by Nathaniel Borenstein
I wasn’t there myself, but I heard from colleagues that Tim Berners-Lee (the originator of the WWW) keynoted at London’s IP EXPO Europe show earlier this month. He was asked why security wasn’t considered more in the beginning of the Internet.
This got me thinking back to those days and asking the same question. Why didn’t we early Internet guys predict the need or put the hours in on security from the start? After all, today there’s a whole industry now dedicated to the challenges of securing the Internet, as well as the data and communications carried over the network. Today, companies like Mimecast fight a never-ending struggle to keep the Internet reasonably secure.
Why didn’t we early Internet guys predict the need or put the hours in on security from the start? The good news is that the world runs on the Internet and there are thousands of smart people and companies working hard and fast to secure it and our data.
But many decades ago, there were so few people on the Internet that most of them knew each other by name. My late mentor, Einar Stefferud used to tell people his address was ‘stef @ any machine on the net.’ We mostly just trusted each other, as research colleagues. Besides, doing never-before-done amazing things is a lot more fun than preventing bad things that were, at the time, completely hypothetical.
For me, that’s all the explanation you should need. But I’ve plenty of other explanations and here are some of them:
1. They didn’t know how. When you’ve just built something new, by definition no one will know how to secure it. The people building them were specialists in all sorts of things, but not, with a few exceptions, security. They hoped that the security people could come in later and fix things up.
2. They didn’t want to. The early Internet pioneers tended to have a very egalitarian vision of the Internet. They wanted to open possibilities for everyone, not close them off from some people. While they would have readily said that some security would be needed, it just wasn’t what they wanted to work on. The vision of an Internet open to everyone tended to work against any efforts to secure it. Also, there was a lot of belief that anonymity should be possible on the net, so there was substantial resistance to requiring strong authentication of identity.
3. For most people, security was boring. Those who found it interesting generally wanted to work on something heavily used. Even security researchers — and there were some — generally trusted one another.
4. They feared it might be impossible. It was clear that Internet security would be very complex, and less clear that it would ever be truly possible. For that matter, they weren’t entirely sure that what they were trying to build with the Internet was even possible. Nearly all the protocol designers worried about security, and tried to make wise decisions when they could. But it’s hard to secure something before you’ve designed it.
The good news is that we now know the world loves (even runs) on the Internet and there are thousands of smart people and companies working hard and fast to secure it and our data. Nowadays there are university programs and whole careers to be made in various aspects of the Internet security industry.
It’s still an open question whether we can do so completely. The bad guys are constantly innovating so companies like Mimecast have to be relentless and in it for the long haul. This is a constant battle of cat vs. mouse between the Internet good guys protecting all of us from the bad guys out to steal our data, corrupt our systems or rob us plain and simple.
This is a worthy pursuit for any company, computer science graduate or expert. The world needs more smart, well-educated people worrying about security.
That’s why I’m particularly passionate about the need to get more young people, particularly women, interested in engineering at an early age. It may seem like an uphill battle. But there’s an encouraging shift visible in the emergence of targeted technology clubs and engineering toys designed to appeal to them from companies like Goldieblox, Roominate. Oh, and for the record, I’ve no financial interests in these firms or the toy industry. It’s just clear to me from my own experience as a parent and now grandparent, that if we inspire early, we can create the talent we need tomorrow.
by Orlando Scott-Cowley
Spear phishing is the new frontline in the battle to protect enterprise systems and data. As security scanning or gateway security services like ours have made it hard for traditional spam or phishing attacks to target businesses, the offenders are now moving towards spear phishing.
Targeted Threat Protection is a new service to protect enterprises from the growing risk they face from spear phishing.
Spear phishing is a targeted attack using embedded malicious links in an email that appear to come from a trusted individual or organization. Once clicked, the organization’s security is compromised when the user is tricked into giving away sensitive credentials or is taken to a site that exposes their systems to malware. These emails are often created following social engineering reconnaissance that helps to make them look legitimate.
The rise in targeted attacks is linked to a broadly acknowledged principle defined by IT teams – that users are the weakest security link in a company’s network. IT teams work hard to block the majority of external attacks at the email gateway but an innocent click from an email to an infected site can undermine all this work. Even those with traditional web scanning in place may not be safe if the link is accessed from a mobile or personal device.
To combat this threat, we’ve announced Targeted Threat Protection. The new service scans all URLs in inbound emails every time they are clicked by the user, even if it’s through mobile devices not provided by the employer. This is done for all links in every email whether the sender is ‘known’ or not. The user has peace of mind knowing all links clicked on in email are protected and if the links is safe there’s no interruption to how they work – the site will open as normal in the browser.
However, if they do click on something malicious Mimecast will block access to the site, let them know and give them options on what to do next based on their security profile set by the IT team.
Wholesale URL protection of this kind is more safe and effective than attempting to detect a single phishing email and recognizes that links can start safe but be compromised at a later date. Links in emails are scanned every time they are clicked to ensure they are safe – not just the first time.
For IT and security teams, this new service protects the organization whether users are in the office or not, something on-premise security options struggle to offer. They also have peace of mind that the cost of the service is easy to predict as it’s licensed per user and not per device.
In addition, no extra resources are needed to implement the service – it doesn’t require installation on devices or for end-user’s browser proxy configurations to be changed.
