Friday, 21. May 2010
Thursday, 20. May 2010
—Caution: Below you will find what some may term as a rant.—
Telnet (TErminaL NETwork) is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility via a virtual terminal connection. (Wikipedia)
English translation: Telnet, a simple way to connect one computer to another. Great for command line work.
Now what is my beef with Telnet? Nothing.. My beef is with the implementations of telnet. Telnet is an “in the clear” communication. That means that data transmitted over a telnet connection is sent with no encryption, no obfuscation, and no joy…
What is telnet commonly used for, you might ask? In computing environments you will see telnet used as a remote command line access system. Administrators and users alike log into servers across the network and perform whatever tasks are required.
You can probably see the issue I am getting at, and thousands of security professionals before me have gotten at… An administrator, with root access, logs into a server using telnet. Their credentials (username/password) are sent in plaintext. Someone sniffing packets on the network has a chance to grab those credentials. Now your administrative access has been owned.
“But Josh, I’m on a switched network, packet sniffers can’t get my traffic, that would only work on a hub or wireless.” A good observation, but not true. Your switched network offers a little protection against it, but it is not difficult to get around.
So what does this mean? Is the world doomed to telnet horror?
There is a simple solution my friends.. not elegant, not bulletproof, but better than telnet. A simple SSH connection. It does require an SSH server on one side of the connection and an SSH-capable client on the other, but the encryption benefits far outweigh the small cost (CPU cycles wise) in most cases.
So, the next time you find yourself typing the word telnet… stop and think.. Do I really need to use telnet? Or can I move into the 21st century and enter the SSH world?
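A quick way to find out whether a server is still offering telnet, as an added example (not part of the original post): the Python below checks an inetd.conf and the output of `ss -tln` for a telnet service. Both sample inputs are constructed, and the function names are made up for this illustration.

```python
# Constructed sample in classic inetd.conf format:
# service socket-type protocol wait-flag user program args
SAMPLE_INETD = """\
# /etc/inetd.conf (constructed sample)
#ftp    stream tcp nowait root   /usr/sbin/tcpd   in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd   in.telnetd
ident   stream tcp wait   identd /usr/sbin/identd identd
"""

# Constructed sample of `ss -tln` output (numeric ports, TCP listeners).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

TELNET_PORT = 23
SSH_PORT = 22


def telnet_enabled_in_inetd(conf_text):
    """Return the uncommented inetd.conf lines that start a telnet service."""
    hits = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or disabled (commented-out) service
        if stripped.split()[0].lower() == "telnet":
            hits.append(stripped)
    return hits


def listening_ports(ss_text):
    """Extract the set of listening TCP ports from `ss -tln` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            port = fields[3].rsplit(":", 1)[-1]  # handles 0.0.0.0:23 and [::]:22
            if port.isdigit():
                ports.add(int(port))
    return ports


def audit(conf_text, ss_text):
    """Summarise whether telnet is configured or listening, and whether SSH is up."""
    ports = listening_ports(ss_text)
    return {
        "telnet_in_inetd": telnet_enabled_in_inetd(conf_text),
        "telnet_listening": TELNET_PORT in ports,
        "ssh_listening": SSH_PORT in ports,
    }
```

If `ssh_listening` is true and either telnet finding is set, the telnet entry can be commented out and the administrators moved over to SSH.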
Friday, 14. May 2010
Another laptop containing sensitive data has been stolen. Another unsuspecting poor Joe is now put at risk of identity theft. Let’s read and think… how can we fix this??
1. Require encryption on all devices that connect to your network?
“A seven-month cybersecurity review undertaken last year at the behest of VA secretary Eric Shinseki found that more than 28% of the VA’s vendor contracts were missing required clauses about information security, and contractors on 578 contracts actually refused to sign the clauses.”
That might help.. except you are letting contractors, who want your business, flat out refuse to sign the agreement that they will encrypt devices connecting with the VA.
— Interesting note. How good is 256-bit AES encryption with a password of abc123? So in the encryption clause, do we also detail required password policies (length, change dates, etc.)?
2. Don’t allow contractors to use private equipment to access the VA? This raises a lot of questions. What kind of contractors are they? Are we talking IT people? HR people? Are they shifting records? Doing field VA reporting? Until we can define the divisions of employees, we cannot clearly think about who can use private gear and who cannot. A small statement though… I personally would never let a privately owned laptop onto my internal corporate networks. Period. There is guest access and VPN connections into DMZs for that. If they require more access, they can be issued a company laptop, with company encryption, company policies, and company control.
3. Dumb terminal access to VA records? Instead of having local copies of a VA form, you issue each contractor a cell card. They can then collect data into a web application (HTTPS please…) and submit it there. If they need to access records, they can once again access a secured web page. Heck, maybe we use multi-factor auth? (PW, RSA key, etc.) The systems could be booted from CD with a simple OS, browser, etc. Then at the end of the day, a drive wipe can be run to write random data to the free space on the drive and RAM. At least then, if the laptop is stolen, the thief is most likely not going to get a thing. (Most likely, I KNOW! Someone can prove me wrong out there.)
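On the abc123 question under point 1, an added example (not part of the original post): the Python below estimates how much brute-force work a password really represents and caps the "256-bit" claim at that number. The common-password list is a constructed stand-in, and the policy thresholds (12 characters, 64 bits) are hypothetical values for a contract clause, not anything the VA has published.

```python
import math

AES_KEY_BITS = 256
PRINTABLE_ASCII = 95  # 26 lower + 26 upper + 10 digits + 33 symbols/space

# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"abc123", "password", "123456", "qwerty", "letmein"}


def charset_size(password):
    """Size of the smallest character pool covering the classes used."""
    size = 0
    if any(c.isascii() and c.islower() for c in password):
        size += 26
    if any(c.isascii() and c.isupper() for c in password):
        size += 26
    if any(c.isascii() and c.isdigit() for c in password):
        size += 10
    if any(not (c.isascii() and c.isalnum()) for c in password):
        size += 33  # symbols, space, and anything else lumped together
    return size


def brute_force_bits(password):
    """Upper bound on guessing work in bits: length * log2(pool size).

    Real passwords are less random than this, so treat it as a ceiling.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def effective_key_bits(password):
    """A password-derived key is no stronger than the password behind it."""
    return min(AES_KEY_BITS, brute_force_bits(password))


def meets_policy(password, min_length=12, min_bits=64):
    """Hypothetical clause: not on the common list, long enough, enough bits."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    return len(password) >= min_length and brute_force_bits(password) >= min_bits


def chars_needed_for_full_key(pool=PRINTABLE_ASCII):
    """Random characters needed before the password stops being the weak link."""
    return math.ceil(AES_KEY_BITS / math.log2(pool))
```

By this estimate abc123 is worth about 31 bits at best, and a fully random printable-ASCII password needs 39 characters before the 256-bit key is the limiting factor. Key stretching slows each guess but does not add entropy to the password.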
What about you? Any ideas on how we can make the access to VA documents safer? Here is my scenario challenge to you.
1. You are the VA CISO. (god I hope they have one…) You have 200 field contractors across the country who go out and collect VA information (SSN, name, address) and explain benefits to vets currently on the system (so they need to access the vet records). How do you do this securely?
Wednesday, 12. May 2010
“Germany’s top criminal court ruled Wednesday that Internet users need to secure their private wireless connections by password to prevent unauthorized people from using their Web access to illegally download data.
Internet users can be fined up to euro100 ($126) if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files, the Karlsruhe-based court said in its verdict.”
– Please read entire article so as to not be taken out of context:
Let the dissection begin:
1. Does the court have the power to specify what level of security is put in place? Can the users simply set up WEP with a password of 12345 and have it pass muster?
If the courts do regulate the level of wireless security, where does their power stop? Can they then enforce a certain level of wired security? I.e., shielded and secured network cables?
2. With the ease with which many (I said many, not most) wireless APs can be cracked, does the German court really expect to stop the flood of illegal downloads?
3. What about coffee shops, or locations with public wireless? I know some do use a shared key, or time-based key for their wifi, but are they also going to be held responsible for activities committed on their network? If so, does that mean each coffee shop and wine bar in Germany needs to hire a security “expert” to watch for illegal actions?
– Ok, so I’ve gone movie plot threat slightly, but, all in all the court ruling is slightly ridiculous, slightly logical. It will make people think more about putting security on their wifi, but the fact that the government is mandating private owners’ security levels… slightly frustrates me.
It will be interesting to see further cases regarding this, as the recording groups can use this to attempt to pursue cases against those “aiding and abetting” criminals.