Environmentally Conscious Security: Painting Information Security Green

Historically, ecological concerns have been significant drivers for change.  Topics ranging from global warming to protecting various species carry a strong emotional appeal, thus, motivating business and personal change with the ultimate goal of protecting the environment.  These environmental initiatives have been termed “green initiatives” and they impact IT in the form of “green computing.”  The popularity of the green computing initiatives stems not only from environmental concerns but also from a financial concern. A primary goal of many green computing initiatives is to reduce power consumption as this has a direct impact on the bottom line.

This article addresses three green computing initiatives and identifies information security action items associated with each initiative. Information security is a concern when programs such as these are implemented.   These initiatives are important because information security is easier to sell if it’s green.

Setting

Green computing is not necessarily new.  In the early 1990’s, the Environmental Protection Agency (EPA) and the Department of Energy created the Energy Star program that defined, among other things, efficiency requirements for computers.  Restrictions have also been placed on how computing equipment, such as monitors and uninterruptable power supplies, can be disposed of.

Recently, a large amount of government spending has been focused on green initiatives.  In 2009, the American Recovery and Reinvestment Act (AARA) provided $70 billion towards green initiatives including developing more efficient energy use for equipment and software and creating more efficient IT cooling solutions. $47 million of that money was allocated to the datacenter energy consumption and efficiency programs.

You might be thinking, “the environment is great and all but my company doesn’t really care about that.”  It is of little consequence if your company is concerned with the environment or not because it has been proven that green computing saves money.  Power is expensive and these costs continue to rise, thus, making green computing an easy sell.

Is it Green?

Software Efficiency and Green Computing

Software efficiency is important to green computing because as equipment consumes less power, machines can be configured to go into a power saving mode resulting in less power being required to perform the same operations.  This initiative saves fossil fuels through the conservation of energy.

Information security practitioners are also concerned with software efficiency because the possible outcome of combining resources provides hackers with fewer options for malicious use. Advocates of consolidation and reduction efforts can claim that these are not only information security initiatives but also green initiatives.

Virtualization and Green Computing

Virtualization, in computing, is the creation of a virtual (rather than actual) version of a device, such as a hardware platform, operating system, a storage device or network resources which makes it possible to consolidate many machines onto fewer platforms.   This is especially advantageous when legacy systems can be combined onto newer hardware platforms.  Legacy systems often do not incorporate the latest advances in power technology and thus, are less efficient to maintain.  If these systems are virtualized, fossil fuels can be saved through more efficient power management on the newer hardware.

For information security practitioners, virtualization brings an array of advantages and disadvantages.  It can be a great option for improving security, especially availability and business continuity.  However, unless information security personnel are involved in the process and proper controls are tailored to the virtual environment, it may create greater safety risks than benefits.

Terminal Based Computing (Thin Computing) and Green Computing

Terminal based computing is another technology that can reduce the amount of energy consumed by workstations.  Because most of the processing power is consumed on the server side where the terminal sessions are managed, the workstations can be very basic machines that require little power to operate.

Terminal based computing provides advantages to the security architecture of a company because more control can be applied to the actions taken on the terminal based environment than in decentralized client-server models.  The disadvantage to information security is that the terminal environment can introduce a centralized point of attack and point of failure for an environment. Thus, additional controls  may be needed to ensure availability of the terminal servers and confidentiality and integrity of the information contained in such systems.

Think about how software efficiency,  virtualization and terminal based computing can be used to emphasize their inherent  green computing advantage, allowing you to present the additional value of these initiatives to decision makers.  These options are not just a safe choice; they are a green option too.

A Certified Lack of Confidence: The Threat of Rogue Certificate Authorities

For more than a decade, computer generated digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by connecting a public key with an identity such as an owner’s name.  The process relies on trust.  “Secure” websites utilize such a certificate to validate their identity.  This digital certificate is usually procured from a company that will verify the identity of the company administrating the site.  The digital certificate issued to them will be validated by a trusted root certificate authority or by a server that is trusted by the trusted root.  This chain of certificates is called a certificate hierarchy.  A small group of trusted certificate authorities is installed on computers within the operating system.  These authorities include such names as Equifax, VeriSign, and Thawte.  So what happens when the system breaks down?

