Site Review – Twitter
- At September 11, 2009
- By Josh More
- In Business Security
- 0
I think that everyone knows about Twitter by now. At first blush, one wouldn’t think that you could cram much information into just 140 characters… and one would probably be right. The signal to noise ratio on Twitter is exceptionally low.
However, despite it’s obvious flaws, people persist in using the site. Some use it keep in contact with friends. Some use it to communicate with business associates. Others just tie third-party systems into twitter and use it as a variant of an RSS feed.
However you use it, though, you should be aware of the security ramifications of the system. At it’s core, Twitter has two modes of operation. Everything you post is either fully public or protected (sorta private). So, the first question you have to ask yourself is whether you trust Twitter’s protection mechanism to keep your private data private. If you do, and you intend to broadcast private information, go ahead and use the protected mode. If, however, you wish to use the system for business, keeping it set to public makes the most sense. After all, you can’t promote a brand if you can’t be seen.
So, assuming that you are using Twitter publicly, you have to assume that anyone and everyone will be able to see your tweets. Thus, you should be careful with what you post. Keep in mind that, as with everything you put on the Internet, it will be there forever. Since you will change (like, both as a person and with regards to your company and career affiliation), your best bet is to just stay honest and polite. It’s pretty much inevitable that you will wind up looking stupid at some point, but you should probably be careful not to say anything that could come back to directly harm you.
So, the basic rules are the same as with most Internet sites.
- Be aware that everything you do is public.
- Try not to anything too unredemingly stupid.
Then you’re just left with the challenge of saying something useful in just 140 characters.
Small Business Defense – Network Exploration
- At September 10, 2009
- By Josh More
- In Business Security
- 0
Really, once they’re in, there is little you can do. If the attacker gets in too far, you’ll never know where the attacks are originating so unless you’re willing to build a completely new network with all new systems and applications, they’re there to stay.
One thing you can do is to segment your network ruthlessly. If sensitive traffic doesn’t traverse the weaker zones, an attacker will have a much harder time getting to the parts that matter. Another is to eliminate all the systems you can. A simpler network is easier to both maintain and to defend. If you know each and every system on the network and what it should be doing, it is easier to identify when odd things occur. You should also encrypt everything you can. Now, this isn’t a perfect solution, as in order to be useful the traffic has to be decryptable, but it does limit the number of targets that the attacker can find useful.
Lastly, you should familiarize yourself with the tools mentioned yesterday: Ettercap, DSniff and p0f. While it’s not about the tools, it is useful to understand what attackers can do. All three are available on the Backtrack LiveCD so you don’t even have to worry about installing them yourself (which can be tricky, depending on your OS).
Small Business Attack – Initial Exploitation
- At September 09, 2009
- By Josh More
- In Business Security
- 0
Thus far, I’ve talked about ways that attackers get in to your computers or network. I’ve not talked much about what they do once they’re there. Though there are a great many things that can happen once they get in, one of the first things done is to make sure that they can stay in. They may put backdoors into systems, set up secondary VPNs or modems or they may even sneak other systems onto your network.
Given that many networks aren’t fully mapped or even have tightly controlled access, there are many places on a network that a system can hide. One common trick is to walk into a business with a pre-programmed netbook or wall wart. This machine can then conduct passive network scanning and man in the middle attacks.
With tools like Ettercap, DSniff, p0f, an attacker can alter network traffic in transit while convincing both sides that things are fine. They can identify systems on the network while evading detection and check for important data crossing the network.
Yes, given time (a decreasing amount, sadly), they can do almost anything, but to start, they’ll explore the network and try to identify targets for future exploitation. The question is, what can you do about it?
Review Review – ComputerWorld's Free AV Wrapup
- At September 04, 2009
- By Josh More
- In Business Security
- 0
This week, ComputerWorld released a review of free anti-malware systems. The conclusions were much as one would expect, mostly that the free stuff works OK but the pay stuff is probably better. The free systems are ranked here, if you are so inclined.
So, really, there’s nothing new here. However, I do want to point out a few things:
- Only one system has phone support, and that costs $50 per instance.
