Thursday, September 24, 2009

iPhone Security

Perhaps it’s because we think of Apple as the security-minded OS – the Mac, that is – so we trust the iPhone. I am dumbfounded over and over as I study just how insecure information is over the iPhone. Is that Apple’s fault or the problem of securing information over the wireless cell phone network? Things that travel over the air need to be smaller – so am I assuming too much if I say that Apple has “built it” without worrying about security so that people will buy it, use it, and love it – then they can worry about its security? I wanted one as well and now that I have one, I can see why people love it – it is so nice to have “things” available via the Internet over this small device. In a recent DAR meeting, we wanted to read a certain article in the recent DAR magazine, but no one remembered to bring their magazine. I was able to pull it up on the iPhone and read it to the group. It saved us a lot of headaches by being able to do that. So the convenience and access to information is tremendous. Plus it is small and easy to carry around, as opposed to a laptop. Had I brought my laptop, I could have connected to the Internet by tethering my laptop to the iPhone. So now, the iPhone has the ability to act like an air card and connect to the Internet via the AT&T 3G network. If SSL is broken on the iPhone and I am not really getting a secure connection on the iPhone, what happens when I tether my laptop to it and try to create an SSL connection over the 3G network? Is that broken also? Is it possible to tunnel through that 3G network with an encrypted channel and have a secure connection? I still have many questions about how this all works!!

Sunday, June 7, 2009

Shortened URLs

TinyURL and Bit.ly are commonly used services that map a long URL to a short one. The short URL is handy wherever space is limited, such as on mobile devices or in a Twitter message. It is also open to abuse, because the user can’t see the real destination: the short link takes the browser to the shortening service, which looks up the long URL it has stored and redirects the browser there. Malware distributors are already using shortened URLs to steer trusting users to malicious sites. When a friend sends you a link, you are essentially trusting that they are sending you to a safe site. Bad people are stealing Twitter logins, for example, and then sending bad links to everyone on the victim’s “friends” list. Firefox has an add-on called LongURL that shows you the long URL when you hover your mouse over the short one. Or you can go to the LongURL site – www.longurl.org – type in the TinyURL, and it will give you the full URL. LongURL supports URLs from tinyurl.com, is.gd, ping.fm, ur1.ca, bit.ly, snipurl.com, tweetburner.com, metamark.net, url.ie, x.se, 6url.com, yep.it, piurl.com, and others. It is also good to note that LongURL has a plug-in for web developers as well.

Friday, May 1, 2009

The OSI & TCP/IP Models

The OSI (Open Systems Interconnection) model is a product of the International Organization for Standardization (ISO). It consists of seven layers that define how information is transferred across networks. The layers, from lowest to highest, are the physical layer, data-link layer, network layer, transport layer, session layer, presentation layer, and application layer. Knowledge of this model is required for nearly every networking exam out there, and it is often used in job interviews to see how well one understands networks. One way to remember the layers is with a mnemonic. If you google the OSI layers, you will find a long list of mnemonics that are meant to help! Here are a few, from bottom to top:

"People Design Networks To Send Packets Accurately"
"People Don't Need This Stuff Presented Anyway"
"People Don't Need To Study Protocol Analysis"
"Phil Donahue Never Televises Sick People Anymore"
"Philys Did Networking Till She Passed Away"
"Please Do Not Take Sales-People's Advice"
"Please Do Not Tell Secret Passwords Anytime"
"Please Do Not Throw Salami Pizza Away"
"Please Do Not Throw Sausage Pizza Away"
"Please Do Not Touch Steve's Pet Alligator"
"Please Don't Network These Stupid People Again"
"Programmers Dare Not Throw Salty Pretzels Away"
"Programmers Do Not Throw Sausage Pizza Away"

If you want to go the other way, these are from top to bottom!

"A Pathetic Silly Trick Never Does Please"
"A PC Sees The Network During PowerUp"
"A Perfect System That Never Did look Perfect"
"Active Penguins Seek the Nearest Deep Pool"
"All Parents Should Teach New Dads Parenting"
"All Penguins Stand Too Near Deep Pools"
"All People Seem To Need Data Processing"
"All People Seem to Need Dominos Pizza"
"All people should teach networking daily please"
"All People Studying This Need Drastic Psychotherapy"
"All Pizza Seems To Need Double Pepperoni"
"All Pre-School Toys Need Durable Parts"
"All Pretty Serious Teenagers Never Do Physics"
"American Presidents Should Try New Dating Practices"
"And Please Send Them New Delhi Pie"
"Angus Prefers Sausages To Nibbling Dried Pork"
"Apply Proper Sense To Network Data Path"
"APS Transports Network Data Physically"
"Australian Post Sucks They Never Deliver Parcels"

Personally, I have more trouble remembering the mnemonics!! At least the layers make sense to me!! Perhaps that comes with understanding how the layers are meant to function together.

The TCP/IP model is probably the more useful of the two, and it is often shown beside the OSI model to compare its layers. It grew out of the DARPA work on the ARPANET that predates the Internet. The TCP/IP model has only four layers: the Link (or Network Access) layer, which covers the physical and data-link layers of the OSI model; the Internet layer (IP), which corresponds to the OSI network layer; the Transport layer (TCP and UDP), which corresponds to the OSI transport layer; and the Application layer, which spans the session, presentation and application layers of the OSI model.

Since the Internet protocol suite is the set of protocols the Internet actually runs on, learning and using the TCP/IP model is critical to understanding the Internet architecture.

For additional information, there are good descriptions of both models on Wikipedia. Also see RFC 1122 and RFC 1123, which state the requirements for Internet hosts at the communication layers and at the application layer, respectively.
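The layering is easiest to see by taking a frame apart the way a receiving host does: strip the link header, then the Internet header, then the transport header, and what is left belongs to the application. The parser below is an added example (not from the post or either RFC). It handles Ethernet II, IPv4 with a variable IHL, and TCP with a variable data offset, and builds its own sample frame inline; the MAC and IP addresses in that sample are illustrative and its checksums are left as zero, which a real stack would reject.

```python
import struct


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """Link layer: 14-byte Ethernet II header (dst, src, EtherType)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(packet):
    """Internet layer: IPv4 header; honours IHL (options) and Total Length (trailer)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    hdr = {"src": _ip(src), "dst": _ip(dst), "ttl": ttl, "proto": proto, "total_len": total_len}
    return hdr, packet[ihl:total_len]


def parse_tcp(segment):
    """Transport layer: TCP header; honours the data offset so options are skipped."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("malformed TCP data offset")
    flags = off_flags & 0x01FF
    hdr = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
           "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10), "psh": bool(flags & 0x08)}
    return hdr, segment[data_off:]


def decapsulate(frame):
    """Peel one header per layer, bottom to top, and return what each layer saw."""
    link, rest = parse_ethernet(frame)
    if link["ethertype"] != 0x0800:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % link["ethertype"])
    internet, rest = parse_ipv4(rest)
    if internet["proto"] != 6:
        raise ValueError("not TCP (protocol %d)" % internet["proto"])
    transport, payload = parse_tcp(rest)
    return {"link": link, "internet": internet, "transport": transport, "application": payload}


def build_sample_frame(payload=b"GET / HTTP/1.0\r\nHost: sans.org\r\n\r\n"):
    """Constructed sample: a PSH/ACK segment carrying one HTTP request.
    Addresses are illustrative; checksums are zero (not valid on a real wire)."""
    tcp = struct.pack("!HHIIHHHH", 40123, 80, 1000, 5000, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([66, 35, 45, 201]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for layer, value in decapsulate(build_sample_frame()).items():
        print(layer, value)
```

Every layer checks its own length fields before trusting them; a frame cut short anywhere raises instead of reading past the buffer, which is the habit to keep when the input comes from a capture file or a raw socket rather than from `build_sample_frame()`.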

Sunday, April 19, 2009

Firefox and No Script

Firefox is my browser of choice, at least for home use. It is not something that our IS division chooses to support in our work environment. I started using it because it was the more secure choice for browsing. It has had its security issues like everything else, but the Mozilla people are quick to fix them and it is still less likely to be the point of attack. In addition, they have these things called Add-ons. The idea of the Add-on is to customize your browser experience so that it works the way you like. Some of these Add-ons are quite powerful. My favorite is NoScript. It allows you to choose the scripts that you want to run. It is also an eye opener to see how many scripts are running on these sites, and which ones don’t need to run for the sites to work. I generally allow only the site I go to, if I need it, and none of the “analytics” that are used to track our browsing behavior. Those are not needed for the functionality of the web page. It is still amazing to me how many scripts are being used and how they are becoming critical to our browser experience. By blocking these scripts, we are less likely to click on a random site and become infected with some random malware! It allows us to pick and choose which sites we trust to run these scripts. This is a pretty powerful tool!!

Friday, April 10, 2009

My Mac Friends

To my Mac friends: I love Macs. I want one! They say Mac folks are a “class of their own”. They say they don’t think they need to worry about security and “antivirus”. Well – I’m a Mac lover and I agree they have built a great system. But please don’t miss the threats that are being aimed at the Macs! Think about it. Mac lovers are willing to spend a little more on a good system. In the short term, they were not targets. But now – as the world is getting more sophisticated, as are the bad guys, Macs and Mac users are targets.

Yay for Macs. I love them! I want one! I used to work for an organization that was all Macs! That is, until Windows ’95 came along and offered some of the things that the Mac folks already knew and had been enjoying for a number of years! But – Windows ’95 came in at a better price! It took probably fifteen years for the Microsoft folks to get up to speed with the Macs – and I don’t think they’re there yet – but they definitely have the market share. Finally the Microsoft folks are getting their operating systems, and software, to a more secure level. The Mac folks have still been sitting back there for the last 15 years wondering when they (Microsoft) would catch up!

I love the fact that the Mac went to an underlying system that is Unix based! More of us will be able to understand and want the Mac for just that reason! Their systems are tough both physically and electronically! But – they are being targeted – not a lot, but enough to make the Mac users hesitate. First – the file system is set up so that “everyone” has read permission on any newly created file (the default umask is 022, as on most Unix systems). Friends – stand up and take notice. You do need to be sure your systems are secure. You do need to purchase and install an antivirus program. You do need to use the firewall. OS X comes with a built-in firewall, but you may want to change the configuration. For help with hardening your Mac platform, check out the SANS Mac OS X Security Checklist at http://www.sans.org/score/macosxchecklist.php.
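To see the “everyone can read it” point for yourself, create two files under different umasks and look at the resulting permission bits. The script below is an added example (not from the post or the SANS checklist); it works on OS X, Linux or any other Unix, uses only the standard library, and writes into a temporary directory it removes afterwards. The `audit_world_readable` function is the same check turned into something you can point at a home directory.

```python
import os
import stat
import tempfile


def create_with_umask(directory, name, umask):
    """Create a file while the given umask is in effect, then restore the old one.
    The kernel computes mode = 0o666 & ~umask, so 0o022 yields 0o644 (world-readable)
    and 0o077 yields 0o600 (owner only)."""
    old = os.umask(umask)
    try:
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("private notes\n")
    finally:
        os.umask(old)
    return path


def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_world_readable(directory):
    """Return (relative) paths of regular files under directory that anyone can read."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if world_readable(path):
                found.append(os.path.relpath(path, directory))
    return sorted(found)


def demo():
    """Constructed demonstration: one file under the default umask, one under a tight umask."""
    with tempfile.TemporaryDirectory() as workdir:
        loose = create_with_umask(workdir, "default_022.txt", 0o022)
        tight = create_with_umask(workdir, "tightened_077.txt", 0o077)
        return {
            "default_is_world_readable": world_readable(loose),
            "tightened_is_world_readable": world_readable(tight),
            "audit": audit_world_readable(workdir),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Setting `umask 077` in your shell profile makes new files private by default; files that already exist keep whatever mode they were created with, which is what the audit function is for.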

Network administrators may also need to help your Mac users. Macs can’t just be “left alone” … if they are on your network, you need to understand how they work, and what they are capable of. Those Macs are mighty powerful systems – and you want them on “your” side, not the bad guys’ side! The SANS Checklist also includes information about the Mac as a server. It is a “must read” for Network Administrators!

Sophos just had a great article about the latest threat to the Macs. They even have a video showing how easily they can be exploited. Please check it out at http://www.sophos.com/pressoffice/news/articles/2009/03/mac-malware.html . It is worth the time and money to put an antivirus on your Macs!! There are several options, also outlined in the SANS Checklist, including some enterprise options.

Mac users – go forth and enjoy – safely!!

Friday, April 3, 2009

What's Up With DNS?

DNS (Domain Name System) is that wonderful service that translates domain names to IP addresses, like sans.org to 66.35.45.201 or yahoo.com to 68.180.206.184. DNS was designed with very little security in mind and has been a troubled service ever since. It runs mainly over UDP port 53 (TCP port 53 is used for large responses and zone transfers). UDP is one of the transport protocols in the TCP/IP suite. It is sometimes referred to as "spray and pray" because it just sends packets out and hopes they get to their destination. UDP is called an "unreliable protocol" because there is no guarantee of delivery, or of a response for that matter. Because there is no handshake, it is also easy to forge the source address of a UDP packet, which is why DNS replies must be matched carefully to the query that asked for them.

So what's all the hubbub about DNS being such a problem? First - it may take a little time to get your answer back. You type "www.yahoo.com" into your browser and you wait for a connection. Behind the scenes, a UDP query goes out to your "name server" (the resolver), which will attempt to translate the name to an IP address and hand it back so your browser can connect to that address. If your name server doesn't already know the answer, it asks up the chain: the root servers, then the servers for ".com", then the servers for "yahoo.com", until someone along the line supplies the address. This week two of the big DNS providers, Neustar and Register.com, were both hit with DDoS (Distributed Denial of Service) attacks. Several big companies were affected, including Amazon and Petco. The providers reported a huge increase in name service requests, to the point that they were unable to answer all of them. The result ... you probably would not be able to connect to Amazon.com, not because Amazon was down but because its name could not be resolved.

This is just one of the many problems with the current DNS design. To learn more about how DNS is set up, see RFC 1035, "Domain Names - Implementation and Specification". "RFC" stands for "Request for Comments", but the RFCs are the definitive documents on how things work in the Internet protocol world!
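RFC 1035 is short enough that the wire format can be reproduced in a few dozen lines, which is the best way to see how little protects a DNS answer. The code below is an added example, not from the post or the RFC: it builds the UDP query for the www.yahoo.com lookup described above and parses a reply, including the name-compression pointers that real responses use. The reply it parses is constructed inline (it carries the 68.180.206.184 address quoted in the post); the `resolve_live` helper sends a real query but is not run here, and the 8.8.8.8 server it defaults to is an assumption you can change. The transaction-ID check is the one defence a plain resolver has against a forged reply arriving first, which is exactly what UDP makes possible.

```python
import os
import socket
import struct


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """Standard query with RD=1 and one question; qtype 1 = A record, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Read a possibly compressed name at offset (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name as it appeared at the call site)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg, expected_txid):
    """Parse a reply; returns (rcode, [(name, ttl, ipv4), ...]) for the A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply may be spoofed")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                                 # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return rcode, answers


def resolve_live(name, server="8.8.8.8", timeout=3.0):
    """Send the query over UDP 53 and parse the reply. Needs network; not run here."""
    txid = int.from_bytes(os.urandom(2), "big")         # unpredictable, so forgers must guess
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _peer = sock.recvfrom(4096)
    return parse_response(data, txid)


# Constructed reply to a www.yahoo.com A query: NOERROR, one answer, TTL 300.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    + encode_name("www.yahoo.com") + struct.pack("!HH", 1, 1)  # question echoed
    + b"\xc0\x0c"                                              # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)                       # A, IN, TTL, RDLENGTH
    + bytes([68, 180, 206, 184])                               # RDATA
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, SAMPLE_TXID))
```

A real resolver also checks that the reply came from the address it sent to, that the question section matches what it asked, and that the source port it used was random; the 2008 cache-poisoning work showed that a predictable transaction ID and port are enough for an attacker to win the race against the legitimate answer.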

Wednesday, April 1, 2009

Are we April fools, or just foolish?

We’ve made it through April Fools’ Day without an incident from the Conficker worm. Perhaps it has taught us a lesson or two. A lot of people have been getting their computers “up-to-date” these last few days with the threat of something possibly happening. That has to be a good thing. Some of us will be a little more confident in our “effective posture” on April 2nd. Let’s see if we can keep up the good work without becoming complacent after a few days go by!

Another new threat emerged this past week – a new worm that targets routers, primarily home routers. It is supposed to be very stealthy – which means it will be hard to tell that you have been compromised! Many of us have our home wireless routers in place – perhaps we did our due diligence when we set them up. But many people have put them in place without understanding what they do, or taking the time to change the default passwords! So this brings up a few basic security rules for routers:
1) Always change the default password!
2) Patch! Patch! Patch!
3) Turn off management access from the Internet.

So - we're back again to passwords and patches! And - why expose our management interface to the Internet if we don't need to? It's sort of like locking your front door!

Sunday, March 22, 2009

The CAG - Consensus Audit Guidelines - Draft 1.0

Our state security committee has begun the review of the CAG. It has been discussed at our last two security meetings. There is much support in the committee for a guideline that actually has a good amount of body to it. I am in the process of updating a checklist for an internal audit. It is an old list and needs to be updated. That process is giving me an opportunity to go through the Consensus Guidelines and include a good amount of these best practices. In many cases, I already know the answers - and they will be no, we don't have these in place. At least the questions will be asked so that the ideas are put in place in the minds of the people who will be thinking about these questions. When I have completed my list, I will share it with our security committee. There may be others that will find it useful, or they may want to also edit and change it for their use. Our agency, as with others, will probably say that some of these ideas are beyond what we need - and definitely what we can afford. We are limited both financially and with resources. But as we go forward, these things will be in their minds and it will be interesting to see how they will impact all of us. There are many of these that could be implemented with little money and resources. Some of them I've already heard people from our agency say that we don't need. It is good to have the support of the security community when trying to explain that these things need to be in place! We have far to go before we sleep!!

Wednesday, March 18, 2009

It's mine and I'll Patch, Patch, Patch!!

For me, security has become a passion. I am always amazed at what is going on in the world of the Internet. Far too many of us are such trusting people. Is this an exclusively American trait? We are happy, believing, trusting people. We want to leave our wireless routers open so that our neighbors can use it. We don't really believe that criminals might come into our neighborhoods to use our Internet connection. But the world is taking advantage of us every day. How much of our hard earned savings is going overseas? How much of our tax payer dollars have already gone overseas? How many of us have already had our identity compromised? Yes - our government has given a lot away, but how much has been stolen from us? Now that's a different story. That's not politics - that's us! We bury our heads in the sand and let it happen!

I hear my own children say that they don't want to have to deal with all the security. They just want to be able to do their thing, and let someone else take care of the security (mom!). But now - we need to take care of ourselves! No one is going to do it for us. There are lots of us out here that are willing to help make the Internet a place to feel safe. There are many things one can do to make it a safer, fun, interesting, and educational place! But we all need to take responsibility for our own computers! Stand up and take notice ... this is my computer and I will do my best to keep it a safe place!

So what will I do? FIRST, I will have automatic updates running on my computer! Please make sure they are turned on and that your computer is up to date. This is not something to take lightly. It may take time to get all the updates on it, but those that are being exploited - and there are millions - are being taken advantage of BECAUSE they have not updated their computers. All the major players - Microsoft, Apple, the Linux distributions, Adobe, Mozilla (Firefox), and many more - post their updates and security patches as quickly as possible. Those unpatched systems are the ones that the thieves of the world are going to try to exploit. So - patch everything! I will keep my computers as "up-to-date" as I possibly can. That is our FIRST line of defense! So - Patch! Patch! Patch!

Lynda