Ghost in the Wires

Ghost in the Wires by Kevin Mitnick and William L Simon is perhaps the seminal work on social engineering by one of the industry’s most famous exponents. Mitnick attained a certain amount of notoriety by going on the run for two years before finally being apprehended by the FBI, but I think that his biggest claim to fame is his ability [as alleged by prosecutors] to be able to phone NORAD, whistle down the line and launch a nuclear strike. This is obviously preposterous, and is not something that will be discussed in the rest of this article.
When reading the book the first time, I was struck by how early Mitnick embarked on his career as a social engineer. Persuading an LA bus driver to divulge where he could get a machine like the one used to punch tickets at the age of 12 shows how a bit of knowledge and the knack of talking to people can reap dividends.

I also particularly enjoyed the episode Mitnick describes in a South Dakota registrar’s office. Having explained that he was a private investigator, he was given a desk and ultimately given access to the Crown Jewels – blank birth certificates and the official embossing tool for them. In a short space of time he had all the documentation he needed to continue to reinvent his identity as and when needed. Patience and an open personality, with an eye on the prize in the long game again produced rewards.

Having called in to the NSA itself (and in the wake of Snowden’s revelations how ironic is that) and accidentally overheard a conversation about himself must have been incredible. It’s unsurprising that Mitnick didn’t dare to push his luck by calling in again.

It felt that throughout the book Mitnick was at pains to explain how he never hacked anything, just persuaded people to give him access through what he said and how he said it. He also made it clear that he wasn’t doing any of it for financial gain, but more as a test of his abilities, which were honed and improved over the years. Having a remarkable memory for numbers obviously helped tremendously.

I’m not convinced that downloading / obtaining source code and trawling through it for bugs which could be exploited is as innocent as he claims: at the very least, whoever he told about the vulnerabilities may have committed serious crimes.

This was an interesting book, and one which should be on every security professional’s reading list.

The Code Book

Having seen Simon Singh explaining how the Enigma machine worked while at a conference, I picked up this book. It charts the history of codes and ciphers from well before Roman times to the current day, and shows how they have developed over time. It was also very useful to read the difference between code (replacing words) and ciphers (replacing letters): most of what was discussed in the book fell into the latter category.

Singh writes in a very clear and informative manner, and makes the history of the topic interesting and at times exciting. I have to confess that some of the maths which was used went over my head, though I understood the general meaning in what was being said.

I was fascinated by the work done to understand the Linear A and Linear B languages, and the fact that initially scholars of Ancient Greek were convinced that neither text were part of that language: it must have been incredible for the person who finally worked out that Linear A was indeed Greek, albeit 500 years older than that used by Homer 3000 years ago.

The assertion that the most unbreakable code was that used by the Navajo code talkers in the Second World War is quite an interesting one. I understand that if you use a language that no-one else understands, then you improve the chances of it not being understood, but the fact that new phrases had to be introduced for English words which don’t appear in the native language must introduce some opportunities for the code breakers to make a start. Some form of frequency analysis would have some effect, but I think that the differences between Japanese kanji and English Roman script had something to do with it too.

The development of near-identical public key cryptography technologies by mathematicians in the US and the U.K. at approximately the same time is also an interesting revelation. (Diffie-Helman and RSA were both more or less simultaneously discovered on either side of the Atlantic, though GCHQ were slightly ahead in each case.) The fact that the cryptologists in the UK were based at GCHQ and therefore unable to share any of their work externally (or to review external solutions) shows I think that given enough time any technology can be “discovered” by different people in different locations.

In summary, I believe that this book is a good introduction to many different concepts, along with many good examples of each concept. It is well worth reading.

Certified Information Systems Security Professional

In November 2015 I attended a week long bootcamp at Firebrand Training in Wyboston, England. From the Sunday to the Saturday thirty or more students sat in the classroom and tried to take in all of the course materials, ready for an exam on the Sunday.

The exam itself is computer based, 250 multiple choice questions, and you’re given six hours to complete it. You are permitted to take breaks, and the training centre laid on food and drink so you could freshen up a bit before getting back to the exam.

