<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Practical Issues in InfoSec</title>
	<atom:link href="http://www.dlstrom.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dlstrom.com</link>
	<description>... putting information security within reach of everyone!</description>
	<lastBuildDate>Fri, 05 Mar 2010 20:21:17 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Over 1200 Private Email Addresses Exposed</title>
		<link>http://www.dlstrom.com/2010/03/05/over-1200-private-email-addresses-exposed/</link>
		<comments>http://www.dlstrom.com/2010/03/05/over-1200-private-email-addresses-exposed/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 20:21:17 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[On-Line Banking]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/2010/03/05/over-1200-private-email-addresses-exposed/</guid>
		<description><![CDATA[I received an email earlier today from my bank which proudly announced upcoming changes to their on-line presence. This email spoke about the improved ease of use, and the increased security. Additional features, such as changes to bill pay, were also discussed.
It all sounded very nice.
That is, until I took a quick look at who [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>I received an email earlier today from my bank which proudly announced upcoming changes to their on-line presence. This email spoke about the improved ease of use, and the increased security. Additional features, such as changes to bill pay, were also discussed.</p>
<p>It all sounded very nice.</p>
<p>That is, until I took a quick look at who this email was sent to.</p>
<p>The VP who sent this out put over 1200 email addresses in the CC field of this email. Thirty minutes later, he tried to &#8220;Recall&#8221; this message. (Recalls only work if the recipient is using the same email system as the sender. In this case, the sender was using Exchange, and I&#8217;m not&#8230;)</p>
<p>So, now I have over 1200 email addresses available to send spam to.</p>
<p>What&#8217;s the problem with this?</p>
<ol>
<li>My email address is exposed to over 1200 other folks for them to use as they wish.</li>
<li>Most spam filters will block a message with over 10-15 recipients in the list. I&#8217;m surprised that this went through.</li>
<li>I work hard to keep that particular address from being available to others. Now at least 1200 other people have access to that one.</li>
<li>The credibility of the bank has just dropped. If they cannot protect my personal email address, am I to expect them to protect my personal banking info?</li>
</ol>
<p>Yep, this is a fairly minor situation, but I&#8217;m left wondering if I should explore another bank to use&#8230;</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/03/05/over-1200-private-email-addresses-exposed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trust (part 2)</title>
		<link>http://www.dlstrom.com/2010/02/23/trust-part-2/</link>
		<comments>http://www.dlstrom.com/2010/02/23/trust-part-2/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 17:55:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Awareness]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[CreditCards; skimmer]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/2010/02/23/trust-part-2/</guid>
		<description><![CDATA[A few weeks ago I wrote about Why Trust is Important. In that post, the example of using your credit card at the gas station was presented, along with the assumptions about trust that are made.
Yesterday, there was an article posted at dark Reading detailing recent credit card skimming incidents at gas station pumps. It [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>A few weeks ago I wrote about <a href="http://www.dlstrom.com/2010/01/27/why-trust-is-important/" target="_blank" title="Why Trust is Important">Why Trust is Important</a>. In that post, the example of using your credit card at the gas station was presented, along with the assumptions about trust that are made.</p>
<p>Yesterday, there was an article posted at <a href="http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=223100233" title="dark Reading">dark Reading</a> detailing recent credit card skimming incidents at gas station pumps. It is reported that 180 gas stations in Utah were found to have skimming devices in the pumps.</p>
<p>Bruce Schneier is correct when he states that &#8220;The consumer can&#8217;t be expected to notice these things.&#8221;</p>
<p>What can you do? How about the following &#8230;</p>
<ul>
<li>Always pay with cash</li>
<li>Use your credit card inside</li>
<li>Keep all receipts and watch your statements closely</li>
<li>Ride a horse</li>
</ul>
<p>So, watch those statements. If you find charges that are not yours, contact your card company.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/02/23/trust-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tiger Woods Apology</title>
		<link>http://www.dlstrom.com/2010/02/19/tiger-woods-apology/</link>
		<comments>http://www.dlstrom.com/2010/02/19/tiger-woods-apology/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 17:26:38 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[TigerWoods]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/2010/02/19/tiger-woods-apology/</guid>
		<description><![CDATA[*** Warning ***
This post is not directly related to information security.
