Archive for June, 2012

Who can you trust?

Posted: June 11, 2012 in Uncategorized
Tags: , , ,

That’s a difficult question to answer — especially when you’re dealing with organizations you know only over opposite ends of a wire. This issue lies at the heart of an article quoting me in today’s Raleigh News & Observer “Stump the Geeks” column.

 

First of all, let me state for the record that I have no firsthand knowledge of the service offering discussed in that column of this blog post or how well their service works. It could be perfect in every way, for all I know, but the issues I’m focusing on here remain the same so please read this in the spirit in which it was intended — as an example of how some of the critical thinking that needs to be employed when dealing with security issues.

With that bit of disclaimer out of the way let’s consider the case of OpenDNS. Typically the translation of that web site name (e.g. WordPress.com) into it’s numeric IP address equivalent, which is necessary in order to actually route your request through the network, is handled by a Domain Name Server (DNS) that is provided by your ISP. OpenDNS, however, offers to do this for you instead if you are willing to configure your system to use its services in lieu of the one your ISP provides.

Why would you want to do this? Well, it’s because OpenDNS claims to be able to offer additional controls and security protections that most ISPs don’t. For instance, you can configure OpenDNS to block access to harmful sites based upon objectionable content or security risks by redirecting traffic to a safe landing page rather than the actual site.

Sounds good, right? But who determines what is risky and what isn’t? Do their definitions coincide with yours? With the way “bad” sites pop up and disappear on the Internet on an hour-by-hour basis, can any system based upon reputation (such as OpenDNS) ever hope to keep up with the perpetual game of Wack-a-Mole?

Further, even if all this does work perfectly well, who do I trust more — OpenDNS of my ISP? The reason this last question is important is that one or the other is going to have access to all my web surfing history. If that bothers you then you need to decide which of the two choices in this example, do you trust more with that information? Either could be compelled to turn over such information if directed to do so by the Courts but what about turning it over to other companies who use it to market to you based upon your browsing habits?

I have no idea how to answer that question for you since my sensitivity to risk in this area is bound to differ from yours. It’s the same reason you choose to bank or invent with different companies than I do as well. It’s a very personal choice but, in the end, it all comes down to … “who can you trust?”

As I’m sure many of you have heard, the popular, business-oriented social networking site, LinkedIn.com, had a security breach recently that resulted in exposing about 6 million of its users’ passwords. You might be thinking, what’s the big deal?

  1. I don’t store anything all that sensitive on my LinkedIn account and
  2. even if I did, why would anyone want to target me?

The first issue that many fail to appreciate is that most people use the same password for more than one site. In fact, many use the same password for every site. This is a problem since it means that if I know your LinkedIn password, I probably also have a pretty good idea what your email password is. And if I can get into your Gmail account, for instance, then I can also go to your banking site and request a new password be emailed to your account, which I now control.

Furthermore, I can change all these passwords to one of my choosing and then you can’t get in to fix the problem either. Then it’s game over and you are forced to deal with a sea of faceless support centers for each site trying to gain back control of your digital persona. Since many of these services are free, the support your get is worth about as much as you paid for it, if you know what I mean.

As to why you would be targeted for such an attack? Because you exist. Hackers don’t only go after famous people just as identity thieves don’t restrict themselves to only millionaires.

So, what can you do?

  • First of all, you should probably change your LinkedIn password today. Even if you weren’t one of the 6 million compromised accounts, why wait for the next breach?
  • Second, change other passwords to key accounts like your email, bank, credit card and merchant sites that might have payment details stored for you.
  • Third, choose good passwords that can’t be easily guessed or cracked through dictionary or brute force attacks, which leads to …
  • Fourth, use a password storage vault or single sign-on software to keep track of all your passwords. These tools allow you to generate strong, hard to guess passwords that are unique for every site and only require you to remember one strong master password to unlock the vault.

If you are trying to do this for an entire organization, consider a centrally managed, enterprise class tool like IBM Security Access Manager for Enterprise Single Sign-On, which automatically enters userids and passwords when logon fields pop up, allows you to set policies for all your users and supports resetting lost passwords and shared workstation support with fast user switching.

If you want a simple, free tool to keep track of passwords on a single system that requires you to copy and paste stored passwords manually from the vault, Password Safe, from the open source SourceForge project is one of many options.

Also, there are other options that range somewhere in between for a range of prices supporting a variety of platforms. Whatever you choose, just try to make sure it comes from a legitimate source. The worst case scenario would be to store all your passwords in one tool that sends all your info to an attacker.

OK, so now you just think I’m being paranoid, right?

By now you’ve probably heard the news reports of the recent discovery of the Flame malware that seems to be targeting systems in Iran (and possibly other locations in the Middle East). While there are some similarities with the Stuxnet worm, there are probably even more differences.

At this point it appears that Stuxnet was designed for sabotage — specifically targeted at Iranian nuclear facilities — while Flame seems to be built for espionage. In other words, it’s a software-based spy.

The press has picked up on this aspect as well and has been reporting that Flame can eavesdrop on unsuspecting users through the built-in microphone in their computer, turn on a webcam for remote viewing, take periodic screen captures and store keystrokes. Scary stuff to be sure but it’s not new. Not by a long shot.

In fact, I wrote about a similar threat a dozen years ago in my book, Inside Internet Security: What Hackers Don’t Want You to Know,  in discussing a piece of malware making the rounds then called “Back Orifice.” See if anything in this excerpt sounds familiar…

NetBus control panel – a contemporary of Back Orifice

Among other things [Back Orifice] can:

  • monitor and store keystrokes entered by the user (including ‘hidden’ fields often indicated by a string of asterisks);
  • look over the user’s shoulder by capturing screen images;
  • execute commands of their choosing on the user’s system;
  • rename, copy and delete files on the user’s system;
  • connect to other systems via telnet or FTP;
  • open and close the CD-ROM drive (just for kicks!).

And if that wasn’t scary enough, they can even turn the victim’s machine into their own remote surveillance system. If a microphone or video camera is attached to the user’s system, hackers can turn these devices on and then sit back, listen in, and watch what their victim is doing.

So, not to diminish the seriousness of this latest malware (for those relatively few systems that are infected with it), but try not to get caught up in the hype that would lead you to believe that this is some sort of new quantum leap in the threatscape. In reality, this threat has existed for more than a decade. Most people simply didn’t know about it. But now you do … 🙂