When discussing computer security with people, something I often bring up is this very simple equation:

What this means is that "secure" things tend not to be convenient to use. For example, a powered down computer in a metal box secured by locks, and put in a safe protected by armed guards 24x7 might be relatively safe from theft, but it's not very usable, is it?

Conversely, convenient things aren't secure. For example, not having a lock on your house might make it easier for you to come and go as you please, but it sure makes it easy for would-be thieves to get into your house and take whatever they'd like.

Something else to note about this equation: assuming security and convenience are expressed in terms of real numbers greater than or equal to zero, as convenience decreases towards zero, security increases towards infinity. If security is zero, convenience doesn't matter (because both inconvenient and convenient things can be insecure). However, if convenience hits zero, then security is undefined. You can't divide by zero. You also can't make something absolutely secure :)

Another thing that comes up in security--computer or otherwise--is cost. What is it we are trying to secure? What does it cost to reduce that risk? What is the likelihood that a "loss" will occur and how much will that loss cost? It seems silly, for instance, to spend $100 to secure a $10 item, unless that $10 item has $1,000 (or more) worth of data on it :)

Anyway, this article is not about computer security. It's really about airport security, or rather insecurity. This topic entered my consciousness again when I found out about the idiot who tried to explode something on an international flight landing in Detroit on Christmas Day. My immediate response was "oh crap, they're going to make it more painful to travel again."

And yes, they are. While the TSA hasn't said anything officially yet, there are a number of reports from many sources, including the New York Times, that suggest measures similar to the following will be taking place on all flights inbound to the US:

  • Passengers will have to remain in their seats one hour before landing with no access to anything they may have brought on board or have access to on the airplane (e.g. inflight magazine, pillows, blankets, etc).
  • Passengers will not be told when they will land or be given any clue where they are.
  • Passengers will be subject to extra screening at the boarding gate.
  • Only one carryon item will be permitted to be brought onboard per passenger.

I question how many of these security measures will actually be effective at either deterring or preventing a real security event, which for the purposes of this discussion is a loss of life by one or more passengers caused by the actions of one or more passengers on the plane (e.g. because of a terrorist-type event).

Let's look at what the folks from the TSA have done since September 11, 2001 in order to "improve security" at our nation's airports (notwithstanding the "new rules" being implemented since Friday):

  • Liquid Restrictions: Considering the 3.2oz/100ml or less bottles of liquids in a quart-size plastic bag are subjected to a simple Xray scan and not anything more, one could easily slip in a relatively dangerous liquid past security. Several passengers could, in concert, do this together.
  • Shoes Off: We can thank Richard Reid, the infamous Shoe Bomber, for this stupid rule. Again, all they are doing is Xraying the shoes. I'm sure the bad guys can find ways to hide explosives in shoes without getting caught by the Xray.
  • Laptops Out: Don't understand the rationale behind this one at all. I suppose it's to get a better look at everything. I would be more concerned about smaller devices.
  • Need Photo ID: How easy is it to fake an ID or a passport?
  • The No Fly List: How easy is it to fake an ID or a passport and use a name that isn't on the list? Seems like all it does is inconvenience people with names similar to suspected terrorists.
  • Barking The Rules: I've heard a number of personal accounts of TSA agents yelling at everyone in line about what the rules are going through the security line. I've also experienced this myself. They don't exactly do this in a friendly, courteous way.
  • More Secure Cockpit Doors: This is, perhaps, one of the few "good" things that came from the last round of major changes to airport security. This probably did not cost that much in the grand scheme of things and has a measurable impact on the safety of the pilots. It's debatable how much this does for the passengers' safety, of course.

This is all, as Bruce Schneier calls it, Security Theater. Stuff that's designed to make us "feel" more secure without actually making us more secure. These measures made traveling inconvenient. The new ones they are implementing are going to make it that much worse. I can think of many ways around all these "restrictions" without a lot of thought. I'm sure a real bad guy could come up with even more, especially given lots of time and motivation!

Having been through Israeli airport security twice in the past 6 months, I can tell you that "better" security (or at least better security theater) is both time-consuming and costly, both in terms of machines and people-power. Persons and belongings are thoroughly screened before getting anywhere near an airplane, and you don't have to take off your shoes in the process. The TSA screening that comes after my Tel Aviv flight but before my connecting flight home is almost insulting in comparison.

So now what? How do we make our flights more secure, yet not so inconvenient that people don't want to fly? While we can argue about different screening procedures ad infinitum, the best defense is an aware, active traveling public. As long as passengers remain watchful of suspicious activity and act accordingly, situations that do break out on planes can easily be neutralized before they become serious threats. It certainly happened with this most recent threat.

Ok, I was suckered into something I said I wouldn't do: I actually jailbroke and unlocked my iPhone. George Hotz, a.k.a. geohot, makes it so easy with blackra1n. It was a super easy process to do, and if you do a restore, your iPhone is back to its Steve Jobs approved state.

For the most part, I don't want a jailbroken phone. However, Apple (or is it AT&T?) doesn't permit the iPhone to be unlocked in the United States. I don't need that often, but it is handy when I am traveling, which I have done quite a bit lately.

One other thing I can certainly use is the ability to tether, which AT&T still doesn't officially support. However, blacksn0w also enables the IPCC "hack" that allowed you to download a provisioning file that enables tethering (i.e. using your iPhone as a modem). That's also useful when traveling, particularly if there isn't an iPass-compatible WiFi hotspot nearby.

There's a part of me that feels uneasy about this. Geohot and others like him are finding and exploiting security vulnerabilities in the iPhone to inject code into the phone to make it do things Apple didn't want you to do. Whereas we usually hear about the "bad" results of security vulnerabilities--and these exploits could be seriously bad in the wrong hands--this actually gives the user more functionality.

Apple will, of course, study these jailbreak tools and find a way to close the security holes they take advantage of. Typical in the game of cat-and-mouse between vendor and hacker. Of course, if Apple had more customer-friendly policies related to unlocking the device and allowing installation of "unapproved" apps, this problem would mostly go away.

Apple could be using these "hackers" to make their phone as secure as possible. Once Apple believes the phones are invulnerable to these kinds of attacks, they could simply provide easy access to device unlock and allow people to install whatever apps they want. People get the functionality they want with a much more secure device to boot. Everyone wins.

That's just a crackpot theory, of course, and I'm probably wrong about it. I hope I'm not.

This past week, I've been on the Check Point Security Tour up in Western Canada talking about the Dangers of Social Networking. The basis of the presentation was actually something I gave to Check Point employees in Redwood City back in August on the benefits of social networking. I added the "dangers" part after I was asked to present in this tour :)

This topic seems quite timely as this past week, several of my followers on Twitter got bit by the latest attempt at hacking Twitter accounts. At least three of my followers sent me direct messages on Twitter that were a little suspicious:

this youz ? ? http://is.gd/4H1qh

lost a ton of weight and feel better here http://ringys4u.com

hi. i lost excess fat with http://loseweight.asdjiiw.com it works...

These messages looked suspicious. I didn't click on the links and I immediately warned the affected individuals to change their passwords.

Of course, Twitter is not the only place this happens. In fact, these kinds of messages have been sent out as long as email spam has been around, which has been going on at least as long as I've been on the Internet.

Nothing New Under The Sun

I've been at this "social networking" thing a while. Aside from starting out on computer bulletin boards in the late 1980s (you know, the kind you used your computer modem to dial into), which is one of the earlier forms of so-called social networking, I've participated in IRC, instant messaging, USENET, mailing lists (also ran my own for 9 years), online forums, blogging (phoneboy.com has been one since 2005), and of course use the "current" social networking tools like Twitter and Facebook.

The main thing that differentiates these services from one another is the interface used and whether or not the services permitted real-time communication with others. Beyond that, they all fulfill a fundamental human need--the need to be heard and understood by others.

The Value of Social Networking

By this point in time, I think most of us understand why social networking is valuable. It's great for making new connections with people, strengthening existing connections with people, being part of (or starting) a conversation, and sharing ideas and things you've created.

For business, it can even be more powerful. Connecting with more customers more often can mean more sales. It can also allow you to get better visibility into what's going wrong with your business, for example customer service snafus. Businesses have to accept that they cannot control the conversation about them. However, they have a fighting chance of guiding it in the right direction by actively participating in the conversation.

Where Email and "Social Media" Tools Differ

It's relatively easy to send an unsolicited email to someone. All you have to do is find their email--or guess it--and send them an email. Furthermore, it's relatively easy to "spoof" an email. I figured out in the early 1990s how to send an email from someone appearing to be from "[email protected]" by talking directly with the email server. While mail servers have gotten smarter about these things over the years, it can still be done relatively trivially.

The newer social media tools make this a bit more challenging as a "friend" or "follower" relationship is required. For example, I can only send a direct message on Twitter to someone who is actually following me. Facebook requires the person to be a "friend." This severely limits who can send you a private message and you can be fairly certain who sent the message to you.

Despite these controls, I still see "spam" on Twitter and Facebook. And yes, like what happens with email from time to time, it appears to come from a "friend." But unlike email, where your identity can be easily spoofed, something more nefarious has to happen.

URL Shorteners

Prior to Twitter, there was not a huge call for so-called URL shortening services, which take a long URL and make it shorter. tinyurl.com is one of the oldest such services. However, the limited message size of Twitter and the increase in URLs shared over the service necessitated the use of these services in order to allow for text to accompany the URL and, of course, allow for URLs that might be longer than 140 characters :)

URL Shorteners are great for exactly this reason--they make long URLs shorter. They also provide other services as well, such as the ability to see who clicked on the link and when. However, they are also bad because they mask the original URL, which, if you could see it, might cause you not to click on that link. For example, would you click on a link for either of these URLs?

  • http://www.xzxxy.cn/cgi-bin/pwn-system?type=win
  • http://www.paypal.com.hax0r.pl/webscr?cmd=_home

You can tell by looking at these URLs that something is up. However, look at these two URLs:

  • http://bit.ly/3Ha5Mo
  • http://bit.ly/N03v1l

Can you tell what evil might lurk behind these shortened links just by looking at the link?

How Do I Get Spam From My Friends on Social Networking Sites?

With friends sending you benign looking links via direct message, we have ourselves a perfect storm for the spreading of spam. Theoretically, these messages came from someone you trust, causing you to let down your guard and think it's ok to click on the link. The link leads to a website that contains a piece of malware that, without your knowledge or consent, either steals your Twitter credentials stored on your computer, or hijacks your existing Twitter session and sends out similar links to your friends. Or much worse.

While that can and does happen, the other possibility is that you were flat out tricked into giving your Twitter credentials to a third-party that either looked like the Twitter site or purported to do something of benefit to you (e.g. help you gain more followers). While not all third-party sites that ask for your Twitter credentials are bad, some are.

Information Disclosure

Speaking of information disclosure, there are plenty of other opportunities to disclose information on social networking sites that, under a different context, you might not disclose. My buddy Kellman has a great post on those "quizzes" that make the rounds from time to time and what great sources of information they can be about you. While some of the questions are truly innocuous, some "key" questions could be sprinkled in there that, when used in the right circumstances, could easily be used to "reset" an account password or gain access to an account.

Protect Yourself

The dangers in social networking aren't new at all. They've been there for at least a decade. Fortunately, the ways to protect yourself aren't new, either, though far too many people forget the basics.

Careful With That Link, Eugene: Like links you receive in email, particularly unsolicited ones, all links on social networking sites should be carefully evaluated. Since the links themselves are often shortened URLs, look at the text around them. Usually that text is a huge clue as it contains misspellings or "spammy" looking text. Your account could be sending those same kinds of messages if you're not careful about what links you click on.

Use Different Passwords, Change Them Often: Each of your social networking sites, as well as all other important websites, should have a different, complex password assigned to it, and it should be changed regularly. Since people often use the same password on multiple sites, one compromised account could easily lead to compromising other accounts.

Don't Blindly Give Out Your Credentials: There are a lot of third party web-based services out there that make use of your social networking services. In the past, the only way for this to occur was to give your credentials to these services. This works, so long as these third party services weren't somehow compromised, or worse, the services were not what they seemed to be. The one benefit to using something like OAuth (which Twitter does) is that you can revoke a web application's permission quite easily. It doesn't prevent the third party web service from being compromised.

Keep Your Operating System, Browser Patched: Ensure you have applied all the latest patches from Microsoft, Apple, or whoever supplies your computer's underlying operating system. Ensure you are using the latest version of your web browser. If you are using Internet Explorer--especially if you are using Internet Explorer version 6, as is standard on Windows XP--try using a third party browser such as Firefox or Google Chrome.

Browser Plugins Can Help: If you are using Firefox, there are plugins that can help expand those "short" URLs so you can see where it is they will take you. LongURL is a good example of this for Firefox.

Security Software: Windows users should ensure they are running an up-to-date set of security tools that cover anti-virus, anti-malware, and protection from browser-based attacks. Microsoft puts out a free anti-virus/anti-malware tool which is quite good, as do a few other companies. Their free tools do not protect against browser-based attacks. Something like ZoneAlarm ForceField or ZoneAlarm Extreme Security (which includes ForceField and other security features) can be effective protection against these kinds of tools. (Disclosure: I work for Check Point Software, which publishes ZoneAlarm).

Nothing Is Completely Private: Even if you protect your updates on Twitter or are very careful about whom you interact with on Facebook, note that all communications, even so-called "direct" or "private" messages, are not entirely private on social networking services. Accidental disclosure can and does happen, thanks to actions by you or your so-called friends. It's not always intentional, of course, but it does happen.  And yes, those "quizzes" you might take may contain a so-called identity question that could be used to take over one of your other accounts. Just be careful.
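The checks from the URL Shorteners section and the "Browser Plugins Can Help" tip, sketched as an added Python example (not code from the original post): it follows a short link one redirect at a time using HEAD requests, then tests whether a trusted name really sits at the right-hand end of the final host name. The TRUSTED list and the redirect table are constructed assumptions for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"bit.ly", "is.gd", "tinyurl.com"}   # services named in this post
TRUSTED = {"paypal.com", "twitter.com"}           # assumed: domains you log in to

def head_location(url, timeout=5):
    """One HEAD request; return the redirect target or None. No page body is fetched."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        target = resp.getheader("Location")
        return urljoin(url, target) if 300 <= resp.status < 400 and target else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=5):
    """Follow redirects one hop at a time; stop on a loop or after max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def inspect_host(url):
    """Return a list of warnings about the host name of a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    findings = []
    if host in SHORTENERS:
        findings.append("shortener: destination still hidden")
    for domain in sorted(TRUSTED):
        # A trusted name only counts when it is the right-hand end of the host.
        if domain in host and host != domain and not host.endswith("." + domain):
            findings.append(f"lookalike: mentions {domain} but is not part of it")
    return findings

def check_link(url, fetch=head_location):
    """Expand a link and report on where it finally lands."""
    final = expand(url, fetch)[-1]
    return final, inspect_host(final)

# Constructed redirect table standing in for the network, so this runs offline.
SAMPLE_REDIRECTS = {
    "http://bit.ly/constructed1": "http://www.paypal.com.hax0r.pl/webscr?cmd=_home",
    "http://is.gd/constructed2": "http://bit.ly/constructed3",
    "http://bit.ly/constructed3": "https://www.paypal.com/webscr?cmd=_home",
}

if __name__ == "__main__":
    for link in ("http://bit.ly/constructed1", "http://is.gd/constructed2"):
        final, findings = check_link(link, SAMPLE_REDIRECTS.get)
        print(link, "->", final, findings or "no warnings")
```

Calling `check_link(url)` without the second argument uses real HEAD requests instead of the constructed table.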

Some Final Thoughts

Social networking has been, and continues to be, quite pervasive in the civilized world. The tools used for this have and will continue to change over time. What hasn't changed is that there are people out there who do not have your best interest at heart. And while nothing is entirely safe and secure, with a little vigilance, we can spend less time being victims of the latest scam and more time doing what we're supposed to do on these social networks: communicating and sharing.


Over the past couple of days, I was out at VMworld 2009 at Moscone Center in San Francisco, which is a trade show put out by the fine folks at VMware. While it was not my "official" job, I did do a bit of booth duty at Check Point's booth. It's been a while since I've done that.

While there, I met a couple people I've been meaning to meet for years: Randy Bias, the guy behind Cloudscaling, and Chris Hoff (a.k.a. Beaker). What I also got to experience first-hand at the show was the absolutely spectacular epic fail that is AT&T's wireless network during a trade show at Moscone Center. Full signal, yet calls were dropping like flies. Data might as well have been GPRS for all the speed I wasn't getting. It was horrible. Why AT&T doesn't have several microcells inside Moscone with either a fiber link or several DS3s for backhaul is absolutely beyond me.

Meanwhile, back to VMworld and why Check Point was there. We were demonstrating Security Gateway R70 Virtual Edition (or R70 VE for short). The main difference between the R65 VE we ship today and R70 VE, aside from the new Software Blades architecture, is the level of integration with the VMware environment. Specifically, we use the VMsafe APIs provided by VMware, which give us a whole new level of visibility into the networking that goes on inside a VMware ESX server.

If you wanted to see what was going through every port in a physical switch, you might have some trouble either setting up mirror ports for everything or network taps. In VMware with the new VMsafe APIs, applications like R70 VE can see everything going through the virtual switch and can block it as appropriate.

In our demo, we show a couple of virtual machines hooked up to a virtual switch along with a separate VM for R70 VE. One of the VMs is compromised and starts "attacking" the other. These VMs and the R70 VE VM are on the same logical subnet, hooked to the same virtual switch. R70 VE is able to successfully block the attacking traffic using the IPS blade.

The good news for the firewall administrator is that this virtual gateway is managed with the same set of tools you use today: SmartCenter and all of the SmartConsole apps. It feels just like a gateway on a physical appliance, except it is running inside a virtual machine.

R70 VE is not shipping today. The code shown at VMworld is of alpha quality. We are expecting a Q4 2009 release timeframe, but that is not final and is subject to change. If you're looking for more details, let me know and I'll hook you up.

Recently, I was asked to complete a security awareness training at Check Point. It is considered a mandatory exercise for all employees. It consists of watching a brief presentation, taking a short multiple-choice test, virtually signing the security policy document, and providing a user validation question and answer.

The entire process took no more than 20 minutes. After having watched the presentation, I can tell you, with a fair degree of certainty what the different levels of classification are, what generally falls into each level of classification, and what my responsibilities are with respect to handling data in that classification. It was all done with clear language using examples I feel most people could relate to.

It is exactly the kind of policy presentation that any serious company should have. The reason: employees are often the weakest link in security. Educating employees on the policy is vital to ensuring corporate assets are protected.

Oh wait, you don't have a security policy? Well now, that is a problem.