ERE Information Security Auditors

Archive for June, 2010

Are you Using or Abusing Digital Certificates?

Friday, June 25th, 2010


Digital certificates were originally designed to bind an identity to a public key, so that the key's owner could be authenticated, could not later repudiate what they had signed, and, where the key pair was also used for encryption, so that written communication could be kept intact and confidential.  They, of course, became the standard way of securing Internet-based transactions.

Today many people take for granted that digital certificates are intrinsic to any web-based transaction and that the transactions are therefore safe.  But are they?  By the way, I stand corrected – I just did a quick poll of 10 people who regularly do e-transactions on the Internet, and one of the ten even knew of the existence of digital certificates.

Here is what digital certificates are and how they work.  A digital certificate is an electronic document, much like an electronic version of a passport.  It carries very similar boiler-plate information about both its owner (the subject) and its issuer.  The issuer is, hopefully, a certificate authority (CA): analogous to the country that issues a passport, it is widely recognized and everybody else is prepared to trust what it vouches for.

The certificate also carries the owner's public key, and the certificate authority's signature over the whole document is what lets anyone check that this key really belongs to the named owner.  The matching private key is a secret that should be known only to the certificate owner; it is never part of the certificate, and a well-run certificate authority never sees it.  The two keys work only as a pair: whatever one key encrypts, only the other can decrypt, and a signature made with the private key can be checked by anyone holding the public key.

For example, if Bob wants to send a confidential email to Sally, Bob signs the email with his own private key and then encrypts it with Sally's public key.  Sally decrypts it with her secret private key and checks the signature with Bob's public key.  Only Sally's private key can undo encryption made with her public key, and only Bob's private key could have produced a signature that Bob's public key accepts.  So confidentiality and fairly strong authentication of the sender are provided.

Another example.  If Bob wants to send an open email to many people, but needs everybody to be sure that Bob was the sender, he signs it with his private key and anybody receiving the email checks the signature with Bob's public key.  The email itself is readable by all, but only the holder of Bob's private key could have produced that signature, so the sender is authenticated to the degree that Bob has kept his private key to himself.
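The two Bob and Sally exchanges above, written out as an added example (this is not code from the original post). It uses the modern forms of the two operations, RSA-PSS for the signature and RSA-OAEP for the encryption, and the message text and the names Bob, Sally and Mallory are constructed for the demonstration. Besides the happy path it shows two things the prose implies but does not spell out: a message signed by someone else and passed off as Bob's is rejected, and a ciphertext altered in transit does not decrypt at all.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message is the constructed sample email Bob sends to Sally.
const Message = "Sally, please wire the $10,000 deposit to the escrow account today. -Bob"

// SealedMail is what travels over the wire: the body, readable only with
// Sally's private key, plus Bob's signature over the plaintext body.
type SealedMail struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal performs the two steps from the post in their modern form: sign with
// the sender's private key (RSA-PSS), then encrypt with the recipient's
// public key (RSA-OAEP).
func Seal(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, msg []byte) (*SealedMail, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// OAEP wraps at most keyBytes - 2*hashLen - 2 bytes (190 for RSA-2048 with
	// SHA-256); real mail systems wrap a random symmetric key instead of the body.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &SealedMail{Ciphertext: ct, Signature: sig}, nil
}

// Open reverses the steps: decrypt with the recipient's private key, then
// verify the signature with the claimed sender's public key. The plaintext
// is returned only when both steps succeed.
func Open(recipientPriv *rsa.PrivateKey, claimedSenderPub *rsa.PublicKey, m *SealedMail) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, m.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decrypt failed: not encrypted to this recipient, or ciphertext tampered")
	}
	digest := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(claimedSenderPub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: not signed by the claimed sender")
	}
	return pt, nil
}

// Outcome records what Sally recovered and whether two attacks were rejected.
type Outcome struct {
	Recovered       string
	ForgeryRejected bool // Mallory signs with her own key but claims to be Bob
	TamperRejected  bool // one ciphertext byte flipped in transit
}

// Demo runs the Bob-to-Sally exchange and the two failure cases.
func Demo() (Outcome, error) {
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	sally, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}

	mail, err := Seal(bob, &sally.PublicKey, []byte(Message))
	if err != nil {
		return Outcome{}, err
	}
	pt, err := Open(sally, &bob.PublicKey, mail)
	if err != nil {
		return Outcome{}, err
	}

	// Mallory cannot read mail, so she forges her own and claims Bob sent it.
	forged, _ := Seal(mallory, &sally.PublicKey, []byte("Sally, wire it to MY account instead. -Bob"))
	_, forgeErr := Open(sally, &bob.PublicKey, forged)

	// A single flipped bit in transit makes OAEP decryption fail outright.
	tampered := &SealedMail{Ciphertext: append([]byte(nil), mail.Ciphertext...), Signature: mail.Signature}
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := Open(sally, &bob.PublicKey, tampered)

	return Outcome{Recovered: string(pt), ForgeryRejected: forgeErr != nil, TamperRejected: tamperErr != nil}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Sally read: %q\nforgery rejected: %v\ntamper rejected: %v\n", out.Recovered, out.ForgeryRejected, out.TamperRejected)
}
```

Sally only learns the plaintext after both the decryption and the signature check pass, which is the property the two-step description in the post is really after.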

Online vendors use digital certificates together with the SSL protocol: the certificate identifies the vendor's site, and the SSL handshake then negotiates the keys that encrypt each transaction, protecting its validity, integrity and confidentiality.  Any visitor to a properly secured e-transaction site should be able to view the site's digital certificate, including the signature and hashing algorithm the certificate authority used to sign it.  In this case the validation goes in only one direction: the site identifies itself conclusively to the visitor, while the visitor is usually identified to the site by nothing more than a user name and password.

Yikes!  SSL Meltdowns

We've probably all read about the recent SSL certificate validation problem rooted in a weak hashing algorithm.  This is not the first problem with SSL.  There was a doozy in 2009.  And in 2008.  And so on.  Each time there is a problem, someone finds a fix, such as moving to a stronger hashing algorithm.

Whether the industry uses SSL or its successor TLS, there will undoubtedly be further security vulnerabilities, and further remediation for them.

The big issue is how to take reasonable precautions to protect oneself from SSL meltdowns.  Here is a simple precautionary SSL check-list.

  • Do verify that the URL you are visiting is the one you expected, and not a look-alike with extra characters, slashes or sub-domains where they don't belong.
  • If in doubt, phone the vendor and confirm the site address.
  • Do take the time to view the digital certificate on a web site and check that it was issued to the organization you expect.
  • If in doubt, research the certificate authority that issued it.
  • Remember that not all portions of a web site are secured with SSL.  Users can stray to an unprotected area of a site, where anything they type travels in the clear.
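The certificate fields a visitor is told to view, and the first four check-list items, as one added example that is not part of the original post. It builds a root CA and issues a certificate to a site (the names Example Trust Root CA, Some Other Root CA, shop.example and Example Shop Ltd are constructed for the demonstration, not real organizations), prints what a browser's certificate viewer would show, and then runs the browser's own checks programmatically: the certificate is accepted for the expected host name, rejected for a look-alike host name, and rejected when checked against a certificate authority that never issued it. It goes a little beyond the check-list by showing which distinct error each failure produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a fresh key pair and a certificate for tmpl. With parent nil
// the certificate is self-signed (a root CA); otherwise it is signed by
// parentKey, which is how a CA vouches for a site's public key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a root CA certificate valid for ten years.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// Describe returns the fields a browser's certificate viewer shows: who the
// certificate was issued to, who issued it, how it was signed, and for how long.
func Describe(c *x509.Certificate) string {
	return fmt.Sprintf("Subject: %s\nIssuer: %s\nSignature algorithm: %s\nValid: %s to %s\nDNS names: %v",
		c.Subject, c.Issuer, c.SignatureAlgorithm,
		c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"), c.DNSNames)
}

// VerifyFor does what the browser does before showing the padlock: chain the
// site certificate to a trusted root and check it names the host the user typed.
func VerifyFor(site, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Result holds the legitimate case and the two suspicious cases from the check-list.
type Result struct {
	Summary     string
	Legitimate  error // shop.example checked against the root that issued it
	Lookalike   error // same certificate, but the user typed shop-example.com
	UnknownRoot error // same certificate, checked against a CA that never issued it
}

// Demo builds the CA, issues the site certificate (constructed names) and runs the checks.
func Demo() (Result, error) {
	root, rootKey, err := issue(caTemplate("Example Trust Root CA"), nil, nil)
	if err != nil {
		return Result{}, err
	}
	otherRoot, _, err := issue(caTemplate("Some Other Root CA"), nil, nil)
	if err != nil {
		return Result{}, err
	}
	site, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "shop.example", Organization: []string{"Example Shop Ltd"}},
		DNSNames:     []string{"shop.example", "www.shop.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return Result{}, err
	}
	return Result{
		Summary:     Describe(site),
		Legitimate:  VerifyFor(site, root, "shop.example"),
		Lookalike:   VerifyFor(site, root, "shop-example.com"),
		UnknownRoot: VerifyFor(site, otherRoot, "shop.example"),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(r.Summary)
	fmt.Println("shop.example:", r.Legitimate, "\nshop-example.com:", r.Lookalike, "\nunknown CA:", r.UnknownRoot)
}
```

The look-alike URL fails because the host name is compared against the certificate's DNS names, not because anything about the certificate itself is wrong; the unknown-CA case fails because the chain cannot be tied to a trusted root. Those are the two things a user is really checking when they read the URL and look at who issued the certificate.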

Have a secure week.

Regards,

Ron Lepofsky, CISSP, B.A.Sc. (Mech Eng)

ERE Information Security and Privacy Auditors

How about my idea for securing the nation’s electric grid?

Wednesday, June 9th, 2010


NERC's June 2, 2010 report identifies potential paths to destruction of the North American electrical grid (www.ere-security.ca and http://www.nerc.com/).  These paths include co-ordinated cyber, physical and blended attacks, pandemic illness, geomagnetic disturbances and electromagnetic pulses.

In my opinion, while NERC (North American Electric Reliability Corporation, www.nerc.org) has accurately identified real security risks, it has missed the main point.

Yes, our energy grid is woefully in need of upgrading to mitigate the threat of a cascading failure, an example of which many of us experienced in August 2003 (http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003).  And yes, the NERC CIP-001 through CIP-009 security standards (http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html and http://www.nerc.com/page.php?cid=2|20) for the real-time monitoring and management of electrical grids are an important and meaningful tool for making our grid more robust, survivable and secure.

However, the report's fundamental recommendation calls for better co-ordination between US power-grid providers and the government.  To me, government co-ordination is an oxymoron.  We can all see how well government co-ordination is working on the Gulf oil spill.

To rid the nation of electric grid gremlins, we don't need cooperation, we need a bigger stick.

I think the path to grid deliverance is for the government to replace co-ordination with costly penalties for those utilities which fail to comply with the NERC CIP standard.

Expensive penalties might get utility executives to take their security risks more seriously, and perhaps to start by addressing the "here and now" concerns expressed by their own SCADA IT security staff.  We have worked with SCADA IT staff who were already aware of existing security risks, but since an event had not yet caused a costly or embarrassing outage, their executives were loath to invest in mitigating those risks.

So perhaps the time is right to up the ante on the downside cost of a security event by adding a serious financial penalty.  Executives can then re-evaluate their security ROI business cases to include the new downside.

In our security auditing experience with electrical utilities, we have identified many security threats and vulnerabilities which could be turned into disasters by very low-tech and unsophisticated means.  Terrorists, solar events and pandemics are not remotely required in order to exploit very commonly found weaknesses.  Somebody with a six-foot ladder and a laptop could potentially do just as much damage.

The solution to this problem is to fund the security programs at the electrical utilities sufficiently that their own security teams can adequately and reasonably implement the NERC standard, with emphasis on sections like Electronic Security Perimeter (CIP-005) and Sabotage Reporting (CIP-001).

While it is exciting and stimulating to think about how our electrical grid could be brought down by behemoths of nature and by evil people with malicious intent, the reality is that our grid is susceptible to the simplest of gremlins.

Maybe it’s time to think again.

Have a secure week.

Ron Lepofsky, CISSP, B.A.Sc. (Mech Eng)

President,

ERE Information Security and Privacy Auditors

Stolen Gaming Credentials can cost Big Bucks!

Wednesday, June 2nd, 2010


Here's a glaring example of how recreational online gaming of any sort can lead to unintended expense and headache.

On May 27, Angela Moscaritolo at SC Magazine wrote an article about Symantec having discovered a database server hosting the stolen credentials of 44 million accounts belonging to at least 18 gaming websites.  You can see the article on the ERE RSS feed or at http://www.scmagazineus.com/44-million-stolen-gaming-credentials-discovered/article/171128/e.

Online gamers own virtual assets within their games.  These assets can be bought and sold for real dollars, sometimes thousands of them.  An individual who steals and uses a gamer's identity gains access to the gamer's assets, which they can then use, sell or vandalize.

In any instance where a gaming site holds its members' credit card and banking information, the potential for identity theft and credit fraud escalates once a gamer's credentials have been stolen.

Online gamblers face the same risks as online gamers whose credentials are stolen, with the added grief of facing a foreign jurisdiction when attempting to claim losses against the gaming site.  This is because most such sites, for reasons of US law, reside outside the jurisdiction of the USA.

The same problem is faced by members of online transaction sites, where the members' authentication credentials are stored by the site.  If a member's user name and password are stolen, the member faces exactly the same risks as the online gamer, risks that are exacerbated if the member's credit information is also stored electronically with the site.

While credit companies are implementing multi-factor authentication to mitigate potentially fraudulent transactions, electronically stored credit card information is still a theft target.  In these critical situations, my preference is to err on the side of conservatism: if anyone has access to electronic information, then potentially anybody has access to that same information.

So the question is “What should gamers and transaction site members do to protect their electronic identities?”

The answers are mundane but effective:

  • Regularly change passwords.  A stolen password that has since been changed is useless to the thief.
  • Use groups of passwords, prioritized by importance, for different uses.  The best advice, of course, is to use a different password for every single use, including logon to your home and work computers, online banking, transaction sites, etc.  This is not practical for most folks, so a tradeoff is to have a few different passwords but never to use the same password for both critical and less critical applications.
  • Consider storing (new!) passwords in an encrypted file or an electronic vault.  Various programs and utilities are available to help with this.  The two immediate benefits are that passwords are no longer stored in the clear, and that the stress of remembering all of them, and where each is used, disappears.
  • Store the master password for your "password vault" in a secure, non-electronic form, or disguise it with a personal scheme of your own: for instance, add a prefix and suffix that are meaningful only to you and are not composed of any personal information.
  • Do not log on to any system over Wi-Fi or a cellular network unless the logon sequence is encrypted.  Otherwise the logon credentials are easy prey for eavesdropping and "man in the middle" attacks.
  • Do not share passwords with anyone.  Ever.
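The "encrypted file or electronic vault" and "never reuse a password" items above, as one added example that is not code from the original post or from any particular vault product. The vault contents (sites bank, game, forum and their passwords) and the master passphrase are constructed for the demonstration. The key is derived from the master password with PBKDF2-HMAC-SHA256, written out here because the Go standard library before 1.24 does not ship it, and the file is protected with AES-256-GCM, so a wrong master password or any tampering with the file is reported as an error instead of producing garbage. Reused lists entries that share a password, the habit the second item warns against.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"sort"
)

const (
	saltLen    = 16
	iterations = 100000 // slows down offline guessing of the master password
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	var blockIdx [4]byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(blockIdx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIdx[:])
		u := prf.Sum(nil)               // U_1 = PRF(password, salt || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Vault maps a site or purpose to the password used only there.
type Vault map[string]string

// newGCM derives a 256-bit key from the master password and the salt.
func newGCM(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the vault and encrypts it. File layout: salt || nonce || ciphertext.
// The salt is also bound in as associated data so it cannot be swapped unnoticed.
func Seal(master string, v Vault) ([]byte, error) {
	plain, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(master, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plain)+gcm.Overhead())
	out = append(append(out, salt...), nonce...)
	return gcm.Seal(out, nonce, plain, salt), nil
}

// Open decrypts a sealed vault. A wrong master password or any change to the
// file fails GCM authentication, so the caller never sees corrupted entries.
func Open(master string, sealed []byte) (Vault, error) {
	if len(sealed) < saltLen+12+16 { // salt + GCM nonce + GCM tag
		return nil, errors.New("sealed vault too short")
	}
	salt := sealed[:saltLen]
	gcm, err := newGCM(master, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	plain, err := gcm.Open(nil, sealed[saltLen:saltLen+ns], sealed[saltLen+ns:], salt)
	if err != nil {
		return nil, errors.New("wrong master password or corrupted vault")
	}
	var v Vault
	return v, json.Unmarshal(plain, &v)
}

// Reused returns, sorted, the entries whose password also appears under another entry.
func Reused(v Vault) []string {
	bySecret := map[string][]string{}
	for site, pw := range v {
		bySecret[pw] = append(bySecret[pw], site)
	}
	var dup []string
	for _, sites := range bySecret {
		if len(sites) > 1 {
			dup = append(dup, sites...)
		}
	}
	sort.Strings(dup)
	return dup
}

func main() {
	v := Vault{"bank": "correct horse", "game": "battery staple", "forum": "battery staple"}
	sealed, _ := Seal("m@ster passphrase", v)
	back, err := Open("m@ster passphrase", sealed)
	fmt.Println(len(sealed), "bytes on disk; entries recovered:", len(back), err)
	_, err = Open("wrong", sealed)
	fmt.Println("wrong master password:", err, "\nreused across:", Reused(v))
}
```

The salt makes every vault file derive a different key from the same master password, and the iteration count is what makes guessing that master password expensive once someone has copied the file, which is the threat the check-list's "store the master password somewhere non-electronic" item is about.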

Have a secure week.

Ron Lepofsky, CISSP, B.A.Sc. (Mech Eng)


Copyright © 2007-2008. All rights reserved.
