Firefox Patch Tuesday

by Carl Anctil

Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.

Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.

If we look back and remember how networking has evolved over the years, we will notice a pattern.  Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.

When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.

What’s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It’s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.

We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.

Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).

Social media versus your reputation

by Carl Anctil

I was reading an article last week about social media and thought it would be a good idea to share it. The article is Social networking 101: Facebook and your digital reputation from The National Post.

In my opinion, in terms of reputation, there seems to be very little concern in the general population regarding the use of social networking sites. Most people simply go ahead and post a considerable amount of detail about their lives without worrying about the possible consequences.

Over a period of time – a few days, weeks, or even months – it’s difficult for anyone to gain an accurate picture of what’s happening in a person’s life. All this personal information is just given away, without hesitation, for anyone to see, judge, or otherwise interpret as they see fit.

Social media is an in-the-present technology. That means it is all about current events happening now. People’s posts often reflect their emotion or mood at that specific moment in time. Most of the time, posts include pictures or video clips that may have current event context associated with them. However (and this is the problem), context usually doesn’t continue over time. Remember the pictures of your ex that you posted? I bet it seemed like a good idea at the time, but now you wish you could take them back. How can anyone expect to have control of past information, especially when the context has passed?

This brings up the “others” factor. This factor is just as important because we usually don’t have any control over the information that others post about us. What they say and how they describe us at that specific moment in time will probably change over time. Once again, this is the problem with in-the-present technologies. Social media is a great tool for the present… but lacks the context of the past. What happens to posts when the context associated with that information disappears? This is when problems usually occur.

So watch your privacy settings and be responsible about what you post. Your reputation tomorrow may depend on what you post today.

Magic Formula for Passwords

by Carl Anctil

Today, you are all very lucky. I am going to share my secret recipe when it comes to choosing passwords. I have been using this method for several years. It has served me well over the years and at this time, I feel it has passed the test of time (well, over 8 years). The formula is simple, effective and the result is a unique strong password every time you use it. This is how it works.

First, choose a word that contains a minimum of 8 characters. This secret word must not have any meaning, relation, association, etc. that can connect back to you, to a website or to an application. This means no maiden names, pet names, birthdays, etc. Same rules as before for choosing strong passwords. For this example, the secret word will be elephant.

Second, choose a secret 4 digit pin. Again, this secret pin cannot have any meaning to you. This is important: we don’t want anything that could be easily guessed. For this example our 4 digit pin will be 1234.

Third, pick one special character, such as a punctuation mark. We will use the @ character.

Let’s say we need to come up with a password for a website. We’ll use www.paypal.com as an example.

  1. Drop the www and the top level domain (.com). We end up with paypal.
  2. Pick a letter position in the result word as a key. This must be the same every time. To keep this simple, let’s use the first letter. Match the first letter (key) in the domain (p) with the first corresponding letter in your secret word, like so: ele(p)hant.
  3. Replace that letter with your secret pin: ele1234hant.
  4. Capitalize the remaining letters after your secret pin, like this: ele1234HANT.
  5. Add your special character anywhere you want: ele1234HANT@.

The resulting password is: ele1234HANT@

What you end up with is a 12 character unique strong password that contains letters, numbers, at least one upper-case letter and at least one special character. All you have to do is remember one formula instead of several distinct passwords. Works for me.

In addition, this method will provide you with a password that most likely will not be part of any dictionary or rainbow table. I like that.

Should the letter for the domain or application that you want to create a password for not be part of your secret word, just continue to the next available letter in the alphabet. Instead of paypal, let’s use www.bank.com. Since there is no letter b in elephant, I would have to use the first e as the first match when going through the alphabet. The result in this case would be 1234lephant@.

I know there are no capital letters but 3 rules out of 4 isn’t bad. Besides, you could easily add a capital letter anywhere should you really want to.
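The five-step formula above, written out as a function. This is an added example, not code from the post; it applies every step, including the capitalisation step, so for www.bank.com it yields 1234LEPHANT@ rather than the all-lowercase result the post shows, and it assumes that the alphabet search wraps around after z, which the post does not spell out.

```python
# Added example (not the post's own code): the password formula as a function.
# The secret word, pin and special character are the post's example values.
import string

SECRET_WORD = "elephant"
SECRET_PIN = "1234"
SPECIAL = "@"


def site_key_word(hostname: str) -> str:
    """Step 1: drop a leading 'www' and the top-level domain."""
    labels = hostname.strip().lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) > 1:
        labels = labels[:-1]  # drop the TLD (.com, .org, ...)
    return ".".join(labels)


def match_position(key_letter: str, word: str) -> int:
    """Step 2: index of the first occurrence of the key letter in the secret
    word. If the letter is absent, walk forward through the alphabet until a
    letter that does occur is found (wrapping at z is an assumption)."""
    alphabet = string.ascii_lowercase
    start = alphabet.index(key_letter)
    for offset in range(len(alphabet)):
        candidate = alphabet[(start + offset) % len(alphabet)]
        pos = word.find(candidate)
        if pos != -1:
            return pos
    raise ValueError("secret word contains no letters")


def derive_password(hostname: str, word: str = SECRET_WORD,
                    pin: str = SECRET_PIN, special: str = SPECIAL) -> str:
    """Apply all five steps for one site and return the derived password."""
    site = site_key_word(hostname)
    if not site or site[0] not in string.ascii_lowercase:
        raise ValueError("site name must start with a letter")
    key = site[0]                       # the key position is the first letter
    pos = match_position(key, word.lower())
    head, tail = word[:pos], word[pos + 1:]
    # Step 3: replace the matched letter with the pin.
    # Step 4: capitalise everything after the pin.
    # Step 5: the special character may go anywhere; here it goes at the end.
    return head + pin + tail.upper() + special


if __name__ == "__main__":
    for site in ("www.paypal.com", "www.bank.com"):
        print(site, "->", derive_password(site))
```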

Hope this helps when choosing strong passwords. No more passwords on post it notes!

Least Privilege

by Carl Anctil

The principle of least privilege is quite simple. The concept is to provide users with just enough privilege to perform their duties. But how do you apply this guide in a home environment?

For the home user, the least privilege principle is applied by using a normal, basic user account (not an administrator account). With this method, people can effectively limit the potential damage should that account get compromised or otherwise infected with malware. This is possible because normal users are limited with their access to non administrative areas of the operating system.

The concept or principle has been used in Unix and Linux for a long time. In fact, the Unixes have always had the benefit of the “root” super user account for performing administrative tasks. Users log in using their regular account for everyday duties and only switch when they need to increase their privilege to complete an administrative task. They SU (switch user) to the super user (root) temporarily to complete the necessary administrative task.

On the Windows platform, users should also use a normal, basic user account for everyday use. Since the release of Vista, Microsoft has introduced this principle via User Access Control (UAC). This is a new feature in Windows and one that has caused many frustrations among Vista users. The reason behind this frustration is that before the release of Microsoft Vista, most Windows users were able to run everyday tasks with elevated privileges such as the local administrator on the computer. With the introduction of UAC, this is no longer possible: every user runs with limited privileges. When a user attempts to perform an administrative task, a pop-up is presented with a dialogue requesting the password for the currently logged-in user before permitting a more elevated privilege mode. This pop-up is the kind of dialogue that users who are not familiar with the least privilege principle find frustrating and annoying. They didn’t have to deal with it before, and don’t fully understand the security benefits.

UAC in general is actually a very good thing. It’s designed to prevent malware from installing itself without user intervention. It also provides the user with a mental pause to perhaps help prevent mistakes before they are carried out. I hope people will learn to appreciate and understand the importance of the least privilege principle.

Network Validation

by Carl Anctil

Network validation is an important step or tool for designing or hardening a network. Something else that’s just as important to have is a valid, accurate and up-to-date network diagram. The act of correlating a network diagram against the actual network wiring is network validation.

Why bother with validating a network? The short answer is: to make sure that a network is wired according to how the network diagram says it is. This is important. Why is this important? A network diagram is exactly like a blueprint for a building. When architects create a blueprint for a new building, they do so following construction laws, regulations, standards, etc. These laws and regulations are required to make sure that our buildings are built according to proven and safe standards. They are there to protect us and make us safe. The result we get for following these rules is that they provide for us a reasonable expectation that our buildings are safe and secure. Sound familiar?

What does validating a network mean? For starters, it means that a network diagram should be designed before any actual wiring begins. Many networks are built without a network diagram to follow. This simply opens the door for costly and unnecessary mistakes or network flaws. If someone is responsible for a network without a network diagram, one is still required. It also means that the person in charge of a network should be able to validate every physical connection to that network in 10 minutes or less. This validation process should also be performed on a regular schedule.

Many organizations do have network diagrams, but how accurate are they? Keeping a network diagram accurate is crucial. It is often one of the first things sought during an investigation, or for the prevention and detection of network breaches. Remember that without this key piece of information, where does one start?

Do you know how the firewall is connected to the network? Do you know if someone temporarily hooked up the database server to the DMZ? Why is the proxy server unplugged? Or plugged into the wrong switch? Do you know how the network connects to the internet?

The answer to these common questions can only be reliably answered by conducting a complete network validation using an accurate and up-to-date network diagram. It’s a pretty simple concept to understand. However, somehow, this remains overlooked by many organizations. These organizations cannot reliably answer, or they do not know how to answer, these simple questions.

So please, validate your networks and keep accurate and up-to-date network diagrams. It’s rule number one.

How to Avoid Being a Target

by Carl Anctil

How to avoid being a target?

The quick answer is to move all essential, business critical or operational workstations and servers to a less targeted platform. If you’re less of a target, then the likelihood of a compromise significantly decreases. That’s all, folks; simple enough, huh?

Okay, it’s not quite that easy, but let’s compare for the sake of it. We’re going to stipulate that all configurations, settings, installations, etc. on all platforms have been completed following best security practices and that everything is fully patched and secured. So what do we have left to do?

The Windows solution is the most targeted platform for both the home and the business user. In order to successfully deploy the Microsoft Windows operating system for use on critical systems, a considerable amount of maintenance and dedication is required. The fact that this platform is the most popular and the most targeted platform of them all makes the attentiveness for this solution a must in order to prevent a compromise. Failure to do so is asking for trouble. The minimum required maintenance includes the following:

1. Keeping the OS fully patched.
2. Installing antivirus software and keeping it up to date.
3. Installing a software firewall for workstations at minimum.
4. Installing other various malware solutions and keeping them up to date.
5. Ensuring that third party software such as Java, Flash, Acrobat Reader, etc. are also all kept up to date.

These five steps are the bare minimum that is required to deploy an operational, critical system and to keep it safe. Anyone or any organization that is not ready or willing to spend the required amount of time and effort to continuously monitor and stay on top of this maintenance will, sooner or later, become compromised in some way. It’s simply a matter of time.

Or maybe it’s time for a change.

Moving your essential, business critical or operational workstations and servers to an alternate platform such as Linux, Mac or any other UNIX variant could possibly save a considerable amount of time and effort. Think about all the time it takes to continuously loop around the five steps above. Thought about it? This newly saved time could well be used to actually enjoy using a computer for work or play. Maybe this extra time could be better spent improving your business or customer relations. The fact is that a server or workstation that isn’t as much of a target will keep a significant amount of malware away. This is how computing should be – without malware.

Remember, these other platforms also have to be kept updated as necessary. However, they are not the most continuous target. That’s the difference.

Scrubbing The Web

by Carl Anctil

I have been using Privoxy for many, many years. It was actually called the Internet Junkbuster when I was first introduced to it. In early 2000 when I started getting into security and privacy, it was one of the first tools I began using to disguise my user-agent string.

Modifying a user-agent string is a simple way to avoid malware infections from websites that use the user-agent string as a method to determine the browser type and version in order to infect or hijack a browser (most common with IE). I modify the user-agent string to this day. However, what I do now is pretty subtle. I add or remove a single dot somewhere within the string. This way, if someone quickly glances at logs, my new customized user-agent string doesn’t stick out like a sore thumb.

Another reason I like using Privoxy is to block banner ads. Especially today, with all the XSS vulnerabilities going around, this is a quick and simple way to eliminate this threat. I also believe in cookie management. Privoxy can be used to manage your browser cookies and how they interact with websites. You can block them altogether or modify them to force a particular behavior, such as whether they are session cookies or permanent cookies. I know this is possible from within the browser, but Privoxy offers many more options and more flexibility for cookie management. It’s really cool stuff once you get into cookies and how and why they work.

Privoxy is an effective tool for controlling tracking web bugs. Web bugs are tiny 1×1 images used to report back to a company (website) whether you have opened or visited a certain page. Once this 1×1 image is rendered by the browser, various statistics are sent back to the requesting server such as the IP address, date and time, browser version and type, etc. This information is usually sent directly to a third party which usually is an advertising company. But there are other uses for this technology such as by some services that will advise you when an email (including webmail) has been read.

Lastly, I like Privoxy because I can also control the referrer. When a connection is made to a website, the browser will let the web server know which URL it came from. This is called the referrer. With Privoxy it’s possible to modify or block the referrer string that is sent to a web server when a new connection is made. This way web servers think you browsed directly to the url instead of having clicked from a link (being referred by).

Privoxy is a proxy. It runs in the background. I install it locally on every computer I have. I have it run locally on the loopback interface, which is the default. The browser will need to be configured to use the local proxy for it to perform the necessary scrubbing. For myself, Privoxy is simply another tool or software like antivirus, antispyware, etc. It doesn’t matter whether I’m on Windows, Mac or Linux, I install and use Privoxy when possible.
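To make the scrubbing rules described in this post concrete, here is an added example (not Privoxy’s code) of a tiny header scrubber that applies the same four kinds of rules: a one-dot change to the User-Agent, dropping the Referer, stripping the attributes that make a cookie permanent, and spotting 1×1 web bug images by reading their dimensions. The request headers, Set-Cookie value and image bytes are constructed for the example.

```python
# Added example, not Privoxy's code: the header and image checks the post
# describes Privoxy doing, implemented as plain functions on sample data.
import re
import struct


def tweak_user_agent(ua: str) -> str:
    """Remove the last dot in the string (or add one if there is none): a
    single-character change that does not stand out in a server log."""
    i = ua.rfind(".")
    return ua + "." if i == -1 else ua[:i] + ua[i + 1:]


def scrub_request_headers(headers: dict) -> dict:
    """Return a copy of the request headers with the Referer dropped and the
    User-Agent tweaked. Header names are matched case-insensitively."""
    scrubbed = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "referer":
            continue  # the server now sees a "direct" visit
        if key == "user-agent":
            value = tweak_user_agent(value)
        scrubbed[name] = value
    return scrubbed


# Cookie attributes that turn a session cookie into a permanent one.
_PERSIST_ATTRS = re.compile(r";\s*(expires|max-age)\s*=[^;]*", re.IGNORECASE)


def session_cookie_only(set_cookie: str) -> str:
    """Strip Expires/Max-Age so the browser discards the cookie on exit."""
    return _PERSIST_ATTRS.sub("", set_cookie)


def image_size(body: bytes):
    """(width, height) of a GIF or PNG body, or None if it is neither."""
    if body[:6] in (b"GIF87a", b"GIF89a") and len(body) >= 10:
        return struct.unpack("<HH", body[6:10])       # little-endian
    if body[:8] == b"\x89PNG\r\n\x1a\n" and len(body) >= 24 \
            and body[12:16] == b"IHDR":
        return struct.unpack(">II", body[16:24])      # big-endian
    return None


def is_web_bug(body: bytes) -> bool:
    """A 1x1 image served from a page is almost certainly a tracking pixel."""
    return image_size(body) == (1, 1)


# Constructed sample data.
REQUEST = {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:3.5) "
                  "Gecko/20090824 Firefox/3.5.3",
    "Referer": "http://search.example.net/?q=privoxy",
    "Accept": "text/html",
}
SET_COOKIE = "id=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/; HttpOnly"
# Header of a 1x1 GIF (constructed; only the bytes the size check reads).
PIXEL_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"

if __name__ == "__main__":
    print(scrub_request_headers(REQUEST))
    print(session_cookie_only(SET_COOKIE))
    print("web bug:", is_web_bug(PIXEL_GIF))
```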

Collaboration versus Privacy

by Carl Anctil

The perceptions and concerns we have about disclosing too much personal information are directly linked to the sharing and the openness of collaboration. When peering is added to the equation, we end up with what we have today, which is often referred to as Web 2.0.

The debut of dynamic content and open source software such as the LAMP stack has contributed and provided an affordable platform for people to create and share with others. Without this basic foundation, we would still find it difficult to collaborate with everyday people. This brought on a new requirement: how could we justify or approve the work that people are creating and sharing with other peers? The easiest and most affordable method to legitimize the work created by a large pool of unknown people is to be open about the content, how it is built and where it comes from. The easiest way to accomplish this is simply by using your real name and identifying the purpose of your collaboration (blog, wiki, social media, etc.).

Social media websites such as Facebook, Myspace, Linkedin, etc. are common these days and they make it easy to collaborate and share with family, friends and anyone else really. Through these new collaboration means, our personal information is much more exposed than it was before. If convenience is counter to security, then exposure must be counter to collaboration. In security, when something is convenient it usually means it is less secure. With collaboration, the more we collaborate, the more exposure (risk) we put on our private information. Just look at the social media websites mentioned above as examples. They contain a lot of private personal information, and people must learn how to balance the kind of detail they share with others through this new digital medium.

We all know (should know) that increased exposure normally also means more risk or at least greater risk. How do we mitigate this risk? By helping people protect their personal information. People have to learn how to collaborate online. The key is to learn to manage which personal information to give out and how to control it.

I believe that using a real name for collaboration doesn’t necessarily increase the risk of exposure as long as the other personal information included is also common knowledge or otherwise publicly known or easily obtainable. For example, I can manage the combination of my real name plus my work history. I control what I expose, so I can manage that information about me. Other private personal information such as date of birth, social insurance numbers, addresses, etc. should and need to be kept private and tightly controlled. Besides, private personal information should not and is not required in general collaboration. So why take the risk?

Openness over Privacy

by Carl Anctil

I’m presently reading the book Wikinomics by Don Tapscott. Early in Chapter One, the author explains how Wikinomics works and how it’s based on four powerful new ideas. These four ideas are: openness, peering, sharing, and acting globally. After reading about these four principles, I realized that this thing called Wikinomics actually works. We can simply look at the development of Linux as an early example of Wikinomics success.

Now that Web 2.0 and mass collaboration has gone mainstream, what effect has it had on our privacy? I’ve noticed a trend in the past several years about how much easier we share and disclose our personal information. Should we be concerned about this trend?

I remember back in 1991 when I first started using the Internet. The first thing I learned was all about pseudonyms and how important it was not to reveal personal details online. Even today, we still teach children and adults about the dangers of giving out too much personal information on the internet. Is it necessary to divulge personal information to be open? Or is it possible to be behind a pseudonym and still be considered open?

I’m going to use myself as an example. I’m currently serving in the military. I have about four years before my time is up and I retire from the service after twenty-two years. I will be young enough to have another twenty years to turn a nine year old hobby into a second career.

One of the problems I’m facing is this: how open should I be? I’ve been on IRC on and off for years and I’ve been on multiple mailing lists as well. I’ve probably had conversations with some of you in the past, but I’ve always had and used multiple pseudonyms. How have you as professionals dealt with this?

If openness in the Wikinomics sense has worked in the past using pseudonyms, what has changed today to make us stop using pseudonyms in favour of our real names?

I’ve tossed out a lot of questions in this post. However, I will remain on the same theme next month but this time with answers.

The fact that I wrote this post and you are reading it is the peering part. Next is the sharing so feel free to send comments. And by acting globally together, we will benefit our common and greater community.
