Tuesday, February 28, 2006

Security in The 'Real World' and the Influence on IT Security - Part 1


An interesting and different look at security & civilization through history.


Can’t wait for Part Deux


posted Tuesday, February 28, 2006 2:35 PM by sandeepm


The human society we live in today is the result of over 4000 years of cultural evolution. Security has always been a priority for all societies, and while the focus of security may have changed, the emphasis has not. Every society has been built upon a core set of security foundations that allows the government to keep its citizens safe, maintain law and order, and protect against external threats. Historically this has been achieved by building settlements in areas that can be easily defended from attack and that are in close proximity to natural resources and trading partners. At this point the settlement was a potential opportunity for attack, but with little or nothing to offer the would-be attacker it remained relatively safe. However, as the settlement grew in size and importance it moved from being an opportunity to becoming a target. The first level of defence to be erected was the outer wall to keep people out. But in order to allow people to travel out and allow commerce, they had to start opening doors in their otherwise impenetrable wall. And while a trader can look like a trader, sound like a trader, and even smell like a trader, without the soldiers at the door checking their cargo they could never be sure.

Sound familiar? It should do. In the IT world we call this wall a firewall, and the people going in and out are packets. And just like the real world, unless you deeply inspect the traffic or people coming through, you have no real idea of the validity of the traffic. A similar approach is used in modern airports. The fact that you have a ticket and passport does not imply you are a trusted and valid traveller. Unfortunately the IT world has been slow to keep up, and our firewalls have frequently failed to keep out malicious traffic and hackers. The concept of masquerading malicious traffic as valid data and passing it through the firewall is often called a Trojan - again a familiar term, first conceived 3000 years ago and named after the Trojan horse: something that was perceived to be ‘good traffic’, secretly containing dangerous ‘traffic’, and taken knowingly through the ‘firewall’. The threat and countermeasure have been known about for three centuries, yet after 30 years of using a similar network we still became victims to the same threat. Looking back through history there are a number of facts that become apparent:

- IT threats mirror themselves on real world threats
- Threats come from the inside as well as outside
- Attackers don’t play by the rules
- Attack classes can be classified by real world categories

Trojans, viruses, and spyware all take their names from real world threats, and all too frequently the IT world fails to stay up to date and understand the types of threats that are evolving. While we have all had anti-virus deployed in our environments, did we consider spyware and the threat it poses before two years ago? The real world threat of spies has also been known for thousands of years, yet it has taken over 30 years in the IT world to wake up to the threat of spyware.
Security in the physical world costs relatively less than its IT counterpart, is more effective, and gives us less cause for concern – can we take what we have learnt from the physical world, and develop the same type of security models in the IT world to deliver greater security, at a lower cost? Over the next few blog postings I will highlight physical security models, how they apply to the IT world, and how you can leverage these models to define your own internal security policies - stay tuned.
http://blogs.technet.com/sandeep/default.aspx

Saturday, February 18, 2006

March Technet webcasts


March TechNet Webcasts are here- check out the schedule


They’ve got over 50 new TechNet webcasts coming up in March. Check out the March TechNet webcast schedule.


And if you haven’t seen the new interactive webcast calendars, this is a great way to keep on top of what’s coming each week:


NEW: Interactive TechNet Webcast Calendar
Upcoming TechNet webcasts in a dynamic, interactive format.

NEW: Interactive Security Webcast Calendar
Upcoming Security webcasts in a dynamic, interactive format.

Windows Defender (Beta 2)


Windows Defender (Beta 2) is a free program that helps protect your home computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.
It features Real-Time Protection, a monitoring system that recommends actions against spyware when it’s detected, and a new streamlined interface that minimizes interruptions and helps you stay productive.
Get more information:

http://www.microsoft.com/athome/security/spyware/software/default.mspx

An always useful link


ClearType Tuner
One of those always useful links to have - I just changed to a new laptop a couple of weeks after the New Year, and the default LCD display was somewhat fuzzy even with ClearType turned on.
If you didn’t know, you can use an online tool to optimise the ClearType settings here. There’s also an XP PowerToy available here that achieves the same thing.

Anatomy of a Break-In


Watch out! It is amazing how simple it is to break into companies and steal all their data. This story, “Anatomy of a Break-in”, details how easy it is by profiling “step-by-step” how Ira Winkler and his team were able to compromise all the critical systems within two days, including having the ability to steal sensitive information and threaten the entire IT infrastructure of a business.
Courtesy of
InformationWeek

Anatomy Of A Break-In
By Ira Winkler, Internet Security Advisors Group

Fold that T-Shirt


New technique for folding t-shirts
Just found a silly video about folding t-shirts: Folding T-Shirts.wmv

Thursday, February 16, 2006

Meeting the Productivity Challenge



There is a series of podcasts that are running in the Globe and Mail from now until March 3rd.

These podcasts address some great topics dealing with productivity in the Canadian market, but are a good guide to business in any country.


Listen each week for IDC’s Perspectives on Productivity and look for the printed supplement in the Monday Report on Business section of the Globe and Mail.
The series is available to both read and download at www.globeandmail.com/productivity.

Additionally, I will be posting links to the mp3 and wma versions each week. Remember, podcast doesn’t mean iPod: these podcasts can be listened to on your PC, Windows Mobile device, or virtually any mp3 player.


Enjoy,

Windows Defender Beta 2 is now available!


Windows Defender (Beta 2) is a free program that helps protect your home computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.
It features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, and a new streamlined interface that minimizes interruptions and helps you stay productive.


Get more information at: http://www.microsoft.com/athome/security/spyware/software/default.mspx

Thursday, February 09, 2006

14th Feb Updates


On 14 February 2006 Microsoft is planning to release:
Security Updates

One Microsoft Security Bulletin affecting Microsoft Windows Media Player. The highest Maximum Severity rating for this is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scanning Tool.

Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Office. The highest Maximum Severity rating for these is Important. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

One Microsoft Security Bulletin affecting Microsoft Office. The highest Maximum Severity rating for this is Important. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.
Microsoft Windows Malicious Software Removal Tool

Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS

Microsoft will not release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).

Microsoft will release one NON-SECURITY High-Priority Update on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Although they do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

I.T. Security & E-Commerce

Security Alert IE



Security Alert, February 8, 2006



A new Windows metafile vulnerability was discovered in Microsoft Internet Explorer (IE). The vulnerability is caused by incorrect processing of image headers and could be exploited by remote intruders to execute arbitrary code in the context of the currently logged-on user. The problem affects Windows 2000 with Service Pack 4 (SP4) and Windows Me.

Systems that have IE 6.0 SP1 installed aren't affected.
Microsoft issued an advisory (at the URL below) that recommends installing IE 6.0 SP1.
http://list.windowsitpro.com/t?ctl=204B1:3943B9

Wednesday, February 08, 2006

Security Alert Mozilla Foundation



Security Alert, February 7, 2006
8 Vulnerabilities in Mozilla Suite, SeaMonkey Suite, Firefox, and Thunderbird
The following eight vulnerabilities exist in Mozilla Foundation's Mozilla Suite, SeaMonkey Suite (the code name of a new version of Mozilla Suite), Thunderbird email client, and/or Firefox browser. The first vulnerability is rated critical, the next four are rated moderate, and the final three are rated low in terms of severity. The vulnerabilities are as follows:
- XML could be injected into the browser's localstore.rdf file, which would then be read by the browser at startup. The vulnerability could allow intruders to inject JavaScript code onto a user's system.
- The browser contains integer overflow errors that could allow intruders to execute arbitrary code on an affected system.
- The products' QueryInterface method contains a flaw that causes memory corruption, which could allow intruders to execute arbitrary code on an affected system.
- Dynamic changes to certain style elements could cause the browser to attempt operations on freed memory space, which could allow intruders to execute arbitrary code on an affected system.
- Specially crafted JavaScript objects could trigger "garbage collection," which could cause the browser to attempt operations on freed memory space. The condition could allow intruders to execute arbitrary code on an affected system.
- Web pages with extremely long titles cause the browser to take a long time to start up, or to crash when the computer has insufficient memory available.
- The E4X AnyName object that's used by the products' JavaScript engine is unintentionally exposed to Web content, which could allow scripts to perform unauthorized actions.
- The products' XML parser might read beyond the end of a buffer, which could cause the browser to crash.
Mozilla Foundation released updates to the products to correct these problems. For more information, go to
http://list.windowsitpro.com/t?ctl=20228:43C5FC

Saturday, February 04, 2006

Firewalls, a history lesson




Recently, a rather high profile software company has been taken to task about its patching strategy.
One of the comments that was made by the customers of this company was basically: "We don't have to worry, all our servers are behind a firewall".
I've got to be honest and wonder why these people think that their firewall somehow protects their systems? A firewall is the outside of what is known as "M&M Security" - Hard and Crunchy outside, Soft and Chewy inside. The basic problem with M&M security is that once a bad guy (or worm, or virus, or malware of any form) gets behind the crunchy outside, the game is over.
George Santayana once said, "Those who cannot remember the past are condemned to repeat it." And trusting in a firewall is an almost perfect example of this.


It turns out that there's a real-world example of a firewall that almost perfectly mirrors today's use of firewalls. It's actually quite uncanny in its accuracy.
Immediately after WW1, the French, seeing the potential for a threat from Germany, built a series of fortifications known as the "Maginot Line". These were state-of-the art fortifications designed to protect against most if not all the threats known at the time.


(Image above stolen from wikipedia).

From all accounts, the Maginot Line was a huge success. Everywhere the German army engaged the French on the Maginot line, the line did an excellent job of protecting France. But it still failed. Why? Because instead of attacking the Maginot Line head-on, the Germans instead chose to cut through where the Maginot line was weak - the Saar gap (normally an impenetrable swamp, but which was unusually dry that year) and the Low Countries (Belgium and the Netherlands, which weren't considered threats), thus bypassing the protection.


The parallels of the Maginot line and Firewalls are truly eerie. For instance, take the paragraph above, and replace the words "Maginot Line" with "firewall", "French" with "the servers", "German Army" with "Hackers", Saar gap with unforeseen cracks and "Low Countries" with "employee's laptops" and see how it works:


From all accounts, the Firewall was a huge success. Everywhere the Hackers engaged the servers on the line, the firewall did an excellent job of protecting the servers. But it still failed. Why? Because instead of attacking the Firewall head-on, the hackers instead chose to cut through where the firewall was weak - they utilized previously unforeseen cracks (because the company hadn't realized that their WEP protected network was crackable) and the employee's laptops, where the firewall was weak (because the employee's laptops weren't considered threats), thus bypassing the protection.


You should never assume that some single external entity is going to protect your critical assets. If you've got a huge armored front door, I can guarantee that the thieves won't come through the armored front door. Instead, they're going to pick up a rock and throw it through the glass window immediately next to the door and go through it.


I'm not dinging firewalls. They are an important part of your defensive arsenal, and can provide a critical front line of defense. But they're not a substitute for defense in depth. And let's be honest: Not everyone configures their firewall correctly.


If you assume that your firewall protects you from threats, then you're going to be really upset when the bad guys come in through an unprotected venue and steal all your assets.


Thanks to Stephen Toulouse and Michael Howard for their feedback.