…how often companies botch the termination process for an employee with “destroy the network access” and are then shocked, shocked I tells ya, when the network, is in fact, destroyed. This week’s episode is especially chock full of security fail… Network administrator dude resigns from company over a dispute with a senior manager. His former manager (and close friend) convinces company to keep said dude on as a consultant due to his deep knowledge of said company’s networks (FAIL!!!). Fast forward a few months… the manager/friend now finds out that *he* is about to be laid off. He refuses to hand over some passwords and his buddy logs in using valid credentials from a local McDonalds and deletes a bunch of VMs… according to a story on Wired’s Threat Level Blog…
“The Feb. 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail,” according to the complaint filed against him, which asserted that the hack cost Shionogi about $300,000. That figure rose to $800,000 in later court documents.
Really, really basic controls broke down here… if someone with “destroy the network access” is upset enough to leave the company (especially in a crappy economy like we are in now) – show them the freaking door and cut all of their access before it hits them in the ass on the way out! And don’t allow vital knowledge to accumulate in one person’s head, making them irreplaceable. Finally, make sure that there are checks and balances in the termination process to insure that these steps are completed quickly and properly. This is infosec 101, people!
When I read about Telex, a research project aimed at making it easier to get past Internet censorship, my “split personality” – lover of freedom and justice versus corporate security guy kicked in right away. You see, if widely implemented, Telex would make it much easier and safer for people living under repressive regimes to get past said regimes’ censorship of the Internets. Built on client software, some clever crypto in packet headers and servers hosted by friendly ISPs, Telex would turn the idea of a proxy server inside out, effectively making the entire Internet (it’s a series of tubes, you know) one big proxy.
This would be really great – I would love to see the US government as well as non profit organizations host Telex servers to allow people in China, the middle east, and other places where freedom of expression is curtailed… however, Telex would also make my job as a security professional that much more difficult. By installing a Telex client, the users on my corporate network might be able to bypass the web filtering we have put in place. While some of that filtering is aimed at keeping people away from “non work appropriate sites,” there are other reasons to filter Internet access in the workplace as well. For example, we block access to sites known to host malware. We block access to sites which would put us in violation of various legal and regulatory mandates. These are all legitimate things to do in a corporate environment, and our employees have unfettered access to the Internet outside of the office. Employees using a system like Telex would put our company at risk.
Telex is stil in the proof of concept stage and there needs to be a lot more software and infrastructure development done before it can be a reality on a large scale. As I said, I am 1000% pro Telex as a tool for people to bypass repressive regimes’ Internet censorship. But I think that corporate Internet censorship (hate that word) is another kettle of fish altogether and we security professionals need to keep an eye on Telex and similar technologies. I feel like I should be dressing like these guys after writing this…
Over the past few days, a lot of folks at work have been sending me links to this really excellent XKCD cartoon:
I think this really hits the password problem on the head. With the advent of inexpensive GPU assisted password cracking, as well as more intelligence on the part of the (human) password crackers, the old school password rules of “must have a capital letter, a small letter, a number, and (maybe) a special character” are becoming woefully outdated. And yes, they are hard to remember. And most importantly, they make users hate the InfoSec people. Do they ever bring us home baked brownies as a reward for our password rules? Nope.
As I tend to always take advice from comic strips when making important decisions, I really like the four dictionary word idea. The math seems to work and it certainly seems to be easier on the user. However, the infrastructure for implementing such a scheme in the systems where it would count (primarily Microsoft Active Directory) would have to exist in order for this to be workable. I hope that Microsoft and others who did better than me in math take a long hard look at this as a potential solution to password problems.
