Skip navigation

Three Resolutions For Mac OS X Users

In 2011, we saw a large increase in web site exploits that exposed private user data as well as a breakdown in the trust of SSL (for various reasons) and the introduction of real malware on to the OS X scene. If there were just three things I could ask Mac users to do in 2012 to help protect themselves (‘cuz if your a Windows user it’s been game-over for years for you already) these are what they would be.

Secure & Diversify Your Web Credentials

Just like companies have lost paper files—and then laptops—containing private data, web sites have and will continue to leak your information like a sieve. While you should choose carefully which ones you let have very sensitive data (like credit card numbers, government id numbers and health information), you really do need to ensure that you at least use different and “strong” passwords at each site you have an account at to avoid having hackers replay your credentials at other sites.

The easiest way to do this is to use a utility like 1Password (@1Password & usually $50 but is on sale for $30 for a short time) by AgileBits which works with practically every browser and will let you create and use diverse passwords at the click of a button. It even works on your mobile device, so you don’t have to worry about remembering the (necessarily) ugly passwords they end up creating. You can even use 1Password to store secure notes to yourself (say, in the event you need to use complex credentials on systems you cannot install 1Password).

By using 1Password, you will avoid being the in the 60-70% of users who have their credentials stolen and have to worry or scramble because they used the same ones on an array of popular web sites. Windows users can also take advantage of this tool (and there’s a bundle price if you need it for both platforms).

You can do this without 1Password (e.g. keep a text file or spreadsheet in a secure disk image), but the ease of use is worth the price of 1Password. If you do decide to use a more manual approach, generating secure passwords with tools like this one will also help you be a bit more secure than your brain’s “random” sequence generator.

Know What’s Going On With Your System

While the Mac App Store can help ensure you aren’t loading “bad apps” onto your system, the advent of web-born malware for the Mac was seen for real this year and 2012 may prove to be the year we see the Mac becoming more of a target. There’s no guarantee that Mac App Store apps are non-malicious and you really have no idea what the ones you download from third-party sites contain, even if they do the task you want them to. Some apps that you “know” you trust may be sending out “phone home” signals or other non-user-initiated or informed-of Internet communications with unknown payloads.

This is where a cool little utility called Little Snitch (@littlesnitch and $30) by Objective Development can really help open your eyes as to what applications and processes (programs you may not be able to “see” easily without tools like the Mac Activity Monitor app) are trying to do on your network. Their own information page says it better then I could paraphrase:

Little Snitch informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to allow or deny this connection, or define a rule how to handle similar, future connection attempts. This reliably prevents private data from being sent out without your knowledge. Little Snitch runs inconspicuously in the background and it can also detect network related activity of viruses, trojans and other malware.

Again, you could monitor your Mac firewall logs by hand with the OS X Console application and tweak your own firewall rules, but Little Snitch won’t forget to watch out for you.

Secure Your Public & Untrusted WiFi Connections

While Facebook, Twitter, Gmail and other sites have SSL (https) options (some using it by default), you really need to take control of your own transmission security when not on networks you trust. Why? Well one example is that you may be at a restaurant (as I was with my kids in November) where they terminate all SSL sessions at their border gateway (meaning they could read all the data that should have been encrypted). You also cannot be sure when Facebook is going to mindlessly toggle their SSL settings or when a Facebook application causes the SSL settings to be disabled. Even though SSL is relied upon by pretty much everyone to “just work”, it’s not a given or a panacea.

When on unfamiliar, public or other untrusted networks, it’s truly necessary to take control of the encryption as best as you can and use some type of Virtual Private Network : VPN : setup. While running your own is the only real way to know what’s happening at the VPN termination point, there are reputable services out there who can provide security and that you should be able to trust (at least better than SSL in a Starbucks). One of them—and I believe the most user-friendly one—is Cloak (@getcloak and FREE to $8-$15/month) by Bourgeois Bits.

Once installed, Cloak will detect when you’re on a public WiFi connection and automatically kick in a VPN session. You can start up a VPN session at any time with a single click in the OS X menu bar and also define more granular rules (if you want to). With Cloak, you have no excuse to not take an added measure of security when you’re out and about with your Mac.

