SecTools.org has long been a nice repository of must-learn tools for security enthusiasts. In the last month, the tools list has been updated with a new top 125. I see you can now also submit reviews for the tools as well.
(Disclaimer: Putting this out there, but my time at work this afternoon is forcing me to do less re-reading than I’d like. Hopefully I’m not sounding like an unreasonable ass!)
Carrier IQ is a hot topic right now, which itself sort of pisses me off. In the same spirit of what pisses me off, I read the ComputerWorld article, “Carrier IQ is BYOD kiss of death — urgent action required” (via Dan Morrill). Yes, read the article because it at least doesn’t whine about data gathered by carriers, rather that this data is logged and stored on vulnerable devices.
1. If the confirmed presence of Carrier IQ on your phone prompts new (ensconced) action, you’re doing it wrong. Whether this is a business-purchased device or a personal one, it’s not entirely YOUR device. The carrier is going to and is already doing whatever it wants. While it’s nice that people are getting mad now, you shouldn’t be surprised by this state of affairs. Maybe this will spur usage of unlocked phones not supplied by carriers, or custom ROMs, but still…
2. If you’re pissed about carrier-implemented apps, are you pissed about all the crappy apps your users can install on their phones? Again, if not, you’re doing it wrong. And there will be apps with even worse transgressions (if not outright malware apps). In users’ defense, at least they don’t have a chance to know about carrier apps.
3. Are you worried about corporate espionage targeting your phones but not your carriers? You’re somewhat doing it wrong. I like that the article mentions the risk of phone-based attacks harvesting extremely juicy data that is brilliantly stored on the end device, but one should also keep in mind that these carriers and anyone else logging anything at all (the carriers absolutely will be, it’s their network) are also risks (that includes Google or Apple, the makers of your OS). Those entities are making your risk decisions for you.
4. Why are you kneejerk reacting to get rid of Carrier IQ software in the “urgent action required” section? This is the same backwards approach to security that says you only react to bad things actually happening right now, instead of doing any prevention. It’s fine to react, but please don’t be surprised or crazed with action after the revelation of something that was predictable and probably expected at some point. And just because you get rid of Carrier IQ, does that mean you also fully understand every other part of your phone’s OS, included software, carrier presence, and installed apps? Shit no.
Is there a difference between malware keyloggers vs carrier-embedded software logging vs OS-enabled logging? In my books, not really, until users are fully made aware of what is going on. Which itself is an entirely new topic because if you’re doing something that will piss people off if it were made known, why the crap are you doing it?
I think Dan is on the money when he says this really doesn’t change anything on the BYOD front and poses the question of whether these phones really are yours or not.
Another discussion topic would be what makes these phones so different in this regard from our Microsoft-clad personal computers running on our ISP of choice? It’s interesting that I do actually trust Microsoft as my OS more than Google or Apple, I trust my interaction with my ISP a bit more than with my phone carrier, and I also trust the software process a bit more (i.e. I have the ability to watch an install at a deep technical level and monitor/alert on behavior). Making everything convenient hides the details, which, to me, fosters less trust…
Skype still beats on the enterprise door with regularity. Brandon Knight talks about Skype in the enterprise over at infosecisland. I’ve talked about it before and before and before and before and before…
I like Brandon’s take on the potential eavesdropability risk with Skype (which is almost certainly real, since China allows its use and they certainly never would if it were truly private):
For example, how are you communicating today in your organization? If you are making calls which route across a PSTN (Public Switched Telephone Network) then you are already putting your conversations into the hands of service providers, governments, and whoever else may have physical access to the lines.
Fair enough argument. But this only applies to people who understand that Skype isn’t a private network. I’ve had plenty of discussions where users argue that Skype *is* private. You can’t make that assumption; you’re using someone else’s app, over someone else’s lines, and through someone else’s proxy/login/servers.
This also applies only to the instances given. If I want to eavesdrop on John’s Skype conversations, I can do some network tomfoolery to reroute traffic. Doing that on a PSTN or something else is a whole different game. The name of the game in the digital world is efficiency, which blows away any comparable example in the analog world (just ask the MPAA or RIAA…).
Brandon’s article is an excellent companion to any discussion about Skype in the enterprise, and he brings up decent points about public information disclosure, desktop maintenance, network security visibility (data exfiltration), and even side-channel delivery of content such as the ads accompanying the app.
There are even other considerations, such as how you handle people’s personal accounts upon termination (and contact lists and client/customer contact habits), automatic updates, logging, etc.
Watching the Illinois water pump hacking situation has been fun. Wired pretty much summed up the end story: no hack here, just a series of fun incidents.
While it makes for a great movie plot, and gets people excited, I’ve found that most “strange” things at work involving computers end up being completely innocent, and not the effects of some nefarious digital attackers. For as paranoid and ear-to-the-security-ground as I might be, I’m still one of the last people to think an actual attack is under way when something weird happens on my networks. And 98%+ of the time I’m correct. Jumping the gun and throwing cries of, “hackers, hackers, hackers!” without anything solid to go on does no one any good.
It’s one thing to muse about the possibility of an attack or to wildly (or jokingly) suggest it, but doing so outside of very controlled groups of people leads to a misunderstanding as someone walks away from that conversation and tells someone else that it *is* a hacker. And then it gets to someone important, and now you’re spending days, weeks (or more) trying to dig out of that hole and pass the hot potato.
When in doubt, stick with non-extravagant gut feelings. As they say in law enforcement, there may be the possibility of a complex, movie-like conspiracy, but the truth is almost always rooted in the simplest answer. Not some complex plot.
I will say, kudos to finding that Russian (but not the German?) IP address accessing the remote systems. Not so impressed that those IPs can even log in (no idea on the auth mechanism). And just a sigh about not finding those IPs very soon after the fact (i.e. log review, but it’s hard to fault someone for not reviewing logs when it’s a time/money sink 99% of the time and even then it might be missed, besides which maybe they get 240 logins a day, which would suck to browse through, and I don’t know many SIEMs that would be smart enough and easy enough to just tune out anything from your normal systems…seriously, the ideas on how to monitor are easy, but not so much with the tools at hand…yikes, this is a whole discussion in and of itself.)
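An added example of the “tune out anything from your normal systems” idea (not code from the post, and the log lines and network ranges are constructed, not the actual Illinois data): parse remote-access login records, drop sources inside the networks you already expect, and count what is left so that one unfamiliar host logging in stands out from a day of routine entries.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of remote-access login records for this example.
SAMPLE_LOG = """\
2011-11-08 02:13:44 login user=operator src=10.0.4.21 result=success
2011-11-08 02:14:02 login user=operator src=10.0.4.21 result=success
2011-11-08 03:01:19 login user=vendor src=203.0.113.77 result=success
2011-11-08 03:05:55 login user=operator src=192.168.1.15 result=success
2011-11-08 04:22:08 login user=admin src=198.51.100.9 result=failure
2011-11-08 04:22:31 login user=admin src=198.51.100.9 result=success
"""

# Assumed "normal" sources for this site: the plant LANs and a contracted
# integrator's range. Anything outside these is worth a human look.
KNOWN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) login user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["src"] = ipaddress.ip_address(event["src"])
    return event


def is_known(addr):
    """True if the source address sits inside a baseline network."""
    return any(addr in net for net in KNOWN_NETWORKS)


def unusual_logins(log_text):
    """Keep only events whose source is outside the baseline; this is the
    filter that turns hundreds of daily lines into a handful to review."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return [e for e in events if not is_known(e["src"])]


def summarize(events):
    """Count successful logins per unknown source address."""
    return Counter(str(e["src"]) for e in events if e["result"] == "success")
```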