One of the first lessons I learned about business came from my first boss, Bill, the sole proprietor of a small retail shop where I worked after high school a few days a week: the customer is always right. Bill always told me that word-of-mouth advertising was much more valuable than paying for print or radio ads, because when a satisfied customer tells a friend about a good experience it makes a lasting impression. Even more-so the negative impression — if a customer goes away unsatisfied, they’ll tell even more people than if they were pleased with their shopping experience. So it was very important to smile (even when answering the phone), be courteous, helpful, and always look for an opportunity to make a bad experience a good one, or at least neutral, before the customer left.
Bill’s shop was a small-town business, and he knew that word travels fast in a small town, for better or worse. With social media, online customer reviews, and ubiquitous smartphones, shoppers are lured instantly to the best deals and away from the worst experiences. Now for even the largest businesses, much of that small-town atmosphere now applies to a global customer base, and handling this hyper-connected community can require great care. As we saw for one local contractor, sometimes an indelicate response to a customer’s bad experience can mean even greater negative publicity than before.
Customer service, public relations, and brand protection are disciplines in their own right, and I don’t presume to cover their concerns here. But each overlaps organizational security in key areas, including: protecting the organization, insuring adherence to defined policies, and communicating the customer’s or end user’s hardship back to the organization.
Read More »
“Disorder increases with time because we measure time in the direction in which disorder increases.” – Stephen Hawking, A Brief History of Time
F-Secure researcher Jarno Niemlä recently released a presentation on the increasing tendency for malware authors to sign their software with digital certificates. In the presentation, Niemlä notes a number of methods used by malware writers to produce and assign the signatures, as well as the implications of those signatures and what value, insight, or warnings they can provide to defenders. I’m thankful for Niemlä’s perspective, but thought it might be worthwhile to dive a little deeper into some of the subtexts that exist and perhaps lend some more context to F-Secure’s work, as well as our own brief coverage in the CRR.
Read More »
No doubt the eruption of social media applications, networks and tools has caused a significant ground disturbance; some would say it’s been a series of category nine earthquakes. I recently had the pleasure of reviewing the results of a Cisco commissioned survey provided to 500 information technology security professionals in the US, Germany, Japan, China, and India concerning social media and personal devices conducted by InsightExpress.
Do take the time to review these results, and in doing so I think you will share my realization, that with everything new there are unintended and unforeseen security issues, both real and perceived. These issues appear to be at the root of the substantial consternation amongst the participating information technology security professionals. Indeed, this multidimensional capability called social media is in fact permeating the hermetically sealed secure environments of our businesses, or so it would seem. It is time to get out the plow, hitch up the horses and hoe a few rows in order to plant the seeds to grow healthy and sustainable security practices and capabilities surrounding these concerns.
So let’s dig into the issues that are making the respondents twitch. “Our employees are using unsupported applications on their laptops.” Is that you making the comment? Or are they thinking of you when they responded? Are “unsupported” social media applications used at the office? Is it you? How about peer-to-peer (P2P) software and networks, is it a necessity of your business for you to be connected and sharing work content? Or perhaps you are using an externally hosted and maintained service (aka cloud); especially given the large number of respondents who indicated they had employee clientele doing just this. But I believe a bit more context needs to be evolved to fully understand the issue(s) or we may find ourselves making “much ado about nothing” (with a tip of the hat to The Bard).
Read More »
A blog post that appeared last Friday, observed that Facebook is signing their mail with DomainKeys Identified Mail (DKIM) using a 512-bit RSA key. The author went on to analyze the security of doing so as compared with a longer key, and concluded that a determined attacker could probably factor the public key quickly enough to be useful in sending falsified messages purporting to be from Facebook. The blogger, John Graham-Cumming, said:
Some months ago I started an 8 core Mac Pro machine at work on breaking this key. It ran for 70 days non-stop and was close to a break when I had to use the machine for something else.
If I can do that, pretty much anyone can. And those people will be able to forge mail from Facebook. Facebook has a simple solution, of course, just change the key length. And if you are using 512-bit RSA keys in your DKIM implementation, please stop.
PS The owner of a spam botnet could factor keys like that very quickly. Imagine having a few thousand machines that can be used for key factoring.
One question that comes to mind is how many other domains are using 512-bit keys? It’s hard to answer this question directly because one needs to know the “selector” (key name which is included in the signature) to look up the key, but some of the data Cisco has collected on DKIM metrics gives an approximation. The methodology is a bit indirect because we don’t collect the selector name for successful verifications (only for failures), but since we usually get a smattering of verification failures for domains sending us messages, we can use that data to infer the selector names they use.
Read More »
If you’ve ever taken a look at the (now deprecated) RFC-1700 (a.k.a. “Assigned Numbers”), or at its replacement, IANA’s maintained PORT NUMBERS database, you may have been as puzzled as I was about these two lines:
tcp-id-port 1999/tcp cisco identification port
tcp-id-port 1999/udp cisco identification port
What is that supposed to mean? Does Cisco IOS devices have some kind of custom IDENT server running on ports 1999/tcp and 1999/udp? Well… no. This is yet another instance of “gather around the campfire to hear a story.”
Read More »