The Power Of The Internet – small

While I’m talking about the power of the Internet, it is also worth mentioning that while you can attack a whole country it is also very easy to pick up some tools on the web to test your own company’s security. One of my favourites to show how easy it is to get employees to inadvertently give away information is the USB Switchblade / HackSaw. So, here’s the plot: buy a few USB memory sticks, load up Switchblade (it does need a little configuration) and then leave them around the organization. For example, in the cafeteria, or perhaps on the reception desk. When you have done this, just sit back and wait for the results. In this case the results will come when someone picks up a USB key and plugs it into their system – the software then collects and reports back password hashes, LSA secrets and IP information. The whole process takes about 20 seconds… we can’t ignore the fact that these tools exist – because they do… and you can’t keep a secret for long, at least not when the internet is involved.

What now? Well, time to educate folks that picking up USB sticks (and CD ROMs) from untrusted sources can be ‘dangerous’… and while you should update the relevant policies you can’t rely on them to stop people from doing silly things, so this might be the time to put a solution in place to prevent unauthorized USB devices from stealing your data.

The Power Of The Internet – BIG

You have to love the Internet, there is so much to find out (just look at the latest Cuil search engine statistics… 120+ billion pages!) but it is also possible to launch an attack against a country from your armchair. There was a new attack this week against the Georgian president and it’s not so dissimilar to the infamous incident launched against Estonia in 2007. The scary thing is that it can still happen – and with relative ease. If the Internet is going to continue to flourish then further steps need to be taken at all points in the network to make it a safer place to do business. It’s ours to lose…

I’ve Got A Secret…

OK, so it’s not me, it is now well known that there is a(nother) flaw in DNS. The flaw was due to be ‘revealed’ next month at a security conference, but someone else reverse-engineered the threat based on the small amount of information that was leaked out and let the cat out of the bag. (There was another one as well this week, relating to WiFi devices… so, in case you were wondering, these things are a regular occurrence.)

So, the question is: should such information be made public and if so, when? In this case, at least it was a friendly hacker who pieced together the information and then went public with it. Of course there might be some other cyber-criminals who have also done this – perhaps we won’t know (until it’s too late).

The reason that the vulnerability wasn’t publicly released was to give various vendors time to patch their software and for users to deploy it. More often than not the vulnerability is public (or is being sold in the underground economy) before a fix is available and this tends to act as a catalyst for a fix to be made rapidly available. Of course, having a fix available and having users deploy it are very different things.

Companies need to consider whether to have someone watch for these vulnerabilities and patches. This usually falls to someone in an IT department – and while it was popular a few years ago, it seems to have waned. As with most threats, this is something which SMBs/SMEs also need to be aware of, and it can appear to be a huge effort. In fact CERT (www.us-cert.gov) has a great site and even has an RSS feed on the latest activity. It does take time (and effort) to be able to separate the wood from the trees as far as your organization is concerned, but the effort is worth it.
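As an added illustration of “separating the wood from the trees” (not code from the original post), this script parses a constructed RSS 2.0 snippet in the shape of a vulnerability feed and keeps only the items that mention a product in your own inventory, tagged with the team that owns it. The feed text, the product list and the team names are all made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 sample in the shape of a vulnerability feed; the real
# US-CERT feed is fetched over HTTP and is far longer than this.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>Vulnerability in DNS resolver cache handling</title>
<link>https://example.invalid/1</link>
<description>Affects BIND and other resolvers.</description></item>
<item><title>Buffer overflow in SomeMediaPlayer</title>
<link>https://example.invalid/2</link>
<description>Desktop media player on macOS.</description></item>
<item><title>Cross site scripting in Apache HTTP Server module</title>
<link>https://example.invalid/3</link>
<description>Affects mod_example.</description></item>
</channel></rss>"""

# Hypothetical inventory for the organisation: product keyword -> owning team.
INVENTORY = {"bind": "network-team", "apache": "web-team", "windows": "desktop-team"}


def parse_items(feed_xml):
    """Yield one dict per <item> in an RSS 2.0 document."""
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        yield {
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "description": item.findtext("description", ""),
        }


def triage(feed_xml, inventory=INVENTORY):
    """Return (title, owners, link) for items that mention something we run.

    Matching is a plain case-insensitive keyword test over title and
    description; anything that does not touch the inventory is dropped so the
    person watching the feed only sees what matters to this organisation.
    """
    hits = []
    for item in parse_items(feed_xml):
        text = f"{item['title']} {item['description']}".lower()
        owners = sorted({team for product, team in inventory.items() if product in text})
        if owners:
            hits.append((item["title"], owners, item["link"]))
    return hits
```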

On balance it is better to know about potential problems before they occur (even if there isn’t an immediate fix available): Forewarned is forearmed.

When Is A Cloudy Day Better Than A Sunny One?

Cloud 999
It happened again, the cloud went away. Of course we are not talking about clouds in the sky, but one of those on the Internet. The outage was 8 hours this time – so a ‘working’ day. It was a Sunday, but that doesn’t mean that people aren’t working – we live in a 24×7 world, so 8 hours is 8 hours.

(Some) customers were quick to come to the defence of the service this time – but perhaps they wouldn’t have been if it had lasted a week… or maybe if it had been a Tuesday…

Choosing a service provider is not as easy as it appears – you do need to ask about their Disaster Recovery / Business Continuity plans and ensure their plans meet your needs, otherwise you could end up with no service and no business.

Open Source… Opens Security Holes?

One of the things I talk about to customers is the potential issues with Open Source and security. It seems that others are also concerned and Fortify have been analyzing the problem.

They looked at a number of Open Source packages available and for a couple of the most popular found that they were vulnerable to SQL injection attacks as well as Cross Site Scripting. Open Source is a good thing, don’t get me wrong, however security is not necessarily at the forefront of the developers’ minds when they are developing functionality. With access to the datacentre information over the web, these applications represent real risk when it comes to data loss and general IT security. Perhaps we need to give Open Source applications a security rating?
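To make the two vulnerability classes concrete, here is an added example (not from the post or from Fortify’s analysis) showing a user lookup and a page fragment written the careless way, beside the same code with parameterised SQL and HTML escaping. It uses an in-memory SQLite table constructed for the example; the table and its rows are made up.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a web app's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the caller's value is spliced into the query text, so a
    quote in the value changes the statement instead of being data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Fixed: the value travels to the driver separately from the query text
    via a placeholder, so it can only ever be compared, never executed."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name):
    """Cross-site scripting: input reflected straight into HTML is rendered
    as markup by the browser."""
    return f"<p>Hello {name}</p>"


def render_escaped(name):
    """Fixed: html.escape turns < > & " ' into entities so the value is shown
    as text, whatever it contains."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"
```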

There have yet to be any cases of popular Open Source applications being deliberately compromised by cyber-criminal gangs – but we do know that their operations are becoming increasingly sophisticated in their approaches – and perhaps they have already done this, and we just plain don’t know about it…

So, if you are going down the Open Source route this is another case of ‘buyer beware’… except of course it’s ‘free’…

One Man, One Password, One Cell

So just how important can one person be? If they happen to be the IT administrator and they have a grudge, then perhaps the answer will scare you. In a recently reported incident one employee locked a whole city out of its computer system – and then refused to hand over the password. Implicit Trust fails once more. If that had been your company what would you have done? In this case they threw the individual in jail and are waiting… and trying to crack the password themselves!

More to the point, what could you do to prevent it from happening? This is a tough one – obviously you could have audit trails (but if you can’t log in, then how can you find the information), perhaps you could have a secret backdoor (not such a good idea – some cyber-criminal will find it), perhaps you can have policies and procedures (not that they help when you are locked out)… so what to do? Maybe the best thing to do is to ask your IT administrators how they would solve the problem – they will no doubt come up with a solution that would work for you and your network. If you think using this case might be a little close to the bone, then how about framing it as an ‘accident’ when everyone gets locked out – its own form of ‘disaster’.

Standards… You Gotta Love ‘Em

Guidelines for whistleblowers… enough said!

It’s The Summer… It’s Raining… Disaster?

So, we’ve had some serious rain here in the UK this week – not yet as bad as last year, but it’s only the start of July, so plenty of time for more. In the US they have also had some serious rain, thousands of forest fires and other natural disasters. This has prompted a number of companies to re-evaluate their disaster recovery plans – we should be doing the same thing over here… just in case. One interesting comment was that the plans need to take into account the possibility that staff will need to take the time off to deal with family issues… while this may seem obvious, it is worth being reminded about!

Perhaps having a well thought out DR plan dealing with the likes of floods, will ensure that we will have a summer of sunshine… a bit like the hope of carrying an umbrella will prevent the rain… on the other hand… P5 rules… (Proper Planning Prevents Poor Performance)

And Your Password Is… Password

A report into the Top 10 passwords for 2008 puts ‘Password’ at the top of the list. It’s been in the top 5 for years – why? You would have thought that people would realise that if it (whatever it is) is worth protecting by a password then they would realise that it is of value to someone else.

‘But… it’s only my blog’ or ‘It’s just my social networking account’ or … there is an endless supply of excuses as to why people choose weak passwords – listen up, if it has a value to you, it has a value to someone else. So, now let’s play a game of ‘What If’… and this is what you need to do when setting a password (partner’s name, child’s name, pet’s name – they are all in the popular list – and easily guessable – by machine, don’t think that someone is typing them in, oh no, it’s all done by machine)… so what if someone gets onto your site and defaces it, perhaps posts objectionable content or pictures, perhaps emails all your friends and tells them that you hate them… it’s coming from your account, they will be impersonating you, how do they know it’s not you? How long will it take to repair the damage caused? Hopefully the picture is clearer now… so when you choose a password make it a strong one – put in a number or two, perhaps some punctuation and have it at least 8 characters long. That way someone won’t come along and hijack your account and maybe your reputation as well.
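The rules in that paragraph (at least 8 characters, a number or two, some punctuation, nothing from the popular list and no partner/child/pet names) written out as a check you could put in front of a password-setting form. This is an added example, not code from the post; the short common-password list and the personal names are constructed stand-ins for the real report’s list and a user’s own details.

```python
import string

# Constructed stand-in for the "Top 10 passwords" list the report describes;
# a real deployment loads a much longer list from a file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}


def password_problems(password, personal_terms=()):
    """Return the reasons a candidate password fails the post's rules.

    personal_terms is a hypothetical list of names the user has told us
    about (partner, child, pet) so they can be rejected as guessable.
    An empty list means the password passes.
    """
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # Guessing is done by machine, so "Password1!" is no better than
    # "password": strip the bolted-on digits/punctuation before comparing.
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal name '{term}'")
    return problems


def is_strong(password, personal_terms=()):
    """True when none of the rules above is broken."""
    return not password_problems(password, personal_terms)
```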

(Just so you know… the same goes for work passwords as well – many companies have policies and protection in place for work based passwords… and for good reason. Imagine if someone could impersonate you and therefore your company…)

Watching Me… Watching You…

A-Ha. So, Google has been ordered to hand over details of everyone who has ever watched a YouTube video - and in the UK, that’s more than 11 million people in April alone – to a company who says they are infringing copyright with some of the clips. All-in-all, 12+ terabytes of data – which is a massive amount of data to be trawled through. There are a number of concerning points here… firstly, we are back to trying to decide whether an IP address is actually ‘a person’. For some YouTube viewers, they log in, so you can be relatively sure that they are who they say they are (providing that no-one else uses the machine, etc, etc); for everyone else, if you go through a DHCP server – then you cannot be sure, or rather they cannot be sure.

More worrying is the fact that, yet again, the information that was collected for one purpose has now been taken to be used for something different. So, while I might be ‘happy’ (and I use the inverted commas cynically) to have my IP address logged for Google to use – I am certainly not ‘happy’ that they can give the information to someone else. Perhaps they could anonymize it – to prevent any comeback? Something would have been better than nothing! As it is, this seems wrong – and will start to set a dangerous precedent for those companies who collect the information having to hand it out to others – who will then be able to do whatever they want with it. Even if this time, they decide not to go after individuals, who’s to say they won’t in three months? Perhaps three years?
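Since the paragraph asks why the data could not have been anonymized before being handed over, here is an added example (not from the post, and nothing to do with Google’s actual log format) of two ways to do that on a constructed viewing log: a keyed HMAC that keeps per-viewer counts possible while making the address unrecoverable without the key, and plain /24 truncation that points at a network rather than a subscriber. The log lines, the key and the /24 choice are all assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample in the shape of a video viewing log (timestamp, client
# address, request). Addresses are from the documentation ranges.
SAMPLE_LOG = """\
2008-04-02T10:15:01Z 203.0.113.42 GET /watch?v=abc123
2008-04-02T10:15:07Z 203.0.113.42 GET /watch?v=def456
2008-04-02T10:16:30Z 198.51.100.7 GET /watch?v=abc123
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def pseudonymise_ip(ip, key):
    """Keyed HMAC-SHA256 of the packed address, truncated to 16 hex chars.

    The same address always maps to the same token, so 'how many videos did
    this viewer watch' still works, but without the key (which the log
    holder keeps) the token cannot be turned back into an address.
    """
    packed = ipaddress.ip_address(ip).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def truncate_ip(ip):
    """Coarser option: drop the host part so only the /24 network remains."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)


def anonymise_log(text, key, mode="hmac"):
    """Rewrite every IPv4 address in the log using the chosen scheme."""
    def replace(match):
        ip = match.group(1)
        return pseudonymise_ip(ip, key) if mode == "hmac" else truncate_ip(ip)
    return IPV4_RE.sub(replace, text)
```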
