Googleland!

February 22nd, 2010

A few days ago I sent out a tweet about an epiphany I had regarding Google. Why isn’t Google considered a utility? I think I know why but let’s start here: they’re considered part of the critical infrastructure, Google affects most of the world population, and Google can affect the events of governments and political relations. So, what part of this should continue to go unregulated?

Let’s go through a quick recap. Google produces a search engine that collects huge amounts of information from the Internet, scrapes personal information that it makes available to the government, creates web-based applications that more and more people are using to exchange sensitive information, and their assurance program still sucks. They’ve had outages and their license agreement absolves them of any responsibility or accountability. I should point out that after their last outage they did apologize. Good for Google.

Back to the recap: world reach, unrestricted access to worldwide data, and the ability to screw with governments and people. Hell, Google’s not a utility, Google’s a country!

From what I’ve heard, Google has its own brand of internal politics, there’s infighting and maneuvering and the result is poorly engineered products and bad decisions. Yep, I’m thinking Google’s a country. A self-interested country that’s not really concerned with the impact of their decisions, but a country nevertheless.

I remember another business/country: Ma Bell. It’s time for the US Government to sit up and take notice. They missed their chance with the Savings and Loans, Microsoft, and most recently Big Banking. When they miss we pay.

I think that it’s about time for the government to recognize the fact that information is just like power, water and sewage. It must continue to flow but in a way that’s beneficial to the public. After all, governments are supposed to be by the people and for the people, not the other way around. I think that Google’s lost their way and may need some gentle prodding by the government to remind them that they’re not to do any evil – even if it’s unintentional evil.

The 4 Horses of the Cyber Apocalypse

January 31st, 2010

OK, calling it the apocalypse may be a bit alarmist – unless you’re a victim of evolving cyber crime. It’s really sad when it’s the very government and utilities that you rely on for life-giving services that work to erode your privacy and security. So, four events occurred to spur me on to write this entry. I didn’t connect the dots until recently. Few things scare me but this situation is one of them.

The first event: A few weeks ago there was a knock at the door at home. When I answered there was a well-dressed young man with a clipboard and a very official looking ID and permit hanging from his neck. He introduced himself and said he worked for a local alarm company called ABC security. I told him I had an alarm and the next question shocked me: he asked me if I knew which of my neighbors didn’t have alarms! He said it would save him a bunch of time instead of going door-to-door. I told him that all my neighbors had alarms and bid him good day. The door wasn’t even closed before I was speed-dialing SJPD. When the cops showed up 10 minutes later there was no sign of my well-dressed sales person. That was a few weeks ago.

The second event: Early last week one of my neighbors approached me while I was unloading my car after a session of Death-by-Costco. She was very serious and obviously very agitated. She kept looking around as if she expected to be followed. Once I heard her story I understood her agitation: her house had been burglarized the week before.

The third event: Last week the Silicon Valley chapter of the ISSA had their monthly meeting (3rd Tuesday of each month) and at the end of the meeting one of the members quite angrily wanted to know why industrial security wasn’t on the list of important security trends for the chapter in 2010.

The fourth event: I got a notice from PG&E that they were going to install a smart meter on my house and that if I had an issue with it that was too bad. OK, they were “politically correct” when they said it but how many ways can you say “tough nuts”?

So what’s the connection?

Allow me to digress for a bit. Back in the pre-Internet days, when someone wanted to steal your identity they had to do a lot of legwork. They had to research people, family, friends, jobs, life and death, and it took time. A lot of it. Now, criminals can take advantage of aggregated information and stealing identities has become a small criminal industry within the greater scheme of Internet crime.

Getting back to my well-dressed perp, he was casing the neighborhood and relying on the good nature of people to collect information about their neighbors. He took his information and used it to craft a burglary plan that, after 8 break-ins, seems to have been pretty successful. Even in light of the fact that there are photos of the perps and their car, SJPD has yet to apprehend a suspect.

Now toss in the anonymity that the Internet supplies, shake in a few network and application vulnerabilities, sprinkle in a few million smart meters, and you have a recipe for more disaster. Smart meters are those meters that the power companies are trying to install on people’s homes to control power usage during high peak loads so the ancient and neglected power grid doesn’t collapse during said high loads. The advantage to power customers, according to the marketing, is that they can track their usage over the Internet! Yay! (That was the criminals cheering, BTW.)

Now criminals don’t have to risk getting caught on the streets, they can case your house from the safety of their criminal lair! Or their parents’ house…or wherever they’re living.

TSC analyzed an RFQ from a major power supplier regarding smart meters and the supporting infrastructure and came to the conclusion that power companies still don’t have a clue about security. It’s the next step in the chain of cyber crime – remote casing of your home using the very web sites that the power companies are using to convince customers that smart meters are a good idea.

I’m upgrading my alarm tomorrow and then I’m calling my power company to tell them to get their security act together. Perhaps you should too.

Password Authentication Takes Another Poke In the Eye

January 19th, 2010

On January 4th as reported on DarkReading and DataBreaches, Lincoln National Corporation notified the New Hampshire Attorney General’s Office of a major security breach affecting 1.2 million people. In addition to the internal cost of investigating the breach and bringing in an external forensics team; in addition to planning and executing remediation activities; in addition to the brand impact and loss of trust in the marketplace, Lincoln National had to cut checks for identity and credit monitoring services for all affected users.

So, was it the theft of vast swathes of personal data? Was it a parade of credit card numbers marching off into the distance? Was it, the now so old school, three men wearing ski masks scurrying out the rear entrance carrying bags with “Loot” written on them?

No. It was that some of their system users were caught sharing passwords. This is a classic “cautionary tale” (as your grandmother might have said) about how users making poor choices about security issues can impact a corporation in a real way.

So how can you defend against password sharing? Assuming that you already have a policy that prohibits it, I think there are three vectors to consider:

  • Training and education
  • Making non-compliance difficult
  • Monitoring and detection

Clearly, people have to be trained to know that they shouldn’t share passwords. But there are several problems that make this ineffective as the main defense. First, most people don’t care and so will forget. Many users will just not understand or even make the mental connection between what they were told was unacceptable and their subsequent errant behavior. Second (and my favorite) is the common case where people know that it is not allowed but do it anyway in the belief that they are saving the company from itself by ignoring policies that obstruct efficient business operations. You can try either carrot- or stick-based initiatives, but ultimately anything that absolutely depends on users making smart choices is doomed to failure.

So make non-compliance hard. The most obvious solution here is multifactor authentication (MFA). If logging in requires a password and a physical token of some sort (OTP or PKI certificate for example) or some other second factor that cannot be as easily shared as a password, then you are starting to protect people from their own poor judgment. Though I am generally skeptical of the value of password lifetime limits, this is one case where they do help. If the password must be changed every month, then sharing it with others can start to become a burden as the improperly credentialed users need to find out what the new value is from the original owner repeatedly.

Monitoring and detection can be hard to do. It is possible to describe scenario details that a system could use to distinguish valid use cases from people with shared passwords, but they are complex, difficult to implement and subject to many false positives. If a user logs in from two IP addresses within a short time window, that could be a bad thing — but it might also mean they moved from their desk to a conference room with their laptop and switched to using a WWAN link. Geolocation helps…until people go on a business trip. This begins to feel more like an exercise in fraud detection with the consequent vagueness and probabilistic results that you get in that field.
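As an added illustration of the detection approach sketched above (this is example code written for this page, not anything the post or Lincoln National used), the following Python runs a shared-credential heuristic over a few constructed authentication log lines. The log format, the usernames, the addresses and the trusted corporate address range are all assumptions. It flags a user whose successful logins come from two different source addresses within a short window, but deliberately ignores hops between two addresses inside the assumed corporate network, which is the “desk to conference room” case that would otherwise generate noise. The WWAN and business-trip cases still trip it, which is the point of the paragraph above: this is a heuristic with false positives, not proof of sharing.

```python
"""Constructed example: flag possibly shared credentials from auth logs.

The log lines, users, addresses and the trusted network range below are
all constructed for this example and do not come from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Hypothetical log format, assumed for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)

# Assumed corporate address space. Two successive logins from inside it
# are treated as someone moving around the building, not as sharing.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample input.
SAMPLE_LOG = """\
2010-01-18T09:01:12Z user=alice ip=10.0.4.22 result=success
2010-01-18T09:03:40Z user=alice ip=10.0.7.9 result=success
2010-01-18T09:05:02Z user=bob ip=10.0.4.30 result=success
2010-01-18T09:06:15Z user=bob ip=203.0.113.17 result=success
2010-01-18T09:06:50Z user=carol ip=198.51.100.8 result=failure
2010-01-18T09:07:01Z user=carol ip=198.51.100.8 result=success
2010-01-18T14:30:00Z user=bob ip=10.0.4.30 result=success
2010-01-18T14:31:00Z user=bob ip=10.0.4.30 result=success
"""


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    user: str
    first_ip: str
    second_ip: str
    seconds_apart: int


def parse(log_text):
    """Return the successful logins in the log; failures are irrelevant here."""
    logins = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        logins.append(Login(ts, m["user"], m["ip"]))
    return logins


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_shared_credentials(logins, window=timedelta(minutes=10)):
    """Flag a user who logs in from two different addresses within `window`,
    unless both addresses are inside the trusted corporate range."""
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            if cur.ip == prev.ip or cur.ts - prev.ts > window:
                continue
            if is_trusted(prev.ip) and is_trusted(cur.ip):
                continue  # moved between corporate subnets; not suspicious
            gap = int((cur.ts - prev.ts).total_seconds())
            alerts.append(Alert(user, prev.ip, cur.ip, gap))
    return alerts


if __name__ == "__main__":
    for alert in find_shared_credentials(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, alice’s two logins are both inside the trusted range and are ignored, carol’s failed attempt is dropped before comparison, and bob is flagged once: a corporate address followed 73 seconds later by a public one. Whether bob shared his password or switched his laptop to a WWAN card is exactly what the heuristic cannot tell you, so treat the output as a lead for a human, not a verdict.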

Another concern here is when you want to protect passwords to systems that you do not actually manage. For example, financial services companies often form partnerships and supplier relationships that entail their staff logging into an upstream provider’s system. If the people who want to enforce a password policy do not have direct command and control over the systems in question, it seriously impacts their ability to implement MFA or monitoring solutions.

Bottom Line: Authentication Proxy

So really, the ideal solution is some form of authentication proxy. Allow the user to authenticate locally where you have control and then assert their identity to the remote relying system. This means not letting the user know the password to the remote system. Once they have logged in to your satisfaction locally, the system enters a password into the remote system on their behalf. If the technology components used are mature enough, they may support SAML assertions or such-like to do this gracefully.

This approach gives you the control to enforce MFA and monitoring locally and to leverage that value on remote systems. Then you can just outlaw all passwords that are not managed by such a system and perhaps even watch for those at the perimeter in some cases.
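To make the proxy idea concrete, here is an added Python example (written for this page; it is not code from the post, from Lincoln National or from any product). A local authenticator checks both factors, a password hash and an RFC 6238 TOTP code, and only then mints a short-lived HMAC-signed assertion naming the user and the intended audience. The relying party verifies the signature, the audience and the expiry and never receives, or even has, a password that the user could pass around. The user record, the seed, the shared assertion key, the audience name and the compact token format are all assumptions; the token is a deliberately simplified stand-in for a SAML assertion, not SAML itself.

```python
"""Constructed example: an authentication proxy that authenticates locally
with two factors and asserts identity to a relying party with a signed token.

All secrets, names and the token layout are assumptions made for this
example. The token is a simplified stand-in for a SAML-style assertion.
"""
import base64
import hashlib
import hmac
import json
import struct

# Assumed local user store. In practice the password hash lives in a
# directory and the TOTP seed in the user's token device.
_PBKDF_SALT = b"example-salt"
_PBKDF_ITERS = 200_000
LOCAL_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse", _PBKDF_SALT, _PBKDF_ITERS
        ),
        "totp_seed": b"0123456789abcdef0123",
    }
}
# Assumed key shared only between the proxy and the relying party.
ASSERTION_KEY = b"shared-between-proxy-and-relying-party"
RELYING_PARTY = "upstream-provider"


def totp(seed, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given epoch time in seconds."""
    counter = struct.pack(">Q", int(now) // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def local_authenticate(user, password, otp, now):
    """Proxy side: both factors must verify against the local store."""
    rec = LOCAL_USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), _PBKDF_SALT, _PBKDF_ITERS
    )
    pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])
    otp_ok = hmac.compare_digest(totp(rec["totp_seed"], now), otp)
    return pw_ok and otp_ok


def issue_assertion(user, password, otp, now, ttl=300):
    """Proxy side: authenticate locally, then sign a short-lived assertion.
    Returns the token string, or None if either factor fails."""
    if not local_authenticate(user, password, otp, now):
        return None
    claims = {"sub": user, "aud": RELYING_PARTY, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(ASSERTION_KEY, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def verify_assertion(token, now):
    """Relying-party side: check signature, audience and expiry.
    Returns the asserted subject, or None if the token is not acceptable."""
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = _b64(hmac.new(ASSERTION_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != RELYING_PARTY or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```

The control point this buys you is the one the post argues for: MFA and logging happen on the proxy, which you run, while the upstream system only has to trust a signed assertion with a five-minute lifetime. A user who wants to “share” access now has to hand over a physical token, and the assertion itself is useless to a colleague once it expires.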

Life, the Universe, and Howard Schmidt

January 11th, 2010

It’s nice to see the potential for things to go right. What I’m talking about is the appointment of Howard Schmidt to the position of U.S. Cybersecurity Czar. Now, there are those out there that think that this is a bad move. I happen to disagree and I’ll tell you why. When I first met Howard he was at Microsoft preaching the gospel of security to folks that didn’t seem interested. But he kept at it and we see the results today; Microsoft has a software assurance program that is slowly making headway.

Howard understands that innovation, hard work, and patience are the main legs on the success tripod. You’re probably saying “innovation and hard work sure, but why patience?” Because when you’re dealing with large organizations, if you don’t have patience you go nuts. And I can’t think of a larger organization than the US Government. Yes, it’s even bigger than Microsoft.

There are those that say that Howard wasn’t the first choice and I understand why. The way the job is presently structured, Howard has a lot of responsibility and little authority to get it done. It takes a brave person to step into that breach. Add to that the politics in D.C. and the fact that you have to make a lot of people happy at the same time and it gets complicated in short order. Although Howard will politic, he will tell people what they may not be ready to hear and he’ll use new and innovative methods and tools that may make some nervous. I say good.

Howard is up against a pretty tough rock, right next to a very hard place. There are legacy systems as well as legacy politics at work here. There are places that have to be fixed that the public isn’t even supposed to know exist, but if they fail, we’re in deep dark trouble. But Howard is in a unique position to take advantage of technology and processes that only someone with his unique experience in the public and private sectors can have. He’ll know what will work and how much time it will take for the solution to percolate to success. I trusted Howard enough to write the foreword to my book Endpoint Security, and I trust he’s smart enough to write a plan that protects the cyber interests of the U.S. Government and in doing so the people of the United States.

I believe that the Universe took a turn in the right direction last month. I’m going to sleep a little better tonight. The only thing that may keep me up a little bit is whether Obama is going to give him the actual authority to get it done.

Chatting with the CTO of Intelliden

December 14th, 2009

So I was talking with the CTO of Intelliden (www.intelliden.com), a guy named Glen Tindal. I spend a lot of time talking with folks trying to understand what’s keeping them up at night and what’s working in their environments. Sometimes, like this chat with Glen, it’s just about why things are still broken. So it was with some surprise that as I listened to Glen talk that I heard my very words about how the network and the endpoints need to work together instead of the present, almost adversarial, model of two technologies that happen to share the same network space. Our discussion got a bit more specific in that we discussed how the OS and the underlying network need to cooperate in a more seamless manner. In the interest of full disclosure, Intelliden has a product that combines information from network objects into a central management console. (No, TSC hasn’t tested it so I can’t comment on it but Glen seems like a sharp guy.) Glen asked me if I thought there was a company poised to take advantage of an integrated network/OS environment and never being at a loss for opinion, I told him. (If you’d like to know feel free to email me) He was surprised but he had formulated a similar answer – just with different players.

The bottom line was that we both agreed that a couple of major players are going to have to merge their solutions in ways that haven’t been done in the past. The one issue that I’m sure will pop up though is the specter of unfair competitive advantage. I suppose that there will always be folks that would rather have a hackable computer instead of a few monolithic technology companies.

Train Wreck in Progress!

November 7th, 2009

Every once in a while I get to watch something that is just eerily fascinating. This is one of those times. Human nature, the economy, and the legal system have come together to create a perfect environment for the destruction of a company. I was always amazed at companies that shed their sales people when they fall on hard times. I’ve been saying it for years: when it’s money or security, money always wins. I’m seeing it first hand. I’m watching a company that has eliminated all their full-time security employees to save money and they’re going to pay a heavy price. As they were handing their last security person his walking papers, a nasty piece of malware began to circulate on their network. How do I know? The last security person out the door told me. He had been tracking it for a couple of days and was getting ready to take action when he was told he didn’t work there any more.

He wasn’t the only security person out the door either. I know of at least 2 other security professionals that have been let go because their former employer didn’t see the value in keeping them on.

What amazes me is the notion that if there are no alarms, they don’t need security! A good security program will keep the noise to a minimum while protecting critical information. A CIO shouldn’t have to hear about every tiny alarm or alert.

Therein lies the problem: we do a good job while our PR machine rusts! No noise must mean no threats! We need to do a better job of articulating the value of a well run and maintained security program. Unfortunately, I know of one company that is going to learn that lesson the hard way.

Privacy Surrendered

November 1st, 2009

I just finished writing an article for the ISSA Journal on privacy. During the research I came to the conclusion that there is another shoe left to drop - corporate privacy. I consider corporate privacy the aggregate of the obvious things like intellectual property and private data, but I also think that it should contain a provision for employees’ private information. What if some enterprising thief decides to target your organization? What will they learn about the people at your company? Will they be able to use it against an individual or will they be able to extort the entire organization? You need to know what’s out there. What’s on the Facebook pages of your employees? Is there anything compromising on Flickr? It’s amazing what people will post about themselves!

Red Flags Rule is really Red Herring Rule

August 7th, 2009

The Red Flags Rule, an outgrowth of the Fair and Accurate Credit Transactions Act of 2003, or as I’m going to call it, the Future Assurance of Consulting Transactions Act of 2003, is another example of bureaucrats trying to solve a criminal problem with technology. FACT’s aim is to stem the tide of identity theft by forcing organizations that deal with credit information to implement a fraud detection program that will supposedly slow down and prevent identity theft incidents. So, starting in November, anyone that offers credit, such as car dealerships, utility companies, or telecom companies, must now implement a credit fraud detection program.

Will this engender warm and fuzzy feelings in the general public? It sure will! I’m feeling better already knowing that the local car dealerships will be implementing more complicated and of course, even more expensive procedures designed to ensure that someone doesn’t buy a car with my credit. That is, assuming that the car dealerships are still in business after the recession’s over.

What might these procedures look like, you might ask? Good question! At the very basic level, they will compare the address that you put on your credit application with the one that comes back in the credit report. If they don’t match, that’s what the geniuses in Congress call a “red flag.” Thanks to FACT, you will now have to find out why they don’t match.

Now, I’m thinking that nobody will use the excuse “I just bought a house” for a while so we should be good there. The other side of that coin, “my house just foreclosed” would probably be a “negative indicator” if you’re trying to buy a new car as well, so there goes that excuse. Thanks to Red Flags, bad guys will stick out like a sore thumb! OK, that was sarcastic because the bad guys are going to be armed with really good excuses and the dealerships are desperate so if you’re warm and breathing….

The bottom line here is that the Red Flags Rule creates a great opportunity for a lot of consultants to charge small businesses a lot of money they don’t have for a set of processes that really won’t be making much of a dent in the problem of identity theft. The desired outcome of FACT is good, but the implementation is still way too fuzzy.

Watch out! Learn what is really required of you and what you need to do to protect your customers, your business, and be compliant with Red Flags. Then we might actually see the tide change.

What the hell is going on over at Apple?

July 5th, 2009

How do you release a product that has such a basic flaw in it that one of the fundamental tools that this product provides can be used to turn it into a zombie? What I’m talking about is the newest security flaw to hit the iPhone, the SMS vulnerability. (http://hothardware.com/News/iPhone-SMS-Vulnerability-Found-Getting-Patched/)

I’m amazed that something like this leaked through their system. But I guess that’s the question here: what is their system? Many people complain that Apple doesn’t listen when people complain about things. They’re too closed. I’ve had that experience myself with the wifi issue on my MacBook Pro. The MBP had unreliable connectivity to access points. The issue was documented all over the Internet. Folks had workarounds that would provide temporary relief, but nothing permanent. I could see it happening! But when I brought my computer into an Apple store they denied that there was any issue at all!

The lesson that Apple should take away from this is two-fold. First, you can’t solve a problem until you admit that you have one, and second, there’s no substitute for a well designed and implemented product development process. In this case, one that takes into account the security issues. What this recent posting says is that even though Apple is one of the most improved vendors around with regard to their ability to eliminate software flaws, they have a process that is still generating them!

As much as I’d like to offer a solution, the best I can say right now is be careful who you give your phone number to until this is fixed. For most of us, that cat is already out of the bag!

Maybe the answer is to get another phone?

Oh, and Apple, it wouldn’t hurt to spring for a little independent 3rd party validation of your products. It would help Apple, and it would help the folks that depend on your technology.

Why are people surprised about ongoing security breaches?

March 26th, 2009

I’ve been reading a lot of press recently about breaches and vulnerabilities. Nothing particularly new there - it happens all the time. But for some reason I am beginning to get annoyed at the now customary tone of surprise and fear. Surprise, I suppose, that the technology that we so heavily rely upon could fail us in this way, leading to fear, presumably, that any ‘new technology initiative’ is doomed to failure because computers are inherently insecure.

This annoys me mostly because the correct response is not surprise and fear. It should be anger.

There is nothing inherently insecure about a piece of technology like a PC or a server. It only becomes dangerous when it is built into an ill-conceived solution. It’s not the technology’s fault, it’s the way we use it.

So if all we need to do is use this stuff properly, why do these data disasters happen? It’s because the people in charge don’t care enough!!!

If there were a spate of bridges falling down across the country, people wouldn’t be wringing their hands in anguish wishing that the world was a better place and lamenting how hard it is to build bridges and how unsafe they are. There would be a massive effort to ensure that bridges are built properly. People who build bridges without involving a structural engineer would go to jail. But instead with IT, it seems we just throw a bunch of software developers and systems engineers at a problem and hope that some of them know something about security (and when they don’t, there’s always Wikipedia. Right?).

There was a breach earlier this week at webhostingtalk.com where the attackers found a flaw at their backup site and used that to gain access to their main site and steal all the user data. A cunning attack, sure. But nothing that couldn’t be prevented by a suitable security design and testing regime supported by robust and sufficient policy and audit. But what irks me the most about this event was the comment on their forum from one of their members: “Welcome to the Internet. There’s really no reason to make a huge issue out of this. Simply change your password(s) and move on.” This is a community of people who are responsible for running the very sites that we worry about–and here is a webmaster publicly stating that he doesn’t really care, total system compromise and data loss is not a big deal.

What we need is more outrage at these events. From users, management, owners and investors, and from regulators of all descriptions. I am fed up with hearing “We can’t afford to invest in security right now, we are barely funded for development work.” or “We could add more security but we would lose users because it would be inconvenient.”

Building a bridge that may fall down is never accepted as an option, nor should it be for the security of IT products and applications.

Next time you read about a breach, please don’t be sad…BE ANGRY.