Information security

Many of my readers are curious about hacking, testing and the ins and outs of setting up a security testing facility.

So here goes a nice white paper authored by Harry Bulbrook at the Durham Technical Community college, explaining how to set up a secure lab for testing and learning. It is a year old, but it still is a great resource that enables you to easily set up and maintain your lab without interfering with your production network.

This Easter vacation I spent with my family and friends from Den Norske Turistforening (DNT).  We were tending a Tourist Cottage – a unique service the DNT offers nature loving people in Norway. The Tourist Cottage is a network of freely available cottages scattered around Norway – where you can sleep, restock food and at some of them even get dinner served.

We were at Høgevarde – a cottage that sleeps 27 people, and that have restaurant facilities. This year, the restaurant was managed by a team of contributors, myself included, where we offered hot food and drinks to the skiers who visited.

All well. So where is the security in all this?

Part of the concept of these cottages is to provide shelter to travelers in the high mountain. They serve as a resting place. And most importantly, they serve as a rescue point in the high mountain when you are in distress.

And during Easter in Norway, many people travel to the mountain. They use their skiing skills only this time of year, and their knowledge of the mountain dangers are usually what they read in the paper or watch on the TV. You know, there is a bit of a difference watching a winter storm on the TV, sitting in your warm city house, and actually being in the middle of a winter storm in the high mountains.

As we experienced first hand this Easter.

Thursday came the storm. It was not a surprise, as it had been forecasted. What was a bit of a surprise was the high number of visitors we had this day. Some of them where dressed properly, and carried full winter rescue equipment – including shovel.

Others where dressed highly inappropriate. One guy in particular came with his son and a dog. The dog and son wore suitable clothing, but the father came as if he where to take a quick walk in the forest.

They had their break, and headed back down towards the valley. We gave it no particular thought. Until half an hour later the father returned. This time alone. And blue – as only the cold can make you.

We heated him up with some toddy and soup. And he had learned an important lesson about the mountain – always be prepared and dress appropriately.

Later that day, a couple of the experienced mountaineers dressed him up, equipped him with map and compass (which we had to teach him how to use too), and followed him halfway down to the valley. On their way back to the cottage, they (the experienced ones) managed to loose their direction in the storm, and spent some precious time trying to navigate their way back.

Thanks to their experience and equipment (map, compass and GPS), they kept their heads cool and found their way back.

We can learn a lot by such experiences, and we can apply it to the corporate security world too.

For example:

–       Be prepared for eventualities like a winter storm. In the corporate world that means disaster and recovery planning. It also means appropriate training and user awareness. By being prepared, you bring with you the experience and tools required to help you survive a hopeless situation.

–       There is no shame in turning around. In the corporate world this means that when you see that you are not able to complete what you set out to do (implement a new security tool, developing a new method, applying a patch, changing configs etc), take a time out. Revert to a last known good configuration, and reconsider. Perhaps you need to ask for help from someone more experienced?

–       Know your surroundings. Some mountains are easier to descend than others. If your mountain is too big, dig in and stay alive. Your survival is more likely if you get off the mountain and down into the valley, but some mountains does not allow you to do that. Thus, you need to know which strategy to choose.  In the corporate world this means that you need to know your position and environment. Sometimes you can wait things off, other times you need to get off your high horse and reconsider your approach.

–       There is always sun after rain. No storm lasts forever. Keep a positive mind, and focus on staying alive while it lasts. Always remember that eventually (and it may feel like never), the storm will move on and the sun arrives. In the corporate world this means that when the storm is on; stay focused on your goals, while riding off the storm. Keep doing the things that works; build a positive – but realistic – image about the situation. It may be a virus that takes down the full network, or it may be a media disaster – no matter what it is, only by keeping your focus on short term “staying alive” activities while remembering that sun will eventually arrive, will you not only survive, but be a stronger organization when the storm is over.

 

The guy we dressed up?

He made it down to the valley. He spent Friday as a perfect host for his guests. And Saturday, when the storm was gone and the sun shone all over the mountain, he went back up to us. With his son and wife. And the equipment he borrowed. We shared toddy and a waffle.

And we share the experience.

I still do not know his name. But I got my compass back. And I know we both will be humble when preparing our next visit to the high mountains.

 

The following are 5 tips on working with policies in a corporation. They are simple and to the point.

Enforce the policies

Enforce the policies through incentives. Make sure that you use the policies, or they may be useless when you try to enforce it 5 years down the line.

