Reality check

I heard a number of people recently say that they wouldn’t store their data in data centres because it is more likely to be hacked and stolen. Ah, …say what…? Rather than get into the technicalities of cloud security let me draw an analogy here.

If you really wanted to you could stick all your money under your mattress at home. Does that make it immune from theft? Nope. Most people elect to trust their money to a bank. You’ll pay a fee for this but you gain a certain amount of increased security and convenience. Given that banks are holding the assets of many people they can spread the cost of improved security across all the customers as well as giving them the convenience of accessing their money just about everywhere.

Does this mean you won’t maintain some money at home and in your wallet? Nope. It just means you don’t have to maintain all your savings with you all the time. Does this mean that a bank isn’t subject to theft? Certainly not. But generally you’d have to agree that it is less likely to be subject to theft even though it looks after lots of people’s money.

Security is never perfect, security is a journey not a destination, security is about human beings and human beings are far from perfect and finally it is about risk and return. Sure you could keep all your money under your mattress but is it really more secure? And what price do you pay in convenience over trusting it to a bank? Seems to me that most people see the rewards of being with a bank as much greater than the risk. Banks are also commercial entities, which means they need to abide by legislation on how they deal with people’s money. They are also private enterprises whose reputation (and stock price) will suffer if theft occurs. These are just two powerful incentives for banks to ensure they keep people’s money secure.

So how is it that people seem to think their data is more secure if it is saved on a server in their office? Chances are that server is connected to the Internet full time. This makes it its own data centre. Why is it people believe their own little in-house data centre is less subject to attack than a large commercial data centre? It really just doesn’t make any sense.

Of course there is the argument that if your money gets stolen while in a bank it will generally get refunded by the bank but what happens in the case of your information being stolen? Once your information has been stolen there is generally not a lot of ways to ‘replace’ it. However, let’s look at the fact that people are happy to send emails full of that same information to people they have never met, unencrypted and unsecured across the public Internet without a moment’s thought. Even given this hugely insecure process it still remains wildly popular doesn’t it? Why? Because the convenience trumps the security issues. Risk and reward at work again.

There are certainly challenges with cloud computing including the storage and security of data. Yes, by all means let’s have a debate about the issue, but let’s have a debate about the reality of the world we live in, not some hysterical emotional response to a perception of the truth.

Facebook https

When you do your Internet banking you (hopefully) do so over a secure encrypted connection. Amongst other things, this ensures that no one else can see what you are doing. Unfortunately, other sites don’t usually do any encryption.

 

Enter Firesheep. This is a free utility anyone can download, install on their wifi enabled machine and basically take over your Facebook connection if you use it on an open wifi hotspot like a coffee shop. Have a look at this article for more information on what is possible.

 

One way to thwart such attacks is to use https (i.e. http with security) when using a service. Problem is most common social networking services don’t support such a connection at their end. However, now Facebook does.

 

To enable this go into your Facebook account settings and select Account Security

 


Save the setting and then reconnect to Facebook. You should now see that you are connecting via https (i.e. securely).

 


Clicking on the security lock (i.e. certificate) shows:

 


This means all information sent from your browser to Facebook and back is encrypted and secure.

 

Hopefully it won’t be long before all the other major sites also go secure. In reality there is no real technical reason why every site can’t be https. However, there are people out there who still really want to see where you browse and they have a fair amount of clout. Don’t forget that you still need to ENABLE this, so do it NOW and you’ll be much safer when you access Facebook.

 

Hopefully the first steps to a fully https world!

Backup or be devastated

Here’s a copy of an article I wrote that appears in an e-zine from MyMate (on page 13) which can be found at:

 

http://www.wanttobebigger.com/MyMate-e-zine-June-2010.html

 

In the world of technology your last line of defence is the humble
backup, yet many businesses, especially small ones, remain extremely
cavalier about this critical function of a business.

Nearly every business these days depends on IT. So what happens
when IT isn’t available? You have probably experienced a mild disaster
such as the internet being unavailable or a hard disk failing. The
question is, how long did that issue interrupt your business and how
much money did it cost you?

Now imagine a much bigger disaster, say your office being burnt down
or flooded. How long would it take you to get up and running again?
Most small businesses have never invested the time to consider their
disaster recovery planning – and they should – because without it there
is a good chance they’ll go out of business after even a minor problem.

Let’s examine one simple aspect of disaster planning, backups. Most
businesses would probably say that they do backups, the problem is that
is only half of the solution. When was the last time that you actually
tested that your backups worked? You certainly don’t want to find out
that your backups don’t work after a disaster. So it is important that you
regularly test that you can restore from your backups. You should also
plan on doing a complete restore of all your data somewhere every 6-12
months to make sure you can get it all back.

Next consider how you would cope in a real disaster like a fire. What
plans do you have in place to keep your business operational? How long
will it take you to get up and going? How are you going to cope having to
get new IT resources like workstations, servers and printers? It really is
much better to plan for these eventualities ahead of time rather than
trying to have to manage them on top of everything else in the event of a
disaster.

Hopefully you will never have to implement your IT disaster plan but it is
important that you not only have one but that you practice its
implementation. This means that at least once a year you should
simulate an IT disaster and see how well your plan works and what may
need adjusting.

Too many businesses see their IT as simply an overhead. They fail to
realise that it is one of the most vulnerable parts of your business –
without which, you may be unable to operate.

If you value your data then you should value your backup and disaster
recovery plan, as they are going to save you. It is no good trying to
develop these in the middle of a disaster. They need to be planned,
implemented and tested beforehand, because as they say failing
to plan only means you’re planning to fail.

Bad guys win again (Part IV)

The Internet is a neutral place. For as much good as it allows it also permits equal amounts of bad. It is simply a medium. Probably the thing that most people have problems comprehending is just how ‘global’ cybercrime is. You can have your bank account details stolen by someone in Russia or you can have your server brought down by someone else in China. Given the growing speeds and pervasiveness of the Internet it is actually getting easier.

A recent program on 4 Corners “Fear in the Fast Lane” gives you some insight into the challenges faced. You can find a complete replay of the episode here:

http://www.abc.net.au/reslib/200908/r419212_1990446.asx

One of the cases it details is how an Alice Springs betting company was sent bankrupt because they failed to pay ‘cyber’ extortion money. Another instance shows how a simple drive through a Sydney suburb revealed about 20% of home wireless networks had no protection. So many people are using computers and networks these days but very few grasp the issues they face and the challenges security brings. If you are interested I created a video a while back that illustrates what can arise from insecure wireless networks after demonstrating the issues to a friend:

http://www.youtube.com/watch?v=mknGP-TOFu8

In an interesting turn of events, it seems that the Australian Federal Police featured in the story, who took over an underground hacking site, had their sting turned against them as “Hackers break into police computer as sting backfires” details. It further illustrates that there are just too many opportunities available for people to exploit vulnerabilities and weaknesses in computer systems. As I always tell people:

Q. How many different types of attacks and attackers do you have to protect yourself against?
A. ALL OF THEM.

now

Q. How many vulnerabilities or weaknesses does someone need to find to get inside your computer?
A. JUST ONE.

How can you win against these odds? Security is a huge investment that needs to be constantly maintained. Now consider your average computer user. Do they have the knowledge or the skills to even understand the threats they face? Nope. As one of the Feds in the show says, it is probably about time that computer security be given the same national priority as health but what are the chances of that?

As the show details, the problems are only going to get worse with the roll out of the Australian National Broadband Network that will provide huge improvements in access speeds. I’m sure that the criminals can’t wait for that either because it means they can now achieve their ill-gotten gains in a much shorter time period. A much better ROI.

Bottom line is that as we base more and more of our lives and society on computers without educating end users we are all losing out. It is typically the non-IT literate user who has their computer compromised without their knowledge. That computer is then added to a fleet of other compromised computers which are used to do the bidding of a cyber crim somewhere.

http://www.youtube.com/watch?v=BRhauoXpNSs

Because we all live on the Internet it is up to everyone to be aware and maintain the security of their own systems. People are just not doing that, which in effect impacts us all and makes the Internet a worse place to be. My contention has always been: imagine the roads if we didn’t have rules. Cyber crime can wreak just as much havoc yet we happily allow people to buy a computer and connect it directly to the Internet with no training or understanding. Don’t appreciate the problems this can cause? Watch the 4 Corners program and visit the accompanying site to see why the Internet is fast becoming a place that you MAY NOT want to be!

WiFi bounty hunter

After reading “The great WiFi robbery: police to patrol down your street” what I want to know is whether there is some sort of bounty that I can claim if I find an open WiFi hotspot. It is interesting that police are now diverting resources to warn people about the issues of unprotected wireless.

 

“All unsecured WiFi networks out there are open for exploitation by the crooks and the average mum and dad don’t understand the vulnerabilities”

I have no argument with this statement but is it likely that others are going to appreciate the seriousness of the issue? As I mentioned in another recent post, most people still have no idea about the differences a digital world has created. In an even earlier post I detailed how, on a recent visit to a friend, I found an unprotected WiFi hot spot in the street. This is not a new issue.

 

The article also says:

 

“He blamed computer equipment sellers for not doing enough to educate customers on the importance of security.”

 

Again no argument there. For my part I have created a YouTube video that highlights the issues with WiFi security. When I teach my Wireless Networking course at community college I ensure that I drum into attendees that wireless is ALWAYS more insecure than wired. It can be made more secure but it can never be made totally invulnerable to attack or compromise. The biggest problem is that generally out of the box most WiFi is totally insecure.

 

So where does the responsibility for WiFi security lie? With the user? With the equipment provider? With the installer? With the police? As the article highlights:

 

“The Queensland operation could attract criticism from those who believe police time would be better spent seeking out drug dealers and robbers, but Detective Superintendent Hay said the issue was just as important as any other.”

 

Which again harks back to my thoughts on how little most people really understand our digital world and the interaction it plays in the real world. The best advice I can give is to take responsibility for your own digital security. If you don’t understand then learn, otherwise sooner or later you’ll become a victim.

Snapped

Here’s yet another example of why you need to think about what you post for public viewing on the Internet. The story “The family Christmas photo that became an ad for a Czech food store” demonstrates how once you upload your information to the Internet you have no idea how that information may be being used. It also shows how someone can use it for commercial purposes without acknowledging or paying you for something you created.

 

Generally most people would not hand over personal information to a stranger in the street if they were asked, yet they willingly do so on the Internet? How come? Seems to me, most people really don’t understand both sides of the Internet. Yes, there is plenty of good but there is just as much bad. The issue isn’t the Internet per se, it is the human beings that use it.

 

Value your privacy because the Internet sure doesn’t and once you surrender control of your information then it is lost for ever. Beware!

Oops

Chalk up another win for the bad guys. If you read “Computer spies breach fighter jet project” you’ll find the following:

 

“In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.”

Yup, you read that right, 7TB of data. Roughly 7,000GB! Where from? The Pentagon no less. You have also gotta love this:

 

“The spies inserted technology that encrypts the data as it’s being stolen; as a result, investigators can’t tell exactly what data has been taken”

 

Talk about a “perfect crime”!

 

What is clear these days is that the latest developments in technology are not only being used for good but also bad. Like most tools, the Internet is neutral but it provides a platform that can be used in many different ways, which many people seem to overlook in their rush to get systems ‘online’.

 

As the standard law of computer security goes:

 

Q. How many vulnerabilities do you have to defend against?

A. EVERY SINGLE ONE

 

Q. How many vulnerabilities does someone need to find to exploit your system?

A. ONE

 

The odds are certainly not in your favour. That’s why you have to keep working so hard to keep the bad guys out but with odds like that do we ever really stand a chance? It certainly doesn’t seem so does it?

Determining TCP activity

There are a few ways that you can determine the TCP/IP activity on your system.

1. Netstat
 
Simply go to a command prompt and type netstat -an and you should see something like that shown above. You can see the protocol, local_ip_address:port, foreign_ip_address:port and the state.

This really only tells you the basics of which ports are connected to what IP addresses but it doesn’t actually tell you what programs are using those ports.

2. Fport

Fport is a free program that can be downloaded from:

http://www.foundstone.com/us/resources/termsofuse.asp?file=fport.zip

and when run in the command window will not only show the TCP ports but it will also show which program on your system is using that port, as shown above. For example we can see that iTunesHelper.exe is using TCP port 1029 and is process 3548.

Fport therefore provides a lot more information but it isn’t updated constantly and you need to run it in a command prompt.

3. Prio

Amongst other things Prio can do what both netstat and fport do but do it as part of your task manager. You’ll find the free Prio download at:

http://www.prnwatch.com/prio.html

Once installed Prio will provide you with an additional tab in your task manager (accessed via Ctrl-Alt-Del) called TCP/IP as shown above. In there you’ll see an up to date list of all the TCP connections and the programs using these ports.

So all 3 tools provide you with the ability to inspect what TCP/IP connections are taking place on your system. This can be of significant assistance when tracking down rogue applications accessing the Internet without your knowledge.
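
The same port-to-program view can be built from two built-in Windows commands, netstat -ano (which adds the owning PID) and tasklist /fo csv /nh. The following is an added example, not code from Fport or Prio: it parses constructed sample output from both commands and matches each TCP connection to its program by PID. The function names, addresses and PIDs other than the iTunesHelper.exe entry are assumptions for illustration.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (addresses and PIDs are illustrative).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       3548
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     4120
  TCP    192.168.1.20:49800     198.51.100.7:6667      ESTABLISHED     5316
  UDP    0.0.0.0:5353           *:*                                    3548
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"svchost.exe","948","Services","0","9,112 K"
"iTunesHelper.exe","3548","Console","1","11,240 K"
"firefox.exe","4120","Console","1","212,004 K"
'''

def parse_tasklist(text):
    """Return {pid: image name} from tasklist CSV output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if len(r) >= 2}

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like '[::]:445' also work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)

def parse_netstat(text):
    """Yield one dict per TCP row; headers and UDP rows (no state column) are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or not fields[4].isdigit():
            continue
        (_, lport), (faddr, fport) = split_endpoint(fields[1]), split_endpoint(fields[2])
        yield {"local_port": lport, "foreign_addr": faddr, "foreign_port": fport,
               "state": fields[3], "pid": int(fields[4])}

def connections_with_programs(netstat_text, tasklist_text):
    """Attach the owning program name to every TCP connection, matched by PID."""
    names = parse_tasklist(tasklist_text)
    return [dict(c, program=names.get(c["pid"], "<unknown>")) for c in parse_netstat(netstat_text)]

def needs_review(rows):
    """Established connections whose PID is not in the process list: look closer."""
    return [r for r in rows if r["state"] == "ESTABLISHED" and r["program"] == "<unknown>"]

if __name__ == "__main__":
    for r in connections_with_programs(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'{r["program"]:<18} pid={r["pid"]:<6} port={r["local_port"]:<6} '
              f'-> {r["foreign_addr"]}:{r["foreign_port"]} {r["state"]}')
```

A PID that has an established connection but no matching process entry may simply have exited between the two commands, so rerun both before drawing conclusions.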