- Many of them fund themselves with advertisements.
- Heuristic detection was pretty poor across the board.
- None of them update very frequently.
- Most of these companies have a for-pay version available as well.
I know that most of us are always looking to cut costs, but the sheer number of times that I have removed expired or non-functional anti-malware systems indicates to me that this is very important. Do not scrimp when it comes to security software. The good stuff costs real money for a reason.
If there is a problem, a reliable company will take care of you. The goal of a business in this space should be to help you maximize your profits. Sure, they have to cover their costs and make a bit of profit themselves, but attitude is extremely important. If they approach the problem of “people don’t want to pay for anti-malware” with “let’s constantly distract the users with popup ads”, do you think that they have your interests at heart? If they charge as much for one support instance as it does to buy a license with unlimited support, do they really want to help you? (And, do you think that they have an incentive to have you not experience problems?) If they make no distinction between “I am unable to login to World of Warcraft” and “I am unable to make payroll”, do you really want to work with them?
I mean no disrespect to ComputerWorld here. I know that they serve both the consumer and business markets. I know that there is a place for free anti-malware systems in the consumer space (though I think it’s quite small). However, to answer the question “Can You Trust Free Antivirus Software?”, I’d have to answer unequivocally “no”. If you are in business, you should use a business-quality anti-malware suite. Even if you’re at home, if your business requires you to use your home system, it should also be protected by a business-class anti-malware suite.
Odds are that you know the cost of your time, and if you are unable to work because you get sick, you know what it’s worth to protect against that, that’s why we have health insurance (however it winds up being paid for in the U.S.). Similarly, if your computer gets sick, how will that impact you? Does your computer need health insurance too?
Small Business Defense – Steganography
- At September 03, 2009
- By Josh More
- In Business Security
- 0
First of all, I have to stress that this is a good news / bad news situation. The good news is that the vast majority of you have nothing to worry about from steganography. The bad news is that the reason steganography isn’t a threat is that you probably have a great many more holes that are easier for an attacker to exploit.
If an attacker can email out random files, that’s much simpler. If they can burn CDs or write to USB drives (remember that many MP3 players are also USB drives), they could do that. Some data could simply be printed out can carried off. Attackers could also transfer files away directly via many protocols such as HTTP, FTP and SCP.
So, realistically, you only have to worry about steganography if you’ve managed to close off all these other leak vectors. Most businesses haven’t, so the rest of this is probably not of much use to you. If you haven’t, start identifying valid outbound traffic and blocking everything else. That alone will likely take several months. Then come back and read the rest.
The easiest way to prevent steganography is to prevent the sharing out outbound files. This means blocking attachments in email, and severely limiting access to all other websites. This means no eBay, no Flickr, no Facebook. No external websites of any kind. Any site that allows users to post content should be off limit.
This leaves one major vector – public-facing web sites. Luckily, you have control over these, so you can directly manipulate the files. There are tools that can help you identify files that might contain hidden data. They work by mathematically analyzing the files and seeing if they are altered from a “normal” distribution. Another method would be to collect hash signatures for each file, and check for alteration. This does, however, require that you have absolute trust in the person creating the files and depends on the hash algorithms being secure. These days, that may not be such a safe bet.
So, as cool as this technology is, it’s important not to rely entirely upon it. There may be file types it cannot identify or new techniques to hide data. It may be better to configure the web server to only allow certain types of files (such as .jpg and .png files) and then attack the data source directly. Simply alter each image file and randomize the lower order bits. This way, it doesn’t matter if there was steganography in them or not. It’s removed before it goes online.
So, in conclusion, steganography is a real threat, but it is also more difficult to use than many other commonly existing holes in infrastructure. It’s not easy to deal with, and if you have other holes open, it’s probably not worth going after. However, if you can manage to deal with all the other threats, it’s worth considering.
Small Business Attack – Steganography
- At September 02, 2009
- By Josh More
- In Business Security
- 0
Steganography is talked about a lot in the security field, but not much outside of it. Though there are many forms of varying complexity, at it’s core all you need to know that steganography incolves hiding data inside of other data. It is commonly used with pictures, but it can be applied to pretty much any file. Any file that you may need to use in your business could be used as a conduit for other data.