Follow up policies with technology

Use technology to control and enforce the policies. Never develop policies to adapt to the technology - it must be the other way around. If in doubt, hire specialist.

Review and audit regularly

Technology, markets, regulations and people change all the time. Policies need to be audited and adopted as you go - regularly. Make sure employees are allowed to suggest changes. If errors are discovered - make sure to act swiftly to update the policy.

Corporate governance is key

Corporate Governance is not only a new buzzword. It is only a new name for an age-old best-practice.

1. Set targets / visions

2. Draw the path through strategies and tactics.

3. Compare the outcome with targets/vision.

4. Start over

The purpose is simply to put forward a set of methods to ensure quality, trace-ability and documentation. You can do it in large scale or small scale - the principles stay the same.

Remove the bad apples

Bad apples must be handled correctly. Get rid of them by using their forces and turning them into valuable gems.

Or, throw them out of the basket.

 

 

------------------------------

This is part two of the article Bad advice for good security, as appear on Risksopportunities 2007.

Part one is available here.

The size of the hacking/scamming/phishing criminals are increasing. We all know this. The size of the criminals available creates new market spaces. We know that too. Criminals tends lack ethics. We see evidence of that all the time! 

And here is a nice story to show you again the lack of ethics amongst the criminals - Mr. Brain offers his free phishing kit to aspiring scammers. Nice one, Mr. Brain! I bet they love it!

Only drawback - Mr. Brain gets a copy of all activities and all the information collected from the kits. And the scammers themselves get scammed!

Why Mr. Brain does it like this? We can only guess. What we do know is that it gets increasingly risky to run scams and phishing - as ISPs and law enforcement are now actively on the lookout. Thus, finding an ISP and running your scam yourself is no longer the best method.

Add to that the increasing number of dumb n00bs out there, wannabies who like to be Great Hackers, but lack skill, understanding and motivation. What do you get? A market for hacking tools. 

As with legitimate business, many different business models exists - selling tools and kits directly, revenue sharing - and now "information sharing" without consent.

I am quite sure that Mr. Brain have access to the infrastructure necessary to monetize on the information. And I am more sure that his clients - the wannabies above - have no or only little clue on how to monetize the same information.  And the poor n00b ends up scammed.

I must admit - I love it. 

I am ROFL imaging their faces when they realize they are 0wned.

Anton brought my attention to this article over at CIO. If you the slightest interest in data protection, I recommend the read! 

I have been using the new Plaxo Pulse feature - an attempt Plaxo is making to turn the address book update tool into a social and business network tool.

I see many issues, but those do not belong to my blog.

What do belong here is this error message I have received a few times. It says:

"Oops! There seems to be a problem. I'll tell you what... let us fix it and this can be our little secret."

I do like the fact that I do not have to see all the programming error message blah-blah that usually turns up when a web application have a hick-up. Doing so means the Plaxo team tries to make an effort to make their tool user friendly - a must for a web application IMO.

The problem with this error is the last part of it:

"Let us fix it and this can be OUR LITTLE SECRET."

Tell you what - if you do have a problem, you should fix it. Sure thing. But to ask me to keep it a secret? Wow, thank you but not thanks. If I keep it a secret, here is what might happen:

• You do not fix it
• Someone exploit it
• it is not one error, but many
  
• I get suspicious about your service (keep the error a secret - so no one else will know there is a problem)
• I will never know when you fix it (if you do - see above)
• I will stop trusting you
• others will stop trusting you

I suggest a different approach to such errors.

• First, be frank - earn my trust! You do this by telling me what is wrong , and what you are to do about it.
• Be direct - tell me what exactly is wrong. Do this by including an error code, and point me to a knowledge base. Chances are I will never look there, but if I wanted, now I can. You earn my trust.
• Tell me what you are going to do. If you know the issue, you are likely to have a plan to deal with it. No need to share the details - but let me know that you are going to do something, and preferably add a deadline.
• Do not single mindedly focus on making new functionalities - fix your errors too. I will NEVER use your new, cool features unless I trust your application first. Seeing the same (or what I perceive as the same) error for weeks, reduces my trust in you and your application. It is a loose-loose situation.

Plaxo, I suggest you change your error message with this one:

"Oops! There seems to be a problem! Tell you what. Let us fix it, so you can go about and enjoy our tool.

If you like, you can read about this error here! (link). We plan to fix this by the next patch, which is due by (some date)."

