About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics.  I'm also on Twitter @bond_alexander.  All opinions are my own unless explicitly stated.

Wednesday, January 26, 2011

On Piracy

The government, entertainment and software industries have each put a lot of time and effort into combatting copyright infringement, including software piracy.  So far, most of the public relations effort I've seen has been focused around either trying to shame people into not pirating software, or trying to scare people with the legal consequences of piracy.

So far, neither method has been effective.  Shame is not effective because public opinion is that despite piracy, the victim corporations are still making tons of money.  A combination of high prices, high corporate profits and the fact that corporations are faceless entities prevents people from empathising with their position.  To date, fear has not been effective because the number of people sued or prosecuted for software piracy is incredibly low.  People (correctly) see that they can get away with it as long as they're not major distributors.  However, this viewpoint may change if law enforcement is able to exert more resources against software piracy.

Personally, I think a better approach would be to show people how they can be harmed by software piracy.  Any time you place a program on your computer, you are entrusting your hardware and your data to not be abused by the program you're downloading.  That's fine when it's a corporation providing you with the data because there are consequences (lawsuits, bad PR) if they provide malware in their software.  However, you have no such guarantee when downloading software from warez websites or peer-to-peer applications like BitTorrent.  Macs and even "jailbroken" iPhones have been virus infected by pirated software.

Pirating an OS is even worse, as a pirated OS is generally not eligible for security updates, leaving it vulnerable to hacking or virus infection.  That is one likely reason that China has such a high proportion of hacked computers.

Although it's currently very unlikely that any given software pirate will be arrested, it's far more likely that their computer will be taken over and used for malicious purposes.  I think if people were more aware of that fact, it might actually make a difference in the amount of software piracy.

Wednesday, January 19, 2011

What is computer security

This morning a friend of mine tweeted about a good definition of security that he ran across.  Read the article for more explanation and details, but the essential definition is:
Security is the process of maintaining an acceptable level of perceived risk.
I really like this definition because it's simple and easy to comprehend, but it also accurately portrays several nuances that are frequently missed in discussions about security by both security people and non-security people.
  1. Security is a process.  Security isn't something that you set up and you're done, it's an ongoing process.  You have to keep aware of current and upcoming threats, new vulnerabilities and new mitigation techniques.  As bugs are found in software, you have to patch them.  As employees come and go, you need to grant and remove their access diligently.  These are just some examples of the process of security.
  2. Acceptable level of risk.  Security (computer or physical) isn't about eliminating risk.  That's impossible.  It's about managing risks to an acceptable level.  Things that need to be considered are how expensive is the security device/policy?  What barriers does it add to normal operations?  How likely is the threat, and what amount of damage can be expected from it?  How much security is worth it?
  3. Perceived risk.  We're not omniscient.  Security people, managers, employees and customers have to make our best judgements about what the risks are, how dangerous they are and how likely they are.  The fact that humans in general are rather poor at estimating risks is why we spend billions on airport security and very little on preventing traffic collisions.  Several books have been written about this issue.
I think a better understanding of what security means would do much to improve security decision-making in general.

Monday, January 17, 2011

Forgot your password?

It seems like more and more frequently, articles about email and Facebook hijackings appear in the news.  Although the news frequently calls them "hacking", the actual method tends to be either guessing the password or abusing the "security questions" in the password reset feature.  If you're not concerned about this, you don't understand the potential consequences of losing access to your email.  George Bronk, the extortionist in this case, searched his victim's email accounts for nude pictures and videos.  He sent what he found to the victim's friends and frequently attempted to extort the victim further.  He also utilized his control over the victim's email accounts to gain control over their Facebook.  Had he been more interested in monetary gain, he could have just as easily used the password reset feature for the victim's bank accounts to clean them out financially too. 

Incidentally, this was the same method used by David Kernell to gain access to Sarah Palin's email account.

So, what can you do to prevent something like this?  The article above provides some suggestions about false password reset answers ... but those pose problems of their own.  If you provide false information for your password reset questions, you need to make certain you can remember the answers when you actually need to use them.  If the account allows you to create your own password reset questions, that might help you make answers that are memorable to you and difficult to discover.

Another suggestion is to keep your social networking (Facebook, MySpace) privacy settings under tight control, and be careful what you share on them and who you "friend".  Remember, friends can usually see more of your profile than people who aren't friends. 

A fun exercise is to try thinking like a hacker ... log out of your Facebook (so you can only see the public profile) and then see if you can find out enough information on yourself to answer your own password reset questions.  Pretend you don't know anything about yourself: can you break into your Facebook?  Your email?  Can you find out what bank you use and get into that?

Do you have any additional suggestions?  If so, please comment.  I'd love to hear them.

Tuesday, January 4, 2011

Quick update to "Cablegate"

In my last post on "Cablegate", I suggested that the reason so many cables could be accessed by Bradley Manning was the desire to improve information-sharing after the attacks of September 2001.  At the time that was speculation on my part, but a new article in the Washington Post shows that this is correct.

From the article:

Investigations into the attacks concluded that government agencies had failed to share critical information that could have helped uncover the Sept. 11 plot. Because of that lapse, Congress tasked the Office of the Director of National Intelligence with pressuring key government agencies - including the Pentagon, the Homeland Security Department and the State Department - to find ways to rapidly share information that could be relevant to possible terrorist plots and other threats.
The State Department, with its hundreds of diplomatic posts worldwide, was already making tens of thousands of classified cables available to intelligence and military officials with secret security clearances. But in 2005, the DNI and the Defense Department agreed to pay for a new State Department computer database that could allow the agency's cables to flow more easily to other users throughout the federal government.
"It was consistent with the concept of needing to share information after September 11th," said State Department spokesman P.J. Crowley. "We were asked to do it, and the Pentagon paid for it."
The article also describes the limited safeguards present on this system that directly allowed Manning to steal the documents.

A few State Department officials expressed early concerns about unauthorized access to the database, but these worries mostly involved threats to individual privacy, department officials said. In practice, agency officials relied on the end-users of the data - mostly military and intelligence personnel - to guard against abuse.
The department was not equipped to assign individual passwords or perform independent scrutiny over the hundreds of thousands of users authorized by the Pentagon to use the database, said Kennedy, the undersecretary of state.
"It is the responsibility of the receiving agency to ensure that the information is handled, stored and processed in accordance with U.S. government procedures," he said.
To prevent illegal intrusion, the State Department has long maintained safeguards that make it difficult for an individual to download sensitive information onto a portable device such as a flash drive or compact disc. But Kennedy acknowledged that the department had no means of overseeing practices by other agencies using its data.
U.S. investigators suspect that Bradley Manning, an Army private stationed in the Persian Gulf, downloaded the 250,000 State Department cables to compact discs from a computer terminal in Kuwait. He then allegedly provided the files to WikiLeaks, which shared them with newspapers and posted hundreds of them online.
There you have it.  The rush to share information after September 2001 led to poor logging and auditing of access to data and placed great trust in the users to not betray the government.  Mr. Manning betrayed that trust.