Archive for August, 2009

Mythic Monday – Brünnhilde Sleeps

August 24th, 2009 Josh No comments

In Wagner's Ring Cycle, Brünnhilde is cursed by Odin for fighting on the wrong side of a battle. She is put into a coma and hidden behind a wall of impenetrable fire until rescued by a brave hero. (For those that want more detail, but don't want to spend 15 hours listening to an opera, look here.) As is always the case in myths and legends, the hero shortly arrives, gets through the fire all right and rescues the "damsel" (who was truly a Valkyrie).

Now, the Ring Cycle is amazingly complex and even this tiny little bit lends itself to a great many security-focused interpretations (firewalls, penetration testing, identity theft), but today I want to look into encryption and steganography.

Essentially, when Brünnhilde upset Odin, he hid her inside a mortal woman (steganography) and isolated her from access to all but one person (the encryption key). Just as in business, there are risks inherent to Odin's plan. If the encryption is too weak, Brünnhilde might be rescued by someone other than Siegfried, her intended. On the other hand, if it is too strong, or Siegfried happens to fall upon some trouble prior to the rescue, she might never be freed.

Luckily for aficionados of myth and fifteen hour long operas, literary convention protects us from a story involving Brünnhilde roasting behind a wall of flame for millennia or one in which she is rescued by Fred the Handyman. Alas for us though, literary convention does not protect businesses.

When a business protects its data with encryption, it takes the risk that the keys may be lost. If they are, it's all up to the level of encryption used. If the encryption is too strong, the data is effectively lost (Brünnhilde sleeps forever). If, however, it's too weak, the data may be recoverable by you (or your competitor, Handy Fred).

Similarly, Odin's plan of hiding his Valkyrie within the form of a mortal woman is quite clever. However, it's only useful so long as it is rare. If every mortal woman (or even a reasonably large percentage of them) were truly an otherworldly warrior woman, someone who wished to engage in the practice of uncovering the Valkyrie within (never wise) would simply need to get a decent sample of mortals and start decryption activities. In business, this would be like an attacker checking every file on a website for evidence of steganography. Once found, they would know which ones to check out for hidden data.

There are two main lessons to learn from this myth. First of all, if you encrypt something, be sure to have a key. If you think that there is a reasonable risk that your key may be lost (Siegfried did have a troubling habit of battling dragons and otters), it may make sense to make backup copies. Though having a stash of emergency backup heroes would make for a pretty poor myth, it is essential in the business world.

Quite to the opposite, while steganography works well in myth, it's less effective in the business world. If you hide your vital data (or Valkyries) in other files (or mortals), it's only useful so long as you remember where it's hidden. If you want to share the vital data, you have to let others know where it's hidden... and a shared secret is only good so long as both parties keep it and no third parties listen in. After all, if you have a secure channel through which to share the existence of the steganographic file, you might as well just share the data. Heck, even in the myth, the fact that we know that Odin hid Brünnhilde within a mortal means that the secret wasn't kept.

That's not to say that steganography is useless, but it is quite limited within a traditional business environment. Better, perhaps, to focus on the encryption side and make sure that the data cannot be read even if found. Then you don't have to worry about supporting back channels and can devote all your resources to protecting known data rather than trying to hide it. (On the defense side, being aware of steganography as a back channel is very useful, but protecting against it and using it operationally are very different things.)

So, in the end, it would be wise to use encryption where you can, not be distracted by steganography, and avoid Norse sagas as they never really work out well for anyone involved.


Site Review – LinkedIn

August 21st, 2009 Josh 2 comments

Who doesn't know about LinkedIn by now?  This business-focused social networking site has been around seemingly forever (2003 is forever ago, right?).  There are even blogs dedicated to helping you maximize your use of LinkedIn.  Really, what more can I add?

You probably already know the basics.  If you have an account on LinkedIn, you can add all the business associates you know to your account.  This gives you a sort of online Rolodex that you can access from anywhere.  Digging deeper, you can use groups to find the contact info for people you know, but perhaps not well.  You can ask and answer questions and try to use the network to find contacts deeper within an organization.

It's very useful for sales people and job hunters... and since everyone will likely be one or the other at some point in their career, most people are on it.

However, like all systems, there is a dark side. Many security practitioners constantly caution about putting personal information online. This information can be used in social engineering attacks against a business or to engage in identity theft. If someone manages to get your LinkedIn credentials, they also get access to all of your contacts. For a sales person, this can result in loss of competitive advantage. Moreover, if someone untrustworthy manages to link into your network, they can see everyone you know. This information can be used to target existing clients or uncover information about the structure of your company and related companies.  On the other hand, this same design allows legitimate people in your network to leverage your extremely valuable connections, which can strengthen your relationships to all parties involved.

This is a fairly typical risk management problem. If you put data into the system, you run the risk of its being misused. But if you do not, your competitors can leverage their networks better than you. What can you do?

The solution that most people take is to simply ignore the risk. They assume that everyone is who they claim to be and will link willy-nilly to all and sundry. Some of them even claim to be LIONs (LinkedIn Open Networkers) and will link to anyone who expresses an interest, often attempting to link to complete strangers.  (In the physical world, we use a different word to describe this behavior, but that veers from the topic at hand.)

Another solution is to ignore the site altogether. If your data isn't online it can't be compromised. Many in the security community approach it this way. It is the most secure solution, but you also lose all the benefits.

Of course, there is a middle ground. By using out of band techniques, you can have a reasonable assurance of a person's identity. For example, if you receive a LinkedIn invitation, you should first check out their profile and make sure that it matches what you expect. Then, you should send them an email or give them a call outside of the LinkedIn system and make sure that they intended to send you the request. If they say "yes", then you know that they are legitimate and you can add them to your network if you know them to be trustworthy. This doesn't address all of the risks, but it does hit the major ones while still allowing you to use the system to your advantage.


Small Business Defense – Anti-spam

August 20th, 2009 Josh No comments

There are many anti-spam solutions in the market.  They tend to fall into a handful of types.  However, all of them must do the same thing:  somehow determine which emails are legitimate and which ones are not.  There are many ways to do this, and most of them use differing combinations of the same techniques.  Thus, the main distinguishing characteristic is where the anti-spam solution fits into the network.

Client Software

A common solution is to use software that plugs into the email clients.  This gives the user direct control over spam handling at the cost of requiring the spam to completely traverse the system and end up on the final computer.  Thus, the risk exists that any malicious software may exploit the client and then run directly on the target.  Additionally, the server must handle the additional load of processing spam and the administrator has no direct control of the anti-spam system.

This solution is generally not a good fit for businesses, though it can be quite effective for home-based users or businesses small enough so as to lack an I.T. department or contracted service.

Server Software

A traditional solution is to purchase anti-spam software for the server.  This gives the email administrator direct control over the way that the anti-spam system operates.  The users typically see an email folder that contains "known safe" spam messages.  Thus, the users are protected against problematic emails but still able to inspect the acceptable ones if they choose to do so.

This is the standard solution for businesses, and works fairly well, though it does result in emails still traversing the system and adding load to the mailserver.  As spam traffic increases, the resources of the server must be scaled up.  Since there is no control of the spam until it reaches the server, the business still risks denial of service by choosing this solution.

Appliances

One way to solve the problem of the limitless scaling of server resources is to shift spam protection to an appliance.  In this solution, a dedicated device is placed between the Internet and the mail server which serves only to filter spam.  It is more complicated for the email administrator to manage, but it does keep everything within the control of the business.

Some of the larger businesses use this method.  It still requires email to enter the network, but it does protect the core systems against exploitation and limits the amount of email that the end users must sort through.

Cloud Solutions

Though "cloud" solutions are getting a lot of market buzz these days, some have been around for a long time.  In the anti-spam world, in particular, a cloud solution is often a good one.  With this solution, spam need not ever enter the business network.  The business is protected against malicious software and denial of service attacks.  The users don't have to deal with spam at all.

However, nothing is perfect.  The main drawback to the cloud solution is that it inevitably delays email delivery.  In short, you are adding an additional layer of processing and network transport, so every single email is going to be slower. While email administrators often state that "email is not instantaneous", the delays are often noticeable with this sort of solution.

Conclusion

As always, a balance must be struck.  You can emphasize usability -- giving control to your users and risking both direct exploitation and the consumption of internal resources.  You can emphasize security -- making email administration more difficult and delaying email delivery.  You can pick a solution anywhere along this spectrum, but no solution will ever be perfect.

What you can't do, however, is nothing.


Categories: Business Security

Small Business Attack – Spam

August 19th, 2009 Josh No comments

We've been battling spam for many years now.  We all know that the problem exists, and that it can be annoying... but sometimes it seems like the constant complaining of email administrators is even more annoying.  Is spam really such a big problem?

Let's look at it for a minute...  The influx of email can slow the mail servers.  Manually sorting legitimate email from spam can reduce employee productivity.  In some environments, the adult nature of spam can cause HR issues.

So sure, spam can be annoying, but is it really a serious problem?

Though I try to keep this blog from getting overly technical (after all, there are technical security blogs far better than mine), I am afraid that I have to dig a bit into the labyrinthine mess that is SMTP.  The Simple Mail Transfer Protocol dates back to 1971 and is the method still used to transfer email today.  (Though it has been extended and tweaked many many (many) times.)  These days, it is far from simple but it is still deeply flawed.

At its heart are three problems:

First of all, the protocol is plain text.  This means that anyone who can read the network traffic as it flows from the sender to the receiver can read the message.  This allows attackers to read or alter messages as they go by, thereby preventing the receiver from knowing for certain that the messages are private or even reliable.

Secondly, the protocol runs on the honor system.  Just as anyone can drop a letter into a mailbox and put on whatever return address they wish, anyone may send an email and forge any From address they want.

There are numerous technical measures that can be put in place to limit these two problems.  However, none of them work perfectly and each of them makes the maintenance of the system increasingly complex.  If too many of them are implemented, you run an increasingly greater risk of email being greatly delayed or simply not getting through at all.
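To make the forged-From problem concrete, here is an added example (not part of the original post) of a check a mail filter can run on a received message: compare the envelope sender recorded in Return-Path with the visible From address, and read the SPF and DKIM verdicts from the Authentication-Results header. The two sample messages are constructed and every domain in them is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; every domain is a placeholder.
LEGIT = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
Subject: Invoice

Hi Bob
"""

FORGED = """\
Return-Path: <bounce@bulk.example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example.org; dkim=none
From: "Alice" <alice@example.com>
Subject: Urgent

Hi Bob
"""

def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf= and dkim= verdicts from Authentication-Results.

    Only a header added by your own receiving server is trustworthy;
    a sender can put anything in headers it writes itself.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results

def from_header_findings(raw):
    """List the reasons the visible From address should not be trusted."""
    msg = message_from_string(raw)
    verdicts = auth_results(msg)
    findings = []
    # SPF only vouches for the envelope sender, so a pass means little
    # when the envelope domain differs from the one shown in From.
    if domain_of(msg["Return-Path"]) != domain_of(msg["From"]):
        findings.append("envelope/From domain mismatch")
    if verdicts.get("spf") != "pass":
        findings.append("SPF not passed")
    if verdicts.get("dkim") != "pass":
        findings.append("no valid DKIM signature")
    return findings
```

The forged sample passes SPF for the bulk sender's own domain, which is why the mismatch check matters more than the SPF verdict alone.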

Then, we have the final problem.  Though it doesn't relate directly to SMTP, the fact is that email is not human readable (by most humans, anyway), so recipients have to use email clients. As always occurs, a handful of email clients have become the most popular and are analyzed by attackers for problems. Then, email messages can be forged and sent containing malicious code that will exploit a flaw in the email client.

So what does all this mean?

Basically, in addition to spam being annoying and the extensions we've built around it making the actual system work poorly, we have a situation where attackers can target specific people and run their own software directly on the targeted workstation.

So how do we protect against it?


Categories: Business Security

Security Lessons from Nature – Anachoresis

August 18th, 2009 Josh No comments

Anachoresis.  The word can mean many things referring to hermitages, animals or bacteria.  Now, as interesting as the medical definition is, I am more interested in the zoological context today.  When the word is used in reference to little critters, it describes the habit of hiding in crevices to avoid predators.  If you're a mouse, such a strategy works great.  You just scurry about eating seeds all day and when it's time to sleep, you find a nice little hole and hide from all the cats that hunt at night.

The strategy, of course, is less effective when implemented by elephants.

As with most security strategies, this one works better for some animals than for others.  The same applies to businesses.  The equivalent strategy in the small business space is to try to "fly under the radar".  Much like mice hiding in holes, this strategy is only effective so long as there are other mice around for the predators to pursue.  As soon as the easy prey is eaten, predators start learning other techniques to get at the more difficult prey. Lizards may lose their legs and evolve into snakes.  Mammals became more slender and supple and grew into weasels.

True, in the business space, an attacker would be much happier to take control of a multi-million dollar business than a sole proprietorship. However, if all the big attackers are pursuing the bigger prey, the smaller attackers are free to go after all the little businesses hiding out in holes... and they've been busy.

Just like snakes and weasels, worm-based malware will crawl around the Internet looking for the little cracks and crevices in the security around small businesses. Like shrews, automated malware spreads and looks for juicy targets, which, when found, can be targeted by all. Similarly, like biological viruses, digital viruses can infect a small business and just wait for the right conditions to execute a payload.

The point of this isn't to scare you. Realistically, small businesses don't face the same threats that large enterprises do. However, that doesn't mean that they don't face any. It's one thing to use that justification to avoid spending large amounts of money on expensive protection that you may not need, but it's quite another to think that just because there are fewer threats you are safe. No matter how good it is at hiding, a mouse is not safe from a snake. Just as a mouse uses more than one security technique, businesses of all sizes should consider how much of a target they are, who wants to attack them and take appropriate action.

Hiding in the sand will only take you so far.


Categories: Natural History