An acquaintance recently pointed out that she had visited this blog to learn more about me and noted that there has not been a lot of useful content as of late. I do have to admit that I am trying to figure out what I want to use this forum to accomplish, so I apologize for the lack of current usefulness.
Originally I had planned to use this blog to help fuel a side-business in IT consulting for small businesses, eventually growing into strictly InfoSec consulting. After two SANS classes in the last year, though, my skills and interests are moving in a more specific technical direction and I do not think that I am yet at a point where I can provide highly technical posts to push industry boundaries. I want to provide value, not marketing fluff, so I will need to see where I can add to the global body of knowledge in a productive manner.
I still enjoy helping small businesses learn about how to do things more securely and I am even more enamored with securing the confidentiality, integrity, and availability of information, so feel free to reach out if I can help you.
Otherwise, hey thanks for reading
A simple analogy for what a sandbox escape like this one means: we often let our toddler play by herself in a playpen. The playpen is designed with her safety in mind: she only has access to things we give her and is therefore safe. Imagine that she discovers that by pushing on one wall a certain way, she can wriggle out. She now has access to many things she should not, like the garbage can, diaper pail, computers, dog food, pantry… mayhem quickly ensues.
Oracle and security researchers keep going back and forth as to whether or not it has really been patched, but the general response in the Information Security community is that the Java browser plug-in is a powerful tool that most modern websites no longer need. If you do not really need it, uninstalling it (or at least disabling it in the browser) is better than chasing patches. If you are not sure whether you need Java, I suggest you turn it off and see if you run into issues, in which case you can turn it back on.
- “Unless it is absolutely necessary to run Java in web browsers, disable it” advises US Dept of Homeland Security
- US CERT Vulnerability Note VU#625617: Java 7 fails to restrict access to privileged code
- ZDNet: How to disable Java in your browser on Windows, Mac
What if you do need it, though? There are specific webinars that I need to attend that are Java-Based, so I have a separate browser used only for Java-based webinars. No checking Facebook or the Bank website, minimizing the risk of cross-pollination. As always, I would discourage allowing your browser to save passwords and login sessions as this can store information that other attacks can possibly retrieve.
Updating and patching browsers and other software is always a security best practice, but some workplaces have systems that cannot be patched or that need an outdated version of Java to run a proprietary tool. In that case the best strategy is back in the hands of your security team: block Java's access to the internet on your web proxy or application-layer firewall, allowing it to reach only the internal hosts that actually need it. The Java runtime identifies itself in its User-Agent header (a Java/<version> token), which is the simplest handle a proxy has for telling JVM traffic apart from the user's browser.
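Blocking at the proxy depends on recognising the Java runtime's own requests. As an added example (not code from the original post), the script below scans constructed combined-log-style proxy lines for the Java/<version> token that the JVM and browser plug-in put in their User-Agent header and reports any JVM request to a host outside an assumed internal allow list. The log lines, hosts and the allow list are made up for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in a combined-log style (client, request, status, size, referer, user agent).
# Entirely made up for this example; the hosts and addresses are not real.
SAMPLE_LOG = """\
10.0.0.12 - - [14/Jan/2013:09:15:02 -0700] "GET http://intranet.example.local/app.jnlp HTTP/1.1" 200 8820 "-" "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"
10.0.0.12 - - [14/Jan/2013:09:15:05 -0700] "GET http://www.example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
10.0.0.33 - - [14/Jan/2013:09:16:41 -0700] "GET http://cdn.badhost.example/x.jar HTTP/1.1" 200 34020 "-" "Java/1.6.0_31"
10.0.0.44 - - [14/Jan/2013:09:17:10 -0700] "GET http://webinar.example.net/client.jar HTTP/1.1" 200 98000 "-" "Mozilla/4.0 (Macintosh; U; Intel Mac OS X 10_8_2) Java/1.7.0_10"
"""

# One combined-log line: client, two ident fields, [timestamp], "METHOD URL PROTO", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The JVM and the browser plug-in both advertise themselves as Java/<major.minor.patch[_update]>
JAVA_UA_RE = re.compile(r'\bJava/(?P<ver>\d+\.\d+\.\d+(?:_\d+)?)')

# Assumption for the example: the only place Java is allowed to talk to is the intranet app server.
INTERNAL_HOSTS = ("intranet.example.local",)


def find_java_clients(log_text, allowed_hosts=INTERNAL_HOSTS):
    """Return (client_ip, host, java_version) for every JVM request to a host not on the allow list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        ua = JAVA_UA_RE.search(m.group("ua"))
        if not ua:
            continue                      # a normal browser, not the Java runtime
        host = urlsplit(m.group("url")).hostname or ""
        if host in allowed_hosts:
            continue                      # Java reaching a host it is supposed to reach
        hits.append((m.group("client"), host, ua.group("ver")))
    return hits


if __name__ == "__main__":
    for client, host, version in find_java_clients(SAMPLE_LOG):
        print(f"{client} ran Java {version} against {host}")
```

Run against the sample it reports the two JVM requests that left the intranet, including the webinar host; a real deployment would add legitimately required external hosts (such as that webinar service) to the allow list and turn the remaining hits into a deny rule or an alert.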
I had previously commented on Bruce Schneier’s continuing series of blog posts regarding the term “Security Theater” with regards to the TSA and similar public-reassuring efforts. A more recent post mentions the use of RFID tags to reassure new parents that they were safe from baby thieves.
Where we were for our daughter’s birth, they had a similar system, with an RFID tag on the umbilical cord linked to alarms and special bracelets identifying parents and child. I actually thought the bracelets were good for the prevention of mixing up the babies. We had to spend a couple nights at the facility and every time that anybody brought back our daughter from routine poking and prodding sessions, they always just checked the bracelets to ensure that we had the same serial number as the infant. Not a bad idea as a simple check-safe.
What I found more interesting was the RFID tag attached to her umbilical stump. There was a sensor system hooked up to external doors with a strobe and sound alarm. What I found interesting, though, was that internal and external doors were only monitored and locked after hours. At one point, I was picking my daughter up from some sort of medical tomfoolery and saw a strobe flashing over a door nearby. I asked the nurse about it and she explained that it meant that the external door on the other side of it was propped open, so the alarm would go off if I approached with my baby. As I needed to go through the door to reach the elevator, I opened it alone to see what the issue was and discovered a contractor laying new flooring in the external lobby, with the unlocked security door propped open with a small hatchet. I explained that he had triggered the first stage alarm and asked him to close the door, which he did quickly.
This surprised me, though… why had nobody on staff noticed that the strobe had been going off and why was the contractor unaware of the physical security constraints related to his work? Obviously this alarm was not a major concern, but just something to show nervous parents, anxious about lurking babysnatchers…
Hacking: The Next Generation
Nitech Dhanjani, Brett Hardin, Billy Rios
© 2009 O’Reilly Media
Although a three-year-old book, I was surprised to see how current and salient this book was. The approach is very hands-on and practical, with user-level examples, direct links to tools, and full code examples interspersed throughout the text.
The first topic covers the intelligence gathering phase of attacks, looking at how hackers would use everything from low-tech dumpster diving to more modern tactics like social engineering and mining the massive wealth of online information afforded by the shift to social media and self-publishing on blogs and the like.
More advanced technical attacks like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are introduced next, at a very technical level addressing experienced engineers and developers. Similarly, a chapter on blended threats provides a great overview of application protocol handler weaknesses and blended attacks. These two chapters were insightful and somewhat scary… very effective attacks and hard to defend against at either the personal or enterprise level.
A chapter on Protocol-based attacks and exploits (Telnet, FTP, SMTP, ARP) covers basic TCP/IP vulnerabilities and how they can be leveraged, including classic SMTP command line recon.
The usual attention is paid to current issues like Cloud security and mobile workforce. The former section discusses infrastructure and architecture used by industry leaders (Amazon, Google) and talks about hypothetical attacks in the cloud, like poisoning virtual machines, compromising management consoles, and using the cloud for phishing. The latter (mobile workforce) identifies risk incurred by the mobile devices, remote access, and tools like voicemail.
The authors discuss phishing, motivations, availability of phishing kits, and even phisher-on-phisher attacks. They then cover the use of online calendars and social media for social engineering, transitioning into a discussion of the value and techniques of directly targeting executives as opposed to opportunistic attacks. The final chapter covers an interesting pair of case studies. One covers a very low-tech use of social engineering and poor information controls to cause major damage to a company. The final looks at how the simplest controls can be forgotten in the quest to find that killer app to defend an enterprise.
No security measure guarantees that you are immune from hackers, but what follows is a best-practice set-up for WiFi that should offer reasonable protection. Basically, you want to change the default name and password, and you need to add encryption to prevent the general public from jumping on your network to steal your information or use your connection for nefarious deeds.
I plugged in an old WiFi access point (AP) and did a complete reset to factory settings. Looking at the back of the AP, I see that the default access address is http://192.168.0.227, the default user is “admin” and the default password is “password”. This information is freely available on the internet as well, so we will want to change this password as we configure the AP.
Entering http://192.168.0.227 into a browser and using the default credentials above, I am now able to set the AP up for home use. Every brand and model is different, so instead of a complete walkthrough, I will instead point out the default settings that you definitely want to turn off.
First off, now that you know that everybody on the internet knows your default password, let’s change it. Most APs and routers will differentiate between LAN settings, WiFi settings, and Security settings.
- Change the administrator password, use a secure password and keep it somewhere safe.
- If you have the option, it is always safer to turn off the ability to manage the device remotely from the Internet or over WiFi… better to restrict configuration to a computer directly attached to the device.
- AP name or network name (SSID): change it from the default, which advertises the brand and therefore which known vulnerabilities an attacker should try first.
- I also disable SSID broadcast so that you have to already know the name of the network to connect instead of advertising it to your neighbors. Treat this as tidiness rather than protection: a hidden SSID is still visible to anyone with a wireless sniffer the moment one of your devices connects, and your own devices will broadcast probes for the hidden name wherever they go.
- Turn off Wi-Fi Protected Setup (WPS). Its eight-digit PIN can be brute-forced in a matter of hours, which hands over the WPA2 key no matter how strong that key is.
- Select WPA2 security. WEP and WPA may be options, but both are considered outdated and insecure.
- For the cipher, choose AES (CCMP) rather than TKIP. TKIP was a stopgap carried over from WPA and has known weaknesses, and a mixed TKIP/AES mode lets a client negotiate down to the weaker one.
- Choose a secure WiFi password (the pre-shared key). Make it long; an attacker who records a single connection handshake can try guesses against it offline at their leisure, so a short key falls to the same brute-force and dictionary attacks as any other password. Write down the password and settings and keep them somewhere safe.
As you become more comfortable with the technology, you can dig deeper into the manual to find ways to enhance your security. I also use MAC address filters and tweak a few other settings, although MAC filtering is easily bypassed (addresses travel in the clear and can be cloned), so it is a convenience rather than a control. The base changes here should be a good start and make you reasonably secure.
All of a sudden, it seems, the news is full of stories about viruses and malware, massive data breaches, and hacker groups. One starts to wonder, what changed online and turned the internet into a battlezone?
Back in June, Freakonomics asked experts “Is There a Hacking Epidemic?” and “Why has there been such a spike in hacking recently?” and Bruce Schneier answered “I’m not sure there has been any recent increase of sophisticated cyberattacks. There has certainly been a recent increase in the press reporting incidences of sophisticated cyber attacks.”
It is true that better toolkits have evolved and that the advent of social networking has increased the amount of valuable information available on the web, but the real answer is that the threat landscape is not the primary reason for increased awareness. Information assurance has become the latest public concern and sells news. In the media, attention encourages more attention, so InfoSec is currently a hot topic for discussion. Organizations like Anonymous and LulzSec have capitalized on this attention for their own purposes, fueling even more attention as the media jumps to put a face on the adversary. Although the threat level has been high for some time, the public is suddenly aware of the risks.
I see this as a very good thing. By increasing awareness, the media is assisting the information security community in its mission. People are one of the biggest potential weaknesses in a company’s information assurance strategy and the education of users is a critical task. Information Security is not an IT issue, but a core business issue. No expensive castle defenses can compensate for the guy who leaves the drawbridge down. Although most employees understand the importance of security and would agree to adhere to policy, their actual commitment varies. When faced with a choice between compliance and expediency, the employee’s understanding of the policy and its rationale, combined with how important that employee’s management appears to consider it, will determine the choice made. This may seem like an unlikely risk with little impact, but it is actually of critical importance. A lack of employee understanding and commitment can defeat even the best laid strategy. By educating users as to the threat and the logic behind specific measures, InfoSec professionals can better ensure employee commitment to the overall security plan.
So this is where coverage by major media outlets helps our cause. When mainstream, respected sources report, the general public is less likely to discount security statements as paranoia and is more likely to listen.
The Wall Street Journal, one of the most read and respected business news sources, published an entire special section on the subject this week: The Journal Report: Leadership in Information Security. It provides a good overview, discussing the impact of social engineering, IT governance, entertainment and historical references, consumer dangers, and privacy.
The lead story, “What’s a Company’s Biggest Security Risk? You.” notes the increase in attention to phishing scams as a vector of concern. As other researchers have mentioned, increased public or semi-private sharing of information has led to better, more accurate phishing. Even security giants like RSA (they made the digital token your company most likely gave you for accessing the corporate network from home) have fallen victim to simple attacks via email attachments, resulting in massive loss of revenue and public trust. The story also explains how non-malevolent circumvention of corporate IT and InfoSec policy for personal use can seriously impact a company’s defensive stance.
When I first joined my company’s security team, my boss and I discussed an otherwise honest employee who had built a secure, hidden tunnel to his home network to protect online banking and personal email traffic from snooping. I saw little risk, but my more experienced boss explained that we also could not see what sites he visited that might be known malware distributors, we could not see what virus attachments he might open, and were he to go rogue, we would not be able to tell if he was sending company information home. Fortunately the employee ceased the activity without the need for even slight disciplinary action. He stopped tunneling out not because he was concerned that he would get in trouble, but because we explained the risk and he did not want to be the vector through which the company became infected. Information security succeeded in its mission through user education and commitment, instead of trying to enforce compliance.
One of the simplest and least expensive defenses is to insist on strong passwords. Passwords are often the only form of authentication in use, so organizations must maximize their effectiveness. Unfortunately ease of memory and difficulty of compromise are opposing forces.
If a password is too simple, it can be easy for an adversary to guess. When allowed to pick passwords free-form, normal people tend to choose names, things, or dates that they will be able to remember easily. Unfortunately this increases the chance that a social engineer can guess the password given some knowledge of the user’s hobbies and interests (like, say, the sorts of things we broadcast on Twitter and Facebook).
Conversely, if the password is too complicated, the user will have to write it down, increasing the chance that somebody can find and exploit it. When an organization seeks to mitigate this risk by generating passwords automatically from a random collection of characters, an adversary is more likely to find a password on a post-it note or saved in a text file. Remember the movie Wargames? Matthew Broderick’s character gains access to the school’s computer system because a secretary had the system password written on a post-it note under her keyboard.
Interestingly enough, the arithmetic shows that the size of the search space has far more to do with password length than with the character set used. The generally accepted count of possible passwords is n^L: the size of the character set raised to the power of the password length. For an eight-character password from the standard keyboard set of 94 printable characters, n^L = 94^8 = 6.10e15 combinations, so the probability of a single guess being correct is 1/n^L = 1/94^8 = 1.64e-16. Each extra character multiplies the space by 94, whereas growing the character set from 94 to, say, 120 symbols multiplies an eight-character space by only about seven.
I attempted to improve on this formula in vain… if you find statistics and math amusing, be sure to read the separate blog post Where my math went horribly awry.
With modern computing tools, attackers can test on the order of a billion candidate passwords per second against a stolen password hash (far more for fast, unsalted hashes on a GPU, far fewer for deliberately slow hashes such as bcrypt, and only a handful per second against an online login that rate-limits). At a billion guesses per second, assuming roughly 100 possible characters per position and that the whole space has to be searched (on average the password is found about halfway through), they could guess your password in:
- 10 seconds for a password containing 5 characters
- 1,000 seconds for a password containing 6 characters
- 1 day for a password containing 7 characters
- 115 days for a password containing 8 characters
- 31 years for a password containing 9 characters
- 3,000 years for a password containing 10 characters
The equation above shows that password length affects the search space more than the number of values each character can have, but attackers have an additional tool: the dictionary attack. These lists of words and commonly used passwords are tried in place of random characters, so something like “Passw0rd” is a single guess rather than a combination of eight characters. One must keep in mind that dictionary attacks collapse words into single guessable units, so “rover1” is effectively a two-token password (a word plus a digit), not a six-character one.
By knowing more about you through social media research, they can narrow these lists of words down. Big fan of Star Trek? You can bet they would guess NCC-1701 first!
This is also my concern with passphrases, though. A recent xkcd comic suggests that due to length, passphrases are harder to crack and easier to remember, but if they are composed of normal words, a dictionary attack can be adjusted to use words in combination, reducing the passphrase to a handful of guessable units again. The comic’s own 44-bit estimate already assumes exactly that: it counts each of four randomly chosen words as one unit drawn from about 2,000 candidates, which still beats a typical human-chosen eight-character password, but only if the words really are random. A memorable quotation or a sentence that makes sense is closer to one unit than four and is worth far less. A better solution would be to introduce the complexity of case and alternate characters into the passphrase words, but this again complicates the passphrase, increasing the likelihood that it will be written down or forgotten.
My suggested solution is to do what you can to balance complexity and ease of memory. As with many aspects of Information security, user education may be one of your strongest tools, explaining what makes a strong password and why you should not have it taped to the inside of your drawer. A tool like KeePass can help securely store and keep track of complex passwords.
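To make the arithmetic in this post concrete, here is an added Python example (not code from the original post) that computes the n^L search space, reproduces the time-to-crack table above (which corresponds to 100 symbols per position at a billion guesses per second, the whole space exhausted), and then re-scores “Passw0rd”, “rover1” and a four-word passphrase the way a dictionary attack sees them, as a product of guessable units. The wordlist size, digit count and 2048-word passphrase list are assumptions for the comparison, not figures from the post.

```python
import math

RATE = 1e9  # guesses per second, the rate assumed in the post


def search_space(symbols, length):
    """Candidate passwords when order matters and repetition is allowed: symbols ** length."""
    return symbols ** length


def bits(space):
    """Size of a search space expressed in bits (log2)."""
    return math.log2(space)


def seconds_to_exhaust(space, rate=RATE):
    """Worst case for the attacker: the whole space must be searched. Expect about half on average."""
    return space / rate


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_table(symbols, lengths=range(5, 11), rate=RATE):
    """(length, search space, time to exhaust) per length; symbols=100 reproduces the post's table."""
    return [(L, search_space(symbols, L), human(seconds_to_exhaust(search_space(symbols, L), rate)))
            for L in lengths]


def token_space(token_sizes):
    """A dictionary attack treats each guessable unit (a whole word, a digit, a mangling rule) as
    one symbol, so the space is the product of the candidates per unit, not symbols ** characters."""
    return math.prod(token_sizes)


# Assumed attacker resources for the comparison (constructed for this example, not from the post):
WORDLIST = 100_000    # a cracking wordlist that already contains spellings such as "Passw0rd"
DIGIT = 10            # one appended digit, as in "rover1"
XKCD_WORDS = 2048     # the comic's roughly 2^11-word list, four words chosen at random


def comparison(rate=RATE):
    """Bits and time-to-exhaust for the examples discussed in the post."""
    cases = {
        "8 random chars, 94 symbols": search_space(94, 8),
        "Passw0rd (one wordlist entry)": token_space([WORDLIST]),
        "rover1 (word + digit)": token_space([WORDLIST, DIGIT]),
        "4 random words from 2048": token_space([XKCD_WORDS] * 4),
    }
    return {name: (round(bits(space), 1), human(seconds_to_exhaust(space, rate)))
            for name, space in cases.items()}


if __name__ == "__main__":
    for row in crack_table(100):
        print(row)
    for name, (b, t) in comparison().items():
        print(f"{name:32s} {b:5.1f} bits  {t}")
```

The table confirms the post’s numbers once the 100-symbol assumption is made explicit (94 printable ASCII characters give about 70 days for eight characters instead of 115). The second part shows why “rover1” falls in milliseconds while four genuinely random words hold up for hours at the same rate, and why eight truly random characters still beat both.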
To paraphrase Paul Steinbart, the effectiveness of any password depends on the password length, characters used, randomness, length of time used, and how secret the password is kept. On this last item, he notes:
“Passwords are like toothbrushes – you should not share them and you should change them periodically”
In Professor Paul Steinbart’s MSIM Information Security and Controls course (CIS 591 at ASU’s W.P. Carey) we discussed password strength and were introduced to the equation n^L for determining the number of combinations possible, given a password L characters long where each character is selected from a set of n possible values.
For an eight character password from the standard keyboard set of 94 characters, n^L = 94^8 = 6.10e15 combinations, so the probability of guessing correctly is 1/n^L = 1/94^8 = 1.64e-16.
The illustrative purpose is to show how increasing the length of the password has a far greater effect on password strength than increasing the character set used.
Unfortunately, this class happened soon enough after my mandatory Statistics classes, leading to ego-driven extrapolation as to how I could use my recently-acquired knowledge to improve the calculations. I pondered this and thought that there must be a more precise way to determine the likelihood of a correct guess based on probability and binomial coefficients. The binomial distribution is used in Statistics to predict the likelihood of an event when one has two mutually exclusive and collectively exhaustive categories (e.g. has to be a successful or failed guess, cannot be both or neither) and the probability remains constant (a result does not change the probability of a subsequent result).
Applying the binomial distribution, we can determine P(x) as the probability of correctly guessing x out of n characters, given probability p for each character. Solving this for the probability of guessing eight out of eight, with p = 1/94 ≈ 0.0106 (one out of 94 possible characters):
My thoughts were that although this is not an exact match, for the purposes of Information Security, 0.000000000000000159 and 0.000000000000000164 are close enough to show the strength of the password in question. (In fact the whole gap is rounding: with p = 1/94 carried exactly rather than rounded to 0.0106, the binomial result is p^8 = 1/94^8 = 1.64e-16, identical to the class formula.)
My next thought, though was that if there is a finite distribution, should this not be Hypergeometric Distribution instead? The answer is no… the sampling is carried out with replacement as you can use the same value as many times as you want as opposed to only once. The probability of each attempt is therefore independent as per the definition of the binomial distribution.
My second concern was that the number of combinations of selecting X objects out of n objects is defined as follows:
So for eight characters from 94 possible characters:
= 111,315,063,717 eight-character combinations. (1.11e11)
This does not match up with n^L = 94^8 = 6.10e15 as above, but this is because the equation is for combinations without repetitions, so we would actually need to use a different binomial coefficient:
Therefore, where: n= 94 and X= 8 as above,
So now we are seeing the potential for 2.02e11 eight-character combinations. Still far different from 6.10e15. Where am I going wrong?
My next epiphany was that I was using the wrong formulas. Combination is when order doesn’t matter; permutation is when the order does matter. In the case of passwords, order most definitely does matter.
In researching permutation, I came across the formula nPr for the permutations possible when choosing r items from a set of n values. I calculate 94P8 = 4.49e15. Closer to n^L = 94^8 = 6.10e15 but not quite there yet… what am I missing?
As it turns out, this is for selecting finite and unique items. I would again need a different formula if allowing for repetition as above. Realizing this, I dove further into the internet to determine what the formula to use for permutation with replacement.
Finally, I learned that the formula for permutation with repetition is n^r, where n is the number of things to choose from and you choose r of them (repetition allowed and order matters), which brings us back to (character set)^(password length), expressed as n^L.
So there we are. A lot of wasted math only to arrive back at the formula we learned in class.
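The detour above is worth carrying through in code, because seeing all four counting formulas side by side for the same n and L makes the choice obvious. This is an added Python example, not code from the original post or the course; it recomputes each intermediate figure quoted above (C(94,8), the with-repetition coefficient C(101,8), 94P8 and 94^8) and shows that the binomial probability matches 1/94^8 exactly once p is no longer rounded.

```python
import math


def combinations_no_repeat(n, k):
    """C(n, k) = n! / (k! (n-k)!): choose k distinct items, order ignored."""
    return math.comb(n, k)


def combinations_with_repeat(n, k):
    """C(n+k-1, k): choose k items, repetition allowed, order still ignored (multisets)."""
    return math.comb(n + k - 1, k)


def permutations_no_repeat(n, k):
    """P(n, k) = n! / (n-k)!: order matters, each item used at most once."""
    return math.perm(n, k)


def permutations_with_repeat(n, k):
    """n^k: order matters and repetition is allowed, the only model that fits a password."""
    return n ** k


def binomial_pmf(x, k, p):
    """P(X = x) for k independent trials, each succeeding with probability p."""
    return math.comb(k, x) * p ** x * (1 - p) ** (k - x)


def compare(n=94, L=8):
    """Every counting formula tried in the post, for an L-character password over n symbols."""
    return {
        "C(n,L)": combinations_no_repeat(n, L),          # 1.11e11: unordered, no repeats
        "C(n+L-1,L)": combinations_with_repeat(n, L),    # 2.02e11: unordered, repeats allowed
        "P(n,L)": permutations_no_repeat(n, L),          # 4.49e15: ordered, no repeats
        "n^L": permutations_with_repeat(n, L),           # 6.10e15: ordered, repeats allowed
    }


def guess_probability(n=94, L=8):
    """(binomial with exact p, binomial with p rounded to 4 places, 1/n^L).
    The first and third agree; the second is the 1.59e-16 figure from the post."""
    exact = binomial_pmf(L, L, 1 / n)
    rounded = binomial_pmf(L, L, round(1 / n, 4))
    return exact, rounded, 1 / n ** L


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:12s} {value:>20,d}  ({value:.2e})")
    exact, rounded, direct = guess_probability()
    print(f"binomial exact p: {exact:.3e}   binomial p=0.0106: {rounded:.3e}   1/n^L: {direct:.3e}")
```

Only the last row of the comparison counts what a password actually is: an ordered sequence in which any symbol may recur. The other three each drop one of those two properties, which is why they come up short by factors of thousands (for the unordered forms) or by about 26% (for ordered without repeats, since P(94,8)/94^8 is the probability that eight random characters happen to be all different).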
I have been going nuts trying to find a missing USB thumb drive over the past three weeks or so. It was a little 2 GB thing that I used for mobile content. I had vacation photos, my current resume, scanned PDFs of certifications and diplomas, and (more importantly to this forum) all of the half-completed blog posts that I had been working on over the last year or so.
Although this is a huge pain and stressor for me, it really illustrates several important issues: security best practices that I myself have hypocritically neglected.
Make regular backups of your data and keep them safe. I actually used to regularly copy all of the data from the thumb drive on my keychain into a folder named “fob” on my PC on a semi-regular basis. Why I did not continue this practice is lost upon me, as that backup would be a huge boon right about now…
I have a removable drive that I use to backup important data from my home computers in case of a fatal system crash, damaged hard drive, etc. I usually store it off site so that I do not lose my scans of important documents or every digital photo that I have ever taken should we have a fire or something.
Encrypt removable data storage (and non-removable data storage where practical). The removable drive above is an encrypted TrueCrypt volume to protect the confidentiality of the data stored. Ironically, I discovered that the thumb drive was missing after deciding that I should really copy the data over somewhere and encrypt it as I usually do for removable data storage (like literally every other thumb drive I have ever used!). TrueCrypt is a free program that can encrypt either a specific size volume or an entire disk. I use it to create “lockboxes” on computers and to perform whole-disk-encryption on laptop computers and removable storage media (with one rather embarrassing exception, of course!).
Keep your PII (Personally Identifiable Information) safe and secure. Fortunately there was little personal data on my missing thumb drive, but there are still many things that an identity thief could find useful. Scans of certificates, copies of cover letters and documents, and every note or handout I had from my Master’s program could all be used to increase the believability of a scam impersonating me. Although the database would be encrypted, I am very glad that my KeePass data was not on the lost device. Really, though, I had no reason to carry all of that around with me, so a better practice would have been to keep it secure in a lockbox on my PC instead of a very easy-to-lose fob. This is similar to why you would not want to carry a list of passwords in your wallet.
So what have I learned? Don’t put important, unencrypted information on a small and easy to misplace device! Friends have suggested DropBox or similar cloud-based solutions, but going forward, I will most likely rely on the fully-encrypted fob on my physical keychain, only store what I really need on it, and back it up weekly in case of loss.
There was quite a bit of news coverage this week regarding the information breach at Epsilon. I was asked whether or not this is something about which the average home internet user should be concerned.
Have you ever opted in to receive marketing email from a company with which you do business? Companies like Epsilon are hired to maintain address lists and send out literally billions of emails each year on behalf of retailers, charities, banks, and other organizations. It is similar to spam, but is a legal and usually at least nominally invited form. According to the news reports and statements from Epsilon, hackers were able to compromise their databases and acquire an unknown number of email addresses and possibly the associated names. GovInfoSecurity has posted a list of the affected companies announced thus far, many of which are already notifying customers of the breach.
So no, they did not really get a lot of information, but yes, there is still a slight risk. In theory, by obtaining a list of addresses and names and assuming that they know the company that had them, criminals could use the information to refine phishing attempts into spearphishing attacks.
Phishing is an e-mail impersonating a business, usually a bank or other financial institution, designed to lure the recipient to a web page that mimics that business and collects login or account details so that the attacker can steal funds from the recipient’s account.
Spearphishing is a newer development in which the attacker uses information that they already have about you to personalize the message and increase its believability. This is one of the risks that social media adds: an attacker can use information you post about yourself on the internet to craft a credible-sounding message. You are more likely to click on a scam link in an email that looks like it came from your bank or favorite business than from an unknown source.
The real answer, then, is that there is nothing of concern inherent in the stolen information in and of itself, but the risk of spearphishing has increased and internet users should be careful.
Beware of unsolicited emails with links or images claiming to be from a bank or business. Mouse over the link and check that the address shown in the browser’s status bar matches where the text claims it goes; the visible text of a link and its real destination are independent, and the text is the part the attacker writes. Companies with whom you have a business relationship are not really going to terminate that relationship if you did not go to a website or install some program… that just does not make sense. If you really think that it is legitimate, go to the company’s website as you normally would instead of following the email link. Better still, call the company’s helpdesk and see if they really sent you a notification.
Brian Krebs has posted a great article on Avoiding Phishing Scams if you want to read more. McAfee has a page with several useful articles on the subject (interlaced with a lot of marketing material about buying protection from them…) and notes that if you are determined to click the link and try, enter the wrong password first… a scam site won’t know and will accept your bad password! Do not lean on that trick, though: a phishing site can simply relay your attempt to the real login page and reject a wrong password just as the real site would, and by then you have already handed over your username and shown the attacker that the address is live.
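The mouse-over check compares two independent things: the text a link displays and the address it actually points to. As an added example, not code from the original post, the Python checker below pulls every link out of a constructed HTML message and flags anchors whose visible text names one domain while the href goes to another. The sample message and every domain in it are invented, and the two-label “registered domain” comparison is a stand-in for a proper Public Suffix List lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body, made up for this example; not a real phishing e-mail.
SAMPLE_HTML = """
<p>Dear customer, your account will be closed unless you verify it at
<a href="http://secure-login.example-bank.com.verify-acct.example/login">https://www.example-bank.com/login</a>.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>
or <a href="https://cdn.tracking.example/open?id=123">click here</a>.</p>
"""


def registered_domain(host):
    """Crude last-two-labels fallback: 'www.example-bank.com' -> 'example-bank.com'.
    Assumption for the example; real code should consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname from a URL or a bare 'host/path' string; None if the text is not URL-like."""
    candidate = text if "://" in text else "http://" + text
    host = urlsplit(candidate).hostname
    return host if host and "." in host else None


def check_links(html):
    """Classify each link as 'ok' (shown domain matches the destination), 'mismatch'
    (text shows one domain but the href goes elsewhere) or 'opaque' (text is not a URL,
    so the destination domain is returned for the reader to judge)."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        href_domain = registered_domain(urlsplit(href).hostname or "")
        shown = host_of(text)
        if shown is None:
            verdict = "opaque"
        elif registered_domain(shown) == href_domain:
            verdict = "ok"
        else:
            verdict = "mismatch"
        results.append((verdict, text, href_domain))
    return results


if __name__ == "__main__":
    for verdict, text, domain in check_links(SAMPLE_HTML):
        print(f"{verdict:9s} {text!r:40s} -> {domain}")
```

The first link is the classic trick: the text reads as the bank’s address, but the real hostname ends in an unrelated domain and the bank’s name is just a subdomain label. An “opaque” link such as “click here” cannot be judged from its text at all, which is exactly the case where the advice above applies: type the company’s address yourself rather than following the link.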
So, as any IT person worth their salt will tell you, beware of weird emails and attachments, keep your computer patched and Anti-Virus signatures up to date, and always be skeptical.