Tuesday, December 17, 2013

Risks of Automatic Image Downloads in Gmail



This morning, as I logged into my Gmail account, I was notified that the company had decided to turn on automatic image loading for all email.  This made me wonder: isn’t this going to be a security issue?  Images contained within email are generally not embedded; instead, the message points at a URL on a remote server, and the image is fetched from there when the message is displayed.  Malicious users can learn when you loaded an image, and that the address the email was sent to is legitimate and active, and can then follow up with spam, phishing or malware in subsequent email messages.  You can also give up your IP address, which gives attackers a close estimate of where you are located.  Any information they find regarding your whereabouts or Internet activity can be used to craft messages and URLs aimed at obtaining personal information or destroying your data.

So, how does Google plan to mitigate these risks for its customers?  Well, Google says that its proxy servers will host all images, preventing attackers from knowing where the email was opened from or from exploiting security vulnerabilities on the local machine through malware embedded in an image.  This proxy solution does not, however, prevent attackers from learning your location or whether your email address is active.  Loading images automatically also enables something called ‘read tracking’, whereby senders can tell whenever a message is read by a specific recipient.
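The mechanism the two paragraphs above describe, as an added example that is not from the original post: a scanner that lists the images an HTML email references and flags those with the shape of a read-tracking pixel (remote, tiny or hidden, and carrying a per-recipient token). The sample message and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample body: one inline logo (no fetch, so no leak), one ordinary
# remote photo, and one 1x1 hidden pixel carrying a per-recipient token.
SAMPLE_HTML = """
<html><body>
<img src="cid:logo@example.test" width="120">
<p>Your order has shipped.</p>
<img src="https://images.example.test/photo.jpg" width="400" height="300">
<img src="https://track.example.test/open.gif?rid=8f3a2c&amp;msg=4471"
     width="1" height="1" style="display:none">
</body></html>
"""

REMOTE_SCHEMES = {"http", "https"}


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attribute values are None when written without a value
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """A width or height of 0 or 1 pixel is the classic beacon shape."""
    for key in ("width", "height"):
        value = attrs.get(key, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def scan_images(html_body):
    """Return one record per image: src, host, remote or not, tracking signals."""
    collector = ImageCollector()
    collector.feed(html_body)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        # cid: and data: images need no network fetch; only http(s) ones leak
        remote = parsed.scheme.lower() in REMOTE_SCHEMES
        signals = []
        if remote:
            if _is_tiny(attrs):
                signals.append("tiny")
            if "display:none" in attrs.get("style", "").replace(" ", "").lower():
                signals.append("hidden")
            if parse_qs(parsed.query):
                signals.append("query-token")  # per-recipient identifier
        findings.append({
            "src": src,
            "host": parsed.hostname or "",
            "remote": remote,
            "signals": signals,
            "likely_tracker": remote and len(signals) >= 2,
        })
    return findings


if __name__ == "__main__":
    for f in scan_images(SAMPLE_HTML):
        kind = "TRACKER" if f["likely_tracker"] else ("remote" if f["remote"] else "inline")
        print(f"{kind:8} {f['host'] or '-':24} {f['src']}")
```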

Loading images through the proxy servers will speed up the time it takes users to open Gmail messages, and Google could cache all email images before a recipient opens the message, which would defeat read tracking.  If Google does cache all images, attackers could mount a denial of service attack on the company by sending millions of images to its proxy servers.

Luckily, for those concerned with this new setting, Google has allowed users to revert to the previous configuration, whereby each user needs to load the images in individual email messages manually.  From a security perspective, this is a much safer option.  We already receive enough spam and phishing attempts, and each suspicious email should be scrutinized for its authenticity – we do not now need to worry about strangers figuring out that our accounts are real and where we are located! Turn off the automatic image download option, if only to protect your own privacy.

Monday, December 2, 2013

Secure Control System Network Design



When designing control system networks securely, it is important to note the different requirements of the various networks involved.  Control systems differ widely from corporate network resources in their needs for speed, reliability and uptime.  Control systems rely on real-time operations and therefore must remain highly reliable.  Business networks, on the other hand, operate over low-cost Ethernet to provide fast access to resources using TCP/IP.  SCADA systems sit between these two networks to relay information from one to the other, and need specific components from each network to function: they must operate in real time while using TCP/IP to communicate data to the business.

These obvious demarcation points are the natural places to segregate networks when developing a secure control system network design.  The SCADA system should sit in a DMZ, a security zone located between the business and control system networks.  It is not ideal to place business applications on the same network as the control systems, because legacy systems within control are vulnerable to malware and malicious traffic and operate over insecure protocols, such as Modbus.  A firewall placed on either side of the DMZ protects the control system and the business network from the vulnerabilities and threats found in the other.  Placing intrusion prevention systems and other perimeter security devices between the SCADA network and each neighbouring network is best practice.

The control system network contains RTUs, PLCs, and HMI systems.  The SCADA network will also host HMI systems, plus data historians, MTUs, and ICCP clients.  The network containing business applications will include common business software, as well as supervisory workstations for monitoring SCADA systems.

Placing the control system network devices in the most secure zone, or deepest layer, is another best practice.  Traffic should flow from the higher security zone to lower zones, but not in the other direction.  Information from the control system network should be permitted through the firewall to the DMZ as needed, and the SCADA DMZ equipment should communicate through the second firewall out to the business networks.  Traffic should never traverse both firewalls directly from the control networks to the business LANs.  The DMZ acts as an intermediary communication centre, taking information into its systems from the control network and passing it along to the business network.  The same design must be used for any traffic that needs to reach control from the business networks.

Set up file shares and patch management servers within the DMZ to capture information from one network before passing the authorized information along to the receiving network.  This prevents malicious code from traversing directly to a targeted host because, in principle, a different port and IP address are used when the DMZ host relays the traffic.  The important consideration when designing security into control system networks is to segregate the vulnerable control network as much as possible from the highly volatile business LAN.  The DMZ acts as a buffer that double-checks traffic is travelling to approved resources, and an infection in the DMZ is far less intrusive and detrimental than an attack on the control system resources themselves.

Friday, November 22, 2013

Beware of CryptoLocker!



I work in the field of IT security and even I can be surprised by the creativity and ingenuity of attackers looking to make a quick dollar.  Enter CryptoLocker, a particularly nasty piece of malware that encrypts Windows-based files on both network drives and local file systems.  The strong encryption used makes it virtually impossible for people to recover their data unless they follow the instructions provided by the attackers, who ask for money in return for the decryption key.

Victims of this ransomware are usually infected when they open unknown email attachments, or through infections already present on the machine.  Occasionally, it is installed via drive-by downloads.  Word, Excel, PDF, and other daily-use file types (including pictures and movie files) are susceptible to this attack.  The ransomware attackers then present a screen to their victims stating that they must pay $300 to receive the key or all their files will be deleted forever within 72 hours.  Unfortunately, aside from losing $300, many times the decryption does not work and the files are lost anyway.  This is a very good example of why people need to back up their critical files!

Anti-virus software is unable to prevent this malware from infecting machines, too, meaning even people who are diligent with their A/V software are vulnerable.  The most common infections have come in through email attachments, but the malware has also piggybacked on existing malware, such as Zeus.  The best way to prevent an infection in this case is to actively ensure your anti-virus is up to date and scans daily, to head off infection by these other Trojans.

Email attachments are something people have been warned against for years, yet they are still one of the most popular avenues for infecting machines.  Phishing scams are a great way for attackers to hit hundreds of people at once, through specially crafted emails that look like they came from legitimate organizations.  Always double check that any email you receive from a shipping organization, a bank, or any other common source is legitimate.  Check the email return address to ensure that the domain is correct, and call the company to find out whether what they are ‘selling’ is in fact true.  Know which company is shipping your packages so that you only pay attention to emails from them (and even then, scrutinize the content for accuracy before you click any attachments or links).  Question your bank before you respond to an email, to find out whether this is their normal process for conducting business.
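The return-address check recommended above, as an added example that is not from the original post: it parses a raw message, compares the domain the display name claims against the From, Reply-To and Return-Path domains, and inventories attachments so they can be looked at before anyone opens them. The sample message and the table of expected sender domains are constructed.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Organisations you actually deal with and the domain their mail should come from.
EXPECTED_DOMAIN = {
    "example courier": "example-courier.test",
    "example bank": "example-bank.test",
}

# Constructed sample: a look-alike From domain, a different Reply-To, and a
# zip attachment posing as a shipping label.
RAW_MESSAGE = b"""From: "Example Courier" <notice@exmple-courier-update.test>
Reply-To: <track@mailbox-relay.test>
Return-Path: <bounce@mailbox-relay.test>
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached label and re-schedule delivery within 72 hours.
--b1
Content-Type: application/zip; name="label.zip"
Content-Disposition: attachment; filename="label.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return the From domain, a list of findings, and the attachment inventory."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name = parseaddr(str(msg["From"] or ""))[0].strip().lower()
    from_domain = _domain(msg["From"])
    findings = []
    claimed = EXPECTED_DOMAIN.get(display_name)
    if claimed and from_domain != claimed:
        findings.append(f"display name claims {claimed} but From is {from_domain}")
    for hdr in ("Reply-To", "Return-Path"):
        d = _domain(msg[hdr])
        if d and d != from_domain:
            findings.append(f"{hdr} domain {d} differs from From domain {from_domain}")
    attachments = [(part.get_filename(), part.get_content_type())
                   for part in msg.iter_attachments()]
    return {"from_domain": from_domain, "findings": findings, "attachments": attachments}


if __name__ == "__main__":
    result = check_message(RAW_MESSAGE)
    for line in result["findings"]:
        print("WARN:", line)
    for name, ctype in result["attachments"]:
        print("attachment:", name, ctype)
```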

CryptoLocker is a dangerous piece of malware, so protect yourself from it as best as you can.  Imagine how it would feel to be locked out of your computer, potentially never accessing your important files again.  Back up your data regularly, and unplug that backup from the network or computer when you are finished.  This, along with current antivirus software and due diligence, is your best defense.

Friday, November 8, 2013

Is Canada Affected by the NSA Surveillance?

With recent news of entire countries blocking the use of VPN and encryption technologies (China has been doing this for years), it makes me wonder where our Internet traffic originating within Canada actually goes in order to complete a connection.  Our infrastructure is vast, covering the majority of our populated areas, but we still rely heavily on many of the US Internet providers' routes to gain access to sites.  This means that traffic entering and leaving the US is susceptible to, and going to be subject to, NSA surveillance.

Our traffic is routed through US exchange points.  As Byron Holland has stated, Canada should invest in the construction of its own exchange points, reducing the amount of traffic that relies upon the US infrastructure.  This could also set Canada up to regulate the types of traffic and protocols that are allowed in or out of the country, but it's doubtful that will happen.

Protesters have set up camp across the globe, most recently hitting Washington with their Stop Watching Us campaign.  However, protest marches do not really solve the problem, do they?  If Canadians want to prevent their information from being intercepted by the NSA, we need to keep that data safe within our own country.  This is practically impossible, though, with today's markets and infrastructure.   

Another problem is that Canada is guilty of spying on other countries (Brazil), too.  Our CSEC is likely involved more heavily in the spying activities that the NSA is reportedly undertaking anyway.  The "Five Eyes", five countries that have agreed to pass along intelligence information in the name of anti-terrorism, are probably all spying on each other and on foreign citizens, passing along this information because they believe it is for the sake of national security.

So, yes, Canada IS affected by the NSA surveillance, but keep in mind that this has likely been happening for years.  Also, Canada is monitoring its own information.  Provided the government bodies are protecting this data accurately, if this information helps leak intended targets before a bomb goes off or a plane flies into a building, I am okay with this surveillance.  If it weren't for these allies and their spies during World War II, the war could have been much longer and much, much more tragic.  I believe their intentions are good - but they do need to assure their citizens the spying is not as adverse as in those areas such as China or India.

Tuesday, October 22, 2013

iOS 7 Within the Organization

The hype of the release of iOS 7 has died down since mid-September, and Apple has released one software update that fixed known bugs in the code that presented security risks.  The promise of making iOS 7 more business-friendly was floating around for months prior to the release of this software, but has it really stepped up to what was advertised? The look of iOS 7 is juvenile - gone is the sleek, sophisticated appearance of traditional Apple apps, home screens, and even the unlock buttons.  Now we are left with what looks like a basic Windows or Android OS, neither of which has that professional image that Apple used to portray.

Upon first glance and a few quick scrolls through the integrated applications, it doesn't look like Apple made this new software enterprise-ready.  Nothing is really different in my calendar or mail apps, and I don't find that they are easier to navigate or integrate.  But the iOS 7 upgrade has enabled functionality that did not exist in previous versions.  There is now new Mobile Device Management support for iOS 7 devices, available to companies to lock down and keep tabs on their corporate phones.  The Enterprise SSO support helps users access corporate apps without having to enter credentials for each different app.  And there is the per-app VPN functionality to protect the data within an app during transmission.

Apple has made some great improvements in phone security with the release of iOS 7, so it definitely is a better option for most companies.  They offer a remote lock functionality with their Find My iPhone offering.  This allows businesses to remotely lock a phone if it is reported as lost or stolen.  Find My iPhone can be managed through MDM systems, as well.

Apple has expanded their MDM capabilities to include controlling Bluetooth pairings and personal hotspot usage, preventing users from changing accounts on the device, and verifying that specific phone settings are in place.  MDM can ensure that only authorized apps are configured to open and share important documents and files.

Per-app VPNs allow the company to manage specific application data while not having to control or run all user traffic through their own network.  Each VPN is managed by the IT department, but users do not notice a difference in speed or usability once the tunnel is established.  

And the introduction of a functional biometric fingerprint sensor adds a new way to authenticate to the phone.  Its security is still open to question and may not be right for a company issuing corporate phones, as this is not a second factor of authentication.  The sensor is an alternative to the passcode for the lock screen.  A passcode still must be set on the device, though, which means a more complex code could be enforced.

Apple has provided a few additional opportunities to help companies bring iPhones into the enterprise, but there are still questions that need answering and uncertainty around usability, control and security.  However, I think as more people adapt to iOS 7 and more experience is built up around the MDM functionalities available, this will quickly become a contender for enterprise phone offerings.

Thursday, September 19, 2013

Wildcard Certificates - The Risks

Using a wildcard certificate may make sense if you are looking for easy management and multiple deployments.  They allow you to secure all subject alternative names (SAN) within a domain, and can be a very cost-effective way to secure many different devices. If you have a single registered root domain, a wildcard certificate can secure all domains associated with that root.  

The problem with wildcard certificates is that a single private key is used across any number of devices, both inside and outside of your infrastructure.  This increases the organization's susceptibility to fraud and data loss.  Two important aspects of incorporating wildcard certificates are implementing proper control and monitoring of the certificates.  Without this, malicious users can issue fake SANs and associate them with your domain.

Wildcard certificates can be installed on many different servers, which could potentially expose the private key to others.  The certificate's private key, in this case, is very widely accessible, increasing the risk of eavesdropping.  If the private key is compromised, encrypted traffic can easily be decrypted by a malicious user, exposing data and confidential information.  Impersonation of a SAN can also occur.

Wildcard certificates are dangerous if not controlled.  If one server is compromised and the private key is discovered, every single device on your network using that certificate is considered compromised.  Trying to keep track of each device and application using the certificate can be a nightmare, leading to expiration of the certificate and problems with usability.  

Your best option is to create a separate certificate for each device that needs SSL.  This ensures that each device has a unique private and public key pair, so that if the private key is compromised, only that device is affected.  Always store the private keys very securely; if using PKI, keep the server storing these keys offline so that it cannot be compromised.
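The blast radius the post describes, as an added example that is not from the original post: given an inventory of which hosts present which certificate, it reports every host that shares a private key with a compromised one, and which inventory names a wildcard SAN list would validate for (including hosts that were meant to have their own certificate). The wildcard matching follows the rule browsers enforce, where "*" must be the whole leftmost label and matches exactly one label; hostnames and certificate labels are constructed.

```python
def wildcard_matches(pattern, hostname):
    """True if a certificate name (possibly a '*.' wildcard) covers hostname.

    The wildcard must be the entire leftmost label, matches exactly one label,
    and never matches the bare domain itself.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


# Constructed inventory: (hostname, cert_id, SAN list).  Hosts presenting the
# same cert_id were deployed with the same certificate, hence the same key.
INVENTORY = [
    ("www.example.test",          "wild-2013", ["*.example.test", "example.test"]),
    ("mail.example.test",         "wild-2013", ["*.example.test", "example.test"]),
    ("vpn.example.test",          "wild-2013", ["*.example.test", "example.test"]),
    ("kiosk.example.test",        "wild-2013", ["*.example.test", "example.test"]),
    ("pay.example.test",          "pay-only",  ["pay.example.test"]),
    ("api.internal.example.test", "api-only",  ["api.internal.example.test"]),
]


def shared_key_groups(inventory):
    """Map cert_id -> sorted hostnames that present it (and so share its key)."""
    groups = {}
    for host, cert_id, _sans in inventory:
        groups.setdefault(cert_id, []).append(host)
    return {cid: sorted(hosts) for cid, hosts in groups.items()}


def blast_radius(inventory, compromised_host):
    """Other hosts whose traffic can be decrypted or impersonated once
    compromised_host loses its private key: all that present the same cert."""
    cert_ids = {cid for host, cid, _ in inventory if host == compromised_host}
    return sorted(h for h, cid, _ in inventory if cid in cert_ids and h != compromised_host)


def covered_names(sans, inventory):
    """Inventory hostnames for which a given SAN list would validate."""
    return sorted(h for h, _, _ in inventory if any(wildcard_matches(p, h) for p in sans))


if __name__ == "__main__":
    for cid, hosts in shared_key_groups(INVENTORY).items():
        print(f"{cid}: {len(hosts)} host(s) share this key -> {hosts}")
    print("losing the kiosk's key also exposes:", blast_radius(INVENTORY, "kiosk.example.test"))
    print("the wildcard would also validate for:", covered_names(["*.example.test"], INVENTORY))
```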

Monday, September 16, 2013

Traveling with Data

In today’s connected world, it isn’t uncommon for business people to travel internationally to meet with partners, colleagues, and investors.  Traveling today means extra care must be taken when staff are transporting potentially sensitive data across borders.  Common threats to business travelers include Wi-Fi hotspots, untrusted hotel Internet connections, border or customs officials, and theft or loss of physical devices.  To help protect your organization and your people, it is important to create an international travel policy for traveling with corporate data and assets.

Whether traveling internationally, or commuting daily on a public train or bus, people log onto corporate laptops and work on sensitive information with little regard for what is going on around them.  Maybe there is some element of trust when people take the same train each and every day.  The problem is that air travel is one of the most likely places to lose data.

Airports offer wireless Internet access for their patrons, but who can tell how secure these hotspots are?  The connections are not encrypted and it is highly likely that these hotspots have been hacked, with stealthy users now watching your every move.  People want to stay connected, and hackers take advantage of this by setting up fake hotspots that attract people anxious to connect with business and friends.  For business travelers, the most dangerous hotspot venues are the airports.

The clientele of airports, simply by the nature of the industry, varies daily, and people are never in one place long enough to build any relationship with fellow passengers.  This leaves airports as one of the most compromised places, with thefts and pickpocket activity occurring around the globe.  With added security since 9/11, many travelers know to keep their bags and valuables within sight at all times, but this attitude is lost as soon as a laptop or tablet opens to corporate information.  In the USA, border guards and customs officials are allowed to confiscate any equipment they want, and do with the data as they please.  This means copying it, sending it to other agencies, and obtaining access to encrypted containers.

Some countries can be difficult to travel to with laptops because of import laws.  If business travelers cannot prove they are not importing a laptop, they may lose the equipment.  Some countries do not want people to connect to the Internet and expose any corruption or fraud to the media.  And malicious officials may be involved as well, asking for a special tax to be paid to them before releasing the laptop back to its owner.

Take extra special caution when traveling with data.  If possible, use a clean, freshly imaged machine that has no corporate data stored locally.  Always use your company’s VPN to access and update corporate documents.  And watch where you are using your laptop – make sure to position yourself against a solid wall so that no one can shoulder surf or gather information through a window.

Friday, September 13, 2013

Basic SCADA Security Requirements


Traditional SCADA systems were designed to connect directly to each other, either via serial connectors or SONET.  Because of their compact design and communications requirements, SCADA protocols were developed to meet the polling needs of these systems.  Common SCADA protocols include Modbus RTU, RP-570, Profibus and Conitel.  With the expansion of data networks into remote locations, companies operating SCADA systems decided to tie these into their corporate networks.  However, increased and wide exposure to the public Internet has led to the compromise of many SCADA systems through the wide range of vulnerabilities associated with their protocols.

Unlike common desktop computers and servers, simply installing anti-virus programs is not the best way to secure SCADA systems.  Their legacy design and components lead them to hang, or worse, when anti-virus programs are introduced.  SCADA software itself lacks any basic security controls because when it was designed years ago, security was not an issue.  Vendors do not develop or release patches for SCADA equipment as quickly and efficiently as enterprise and consumer software vendors, either.  Some of these patches require a reboot of the system running the software, and in critical infrastructure this can be a huge headache.  Plant shutdowns rarely occur, so vendors and staff need to wait for one of these annual planned outages to perform SCADA patching.

With new government regulations dictating the security of critical SCADA infrastructure, it is now more important than ever to examine your systems and ensure that no malicious users or code can attack them.  This means segregating PLCs and HMIs behind several firewalls and forcing all traffic to pass back to your headquarters.  Nothing on the SCADA segments should ever communicate directly with your corporate networks, either, but should communicate only with systems within a secure DMZ.  Traffic should also flow from the high security zones (SCADA) to lower security zones, and any other traffic, unless it is absolutely verified as necessary, should be blocked by the firewalls.
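The zoning rules above, and the same control / DMZ / business design laid out in the "Secure Control System Network Design" post earlier on this page, as an added example that is not from the original posts: a small policy checker that decides whether a candidate flow between the zones conforms to the design (nothing crosses control to business directly, nothing crosses a firewall without an allow entry, and upward flows are explicit one-hop exceptions). Zone names, ports and the purposes on the allow list are assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src_zone dst_zone proto port")

# Higher number = more sensitive zone (the deeper layer).
ZONE_LEVEL = {"control": 3, "dmz": 2, "business": 1}

# Explicit allow list; ports and purposes are illustrative assumptions.
ALLOWED = {
    Flow("control", "dmz", "tcp", 443): "control-side collector pushes data to the DMZ historian",
    Flow("dmz", "business", "tcp", 443): "historian reports to supervisory workstations",
    Flow("business", "dmz", "tcp", 445): "vetted files dropped on the DMZ file share (upward)",
    Flow("dmz", "control", "tcp", 8530): "DMZ patch server delivers approved updates (upward)",
}


def evaluate(flow):
    """Return (decision, reason) for one flow; decision is 'allow' or 'deny'."""
    if flow.src_zone not in ZONE_LEVEL or flow.dst_zone not in ZONE_LEVEL:
        return "deny", "unknown zone"
    if flow.src_zone == flow.dst_zone:
        return "allow", "intra-zone traffic never crosses a firewall"
    # Rule 1: control and business may only ever talk via the DMZ.
    if {flow.src_zone, flow.dst_zone} == {"control", "business"}:
        return "deny", "direct control<->business traffic; must terminate in the DMZ"
    purpose = ALLOWED.get(flow)
    upward = ZONE_LEVEL[flow.src_zone] < ZONE_LEVEL[flow.dst_zone]
    if purpose is None:
        # Rules 2 and 3: nothing crosses a firewall without an allow entry, and
        # the default direction of flow is from the high zone to the low zone.
        return "deny", ("upward" if upward else "downward") + " flow not on the allow list"
    if upward:
        return "allow", "approved upward exception: " + purpose
    return "allow", purpose


def audit(flows):
    """Return the flows the policy denies, each with its reason."""
    denied = []
    for flow in flows:
        decision, reason = evaluate(flow)
        if decision == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample of flows a firewall log review might surface.
SAMPLE_FLOWS = [
    Flow("control", "dmz", "tcp", 443),
    Flow("business", "control", "tcp", 502),  # workstation polling a PLC over Modbus/TCP
    Flow("dmz", "business", "tcp", 443),
    Flow("business", "dmz", "tcp", 445),
    Flow("dmz", "control", "tcp", 502),       # DMZ host reaching into control, not approved
    Flow("control", "business", "tcp", 443),  # control segment talking to the business LAN
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src_zone}->{flow.dst_zone} {flow.proto}/{flow.port}: {reason}")
```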

Some considerations for developing and maintaining your critical infrastructure include performing vulnerability assessments regularly against your systems, networks and communications.  Stay up to date on any new developments in SCADA viruses and malware, and make sure any SCADA software runs on a hardened operating system.  Employ multiple levels of defense with a firewall, IPS, and virus scanning on those devices that are capable of running it.  Keep your virus software up to date.  Encryption and VPNs can help when transmitting polled data from a remote site back to centralized SCADA systems.  If an incident occurs, you should be prepared with a thorough and tested Incident Response Plan.  And always ensure your SCADA data, including the software, is backed up regularly and tested for integrity.