Tuesday, July 31, 2007

But Jack, isn't that hypocritical?

Maybe you are thinking "Why are you poking at business partners before looking at your own network?" Maybe that seems unfair or hypocritical.

Here's my logic- first, there are plenty of resources for helping to secure your systems (and I hope to add to them later), but not many that look outside- and almost none that apply to the small guy checking up on the big guys. Also, we pay some of the partners- franchisors, vendors and others- and that gives us the right to hold them accountable. We're the little guy, we are often required to use their systems, we can't opt out and still do business. These are their systems and it is their responsibility to secure them.

It is our responsibility to protect our systems and our interests. To me, that includes holding our partners accountable.

Jack

Partners and Security, Part 3

Continuing with our cursory look at our partners...

Navigate through the site, look for clues. Hover over links, note if the pages are scripted (file names and URLs ending in .asp/.aspx, .cgi, etc.) or basic html.

Look for help pages, do they give away anything? Is there help available before you log in? Are password recovery procedures listed? Anything questionable there?

Look for forms- fill out a few poorly and see if they handle mistakes gracefully. NOTE, I am not suggesting you try to break the application, do not enter "or one equals one" type entries in an attempt to hack the system. You don't have (and are highly unlikely to ever get) permission, so be nice. We are looking for common mistakes and simple oversights on the part of the developer(s).

If you do find errors, look at the error messages, they can tell you quite a bit. Google the errors, you may find some well known problems have been ignored.

Next time, we start using some tools to dig a little deeper into the website or application.

Jack

A Convert!

My wife is an intelligent woman (her fondness for me notwithstanding), but she has a "low-tech" job and is not particularly fond of computers. She does grudgingly admit that computers are good for some things, like email, searches and maps (but not much else). One of her work-related activities involves helping resolve personnel and contractual disputes- and that requires wading through a bewildering mass of contractual, policy and labor law documentation. She recently learned of an initiative to move most of the relevant documentation online and provide online management of active issues. Upon hearing of this wonderful new system, her first words were "How secure will it be?". A convert! In spite of the potential relief this would bring, her first thought was about the security of employment records.

She elaborated on her concerns- not only was she worried about the security of the website, she pointed out that the website in question currently required a username and password. Unfortunately, since the site doesn't currently have anything of value, she doesn't use a good password and doubts anyone else does- and doubts that will change.

She gets it. Maybe not the nuts and bolts, but the ideas. I don't know how much impact her concerns will have on the overall project, but in the big picture, every voice counts.

Jack

Tuesday, July 24, 2007

Mental Health, InfoSec and Playing with Fire

Someone said that all work and no play makes Jack a dull boy. That is a bit trite, but I do find that a break from work is a healthy thing. One of the hobbies that I don't really have the time to indulge is blacksmithing- but every summer the Cape Cod crew of the New England Blacksmiths demonstrates the craft at the Barnstable County Fair and I have been participating for the past few years. Even if I don't yet have the skill to turn out master works of art, there is something very satisfying about heating a chunk of metal in a forge and then whacking it with a hammer.

There is even a direct InfoSec link- I don't do it at the fair, but dropping the platters from a hard drive into the forge is a pretty good method of secure data destruction.

Jack

Thursday, July 19, 2007

Partners and Security, Part 2

Digging a little deeper into the security of business partners...

After reviewing the information you received, it is time to start looking a little deeper. Most of my experience is with web sites and web applications used for communications with vendors and franchisors, so that is where we will start.

Start with the basics. How do credentials get assigned? Are you sent a username and password in an email? (this is both very common and very bad). Do you have to reset your password at initial login? Do they even let you reset your own password? Does every user get their own credentials, or are you expected to share? Are logins encrypted? Are all transactions encrypted? Is the certificate valid?

Sadly, a large number of sites, even among financial institutions, will fail some of these checks. Companies that spend significant resources securing their "public" websites will frequently cut corners on their partner/affiliate websites, as if we aren't coming in from the same Internet. The whole Insider Threat concept is lost on them. Random attackers may not know what they can access once they are "inside", employees of partners already know what they are looking for.

Although some of the information you want is not as obvious in a web app as it is in a web site, you can still get what you need. Sometimes you can "break out" of Internet Explorer based web apps by simply pressing Ctrl-N; a new browser window will open with headers, footers and toolbars- revealing full URLs, certificates, etc. If that doesn't help with your applications, don't worry, you will need to fire up a sniffer and a proxy sooner or later anyway and they will give you what you need.

Next time, a little looking around before we break out the tools.
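As an added example (not code from the original posts), here is a small Python script that covers the basic checks from this post (is the login form submitted over HTTPS and by POST, is the certificate close to expiry) together with the "hover over links and note the extension" step from Part 3. The hostnames, page content, certificate date and "now" value are constructed for illustration; the live certificate fetch assumes you have been given access to the partner site, and it only runs when you call it.

```python
# Added example (not code from the original posts): basic partner-site checks.
# Hostnames, page content and dates below are constructed for illustration.
import socket
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions that mark a page as scripted rather than static HTML (the posts'
# .asp/.aspx/.cgi list, extended with a few other common ones).
SCRIPTED_EXTENSIONS = {".asp", ".aspx", ".cgi", ".php", ".jsp", ".do", ".pl"}


class PageInventory(HTMLParser):
    """Collect links and forms from one page, resolving relative URLs."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []
        self._form = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action", "")),
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append({"type": (a.get("type") or "text").lower(),
                                         "name": a.get("name", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def classify_links(links):
    """Split links into scripted vs. static by file extension (Part 3)."""
    scripted, static = [], []
    for url in links:
        last_segment = urlparse(url).path.rsplit("/", 1)[-1].lower()
        ext = last_segment[last_segment.rfind("."):] if "." in last_segment else ""
        (scripted if ext in SCRIPTED_EXTENSIONS else static).append(url)
    return scripted, static


def check_login_forms(forms):
    """Flag forms that carry a password field but submit it insecurely
    (the 'are logins encrypted?' question from Part 2)."""
    findings = []
    for form in forms:
        if not any(f["type"] == "password" for f in form["fields"]):
            continue
        if urlparse(form["action"]).scheme != "https":
            findings.append(f"password form submits to a non-HTTPS action: {form['action']}")
        if form["method"] != "post":
            findings.append(f"password form uses {form['method'].upper()}, so credentials "
                            f"end up in URLs and logs: {form['action']}")
    return findings


def cert_days_remaining(not_after, now=None):
    """Days until a certificate expires, given the 'notAfter' string from
    ssl.getpeercert(); negative means it has already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def fetch_certificate(host, port=443):
    """Live check: the default SSLContext verifies chain and hostname, so an
    invalid certificate raises ssl.SSLCertVerificationError instead of returning."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def run_checks(base_url, html):
    """Run the offline checks over one page and return the results."""
    inventory = PageInventory(base_url)
    inventory.feed(html)
    scripted, static = classify_links(inventory.links)
    return {"scripted": scripted, "static": static,
            "findings": check_login_forms(inventory.forms)}


# Constructed sample: a partner portal page with one weak login form.
SAMPLE_BASE = "https://partner.example/portal/"
SAMPLE_PAGE = """
<html><body>
<a href="/portal/orders.aspx">Orders</a>
<a href="help.html">Help</a>
<a href="http://partner.example/cgi-bin/reset.cgi">Forgot password</a>
<form action="http://partner.example/login.asp" method="get">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="https://partner.example/search" method="post">
  <input type="text" name="q">
</form>
</body></html>
"""
# Constructed 'now' and expiry date, in the format getpeercert() uses.
SAMPLE_NOW = datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2025 GMT"

if __name__ == "__main__":
    result = run_checks(SAMPLE_BASE, SAMPLE_PAGE)
    print("scripted pages:", result["scripted"])
    print("static pages:  ", result["static"])
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("days until sample cert expires:", cert_days_remaining(SAMPLE_NOT_AFTER, SAMPLE_NOW))
```

To use it against a real partner page, save the HTML you were served (view source) and pass it to `run_checks` with the page's URL; `fetch_certificate` against the hostname then gives you the `notAfter` string for `cert_days_remaining`, and a verification error on that call is itself a finding.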

Jack

BeanSec!

I finally made it to a BeanSec!
BeanSec! is not to be confused with any other security group, meeting or conference- it is more of a social event, held on the third Wednesday of each month at the Enormous Room in Cambridge. But- it is a social event for security geeks. Want to know more? Then go!
Your genial host (for most evenings) is Christofer Hoff.

I had a great time and met some cool people. Sadly, I doubt that I'll make it to very many BeanSecs- they happen the same evening as two of my favorite user groups, SNENUG and BLU. I was already conflicted enough having to choose between the Southern New England Network Users Group and Boston Linux & Unix. Of course, they don't meet in a bar...

Thanks Chris!

Jack

Wednesday, July 18, 2007

iEnough iAlready with the iPhone!

The final word on the iPhone is at Will it Blend?

Yes, they do.

Jack

Sunday, July 15, 2007

The good things about small business IT

Sure, it is fun complaining about trying to implement security in small business IT, but there are some real advantages that help offset many of the problems we face.

People are a great example- we get to know them. You don't have to like all of them, but knowing a bit about the personalities in your company can bring some valuable insights. New exploit in the wild? You already know who your "high risk" end users are- you can focus on the people and machines that are the most likely to be exploited because of the nature of their work or their habits. You also know which users will actually listen when you tell them that no one is sending them anonymous eCards, so don't open them- and focus your efforts on the, let's just say "harder to train" end-users.

In small business, we have to do it all. On the other hand, in small business we get to do it all. We handle most projects from end to end and have a better understanding of complete systems because of the added perspective. We also get to know our networks and systems very well. We learn what to expect when lightning strikes or the power goes out. We have a pretty good idea which applications might break on Patch Tuesday and can plan accordingly. If we stop, think and apply this knowledge before we start new projects, we can prevent problems and create a more secure environment.

Small businesses often offer a better quality of work life than big corporations. It is still possible to find loyalty in smaller companies. Small companies are more likely to be flexible with schedules and other intangibles. At my "real job", we have just over one hundred employees; about a quarter have been with the company over eight years and four of us have been here over twenty. That doesn't count the owners or their family. And that's in an industry with an average annual turnover above fifty percent. I don't think you will find many corporations that can put up numbers like that.

Yes, sometimes we have to battle to simply get a password policy, forget having a good one. Sometimes we simply have to cut corners (so do the big guys). But there are real opportunities in small business IT, so use them to your advantage.

Jack

Monday, July 9, 2007

Time for an introduction

How rude, I haven't really introduced myself yet.

I am Jack Daniel. Really. It was dad's name, too. Long story for another day, but it has nothing to do with the black label/square bottle guy.

I am "the computer guy" for a family of small businesses south of Boston, Massachusetts. I have performed many different jobs throughout the years. IT has been part of my work since the late 80's and has been full-time since the late 90's. Like most small business IT people, I handle a wide variety of things, from changing toner cartridges for those "special" end-users to desktop support to network, server and security design, deployment and maintenance. I have been interested in information security for a while and have spent the past several years trying to absorb as much security information as I can.

I was not a hacker or even a computer enthusiast in school. In those days and for several years beyond, I was a car guy. But, it turns out that an interest in "how stuff works" and how to "build, break and fix stuff" translates well from one field to another- so I was well served by my years as a mechanic. There were several years of various management positions between twisting wrenches and twisted pairs, but please don't hold that against me.

I am also a technology "community activist". Since discovering user groups many years ago I have been active in several groups and have assumed some leadership roles in the local user group community. Community participation in general, and user groups in particular, will be a recurring theme in this blog.

When not working on or playing with computers I have a few non-tech hobbies that I wish I could spend more time with- wood carving, boat building and blacksmithing. Another group of things around the recurring themes of "how stuff works" and "build/break/fix stuff".

That's enough for now-
Jack

Friday, July 6, 2007

Are the vendors clueless, or are we?

One of the companies I support recently leased several new multifunction fax machines. From a security perspective, the experience was astounding. The vendor seemed to have no clue about the insecurity of the devices or the implications to our network that such machines could have. The vendor also had no respect for the network. They were annoyed that they couldn't just plug into any open jack and get on the network- and their "network guy" didn't understand why anyone would want to control network access. When I clawed my way up the support ladder to someone with a bit of security awareness, I was assured that I could contract with their consulting division and they would secure the devices for a "reasonable" fee. Call me crazy, but I think it would be "reasonable" to ship the things secure in the first place.

OK, Jack, how bad were these things? These machines have 466MHz CPUs, 384MB of RAM, and 40GB hard drives. How's that for a potential attack platform distributed throughout your network? A simple Nessus scan not only reveals numerous significant vulnerabilities, it locks up the management interface on the devices and they need an extended power-off to recover full functionality. At first I was only frustrated with the vendor. We are paying them to compromise the security of our environment, and they will fix their own shortcomings if we pay them even more. How can they get away with this?

Then it dawned on me, they get away with it because we let them.

Jack

Wednesday, July 4, 2007

Happy Birthday USA

Wednesday, July 4
It is ten in the morning and I'm drinking sangria and listening to classical guitar on Internet radio. A great start to the holiday.

Internet radio wasn't among the driving forces behind the American revolution, and certainly isn't the most pressing problem facing the republic today- but the threats to Internet radio are real and some may have far-reaching implications for anyone who creates content and wants to retain control over their material, whether it is music, text or code. No political diatribe here, but if you are interested, look into the issue and act as you see fit. If you are not sure where to start, I would suggest savenetradio.org.

Happy July 4
Jack

Security and Business Partners

We all have to trust our business partners to take security seriously, but how can we be sure they live up to our expectations? We might not have the leverage that some big companies do, but we do have some tools available to help us. In the next few posts I will discuss some tips to help address security issues with your vendors and other business partners.

First, the easy ones- ask them for copies of their privacy and security policies. Next, ask for direct security and compliance contacts (not just their regular support information). While it is important to have this information, it is also important to make them realize that you are concerned and checking up on them. We all tend to behave better when we know we are being watched.

Look over the information you receive, and note the things you don't receive. Ask questions and raise concerns. If anything is especially troubling, bring it to your employer and explain why (without hysterics) you think it is a problem.

To be continued...

Jack

Sunday, July 1, 2007

Security Anecdote Theater, episode 2

Peter Ross, a master blacksmith at Colonial Williamsburg tells a story that I enjoy retelling-

Early in his career at Williamsburg, Peter was asked to make a reproduction of a lock from the Williamsburg collection. He carefully disassembled the original lock, inspected and measured every piece, and then made faithful reproductions of each component. When he tried to assemble the lock nothing fit. He filed, bent and reworked each piece until it finally went together and worked. Once the lock was complete, Peter was understandably impressed with his work and showed it off proudly. After the initial glow wore off, however, Peter noticed that the original lock was much nicer than his- it didn't show all of the signs of reworking and correction that his did. He reconciled himself to the obvious fact that the colonial era blacksmiths were simply better at the craft than he was.

As his skill and knowledge of the craft evolved Peter began to realize that his shortcoming was not in skill, but in perspective. Peter approached the task with the knowledge that careful measurement and replication will yield an exact duplicate- the modern view of manufacturing applied to an ancient craft. The original blacksmith made the first part of the lock from available material with little worry for exact measurements- because the second piece would be made to fit the first, and so on. The next lock made would probably look similar, but the parts wouldn't be interchangeable- but as long as both locks worked it didn't matter.

The colonial blacksmith had limited supplies of material and often had to reuse scrap due to the expense and scarcity of new stock. He also didn't have ready access to all of the tools that were available to smiths in England and the rest of Europe. The craft may be different, but in small business IT we face a similar situation- we often have very limited resources and must make do with what is available.

So, the next time you find something you would like to copy- whether it's a network topology, directory services infrastructure, VPN deployment or even a hand-forged lock- start with your current situation in mind and work towards a functionally similar system. Make sure all the pieces fit together with each other and your environment, just don't get hung up on trying to make an exact duplicate.

Jack