Archive for August, 2008

What we’re reading, week of 8/25

Posted: August 25, 2008 in Highlights

From Endpoint-Security.Info…
Insider Compromises 2 million Private Records
Agent Smith examines the tale of Countrywide Financial Corp., and an insider who sold customer information to competitors over the course of three years. Could Countrywide have prevented this by updating their security practices to include monitoring data transfers to portable devices?

From Network Security Blog…
Force Gmail to use HTTPS
Martin McKeay explains how users can protect themselves from having Gmail login data stolen when using a public network. “Gmail has been capable of running on SSL for quite some time, but it’s not something that’s enabled by default.” It will be interesting to see how Google responds to this discussion – whether they’ll change the default settings or offer some justification for not automatically running on SSL.

From Amrit William’s Blog…
The 11 Worst Ideas in Security
Amrit calls out the top 11 banes of the security world, which include analysts, passwords, and yes – security vendors.

We’re interested in getting readers’ opinions on NAC. For those who have taken it on in their organizations, what have you found to be the real advantages? Has NAC had a positive influence on your organization beyond what could be expected from adopting any other set of standards? Have you implemented associated tools, technologies, or consulting to augment your NAC initiatives? Overall, how has your experience been (especially as compared to the processes you previously had in place)?

Please share your thoughts in the comments section. We’ll be posting some responses and discussion on this topic next week.

Last week we posted in response to this Download.com article about LogMeIn – a remote access utility that the author claims could replace his VPN. We decided to pose the question to industry peers using LinkedIn’s Q&A feature. We asked:

Anyone using LogMeIn for Windows and Mac? CNET writer, Seth, posted something on his experience with it and it sounds intriguing.

Marcin Antkiewicz wrote:

Using LogMeIn, or any other remote access relay service, creates a few issues for us, the security folks. Such services extend the network perimeter to unknown locations, and sneak unknown and untested software into the service portfolio. The important change is not just a minor administrative nuisance, but arbitrary changes to the risk profile.

From a user’s perspective, LogMeIn is just an easy way to log in to their email; to me it means corporate secrets accessible at airports and coffee shops. In addition to exposing a screen in strange places, such software might not conform to various security best practices with regard to privacy, implementation, and vendor security. Risk management issue again.

While those standards might be restrictive and arbitrary, circumventing controls is a bad idea. You should request easy remote control access instead, and IT Sec folks should be able to accommodate your request as it’s in their best interest.

Quite a few nasty break-ins happened due to bridged security domains (desktop compromised while running admin/root sessions in screen/vmware console/rdp). You do not want such an event to be traced to your machine while running rogue software…

Caveat – my experience is from the Security side of IT, and my answer assumes a user working for a large corporation with sizable IT. Small shops might easily afford use of software that could cause problems in big enterprises. I am _not_ trying to say using LogMeIn is inappropriate, only that it might be.

Adrian Vianna wrote:

LogMeIn is great! I actually use it for both work and pleasure. It’s pretty secure and if you need to handle computers in remote locations it will definitely beat the headaches of VPNs and all that.

It’s a cool feature to have if you need access to a computer from the “Cloud”.

Peter Gregory, CISA, CISSP wrote:

I have to agree with Marcin Antkiewicz. While such a product may be *convenient*, tools like GoToMyPC and LogMeIn are essentially covert channels that are difficult to control. The use of such products should be a violation of most organizations’ security policy.

Functionally, these products are no different than an unauthorized dial-in modem or access point inside the enterprise network. Recall that many organizations spend considerable effort rooting out unauthorized modems and access points, and so we should also be blocking and/or removing these tools. Organizations should do the best they can to block all such covert access.

Maury Blair, MCP wrote:

LogMeIn or GoToMyPC are great for small shops that don’t have a dedicated IT staff and don’t want to hire a consultant to implement a low cost VPN. The Achilles’ heel of these services is that you are connecting to a PC under the assumption that 1) the PC is turned on (i.e. there were no power issues at the office, the cleaning lady didn’t accidentally unplug the computer, etc.) and 2) the computer is functioning correctly. For true remote access you can deploy an affordable VPN for your small office for probably a lot less than you think. There are several easy to configure routers for small offices with built-in VPN technology for under $200. I once deployed a site-to-site VPN for my dentist using a couple of Netgear FVS318 routers. At the time, each router came with one licensed copy of Netgear’s VPN client for PCs. All in all, they spent about $1000 on the routers and my labor and they were able to eliminate a costly leased line between the offices as well as gain remote access to their network from home.

Avoiding VPN altogether – Pros: Cheap, no IT consultant necessary to set up and configure, easy to use. Cons: does not account for power outages or malfunctions on the host PC.

Anthony Maughan wrote:

While I think overall LogMeIn is a rather insecure solution, once again ease of use trumps heavy security. The company I’m currently with offers a two-factor solution for LogMeIn (mentioned previously) using your cell phone. It adds a modicum of safety for remote login vulnerabilities, but doesn’t resolve the “viewing remote computer” issue. Traditional VPNs like Cisco, Juniper and such typically use stronger encryption than SSL, which is what you get from LogMeIn. They also allow for some better auditing tools etc. UltraVNC OneClick is an interesting free solution that has some of the same functionality, but not quite as easy to set up or use.

Links:
http://www.phonefactor.com

Eric Humphries wrote:

LogMeIn also has an added bonus of allowing two-factor authentication and notifications when someone successfully logs into your account. Now this is all well and good for remote access to a PC or network, but if you have existing infrastructure that needs access to the network these solutions will not work. You’ll never avoid VPNs altogether if you’re doing any type of automated processes.

What we’re reading, week of 8/18

Posted: August 18, 2008 in Highlights

From 360 Degree Security…

Competitors Can Be Civil

Tyler Reguly reflects on recent experiences at Blackhat and DEFCON, and discusses how competitive vendors in the security space find common ground.


From Emergent Chaos…

Certifiably Silly

Adam Shostack discusses the failings of SSL in a response to a post by Michael Barrett about Firefox 3.0 and self-signed certificates. In a later followup (I’m Certifiably Wrong), Adam responds to readers’ comments.


From Zero Day…

Security vs. convenience: Apple chooses poorly

Guest-blogger Oliver Day writes about Apple’s absurd practice of asking users to divulge their administrator passwords when bringing machines in for repair. Readers debate in the comments section over whether this practice is a) necessary, or b) a problem at all.

Vista x64 VPNs

Posted: August 15, 2008 in 64-Bit, Posts

Says ZDNet’s Ed Bott in a recent post about Vista x64…

Readers report problems with VPN clients from Check Point, SonicWALL/Aventail, and Cisco. Microsoft has compiled information into Knowledge Base article 929490, Windows Vista-compatible third-party virtual private network (VPN) client schedules. The article (whose Last Review date is listed as November 5, 2007) includes an awful lot of “Unknown” entries in the x64 column and notes that Cisco has no plans to update its VPN Client. The release notes for the June 2008 VPN Client 5.0 release make it clear in two places that only 32-bit Windows versions are supported.

Indeed, VPN support has been a major weakness for Vista x64, which is why NCP has designed their VPN client for compatibility with Vista and other 64-bit operating systems.