<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Emmanuel Carabott</title>
	<atom:link href="http://www.gfi.com/blog/author/emmanuel-carabott/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Tue, 16 Mar 2010 13:43:36 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Trust: Security, the enemy of Security</title>
		<link>http://www.gfi.com/blog/trust-security-enemy-security/</link>
		<comments>http://www.gfi.com/blog/trust-security-enemy-security/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 10:28:24 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1950</guid>
		<description><![CDATA[In the previous posts about Trust I outlined how things that are designed to help you with your security can sometimes hinder that very security that you are trying to achieve. Today I will take ...<p><a href="http://www.gfi.com/blog/trust-security-enemy-security/">Trust: Security, the enemy of Security</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="security shield" href="http://www.gfi.com/blog/wp-content/uploads/2010/03/scurity-shield.jpg"><img class="alignright size-medium wp-image-1952" style="border: 0pt none; margin: 10px;" title="security shield" src="http://www.gfi.com/blog/wp-content/uploads/2010/03/scurity-shield-300x300.jpg" alt="" width="210" height="210" /></a>In the <a href="http://www.gfi.com/blog/trust-certifications/">previous posts about Trust</a> I outlined how things that are designed to help you with your security can sometimes hinder the very security you are trying to achieve. Today I will take that even further and outline how the whole concept of security can, in some cases, make you even less secure.</p>
<p>The problem I am talking about is caused by being overly confident in the security system in place, which leads to a false sense of security. Much as the captain of the Titanic felt a puny iceberg was no match for his state-of-the-art ship, some people feel they cannot be compromised once they have implemented the latest security measures.</p>
<p><span id="more-1950"></span></p>
<p>Lately we have had some examples of this, following the high-profile assassination in Dubai. As the news has been reporting over and over again, the assassins entered the country using forged passports. The passports in question were biometric passports. Biometric passports are hailed as the ultimate in security. Confidence in their security is so high that the Netherlands has even been trialling an automated passport scanning system, which a pair of ethical hackers managed to fool by getting a fake biometric passport, issued in the name of Elvis Presley by a fictitious country, approved. I am not aware of any country that has gone fully automated; however, even just testing such automated systems is, in my opinion, a sign of the danger that security can pose to itself. Simply considering automating such a critical security system means that some people have huge faith in how infallible the system is, and this in itself is a threat to security. One should never believe so strongly that a security system is infallible because, no matter how good it is, it still can, and will, be broken.</p>
<p>The issue isn’t limited exclusively to passports. This type of overconfidence is present in more mundane situations too. Time and time again I have been asked by a friend to help clean malware off their machine, and when I ask whether they clicked on dubious email attachments, they usually had, convinced that it was okay. Even if an attachment were malicious, they believed their antivirus software would protect them from any possible infection.</p>
<p>Companies are not immune to this way of thinking either. Deploying antivirus and patch management mechanisms is at times considered to be enough. Additional tools such as vulnerability scanning, log management and perimeter security might be considered an unnecessary expense because they are regarded as a second layer of security, where the risk is already being mitigated through virus scanning and patch management. This is true to a point; however, you can never have blind faith that any antivirus software will detect every form of malware, and you can never be totally sure that every vulnerability will be patched, and on time.</p>
<p>Going back to the title, Security is the enemy of Security, what does that mean exactly? I am obviously not suggesting that removing security measures will make everyone more secure. What I am trying to say is that no matter how many security measures one puts in place, one should still work under the assumption that they will all fail. Don’t allow security to make you lazy. Anything suspicious, be it a link or an attachment, still requires the same diligence as if one had no antivirus or link scanner in place, because if it is malicious your security system might still fail to detect it.</p>
<p>Always remember that security mechanisms are not the first line of defense; the user is. Security mechanisms are in place to protect the system when the user fails; they are not a magical filter that can tell all good from bad. There is also a third line of defense, which protects the system in the event of the security mechanism itself failing, and that is the administrator who monitors the system for intrusions and suspicious behavior. If a security system fails, the best you can hope for at that point is that the administrator detects the intrusion in a timely manner and takes corrective action before the damage spreads. These three tiers need to work in tandem. Security will be the enemy of itself if the user relaxes and takes risks under the assumption, and ‘peace of mind’, that the security system will take care of any slip-ups caused by his actions. Security will also be its own enemy when the administrator feels s/he can neglect monitoring duties, confident that the policies users follow and the security infrastructure will prevent any intrusions and malware from ever infiltrating the network.</p>
<p><a href="http://www.gfi.com/blog/trust-security-enemy-security/">Trust: Security, the enemy of Security</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/trust-security-enemy-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spying – the new black?</title>
		<link>http://www.gfi.com/blog/spying-black/</link>
		<comments>http://www.gfi.com/blog/spying-black/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 11:57:28 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[internet monitoring]]></category>
		<category><![CDATA[internet spying]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1931</guid>
		<description><![CDATA[Today I came across a very disturbing story by Mike Masnick at techdirt. Mike reports about a class action suit by some students who claim the school was monitoring them through the webcam from laptops ...<p><a href="http://www.gfi.com/blog/spying-black/">Spying – the new black?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" class="lightbox" title="spying2" href="http://www.gfi.com/blog/wp-content/uploads/2010/02/spying2.jpg"><img class="alignright size-medium wp-image-1932" style="margin: 10px; border-width: 0px;" title="spying2" src="http://www.gfi.com/blog/wp-content/uploads/2010/02/spying2-200x300.jpg" alt="" width="140" height="210" /></a>Today I came across a very disturbing story by <a href="http://techdirt.com/articles/20100218/1056378228.shtml">Mike Masnick at techdirt</a>. Mike reports about a class action suit by some students who claim the school was monitoring them through the webcam from laptops they were issued by said school. The issue came to light after one student was disciplined for inappropriate behavior at home with an image taken by his laptop’s webcam as evidence.</p>
<p>Mike also links to a feature by <a target="_blank" href="http://www.pbs.org/wgbh/pages/frontline/digitalnation/learning/schools/how-google-saved-a-school.html">Frontline</a> on yet another school that also claimed to be monitoring its students at home through the webcam and other activity on the laptops they were given.</p>
<p><span id="more-1931"></span>My first reaction was disbelief. Such a level of monitoring on school premises is something I could perhaps accept, but at home, after school hours? After reading the details of the class action suit my first thought was: is this even legal? I am no lawyer and have no idea whether such behaviour is legal or not, but it seems to me like a very bad case of invasion of privacy. After watching the Frontline report, in which the school official detailed their activity, I wondered whether a loophole is actually being exploited. Companies are allowed to monitor employee emails because the employee is using the company’s infrastructure to send them. From the Frontline report I got the distinct impression that the school doesn’t turn on the camera to spy on its students but only monitors the output of the camera if it is already running. From a legal point of view I guess it might be the same argument as with email: the school is only monitoring the usage of its device through its infrastructure (I am assuming they’re providing the student with internet access as well).</p>
<p>However, let’s put the legality issue, on which I can only speculate, aside. How is it that nowadays a school can even think about doing such a thing, much less act on it? To me it sounds unbelievable, and it’s not just schools: the news is full of stories about people monitoring spouses through hidden GPS devices in their cars or mobile phones with spy software installed on them. Technology has really moved forward these last few years and there are a lot of options for anyone who wants to spy on someone else. People seem to think that since you are able to spy on someone, it’s okay to do so. Obviously this is not the case, and it shouldn’t be done even if it were.</p>
<p>Then there are the unintended consequences. Students are being brought up with the notion that they can’t trust anyone, not even their schools. They are being exposed to technology, which obviously is a great thing, but at the same time they are being taught that such technology is hostile to them. Another unintended consequence arises when the laptop is the only computer with an internet connection at home and the child’s parents use it for internet banking or some other confidential activity. On the Frontline feature it was obvious that monitoring on the machine was total and it was trivial for anyone monitoring to see everything that was typed. What if a father logs on to his company’s network from his son’s laptop? The company he works for would be exposed.</p>
<p>As I have claimed in many of my previous articles, the attack vectors you need to protect yourself against are truly endless, although I have to admit that I didn’t see this one coming at all. One really needs to be vigilant and monitor one’s systems for any suspicious activity, as one really does not know where the next attack will come from or who is watching.</p>
<p><a href="http://www.gfi.com/blog/spying-black/">Spying – the new black?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/spying-black/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>How Secure can Security be?</title>
		<link>http://www.gfi.com/blog/secure-security/</link>
		<comments>http://www.gfi.com/blog/secure-security/#comments</comments>
		<pubDate>Wed, 17 Feb 2010 15:08:05 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security software]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1884</guid>
		<description><![CDATA[Today I came across a series of articles that claims that most solutions that encrypt voice communications on mobile phones are not up to par and can easily be intercepted. My first reaction was that ...<p><a href="http://www.gfi.com/blog/secure-security/">How Secure can Security be?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" class="lightbox" title="Spying" href="http://www.gfi.com/blog/wp-content/uploads/2010/02/Spying.jpg"><img class="alignright size-medium wp-image-1923" style="margin: 10px; border-width: 0px;" title="Spying" src="http://www.gfi.com/blog/wp-content/uploads/2010/02/Spying-300x198.jpg" alt="" width="240" height="158" /></a>Today I came across a series of <a href="http://infosecurityguard.com/?p=140">articles</a> that claim that most solutions that encrypt voice communications on mobile phones are not up to par and can easily be intercepted. My first reaction was that this was a very bold claim, and after reading further I lost a little faith in the author’s arguments. That being said, some of his arguments do have merit and his approach was very clever in its simplicity.</p>
<p><span id="more-1884"></span>Notrax, the hacker in question, approached the challenge not by cracking the voice encryption algorithm itself but by installing a Trojan on the victim’s handset and intercepting the voice as it is being recorded from the cell phone’s microphone, before it gets processed and encrypted. Simple and effective. Nearly all of the solutions were vulnerable to this approach. He sees this as a failure on the part of the solution providers; this is what I do not agree with. I do not believe that the approach Notrax employed is something such a solution needs to cater for. It is true that a few solutions detected something fishy going on and stopped the connection; kudos to them. If Notrax had praised these solutions for their effectiveness I wouldn’t have anything to object to, but shooting down the others, which didn’t detect the intrusion, goes a bit overboard in my opinion.</p>
<p>Notrax claimed that this failing on the solution providers’ part means that their security is useless. He says that this means they don’t do what they advertise, since they claim that your calls will be secure whereas he easily managed to intercept the calls with a simple procedure. However, as I argued in a previous article, <a href="http://www.gfi.com/blog/trust-certifications/">there is no such thing as absolutes in security</a>. No solution can protect against every form of attack. Every device or piece of software tries to secure its own little domain, and whoever is implementing the security policy needs not only to understand this but to build his strategy around this notion. Taking these secure calling solutions for instance: if I employ such a solution I don’t expect to be 100% secure against everything. No matter how well designed or how expensive it may be, do I expect such software to keep me safe from something as trivial as a person close by hearing me talk (known as shoulder surfing)? Of course not! What I would expect from such a solution is that if someone were to sniff or intercept the encrypted voice transmission he would have no way to reverse it in a timeframe that makes it usable.</p>
<p>Notrax’s approach required physical access to the phone and the ability to deploy software. If an attacker gets physical access to something you want to protect then you’re already in a lot of trouble. No solution will protect you after an event like that. Even with those applications that detect something amiss and block the call, what’s to stop an attacker who has physical access to the phone from uninstalling them and instead installing a lookalike application with as many backdoors as the attacker wishes? Nothing!</p>
<p>What I am trying to say is not that Notrax is wrong; he is right: his approach works and is definitely a threat. However, what I don’t agree with is that it’s the vendor’s fault. Physical security of the mobile phone is not their responsibility, and his attack was, in my opinion, an attack against the physical security of the device and not against the voice encryption solution. This attack vector cannot be protected against via software; it can only be avoided if proper physical security is ensured. With physical access to the device one can simply hook a bug to the cell phone microphone itself and have everything transmitted unencrypted on any frequency the attacker wishes. No software solution will detect or block that.</p>
<p>What I want to say here is: let’s stay focused on what we’re protecting against, and definitely never assume that one solution will cover it all. Security is about identifying the risks, seeing which ones are worth mitigating and then adopting solutions that will mitigate them.</p>
<p><a href="http://www.gfi.com/blog/secure-security/">How Secure can Security be?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/secure-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Shell&#8217;s Data Breach: A Security Spill?</title>
		<link>http://www.gfi.com/blog/shells-data-breach-security-spill/</link>
		<comments>http://www.gfi.com/blog/shells-data-breach-security-spill/#comments</comments>
		<pubDate>Mon, 15 Feb 2010 15:35:49 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1920</guid>
		<description><![CDATA[This week the BBC reported that someone has disclosed contact details for 170,000 of Shell’s employees worldwide. The disclosure comes with a note claiming it is being disclosed by former employees who can’t stand ...<p><a href="http://www.gfi.com/blog/shells-data-breach-security-spill/">Shell&#8217;s Data Breach: A Security Spill?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" class="lightbox" title="Shell Security Breach" href="http://www.gfi.com/blog/wp-content/uploads/2010/02/Shell-Security-Breach.jpg"><img class="alignright size-medium wp-image-1921" style="border: 0pt none; margin: 10px;" title="Shell Security Breach" src="http://www.gfi.com/blog/wp-content/uploads/2010/02/Shell-Security-Breach-300x219.jpg" alt="" width="300" height="219" /></a>This week the <a href="http://news.bbc.co.uk/2/hi/business/8512390.stm">BBC reported</a> that someone has disclosed contact details for 170,000 of Shell’s employees worldwide. The disclosure comes with a note claiming it is being made by former employees who can’t stand the damage the company is doing to the environment. Shell has in turn downplayed the event, claiming that the information disclosed does not pose a security risk to its employees since it does not include employees’ addresses.</p>
<p>I really hope that this statement is simply damage control on Shell’s part and that the company does not truly believe what it released. Whenever an organization is hit with something like this the implications are enormous, and it’s definitely not something to take lightly. While the details published included, for the most part, names and phone numbers, there is no guarantee that whoever perpetrated the leak doesn’t have access to additional information. Furthermore, even with information as limited as names and contact numbers, a social engineer can use it very effectively to infiltrate the organization.</p>
<p><span id="more-1920"></span></p>
<p>Another thing Shell should definitely be concerned about is: if the attacker managed to get access to this data, what else did he manage to get his hands on? How will this affect its workforce? Will the resulting harassment lead to people leaving the company? Will the breach mean that some prospective employees think twice before joining the company, fearing for their privacy? What about lost business? It is definitely to be expected that some companies will worry about whether their contractual and financial details are safe with Shell, and this can lead to lost deals and revenue.</p>
<p>What is definite is that such a breach causes one huge PR nightmare that will not go away by downplaying the breach; downplaying, if anything, will make the situation worse.</p>
<p>As the proverb goes, prevention is better than cure, and this was never more so than in the realm of security. Once such a breach occurs the damage is done. Contingencies may limit the damage a little, but in any case the resulting fallout is likely to be more expensive than protecting the system in the first place. I am obviously not claiming that Shell didn’t do its best to protect its data; that’s something I do not know and have no way of knowing. What I am trying to say is that one should do one’s best to avoid such an unfortunate situation. If one is to believe the disclosed letter, the attack was perpetrated by insiders. While Shell itself is sceptical of this claim, it is really not that hard to believe. Time and time again researchers have placed insider threats very high among the security risks organizations face. Worse yet, organizations often spend the majority of their security budget protecting the inside from the outside and not the inside from itself. One would do very well to remember that in security one loses as soon as the weakest link is compromised, not after the strongest measures fall.</p>
<p>Stories such as this should be an effective cautionary tale of what security is meant to avoid. While investing in endpoint security, the perimeter and access control might not bring any tangible ROI in the short term, if that one-time cost can avoid an unpleasant situation such as this it will have more than paid for itself.</p>
<p><a href="http://www.gfi.com/blog/shells-data-breach-security-spill/">Shell&#8217;s Data Breach: A Security Spill?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/shells-data-breach-security-spill/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Trust – Certifications</title>
		<link>http://www.gfi.com/blog/trust-certifications/</link>
		<comments>http://www.gfi.com/blog/trust-certifications/#comments</comments>
		<pubDate>Tue, 19 Jan 2010 14:16:24 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[security certificates]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1820</guid>
		<description><![CDATA[Recently I wrote an article about how Trust can be a security risk in one’s environment; today I will expand on that further. On the 4th of January H-Online reported a story where security firm ...<p><a href="http://www.gfi.com/blog/trust-certifications/">Trust – Certifications</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a target="_blank" class="lightbox" title="Certificate" href="http://www.gfi.com/blog/wp-content/uploads/2010/01/Certificate.jpg"><img class="alignright size-medium wp-image-1821" title="Certificate" src="http://www.gfi.com/blog/wp-content/uploads/2010/01/Certificate-225x300.jpg" alt="" width="180" height="240" /></a>Recently I wrote an article about how Trust can be a security risk in one’s environment; today I will expand on that further. On the 4th of January H-Online reported a story where <a href="http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html" target="_blank">security firm SySS managed to get around the security of some USB drives and access the data without needing to break the cryptography involved</a>. The closing question raised in the H-Online article, and the one I will tackle here, is: how could these devices, whose security could so easily be broken, have been given FIPS 140-2 Level 2 certification?</p>
<p>The reason these USB drives were given this certification is that they were compliant, and still are. Certification claims one thing and one thing alone &#8211; that whatever it certifies complies with what the certification is all about. In the case of FIPS 140-2, all a USB drive needed in order to achieve Level 2 compliance were two things.<span id="more-1820"></span></p>
<ul>
<li>The requirement for Level 1 was that the USB drive use one of the certified cryptographic algorithms, which in this case it did, since the algorithm used was 256-bit AES.</li>
<li>The requirements for Level 2 were compliance with Level 1 plus physical security for the device: tamper-proof seals, or at least notification when physical tampering has occurred.</li>
</ul>
<p>The flaw discovered by SySS was that after a password was entered and validated using a number of cryptographic algorithms, the program would always send the same sequence of bytes to unlock the drive, irrespective of the password. Obviously none of this has anything to do with FIPS 140-2 Level 2 certification.</p>
<p>That being said, even though the FIPS certification is not stating anything false in light of this security flaw, there is still a huge problem. When people decide to buy a secure USB drive it is quite safe to assume that they will first look at the certifications it has been given. FIPS 140-2 is the certification that government agencies use to decide on product applicability. What people will think when they see a USB drive with such a certification is that if it is good enough for the government it will certainly be good enough for them. Very few people will stop to see what a FIPS 140-2 Level 2 certification really means. Even if people do check what FIPS 140-2 Level 2 is all about, it is unlikely that a person who is not into security will realize which parts have been tested and found compliant and which parts have had no actual oversight whatsoever. Finally, even people in security who might ask these questions have no way of knowing how such a device really works just by looking at it! How is one supposed to know that this device is unlocked with a byte sequence that remains constant no matter what password is used?</p>
<p>The answer is that obviously you cannot. One has to TRUST that the certification process is enough to protect you. The same problem, or possibly a worse one, exists with devices that have no certification, because there you need to believe that the vendor tested the product well enough before shipping it, with no independent oversight. So what is one to do? The answer is never to trust a device or system to be secure. This is not to say that there is no need to buy a secure USB drive; it simply means do not trust that your data is completely safe because it is being stored on a USB drive with certified encryption. If that USB drive is stolen, in most cases whoever stole it will not be able to gain access; however, there is no real guarantee of that.</p>
<p>These same arguments don’t apply solely to USB drives; they apply to any device and any certification. No certification claims that no matter what happens you’re safe with the certified device, and this is an important point to keep in mind. If the certified device will be used in a critical capacity, it is essential that the first step in choosing such a device is researching the certifications in question. Get familiar with what each one is claiming and look for devices that attain the requirements you seek. However, keep in mind that no certification covers everything and tests everything. Risk can only be minimized, never entirely eliminated. Remember there is no such thing as total security.</p>
<p>In closing, security is a process. Each element you add to it will reduce the risk on a certain front. The biggest danger to this, however, is when a newly added element seems so strong and reduces the risk so much that it makes the user neglect other parts, mistakenly thinking that this new element is enough to mitigate all other risks. This is never the case, and it is essential to remember that one only needs to break the weakest link to get through, not the whole security ecosystem.</p>
<p><a href="http://www.gfi.com/blog/trust-certifications/">Trust – Certifications</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/trust-certifications/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Internet Explorer 0Day Vulnerability: The Aurora Exploit</title>
		<link>http://www.gfi.com/blog/internet-explorer-0day-vulnerability-aurora-exploit/</link>
		<comments>http://www.gfi.com/blog/internet-explorer-0day-vulnerability-aurora-exploit/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 14:46:48 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[IE vulnerability]]></category>
		<category><![CDATA[security threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1835</guid>
		<description><![CDATA[In the modern age vulnerabilities are discovered in one of two ways; organizations, researchers, testers and white hats test applications for vulnerabilities due to their line of work or simply to build a reputation. Once ...<p><a href="http://www.gfi.com/blog/internet-explorer-0day-vulnerability-aurora-exploit/">Internet Explorer 0Day Vulnerability: The Aurora Exploit</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="security attack" href="http://www.gfi.com/blog/wp-content/uploads/2010/01/security-attack.jpg"><img class="alignright size-medium wp-image-1836" style="margin: 10px; border-width: 0px;" title="security attack" src="http://www.gfi.com/blog/wp-content/uploads/2010/01/security-attack-300x243.jpg" alt="" width="240" height="194" /></a>In the modern age vulnerabilities are discovered in one of two ways. Organizations, researchers, testers and white hats test applications for vulnerabilities as part of their line of work or simply to build a reputation. Once these individuals find vulnerabilities they inform the vendor and wait for a fix to be developed and deployed before revealing details to the general public; in return the vendor will generally give them credit for the find. On the other side of the spectrum we have black hats, who look for vulnerabilities with the intent of making a profit or otherwise using the vulnerability for personal gain. When a black hat finds a new, as yet undisclosed vulnerability he can either keep it for himself and use it to gain access to the systems he targets, or sell it for a profit. In any case a vulnerability found by a black hat will be used and kept as low profile as possible in order to remain undetected for as long as possible. The value of these exploits remains as long as there is no fix for the vulnerability.</p>
<p><span id="more-1835"></span>The biggest threat such undisclosed exploits pose is when they are used for a specific, targeted goal, like what happened to Google last week. Google was targeted by hackers: various attacks originating from China were launched against Google and some other organizations. These attacks used a new, at the time unknown, exploit now called the Aurora Exploit. This exploit consisted of two parts: the actual exploit was hosted on a web server, and a social engineering attack got the victim to visit the infected link. From Google’s analysis it seemed the attack was targeted in the hope of gaining access to the Gmail accounts of human rights activists in China.</p>
<p>The attack wasn’t aimed at Google alone; at least 20 other organizations in various industries, not just IT, were also targeted.</p>
<p>The vulnerability in question is a classic buffer overflow that can be exploited to execute any code the attacker wishes. McAfee report that the version they saw downloaded the payload, an XORed Trojan disguised as a picture. Once downloaded, the Trojan would be installed, giving the attacker access to the compromised machine.</p>
<p>Every version of Internet Explorer since version 6 seems to be vulnerable to this attack, except for Internet Explorer 8 provided DEP (Data Execution Prevention) is left active.</p>
<p>Until a patch is issued by Microsoft, people should either not use Internet Explorer for the time being or, if that’s not an option, upgrade to Internet Explorer 8 and ensure DEP is enabled (technically it should be by default).</p>
<p>This attack was basically what every security professional dreads most: a group of skilled hackers getting their hands on a vulnerability that is as yet unpatched and using it in a targeted way to gain access to something specific. Keeping your systems up to date would not protect against something unknown such as this. Anti-virus will, in most cases, not help before the malware is identified and definitions for it are distributed. So what can one do to protect an organization from such a scenario?</p>
<p>Education can help mitigate the social engineering element of this attack. However, this will never be 100% effective, as social engineering attacks can be quite sophisticated and seem genuine. Monitor access to your systems and have mechanisms in place that can inform an administrator when unauthorized or suspicious connections are taking place. Have monitoring software that regularly scans the network for any changes that might occur, such as new open ports, newly installed software, new users or groups, or even new hardware that suddenly appears on a server or workstation. At the end of the day it might not always be possible to stop an intruder; however, if such an unfortunate event were to happen, it is essential that monitoring mechanisms are in place that will advise the administrator of the breach as soon as possible.</p>
<p>Finally, an important aspect is to have a disaster recovery plan for an intrusion or Trojan infection. Having such a plan available can significantly reduce downtime as well as the time it will take to stop the intruder.</p>
<p><a href="http://www.gfi.com/blog/internet-explorer-0day-vulnerability-aurora-exploit/">Internet Explorer 0Day Vulnerability: The Aurora Exploit</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/internet-explorer-0day-vulnerability-aurora-exploit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How to handle security</title>
		<link>http://www.gfi.com/blog/how-to-handle-security/</link>
		<comments>http://www.gfi.com/blog/how-to-handle-security/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 12:50:10 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1816</guid>
		<description><![CDATA[I&#8217;ve previously discussed how important it is to pay attention to the medium you’re using; transferring data via satellite for example puts you at great risk as you’re spreading your data on a wide geographical range, ...<p><a href="http://www.gfi.com/blog/how-to-handle-security/">How to handle security</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="weak link chain" href="http://www.gfi.com/blog/wp-content/uploads/2010/01/weak-link-chain.jpg"><img class="alignright size-medium wp-image-1818" style="margin: 10px; border-width: 0px;" title="weak link chain" src="http://www.gfi.com/blog/wp-content/uploads/2010/01/weak-link-chain-200x300.jpg" alt="" width="160" height="240" /></a>I&#8217;ve previously discussed how important it is to pay attention to the medium you’re using; transferring data via satellite for example puts you at great risk as you’re spreading your data on a wide geographical range, in most cases unencrypted. Everyone with a satellite tuner hooked up to his computer system can intercept any data being sent via satellite to anyone.</p>
<p>As if to prove the point, the <a target="_blank" href="http://online.wsj.com/article/SB126102247889095011.html">Wall Street Journal</a> broke the story that insurgents in Iraq and Afghanistan were intercepting video feeds from U.S. drones. This happened because the drone transmitted whatever it was seeing back via satellite, unencrypted. The reason it was unencrypted? The Wall Street Journal reports that officials said they were aware of the problem but considered it unlikely that their local adversaries would have the know-how to exploit it, and this is what I really wanted to discuss in this post.</p>
<p><span id="more-1816"></span>There are various approaches to security. It is obviously impossible to secure everything; ultimately one does a risk assessment and decides on a good risk-to-cost ratio. Weighing risk against cost, however, is not a straightforward process of securing only the most visible threats on the assumption that the others are too obscure or are generally not thought about by hackers.</p>
<p>In one of my very first articles I gave the following scenario: “Assume that someone has a house which he wants to secure and decides to go all the way and overdo it to get as close to the 100% security level as possible. He installs a vault door as his front door, puts bullet-proof glass in all windows and puts titanium bars in front of each one of his windows. He has reinforced concrete on each wall, making his home look like a bunker, and even puts a guard at his front door on a 24-hour watch. Now let’s assume that for whatever reason he leaves a pretty flimsy back door, maybe even facing a dark alleyway.”</p>
<p>This drone episode reminded me of this example as it fits perfectly. When you’re relying for security on the assumption that none of your attackers will be able to breach it because they lack the know-how, or that a flaw is hidden well enough that no one will find it, you’re like the home owner in this fictitious scenario who left the flimsy back door that can be opened with a small kick because it faces a dark alley that no one frequents. Security is lost as soon as the weakest link is compromised, and this is very important; I can never stress this enough. To steal the valuables from our fictitious home a thief doesn’t have to get around the security guard, bust the vault door, cut the titanium bars, get through the bullet-proof glass and break down the reinforced concrete. All he has to do is kick the back door, the one in the alley.</p>
<p>This is exactly the tricky part of security. One must first identify all the possible attack vectors, how to reinforce them, what the cost will be and how much more secure that cost is going to make us. The next tricky part is communicating this to management, especially if their background doesn’t include any IT security at all.</p>
<p>It is to be expected that their first reaction would be to try and cut expenses by removing what they might initially see as redundant. I would expect questions such as: why do we need an antivirus system if we have a firewall? Why would we need a patching system in place if we have antivirus? Why do we need to control USB when only company employees have physical access to these computers? Why do we need a firewall to control our remote logging system when it’s not even running on a standard port? No one will find it!</p>
<p>These are all questions that one might face when coming up with a proposal for tackling security on their systems. It is our responsibility to convey the message that it is essential to cover all bases. Nothing is really extra or unnecessary, because an attacker doesn’t need to get through all our defenses, only through our weakest one.</p>
<p><a href="http://www.gfi.com/blog/how-to-handle-security/">How to handle security</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/how-to-handle-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trust &#8211; The Enemy of Security?</title>
		<link>http://www.gfi.com/blog/trust-enemy-security/</link>
		<comments>http://www.gfi.com/blog/trust-enemy-security/#comments</comments>
		<pubDate>Wed, 06 Jan 2010 10:25:12 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Headline]]></category>
		<category><![CDATA[Tech Zone]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1793</guid>
		<description><![CDATA[Some time ago I was reading about the Counterfeit banknote detector pen.  This pen basically writes in yellow on genuine money but in black or grey on fake money. So I thought, great but doesn’t ...<p><a href="http://www.gfi.com/blog/trust-enemy-security/">Trust &#8211; The Enemy of Security?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Some time ago I was reading about the counterfeit banknote detector pen. This pen basically writes in yellow on genuine money but in black or grey on fake money. So I thought, great, but doesn’t that mean that if a counterfeiter defeats the pen he will have an easier life laundering his fake money? A quick search on Google showed that this is in fact the case. Not only that, but I also came across a story where conmen were actually selling fake pens to shops and then laundering money in those shops, knowing they would not be caught.</p>
<p style="text-align: justify;"><a class="lightbox" href="http://www.gfi.com/blog/wp-content/uploads/2010/01/shutterstock_230983241.jpg"><img class="alignright size-full wp-image-1795" style="margin: 10px;" title="Trust" src="http://www.gfi.com/blog/wp-content/uploads/2010/01/shutterstock_230983241.jpg" alt="" width="250" height="250" /></a>This brings us to today’s article about trust. Trust can actually be the element that turns our security system into our own enemy. What happens when a user on a corporate network receives a suspicious email with a questionable attachment? Will he play it safe and delete it, or will he quickly open it, thinking that since it went through the corporate security system it must be harmless? What about the user who downloads a tool off the internet without worrying about its source? Will he worry that it might contain viruses or Trojans, knowing that his system is protected by the corporate antivirus solution, or will he feel safe, believing the antivirus will protect him from any possible malware?</p>
<p style="text-align: justify;"><span id="more-1793"></span></p>
<p style="text-align: justify;">Hopefully the answer to these questions is that people will still be responsible, but alas, I think the truth is closer to the shopkeeper using his fake counterfeit banknote detector pen. The pen says it is okay, so I don’t need to look closely at the banknote and verify the other security features built into money! This is yet another threat to security one needs to keep in mind.</p>
<p style="text-align: justify;">The problem doesn’t end there either. A lot of things can easily be spoofed: mobile numbers in text messages, telephone numbers in VoIP gateways, the From field in an email, hyperlinks and more. Each of these things can make the target implicitly trust the source. Even those of us who work in security, do we ever check the route of an email? Or do we simply rely on the From field to decide who sent it? The only time we check the route of an email is if it looks suspicious. What is worse still, people will most often trust the source more than the contents of the message. Suppose one were to receive a spoofed text message, altered to look like it is coming from a spouse, containing something like: “Hey, a friend of mine is coming to collect $200 I owe him, please give it to him as I will be busy in a meeting, will obviously pay you back. I will contact you later when I finish as I need to run right now.” There is a good chance such a scam will work easily. Would it work just as well if the same message were received from an unknown number? Most likely not, but why? It’s the same message, isn’t it? The reason is that in the first instance we trust the source, so we automatically trust the message.</p>
<p style="text-align: justify;">Mitigating these scenarios is not easy. The case where employees trust too much in the corporate malware protection could be mitigated using policy and education, but some will still believe that since they are protected by an antivirus they can safely run whatever they want, knowing the antivirus will protect them. From a systems point of view the best option is probably not to rely on any one system. Having multiple antivirus products can help mitigate the problem a little, but even this doesn’t guarantee 100% security; obviously nothing really does.</p>
<p style="text-align: justify;">The second scenario is even worse. Mitigating social engineering attacks that manage to make the target believe they are coming from a legitimate, trustworthy source is even more difficult. Unless the message is very suspicious it’s very likely that it will have the effect the attacker intended. There is no effective way to protect against it either. The only option is educating users that these fields can easily be manipulated and that if a message says it is coming from person X, this is not necessarily so. As a technology solution the only option I can think of is perhaps disallowing inbound emails with the local domain in their From field, but this might have a detrimental effect, as such an email might be legitimate, sent by an employee from his laptop while offsite. There is no solution and education is most likely the only effective weapon.</p>
<p><a href="http://www.gfi.com/blog/trust-enemy-security/">Trust &#8211; The Enemy of Security?</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/trust-enemy-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Protecting your assets using one word – The Password</title>
		<link>http://www.gfi.com/blog/protecting-assets-word-password/</link>
		<comments>http://www.gfi.com/blog/protecting-assets-word-password/#comments</comments>
		<pubDate>Thu, 10 Dec 2009 09:36:32 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[password policies]]></category>
		<category><![CDATA[password security]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1725</guid>
		<description><![CDATA[In a world where a sizable part of any company’s assets or management thereof resides in a computer system, it is more than sensible to expect those systems to be as highly protected as possible. ...<p><a href="http://www.gfi.com/blog/protecting-assets-word-password/">Protecting your assets using one word – The Password</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p>In a world where a sizable part of any company’s assets, or the management thereof, resides in a computer system, it is more than sensible to expect those systems to be as highly protected as possible. In most cases all the protection hinges on a number of words, one for each person accessing the system. Obviously it’s to be expected that various strategies and policies were created during the computer age to keep these words as safe as possible &#8211; I am, of course, talking about the password.</p>
<p>Security has always been a tricky thing, and password policy has been especially taxing for a long time. The biggest problem is that sometimes policies intended to help strengthen the company’s security end up hindering it; this has never been truer than with the history of passwords.</p>
<p><strong>Frequency of Forced Password Change</strong></p>
<p>A common password protection policy is to have the user change the password on a periodic rotation. It can be as short as 30 days; some employ a longer timeframe of 180 days, and most settle in the middle with 90 days. The idea behind this policy is that if someone were to compromise the password, his access will be limited to that timeframe, until the password is changed. Furthermore, a brute force attack that is trying to be stealthy, or to avoid locking the account, by only attempting a few passwords a day rather than as many as possible will have its run invalidated when the password changes, since the new password might be a combination it has already tried.</p>
<p>The intention here is obviously good; however, it is dangerous due to its unintended consequences. If the user has no complexity rules he is quite likely to choose an easy password, because it is difficult to come up with a new password every time. If he does have complexity rules preventing him from creating easy-to-remember passwords, then he will write it down, and possibly attach it to the monitor for everyone to see. The best you can hope for at this point is that maybe the user will still have a small sense of security left in him, in which case he might tape the password to the bottom of his keyboard, but that’s it. When forced to come up with and remember a new complex password periodically, you can bet that he will write it down somewhere. Furthermore, in some cases people still try to stick to the same password and get around restrictions such as not being able to reuse the last 6 passwords by adding a sequential number after the same old password and simply adding 1 to it each time they’re forced to change it.</p>
<p><strong>Complex Password Policy</strong></p>
<p>Another common policy is to enforce a password complexity policy: for example, a password must be at least 8 characters long and contain both upper- and lower-case letters as well as numbers. The idea here is to make the life of a brute force attack difficult by ensuring that many combinations need to be tried.</p>
<p>The risk here is users who find it hard to remember what they created and end up writing it down, or using a “complex” password that’s so common it’s like having no password at all, such as “P4ssword”.</p>
<p><strong>IT generates passwords for users</strong></p>
<p>One thing you can always count on from users is that they will come up with a password that is a lot easier than you intended. Force users to create a password that has both letters and digits and lower and upper case, and you can be sure more than one will come up with “P4ssword” or a variation of it. Another thing you can be sure of is that such a password and all of its variations are in various, if not all, password cracking dictionaries.</p>
<p>To mitigate this problem some companies do not allow users to create their own passwords; instead the IT department generates one for them.</p>
<p>The generated password will surely be strong; however, it’s likely to be impossible to remember, especially since the user will have nothing to relate it to. Being unable to remember it all but forces the user to write it down, making the strong password useless.</p>
<p><strong>Every single system has its own password</strong></p>
<p>The idea here is very straightforward. If one password is compromised the rest of the systems are still secure because they have a different password.</p>
<p>The idea is great; however, it’s already hard to have a user create one or two strong passwords that he needs to remember. The more passwords you force him to create and remember, the more likely he will make them easy to remember. In the worst cases they will be small variations of the same easy-to-remember password.</p>
<p><strong>What should one do?</strong></p>
<p>How can one tackle this scenario? Should we ignore all the security recommendations? Are they useless? Obviously the answer is no. However, it is important to find a good balance. Policy that frustrates the user is more likely to be ignored than policy which doesn’t inconvenience him much. Ultimately it all boils down to personal choice and finding the right balance. It can also mean shifting some of the risk from the password itself to the infrastructure or to procedures such as monitoring.</p>
<p>Below are some suggestions:</p>
<p><strong>Password Frequency</strong></p>
<p>Personally I would not go with a short password change timeframe. I would set it to at least 180 days. I would then mitigate the extra risk this generates with better monitoring: tracking each successful connection which doesn’t originate from the usual or allowed IP addresses, as well as successful logins outside of work hours, and taking proactive action when this happens.</p>
<p><strong>Password Complexity</strong></p>
<p>Passwords need to be complex. I would not, however, just put in a complexity policy and leave it at that. I would also include a little education with it. It can be just a guideline document or, better still, a small one-to-one talk with someone from IT who would explain what the policy is about and, more importantly, some tips and tricks to new employees as part of their orientation. Tips and tricks are discussed further on in this article.</p>
<p><strong>Passwords generated by IT for users</strong></p>
<p>I would definitely avoid this. Having passwords generated by IT will result in complex passwords that are impossible for the user to remember. The desired strength benefit will be far outweighed by the added risk of having the password written down, possibly in plain sight.</p>
<p><strong>Multiple Passwords</strong></p>
<p>I would also recommend that, as much as possible, there should be few or even one unified authentication system. The biggest benefit is that a single system is easier to implement and test, so one can ensure that it is well implemented and robust. Secondly, it is far better to have one password that is strong than multiple weak passwords. I would also stress again the importance of monitoring: action should be taken immediately when a breach happens. This, however, is a personal choice. Having one authentication system with only one password means that anyone breaching the system will have access to everything. That being said, it is quite likely that someone who has breached one system will quickly breach more, so it might be an acceptable risk.</p>
<p><strong>Training</strong></p>
<p>One might have the strongest password in the world, but if it is not well protected it will effectively become weaker than the easiest of passwords. Users must be taught how to take care of their passwords &#8211; never write them down; never use them over a wireless connection that isn’t properly secured and under the control of the company or of the user himself; never use the password inside an internet café; and never store it in a file on your computer or mobile phone.</p>
<p><strong>Tips and Tricks</strong></p>
<p>The biggest enemy of a strong password is always the difficulty of remembering it. This, however, can be mitigated if the password is created the right way. There are various tricks to achieve this. The easiest would be to use a phrase, substitute a letter with a number and then add a fixed amount to each number to break the leet speak pattern.</p>
<p>Step by step example:</p>
<ol>
<li>Select a phrase: DoNotAccessMyData</li>
<li>Change o to 0: D0N0TAccessMyData</li>
<li>Add 1 to the digits: D1N1TAccessMyData</li>
</ol>
<p>Only one letter-to-digit conversion was performed so as to make it easier.</p>
<p>There are more advanced tricks as well, such as selecting a phrase, using the first letter of each word as part of the password with alternating case, then changing letters to digits and adding a fixed amount to them. Example:</p>
<ol>
<li>Select a phrase of at least 8 words: My Computer Is Secure If I Use This Password And Do Not Write It Down</li>
<li>This gets converted to: McIsIiUtPaDnWiD</li>
<li>Changing I to 1 and s to 2: Mc1211UtPaDnW1D</li>
<li>Adding 1 to remove the leet speak pattern: Mc2322UtPaDnW2D</li>
</ol>
<p>This is a little harder to remember, but impossible to guess and with a lot of combinations for a brute force attack to try.</p>
<p>Some things not to do if you want a strong password:</p>
<ul>
<li>Never use a password from an example such as the ones above</li>
<li>Do not simply convert words to leet speak; try to avoid it as much as possible</li>
<li>Do not use names as passwords</li>
<li>Do not use normal words in any language as a password</li>
<li>Do not use personal information such as a telephone number, spouse’s name, children’s names or even a pet’s name as a password, as these are guessable (even if no one in the universe knows your cat is called Thomas, Thomas is a name that is sure to be found in a hacking dictionary)</li>
<li>Do not write down the password</li>
</ul>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">Closing Thoughts</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">No matter how many precautions you take and even if every user of a system follows every recommendation to the letter you’re always risking that at some point in time a password will be compromised. There are a lot of ways in which this can happen: Interception, Social Engineering, Compromise, exploit of the Authentication mechanism, key logger and more. The best approach is to assume that one day the system will be compromised and act accordingly. Be sure to put monitors in place to detect any unauthorized access, be it a login outside working hours to a login from a new unusual IP address. It is a lot more desirable to get a false notification than giving a hacker who compromised your system time to gain a foothold on your system.</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">It is also important to consider that the password is only part of the equation. The infrastructure on which the password is used needs to be secure itself. If no one needs outside access to the internal network then make sure that it is blocked by a firewall. If only a few need access then explicitly allow access to only their machines. Monitoring events generated by a machine can indicate that a machine is under attack. If the same host is repeatedly trying to break in extra measures can be taken to stop him and also have the account disabled after a certain amount of failed logins.</div>
<p><a class="lightbox" title="password_policies" href="http://www.gfi.com/blog/wp-content/uploads/2009/12/password_policies.jpg"><img class="alignright size-medium wp-image-1726" style="margin: 10px;" title="password_policies" src="http://www.gfi.com/blog/wp-content/uploads/2009/12/password_policies-300x200.jpg" alt="" width="270" height="180" /></a>In a world where a sizable part of any company’s assets, or the management of them, resides in a computer system, it is more than sensible to expect those systems to be as well protected as possible. In most cases all of that protection hinges on a number of words, one for each person accessing the system. It is therefore to be expected that various strategies and policies were created during the computer age to keep these words as safe as possible &#8211; I am, of course, talking about the password.</p>
<p>Security has always been a tricky thing, and password policy has been especially taxing for a long time. The biggest problem is that policies intended to strengthen the company’s security sometimes end up hindering it; this has never been truer than in the history of passwords.</p>
<h2>Frequency of Forced Password Change</h2>
<p>A common password protection policy is to have the user change the password on a periodic rotation. It can be as short as 30 days; some employ a longer timeframe of 180 days, and most settle in the middle with 90 days. The idea behind this policy is that if someone were to compromise the password, his access will be limited to the time remaining until the password is changed. Furthermore, a brute force attack that tries to stay stealthy and avoid locking the account by attempting only a few passwords a day, rather than as many as possible, will have its run invalidated once the password changes, since the new password might be a combination it has already tried.</p>
<p>The intention here is obviously good; however, it is dangerous because of its unintended consequences. If the user has no complexity rules, he is quite likely to choose an easy password, because it is difficult to come up with a new password every time. If he does have complexity rules preventing him from creating easy-to-remember passwords, then he will write it down, possibly attaching it to the monitor for everyone to see. The best you can hope for at this point is that the user still has a small sense of security left in him, in which case he might tape the password to the bottom of his keyboard, but that’s it. When forced to come up with and remember a new complex password periodically, you can bet that he will write it down somewhere. Furthermore, in some cases people still try to stick to the same password and get around restrictions such as not being able to reuse the last 6 passwords by adding a sequential number after the same old password and simply incrementing it each time they’re forced to change it.</p>
<h2>Complex Password Policy</h2>
<p>Another common policy is to enforce password complexity: for example, a password must be at least 8 characters long and contain both upper and lower case letters as well as digits. The idea here is to make life difficult for a brute force attack by ensuring that many combinations need to be tried.</p>
<p>The risk here is users who find it hard to remember what they created and end up writing it down, or who pick a nominally complex password that is so common it is like having no password at all, such as “P4ssword”.</p>
<h2>IT generates password for users</h2>
<p>One thing you can always count on from users is that they will come up with a password that is a lot easier than you intended. Force users to create a password that has letters and digits in both lower and upper case and you can be sure more than one will come up with “P4ssword” or a variation of it. Another thing you can be sure of is that such a password and all of its variations are in many, if not all, password cracking dictionaries.</p>
<p>To mitigate this problem, some companies do not allow users to create their own passwords; instead the IT department generates one for them.</p>
<p>The generated password will surely be strong; however, it is likely to be impossible to remember, especially since the user will have nothing to relate it to. Being unable to remember it, the user is all but forced to write it down, making the strong password useless.</p>
<h2>Every single system has its own password</h2>
<p>The idea here is very straightforward. If one password is compromised, the rest of the systems are still secure because they have a different password.</p>
<p>The idea is great; however, it is already hard to have a user create one or two strong passwords that he needs to remember. The more passwords you force him to create and remember, the more likely he is to make them easy to remember. In the worst cases they will be small variations of the same easy-to-remember password.</p>
<h2>What should one do?</h2>
<p>How can one tackle this scenario? Should we ignore all the security recommendations? Are they useless? Obviously the answer is no. However, it is important to find a good balance. A policy that frustrates the user is more likely to be ignored than one which doesn’t inconvenience him much. Ultimately it all boils down to personal choice and finding the right balance. It can also mean shifting some of the risk from the password itself to the infrastructure or to procedures such as monitoring.</p>
<p>Below are some suggestions:</p>
<h3>Password Frequency</h3>
<p>Personally, I would not go with a short password change timeframe. I would set it to at least 180 days. I would then mitigate the extra risk this generates with better monitoring: tracking each successful connection that doesn’t originate from the usual/allowed IP addresses, as well as successful logins outside of working hours, and taking proactive action when this happens.</p>
<h3>Password Complexity</h3>
<p>Passwords need to be complex. I would not, however, just put a complexity policy in place and leave it at that. I would also include a little education with it. It can be just a guideline document, or better still a small one-to-one talk with someone from IT who explains what the policy is about and, more importantly, gives some tips and tricks to new employees as part of their orientation. Tips and tricks are discussed further on in this article.</p>
<h3>Password generated by IT for users</h3>
<p>I would definitely avoid this. Having passwords generated by IT will result in complex passwords that are impossible for the user to remember. The desired strength benefit will be far outweighed by the added risk of having the password written down, possibly in plain sight.</p>
<h3>Multiple Passwords</h3>
<p>I would also recommend that, as much as possible, there should be few or even just one unified authentication system. The biggest benefit is that a single system is easier to implement and test, so one can ensure that it is well implemented and robust. Secondly, it is far better to have one password that is strong than multiple weak passwords. I would also stress again the importance of monitoring: action should be taken immediately when a breach happens. This, however, is a personal choice. Having one authentication system with only one password means that anyone breaching the system will have access to everything. That being said, it is quite likely that someone who has breached one system will quickly breach more, so it might be an acceptable risk.</p>
<h3>Training</h3>
<p>One might have the strongest password in the world, but if it is not well protected it will effectively become weaker than the easiest of passwords. Users must be taught how to take care of their passwords &#8211; never write them down; never use them over a wireless connection that isn’t properly secured and under the control of the company or of the user himself; never use the password inside an internet café; and never store it in a file on your computer or mobile phone.</p>
<h3>Tips and Tricks</h3>
<p>The biggest enemy of a strong password is always the difficulty of remembering it. This, however, can be mitigated if the password is created the right way. There are various tricks to achieve this. The easiest is to use a phrase, substitute a letter with a number and then add a fixed amount to each number to break the leet speak pattern.</p>
<h3>Step by Step Example:</h3>
<ol>
<li>Select a phrase: DoNotAccessMyData</li>
<li>Change o to 0: D0N0TAccessMyData</li>
<li>Add 1 to the digits: D1N1TAccessMyData</li>
</ol>
<p>Only one letter-to-digit conversion was performed, to keep it easy.</p>
<p>There are more advanced tricks as well, such as selecting a phrase, using the first letter of each word as the password, alternating the case of those letters, changing some letters to digits and then adding a fixed amount to each digit. Example:</p>
<ol>
<li>Select a phrase of at least 8 words: My Computer Is Secure If I Use This Password And Do Not Write It Down</li>
<li>This gets converted to: McIsIiUtPaDnWiD</li>
<li>Changing I to 1 and s to 2: Mc1211UtPaDnW1D</li>
<li>Adding 1 to remove the leet speak pattern: Mc2322UtPaDnW2D</li>
</ol>
<p>This is a little harder to remember, but impossible to guess, and it leaves a brute force attack a great many combinations to try.</p>
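<p>The scheme described in the two examples above, written out as an added example (code added here, not from the original post): first letters with alternating case, letter-to-digit substitution, then a fixed shift of every digit. It assumes that substitutions match both upper and lower case, as the post's own result Mc1211UtPaDnW1D implies, and that a shifted digit wraps round modulo 10.</p>

```python
"""Passphrase-to-password scheme from the post, as an added illustration.

Steps: first letter of each word with alternating case, replace chosen
letters with digits, then add a fixed amount to every digit so the result
no longer looks like plain leet speak.  Assumptions (not stated in the
post): substitutions are case-insensitive and digits wrap modulo 10.
"""

# Substitution table used in the post's worked example: I -> 1, s -> 2.
EXAMPLE_SUBSTITUTIONS = {"i": "1", "s": "2"}


def first_letters_alternating(phrase: str) -> str:
    """Take the first letter of each word, alternating upper/lower case
    starting with upper, e.g. 'My Computer Is' -> 'McI'."""
    letters = []
    for index, word in enumerate(phrase.split()):
        letter = word[0]
        letters.append(letter.upper() if index % 2 == 0 else letter.lower())
    return "".join(letters)


def substitute_letters(text: str, table: dict) -> str:
    """Replace every letter listed in `table` (case-insensitively) with
    the digit it maps to; other characters pass through unchanged."""
    return "".join(table.get(ch.lower(), ch) for ch in text)


def shift_digits(text: str, amount: int) -> str:
    """Add `amount` to each digit, wrapping modulo 10 (assumption), which
    breaks the leet-speak pattern that cracking dictionaries try first."""
    return "".join(
        str((int(ch) + amount) % 10) if ch.isdigit() else ch for ch in text
    )


def derive_password(phrase: str, table: dict = EXAMPLE_SUBSTITUTIONS,
                    shift: int = 1) -> list:
    """Run the three steps and return every intermediate value so each
    one can be compared with the post's worked example."""
    step1 = first_letters_alternating(phrase)
    step2 = substitute_letters(step1, table)
    step3 = shift_digits(step2, shift)
    return [step1, step2, step3]


if __name__ == "__main__":
    phrase = "My Computer Is Secure If I Use This Password And Do Not Write It Down"
    for label, value in zip(("letters", "substituted", "shifted"),
                            derive_password(phrase)):
        print(f"{label:>12}: {value}")
```

As the post itself warns, the phrase above is only a test vector; any phrase used for a real password must be one's own.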
<p>Some things that you should not do if you want a strong password:</p>
<ul>
<li>Never use a password from an example such as the ones above</li>
<li>Do not simply convert words to leet speak; avoid it as much as possible</li>
<li>Do not use names as passwords</li>
<li>Do not use normal words in any language as a password</li>
<li>Do not use personal information such as a telephone number, spouse’s name, children’s names or even a pet’s name as a password, as these are guessable (even if no one in the universe knows your cat is called Thomas, Thomas is a name that is sure to be found in a hacking dictionary)</li>
<li>Do not write down the password</li>
</ul>
<h2>Closing Thoughts</h2>
<p>No matter how many precautions you take, and even if every user of a system follows every recommendation to the letter, you are always running the risk that at some point a password will be compromised. There are a lot of ways in which this can happen: interception, social engineering, compromise, exploitation of the authentication mechanism, a key logger and more. The best approach is to assume that one day the system will be compromised and act accordingly. Be sure to put monitoring in place to detect any unauthorized access, be it a login outside working hours or a login from a new, unusual IP address. It is far more desirable to get a false notification than to give a hacker who has compromised your system time to gain a foothold.</p>
<p>It is also important to consider that the password is only part of the equation. The infrastructure on which the password is used needs to be secure itself. If no one needs outside access to the internal network, then make sure that it is blocked by a firewall. If only a few need access, then explicitly allow access only from their machines. Monitoring the events generated by a machine can indicate that it is under attack. If the same host repeatedly tries to break in, extra measures can be taken to stop it, and the account can be disabled after a certain number of failed logins.</p>
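<p>The monitoring recommended under "Password Frequency" and in these closing thoughts, as an added example that is not part of the original post: it runs over a few constructed log lines, flags successful logins outside working hours or from an address outside the user's usual ranges, and proposes a lockout once a host has failed a set number of times. The log format, user names, addresses, working hours and failure threshold are all constructed for the illustration.</p>

```python
"""Login monitoring over constructed log lines (added example, not code
from the original post).  Flags successful logins outside working hours or
from an unusual source address, and records a lockout once a host reaches
the failed-login limit."""

from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed policy values for the illustration (not from the post).
WORK_HOURS = (8, 18)        # successful logins expected between 08:00 and 17:59
FAILED_LOGIN_LIMIT = 5      # disable the account / block the host at this count
ALLOWED_NETWORKS = {        # the usual/allowed source ranges for each user
    "alice": [ipaddress.ip_network("10.0.0.0/24")],
    "bob": [ipaddress.ip_network("10.0.1.0/24")],
}

# Constructed sample log.  Format: "<ISO timestamp> <user> <source ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2010-03-05T09:15:00 alice 10.0.0.12 SUCCESS
2010-03-05T23:40:00 alice 10.0.0.12 SUCCESS
2010-03-05T10:02:00 bob 203.0.113.7 SUCCESS
2010-03-05T10:03:00 bob 198.51.100.9 FAIL
2010-03-05T10:03:05 bob 198.51.100.9 FAIL
2010-03-05T10:03:10 bob 198.51.100.9 FAIL
2010-03-05T10:03:15 bob 198.51.100.9 FAIL
2010-03-05T10:03:20 bob 198.51.100.9 FAIL
2010-03-05T10:03:25 bob 198.51.100.9 SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, result)."""
    timestamp, user, ip, result = line.split()
    return datetime.fromisoformat(timestamp), user, ipaddress.ip_address(ip), result


def outside_work_hours(timestamp):
    """True when the login hour falls outside the configured working hours."""
    start, end = WORK_HOURS
    return not (start <= timestamp.hour < end)


def from_unusual_address(user, ip):
    """True when the source address is in none of the user's usual ranges."""
    return not any(ip in network for network in ALLOWED_NETWORKS.get(user, []))


def analyse(log_text):
    """Return (alerts, lockouts).

    alerts:   list of (user, ip, reason) for successful logins worth a look
    lockouts: set of (user, ip) pairs that reached FAILED_LOGIN_LIMIT failures
    """
    alerts = []
    failures = defaultdict(int)
    lockouts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, ip, result = parse_line(line)
        key = (user, str(ip))
        if result == "FAIL":
            failures[key] += 1
            if failures[key] >= FAILED_LOGIN_LIMIT:
                lockouts.add(key)
            continue
        # A successful login: apply the post's two checks, plus one more
        # for a success that follows a burst of failures from the same host.
        if outside_work_hours(timestamp):
            alerts.append((user, str(ip), "outside working hours"))
        if from_unusual_address(user, ip):
            alerts.append((user, str(ip), "unusual source address"))
        if key in lockouts:
            alerts.append((user, str(ip), "success after repeated failures"))
    return alerts, lockouts


if __name__ == "__main__":
    found_alerts, found_lockouts = analyse(SAMPLE_LOG)
    for alert in found_alerts:
        print("ALERT", *alert)
    for locked in sorted(found_lockouts):
        print("LOCKOUT", *locked)
```

A false alert from this is cheap, which is the post's point: it costs a glance, whereas a missed one gives an intruder time to dig in.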
<p><a href="http://www.gfi.com/blog/protecting-assets-word-password/">Protecting your assets using one word – The Password</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/protecting-assets-word-password/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Hacking Devices – USB</title>
		<link>http://www.gfi.com/blog/hacking-devices-usb/</link>
		<comments>http://www.gfi.com/blog/hacking-devices-usb/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 14:32:39 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[keyloggers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security threats]]></category>
		<category><![CDATA[USB threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1720</guid>
		<description><![CDATA[USB has become a very popular interface over the years. Plenty of devices have been developed that provide a USB interface such as cameras,  phones, music players, the list is endless. While this is a ...<p><a href="http://www.gfi.com/blog/hacking-devices-usb/">Hacking Devices – USB</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="USB threats" href="http://www.gfi.com/blog/wp-content/uploads/2009/12/USB-threats.jpg"><img class="alignright size-medium wp-image-1721" style="margin: 10px;" title="USB threats" src="http://www.gfi.com/blog/wp-content/uploads/2009/12/USB-threats-300x199.jpg" alt="" width="300" height="199" /></a>USB has become a very popular interface over the years. Plenty of devices have been developed that provide a USB interface such as cameras,  phones, music players, the list is endless. While this is a useful technology, some of these devices have also brought with them new threats to our computer systems that need to be mitigated.</p>
<h2>USB Drives</h2>
<p>The obvious threat everyone thinks about when USB security is mentioned is the USB storage device. It is small, portable, inconspicuous enough to hide easily, and it can store a lot of data. The obvious threat here comes in the form of a disgruntled employee copying your source code or client list before he leaves the company; however, it is not just that. It can introduce viruses, Trojans and even illegal software or media onto your network, and potentially go even further than that.</p>
<h2>USB Switchblade</h2>
<p>When U3 developed a system where a small partition on a USB storage drive is automatically treated by Windows as a CD-ROM drive, so that programs on the USB drive can be auto-run, it opened the door to a new attack vector. With the USB Switchblade one simply inserted the USB drive into the target computer and it would automatically and silently steal information about the computer, password hashes and other data.</p>
<p>That was the first generation; then came the USB Hacksaw. The problem with Switchblade was that you had limited time for the attack to be successful. It is easy to convince the victim to plug USB storage into their system, for example by asking the victim to print a file from that USB drive or to look at something stored on it, such as a report or pictures. While this is happening the USB drive silently copies items, but because of the time constraint the Switchblade attack could only copy files that resided in specific directories; there was no time to have the attacking program search all hard drives. Hacksaw fixed that. The first time the malicious USB drive containing the Hacksaw attack is plugged in, it installs a small program. This program runs automatically and searches the hard drive for interesting files such as documents and passwords. The attacker can then safely remove the drive within seconds. He then waits patiently for an hour or two while the program on the victim’s computer gathers the files into its own folder. Once enough time has passed the attacker goes back and inserts the USB drive again. This second time, the program installed earlier copies all the data it has found since it was first activated back to the USB drive. This was only the first version; later implementations had software that simply sent the found files out by email, and technically the same method can be used to deploy any malware, including rootkits and backdoors.</p>
<p>To protect against USB drive copying and Switchblade attacks, the best option is to disable USB access if it is not required. If USB is required, then software that allows control and can restrict access to only those devices which are allowed, based on device classes or even device serial number, can be used.</p>
<h2>USB Key Loggers</h2>
<p>Key loggers have always been a threat to any business. They can be used to compromise passwords and steal source code, intelligence, credit card numbers and confidential company secrets. Software key loggers can be detected by some antivirus solutions and other anti-malware software. However, it is not so easy with USB key loggers. These insidious devices connect between the keyboard and the computer’s USB port and record every key press. They can store more than a year’s worth of key presses. Once installed they can be hard to detect, since they are small and people do not generally go looking behind computers to check that nothing has been added. However, the risk is great. If a malicious employee wants to steal company information, in most cases it would be trivial for him to install such a device, and once he does it is very unlikely that he will get caught.</p>
<p>Mitigating this can be quite tricky. The best approach is to ensure physical security of the machines, for example by locking offices when people leave. Alternatively, if the data is sensitive enough, it might be possible to protect against such devices by installing a USB monitoring tool that blocks any device, including input devices, and simply whitelisting the keyboard and mouse you want to use. This would be quite labor intensive to do on each machine, but it is probably the only sure way to protect against this device. Even this might not be 100% effective, since future key loggers might simply clone the keyboard’s serial number as well.</p>
<h2>USB Wireless Devices</h2>
<p>Wireless adapters are another obvious device that can be a threat to the company. Risks here are both incidental and intentional. Incidental threats can come from employees hooking up a wireless access point to the network so that they can use their laptop wirelessly, with the intention of increasing productivity. Intentional threats include cases where malicious people hook up an access point with the intention of gaining illegal access from outside the building, where it is safer to operate. There are documented cases where this type of attack was carried out.</p>
<p>Back in 2004 a post office in Haifa, Israel was broken into. After an inventory found nothing missing, the matter was dropped in the belief that the thieves got scared and ran before taking anything. However, a few days later large unauthorized transactions were detected, and another inspection found a rogue access point. The thieves hadn’t run away with nothing; they had in fact planted a wireless access point to give them access from outside whenever they wanted.</p>
<p>Cases such as this &#8211; the addition of unauthorized devices to the network &#8211; clearly indicate the need to keep a hardware inventory. There are solutions that periodically scan the network and alert the administrator when new hardware is added or even removed. This allows an administrator to detect the change quickly and act in a timely manner.</p>
<h2>Delivery Methods</h2>
<p>In all cases the hardest part for an attacker is delivery. Does an attacker only carry out inside jobs, or does he need to break into a company to get physical access to his target? Obviously there are a lot of options for someone determined, especially if this is a targeted attack. What if the attacker pays a janitor to hook up the USB drive to the highest ranking manager’s machine and then retrieve it the next day? During that day it would have copied countless credentials, and if it key logged as well it would also have copied a lot of confidential information. If the attacker is particularly daring he might also open a backdoor on that machine; however, if the attacker doesn’t go that far it is a good bet that the whole operation can be completed without anyone ever discovering it.</p>
<p>If the attacker feels that bribing people is too risky there are other options. Purposely dropping a compromised USB drive using the hacksaw method in front of the company premises, or during a conference that employees are attending, might see one of them pick it up, and there’s a good chance that the first thing they will do is insert it in their computer to see what it contains. At this stage it could gather data and send it by email or open a back door. The possibilities are endless and frightening.</p>
<h2>Conclusion</h2>
<p>There are various risks to a computer system from attacks targeting USB. A lot of these attacks are ideal for inside jobs, but a clever attacker might find other ways to target a specific company or even a specific person. The threat posed by USB should not be underestimated. Physical security and USB management software can be a great help in protecting an organization from such attacks.</p>
<p><a href="http://www.gfi.com/blog/hacking-devices-usb/">Hacking Devices – USB</a> is a post from Talk Tech To Me, a <a href="http://www.gfi.com/blog">tech blog for network administrators</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/hacking-devices-usb/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
