Sep 09 2011

I was alerted to this by an article on The Register which points to the Godai Group‘s investigation into what happens when you register domains “close” to a reputable company’s and grab all the emails that happen to pop by. It is hardly a surprise to anyone who has run an email system: you will get tons of email delivered to you because of email address typos. Specifically, Godai Group looked at one type of typo – accidentally leaving out a “.”. For example, one of the domains that the Godai Group picked up on was some-person@ca.ibm.com, where “someone” has registered caibm.com (no dot) … whether or not that person is sniffing those emails cannot be known, but they could be.

Again, to those who have run email systems it is no surprise to learn that some of the emails contain “interesting” information not limited to :-

  • Trade secrets
  • Business invoices
  • Personal information about employees
  • Usernames and passwords!
  • Network diagrams.

What is not mentioned is that those Fortune 500 companies almost certainly have policies in place prohibiting acts such as sending passwords and other sensitive information by email. But of course there is a description for someone who reads all of the corporate policies – someone who isn’t doing their job!

There is an interesting list of mitigations in the Godai Group report, but it could be a lot more extensive :-

  • When sending out an email to an address where the left-hand side would be a valid internal address, flag the destination in your logs. Use that information to build up a list of domains for which you should check for valid internal addresses, and freeze (hold in the queue) any messages that match. As an example, if mike.meredith@ca.ibm.com were a valid address you might want to freeze any emails addressed to mike.meredith@caibm.com.
  • Use your email logs to build up a database of domains that you send email to. This will allow you to identify similar domains that may be being used as so-called “doppelganger domains” and that you may want to take some action against. You may think you can guess what the domains would be, but there is a lot to be said for hard evidence.
  • Perform content filtering on outgoing email, and build up a set of rules to catch emails containing patterns that match certain kinds of emails you do not want leaving your organisation – to begin with, a pattern matching “password [is] XXXXXX”. This could take considerable effort to build, and there will always be the chance of a false positive, so you will want a sensible warning message when emails matching the relevant content filter get caught – “Please check that this email does not contain confidential information; please check the recipient address, and if necessary re-phrase the email”.
  • Encourage the use of end-to-end encryption such as PGP. Plain encryption is not sufficient – “walled garden” email systems such as GroupWise support encryption for internal emails, but this is about external (even if it isn’t intentionally so) email which is not encrypted with such corporate email systems. In fact systems such as GroupWise may be considered dangerous in this context – it comes with the word encryption on the tin, and even allows you to “take back” emails that you have sent that you regret. These facilities encourage dangerous practices.
  • Education, education, education. But this will not accomplish much – not only are the people who really need to be educated not listening, but these problems are mistakes – both in terms of accidentally sending emails to the wrong address, and in terms of emailing information that should probably not be sent via email.
  • Lastly, and perhaps for amusement value, you could try persuading senior managers that the danger of them accidentally sending inappropriate information out to third parties via email is so great that it justifies setting up a process by which all their email sent to external addresses is manually reviewed to ensure that it is not an accidental release of internal information. Good luck on that one!
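The first two mitigations above (flag internal names sent to unknown domains, freeze mail to “dotless” doppelganger domains) sketched as code. This is an added example, not from the original post or the Godai Group report; the domain and user lists are constructed sample data standing in for what you would extract from the mail logs and the directory.

```python
# Constructed sample data. In practice KNOWN_DOMAINS is built from the
# outbound mail logs and INTERNAL_LOCALPARTS from the user directory.
KNOWN_DOMAINS = {"ca.ibm.com", "us.example.com", "mail.partner.co.uk"}
INTERNAL_LOCALPARTS = {"mike.meredith", "alice.smith"}


def dotless_variants(domain):
    """Domains formed by dropping one internal dot from `domain`.

    The final dot (before the TLD) is kept: 'ca.ibmcom' is not a
    registrable doppelganger of 'ca.ibm.com', but 'caibm.com' is.
    """
    labels = domain.lower().split(".")
    variants = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def build_doppelganger_map(known_domains):
    """Map each candidate typo domain to the genuine domain it mimics."""
    mapping = {}
    for genuine in known_domains:
        for variant in dotless_variants(genuine):
            if variant not in known_domains:
                mapping[variant] = genuine
    return mapping


DOPPELGANGERS = build_doppelganger_map(KNOWN_DOMAINS)


def classify_recipient(address):
    """Decide what the MTA should do with one outbound recipient address.

    'deliver' : nothing suspicious
    'flag'    : deliver, but log it (an internal name at an unknown domain,
                or any name at a doppelganger domain)
    'freeze'  : hold in the queue (an internal name at a doppelganger domain)
    """
    local, _, domain = address.rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in KNOWN_DOMAINS:
        return "deliver"
    if domain in DOPPELGANGERS:
        return "freeze" if local in INTERNAL_LOCALPARTS else "flag"
    return "flag" if local in INTERNAL_LOCALPARTS else "deliver"
```

The flagged destinations feed back into KNOWN_DOMAINS over time, which is what makes the doppelganger list grow from evidence rather than guesswork.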
Aug 31 2011

I became aware of this story through an article on The Register – to summarise the facts, a woman bought what turned out to be a stolen laptop, and whilst using it to conduct a certain kind of webchat with her boyfriend, an employee of Absolute Software used previously installed software on the stolen laptop to ‘grab’ several items of data including screenshots of the webchat session.

Even if someone unintentionally using a stolen laptop cannot expect reasonable levels of privacy (and the Judge doesn’t believe that their privacy should have been breached), ordinary human decency should have been enough to exclude the naked pics. Anyone involved in the security world (including IT security) should be aware that anyone using a stolen laptop may well not be the person who stole the laptop and may be guilty of no more than stupidity by buying a stolen laptop.

Such stupidity deserves punishment, but the loss of the laptop is punishment enough – having naked pics of yourself passed around a bunch of geeks and then shown to the police is going just a little too far. And what about the boyfriend ? He didn’t have anything to do with the stolen laptop, so why were Absolute Software stealing naked pics of him?

Once you have a timestamp and a network address of the stolen laptop, that is sufficient in almost all cases to identify who to talk to about the laptop. Grabbing screenshots of a webcam chat is merely prurient voyeurism of the same order of magnitude as setting up network webcams in a shop changing room.

But there is more to this than just the salacious details of the kind of pictures captured. Who owns the data on that laptop ? Well, all of the data on the laptop at the time it was stolen surely belongs to the owner of that laptop (unless of course they have been stealing data themselves!), but any data created since then does not. And that surely includes screenshots of what activities are shown on screen.

If Absolute Software had chosen to activate the webcam to grab pictures of the person using the laptop rather than grab screenshots, they would have been on slightly less shaky ground because they would then be creating data and not stealing data. And of course they would not have grabbed a naked pic of an entirely innocent man! However they should also have the decency to ensure that any images they grabbed didn’t contain an ‘unusual’ amount of skin exposed.

Plus of course grabbing any sort of image from a webcam could put the employees of Absolute Software at risk of creating and viewing child porn – not everyone engaged in ‘adult’ webchats is necessarily over the age of consent!

Aug 19 2011

Revised answer: Yes

The longer answer gets a bit more involved. First of all, there is some level of protection built into OSX against malware, called File Quarantine. There are limits to how much protection this provides compared with PC anti-virus and anti-malware products, as it only protects against known malware, and only at the point where the malware is installed or run.

It is also limited by the frequency at which the OSX operating system is updated – OSX is typically updated once a week (unless you put off applying updates), whereas a PC-style anti-virus product will typically update its virus definitions on an hourly basis. This would seem to make it totally inadequate, but OSX just doesn’t have as much malware as Windows.

There are a number of possible reasons for this including that OSX is inherently more secure and that OSX just doesn’t have enough of a market share for malware authors to bother with. The truth behind the lack of malware for OSX is only known to the malware authors, although it should be noted that OSX viruses do exist (as do Linux ones).

You could take the attitude that a flood of OSX malware is due any day now, and insist on running an anti-virus product in addition to the inbuilt protection OSX has. There are of course people warning that the flood of OSX malware is just around the corner, although they tend to be people connected to the anti-virus industry so are perhaps less than totally disinterested.

Of course if you have some seriously private data to protect, you should probably consider it. But most of us don’t work for the intelligence services, so can be a little less protected … for now. This of course can all change next month, next year, or sometime, so don’t take the word of this blog entry seriously especially if the date on it is a long time ago!

Of course now some time has passed, the situation has changed (with Flashback amongst others), so the answer is that yes, you do need an anti-virus product. It is true that Apple has some built-in protection against malware, but Apple is not an AV company and so they may well react too slowly to protect you.

Aug 19 2011

According to the site where I usually get my news, there are two articles today … one reporting on HP supposedly spinning off the PC business, and another reporting on Lenovo’s bosses patting themselves on their back for buying IBM’s PC business a few years ago. The interesting thing about these two stories is that HP may be making the same mistake that IBM has previously made.

It may not appear at first glance to be a mistake – IBM and now perhaps HP are ditching a very low margin business because their core area of profitability is in business software and services with much higher margins. But is it a sensible decision ?

One of the advantages of selling pieces of tin that ordinary people have a chance of encountering when they are looking for a new desktop PC or laptop, is that your name is “out there”. Ordinary people will know your name, and know what business you are in – just the kind of publicity that an obscure company selling business software would love – how many people in the street know who Oracle are ? Or Autonomy ?

Aug 13 2011

It is often the case that people are reluctant to apply operating system patches to servers for two core reasons :-

  1. Applying patches often means an interruption to service, and arranging an appropriate outage can sometimes be difficult.
  2. There is a risk in applying patches that they may break something that previously worked.

Both concerns are legitimate, but what is less often observed is that an unpatched server may appear to be working but to an extent is already broken – the patches are released to fix broken servers.

If we look at car maintenance, we are used to the idea that we take our cars for preventative maintenance – it is called a service. Almost everyone with a new car will routinely take it along at regular intervals for a service to reduce the risk that it will break unexpectedly. Those with older cars frequently accept that their car will unexpectedly break and that they will have to cope with that when it occurs.

Or in other words, we apply preventative maintenance to cars, deliberately taking them out of service (you can’t use a car when it is in the garage getting serviced) so as to exchange a scheduled period of unavailability for a reduced risk of unexpected unavailability.

It should be the same for operating system patches.