locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Tue, 30 Nov 2004 00:00:00 00, 332
SecurePoint learning the hard way

In Blog entry #311, I commented on what an unwise decision SecurePoint had made in hiring Sven Jaschan. ZDNet UK recently reported that SecurePoint's decision has cost them a partner. My exact words were "do you want Jaschan anywhere close to the source code for your firewall?"

According to a news item by Dan Ilett, antivirus vendor H+BEDV Datentechnik shares my opinion. H+BEDV has decided to walk away from a partnership whereby SecurePoint firewalls would use H+BEDV's Antivirus software as their AV gateway offering.

Chief executive Tarj Auerbach sums up his company's reservations rather succinctly, and you gotta love his logic. If the antivirus engine in SecurePoint's firewall fails to detect a virus and that virus causes considerable damage, customers might be more than a little concerned over the fact that a former virus writer may have had his fingers in the code.

Tarj is quoted as suggesting that the whole incident might "smell a little bit stinky", which reminds me of a favorite saying of a former colleague, Marshall Rose:

If you wallow in the mud with pigs, ...

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID332 by Dave Piscitello  


Mon, 29 Nov 2004 00:00:00 00, 333
A Commonly Overlooked Risk in Mobile User Security

Firstbase Technologies has published a useful white paper on Portable Computing Device Security, one worth finding time to read.

I noticed while reading the paper that the authors don't mention undetected or malicious data alteration or injection in their risk analysis. I think the potential for someone to change sensitive data and inject it into an enterprise from a mobile device or removable medium is significant, and deserves more attention than it commonly receives.

Imagine a scenario where an employee reports the following chronology of events: "My PDA was lost or stolen and remarkably, a rather decent fellow returned it to me." Where your average PDA user can express relief, security staffers have to view even noble acts such as these with some skepticism. An unsuspecting, non-technical employee might fail to detect that not only did the seemingly decent fellow "borrow" the device or removable media, but he altered the information, expecting that the corrupted data will be subsequently synchronized and uploaded into an organization. (Note that this is the same attack vector as a PDA-induced virus or trojan or keylogger).

Where's the harm? Imagine how subtle small changes to spreadsheet values or (worse) changes to an embedded calculation or formula might affect an audit, sales projection, or project assessment. Or perhaps the attacker modifies hyperlinks in Word documents to lure employees to a phishing web site that has the look and feel of an employee Intranet, or B2C portal.

Bottom line? All manner of nasty activities are possible when someone has time, talent, and *your* data. The resulting incidents can be extremely hard to detect and resolve. As you develop your Mobile User Security Policy and implement security measures, don't overlook the data alteration risk.
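One way to make the data alteration risk detectable at the point where it matters, the sync back into the enterprise, is to record a keyed tag for every file before it leaves and to refuse to auto-accept anything whose tag no longer matches. The following is an added example written for this post, not code from the original entry or from the Firstbase white paper. It assumes the enterprise computes an HMAC-SHA256 tag per file with a key that stays server-side (so someone who "borrows" the device cannot recompute valid tags after editing), and all file contents, paths and the key are constructed sample values.

```python
"""Detect altered or injected files when a mobile device or removable medium
syncs back into the enterprise.

Added example, not from the original blog post. It assumes the enterprise
records an HMAC-SHA256 tag for every file before it is copied to the device,
using a key kept server-side only, so someone who "borrows" the device cannot
recompute valid tags after editing the data.
"""
import hashlib
import hmac

# Hypothetical server-side key. It must never be stored on the device; a
# constructed value is used here so the example runs offline.
SERVER_KEY = b"constructed-example-key-not-for-real-use"

# Constructed sample: what left the enterprise on the employee's PDA.
ORIGINAL_FILES = {
    "finance/q4_projection.csv": b"region,revenue\nEMEA,1250000\nAPAC,980000\n",
    "hr/benefits.html": b'<a href="https://intranet.corp.example/benefits">Benefits</a>\n',
    "sales/pipeline.txt": b"Acme renewal: 40000\nGlobex upsell: 15000\n",
}

# Constructed sample: what came back after the device was "returned".
# One figure gained a digit, one hyperlink now points at a look-alike host,
# one file was added, and one is gone.
RETURNED_FILES = {
    "finance/q4_projection.csv": b"region,revenue\nEMEA,1250000\nAPAC,9800000\n",
    "hr/benefits.html": b'<a href="https://intranet-corp.example/benefits">Benefits</a>\n',
    "hr/new_policy.doc": b"see attached macro\n",
}


def build_manifest(files, key=SERVER_KEY):
    """Map each path to an HMAC-SHA256 tag over its bytes, computed before sync-out."""
    return {path: hmac.new(key, data, hashlib.sha256).hexdigest()
            for path, data in files.items()}


def check_sync(manifest, returned, key=SERVER_KEY):
    """Compare files coming back from a device against the stored manifest.

    Returns sorted lists: 'altered' (tag mismatch), 'injected' (path not in
    the manifest), 'missing' (in the manifest but absent from the device) and
    'unchanged'. Only 'unchanged' files should be accepted without review.
    """
    current = build_manifest(returned, key)
    altered = [p for p in returned if p in manifest
               and not hmac.compare_digest(manifest[p], current[p])]
    injected = [p for p in returned if p not in manifest]
    missing = [p for p in manifest if p not in returned]
    unchanged = [p for p in returned if p in manifest and p not in altered]
    return {"altered": sorted(altered), "injected": sorted(injected),
            "missing": sorted(missing), "unchanged": sorted(unchanged)}


def demo():
    """Run the check over the constructed samples and return the report."""
    manifest = build_manifest(ORIGINAL_FILES)
    return check_sync(manifest, RETURNED_FILES)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>9}: {', '.join(paths) or '-'}")
```

Legitimate edits made on the road will show up as "altered" too; that is the point. The check does not decide whether a change is malicious, it makes sure nothing that changed while outside the enterprise is uploaded silently, which is exactly the blind spot the scenario above exploits.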

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID333 by Dave Piscitello  


Thu, 25 Nov 2004 00:00:00 00, 331
Mobile User and Mobile PPC Security

At the recommendation of a posting at bug-traq, I listened to a 15 minute presentation on Windows Mobile Pocket PC Security by Seth Fogie of Airscanner. If you have a PPC, grab a cup of coffee and invest the time to listen to this audiocast. You'll learn quite a bit about PPC attacks such as forced resets embedded in attachments or downloads, viruses, and trojans that can be installed via removable (flash) memory when Autorun is enabled. You can also hear how attackers use PDAs as attack tools (especially over wireless LANs).

I gave a presentation on Mobile User Security at IPcomm 2004 in Las Vegas. Hopefully, you'll find my presentation a useful complement to Seth's audiocast.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID331 by Dave Piscitello  


Tue, 23 Nov 2004 00:00:00 00, 327
Something you know, something you are, something you wear?

Multifactor authentication - combining passwords and PINs with biometrics and tokens (something you have) - can dramatically improve your risk profile. Organizations still find numerous reasons to delay or reject most two-factor authentication methods. User adoption, cost per client, and lost token replacement costs are common concerns.

Perhaps we need to re-think the token form factor. For years, we have tried to make tokens small and unobtrusive. Keyfobs, for example, are small and convenient, as are credit card time tokens. Obviously, they are not convenient enough. For many users, tokens are one more object to deal with and for IT admins, they are one more object users will lose.

Why not leverage society's ageless attachment to jewelry and marry tokens with bling-bling? Suppose we combine PINs and passwords with something we *wear*? Why can't we marry proximity-sensing and two-factor authentication technology and incorporate these into rings, earrings, and lapel pins? If these are not manly enough, integrate proximity technology with a watch or ID bracelet. Any jewelry item will do, so long as it invites users to wear it daily, and value it highly enough that they won't lose it. 18K gold rings may sound like an expensive outlay, until you factor in the near-zero replacement costs and reduced account administration :-)

Silly? Perhaps. But "something you wear" really isn't that far-fetched. Many organizations require badges. Users historically do a better job of protecting the company IDs than tokens. If you don't want to go the jewelry route, is it so wrong to consider the integrated ID?

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID327 by Dave Piscitello  


Thu, 18 Nov 2004 00:00:00 00, 330
Wireless Deployment Checklist for SMBs

Small and medium businesses are often faced with implementing security at a fraction of the cost larger enterprises might invest. In some cases, SMBs must make do with consumer-grade technology. Wireless vendors are beginning to recognize the untapped market SMBs represent, and wireless solutions with large enterprise features are more affordable.

Lisa Phifer and I periodically compare notes on small and medium business wireless deployment. Enough has changed - for the better! - that we've updated our security checklist for SMB wireless deployment. Find it here.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID330 by Dave Piscitello  


Mon, 15 Nov 2004 00:00:00 00, 329
IEEE 802.1x and EAP Primer, redux

During a presentation I gave at IPcomm 2004, I was asked so many questions about IEEE 802.1x and the Extensible Authentication Protocol, I have re-posted a handout Lisa Phifer and I prepared for an ISSA meeting some time ago. Enjoy!

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID329 by Dave Piscitello  


Fri, 12 Nov 2004 00:00:00 00, 328
No Click Phishing Attack

One sure way to avoid identity theft is to resist clicking on hyperlinks embedded in potential phishing email messages you receive. Now, even that "best practice" appears to be in question. Liberty Identity Theft Services and others report a no-click (zero-click) phishing attack, where simply opening an email message is enough to cause a malicious script to be executed.

The attack makes use of "preview windows" in email clients - yes, that convenient little window pane that shows you part of an email just became a window *pain*.

The script combines spyware and phishing techniques. From the spyware toolkit, the script employs browser hijacking: it modifies bookmarks (favorites) and redirects users to a spoofed web site. The site where the user is redirected is your basic phishing web site, i.e., one that presents what appears to be a legitimate request for personal, account and credit card information. (If you're unfamiliar with phishing in general, and what a phishing web site looks like, read Anatomy of a Phishing Expedition.)

This attack might seem a bit more subtle than typical browser hijacks - users might not visit the modified bookmark and so may be unaware of the change - but phishing web sites don't remain online very long, so there's still a small window of opportunity. If you are running anti-spyware software such as SpywareGuard, you should be protected against browser hijacking. If you don't have browser hijack protection, you might try disabling the email preview feature on your email client. I suggest you consider one of the anti-spyware solutions I recommend here.

What a pane... er... pain.
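The preview pane problem comes down to one thing: active content in an HTML message body gets rendered, and therefore executed, before the user has decided to open anything. Disabling the preview pane and running anti-spyware are the client-side answers above; a complementary check belongs on the mail gateway, before the message ever reaches a client. The following is an added example written for this post, not code from the original entry or from any product named in it. It uses only the Python standard library, a constructed sample message, and an illustrative (not complete) set of patterns for script tags, inline event handlers and javascript: URIs.

```python
"""Flag and strip active content in HTML email before a preview pane can
render it.

Added example, not from the original blog post. The pattern list is
illustrative rather than a complete HTML sanitiser; the sample message is
constructed and uses reserved example hostnames.
"""
import email
import re
from email import policy

# Patterns for content a preview pane might execute on display.
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL),
    "event_handler": re.compile(
        r"""\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE),
    "javascript_uri": re.compile(
        r"""(href|src)\s*=\s*(?:"javascript:[^"]*"|'javascript:[^']*'|javascript:[^\s>]*)""",
        re.IGNORECASE),
}

# Constructed sample: a phishing message that needs no click, just rendering.
SAMPLE_MESSAGE = """\
From: "Account Services" <alerts@bank.example>
To: user@corp.example
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account requires verification.</p>
<script>document.location="http://lookalike.invalid/login";</script>
<a href="javascript:window.open('http://lookalike.invalid')">Verify now</a>
<img src="http://lookalike.invalid/logo.png" onload="document.location='http://lookalike.invalid'">
</body></html>
"""


def find_active_content(html):
    """Return {pattern_name: match_count} for each pattern present in the HTML."""
    return {name: len(rx.findall(html))
            for name, rx in ACTIVE_CONTENT.items() if rx.search(html)}


def strip_active_content(html):
    """Return the HTML with every matched piece of active content removed."""
    for rx in ACTIVE_CONTENT.values():
        html = rx.sub("", html)
    return html


def scan_message(raw):
    """Parse a raw RFC 822 message; return (findings, message with HTML parts cleaned).

    Findings are summed across all text/html parts. Non-HTML parts are left alone.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()
        hits = find_active_content(body)
        if hits:
            for name, count in hits.items():
                findings[name] = findings.get(name, 0) + count
            part.set_content(strip_active_content(body), subtype="html")
    return findings, msg


if __name__ == "__main__":
    found, cleaned = scan_message(SAMPLE_MESSAGE)
    print("active content found:", found)
    print(cleaned.get_content())
```

A gateway would quarantine or tag a message with any findings rather than silently clean it, so that the incident is visible; the stripping step is here to show that the rendered body can be made inert without touching the rest of the message. Regex-based stripping is a detection aid, not a substitute for the client-side controls the post recommends.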

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID328 by Dave Piscitello  


Fri, 05 Nov 2004 00:00:00 00, 326
Four more years - of exclusion?

As much as I try to avoid reacting to ten word sound bites, I admit I haven't been able to avoid them since the election. After a week of victory crowing, many of the less-than-pithy post-election claims and promises are grinding me down.

They paint *such* a grim picture of the next four years.

Few would argue that the 2004 campaign was mean-spirited, at local, state, and federal levels. Candidates from all parties discredited, disparaged, and vilified opponents. In the aftermath, the post-victory sound bites all suggest that 51% of American voters hold the other 49% in pretty low esteem.

We're patriotic; you're not...

We're strong; you're weak...

We have moral values; you don't...

Liberal thinking is evil!

We are as polarized a society as you could statistically imagine. I find it repulsive that anyone could suggest that the election results demonstrate that a majority of the U.S. population believes *Liberal Democrats* have no faith; are condemned to burn in hell for their rejection of Biblical law; harbor terrorists in their condos; and want the international community to dictate U.S. policy. I find it frightening that high-ranking party members and newly- or re-elected federal and state officials are espousing such thinking and flaunting it publicly.

This is exclusionary thinking in the extreme. Exclusion is un-American. Patriots defend the rights of every American. The strong protect the weak. Those with moral values set examples. Liberal thinking tempers conservatism. If you don't agree, read the Constitution. And your Old and New Testaments.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID326 by Dave Piscitello  


Wed, 03 Nov 2004 00:00:00 00, 325
Why do spammers spam?

During an NGN 2004 Boston session, Antispam: analyzing the alternatives, Paul Judge of CipherTrust offered an intriguingly simple root cause analysis of why spammers are motivated to spam:

"That's where the money is..." More...

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID325 by Dave Piscitello