Ok. So I just watched the press conference and apology from Tiger Woods, and I saw something that we rarely see. He confessed the wrongfulness of his actions, and took personal responsibility for what he did. He &#8220;has a lot to atone for.&#8221;
Here&#8217;s what [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>*** Warning ***</p>
<p>This post is not directly related to information security.</p>
<p>Ok. So I just watched the press conference and apology from Tiger Woods, and I saw something that we rarely see. He confessed the wrongfulness of his actions, and took personal responsibility for what he did. He &#8220;has a lot to atone for.&#8221;</p>
<p>Here&#8217;s what I like&#8230;</p>
<ul>
<li>He admitted his wrongdoing, unfaithfulness and affairs.</li>
<li>He said that he is the only person to blame.</li>
<li>He had convinced himself that he was above the rules.</li>
</ul>
<p>Here&#8217;s what I don&#8217;t like&#8230;</p>
<ul>
<li>An apology took waaaaay too long in coming.</li>
<li>I wish that he had lived up to the expected behavior of a man, and never made the decisions that led to his unfaithfulness.</li>
<li>An apology took waaaay too long in coming. (yep, I know that I am repeating myself&#8230;) I am aware that sometimes the process of accepting responsibility for sinful actions, and the need for confession, takes a while.</li>
</ul>
<p>None of us should be so arrogant as to think that we could never fall. Each of us should take active steps to avoid situations and actions that lead to this.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/02/19/tiger-woods-apology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Experiences with the Verizon Wireless Network Extender</title>
		<link>http://www.dlstrom.com/2010/02/02/experiences-with-the-verizon-wireless-network-extender/</link>
		<comments>http://www.dlstrom.com/2010/02/02/experiences-with-the-verizon-wireless-network-extender/#comments</comments>
		<pubDate>Tue, 02 Feb 2010 17:55:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Cell Phone]]></category>
		<category><![CDATA[Femtocell]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=296</guid>
		<description><![CDATA[It&#8217;s been over two weeks now since I installed a Verizon Wireless Network Extender at home. We can get a weak Verizon signal at our house, but it varies based upon where in the house the phone is. I wanted to have a way to reliably use my Verizon Wireless cell phones at home. That [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>It&#8217;s been over two weeks now since I installed a <a href="http://www.verizonwireless.com/b2c/store/accessory?action=gotoFemtocell">Verizon Wireless Network Extender</a> at home. We can get a weak Verizon signal at our house, but it varies based upon where in the house the phone is. I wanted to have a way to reliably use my Verizon Wireless cell phones at home. That is why I got the Network Extender.</p>
<p>As you can imagine, results have been mixed&#8230;</p>
<p>What is the Network Extender?</p>
<p>It is a small box that attaches to your broadband Internet connection and creates a small cell for your cell phone to connect to. When inside that cell, or &#8220;bubble&#8221; as I have seen it referred to, your cell phone talks to this little box rather than trying to find a signal from a far-away tower. Your conversation is routed across your Internet connection to Verizon&#8217;s servers and then to the other party.</p>
<p>What do I like about the Network Extender?</p>
<ol>
<li>I like the idea of using broadband internet to allow cellular access in an area of weak cell phone signal.</li>
<li>Access to the Network Extender can be limited to only specified cell phone numbers.</li>
<li>A certain amount of management can be done on-line via the Verizon Wireless web site.</li>
<li>Our landline was out the past couple of days. With the Network Extender, we were still able to communicate with the outside world!</li>
</ol>
<p>What do I not like about the Network Extender?</p>
<ol>
<li>Following the published setup instructions did not work on my home network. I had to call tech support for more information. My connection to the Internet is very generic. They should include more information in the setup instructions.</li>
<li>I live in an area that was AllTel until last October. I couldn&#8217;t connect to the Network Extender with my cell phones, and so called Tech Support. Because of the migration from AllTel to Verizon, we have a hybrid PRL pushed out to our phones. The Tech Dude had to turn off the hybrid PRL, and then we had to do the *228, option 2 to get a Verizon-only PRL. (Of course, I had to take each phone to the one location in the house that gets sufficient signal off of a Verizon tower in order to get the PRL update.) I&#8217;m still experimenting with my Moto Android to see if there is any impact on my reception and signal strength while out-and-about.</li>