Last year a series of attacks took place against certificate authorities resulting in the issuance of many rogue certificates. These attacks began with an SQL injection attack against Comodo’s GlobalTrust and InstantSSL databases leading to the issuance of rogue certificates for addons.mozilla.org, login.skype.com, login.live.com, mail.google.com, google.com, and login.yahoo.com.  This was followed by an attack on DigiNotar where over 500 rogue certificates were issued including some wildcard certificates such as *.google.com which allowed the certificate to be used for any google.com site.  In response, DigiNotar was removed from the trusted list so that all the certificates it had issued were no longer valid.

Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy can be validated.  Users then will be redirected to such sites through phishing or ‘”crucial  that man in the middle” attacks where a compromised host in-between the user and a legitimate site sends traffic to an illegitimate site instead.

Some viruses have used rogue certificates to make their content seem legitimate.  For example, fake AV, some Zeus variants, Conficker and more recently, Stuxnet and Duqu have used rogue certificates.  The threat of rogue certificates that McAfee lists rogue certificates as one of their ten threat predictions for 2012.

In the wake of attacks on certificate authorities, security professionals are speculating whether there are other certificate authorities that are compromised but do not yet know it.  The containment action against DigiNotar was extreme but necessary given the scope of the compromised certificates.  A significant disruption of e-commerce could result if other root certificate authorities need to be similarly revoked.

There are several ways companies can protect their users from the damage caused by the use of rogue certificates.  The most important action that can be taken is to install browser patches as soon as they are released because updates to root certificate authorities will be distributed through these patches.  To do this, revisit your patch management policy to determine optimal patch deployment intervals and minimize the number of time that machines are vulnerable to attacks.

Similar to server hardening and other security techniques that limit asset exposure, an examination and subsequent reduction of the number of trusted certificate authorities is important in assuring safe computer usage.  Some certificate authorities are region specific. Thus, they can be removed if sites in those countries are not utilized.

It is important to configure the Internet browser to check for certificate revocations.  Certificate revocation lists are maintained by certificate authorities who list the certificates that should not be trusted anymore.  Depending on the browser’s settings, it may be accepting revoked certificates.  Make sure the browser is set to treat certificates as invalid if the Online Certificate Status Protocol (OCSP) connection fails.

Firefox addons such as CertPatrol, Convergence or Perspectives routinely check certificates against a collection of network notaries or against a locally stored database of certificates to further validate certificate credibility.  These add-ons warn users when the certificates are different from those recorded elsewhere.  A change in a certificate is no guarantee that the certificate is a rogue certificate, but it is a warning sign that the certificate is potentially rogue.

Attacks in recent years have shown that the certificate trust relationship can be exploited to be used to impersonate legitimate sites and services.  The best way to assure actual service is to maintain current computer browser and operating system patches.  In addition to keeping patches current, reduce your potential exposure to rogue certificates by limiting the number of certificate authorities you trust and enforce certificate revocation checking.

 

 

Risk Homeostasis and its impact on risk reduction

Gerald Wilde had a theory called risk homeostasis.  This theory hypothesizes that people have a level of acceptable risk.  When they perceive that there is less risk, they will take more risky actions to bring them to an acceptable level and when they perceive more risk, they will be more cautious.  Information security is very concerned with managing risk and reducing it to an organizationally acceptable level.  However, an organization is made up of many people and they may have a different level of acceptable risk than the organization does.  If the theory of risk homeostasis is applied to information security, individuals will take riskier actions when the organization implements controls to make them safer or when they perceive the environment to be safer.

This has far reaching ramifications for those in information security because the perceptions of risk by the individual may differ greatly from the actual risk.  Despite awareness of information security breaches in the news and the overwhelming statistics that a data breach is likely, people still have difficulty accepting that a breach could happen to them.  It all comes down to perceptions.  With Wilde’s theory, if a high risk is perceived then users will be more cautious and that is where the security minded organization wants to be.  So the question is, does the risk homeostasis theory hold water and if so, how do organizations manage perceptions in information security?

 

Is Your TV a Security Risk? Embedded Devices May be the Next Target.

The latest televisions and Blu-Ray players come equipped with more than HD video and audio.  Internet access and a host of new applications are being built in to run directly on these “smart” TVs and DVD players.  A popular built-in feature is wireless access which enables the user to avoid plugging in an Ethernet cable.  Accessing the internet and your favorite apps directly from your TV is convenient.  However, what security risk does it pose?

Are Smart TVs and Blue Ray Players a Security Risk?