Take, for example, this photo, which is on your website (maybe you sell bone adhesives, I don’t know):
Suppose that you had some top secret data that you wanted to hide (clearly highly confidential):
An attacker could use one of many tools to embed the highly confidential image within the safe one, and most people would be none the wiser. For example:
(For the technically inclined, I used stegotools and the last 2 bits to hide the image. Try it out if you like.)
It’s important to realize that this example is highly contrived. In the real world, attackers can use any file at all and any transport mechanism:
- Logos on a web site
- Press releases emailed out
- Financial documents on CD
If you have any confidential data at all, and any way to communicating with the public, the data can be leaked. How can you protect yourself?
(A thank you goes out to kordite and The Metro Library and Archive for making their images available on under the Creative Commons, and allowing me to make some really bad puns.)
Alert – Financial Processes Targeted
- At August 28, 2009
- By Josh More
- In Business Security
- 0
I normally avoid spreading word about specific attacks, as it is better for overall security to continuously strengthen your defenses and keep an eye out for strangeness. Focusing on attack types and general security practice tends to have a better overall result then trying to play whack-a-mole and knock down individual people or pieces of malware.
That said, there is a current threat that people should know about, so I want to do my part to boost the signal.
At issue is a specific piece of malware that is targeting people with access rights to financial systems. It generally arrives in the form of a targeted email (spear phishing) which then installs the malware. Once installed, the malware monitors the computer for financial transactions and will then make some additional ones.
What’s different here is that small businesses are being singled out. This is largely because they tend to have weaker security and audit controls when compared to the larger firms. So, though the larger firms tend to have more money to steal, stealing a smaller amount from a great many other business can net just as much. And after, a dollar is worth a dollar, no matter who it’s stolen from.
To protect against this attack, you have to keep one thing in mind — there is no guaranteed way to prevent it. All you can do it do your best to protect yourself and check transfers regularly to make sure that you’ve not been hit. In short, if your account people are not doing all of the below, your business is facing some serious risk:
- Using a two-factor authentication system (RSA tokens are the most popular) to login to the banking system.
- Using a dedicated workstation for financial transfers. This system should not have any email client installed and be firewalled to only access the necessary web systems.
- Enter into an agreement with your bank so that all transfers must be confirmed. A verbal confirmation originating from the bank is best, as that way the attackers cannot initiate a transfer and then call the bank to confirm it. If they cannot do that and you have to stay with them, look into email or SMS-based confirmation systems.
- Using a bank-enforced 24-48 hour hold on transfers.
- Check your accounts regularly and reconcile all transactions.
Check out the following links for more information:
I would like to thank Rob Lee for alerting many of us to this situation.
Small Business Defense – Web Filtering
- At August 27, 2009
- By Josh More
- In Business Security
- 0
The term Web Filtering has many connotations. On one side, employees (often younger ones) view it as a form of censorship. On the other, business owners do have the right to require that employees spend their time doing what they are paid to do. As is often the case, the best answer doesn’t really match either extreme.
Filtering technologies come in many flavors. They range from highly simplistic technologies that block specific domains to complex deployments that set rules for each user, matching them against a set of categories to block or allow. They can also give fine-grained control over operations like file downloading and updates.
The costs vary too. Generally, the more control you want, the more it will cost. While there are some open source solutions that you could deploy for free, they tend not to be robust enough to work well in enterprise environments. The dedicated appliances work well, but often require rearchitecting the network for implementation. Lastly, there are modules that can plug into your existing network equipment, but they may be a bit more expensive than you would like.
Of course, the challenge of using such a technology is often not technical. The problem is primarily a social one. Do you have the political environment where it is acceptable to monitor Internet traffic? Will users allow you to block access to sites that they’re used to visiting? Will management have a problem with you knowing the browsing habits of your fellow employees?
