Thursday, November 13, 2014

A Look Back…

The subtitle of my blog is “Finding the balance between access and security.”  What I attempted to do with my blog was to look at information security issues.  Cybersecurity professionals are always trying to find the right mix between making something secure enough and, at the same time, accessible.  In this process, there are always compromises.  Most of the time, the right place to be is close to the middle.  But some things don’t have a clear, generally agreed-on solution.

In many of the posts, the issues are pretty straightforward and I took a strong position on one side of the issue.  For example, I really think WikiLeaks founder Julian Assange was completely wrong to post a malware program on his website instead of giving it to security professionals who could work on a defense against it (17 September).  In other posts, I stayed firmly in the middle.  In my post about ethical hackers being paid to find security flaws in software (1 September), I stated they provide a valuable service so we can defend against unethical hackers.

I encountered the topics for my blog in the radio programs I listen to and the blogs I subscribe to at work.  It didn’t seem difficult to find topics to write about. Most of the sources were IT tech blogs and they simply caught my attention.  I subscribe to about 8 weekly blogs on a variety of topics.  Most weeks I don’t read all of them.

Since I was generally commenting on someone else’s blog post, I feel that I wasn’t really adding anything new.  If I wasn’t required to blog for this class, I would comment on the blog with my opinion. Still, it was an enjoyable experience.   It’s a lot more fun to write about something I feel strongly about.  Doing so in a blog makes me think it through and organize my thoughts better.  On at least one occasion, I actually changed my opinion before I was done writing.  

Tuesday, November 11, 2014

Criminals Get Caught by Weak Security

Apparently, criminals need to be more concerned about security, too!  US and European law enforcement agencies recently took down 400 illegal websites, arrested 17 people and confiscated drugs, money and computer equipment.  The websites were all hosted on Tor, the anonymity network used to reach the "dark web": sites that are not indexed by normal search engines like Google or Bing.  Because the websites aren't easily accessible or traceable, they are popular with people who want to circumvent laws.  This includes political activists.  It also includes people who sell child porn, stolen credit card information, illegal drugs and weapons.

Tor looks like a browser on the surface (the Tor Browser is a preconfigured bundle), but underneath it is a network of volunteer relays.  Traffic is sent through a circuit of several relays, wrapped in a separate layer of encryption for each hop, so no single relay sees both who is sending the data and where it is going.  That protects the network path and nothing else: traffic that doesn't go through Tor, a server that leaks its real address through a misconfiguration, or identifying details in the site's own content are not hidden.  Routing everything through extra hops and encryption layers also slows down the data transfer.  Apparently, some criminals got complacent or impatient.

The specifics of how the criminals were caught aren't explained in the blog post, but my best guess is they cut corners with their security.  In this case, it worked out for the forces of good!



Nieva, R. (2014, November 7). Police skirt Tor anonymity software in shutting down illegal websites - CNET [Web log post]. Retrieved from http://www.cnet.com/news/authorities-skirt-tor-anonymity-software-in-shutting-down-illegal-websites/

Thursday, November 6, 2014

Microsoft Gets a Little More Secure

I remember the early days of Microsoft Windows.  It was designed as a stand-alone operating system.  This made sense, since the only way to connect to the Internet was through a modem and a phone line.  Dialup Internet access was expensive, too, so most people didn't have access at first.  As connectivity improved, security on a Windows PC didn't keep up.  We had to buy third-party anti-virus and anti-malware software.  Just six years ago, Microsoft began offering free anti-virus software called Security Essentials for download on any Windows PC.  They're going to include more security features in Windows 10, the next generation of Windows, scheduled for release in 2015.

According to Ed Bott of ZDNet, Windows 10 will have two-factor authentication built in.  The device itself (a tablet, laptop or PC) is enrolled as one factor, and the user unlocks it with a PIN or a biometric such as a fingerprint as the second, so a password stolen from a server is not enough on its own to log in as you.  It looks like this could also be used for purchases, with a cell phone and a PIN or fingerprint completing the transaction.  These features will be available on enterprise computers as well, improving corporate security.  It looks like this could make bring-your-own-device secure enough to satisfy enterprise security professionals.

Details will be coming as time goes by, but it's great to see Microsoft getting more serious about security.



Bott, E. (2014, October 22). Microsoft reveals audacious plans to tighten security with Windows 10. Retrieved from ZDNet website: http://www.zdnet.com/microsoft-reveals-audacious-plans-to-tighten-security-with-windows-10-7000034963/?s_cid=e539&ttag=e539&ftag=TRE17cfd61

Wednesday, October 29, 2014

NIST Provides a Balanced Approach to the Cloud

The Federal government has just published its first guidance on how to design and manage cloud computing.  It sets out 10 high-priority requirements for cloud initiatives.  It's a well-balanced document that looks at security as well as protections for the cloud service providers and the businesses who use them.  The guidance covers the categories of accessibility, interoperability, performance, portability, and security technology.

The requirements push for high security standards, clear and consistent guidance for developing service agreements, good quality metrics, and reliability.  In reality, this is just the guidance that provides the roadmap for how cloud computing should be implemented from the viewpoint of the federal government.  NIST is an agency of the Department of Commerce, so it is focused on promoting business as well as protecting businesses.  There are at least 3 more publications to be written and revisions of existing governance in the works.

NIST seems to be one government agency that is actually helpful.



McKendrick, J. (2014, October 25). NIST puts a sharper point on cloud computing | ZDNet [Web log post]. Retrieved from http://www.zdnet.com/nist-puts-a-sharper-point-on-cloud-computing-7000034990/


National Institute of Standards and Technology. (2014). US Government Cloud Computing Technology Roadmap Volume I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-293.pdf

Wednesday, October 22, 2014

Finally! A Secure SmartPhone!

The Blackphone, billed as the world's first smartphone designed with security in mind, was released in June this year.  The maker, SGP Technologies, states the phone is "Secure by design".  As a smartphone it has all the basic features any user would expect: 3G, GPS, Bluetooth, Wifi 802.11 b/g/n, a camera and lots of sensors.  But where it really sets itself apart from the rest of the market is the security features.

At the heart of the phone is PrivateOS, a modified Android 4.4.  Unlike standard Android, all Google services are removed, and the standard applications like email, browser and cloud storage are generic (not Gmail, Chrome or Dropbox), so there are no services gathering data on the user in the background.  Other security features have been added, such as full-disk encryption, remote wipe and a VPN client, as well as a suite of apps from Silent Circle, maker of the Silent Phone, Silent Text and Silent Contacts apps for Android and iOS.  These apps encrypt the stored data and transmit it securely.

The best feature is the Security Center.  Stock Android 4.4 grants an app every permission it asks for at install time, all or nothing.  On the Blackphone, the permissions you had to allow to install an app can be revoked individually afterwards.  For example, for a mapping application you can disable access to your address book and phone ID, but keep location services running.

The cost of all this security is that the phone doesn't come with an app store, because the app stores themselves are treated as insecure.  Any additional app you install widens the attack surface and makes the phone less secure.  One other problem is that the phone doesn't have any malware protection installed.

All in all, it's great to have a secure Android smartphone on the market.  The benefit of security comes at the cost of convenience that all those insecure apps bring.  Maybe we will be able to keep our privacy and still enjoy the convenience of always being connected someday.  We just got closer!



Malenkovich, S. (2014, October 22). Blackphone review: is a secure smartphone possible? [Web log post]. Retrieved from Kaspersky Lab Daily Blog website: http://blog.kaspersky.com/blackphone-review/

SGP Technologies.  (2014).  Blackphone.  https://www.blackphone.ch/

Tuesday, October 14, 2014

Humans are the Weakest Link in Security


IBM has just released its 2014 Cyber Security Intelligence Index.  Much of the information presented seemed like the same old news.  Human error was a contributing factor in over 95% of the incidents, and the attackers on the other side are human too; that's not really surprising.  Computers don't hate us and have no reason to steal personal information, trade secrets or credit card numbers.  What I found surprising is that social engineering is still a preferred method for these malicious attacks.  Ohlhorst points out the engineering is getting more targeted:

IBM correctly identifies how social networking has impacted IT security and makes the point "Rather than seeing a particular enterprise as a single entity, attackers now also look at an enterprise as collections of individuals. That means they decide to target specific people instead of enterprise infrastructures or applications. In other words, the personal lives and business activities of employees can be leveraged to target an enterprise."
IBM says the average security breach costs the company $3.5 million.  If 5% of the employees at your company are the inadvertent actors they target, are they trained to see social engineering methods? My employer has about 2000 people working in my building, so that means 100 of them are likely to provide the access an attacker wants. Is it worth the time and effort for companies to take this threat seriously and train employees more thoroughly?


Ohlhorst, F. (2014, October 8). IBM says most security breaches are due to human error.  Retrieved from TechRepublic website:  http://www.techrepublic.com/article/ibm-says-most-security-breaches-are-eue-to-human-error.

IBM. (2014).  2014 Cyber Security Intelligence Index.  http://www-935.ibm.com/services/us/en/it-services/security-services/2014-cyber-security-intelligence-index-infographic/

Tuesday, October 7, 2014

Microsoft needs to Stop Trying to Do Everything

The latest test results of independent antivirus test lab AV-Test Institute were released recently and Microsoft System Center Endpoint Protection, the Corporate version, came in dead last.  The Home version, Microsoft Security Essentials, also performed poorly.

AV-Test Institute reported on 33 antivirus applications: 9 corporate applications and 24 home applications.  They have a very comprehensive testing process that uses 150 to 200 current real-world threats.  They evaluate the software in the following categories:
 Protection - effectiveness against virus and malware threats
 Performance - impact of the software on the performance of the computer
 Usability - false positives, i.e. legitimate software and websites wrongly flagged

Microsoft’s corporate version only detected 74% of the real-world virus and malware threats, compared to the industry average of 96%.  The home version did slightly better.  The software performed well in the other two categories.  Every other vendor's protection score was 96% or better.  Microsoft needs to go back to doing what they do best – application software for servers and PCs.  Antivirus software is specialized and it’s apparent they don’t do it well.



Kassner, M. (2014, October 6). Microsoft scores poorly in latest virus protection test for Windows 7 - TechRepublic [Web log post]. Retrieved from http://www.techrepublic.com/article/microsoft-scores-poorly-in-latest-virus-protection-test-for-windows-7.

Wednesday, October 1, 2014

Social Engineering - Train Your Users to be Secure!

After my last post about passwords, I thought I should address another common problem in security - social engineering.  As a customer support computer professional, I work with users regularly that offer me their passwords so I can fix their computers.  I always try to impress on them that anyone who is authorized to fix their computer will have the credentials (authorized access) to do so.  Maybe I need to take a different approach - fear.

I commonly hear users tell me that their access is so low that no one could possibly use their password to access anything important.  That attitude is the problem.  If what they can access isn't important, why is it protected with a password at all?  Everyone needs to learn to think defensively about security.

In addition to all the hardware and software protections we put in place, we need to train our users to be suspicious and skeptical.  Patrick Lambert says we need to "drill into our users that they should regard all links and attachments with a high degree of skepticism" to reduce phishing.  We should also stress to them that there should be few if any reasons to share their login credentials.  Educating them on how useful even small amounts of data are to an attacker should be reinforced at every opportunity.  Any time you can make them stop and think is a good thing.

Social engineering is still the easiest way for an attacker to gain access to a network.  We need to implement controls to protect our networks from our own innocent friendliness, but teaching suspicion will go a long way to help, since no control can tell authorized access from credentials that were given away.




Lambert, P. (2014, September 26). Social engineering red flags and tips for training users [Web log post]. Retrieved from TechRepublic Blog website: http://www.techrepublic.com/blog/it-security/social-engineering-red-flags-and-tips-for-training-users/

Tuesday, September 23, 2014

Passwords: Not Too Short, Not Too Long

I used to work with a guy who had a password that was over 32 characters long.  I know this because he ranted to me that our enterprise policy only allowed a 32 character password and he didn't feel he should have to shorten his password due to a bad policy.  Is a long password actually more secure?  I don't think so, especially for the average employee.

My experience as a computer support technician is that the average employee will write down any password that he or she thinks is too complex.  The Open Web Application Security Project recommends a maximum password length, stating "The longer the password, the more likely people are to enter them incorrectly for your system."  So a longer password can end up as the greater security threat: it gets written down, or it interrupts work because it has to be reset.

So is a "short" password insecure?  Brien Posey, in a recent blog post, first tried a dictionary-based attack and then a brute-force attack on an 8-character password protecting a zip file on his personal computer.  He used the standard rules of a mix of upper and lower case letters, special characters and numbers.  While he was waiting for the cracking software, running on multiple servers, to recover his password, he did the math on the total number of possible combinations - 669 quadrillion.  At that point he abandoned the quest to break the password.

Creating a secure password doesn't have to be difficult.  The process I recommend is to use a line from a song or poem or a favorite saying.  Take the first letter of each word and mix it up with a special character or a digit in place of some of the letters or words.  For example:

I need to get into this file and edit something becomes In2gitf&es

It's easy to remember, complex, not guessable or a dictionary word and easy to come up with a new one when this one expires in 90 days or so.

Oh say can you see by the dawns early light becomes 0scysbtde1 
(the O becomes a zero and the l becomes a one)

This will work as long as you don't whistle the tune every time you log in!
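As an added example (my own code, not from this post or from Posey's article), here is the mnemonic scheme above in Python, together with the keyspace arithmetic behind a brute-force estimate and a check against the kind of complexity policy the post mentions.  The word and character substitution tables are my assumptions, chosen so the function reproduces the two passwords shown above; the 95-character set is printable ASCII, so the figure it gives (95^8, about 6.6 quadrillion) depends on the character set assumed, as does the figure on the page; the guess rate is illustrative only.

```python
import math
import string

# Assumed substitution tables (mine, chosen to reproduce the two examples in
# the post): whole words replaced by a symbol or digit, and first letters
# replaced by a look-alike digit.
DEFAULT_WORD_SUBS = {"to": "2", "and": "&"}
DEFAULT_CHAR_SUBS = {"O": "0", "l": "1"}


def mnemonic_password(phrase, word_subs=None, char_subs=None):
    """Build a password from the first letter of each word in a phrase.

    A word listed in word_subs is replaced by its substitute; otherwise its
    first letter is kept, case as written, and then passed through char_subs.
    """
    word_subs = DEFAULT_WORD_SUBS if word_subs is None else word_subs
    char_subs = DEFAULT_CHAR_SUBS if char_subs is None else char_subs
    out = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        key = word.lower()
        if key in word_subs:
            out.append(word_subs[key])
        else:
            first = word[0]
            out.append(char_subs.get(first, first))
    return "".join(out)


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Strength of a uniformly random password from that space, in bits."""
    return length * math.log2(charset_size)


def expected_crack_seconds(space, guesses_per_second):
    """Average time to hit a uniformly chosen password: half the keyspace."""
    return space / 2 / guesses_per_second


def character_classes(password):
    """Which of the four classes a complexity policy usually demands are present."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def meets_policy(password, min_len=8, max_len=32, required_classes=4):
    """True if the password fits the length window and has enough classes.

    The 32-character ceiling mirrors the enterprise policy described in the post.
    """
    classes = sum(character_classes(password).values())
    return min_len <= len(password) <= max_len and classes >= required_classes


if __name__ == "__main__":
    for phrase in ("I need to get into this file and edit something",
                   "Oh say can you see by the dawns early light"):
        pw = mnemonic_password(phrase)
        print(f"{phrase!r} -> {pw}  classes={character_classes(pw)}  "
              f"policy ok={meets_policy(pw)}")
    # 95 printable ASCII characters, 8 positions: the usual brute-force setup.
    space = keyspace(95, 8)
    print(f"95^8 = {space:,} ({entropy_bits(95, 8):.1f} bits)")
    # Assumed guess rate for illustration only, not a figure from the page.
    print(f"at 1e9 guesses/s: {expected_crack_seconds(space, 1e9) / 86400:.1f} days")
```

Running it shows the catch with the second example: "0scysbtde1" has lower-case letters and digits but no upper-case letter or special character, so a policy that demands all four classes rejects it.  The keyspace figures are also only an upper bound; the password is no more unpredictable than the phrase behind it, and a well-known lyric is exactly what a lyric-based wordlist would try first.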



Posey, B. (2013, August 14). How important is Password Complexity? [Web log post]. Retrieved from Redmond Magazine website: http://redmondmag.com/articles/2013/08/14/password-complexity.aspx

Open Web Application Security Project (OWASP) (2014, September 23). Password Length and Complexity. Retrieved from OWASP Website: https://owasp.org/index.php/Password_length_%26_complexity

Wednesday, September 17, 2014

I'm Solidly on the Side of Security on This One...


WikiLeaks, the organization that has published classified information in the interest of openness, has gone too far this time.  On September 15th, WikiLeaks founder Julian Assange posted "weaponized malware" on his website, including the password, because "Better scrutiny leads to reduced corruption and stronger democracies in all society’s institutions, including government, corporations and other organisations".  This software is designed for spying and hides itself from antivirus software.  There are versions that work on every major operating system, including all common mobile versions.  His specific reason for releasing the software is so that security and privacy researchers can develop better detection techniques.  Is this guy serious?

David Gewirtz, a blogger for ZDNet, says this is the equivalent of handing out vials of the ebola virus at the local mall so an antidote can be developed by biotech companies.  I agree with Gewirtz.  The world became less safe today.

Assange, Edward Snowden and others like them see themselves as heroes, protecting the world by disclosing secrets.  While there is value in doing so, it should be done responsibly.  Assange could've given the software to security companies, publicized that he had done so, and achieved his goal of helping to develop better detection.  Now he's made it available to every script kiddie, mobster and corrupt government in the world.  Many will use it before there's a fix for it.  They may see themselves as making the world a better place, but in reality they took more of our freedom away and gave it to cybercriminals worldwide.



WikiLeaks. (2014). About. https://wikileaks.org/About.html

Gewirtz, D. (2014, September 16). WikiLeaks posts 'weaponized malware' for all to download [Web log post]. Retrieved from ZDNet website: http://www.zdnet.com/astonishingly-irresponsible-wikileaks-posts-weaponized-malware-for-all-to-download-7000033716.


Monday, September 8, 2014

Balancing Privacy and National Security

Hillary Clinton recently spoke at a tech meeting in San Francisco.  In the blog post summarizing her speech, she expressed some opinions about the tension between the NSA's attempts to protect us from terrorist threats and the right to privacy.  Should our government collect data on everyone in order to potentially track down terrorist threats?  How much is too much?

I wish I could say I've formed strong opinions about how much data the government (and private companies like Google and Amazon) should be allowed to keep.  We live in a world where technology has developed faster than our ability to understand the underlying implications of many conveniences.  Just owning a cell phone means giving up a significant amount of privacy. Enabling all the cool functionality takes all of it away.  Google keeps the history of your movements if you have an Android phone and turn the GPS on.  While that's kinda creepy, it sure is cool to have a personal GPS device with you at all times.  Mine has gotten me "unlost" too many times to count.

So I choose to keep my Android phone.  I keep my GPS and other widgets turned off most of the time.  I'm not a terrorist and I doubt the government will ever think I am.  I choose not to engage in illegal activities, so I don't worry about surveillance cameras watching me when I'm in public places.  I keep stuff in the cloud, but I do so carefully.  I'm careful what I post on Facebook.

I get a sense of security knowing the government has facial recognition software.  I don't mind them logging my cell phone calls.  I save time by not getting lost as often as I used to and I appreciate Amazon's suggestions for cool stuff I should buy.  I'll take the good with the bad.



King, Rachel. (2014, August 8). Hillary Clinton talks NSA and privacy, data security, tech jobs in San Francisco [Web log post]. Retrieved from ZDNet website: http://www.zdnet.com/hillary-clinton-talks-nsa-and-privacy-data-security-tech-jobs-in-san-francisco-7000033094/

Leonhard, Woody.  (2014, September 4). Why the U.S. needs better privacy laws, now! Windows Secrets, 447. Retrieved from http://windowssecrets.com/newsletter/why-the-u-s-needs-better-privacy-laws-now/

Monday, September 1, 2014

Do Ethical Hackers make for better security?

I was recently listening to my favorite news station on the radio, NPR's Morning Edition.  During the weekly All Tech Considered they had an article called When Hackers Test For Flaws, They Might Earn Cash — Or Threats.  It caused me to wonder if people trained in hacking skills are better at security.  Obviously, they do find security weaknesses using the same techniques the "bad guys" use.  If they pass their findings on to the companies that sell the insecure products, they're providing a valuable service.  But, as the title suggests, they aren't always appreciated.

These hackers have training that allows them to find these exploits, and there's no question they're smart.  Finding and fixing these flaws makes all of us more secure.  Since I'm pursuing my MS in Cybersecurity, would it make sense to also learn how to "hack", or will my employer feel threatened if I do so?

I guess I would say it takes both kinds of security professionals.  Whether they work together or apart on the same problem, I expect the end result will be better security.