Archive for March, 2012

IBM’s X-Force researchers have released their 2011 year end Trend and Risk Report and there’s good news and bad news for those of us trying to defend the castle, so to speak. First the good …

  • spam is down compared to last year (although you wouldn’t know it from my inbox),
  • software vendors are doing a better job of patching their products in a more timely manner,
  • and one of the long-standing threats to web server security, cross-site scripting vulnerabilities, is down (but not out, I might add).

But don’t pop the corks just yet …

  • attacks focused on mobile devices (i.e. smart phones, tablets, etc.) are on the up tick,
  • and so are automated password guessing and phishing attacks.

Also, bear in mind that some of these statistics are cyclical in nature, with a down year typically preceding an increase in the following year.

All in all, though, some great info to have at your disposal and to factor into the way your organization views IT risk.

For more info including access to the free report and an overview video go to

I’ll be serving as a panelist at the Wilmington Information Technology eXchange and Conference hosted by the University of North Carolina Wilmington on April 18, 2012. I’ll be joined by Jonathan Campbell, CSO for New Hanover Regional Medical Center, with the subject of our discussion being “Security and Privacy Concerns including Mobile Device Management.” I plan to give a brief overview of the latest attack trends with a focus on one of our most challenging areas for security — how to handle the proliferation of mobile phones, tablets and other devices that are cropping up in greater numbers in corporate environments. For more information on the event click on the image below …

In keeping with the theme of the previous post, I was recently asked by Tyler Dukes of The News & Observer, who writes the biweekly “Stump the Geeks” column, to comment on issues with choosing good passwords. Here’s a link to the article  below:

Due to space considerations, a lot of what I wrote didn’t make it past the editor’s knife so I’m posting here my larger response so you can see what didn’t make the paper and, hopefully, get a better sense of my thinking in this area…

Ideally you would want each password to be chosen randomly and composed of a mixture of upper and lower case characters along with a few numbers and special characters like *!%$ thrown in for good measure. It is also best not to use the same password on any other system, so that if it does become compromised the damage is limited. Finally, it should be changed at regular intervals such as every 90, 180 or 365 days, depending upon the risk involved with the information being protected.

All this is to make the password hard to guess. The problem is that things that are hard to guess often tend to be hard to remember, which is why people naturally bristle at such guidance.

I think the best compromise is to use password storage or single sign-on software. These tools can generate strong, random passwords that are unique for each system they will be used to log into and only require the user to remember a single password to unlock the password storage “vault.” I have literally hundreds of passwords — all unique and none that I actually know, but with tools like these I only need to keep up with the one password that unlocks the tool and it keeps up with the rest.

IBM sells a product called Tivoli Access Manager for Enterprise Single Sign-On that I work with that is designed to do this for an entire organization’s user population. There are consumer products as well that are both free and fee-based. One nice freebie that I have used is Password Safe, which is an open source tool available from Still other tools offer to save your passwords on a shared system (i.e. in the cloud), which is convenient if you need them to be available across multiple systems. Just bear in mind that when you store your passwords on someone else’s system then you are totally at the mercy of how good a job they do with their security and, in most cases, there is no way for you to verify if their claims of using strong encryption and the like are valid or not.

As with all such decisions, there’s a trade-off between security and convenience and the answer will be different for different people depending upon their tolerance for risk and their understanding (or lack thereof) of that risk.
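The three rules above (random mix of character classes, no reuse across systems, rotation on a fixed interval) can each be checked mechanically, which is essentially what a password vault does for you. The following Python is an added example written for this post, not code from the column or from Password Safe or Tivoli Access Manager; the special-character set and the sample vault contents are constructed for illustration.

```python
import math
import secrets
import string

# Character classes the post recommends mixing: upper, lower, digits, specials.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIALS = "*!%$#@&-_=+?"  # constructed set; trim to what a given system accepts
ALPHABET = UPPER + LOWER + DIGITS + SPECIALS


def meets_policy(pw: str, min_length: int = 12) -> bool:
    """Mixing rule: minimum length plus at least one of each character class."""
    return (
        len(pw) >= min_length
        and any(c in UPPER for c in pw)
        and any(c in LOWER for c in pw)
        and any(c in DIGITS for c in pw)
        and any(c in SPECIALS for c in pw)
    )


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from ALPHABET that satisfies meets_policy.

    secrets.choice uses the OS CSPRNG, which is what makes the result hard to
    guess; the random module is not suitable for this.
    """
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int) -> float:
    """Guessing difficulty of a uniformly random password of this length."""
    return length * math.log2(len(ALPHABET))


def find_reuse(vault: dict) -> dict:
    """Map each password used for more than one site to the sites sharing it.

    `vault` is {site: password}; a real vault would keep this encrypted.
    """
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def due_for_rotation(age_days: int, interval_days: int) -> bool:
    """Rotation rule: a password at least interval_days old (90/180/365) is due."""
    return age_days >= interval_days


# Constructed sample vault: two sites sharing one weak password, one unique strong one.
SAMPLE_VAULT = {
    "bank.example": "Summer2012!",
    "mail.example": "Summer2012!",
    "forum.example": generate_password(),
}

if __name__ == "__main__":
    print("generated:", generate_password(), f"({entropy_bits(20):.0f} bits)")
    for pw, sites in find_reuse(SAMPLE_VAULT).items():
        print("weak policy:", not meets_policy(pw), "reused across:", sites)
    print("rotation due (91 days, 90-day interval):", due_for_rotation(91, 90))
```

The generator is rejection-sampling: it draws uniformly from the whole alphabet and retries until every class is present, so the result stays uniform over the accepted strings rather than being biased by forcing one character of each class into fixed positions.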

One of the hardest problems we face in the IT security space is that of user authentication. In other words, are you really who you claim to be? On the one hand, it’s something we do every day when we run into people we know (or don’t know), yet there continue to be cases of impersonation, which means our systems for verifying authenticity aren’t perfect. Complicating matters is when this identity verification happens at opposite ends of a wire in cyberspace, where many of the mechanisms we rely on in the physical world elude us.

Here’s a link to an iTunes U podcast interview I did with Dr. Steven Furnell, who heads up the School of Computing and Mathematics at the Plymouth University (UK). Apologies in advance for my weak sounding voice and seeming lack of energy as I had to go in for vocal cord surgery two days later.

I’ll be presenting at InfoSec World 2012 in Orlando, which runs April 2-4. My talk will be on the first day at 1:30 on the subject of “Creating an End-to-End Identity Management Architecture” and will cover the following:

• A holistic view of the various components that comprise an enterprise-wide identity and access management infrastructure
• The appropriate role of directories, metadirectories and virtual directories – what they reasonably can and cannot do
• The elements of an automated account provisioning/de-provisioning system
• How role management can help you get a better handle on identities
• Lessons learned and best practices of identity management

I’ve attended and presented at this conference numerous times over the past decade and have always found it to be one of the best of its kind. If you can make it down to Orlando, please stop by and say “hi.”

It seems that every 18 months or so we are treated to another scary story about how SSL is broken and all your encrypted secrets are at risk. Of course, there’s always at least a kernel of truth to the report or it wouldn’t get much traction, and the latest case is no different.

For those of you that aren’t crypto geeks (which, I hope for the sake of humankind, is most of you), Ron, in this blog post heading and in the research paper that uncovered the vulnerability, is Ron Rivest (the “R” in the “RSA” cryptographic algorithm that is widely used across the Internet) and Whit is Whitfield Diffie, of Diffie-Hellman key exchange protocol fame. Both Ron and Whit are giants in the crypto arena due to their many contributions.

You can read more about the vulnerability, its likelihood of impact and some countermeasures you can take in the following article from Dark Reading:

The net of it is that this is a bona fide risk but it isn’t likely to affect most web sites. So, the sky is not falling but I would recommend taking an umbrella…

My previous posting dealt with a technical attack involving malware being distributed through social media. Here’s a story on how social media sites can be used for social engineering to entice users into being attacked.

The article points to how information gleaned from LinkedIn profiles can be used to target users with more plausible attack scenarios — a.k.a. spear phishing. It describes how one person was able to get added as a connection to more than 60 people at a company where he posed online as a worker and then proceeded to get himself added to a private LinkedIn discussion forum.

  • “Now I had an audience of 1,000 company employees,” O’Horo said. “I posted a link to the group wall that purported to be a beta test sign-up page for a new project. In two days, I got 87 hits — 40% from inside the corporate network.”

Of course, the risk here is that the fake page could have been infected and used to distribute malware as previously described. But is this really a problem with LinkedIn? Should we avoid social networking sites as a result?

I would say “no” and “no.” The real issue here was that people were trusting things they shouldn’t trust. If someone had bothered to find out who this guy was before adding him to the private discussion forum, it wouldn’t have been an issue. Also, if users had been more discerning as to which links they clicked on, it wouldn’t have been an issue.

The point really is what and whom should you trust? LinkedIn, like any social networking site, is only as good as the information in it and only as trustworthy as the people posting to it. It seems that every time we develop a new communications forum, whether it be snail mail, telephone, email, SMS, or social networking sites, we have to re-educate ourselves as users as to what is and is not reasonable and responsible behavior within this new context.

Hackers know this and it’s how they are able to exploit these windows of opportunity with each new turn of the technological crank. The onus is on the good guys to maintain a healthy skepticism when moving into new forums or risk being the next victim.