Mythic Monday – Cupid, Psyche and Detection
- At March 09, 2009
- By Josh More
- In Mythology
- 0
So I was relaxing last night reading a bit of Lucius Apuleius, and got to the story of Cupid and Psyche. Like many myths that have grown over the ages, this one is terribly long and complex, but I think we only have to look at the first part to learn the important lesson.
Leaving out all the important mythological bits about Venus being jealous and controlling love and Cupid’s arrows having a similar, but subtly different power, let’s get right to the point where Cupid and Psyche are living together. Cupid and Psyche love one another (mostly due to certain arrow errors early in their acquaintance), but Cupid doesn’t want Psyche to know who he is, or it’ll upset his mom (Venus). Therefore, the rule is “Cupid gets to sleep with Psyche every night, but she’s not allowed to know who he is”. The second rule is “Cupid gets to abandon Psyche during daytime.” Though I may not personally agree with the rule, the point is that a security rule was in place.
Of course, this being a mythological tale, I'm sure it will surprise no one to learn that Psyche decides to spy on Cupid as he sleeps. She wants to know that he isn't a snake (hey, who wouldn't?), and lights a lamp (or candle; versions differ). Then, as expected, a drop of oil (or wax) falls on Cupid, who wakes up and flies off, leaving her bereft, the reason being that "love cannot exist with suspicion".
So, what we have here is a story where a rule was in place, the rule was violated and consequences followed. By now, we as an industry are pretty good at making security rules. We harden systems, put up firewalls and write policy. We have all sorts of rules. Examples:
- No personal email at work
- Only administrators may access production systems
- No wireless connections allowed; this includes 802.11*, cellular devices and FM radio
- All passwords must be 48 characters long and contain a mix of upper case and lower case characters, numbers, punctuation and ǝpoɔıun
But, how good are we at checking that the rules are being followed? How often do you check firewall logs? Do you regularly review which users have which permissions? Do you scan for rogue wireless access points? Do you run regular password audits?
However stupid we may think Cupid's rule was, he had a detection system in place, was alerted to the spying, and so was able to take action. Though I personally would have used a light-triggered system instead of waiting for my flesh to be burned, his system worked for him and he was able to enforce his policy.
Can you?
Site Review – Plaxo
- At March 06, 2009
- By Josh More
- In Business Security
- 1
At first glance, Plaxo looks like a strange clone of Facebook and LinkedIn. The second glance looks much like the first. It identifies people you may know, allows you to make micro-bloggish updates and tries to organize your contacts for you. All in all, a useful site, but nothing particularly special compared to the many other sites that do the same.
If you dig deeper though, you discover that it’s really more of a hybrid than you thought. Plaxo takes the idea of “mash-up” to a whole new level. When you setup your profile, you can link to numerous other social media sites. It can tie into Flickr, Delicious, Live Journal, MySpace, Google, Facebook and more. You can use it to keep track of your friends’ updates all in one place.
Of course, to do this, it also allows your friends to keep track of your updates, which sounds nice until you realize that you are also giving an unknown company complete access to your data on multiple sites at once, which makes it effectively impossible to isolate a data leak to any one service.
There are some security features in Plaxo that should help minimize this. However, like most things, it all comes down to how much you trust the company.
On the plus side, Plaxo doesn’t list very many partners, just Comcast, WebIS Mobile Sync and Yahoo, so your data is likely safer than at some services. The privacy policy is pretty good (the permanent opt-out is particularly nice), as are the terms of service.
On the negative side, Plaxo only functions well if all your friends are also using Plaxo, so it tends to be a bit spammy. It also requires ongoing maintenance of security settings. It's all well and good to post an update tagged as "friends-only", but having to manage which people are in which friends groups on different sites is troublesome enough. When you add an aggregator that has its own permissions model and doesn't stay in sync with the groupings on the other sites, the security concerns get far more complex.
So, unsurprisingly, it’s another one of those tools that has some risk, but the benefit may outweigh the risk… but only for a small percentage of the people out there. If you decide to use Plaxo, go for it… but be careful.
Small Business Defense – Source Repositories and Honey Tokens
- At March 05, 2009
- By Josh More
- In Business Security
- 0
As mentioned yesterday, source code is a nice juicy target for an attacker. So, what can you do about it?
The first thing to do is to make sure that you can detect whether an attacker was able to make changes to your code. To do this, you need a known-good reference copy of what the code should be. The easiest way to get one is to use a revision control system. Though there are many, I prefer Subversion, as it is both free and fairly easy to use. Once your code is checked into revision control, it is easy to compare the running code against the stored code and look for differences. In addition, if you compile your code (or convert it into bytecode), you can keep the source only in the repository and put just the compiled output on the production system. Then you can add strict access rules to the repository and gain an extra layer of defense.
So, that protects your assets and helps you confirm whether they have been tampered with, but how do you detect the theft itself if someone does get through? That's where a "honey token" system comes in. Such a system is often installed at the edge of your network and checks all outgoing traffic for certain key words and phrases. It is fairly easy to embed specific, unique strings into your source code (or other intellectual property of interest), and then set these systems to look for them. They're not perfect, and will miss transfers that are compressed or encrypted, but they're better than nothing.
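The comparison described above, as an added example that is not part of the original post: a small script that hashes every file in a clean reference copy (for instance a fresh export from the repository) and in the deployed copy, and reports what has been modified, removed, or dropped in. The directory contents below are constructed purely for the demonstration, and the file names are hypothetical.

```python
"""Detect drift between a clean reference copy of an application and the
copy that is actually deployed, by comparing per-file SHA-256 digests.

Added example, not the original post's code. The post keeps the reference
in a revision control system such as Subversion; here the reference is just
a directory (think of a fresh `svn export`) so the script runs offline.
All directory names and file contents below are constructed.
"""
import hashlib
import os
import tempfile

# Metadata directories that a working copy may carry but a deployed tree won't.
SKIP_DIRS = {".svn", ".git"}


def hash_tree(root):
    """Map each relative file path under `root` to its SHA-256 hex digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(reference, deployed):
    """Return files that are modified, missing, or unexpected in `deployed`
    relative to `reference`. Any entry in any of the three lists is worth
    a look: modified/unexpected may be tampering, missing may be breakage."""
    ref = hash_tree(reference)
    dep = hash_tree(deployed)
    return {
        "modified": sorted(p for p in ref if p in dep and ref[p] != dep[p]),
        "missing": sorted(p for p in ref if p not in dep),
        "unexpected": sorted(p for p in dep if p not in ref),
    }


def write_files(root, files):
    """Helper: materialise a {relative_path: text} mapping under `root`."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)


def demo():
    """Constructed scenario: the deployed copy has an altered login page, an
    extra script dropped into the images directory, and a missing README."""
    clean = {
        "app/login.php": "<?php check_password($_POST['pw']); ?>\n",
        "app/lib/db.php": "<?php connect(); ?>\n",
        "README": "internal billing application\n",
    }
    tampered = dict(clean)
    tampered["app/login.php"] = (
        "<?php log_to_file($_POST['pw']);\n"   # hypothetical added line
        "check_password($_POST['pw']); ?>\n")
    tampered["app/images/c.php"] = "<?php /* not in the repository */ ?>\n"
    del tampered["README"]
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as dep:
        write_files(ref, clean)
        write_files(dep, tampered)
        return diff_trees(ref, dep)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:10s} {p}")
```

Run this from a cron job against the live document root and a throwaway export of the repository, and page someone on any non-empty list; an empty report is the normal case, so alerts stay rare and meaningful.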
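An added example of the outbound check the post describes (not the post's own code, and not any particular product): a scanner that looks for planted honey-token strings in outgoing payloads. The tokens, the asset names and the traffic samples are all constructed for the demonstration. It also shows the caveat from the post in action: a plain string search misses the token once the payload is gzip-compressed, so the scanner additionally tries a gzip or zlib decode before giving up, while the "encrypted" (here, XOR-scrambled) transfer stays invisible.

```python
"""Scan outgoing payloads for honey-token strings planted in source code.

Added example, not from the original post. The post describes an edge
device that watches outgoing traffic for known strings; here the "traffic"
is a list of constructed (destination, payload) tuples, and the tokens and
asset names are made up. A plain search misses compressed transfers, so
the scanner also tries gzip/zlib decoding; encrypted data is still missed.
"""
import gzip
import zlib

# Hypothetical tokens: unique, meaningless strings embedded as comments in
# the code base, each mapped to the asset it was planted in.
HONEY_TOKENS = {
    b"hk7-QUARTZ-PELICAN-0331": "billing/src/invoice.py",
    b"hk7-MARIGOLD-ANVIL-9920": "crm/src/export.py",
}


def _candidates(payload):
    """Yield the raw payload plus any decompressed form we can recover."""
    yield "raw", payload
    if payload[:2] == b"\x1f\x8b":            # gzip magic bytes
        try:
            yield "gzip", gzip.decompress(payload)
        except (OSError, EOFError, zlib.error):
            pass
    else:
        try:
            yield "zlib", zlib.decompress(payload)
        except zlib.error:
            pass


def scan_payload(payload):
    """Return (token, asset, encoding) hits found in one outgoing payload."""
    hits = []
    for encoding, data in _candidates(payload):
        for token, asset in HONEY_TOKENS.items():
            if token in data:
                hits.append((token.decode(), asset, encoding))
    return hits


def scan_flows(flows):
    """Scan (dst, payload) tuples and return one alert per token sighting."""
    alerts = []
    for dst, payload in flows:
        for token, asset, enc in scan_payload(payload):
            alerts.append({"dst": dst, "token": token, "asset": asset, "via": enc})
    return alerts


def demo():
    """Constructed flows: harmless request, plaintext leak, gzip'd leak, and
    an XOR-scrambled leak standing in for an encrypted transfer."""
    leaked = b"# hk7-QUARTZ-PELICAN-0331\ndef total(lines):\n    return sum(lines)\n"
    flows = [
        ("203.0.113.5:80", b"GET /index.html HTTP/1.1\r\n\r\n"),
        ("203.0.113.9:443", leaked),
        ("198.51.100.7:25", gzip.compress(leaked)),
        ("198.51.100.7:25", bytes(b ^ 0x5A for b in leaked)),  # missed
    ]
    return scan_flows(flows)


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a['dst']} leaked {a['asset']} (token {a['token']}, via {a['via']})")
```

The XOR-scrambled flow produces no alert, which is exactly the limitation the post warns about: the token detector is a tripwire for careless exfiltration, not a substitute for access control on the repository.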
And after all, protecting your assets is a matter of incremental improvement.
Small Business Attack – Type of Data: Source Code
- At March 04, 2009
- By Josh More
- In Business Security
- 0
One of the types of data that may exist on your network is source code. Though it's more likely to be there if you are an I.T. company, a great many companies have custom-written business applications. Though users generally use the application by clicking an icon on their desktop or accessing it via a web browser, the real "nuts and bolts" of the application lie in the source code.
Traditionally, the term “source code” refers to the raw code that is written by people and later compiled into another format to be used by a computer. There are other forms of code, like bytecode, interpreted code, etc. However, the point of this entry is not about the differences. For the purposes of this post, “source code” means “business logic that both humans and computers can read”. (I’m sure I just upset some tech purists that read this blog.)
The important thing to realize, as a business owner, is that the applications you use often reveal a huge amount about how you do business. There are likely flowcharts and checklists out on a shared drive somewhere. There may be a technical manual or five somewhere. However, we are in a digital age, and a lot of effort is being put into automating repetitive tasks and using technology to accelerate the speed at which business can be done. In short, more and more of the key business activities are being moved to the computer. This is great for efficiency… but it also provides a great target for an attacker.
If an attacker gets a checklist, they might learn what problems your business commonly has. They might be able to misrepresent themselves as a client and abuse the checklist to gain further information about your business. They might find their own flaws in your procedure and use it to make your competitors more efficient. But if they can get the source code to one of your systems, they gain much much more.
The code that runs your systems might contain usernames and passwords used to connect to other systems. It contains detailed business logic. It might even mention identified, but not yet repaired, problems in your business. An attacker could not only duplicate much of your business, but might also be able to integrate with your billing and sales systems and steal money and client lists. They might be able to access existing customer accounts and take anything they want.
In short, they'd be able to do anything that you can do, and since they don't have the overhead of developing it in the first place, they could do it better, faster and cheaper.
How are you protecting yourself?
Security lessons from Nature – The Pacific Barreleye
- At March 03, 2009
- By Josh More
- In Natural History
- 0
How could I read about the Pacific Barreleye without mentioning it here? The fish, like most, lives in the water. Like many, it lives in deep water. Like very few, it likes to eat siphonophores, a type of stringy jellyfish with lots of stinging cells. Like no others I know of, it has a transparent head.
The theory is that it uses the transparent head and scales to protect its eyes from its stinging prey. The video looks a bit like computer rendering to me, but I know that there are transparent fish, and mentions of this fish predate the recent news, so odds are that it's real. What's fascinating is that this critter is using transparency as a defense as well as an attack.
For years, people in the I.T. industry have been saying that we need to be more transparent in our business dealings. Attempts to make transparent software have resulted in open source software that is taking the market by storm. Opening up business processes has shown similar results.
In the security field, “transparency” often refers to security controls that the user doesn’t notice. These may be subtle barriers around the wrong actions tied with subtle rewards around the right actions. Sometimes it involves considerable monitoring and reaction only to known danger. In the physical world, these can be RFID tags and sensors that help prevent theft. In the electronic world, it can involve “watermarking” intellectual property or encrypting data for archival purposes. Security doesn’t have to get in the way, and making it as unobtrusive as possible can often make it more effective.
Of course, nature figured this out long ago.