Mythic Monday – The Song of Roland

  • At February 23, 2009
  • By Josh More
  • In Mythology
  • 0

The Song of Roland tells the tale of King Charlemagne and his knight Roland.  The tale is long and complex (and nicely summarized here), but the important thing is near the end.

Roland and his knights are ambushed.  There’s little possibility of success, but they keep fighting on.  Roland has but one option remaining, and that is to sound his horn and summon reinforcements.  However, to require help would not be honorable, and Roland would rather die than be dishonored.  Things get so bad that Roland’s friend implores him to blow on his horn three times, and Roland, in his pride, chooses not to.

Then, at the end, when all is truly lost, Roland finally sounds his horn and dies with the effort.  The king hears and comes to the battlefield and avenges the dead.

So, what can we learn from this?

I think that the most important lesson is pretty obvious:  blow the horn before everyone dies. Or, in modern vernacular, swallow your pride and ask for help.

It’s no news to anyone that a lot of businesses are struggling right now.  The economy is in a state of turmoil, and while a lot of people say that you can make money whether the stock market moves up, down or sideways, the simple fact is that things are hard when the future is even less predictable than usual.  Existing vendors may change your credit terms, clients may demand a higher value from you for what they’re paying.  Competitors may choose to compete in ways that may not be ethical or fair.

What can you do about this?  There’s one simple option:  ask for help.

There is a lot of talk about business being cut-throat and numerous stories about business partners that took advantage of one another.  However, at least in the small business market, the opposite is also true.  People help each other out.

Sure, there are high-priced consultants who will come in and give you advice.  There are also well-intentioned friends who might help you out for free.  But don’t forget about the tons of mid-range business people that are willing to lend a hand for modest fees and/or the trading of services.  Odds are that there is a relatively workable solution to your business problem and a cheaper or more efficient way to do things.  However, if you never ask for help, you may never find them.

There is also no point in waiting until everyone around is dead or dying (or laid off) before you call for help.  If you wait too long, your business just serves as a tale of warning to others (much like The Song of Roland, actually).

Remember, we may be competitors, clients or vendors, but we actually are all in this together.  It does no one any good to stand by and idly watch as small businesses fall like dominoes. We can help each other out… so long as we know who to help.

Tool Review – ExifTool

  • At February 20, 2009
  • By Josh More
  • In Business Security
  • 0

The Exchangeable Image File Format (EXIF) is a method that image files use to store data about the image.  It’s often referenced in relation to the image files produced by digital cameras.  These files often store data about the camera that took the photo, the settings of the camera, whether or not the flash went off and other data.  This is very useful in categorizing the images.

ExifTool is a neat little tool that allows you to dig into this information.  It’s available for Windows, Linux and Mac, and lets you look inside your photos.  Let’s look at an example.  This is what results in my running the tool against a photo that I took on a recent trip:

$ exiftool dsc_6497.jpg
ExifTool Version Number         : 7.42
File Name                       : dsc_6497.jpg
Directory                       : .
File Size                       : 5.9 MB
File Modification Date/Time     : 2009:02:15 17:50:13
File Type                       : JPEG
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Make                            : NIKON CORPORATION
Camera Model Name               : NIKON D200
Orientation                     : Horizontal (normal)
X Resolution                    : 300
Y Resolution                    : 300
Resolution Unit                 : inches
Software                        : f-spot version 0.5.0.3
Modify Date                     : 2009:02:15 17:50:13
Y Cb Cr Positioning             : Co-sited
Exposure Time                   : 1/320
F Number                        : 7.1
Exposure Program                : Aperture-priority AE
ISO                             : 100
Exif Version                    : 0221
Date/Time Original              : 2009:01:25 23:44:02
Create Date                     : 2009:01:25 17:44:02
Components Configuration        : YCbCr
Compressed Bits Per Pixel       : 4
Exposure Compensation           : 0
Max Aperture Value              : 5.7
Metering Mode                   : Multi-segment
Flash                           : No Flash
Focal Length                    : 400.0 mm
Maker Note Version              : 2.10
Color Mode                      : Color
Quality                         : Fine
White Balance                   : Sunny
Focus Mode                      : AF-C
Flash Setting                   : Normal
Flash Type                      :
White Balance Fine Tune         : -2
Color Balance 1                 : 1.8359375 1.35546875 1 1
Program Shift                   : 0
Exposure Difference             : 0
Warning                         : Bad NikonPreview directory
Flash Exposure Compensation     : 0
ISO Setting                     : 100
Image Boundary                  : 0 0 3872 2592
Flash Exposure Bracket Value    : 0.0
Exposure Bracket Value          : 0
Crop Hi Speed                   : Off (3904x2616 cropped to 3904x2616 at pixel 0,0)
Serial Number                   :
Image Authentication            : Off
Tone Comp                       : Auto
Lens Type                       : D VR
Lens                            : 80-400mm f/4.5-5.6
Flash Mode                      : Did Not Fire
AF Area Mode                    : Dynamic Area
AF Point                        : Center
AF Points In Focus              : Center
Shooting Mode                   : Continuous, Auto ISO
Auto Bracket Release            : Manual Release
Color Hue                       : Mode1
Light Source                    : Natural
Shot Info Version               : 0207
Vibration Reduction             : On (1)
Hue Adjustment                  : 0
Noise Reduction                 : Off
WB RGGB Levels                  : 470 256 256 347
Lens Data Version               : 0201
Exit Pupil Position             : 128.0 mm
AF Aperture                     : 5.7
Focus Position                  : 0x03
Focus Distance                  : 59.57 m
Lens ID Number                  : 101
Lens F Stops                    : 5.67
Min Focal Length                : 80.0 mm
Max Focal Length                : 403.2 mm
Max Aperture At Min Focal       : 4.5
Max Aperture At Max Focal       : 5.7
MCU Version                     : 107
Effective Max Aperture          : 5.7
Sensor Pixel Size               : 6.05 x 6.05 um
Image Data Size                 : 6218124
Image Count                     : 26181
Deleted Image Count             : 1307
Shutter Count                   : 27488
Flash Info Version              : 0101
External Flash Flags            : (none)
Flash Commander Mode            : Off
Flash Control Mode              : Off
Flash Group A Control Mode      : Off
Flash Group B Control Mode      : Off
Flash Group A Exposure Comp     : 0
Flash Group B Exposure Comp     : 0
Image Optimization              : Custom
Multi Exposure Version          : 0100
Multi Exposure Mode             : Off
Multi Exposure Shots            : 0
Multi Exposure Auto Gain        : Off
High ISO Noise Reduction        : Off
User Comment                    : (c) Josh More     www.starmind.org
Sub Sec Time                    : 55
Sub Sec Time Original           : 55
Sub Sec Time Digitized          : 55
Flashpix Version                : 0100
Color Space                     : sRGB
Exif Image Width                : 3872
Exif Image Height               : 2592
Interoperability Index          : R98 - DCF basic file (sRGB)
Interoperability Version        : 0100
Sensing Method                  : One-chip color area
File Source                     : Digital Camera
Scene Type                      : Directly photographed
CFA Pattern                     : [Green,Red][Blue,Green]
Custom Rendered                 : Normal
Exposure Mode                   : Auto
Digital Zoom Ratio              : 1
Focal Length In 35mm Format     : 600 mm
Scene Capture Type              : Standard
Gain Control                    : None
Contrast                        : Normal
Saturation                      : Normal
Sharpness                       : Hard
Subject Distance Range          : Unknown
GPS Version ID                  : 2.2.0.0
Compression                     : JPEG (old-style)
Thumbnail Offset                : 3388
Thumbnail Length                : 9164
Subject                         : Bird Viewing Area
Image Width                     : 3872
Image Height                    : 2592
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:2 (2 1)
Aperture                        : 7.1
Blue Balance                    : 1.355469
Image Size                      : 3872x2592
Lens ID                         : AF VR Zoom-Nikkor 80-400mm f/4.5-5.6D ED
Lens                            : 80-400mm f/4.5-5.6 D VR
Red Balance                     : 1.835938
Scale Factor To 35 mm Equivalent: 1.5
Shutter Speed                   : 1/320
Thumbnail Image                 : (Binary data 9164 bytes, use -b option to extract)
Circle Of Confusion             : 0.020 mm
Depth Of Field                  : 6.28 m (56.59 - 62.87)
Field Of View                   : 3.4 deg (3.55 m)
Focal Length                    : 400.0 mm (35 mm equivalent: 600.0 mm)
Hyperfocal Distance             : 1125.03 m
Light Value                     : 14.0
Date/Time Original              : 2009:01:25 23:44:02.55

As you can see, there is a lot of data here.  Far more than you might expect to be in a simple picture.  Moreover, I’ve bolded some of the more interesting information.  A photographer might be interested in knowing that I used a Nikon D200 to take this photo.  I also apparently used an AF VR Zoom-Nikkor 80-400mm f/4.5-5.6D ED lens.  Note that there is technical data about not just the focal length and aperture used, but also the maximal and minimal settings for the lens.  Note as well that the date appears in numerous places.  Now things are getting interesting, as there’s a way to verify that I took the photo when I claim to have.

After all, I might have fabricated evidence.

So sure, this is good to know, in case I am claiming to have captured Bigfoot, but that doesn’t happen very often in business.  However, information leaks do.

Let’s take a quick trip over to Wikileaks and see what we can find:

Over here, we find a nice report titled “UN finds 217 sex abuse claims against blue helmets”.  Downloading the fairly nondescript file “OIOS-20070130-01.pdf”, we get:

$ exiftool OIOS-20070130-01.pdf
ExifTool Version Number         : 7.42
File Name                       : OIOS-20070130-01.pdf
Directory                       : .
File Size                       : 221 kB
File Modification Date/Time     : 2009:02:19 22:44:11
File Type                       : PDF
MIME Type                       : application/pdf
PDF Version                     : 1.5
Page Count                      : 17
Creator Tool                    : PrimoPDF http://www.primopdf.com
Metadata Date                   : 2008:04:09 12:54:16-04:00
Document ID                     : uuid:a3ec6d39-037e-4672-945b-25ce88970721
Format                          : application/pdf
Description                     : United Nations Organization Mission in the Democratic Republic of the Congo
Modify Date                     : 2008:04:09 12:54:16-04:00
Create Date                     : 2007:04:12 17:16:25Z
Title                           : Allegations of sexual exploitation and abuse in the Ituri region, Bunia [ID Case No. 0618-05]
Creator                         : PrimoPDF http://www.primopdf.com
Author                          :
Date                            : 01/30/2007
Keywords                        : monuc, congo, bunia, sexual, exploitation, abuse, ituri
Subject                         : United Nations Organization Mission in the Democratic Republic of the Congo
Producer                        : AFPL Ghostscript 8.54

So, we’ve learned when the file was created (back in April 2007), but it was modified in April 2008. Interesting. We also learn that it originally had a more interesting description and title than “OIOS-20070130-01.pdf”.

But Wikileaks scrubs data in an effort to remain anonymous (well, mostly). What about other information out there? How about we do a quick Google search on intitle:”rfp”+filetype:doc+response, looking for responses to RFPs that might be available.  Suppose this search turned up a document titled “KonnSv11.doc” that just might be an RFP response from a large multinational company that knows a little something about connectivity.  Wonder what this document can tell us?

$ exiftool KonnSv11.doc
ExifTool Version Number         : 7.42
File Name                       : KonnSv11.doc
Directory                       : .
File Size                       : 508 kB
File Modification Date/Time     : 2009:02:12 22:51:53
File Type                       : DOC
MIME Type                       : application/msword
Title                           : COMPANY IPCM RFP Response
Subject                         : Ver.1.0
Author                          : Tikeo Homado
Keywords                        :
Template                        : NormalAnglais
Last Saved By                   : Tikeo Homado
Revision Number                 : 18
Software                        : Microsoft Word 8.0
Total Edit Time                 : 6.9 hours
Last Printed                    : 2000:03:21 02:34:00
Create Date                     : 2000:04:20 02:06:00
Modify Date                     : 2000:04:21 09:39:00
Page Count                      : 1
Word Count                      : 13019
Char Count                      : 70516
Security                        : 0
Company                         : COMPANY
Lines                           : 1221
Paragraphs                      : 1012
Char Count With Spaces          : 91437
App Version                     : 8 (0e84)
Scale Crop                      : 0
Links Up To Date                : 0
Shared Doc                      : 0
Hyperlinks Changed              : 0
Title Of Parts                  : COMPANY IPCM RFP Response
Heading Pairs                   : Title, 1
Code Page                       : 932
PIDGUID                         : {91F4D900-FDF2-14D0-BEF0-DC9E29819138}
Hyperlinks                      : joeLogo2.gif
Comp Obj User Type Len          : 20
Comp Obj User Type              : Microsoft Word ��

So, we get the name of the person who worked on the RFP. In this case, the same name is listed in the RFP, but it’s not unusual for companies to have an RFP team, with a project manager in charge. Might it be useful to get the names of the key project managers at a competing company? Also, note that we have learned how much time they put into writing the RFP. If, after a few searches, you can find out how much time your competitors spend on responses, might that not be useful?

Let’s look at one last example.  If we do a search on intitle:”salary”+filetype:xls, we might expect to find a lot of spreadsheets containing salary data. We might even be right. Were we to find such a file and run our handy-dandy little tool against it, we might even see:

$ exiftool Salary info over 75000.xls
ExifTool Version Number         : 7.42
File Name                       : Salary info over 75000.xls
Directory                       : .
File Size                       : 131 kB
File Modification Date/Time     : 2009:02:11 23:10:49
File Type                       : XLS
MIME Type                       : application/vnd.ms-excel
Author                          : sgermon
Last Saved By                   : nshoedinger
Software                        : Microsoft Excel
Last Printed                    : 2008:03:10 13:56:03
Create Date                     : 2006:12:11 15:48:19
Modify Date                     : 2008:10:09 12:38:55
Security                        : 0
Company                         : JANEDOE
App Version                     : 11 (270f)
Scale Crop                      : 0
Links Up To Date                : 0
Shared Doc                      : 0
Hyperlinks Changed              : 0
Title Of Parts                  : Contract; Benefits, CoDist, 'Contract & Benefits'!Print_Titles
Heading Pairs                   : Worksheets, 2, Named Ranges, 2
Code Page                       : 1152

The interesting bit here is that the author and the person who last edited the document are different. So, we know that two people know the salaries in excess of $75,000 for this organization. Those names also look a lot like network usernames, so we probably also have email addresses and, with a bit of work, possibly accounts that we could use to access certain systems. Perhaps these names even have access to the financial data, given that they know salaries.

So, a few questions for you:

  • What information are your clients putting out on the Internet about themselves?  About you?
  • What information are your competitors putting out there?
  • What information are you accidentally leaking when you send files around?
  • Did you know that exiftool can also be used to SET data as well as read it?  Interesting, no?

Do you think you might want to do something about that?
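To show what ExifTool is actually reading, and what “do something about that” looks like for the third question above, here is an added example written for this page; it is not code from the original post and not ExifTool’s own code. It builds a small JPEG with a constructed EXIF block (the camera, software, date and copyright strings are made up for the example), walks the TIFF directory inside the APP1 segment to pull those strings out, and then drops the APP1/APP13 segments so the file can be sent without them. The function and tag names are the example’s own; the tag ids come from the EXIF specification.

```python
import struct

# TIFF/EXIF tag ids from the EXIF specification; anything else is reported by hex id.
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "ModifyDate",
    0x8769: "ExifIFDPointer",
    0x9003: "DateTimeOriginal",
    0x9286: "UserComment",
}
APP0, APP1, APP13, SOS, EOI = 0xE0, 0xE1, 0xED, 0xDA, 0xD9


def read_segments(jpeg):
    """Split a JPEG into (marker, payload) pairs; the SOS payload is the rest of the file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segs, pos = [], 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:                       # scan data follows; keep it verbatim
            segs.append((marker, jpeg[pos + 2:]))
            break
        if marker == EOI:                       # standalone marker, no length field
            segs.append((marker, b""))
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]   # length counts its own 2 bytes
        segs.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs


def write_segments(segs):
    """Inverse of read_segments."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in segs:
        out += b"\xff" + bytes([marker])
        if marker not in (SOS, EOI):
            out += struct.pack(">H", len(payload) + 2)
        out += payload
    return bytes(out)


def _parse_ifd(tiff, offset, bo, found):
    """Walk one IFD, collecting string tags and following the Exif sub-IFD pointer."""
    count = struct.unpack_from(bo + "H", tiff, offset)[0]
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, entry)
        size = {1: 1, 2: 1, 7: 1, 3: 2, 4: 4}.get(typ, 8) * n
        if size <= 4:                           # small values live inline in the entry
            value = tiff[entry + 8:entry + 8 + size]
        else:                                   # larger ones live at an offset into the TIFF block
            valoff = struct.unpack_from(bo + "I", tiff, entry + 8)[0]
            value = tiff[valoff:valoff + size]
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        if tag == 0x8769:                       # pointer to the Exif sub-IFD
            _parse_ifd(tiff, struct.unpack_from(bo + "I", value)[0], bo, found)
        elif typ == 2:                          # ASCII, NUL-terminated
            found[name] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif tag == 0x9286:                     # UserComment: 8-byte charset id, then the text
            found[name] = value[8:].rstrip(b"\x00").decode("ascii", "replace")


def extract_metadata(jpeg):
    """Return the string-valued EXIF tags found in the APP1 segment, keyed by tag name."""
    found = {}
    for marker, payload in read_segments(jpeg):
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]
            bo = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte-order mark
            magic, ifd0 = struct.unpack_from(bo + "HI", tiff, 2)
            if magic != 42:
                raise ValueError("bad TIFF header inside APP1")
            _parse_ifd(tiff, ifd0, bo, found)
    return found


def strip_metadata(jpeg):
    """Drop APP1 (EXIF, XMP) and APP13 (Photoshop/IPTC) segments; keep JFIF and the image data."""
    return write_segments([s for s in read_segments(jpeg) if s[0] not in (APP1, APP13)])


def _ifd(entries, ifd_offset, bo="<"):
    """Serialise [(tag, type, count, value_bytes)] as an IFD; long values go after the table."""
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    table, blob = struct.pack(bo + "H", len(entries)), b""
    for tag, typ, count, value in entries:
        if len(value) <= 4:
            field = value.ljust(4, b"\x00")
        else:
            field = struct.pack(bo + "I", data_offset + len(blob))
            blob += value
        table += struct.pack(bo + "HHI", tag, typ, count) + field
    return table + struct.pack(bo + "I", 0) + blob      # 0 = no further IFD


def build_sample_jpeg():
    """Constructed sample: JFIF header, EXIF block with made-up strings, and a dummy scan."""
    def ascii(s):
        v = s.encode("ascii") + b"\x00"
        return 2, len(v), v
    comment = b"(c) Example Photographer"
    exif = [(0x9003, *ascii("2009:01:25 23:44:02")),
            (0x9286, 7, 8 + len(comment), b"ASCII\x00\x00\x00" + comment)]
    ifd0 = [(0x010F, *ascii("EXAMPLE CAMERA CO")),
            (0x0110, *ascii("EXAMPLE D-200")),
            (0x0131, *ascii("example-editor 1.0")),
            (0x8769, 4, 1, struct.pack("<I", 0))]          # placeholder pointer, patched below
    exif_offset = 8 + len(_ifd(ifd0, 8))                  # pointer is inline, so the length is stable
    ifd0[-1] = (0x8769, 4, 1, struct.pack("<I", exif_offset))
    tiff = b"II" + struct.pack("<HI", 42, 8) + _ifd(ifd0, 8) + _ifd(exif, exif_offset)
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x00" * 16 + b"\xff\xd9"
    return write_segments([(APP0, jfif), (APP1, b"Exif\x00\x00" + tiff), (SOS, scan)])


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", extract_metadata(sample))                   # camera, editor, date, author
    print("after: ", extract_metadata(strip_metadata(sample)))   # {}
```

On the command line the same scrub is `exiftool -all= photo.jpg` (ExifTool keeps a `photo.jpg_original` copy). Note what the strip does and does not do: the pixels and the JFIF header are untouched, but the EXIF thumbnail lives inside the APP1 block and goes with it, which is usually what you want, since a thumbnail can show a version of the picture you cropped out.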


Important Note

It is important to note here that search engines make public a lot of information that probably was not intended to be made public.  It may or may not be illegal to access all of this data, but it should be OK to run tools like this against data that you own and find out what you’re leaking.

For my part, I modified some of the data in the exif reports listed above.  The format is correct, but it seems wrong to me to propagate someone’s data security mistake just to make a point, especially when the point can be made without doing so.  If you start playing with these techniques, I implore you to remember that people on the Internet are still people, and people make mistakes.  There’s generally no need to make these mistakes worse for them.

Please, be kind.

Small Business Defense – Patch Management and Defense in Depth

  • At February 19, 2009
  • By Josh More
  • In Business Security
  • 0

If you recall from yesterday, you’re in a lot of trouble.  You have all these patches coming at you, and you have to apply them quickly but make sure that they don’t break anything.  This isn’t easy, but what follows is a simple list of things to check.  It’s far from complete, but if you’re not managing your patches already, it’s a step in the right direction.

Do you really need that patch?

Remember that patches fix specific problems in specific pieces of software.  You can dramatically simplify the situation by reducing the software that is installed.  If you don’t use instant messaging in your business, there’s no reason to have it installed.  The same goes for various games and peer to peer applications.  Depending on what you do, it may also apply to development tools and office applications.  Remember, if it’s not there to be exploited, it can’t be exploited.

Is there another option?

Many patches cover specific attack vectors.  For example, different applications often listen for connections on specific ports.  Sadly, many of them are installed in such a way as to connect with anyone that wants.  Thus, if you have a payroll application that listens on port 11235 (eureka) but only needs to be accessed by the CFO, you can lock connections down so that only the CFO can use it.  If you do that (and the CFO’s PC is secure), you might be able to get away with excluding or delaying the patch.

Also, many applications run at a higher user level than is necessary.  Some people may have administrator rights to their own systems.  They may even need them to install software and do their daily jobs.  However, do they need them to use Internet Explorer when they connect to Facebook?  Probably not.  Using a tool like Drop My Rights, or avoiding IE altogether and using Firefox, would mitigate this problem.

Test Quickly

Despite my issues with virtualization, it is a useful technology.  If you have a full virtual infrastructure, you can quickly copy a machine, apply a patch, and run a suite of automated tests to see if it works OK.  If you’re a bit of a risk taker, you can even flip this around and apply the patch as soon as it becomes available, and simply make a copy of the machine in case it does cause problems.  That way, you’re protected as quickly as possible.

Deploy Everywhere

Remember, a piece of software should be easily accessed by those that need it, and impossible to access by those that don’t.  It’s a bit like your bed.  You need to sleep in it.  Depending on your living situation, others may need to sleep in it as well.  Thus, you need doors so you can get into your house (where you presumably keep your bed).  However, you don’t want random people coming in off the street and sleeping in your bed.  That’s why you put locks on the doors.

If you only apply your patches on some of your servers, it’s like only locking your front door but leaving your back door hanging open.  Eventually, you’ll stumble home exhausted from your day, and find a group of strangers in your bed.

Conclusion

You have to realize that patching is essential, but isn’t enough.  You can apply hardening techniques like those above and antimalware techniques like HIPS, as mentioned earlier.  You can lock down your network and user rights.  There are a lot of other things that you can do as well.  However, you have to apply the patches.

There are technologies that can be used to keep things up to date.  There are technologies that can be used to automatically test your patches.  There are technologies that can help you determine if a particular patch is needed.  However, before any of these can be successful, you have to commit to the reality that patches have to be applied as soon as possible, and accept that you are placing your business at risk if you do not.

Small Business Attack – Vulnerabilities and Exploits

  • At February 18, 2009
  • By Josh More
  • In Business Security
  • 0

So, by now, I am assuming that everyone around knows the importance of patching their systems when patches come out.  However, the reasons behind the practice aren’t often clear.  It gets a bit complex, because a patch can be intended to solve a problem or add a feature.  It gets more complex because there are different sorts of problems, only some of which are security related.  For the purpose of this post, a “patch” is a small release that is intended to correct a security problem in a piece of software.

So, when these come out, there is generally a known problem in the software.  Since it can allow an attacker to do something bad (to the system, the application or the data, generally), it’s known as a “vulnerability”.  You’ll hear those of us in the industry natter on far longer than is polite about the different ways to classify these vulnerabilities and which ones are “real” and which ones aren’t.

Really, we’re part of the problem.  See, within the security industry, there is a small and vocal minority that think that patching is stupid, and that systems should be designed securely to begin with.  Secure systems should only need a patch to add new functionality, and never need one to correct a security problem.  They say that people shouldn’t patch at all, and instead should hold software vendors accountable so that their software is designed securely in the first place.  If we don’t, we’ll never get secure software.

These people are absolutely correct, and utterly wrong at the same time.

Developing secure software is very hard.  It requires that all developers understand security and have enough experience to make the proper design decisions, that project managers will support them when correcting problems causes a release date to slip.  It means lots and lots of testing.  It means better tools and much longer release cycles.

In the end, it means very slow and very expensive software.  The market doesn’t want that.  Thus, we have patches.

There is a large and mostly silent majority in the security industry that simply patch every time patches become available.  They wait for the patches to be released, put them into their test systems and start running tests against them.  They often deploy the patches to production on the weekend following the update.  Thus, patches are often applied five to twelve days after they are released and cause a minimum of interruption to operations.

These people are absolutely correct, and utterly wrong at the same time.

Patches fix problems, and as we all know, problems come in different flavours and severities.  If you treat every problem the same way, you are giving some problems too much attention and, worse, some far too little.  This gets us to exploits.

The attackers have tools too.  There are tools that scan your systems looking for problems.  There are tools that automatically try to take over your system when problems are found.  There are tools that cover their traces.  These tools are updated too… with patches.

Specifically, when a patch comes out that addresses a security problem, attackers start looking at what the problem fixes, and add functionality to their tools that detect the problem and exploit it with ease.  The more urgent the patch (more severe the problem), the more quickly they work to update their tools.

This puts you, the business owner in an interesting position:

  • You can’t not patch, as that would leave your business vulnerable.
  • You can’t wait too long to patch, as the attackers would slip in, take over, and cover their tracks.
  • You can’t patch too quickly, as that could cause problems in operations.

What are you going to do about it?

Security lessons from Nature – Venom

  • At February 17, 2009
  • By Josh More
  • In Natural History
  • 0

I am quite certain that it will come as no surprise to you that there are animals out there that are venomous.  Generally speaking, they’re the ones that slither around until you walk up to them, at which point they begin doing a remarkable impersonation of a stick.  Should you be unwise enough to think “Hey, I need a stick just like that one!” and pick it up, they will suddenly turn around and stab you with long pointy fangs.  Then of course, to add insult to injury, they’ll also inject you with venom.  These nasty chemicals will course their way through your system causing pain, organ failure and death.

It’s not just the slithery scaly ones that you should be careful of, of course.  There are also the ones with far too many legs.  These ones lurk in the woods, waiting for you to get distracted by a pretty nature scene, at which point they’ll descend from the trees on long thin threads, land on your neck and bite you.  Then, as you’re falling down and writhing in pain, they’ll climb back up the thread and return to their lairs, giggling the whole way.  They also like to live in areas where there are no trees, where they’ll conceal themselves in crevices and wait for you to go rock climbing.  If you stick a finger in a hand hold, they’ll bite the fingertip, so that when you yank your hand out and fall off the mountain, you have time to watch your hand slowly swell and turn colours before you eventually splat at the bottom.

Then, there are the ones that live in the sea that are venomous all over.  Since they swim better than you, they can come at you from all directions.  Since you can only look in one direction at a time, you’re pretty much doomed.  There are even some that are almost invisible and are one of the most deadly creatures in the sea.

Lastly, even the cute fuzzy critters can be dangerous.  From good-sized ones that are part duck to rodents that swarm to little monkey-like creatures with poisonous elbows(!), you never know what’s going to get you.

So yeah, the world is a very dangerous place (and it’s even worse if you dare to live in Australia).  The only way to be safe is to not go out in it at all.  Well, maybe not.  Maybe you’re just fated to get bitten and die a lingering painful death.  After all, with all these creatures around, everyone dies that way, right?

Right?

What, they don’t?

The lesson to learn this week is one that you already know.  Simply put, don’t panic. Yes, there are venomous animals all over, but there are a great many mitigating factors as well.  Snakes and spiders actually prefer to be left alone and only bite as a last resort.  Even better, most of them aren’t venomous.  Scorpion fish and stingrays tend to only bother divers, who generally know the risks and how to avoid them.  Also, I can count the number of times I’ve been attacked by a platypus, slow loris or horde of shrews on one hand… and I don’t even need to use my fingers.

The business world is full of security concerns.  The threats are real and need to be addressed. However, it can be overwhelming to listen to everyone’s advice and idiotic to ignore it.  You have to strike a balance in what you do.  It doesn’t make sense to spend a million dollars to protect a $10,000 server.  Just like it doesn’t make sense to wear a suit of armor when going rock climbing.  The thing is, it also doesn’t make sense to go on a ten mile hike stark naked, smeared with rattlesnake pheromones.

Others have said similar things (Bruce Schneier, Drew McLellan).  It really comes down to a simple problem.  We’ve had millions of years to come to terms with the risks of living in the world, but only about twenty years to deal with the risks on the Internet.  We don’t know how to strike the balance between being naked out there and armoring up ridiculously.  We can’t intuitively recognize that a pair of good hiking boots is “good enough”.

There are all sorts of mathematical models that we use in the industry to analyze risk and do cost justification to senior management.  They mostly work, but when you get down to it, it’s like trying to come up with a mathematical model that says things like “wear gloves when rock climbing” and “don’t pick up snakes in the woods”.  They’re never going to be perfect.

So, what’s the right solution?

I’m afraid that it’s going to have to depend on the situation.  If your organization is structured such that you allocate money on a yearly basis, and that money has to be approved by a board, you probably have to weigh all your options, call in numerous vendors, get position statements from all the middle managers, perform risk and threat analyses and put together a cost justification.  Then, once you have a plan to present, you get to try to shoehorn the plan into an ROI model that’s not going to work anyway.  Then, if you’re lucky, you get it passed.  If you’re not, you’re unprotected for another year.

However, I prefer to work with small businesses.  Then it’s easy to do what I like to call “agile security”.  It’s fast, it’s cheap and it’s easy.  There’s just one drawback.  You have to trust.

Back in the days when people didn’t know which snakes were venomous and which ones were safe to hit with a stick and bring home for dinner, they likely relied on a handful of experts.  Some knew snakes.  Some knew spiders.  Some knew plants: which ones not to eat, which ones were yummy, and which ones were the best ground up into a paste and put on the wound that was made when you ignored the advice of the snake expert.

They didn’t have complex models.  They didn’t use a lot of numbers.  They just said things like: “Don’t touch that snake.  When Og touched that snake, it bit him.  Then he ran around in circles for a while, turned purple and died.”

In a similar vein, I offer you this advice:

  • Install a firewall that blocks both inbound and outbound traffic.  If you don’t, it’s easy for an attacker to get your data or use your system to attack others.  When this happens, your business will suffer.
  • Run a HIPS product (antimalware or application whitelisting).  If you don’t, you’ll get infected and an attacker could do anything they want.
  • Don’t give everyone administrator access on your servers. If you do, there’s no control over your systems, and anyone could make a mistake that brings everything down.
  • Make sure that more than one person knows the administrator passwords.  If you don’t, and that person proves to be untrustworthy, you’ll be locked out.
  • Keep your systems patched.  Server maintenance is like house maintenance.  It’s a LOT cheaper to fix things early.

There are a great many others, of course, but these are a good place to start.  If you’re not following any of this advice, pick one and start.  Remember, you’re walking around in the woods right now.  I know that you can’t afford a suit of armor.  I know that you don’t know which boots are best.  That’s OK.  Here are some sandals.  They’re not ideal, but they’re better than what you’ve got.

Let’s work our way up together.


Just in case someone gets here by doing a search and doesn’t care for an essay on I.T. Security, here are some links:

  • If you were bitten by a snake
  • If you were bitten by a spider
  • If you were bitten by an animal
  • If you were bitten or stung by an insect
  • If you were poisoned by something you ate
  • If you need to identify an air bison bite

Mythic Monday – Theseus and Misdirection

  • At February 16, 2009
  • By Josh More
  • In Mythology
  • 0

Theseus is one of the most famous of the Greek heroes.  He’s famous for the slaying of Procrustes, defeating Medea, slaying the Minotaur and “winning” Hippolyte.  That’s all well and good for a story, but we like to learn modern lessons from our stories, so it’s only natural that we should look at Theseus as a master of social engineering.

Oh, and as a word of warning, by the end of this post, you might not be liking Theseus very much.

The story commonly starts with a discussion of how Theseus is a son of both Aegeus (a king) and Poseidon (a god).  This is mythologically necessary for reasons of heroism, but it’s also important to know that since this can’t be true, Theseus starts his adventures by lying about his origins.  Then, of course, he goes around killing people.  Granted, they were bandits, but what’s interesting is how he dealt with them.

  • Periphetes killed people directly, and Theseus killed him directly with a sword.
  • Sinnis forced people to bend pine trees and watched them die when the trees sprang back up. Theseus killed him in the same way.  Then, of course, he raped Sinnis’s daughter and continued on his way.
  • Sciron forced people to wash their feet before they passed him, and when they bent over to do it, he’d kick them over a cliff. Theseus, of course, kicked him over the same cliff.
  • Then Theseus met Cercyon, whom he wrestled to death, and then raped his daughter as well.
  • Best known, of course, was Procrustes, who forced people to lie in his bed and either stretched or cut them to make them fit. Theseus, as one would expect, tricked Procrustes into lying in his own bed and cut him to fit. (It is unclear why Procrustes didn’t fit in his own bed.)

In each of these early stories, Theseus was careful to learn about his target before dealing with them.  This made it easy to trick them and then end their lives in an appropriately mythologically-just manner. 

Lesson One:  Know your target.

Then, later in the story, our “hero” (a.k.a. murderer and rapist) visits his father Aegeus for the first time and his father’s wife, Medea.  Medea knows that if Aegeus realizes who Theseus is, her own son will no longer be in line to be king, so she tries to have Theseus killed.  Though he could have handled the situation by simply telling Aegeus who he is, he prefers to bide his time and wait until his father recognizes his own sword (which he gave to Theseus’s mother to give to her son (daughters, apparently, don’t deserve swords)).  He chose an appropriately dramatic time to reveal himself, as Medea had just conspired to poison him.  So, when Aegeus recognized his son, Medea had to flee.

Lesson Two: Only reveal what you absolutely have to.

Lesson Three: Pick your timing carefully.

Now we get to the really famous part of the story.  Theseus travels to Crete where he aims to stop the Minotaur from devouring fourteen kids each year.  He promises his father that he’ll change the sails from black to white if he succeeds.  Then he arrives in Crete where, in short order, Theseus befriends the king’s daughter Ariadne, gets her help to kill the Minotaur, kills the Minotaur, flees Crete with Ariadne, abandons Ariadne, forgets to change the sails and arrives home in time for his father to despair of having lost his only son (Medea’s son doesn’t count, I guess).  With the death of his father, Theseus becomes king.

So, in other words, Theseus befriends those he needs and then discards them as soon as their usefulness is at an end.

Lesson Four: Say what you mean, mean what you say… only while you’re saying it, of course.

Of course the “oops I accidentally caused my father’s death, guess now I’m king” excuse wasn’t accepted by everyone, and soon the Pallantides attacked.  Theseus, of course, had a spy and was able to ambush their ambush, killing all fifty nobles (after which, the nobles learned the valuable lesson “let the non-nobles do the fighting”).

Lesson Five: Keep your eyes and ears open.

After this point, the story gets somewhat less linear and tends to focus on Theseus and women. Hippolyta, Helen and Phaedra are all abducted, raped or married (in various combinations thereof). Then, Theseus drives the centaurs out of the area for “getting drunk and molesting the women”.

Lesson Six: Double standards are OK.

Interestingly, Plutarch’s tale of Theseus focuses on the idea of democracy and how he turned the monarchy around and gave power to the people.  This, of course, involved abolishing all the local courts and making Athens the sole, centralized government.  He then invited foreigners to live as citizens and divided the citizenry into three classes.  Lastly, he instituted the Isthmian Games (like the Olympics).

Lesson Seven: Take power for yourself, but make it look like you’re giving it to others.

Lesson Eight: Calm suspicions by leveraging efficiency.

Lesson Nine: Always have a distraction handy to point to.

So there we have it.  Nothing special involved here at all, just straightforward psychology, the same techniques that have been used for thousands of years.  These days, of course, it’s easier to know your target (1), what with everyone revealing (2) so much on the Internet.  One can leverage real-time technologies like RSS and IM to create the ideal timings (3).  This timing can be used to push people into believing what is said (4).  Then all one has to do is sit back and observe the reactive behavior (5).

Of course, most attackers wouldn’t worry much about ethics (6), but would be careful to cover their tracks (7).  Then, if they get in too deep and run the risk of being discovered, the careful social engineer can simply pick out another problem and give you advice on how to solve it (8,9).

You may think this is far-fetched, but it happens all the time.  It’s not about the technology.  If they can get there with social engineering, they will.  It’s often easier and leaves fewer traces.  Remember, attackers are about the end goal.

Lesson Ten:  It’s good to be king.

Site Review – Scribd

  • At February 13, 2009
  • By Josh More
  • In Business Security
  • 1

Scribd isn’t as well known as many other sites, but what it does, it does quite well.  Simply put, it’s a way to share documents via the web.  The documents can be in various formats, and the site automatically converts them for you.  Once you’ve uploaded a document, you then get the ability to embed it in different sites and download it in different formats.  It’s a nice and easy way to share documents.

Pros:

  • Easy to use
  • Free
  • Shifts the bandwidth for hosting large files to someone else

Cons:

  • Requires Flash and therefore may not work well on all platforms (there have been problems with Linux in the past)
  • It’s weak on the social networking
  • Only two levels of document security: “public” and “private”
  • Search doesn’t allow you to search by licensing

The same caveats about security apply to this site as others.  In short, you have no way to guarantee that people will use your documents according to the license terms you set, and you have no guarantee that others have the rights to upload the documents that they do.  So, be careful building a business model around this site.

However, like many other “Web 2.0” sites, the ease of use of this system makes up for some of the legal ambiguity.  Moreover, since it doesn’t support many of the social networking features (pretty much just comments), there’s little risk of social engineering here.  In fact, the biggest risks would be getting malware from downloading the original and trusting information that you shouldn’t.

Malware

The way that Scribd works, you upload a document and they automatically convert it into other formats.  It is highly unlikely that malicious code would survive an automated conversion between formats, but if you download the original, you might be at risk.  You can avoid that one pretty easily by just viewing the document in the built-in viewer.

Trusting Information

This one is a risk pretty much all over the Internet, but it can be a bit trickier here.  For those in the security field, consider this as a variant of cross site scripting.  For those who don’t know what I’m talking about, just bear with me.

See, it’s very easy to make an account.  You pick your name, you build your profile, you upload your docs.  It would be very easy, for example, for an attacker to pick a moderately known public company and create an account for them.  Then, they’d pull down the latest SEC documents and press releases and upload them to the site.  Then, they would simply need to fabricate a press release or similar document that would indicate a change in stock price.  Once that’s there, the easy sharing nature of Scribd becomes its weakness, as it would be trivial for the attacker to post a link to the document and embed it in a different context (be it an email or on a website somewhere).

With this sort of attack, the target is duped into believing the information is accurate and then provoked into a predictable response (often, a “buy stock” or “give me your credit card” response).  It is important to verify any information before acting, especially if it’s marked as “urgent”.  The Internet allows us to share vast amounts of data very quickly.  This puts social pressure on us to react similarly quickly, and that is exactly what an attacker relies upon.

Conclusion

I use Scribd, albeit not a lot.  I think it fills a need, but my content is increasingly in non-document forms, so Scribd doesn’t really apply much.  If you are still writing for the print format, but want to share that work via the Internet, Scribd is a great tool.  Get an account and become familiar with the system so you can recognize when it is used outside of the main site.

As always, view all emotionally charged content as suspect and verify it before you act.

Small Business Defense – Antimalware

  • At February 12, 2009
  • By Josh More
  • In Business Security
  • 2

As many have noted before me, antivirus is dead.  However, let’s clarify a few things.

First of all, you are more likely to get hit with a virus if you don’t have antivirus than if you do, so it’s not exactly useless.  Second, you can get antivirus systems for free (Windows version here) so there’s no economic reason not to run one.  However, if you go into the process thinking that if you install an antivirus system, you’re done, then you’re making a mistake.  Antivirus may not be dead, but your system will be.

See, the way that antivirus works is by maintaining a set of signatures, or unique identifiers for a piece of malware.  This worked well enough twenty years ago, but these days, the people that write malware are pretty good at making each one have a unique signature.  So, these things can change and morph faster than you can keep up.  However, you’ve got to do something, right?  What are your options?

Ignore The Problem

My mother used to tell me that if I ignored the mean kids, they’d stop teasing me.  She was wrong.  In the same way, ignoring this problem will not make it go away.  Instead, it will likely create a situation where your systems get infected and then spread that infection to your customers and partners.  I hope that we can agree that this is no solution.

Host-Based Intrusion Prevention

Many of the traditional antivirus vendors have started rolling host-based intrusion prevention systems (HIPS) into their products.  These systems shift the problem from scanning the entire system to looking at what actually runs.  These systems can detect common security flaws and prevent malware from exploiting them.  With some vendors, they are combined with application blacklisting, so you can use the same system to prevent employees from running games or installing browser plugins.

Perimeter Control

In the past, we’ve used a firewall to prevent access to internal systems.  Some people are trying to extend this idea and push extra capabilities onto these network devices.  The logic is that if you control where your people can go (web filtering) and what can come to them (email filtering), you can block malware at the edge of your network.  It’s a nice theory, but given that you also would have to deal with USB drives, MP3 players, CD/DVDs, wireless networks, etc., I have my doubts that this technique will be effective.

Application Whitelisting

As many people do, once they’re told that something’s not working, they go to the opposite extreme.  In this case, instead of building a blacklist of “bad” applications, they try to identify some known “good” applications and only allow those to run.  While I’m not a fan of extremism, it seems to be working in this case.  Bit9 seems to be the current leader in this space, but it’s only a matter of time before there are others.  The one caution here is in relying on only this technique, as if anyone uncovers a flaw in the technology that prevents the non-whitelisted applications from launching, they can then launch anything they want.  Also note that, depending on your organization, it might take a long time to define the “good” applications.

Loss Detection

One thing I recommend is to recognize that your system will probably get compromised eventually, no matter what you do.  If you implement a system that can identify your important data and let you know when it detects it somewhere where it’s not supposed to be, you can at least know that there’s a problem.  Small comfort, I know, but it’s better than not knowing, right?

Combination

Every organization will have a different set of needs and will need a different solution.  However, there are a large number of businesses out there that would likely benefit from the following type of solution:

  • Application Identification – Take the time to identify which applications are required for business.
  • System Imaging – Build a standard “image” of all applications that a system should have and deploy to all computers.
  • Application Whitelisting – Install a product like Bit9 (there are others) to prevent anything non-approved from running.
  • Antivirus – Install a product like ClamAV (free) or Sophos (paid) to serve as an additional layer of defense… especially if you have laptops.
  • Document Repository – Use a centralized document repository to keep all of your documents and log who accesses them when.
  • Operations: Applications – On a regular basis (monthly is good) patch all applications in your image, update the application whitelist and push the changes out to all systems.
  • Operations: Data – On a regular basis (monthly is good, quarterly is acceptable, yearly is not), review the access logs on your repository and make sure that things are reasonable.
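As an added example (not from the original post and not part of any product it mentions), here is a small Python script that performs the periodic access-log review the last item describes: it parses constructed document-repository access logs and flags the things a reviewer would want to look at, such as an account that is not on the approved list, access outside business hours, and one user pulling an unusual number of documents, either in total or in a short burst. The one-line-per-access log format, the approved user list and the thresholds are all assumptions.

```python
"""Review document-repository access logs for activity that is "not reasonable".

Added example, not code from the original post.  The log format is an
assumption: one access per line, "ISO-timestamp user action document".
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2009-02-02T09:15:00 alice view contracts/acme.pdf
2009-02-02T09:40:00 bob view hr/handbook.doc
2009-02-02T14:05:00 alice download finance/q4-forecast.xls
2009-02-03T23:10:00 bob download finance/q4-forecast.xls
2009-02-03T23:11:00 bob download finance/budget-2009.xls
2009-02-03T23:12:00 bob download contracts/acme.pdf
2009-02-03T23:13:00 bob download contracts/globex.pdf
2009-02-03T23:14:00 bob download hr/salaries.xls
2009-02-03T23:15:00 bob download hr/handbook.doc
2009-02-04T10:00:00 mallory view finance/budget-2009.xls
2009-02-04T10:30:00 carol view hr/handbook.doc
"""

APPROVED_USERS = {"alice", "bob", "carol"}  # assumed: accounts that should exist
BUSINESS_HOURS = range(8, 18)               # assumed: 08:00 to 17:59
DOWNLOAD_THRESHOLD = 5                      # assumed: downloads per user per review period
BURST_COUNT = 4                             # assumed: downloads that count as a burst ...
BURST_WINDOW_MINUTES = 10                   # ... when they fall inside this window


def parse_log(text):
    """Turn log text into (timestamp, user, action, document) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, doc = line.split(maxsplit=3)
        entries.append((datetime.fromisoformat(ts), user, action, doc))
    return entries


def review_access_log(text):
    """Return a dict of findings, keyed by the name of the check that fired."""
    entries = parse_log(text)
    findings = defaultdict(list)

    for ts, user, action, doc in entries:
        # Check 1: an account that is not on the approved list touched a document.
        if user not in APPROVED_USERS:
            findings["unknown_user"].append((user, doc))
        # Check 2: access outside business hours.
        if ts.hour not in BUSINESS_HOURS:
            findings["after_hours"].append((user, ts.isoformat(), doc))

    # Check 3: total downloads per user above the threshold for the period.
    downloads = Counter(user for _, user, action, _ in entries if action == "download")
    for user, count in sorted(downloads.items()):
        if count > DOWNLOAD_THRESHOLD:
            findings["bulk_download"].append((user, count))

    # Check 4: a burst of BURST_COUNT downloads by one user inside a short window
    # (sliding window over that user's sorted download timestamps).
    per_user = defaultdict(list)
    for ts, user, action, _ in entries:
        if action == "download":
            per_user[user].append(ts)
    for user, times in sorted(per_user.items()):
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            span = times[i + BURST_COUNT - 1] - times[i]
            if span.total_seconds() <= BURST_WINDOW_MINUTES * 60:
                findings["download_burst"].append((user, times[i].isoformat()))
                break  # one finding per user is enough for the reviewer

    return dict(findings)


if __name__ == "__main__":
    for check, hits in review_access_log(SAMPLE_LOG).items():
        print(check)
        for hit in hits:
            print("   ", hit)
```

On the constructed log this reports mallory as an unknown account, bob's six late-night downloads as after-hours and bulk activity, and the burst starting at 23:10; alice's single download is not flagged.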

There is a lot more that you can do, and if you have servers, a lot more that you should do, but as you’re likely not doing the above yet, hopefully this gives you a good place to start.

Small Business Attack – Malware

  • At February 11, 2009
  • By Josh More
  • In Business Security
  • 0

It’s interesting how business awareness lags actual security threats.  I was having a conversation recently with someone who said something like “yeah, we get hit by a virus about once a month, but we clean it up and keep going”.  This took me aback as I realized that there are a significant number of people out there that don’t view malware seriously.

This is our fault.  For years, we’ve been classifying threats and discussing their differences instead of focusing on their similarities.  If you’ve touched any IT in the last decade, you’ll recognize the following list of words:  virus, worm, trojan, spyware, adware, malware.  You’ve probably been told that your antivirus application will take care of it, so you run it and get on with your life.  Well, I’m sorry to break it to you, but you’ve been lied to.

We’re at the end of what antivirus can do.  We’ve also reached the point where malware (malicious programs) has moved from being annoying to being evil.

Back in the day, malware would spread from system to system and slow things down.  Sometimes, they’d delete files.  That was then.

Today, people are using these systems to create what are known as bot armies.  Once they take over your computer and add it to their armies, they can do anything they like to your computer.  Like what?

  • Conduct attacks on other networks
  • Store illegal materials (often child pornography) on your computer
  • Crack passwords
  • Steal banking data
  • Harvest all proprietary data (trade secrets, tax information, business plans, source code) from your network
  • Harvest client data (credit card numbers, social security numbers) from your network

Basically, if you get infected with malware, the attackers can get anything they want from you.  Any file you have, any site you browse to, any email you send or receive.  It’s all theirs.

It’s more than a nuisance.  What are you doing about it?

Security lessons from Nature – Fire ants and lizard evolution

  • At February 10, 2009
  • By Josh More
  • In Natural History
  • 0

Borneo is a fascinating place.  It is a land of edible birds’ nests, dragon’s blood and gold.  Oh yeah, and don’t forget the parachuting cats (pages 29 and 31 are best, or, if you prefer, there’s a boring version.)  But as much fun as the cat story is, I’d like to talk about ants instead.  Ants, lizards, and the economy.

The news about the US economy isn’t all that good… depending on what “good” means.  I personally have my doubts as to whether ever-increasing growth is a good thing.  When that happens in a population like Borneo, we call it an epidemic (malaria) or an infestation (rats).  When it happens in a person, we call it cancer.  When it happens in the stock market, we call it “business as usual”.  Methinks that there’s a misunderstanding somewhere, but I’ll let the economists handle that.

As I look at the news over the Internet and I hear from my friends, I’m seeing companies failing and people being laid off/let go/fired.  Whatever terms you want to use, it’s pretty awful for people whose jobs are on the line, as they are in a position where they don’t have control over their own lives (much as if they were fighting malaria or cancer, actually).  It is not surprising that the phrase “job security” would be bandied about right about now.  For years I’ve been told “there’s no such thing as job security” and that I should “work to put myself out of work”. This doesn’t make much sense on the face of it, but when you get down to it, it’s all about control.  In a lot of businesses, the bosses are in control and the employees do what they’re told.  In others, the bosses and the employees work together to build something better.  The former model is hierarchical and the latter model is cooperative.

Which brings me directly to ants and lizards.

See, in an ant society, you have very strict roles.  The queen’s job is to lay eggs.  The drones’ job is to mate with the queen, which sounds like a nice job, but they then have to die (always read your employment contract).  Then you have the workers which, well, work.  Then, some species will also produce soldiers who protect the nest.  The model works well, and the ants are able to build very complex structures and societies within it, but the queen has all the control.

Lizards, in contrast, just sorta hatch and spend the rest of their lives eating things and laying about on rocks.  Each lizard has their own autonomy and is in control of their respective lives. No one talks much about lizard edifices.  Outside of science fiction and Minnesota, no one talks much about lizard societies.

But you know, they should… because the lizards are winning.

Recent developments on the fire ants vs. lizards front have led to lizards evolving longer legs and faster speed.  In contrast, the ants on Borneo are blowing themselves up.  As with much in life, it all comes back to Borneo.

See, in Borneo, the ants are required to be suicide bombers because each suicide also takes out one invader.  Taken as a whole, allowing harm to come to a few workers here and there keeps the colony safe and stable.  Seems a bit like laying people off to keep the company afloat, doesn’t it?  In contrast, the lizards who have learned to run away from threatening ants have survived and become successful enough for them to produce children that are even faster.  They can escape the ants.  They might even be able to escape parachuting cats (short version here if you skipped the earlier links).

It seems that, unless you’re independently wealthy, you have a choice to make.  You can be an ant and lay your job on the chopping block to help out your company, or you can be a lizard and scurry from project to project, moving so fast that the other ants can’t keep up.  Your company may or may not survive, but if you’re fast enough and good enough, you’ll likely land on your feet (like a parachuting cat, actually).

Security is an active pursuit. Your IT systems won’t stay secure if you just lock things down and then ignore them.  Your job won’t stay secure if you sit around and hope for things to get better.  Your business won’t stay secure if you wait for an outsider to fly over your island and drop cats on you.

Now is the perfect time to be a long-legged lizard.

Copyright © 2013 by Josh More