Archive for the 'Security' Category

How dangerous user behavior puts networks at risk

December 12th, 2007 | Posted in Security

As CIO at Bunker Hill Community College, Bret Moeller embraces students experimenting with technology as part of their education, but he’d prefer if their independent studies didn’t involve hacking into the college’s network.

“There are some students who discover at school that their whole point in life is to hack into the college’s network to either glean information they have no right to access or to simply kill the network to prove they can do it,” said Moeller, who works to manage and secure the Boston-area college’s network.

“We can detect scanning on our network and we try to lock things down as much as possible or not allow software on workstations, but sometimes there can be a hole in our protections. We can’t control the end users to the same degree one can in a corporate environment, but we still have to do as much as possible to secure the environment from end users,” he said.

Yet, Moeller may have more in common than he realizes with corporate network and security managers.

Recent research from the Ponemon Institute revealed that a majority of users disobey company security standards — and they do so knowingly. In addition, survey data just released by RSA shows that trusted insiders “create data exposures of extraordinary scope” through their everyday behaviors.

“End users are smarter than ever. The advent of the PC at home and not just work anymore, as well as the ability to look up and verify what the IT people are saying to you, is a different world,” said Steve Moore, technology leader at Mary Kay Inc. in Dallas.

In addition, users can easily find detailed accounts of how to sidestep corporate policies, available from countless Internet sites and even laid out clearly in publications such as The Wall Street Journal.

With compliance regulations a constant factor, IT executives are caught between a rock and a hard place.

“We’re constantly trying to balance the need for expanded access to information and the requirements to protect information from unauthorized and inappropriate use,” said James Kritcher, vice president of IT at White Electronic Designs Corp. in Phoenix. “We now have an expanding number of accounts, passwords and other mechanisms to manage access to various resources. The resulting overhead and complexity increases the likelihood that inappropriate access may be granted.”

For instance, users can unwittingly grant inappropriate access to co-workers, friends and family if they share too much information or neglect to update passwords. One area Craig Bush finds lacking among users is password security. He said the company has policies in place to ensure passwords aren’t abused or revealed, but users consider managing passwords more of a hassle than a safeguard.

“It’s funny how end users just don’t think passwords are a big deal and think we are just here to make their lives miserable when we request them to change or update passwords,” said Bush, who is network administrator at Exactech Inc. in Gainesville, Fla. “General password security is an area I see lacking among most end users. They just don’t realize there is technology that can use their passwords to get information and corrupt the entire network.”

Other times, it’s the more technology-savvy users who cause the most trouble. Users have tried to deploy consumer wireless routers at work, said Martin Webb, manager of data network operations, Ministry of Labour and Citizens’ Services, Province of British Columbia, Canada.

“Consumer routers are shipped with all the security settings turned off, which makes it easier to deploy, but it also immediately creates holes with security on the network,” Webb said. “It seems to be an innocuous thing and usually they are deployed without malicious intent, but it is still something we have to stay on top of or we are at serious risk.”

Mixing business and personal life

Another common problem is when users try to take their work home with them, but wind up taking more data off corporate networks and premises than they should. For instance, thumb drives, or USB flash drives, used improperly could bring a company to its knees, according to Albert Ganzon, director of network services and engineering at Pillsbury Winthrop Shaw Pittman LLP, an international law firm in San Francisco.

Being responsible for securing company and client data puts Ganzon into a state of heightened alert, considering information saved on a thumb drive is nearly impossible for him to secure.

“Thumb drives make it so easy for someone to download a copy of anything and just walk out with it. We can’t catch that before it happens; we can’t turn the USB drives off without debilitating other valid functions of the drives,” he said. “It is critical for us to keep client data confidential, and it’s a very touchy area when the potential of leaks occurs.”

Ganzon doesn’t necessarily believe users intentionally put the network, the company and its clients at risk, but when working to get their jobs done they may sidestep certain security policies without considering the potential repercussions. “If that data is lost or stolen, well, people just don’t understand the risk they pose at times,” he said.

Christ Majauckas agreed. The computer technology manager at Metrocorp Publications in Boston said users, in some cases, believe they are following the policies yet continue to pose significant risk with their actions. For instance, one of his security pet peeves is users who download e-mail attachments from personal accounts while logged onto the corporate network via their company PC.

“Downloading e-mail attachments from personal e-mail is one of the main sources for virus attack,” Majauckas said. “If they use corporate mail, we check that for viruses. But they think it’s better not to use corporate e-mail for personal use, so instead they open the mail in such a way that we can’t scan for viruses. I am not going to rely on Google to check for viruses on my network.”

For Koie Smith, IT administrator at Jackson, Tenn.-based law firm Rainey, Kizer, Reviere & Bell PLC, users trolling the Internet and visiting personal sites such as MySpace or Facebook represent a big risk, so much so that he uses a Linux-based proxy server called Squid for content filtering and to shut down access to those sites.

For one, he is quite certain the sites aren’t being used for work purposes, and on top of that, Smith said he finds those sites and others are rife with spyware ready to latch onto his corporate network.

“Even though we need the Internet for productivity reasons, browsing the Web is obviously a concern because users can pull down spyware or a virus. Without adequate protections on the computer — or even in some cases when there is — viruses in the wild can still cripple your network by one user browsing to a site they shouldn’t be going to,” Smith said. He added that the content filtering also serves to protect the user and organization legally. “There are things our company can’t have happening in the workplace, and unrestricted Web browsing opens the door for that.”

More education required

Bruce Bonsall, CISO at MassMutual Financial Group in Springfield, Mass., worries most about the intertwined work and home life of most corporate employees that leaves networks open to security holes and employees vulnerable to attacks. He said he also gets concerned when a user population isn’t as educated about security policies or potential threats as they should be.

“It’s not realistic for me to think that people are going to stop mixing their personal and work lives. We have to rely on them to practice good hygiene when opening links and try to prevent all the sewage that is out there from backing up into corporate networks,” Bonsall said.

Targeted attacks such as phishing and whaling concern him because they could take advantage of users not keeping up with corporate education efforts. He said technologies such as network access control and security information management can help protect the network, but only to a certain degree. As attacks get more sophisticated, user education is the only option.

“The bad guys are going after high network staff and senior executives, which is very disturbing. The more information they use that relates to the target, the more likely someone will get tricked, even savvy end users,” Bonsall said.

Source: ComputerWorld

AJAX benefits

December 7th, 2007 | Posted in AJAX, Security, Tech

December 06, 2007 (InfoWorld) — While Asynchronous JavaScript and XML may have issues with security and performance, Zimbra Inc. still sees AJAX as the best way to deliver experiences on the Web and has based its open-source Web 2.0 platform on 200,000 lines of JavaScript, a company executive said Monday.

At the Web Builder 2.0 conference in Las Vegas, Zimbra’s president and chief technology officer, Scott Dietzen, emphasized a variety of AJAX and Web 2.0 technologies for developers and users, including the extension of AJAX to offline usage.

Despite AJAX’s problems, Dietzen said he favors it over other technologies such as Flash when it comes to the Web.

“There’s no other way to deliver a richly interactive experience on the Web,” said Dietzen, who was once CTO at BEA Systems Inc. “If you want the Web look and feel and the ability to mash up all sorts of other Web technologies, I think AJAX is the best fit.”

Zimbra, which was acquired by Yahoo Inc. earlier this year for $350 million, is a provider of collaboration and messaging software.

Dietzen did cite AJAX security issues such as cross-site scripting attacks, in which user data can get interpreted in the browser, creating a breach. Also noted as a security concern was use of source code in the browser.

“The goal for rich Internet applications at least ought to be to deliver the same level of security that we’ve delivered for Web applications, because to deliver less undermines user confidence in various ways,” he said. This is a goal that is close to being achieved, Dietzen said.

Blocking execution of user JavaScript inside of an application is important for combating server-side scripting attacks, according to Dietzen. Obfuscation and minimization technologies to remove white space can be used as security measures, he said. On the positive side, there is no caching of user data on the desktop with AJAX. Dietzen also advised that sensitive code not be put in a browser.
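The point about user data being interpreted in the browser, shown as an added example that is not Zimbra's code or from the article: the same attacker-influenced field rendered two ways. `SAMPLE_COMMENT` and the function names are constructed for this illustration.

```javascript
// Added example, not Zimbra's code: one user-supplied field rendered unsafely
// and safely. Sample data and function names are constructed.

// Constructed sample: a comment field as it might arrive in an AJAX response.
// It is plain data until something parses it as HTML.
const SAMPLE_COMMENT = 'Nice post <img src=x onerror="alert(1)">';

// Encode the five characters that let text become markup. Suitable for element
// content and quoted attribute values; not a URL or JavaScript-context encoder.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw field is spliced into markup (the string-building behind
// `el.innerHTML = ...`). The browser creates the <img> and fires onerror, so the
// user's data is interpreted as code. This is the XSS path.
function renderUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Fixed: identical template, but the field is encoded first, so the browser
// displays the literal text "<img ...>" and executes nothing.
function renderSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Better still in a live page: skip string building and use the DOM text API,
// which never parses its argument as HTML. `node` is any element.
function renderToNode(node, comment) {
  node.textContent = comment;
  return node;
}

// Reviewer's check: does a markup string still contain an element that can
// carry script? Escaped output has no raw '<', so it cannot match.
function containsActiveMarkup(html) {
  return /<(script|img|iframe|svg|object|embed)\b/i.test(html);
}
```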

Browsers, meanwhile, also present challenges. They render the same HTML differently and were not designed for the load presented by AJAX; browsers have memory leaks and performance gaps, Dietzen said. But browsers are getting better, Dietzen said.

“Safari 3 is dramatically better,” he said.

And Zimbra has found that Internet Explorer 7 executes JavaScript two to four times better than Internet Explorer 6 does, he noted.

Tool kits also have been a problem, but that situation, too, has been getting better. Tool kits now are available from organizations such as the Eclipse Foundation, Adobe Systems Inc. and Microsoft Corp. “I’m happy to say no more Zimbra developers are using text editors or vi to craft their JavaScript,” said Dietzen.

Offline AJAX usage is a “hot topic,” Dietzen said. Zimbra now can be used offline, he said.

“The answer for occasionally connected apps is to provide a cache on the client side that allows the application to interact locally with a data set, and then synchronize over the network when the network is available,” said Dietzen.

Offline AJAX systems can be developed by using a set of caching APIs in JavaScript that enable this. These are accessible via offerings such as Google Gears and the Dojo offline tool kit.

Also, developers can program a client in something other than JavaScript, using technologies such as Adobe AIR (Adobe Integrated Runtime). Developers build full programs on the client integrated with the browser, like what Microsoft is doing with its Silverlight platform.

But Zimbra used another approach. “What we did at Zimbra is we actually took Zimbra server code, which was written in Java, and we created a microserver that runs on my local client,” said Dietzen.

Dietzen mentioned the AJAX technique of AJAX Linking and Embedding (ALE), in which one document can be embedded inside another. This expands content-sharing.

He also cited a technique called “lazy loading,” which cuts down loading time for Web pages. With lazy loading, the page loads but other parts of the application, such as calendaring, are loaded only as needed.

Dietzen noted that Zimbra’s platform enables use of mashups — quickly assembled task-based applications deriving data from other, larger systems. Mashups get Dietzen’s vote as the killer app for Web 2.0.

Source: Computerworld

Hidden dangers of file transfer

November 28th, 2007 | Posted in Security, Tech

Threats to a company’s information security do not always come from new technology. While CIOs and chief security officers might worry about the risks carried in iPhones or brought in through social networking sites, some experts warn that a far older tool is rendering businesses vulnerable to data loss and electronic intrusion.

That tool is file transfer protocol, which companies have used since the advent of the mainframe. In some cases, the mainframe is still the principal home for FTP in large companies, because it remains one of the most practical ways to transfer files between large systems.

It is, however, what security professionals term a “dirty” protocol. In-built levels of protection are limited. User names, passwords and often the files themselves are sent in the clear.

“FTP does things in a way you would never include in a protocol today,” says John Pescatore, vice-president at research firm Gartner, and a specialist in IT security. “In any security audit, FTP is a hole you have to look for.” That hole will, in all likelihood, have been plugged in any business large enough to run its own mainframe.

In fact, IBM has developed a number of strong security measures for its Z Series mainframe machines, including access control and encryption, as well as restricting FTP traffic to known and trusted IP addresses or ensuring the only way to use FTP on a network is to use the FTP servers on the mainframe itself.

“The [mainframe] platform has security measures for FTP, starting with identification and authentication with a simple user ID and password right through to digital certificates,” explains Linwood Overby, a senior technical staff member at IBM.

Deploying a digital certificate to control FTP alone is unlikely to make commercial sense, however, and even companies with FTP running on mainframes or other enterprise-grade systems need to remain vigilant. The reason is that FTP, like so many arcane areas of technology, is being made more accessible.

A quick internet search reveals dozens of free FTP applications that can turn a standard desktop computer into an FTP system. Increasingly, FTP services with large storage capacities come with paid-for, and sometimes with free, internet accounts.

This makes any company vulnerable to unauthorised FTP traffic, data “leakage” or outright data theft, unless networks have been set up specifically to block unauthorised FTP traffic.
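An added example, not from the article, IBM or any vendor, covering the two points above: credentials sent in the clear, and FTP sessions to servers outside the set a network has approved. The records, addresses and `TRUSTED_FTP_SERVERS` are constructed; the record format is an assumed export shape, not any capture tool's real output.

```javascript
// Added example: a small detector over constructed FTP control-channel records.
// It flags USER/PASS sent in the clear and sessions to non-approved servers.

// Constructed sample records in an assumed "src -> dst:port  payload" shape.
// Addresses come from documentation ranges, not real hosts.
const SAMPLE_RECORDS = [
  '192.0.2.10 -> 198.51.100.5:21  USER mainframe_batch',
  '192.0.2.10 -> 198.51.100.5:21  PASS hunter2',
  '192.0.2.10 -> 198.51.100.5:21  RETR payroll_2007.csv',
  '192.0.2.44 -> 203.0.113.9:21   USER anonymous',
  '192.0.2.44 -> 203.0.113.9:21   PASS guest@',
  '192.0.2.44 -> 203.0.113.9:21   STOR client_list.xls',
  '192.0.2.44 -> 203.0.113.9:443  ...TLS application data...',
];

// Assumed allow-list: the FTP servers the business has approved (the
// mainframe in the article's example).
const TRUSTED_FTP_SERVERS = new Set(['198.51.100.5']);

const RECORD_RE = /^(\S+) -> (\S+):(\d+)\s+(.*)$/;

function parseRecord(line) {
  const m = RECORD_RE.exec(line);
  if (!m) return null;
  return { src: m[1], dst: m[2], port: Number(m[3]), payload: m[4] };
}

// One finding per problem. The password value is never copied into a finding,
// so the alert log does not become a second place the secret leaks from.
function analyzeFtp(lines, trusted = TRUSTED_FTP_SERVERS) {
  const findings = [];
  const seenUntrusted = new Set(); // report each src->dst pair once
  for (const line of lines) {
    const r = parseRecord(line);
    if (!r || r.port !== 21) continue; // port 443 is opaque to this check
    const cmd = r.payload.split(/\s+/)[0].toUpperCase();
    if (cmd === 'USER' || cmd === 'PASS') {
      findings.push({ kind: 'cleartext-credential', src: r.src, dst: r.dst, cmd });
    }
    const pair = r.src + '>' + r.dst;
    if (!trusted.has(r.dst) && !seenUntrusted.has(pair)) {
      seenUntrusted.add(pair);
      findings.push({ kind: 'untrusted-ftp-server', src: r.src, dst: r.dst });
    }
    if (cmd === 'STOR' && !trusted.has(r.dst)) {
      findings.push({ kind: 'upload-to-untrusted', src: r.src, dst: r.dst, file: r.payload.slice(5) });
    }
  }
  return findings;
}

// Summary helper for a dashboard or a unit test.
function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}
```

The skipped port 443 record illustrates the article's later point: a web-based transfer service riding on 443 does not expose commands or file names to this kind of inspection, so it must be handled by policy rather than by this detector.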

And the situation is being made worse by the proliferation of FTP “alternatives” that promise to do away with the technical know-how needed to set up a standard FTP client or server.

The uptake of these services – including web-based file transfer utilities such as YouSendIt and SendThisFile – is being driven as much by consumers as by business.

A growing desire to send files such as digital photos, music or home videos, and the increasing quality of digital media, have created a demand for services that anyone can use, and that overcome the typical 8MB to 10MB file size limits of most corporate and personal e-mail accounts.

But the family guy in the corner looking for a way to send videos of the kids’ party to Grandma might unwittingly open up a serious security hole.

“It is very easy to download an FTP application and call your friend or business associate with the address. But there is no way of verifying these transfers, and nothing in the process that protects your business,” warns Dr Taher Elgamal, chief technology officer at security vendor Tumbleweed. “And the free services offer no guarantees that a file transfer is done correctly or properly scheduled.”

The most popular file transfer services do provide some basic security, although this is typically restricted to users who sign up for the paid-for business or enterprise services.

SendThisFile uses 128-bit SSL encryption, similar to that on many banks’ websites, for all file transfers.

Its enterprise version uses DES encryption for files stored on its servers, but that is not a feature of the free service. YouSendIt also uses SSL, although it does not offer file encryption on its servers.

Both services provide a higher level of security than a standard open FTP service, and should be less vulnerable to attackers looking for back doors into a company network. But at the same time, the measures that make such services less vulnerable make them harder to block than vanilla FTP. YouSendIt, for example, uses a network’s Port 443, which is also used by web browsers.

This raises issues for companies that simply do not want staff transferring files using third-party services, however secure they might be. Allowing the use of consumer-friendly FTP services makes life easier for those who might want to transfer confidential information to people outside the business.

A secure file transfer service overcomes this, in part, by logging who has transferred data, and when. But for total security, these services need to work in conjunction with data leak prevention technology, suggests Bill Nagel, a specialist in security and risk at Forrester Research.

“As much as 80 per cent of all data leaks come from inside a company. Businesses are having to keep more data for longer, and the flipside to that is that there is more data that can get out,” says Mr Nagel.

The tagging that data leak prevention systems rely on is a huge effort, he points out, and perhaps appropriate only for the most sensitive information.

For the rest, a combination of education and providing secure ways to transfer files may be the most effective way to reduce risky behaviour, says Mr Nagel.

“In a third of data leak cases, the cause was something that people knew they shouldn’t do, but which made their lives easier.”

Source: The Financial Times

Protect Yourself From Identity Theft - Use Your Debit Card

August 31st, 2007 | Posted in Security

You’re in line to pay for some gas at the local gas station, and the cashier asks you, “Will this be debit or credit?” You’re saying to yourself, “I’m paying with a Visa debit card, does it really matter?” The answer is YES. It does really matter what you choose when they ask you for debit or credit. There are two reasons why you need to make sure to choose debit if you are using your debit card to pay for a purchase.

It protects you from identity theft. Studies have shown that you are 17 times more likely to have your identity stolen by making a credit transaction rather than a debit transaction. This is mostly due to the fact that you must type in your PIN in order to make the transaction, whereas a credit purchase requires a signature receipt that is kept by the store. Most stores do not display all of your credit card numbers, but I have found every once in a while that you will see receipts with the full credit card number displayed on them. It’s shocking that those receipts still exist, but they are out there.

It saves the merchant money when you choose debit over credit. You might be saying, “What do I care if the merchant saves money or not?” Well, you better care. Because who do you think they are going to pass off that extra expense to? You! When you choose debit, the average transaction costs the merchant about 10 cents to 20 cents. When you choose credit, banks charge merchants anywhere from 75 cents to $1.25. Merchants are hoping and praying that you choose debit when you truly are using a debit card, but it doesn’t always happen. The banks are the ones that are being ridiculous about this. Some banks are actually charging you a fee to use your debit card as a freakin’ debit card! They WANT you to say “Credit” so that they make more money off of the merchant. And banks wonder why so many people think they are scum of the earth. I am all about “maximizing the profits of your shareholders”, but the way that you maximize the profits of the shareholders is by taking care of your customers, NOT taking care of your shareholders!

I was wondering if there was a way to use your credit card as a debit card. Most credit cards have a PIN attached to them now to allow you to use them in an ATM. But my question is, can you say debit when you have a credit card, and then type in the PIN? If you’ve ever tried this before and it has worked, post a comment on here. I don’t know the answer to the question, so I’m asking you.

Hopefully, this opens up your eyes more to the importance of that little phrase that we are faced with every day, “Debit or Credit?” It will further protect you from identity theft AND it will help merchants keep their cost of doing business lower which ultimately allows them to keep the prices of their products lower.

Source: BlogForward

November 7th, 2006 | Posted in Security, Tech

Free domain name service Open DNS speeds up your web surfing sessions and protects you from phishing sites.

OpenDNS provides free DNS server addresses which you enter on your home router or within your computer’s network settings. The service caches the billions of DNS requests made by its users into a giant database on a distributed network, which turbocharges surfing for everyone who uses it.

Open DNS also flags phishing sites and auto-corrects URL typos.

via lifehacker