I have to say that if I hadn’t had years of experience to call on, and if I hadn’t done the Certified Ethical Hacker (CEH) qualification a few years before I would probably have struggled with some sections. As it was, I passed and then had to apply for my certification proper.  That involved completing a questionnaire and finding an existing Certified Information Systems Security Professional (CISSP) to vouch for me, then waiting for several weeks before being given the good news.

As with the CISM and CEH designations, recertification requires at least 120 hours of Continuing Professional Education (CPE) in related topics over three years. As I have only recently gained the accreditation, I don’t have to recertification until 2019.

In my opinion, the CISSP from (ISC)2 was the hardest certification for me to pass, though the course for CEH was much more intense.

If you can’t explain it to…

…those with no knowledge of a subject, then you probably don’t understand the topic well enough yourself.  (That’s more or less what Einstein said, but he contradicted himself by also saying, on another occasion, that “If I could explain it to the average person, I wouldn’t have been worth the Nobel Prize”.)

The first statement is a truism I think, one that I’ve sought to address with my posts here.  The main aim of that section on my blog is to get away from confusing words and language, and to explain things so the layman can understand them.  I’ve even had positive feedback on one of the articles from my father, who said he understood it all – not bad for a silver surfer! (Him, not me!)

Too often too much jargon is used, in all walks of life.  You just need to hear the experts being interviewed on the news – how many times do they launch into language which just confuses the rest of us? Using jargon, acronyms and other terms which have special meaning in that subject doesn’t help understanding for the uninitiated.

I’ve spent much of my working life in IT and Security, with a bit of engineering thrown in.  I’ve never been able to maintain the technobabble that so many of my peers manage, and have made a point of trying to explain things simply and in plain English.  It even helped me in one role where I actually worked as a sort of translator between the really bright, techie guy who couldn’t explain things simply, and his boss who was a technophobe.  I can effectively translate from very technical into English, but I’m not too good at going the other way.  That’s no bad thing though, in my opinion, as I never like to assume that people understand everything first time round anyway – if I’ve put my thoughts into plain terms in common usage, then there’s less chance of misunderstanding.

I got my inspiration from this piece from http://patriciasplace.me/in-other-words/ – it’s the item for #40.  Pop over to the site and have a look around!

What are backups, and when / why are they needed?

As I’m keeping this simple, I guess I should start by explaining what a backup is, and why it’s necessary. (Apologies to those who know, but if my blog item on Patching was Security 101, then this is surely part of IT 101!)

A backup is simply a copy of one or more files kept on a different device than your working version. You need one so that if the original file is lost, damaged or deleted, then you won’t have to recreate it from the beginning. Some files are irreplaceable e.g. family photos in the digital age (because we no longer get film negatives with our snaps) so we need to be careful.

Here’s a question: do you backup your home PC, laptop, smartphone, tablet etc on a regular basis?

  • Those of you using the iCloud or something similar – well done. (As an aside, and not part of this discussion – have you thought about how secure the data is there: after all, you don’t control who has access do you?) You probably just need to worry about how often you back up to that cloud storage and whether you have an Internet connection at the time you need it.
  • Those using iTunes or similar – that’s great, your device is backed up, but what if the place you backing up to e.g. your home PC dies?
  • As for the rest – do you use a thumb drive or external hard drive of some sort?

Another question to consider is: how often do your files change? If you have a document which you work on regularly e.g. accounts for a social club, it may be something you need to backup regularly. If it’s a treasured family photograph, or an invoice for an online purchase, the file won’t change but you should really have at least one backup copy.

There are many backup solutions available. Perhaps the simplest is to use an external hard drive or a thumb drive (also called a memory stick, USB drive, pen drive etc) and simply copy the files you want across to it. Make sure you keep the drive in a safe place (not next to your computer though: if the computer goes up in flames during a house fire, having files copied on a device sitting next to it probably won’t be any use) and, if the data on it is sensitive you may want to encrypt it. (Hmm, I think I’ll need to write a separate post on encryption!)

