David Strom’s Web Informant

New and improved with just a hint of lemon

Archive for the ‘security’ Category

Book review: Detecting Malice by Robert Hansen

Posted by strom on November 10, 2009

In his ebook Detecting Malice, Robert Hansen has a difficult task: to compile in one place a variety of attack descriptions and forensic methods for various Internet intrusions. He does a great job of covering the landscape, talking in plain language without a lot of technical jargon and with many clear examples. If you have never read packet captures, this book will be an eye opener, and if you have some exposure to hacking tools and Web traces, then you will do fine with the examples that he portrays.

Think that your Web site is immune from these exploits? Think again. Just about everyone has some kind of exposure, and part of understanding exactly what that exposure is means getting into the bad guys’ mindset and seeing how they can penetrate your servers.

I highly recommend this book; it is well worth the time and money. It will stimulate your thinking and certainly raise your level of paranoia, and perhaps your level of motivation, to lock things down.

Posted in Web software, security

PC World: Better endpoint security

Posted by strom on June 29, 2009

While there are numerous security suites from Symantec, McAfee, and the like that provide firewall and anti-virus, they aren’t integrated programs; they are more a collection of software, much the way Microsoft Office is a collection of word processing, spreadsheet, and presentation software.

Here are three different approaches: two software products from Symantec and eEye, and a combination of hardware and software from a relatively new company called Napera. All three of them combine firewalls and intrusion prevention with centralized management consoles and reports. You can read more in my column in today’s PC World here.

Posted in Published work, security

MarkMonitor BrandJacking Index: Financial Services brand abuse

Posted by strom on June 29, 2009

Brand abuse is increasing, but more important than the sheer volume is the increased sophistication and the opportunistic nature of brandjackers, who are quick to take advantage of current events and popular concerns.

In this report, I look at brand abuse trends in the financial vertical, focusing on four major financial services brands and four terms associated with the financial crisis – foreclosure, mortgage, refinance and unemployed. As the economy has worsened over the past months, we found that con artists have exploited consumers’ financial fears and uncertainties, and have rushed in to hijack well-known brands for their own profit. There has been a profound increase – 36 percent in one quarter – in the level of phishing attacks as well as in cybersquatting.

You can download the entire report here on MarkMonitor’s site.

Posted in Published work, security

Keeping track of your Web site passwords

Posted by strom on May 28, 2009

I have a dirty secret to share with you all today: until recently, I didn’t have a very good strategy for keeping track of my various Web site passwords and logins. Near my desk is a worn set of stapled sheets of paper with various notations about which username, email address, and password I have used to authenticate to each site. Luckily, I work alone, but it still bothers me that if someone were to break into my office, those special pieces of paper would probably be the most important thing to find. I know some of you use PostIt notes for this purpose, and keep them where no one would look, such as under your keyboards.

There is a better way, and I will get to it in a moment, but first I want to take you through some of the other solutions that I have tried and rejected. Since I do most of my work on my laptop, why not just automate the credentials inside my browser? That is good for some of the sites that I use most frequently, but it isn’t very secure should someone get hold of my laptop.

Another idea is OpenID.net, which is an open-source collection of Web sites that federates your identity, including Yahoo, MySpace, Facebook, and others. OpenID sounds really good, until you start to peek under the covers, and realize that if a phisher ever got ahold of just one authentication of yours at one site, they could pretty much gain access to the rest of your OpenID sites. This is more ‘phederated ID’ and a hacker’s paradise. The problem is that once you authenticate properly on one Web site, you can use your OpenID URL to gain access to anything else.

I have mentioned in previous missives Ping.fm and Quub.com that attempt to consolidate all of your social networking logins in one place, and be able to update your status messages across the board. But it is troubling when I get emails from Quub mentioning that they have upgraded their system and “had to clear everyone’s existing credentials that were encrypted with the old algorithm. Please re-enter your credentials under Settings …”

RoboForm is another solution, which basically automates the credentials and saves them in an encrypted spot on your hard drive. That is great, but what happens if you are using a different PC?

Another way is to use some form of two-factor authentication, so called because it uses something that you – and only you – have in your possession, such as a special and unique SecurID token. I have one for my PayPal account; it cost $5 and is well worth the added protection that it offers. Basically, no one else can use my account unless they use the token to sign in.

But the issue with these tokens is that you need one for each of your accounts. There are some vendors who are trying to get around this issue by using one’s cell phone as a second-factor authentication tool, including Phonefactor.com and FireID.com. Both require some integration of their tools into your applications, which isn’t very good if you want to apply them universally to all of your Web authentications. FireID’s solution involves using a special server that sits on my network, while PhoneFactor requires software agents to download to your desktop or to integrate into your Web applications.
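To make concrete what a hardware or phone token actually does, here is an added example that is not code from this post or from any of the vendors named above. It implements the open-standard one-time-password algorithms (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238) that phone authenticator apps commonly use; SecurID itself uses a proprietary algorithm, so treat this as the general mechanism rather than a description of that product. The shared secret is the published RFC 4226 test key, so the codes can be checked against the RFC’s own test vectors.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226 test secret (ASCII "12345678901234567890"); a real token
# would have a random per-device secret provisioned once and never transmitted again.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' of the MAC down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so token and server agree without a shared counter."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, candidate, for_time=None, step=30, digits=6, window=1):
    """Server-side check. Accepts codes from `window` steps either side of the
    current one to tolerate clock drift, and compares in constant time so that
    response timing does not leak how much of the expected code matched."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Show the first few RFC 4226 codes and a TOTP code for a fixed time.
    for c in range(3):
        print(f"counter {c}: {hotp(TEST_SECRET, c)}")
    print("TOTP at t=59s:", totp(TEST_SECRET, for_time=59))
    print("verify:", verify_totp(TEST_SECRET, totp(TEST_SECRET, for_time=59), for_time=59))
```

The point of the possession factor is that the secret never leaves the device, so a phished password alone is useless without the current code. A production server should also remember the last counter it accepted for each user and refuse to accept that code a second time inside the drift window, otherwise a code captured in transit could be replayed for up to a minute.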

So what else can you do? The service that I am trying out now is from Tricipher and called MyOneLogin.com. It costs $30 a year per user, and everything is done via their hosted service so there is nothing to download, other than an optional Firefox or IE browser plug-in to handle some tasks. You set up a special Web portal for your company, and then add your credentials to the various sites. It comes with hundreds of pre-set applications and works with either special knowledge questions (what was the name of your third-grade teacher) or with your cell phone. The good thing about MyOneLogin is that you can set it up and forget your passwords, because no matter where you are you can log in to the portal and then to your applications. You can mix and match Web and internal apps, such as your VPN login, too, without any programming or installing any servers. And it is also a great solution if a company wants to keep control of the credentials for these sites, so when you leave you can’t take your logins with you.

Look for one of my WebInformant.tv screencast video demos in the near future that will show you more about the service. And you can try it out for 30 days for free if you are interested. Maybe now I can finally toss those special pieces of paper – but first I will have to make sure to shred them!

Posted in security

How to stay secure in these insecure times

Posted by strom on April 1, 2009

This isn’t any April fool’s story, but a rather depressing one about how easy it is to compromise a corporate network. Markoff’s recent story in the New York Times got me looking for the research paper by Anderson and Nagaraja that should be required reading by anyone in the email and network security space.

The paper describes a determined attack on the exiled government offices of the Dalai Lama by purported agents of the Chinese government. It is a chilling account of how easy it is for hackers to penetrate a network with a little bit of social engineering and a lot of clever programming. While none of this is new, what is new is how it is getting harder to keep the bad guys out.

The Tibetan government contacted the authors of the paper when they observed suspicious diplomatic behavior. The authors found the following disturbing items:

• A number of successful logins were observed to the Tibetans’ US-based hosting accounts that came from Chinese IP addresses, none of which originated with genuine Tibetan users.
• Social engineering tactics were used to obtain the email identities of many Tibetan government officials, who were then sent a number of phished emails.
• The emails contained rootkit programs masquerading as ordinary documents from apparently legitimate sources.
• Once the attachments were opened by Tibetan monks by mistake, the rootkits were then used to obtain more information and compromise other users on the network.

What is interesting about this case was the combination of malware and “good guessing” (which is really what social engineering is anyway): doing research on the Tibetan communications to find plausible email addresses of their correspondents, so that the phished emails would be more likely to be opened by the exiled monks. The guessing was made easier given the nature of the Tibetan diaspora and how open the monks are about their activities and outreach.
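The first finding above, successful logins to hosting accounts from addresses where no genuine user was, is the kind of thing a small organisation can catch from its own logs without buying anything. The following is an added example, not code from the post or from the Anderson and Nagaraja paper: it reads a constructed authentication log in an assumed one-line-per-event format, compares the source address of every successful login against an allowlist of networks the real users are known to come from, and reports the rest. The addresses and user names are made up (RFC 5737 documentation ranges), and the log format is an assumption; adapt the regular expression to whatever your hosting provider actually emits.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real data). Assumed format:
# "<timestamp> LOGIN <OK|FAIL> user=<name> ip=<address>"
SAMPLE_LOG = """\
2009-03-01T08:02:11Z LOGIN OK user=tenzin ip=192.0.2.17
2009-03-01T08:05:40Z LOGIN FAIL user=tenzin ip=203.0.113.45
2009-03-01T08:06:02Z LOGIN OK user=tenzin ip=203.0.113.45
2009-03-01T09:14:37Z LOGIN OK user=lobsang ip=192.0.2.88
2009-03-01T11:51:09Z LOGIN OK user=lobsang ip=198.51.100.200
2009-03-01T12:00:00Z LOGIN OK user=admin ip=203.0.113.9
"""

# Constructed allowlist: the networks from which genuine users are expected to log in.
# In practice this would be the office, VPN egress and known home ranges.
EXPECTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ip"] = ipaddress.ip_address(event["ip"])
    return event


def is_expected(ip):
    """True if the address falls inside any allowlisted network."""
    return any(ip in net for net in EXPECTED_NETWORKS)


def find_unexpected_logins(log_text):
    """Return successful logins from outside the allowlist, in log order.
    Failed attempts are ignored here: a success from a strange place is the
    signal that the account itself has been taken over."""
    flagged = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "OK":
            continue
        if not is_expected(event["ip"]):
            flagged.append({"ts": event["ts"], "user": event["user"], "ip": str(event["ip"])})
    return flagged


def users_with_unexpected_logins(log_text):
    """Summarise the flagged events: each affected user mapped to the sorted
    list of unexpected source addresses, which is what you would hand to the
    person resetting credentials."""
    by_user = defaultdict(set)
    for event in find_unexpected_logins(log_text):
        by_user[event["user"]].add(event["ip"])
    return {user: sorted(ips) for user, ips in by_user.items()}


if __name__ == "__main__":
    for event in find_unexpected_logins(SAMPLE_LOG):
        print(f"{event['ts']} unexpected successful login: user={event['user']} ip={event['ip']}")
    print(users_with_unexpected_logins(SAMPLE_LOG))
```

An allowlist check like this is deliberately crude: it will produce noise whenever a legitimate user travels, and it says nothing about sessions that ride on a compromised machine inside the allowed range, which is exactly how the rootkits in this case operated. Its value is that it is cheap, runs on data you already have, and would have surfaced the hosting-account logins described in the paper long before anyone had to call in outside researchers.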

Here is the nut graph of the report:

“Until recently, one might have assumed that it would take a ‘geek’ to write good malware, and someone with interpersonal skills to do the social manipulation. But the industrialisation of online crime over the past five years means that capably-written malware, which will not be detected by anti-virus programs, is now available on the market. All an attacker needs is the social skill and patience to work the malware from one person to another until enough machines have been compromised to complete the mission. What’s more, the ‘best practice’ advice that one sees in the corporate sector comes nowhere even close to preventing such an attack.”

So what countermeasures can a typical corporate IT person take? Certainly, encrypted email should be used more, and while this is something that I have written about for more than a decade, I probably will still be writing about it 10 years from now. (None of the Tibetan emails were encrypted.) Second, when possible, use separate networks for external communications that don’t contain operational elements of a company: don’t put your payroll on your SMTP mail servers, use firewalls or even physically separate networks, and so forth. The authors state: “It would in our view be prudent practice to run a high-value payment system on a PC that does not contain a browser or email client, or indeed any other software at all.” Of course, as the Internet becomes more pervasive, this becomes harder to do.

Next, don’t open unexpected attachments, and certainly be careful when receiving unexpected documents, even from your usual correspondents. And as we conduct more business over social sites like Facebook and LinkedIn, be wary of what you receive there as well: the bad guys are using fake accounts and expanding their reach to phishing these sites. Just because someone is your “friend” doesn’t mean that they are actually legit.

Finally, take a look at data leak prevention appliances and tools. While these are expensive, they can save your bacon and do a tremendous job at detecting abnormal situations. A good place to start is with Code Green Networks, one such product that I review over on my WebInformant.tv series of videos. The company tells me that every installation has resulted in finding someone doing something that they shouldn’t be doing within the first week of use.

Posted in security

Podcast on Man in the middle attacks

Posted by strom on March 29, 2009

I was a guest on the Security Break Live show on Blogtalk radio here. Steve Dispensa and I talk about what this kind of attack is and how you can try to prevent it.

Posted in security, speeches and podcasts

PC World: Use OpenDNS To Protect Your Business Network

Posted by strom on March 27, 2009

If you aren’t using OpenDNS to protect your small business network, now is the time to take the few minutes to set it up. It is well worth the investment, it is free, and it will protect you from any number of issues in the future. And you might get better browsing performance as a result, which your users will thank you for.

You can read more of the column that posted this week in PC World here.

Posted in Published work, security

Ten ways to inexpensively augment your current IT security infrastructure

Posted by strom on March 23, 2009

I will be doing this webinar tomorrow at 1 pm ET for TechTarget’s SearchSecurity.com web site; you can start at this URL.

I will present ten different ways that a midmarket IT organization can improve its threat management and network security posture. I will review a critical strategy going forward into an economic recession: making only minimum investments in new tools and finding products that don’t require a great deal of increased manpower to implement and manage. The webcast will focus on midmarket IT strategies that either don’t cost a lot of money, or at least provide fast returns on the investments.

Posted in security, speeches and podcasts

PC World: Protecting your data with whole disk encryption

Posted by strom on March 19, 2009

I want to review another series of tools that can be useful protection as well: doing whole-disk encryption of your hard drives across your enterprise. The idea is that even if your laptop falls into the wrong hands, no one besides yourself will be able to read any of the files stored on it. When you boot your PC, you need to enter a password; otherwise the data in each file stays scrambled, and no one else can gain access to your files.

You can read more of my column in PC World here.

Posted in Published work, security

PC World: Recovering your laptop from theft

Posted by strom on March 18, 2009

This week I begin a new series of columns for PC World entitled “Net Work” that will focus on practical solutions for networking and communications problems for SMBs. My first piece is about how you can protect your laptop when you travel.

I have had my laptop stolen once, about four years ago, from the trunk of a locked car parked at a shopping mall. You never forget that experience of being violated, of being stupid. There are a lot of ways that you can be proactive here, and you can read the column for more details.

Posted in Published work, portable devices, security