As usual, it’s best to start with a policy that specific controls what you will be doing and how the technology should work. Then you can start implementing the technology using the policy as a guide. At a minimum, you will want to define:
- which types of sites are to be permitted and which are not.
- which types of downloads are to be permitted (if any).
- what to do when employees are regularly found to be attempting to visit blocked sites.
- what “regularly found” may mean.
Lastly, before you implement the technology, it may be good to identify which types of applications you are using. Some of these filters support a “transparent” mode but some must be run as a proxy. Both methods work fine, but some applications may not be proxy-aware. This can determine both the solution selected and the mode of deployment.
Small Business Attack – Web Browsing
- At August 26, 2009
- By Josh More
- In Business Security
- 0
As much as we dislike it, a part of most people’s jobs these days involves waiting. Though they keep making computers faster and faster, there is still a bit of downtime involved. While in the past, this time might have been spent talking with coworkers, these days it is more likely to be spent online.
There are many ways to spend your time online, from shopping to reading news to social media. While there is nothing inherently wrong with being online, there are some concerns. From a business perspective, managers may be concerned about productivity. From a legal perspective, H.R. may be concerned about “inappropriate” sites. And, of course, from a security perspective, we would concerned that sites could be the source of a compromise of user data.
At issue is the fact that, while most malware runs directly on the computer, web malware can run inside the browser. If it doesn’t run locally, and is sourced from a web site, it cannot be blocked with traditional anti-malware (though newer malware is aware of this attack vector). If all the malware accesses is data, there isn’t a good way to identify valid data access from unintentional leaks.
So, how to you protect against this particular threat vector without completely banning employees from accessing the Internet? How do you manage to classify which websites are OK and which ones are not?
Site Review – LinkedIn
- At August 21, 2009
- By Josh More
- In Business Security
- 3
Who doesn’t know about LinkedIn by now? This business-focused social networking site has been around seemingly forever (2003 is forever ago, right?). There are even blogs dedicated to helping you maximize your use of LinkedIn. Really, what more can I add?
You probably already know the basics. If you have an account on LinkedIn, you can add all the businesses associates you know to your account. This gives you a sort of online Rolodex that you can access from anywhere. Digging deeper, you can use groups to find the contact info for people you know, but perhaps not well. You can ask and answer questions and try to use the network to find contacts deeper within an organization.
It’s very useful for sales people and job hunters… and since everyone will likely be one or the other at some point in their career, most people are on it.
However, like all systems, there is a dark side. Many security practitioners constantly caution about putting personal information online. This information can be used in social engineering attacks against a business or to engage in identity theft. If someone manages to get your LinkedIn credentials, they also get access all of your contacts. For a sales person, this can result in loss of competitive advantage. Moreover, if someone untrustworthy manages to link into your network, they can see everyone you know. This information can be used to target existing clients or uncover information about the structure of yours and related companies. On the other hand, this same design allows legitimate people in your network to leverage your extremely valuable connections, which can strengthen your relationships to all parties involved.
This is a fairly typical risk management problem. If you put data into the system, you run the risk of its being misused. But if you do not, your competitors can leverage their networks better than you. What can you do?
The solution that most people take is to simply ignore the risk. They assume that everyone is who they claim to be and will link willynilly to all and sundry. Some of them even claim to be LIONs (LinkedIn Open Networkers) and will link to anyone who expresses an interest, often attempting to link to complete strangers. (In the physical world, we use a different word to describe this behavior, but that veers from the topic at hand.)
Another solution is to ignore the site altogether. If your data isn’t online it can’t be compromised. Many in the security community approach it this way. It is the most secure solution, but you also lose all the benefits.
Of course, there is a middle ground. By using out of band techniques, you can have a reasonable assurance of a person’s identity. For example, if you receive a LinkedIn invitation, you should first check out their profile and make sure that it matches what you expect. Then, you should send them an email or give them a call outside of the LinkedIn system and make sure that they intended to send you the request. If they say “yes”, then you know that they are legitimate and you can add them to your network if you know them to be trustworthy. This doesn’t address all of the risks, but it does hit the major ones while still allowing you to use the system to your advantage.