If you tell enough stories, perhaps the moral will show up.

2009-06-26

Maxims

These (http://www.ne.anl.gov/capabilities/vat/seals/maxims.html) from the security team at the US Argonne National Laboratory are worth a three-day seminar...

2009-06-15

Ouch!

As Fail goes, this one is a) personal and b) embarrassing.
Four years ago, just as I was starting this position, I met a recent contractor leaver on the train. In our conversation it emerged that he was getting email from his work account. I asked him how and he wouldn't tell me. Playful, but definite, refusal. I think he wanted to impress me with his skills. I checked -- with some difficulty, our logging is better now -- and his account was definitely disabled, the VPN accesses made sense, and I had a hundred other holes to fix, so I let it go. He was an honest man, so I was annoyed rather than fearful.
Now one of the things we fixed, as four years roll by, is the leaver process. Accounts are disabled on departure and deleted after three months and we have two independent cross checks to confirm that. Home drives and mailboxes are kept for three months for reference, archived, and deleted with the account.
So now, in 2009, we're looking at data leakage. I wrote a report to identify top correspondents to specific mail addresses -- looking for a John Smith sending two hundred mails a week to johnsmith8209@yahoo.com. To cut a long story short, I found what I was looking for, but I also found, way up that list, a leaver: left a couple of months ago. She shouldn't have been sending anything, but there it was -- all off to personal accounts -- several of them, apparently.
And this is my problem. We disable the accounts and log off or rebuild the workstations, but that doesn't -- contrary to all the assumptions of auditors and provisioning experts -- stop leavers from running code. You can't disable an Exchange mailbox, and so any server-side rules -- and yes, that includes forwarding rules -- will continue to run.
I don't quite know what to do about this.

  • It's quite laborious to set up to remove rules from someone else's mailbox, as Outlook only displays rules from the primary mailbox.
  • The MAPI Editor lets you remove rules if you attach the box to your profile, but it's a complex tool with a huge capacity for mischief or misfortune, and anyway I'd really rather disable them.
  • There are some gateway options, but they're very global, and I don't want a global ban (I might go for it though, if it's all I can do.)
  • We could do the box early in the leavers process, but not instantly, and that's when I want the rules to stop.
It seems like there should be a utility -- point it at a mailbox and it unchecks the "enable" on every rule that forwards mail -- ideally, every rule that forwards mail to a non-local address. I can find documentation for Exchange 2K10 which has Get-InboxRule and Disable-InboxRule. But twenty minutes with MAPI Editor shows me it may not be that easy...
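Here is the shape of the utility described above, written against the Exchange 2010 Management Shell cmdlets the post mentions (Get-InboxRule and Disable-InboxRule). This is an added example, not code from the original post: it lists the rules in a given mailbox that forward, forward-as-attachment or redirect to an SMTP address outside a list of internal domains, and unchecks them rather than deleting them. The mailbox names, the leavers file and the domain list are assumptions for the example; the `[SMTP:addr]` pattern is the display form Exchange uses for SMTP recipients in rule output.

```powershell
# Added example (not from the original post). Assumes the Exchange 2010
# Management Shell, where Get-InboxRule / Disable-InboxRule exist.
# Mailbox identities, the leavers file and the internal domain list are assumptions.

function Get-ExternalForwardingRule {
    param(
        [Parameter(Mandatory = $true)] [string]   $Mailbox,
        [Parameter(Mandatory = $true)] [string[]] $InternalDomain
    )
    # Exchange renders rule targets as '"Display Name" [SMTP:user@domain]' for SMTP
    # recipients and as '[EX:/o=...]' legacy DNs for recipients inside the org.
    $smtpPattern = '\[SMTP:([^\]]+)\]'

    foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
        # All three actions that push a copy of the mail somewhere else.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = foreach ($t in $targets) {
            if ($null -eq $t) { continue }
            $m = [regex]::Match([string]$t, $smtpPattern)
            if (-not $m.Success) { continue }            # EX: recipient, treat as internal
            $addr   = $m.Groups[1].Value
            $domain = $addr.Split('@')[-1]
            if ($InternalDomain -notcontains $domain) { $addr }
        }
        if ($external) {
            # New-Object rather than [pscustomobject]: the 2010 shell runs PowerShell 2.0.
            New-Object PSObject -Property @{
                Mailbox    = $Mailbox
                Rule       = $rule.Name
                Enabled    = $rule.Enabled
                External   = ($external -join '; ')
                RuleObject = $rule                       # kept so it can be piped to Disable-InboxRule
            }
        }
    }
}

function Disable-ExternalForwardingRule {
    param(
        [Parameter(Mandatory = $true)] [string]   $Mailbox,
        [Parameter(Mandatory = $true)] [string[]] $InternalDomain,
        [switch] $ReportOnly                             # list offenders without touching them
    )
    $hits = Get-ExternalForwardingRule -Mailbox $Mailbox -InternalDomain $InternalDomain
    foreach ($hit in $hits) {
        if ($hit.Enabled -and -not $ReportOnly) {
            # Disable leaves the rule in place, unchecked; Remove-InboxRule would delete it.
            # -AlwaysDeleteOutlookRulesBlob suppresses the warning that Outlook client-side
            # rules will be discarded, which does not matter for a leaver's mailbox.
            $hit.RuleObject | Disable-InboxRule -Confirm:$false -AlwaysDeleteOutlookRulesBlob
            $hit.Enabled = $false
        }
        $hit | Select-Object Mailbox, Rule, Enabled, External
    }
}

# Usage (assumed file of mailbox identities, one per line): report first, then disable.
# Get-Content .\leavers.txt | ForEach-Object {
#     Disable-ExternalForwardingRule -Mailbox $_ -InternalDomain 'example.com','example.co.uk' -ReportOnly
# } | Format-Table Mailbox, Rule, Enabled, External -AutoSize
```

Two things to confirm in your own environment before relying on it: whether Get-InboxRule can still open a mailbox whose AD account has already been disabled, and that a forward to an internal mail contact (which shows as an EX: recipient even when the contact points to an outside address) would be missed by the domain check and needs a separate look at Get-MailContact.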

2009-06-04

In Favour of Delinquency

Anti-virus software doesn't work if it's not installed, running, and updating signatures. What with one thing and another, it's hard to keep AV installed and running on every machine, and so we need a metric to manage by.

It's conventional to measure coverage: "90% of our machines have updated their signature file within the last week". The number and the age are arbitrary -- it could be 80% or 99% or whatever within a day or a month. (But it certainly seems hard to stay above 90% with McAfee....)

But I think coverage is an inadequate target, especially for servers. You have to watch it, certainly, but it's not enough. The problem is that a coverage report says nothing about how long machines are out of compliance -- you risk being satisfied that some machines never, ever, have current AV scanners. Imagine a network with a thousand machines -- if everything is up to date except for two file servers and the DCs, then your coverage is over 99%, but your overall situation is not at all pretty.

Worse, coverage isn't a good guide to the best next action. Are you going to fix the agent on that critical server with its rare maintenance window? Or patch up a couple of workstations? If you just want to get the coverage up you're going to choose the workstations, and you'll be wrong to do so.

Delinquency is a different metric. It measures the proportion going unfixed. It's the percentage of the non-compliant machines in the latest snapshot that were also unfixed at an earlier one, and haven't been fixed in between. The lower the delinquency the better -- a high delinquency means that AV installs are breaking and not getting fixed, a low one means that you are keeping up with the workload.

The levels I like are these:

  • For servers, I think the delinquency should be zero, but the lookback period should allow for the time taken to get a maintenance slot on a server. For us, that's seven weeks. It's simply a claim that everything should be fixed in one maintenance cycle, so you can't leave those DCs without current AV.
  • For workstations, some delinquents are acceptable. So we say 10%, with a lookback of one week.
It's not ideal. It's harder to compute as you need historical data. But it does tell you what to do first.

And coverage? Well, if you're fixing the breaks, it hardly matters. Like all metrics, delinquency can be gamed if it's your only target, so the best plan is to set something easy like 90% and leave it at that.
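To make the definition concrete, here is the delinquency calculation as an added example (not from the original post), alongside coverage for comparison. It takes a series of dated snapshots of non-compliant hosts, picks the snapshot at or before the lookback date as the baseline, and counts a host as delinquent only if it is non-compliant in the latest snapshot, in the baseline, and in every snapshot between (that is, never fixed in between). The thresholds are the post's own: servers 0% over a seven-week lookback, workstations 10% over one week. The inventory, hostnames and snapshot dates are constructed for the example.

```powershell
# Added example (not from the original post). Inventory, hostnames and snapshot
# dates below are constructed; thresholds follow the post's stated targets.

# Constructed inventory: host -> role.
$Inventory = @{
    'FS01' = 'Server'; 'FS02' = 'Server'; 'DC01' = 'Server'; 'DC02' = 'Server'
    'APP01' = 'Server'; 'APP02' = 'Server'
    'WS001' = 'Workstation'; 'WS002' = 'Workstation'; 'WS003' = 'Workstation'
    'WS004' = 'Workstation'; 'WS005' = 'Workstation'; 'WS006' = 'Workstation'
}

# Constructed snapshots: 'yyyy-MM-dd' -> hosts whose signatures were out of date that day.
# 2009-04-13 is exactly 49 days (seven weeks) before 2009-06-01.
$Snapshots = @{
    '2009-04-13' = @('FS01', 'FS02', 'DC01', 'DC02', 'WS001', 'WS002')
    '2009-05-25' = @('FS01', 'FS02', 'DC01', 'DC02', 'WS003')
    '2009-06-01' = @('FS01', 'FS02', 'DC01', 'DC02', 'WS003', 'WS004', 'WS005')
}

function Get-AvDelinquency {
    param(
        [hashtable] $Inventory,
        [hashtable] $Snapshots,
        [string]    $Role,
        [int]       $LookbackDays,
        [int]       $MaxDelinquency      # percentage you are prepared to tolerate
    )
    $dates  = @($Snapshots.Keys | Sort-Object)
    $latest = $dates[-1]
    $cutoff = ([datetime]$latest).AddDays(-$LookbackDays)

    # Baseline: the most recent snapshot at or before the lookback date.
    $baseline = @($dates | Where-Object { [datetime]$_ -le $cutoff }) | Select-Object -Last 1
    if (-not $baseline) {
        Write-Warning "Not enough history for a $LookbackDays-day lookback on $Role"
        return
    }
    $span = @($dates | Where-Object { [datetime]$_ -ge [datetime]$baseline })

    $inRole    = @($Inventory.Keys | Where-Object { $Inventory[$_] -eq $Role })
    $latestBad = @($Snapshots[$latest] | Where-Object { $inRole -contains $_ })

    # Delinquent = non-compliant now and in every snapshot back to the baseline.
    $delinquent = @($latestBad | Where-Object {
        $h = $_
        @($span | Where-Object { $Snapshots[$_] -notcontains $h }).Count -eq 0
    })

    $coverage = [math]::Round(100 * (1 - $latestBad.Count / $inRole.Count), 1)
    $delinq   = 0
    if ($latestBad.Count -gt 0) { $delinq = [math]::Round(100 * $delinquent.Count / $latestBad.Count, 1) }

    New-Object PSObject -Property @{
        Role         = $Role
        LookbackDays = $LookbackDays
        Baseline     = $baseline
        Latest       = $latest
        Coverage     = $coverage
        Delinquency  = $delinq
        Breach       = ($delinq -gt $MaxDelinquency)
        Delinquent   = ($delinquent -join ', ')   # the "fix these first" list
    }
}

function Test-AvTargets {
    param([hashtable] $Inventory, [hashtable] $Snapshots)
    # Servers: zero tolerance, but one full maintenance cycle (7 weeks) to get there.
    Get-AvDelinquency -Inventory $Inventory -Snapshots $Snapshots -Role 'Server'      -LookbackDays 49 -MaxDelinquency 0
    # Workstations: a few stragglers are fine, as long as they turn over weekly.
    Get-AvDelinquency -Inventory $Inventory -Snapshots $Snapshots -Role 'Workstation' -LookbackDays 7  -MaxDelinquency 10
}

# With the constructed data: servers show 100% delinquency (all four unfixed for seven
# weeks) and workstations 33.3% (WS003 unfixed across the week), so both targets breach,
# and the server list is where the next maintenance slot should go.
Test-AvTargets -Inventory $Inventory -Snapshots $Snapshots |
    Sort-Object Delinquency -Descending |
    Format-Table Role, LookbackDays, Coverage, Delinquency, Breach, Delinquent -AutoSize
```

The `@(...)` wrappers around the pipeline results are deliberate: on the PowerShell 2.0 shipped with Exchange 2007 and 2010, `.Count` on an empty pipeline result is `$null` rather than zero, which would silently make the "never fixed in between" test fail open.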

2009-06-03

I Read Your Mail Headers

Nobody comments on the most obvious feature of the Interception Modernisation Programme -- the scheme to put intelligent sniffers in every ISP, funnelling anything GCHQ wants back to Cheltenham.

It's totally unauthenticated. Sniffers are purely at the network level. It identifies IP addresses, but not users. Without getting into the great "IP is [not] Personally Identifiable Data" debate, it seems pretty clear that this material will have to work pretty hard to prosecute anyone.

So it's just intelligence gathering? Pure snooping?

If You've Done Nothing Wrong, You've Got Nothing to Fear

So we're told. But it didn't work for Jacqui Smith.

2009-05-31

Spam Counter - 2009 May: 1358

That's bad.

I'm seeing Acai Berry among other approaches to the size of my waist and a renewed emphasis on the size and stiffness of my male member. There are fewer fake watches -- the SS Submariner -- and a very few swine flu.

2009-05-21

Obvious Really

I'm not interested in concealing my identity, exactly, but I don't put my real name on these because any security writing that uses real-life examples will sometimes be about Fail, even if it's Fail rectified, and who wants to go public about their own employer's Fail?

Even so, I've always been circumspect about what I say because I've felt that the intersection of the things I talk about -- Kent, Finance, Computer Security, Old man -- is going to be a pretty sparse set. Anyone who cares could find out who I am.

So it's interesting to see Schneier blogging about some research from PARC. Apparently the end-points of a regular commute are sufficient to identify a huge proportion of people. Pretty much all that's required is that the granularity is fine enough for people to be working in a different zip, county or whatever from the one they live in.

I'll be more careful in future. I have a plan.

Classic Fail

Went to pick up my printout from the printer and there it was: The biggest secret in the firm, and one from which I am firmly excluded. Ninety colour pages which someone had collected, collated and left prominently displayed to be picked up.

A few minutes in the event log of the print server gave the answer -- the same document printed twice in succession: the signature of a user losing track of what they've done. He's back on track now.

The report had been out on display for thirty minutes when I found it. I imagine the person who tidied it up will be one of the three people who used that printer between me and the inadvertent leak. But who else saw it is much harder to tell.

2009-05-18

Contactpoint Security Misses the Point

ContactPoint, the government list of children, is live today in test areas. When it's complete, it will hold contact details for every child in the UK, with a NIN and a list of the agencies dealing with the subject.

The rights and wrongs of this are one thing, but there's a gap at the heart of the published security policy (pdf) -- they've left one point out, and it's the hard part that makes the rest work.

They're proud of the access control -- it'll be two factor and the web access won't work from just anywhere (I hope it'll be limited to registered IP addresses). Users will need to be in a role that requires access and have passed CRB checks.

But it fails, it misses the point. Apparently the designers expect there will be three hundred thousand users across the NHS, education authorities, LA social work departments, the police, courts and probation service. It seems on the low side, but just that number gives us around a thousand retirements a month. Add in all the role changes where users no longer need the access, or change employer or reporting line enough to change the origin of their entitlement and I call that around five thousand leaver events a month.

No doubt ContactPoint has the staff to do it, but however will they hear about the leavers? We have enough difficulty finding the leavers in a few hundred users, and we have access to the payroll. It looks as though ContactPoint is going to be dependent on users or managers volunteering that they no longer need the access. With all the good will in the world -- and social work departments are often very replete with ill-will -- that's never going to be anyone's top priority.

I'm not surprised they left it out. I wonder when it's going to bite.

2009-05-15

Password-Stealing Spam

Big current spam trick: The stolen webmail account.

Hotmail etc. make it hard to register accounts for spamming, so a lot of mail out of their relays isn't spam. And that means that spam detectors mod up mail coming through those gateways -- if it's truly from Hotmail, it's much less likely to be spam. So we're seeing a resurgence -- it feels like 1998 -- of spam from public webmail services. Examined, it turns out:

  • To be from a real MSN/Hotmail/Yahoo account (they're not just spoofing addresses -- that wouldn't work)
  • To be pushing Chinese electrical goods (if it was stiffy lollies, the language would push the spam balance back to "block")
  • It's all sent from Chinese IP addresses. Whether it's .fr, .co.uk, or whatever, it's all pirated from China.

I wrote about this, from the other side, last year. But this is more sophisticated, going to big lists, not just address books.

Just another penalty of being spywared.

2009-04-30

Spam Counter - 2009 Apr: 986

But it was 1300 earlier in the month.

There's a big new botnet at work -- quarantines have vastly increased lately. Mostly traditional stuff with rather more images and spam poetry than we've seen lately.

One thing that stands out is the new wonder drug: Magnesium Oxide. Why am I getting Magnesium Oxide spam? It's milk of magnesia -- an antacid. Why would anyone buy that online? What really perplexes me is that they obviously expect their target market to know why they want it -- or is it that people who respond to spam are precisely the people who will buy anything?

Uphill Battle

(Two FSA posts in two days -- bad sign.)

The FSA have lately been taking a very hard line on data leak risk, and they themselves deal with extremely sensitive information.

So it does seem rather hard that they can't accept or originate TLS encrypted email. It's doubly hard that they use Messagelabs which handles TLS easily -- encryption must have been explicitly disabled.

So I have to dick around with fancy encryption utilities to get something that should be free.

2009-04-29

Facing Up To It

Just a little note about our pandemic planning.

When the system was set up, we canvassed the business very carefully. Who could work at home, and who would have to come in?

The message was clear. Investors and traders could not work at home. They needed their colleagues around them, they needed their morning meetings and their bosses and compliance reps needed to see them. Delivering the order management and dealing apps on the pandemic remote access system was unnecessary and actually dangerous. Fortunate really, as some of them do not respond well to Citrix.

Well, now here we are, and I sense a slight quavering of the upper lip. When you really think about it, the idea of wealthy, numerate, well-informed and self-confident men and women with family responsibilities actually risking a lethal infection to nurse their portfolio is a bit daft. They'll stay home whatever the boss says. The first two or three, you can sack, but if it's the whole team, it becomes our problem not theirs.

Meeting tomorrow to start the process -- "well, if that's not what you really meant, what do you mean?" We'll see how it goes.

Meanwhile, Mrs U is discussing what food to stock-pile.

G20 Meltdown Saves the Finance Sector

The protestors -- G20 Meltdown and the climate campers -- did a big favour to London finance firms.

For three years, the FSA has been nudging us to do "pandemic planning" -- to prepare for situations like a legal or de facto quarantine where most staff will be staying at home by choice or under legal compulsion (or a train strike, or civil disorder or ...) This isn't DR proper -- if you don't want to say pandemic (and I don't, it's silly) you can call it Colleague Availability Planning.

And since we are a good and dutiful regulatee we have done what we can. In our case, that's a Citrix farm and an SSL VPN, with security settings that make it a little less unsafe when it's accessed from untrusted PCs. To ensure it's running and up to date, we use it for most of our remote access (I've preserved a little dignity by insisting that remote admins, and staff who need off-line access to data, still have to use a trusted laptop.) The gimmick is that the equipment is grossly overspecified. Over a normal day, maybe 2% of staff log on. But the farm, the gateways and the Internet access are sized for 50%, and that presented us with a problem. We had no idea whether it could handle the planned load, as we could never arrange for that many to try it at once.

We got some information from the snow day in February -- that got us up to 15%. But the G20 demos were another thing again. Staff told to work at home, and pretty much told that unless they showed up on the VPN they'd be taking the day as holiday.

The first day, we struggled. A lot of silly glitches and one big one -- the presentation servers in the farm had not been built to specification. Very easy to fix, as it happened, and the second day went smoothly with about 40% of users -- pretty much the expected number -- on line.

And that's the gift that the G20 protesters gave us. Whatever you think of Mexican Swine Flu, you can be certain that we'll have to demonstrate to the FSA that our pandemic plan is up to scratch. And, now, thanks to the crusties, we can say, confidently and truthfully (and you need both to speak to the FSA) that it is.

Thanks, guys and gals! Was that what you wanted to do for us?

2009-04-26

OPD (1 per Decade)

Naked-eye planets, obviously.

To be honest, I never expected to see Mercury. It's much harder to spot than Jupiter, Mars, Venus and Saturn. And I haven't seen Saturn, confidently, for a while.

When I went out to shut up the chickens at 21 my eye was captured by one of the prettiest new moons I've seen. A tiny crescent silver sliver reclining, cradling a huge oval of earthlight in the last purple of the sunset. And there it was -- just off the moon/sun line -- the only star visible between the moon and the horizon.

I'd been tipped off by the night sky column in the LMS's BBC Focus magazine. "Surprisingly bright" it said and bright enough it was. And that's my lot. If I want to see another planet, I'll need binoculars. But the LMS is off to a good start.