[SecurityRatty] tag: access

Encrypting Disks

Fri, 04 Jul 2008 09:10:18 +0000

The UK is learning:

The Scottish Ambulance Service confirmed today that a package containing contact information from its Paisley Emergency Medical Dispatch Centre (EMDC) has been lost by the courier, TNT, while in transit to one of its IT suppliers. The portable data disk contained a copy of records of 894,629 calls to the ambulance service's Paisley EMDC since February 2006. It was fully encrypted and password protected and includes the addresses of incidents, some phone numbers and some patient names. Given the security measures and the complex structure of the database it would be extremely difficult to gain access to any meaningful information.

News story here. That's what you want to do. There is no problem if encrypted disks are lost. You can mail them directly to your worst enemy and there's no problem. Well, assuming you've implemented the encryption properly and chosen a good key. This is much better than what the HM Revenue & Customs office did in November. I wrote about disk and laptop encryption previously.

Meme for the Fourth

Thu, 03 Jul 2008 12:18:23 +0000

Among all the bad news, its good to find things that work really well. One thing to reflect on for the fourth is that markets work and they do so primarily because of entrepreneurism. As Tom Barnett says "there is a myth that we built this country all by ourselves." Actually we had access to lots of outside capital and then worked our tails off to leverage it into something much bigger and more profound. Now you can see the same thing happening lots of other places.

But the cool thing is that in 2008 we are not stuck with the industrial age way of initiating this growth pattern - its not all big companies signing deals for timber and such; you can do it at an individual level through microloans and enable someone else to reach the next rung. Best way I have seen so far to do this is Kiva, and there is a nice meme running right now:

Tom Barnett: "...everyone who wants to make a difference should just go ahead and get their own foreign policy and stop waiting on change from above."

Beyond the uber theme of enabling entrepreneurs to make markets, there are two other themes at work here that I love. First, its bottom up not top down. Second, the technology does not have to be perfect, it just has to be good enough. If its good enough amazing things can happen.

If you are looking for something to do on the 4th, surf over to Hoff's blog, where he has started a Security Pro Funding Pool for Kiva. His goal is to raise $1,000 for Kiva businesses. Its an incredibly cool thing to do and a great way to celebrate the good stuff that's been done both in markets and technology. Being a banker to the working poor can be fun. Who knew?

Hidden endpoints: Mitigating the threat of non-traditional network devices

Thu, 03 Jul 2008 11:40:22 +0000

Organizations have many safeguards in place for network-enabled devices like PCs and servers, but few realize the threat posed by non-traditional devices like printers, physical access devices and even vending machines. Endpoint security expert Mark Kadrich offers up some worst-case scenarios and explains how these and other endpoints can be protected.

Equifax bolsters border security

Wed, 02 Jul 2008 20:00:00 +0000

Equifax, the company that compiles credit reports, has chosen network-access-control technology to make sure contractors and employees access its network with machines that meet the firm's security requirements.

i-safe has some great articles for your online safety

Wed, 02 Jul 2008 19:25:39 +0000

They have a bunch of learning modules for kids to seniors to law enforcement.
Check em out.

clipped from ilearn.isafe.org

Which module do I watch?
There are five options with five different users in mind. Those registered as educators with i-SAFE have the greatest
access to view the modules because you work closely with students and parents. Those registered as parents and fifty+
have access to either of those modules since many users fit both categories. However, students are limited to the i-MENTOR
Training Network. And the Operation i-SHIELD module is reserved for those in law enforcement. Below is a breakdown of each
module. To begin, please register by creating a user name and password at the top of this page. That will help direct you to
the appropriate i-LEARN module. Enjoy!

Protecting exposed servers from Google hacks (and Google 'dorks')

Wed, 02 Jul 2008 11:32:18 +0000

Search engines are now routinely used to find ways of gaining unauthorized access to servers. Michael Cobb explains how to avoid exposing your important data to 'Google dorks.'

Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security

Tue, 01 Jul 2008 15:03:10 +0000

In this interview, cloudsecurity.org talks to Guido van Rossum about Python, Google App Engine and security.

Guido is the creator of the Python programming language and more recently, Google App Engine team member. His involvement with the App Engine project was pretty late - the code “was almost ready for release” when he get involved. The security architect of App Engine was primarily project lead, Kevin Gibbs, supported by the rest of the App Engine crew and the Google Security Team.

