Stuxnet received a lot of attention because it was the first publicized case of malware targeting a physical control system, and anything that touches a nuclear reactor is a big deal. But this type of threat certainly wasn’t unforceen. The potential for malware and other network-centric threats to impact SCADA systems has been discussed within the security community for years. Stuxnet was simply the first to capture the spotlight.

The source code has been widely available online since July, so it’s no surprise that derivatives are starting to appear. Cyber criminals of all sorts have undoubtedly downloaded, modified, and experimented with it. The vast majority of malware created today is simply a derivative of existing malware; those capable of creating something completely new are far and few between. This new variant, code-named ‘duqu’, is probably the work of an individual or small group. A government or large criminal organization would not rework the Stuxnet code. They’d study it, learn from it, and then create something completely different to avoid detection.

Organizations with SCADA systems should be concerned about a much broader range of threats rather than focusing on Stuxnet or duqu. They need to ensure that their systems are adequately protected against malware and a long list of other insider and outsider threats.

More generally, rather than focusing on specific peices of malware, we should be asking why we continue to build systems that, from a security perspective, are fundamentally flawed. We continue to make the same mistakes over and over again, and then we’re surprised when a security breach occurs.

If you don’t want people to see something, don’t photograph it.

If you have a look at the pics (Links: photo1 photo2) you’ll note that she appears to have taken them herself using her mobile phone.  While I certainly don’t have any inside knowledge of the case, my bet would be that the sender or recipient’s email account was compromised, not the phone itself.  Of course for that to be the case, she would have had to email the images to someone, which bring us to my next bit of advice:

Don’t email photos that you don’t want people to see.

Of course there’s always the publicity angle.  Leak nude pics of yourself. Benefit from the exposure, but deny intent.  Then play up the victim angle, collect some sympathy votes, and keep the story alive.  Ah, Hollywood.

Added 2011-09-20:  I linked to the photos in the original article because of their relevance to the story — they showed her holding the camera herself. I did not copy the images to avoid a copyright infringement.  It appears that they have been taken offline or access blocked.

“The DNS vulnerability could result in a complete system compromise,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Because no user interaction is needed, a vulnerable service simply needs to be up and running for the vulnerability to be exploited.”

“Internet Explorer is affected by two critical vulnerabilities being patched, both of which can be exploited by a drive-by download,” Talbot added. “The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent. There is a very large attack surface.”

“We haven’t seen nearly this many low profile patches – ones that primarily result in information-disclosure or cause denial-of-service conditions – in quite some time,” Talbot concluded. “Half of all the vulnerabilities patched this month are of that type, which is rare.”

There is good reason that high-end cryptographic devices offer features such as maintaining a constant data rate independent of the data being encrypted. It sounds like Skype might want to also incorporate some of those features.

“Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.”

While it’s mildly interesting that criminals choose to use Amazon servers, it’s not really surprising.  Amazon Web Services offers great services at good prices, and attracts a wide range of customers – individuals, small business, and large enterprise all leverage their services.  Given the alleged sophistication of the attack, EC2 is simply an obvious choice.

While a shift in attention to Amazon might be good for Sony, we should expect criminals to use EC2 like everyone else.  Criminals also use rental vehicles, disposable mobile phones, and WiFi hotspots.  They probably even purchase their computers the same places we do.

The Sony PlayStation Network data exposure has two causes:

• Security deficiencies at Sony. While we don’t know what the specific weaknesses were, the fact that information on PlayStation Network customers – including credit card information — was stolen across the Internet would make it pretty difficult for Sony to convince us that they had appropriate security controls in place.
• The criminals. Let us not forget that Sony was the victim of a crime.

Like TJ Max, the Sony security breach should be a wake-up call.  Consumers often feel safer dealing with larger, more established companies.  But it appears that some of them don’t have security right yet.

We also need to understand that tracking down cyber criminals is becoming increasingly difficult.  Cloud-based services aren’t anonymous – while false identities can be used, criminals still need to connect to the cloud-based service from somewhere.  However, with the widespread proliferation of free WiFi hotspots and disposable mobile phones and data devices, we need to accept the fact that tracing an attack back to the source may not be possible and that more traditional investigation methods – like following the money trail – remain important and techniques must be constantly updated.

From a technical perspective, the root cause of the initial security breach was poor software design, poor implementation, and inadequate testing.  It’s an industry-wide problem that won’t change until customers demand better software and are willing to pay for it.  Things got worse because the folks at HBGary appear to have ignored basic and well understood best practices with regard to passwords.

However, let’s not ignore the other root cause.  While it doesn’t justify criminal behaviour, let us not forget that HBGary, in an apparent attempt to obtain publicity for themselves, allegedly did the cyber equivalent of visiting the nearest biker hangout to announce, “Just want to let you know we’re going to screw with you in the media tomorrow, but don’t worry, we’re only going to screw with you a bit.” Or, if you prefer a different analogy, they kicked the hornet’s nest without wearing the customary protective equipment.

As security pros dealing with people allegedly responsible for hacking and denial of service attacks on major companies, HBGary must have expected probes of their systems and at minimum a distributed denial of service attack.  They reportedly kicked the hornet’s nest deliberately and intentionally. It leaves me wondering if  becoming a victim was part of their publicity strategy. Getting yourself hacked would certainly be an bold publicity stunt for a security company, but it wouldn’t be the stupidest thing I’ve seen either.

Any mechanism that allows the Government easier access allows criminals and foreign Governments easier access as well.  The point of hard drive encryption, to name one example, is that it protects sensitive information if someone steals your computer. Whether that someone is a junkie, stalker, unethical competitor, or law enforcement officer with a warrant is irrelevant from a technical security perspective.

The issue of key escrow for “lawful” access will certainly be raised again and the answer is simple: Given the security breaches that many governments have suffered, they have proven themselves incapable of protecting their own sensitive information.  Why should we trust them with more?

Businesses must ensure that they retain the ability to access encrypted information in the event that the user leaves or forgets their password.  In that instance, the law enforcement solution is to serve a court order on company.

