Archive for January, 2010

Identifying the anonymous in today’s digital world

January 28th, 2010 Clear2Go No comments

http://www.flickr.com/photos/solarider/2255744829/

A few years ago, I was having a discussion with an acquaintance who was involved in an investigation. One individual they were tracking kept changing his mobile phone every few days. Each new mobile was typically pay as you go or stolen, and the personal information connected to it was either false or not available. Yet the investigators were able to very quickly determine the individual's new number each time he switched. How they did this at the time impressed me, and I use the logic to this day.

Throughout the course of the investigation they were able to determine who this individual contacted. A few of the mobiles that the individual contacted did not routinely change their numbers. So, by watching the calling patterns of those static numbers, the investigators could quickly spot a new number that had suddenly begun calling each of them in a similar pattern. This of course requires access to mobile network data, but it worked. Even though this individual thought he was not being tracked, his efforts to remain anonymous were, unknown to him, ineffective. As a side note, there is software that will search for and detect these types of calling patterns automatically. The same logic can easily be applied to an Internet connection.
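The correlation described above, reduced to code as an added example that is not part of the original post: on a constructed call log (the numbers, days and the 0.5 threshold are all made up), a rotating caller identifier is linked back to the watched profile by its stable set of callees and by the fact that it first appears only after the old identifier goes quiet. The same function works for any (source, destination, time) records, such as connection logs, not just phone calls.

```python
from collections import defaultdict

# Constructed call log: (caller, callee, day). Not real numbers.
# Caller 555-0001 is the profile being watched; it goes quiet after day 3.
# Caller 555-0002 is a fresh number that starts calling the same static
# contacts on day 5. 555-0777 and 555-0888 are unrelated bystanders.
CALLS = [
    ("555-0001", "555-9001", 1), ("555-0001", "555-9002", 1),
    ("555-0001", "555-9003", 2), ("555-0001", "555-9001", 3),
    ("555-0777", "555-9001", 2), ("555-0777", "555-1234", 2),
    ("555-0888", "555-9004", 3),
    ("555-0002", "555-9001", 5), ("555-0002", "555-9002", 5),
    ("555-0002", "555-9003", 6),
]


def contact_sets(calls):
    """Map each caller to the set of numbers it has called."""
    out = defaultdict(set)
    for caller, callee, _day in calls:
        out[caller].add(callee)
    return out


def activity_window(calls, caller):
    """(first_day, last_day) on which the caller was active, or None."""
    days = [day for c, _callee, day in calls if c == caller]
    return (min(days), max(days)) if days else None


def jaccard(a, b):
    """Overlap of two contact sets, 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_candidates(calls, known_caller, threshold=0.5):
    """Callers whose contact set matches the known caller's profile.

    A candidate must (1) share at least `threshold` of its contacts with
    the profile and (2) first appear only after the profile went quiet,
    which is what a rotated identifier looks like. Returns a list of
    (caller, similarity) sorted by similarity, highest first.
    """
    sets = contact_sets(calls)
    profile = sets.get(known_caller, set())
    _first, last_seen = activity_window(calls, known_caller) or (0, 0)
    scored = []
    for caller, callees in sets.items():
        if caller == known_caller:
            continue
        first_seen, _last = activity_window(calls, caller)
        similarity = jaccard(profile, callees)
        if similarity >= threshold and first_seen > last_seen:
            scored.append((caller, round(similarity, 2)))
    return sorted(scored, key=lambda item: -item[1])


if __name__ == "__main__":
    print(link_candidates(CALLS, "555-0001"))  # [('555-0002', 1.0)]
```

The bystander 555-0777 shares one contact with the profile but was active at the same time, so the timing check discards it even at a low threshold.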

A more common example is if you are ever pulled over by a police officer and you don't have your license. Aside from giving you a ticket for not having your license on your person, they will most likely ask you for your full name and birth date. The reason for the birth date is to help assure them that when they go back to the cruiser to search on their laptop, the records they obtain are actually yours and not those of someone else with the same name. How many Michael Dundas' are there in Canada? Not sure, but the number of Michael Dundas' with the exact same birth date really lowers the probability of a false positive. This same logic can be applied to social networking, and there is interesting research in this area, including on Twitter.

The EFF recently published a post on information theory and privacy. In it they discuss the concept of entropy and how it applies to information and privacy. It touches a bit on some of the math behind it, but if you are interested it is a good explanation of why, when you think you are anonymous, you may not be, even when you take precautions. If you skip the math, their example of how a 'user-agent' header transmitted by your browser can narrow you down to one of 1500 people can give people who are new to information theory and anonymity a good starting perspective.

The problems with Internet security and the “Default Deny” stance

January 27th, 2010 Clear2Go 2 comments

http://www.flickr.com/photos/imuttoo/3935553419/

On the Securosis blog there have been two posts recently (here and here) about security and taking a default deny position as the best approach to securing a particular service or network. At a high level, you block every port / service / protocol that is not defined as being required and then wait to see who complains. As people complain, you investigate the complaints, figure out what policy changes are required, and make them. The end result is a secure policy allowing only the required access. At least that is the theory.

I believe that "default deny" is an excellent security goal. That being said, reaching that goal has to be weighed against other objectives. Often, I find many security professionals proclaiming that 'default deny' must be deployed and everyone has to make it happen, regardless of the cost to the company, regardless of the risk to the project. The general sense is that if default deny cannot be completely reached, the project should not go forward or should be held up.

This sets a very adversarial tone for everyone involved in the project. It creates a very binary choice, "you are either with us or against us", with no in between. While this is great in the movies, for the most part it is not real life. That positioning breaks down communication, puts the team on the defensive, and creates an environment where the team does not want to talk to, work with, or involve the security experts. They are seen as unreasonable and unrealistic. Have you ever been ordered by law enforcement to "stand back", "show me your driver's license", or told you cannot cross this line, with no explanation as to why? How does it make you feel? Did this attitude earn your respect or lessen your respect for them?

The default deny stance is easy, minimal work, and most importantly risk free for the security members of the team. While that is not a bad thing, it often increases the amount of work for others on the team as well as their responsibility. In a simple case, blocking port 1234/tcp on a project may force the team to re-program the socket interface on the application, which in turn generates a code review, which then generates more work for the Q/A team. If the team overrides the security experts and says they are not doing that work, the security members can now claim they did their part, the team did not listen, and so if there is a breach it is not their fault. This does not promote a collaborative team environment.

Humans naturally fear the unknown. It explains why as a society we overreact to terrorists that attempt to blow up planes or all rush to get the latest vaccine for a new strain of bacteria. In both cases we are more at risk of death from being hit by a car in our daily travels, yet we show no fear that this will occur. This irrational fear is reinforced in courses and books on security. The result is that we see "default deny" as the only valid solution, and that security professionals promote just that, often with a very hard line.

"Default deny" ideally assumes that there is an understanding of a service or application in its entirety, from the end user interface right down to the bits that traverse the wire, in detail and under all conditions. Years ago this was possible; however, today's applications are rarely the result of one team's code from the ground up. APIs of third party vendor systems are called, and third party libraries are used for communication, storage, authentication and many other functions and features. Today, it is unreasonable to assume that a particular team will understand everything at all levels, given the nature of how services on the Internet are built and deployed. Security professionals are correct in pointing out that this is a risk; however, it is a risk that is not going to go away, and security models have to adapt to manage and minimize it. A simplistic "default deny" does not accomplish this.

I have consulted for several very large tier 1 service providers. The default position tends to be "default permit". From there they determine what is 'bad' and craft security policies to deal with and minimize the risk. While enterprises can afford to take a more "default deny" approach, this will become more and more difficult. As services are increasingly built by external vendors, use third party APIs and libraries, interact with cloud computing, permit access from PDA devices, and make use of the many other services available and yet to be available, a different approach is needed. "Default deny" is a great goal for the security of a project; however, it needs to be prioritized with, and assessed from a risk perspective against, the other goals of the project.

Do you think that the security community of today needs to change its approach and behaviour?

Categories: Security

Law firms, businesses, the cloud, and security

January 19th, 2010 Clear2Go No comments

http://www.flickr.com/photos/room929/428260081/

Nicole Garton-Jones submitted on slaw.ca today a post entitled Practicing Law on the Road: the Role of the Cloud and the Emergence of the Virtual Law Firm. In it she highlights the idea of working remotely and using VoIP, cloud computing and virtual desktops along with your PDA and laptop devices. Especially when it comes to law firms, my experience is that they are often slower to adapt to technological change than other industries, due to a combination of tradition and the general need to follow government laws and the procedures enforced by their professional organizations. It is nice to see a lawyer promoting these technologies; I think that is great for the legal industry.

In her post, she discusses cloud computing, laptops and PDAs and touches on security. I feel that security needs to be given a much more serious discussion. My experience consulting with small companies and law firms is that they typically do not give security enough time, consideration, or expertise before choosing a technology path. There are many reasons for this, cost, resources, and time being the main factors. It is usually discussed only when a laptop with sensitive data goes missing, someone realizes there is a keystroke logger on their system, or their server data has been compromised and is leaking onto the Internet, bypassing the firewall, IDS, anti-virus, and the notice of the system administrators or third party companies hired to provide system administration and security.

Cloud computing offers many advantages and cost savings to companies. It also brings with it the concern of your data being stored off-site, out of your direct control. With large cloud computing vendors such as Amazon and Google, your data could be across the world in a foreign country, and the laws that apply to the protection of that data probably differ from those in your home country. This has been a topic of discussion for a while now in the cloud computing arena. One of the suggestions is to use a 'private' cloud. This is typically a cloud that you own or where you have more control over where the data is stored. For example, Canadian Cloud offers a guarantee that "...data are safe and secure on hardware located in Canada, and subject only to Canadian laws and regulations.." This resolves the international issues when it comes to control of data and is appealing. However, there is much more to consider before choosing a provider. While Amazon, Google and other large companies are international, they also have the size to attract security professionals that are very knowledgeable and current. They can afford the resources to properly monitor against attacks to steal your data. Google recently publicized the discovery of China conducting espionage on its systems. Will a provider of a smaller cloud offering have the resources to detect such attacks? If you install your own cloud, do you have the resources to hire individuals capable of detecting these types of attacks? One could argue that not using Amazon or Google is less secure and leaves you with more risk exposure. My point is that companies and firms need to consciously assess these decisions based on the sensitivity of the information they are thinking about storing on a cloud system.

Laptop security is still as important whether the cloud is present or not. It makes sense for an attacker to go after the weakest link, and that is almost always the end user device. Although one may suggest that all the information is on the virtual desktop in the cloud, there may be cases where data needs to be pulled locally. If this is the case and the data is sensitive, you will require encryption. Even if data is never stored on the laptop, so that there is no need for encryption and the management tasks it brings, malware that captures keystrokes and gathers screen shots is invaluable to an attacker when installed on the laptop of a lawyer involved in a sensitive case. This software exists in many places and is easily obtained and deployed. Proper user device security does not go away.

Between iPhone and Blackberry, currently the Blackberry is much more secure than an iPhone. Blackberry has the infrastructure, including BES servers, which allows enforcement of detailed security policies along with a robust management architecture. BES servers offer the ability to remotely wipe a lost Blackberry as well as the ability to track the location of the phone remotely. The Blackberry device itself has the ability to wipe all data via a menu option or by simply entering the wrong password a configurable number of times. By comparison, the current iPhone can have a password in place, but bypassing it is easy once you have the physical device, and security policies can be easily overridden by the user of the device. I fully expect the iPhone to improve in this area as it targets the business market, but currently this is the general state of security with the iPhone. A company that deploys iPhones or Blackberries needs to consider the type of data on these devices and the required security. While many users prefer the iPhone over the Blackberry, choosing between them is a security decision as well. Best to make it consciously and understand the risks you are assuming with your firm's and clients' data.

Companies and firms need to consciously assess the security requirements of their data independent of any one technology.  Once this is completed, choose and deploy solutions and services that meet those requirements balancing off risk, cost, and convenience.  While there is no such thing as 100% security, you can consciously minimize this exposure, and manage the risk.

How confident is your company or firm that data stored on your local servers, cloud infrastructure, laptops, PDAs and other devices is secure, and can not be extracted or viewed without proper authorization?  If your data was being extracted or viewed without authorization would your security team detect it?  If not, why not?

Authorized to shut down the data center, update

January 13th, 2010 Clear2Go No comments

I posted a couple of weeks ago about operators monitoring systems, discovering a serious exploit in progress, and determining what to do if no one was available to make a call such as shutting down a service. What metrics are in place, such as length of time, number of phone calls, or seriousness of the incident, that allow an individual to confidently make a call that might affect the business? My example was one where it was discovered that a hacker was slowly siphoning off account information at a financial institution. I don't know what this particular institution's procedures were, but it turns out my fictional example happened. Not surprising, as it is a valid scenario in today's world, but I thought it was worth commenting on.

Categories: Incident Response

To follow or not to follow, that is the question

January 4th, 2010 Clear2Go No comments

On the Slaw blog, there was a post today about some issues a few lawyers had when they ended up following an individual on Twitter. The post ends by effectively asking whether people feel they should follow someone who follows them. I added my thoughts in the comments of that post, but thought it would be a good topic for a quick entry in my blog, as I have pondered that question for a while. I've added a little more detail here about my criteria than in the comment. The process is not cast in stone; rather, it is a general set of guidelines that I typically use to make a decision.

My goal with social media is to connect and meet other interesting people.  As a general rule, I believe that when someone decides to follow you they are indicating they value your opinion and/or want to start some sort of on-line relationship with you. At least for a majority of people, I believe this to be true. Specifically in my areas of interest (security and networking), Twitter has been very valuable for me in building relationships, getting feedback, and keeping abreast of what is happening.  I also feel that the point of Twitter, Facebook, Linkedin and other social media sites is to connect with others, build relationships and trust.  Accomplishing that requires both parties to give, just like a relationship between two friends.  If it is one sided, what is the point?

That being said, there are those that will use social media for ‘bad’. Bad by my definition in this context, is to attempt to tweet me to death with useless information, send marketing links about products constantly, or use it as an automated tweeting tool where no real person is on the other side.

When someone follows me I typically do the following:

Check their twitter profile

Are others following them? What is their ratio of followers to following? If not many are following them, then I check how long they have been tweeting. Maybe they are new. The ratio of followers to following is an indication to me of how active they are and how interested they are in others. A low follow rate may indicate they like to say things, but don't like to hear the opinions of others. Not 100%, but an indicator.

Scan their tweets

I scan their previous tweets. Are they informative and original, or are they all just re-tweets? Do they appear to be all just trying to sell products? Do they appear to be auto-generated?

Internet presence

Do they have an Internet presence such as a website, blog, Facebook account, or LinkedIn account? If they have a website, does it look legitimate? Does the website or blog have information that is useful? Are there opinions? Is there an 'about me' area where they tell the reader about themselves? This is extremely important to me. I like to know who I am building a relationship with. I don't need big secrets about them, but a general concept of who you are, what you do, and your likes and dislikes is helpful. If I am going to read your posts and references to articles, I'd like to know that you are real and have some background and/or experience with the information you post.

General Internet search

I will search Google.  Do they post elsewhere?  Do they have comments and opinions?

Based on the information I find and feedback, I make a decision to follow or not.  This evaluation process is similar for blogs I add to my blog reader.  Again, this is not cast in stone.   There are a few that I follow that do not follow me back and that is fine.  However, for me that is the exception as opposed to the rule.

Do you have criteria for who you follow on Twitter or what blogs you subscribe to?

Categories: Social Networking

The future belongs to people who take initiative

January 4th, 2010 Clear2Go No comments

Seth Godin was interviewed by Nora Young on Spark. The interview can be found here. The part of the talk where Seth describes how many of us were never trained to take initiative but to follow instructions, and how that impacts us in our work, made a lot of sense to me. My favourite part was the section on emotional labour, the act of connecting to another human being and making a change even if it is not easy for you to do it in that moment.

A good talk for anyone in a leadership position.

Categories: Leadership and Management