You might also want to include contact information - contact our support team - so the user gets an option to complain or ask around. Plenty of support management tools exists - this is not a big deal.

 

I promissed you a report from my guest lecture at the Norwegian school of Management BI.

First, thank you to all of you who gave me ideas and input to the workshop! Invaluable! And I thank a great deal of the success to you! You all know who you are!

 

On to the report then.

 

I was given the opportunity to host a guest lecture for the third year bachelor students at the Norwegian school of management BI. The study is a bachelor in IT management – i.e. these students are going to be the next generation CIO's, IT-managers and IT-directors out there.

 

Some of you might scream;

 

“Oah – what the hang glider – white-collars to be the IT-managers??? What about the nerdy-ness required? What about their technical knowhow? Do they even know how to configure a firewall?”

 

First of all – the CIO, the IT-director and the IT-manager – those are managerial jobs. Those are there to handle the business side of ICT. Those are there to execute the business strategy of ICT. The sooner you realize that, the better.

Secondly – the study is very interesting indeed. Agreed, they do not dwelve deeply into firewall administration – but they do dig into technology, ICT and the students are genuinely interested in the geeky side of things.

Thirdly – they bring business understanding and value to the table. They have been thought budgeting, reporting and economical analysis. They understand the relation between business goals, and the relevance those has to ICT.

 

So IMO, this study is very important and relevant. It provides the market with IT-managers with a sound combination of business understanding AND ICT-interest. These boys and girls can set up a network, while discussing implementation of business strategy with the CEO.

 

Now that is out of the hat, and I can move on :)

 

I got approval from Renny – the lecturer of the class – to run my guest lecture as a workshop. The purpose was simple – to actually have the students working instead of just listening or surfing.

 

I based the workshop upon the TJX case. I took some of the facts, without telling them that this was a true case of course. The facts I gave them included the size and time frame of the breach, and then I asked them to discuss the possibility of this being true or not.

 

As expected, discussion was on.

 

I then added some more details, and they where to role play being the the company, and decide what they should have done to prevent this to happen. They had to incorporate some theory that they where supposed to have studied too. This exercise was in groups of 4, and they spent some time finding the answers. A healthy discussion and plenum summary followed. Many great ideas and they realized the complexity of such a case.

 

Their last task was given them after I told the truth, and some more details. The task was to be the upper management, in the days after the breach was publicly known. They would have to decide what to do now – and the focus is of course to make the best business possible.

 

Taking into consideration that they where students, with no or little knowledge of running such huge operations as TJX are, they did very well indeed. Most importantly, I think they learned that business is about making a profit, while reducing risks.

 

According to the feedback after the session, the students enjoyed the workshop.

 

I know I loved the opportunity, and had great fun.

A while back, I needed an antispam tool for my blog comments. I decided to go with Akismet.

A few months down the line, my antispam solution have caught over 2 500 spams. 2 500 spam comments on my blog alone. I think that is a wast number - and can only assume what more popular blogs must handle.

According to Akismet, their service has caught more than 3 billion (as in 3,043,731,975) spam messages since they started. Their complete stats are available.

Thanks to Akismet, I am able to concentrate on doing the writing, and leaving the comments almost to itself. (So far, I have decided to approve all comments - I am now testing full automatic. You will soon discover if it works or not!)

The largest conference within IT, e-business, BI, security and CRM - the CNIT in Paris, is cancelled. 

I used to be there back in 2000, talking about the importance of multilingual e-business solutions in Europe. According to the press release below, the cancellation is due to technical security problems at the Paris Expo conference center.

The complete press release (French) is below:

 

 

Imagine you are a well know, global brand. Your brand includes several high value products with brands that are recognized by anyone. 

Would you protect your brands? Like trademarking them? Patenting the technology? Building public awareness? Promote and market them?

Sure you would.

What if someone then contacts you and tell you that your computers are spewing out spam. Covering your own products, your competitors products as well as any other kind of products we all receive in our inboxes. 

What would you do now?

I bet you would not dig your big, fat head into the sandbox and pretend that the spamming is not happening. I am sure you would instantly recognize the problem, and start investigating, and then clean out your closet. 

There is no way you would do as Pfizer does.

You see, many of the Viagra, Cialis and penis enlargment pill spams you get in your mailbox originate from within the Pfizer network, and Pfizer does nothing about it.  

Pfizer, it is time to realize you need to clean out your closet. if you are not sure how to do it yourself, I know of many who would love to offer a helping hand!