May 30

Satellites get all the glamor with their showy rocket liftoffs and space shuttle missions, but in reality, over 99% of intercontinental data traffic travels via undersea cables which crisscross the planet’s briny depths.  These vital telephone and Internet links are exposed to a number of dangers ranging from seismic activity to misplaced ships’ anchors and fishing gear, to pirates and cable thieves, and when one of these links is broken, the effects can span countries or continents.  Upping the risk level is the fact that a large number of cables converge at a small number of geographic choke points such as the Suez Canal, and the Malacca and Luzon Straits.  When cables in these areas are damaged, there is a domino effect as traffic has to be rerouted to avoid the break.

In April of this year, the SeaMeWe-4 cable, which carries 89% of the traffic between the Middle East and Europe, was cut, severely impacting Internet and telephone communications between the two areas.  In 2008, a series of cable cuts in the Middle East disrupted network access and spawned a number of conspiracy theories due to the fact that neither Iraq nor Israel was affected.  Back in 2006, a major earthquake cut the APCN2 cable connecting China, Hong Kong and other Asian countries, bringing online commerce to a halt for days and resulting in network performance disruptions for months.

The good news is that notice is being taken – the IEEE held a “Global Summit on the Reliability of Global Underseas Communication Cable Infrastructure” (ROGUCCI for those in the know) in Dubai in October 2009 where experts came from all over the world to discuss how to keep our undersea cables safe and secure.  I took a look at the report from this conference and learned some other interesting facts about undersea cables:

  • Undersea cables are one of the rare places here on Earth that we get to see the effects of the speed of light.  As data or voice traffic takes its journey through cables, there can be a delay of up to a tenth of a second, which can be heard by humans and interfere with time sensitive data communications.  Satellite latency is even larger – this is one reason why all that intercontinental traffic can’t be rerouted via the heavens.

  • Every second, the planet’s undersea cables carry 30 terabytes of information from continent to continent – and more data is added to this torrent every day.  (I think that 28T of that traffic is porn…)

  • When there is a cable failure, traffic must be rerouted by other cables, making the path taken by the data much longer, increasing latency and adding traffic to links which may already be congested.  There is no Plan B for the undersea cable network.

  • Cable ships and their crews are a shared resource – the number of simultaneous repairs that can be performed is limited.  Time to repair is also extended due to some countries’ bureaucratic permit processes which the repair ships must complete before entering their territorial waters to get to work.  Cable ships are also a potential target for pirates – cable operators worry that pirates could take over a cable ship and demand a hefty ransom for its release, delaying repairs further.  Pirates have already caused problems for cable laying off the coast of Africa.

Undersea cable security needs to be on all of our agendas… the Internet links that allow me to post this blog entry from my hotel room in London are also the ones which major financial institutions use for moving money around the world and which an increasing amount of commerce depends on.  Governments need to safeguard cables and cable repair ships and, most importantly, build the redundant links which will allow our planetary nervous system to recover from damage.

May 20

Now that Facebook has made their privacy settings just a bit less complex than, say, the US Tax Code or particle physics, this would be a really good time to check your privacy settings and make sure that you are not sharing more personal information with the world (or at least the Internet connected portion thereof) than you intended to.

The new settings default to sharing quite a bit of information – you may be (unpleasantly) surprised about what Facebook is telling the world about you.

This website provides a browser bookmarklet which will scan your privacy settings and let you know what you might want to change.   Take five minutes to protect your online privacy…

May 13

We security professionals tend to underestimate our own vulnerability to threats like phishing. Here is a really good article by Cory Doctorow, who is most definitely not an Internet novice, explaining how all of the wrong stars came into alignment to make him fall for a phishing attempt. Worth reading, especially if you think you are “smart enough” to recognize and avoid phishers’ bait.

- Posted using BlogPress from my iPad

May 02

Data protection... Massachusetts style

Now I have two things which I really like about Massachusetts – The Friendly Toast in Cambridge (mmm… Caribbean waffles) and their new data protection law.  As of March 1, any organization which holds personally identifiable information (PII) about residents of the Commonwealth must attest that they have a written information security plan designed to protect that information.  And that PII must be encrypted both when it travels over the wire and when it is stored in systems.  Penalties for violation are quite hefty – $5,000 per violation and per record lost.

The law also requires businesses handling MA residents’ PII to take a number of steps that they should already be doing – having someone responsible for the infosec program, identifying risks, training personnel, preventing terminated employees from accessing the PII, secure authentication and the like.    You can read the entire text of the law here…

It is about time and I hope that other states (and the federal government – call me a socialist) follow Massachusetts’ lead.  Requiring businesses to take some very basic and inexpensive steps to protect our information from unauthorized access is quite reasonable.  It seems to me that the encryption requirements can be met with an SSL cert, laptop encryption software (such as BitLocker, included with Windows 7, or FileVault on Macs) and the encryption features built into databases; these are just common sense, as is having an information security plan.

Bravo, MA!

Apr 17

Look into my eyes... to see if I am telling the truth

It seems that scientists found some evidence for the proverb “The eyes are the windows of the soul.”

In experiments conducted by researchers at University College London 11 volunteers were asked to answer a variety of personal questions with some truthful answers and some lies. While they were interviewed, the volunteers wore special eye tracking glasses which recorded their blink rate, where they were looking and for how long, and the sizes of their pupils. The scientists then created videos of computer generated avatars speaking the answers given. In half of the videos, the avatars’ eyes were fixed on the listener. In the other videos, the avatars’ eyes moved and reacted using the data from the eye tracking glasses.

The result? Of the 27 people shown the videos, 88% were able to identify truthful statements when eye movement was present, as opposed to a 70% detection rate when the avatars’ eyes were fixed. When asked to identify untrue statements, 48% of viewers had success when eye movement was present versus 39% when the avatars’ eyes were fixed.

While the researchers are not sure how the eye movements helped viewers in telling truth from lie, they did note that truth-tellers tended to hold the interviewer’s gaze for longer than fibbers and that the speaker’s pupils dilated more when they were prevaricating. The pupil response may be linked to the increased cognitive load needed to tell a lie.

The researchers state that their work could be helpful in making virtual worlds such as Second Life more useful for interactions like business meetings, where a level of trust between participants is required. My takeaway, of course, is that a cyber savvy virtual con man could make use of faked avatar eye movements to gain his cyber victims’ trust. Back here in the real world, when the used car salesman tells you that the little beauty you are looking at was only driven by a little old lady to church on Sundays, watch those pupils!

Apr 04
In the good old days (last week), you could feel somewhat safe opening PDF files as long as you had downloaded the latest Adobe Reader security fixes.  Now it turns out that the hackers could have saved themselves a bunch of time and effort – it seems that a design flaw in the PDF file format can be used to embed and execute code in documents even if the reader is a good Internet citizen and has patched their system.

The user does have to cooperate a little bit… When the code is about to execute, a dialog box will appear and the user will have to click OK.  Not to worry, nefarious malware authors, in addition to users’ propensity to click OK when asked, you can customize the dialog box to make it seem innocuous – “Click here to accept the license agreement” or “Click here to decrypt this document” are two ideas that come to mind.

If you are a super security savvy user who decided to abandon Adobe Reader in favor of the alternative Foxit Reader, you are in worse shape, smart guy.  Versions of Foxit Reader prior to 3.2.1.0401 do not provide the dialog box warning – they just execute the embedded code.  Foxit has issued an update and I suggest that you install it toot sweet…

I have not yet seen any information as to whether the Preview PDF reader which ships with the Mac will also execute code embedded in PDF files… I will update this post when I have further information…  UPDATE (2010-04-07): sources tell me that the attack does not work on files opened on Macs using Preview or Adobe Reader, but I have not verified this myself.

So… if you receive a PDF file which asks for a click on a dialog box when you open it, don’t click.  Legitimate PDFs seldom require the user to take any further action to open them.

The whole Foxit issue got me thinking about the use of non supported software in corporate environments.  I would guess that most organizations assume that Adobe Reader is installed and used on their computers.  I would also guess that most corporate IT and info sec types are not aware of the existence or use in their organizations of alternative PDF readers like Foxit.  For this reason, networks and information are put at additional risk, since any warnings and patches pushed out to the user community would not protect Foxit users.  There are a few possible reactions to this problem:

  • Don’t allow users to install non approved software and enforce the policy with technical means.

  • Install software on your network which inventories new apps installed by users and provides you with an alert.  In this case, you’ll have to follow up on these alerts and keep track of who has what oddball programs installed as well as keep an eye open for applicable security updates.  More work for info sec, but, hey, that’s why we get the big bucks.

  • Cross your fingers, rub your lucky rabbit foot and hang a horseshoe above your servers.  Otherwise known as sticking your fingers in your ears and singing “la la la.”

If you can get away with number 1, more power to you (wearing my Dick Cheney hat here) from a security overlord point of view, but when wearing your business hat, it may turn out that the ability to install new apps helps more than it harms.  That is why I am a fan of door number 2… work with your users rather than driving their bad security practices underground.  Remember… Great CSOs enable AND protect the business.
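Here is what the “door number 2” inventory alert could look like in practice, as an added example that is not code from the original post: a constructed list of installed applications is checked against an assumed approved list, and tracked oddball apps are compared with a minimum safe version (the Foxit 3.2.1.0401 figure from the post; everything else is assumed for illustration).

```python
# Added example, not from the original post: minimal software-inventory check
# for "door number 2". Approved list, tracked apps and inventory lines are
# constructed assumptions; the Foxit minimum version comes from the post.
from typing import Dict, List, Tuple

# Officially deployed software (assumption).
APPROVED = {"Adobe Reader", "Microsoft Office"}

# Oddball apps we know users have installed and whose updates we track.
# Foxit Reader before 3.2.1.0401 runs embedded code with no dialog at all.
MIN_SAFE_VERSION: Dict[str, str] = {"Foxit Reader": "3.2.1.0401"}


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for comparison.
    Non-numeric fragments count as 0 so a stray suffix cannot crash the check."""
    parts = []
    for piece in ver.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_below(installed: str, minimum: str) -> bool:
    """True when installed < minimum; shorter tuples are padded with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_inventory(inventory: List[str]) -> List[Tuple[str, str, str]]:
    """Inventory lines look like 'host | app | version' (constructed format).
    Returns (host, app, reason) alerts for unapproved or outdated software."""
    alerts = []
    for line in inventory:
        host, app, ver = (field.strip() for field in line.split("|"))
        if app not in APPROVED and app not in MIN_SAFE_VERSION:
            alerts.append((host, app, "unapproved software"))
        minimum = MIN_SAFE_VERSION.get(app)
        if minimum and version_below(ver, minimum):
            alerts.append((host, app, f"version {ver} below {minimum}"))
    return alerts


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    "ws-101 | Adobe Reader | 9.3.2",
    "ws-102 | Foxit Reader | 3.1.4.1125",
    "ws-103 | Foxit Reader | 3.2.1.0401",
    "ws-104 | SumatraPDF | 1.5",
]

if __name__ == "__main__":
    for host, app, reason in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {app}: {reason}")
```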

Mar 16

According to this article from CSO Magazine’s web site, “several security execs expressed surprise” that the CISO of the Commonwealth of Pennsylvania found himself unemployed after making a speech at the RSA Security Conference describing a cyber security incident at his state’s motor vehicle agency without getting prior approval.  As a CSO myself, I don’t understand why anyone is surprised – I think that this firing was pretty easy to predict and, unfortunately, deserved.

Yes, the incident that the CSO talked about was pretty minor – it involved what sounds like an application error that allowed some people to jump the line when scheduling driving tests – but that is not the point.  Like most organizations, Pennsylvania’s government has a policy requiring employees to get prior approval before disclosing official matters.  I am sure that the CSO was aware of this policy and as a security professional and as a C level employee, he had a dual responsibility in this matter – to follow policies like any other employee and to set an example for others in his organization to follow in security matters.   He also had a responsibility to protect the image of his organization… at the very least, before speaking about this kind of an incident in public, he should have made sure that management was on board and that there was a public relations plan for any negative blowback.

Could this incident have been discussed in public without the need for firing?  I think so, although the final decision should have come from management.  Had the CSO given them a chance to weigh in, his participation in the RSA panel could have been a positive event for the DMV – showing lessons learned and all that.

If this particular CSO reported to me, I would have some serious questions about their judgment and their ability to safeguard confidential information.    I think it would be really difficult to regain that trust after this kind of incident.

Don’t get me wrong – I feel badly that this person was fired – this was probably one negative incident in a career filled with accomplishment and service.  But in the end, he made the choice that ended his employment.

OK – I just can’t resist one thing…  The “Security on this site” page of the DMV’s website recommends the use of Netscape Navigator 4.7 or IE 5.0 or greater as secure browsers and then goes on to tout the agency’s use of the “most recent versions of security software”…  DOH!

Jan 04

Here’s an interesting twist on the old Internet Pharmacy scam… we’ve all gotten those emails offering to sell us various pharmaceutical products without the need for a pesky prescription.  Now, I’m assuming that all of the readers of this blog are smart enough to keep their credit cards in their wallets and hit delete.  However, there are apparently enough dimbulbs out there to keep these guys in business.  They order the pills and get… real drugs?  expired drugs?  fake drugs?  Who knows?

Well the scammers have come up with a new way to extract further profits from the stupid… according to a news release from the US FDA, version 2.0 of the scam now comes with a twist.  After taking an order for Rx free drugs, the scammers apparently come back for a second round – they call the purchaser posing as FDA agents or other law enforcement types and threaten the mark with fines, arrest, deportation, property searches and the like.  The “agents” then tell their victims to provide a credit card or wire transfer the money to pay their fines and avoid further trouble.

This is the kind of thing that makes me wish I was unafflicted by a conscience… seems a lot easier than working for a living…

Dec 22
We shall bring the Great Satan to its knees... kill Twitter!  Bwah hah hah!

As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter.  Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.

Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it.  It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the DNS provider that provides the translation from “www.twitter.com” to the numeric IP address of their servers and instructed the DNS servers to send traffic to their server, which hosted their replacement home page.  The attackers used valid credentials, which were probably filched from a compromised email account or document swiped from Twitter servers.  The lesson here?  Guard those user names and passwords and don’t use the same password for all of your accounts!
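The flip side of “guard those credentials” is noticing quickly when someone has used them; the following is an added example (not code from the original post) of a baseline check that reports when a name’s A or NS answers drift to values the operator never configured. The domain, addresses and observation format are constructed assumptions; a real job would query the authoritative servers on a schedule instead of reading a list.

```python
# Added example, not from the original post: detect DNS answers that differ
# from a known-good baseline, which is what a registrar-credential hijack of
# the kind described above produces. All names and addresses are constructed.
from typing import Dict, List, Set, Tuple

# Known-good records for a hypothetical domain (constructed baseline).
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("www.example.com", "A"): {"192.0.2.10", "192.0.2.11"},
    ("example.com", "NS"): {"ns1.example-dns.net", "ns2.example-dns.net"},
}


def parse_observation(line: str) -> Tuple[str, str, str, str]:
    """Observation lines look like '<time> <name> <type> <value>' (constructed
    format). Names are normalised: lower-cased, trailing dot removed."""
    ts, name, rtype, value = line.split()
    return ts, name.lower().rstrip("."), rtype.upper(), value.lower().rstrip(".")


def detect_hijack(observations: List[str]) -> List[str]:
    """Return one alert per unexpected (name, type, value), stamped with the
    time it was first seen; repeats of the same bad value are not re-alerted."""
    alerts: List[str] = []
    seen: Set[Tuple[str, str, str]] = set()
    for line in observations:
        ts, name, rtype, value = parse_observation(line)
        allowed = BASELINE.get((name, rtype))
        if allowed is None:
            continue  # nothing in the baseline to compare against
        key = (name, rtype, value)
        if value not in allowed and key not in seen:
            seen.add(key)
            alerts.append(f"{ts} {name} {rtype} -> {value} is not in the baseline")
    return alerts


# Constructed observations: the 01:00 answers match the baseline, then both the
# web address and a name server change to values the operator never set up.
SAMPLE_OBSERVATIONS = [
    "2009-12-18T01:00Z www.example.com A 192.0.2.10",
    "2009-12-18T01:00Z example.com NS ns1.example-dns.net.",
    "2009-12-18T02:00Z www.example.com A 203.0.113.7",
    "2009-12-18T02:00Z example.com NS ns1.rogue-dns.example",
    "2009-12-18T03:00Z www.example.com A 203.0.113.7",
]

if __name__ == "__main__":
    for alert in detect_hijack(SAMPLE_OBSERVATIONS):
        print(alert)
```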

I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible.  However, I have found an answer to this issue… LastPass is a web site and browser add-in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome.  When you start your browser, you type in one password to decrypt the password files and you are set to go.  You can use 2 factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.

I have been using LastPass for a while now and have found it to be a breeze to use.  Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.

The main question is… are these guys trustworthy?  My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.

I’m using LastPass, and I’m prettay, prettay paranoid…


Dec 22

OK, before I get started with this blog entry, I want to be up front with you.  I have become a cliché… I am writing this from Starbucks whilst sipping a cafe mocha and leeching off their free ‘lectricity.  I have truly become one of those stereotype bloggers.  Shoot me now.  Anyway, on with the post…

It seems that the German government is getting together with ISPs to set up a help line for citizens whose PCs are infected with malware.  The ISPs will watch network traffic for signs of communications between zombie computers and their evil controllers.  When the ISPs detect malware activity, they will direct users to a website with instructions on getting their computers free of viruses, worms, back doors and the like.  For users who need additional help, 40 government employees will staff a call center dedicated to helping out.  (This truly sounds like a job from hell…).
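One of the simpler “signs of communication between zombies and their controllers” is a host that contacts the same outside address at clockwork intervals. As an added example (not code from the original post or from the German program), this beacon detector runs over constructed flow records and flags source/destination pairs whose inter-arrival times barely vary; the flow format, thresholds and addresses are assumptions.

```python
# Added example, not from the original post: flag hosts that "phone home" at
# regular intervals, a basic sign of bot-to-controller traffic. Flow format,
# addresses and thresholds are constructed; real detection would also use
# reputation data and protocol content.
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple


def parse_flow(line: str) -> Tuple[int, str, str, int]:
    """Flow lines look like '<epoch_seconds> <src_ip> <dst_ip> <bytes>'."""
    ts, src, dst, nbytes = line.split()
    return int(ts), src, dst, int(nbytes)


def find_beacons(flows: List[str], min_flows: int = 5,
                 max_jitter: float = 0.2) -> Dict[Tuple[str, str], float]:
    """Group flows by (src, dst) and flag pairs whose gaps between contacts are
    nearly constant (coefficient of variation <= max_jitter). Returns the
    flagged pairs mapped to their mean interval in seconds."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in flows:
        ts, src, dst, _ = parse_flow(line)
        times[(src, dst)].append(ts)
    beacons: Dict[Tuple[str, str], float] = {}
    for pair, stamps in times.items():
        if len(stamps) < min_flows:
            continue  # too few contacts to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


# Constructed flows: 10.0.0.5 reaches 203.0.113.9 every ~300 s (beacon-like);
# 10.0.0.6 talks to 198.51.100.20 at irregular, browsing-like times.
SAMPLE_FLOWS = [
    "1000 10.0.0.5 203.0.113.9 512", "1302 10.0.0.5 203.0.113.9 498",
    "1599 10.0.0.5 203.0.113.9 520", "1901 10.0.0.5 203.0.113.9 505",
    "2200 10.0.0.5 203.0.113.9 511", "2498 10.0.0.5 203.0.113.9 515",
    "1000 10.0.0.6 198.51.100.20 4000", "1040 10.0.0.6 198.51.100.20 9000",
    "1700 10.0.0.6 198.51.100.20 1200", "1710 10.0.0.6 198.51.100.20 8000",
    "2500 10.0.0.6 198.51.100.20 3000", "2510 10.0.0.6 198.51.100.20 300",
]

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: beacon every ~{interval:.0f} s")
```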

This is a great idea, which other countries should consider with one twist: vendors such as Microsoft, Apple, Adobe, and the like should be required to kick in some funding for this type of work.  After all, it is their software which opens the doors to cybercriminals and (potentially) cyberterrorists.  Maybe pegging the amount they have to pay to the number of security advisories issued by the CERT about their software would make sense.  It would be pretty easy to gauge the success of this type of an effort by tracking and publishing stats on the numbers of infected machines before and after. As for the cost beyond the vendor kick-ins, there are a lot of places in the US federal budget to get the money from…

What do you think?

Read more: Germany pays to clean malware from Windows PCs