The primary question is, “Are these devices a security risk?” Examining the features of smart TVs and Blu-Ray players and comparing them to existing systems that already have a risk profile will help answer this question.

To access the Internet, a device needs an Internet browser. Currently, manufacturers have decided not to develop their browsers but to use existing products that have proven effective on other platforms.  Some devices come equipped with a version of Opera while others utilize Google’s Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.

Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using Microsoft’s Windows “media extender technology.”  The default installation of the press center extender provides full access to most of the shared media on the network. This access could allow a compromised television or Blu-ray player to give access to files on the home network or office network.

Another consideration is the type of content that will be available on these devices.  In the past year, a significant number of exploits focused on Adobe Flash or Java.  Blu-ray players currently support Java to display content often included on Blu-ray disks, while some of the TV browsers support flash content.  Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.

Smart TVs and Blu-Ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for an extended period of time.  The longer a security breach goes unnoticed, the more damage and harm are typically caused.

Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.  (Update: A security firm did recently find a weakness in a Samsung TV.  For more information, click here.)  It did not take long for cell phones to be exploited after internet access and applications were ported to them. Similarly, as the internet capable televisions and Blu-ray players grow in popularity, they will become a more sought after target of hackers.

So What Can You Do? 

Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities.   These updates only enhanced functionality, not security.

Companies who have adopted Internet capable devices should consider keeping them on a separate network segment.  Both home and business users can disconnect devices from the network if internet features are not needed.  By staying up to date on new vulnerabilities, corrective action can be taken when needed.

For added security, also consider turning off features that automatically index or download content.  This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day.  When using the media center extender, consider cutting access from the default of full access to read only.  See this article for details on configuring tightened security for media center extenders (please be aware the article is rather technical).   Eventually, security patches for these internet capable devices will be released just like security patches are released for software applications and operating systems.  However, unlike computers, users are not familiar with the firmware update process, and not all companies make it easy to upgrade their products. In the future, companies will need to develop procedures for regularly updating devices.

In conclusion, a smart TV or Blue-ray player could be vulnerable once exploits are designed for these devices.  As the consumer usage for these devices increases, the likelihood of malicious code being developed will likewise increase.  The firmware on these devices can be upgraded, but manufacturers have not released any security updates for their devices. Until manufacturers address the invasions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:

  1. Disconnect the device from the network unless it is needed to use specific Internet features
  2. Allow the device to turn off and not download content automatically
  3. Configure tighter security on Windows media extenders.

 

Security Focus at the Corporate Board Level

Imagine a boardroom a generation ago.  Smoke fills the air, and sidebar discussions thrive while the board members wait for the presentation to begin.  Manila packets filled with research, financials and other sensitive information are distributed around the table.  The meeting progresses; a decision might be made, and afterward the packets would be collected in their entirety and destroyed lest they end up falling into the wrong hands, compromising company research or spilling sensitive secrets.

So what happens today where technology is so prevalent?  In a recent August-September 2011 study, Thomson Reuters conducted a survey of general counsel and corporate secretaries to understand how company information is secured when provided to corporate board members.  The study titled “Better board governance: Communication, security, and technology in a global landscape of change” looked at a global cross section of companies from a variety of industries.  These companies ranged in size from under $500 million to over $10 billion.  The results indicated a lack of secure procedures for corporate board information management.

Board Communication and Security

In today’s world of technology, board members can be distributed across the globe and meetings are sometimes virtual.  Surprisingly, though, a majority of companies, 61%, still utilize paper and courier to transmit information to board members.  Another 49% transfer documents through email.  Unless encryption is used, email is not a secure method for transmitting confidential documents.  Only 10 % of companies use specific email accounts set up for board members to deliver information.  Instead, a whopping 65% said they never use the corporate email network.  In these situations, the email is usually sent to a private email account where security rules are not defined by the organization so security cannot be controlled.

A scant, 21% of companies surveyed utilize a secure portal for transmitting board documents.  This method is the most secure of the three but sadly it is the smallest percentage.  Secure portals use an encrypted channel to transmit information, so data is protected against eavesdropping.  Additionally, in secure portals Digital Rights Management (DRM) settings can be applied to information so that it does not leave the portal and access to information within the system can be audited.

