Risk Analysis at the AT&T Store

Risk Analysis at the AT&T Store

Smartphone shopping. More fun than a root canal, isn’t it?

I needed a new phone to bring to my employer’s BYOD program. I decided not to use my personal phone number with that, so my existing device was not under consideration. Also our BYOD program puts the device I bring onto the AT&T network, and my existing account with Google Fi would have to be dropped. For a wide variety of reasons, including my ability to have text-message conversations from a browser on a laptop, I do not want this to happen.

So this shopping occasion and conversations with some folks about it made me think through the risk assessment involved when we buy a smartphone. We are getting ready to take an on-body surveillance device with us everywhere we go. We’re taking on quite a bit of risk to our privacy, at least. It’s smart to minimize it where we can and make sure that whatever’s left is worth the benefit.

My main criterion was to find a model that came with as little software as possible pre-installed – especially software that can’t be uninstalled without rooting or jailbreaking the phone. A rooted or jailbroken phone won’t be accepted into our BYOD program.

I am especially concerned that social media applications Facebook, Twitter, and Instagram, not be on the phone out of the box. Recent analyses have shown that the Facebook app on a phone is reporting data about the phone’s user back to Facebook regardless of whether it’s in use. Regardless of whether the phone’s owner has logged in or not! The phone itself is enough of a unique identifier to make logging into Facebook almost superfluous. As someone who has otherwise deleted Facebook, purchasing a new phone with a back channel to Facebook on it is simply not on my agenda.

I wish I could say it surprised me to find that every Android phone in the store had Facebook pre-installed, and not removable. This took all the Android phones out of contention. While I am well aware of the many ways to clean this garbage off a phone, I need to be sure I can keep this phone compatible with that BYOD program. This constrains what I can do to make an Android phone usable.

So that turned my attention to iPhones. Happily, none of them comes pre-installed with any social media applications. Unhappily, the current models cost $800 and up. This reminds me of the fact that while a 70 inch “smart TV” is $900, a 70 inch monitor is $4500. This is because the maker of the monitor is not planning on spying on you through the device and selling the data taken to all comers.

The story has a happy ending; the store had some “obsolete” iPhone 6s units on sale, and I escaped with a bill of less than $200 and a safer phone.

Over/Under

Over/Under

Click Through for The Register Story

Starting Friday, Salesforce.Com had a fifteen-hour outage due to their having to “pull the plug” after a script went rogue and gave all comers full access to the database. Anyone logged in could do anything to anyone’s data.

Not cool. Restricting access was the right thing to do.

The interesting question in my mind is how people will evaluate this incident as it relates to their future judgment on the safety of SaaS platforms like Salesforce. I think people will overestimate the dangers for much the same reasons that many more people are afraid to fly than to drive.

When making estimates of danger, humans take the impact of an event much more seriously than the probability, especially if the probabilities are relatively small. Worse impacts cause us to overestimate probability, even where there is no correlation between the two. This leads to overly pessimistic projections on high-profile risks (Chinese hackers steal all our designs!). It also creates corresponding under-reactions to more present risks (Users can’t be bothered to use 2FA, easily get phished).

Success in information security, as well as business and life in general, depends on being able to view these numbers objectively. They’re just numbers, after all.

Lessons

Lessons

What’s old will be new again.  Or, as in the old Jewish proverb: “Who is wise? One who learns from every person.

My next infosec conference talk will be at the ISACA Western New York Controls & Compliance conference, on May 7

Lessons from the Orange Book will be a talk about how the “old” first principles of computer security still apply in the era of the Cloud and IoT.

After I deliver the talk I will blog a summary of it here.

So That Was BSides

So That Was BSides

Forrest Fuqua, coordinator of BSides Roc – featuring #hatchan

As cool as it was being at BSides Rochester yesterday, because of my role in it I did not get to attend any of the talks!

Jason Scott – Keynote

Lucky for me, almost all the talks are now or will soon be online! See the whole raft of videos here.

And then there’s #hatchan. It’s not just a hat, it’s an institution. It’s a WiFi hotspot. It’s a server. It’s hackable. At the end of the day, when he shut it down, there was an audible groan from a segment of the attendees.

Ransomware

Ransomware

You have probably seen news of businesses and institutions being attacked by ransomware, and having to pay tens of thousands of dollars to get rid of it. Names like CryptoLocker, Fusob and WannaCry have floated by. But, what is ransomware? How does it work? How can I avoid being stung?

Simply defined, ransomware is a specific type of malware that denies its victims the use of their data until a ransom is paid.

Ransomware attacks typically operate as follows:

  • The trojan is installed on the victim computer system
  • It collects a list of the files it can access that it will encrypt
  • It contacts a central server, operated by the attacker
  • The server generates a unique encryption key for that victim, which will be stored on the server and sent to the trojan program on the victim machine
  • The trojan encrypts the targeted files using that key. In modern examples, this encryption is quite strong
  • Once the encryption is complete the trojan destroys its local copy of the key
  • The trojan then communicates to the victim that the files have been encrypted,
  • It offers to provide decryption after a payment is made, usually within a fairly narrow time window.

