2/17/05

What would your grade be?

InfoWorld reports "U.S. agencies receive D+ cybersecurity grade." And we're not talking about some insignificant agencies. (No offense meant.) Problem agencies include the Department of State, Department of Homeland Security (gasp!), and the Department of Commerce. Most improved were the Department of Transportation and the Department of Silly Walks. (I am joking about the latter.)

2/15/05

A Really Ugly Side of the Internet

Today in my RSS newsfeeds were a few items that got my stomach churning and my blood boiling. I'll add no other comments, except to point to a few of the on-line articles. The topic is child pornography.

Information Week's article The Privacy Lawyer: The Pain Behind The Pictures is an introduction to why child-protection advocate Parry Aftab got involved in this fight. (WARNING: contains graphic descriptions.)

Raising Public Awareness discusses a public awareness campaign.

These articles— Technology And The Fight Against Child Porn, Picture This: Should Google Filter Its Image Database?, and (via securitypipline) The Problem Is Getting Bigger—discuss the issue from various angles.

Learn more about what you can do about it at picture of child

2/14/05

Seven Things to Help Keep Sanity and Equilibrium

In reading the Firewall-Wizards thread under the subject VPNmadness gets more support, I thought of a paper I wrote almost 5 years ago, entitled The Rise and Fall of Internet Security. It is still relevant, so (and not just because I am lazy) I repost "The Seven Things to Help Keep Sanity and Equilibrium" here. No one needs to tell us how to play this tug-of-war. If we are security professionals, we are already engaged in it. How do we stay in the game, while providing security and providing usability in a way that occasionally permits us to relax? Security professionals must remember (at least) the following seven truisms.
  1. We ask for requirements, they give us solutions. It is very important to listen carefully and ask questions. When someone states "We need to allow the H.323 protocol through our firewall," they have given you a solution. You might not know whether it is the best solution, but you must recognize it for what it is and gently push back: "What is your requirement?" You see, the requirement is probably something along the lines of this: "We need to easily and inexpensively audio- or video-conference between groups X and Y." By giving you the "solution," they might force you into opening up more (perhaps insecure) services through your firewall. Their proposed "solution" might not even be the best one for the application they truly wish to employ.
  2. Many requirements are wants or desires in disguise. Sometimes you may be in a position to "grant wishes," but it is important from a security point of view to understand what are business requirements and what are not. "We need you to open up UDP port 2092" might really mean, "I want to play Descent3 on the network with some of my buddies." Once you know the want or desire, if it is contrary to a security or acceptable use policy, you can explain why this request cannot be satisfied. While it won't make Descent3 users happy to know they can't play this game at work, treat the user as an adult by explaining the vulnerability, threat, and consequence that gave birth to the policy (see 3 as well).
  3. It all has to do with numbers. The fewer the numbers of {supported services, permitted connections, outsiders allowed in, insiders allowed out, cluelessness}, the easier securing the network will be. If every sales person (let's say 100 of them) needs access to the entire inside network (500 computers), utilizing any possible Internet service (roughly 65,000 ports), we end up with a level 9 problem (100 x 500 x 65,000 = 3.25E9 host/service combinations). If every sales person actually only needs to send and receive e-mail and have web access to the sales web server, we end up with a level 2 problem (6E2). Which would you rather have to deal with, a level 2 or a level 9 earthquake?
  4. The more granular (specific) we can be in our security measures, the easier it will be to secure the network (at least in the long run), and the easier it will be to provide services. This follows from number 2. Many corporate interoffice firewalls are configured to allow unlimited access from one site to another. It is far better to allow open access (if required) for only the required services between the offices. This is because...
  5. If you have mistakenly disabled a required service, you will hear about it. If you allow an insecure service over which someone can launch an attack, you may never know about it. This is a corollary to the axiom, "that which is not expressly permitted is prohibited." When unsure about a service, better to disable it and incur the temporary wrath of service users than to expose your network to attack.
  6. It is the responsibility of the clueful to clue in the clueless. We must remember that the clueless may and should make good and proper use of the Internet: this is a Good Thing. Simply put, it is a benefit for our jobs and our society that computers are accessible to almost anyone. People are not stupid just because they do not know that "macros" in a document running in a word processor are actually programs and are to be treated with suspicion. They do not have to know what is behind a web page in order to use it, but they should have enough security education (your job, perhaps) to know when to stop and think ("Click here to infect your machine").
  7. Equilibrium is more than just good. Equilibrium is winning.

2/9/05

Eudora and Firefox Exploits

Vulnerabilities were announced in two of my favorite computer tools on the same day. As slashdot reports, The Shmoo Group showed off a "nasty browser exploit ... works in every browser *except* IE".

All the other browsers support Internationalized Domain Names (IDN), which lets a look-alike Unicode character stand in for a Latin one in a host name, so the address bar can show what appears to be a familiar site. Check out the demo.

The funny thing is, I had seen this just last week in an email message that was supposed to come from (uh oh) paypal. [See addendum below] I slid my mouse over the URL and... what-ho! It still said it was taking me to the real paypal site. But, being the bright guy I am, I told Eudora to show me the message source (in a text editor) and I saw that it was actually going to take me to -- well, click on the URL above, look at what you see, then display the html (the source) and you'll see.

The good news is that it is easy to fix without a new version of Firefox. The workaround, according to mozillaZine, is to disable IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (see Common profile locations).

Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line.
A simpler way -- entering "about:config" in Firefox's URL window, finding "network.enableIDN," and changing the value to "false" -- did not work.

I read about the Eudora problem in my WatchGuard news feed. It requires an upgrade to Eudora or a switch to another e-mail client, such as Mozilla Thunderbird. I decided I would try to migrate to Thunderbird. I write about it here.

The suspect URL in my email was
http://www.paypal.com@aida-fans.de/phpkit/index.htm


Eric Johanson of The Shmoo Group wrote and corrected me:
This was using the 'username@domain' trick, which has been around for a while (and most of the browsers block or warn users these days).

Eudora to Thunderbird?

How I got here I describe in Eudora and Firefox Exploits. I won't write about how much or why I like Eudora. (I talk about it briefly in E-mail Security: We Still Don't Bother.) I decided now might be the time to migrate from Eudora to Thunderbird. This is a brief report on what I did.
  • First, I checked out whether TB had what I need in an e-mail client. This included
    • Email stored in text files
    • Use of the directory (folder) structure. (So, for example, if I have Inbox, Outbox, Trash, and a folder called Clients with 30 separate mailboxes under it, each mailbox is a separate file, and Clients is a folder with 30 mailboxes in it.)
    • Attachments stored separately from e-mail. The reason -- I sometimes need to get at my mail folder from a Linux computer and want to still be able to copy and open attachments without having to be at my desk using the email client program.
    • Mailboxes in a user-defined location. Because I sync my desktop and notebook PC and for backing up, I want my mail folder to be in "My Documents."
    • A bunch of other things including complex searches, filtering, and multiple identities
    • E-mail sync with Palm (I sometimes do email on it)
    TB had all these things directly or with extensions.
  • I backed up all my email (well, duh!)
  • I did a clean install
  • I did NOT set up e-mail accounts yet
  • I set up TB to store my Local directory (wherein all the email would go) in my preferred email location
  • I imported the Eudora address book. Worked!
  • I then imported Eudora settings. That worked. It made my email accounts. I went through and tweaked them... by default it had them all set up to 1) automatically check the email (I only autocheck my primary account) and all defaulted to (oh, ick) HTML formatted email.
  • Then I imported the mail folders. It seemed to work and put them under a "Eudora mail" folder. Well, I didn't want it there.
  • So, I exited, and in Windows went to the directory and cut and pasted the folders it had copied one level up in the TB mail folder. I restarted TB and it worked!
But, as I started to use it there was a showstopper. Some, not all, of the attachments had not been imported. (I knew something was up because the folder was smaller in size.)

I have a lot of attachments. I could find no description of that problem in a search, and didn't want to spend more time than the cost of an upgrade, so I went to Plan B.

Plan B was to upgrade Eudora. Right now I have it running in sponsored mode. It is no bother to have a little advert on the screen. I will probably pay for it soon. It used to cost $30. Now, it costs $50. I've used and liked Eudora for 10 years or more, 8 or so years of that on my $30 purchase. You know... even in hard times, it is a small price to pay.

I'm upgrading Eudora and sticking with it.

2/4/05

Security Awareness Education is Not Enough

In August 2004 I talked about the effectiveness of security awareness education (in Report Suspicious Activity). I referred to the highway signs that say "REPORT SUSPICIOUS ACTIVITY - CALL 800 492 TIPS".

This morning as I drove by that same sign, I realized something. Unless something suspicious happens right before I see that sign, I will remember I should report something. I just won't remember the phone number to call.

An assessment of your security awareness education should include an analysis of what you are expecting of your people and how likely they are to be able to execute what you expect with the tools available. Maybe you need to provide different tools. For example, you could issue laminated cards with reminders. Or you could make it easier to comply. (Could the highway phone number be more memorable, like "800-CALL-DHS"? Could we make sure local law enforcement can handle "suspicious activity" reports? Maryland State Police reminds us on signs what 3-digit number reaches them from mobile phones.)

I now remember to report suspicious activity. But, will I remember how?

Hey, I just (4Feb05) learned the "TIPS" number here in Maryland gets you the Maryland Coordination and Analysis Center (MCAC). (No, I wasn't calling in suspicious activity.) I still think they need an easier phone number to remember. (Go ahead... click on the URL above. See what it translates to. I get an ugly URL with all sorts of tracking in it. Still, probably their webmaster isn't the person answering calls about suspicious activity.)

Notes from my prayer time today

I believe:
  • The 2 Great Commandments (1. Love the LORD your God with all your heart, ... soul, and ... mind. 2. Love your neighbor as yourself. (DEU 6:5, LEV 19:18; MAT 22:37-40))
  • we do #1 when doing #2
  • #2 starts with fellow-believers, but includes anyone on my path.
  • God does not require more than I can do in the strength of Christ
  • I must every moment be in fellowship with God
  • I can do all things through Christ
  • It is often easier with the support of brothers
  • It usually is best to break the task into steps.
God does not promise to show me the whole path to walk, just possible next steps

He will direct my steps to the correct next step as I commune with him

I get in trouble or despair whenever I take my eyes off of Jesus or start going it alone (which happens daily)

I tend to see the whole task and freeze rather than remember that today I am only responsible for today's step on the path

I forget to enjoy Him, to enjoy the tasks He gives me