Security's Everyman

Thursday, February 28, 2008

Real Life Awareness

Here's a great user awareness story from real life.

My wife and I just finished attending a 4 week long Sunday School class on Parenting Preschoolers. Yesterday the girl who was the class coordinator sent out an email to the whole class. She ended it with the following statement:

"If any of you are interested, please let me know and I will email her your email address. I did not want to send everyone's address to everyone without their consent."

If you stop to think about it you will know where this is going. :) When I looked at the "To" line, sure enough, there was each and every address for the whole class. I couldn't help but smile. It sort of has a happy ending though. A few minutes later she sent out a follow-up email:

"I apologize for not hiding the addresses in the last email. I meant to press a different button but hit send before I could correct it. Sorry."

So either she realized what she did or someone else pointed it out to her. Either way I was impressed that she was aware she should not have just sent out everyone's email address without their permission. Way too often people just forward emails with the addresses of everyone in their address book without thinking about it. I'd like to know where she learned about the need to hide addresses. I saw her last night and we had a good laugh over this; I wish I'd asked her then. Was this something that she learned from a work user awareness program? Did her husband pass this on to her? Maybe a friend told her about it. Either way it's good that she knows it and that she puts it into practice..........usually.

I sent her a reply and told her that, with her permission, I'd like to use her in my blog. Of course I assured her that I'd not reveal her name or email address........unless I forgot. :)
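The "different button" in the story is Bcc. As an added example (not from the post; all addresses are constructed placeholders), here is how a class announcement is built so recipients stay hidden, what an MTA must strip before transmission, and a pre-send check that would have caught the first email:

```python
"""Added example: keep recipients private with Bcc, and flag a message that
exposes the whole list in To/Cc before it is sent.  Addresses are constructed."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed sample recipient list (placeholder addresses, not real people).
CLASS_LIST = [
    "parent1@example.com",
    "parent2@example.com",
    "parent3@example.com",
]


def build_private_announcement(sender, recipients, subject, body):
    """Return a message addressed so recipients cannot see each other.

    The sender's own address goes in To (so the header is not empty) and the
    real recipients go in Bcc.  Bcc drives the SMTP envelope but must never
    appear in the transmitted headers.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_exposed_announcement(sender, recipients, subject, body):
    """The mistake from the story: everyone in To, visible to everyone."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def exposes_addresses(msg, sender, max_visible=1):
    """True if more than max_visible third-party addresses are disclosed.

    One visible address is a normal person-to-person mail; a list of them
    means the sender hit 'To' when they meant 'Bcc'.
    """
    others = {a.lower() for a in visible_recipients(msg)} - {sender.lower()}
    return len(others) > max_visible


def envelope_and_wire(msg):
    """Split into (envelope recipients, header/body bytes to transmit).

    Bcc is merged into the envelope recipient list and deleted from the copy
    that goes on the wire, which is what smtplib.send_message does internally.
    """
    all_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    rcpts = [addr for _, addr in getaddresses(all_headers) if addr]
    wire = message_from_bytes(msg.as_bytes(), policy=default)
    del wire["Bcc"]
    return rcpts, wire.as_bytes()


if __name__ == "__main__":
    coordinator = "coordinator@example.com"
    good = build_private_announcement(coordinator, CLASS_LIST, "Thanks", "Hi all")
    bad = build_exposed_announcement(coordinator, CLASS_LIST, "Thanks", "Hi all")
    print("private message exposes list:", exposes_addresses(good, coordinator))
    print("To-everyone message exposes list:", exposes_addresses(bad, coordinator))
```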

Thursday, February 21, 2008


I thought these guys were getting better at this. Apparently whoever sent this failed "Basic Phishing Emails 101". I've got all sorts of comments and tips on how to do this better, but I'll let you come up with your own.

From FedEx Express
FedEx Nigeria Head Office
70 International Airport Road
Mafoluku, Lagos.
Tel +234-807-493-8690



Attention' Attention’ Attention'''

CLAIM NOTIFICATION.


This is to notify you that your parcel is still in our possession, this parcel contained an International Cashier Bank Draft/Cheque worth the sum of $2 Million dollars only and it is ready for delivery to your door step. Meanwhile, before the delivery or shipment will take place, you are advice to send to us the following data’s mention below:


1. Your Name


The above requested information’s will enable us deliver your parcel correctly without any mistake or delivering your parcel to a wrong person. Further more, you might be asking yourself how comes this email, cheque or draft, Anyway, your cheque was brought to this office by a Lottery Fiduciary Agent Or Claim Agent, signifying that you are a rightful winner to their Lottery Award selected randomly from 10 lucky email addresses which your email address is one of the lucky email address.


FedEx courier service company mailing you as per your parcel that was brought to this company to be delivered to you by  lottery groups, along the delivery process that brought a misunderstanding between you and the lottery claim agent and in regards of their request as per their insurance certificate cost and tax fee which happened to be the course of your parcel being pending for the past months/one year.


Meanwhile we are hereby happy to inform you that the FedEx Company has finalized everything with the nicon insurance company of Nigeria ? and the internal revenue office as the company organization has also listed 24 valuable parcel’s to be intact in their office after the released of the parcel’s from the nicon insurance company and internal revenue office.


We are happy to inform you once again that your parcel that contains the sum of $ 2 million dollars is among the 24 parcel’s listed which is now in our office and also with your name as the receiver despise that we lost your private residential address’s, which is an indication that you can now re-send your residential address, telephone as stated above back to the FedEx company where your parcel can be delivered to you without hesitation with this e-mail  (
Meanwhile remember that the sender of this parcel to you that’s the fiduciary agent still owns this company the sum of  $150 before incident occurs Note this fee is not just for delivery but with the stamp duty, this company has spend out of their incomes in the process by recovery back your parcel? so dear customer we once again appreciate your patronage in our favor.


Without hesitations you are to pay for just the balance left by your sender since we have lost his contact. this payment have to be via western union money transfer with the below payment information so that your parcel can be delivered to your residential address before it accumulate a demurrage after one week only,as you know your parcel is not just an ordinary parcel but with a huge amount and I think you understand what I mean by accumulating a demurrage? Which you will not allow to happen to your recovery parcel that almost gone if not for the love that the good god have for you by favoring you with his favor because it was god who did it not by your power but by the spirit say the lord.
We assure you that your parcel will arrive at your country in two days time and it will get to your door step the third day as soon as this company receive the balance left by your sender and the tracking number of your parcel will be sent to you via e-mail immediately so that you can track it yourself to see your parcel coming on the way and you will also know when it will arrive at your country because we operate in trust and loyalty in your favor.
And also the FedEx Courier Service Company is hereby to inform all their customers by eradicating all their communication with the scam mails that are going all-over the world be careful with their e-mails so that your parcel will not be in danger with their evil planes.
FedEx provides access to a growing global market place through a network of supply chain, transportation, business and related information services.


Receivers Name: Nbu Philip

Senders Name: Your Name

Text Question: Who is your father?

Answer: God almighty
Amount: $150

Location; Lagos Nigeria Africa

MTCN Number... 


Please you have to send the full payment information including the MTCN Number for we to fully proceed on your delivery
FedEx is one of the world's great success stories, the start-up that revolutionized the delivery of packages and information. In the past 30 years, we've grown up and grown into a diverse family of companies as FedEx that's bigger, stronger, better than ever. Call me: Tel: +234-807-493-8690


Tel +234-807-493-8690


Sunday, February 17, 2008

When does security begin?

I ran across this the other day and had to save it for later. Now later has arrived.

It makes me feel good to know that I'm not alone. One of the biggest frustrations with my job is that since they didn't have an official security program before I got here, security is often an afterthought. Sometimes that means after a project has begun, and often it begins after the project has been completed. Similarly to Mathias, so far the best I've been able to do is get a few of the PMs on my team, and my signature is required on the final paperwork before something goes live. Unfortunately there are a few problems with this.

  • The first problem is that after a project has gone from vision to final testing and is ready to deploy, the project team and sponsor get a little upset if security tries to put it on hold.
  • Often, by the time I've found out about a project it is almost too late to ensure proper security is in place.
  • One of the most common things that I've run into is the lack of understanding of the need for security. I regularly hear "It's not on the Internet so why does it need security?" or "You have to have a username and password to access the application so it's secure."

I have been working on getting the rest of the enterprise to think about the need for security early on, and I am slowly starting to see some results. We have a major project coming up that has already asked for my input, and it isn't even slated to begin until 2010 or 2011. That makes a security guy smile. :)

It's never too early to think about security for an application or a project, but that's often not how it goes. Security is still an afterthought in the minds of many, and that requires that we not only be prepared to start at the beginning but also to jump in at any point in the process and ensure that security is properly implemented.

InfraGard Speaking Schedule Change

My talk at the Birmingham, AL InfraGard Chapter has been moved from March to April 8, 2008. If you are in the Birmingham area and either regularly attend the InfraGard meetings or are interested I'd love to meet you there. I'll post location information once I know it myself.

Thursday, February 14, 2008

The 7th way the Starbucks-AT&T deal will change mobility

ComputerWorld has an article, "6 ways the Starbucks-AT&T deal will change mobility". They failed to list the 7th (actually, it's probably the first) way it will change mobility.

  • More laptops will be pwned.

Now access is free for thousands of people who wouldn't pay the $30 to $40 a month that T-Mobile charged. That means that every person with a laptop who lives near a Starbucks and is an AT&T broadband customer will go there to access the Internet. Their laptops are not hardened. They have no idea how to protect themselves, or that they need to protect themselves. They will conduct financial transactions, and someone will be waiting to sniff their traffic, hack their system, or convince them to connect to a rogue AP.

Thanks James

I appreciate the help.

Thursday, February 07, 2008

If I had a nickel for every patch

UPDATE: I'm now up to over $3!!!!!!

I'd have 75 cents today alone (hey, in a possible recession every penny counts). Today the following companies announced patches for their software.

  1. Microsoft has 12 patches coming out next week on Patch Tuesday.
  2. Adobe has a patch for Acrobat Reader.
  3. Apple has a patch for Quicktime.
  4. Sun has a patch for Java SE 6.

Luckily for most, these are all apps that have auto-patching capabilities, and usually they are turned on. This is a good time to remember to check the other software on your systems that doesn't have auto-patching.

I also seem to remember that Skype just released a patch and Apple released a patch for iPhoto, so that takes me up to 80 cents. I wonder what's in the couch under the cushions. :) If I go back a few weeks I'm well over a dollar and possibly pushing 2 dollars.

Just remember to keep your systems patched, and keep an eye out for that forgotten application and update it also. While you're at it, check your DSL/cable modem, wireless or wired router, printer, and anything else that can connect to a computer or network. Check out for more information on embedded device security.

Good Tips

PC Magazine has a list of 72 Tips for Safer Computing that I wanted to point you to. I know lots of us are constantly asked by friends and family how they can keep their computers safe. Unless you have a ready-made list it can be time consuming to give them all the tips they need. Well, here is a pretty good list that you can give them, and if they follow it they should be in pretty good shape.

Odd things

Sometimes odd things happen one right after another. I've had one of those weeks. It started a few days ago when I was walking to lunch. I got to the restaurant and ordered my food to go. As I was waiting I touched my hand to my phone, which I keep on the right side of my hip. Next to it I keep a belt clip that holds my employee ID, door access card and transit card. As I felt my phone I noticed that something didn't seem right. My belt clip and cards were gone. I immediately started to panic. I work in Atlanta and foot traffic is heavy. I was sure that someone had picked it up, and I was hoping that they would take it to my office and leave it at the security desk. Luckily my food arrived at that time and I started to retrace my steps. I found it about halfway between the office and the restaurant. It was in the middle of the road and I watched 3 cars run over it. I was able to retrieve it, and except for the clip it was undamaged.

I was listening to Pauldotcom Security Weekly (an odd thing in itself :)) the other day and they were talking about lost laptops. Paul was saying that he never leaves his laptop unattended. He makes sure he carries it with him everywhere to prevent it from getting stolen. I'm pretty much the same way. If I'm going somewhere and I know that I won't need my laptop I leave it at home. If I'm on my way to or from work and I have to stop somewhere I will take it with me instead of leaving it in the car.

Well, yesterday I had to drive to work because I missed the bus into town. The temp light on my Jeep came on about halfway there. I pulled over to let it cool down and decided that I needed to replace the thermostat (I've been putting it off). So during lunch I grabbed a thermostat and planned on changing it in the parking garage after work. Since I usually dress in a shirt and tie I needed to change before doing the work. I grabbed my laptop bag and headed down to the locker room where I keep my workout clothes and changed into a pair of shorts and a T-shirt. I grabbed my stuff and headed to the parking deck to start working. I replaced the thermostat, added some coolant and hit the road. Unfortunately it seems that the thermostat wasn't the problem, because the temp light came on again about halfway home. More troubleshooting needed.

As I got home and started to grab my stuff it hit me that my laptop bag was NOT in the car. I really panicked this time. I had visions of it sitting in the parking garage, thinking that I had set it on the ground beside my Jeep while I worked on it and forgot to put it in when I left. I searched my mind trying to remember where I may have left it. Was it still in my office? WHERE!?!?!?! Then it hit me that I had left it in the locker room. My panic subsided a little because it is an employee-only facility, but I was still worried nonetheless. So I grabbed my 2 girls and hit the road to go back to the office and get it. It was still there and had been undisturbed. I guess if anyone saw it they just assumed that it belonged there. WHEW!!!

Both of these incidents could have had much worse endings. The loss of my cards could have given someone unauthorized access to the facility (and lots of free train rides). We have processes in place so that I can disable the cards quickly, so that would have reduced the window of opportunity. The laptop loss would not have been such a big deal since I use TrueCrypt (they now have whole disk encryption) and keep all of my data on the encrypted volume. It would have been a headache more than anything.

So lessons learned. PAY ATTENTION!!!!! Don't get so distracted by what is going on around you that you lose focus on important things.

Wednesday, February 06, 2008

(Another) Good SANS ISC Entry

There are just some resources that are invaluable to Security IT Professionals no matter what area of IT you work in or what your position in the company is. SANS is one of those resources. They watch our back, block for us and give us new plays for our playbook. Not to mention that they coach and train us to make us better at what we do.

Today the ISC Diary has another good reminder and tip for us. One of our primary responsibilities is to secure our environment. We apply patches, double check our configurations, ensure least privilege, etc., but are we often overlooking something? Do we spend so much of our energy on these things that we forget to make sure that we didn't leave something in place that doesn't need to be there? Do we fail to look beyond our standard procedures and checklists? How long has it been since they were updated?

Just as we need to ensure that we do the things that we need to do we also need to ensure that we don't do things that aren't needed. The key is knowing what these things are.

Security Catalysts Community Roundup

When I started following blogs a couple of years ago I discovered several bloggers who impressed me with their knowledge of various aspects of security. I thought I had hit a gold mine in finding their blogs. Now I had places to go and get information on various topics. I could even ask them questions and usually get a reply from them. Towards the end of 2006 a few of them started talking about a new community that was starting up. It offered a place to post your thoughts, questions, comments, ideas, etc. and interact with other security professionals. So I decided to check it out and saw a few things that I liked.

  1. The boards weren't stuffed to the gills with questions so it made it easy to find what you were looking for.
  2. The boards are kept organized. There aren't hundreds of user created main topic areas that clutter the boards.
  3. When you posted a question or idea others chimed in with comments that were meaningful. There is no name calling or belittling others. If someone does do that their comment is removed and they may soon follow.
  4. You actually saw who you were interacting with and not some cryptic screen name. This allowed me to have a sense of whether or not I could trust them. All members are required to register with and use their real names. (OK, so we don't do ID checks on everyone but you get the picture.)

These are just a few of the things that I really liked. I then hooked up via email with Michael Santarcangelo, who could be called the "Father of the Security Catalyst Community". I had listened to his podcast and read his blog and liked what he had to say and the way that he thinks. He, like many in the SCC, doesn't think along the same old "best practices" lines that seem to infect many in IT and Security. He thought outside the box and tried to get others to do the same.

That was Jan. 2006, and since joining the SCC I have benefited tremendously. It has provided me a place to get answers, feedback and support, develop friendships, and network with other security professionals. Lots of people have joined the community and many of them participate regularly in what is going on. I'd like to invite you to stop by and check out what is going on. I'm going to highlight a few of the conversations that have gone on in the recent past and a few of the people who have their own blogs. My goal in this is to give you a little more insight into what the community is all about and entice you to come join us and add your voice to what will become a major voice in security in the future.

Recent SCC Posts of note:

  • Rootkits and MBRs - As soon as news of the new (ok, not new but new in the news) MBR Rootkits hit the gang at the SCC jumped on this one. Read what the community has to say about this topic. I personally think that the first response post is packed with wisdom and insight. :)
  • ICMP Tunneling - I went back a while on this one because it has some useful information on a topic that we don't hear much about and many people haven't really considered as a threat to our data.
  • Value of web.config file encryption - Here is another topic that isn't very sexy and doesn't get a lot of attention in the media and blogs, but that doesn't stop us from discussing it. We all know the importance of web app security, but we can't forget the server itself.
  • Project Management Training - We all like to stay on top of our game and training and opportunities to learn and improve ourselves is a major focus of the community. Here we discuss how to prepare yourself to be successful in Project Management.

We have lots of bloggers and others who have their own web sites. You can find a complete list of them by clicking on the "members" link from any page in the community and then clicking on the website column. Many of the names you will recognize right away because they are the "big names" in information security blogging (and usually in their field of specialty also), and some you may not be familiar with, but they have great things to say. I wanted to bring a couple of them to your attention.

  • Michael Dickey (aka LonerVamp) blogs at terminal23. Michael caught my attention early on because he has lots of good things to say. He's a Linux guru who understands security and has a great grasp on using Linux both to help secure your environment and as your everyday OS. He can get pretty technical, so beware. Sometimes he makes my head hurt.
  • Adam Dodge has a website called Educational Security Incidents (ESI) where he maintains an ongoing list and discussion of breaches in the .edu space. Those of you who work in the .edu space need to know Adam and his site. Colleges and universities have their own unique challenges when it comes to information security that most of us don't face. They have to find the balance between the "free flow of data" nature of a university environment and protecting the PII, research and other important data. There are lots of other .edu security gurus in the community who will benefit you greatly if you are in that field.
  • Alex Hutton is another blogger who is worth your read. His focus is on Risk Management, and he blogs at and maintains a site called (yes, the .is is correct). Alex usually doesn't talk too technically, but don't let that fool you. He knows his stuff, from everyday security to the implications of not being compliant to how risk can make or break your company.

Well, that's it. A quick recap of what's going on in the Security Catalysts Community and why you should be involved.

Tuesday, February 05, 2008

ActiveX Vulnerabilities

As many of you are aware, Symantec recently announced that several ActiveX vulnerabilities exist that have to do with image uploaders in many social network sites. The current recommended fix is to set the kill bit on each of the CLSIDs. If you have ever done this manually it can be time consuming if you have several machines to do it on. The other option is to make the changes on one system and then export those registry keys and import them on the other machines.

One of the SANS Handlers, Tom Liston, has released a tool that will allow you to manually make these changes via either GUI or CLI. I've tested both and find them to be very easy to use and a time saver. The command line version probably can be used via script or pushed out via AD, although I have not tried this.

If you are interested in giving it a try you can find his write up and download the tool here.
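For the export-and-import route mentioned above, the kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following is an added example (not Tom Liston's tool and not from the post) that generates a .reg file for a list of CLSIDs and audits an existing export to see which controls are actually killed; the CLSIDs in it are constructed placeholders, not the ones from the Symantec advisory:

```python
"""Added example: build an importable .reg file that sets the ActiveX kill bit
for a list of CLSIDs, and audit a .reg export for which CLSIDs have it set.
The CLSIDs below are constructed placeholders, not real vulnerable controls."""
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control
KEY_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Constructed placeholder CLSIDs (hypothetical; substitute the advisory's list).
SAMPLE_CLSIDS = [
    "{00000000-1111-2222-3333-444444444444}",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",   # braces and case are normalised
]


def normalize_clsid(clsid):
    """Upper-case, brace-wrapped CLSID; rejects anything that is not a GUID."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg(clsids):
    """Return .reg text that sets Compatibility Flags to the kill bit.

    Caveat: importing this *replaces* any existing Compatibility Flags value
    for the CLSID rather than OR-ing the bit in, so run audit_reg() on an
    export first if other flags might already be set.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in sorted({normalize_clsid(x) for x in clsids}):
        lines.append(f"[{KEY_BASE}\\{c}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def save_reg(path, clsids):
    """Write the file the way regedit expects version 5.00 files: UTF-16 with BOM."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(killbit_reg(clsids))


def audit_reg(reg_text):
    """Map CLSID -> True/False: does its Compatibility Flags include the kill bit?

    Works on regedit exports of the ActiveX Compatibility key as well as on
    files produced by killbit_reg().  Keys without the value map to False.
    """
    status = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(KEY_BASE.lower() + "\\"):
                tail = key[len(KEY_BASE) + 1:]
                if CLSID_RE.match(tail):
                    current = tail.upper()
                    status.setdefault(current, False)
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            value = int(line.split("dword:", 1)[1], 16)
            status[current] = bool(value & KILL_BIT)
    return status


if __name__ == "__main__":
    text = killbit_reg(SAMPLE_CLSIDS)
    print(text)
    print(audit_reg(text))
```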

New (at least to me) SPAM Vector

Has anyone seen much of this? I've been getting lots of "Yahoo Groups" spam in the last couple of weeks. Usually I immediately delete it, but this morning I decided to investigate a little further. Here is the text of today's message.

has invited you to join the BUILD_YOUR_WAYS_TO_EARN_AT_HOME group!


Are you tired of finding a job? apllying
to a large company and still unrecognized
your ability of doing work.
How about putting the work at home and let
those company paid you at home?

A Simple Step By Step System
For Selling Your Online Marketing Skills
To Businesses Right In
Your Local City

Being a Complete Stranger to Putting Checks
in Your own Pocket.

To your Success,

Nicole R.
Success Builder Team

I've masked part of the top url to keep others from going to it, but I wanted to point out something. Notice that the first part is "ww.creat". That is how it originally was, and then they started a new word. I'm assuming (based upon the rest of the url) that they were wanting to say "create", but if you look at the rest of the message and see the grammar you will understand. :)

Fortunately for those who received the message, the link failed to contain the actual link, so you can't click on it and be taken to wherever it takes you. Of course you could still manually go there, but if you do that you probably deserve... never mind. I did do a Google search on because I've never heard of it before, and it appears to be a Spanish language url shortening service. Anyone know anything about its legitimacy?

I just wanted to see if any of the rest of you have seen this and what your take on it is. Let me know if you have any insight.

P.S. Nicole R - If you are on the Success Team maybe you should look into taking some English as a second language and grammar lessons.

A funny thing happened on the way to reviewing my logs

At work we're in the process of implementing a SIEM (Security Information and Event Management) system. I'll leave the vendor nameless for the moment, but they have a reputation of making most everything harder than it needs to be. Until that time all logs have to be reviewed manually, and obviously that means that they are not reviewed in real time. I have others that monitor most of the logs, but I monitor our IPS logs from the UTM device. Usually I review them each morning when I come in, but last week I didn't get a chance to, so yesterday I was playing catchup.

As I reviewed them I noticed something new. There were lots of entries where XSS had been stopped. At first I was really worried, thinking that if there were that many attempts then that must mean that there was a vulnerability that someone had found and now they were trying to exploit it. Of course I had no real way of knowing if they had been successful or not. At least not without more research. As I looked into it more I noticed that it only happened on one day and that it was only for a short period of time. Then I did a whois lookup on the IP address and discovered that it was me. I had been doing some testing on a new feature of our web site, and part of that was for XSS vulnerabilities.

It's good to know that the IPS caught this and stopped it before it got to the server itself. That makes me feel a little better, but I sure will be glad when the SIEM implementation is complete so I can see these things in real time and have a better grasp on what is going on.
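The manual triage above (group the XSS blocks by source, notice they fall in one short window, then work out whose address it is) is exactly what a small script can do before the SIEM arrives. As an added example, not from the post or any vendor, here it is over constructed log lines in a made-up UTM format, with a constructed register of authorised test windows so an in-house scan is explained without the whois detour:

```python
"""Added example: parse IPS block logs, find bursts of one signature from a
single source, and mark bursts that fall inside a registered test window.
Log format, addresses and the test register are all constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Made-up UTM line format (hypothetical; adapt the regex to the real device).
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IPS (?P<action>\w+) '
    r'src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) sig="(?P<sig>[^"]+)"$')

# Constructed sample log: one in-house burst, one external burst, one allow.
SAMPLE_LOG = """\
2008-02-04 10:02:13 IPS BLOCK src=10.20.30.40 dst=192.0.2.10 sig="Cross-Site Scripting"
2008-02-04 10:02:14 IPS BLOCK src=10.20.30.40 dst=192.0.2.10 sig="Cross-Site Scripting"
2008-02-04 10:02:15 IPS BLOCK src=10.20.30.40 dst=192.0.2.10 sig="Cross-Site Scripting"
2008-02-04 10:02:17 IPS BLOCK src=10.20.30.40 dst=192.0.2.10 sig="Cross-Site Scripting"
2008-02-04 10:05:01 IPS ALLOW src=198.51.100.7 dst=192.0.2.10 sig="HTTP GET"
2008-02-05 23:41:09 IPS BLOCK src=203.0.113.9 dst=192.0.2.10 sig="Cross-Site Scripting"
2008-02-05 23:41:10 IPS BLOCK src=203.0.113.9 dst=192.0.2.10 sig="Cross-Site Scripting"
2008-02-05 23:41:11 IPS BLOCK src=203.0.113.9 dst=192.0.2.10 sig="Cross-Site Scripting"
2008-02-05 23:41:12 IPS BLOCK src=203.0.113.9 dst=192.0.2.10 sig="SQL Injection"
"""

# Constructed register of authorised tests: source -> (start, end).  Filling
# this in before a test run is what turns "it was me" into a one-line answer.
AUTHORIZED_TESTS = {
    "10.20.30.40": (datetime(2008, 2, 4, 9, 30), datetime(2008, 2, 4, 11, 0)),
}


def parse_log(text):
    """Return a list of dicts (ts, action, src, dst, sig); unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def burst_report(events, signature_substr="Cross-Site", min_events=3, tests=AUTHORIZED_TESTS):
    """Sources with at least min_events blocked hits on the signature.

    For each, report the count, how many seconds the burst spanned, every
    other signature that source tripped, and whether a registered test
    window covers the whole burst ("explained").
    """
    blocked = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK":
            blocked[e["src"]].append(e)
    report = {}
    for src, evs in blocked.items():
        hits = [e["ts"] for e in evs if signature_substr.lower() in e["sig"].lower()]
        if len(hits) < min_events:
            continue
        first, last = min(hits), max(hits)
        window = tests.get(src)
        explained = window is not None and window[0] <= first and last <= window[1]
        report[src] = {
            "count": len(hits),
            "span_seconds": int((last - first).total_seconds()),
            "signatures": sorted({e["sig"] for e in evs}),
            "explained": explained,
        }
    return report


def needs_followup(report):
    """Sources whose burst no test window accounts for: these get the whois."""
    return sorted(src for src, r in report.items() if not r["explained"])


if __name__ == "__main__":
    rep = burst_report(parse_log(SAMPLE_LOG))
    for src, r in rep.items():
        print(src, r)
    print("follow up:", needs_followup(rep))
```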

Friday, February 01, 2008

What a week!

It's amazing how a week can go to pot in no time. I had such big plans for the week and they all just went up in smoke. I had several things that I was going to blog about and several things at work that I was going to accomplish. Very little of either happened. It all started Tuesday afternoon when I found out that I had unplanned meetings pop up. I was in a meeting every working hour Wednesday and Thursday. Of course most meetings equal unproductivity.

When I got a chance to slow down last night and check my email, RSS feeds and various other communication methods I was floored. Where does all this stuff come from? Most of it was quickly filed away to be dealt w/ today (which meant that I didn't get other things done). Now finally my inbox is either empty or at least prioritized, my RSS feeds are clear (mostly marked as read even if just to get it out of my face) and now I'm going to slow down and relax this weekend. The blog posts will have to wait a day or two (or maybe just go unwritten).

Hope y'all have a great weekend.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.