<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: concerns]]></title>
    <link>http://securityratty.com/tag/concerns</link>
    <description></description>
    <pubDate>Sun, 15 Jun 2008 18:15:45 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Indian official says no threat from BlackBerry use]]></title>
      <link>http://securityratty.com/article/e65b75bf3c22293d2f6cda081e984cbd</link>
      <guid>http://securityratty.com/article/e65b75bf3c22293d2f6cda081e984cbd</guid>
      <description><![CDATA[An official of the Indian government has dismissed concerns about security of BlackBerry service, though it is not clear whether he is also expressing the view of government security agencies that...]]></description>
      <content:encoded><![CDATA[An official of the Indian government has dismissed concerns about security of BlackBerry service, though it is not clear whether he is also expressing the view of government security agencies that want to be able to intercept messages sent through the service as a way to combat terrorism.]]></content:encoded>
      <pubDate>Tue, 01 Jul 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/government security agencies">government security agencies</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/blackberry service">blackberry service</category>
      <category domain="http://securityratty.com/tag/combat terrorism">combat terrorism</category>
      <category domain="http://securityratty.com/tag/intercept messages">intercept messages</category>
      <category domain="http://securityratty.com/tag/indian government">indian government</category>
      <category domain="http://securityratty.com/tag/official">official</category>
      <category domain="http://securityratty.com/tag/view">view</category>
      <source url="http://www.networkworld.com/news/2008/070208-indian-official-says-no-threat.html?fsrc=rss-security">Indian official says no threat from BlackBerry use</source>
    </item>
    <item>
      <title><![CDATA[Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security]]></title>
      <link>http://securityratty.com/article/a2cf6f2181968ed75532873c1bdb09fe</link>
      <guid>http://securityratty.com/article/a2cf6f2181968ed75532873c1bdb09fe</guid>
<description><![CDATA[In this interview, cloudsecurity.org talks to Guido van Rossum about Python, Google App Engine and security
Guido is the creator of the Python programming language and more recently, Google App...]]></description>
      <content:encoded><![CDATA[<p><a title="Guido van Rossum in Google Uniform" href="http://www.python.org/~guido/" target="_blank"><img src="http://www.python.org/~guido/images/IMG_2192.jpg" border="0" alt="Guido Homepage" /></a></p>
<p>In this interview, cloudsecurity.org talks to <a title="Homepage of Guido van Rossum" href="http://www.python.org/~guido/">Guido van Rossum</a> about <a title="Python website" href="http://python.org">Python</a>, <a title="Description of Google AppEngine" href="http://code.google.com/appengine/docs/whatisgoogleappengine.html">Google App Engine</a> and security.</p>
<p>Guido is the creator of the Python programming language and, more recently, a member of the Google App Engine team.  His involvement with the App Engine project came pretty late: the code &#8220;was almost ready for release&#8221; when he got involved.  The security architect of App Engine was primarily the project lead, <a title="Kevin Gibbs Campfire Transcript" href="http://code.google.com/appengine/articles/cf1-text.html">Kevin Gibbs</a>, supported by the rest of the App Engine crew and the Google Security Team.</p>
<h4>The Interview</h4>
<p><em>cloudsecurity.org: What security principles did you follow for App Engine?<br />
</em></p>
<p>GvR: While I can&#8217;t share any specifics on what we&#8217;re doing to secure App Engine, I can say that the main principle we&#8217;ve followed could be called &#8220;defense in depth&#8221;. We&#8217;re not relying exclusively on a secure interpreter, or any other single security layer, to protect our users.</p>
<p><em>cloudsecurity.org: Please provide some examples of how those principles played out in terms of the current implementation?</em></p>
<p>GvR: Sorry, we don&#8217;t divulge such information.</p>
<p><em>cloudsecurity.org: What criteria did you apply to Python module selection?</em></p>
<p>GvR: We first looked for modules that were useful and straightforward to audit. If a module was large or complex, we&#8217;d only audit it (fixing things we found) if it was deemed essential or at least useful for a large number of users; otherwise we&#8217;d exclude it.</p>
<p><em>cloudsecurity.org: What do you see as the security risks inherent in exposing an interpreter runtime in a shared environment?<br />
</em></p>
<p>GvR: <span>I presume you&#8217;re asking about risks to users, like providing accidental access to data belonging to another app. We&#8217;ve taken extensive measures to isolate different apps from each other. For example, each app runs in a separate process, and the datastore prevents an app from accessing data belonging to other apps.</span></p>
<p><em>cloudsecurity.org: I recently attended a fascinating talk by <a title="Justin Ferguson" href="http://eusecwest.com/justin-ferguson-interpreter-vm-attacks.html" target="_blank">Justin Ferguson</a> (a Seattle based security consultant) at <a title="eusecwest" href="http://www.eusecwest.com/" target="_blank">eusecwest</a> in London.  He gave a great talk exploring security vulnerabilities in language interpreters and specifically highlighted some security weaknesses in Python App Engine.  What are your thoughts on his research and specifically the Python issues he highlighted?  When do you anticipate they will get fixed?<br />
</em></p>
<p>GvR: We&#8217;ve anticipated all of the possibilities raised in Justin&#8217;s talk, and took measures to protect our users. Justin highlighted weaknesses in Python, but not in App Engine. Furthermore, our security model does not rely solely upon protections within the Python interpreter; there are additional protections that these external analyses have missed.</p>
<p><em>cloudsecurity.org: How do you contain an attacker that exploits bugs in App Engine from exploiting the underlying OS and potentially interfering with other users&#8217; processes or attacking backend systems?</em></p>
<p>GvR: You are correct that there are strong measures in place, but I&#8217;m not at liberty to discuss details.</p>
<p><em>cloudsecurity.org: Python was the first language to get the App Engine treatment, what language is next and what are some of the language specific security challenges the team has had to deal with?<br />
</em></p>
<p>GvR: Although I can&#8217;t comment on what language is next, we are working on this, and have gotten a lot of great feedback from our developers. As far as language-specific security challenges, they stemmed mostly from the complexity of the Python interpreter. We spent a lot of time auditing this, and did a great deal more than just identifying buffer overflows.  I can also add that Google is actively researching the security of interpreted languages.  Google engineers routinely contribute security fixes to open source projects, including but not limited to Python.</p>
<p><em>cloudsecurity.org: How does the team decide when &#8216;enough is enough&#8217; in terms of hardening the interpreter?</em></p>
<p>GvR: That&#8217;s not really how we approach it. We realize that security is an ongoing effort, and try to stay ahead of threats through continuous monitoring and testing.</p>
<p><em>cloudsecurity.org: Some <a style="color: #551a8b;" title="commentators" href="http://blog.ianbicking.org/2008/04/13/app-engine-and-pylons/" target="_blank">commentators</a> have suggested that perhaps the difficulty of auditing the implementation led to some modules being more heavily restricted than perhaps necessary.  What are your thoughts on that and what plans, if any, are there to bring back code objects/functions that were eliminated in the initial release?  (with the benefit of hindsight).</em></p>
<p>GvR: The only thing we are likely to put back is the _ast module, which was not audited based upon an underestimation of its usefulness (see my answer to question #3 above).  We will also put back some dummy functions and other objects whose absence currently prevents some popular frameworks from being loaded without modifications. For example, some harmless functionality in the imp module will come back. We&#8217;re also looking into making urllib2 work (to some extent), though that&#8217;s not really a security issue but merely a matter of API adjustment.</p>
<p><em>cloudsecurity.org: It is reported that Google encourages small groups to go off and create.  How involved were the Google security team with App Engine in terms of design and implementation review/testing?  Given the dynamics, is it possible to have a meaningful security process that shadows the development process?</em></p>
<p>GvR: The Google Security team is involved in everything we do. They have been extremely helpful.</p>
<p><em>cloudsecurity.org: How can people report security weaknesses they discover in App Engine?  What commitment does Google give in terms of dealing with vulnerability reports?</em></p>
<p>GvR: There is a standard process for submitting security issues. See <a title="http://www.google.com/corporate/security.html" href="http://www.google.com/corporate/security.html" target="_blank">http://www.google.com/corporate/security.html</a>. Google moves very fast to protect its users when a verifiable security vulnerability is reported.</p>
<p><em>cloudsecurity.org: One concern is the potential misuse of App Engine to exploit security vulnerabilities in visitors&#8217; browsers.  This is not a new problem per se, shared hosting providers know all about this.  But with Google and other Cloud providers, the scalability potential is much higher.  What are your thoughts on this and what pro-active steps is Google taking to detect and terminate evil apps?</em></p>
<p>GvR: This is high on our list of concerns. We deal with this through a combination of restrictions on what you can do (e.g. certain HTTP headers and ports are off-limits) and, again, monitoring.</p>
<p><em>cloudsecurity.org: Beyond App Engine, what role do you think Python will play in the Cloud both now and in the future?</em></p>
<p>GvR: Sorry, I&#8217;m not prone to philosophizing about the future.</p>
<p><em>cloudsecurity.org: Trust is often cited as a barrier to enterprise adoption of Cloud Computing.  What role do you personally think Google can play in building that trust?</em></p>
<p>GvR: I think trust is built up over a long period of experience. Our actions in terms of being open to our users will be the most important factor in establishing trust. Of course, Google&#8217;s reputation also helps: everybody understands that Google doesn&#8217;t want its name associated with a bad product.</p>
<p><em>cloudsecurity.org: Looking at the Cloud Computing landscape beyond Google, what are your thoughts on the current state of Cloud Computing and Security?<br />
</em></p>
<p>GvR: It&#8217;s obvious that Cloud Computing is only just taking off. The next few years will be very exciting.</p>
<p><em>cloudsecurity.org: Lastly, what are some of your favourite App Engine apps?<br />
</em></p>
<p>GvR: There are too many to enumerate. If you insist on a highlight, well, I like Rietveld (<a title="http://codereview.appspot.com" href="http://codereview.appspot.com/" target="_blank">http://codereview.appspot.com</a>), a tool for collaborative code review which I (largely) wrote myself. It is open source and includes some essential components from Mondrian, a similar internal tool which I created before I joined the App Engine team.</p>
<h4><strong>Thanks</strong></h4>
<p>My thanks to Guido for his time and sharing his views.</p>
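<p>The interview above describes a sandbox built from several layers (an audited module set, a separate process per app, a datastore that partitions data by app) rather than from a hardened interpreter alone. The block below is an added example, not App Engine's code and not anything Guido describes: it shows the module allow-list layer on its own, implemented in Python 3 as a replacement for the hosted app's builtin <code>__import__</code>. The module names in <code>ALLOWED</code>, the hosted-app source and the helper names are assumptions made for the example; the comments spell out what this layer does not do, which is the point of the defense-in-depth answer.</p>

```python
# Added example, not App Engine code: an import allow-list installed in a
# hosted app's builtins, as one layer of a defense-in-depth sandbox. The
# module names in ALLOWED are illustrative assumptions, not Google's list.
import builtins

# Modules the hosted app may import by name. Transitive imports made by
# these (audited) modules go through the interpreter's normal machinery,
# so only the app's own import statements are subject to this check.
ALLOWED = frozenset({"json", "re", "base64", "datetime", "hashlib", "math"})


class ImportPolicy:
    """Drop-in replacement for builtins.__import__ that enforces ALLOWED.

    The name is checked before the import cache is consulted. That matters:
    'os' is already loaded in every interpreter, so a hook that only sees
    fresh imports (e.g. a sys.meta_path finder) would let it through.
    """

    def __init__(self, allowed):
        self.allowed = frozenset(allowed)
        self.denied = []  # refused import names, for monitoring/alerting

    def __call__(self, name, globals=None, locals=None, fromlist=(), level=0):
        top = name.partition(".")[0]
        # level > 0 is a relative import; hosted code has no package here.
        if level != 0 or top not in self.allowed:
            self.denied.append(name)
            raise ImportError("import of %r is not permitted in this sandbox" % name)
        return builtins.__import__(name, globals, locals, fromlist, level)


def run_app(source, policy):
    """Run hosted-app source with the policy installed as its __import__.

    Returns the app's globals so the caller can read results. Every other
    builtin is copied unchanged; restricting those is a separate layer and,
    like this one, is bypassable from inside the interpreter by an attacker
    who already executes code. That is why this example is only one layer
    and provides none of the OS-level process isolation the interview
    describes.
    """
    sandbox_builtins = dict(vars(builtins))
    sandbox_builtins["__import__"] = policy
    app_globals = {"__builtins__": sandbox_builtins, "__name__": "hosted_app"}
    exec(source, app_globals)
    return app_globals


def app_can_run(source, policy):
    """True if the hosted source executes without hitting the policy."""
    try:
        run_app(source, policy)
        return True
    except ImportError:
        return False


def demo():
    """Exercise the policy on constructed hosted-app code; return a summary."""
    policy = ImportPolicy(ALLOWED)
    app = run_app(
        "import json, base64\n"
        "result = base64.b64encode(json.dumps({'ok': True}).encode()).decode()\n",
        policy,
    )
    return {
        "result": app["result"],
        # os is already in sys.modules, yet is refused all the same
        "os_blocked": not app_can_run("import os", policy),
        "ctypes_blocked": not app_can_run("import ctypes", policy),
        "from_import_blocked": not app_can_run("from os import path", policy),
        "denied": list(policy.denied),
    }


if __name__ == "__main__":
    print(demo())
```

<p>Run it as a script to print the summary. Because the decision is taken on the module name before <code>sys.modules</code> is consulted, a module the host loaded long before the app started (such as <code>os</code>) is refused exactly like one that was never loaded; a finder placed on <code>sys.meta_path</code> would never be asked about the cached one.</p>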
]]></content:encoded>
      <pubDate>Tue, 01 Jul 2008 15:03:10 +0000</pubDate>
      <category domain="http://securityratty.com/tag/app engine">app engine</category>
      <category domain="http://securityratty.com/tag/google app engine">google app engine</category>
      <category domain="http://securityratty.com/tag/app">app</category>
      <category domain="http://securityratty.com/tag/app engine treatment">app engine treatment</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/app engine project">app engine project</category>
      <category domain="http://securityratty.com/tag/app engine crew">app engine crew</category>
      <category domain="http://securityratty.com/tag/secure app engine">secure app engine</category>
      <category domain="http://securityratty.com/tag/security vulnerabilities">security vulnerabilities</category>
      <source url="http://feeds.feedburner.com/~r/CloudSecurity/~3/324271347/">Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security</source>
    </item>
    <item>
      <title><![CDATA[Catalyzing security in service orientation]]></title>
      <link>http://securityratty.com/article/6511424ffd0a4d30d4c5ea479c9a4306</link>
      <guid>http://securityratty.com/article/6511424ffd0a4d30d4c5ea479c9a4306</guid>
      <description><![CDATA[Blogger: Ramon Krikken

Many different conference tracks, many different perspectives on 'security' and how to best implement it. I spent most of my time in the Service-Oriented Architecture (SOA)...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Blogger: Ramon Krikken<br /><br />Many different conference tracks, many different perspectives on 'security' and how to best implement it. I spent most of my time in the Service-Oriented Architecture (SOA) track, looking for little nuggets of wisdom to help with my upcoming SOA security overview, and I certainly did find some. There were - luckily - no huge upsets, but there were certainly lots of questions on how to implement controls in a service-oriented environment. What was once only the question of what Web Services standards to use has now evolved to discussions on everything from high-level architecture to the minutiae of security token translations.<br /><br />One of the discussions in SOA security revolves around the location of controls. In general the architecture is best served if most controls, such as authentication and authorization, are externalized from the application code. It creates a separation of concerns, and usually makes management and auditing more straightforward. So some of the different infrastructure components, like web services modules and the XML gateways, support access control, encryption, and data validation features. Some vendors would like us to believe that pushing all this functionality into their well-packaged, standards-based solution is going to solve the 'security problem,' but does it?<br /><br />It all works out well as long as we can - in the true spirit of service orientation - view the service as a black box, but that isn't necessarily possible from a security perspective. Certain functionality, like the compute-intensive XML schema validation, is an ideal candidate for infrastructure security, and so is service-to-service authentication. User authorization is all over the map depending on its granularity and requirements for data-awareness. With encryption it also depends on whether we're talking data transport or storage. 
Service-enabling legacy applications also throws us a curve-ball because of, amongst other things, the need for identity and access token mapping that takes us into the darkness of the black-box service.<br /><br />In other words, both applying controls in service orientation, and applying service-oriented principles to security, aren't necessarily as straightforward as some may want us to believe. Security professionals probably already had a feeling this would be the case; we're a bunch of skeptics, after all. But if it's the case that enterprise architecture is far ahead of security architecture in SOA planning or implementation, then there may be some misunderstanding in the organization on how to secure the infrastructure and services. At the surface, and in the common case, the decision to put controls at the infrastructure level seems simple. The devil, it appears, is very much in the details that are invisible to us in some of the higher-level architectural discussions. <br /><br />Fortunately, all is not lost. We may have thought that 'the SOA train has left the station, and security is not on board,' but it now appears - at least from Burton Group's research - that the train isn't necessarily all too far down the tracks yet. We need to work with the architects to create a security strategy that matures along with the other aspects of SOA implementation, work with the development team to overcome the challenges of building security into the SDLC, and most of all, work with ourselves to make sure we're able to apply consistent principles of information assurance no matter what the next best thing in SOA technology is. There is time to get things right, and the best time to start is now.</p></div>
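<p>To make the control-placement question concrete, the following added example (not from the post, from Burton Group or from any vendor product) splits the controls the post lists between a gateway and the service it fronts. The gateway authenticates an HMAC-signed token, applies a role-to-operation ACL and checks the message structure, all of which it can do while treating the service as a black box; the service applies the data-aware rule that only it can evaluate (a customer may read only their own account). The key, roles, operations, account data and function names are constructed for the example, and the structural check stands in for XML schema validation, which the Python standard library does not provide.</p>

```python
# Added example, not from the post: a toy split of SOA controls between an
# XML gateway (authentication, coarse service-level authorization, message
# structure validation) and the service (data-aware authorization). The
# key, ACL, account data and names are all constructed for the example.
import base64
import binascii
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

GATEWAY_KEY = b"constructed-demo-key"  # assumption: shared by token issuer and gateway


def issue_token(subject, roles):
    """Mint a compact HMAC-signed token (stand-in for a SAML/WS-Security token)."""
    payload = json.dumps({"sub": subject, "roles": sorted(roles)},
                         separators=(",", ":")).encode()
    mac = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(mac).decode())


def verify_token(token):
    """Return the claims dict, or None if the token is malformed or forged."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


# Gateway-side policy: which roles may invoke which operation. Coarse-grained,
# and needs no knowledge of the data behind the service.
SERVICE_ACL = {"GetAccount": {"customer", "teller"}, "CloseAccount": {"teller"}}
# Elements each operation's body must carry (a stand-in for XSD validation).
REQUIRED_ELEMENTS = {"GetAccount": ("accountId",), "CloseAccount": ("accountId", "reason")}

# Service-side data, which the gateway never sees.
ACCOUNTS = {"42": {"owner": "alice", "balance": 120}, "43": {"owner": "bob", "balance": 7}}


class GatewayReject(Exception):
    """Raised by the gateway before the request reaches the service."""


def account_service(claims, operation, body):
    """The service enforces the rule only it can: customers see their own accounts."""
    account = ACCOUNTS.get(body.findtext("accountId"))
    if account is None:
        raise LookupError("no such account")
    if "teller" not in claims["roles"] and account["owner"] != claims["sub"]:
        raise PermissionError("caller does not own this account")
    if operation == "GetAccount":
        return {"balance": account["balance"]}
    account["closed"] = True
    return {"closed": True}


def gateway(token, operation, body_xml):
    """Authenticate, authorize at service level, validate structure, then forward."""
    claims = verify_token(token)
    if claims is None:
        raise GatewayReject("authentication failed")
    if not set(claims["roles"]) & SERVICE_ACL.get(operation, set()):
        raise GatewayReject("role not permitted to call %s" % operation)
    try:
        body = ET.fromstring(body_xml)
    except ET.ParseError:
        raise GatewayReject("malformed XML")
    missing = [e for e in REQUIRED_ELEMENTS[operation] if body.find(e) is None]
    if missing:
        raise GatewayReject("missing elements: %s" % ", ".join(missing))
    return account_service(claims, operation, body)


def invoke(token, operation, body_xml):
    """Wrap gateway() so callers get (layer, outcome) instead of exceptions."""
    try:
        return ("service", gateway(token, operation, body_xml))
    except GatewayReject as e:
        return ("gateway", str(e))
    except PermissionError as e:
        return ("service-denied", str(e))


def demo():
    """Run constructed requests through both layers; return the outcomes."""
    alice = issue_token("alice", ["customer"])
    teller = issue_token("carol", ["teller"])
    # forged: bob's claims glued to alice's MAC; the gateway must refuse it
    forged = issue_token("bob", ["teller"]).split(".")[0] + "." + alice.split(".")[1]
    get_42 = "<GetAccount><accountId>42</accountId></GetAccount>"
    get_43 = "<GetAccount><accountId>43</accountId></GetAccount>"
    close_43 = "<CloseAccount><accountId>43</accountId><reason>dormant</reason></CloseAccount>"
    return {
        "own_account": invoke(alice, "GetAccount", get_42),
        "other_account": invoke(alice, "GetAccount", get_43),
        "customer_close": invoke(alice, "CloseAccount", close_43),
        "teller_close": invoke(teller, "CloseAccount", close_43),
        "forged": invoke(forged, "GetAccount", get_42),
        "bad_body": invoke(teller, "CloseAccount", get_43),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

<p>The <code>other_account</code> case is the one the post is pointing at: the gateway's ACL is satisfied (a customer may call GetAccount) and the message is well formed, so the request is correctly forwarded, and only the service, which knows who owns account 43, can refuse it. Moving that check into the gateway would mean teaching the gateway the service's data model, which is exactly the black-box boundary the post says is hard to keep.</p>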
]]></content:encoded>
      <pubDate>Mon, 30 Jun 2008 12:31:36 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/soa">soa</category>
      <category domain="http://securityratty.com/tag/soa train">soa train</category>
      <category domain="http://securityratty.com/tag/soa implementation">soa implementation</category>
      <category domain="http://securityratty.com/tag/soa security overview">soa security overview</category>
      <category domain="http://securityratty.com/tag/security professionals">security professionals</category>
      <category domain="http://securityratty.com/tag/infrastructure security">infrastructure security</category>
      <category domain="http://securityratty.com/tag/architecture">architecture</category>
      <category domain="http://securityratty.com/tag/enterprise architecture">enterprise architecture</category>
      <source url="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/323506986/catalyzing-secu.html">Catalyzing security in service orientation</source>
    </item>
    <item>
      <title><![CDATA[Security Function as a Business Enabler]]></title>
      <link>http://securityratty.com/article/3180c5cc4bdef8e6f23843201b85d663</link>
      <guid>http://securityratty.com/article/3180c5cc4bdef8e6f23843201b85d663</guid>
<description><![CDATA[In one of my earlier blog posts I branded the Information Security function (as part of IT) as an overhead of an overhead. It is of utmost importance for a security manager to run the security function in a way...]]></description>
<content:encoded><![CDATA[<P>In one of my earlier blog posts I branded the Information Security function (as part of IT) as an overhead of an overhead. It is of utmost importance for a security manager to run the security function in a way that enables the business.</P>
<P>The various components (sub-functions) of the security organization should align with the business objectives of IT and of the whole organization. There needs to be a cohesive security strategy in order to align the various components. One good way of understanding the business objective is to ask why the business is parting with money to deploy a specific security component. Why is the business giving me money for compliance? Why is the business giving me money to implement IDP? Constitutive questions such as these will help you understand the fundamental concerns of the business, and based on these we can come up with a strategy suitably aligned with it.</P>
<P>One good example is the area of compliance. Attempting to make each and every unit of your business compliant with certain standards, legal regulations and so on would be a tall order. First define the scope: draw a circle around the units that need to be compliant, then come up with a strategy to make them compliant by formulating your objective, derived from the business objective of why the business gave you money.</P>
<P>Any security implementation effort should have a well-defined focus (scope), a business objective and a strategy that binds the various components cohesively and aligns with the ultimate business objective. Then the business will view the security organization with dignity; otherwise the security organization will end up being a spoke in the wheel of business.</P>
<P>In the past, I was involved in discussions about the ROI of information security, security as insurance and so on. After eating the forbidden apple from the tree of paradise, I realize security has neither an ROI nor is it akin to insurance. Information security is a way of doing business with due care. Security is a way of enhancing the trust of a business among its customers and thus enhancing the identity (or brand image) of the company. A few years down the line people won't even question why you do security; it will become part of your background conversation. Nobody questions why we buy hybrid vehicles anymore, right?</P>
<P>If the components of the security function are not cohesively aligned with the business objective, it is a spoke in the wheel of business; else it is a brand enhancer of the business.</P>
<P><IMG src="http://ravichar.blogharbor.com/Strategy.jpg"></P>]]></content:encoded>
      <pubDate>Fri, 27 Jun 2008 16:50:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/view security organization">view security organization</category>
      <category domain="http://securityratty.com/tag/security organization">security organization</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/information security function">information security function</category>
      <category domain="http://securityratty.com/tag/organization">organization</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/cohesive security strategy">cohesive security strategy</category>
      <category domain="http://securityratty.com/tag/strategy">strategy</category>
      <source url="http://ravichar.blogharbor.com/blog/_archives/2008/6/27/3765919.html">Security Function as a Business Enabler</source>
    </item>
    <item>
      <title><![CDATA[Bill Gates retires, Symbian goes open source]]></title>
      <link>http://securityratty.com/article/259a5d02db168d4d712096e096e7adea</link>
      <guid>http://securityratty.com/article/259a5d02db168d4d712096e096e7adea</guid>
      <description><![CDATA[Microsoft, usually a source of software patch updates and claims about Vista adoption rates, produced a bit of sentimental news this week as Bill Gates stepped away from his daily corporate duties on...]]></description>
<content:encoded><![CDATA[Microsoft, usually a source of software patch updates and claims about Vista adoption rates, produced a bit of sentimental news this week as Bill Gates stepped away from his daily corporate duties on Friday. Gates, who founded Microsoft at age 19, will now devote his time to philanthropic work. Meanwhile, the U.S. Senate discussed the issue of laptop searches and seizures at the nation's borders and also decided to delay a vote on a controversial spy bill. While on the topic of controversial plans, an ISP (Internet service provider) suspended a program that would have served up ads based on a user's Internet history after the move sparked privacy concerns. Yahoo, a perennial name in this space, defended its Google ad deal on Wednesday and the next day launched yet another reorganization. Finally, Oracle wants at least US$1 billion from SAP due to infractions supposedly committed by a subsidiary.]]></content:encoded>
      <pubDate>Thu, 26 Jun 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bill">bill</category>
      <category domain="http://securityratty.com/tag/controversial spy bill">controversial spy bill</category>
      <category domain="http://securityratty.com/tag/internet service provider">internet service provider</category>
      <category domain="http://securityratty.com/tag/controversial plans">controversial plans</category>
      <category domain="http://securityratty.com/tag/sentimental news">sentimental news</category>
      <category domain="http://securityratty.com/tag/vista adoption">vista adoption</category>
      <category domain="http://securityratty.com/tag/us1 billion">us1 billion</category>
      <category domain="http://securityratty.com/tag/internet history">internet history</category>
      <category domain="http://securityratty.com/tag/ads based">ads based</category>
      <source url="http://www.networkworld.com/news/2008/062708-bill-gates-retires-symbian-goes.html?fsrc=rss-security">Bill Gates retires, Symbian goes open source</source>
    </item>
    <item>
      <title><![CDATA[Gates pushed change in security culture at Microsoft]]></title>
      <link>http://securityratty.com/article/cc887b471cc503cfcbf6297192803891</link>
      <guid>http://securityratty.com/article/cc887b471cc503cfcbf6297192803891</guid>
      <description><![CDATA[Nearly six and a half years ago, in the aftermath of the Sept. 11 terrorist attacks and amid concerns about growing online threats, then-Microsoft CEO Bill Gates sent out a companywide e-mail that...]]></description>
      <content:encoded><![CDATA[Nearly six and a half years ago, in the aftermath of the Sept. 11 terrorist attacks and amid concerns about growing online threats, then-Microsoft CEO Bill Gates sent out a companywide e-mail that some consider his most important ever.]]></content:encoded>
      <pubDate>Tue, 24 Jun 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/then-microsoft ceo bill">then-microsoft ceo bill</category>
      <category domain="http://securityratty.com/tag/companywide e-mail">companywide e-mail</category>
      <category domain="http://securityratty.com/tag/amid concerns">amid concerns</category>
      <category domain="http://securityratty.com/tag/online threats">online threats</category>
      <category domain="http://securityratty.com/tag/terrorist attacks">terrorist attacks</category>
      <category domain="http://securityratty.com/tag/half">half</category>
      <category domain="http://securityratty.com/tag/sept">sept</category>
      <category domain="http://securityratty.com/tag/ago">ago</category>
      <category domain="http://securityratty.com/tag/aftermath">aftermath</category>
      <source url="http://www.networkworld.com/news/2008/062508-gates-pushed-change-in-security.html?fsrc=rss-security">Gates pushed change in security culture at Microsoft</source>
    </item>
    <item>
      <title><![CDATA[NHTI loses thumb drive that may have contained student information]]></title>
      <link>http://securityratty.com/article/472742115c3208716a34d4a38a0986b1</link>
      <guid>http://securityratty.com/article/472742115c3208716a34d4a38a0986b1</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/30/08

Organization
NHTI, Concord's Community College

Contractor/Consultant/Branch
None

Victims
Nursing program graduates from the classes of 2006...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/NHTI.jpg" width="159" align="right" height="62"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/30/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.nhti.edu/">NHTI, Concord's Community College</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Nursing program graduates from the classes of 2006 and 2007<br><br><span style="font-weight: bold;">Number Affected:</span><br>128<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, social security numbers, addresses, phone numbers, and email addresses"<br><br><span style="font-weight: bold;">Breach Description:</span><br>NHTI has notified the New Hampshire State Attorney General of a lost flash drive that may have contained sensitive personal information belonging to nursing program 2006 and 2007 graduates.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/NHTI.pdf">New Hampshire State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>We are writing to notify you that NHTI, Concord's Community College recently learned of a data security incident involving personal information of individuals who have graduated from the College.<br><br>On April 23, 2008, it was discovered that a data storage device, or flash drive, was missing.<br><span style="font-style: italic;">[Evan] Are unsecured flash drives allowed for use with NHTI information resources?&nbsp; There is no mention in the breach notification.</span><br><br>The flash drive may have contained the names, social security numbers, addresses, phone numbers, and email addresses of our nursing 
program graduates from the classes of 2006 and 2007.<br><br>Our Campus Safety Department conducted a thorough investigation to locate the flash drive.<br><br>The investigation concluded that we cannot determine whether a security breach has occurred.<br><span style="font-style: italic;">[Evan] What is the school's definition of a security breach?&nbsp; Was the Campus Safety Department unable to confirm that personal information was stored on the lost flash drive?&nbsp; If not a breach, then poor information management at the least.</span><br><br>The potential security breach involved personal identification information of 128 former students.<br><br>While we do not believe the flash drive was taken for purposes of identity theft, we have recommended that the affected individuals take steps to protect themselves from the possible misuse of personal information.<br><span style="font-style: italic;">[Evan] Really, at the end of the day I don't think it matters how many steps people take to protect themselves if the custodians of confidential information do not take proper care of the information entrusted to them.&nbsp; Everyone needs to play their role.&nbsp; Owner, custodians and users.</span><br><br>There is no indication that the disappearance of the device, a USB flash drive, was motivated by identity theft.<br><br>We do not have any evidence that your information has been misused, and we believe the likelihood of such misuse is low.<br><span style="font-style: italic;">[Evan] "Low" is subjective and hard to measure.&nbsp; This reminds me of some informal research we conducted a while back.&nbsp; We were curious.&nbsp; We found a left-over box of unused flash drives that a marketing department had been giving away (s.w.a.g.) 
at a trade show.&nbsp; We wanted to find out #1, how many people pick up a flash drive if they find one lying around, and #2, how many people plug them in and peruse the contents/use them.&nbsp; We had 40 flash drives.&nbsp; 29% of people picked them up (meaning it took 137 people walking by to nab 40 flash drives).&nbsp; We tried to vary the locations of the flash drives both out in the open and semi-private.&nbsp; Of the 40 people that picked up the flash drives, all 40 used them.&nbsp; I suppose that this particular flash drive could have ended up in the garbage or destroyed somehow, but if someone found it, I think chances are pretty good that someone will find the information.&nbsp; The difficult part is trying to determine what someone will do with the information once they have it, I suppose.</span><br><br>However, out of an abundance of caution, we are informing everyone who may be affected by this incident so that they may properly evaluate what actions - if any - they wish to take in this matter.<br><span style="font-style: italic;">[Evan] The "abundance of caution" phrase is quickly becoming my pet peeve.&nbsp; An abundance of caution would have gone a long way towards preventing the breach.&nbsp; Storing confidential information on an insecure flash drive certainly does not demonstrate an abundance of caution.</span><br><br>We have obtained the services of a credit monitoring organization to provide free credit monitoring for one year to the affected individuals.<br><br>NHTI takes the protection of confidential information very seriously.<br><br>We sincerely regret that this incident occurred and are taking steps to prevent this type of breach from occurring again.<br><br>The College has instituted safeguards to prevent such incidents in the future.<br><span style="font-style: italic;">[Evan] Like?</span><br><br>If you have any questions or concerns, please contact NHTI's Director of Communications, Alan Blake, at (603) 271-8904. 
<br><br><span style="font-weight: bold;">Commentary:</span><br>Most of my commentary is included above.&nbsp; Flash drives are very convenient, but sometimes the thought of them sends a slight shiver down my spine.&nbsp; If their use cannot be properly controlled, their use can be disastrous.&nbsp; So, if you can't control their use, then prohibit their use.&nbsp; I know of quite a few companies that have banned flash drives and disabled USB and FireWire ports.<br><br>I was a little tardy in finding this breach.&nbsp; I thought it was still good information for readers though. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Tue, 24 Jun 2008 13:21:39 +0000</pubDate>
      <category domain="http://securityratty.com/tag/flash">flash</category>
      <category domain="http://securityratty.com/tag/lost flash drive">lost flash drive</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/usb flash drive">usb flash drive</category>
      <category domain="http://securityratty.com/tag/usb">usb</category>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/flash drive">flash drive</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <source url="http://breachblog.com/2008/06/24/nhti.aspx">NHTI loses thumb drive that may have contained student information</source>
    </item>
    <item>
      <title><![CDATA[Why would the Government hire a security consultant and then not listen to him?]]></title>
      <link>http://securityratty.com/article/26b217e81b5035055e1cddcbd4305e50</link>
      <guid>http://securityratty.com/article/26b217e81b5035055e1cddcbd4305e50</guid>
      <description><![CDATA[I received an interesting piece from one of my friends in Homeland Security. It concerns Juval Aviv, the Bodyguard for Golda Meir and the person she sent out to track down those responsible for...]]></description>
      <content:encoded><![CDATA[I received an interesting piece from one of my friends in Homeland Security.  It concerns Juval Aviv, the Bodyguard for Golda Meir and the person she sent out to track down those responsible for killing the Israeli athletes during the Munich Olympic games.   <br /><br /><span id="fullpost"><br /><br />Apparently Mr. Aviv delivered a lecture in New York City a couple of weeks ago.  He made some startling predictions.  One of these is the fact that he believes the next attack(s) on the U.S. will occur in the next few months and it will involve suicide and non-suicide bombers where large numbers of people congregate.  This will not come as any surprise to those of us who have seen the Al Qaida training types showing training scenarios aimed at football stadiums, shopping malls, golf tournaments, etc.<br /><br /></span><br />Interestingly, Aviv claims that these threats are well known by the U.S. Govt. but they do not want to "alarm citizens" with the facts.  Aviv just might know what he's talking about there since he currently serves as a special consultant to the U.S. Congress and other policy makers.  There is no doubt that he knows what he is talking about when he describes what is needed at U.S. airports.<br /><br />I have long known that U.S. airports are not as safe as people would like to think.  Apart from all of the "mistakes" and the prohibited items that make it past the security check points, there is the procedure whereby bags remain unchecked in any form until people have gained access to ticket desks and the internal front area of the airport.  The people themselves are not screened until they head for the gates.  What would happen if a terrorist self-detonated in the middle of a crowded airport without ever trying or expecting to make it on a plane?  Scary thoughts, but thoughts nonetheless about which someone should be thinking and being concerned enough to address it.<br /><br />Should Aviv be taken seriously?  
Well, he predicted the London bombing on the Bill O'Reilly show on Fox News, stating publicly that it would happen within a week. At the time, O'Reilly laughed and said that in a week, he wanted him back on the show.  Unfortunately, within a week the terrorist attack occurred.<br /><br />It would be nice to know that the Government was doing all it could for us, but reading and hearing things like this does not exactly instill confidence.  Then again, there were probably those who felt safe seeing Army reservists with rifles in our airports in the days following 9-11.  That is, if you didn't think about it for more than a minute.  <br /><br />Like charity, security starts at home.  Now more than ever, it may be a case of: "the Lord helping those who help themselves."<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Thu, 19 Jun 2008 15:56:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/aviv">aviv</category>
      <category domain="http://securityratty.com/tag/aviv claims">aviv claims</category>
      <category domain="http://securityratty.com/tag/concerns juval aviv">concerns juval aviv</category>
      <category domain="http://securityratty.com/tag/terrorist attack">terrorist attack</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/terrorist">terrorist</category>
      <category domain="http://securityratty.com/tag/attack">attack</category>
      <category domain="http://securityratty.com/tag/airports">airports</category>
      <category domain="http://securityratty.com/tag/munich olympic games">munich olympic games</category>
      <source url="http://www.thebulletproofblog.com/2008/06/why-would-government-hire-security.html">Why would the Government hire a security consultant and then not listen to him?</source>
    </item>
    <item>
      <title><![CDATA[Laptop stolen from R.E. Moulton may affect 19,000]]></title>
      <link>http://securityratty.com/article/744fcc25f693c4e344c22b9023c6e318</link>
      <guid>http://securityratty.com/article/744fcc25f693c4e344c22b9023c6e318</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/23/08

Organization
OneAmerica

Contractor/Consultant/Branch
R.E. Moulton, Inc

Victims
Customers

Number Affected
19,000

Types of Data
names in...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/oneamerica.jpg" align="right" height="102" width="102"><span style="font-weight: bold;">Date Reported: </span><br>5/23/08<br><br><span style="font-weight: bold;">Organization:</span> <br><a href="http://www.oneamerica.com/wps/wcm/connect/oa/OneAmerica/Home/">OneAmerica</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.oneamerica.com/wps/wcm/connect/oa/REMoulton">R.E. Moulton, Inc.</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>~19,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names in combination with social security numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>A laptop computer containing sensitive personal information belonging to approximately 19,000 individuals was stolen from the Irving, Texas offices of R.E. Moulton on or around March 7th, 2008.<br><br><span style="font-weight: bold;">Reference URL:</span><br>New Hampshire State Attorney General breach notification<br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>R.E. 
Moulton is a leader in the medical stop-loss insurance industry and the stop-loss insurance products administered by it are available nation-wide.<br><span style="font-style: italic;">[Evan] The notification to the New Hampshire State Attorney General starts with this sentence.&nbsp; It's nice if you can add a little marketing to your breach notification.</span><br><br>We are writing to inform you of an incident involving the possible disclosure of personal information.<br><br>Specifically, on or around March 7, 2008, thieves broke into our Irving, Texas regional office and stole a laptop computer containing personally identifiable information of numerous individuals, including names in combination with social security numbers.<br><span style="font-style: italic;">[Evan] We don't know much about the physical security controls protecting the office and laptop, but we do have a clue.&nbsp; The fact that R.E. Moulton states "on or around March 7" leads me to believe that the physical controls were not sophisticated enough to detect the theft when it occurred.&nbsp; The practice of storing confidential information on a laptop is not a good idea in most cases and there is also no mention of encryption, so I assume it was not used.&nbsp; Bad, bad, and bad.</span><br><br>A police report was filed and the police are actively investigating this crime.<br><br>Personal information was on the stolen laptop because R.E. Moulton receives requests to provide quotes for stop-loss insurance coverage.<br><span style="font-style: italic;">[Evan] In my opinion, this may be justification for collecting personal information, but certainly not a justification for storing it on a laptop.</span><br><br>Approximately 19,000 individuals were affected, although there may be duplicates on our master list; this means that the list of affected individuals may be smaller.<br><br>At this time, 
we are unable to determine the number of New Hampshire residents, if any, who will be notified of this incident because the information maintained on the laptop did not include addresses, but we will provide a list at a later date if we find that New Hampshire residents were affected.<br><br>Letters will be sent to these individuals as soon as we receive their addresses from their employers or the third parties who arranged for the insurance quotes.<br><span style="font-style: italic;">[Evan] It seems to me that the "employers or the third parties" have a significant role in this breach also.&nbsp; I wonder if information security personnel at the "employers or the third parties" were aware and approved of the sharing of personal information with R.E. Moulton.&nbsp; If they were, then I wonder if they followed good protocol and evaluated the information security practices of R.E. Moulton.</span><br><br>Those employers and third parties were notified of this incident during the week of May 5, 2008 and are currently collecting the needed addresses.<br><span style="font-style: italic;">[Evan] Employers and third parties were notified almost 2 months after the theft.</span><br><br>Depending on the length of time needed to collect addresses, we hope to start sending letters to the affected individuals in June.<br><span style="font-style: italic;">[Evan] Add the amount of time referred to in this sentence to the ~2 months that have already passed and then add this to the time to address letters and you get a long time before victims are notified.&nbsp; I presume some victims will never be notified.</span><br><br>Please know that we have taken this incident very seriously.<br><span style="font-style: italic;">[Evan] Action speaks louder than words.</span><br><br>While we do not anticipate that any of the information will be used for unauthorized or malicious purposes, to help those whose information was involved, we have engaged ConsumerInfo.com, Inc., an Experian 
company, to provide those individuals with one year of credit monitoring at no cost to them.<br><br>Please note that we are committed to protecting our customers and that we are constantly improving our processes to avoid any further reoccurrences.<br><br>In addition, appropriate steps have been taken to prevent future disclosures of this information.<br><span style="font-style: italic;">[Evan] What steps have been taken?&nbsp; It seems to me that data owners deserve more detail and explanation.</span><br><br>We sincerely apologize for any inconvenience or worry this may have caused you.<br><br>We encourage you to contact the company at 800-553-5318 with any questions or concerns.<br><br><span style="font-weight: bold;">From the FAQs:</span><br>Q.&nbsp; What is being done by R.E. Moulton to prevent a similar incident from occurring?<br>A.&nbsp; R.E. Moulton had procedures in place to protect customer information and is constantly reviewing those procedures in light of developments in information security and the evolution of criminal activity.<br><span style="font-style: italic;">[Evan] What do you think of this answer?</span><br><br><span style="font-weight: bold;">Commentary:</span><br>I get especially frustrated by breaches that involve confidential information on a stolen laptop.&nbsp; Stolen laptops are one of, if not the most common types of breaches that we read about, yet the frequency of reports does not seem to be subsiding.&nbsp; Can an organization claim that they didn't know any better?&nbsp; At what point does risky information security behavior become negligent?<br><br>I suspect that most victims don't even know that R.E. Moulton had their personal information.&nbsp; This makes the breach a little more troubling.<br><br>I accept mistakes because we all make them.&nbsp; I also accept security incidents that occur despite an organization's best efforts at protection.&nbsp; I don't accept poor behavior that seems to go against common sense. 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br><br>
]]></content:encoded>
      <pubDate>Sun, 15 Jun 2008 18:15:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security practices">information security practices</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/moulton">moulton</category>
      <category domain="http://securityratty.com/tag/laptop">laptop</category>
      <category domain="http://securityratty.com/tag/information security personnel">information security personnel</category>
      <source url="http://breachblog.com/2008/06/15/oneamerica.aspx">Laptop stolen from R.E. Moulton may affect 19,000</source>
    </item>
  </channel>
</rss>