<li>The cell phone needs to be within 15&#8242; of the Network Extender to latch onto the femtocell for incoming or outgoing calls. Then the phone can go further away. I haven&#8217;t quite figured out the patterns of when the femtocell is used, and when it is not.</li>
<li>I had to configure my home router (<a href="http://www.linksysbycisco.com/US/en/products/WRT610N">linksys wrt610n</a>) so that the Network Extender is the DMZ machine. This was one of the things that I needed to call tech support for. What if I had another machine using the DMZ configuration? How could I use both? The tech dude didn&#8217;t know what ports I needed to allow. I configured the wrt610n so that the Network Extender is the DMZ host.</li>
</ol>
<p>Being the inquisitive sort, I decided to put a hub on the network drop going to the Network Extender and fired up Wireshark. It appears that the Network Extender is using IPSec to connect to the Verizon servers. I wonder if they are using VoIP protocols encapsulated in IPSec, or not&#8230; </p>
<p>I am thinking about sniffing the traffic for a bit longer and then removing the Network Extender from the DMZ and putting it back on the internal network. I will update this post if I try this.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/02/02/experiences-with-the-verizon-wireless-network-extender/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Trust is Important</title>
		<link>http://www.dlstrom.com/2010/01/27/why-trust-is-important/</link>
		<comments>http://www.dlstrom.com/2010/01/27/why-trust-is-important/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 17:55:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Awareness]]></category>
		<category><![CDATA[Planning]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=294</guid>
		<description><![CDATA[President Ronald Reagan said, &#8220;Trust, but verify.&#8221; I used to hold fast to that, but recently have learned that you cannot, nor should you, always verify.
Trust is a critical foundational element of life, government and information security. 
Things would be different if trust was non-existent&#8230;


Husbands and wives would always be paranoid.

Negotiations between teachers and school [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>President Ronald Reagan said, &#8220;Trust, but verify.&#8221; I used to hold fast to that, but recently have learned that you cannot, nor should you, always verify.</p>
<p>Trust is a critical foundational element of life, government and information security. </p>
<p>Things would be different if trust was non-existent&#8230;</p>
<ul>
<li>
Husbands and wives would always be paranoid.</li>
<li>
Negotiations between teachers and school boards would always go to impasse. </li>
<li>
You wouldn&#8217;t have any confidence in your antivirus or IDS system.</li>
</ul>
<p>Right now, you&#8217;re probably saying that is the way things already are. To some extent you are right.</p>
<p>Distrust between two parties is as natural as entropy.</p>
<p>But, consider some of the ways that you <em>do</em> trust.</p>
<ul>
<li>
You trust that the gas pump gives you what you pay for and that the meter is accurate.</li>
<li>
You trust that the government who puts the accreditation sticker on the gas pump has actually tested it.</li>
<li>
You trust that the person testing the gas pump knows how to accurately test it.</li>
<li>
You trust that the magnetic card reader for swiping your credit or debit card is not skimming that information.</li>
</ul>
<p>Of course, there are many more examples.</p>
<ul>
<li>
You trust Google to not share information about your searches, or the contents of your GMail account.</li>
<li>
You trust the security that your bank uses for your on-line banking.</li>
<li>
You trust the validity of the certificates that are checked when accessing secure web sites.</li>
</ul>
<p>Our society is built upon the expectation of trust. Sometimes people and organizations successfully show that they can be trusted. Other times, not.</p>
<p>Back to President Reagan&#8230;</p>
<p>There are times when I trust, but verify.</p>
<p>However, there are many more times when I trust, but either choose to not verify, or the risk is so low that it makes no sense to take the time to verify.</p>
<p>Carefully consider which times verification is important. It just might save the day for you sometime.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/01/27/why-trust-is-important/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Common Sense and Physical Security</title>
		<link>http://www.dlstrom.com/2010/01/08/common-sense-and-physical-security/</link>
		<comments>http://www.dlstrom.com/2010/01/08/common-sense-and-physical-security/#comments</comments>
		<pubDate>Fri, 08 Jan 2010 23:00:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=292</guid>
		<description><![CDATA[I received a call this week from a friend who works in a small office. She had been out for a few days, and when she returned it became obvious that someone had been rummaging through the stuff on her desk.
