About David Strom

David Strom is an old hand at enterprise IT, having worked in the industry from the early days of the PC. He has developed numerous print and Web publications for IT managers and developers and runs the Dice Security Technical Community here.

Why your small business needs a better firewall

When I set out to test a collection of new small business firewalls for Network World, I wanted to find a place that could illustrate their need. I was fortunate to find Mercury Labs, which despite its name is a video production and public relations company of about 10 people located in midtown St. Louis, not far from my office. Over the course of a couple of weeks, I brought in several different unified threat management (UTM) boxes to try out, including Check Point Software’s 640, Dell/Sonicwall’s NSA250MW, Elitecore Technologies’ Cyberoam CR35iNG, Fortinet’s FortiGate 100-D, Juniper Networks’ SRX220H-POE, Kerio Technologies’ Control 1100, Sophos/Astaro’s UTM 220, and Watchguard Technologies’ XTM330.

Mercury was instructive because before I got there, they didn’t really have much protection on their Internet connection: the only device connected to their cable modem was an Apple Airport. Relying on NAT does not a firewall make. Over the course of my tests, they were intrigued to see the steady stream of attacks coming across the big bad Internet as we captured them in real time. Think of a sewer line encased in clear plastic so you can see the flow of filth.

Several of the vendors sent in their techs to help me with the tests, something that I always welcome because we always find bugs in any product. In fact we found a killer bug in the top-rated product from Check Point. The tech was making some frantic calls back to his developers in Israel where they quickly found and fixed the bug and sent us the new firmware.

Small businesses have lots of choices when it comes to protecting their network. You can buy a home router for less than $50 from any number of consumer networking vendors, or you can spend more than $4,000 for one of the more than a dozen firewalls from the enterprise security vendors. The UTM products lie in between those price points.

The UTM products include more than just a firewall: there is intrusion detection and prevention, network-based anti-virus and anti-spam screening, virtual private network connections (VPNs), and content filtering on outbound Web browsing to prevent phishing and browser-based attacks.

I liked the Check Point UTM because it had a nice balance of simplicity and power, and it was also the cheapest of the boxes that I tested. It worked well on the mostly Mac network at Mercury, something not all of its competitors could claim. You can see a sample screen from Check Point’s box below.


You can see lots more screencaps here. And you can read my review in Network World here.

My thoughts on the NSA leaks

Like many of you, I have been reading and watching a lot about the latest leaks about the NSA Prism program. It has been a fascinating weekend. I want to share with you some of my own sources if you want to learn more about what is going on, apart from the sensational news headlines.

Coincidentally, last week I finished reading Andy Greenberg’s excellent book, This Machine Kills Secrets. Greenberg is a reporter for Forbes and the book covers the rise and fall of Wikileaks over the past several years. Some of this information is also presented in another excellent work, the documentary film “We Steal Secrets” by Alex Gibney (you can watch it on Amazon here). Both the book and the movie bring up all sorts of ironies about the conduct of Manning, Assange, and Lamo. The movie draws heavily on AIM chat logs.

Fortunately, we have this exceptional 12-minute video interview of Edward Snowden, the NSA leaker. It is well worth your time to watch. He raises some interesting points about his motivations and worldview.

More coincidence: Manning’s trial started last week, and the daily transcripts are available here.

I have a small personal connection: I first began corresponding with Lamo many years ago, and then actually met him when he crashed on my sofa in 2004. He is a curious character (you can read my thoughts about him in one of my Web Informant columns here), and obviously conflicted about his decision to turn in Manning. This topic and other things are captured in a recorded audio interview I did with him two years ago for ReadWrite (the article is here and I have uploaded the mp3 recording here).

So what is really possible with this NSA program? Your first stop should be a blog post by Alex Stamos, the CTO of Artemis Internet. He has an interesting taxonomy of the various possibilities of what Prism can and can’t do, based on the conflicting statements from government and computer industry principals. It is well worth reading.

Robert Graham’s excellent Errata Security blog has some interesting comments also about the various claims and counter-claims. Many years ago he wrote a piece of software that demonstrates how the government can listen to Internet traffic. He says, “The PRISM program isn’t all that we fear, but more than we find tolerable.”

He also suggests that we ask questions of the major computer software vendors, such as “Have you changed what user information you log at the request of law enforcement?” I would welcome that dialog and clarification.

In another post where he talks about the responsibilities of the NSA, Graham states, “The IRS hires people with high-school diplomas, the NSA hires Ph.D.s with military service.” He claims that the lowly NSA staffer is very scrupulous about their mission.

To get an idea of what is possible, you should check out a story Wired magazine ran last year about the NSA’s new and as yet incomplete data center south of Salt Lake City.

Finally, you should also follow what Bruce Schneier is posting. He is always a thoughtful and insightful security analyst, and in this post he writes about the need for whistleblowers to force our governments to be open and to keep abuses under control. He also has a long list of questions that he’d like to have answered, and a reminder of how much we really don’t know.

Is Prism one of those abuses of power? Maybe, and maybe we will never find out really what it does.

ITworld: Keep bad guys off your network by finding out where they live

The time is ripe to get started using location services in your enterprise. No matter that you have Foursquare check-in fatigue: this is a different aspect, and something that is useful and worth the time and has direct business benefit. More businesses are using location services such as geofencing to focus their marketing efforts and better secure their networks. Using location services can help you do your job better and cut your company’s overhead without spending a lot of additional capital.

You can read the article in ITworld here where I talk about using geofencing for network management and social media monitoring.

Solution Providers for Retail: GPS in Retail Stores Helps Convert Browsers to Buyers

In another post on geofencing, I mentioned efforts by a number of retailers to make use of location-based information. There is another perspective on location, that of the provider of the geospatial databases that drive many of the location-aware mobile apps being developed. Redlands, Calif.-based ESRI has been one of the leaders in this space. I spoke to two of their key managers about how they work with developers and how the business is changing.

You can read my post today on the SPfR blog here.

Favorite security stories of the week

Here are links to some of the more interesting security stories that I found around the Web. Check out my Dice Security Talent Community for other links to important security resources.

1: Are Businesses Knowingly Infecting Their Web Visitors? (Dark Reading)

2: NetTraveler Cyber-Spying Campaign Swiped Data for Years (eWeek)

3: Botnets now routinely using P2P to evade detection, says Damballa (Techworld)

4: Maine may be first state to require a warrant for cellphone tracking (Network World)

5: Google’s certificate announcement contains a hidden surprise for Windows XP users (Sophos Naked Security)

6: How to secure your Facebook profile (Trend Micro Blog)

7: LinkedIn, Evernote Add Two-Factor Authentication (Information Week)

8: The secret to online safety: Lies, random characters, and a password manager (Ars Technica)

9: Google and the Zero-Day Conundrum (Fortinet Blog)

10: Get Set Null Java Security (FireEye Blog)

Slashdot: Monsanto expanding its data analytics


Monsanto is more infamous for growing its genetically modified crops than for its use of software, but a series of corporate acquisitions and a new emphasis on tech solutions has transformed it into a firm that acts more like an innovative IT vendor than an agribusiness giant. It is a good example of the trend toward data analytics in agribusiness that I wrote about for Slashdot last year.

Before an audience of entrepreneurs and civic leaders at a downtown St. Louis tech incubator, in a session entitled “The Role of IT in Modern Agriculture,” Jim McCarter (the Entrepreneur in Residence for Monsanto) reviewed where the company’s IT efforts are going.

You can read my story posted in Slashdot today here about some of the nifty things they are doing.

TakeDownCon worth attending

Nationally known security researchers and white-hat hackers came to the Ameristar conference center outside of St. Louis this week as part of the first TakeDownCon conference, organized by computer security firm Parameter Security along with Hacker U and EC-Council.org. I attended part of the first day of a two-day event, along with about 200 others from around the region. EC-Council and Hacker U both offer a large selection of security courses.

The conference included a keynote from Charlie Miller, who now works for Twitter in their security department, talking about what he did to hack near field communications (NFC) on two different smartphones. Miller, who lives in the St. Louis area, has been known for his exploits of the Mac OS and iOS and was probably the most engaging speaker of the day. He showed us that hacking is a lot of preparation and understanding the entire NFC protocol stack and how a phone interacts with the radio tags and signals. The exploit also demonstrated that even for a communications method with relatively low bandwidth of just a few hundred kilobits per second, it is possible to find a way to control a phone’s Web browser by focusing on the interactions of this protocol with the rest of the phone’s software.

Another presentation was from a very young Georgia Weidman, who now has her own firm, Bulb Security. She was working for Neohapsis but decided to leave when she recently won a DARPA grant to build a new hacking tool that she calls SPF, for Smartphone Pentest Framework. It allows you to exploit smartphones that have been jailbroken by downloading special hacking code without the phone owner’s knowledge, showing how a Bring Your Own Device policy can backfire without proper controls.

Salvador Grec from NoVA Infosec spoke about the process he goes through to analyze malware and presented dozens of different tools that he uses to understand how malware operates to infect and take over computer networks.

TakeDownCon was a solid collection of content and speakers and well attended. You might want to put it on your calendar for next year.

Solution Providers for Retail: How to Build Your First Geofence

Geofencing is the concept of drawing a virtual boundary around a physical location so that customers and potential customers can be identified by where they are, letting retailers better target promotions and fine-tune marketing. During the past several years, a number of new companies have been created to take advantage of it: they produce smartphone applications and digital coupons, and manage social media marketing campaigns with an eye to the neighborhood around a particular retail establishment.
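As an added illustration (not code from the original post or from any of the vendors mentioned), here is the simplest form of geofence described above: a circle of a given radius around a store, with check-ins tested against it using the great-circle distance. The store coordinates, radius and check-ins are constructed sample values.

```python
import math

EARTH_RADIUS_M = 6371000.0  # mean Earth radius; accurate enough for store-sized fences


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    """A circular fence: a named centre point plus a radius in metres."""

    def __init__(self, name: str, lat: float, lon: float, radius_m: float):
        self.name, self.lat, self.lon, self.radius_m = name, lat, lon, radius_m

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


def match_checkins(fences, checkins):
    """Return (user, fence name) pairs for every check-in that falls inside a fence.

    `checkins` is a list of (user, lat, lon) tuples; a check-in can match several fences.
    """
    hits = []
    for user, lat, lon in checkins:
        for fence in fences:
            if fence.contains(lat, lon):
                hits.append((user, fence.name))
    return hits


# Constructed sample data: one store in downtown St. Louis (coordinates are illustrative only)
STORE_FENCES = [Geofence("downtown store", 38.6270, -90.1994, 300.0)]
SAMPLE_CHECKINS = [
    ("alice", 38.6275, -90.1990),  # about 65 m from the store: inside the fence
    ("bob", 38.6370, -90.1994),    # about 1.1 km north: outside the fence
]

if __name__ == "__main__":
    for user, fence_name in match_checkins(STORE_FENCES, SAMPLE_CHECKINS):
        print(f"{user} is near {fence_name}")
```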

In this story today for Solution Providers for Retail, I talk through some of the issues that VARs should think about before they go about building their first geofencing app.

A new form of cheating on your partner

A few weeks ago, my wife and I were out to dinner and she dropped what I first thought was a bombshell. She told me that she was cheating on me when I was out of town. What was more alarming was that she told me she was doing this by herself. But it wasn’t what you might think and her behavior had nothing to do with our love life.

What she was talking about was this. She was watching by herself one of our favorite TV shows that we had recorded on our DVR. When I was out of town, she watched the show without me. Okay, I’ll admit that it took a few minutes before my heart rate returned to normal. But she isn’t the only one using the cheating term in that fashion.

Apparently, Netflix is too. In a survey last month, it found that 10% of couples who were in a committed relationship – meaning that they agreed to watch the same movies or shows together – cheated on each other. They even produced this charming video to illustrate their point of “watching ahead”:

Certainly, this is alarming and something that should be addressed by the moral leaders of our times. (Jimmy Kimmel has already weighed in.) Video streaming has enabled this entire culture of binge viewing: you start at episode n and keep watching several series one after another until you reach 3 am exhausted. I first got into this mode on a trip last year to Australia, when I found the entire first season of Homeland on the plane’s video system. The 12-hour flight was almost long enough to watch all 12 episodes. This certainly made the flight pass quicker.

But is your marriage healthy enough to stand up to your video streaming contract, let alone the other kinds? Are we going to see video streaming fidelity being written into pre-nups now? This is the new area that technology brings us in modern living. It is bad enough that we have to trust our partners not to view particular websites of questionable content (I won’t go into details, but I think you know what I mean). Now we have to worry about what other things that can pass for joint entertainment too.

In the Netflix ad, the female partner has obviously seen the movie that the couple is supposedly watching together for the first time, and faking her reactions to particular plot points before her male partner makes her come clean. I guess this shows that we have a lot more to worry about (female) fakery than we once thought. Life was so simple, back when we had to buy or rent the actual DVDs or go to the movie theater, or had to record to VHS tapes.

Like other kinds of potential cheating, you can avoid the eventual nastiness if you take the time to communicate with your partner about your rights and obligations. And whether you have enough Internet bandwidth when you are out of town too.

I’d love to hear your thoughts about what you and your partner are doing about this important social issue, and whether you too have watched ahead of your partner.

Time to use two-factor authentication

Last week Twitter became the latest to adopt additional security measures to protect logins using a second authentication factor, joining Apple iTunes, Google Apps, Facebook and others. The idea is to join something that you know, such as a password (that is often and unfortunately shared among other Web services) with something that only you have, such as your cellphone number or an app that runs on your phone.

It wasn’t all that long ago that the small “tokens” the size of key fobs were the sole method that could be used to protect logins. These devices automatically generated a one-time password code that changed every 30 seconds or so, and when you logged into one of your accounts you had to type in the code currently shown on the device. But toting tokens is too much trouble: they get lost, or you leave them at home when you need them elsewhere. A much better solution is to use your phone to generate these one-time codes. So I recently looked at several two-factor security tools for a review that was published in Network World. These are tools that enterprises use to protect their entire collection of logins to a diverse set of applications, such as internal websites, client/server databases and Web apps. Of the eight tools, SecureAuth’s IdP came out on top.
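The codes that a key fob or a phone app generates every 30 seconds are standardized in RFC 4226 (HOTP) and RFC 6238 (TOTP), and the example below (added here, not from the original post or from any of the reviewed products) implements both plus the server-side check, which tolerates one step of clock drift and compares codes in constant time. The key is the reference key from the RFC test vectors, not a real secret.

```python
import hashlib
import hmac
import struct
import time

# Reference key from the RFC 4226 / RFC 6238 test vectors (constructed, not a real secret)
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given 8-byte counter value."""
    msg = struct.pack(">Q", counter)                      # counter as big-endian uint64
    mac = hmac.new(key, msg, hashlib.sha1).digest()       # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # "dynamic truncation" offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the number of 30-second steps since the epoch."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or any step within `window`.

    Every candidate is compared with hmac.compare_digest so that the check takes the same
    time whether or not the code matches.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_KEY, now)
    print("current code:", code, "accepted:", verify_totp(TEST_KEY, code, now))
```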

In my review I looked at how easy it was to provision new users, what kinds of apps you can protect with the tool, and what kinds of protective measures you can deploy for the additional authentication steps. There are many different kinds of tokens (as you can see from the picture above from SafeNet, one of the products that I tested), apart from the traditional key fob type: you can use SMS messages (which is what Twitter and Google use), you can download a special smartphone app that creates the one-time codes, or you can use actual voice calls or send emails.

None of these tools is simple for an IT staff to set up, however. They have lots of moving parts and require security specialists from different parts of the IT infrastructure to coordinate their efforts.

The Twitter two-factor authentication (they call it account verification) is somewhat confusing: you have to go to Account, then check the box on Account Security to enable it. Then you have to ensure that your email address and phone number are added to your account.

Part of the bigger problem — not just for Twitter — is that all Web services vendors slipstream in their two-factor authentication feature without you necessarily knowing about it. If you haven’t kept up with the vendor’s blog or if the feature hasn’t been widely reported, you don’t know it has been added. For example, Google added two-factor to its Gmail accounts several years ago, but not initially to its hosted email accounts. Unless you are ultra paranoid or a security geek, chances are you don’t know about the feature.

Another part of the problem is that, frankly, providing the second factor is annoying: an extra step to keep your account secure. Chances are that you won’t be very motivated to use it unless your account has been compromised in the past, say the recent past. (See the use case of people doing backups after they lose their hard drives.) This is where the two-factor tools that I reviewed come in handy: if your company has deployed one of these, it can actually make logging into your accounts easier rather than harder, using a single sign-on to authenticate you to multiple accounts. SecureAuth and Okta come out near the top in this area too.

Given the numerous and now infamous Twitter account compromises over the past couple of years, I am glad to see them deploy two-factor authentication. While many of these compromises could still have happened with the additional authentication, it is a good thing to deploy, and if you have a corporate Twitter account, you should set this up soon. And if you haven’t yet set it up on your other Web accounts, take some time this week to do so.