As you can infer from above, there are many cloud based services like the Apple iCloud or Microsoft’s Office 365 where you can hold all your files and not have to worry about messing around with thumb drives etc. Personally, if I was going to use them for some of my own sensitive files, I’d ensure I used some of their more secure services like two factor authentication.

That sounds scary and technical, but it’s basically a combination of a password and a code generated on a separate device (as they say in the trade, it’s something you know and something you have, which “proves” you are you). That device may be software on a phone, a pin code that’s sent to your phone or email, or it may be a physical thing like a fob which your bank provides: I have one which looks a bit like a small calculator which I have to slide my bank card into, and it gives a code which I have to type in on the website before I can access my account details.

There’s another time when you should seriously consider making sure you have backed up your data properly, and if you don’t do it at any other time then you should make sure you do it when … upgrading your device and / or the operating system software on it. Apple tend to force the backup if you use iTunes, because that’s the first thing they do before upgrading the software. Given that right now many people will be eligible to upgrade their Windows version for free (if it’s a personal device which is compatible and running specific earlier versions, it’s worth making sure your essential files are backed up before you start.

Patching – what’s all the fuss about?

I suppose this falls under Security 101, one of the most basic things we’re all encouraged to do with our technology, but there’s always a reason to postpone it:

  • My machine slows down while it’s downloading the latest patches
  • I’m worried that things won’t work afterwards
  • I keep having to reboot my machine, sometimes several times during one set of updates
  • I’m busy just now, can I not just do it later?
  • I don’t use the Internet much, so my device can’t be infected
  • I’m not using Microsoft, so there’s no need to patch
  • ….and, well, you know how it goes on….

I’m sure you’ve got your own versions of these, but the point is that these are all just excuses for something that should just be part of your normal experience – in my opinion.

Should we patch absolutely everything? I.e. should we install all updates for all products as soon as they’re available? No, I don’t think so. We should base our patching strategy on a risk assessment. If you find out about a patch for one software programme – let’s say Microsoft PowerPoint – but don’t have PowerPoint on your device, do you need to apply that patch? Not if it only addresses vulnerabilities in PowerPoint, as your device doesn’t have that vulnerability. But if the patch includes other packages which you do have installed eg Excel, then yes, you should.

Why am I picking on Microsoft? Just in order to use program names that we’re most likely to be familiar with. The same principles apply equally to other vendors and other software packages. Software has vulnerabilities, it’s inevitable. If there are none on the day it is released someone somewhere will find some soon afterwards. And the more valuable the data you access through the software, the more likely someone is try to create an exploit for that vulnerability.

In my opinion, you should patch regularly i.e. keep patches up to date. Apart from anything else, this lessens the amount of time spent downloading updates, as you’re keeping on top of things (in many respects, the same goes for antivirus updates too). Patch what you have to, but eg if the patch is for a Mac and you’re using Linux, why apply a Mac patch unless the patch also applies to Linux devices.

Not using the Internet often is no protection either. The only truly secure device (from Internet attack anyway) is one which does not have any form of external interface (wifi, wired, serial cable, whatever) and which is never connected. Some well known legitimate websites have been targeted and have had malicious code embedded in them, infecting users who are only browsing (because no software is totally secure, right?). Botnets are out there looking (in an automated way) for vulernable machines, so you only need to connect once to run the risk of infection. It’s a bit like contraception – if you don’t ever have sex, you’re unlikely to get pregnant, but do it just once without any form of protection and pregnancy is a very real risk.

If you’re only looking at your personal / home PC / laptop / tablet etc, then you’re unlikely to have a test environment. This is the best place to try out new patches, but if you’re a home user then you probably don’t have the luxury of testing things there. In any event, its notoriously difficult to configure your test environment to exactly match your real, live environment, down to version numbers of DLLs and other components, so you’re probably just testing in a representation of your live environment and there will still be some risk when you deploy for real. So what should you do?

This is where having a good, robust (and tested) backup regime comes in. More on that in a future post, so watch this space…