Sister CISA CISSP


October 30, 2008  3:33 PM

Don’t Be Seduced Just Yet

Arian Eigen Heald

I had a co-worker ask me yesterday what my opinion on “cloud computing” is, and whether it should be something they could recommend to clients. He had seen announcements about cloud computing from Microsoft

According to a 2008 paper published by IEEE Internet Computing, “Cloud Computing is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centers, table computers, notebooks, wall computers, handhelds, sensors, monitors, etc.” Another criterion is that it be massively scalable.

“Cloud Computing” is almost the same as “SaaS” (software as a service), the difference being, according to Gartner, scalability.

What I found the most interesting was the statement from Microsoft: Windows Azure provides developers with on-demand compute and storage to host, scale, and manage Web applications on the Internet through Microsoft® data centers. (the bold emphasis is mine.)

So, a business runs all its core applications and stores all its data on Microsoft’s servers. Microsoft is actually developing Azure as a separate platform from Windows server and desktop apps. It’s all accessible anywhere from the Internet. I guess Microsoft has decided to get into the Data Center business arena along with IBM and HP.

This is probably a silly question, but what do you have if there is no Internet access? There seems to be a massive assumption that all business functions can be run over the Internet.

The ONE statement about security on their opening page was: Security supported by flexible Code Access Security policies and The built-in management services give monitoring and tracing capabilities.

That’s IT???? I admit it is a page pitched to software development, but shouldn’t secure software development and the security of data centers be in there anywhere? The FAQ offered up nothing on that topic, as well. It did, however, offer up pricing.

So, I’m going to be terribly cynical and say that this might be Microsoft’s approach to controlling the rampant software piracy of their products going on all over the world. How about promoting it as a “more secure platform?”

Other than being a marketing ploy, “cloud computing” sounds like “thin client” writ large. There may be some significant financial savings, if you have the right kind of business to use this platform. AND you want to turn your data security over to Microsoft.

Microsoft’s only mention of “risk” – “Windows Azure provides you, the developer, with a scalable platform and a rich development environment that allows you to focus on the business logic of your application without worrying about operational constraints or lock-in” – didn’t get me to “wow.” How often has security lagged far behind software development, and what is Microsoft doing to change that? From this announcement, nothing.

October 28, 2008  3:08 PM

More on Cell Phone (IN)Security

Arian Eigen Heald

I’m having very mixed feelings, I must say, on what I’ve been reading about accessing information from cell phones. On the one hand, in my line of work, which occasionally includes forensics, I’m pleased to see new tools come out that make my job that much easier. The Cell Seizure Investigator “stick” from Paraben for under $500 is a great new piece of equipment for pulling all information off of a corporate cell phone.

On the other hand, knowing that there is a quick tool to pull all the data off my phone in five minutes or so doesn’t give me warm feelings inside. Given that there isn’t really a secure delete function that is available, anything that is on my phone could be recovered in the same way we can recover deleted data from a hard drive. When will we have the ability to encrypt the storage on these things?

I have seen some early reports of cell phones that use biometric identification, but none that appear to be here in the USA.

I have run across a free tool for deleting data on your cell phone by recellular.com that offers some software based on model of phone. Not all models are covered, and I haven’t had a chance to test it out. If you do, please let me know your results.

In the meantime, review what is on your cell phone, and keep it to a minimum!


October 23, 2008  4:41 PM

Physical Security Part II

Arian Eigen Heald

The most secure Data Centers I’ve seen utilize electronic access cards of some type that have a good reporting mechanism, right down to which door. Of course, these systems don’t do you a bit of good if no one looks at the logs, but that seems to be the exception, rather than the rule. Thank goodness!

I’ve seen some systems that you must swipe in order to exit, as well as enter. This seems a smart way to make sure employees and cards are being utilized properly. Also, doors should alarm if they are propped open or not quite secured. Depends on how much you value your data, doesn’t it?

Camera systems can be a very good alternative to swipe cards, but ONLY if you have sufficient coverage of the area you’re trying to secure. I tested a system that could see me going up the steps to the Data Center, but didn’t capture me until I was two feet from the door. If I scuttled sideways to the right, it missed me entirely! We adjusted that camera together. Does your system overlap all areas inside the Data Center? Can you track where someone goes throughout the area?

Finally, is your camera system secured away from the Data Center? Make sure only specific people have access, and make sure the captures are stored securely. How long should you keep them? I’d say a year, which would give you a good period of time to track back possible miscreants. But it really depends on your storage space. If you can use WORM (Write Once, Read Many) storage, even better.

Ultimately, it does come down to your employees. I can’t tell you how many times I’ve slid in the door behind someone holding an armful of books and thanking them for holding the door. If someone strange is sitting in the conference room, it could be me hacking your network. Just ’cause I’m a lady dressed in a really nice business suit doesn’t mean a thing.

How are you disposing of your physical computer equipment? Never underestimate the ability of people to be lazy and just “toss” stuff. Find a way to securely wipe your data OR transfer the risk by hiring someone that will give you a certified receipt that THEY have destroyed it for you. Expensive? Probably. More expensive? Getting your company’s name in the paper.


October 21, 2008  1:58 PM

ATMs with Bugs – At the Grocery Store

Arian Eigen Heald

From the Wall Street Journal comes the disturbing news that a high-tech wireless “bug” has been found in hundreds of grocery store ATMs in five different European countries. According to WSJ:

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug reads an individual’s card number and the corresponding personal identification number, then packages and stores the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

The easiest way police have been finding these things is to weigh the ATM, although the bug (a card, actually, and I think it has to be plugged into the motherboard) only weighs about 4 ounces. How many more will they find? Now that ATM fraudsters can go “upscale” to a wireless bug instead of a clumsy card skimmer, theft becomes even easier. These bugs are big enough to be programmable, so that they could only collect information from Platinum level cards, for instance, instead of my Uncle Bert’s VISA card.

Although the article does not address debit cards, I would have to wonder what the impact was on those? Did they escape due to the lack of PIN capture? Possibly.

The first solution I would think of would be to lock down the phone line so that it can ONLY dial home (and not to Lahore to deliver its payload). Not only that, log and report any attempts to dial elsewhere.

This is a VERY sophisticated attack, and appears to be widespread. Early estimates indicate a theft between 50 to 100 million dollars.

Just who has had access to the inside of those machines, that were built in China? How are they secured? The report mentions that the bug is “attached behind to the motherboard.” Somebody has some inside knowledge of this equipment and has used that knowledge to quite an effect.

Thieves keep getting smarter.


October 20, 2008  1:06 AM

Let’s Get Physical

Arian Eigen Heald

When I do an audit, or a penetration test, I start by walking around the building, both inside, outside, and sometimes even on the roof. In my travels, I’ll leave my business card where I can gain unauthorized access. How often am I successful? 95% of the time.

I mentally catalog the exterior doors, the signs on them, and I keep an eye on whether people use them a lot. Then I monitor where the smokers go; I’ve often been able to enter a building undetected that way.

From there, I move to the Data Center. How many doors? Do the doors close firmly and immediately behind whoever enters? I’ve gotten in that way, too.

How about door locks? At a business I was at recently, they were still using push-button locks with a four digit code. After the fourth visit to the server room, I had the code in my head. They couldn’t recall when the last time was they had changed the code, either.

Keys? How many keys are there? I’ve never seen a key that couldn’t be duplicated. How about having to deal with when they get lost? One memorable evening, I went around the IT staff’s desks, looking in desk drawers (in pen tests, all “politeness” is off). I found a very nice key ring labeled “Server Room.”

What about contractors or cleaning people? Does someone escort them while they’re in there, or are they left to their own devices? As boring as that is, leaving someone alone with the corporate crown jewels is equivalent to unlocking the barn door. Are the server cages secured? Are there segments to your Data Center, so that the really significant equipment is in a further secured area inside the Data Center?

I recently visited a really nice Data Center, and the Security guys were very proud of their camera system. It was an excellent system, covering all the doors. But what about once someone actually gets in? What are they doing? Where do they go? The company used a lot of subcontractors, and I pitched to the Security guys the idea that they needed cameras for all areas of the Data Center, not just the doors.

They needed to be able to see where someone went down the server rows to do their work. It’s great physical evidence that says it all in a court of law. If someone says they didn’t touch that server, and you have pictures showing them walking down that row and stopping at that rack, well, game over.

We often think about hacking or breaches as something that is completed with some esoteric piece of magical computer code. I think like the bad guys: what’s the easiest way in?


October 10, 2008  2:12 PM

ATMs Redux – Why I Don’t Use My Debit Card

Arian Eigen Heald

In a previous post about Automatic Theft Machines I commented on the worrisome rise in skimming with these machines.

Now, to add to our pain, we should be concerned about gas station pumps, according to NBC. Take a look at the picture of the device – makes me wonder how they set it up without inside help.

The article goes on to discuss the rising crime rate from debit card theft. Once these folks pluck your card number and PIN, they can clean out your bank account in no time flat. Unlike credit card fraud, where the bank removes your liability after $50, people are reporting a struggle to get their bank accounts credited after all the cash has been extracted.

So, let’s see, ATMs, airline check-in machines, and now gas pumps.

I’d decided after the Hannaford breach that we would no longer use our debit card unless standing inside the bank. And even that is not risk free from skimming.


October 9, 2008  2:00 PM

Hardware? What Hardware?

Arian Eigen Heald

I came across a recent post from the Breach Blog reporting that a U.S. Naval Laboratory employee – the computer administrator – had stolen 19,709 pieces of computer equipment, worth up to $1.6 million.

Did no one see this guy carting hardware out the door? I’m not talking about the small stuff, I’m talking about the more than 100 personal computers. Doesn’t a Naval laboratory have cameras on the exits, and guards? I know it’s easy to have hindsight vision, but this seems like it should have tripped somebody’s awareness alarm.

We can also extrapolate that there was no inventory control of hardware, AND no financial oversight of hardware costs. This happened over the course of ten years, so maybe he was able to slide it in under the radar.

What about the information ON the hardware? The Navy says only 14 people were affected. Given the evidence of their controls so far, I’m not sure I have a high level of confidence. They had to go through hard drives, CDs, Zip drives and all those computers. I hope they did.

How was this discovered? He and his wife are divorcing, she filed a protection request, and told his bosses she wanted his “work stuff” out of the house. He had so much stuff, he was storing some of the equipment at a neighbor’s house.


October 6, 2008  8:19 PM

Auditing iSeries

Arian Eigen Heald

IBM’s System iSeries are some of the most solid server systems around. Formerly (and by some, still) called the AS/400, those servers are at the top of the food chain for reliability and stability. DB2, the native database system for iSeries, is as solid as a rock, and powers many of the banking, healthcare and service industries I get to see.

A lot of engineers will tell you that the iSeries is the most secure OS around, due to the object-level security functions. Those object levels are great, but I can tell you that I find that iSeries are incredibly easy to get into, for two reasons:

First, default services are left enabled. FTP, DDM and ODBC ports on the server are open, and unless you have an exit program, no logging of access takes place. So if I have an application ID and password, I can gain access to see what I can get into. Try a port scan and see what the server tells you.

Last year I saw an iSeries at a merchant (details fudged to protect the guilty) that had NETBIOS enabled. Sitting on a Windows 95 computer in their training room, with a guest ID access, I could see every single file on that iSeries. And I had Full Control of those files. Ooops.

And let’s talk about telnet! Many legacy “green-screen” applications that connect to an iSeries are running via telnet, which means that usernames and passwords are passed to the iSeries in clear text.

Second, special authorities are not locked down. What initial program are users accessing (UPINPG)? If the response is NONE, then they can break through to the command line. How about user classes (UPUSCL)? Have you got people that are part of the programmers group (PGMR) or SECOFR, or SYSOPR? Regular users shouldn’t be in these classes either. UPSPAU indicates what special authorities each user has. By default, a user should only have access to their printer queue jobs (*SPLCTL), not all objects (*ALLOBJ).

Last, but not least, are the users changing their passwords? I found two with UPPWCD last week… Are there users that are using their username as a password? UPPWON will tell you the facts.
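A way to turn the user-profile checks above into a repeatable audit, as an added example that is not from the original post. It assumes the profiles were exported with DSPUSRPRF to an outfile and converted to CSV with the field names the post quotes (UPINPG, UPUSCL, UPSPAU, UPPWCD, UPPWON, plus UPUPRF for the profile name); the sample rows, the YYYYMMDD date format and the 90-day password age are constructed assumptions.

```python
"""Audit IBM i user profiles for the findings listed in the post.

Assumptions (not from the post): the CSV columns below, the YYYYMMDD
format of UPPWCD, a 90-day password-age policy, and that the built-in
security officer profile QSECOFR is exempt from the privilege checks.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export: one clean user, one over-privileged clerk,
# one developer who can reach the command line, and the security officer.
SAMPLE_CSV = """UPUPRF,UPINPG,UPUSCL,UPSPAU,UPPWCD,UPPWON
QSECOFR,*NONE,*SECOFR,*ALLOBJ *SECADM *SPLCTL,20080915,N
JSMITH,APPMENU,*USER,,20080901,N
TCLERK,*NONE,*USER,*ALLOBJ,20070110,Y
DEVBOB,*NONE,*PGMR,*JOBCTL,20080801,N
"""
SAMPLE_TODAY = date(2008, 10, 6)   # fixed "today" so the sample is reproducible

PRIVILEGED_CLASSES = {"*SECOFR", "*SECADM", "*PGMR", "*SYSOPR"}
MAX_PASSWORD_AGE_DAYS = 90         # assumed policy; the post gives no number


def audit_profile(row, today):
    """Return the list of findings for one exported user-profile row."""
    findings = []
    # No initial program means the user lands on the command line.
    if row["UPINPG"].strip().upper() in ("*NONE", "NONE", ""):
        findings.append("no initial program: user can reach the command line")
    # Regular users should not sit in the programmer/operator/officer classes.
    user_class = row["UPUSCL"].strip().upper()
    if user_class in PRIVILEGED_CLASSES:
        findings.append(f"privileged user class {user_class}")
    # *ALLOBJ grants access to every object on the system.
    if "*ALLOBJ" in row["UPSPAU"].upper().split():
        findings.append("*ALLOBJ special authority: access to every object")
    # Stale passwords: compare the last-changed date against the policy.
    changed = datetime.strptime(row["UPPWCD"].strip(), "%Y%m%d").date()
    age_days = (today - changed).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password unchanged for {age_days} days")
    # The post reads UPPWON as "password is the user name".
    if row["UPPWON"].strip().upper() == "Y":
        findings.append("password equals user name")
    return findings


def audit_csv(text, today=None, exempt=("QSECOFR",)):
    """Audit every row of a CSV export; returns {profile: [findings]}."""
    today = today or date.today()
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["UPUPRF"].strip().upper()
        if name in exempt:
            continue
        findings = audit_profile(row, today)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_csv(SAMPLE_CSV, SAMPLE_TODAY).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```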


October 2, 2008  7:39 PM

Security is a State of Mind

Arian Eigen Heald

An interesting new study commissioned by Cisco has just been released (CISCO Study). The study focused on the behavior of people in various countries, when it comes to information security. It shows just how far we have to go. It’s a fascinating study about the attitudes and actions of non-IT personnel. The study surveyed 1,000 employees and 1,000 IT professionals from various industries and company sizes in 10 countries: the United States, the United Kingdom, France, Germany, Italy, Japan, China, India, Australia and Brazil. The countries were chosen because they represent a diverse set of social and business cultures, established and emerging network-dependent economies and varied levels of Internet adoption.

Some findings worth pondering:

50% of the non-IT personnel surveyed use company-issued computers to do personal business; almost 61% of users from China reported routinely getting email from a personal account.

An average of more than 4 in 10 users allow someone else to use their company-issued computer without supervision – France is highest with 58%.

People STILL write down their passwords and post them on their desk or monitor, especially in Italy (14%) and India (13%).

One out of five people report altering security settings so that they could visit unauthorized websites.

Seven of 10 IT professionals said employee access of unauthorized applications and Web sites ultimately resulted in as many as half of their companies’ data loss incidents.


September 29, 2008  9:43 PM

Do You know Where Your Previous Mobile Phone Is?

Arian Eigen Heald

Cell phone companies are tempting us more and more with phones that act as PDAs (Personal Data Accessory??), send and receive email, surf the Web, have bigger capacity to store documents, are music players, cameras and oh, by the way: a phone. And in the coming years some have proposed utilizing your phone to pay bills and buy stocks.

It’s wonderful and terrible all at the same time. There is no standard procedure for wiping a phone’s information. Phone manufacturers have proprietary hardware, and have been extremely reluctant to release information to software developers who could provide us with a way to wipe the phone and its memory. As a result, we have millions of phones available with sensitive data, on an open market. Thank you manufacturers, for protecting the consumer? As usual, no one really thought about security, not to mention privacy.

Three years ago, Graham Clements – A managing director for a subsidiary of Japanese packaging multinational Ishida – decided to get rid of his BlackBerry and turned it in to his IT department for recycling. At the start of this month that BlackBerry was one of the top items on the agenda at the first board meeting that Clements had called since his return from vacation – because the data on it had come back to haunt him.

Instead of being recycled, the BlackBerry, like millions of other mobile devices every year, had been passed on to a company to be sold. On Clements’s device were business plans, details of customer relationships, information on the structure of the company, details of his bank accounts and details about his children. Ouch.

Fortunately, that BlackBerry was among several that were recovered from mobile phone recycling companies as part of a study into data loss on mobile devices. It’s a significant issue that many companies have not addressed. In a 2006 survey by the Business Performance Management Forum (BPMF), nearly half the respondents reported that at least 25 percent of all mobile devices in their organizations carry mission-critical information and applications.

Imagine having a computer that you could never wipe clean of any of your confidential business activities. Instead of recycling, we can only destroy the items. Mobile device security software commonly available can secure the device, but cannot wipe it. If anyone knows of a good wipe program, please drop me an email.

Some folks leave their SIM cards in the phone they return to corporate headquarters, along with their messages and documents. Taken any pictures on that phone you wish you hadn’t? That office Christmas party where your senior manager got drunk and acted up? They’re probably still there.

I’ve just thought of a new Rule of Thumb: There’s no such thing as DELETE on a cell phone/PDA/camera. We must act accordingly until assurance can be confirmed about wiping these devices. If it cannot be wiped, it must be destroyed, which is not exactly “green” in any corporate environment.

My old one (a Palm) is in my desk drawer, kept for parts because my spouse is still using a Palm. Where’s yours? What was on it?