Then, she started telling me that when she turned her computer on there was evidence [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>I received a call this week from a friend who works in a small office. She had been out for a few days, and when she returned it became obvious that someone had been rummaging through the stuff on her desk.</p>
<p>Then, she started telling me that when she turned her computer on there was evidence that someone had been using her computer, as well.</p>
<p>Needless to say, she was pretty upset and wanted to know how she could tell who the offender was. She was hoping that there were some &#8220;tracks&#8221; somewhere that would tell her everything about who had been using her computer.</p>
<p>She wanted to confront the others in the office about accessing her computer and desk items while she was out.</p>
<p>Now, let&#8217;s look at some details from a common-sense perspective&#8230;</p>
<ul>
<li>The computer was configured so that it didn&#8217;t require a password to get into Windows. My recommendation was that she make the computer require a password to enter Windows. I suggested to her that the added security far outweighed any perceived inconvenience here.
</li>
<li>It also turns out that the computer in question is a notebook. She had just been turning the computer off at night and leaving it on her desk. Further inquiry led to the discovery that she had a locked file cabinet where she kept the important company information. My recommendation was to make it so the computer could not be accessed while she was not there. I suggested that she lock the notebook computer in the cabinet when she left the office for the day.
</li>
<li>Further questioning helped me to realize that the business had purchased this notebook computer a year ago, but there was no need for portability. So, why did they purchase a notebook? I couldn&#8217;t get a firm answer. My recommendation is that a notebook only be purchased if there is a need for portability, as portability makes theft of the computer easier.
</li>
<li>Regarding who and why someone accessed the computer without permission, there could be a variety of reasons. I suggested to her that she calmly discuss with her office-mates that it appeared someone had been looking for something while she was out. I also suggested that it is important she do this professionally, and to encourage them to call her if something is needed while she is out. These are people that she has to work with, and it is important that relationships not be antagonistic.
</li>
</ul>
<p>The conclusion is that this situation could have been averted with just a few simple actions.</p>
<p>Let&#8217;s all use common sense when approaching physical security.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2010/01/08/common-sense-and-physical-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 Reasons InfoSec Is Like Basketball</title>
		<link>http://www.dlstrom.com/2009/11/05/5-reasons-infosec-is-like-basketball/</link>
		<comments>http://www.dlstrom.com/2009/11/05/5-reasons-infosec-is-like-basketball/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 14:00:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=288</guid>
		<description><![CDATA[Basketball season is just ramping up at the collegiate level. After watching a game last night, I realized that there are at least 5 reasons why information security is like basketball.
Focusing on the small business, here goes&#8230;


Success requires more than just one person.

We&#8217;ve all seen teams that tried to rely solely on one star player. [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Basketball season is just ramping up at the collegiate level. After watching a game last night, I realized that there are at least 5 reasons why information security is like basketball.</p>
<p>Focusing on the small business, here goes&#8230;</p>
<ol>
<li>
<strong>Success requires more than just one person.<br />
</strong></p>
<p>We&#8217;ve all seen teams that tried to rely solely on one star player. They may have wins and that star player will have some tremendous stats, but often the team falters in the critical times, or in the playoffs. </p>
<p>Similarly, there may be an InfoSec star at your business. But, everyone needs to be involved. The owners or top executives set direction and provide support. The technical staff should be cross-trained and understand how they work together. Users should be made aware of the role they play in safeguarding the company assets.</li>
<li>
<strong>Everyone needs to work together.<br />
</strong></p>
<p>Have you seen a basketball team play and there are a few players that &#8220;haven&#8217;t seen a shot they won&#8217;t take&#8221;? That causes frustration and soon more players play like this.</p>
<p>Protecting the assets of the company requires that each person understand their role and responsibilities, and how they work together. One person may be the server guru and another the network dude and yet another the workstation expert. But when an incident arises, they need to be able to work together with a practiced response. There is no time for ego to get in the way.</li>
<li>
<strong>Fundamentals are important.<br />
</strong></p>
<p>There is a reason why teams practice shooting, dribbling and running plays. Fundamentals can be the difference between winning and losing.</p>
<p>Likewise, the fundamentals of information security should be practiced. Layer the defenses. Train the users and tech staff. Encrypt data. Lock the doors. De-activate accounts when people leave. Review logs. Follow good practices.</li>
<li>
<strong>Someone needs to make the hard decisions.<br />
</strong></p>
<p>In basketball, the coach is the one who makes the hard decisions of who plays and who doesn&#8217;t. He sets the strategy and the game plan.</p>