Personal computers, smart phones, and similar devices are becoming increasingly that — personal. They have become an extension of ourselves.  Law enforcement agencies need to come to terms with this new reality and understand that their access will continue to decline. The cost of gaining access to such devices will continue to increase exponentially until it is impractical for all but the most serious investigations. The tricks Declan outlined in this article will become less effective as criminals quickly learn about them and implement countermeasures.

Back when I studied Criminology I learned that the average IQ of inmates was just slightly lower than the overall community average and that many criminologists believed it was because people with slightly lower than average intelligence were more likely to commit the type of crimes that could land one in jail.  Twenty years of experience suggests another scenario:  We’re much better at catching and convicting criminals with below average IQs.

Organized crime and terrorists have employed countermeasures such as encryption for decades. But what what appears to really make some law enforcement types uncomfortable is that you, me, and dumb criminals can now do it too.

In case you’ve missed the latest developments in the United States, many passengers over the past few weeks have found themselves in the uncomfortable position of having to choose between two intrusive and dehumanization alternatives: Submitting to a virtual strip search courtesy of a “body scanning” machine, or being subjected to an “enhanced pat-down” of their entire body including breasts and genitals.

As a security professional one thing that makes my blood boil is when “security” is used as an excuse. I cringe when I hear the phrase, “for your comfort and security…” which is usually followed by words that have little – if anything – to do with comfort or security. But in more than fifteen years as a security professional I have seldom witnessed anything as disgraceful as TSA officials using “security” as an excuse to abuse passengers.

Preventing the introduction of weapons, explosives, and other dangerous items onto passenger aircraft has been a security concern since the first recorded aircraft hijacking in 1931. In 2001 the game changed when multiple aircraft were hijacked and flown into ground targets as improvised missiles. Additional threats, including the introduction of small amounts of explosives onto passenger aircraft, have further complicated the threat landscape.

There is no doubt that the nature of the threat against passenger aircraft has changed dramatically in the past decade. The era of hijackings in which crew and passengers passively cooperated with hijackers – and were usually released – has been replaced with a set of new scenarios in which immediate action by passengers and crew against anyone threatening the aircraft appears justifiable and the best chance for survival.

There is also no doubt that all aspects of aviation security, including passenger screening, need to be regularly reviewed and appropriate changes made to manage risks. However, there is a world of difference between imposing realistic security controls and using the threat of terrorism as an excuse to impose draconian, unnecessarily invasive, and abusive processes in the name of “security”.

It is true that there is a terrorist threat against aircraft, and passengers are one of many vectors that could facilitate the threat. But in passenger screening, as in most areas of security, the law of diminishing returns applies. X-ray machines for carry-on luggage, explosive residue detection equipment, metal detectors, and skilled security professionals are capable of detecting the vast majority of weapons and explosives. Perfection is simply not possible. Adding strip-search machines and intrusive “pat downs” adds little – if any – additional security, and the marginal gain is grossly outweighed by the negative impact of the security measure on the very people it is designed to protect. It is a dramatic example of an exceptionally poor security management decision.

Let’s also not forget that the threat of terrorism is not limited to aircraft. Around the globe busses, trains, schools, public buildings, restaurants, bars, hotels, and marketplaces have all be targeted by terrorists and other criminals. As security professionals we have an obligation to set aside knee-jerk, “increased security at all cost” reactions and seek out security controls that are both effective and acceptable to the population they impact. Nobody would consent to body scans or intrusive personal searches to get into a taxi, bus, shopping plaza or nightclub. So why should we tolerate it at an airport?

I’m sure the TSA will argue that their employees are not committing sexual assault (or whatever the crime is called in the airport’s jurisdiction) because they have “consent”. But do they really? What choice does a person whose job requires them to travel have? Much of the United States has “at will” employment – employers need no reason to dismiss an employee. Let the TSA view their naked image, let the TSA grope them, or risk loosing their job. Not much of a choice. Parents also have a difficult choice to make.  Do they subject their children to TSA “searches” that would land anyone else in jail, or do they cancel the trip to Disney this winter?

The TSA’s new ‘scope or grope’ policy does not meaningfully improve security. No technology can compensate for poorly paid, poorly trained, and increasingly disenchanted front-line security staff. The fact that the TSA even considered this ineffective and unethical nonsense highlights the fecklessness of TSA leadership and the spineless politicians that support them.

Law abiding citizens and airport security staff should see each other as partners in security – both cooperating to ensure the security of their flights.  But that won’t work until the TSA stops abusing those it is supposed to protect. It’s time for TSA chief John Pistole to pack his bags and for the American Government to put a real security professional in charge.

I’ve only had two bad online experience, and I got my money back both times.  Yet I continue to hear horror stories from others.  So I thought I’d share my approach.

First and foremost, there is nothing magic about shopping online.  The major difference when you walk into a shop is that you have a good idea where they are located. However, disreputable bricks-and-mortar stores (along with phone and mail order outfits) ripped off consumers for years before the Internet was invented.

So how can we shop online with confidence?

1) Consider ordering from businesses you know.  Saving a few dollars on an unknown vendor may not be worth it.

2) If you’re looking for something and don’t know where to find it, consider using eBay or Amazon. Carefully check feedback on the vendor before buying.

3) Always pay by credit card.  From time to time you may run across vendors who request payment by other means.  They might want to you wire money using Western Union or a similar service.  The problem is that once you’ve sent your money, there is little you can do about it.  Real online merchants accept credit cards or use a service like PayPal that accepts credit cards on their behalf. Period.

4) Understand any rules that apply to disputes.  For example, if you make a purchase on eBay and pay using PayPal you must open a dispute within 45 days.  Be wary of anyone who may be trying to string you along with a series of excuses, delays and apologies.

5) Next to how they treat other customers, the best predictor of how a business will treat you after getting your money is how they treat you before. When shopping online we often have our choice of products and resellers.  When I”m trying to decide, I’ll often email a few vendors to ask their advice or for product information.  The timeliness and quality of their response speaks volumes about them.

Have other words of wisdom to share?  Please comment!