You could do this for free (provided you trust your home Internet provider) with many modern routers or even a simple Linux/BSD or OS X box providing VPN services, but it would still not be as simple as using Cloak.

With these three simple steps/apps (less than $100), you will be far less at risk than you (probably) currently are as you run naked & blind across the internet with your password stapled to your forehead.

If you have any suggestions for similar/competing tools or have additional resolutions you think would be helpful to Mac users (or any computer user), drop a note in the comments.

An Open Letter to IT Vendors For 2012

Dear $VENDOR,

2012 is nigh upon us and with the new year, I am throwing down a challenge to each and every IT vendor out there. 2011 was a brutal year of incidents, breaches, outages and FUD and the last thing anyone needs is a repeat performance. Instead, please take this list back to the development teams, product managers, marketing department and sales team and do your best to be part of the solution this year, not another problem.

  • Do not ship any product with insecure protocols used for administrative/programmatic access even available in the configuration options

    Router/firewall vendors: remove telnet completely from the configuration options. All vendors: Only make your web interfaces & APIs available via TLS/SSL (even if that means shipping with default, self-signed certificates). Where you must leave a choice (e.g. legacy support), present the default configs with only secure options for new installations and slap enough warning dialogs to annoy organizations’ IT workers into Doing The Right Thing™.

  • Default to integrating with centralized identity & access management systems

    I understand the need for one “failsafe” account to get into the application prior to full integration, but if you should be ashamed of yourself if you ship a product that uses local accounts &amp groups and has no robust means of integrating with SiteMinder, Active Directory, LDAP or other centralized systems. Every organization need to be able to control all access as centrally as possible and you are doing us all a disservice by not providing this functionality.

  • Have multi-factor support for administrative access

    Lack of control of admin-level access is one of top findings in audit reports. There are a multitude of multi-factor authentication systems out there, many at little-to-no-cost. Giving organizations the means to stave off hackers and auditors in one stroke will score you major points, especially at contract re-up time.

  • Provide robust & open reporting out-of-the-box

    You all claim to provide good reporting and you all lie. All of you. Capture every action and event and make it easy to get to that data, even if it means providing access to the back-end database (read-only, of course). The ability to tie reporting sources together is one key weapon in our arsenal as we try to defend our organizations from malicious individuals (both internal and external). Giving us the ability to slice & dice what is happening in your systems (using any tool we want) is a crucial component in this defensive strategy.

  • Don’t use “cyber” or “APT” in any of your literature this year

    I’ll give you a pass if more than 75% of your revenue comes from the U.S. government as you have to sell you wares to them with those keywords in your proposals or you’ll never get in the door. But, when selling to the rest of us, forget buzzwords and give us practical solutions to help in ailing areas such as signature-based anti-malware or managing a ton of boxes in a private cloud effectively. We don’t need FUD, we need to be fed a healthy diet of cost-effective, easy-to-manage, enterprise-capable wares.

  • Align your licensing structure to fit “the cloud”

    Many of us are having to become contract, legal and finance experts just to be able to figure out how to make your products cost-effective in public and private clouds. I guarantee you that no matter how inbred you may be within an organization, you will be easily supplanted by the first competitor who makes it easy to transition from your tool and had a easy way to manage licenses in modern dynamic computing environments.

Those are just a few points, but it will be difficult for most of you to tackle even one of them. However, if even one of you does manage to check even one item off that list, you stand to help make Christmas a little more merry and a little more bright this time next year*.

*Apocalypse not withstanding.

Still Not A Fan Of Paywalls

As you can probably tell from a previous post, I’m not a fan of paywalls—especially poorly implemented ones. Clicking on a link in an RSS feed post and having it land on a page, only to have it smothered in an HTML layer or — in the following case — promptly redirected to “Pay up, buddy!” sites is frustrating at best. I’ll gladly debate the efficacy of paywalls vs other means of generating revenue in another post (or even in the comments, if civil). I primarily wanted to write this post to both show the silliness of the implementation of Foster’s Daily Democrat’s paywall and point out a serious deficiency in Chrome.

