Musings on Information Security - November 2005
This work is licensed under a Creative Commons Attribution 2.5 License.
How to identify counterfeit US currency?

Interesting and educational:

http://www.secretservice.gov/know_your_money.shtml

Things to do to protect your privacy

I got this link from security guru Bruce Schneier's blog entry. Check it out; it is elegant and useful.

Hoofnagle's Consumer Privacy Top 10

Vendor Vulnerability
I was digging through the National Vulnerability Database maintained by the National Institute of Standards and Technology. This database keeps track of the security vulnerabilities reported over the years for various software and hardware vendors. It has a user-friendly interface that can categorize vulnerabilities by product and/or vendor for a given period of time.

 

I did some number crunching (using probability theorems) on this data for various vendors over the last few years to estimate the probability of a vulnerability given the vendor. Why do we need this? The answer is simple: the higher the probability of a vulnerability for a given vendor, the more likely threat events become. Threat events cost money, which results in a higher Total Cost of Ownership (TCO).

 

P(Vulnerability | Microsoft)
----------------------------  =  2.17
P(Vulnerability | Cisco)

 

The ratio means that if you choose Microsoft as a vendor you are about twice as likely to have a vulnerability as when you choose Cisco. Intuitively, this seems right; historically Microsoft has had a higher number of vulnerabilities than Cisco.

 

P(Vulnerability | Symantec)
----------------------------  =  3.23
P(Vulnerability | McAfee)

 

This ratio means Symantec products are about three times as likely to have a vulnerability as McAfee products. This is a more sensible comparison than the earlier one between Cisco and Microsoft, because Symantec and McAfee have similar product portfolios.

 

We can use these results as a yardstick for comparing vulnerability across vendors, which helps us determine not only whose product is more secure but also whose product has a lower total cost of ownership.

 

I will share the details of my findings in a downloadable PDF white paper shortly.

 

Guest Column #5: Suggestions to secure home computing - Muni Tripathi

Suggestions to secure home computing

 

Online attacks are continuously improving in technical sophistication and social engineering technique. In such a hostile environment, it is imperative that we pay attention to secure home computing and practice good habits to reduce our exposure. The risk of compromise is too great to ignore when your identity and financial data are at stake. Below are some suggestions to reduce exposure to online threats and increase your level of security. Choose what applies best to your situation and make these practices part of your daily routine. If it seems too painful or you think you can afford to be lax, just remember that you have to secure your information every time, whereas an attacker has to compromise it only once. So, read on.

 

  1. Hibernate or standby your computer when you are not using it. This reduces the time your computer is online and thus the attacker's window of opportunity (this is especially useful for broadband users).
  2. If you cannot put your computer in hibernation, at least disable network connections when you are not using the Internet.
  3. Do not use IE (Internet Explorer); use Firefox or another browser. This may seem an extreme idea at first, but stop using IE for a month and switch to another browser and you will be surprised at the noticeable performance benefits, not to mention the reduction in adware and spyware and the increased level of security.
  4. Never give out the password or PIN of your accounts, either online or over the phone. Legitimate businesses have no reason to ask for your passwords and PINs.
  5. Do not give out your bank account information online or over the phone unless you know whom you are dealing with.
  6. Bookmark the URLs of sites that you log in to with a username and password. This helps protect against phishing attacks that try to steal sensitive information about your accounts by making look-alike sites of banks or other institutions (such as Yahoo, PayPal etc.).
  7. Probably everyone knows this by now; still, it's worth repeating. Do not open emails and attachments from unknown senders.
  8. When clicking on URLs inside emails, verify that the URL you see in the browser window is the one you expect. That said, I suggest that you do not click on links in emails from unknown persons or businesses at all. Just by clicking, you may be putting yourself in danger. Often, such fake sites have hidden scripts and programs, and by opening them you end up downloading those onto your computer without your knowledge.
  9. Do not open IM (instant messaging) links from unknown persons.
  10. Do not disable automatic updates for legitimate software (Windows and other software which you have installed yourself).

 

There are still more things you can do to further increase the level of security; more on that later. Have a safe and secure home computing experience.

Simplified Security - Tip #24: Instant Messaging (IM) Security

Instant Messaging Security - Benefit is the company has secured a most often ignored channel of threat.

Security is only as strong as the weakest link. Many corporates spend tons of money securing their applications, hardware and infrastructure, but they forget to focus on a seemingly trivial application like IM. IM users can send unencrypted information, share files, share their on-line status and send audio/video to users across the Internet. As an example, a user's on-line status can reveal information about the user's on-line behavior: people outside the organization can find out when a particular user logs in and out of IM, make a good guess whether the user is logged in from home or the office, and hence determine location. Another example: if I knew that John had just met a friend called Tom, and was aware that John's buddy list did not yet have Tom's name in it, I could open an account tom234, add John as a buddy and fake Tom's identity to gain John's trust. This is easy because authentication is tied only to the on-line identity.

Many companies have come out with a corporate version of messenger, called enterprise messenger, which works only within the company and not across the Internet. Other vendors make IM gateway managers which sit behind the firewall and administer IM traffic. There is also a hybrid enterprise messenger solution which works not only within the company but also across the Internet.

There is no one right answer about how to secure IM in a corporate setting. There are some minimal things that corporates can do to secure IM:

0. Policy: Have a policy about IM usage.

1. IM Gateway: Implement an IM gateway to help log/monitor/administer IM traffic.

2. File Sharing: Block file sharing through IM.

3. Audio/Video: Block audio/video through IM.

Further along the spectrum, deploy an enterprise messenger solution which allows messaging only within the company. At the extreme end of the spectrum, create a policy which disallows IM usage altogether.

Thought #24 - Can IM be subject of SPAM?

Simplified Security - Tip #23: Implement DNS security

Implement DNS security - Benefit is the company has a notion of external and internal DNS servers, which prevents attacks against the company's DNS servers.

DNS is the glue that binds the Internet. DNS maps IP addresses to user-friendly names. Let us imagine a world without DNS for a moment: to access the Microsoft.com web site you would need to type http://207.46.130.108 - how much fun would it be to remember the millions of IP addresses of all the web sites? Now suppose you type http://www.microsoft.com in the browser, and your query is intercepted and a fake IP address is returned: the browser will connect to the fake IP. To take this to the next level, what if you tried to connect to a banking web site and got a fake IP? Your login/password could potentially be compromised. Messing with the IP address to name mapping is known as DNS spoofing; it is relatively easy to do, which makes DNS vulnerable.

These are the things we can do to protect DNS:

1. Avoid spoofing by encryption - Encrypt the data transferred between master and slave servers: use a shared secret or RSA to encrypt the data. Restrict zone transfers to known servers.

2. Don't list the private IPs of your zone - Disable the ls query (zone listing), which lists all the servers in a particular zone.

3. Isolate internal DNS servers from external DNS servers - Use a Split Horizon DNS architecture, which in layman's terms means using two sets of DNS servers: internal DNS servers answer intra-company queries and relay non-intra-company queries to the external DNS servers; external DNS servers service queries originating from the outside world for the zone's public IPs, and service the recursive non-intra-company queries coming from the zone's internal DNS servers. Split Horizon DNS can be implemented on a single BIND 9.x server using views, but I would not recommend a single DNS server serving both intra-company and outside-world queries at any cost.

4. Prevent outside-world induced recursive query attacks - Disable recursive queries on the external DNS servers for queries originating from the outside world.

5. Update/patch software - Use a recent version of BIND 9.x.

6. Configure your firewall - Log/monitor/administer DNS traffic.

7. DNS registry check - Last but not least, monitor your DNS registration at the root, i.e. perform a whois lookup regularly and make sure it returns the correct data.
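Added example (not from the original post): a small Python model of the split-horizon policy in items 1 to 4 above, standing in for a real BIND configuration. The zone name, record set, internal address ranges and secondary-server address are all constructed for the example. Internal clients get the full view and have their foreign queries relayed; outside clients see only the public records, get NXDOMAIN for private names, are refused recursion, and cannot pull the zone unless they are the listed secondary.

```python
import ipaddress

# Constructed data: the address ranges, zone records and secondary-server list
# below are made up for this example and are not from the original post.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_TRANSFER = {ipaddress.ip_address("203.0.113.2")}  # our only secondary (slave) server
ZONE = "example.com"

# External view: only the public addresses that the outside world may learn.
EXTERNAL_VIEW = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
}
# Internal view: everything in the external view plus the private intranet hosts.
INTERNAL_VIEW = {
    **EXTERNAL_VIEW,
    "intranet.example.com": "10.1.2.3",
    "db.example.com": "10.1.2.4",
}


def is_internal(client):
    """True if the querying client sits on one of the company networks."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in INTERNAL_NETS)


def answer(client, name, recursion_desired=False):
    """Answer one query the way a split-horizon server would.

    Returns the address for names this client may know, "NXDOMAIN" for names
    in our zone that this client is not allowed to see, "FORWARD" when an
    internal client asks about a foreign name (the internal server relays it
    to the external resolver), or "REFUSED" when recursion is not offered.
    """
    in_our_zone = name == ZONE or name.endswith("." + ZONE)
    if is_internal(client):
        if name in INTERNAL_VIEW:
            return INTERNAL_VIEW[name]
        if in_our_zone:
            return "NXDOMAIN"
        # Item 3: non-intra-company queries from inside are relayed outward.
        return "FORWARD" if recursion_desired else "REFUSED"
    # Outside clients see only the external view (item 3); private names in
    # the zone simply do not exist for them (item 2).
    if name in EXTERNAL_VIEW:
        return EXTERNAL_VIEW[name]
    if in_our_zone:
        return "NXDOMAIN"
    # Item 4: no recursion for the outside world, whatever they ask for.
    return "REFUSED"


def zone_transfer(client):
    """Item 1: hand the zone (AXFR) only to the listed secondaries."""
    if ipaddress.ip_address(client) in ALLOWED_TRANSFER:
        return sorted(EXTERNAL_VIEW)
    return "REFUSED"


if __name__ == "__main__":
    for client, name, rd in [("10.5.5.5", "intranet.example.com", False),
                             ("198.51.100.7", "intranet.example.com", False),
                             ("198.51.100.7", "www.google.com", True),
                             ("10.5.5.5", "www.google.com", True)]:
        print(client, name, "->", answer(client, name, rd))
    print("AXFR from 203.0.113.2 ->", zone_transfer("203.0.113.2"))
    print("AXFR from 198.51.100.7 ->", zone_transfer("198.51.100.7"))
```

In production these branches live in BIND's `view`, `match-clients`, `allow-recursion` and `allow-transfer` statements; the model only makes the per-client decisions explicit so they can be read and tested in one place.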

Thought # 23 - Why are there only 13 root name servers?

Guest Column #4: Securing Online Transactions (continued)

 

Securing Online Transactions

 

Continuing the secure online transactions discussion from last week, let us look at some more measures that financial institutions employ to provide higher level of security.

 

The concept of authentication is extended with two-factor authentication. Two-factor authentication depends on two factors unique to a user: something the user knows (password or PIN) and something the user has (token, smart card or biometrics). Many organizations issue a hardware token or a smart card and a reader to users. When logging in online, users insert the smart card or token into the reader. Security information is read from the card and the user is allowed access to the site. This approach is more secure because, in order to compromise an account, an attacker not only has to know the password but also has to possess the token, which is harder to obtain (although not impossible). If the gain is less than the expense of breaking a system, attackers do not benefit from making the effort.

 

Tokens can also be used as a device to generate one-time passwords (OTP). OTP tokens are time sensitive and generate new passwords periodically. When a user wants to access a site, he enters the password displayed on the token; this password is validated against a backend server, which uses the same method to generate the password. If the passwords match, the user is granted access. In token-based systems, security is tied to the security of the token. Hence, users should not write their user names or other sensitive information on the token, should keep the token in a safe place, and should promptly report its loss to the concerned authorities.
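Added example (not from the column or from any token vendor): a time-based one-time password generated the way the column describes, with the backend recomputing the same code. The seed and the fixed clock value are constructed. The verifier tolerates one step of clock drift in either direction, rejects a code from a token whose clock is minutes out, and refuses a counter it has already consumed, so a code captured on the wire cannot be replayed within its own step.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step, as in common hardware/software tokens
DIGITS = 6


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Code shown on the token at unix_time: HMAC-SHA1 over the time-step
    counter, dynamically truncated to `digits` decimal digits (RFC 6238 style)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret, candidate, server_time, last_counter=-1, step=STEP, skew_steps=1):
    """Backend check. Recomputes the code for the current step and for
    +/- skew_steps neighbours, so a token clock that drifts by a few seconds
    still works while a clock minutes out (or a stale captured code) fails.

    Returns the accepted counter, which the caller should persist as
    last_counter so the same code cannot be replayed, or None on failure."""
    now = server_time // step
    for counter in range(now - skew_steps, now + skew_steps + 1):
        if counter <= last_counter:
            continue  # already consumed: a captured code must not work twice
        expected = totp(secret, counter * step, step)
        if hmac.compare_digest(expected, candidate):
            return counter
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-seed"   # per-token seed shared with the backend
    t = 1_700_000_010                   # fixed "now" so the run is repeatable
    code = totp(secret, t)
    print("token shows  ", code)
    print("in sync      ->", verify(secret, code, t))
    print("31 s drift   ->", verify(secret, code, t + 31))
    print("10 min drift ->", verify(secret, code, t + 600))
    print("replayed     ->", verify(secret, code, t, last_counter=t // STEP))
```

The accepted counter is the piece most home-grown implementations forget to store: without it, a code stolen by a keylogger or over the shoulder stays valid for the rest of its 30-second step plus the skew window.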

 

Recently, Bank of America enhanced the way it authenticates users. It's called SiteKey (other banks may use different names). To set up SiteKey, users select an image and then answer a set of security questions. SiteKey keeps track of the computer on which it was created and follows the normal login procedure with one added step: it presents the image selected by the user at the time of SiteKey creation. The user should verify that he is getting the same image he selected. This comes in very handy in identifying phishing attacks. Since a phishing web site cannot know the image the user selected, it cannot present it, and so it should raise an alarm for the user if he ends up on a phishing web site. If a user does not use the same computer that created the SiteKey, he is asked a series of security questions, which only he can (or should be able to) answer.

 

As the stakes increase for securing online transactions, more innovative ways will be devised to provide the desired level of security. Financial industry leads the efforts since they have the highest stakes.

 

Note: Read “FFIEC Guidance Authentication in an Internet Banking Environment” (http://www.ffiec.gov/pdf/authentication_guidance.pdf) , for guidance to financial industry to secure online banking.

 


Muni Tripathi is a Senior Software Engineer at Arcot Systems. Muni has over 8 years of experience in software development with various networking and security technologies. In his current role at Arcot, he is working on development of security applications. He has previously held engineering positions at Brocade Communications and consulted at Cisco Systems. He is a CISSP. He holds BE degree in Electronics and Communications from IIT, Roorkee and MS in Electrical Engineering from USC, LA. 

Teenager exposes Google Talk Vulnerability!

And gives a name to the vulnerability - "We called this bug KESM, which stands for Killer Empty Sender Message."

http://www.securityfocus.com/archive/1/416154

GoogleTalk - are you still talking?

Quotable security quotes #11 - Eric Raymond

"Being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer."

- Eric Raymond

Simplified Security - Tip #22: Implement perimeter security

Implement perimeter security - Benefit is the company has a mechanism to police the traffic that enters the corporate network and prevent unwanted traffic.

The perimeter is the border of your corporate network: this is where the corporate network connects to the Internet, and it is the entry point of Internet traffic into your corporate network.

Gone are the days when just an access list on the border router prevented undesirable traffic. Welcome to the world of viruses, worms, trojans and denial-of-service.

Some of the best practices for perimeter security are:

1. Implement Committed Access Rate (CAR) on the ISP router. This can prevent DoS attacks coming from the Internet to a certain extent.

2. Implement RFC 1918 and RFC 2827 filtering on the edge router. RFC 1918 filtering prevents packets with a private IP address as the source address from being routed to the Internet, and blocks packets with a private IP address as the source address coming from the Internet. RFC 2827 filtering prevents packets with a non-inside source IP address from going to the Internet, and blocks packets with an inside source IP address entering from the Internet.

3. Implement an inline firewall which can police traffic. Inline means active listening and blocking mode. A firewall with application-level filtering capability is recommended, as is a series of two firewalls from different vendors.

4. Deploy the public servers (external SMTP, external DNS and external WWW) in a separate zone called the Demilitarized Zone (DMZ). This zone has a lower security level than the private network.

5. Implement an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). An IPS operates in inline mode.

6. If you are co-locating your servers at an ISP, make sure their perimeter is secure before you co-locate.

7. If you have a remote office, make sure you connect to it only through a VPN; the same applies to remote users.

8. Use Network Address Translation to mask internal IP addresses.
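Added example (not from the post): the RFC 1918 and RFC 2827 decisions from item 2 written out as a Python function so the four cases can be checked against sample packets. The address values are constructed; 203.0.113.0/24 stands in for the company's public block. Ingress drops private or own-address sources, egress permits only the company's own sources.

```python
import ipaddress

# Constructed: the company's public allocation and the RFC 1918 private ranges.
INSIDE = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def filter_packet(direction, src):
    """Decision for one packet at the edge router, based on its source address.
    direction is "in" (arriving from the Internet) or "out" (leaving for it)."""
    addr = ipaddress.ip_address(src)
    private = any(addr in net for net in RFC1918)
    inside = addr in INSIDE
    if direction == "in":
        # RFC 1918: a private source can never legitimately arrive from the Internet.
        # RFC 2827: neither can a packet claiming one of our own addresses.
        return "deny" if (private or inside) else "permit"
    if direction == "out":
        # RFC 1918: private sources must not leak out to the Internet.
        # RFC 2827: anything we send must carry one of our own addresses.
        return "permit" if inside else "deny"
    raise ValueError("direction must be 'in' or 'out'")


def audit(packets):
    """Run a batch of (direction, source) pairs and return the ones that are denied."""
    return [(d, s) for d, s in packets if filter_packet(d, s) == "deny"]


if __name__ == "__main__":
    sample = [("in", "10.1.1.1"), ("in", "203.0.113.5"), ("in", "198.51.100.9"),
              ("out", "203.0.113.5"), ("out", "192.168.1.2"), ("out", "198.51.100.9")]
    for pkt in sample:
        print(pkt, "->", filter_packet(*pkt))
```

The egress rule is the one most often skipped: it costs nothing locally but stops the company's own hosts from being used as a source of spoofed-address traffic, which is the point of RFC 2827.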

Thought #22 - What does SPAN mode connectivity for an IDS mean?

 

Simplified Security - Tip #21: Remote access security

Remote access security - Benefit is the company can ensure that employees connect securely to the corporate network and that they do not introduce any vulnerabilities into the network.

The days are numbered when employees use POTS to connect to the corporate network. Any external connection to your corporate network is an entry point for vulnerabilities, and plain dial-in is not a desirable connectivity solution anymore.

Virtual Private Network (VPN) is the technology that evolved to address secure remote connectivity. There is a multitude of VPN protocols, such as IPsec, PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and SSL, and some are built into the OS.

If there are many VPN users, dedicated VPN hardware is a good choice. IPsec is a good protocol of choice and is supported by many VPN vendors. IPsec provides stronger encryption than PPTP or L2TP.

An IPsec VPN is a good choice if the remote client base is large. IPsec can also be used to tunnel data securely between two different locations.

If there are fewer users (and the processing overhead is therefore lower), an SSL VPN is a good option. An SSL VPN has less maintenance overhead, i.e. remote clients do not need any additional software installed; it works through the web browser. This advantage of SSL VPNs can turn out to be a disadvantage, since users can connect from any unsafe computer which has a browser installed.

The choice of remote access solution depends on company's context. Here are some things to remember before implementing remote access:

1. Always provide secure access: use VPN technology rather than POTS dial-in.

2. For a large remote client user base, IPsec is the preferred protocol.

3. If you want less staff maintenance overhead and more remote client flexibility, use SSL VPNs.

4. It is always a good idea for the VPN policy to include anti-virus and firewall checks on the remote client, in addition to authentication.

Thought #21 - How do you arrive at the optimal VPN policy?

Guest Column #3: Securing Online Transactions Against Keyloggers - Muni Tripathi

Securing Online Transactions Against Keyloggers

The requirement to secure financial transactions is self-evident. No one wants financial transactions made without their authorization and knowledge. Risks are higher when transactions are made online. In this article, let's examine the threat posed by keyboard loggers. A keyboard logger, also called a keylogger, is software that captures keyboard input, including the logon information for your accounts. It's easy for a hacker to install a keylogger on your computer without your knowledge. Anti-virus and firewall software may not detect and prevent the installation of keyloggers. This is a significant threat to a secure operational environment for online transactions.

Before looking at a couple of ways to mitigate the risk posed by keyloggers, let us understand how a keylogger compromises security. Verifying the identity of a user is called authentication. Most of the financial services operating on the Internet today use Single Factor Authentication technology. Single Factor Authentication is verification of a user's identity with a single piece of information, something that the user knows, such as a password or PIN. When a user logs onto a secure site, he enters this information using his keyboard. With a keylogger installed on your system, this sensitive information is compromised.

So, how do you fix it? Some banks have implemented creative approaches to reduce the risk. One approach displays a number pad on the web site for PIN input and does not take keyboard input at all. You click on the numbers on the pad to input your PIN, instead of using the keyboard. It reduces the risk for educated users, but for a user who uses the keyboard (although wrongly) while interacting with the new interface, there is still a small window in which a keylogger can capture the sensitive information. It's still a significant improvement over plain keyboard input. Another method is to use One Time Passwords (OTP). In this approach, banks give out a set of randomly generated passwords to customers through a pre-established channel. These passwords expire after a single use, so even captured passwords are no good.
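Added example (not from the column or from any bank): the pre-issued one-time password list described above, seen from the bank's side. The alphabet, list size and password length are constructed choices. The plaintext list goes to one customer through the out-of-band channel; the bank keeps only hashes and burns each one on first use, so a password captured by a keylogger is worthless afterwards.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # constructed: no 0/O or 1/I look-alikes


def issue_password_list(count=5, length=8):
    """Bank side: make `count` random single-use passwords for one customer.
    Returns the plaintext list (to be delivered through the pre-established
    channel, e.g. printed and posted) and the hashed copy the bank keeps."""
    plain = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    stored = {hashlib.sha256(p.encode()).hexdigest() for p in plain}
    return plain, stored


def redeem(stored, candidate):
    """Bank side: accept `candidate` only if it is one of the unused passwords,
    and burn it on success so a keylogged copy cannot be replayed."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    for h in list(stored):
        if hmac.compare_digest(h, digest):
            stored.remove(h)
            return True
    return False


def remaining(stored):
    """How many unused passwords the customer has left (time to post a new list)."""
    return len(stored)


if __name__ == "__main__":
    plain, stored = issue_password_list()
    print("handed to customer:", plain)
    print("first use ->", redeem(stored, plain[0]))     # True
    print("replay    ->", redeem(stored, plain[0]))     # False: already burned
    print("left      ->", remaining(stored))
```

The set `stored` belongs to a single account, so the bank never needs to search across customers; in a real deployment it would be keyed by account id and the hashes salted per account.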

 

The responsibility for securing users' own computers lies with users. But there are too many variables that users are not aware of or do not control. It's good to see some banks and other institutions take the initiative to reduce some of these variables and make the overall environment more secure.

 


 


Viruses, worms and patching

There is an excellent article by security guru Bruce Schneier about the Zotob worm. He likens worm/virus incidents to natural disasters: preparation is the essence of defense.

It has to be remembered that just patching for one worm or virus does not complete your job. Variants (kin) of the same worm or virus are most likely to hit in the next few days, which can delude incident/patch management.

I agree with Bruce when he says a sound process is the answer for sustained and effective incident handling.

 

Simplified Security - Tip #20: Implement web security

Implement web security - Benefit is the company is protected at one of the most common attack entry points.

Though web security can be addressed under the umbrella of application security, the pervasiveness of web applications and their vulnerabilities prompted me to dedicate a separate section to it.

Web applications are one of the most exploited classes of applications. The very nature of being available over the network on a standard port makes them even more vulnerable.

These are some tips for implementing web security:

1. Keep your web server updated with the latest patches.

2. Disable directory listing on your web server.

3. Implement Secure Sockets Layer (SSL) on the web server wherever possible. Make sure to use a certificate from a trusted vendor and do not use self-signed certificates on production web servers.

4. Disable web server modules that are considered to pose a security risk.

5. Implement a reverse proxy or a load balancer to protect the real web server.

6. Implement a high-availability architecture.

7. Use network address translation to protect the real web server's IP address.

8. Run the web server in a chroot jail and also make sure to run it under a non-privileged user such as nobody.

9. Audit CGI or other scripts for vulnerabilities before they are allowed to run on the web server.

Thought #20 - Why do many sites leave a configuration setting on when the recommended setting is off?

Simplified Security - Tip #19: Operations security

Operations security - Benefit is the company has an operational framework that is robust and is not vulnerable to threat agents.

The term operations security is a very broad concept. It can involve anything from system architecture to change control. For the purpose of this document, operations security involves three distinct parts:

- Production system architecture

- Production system integrity

- Life cycle management of application and/or system

The production system architecture should be designed robustly. The recommended solution is a high-availability architecture where members operate in either a clustered or a load-balanced fashion. A high-availability architecture makes the system less vulnerable to threat events: if a threat event has occurred on one or more members, there are other members that can handle the load.

Production system integrity can be maintained by using a change control mechanism. No change should be allowed on a production system unless it has been reviewed and has passed through the change control process.

Life cycle management of the system/application should be performed with security in mind. When software or a system is upgraded, it is critical to assess the security impact of such an action. The most desirable solution would be to integrate security specifications into the development and testing of the system/application; by doing this we can make sure that robust systems/applications are released to the production environment.

Thought #19 - Should penetration testing be a part of product testing?

How vital is time for security?

Felix Mohan is a brilliant security strategist and a leader in the Indian IT security space. He is the CEO of a top-notch security company in India called SecureSynergy. His article titled Time Synchronization - Vital for Info-Security describes the ramifications of skewed time across systems.

In summary, unsynchronized time can affect:

1. Authentication, as some authentication applications depend on time stamps.

2. The functioning of applications which are dependent on time stamps.

3. Audit/log time stamps, and hence computer forensics.

4. Time stamps on files, which track the date and time of file creation, last access, last modification etc.

5. Scheduled tasks or cron jobs - imagine the effect on stateful applications.

And more, such as sub-optimal performance of certain applications such as NFS, resulting in additional network load, and confusion among communicating parties (think email).

How about the ramifications of unsynchronized time on an e-commerce shop? Do you want your credit card transaction to show up with a wrong time stamp?

 

Guest Column #2: ClickFraud - Muni Tripathi

ClickFraud:

In the past decade, advertisers have found the web to be a new medium for advertising. It's a simple concept: service providers (Google, Yahoo etc.) place ads on web sites, and charge the advertiser for each click received on their ads. One such program is Google's "AdSense", which places Google ads on web sites that have content relevant to the ads. Since the ads are context sensitive, this increases the chances of monetizing the ad. Google charges the advertiser money for clicks on an ad and shares it with the web site owner. Another approach is Google AdWords: in this approach, the advertiser buys a keyword for a price, and when a user searches for the keyword, the results display the advertisement of the advertiser who has paid for that keyword.

If a user is not interested in something, he is not likely to click on an ad, so this is a very efficient model for advertisers. However, it also has a potential for what is called 'ClickFraud'. This is the practice of deliberately generating clicks on an ad in order to increase the fees paid by advertisers. To increase their revenue, rogue web site operators could themselves click on ads and/or pay others to do so. Competitors of an advertising company could hire people or use automated tools to generate clicks, in order to run up the competitor's advertising bill without any actual sales. This could become a serious issue for advertisers and hit their bottom line.

How can ClickFraud be prevented? Service providers employ sophisticated techniques to detect fraudulent clicks on ads. Some of the simple and obvious things that can be done are to check the IP addresses of the machines originating the clicks, check the interval between clicks from a network address range, generate statistical data and heuristics over a period of time, and trigger alarms for abnormal click behavior. Advertisers can protect themselves by keeping a tab on the fees they are paying for ad clicks and matching them against the sales generated from these clicks; an abnormal trend in the figures should raise an alarm. Another way to minimize ClickFraud is an agreement between service providers and web site owners: any fraudulent activity can cause the partnership to end and may lead to litigation.
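Added example (not from the column or from any ad network): two of the checks listed above, per-address click rate and distinct addresses per /24, run over a constructed click log in Python. The log lines and thresholds are made up for the example; the billable count shows how flagged traffic would be excluded from the advertiser's bill.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed ad-click log (timestamp, client IP, ad id); not real traffic.
CLICK_LOG = """\
2005-11-20T10:00:00 198.51.100.7 ad42
2005-11-20T10:00:02 198.51.100.7 ad42
2005-11-20T10:00:03 198.51.100.7 ad42
2005-11-20T10:00:05 198.51.100.7 ad42
2005-11-20T10:00:06 198.51.100.7 ad42
2005-11-20T10:01:00 203.0.113.5 ad42
2005-11-20T10:07:30 203.0.113.9 ad42
2005-11-20T10:08:00 203.0.113.12 ad17
2005-11-20T10:08:01 203.0.113.13 ad17
2005-11-20T10:08:02 203.0.113.14 ad17
2005-11-20T10:08:03 203.0.113.15 ad17
2005-11-20T10:08:04 203.0.113.16 ad17
2005-11-20T10:08:05 203.0.113.17 ad17
"""


def parse(log):
    """Turn the text log into (datetime, IPv4Address, ad_id) tuples."""
    rows = []
    for line in log.splitlines():
        ts, ip, ad = line.split()
        rows.append((datetime.fromisoformat(ts), ipaddress.ip_address(ip), ad))
    return rows


def subnet(ip, prefix=24):
    """The /24 (by default) that an address belongs to, as a string key."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def flag_clicks(clicks, max_per_ip=3, max_per_subnet=5, window=timedelta(minutes=1)):
    """Apply two of the column's heuristics and return a set of flags:
      (ad, "rate", ip)    - one address clicked the ad more than max_per_ip
                            times inside some `window`
      (ad, "range", net)  - more than max_per_subnet distinct addresses from
                            one /24 clicked the same ad inside some `window`
    """
    flags = set()
    by_ip = defaultdict(list)
    by_net = defaultdict(list)
    for ts, ip, ad in clicks:
        by_ip[(ad, ip)].append(ts)
        by_net[(ad, subnet(ip))].append((ts, ip))

    for (ad, ip), times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            inside = [t for t in times[i:] if t - start <= window]
            if len(inside) > max_per_ip:
                flags.add((ad, "rate", str(ip)))
                break

    for (ad, net), hits in by_net.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {ip for t, ip in hits[i:] if t - start <= window}
            if len(distinct) > max_per_subnet:
                flags.add((ad, "range", net))
                break
    return flags


def billable_clicks(clicks, flags):
    """Clicks per ad after dropping traffic from flagged addresses and ranges;
    this is what the advertiser should actually be charged for."""
    bad_ips = {(ad, key) for ad, kind, key in flags if kind == "rate"}
    bad_nets = {(ad, key) for ad, kind, key in flags if kind == "range"}
    counts = defaultdict(int)
    for _, ip, ad in clicks:
        if (ad, str(ip)) in bad_ips or (ad, subnet(ip)) in bad_nets:
            continue
        counts[ad] += 1
    return dict(counts)


if __name__ == "__main__":
    clicks = parse(CLICK_LOG)
    flags = flag_clicks(clicks)
    for f in sorted(flags):
        print("suspicious:", f)
    print("billable:", billable_clicks(clicks, flags))
```

On the sample log the single address hammering ad42 and the burst of six neighbouring addresses on ad17 are both flagged, and only the two unflagged ad42 clicks remain billable. Real thresholds come from the statistical baseline the column mentions, not from fixed constants.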

 

Can ClickFraud be completely eliminated? It is unlikely, but with a combination of the various prevention measures and inherent trust in people's good behavior, the damage should remain within acceptable limits.

 

Reference:

Click Fraud: Google v. Auctions Expert International, Edward H. Freeman

 


 


Should security vendors try to seek malicious code?

There is an interesting article by Ken Dunham. The article talks about the availability of the source code of malcode (malicious code) and its ramifications. This opens a can of worms.

If black-hats have access to the source of malicious code:

1. Black-hats can tweak the source code and create new variants of existing viruses or worms.

2. Black-hats can automate the process of generating viruses and worms: with the click of a button they can unleash an attack. They have already accomplished this; they have a GUI for it!

3. Black-hats can cross-breed these different classes of malcode and create an even more powerful progeny.

4. Black-hats can review the code and understand the attack vectors.

5. They can make the code easily available to other black-hats.

The implications of the above are:

1. Reduction in the cycle time to create new viruses and worms - expect new variants sooner rather than later.

2. Viruses and worms which are more complex and whose attack vectors are highly distributed: this makes incidents difficult to tackle, because vulnerabilities need to be addressed across multiple systems.

3. Viruses and worms which are an order of magnitude more powerful than their predecessors.

4. Malicious source code re-use makes it easier to create viruses and worms.

The vendors who develop patches usually fix vulnerabilities based on the known behavior of the viruses and worms, since most of the time they don't have access to the malcode. Should they try hard to get access to malicious code?

How to become a blogger?

I started blogging due to inspiration from my hero Rajesh Setty.

Please check out Rajesh's posting about the Blogging Starter Checklist. It provides enough information for any of you who would want to start blogging. If you need more information, I am always reachable at:

ravi_char  at hotmail dot com (This method helps prevent spam)

Blogging has provided me a platform to channel the unstructured information in my head in a structured way. Recently, I heard from my former colleague and Toastmasters guru Randie. This is what Randie emailed about my blog:

"I looked at your blog and I was literally blown away.  That was fantastic, informative and entertaining.  I learn a lot about a lot of things just by reading it for a few minutes."

Thanks Randie. Emails like these motivate me to do even better: be more relevant, add more value and provoke more thoughts. Thanks to you all!

 

Simplified Security - Tip #18: Vulnerability management team

Vulnerability management team - Benefit is the company has a mechanism to act on newly discovered vulnerabilities and generate suitable action to mitigate them.

Threat agents take advantage of vulnerabilities. Almost every day new vulnerabilities are detected, and some of them are serious in nature. If these vulnerabilities are not addressed in a timely manner, the result will be a threat event: a threat agent taking advantage of the vulnerability.

The Vulnerability Management Team (VMT) provides pro-active vulnerability mitigation. Some of the typical tasks of the VMT are:

- Pro-actively monitor vulnerabilities, for example by tracking the latest CERT advisories.

- Work with application and system owners to make sure that vulnerabilities are addressed in a timely manner.

- Decide when a vulnerability needs to be addressed, or whether it needs to be addressed at all, and identify the ramifications of addressing it (for example, the ramifications of patching the system).

The VMT is a very important part of the security program. A system which may be secure today will not be secure tomorrow without the VMT.

Thought #18 - How do you make a decision whether to address vulnerability or not?

Simplified Security - Tip #17: Implement physical security

Implement physical security - Benefit is the company eliminates another major source of security threats.

No amount of technical controls can provide adequate security unless the physical environment of the company facility is well protected. Imagine if someone could walk into the company office and walk away with a proprietary document; the ramifications could be tremendous.

Physical security can be divided into three parts:

Administrative - This involves facility selection, site management and personnel control.

Technical - This includes fire detection and suppression, intrusion detection, CCTV, HVAC and smart/dumb access cards.

Logical - This includes fencing, lighting, locks, guards and dogs.

To implement good physical security we need a combination of the various components above. It is a good idea to design the facility that houses the IT infrastructure with security in mind rather than implementing security as an afterthought. If designing it is not an option, select a site that meets most of your security needs.

Some of the physical security controls that are mandatory are smart/dumb access cards to the facility, HVAC and CCTV. It is a good idea to have a guard monitor the facility round the clock if the company can afford it.

Thought #17 - What is the most important objective of physical security?

 

