The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

July 19th, 2008

Why San Francisco’s network admin went rogue

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

To an auditor or anyone with security training this screams of a security risk.
One critical guy who has no backup, private and sole knowledge of the system, never takes vacations, arrogant and protective of his knowledge.
It’s a classic case of what should be avoided. There are no management controls in place. He could have been running any number of illegal operations, scams or selling of bandwidth to criminal groups, set up a virtual network … whatever. No-one would know. “Dual controls” are a fundamental for any critical operation - they are intended to prevent the abuse of privilege we see in this case, to divide the responsibility for the completion of a process into separate, accountable actions, and to safeguard integrity. Childs represents a single point of failure, and management is at fault for letting this situation arise.

His ‘pride in his work’ and treating the network like a child also comes across as a disregard for the end users, the people for whom the network is supposed to function.

It certainly appears that Terry Childs believed San Francisco’s FiberWAN network was his baby, and that by refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most importantly, himself.

Himself yes, the others, no. His dog-in-a-manger attitude shows a disregard for the end-user, municipal clients, his peers and those he should be mentoring.

His attitude towards management, formal procedures (like change controls and documentation), standards and automation of processes is frightening. These are signs that an auditor should have caught long ago. The question is ‘why didn’t that happen?’

As I said, his managers are at fault for letting this situation arise.
Once again it’s the suit-geek dichotomy; because they don’t want to know the technical issues or be involved in them, the managers let geeks like Terry Childs have free rein and don’t institute basic controls.

So when they do have to rein him in — UPSET. They are now paying the consequences.

The city is better off without Childs, but unfortunately it would also be better off without some of his managers too. What it does need is proper administration, of its networks and of its technical staff.

Forcing the issue may have impacted the city’s use and control of its network in the short term but not in the long term.

I suspect that the situation will resolve itself with Terry Childs as the scapegoat and his managers being absolved. Our legal system has an all-or-nothing attitude towards accountability. In a just world the managers who let this happen would be punished. Knowing how government IT works they will probably be promoted.

Will the City IT institute some basic controls and policies? Possibly, but once again I’m cynical and suspect they will be specific and reactive ones rather than wise and encompassing ones that calmer minds consider as a good baseline of security management practice and staff administration.

July 18th, 2008

Business Logic Flaws

Toronto - OWASP

This month’s meeting was about layer 7 errors in web applications. Trey Ford was a fast-spoken Texan and gave some good examples.

The common thread, as I saw it, was that no amount of pen testing, no amount of risk analysis would have uncovered these flaws. What they had in common was ‘failure mode’. It’s another FMEA situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we’ll contact those people and tell them of the mistake.

Other lists I’m on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that compares to my daily spam. Sending an OotO response to a mailing list message is dumb in the first place, but it’s also a security issue. Some of these lists don’t have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for “out of the office”. It’s amazing how easy social engineering can be.

Your company may mandate the use of OotO, but it’s most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism, make sure you have it set up properly.

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.

See also:
‘Out of office’ messages turned into spam relays

July 15th, 2008

Motive isn’t necessary to convict

http://government.zdnet.com/?p=3874

There’s an old joke about a man brought before the court for breaking and entering, not because he was caught in the commission of a crime but because he was found in possession of housebreaking tools - crowbars, glass-cutter and so forth.

When found guilty by the judge he said “well you better convict me for rape as well since I have the tool for that“.

This case is neither new nor precedent setting, as Professor Alan Dershowitz of Harvard Law School pointed out … back in 1988 in his book “Taking Liberties”. Some of his other books at Amazon are listed here.

June 18th, 2008

Is Windows or is IT the problem with security?

http://news.cnet.com/8301-13505_3-9970323-16.html

Michael Fiola, formerly an investigator with the Massachusetts Department of Industrial Accidents, was charged with possession of child pornography. He lost his community’s respect, many of his friends, and his family. His crime? He was given a Windows-based laptop that was riddled with vulnerabilities that were or became prey to malware.

An investigation showed he hadn’t downloaded the pornography. His computer did:

When the DIA issued Fiola his Dell Latitude laptop in November 2006, it was so badly configured that it may well have already been hacked, said Tami Loehrs, a forensics investigator hired by Fiola’s defense team. The Microsoft Systems Management Server software on the laptop was misconfigured and was not receiving critical software updates, and the laptop’s Symantec antivirus software was either misconfigured or not working properly, she said.

“He was handed a ticking time bomb,” she said.

In this case, it’s called Windows. Or, more accurately, an IT department that inflicted a poorly implemented Windows environment on Mr. Fiola.
Could this have happened with Linux or the Mac? Yes and maybe.

Yes, because weak IT yields weak security.

But maybe, because both of these Unix-like systems handle security much better than Windows traditionally has. But that’s not really the point.

No, what’s really the point is things like this and the case where a teacher was accused of exposing her class to pornography.

The article ends with

Did Microsoft create this problem for Mr. Fiola? No. If anything, it sounds like his IT department is to blame. But if it were me, I’d be asking for a Mac when joining a new company. With the Mac, my odds of having a Fiola-esque experience go down dramatically.

Which makes me think of another article I saw that indicates

MacOS experienced 50% growth as a primary development platform and 380% growth as a targeted platform during the period.

May 30th, 2008

Collaboration Is Still a Singular, Personal Experience

http://www.baselinemag.com/c/a/Messaging-and-Collaboration/Collabortion-Is-Still-a-Singular-Personal-Experience/?kc=BLBLBEMNL052908STR3

The primary collaboration tool today is still what it was 10 years ago: sending an e-mail attachment with a PowerPoint deck or Word document back and forth between two or more parties. It is a serial form of collaboration: I put together my work product, send it to you, and you send back your thoughts or changes. It is fraught with problems: I have to wait to receive your revisions before adding my own, and if I don’t agree with them, we pretty much have to start the process from scratch.

I have seen documents that had more changes and comments than the original text.

I’ve long been a supporter of Wikis and similar whiteboard tools.
There are now on-line shareable mind-maps and flow-charters.

But it has to take a business change. And that’s coming slowly.

We’ve been talking about the ‘paperless office’ for decades but we still think in terms of paper. Our sending Word documents back and forth illustrates this (not least of all when plain text e-mail would suffice). Many are hung up on PDF not because it’s un-editable (I now always send out my key documents like resumes in PDF since I found recruiters were altering them!), not because they render the same on different platforms (unlike HTML and very much unlike MS-Word), but because they look like the printed page.

Or perhaps not.

The media talks of “Gen-X” that lives with their ‘berries and IM.
Well Whoopie Dee! They make out that my (?our?) generation are technically lame. Not so! We place more emphasis on utility than toys.
My father, who would be in his 80s now if he lived, was an MS MVP/Developer in his 70s and was much more of a gadgeteer than I am or ever was. I pioneered commercial applications of UNIX in the 70s, skipped MS-DOS and went to small systems UNIX from SCO and others, and was an early adopter of PDAs - the Newton. Many of the non-technical people my age that I know are tech-savvy; those who view me as an expert are all high level users.

And one thing about high level users - they use the technology for a function that is of value. No geekishness.

But one thing the author of this article forgets is that there are other social shifts. Whether they are the result of technology or not is beside the point. Intellectual and creative work is still primarily an individual activity and the ‘confluence’ is there to synchronise, organise and direct.

Databases, wikis, blogs, e-mail, IM, all the other tools are there to store and communicate. Many of them get around the problems of traditional tools like paper (“you can’t grep dead trees”), physical presence, common language, different time zones and many others.

The article refers to “all those nifty Web 2.0 mashups” as if they were a Good Thing(R) on the one hand and then goes on to point out that they aren’t really about collaboration.

Perhaps one reason that tools like Lotus/IBM Notes and Microsoft’s Groove haven’t got much traction is that they don’t really reflect the way we work.

And there are many variations in the way we work - even as individuals, depending on context.

Once upon a time an executive of a telegraph company predicted that the telephone would never catch on because people would not tolerate the continuous interruption. I can’t imagine what he’d think of today’s environment with cell phones that double as cameras that double as personal juke-boxes and movie theatres.

We all know what the telecommunication companies think of ‘sharing’ using P2P and such legitimate alternatives to FTP as BitTorrent, as well as multiple users sharing a single connection.

April 24th, 2008

History’s 5 Best Interface Designs

http://blog.wired.com/gadgets/2008/04/historys-five-b.html

There’s an important point here in the sub-text about manual controls.
Well, many actually.

One point is that of ‘being in control’ vs ‘transparency’.
If all I want to do is listen to music or drive, then dropping a CD in a player or moving the selector past P, R and N makes more sense. If I want fine control in any one of many ways then the manual controls make sense.

So what has this to do with Security?

Bruce Schneier has pointed out that security needs to be transparent and intuitive, but that means different things to different people.

To an end user it means no spam, no malware, no intrusive pop-up adverts and no corruption, crashes or slowdowns. The ordinary user doesn’t want to be told to install patches or configure his personal firewall. He wants to write letters, balance his check-book, play games, watch videos or do the work he’s paid for. At many of my larger client sites the IT department does its job well enough that the end users see nothing whatsoever of the security process - I’ve discussed before how they don’t even have their AV enabled - it’s only there to satisfy the eternal auditors.

But there are people who do need the fine control, either professionally or as a self indulgence for their ego. For some people the array of knobs and sliders on their hi-fi, the ability to hit 6,000 RPM before moving out of first or having a menu interface that takes their attention off the job and has them fiddle around for a few critical seconds is very important.

In “The Inmates are Running the Asylum” (ISBN 0-672-31649-8) Alan Cooper talks about the way adding a computer to a previously established device can make it more like a computer than what it is supposed to be. The book is about user interface modelling and is a recommended read.

My first cell phone had a simple menu. The numbers, and ‘up/down’ lever and “go” button. I could operate it “blind”. Every phone I’ve had since then has a complicated multi-level menu that I have to look at in order to do even simple things.

It’s the same with cameras. My favourite is my old Canon A-1. It was one of the first generation of fully automatic cameras and only had automatic exposure control, which could be easily turned into manual without taking one’s eye from the viewfinder or being distracted from the job at hand - composing and taking the photograph.

We keep saying that security is everyone’s responsibility, but really it’s not, not in the sense that everyone has to be encumbered by clunky user interfaces that get in the way of doing the real job. And for most people, the details of security have nothing to do with their job.

January 22nd, 2008

Once it’s out of your control ...

There’s this idiot …

http://www.timesonline.co.uk/tol/sport/formula_1/article3221830.ece

Nigel Stepney, the former Ferrari mechanic who sparked the Ferrari/McLaren Mercedes espionage scandal last year, has admitted that he handed information to McLaren, but did not imagine that it would be used by the Woking-based team to the degree that it was.

Why ever not?
Once he handed the information over it was outside his control.
What people do with it then is up to them, not up to him. It’s not as if there was some binding contract and he can sue them for misuse of the information.

This boy is a fool to think he retains any control over the use of the information. Heck, by giving it away he’s shown that his employers don’t have control over the use to which it’s put, so why is he spouting nonsense like this:-

“I don’t feel responsible in anyway for what happened at McLaren,” Stepney said in an interview due to be transmitted on Sky Sports World Motor Sport show this evening.

This boy is a fool! Does he imagine everyone in the world is honest, is happy to abide by his agenda?

Or perhaps he’s a fool in a different way. Perhaps that’s all a smoke screen that he’s throwing up, hoping we’ll think him an innocent fool. Perhaps he’s fully aware of what he did and hopes we’ll think he’s just a naive and gullible idiot.

“Obviously it got a bit sensitive and somebody used information more than I actually thought it [should have been] or not more than it should have been, it should never have been used . . . to that extreme.”

And of course any leaked information could be put together with information from other sources, used to verify information obtained elsewhere, lead to other stuff … Anyone who has read things like David Kahn’s “The Codebreakers” or, perhaps more relevant to this guy, the BBC documentary in May of last year.

This boy’s a fool on many levels. How is any employer going to trust him ever again? It doesn’t matter if his intentions were as he claims or whether this patter is a smokescreen; he’s shown that he can’t be trusted and that is what matters.

December 7th, 2007

Green at home

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9045738&pageNumber=1

The computer magazines are full of “green” and IBM is running adverts about green that are painting the server room walls green. Green is obviously one of the hot IT buzzwords.

But what about home computing?

With the advent of DSL and cable internet many homes are running “always on” internet. This is a big “multiplier”.

Those of us who are smart have a firewall at the CPE doing the ‘always on’ part. I also have a server that uses fetchmail to fetch the mail from all the mailboxes I have around the world, so limiting my exposure.

While there are very low energy consumption machines like the Asus or solar powered laptops or very low power hacks this is all leading edge stuff. Many homes are running “legacy” equipment.

My firewall, for example, is an old HP Vectra desktop. It also makes a nice support for my monitor. The monitor is ‘Energy Star’ compliant and powers itself down. My server and laptop are more modern and have energy saving features. Since I run Linux I make use of ‘powersave’ to use the BIOS to throttle the CPU and shut down disk activity. Similar features exist for Windows.

The issue is “how many people use them?”

It would be nice for the green advocates if machines shipped with powersave features turned on, but it’s also easy to imagine grandma at her PC pecking out the letters while sending e-mail, pausing to think what to say next and seeing her screen go blank. Panic sets in.

Ah, awareness. Always an issue.

So what does this have to do with security?
Well, apart from grandma panicking, this is one more thing that can affect issues such as availability. While a battery-conserving road-warrior will tolerate the delay of disk start-up, it’s not appropriate in many other settings. Certainly not in a server farm!

Often the IT world can become obsessed with issues that are tangential to its main focus. Being Green should be a corporate strategy, one that is systemic. There are many other ways that a corporation can cause energy to be consumed other than its own electrical demands.

Telecommuting might seem a good idea but do work out the details. Is it more energy efficient for workers to come to an office and turn their own home energy demands down? Crunch the numbers. It may be less expensive for the company, allow it to have smaller premises and energy demands, but all it’s doing is offloading its energy demands onto its telecommuters. Good for its own profits but short-sighted with respect to the community at large.

And “going green” by telecommuting has its own InfoSec risks!

November 30th, 2007

Security awareness: another reason to avoid HTML mail

On the face of it, this looks like a perfectly reasonable message with a perfectly reasonable URL from a perfectly reasonable address:

Dear Workopolis member,

Workopolis Technical Department requests you to complete Online Employer Form.
This procedure is obligatory for all clients of Workopolis.
Please select the hyperlink and visit the address listed to access Online Employer Form.

http://www.workopolis.com/database/employer_form

These instructions are to be sent to all Workopolis members.
—————————————————————
Copyright © 2007 workopolis.com. All Rights Reserved.

In reality, it’s HTML mail that is used to hide the real URL.
What I’ve shown in plain text above reads like this in HTML:

Please select the hyperlink and visit the address listed to access Online Employer Form.

http://www.workopolis.com/database/employer_form?

What’s really there is http://www.workopolis.com.ieooo2.xz.cn/database/employer_form?session==79414285156108018779442998768454048168113142102426838

As you see, what you see and what you get aren’t the same.

My spam detector, spamassassin, is smart enough to spot this.
It’s really crude spam!

X-Spam-Report:
  * 1.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
  * 2.9 RM_hm_EmtyMsgid Message ID is empty, or just spaces - probable spamsign
  * 0.1 SPOOF_OURI URI: URI has items in odd places
  * 2.5 SARE_SPOOF_COM2COM URI: a.com.b.com
  * 2.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  * 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: ieooo2.xz.cn]
  * 1.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts

But the really important thing is that an HTML message can hide reality.
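As an added illustration (not part of the original post), here is a small Python check that does crudely what the spamassassin rules above do: it pulls every link out of an HTML body, compares the host the reader sees in the link text with the host the href actually names, and flags hosts that carry a well-known TLD in the middle (the a.com.b.cn pattern). The HTML is a constructed sample modelled on the message above; the session value is a placeholder.

```python
"""Flag HTML mail links whose visible text names one host but whose href
points at another, the trick used by the Workopolis message above."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the quoted message; the session value is
# a placeholder, not the one from the original spam.
SAMPLE_HTML = """<html><body>
<p>Please select the hyperlink and visit the address listed to access
Online Employer Form.</p>
<p><a href="http://www.workopolis.com.ieooo2.xz.cn/database/employer_form?session=EXAMPLE">
http://www.workopolis.com/database/employer_form?</a></p>
<p><a href="http://www.workopolis.com/help">Help</a></p>
</body></html>"""

# TLDs that should only ever be the last label of a legitimate hostname.
COMMON_TLDS = {"com", "net", "org", "gov", "edu"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the lower-cased hostname if text parses as an http(s) URL."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def is_com2com(host):
    """True if a common TLD appears as an inner label, e.g. a.com.b.cn."""
    labels = host.split(".")
    return any(label in COMMON_TLDS for label in labels[:-1])


def audit_links(html):
    """Return (href, reasons) for each link whose visible URL disagrees
    with its real host or whose real host has a TLD buried in the middle."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        shown = host_of(text)
        if real is None:
            continue
        reasons = []
        if shown is not None and shown != real:
            reasons.append("visible host %s != real host %s" % (shown, real))
        if is_com2com(real):
            reasons.append("TLD in the middle of host %s" % real)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

A real filter would also check the text/plain part against the text/html part, which is the MIME_HTML_ONLY point the report above makes.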

Why do I mention this? For most of us it’s obvious.

Well, at a recent ISSA meeting I spoke with another CISSP, a security manager with a local organization that has an operating budget of over 200 Million dollars. All their internal mail is “HTML” - he says that’s the standard, so the MUAs read mail as HTML by default. Mail from him is in proper MIME format, with the text part as well as the HTML part. I pointed out that this means his organization is paying extra for storage and that it gets multiplied when mail is cc’d. He just said “well it’s the corporate standard”.

Now the corporation may not care that it’s paying extra for all that storage; after all, storage is cheap.

But humans have always been the weak link. Someone might get mail like this and click on the URL. We’ve been telling users for years not to open unsolicited attachments, but they still do. Why would we think they won’t click on URLs in mail messages?

The reasons my colleague at the ISSA offered included “HTML offers formatting options that our users require. Plain Text does not.” But that was with no explanation of why they might need those options.

Personally I think that’s a specious answer. For EVERY message? We do fine here with plain text.

HTML mail represents a risk. Users need to be educated to realize that. A baseline policy of “all mail should be html” also means all readers default to html and so can hide what’s really in the message. Not least of all, there have been bugs in the html rendering code in the past that have led to exploits. Does anyone really think that users won’t click on the URLs in mail from the outside?

Perhaps you also need a front-end ’sanitizer’ like http://www.impsec.org/email-tools/procmail-security.html
or http://mailtools.anomy.net/ which is the one I recommend.

Perhaps you need to be wary about MIME e-mail in general, both HTML mail and attachments.

November 13th, 2007

The falling price of graphics cards and RAM will be the death of the 32-bit OS

http://blogs.zdnet.com/hardware/?p=922&tag=nl.e539

Indeed. But not yet.

You can run 64-bit Linux or Windows but many drivers are not there yet. If we are talking about servers then it’s probably not a problem, and if your server has 64-bit hardware then you should be running a 64-bit OS; but for the desktop, things like Adobe Flash and many video and audio codecs aren’t here yet.

While on the whole I’m happy with my 17″ Compaq X6050 (I wish it were lighter, though!) it and my tower server both have this limit on the number of slots for RAM. The thing here is that I want a large screen and disk; this is a ‘desktop replacement’. Yes, there are plenty of small and light machines out there. The Asus EEE PC comes in at under a kilogram but it has a 7″ TFT LCD with LED backlight @ 800×480. It is a subnotebook, about the size of a hardback book. That’s great, as a ‘pocket book’, if you work that way. But I’ll stick with paper and pen or my trusty old Newton. When I want a computer I want a proper computer, and that means a proper display. Perhaps one day we will have displays that are ‘smart paper’ and can unfold.
This limit on memory represents some serious brain damage on the part of the designers.

As this article points out, RAM is cheap and getting cheaper. Tiger Direct in the USA have been selling 512 megabyte DDR2 for US$9.99 recently. Even here in the Great White North, where prices are marked up astronomically and retailers don’t care that the loonie is stronger than the greenback, I can get a 1 gigabyte DDR2 for C$29.99 on the high-street with no shopping around. The same for my laptop is a little over twice the price at the same outlet. If I go down to the Computer Strip at College and Spadina in Toronto I can find 512M DDR2 for C$12.
When memory and address space was expensive we had to be parsimonious and ended up with virtual memory (and other) systems. We also had the phrase “virtual memory means virtual performance“.

The “56k limit” of DOS running on an 8088 (or a Z-80 if you remember CP/M) and roll-in-roll out memory management fitted in with the economics back then. Even if you were willing to shell out for more memory the hardware wouldn’t support it, the chips simply couldn’t address it.

So what has changed? Well the chips can address it, but if I were to shell out for 16 gigabytes of memory … the hardware won’t support it. The motherboards don’t have enough slots.

Well, sort of. In one sense motherboards are just another commodity, but that also means most of them are clustered in capability and performance. Oh, there are exceptions! Here’s a “monster truck” that supports 16Gbytes of RAM. And you can add to that whatever memory is on the video card.

Great for your server; great for your desktop. But what about the laptop? And let’s not forget that more and more individuals and corporations are moving to laptops. The lure of mobility, of wireless networking, of telecommuting and much else is very strong.
I suppose this might be yet another example of the “failure of imagination” syndrome that has always beset this and other industries, the designers and policy wonks simply can’t imagine why anyone would want to do “THAT!” It seems only time and a slow evolution of the marketplace brings about change.

But what we have here is, as this article describes, an economic force. I can easily afford to buy large disks and large amounts of memory, more than my cabinet and motherboard can cope with. While I can always run a SCSI cable to another chassis, there is really no simple way I can add more memory than the motherboard has slots for. And with the laptop I am even more constrained.
More and more applications are using large memory spaces. Perhaps applications will drive development of hardware. Consider these statistics. Half of the machines are 2G or more. When the hardware developers are able to tout more slots as a way to sell more gear, it will happen.
Even so, it may well be a re-run of the old 1950s attitude towards automobiles:- planned obsolescence. Many people think so, but items that last tend to become cultural icons - classic automobiles and of course the Newton.