Good References on Securing Mac OS/X

After reading Thomas’ article on re-evaluating the safety of Mac OS/X last week, I finally managed to bring most of my Apple equipment up to date.  I checked all the network devices and updated most of those.  My Windows machines are all current.  I do have that one Mac that won’t run a current OS.  I read a great tips article over at Naked Security about bringing that machine as close to protected as possible.

Another reason NOT to jailbreak your iOS device!

While many folks enjoy the iPhone and all of the apps available for the device from iTunes or Apple’s App Store, there are people out there who want to do more.  The only way to run software on your iPhone that isn’t available from iTunes is to run an operating system other than Apple’s iOS on the phone.  The process of installing and running another operating system on an iPhone is known as ‘jailbreaking’ (see this great post at iphonehacks.com for more info).

Who does this?  People who want to listen to music obtained from sources other than iTunes (DRM free).  People who want to run apps that Apple has not approved.  And then there are people who obtained their iPhone through channels other than the normal commercial ones.

The downside to jailbreaking used to be that you had to trust whoever wrote the new operating system and whatever apps you wanted to run.  That’s not Apple.  If you jailbreak, you can’t take your phone to the Apple Store for help or service.  You also can’t use iTunes or the App Store to get iOS apps.

When you read about iPhone ‘hacks’ or attacks, it is important to find out whether they are against iOS or against jailbroken devices.  Often these hacks, and even research into how to attack iPhones (see touch logging), are against jailbroken devices.

Password Managers & Escrow

Five years ago I made the decision to move from PasswordSafe to AgileBits’ 1Password.  As someone in the security field I’ve always tried to practice what I preach, and using different passwords for different sites and cycling passwords (changing them every N months) is important.  I looked at a number of different password management solutions and enthusiastically moved to 1Password as it offered everything I was looking for.  Early on I used a local database, but after becoming comfortable with the product I moved to a shared database stored at Dropbox.

One of the other password managers I looked at was PasswordBox.  PasswordBox offers an application that can sync passwords back to ‘cloud’ storage at the developer’s site and is available for Mac, Windows, and mobile platforms.  When I first looked at it, my concern with PasswordBox was that there was no way of knowing how my passwords would be secured given the application’s storage model (i.e., stored where?).  With 1Password, storage is either local or at Dropbox.  The 1Password folks have been called out on encryption numerous times over the past years (Cult of Mac 2012, Lifehacker 2013, TraxArmstrong 2013).  I followed that controversy and think the AgileBits team handled it well, so I have no reservations recommending 1Password with Dropbox.

With any password manager, one of the harder problems seems to be keeping the browser plug-in working.  As Firefox has marched through release after release I’ve had to update the plug-in, and recently had to uninstall and reinstall it after the 1Password major version change.  That’s just one browser.  I try to keep 1Password running in Firefox, Safari, and Chrome.

Something I have been looking for as a feature of a password manager is some way to do password escrow: that is, a means to pass on the information in my password manager should something happen to me.  The simple way of doing this is to give someone I trust the password to my password manager.  The downside is that the act of handing over that password creates a potentially huge point of friction.  You have to ask yourself, ‘Will the person I gave that password to do the right thing at the right time?’  Giving someone the password also equates to giving them the keys to everything; you lose the ability to purge information you don’t want to pass on.  One way around that is the capability offered by an application such as Legacy Locker.

Legacy Locker and other apps like it (Perpetu) offer a service that passes on the usernames and passwords you select to the person or people you designate in the event that you ‘in theory’ pass away or become permanently incapacitated.  All of these offer some form of credential or service escrow.  They solve a very difficult problem faced by virtually all Internet based service providers: how to let someone other than the user who agreed to the terms and opened the account into that account.

My advice regarding password managers is that more people should use them.  They are an important tool for maintaining one’s individual security on the Internet.  To be truly useful across multiple devices, a password manager needs a common storage point, and Internet cloud based storage works.  The key to using cloud based storage while keeping your passwords secure is making sure the manager supports strong encryption.

Remote Access Tool Misuse & Familial IT Support

I read an excellent article by Nate Anderson in Ars Technica, “How the FBI found Miss Teen USA’s webcam spy”, about how they broke the recent Miss USA ‘sextortion’ case.  It got me thinking about how many of my friends and colleagues become temporary IT support personnel at the end of the year, trying to help their parents and loved ones through their various computer problems.  While remote access tools are a tremendous help in solving these issues without having to travel to someone’s home, they do pose a risk.  Even my wife’s favorite support tool, TeamViewer, has been targeted.  By design these tools sit and listen for an incoming connection.  If you do use these tools, make sure you are using a non-trivial password or pass-phrase.  Try to make sure that the tool doesn’t load at startup and instead requires someone to find and execute the program before a remote connection can be created.  If possible, move the link to the utility out of the normal applications folder and into a subfolder so that it is that much harder to ‘accidentally’ launch.
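An added check for the startup advice above (example code written for this page, not from the post or from TeamViewer): it reads launchd agent plists from a folder and reports any job that launchd starts on its own and that references a remote access tool. The tool name list and the TeamViewer path are assumptions, and the sample plists are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed substrings identifying remote access tools; TeamViewer is the one the post names.
REMOTE_TOOL_MARKERS = ("teamviewer", "anydesk", "logmein", "vnc")


def autostart_remote_tools(plist_dir):
    """Return (file name, tool) for every launchd job under plist_dir that launchd
    starts on its own (RunAtLoad or KeepAlive) and whose label, program or
    arguments mention a remote access tool."""
    hits = []
    for path in sorted(Path(plist_dir).glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())
        except Exception:
            continue  # unreadable or malformed plist: nothing launchd would run
        if not (job.get("RunAtLoad") or job.get("KeepAlive")):
            continue  # only runs when someone launches it by hand, as the post advises
        fields = [job.get("Label", ""), job.get("Program", "")] + list(job.get("ProgramArguments", []))
        haystack = " ".join(str(f) for f in fields).lower()
        for tool in REMOTE_TOOL_MARKERS:
            if tool in haystack:
                hits.append((path.name, tool))
                break
    return hits


def make_sample_dir():
    """Write three constructed LaunchAgent plists to a temp dir and return its path:
    TeamViewer at login (flag), TeamViewer manual-start only (ok), a backup job (ok)."""
    d = Path(tempfile.mkdtemp())
    tv = ["/Applications/TeamViewer.app/Contents/MacOS/TeamViewer"]  # constructed path
    jobs = {
        "com.example.teamviewer.agent": {"Label": "com.example.teamviewer.agent",
                                         "ProgramArguments": tv, "RunAtLoad": True},
        "com.example.teamviewer.manual": {"Label": "com.example.teamviewer.manual",
                                          "ProgramArguments": tv, "RunAtLoad": False},
        "com.example.backup": {"Label": "com.example.backup", "StartInterval": 3600,
                               "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True},
    }
    for name, job in jobs.items():
        (d / f"{name}.plist").write_bytes(plistlib.dumps(job))
    return d


if __name__ == "__main__":
    for name, tool in autostart_remote_tools(make_sample_dir()):
        print(f"{name}: {tool} starts at login")
```

On a real Mac, point autostart_remote_tools at ~/Library/LaunchAgents and /Library/LaunchAgents instead of the sample directory.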

Why Security is Hard: When APTs became TPAs

Trying to secure the Internet and all its users, content, and services is a difficult job.  The Internet is a global resource that supports many different cultures and languages.  The purposes of the various web sites on the Internet vary from commercial sites selling products and services to informational sites about more topics than most people need or care to know about.  There are a myriad of operating systems and applications used to produce and access those sites.  As if Advanced Persistent Threats (APT) were not bad (or scary) enough, there is now a new term for the attacks that security personnel are trying to secure all these operating systems and applications from.  Welcome, Targeted Persistent Attacks (TPA)!

The first place I came across TPA was over at TechRepublic.  In an interview with the Research Vice President at NSS Labs they report:

“The truth of the matter is that an APT is sometimes made up of known exploits/vulnerabilities that are not that Advanced; so the term APT doesn’t define the action correctly. TPA highlights that the actor is going after a specific target such as company X or an entire industry sector like financial services, and will be persistent in attacking the target”

Huh?  So the reason we need a new category of product is that some malware writer slacked off, didn’t use the latest, most advanced exploit or vulnerability, and instead used something that Microsoft already addressed a couple of Tuesdays ago?

To be fair, this blog post that also appeared at NSS Labs makes a better case for the new term (TPA, that was).  What NSS Labs seems to be talking about here is threat or breach detection.  Of course, there is also a TPA focused Breach Detection Systems (BDS) product buyers’ guide.


Pogue Leaving the New York Times

The NY Times reported this afternoon that David Pogue, longtime (13 years) tech columnist for the New York Times, is leaving to start a new consumer-oriented tech site for Yahoo!.  I’m a fan of all three: the NY Times (great paper and good business oriented tech coverage), Yahoo! (been a subscriber there since the week they started offering subscriptions), and Pogue as a talented tech writer.  I’ll continue to read the Times daily (yeah Bits Blog!) and use Yahoo! both as an info and services source.  I think the biggest challenge will fall to Pogue.  He’s usually a great writer, and if you have seen his videos you know that he can stand in front of a camera and report on a story.  Can he carry an entire site?  I guess we will all see.

Using a Heat Map to Relate Security Information

I have been thinking a lot about how security practitioners can share information.  They need to be able to tell the masses about security issues; I usually refer to this as security awareness.  They also need to be able to communicate the current security and risk state to organizational leaders.  I came across an interesting web site that uses a heat map to relate security state information.

Exploit of Trust Hack in a K-12 School

I was contacted the other day and asked to assess the threat posed by the email below.  The message was sent to much of the professional staff of a local school district.  The subject line read “URGENT. MUST READ.”  The email was from an account at a university in North Carolina, US.  The contents of the message were a link to a web site and text that read in part “Contact Update”.

[Screenshot of the email, 2013-05-29]

Following the link, users were taken to a web page that looked like the one below.  The title of the page is “School Support Team” and it asks the user to enter their first and last names, date of birth, email address, username, and password (“p-word”, with confirmation).

[Screenshot of the landing page form, 2013-05-29 12:14:38 PM]

There is no title that associates the site with the school district.  If anything, the form asking for a “p-word” should have raised a caution flag for anyone who saw it.

A number of people who received the message contacted the IT department and asked what they should do.  As the IT administrators fielded more calls they sent email messages to all of the district’s users alerting them not to respond to the message.

In the end several employees acknowledged that they had not only received and read the email but had followed the link and filled out the form.  I wish I could say that these were all low level folks who didn’t know better.  But I can’t.

When discovered by the IT staff, these employees were advised to change their passwords immediately.  Should their accounts have been disabled, forcing them to choose a new password?  Probably.  But the IT staff and the district don’t have policies in place to mandate such a move.

What’s worse is that some employees complained that they could not change their passwords.  You see, they would not be able to remember anything else.  And some of those same people reported that their school password matched the one they use for their home email and banking.  Yes.  That was priceless.

Some employees complained that the web filter that blocks them from viewing their favorite web sites while at work should have stopped the message getting through, or stopped them from being able to access the web site and form.  The reality is that the message was delivered from an email address at a university.  This message exploited the trust relationship formed because the supposed sender was in the “dot edu” domain.  The chances that the web or email filter at a school would block a message from another school are slim.  An important takeaway from this should be that web sites hosted at free web providers like this one should be blocked.  I did advise that they add the site “webs.com” to their blacklist.

What can come of this?  I would expect that any account for which a user entered a username and password will be probed.  My guess is that this was a data gathering exercise and that the probes will not start immediately.

If you are a school district IT professional, here is what you should add to your defenses.  The link in the message referred to a free web hosting site at webs dot com.

[Screenshot of the webs dot com hosting page, 2013-05-29 12:15:16 PM]

The web site used a form that was created at the free form builder Freedback dot com.

[Screenshot of the Freedback dot com form, 2013-05-29 12:14:53 PM]

I would suggest adding these sites to your local blacklist.
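The three signals this post describes (a link to a free hosting site, a trusted-looking .edu sender, and credential lure wording such as “p-word”) combined into one triage function, as an added example written for this page rather than code from the post or from the district’s IT staff. The blocklist holds the two domains named above; the sample email and landing page fragment are constructed, not the originals.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed blocklist: the free web host and the form builder named in the post.
# A real deployment would load this from the district's web-filter configuration.
FREE_HOSTING_DOMAINS = {"webs.com", "freedback.com"}
# Constructed lure phrases; "p-word" is the odd wording seen on the actual form.
LURE_PHRASES = ("p-word", "password", "contact update", "urgent")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one (foo.webs.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def risky_links(text):
    """Hostnames of every URL in text (mail body or page HTML) on a blocklisted host."""
    hosts = (urlparse(u).hostname or "" for u in URL_RE.findall(text))
    return [h for h in hosts if host_matches(h, FREE_HOSTING_DOMAINS)]

def triage_message(raw):
    """Flag a raw RFC 822 message on the three signals the post describes: links to
    free hosting, a trusted-looking .edu sender, and credential lure wording."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = [f"link to free hosting: {h}" for h in risky_links(body)]
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if findings and sender_domain.endswith(".edu"):
        findings.append("free-host link sent from a .edu address (trust exploit)")
    text = (msg.get("Subject", "") + " " + body).lower()
    findings += [f"lure phrase: {p}" for p in LURE_PHRASES if p in text]
    return findings

# Constructed sample modelled on the message described in the post.
PHISH = """From: helpdesk@example-university.edu
Subject: URGENT. MUST READ.

Contact Update - all staff must confirm their details here:
http://schoolsupportteam.webs.com/contact-update
"""
# Constructed fragment of the landing page: its form posts to the form builder.
LANDING_PAGE = '<form action="https://www.freedback.com/form/f/EXAMPLE">P-word:</form>'

if __name__ == "__main__":
    print(triage_message(PHISH))      # email signals
    print(risky_links(LANDING_PAGE))  # hosts the landing page itself relies on
```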

I did contact Freedback dot com, Webs dot com, and the university the email came from.  To their credit, the team at Freedback dot com responded to my Twitter requests to block the site within hours.  The team at webs dot com responded the next business day.  The university still has not responded.

What’s the threat here?  Given the use of “p-word” I don’t think the attacker is local to the east coast of the US.  This could be just a person or company that sells into schools gathering data so as to avoid cold calling.  It could be an attacker trying to locate users who give up their passwords, with the intent of later finding other accounts (think Yahoo Mail or GMail).

My strong recommendation to the person who called me was to step up security awareness training for all district employees.

Cybersecurity & the Law: IT for Oppression

I don’t know how many people read the IEEE Security and Privacy magazine, but this past issue closed with an interesting ‘Last Word’ essay by BT CSO Bruce Schneier titled “IT for Oppression”.  It’s a very good read that discusses both the positive and negative uses of the technology that many here have used and contributed to in the name of improving security.  Schneier makes a great case for his call for more research into how to circumvent these technologies.

https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html

While Schneier points out that cyberspace is still awaiting the arrival of its hero (Gandhi or MLK), he ignores the fact that our system of laws is regularly used to prosecute those who challenge seemingly ‘correct’ uses of security, such as the recent Swartz and weev cases.

http://www.wired.com/threatlevel/2013/03/holder-swartz-case/

http://news.idg.no/cw/art.cfm?id=50707CC6-B980-1CD4-53A32E093B8B71AA

http://articles.latimes.com/2013/mar/28/opinion/la-ed-computer-fraud-abuse-act-20130328