CIPP Guide » InfoSec

Congressman Twitters Security Breach

jbrook — Mon, 09 Feb 2009 19:19:19 +0000

Personal responsibility. Within any organization, you have to trust someone. You put trust into somebody, expecting they will take the responsibility. Big lapses end up on the evening news. People typically think its the low paid administrative assistant who blunders through a social engineering exercise. Or maybe it’s the disgruntled system administrator trolling through the online personnelle files looking for something of value. Possibly the forgetful road warrior and the expectation that with more mobility, more information will be leaked.

A Wired Magazine correspondent documented the inadvertent disclosures through the use of GPS embedded into many of today’s cell phones. The NSA went through the trouble of securing the BarackBerry not only because he is the boss, but after hearing the vulnerabilities and mitigations, the residual risks were understood. I’m sure the Agency guys didn’t need to explain to him about leaving his phone in an adversary’s hands or randomly text messaging his buddies about hitting the bar later that night.

That’s why I’m puzzled by this weekend’s actions of Congressman Peter Hoekstra – former Chairman, and ranking member of the House Intelligence Committee. This is the guy supporting the warrant-less wiretapping, so that Al-Qaeda wouldn’t know US Intelligence was watching them. During what was supposed to be a secret congressional trip to Iraq, Hoekstra Twitters the details of the weekend trip. I understand a minor slip, those are planned for and around. From the Congressman’s tweets, it seems like he was trying to cause an incident, discussing travel coordination and locations with timestamps:

On the way to Andrews Air Force base.12 hour flight to mid east Be back on Mon instead of tues….3:28 PM Feb 4th

Just landed in Baghdad…..9:41 PM Feb 5th

Moved into green zone by helicopter Iraqi flag now over palace.Headed to new US embassy….11:56 PM Feb 5th

Talk about a lapse in responsibility. This isn’t even a judgement call – Hoekstra jeopardized all of his fellow travellers. Thankfully everyone returned safely home, at least according to Hoekstra’s last tweet:

Headed home!Situation in Iraq improves significantly.Afghanistan poses challenges!Lots of stuff to talk about when I get home Monday late pm

Even with the best policies and practices in place, everything hinges on the end user. Their understanding of each action that takes place and their role in the ultimate security/privacy of the whole is paramount to the success of the mission.

Privacy and Messaging through Postini

jbrook — Thu, 01 Jan 1970 03:59:59 +0000

Postini is Google’s 2006 acquisition for secure messaging, and a direct competitor to IronPort. All of their offerings surround Software As A Service (SAAS), matching directly with Google’s overall technology strategy. They provide several services, including web security, anti-spam/malware, mail filtering, and archival with indexing. The Data Leakage Prevention capabilities provide privacy protections through outbound communication filters. Additionally, there are management tools and continuity procedures appropriate for enterprise use.

Postini’s background technology stems from threat assessment and message parsing capabilities, grown through several years as a primary mail provider. There are two major patents, with a variety of claims following each one. The first patent surrounds on-demand message scanning and routing. The geographically distributed Postini data centers proxy all communications (corporate, wired, wireless, portal, etc) and filter the communications appropriately, removing viruses, spam etc. The second patent centers on threat detection and control, and methods for generating and processing a sender/ISP/country’s reputation and then acting accordingly.

The technology doesn’t seem that revolutionary today, and the online documentation frequently references the existence of prior art not mentioned in the patents. However, from a security perspective, the techniques Postini uses are sound. Communications between Postini and corporate mail servers are TLS encrypted. This allows additional features for Data Leakage Prevention by both companies. The Intrusion Detection, Anti-virus, and Anti-spam filters are all independent of the networking infrastructure, and likely include best of breed solutions whenever there’s not a better trade secret/patent in-house. Postini uses portals and web services for sending messages to non-subscriber recipients. The portals guarantee messages are not susceptible to a man-in-the-middle attack.

The Message Security and Message Delivery services offer content filtering for Data Leakage Prevention. There are consoles and rule engines for policy definition, as well as canned Personally Identifiable Information (PII) controls for things like Social Security Numbers or credit card information. The GUI apparently delivers enough rule granularity to at least filter attachment types and perform in message word detection.

Postini’s technology does not address malicious insider activities and could be its biggest weakness. This becomes more of an issue when examining the Google addition of archival and search. Site administrators may configure Postini for secure communications between corporate partner mail servers, and even make this a policy based requirement for some message delivery. This secure communication eliminates privacy issues between the corporate email servers and the Postini data centers. It does not, however, account for a messages time on disk or in use. Trusted insiders at the sender’s or recipient’s locations may manipulate or view messages. From a third party point of view, administrators at the Postini sites could possibly have enough access to circumvent many of the same protections. On Postini’s provider end, at least within Google, record access rights are strictly controlled with procedure.