The Interview

cloudsecurity.org: What security principles did you follow for App Engine?

GvR: While I can’t share any specifics on what we’re doing to secure App Engine, I can say that the main principle we’ve followed could be called “defense in depth”. We’re not relying exclusively on a secure interpreter, or any other single security layer, to protect our users.

cloudsecurity.org: Please provide some examples of how those principles played out in terms of the current implementation?

GvR: Sorry, we don’t divulge such information.

cloudsecurity.org: What criteria did you apply to Python module selection?

GvR: We first looked for modules that were useful and straightforward to audit. If a module was large or complex, we’d only audit it (fixing things we found) if it was deemed essential or at least useful for a large number of users; otherwise we’d exclude it.

cloudsecurity.org: What do you see as the security risks inherent in exposing an interpreter runtime in a shared environment?

GvR: I presume you’re asking about risks to users, like providing accidental access to data belonging to another app. We’ve taken extensive measures to isolate different apps from each other. For example, each app runs in a separate process, and the datastore prevents an app from accessing data belonging to other apps.

cloudsecurity.org: I recently attended a fascinating talk by Justin Ferguson (a Seattle based security consultant) at eusecwest in London. He gave a great talk exploring security vulnerabilities in language interpreters and specifically highlighted some security weaknesses in Python App Engine. What are your thoughts on his research and specifically the Python issues he highlighted? When do you anticipate they will get fixed?

GvR: We’ve anticipated all of the possibilities raised in Justin’s talk, and took measures to protect our users. Justin highlighted weaknesses in Python, but not in App Engine. Furthermore, our security model does not rely solely upon protections within the Python interpreter; there are additional protections that these external analyses have missed.

cloudsecurity.org: How do you contain an attacker that exploits bugs in App Engine from exploiting the underlying OS and potentially interfering with other users processes or attacking backend systems?

GvR: You are correct that there are strong measures in place, but I’m not at liberty to discuss details.

cloudsecurity.org: Python was the first language to get the App Engine treatment, what language is next and what are some of the language specific security challenges the team has had to deal with?

GvR: Although I can’t comment on what language is next, we are working on this, and have gotten a lot of great feedback from our developers. As far as language-specific security challenges, they stemmed mostly from the complexity of the Python interpreter. We spent a lot of time auditing this, and did a great deal more than just identifying buffer overflows. I can also add that Google is actively researching the security of interpreted languages. Google engineers routinely contribute security fixes to open source projects, including but not limited to Python.

cloudsecurity.org: How does the team decide when ‘enough is enough’ in terms of hardening the interpreter?

GvR: That’s not really how we approach it. We realize that security is an ongoing effort, and try to stay ahead of threats through continuous monitoring and testing.

cloudsecurity.org: Some commentators have suggested that perhaps the difficulty of auditing the implementation led to some modules being more heavily restricted than perhaps necessary. What are your thoughts on that and what plans, if any, are there to bring back code objects/functions that were eliminated in the initial release? (with the benefit of hindsight).

GvR: The only thing we are likely to put back is the _ast module, which was not audited based upon an underestimation of its usefulness (see my answer to question #3 above). We will also put back some dummy functions and other objects whose absence currently prevents some popular frameworks from being loaded without modifications. For example, some harmless functionality in the imp module will come back. We’re also looking into making urllib2 work (to some extent), though that’s not really a security issue but merely a matter of API adjustment.

cloudsecurity.org: It is reported that Google encourages small groups to go off and create. How involved were the Google security team with App Engine in terms of design and implementation review/testing? Given the dynamics, is it possible to have a meaningful security process that shadows the development process?

GvR: The Google Security team is involved in everything we do. They have been extremely helpful.

cloudsecurity.org: How can people report security weaknesses they discover in App Engine? What commitment does Google give in terms of dealing vulnerability reports?

GvR: There is a standard process for submitting security issues. See http://www.google.com/corporate/security.html. Google moves very fast to protect its users when a verifiable security vulnerability is reported.

cloudsecurity.org: One concern is the potential misuse of App Engine to exploit security vulnerabilities in visitors browsers. This is not a new problem per se, shared hosting providers know all about this. But with Google and other Cloud providers, the scalability potential is much higher. What are your thoughts on this and what pro-active steps is Google taking to detect and terminate evil apps?

