Do not give power to your foes
The principle of information pipeline

Many say that information is power. Then, why do you give power to your foes? Is that your wishes? There is the idea being this article: cut the information pipeline of to your enemy to prevent you greater harm.

Do not help your attackers gathering information about your network. The first step of an attack is the reconnaissance of the playground. It’s done by social engineering, physical site reconnaissance, internet search, network mapping and DNS reconnaissance. After they map their target by war dialling, network mapping (ICMP), port-scanning and vulnerability scanning.

If you cut their sources of information they’ll not easily be able to go through these first essential steps. The principle is the same as in personal self-defence, if you look self-confident, attentive and aware, most of your possible stalker will watch for another target; they don’t need to get in trouble with you; they need an easy pray; a pray that they can hunt easily. The same principle is present here; if the first steps of an attacker are hard to get troughs, most of the attackers will try to find another, more easily penetrable system. Sure that there are exception, if your attacker is searching challenge and not profit (money or peer acceptance), you’ll probably fit his prey pattern and get stock with him.

You need to always have in mind you goal. Your goal is to limit the information that attackers can gather from your organisation, his personal and your network. By remembering this goal, you’ll probably be able to find what your information leaks are and how to prevent them. There are some examples:

• Your attacker can bring much information by looking at your garbage containers.
o You can hire a specialised garbage collector that will destroy your garbage’s. (Just ensure that the company is trustable).

• Your attackers can bring information on your employees for further social engineering tricks.
o You can try to limit the information about your employees you put on the internet. (Example, by not putting your employees’ contact book.
o You can teach your employees to be aware of this situation; how attackers do this type of attack on them.

• Your attacker can map your network by ICMP querying.
o You can block the ICMP echoing of certain critical part of your network.

• Your attacker can do banner grabbing to try to know which program deliver a specific service (example sendmail for SMTP).
o You can choose a product where you can alter or delete the banner when a session is open (a banner is a signature sent by a software generally when a connection is attended).

• Your attacker can try to guess your firewall rules with a TCP ACK scan.
o You can also choose a firewall that store the stage of his connection to refuse the ACK response packet.

• Your attacker can use packet fragmentation options to do his scan to stealth the scan attempt toward the firewall and IDS (old ones)
o You can use a firewall or IDS that refragment packets before analysis.

These examples are obvious. However, the goal isn’t to do an exhaustive checklist of what to do, but to give you some example that will help you find information leaks about your company.

What’s important here is to always have the principle in mind. How to implement this principle in the everyday life of your enterprise is another question but you have some leads here.

Enjoy the principle, the lecture and feel free to add your stone to the foundation.

Articles published by Microsoft this week
All on computer security

This week many interesting articles about security have been published by Microsoft. I just write this little post to let you know about them. The most important publishing was the MSDN magazine issue of November 2004. All articles are about computer security. Articles cover a wide range of subject from cryptography to .NET technology. After this, there was another really interesting article called The Security Risk Management Guide. It was written to help Microsoft?s client to type, build and maintain a security risk management program.

Always on the computer security subject but on another topic: passwords and pass phrases. There are 2 articles written by Jesper M. Johansson: Part 1 and Part 2, and another to come soon.

Finally there is the Security Application section of the .NET framework on MSDS that is always a good reading.

This is all I have to say on this today. Then good reading on Microsoft!

Google used by terrorists
The search engine that can save lives

Google is an information gathering engine; everybody knows the fact (it’s the definition of a search engine, but Google is a bit more). In the past, US Army had sensitive document leaks on Google. Theoretically terrorists were able to use it and get access to those same documents. Do they do it? No demonstrations of this have been done for the moment. We can think that they did, but I never had any confirmation of this.

But yesterday terrorists used Google to find information on a hostage. They used it to confirm his identity. By confirming his real identity, they saved his live. It seems that we can use Google to destroy things (by gathering information about bomb making or critical infrastructure information) but also to save lives. Is that true? Possibly. It demonstrates the new power of internet as an ease information gathering system that can be used for anything, by anybody, all around the world.

Google Desktop Part 2
The AIM logs problem

I was wandering around Google Desktop for another day. I was questioning myself of pros and cons of the usage of this product. The fan of my laptop is crying to death. Indexing finish after 3000 hits. If I reinstall the thing it stops after 10000 hits. It seems to have a problem of indexing; normal it’s a beta version.

I came along a new thing that I didn’t saw before. It’s in relation with the AIM. I’m not normally using it, I prefer MSN Messenger. Everybody knows that Google Desktop index all messages from AIM. It’s not really news in itself. The thing that most people don’t know is that if you turn off the logging property of your AIM it seems that Google Desktop index your messages anyway. Is anyone can confirm me this? It seems that there is no solution to the problem and that the only way to get rid of this bug is to uninstall Google Desktop.

There are some excerpts that I took on the webpage of the Google Desktop that seems to confirm this observation:

“…An AIM chat window for that person opens. If you’re not signed on to AIM, Google Desktop Search will try to sign you on…”

“…When you look at a web page, read an email, open or edit a file, or have an AIM chat, Google Desktop Search does two things. It indexes that item’s content so it can find the item later. It also copies the item’s content into its cache, so that you’ll be able to find and see long-finished chats and older versions of files and web pages…”

This is a problem because you don’t have any power on this. If you use Google Desktop you bypass the ability of AIM to don’t log conversations.

So, if they are doing this for AIM, they’ll probably also does it for MSN Messenger and further products that they will support.

There is a last question pending in my mind: Why are they doing this? Is this for future plans or only because they didn’t see this like this?