This is yet another example of why passwords are a really bad idea.  However, from a practical perspective, the best thing you can do is to ensure that you have opened a tab yourself before logging in.  If you click to a tab and find yourself at a login screen, close the tab, open a new one, and navigate to the site you want.

Thanks  to Thorin for the link!

As you can see in this YouTube video, it is possible to open many residential garage doors using only a simple wedge and a wire hook.  What was intended as a safety feature to allow the door to be opened without power creates a security vulnerability.  Using a plastic cable tie might be the best way to address this, provided that you have a way to cut the cable tie if you need to open the door during a power failure.

Sometimes a high risk position results because we don’t correctly asses asset values, threats or vulnerabilities. Sometimes the cost of implementing a safeguard exceeds and expected loss, and the decision to accept risk is a logical one. And sometimes we simply make mistakes.

But there are other reasons that we Canadians are often too polite to point out: Laziness, denial, rationalization and risk decisions based upon emotion rather than logic.  The H1N1 ‘flu gives us plenty of examples.

We’re in the midst of an influenza pandemic.  Fortunately we know how to create ‘flu vaccines — we do it every year to combat the seasonal flu. So we have a vaccine, and every credible organization from the World Health Organization down to our local medical officers are recommending that we vaccinate ourselves and our families.

The risk is clear: pH1N1 is a nasty virus that, at best, will make you sick for a week or two.  At worst, it could kill you. The threat is real and much of resulting risk can be mitigated by a simple vaccination.  The Public Health Agency of Canada advises that, “without interventions like a vaccine and antivirals, close to 25 to 35 percent of the population could become ill over the period of a few months.”  Other health organizations have released similar estimates. The vaccine has been tested in Canada as well as other countries, and we know that approximately 1 in 100,000 people will have a serious reaction to it, as with any other vaccine.  (Source: http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php)

From a risk management perspective it doesn’t get much simpler than this. The benefits of the vaccine clearly outweigh the risks, and the cost (a few hours of our time at most) is minimal compared to the potential loss.  And that doesn’t take ethics and social responsibility into account.   Those who choose not to be vaccinated not only may become ill, but could also pass H1N1 on to more vulnerable family, friends and colleagues — including those who can’t be vaccinated due to alergies.

As a result, we continue to see people announce on the Internet that they’re not getting vaccinated. Some quote “facts” that are uninformed myths at best.  Some focus on the 1 in 100,000 serious reaction rate and completely loose perspective.  Others ignore a century or so of medical science and proclaim that they don’t need a vaccination because they are “healthy and take their herbs and vitamins.”

Chances are that you’ve already seen the writings of otherwise intelligent parents who are incapable or making good risk management decisions. Their blog posts usually start with how much they love their kids.  Then they latch on to the one quack that chargers people $50 each to attend a seminar to learn “the truth” and rationalize that “the medical community don’t all agree”.  They focus on the danger of mercury in vaccines, even though the exposure is less than you’d get from eating a can of tuna.  Or they repeat silly claims like suggesting that the vaccine is “untested”.

Some of these people obviously have other agendas.  It’s clear from their writing that they’re simply anti-vaccination shills. They write clever “balanced” articles pitting fact against laughable fiction and seek to “support” others who share their defective logic.

Some see themselves as rebells, not “giving in” to the experts who tell them they should be vaccinated.  The old phrase, “Rebells without a clue” comes to mind.

In others, the barrage of H1N1 information creates neurotic behaviour and they operate on a completely emotional level. They “agonize” (often at length and in writing) about how “difficult” the decision was.  They loose all perspective, and should you dare point out the flaws in their reasoning their feelings are hurt. How dare you suggest that they don’t know what’s best. They behave as if the act of conceiving a child instantly made them more knowledgeable on vaccines than the WHO, CDC, and the medical experts of countless countries, including their own. They have “the right” not to vaccinate themselves and their children, and as emotional people often do, they confuse having a right with it being the right thing to do.

But then consumers still receive calls like I did on Saturday afternoon.  The bank – or someone claiming to be from the bank – called me, advised that they were recording the call, welcomed me as a new customer, and then asked me for my date of birth and postal code, “to confirm they were speaking to the right person.” 

I have a very simple rule: If I call you, it’s reasonable for you to ask me to prove I am who I say I am.  However, if you call me, you get to go first.  And unfortunately, while banks are somewhat good at authenticating their customers, they never seem to consider how customers should authenticate them.

When I declined to provide personal information to the caller, she politely replied that I could call the number on the back of my card if I had any questions and then she ended the call.

So I did just that, and asked about the call.  The CSR verified that the person who called me was indeed from the bank, and that they ask for a date of birth and postal code to make sure they’re speaking with the “right person”. But he didn’t have a solution to how I should authenticate future callers who claim they’re from the bank.

Banks should know better.  Telephoning customers and asking for personal information is irresponsible and contributes to the identity theft problem.  Banks should be telling their customers that they will never call them and ask for personal information – just as they currently do for PIN numbers.

There’s also an obvious solution: The bank could easily add one more field to their database, a password that they will use when they call me. In fact, next time they do call, I think I’ll ask them for their telephone password.

Perhaps the Bank’s security, fraud and marketing people need to have a chat.

One of the things that they didn’t discuss is why we continue to use passwords for authentication even though they’re known to be a serious weakness. The first reason is that, as long as we don’t include the cost of a security breach, passwords are free.  The second is that while better authentication technologies exist, nobody seems interested in allowing a single credential to be used across multiple systems on the Internet. I should be able to carry one authentication device and use it everywhere, but instead when we go that route we end up with a key-ring full of devices.

Perhaps it’s time for the open source community to step up to the plate?

I’m a strong proponent of whole disk encryption, especially on portable computers.  The small size and weight of the HP Mini 110 make it an easier target for thieves. However, by default Windows 7 creates two hard drive partitions, a hidden one for boot and recovery, and a second main partition for the operating system. My favourite open source encryption software, TrueCrypt, won’t do whole hard drive encryption on Windows 7…at least not yet. So I decided to give Microsoft’s BitLocker a try.