GvR: This is high on our list of concerns. We deal with this through a combination of restrictions on what you can do (e.g. certain HTTP headers and ports are off-limits) and, again, monitoring.

cloudsecurity.org: Beyond App Engine, what role do you think Python will play in the Cloud both now and in the future?

GvR: Sorry, I’m not prone to philosophizing about the future.

cloudsecurity.org: Trust is often cited as a barrier to enterprise adoption of Cloud Computing. What role do you personally think Google can play in building that trust?

GvR: I think trust is built up over a long period of experience. Our actions in terms of being open to our users will be the most important factor in establishing trust. Of course, Google’s reputation also helps: everybody understands that Google doesn’t want its name associated with a bad product.

cloudsecurity.org: Looking at the Cloud Computing landscape beyond Google, what are your thoughts on the current state of Cloud Computing and Security?

GvR: It’s obvious that Cloud Computing is only just taking off. The next few years will be very exciting.

cloudsecurity.org: Lastly, what are some of your favourite App Engine apps?

GvR: There are too many to enumerate. If you insist on a highlight, well, I like Rietveld (http://codereview.appspot.com), a tool for collaborative code review which I (largely) wrote myself. It is open source and includes some essential components from Mondrian, a similar internal tool which I created before I joined the App Engine team.

Thanks

My thanks to Guido for his time and sharing his views.

2% of all laptops sold every year are stolen from airports?

Tue, 01 Jul 2008 12:58:00 +0000

Interesting analogy from NetworkWorld on rising rates of laptop loss, but it works! Apparently laptop loss is giving IHOP a run for its money. From the article...

"Some of the largest and medium-sized U.S. airports report close to 637,000 laptops lost each year, according to the Ponemon Institute survey released Monday. Laptops are most commonly lost at security checkpoints, according to the survey."

Over 630K laptops lost each year just within airports! From IDC's Quarterly PC tracker (Dec 2007) we see that over 31M laptops were projected to be sold in 2007. This means that over 2% of all laptops sold in the US were lost or stolen from airports!

Hard to believe. Am I exaggerating or is this for real? Makes me think about how cold boot can be a weapon of choice for criminals to gain access to sensitive data.

A strategic approach to enabling mobile business applications

Tue, 01 Jul 2008 11:16:21 +0000

Today's successful enterprises are discovering that granting mobile access to critical business applications can increase productivity and revenue. This guide will cover how to develop an overall strategy for mobilizing applications and how to tailor that to your specific needs. Learn about the most common roadblocks and how to devise a plan that will avoid problems in your applications rollout.

Andy sees the light

Tue, 01 Jul 2008 09:40:00 +0000

As per usual the man-in-the-trenches Andy-It-Guy comes up with some excellent observations.

He has found an example of what Bruce Shneier calls movie plot security. What is also known as "whack-a-mole" security or knee-jerk reaction. Essentially, something goes wrong and we put in controls in case it happens again. Then something else goes wrong ... we put in something different. Ad infinitum.

(The name "whack a mole" comes from the game where you have a mallet and you keep whacking plastic moles on the head. Every time you are successful a new mole pops up.)

This is a solution but its not the best solution. And in case you think that it is a terrible solution think about what anti-virus, anti-spam, anti-spyware, firewalls, IPS, patch management etc etc are... point solutions to single issues. Whack-a-mole solutions. Knee-jerk reactions to problems that crop up.

The one technology in the above list that is unfairly listed is Firewall. Best practices state that you should block everything and enable only what you need. But in the past Firewalls were generally configured to block only what was bad and to open up everything else. Then they started to "by-default" block everything in and allow everything out. We have learned our lesson with Firewalls.

Antivirus too is starting to move from a "detect and delete the following..." to a "detect strange happenings from all software... but ignore this that we know is supposed to have extra access."

Note the move from "allow all and block specific known bad" to "block all and allow specific known good".

I think that the challenge going forward will be for us to create an environment where it is possible to tie down exactly what every single person in the organisation does. Make sure that the technology supports this. Make sure that deviations are blocked.

And on top of that allow for agility.

This is not impossible but it won't be easy. But there won't be turn-key technology solutions to be able to achieve this.