Apr 21
I came across a very interesting read at Marcus Ranum’s blog about the 6 dumbest ideas in computer security. His number 1 idea was by far one of my biggest pet peeves:
#1) Default Permit
The most recognizable form in which the “Default Permit” dumb idea manifests itself is in firewall rules. Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms-race with the hackers. Suppose a new vulnerability is found in a service that is not blocked - now the administrators need to decide whether to deny it or not, hopefully, before they got hacked. A lot of organizations adopted “Default Permit” in the early 1990’s and convinced themselves it was OK because “hackers will never bother to come after us.” The 1990’s, with the advent of worms, should have killed off “Default Permit” forever but it didn’t. In fact, most networks today are still built around the notion of an open core with no segmentation. That’s “Default Permit.”
This could not be truer. I find that every time I go into a meeting to discuss, set up, introduce or roll out the newest and greatest product, this comes into play. Most people want to roll it out without thinking about what it actually does. Take, for example, a new firewall system. The new product could be brought in, set up and configured exactly like the old one, and everything will probably continue to function. But in the end, why bother spending $20,000 on the new box if you aren’t going to look at what you’re using it for?
Please keep this in mind while setting up your new software program, coding your new web application or simply plugging in the greatest computer you have ever owned. Keep it closed — open only what you need.
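As an added illustration (my own, not part of the original post or Ranum’s essay), here is the same set of listening services evaluated under both policies; the port numbers and the “new daemon” that shows up later are constructed for the demo:

```python
# Added example: a tiny first-match firewall policy evaluator used to show
# why "Default Permit" turns into an arms race. Ports and the "newly
# discovered service" are constructed for the demo, not taken from a real box.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    action: str     # "allow" or "deny"

# The early-1990s ruleset Ranum describes: block telnet, rlogin and FTP;
# everything else falls through to the chain's default action (allow).
DEFAULT_PERMIT_RULES = [
    Rule("tcp", 23, "deny"),    # telnet
    Rule("tcp", 513, "deny"),   # rlogin
    Rule("tcp", 21, "deny"),    # ftp
]

# The default-deny equivalent: name only what is needed; nothing else matches.
DEFAULT_DENY_RULES = [
    Rule("tcp", 22, "allow"),   # ssh (constructed choice of exposed services)
    Rule("tcp", 443, "allow"),  # https
]

def evaluate(rules, default_action, proto, dport):
    """First matching rule wins; otherwise the chain's default action applies."""
    for rule in rules:
        if rule.proto == proto and rule.dport == dport:
            return rule.action
    return default_action

def exposed_services(rules, default_action, listening):
    """(proto, port) pairs a remote host can reach, given what is listening."""
    return sorted(s for s in listening
                  if evaluate(rules, default_action, *s) == "allow")

# Constructed inventory: what listens today, plus a service that appeared later
# (say, a new daemon with a fresh bug) that nobody wrote a rule for.
LISTENING_TODAY = {("tcp", 22), ("tcp", 23), ("tcp", 443), ("tcp", 21)}
NEW_SERVICE = ("tcp", 8080)

def compare(listening):
    """Reachable services under each policy for the same inventory."""
    return {
        "default_permit": exposed_services(DEFAULT_PERMIT_RULES, "allow", listening),
        "default_deny": exposed_services(DEFAULT_DENY_RULES, "deny", listening),
    }

if __name__ == "__main__":
    for label, listening in (("today", LISTENING_TODAY),
                             ("after new daemon", LISTENING_TODAY | {NEW_SERVICE})):
        print(label, compare(listening))
```

Under default permit the new port is reachable the moment the daemon starts; under default deny it stays closed until someone decides to open it.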
Apr 10
I came across TweetClouds.com and decided to run my name (sans the @replies). Below is what I tweet about day in and day out. I must have a lot of time, work and new things in my life.

Feb 01
The trouble with websites attempting to help users with their “browsing” issues is that sometimes they don’t get the whole picture. Take this relatively new site Bux.to. They offer an interesting, albeit strange, service that enables users to earn $0.01 per page they look at for at least 30 seconds. Using advertising dollars (and more), they can help these website viewers earn an “unlimited” amount of money. Honestly, I don’t know that I’d spend my time doing it, but that’s not what this post is about.
I was reading through their FAQ page and came across an interesting question. It said, “I can’t see any ads!” A simple enough problem that I’m sure many of us would complain about to any website (that is, if we didn’t actually want to see the website content). But their answer is what scares me: “If you see no ad links on the ‘Surf Ads’ page but you DO see stats on the right hand side then you need to disable all antivirus and antispyware/adware programs.” Now, I don’t know about anyone else, but I would be wary of any website that tells its users to disable ALL antivirus and antispyware/adware programs.
At my company we make sure that these programs are running on users’ machines at all times, but I’m sure that this isn’t the case for many organizations or home users. I ask the security industry: what can we do to protect users from following these types of directions? We can educate users on good and bad websites to visit and on protecting themselves by not opening email from people they don’t know, but how do we go about telling users not to trust some of the information on legitimate websites that they use each and every day? This is not the first time I’ve read or heard something like this on the web; it’s just the first time I’m writing about it. Thoughts, anyone? Or is this just another example of Darwin’s Law?
Jan 21
So, while I was perusing the Wootable Awards for CES 2008, I happened upon an advertisement from WebEx. It read just like the one to the right — oh wait, it was the one to the right. I’m not sure about anyone else who works in security, IT, or for any company where company data is important, but this is difficult to look at. Don’t get me wrong, I think that WebEx makes a great product. I’ve used it at my companies and I’ve used it to share data with clients. I also understand that they are trying to pull in the guy who has no control over his network security and just wants to get his information out there, but this is a scary thought for those of us who need to protect said data each and every day.
I know that most companies today have at least a simple firewall installed on their internet edge, and some even have a DMZ where they put their email servers and web servers (not many, it turns out). But many companies don’t use any sort of content filtering or application-level firewall that can help block unwanted things, like sharing your precious information with the world through a $49/month WebEx account.
So please, make sure that you take 5 minutes today to look at what you allow to run inside your network. No matter how strong your firewall on the internet edge is, it still can’t block the stupidity of people who run things that have the ability to “leap the internet securely, through any firewall.”
Dec 03
As I’ve promised in the past, I’m trying to blog a bit more… So here yah go.
Do you trust me with your personal documents, financial bank statements or list of passwords to your online services? I hope not. So why trust online productivity tools like Google Docs and Zoho with them? These sites offer a great service, but there is a time and a place for everything. I use Google Docs for a lot of my collaboration and document sharing for my consulting work; however, I don’t use these services for my personal, secure and confidential information. This would be like asking a stranger to hold onto my passport while I go away on vacation.
All of these services offer a privacy statement (Google and Zoho both do), and I don’t believe that they lie about how they use your information. One thing I do think is that they are still an internet and public service that always has the possibility of misusing your information or, worse yet, allowing others to misuse your information. Two things I’ve learned in the security world are that 1) nothing is totally secured and 2) people make mistakes. I just logged into my Google Docs the other day and saw that someone had shared a spreadsheet file with me by accident. They must have clicked to share the file with everyone in their address book. Lucky for that user I’m a nice person (hah!) and I emailed them to let them know about their error — not everyone will be that nice.
If you’re going to use these services to modify and keep your documents online, I recommend using some sort of tool to encrypt the files before upload. There are plenty of file hosting services out there that will allow you to host files that are not necessarily documents or spreadsheets. And hey, if you feel so inclined, you can send them all over to me at sucker (at) srcasm.com and I will host them for you myself… I promise, I won’t read them.