Archive for July, 2011, How to stay safe online while traveling
Network World, IT security’s scariest acronym: BYOD, bring your own device
Fast Company, It’s Time To Cut Back On “Hack”
Help Net Security, Companies Underestimate Costs of Security Breaches
BusinessNewsDaily, Is Allowing Employees Remote Access to the Office Creating a Security Threat?


Next week is Black Hat in Las Vegas, which is one of the world’s biggest shows for techies and hackers. We were lucky to catch up with Travis Carelock, technical director for the show, to chat with him about this year’s show.

VPN Haus: What are the expected trends at the this year’s show? What topics and sessions are getting a lot of buzz?

Travis Carelock: We are very excited about our keynotes.  We are very fortunate to have highly respected individuals from both the public and private sectors.  Ambassador Cofer Black, was director of the CIA’s Counterterrorist Center during the 9/11 attacks.  He has since gone on to have a very successful career in the private world serving the information security sphere.   His reflections over the last decade will provide attendees with an amazing view of the frontlines from someone who lived it. Our second keynote, Peiter “Mudge” Zatko of DARPA.  He is an infamous  “old school hacker” from the L0pht days.  Mudge will tell us what the government can learn from a hacker, and because turn about it always fair play, what a hacker can learn from the government.

At Black Hat we have always delivered content centered on the latest attacks and zero days in many of IT’s most ubiquitous systems. However, one of the most surprising trends this year is all the attack vectors that are “outside” of the norm.  We have some fascinating presentations on attacking SCADA systems, mobile device management systems, embedded webservers, wireless medical devices, laptop batteries, banking cards, USB devices, and even with UAVs (that’s right Unmanned Aerial Vehicles).  The obvious trend is the ever-increasing complexity of our modern world.  As more devices become “smarter” with code, hardware and features, history has told us that the unintended attack vectors will increase as well.  The IT/Security department must broaden its scope to include this brave new world.

VPN Haus: How should Black Hat attendees secure their data, if they plan to tap into their corporate networks at the show? Do you recommend attendees bring their own VPNs?

Carelock: The three most important words Black Hat attendees need to remember in regards to their data is encryption, encryption, and ENCRYPTION!  Realistically, users have not been able to store or send their data in cleartext and still maintain a reasonable expectation of security for many, many years now.  If it is data on your hard drive, then it should be encrypted.  If you are connecting back to your corporate network and passing the very lifeblood of your business (its data) through an unknown or hostile network, it HAS to be encrypted.  Personally, if it is possible, I would suggest even using your VPN connection in a “bridge mode” with no split tunneling, and do all your Internet surfing using your corporate infrastructure via the VPN tunnel.

Stay tuned for next week, when we talk to Travis about security issues that can emerge at Black Hat.

Infosecurity, Data breaches show need for better encryption key, certificate management
ComputerworldUK, The Sun hacked: How it happened 
Mobile Enterprise, How Secure Is Your Branch Networking?
Dark Reading, OMB Issues Security Guidelines For Federal Telecommuters
NetworkSecurityEdge, Security Departments Focus on Network Speed over Network Protection

By Bernd Reder

There’s a bevy of IT managers who probably yearn for the good old days, when they decided which cell phones and notebooks employees could use and which applications could be installed on them.

This isn’t today’s reality. Employees now expect to be able to use whichever device they want, whether it’s a BlackBerry, iPhone or Android-based device. Neither do employees want to be told they can only use the company’s “sluggish” laptop, instead of their own high-end notebooks.

According to a 2010 Unisys- IDC survey , employees of American companies, on average, use four to five consumer devices at work. For example, employees typically use a cell phone, a tablet PC (like Apple’s iPad), notebooks, USB drives and external hard drives. A staggering 95 percent of the surveyed employees said that they were using a device at work, which they had bought themselves.