OK… I have no problem with police departments (such as those in New York City and London) setting up units to look at (public) social media sites for signs of impending lawbreaking, whether it be morons rioting, morons flash-robbing, or morons planning other mayhem. More power to them… I think that if you tweet or Facebook your nefarious plans for the world to see, you should have an additional count of felony stupidity added to your charge sheet. I also have no problem with the authorities turning off communications facilities when there is a credible and imminent threat to life and limb, such as the possibility of a cell phone triggered improvised explosive device. But, when I first read about the Bay Area Rapid Transit (BART) police’s move this past Thursday evening rush hour when they disabled cellphone communications on the underground portions of the BART system, I felt very uncomfortable. This sounds like something that repressive regimes like Egypt, Syria, or Libya would do to their people, not something which could happen in the US. Then I read BART’s statement about the cellular interruption and got to thinking:
Organizers planning to disrupt BART service on August 11, 2011 stated they would use mobile devices to coordinate their disruptive activities and communicate about the location and number of BART Police. A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators. BART temporarily interrupted service at select BART stations as one of many tactics to ensure the safety of everyone on the platform.
First of all, BART probably broke the law by doing this. It is against federal law to interfere with licensed wireless communications. Even prisons (which, in my opinion should be able to operate cellphone jammers) have been prevented from doing so in the past. (Yes, I know that BART did not jam the signals, they simply shut down existing cell sites – the result was the same, though).
Now, depending on what kind of information BART had, there may have been a (morally) acceptable reason for taking action. For example, if the information was very clear in stating that the types and methods of protests were aimed at inducing overcrowding on platforms (a situation dangerous to life and limb) and there was reason to believe that the threat was credible and imminent, I might have been tempted to make the same decision. But there are some other factors to consider (apart from the legal issue).
First and foremost, what about people already on the BART system who might need access to 9-1-1? Well, the NYC subway system has no cell service on its underground portion (thankfully) and manages to have a mechanism (call boxes) for getting help in an emergency. I assume BART is similarly equipped, so the cell service failure did not totally isolate riders from help. Yes, had someone been on the phone with 9-1-1, their call would have been interrupted, but they could then resort to the call box – not ideal, but workable.
Second… if BART management felt the threat to be credible and that mobile devices were an integral part of the threat, they really only had two choices – shut down cellular service, or shut down stations where they felt the threat was greatest. The latter option is not a perfect solution (the protestors would just regroup via Twitter) and would inconvenience thousands of innocent commuters.
We are just not yet equipped to make decisions like this and we need to be.
My takeaways from this:
Mobile devices and social media pose new challenges to law enforcement and new potential dangers to the public (as last week’s riots in London seem to have demonstrated). Getting a mob together and coordinating their actions is a lot easier than it used to be and law enforcement needs tools to deal with this problem in a way which preserves public order but which also respects the rights of the people to peacefully assemble and protest. This is not an issue to be left to local police departments – we need to do this at the federal level as it is a constitutional issue.
If we decide to allow law enforcement to disrupt communications to preserve public order, we need to have strict standards as to what constitutes a serious and imminent threat to public order and there must be a process to publicly review any such decision after the fact – and consequences for those who make the wrong decision. The body that makes the (very quick) decision to pull the plug needs to have both law enforcement and civilian members (maybe a constitutional lawyer?).
Other risks need to be considered – for example, using a bunch of social media bots, a miscreant could create a denial of service attack on communications by creating a “virtual” flash mob that exists only in cyberspace, but looks big and scary. In addition to inconveniencing the public, such an attack could be used as an aid to committing other types of crime. If these fake flash mobs were to become a regular event, public support for anti flash mob measures could dwindle, leaving us where we are today.
Hopefully our elected officials will take some time out from serving their special interest masters, playing party politics, destroying the economy, and all of the important work that they love so much to take a look at an important issue in a rational way. Oh, wait…
The attack prevented investors from accessing corporate announcements made during the exchange’s mid-day break. As a result, trading in companies who made such announcements (including such well known names as HSBC and Cathay Pacific) was suspended for the afternoon session.
The general take away from this incident is that attackers look for “low hanging fruit” when choosing their targets. I am sure that the HK Exchange’s back end systems are protected by many layers of firewalls, intrusion detection systems and other technology. The public web site is, well, public and is thus by necessity much more exposed to attack – and an easier target.
The lesson? There really is no such thing as a non critical system these days… every system needs to be designed as if there are hoards of attackers just waiting to pounce… stay paranoid!