Software, Interrupted

Read all 'Security' posts in Software, Interrupted
September 9, 2009 7:38 PM PDT

Avoiding the software 'fail whale'

by Dave Rosenberg
Avoid the "fail whale" (Credit: Twitter)

The tech world is all too familiar with Twitter's "fail whale" and has become accustomed to Gmail failures (which are inevitably chronicled on Twitter). And while sometimes it's infrastructure (such as routers and switches) rather than software that fails, it often seems as if we too readily accept that software will inevitably break down.

Mark Donsky, director of product management at Coverity, recently commented on a static analysis of open-source projects performed on the Scan site, which showed a 71.9 percent correlation between the number of lines of code and the number of defects found.

This is, of course, not an open-source problem but a general issue that occurs as more code is integrated into products. I've been told that Windows is developed with two quality assurance people to every engineer as the product has grown over the years.

Coverity is focused on software integrity and advocates static analysis early in the development cycle. While testing of all kinds, including static analysis, is obviously a good idea, the tools and methods vary dramatically by engineering organization. The Software Engineering Institute (SEI) at Carnegie Mellon University and the Object Management Group (OMG) recently paired up to form a consortium to establish standards for software quality.

... Read more
June 19, 2009 9:56 AM PDT

Safeguarding your wireless network

by Dave Rosenberg

It seems like every few months I have to set up a wireless network for someone. And while it's certainly an easy task, I am fairly sure that the security choices people make in the process are probably not the most iron-clad.

Whether by design or by default, every company and, now, most homes have a wireless network. Unless you understand, control, and manage this network, you are creating vulnerabilities that threaten network security. As more and more companies begin using wireless as a primary medium for data services, including VoIP and video, preventive measures should be taken to better safeguard your Wi-Fi.

I spoke with Jay Botelho, director of product management at WildPackets, who provided three tips to safeguard a wireless network:

1. Ad-hoc mode: Turn it off--forever.
I'm amazed how often I continue to see laptops in public places, like airports, coffee shops and trade shows, that are configured with ad-hoc mode enabled. Just "view available wireless networks" next time you're in a public place and I'm sure you'll find a neighbor or two with ad-hoc mode enabled. If they're a colleague of yours, do them a favor and tell them to disable ad-hoc mode--forever. There's nothing it can do for them, except create a possible security breach. And whatever you do, don't connect to an unknown ad-hoc network. You may just be taking someone else's bait.

2. Use WPA-2.
The word has been out for a while, but usage of sub-standard wireless authentication/encryption, including WEP, is still prevalent. There's no reason to be using anything except WPA-2. Every wireless adapter and every AP for sale today supports WPA-2. Some of your gear is 4-plus years old and doesn't support WPA-2? Replace it! I'm sure there are some killer deals at your local electronics store. And the risk far, far outweighs the expense. You don't have to look far to find evidence of this--remember TJ Maxx?

3. Establish firm security policies.
The above concrete actions are just examples of what is truly needed: a complete security policy for your organization. The policy must tie overall network security with wireless security. It's all one network--it needs a single unified policy that incorporates all levels of network access. Wireless is only one of them.

Follow me on Twitter @daveofdoom

June 15, 2009 5:19 PM PDT

On encryption and why it's overrated

by Dave Rosenberg

I ran across a recent blog post by storage vendor Cleversafe titled "Three Reasons Why Encryption is Overrated," and as I suspected it generated a lot of discussion in online forums (LinkedIn, Google Groups, log-in required for both) dedicated to those issues.

Beyond the sensationalist headline, the post does raise some interesting points for consideration on the topic of encryption.

  1. Future processing power--In the future, malicious hackers will be able to crack older encrypted files due to increases in processing speed.
  2. Key management--An encrypted file has a key to unlock it. Lots of files means lots of keys. Lots of anything equals management headaches.
  3. Disclosure laws--Such laws mandate that data breaches are reported. Whether or not that exposed data is safely encrypted doesn't really matter at that point--the court of public opinion has branded you guilty.

Distribution or dispersal of data (Cleversafe's approach) is certainly one way to deal with emerging security threats, but it may not be the right way for everything. The important thing is to start looking at new technologies and methods to determine what's right for your business and technology strategy.

Follow me on Twitter @daveofdoom.

April 23, 2009 3:25 PM PDT

Turning hackers into helpers

by Dave Rosenberg

I heard an interesting story from the guys at WildPackets, a provider of network and application performance monitoring, analysis, and troubleshooting, that is faced with an unexpected dilemma.