BitLocker is designed to work on PCs that include a Trusted Platform Module (TPM) chip on their motherboard. BitLocker essentially stores the hard drive encryption key on the TPM and the system can be configured so that users must authenticate to the TPM using a pin in order to boot their computer.

While that’s a nice plan, it doesn’t help those of us who have purchased a computer that doesn’t include a TPM, and I was somewhat disappointed to learn that the HP Mini 110 falls into that category. But searching the web I quickly learned that BitLocker can be used without a TPM chip by making a group policy change. (Detailed information can be found here.) Once the feature is enabled, the BitLocker key can be stored on a USB flash drive.

This scenario is not ideal because the key is not protected – anyone who gets their hands on the USB key can duplicate the key and use either it or the duplicate to boot the computer.  However, it’s certainly better than the alternative, which is to not use hard drive encryption until third-party products catch up with Windows 7. If you protect your USB key like you protect your car keys, it does provide a practical defence against a thief accessing your data.

But if you’re like me, you probably keep your USB flash drive in your briefcase, making it vulnerable to theft along with your laptop.  It’s like leaving your car keys sitting on top of the hood. I mentioned this challenge to a few colleagues, and one of them introduced me to a very cool product from Verbatim, the TUFF-’N'-TINY™ USB flash drive.

Image courtesy of Verbatim

In addition to having the smallest form factor I’ve seen in a USB flash drive, the Tuff-‘N’-Tiny is dust, water, and static discharge resistant.  It also includes a short key ring lanyard, which I highly recommend you use.

BitLocker only requires the USB key during the initial boot sequence, after which it tells you to remove the key, so the Tuff-‘N’-Tiny soon hung on my keychain as the “ignition key” for my HP Mini.

The Tuff-‘N’-Tiny also includes Verbatim’s V-Safe encryption software.  Unlike many USB devices that mount both a public (unencrypted) and secure (encrypted) partition, V-Safe switches the user between the unencrypted and encrypted partition on the same driver letter.  At first this seemed a bit unusual, but I quickly realized that, in addition to requiring only one drive letter for the device, this scheme also prevents the user from accidentally saving sensitive files to the unencrypted partition. Once you’ve entered your passphrase, only the encrypted partition is available.

Getting back to BitLocker, I think we’ll all agree that it is best used with a TPM chip.  However, while not perfect from a security perspective, it is possible to use Windows 7 BitLocker for pratical whole hard drive encryption without a TPM chip provided that you store the USB key separate from the computer. And so far, at least for me, attaching a small USB flash drive to my keychain appears to be the best option.

If our operating systems and applications were designed with privacy in mind, we could simply tell them that we don’t want to retain any browsing history, that our web cache and cookies should be deleted when we close our browser, that we aren’t interested in being presented with a list of our most recently used files, and that the last date/time a file was read isn’t necessary information.  We could also tell it to overwrite disk space when it’s done with it.

The technical reasons behind some of these issues were originally performance related, but given the speed of computers these days, there is no good reason that our computer needs to keep notes on what we’ve been using it for.

Of course when one brings up these issues, there are those who ask, “What do you have to hide?”  Child pornography is an often-quoted example of why computer forensics is a good thing, and I certainly agree that child pornographers should receive an express ticket to jail (or worse).  But I’m not willing to give up fundamental privacy rights and live in digital glass houses in order to make it easier to catch criminals.

I’ve written before about hard drive encryption, and full drive encryption remains the best way to safeguard your privacy.  The enhanced BitLocker functionality in Windows 7 combined with the TPG chip in many new computers are a move in the right direction. The open source TrueCrypt project is great, but they need to quick adapt to new realities in Windows 7.

Self-encrypting hard drives appear to be a promising technology, but while vendors brag about them, they aren’t readily available and technical information remains marginal at best. If — as a security professional and writer — I can’t get my hands on one to test, I have to conclude that they’re not a viable option at this time.

Then there are software products that perform tasks such as wiping free space and deleting unwanted browser histories.  From a functional security perspective, products like Evidence Eliminator can perform a nice clean-up of your computer, deleting temporary files, browser artefacts, and wiping unused hard drive space to eliminate ‘deleted’ data.  But “Evidence Eliminator” is a really bad idea.

From a security perspective, this product (and to be fair many others in the same category) often creates a bigger problem than it solves:  While they do a good job of removing unwanted data, they also do a fantastic job of creating evidence that you ran “Evidence Eliminator”. It quite amusing to read of people attempting to explain in court that they didn’t delete data pertaining to the matter in front of the court when they ran “Evidence Eliminator”.  By definition, if you’re eliminating evidence, you look guilty.

Ironically, by calling the product “Evidence Eliminator”, the vendor has made performing clean-up tasks that may be quite reasonable in many circumstances look like a criminal act.

Imagine you’re at work and someone you know emails a URL.  You download a file you expect contains something humours and end up with porn on your work computer.  Sure we can discuss why you shouldn’t have downloaded it in the first place, but there are countless scenarios that could result in you having some type of data on your drive that you don’t want.

In the physical world, you could toss it in the shredder bin, take it home and put it in the fireplace, or otherwise dispose of it. We should have the same ability with data.  But it’s just real deletion that we want, not evidence elimination.

On the off chance that enterprising developers are reading, there are two products missing from the market – or at least I can’t find them!

The first is a clean-up product that runs entirely from a USB stick and does not require installation on the PC.  Running it would clean up the hard drive, overwrite browser artefacts, temporary files, wipe free hard drive space, etc. In fact, it would do most of the things that Evidence Eliminator does – except the purpose would be to clean up the computer and protect privacy – not destroy evidence.

The second is an installable package that monitors system use and cleans up after the user automatically.  In short, it would protect privacy by doing what the operating system and applications should offer to do by itself really deleting stuff.

Thoughts?  Questions?  Ideas?

Let’s hear ‘em!

Highly recommended reading!

The full report is available for download here.

Unless you have an IT guy or gal in the family, it can be hard to get the right information.  And there are definitely challenges.  For example, check out Justin Foster’s blog post on Keeping Granny Safe.

