Archive for July, 2009

Practice What You Preach

I was amused to read a Web posting (see http://hunger.hu/zf05.txt) claiming that the “l33t” group (a group of cyberattackers) had broken into Dan Kaminsky, Kevin Mitnick, and Julien Tinnes’ systems. They backed up their claims by showing listings of transactions on the compromised systems. They appear to have gotten a particularly great sense of satisfaction from having broken into Mitnick’s system, as shown in the following portion of their posting:

Kevin Mitnick, hero to many, wet dream to Emmanuel Goldstein. Consider this a follow up to the cDc article. Kevin has become the media rep for the hacker community, something which he has grown further and further apart from ever since his release. Without John Markoff’s sensationalist reporting Kevin Mitnick would not have the notoriety that allows him to earn his money providing keynotes at conferences all over the world. Kevin is polluting the media with bull***. Whilst we understand that owning him is something which has been done many, many times, we felt that not presenting his insecurity publicly would be wrong. Since 2003 this has been done three times of note and Kevin has used his enormously powerful SOCIAL ENGINEERING techniques to escape with an unharmed reputation each time. The fact is that he cannot secure his systems because he does not know how.

I got a good laugh, because Mitnick (as well as the rest of the individuals mentioned in this posting) is considered by some to be an information security expert. For better or worse, he is frequently chosen to be a keynote speaker for information security conferences and is often hired as an information security consultant. Interestingly, Mitnick replied to the l33t group’s posting by saying in effect that it was no big deal that this group compromised his system because there was no sensitive information on it. Yes, believe it or not, Mitnick said this, and in saying this, he has revealed a lot about his knowledge (?) of information security.

Lamentably, what has happened to Kaminsky, Mitnick and Tinnes has happened many times before. I remember how at Berkeley several individuals who worked in information security there had their machines compromised by engaging in dangerous actions such as opening attachments that they were not expecting. They quickly dismissed the fact that their machines had been compromised. What a message to the user community, the same community that the information security staff there blanketed with messages about engaging in safe computing practices. And I remember how a colleague who had achieved considerable prominence in information security had his machine compromised several times. He almost seemed proud that this had happened, that he had been targeted by the computer criminal community.

It is a tragedy that some who posture themselves as information security gurus are for some reason unable to secure their own systems. The bottom line is that those of us who claim to be information security professionals must practice what we preach. If we cannot even secure our own systems, we should not be out there telling others anything about information security.

Categories: Uncategorized Tags:

Not Enough Qualified Security Professionals?

The Partnership for Public Service and Booz Allen Hamilton recently released the results and conclusions of a study they conducted concerning the cyber attack-related risks that the US government faces. One overall conclusion of the study is that the US government will probably face a shortage of well-qualified information security professionals. Several factors, according to the study, contribute to the problem:

– A lack of well-qualified information security professionals in the first place

– The US government’s decentralized culture concerning human resource needs

– The hiring process itself. US government agencies and departments bungle their way through the hiring process. Many well-qualified information security professionals give up, rather than allow themselves to be strung along for many months without any progress in their effort to be hired.

– Front-line hiring managers and government personnel specialists do not see eye-to-eye concerning the qualifications information security specialists are supposed to have. Consequently, many well-qualified security professionals are not recognized as such, so they are overlooked in the hiring process.

Although part of the results and conclusions seem plausible to me, saying that there is a lack of well-qualified information security professionals smacks of something less than competent judgment for two reasons:

– In these hard times, we have a glut of exceptionally well-qualified information security professionals who are without work. I know many such individuals well, and I know first hand what many of them know and are capable of accomplishing. A large percentage of these individuals would love to have a job with the US government right now. Apparently, the US government as well as the Partnership for Public Service and Booz Allen Hamilton are simply not aware of them and do not know how to connect with them, very possibly because none of the above is truly in the mainstream of information security.

– By saying what they have said, the Partnership for Public Service and Booz Allen Hamilton have in effect impugned the reputation of information security itself. Perhaps these entities are not aware of the diligent efforts of great pioneers in this arena such as Hal Tipton and Micki Krause who spearheaded efforts to develop a Common Body of Knowledge and, ultimately, CISSP certification. It seems to me that the minimum qualifications for being a “well-qualified information security professional” would be a certain amount of practical experience in the arena and CISSP certification. The Partnership for Public Service and Booz Allen Hamilton do not seem to agree, however.

The rest of the survey’s findings make sense, but then again, the rest of the findings really only echo the obvious. Yes, we all know that a significant part of the US government’s problems is due to the fact that it is such a decentralized entity and that it is neither designed nor prepared to move forward on virtually any issue very quickly. I thus must question the value of the Partnership for Public Service and Booz Allen Hamilton’s study. Perhaps we can at least take heart in the fact that by paying these entities to conduct this survey, the US government has stimulated our ailing economy.

The Recent Starbucks Hoax

I was at a conference in Southern California earlier this week. While reading my email, I noticed that there was a message in my queue from a longtime friend and colleague. I would never have expected the content of any message sent by him to be what it was: an announcement of a free pastry with the purchase of coffee at Starbucks on July 21. All you had to do, according to the message, was to print the coupon within the message and take it to a Starbucks coffee shop.

Whenever I receive a message of this nature, the first thing I do is to immediately check out hoax buster sites. Sure enough, the first one that I hit (snopes.com) stated that the free pastry with the purchase of Starbucks coffee message was a hoax. After a second site that I also very much trust stated the same thing, I was convinced that the hoax message was bogus, and thus felt constrained to let everyone on the message distribution list know. I sent a short message saying “Sorry, but snopes.com and other anti-hoax sites say the Starbucks promotion is a hoax,” and nothing more.

What happened afterward did not exactly make my day. The sender of the message about the alleged Starbucks deal sent a series of messages that in essence said “I checked it out, and I assure you that the deal is real.” That seemed a bit strange for two reasons:

• The so-called promotion was not anywhere on the Starbucks.com site.

• The original message, forwarded by the person who sent it to me, had a sender address that indicated it had come from Switzerland. Why would someone in Switzerland announce a Starbucks promotion?

I had lots to do, so I refrained from contributing to what was starting to amount to spam. Additionally, so what if people believed the hoax, went to a Starbucks shop to collect on the so-called deal, only to be disappointed. Starbucks shops are everywhere, so nobody would waste much time, and the worst that could happen would be that some people might waste a little gas and time, at the same time feeling disappointed or perhaps even a bit angry.

Tuesday, July 21 came, and curiosity compelled me to go to two nearby Starbucks shops and see if there would indeed be free pastry with a coffee purchase. No way—the people behind the counter looked at me as if I was crazy when I asked if there was such a deal. I walked back to my hotel room, got back on the Internet, and told my friend that I had checked out the so-called deal and found that there was none. He replied that he had gotten a free pastry, and so had a friend of his.

The detective in me compelled me to recheck the facts. There was still no word whatsoever about the alleged promotion on the Starbucks site. Then I ran into a nice posting on yet another hoax buster site. It said that the message about the so-called promotion was a hoax, but that some Starbucks stores were honoring the coupon even though they did not know it was bogus.

This is indeed a strange world in which we live. I’m glad that a few people got something for free even though the message about the alleged deal was specious. There is a lesson for information security professionals here, though. Granted, none of us is perfect, but we must do everything in our power to ensure that the messages we create, and also the ones we forward, contain bona fide information. There is a lot of bogus information being spread over the Internet, and we need to do everything in our power to avoid being part of the problem. Doing a little detective work is the right solution. There are many great anti-hoax sites, and before we forward any kind of message containing claims, offers, promotions, and the like, we need to check these sites.

Oh, and by the way, my friend and I are still very much friends…

Trouble Brewing in the Cloud

You’ve probably read how administrators who work for the city of Los Angeles have recently decided to use Google e-mail services as well as Google information management services to use and store a variety of information, including city policy documents and police department information. These administrators anticipate considerable cost savings by using these Google services. Cheap is better in these hard times, but is cheap justified when information stored on computing systems is completely outside an organization’s control?

To deny that Google is extremely innovative would be totally specious. Google has in many ways defined technology during the first decade of the 2000s. At the same time, however, being an innovative information technology entity is by no means any kind of “end all.” We have by now seen too many companies and organizations arise apparently out of nowhere, only to find out that security in their products and services was severely deficient. Microsoft, now Google’s arch enemy, is one of the very best examples. For years Microsoft released products that were severely deficient from an information security point of view. This company orchestrated attacks against individuals who pointed out vulnerabilities in its products instead of making desperately needed changes in its software development process. Microsoft eventually made many of these changes, and now Microsoft product users enjoy a much higher level of at least out-of-the-box security in the products that they use than ever before.

So what about the issue of information stored in the so-called Google cloud? As with everything in information security, the answer depends on many factors, of which cost versus benefits is normally the major one. Cash is a precious commodity in today’s hard times. Using Google’s so-called “cloud services” for information management would on the surface thus seem extremely attractive. At the same time, however, the city of Los Angeles has by all indications neither offered nor entered into any kind of service level agreement (SLA) with Google. As such, the city of Los Angeles is completely at Google’s mercy concerning the protection of its information. Such things should not be.

In many ways, Google is where Microsoft was in the mid-1990s. Google gives lip service to information security, but in reality it offers vulnerability-ridden products and services. Google should not by any stretch of the imagination be considered a leader in information security. Please count on collecting from me a free pastry from Starbucks (note: this is a joke based on the latest of Internet hoaxes) long before Google wins any kind of information security awards. Until Google achieves a better reputation in information security, users of Google’s so-called (and completely inappropriately named) cloud services should not trust Google’s email and information management services.

Will the city of Los Angeles heed these words of caution? I would not count on it, but stay tuned…

The IEEE 802.11n Standard: A Step Backwards for Security?

In 1997 the first IEEE 802.11 wireless standard was published. Since then we have seen 802.11a, 11b, 11g, and 11i, and each new amendment has generally brought numerous performance enhancements and new functionality. Although 11g is currently the reigning standard, 11i (the security amendment, certified by the Wi-Fi Alliance as WPA2) is the “tried and true” standard for anyone for whom security is a concern. 11i prescribes:

• Port-based access control per IEEE 802.1X (a “supplicant” must authenticate before the access point’s controlled port is opened to its traffic)
• Use of the Extensible Authentication Protocol (EAP) to carry that authentication
• Secure key creation and key management mechanisms (a pairwise key hierarchy derived from the master key and established through the 4-way handshake)
• Robust Security Network (RSN) associations, in which CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) supersedes the interim TKIP (Temporal Key Integrity Protocol)
• Strong encryption of data in motion with AES (Advanced Encryption Standard) in place of the often justifiably maligned, RC4-based Wired Equivalent Privacy (WEP) encryption of the original 802.11 standard

I suspect that 11i would be more widely adopted if not for the cost of upgrading to it. The cost of replacing wireless network interface cards (NICs) with 11i-compatible NICs, and of purchasing 11i-compatible wireless access points, is a hurdle (albeit not an overwhelming one) for many who are considering the upgrade. Still, security-conscious organizations and individuals see the need for 11i and implement it.
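The key creation and key management that 11i prescribes can be shown concretely. The following is an added example written for this page, not code from the post or from any 802.11 implementation: it derives the PMK from a WPA2-Personal passphrase (PBKDF2-HMAC-SHA1, 4096 iterations), expands it into the pairwise key hierarchy with the 802.11i PRF, and computes and verifies the Key MIC on a 4-way handshake message 2 the way an access point does. The passphrase and SSID are the inputs of the 802.11i test vector; the MAC addresses, nonces and the message 2 frame are constructed for the example, and only the Python standard library is used.

```python
"""IEEE 802.11i pairwise key hierarchy and EAPOL-Key MIC check (added example, stdlib only)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, cipher: str = "CCMP") -> dict:
    """PTK = PRF-X(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).

    CCMP needs 384 bits (KCK, KEK, TK); TKIP needs 512 because of its two extra Michael MIC keys.
    The min/max ordering is what lets both sides compute the same PTK regardless of role.
    """
    nbits = 384 if cipher == "CCMP" else 512
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        keys["TX_MIC"], keys["RX_MIC"] = ptk[48:56], ptk[56:64]
    return keys


# EAPOL-Key layout: EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8), so the Key MIC starts at byte 81.
MIC_OFFSET = 81


def build_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed 4-way handshake message 2 (supplicant -> authenticator) with a zeroed MIC field."""
    body = bytes([2])                            # descriptor type 2: RSN key descriptor
    body += (0x010A).to_bytes(2, "big")          # key info: descriptor version 2 (HMAC-SHA1), pairwise, MIC bit
    body += (16).to_bytes(2, "big")              # key length: CCMP temporal key
    body += replay_counter.to_bytes(8, "big")
    body += snonce                               # 32-byte SNonce
    body += bytes(16) + bytes(8) + bytes(8)      # key IV, RSC, key ID: zero in message 2
    body += bytes(16)                            # Key MIC placeholder
    body += (0).to_bytes(2, "big")               # key data length (a real message 2 carries the RSN IE here)
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL version 1, type 3 = EAPOL-Key


def eapol_key_mic(kck: bytes, frame: bytes, version: int = 2) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed: v1 HMAC-MD5 (TKIP), v2 HMAC-SHA1-128 (CCMP)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytes, version: int = 2) -> bytes:
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame, version) + frame[MIC_OFFSET + 16:]


def verify_frame(kck: bytes, frame: bytes, version: int = 2) -> bool:
    """What the authenticator does on message 2: recompute the MIC and compare in constant time."""
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_key_mic(kck, frame, version))


def handshake_demo() -> dict:
    """Both sides derive the PTK; the station signs message 2; the AP accepts it and rejects a tampered copy."""
    pmk = pmk_from_passphrase("password", "IEEE")                            # 802.11i test-vector inputs
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MAC addresses
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                   # constructed nonces
    ap_keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    sta_keys = derive_ptk(pmk, spa, aa, snonce, anonce)                       # argument order deliberately swapped
    msg2 = sign_frame(sta_keys["KCK"], build_msg2(snonce))
    tampered = msg2[:17] + bytes(range(100, 132)) + msg2[49:]                 # attacker substitutes another SNonce
    return {
        "same_ptk": ap_keys == sta_keys,
        "msg2_ok": verify_frame(ap_keys["KCK"], msg2),
        "tampered_ok": verify_frame(ap_keys["KCK"], tampered),
        "pmk_hex": pmk.hex(),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

Running it shows same_ptk and msg2_ok as True and tampered_ok as False: the min/max ordering is why station and access point derive identical keys no matter which side’s values come first, and the MIC is why a message 2 with a substituted SNonce is rejected rather than used to derive a key. With 802.1X/EAP the PMK comes from the EAP method’s master session key instead of PBKDF2; everything from the PRF onward is unchanged.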

The 802.11n standard attempts to build upon prior 802.11 standards by calling for multiple-input multiple-output (MIMO). Using multiple transmit and receive antennas, MIMO delivers a capability called spatial multiplexing that increases both the range and the throughput of wireless networks. 11n supports data rates of over 400 Mbps (up to 600 Mbps with four spatial streams in 40 MHz channels), something that is even more impressive when the rates of 11g (a 54 Mbps signaling rate in the 2.4 GHz band, with real-world throughput in the low 20s of Mbps) are considered. Whereas performance problems have frequently dogged wireless networks, these problems will become a thing of the past.

Although the 11n standard can in many ways be considered a big breakthrough in wireless local area network (WLAN) standards, something about it worries me, namely that this standard is devoid of content relevant to security. I’m concerned that this standard is one of the many standards that have emerged in the past that call for “bigger and better” functionality and improved performance at the expense of inherent security. Additionally, I worry that the momentum the 11i standard has enjoyed over the last few years will come to an end with the emergence of a new standard that promises so much, yet does not factor in security. I wonder why those who drafted the provisions of this standard lacked the wisdom that leads engineers and others to consider the likely consequences if security is not built into a product.

There is hope, however. The Enhanced Wireless Consortium (EWC), a group formed to speed up the development of the 11n standard, is developing a specification for achieving interoperability of forthcoming WLAN products. Hopefully, a few members of this consortium will start asking questions about security and do something accordingly. Something that would pave the way for compatibility between fast WLANs and WANs with high levels of security would be a major step forward. Additionally, the final version of the 11n standard has not yet been ratified. Ratification is not expected until November or December of this year. Who knows, perhaps someone on this standards group will come to his or her senses and wake members up to their blindness to security issues.

CISSP Certification: More than Meets the Eye

Over the last few weeks I have spent most of my time frantically trying to upgrade a CISSP examination preparation course. I’ve had materials on this subject for years, but then again, I have not taught this course for a while. So when I examined the topics and issues that are covered by current CISSP exams, I had an eye opening experience. Frankly, I now realize that when it came to my estimation of the extent and difficulty of the information CISSP candidates must master, I had been like an ostrich with its head in the sand. Not a single expanded module was easy to put together. To cover some of the content, telecommunications and network security in particular, required an inordinate amount of painstaking effort. And the detail required in some of the modules, particularly the one about architecture, was considerable.

Things weren’t always this way. Nearly a decade and a half ago, CISSP certification covered many relevant areas, but it also covered areas that were rapidly becoming out of date. The technology domain, for example, had a large number of questions concerning mainframes and mainframe protocols when TCP/IP and Internet services had become dominant in real-world settings. Fortunately, things did not stay that way for long. To its credit, (ISC)² made the necessary adjustments.

Given all the certifications that are available in the information security arena, it is easy to lose sight of just what it takes to gain CISSP certification. The number of knowledge domains has expanded from a puny six when I was much younger to ten. Candidates for CISSP certification must know everything from basic information security concepts to information security management, access models, security architectures, cryptography, telecommunications and network security, application security, operations security, business continuity and disaster recovery, physical security, and legal and regulatory statutes and compliance. If it takes all the work required to create an expanded course on these knowledge domains, I am sure that mastering all the concepts in these areas must be an at least (if not more) formidable task.

I suppose that what I have learned over the last two months should not have surprised me. Information security itself has grown into a much more complicated area than it was just a decade ago. The knowledge that information security professionals possessed then may have been appropriate for the challenges that surfaced at that time, but things have changed considerably since then. Technology has become more complex, the quantity and quality of threats have increased considerably, and resources have become scarcer. It is now clear to me that the CISSP exam has more than kept up with the changes that the information security field has experienced. Once again, I’d like to laud the virtues of CISSP certification and also especially give credit to the elected (ISC)² representatives and staff for their fine job in ensuring that obtaining this certification is an extremely high caliber achievement for information security professionals.

Cyber Security Makes the Headlines

If you have been keeping up with world news you have certainly read about the cyber attacks that have been occurring against US government and South Korean computers. Interestingly, the MyDoom worm has been resurrected from the dead and modified so that it launches flooding attacks against these computers. The attacks are by no means sophisticated, but they generate so much traffic that they have brought Web sites such as whitehouse.gov to a virtual standstill.

Evidence is mounting that the attacks are from North Korea. According to one source, the North Korean army has a unit of cyber attackers, and this unit was reportedly ordered to bring down South Korean communications networks. Members of the South Korean parliamentary intelligence committee have recently stated that the South Korean National Intelligence Service has also pointed out that North Korea boasted last June that it was “fully ready for any form of high-tech war.”

The fact that yet another round of attacks has been launched should come as no surprise, yet something about these attacks is very much worth noting: they were the headlines in many newspapers last week. Information security-related stories hardly ever make the headlines. To the best of my knowledge, the last time this happened was when the Melissa virus propagated so fast and so widely. Before that, the most recent instance I can recall was John Markoff’s New York Times write-up of break-ins into US military and government computers during Operations Desert Shield and Desert Storm.

Every cloud has a silver lining, and the recent attacks are no exception. Although they have been costly and disruptive to the US and South Korean governments, they have once again brought information security to the forefront. The average reader has probably not been influenced one way or another by the news, but there is a good chance that many senior managers have been. Senior managers tend to pay close attention to headlines in newspapers as well as anything that makes the front page of the Wall Street Journal. By being so prominent in the news, the recent cyber attacks have done more to educate senior managers and raise their awareness than some of the best information security education and awareness programs ever could have. And the fact that Web site availability is being disrupted is particularly relevant to senior managers, given that so many businesses depend on their Web sites being available for their livelihood.

The attacks will continue for a while, but eventually they will subside. It is unlikely that any new lessons learned will result from the attacks. After all, most US government agencies and departments still have a long way to go when it comes to information security, and if information security did not appreciably improve after much more severe attacks such as the Titan Rain attacks, it is improbable that information security within these agencies and departments will change once the current attacks are over. But hopefully an impression has been made on senior management, one that just may make the difference for many information security practices in the amount of resources and support that senior management gives. And if that happens, as dreadful as the current attacks have been, something worthwhile will emerge from the proverbial rubble.

Secure Web Programming

July 10th, 2009

Web programming in and of itself is not the issue so much as the security of that programming. Over the years many people have been involved in “programming websites.” The distinction must be made here between a real web programmer and a web page designer. It is the dynamic back-end systems that typically create security vulnerabilities on web servers; static web pages that do little more than show some content are unlikely to cause havoc.

A web programmer typically works in a server-side language such as PHP or ASP, languages optimized for web applications. My specialty is secure PHP and MySQL programming, especially for web and database applications. This does not negate the ability to comment on web security for ASP and other languages, as they all operate pretty much the same way, just with different command structures and spellings: data flows the same way, and the potential security vulnerabilities are about the same. The only exceptions are associated with Microsoft’s web server, which inherently comes with its own regular security flaws and problems. Read more…
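The point that the data flow, and therefore the vulnerability, is the same regardless of server-side language can be shown with a minimal login check. The following is an added example, not code from the post; it uses Python’s built-in sqlite3 rather than PHP and MySQL so that it runs without a database server, and the users table, its two rows and the inputs are constructed. The first function splices the form fields into the query text (the mysql_query("... '$user' ...") habit in PHP); the second binds them as parameters.

```python
"""Untrusted web input reaching a SQL query: the vulnerable shape beside the fixed one (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a site's users table.

    Plaintext passwords are used only to keep the injection visible; a real table holds salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("o'brien", "pw2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Form fields spliced into the SQL text: whatever the user typed is parsed as part of the statement."""
    sql = ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the values travel separately from the SQL, so quotes and comments stay data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def run_demo() -> dict:
    """Run both versions against an injection string and against a legitimate name containing a quote."""
    conn = make_db()
    results = {}
    # 1. Classic bypass: the quote closes the literal and "--" comments out the password check.
    results["bypass_vulnerable"] = login_vulnerable(conn, "admin' --", "wrong")
    results["bypass_fixed"] = login_fixed(conn, "admin' --", "wrong")
    # 2. The same defect breaks honest input: an apostrophe in a real username is a syntax error.
    try:
        login_vulnerable(conn, "o'brien", "pw2")
        results["quote_vulnerable"] = "query ran"
    except sqlite3.OperationalError as exc:
        results["quote_vulnerable"] = "error: %s" % exc
    results["quote_fixed"] = login_fixed(conn, "o'brien", "pw2")
    results["good_login_fixed"] = login_fixed(conn, "admin", "s3cret")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-18s %r" % (name, value))
```

The vulnerable form lets admin' -- log in without a password and raises a syntax error on the legitimate user o'brien, two faces of the same defect: the input is being parsed as SQL. The fixed form returns nothing for the injection string and finds o'brien. In PHP the equivalent of the fixed function is a mysqli or PDO prepared statement with bound parameters; escaping input by hand before concatenating it is the weaker substitute.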

White House Among Targets of Sweeping Cyber Attack

By LOLITA C. BALDOR, Associated Press Writer
http://news.yahoo.com/s/ap/20090708/ap_on_go_ot/us_us_cyber_attack

WASHINGTON – The powerful attack that overwhelmed computers at U.S. and South Korean government agencies for days was even broader than initially realized, also targeting the White House, the Pentagon and the New York Stock Exchange.

Other targets of the attack included the National Security Agency, Homeland Security Department, State Department, the Nasdaq stock market and The Washington Post, according to an early analysis of the malicious software used in the attacks. Many of the organizations appeared to successfully blunt the sustained computer assaults.

The Associated Press obtained the target list from security experts analyzing the attacks. It was not immediately clear who might be responsible or what their motives were. South Korean intelligence officials believe the attacks were carried out by North Korea or pro-Pyongyang forces. Read more…

Federal Web Sites Knocked Out By Cyber Attack

By LOLITA C. BALDOR, Associated Press Writer – Wed Jul 8, 12:45 am ET
http://news.yahoo.com/s/ap/20090708/ap_on_go_ot/us_cyber_attack

WASHINGTON – A widespread and unusually resilient computer attack that began July 4 knocked out the Web sites of several government agencies, including some that are responsible for fighting cyber crime, The Associated Press has learned.

The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the holiday weekend and into this week, according to officials inside and outside the government. Some of the sites were still experiencing problems Tuesday evening. Cyber attacks on South Korea government and private sites also may be linked, officials there said. Read more…