Document Retention

With 61% of companies using paper to distribute documents, the next logical question would be whether or not a policy is in place for the destruction of such documents after they have been used.  The survey found that 63% of companies require their members to destroy copies of board-related documents.  However, only 30% of all enterprises surveyed suspected that the board members did delete, shred, or destroy them.  Also, 60% suspected that at least one or more board members retain documents on their personal devices whether it is a computer, smartphone, or tablet.  Not only is this a risk for data disclosure, but it also creates additional efforts for eDiscovery since the personal devices of board members could contain information related to litigation.

Board Scrutiny

On a more positive note, 64% of companies surveyed are experiencing more scrutiny within their board practices when compared to last year.  This increase falls into line with more strict governing guidelines and regulations.  The Thomson Reuters reports showed that the most difficult challenge with relation to board governance is regulatory flux, global boards, effective controls, and time.  The governance breakdown shows that 44% attempt to adhere to local governance norms and another 39% adhere to global governance norms.  A small percentage, 17%, is trying to go beyond minimal governance requirements.

Security is necessary for the protection of vital information within companies.  As such, companies do a lot to protect themselves and their information.  However, serious deficiencies in security are seen in the processes surrounding information given to corporate boards.

Many corporations are still using unencrypted or personal email accounts or snail mail to send confidential board documents and policies for document destruction are routinely not followed potentially allowing for information to be being lost or stolen.  Board members operate mostly outside of the organization but when handling corporate information they should treat it in the same way organizational employees do such as observing corporate data retention and destruction policies.  If you are concerned about information leakage from board members, consider training on secure information handling procedures and create a method such as a secure portal for distributing information to the board.

 

Six Email Scam Tactics you should recognize

Scams exist.  That is a simple truth.  There are honest people, and then there are others who try to cheat.  Email and the technology age facilitate scamming through email.  Often these emails promise jobs or an irresistible offer, but sometimes they are more subtle than that.  This article analyzes the types of email phishing traipsing around the World Wide Web so that, armed with the knowledge of email phishing attacks, you can avoid them in the future.

1. Irresistible Offer

Here is the ultimate dream held by many Americans: Get rich quick.  It just doesn’t work.  The ads that are frequently displayed online or the spam messages sent to people every day offer ways to get rich quick, have free money, receive free gifts or services, or meet someone beautiful and sexy.  The scammers want to take your money, not give it to you and that beautiful woman you see in the picture might not even be a woman.

2. Money Mule
The money mule scam offers you the opportunity to make lots of money by transferring cash. It appears somewhat legitimate but it is actually illegal and you will be the one the evidence points to.  You may see an advertisement for a financial position where you move money around from home and make a lot of cash.  You are actually transferring stolen money or money laundering.

3. Pyramid schemes

Follow this formula with several people and they will all send you money after you send money to me and other more complex variations of this.  You get money if enough of the people you send the message to end up sending money and also participating.  Eventually, the system runs out and someone loses.  Other times you participate in a service that requires little but promises much.  What you actually get, if anything, is far different from what is promised because the only ones that make out of the deal are those who first started.  When it is time for you to get paid, there is nothing left in the pot.

4. Stolen Goods Mule

Similar to the money mule but goods are transferred instead of money.  These services typically offer themselves as a shipping consultant and your job will be to receive packages and then ship them to another location.  Criminals purchase goods using stolen credit cards and then sell the items on eBay.  You receive the stolen goods and sent the merchandise off.  Unfortunately, when the fraudulent charges are noticed, the address they shipped to is the one the police will go to.

5. Spear Phishing

Spear phishing messages provide you with a link to what appears to be the site, and they ask you to log in or to update your password.  Spear phishing messages are crafted to appear to come from some service that is legitimate but they are just copies or fakes.

6. Whale Phishing

Whale Phishing is a specific attack against an individual with wealth or access to valuable assets or information.

Awareness of such attacks is increasing, but the mere fact that the average user still receives so much spam means that it must be paying off for someone.  Don’t be the one who gets burned.  Educate your employees on the risks.

Tips:

There are steps that can be taken to safeguard yourself against potential malfeasance.  First, always pay attention to the website you are visiting.  Frequently, phishers will set up a mirror site that looks exactly like the site you want to see.  Always be skeptical and go to the website directly rather than clicking on any link provided in an email.  Be wary of hyperlinks within emails and remember that banks will not ask for personal information via email.  Installing anti-spam software from a reputable source will significantly diminish your vulnerability to attack.  Finally, if something phishy does occur to any one of your accounts, change your password and secret questions.