Google’s approach to pricing is the most attractive part of the Postini product. It follows the principals of scale, expecting more consumers at a lower tipping point. For $3 annually per user, Postini provides inbound email filtering (Message Filtering) for viruses, trojans, spam, etc… At $12 annually, Postini does the same for outbound messaging and adds content and attachment conttrols as well as policy monitoring and centralized administration (Message Security). The $25 per year includes the archival and search features Google threw into the mix (Message Discovery).

Password hacking with chocolate: Are women more susceptible to social engineering?

jbrook — Thu, 24 Apr 2008 10:00:01 +0000

The Mitnick attack. The 10 attack. Social Engineering. Each of these emphasize how readily people part with valuable information to someone posing as an IT staffer, a very attractive member of the opposite sex, or someone friendly. You may now add candy bars and women…

No matter how you slice it, the weakest point in any security program ends up being the end user. User training seems to work with frequency of message, but without hearing the importance of security it seems quickly forgotten.

That is of course, unless the message starts at the top with a strong corporate policy, well understood consequences, and swift consistent enforcement. During my security training (I believe my CISSP), the instructor shared an example of a large, Canadian company with a zero-tolerance policy toward password disclosure. A Sr. V.P. within the company did just that with his secretary. During an audit, the IT staff discovered the VP logged in while on travel in 2 separate places, checking email. The VP was immediately terminated, the secretary put on probation.

This information trickery is the same idea as pre-texting in the privacy world . A caller (typically) phones a target under some false pretext, such as a survey or sweepstakes winnings. After ‘verifying’ enough publicly available information, such as name, street address, phone number, additional information is provided incorrectly or incompletely, typically date of birth, mother’s maiden name, bank where winnings may be deposited or social security number to report the winnings to the IRS.

Once armed with this information, the assailant calls in to the bank after ‘losing’ their checkbook, or simply requesting a change of address. From there, enough information is in in hand to (hopefully only) clear out the checking account, or continue with a complete identity theft. Banks and retail merchants are recognizing this trend and are putting further and further measures in place to protect their customers.

Security is one of the five domains integral to the Certified Information Privacy Professional (CIPP) and for good reason. The chocolate and the sweepstakes winner are the same problem, and mitigated through the same policy and training. Now if we could just convince the user populous – if it seems to good to be true – it probably is.

eDiscovery – Could the obvious approach put too much private information into one spot?

jbrook — Wed, 23 Apr 2008 10:00:00 +0000

Electronic Discovery, or eDiscovery, is the digital analog to a court request for documents and files pertaining to a proceeding. As with anything digital, the courts expect discovery times in days and weeks, versus the months (years) given for paper files. Punishments for failure to produce could be regulatory, legislative, or may even include court based consequences such as contempt charges. In a recent survey by Information Security Magazine, only 28 percent of respondents knew how they would handle an eDiscovery request. Even knowing where to look seems a daunting task. I have trouble at times finding a matching pair of socks in a 2′ x 3′ drawer.

Well prepared companies develop policies. Some buy eDiscovery or search software. Even better prepared Configuration Managed CMMI level companies define procedures. They begin data inventories. This is where I see it becomes interesting…

A typical company has a lot more data lying around than they really expect. Think about a day in the life of an enterprise. Email, IM, network file shares, database records, log files, security devices, executive summary reports, backup tapes, the list goes on. That’s not even considering end workstations, laptops or PDAs (where the majority of people I know do their work) or decommissioned hardware (there’s still data on those things), CD-R/DVD-Rs or other removable media. I’m sure you see the point; there are a ton of sources. That’s only half the problem.

If you ever learn about government data classification, there are three reasons something’s classified. It contains important information, the source of the information is important, or the information amalgamated from various parts into one location makes it important. This is why identity thieves hack corporate databases; it’s the proverbial ‘where the money is’ or until now the most consolidated repository.

So now let’s offer them a juicier target! Put the map to Curly’s Gold, and the Lost Dutchman’s mine, and all the rest of them In one location. Insiders and outsiders alike should be clambering for it, with the idea that you can pick and choose what’s most interesting. Want the network architecture diagrams? IT admin’s machine, here’s the IP address. Customer Personally Identifiable Information (PII) database? Oracle server’s on the fourth floor, want the table configs. Corporate strategy or yet to be released financials, aisle 12…

This is why most government documents become classified. Someone did the hard research and heavy lifting. Anyone that can put their hands on it just has to cite the paragraphs they want to look omniscient, or at least very well informed. A perfect example is an enterprise firewall rule set; the outgoing Port Allows from one site don’t provide much; couple the complete configs of all of the boundary protections and you have something someone may do harm with.

