Apr 21

I came across a very interesting read at Marcus Ranum’s blog about the 6 dumbest ideas in computer security.  His number 1 idea was by far one of my biggest pet peeves:

#1) Default Permit

The most recognizable form in which the “Default Permit” dumb idea manifests itself is in firewall rules. Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms-race with the hackers. Suppose a new vulnerability is found in a service that is not blocked - now the administrators need to decide whether to deny it or not, hopefully, before they got hacked. A lot of organizations adopted “Default Permit” in the early 1990’s and convinced themselves it was OK because “hackers will never bother to come after us.” The 1990’s, with the advent of worms, should have killed off “Default Permit” forever but it didn’t. In fact, most networks today are still built around the notion of an open core with no segmentation. That’s “Default Permit.”

This could not be truer.  I find that every time I go into a meeting to discuss, set up, introduce or roll out the newest and greatest product, this comes into play.  Most people want to roll it out without thinking about what it actually does.  Take for example a new firewall system.  The new product could be brought in, set up and configured exactly like the old one and everything will probably continue to function.  But in the end, why bother spending $20,000 on the new box if you aren’t going to look at what you’re using it for?

Please keep this in mind while setting up your new software program, coding your new web application or simply plugging in the greatest computer you have ever owned.  Keep it closed — open only what you need.
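To make the difference concrete, here is a small policy model written for this post (it is an added example, not code from Ranum or from any firewall product). It evaluates inbound ports under a "Default Permit" ruleset of the early-1990s kind and under a "Default Deny" one, and reports which reachable ports were never consciously approved by anyone. The port numbers, the host's listening-port inventory and the new service on port 7000 are constructed inputs.

```python
# Added example (not from the blog post or from Ranum): a minimal model of
# "Default Permit" versus "Default Deny" inbound firewall policies. The port
# numbers, the listening-port inventory and the new service are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Policy:
    """A stateless inbound policy: explicit per-port rules, then a default."""
    default_action: str                                   # "permit" or "deny"
    rules: Dict[int, str] = field(default_factory=dict)   # port -> action

    def decide(self, port: int) -> str:
        # An explicit rule always wins; anything unlisted gets the default.
        return self.rules.get(port, self.default_action)


# Early-1990s style (the dumb idea): deny the three services people had heard
# of and let everything else through.
DEFAULT_PERMIT = Policy("permit", {23: "deny", 513: "deny", 21: "deny"})  # telnet, rlogin, ftp

# "Keep it closed": nothing is reachable unless someone deliberately opened it.
DEFAULT_DENY = Policy("deny", {25: "permit", 80: "permit", 443: "permit"})  # smtp, http, https


def exposed_ports(policy: Policy, listening: Iterable[int]) -> List[int]:
    """Ports on the host that outsiders can reach under this policy."""
    return sorted(p for p in listening if policy.decide(p) == "permit")


def unreviewed_exposure(policy: Policy, listening: Iterable[int]) -> List[int]:
    """Reachable ports that nobody ever wrote a rule for.

    This is the arms race Ranum describes: under Default Permit every new
    daemon lands here and stays reachable until an administrator notices.
    """
    return sorted(p for p in listening
                  if p not in policy.rules and policy.decide(p) == "permit")


if __name__ == "__main__":
    # Constructed inventory of what a typical host of the era listened on.
    host_ports = [21, 22, 23, 25, 80, 111, 443, 513, 6000]
    for name, pol in (("default permit", DEFAULT_PERMIT), ("default deny", DEFAULT_DENY)):
        print(f"{name:14s} exposed={exposed_ports(pol, host_ports)} "
              f"unreviewed={unreviewed_exposure(pol, host_ports)}")
    # A brand-new service appears on port 7000 (constructed): who had to decide?
    print("new service reachable:", DEFAULT_PERMIT.decide(7000), "/", DEFAULT_DENY.decide(7000))
```

Under the permissive policy the unreviewed list is identical to the exposed list, which is the whole problem: every port on it is reachable because nobody said otherwise. Under the closed policy it is empty, and the new daemon on port 7000 stays unreachable until somebody writes the rule and, in doing so, looks at what the box is actually being used for.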

Mar 26

I recently found while working on a Barracuda spam appliance that the person who set it up made a tiny mistake.  Now I’d be one to admit if it were me but I’m pretty sure it wasn’t this time.  They had all the steps right up until the second to last one.  Let me set the stage…

  1. Three spam filters from Barracuda Networks spread out across the globe.
  2. All three have a similar configuration setup on them.  (Check for spam on the inbound and act as the primary, secondary and tertiary outbound relays for internal mail heading out to the wide, wide world we call the Internet.)
  3. Set up allowed relay IP addresses (internal mail servers, certain paging systems, even a multi-function printer or two).
  4. Add the company’s domain name to the list of allowed relayers…
  5. Turn on the appliances and set up the MX records outside so we have a “fail-safe”, redundant, spectacular, awesome email spam fighting system!

Now, if you haven’t seen it yet, check step number 4 again.  See, in step 3 we set up the system so that specific servers were able to relay out through the device.  These IPs were entered in by either individual hosts or small subnets of systems that had rights to send out email to the outside world.  But in step 4 we then said that any email coming “from” the company’s domain (we’ll call it xyz.com) was allowed to relay as well.  That’s an issue because it’s fairly simple to both figure out what the company’s domain name is and then use it to start sending spam out from anywhere in the world.  Let’s look at an example session connecting to a Barracuda spam appliance via SMTP.  (Note: the HELO, MAIL FROM, RCPT TO and DATA lines, the message text and the terminating “.” are the commands that I typed; the lines beginning with a three-digit code are the appliance’s responses.)

220 spam1-svr.xyz.com ESMTP (d2f98b7a83b562327asdcjb25227d4f7)
HELO xyz.com
250 spam1-svr.xyz.com Hello laptop-lt [malicious.ip.from.outside], pleased to meet you
MAIL FROM:someone@xyz.com
250 Ok
RCPT TO:anotherperson@zyx.com
250 Ok
DATA
354 Start mail input; end with <CRLF>.<CRLF>
This is an email
.

250 Ok: queued as AAEDC3SKB1CE

The problem with allowing xyz.com to relay is that it takes precedence over the IP list that was set up in step 3.  This means that with that first line (spam1-svr.xyz.com), a spammer knows what the local domain is.  Now all they need to do is start making up email addresses that may or may not exist in your domain and they too can use you as an open relay.

If you’re on a Barracuda box, the screen is located at Advanced->Outbound/Relay.
[Screenshot: Barracuda Advanced->Outbound/Relay screen]

Please, make sure that you’re not using the Senders With Relay Permission or Trusted Relay Host/Domain sections of the relaying tab.  Take the time to enter the IPs of the systems that need relaying and if you can, use LDAP lookups to verify that the sending email address is actually someone who exists.  You’ll thank me later — when you’re not blacklisted in 10 different systems and your users’ email can’t get through.
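The relay decision described above and the fix recommended here can be written out as a small check. This is an added example, not Barracuda’s code: it models the IP allow list from step 3, the domain entry from step 4, and the optional directory check that the sending address exists. The networks, the outside client address, the “someone@xyz.com” sender from the session above and the set of known mailboxes (standing in for the LDAP lookup) are constructed assumptions.

```python
# Added example (not Barracuda's code): a relay-permission check for an
# outbound SMTP gateway, modelling the two configurations from the post.
# The networks, client addresses and the directory of known mailboxes
# (standing in for the LDAP lookup) are constructed assumptions.
import ipaddress
from typing import Iterable, List

LOCAL_DOMAIN = "xyz.com"

# Step 3 of the post: hosts and small subnets allowed to relay outbound mail.
RELAY_NETS = [
    ipaddress.ip_network("10.1.2.0/24"),   # internal mail servers (constructed)
    ipaddress.ip_network("10.9.0.7/32"),   # paging system (constructed)
]

# Stand-in for the LDAP directory: addresses that really exist.
KNOWN_MAILBOXES = {"alice@xyz.com", "bob@xyz.com"}


def parse_mail_from(line: str) -> str:
    """Extract the bare, lower-cased address from an SMTP 'MAIL FROM:' command."""
    _, _, rest = line.partition(":")
    return rest.strip().strip("<>").lower()


def relay_allowed(client_ip: str, mail_from_line: str,
                  trusted_domains: Iterable[str] = (),
                  verify_sender: bool = False) -> bool:
    """True if this client may relay to an outside recipient.

    trusted_domains reproduces the 'Trusted Relay Host/Domain' entry made in
    step 4; the post's fix is to leave it empty. verify_sender reproduces the
    optional LDAP check that the sending address actually exists.
    """
    sender = parse_mail_from(mail_from_line)
    domain = sender.rpartition("@")[2]
    # The domain trust is evaluated first, mirroring the post's observation
    # that it takes precedence over the IP list.
    if domain in {d.lower() for d in trusted_domains}:
        if not verify_sender or sender in KNOWN_MAILBOXES:
            return True
    # Otherwise only the explicitly listed networks may relay.
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in RELAY_NETS)


def audit_relay_config(trusted_domains: Iterable[str]) -> List[str]:
    """Findings an administrator would want before turning the appliance on."""
    return [f"domain-based relay trust for {d}: any client that sets MAIL FROM "
            f"to an @{d} address can relay; remove it and rely on the IP list"
            for d in trusted_domains]


if __name__ == "__main__":
    outside = "203.0.113.5"            # constructed outside address
    session_sender = "MAIL FROM:someone@xyz.com"   # the line from the post
    print("misconfigured:", relay_allowed(outside, session_sender, ("xyz.com",)))
    print("fixed:        ", relay_allowed(outside, session_sender))
    print("internal host:", relay_allowed("10.1.2.10", session_sender))
    print("LDAP check:   ", relay_allowed(outside, session_sender, ("xyz.com",), verify_sender=True))
    for finding in audit_relay_config(("xyz.com",)):
        print("AUDIT:", finding)
```

The directory check narrows what an outside client can get through (a made-up address is refused), but it does not close the hole, because a sender that does exist in the directory is still accepted from anywhere; that is why the domain entry itself has to go and the IP list has to carry the decision.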

Mar 07

[Image: Google Browser Sync toolbar]

So as most people know I am a big fan of Google in most ways. I use their email (for multiple domains and a Gmail account), I’ve been known to use Google Docs, maps are one of their best features — and who could forget good ol’ Google.com? I have to say that their sites tool is a little on the junky side but all-in-all, their services are great. I recently came across one that I had not seen or used before and now I’m in love. The kind of love that can not be split up by browser upgrades, computer changes or long-distance travel and it’s called Google Browser Sync (for Firefox only).

[Image: Google Browser Sync, opened tabs]

I’ve used different browser sync tools in the past but this one just blows the others away with its simplistic design, cross-platform capabilities and an online storage system that I have come to love very much. After a quick install (just like any other Firefox plugin) the browser plugin prompts you for your Google account info (no Google for your domain accounts that I know of) and then has you choose a unique PIN number. The PIN is to make sure that someone doesn’t just add the tool bar on a computer where you’ve saved your password. I’m also not sure if the PIN allows you to have multiple Google Browser Sync subsections (i.e. sync computers A and B and then sync computers C and D). Once this process is done, you’re off to the races. Not only does it sync your bookmarks but it also does browsing history, saved passwords and even keeps track of your open tabs. This means that if you close Firefox on your work computer, go home and open it up, it’ll prompt you to see if you want to reopen those tabs! How great is that?  In addition, there is no user intervention required.  When you close down Firefox, the small window pops up for a second that shows you that it’s syncing your browser to Google.  That’s it.
[Image: Google Browser Sync, sync window]

I know that many of the security gurus out there will yell at me and say, “hey, what about what they do with that information?!?!?!?”  Well I’ll tell you what — If you can show me a simpler, clean and fast way of syncing browsers online without using a service like Google (who already knows who I talk to (email), what I’m interested in (search) and where I like to eat brunch (maps)) then I’d be happy to hear it and take a look.  For now, I trust Google with my info.  They haven’t steered me wrong yet and I’m hoping that they never do.

Please, let me know what you think of the browser wars, syncing your info, sending email or anything else under the sun.

Feb 18

I’ve been a long-time believer in the need to encrypt your data but the question has always been, at what cost? Do I slow my access to the data down? Do I store it on a separate hardware encrypted device? Can I recover the data if something becomes corrupt? These are all important questions to ask oneself when deciding on the level of protection of your data. TrueCrypt has won a new place on my shelf of security tools.

TrueCrypt has been one of the most intriguing programs I have used over the past few years. It has the ability to create encrypted containers to store data in that can be auto-mounted as drives during Windows logon, it’s cross platform, it allows encryption of full partitions and most recently in v5 had the addition of full system encryption (including a Windows partition). It does this in a seemingly easy but secure way.

Feb 17

We all live in the same world (well, most of us anyway) and we all have 20 different passwords at any given time. Sometimes sites/services don’t allow more than 8 characters, others require at least 9 characters, some do allow special chars and others don’t. It’s a nightmare trying to figure out a password scheme that works and allows you to use the same one across the board… And then there is the ever-problematic issue that using the same password everywhere means if one is compromised then they all are. What to do? A password manager might be the answer.

There have historically been three main options for managing passwords with regard to the computer. First there was memory (not the RAM kind). That worked well for 1-3 passwords. Then there was the pencil and paper. This was a fail-safe method that had no security, could get lost or thrown out and eventually got dirty if you erased it too many times. Finally there was the computer. Using programs like KeePass and RoboForm users could record their passwords in a secure, recoverable environment that never got dirty due to too many eraser marks on a piece of paper. It seemed like all the issues were solved but then the internet came and blew it all up.

How many times are you at one of your 15 computers and that one doesn’t have your KeePass container? You either have to guess/reset your password for that specific service (and then remember to update it later in your password management software) or you would have to get to the computer that the password was on. In addition to that, you might not even have your computer available. Maybe it was stolen, lost or MIA (in transit with that pesky airline luggage). What can you do then? Recently a couple of new services have popped up that allow secure password management online — that’s accessible from almost any computer. PassPack and Clipperz are both startups that are trying to fix the need for remembering too many passwords and other pertinent information. While you can check out PassPack’s “unbiased” comparison chart and blog entry to compare the two services, I’m just writing about PassPack today.

PassPack uses client-side (JavaScript) encryption to protect your information.  You get to set up an account on their servers that stores your encrypted file, which has been encrypted (AES) using a pass key called your “packing key” so that your information is uniquely and securely protected.  While there are trust issues that have to be overcome when storing your information almost anywhere, the guys (and girls) at PassPack have been open and honest about what they’re doing and how they’re doing it.

In addition to offering its users an online storage area (while currently limited to 32k) for their information, PassPack has also unveiled some pretty neat features.  Their “1 Click” logon allows a user to add a bookmarklet to their browser and simply go to a page that they have saved information for and with a single click (get it?) log into the site.  It uses JavaScript laid over the actual site and doesn’t use the clipboard to log the user in.  Pretty neat, huh?

Some of the new features that they’re coming out with are even more impressive.  The ability to share certain passwords securely with other users will be a big help if they want to break into the commercial/small business area.  Having the ability to share a password with a colleague on a temporary basis without emailing it to them or sending it to them via mail or the dreaded fax machine would greatly increase productivity as well as security (if they build it right, the end user would never even have to see the password with 1 Click logon).

While PassPack has a long way to go before they’re accepted by most users or better yet the corporate environment, they’re on the right track.  The possibilities are endless with the configuration that they have so far.  Maybe encrypted document storage, better offline support or secure transmitting of information (like encrypted email) that can not be broken by anyone (I know, a far-off wish).  What do you think?  Would you store your passwords online?  If they were encrypted?  What would a company have to do to prove to you that they were honest and could do what they said they could do?