August 21st, 2008
From the BBC
A contractor working for the Home Office has lost a computer memory stick containing personal details about tens of thousands of criminals.
The Home Office was first told by private firm PA Consulting on Monday that the data might be missing.
The lost data includes details about 10,000 prolific offenders as well as information on all 84,000 prisoners in England and Wales.
The Home Office said a full investigation was being conducted.
Again, from our perspective there are only two ways memory sticks or USB drives should be used…either encrypted or not at all. Our endpoint security can’t prevent your employees from losing USB drives but it can prevent company data being copied to them or falling into the wrong hands.
August 21st, 2008
According to Australian blogger Long Zheng, it appears Microsoft is looking to patent a security feature similar to what Apple uses in its Safari browser.
Web browsers store history and cookies that can be used to track where users have been. This information can be read by web sites a user visits to provide some information about who they are. Microsoft is looking to provide easier ways for this information to be deleted or prevent its collection.
Look for this feature in Internet Explorer 8.0 which will probably be released sometime in 2009.
August 20th, 2008
I found this post on a blog this AM. This demonstrates the power and danger of Google.
http://strydehax.blogspot.com/2008/08/hack-olympics.html
Just remember, if you are going to store something online or share a folder in a way that makes it accessible through a web query, realize Google probably will find it and make it accessible to the world.
Want a good scare? Visit Johnny Long’s web site here and see what he found on Google.
August 19th, 2008
Most of the media coverage and corporate focus related to digital threats is geared towards high-profile, externally-oriented ones. Vulnerabilities, exploits, worms, etc. are the main drivers for vendor solutions. However, internal threats pose an equal and arguably greater threat because of low awareness.
Recently, insider threats, which have always been there, have been more widely reported, most recently with Countrywide’s disclosure related to the millions of stolen and compromised mortgage applicant records.
In response to this, PromiSEC, a leader in clientless solutions to enforce the security, compliance and integrity of endpoints and servers, has introduced a publicly available Internal Threat Encyclopedia.
This is a great idea!
Now there is a place to get reliable and up-to-date information on the many commonly used programs that create holes in your security or compliance environment.
What I like most about the PromiSEC product is that it is so easy to use and configure. Since it’s clientless, there are no installs on PCs. I’ve seen this product scan, identify and lock down hundreds of computers in less than 10 minutes. The ease with which it does this is amazing.
For more information about PromiSEC visit our web site www.gnscon.com
August 15th, 2008
No, I am not talking about visiting caves. Splunking is the process of using a product called Splunk. It’s a security search engine that allows you to view log information from various sources such as firewalls, servers, and other network devices and report on them. Think of it as Google for IT stuff. Beyond the functionality, which is excellent, the really nice thing about this product is that it’s open source, meaning it’s essentially free to use if you don’t want any professional advice or support and you are not pumping tons of data into it.
This 2 minute video gives you all the information you need to get started.
How does it work?
Splunk, like Google, needs data to work. Google’s strength is that it can not only search through tons of data but also correlate it, making some assumptions about what should be displayed and in what order. Splunk works much the same way. It uses data generated from virtually any networked computer device and then allows you to search for things that are important, such as signs of potential or known problems. By default it can automatically gather information from Event Logs, syslogs and file shares, and with a growing list of plug-ins it can read data from other sources.
So how does it benefit the average company?
Splunk is a framework that can make sense of data. In its simplest form, it can show you on one page the condition of a system, security information, change controls, web page stats, etc.
If you’re looking for a way to easily report on the IT log data you already have, you should look at Splunk.
August 13th, 2008
Info Security Magazine recently sponsored a great online presentation on Web 2.0 and the issues surrounding social network sites such as MySpace, Facebook and LinkedIn.
If you are interested in learning about the issues surrounding Web 2.0, Generation V and Social Networking, this is a great place to start.
I work with Chris Pruetz who does the technical presentation.
You can register for it here. It’s archived, so you can attend at a time that best fits your schedule.
Very informative. Highly recommended.
If you are interested in learning more about the solution they recommend from Marshal Inc, please visit our website at www.gnscon.com
August 12th, 2008
I’ve seen some interesting software error messages, some with bad English, some incorrect translations and ones that make absolutely no sense.
Have you ever sent an error report to Microsoft from IE? Most of the time I don’t because they tend to blame everyone but themselves for the problem.
I was tempted today because my IE has been crashing all day. To my surprise I saw the following….
This problem was caused by Windows, which was created by Microsoft Corporation. Currently, there is no solution for the problem that you reported.
Wow. An admission of guilt.
August 11th, 2008
If you haven’t already heard, the big IT security news over the last few weeks has been the DNS Vulnerability that was outed by Dan Kaminsky, a security researcher at IOActive in Seattle. It’s appeared in most major publications and it was certainly one of the top talks at Black Hat last week in Las Vegas.
For more information on this, see the NY Times article here
What’s it all about and why is this so important?
The issue is that it affects the heart of the Internet. DNS or Domain Name Service is what makes everything work. It is the thing that makes browsers work and email flow. In very simple terms, DNS converts named domains to IP addresses. It is the human factor of Internet routing.
The issue that Dan Kaminsky exposed, which has actually been known for years, is that with certain DNS servers (BIND), carefully crafted code could be used to “poison” the server and divert legitimate DNS requests to unauthorized servers. What this means is that if you wanted to go to your online banking site and typed in “www.whateveryoursitenameis.com”, a compromised DNS server might take you to another site or even an official looking replica of your banking site that could be used for fraudulent purposes. Essentially requests to go to a specific site are “hijacked”.
The issue potentially affects everyone, but it’s up to ISPs to fix it. Why haven’t they fixed it? Well, there are really two main reasons. First, there is no real fix. There’s a patch, but it supposedly slows everything down. In the consumer’s mind, ISPs are measured by speed, not security. To most businesses, slowness is worse than having a potential security issue. The second reason is that some ISPs don’t see the risk as being that high. Their argument is that if it’s known and there have been no exploits, why worry. To most ISPs’ credit, they have taken either direct or indirect steps to protect their customers. However, some have not.
Dan’s talk at Black Hat has pretty much eliminated both the above arguments. In fact it’s been reported that several exploits have now been published and there have been a few actual attacks. This week will prove to be a defining week.
What do you do? Well Dan Kaminsky has a great resource on his web site that will allow you to determine if your ISP’s DNS is vulnerable. You can find it here. If it is, you can contact your provider and ask what they are doing to protect you.
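As an added example (not part of the original post and not Dan Kaminsky's tool): the 2008 patches worked by randomizing the source port of a resolver's outgoing queries, so a check of this kind comes down to how varied those ports look to the server receiving the queries. This Python code rates resolvers from constructed, simplified BIND-style query-log lines; the addresses, rating names and thresholds are assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample data: source ports seen from five resolvers
# (documentation-range addresses, not real measurements).
CONSTRUCTED_PORTS = {
    "192.0.2.53": [32768, 32768, 32768, 32768, 32768],
    "198.51.100.7": [1025, 1026, 1027, 1028, 1029],
    "198.51.100.8": [1030, 1041, 1025, 1037, 1029],
    "203.0.113.9": [51234, 8812, 40217, 23901, 61005],
    "203.0.113.20": [40000, 12345],
}
# Rendered as simplified BIND-style query-log lines: "client <ip>#<port>: query: ..."
SAMPLE_LOG = "\n".join(
    f"client {ip}#{port}: query: t{i}.test.example IN A"
    for ip, ports in CONSTRUCTED_PORTS.items()
    for i, port in enumerate(ports)
)

CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#(\d+): query:")


def ports_by_resolver(log_text):
    """Group observed source ports by resolver address, in arrival order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        match = CLIENT_RE.search(line)
        if match:  # skip lines that are not query records
            seen[match.group(1)].append(int(match.group(2)))
    return dict(seen)


def rate_ports(ports, min_samples=5, min_stdev=3000.0):
    """Rate port variety. Both thresholds are assumptions for illustration."""
    if len(ports) < min_samples:
        return "INSUFFICIENT"  # too few queries to judge
    if len(set(ports)) == 1:
        return "FIXED"  # every query left from the same port
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "SEQUENTIAL"  # constant increment, trivially predictable
    if statistics.pstdev(ports) < min_stdev:
        return "NARROW"  # ports vary, but only within a small range
    return "RANDOMIZED"


def assess(log_text):
    """Return {resolver address: rating} for every resolver in the log."""
    return {ip: rate_ports(p) for ip, p in ports_by_resolver(log_text).items()}
```

Any rating other than RANDOMIZED is a reason to ask the resolver's operator whether the patch has been applied.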
August 11th, 2008
In Part 1, we went back to basics and started with the minimum security that every business and home computer should have.
In this week’s article we’ll look at an equally important minimum for every small to medium sized business: knowledge, understanding and education.
One of the most important things when approaching computer security is to remember there is no panacea. Installing some piece of software or hardware does not make security problems go away. The hardware or software may mitigate risk or help you manage risk, but the risk never actually goes away. It’s important to remember this since our tendency is to rely on technology to solve problems.
Take for example the firewall. With it, intruders are knocking on our electronic door. The firewall simply prevents intruders from walking right in. Even so, the intruder keeps knocking and looking for other ways in. The danger is the firewall can make us complacent. What we don’t see or hear doesn’t bother us. Yet, the risk never really goes away.
A homeowner, even with locked doors and a security system, would still wisely be on guard for the intruder if they knew the intruder was parked outside their door. What if the intruder calls his lock picking friend to attempt to open the locks? Maybe he knows someone who can disable the alarm system? Maybe he can even convince the homeowner he’s not a threat and let him in. A wise homeowner always remains alert for trouble. It should be the same for IT security.
The first step in this process is education (assuming you are already running a good anti-virus program, supplemented with a good malware program and a properly configured firewall). You need to know the issues, the threats and the risks.
Here are some great places to get started. Wade into the reputable security media on the Internet first before plunking down $$$ for classes or educational materials.
- Security Focus – a good portal to general computer security news
- ITSecurity – a more issue-driven computer security site.
- SANS – A leader in security information publishing, training and certifications.
- Microsoft Security Central – Microsoft’s site for keeping you updated.
There are many more, but these will get you started. If you want more or issue-oriented ones, just contact us. A perfect way to keep on top of issues is to subscribe to these sites’ RSS feeds.
In Part 3, we’ll define and discuss some of the current issues and terms in more detail.
August 11th, 2008
I received a few emails on Part 1 and was asked why I didn’t include Patch Management as part of my article in Part 1. Well the answer is, I could have but I chose not to. Patch management is definitely important and it will be defined in Part 3 and discussed in Part 4.