Sunday, March 3, 2013

Swimming with Sharks


People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.
— Bruce Schneier, Secrets and Lies


Is it ever safe to swim with sharks? Who in their right mind would ever feel safe? Yet the security of web infrastructure and applications is the least of most businesses' concerns today, while the Internet is full of sharks trying to hack your applications and steal or damage your data.

It is true that most companies have spent money on security infrastructure like firewalls, IPS and IDS and have fortified their networks, but not enough attention is paid to their most valuable asset: people. How many of them are aware of safe security practices in their day-to-day work? How committed are they to practicing them?

In a time when everyone uses third-party vendors for development, sites are hosted with third-party vendors, and applications handshake with your own and your partners' systems for SSO and authentication, security should be in the limelight. Yet it always takes the back seat, or in most cases it is an afterthought!

Most organizations don't see value in educating their employees about security and precautions, let alone taking the time to think through threat scenarios when developing applications. If you think it could never happen to you, either it is only a matter of time, or you have never looked at the activity on your systems, where it may be going undetected. No matter what has been spent on technology, if awareness and commitment across your organization are not kept high, people will remain the weakest link. If you are naive about this, I strongly recommend reading Kevin Mitnick's "Ghost in the Wires". (I couldn't put it down after I started reading :)

Have a proper procedure and policy for social site usage, and make sure everyone knows it. Have a process to ensure that every employee, new and old, and every onshore or offshore consultant learns about security threats and risks, and have them commit to following precautions in their day-to-day job. It is a good thing to have a healthy amount of paranoia!

Sunday, February 10, 2013

Scroogled, Outlooked or Yahooed, your email is not secure!


You heard it loud and clear from Microsoft's "Scroogled" campaign against Google's policy on email privacy. But I don't think any of you bought into it, since we all know there is no such thing as privacy or security when it comes to email. Anyone remember the Petraeus affair? I guess the convenience of email makes everyone forget and sacrifice their security concerns; how else can we explain that people don't think twice before exchanging confidential information like their tax returns, mortgage papers and pay stubs? If you assume hackers are only interested in celebrities' email, you are wrong. You just don't hear about the average Joe's email hacks in the newspapers! Given the importance of email today, anyone's mailbox is a gold mine for hacking and for snooping on the documents being exchanged. Access to email is the most critical tool needed to reset passwords on pretty much anything: bank accounts, mortgage accounts, eBay, Amazon, iTunes, you name it. So I don't think anyone needs to be convinced that securing your email is a task of the utmost importance.

Email being such an important tool, why is it so hard to make it secure and protected? No one wants others to read their email, celebrity or not. But here is the problem: if your email service provider is in the business of reading your mail to sell advertisements, selling your data to vendors and feeding government surveillance systems, why would they make it easy to keep your data out of their reach? So there is no easy button out there. But we can't give up and go back to pigeon post; even then you would have to encrypt your messages!


General tips to keep your email account safe.

  • Always use complex and long passwords for your email accounts, and make sure you don't store them on your PC.
  • Make sure your alternate email address, the one used for password resets, is also secured with a strong password.
  • Use an email service with at least two-factor authentication. I know Gmail supports two-factor authentication, but most other providers don't. I never understood why it takes Yahoo and Microsoft so long to implement it.
  • Make sure you are using HTTPS to access your mail when using a browser.


Content Encryption

None of the above is going to make your email content safe; it only protects your email account and keeps your messages safe while they are in transit. It is not going to stop Google or Yahoo from snooping on your email. Let's see what we can do about that.

1) Simple encryption
Encrypt your content and attachments using 7-Zip with a strong password. 7-Zip being a commonly used free application, it should not be hard to use it on the receiving side. Make sure you don't store the password on your computer, and never send the password by email.

There are a handful of other good tools you can explore: Encrypt Files, which encrypts a whole folder, and dsCrypt, which lets you drag and drop files to be encrypted, are some of them. Whatever tool you use, make sure it is available on all platforms and devices, including mobile.

2) Use Pretty Good Privacy (PGP) certificates
This is certificate-based content encryption, very similar to SSL site certificates. You generate a pair: a public key and a private key. You give out the public key to anyone who wants to email you so that they can encrypt the content with it. Once you receive the message, only you are able to decrypt it, with your private key.

OpenPGP is a free, open-source tool that lets you do this. For more information on how to use PGP encryption, there is a good article on Lifehacker.
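The public-key flow described above, as an added illustration that is not from the post or from any PGP tool: the recipient generates a key pair, the sender encrypts with the public key, and only the private key decrypts. As PGP does, it encrypts the body with a fresh symmetric session key and wraps only that key with RSA. It assumes the third-party `cryptography` package is installed.

```python
"""Hybrid public-key encryption in the style the post describes.
Added example; assumes the `cryptography` package is available."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256: the key-wrapping padding used below.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """Recipient does this once; only the public half is handed out."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_message(public_key, plaintext: bytes) -> dict:
    """Sender: random AES-256-GCM session key for the body, RSA-OAEP for the key."""
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # GCM nonce; never reused with the same key
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, None)
    wrapped_key = public_key.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "ciphertext": ciphertext}


def decrypt_message(private_key, envelope: dict) -> bytes:
    """Recipient: unwrap the session key with the private key, then open the body.
    GCM checks the authentication tag, so a tampered body is rejected."""
    session_key = private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)


def can_decrypt(private_key, envelope: dict) -> bool:
    """True only for the holder of the matching private key and an untampered envelope."""
    try:
        decrypt_message(private_key, envelope)
        return True
    except Exception:  # wrong key (ValueError) or bad tag (InvalidTag)
        return False


if __name__ == "__main__":
    recipient_priv, recipient_pub = generate_keypair()
    env = encrypt_message(recipient_pub, b"tax return attached")  # constructed sample
    print(decrypt_message(recipient_priv, env))
```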

Secured Email Providers

There are lots of new players in this space now, offering a secured service; some of them are free and others may charge a few dollars a month. HushMail, 4SecureMail and Swiss Mail are some of them. Typically the email recipient is taken to a website to answer secret questions, and the content is decrypted upon successful answers.

If you need security and privacy for your email, you will have to sacrifice some convenience, for sure. I am not sure whether you will be able to convince everyone who communicates with you to follow the process. But my advice is this: if you ever have to email anything sensitive, such as tax documents, medical records or an SSN, never send it in plain text.

Sunday, February 3, 2013

Whose war is this?

"If history repeats itself, and the unexpected always happens, how incapable must Man be of learning from experience." — George Bernard Shaw

I salute The New York Times for coming out and reporting that its systems had been hacked, on January 30th, 2013. Following suit, we heard the same from other major media companies, the WSJ and the Washington Post. It makes you wonder how many more companies are affected but not disclosing it, and how many more are affected but not even aware of the APT running on their network!

NYT is not new to being hacked; it has seen its share in the past. But unlike many companies, NYT management seems committed to securing its infrastructure and data, and is well aware of the pitfalls of Internet security. It even conducts "Hackathon" events every year with a bug bounty program, and it works with major companies in the security industry. Regarding this particular incident, NYT management took the time, and the risk, to analyze the hackers' activity instead of shutting down the systems in a panic. Kudos to the management for all that. But I believe the issue is much bigger than it appears to be. Let's take a look at some of the facts about this cyber terrorist activity.

  • NYT isn't new to being hacked; it was hacked a few times in the past along with other media companies (May 2009, Sept 2009, April 2010).
  • In April 2010, NYT journalist Andrew Jacobs claimed that his Yahoo email account was hacked while he was in Beijing, forwarding all of his correspondence to a third party. (http://nakedsecurity.sophos.com/2013/01/31/history-hack-attacks-against-media/)
  • NYT expected retaliation from China after publishing the report on Wen Jiabao.
  • AT&T notified NYT of unusual traffic on day one after the report was published.
  • NYT uses Symantec AntiVirus, possibly along with other desktop protection software.
  • 53 of their user computers were compromised.
  • 45 different pieces of malware were installed, and only one was detected by up-to-date AV software.
  • The hackers used university infrastructure to hide their tracks.
  • NYT didn't notice it for three months!
  • Symantec says AV alone is not enough to protect your PCs.
  • WSJ and Washington Post confirmed similar attacks on their systems too.
  • Based on the attack signature, NYT claims that the government of China was behind the attack.
  • Red China calls it a baseless allegation.

Though NYT was expecting retaliation, it wasn't able to detect or stop it for quite a while. Assuming its allegation is true and the government of China orchestrated these attacks, would it be possible for any one company to stop them? I don't think so. When many of our corporations are being attacked by foreign states and individuals, what is the role of our government in all this? Is it not in the government's interest to protect its businesses? What would the government's reaction have been if this were a physical intrusion across its borders? Is it really hesitating to get involved? Many are the unanswered questions.

It doesn't give any assurance when I look at the outdated federal guidelines on Internet security; one has to wonder how much Washington wants to be involved in this war. Could it be hesitating because of its own past, regarding Stuxnet and Iran? Or is it simply a matter of time before Washington catches up? Only time can tell.

Sunday, January 27, 2013

What’s your tensile strength?

A good programmer is someone who always looks both ways before crossing a one-way street. — Doug Linder


In a time when every product is developed in an unimaginable rush to deliver and market, how much time is really spent on the security aspects of your product? Is security a well-thought-through and well-integrated aspect of your application, or is it really an afterthought? Most of us know what the reality is! How many of you are still following a traditional SDLC for your project life cycles? Given the demand to deliver products with no time for proper planning or testing, unless security becomes second nature to everyone in the organization, achieving decent security across all your products is an impossible goal.

You may have a separate information security team, specialized in all the security threats and the tools to prevent them; you may have trained your architects and team leads in security matters once every few years; but the chain is only as strong as its weakest link! It only takes one flaw to hand your entire infrastructure over on a platter to be owned.


Saturday, January 26, 2013

A case for browser side standards

Steve Jobs can ban Flash on Apple products, and Google can discontinue support for IE6 and IE7, but how many of us can dictate the minimum requirements for accessing our websites?

I wasn't surprised when one of my clients gave me the requirement that a state-of-the-art new financial portal must support IE6, in addition to supporting every other browser out there, including the iPad and iPhone. The senior executive wasn't shy about it when he said that we would support IE6 as long as there was at least one client using it. It sounds great from a customer service perspective, but does it really make sense from your organization's security standpoint? And all we are discussing is browser versions. What about the long list of protective (?) software on the workstation, like firewalls, antivirus, anti-malware and anti-spyware? What about the browser extensions? Are they providing protection or stealing data? What's at stake here? Is it not your organization's good name and your clients' trust?

We all know how much money and effort goes into fortifying the web infrastructure, but client workstations have remained the soft underbelly that hackers target. It is about time we introduced some industry client-side standard for securing the future of e-commerce!