Scamming happens, that is a simple fact.  Today I looked at multiple ways that a person could get burnt ranging from spear phishing to a money mule.  In any case, the best defense is a proactive one.  Pay attention to your financials, and always protect your personal information.  Be cautious about any offer that seems too good to be true.  Follow these steps and the job of sifting out what is potentially dangerous versus what is benign becomes much easier.

New Hacking Evidence fresh from the source

Previously, we have discussed the dangers of hacking and measures to take against an attack in the LulzSec blogs.  Now we will delve into a different aspect of the wide world of hackers.  We will not, however, look at a particular company or conglomerate that hacked different entities and organizations.  Instead, we will observe the findings of McAfee after they accessed a server that was used for attacks since 2006.  Operation Shady RAT, RAT, being short for Remote Access Tool, has introduced new evidence on the targets, motivations, and frequency of hacking that are summarized below.

McAfee took possession of a server that had been utilized as a hacking device since 2006 and analyzed its contents revealing a large amount of information on attack trends and methods used by hackers.  On August 2, 2011, McAfee published their findings in a report titled, Revealed: Operation Shady RATAlthough recently there have been highly publicized attacks by Anonymous and LulzSec, these attacks are not new.

Upon the acquisition of a command and control server and the subsequent research into the logs of the server and tracing the attacks the results were shocking.  So surprising that even McAfee employees were surprised at the level of penetration, the wide scope of the assault, and the overall impudence of the intruders.  The perpetrators hacked into seventy-one different companies and organizations by using this server.

The types of targets that Shady RAT attacked ranged the gambit.  These hackers attacked government agencies, but unusually these attacks were not just on American government agencies but worldwide government agencies.  Also, they hit a nonprofit think-tank based in the United States.  These attackers even went as far as to attack Olympic committees of various countries.  Even still the vast majority of attacks were on worldwide government agencies, with a total of twenty-one different government bureaus across the globe being attacked.  In conjunction with the legislative findings, another high-risk industry was the defense contractors.   In fact, thirteen defense contractor attacks were coordinated through the command and control server McAfee obtained access to.

If the results of Operation Shady RAT are considered representative of other attacks, they could call into question some common assumptions held on the focus of attacks.  A common belief is that hacks primarily occur against the United States, Canada, and Europe.  While Operation Shady RAT showed the majority of attacks did occur in those regions, with forty-nine coming against organizations within the United States, four against Canada and six against Europe, ten attacks were focused on Asian countries.  Companies in Asian countries often get less attention in the media for hacks against them.  The underlining issue with the attacks carried out by this server is that since the range of companies and organizations is so broad, anyone could be vulnerable.  Protection is not an option for companies.  Everyone needs to be concerned with information security.

Even more intriguing was the findings of the types of attacks used and the evidence of what attackers obtained or attempted to obtain.  The oft-cited motivation for hacking has been a commercial gain, but the same server was used for commercial hacks and hacks that had no commercial interest.  Hacktivism, hacking to promote a political agenda, is seen clearly in the attacks on the Olympics.  Interestingly, logs from the server outlining attacks on Olympic committees, especially in the time leading up to the 2008 Olympics.  Furthermore, attacks on the non-profit think tank also provide evidence that the hacks were not carried out by a group solely focused on commercial gain.

Another interesting point made by the article is the frequency of the attacks and the amount of time the hackers remained in various organizations without detection.  There have been difficulties and controversies over the number of successful attacks that take place because organizations are reluctant to report incidents because of the potential loss of customer confidence.  Operation Shady RAT provides real data on the number of attacks that took place.  The data is limited to only the attacks that occurred from this one command and control server, but they are unfiltered by corporate PR departments.

In 2006 when this server began directing attacks, only eight organizations were infiltrated, however, by the next year that number had jumped to twenty-nine.  The regularity of the attacks continued to rise until it peaked in 2009 with thirty-eight attacks, and tapered off within the last two years.  Also, the amount of time spent within these companies and organizations is tremendous.  The rate of time spent within a company ranges from just one month to twenty-eight months.  For example, the hack on a South Korean construction company began in 2006 and lasted seventeen months without detection.  Meanwhile, the twelfth United States defense contractor was only under attack and infiltrated for one month.

Upon a thorough reading of the findings of McAfee, we can now conclude that anyone is vulnerable to attack, not just government offices or major companies.  Also, due to the report a better knowledge of the types of attacks is now out there and available.