First up, lame paywall. You get three free direct story link visits prior to be asked to register and eventually pay for content. NOTE: You could just be going to the same story three times (say, after a browser crash) and each counts as a visit. After those visits, you have to register and give up what little anonymity you have on the Internet to be able to view up to an additional ten free direct story links before then being forced to pay up. If you are a print subscriber, you do get access for “free”, but there’s that tracking thing again. Foster’s uses a service called Clickshare to handle the subscription and tracking. Just how many places do you need to have your data stored/tracked just to read a (most likely) mediocre piece of news?

The paywall setup is accomplished by a simple “Meta Refresh” tag. In its most basic form, it is an instruction that tells the browser to load a particular URL after a certain amount of time. In the case of Foster’s paywall, the HTML tag/directive looks like this:

[code lang=”html”]<meta http-equiv="refresh" content="0;url=https://home.fosters.com/clickshare/authenticateUserSubscription.do?CSAuthReq=1&CSTargetURL=…"/>[/code]

It’s telling your browser to double-check with their Clickshare code immediately after teasing you with the article content. And, it’s easy to circumvent. Mostly. The problem is, I’m a Chrome user 99% of the time and Google has not seen fit to allow control over the meta refresh directive. To jump the paywall, you’ll need to fire up Firefox. And enter “about:config” in the location bar (and click through the warning message).

Once there, filter for “refresh”, find the setting for “blockautorefresh” and set it to “true“.

Now, every time you visit a web site that attempts to auto-refresh full browser pages, you’ll see a warning (with the option to allow the action):

Why Chrome has not implemented a way to control this is beyond me. Since Safari also has no ability to control this setting, it may have something to do with the webkit core that both browsers are based on.

This doesn’t stop the frustration with the RSS-click-to-read and it doesn’t help iOS/Android users, but it does provide a means help keep a bit of anonymity (if you also use other extensions and controls) and should force these sites to kick their paywall game up a notch.

Predictions? Humbug! Resolve Is Where It’s At

This is the time of year when pundits and armchair/amateur analysts make predictions for the coming year. Given that only a tiny fraction of them predicted the Sonage of 2011 (not Sony specifically or the level of pwnage) or the RSA/Lockeed [↑, ↑, ↓, ↓, ←, →, ←, →, B, A] multi-faceted “supply chain” attack (most just predicting increased “nation state” hacks) or the decimation of trust in certificate authorities (not that we really trusted them before), it is hardly worth the time reading or seriously considering any post presuming to posit what will occur in 2012 (wait…I can’t resist…and it even fits in 140: “2012 Infosec Prediction: There will be more attacks just like the one this year if not worse in scale and/or magnitude #protip“).

Instead, why not get some resolve and take charge of what will happen in the coming year? “Resolution” & “resolve” have their roots in the Latin “resolvere“, which has a host of contextual meanings. One highly appropriate one is “to find the answer or solution to“. So, rather than pontificate, here are some “resolves” for you for 2012:

