I recently discovered a very good TED presentation by James Lyne, it is definitely a goodie. In his presentation, “Everyday cybercrime – and what you can do about it” https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it he provides an excellent introduction into internet security. His entertaining style fits well with the content and the 17 minute presentation covers key material. This should be on everyone’s play list as he debunks common myths about cybercrime. A Sophos page with some helpful followup tips can be found over at https://sophos.com/wifi with the emphasis wifi services.
I came across the SANS Security Awareness Tip of The Day recently. It includes a daily tip that explains how people can better protect themselves in a digital world with suggestions on what your social media privacy setting should be to guidance on technology rules for visiting children.
So why not add it to your bookmarks or your RSS reader
Dan Geer is a voice in the IT Security world that should be listened to, and he has co-authored a short but intense article in the IEEE S&P Cleartext column that addresses the reality of the rapidly-changing threats that we all face.
“Stand Your Ground” has a few key messages, which I’ll try to summarise :-
- Minimise the number of targets; stop adding new services without effective defences, remove old services. Use the savings to fund better security for what remains.
- Distrust the internal network; distrust any service that is not continually verified. Defend against outbound traffic as well as inbound traffic.
- Do not assume perfection is possible; plan for failure modes that reduce services sensibly. Reduce the time-to-repair with automation instead of extending the mean-time-between-failure.
In an article from Wired thieves allegedly stole half a million Australian credit card numbers. The raid on an unnamed business in Australia used keystroke logging software on POS terminals then transferred the information back to Eastern Europe. The POS terminals had default passwords and stored transaction data insecurely. They were accessed using an unsecured Microsoft Remote Desktop connection. But the notable quote is
“The network was setup by some local suppliers who didn’t understand IT security,” Det. Sup. Marden told the magazine. “It was a disaster waiting to happen.”
As is often the case in many incidents, most of the layers of defence were turned off, left with default values, or just were not considered necessary. Had any one of the following been in place this particular incident could have been averted: changed the vendors default password, forced access to the terminals via a VPN, AV software on the workstations, IDS on outward network traffic, logging and monitoring of authentication services. Lastly, had the Aussie business performed an independent information security audit these would have been identified and the costly compromise could have been avoided.
I’ve just picked up a nice new entry on the “Falsehoods [people] believe about [topic]” meme … this one is “Falsehoods programmers believe about networks” and comes from Errata Security, a very good resource.
Here’s the top 5 :-
- Data on the network cannot be altered.
- Encrypted data on the network cannot be altered.
- Data cannot be accidentally corrupted, because TCP has checksums and Ethernet has CRCs
- If it’s inside my perimeter firewall, that means I have total control over it
- If it doesn’t return an error, then send() sent all the data that was asked of it.
A small list at the end is “Falsehoods network administrators believe about networks” …
- There is no IPv6 on my network
- NAT automatically blocks all inbound attacks
- We know all the devices attached to our network at any given time
- There are always 24 hours in a day.
- Months have either 30 or 31 days.
- Years have 365 days.
- February is always 28 days long.
- Any 24-hour period will always begin and end in the same day (or week, or month).
- People have exactly one canonical full name.
- People have exactly one full name which they go by.
- People’s names fit within a certain defined amount of space.
- People’s names do not change.
- People’s names change, but only at a certain enumerated set of events.
- People’s names are written in ASCII.
- People’s names are written in any single character set.
- People’s names are all mapped in Unicode code points.
- People’s names are case sensitive.
- People’s names are case insensitive.
I was delighted by a recent post on the SANS web site from Johannes B. Ullrich. In his article he lists 5 documents that deal with hardening OSX. For those that don’t know, hardening is the process is securing a computer by reducing the vulnerable attack surface. I was only aware of the Apple documentation and not the others. Ullrich notes that the Apple documents do not cover OS X Lion (10.7). This is disappointing as I would have thought that Apple would have been more proactive given their increasing market share.
Anyway the list included below and anyone exposing an Apple to the internet is advised to check the documents to make sure that they have enabled sufficient sheilding to withstand probes and attacks.
Update: Megaupload lawyers report that user data may be destroyed by the end of this week (30 Jan – 5 Feb 2012)
This isn’t a post about copyright infringement. This is a post about backing up your data.
Popular file-sharing site Megaupload was shut down on 19 January 2012, and it’s owners arrested. Of course, all the servers have been seized as evidence, and therefore all uploaded content, including non-infringing files that are not under investigation, is unavailable indefinitely.
- Always keep backups of important files
- Cloud storage can fail
- You are always responsible for your data.
Disclaimer: I use Spideroak (the free version) and I’m very happy with it. I’m not endorsing them, just informing you that they exist. I have not used Wuala, but their security mechanism appears to be very similar.
For those interested in confirming or checking the secure configuration of their operating systems the National Security Agency (NSA) have some hardening documents available. These cover Apple Mac, Microsoft Windows and Linux operating systems. Generally, hardening is a process that reduces the attack surface or the number of vulnerabilities exposed to attackers. Often this is achieved through disabling unused services, uninstalling unused software, and removing unnecessary user accounts and is considered an essential step in maintaining a trusted computing environment.