Site Review – LinkedIn
- At August 21, 2009
- By Josh More
- In Business Security
Who doesn’t know about LinkedIn by now? This business-focused social networking site has been around seemingly forever (2003 is forever ago, right?). There are even blogs dedicated to helping you maximize your use of LinkedIn. Really, what more can I add?
You probably already know the basics. If you have an account on LinkedIn, you can add all the business associates you know to your account. This gives you a sort of online Rolodex that you can access from anywhere. Digging deeper, you can use groups to find the contact info for people you know, but perhaps not well. You can ask and answer questions and try to use the network to find contacts deeper within an organization.
It’s very useful for salespeople and job hunters… and since everyone will likely be one or the other at some point in their career, most people are on it.
However, like all systems, there is a dark side. Many security practitioners constantly caution against putting personal information online. This information can be used in social engineering attacks against a business or to commit identity theft. If someone manages to get your LinkedIn credentials, they also get access to all of your contacts. For a salesperson, this can mean a loss of competitive advantage. Moreover, if someone untrustworthy manages to link into your network, they can see everyone you know. This information can be used to target existing clients or to map the structure of your company and the companies related to it. On the other hand, this same design allows legitimate people in your network to leverage your extremely valuable connections, which can strengthen the relationships of all parties involved.
This is a fairly typical risk management problem. If you put data into the system, you run the risk of its being misused. But if you do not, your competitors can leverage their networks better than you. What can you do?
The solution that most people take is to simply ignore the risk. They assume that everyone is who they claim to be and link willy-nilly to all and sundry. Some of them even claim to be LIONs (LinkedIn Open Networkers) and will link to anyone who expresses an interest, often attempting to link to complete strangers. (In the physical world, we use a different word to describe this behavior, but that veers from the topic at hand.)
Another solution is to ignore the site altogether. If your data isn’t online it can’t be compromised. Many in the security community approach it this way. It is the most secure solution, but you also lose all the benefits.
Of course, there is a middle ground. By using out-of-band techniques, you can have reasonable assurance of a person’s identity. For example, if you receive a LinkedIn invitation, you should first check out the sender’s profile and make sure that it matches what you expect. Then, you should send them an email or give them a call outside the LinkedIn system, using contact details you already have rather than ones taken from the invitation or the profile, and make sure that they intended to send you the request. If they say “yes”, then you know the request is genuine, and you can add them to your network if you know them to be trustworthy. This doesn’t address all of the risks, but it does hit the major ones while still allowing you to use the system to your advantage.
Small Business Defense – Anti-spam
- At August 20, 2009
- By Josh More
- In Business Security
There are many anti-spam solutions in the market. They tend to fall into a handful of types. However, all of them must do the same thing: somehow determine which emails are legitimate and which ones are not. There are many ways to do this, and most products use differing combinations of the same techniques. Thus, the main distinguishing characteristic is where the anti-spam solution fits into the network.
Client Software
A common solution is to use software that plugs into the email client. This gives the user direct control over spam handling, at the cost of requiring the spam to completely traverse the system and end up on the final computer. Thus, the risk exists that malicious content in a message may exploit the client and then run directly on the target. Additionally, the server must handle the additional load of storing and delivering the spam, and the administrator has no direct control over the anti-spam system.
This solution is generally not a good fit for businesses, though it can be quite effective for home-based users or for businesses too small to have an I.T. department or a contracted service.
Server Software
A traditional solution is to purchase anti-spam software for the server. This gives the email administrator direct control over the way that the anti-spam system operates. The users typically see a quarantine folder containing the messages the filter classified as spam but did not flag as dangerous. Thus, the users are protected against the problematic emails but are still able to inspect the rest if they choose to do so, and to recover any legitimate message the filter got wrong.
This is the standard solution for businesses, and works fairly well, though it does result in emails still traversing the system and adding load to the mailserver. As spam traffic increases, the resources of the server must be scaled up. Since there is no control of the spam until it reaches the server, the business still risks denial of service by choosing this solution.
Appliances
One way to solve the problem of the limitless scaling of server resources is to shift spam protection to an appliance. In this solution, a dedicated device whose only job is to filter spam is placed between the Internet and the mail server. It is more complicated for the email administrator to manage, but it does keep everything within the control of the business.
Some of the larger businesses use this method. It still requires email to enter the network, but it does protect the core systems against exploitation and limits the amount of email that the end users must sort through.
Cloud Solutions
Though “cloud” solutions are getting a lot of market buzz these days, some have been around for a long time. In the anti-spam world, in particular, a cloud solution is often a good one. With this solution, spam need not ever enter the business network. The business is protected against malicious software and denial of service attacks. The users don’t have to deal with spam at all.
However, nothing is perfect. The main drawback to the cloud solution is that it inevitably delays email delivery. In short, you are adding an additional layer of processing and network transport, so every single email is going to be slower. While email administrators often state that “email is not instantaneous”, the delays are often noticeable with this sort of solution.
Conclusion
As always, a balance must be struck. You can emphasize usability — giving control to your users and risking both direct exploitation and the consumption of internal resources. You can emphasize security — making email administration more difficult and delaying email delivery. You can pick a solution anywhere along this spectrum, but no solution will ever be perfect.
What you can’t do, however, is nothing.
Small Business Attack – Spam
- At August 19, 2009
- By Josh More
- In Business Security
We’ve been battling spam for many years now. We all know that the problem exists, and that it can be annoying… but sometimes it seems like the constant complaining of email administrators is even more annoying. Is spam really such a big problem?
Let’s look at it for a minute… The influx of email can slow the mail servers. Manually sorting legitimate email from spam can reduce employee productivity. In some environments, the adult nature of spam can cause HR issues.
So sure, spam can be annoying, but is it really a serious problem?
Though I try to keep this blog from getting overly technical (after all, there are technical security blogs far better than mine), I am afraid that I have to dig a bit into the labyrinthine mess that is SMTP. Network email dates back to 1971, and the Simple Mail Transfer Protocol that was standardized for it in 1982 (RFC 821) is the method still used to transfer email today. (Though it has been extended and tweaked many many (many) times.) These days, it is far from simple, but it is still deeply flawed.
At its heart are three problems:
First of all, the protocol is plain text. This means that anyone who can read the network traffic as it flows from the sender to the receiver can read the message. This allows attackers to read or alter messages as they go by, so the receiver can never know for certain that a message is private or even authentic. (Servers can negotiate encryption with the STARTTLS extension, but it is optional and opportunistic: an attacker sitting on the path can simply strip the offer, and the mail flows in the clear anyway.)
Secondly, the protocol is honor-based. Just as anyone can drop a letter into a mailbox and put on whatever return address they wish, anyone may send an email and forge any From address they want, in both the SMTP envelope and the message headers.
There are numerous technical measures that can be put in place to limit these two problems, such as TLS for transport and SPF and DKIM for checking who is allowed to send for a domain. However, none of them work perfectly, and each of them makes the maintenance of the system more complex. If too many of them are implemented, you run an increasingly greater risk of email being greatly delayed or not getting through at all.
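The two paragraphs above describe sender forgery and the measures that only partially limit it. As an added example that is not code from the original post, here is a minimal evaluator for one such measure, SPF (RFC 4408), written in Python. DNS is replaced by a constructed table of TXT records, and the SMTP session is constructed too: the domains, addresses and IP ranges are invented for illustration. It also shows the gap a practitioner needs to keep in mind: SPF is evaluated on the connecting IP and the envelope MAIL FROM, so a message can pass SPF while displaying a completely different address in its From: header.

```python
"""Minimal SPF evaluation of an inbound SMTP session.

Added example, not code from the original post. DNS is replaced by the
constructed FAKE_DNS_TXT table below; only ip4/ip6/include/all terms
are modelled (a, mx, exists and redirect are ignored).
"""
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups; these domains are hypothetical.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example.org": "v=not-spf",
}

# A constructed session as the receiving server sees it: SPF is evaluated
# on the connecting IP and the envelope MAIL FROM, never on the From: header.
SAMPLE_SESSION = {
    "client_ip": "198.51.100.10",
    "mail_from": "bounce@mailer.example.net",
    "header_from": "The CEO <ceo@example.com>",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # an address of the other family simply does not match
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(ip, term[8:], dns, depth + 1) == "pass"
        else:
            continue                    # mechanism not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def evaluate_session(session, dns=FAKE_DNS_TXT):
    """SPF result for the envelope sender, plus whether the From: header agrees."""
    env_domain = session["mail_from"].rsplit("@", 1)[1].lower()
    hdr_domain = parseaddr(session["header_from"])[1].rsplit("@", 1)[1].lower()
    return {
        "spf": spf_check(session["client_ip"], env_domain, dns),
        "aligned": env_domain == hdr_domain,
    }


if __name__ == "__main__":
    print(spf_check("192.0.2.5", "example.com"))      # pass
    print(spf_check("203.0.113.7", "example.com"))    # fail
    print(evaluate_session(SAMPLE_SESSION))           # spf pass, aligned False
```

The sample session passes SPF, because the connecting host really is authorized to send for mailer.example.net, yet the recipient sees a message from ceo@example.com. That is why a receiving server that relies on SPF alone still cannot trust the displayed sender, and why the post's point about forged From addresses stands even once the "technical measures" are in place.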
Then, we have the final problem. Though it doesn’t relate directly to SMTP, the fact is that raw email is not pleasant for humans to read (most humans, anyway), so recipients use email clients. As always happens, a handful of email clients have become the most popular and are analyzed by attackers for flaws. Email messages can then be forged and sent containing malicious content that exploits a flaw in the email client.
So what does all this mean?
Basically, in addition to spam being annoying and the extensions we’ve built around it making the actual system work poorly, we have a situation where attackers can target specific people and run their own software directly on the targeted workstation.
So how do we protect against it?
Security Lessons from Nature – Anachoresis
- At August 18, 2009
- By Josh More
- In Natural History
Anachoresis. The word can mean many things, referring to hermits, animals or bacteria. Now, as interesting as the medical definition is, I am more interested in the zoological context today. When the word is used in reference to little critters, it describes the habit of hiding in crevices to avoid predators. If you’re a mouse, such a strategy works great. You just scurry about eating seeds all day and, when it’s time to sleep, you find a nice little hole and hide from all the cats that hunt at night.
The strategy, of course, is less effective when implemented by elephants.
As with most security strategies, this one works better for some animals than for others. The same applies to businesses. The equivalent strategy in the small business space is to try to “fly under the radar”. Much like mice hiding in holes, this strategy is only effective so long as there are other mice around for the predators to pursue. As soon as the easy prey is eaten, predators start learning other techniques to get at the more difficult prey. Lizards lose their legs and evolve into snakes. Mammals become more slender and supple and turn into weasels.
True, in the business space, an attacker would be much happier to take control of a multi-million dollar business than a sole proprietorship. However, if all the big attackers are pursuing the bigger prey, the smaller attackers are free to go after all the little businesses hiding out in holes… and they’ve been busy.
Just like snakes and weasels, worm-based malware crawls around the Internet looking for the little cracks and crevices in the security around small businesses. Like shrews, automated malware spreads and sniffs out juicy targets which, once found, can be targeted by everyone. Similarly, like biological viruses, computer viruses can infect a small business and just wait for the right conditions to execute a payload.
The point of this isn’t to scare you. Realistically, small businesses don’t face the same threats that large enterprises do. However, that doesn’t mean that they don’t face any. It’s one thing to use that justification to avoid spending large amounts of money on expensive protection that you may not need, but it’s quite another to think that, just because there are fewer threats, you are safe. No matter how good it is at hiding, a mouse is not safe from a snake. Just as a mouse uses more than one security technique, businesses of all sizes should consider how much of a target they are and who wants to attack them, and take appropriate action.
Hiding in the sand will only take you so far.
Mythic Monday – Superhero Teams
- At August 01, 2009
- By Josh More
- In Mythology
Some may call them movies for kids that never grew up; others may call them the mythic legends of our time. Whatever your stance, you might have noticed that superhero movies have been quite popular in recent years. The most recent resurgence started with the basic theme of “ordinary person becomes a superhero at about the same time that an ordinary person becomes a supervillain” (Spider-Man and Batman Begins). More recently, it has morphed into “superheroes teaming up to fight against teams of supervillains” (Spider-Man 3 and X-Men: The Last Stand).
While the literary quality of such films is debatable, the big security lesson here is that when you’re being attacked on many fronts, it helps to team up. At present, there are threats from all fronts. Countless authors release new malicious software every day. The malware adjusts its own code to avoid detection and to spread. Moreover, many companies are under direct attack by foreign actors and by direct competitors. All of these attacks are growing more subtle, so the challenge is not just in foiling the attackers but also in detecting them. In order to stand a chance, we have to team up too.
So how does this work in practice?
One way is to do what you’re doing now, spend a bit of time each day reading security news from various sources. These can be blogs, podcasts or news sites. Another way is to join groups, whether they are local or online. Local groups tend to meet once a month. The online groups, in contrast, usually do not have a specific meeting time but are very issue-focused. One member may post a question and others will step forward and help to answer it. Some groups are a combination of the above.
Just as being a member of a superhero team isn’t a weekend job, there has to be an ongoing commitment to be successful in a security group. In many cases, it doesn’t really matter which particular group you join so long as you are committed to it. While different groups have their own respective foci, any of them will be better than nothing.
The following are groups that I personally use in my day-to-day work:
- ISSA Des Moines – A business-focused group focusing on education of the members.
- Iowa InfraGard – An information-sharing effort between the FBI and businesses. Local chapters exist in other areas.
- SANS Advisory Board – Online group that assists its members with existing issues and helps guide the SANS certifications.
- Central Iowa Area Linux Users Group – Iowa-based group focusing on Linux and Open Source technologies. Other LUGs exist in other regions.
- Agile Iowa – Iowa-based business-focused group to discuss Agile development practices. It’s always good to get other points of view regarding what you are actually protecting.
There are, of course, others that I visit on an occasional basis, such as the Des Moines Web Geeks, the Central Iowa Bloggers and The Virtualization User Group, but I realize that I have a limited amount of time, and it’s better to focus where I can be most effective. Over time, I may have to narrow my commitments even further.
We may not have a security-focused Justice League or Avengers team, but we also don’t have many lone-wolf security superheroes. So those of us who work in this field have to work together. I hope to see you there.