  • Resolve to not buy any more products and to make serious use (beyond the typical 5% you are) of the ones you have. That may require ensuring your staff has appropriate training to automate where applicable and tweak appropriately where possible. It may also require a good amount of thinking. In most shops, the last thing needed is more tools. Figure out the best way to use the tools you have. Not only will it improve the efficacy of current investments, it will free up more capital for your business units to invest & grow.
  • Resolve to actually have meaningful dialoge with your Internal Audit department. I’ve rarely come across an auditor who is truly evil (they do exist, tho). Most want to Do The Right Thing™, but many lack the technical skillset to turn that desire into a reality. You should make it a goal in 2012 to have you and your Internal Audit department toe-tapping from the same risk dance card.
  • Resolve to join at least one cross-industry information sharing group. Even if it’s just kvetching at a local ISSA meeting, you should not underestimate the cathartic benefit of knowing you’re not alone. Joining or help to build a full-on entity like the ACSC, however, will even reap even larger dividends.
  • Resolve to understand the business model of each of your business units (if you have more than one) and find a way to get a handle on their pain points (the ones you or your IT department are causing). Go out on sales calls; shadow call centers; watch highly experienced and effective folks as they get their jobs done by working around IT & security barriers you’ve helped put in place. You’ll come back with business justifications for all sorts of things (like adaptive authentication or revamping your outdated identity & access management model)
  • Speaking of sitting… Resolve to spend three or more total business days at your IT Help Desk (great advice for non-security IT folk, too). You will first-hand observe the gaps in many of your processes (which you should then fix) and will also be able to put real faces & names to the pile of call statistics you ignore every month. I can also guarantee that you will then be spending a great deal of time revamping your incident response plan/procedures (you will see things you really won’t believe).
  • Speaking of statistics… Resolve to pick three meaningful things to start measuring and find a way to collect the data, get access to the data and publish the data (including sharing it to Internal Audit and getting it in front of senior management). A great place to start is the CIS Consensus Information Security Metrics. Your goal is to have at least one action item per month from this exercise (or pick different things to measure).
  • Resolve to kick the effectiveness of your security awareness program up a few notches. Create an internal “YouTube” service that shows real attacks from end-to-end. Make your messages personal by tying in social media awareness, safe browsing practices and patch management with messages of how to help folks keep their kids safe online or themselves safe as they do online banking. Make the learning experience engaging (just like you demand of your kids’ teachers).
  • Resolve to be the first organization of 2012 that has a sane password policy. (This one won’t be easy)
  • Resolve to expand beyond the mystical forumlae for CVSS & CWSS and create the foundation for a true risk-centric security program. If you are looking for help/guidance, this rogues’ gallery is a good place to start. WARNING: you will actually have to talk to business/finance people. (*shudder*)
  • Resolve to partner with just one development team and one Ops team and help get them rugged and visible.

Finally, resolve to do just one of the items on that list and you’ll be doing more good in 2012 than all of the prognosticators combined.

You’re The Mayor of FUDville!

Rik Ferguson, Director Security Research at Trend Micro, had a great tweet early last Tueday morning calling out potential FUD in an article over at The Metro:

Given the plethora of FUD-dropping in the article, I could only think of one way to do it justice, and that was a paragraph-by-paragraph check-in via:


Every FUD-check counts!

(it may help to have the article open in another window)

OK! we’ve got you at The Metro. You’ve been here 1 time.
  • +1 for heartstring tug (“Children”)
  • +1 for immediate FUD in headline
  • +1 for Facebook reference in headline
Nice check-in! You earned +3 points!
  • +1 for mention of Pentagon in sub-head
  • +3 for context switch from personal to national scariness
  • +1 for Facebook reference in sub-head
  • +1 for first use of “cyber”

Great mixing of FUD domains!
  • +3 for context switch to “child pornography” in main article picture caption
  • +1 for Facebook reference in caption

You’ve been to Facebook FUD 3 times! You’re the Mayor!
  • +3 for context switch back to national scariness
  • +1 for use of “cyber”
Every cyber-FUD check-in counts!
  • +2 for global scariness
  • +1 for social-media scariness
  • +3 for Facebook (you’re the Mayor!)
  • +1 for mentioning Sony attack
  • +1 for national scariness
  • +1 for mentioning Lockheed attack
  • +1 for mobile scariness
  • +1 for use of ‘bot’
Whoa! +10 points! Awesome check-in!
  • +3 for context switch back to personal scariness
  • +1 for re-mention of child pornography
  • +2 for added scariness of kidnappers

You know “they” know where they live and aren’t afraid to spread the FUD!
  • +1 for geolocation scariness

Headed in the right direction with this check in!
  • +1 for more geolocation scariness
  • +3 for Facebook (you’re the Mayor!)
  • +2 for “bedroom”

With that last check-in, you’re well on your way to becoming the Mayor of FUDville!
  • +1 for social-media scariness

Social-FUD FTW
  • +3 for Facebook (You’re the Mayor!)
  • +3 for coining ‘lifejacking’
  • +1 for mobile scariness

The Mayor is in the house!
  • +2 for Android scariness
  • +1 for “Wild West”