<p>InfoSec also needs someone to make the hard decisions. I&#8217;m talking policy here. We can help develop the policy, but support for development and following the policy must come from the very top of the command structure. They also must be willing to support policy enforcement. Otherwise, you&#8217;ll end up with multiple individuals trying to convince you to make policy exceptions just for them.</li>
<li>
<strong>Rules are there for a reason.<br />
</strong></p>
<p>Rules allow each basketball team to know exactly what is allowable and what is not. Did that player travel? Was that a foul? Oh, and the referees are there to make sure that the rules are followed.</p>
<p>Businesses are often required to follow a set of information security rules. Do you accept credit cards? Then you need to follow the PCI DSS rules. Are you a publicly traded company? You&#8217;ve got regulations to follow. Are you a financial institution? Regulations, again, are a major player. These rules are set in place to protect the company and those it interacts with. InfoSec rules are there for a reason. Be sure to follow them. And, get to know your auditors. They can be very helpful in resolving deficiencies. </li>
</ol>
<p>Basketball and information security&#8230; Who knew they had so much in common?</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/11/05/5-reasons-infosec-is-like-basketball/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>First Impressions &#8211; Security Essentials from Microsoft</title>
		<link>http://www.dlstrom.com/2009/09/29/first-impressions-security-essentials-from-microsoft/</link>
		<comments>http://www.dlstrom.com/2009/09/29/first-impressions-security-essentials-from-microsoft/#comments</comments>
		<pubDate>Tue, 29 Sep 2009 15:31:08 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Home InfoSec]]></category>
		<category><![CDATA[Anti-Virus]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=286</guid>
		<description><![CDATA[For most folks, FREE is a word that makes their ears perk up.
Microsoft Security Essentials is a FREE anti-virus and anti-spyware offering from Microsoft. They bill it as a light-weight product that has a smaller footprint than commercial products. It is intended for the home user. It can be found at www.microsoft.com/security_essentials/
Obviously, it runs [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>For most folks, FREE is a word that makes their ears perk up.</p>
<p>Microsoft Security Essentials is a FREE anti-virus and anti-spyware offering from Microsoft. They bill it as a light-weight product that has a smaller footprint than commercial products. It is intended for the home user. It can be found at <a href="http://www.microsoft.com/security_essentials/">www.microsoft.com/security_essentials/</a></p>
<p>Obviously, it runs on the Windows platform. You&#8217;ve no doubt noticed the Mac bias from other posts. My interest comes from supporting the XP Pro notebook my wife uses and the Vista Home Premium notebook that one of my sons uses. Other extended family members also use Windows.</p>
<p>The installation was amazingly simple. But, before the install, you should uninstall any other AV products you may be running. Go to the Security Essentials site and download the installer. Double-click on the downloaded installer program and follow the prompts. When the install is done, Security Essentials does an update of the signatures, and then you are encouraged to do a complete system scan. That takes a while.</p>
<p>The scan produces a report of any threats that are detected on your computer.</p>
<p>The Security Essentials console is arranged in a reasonable fashion. There is the <strong>Home</strong> tab which gives a quick overview of the state of AV protection on your computer. The <strong>Update</strong> tab allows you to force an update of signatures. The <strong>History</strong> tab lets you see what threats have been found and the action that was taken. Finally, the <strong>Settings</strong> tab allows for modification of behavior of Security Essentials. The defaults are reasonable.</p>
<p>Following installation, I noticed that there are two new processes using memory. On my XP Pro test machine, <em>msseces.exe</em> uses 11,820K and <em>MsMpEng.exe</em> uses 70,052K. </p>
<p>Very few CPU cycles are used when doing real-time protection. But, you will notice a performance impact when a full scan is running. This is similar to what you would experience with other products.</p>
<p>In summary, Microsoft Security Essentials was very easy to download and install. I found it simpler to use than competing free products like AVG Free. Several independent labs tested the efficacy of the product during the beta period. They all report sufficient detection and remediation of threats.</p>
<p>So, if you have a Windows XP, Vista or 7 computer at home and don&#8217;t want to spring for a commercial product, it looks like Microsoft Security Essentials is a winner!</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/09/29/first-impressions-security-essentials-from-microsoft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Reasons Websites Are No Longer Safe &#8211; Network World</title>
		<link>http://www.dlstrom.com/2009/09/10/7-reasons-websites-are-no-longer-safe-network-world/</link>
		<comments>http://www.dlstrom.com/2009/09/10/7-reasons-websites-are-no-longer-safe-network-world/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 13:00:07 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Awareness]]></category>
		<category><![CDATA[CyberSecurity]]></category>
		<category><![CDATA[Attacks]]></category>
		<category><![CDATA[Websites]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=284</guid>
		<description><![CDATA[Take a look at this article from Network World. It provides high-level descriptions of how you can get infected with malware even though you avoid shady or inappropriate websites. 
