the Voice-over-IP infrastructure proved to yield operational cost savings, this was at the expense of system stability, when vulnerabilities of the SIP protocol were used for targeted attacks. So far, no explanation has been found for why the attacks stopped abruptly after two days; persistent rumours say that a six-digit sum changed hands.

For security software vendors, too, 2007 was a black year: The number of critical holes detected in products that had been designed to provide a higher degree of security was higher than ever before. For instance, various worms used zero-day exploits for holes in antivirus software to find a way into the system during the mail scanning process. For the first time, underground prices for such zero-day exploits dropped in 2007, compared to the previous year. Insiders think this drop in prices was caused by a glut of such exploits, mainly due to the broad usage of simpler fuzzing tools.
Bit by bit, these half-automated vulnerability scanners are uncovering the (security) sins of a whole generation of programmers.

Again, the share of web-based attacks experienced strong growth rates. However, malicious web sites did not so much exploit holes in browsers; rather, they used holes in media player plug-ins and software for Internet Explorer, Firefox and Opera, to infect PCs. The popularity of video portals such as YouTube, MyVideo and ClipFish, as well as social networking sites, contributed to this development, with the MySpace worm being the sad culmination. For several weeks, this worm exploited a hole in the Flash Player to infect the PCs of hundreds of thousands of visitors, logged their surf patterns and chat activities and posted this information in public forums.

With many companies starting to migrate to Web 2.0, the security situation changed for the worse: Cross-site scripting holes on web servers became an epidemic plague. Defacing web sites advanced from an insider gag to mass entertainment when Jonathon Ross presented his favorite pages on the sites of Buckingham Palace, the Whitehouse and the Vatican. For a short time, the Xacks archive -- named after a combination of XSS and hack -- had even more page impressions than shooting star YouTube. Meanwhile the ministry of justice announced plans to impose penalties for accessing such manipulating URLs.

Traditional web applications did not get off scot-free either. After the "month of PHP bugs" in March 2007 and the subsequent intrusion into tens of thousands of web servers, global web hosters were forced to take their servers off the Net for several days, until updates for the major PHP holes were available. In a study published in June 2007, the US-CERT recommended that PHP should not be used for critical environments.
The National Infrastructure Security Coordination Centre advised against the usage of PHP on the servers deployed in state and public institutions and authorities and suggested using Ruby on Rails instead.

Regarding privacy issues, 2007 experienced a continuation of the payback trend: An increasing number of companies tried to buy off the onerous restrictions imposed on the usage of personal data. With attractive offerings, they enticed customers into accepting terms and conditions that grant the respective providers freedom from restriction in this context. The case of an IP-TV provider, who sold his advertisers profiles containing his customers' viewing behaviours, including names and addresses, led to a public awakening after radical feminists outed two conservative politicians as regular viewers of a porno channel. Since then IP-TV providers have discussed committing themselves to not passing personal data to puckish third parties.

A slip-up also cast a shadow on search engine provider Google: Contrary to their own assertions, the data octopus had analysed and indexed all e-mails processed through their mail service. Due to a mistake made by an administrator, a database of the highly secret project was mirrored onto the external index servers, and as a result, the private mails of thousands of GMail users could be accessed via the search front-end for at least one hour. This event adds weight to warnings against a potential combination of data from the traditional search engine, Google Desktop, Google Analytics, YouTube and other Google services. Whether this will have consequences or not will be revealed in our year 2008 review. So let's just hope that our crystal ball is wrong...

Labels: IT Security, Security
The same trick can be used by hackers of course...

Jürgen Schmidt
The hole trick
How Skype & Co. get round firewalls

Peer-to-peer software applications are a network administrator's nightmare. In order to be able to exchange packets with their counterpart as directly as possible they use subtle tricks to punch holes in firewalls, which shouldn't actually be letting in packets from the outside world.

Increasingly, computers are positioned behind firewalls to protect systems from internet threats. Ideally, the firewall function will be performed by a router, which also translates the PC's local network address to the public IP address (Network Address Translation, or NAT). This means an attacker cannot directly address the PC from the outside - connections have to be established from the inside.

This is of course a problem when two computers behind NAT firewalls need to talk directly to each other - if, for example, their users want to call each other using Voice over IP (VoIP). The dilemma is clear - whichever party calls the other, the recipient's firewall will decline the apparent attack and will simply discard the data packets. The telephone call doesn't happen. Or at least that's what a network administrator would expect.

Punched

But anyone who has used the popular internet telephony software Skype knows that it works as smoothly behind a NAT firewall as it does if the PC is connected directly to the internet. The reason for this is that the inventors of Skype and similar software have come up with a solution. Naturally every firewall must also let packets through into the local network - after all the user wants to view websites, read e-mails, etc. The firewall must therefore forward the relevant data packets from outside to the workstation computer on the LAN. However, it only does so when it is convinced that a packet represents the response to an outgoing data packet.
A NAT router therefore keeps tables of which internal computer has communicated with which external computer and which ports the two have used. The trick used by VoIP software consists of persuading the firewall that a connection has been established, to which it should allocate subsequent incoming data packets. The fact that audio data for VoIP is sent using the connectionless UDP protocol acts to Skype's advantage. In contrast to TCP, which includes additional connection information in each packet, with UDP a firewall sees only the addresses and ports of the source and destination systems. If, for an incoming UDP packet, these match a NAT table entry, it will pass the packet on to an internal computer with a clear conscience.

Switching

The switching server, with which both ends of a call are in constant contact, plays an important role when establishing a connection using Skype. This occurs via a TCP connection, which the clients themselves establish. The Skype server therefore always knows under what address a Skype user is currently available on the internet. Where possible the actual telephone connections do not run via the Skype server; rather, the clients exchange data directly.

Let's assume that Alice wants to call her friend Bob. Her Skype client tells the Skype server that she wants to do so. The Skype server already knows a bit about Alice. From the incoming query it sees that Alice is currently registered at the IP address 1.1.1.1 and a quick test reveals that her audio data always comes from UDP port 1414. The Skype server passes this information on to Bob's Skype client, which, according to its database, is currently registered at the IP address 2.2.2.2 and which, by preference, uses UDP port 2828.
Step 1: Alice tries to call Bob, which signals Skype.
Bob's Skype program then punches a hole in its own network firewall: It sends a UDP packet to 1.1.1.1 port 1414. This is discarded by Alice's firewall, but Bob's firewall doesn't know that. It now thinks that anything which comes from 1.1.1.1 port 1414 and is addressed to Bob's IP address 2.2.2.2 and port 2828 is legitimate - it must be the response to the query which has just been sent. 
Step 2: Bob tries to reach Alice, which punches a hole through Bob's firewall.
Now the Skype server passes Bob's coordinates on to Alice, whose Skype application attempts to contact Bob at 2.2.2.2:2828. Bob's firewall sees the recognised sender address and passes the apparent response on to Bob's PC - and his Skype phone rings. 
Step 3: Alice finally reaches Bob's computer through the hole.
Doing the rounds

This description is of course somewhat simplified - the details depend on the specific properties of the firewalls used. But it corresponds in principle to our observations of the process of establishing a connection between two Skype clients, each of which was behind a Linux firewall. The firewalls were configured with NAT for a LAN and permitted outgoing UDP traffic.

Linux' NAT functions have the VoIP friendly property of, at least initially, not changing the ports of outgoing packets. The NAT router merely replaces the private, local IP address with its own address - the UDP source port selected by Skype is retained. Only when multiple clients on the local network use the same source port does the NAT router stick its oar in and reset the port to a previously unused value. This is because each set of two IP addresses and ports must be able to be unambiguously assigned to a connection between two computers at all times. The router will subsequently have to reconstruct the internal IP address of the original sender from the response packet's destination port.

Other NAT routers will try to assign ports in a specific range, for example ports from 30,000 onwards, and translate UDP port 1414, if possible, to 31414. This is, of course, no problem for Skype - the procedure described above continues to work in a similar manner without limitations.

It becomes a little more complicated if a firewall simply assigns ports in sequence, like Check Point's FireWall-1: the first connection is assigned 30001, the next 30002, etc. The Skype server knows that Bob is talking to it from port 31234, but the connection to Alice will run via a different port. But even here Skype is able to outwit the firewall. It simply runs through the ports above 31234 in sequence, hoping at some point to stumble on the right one. But if this doesn't work first go, Skype doesn't give up.
Bob's Skype opens a new connection to the Skype server, the source port of which is then used for a further sequence of probes. 
Skype can do port scans. Here it succeeds on port 38901 and connects through the firewall.
Nevertheless, in very active networks Alice may not find the correct, open port. The same also applies for a particular type of firewall, which assigns every new connection to a random source port. The Skype server is then unable to tell Alice where to look for a suitable hole in Bob's firewall. However, even then, Skype doesn't give up. In such cases a Skype server is then used as a relay. It accepts incoming connections from both Alice and Bob and relays the packets onwards. This solution is always possible, as long as the firewall permits outgoing UDP traffic. It involves, however, an additional load on the infrastructure, because all audio data has to run through Skype's servers. The extended packet transmission times can also result in an unpleasant delay.

Use of the procedure described above is not limited to Skype and is known as "UDP hole punching". Other network services such as the Hamachi gaming VPN application, which relies on peer-to-peer communication between computers behind firewalls, use similar procedures. A more developed form has even made it to the rank of a standard - RFC 3489 "Simple Traversal of UDP through NAT" (STUN) describes a protocol with which two STUN clients can get around the restrictions of NAT with the help of a STUN server in many cases. The draft Traversal Using Relay NAT (TURN) protocol describes a possible standard for relay servers.

DIY hole punching

With a few small utilities, you can try out UDP hole punching for yourself. The tools required, hping2 and netcat, can be found in most Linux distributions. Local is a computer behind a Linux firewall (local-fw) with a stateful firewall which only permits outgoing (UDP) connections. For simplicity, in our test the test computer remote was connected directly to the internet with no firewall.

Firstly start a UDP listener on UDP port 14141 on the local/1 console behind the firewall:

local/1# nc -u -l -p 14141

An external computer "remote" then attempts to contact it:

remote# echo "hello" | nc -p 53 -u local-fw 14141

However, as expected, nothing is received on local/1 and, thanks to the firewall, nothing is returned to remote. Now on a second console, local/2, hping2, our universal tool for generating IP packets, punches a hole in the firewall:

local/2# hping2 -c 1 -2 -s 14141 -p 53 remote

As long as remote is behaving itself, it will send back a "port unreachable" response via ICMP - however this is of no consequence. On the second attempt

remote# echo "hello" | nc -p 53 -u local-fw 14141

the netcat listener on console local/1 then coughs up a "hello" - the UDP packet from outside has passed through the firewall and arrived at the computer behind it.

Network administrators who do not appreciate this sort of hole in their firewall and are worried about abuse are left with only one option - they have to block outgoing UDP traffic, or limit it to essential individual cases. UDP is not required for normal internet communication anyway - the web, e-mail and suchlike all use TCP. Streaming protocols may, however, encounter problems, as they often use UDP because of the reduced overhead.

Astonishingly, hole punching also works with TCP. After an outgoing SYN packet the firewall / NAT router will forward incoming packets with suitable IP addresses and ports to the LAN even if they fail to confirm, or confirm the wrong sequence number (ACK). Linux firewalls at least clearly fail to evaluate this information consistently. Establishing a TCP connection in this way is, however, not quite so simple, because Alice does not have the sequence number sent in Bob's first packet. The packet containing this information was discarded by her firewall.

Labels: Firewall, IT Security
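The three-step exchange and the port-walking described in the article above, replayed as an added simulation that is not from the article, from Skype or from the blog: a toy stateful NAT that only admits a datagram matching a hole left by an earlier outgoing one, with the three port policies the text mentions (Linux port-preserving, a fixed offset such as 1414 to 31414, and FireWall-1-style sequential ports). The addresses come from the text; the policy names, the hypothetical `busy` parameter and the server endpoint are constructed.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    """A UDP datagram reduced to the fields a NAT router looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatFirewall:
    """Toy stateful NAT: an incoming packet is delivered only if its
    (dst port, src ip, src port) matches a hole left by an earlier outgoing
    packet. Port policies modelled from the article (names are ours):
      preserve   - keep the inside port (the Linux behaviour described)
      offset     - inside port + base, e.g. 1414 -> 31414
      sequential - a fresh port per connection: 30001, 30002, ... (FireWall-1 style)
    """

    def __init__(self, public_ip, policy="preserve", base=30000):
        self.public_ip = public_ip
        self.policy = policy
        self.base = base
        self.next_seq = count(base + 1)
        self.conns = {}        # (in_ip, in_port, dst_ip, dst_port) -> public port
        self.socket_port = {}  # (in_ip, in_port) -> public port (preserve/offset only)
        self.holes = {}        # (public port, remote_ip, remote_port) -> (in_ip, in_port)
        self.used = set()

    def _fresh(self, want):
        # Like the Linux case in the article: on a collision move to an unused port.
        while want in self.used:
            want += 1
        self.used.add(want)
        return want

    def outbound(self, pkt):
        """Translate an outgoing packet and record the hole it opens."""
        conn = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if conn not in self.conns:
            if self.policy == "sequential":
                ext = self._fresh(next(self.next_seq))
            else:
                sock = (pkt.src_ip, pkt.src_port)
                if sock not in self.socket_port:
                    want = pkt.src_port if self.policy == "preserve" else self.base + pkt.src_port
                    self.socket_port[sock] = self._fresh(want)
                ext = self.socket_port[sock]
            self.conns[conn] = ext
            self.holes[(ext, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.conns[conn], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """The packet as delivered inside, or None when the firewall drops it."""
        inside = self.holes.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)


def punch_and_call(alice_fw, bob_fw, busy=0, max_probes=10,
                   alice=("192.168.1.10", 1414), bob=("10.0.0.5", 2828),
                   server=("5.5.5.5", 33033)):
    """Replay the article's steps. `busy` (constructed) is how many unrelated
    connections Bob's client opens before the call; it only matters for a
    sequential NAT. Returns the public port on which Alice reached Bob, or
    None when every probe was dropped (the relay case in the article)."""
    # Both clients register with the server, which learns their public endpoints.
    a_pub = alice_fw.outbound(Packet(*alice, *server, "register"))
    b_pub = bob_fw.outbound(Packet(*bob, *server, "register"))
    for i in range(busy):  # other traffic moves a sequential NAT's next port along
        bob_fw.outbound(Packet(*bob, "198.51.100.%d" % (i + 1), 5000, "other"))
    # Steps 1+2: Bob sends to Alice's public endpoint. Alice's firewall drops it
    # (inbound() returns None), but Bob's firewall now holds a hole for replies.
    probe = bob_fw.outbound(Packet(*bob, a_pub.src_ip, a_pub.src_port, "punch"))
    alice_fw.inbound(probe)
    # Step 3: Alice tries Bob's endpoint as the server saw it, then walks upward
    # through the following ports, as the article says Skype does.
    for port in range(b_pub.src_port, b_pub.src_port + max_probes):
        ring = alice_fw.outbound(Packet(*alice, b_pub.src_ip, port, "ring"))
        if bob_fw.inbound(ring) is not None:
            return port
    return None


if __name__ == "__main__":
    for policy, busy in (("preserve", 0), ("offset", 0), ("sequential", 3), ("sequential", 20)):
        hit = punch_and_call(NatFirewall("1.1.1.1"), NatFirewall("2.2.2.2", policy=policy), busy=busy)
        print("%-10s busy=%-2d -> %s" % (policy, busy, hit if hit else "no hole found, relay needed"))
```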
Gotcha, Gotcha, Gotcha. Always forgetting something! Dynamic Security can handle all these problems. It is like having central locking in your automobile.
The 10 Most Overlooked Aspects of Security
NOVEMBER 29, 2006

Feel like you're forgetting something? Most likely, you are. Did you post a surveillance camera in your server room? Check the trash can for discarded disk drives that weren't wiped clean of sensitive data? Do a deep background check on that new database administrator you hired? Look into that new third-party security services offering? Encrypt the backup of the year-end financial data? Gulp. Maybe you're not quite ready for the holidays. You'd better watch out.

But don't cry, and don't pout, because you're not alone. Most organizations have at least a few security issues that have been lost in the shuffle, and it's not too late to give them some attention. So, with the help of Dark Reading's editorial advisory board, we've compiled this list of The 10 Most Overlooked Aspects of IT Security, along with the risks of skipping out on them, and some advice on how to attend to them.

Our research turned up a wide variety of opinions on these topics, many of which are environment-dependent, so we're giving you this list in no particular order. You decide which bases you've got covered -- and which ones need your attention. Consider this our contribution to your holiday shopping list. Post 'em on your blog and the company intranet, pass them on to your colleagues and business partners, all in good cheer. There is still plenty of time to make your own list -- and check it twice.

(Editor's note: If there are other commonly forgotten security measures you've just remembered, we'd love to hear about them. Please send comments via the message board associated with this story, not by email. All postings are completely anonymous. Enjoy.)

— The Staff, Dark Reading

1. Physical security
When you review your IT security architecture, you probably don't consider your organization's physical security. But that can be a lethal oversight. "In order to truly achieve 'defense in depth,' we have to think physical security as well as information security. The best [logical] security can't prohibit a physical theft of a server if the computer room is not adequately protected," says Steve Delahunty, senior associate with Booz Allen Hamilton.

More often than not, the people who do IT security and the people who do physical security in large organizations don't work with one another. Many small- to mid-sized enterprise IT security groups may overlook physical issues altogether. It's not until a building break-in occurs that the two may even meet at all. "It's always somebody else's fault when there's a break-in in the building," says Steve Stasiukonis, vice president and founder of Secure Network Technologies, regarding IT security blaming facilities management and vice versa. But IT security should be on the same team as the facilities management group, he says.

In many organizations, physical security is often focused more on protecting copiers, printers, and fax machines from theft -- not servers or computer equipment, Stasiukonis says. "A lot of companies are allocating surveillance technology in the wrong places," he says, and not where intruders are more likely to gain access, such as the cargo landing where smokers take their breaks, or on the cafeteria patio. Leaving physical access to chance in these areas makes it that much easier for an attacker to simply walk in and make a network attack or other breach.

"A lot of attacks become much easier because of physical security weaknesses," says Sean Kelly, technology consultant for Consilium1, who does penetration testing for clients. "It makes things a lot easier if you can walk in the door. And you don't have to be a technical person to perform these breaches -- it opens the door to a wider pool of data thieves."

Social engineering is way too easy a ploy to get a foot in the door, experts say. Stasiukonis, who stages social engineering exploits for his clients to audit their security, recently duped employees at a credit union client's facility, posing as a copier repairman stopping by to "clean" the copier machine. "I busted into a credit union last week, wearing one of those copier company t-shirts," Stasiukonis says. "So I jacked in and grabbed the password and log-ins in clear text and then [used them] to break in from the outside, too."

Getting the IT and physical security teams together is crucial to thwarting social engineering attacks like these. But it's not easy to teach employees who to trust and who not to trust. "Social engineering is a huge issue no matter what level of organization you're in," Consilium1's Kelly says. "Security awareness training needs to stress more on auditing and procedures to identify people you're giving information to, and for questioning people without badges."
The 10 Most Overlooked Aspects of Security
2. Proper disposal of devices, storage media, and sensitive documents
IT people hate dealing with trash. Attackers, on the other hand, love it. That should tell you something right there.

Each day, corporations dump tons of material on the curb, most of it useless landfill. But companies that don’t have strong policies on garbage disposal may be leaving bits of gold for hackers seeking passwords, customer information, or other sensitive data. And if they’re not careful, those organizations may just be throwing out the keys to their most valuable information.

One of the most frequently overlooked treasures for attackers is the discarded hard drive. As companies upgrade their old machines, they often donate them to recycling centers or charities, or simply mark them as trash. But some IT departments are lax about wiping those old hard drives, creating potentially damaging data leaks.

In a study published in August, researchers at the U.K.’s University of Glamorgan and Australia’s Edith Cowan University bought more than 300 hard drives at auctions and computer fairs all over the world. What they found was a surprising array of data that should have been erased long before the drives were sold or tossed: payroll information, employee names and photos, IP addresses, network information, mobile phone numbers, copies of invoices, and financial information such as bank and credit card accounts. (See Second-Hand Drives Yield First-Class Data.)

And the problem isn’t limited to hard drives. In a separate study also published in August, security firm Trust Digital made similar purchases of used cell phones and PDAs on eBay, and researchers were able to recover sensitive data from nine of the ten devices in the study. ”The file system on your cell phone or PDA is just like the one on your PC’s hard drive,” said Norm Laudermilch, CTO at Trust Digital. “If you delete a file, you’re not really overwriting the data. All it’s doing is changing the index of the file system, or the file’s pointers.” (See Study: Used Cell Phones, PDAs Contain Confidential Data.)

And companies shouldn’t overlook one of the oldest forms of stolen data: paper trash, experts say. Jim Stickley, CTO at penetration testing company TraceSecurity, says he has found a wealth of sensitive information -- including user identities and passwords -- simply by dumpster-diving in unshredded company trash. “Shred, shred, shred,” he says. (See 'Analog Hackers' Overlooked, Undetected.)
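Laudermilch's point, that deleting only edits the index, is easy to see on a toy disk image. The following is an added example written for this page; it is not code from the original article or from Trust Digital. The block size, the directory layout, the `ToyDisk` class and the payroll record are all constructed for illustration (the card number is a standard test number). Real file systems lay things out differently, but they share the property shown: unlinking a file leaves its data blocks intact until something overwrites them, which is exactly what a carving tool exploits.

```python
"""Why 'delete' is not 'erase': a toy disk with a directory index.

Added example for this article, not code from the page or from Trust Digital.
Block size, directory format and the sample record are constructed.
"""
import os
import re

BLOCK = 64  # toy block size in bytes (assumption; real FS blocks are 512-4096+)


class ToyDisk:
    """A byte array plus a directory mapping name -> (first_block, nblocks)."""

    def __init__(self, nblocks: int = 32) -> None:
        self.image = bytearray(BLOCK * nblocks)
        self.free = list(range(nblocks))
        self.directory = {}

    def write_file(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK)  # ceiling division
        if nblocks > len(self.free):
            raise OSError("disk full")
        first = self.free[0]              # toy allocator: contiguous blocks
        del self.free[:nblocks]
        self.image[first * BLOCK:first * BLOCK + len(data)] = data
        self.directory[name] = (first, nblocks)

    def delete(self, name: str) -> None:
        """What an ordinary delete does: drop the index entry, free the blocks.
        The bytes themselves are untouched."""
        first, nblocks = self.directory.pop(name)
        self.free.extend(range(first, first + nblocks))

    def secure_delete(self, name: str, passes: int = 1) -> None:
        """Overwrite the file's blocks before releasing them."""
        first, nblocks = self.directory[name]
        start, end = first * BLOCK, (first + nblocks) * BLOCK
        for _ in range(passes):
            self.image[start:end] = os.urandom(end - start)
        self.image[start:end] = bytes(end - start)  # final zero pass
        self.delete(name)

    def carve(self, pattern: bytes) -> list:
        """What a forensic tool does: ignore the directory, scan raw bytes."""
        return re.findall(pattern, bytes(self.image))


# Constructed record standing in for the payroll/card data the study found.
RECORD = b"name=A. Example;card=4111111111111111;salary=52000\n"
CARD_RE = rb"card=(\d{13,19})"


def demo_plain_delete() -> list:
    """Delete via the directory only, then carve: the card number comes back."""
    disk = ToyDisk()
    disk.write_file("payroll.csv", RECORD)
    disk.delete("payroll.csv")
    assert "payroll.csv" not in disk.directory   # gone as far as the FS knows
    return disk.carve(CARD_RE)


def demo_secure_delete() -> list:
    """Overwrite first, then release: carving finds nothing."""
    disk = ToyDisk()
    disk.write_file("payroll.csv", RECORD)
    disk.secure_delete("payroll.csv")
    return disk.carve(CARD_RE)


if __name__ == "__main__":
    print("after delete:       ", demo_plain_delete())   # [b'4111111111111111']
    print("after secure delete:", demo_secure_delete())  # []
```

One caveat a practitioner should keep in mind: the overwrite-in-place approach shown here is only trustworthy on media that actually writes where it is told to. Flash-based storage (SSDs, phones, PDAs, thumb drives) remaps blocks through a translation layer, so an overwrite may land on a fresh block while the old copy survives; for those, use the device's built-in sanitize or secure-erase command, or rely on full-disk encryption and destroy the key. NIST SP 800-88 is the usual reference for choosing a sanitization method per media type.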
The 10 Most Overlooked Aspects of Security
3. Background checks
A background check? When did it become necessary to do more than call references and verify past employment? It's easy and tempting to overlook the character issue when hiring employees, or even managing them over the long term. But as the strategic value and importance of IT has risen, so has the need to make sure those with the keys to the kingdom aren’t eavesdropping, stealing, or worse.

"It's become more the norm that companies screen all their employees," said Jason Morris, president of Background Information Services, Cleveland. "People quickly realized that IT is one of their biggest liabilities -- when employees take home data tapes, for example. So they may not screen low-level carpet sweepers, but if they have access to sensitive areas, employers screen."

In addition to verifying education and previous employment, Morris encourages making sure there are no unexplained gaps in a candidate's job history. Are they claiming MCSE or Cisco router certifications? Get it confirmed, he suggests. "Driver's records could also be a good measure of responsibility, as are credit reports." A basic check might include SSN verification, address history, and a search of county records for felonies and misdemeanors. Background research can get even more detailed (and expensive) with searches of sex offender databases, state and national archives, even international resources.

So how much should a company expect to spend on a background check? "It varies, but a good rule of thumb is one day's salary" for the position for which you're hiring, Morris says. "It can be a lot less too."

Doug Shields, president of Secure Networks, finds less value in sifting through official records and prefers to drill down on what he calls "character issues." Shields, who worked at the CIA for nine years, is more interested in why a prospect left his last job, or whether he was an Eagle Scout, for example. "That may sound hokey, but it tells you something." You can also learn about character by asking candidates how they safeguard their own data. Do they use encryption on their personal laptop? Have they set up a wireless LAN at home, and if so, what security protocol did they use? The answers will tell you something about consistency and follow-through, Shields suggests.

And while screening before employment begins is great, it doesn't help much if you don't continue to keep tabs of some sort on employees. "If they go bad over time, you're not going to know about it" unless there's continued monitoring, Shields explains. "It doesn't matter what industry you're in. You have to make sure your stuff is secure and that people only have access to things they should have access to."
The 10 Most Overlooked Aspects of Security
4. Getting control of the at-home user
Out of sight, out of mind. Many IT departments carefully watch their employees in the office, but they fail to monitor what software their users are installing or what hardware (think thumb drives and iPods) they're plugging into their desktop or laptop machines at home -- or who else may have access to those machines.

The rash of laptop losses and thefts at major corporations and government agencies over the past year has red-flagged the problem of securing data when it leaves company premises. But what about the machines that sit in home offices where telecommuters work daily, or company executives work after hours? And what happens when a user's home is broken into and his laptop or PC stolen?

"The problem companies face with home workers is that the security boundary with the Internet has been extended to hundreds, even thousands of remote locations," says Geoff Bennett, director of product marketing at StreamShield. "The odds of a weak point are multiplied exponentially."

Ironically, top execs can be the weakest links in the home-user chain. "The CEO and CFO want to store sensitive information locally on their laptops because they don't want to worry about VPNing in," says Consilium1's Kelly.

Few IT organizations have the means to restrict user access when the machine is off-site: Home users may leave their machines connected to the company network, or give passwords out to family or friends. And watch out for those technologically precocious kids in the house. "In one instance, a CEO’s kid got on his machine and renamed critical financial files. The firm was unable to do a planned stockholders' meeting as a result," says Rob Enderle, principal analyst with the Enderle Group. "Endpoint security remains important, especially if the equipment isn’t on premise." Security assessments are rarely, if ever, done of the homes of these users, Enderle says.

And now, as home users increasingly become the targets of phishing and botnet attacks, the company-issued laptop and the user's home PC with VPN access can put the corporate network at risk. "If their machine has turned into a zombie and has access through a VPN to the corporation, the corporation is clearly exposed," Enderle says. Many bot infections include a keylogger, which captures passwords as they are typed. A zombie PC also becomes a spam pipeline, says StreamShield's Bennett, which can wreak havoc, since most corporate email systems are configured to filter inbound, not outbound, spam. "The assumption is that one's own employees are not likely to send spam. But a compromised PC will act as a spam relay," he says, which could result in the company's legitimate email being blacklisted by other organizations.

One way to lock down home users is to eliminate VPN access and instead use biometric, multi-factor authentication to email and "the most limited set of resources needed to do the job," Enderle says. A home security audit is also helpful, as is training home users how best to protect their computer and the company network. "And the computer accessing the corporate resources should remain administered and patched, and protected to a degree sufficient for the level of access the remote employee has."
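Bennett's observation that gateways filter inbound but not outbound mail suggests a cheap detection: watch the relay's own log for an internal client that suddenly behaves like a spam engine. The block below is an added example written for this page, not code from the original article, from StreamShield or from the Enderle Group. The log line format, the sample lines (a normal user on 10.20.1.7 and a VPN-connected home PC on 10.20.3.44) and the thresholds are all constructed for the example; a real deployment would point `LINE_RE` at its own MTA's log format and tune the limits to its own traffic.

```python
"""Spot an internal host that has become an outbound spam relay.

Added example for this article; not code from the page, StreamShield or the
Enderle Group. Log format, sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per outbound message the gateway accepted from an internal client.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)$"
)

INTERNAL_DOMAIN = "corp.example"   # assumption: our own mail domain
WINDOW = timedelta(minutes=5)      # assumption: sliding window per client
MAX_MSGS = 20                      # more messages than this per window -> "rate"
MAX_RCPT_DOMAINS = 10              # more distinct external domains -> "fanout"
MAX_SENDERS = 2                    # more envelope senders from one PC -> "senders"


def parse(log: str):
    """Yield parsed events; lines that don't match the format are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            yield e


def find_relays(log: str) -> dict:
    """Return {client_ip: {category: detail}} for clients whose outbound
    traffic looks like a spam relay in any WINDOW-long span."""
    per_client = defaultdict(list)
    for e in sorted(parse(log), key=lambda e: e["ts"]):
        per_client[e["client"]].append(e)

    flagged = {}
    for client, events in per_client.items():
        reasons = {}
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            external = {
                e["rcpt"].rsplit("@", 1)[1].lower()
                for e in window
                if not e["rcpt"].lower().endswith("@" + INTERNAL_DOMAIN)
            }
            senders = {e["sender"].lower() for e in window}
            if len(window) > MAX_MSGS:
                reasons["rate"] = f"{len(window)} messages within {WINDOW}"
            if len(external) > MAX_RCPT_DOMAINS:
                reasons["fanout"] = f"{len(external)} distinct external domains"
            if len(senders) > MAX_SENDERS:
                reasons["senders"] = f"{len(senders)} distinct envelope senders"
        if reasons:
            flagged[client] = reasons
    return flagged


def constructed_log() -> str:
    """Constructed sample: a normal user, and a VPN-connected home PC that is
    pumping out spam to many domains under forged local sender addresses."""
    base = datetime(2006, 11, 29, 8, 0, 0)
    lines = []
    for i, rcpt in enumerate(["cfo@corp.example", "vendor@partner.example",
                              "bob@corp.example"]):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} client=10.20.1.7 from=<alice@corp.example> "
                     f"to=<{rcpt}> status=sent")
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} client=10.20.3.44 from=<promo{i % 7}@corp.example> "
                     f"to=<victim{i}@mail{i}.example> status=sent")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, reasons in find_relays(constructed_log()).items():
        print(client, reasons)   # only 10.20.3.44, with rate, fanout and senders
```

The three signals are deliberately independent: a bulk mailing from a legitimate internal system trips only "rate", a zombie typically trips all three at once, and a forged-sender count above one or two from a single desktop is suspicious on its own. Alerting on the client address rather than the sender address matters because, as Bennett notes, the sender field is whatever the compromised PC chooses to put there.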
The 10 Most Overlooked Aspects of Security
5. Taking advantage of built-in security functions
Security is big business these days, and hardware vendors know it. As a result, many hardware vendors have begun to build security features directly into their devices, giving them out-of-the-box capabilities that are often unexplored or overlooked.

One of the best examples of this phenomenon is the Trusted Computing Group’s Trusted Platform Module (TPM) 1.2, a set of specifications that lets vendors add a "security chip" microprocessor to any PC. TPM 1.1 chips made by vendors such as Atmel, Broadcom, and Infineon have become standard issue on most PC hardware, but PCs that use TPM 1.2 only began shipping in the first half of this year.

Companies that have begun using TPM packages, such as Wave Systems’ Embassy Trust Suite 5.1, are giving it a thumbs up. "Using TPM and Embassy Trust Suite has made a huge difference in the way we administer security," says Chris Cahalin, network manager at Papa Gino's, which operates some 400 restaurants throughout New England. "It's not only made our client machines and files more secure, but it's given us a lot more control in IT."

ETS 5.1 is a set of security tools and applications that leverage TPM chips to encrypt files, folders, and passwords on a laptop or PC, leaving the key only in the hands of the end user and the IT department. The keys can be given out in the form of smart cards, or the user can be authenticated via biometrics or a digital certificate. The net result is that users of TPM 1.2 and ETS 5.1 can lock their hard drives, folders, and files under encryption keys that only the authorized user can unlock. A thief can't read any of the files on a stolen TPM laptop, and even users inside the company can be locked out of sensitive files on any end station.

Although most new PCs have a TPM, many enterprises have yet to turn on its functionality, concedes Steven Sprague, president and CEO of Wave Systems. "I would encourage every enterprise to take a few of their new PCs into the lab, turn on this technology, and see what it can do," he says. "It'll change the way they look at end-user security."

Most experts see TPM as a boon for enterprises because it is a standard that works uniformly across vendors and PC models. But they are more wary of proprietary built-in security capabilities that are now being added to consumer-oriented machines. Over the last few weeks, PC hardware vendors have been rolling out security technology at a rapid rate. On Nov. 1, Hitachi Global Storage Technologies announced that it will offer optional hardware encryption on all of its new 2.5-inch disk drives, which are expected to ship at a rate of a million units per quarter in early 2007. That announcement came on the heels of new drives from Seagate Technology, which will offer not only hard drive encryption but also multi-factor authentication options intended to keep unauthorized users from accessing any data on the drive. (See Dark Reading.)
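What makes a TPM-protected key different from a key sitting in a file is that the chip will only release it while the platform is in the state it was sealed against, and only on the chip that sealed it. The simulation below is an added example written for this page; it is not code from the original article, from the Trusted Computing Group or from Wave Systems, and it does not talk to a real TPM. It models the two TPM 1.2 behaviours the article's protections rest on: PCRs are 20-byte SHA-1 registers that can only be extended, never written, and a sealed blob unseals only while the selected PCRs reproduce the values it was sealed to. `SimTPM`, the storage root key, the HMAC-SHA256 keystream and tag, and the three-component boot chain are stand-ins for the real chip's RSA/SHA-1 internals and a real firmware measurement log; they are assumptions for illustration, not the TPM's actual algorithms.

```python
"""Simulated TPM 1.2 sealed storage (added example; not code from the page,
the Trusted Computing Group or Wave Systems; crypto here is a stand-in)."""
import hashlib
import hmac
import os
from typing import Optional, Sequence, Tuple

PCR_COUNT = 24   # TPM 1.2 has 24 platform configuration registers
PCR_LEN = 20     # SHA-1 digest length


class SimTPM:
    def __init__(self) -> None:
        self._srk = os.urandom(32)    # storage root key: never leaves the chip
        self.reset()

    def reset(self) -> None:
        """Power-on reset: PCRs return to zero, the SRK persists."""
        self.pcrs = [bytes(PCR_LEN)] * PCR_COUNT

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR[i] = SHA1(PCR[i] || SHA1(measurement)). There is no 'set'."""
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def _composite(self, indices: Sequence[int]) -> bytes:
        return hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()

    def _keystream(self, composite: bytes, nonce: bytes, n: int) -> bytes:
        # Stand-in for the TPM's internal encryption: HMAC in counter mode.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._srk, composite + nonce + ctr.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, secret: bytes, indices: Sequence[int]) -> bytes:
        """Bind `secret` to the current values of PCRs[indices] and to this chip."""
        composite = self._composite(indices)
        nonce = os.urandom(16)
        ks = self._keystream(composite, nonce, len(secret))
        ct = bytes(a ^ b for a, b in zip(secret, ks))
        tag = hmac.new(self._srk, composite + nonce + ct, hashlib.sha256).digest()
        return bytes([len(indices)]) + bytes(indices) + nonce + tag + ct

    def unseal(self, blob: bytes) -> bytes:
        """Succeeds only if the *current* PCRs reproduce the sealed composite."""
        n = blob[0]
        indices = tuple(blob[1:1 + n])
        nonce, tag, ct = blob[1 + n:17 + n], blob[17 + n:49 + n], blob[49 + n:]
        composite = self._composite(indices)
        expect = hmac.new(self._srk, composite + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise PermissionError("PCR state or chip does not match the sealed blob")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(composite, nonce, len(ct))))


# Constructed boot chain: what firmware/bootloader would measure into PCRs 0, 4, 8.
GOOD_BOOT = [(0, b"firmware v1.0"), (4, b"bootloader v2.3"), (8, b"kernel 2.6.18")]
EVIL_BOOT = [(0, b"firmware v1.0"), (4, b"bootloader v2.3 +rootkit"), (8, b"kernel 2.6.18")]
DISK_KEY = os.urandom(32)   # the volume key the TPM is protecting


def boot(tpm: SimTPM, chain) -> None:
    tpm.reset()
    for index, component in chain:
        tpm.extend(index, component)


def try_unseal(tpm: SimTPM, blob: bytes, chain) -> Optional[bytes]:
    boot(tpm, chain)
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None


def demo() -> Tuple[bool, bool, bool]:
    """(clean boot on the sealing chip works, tampered bootloader fails,
    drive moved to a different chip fails)"""
    tpm = SimTPM()
    boot(tpm, GOOD_BOOT)
    blob = tpm.seal(DISK_KEY, (0, 4, 8))
    clean = try_unseal(tpm, blob, GOOD_BOOT) == DISK_KEY
    tampered = try_unseal(tpm, blob, EVIL_BOOT) is None
    other_chip = try_unseal(SimTPM(), blob, GOOD_BOOT) is None
    return clean, tampered, other_chip


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Two things to take from this that the vendor quotes leave implicit. First, the protection is against offline and pre-boot attacks: a drive pulled from a stolen laptop, or a modified bootloader, never gets the key. Once a clean boot has unsealed the key into a running OS, the OS is what protects it, which is why the products pair the TPM with user authentication (smart card, biometric, certificate) before the unseal. Second, because PCRs can only be extended, a legitimate firmware or bootloader update changes the composite too; an enterprise turning this on needs a plan for resealing (or a recovery key) before the first patch cycle, or the lab test Sprague recommends will turn into a locked-out fleet.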
IT Security Problems Recognized by the Military
US Military Roadmap: 'Fight the Net'
JANUARY 30, 2007

Ground operations, air operations, maritime operations -- and now, information operations? That's right -- the U.S. military wants to add information operations as a new military core competency, according to a newly declassified Defense Department document called the "Information Operations Roadmap."

The 78-page document, written in October 2003 and signed by former Defense Secretary Donald Rumsfeld (complete with blacked-out blocks of classified text), was obtained via the Freedom of Information Act by the National Security Archive at George Washington University and reported by BBC News. It provides a sneak peek into the military's ambitious goals for information operations: using and fighting the Internet, improving psychological operations (psyops), and dominating the electromagnetic spectrum. Bottom line: Information is crucial to the military's success.

"Fight the Net" is a major recurring theme of the document. Given the rise in hacker and cybercrime risks to U.S. businesses, the military should fight the Internet as if it were an "enemy weapons system," the document says. It also points out that networks are becoming more vulnerable and calls for a defense-in-depth strategy for "providing Combatant Commanders with the tools necessary to preserve warfighting capability." The document hints at the use of "offensive cyber tools" and computer network attacks as well as integrated weapons systems, but much of that section is classified, and therefore sketchy.

Sean Kelly, business technology consultant with Consilium1, says the "fight the net" campaign is the wrong approach. "I agree that our Defense Department needs to have strong security strategies for defending our information systems -- especially intelligence databases, as well as key communications channels," Kelly says. "I would hope that our Defense Department would employ some of the best and brightest network security professionals to develop a strategy that identifies and protects -- through monitoring and taking action where necessary, [a] good old fashioned incident response program -- high-risk areas of its own networks as well as on the Internet."

The military's IO Roadmap also includes improving psyops, which today are more "reactive" and "not well organized," according to the document, including making better use of technology -- radio, television, print, and Web -- to spread the word. But one of the most compelling issues in the roadmap was the military's interest in getting control of the electromagnetic spectrum. "To prevail in an information-centric fight, it is increasingly important that our forces dominate the electromagnetic spectrum with attack capabilities," according to the document.

Kelly says controlling the electromagnetic spectrum is extreme. "Instead of taking an 'us against the world' approach, we should be collaborating with other nations to identify threats and develop a plan [to] address known vulnerabilities," he says. "We can decide how we want to defend our internal interests and network infrastructure, but we should not be seeking the ability to have full control over the electromagnetic spectrum."

Defense Department officials were not available for comment in time for this posting.
Made4biz Security
Translating real-world security knowhow into state of the art security systems.