Category Archives: End-user Focused

Child Pornography Resource Materials for Businesses

Posted on by
3

Sadly, as an information security professional, we are sometimes engaged with clients who either suspect or have discovered the presence of child pornography in their computing environment. Another way that such materials come to our attention, is during pen-testing or incident response work, we may discover the materials on a system and be forced to bring the materials to the attention of law enforcement.

In many cases, clients ask us why we are required to notify law enforcement, and/or why they are required to notify law enforcement about this material. Perhaps your organization has struggled with this in the past. In any case, we hope the following information helps organizations understand the US legal requirements for handling such materials. (If you live outside of the US, please consult local legal assistance for your laws and procedures.)(NOTE: MSI is not providing legal advice of any kind, consult your attorney or council for legal advice. This material is simply meant to be a pointer for education. MSI is NOT qualified to offer legal advice under any circumstance.)

The Department of Justice lists the following federal statutes for online child pornography:

  • 18 U.S.C. § 2251- Sexual Exploitation of Children (Production of child pornography)
  • 18 U.S.C. § 2251A- Selling and Buying of Children
  • 18 U.S.C. § 2252- Certain activities relating to material involving the sexual exploitation of minors(Possession, distribution and receipt of child pornography)
  • 18 U.S.C. § 2252A- certain activities relating to material constituting or containing child pornography
  • 18 U.S.C. § 2256- Definitions
  • 18 U.S.C. § 2258A- Reporting requirements of electronic communication service providers and remote computing service providers
  • 18 U.S.C. § 2260- Production of sexually explicit depictions of a minor for importation into the United States

A summary of these laws is that it is the federal law that mandates this duty to report specifically requires that “electronic communication service providers” report child pornography. (18 USC § 2258A. Reporting requirements of electronic communication service providers and remote computing service providers.) An “electronic communications service” means “any service which provides to users the ability to send or receive wire or electronic communications.” The term “electronic communication,” for purposes of the reporting requirement, means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.” All of which is to say that both the business/employer that provides the computer or phone system over which the data is communicated, as well as the IT company that helps the employer maintain those systems, are covered by this law. A business or IT service company ignores child porn at its peril. Failing to report the information to the National Center for Missing and Exploited Children violates the Section 2258A reporting requirements. Deleting the material might make the company an accessory to the underlying crime of possessing the information in the first place. Making copies of the material and then transmitting the copies, except at the direction of law enforcement officials or as required by section 2258A, also runs afoul of the laws proscribing possession of child pornography. A first violation of Section 2258A carries a penalty of up to a $150,000 fine. A second violation can be penalized by up to $300,000.

A full summary of other elements of Child Pornography laws from the Department of Justice website is here.

According to the Department of Justice website, to report an incident involving the production, possession, distribution, or receipt of child pornography, file a report on the National Center for Missing & Exploited Children (NCMEC)’s website or call 1-800-843-5678. Your report will be forwarded to a law enforcement agency for investigation and action as detailed here.

It may be required or optional to report to local law enforcement as well, and is dependent on state and local laws and statutes.

According to the National Conference of State Legislatures website, the state of Ohio does not have explicit state policies requiring businesses to report the incident, as detailed here (as of Sept 2013), though again, local statutes may vary by location.

We also found this article, which might be helpful in understanding risks from a legal perspective for businesses who might find child pornography on their server, as it lays out a process for organizations to follow.

Lastly, this white paper from the American Bar Association may also prove useful for organizations.

Let’s Get Proactive with End User Security

Posted on by
2

Where do most of the threats to the security of our IT systems lurk? The Internet, of course! Powerful malicious software apps are all over the Net, like website land mines, just waiting to explode into your computer if you touch them. And how about accessing social networks from your company work station? Do you really think that content on these sites is secured and only available to those you chose to see it? If so, then Im sorry to disillusion you.

So why do most concerns still let their employees casually access and surf the Web from their business systems? Especially in the present when most everyone has a smart phone or pad with them at all times? Businesses should embrace this situation and use it to their advantage. Why not set up an employee wireless network with all the appropriate security measures in place just for Internet access? (This network should be totally separate from business networks and not accessible by business computers). Its not expensive or difficult to administer and maintain a network like this, and employees could access websites to their hearts content (on their off time of course). And for those employees that are without a smart phone (an ever dwindling few), you could stand up a few kiosk computers that they could access using their employee wireless network password.

