Deprovisioning and the Insider Threat

If you’re not paying attention to your access controls, especially when it comes to removing access for staff who should no longer have it, you’re setting yourself up for problems.

Deprovisioning, or removing accounts, is an important process in managing system access. The process usually depends on people to some extent, although automation can make the job a lot easier if your infrastructure is set up to handle it. At a minimum, your security processes should integrate with the separation process for both employees and contractors.

Here are a few touch-points that need to accommodate deprovisioning:

  • VPN and other remote access infrastructure (don’t forget your mobility solutions)
  • Any business applications or systems that can be reached directly over the Internet
  • Business partner networks, applications/SaaS solutions or systems
  • Cloud management and cloud-operated virtual systems

Aside from the risk from disgruntled former staff, people who are still within the company should only have access to systems needed for their jobs and to which they are authorized. For example, a system administrator who moves from managing your messaging infrastructure to running a research network should not retain administrative privileges on your messaging infrastructure after they transition to the new role. (In my experience, this type of legacy access is pervasive but organizations should realize that it is a problem waiting to happen).

Retaining access during transition is one thing, but people retaining access as part of their legacy in the team opens the door for all kinds of problems. For example, even a well-intentioned ex-admin who makes a change to your messaging infrastructure after departing the job could cause operational problems due to incompatibilities with the current configuration. On the other hand, if the password for the ex-admin’s legacy account is cracked or stolen, their account could be used to perform malicious acts, which would then probably be attributed to the admin – even though they may have had nothing to do with the attack.

There’s no question that Shionogi’s situation would have been helped by ensuring a deprovisioning process was established. However, there were a couple of other weaknesses that enabled the attack. For one, Cornish was able to install virtualization management software, which means he still had administrative rights. Secondly, most management consoles fail to include any features that ensure checks and balances on what can be done by one individual. If the system required someone to “approve” or finalize the deletion of the virtual systems, their problems could have been avoided entirely.

So the next time you’re talking with your software vendors and evaluating a systems management solution, consider whether the solution integrates with your deprovisioning scheme and whether the solution enables separation of duties for staff performing critical functions.
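As an added illustration (not code from the original post), the following script reconciles a constructed HR separation and role-change feed against account lists from the touch-points listed above, flagging accounts that should have been removed or trimmed after a role change, and adds a two-person approval check for destructive console actions. System names, users and roles are all made up for the example.

```python
"""Added example: reconcile HR separations and role changes against
per-system access lists, and enforce a two-person rule for deletions.
All data below is constructed sample input, not real accounts."""
from dataclasses import dataclass

# Constructed HR feed: who has left, and who changed role (old -> new).
SEPARATED = {"bsmith", "ctran"}
ROLE_CHANGES = {"djones": ("messaging-admin", "research-network")}

# Constructed access inventory: system -> {user: set(privileges)}.
# Each system corresponds to one of the touch-points in the post.
ACCESS = {
    "vpn": {"alice": {"user"}, "bsmith": {"user"}, "djones": {"user"}},
    "saas-crm": {"alice": {"user"}, "ctran": {"user"}},
    "partner-extranet": {"bsmith": {"user"}},
    "cloud-console": {"alice": {"admin"}, "djones": {"admin"}},
    "messaging": {"djones": {"messaging-admin"}, "erin": {"messaging-admin"}},
}

# Privileges each role legitimately needs; anything beyond is legacy access.
ROLE_PRIVS = {
    "messaging-admin": {"messaging": {"messaging-admin"}},
    "research-network": {"vpn": {"user"}, "cloud-console": {"admin"}},
}

@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    reason: str
    privileges: frozenset

def find_stale_access(separated, role_changes, access):
    """Return accounts the separation or transition process missed."""
    findings = []
    for system, users in access.items():
        for user, privs in users.items():
            if user in separated:
                findings.append(Finding(system, user, "separated", frozenset(privs)))
            elif user in role_changes:
                old_role, new_role = role_changes[user]
                allowed = ROLE_PRIVS.get(new_role, {}).get(system, set())
                extra = set(privs) - allowed  # privileges left over from the old job
                if extra:
                    findings.append(Finding(system, user,
                                            f"legacy access from {old_role}",
                                            frozenset(extra)))
    return sorted(findings, key=lambda f: (f.user, f.system))

def approve_deletion(request, approver, access, separated):
    """Two-person rule for destructive console actions: the approver must be a
    different, still-employed person holding admin on the same system."""
    system, requester = request["system"], request["requester"]
    if approver == requester or approver in separated:
        return False
    return "admin" in access.get(system, {}).get(approver, set())

if __name__ == "__main__":
    for f in find_stale_access(SEPARATED, ROLE_CHANGES, ACCESS):
        print(f"{f.system:17} {f.user:8} {f.reason}: {sorted(f.privileges)}")
    print(approve_deletion({"system": "cloud-console", "requester": "djones"},
                           "alice", ACCESS, SEPARATED))
```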


Posted August 20, 2011 by jeffkeith in Security


whoops

Everyone’s got their security problems, but India’s National Technical Research Organization (which is supposed to be similar to the US’s NSA) appears to have some big ones. After an “audit”, some of their internal, classified information got out into the public domain. Oddly enough, Pakistani and Chinese targets they were monitoring began to disappear. More info in this Tribune article.

The article blames whistleblowers, but you have to wonder how long Pakistani, Chinese and other intelligence and CI agencies have had a foot in the door. Everyone knows that India and Pakistan don’t trust each other, but India has, on the face of things, had positive relationships with the US and with China, even though the government has long been hedging its military options and recently agreed to buy jets for its air force from Russia instead of the US.

I guess it’s tough being so popular.

Posted August 17, 2011 by jeffkeith in Security


A couple shots from today’s ride

The skies looked a lot more threatening than they wound up being today. I’ve been working hard on longer rides this spring and even though the skies didn’t want to cooperate today, I knew I had to head out and get some saddle time.

Here are a couple shots from today’s rides:

Everything starts with food – here’s the Tiger resting while I ate half of my breakfast:

The Tiger at Breakfast

A couple hours later, taking a break in a park and eating the rest of breakfast:

Tiger in the Park

There are all kinds of flowers out now:



I picked up a sandwich shortly after this stop and took it with me for a ride out into PA. I thought I might find another nice place to stop and eat it. After an hour or so I took another break. I like to stop at this one pulloff – you can see it was pretty gloomy, but it only rained lightly a few times up to this point.

Another pic looking to the right:

A little gloomy out today

I headed home to eat my lunch and took a break for a couple hours and then decided to finally button up the Bonneville from its new battery and take it out. The Bonneville hasn’t been out yet this season, so a fresh tank of gas was in order, along with a good long ride. I only stopped a couple times.

For Dinner:

Dinner with the Bonnie

On the side of the road. Now it was raining on and off and it was getting dark:

Bonnie break

That’s it. Today’s rides started at about 10 this morning and ended at about 8:00pm with about 3 hours of breaks throughout the day. Good Stuff!!!

Posted May 14, 2011 by jeffkeith in Bonneville, Motorcycles, Tiger 1050, Triumph


Catch and Release Security

A little break from brain-dead…

Catching a fish without harming it and then letting it go is a great experience. Face it, it’s a win-win situation: the fisherman is entertained in the chase and the fish lives on.

Security policy enforcement isn’t an area frequently associated with Steven Covey, but it can be.

Posted February 22, 2011 by jeffkeith in Security


Brain Dead on IP, part 3

So aside from generally exploiting unsuspecting users, what other harm could there possibly be from Microsoft’s code sharing?

How about the recipients exploiting weak code against other companies? Oh, and let’s not forget bolstering the local competitor too (from #cablegate #10BEIJING207):

"¶1. (S) Summary:  A well-placed contact claims that the
Chinese government coordinated the recent intrusions of
Google systems.  According to our contact, the closely held
operations were directed at the Politburo Standing Committee

-- Another contact claimed a top PRC leader was actively
working with Google competitor Baidu against Google."
"PRC Sees USG and Google Working Together

Google's recent move presented a major dilemma (maodun) for
the Chinese government, not because of the cyber-security
aspect but because of Google's direct challenge to China's
legal restrictions on Internet content.  The immediate
strategy, XXXXXXXXXXXX said, seemed to be to appeal to Chinese
nationalism by accusing Google and the U.S. government of
working together to force China to accept "Western values"
and undermine China's rule of law.  The problem the censors
were facing, however, was that Google's demand to deliver
uncensored search results was very difficult to spin as an
attack on China, and the entire episode had made Google more
interesting and attractive to Chinese Internet users.  All of
a sudden, XXXXXXXXXXXX continued, Baidu looked like a boring
state-owned enterprise while Google "seems very attractive,
like the forbidden fruit."  He said it "seems clear" to the
Chinese people that Google and the U.S. government were
working together on Internet freedom and to undermine Chinese
government controls on the Internet.  That made some
intellectuals happy, XXXXXXXXXXXX said, but "some others" regarded it
as interference in China's internal affairs."

So in case you didn’t read the “interesting article” links in part 2…

"¶53. (S//NF) CTAD comment: In November 1995, He Weidong
founded the security company Tianrongxin, a.k.a. Beijing
TOPSEC Network Security Technology Company, Ltd. TOPSEC is a
China Information Technology Security Center (CNITSEC)
enterprise and has grown to become China's largest provider
of information security products and services. TOPSEC is
credited with launching China's first indigenous firewall in
1996, as well as other information technology (IT) security
products to China's market, to include virtual private
networks, intrusion detection systems, filtering gateways,
and security auditing and management systems. Additionally,
in September 2000, Weidong founded the company
Tianweichengxin, a.k.a. iTrusChina, which became the first
experimental enterprise to develop business Public Key
Infrastructure/Certification Authority services approved by
China's Ministry of Industry and Information Technology.

¶54. (SBU) CTAD comment: During an interview with China News
Network, Weidong stated that half of TOPSEC's start-up
capital came from the PRC, with the other half coming from
the company's management department. Additionally, he pointed
out that TOPSEC began not as a company, but as a small
research institute that took contracts from the government's
research and development tasks (NFI). "...

"¶55. (S//NF) CTAD comment: Of note, the CNITSEC is responsible
for overseeing the PRC's Information Technology (IT) security
certification program. It operates and maintains the National
Evaluation and Certification Scheme for IT security and
performs tests for information security products. In 2003,
the CNITSEC signed a Government Security Program (GSP)
international agreement with MICROSOFT that allowed select
companies such as TOPSEC access to MICROSOFT source code in
order to secure the Windows platform. XXXXXXXXXXXX

¶56. (S//NF) CTAD comment: Additionally, CNITSEC enterprises
has recruited Chinese hackers in support of nationally-funded
"network attack scientific research projects." From June 2002
to March 2003, TOPSEC employed a known Chinese hacker, Lin
Yong (a.k.a. Lion and owner of the Honker Union of China), as
senior security service engineer to manage security service
and training. Venus Tech, another CNITSEC enterprise privy to
the GSP, is also known to affiliate with XFocus, one of the
few Chinese hacker groups known to develop exploits to new
vulnerabilities in a short period of time, as evidenced in
the 2003 release of Blaster Worm (See CTAD Daily Read File
(DRF) April 4, 2008).

¶57. (S//NF) CTAD comment: While links between top Chinese
companies and the PRC are not uncommon, it illustrates the
PRC's use of its "private sector" in support of governmental
information warfare objectives, especially in its ability to
gather, process, and exploit information. As evidenced with
TOPSEC, there is a strong possibility the PRC is harvesting
the talents of its private sector in order to bolster
offensive and defensive computer network operations

Still think protecting IP is boring?

Certainly, one could argue that China gets a bum rap. However, some of the most interesting stories about the misappropriation of intellectual property involve China on a regular basis.

Some of them are almost comical in the level of sophistication. Take personal firewall company Cybersitter, which produces a product in the US intended for parents to apply to their kids’ computers to filter what they’re able to see. On January 4th, 2010, Cybersitter filed a lawsuit alleging that its code was stolen and directly incorporated into the “Green Dam Youth Escort” firewall that the Chinese government was requiring be installed on all computers sold in the country. (article link)

Cybersitter is seeking $2.2B US damages – which sounds like a lot until you consider the scale of the alleged infringement. According to this article, a press release in June of 2009 indicated that the product had been downloaded over 3 million times and had been installed on over 52 million computers. Just using Cybersitter’s 5 home computer license for those numbers yields over $500 Million in licensing fees.

The funny part – apparently the infringing code included instructions for Green Dam users on how to get back to Cybersitter’s website for support.

But wait, there’s more….

Posted February 20, 2011 by jeffkeith in Security

Brain-Dead on IP, part 2

There are other ways to lose your company’s IP, like doing business in countries that require the disclosure of IP in order for products to enter their markets.

India and Japan just signed a bilateral trade agreement that will reduce tariffs on about 90% of trade for 10 years. One clause in the agreement requires companies that sell telecommunications equipment in India to disclose the source code to their products to the government. This isn’t so unusual (China has a similar requirement), but Japanese companies balked at the clause and it has since been put on hold. Maybe the recent arrests made some Japanese business leaders a bit less trusting of the Indian government’s ability to keep their source code out of private, and competing, hands?

On a side note, I wonder how much the alleged abuses in spectrum licensing in India influenced the rollout of 3G and 4G services in the country? According to the linked article, Average Revenue Per User (ARPU) “is just 198 rupees ($4.38) a month, down from 230 rupees a year ago” – with such a narrow margin for Indian providers, cutting and limiting costs in their operations is crucial for survival in the market. The motivation to acquire any useful technology without having to invest in it must be very high. If control over 2G spectrum allocations drove such a corruption scandal, I wonder what access to the Indian government’s source code repository could do?

When governments get involved in code escrow, as was proposed in the India-Japan deal or as required in China, companies in sensitive industries are put in a difficult position. On the one hand, a foreign government could pass along their IP to a local competitor who operates globally (which is alleged in China repeatedly – use Google for dozens of links). Aside from purely competitive risks, these decisions can also have an effect on international competitiveness and the security of the home country or society-at-large. Companies in the military and dual-use technology arenas are (hopefully) a bit more careful about these issues. (I am thoroughly convinced that export control laws have more to do with that restraint than any ethical standards among modern executive leadership).

In the regular public sector, however, decision-makers need to consider the potential harm to their domestic operations as well as potential social impacts that might occur under worst-case scenarios. As an example, Microsoft gave the Chinese government source code for various products like Windows, which the Chinese security establishment appears to be analyzing thoroughly for weaknesses (link courtesy of this interesting article).

Microsoft made the “profit-oriented” decision to disclose code in order to sell in China, and neglected the potential social impact issues. I’m excluding competitive issues because everyone knows that Microsoft’s products are usually pretty shitty before the first 100-or-so patches are applied, so nobody would really want to steal their code ;-).

Now, everyone who uses Microsoft’s products is potentially/eventually at risk of attack. (And let’s not forget the Chinese aren’t the only ones with the code: link, link.) Regular consumers of, say, Windows, don’t get access to the source code and are not generally able to evaluate Microsoft’s security, which props up another industry that has been failing for years to address problems. Governments who use Microsoft products are also vulnerable to newly-discovered attacks, and each day we’re hearing more and more about those attacks too (here’s today’s hacked government link).

Interesting stuff, for sure.

to be continued…

Posted February 17, 2011 by jeffkeith in Security


Brain-Dead on IP

I’m always astonished to witness people ignoring warnings about lax intellectual property security.

Maybe intellectual property is an unfamiliar, unapproachable and utterly boring subject for the average person. Since most people have at least a passing interest in money, and IP theft cases can cost a company millions, the whole “not interested” scenario doesn’t seem to make much sense to me.

Millions of dollars you say? Yes, and it affects everyone.

Ironically, real stories as examples of how an IP theft can sting a company seem to be pretty interesting to people. Here’s one, just for fun:

From the “2010 U.S. Intellectual Property Enforcement Coordinator Annual Report on Intellectual Property Enforcement”:

U.S. Secret Service
“Silicon Valley Engineer Arrested for Theft and Transfer of Trade Secrets to China: In July 2009, a technology company’s chief legal counsel contacted the San Jose Resident Office of the USSS requesting investigative assistance in an ongoing theft of company trade secrets. An initial investigation identified three suspects and determined there was over $60 million in loss. The U.S. Attorney’s Office Computer Hacking and Intellectual Property Section requested that the San Jose USSS Office investigate this case for Federal prosecution. The agents discovered that a former employee established multiple businesses in order to develop and sell Global Positioning System (GPS) applications for mobile phones. The employee also recruited two other employees, Chinese Nationals, to integrate the stolen software source code into his products. The suspect also acquired at least one investor and attempted to recruit others in order to advance the interests of his businesses in the U.S. and China. On November 10, 2010, the three suspects were indicted for conspiracy, theft of trade secrets, possession of trade secrets and foreign transportation of stolen property. On November 16, 2010, San Jose USSS special agents arrested the former employee for the above listed charges.” (emphasis added)

So maybe you’re not in the geolocation business and that seems boring too. However, at some point in your life, you probably took a prescription medication. Maybe you thought your prescription was expensive. Maybe this has something to do with it:

Wed. Feb. 3, 2011 – UPDATE 3-Ex-Bristol-Myers worker accused of secrets theft

“A former Bristol-Myers Squibb Co (BMY.N) employee was charged with stealing company secrets and proprietary information as part of a plan to set up his own pharmaceutical company in India, the U.S. Justice Department said on Wednesday.”

For fiscal year 2009, Bristol-Myers Squibb spent $3.6 Billion on R&D. Shalin Jhaveri, the guy who stole BMS’s IP and almost set up a company to profit from it, spent very little.

So that was fun. A couple interesting stories about people who basically took advantage of a company for self-enrichment. They were caught, damage contained, company vindicated, everyone’s happy – end of subject.

Not quite…

Posted February 14, 2011 by jeffkeith in Security
