Archive

Posts Tagged ‘Security’

Windows 7 and XP Mode (XPM)

May 5th, 2009 admin

An interesting thought came to mind while reading the Windows Incident Response blog yesterday. A link provided by Claus brings up an interesting concept, XPM. Windows XP Mode (XPM) is a “Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3 (SP3). It will be made available, for free, to users of Windows 7 Professional, Enterprise, and Ultimate editions via a download from the Microsoft web site.” Sounds cool, but what happens with the security patches that come out after SP3? With so many people who don’t bother to patch their systems, would this just create a bigger problem, with 2 possibly unpatched operating systems available as a target to exploit? There seem to be some kinks that need to be worked out on the security end, as I have not heard any talk of how this will be patched and what will happen once XP is no longer supported. I will be curious to see how this pans out in the near future.

EDIT: Some more interesting news has been coming out about XPM (via Slashdot):

Microsoft, Intel goof up Windows 7’s “XP Mode”

Windows 7’s ‘XP mode’: Right idea, wrong technology

Windows 7’s ‘XP Mode’: A Great Idea, on Paper

Great week for Webcasts/Podcasts or Cheap Training

May 1st, 2009 admin

As I looked at my calendar last weekend, I wondered why it was so packed. Aside: Hey, I am a Sys Admin. My meetings tend to be more spontaneous, like when my computer is on fire or the website is down.

Turns out there were 6 great events going on this week:

1.  Pauldotcom put on Part 2 of Zen and the Art of an Internal Penetration Testing, which covered using tools such as Nessus, Core Impact, and Metasploit for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process.  I did not get a chance to listen to all of this, but look forward to a recording being released at a later time.

2.  Rob Lee brought us Memory Analysis for Incident Responders and Forensic Analysts.  I thought that this was an incredible webcast which gave great insight about why memory analysis is important, which tools to use for acquisition and analysis, and sample cases on memory analysis.  I would highly recommend anyone interested in security/forensics to go back and listen to this webcast.  Also, version 1.3 of the SIFT Workstation just released, so be sure to pick that up.

3.  Larry Pesce brought us the monthly Late-Breaking Attack Vectors Webcast, where he discusses the latest happenings in attacks. Items covered were the ever so popular Mikeyy Twitter worm, OS X botnets, and many others. Larry did an excellent job and this webcast is always worth a listen.

4.  Chris Nickerson and Mike Murray discussed Modern Social Engineering Part II – Top 5 Ways to Manipulate Humans Over the Wire. Social Engineering is a technique usually not discussed as much as using vulnerabilities or exploits to get inside a network, but Chris and Mike go deep into how people get manipulated. They do an excellent job expanding on Part I and give real world examples throughout. Also, at the end there is a fairly long Q&A which discusses some interesting techniques. If you would like to learn more, check out ChicagoCon coming up. It looks like a great opportunity to interact with some of the great minds in security, and it is cheap! ($100). Also be sure to check out Chris’ new podcast Exotic Liability.

5.  Pauldotcom celebrated its 150th episode with a 12 hour extravaganza featuring guests such as Lenny Zeltser, Martin McKeay, Johnny Long, Stephen Northcutt, and many others. This episode will surely keep you entertained for a long while to come!

6.  Mike Murray and Danni Lupisella presented on many of the threats that popped up in quarter 1 of 2009 in their Midnight Hacking webcast. This was a great webcast that allowed for interaction directly with the presenters and covered great content such as mobile phone vulnerabilities, SSL exploits, and Conficker. These appear to be monthly and I look forward to attending them on a regular basis.

A little while back this question came up to the SecurityTwits feed from michealc:

Well Micheal, here is your answer. These types of webcasts are probably the best online security training you can get for the money (free). They allow you to hear an excellent presentation from some of the best minds in information security and then interact with those great minds during question and answer sessions. I have been to a few trainings in the last year or so, but some of these webcasts are much better as far as content, presenter knowledge and style. Keep your eyes on Twitter and the securitytwits feed for more great webcasts/podcasts.

Security Breaches in Academia

March 9th, 2009 admin

Jayson Street tweeted a link to a Computer World article about the recent rash of security breaches in the academic environment. (Aside: Follow Jayson, as he will soon be releasing a book called F0rb1dd3n that looks awesome!) There are a few interesting tidbits in this article and it is definitely worth the read if you work in academia.

I think the author might be too bold in saying that breaches occur more often during the last few weeks of the semester due to students being under duress. I think pretty much everyone is under some sort of duress during these important final weeks of the semester: from the faculty designing finals and grading, to the staff having to put up with the faculty, to the IT staff having to make sure everything is working. Perhaps it is people trying to take shortcuts (such as taking PII home on their laptop, which then gets stolen) to get work done quickly in situations where time is limited, but I think you can hardly pin it just on the students.

Computer World also talks with the author of “Breaches in the Academia Sector”, John Correlli, who adds a spot-on statement: “Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn’t a priority until it’s a problem.” When is it considered a problem? When you (being the college, unit, dean) need to spend money to notify victims of a breach? When you suffer embarrassment due to a breach? I think the ‘it can’t happen to us’ way of thinking no longer applies, as breaches have struck all areas of academia. So why not take the steps to be proactive beforehand, so you don’t have to pay for notifications or suffer the embarrassment? Simple: people hate, fear, and resist change. Unfortunately, the open environment of academia hinders change and is typically used as an excuse to resist it.

John also says that academia is prone to these threats due to “A customer user population that is relatively low paid, lives “on site” and experiences high turnover.” I agree with this, and not only in the customer user space, but in the IT Staff space. Typically lower end IT Support/Sys Admin jobs are stepping stones for people to move on to better positions, and are typically on the lower end of the pay scale. Although I don’t have any numbers (but would love to find some) on the pay differences between academia and business, I would say that academia IT is on the lower end of the pay scale compared to the same position in the commercial sector. Then a new person has to come in, make heads or tails of what the last person did (You mean every IT person does not document what they did?!?), and go on with their everyday job. So then it comes down to this: how do you keep talented young IT staff who can go work somewhere else for plenty more money, and most times much less grief?

So, the million dollar question is, how do we secure data and promote the open environment of academia? I think Michael Santarcangelo has some great ideas in his book ‘Into the Breach’, such as holding people accountable for their actions and engaging the people whose data you are trying to protect. I would love to hear how other people are doing it.


Is Twitter Dangerous?

February 16th, 2009 admin

An interesting article came up in my Google Reader tonight from Michael Krigsman of the IT Project Failures Blog on ZDNet. He discusses how Twitter is dangerous to businesses and governments due to the rapid nature information can spread. He ends with an interesting question: “Is Twitter a weak link in the security chain?”

First of all, I don’t think he is picking directly on Twitter, but at any social network tool like Twitter, Facebook, My Space, and numerous others. While I do agree that posting something on Twitter could easily reach hundreds of thousands (and possibly millions) of people in minutes, the important part is that someone has to be typing the 140 characters into Twitter to begin with. While you can loosely say Twitter is a weak link in the security chain, it is only so as the facilitator. The weaker link in the security chain can be multiple other things, such as the misunderstanding of the power of Twitter or even the direct message function.

An example Michael uses is that of US Congressman Pete Hoekstra (R-Michigan), who tweeted information about a secret congressional envoy in Iraq. Yes, probably a bad move. However, this does not make Twitter a weak link; it makes Mr. Hoekstra a weak link to sensitive government information. Come on, this guy is a ranking member of the House Intelligence Committee! I am sure he has to handle loads of sensitive information and should know better.

You know how everyone says that when you are all fired up, you should not belt out a nasty email? Perhaps the same thought should be put in before you tweet things, such as congressional information, to the world. I twittered a 140 character summary of what I wrote here to Michael and he responded with another question: “The question is getting folks to think before tweeting confidential information. Easier said than done.” He is absolutely correct, but how do we do it? Twitter is a great tool because it is so open. How far away are we from tweets being siphoned through company security or PR before getting posted, or is that already happening?


Do we need a new internet?

February 15th, 2009 admin

An interesting post came through the Educause Security list with a link to a recent NY Times article entitled “Do we need a new internet?”. Reading the article, you would think that all hope is lost, with quotes like:

“Unless we’re willing to rethink today’s Internet,” says Nick McKeown, a Stanford engineer involved in building a new Internet, “we’re just waiting for a series of public catastrophes.”

“If you’re looking for a digital Pearl Harbor, we now have the Japanese ships streaming toward us on the horizon.”

Wow. As the person who posted to the list stated, “Do you think it is really that bad?” I am very curious as to the replies that will follow. Do we need a new internet, or is it a combination of insecure operating systems, uneducated (security-wise) users, and poor patching? If we repair these things, can we repair the internet? Can we repair these things?? A recent article in SCMagazine debated whether security awareness is even worth doing.

The article brings up a good point about the current internet becoming “the bad neighborhood of cyberspace.” We are implementing this kind of secure and unsecure network for our users. Any user with administrator rights (see what running with Admin rights will do for you here) will be put on an ‘unsecure’ network with just a direct connection to the internet, or “the bad neighborhood of cyberspace”. These users will have no access to network shares or any part of the secure network. Hopefully, the users on the unsecure network will see the benefits of being on the secure network and make the unsecure network unnecessary.

A secure network will sacrifice things such as privacy and anonymity. Will users decide not to give up those things, and would they rather wipe their computer every 6 months when it gets infected? Quite an interesting article to debate!

EDIT: Excellent blog post by David Akin, and another here from Gene Spafford at CERIAS.


Removing Administrator Rights

February 6th, 2009 admin

An interesting whitepaper was released by Beyond Trust (found via TaoSecurity) entitled “Reducing the Threat from Microsoft Vulnerabilities” (PDF). Here are some of the key findings from the study:

  • 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights.
  • By removing administrator rights, companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities.
  • 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights.
  • Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights.

If those stats don’t make you want to take away administrator rights from your users, I don’t know what will. Coming from a scientific background, I love to see statistics, numbers, and facts. In the past, when discussing admin rights with users, I used an Eweek article entitled “Is System Lockdown the Secret Weapon” to drive home my point. In short, they visited some nefarious websites using three separate computers: one with Administrator rights, one with Power User rights, and one with User rights. They then ran a malware/spyware scan afterwards and found that the computers with Administrator and Power User rights had 19 threats and over 2000 registry keys installed. The computer with User rights had a single threat, which was in the browser cache. A single threat, people!

In academia, removal of admin rights has been met with much resistance (by both faculty/staff and IT staff). We have been making it work in our area by doing the following:

  1. Working with the faculty and staff to find out their computing needs, and assuring them that they will continue to function in the same capacity they were able to with Admin rights.
  2. Knowing that applications will need to be installed, being very prompt when these requests arise to limit possible downtime.
  3. Developing practices for our “road warriors” that keep them safe, but allow for emergency admin rights if necessary.
  4. Setting an example by having IT staff run as users when we are not performing tasks that require administrative rights, and elevating our rights only when necessary.

Following these steps, over 95% of our faculty/staff perform their jobs without admin rights. It is getting to the point where this is going to have to be the reality in academia. Free and open education can exist with user rights, and many places around the University (including us) have proven that and make it work. The sad part is that I hardly ever hear it mentioned when trying to explain to faculty and staff about removing rights.
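The “95% without admin rights” figure above is only meaningful if it is measured, so here is an added PowerShell example (my own, not code from the original post) that checks whether the current shell is elevated and audits the local Administrators group on a set of workstations, reporting the share of machines where no user account holds admin rights. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), WinRM enabled on the audited machines, and that CAMPUS, the group names and the machine names are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Audits who holds local admin
# rights so the "over 95% run without admin rights" claim can be measured.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) and WinRM on targets.
# CAMPUS, the allowed group names and the machine names are placeholders.

# Is the current shell elevated? IT staff following step 4 above should see
# False in their everyday session and elevate only for specific tasks.
function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Principals allowed to sit in the local Administrators group. Local accounts
# are compared by bare name, domain principals by DOMAIN\name (placeholders).
$AllowedAdmins = @('Administrator', 'CAMPUS\Domain Admins', 'CAMPUS\Workstation Admins')

# Returns the members of the local Administrators group that are NOT on the
# allowed list for one machine; runs locally when no other name is given.
function Get-UnexpectedLocalAdmins {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $block = { Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name } }
    if ($ComputerName -eq $env:COMPUTERNAME) { $names = & $block }
    else { $names = Invoke-Command -ComputerName $ComputerName -ScriptBlock $block }
    foreach ($n in $names) {
        # Local accounts are reported as MACHINE\name; strip the machine prefix
        $bare = if ($n -like "$ComputerName\*") { $n.Substring($ComputerName.Length + 1) } else { $n }
        if ($AllowedAdmins -notcontains $bare) {
            [pscustomobject]@{ Computer = $ComputerName; Member = $n }
        }
    }
}

# Audits a list of workstations and reports the share with no unexpected
# local admins, i.e. the metric quoted in the post.
function Measure-AdminRightsRemoval {
    param([string[]]$Computers)
    $clean = 0
    foreach ($c in $Computers) {
        $extra = @(Get-UnexpectedLocalAdmins -ComputerName $c)
        if ($extra.Count -eq 0) { $clean++ }
        else { $extra | Format-Table -AutoSize | Out-Host }
    }
    "{0} of {1} workstations ({2:P0}) have no unexpected local admins" -f `
        $clean, $Computers.Count, ($clean / $Computers.Count)
}

"Current shell elevated: $(Test-Elevated)"
# Constructed machine names; replace with your own inventory
Measure-AdminRightsRemoval -Computers @('LAB-PC01', 'LAB-PC02', 'OFFICE-PC07')
```

Reading local group membership works from a standard-user session; only the remote Invoke-Command calls need rights on the target machines, so the script can itself be run without everyday admin rights.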

Review: Into the Breach

October 9th, 2008 admin

I received a preview copy of Michael Santarcangelo’s (AKA Catalyst) book, Into the Breach, a few weeks ago and finally made my way around to reading it on my recent trip to Texas. My reaction to the book: WOW! No other book that I have read in the past few years (even my chemistry ones) has sparked so many thoughts of how I can use the information I was reading in my everyday work.

In the Introduction and even on the back of the book there is a quote that hits home:

“People have been unintentionally and systematically disconnected from the consequences of their actions for so long, they are no longer held accountable or take responsibility.”

This quote seems to describe one of the things I deal with all the time. People either have too many other things to do or are “too important” to deal with the consequences of their actions. Even more so, these same people are hardly ever held accountable or take responsibility when something does happen. Michael explains how to change thinking from just throwing technology at the problem to engaging people and involving them in the process of securing the data with a Strategy to Protect Information.

A phrase mentioned throughout the book, which even has its own chapter, is “People just want to do their jobs”. He uses a spot-on example of a confusing password policy and how users react to the “pain” caused by it. In this case, the pain is how these items (like confusing password policies) hinder the users from doing their jobs. As a natural response to the pain, users will find a way to deal with it, such as writing down their complex password on a post-it and sticking it on their monitor. Later in the book he explains an approach that supports people and engages them in the process of protecting information. I sometimes think that we (as IT professionals) get hung up on the policy and forget about the person actually doing their job. I have heard many times at my job, this is policy, that is policy. However, nothing is done to help the users comply with the policy and still get their jobs done in an easy and manageable manner.

This is just a small sample of what is in this book. I think that this book is a must read for anyone dealing with information, from the highest tier professional (CIO/CISO) to the part-time helpdesk technician. Into the Breach takes a unique and interesting approach, showing how everyone can be involved in protecting his or her business.

12,000 Laptops per week lost at US Airports

July 7th, 2008 admin

I found an interesting article on DarkReading this past week. The Ponemon Institute and Dell Computer did a study on business travelers and found some interesting things:

1. 12,000 laptops per week are lost at US Airports
2. Between 65 and 70 percent of lost laptops are never reclaimed and disposed of
3. 42 percent of respondents say they do not back up their data

All I have to say is WOW. Losing 12,000 laptops per week is one thing, but 8,000 laptops never being reclaimed is preposterous. Have laptops become disposable? Where is the line where your time is worth more than your laptop, or your data? Read the full report here.