Security Geek-Ed

Educating tomorrow’s INFOSEC professional


Keeping Up with The Joneses

March 10, 2011 · No Comments · Uncategorized

It’s a truism that many companies, after creating an initial security policy, fail to either enforce or amend that policy. Standing pat in the technology field is a recipe for creeping disaster. Witness the recent efforts by Microsoft to wean trailing-edge users from IE6. Old, creaky, bug-ridden, flaw-riddled as it may be, some organizations are grimly hanging on because key applications will work with no other browser version.

This in itself might not be as bad if the use of this browser was restricted only to the corporate networks. Perhaps this was the original intent of the original security policy. But the policy in effect seems to have been written for desktop systems that never left the confines of the corporate office.

Consider the following. A company (we’ll call it BeanCo) is still distributing Windows XP SP3 as its standard image for company-supplied computers (it’s ironic to see the XP login screen while looking at the “Intel i5, suitable for Windows 7” logo pasted on the front of the laptop). One of the things that the Windows XP firewall lacked was the ability to sense when the user had connected to an undefined network (home, work, or other) and ask what policy should be applied. If the answer was “big bad Internet,” certain capabilities (like file and printer sharing) were turned off.

Not so in the BeanCo standard release. All Windows sharing services are enabled by default. So turn them off at the firewall, you say. Ah HA! Not so fast, Bunky! Turns out that the group policy doesn’t allow a user to manipulate the firewall rules. Bazinga! Hoist on your own petard.

Now, it might be the case that the IT group at BeanCo assumed that the employee grabbing a quick latte at Starbucks in the morning who wants to check their corporate email would fire up the corporate VPN client and join the corporate network, implying that the availability of these services would be protected by corporate security products. Of course, these services haven’t been disabled on the local WiFi network. On the other hand, corporate email is available via the Internet using (you guessed it) IE6. No VPN there. And what might happen in the presence of a targeted phishing email sent to the employee’s corporate address? Surfing to that address whilst in said coffee shop doesn’t provide any of the corporate protection. Just you, your creaky old IE6, and a too-permissive set of firewall permissions.

It can cost a lot to keep up with the Joneses. It can cost even more if you don’t.


Google’s 2-factor Authentication

February 19, 2011 · No Comments · Uncategorized


All The Words

February 17, 2011 · No Comments · Uncategorized

NIST just published a new report, The NIST Information Security Glossary of Key Information Security Terms. At 211 pages, it’s hard to think that something is missing, and yet … One nice thing about this doc is that it tracks the definition back to a source document, so you can read the original if you so desire. Now you can learn to talk correct, just like the real security x-pertz do. :)


The Challenge of Hybrid Clouds

February 14, 2011 · No Comments · Uncategorized

In a post on the VMware Community’s blog, AllwynSequeira had this to say:

As we begin to deploy such hybrid clouds, we need to tackle several issues, even in the infrastructure layer, let alone higher level PaaS and application stacks. For example, networking topologies and architectures start to come into play. It is one thing to create air-gapped silos in enterprises, where network segmentation via VLAN/subnet delineation and hair-pinned firewalls, realize separate zones of trust. The holy grail of public cloud infrastructure is creation of banks of compute and storage resources on a fast converged fabric interconnect, and then being able to instantly allocate secure, elastic VDCs for enterprises to place their VM collections into. In this environment, there is a need for a programmable fabric, wherein trust zones are fungibly constructed around VM/storage collections, regardless of underlying network topology.


Easier said than done.

I couldn’t agree more. As an old network guy who now does security, the challenges of integrating such networks can’t be overstated, and will require the co-ordination and co-operation of virtualized network folks and virtualized computing folks. The vNet meets the vDataCenter.

And how do we teach this subject of virtualization and security?


Safe Surfing

February 12, 2011 · No Comments · Uncategorized

I’ve chosen to run the following Firefox add-ins as a nod to better security and privacy while browsing. This list isn’t exhaustive, and there are certainly others. These are the ones I use as of Valentine’s Day, 2011.

  • Adblock Plus
  • BlackSheep (only on machines that have a chance of leaving my home and/or office)
  • Flashblock — in addition to NoScript
  • HTTPS-Everywhere — in response to FireSheep.
  • NoScript — the big one.
  • Ghostery — who’s tracking me.
  • BetterPrivacy — watch out for Flash LSOs

Ok, maybe this is “safer surf” instead of “safe surf”, but I think it will do.


All We Like Sheep …

January 16, 2011 · No Comments · Uncategorized

My friend and colleague at Brandeis University, Ramesh Naggapan, wrote an interesting blog on Firesheep, BlackSheep, and HTTPS Everywhere. Well worth a read, and I heartily recommend HTTPS Everywhere. A nice little hack that involves URL re-writing for particular sites.

In addition, remember that network access over a public WiFi network (unencrypted) does put your communication at risk unless you’re either using a VPN to a remote location, or you are using an SSL-supported protocol such as HTTPS (or POPS, etc.) that encrypts your communication between your computer and the remote server. So, mehson, “let’s be careful out there.”


The Promiscuous Web

January 16, 2011 · No Comments · Security, Uncategorized

Two things are starting to bug me.

First is loading content from a site using HTTP-S that also uses HTTP data. In IE, at least, this results in an annoying pop-up that asks: do you want to see content from this site that wasn’t delivered securely (or something like that). Every single time. Please, Web designers: take this into account when you’re designing your site.

Secondly, this is only exacerbated by the promiscuous use of other sites to provide content. The resulting “mash-up” is like the proverbial cluster-phuX. Consider one site in particular: www.boston.com. I use AdBlock, NoScript, and Flashblock when browsing with Firefox. When I access boston.com I am asked to trust content from 12 sites. Usually it takes between 3 and 4 mouse-clicks (“temporarily allow”) for me to get a complete Web page.

As drive-by attacks via compromised Web servers become even more prevalent, I for one worry about these “mash-ups” of content (which have only been made worse with the advent of social networks [tweet/friend/mySpace/blog me]). I belong to the generation that still holds out some belief in privacy and a certain degree of anonymity in Web browsing (I’m OK with boston.com knowing about my page visits, but outbrain.com?). Not so much.

One final anecdote. I was using the thesaurus at Merriam-Webster (m-w.com) one day at work, when I got bounced out to the security page indicating that my access to a particular Web site had been blocked. Turns out m-w.com was loading advertising pages from a site that had purportedly been used to supply malware.

You can look it up.
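To make the two complaints above concrete, here is a small added audit script (not from the original post) that parses a page’s HTML, lists subresources fetched over plain HTTP from an HTTPS page (the source of the “not delivered securely” prompt), and counts the distinct hosts the page pulls content from (what NoScript asks you to allow one by one). The page URL, host names and markup are constructed samples, not boston.com’s real content.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Constructed sample: an HTTPS page that pulls in scripts, images and frames
# from several hosts, two of them over plain HTTP. Made-up hosts and markup.
SAMPLE_PAGE_URL = "https://www.example-news.test/front"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example-news.test/app.js"></script>
<script src="https://widgets.thirdparty-a.test/embed.js"></script>
</head><body>
<img src="http://ads.thirdparty-b.test/banner.gif">
<img src="https://static.example-news.test/logo.png">
<iframe src="https://recommend.thirdparty-c.test/frame"></iframe>
<script src="//tracker.thirdparty-d.test/t.js"></script>
</body></html>
"""


class SubresourceCollector(HTMLParser):
    """Collect the URLs of elements that make the browser fetch something."""
    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCH_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.urls.append(value)


def audit_page(page_url, html):
    """Return (mixed_content_urls, other_hosts) for an HTTPS page.

    mixed_content_urls: subresources fetched over plain HTTP (mixed content).
    other_hosts: every host other than the page's own host that content is
    loaded from; subdomains of the site count as separate hosts here.
    """
    page_host = urlparse(page_url).hostname
    collector = SubresourceCollector()
    collector.feed(html)
    mixed, other_hosts = [], set()
    for raw in collector.urls:
        full = urljoin(page_url, raw)  # resolves relative and scheme-relative (//host) URLs
        parsed = urlparse(full)
        if parsed.scheme == "http":
            mixed.append(full)
        if parsed.hostname and parsed.hostname != page_host:
            other_hosts.add(parsed.hostname)
    return mixed, sorted(other_hosts)
```

Run against the sample, it reports two mixed-content URLs and six distinct external hosts; pointing the parser at a saved copy of a real front page shows how many parties a single visit actually talks to.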


The Irony of the Cloud

March 16, 2009 · No Comments · Uncategorized

One of the main information security issues facing corporations is that they simply don’t know what data they have, its sensitivity, nor where it’s located. Now, with the rush to cloud computing, these organizations can simply say: “Hey, we don’t know what data we have nor where it is because … it’s designed that way! We don’t have to know where it is! And if we don’t know where it is … how can we know what’s there!?”

OK, I jest. But it does illustrate to me that the abstraction/virtualization layers inserted between an application and its data can certainly obfuscate the assigning of responsibility for the protection of that data in accordance with its sensitivity and CIA. And do/will vendors offer services commensurate with that need? Right now, I for one am in the position of the old man who saw a dog ice-dancing. It wasn’t that he did it well … it was that he did it at all.


Skype and the role of privacy

February 28, 2009 · No Comments · Uncategorized

Bruce Schneier had a recent post that references an article in the Register available at <http://preview.tinyurl.com/a9hn2n>. Briefly stated, it appears that the NSA is ready to pay a lot of money for someone to crack Skype encryption, mainly because more and more criminals (including terrorist organizations) are using this technology instead of phone calls.

I won’t quote any more of the article: it’s definitely worth reading. And I still haven’t completely figured out where I stand on this. At this time, I reluctantly have to stand with those who say that the right to privacy is greater than the right to allow unlimited and unmonitored surveillance of private communication. Perhaps I would feel differently if I believed that government agencies could be trusted to do the “right thing” with the data and with the right to access … but I don’t, and I think the evidence will bear me out on that. So if PGP and Skype keep my communications private: good.


“Ain’t no free”

January 5, 2009 · No Comments · Uncategorized

or so says a wonderful song by NRBQ. I’m getting frustrated by writers who refer to applications and operating systems as “free” (as in beer, or as in speech?). The real deal is more complicated than that. Any complex system is going to take time to learn, time to manage, time to update, etc. You’ll also find bugs and mis-features, or features you want that no one else is willing to develop. None of this is “free.” It all reflects a commitment and an investment, as well as a “road not taken.” I’m reminded of a radio commercial for a transmission company in the Greater Boston area (and I can’t remember which one, sorry): “you can pay me now, or you can pay me later.” Free (no charge) software hides the cost at the back end.

So, yes, some software products can be obtained “free of charge.” No $$, paid for by the $0 bill. Just beware the hidden costs.