More than 100,000 unique visitors a month--a large percentage of them ne'er-do-well hackers--are downloading WildPackets' free drivers for reasons other than their intended purpose: capturing wireless network traffic for monitoring and analyzing network and application performance.

These drivers are often being used in conjunction with AirCrack, an open-source program that cracks WEP passwords, typically for the purpose of accessing password-protected wireless networks.

The people at WildPackets are trying to be good Web citizens--their license agreement and the Web page state that the drivers are only downloadable for use with licensed WildPackets' products--but the downloads persist. So the company is trying to put this high volume of traffic to good use by turning hackers into helpers.

Prominently displayed at the top of the driver page is a banner that reads "105,000 people access drivers here from WildPackets monthly, $1 from you could help find a cure for Parkinson's - please donate today" linking directly to the donation page of the Parkinson's Institute and Clinical Center in the Silicon Valley.

Turns out some hackers have compassion, or at least are curious enough to check it out further. In less than one week, more than 1,000 people have clicked on the banner. WildPackets doesn't yet know how many clicks have yielded donations, but it's reached out to the charity for details to spread this story to a larger audience.

Follow me on Twitter @daveofdoom

February 19, 2009 2:26 PM PST

The biggest online security risk: humans

by Dave Rosenberg

Following up on a post about the top Web 2.0 security threats I thought I would take a quick look at what I mentioned as one of the biggest security threats to any company: information leakage.

All the delightful modern collaboration tools we use--blogs, wikis, SaaS applications, etc.--just make it easier for your corporate information to walk out the door. Regardless of the systems or applications your company uses, odds are any piece of data can (and will) be accessed, e-mailed, written down, or just remembered by a large percentage of your staff.

Information Leakage: Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish as part of their Web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.

Generally speaking, information leakage is nearly impossible to contain, regardless of whether data is Web 2.0 browser-based or not. Think back to the last time you used a public Web terminal at an event or hotel--I can't remember a time when I couldn't just hit the back button or history tab, which at a bare minimum revealed the last user's e-mail address.

So what can you do to protect your business? The truth is that there are few non-draconian methods available to protect your data and ensure that people are using collaborative tools effectively. In this case, prevention is the best medicine.

... Read more
February 17, 2009 12:30 PM PST

Ignore these browser flaws at your own risk

by Dave Rosenberg

The Secure Enterprise 2.0 Forum has just released its 2009 industry report outlining the top Web 2.0 security threats. These security threats are not so much specific to Web 2.0 companies as much as they are to browser-based applications.

The list of key Web 2.0 security threats:

  • Cross Site Scripting (XSS): Malicious input is sent by an attacker, stored by a system, and then displayed to other users. Systems that allow users to input formatted content, such as HTML, are more susceptible to XSS and malicious scripts. This type of functionality, in which many users can create content viewed by other users, is typical of Web 2.0 systems such as social networks, blogs, or wikis, making Web 2.0 applications especially vulnerable to XSS. Web 2.0 applications rely heavily on user-generated input. In order to allow the user great control over the content design, applications often allow HTML tags that are not safe and can be abused for XSS.
  • Cross Site Request Forgery/Cross Gadget Request Forgery: The victim visits a malicious Web site. While content is displayed on the victim's browser, the malicious site code generates requests to a different site to which the victim is authorized, for example through a persistent cookie. Such requests can perform operations on behalf of the victim, even across insecure gadgets on the same Web page.
  • Phishing: The victim receives by e-mail a request to install a fraudulent widget, or is redirected to a fraudulent Web site in order to fill an online form with sensitive information.
  • Information Leakage: Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish, as part of their Web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.
  • Injection Flaws: Web 2.0 is vulnerable to new types of injection attacks, including XML injection, XPath injection, JavaScript injection, and JSON (JavaScript Object Notation) injection. In addition, because they rely heavily on client-side code, Web 2.0 applications more often perform some client-side input validation, which an attacker can bypass.
  • Information Integrity: Information correctness is one of the key elements of data security. While we usually think about loss of integrity due to a malicious hack, unintentional misinformation also leads to loss of integrity.
  • Insufficient Anti-Automation: The programmatic interfaces exposed by Web 2.0 applications enable an attacker to automate attacks. Two examples of automation include brute force attacks and Cross Site Request Forgery. Other examples include automated retrieval of a large amount of information and automatic opening of accounts, for example as part of a phishing attack.