One of the great tidbits in it is the link to Secuna’s free vulnerability scannersfor home users.  They offer both a web-based and a downloadable package.  I installed the latter on my notebook and it quickly identified a few products on my computer that needed updating.

The reality, of course, is that there is no such thing as a free domain registration.  Somebody pays for it.  And while there is nothing wrong with giving a customer a “free” domain when they purchase other services, as one of my colleagues recently found out, ethics among hosting services greatly vary.

My colleague purchased a hosting plan for $5.95 per month with HostPapa.ca that included a free domain.  According to the terms of service posted on their web site, there shouldn’t have been a problem:

“You have all rights to transfer, sell, or modify your domain name to another person or individual. If you decide to sell or transfer your domain name and HostPapa is the domain name registrar, please request our “domain name transfer instructions” by sending an email to support@hostpapasupport.com. We will send you the specific details and information about transfer of ownership.”

But, when my colleague decided to transfer his domain to another registrar, he found out that it wasn’t that straight-forward.  Host Papa had registered the domain in their own name.  In email, he was told,

“The $100.17 you paid upon sign up with HostPapa was for a hosting account. We included a FREE domain as a thank you for creating an account with us. This domain is only free as long as you are a HostPapa customer, hosting the domain on our servers.

If the domain was not free, you would have been charged $126.37 for hosting and a domain purchase. Now that you wish to cancel your services and take your domain away, the invoice I have created for your domain in the amount of $26.20 covers the cost of HostPapa registering this domain on your behalf when you signed up with us.

This is standard for anyone cancelling their account and wishing to retain their domain.”

During his email discussion with them, at one point a representative of HostPapa wrote chillingly, “Legally, the domain name is ours.”

We contacted HostPapa and inquired, and they explained,

“Yes, you can transfer your domain name to another host at a later date, however, there will be a fee of $24.95 + GST for Canadian clients to release the domain, since it’s only free as long as you are hosted by us.”

Your domain name is key to your Internet presence, and losing it can have a significant impact.  Assuming you maintain a backup of your web site, you can easily move to another hosting company if you control your domain.

So what can you do to protect yourself?

First, keep in mind that virtually anyone can become a ‘registrar’ through a simple reseller agreement. The fact that a company can register a domain for you doesn’t provide any indication of business ethics. Search the web, read their agreements carefully, and do your best to check our their reputation.  Be cautious if transferring your domain requires emailing or telephoning support or the description of the process is vague.

Second, check your domains to ensure that they are registered in your (or your company’s) name, not a provider’s.  If you don’t already have a favourite “whois” tool or web site, try allwhois.com. If the domain is not in your name, contact the registrar immediately and ask that it be corrected. If they refuse, indicate that you wish to transfer your domain to another registrar. But keep in mind that as far as the domain registration world is concerned, the owner is the entity listed in the whois database.

Third, consider using a separate registrar from your hosting provider.  If you’re more technically inclined and have a number of domains, you might consider opening your own reseller account with a large registrar like Tucows and becoming your own registrar.  It also might make sense for you to use a third-party DNS provider like dnsmadeeasy.com.  Ideally you want control of your domain information including the contact names, addresses, and DNS servers. Your registrar should allow you to update at least your DNS information through a web-based interface.

For example, I’ve recently been dealing with a situation involving the use of Yahoo Groups.  While it’s a great way to share information with a group of people, here’s what can happen:

1. A volunteer sets up a group on behalf of the corporation, bearing the corporate name.
2. The volunteer runs the group for a while but subsequently decides to leave the role.
3. The volunteer refuses to turn over control of the group to a board member.
4. When pressed on the issue, the volunteer claims that the group is inaccessible because it hasn’t been used for a while.
5. When pressed further, the volunteer deletes the group including all content.

Unethical volunteers (and employees) can create disruptive scenarios. In this case, they have the potential to impact communication with group members and information can be quickly lost. While criminal and civil proceedings can be initiated after the fact, the disruption has already occurred. 

In an ideal world, there would be services available that take these issues into account. For example, one could have multiple administrators and require two of them to approve sensitive transactions.  But until services like that exist, your best defence is to recognize what can happen, ensure that someone other than the group administrator has a copy of all documents and maintains a list of participant’s email addresses so that they can be contacted if an issue arises.

Have another suggestion?  Please comment and let me know!

If you accept credit cards, you’re required to comply with the PCI DSS standard. There are ways to simplify PCI compliance requirements, especially for small businesses, but it all starts with understanding what those requirements are.  If you business accepts credit cards, you owe it to yourself to watch this video.

Security is often categorized as physical security, personnel security and information security. Much of the reason is historical.  Back before computers, corporate security people were concerned primarily with physical assets.  The area of personnel security evolved with background checks and security clearances and then expanded into workplace violence prevention and ensuring the safety of employees at work and when they travel.

Then computers came along, and the complexity of these new systems gave birth to “computer security”.  Over time the “computer” field became known as “information technology” and “computer security” became “information technology security”.  Some time after that it finally dawned on people that the focus should be protecting information (as opposed to “information technology”) and since then the term “information security” has increased in popularity.

Within the information security field, the buzz phrase, “Confidentiality, Integrity, and Availability” describes its goals:  Protecting information against unauthorized disclosure, ensuring that it is not inappropriately modified and making sure that authorized user can actually use it.  Every so often somebody (commonly a vendor representative trying to push their product) tries to expand this definition by adding a fourth or fifth, but in doing so they usually succeed only in proving that they don’t understand information security.

In some organizations different people or groups are responsible for different “types” of security.  They often use different language, different processes and their failure to co-ordinate activities often increases security risks.

So what is this security thing anyway?  Security is simply about protecting assets.

Physical security is about protecting company assets.  But so is personnel security.  While I’m certainly not suggesting that a company owns employees, they are assets.  Their ability and willingness to work is of great value to the company – without them very little could get done.  If a company fails to protect employees, and they are unable to work, that constitutes a loss.  Failure to comply with laws and regulations regarding the protection of employees also impacts other assets including employee and public relations and monetary losses due to fines or civil damages. All political correctness aside, employees are valuable assets that require protection.

