Information Gathering – Keep an eye on your techies



Are you an IT department administrator? Do you have people to supervise (techies, developers, etc.)? Keep an eye on them. The problem is that they need information to do their work. Sometimes they can’t find it and ask for it. Sometimes they ask their peers for opinions, reviews and tips. There are several ways to ask for this information. Occasionally they use Usenet or web forums. The problem with these technologies is that all their content is logged. For example, Google has an archive of most Usenet groups going back to ~1997. Most of the time they need to describe their problem in detail to get a valuable answer from other users. If an employee has a problem with the topology of your enterprise’s network, he’ll probably write about the hardware used, the subnets used and the technologies in place inside your enterprise. Finally, most of the time he’ll ask these questions during his working hours. There isn’t any problem with this in itself, but working hours also mean the company’s computer and the company’s computer settings, such as the company email address and identification. So they will use their enterprise email to get answers to their questions.

If you understand the problem, you’ll see that you end up with a post on a Usenet group, sent by one of your techies or developers, in which sensitive information about your enterprise’s network infrastructure is tagged to it by the email address of the ever so helpful employee.

What can you do? Educate them. The only thing they want is to do their job. But sometimes they don’t see that they can harm the enterprise by doing this type of thing. They only need to be educated about the problem. They only need to be aware of it. It’s your job, not necessarily theirs.

If you don’t believe what I say in this post, try it. You’ll be astonished by the results.
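One way to run that check against your own organisation, as an added example that is not part of the original post: it parses archived articles you have collected and flags those that carry a company From address together with internal IPv4 addresses. The domain, the function names and the three sample articles are assumptions constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

COMPANY_DOMAIN = "example.com"  # assumption: your organisation's mail domain
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample articles (headers, blank line, body); not real posts.
ARTICLES = [
    "From: Jane Admin <jane@example.com>\n"
    "Newsgroups: comp.dcom.lans.ethernet\n"
    "Subject: Routing loop between two subnets\n\n"
    "Our core switch routes 10.20.0.0/16 to the firewall at 192.168.5.1\n"
    "and packets loop. Any idea what to check?\n",
    "From: Bob Dev <bob@example.com>\n"
    "Newsgroups: comp.lang.perl.misc\n"
    "Subject: Book recommendation\n\n"
    "Which book would you recommend for learning Perl?\n",
    "From: someone <netfan@example.org>\n"
    "Newsgroups: comp.dcom.lans.ethernet\n"
    "Subject: Home lab\n\n"
    "My home router sits at 192.168.1.1, can I bridge two of them?\n",
]

def private_addresses(text):
    """Return the private (non-public) IPv4 addresses quoted in text."""
    found = set()
    for candidate in IPV4.findall(text):
        try:
            if ip_address(candidate).is_private:
                found.add(candidate)
        except ValueError:  # e.g. 999.1.1.1 is not an address
            pass
    return sorted(found)

def audit(raw_article, domain=COMPANY_DOMAIN):
    """Flag a post that ties internal addressing to the company via its From header."""
    msg = message_from_string(raw_article)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    from_company = sender.endswith("@" + domain)
    leaks = private_addresses(msg.get_payload())
    return {"sender": sender, "group": msg.get("Newsgroups", ""),
            "internal_addresses": leaks, "flag": from_company and bool(leaks)}

if __name__ == "__main__":
    for article in ARTICLES:
        print(audit(article))
```

Only the first article is flagged: the second has a company address but no infrastructure detail, and the third has an address range but nothing that ties it to the company.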

Know your Enemy – Does he really know them?



First, I want to apologise for the lack of posts in the last 4 days; I had other things to do and was short of time. So the article that I’ll comment on is 5 days old, but I want to comment on it anyway.

There is an article that I need to comment on. The problem with it is that the author doesn’t focus on his subject, goes everywhere and tries to cover a wide question in a short article. The title is “Know your enemy” (cliché). He writes on 3 main subjects: company resources (new network technologies), third-world hackers (money as motivation) and other, more obscure ones (custom software and social engineering). Here is what he said about the second subject, which I want to comment on:

Should US companies worry about hackers in Russia and other countries?
Hackers from countries where the economy is less developed than the US
are more motivated by money than by pride when they start trespassing
on US companies – as opposed to US hackers, who are motivated more by
pride than money. (There are many other ways that you can make money
in the US.)
Also, money is a stronger motivator than pride. That’s why people
motivated by money are more dangerous. Hackers are businesspeople [if
they are motivated by money]. In most cases, they are probably just
having difficulties in their countries finding and exploring
opportunities to work.
If a company that is hacked into can explore with a hacker his or her
talents in a more peaceful way, the victim can only benefit. If these
hackers are businesspeople, they can be redirected by being offered a
better deal than the one they might get by creating pressure through
hacking.
I deeply believe in this point. It is hard, however, to generalise too
much because every case involves different kinds of people and
different circumstances.
What security measures offer the best protection against hackers?
Keep the hackers occupied if you recognise them as a threat. This
might be similar to what some countries have done with their nuclear
scientists – Russia, for example, keeps them under close supervision
and treats them well, but above all keeps them busy professionally.

The problem is that he puts too much emphasis on the typical Hollywood hacker. Really, he is not a threat. The real threats are the criminal groups. They are beginning to see the benefits of cyber crime and they exploit it. They exploit the internationalisation of the Internet and the lack of applicable law in many countries. This is the real problem. It’s true that money is the motivator in this case too, but good luck employing them afterwards. I think that he talks about a minority of cases and, by doing so, he won’t get rid of the real problem, the real danger: the involvement of criminal groups in cyberspace.

That’s my two pennies’ worth on the discussion.

[Addition to the post: 12 October 2004]
—————————————————
I just read Bruce Schneier’s October blog posts. He talked about this subject on 4 October with Bill Brenner from SearchSecurity.com. It’s interesting to see that I’m not alone in holding this view. I know that many other people share it too. Here is the excerpt from his post:

“What’s the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We’re seeing a huge increase in identity theft and associated financial theft. We’re seeing a rise in credit card fraud. We’re seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there’s a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we’re seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty.”
———————————————–

Simple technologies – Not as safe and simple as they appear



In our brave new world, technology is spreading everywhere. We use things without understanding how they work; they work so easily that we don’t have to, and don’t try to, understand how they work. We use them and that’s it. The problem is that if a thing becomes too easy to use, we lower our awareness and tend to think that it’s not dangerous because it seems simple. Sometimes that’s true, other times it’s not. Just because a thing is easy to use doesn’t mean it’s not dangerous. I’m not teaching you anything by saying this, but we tend to forget these things, myself first.

One example can be your neighbourhood. Just because nothing has happened in the time you have lived there doesn’t mean that nothing can happen. Just because you have never had a car accident, and cars seem simple and are easy to use, doesn’t mean that a car isn’t dangerous or that a car accident can’t kill you.

Another interesting example that I thought of, and that led me to write this post, is the use of cordless phones and baby monitors. They are easy to use and inexpensive, and everybody uses one in their house or apartment. We can use them 10, 20 or 30 feet from the base. Wow, thank God for these tools. Yes, it’s true that they are really interesting and useful. The thing you need to ask yourself is: if I’m using a cordless phone 30 feet from the base and can have a conversation, can another person pick it up too? The answer is yes. Most cordless phones don’t use encryption. They seem simple, but they are not. They use different technologies: analog, digital, DSS, etc.; these all have different levels of security. If you buy a product that seems to have integrated security, beware. Don’t believe everything a manufacturer says in its advertising. For example, the Motorola Secure Clear system in 1990 was not really secure at all. It was only using speech inversion as “encryption”. A scanner with a little $5 gadget was able to “decrypt” the whole thing. It’s the same thing with the baby monitor. Depending on the technology you are using, you can have better security. For example, forget analog technology; anybody can listen in on it. However, if you are using a digital cordless phone using DSS technology, you’ll get rid of many problems. If you buy a baby monitor, be careful; use it only when you are really listening to your baby. Don’t forget that they are in reality small radio transmitters/receivers.

One problem with these two technologies is probably the police. I know that in some states it was legal to eavesdrop on cordless phone conversations without any warrant. I don’t know if that’s still the case, but I don’t think the situation has changed. Changed or not, it doesn’t alter the fact that anybody who wishes to eavesdrop on your conversation can do so without too many problems. Sure, it’s a felony in many countries, but they have the power to do it.

The only thing that I can say is to be vigilant about the technologies you are using. In this post I talked about some technologies that are threats to your privacy, but keep in mind that other technologies can be threats to your physical security. Just be aware of what you are using; simple != safe to use. What is simple in appearance is, more and more often, not simple in reality. That’s why it’s always important to inform yourself about the technologies you are using.

For Paranoiac – Part 2 – Hide your information flow



Today, using encryption can raise a flag for whoever is spying on your information flow. The fact that you encrypt one of your messages can say that this message is of some importance. Why? Because these days message encryption is relatively rare. Some will say that this is not true: all transactions are encrypted and many sites use SSL or other encryption negotiation protocols to hide your requests and transactions. The problem is deeper. With information flow analysis, you can easily infer the meaning of a flow of information. We’ll take an Internet information flow as our example. The Internet works because all communications are carried out with some type of protocol. You have one to see web pages, another to get your emails, another to send your emails, one to send files, etc. All these protocols can be viewed as signatures. If someone is spying on your Internet information flow, he can easily discard all the data you send over the Internet except your emails. Why can he do this? Because he knows the signature of this specific flow of information. If you encrypt one of your email messages, he’ll easily be able to infer that this message is of some importance, unless you encrypt all of your emails (in which case you have another information flow pattern). He can infer this because you changed your communication pattern.

That’s why steganography can be interesting: you can hide and change your signature. The problem is that by doing this you can raise suspicion by possibly changing your communication pattern again. Nothing is perfect in this world!
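The inference described above, measured on your own traffic pattern, as an added example that is not part of the original post: it keeps only the mail flow by its port signature and computes how many bits an observer learns from whether each message is encrypted. The flow records, the port table, the threshold and the use of the PGP armor header as the visible sign of encryption are assumptions, and the traffic is constructed.

```python
import math
from collections import Counter

# Well-known ports play the role of the protocol "signature" seen on the wire.
PORT_SIGNATURE = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 443: "https"}
PGP_MARKER = "-----BEGIN PGP MESSAGE-----"  # assumption: the visible sign of encryption

def mail_flows(flows):
    """Discard everything except the flow whose signature says 'outgoing mail'."""
    return [f for f in flows if PORT_SIGNATURE.get(f["port"]) == "smtp"]

def looks_encrypted(flow):
    return PGP_MARKER in flow["payload"]

def surprisal_bits(flows):
    """Bits an observer gains from each message's encrypted/plain status."""
    mail = mail_flows(flows)
    counts = Counter(looks_encrypted(f) for f in mail)
    return {f["id"]: -math.log2(counts[looks_encrypted(f)] / len(mail))
            for f in mail}

def stands_out(flows, threshold_bits=2.0):
    """Messages whose status is rare enough to mark them as 'of some importance'."""
    return sorted(i for i, bits in surprisal_bits(flows).items()
                  if bits >= threshold_bits)

def sample(encrypted_ids):
    """Constructed traffic: 16 outgoing mails plus 40 web requests."""
    flows = [{"id": i, "port": 25,
              "payload": PGP_MARKER if i in encrypted_ids else "lunch at noon?"}
             for i in range(16)]
    flows += [{"id": 100 + i, "port": 80, "payload": "GET / HTTP/1.0"}
              for i in range(40)]
    return flows

if __name__ == "__main__":
    print("one encrypted mail :", stands_out(sample({7})))
    print("all mail encrypted :", stands_out(sample(set(range(16)))))
```

With one encrypted mail out of 16, that message carries 4 bits of surprise and is singled out; when every mail is encrypted the status carries no information and nothing stands out.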

What to do? – A story about sexual aggression



Last night I was in a bar and saw one of my old Thai boxing students. She was really excited and wanted to talk to me.

Here is the conversation:

“Heee Fred! How are you? I need to tell you something that I’m really proud of!”

“Fine, thanks! Tell me about it, then.”

“Some weeks ago I was in a bar with some girlfriends. We were enjoying our evening until a guy came to talk to me. He was really ill-mannered and impolite. I told him to leave me alone all evening but he didn’t hear anything. He always came back to talk to me.”

“Yeah, a persevering lad you got there”

“Yeah, too much for my taste. At the end of the night he finally grabbed me by the arm and got me out of the bar.”

“Hummm, after?”

“I was beginning to fear the guy. On the spot I didn’t know what to do.”

“Yeah, it’s sure that it’s always surprising the first time”

“When we arrived on the street he finally grabbed my breast and tried to pull down my pants. The thing is that he never had the time to do it. During this short space of time, I saw three of his friends coming closer to us. I saw that I was in trouble. Then I instinctively remembered what you taught me in your courses: I bent my legs, I brought my body closer to his, then I straightened my legs and struck under his nose with my palm. He automatically released me, held his nose with both hands and his eyes filled with tears. Then I ran for my life.”

“Yeah girl! I’m really proud of you! You did everything well; it’s exactly what you had to do!”

“Yeah I’m really proud of myself too! For some days afterwards I was afraid to be in public, but I got through it quickly.”

“Imagine if you had let him rape you? You would probably have had many more after-effects.”

… Etc…

I was indeed proud of her. It’s exactly what she had to do. First, there was a lad who was causing problems. He was persistent. She was aware of him. She knew that he could cause trouble.

At the end of the night he grabbed her; she knew that she was in trouble but was at first stunned by the lad’s action. Eventually she realised that she was being raped. Then she reacted to the situation. The only worthwhile action she could take to try to regain control of the flow of events was to strike, and strike hard, her rapist. That’s exactly what she did. After that, she didn’t have to keep striking him. She had to strike and run. She didn’t have to strike him again and again; otherwise there was a possibility of falling back into trouble. The only purpose of attacking the rapist is to have a chance to run and get help. She did it by the book and handled the situation perfectly. She struck him hard and ran to get help.

It was essential that she try to get out of this situation by any means and not let herself be raped for fear of being hurt. It’s a question of psychology. If she does everything she can to get herself out of this type of situation, she’ll know it and be proud of her reaction to the events. If she does everything in her power, she’ll be able to get through the aftermath more easily.

Here I’ll talk to girls. Please, if you ever live through this type of situation, do exactly what she did. Try, with all your power, to get out of the situation. You need to seem aware, rude and ready to fight. Rapists, like many other stalkers, don’t look for combative prey; they look for docile and weak ones. If you don’t fit the pattern, they look elsewhere. If this doesn’t work and he continues, then strike, and strike really hard. The goal of striking isn’t to kill him; it’s just to take him down for a few seconds, the time to run for your life. You need to strike to destabilise him. What she did was excellent because, by striking the nose, his eyes automatically fill with tears; it’s a natural reaction of the body. He’ll lose visibility and be out for a moment, and then you have the time to run. Another interesting place to strike is the testicles. Depending on your situation it can be with one of your knees or by squeezing them with your hands, etc. You can also poke his eyes, strike the Adam’s apple on his throat with your forearm, etc. If you are in a bar, you can always use a beer bottle to strike; it’s always effective and it will draw attention to you. Finally, do what you can in the situation you are in, but please, do something!

If you are interested in the subject and wish to learn more about self-defence, the psychology of criminals, awareness tricks and mindset, there is a huge literature on the subject. I can point you to some interesting introductory works that are inexpensive and easy to read: Dead or Alive by Geoff Thompson, Defensive Living by Ed Lovette and The Gift of Fear by Gavin de Becker.

Take care.