Personally, I think the biggest risk is information leakage. Despite any and all attempts to stop information from walking out the door, there is little that can actually be done. More about that in a future post.

Via ReadWriteWeb

January 7, 2009 9:12 PM PST

Destroy, don't delete your old hard drives

by Dave Rosenberg

BBC News reports on a study by the computing magazine Which?, which recovered 22,000 "deleted" files from eight computers purchased on eBay.

The recommended way to really make sure your data is gone is to take a hammer or drill to the drive and completely destroy it. Just think of all the YouTube fun to be had destroying computers and cell phones.

December 15, 2008 8:38 AM PST

PlayStation 'Home' gets hacked multiple times

by Dave Rosenberg

It didn't take very long for Sony's new PlayStation Home to fall prey to hackers, with multiple developers already exploiting different areas of the service.

One hack uses Apache and DNS redirection to let you serve your own version of PS Home, displaying movies, text and music of your choosing.

Another hack allows for the downloading of any file you want, like someone's user profile or avatar, and the final near-term vulnerabilities include uploading any file to the Home server or deleting any file from the Home server.

It's not clear to me that there won't be APIs or other mechanisms to interact with PlayStation Home in the ways that the hacks have determined, but I would assume open APIs would make hacking a lot less interesting. Besides the obvious business reasons to release open APIs (increase adoption, ecosystem, etc.) it would give people the option to do more creative and less risky hacks around the core and accessories.

A quote from StreetskaterFU:

SONY f*%&d it really up! First they delay HOME for more than a year, then they delay it a few times again and again till finally we have a HOME beta on a technical standard from 2005 with crappy graphics, a few boring areas and many many many many many many many many bugs.

It's a bit surprising just how weak the security is, especially considering the competitive pressures and the existing knowledge of how to build secure client/server applications. So far it sounds like basic enterprise development techniques would have removed these risks.

Via Gizmodo

November 24, 2008 1:50 PM PST

Symantec: Underground internet economy continues to grow

by Dave Rosenberg

Symantec is out with its annual report on the underground economy, and it's clear that crime pays. Apparently we all would have been better off investing in phishing scams and botnets instead of stocks and the US housing market.

Symantec estimates the value of total advertised goods on observed underground economy servers at over $276 million for the reporting period, with credit card information accounting for 59 percent of that total.

Using a median value for credit card fraud and an average bulk purchase size for credit cards, the potential worth of all credit cards advertised during this reporting period would be $5.3 billion.

A few highlights from the report:

  • Bank account credentials were the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 18 percent of all items; prices for bank account credentials ranged from $10 to $1,000, depending on the balance and location of the account.
  • Desktop games were the most pirated software, accounting for 49 percent of all file instances observed.
  • Symantec observed 69,130 distinct active advertisers and over 44 million total messages posted on underground economy servers during this reporting period.
  • The United States hosted 41 percent of the total observed underground economy servers worldwide, while Romania had the second highest percentage at 13 percent of the total.
  • Phishing scam hosting services were offered for an average price of $10 with prices ranging from $2 to $80.

November 19, 2008 2:05 PM PST

Top five IT spending priorities for the recession

by Dave Rosenberg

InfoWorld consulted a range of analysts and CIOs to figure out the five technologies IT shops must continue to invest in despite the recession. The common theme, says IDC chief analyst and senior vice president Frank Gens, is that "any technologies that can save companies money or reduce expenses will continue to thrive."

1. Storage: Disks and management software
2. Business intelligence: Niche analytics
3. Virtualization: Optimizing resources
4. Security: Data and end points
5. Cloud computing: Business solutions

These are all very logical, but I fail to see why the Cloud factors so heavily (say, in contrast to something like SOA with reusable services). Sure, EC2 can help save money, but it also means you have to change business processes and be subject to variable versus fixed costs for computing resources. Amazon's flexible pricing is great if you know what you are spending, but risky if you don't.

Full article at InfoWorld.com

About Software, Interrupted

In "Software, Interrupted," Dave Rosenberg discusses disruption in the software market, as well as the products and services that keep business technology norms in perpetual flux.

With nearly 15 years of technology and marketing experience spanning from Bell Labs to multiple start-up IPOs, Dave co-founded open-source software company MuleSource and now serves as general manager of Hardy Way. He also happens to be a U.S. patent holder and a workaholic. Technology is his best friend and mortal enemy.