Ransomware gains access to victim machines through the usual malware routes: users click on dodgy links in email, or open malicious file attachments. Web pages or banner ads that have been compromised can provide “drive-by” downloads of all kinds of malware. Whereas other malware may join victim computers to botnets, get them to start mining cryptocurrency, or participate in distributed denial-of-service attacks, ransomware has the simple goal to get money to its operators immediately.

The files that ransomware encrypts are usually documents and spreadsheets, images, music and video files, HTML and source code files, and ZIP archives. Ransomware does not typically attack the other software on the system. Thus, a victim’s copy of Office and Photoshop may be undamaged, but all their work in those systems will be unusable. Also of note: most ransomware encrypts files on all available network shares as well as the local disk. So a small office can be wiped out from just one infected computer, since small offices often only have a single hierarchy of file shares and everyone can get to them.

If implemented well — and it frequently is — the server-to-trojan protocol of generating a key, encrypting with it and then discarding the local copy of that key is extremely difficult to crack. When a business confronts a ransom demand, often the cheapest way to get back into operation is to pay the attacker. Despite all the larger reasons that this is a horrible idea, the equation of paying $X to get the decryption key against a possible $X00 to $X000 to recreate all the data makes the decision to pay a no-brainer. The sole glimmer of good news here is this: the vast majority of attackers, when paid, actually provide the key and allow recovery of the data. In some cases, they have even provided technical support to assist “customers” having difficulty doing the decryption. Why? If they do not keep up a reputation for providing what is paid for, the “market” will stop paying them and seek alternate means of recovery. And they just want the money.

There is one strong defense against ransomware: backups. The backups should be as current as is practical. Real-time backups are ideal but not always feasible. But if a business is only facing the prospect of recreating one or two days of data as opposed to weeks or years, then a decision not to pay off criminals becomes much more reasonable. To be safe from the encryption of a ransomware attack, backups should be stored somewhere that is not constantly connected to the main systems, or in any case not accessible as a normal file share. So if you run a backup system in the office that places all the backups on a server, do not also use that server to host file shares.

With good recent backups in hand, the strategy for responding to a ransomware attack is much less stressful: clean or re-image the machines affected, restore the data, get back to work. As I am fond of saying, security, done correctly, is almost boring.

Ads Just Keep Getting Worse

Ads Just Keep Getting Worse

“Relevant” is the ad industry’s current excuse for all the spying, tracking and intruding on our lives that they are currently tormenting us with.

Good NYTimes article through here – click!

They “need” to suck down every aspect of our personal lives and habits and idle thoughts… so they can show us better sneaker ads. Sneaker ads that creepily show up the minute we register to run in a 5K. Or walk past a Foot Locker.

This is why I block all ads, everywhere on the Internet. I was reading the descriptions of what it’s like for people experiencing this kind of ad stalking and I have to admit: I can’t relate. I experience exactly none of it. And I’m glad.

When media websites grouse at me for running an ad-blocker, I mentally respond, well, make the ad experience less hideous. Make it less of a personal violation. Wipe out the malware. But these things, they will not do. Instead, they scold and threaten. So if a site still won’t allow me to proceed without white-listing it in my ad blocker, fine. I move on with life.

And oh yeah… if you think it’s not getting worse… the New York Times article linked above mentions ad-blocking as a possible course of action. Not too long ago, that was a glaring omission.

And the creepiest of all, the mother lode of creepy, is Facebook. #DeleteFacebook!

Anyway. Get uBlock Origin for all your PC browsers. Brave for mobile, and add Better Blocker for iOS. The mobile solutions aren’t as comprehensive as the PC, but they are the best I’ve found so far.

Breaches

Breaches

Not Beaches!  BReaches!

Ah yes, breaches.  Not really a much better movie, I’m afraid, yet we keep seeing it over and over.  Big splashy headlines touting eye-popping numbers, followed by unsolicited offers of credit monitoring from companies who are really, really hoping their arbitration clauses hold up.

They do seem to arrive in clusters, also.  The latest one-two punch is Marriott, then Quora.  Marriott managed to get hacked and then not detect it for four years, finally now disclosing that half a billion-with-a-B guest records were exposed.  Credit cards, passport info, all the good juicy stuff.

This revelation was followed-up last night by Quora revealing that “only” 100 million-with-an-M records were breached.  This email notification went out overnight and resulted in 150,000 people going, Dammit, my Quora account got hacked! and 99,850,000 people going, Wait… what?  I have a Quora account?

