by Orlando Scott-Cowley
Last month Israeli security forces imposed their right to examine your email at their border crossings; the initial panic was calmed by a clarification from the Israeli Attorney-General stating the specific circumstances for the search. Previously, in 2009, the United States imposed a right to search your electronic devices, and keep them for further examination, at border crossings too—without any suspicions of wrongdoing. Are these signs that our local data is no longer private when we travel?
State sponsored search of your devices, and data, now becomes the latest privacy worry for any international travellers; we’ve always been worried about malicious attempts to gain access to our data, or having our laptops stolen from airport security screening points, but now the case for travelling completely clean is made.
Many technology travellers I talk to have always maintained a set of clean equipment, which is only used on trips outside their native country. Before and after every trip their laptop, smartphone, and tablet get factory wiped and restored from a known good image. This is especially important when returning from a trip to ensure the platforms remain clean – those devices are also replaced more frequently than home devices, and are occasionally stripped to check for “extra hardware”.
Maybe; but more sensible than paranoid, as we’re in the days of state sponsored hacking such as Flame, Stuxnet and Duqu.
If you’re wondering how you manage to work in such a sterile environment – have a think about how the cloud supports your remote working now. Keeping your data on your local hard drive isn’t the necessity it once was; it seems quite antiquated to me.
Cloud services that allow you to store your data online mean you’re only ever a click away from that data, and given the ubiquity of Internet access these days, that’s never a problem. Of course data stored in the Cloud isn’t beyond the reach of search warrant of subpoena, but at least it’s not local on your device being carried through a border crossing.
Email inboxes should remain empty until you’re safely through a border crossing, and on a known and trusted network. Once you’ve downloaded your recent email remember to remove the account and wipe the device before you leave the country too; there’s no sense taking the precaution for inbound border crossing and forgetting about the outbound.
The same applies to file data, leave your files in the cloud and only access them when it’s safe. Don’t store anything locally unless you can securely wipe the hard drive after use.
From an enterprise IT perspective; CISOs and CIOs should educate their users on how to handle such incidents, and of course draw up a policy for international travellers. It does occur to me that your IT department can help, by disabling your access to ‘their’ services on your devices until you give them the go ahead once safely at your destination. Deleting your stored passwords on devices would also prevent the access of data not stored locally.
For travellers the Cloud should now be as essential as your flight socks and money belt. As someone before me once said – “Don’t leave home without it”.
by Orlando Scott-Cowley
Doctor Who: Series 7 Part 2, The Bells of Saint John.
There’s something in the WiFi. You know you’ve made it as an actor and as a security issue when you appear on Doctor Who. If, like me, you tuned-in to (showing my age there, who “tunes-in” anymore?) the new series of Doctor Who last weekend, you may have chuckled at the use of WiFi networks as a medium for evil. Rogue Access Points that upload the soul of their users, leaving them trapped inside a Spoonhead, sorry server, somewhere in London’s Shard building. Kudos to the script writers for the plot, and for renaming servers, spoonheads – I’ll be in the spoonhead room.
“I don’t know where I am… I don’t know where I am…” is a cry most IT managers, administrators and help desk staff have heard in their time; usually from hapless users trying to find their way onto the network or perhaps around their desktop, rather than being trapped inside an evil WiFi network. That wasn’t lost on me, nor was the uploading of souls; something we might think Facebook has in their roadmap–or at least the curating of your own soul. The evil walking WiFi base stations, hoovering up data and people, did remind me of Google Street View cars that were caught hoovering up WiFi networks, but I’m sure that’s coincidental.
Now, while not all WiFi networks are this evil there are certainly many we should avoid. I’m still amazed to see the SSID “Free Public WiFi” whenever I’m on a train or at an airport; while not necessarily unsafe, it does indicate an old an unpatched version of Windows XP is running somewhere – which in itself is terrifying. Others are certainly more dangerous; there’s often a looky-likey network at conferences or near popular coffee shops, designed to trick you into joining and routing your traffic through them. This is just plain unsafe and even on open public networks you should always use a VPN or at least HTTPS connections. Firesheep was an excellent demonstration as to how vulnerable unencrypted web traffic is on open wireless networks.
As IT professionals we’re constantly reminding our users of the security risks associated with the unknown; like free or open WiFi networks as well as clicking links in email. Hopefully now Rogue Access Points have made it to prime-time this job will be a little easier.
I’m waiting to see if there is another episode of Doctor Who dedicated to Phishing emails, or perhaps password sniffing, but in the mean time I’m trying to work out how to change my SSID to that funky font used in Doctor Who.
Remember, if you’re looking for WiFi and sometimes you see something a bit like this, don’t click it.
by Orlando Scott-Cowley
This weekend Evernote became the latest cloud vendor to have its systems breached; user data including passwords has been compromised. In case this is news to you, a quick recap – Evernote assured us that passwords were correctly hashed and salted unlike LinkedIn, who neglected to salt their passwords. Evernote didn’t tell us whether or not the salts were compromised too. The attack “follows a similar pattern” to others so we can assume some sort of long term APT style compromise.
There are a couple of interesting observations one can make as a result of this last hack.
