Infosec Red Card

At my new job, they take safety really seriously.  They want everyone to go home at the end of the day with all the fingers they came in with.  Not normally an issue for office workers, but the thought is nice.  It is really more appropriate for other divisions/branches of the company.

Each employee gets a physical safety red card and is empowered to use it to stop work when there is an imminent danger or potential for physical harm.  Work resumes only when cleared by management.

It's a really cheesy way of deputizing everyone as a safety officer.  It reminds me a bit of the original Saturn model where a line worker could shut down the assembly line.

It made me wonder: what about an infosec red card?  Hopefully at most companies, infosec can put a halt to a process, forcing management to examine and address the risk.  It's possible that a company might train users well enough to refuse to act insecurely: not providing their password to the help desk, not sending sensitive information in clear text, not allowing tailgating.  Perhaps there should be an infosec red card as well.

Ordering Pizza

Even with Little Caesars expanding back into the DC area, there isn’t one that close to my house.  But we still get to enjoy their commercials.

In this commercial a husband asks his wife for the login password so he can order pizza.  She explains that Little Caesars has hot and ready pizza, so you can just walk in and grab one.  The joke is that he doesn't realize she isn't telling him the password, so he starts typing.

It's funny, though: one password construction method is to take a sentence and use the first letter of each word.  So maybe when she said “Little Caesars has hot and ready pizza so you can just walk in and grab one.” she really meant her password was LChh&rpsucjwiago.

Personal VPNs in a CDN World

I wrote about personal VPNs back in 2011.  Going on vacation, I wanted to avoid insecure wifi.  The best way to do this is through a personal VPN product.  This is still true today even with the increased use of SSL.  I still think this is a great use for these products.

Interest in encryption and personal VPN products has skyrocketed since the Snowden “revelation” that the government snoops on you (and let's not forget about Google).  People are interested in always-on VPNs to restore a bit of privacy.

Do VPNs meet this goal, and what is the cost?

The VPN provider I use has a page, “Why Do I need a Personal VPN?”  Their list is a good summary of why you might use a personal VPN, but it has one example of why it sometimes isn't so easy.

“You don’t want search engines, such as Google, Yahoo, AOL, and Bing recording and storing every Internet search you perform…potentially forever.  Just like your ISP, Internet search engines record every search you do and tie it to your IP address.”

Search engines use cookies to track you.  Even if you don't log in, which they encourage you to do, they use cookies to know who you are.  An IP address isn't granular enough for them: there are shared computers, and multiple computers behind one IP address.  You would need to take additional steps, such as incognito mode, to prevent all tracking.

“You live in, or are visiting, a country that engages in Internet censorship or monitoring of content.”

Fair enough, but people who employ encryption could find themselves under suspicion just for that.

And there is also the case of Eldo Kim.  He sent a bomb threat to get out of a final exam.  He thought he had covered his tracks using Tor.  But he used the campus wifi, so they were able to track who was using Tor at the time of the threat.  Are you going to think of everything when covering your tracks?

In general, VPNs meet the goal of providing privacy.  But like anything, you need to be aware of some gotchas.

There are also costs to using a VPN.  This is particularly true when it is used in an everyday, always-on mode, as would be necessary to avoid governmental, ISP and corporate snoops.  When just using a VPN for protection on a hostile network, the speed impact may not be so noticeable.  But at home, you have a big pipe.  50+ Mbps connections are becoming more commonplace.  The FCC is thinking of defining broadband as faster than 10 Mbps.  So why does my VPN pipe max out at 5 Mbps?  That's quite a hit.  I haven't asked my provider whether that is per-user QoS or an element of saturation.

There is also the issue of the CDN.  Content Delivery Networks move content into the ISP's data center to provide faster response.  Netflix SuperHD was originally available only to users on their Open Connect Network (CDN).  YouTube's ISP rating system reports that my ISP has tested at HD quality and my VPN pipe doesn't.  My traffic through the VPN bypasses the locally cached content.  Performance is lost in the name of security.

Is this enough to keep you from using an ‘always on’ personal VPN?

Is Windows 8.1 April Update Installed?

With this week's Microsoft updates, Windows 8.1 users must have the April 8.1 ‘update’ installed to continue to receive OS-related patches.

Update:  Extended to June 10.  

This is rather confusing in so many ways.

  • Windows 8 users don't have this deadline.  The 8.1 update doesn't apply to them.
  • Searching for information about this update is problematic because “Windows 8.1 update” searches generally return information on upgrading from Windows 8 to 8.1.
  • It's not obvious how to tell whether you have this oh-so-critical ‘update’ installed.

In the past, to determine what operating system I'm running, I would generally run ‘winver’ at Start – Run (of course that requires enabling the ‘run’ box on the start menu), or go to the command prompt and run ‘ver’.  This doesn't work here because the 8.1 ‘update’ isn't a service pack; it doesn't show up there.  Next I tried running systeminfo | findstr /B /C:"OS Name" /C:"OS Version", which didn't help me either.

Windows 8.1 Update is a patch, not a service pack, so it should show up in Add/Remove Programs.  In Control Panel, open Add/Remove Programs.  Click on View Installed Programs.  In the upper right-hand corner where it says ‘search for updates’, type KB2919355.  If Windows 8.1 Update is installed, one result will be returned: the non-descriptively named Update for Microsoft Windows (KB2919355).

If it is not installed, and you do have Windows 8.1, make sure you have the prerequisite installed.

Note that if you get your updates from WSUS or SCCM, Windows 8.1 security updates will be available for 120 days from release of this update rather than the 30 days allotted to everyone else.

DLP

Data Loss Prevention has been a hot topic as of late.

In the past I always believed that DLP was only effective where you had a data labeling program.  Otherwise it's just another product that doesn't work well when you can't answer where the important information is.  Over time, I also became more concerned with throwing tech solutions at a people problem.  With that view, and no one asking for it, DLP never made it onto the priority list.

I've seen point solutions such as email gateways that look for credit card numbers.  And they find numbers everywhere they look.  And that is when you're looking for something specific, something that can even be verified (the Luhn check).  How will it deal with data that can't be verified that way?  Can DLP occur at all without management buy-in?

There are some interesting possibilities.  Perhaps you have a particular webserver and nothing from that server should go out.  Perhaps you have templates.   And while the content might change somewhat, the DLP sees enough similarity to match.

A good DLP solution also allows enough flexibility in warning, quarantining (with release a possibility), and blocking.
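As an added illustration of the two points above (the credit card numbers that gateways "find everywhere", and the warn/quarantine/block choice), here is a small Python detector that is not part of the original post or of any DLP product. It pulls 13 to 19 digit runs out of a message, applies the Luhn check to separate card-like numbers from order and ticket numbers, and maps the result onto an action. The action policy (block on a Luhn-valid number, warn on a Luhn-failing candidate, allow otherwise) and the sample messages are assumptions constructed for the example; the card numbers are commonly published test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit validation as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(text: str):
    """Return (raw_match, luhn_ok) for every digit run that looks like a PAN."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        hits.append((raw, luhn_valid(digits)))
    return hits


def decide(text: str) -> str:
    """Policy assumed for this example (not from the post): block if any
    candidate passes Luhn, warn if candidates exist but all fail Luhn,
    otherwise allow."""
    hits = find_candidates(text)
    if any(ok for _, ok in hits):
        return "block"
    if hits:
        return "warn"
    return "allow"


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "Please charge my card 4111 1111 1111 1111, exp 12/26.",  # Luhn-valid test number
    "Your order 1234567890123456 shipped today.",             # 16 digits, fails Luhn
    "Ticket 5500-0000-0000-0004 was escalated.",              # passes Luhn: about 1 in 10 random numbers do
    "Call 202-555-0123 with questions.",                      # too short to be a PAN
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{decide(msg):5}  {msg}")
```

The third message shows why Luhn alone is not enough: roughly one random number in ten passes the check, so a gateway that blocks on Luhn alone still needs a quarantine-and-release path rather than a hard block.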

Closed

It's been fun, and I hope that I've helped or informed in some small way these many years.  But it's become clear that work policies and vendor sensitivities don't allow for the type of blogging that I'd like to do.  Stay safe out there.

The Case of the Mixed Content

Recently a problem came up with some required training hosted on our Learning Management System.  Users would receive a warning “Only Secure Content is Displayed”.  While users could click ‘show content’, they then received an error message ‘unable to connect to LMS’.  They could still watch the training video, but were not shown as completing the assignment in the LMS.

Mixed content refers to websites that serve some elements over HTTPS and others over HTTP.  An attacker could replace the elements served over HTTP, compromising the security of your computer and your access to the “secure” website.  Microsoft has an extensive writeup on IE9 and mixed content here.  You would expect that upon clicking ‘show all content’ the LMS presentation would work correctly.  But in this case the reload of the page to add the insecure content appears to have broken some sort of connection, probably authentication.

To troubleshoot this issue, I installed Fiddler and enabled SSL decryption.  I then recorded traffic while reproducing the issue.  I was able to quickly determine that the HTTP content was a call to Google Fonts.  I then searched the Fiddler logs to determine which file included code with this call.  The change was tested and implemented with no further issues.  Microsoft summarizes the steps in this article.  To that I would add that you need to enable SSL decryption in Fiddler, and may need to install a plugin to decompress content.
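A static check complements the Fiddler capture described above: once you have the page source, you can find the offending reference without reproducing the problem in a browser. The following Python scanner is an added example, not code from the post, Microsoft, or the LMS vendor. It parses the HTML of a page served over HTTPS, resolves every subresource URL against the page URL (so relative and protocol-relative references correctly inherit https), and reports anything that would still be fetched over plain http, distinguishing active content (scripts, frames, stylesheets, plugins) from passive content (images, media). The sample page and all hostnames under .example.test are constructed placeholders; fonts.example.test stands in for the font provider mentioned in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that fetches a subresource. Script, frame, stylesheet and
# plugin content is "active" mixed content (replacing it yields code execution
# in the page); images and media are "passive".
FETCH_ATTRS = {
    "script": "src", "iframe": "src", "link": "href", "object": "data",
    "embed": "src", "img": "src", "video": "src", "audio": "src", "source": "src",
}
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}


class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, resolved_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only rel=stylesheet fetches and applies a resource; rel=canonical
            # and similar are metadata, not mixed content.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        attr = FETCH_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        # urljoin resolves relative paths and protocol-relative "//host/..."
        # against the page URL, so those inherit https and are not flagged.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, attr, resolved, kind))


def scan(page_url: str, html: str):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; every hostname is a placeholder.
PAGE_URL = "https://lms.example.test/course/101"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://cdn.example.test/lms.css">
  <link rel="stylesheet" href="http://fonts.example.test/css?family=Open+Sans">
  <link rel="canonical" href="http://lms.example.test/course/101">
  <script src="//cdn.example.test/player.js"></script>
</head><body>
  <img src="http://static.example.test/logo.png">
  <img src="/images/banner.png">
  <script src="https://lms.example.test/api/track.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, kind in scan(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url}")
```

On the sample page the scanner reports two findings: the http stylesheet (active, the kind that triggers the IE warning and, if tampered with, runs in the page) and the http logo image (passive). The protocol-relative script and the relative image are not flagged because they resolve to https, and the canonical link is skipped because the browser never fetches it.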

Be careful little hands what you type

See update at bottom of story.

A story today in The Atlantic Wire tells the story of a couple who searched wrong.   There is also a writeup from the wife about her husband’s experience.

They searched for backpacks and later searched for pressure cookers.   Obviously, this could only be the work of a terrorist cell.

The question that comes to mind first is how did the government know?  Google searches are generally SSL encrypted.   This would have to be access at the Google servers.

The next thing that comes to mind is who will make the first parody ad for a Google Search competitor.  “Use Google, and get a visit from Big Brother.”

After September 11th, people demanded to know why the intelligence community didn’t put the pieces together.   But this isn’t putting pieces together.   This is sifting everyone’s lives looking for evidence.  It reminds me of pre-Internet when the police might try to get access to library records because Lord knows reading Catcher in the Rye means you’re about to commit murder.

Postscript:

The Atlantic Wire uses a stock photo showing a SWAT team with a shield at the door of a house.  This is irresponsible journalism.  The write-up from the wife describes six men in casual clothing.

Update:

The Suffolk County PD has reportedly issued a press release.  This release is not currently on their website.  But a copy is posted at outsidethebeltway.com

Suffolk County Criminal Intelligence Detectives received a tip from a Bay Shore based computer company regarding suspicious computer searches conducted by a recently released employee. The former employee’s computer searches took place on this employee’s workplace computer. On that computer, the employee searched the terms “pressure cooker bombs” and “backpacks.”

So, that answers how the police became involved.  It wasn’t NSA intercepts.  The big brother here was the company IT guy.