As for employees that need Internet access to perform their work duties, you should lock their access down tight. The best thing to do is to add needed websites to a white list and only allow those employees with a business need to access only those websites that are necessary and no others. Black listing and web filtering are partially effective, but they dont really work well enough. I cant tell you how often we have seen such filters in place at businesses that we assess that prevent access to gaming and porn sites, but still allow access to traps like known malicious websites in foreign countries! Go figure.

And dont forget to properly segment your business networks. Users should only be allowed access to those network resources that they need for business purposes. Users in workstation space should never be allowed to seeinto server space. Preventing this will go a long way in curtailing attacks from the other big danger the malicious insider. 

Thanks to John Davis for writing this post.

Deals for Replacing XP for Home & Small Business

Posted on by
4

Now that Windows XP is end-of-lifed, it is wise to replace it at home and in businesses of all sizes. Malware and vulnerabilities for XP are likely to skyrocket over the coming months, making it a very unsafe platform, indeed.

To help with replacement, we at MSI went shopping for some deals on Windows 7 and Windows 8 for you. Here are the deals we found on newer Windows software. Please note, we have no affiliation with any of these vendors and can’t recommend them in particular. We simply found the best prices we could identify for Windows OS. Your milage and paranoia may vary.

Here are the deals we could find:

For one PC license of Windows 7 Pro for as low as $69.99.

If you need more than one,  the lowest is $219.99.

For Windows 8 Pro – $79.94 for single computer use.

The price is $199.99 for multiple computer to use Windows 8 Pro.

We hope that helps some of you who still need to upgrade. Until next time, thanks for reading & stay safe out there! 

OpenSSL Problem is HUGE – PAY ATTENTION

Posted on by
1

If you use OpenSSL anywhere, or use a product that does (and that’s a LOT of products), you need to understand that a critical vulnerability has been released, along with a variety of tools and exploit code to take advantage of the issue.

The attack allows an attacker to remotely tamper with OpenSSL implementations to dump PLAIN TEXT secrets, passwords, encryption keys, certificates, etc. They can then use this information against you.

You can read more about the vulnerability itself here. 

THIS IS A SERIOUS ISSUE. Literally, and without exaggeration, the early estimates on this issue are that 90%+ of major web sites and software packages using OpenSSL as a base are vulnerable. This includes HTTPS implementations, many mail server implementations, chat systems, ICS/SCADA devices, SSL VPNs, many embedded devices, etc. The lifetime of this issue is likely to be long and miserable.

Those things that can be patched and upgraded should be done as quickly as possible. Vendors are working on patching their implementations and products, so a lot of updates and patches will be forthcoming in the next few days to weeks. For many sites, patching has already begun, and you might notice a lot of new certificates for sites around the web.

Our best advice at this point is to patch your stuff as quickly as possible. It is also advisable to change any passwords, certificates or credentials that may have been impacted – including on personal sites like banking, forums, Twitter, Facebook, etc. If you aren’t using unique passwords for every site along with a password vault, now is the time to step up. Additionally, this is a good time to implement or enable multi-factor authentication for all accounts where it is possible. These steps will help minimize future attacks and compromises, including fall out from this vulnerability.

Please, socialize this message. All Internet users need to be aware of the problem and the mitigations needed, even for personal safety online.

As always, thanks for reading, and if you have any questions about the issues, please let us know. We are here to help!

On Complexity & Bureaucracy vs Security…

Posted on by
5

“Things have always been done this way.” —> Doesn’t mean they will be done that way in the future, or even that this is a good way.

“We know we need to change, but we can’t find the person who can authorize the changes we need.” —> Then who will punish you for the change? Even if punishment comes, you still win, as you’ll know who can authorize the change in the future.

“We don’t have enough time, money or skills to support those controls, even though we agree they are necessary.” —>Have you communicated this to upper management? If not, why not? How high have you gone? Go higher. Try harder.

“That’s too fast for our organization, we can’t adapt that quickly.” —>Welcome to the data age. Attackers are moving faster that ever before. You better adapt or your lack of speed WILL get exploited.

In many of my clients, complexity and bureaucracy have become self re-enforcing regimes. They lean on them as a way of life. They build even more complexity around them and then prop that up with layers and layers of bureaucracy. Every change, every control, every security enhancement or even changes to make existing tools rational and effective, is met with an intense mechanism of paperwork, meetings, “socialization” and bureaucratic approvals.