The usual amount of your-data-in-the-cloud-is-not-secure media hysteria has been dished out; no doubt some Evernote users will be busy deleting their notes as a result, even though their contents are probably as interesting as the ingredients list on a bottle of water. Being an Evernote user (yes, I have reset my password) I can’t help but think this isn’t about data in the cloud, or about the cloud at all; this is more about a target. Evernote was the target in this instance, before them it has been LinkedIn, Facebook, Yahoo, RSA Security, New York Times, Iranian nuclear centrifuges, the list goes on. Once the target has been identified this sort of “coordinated attempt to access secure areas” is likely to succeed regardless of the data’s location. The data could be anywhere; in the cloud, a server on your LAN, one of your users’ laptops (Facebook), a mobile device, a filling cabinet (remember those) or even data left on someone’s desk – the attackers will use whatever means they need to compromise that data.
Secondly, if there is weak security protecting that data, again the location is unimportant. Putting the data in the cloud on a dedicated platform means, as in Evernote’s case, the breach can be monitored and contained by people who’s job it is to do that. There is very little one can do to contain the old school espionage attack that reads secure material from your desk or even from your rubbish bin.
Evernote did the right thing and alerted its users to the hack, emailing them to advise password resets. They did slip up slightly though, by providing a link in the same email that also suggests users should “Never click on ‘reset password’ requests in emails — instead go directly to the service”. But to be fair, this is the first time Evernote has had to deal with this threat.
What this sequence of events really means is that 2013 could be the year that cloud service providers will rebalance their priorities, so that preparedness for attacks will be as important as getting the latest app version out the door, and also that we as consumers realise the importance of our data regardless of where we leave it.
by Orlando Scott-Cowley
Cloud computing is becoming the paradigm shift it always promised to be, even for larger organizations who scoffed at the cloud’s lack of enterprise support or security and thought it was for SMBs only. The promised all-around savings in almost all aspects of IT’s hard and soft costs are driving more and more businesses to adopt the cloud, as it allows them to shift large chunks of budgetary Excel spreadsheet from Capex to Opex.
Over the last few years, the cloud has brewed up a storm in the IT Infrastructure world. The basic idea behind the cloud is to deliver centralized IT services, usually from a third party, to help free up almost all operational and administrative burdens in the local IT department of your business. The cloud is routinely defined as having a handful of essential characteristics; on-demand self-service, broad network access, resource pooling, rapid elasticity and scalability.
The underlying technology behind the cloud is not that different from the systems traditionally within your network; cloud services generally offer platforms that replace onsite services like email, file handling, information management, and so on. The cloud simply uses them like any other platform in its normal communication and every day operation, so there is really nothing new here. We shouldn’t worry about how the cloud utilizes these standards, as being RFC compliant is an essential part of Internet participation.
Providers of cloud services and platforms also subscribe to an evaluative standards model as a way to differentiate themselves and ensure they are providing best practice and recognizable standardized behaviour to their customers. Evaluative standards are used to certify providers’ infrastructure, services and importantly their processes; the most common and well known form of evaluative standards are the ISO family, and the most applicable for this discussion is ISO 27001:2005, or to give it its full name ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems – Requirements. These standards are the most obvious areas we can improve on for the purposes of securing the cloud, and to some extent work has already begun.
by Orlando Scott-Cowley
Late last year I wrote about how important an email address is, and suggested that your email address is really part of your identity. That post seems more relevant today than when I wrote it, as this week we learn that both LinkedIn and eHarmony have had user credentials stolen.
LinkedIn confirmed that some of the passwords stolen do correspond to their users accounts, but that those passwords have since been disabled. Yesterday eHarmony confirmed a similar problem, on their blog. We can assume that for every stolen password the attacker has the corresponding email address, so is able to cross reference user details against cracked passwords. LinkedIn estimated that around 60% of the stolen passwords had already been cracked; this isn’t a surprise given what we know about the commonality and simplicity of users passwords, and the tools available to attackers such as Rainbow Tables.
LinkedIn’s disabling of users’ passwords is a good first step, but the password is only half the problem. Given that the majority of these services require users to login with, or at least register, an email address it is likely that the users credentials could well be valid across a variety of social media sites. I have today seen first-hand proof of this quite close to home, as no sooner had news broken of the LinkedIn hack than one of my colleagues received an alert from Facebook telling them someone had logged in from a new location and device; same email address and of course same password on both sites.
The problem highlighted here, and one that many of us are guilty of, is sharing passwords with many accounts, whilst the common factor is always the email address. Using a different email address for all your digital and social identities is impractical, using the same email address and password is simply convenient but lacks security; we trust our online service providers to keep our identity secure. But we’re learning the hard way that sharing passwords is and has always been a bad idea. Unfortunately RSA Security, Epsilon and HB Gary also found this out a little too late.
Mimecast’s own research released this week tells us that IT departments are worried about the risk presented by social media; fully 59% of IT teams we spoke to believed that social media usage at work increased the risk of corporate information leaks. It would seem that the users’ convenience is also a significant contributory factor to that risk. I would bet that some LinkedIn users probably login with their work email address and favourite password; I shudder to think what other online corporate services that email address might gain access to.
The lesson we should take away from the LinkedIn and eHarmony breach is twofold; we must learn that our email address is now a vital part of our identity and we should consider how it ties us to so many of our online services. Secondly there is a delicate balance between convenience and security. Sharing credentials between online identities means if you lose one you could lose them all. There are a number of tools that will let you generate and store complex passwords locally, then auto submit those passwords as login credentials to websites; whilst that might seem onerous the risk of compromise of all your online identities is small. IT Managers should also take this opportunity to educate their users on the benefits of good password discipline, password complexity and rotation.
Protecting your online identity is a 21st Century problem that one needs to take care of, convenience and laziness are your own worst enemy.