Finally, there’s “information security”.  Today information is an asset.  While computers and networks can be complex, and different skills are required to protect digital information, in the end it’s all really just about protecting assets.

Scott Wright, an Ottawa-based security consultant and publisher of securityviews.com explained,

“Despite having spent 12 years working with constantly improving security technologies, I’ve seen an increasing trend toward generally greater risk and losses to businesses and home computer users. All signs point to the human factors as being the weakest link. It doesn’t matter how well you make the valve in a rubber tire to keep the air in, if the rubber is not consistently good quality, it can be easily punctured. So, I felt that it was important to start working on this problem in an innovative way that had a chance of making a difference in effecting cultural change across an entire organization.”

In addition to speaking and writing on security awareness, Wright also conducted some interesting research:

“The Honey Stick Project was originally devised as a way to gather data about how well people handled a simulated risk scenario – that of an infected USB Flash Drive. Because these devices can contain targeted threats or viruses that can evade common anti-virus programs, people should not plug unidentified USB drives they find in public locations into their computers at work or at home. In fact, it’s a good idea to only use your own device, and not share it with other people, to reduce the risk of infection.

The devices contain simple and safe HTML files with no active programs. I rely on people simply double-clicking on a file when the device is plugged into their computer to load the file. As long as they are connected to the Internet, and the user hasn’t taken any precautions to prevent the the browser from starting, an event is logged at my web server. After deploying 50 devices in places like Ottawa, Toronto, Tremblant and Las Vegas, over 60% of them have been used, which indicates that the finder didn’t do anything to prevent their computer from becoming infected. This tells me that at least 60% of the people who find these devices make poor risk decisions that could result in their home or office computer becoming infected with a virus or botnet.”

Perhaps it’s time we put more emphasis on security awareness training?

If you’re a Canadian citizen, reside in Ontario, and have a driver’s licence you now have the option of paying an additional $40, attending an interview, and obtaining an Enhanced Driver’s Licence that will be accepted in lieu of a passport when driving across the boarder. Within the card is an RFID chip so that you can hold it up to a reader, and by the time you reach the border agent they’ll have your information on their screen. According to the Government of Ontario web site, the RFID chip only sends a unique identifier and not your personal information. The Canadian and US governments then allow each other to access their databases. Using a unique identifier is much better than, for example, allowing anyone with a RFID reader to directly obtain your name, address, etc. However, those citizens who choose to obtain an Enhanced Driver’s Licence will be carring an RFID chip with them almost everywhere they go. And it can be read at least 10m way by anyone with the right equipment.

Today the technology is new, readers are expensive and few people have the cards. But imagine what might happen if they become popular in a few years:

On Sundays, you go to your favourite store. The RFID reader at the door logs your entrance, and readers strategically located around the store track your movement. You pay for your purchase with cash, but a reader at the register associates your unique identifier with the details of your purchase. A few months later you don’t have cash with you and you use your credit card. Now they add your name. The next week they’re taking a survey and ask your postal code, and it is added to the database. A year goes by and in a moment of weakness you fill in an application for a store loyaly card. The information you supply is added to the database. Later the store is purchased by another company that also has customer database, and they combine the data.

What we often fail to consider is that the ability to uniquely identify an individual allows us to build a database and leverage that information both before and after the event. In many cases we choose to provide information, and that’s ok. But adding technology that allows anyone with an RFID reader to start collecting it is a bad idea.

Personally, I’ll stick to my passport and only carry it when I travel.

What’s your plan?

Every year we have “flu season”.  And every year we have people show up at work with the flu as if doing show displays their dedication.  In reality, they’re spreading a virus to their colleagues. Hopefully employers are looking at the bigger picture and making simple policies such as prohibiting employees with a fever from entering any company facility.

The larger picture is business continuity planning.  There are countless reasons why employees may not be able to come to the workplace:  Illness (the employee, a family member or fear of contact with ill colleagues), power failures, protests, floods, severe weather and other natural disasters. While firms in the manufacturing sector may have to shut down, many others could, with the right planning, sustain operations with employees working remotely.

How well prepared is your company?

“It could be that the purpose of your life is only to serve as a warning to others.”

In the security field we strive to keep our employers and clients out of that category.  However, reality is such that we often learn best from our mistakes and those of others.  As any parent can attest, even the best warning about the potential danger involved in a childish act of stupidity doesn’t come close to the educational impact of falling, or watching one’s friend fall, flat on their face.

Last week I wrote about a security breach at Twitter that resulted from a poor security design.  The kindest thing I can say is that Twitter managed to ignore more than thirty years of security knowledge and made a design error that I would expect a junior security consultant to pick up in a matter of minutes.

Don’t get me wrong — I’m a huge fan of Twitter.  The basic concept behind their service isn’t new, but their timing, marketing and some of their technical decisions are brilliant. But, as much as it pains me to say this about any company, they are making the same critical mistake that has plagued many startups in the Internet space: They obviously lack competent security expertise.

I’m sure that they mean well, and I’m sure Twitter has some very talented developers that really want to do the right thing.  I’m sure that they have considered some aspects of security.  But they need more.  They need a security pro sitting around the development table.  They need to critically examine every aspect of their system from a security perspective.  And they desperately need a good security risk assessment.

Take, for example, my experience with Twitter last week. On Tuesday they announced the ability to send updates via SMS to Rogers phones. I found out because my phone suddenly started getting SMS messages. I replied with “off” and it stopped.  Wednesday the exact same thing happened again.  “Off” worked, and I logged in via the web to make sure it was really turned off. 

Thursday morning it was back with a vengeance. I was driving to the office and a flood of messages began.  Having worked on an SMS project, I knew that mobile phone companies require systems that use SMS to honour the ‘stop’ command.  As soon as a mobile phone subscriber sends ‘stop’ the service provider is supposed to reply with an acknowledgement and not send any further messages.  So I replied with ‘stop’.  Twitter sent an acknowledgement, but messages continued to flood in.  At first I assumed there must be a queue somewhere, but an hour later I was still being flooded with so many messages that my phone was almost useless.

