Confidentiality of Work Email

January 24, 2011

An appellate court in California has ruled that attorney-client privilege does not apply to messages sent from a client using his or her corporate email account; the particular case was that of a young woman who felt that her employers had become hostile when learning of her pregnancy. The emails between her and her attorney were introduced at trial as evidence of her emotional state.

The emails were not considered confidential because the small business involved had a written policy declaring email to be monitored and intended for business use only. This is further proof of how important it is to have properly written and publicized security policies in a business environment.


Definition Monday: Information Security

January 24, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Information Security.

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so. But I know it when I see it.”

This famous quotation from Justice Potter Stewart is from the obscenity case of Jacobellis v. Ohio – the Justice is saying that he cannot come up with a succinct and simple definition of pornography, but he knows it when he sees it. If you will forgive the comparison, the same thing can often be said about Information Security.

It’s easy to tell when Information Security has failed. Credit card numbers stolen? Identity falsified? Web site defaced? “Secret” internal memos ended up on Wikileaks? These are all failures of Information Security, and most people would realize it – but that doesn’t get us any closer to a definition.

The classic definition of Information Security, the one that I generally work with, is simple: Information Security is the enforcement of the “CIA Triad” – Confidentiality, Integrity, and Availability.

Confidentiality means that only the proper people are allowed access to a piece of information. This is enforced via systems like Access Control Lists on files, encryption on data in transit, even relatively crude measures like locks on a file cabinet. If confidentiality is properly enforced, information is available to those who need it and (perhaps more importantly) not available to those with no right to it.

Integrity means that information cannot be modified without the caretakers of that information being aware of it. This is enforced with things like fingerprinting of data with hashes or digital signatures, auditing file access and modification, certificate hierarchies, and maintaining proper backups. Integrity means that you can be sure an email claiming to be from a bank or other trusted authority is actually from that entity.

Availability means that information is available when it is needed. It’s easy to maintain confidentiality and integrity on their own; carve the data into a stone tablet and drop it into the middle of a lake. The hard part is when you need to ensure that this information can be retrieved simply when it is needed. Availability is enforced with things like load-balanced server clusters, redundant network connections, UPSes and emergency generators, and “hot” or “warm” site disaster recovery plans.

Let’s take a look at how this triad applies to something commonplace – say, online banking. A bank’s website will require proper authentication before account details can be accessed; this is confidentiality. It will also maintain a proper balance in the account when money has not been deposited or withdrawn; that is, money will not magically appear or disappear, but rather will correspond to the sum of the debits and credits over time. This is integrity. Finally, the bank’s website will be available from the Internet 24 hours a day, 7 days a week, no matter what disasters befall the individual data centers hosting the site. This is availability. A proper Information Security plan, for your own company or for any other institution, must enforce the CIA Triad in order to be successful.


Websites for Sale

January 22, 2011

Ever wanted to have administrator access to a .edu or a .mil site? According to the blog at Imperva’s web site, now is your chance.

For prices ranging up to $499, you can purchase the credentials for full administrative access to a variety of sites. If you’d rather just have the PII (Personally Identifiable Information) instead, that’s also available.

Odds are good that this information and access was gathered using simple, automated, run-of-the-mill SQL Injection attacks and other simple web vulnerabilities. If your web site is running code written by amateurs, or even by seasoned programmers without the experience to write secure code on the web, you should probably look into a vulnerability assessment or code audit. After all, it’s better to find the hole yourself before the bad guys do, right?


IPv4 Exhaustion

January 22, 2011

The central IANA pool of IPv4 addresses is expected to run out any day now, when the last five /8 address spaces are distributed to the Regional Internet Registries. This means that anyone who wants to join the Internet with a permanent address will either need to buy one from an existing owner, or look into moving to IPv6 instead.

If your organization needs more addresses in the future and doesn’t have an IPv6 migration plan – you could be in serious trouble very soon. Time to start on your research.


Facebook Mining

January 21, 2011

A young man in Sacramento is facing up to six years in prison for using Facebook profile information to hack into email accounts, then searching the “sent mail” folders for compromising photographs.

It seems that the answers to the “security questions” intended for use when a password is forgotten are often much, much easier to guess than the password they stand in for. As I recall, Sarah Palin’s email hack was the same sort of thing.


Cisco’s 2010 Report

January 21, 2011

Cisco’s report on security trends from last calendar year [Warning: PDF File] has been released, and it’s an interesting read. Among the highlights:

  • An increase in attacks targeting iOS and other mobile platforms. In the past, desktop and server Windows operating systems were the main target of attackers; it appears that they are now after the sensitive information on mobile devices as well.
  • An uptick in the use of Java as a mechanism for exploits, both as a language for writing tools and the JRE as a target.
  • For the first time in memory, global spam volumes were actually down this year (though the volume did increase in Europe).

If you’re interested in the current global landscape in information security, this report is definitely worth a quick read.


Rogue GSM

January 21, 2011

An interesting demonstration at Black Hat DC, proving how easy it is to create a fake GSM network and lure unsuspecting users into connecting to it.

From the article:

Ralf-Philipp Weinmann showed how to cobble together a laptop using open-source software OpenBTS and other low-cost gear to create a fake GSM transmitter base station to locate iPhones in order to send their owners a message. A number of iPhone users in the room expressed surprise that they had gotten a message asking them to join the network.

Weinmann, who is researching vulnerabilities in cellular networks, said that with the right equipment, the range for the rogue GSM station he built can be 35 kilometers.

Once someone is connected to a GSM station you own, of course, that means that their voice traffic will pass through it and can be easily recorded. Perhaps it’s time for an overhaul of the Clinton-era code underlying the GSM networks.


Icelandic Espionage

January 21, 2011

An unmarked computer with an encrypted drive was found in the Icelandic Parliament building recently. It has no markings, no fingerprints, no serial numbers, and the police who discovered it powered it down without taking a forensic image of the contents. This computer was attached by an unknown party directly to the internal network for the Icelandic government.

This is an excellent example of the necessity of proper physical security in a network environment. All of the firewall mojo in the world is useless if someone can just plug anything they like into your network, or (even worse) connect to it from the outside using an official or rogue wireless access point.

So, how would you defend against an attack like this?

One possibility would be to use managed switches with 802.1x capability; this requires each device connected to the network to be authenticated against a RADIUS server. If you’re especially paranoid, you can require multifactor authentication using smart cards or tokens to ensure that authentication with a stolen passphrase is impossible.

A simpler route would be to only “light up” network ports that have been requested, in writing, with the names of the requestors recorded in a central repository. MAC locking can be used to make sure that only the approved device is used in that port. This isn’t as bulletproof, of course – you’re expecting all employees to follow a procedure 100% of the time, you need to make sure the ports that are no longer in use are turned off, and a sophisticated attacker would clone an authorized MAC address and use it on another device. But it’s still better than nothing.
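As an added example that is not part of the original post: a small Python audit that compares a switch’s MAC address table against the written port-request repository described above, flagging active ports that were never requested and approved ports carrying a different device. The inventory, the table dump (loosely modelled on a Cisco-style “show mac address-table” listing) and the port names are constructed sample data; as the post already notes, a cloned MAC would pass this check, which is why 802.1x is the stronger option.

```python
import re

# Central repository of written port requests: port -> approved MAC (constructed inventory)
APPROVED_PORTS = {
    "Gi1/0/1": "00:11:22:33:44:01",
    "Gi1/0/2": "00:11:22:33:44:02",
    "Gi1/0/3": "00:11:22:33:44:03",
}

# Constructed switch MAC address table in the dotted-hex style many switches print;
# Gi1/0/3 carries a device other than the approved one, Gi1/0/4 was never requested.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  10    aabb.ccdd.ee99    DYNAMIC     Gi1/0/3
  10    0011.2233.44ff    DYNAMIC     Gi1/0/4
"""

# One data row: vlan, dotted-hex MAC, entry type, port name (header rows do not match)
ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def normalize_mac(mac):
    """Convert 'aabb.ccdd.eeff' or 'AA-BB-CC-DD-EE-FF' to 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Yield (port, normalized MAC) for each data row of the dump, skipping headers."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(2), normalize_mac(m.group(1))

def audit(mac_table, approved):
    """Return (port, mac, reason) findings for every device that violates the port policy."""
    findings = []
    for port, mac in parse_mac_table(mac_table):
        if port not in approved:
            findings.append((port, mac, "port active but never requested"))
        elif approved[port].lower() != mac:
            findings.append((port, mac, f"unapproved device; expected {approved[port]}"))
    return findings

if __name__ == "__main__":
    for port, mac, reason in audit(MAC_TABLE, APPROVED_PORTS):
        print(f"{port}: {mac} -> {reason}")
```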


Fake AV

January 20, 2011

One of the more common malware scams these days is fake antivirus popups – these are browser windows dolled up to look like Windows Vista or Windows 7 and designed to trick the unwary user into thinking that his or her computer is infested with something malicious. According to the Internet Storm Center, there is another outbreak of these on Twitter today.

There are two different attacks going on here. The first is that the browser is usually downloading and attempting to execute some malware payload while the fake AV is distracting the user. The second is that some go even farther, prompting the user to enter credit card details to buy the “full version” of the software. The full version does nothing, of course, but by the time the victim realizes that, he or she is already out the money and has turned the credit card number over to a pack of criminals.

This is bad.

If you get an antivirus popup, be absolutely certain that it is from a legitimate piece of software running on your computer. As you can see from the screen shot above, these false ones often fail to obscure the location bar and the other browser controls; some are more sophisticated than others, of course, but most of them are fairly obvious fakes like the one above. And remember that no legitimate antivirus vendor will accost you for additional payment to remove a virus. That’s another sign that you’re being duped.


Soundminer

January 20, 2011

Security researchers have developed an application for Android phones that listens to phone calls, and records any credit card numbers or PINs that are spoken or entered on the keypad.

The Android platform does require the user to explicitly allow the application to have access to Phone features at install time, but this is more of a social engineering issue than anything else. Disguising this as another app in a trojan horse scenario would be trivial.