I just received a fraudulent email claiming that my LinkedIn account was locked out.  At first glance the sender appeared legit as did the body of the email and the link that I was supposed to click on to reset my password.

Reviewing the raw source of the email showed that it was bogus.  (that and the obvious fact that I could still log in to my LinkedIn account)

The link went to some web site (NOT LinkedIn)  that’s most likely designed to get me to enter my user credentials and if I had done that, then someone else would now have control of my Linkedin account.

Just because it looks legit, doesn’t mean that it is.   Don’t get all clicky just because someone sent you an email.

“McAfee is aware that a number of corporate customers have incurred a false positive error due to incorrect malware alerts. Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The 5958 DAT has been removed from McAfee download servers, preventing any further impact to corporate customers. McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. You can view information at https://kc.mcafee.com/corporate/index?elq_mid=2362&elq_cid=757526&page=content&id=KB68780 (NOTE: system is currently slow) or the McAfee Community at http://community.mcafee.com/docs/DOC-1374/”

http://isc.sans.org/diary.html?storyid=8656

Modern cell phone devices can be loosely categorized into three tiers based on the functionality of each device: basic, advanced, smart

1) Basic

a. Cell phones that only provide voice and messaging capabilities

2) Advanced

a. Cell phones that provide additional features such as GPS or multimedia capabilities

3) Smart

a. Cell phones that provide PDA functionality including document management and manipulation.

b. Provide alternative network access including 802.11 wireless networking capabilities.

The key difference in the way we view these various devices is that the most advanced of them are truly full featured computing devices and should be subjected to the same scrutiny and governance as any other mobile IT corporate asset such as a laptop. These new devices are capable of nearly every function of their larger counterparts including document storage and manipulation, web browsing, messaging and direct network access via WiFi. Additional and unforeseen functionality may be added with the addition of third-party applications. While these devices are similar in many ways to regular corporate assets, they differ in one fundamental way: size. Due to their small size the risk of loss or theft is significantly higher than their larger counterparts.

According to the document from NIST entitled “SP800-124: Guidelines on Cell Phone and PDA Security” an estimated 85,619 mobile phones and 21,460 PDAs were left behind in one Chicago taxi firm’s vehicles during the six-month period of the study, compared with only 4,425 laptops. One estimate given for the year 2007 was that approximately eight million phones would be lost. These numbers suggest that it is prudent to employ a more stringent security regiment for those cellular devices capable of carrying sensitive data to include data/disk encryption and remote wipe capabilities.

Just as the risks are varied depending on the type of device, so too, are the efforts employed to secure the devices. A basic cell phone may be best secured by merely enabling a screen-lock that requires that the user enters a pin number before accessing the device. More robust and feature-filled devices that are equipped with document management tools, WiFi and internet access require appropriately robust solutions, comparable to larger portable devices such as a laptop. These more advanced cellular devices should use the same types of security as would be recommended for a corporate laptop, including firewall, anti-virus, anti-malware, remote wipe capabilities, strong passwords and encryption at the file and disk levels.

Issues with Connectivity

With the addition of 802.11 and Bluetooth wireless connectivity to this new class of portable device, care should be exercised to limit potential exposure when utilizing these connections to connect to corporate assets or when transmitting business related information. Whether web-browsing or using email, an unsecured WiFi connection can lead to confidential data leakage. When sending information over WiFi make sure that the connection is encrypted whenever possible (such as with an SSL connection.) If data is being sent via insecure means such as email, care should be exercised to protect the data by utilizing encryption (even using a password-protected zip format will provide at least some protection)

An improperly secured Bluetooth link will allow an attacker to surreptitiously connect to the device and potentially download any and all information stored on it. Bluetooth pairing pin numbers should always be changed from their default values, or should be disabled when not in use.

Consideration should also be given to the possibility of the device being used as a proxy, allowing unauthorized connectivity to/from the internet by proxying the WiFi connection to the cellular data connection.

Methods of Protection

Due to the similarity in features that smart phones have with laptops it is reasonable to consider securing the device as if it were a laptop or any other corporate asset. That means employing a local firewall, anti-virus/anti-malware measures, encryption of corporate data, enabling VPN connectivity to access corporate assets, etc. Any non-essential services should be disabled when not in use (such as Bluetooth or WiFi)

These devices should also be subject to the same scrutiny and rigorous standards as other corporate devices and subject to the same policies and procedures regarding acceptable use, authorized software, password requirements, Internet policies, etc. Specific policies and procedures should be created to assist in the governance of these devices (including laptops) that would delineate the methods and tools used to enforce these recommendations.

Threats:

Security concerns for the different types of cell phones are cumulative starting with the ‘basic’ cell phone.

Basic Cell Phone Security Concerns

a. Loss, Theft, Disposal

b. Unauthorized Access/Usage

c. Eavesdropping

2) Advanced Cell Phone Security Concerns

a. Electronic Tracking

b. Server resident data

3) Smart Cell Phone Security Concerns

a. Malware

b. Data Interception or Access

c. Network Access

d. Should be regarded as a small form factor laptop for the purposes of security requiring the same methods of protection including anti-virus, anti-malware, etc.

Recap/Recommendations:

The amount of effort employed to secure each type of device should be commensurate with the potential risk associated with each class of device.

1) Basic and Advanced Cellular Phones

a. Employ the use of a screen lock password

b. Where possible enable backups of phone data to the network (via activesync or other methods)

2) Smart phones

a. Should be regarded as comparable to a laptop in regards to data exposure and potential risk and therefore should employ the same methods of protection.

b. Anti-virus measures should be installed and utilized.

c. Anti-malware measures should be installed and utilized.

d. Firewall software should be installed and active to prevent unauthorized connections to or from the device.

e. VPN connections should be used when connecting into the corporate network

f. Non-essential services (such as Bluetooth or WiFi) should be disabled when not in use.

g. Strong passwords or two-factor authentication should be used to secure access to the device’s networking connections.

