ContraRISK

Sep 15

Watch out! Hackers!

The very word ‘hacking’ is enough to make some people paranoid. Of course, it doesn’t help if they’re paranoid already.

Case in point: last week I was on a Certified Ethical Hacker (CEH) course in the UK. Right at the beginning, our instructor warned, “If anything goes wrong, even if the Coke machine breaks, we’ll get blamed”. And so it proved.

The training facility was alongside a hotel that is used by a number of training companies. In the bar, you’re likely to bump into all kinds of people. A couple of the lads on our course got talking to some people who refused to say what they did for a living or what kind of training they were doing. As it happens, we’d already discovered, by other means, that they were undercover police officers. I wasn’t there, but apparently, when they learned that we were hackers in training, their jaws hit the floor.

Sure enough, the next day the manager of our training company stormed into the classroom and read us the riot act. Someone, he alleged, had been hacking outside of our subnet. ‘Someone’ had complained they were being hacked. We all knew who that was.

It was nonsense, of course. Okay, we had a couple of minor glitches. One of the students thought it funny to email the trojan we’d just built to all his mates. (It would have been picked up by anti-virus software in a millisecond and, in any case, wouldn’t have worked outside our network.) And a fellow student and I caused the receptionist to have to reset the wi-fi access point. We’d been using the Zyxel device as the zombie in an Nmap idle scan, which bounces probes off a third host with a predictable IP ID counter and reads the state of that host’s network stack; the little access point evidently didn’t enjoy the attention. But hey, that device was on our subnet and therefore classed as ‘fair game’.

It seems that no-one pays attention to that ‘ethical’ adjective. If they hear the word ‘hacker’ they feel under attack. Oh well…

Sep 02

Wikileaks’ security failure

Wikileaks has committed a cardinal security sin, and is busy trying to blame it on The Guardian.

It all revolves around the infamous ‘Cablegate’ memos - the US diplomatic cables that Wikileaks has been peddling for some time now.

Wikileaks has been working with media organisations in an attempt to release the material in a piecemeal fashion. The reason for this is to cherry-pick the most significant material in order to make the greatest impact. And, although Julian Assange was at first somewhat indifferent to the possibly dangerous effects that publication might have on whistleblowers, informants and others mentioned in the cables, the media organisations have been making an effort to redact the cables to protect the innocent.

As The Guardian explains, in the early days, before Wikileaks fell out with the paper (and the New York Times) for refusing to worship at the altar of St Julian, Assange made the full archive of unredacted cables available to the paper via a downloadable zip file. The file was encrypted with PGP and the paper was given the passphrase. The file was to be available for a limited time only.

At the same time, Assange distributed an encrypted archive, without revealing the password, to a select group of people. This was part of an insurance policy: Assange threatened to make the whole archive freely available if he was, for example, extradited to the US.

There’s hypocrisy in that, of course. If it is important for freedom and transparency that the cables should be published, why was Assange withholding them for personal reasons? Does he really conflate his own interests with those of the world? On the other hand, if it’s important that unredacted cables are not published, because of the damage they could cause to innocent people, then again Assange was being selfish and hypocritical for using them for his own self-interest.

It’s all moot now, of course.

The cables are out. One way or another (and with some pointing the finger at ex-Wikileaker Daniel Domscheit-Berg) the archive file has become readily available via torrents.

And the password?

In their excellent account of the Cablegate saga, Wikileaks: inside Julian Assange’s war on secrecy, Guardian journalists David Leigh and Luke Harding mentioned the password given them by Assange. Why wouldn’t they? As far as they were concerned, it was a unique password for a temporary file. I mean, Assange wouldn’t be dumb enough to use the same password anywhere else, would he?

Alas, he would. Yep, uber-hacker Assange reused a password. The insurance file, since leaked, can be decrypted using the same password. And boy, has it been decrypted. Head over to cryptome.org - the original, still operating and far superior whistleblower website - to get your own copy.

The reaction from Wikileaks was one of outrage, mixed with its usual brand of self-importance and martyrdom. While all but taking credit for the Arab Spring, the site has been frothing at the mouth about The Guardian and other media organisations, often descending to playground-level abuse. But the truth is, the fault lies squarely with Assange and Wikileaks and their ineptitude when it comes to security.

After all, Wikileaks has been touting these cables as the biggest thing since the Pentagon Papers. Surely these files, of all files, should have been protected with a different passphrase for each separate copy that went out of the door.

Wikileaks is now flooding the net with released cables. Now that it no longer has a monopoly on the material, it is indulging in a desperate bid to be first to publish. The organisation seems unaware that this nullifies its argument against The Guardian. It also dilutes their effect.

The biggest worry, though, is that Wikileaks has shown significant shortcomings when it comes to due diligence: it has demonstrated that it is not to be trusted when it comes to the custodianship of important material.

Let’s not forget that Wikileaks did not leak this material. Bradley Manning is accused of that and is paying a high price. Wikileaks is merely a conduit. And an incompetent one.

Aug 11

When is #Anonymous not Anonymous?

Not for the first time, the Anonymous activist collective is suffering some brand issues. It turns out that claiming you are ‘leaderless’ and ‘decentralised’ is something of a two-edged sword.

It’s also a lie, of course.

The concept is that anyone can operate under the Anonymous banner. There are no committees to attend, no leader from whom you need to seek approval. If you want to mount an operation and call it an Anonymous action … well, go right ahead.

Or maybe not. We’ve just seen two examples of where that causes some problems.

The one currently grabbing headlines is the so-called OpFacebook. A YouTube video by ‘Anonymous’ promises that everybody’s favourite personal data aggregator will be “destroyed” on Nov 5. And the video has all the classic hallmarks of Anonymous - it’s sufficiently pretentious and bombastic that you can’t help wondering if it’s meant to be funny.

Only it turns out that ‘Anonymous’ isn’t Anonymous, if you see what I mean. The ‘real’ Anonymous (the one, remember, with no leaders or centralisation) has been denouncing this operation as a fake. ‘Sabu’ (@anonymouSabu), the non-leader of Anonymous (and also, as it happens, LulzSec) has been especially active in denouncing this as a fraud and is practically begging the media to pay no attention to it.

So how does that work, exactly? Surely the whole concept of Anonymous is that, if I call myself an Anon, that’s enough. Who is Sabu to call this a fake? By what authority can he assert that this is not an Anonymous operation?

I’ve recently completed a long feature about Anonymous and LulzSec for the journal I edit, Network Security. During the research, I had a couple of IRC chats with Anons, via the irc.anonops.li server. Part of this touched on the ‘leaderless’ nature of the movement. I wanted to know how that assertion can be supported when there is clearly some direction from a core group. For example, the channels found on irc.anonops.li are regarded by pretty much everyone as the ‘official’ IRC channels. Some of the channel topics are used to set targets for the Low Orbit Ion Cannon (LOIC) - the DDoS tool used by Anons that has turned out to be so dangerous for its users, since it makes no attempt to hide their IP addresses. There are also channels used for co-ordinating operations that are not open to the likes of you and me - strictly invitation only. I wanted to know how this meshes with the leaderless concept.

I chatted with joepie91 who was at pains to point out that he did not speak in any official capacity, but just as one of many Anons. He did, however, have channel admin privileges in the #reporter channel set up to talk to the media, and most other people in the channel appeared to defer to him.

I asked him to explain a comment he made that, “anonymous =/= anonops”.

joepie91: anonops is just one network that is populated by Anons

joepie91: Anonymous is not a centralized entity

joepie91: there’s no member list, no ‘official representatives’, no leaders

So far so good. But I pointed out that someone gets to set targets in channel messages. The answer felt a little evasive, in that he largely just stated the obvious - that channel ops get to set the topics. But he also enlarged:

joepie91: if you don’t like operation payback, noone stops you from setting up a similar operation with similar targets but a different structure … if you disagree you can just walk away and set up your own … and noone will stop you

It seems that’s exactly what someone has done with OpFacebook. And now Anonymous seems not to like it.

But that’s not the only spat that’s been going on. When various Anonymous accounts were kicked off Google+, because they contravened the service’s rules on using real names, some Anons vowed to set up a social networking site just for Anons. It’s hard to see how the mechanics of social networking would fit with the idea of being Anonymous, but selah.

The result was AnonPlus, which has so far had a very sorry history. It started out using bog-standard forum software, but has mutated many times, shifting domains and hosting, constantly promising great things to come. With amusing irony, it has been hacked numerous times (as in the example above) and this led to a blow-up between Sabu and ‘higochoa’. Sabu, it seems, was particularly incensed at people believing that he, personally, had been hacked every time AnonPlus was defaced.

<Sabu> I am getting sick of hearing that *I* get hacked every week

In a more telling moment, Sabu says:

<Sabu> I suggest you either kill the project / stop using anonymous’ name

That suggests to me that Sabu feels at least some sense of proprietorship over the Anonymous brand. Maybe it’s time for Anonymous to decide whether it is genuinely going to embrace an anarchic policy of no enforced structure, or whether it should grow up a little and become a more organised activist force. The latter would be more interesting because, currently, its disorganised and chaotic approach is achieving very little.

Aug 04

Time for a #LulzSec successor

Now that (allegedly) LulzSec spokesteen ‘Topiary’ has been arrested, and it’s only a matter of time before ‘Sabu’ is looking down the barrel of a law enforcement raid, maybe it’s time for a new group to take up the mantle of AntiSec.

We’ve already seen the rise of TrollzSec, which successfully outed Topiary’s true identity.

But there’s room for more on the open seas of hackerdom.

So, if you can watch Anonymous videos without laughing, own a pair of shades and can spell SQL, maybe it’s time to start your own script kiddie club. I offer the following as possible names:

SkullzSec - strictly for boneheads

DullzSec - we leak boring crap

ProllzSec - now anyone can be a hacker

DrollzSec - not funny, but maybe a tad amusing

GullzSec - for those who think security is strictly for the birds

NullzSec - hacking for zeroes

Jun 27

Dropbox security

A backlash against Dropbox shows just how little people understand security.

It seems that some people actually fell for Dropbox’s early assertions that files stored on the system might be more secure than those on your hard disk (ignoring the fact that these files are actually stored in both locations). No-one, but no-one, has access to your files, claimed the company.

Later, Dropbox realised that it’s subject to the same laws as any other US organisation and was obliged to change its terms of service to admit that it would have to co-operate with US law enforcement. Indeed, the forces of law and order have acquired a new forensic tool specifically for examining Dropbox accounts - Dropbox Reader.

This evidently provoked fury among some users who feel they were duped. There were threats of defections.

The image of Dropbox as a safe haven hasn’t been helped, either, by its recent screw-up in which accounts were left unprotected for a few hours, no password required.

But here’s the thing: Dropbox is a cloud service. Why would you imagine the cloud is automatically secure?

Yes, I know, people are not properly informed about this stuff and can only make decisions based on what they’re told. So Dropbox should carry a good portion of the blame for this. But there’s also an element of common sense here.

I don’t care what promises a cloud supplier makes, I work by a simple rule: if the data is the slightest bit sensitive, it gets encrypted before it hits the net. And I don’t just mean I use SSL for the connection. Any sensitive files we store on Dropbox are either encrypted individually or stored inside a PGP-encrypted virtual disk.

That means employing data classification of some kind, but for us that’s not nearly as complicated as it seems. It’s a simple question with a yes/no answer: could this file be of use to someone with malicious intentions? If the answer’s ‘yes’, into the encrypted drive it goes. No data of the slightest value leaves our home network without being encrypted first. And our threshold for what’s considered sensitive is very low.
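Here, as an added example rather than anything from this post or from Dropbox, is what ‘encrypt before it hits the net’ looks like as a small Python staging script. It assumes the third-party cryptography package is installed (its Fernet recipe is AES-128-CBC with an HMAC-SHA256 tag, so a file tampered with in the cloud fails to decrypt rather than silently producing garbage); the classification rule, the file names and the folder layout are illustrative assumptions.

```python
# Encrypt-before-sync, as an added example. Not the author's tooling: it assumes the
# third-party `cryptography` package (Fernet = AES-128-CBC plus HMAC-SHA256 tag) is
# installed; the classification rule and file names below are illustrative assumptions.
import base64
import hashlib
import os
from cryptography.fernet import Fernet, InvalidToken

SALT_LEN = 16
KDF_ITERATIONS = 100_000


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn a passphrase into the urlsafe-base64 32-byte key that Fernet expects."""
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(raw)


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """salt || Fernet token. A fresh salt per file means two identical documents
    do not turn into identical blobs in the sync folder."""
    salt = os.urandom(SALT_LEN)
    return salt + Fernet(derive_key(passphrase, salt)).encrypt(plaintext)


def unseal(blob: bytes, passphrase: str) -> bytes:
    """Inverse of seal(); raises InvalidToken if the passphrase is wrong or the
    blob was modified after it left the machine."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    return Fernet(derive_key(passphrase, salt)).decrypt(token)


def is_sensitive(name: str, data: bytes) -> bool:
    """The yes/no question from the post, with a deliberately low threshold:
    everything is sensitive unless its extension is on a short allow-list of
    things we have decided hold nothing of use to an attacker (assumed list)."""
    harmless = (".mp3", ".ogg", ".flac")
    return not name.lower().endswith(harmless)


def stage(name: str, data: bytes, passphrase: str, classify=is_sensitive):
    """Decide what actually enters the sync folder for one file:
    returns (filename_to_sync, bytes_to_sync)."""
    if classify(name, data):
        return name + ".enc", seal(data, passphrase)
    return name, data


def stage_directory(src_dir: str, sync_dir: str, passphrase: str,
                    classify=is_sensitive) -> int:
    """Copy a tree into the (assumed) Dropbox folder, encrypting on the way.
    Returns the number of files staged."""
    count = 0
    for root, _dirs, files in os.walk(src_dir):
        rel = os.path.relpath(root, src_dir)
        out_root = sync_dir if rel == "." else os.path.join(sync_dir, rel)
        os.makedirs(out_root, exist_ok=True)
        for fname in files:
            with open(os.path.join(root, fname), "rb") as fh:
                data = fh.read()
            out_name, out_bytes = stage(fname, data, passphrase, classify)
            with open(os.path.join(out_root, out_name), "wb") as fh:
                fh.write(out_bytes)
            count += 1
    return count


if __name__ == "__main__":
    blob = seal(b"account numbers and the like", "correct horse battery staple")
    print(len(blob), "bytes in the sync folder;", unseal(blob, "correct horse battery staple"))
```

The passphrase never leaves the machine and the salt travels with each file, so one passphrase covers the whole sync folder without identical documents producing identical blobs. What Dropbox, or anyone with a court order for Dropbox, gets is the .enc files and nothing else.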

So here’s a handy motto: Encryption - don’t leave home without it.

Jun 16

Talking about risk

The information security business is a bit like the world of 1970s French movies. At the time, these films had a reputation for being racy, of containing a lot of delicious naughtiness that was nevertheless somehow culturally uplifting. When you actually sat through them you found there was a lot of talking and very little action.

In the infosec domain I hear a lot about risk. Companies understand risk - or at least, go to great trouble to convince themselves they do. They have risk managers, risk metrics, godzillabytes of data measuring, delineating and analysing their risk posture so that they can decide on their risk appetite.

Of course, it all turns to shit the second they get to their IT systems. When it comes to the risk of flood, fire, market downturns or zombie invasions, risk managers can show you graphs and tables that would convince anyone the firm is doing all it can reasonably be expected to do. With IT, well, it’s anybody’s guess, right?

There are some attempts at improving this situation with IT. The Common Vulnerability Scoring System (CVSS), for example, is one effort to put a number against some of the risks firms face with their technology. But a CVSS score rates the severity of a vulnerability in the abstract, not what it means for your particular installation, and understanding how much danger you actually face as a result of, say, the software you have installed is very tricky.
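To make the CVSS point concrete, here is the version 2 base-score calculation (the version in use when this was written) as an added example, not code from this post or from FIRST. It implements the published v2 equations and metric weights; the vectors it is run on are constructed.

```python
# CVSS version 2 base score, as an added worked example. Implements the published
# v2 equations and metric weights; the example vectors are constructed for illustration.
import re

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}        # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}     # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}       # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}               # None / Partial / Complete

BASE_VECTOR = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")


def parse_base_vector(vector: str):
    """Split 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into its six metric values."""
    m = BASE_VECTOR.match(vector)
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    return m.groups()


def base_score(vector: str) -> float:
    av, ac, au, c, i, a = parse_base_vector(vector)
    # Impact sub-score: how much C/I/A is lost, combined so that three partials
    # do not add up to more than one complete compromise.
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    # Exploitability sub-score: how reachable the bug is.
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all scores zero
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1)


def nvd_rating(score: float) -> str:
    """NVD's v2 severity bands: a rating of the bug, not of your exposure to it."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # remote, unauthenticated, total compromise
              "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # the textbook 7.5
              "AV:N/AC:L/Au:N/C:P/I:N/A:N",   # information leak only
              "AV:L/AC:L/Au:N/C:N/I:N/A:N"):  # no impact, so no score
        s = base_score(v)
        print(v, s, nvd_rating(s))
```

The second vector is the 7.5 that so many network-reachable bugs end up with. Note what the number leaves out: whether the box is on the internet, what sits behind it, whether a working exploit exists. CVSS v2 has temporal and environmental metric groups for exactly that, but they are rarely filled in, which is why a base score is a severity rating for the bug and not a risk figure for you.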

It’s not that people don’t want to understand this stuff - they just don’t know how and, even if they did, might not want to expend the necessary money and effort.

I wrote a piece on software insecurity for a Guardian supplement recently and the one refrain I heard over and over from the experts I talked to is that enterprises aren’t looking at their software infrastructure from a risk perspective. 

Small wonder: analysing vulnerabilities in software is hard enough. People like OWASP are doing great work in trying to get developers and the people who pay them to make security an intrinsic part of the development process, but firms don’t want to pay for the extra effort needed and don’t like what it does to schedules. They want their software now. And as for existing code, yes you can run some automated pentests against it, but how much is that really going to tell you? Analysing vulnerabilities in existing code takes considerable skill - read: money.

And, of course, knowing that vulnerabilities exist is one thing. Analysing that in terms of risk is another.

Then there’s another worrying aspect to all this. Even if you can understand your vulnerabilities and can translate that into a meaningful risk metric, is that going to do any good?

When enterprises do all this risk analysis, are they really tasking themselves with fixing the problems? Or are they merely concerned with covering their asses when it comes to due diligence and compliance?

“Oh yes, we got hacked and all our customers’ information is now in the hands of heartless cyber-criminals. But not to worry: according to the regulatory requirements we did everything we could be expected to do given the risk.”

I’d like to suggest an addition to regulatory requirements. If you’re the CEO of an enterprise that is hacked using standard Metasploit modules or basic SQL injections, you go straight to jail.

Jun 13

Password problems

Some of the recent stunts by online mayhem seekers LulzSec have highlighted (again) something we all know: it’s bad to use a password for more than one website.

Recently, LulzSec hacked porn site pron.com, obtaining customer logins and admin credentials for a number of other porn sites - all with passwords apparently stored in plain text. Leaving aside the embarrassment that will be caused by some of the account email addresses having .gov and .mil at the end, there’s a high likelihood that at least some of these credentials will be valid on other sites. LulzSec encouraged its followers to try logging into Facebook with them and, if successful, bring down shame on the luckless users. A tad unsporting that. Facebook responded by resetting passwords for any and all affected accounts.

At least the people most at risk from this stunt are likely to know about it. LulzSec’s only motivation appears to be glory-seeking. The group has certainly not espoused any coherent political, ethical or commercial agenda. Normally, when hackers purloin login credentials this way, they don’t tell the world. They’re after your money.

So getting your passwords in order is a smart idea.

I use LastPass to manage my online passwords. It’s not without its own risks. The service had a scare recently when its security was mildly compromised. And there’s an inherent paradox in the concept. LastPass enables you to create long, complex passwords using all four character types - uppercase, lowercase, numbers and non-alphanumeric (punctuation and ‘special’ characters). It will randomly generate these for you. (Okay, pedants - pseudo-randomly generate.) These are the kinds of password that are impossible to remember. Fortunately, LastPass remembers them for you and will enter them (automatically, if you want) into login forms.

That’s a good thing. The problem is that there’s one password it won’t remember for you - the master password you need to gain access to LastPass itself. In other words, the one password that you’re going to be motivated to write down, or make weak enough to remember, is the one that gives access to all your other passwords.

Oh well.

LastPass does have another very useful feature. It will run a security check on all your stored passwords. It looks for instances where you’ve used the same password on multiple sites and also judges the strength of each. It’s a sobering experience. I’ve just about finished the drudgery of changing my passwords on dozens of sites, ensuring each one is unique.

There is another benefit to carrying out this check: it reminds you of sites you no longer use. And I think this is a security vulnerability that not enough people consider.

It may be just me, but I seem to have gone through a period where I would register at sites using one of a small pool of common passwords, all rather short and easy to crack, thinking ‘oh, I can’t think of anything stronger right now, I’ll fix that later’. And, of course, I never did.

Looking through my LastPass vault, I can see a surprisingly large number of sites where I’m registered but which I haven’t visited in a long while. The danger they pose is this: most of these sites are small or middle-ranking, the type that may not be the most secure. They’re the most likely kind of website to give up their password databases to hackers. Now that I’ve changed my passwords, any hackers would (hopefully) only have access to a password I don’t use anywhere else. But there’s always a risk that I’ve overlooked something. And, in any case, the hackers won’t know that, and will be encouraged, purely by my presence in the purloined database, to go pound on my other accounts.

It seems obvious to me that being registered at sites you don’t use is a small but real security risk.

So, as part of my current password hygiene practices, I’m revisiting these sites and closing down my accounts. I can only hope that they’ll actually delete my records (as they should), rather than simply marking them ‘inactive’.
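The LastPass check described above, reduced to its essentials as an added example (not LastPass’s code): it runs over a constructed CSV export with assumed columns site, username, password and last_used, and flags reuse, weak passwords and logins that have not been touched in a year.

```python
# Vault audit, as an added example of the kind of check described above. Not LastPass's
# code; the CSV column layout and the sample export are constructed for illustration.
import csv
import io
import math
import string
from collections import defaultdict
from datetime import date

# Constructed sample export: one row per stored login (assumed columns).
SAMPLE_EXPORT = """site,username,password,last_used
example-bank.test,alice,Kx9#qLp2$vRw8!mZ,2011-06-10
forum.example.test,alice,letmein1,2009-03-02
shop.example.test,alice,letmein1,2010-11-20
social.example.test,alice,C0rrect-h0rse-battery,2011-06-12
"""
SAMPLE_TODAY = date(2011, 6, 13)


def charset_size(password: str) -> int:
    """Combined size of the character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # the 32 printable ASCII specials
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on brute-force entropy: assumes every character was chosen
    uniformly from its class, so dictionary words score far too generously."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def audit(export_text: str, today: date, stale_days: int = 365,
          weak_bits: float = 50.0):
    """Return [(site, [issue, ...]), ...] for every login with something to fix."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["site"])

    findings = []
    for row in rows:
        issues = []
        others = [s for s in sites_by_password[row["password"]] if s != row["site"]]
        if others:   # one breach of any of these sites unlocks all of them
            issues.append("reused on " + ", ".join(others))
        bits = entropy_bits(row["password"])
        if bits < weak_bits:
            issues.append("weak (%.0f bits)" % bits)
        unused_for = (today - date.fromisoformat(row["last_used"])).days
        if unused_for > stale_days:
            issues.append("stale (%d days unused; consider closing the account)" % unused_for)
        if issues:
            findings.append((row["site"], issues))
    return findings


if __name__ == "__main__":
    for site, issues in audit(SAMPLE_EXPORT, SAMPLE_TODAY):
        print(site + ": " + "; ".join(issues))
```

The strength estimate is deliberately crude: it assumes each character was picked uniformly from its class, so ‘letmein1’ scores about 41 bits when a dictionary attack would have it in seconds. Treat it as a ceiling, and treat the ‘reused on’ finding as the one that matters most, since that is precisely what the pron.com dump exploits.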

Jun 01

Just in it for the lulz?

Supporters of Wikileaks are dedicated to freedom of speech - until, that is, someone disagrees with them.

“Humankind,” wrote Eliot, “cannot bear very much reality”. And so it is with a bunch of self-styled net buccaneers calling itself LulzSec.

The US Public Broadcasting Service (PBS) - normally the darling of those with anti-corporate leanings - has suffered the ire of these ‘hacktivists’. Apparently, it screened a documentary about Wikileaks that was not entirely flattering. Such insults are not to be borne.

There is a distinct whiff of Anonymous about LulzSec - the same whimsical self-regard, the same adolescent posturing. (There is, for what it’s worth, a #lulzsec channel on irc.anonops.in. It’s unlikely to be any kind of official hangout - I was the only person in there when I checked it out.)

Denial of service attacks and website defacement are the preferred forms of protest for Anonymous. They are high-profile acts that require little effort, minimal skill and involve relatively little risk. There is, of course, the unfortunate side-effect that the downing of a website effectively denies the legitimate owner of free speech. This form of hacktivism is a way of shutting up those whose opinions differ from yours.

It seems that LulzSec is gearing up for more attacks on Sony - the target du jour of Anonymous. Meanwhile, the group is basking in the attention garnered by the PBS stunt - and getting attention was probably half the point in the first place.

The Internet is a powerful medium for activism and deserves to be used as such. But hacktivism needs to be driven by more than petulance. If the Internet is to serve as a place for taking a principled stand, it’s important that it does not acquire a reputation for immature pranks. Vandalism is not an effective way of engaging in complex debates about political responsibility, freedom of information or digital rights.

LulzSec has yet to elucidate any meaningful principles or agenda, other than a desire to show off in public. Assuming it has a genuine ethical purpose behind its behaviour, perhaps these will be spelled out on a forthcoming website. Let’s hope so.

Apr 30

The wrong way to do software security

There is yet another example of how so-called ‘hacker’ laws can actually diminish security.

According to a post on DarkReading, a researcher who goes by the name of Acidgen is being threatened with criminal and civil suits by a firm whose software contains a security vulnerability. Acidgen found the stack buffer overflow in Music Maker 16 and made the mistake of telling the vendor, Magix AG.

Not only did Acidgen give Magix a full description of the firm’s faulty software, he also provided exploit code and offered to help fix the problem.

So how did Magix react? By threatening Acidgen with Germany’s three-year-old hacker law - the same one that makes it illegal to possess tools commonly used by security researchers, such as NMAP, Metasploit or Nessus, just because they’re also used by black hats.

This response by Magix isn’t just arrogant and stupid - although it’s certainly both of those things - it also shows a callous disregard for the safety of the company’s customers.

If there were any justice in the world, software firms would be liable for the security of their products. If there were genuine civil or criminal consequences for pushing out code with security vulnerabilities it might finally persuade these firms to invest in proper security training for developers. And they might actually get around to doing genuine risk analysis and security audits as part of the Software Development Lifecycle (SDLC).

As things stand, software companies are too focused on shipping their code. Security is an afterthought, if it’s considered at all. It needs to become an integral part of development processes and culture.

Magix needs to understand that Acidgen is not the chief threat to its customers: Magix’s own shortcomings in shipping faulty code are the problem. The company should own up to its responsibility to ensure its software does not put its customers at risk, call off its attack lawyers, thank Acidgen and fix the problem.

Apple: not so obscure any more

It’s long been claimed that Apple platforms have been free of malware mainly because they represent such a small niche of the market that it wasn’t worth the effort creating viruses and trojans for them.

Not any more.

In fact, Apple has had such a significant share of the market for so long that it’s a wonder we haven’t seen more malware. What’s more, given the high price of Apple kit, and therefore the high income levels of Mac owners, there’s a case for arguing that they represent a strong target for ID thieves and banking trojans. ;)

Now that Apple has surpassed Microsoft in market cap, revenue and earnings, that ‘not worth bothering’ argument is looking weaker by the second. What’s more, Apple platforms tend to be somewhat more homogenised than Windows (or even Android) ones, as Apple sells both the hardware and software and systems have a greater tendency to be updated to recent versions.

And there’s another stat, rather less well known, that makes me think that Apple has now come out of obscurity and should be in the crosshairs of malware writers.

I was talking recently to Bradford Networks, a vendor of networking software that provides auto-discovery of attached devices. The firm is especially strong in the education market - mainly universities. And I was told that, particularly in the US, up to 95% of the devices being attached are Apple kit.

That’s not a misprint. And remember that the remaining 5% isn’t just Windows laptops - it’s Wiis, Playstations and Android devices.

I expect that proportion to change, with Android taking a rapidly larger share (which it probably has already - remember, the figure was up to 95%). Nonetheless, it means that the next generation of business people is one habituated to Apple.

Now, Apple fans will claim that the lack of malware on their platform of choice is down to greater inherent security, with none of that nonsense with autorun, ActiveX or {insert the 10 top malware-friendly Microsoft technologies of your choice}. *nix fans will say that Apple’s decision to base OS X on BSD is the reason it’s so sound.

Hmmm.

The fact is, OS X has its vulnerabilities. Apple keeps patching them, although rather slowly at times.

All the malware tools, from Sub7 and Zeus/SpyEye through cryptors to delivery mechanisms, are Windows-based and Windows-oriented, so one possible reason for Apple’s relative immunity is the effort needed for the bad guys to re-tool. And why would they when they can still make millions from Windows users?

And there’s another reason for Apple users to feel less smug. Exploits have wound their way up through the stack, less frequently targeting the OS and working increasingly at the application layer. Many attacks are browser-based or are mounted through services like Facebook. Add to that the prevalence of social engineering-based tactics - many of which are effectively platform independent - and you have a computing landscape rich in threats for Apple users.

This really is the time for Mac and iPhone users to wake up. Me? I’m heading over to Sophos to download its free AV package for Macs. It won’t make any difference but I’ll feel better.

Apr 29

iPhone tracking: much ado about bugger all

Well, we’ve all had a jolly good time getting hysterical about the alleged ‘tracking’ of our movements by our iPhones. Even the revelation that Android devices do a similar thing hasn’t stopped the Apple-bashing.

Nor was the hysteria dampened all that much by Apple’s somewhat tardy explanation, in which it admits that some of the data collection is due to bugs that will be fixed soon.

What exactly is the problem? If you listened to the mainstream (ie, technologically challenged) press, and even some of the tech websites, you’d come away believing that the iPhone is tracking your every move and reporting back to Apple. The data is gathered by your iPhone, downloaded to your computer when you sync the device and then squirrelled away by covert channels to the dark dungeons of Apple’s global surveillance operations. Or something.

Well, of course, it’s nothing of the sort. The iPhone is keeping a cache of cellphone towers and wifi access points somewhere in the vicinity of the places you’ve been. It’s doing that in order to provide geolocation services more rapidly when you ask for them. Although GPS is the principal method of obtaining location data, it can be slow. If your phone has been sleeping, or you’ve been out of sight of the satellites, re-acquiring those satellites can take a while. And all that time you’re tapping your toes impatiently, frustrated that you can’t get information on the nearest Domino’s pizza emporium.

Apple (and others) use crowdsourced data about the locations of cell towers and wifi hotspots as an additional triangulation method. Your iPhone provides this data to Apple anonymously — ie, they don’t know who has recently been strolling through the red light district of Amsterdam, only that someone has.

So, no Big Brother looking over your shoulder, but there are other threats, right?

I’m a big fan of privacy. For example, I have my Facebook settings screwed down so tight that people sometimes have trouble finding me, which is fine. So I was rather worried about the implications of all this tracking data being on both my phone and my laptop.

If someone were to steal my kit, they’d have a nice little database of my movements. I’m not entirely sure what a thief would do with this data. In fact, compared with the potential goldmine of information they’d have in my emails, the geolocation data seems pretty meagre. So the risk there seems very low to me.

And it’s precisely because my emails and other files contain data that I take precautions with my laptop — with strong passwords and encrypted disks. Those precautions pretty much secure against the iPhone location data issue too, as much as you ever can be secure. And in any case, when it comes to the backup file on the laptop, Apple supplied a solution long ago. In iTunes there’s the option to ‘Encrypt iPhone backup’. Just give that a nice secure password and problem solved. And you know what ‘secure password’ means, right? If not, you’ve got bigger problems than geolocation data on your iPhone.

As for the phone itself, few (if any) thieves are going to have the technical smarts to extract the data from it. But that may not be true of others who might desire it.

I’m thinking, of course, of the authorities. It has been mooted by privacy advocates (praise be upon them) that the phone would be a treasure trove for law enforcement officers and spooks investigating suspects. Some reports suggest that law enforcement in the US regularly mines this data. But I have serious doubts about how much value they derive from it.

For one thing, the data is far from accurate when it comes to your movements. I checked mine with iPhoneTracker (having temporarily switched off encryption in order to do so), and although it was vaguely correct in displaying the general areas I’d visited, some of the data points were wildly off track. Apple, in its explanation, says that the data points may include cell towers scores of miles from where you’ve been.

The map above shows some of my data in iPhoneTracker. I’ve never even heard of a lot of those places, let alone been there. And although it shows a couple of the places I’ve been, you could have got that information from reading my blogs and Facebook and Twitter updates. This stuff is not classified.

Also, the data only shows where the phone has been. The authorities would still face the challenge of proving that you were the one carrying the phone at the time. So although it might be of some limited value to them, compared to other data they might find on your machine, it doesn’t seem worth worrying about all that much.

Apple says one of the errors it made is in retaining this data for too long. In my own case, there were data entries going back a year. The firm says a week should be enough, and it’s about to make that fix.

The positive part of all this is that the excitement this issue generated would seem to demonstrate a laudable awareness of the importance of personal data. Data privacy is an issue that should concern us. But as with all areas of information security, it’s a matter of balancing benefits and risk.

The risk here is extremely low. And I’d put the threat posed by this information much, much lower than that of the geolocation data people regularly make available via, say, Twitter and Flickr (where such information is often embedded in images). Those two services combined with a tool like Cree.py should have far more people worried.

Apr 26

Banging the drum for security

#IBM #Infosec — IBM recently opened its Institute for Advanced Security, based in Brussels, with the avowed aim of helping companies and academics better understand cyber-threats and how to deal with them. IBM believes there is a need for a new conduit to help information flow between the public and private sectors. It also wants to provide easier access to its own research, services, products and experts.

At the recent Infosec show in London, I got a chance to catch up with the Institute’s director, Martin Borrett. Having spent the previous day at Security BSides, I was feeling a tad jaded about the progress we’re making in computer security (something I wrote about here), and wondered if he feels the same.

“We certainly spend a lot of time telling people it’s about people, process and technology,” he says, “that you may have the best cryptographic algorithms in the world, but if your people aren’t educated about security and take some responsibility, it won’t be enough. And I probably talk about this every year … But it just seems like it’s an endless conversation, that we keep having again and again.”

He sees parallels with health education, and thinks that IT security professionals might learn something from the way that governments have tackled major health issues with literature, alerts and healthchecks. “There’s a lot of discussion in Europe about how we educate citizens,” he says, “about how we make them aware: should we have a kind of health programme for security?”

Borrett says he is constantly banging the drum for more education. “I think everyone needs to be a stakeholder in this at some level,” he says. “I don’t think we can burden every citizen with every problem, but everyone has to take some responsibility. In real life we know how to take risks, like crossing the road, whether to do business with someone, whether to get on the plane, all these normal things. We need to get to that situation in the cyber world, where it’s just another normal part of life and people make the appropriate decisions.”

It’s possibly a generational thing, too, he says. While we make progress in some areas, new generations of employees are accustomed to new generations of technology and have different attitudes to go with them. And so the strides that have been made in educating people about security are lost in the change.

Consumerisation

This, of course, brings us to consumerisation, the buzzword of this year’s Infosec.

“The work/life balance is shifting, the boundaries are shifting, it’s less clear when you’re at work and at home, when you’re dealing with corporate data and personal data,” says Borrett. “I think that makes it very difficult for people to understand what sensible security practices are for themselves, both for their personal data and the companies they’re working for.”

He sees organisations falling into three camps. Perhaps 20% have simply acquiesced to consumer devices in the workplace because they accept that they can’t stop employees using them.

“Probably the majority, say 60%, see it as absolutely inevitable but they’re trying to hold back the floodgates,” he says. “They recognise the need and are trying to put measures in place, trying to slow it up while they put in appropriate controls, trying to understand what the risks are, and so on. And there’s probably 20%, maybe less, saying ‘no, you can’t do that — it’s not acceptable’.”

But how tenable a position is that last one, long term? Not very, thinks Borrett, because the demand for these devices is coming from the top — C-level execs. “They’re not necessarily security literate, so they don’t see the risk, they just want to make their life better, more efficient,” he says. “So the people at the very top of these organisations, who are very hard to say no to, because they run the business, are asking for it.”

So how do you deal with this issue? Borrett points to IBM’s own approach which is to draw up a matrix. Along one axis are all the various devices, from servers and desktops through to iPhones and BlackBerrys (listed separately, rather than being bundled under ‘smartphones’ — a reasonable level of granularity is needed here). Along the other axis are the various functions you might perform with these devices. If there’s a tick in the box where device and function coincide, you can use the device for that task. Some devices — such as servers and BlackBerrys — get ticks all the way across. Some, like iPhones, are more restricted in what you’re allowed to do with them — until the firm can find a solution to deal with the perceived risks (for example, it’s using Juniper software on some phones to detect malware and make them safe for emailing).

Defence in depth

Borrett agrees that this issue is giving a boost to the old concept of defence in depth, and to encryption. “Over the past two years, I’ve seen a rise in encryption,” he says. “You could say it’s a foundational control. As it’s become more available, easier to do, with fewer performance issues, more and more people are encrypting data.”

As for defence in depth: “That’s an interesting one. It’s something we believe in. I certainly believe that you need a series of controls at different layers, not relying on any one protection mechanism. There are people who think that the network is so perforated that there’s no point in defence in depth, that the defence needs to be really close to the asset, that you have to put things around the data because everyone’s inside the network anyway. I’m a very pragmatic sort of person — I think you need a range of measures, and you have to educate the people and have the right policies and processes that are not too arduous, not too overbearing, but just right and fit for purpose.”

Risk analysis

One of the key hurdles is how poorly we understand risk when it comes to IT or information. While many firms now employ risk managers, who perfectly understand the risk of the building burning down (and how to quantify that), when they get to IT, everything goes a little fuzzy.

“I agree,” says Borrett. “I think it’s because it’s very hard to measure. This is one of the things we struggle with. It leads to questions around how much should we spend on security, how much is enough, how effective is my security, what’s the business impact if I don’t do this?”

A major challenge is developing the tools and techniques to measure and quantify the risk. Borrett believes that regulation has probably made it somewhat easier because it provides a kind of bar against which firms must measure themselves. But for too many companies, it’s still just a box-ticking exercise.

“I still come back to the idea that the most effective organisations are those that do security from the ground up, security by design, who understand the risk and put in the appropriate controls,” he says. “They’re best placed, but generally I think people are struggling with this issue. And there’s a strong desire in companies to have a real-time view of it. You meet CISOs and other senior executives across industry wanting this better view — ideally real-time — of what their risks are, and that’s quite difficult.”

With other business risks, and in the compliance domain, there are plenty of tools that allow firms to say, ‘fine, we’ve done our risk work, we understand it and it gets signed off’. “But on the IT side,” says Borrett, “I don’t think we’re there.”

Cloudy issues

Like everyone else, Borrett sees continuing, and unresolved, issues around cloud security. The general feeling I got at Infosec was, ‘oh yeah, cloud, that’s a problem’ before moving the conversation on to this year’s hot topic, consumerisation.

Of course, IBM sells cloud services, and Borrett says they’ve seen a big uptake recently, so you might expect Borrett to be a little more upbeat. Indeed, he seems to feel that cloud security issues can be addressed, but he stops well short of the ‘it’s just like an outsourced datacentre’ attitude.

“Compliance is still a big issue,” he says, “it’s not going to go away. Companies are still struggling to do it in an automated and efficient way rather than a firedrill method. That’s still a problem, largely because of the volume and diversity of systems they have to deal with, with large volumes of data.”

Classifying that data is also a struggle for many firms — at least those that are bothering to try. When I ask Borrett how many people are doing data classification, and doing it properly, he laughs and is reluctant to answer at first, but finally says: “I’d be speculating … but there’s a lot of work to be done. It’s a big gaping hole. I’m surprised there isn’t a lot more focus on it given what a big problem it potentially is. Maybe organisations don’t see the risk, and maybe the regulations don’t cover it specifically.”

He adds: “It is coming up the radar. There are certain organisations in Europe, particularly worried about Wikileaks syndrome, very concerned about pieces of information ending up on Wikileaks, and they’ve got vast amounts of information not necessarily very well classified or controlled, and they’re struggling with it. Certain industries that generate big volumes of data are particularly susceptible to this.”

Auditing challenge

There are other considerations with cloud, too. Borrett points to the problem over where data is located — not just because of the well-debated issue of regulatory compliance, but also because of the difficulty of ensuring that data is in the right state. Where service suppliers are employing multiple datacentres, for availability, efficiency and resilience, your data may be moved constantly between them, or between servers within them. With a traditional, outsourced datacentre, you pretty much know where your data is and if, for example, you delete some information, you can be sure that it’s gone and isn’t still on a machine somewhere.

“With cloud, there’s more distribution of resources, more virtualisation,” says Borrett, and he sees that virtualisation technology as being under increasing attack.

Then there’s the thorny issue of auditing cloud suppliers. I ask him if IBM will allow customers’ auditors into its cloud service datacentres. The answer, of course, is no. Like many other cloud suppliers, IBM trades on its reputation, backed up by SLAs — and the fact that its cloud services have evolved out of many years of experience with datacentre outsourcing.

“Taking your question in a different direction,” he says, “while we don’t let external auditors into our environment, I don’t think they’d have a big problem there. But I think with other cloud providers, they could find it quite difficult to audit the cloud environment. I’ve spoken to some auditors and they are not comfortable with cloud.”

IBM’s environment is configured much like a traditional datacentre, he says. “But in some of these cloud environments, it’s not like that at all. You can’t be sure where the application’s running. In fact, the application’s being scaled down on this rack of servers and scaled up over there because the workload’s picking up — it’s being reprovisioned. I don’t think auditors have got their heads around that.”

Apr 25

Two sides of security

#BSidesLondon #Infosec - At Infosec (or Infosecurity Europe 2011 to give it the full majesty of its title, which no-one ever uses) it was all business. Security is a large industry, with expensive toys and big-budget services. Infosec is like any trade show: there are bright, impressive stands and bright, eager people who will impress on you that this is an industry with exciting solutions that are taking us safely into the new millennium.

Over at Security BSides London, it was still 1990. That’s not a reflection of the attendees or the event (although the percentage of beards and ponytails was much, much higher at BSides). It’s simply that, in spite of the new toys, concepts and protocols, for all that we have developed next-generation firewalls and algorithmic intrusion detection and behavioural analysis, security continues to be undermined by the very people tasked with enforcing it.

For example, there was a very funny presentation by Steve Lord of pen-testing firm Mandalorian, during which he recounted a number of war stories. In one of these tales, he’d reached the point where he’d pwned an administrator’s account at the target firm. “Can you guess what the password was?” he asked the audience. As one, the delegates chanted “password” - the correct reply.

That’s not an isolated example.

The fact is that security is difficult. IT systems are astoundingly complex. New vulnerabilities arise all the time as new technologies emerge, and many of these will be turned into exploits. The sad fact is, though, that pen-testers and malicious hackers alike will continue to gain entry to organisations’ systems through flaws that should have vanished years ago - including weak passwords.

BSides was an invaluable reality check - the flipside of Infosec. The latter is about boasting of solutions whereas BSides, attended mainly by pen-testers and infosecurity consultants, was a timely reminder that these solutions are far from perfect.

The presentations at BSides ranged from a demonstration of how a relatively clueless script kiddie could write an undetectable trojan, through tunnelling via protocols never intended for the task, to how to present the risk created by software in a way that even business executives might understand. It was, in short, about the very real, practical issues of security as seen by those on the front line.

I was probably a bit too sniffy about what goes on at Infosec - it’s an important event. The commercial component of the security business, as expressed by the show, is crucially important. A lot of what these companies do does work, and without it we’d be screwed. At the very least, these solutions provide a baseline of protection that keeps out the riff-raff. And if used properly (and there’s the rub) these products and services are capable of very high levels of security indeed.

But if the admin password for your shiny new next-gen firewall or IPS is ‘password’, then, really, why did you bother?

Apr 24

It’s about consumerisation, stupid

#infosec - If you bring your own smartphone or tablet to work, you’re not alone. Opinions vary about how much of a problem this presents to an organisation’s information security, but ‘consumerisation’ was the topic you just couldn’t escape at this year’s InfoSecurity show.

Yes, cloud was big too. But then it has been for some time and I got the impression that some people were getting a little tired of cloud being the main topic of conversation. Now, consumerisation - the incursion of devices like the iPad and Android phones into the workplace, often as a result of people bringing their own equipment into work - has given infosecurity firms and specialists something new to worry about. I caught up with a few of them at the show.

“The devices are changing so quickly and the functionality is changing so quickly,” says Adrian Davis, principal research analyst at the ISF. “The pace is relentless. We’re now getting 3G- and 4G-enabled devices within the organisation’s perimeter and yet so much IT security activity still focuses on things like patching servers.”

On Android and iOS platforms, the situation isn’t made any easier by the sheer number of apps that people are bringing into the corporate environment. Given how cheap the apps are (often free) people tend to be fairly careless about what they’re downloading. And while Android has suffered some significant exploits, the rigidly controlled Apple ecosystem isn’t immune: that very control encourages people to jailbreak their devices.

The degree of concern varies, though. “People who have a real problem with consumerisation tend to be those stuck in an old mould,” said Jon Geater, director of technical strategy at Thales. Like everyone else, he recognises the dangers of corporate data finding its way on to personal devices and of having hard-to-control wifi- and 3G-equipped devices, beyond the direct control of the IT department, inside the organisational perimeter. But he is fairly confident that solutions are available.

Going deep

For Geater, as well as many others, it’s all about defence in depth, an old concept that has acquired a new relevance. “You need internal defences with levels of access rights appropriate to various parts of the IT estate,” he says. “Different assets require different security.”

The solution is likely to be a mix of technologies and approaches. One interesting piece of the puzzle, for example, is a solution from Bradford Networks (which wasn’t exhibiting at Infosec, but I met up with CEO Gary Mead and Scott Tyson, channel manager for EMEA, in the press room).

The firm’s background is in Network Access Control (NAC) but its offering now goes well beyond that. Bradford’s system is all about identifying devices on a network and it has been particularly strong in the education market. Every year, thousands of new students descend on universities, all demanding access to the network. Bradford’s solution automates the process of discovering what devices are accessing the network and then building policies around that. (One customer discovered a cupboard full of servers it had forgotten about.)

Typically, each student will be allowed to connect up to five devices — laptop, smartphone, maybe even a Playstation. But there are restrictions on where that connection can be made - in the student’s dorm room is fine, but if the same person appropriates the network socket belonging to the library’s printer, that will be spotted automatically and action initiated. That action could be immediate disconnection or simply a ticket raised with tech support, according to the policies you implement.

The system isn’t concerned with data - it doesn’t look at that - so there’s no Deep Packet Inspection (DPI) or other potentially intrusive behaviour. Its focus is on devices and it sits alongside other systems that monitor behaviour.

Now corporates are beating a path to Bradford’s door. They want that kind of visibility for their own systems. Traditionally, enterprises have focused on the perimeter. Anything inside it carried at least some level of implicit trust. With Bradford’s model, nothing is trusted by default. And as the corporate perimeter has evaporated, enterprises now need the ability to monitor what’s happening at all levels.

The monitoring is continuous, too. The discovery is not a one-off process when the system is installed. Every time a device is plugged into the network, it’s spotted and analysed to see if it’s known and is allowed to be connected at that point.
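The device-and-location policy described above, as an added illustration (not Bradford’s code or any real NAC product): a per-user device registry with a five-device limit, a map of network sockets to locations, a socket reserved for the library printer, and a policy that decides whether a connection is allowed, ticketed or disconnected. All names, MAC addresses and port identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

MAX_DEVICES_PER_USER = 5  # the "up to five devices" rule from the text


class Action(Enum):
    ALLOW = "allow"
    TICKET = "ticket"          # raise a ticket with tech support
    DISCONNECT = "disconnect"  # immediate disconnection


@dataclass
class Port:
    location: str                       # e.g. "dorm" or "library"
    reserved_for: Optional[str] = None  # MAC expected on this socket (e.g. the printer)


@dataclass
class Policy:
    allowed_locations: Set[str]   # where a registered user device may connect
    on_wrong_location: Action     # known device, but on a socket outside allowed locations
    on_unknown_device: Action     # MAC never registered by anyone
    on_reserved_port: Action      # someone else plugged into a reserved socket


@dataclass
class Registry:
    owners: Dict[str, str] = field(default_factory=dict)  # mac -> user
    ports: Dict[str, Port] = field(default_factory=dict)  # port id -> Port

    def register(self, user: str, mac: str) -> bool:
        """Register a device for a user; refuse once the per-user limit is reached."""
        owned = sum(1 for u in self.owners.values() if u == user)
        if mac not in self.owners and owned >= MAX_DEVICES_PER_USER:
            return False
        self.owners[mac] = user
        return True


def evaluate(reg: Registry, pol: Policy, mac: str, port_id: str) -> Tuple[Action, str]:
    """Decide what to do when `mac` appears on socket `port_id`. Returns (action, reason)."""
    port = reg.ports[port_id]
    # A reserved socket (the printer's) accepts only the device it is reserved for.
    if port.reserved_for is not None:
        if port.reserved_for == mac:
            return Action.ALLOW, f"{mac} is the device reserved for {port_id}"
        return pol.on_reserved_port, f"{mac} appropriated reserved socket {port_id}"
    owner = reg.owners.get(mac)
    if owner is None:
        return pol.on_unknown_device, f"{mac} is not registered to any user"
    if port.location not in pol.allowed_locations:
        return pol.on_wrong_location, f"{owner}'s {mac} connected in {port.location}"
    return Action.ALLOW, f"{owner}'s {mac} connected in {port.location}"


def build_demo() -> Tuple[Registry, Policy]:
    """Constructed campus data: one student with five devices, a dorm socket and a printer socket."""
    reg = Registry()
    for i in range(1, 6):
        reg.register("alice", f"02:00:00:00:00:0{i}")  # constructed locally-administered MACs
    reg.ports["dorm-101-a"] = Port(location="dorm")
    reg.ports["lib-printer-3"] = Port(location="library", reserved_for="02:00:00:00:00:99")
    pol = Policy(
        allowed_locations={"dorm", "lecture-hall"},
        on_wrong_location=Action.TICKET,
        on_unknown_device=Action.DISCONNECT,
        on_reserved_port=Action.DISCONNECT,
    )
    return reg, pol


if __name__ == "__main__":
    reg, pol = build_demo()
    print("6th device accepted?", reg.register("alice", "02:00:00:00:00:06"))
    for mac, port in [("02:00:00:00:00:01", "dorm-101-a"),
                      ("02:00:00:00:00:01", "lib-printer-3"),
                      ("02:00:00:00:00:99", "lib-printer-3"),
                      ("02:00:00:00:00:77", "dorm-101-a")]:
        action, why = evaluate(reg, pol, mac, port)
        print(f"{action.value:10} {why}")
```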

Acceptable behaviour

The Bradford solution doesn’t attempt to work out what people are doing with those connections, but other systems do.

Lancope’s NetFlow offering, for instance, analyses network flow data. It looks at what’s happening in all parts of the network and can flag changes in behaviour or anomalies in data according to a ‘concern index’. Adam Powers, Lancope’s CTO, claims it’s especially effective at spotting filesharing and botnet activity, and can even map the propagation of a worm across the system. But all manner of activity can be spotted. “A lot of this revolves around acceptable use,” says Powers.

Similarly, a solution by Q1 Labs will examine events generated across your entire network, looking for unusual behaviour. Making sense of events is a tough job. In spite of the rise of the commercial Security Information and Event Management (SIEM) market, logs often go unregarded, sometimes because of the sheer volume of events generated.

“There are customer sites out there with millions of events a day,” says Steve Jenkins, VP EMEA. “We can reduce that. One major oil company has five billion events a day, and we take that down to 25-50 potential threats. Over time, you build a picture of the environment — you learn the behaviour of your specific network.”

As this filtering process is rule-based, this still leaves open some questions about how good those rules are, and how confident you can be that you’re not missing threats. But if used effectively, this approach could help reduce the noise level and give greater situational awareness.

For Sophos, part of the solution is in migrating security down to the endpoint - not just anti-malware but also capabilities such as encryption. Paul Ducklin, head of technology for Asia Pacific and Naked Security blogger, believes that encryption is going to play an ever-greater part in this story, an opinion echoed by several of the people I spoke to: a ‘revival’ is how one put it.

Human solution

So there are some technological answers to the problem. And also, perhaps, some encouraging signs of a positive human response.

While ‘user education’ has been something of a joke within the security community, Ducklin at Sophos believes there are signs that people are becoming more security aware. He points to the common sight in enterprises of people carrying two phones - the company-issued phone (typically a BlackBerry) and their own, private device. “They don’t want to mix company and personal data,” he says.

When it comes to those personal devices, the very fact that they are owned by the individual employee may be an advantage. Davis gives the analogy of company cars. Back when the firm provided the car, as well as insurance and maintenance, people had a careless attitude. So what if you have a scrape? It’s just a company car. Now, it’s more common for employees to receive allowances to use their own cars - and they’re correspondingly more careful.

“Most people take security of their own devices seriously,” said Ducklin, but adds, “usually only after they’ve suffered a problem.”

Fact of life

The inevitable conclusion is that consumerisation is a fact of life.

“It’s being pushed from the top, so it’s unstoppable - especially with iPads,” says Peter Wood, CEO of First Base Technologies and committee member of ISACA.

Personal devices will find their way on to your premises. (At Security BSides, held at the same time as Infosec, one consultant, who had done significant work in the UK health service, told me it wasn’t uncommon to find patients bringing in their own wifi hubs.) So most companies would be best advised to accept it and implement the systems and processes to deal with it.

“Ultimately, it all comes back to risk,” says Davis. “These are tools, and you need to decide if you want to use them to aid your business. And there are big issues around educating your users.”

Wood agrees. “The equation’s about risk versus business benefit,” he says. “And so businesses will have to come up with a strategy.”

Apr 01

Nice try, Sophos

Stop using that iPad now! That’s the warning from Sophos for those of you who: a) are concerned about data theft; and b) don’t know what day it is. Here’s the press release:

Sophos warns: iPad 2 and other mobile devices vulnerable to proximity theft

Aptly-named “substrate hack” could steal data from uncovered devices - but metallic crisp packets can provide temporary “polar foil” fix

IT security and control firm Sophos is warning users of smartphones and tablet computers - including the popular Apple iPad and iPad 2 - to temporarily refrain from using the devices following the discovery that data can be stolen from unprotected devices through a surprisingly simple proximity attack dubbed a “substrate hack” by SophosLabs.

The attack - the exact details of which are not being released to the public to prevent the exploit being used by cybercriminals - involves data leaking through the substrate itself - the hybrid metal/plastic container - of devices that are left uncovered.

“It’s scary to think that all those many millions of smartphones and tablets out there are susceptible to a relatively simple attack through the substrate in which the devices themselves are packaged,” said a spokesperson for Sophos Naked Security.

“One reliable countermeasure, evaluated in tests at SophosLabs, is to keep your tablet-type device or phone wrapped in plasticated aluminum, like the material used in crisp packets. Of course, this removes the ability to make calls or access the internet, but keeps your data much safer, both when you are using the device and when it is at rest.”

Until a patch has been issued by device manufacturers, concerned members of the public can reduce the risk of a substrate attack by shielding their devices with lightweight metallised plastic or cardboard. Crisp packets are ideal. This sort of shield forms a “polar foil” around the device and greatly reduces the risk of data theft.

However, SophosLabs researchers warn that cylindrical shields, such as Pringles cans, should not be used. Despite their metallic coating and obvious benefits over crisp packets in sturdiness, durability and hygiene, Pringles cans - as WiFi hackers know only too well - act as antennas, boosting rather than attenuating any putative data leakage signal.

For more information, including images, please visit the Sophos Naked Security site: http://nakedsecurity.sophos.com/2011/04/01/apple-ipad-vulnerable-to-data-loss-through-substrate-hack/

It doesn’t say if a tin-foil hat will work as well as a crisp packet…