I logged into Twitter and tried to turn off the SMS updates.  But the system gave me an error and continued to show the updates as ‘on’.  Next I tried to delete the phone.  Given that the Twitter ‘Devices’ page displayed my mobile phone number, that should have been easy.  But in response to the ‘delete’ button Twitter replied that there was no valid device to delete.

I opened a support case and while waiting found that the ‘sleep’ function would still work. I temporarily managed to get messages under control by telling Twitter that I sleep 23 hours per day.  About 10 hours into the incident, I received a reply from Twitter support indicating that they couldn’t resolve the issue and had escalated it.  Some time after that they managed to delete my phone from the system.

From a security perspective, a few things went wrong.  First and foremost, the system is clearly not designed to gracefully handle database inconsistencies.  I don’t know how Twitter’s database works.  Presumably it’s large and complex due to the sheer volume of data it handles.  But if the system can display your telephone number and not delete it, sometime is very wrong.

In a perfect world, databases maintain internal consistency.  But we don’t live in a perfect world, and all sorts of strange things can happen in a database.  From a security perspective (as well as an operational one), we need to accept this fact and design for it.

When it comes to any type of communications system, we must recognize that system failures do occur.  For example, radio systems often have timers to shut down the transmitter in the event that a person, computer, or stuck microphone attempts to transmit for a long period of time. When designing an SMS gateway, we similarly need to recognize that database issues or queuing problems could potentially result in a large quantity of undesired messages being sent to a mobile phone.  To protect both both the organization and the user, the system should be designed to tolerate these failures gracefully.  And when the user sends ‘stop’, the system must ensure that the messages do indeed stop.

Then there’s the helpdesk issue.  Twitter is a free service, and we all understand that free services can’t always provide immediate technical support.  But Twitter doesn’t give the user any way to indicate the severity of the issue.  A ten hour response time to most support requests is fine – but when Twitter is malfunctioning and slamming a user with SMS messages it is woefully inadequate.

Part of a security risk assessment involves asking difficult questions about internal and external threats.  It requires considering what can go wrong and determining the potential consequences. It involves exploring scenarios like, “What happens if one of our executive’s email accounts is hacked?” and “What could cause the system to go berserk and start flooding users with messages?”

Good security is about much more than checking a user’s password.  It’s about achieving a holistic understanding of the system’s confidentiality, integrity and availability properties.  It’s about understanding what can go wrong and how to design and operate  the system to minimize the risk. And ultimately it is about protecting the organization’s bottom line.

If Twitter wants to avoid serving as a warning to others, they need to start taking security much more seriously.  They need to find about $50,000 in their budget for a proper risk assessment.  Then they need to start incorporating security requirements into their software development lifecycle. Investors may be desperate for a good start-up these days, but they understand that security breaches, especially those that reveal questionable security competencies, are bad for business. And in the fickle word of social media, they can be fatal.

My question is this:  How many passwords have to be compromised before we all finally come to the consensus that passwords are a really bad idea?

There are three ways to authenticate someone:

• Something they know (a password);
• Something they have (a physical device); and,
• Something they are (biometrics).

Each of these ‘three ways’ is called a factor. If you want to ensure that someone is who they say they are, simply use two of the above factors for a strong authentication. For example, have the person type in a password and something else, like insert a smart card or type in a 6 digit number that proves they have a specific peice of hardware with them.

The problem with passwords is threefold:

1. Passwords alone are single factor authentication, and by definition that authentication is weak.
2. We let users choose their own passwords, thereby increasing the likelihood that others can figure out the password.
3. Since people forget passwords, we build mechanisms to let them find out their password or reset it.

In other words, we take a weak authentication mechanism and make it worse. And then we act surprised when it fails.

For years we’ve been telling people to choose complex passwords that can’t easily be guessed.  But most people don’t follow that advice.  And even those who do may be subject to attack because of the poor authentication used to reset passwords.  A good authentication mechanism should not not allow each user to determine the strength of authentication.

Effective alternatives are available.  Among them are key-chain size authentication tokens from RSA and Vasco.  In summary, as part of your login to a site you have to type in the 6 digit number that appears on the device, as well as your username and password (or a PIN).

While it’s easy to understand that Twitter may not want to provide users with authentication tokens (it is a free service after all!), at minimum they could, and should, require two-factor authentication for all users with administrative access.  The amount of damage that could result from an intrusion into a Twitter administration account warrants two-factor authentication.  If Twitter had conducted a risk assessment they would know that.

Security professionals have been pointing out these exact problems with passwords for years.  Is anybody listening?

According to Jody Gibney, Group Product Manager of OnlineFamily.Norton, many parents don’t understand what their children are doing online and only about 20% of parents with kids aged 6-18 use technology to help.

It should be no surprise to parents that kids do a lot online:

• They consume, create, and share web content.
• They socialize one-on-one and in groups.
• Kids who use social media have an average of 145 online friends.
• They often have multiple complex online identities.

It’s no surprise that parents have a hard time keeping up.

Parents also may not realize where the real dangers lie.  While pedophiles have lured children across the Internet, such occurrences are very rare. Much more common is, as Jody put it, “plain kid-on-kid meanness.”  Social media sites allow kids to post hurtful words, images and videos that can result in real-world embarrassment. Parents need to know what sites their kids are using and decide if and how they should monitor it. Rather than simply prohibiting access to sites, Jody suggests that parents negotiate age-appropriate solutions with children.  For example, a teen may be allowed to use Facebook on the condition that they ‘friend’ Mom so that she can see what is being posted.  If the child sets up a second Facebook account, it’s important that Mom have a way of finding out about it.

Some elements of Norton’s approach, like categorizing web sites and reporting on use, are similar to other products, but their philosophy is different.  Norton’s service is designed to encourage dialog and negotiation between parents and children. For example, Norton encourages parents to log in to OnlineFamily’s web-based interface with their children and discuss the various choices and options. The selections made for each child become “house rules” and include web site categories as well as rules relating to the use of instant messaging, what times the Internet can be used, for how long, and what happens when rules are violated.

