Security Watch | Matt Hines » December 2006

December 19, 2006 | Comments: (0)

Communication versus security

TAGS: Security

Well, it happened again this week. I ended up working with customers who didn't tell me a major change was happening to their network, the end result of which essentially ended up stranding them off of the Internet.

For the client, having this happen is kinda like having your car break down between two major cities, in some podunk little town without cell phone coverage. Not that podunk towns are bad, mind you, but people look at you strange and give you some outrageous estimate for getting your car back on the highway. Not a place you want your business to be for any length of time.

Last time this happened to me was when a provider decided to change BGP route entries without telling me. All of a sudden the company I was worked with couldn't access the Internet and my phone was ringing literally every 15 seconds. I had to go in and fix the problem, which was fairly minor, but it would have been nice to know ahead of time that this kind of event was going to happen.

Same kind of thing happened this weekend when a client changed web hosting companies (and DNS hosting as well) but neglected to tell us. Well, of course, DNS entries changed and things broke. Secure web transactions and email went poof. A few days later and things are back to normal.

But it would have been nice to know ahead of time.

Not knowing what your customers, clients, partners or providers are doing can cause you headaches and leave you exposed in a multitude of ways. Don't ask me about the client who decided to unplug the firewall from their corporate network because one of their VP's said it was getting in the way of a 'custom' application working properly.

I'm sure you have your own horror story about coming in one day only to find something changed and the person making the change neglected telling anyone. And fires ensued because of this communications failure or lack of communication.

The reason I'm telling you this now is because everyone is a little harried as we come up on the holidays. More shopping, more parties, more running around, more stress. You name it and is coming to a head in the next few weeks.

But don't forget communication. Make sure that everyone is aware of network or machine configuration updates or changes. Is someone making changes to the network during the holiday party because they think that's the best time to do it since no one will be on the network (yes, I've been involved in that kind of situation as well).

Communication saves time and effort in the long run. Make sure that everyone is still communicating effectively, even though too much sugar and lots of small sandwiches are being passed around in the conference room.

And don't forget that all of this holiday commotion can leave networks unnatended and logs unobserved. While a skeleton crew is running the data center because everyone else in on vacation, someone should still be on the lookout for nefarious activity both from the inside and out.

FYI

Even though the day after Thanksgiving here in the US, known as Black Friday, sees a huge upsurge in retail sales, it's this week that really gets retailers going. I managed to get a little e-shopping in today and was impressed at the site responsiveness from several e-retailers.

Maybe we'll be lucky and not have any major security incidents today.

Nope, just got another email about more security problems. Oh well.

Posted by Victor R. Garza on December 19, 2006 09:55 PM

December 09, 2006 | Comments: (0)

Is social engineering always used to commit fraud?

TAGS: Security

When I was describing social engineering to my latest VoIP class this week, one of the students asked the very relevant question, "isn't that just another name for fraud?"

Yes, Virginia, in most cases, social engineering is used to commit some type of misrepresentation or fraud. Especially in the context I was using it in, where I was describing how Kevin Mitnick used the 'art' of social engineering to find out if the FBI was bugging his phone (that and numerous other tricks) back in the day.

I was also describing the use of the 2600Hz tone to get free long distance when in-band signalling was still used by telephone companies. Draper was famous for his Captain Crunch escapades as well, and while this wasn't technically part of the social engineering discussion, it did act as a segue into how people are socially engineered all the time, even today. Case in point is the latest HP scandal where social engineering was used and for some reason is now called 'pretexting'.

What's the remedy for social engineering, you ask? Education.

Education of your employees is paramount to stop social engineering attacks.

Education in your tech support department is especially important, where an outsider acting as an employee can sometimes gain corporate access by gaming an unknowing (or overly trusting) tech support person.

In other words, when it comes to your support department - trust, but verify.

During class I couldn't think of a use for social engineering which didn't end in some type of fraud.

Let me know if you can think of any way that social engineering can be used for non-nefarious purposes. Right now I can't seem to think of any...

Posted by Victor R. Garza on December 9, 2006 03:56 PM