Frederick Giasson

Information Gathering
Get an eye on your teckies

You are an IT department administrator? You have people to supervise (teckies, developers, etc)? Take an eye on them. The problem is that they need information to do their work. Sometimes they don’t find it and ask for it. Sometimes they ask for opinions, review and tips to their pair. There is several ways to ask for this information. Occasionally they use Usenet or Webforums. The problem with these technologies is that all their content is logged. By example, Google get an archive of most of the Usenet groups since ~1997. Most of the times they need to detail their problem to get valuable answer from other users. If he has a problem with the topology of your enterprise’s network, he’ll probably write things about the hardware used, the subnets used and the technologies in place inside your enterprise. At last, most of the time, he’ll ask these questions during is working hours. There isn’t any problem with this fact, but who say working hours also say company’s computer and company’s computer settings like company’s email address and identification. Then they will use their enterprise email to get answers to their questions.

If you understand the problem, you’ll see that you have a post on a Usenet group, sent by one of your teckie or developer, where you have sensitive information about your enterprise’s network infrastructure tagged to it by the email of the so helpful employee.

What you can do? Educate them. The only thing that they want is doing their job. But sometimes they don’t see that they can harm the enterprise by doing this type of things. They only need to be educated to the problem. They only need to be aware of the problem. It’s your job, not necessary their.

If you don’t believe what I say in this post, try it. You’ll be astonished by the results.

Know you Enemy
Does he really know them?

First, I want to excuse me for the lack of posts in the last 4 days, I had other things to do and had a shortage of time. So, the article that I’ll comment is 5 days old but I want to comment it anyway.

There is an article that I need to comment on. The problem with it is that he doesn’t focus on his subject, go everywhere and try to cover a wide question in a little article. The title is “Know your enemy” — cliché. He writes on 3 main subjects: Companies resources (new network technologies), third world hackers (money as motivation) and others obscure ones (custom software and social engineering). There is what he said about the second subject and I want to comment on:

Should US companies worry about hackers in Russia and other countries?
Hackers from countries where the economy is less developed than the US
are more motivated by money than by pride when they start trespassing
on US companies – as opposed to US hackers, who are motivated more by
pride than money. (There are many other ways that you can make money
in the US.)
Also, money is a stronger motivator than pride. That’s why people
motivated by money are more dangerous. Hackers are businesspeople [if
they are motivated by money]. In most cases, they are probably just
having difficulties in their countries finding and exploring
opportunities to work.
If a company that is hacked into can explore with a hacker his or her
talents in a more peaceful way, the victim can only benefit. If these
hackers are businesspeople, they can be redirected by being offered a
better deal than the one they might get by creating pressure through
hacking.
I deeply believe in this point. It is hard, however, to generalise too
much because every case involves different kinds of people and
different circumstances.
What security measures offer the best protection against hackers?
Keep the hackers occupied if you recognise them as a threat. This
might be similar to what some countries have done with their nuclear
scientists – Russia, for example, keeps them under close supervision
and treats them well, but above all keeps them busy professionally.

The problem is that he make too emphasis on the typical hacker of Hollywood. Really, he is not a threat. The real threats are the criminal groups. They begin to see benefits with cyber crimes and they exploit it. They exploit the internationalisation of the Internet and the lack of law applicability of many countries. This is the real problem. It’s true that the motivator is the money in this case too, but good luck to employ them after. I think that he talk about a minority of cases, and by doing so, he’ll not get rid of the real problem, the real danger, the criminal groups implication in the cyberspace.

It’s my 2 penny to the discussion.

[In addition to the post: 12 October 2004]
—————————————————
I just read Bruce Schneier’s October blog posts. He talks about this subject the 4 October with Bill Brenner from SearchSecurity.com. It’s interesting to see that I’m not alone to share this view. I know that many other people do too. There is the excerpt from his post:

“What’s the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We’re seeing a huge increase in identity theft and associated financial theft. We’re seeing a rise in credit card fraud. We’re seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there’s a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we’re seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty.”
———————————————–

Simple technologies
Not as safe and simple as they appear

In our new brave world, technology is spreading everywhere. We use things we don’t understand how it work; it work so easily that we don’t have and try to understand how it work. We use it and that’s it. The problem is that if a thing become to ease to use, we low down our awareness and tend to think that it’s not dangerous because it seem simple. Some times, it’s true, other times it’s not. It’s not because a thing is easy to use that it’s not dangerous. I don’t learn you anything by saying this but we tend to forget these things, me the first.

One example can be your neighbourhood. It’s not because nothing happened the time you lived there that nothing can happen. It’s not because you never do a car accident and that car seem simple and are easy to use that a car isn’t dangerous and that a car accident can’t kill you.

Another interesting example that I thought of, and that leaded the write of this post, is the use of cordless phones or baby monitors. They are easy to use, not expensive and everybody use one in their houses and apartments. We can use it at 10, 20 or 30 foot of the base. Wow, thank God for these tools. Yeah, it’s true that they are really interesting and useful. The thing that you need to ask yourself is: if I’m using a cordless phone at 30 foot of the base and that I can have a conversation, do another person can? The answer is yes. Must of cordless phone don’t use encryption. They seem simple, but they are not. They use different technologies: analog, digital, DSS, Etc; they have all different levels of security. If you buy a product that seems to have integrated security, be aware. Don’t believe everything that a constructor can say in his publicities. By example, the Motorola Secure Clear system in 1990 was not really secure at all. It was only using speech inversion as “encryption”. A scanner with a little gadget of 5$ was able to “decrypt” the whole thing. It’s the same thing with the baby monitor. Depending of the technology you are using, you can have a better security. By example forget the analog technology, anybody can listen at it. However, if you are using a digital cordless phone using the DSS technology, you’ll get rid of many problems. If you buy a baby monitor, be aware; use it only when you really listen at your baby. Don’t forget that they are in reality small radio emitter/receiver.

One problem with these two technologies is probably the police. I know that in some states it was legal to eavesdrop conversations of cordless phones without any warrant. I don’t know if it’s always the case, but I don’t think the situation has changed. Changed or not, it don’t discard the case that everybody who wish to eavesdrop your conversation can without to many problems. It’s sure that it’s a felony in many countries, but they have the power to do it.

The only thing that I can say is to be vigilant toward the technologies you are using. In this post, I talked about some technologies that are threats to your privacy, but have in mind that other technologies can be threats to your physical security. Just be aware of what you are using; simple != safe to use. Simple in appearance is more and more not simplest in reality. It’s why it’s always important to inform yourself about technologies you are using.

For Paranoiac – Part 2
Hide your information flow

Today using encryption can raise a flag to who is spying your information flow. The fact of encrypting one of your message can says that this message is of some importance. Why? Because in these days, message encryption is relatively rare. Some will says that this is not true; all transactions are encrypted and many sites use SSL or other encryption negotiation protocols to hide your requests and transactions. The problem is deeper. With information flow analysis, you can easily infer meaning of a flow of information. We’ll take an internet information flow for our example. The internet works because all the communications are done with some type of protocols. You have one to see web pages, another to get your emails, another to send your emails, one to send files, etc. All these protocols can be view as signatures. If someone is spying your internet information flow, he can easily discard all the data you send over the internet except your emails. Why he can do this? Because he know the signature of this specific flow of information. If you encrypt one of your email message, he’ll be able to easily infer that this message is of some importance; except if you encrypt all of your emails (in this case you have another information flow pattern). He can infer this information because you changed your communication pattern.

It’s why stenography can be interesting, because you can hide and change your signature. The problem is that by doing this you can raise suspicious by possibly changing your communication pattern again. Nothing is perfect in this world!