Most rules and limits can be configured as hard or soft. Hard time limits log the child out after giving a 15 minute warning, while soft time limits simply report the activity. Similarly three options exist for web sites: Monitor use but don’t block, warn the child first but let them proceed to blocked sites, or actively block access to sites that violate the house rules.

Norton’s approach, Jody explained, is to “understand intent, guide online behavior and discuss online activities.” When a web site is blocked, OnlineFamily gives the child options that include “Oops, I made a mistake! Let me go back.” and “I want to tell my parents why I tried to go to this Web site.” There is also an option to dispute the categorization of the site. When a child researching a homework assignment is prevented from accessing a site, he or she can explain why they want access and the request is sent to parents in real-time.

I’m often concerned about the ethical implications of monitoring software and I believe that spying on family members can erode trust and damage relationships. OnlineFamily avoids that issue completely. Not only does it display a notification every time the child logs on, but the child can also click on the application’s icon and display a summary of house rules, including information on what types of activity is being monitored.

Last week I created an account on OnlineFamily.Norton.com while it was still in beta. I downloaded the program and installed it on our family computer. Then I logged into the OnlineFamily web site, added my daughter as a family member, identified which computer account she used and sent an invite to my wife giving her ‘parent’ access. Next I set the rules and explained the system to my daughter.  Overall, I’m impressed. I did run into a few rough edges with the beta, but by the time you read this they will have been fixed.

OnlineFamily.Norton is the first product in this space to actively involve parents and that makes it a winner. It officially launches today at http://Onlinefamily.Norton.com and is free until January 1, 2010. Norton hopes to receive feedback from parents and say they will consider it carefully before deciding on the future pricing model.

The ISTR contains a lot of interesting information and I’d encourage you to read it — I’m certainly not going to repeat all the findings here.  But if you’re an average Internet user wondering what’s going on, here is my greatly oversimplified summary:

Criminal activity on the Internet continues to increase.  Criminals are targeting your personal information, especially your credit cards and logins to your financial institution. They’re doing so mostly by compromising the web sites you visit and installing nasty stuff that downloads to your computer.

There are a lot of things you could do to protect yourself.  But the real question isn’t what you could do, it’s what should you do.  Here are my top five recommendations:

1. Ensure your anti-virus software is up-to-date.  If you don’t have an AV package, get one.  AVG, BitDefender, Kaspersky, McAfee, Nod32, or Norton/Symantec.  (In alphabetical order if you’re wondering.)  
2. Update your operating system and unless you have a very good reason not to, set it to update automatically.  A lot of systems are being compromised even though a fix was issued more than 6 months ago.
3. Back up data you don’t want to live without. Use removable media (CD, DVD, USB Flash drive, USB Hard drive) or an automatic Internet backup service like Carbonite.
4. Avoid the darker side of the Internet like gambling, porn, pirated software, illegally distributed movies, etc. They’re a haven for malware.
5. Don’t let your kids play on your work computer.

The vast majority of intrusions into personal computers are preventable.  Following these five simple recommendations dramatically reduces your risks.

For business readers, here’s an excerpt from the ISTR:

“Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity. Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content. Some of the common techniques used by attackers to compromise a website include exploiting a vulnerable Web application running on the server (by attacking through improperly secured input fields), or exploiting some vulnerability present in the underlying host operating system.”

Sixty-three percent of vulnerabilities documented by Symantec in 2008 affected Web applications. The message to web application developers is clear: Many of you are not paying sufficient attention to security. As a profession, you are failing your customers.

I realize that’s a harsh statement and that in many cases web developers are responding to downward pressures on price and unrealistically short development timeframes.  But as a profession it’s time to step up to the security challenge and start designing web applications that resist and even tolerate some intrusions while still protecting sensitive information and users. Those users, after all, are your customer’s customers.

We must start paying more attention to security throughout the software development lifecycle.  That includes ensuring security requirements are identified along with other functional requirements for new applications.  In fact one of the problems is that we still consider security requirements somehow separate from ‘functional’ or ‘business’ requirements.  They’re not.

Perhaps this is one space where the open source community could play an important role.  Most web applications have common requirements like user account maintenance, authentication, priviledge management, session control and input validation.Yet every application developer seems to create their own and many make the same mistakes. Perhaps it is time for an open web application framework that handles these critical functions…and does it right.

There are a number of ways to monitor a brand online. Some free services will monitor search engines for mention of specific keywords and other medium-specific tools can be used to monitor media like Twitter. But when I asked the pros what they use, the name Radian6 came up — over and over again.

Radian6, founded in 2007, is based in Fredericton, New Brunswick and has 45 full-time employees.  Amber Naslund, the firms’s Director of Community, explained,

“Radian6 provides the social media monitoring platform for marketing, communications and customer support professionals. The company’s flexible dashboard enables monitoring all forms of social media with results appearing in real-time as discovered. Various analysis widgets give users the ability to uncover the top influencers as well as which conversations are having an impact online.

Radian6 gathers real-time-as-discovered information from across the social web, including blogs, video sharing sites, boards and forums including LinkedIn Answers, and emerging media such as FriendFeed and Twitter.”

After a brief online training session that Radian6 provides to all new customers, I logged in to their slick web application and began to enter some keywords I wanted to track.  And that’s where the similarity with free tools ended.  Radian6 provides powerful tools to drill down in results and analyze them. For example, I could quickly sort hits based upon the level of engagement (measured by comments) or inbound links.

While savvy companies will obviously want to read everything written about their products, it is often necessary to prioritize.  Radian6 not only finds relevant information and conversations, but they also provide the tools needed to analyze and prioritize.

While monitoring their brand is an obvious priority for Radian6’s 300+ customers, I can imagine many other uses.  For example, by choosing the right keywords and leveraging Radian6’s powerful widgets, I was able identify and begin to track key influencers on specific subjects.  A similar approach could also be used to track competitors, business partners or a key industry.

It didn’t take long to understand why PR pros pointed me to Radian6. Behind their advanced software is a team that not only understand and embrace social media, but they also ‘get’ customer service. When I needed help, one Tweet and Amber had me sorted out in a matter of minutes.  It doesn’t get better than that.