To counteract the centralized data repository threats from an infosec standpoint, we will put in place perimeter protections, audit the systems for hackers & insiders alike, instantiate policies as far as who should access what information with what sorts of separation of duties, etc… 10 years ago this was all pretty cutting edge and wild west gunslinger-esque. Today, it’s called industry best practices.

My question becomes one of Information Privacy and Policy: who’s keeping the snoops from browsing the celebrity hospital records? Or placing obviously needed controls prior to simply supplying all information available? Or when it’s just flat out wrong?

Seriously, who should have access? One of the better known companies that had to tackle this problem: Google. Every search made with Google winds up in a very big database with information such as IP addresses, search terms, etc. (ever read the privacy policy?). This much data in one spot is tempting, but it’s somewhat anonymized (recently), and according to Google security folks I’ve talked to, very well controlled by corporate policy and enforced with security protections. Only a handful of people have access, physical and logical. I would say Google may be the exception. Obviously, the end court will receive a redaction: if it’s pertinent to the case, they’re entitled to it by law. But someone has to do the sorting. Is it the attorneys, the IT staff, the management? Current Insider threats are hampered somewhat by the hard work of inventory and cataloging; they target the low-hanging fruit. Now, the most accessible jobs, probably interns and juniors, may be sorting the records considered for evidence.

What happens when the collected information comes from a company you worked for the past 20 years, and it comprises your whole life story, laid out on a silver hard drive platter? If they get parts of it wrong, producing inaccurate reports that slander your good name by opening lines of question well outside the original case? The Fair Credit Reporting Act legislation protects your credit info with the credit bureaus. Nothing right now controls eDiscovery accuracy. That’s not that big of a deal, with the idea being this info will ONLY be used in judicial proceedings or congressional hearings (steroids in baseball), and in those you start down the witness credibility path (I guess data creator credibility would be more accurate).

Do we need more legislation for protecting these huge information stores and location roadmaps, or can we rely even more heavily on information security professionals to instantiate further best practices? I’m a smaller government kind of guy, so I’d prefer industry policing. Unfortunately with the exception of the Payment Card Industry’s (PCI) work, the government has stepped in to clean up most of the debaucherous messes self regulatory models let through. Typically, once laws are enacted, industry conforms to the letter, doing the bare minimum to comply rather than what would be in the best interest of their customers. Just think of how far HIPPA falls short.

Obviously, there’s a great deal of work to be done with eDiscovery. Maybe the attorneys will make sure it’s done in the right way?

Hey, I found that black and grey argyle I was looking for…

Hacking attack targets epileptics

jbrook — Sun, 20 Apr 2008 19:05:21 +0000

I find ‘America’s Funniest Videos’ entertaining. I get ‘Jackass’… They scare people, gross them out, or generally bewilder. But they don’t intentionally go out and drop toilet bowls on people’s heads or put others lives in danger.

What I don’t get is the recent hack of the Epilepsy Foundation forums, changing posts so that they displayed flashing strobes and trippy patterns. I find this behavior reprehensible. To sully a non-profit’s reputation, and attack unsuspecting seizure disorder suffers, many of whom may be incapcitated by the strobes or patterns. Thankfully most of them probably don’t know what happened, essentially blacking out, except for an awful headache or coffee covered keyboard. The Epilepsy Foundation responded quickly, impresive for a Sunday, holiday, and a non-profit.

Seizures consist of multiple neurons in the brain firing out of sequence. The random firings may be localized and cause an absence episode, or generalized Tonic Clonic events (previously known as Grand Mal) where the afflicted lose muscle control and physically convulse.

After the main event, there are typically aftershocks. Just as after an earthquake the ground may move a little more easily, so too is the case for epileptics. People may be epsiode free for a year or more by successful diagnosis, drug therapy, or even brain surgery. They may have just resumed a normal lifestyle of heading to the grocery store or walking to the park, and now have to worry about something they would have been resistant to a week earlier. Imagine a fear of seizing in a crosswalk, or while chopping celery.

For a demonstration, do something honorable or with meaning. I find it one thing to engage in protests: ruin a fur with red paint, DoS or defile a website, or even common financial thievery. The Epilepsy Foundation attack is the digital equivalent to randomly finding a guy on the street and beating them up. Lawless anarchy must not be tolerated from a bunch of little hooligans.