Artifical life-form FUD meets historic gunslinger FUD!
  • +1 for mobile/acrobatics tie-in
You’re a FUD gymnast!
  • +1 for SMS scariness
Every check-in counts!
  • +3 for Anonymous reference
  • +3 for LulzSec reference
  • +3 for context switch back to national scariness
Good use of “cyber-vigilante” FUD!
  • +1 for Lockheed reference

Defense FUD FTW!
  • +1 for “cyber”
  • +1 for “cyber”
  • +1 for “cyber” (You’re the Mayor!)
  • +3 for “cyber”

You’ve earned the Cyber-FUD Badge!
  • +3 for “cyber” (You’re the Mayor!)
  • +10 for nuclear scariness
  • +10 for “scary”
FUD is scary
  • +10 for context switch to global “Olympic” scariness

Congratulations! You scored over 100 points! You’re the mayor of FUD-ville!
(Done with homage to @shpantzer‘s SCSOVLF.)

DNSChanger Detector

The FBI made a tool to help you determine if you were a victim of the DNSChanger malware.

If you’re like many casual Internet users, you have no idea how to get the information to plug into the input box.

Unfortunately, the security model of most modern browsers makes it impossible to easily retrieve this information. However, it is possible to grab the DNS entries if the user is willing to trust the requesting source.

To help make it easier to determine if you’re infected, I wrote DNSChanger Detector. It’s a small Java applet that requires the user to allow it to have privileged access to the DNS entries via a call to sun.net.dns.ResolverConfiguration to get the nameservers. Once it has them, there is some jQuery glue in place to let Javascript access the results.

I understand why the FBI didn’t attempt to go this route, but it will hopefully be useful to folks who don’t wish to walk their friends and family through the process.

Why Didn’t They Just…?

A while back I was engaged in a conversation on Twitter with @diami03 & @chriseng regarding (what I felt was) the need for someone to provide the perspective from within a medium-to-large enterprise, especially when there are so many folks in infosec who are fond of saying “why didn’t they just…?” in response to events like the Sony attack or the compromise of the senate.gov web servers.

Between consulting and full-time employment I’ve been in over 20 enterprises ranging from manufacturing to health care to global finance. Some of these shops built their own software, others used/customized COTS. Some have outsourced (to various degrees) IT operations and others were determined to keep all activity in-house. Each of them has had challenges in what many would say should be “easy” activities, such as patching, vulnerability management or ensuring teams were using good coding practices.

It’s pretty easy for a solitary penetration tester or industry pundit to lay down some snark and mock large companies for how they manage their environments. It’s quite another experience to try to manage risk across tens (or hundreds) of thousands of employees/contractors and an equal (or larger) number of workstations, combined with thousands of servers and applications plus hundreds (or thousands) of suppliers/partners.

While I would not attempt to defend all enterprise inadequacies, I will cherry-pick some of the top snarks & off-hand statements for this series and try to explain the difficulties an enterprise might have along with some suggestions on how to overcome them.

If you have a “why didn’t they just…?” you’d like answered drop me a note on Twitter or in the comments.

Mid/Northern New England Tweetup

Eventbrite site: http://www.eventbrite.com/s/5cnV

It’s at Fort Foster. We thought about it a bit late in the season so no pavillion, but I’ll be there wicked-early and have a gazebo-like covering setup over some tables. I highly suggest bringing folding chairs. There is a nominal entrance fee (cash). Link to Fort Foster is in the Eventbrite page.

I’ll have signs up showing where we’re setup.

Right now (08-16) there are over 30 ppl (including family members) signed up!

I’m making a boatload of pulled bbq (still not decided on chicken or pork) for everyone. It’s potluck, so bring as much or little as you like. I’ll work on a massive bucket of drinks as well (tis busy week here, unfortunately) and will no doubt have spare plates & napkins.

We setup a google spreadsheet if you want to wish to post what you plan to share (if anything…no worries).

I updated the eventbrite posting with my google voice # if you need to reach me by phone for any reason.

Fort Foster has a beach area, scuba diving area, can handle kayaks and has a nice (but smallish) set of hiking trails. There are also grills if you plan on bringing raw items to cook.

If you have any questions, do not hesitate to ask!

Oh, yeah, it will come as a complete surprise, but I’ll have the “shield” on so you can recognize me :-)