It’s controlled from a single Administration Console alongside other Mimecast services, which provides full visibility of blocked links and sites to assist administrators with ongoing threat management, reporting and any end-user education designed to reduce future risky online behavior. This information is accessible through an easy-to-use search log which can answer complex commands such as ‘show me users who clicked bad links yesterday’. This data can be used by administrators to set different policies by end-user based on their security profile e.g. block outright any at-risk site or offer a warning page to alert more informed users.
The threats to an end-users’ inbox are constantly changing and have moved far beyond the daily barrage of spam and virus content on their work desktop. We have to protect their work and personal desktop, laptop, tablet and smartphone as today they use them all for accessing enterprise email. With next generation services like Mimecast’s Targeted Threat Protection, companies can stay ahead of increasingly sophisticated attacks without increasing the workload of IT teams.
If you’d like to talk to Mimecast in person about the email security threats and how our services can protect you and your company, we’ll be attending Infosecurity Europe this week at stand F86 – if you’re in London and attending do drop in.
by Orlando Scott-Cowley
Last month Israeli security forces imposed their right to examine your email at their border crossings; the initial panic was calmed by a clarification from the Israeli Attorney-General stating the specific circumstances for the search. Previously, in 2009, the United States imposed a right to search your electronic devices, and keep them for further examination, at border crossings too—without any suspicions of wrongdoing. Are these signs that our local data is no longer private when we travel?
State sponsored search of your devices, and data, now becomes the latest privacy worry for any international travellers; we’ve always been worried about malicious attempts to gain access to our data, or having our laptops stolen from airport security screening points, but now the case for travelling completely clean is made.
Many technology travellers I talk to have always maintained a set of clean equipment, which is only used on trips outside their native country. Before and after every trip their laptop, smartphone, and tablet get factory wiped and restored from a known good image. This is especially important when returning from a trip to ensure the platforms remain clean – those devices are also replaced more frequently than home devices, and are occasionally stripped to check for “extra hardware”.
Maybe; but more sensible than paranoid, as we’re in the days of state sponsored hacking such as Flame, Stuxnet and Duqu.
If you’re wondering how you manage to work in such a sterile environment – have a think about how the cloud supports your remote working now. Keeping your data on your local hard drive isn’t the necessity it once was; it seems quite antiquated to me.
Cloud services that allow you to store your data online mean you’re only ever a click away from that data, and given the ubiquity of Internet access these days, that’s never a problem. Of course data stored in the Cloud isn’t beyond the reach of search warrant of subpoena, but at least it’s not local on your device being carried through a border crossing.
Email inboxes should remain empty until you’re safely through a border crossing, and on a known and trusted network. Once you’ve downloaded your recent email remember to remove the account and wipe the device before you leave the country too; there’s no sense taking the precaution for inbound border crossing and forgetting about the outbound.
The same applies to file data, leave your files in the cloud and only access them when it’s safe. Don’t store anything locally unless you can securely wipe the hard drive after use.
From an enterprise IT perspective; CISOs and CIOs should educate their users on how to handle such incidents, and of course draw up a policy for international travellers. It does occur to me that your IT department can help, by disabling your access to ‘their’ services on your devices until you give them the go ahead once safely at your destination. Deleting your stored passwords on devices would also prevent the access of data not stored locally.
For travellers the Cloud should now be as essential as your flight socks and money belt. As someone before me once said – “Don’t leave home without it”.
by Orlando Scott-Cowley
Doctor Who: Series 7 Part 2, The Bells of Saint John.
There’s something in the WiFi. You know you’ve made it as an actor and as a security issue when you appear on Doctor Who. If, like me, you tuned-in to (showing my age there, who “tunes-in” anymore?) the new series of Doctor Who last weekend, you may have chuckled at the use of WiFi networks as a medium for evil. Rogue Access Points that upload the soul of their users, leaving them trapped inside a Spoonhead, sorry server, somewhere in London’s Shard building. Kudos to the script writers for the plot, and for renaming servers, spoonheads – I’ll be in the spoonhead room.
“I don’t know where I am… I don’t know where I am…” is a cry most IT managers, administrators and help desk staff have heard in their time; usually from hapless users trying to find their way onto the network or perhaps around their desktop, rather than being trapped inside an evil WiFi network. That wasn’t lost on me, nor was the uploading of souls; something we might think Facebook has in their roadmap–or at least the curating of your own soul. The evil walking WiFi base stations, hoovering up data and people, did remind me of Google Street View cars that were caught hoovering up WiFi networks, but I’m sure that’s coincidental.
Now, while not all WiFi networks are this evil there are certainly many we should avoid. I’m still amazed to see the SSID “Free Public WiFi” whenever I’m on a train or at an airport; while not necessarily unsafe, it does indicate an old an unpatched version of Windows XP is running somewhere – which in itself is terrifying. Others are certainly more dangerous; there’s often a looky-likey network at conferences or near popular coffee shops, designed to trick you into joining and routing your traffic through them. This is just plain unsafe and even on open public networks you should always use a VPN or at least HTTPS connections. Firesheep was an excellent demonstration as to how vulnerable unencrypted web traffic is on open wireless networks.
As IT professionals we’re constantly reminding our users of the security risks associated with the unknown; like free or open WiFi networks as well as clicking links in email. Hopefully now Rogue Access Points have made it to prime-time this job will be a little easier.
I’m waiting to see if there is another episode of Doctor Who dedicated to Phishing emails, or perhaps password sniffing, but in the mean time I’m trying to work out how to change my SSID to that funky font used in Doctor Who.
Remember, if you’re looking for WiFi and sometimes you see something a bit like this, don’t click it.