<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-7196788127833928948</atom:id><lastBuildDate>Tue, 07 May 2013 18:52:45 +0000</lastBuildDate><category>Computer security</category><category>steganography</category><category>Blog carnival</category><category>How To</category><category>information strategy</category><category>malware</category><category>Network security</category><category>penetration testing</category><category>competition</category><category>privacy</category><category>Physical security</category><category>audit</category><category>trojan</category><category>business continuity</category><category>SLA</category><category>forensics</category><category>software development</category><category>Templates</category><category>Solution building</category><category>encryption</category><category>Incident Management</category><category>information security</category><category>antivirus</category><category>training and certification</category><category>GPS</category><category>microsoft</category><category>Instant Messaging</category><category>windows</category><category>disaster recovery</category><category>biometrics</category><category>Databases</category><category>fraud</category><title>Information Security Short Takes</title><description /><link>http://www.shortinfosec.net/</link><managingEditor>noreply@blogger.com (Bozidar 
Spirovski)</managingEditor><generator>Blogger</generator><openSearch:totalResults>277</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/shortinfosec" /><feedburner:info uri="shortinfosec" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.0/</creativeCommons:license><image><link>http://creativecommons.org/licenses/by-nc-sa/2.0/</link><url>http://creativecommons.org/images/public/somerights20.gif</url><title>Some Rights Reserved</title></image><feedburner:emailServiceId>shortinfosec</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-191957782826347330</guid><pubDate>Mon, 09 Jul 2012 20:34:00 +0000</pubDate><atom:updated>2012-07-10T13:39:55.761+02:00</atom:updated><title>Steps to Ensure a Smooth(er) Migration to a Cloud Service</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;div style="text-align: justify;"&gt;
Moving a service to a cloud provider can be a very beneficial activity (reducing cost, peace of mind, transfer of risk), but it can also create a huge amount of problems if not done correctly.&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;
We will not delve into what SLA and service conditions are agreed on 
with your service provider. We will focus on the migration process. &lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;
Assuming you have selected a service to migrate to a cloud provider, and have selected the cloud provider, things may still be far from complete even after contract signing. The migration process is the part that can be very painful and can break the entire service for an extended amount of time. And sadly, the service provider may not be too interested in properly supporting you in the migration process, for whatever reason.&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-r_OCg-j_2HY/T_s_7llFFPI/AAAAAAAAAsc/gO0l7QCLRuM/s1600/risky-migration.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="252" src="http://4.bp.blogspot.com/-r_OCg-j_2HY/T_s_7llFFPI/AAAAAAAAAsc/gO0l7QCLRuM/s320/risky-migration.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;
&lt;br /&gt;
To ensure a successful migration, or at least to be able to 'pull on the handbrake' before disaster strikes, make sure that you check the following elements before diving into the migration process: &lt;/div&gt;
&lt;ul style="text-align: justify;"&gt;
&lt;li&gt;&lt;b&gt;Clearly understand what data from the current service will be migrated into the cloud service &lt;/b&gt;- this is crucial from several points of view: if data is to be migrated, you must understand the amount of data that can and will be migrated, whether the service provider has sufficient space to accept all of it or you'll need to prioritize, and whether the format of the data remains the same. For instance, you may be using a MySQL database but be migrating all data into an Oracle cloud service. Also, any data that is not migrated must be kept available to the users as legacy data.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Clearly understand the migration process of the data from local into cloud service &lt;/b&gt;- where data migration is required, the process can vary wildly. It can depend on very complex factors like change of format, structure, proxying etc., or on something as simple as the bandwidth needed to transfer the files over.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Understand the authentication source of the cloud provider &lt;/b&gt;- all your services were authenticated against a data set within your company, usually an LDAP server or a database. You must understand which data set the cloud provider can support for authentication, because you may need to recreate your users' accounts and generate and distribute new passwords to them. &lt;/li&gt;
&lt;li&gt;&lt;b&gt;Gather all usage scenarios of the service as it is currently delivered (in house) &lt;/b&gt;- there may be multiple usage scenarios for a service that have been introduced through the years, either officially or unofficially. For instance, a mail server can be accessed via POP3, IMAP, MAPI (on Exchange servers), and different users may be using different protocols.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Confirm which usage scenarios are supported by the service provider &lt;/b&gt;- your users may need to be reconfigured in advance or at the moment of migration. You need to understand which steps you'll need to take to maintain minimum outage for the users. This is usually tightly connected to the authentication source and set-up.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Ensure you have bandwidth &lt;/b&gt;- going into the cloud means remote access. Whatever your in-house service was, you never cared about bandwidth usage and latency over your gigabit LAN, but once the service is remote that bandwidth usage may be very significant. Observe your current network using network analysis tools and &lt;a href="http://www.productsandservices.bt.com/consumerProducts/displayTopic.do?topicId=25633"&gt;learn more about the broadband packages&lt;/a&gt; that you use, especially their flexibility to quickly increase bandwidth or decrease latency if needed at roll-out time. &lt;/li&gt;
&lt;li&gt;&lt;b&gt;Know who to call &lt;/b&gt;- at the time of migration and right after it, things are going to be hectic, issues will arise all over the place, and your team will be less than their usual competent selves, since they'll also be users of the service. Have all of them read through the &lt;a href="http://www.techopedia.com/definition/26539/cloud-storage-service-level-agreement-cloud-storage-sla"&gt;SLA&lt;/a&gt; and the communication and escalation procedures of the cloud contract. This way issues will be escalated rapidly, and support calls will be made much faster.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Understand your fallback options&lt;/b&gt; - any migration can go wrong, and you need to be able to continue your original service in such a scenario. Investigate whether your original service will be available during and after the migration, and look and test for any risks that the migration may leave your in-house service broken. This may be a huge issue if problems do occur.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Make a plan with an outage period and the ability to go back to your service &lt;/b&gt;- before you go into migration, make a plan for it, in which you define the migration period start and finish times based on testing results. The entire migration period should be planned as downtime, and the source service should be in a 'frozen state' (no new entries in it). The reason for such downtime is two-fold: even if the migration is online, if anything goes wrong you are under less pressure to fix it, and freezing the source service creates a point in time to which you are prepared to revert in case of trouble.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Inform everyone of the pending change &lt;/b&gt;- spread the word; the customers should be well aware of the change. Informing everyone is about people being able to plan and adapt if the service is out, but it also helps you and your team - you'll get more feedback and discover overlooked items, and during the crunch time the users will give you more breathing room instead of jumping down your throat because their service is not working.&lt;/li&gt;
&lt;/ul&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Migrations are a very stressful time for everyone, and hopefully the above points will help both you and your customers survive them in a smoother manner. &lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Talkback and comments are most welcome&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: justify;"&gt;
Related posts&lt;/div&gt;
&lt;a href="http://www.shortinfosec.net/2010/03/management-reaction-to-failed-cloud.html"&gt;Management Reaction to Failed Cloud Security&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2009/01/security-concerns-cloud-cloud-computing.html"&gt;Security Concerns Cloud “Cloud Computing”&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2011/08/maintaining-quality-in-outsourcing.html"&gt;Maintaining quality in outsourcing telco services&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2008/07/5-sla-nonsense-examples-always-read.html"&gt;5 SLA Nonsense Examples - Always Read the Fine Print&lt;/a&gt;&lt;br /&gt;
&lt;div style="text-align: justify;"&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/Omw267SHNpY" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/Omw267SHNpY/steps-to-ensure-smoother-migration-to.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-r_OCg-j_2HY/T_s_7llFFPI/AAAAAAAAAsc/gO0l7QCLRuM/s72-c/risky-migration.jpg" height="72" width="72" /><thr:total>28</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/07/steps-to-ensure-smoother-migration-to.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-3799266410724927234</guid><pubDate>Thu, 07 Jun 2012 07:09:00 +0000</pubDate><atom:updated>2012-06-07T09:09:23.265+02:00</atom:updated><title>Farewell to Ray Bradbury</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
 &lt;br /&gt;
For the man who illustrated our imagination, and made me personally read more...&lt;br /&gt;
&lt;br /&gt;
rest in peace, Ray&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-fTP7pD7zhUo/T9BTjX0cn4I/AAAAAAAAAsI/eys5GOibtkY/s1600/Fahenheit451rb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-fTP7pD7zhUo/T9BTjX0cn4I/AAAAAAAAAsI/eys5GOibtkY/s320/Fahenheit451rb.jpg" width="189" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
 &lt;br /&gt;
&lt;div style="text-align: center;"&gt;
&lt;strong&gt;Ray Bradbury, 1938-2012&lt;/strong&gt;&lt;/div&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/lFzs047J5EQ" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/lFzs047J5EQ/fairwell-to-ray-bradbury.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-fTP7pD7zhUo/T9BTjX0cn4I/AAAAAAAAAsI/eys5GOibtkY/s72-c/Fahenheit451rb.jpg" height="72" width="72" /><thr:total>21</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/06/fairwell-to-ray-bradbury.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6151327996467342464</guid><pubDate>Tue, 20 Mar 2012 22:53:00 +0000</pubDate><atom:updated>2012-03-23T14:19:47.275+01:00</atom:updated><title>Observations of lack of research in social engineering</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Phone call social engineering is considered one of the easiest methods of social engineering: it does not involve personal contact, and leaves little in the way of an electronic trail (e-mail can leave a much larger electronic trail if not approached properly).&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-FYxYqFUYFWo/T2kA6lqrQmI/AAAAAAAAAro/XZwDL5_2onM/s1600/phone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="180" src="http://3.bp.blogspot.com/-FYxYqFUYFWo/T2kA6lqrQmI/AAAAAAAAAro/XZwDL5_2onM/s320/phone.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
In the past months Shortinfosec had the fortune to review a social engineering attack performed by a pen-test team on a company. While the pen-test was considered a failure by the client, significant elements of the attack point to open issues at the client. Publication of this information is on the condition that all information regarding the pen-test client's and provider's location, business and identity remains unidentifiable. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;The attack&lt;/b&gt;&lt;br /&gt;
The social engineering attack was performed over a phone line; the pen-testers were not even in the same city as the client and used publicly accessible lines. The targets of the attack were chosen from social networks.&lt;br /&gt;
&lt;br /&gt;
The attack was three-stage: &lt;br /&gt;
&lt;ol style="text-align: left;"&gt;
&lt;li&gt;Collect information about the order delivery process (delays, timing, etc.)&lt;/li&gt;
&lt;li&gt;Collect information about a current order in the pipeline (order prepared but not yet delivered to the customer)&lt;/li&gt;
&lt;li&gt;Divert the order to a different address.&lt;/li&gt;
&lt;/ol&gt;
The attack was performed by multiple phone calls, which created contact with multiple targets. Each call was a probing attempt to collect as much information as possible. The first and second stages of the attack were aimed at the same targets, with a delay of several days between stages. Two persons performed all the attacks.&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;In the first stage of the attack, the attackers posed as a disgruntled customer who insisted on getting details of the process because his delivery was not proper. Approximately half of the targets either readily explained the process, or were unable to reach the account manager and proceeded to divulge the information to the attackers.&lt;/li&gt;
&lt;li&gt;In the second stage of the attack, the attackers approached the targets that were deemed 'soft' - those that were most compliant and divulged the most information. They posed as persons from multiple client companies, until they received information about a current order in the pipeline. Only a small number of targets responded with the required details, simply because most targets did not have access to order information.&lt;/li&gt;
&lt;li&gt;In the third stage of the attack, the attackers again approached the 'soft' targets, attempting to divert the order in the pipeline to a different delivery address. Most targets did not have the authority to change the delivery address. The attackers reached a target with the appropriate authority, but that target contacted the real client while on the phone to verify. The client denied any change, which set off all kinds of alarms. In the end, the police were notified immediately, and the pen-testers nearly ended up in custody. &lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;b&gt;The review&lt;/b&gt; &lt;br /&gt;
When investigating the approach used by the social engineering attack, we found missteps in the following areas:&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;b&gt;The process research&lt;/b&gt; - the failure of the attack had one primary cause: the requested redirection address was outside of the free delivery area, and the targeted person actually sent out an electronic invoice to the real client for the redirection. This invoice was rushed through by the client's accounting department since it was for an outstanding order, and was immediately disputed by the client, thus exposing the attack. &lt;b&gt;This shows insufficient research of the process.&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;The selection of targets&lt;/b&gt; - the targets of the attack were selected by a single criterion: anyone who had public information regarding their employment at the pen-test client on social sites. This approach is easy, but there was very little assessment of how useful these targets would be in the further stages of the attack, and how they tend to react. &lt;b&gt;This caused multiple calls yielding relatively low-quality information or responses in the first and second stages - thus spreading the attacker resources thin.&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;The selection of the faked client &lt;/b&gt;- the faked client was not researched, and was selected at random from the information received in the second stage of the attack. The client should have been approached to research its process. A &lt;a href="http://en.wikipedia.org/wiki/Answering_service/"&gt;contact center&lt;/a&gt; channel would be an excellent 'cover' for such a task. This is especially true since the pen-test client operates via a phone channel. But instead of researching the client through impersonation of an anonymous service like an &lt;a href="http://www.voicegroup.co.uk/index.php#!/Our-Services/Business/Appointment-Setting-Service"&gt;Appointment Setting Service&lt;/a&gt;, the attackers merely dropped the name of a client. &lt;b&gt;This lack of research, combined with insufficient process research, left the pen-testers unable to prevent the invoice reaction. &lt;/b&gt;&lt;/li&gt;
&lt;/ul&gt;
Apart from these missteps, the amount of information actually gathered was quite interesting: the attackers collected information about the business process, customers and current orders. Even without being able to redirect an order, the collected information could be valuable for sale to competitors or for publication to discredit the business. &lt;br /&gt;
&lt;div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;The conclusion&lt;/b&gt;&lt;br /&gt;
This particular case was deemed by the pen-test client as a failed social engineering attack, but that is obviously a purely formal treatment of the outcome. &lt;br /&gt;
The missteps in the process which were identified are not uncommon in a pen-test scenario, where deadlines are short, and results need to be produced by the pen-testers on time and under budget. The entire process and its results have lessons for both the pen-test client and the pen-test team:&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;The pen-test team should reserve sufficient time in the project schedule for investigation, which is crucial when playing with the emotions and reactions of human beings.&amp;nbsp;&lt;/li&gt;
&lt;li&gt;On the other side of the fence, the pen-test client is still quite exposed, with information leaking left and right, which was proven by the amount of information collected by a pen-test team with a relatively small amount of research. &lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;br /&gt;
Talkback and comments are most welcome &lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/AhvjIbK3R_Y" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/AhvjIbK3R_Y/phone-call-social-engineering-is.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-FYxYqFUYFWo/T2kA6lqrQmI/AAAAAAAAAro/XZwDL5_2onM/s72-c/phone.jpg" height="72" width="72" /><thr:total>11</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/03/phone-call-social-engineering-is.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-4606484023794179589</guid><pubDate>Sat, 11 Feb 2012 17:00:00 +0000</pubDate><atom:updated>2012-02-11T18:00:26.519+01:00</atom:updated><title>7 Problems with Cell Phone Forensics</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Cell phones don’t feel newfangled but in truth they are. With innovation comes swift change, sometimes so swift that it is difficult for forensic scientists to keep up. Criminals use cell phones in a variety of crimes and it is up to the forensic scientists to uncover their transgressions. But where do they start? What are some complications that scientists encounter?&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-pW4BmmWLuHk/Tzaee-6rrYI/AAAAAAAAArY/ghyqGcW6ey0/s1600/cellphoneforensics.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-pW4BmmWLuHk/Tzaee-6rrYI/AAAAAAAAArY/ghyqGcW6ey0/s1600/cellphoneforensics.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;ol style="text-align: left;"&gt;
&lt;li&gt;&lt;b&gt;Innovation&lt;/b&gt; - Change is the number one issue for forensic scientists to overcome. Even the cell phone manufacturers don’t always know how to retrieve information stored in new phones, so how can scientists retrieve the information? Staying up-to-date on new cell phones is challenging but not impossible. As fast as they are created, criminals come up with ways to abuse them. Strangely enough, this can be beneficial for forensic scientists. Using online tips can allow scientists to simply access information that would otherwise remain unreachable.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Charge&lt;/b&gt; – Unlike computers, much of what is stored in a phone’s memory is reliant upon the battery. When the electricity goes, so does the information. Depending on what information you are looking for and how it is stored, battery or charger power is an essential thing to think about.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;SIM cards and removable media &lt;/b&gt;- SIM cards are the soul of a cell phone. They carry vital user information. Likewise, removable media, such as SD cards, can have lots of stored data on them. It is important that forensic scientists have the appropriate equipment to read and evaluate the data.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Passwords&lt;/b&gt; – Password protection on cell phones is challenging to overcome, though not impossible. Depending on the model, passwords can be circumvented in several ways.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Internet connection&lt;/b&gt; – The smarter cell phones become, the harder they are to examine. Using an internet connection instead of SMS or voice makes a forensic scientist’s job much more difficult.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Quarantine&lt;/b&gt; – One thing that is often disregarded is the need to sequester the cell phone before analyzing it. New text messages can overwrite old material, and connections to the internet can invalidate old data. It is imperative to make sure the phone is isolated.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Security augmentations&lt;/b&gt; - Forensic scientists must be especially alert when dealing with cell phones that have been improved in some way. Some users have the capability of putting in dead man’s switches, effectually wiping the contents after an action or a period of time. Malware can also be downloaded onto the phone, placing the computer systems in danger.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
There are many more problems for forensic scientists to watch out for, but these are the seven most common. Tracing cell phone data is a laborious task, but it can be done. All it takes is a little investigation, a few tools, and a lot of persistence.&lt;br /&gt;
&lt;br /&gt;
This is a guest post by Coleen Torres, blogger at &lt;a href="http://www.phonetvinternet.com/insider/coleen-torres/"&gt;Phone Internet&lt;/a&gt;. She writes about saving money on home phone, digital TV and high-speed Internet by comparing prices from providers in your area for standalone service or phone TV Internet bundles.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Talkback and comments are most welcome&lt;br /&gt;
&lt;br /&gt;
Related posts&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2008/08/when-will-your-mobile-phone-get-hacked.html"&gt;When Will Your Mobile Phone get Hacked?&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2010/09/is-geo-location-based-ddos-possible.html"&gt;Is Geo Location Based DDoS Possible?&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2008/08/is-phone-working-alternative-telephony.html"&gt;Is the Phone Working? - Alternative Telephony SLA&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/1EQQ-nJ7XSU" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/1EQQ-nJ7XSU/7-problems-with-cell-phone-forensics.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-pW4BmmWLuHk/Tzaee-6rrYI/AAAAAAAAArY/ghyqGcW6ey0/s72-c/cellphoneforensics.jpg" height="72" width="72" /><thr:total>18</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/02/7-problems-with-cell-phone-forensics.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-1203418851584286321</guid><pubDate>Wed, 18 Jan 2012 07:56:00 +0000</pubDate><atom:updated>2012-01-18T08:56:25.230+01:00</atom:updated><title>Support Free Internet  - Stop SOPA and PIPA</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Stop &lt;a href="http://en.wikipedia.org/wiki/SOPA"&gt;SOPA and PIPA&lt;/a&gt;: We openly declare our support for the efforts to prevent governments from gaining the ability to police the Internet.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-zDmvjvrjM6o/TxZ6yRhAMqI/AAAAAAAAArQ/KA6odeZ86as/s1600/Padlock_SOPA.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="213" src="http://2.bp.blogspot.com/-zDmvjvrjM6o/TxZ6yRhAMqI/AAAAAAAAArQ/KA6odeZ86as/s320/Padlock_SOPA.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/Wikipedia:SOPA_initiative/Learn_more"&gt;Kudos to Wikipedia&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Talkback and comments are most welcome&lt;br /&gt;
&lt;br /&gt;
Related posts&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2009/12/privacy-ignorance-should-eric-schmidt.html"&gt;Privacy Ignorance - Was Eric Schmidt thinking?&lt;/a&gt;

&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/2CGF_NdqgLI" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/2CGF_NdqgLI/support-free-internet-stop-sopa-and.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-zDmvjvrjM6o/TxZ6yRhAMqI/AAAAAAAAArQ/KA6odeZ86as/s72-c/Padlock_SOPA.jpg" height="72" width="72" /><thr:total>3</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/01/support-free-internet-stop-sopa-and.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6000780695027011512</guid><pubDate>Mon, 16 Jan 2012 22:05:00 +0000</pubDate><atom:updated>2012-01-16T23:07:39.820+01:00</atom:updated><title>Failed attempt at optimizing InfoSec Risk Assessment</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Last weekend I got into a discussion with an insurance supervisor on the topic of risk assessment. He explained how actuaries work in insurance: there are standardized tables of probabilities for an event to occur, like sickness and death, and these are used to calculate insurance premiums.&lt;br /&gt;
&lt;br /&gt;
After digesting the explanation, my reaction was that I had found the holy grail of information security risk analysis: all it takes is for a large enough number of incident events to be collected into a statistical table, and all possible types of information security incidents will have a standardized table of frequency and impact - no more assessments over the entire organization!&lt;br /&gt;
&lt;br /&gt;
And in such a great and utopian solution, at least a quarter of the time the information security personnel will feel like they are doing &lt;a href="http://www.staractuarial.com/"&gt;actuarial jobs&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
But I was quickly brought back to reality by the insurance expert, with a good question: actuarial tables are compiled from information whose publication is mandatory - illness, fires, theft, even death. How will you collect accurate information about information security incidents, when publishing them is not mandatory?&lt;br /&gt;
&lt;br /&gt;
And he was perfectly correct: collecting the information to compile an actuarial table for information security will be impossible. There are very few companies in the world that will release any information that there was an information security incident if it hasn't impacted the public in a very obvious way. Also, the value of the impact is calculated by any number of methods, and different items are included in the value, making the valuation of one incident incomparable with that of another.&lt;br /&gt;
&lt;br /&gt;
Having a standardized method for risk assessment in information security based on hard numbers would be great. But since the factors included in any incident are very complex and varying, and consistent incident reporting is nearly impossible, we will be sticking to the current qualitative methods.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Talkback and comments are most welcome&lt;br /&gt;
&lt;br /&gt;
Related posts&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2009/11/example-risk-assessment-of-exchange.html"&gt;Example Risk Assessment of Exchange 2007 with MS TAM&lt;/a&gt;
&lt;br /&gt;
&lt;a href="http://www.shortinfosec.net/2009/11/risk-assessment-with-microsoft-threat.html"&gt;Risk Assessment with Microsoft Threat Assessment &amp;amp; Modeling&lt;/a&gt;
&amp;nbsp;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/6zgYmu_yfmQ" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/6zgYmu_yfmQ/impossible-way-to-optimize-infosec-risk.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>5</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/01/impossible-way-to-optimize-infosec-risk.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-1252647571399882427</guid><pubDate>Thu, 12 Jan 2012 08:21:00 +0000</pubDate><atom:updated>2012-01-14T22:30:11.333+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><category domain="http://www.blogger.com/atom/ns#">Solution building</category><title>The Difficult Life of Mac in the Mixed Environment</title><description>Just before the sad event of Steve Jobs death,  obtained a MacBook. While everyone is still immersed in reading the biography, we embarked on the journey of using a new OS for the first time. Here are the positive experiences and gripes that we found when using it in a multi-purpose multi-platform environment.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Please note that we are just starting up using the Mac, and some of our issues may have solutions that we haven't found yet. 
&lt;/span&gt;&lt;br /&gt;&lt;br style="font-weight: bold;"&gt;&lt;a href="http://1.bp.blogspot.com/-acdbTCY3J1w/TxF0AlYrckI/AAAAAAAAAq4/KnBiRdnP-cc/s1600/linux-mac-windows.png"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 128px; height: 155px;" src="http://1.bp.blogspot.com/-acdbTCY3J1w/TxF0AlYrckI/AAAAAAAAAq4/KnBiRdnP-cc/s320/linux-mac-windows.png" alt="" id="BLOGGER_PHOTO_ID_5697462556984832578" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The environment&lt;/span&gt;&lt;br /&gt;The MacBook arrived in the very mixed environment of Shortinfosec:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Domain&lt;/span&gt; - an active AD Win2008 functional level domain, but used only for testing. The computers are only added to the domain to do research related to the domain.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Computers &lt;/span&gt;- Work is done on our laptops - HPs, Lenovo and Acer running Windows 7, Vista and Ubuntu. &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Virtual environment&lt;/span&gt; - VirtualBox and VMware Player based virtual machines, mostly with bridged networking&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Network &lt;/span&gt;- 802.11n Wi-Fi and wired 1 Gbps Ethernet network. 
Cisco and Huawei network elements&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;VPN &lt;/span&gt;- Cisco IPsec VPN for remote access&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Storage &lt;/span&gt;- iSCSI based storage server, built around an Openfiler storage server, on the wired LAN segment&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Printing&lt;/span&gt; - a very old HP LaserJet printer, so old that we have to use a Centronics to USB converter, so we attach it to whichever laptop we need.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;What we do in this environment:&lt;/span&gt;&lt;ul&gt;&lt;li&gt;Testing attack tools and honing skills with them &lt;/li&gt;&lt;li&gt;Running test scenarios on corporate products&lt;/li&gt;&lt;li&gt;Active Directory fiddling and trying to break it&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Playing games&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Blog management&lt;/li&gt;&lt;li&gt;A lot of article and paper writing&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Java development&lt;/li&gt;&lt;li&gt;Odd accounting jobs&lt;/li&gt;&lt;li&gt;Lots of games ;)&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;The positives&lt;/span&gt;&lt;br /&gt;We like to start on a positive note, so here are the things we like about our Mac:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;User experience&lt;/span&gt; - as Steve Jobs insisted, the user experience of working in Mac applications on the Mac is seamless. Everything just runs. Even attaching external hardware like a 20 year old printer was a breeze - much easier than doing the same on Vista.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Battery life&lt;/span&gt; - the battery life is simply outstanding. 
The commercials say that the Mac can do 7 hours on battery, and that is quite true for working in a word processor at 65% screen brightness.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Portability&lt;/span&gt; - not really comparable, since all our other laptops are 15'', but the Mac is very easy on the shoulders, and an excellent companion at meetings.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Speed of functions&lt;/span&gt; - all implemented functions within the OS are implemented VERY WELL. For example, the Cisco IPsec VPN connection using the native Lion client authenticates at least 10 seconds faster than the Cisco VPN Client for 64-bit Windows 7 (we actually measured).&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The gripes&lt;/span&gt;&lt;br /&gt;Naturally, not everything is that great, and here are the frustrations that we faced with our Mac.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;The keyboard shortcuts&lt;/span&gt; - putting an IT pro who has worked on a PC and Unix for 20 years in front of a Mac running OSX is a special kind of hell: NONE of the keyboard shortcuts are the same, and it is a significant effort to shift to OSX shortcuts. They are not illogical, only completely different, which hampers productivity for anyone used to doing much of their work on a keyboard.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Interoperability with other platforms&lt;/span&gt; - There are interoperability gripes with a lot of things. The Mac can join an AD domain (sort of), but we had a lot of stress getting the Mac to use cached credentials. 
Mostly the same happened with a Linux based LDAP service.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Software is missing&lt;/span&gt; - A lot of productivity software that we are used to is missing for Mac - we stumbled on Visio, then on MS Project, then on Notepad++, then on 7zip... We didn't go into developing Java in Eclipse, because of the following point. Mind, there are replacements for most of the software we were missing, but productivity was hampered since we needed to find the appropriate software, buy it and learn how to use it. VMware Player does not exist for Mac, so we are limited to VirtualBox.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Lacking native support for obvious items&lt;/span&gt; - first disaster - no support for NTFS write. We had to revert to the dreaded FAT32, which was a deal breaker for development. As if that wasn't enough, iSCSI is not natively supported, which further killed any attempt at accessing the large Java codebase on our iSCSI fileserver.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Remote access&lt;/span&gt; - So far we haven't discovered an efficient native tool to access and work on our Mac remotely. Apple Remote Desktop is shameless highway robbery - why should any company or user need to pay any money to access and manage a single Mac remotely? We are at the moment trying out VNC, which is not our preferred platform.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;No Native or Free Disk Encryption&lt;/span&gt; - (Updated, thanks to comments on reddit.com). Up to OSX 10.6 only Sophos SafeGuard provided full disk encryption for a Mac. 
For OSX 10.7 there is FileVault full disk encryption, but we haven't tried it.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-XU85_SPT-GA/TxF0Vb7UEHI/AAAAAAAAArE/XJ43Fepbw-g/s1600/sadmac.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 156px; height: 200px;" src="http://1.bp.blogspot.com/-XU85_SPT-GA/TxF0Vb7UEHI/AAAAAAAAArE/XJ43Fepbw-g/s200/sadmac.jpg" alt="" id="BLOGGER_PHOTO_ID_5697462915222999154" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusions and thoughts&lt;br /&gt;&lt;/span&gt;&lt;span&gt;We are not abandoning the Mac - it is a great tool and an asset in our little lab. But in the current state of things, it takes a lot of effort and compromise to fully migrate to a Mac platform, especially since multi-environment knowledge is required.&lt;br /&gt;&lt;br /&gt;If today someone asks us whether a Mac is a good idea for company use, we would not be very supportive&lt;/span&gt;&lt;span&gt; for the following reasons:&lt;br /&gt;&lt;/span&gt;&lt;ul&gt;&lt;li&gt;&lt;span&gt;Lack of business software compatibility&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span&gt;(Updated per the comment of Ryan Black) Incompatibility with writing to the NTFS filesystem (which is everywhere) (previously stated NTFS fileservers - fileservers are accessed through SMB, which is supported)&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span&gt;Learning curve for efficient use&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;span&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/information-risks-when-branching.html"&gt;Information Risks when Branching Software Versions&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/05/8-golden-rules-of-change-management.html"&gt;8 Golden Rules of Change Management&lt;/a&gt;&lt;br 
/&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/Z5uZoNUmjFs" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/Z5uZoNUmjFs/difficult-life-of-mac-in-mixed.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-acdbTCY3J1w/TxF0AlYrckI/AAAAAAAAAq4/KnBiRdnP-cc/s72-c/linux-mac-windows.png" height="72" width="72" /><thr:total>6</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/01/difficult-life-of-mac-in-mixed.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-8075440182511582574</guid><pubDate>Mon, 09 Jan 2012 10:24:00 +0000</pubDate><atom:updated>2012-01-11T00:00:29.399+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><title>Choosing Data Storage - A difficult dance</title><description>&lt;div style="text-align: justify;"&gt;IT has come a long way in the past 15 years, and has definitely advanced into the realm of commodity service. But there are still complexities under the hood of this commodity service. One of the most underestimated in complexity is data storage - it is taken for granted by everyone. 
For example, I frequently talk to a high ranking manager in a software company and he constantly states that all that is needed is another disk.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-VoAg9XesDI0/TwzAs71MgwI/AAAAAAAAAqs/VrUf_1YGbyI/s1600/disks.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 218px;" src="http://2.bp.blogspot.com/-VoAg9XesDI0/TwzAs71MgwI/AAAAAAAAAqs/VrUf_1YGbyI/s320/disks.jpg" alt="" id="BLOGGER_PHOTO_ID_5696139506924421890" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;At the end of the day, data storage is very far from simple. Every organization needs to provide a storage service for its requirements. But storage is not only capacity, and one must be careful when choosing the appropriate storage solution. There are three basic options at the moment:&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="text-align: justify;"&gt;&lt;li&gt;Cloud storage services&lt;/li&gt;&lt;li&gt;Open Source based storage systems&lt;/li&gt;&lt;li&gt;Commercial enterprise storage systems&lt;/li&gt;&lt;/ul&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;We will evaluate each option on the following key parameters of a storage system:&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="text-align: justify;"&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Capacity&lt;/span&gt; - The first (and usually only) thing we think about when we talk about storage - and the easiest to achieve. Regardless of the data storage option, capacity is upgradeable. In open source storage systems, which are based on commodity hardware, upgrades are limited to the abilities of the host server/box. The enterprise systems are much more upgradeable, but at high cost. For a cloud storage provider, capacity upgrade is nearly infinite (at least on paper). 
It is wise to plan ahead and consider whether the future upgrade ability will support your requirements.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Input/Output Operations per Second (IOPS&lt;/span&gt;) - The usually forgotten and very difficult to assess parameter, but nonetheless very important. IOPS should represent the number of operations that the system can perform on the storage within a time-frame of 1 second. But read and write operations on storage vary (sequential or random, read or write; with RAID configurations there are even separate front-end and back-end IOPS), so a single number is hard to pin down. Cloud storage services do not publish IOPS, enterprise manufacturers always publish the IOPS number that is most beneficial to them, and open source solutions mostly leave the IOPS to the builder of the system. In any case the end result is: DO NOT TRUST THE NUMBERS. There are some nice estimation calculators online, like &lt;a href="http://www.wmarow.com/strcalc/"&gt;wmarow's iops calculator&lt;/a&gt;, but use them only for reference. The smart solution is to test the storage service in a configuration as close as possible to the one you wish to use, and assess whether performance is acceptable.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Access Bandwidth&lt;/span&gt; - This is not disk bandwidth, which is calculated via the IOPS. The access bandwidth is the bandwidth between the server and the storage itself. Naturally, you want this to be as high as possible. For enterprise storage systems, discussing access bandwidth is moot, since such storage mostly connects through Fibre Channel, which has multiple links of 2, 4 or 8 Gbps. For open source storage systems, which are mostly iSCSI based, the access bandwidth starts at 1 Gbps, including Ethernet overhead. For cloud storage services, access bandwidth is a significant factor - cloud services are accessed through WAN links, where access bandwidth is limited and may be prone to congestion. 
When choosing a storage system, test your application with the bandwidth you are planning on using.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Redundancy and high availability&lt;/span&gt; - What kinds of failures and incidents can a storage system survive? Cloud services claim that they can survive a lot - short of a cataclysmic event or a nuclear bombing - but such claims should be tested. Enterprise storage systems are designed to survive nearly any hardware issue within them, and provide the ability to replicate to other systems at a distance of tens of kilometers (naturally, at a very high price). The redundancy of open source storage systems depends on the actual hardware redundancy of the box the customer built; they provide some replication technologies, which are at varying levels of maturity. Always consider placing the data based on its importance to the company - can you survive without it?&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Actual hardware&lt;/span&gt; - storage systems are comprised of well known components - hard drives, controllers, interfaces, power supplies. For both enterprise storage systems and cloud services the customer does not need to bother too much with the hardware - the provider constructs and combines the required hardware. On the other hand, when preparing open source storage, the customer usually builds the hardware, which means finding appropriate hard drives, RAID controllers, redundancy in power supplies, caching mechanisms, LAN and FC interfaces. Building a system from scratch is a great experience, but commodity devices may be prone to many more failures than specially built hardware. 
Testing is not very useful here, but think ahead about the very real risk of failure of commodity components.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Reporting&lt;/span&gt; - Once the storage system starts working, reporting becomes an immediate issue. The customer will want to know the load on the system, on individual hard drives and logical devices, response times, utilization trends etc. Again, enterprise storage systems shine in this area with an excellent portfolio of reporting tools, albeit usually at exorbitant prices. Cloud storage services may provide some reporting, but not very in-depth, and open source systems are usually poor here, since the open source project is focused on functionality, not reporting. When choosing any storage system, always ask to look at the live reports from the service/system you are planning on using.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Support&lt;/span&gt; - Again, once the storage system starts working, there will be problems. And I guarantee you - the problems will not be simple ones of the 'either it works or it doesn't' kind. There will be all kinds of complicated and seemingly impossible combinations of issues. And this is exactly where the customer will need support. But there is no clear-cut answer to which type of storage system has the best support. One must tread carefully here, because good support is about having trained support personnel, but also very dedicated support personnel. By definition, enterprise storage systems have a great advantage in this area, but this advantage can easily be ruined by a support team that juggles many projects, is used as presales or is simply not dedicated to supporting a customer. 
Cloud services fall into much the same category, but it can be difficult to discuss storage issues with a cloud storage service: the engineers are impossible to reach, there is insufficient data to support an issue (reports, analysis) and the cloud service provider usually has a well crafted SLA to protect themselves from most issues. The open source systems are a support issue in a different way - since the systems are built with software written by many, there are rarely any real experts to support such a system, unless you pay someone - and even then it may be a risk. &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Vendor lock-in&lt;/span&gt; - Cloud storage services have the strongest lock-in - if the customer chooses a cloud storage system as an important part of their infrastructure, they will adjust their operation to the cloud system and create a 'symbiotic' bond, thus making migration very costly. Enterprise systems are much easier to migrate from, since they are basically just huge hard drives. If all else fails, an operating system level copy command will provide a very crude but always successful migration. Open source storage systems have no lock-in: simple hard drives, where migration is a copy-paste operation.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="text-align: justify;"&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusions&lt;/span&gt;&lt;br /&gt;There are multiple pros and cons across our storage system parameters, but at first glance, the enterprise storage systems have the upper hand. Bear in mind though, such systems always come with exorbitant pricing, especially on any upgrades after the initial purchase. Therefore, such systems may be well suited for mission critical applications, but are too expensive to be used for each and every purpose within a company.&lt;br /&gt;The cloud services are extremely flexible in expansion capacity and redundancy (at least on paper). 
But quality of service and support may be lacking, as may access speed. So cloud based storage may only be logical if you rent the full package - server plus storage in the cloud - to guarantee an overall service level. The remaining issue is lock-in: once you start using a cloud provider, leaving it may be a challenge, since you have adjusted your operation to its service and it may be costly to shift providers.&lt;br /&gt;The open source systems are an interesting project, and can provide a very cheap solution for lower tier functions. But actively using such a system would mean dedicating an employee or a team of homegrown experts to the open source storage system, to support it properly. Also, redundancy and high availability can become an issue in such systems.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;In summary, do not choose only one storage solution: the enterprise system is well suited for business support, but it is huge overkill for test or proof of concept systems. Cloud storage services are a good choice for a cloud based infrastructure, but the lock-in issue requires a careful strategic approach before lock-in occurs. So use everything, and always evaluate any solution for at least 3 months before committing to it. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2011/08/raid-and-disk-size-search-for.html"&gt;RAID and Disk Size - Search for Performance&lt;/a&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/Y7BrABWg_O4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/Y7BrABWg_O4/experiences-of-storage-issues.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-VoAg9XesDI0/TwzAs71MgwI/AAAAAAAAAqs/VrUf_1YGbyI/s72-c/disks.jpg" height="72" width="72" /><thr:total>2</thr:total><feedburner:origLink>http://www.shortinfosec.net/2012/01/experiences-of-storage-issues.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-3022533069976398387</guid><pubDate>Tue, 27 Dec 2011 09:34:00 +0000</pubDate><atom:updated>2011-12-27T10:53:21.335+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Incident Management</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>The STRATFOR Conundrum</title><description>It has been a while since the last published article, and we are not going to try to make excuses.&lt;br /&gt;But we are tempted to make a quick note of the developing STRATFOR story. In summary, &lt;a href="http://www.stratfor.com/"&gt;Strategic Forecasting (STRATFOR)&lt;/a&gt; servers got hacked by a group apparently affiliated with Anonymous. 
Anonymous have since denied any involvement in the hack.&lt;br /&gt;&lt;br /&gt;The attack apparently resulted in more than 200 GB of data being stolen.&lt;br /&gt;&lt;br /&gt;The story of the hackers is published on pastebin:&lt;br /&gt;&lt;a href="http://pastebin.com/q5kXd7Fd"&gt;http://pastebin.com/q5kXd7Fd&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The STRATFOR site is currently offline.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-yYUwsW-lWkg/TvmUaMx9tFI/AAAAAAAAAqg/uGHtE_QiSc8/s1600/Stratfor_Maintenance.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 200px; height: 105px;" src="http://1.bp.blogspot.com/-yYUwsW-lWkg/TvmUaMx9tFI/AAAAAAAAAqg/uGHtE_QiSc8/s200/Stratfor_Maintenance.png" alt="" id="BLOGGER_PHOTO_ID_5690742781987632210" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I can honestly say that I would not want to be in the shoes of the IT guys nor the CEO of STRATFOR.&lt;br /&gt;&lt;br /&gt;This incident shows that even people who do intelligence and security for a living can fail miserably at protecting their information assets.&lt;br /&gt;&lt;br /&gt;But what is much more bizarre is the fact that STRATFOR decided to keep a large number of credit card numbers in their databases, thus creating a huge financial problem, which will greatly increase the profile of the incident.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/blogtipz-hacked.html"&gt;Blogtipz Hacked&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/when-will-your-mobile-phone-get-hacked.html"&gt;When Will Your Mobile Phone get Hacked?&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/DyAxVJ_Euxc" height="1" 
width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/DyAxVJ_Euxc/stratfor-conundrum.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-yYUwsW-lWkg/TvmUaMx9tFI/AAAAAAAAAqg/uGHtE_QiSc8/s72-c/Stratfor_Maintenance.png" height="72" width="72" /><thr:total>3</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/12/stratfor-conundrum.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-9152137242440668680</guid><pubDate>Thu, 08 Sep 2011 16:42:00 +0000</pubDate><atom:updated>2011-09-08T19:11:08.249+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">training and certification</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Five Information Security Issues We All Face Today</title><description>Technology has done a great deal for changing the way we live and do business today. While the benefits are numerous, however, there have been challenges that come with that development. Here’s a look at some of the information security issues we all face.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Awareness&lt;/span&gt;&lt;br /&gt;A &lt;a href="http://countermeasures.trendmicro.eu/3-top-issues-in-information-security/"&gt;blog post&lt;/a&gt; by Rik Ferguson for Trend Micro says awareness and education are key issues surrounding information security today. People must understand and accept the risks that come with using technology and the Internet in particular. 
By knowing threats are present, they can learn to use these luxuries carefully, and not blindly accept that someone will have the solutions for any problems they may face.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Complacent Businesses&lt;/span&gt;&lt;br /&gt;We place considerable faith in businesses to safeguard our personal information. However, some companies are not always as proactive about defending files as they could be, Ferguson suggested. In fact some don’t strengthen protective measures already in place until information breaches or near-breaches occur. Customers want to know their information is protected, and businesses often have a legal obligation to plan ahead and monitor their client files as much as possible.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;A Wealth of Online Possibilities &lt;/span&gt;&lt;br /&gt;Online banking, smart phones, credit cards, bill pay, and countless other Internet options open individuals to numerous hacking risks and opportunities for criminals to try stealing personal information. Careful selection of account passwords, safeguarding Social Security numbers, and being absolutely certain that companies are reputable will help individuals handle some of these risks.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Recognizing Problems&lt;/span&gt;&lt;br /&gt;Not every threat can be avoided, but being able to recognize the warning signs of identity theft might keep a problem from escalating as much as it could have if left unchecked. 
Unauthorized account changes or withdrawals, unexplained denials of credit, and letters or phone calls about services or products you haven’t requested are all good indicators that you might have a problem on your hands and that steps should be taken to stop these issues.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Risk Management&lt;/span&gt;&lt;br /&gt;Companies and individuals are responsible for managing the risks associated with keeping personal information in computer files. People and businesses should know what information is in their files, and keep only what is absolutely necessary. Then, plans must be made to keep those essential files safe.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What You Can Do&lt;/span&gt;&lt;br /&gt;If you’re interested in joining the ranks of qualified professionals who work daily to keep information and technology safe and secure, consider attending college for information technology training. You’ll learn how to prevent cyber attacks and teach people how to protect their important files. Many colleges and universities offer this degree; start checking for schools if this sounds like the right profession for you.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;About the Author:&lt;br /&gt;&lt;br /&gt;This guest post has been provided by Philip J Reed on behalf of &lt;a href="http://www.westwood.edu/resources/online-colleges/"&gt;Westwood College&lt;/a&gt;.  Westwood offers degrees in many programs, including &lt;a href="http://www.westwood.edu/resources/information-security-training/"&gt;information technology training&lt;/a&gt;.  
They have an extensive online course catalogue, and are always available to answer any questions you may have about the degrees they offer.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2011/06/information-systems-security-as.html"&gt;Information Systems Security as a Profession&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/itilv3-foundations-training-experiences.html"&gt;ITILv3 Foundations Training - Experiences&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/yhkbDN_XOLw" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/yhkbDN_XOLw/five-information-security-issues-we-all.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>7</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/09/five-information-security-issues-we-all.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-4603324251519624932</guid><pubDate>Mon, 22 Aug 2011 07:16:00 +0000</pubDate><atom:updated>2011-08-22T11:23:25.976+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><title>RAID and Disk Size - Search for Performance</title><description>Centralizing your storage is always a very good idea - you can manage storage requirements of most servers through a central storage system, without the hassle of juggling local disks within servers.
&lt;br /&gt;
&lt;br /&gt;But centralizing storage opens a whole new world of hassles:
&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Physical limits&lt;/span&gt; - depending on your choice of vendor and class of storage, you may be limited by the number of available drive slots&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Technical limits&lt;/span&gt; - depending on your choice of vendor and class of storage, it may support hundreds of drives, but not with your current CPUs or cache memory
&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Higher costs&lt;/span&gt; - everything within the storage costs money - physical drives, CPUs, cache memory, drive bays, licenses for storage management software. And all of these usually carry exorbitant prices.&lt;/li&gt;&lt;/ul&gt;So when looking for storage, there is always a tug of war: limited budget vs. functionality, drive space and performance.
&lt;br /&gt;
&lt;br /&gt;Let's discuss all three elements countering the budget:
&lt;br /&gt;
&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Functionality&lt;/span&gt; - this area covers overall management, non-disruptive OS upgrades, point-in-time snapshots, point-in-time clones, replication functionality etc. These are very easy for the client to declare as requirements, and leave very little 'wiggle room' for the storage vendors to try to sell something else or reduce the price at the RFP by reducing .
&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Drive Space and Performance&lt;/span&gt; - here is the conflict between storage vendors and clients: storage vendors do not sell space and rarely sell performance, they sell hard drives. And everything in their portfolio (cache, slots, licenses) is based on physical drives. So they will always push the client into a 'number of drives' mentality. This is wrong; the client needs to think in terms of usable space and Input/Output Operations per Second (IOPS), because at the end of the day, the servers do not care that you have 20 drives when they see only 100GB of partition and only 200 IOPS when they need 1000. And here we hit the problem of balance - as you are well aware, a storage system can provide different &lt;a href="http://en.wikipedia.org/wiki/RAID"&gt;levels of data protection through redundancy or parity, at the cost of physical capacity and performance.&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;When declaring your usable space, you need either to declare the number of IOPS that it needs to support (which is very difficult) or to declare a RAID level. Since estimating the actual IOPS requirement is difficult, you can always approach it with 'I need better functionality than I have at the moment'. This is very easy to achieve with &lt;a href="http://www.wmarow.com/strcalc/"&gt;Wmarow's IOPS calculator&lt;/a&gt;:
&lt;br /&gt;
&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Input the parameters for the number of drives and the RAID level currently servicing your server.&lt;/li&gt;&lt;li&gt;Then input the estimated number of drives and organization (RAID level) that you are thinking of buying.&lt;/li&gt;&lt;li&gt;Compare the IOPS results.&lt;/li&gt;&lt;li&gt;If you are migrating more servers to one RAID group, add up all initial IOPS and compare the sum to the resulting IOPS
&lt;br /&gt;&lt;/li&gt;&lt;li&gt;You need to achieve a better IOPS result for the target than currently, by at least 50%
&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;
&lt;br /&gt;The results will vary wildly, based on the number and type of drives, as well as the RAID level. We have calculated a sample of IOPS results for a 2 TB capacity drive using different RAID levels and disk drives, assuming a small storage system with only 16 slots for disks (click the image for the large version):
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-9sqFUC6k8w8/TlIbC6OfyTI/AAAAAAAAAp8/yrbnlAQICQg/s1600/Raid_IOPS_Table.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 117px;" src="http://3.bp.blogspot.com/-9sqFUC6k8w8/TlIbC6OfyTI/AAAAAAAAAp8/yrbnlAQICQg/s320/Raid_IOPS_Table.jpg" alt="" id="BLOGGER_PHOTO_ID_5643603019852400946" border="0" /&gt;&lt;/a&gt;
&lt;br /&gt;Please note that the actual IOPS result of a certain storage system may differ in absolute value, because of processor power, advanced algorithms and cache memory. But regardless of these attributes, the relative ratio between the produced IOPS will remain the same - RAID0 will always be 3 times faster than RAID5 on the same drives.
&lt;br /&gt;
&lt;br /&gt;Also, please note that no matter the abilities of the storage system you are looking at, each disk has physical limitations, and these cannot be overcome by any amount of cache, intelligent algorithms or processing power in the storage system.
&lt;br /&gt;
&lt;br /&gt;In conclusion, since the absolute values of different storage systems may differ, what is the best way for a client to be certain that he/she will receive the balance of protection and performance that is needed? There are two options:
&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Test the configuration&lt;/span&gt;. If someone wants to sell a storage system, he/she should be able to build the same storage configuration in a lab environment, and you then run full performance and load testing against that configuration&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Ask for a guarantee&lt;/span&gt; - give the salespeople the parameters of the services on the servers (database, file servers etc.). These can be collected through performance monitor and database tools. Then make the vendor guarantee, with financial penalties, that each of the functions will perform two times faster (or any other parameter) with the same servers.&lt;/li&gt;&lt;/ol&gt;
&lt;br /&gt;Talkback and comments are most welcome
&lt;br /&gt;
&lt;br /&gt;Related posts
&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/02/choosing-system-integrator-follow-money.html"&gt;Choosing a System Integrator - Follow the money&lt;/a&gt;
&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/cloud-computing-premature-murder-of.html"&gt;Cloud Computing - Premature murder of the datacenter&lt;/a&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/xpHcH71Cuhs" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/xpHcH71Cuhs/raid-and-disk-size-search-for.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-9sqFUC6k8w8/TlIbC6OfyTI/AAAAAAAAAp8/yrbnlAQICQg/s72-c/Raid_IOPS_Table.jpg" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/08/raid-and-disk-size-search-for.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-4459367221581712080</guid><pubDate>Sun, 07 Aug 2011 20:07:00 +0000</pubDate><atom:updated>2011-08-07T22:18:59.162+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">SLA</category><category domain="http://www.blogger.com/atom/ns#">Incident Management</category><title>Maintaining quality in outsourcing telco services</title><description>More and more IT services are being outsourced. And as telco services are now easily integrated and transported over IP protocols, the outsourcing is being well established with telco.&lt;br /&gt;&lt;br /&gt;But the issue with telco services is that quality in telco is very difficult to properly define. 
This is because there are parameters that are difficult to track – sound quality, response of the system to tone-dial menu selection in an IVR, unexpected intermittent interruptions of voice communication, temporarily unavailable service.&lt;br /&gt;And when part of the telco service is outsourced, it becomes even more difficult to manage the quality of such services.&lt;br /&gt;&lt;br /&gt;Here are some elements that will affect the quality of outsourced telco services:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Oversubscription of the outsourcing service &lt;/span&gt;– the service may be of variable quality, with off and on periods when service is poor and then great. This is usually connected to oversubscription of the outsourcing service: when their systems are overloaded, the customer-facing service is of poor quality.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Availability of the outsourcing servers &lt;/span&gt;– simple and straightforward: power outages, server outages and cooling outages all create failures that interrupt service. Even if there are secondary servers, the switchover will fail all active connections&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Connectivity to the outsourcing service &lt;/span&gt;- most outsourcing services are far away, most often in Asia. So internet links will be the primary connectivity medium to such outsourcing services. But the internet as a medium has a lot of possible issues, and failures of connectivity paths are not that rare.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;When the outsourcing service is part of your &lt;a href="http://en.wikipedia.org/wiki/Call_management"&gt;call management&lt;/a&gt;, things get very interesting. 
Services that are part of the call management process and are easily outsourced are &lt;a href="http://www.ect-ringback.com/index.html"&gt;ringback tone&lt;/a&gt;, voice mail, autoanswer etc.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;How to solve this issue of quality when outsourcing? There is no magic bullet, but here are some experiences and pointers:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Of course, you will create the standard contract with availability, packet loss and jitter criteria (see related posts).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;You can also include call disconnects or failures to connect.&lt;/li&gt;&lt;li&gt;It would be very good to try to tie this to the number of customer complaints, but the outsourcing service will be very reluctant to accept a quality-of-service condition tied to a very subjective criterion that cannot be measured and confirmed by both parties independently.&lt;/li&gt;&lt;li&gt;Create a complaint criterion for the outsourcing service - for example, if the telco customer detects issues so large that they need to send a complaint to their outsourcing service more than 4 times every quarter, that would be a basis for a contract review. This clause is very wise to include, especially in the first year of use of the outsourcing service, when you are still learning their weak points&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2010/02/telco-sla-parameters-and-penalties.html"&gt;Telco SLA - parameters and penalties&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/is-phone-working-alternative-telephony.html"&gt;Is the Phone Working? 
- Alternative Telephony SLA&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/5-sla-nonsense-examples-always-read.html"&gt;5 SLA Nonsense Examples - Always Read the Fine Print&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/PeJRDK0pWWA" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/PeJRDK0pWWA/maintaining-quality-in-outsourcing.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>4</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/08/maintaining-quality-in-outsourcing.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-5437595141981174959</guid><pubDate>Fri, 29 Jul 2011 10:00:00 +0000</pubDate><atom:updated>2011-07-29T12:28:03.991+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">penetration testing</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Information Gathering - lessons from The Big Short</title><description>Information gathering from public sources is still one of the best ways to understand your potential target.&lt;br /&gt;&lt;br /&gt;I have been reading a great book called "The Big Short". It's a book about the financial crisis of the sub-prime mortgage market in the US. I don't have any financial services training so I didn't quite grasp all the nuances of the financial machinations involved, but one thing is clear: &lt;span style="font-weight: bold;"&gt;All people that managed to profit during the failure of the subprime mortgage market relied only on publicly available information. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-lmLrctdYQmM/TjKLIXUPHeI/AAAAAAAAAp0/wM7MCxL95Uo/s1600/Document_Search.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 288px;" src="http://1.bp.blogspot.com/-lmLrctdYQmM/TjKLIXUPHeI/AAAAAAAAAp0/wM7MCxL95Uo/s320/Document_Search.jpg" alt="" id="BLOGGER_PHOTO_ID_5634719059608018402" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This only goes to show the power that lies in publicly available information, if it is analyzed properly. Always collect as much information as possible, using &lt;a href="http://en.wikipedia.org/wiki/Open_source_intelligence"&gt;OSINT&lt;/a&gt; sources and tools: collections of financial statements, annual reports, analysis through specific tools like Maltego, and IP and DNS registries.&lt;br /&gt;&lt;br /&gt;Regardless of whether you need to collect information on a potential competitor, a target of a penetration test, in financial &lt;a href="http://www.tdwaterhouse.co.uk/Choose-an-account/Financial-Spread-Trading.aspx"&gt;spread betting&lt;/a&gt; or derivatives trading, or even in financial research of a company, there are several lessons that "The Big Short" teaches us:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Financial statements contain non-financial data&lt;/span&gt; - do not run away from the balance sheets, income statements and the like. 
Most often, these documents have a significant narrative which describes the points of the financial items, and thus explains the operations of the target&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Collect information on the target&lt;/span&gt; - grab financial statements, news on sales contracts, news on key personnel who arrived at or left the company and their assistants, everything in terms of indexed documents or spreadsheets.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Collect information on the target’s partners and customers&lt;/span&gt; - it is not only the target that needs to be investigated. An excellent information source may always be the partners, who may have less stringent information security policies. Also, their financial statements may have useful insights.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Look at relationships between everyone&lt;/span&gt; - who owes money to whom, who is dependent on whom, who has the trust of whom. Understanding relationships between people and companies is a great foothold for social engineering.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Ask the 5 Whys - &lt;/span&gt;on every fact or relationship, ask yourself why it is done in such a way and try to answer it. Then ask why on the answer, and again and again. If you don’t find a good, simple answer, there's a good chance there is a gap there: either some useful and important information is not available, or there is a gap to be exploited.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;While "The Big Short" is about making money, the lessons from it are excellent for information security. 
I would recommend a read for every security guy.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2010/03/digging-for-information-with-open.html"&gt;Digging for information with Open Source Intelligence&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/nCWKwyO0mjQ" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/nCWKwyO0mjQ/information-gathering-lessons-from-big.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-lmLrctdYQmM/TjKLIXUPHeI/AAAAAAAAAp0/wM7MCxL95Uo/s72-c/Document_Search.jpg" height="72" width="72" /><thr:total>3</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/07/information-gathering-lessons-from-big.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-8787666885612328833</guid><pubDate>Thu, 30 Jun 2011 13:49:00 +0000</pubDate><atom:updated>2011-06-30T15:54:36.118+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">training and certification</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Software Security Degree Programs</title><description>Software security is a highly technical and vital skill in today's evolving technological marketplace. Even so, programs specializing in this area are quite rare. 
In fact, it's more common to find a professional in this field with a Bachelor's or Master's degree in computer science than it is to find experts who have achieved a certification in software security.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Software Security Degrees Are on the Rise&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;More institutions are providing programs and degrees focused on the security aspect of information technology than ever before. Part of the reason for this is the significant projected increase in the number of jobs available in the field. In fact, the Bureau of Labor Statistics estimates the industry will grow by 36%.&lt;br /&gt;&lt;br /&gt;The growing technology and ever-expanding number of applications are a significant contributing factor. As new technology appears and grows, so does the risk of system vulnerabilities and the need for specialists to mitigate and protect against them using penetration testing tools and other preventative procedures.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What to Expect in a Software Security Degree Program&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you're interested in a software security degree program, you'll find a healthy interest in technology and solving intricate problems will help a lot. By the time you've received your degree, however, you'll have a detailed understanding of the challenges involved in securing network and computer systems, and be able to use technological tools and protocols to minimize risks. You'll feel confident knowing you can restore various systems after an attack and be comfortable providing security for mobile and software management.&lt;br /&gt;&lt;br /&gt;You'll have the basics in software engineering, telecommunication network fundamentals and have the option to include additional classes such as business management and managerial economics. 
Just because this program focuses on software security doesn't mean there's no variety.&lt;br /&gt;&lt;br /&gt;Some programs, such as the Master of Science in Information Technology – Information Security designation (MSIT-IS degree program) from INI Pittsburgh-Silicon Valley, offer focuses in Mobility, Information Security, or Software Management. You're not confined to standard classroom learning either. Some programs offer an internship while many classes are available online, which is perfect for students who may otherwise be unable to take this kind of program.&lt;br /&gt;&lt;br /&gt;Certifications in this area can be attained in as little as two years, although the education can take up to four. Most potential employers will consider applicants who combine a degree with practical experience, and this is where internships can make a significant difference.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Where Can You Work With a Software Security Degree?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The job titles currently available to those with a software security degree can include information technology specialist, data security administrator and computer security specialist, among others. Applications can involve the health care industry, financial businesses, or any business that requires any sort of computer program to function. This leaves the field wide open to those who wish to specialize in this fast-growing career choice. The money isn't bad either; annual salary starts at an average of $50K per year and goes up from there.&lt;br /&gt;&lt;br /&gt;With the need for software security experts on the rise, and everyone getting online, you can still work in almost any industry. Combine your degree with other interests, and you may just find the career you've always dreamed of.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This is a guest post by Fergal Glynn. Fergal is the director of product marketing and a frequent writer for Veracode. 
The Veracode platform helps websites of all kinds avoid &lt;a href="http://www.veracode.com/security/xss"&gt;cross site scripting vulnerabilities&lt;/a&gt;.  Fergal has spent the last decade working primarily in online security and software development&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/LgXcw0QzaNA" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/LgXcw0QzaNA/software-security-degree-programs.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>1</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/06/software-security-degree-programs.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-158928221572562669</guid><pubDate>Sat, 18 Jun 2011 09:55:00 +0000</pubDate><atom:updated>2011-06-23T11:01:53.039+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information strategy</category><title>The Cloud - time for serious consideration - Web services</title><description>In 2008 we published an article on cloud computing, which basically said, don't turn off your local datacenter. To be very sincere, Shortinfosec was a little hypocritical in that article - since Shortinfosec was and is hosted in the cloud. After three years, and a lot of additional examples of cloud development, it is time for a serious reconsideration:&lt;br /&gt;&lt;br /&gt;Our original argument was that the confidentiality, availability and integrity triad was unsustainable in the cloud world at the time (2008). 
Today, things are looking different:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Backup storage is humming in the cloud in some form or another - and is being used by enterprises&lt;/li&gt;&lt;li&gt;At least 3 different vendors of banking software are collaborating with cloud services providers to enable the cloud operation of their software (Tieto, Misys, Temenos)&lt;/li&gt;&lt;li&gt;E-mail and office applications are happily running in the cloud (Google, Microsoft)&lt;/li&gt;&lt;li&gt;Web applications are more available than ever&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Since this article will become too long if we discuss all possible cloud applications, let's start with the simplest one - Web hosting.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/--Bb_H9WmcsM/Tfzcku1jvXI/AAAAAAAAAo0/ZzoqcpjFhJo/s1600/CloudWeb.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 290px; height: 259px;" src="http://4.bp.blogspot.com/--Bb_H9WmcsM/Tfzcku1jvXI/AAAAAAAAAo0/ZzoqcpjFhJo/s320/CloudWeb.png" alt="" id="BLOGGER_PHOTO_ID_5619608958657609074" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From its inception, web hosting was in a sense hosted in the cloud - but a very simple cloud. Very few people or even companies own and operate web servers; the rest host their web sites on provider servers throughout the world.&lt;br /&gt;But hosting is not exactly the cloud. The cloud offers so much more for web hosting.&lt;br /&gt;&lt;br /&gt;Now, this is not the time to start thinking: "I'm thinking of upgrading my web host and I've been checking some &lt;a href="http://www.webhostingsearch.com/reviews.php"&gt;web hosting reviews&lt;/a&gt;. 
It's pretty hard to decide which host, especially when reading the editorial and user reviews, since all of them have good reviews. Let's go on and choose the most expensive one."&lt;br /&gt;&lt;br /&gt;When considering moving your web presence to the cloud, understand the strengths and weaknesses of the cloud:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Strengths&lt;/span&gt; &lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Availability&lt;/span&gt; - any cloud service is distributed over multiple servers, datacenters and sites. And the cloud systems can transfer the hosted applications/sites near-instantly within this infrastructure. 
So even if a server fails, your availability will be nearly unharmed.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Coping with large load variations&lt;/span&gt; - again, since there are multiple servers and datacenters, if your application/site suddenly becomes very popular, the cloud infrastructure won't fall to its knees under the load of additional requests.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Timely and consistent updates&lt;/span&gt; - the underlying servers of the cloud infrastructure need to be fully consistent with each other. Also, since they are running many customers' applications/sites, a failure due to a patch is not something the cloud service will accept. So you can rely on the fact that all servers will be very quickly and consistently updated.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Extremely fast scaling out&lt;/span&gt; - if your application/site has a sustained high visit rate, it needs more servers to run on. This is very easy to implement in the multi-server, multi-site environment of a cloud service.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Weaknesses&lt;/span&gt; &lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Custom platform&lt;/span&gt; - each cloud service provider designs the cloud service environment with its own specifics, like the underlying operating system, databases, application server and development platform. 
These are fixed across the entire cloud platform, and if you wish your application/site to run on the cloud service, you must make it work with the cloud service.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Lock-in&lt;/span&gt; - once you have adjusted the entire application/site to run on the cloud service environment, it may be difficult to move it to another cloud service provider, since then you'll need to re-adjust everything to run on the new cloud service. This is even more difficult if the application/site was developed from scratch with a specific cloud service in mind.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Isolation breach&lt;/span&gt; - your application/service is not the only one running on the cloud service systems. A breach of the isolation controls between different applications/customers can cause access to proprietary data, use of another party's resources and in general a very large amount of grief for everyone involved. At the least, you could be billed for resources that another application consumed in your context due to such a breach&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Data protection&lt;/span&gt; - placing your application/site in the cloud also puts its data in the cloud. And this data is very important to you, and sometimes very confidential in nature. Since all this data is managed by the service provider, incidents of data loss, data leaks and security breaches can all happen.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Cost&lt;/span&gt; - the cloud service providers have a lot of innovative pricing mechanisms, like pricing per I/O, per CPU used, per bandwidth, or any combination of those. So while efficiency and availability will definitely increase, so may the costs of your hosting.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The cloud is very ripe for web services. 
But before you choose one, be careful to seriously weigh your pros and cons. If you can match your application/site to a cloud service, you can bring it to a new level of efficient operation.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/08/cloud-computing-premature-murder-of.html"&gt;Cloud Computing - Premature murder of the datacenter&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/03/having-web-site-that-is-not-that-easy.html"&gt;Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/12/checking-web-site-security-quick.html"&gt;Checking web site security - the quick approach&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/tutorial-secure-web-based-job.html"&gt;Tutorial - Secure Web Based Job Application&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/rules-for-good-corporate-web-presence.html"&gt;Rules for good Corporate Web Presence&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/DAD1U_Grf8k" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/DAD1U_Grf8k/cloud-time-for-serious-consideration.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/--Bb_H9WmcsM/Tfzcku1jvXI/AAAAAAAAAo0/ZzoqcpjFhJo/s72-c/CloudWeb.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/06/cloud-time-for-serious-consideration.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-1376629838237747845</guid><pubDate>Sun, 12 Jun 2011 22:39:00 
+0000</pubDate><atom:updated>2011-06-14T21:14:52.233+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Where are your default admin passwords - and who can get to them?</title><description>Every corporation nowadays is very concerned with account security. And the first thing that an auditor or security officer asks for is the treatment and storage of the default admin accounts (root, administrator, sa, DBO...).&lt;br /&gt;We don't need to repeat the well known mantra of not using the default accounts for daily use.&lt;br /&gt;&lt;br /&gt;But these accounts and passwords still need to be well secured, in order to meet the following criteria&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Security&lt;/span&gt; - the passwords for the default admin accounts need to be strong and complex, and should withstand most attempts at brute force or social engineering attacks&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Confidentiality&lt;/span&gt; - no single person should know the complete default admin account password, since he/she could abuse this account for gain or to cause damage.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Availability&lt;/span&gt; - in times of crisis, the organization may still need to use these default admin accounts, so the passwords cannot be lost&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;The following procedure can be applied by any organization, and it meets all three criteria.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Security and Confidentiality&lt;/span&gt; - the password should be constructed in two parts, each part created and entered by a different person, without either person seeing the other's part. Having two people create a password increases its complexity significantly, and reduces the possibility of using social knowledge about a single person to attack the password. 
Also, no single person knows the password.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Confidentiality and Availability&lt;/span&gt; - The parts of the password should be written on separate pieces of paper, marked first and second part, each by the person who created it, and stored in separate envelopes. These two envelopes should then be stored in a &lt;a href="http://en.wikipedia.org/wiki/Tamper-evident"&gt;tamper evident envelope&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Placing the passwords in a tamper evident envelope is the step where most attempts at secure storage fail. The usual excuse is that tamper evident envelopes are not readily available, or even that they cannot be ordered through central procurement. This is rarely true, since such envelopes are available in most &lt;a href="http://www.theofficesuppliessupermarket.com/"&gt;office supplies&lt;/a&gt; stores.&lt;br /&gt;&lt;br /&gt;But even if such envelopes are not available, you can easily create a DIY tamper evident envelope like this:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Take an ordinary envelope. &lt;/li&gt;&lt;li&gt;Ask your manager to sign his name at least 2 times on the edges of the envelope, from both sides.&lt;/li&gt;&lt;li&gt;Cover the length of the signed edges with transparent adhesive tape (scotch tape) - make sure that the tape overlaps the edge of the envelope. 
&lt;/li&gt;&lt;li&gt;Put the password envelopes inside the tamper-evident envelope&lt;/li&gt;&lt;li&gt;Seal the envelope, and have the manager sign across the edge where the envelope is sealed&lt;/li&gt;&lt;li&gt;Cover the length of the seal and the signatures with the adhesive tape - make sure that the tape touches both the flap and the envelope surface as well as the signatures&lt;/li&gt;&lt;/ol&gt;The end result can be seen in the following image.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-DLs2BszGj2I/TfVCq7a2HKI/AAAAAAAAAos/f1w3yzJ8Kac/s1600/DYI_Tamper_Evident_Envelope.png" rel="nofollow"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 262px;" src="http://1.bp.blogspot.com/-DLs2BszGj2I/TfVCq7a2HKI/AAAAAAAAAos/f1w3yzJ8Kac/s400/DYI_Tamper_Evident_Envelope.png" alt="" id="BLOGGER_PHOTO_ID_5617469415486790818" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Through this process you have created a crude tamper-evident envelope. If someone tries to open this envelope at any edge or through the sealed flap, he/she will damage the adhesive tape, and this damage is easily visible. If someone tries to remove the adhesive tape before opening the envelope, the tape will lift the signature that it covers, again showing that the envelope was tampered with.&lt;br /&gt;&lt;br /&gt;Once this step is out of the way, securing the password is finished by storing the envelope in the department safe, where employees can still get to it if needed (in a crisis situation). Once the envelope has been opened, the password is known to whoever used it, so the whole procedure should be repeated with a new password.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This process is very simple to follow, and can be applied in one afternoon. All it takes is 3 people, some envelopes and the will to secure the default admin accounts. 
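&lt;br /&gt;&lt;br /&gt;The same split-knowledge idea, worked through in code as an added example (not part of the original post): two custodians each generate their half with a CSPRNG instead of inventing it, the entropy of one half shows why a lone custodian's slip of paper is useless on its own, and a SHA-256 fingerprint of the whole password is kept outside the envelope so that, in a crisis, the halves read back from paper can be checked for transcription errors before anyone types them into a production system and locks the account. The function names, the sample account label and the paper-friendly alphabet are this example's own choices, not anything from the post. Writing a fingerprint next to the envelope is only acceptable because the password is long and random; for a human-chosen password it would hand an attacker an offline cracking target.&lt;br /&gt;&lt;br /&gt;

```python
"""Split-knowledge custody for a default admin password.

Added example, not from the original post. Models the two-part procedure
described above: two custodians each create one half, neither sees the
other's, and a fingerprint of the whole password is kept OUTSIDE the
sealed envelope so the reconstructed password can be checked for
transcription errors before it is typed into a production system.
Helper names (make_part, fingerprint, ...) and the label format are
this example's own assumptions.
"""
import hashlib
import hmac
import math
import secrets
import string

# Characters that are unambiguous when handwritten: no 0/O and no 1/l/I.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + "!#%+-=?@"
    if c not in "0O1lI"
)


def make_part(length=16, alphabet=ALPHABET):
    """One custodian's half, drawn with a CSPRNG (secrets, not random).
    In real use each custodian runs this on their own machine and writes
    only their own output on paper."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(len(alphabet))


def fingerprint(password, label):
    """SHA-256 over a domain-separating label and the full password.
    Safe to record on the envelope ONLY because the password is long and
    random; a guessable password would make this an offline crack target."""
    data = label.encode() + b"\x00" + password.encode()
    return hashlib.sha256(data).hexdigest()


def assemble(part1, part2):
    """Order matters: envelope 'first part' then envelope 'second part'."""
    return part1 + part2


def verify_reconstructed(part1, part2, label, expected_fp):
    """True if the halves read back from paper reproduce the sealed password.
    Constant-time compare, although the hash itself is not secret."""
    actual = fingerprint(assemble(part1, part2), label)
    return hmac.compare_digest(actual, expected_fp)


if __name__ == "__main__":
    label = "sql01/sa"          # hypothetical account this envelope is for
    p1 = make_part()            # custodian A's half
    p2 = make_part()            # custodian B's half
    fp = fingerprint(assemble(p1, p2), label)
    print("entropy of one part:", round(entropy_bits(16), 1), "bits")
    print("entropy of full password:", round(entropy_bits(32), 1), "bits")
    print("fingerprint written on the envelope:", fp)
    # Crisis day: halves read back from paper, checked before first use.
    print("reconstruction ok:", verify_reconstructed(p1, p2, label, fp))
    # One mistyped character on the second slip is caught by the check.
    bad = p2[:-1] + ("x" if p2[-1] != "x" else "y")
    print("typo detected:", not verify_reconstructed(p1, bad, label, fp))
```

With the alphabet above, each 16-character half carries about 96 bits of entropy and the full 32-character password about 193 bits, so the fingerprint on the envelope is useless to a thief without both slips, and a single custodian holding one slip still faces the other 96 bits. The script runs both custodians in one process only to demonstrate the check; the whole point of the procedure is that they never do.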
Just make sure that you reset the passwords of the default admin accounts in all places where they are used, such as service/daemon accounts and scheduled system jobs, otherwise those will stop working when the password changes.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/02/cracking-truecrypt-container.html"&gt;Cracking a TrueCrypt Container&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/02/having-web-site-that-is-not-that-easy.html"&gt;Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/04/5-minute-security-assessment.html"&gt;5 Minute Security Assessment&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/rBlNqHilaRQ/where-are-your-default-account.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-DLs2BszGj2I/TfVCq7a2HKI/AAAAAAAAAos/f1w3yzJ8Kac/s72-c/DYI_Tamper_Evident_Envelope.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/06/where-are-your-default-account.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-3446003369696707257</guid><pubDate>Mon, 06 Jun 2011 04:23:00 +0000</pubDate><atom:updated>2011-06-06T07:50:00.635+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">training and certification</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Information Systems Security as a Profession</title><description>Computer hackers and cyber-terrorists can wreak havoc on information systems (IS). 
Because of this looming threat, the demand for cyber-security specialists – and information security training – is on the rise.&lt;br /&gt;&lt;br /&gt;Trained and certified IS security professionals are needed to combat these threats and vulnerabilities, which can be incredibly costly to organizations. In fact, a Reuters special report noted that the IS security market is estimated to be between $80 billion and $140 billion a year worldwide.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;IS Security Opportunities&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Industry experts suggest that there is a tremendous need for IS security specialists in both the commercial sector and government. National Public Radio (NPR) recently interviewed James Gosler, a veteran cyber-security specialist who has worked at the CIA, National Security Agency and Energy Department.&lt;br /&gt;&lt;br /&gt;Gosler estimated that there are only about 1,000 people in the United States that have the necessary skills to tackle the most challenging IS security tasks – but noted that some 20,000 to 30,000 highly trained security professionals are needed to meet the needs of corporations and government agencies. The U.S. Bureau of Labor Statistics (BLS) projects that employment in this field will grow much faster than the average for all occupations, with an increase of 20% or more between 2008 and 2018.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Career Options, Salaries and Job Duties&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you’re considering a career in IS security, you’ll find job openings in a variety of related areas. 
Security specialists may be found in each of the following BLS occupational groups, and often enjoy salaries in excess of $100,000 per year:*&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Computer Specialists: $41,680 – $115,050&lt;/li&gt;&lt;li&gt;Database Administrators: $40,780 – $114,200&lt;/li&gt;&lt;li&gt;Computer Systems Analysts: $47,130 – $119,170&lt;/li&gt;&lt;li&gt;Network Systems and Data Communications Analysts: $42,880 – $116,120&lt;/li&gt;&lt;li&gt;Computer and Information Systems Managers: $69,900 – $166,400&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;IS security specialists with industry certification typically earn salaries at the higher end of the range. For example, a 2009 salary survey by Certification Magazine found that professionals with the Certified Information Systems Security Professional (CISSP®) credential earned an average annual salary of $108,630.&lt;br /&gt;&lt;br /&gt;As an IS security professional, your work might involve encrypting data transmissions, implementing firewalls and developing a formal strategy to protect computer files from unauthorized access. You may also be charged with policing violations of security procedures, and taking corrective or punitive measures.&lt;br /&gt;&lt;br /&gt;Other duties include controlling, granting or restricting access to files as required by users; tracking and proactively addressing potential computer virus threats; and performing risk assessments and tests to ensure that security protocols are functioning as intended.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Education and Training&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Most IS security jobs require at least a bachelor’s degree in a field such as computer information systems, information technology or engineering. Experience in software or computer hardware design is also beneficial. 
Candidates with specialized information security training will enjoy the best prospects.&lt;br /&gt;&lt;br /&gt;To help meet the demand for government IS security personnel, the Department of Justice sponsors the Federal Cyber Corps Program. College juniors or first-year graduate students who are pursuing a relevant degree and planning on a career in the IS security field are eligible to apply.&lt;br /&gt;&lt;br /&gt;Participants receive a monthly stipend of about $1,000 plus tuition, room and board, and travel to conferences. In return, students are expected to complete a summer internship with a federal agency.&lt;br /&gt;&lt;br /&gt;Working professionals can pursue information security training through continuing education programs. Online security training is a great way to develop the knowledge and skills required to practice in this specialized field.&lt;br /&gt;&lt;br /&gt;Some online security training programs even prepare participants to earn salary-boosting certifications, such as the CISSP®, SSCP® and CAP® designations from (ISC)2® and the CompTIA Security+™ certification.&lt;br /&gt;&lt;br /&gt;Do you think you have what it takes to succeed in this challenging field? Employers and government agencies are actively seeking cyber warriors to safeguard critical information infrastructures against security threats. With a computer-related degree and relevant information systems security training, you’ll find yourself in high demand for rewarding, high-paying IS security jobs.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This is a guest post by Claudia Vandermilt. Claudia works in conjunction with Villanova University and University Alliance to promote professional training materials. 
She’s currently taking &lt;a href="http://www.villanovau.com/online-courses/is-security-management.aspx"&gt;Advanced Information Assurance and Security&lt;/a&gt; and looks for exciting security news in her daily RSS.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/itilv3-foundations-training-experiences.html"&gt;ITILv3 Foundations Training - Experiences&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/8-steps-to-better-securing-your-job.html"&gt;8 Steps to Better Securing Your Job Application&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2011/05/engaging-team-for-security-analysis.html"&gt;Engaging a team for a security analysis&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/ccCapMg_MYQ" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/ccCapMg_MYQ/information-systems-security-as.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/06/information-systems-security-as.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-1822857021767310701</guid><pubDate>Fri, 03 Jun 2011 05:25:00 +0000</pubDate><atom:updated>2011-06-03T11:40:40.383+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><category domain="http://www.blogger.com/atom/ns#">antivirus</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Mac Antivirus - Staying careful and safer</title><description>Having an antivirus software is a gold standard in the Windows world. But what if you are using a Mac? 
The prevailing opinion is that there aren't enough viruses or malware in the wild to merit having an antivirus.&lt;br /&gt;&lt;br /&gt;But in reality, while very few people could name 5 Mac viruses off the top of their heads, the Mac has plenty of issues. For instance, Safari does not have a stellar reputation on security. In March of 2011, at CanSecWest, a Mac with Safari &lt;a href="http://news.cnet.com/8301-1009_3-10199652-83.html"&gt;fell victim to a security exploit in under 10 seconds&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Also, social engineering attacks can easily be used to con the user into running malware code on their Mac. So having an antivirus and antimalware package on your Mac is a very wise choice.&lt;br /&gt;&lt;br /&gt;But this brings us to another problem: which antivirus software packages have a Mac version? As of June 2011, &lt;a href="http://en.wikipedia.org/wiki/List_of_antivirus_software"&gt;Wikipedia lists&lt;/a&gt; only 16 out of 62 antivirus software packages as supporting the Mac. In a very interesting marketing move, some antivirus manufacturers actually offer free use of antivirus packages for Mac. &lt;a href="http://uk.norton.com/"&gt;Norton&lt;/a&gt; has another very interesting combination product - one that runs on the native MacOS and another that runs in the Windows environment available through BootCamp.&lt;br /&gt;&lt;br /&gt;The policy of implementing an antivirus on Mac is a very wise choice for corporate environments. 
If a corporate environment is just starting to adopt the Mac platform, one can start 'light' with the free antivirus packages. These are not manageable through a central console, so you will soon be looking for a corporate antivirus platform that includes Mac antivirus software. But while you are running only a couple of Macs, the free packages will help immensely.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2011/05/managing-permanent-security-issue-of.html"&gt;Managing the permanent security issue of Top Management&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2010/01/protecting-from-ccenter-malware-and.html"&gt;Protecting from the CCenter Malware and Trojan&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2010/09/managing-antivirus-software-keeps.html"&gt;Managing Antivirus Software - Keep the reinstall away&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/jAhdiL8ZYDQ/mac-antivirus-staying-careful-and-safer.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>1</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/06/mac-antivirus-staying-careful-and-safer.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-8684876265132548159</guid><pubDate>Thu, 02 Jun 2011 05:18:00 +0000</pubDate><atom:updated>2011-06-02T07:18:00.164+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">How To</category><category domain="http://www.blogger.com/atom/ns#">Solution 
building</category><title>What is a Dedicated Server, and Why Would I Need One?</title><description>A server is essentially a computer that does not do anything else but supply and store information for other computers. You could be using one of your computers as a server in your office, for example.&lt;br /&gt;&lt;br /&gt;This computer would then be called a server and supplies information (even software applications) and data to other computers, which basically become user terminals. If you have an e-commerce site, or you have a lot of important information that you want to keep safe and secure, you should be looking at the best dedicated servers provider in your country or region.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-pRWRd6AV3ns/TeUlaQgP_FI/AAAAAAAAAog/fBWSkVcB0E8/s1600/Servers.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 297px;" src="http://4.bp.blogspot.com/-pRWRd6AV3ns/TeUlaQgP_FI/AAAAAAAAAog/fBWSkVcB0E8/s400/Servers.jpg" alt="" id="BLOGGER_PHOTO_ID_5612933643624250450" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Normally, when you register for a website, your website would be hosted on what is called a shared server. This means your website and information are stored on a computer that is used by many other customers of that provider.&lt;br /&gt;In the case of a dedicated server, you have your own whole computer and network connection.&lt;br /&gt;&lt;br /&gt;Here is a comparison of normal shared servers and dedicated servers to illuminate the issue.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Traffic Issues. &lt;/span&gt;If someone else’s website gets a lot of traffic, and your website and database are on the same server, your website will start to slow down. You cannot have this happening if your website and database are crucial to your business operations. 
With a dedicated server, you have the whole computer to yourself, and there will be no influence on your traffic from outside sources.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Size&lt;/span&gt;. What happens when your website grows? With a shared server, you will have to keep buying extra space. With a dedicated server, you have the whole computer, and it is far less likely that you will run out of space.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Security. &lt;/span&gt;Information on a shared server is never as well isolated as on a dedicated server. There are multiple accounts and multiple users on the same machine, and a weakness in any one of them exposes the others. Do you really want your important company information on a computer that is also being used by other people?&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Service. &lt;/span&gt;Dedicated servers normally come with a range of services, such as back-up, security and support. If your information is on a computer provided by a normal shared server supplier, you cannot expect the same service. Do not expect the computer support with shared servers to match the response times of that provided by your dedicated server company. Dedicated also means the company should be dedicated to you, and not just the fact you have your own server.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Location. &lt;/span&gt;Just like any other hosted server, your dedicated server will be kept in a secure location. This is much better than having a server in your own office, for example. It would be possible to run your own e-commerce site from your own office, but you would need the technical know-how and computer support to manage your own server. Normally, that will require outsourcing IT services or employing your own team. &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Cost. &lt;/span&gt;Dedicated servers will obviously cost a considerable amount more than a shared server. 
If your e-commerce site is growing, for example, having a smooth, fast and reliable website will mean more money. Investment in a dedicated server is an investment in your revenue stream.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;In essence, dedicated servers are necessary for anyone who is making revenue from a site with a lot of traffic. You need to be sure that your business is managed, monitored, protected and stands alone from anyone else’s business on the internet. You can always switch your website to a managed server as it grows, although for those who are serious about e-commerce, setting it up stand-alone from the beginning is still the best option.&lt;br /&gt;&lt;br /&gt;This is a guest post by Tom Mallet, an Australian freelance writer and journalist. He writes extensively in Australia, Canada, Europe, and the US. He’s published more than 500 articles about various topics, including &lt;a href="http://www.digitalpacific.com.au/hosting/dedicated-hosting/"&gt;dedicated servers&lt;/a&gt; and &lt;a href="http://gizmo.com.au/"&gt;Computer Support&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/04/creating-your-own-web-server.html"&gt;Creating Your Own Web Server&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/04/tutorial-making-web-server_11.html"&gt;Tutorial: Making a Web Server&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/12/is-server-running-optimal-use-of.html"&gt;Is the Server Running - optimal use of redundancy on a budget&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/M8sJix8wkoo/what-is-dedicated-server-and-why-would.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" 
url="http://4.bp.blogspot.com/-pRWRd6AV3ns/TeUlaQgP_FI/AAAAAAAAAog/fBWSkVcB0E8/s72-c/Servers.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/06/what-is-dedicated-server-and-why-would.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6048002674718206792</guid><pubDate>Mon, 30 May 2011 16:37:00 +0000</pubDate><atom:updated>2011-05-31T11:22:44.160+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Where are the sources of security incidents?</title><description>Security incidents come in all shapes and sizes. They can affect availability, confidentiality or integrity. Shortinfosec organized a Linkedin poll to observe the opinions of professionals on which sources of security incidents they deem most frequent.&lt;br /&gt;&lt;br /&gt;The poll had 56 respondents, and there was no scientific selection of respondent groups, so this is not a full blown research result. 
However, this small sample still nicely represents, by frequency, the issues that organizations are coping with.&lt;br /&gt;&lt;br /&gt;The poll question was &lt;span style="font-weight: bold;"&gt;What is the most frequent incident type that is affecting your organization?&lt;/span&gt;&lt;br /&gt;Five answers were suggested&lt;ul&gt;&lt;li&gt;Network Issue or Outage&lt;/li&gt;&lt;li&gt;External Hacker Attack&lt;/li&gt;&lt;li&gt;Internal Hacker Attack&lt;/li&gt;&lt;li&gt;Software Error Causing Data Corruption&lt;/li&gt;&lt;li&gt;Human Error Causing Data Corruption&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The poll was open to all Linkedin users for 20 days, with invitations sent to Linkedin connections and groups.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Results and analysis&lt;/span&gt;&lt;br /&gt;After the closing of the poll, the following results were observed:&lt;br /&gt;Most respondents (66%) selected network issues as the primary source of security incidents. Data corruption due to human error takes second place with 18%, and data corruption due to software error follows with 13%.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-Q3IjjXk7Z9g/TePL6WW9B0I/AAAAAAAAAoY/vOC1uEIHxvI/s1600/IncidentTypeStats.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 138px;" src="http://4.bp.blogspot.com/-Q3IjjXk7Z9g/TePL6WW9B0I/AAAAAAAAAoY/vOC1uEIHxvI/s400/IncidentTypeStats.png" alt="" id="BLOGGER_PHOTO_ID_5612553763928475458" border="0" /&gt;&lt;/a&gt; However, the demographics of the responses also indicate a different view of the issues from different executive levels. Network issues are selected as the primary source of security incidents by operational personnel. 
Management levels have also voted for this option, but the majority of networking issues are felt by operational teams.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-II1bqBf36Mg/TePLmjVmt1I/AAAAAAAAAoI/enLCj41SjBY/s1600/NetworkIssueDemographics.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 80px;" src="http://2.bp.blogspot.com/-II1bqBf36Mg/TePLmjVmt1I/AAAAAAAAAoI/enLCj41SjBY/s400/NetworkIssueDemographics.png" alt="" id="BLOGGER_PHOTO_ID_5612553423815096146" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The second most frequent issue is human error, and this is an incident type mostly identified by managers (more than 75%). In reality, a human operator within a company has significant abilities to act within the information system of the company. Human errors can happen for any number of reasons, and paired with these abilities, very significant errors can occur, corrupting data and causing erroneous calculations. Such data corruptions are easily felt across the entire company, hence the votes by management.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-tCRRZMfnP5U/TePLhRh8UUI/AAAAAAAAAoA/lIzz3TvL_HE/s1600/HumanErrorIssueDemographics.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 80px;" src="http://3.bp.blogspot.com/-tCRRZMfnP5U/TePLhRh8UUI/AAAAAAAAAoA/lIzz3TvL_HE/s400/HumanErrorIssueDemographics.png" alt="" id="BLOGGER_PHOTO_ID_5612553333135659330" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The third most frequent issue is data corruption due to software errors. 
These should have a much lower frequency than human errors, but the impact of such errors can be very wide ranging, since the error is embedded within the information system itself.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-lZaiFcUtEYc/TePL14y5reI/AAAAAAAAAoQ/XZMrmkNEaJs/s1600/SoftwareIssueDemographics.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 80px;" src="http://2.bp.blogspot.com/-lZaiFcUtEYc/TePL14y5reI/AAAAAAAAAoQ/XZMrmkNEaJs/s400/SoftwareIssueDemographics.png" alt="" id="BLOGGER_PHOTO_ID_5612553687273156066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;External hacker attack was chosen as the least frequent issue. But this only presents the view of the internal users. It is quite possible that internal users do not see the full scope of hacker attacks - they are not detected, or corporate procedures prevent distribution of information about them.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-EPE4t4M6jHo/TePLcckqOCI/AAAAAAAAAn4/QWY14BHC_FU/s1600/HackerIssueDemographics.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 80px;" src="http://1.bp.blogspot.com/-EPE4t4M6jHo/TePLcckqOCI/AAAAAAAAAn4/QWY14BHC_FU/s400/HackerIssueDemographics.png" alt="" id="BLOGGER_PHOTO_ID_5612553250200500258" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;The overall poll, while not conforming to standards for academic research, still provides the following insights: operational people are plagued by network issues (availability), while managers are plagued by data corruption (integrity).&lt;br /&gt;Very few identify actual breach of confidentiality as a top issue in security 
incidents. It seems that the corporate world is either well protected against confidentiality breaches, or is still relatively blind to them. We would bet on the latter.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/09/thrown-in-fire-database-corruption.html"&gt;Thrown in the Fire - Database Corruption Investigation&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/04/sla-lesson-software-bug-blues.html"&gt;The SLA Lesson: software bug blues&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/04/information-security-risks-and-measures.html"&gt;Security risks and measures in software development&lt;/a&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/n51JyWaNXTo/where-are-sources-of-security-incidents.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-Q3IjjXk7Z9g/TePL6WW9B0I/AAAAAAAAAoY/vOC1uEIHxvI/s72-c/IncidentTypeStats.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/05/where-are-sources-of-security-incidents.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-8922853970918395864</guid><pubDate>Sat, 28 May 2011 08:22:00 +0000</pubDate><atom:updated>2011-08-12T00:47:36.579+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Managing the permanent security issue of Top 
Management</title><description>Regardless of procedures and policies, a company can have a nearly permanent security issue in top management. This issue results from the speed with which top management requires their services delivered and, more than probably, their lack of an &lt;a href="http://www.regisdegrees.com/comp/information-assurance-masters-training.asp"&gt;information assurance degree&lt;/a&gt; - or even an understanding of what information assurance is, for that matter. No top manager wants to be bothered with the problems and challenges that security and IT guys are facing with their wishes. They want them resolved, preferably yesterday.
&lt;br /&gt;
&lt;br /&gt;The security issue of top management results from their lack of time and their insistence that everything works when they request it. Usually that means that the security aspects of the requested solution have not been researched, or even looked into. All this results in a half-baked workaround solution.
&lt;br /&gt;
&lt;br /&gt;We will provide two examples of security issues that can easily arise:
&lt;br /&gt;
&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;The manager requests a new gadget&lt;/span&gt; - like a smart phone, tablet computer or a new 'bling computer' with a different OS. Procurement is quick to purchase the new device for the top manager who orders it. When the new gadget arrives, procurement informs him in a CYA (Cover Your A*s) approach that they have done their job. The manager expects it to run immediately, so this is what usually happens:
&lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;the gadget is set up as fast as possible, using the basic instructions from the Internet or what little experience an engineer has with the gadget.&lt;/li&gt;&lt;li&gt;help to install the gadget is solicited from any current users of the gadget, who also assist in the set-up to the best of their knowledge, but with little concern about security or compliance with corporate standards.
&lt;br /&gt;&lt;/li&gt;&lt;li&gt;the gadget is configured to provide all or most corporate services as used by the manager on the standard corporate computers.
&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;The end result is a device which can connect to most of the corporate services, but which is rarely properly secured. If the gadget is stolen, there will be a whole lot of grief for the security guys.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;The manager wants to open photos on a foreign USB stick&lt;/span&gt; - a guest arrives at the manager's office, and he/she has a USB stick with photos. The manager wants to see the photos on his computer.
&lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;If the manager's computer has permissions to open a USB stick, he/she will read the stick, possibly opening a virus or Trojan.&lt;/li&gt;&lt;li&gt;If the manager's computer doesn't have permissions to open a USB stick, the request will be rushed through operations to enable access. Again, the end result can be executing a virus or a Trojan.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;If not caught properly, a Trojan may enter the computer network of the corporation, and collect data or cause havoc.&lt;/span&gt;
&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/ol&gt;
&lt;br /&gt;The harsh reality is that these situations will happen, and cannot be avoided in most corporate environments. So what can be done to mitigate them?
&lt;br /&gt;1. &lt;span style="font-weight: bold;"&gt;Have antivirus with very frequent auto-updating and real-time scanning installed on everything&lt;/span&gt;. Even if an infected USB stick is inserted, this mitigates the risk of the virus/Trojan infecting a corporate computer.
&lt;br /&gt;2. &lt;span style="font-weight: bold;"&gt;When configuring a new gadget, educate the IT team to first set up security&lt;/span&gt; - they should find out how to install/activate antivirus, put up a firewall and set up password protection for using the device. Even if you have a limited amount of time with the gadget, it will have deterrents in place to reduce the risk from a stolen device.
&lt;br /&gt;3. &lt;span style="font-weight: bold;"&gt;Try to set up the gadgets so they don't store corporate data locally&lt;/span&gt; - access mail via IMAP or webmail, and computer services via VPN. Even if the gadget is stolen, all it takes is a password reset.
&lt;br /&gt;4. &lt;span style="font-weight: bold;"&gt;Have a good relationship with procurement&lt;/span&gt; - if they give you just a day's advance notice that there will be new gadgets, that is a day more to read up and prepare a more proper configuration.
&lt;br /&gt;
&lt;br /&gt;Talkback and comments are most welcome
&lt;br /&gt;
&lt;br /&gt;Related posts
&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/05/truecrypt-full-disk-encryption-review.html"&gt;TrueCrypt Full Disk Encryption Review&lt;/a&gt;
&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2010/11/brief-reminder-value-of-stolen.html"&gt;Brief reminder - The value of a stolen corporate laptop&lt;/a&gt;
&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/11/tutorial-breaking-weak-encryption-with.html"&gt;Tutorial - Breaking Weak Encryption With Excel&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/vtX3s5YqcTw" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/vtX3s5YqcTw/managing-permanent-security-issue-of.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>3</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/05/managing-permanent-security-issue-of.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-5269077376080910560</guid><pubDate>Tue, 17 May 2011 14:43:00 +0000</pubDate><atom:updated>2011-05-20T17:23:57.309+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Engaging a team for a security analysis</title><description>Being involved in a security project requires  lot of resources: a good measure of knowledge, a huge measure of  experience, some amount of software and personnel. Usually time is in short supply, so this  is compensated by more computers or more people.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-izOrKqlI9kY/TdaEgPRlsTI/AAAAAAAAAnw/6ODQ9wOswIg/s1600/freelancer.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 104px; height: 105px;" src="http://2.bp.blogspot.com/-izOrKqlI9kY/TdaEgPRlsTI/AAAAAAAAAnw/6ODQ9wOswIg/s400/freelancer.jpg" alt="" id="BLOGGER_PHOTO_ID_5608816075327516978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;The first option is to use a computer and a piece of software&lt;/span&gt;. 
While there are a &lt;a href="http://www.shortinfosec.net/search/label/penetration%20testing"&gt;lot of automated tools that a security consultant can us&lt;/a&gt;e, these are not really smart.&lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;For penetration tests&lt;/span&gt; -   most vulnerability scanning systems are 'loud' as hell and will be immediately detected by any IPS/IDS system. Also, such systems are very rarely successful at any penetration unless properly tweaked and configured by a human operator.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;For procedural assessmen&lt;/span&gt;t, that software is just a set of questions forming a  checklist. The problem is that every organization has specifics in their security organization, and the actual procedural posture of security needs to be understood by an expert operator in order to properly answer the questions in a checklist.&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;The second option is to hire a &lt;/span&gt;&lt;a style="font-weight: bold;" href="http://en.wikipedia.org/wiki/Freelancer"&gt;freelancer team&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;. &lt;/span&gt;Presently, there are a very large number of people looking for a freelance gig as security analysts. Some of them publish their expertise through social networking sites, others just  use &lt;a href="http://www.olx.com/jobs-cat-190"&gt;job search&lt;/a&gt; sites to look for an engagement. But this is a nightmare in itself for at least two reasons:&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Unknown amount of expertise&lt;/span&gt; - when hiring someone for a security job, unless you know his/her previous work it is very difficult to know whether he/she will deliver the expertise. 
Please note that the CV of a person can say anything without much means of confirmation - references for previous security engagements are very rarely given by clients.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Unknown agenda&lt;/span&gt; - even if he/she is a great expert, you will open the doors of a corporation to that person. Unless you are 100% certain of his/her professional agenda, you may find yourself in a lot of legal trouble if there is a disclosure of confidentiality or even malicious attack from someone in your freelancer team.&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;br /&gt;As &lt;a href="http://www.summitconsulting.com/" rel="nofollow"&gt;Alan Weiss&lt;/a&gt; points out, you should only get into partnerships if you can multiply the profit by a hundred, not double it. And in cases of security analysis, you can easily deplete your profit with a choice of a wrong team, let alone be stuck with some legal issues.&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/03/tutorial-secure-web-based-job.html"&gt;Tutorial - Secure Web Based Job Application&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/06/8-steps-to-better-securing-your-job.html"&gt;8 Steps to Better Securing Your Job Application&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/12LSBdUOBiQ" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/12LSBdUOBiQ/engaging-team-for-security-analysis.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-izOrKqlI9kY/TdaEgPRlsTI/AAAAAAAAAnw/6ODQ9wOswIg/s72-c/freelancer.jpg" height="72" width="72" 
/><thr:total>1</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/05/engaging-team-for-security-analysis.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-7368731621952435219</guid><pubDate>Sun, 27 Mar 2011 22:07:00 +0000</pubDate><atom:updated>2011-08-28T11:09:47.748+02:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Defeating gaming protection on popular gaming consoles</title><description>Gaming consoles are great for multiple reasons. First the obvious reason - you get to play a lot of games, and every one of them look as advertised, runs smoothly, and without performance issues. And then there are the additional benefits: A gaming console is basically a very beefed - up computer. Wouldn't it be nice to run it as a full blown computer?
&lt;br /&gt;
&lt;br /&gt;But gaming console manufacturers need users to run only their software on the console - that is how they generate profit. So all console manufacturers lock their consoles through a firmware protection mechanism that allows only signed code to run on the console.
&lt;br /&gt;
&lt;br /&gt;And a lot of people attempt to bypass these protection mechanisms in order to run custom code, also known as homebrew code. Naturally, all bypassing methods are illegal, but we are going to discuss the success of bypassing for different consoles.
&lt;br /&gt;
&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Xbox 360 &lt;/span&gt;- The Xbox 360 is well protected. It can run homebrew only if you make a hardware modification to the Xbox. There are sub-variants of modding the Xbox for playing music or using large USB files, which are much easier. But since the Xbox is a full blown computer, the aim would be to run a full computer operating system. Unfortunately, this falls under the &lt;a href="http://en.wikipedia.org/wiki/Homebrew_%28video_games%29#Xbox_360"&gt;domain of homebrew&lt;/a&gt;, and can be achieved through hardware modification. But the Xbox is currently quite outdated in terms of total computing power compared to current new computers. The only thing that stands out is the PowerPC CPU, but not so much as to merit a hardware modification. &lt;span&gt;Therefore, the Xbox 360 is not a very popular homebrew platform.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;PlayStation Portable (PSP)&lt;/span&gt; - The PSP is my favorite example. It started with a buggy firmware that allowed for all kinds of exploits, and the users could install their own custom firmware. Then Sony stepped up to the plate, fixed a lot of things, and made the newer versions much stronger in terms of protection. The exploits were limited to exploiting flaws in legal games and then injecting code that would run the homebrew as if it were part of the legal game. But then things went horribly wrong. On 02 January 2011 it was revealed that the &lt;a href="http://pspslimhacks.com/mathieulh-found-the-psp-master-keys-can-sign-anything-psp-now/"&gt;master signing keys were uncovered&lt;/a&gt;. You can now sign more or less anything for the PSP.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Nintendo Wii &lt;/span&gt;- Similarly to the PSP, the Nintendo Wii can run homebrew by installing a 'Homebrew Channel' application which bypasses the copy protection. The architecture of the Wii is based on the Nintendo GameCube. Because of this, most of the homebrew tools from the Nintendo GameCube can be used for the Wii.&lt;/li&gt;&lt;/ul&gt;For anyone, choosing a gaming console is primarily based on the choice of games and the gaming experience. But it is always nice if you have the freedom to try other things on your gaming console.
&lt;br /&gt;
&lt;br /&gt;Talkback and comments are most welcome&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/frTxAqyIDJo" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/frTxAqyIDJo/defeating-gaming-protection-on-popular.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/03/defeating-gaming-protection-on-popular.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-2374433969436120606</guid><pubDate>Tue, 18 Jan 2011 20:23:00 +0000</pubDate><atom:updated>2011-01-18T23:00:43.868+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Computer security</category><title>Avoiding security complications when servicing desktop equipment</title><description>Any computer within a company is full of confidential information. And corporate desktop computers are quite resilient and long-lived. But in the end, any electronic device can fail.&lt;br /&gt;&lt;br /&gt;But contrary to the rules that everyone repeats about laptops, desktop computers do not have encrypted disk drives.&lt;br /&gt;&lt;br /&gt;Unlike &lt;a href="http://en.wikipedia.org/wiki/Industrial_electronic_repair"&gt;industrial electronic repair&lt;/a&gt;, in which the repairs are performed on-site, desktop computers are treated as consumer electronics and are repaired at the vendor's premises. So, if proper controls are not present, an IT technician may pick up the computer with the functional hard drive full of information and send it off to an external vendor - thus creating a security incident.&lt;br /&gt;&lt;br /&gt;To prevent this, a simple process should be put in place:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;When performing &lt;a href="http://www.myhammer.co.uk/db/TV-Repair,-Electronic-Repair/-/uk/"&gt;electronic repairs&lt;/a&gt; on IT equipment, first try to fix the system with replacement parts - internal IT can replace RAM memory, hard drive and PSU.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;If the motherboard or elements on the motherboard are the issue, remove the hard drive prior to delivering the computer to the vendor.&lt;/li&gt;&lt;li&gt;If the computer has failed completely, remove the hard drive for data transfer or controlled data destruction.&lt;/li&gt;&lt;li&gt;Even if the hard drive itself has failed completely, remove it for mechanical or magnetic destruction.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;This very simple process will prevent possible security incidents.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/10/windows-7-full-disk-encryption-with.html"&gt;Windows 7 Full Disk Encryption with Truecrypt&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2010/11/brief-reminder-value-of-stolen.html"&gt;Brief reminder - The value of a stolen corporate laptop&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/INePNR7Xtxc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/INePNR7Xtxc/avoiding-security-complications-when.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><thr:total>3</thr:total><feedburner:origLink>http://www.shortinfosec.net/2011/01/avoiding-security-complications-when.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-7196788127833928948.post-6394823557377689948</guid><pubDate>Thu, 09 Dec 2010 18:17:00 +0000</pubDate><atom:updated>2010-12-09T19:19:56.576+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Network security</category><category domain="http://www.blogger.com/atom/ns#">information security</category><title>Protecting Yourself From Firesheep with Strict Transport Security</title><description>&lt;a href="http://www.w3.org/Security/wiki/Strict_Transport_Security"&gt;Strict Transport Security&lt;/a&gt; is a great solution for protecting against Firesheep.&lt;br /&gt;&lt;br /&gt;Now ultimately the vulnerable website is supposed to fix this issue on their side. But, let's not wait around for them. Let's fix it on our side and protect our traffic now.&lt;br /&gt;&lt;br /&gt;Step 1: Grab a browser that supports Strict Transport Security (&lt;a href="http://www.mozilla.com/firefox/beta"&gt;Firefox 4&lt;/a&gt; &amp;amp; &lt;a href="http://www.google.com/chrome"&gt;Google Chrome&lt;/a&gt; both support STS)&lt;br /&gt;Step 2: Install an addon that lets you add specific STS settings - &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/246797/"&gt;STS-UI&lt;/a&gt;&lt;br /&gt;Step 3: Configure STS-UI for the sites you're concerned about&lt;br /&gt;Step 4: Be happy your data is more secure. However, securely transmitting data is only one piece of the security pie. But at least you're good in that department.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Configuring STS-UI&lt;/b&gt;&lt;br /&gt;Go to Tools-&gt;Manage Strict Transport Security&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_MiAJXkPG1IM/TNxumcstn6I/AAAAAAAABpM/gwtgezUB14g/s1600/ManageSTS-addon.png" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img src="http://2.bp.blogspot.com/_MiAJXkPG1IM/TNxumcstn6I/AAAAAAAABpM/gwtgezUB14g/s320/ManageSTS-addon.png" width="320" border="0" height="234" /&gt;&lt;/a&gt;&lt;/div&gt;Enter the domain name of each site you wish to protect (i.e. force Strict Transport Security upon the site). For example, enter "facebook.com" and select "Force subdomains too"&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_MiAJXkPG1IM/TNxu652s9BI/AAAAAAAABpQ/MjzsRB4S6DU/s1600/STS-Facebook.png" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img src="http://3.bp.blogspot.com/_MiAJXkPG1IM/TNxu652s9BI/AAAAAAAABpQ/MjzsRB4S6DU/s320/STS-Facebook.png" width="320" border="0" height="221" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;After adding facebook.com and twitter.com it should look like this&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_MiAJXkPG1IM/TNxu-sWKGpI/AAAAAAAABpU/KRQIf3oRbTw/s1600/STS-Twitter_Facebook.png" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img src="http://2.bp.blogspot.com/_MiAJXkPG1IM/TNxu-sWKGpI/AAAAAAAABpU/KRQIf3oRbTw/s320/STS-Twitter_Facebook.png" width="320" border="0" height="194" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Done. Now you will always be using HTTPS for data exchanged with Twitter or Facebook.&lt;br /&gt;&lt;br /&gt;Remember, this only protects you against sites that are either already using STS or sites that you have manually added. This really isn't a scalable approach since xyz.com could be vulnerable and you wouldn't know unless you inspected the traffic going back and forth.&lt;br /&gt;&lt;br /&gt;For those that have access to company VPNs or SSH tunnels for their traffic, I'd recommend you also use those when accessing the network from a wireless hotspot. A VPN doesn't solve the problem, but it does remove access from the likely attackers (e.g. other random users of the wireless hotspot).&lt;br /&gt;&lt;br /&gt;This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.&lt;br /&gt;The original text is published on &lt;a href="http://michael-coates.blogspot.com/"&gt;...Application Security...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Talkback and comments are most welcome&lt;br /&gt;&lt;br /&gt;Related posts&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2010/12/stealing-twitter-and-facebook-account.html"&gt;Stealing Twitter and Facebook Account - a Video Example&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2009/12/corporate-guest-wlan-best-place-for.html"&gt;Corporate Guest WLAN - The best place for Eavesdropping to Interesting Traffic&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/04/5-rules-to-home-wi-fi-security.html"&gt;5 Rules to Home Wi-Fi Security&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/example-bypassing-wifi-mac-address.html"&gt;Example - Bypassing WiFi MAC Address Restriction&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.shortinfosec.net/2008/07/obtaining-valid-mac-address-to-bypass.html"&gt;Obtaining a valid MAC address to bypass WiFi MAC Restriction&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/shortinfosec/~4/UzH1rw8mZPE" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/shortinfosec/~3/UzH1rw8mZPE/protecting-yourself-from-firesheep-with.html</link><author>noreply@blogger.com (Bozidar Spirovski)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_MiAJXkPG1IM/TNxumcstn6I/AAAAAAAABpM/gwtgezUB14g/s72-c/ManageSTS-addon.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.shortinfosec.net/2010/12/protecting-yourself-from-firesheep-with.html</feedburner:origLink></item></channel></rss>