In any case, the odds are very good that you have been among the nine-or-ten digit totals of a few data breaches already.  Here are a few tips on how you can deal with this and get on with life

  1. Take the monitoring.  When they offer you credit monitoring free for a year or so, take it.  Can’t hurt.  Worth the price. But you probably won’t need it because of the other things you are going to do on this list, like…
  2. Freeze your credit.  Go to each of the major credit reporting agencies’ websites (EquifaxExperian, TransUnion) and follow their process for freezing your credit reports.  Yes, this will make impulsively opening new credit accounts more difficult.   Why do you say that like it’s a bad thing?
  3. Check your statements.  Look for any phony activity.  Your issuer will make good on anything you report as fraudulent on your credit cards if you report it promptly.  Don’t wait.  By the way: banks are not obligated the same way to make good on fraudulent activity on debit cards – even if you use them as a credit card at the point of sale.  So in general, don’t do that.  I only use my debit card in the bank’s ATMs.
  4. Check your credit report.  Like a lawyer, the credit report checking site you want is not on TV!  Ignore all the catchy jingles and flying pigs with smartphones, and go to the only non-scammy site out there: annualcreditreport.com
  5. Manage your passwords.  We’ve talked about it in the past: how your passwords need to be different at every site you log into.  If they got your Quora password, let that be all they got.  For those of you who are not already using a password manager, the best advice I have is this:  START USING A PASSWORD MANAGER RFN.  There are things sites can do to make a password-file data breach lower impact;  hashing and salting are not just cooking techniques!  But not every site does the right things, and not every site does the things right.  And it only takes one failure to give everyone a bad day.  So you have to protect yourself, and using complex passwords that are unique per site is how you do that.  And the only way to keep those passwords all straight is with a password manager.
  6. Enable Two-Factor Everywhere.  Two-factor authentication is becoming widely popular since the vast majority of sites are now able to leverage things like Google Authenticator apps on users’ smartphones.  This means that dedicated hardware tokens are no longer required, and the barrier to users adopting it for their own logins are as low as they can be now.  Be sure you use this wherever it’s available: it means the difference between a password compromise being annoying vs. Game Over.

If you can get yourself to where you are doing these six things, Breaches can be another movie that you just make fun of.

IT v Security

IT v Security

One of my best friends is an IT guy, with about the same amount of career experience as I have.  (We’re old, get it?)

When we get together, I notice that we each show the distinctive mindset of our specialties: he’s always thinking, How can I get this to work?  And I’m always thinking, How can I break this?

And yet, it was he who sent me this:

Don’t be put off by the length – the time will fly by
Uptime 3: Climate Change

Uptime 3: Climate Change

Data centers with thousands of computers in concentrated amounts of floor space do have to expend enormous amounts of energy keeping things cool.  Your home data center can almost entirely ignore this issue, except where your computers have to be enclosed.

Server Closet.  Or at least, a server IN A closet.

At some point, you will want some of your servers out of sight.  Any machine that provides some service via the network without being needed in front of you is a server.  Home aesthetics will at some point demand that the thing get out of sight.

Your computer’s case has one or more fans that circulate air through it for cooling.  The fan draws in room air, heats it some with heat generated by the components operating inside, and then ejects it back into the room.  A typical room is large enough to absorb this without moving the needle much on the overall room temperature, so the process can continue more or less indefinitely.

The problem you encounter when putting a computer into a closet is, soon after the door is closed the computer is drawing in and heating already rather-hot air, and the temperature in the closet starts rising.  Much over 95F/35C, and you’re going to start having components on your system board begin to behave erratically or fail.

So don’t let things in there get too hot.  Check if it’s heating up steadily in there, and open the door a bit if you have to.  If you can, add a vent at the bottom of the door, and an exhaust fan or two at the top.  If you get a couple of 180mm fans that are designed to be installed is computer cases, you can probably work out how to power them outside a case, and you will find that they are really, really quiet.

Note: however you route your network cables in and out of the closet, be sure the door is not pinching them every time it opens or closes.  Eventually, a conductor in there will break and you will get to 1) do a really “fun” troubleshooting session, then 2) shop for a new network cable. 

Another thing you will want to avoid during the heating season is letting the air get too dry.  If that happens, you will have a tendency to build up static electric charge on yourself as you move around.  You can potentially zap your computers when you touch them, damaging random expensive things inside them. 

If you can add humidity to your environment, do so.  Get the relative humidity to about 50%, give or take 10%.  But (and this is important!) do NOT use a misting humidifier, one that sprays droplets into the air to evaporate there.  Be sure to use a humidifier that evaporates the water inside it, so the vapor that comes out is pure water.  If your humidifier sends droplets of tap water into the air, when the water evaporates, it will let the salts and minerals dissolved in it float down to the surfaces in the room, forming a fine white dust that you will see everywhere.  This dust has the potential to short out connections on printed circuit boards, causing all kinds of very expensive havoc.

Also don’t let the wiring in your server closet get away from you.  Like this guy did.

There are worse than this.  See /r/cablegore