
"Stay Safe" Cyber Security Blog

Protecting your family, identity & computers against cyberthreats & hackers
Flying Pigs at the Turn of the Tide: Microsoft is finally emerging as a leader in the cyber security industry

Microsoft has been dealing with cyber threats for years, both internally and with our customers, but in case you haven't noticed, there has been a significant change in the tide, both in the focus of such malevolent attacks and in the public perception of Microsoft's ability to deal with those threats effectively.

To see the trends in cyber warfare, one need only read some of the headlines in the latest Microsoft Security Intelligence Report or the news articles about the attacks now on the rise.

Just take a look at some recent news articles:

February 24th 2009 - SQL Attacks - Half a Million Sites Already Owned - “Current epidemic of online SQL injection attacks maintains that over a half million sites were victimized by the threats during 2008 alone”

April 3rd 2009 - VMware exploits - just how bad is it? - “When Tony reported on the release of new VMware patches on April 4th, we didn't immediately spot that the same day there was also a release of a for-pay exploit against CVE-2009-1244 (announced in VMSA-2009-0006). Seems a few days later, there is also a white paper available -for pay as well-, and now also a flash video of the alleged exploit showing an XP client OS exploiting a Vista host OS (launching calc.exe). The video also comments that they get a data leak back from the host to the client”

April 14th 2009 - Attack Sneaks Rootkits Into Linux Kernel - “A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux.” “One of the bonuses of this [approach] is that most kernel module rootkits make a lot of noise when they are inserting [the code]. This one is directly manipulating the memory, so it's less noticeable,” he says.

April 16th 2009 - iBotnet: Researchers find signs of zombie Macs – “Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine”

Contrast this with the trend of positive security reports from Gartner, AV-Comparatives and other security experts praising Microsoft's SDL, security software and best practice guidance.

March 25th 2009 - Gartner: No need to wait for Windows 7 SP1 - A Gartner analysis report recommends that IT departments depart from the usual SP1 milestone when deciding to deploy Windows 7.

"Conventional wisdom has been that organizations need to wait for the first Service Pack to ship before they deploy a new client OS. This used to be a necessity. The availability of beta software to test the new product was not as broad as it is today, and people expected the initial release to be buggy and unstable. The first Service Pack usually would ship approximately nine to 12 months after the initial OS shipment, and would usually represent a marked improvement in stability. Today, SP1 does not represent the milestone it used to"

May 20th 2009 - Adobe to release security updates a la Patch Tuesday - “Adobe said on Wednesday it will release quarterly security updates to coincide with Microsoft's Patch Tuesday as part of a new approach to product security for Adobe Reader and Acrobat.”

“All new code and features for Adobe Reader and Acrobat have been put through a Secure product Lifecycle that is similar to Microsoft's much-touted Security Development Lifecycle.”

June 10th 2009 - Microsoft Ranks First in AV-Comparatives May Edition for Proactive Detection Testing! – “We are #1 this time! And it is our first time scoring Advanced+ in AV-comparatives testing. We scored very well on both ends: second best in detection rate and we had the fewest false positives. AV-Comparatives.org published the May edition of the proactive/retrospective testing of the May Edition…. Our detection rate was… the second best among the participants, and we had the fewest false positive samples.”

For details, please check AV-comparatives May edition published below: http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf

June 29th 2009 - Pigs fly! Microsoft leads in security – “Microsoft's success with Security Development Lifecycle has security experts buzzing and offers lessons… Many of the world's most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft.”

"Microsoft becomes high priest of secure software development." - CNET

“As an industry we should recognize the sea change in Microsoft's approach to security… and encourage other vendors to follow Microsoft's lead." - SANS NewsBites

“In 2004 Microsoft was a couple years into its Trustworthy Computing Initiative but it remained the software company IT security practitioners hated with glee.... That's not so much the case today." -- Computerworld

"As repugnant as it sounds, Apple will need to take a page from Microsoft's book in this area. Years of combating viral threats, malware, and so on" - CrunchGear

“It isn't just press talk alone. Every common security and vulnerability metric shows Microsoft's software security has dramatically improved over the years, especially compared to its main competitors. Vulnerabilities found by employees and external researchers are down well over half from just a few years ago. For some products, such as IIS and SQL Server, the improvement is startling going from dozens of exploits a year to barely a handful over five years.”

“Hackers have moved on from focusing on Windows holes to attacking third-party applications or social engineering the end-user as the primary attack vector. Patch Tuesday was derided when it first appeared. Now it has become a model for many other popularly attacked products, and vendors not using a regularly scheduled patch period are being asked to get on board by their customers.”

“I challenge you to find anywhere near the amount of free resources on improving your software security from any other source.”

Summary:

Microsoft has made real contributions with the Microsoft Security Development Lifecycle (SDL). The SDL framework, along with Microsoft's free security tools, the Patch Tuesday example, and Microsoft's Forefront Security products, has pushed the trend of attacks toward third-party applications and other low-hanging fruit, and at the same time has bolstered Microsoft's reputation as not only a security player but a leader in the industry.

Look for more to come with the Forefront “Stirling” wave and Windows 7.

Secure Applications - Part Deux

According to a study done by the Computer Security Institute and the FBI,

  • 97% of interviewed companies and administrations were using antivirus
  • 98% have a network firewall
  • Yet, 15% have reported suffering from network intrusions

Almost every business and government allows ports 80/443 through its firewall, so that is where the bad guys are attacking us. We need to shift our thinking from network and operating system security to application security. Attackers are still using buffer overflows, SQL injection and cross-site scripting successfully. We in IT have known about these classes of attack for many years, yet we still seem defenseless against them.

At just about every IT security conference where I speak, most of the IT people in the room cannot explain what an XSS or SQL injection attack is or how to prevent one. We tend to think that because we have up-to-date antivirus, perimeter network firewalls, IDS and patched servers we are fairly safe, and that is simply not true, especially if our applications are not secure. If our own applications are not coded securely, or are not published behind an application firewall such as Microsoft Intelligent Application Gateway, the apps themselves become the portals into our internal data: the technological albatross around our necks, as it were, that puts money in the bad guys' pockets and our agencies on the front page of the newspapers.
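To make the two application-layer attacks named above concrete, here is an added Windows PowerShell example (not code from the original post or from Microsoft) that exercises the same .NET classes the ASP.NET guidance relies on: a SqlCommand built by string concatenation beside one built with a typed parameter, and HTML encoding of untrusted output. No database connection is opened; the command is only constructed so you can inspect what would be sent. The table, column and attacker inputs are constructed for the example.

```powershell
# Added example (not from the original post): SQL injection and XSS shown
# against the .NET classes ASP.NET applications use. Windows PowerShell 3 or
# later. The SqlCommand is built but never executed, so no SQL Server is
# needed. Table, column and attacker inputs are constructed for the example.
Add-Type -AssemblyName System.Data

$HostileUser    = "admin' OR '1'='1' --"        # constructed SQL injection input
$HostileComment = '<script>alert(1)</script>'   # constructed XSS input

# VULNERABLE: string concatenation lets the input rewrite the query itself.
function Build-UnsafeQuery {
    param([string]$UserName)
    return "SELECT UserId FROM Users WHERE UserName = '$UserName'"
}

# SAFE: the query text is fixed and the input travels as a typed parameter,
# so SQL Server never parses it as SQL, whatever characters it contains.
function New-SafeCommand {
    param([string]$UserName)
    $cmd = New-Object System.Data.SqlClient.SqlCommand
    $cmd.CommandText = 'SELECT UserId FROM Users WHERE UserName = @UserName'
    $param = $cmd.Parameters.Add('@UserName', [System.Data.SqlDbType]::NVarChar, 64)
    $param.Value = $UserName
    return $cmd
}

# XSS: encode untrusted data at the moment it is written into HTML. The post
# links the Anti-Cross Site Scripting Library; WebUtility.HtmlEncode is the
# framework's built-in encoder and illustrates the same rule.
function ConvertTo-SafeHtml {
    param([string]$Untrusted)
    return [System.Net.WebUtility]::HtmlEncode($Untrusted)
}

'Concatenated query (the input changed its structure):'
Build-UnsafeQuery -UserName $HostileUser

$safe = New-SafeCommand -UserName $HostileUser
'Parameterized query text (unchanged):'
$safe.CommandText
'Parameter value carried separately: ' + $safe.Parameters['@UserName'].Value

'Raw comment:     ' + $HostileComment
'Encoded comment: ' + (ConvertTo-SafeHtml -Untrusted $HostileComment)
```

Run it in a Windows PowerShell console: the concatenated query comes back with its WHERE clause rewritten by the input, while the parameterized command's text is exactly the literal you wrote and the hostile string is carried only as a parameter value. The same rule applies to the comment: what reaches the browser is the encoded text, which renders as characters rather than executing.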

This week SAFECode.org released an excellent application security guide entitled "Fundamental Practices for Secure Software Development", which includes updated information from Michael Howard, a simple security guy from Microsoft, and 15 other co-authors on how to write applications securely. It is an excellent guide not just for developers but also for IT management, who should review and understand at least the basic concepts so that they can enable and empower our developers with the security training and tools needed to make our applications strategic assets for our businesses and governments. Developers are usually great at what they code, but many do not necessarily understand security unless it has been part of their training curriculum or job function, so IT as a whole needs to ensure we provide security awareness, training, and security testing tools for our developers just as we do for our network engineers and firewall administrators.

The guide covers many aspects of application development that I did not address in my previous post, Secure Applications - The Microsoft Way, and is so well written and comprehensive that I will not blog in detail on its contents here. Instead I encourage you to download it, read it for yourself and make it part of your security library: Fundamental Practices for Secure Software Development.

Great Job SAFECode!!!

Defense-in-Depth vs. BitUnlocker: How to defeat Cold DRAM attacks using BitLocker, Power Options, and Physical Security

Princeton University published a paper this week entitled Lest We Remember: Cold Boot Attacks on Encryption Keys, which shows how an attacker can extract the contents of DRAM from a computer that has just been powered off, retrieve the encryption keys from that memory image offline, and decrypt disks protected by many popular disk encryption products, including Microsoft BitLocker, FileVault, dm-crypt and TrueCrypt, on Linux, Vista and Mac OS X, using no special devices or materials.

They also published a video of a variant of the attack against BitLocker, which they dubbed "BitUnlocker". It demonstrates the attack using the following method:

1. The machine is powered on and locked

2. They attach a USB disk

3. They cut power by removing the battery

4. They quickly replace the battery and restart the laptop

5. The computer boots from the external drive, which copies everything still in DRAM, capturing most of the data.

6. The program then looks for the encryption keys offline.

The attack applies to machines that are sleeping or locked and, in BitLocker's case, to machines that do not require a PIN or USB key at startup. Here is Microsoft's official response:

The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer's memory can be accessed by a determined third party if the system is running. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like all full volume encryption products BitLocker has a key in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive(s) in use. If a system is in 'Sleep mode' it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit (available here). In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication.

How do you defeat such an attack in practice? The answer is simply to follow Microsoft's recommended security best practices and "Defense in Depth". Here are my recommendations for defeating BitUnlocker with BitLocker, Power Options, and physical security best practices:

You must have a TPM 1.2 with “TPM+PIN” (or “TPM+USB”) configured, and the machine must be hibernated or powered off when not in use, so that it is in that state if BitUnlocker is attempted against it.

Note: If the machine is still running and locked, or has only been shut off for a few seconds, it is still vulnerable to this attack. (This is where physical security is key.)

The main attack vector is machines that are not physically secured (laptops, PCs in unlocked buildings), that are not in use (in the hotel room, or at the desk while you are at lunch), and that are still running (sleeping, or active and locked).

The following shows how to configure BitLocker with a TPM 1.2 in TPM + PIN configuration and how to configure your laptop to hibernate or shut down (not sleep), so that you will not be easily defeated by this attack.

1. Use BitLocker with a TPM 1.2 in “TPM + PIN” configuration. This is Microsoft’s recommended most secure BitLocker option anyway; it requires a PIN at boot and whenever the machine resumes from hibernation. You can back up your recovery key to a network share. In my case, My Documents is mapped to a network server, so I can recover the key from another machine if I forget my PIN. Caution: if you save your recovery key to a USB drive or print it, and that USB drive or printed document is stolen with your laptop or lost, then you are at risk, and may even be unable to recover at all if you forget your PIN, which is why I prefer a network drive that is secured and backed up.

2. Configure BitLocker: Pre-Requisites & Step-by-Step Guide. For BitLocker to work, you must be running Vista Ultimate or Vista Enterprise edition and have at least two partitions on your hard disk. Review http://download.microsoft.com/download/c/3/8/c3815ed7-aee7-4435-802b-8e855d549154/BitLocker_StepByStep.doc for minimum system requirements, disk partitioning information and basic BitLocker setup, then proceed to step 3 to configure TPM+PIN.

3. Configure TPM+PIN (or TPM+USB)

To turn on BitLocker Drive Encryption with a TPM plus a PIN or with a TPM plus a startup key on a USB flash drive

1.   Click Start, type gpedit.msc in the Start Search box, and then press ENTER.

2.   If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

3.   In the Group Policy Object Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then double-click BitLocker Drive Encryption.

4.   Double-click the setting Control Panel Setup: Enable Advanced Startup Options. The Control Panel Setup: Enable Advanced Startup Options dialog box appears.

5.   Select the Enabled option. For TPM plus a PIN or startup key configurations, you do not need to change any further settings, but you can choose to require or disallow users to create a startup key or PIN. Click OK.


6.   Click Start, type gpupdate.exe /force in the Search box, and then press ENTER. Wait for the process to finish.

7.   Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

8.   If the User Account Control message appears, verify that the proposed action is what you requested, and then click Continue. For more information, see Additional Resources later in this document.

9.   On the BitLocker Drive Encryption page, click Turn On BitLocker on the system volume.

10.  On the Set BitLocker startup preferences page, select the startup option you want. You can choose only one of these options:

·      Require PIN at every startup. You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.

·      Require Startup USB key at every startup. You will see the Save your Startup Key page. Insert your USB flash drive, choose the drive location, and then click Save.

11.  On the Save the recovery password page, you will see the following options:

·      Save the password on a USB drive. Saves the password to a USB flash drive.

·      Save the password in a folder. Saves the password to a network drive or other location.

·      Print the password. Prints the password.

Important:

The recovery password will be required in the event the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended that you make additional copies of the password stored in safe places to assure you access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker Drive Encryption enters a locked state (see Scenario 4: Recovering Data Protected by BitLocker Drive Encryption). This recovery password is unique to this particular BitLocker encryption. You cannot use it to recover encrypted data from any other BitLocker encryption session.

Choose any of these options to preserve the recovery password. Store recovery passwords apart from the computer for maximum security. To choose more than one recovery password storage method, select one, follow the wizard to determine the location for saving or printing, and then click Next. You can then repeat this step to choose additional recovery password storage methods.

12.  On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.

Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts. 

13.  If it is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the tool bar at the bottom of your screen or clicking on the Encryption balloon.

By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time you turn your computer on, the USB flash drive must be plugged into a USB port on the computer or you must enter your PIN. If you do not, you will not be able to access data on your encrypted volume. Store the startup key away from the computer to increase security. Without the startup key, or your PIN, you will need to go to recovery mode and supply the recovery password to access your data.

4. Choose a PIN of at least 7 digits, of which at least 4 are unique. For additional information please review: MSDN Blog - Finding a Secure PIN

5. If your machine is sufficiently fast, while you are in GPEDIT.MSC I would recommend changing the “Configure Encryption Method” policy to “AES 256 bit with Diffuser” to reduce the chance of a successful brute force attack. More information on the differences between 128-bit and 256-bit drive encryption is found at: http://windowshelp.microsoft.com/Windows/en-US/Help/c4500bf7-8392-4c38-a56e-d018a2438aa21033.mspx. The default is 128 bit with Diffuser, but I am using 256 with no performance degradation.


6. From Control Panel -> Power Options, change the “Choose what the power buttons do” options from Sleep to Shut down or Hibernate. In my case, I changed from Sleep to Hibernate. The effect is a delay of about a minute when shutting down and powering up your laptop, and you will be required to enter a PIN.


7. Once you have configured your power options, any time you start your machine you will be required to enter your PIN, but the advantage against the attacks shown in the video is that in hibernate mode memory is written to disk, which is protected by BitLocker.

8. Remember that the most dangerous automated attack vector in the paper was using BitUnlocker against a machine that was “sleeping”: the machine is still running and memory is still powered. That gives a thief ample time to get access to the memory and cool it, or to launch the automated BitUnlocker attack at any time.

When you shut down your laptop or it goes into hibernation, all memory is written to disk, which is now protected by BitLocker. Remember, however, that there is still a window of a few seconds to a couple of minutes after shutdown, while the DRAM contents fade, during which you need to watch your laptop.

Once it is shut down or in hibernate mode and memory has faded, BitUnlocker cannot recover the key from memory if TPM+PIN is configured. An attacker would have to resort to brute-forcing the PIN, which is very difficult because of the TPM's built-in anti-hammering protection.
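To make the recommendations above checkable, here is an added PowerShell example (not code from the original post or from Microsoft) for Windows 7 or later, where manage-bde.exe and powercfg.exe are available; the post's own steps use the Vista Group Policy UI. It reports whether the OS volume has a TPM+PIN or TPM+startup-key protector, whether policy requires the PIN and selects AES-256 with Diffuser, and whether hibernation is enabled, and it switches the lid, power and sleep buttons from sleep to hibernate. The drive letter, the idle timeout and the meaning of the policy registry values are assumptions noted in the comments; run it from an elevated prompt.

```powershell
# Added example (not from the original post): checks and applies the
# cold-boot posture the post recommends. Needs Windows 7 or later
# (manage-bde.exe, powercfg.exe) and an elevated prompt. Drive letter, idle
# timeout and the policy value meanings are assumptions noted below.

function Test-ColdBootPosture {
    param([string]$Drive = 'C:')

    # 1. Key protectors on the OS volume. TPM-only unseals the key without any
    #    user secret, so only TPM+PIN or TPM+startup key counts here.
    $protectors  = (& manage-bde -protectors -get $Drive 2>&1) | Out-String
    $hasTpmPin   = $protectors -match 'TPM And PIN'
    $hasTpmKey   = $protectors -match 'TPM And Startup Key'
    $hasRecovery = $protectors -match 'Numerical Password'

    # 2. Policy the post sets in gpedit. Values as used by the Windows 7 era
    #    BitLocker policy (assumption): UseTPMPIN 2 = PIN required,
    #    EncryptionMethod 2 = AES 256 bit with Diffuser.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $pinRequired    = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMPIN -eq 2)
    $aes256Diffuser = ($null -ne $fve) -and ($fve.EncryptionMethod -eq 2)

    # 3. Hibernation must be enabled, or a "hibernate" button silently sleeps
    #    instead and the key stays in powered DRAM.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $hibernateOn = ($null -ne $power) -and ($power.HibernateEnabled -eq 1)

    [pscustomobject]@{
        Drive               = $Drive
        TpmPlusPin          = $hasTpmPin
        TpmPlusStartupKey   = $hasTpmKey
        RecoveryPassword    = $hasRecovery
        PinRequiredByPolicy = $pinRequired
        Aes256Diffuser      = $aes256Diffuser
        HibernateEnabled    = $hibernateOn
        ColdBootResistant   = (($hasTpmPin -or $hasTpmKey) -and $hibernateOn)
    }
}

function Set-HibernateInsteadOfSleep {
    # Mirrors the post's Power Options change: lid, power and sleep buttons
    # hibernate (index 2) instead of sleep (index 1), on AC and on battery,
    # and the idle sleep timer is replaced by an idle hibernate timer.
    param([int]$IdleMinutes = 20)
    & powercfg /hibernate on
    foreach ($action in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        & powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
        & powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    }
    & powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    & powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    & powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE ($IdleMinutes * 60)
    & powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE ($IdleMinutes * 60)
    & powercfg /setactive SCHEME_CURRENT
}

# Report first; apply the power change only once a TPM+PIN or TPM+key
# protector is in place, since hibernation alone does not help a TPM-only volume.
$posture = Test-ColdBootPosture -Drive 'C:'
$posture | Format-List
if ($posture.TpmPlusPin -or $posture.TpmPlusStartupKey) { Set-HibernateInsteadOfSleep -IdleMinutes 20 }
```

ColdBootResistant is deliberately conservative: it is true only when a user secret is required at boot and hibernation is actually enabled. The recovery password line is reported separately because, as the post notes, where that password is stored matters as much as whether it exists.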

Home Router Hacks, VOIP Phishing & Driveby Pharming

A new era is dawning in mainstream hacking techniques that target devices that are not well defended in most homes. The routers you buy at your local retailer to protect your DSL or cable connected PC from malevolent hackers are now the very platform that malefactors use to steal your information, redirect your phone calls and send you to illegitimate, data-harvesting banking web sites.

Drive-by Pharming: Check out the article "Drive-by Pharming in the Wild" on Symantec's web site. The basic form of the attack was one in which the hack "modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site." Many common home routers from D-Link, Linksys and Netgear can be vulnerable to this attack, not because of a software vulnerability but because the DEFAULT PASSWORD WAS NOT CHANGED on the router. This type of attack will be less common in the business world, assuming the routers are well managed, but home users are slow to adopt security when they don't understand the risks or when the fix is inconvenient or difficult. How many home users even know how to log in to their home router once it is initially set up and configured? This type of attack was only a theory last year, but now it's REAL!
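As an added example (not from the original post or from Symantec), the Windows PowerShell script below does the two checks a home or small-office user can run from a PC to notice the DNS change a drive-by pharming attack makes on the router: it lists the DNS servers the adapters actually use and flags any that are not on an allow list, and it resolves a few names through the system resolver and through an independent resolver and reports disagreements. The allow list, the reference resolver (Quad9 here) and the test names are assumptions; substitute your own. Resolve-DnsName needs Windows 8 or later.

```powershell
# Added example (not from the original post): client-side checks for the DNS
# change a drive-by pharming attack makes on the router. Windows PowerShell on
# Windows 8 or later (Resolve-DnsName). Allow list, reference resolver and
# test names are assumptions; substitute your own.

$TrustedResolvers  = @('192.168.1.1', '9.9.9.9')   # your router and/or ISP resolvers (constructed)
$ReferenceResolver = '9.9.9.9'                     # independent resolver for comparison (Quad9)
$NamesToCheck      = @('www.example.com', 'www.example.net')   # constructed test names

function Get-ConfiguredResolvers {
    # The DNS servers every IP-enabled adapter is actually using, whether they
    # came from DHCP (normally the router) or were set by hand.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Test-ResolverAllowList {
    param([string[]]$Configured, [string[]]$Trusted)
    # Anything not on the allow list is a finding. A router whose DNS setting
    # was changed shows up here only if it hands the new address to clients;
    # if it proxies DNS itself, the answer comparison below is the check.
    $Configured | Where-Object { $Trusted -notcontains $_ }
}

function Compare-DnsAnswers {
    param([string]$Name, [string]$Reference)
    # Resolve through the system path (router) and through an independent
    # resolver. A disagreement is a lead, not proof: CDN-hosted names can
    # legitimately differ by region, so compare login pages you know well.
    $viaSystem = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object
    $viaRef = Resolve-DnsName -Name $Name -Type A -Server $Reference -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object
    [pscustomobject]@{
        Name      = $Name
        System    = ($viaSystem -join ',')
        Reference = ($viaRef -join ',')
        Match     = (($viaSystem -join ',') -eq ($viaRef -join ','))
    }
}

$unexpected = Test-ResolverAllowList -Configured (Get-ConfiguredResolvers) -Trusted $TrustedResolvers
if ($unexpected) { "Unexpected DNS server(s) in use: $($unexpected -join ', ')" }
$NamesToCheck | ForEach-Object { Compare-DnsAnswers -Name $_ -Reference $ReferenceResolver } |
    Format-Table -AutoSize
```

An unexpected resolver address, or a bank's login name resolving to different addresses through the router than through the reference resolver, is the signal to log in to the router, compare its DNS settings with what the ISP hands out, and change the default password if that has not been done.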

VOIP Call Jacking: The next big wave coming in telephony is a new type of VOIP attack called "Call Jacking", which can be used both as a classic phishing attack to harvest information and as a toll fraud mechanism. Voice over IP telephony has grown tremendously in the past few years because it is a low-cost alternative to traditional telephone lines. With this technology come new security challenges, and VOIP may turn out to be more costly than we initially thought.

Home Router Hacks: There is currently no good way to get home users to update their routers with security patches and firmware upgrades. Most users don't know they are vulnerable or how to fix a vulnerable home router, but Secunia lists at least 19 Linksys devices with one or more vulnerabilities, 24 D-Link devices, and 11 Netgear devices. The number of vulnerabilities and models listed does not really say how secure one home router is relative to the others; they are all state-of-the-art routers and firewalls that are being probed continually for weaknesses to exploit. The manufacturers do issue advisories and patches for these devices, but home users rarely get the updates, and much of the time do not even know they are at risk.

So what do we do about these new types of attacks?

Short term - we need to understand the changing landscape and educate users about these risks. Chances are that if you are reading this blog you are already concerned about security, so go tell your friends, family and co-workers about security best practices and what to watch for. Have them read a good article on DNS spoofing and change the default passwords on their home routers. There are always going to be risks online; we just need to minimize them where possible, and changing the default password is a good start.

Long term - there needs to be a shift in how home devices are designed, so that non-technical users are steered toward best practices and are notified when their devices are not secured or configured properly. Perhaps anti-phishing and anti-malware technology should be built into the routers themselves.

Summary: Attackers are creative and will continue to get more sophisticated and go after the targets that are least likely to be detected and hardest to recover. Some of these new kinds of attacks will never pass through an anti-virus filter on a PC. Because of that, I believe home routers are low-hanging fruit for the next few years and will be one area that is targeted more and more.

Secure Web Applications - The Microsoft Way

A question came up this week on how to secure web applications the Microsoft way.

Microsoft has extensive prescriptive guidance that applies to securing online applications.

Defense in Depth

1.       Start by building on a Secure Platform:

·         Windows Server 2003 with latest Service Pack - http://www.microsoft.com/windowsserver2003/default.mspx

·         Windows SQL Server 2005 with Latest Service Pack http://www.microsoft.com/sql/default.mspx

·         Implement Microsoft Best Practice Security Guidance for Servers - http://www.microsoft.com/technet/security/guidance/serversecurity.mspx

2.       Build the application using best practice Secure Coding techniques

·         Secure Coding Guidelines - http://msdn2.microsoft.com/en-us/library/d55zzx87.aspx

·         Writing Secure Code - http://msdn2.microsoft.com/en-us/security/aa570401.aspx

3.       Be aware of common threats to Applications and avoid SQL Injection & Cross Site Scripting attacks:

·         “Stop SQL Injection Attacks Before They Stop You” - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection

·         “How To: Protect From SQL Injection in ASP.NET” - http://msdn2.microsoft.com/en-us/library/ms998271.aspx

·         “How to Prevent Cross Site Scripting” - http://support.microsoft.com/kb/252985

·         “Anti-Cross Site Scripting Library” - http://msdn2.microsoft.com/en-us/security/aa973814.aspx

4.       Use Network based Firewall at the perimeter –Forefront Edge: ISA 2006

·         Secure remote access - http://www.microsoft.com/forefront/edgesecurity/sra.mspx

·         Network protection against Floods & Attacks - http://www.microsoft.com/technet/isa/2006/flood_resiliency.mspx

5.       Access the Application securely by Publishing through the Firewall & using appropriate security

·         Publish Site using Forefront Edge Internet Application Gateway (IAG) with Application Layer Firewall - http://www.microsoft.com/forefront/edgesecurity/iag/default.mspx

·         IAG Secure Remote Access White Papers - http://www.microsoft.com/forefront/edgesecurity/iag/whitepapers.mspx

·         Use the practice of Least Privilege account access - http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

6.       Audit your Firewall, Application and Operating System Logs

·         Audit Active Directory - http://support.microsoft.com/kb/814595

·         Audit Policy - http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

·         Audit ISA - http://www.microsoft.com/technet/isa/2006/security_guide.mspx

7.       Use Secure Authentication Mechanisms (IAG can use AD, Kerberos, RADIUS, LDAP etc…)

·         IIS Authentication - http://support.microsoft.com/kb/324274

·         Kerberos Authentication in Windows Server 2003 http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx

8.       Use Host based Antivirus & Antimalware protection on Clients and Servers

·         Forefront Client Security - http://www.microsoft.com/forefront/clientsecurity/default.mspx

9.       Keep all systems patched with latest Security Patches using Microsoft Update or WSUS

·         Microsoft Windows Server Update Services (WSUS) - http://technet.microsoft.com/en-us/wsus/default.aspx

·         How to keep your Windows up-to-date - http://support.microsoft.com/kb/311047

·          Patch 3rd party products that are not managed by Microsoft

o   Backup Software

o    Zip or Compression Utilities

o    Antivirus

o    IE Plug-ins

o   Management Software

o   etc….

Note: A system that is fully patched with Microsoft Updates can still be vulnerable through unpatched third-party software, especially software that installs a driver or runs with administrator privileges.

10.   Remember the CIA triad of security: Confidentiality, Integrity, and Availability

There are a number of other considerations as well, focused on these three:

·         Backups of Server 2003 & SQL 2005 Database

a.       http://www.microsoft.com/technet/prodtechnol/sql/2005/bkupssas.mspx

b.      http://technet.microsoft.com/en-us/library/aa998799.aspx

c.    http://technet.microsoft.com/en-us/library/ms175477.aspx

·         Load Balancing & Clustering

a.       http://technet2.microsoft.com/WindowsServer/en/Library/1611cae3-5865-4897-a186-7e6ebd8855cb1033.mspx?mfr=true

b.      http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/2d5977cf-06b7-4d4b-8e8c-ce083ac8a6ee.mspx?mfr=true

·         High Availability & Disaster Recovery

a.       http://www.microsoft.com/technet/security/guidance/disasterrecovery.mspx

b.      http://www.microsoft.com/technet/windowsserver/sharepoint/V2/reskit/c2861881x.mspx

c.       http://technet.microsoft.com/en-us/sqlserver/bb331801.aspx

·         File Encryption (EFS & BitLocker)

a.       http://www.microsoft.com/technet/security/guidance/cryptographyetc/efs.mspx

b.      http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx

Note: BitLocker will be available in Windows Server 2008  http://technet2.microsoft.com/WindowsVista/en/library/58358421-a7f5-4c97-ab41-2bcc61a58a701033.mspx?mfr=true

·         Rights Management Services (RMS)  

a.       http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

b.      http://www.microsoft.com/windowsserver2003/techinfo/overview/rm.mspx

Case Study

The Infrastructure of www.microsoft.com, Microsoft Update, and the Download Center

http://download.microsoft.com/download/6/2/b/62bae197-0d3d-4dbb-913a-acd21c57a2c7/DRJ_MSCom_Design_for_Resilience_FINAL.ppt

Conclusion

These are a few things to consider, but the key is thinking about Defense in Depth and end-to-end security of the data, systems, network infrastructure, and application.

You need to know first how to secure the application, but then you also need to know how to identify threats when your security is being tested or compromised, and how to respond to those threats.

Why Social Engineering always works :(

What is Social Engineering & why should you care?

Social engineering (security) - a definition from Wikipedia:

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

Basically, it is used-car sales tactics applied to the workplace in order to trick people into giving out computer passwords and security codes over the phone, by mail or in person.

Kevin Mitnick, arguably the most infamous hacker in U.S. history, wrote a book called “The Art of Deception” in which he exposes the weakness in human security when people are deceived. The book description on Mitnick’s website states: “he [Mitnick] illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent”.

It’s really quite easy to bypass security rules, firewalls and policies if you are a user who is authorized to do so as part of your daily job, which is exactly why we never give out passwords.  But in practice all an attacker has to do is ask for a password, and people will hand it over if they think the caller is trying to help them.

 

How it works:  If you want to gain unauthorized access to a computer system, just call up the company from the phone directory, press zero for the operator, and ask for the department of your choice.  You then simply ask the employee who answers to give you their Employee ID, username and password, using whatever angle fits your style.  Help Desk & HR are usually good choices to impersonate.

 

Why use the phone?  It’s easier to conceal our nervous expressions when we lie.  We can disguise our voice much easier than we can our countenance.  We can do it anonymously without recognition of our true self.  And using the phone is much easier than hacking into a network using traditional technological means and methods.

 

The employee being called is usually busy doing their job and would rather not think about why they are getting a call from the supposed Help Desk technician or local Human Resources representative; they just want to get back to work.  In fact, if you like to talk, you can ask about their pets, favorite ball team and kids, and see if they don’t open up to you and spill the beans on just about any question you ask.

 

Why?  It’s probably because we naturally trust people on the phone at work.  At home we feel someone is always trying to sell us something and are a little more cautious, especially with all the news stories on identity theft and phishing scams via email.  We have caller block and do-not-call lists in our house, and we have antivirus, firewall, and phishing filters in our browsers, but there is something magical about a corporate office that gives us a sense of security that our employer screens our calls for us.  We don’t feel threatened, and we genuinely want to help people in need and especially want to cooperate with those individuals trying to solve a problem for us at work.

 

So what can you do?

1. ASK QUESTIONS

 

If someone phones or appears and asks you for information that you know is confidential company, client or personal information, don’t be afraid to ask them a few questions yourself.

By phone:

  • Ask for the correct spelling of the caller's name.
  • Ask for a number where you can return the call.
  • Ask why the information is needed.
  • Ask who has authorized the request and let the caller know that you will verify the authorization.

In person:

  • Ask for some identification.
  • Ask who has authorized this request so you may verify the authorization.
  • If you are not authorized to provide that information, offer to locate the correct person.
  • Seek assistance if you are unsure.

Sample questions taken from http://www.nd.gov/itd/security/start/soceng4.htm

 

2. RECOGNIZE SUSPICIOUS BEHAVIOR

• If you hold a clipboard while talking on a cell phone, people will hold the company doors open for you and let you into almost any building.  Remember that uniforms and clipboards are cheap.

• Passwords are personal – the Helpdesk should never ask you to give them your password, and if you reset a password with one provided by the Helpdesk, change it immediately.

• If you didn’t ask for help, be surprised when someone offers to fix something.

 

3. RESPOND TO SOCIAL ENGINEERING ATTACKS

Report questionable behavior to Security or Management.

 

Additional Resources:

How to Protect Insiders from Social Engineering Threats (Microsoft)

A Multi-Level Defense Against Social Engineering (SANS)

 

Other links are available from:

http://www.securityfocus.com/infocus/1527

Online Internet Safety Resources

Here are some resources from the Microsoft Internet Safety Toolkit to help keep your kids and family safe online:

• StaySafe.org (http://www.staysafe.org) - Educational site intended to help consumers understand both the positive aspects of the Internet as well as how to manage a variety of safety and security issues that exist online

 

• Be Web Aware (http://www.bewebaware.org) - National, bilingual public education program on Internet safety designed to ensure that young Canadians benefit from the Internet, while being safe and responsible in their online activities

 

• Safe Kids Worldwide (http://www.safekids.org) - Global network of organizations whose mission is to prevent accidental childhood injury, a leading killer of children 14 and under

 

• WebSafe Crackerz (http://www.websafecrackerz.com) - Interactive games and puzzles designed to help teenagers and offer strategies for dealing with different situations online including spam, phishing, and scams

 

• GetNetWise (http://www.getnetwise.org) - Public service offered by a coalition of Internet industry corporations and public interest organizations that want Internet users to be only "one click away" from the resources they need to make informed decisions about their and their family's use of the Internet

 

• iSafe (http://www.isafe.org) - Worldwide leader in Internet safety education; incorporates classroom curriculum with dynamic community outreach to empower students, teachers, parents, law enforcement, and concerned adults to make the Internet a safer place

 

• International Centre for Missing & Exploited Children (http://www.icmec.org) – Global agency that promotes the safety and well-being of children through activism, policy development and multinational coordination

 

• Interpol (http://www.interpol.int) - International police organization that facilitates crossborder police cooperation, and supports and assists all organizations, authorities, and services whose mission is to prevent or combat international crime

 

• UNICEF (http://www.unicef.org) – Global advocate for the protection of children's rights dedicated to providing long-term humanitarian and developmental assistance to children and parents in developing countries

 

• ECPAT (http://www.ecpat.net) - Network of organizations and individuals working together to eliminate the commercial sexual exploitation of children

 

• INHOPE (http://inhope.org) - International association that supports Internet hotlines in their aim to respond to reports of illegal content to make the Internet safer

 

• Childnet International (http://www.childnet-int.org) - Non-profit organization that works in partnership with others around the world to help make the Internet a great and safe place for children

 

• SafeKids.com (http://www.safekids.com) – Resources to help families make the Internet and technology fun, safe, and productive

 

• Net Family News (http://netfamilynews.org) – Non-profit public service providing a forum and "kid-tech news" for parents and educators in more than 50 countries

 

• Microsoft Security At Home (http://www.microsoft.com/protect) – Information and resources to help the public protect their computers, protect themselves, and protect their families

 

• Center for Safe and Responsible Internet Use (http://csriu.org) – Organization providing outreach services addressing the issues of the safe and responsible use of the Internet

 

• WiredSafety (http://www.wiredsafety.org) – Online safety, education, and help group that offers help for online victims of cyber-crime and harassment, assistance to law enforcement worldwide on preventing and investigating cyber-crimes, and information on all aspects of online safety, privacy and security.

 

• National Council for Motherhood and Childhood (http://www.nccm.org.eg) – Egyptian organization dedicated to supporting childhood and motherhood from a rights-based approach

 

• NetAlert Limited (http://netalert.net.au) – Non-profit community organization established by the Australian government

 

In addition to the education resources above, here is a list of Family Protection Software reviewed at http://www.filterguide.com/ratings.htm.

Best Parental Control Software Review:

• Safe Eyes (InternetSafety.com) – Parental Control – SafeEyes Platinum content filter and parental control monitoring software will allow you to block porn, popups and more. "Editor's Choice"

• NetNanny (NetNanny.com) – Content Filtering – Net Nanny internet filtering software was produced to filter, stop, and monitor internet porn sites. "Editor's Choice"

• ContentProtect (ContentWatch.com) – Content Filtering – ContentProtect is now combined with the Net Nanny web filter and is listed as one of our top filters. "Editor's Choice"

• BSafeOnline (BSafeHome.com) – Parental Control Software – Use the BsafeHome parental controls for internet blocking of porn and sites that are objectionable. "Editor's Choice"

• Cybersitter (CyberSitter.com) – Cybersitter content filter software stops profanity, sex, nudity and pornography internet web sites from reaching your computer.

• Actmon (ActMon.com) – Internet Blocking Software – Act Mon Computer Control internet filtering software will keep an eye on and filter computer and PC workstations.

• CyberPatrol (CyberPatrol.com) – Internet Filter Software – CyberPatrol 7 controls who is permitted access to the internet, and filters wherever those users surf on the internet.

• Guardian Monitor (GuardianSoftware.com) – Internet Filter Software – Guardian Monitor monitors peer-to-peer, instant messaging, chat rooms, emails and websites.

• ChildwebGuardian (ChildWebGuardian.com) – Internet Parental Software – Childwebguardian blocks profanity, sex, nudity, violence, adult websites, pornography, and more.

• ComputerCop (ComputerCop.com) – Parental Controls Filters – ComputerCOP scans and views a computer, giving parents an easy way to find out whether the computer system has been used inappropriately.

• SOS KidProof – Parental Control Internet Filter – SOS KidProof is the most far-reaching, well-featured software program offered for protecting and viewing your children’s website activity.

 

While I cannot guarantee the reliability of these 3rd party sites and services, I do hope these resources are a helpful start in educating yourself and others about online cyber threats and responsible ways to deal with those threats.


 

Espionage & Counter Intelligence for the "Average Joe"

Today in the news there was a story of a major security breach in which nuclear secrets were stolen from Oak Ridge National Laboratory.  A contract employee allegedly obtained highly classified information on uranium enrichment to be sold to a foreign country.  See the news article on MSNBC:  National lab worker accused of stealing secrets.  It’s a stark reminder that information is both valuable and important, and that there are people who want that information and are willing to sacrifice and go to great lengths to obtain it.

It reminded me that I recently had the opportunity to attend the “Five Pillars of Executive Leadership in a Non Secure World Conference” in Research Triangle Park, NC sponsored by the North Carolina Technology Association (NCTA).  The conference focused on corporate security as a business ethic, and was discussed in light of potential criminal & terrorist attacks against U.S. citizens.

The 5 pillars referenced in the seminar’s name were:

1. Protecting People

2. Physical Security

3. Intellectual Property Protection

4. Cyber Security

5. Business Continuity Planning

 

The conference, which targeted business leaders, addressed identity theft, terrorism and natural disasters, but what I was most intrigued by was the threat of Industrial Espionage, especially when travelling, and the Counter Intelligence efforts that can be conducted by everyday Average Joes carrying laptops & cell phones.  It suddenly occurred to me: I am that “Average Joe” and so are you!!!

Definitions (from Wikipedia):

Counter Intelligence – Efforts designed to prevent enemy intelligence organizations & competitors from successfully gathering and collecting intelligence.

Espionage – The practice of obtaining information about an organization that is considered secret or confidential without the permission of the holder of the information.

 

What can we do?

Armed with just a little bit of knowledge, we can stay alert and use security best practices when travelling to minimize the risk to our physical safety and to the intellectual property stored digitally in our bags and pockets.  We need to take responsibility to protect ourselves, our businesses & effectively the U.S. government from losing sensitive information or secrets, including intellectual property, financials, or secret formulas that would give competitors a business or military advantage.

Some examples of Espionage:

• A foreign airport official confiscates your corporate laptop to “check it”; after duplicating your drive, it is returned to you apparently undamaged.

• Your cell phone is used as a bug to eavesdrop on your “private” business conversation.

• A foreign government gives or sells your business data to your foreign competitor.

• A contract worker at a nuclear lab obtains classified secrets with intent to sell them.

 

Some useful travel tips:

1. Never let a laptop out of your sight in an airport, and use encrypted drives (i.e. BitLocker Drive Encryption) so that if the computer is stolen, only a piece of hardware is lost and not the data.

2. Never, ever, check your laptop (or other valuables) with your luggage.

3. Assume any conversation on a phone is public, and do not disclose business-confidential data on phones in a foreign country.

4. Assume any Internet activity is public, so be sure to encrypt any communications that need to be private.  For example, do not send sensitive work-related e-mail from a public hotspot.

5. When overseas, contact the U.S. Embassy and let them know where you are staying & when you are traveling away from your hotel.

6. Stay on hotel floors between the 2nd and 6th.  Avoid first-floor rooms, especially those facing a parking lot, because they are the easiest for thieves to reach.  Avoid rooms above the 6th floor, as many fire departments are unable to reach rooms higher than that with a ladder.

7. In regions highly susceptible to terrorism, you may want to consider using a local hotel instead of a mainstream hotel chain that may be targeted simply because of its affiliation with a country.

8. Never leave valuables containing business-sensitive information in a hotel room.  A room safe may protect against a curious maid, but it will not keep out trained professionals who want your data.

9. Don’t leave passwords or dial-in remote access numbers attached to labels on your computer or in your laptop case.

10. Espionage is theft of information, not hardware, so someone may just want a copy of your drive.  The airport official may bring your laptop back, or nothing may be missing from your room even though it looks like someone has been through your things, but that doesn’t mean nothing was taken.

Further Reading & Useful Travel Safety Links:

http://travel.state.gov

http://www.state.gov/travelandbusiness

“Theft While Traveling” on the U.S. Department of Energy website

Industrial Espionage ‘Real and out there’ – by Will Smale – BBC News

You don't have to be a Rocket Scientist to stay safe online.

Simply following a few basic safety tips can minimize your risk of being hacked, having your identity stolen, or accidentally exposing your children to adult content on the Web.

 

How?  Take the time to understand the threats and how to respond to them.  Realize that the Internet is a dangerous place with people you have never met who want your stuff, time, money, kids’ affection & ideas.  There is lots of good stuff online, but we need to be as responsible, educated & wise in cyberspace as we are in the real world.

 

If I've heard it once, I've heard it a dozen times: "I don't really have anything important on my computer" - That's simply not true!  It's like leaving the keys in your car ignition with the windows rolled down.  The thief is likely to use your auto as a getaway car in a bank robbery.

 

Do you bank online?  Your passwords can be stolen!

Do you send email to friends & family?  Your addresses can be harvested for spam!

Do you have family photos?  Your pictures can be posted online for strangers to view!

 

Almost any data can be exploited or sold, and even if you really have nothing but an empty PC connected to the Internet, it’s still valuable to the bad guys, who can use it as a botnet weapon of mass disruption (a zombie, as it were) without your permission or knowledge.  Your compromised machine can be used to attack innocent victims & the FBI will track the attack to your house, not the attacker’s.

 

In fact, many of the problems with cyberthreats to families are not the result of a sophisticated hacker attack or advanced targeted viruses.  They are the result of home users not taking the time to follow basic online safety rules that can protect their family.

 

What can you do?

 

1. Understand the 10 Immutable Laws of Security:

   Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

   Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

   Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

   Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

   Law #5: Weak passwords trump strong security

   Law #6: A computer is only as secure as the administrator is trustworthy

   Law #7: Encrypted data is only as secure as the decryption key

   Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

   Law #9: Absolute anonymity isn't practical, in real life or on the Web

   Law #10: Technology is not a panacea

 

2. Discover more safety information online:

Read the FBI's: "A Parent's Guide to Internet Safety"

http://www.fbi.gov/publications/pguide/pguidee.htm

 

Visit Microsoft's "Protect Your Family" site:

http://www.microsoft.com/protect/family/default.mspx

 

Review online safety tips from StaySafe.org:

http://staysafe.org

 

4. Use Parental Controls & Internet filters to protect your kids from potentially harmful or unwanted Internet content.

- Use the built-in Windows Vista Parental Controls.

- Use 3rd party filters such as InternetSafety.com, CyberPatrol.com or NetNanny.

 

5. Don't talk to strangers or give out personally identifiable information to anyone you don't trust:

- Parents often teach their kids not to talk to strangers in real life, and cyberspace should be no different!

 

7. Patch! Patch! Patch!  Microsoft makes it easy to keep security patches up-to-date with Automatic Updates, WSUS or Microsoft Update.

- But don't forget to keep all your 3rd party applications, antivirus and backup software up-to-date as well.

- An unpatched app gives the bad guys an open door into your computer regardless of your antivirus solution or Windows updates.

 

8. Back up your important files on a regular basis and keep those files in a separate location from your computer (in the car, at work, etc.).

- You can burn important files to CD, use the built-in backup software, 3rd party backup software or an online file service that you trust.

- Windows Live Folders gives you password-protected storage on the Internet that you can keep private or share with others.

- Check it out - it’s FREE! - http://folders.live.com/

 

9. Keep your antivirus signatures up-to-date.

- But don't expect antivirus to protect you if you don't follow these other recommendations.

 

10. Don't click on e-mail attachments, even from people you trust, until you verify that the attachment is trustworthy and the sender meant to send it.

- Remember though, just because your friend clicked on the "Flying Pig" and laughed doesn't mean they were not secretly infected with a virus.

- Verify the source of the attachment - where did they get it?  If you don't know the original source or author, please be careful.

 

Many of these processes are automatic and easy, or can be with a little time invested up-front, but the return on investment is peace of mind.

Be responsible & take the time to protect your family & stay safe online!
