Sample Case

Some Seattle criminals were apparently hacking wifi to help them locate business servers with identity information and then breaking in and stealing the servers. This is a perfect example of why physical security risks should be checked along with any electronic security validation. Penetration testing needs to be both physical and electronic, because sometimes it’s just easier to walk away with the equipment than it is to hack in and steal the data.

Contents Of A Company Smart Phone Policy

What issues should be in a company smart phone policy? There are a lot of different options for restriction or permissiveness, depending on the company and any associated culture. If we run down all the possibilities (the ones we had thought of at the time; there are always more), you can use the list to check or build your own company policy.

Is company business permitted on personal phones, and vice versa?  This is the most important bit of information in your policy.  It determines how much effort you can expend in other areas, and how expensive they’ll be, or how much risk you’ll accept.  If you try a half-way approach, the end result is the same as if you openly permit mixing.  If you fail to address it, you have accepted the inevitable, so you might as well document it as such.  Company business on personal phones and personal business on company phones is no simple issue.

Allowing personal business on company lines means your security personnel can monitor it, or should. You’re monitoring all company assets for anomalous behavior, right? Hackers are into phones these days. You’d be a fool if you weren’t at least checking them once in a while, like we used to check PCs for viruses once a week. However, most employees don’t like knowing their personal calls are monitored. Plus, since any company property can become legal evidence, anything done on that phone can potentially come out in court. We all like to think our private calls to that certain number are private and unknown to others, but if it’s a corporate phone, it had better be known or one day it may turn into a courtroom surprise. Express your intent to have phones utilized in a professional manner for business use only to reduce the likelihood of courtroom embarrassment.

Permitting work on personal phones is worse in one way, which we’ve discussed previously, so we’ll zip through it here: your personal phone gets impounded as evidence, and no, you can’t back it up before we take it.

Specifically differentiate between business and personal use, what is acceptable, and in what quantity.  The easiest way is to specifically restrict use, even if it’s realistically impossible; at least you’re trying.  Failure to address it at all, however, means you implicitly accept it, which means you might as well document it so management understands what risk they are accepting.

Be specific, if you can, about what behaviors, frequencies, and durations of behavior are acceptable if you are permitting personal or business use. If you can’t be specific, you are assuming anything goes. At least try to limit it with a stock “professional behavior” phrase or similar.

Does your policy cover all the features of current phones (cameras, SMS, etc.), or just talk about a couple of issues? It needs to cover everything, plus contain extension language so that when they figure out how to do new things with phones you don’t end up having to rewrite the policy. Who knew ten years ago we’d finally be doing all the things today they told us about 40 years ago?

Discuss why you are restricting use.  People are a lot more likely to follow a policy they understand than one they think is draconian and absurd.  Don’t wait to educate them until you’re coming to get their phones for a legal case.

Discuss who it applies to. If you’re treating the executives differently than the staff, better mention it, or it could cause problems. Treating everyone exactly the same makes things easier, unless you’re the person explaining it to the C-levels.

Define the terms you use that could be misunderstood, perhaps deliberately, or what could be termed “weasel” words.  When you say “personal use and business use”, what do you mean?  When you say “off hours”, do you mean the same time for all shifts or different times?  Don’t say “disciplined” when you mean terminated.  Weasel words.

Define any exceptions, generally if necessary.  “You are allowed to use the company phone to make emergency calls, where emergency implies life and death situations.”  Why someone would need that laid out for them is a mystery, but you know if you leave it out, someone will get sued after somebody lets someone die because they couldn’t make a personal call on a company phone.  Read a spray paint warning label if you doubt it.

Particularly vulgar misuse should be defined and the resulting disciplinary and legal steps laid out to discourage straying from the expected path.  “If you take pictures of guests without permission and post them on the Internet or sell them to someone you will be fired and charges filed with the appropriate criminal authority.”

Make sure to cross link to your social networking policy, since many people take pictures just to upload them to their site and share with friends.

Can personal or business devices connect to business or personal networks?  In other words, are you going to trust that the mail-room guy’s phone is clean enough to let it access your corporate network?  This is the second most important issue, and it leads directly to complexity and cost.

Will you, for example, attempt to isolate personal phones from the main network?  If you do a good job, it’s going to cost.  If you don’t do a good job, you increase risk.  Mention it to management and see if they’re comfortable with it.

Will you permit work devices to surf on any old network and then return to the fold bearing who knows what sort of infection?  If you do a good job, it costs you, if not, it increases risk.

Related policies reminder. Remind users that when they use a device in a given setting, other policies may apply. So while that smart phone may be great for surfing porn in their basement, because it’s a work device, it’s still not permitted. Oh, and you can see them in the logs you’re monitoring.

Finally, damage.  If they drop their work phone at home, or their home phone at work, who’s paying and under what circumstances?  If they lose the phone on a subway, who’s paying to replace it?  Some employees will flush phones down the toilet repeatedly, it’s just in their nature.  Who’s paying?  And if you have someone losing phones, have plans for dealing with it.

Very importantly, have a hard policy regarding how fast they notify authorities and who those authorities are.  Many people will wait to inform you of a loss until they get the new device or the loss personally inconveniences them.  Meanwhile, the lost phone has been in the hands of bad guys for days or weeks.

Put a reward sticker on the phone.  It might result in the return of several valuable phones that would otherwise end up in pawn shops.  A few cents per phone versus hundreds of dollars for a single loss makes it worthwhile.

Security, alluded to above, is the cost that makes any risk bearable. What will you do, or be able to do, if a phone containing potentially sensitive business information is lost, or if personal information is exposed on company networks? There are a few facets to phone security issues.

Loss. In either business or personal property cases, where company information may be present, it is best for the device to:

  • Be locked with a code of some sort, to prevent immediate use. Also, activate this lock after a period of inactivity, like a screen-saver on a PC.
  • Be encrypted, to prevent stronger efforts at compromise, such as corporate espionage or other subversive reasons.
  • Be remotely wipeable, to allow for a positive acknowledgement that a device is completely safe. This is critical for assets storing very sensitive data, but won’t always be possible, especially in cases involving corporate espionage, so in those cases strong encryption is an additional requirement. Note that remote wiping of a personally owned device can create additional liabilities, the most obvious being: what if it’s done accidentally? Likewise, with a business device, a sales person could lose valuable scheduling data that hasn’t synchronized with HQ yet, costing them sales. Address these and other risks by having users sign an agreement acknowledging how phones are protected, specifying what they can do to avoid complications, and stating the company’s refusal to accept any liability. Place the onus on them to care for data that is important to them.

Integrity of the device: anti-virus, anti-tampering. Companies concerned about data leaks must weigh the risk of device compromise through malicious software and employ appropriate measures. Anti-virus is available for phones, as is anti-tampering software that performs an integrity check on the program portions of phone memory. This plays directly into whether or not you permit third-party untested applications to be installed on devices. If it’s a personal device, you don’t have much choice, so factor that into any decisions: such phones will leak data like a sieve. Business phones can be much more locked down, but you’ll need a process whereby new apps can be requested and tested.

Disable unnecessary services, just like with a computer.  If you can avoid Bluetooth, do so.  Same with Wi-Fi, but if you can’t, take appropriate mitigating steps.

If restrictions in use could conflict with emergency contact from relatives, provide contingency contact plans for them.  In other words, if you require personal phones to be removed or turned off, provide a way for relatives and emergency contact through other means, such as a paging system or central contact number that can reach the person.  Kentucky coal miners, as an example, cannot receive calls down in the mine, so relatives must contact the mine office which will use radios to relay appropriate information.

Legal requirements. Your legal department will likely want a couple of paragraphs in the policy, most notably regarding compliance with local laws and ordinances. Just because the business provides a phone doesn’t mean you can use it in violation of laws, such as those on phone use while driving. The legal department will specifically want that mentioned to escape liability when an employee breaks that law and ends up in trouble.

That’s a pretty big policy for such little devices.

Finding Clients/Finding Services

A few practitioners have asked me, and as a former customer I’ve had a similar problem: how do you locate local assets as either customers or practitioners?

Customers are confronted with two problems when looking for security practitioners: who’s in their vicinity, and who’s professional? Most clients only hear about practitioners through advertising, either direct or via some event with speakers. Professional mixers are common, but security people at those events, far less so. In many cases, companies looking for security consultants don’t realize they have one or two really special people in their neighborhoods, because those people are too busy to make the local advertising circuits. And any business person knows that local talent is cheaper than traveling talent, if you can locate good talent.

Practitioners have a similar problem in locating local businesses to work with. How do you find local companies in need of your services?

This is a list of all the ways Digital Trust uses to do both: find clients and find help.

Professional events, speaking engagements, Small Business Development Centers, and Chambers, local and regional.

Yellow Pages, and online versions, but nothing beats the paper book in our experience.

Zero effort lead generation from job boards. By monitoring resumes and/or job openings, opportunities can be easily located with little effort.

Although it’s harder to locate local professionals than for professionals to locate opportunities, both are possible by using these tools. Make a list, process it over time, and you’ll find what you’re looking for in a simple, logical, efficient manner.

A Short Review of Really Bad Password Policies

A recent client utilized some password controls (which are good) in ways we’d never seen before (which is bad).

The first thing that stood out was the length requirements. There was a minimum length of seven, and a maximum length of 8. The minimum was okay, provided additional controls enhanced it, but the max of 8 just seemed strange. It drastically cuts the available pool of passwords, for one.

For example, the password list we use contains (at the moment) 322,431 passwords, ranging from a length of zero to a length of 24. There are only five passwords of length 24, but they’re there. Note that random creations are not included; this is just a set of likely passwords, not all possible passwords. Unfortunately, when you restrict that to 7 or 8 characters the entire set contains only 80,610, a reduction of around 75%. Theoretically, that means during testing we miss 75% of target accounts. Realistically, 7 and 8 character passwords are more common than many other possibilities, and other password controls, like minimum length, mean the smaller passwords don’t matter anyhow, so the real reduction in correct password guesses will not be as harsh as 75%. At any rate, restricting maximum length is idiocy; the only justification for such a policy is machine limits and a need to break in. Otherwise, if a user wants a 24 character password, let them have it.

Restricting complexity is also a fundamental control flaw. If your users are given the choice between making passwords that look like “ricky” or making passwords that look like “Ricky@Ches”, they are in large numbers going to opt for “ricky”. The math here is quite simple. The single set of lower case characters numbers 24. If you simply add an upper case requirement, you effectively double your possible key values. If you add in numbers, you gain another 10, and special characters can add another 29 (US keyboard), or even more if you allow non-printing characters, up to 254. More realistically, a complete expected set of characters means 24+24+10+29, or 87 possible key character values. 87 is better than 24, by more than 3X.

Repeatability controls are put in place so users don’t keep using the same password. This can mean not being allowed to use the same password until some time has passed or a certain number of changes have occurred. When implemented poorly, this allows very dedicated users to change their password multiple times in a row until the requirement is satisfied, and then return to using their original password, circumventing the logic and reducing the effectiveness of the control.

Intelligence requirements involve more logic to restrict obvious or encoded passwords. This can become complicated, such as restricting the use of date based encoding (using a date in the password), or simple, such as not permitting the 1000 most common passwords to be used. Each rule increases the amount of processing, but lowers the likelihood of a password failure.

There are other controls, but these are among the simplest and most common. Failing to enact one isn’t a catastrophe (with the exception of length), but failure to enact all of them is a recipe for disaster.
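The four controls the post walks through (length with no maximum, complexity, repeatability, and an intelligence blocklist), written up as an added example; this is not Digital Trust’s code. The history depth, the one-day minimum age, and the blocklist contents are assumptions, and the second half shows why a count-only history can be cycled through the way the post describes, and why a minimum age closes that hole.

```python
"""Password policy checker: an added example, not Digital Trust's code.
Implements the post's four controls and demonstrates the history-cycling
weakness. History depth, minimum age and blocklist are assumptions."""
import hashlib
import re
import string
from datetime import datetime, timedelta

MIN_LENGTH = 7                # the post's minimum; deliberately no maximum length
HISTORY_DEPTH = 5             # previous passwords that may not be reused (assumption)
MIN_AGE = timedelta(days=1)   # minimum time between changes (assumption)
# Constructed stand-in for "the 1000 most common passwords".
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "ricky", "welcome1"}


def digest(pw: str) -> str:
    # History is stored hashed; a real system would use a salted, slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


def complexity_ok(pw: str) -> bool:
    """Require at least three of the four classes: lower, upper, digit, special."""
    sets = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in s for c in pw) for s in sets) >= 3


def looks_like_date(pw: str) -> bool:
    """Intelligence rule for date-based encoding: a year 1900-2099 or 6+ digits in a row."""
    for run in re.findall(r"\d{4,}", pw):
        if len(run) >= 6 or any(1900 <= int(run[i:i + 4]) <= 2099 for i in range(len(run) - 3)):
            return True
    return False


def validate(pw: str, history: list[str]) -> list[str]:
    """Return every violated control; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not complexity_ok(pw):
        problems.append("needs three of lower/upper/digit/special")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password blocklist")
    if looks_like_date(pw):
        problems.append("contains a date-like digit sequence")
    if digest(pw) in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


class PasswordHistory:
    """Per-user change log of (timestamp, digest) pairs, newest last."""
    def __init__(self) -> None:
        self.changes: list[tuple[datetime, str]] = []

    def change(self, pw: str, now: datetime, enforce_min_age: bool) -> bool:
        if enforce_min_age and self.changes and now - self.changes[-1][0] < MIN_AGE:
            return False  # changed too recently
        if validate(pw, [d for _, d in self.changes]):
            return False
        self.changes.append((now, digest(pw)))
        return True


def can_cycle_back(enforce_min_age: bool) -> bool:
    """Simulate the circumvention the post describes: set a password, churn through
    HISTORY_DEPTH throwaway passwords in one sitting, then try to return to the original."""
    hist = PasswordHistory()
    start = datetime(2011, 1, 1, 9, 0)  # constructed timestamp
    original = "Ricky@Ches"
    hist.change(original, start, enforce_min_age)
    for i in range(HISTORY_DEPTH):
        hist.change(f"Throwaway!{i}x", start + timedelta(minutes=i + 1), enforce_min_age)
    return hist.change(original, start + timedelta(minutes=HISTORY_DEPTH + 1), enforce_min_age)
```

With a count-only history, `can_cycle_back(False)` returns True; adding the minimum age makes it return False.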

Shmoocon 2011

Shmoocon’s impact on our people

We had a great time at Shmoocon, our first, and a special thanks goes out from the company to the friend of the show that got us the ticket. Also to all the great folks we met; here’s hoping we get to team with you on some work in the future. The Shmoocon organizers did a spectacular job of design and execution at the con, and the choice of venue was very good.

A special note about some of the worthy causes that Shmoocon (and others) help support, namely Hackers for Charity. H4C is a small, tiny really, group of security people supported by the community that does direct, hands-on work with charitable organizations worldwide, and has a boots-on-the-ground mission in Uganda. We won’t detail their work here, you can check the link, but you won’t find a better place to drop some of your corporate dollars. We support them as much as we can, and encourage others to as well. Your money has a direct effect on people’s lives all over the world, and helps improve security for the rest of us.

While we were out of town, our end of things was covered by a special group of good people. If you need security work (and we’re not available, of course) contact the fine folk at and they’ll help you out. They’ve contributed some serious goodness to the field over the years and won’t steer you wrong.

And one final note, to a person who will remain nameless in this blog, because name dropping is not only tacky but selfish: we meant what we said, a lot of what this company and the people in it have become is due in no small part to your efforts. So we’re making a donation in your name to H4C, because money is more honest than platitudes. Thanks.

Understanding Litigation

Digital evidence (eEvidence) in litigation is something that, if you’re on either side, you need to comprehend. Not understand; you need more than that. Especially when it comes to evidence and expert witnesses, judges and lawyers need an end to end confidence in the product. Lots of times, that’s not there. The lawyer seeks out someone “reputable” to handle the evidence collection, but what if they’re only 90% on the ball? Unless the lawyer really knows their stuff, they aren’t going to spot the weakness. Which means if the judge or the opposition does spot it, they could be in a bit of trouble.

How do you know if your witnesses will be able to withstand the glare of the opposition? If you can walk through the entire process, from seizure to presentation, and, as the non-expert in the process, be confident that the process is sound.

Questioning the chain of evidence and evidentiary conclusions is simple and straightforward, if mundane and tedious: at every step ask the question. Why did you do that? Why do you claim that? What makes this the best? Is there another way? How did you? Where did you? Who did that? Who says so? Who else says so? When was that?

By simply drilling into each layer of the chain, you gain a confidence in it that comes through in court, and more support for its accuracy.

If your witness can’t explain the situation to you in a way that makes you 100% confident, it’s probably not worth 100% confidence. Any gap can be exploited by the opposition. If you can find and fill those gaps, or at least circumvent them, you’re way ahead of the game on court day.

If you can’t, chances are you’re about to get eaten.

This post is copyright 2010 Digital Trust, LLC.  This is not legal advice. Always seek consultation with a qualified legal representative for legal matters. Counsel: do not list Digital Trust without contract. Replication for internal company use is permitted provided this notice remains attached.  No other private or public re-use is permitted without consent.

Cause and Effect: eEvidence Collection

Collecting eEvidence (digital evidence) has always been a chore. When 200MB drives were the norm, it still took 2 hours to image a drive. Now they’re 200GB and it takes 3 hours. Plus copies. So imaging drives for a case is expensive. It’s not just the time spent imaging, there’s also any necessary testimony, report writing, and additional copies. Drives get bigger faster than technology can evolve to process them, so now we have TB drives that take 16 hours to get the first image, and then you have to redo the checksum to confirm the image. If you’re working at a client site, that’s expensive for your team.

Does that mean that by employing larger hard drives the bad guys can make it too expensive to prosecute or sue? It sure does. It’s one reason why prosecutors won’t go after cases below a certain level. It’s too costly. Let alone for the individual litigant that has shallow pockets. A mediocre evidence case is going to add $2500 to the bottom line. If you’re in People’s Court, that’s not going to happen. A more serious case can run into tens of thousands. A big case into hundreds.

So attorneys, remind your clients to buy the biggest drives they can afford, so that on the off chance they’re sued, they present a discouraging front.

What’s the effect seen from that cause? The eEvidence business needs to bump up efficiency. If one agency can bring home a case for 25% less than the competition, you’re foolish not to use them. There hasn’t been much competition, but that may be changing. As business people look into the numbers being thrown around in eEvidence gathering, they see opportunity.

You can have perfect evidence, or you can have good enough evidence. You can have genius testimony, or good enough testimony. (Anything worse than good enough doesn’t survive, because it gets sued into oblivion.) You can have it fast, faster, and fastest, with costs rising accordingly. It also comes in immediate, tomorrow, and when it’s convenient forms. And local talent should be cheaper, but it’s not always that way.

Looking at eEvidence assistance as just an hourly rate is a big mistake. Take the time to talk with the potential services and find out which one provides the best return for your money.

This post is copyright 2010 Digital Trust, LLC.  Replication for internal company use is permitted provided this notice remains attached.  No other private or public re-use is permitted without consent.

Using Free Wifi

Free wifi spots aren’t safe; this is not news. Wifi has been compromised since the beginning. So why are companies still allowing sensitive company data to cross public wifi networks (Panera, Starbucks, etc.)?

For one, if you use the maximum current security configurations and a whopper of a key, it is pretty solid. Not unbreakable, but definitely discouraging.

The vast majority, unfortunately, don’t maximize their use of the security features. Worse, some companies in highly sensitive fields continue to utilize free wifi spots, spots without encryption, for business purposes. Let’s focus on what makes this a very bad idea.

First, they assume their users are safe because they utilize VPN software of some sort. VPN software, especially the SSL variety, is not entirely safe. At the industry convention Black Hat more than a year ago a fellow going by the handle Marlinspike demonstrated how to compromise an SSL connection. So you can’t rely on SSL, and there are problems with other VPN connections as well, but those are not as accessible to the general public as the SSL bugs.

Second, companies assume the environment is safe (it’s not) or that their laptops are secure (they aren’t). Some hacker groups meet at these free wifi spots, because they are free. Hackers like anonymity. They might also like a peek at what’s on the other laptops nearby. Windows, Macs, and Linux laptops all have flaws that can be exploited. Yes, they can be “hardened”, that is, configuration changes can be made which make it much more difficult to gain access, but nothing is 100%. Regardless, the typical IT department isn’t making hardening changes to their systems or keeping them up to date. One of the most egregious errors is allowing users to install software on the systems. Either the software itself can be a problem or it is used as a vector for other problems.

Is it a war zone? No. It’s generally safe to use free wifi zones, especially if you’ve taken rudimentary precautions. But it’s not foolproof. And while it’s your personal risk to do online banking via free wifi, it’s entirely another legal matter to allow employees to do so when it can result in catastrophic business loss.

A safer (note “safer”, not safe; nothing is 100% safe) alternative is to use a dedicated Air-Card from a cellular provider, or the built-in equivalent. You still need to harden the machines, and restrict user software installation, but at least the guy sitting next to you isn’t accessing your hard drive. But it costs money.

So, how much is that class action lawsuit going to cost you?

Fear tactics? You bet. Fear is a survival mechanism. We’d like you and your company to still be around next year. So no more sensitive business data without adequate precautions on the free wifi networks. It’s the sensible thing to do. Contact us to discuss in more detail how best to secure your mobile users.

Safety Tip for Physical Pen Testers

When assessing an account, be sure to ask questions regarding company policy on firearms and threat response, and also check the laws for state and local carry rules. Then verify that reality matches the picture described in the interview. All it takes is one jumpy, perfectly legal, gun-carrying employee to accidentally put a hole in your plans. If there are security guards and/or they are armed, make sure they are experienced, follow their procedures, and practice drills. Even a billy-club can ruin your day. If there is a fair chance that you may be looking at an inexperienced, unprepared armed response, discuss the risk with the client and consider delaying any physical check that may result in conflict until the client’s people are better prepared.

Sleazy Brand Reputation Services

We’ve been working on a research project about brand protection and reputation monitoring on all the social sites, like LinkedIn, Twitter, etc., and seeing a disturbing trend. Most of these companies are selling something you can get for free. Very few have any value add, and even fewer offer any genuine innovation. So before you or your clients pony up several thousand to several hundred thousand dollars to babysit your business’s social reputation, take a long hard look at Google Alerts. It’s free, and any geek worth his coffee allowance can set it up for you.