Here’s a link to a posting I did for IBM’s Security Intelligence Blog on the perils of ignoring the whole Bring Your Own Device (BYOD) trend. Enjoy …

http://securityintelligence.com/byod-why-you-better-not-ignored-it/

A quick “heads up” that I will be presenting on the topic of Social Media Threats on Friday, March 7, at the Delaware Valley Chapter of the Information Systems Security Association. Here’s a link for more info:

www.issa-dv.org/meetings

Also, I’ll be presenting on Access Management and Federated Identity Management on Thursday, March 20, at the Harrisburg (PA) Chapter of ISACA (previously known as Information Systems Audit and Control Association). Link below:

www.isaca-harrisburg.org

So if you’re looking for some CPEs and will be in the area, please drop by and say “hi.”

An update to my post from last week regarding vulnerabilities in WiFi access points …

Team Cymru, a non-profit security research organization, recently reported that some TP-Link wireless routers had been compromised in such a way as to redirect the DNS (Domain Name System) requests to a couple of suspicious IP addresses.

Without going into the technical details, the effect is that an attacker can reroute traffic from those home networks to a destination of his choosing. A user types “www.google.com” into their browser, the rogue DNS server answers with an IP address the attacker controls instead of Google’s, and the browser connects to the attacker’s server while still showing the name the user typed. Scary stuff, since we all depend on DNS to get us to the correct web sites, connect to our email and so forth.

Team Cymru then updated their findings this week to reveal that they have identified more than 300,000 such home routers that have been compromised and the list includes not only TP-Link models but also those from D-Link, Micronet, Tenda and more.

My previous post focused on Linksys equipment so, as you can see, the larger problem of vulnerable WiFi access points and routers runs across the various manufacturers. In other words, don’t think you’re safe just because your particular make and model hasn’t been explicitly listed so far. It’s probably just a matter of time.

So now that we know the risk is real and not just theoretical, what should you do? Here’s some good advice from Team Cymru as summarized by PC World:

“Team Cymru researchers advise users to disable remote management over the Internet on their routers and to keep their firmware up to date. If remote administration is absolutely necessary, steps should be taken to restrict remote access to only particular IP addresses. Other recommendations include: changing the default passwords, not using the default IP address ranges for a LAN, logging out every time after accessing the router interface, checking the router’s DNS settings frequently to ensure they haven’t been modified, and using SSL (Secure Sockets Layer) to access the router’s Web interface if the option is available.”
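A practical way to act on “check the router’s DNS settings” is to ask the router’s resolver and a resolver you trust the same questions and compare the answers. The script below is an added example of that check, not code from Team Cymru, PC World or this blog; the router address (192.168.1.1), the trusted resolver (1.1.1.1), the domain names and the sample response bytes in it are assumptions made for illustration. It speaks raw DNS over UDP with only the Python standard library, so it runs on any platform without extra packages.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record (RD=1, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)          # QTYPE=A, QCLASS=IN

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                                        # bound: no pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:                               # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("malformed name (pointer loop or too many labels)")

def parse_a_records(msg):
    """Return [(name, ipv4, ttl)] for the A records in a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                                         # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:           # A record, class IN
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return records

def resolve(server, name, timeout=3.0):
    """Send the query to one resolver over UDP and parse its answer (uses the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)

def disagreements(router_answers, trusted_answers):
    """Domains whose router answer shares no address at all with the trusted answer."""
    bad = {}
    for name, router_ips in router_answers.items():
        trusted_ips = trusted_answers.get(name, set())
        if router_ips and not (router_ips & trusted_ips):
            bad[name] = sorted(router_ips)
    return bad

def build_response(name, ips, txid=0x1234, ttl=300):
    """Constructed response (not captured traffic) so the parser can be exercised offline."""
    question = build_query(name, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)   # name -> offset 12
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers

if __name__ == "__main__":
    # Assumed addresses: 192.168.1.1 is the home router, 1.1.1.1 a resolver you trust.
    domains = ["www.google.com", "mail.example.com"]
    router = {d: {ip for _, ip, _ in resolve("192.168.1.1", d)} for d in domains}
    trusted = {d: {ip for _, ip, _ in resolve("1.1.1.1", d)} for d in domains}
    for name, ips in disagreements(router, trusted).items():
        print(f"WARNING: router resolves {name} to {ips}; trusted resolver disagrees")
```

A disagreement is a prompt to look, not proof of compromise: sites behind a CDN legitimately hand different addresses to different resolvers, so pick domains with stable addresses for this test, and pair it with the direct check, which is confirming that the upstream DNS servers listed on the router’s admin page are still the ones you (or your ISP) set.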

Hopefully, one day all our routers and access points will be able to securely patch themselves as we have done with Windows, OS X and others, but until that happens, you now at least know what to do.

Windows users learned (the hard way) a long time ago that their PC could be infected with viruses, Trojan horses, worms and the like without their knowledge. Anti-virus vendors have made a mint capitalizing on the concerns that grew from that basic fact. Eventually, Microsoft decided it was in their best interest to make available free security tools that could help limit the threat and mitigate some of the PR hits their brand kept taking with each new outbreak of malware.

As discussed in this blog before, there is nothing about Linux, UNIX or OS X that makes those platforms inherently immune to virus attacks either, although the sheer number of known malware instances is lower. Mobile devices, which are, after all, nothing more than miniaturized computers that also happen to have built-in cameras, MP3 players and telephony features, are vulnerable as well. In fact, the first mobile malware was spotted 10 years ago, if you can believe it. Clearly, none of this is a new problem.

Well, guess what? You know that WiFi access point you installed in your home a few years back or the ones you never see but freely use at the local coffee shop could be infected as well? How about the possibility that the wireless in your doctor’s office waiting area is as sick as the patients sitting next to you?

Yep, malware for WiFi is the latest unfortunate turn of the technological crank and, once again, we shouldn’t be surprised. Routers and access points are, after all, just special purpose computers and, in most cases, ones that have never been patched since the day they were installed.

One recent study found that:

Using the top 50 selling home routers for sale on Amazon, the firm detected software vulnerabilities in three quarters with a third of these having publicly documented flaws open for any attacker to exploit. Common problems included vulnerable management interfaces and dodgy authentication.

So 75% of the most popular devices are vulnerable. Great. But the hits just keep coming …

Researchers at the University of Liverpool have shown for the first time that WiFi networks can be infected with a virus that can move through densely populated areas as efficiently as the common cold spreads between humans.

The team designed and simulated an attack by a virus, called “Chameleon”, and found that not only could it spread quickly between homes and businesses, but it was able to avoid detection and identify the points at which WiFi access is least protected by encryption and passwords.

So let’s review…

  • WiFi access points can be attacked
  • Most have never been patched
  • Most are vulnerable to exploitation
  • Some could be attacked by malware that spreads from access point to access point

I don’t know that WiFi access point anti-virus tools are waiting just around the corner. However, I do know that it would be a good idea to take another look at the access points you can control and review the security settings and update the firmware. Don’t say I didn’t warn you …

Here’s a cool/creepy thing to keep in mind … when you post to social media or take photos with your phone, it is entirely possible that your laptop or mobile device is also adding location data to your work. This could be a very useful feature if where you are adds context to your posting, such as where you were when you took that awesome shot of the sunset over the ocean (which ocean? which beach? what season?) or if you just tweeted about a great slice of pizza others may want to know where so they can get one too.

On the other hand, if you weren’t aware that this information was being captured and made available for all to see, you might not think it was such a great idea. For instance, you could be passing time in a doctor’s waiting room tweeting about last night’s game and not realize that you’ve just told the world that you have a medical problem of a somewhat sensitive nature.

For a real world example of this, I used a tool at http://teachingprivacy.icsi.berkeley.edu:8080/#project to view the comings and goings of one of the giants of the IT world. I’ve redacted his actual Twitter handle out of respect for his privacy, but what I found was publicly available information that anyone could easily obtain. The screenshots below reveal what I found with just a few clicks …

[Screenshot: TwitterTrack1]

As you can see, our subject is quite the world traveler, but he spends most of his time on the West Coast.

[Screenshot: TwitterTrack2]

Zooming in on the red “hot spot” from the previous image shows that he is probably based in Silicon Valley.

[Screenshot: TwitterTrack3]

Zooming in further still shows a Google map with one of the tweets coming from a urologist’s office.

Maybe he was just there to work on their computers but, still, it’s probably not what he had in mind to blast out to the Twitterverse when he wrote that tweet.

A similar bit of stalker magic is available from WeKnowYourHouse.com, which correlates tweets using the words “home,” “house,” etc. with the geolocation from Twitter to assert, with reasonable confidence, that you live at the following address …

[Screenshot: WeKnowYourHouse]

Pretty creepy, huh? Consider yourself forewarned and double-check those settings to make sure that you aren’t guilty of revealing TMI…
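The photo side of this is the GPS block that phones and cameras write into a JPEG’s Exif metadata, which travels with the file wherever you post it. What follows is an added example, not code from this blog or from the tools mentioned above: it builds a small constructed JPEG that carries nothing but an Exif GPS block, reads the coordinates back out of it, and strips the Exif segment. Only the Python standard library is used, and the coordinates (37°25'19.07"N, 122°05'06.24"W) are made up for illustration.

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
GPS_IFD_TAG = 0x8825                                           # IFD0 entry pointing at the GPS IFD
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}    # GPS IFD tags we need

def _entries(tiff, ifd_off, en):
    """Yield (tag, type, count, raw 4-byte value field) for each entry of one IFD."""
    (n,) = struct.unpack(en + "H", tiff[ifd_off:ifd_off + 2])
    for i in range(n):
        e = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack(en + "HHI", tiff[e:e + 8])
        yield tag, typ, count, tiff[e + 8:e + 12]

def _value(tiff, typ, count, field, en):
    """Decode an entry's value: inline when it fits in 4 bytes, else via offset."""
    total = TYPE_SIZES[typ] * count
    if total <= 4:
        data = field[:total]
    else:
        (off,) = struct.unpack(en + "I", field)
        data = tiff[off:off + total]
    if typ == 2:                                               # ASCII, NUL-terminated
        return data.rstrip(b"\x00").decode("ascii")
    if typ == 5:                                               # RATIONAL: (numerator, denominator)
        nums = struct.unpack(en + "II" * count, data)
        return list(zip(nums[0::2], nums[1::2]))
    return data

def gps_from_tiff(tiff):
    """Return (lat, lon) in decimal degrees from a TIFF/Exif blob, or None if absent."""
    en = {b"II": "<", b"MM": ">"}[tiff[:2]]                    # byte-order mark
    magic, ifd0 = struct.unpack(en + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    gps_off = next((struct.unpack(en + "I", f)[0] for t, _, _, f in _entries(tiff, ifd0, en)
                    if t == GPS_IFD_TAG), None)
    if gps_off is None:
        return None
    g = {GPS_TAGS[t]: _value(tiff, ty, c, f, en)
         for t, ty, c, f in _entries(tiff, gps_off, en) if t in GPS_TAGS}
    if any(k not in g for k in GPS_TAGS.values()):
        return None
    dms = lambda r: sum(n / d / 60 ** i for i, (n, d) in enumerate(r))   # deg, min, sec
    lat = dms(g["lat"]) * (-1 if g["lat_ref"] == "S" else 1)
    lon = dms(g["lon"]) * (-1 if g["lon_ref"] == "W" else 1)
    return lat, lon

def _segments(jpeg):
    """Yield (marker, start, end) for each JPEG segment before SOS/EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                             # EOI / SOS: image data follows
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def gps_from_jpeg(jpeg):
    """Locate the APP1 Exif segment and extract the GPS position, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return gps_from_tiff(jpeg[start + 10:end])
    return None

def strip_exif(jpeg):
    """Return the JPEG with every APP1 Exif segment dropped (the blunt fix)."""
    keep, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            keep += jpeg[start:end]
        pos = end
    return bytes(keep + jpeg[pos:])

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI, one APP1 Exif segment holding only a GPS IFD, EOI."""
    entry = lambda tag, typ, count, v4: struct.pack("<HHI", tag, typ, count) + v4
    rat = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    ifd0, gps = 8, 8 + 2 + 12 + 4                              # IFD0 at 8, GPS IFD right after it
    lat_off = gps + 2 + 4 * 12 + 4                             # rational data follows the GPS IFD
    lon_off = lat_off + 24
    tiff = b"II" + struct.pack("<HI", 42, ifd0)
    tiff += struct.pack("<H", 1) + entry(GPS_IFD_TAG, 4, 1, struct.pack("<I", gps)) + b"\0\0\0\0"
    tiff += struct.pack("<H", 4)
    tiff += entry(1, 2, 2, lat_ref.encode() + b"\0\0\0") + entry(2, 5, 3, struct.pack("<I", lat_off))
    tiff += entry(3, 2, 2, lon_ref.encode() + b"\0\0\0") + entry(4, 5, 3, struct.pack("<I", lon_off))
    tiff += b"\0\0\0\0" + rat(lat_dms) + rat(lon_dms)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

if __name__ == "__main__":
    photo = build_sample_jpeg([(37, 1), (25, 1), (1907, 100)], "N", [(122, 1), (5, 1), (624, 100)], "W")
    print("GPS in sample photo:", gps_from_jpeg(photo))
    print("GPS after strip_exif:", gps_from_jpeg(strip_exif(photo)))
```

Run `gps_from_jpeg` over a real photo from your phone before you upload it; if it returns a position you did not intend to publish, either turn off location tagging in the camera app or pass the file through `strip_exif`. Dropping the whole Exif segment also discards harmless tags such as orientation, which is why dedicated tools remove only the GPS IFD; the blunt version is shown here because it is short and leaves nothing behind.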

Want to start an endless debate with a room full of techies? Assert that a particular operating system — pick any — is more secure than all the rest, then sit back and watch the factions form. Some will argue that Mac OS X wins because of the relatively small number of known malware exploits as contrasted with Windows. Others will point to Linux’s built-in security model as superior to the competition. Windows fans will point to a vastly improved track record in the security area over the past decade. Still others will say that the mainframe’s z/OS and its related predecessors have proven their strength over the long haul, running many of the world’s most critical transactions since the 1960s.

Who’s right? Answer: I’ve used them all and I would say it’s none of them and all of them. Macs aren’t immune to malware, as Apple’s own employees found out the hard way. Windows wears the largest bull’s-eye by virtue of its pervasive presence in the market, so it will always be victimized by bad guys. Linux’s strong security features may be beyond the grasp of casual users. z/OS has benefitted from something of a “security by obscurity” position, which means latent vulnerabilities could be there for the taking.

Not a very satisfying answer, is it? Maybe a better way to rephrase the question would be not “which is the most secure?” but rather “which is the most securable?” The latter takes into account a larger understanding of the role of the user/administrator in the security ecosystem. In other words, it’s not just about technology but also people and process as well.

Yet another way to look at it is to say that the most secure OS is the one that you configure and use properly. The fact is that any of these options can be good or bad depending on how they are deployed and executed. That’s my answer. Now I’ll sit back and watch the various OS fanboys fight it out …

P.S. Here’s a nice write up on “Four easy ways to protect your Mac from malware,” which is a question I get from time to time.

It’s been an interesting year in the world of IT security and privacy. It turns out that all the world’s spy agencies are, in fact, spying on each other. Shocking, right? OK, so they aren’t just spying on other spies but probably you and me as well to one degree or another. How much do they know? How long have they known it? How is the information being used?

I think the best answer is a quote from Tom Waits that predates this latest controversy but is quite apropos, nevertheless …

“The folks who know the truth aren’t talking. The ones who don’t have a clue, you can’t shut them up.”

In other words, don’t believe everything you hear because the people making the most noise tend to be those with the least actual information. At the risk of falling into that latter category I will suggest that the organizations that might know more about you than the TLAs (Three Letter Agencies) are the ones that we voluntarily give up our personal information to in exchange for free email, social media, cloud storage, navigation services, etc.

Along those lines comes a revelation that sits squarely between the uncomfortable intersection of security and convenience — your wifi passwords. If, for instance, you have an Android device you probably connect it to a wireless LAN on occasion. Unless you enjoy typing in long, complicated passwords on tiny keyboards, you probably opted to let the OS store this info for future use. For further convenience you probably allow Google to back up the settings on your phone since this makes recovery far easier when you get a new one. All very nice but …

This means that Google is storing all those “secret” passwords somewhere in their cloud. Who has access? How well is it secured? How could this information be used/abused? Now the heartburn begins…

I have no idea whether Google does a great job or a poor job of securing this data just like I have no idea how well credit card numbers and other sensitive information is being secured on systems for major retailers but I do know that at least in the case of the latter there have been some major breaches. We might not know about these failures were it not for legislation that requires public disclosure of such incidents and I suspect we wouldn’t necessarily know about similar compromises in social media, email and other Internet-based services.

And don’t make the mistake of thinking that a leak of WiFi passwords would only affect a few home networks, or that you are safe because you chose not to have Google back up your settings, use an iPhone, or carry no phone at all. A home or coffee-shop network protected with WPA2-Personal has a single shared passphrase for every device that joins it, so all it takes is for one user — any user — of any WiFi network you use to have saved and backed up that passphrase for everyone on that network to be at risk.

Just another reason why you should make sure that you use a good VPN or SSL connection, even when you think you are on a secure wifi network…
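To see why one leaked passphrase endangers every device on the network, it helps to follow the keys. Assuming the network uses WPA2-Personal (the shared-passphrase mode that home and coffee-shop access points typically run), every client turns the same passphrase and SSID into the same 256-bit pairwise master key, and the per-session keys are then derived from that key plus values (the two MAC addresses and two nonces) that cross the air in the clear during the 4-way handshake. The code below is an added example, not from this blog, Google or Android, reproducing those two standard derivations with the Python standard library: PBKDF2 for the PSK, and the 802.11 PRF for the pairwise transient key. The MAC addresses and nonces in it are made up; the “password”/“IEEE” pair is the published IEEE 802.11 test vector.

```python
import hashlib
import hmac

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (used directly as the PMK) = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def _prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes * 8 + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the CCMP PTK (KCK || KEK || TK, 48 bytes) from the PMK and the handshake values.
    aa/spa are the access point and station MAC addresses, anonce/snonce the handshake nonces;
    all four are sent unencrypted, so anyone sniffing the handshake has them."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = _prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

def keys_from_capture(passphrase: str, ssid: str, capture: dict) -> dict:
    """What an eavesdropper computes from a leaked passphrase plus a sniffed 4-way handshake:
    the very same TK the victim's device uses to encrypt its traffic."""
    pmk = wpa2_psk(passphrase, ssid)
    return wpa2_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])

if __name__ == "__main__":
    # Made-up handshake values standing in for what a sniffer would record.
    capture = {"aa": bytes.fromhex("020000000001"), "spa": bytes.fromhex("020000000002"),
               "anonce": bytes(range(32)), "snonce": bytes(range(32, 64))}
    print("PSK:", wpa2_psk("password", "IEEE").hex())
    print("TK recovered from passphrase + handshake:", keys_from_capture("password", "IEEE", capture)["tk"].hex())
```

The derivation has no per-user secret anywhere in it: the passphrase is the only input the attacker lacks, and once it leaks (from a backup, a sticky note or a departed employee) every session on that network whose handshake was captured, past or future, can be decrypted. That is exactly why a VPN or TLS, which adds a key the access point never sees, is the right fix regardless of how well the WiFi password itself is guarded.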