7 Reasons Websites Are No Longer Safe &#8211; Network World
And so that you don&#8217;t have to read the long version, here is the short version&#8230;


Polluted ads

SQL [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Take a look at this article from Network World. It provides high-level descriptions of how you can get infected with malware even though you avoid shady or inappropriate websites. </p>
<p><a href="http://www.networkworld.com/news/2009/090909-7-reasons-websites-are-no.html?source=NWWNLE_nlt_daily_am_2009-09-10">7 Reasons Websites Are No Longer Safe &#8211; Network World</a></p>
<p>And so that you don&#8217;t have to read the long version, here is the short version&#8230;</p>
<ol>
<li>
Polluted ads</li>
<li>
SQL Injection attacks</li>
<li>
User-provided content</li>
<li>
Stolen site credentials</li>
<li>
Compromised hosting service</li>
<li>
Local malware</li>
<li>
Hacker-engineered fakes</li>
</ol>
<p>Information technology professionals should take the time to understand each of these attack vectors. Users should look at this as an opportunity to increase their awareness.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/09/10/7-reasons-websites-are-no-longer-safe-network-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pets, Vets and InfoSec</title>
		<link>http://www.dlstrom.com/2009/09/04/pets-vets-and-infosec/</link>
		<comments>http://www.dlstrom.com/2009/09/04/pets-vets-and-infosec/#comments</comments>
		<pubDate>Fri, 04 Sep 2009 13:00:00 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Planning]]></category>
		<category><![CDATA[Risk]]></category>

		<guid isPermaLink="false">http://www.dlstrom.com/?p=282</guid>
		<description><![CDATA[We currently have two dogs and usually have multiple cats. We&#8217;ve had snakes, lizards, fish, birds, hedgehogs and other critters as pets in the past.
So it was with great interest that I listened to the advertisement on the radio encouraging pet owners to take their pet to the veterinarian and have a semi-yearly risk and [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>We currently have two dogs and usually have multiple cats. We&#8217;ve had snakes, lizards, fish, birds, hedgehogs and other critters as pets in the past.</p>
<p>So it was with great interest that I listened to the advertisement on the radio encouraging pet owners to take their pet to the veterinarian and have a semi-yearly risk and health assessment performed. This radio spot was sponsored by some veterinarian organization.</p>
<p>The selling point was that your pets may be exposed to diseases and parasites that you are unaware of and the assessment will help to detect and give a jump-start to remediation.</p>
<p>Wow! That sounds like what is done in information security.</p>
<ul>
<li>
Pets (dogs) will wander around and stick their nose in places where it doesn&#8217;t belong.</li>
<li>
Users will visit just about any Internet site &#8211; even ones they shouldn&#8217;t.</li>
<li>
Pets will pick up parasites just by running through the brush.</li>
<li>
Users will get a virus, trojan or some other malware just by clicking a link in some spam email.</li>
<li>
Pets will sometimes have to be put on a leash to keep them from running off.</li>
<li>
Content filters are sometimes necessary for users.</li>
</ul>
<p>I could go on. The point is that just like with pets, we need to be constantly aware of the changing risks and take steps to adequately respond to that risk. </p>
<p>Who would have thought we could learn information security practices just by having pets?</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/09/04/pets-vets-and-infosec/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
