Jan 27

...but you do have to give up your passwords

Interesting and depressing post from Ars Technica:

A federal judge has ruled that a Colorado woman can be compelled to decrypt her encrypted laptop so that the police can inspect it for incriminating evidence. The woman, Ramona Fricosu, is a defendant in a mortgage scam case. She had argued that the Fifth Amendment’s privilege against self-incrimination protected her from having to disclose the password to her hard drive, which was encrypted using PGP Desktop.

The rest of the sordid details can be found here.

It seems to me that forcing someone to reveal a password to a computer which might contain incriminating documents should be construed in the same way as forcing them to provide other self-incriminating testimony.  Just saying…

Nov 28

Interesting post from security and cyberwarfare blog Digital Dao on how changes in Russian law will make it more difficult for foreign firms and investigators to track down the owners of .ru domains used for nefarious purposes.  Not a positive development.

Oct 14

Here is a textbook description of what companies should NOT do when someone privately reports a security vulnerability in their publicly available web site which is chock full of PII…

SC Magazine:
Security Researcher Threatened with Vulnerability Repair Bill

A couple of observations about the article…

The guy who found and reported the vulnerability was a customer of the firm in question and seems to have done everything in an above board manner.

It sounds like the vulnerability involved changing a single parameter in a URL in order to access another customer’s account.  Whoever designed/wrote that application needs some serious re-edumacation at the very least.  Maybe these are the folks who should be paying to fix the vulnerability.

I’m not sure why they are demanding the researcher’s computer.  The nature of the vulnerability would make it extremely easy to make sure he did not access additional PII by simply reading the web server logs.
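As an added example (not the article's or the firm's code), the first function below shows the pattern the article describes, a lookup keyed only on the URL parameter, beside a version that checks the record belongs to the logged-in user, and a small audit over constructed log lines of the kind that would show whether any cross-account reads happened; the account data, the log format and the field names are all assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: account id -> (owner username, customer record).
ACCOUNTS: Dict[str, Tuple[str, dict]] = {
    "1001": ("alice", {"name": "Alice A.", "ssn_last4": "1234"}),
    "1002": ("bob", {"name": "Bob B.", "ssn_last4": "9876"}),
}

def get_account_vulnerable(session_user: str, acct_id: str) -> Optional[dict]:
    """Returns whatever record the URL parameter names; the session user is never consulted."""
    entry = ACCOUNTS.get(acct_id)
    return entry[1] if entry else None

def get_account_fixed(session_user: str, acct_id: str) -> Optional[dict]:
    """Same lookup, but the record is released only if it belongs to the authenticated user."""
    entry = ACCOUNTS.get(acct_id)
    if entry is None or entry[0] != session_user:
        return None  # answer "not yours" exactly like "does not exist"
    return entry[1]

# Constructed access-log lines in an assumed format: session user, method, path, HTTP status.
SAMPLE_LOG = """\
alice GET /account?acct=1001 200
alice GET /account?acct=1002 200
bob GET /account?acct=1002 200
bob GET /account?acct=1001 200
bob GET /account?acct=1003 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)\?acct=(\d+) (\d{3})$")

def cross_account_hits(log_text: str) -> List[dict]:
    """List successful requests whose acct parameter names an account the session user does not own."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not account lookups
        user, _method, _path, acct_id, status = m.groups()
        owner = ACCOUNTS.get(acct_id, (None, None))[0]
        if status == "200" and owner != user:
            hits.append({"user": user, "acct": acct_id, "owner": owner})
    return hits
```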

I’ll bet that plenty of people at this organization are wishing that this incident never hit the news.  Had they simply thanked the researcher and fixed the bug, their customers and business would have been protected and they would not have gotten such a public flogging.  If I were a customer of theirs, I’d be wondering about the rest of their information security right about now.

So, to sum things up… WTF!

Aug 18

…how often companies botch the termination process for an employee with “destroy the network access” and are then shocked, shocked I tells ya, when the network is, in fact, destroyed.  This week’s episode is especially chock full of security fail…  Network administrator dude resigns from company over a dispute with a senior manager.  His former manager (and close friend) convinces the company to keep said dude on as a consultant due to his deep knowledge of said company’s networks (FAIL!!!).  Fast forward a few months… the manager/friend now finds out that *he* is about to be laid off.  He refuses to hand over some passwords and his buddy logs in using valid credentials from a local McDonalds and deletes a bunch of VMs… according to a story on Wired’s Threat Level Blog:

“The Feb. 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail,” according to the complaint filed against him, which asserted that the hack cost Shionogi about $300,000. That figure rose to $800,000 in later court documents.

Really, really basic controls broke down here… if someone with “destroy the network access” is upset enough to leave the company (especially in a crappy economy like we are in now) – show them the freaking door and cut all of their access before it hits them in the ass on the way out!  And don’t allow vital knowledge to accumulate in one person’s head, making them irreplaceable.  Finally, make sure that there are checks and balances in the termination process to ensure that these steps are completed quickly and properly.  This is infosec 101, people!

May 14

Sharing is for weenies. (This is why it is good that I have no kids)

From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare.  Some researchers in Belgium did some poking around on these sites and the results are yet another demonstration that security through obscurity just doesn’t cut it.

May 09

He may look like Inspector Clouseau, but... oh, wait...

I love the obituaries in UK newspapers… none of that namby pamby covering up of the dearly departed’s foibles or less than stellar achievements.  This past week, the Telegraph ran a (sort of) tribute to Colonel Albert Bachmann who, in the words of the obit writer, “had reduced the Swiss military intelligence agency, in which he had mysteriously managed to rise to a senior role, to a state bordering on chaos, not to mention bankruptcy. So catastrophic was his impact that, when he was finally unmasked, many assumed he must be a double agent. He was not.”

Read all about it here…

May 02

Cloud storage provider DropBox provides a great example of some of the security issues that individuals and companies face when entrusting sensitive data to the cloud.  Over the past few weeks, DropBox has made the news twice regarding its security, and we all know that making the news is generally not a good thing when it comes to security.

Dropbox’s first issue came up in early April, when a security researcher named Derek Newton discovered a significant weakness in the service’s authentication mechanism.  One of the primary benefits of DropBox is that it allows the user to set up synchronized file systems across multiple devices.  When files are added to, modified on or deleted from any DropBox enabled computer, iPhone, iPad or other device, the changes are automatically replicated to all of the other devices associated with the user’s account.  This is a really useful feature for many people.  In order for this file synchronization to work properly, you need to install a piece of software on each device used to access your account.  Newton found that the Windows DropBox client stores the information needed to access the DropBox server in a configuration file which contains a “host ID” used to authenticate to DropBox.  Simply by copying this file to another computer with the DropBox software installed on it, an attacker would have full read/write access to the files in the DropBox account.

This opens up a whole range of possibilities for attackers.  For instance, it would be possible to write malware which specifically looks for the DropBox configuration file and sends it back to the attacker.  Once an attacker has the configuration file, they would have continued access to the compromised DropBox account even after the malware was removed from the user’s computer.  The user would have to remove their own computer from the list of devices allowed to access their DropBox account and reinstall the software to close the door on the attacker.

As of today, the vulnerability still exists… DropBox plans to rollout a software update which would make the configuration file useless on a second machine, but has not provided a timeline for remediation.  I would recommend not using DropBox until such a fix is made.
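As an added example (not Dropbox's code or design), this toy model contrasts a bearer host ID, where a copied configuration file logs in from any machine, with a challenge-response proof that also mixes in a fingerprint of the machine the client is running on, and includes the per-device revocation the post describes as the user's only remedy. The class and function names, the fingerprint inputs and the protocol are all assumptions; real device binding rests on hardware-protected keys, not a hash of a hostname and serial number.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

def machine_fingerprint(hostname: str, disk_serial: str) -> str:
    """Constructed stand-in for an identifier of the machine the client is actually running on."""
    return hashlib.sha256(f"{hostname}|{disk_serial}".encode()).hexdigest()

class SyncServer:
    def __init__(self) -> None:
        self.devices: Dict[str, Tuple[bytes, str]] = {}  # host_id -> (device secret, fingerprint)
        self.revoked: set = set()

    def register(self, fingerprint: str) -> Tuple[str, bytes]:
        host_id, host_secret = secrets.token_hex(16), secrets.token_bytes(32)
        self.devices[host_id] = (host_secret, fingerprint)
        return host_id, host_secret  # what the client writes into its config file

    def revoke(self, host_id: str) -> None:
        self.revoked.add(host_id)  # the "remove this device from the account" remedy

    def auth_bearer(self, host_id: str) -> bool:
        # Weak scheme: the host_id alone is the credential, so a copied config works anywhere.
        return host_id in self.devices and host_id not in self.revoked

    def auth_bound(self, host_id: str, nonce: bytes, proof: str) -> bool:
        # Bound scheme: the proof must cover a fresh nonce and the fingerprint registered for host_id.
        if host_id not in self.devices or host_id in self.revoked:
            return False
        secret, fingerprint = self.devices[host_id]
        expected = hmac.new(secret, nonce + fingerprint.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, proof)

def client_proof(host_secret: bytes, nonce: bytes, fingerprint: str) -> str:
    """Client side: config-file secret plus the fingerprint of the machine it runs on right now."""
    return hmac.new(host_secret, nonce + fingerprint.encode(), hashlib.sha256).hexdigest()

def demo() -> Tuple[bool, bool, bool]:
    """(bearer accepts copied config, bound accepts copied config, bound accepts original machine)."""
    server = SyncServer()
    owner_fp = machine_fingerprint("alice-laptop", "CONSTRUCTED-SERIAL-001")
    host_id, host_secret = server.register(owner_fp)
    other_fp = machine_fingerprint("other-box", "CONSTRUCTED-SERIAL-002")  # config copied here
    nonce = secrets.token_bytes(16)
    copied_bearer = server.auth_bearer(host_id)
    copied_bound = server.auth_bound(host_id, nonce, client_proof(host_secret, nonce, other_fp))
    nonce = secrets.token_bytes(16)
    original_bound = server.auth_bound(host_id, nonce, client_proof(host_secret, nonce, owner_fp))
    return copied_bearer, copied_bound, original_bound
```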

DropBox also made the news for a change in their terms of service.  The original terms of service assured users that since their files were stored in encrypted form on the DropBox servers, DropBox employees could not peek into their data.  Well, it turns out that this is not exactly the case.  A “limited number” of DropBox employees do, in fact, have the ability to decrypt user files in order to comply with law enforcement requests for data in connection with an investigation.  Now, I understand that DropBox wants to be a good corporate citizen, but there is a significant distinction between “our employees can’t read your data” and “only some of our employees can read your data.”  I applaud DropBox for making their terms of service clearer (and more accurate), but this incident (and the reaction from DropBox users) is an example of one of the major problems facing users and organizations when they make the decision to move their data to the cloud.

The problem is twofold… customers don’t know the right questions to ask and vendors just don’t seem to understand that users require security for their cloud data, even if they cannot exactly describe what security measures they are looking for.  A recent Ponemon survey on cloud computing providers’ views of the security of their services showed that among survey respondents (who we can assume are amongst the more security aware providers), vendors had the least confidence regarding some important security features of their services, such as

  • Their ability to authenticate users before granting access
  • Their ability to prevent or curtail external attacks
  • Their ability to encrypt sensitive or confidential information assets whenever feasible
  • Their ability to determine the root cause of cyber attacks

It is clear to me that many individuals and businesses are rushing in to take advantage of the cost advantages and convenience of cloud computing without knowing how safe or unsafe their information is while it rests in the cloud.  The efforts of organizations like the Cloud Security Alliance to develop baseline language, best practices and assessment tools are a step in the right direction, but the road to cloud security is still foggy and treacherous.

Jan 12

bus-ted

By alberg | hacks, online security, worst practices

Back in May, I wrote about the Commonwealth of Massachusetts’ kick ass new data protection law, which looked like it could really encourage companies doing business in the state to pay more attention to the security of customer information.  Well, since the law’s passage, there has not been any enforcement action in connection with it, and the MA Attorney General has not issued any guidance for companies as to how to comply with the law’s provisions.  This may be about to change, however, thanks to a recently reported breach of the credit card numbers and personal information of 1800 MA residents (amongst a total of 110,000 records stolen) resulting from a hack of the web server of New York City based CitySights (a tour bus operator).  I really hope that MA throws the proverbial book at these guys.  For one thing, they violated both PCI standards and common sense by storing credit card CVV2 codes with the associated credit card numbers.  More importantly, they consistently mistake me for a tourist as I walk around midtown and try to sell me tour bus tickets.  Do I look like a freakin tourist???

Sep 06

Last week, an experiment conducted by Duke University and the European RIPE Network Control Center got a little bit out of hand, interrupting Internet traffic in 60 countries worldwide.  In all, about one percent of Internet traffic was affected by the test gone awry.  One percent of Internet traffic does not sound like a lot – most of that traffic was probably illegal file sharing, lolcats and porn, but what if your Internet based business was affected?  My employer (who shall remain nameless and whose opinions this post does not reflect) is an Internet based business in which the value of each (time sensitive) transaction is probably thousands of times the average for the rest of the net.  We were not affected by the testers’ little oopsie, but had we been, the potential losses would have been significant.  I am sure my company is not the only one in such a situation.

Yes, Cisco did fix the bug which caused this particular outage, but I think that this incident points out some questions that really need to be answered:

Should researchers be conducting experiments on the Internet with potential for widespread negative impact on a shared business resource? If someone ran this type of potentially disruptive testing on my company’s network during business hours, I’d be looking for them to be fired, sued, arrested and forced to listen to this album for the rest of their lives.  Researchers need to realize that the Internet is the planet’s “production network” with no “maintenance window” and that the same best practices we follow in the enterprise (separate test environment, for example) need to be followed when tinkering with its innards.

Had someone experienced significant financial losses due to this experiment, what would its recourse be? No one expects the Internet to be free of glitches and outages, but in this case, a conscious decision was made to do something which could reasonably be expected to cause problems.  Could there be lawsuits here?  Are the researchers exposing their organizations to potentially ginormous liability?  If the damaged party was in, say, Asia, who would have jurisdiction over the case and where would it be tried?

In an era where cyberspace is increasingly recognized as a “battlespace,” could an experiment such as this (on a larger scale) be mistaken for a cyber attack and possibly lead to real world hostilities?

Researchers and governments should take this opportunity to stop and think about the “rules of the road” for the global Internet.  Long ago, we all recognized that the oceans are a common resource and that we need a Law of the Sea to allow us to agree on what is and is not acceptable on the bounding main.  It seems to me that the Internet is the sea of the 21st century and needs a similar set of supranational rules to ensure that it is accessible to all.  Are you listening, UN?

Aug 25

It turns out that helium is important for more than party balloons and making our voices high and squeaky… and that we may run out of the stuff in spite of the fact that it is the second most abundant element in the universe (after hydrogen).  Amongst atomic element number 2’s many uses are cryogenics (required for MRI scans) and the manufacture of semiconductors, optic fiber and liquid crystal displays.  Here on Earth, there is a finite supply of helium, half of which sits in the US Government’s Federal Helium Program stockpiles.  In 1996, the US Congress decided to mandate that the entire stockpile be sold off by 2015.  The result?  Bargain basement helium prices which encourage waste.  Many of the applications for helium can be designed to recapture and reuse the gas, but since the stuff is so cheap, there is no incentive for users to manage the supplies in a sane manner.  As a result, we could run out of the gas within 25 years.

Currently, there is no commercially viable way to make more helium – our supplies here on Earth are the result of radioactive decay, and extracting helium from the air would result in prices many thousands of times higher than today (think $100 for a single party balloon).  And I shudder to think how much a big screen TV would cost in a helium poor world (now we are talking an emergency the public can understand).

Seems to me that Congress screwed up here and we still have time to fix the problem – simply raise the price of helium to a point where it makes sense to conserve the stuff.   It seems to me that the need for helium is going to grow over the coming years and we are setting ourselves up for a totally avoidable problem – time to write the congress-creatures…