While many organizations decry “change management” and “security maturity” as being at the core of these processes, the truth is, more often than not, complexity for the sake of bureaucracy. Here’s the sad part, attackers don’t face these issues. They have a direct value proposition: steal more, get better at stealing and make more money. The loop is fast and tight. It is self correcting, rapid and efficient.

So, go ahead and hold that meeting. Fill out that paperwork. Force your technical security people into more and more bureaucracy. Build on complexity. Feed the beast.

Just know, that out there in the world, the bad guys don’t have the same constraints.

I’m not against change controls, responsibility or accountability, at all. However, what I see more and more of today, are those principals gone wild. Feedback loops to the extreme. Layers and layers of mechanisms for “no”. All of that complexity and bureaucracy comes at a cost. I fear, that in the future, even more so than today, that cost will be even more damage to our data-centric systems and processes. The bad guys know how to be agile. They WILL use that agility to their advantage. Mark my words…  

Tool Review: Lynis

Posted on by
1

Recently, I took a look at Lynis, an open source system and security auditing tool. The tool is a local scanning tool for Linux and is pretty popular.

Here is the description from their site:
Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Beside security related information it will also scan for general system information, installed packages and possible configuration errors.

This software aims in assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
– Available authentication methods
– Expired SSL certificates
– Outdated software
– User accounts without password
– Incorrect file permissions
– Configuration errors
– Firewall auditing 

As you can see, it has a wide range of capabilities. It is a pretty handy tool and the reporting is pretty basic, but very useful.

Our testing went well, and overall, we were pleased at the level of detail the tool provides. We wouldn’t use it as our only Linux auditing tool, but is a very handy tool for the toolbox. The runs were of adequate speed and when we tweaked out the configs with common errors, the tool was quick to flag them. 

Overall, we would give it a “not too shabby”. 🙂 The advice is still a bit technical for basic users, but then, do you want basic users administering a production box anyway? For true admins, the tool is perfectly adequate at telling them what to do and how to go about doing it, when it comes to hardening their systems.

Give Lynis a try and let me know what you think. You can give me feedback, kudos or insults on Twitter (@lbhuston). As always, thanks for reading! 

Make Plans Now to Attend Central OH ISSA Security Summit 2014

Posted on by
2

Brent will be speaking again this year at the ISSA Security Summit in Columbus

This year he has an interesting topic and here is the abstract:

A Guided Tour of the Internet Ghetto :: The Business Value of Tor Hidden Services

Following on the heels of my last set of talks about the underground value chain of crime, this talk will focus on a guided tour of the Internet Ghetto. You may have heard about Tor, the anonymizing network that rides on top of the Internet, but this talk takes you deep inside to visit the slums, brothels & gathering places of today’s online criminals. From porn to crimes against humanity, it is all here.

This talk will discuss Tor hidden services, help the audience understand what they are, how they operate, and most importantly, how to get business and information security value from them. If you think you know the dark side of the net, think again! Not for the feint of heart, we will explain some of the ways that smart companies are using hidden services to their benefit and some of the ways that playing with the dark side can come back to bite you.

Take aways include an understanding of Tor, knowledge of how to access and locate hidden services and underground content, methods for using the data to better focus your business and how to keep an eye on your kids to make sure they aren’t straying into the layers of the onion.

 Come out and see us at the Summit and bring your friends. It’s always interesting and a great event to catch up with peers and learn some amazing new stuff. See ya there!

Topic Analysis with TigerTrax

Posted on by
3

Recently, my team was asked to use our TigerTrax platform to observe a body of social media content around a specific topic for 12 hours and extract meaningful data. The topic chosen by the client was “fracking”.

As you might expect, there was quite a bit of conversation on the Internet about fracking during that period. The client wanted specifically to focus on a specific set of data and to identify potential activism or criminal activities that might be gathered from the data set. So, mission in hand, we engaged the TigerTrax platform and after 12 hours of data gathering, began our analysis.