Bottom-up, not Top-down

The “top-down” IT approach starts to take a back seat as the “bottom-up” approach becomes increasinglypopular. In the old “top-down” approach, the company prescribes which systems are to be used, whereas in the “bottom-up” approach, it is the employees who decide which systems suit their needs. The IT department then has to “miraculously” transfer companyapplications and data onto the employee’s preferred system.

So what does this mean for IT departments? Many IT managers don’t trust this development. They are afraidof losing control over their IT environment, which could lead to security problems and compliance risks.

Of course, managing the IT environment becomes more complicated when users bring in their own devices.This is especially true for mobile systems like smartphones and tablet PCs. However, there are also upsides to thissystem: employees are more content, they work more productively because they are allowed to use the systems they are used to, and theyrelieve the IT budget, if they pay at least part of the procurement costs for hardware and software.

A Problem that is None

However, a closer look at the security and compliance problems with personal IT devices actually shows that there are none! Having said that, it’s still important for companies to include personal mobile devices in their IT systems when these devices are also being used for business. Companies like Good Technology, Microsoft and Mobile Iron provide solutions for efficient Mobile Device Management (MDM).

The second central aspect is to secure access from mobile devices onto data and applications within the corporate network. NCP engineering* for example, offers a technology solution that can be easily integrated into the corporate network and onto mobile devices of all kinds. With solutions like this, consumerization becomes much safer to implement.  And employees will be able to work more efficiently and effectively.

*NCP engineering manages VPN Haus.

By Jeff Orloff

It was the day before the state’s standardized testing day, and I received a call from the assistant principal. At the school district where I was working, standardized testing is done mostly online, so it was certainly bad news when the assistant principal told me that half of the computers in the facility were not working. The school, located in a juvenile detention facility, had about 60 students using computers in eight  different rooms with three servers; a domain controller, an application server, and a media server for online courses that the students could take.

When I arrived at the school, one of the teachers showed me the strange problem. The teachers could not access any of the practice tests, retrieve documents, or access data from other network based applications. They could, however, get online and students could access their online courses — but the videos that delivered lectures were lagging.

Rogue Device to Blame

The computers were obviously attached to a network, since they were able to access the Internet. But running the simple IPCONFIG test on the computers showed a Class C network address opposed to the Class A block that was given out to all computers on the district network. Immediately, I thought that somehow our computers were connecting to the detention facility’s network. Checking one of their computers, I noticed that they, too, were using Class A IP addresses. Now I was starting to worry.

Clearly, something was on the network that was acting as a DHCP server. It would have been easy to ask the teachers if they had brought in a device that they shouldn’t have, but by this time everyone was gone for the day with the exception of myself, the administrator, and the one teacher who was helping me out. Using a laptop with RogueChecker installed on it, I was able to connect to the network and immediately find a server that was pushing out addresses to roughly half the campus. Now I just needed to find it.

RogueChecker in action

Using NetStumbler, I was able to look at the IP address of the server with the different wireless access points in the building. Sure enough, the server IP address of the rogue device shown in RogueChecker matched up with one found in NetStumbler. Using the signal strength indicator we could now narrow down our search to one wing of the building.

Identifying Rogue Devices

Sure enough, one of the classrooms had an off-the-shelf brand wireless router plugged into the network jack which was promptly removed. Once all the computers were restarted, we were able to restore access to network folders, data and most importantly the application that would run the assessment for the students the next day.

For a school this size, the process of finding the exact location of the rogue device was not that difficult a task. On a large secondary school, or university, the search would be more problematic and would take the efforts of many more people. In fact, one of the best methods I have seen to handle this task involves crowdsourcing.

The methodology is similar to this case. First the rogue device needs to be verified and then the location narrowed down using technology, generally more than one person searching for the device’s signal. Once you can eliminate a majority of the campus you need to enlist the help of as many willing participants as you can find to help search for the device by assigning each a geographic location that they are responsible for making sure that the assignments overlap as much as possible to ensure nothing is left unturned.