Resources:

The security concerns delineated here are taken from various sources, primarily from NIST SP800-24 “Guidelines on Cell Phone and PDA Security” http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

I haven’t tried the Windows client so I can’t vouch for it, but so far the Mac client has worked with no problems.

::Full Disclosure::

And if you decide to try it out I’d appreciate it if you used my link here.  It’s a referral program and I get an extra 256MB of space for each person that signs up through the link.   For a short time, their bumping that up to 512MB per sign up, so I thought I’d plug the product here and maybe earn myself a bit of extra backup storage!

There are unconfirmed reports that this critical patch was released out of band due to the vulnerability that it addresses is currently being exploited in the wild.

• Microsoft Patch Details: http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
• ISC details may be found at: http://isc.sans.org/diary.html?storyid=5227
• In depth details of the vulnerability: http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

Somewhere between these two is “Passphrase Mnemonics”  (yes, that’s my term for it – don’t blame anyone else).  Passphrase Mnemonics allows the average individual to have unique, easily remembered and cryptographically strong passwords for each and every site requiring a login without resorting to writing them down or storing them in a program.

Before we get right down to it though, let me explain why this post is entitled ”Passphrase Mnemonics” and not “Password Mnemonics”  It’s really quite simple: the term “password”  implies using a single word to verify your login, whereas “passphrase” implies using a string of words or a phrase.   Phrases are easy to remember and can provide more security than a single word.  And at this point, we should all be using phrases instead of words.  Especially words that can be found in a dictionary.  Not just an english dictionary; any dictionary such as French, Spanish, Swahili, Finnish, Vulcan, Klingon, Elvish, etc.   Any word that’s found in a dictionary can be easily brute forced using one of several freely available tools.

On to the method or the “Mnemonic”  (by the way, a “Mnemonic” is simply a memory device that you use to remember something ~ think of the old rhyme “30 days hath September…”  That’s a mnemonic to help remember the number of days that each month has)

Step by Step:

1. Find a favorite book or movie – I like to choose a book with at least twelve chapters, so for this example I’ll use “Snow Crash” by Neal Stephenson
2. Choose a chapter based on the number of the month.  Since this post is being written in September, I’ll use chapter 9.
3. The initial passphrase will be the first sentence of the given chapter, so in this case the first sentence of the 9th chapter of “Snow Crash” is “The world freezes and grows dim for a second”
4. Lets choose a site that requires a login.  I’ll choose Yahoo.
5. Now create the passphrase for the site by using the first three letters of the site, followed by a special character:  yah!
6. Appending the first three words of the initial passphrase (substituting underscores for spaces) yields: yah!The_world_freezes
7. Last step, change each word by substituting a number or a special character for a letter in each word: yah!Th3_w0rld_fr3ezes

So for every site that requires a password you simply prefix your passphrase with the first three letters of the site.  This same password for Amazon would be ama!Th3_w0rld_fr3ezes.

Is this as robust and as secure as using software based password tools like PasswordSafe?  No, not at all.  But it’s a sure bet safer than using the same password everywhere!  And you don’t even need to write it down or have your pda handy to keep it safe.  All you need to do is remember your passphrase (Th3_w0rld_fr3ezes) and know what site you’re logging into and viola! Simple, cryptographically strong and easily remembered unique passwords for each site.

If you’re comfortable using software-based password managers, by all means continue to use them.  If you’ve considered them in the past, maybe now would be a good time to do a bit of googling on password managers and find one you like.  But if not, this relatively simple process will at least provide you with a method of creating decent passwords (passphrases)

If you’re like me and you know of several people that might not have the technical savvy to be aware of scams that ask you to log into a bad guy’s site which is masquerading as your bank or other trusted online source.  Some of these fake sites go to the extremes of mimicking every single part of the trusted site,  with the exception of the login form.    Entering your credentials here gives the bad guys all they need to drain the victim’s account via the legitimate site.

How can we expect people with little to no technical experience be able to recognize these threats and avoid them?

The answer is so simple even your crazy Aunt Martha can do it.  (ok, maybe not crazy Aunt Martha, but everyone else)

Train your userbase (mom, dad, the neighbors, co-workers, etc) to use the double-login method.

The double-login method (my own name for it) has the user enter false information first, and then the legitimate information.   A bogus login and password will be accepted by a bad site every time because they have no way of validating the information until later when they attempt to use it to compromise the account.

An example:

Crazy Aunt Martha gets an email from her bank asking her to verify some security settings or transfers on her account.

Unbeknownst to Aunt Martha, the email was fake!  It was a phishing attempt that contained a link that was formatted to look like it came from her bank, but in actuality connected her to the bad guy’s site which has been set up to look just like the legitimate bank.

Aunt Martha doesn’t know the difference between the good site or bad, nor was she able to tell that the email link she just clicked on was bogus.  What Aunt Martha can do is use the double-login method to protect herself.   She attempts to log into the site with her bogus information and it gets accepted!  She immediately knows that this is a “Bad Guy’s Website” and promptly closes her browser and forwards the email to her bank’s security contact, which (being the great IT guru that you are) already placed into Aunt Martha’s address book.

A quick follow-up call to the bank can confirm the details and Aunt Martha’s life savings are intact!

If the bogus credentials are accepted, then the site is bad.  How easy is that?

In the interest of full disclosure: This isn’t my idea.  I heard of it at a small security conference earlier today.  I just think it’s a really great idea that needs to be shared!