The data we extracted was pretty amazing to the client. They were quite interested in some of the findings. For example, we identified and presented the client with:

  • A word cloud of specific topics found in the data set and their relationships
  • A list and frequency count of the keywords used in the data
  • A ranked list of hash tags used to communicate
  • The top retweeted/reposted posts during the period
  • Profiles and demographics of the most influential posters during the period
  • Analysis of a variety of multimedia content for “virality” and potentially dangerous impacts
  • We identified an emerging damaging PR issue that the client was able to get in front of
  • Details of an organized campaign to damage the reputation and safety of executives
  • Videos and diagrams educating activists in vandalism and other aggressive techniques

The client was able to use this information to help educate their membership, strengthen their security during protest events and to better understand some of the emerging PR concerns around their operations. They also began to work with ISPs and other service providers to begin takedown requests for the more illicit content.

This is just a sample of some of the ways that clients are leveraging the new TigerTrax platform to assist them with business needs. Get in touch and let us know your ideas or specific problems and we will see how we can help. If you want to know what the world is saying and how it affects you, TigerTrax just might be the solution you are looking for.

Topic analysis can be performed with TigerTrax as a single deep dive event with a customized report delivered and open for re-use with other clients, or can be completely customized to the client organization and solely for their use. Ongoing monitoring and analysis of topics and events can also be done as a part of the TigerTrax services. If you would like to hear more about the TigerTrax platform, or Topic Analysis, please give us a call at (614) 351-1237 extension 206. You can also reach out to me on Twitter (@lbhuston), and we can arrange a discussion. 

As always, thanks for reading and until next time, stay safe out there.

CMHSecLunch for March is 3/10/14

Posted on by
5

J0289893

March’s CMHSecLunch is scheduled for March 10, 2014. The time is 11:30 to 1pm Eastern. The location this month is the Tuttle Mall food court. We usually meet pretty close to the middle of the place, but a bit away from the giant germ ball fountain. 🙂

I will not personally be able to attend this month, but will be back in full swing for the April edition. So enjoy this month without me and I we can break bread together in a short while.

As usual, you can register for the event (not needed), and find more details here. CMHSecLunch is open to all, free to attend and has been a tradition now in the security community for a couple of years. So, grab a friend, have some food and engage in some great conversation. We can’t wait to see you! 

Defending A Client with TigerTrax Investigative Services

Posted on by
1

Rounding out this week of TigerTrax™ blog posts, I wanted to discuss a particular case where we used our investigative social media and forensics capabilities to defend a professional sports client who was being accused of some illicit behavior. The case is a fairly powerful example of how TigerTrax can be used for reputational defense.

In this incident, the player was approached online by a young lady. This young lady began following the player on many social media networks, and the player’s software automatically followed/friended back the young lady, just as it does for all of the player’s followers on the social media networks. Over the next few weeks, the young lady in question began several conversations with the player. They would begin innocent enough, but would then begin to be filled with innuendo and inappropriate overtones. The player responded to the conversations, but remained in line with expected conversations that you would want a player to have with fans. The player, at no time, responded to any of the innuendo or more sexual content.

Later, the young lady began to edit the player’s content, posting it to other social networks and bragging about it to her high school friends. Eventually, her parents were informed, and confronted the young lady. The young lady told a story to her parents ~ a story that involved the player initiating the contact and being the one who was pursuing inappropriate overtones. The parents, naturally enraged, contacted the team and the player to discuss the situation. MSI was retained by the team to investigate prior to the meeting and provided with a printed version of what the young lady asserted were the details of the conversation online.

MSI leveraged the power of TigerTrax to gather the social media content relevant to the engagement. We captured both sides of the conversations, and to our amazement, we discovered that the young lady had edited the content to fit her tale. Many of the posts in her printed version of the conversation were heavily edited. Most of the posts made by her were deleted from her version (and in some cases deleted by her from the social media sites, but cached in TigerTrax archives and the search engines). Recreating the entire timeline and assembling the real content was done by the MSI analysts, and in the end, the factual stream of data was presented to the team. Once the parents and the young lady were provided with the copies of the report at the meeting, the young lady admitted her fabrication and came clean with the whole story. The parents apologized and the team and player expressed their understanding and completed the incident with their reputations intact.

MSI was proud to be able to help a client defend their reputation. We believe these capabilities will be a powerful addition to many professional sports teams, talent agencies and corporations who are seeking to protect their reputational integrity and remain vigilant against online behaviors that could damage their brand. To learn more about TigerTrax and the services surrounding it, please contact your account executive or reach out to me via Twitter (@lbhuston). We look forward to working with you.