bill’s blog

Just another WordPress weblog

Browsing Posts published in February, 2010

It’s all about being professional… The more one prepares, the better you present! One thing most people fear is speaking in front of a crowd. Creating an outline of all your talking points is more important than having a scripted presentation. If you speak from a script you’re going to come across as dry and rehearsed. People all too often put everything they want to say in slides. People for the most part are visual learners. Reading off a slide is the quickest way to put your audience to sleep. It is often said that Steve Jobs is one of the best presenters in Silicon Valley. Why? Because he is passionate. Why? Because he knows his product offering. He sets up the protagonist and then along comes Steve (Apple) to save the day! He may put a sentence quoted from a magazine (his evidence) on a slide, but there’s never more than one or two words on any given slide when he’s presenting product.

Why am I spending so much time on this… because one needs to come off as polished as opposed to contrived. We may not always be able to set up a protagonist, BUT we can be intimately familiar with our product offering (whatever it is we are trying to say). We can be passionate! We can be polished. Have an outline. Know your talking points… BUT don’t spend extreme amounts of effort getting your wording perfect! Learn from your mistakes… very often as part of my job responsibilities, I have to present technical material. Often I have to give the same presentation over and over. I learn what works from what doesn’t. I make adjustments… I may use the same lines over and over but you never get the same presentation twice. I try to present technical matters as simply as possible. In explaining bandwidth concerns, I often use plumbing as an analogy (the bigger the pipe, the more water can go through it). Put your ideas into words most people can relate to. Remember you’re not speaking to yourself… or to those who are already familiar with your ideas… you’re speaking to an audience that can be made up of people from various different technical backgrounds. You have to assume they aren’t as familiar with the subject matter as you (otherwise you wouldn’t be there)! These are the people you need to convince. So convince them!

It truly is amazing how one of the most basic of protocols is the foundation of the Internet. DNS is a service/protocol that is essential to traffic out on the Internet AND in many cases MORE important on internal networks. Humans, by nature, aren’t really adept at remembering long strings of numbers. Hell, most of us can’t remember a name five minutes after you tell it to us! And while IPv4 addresses are broken down into four octets separated by dots (dot-decimal notation), it’s still longer than most phone numbers. Servers (or hosts) are not usually referred to by their IP address but rather by their hostname (www) followed by the domain’s name (yahoo.com). Enter DNS (or the Domain Name System). It takes a domain name (such as weblog.randomdog.net) and converts it to the IP address associated with that name (such as 69.0.94.158). It also does the reverse (converting IPs to domain names). DNS is a hierarchical naming system, meaning that there are a few top-level domains (.com, .net, .org, .gov, etc.) whose name servers refer requests to the authoritative name servers for each domain, which in turn refer requests to the authoritative name servers for their sub-domains.

Today DNS has expanded beyond its humble roots! It supplies the name of the administrator for the domain and the IP addresses of the mail servers for that domain. Additionally, DNS has been extended to provide listings of where services can be found on a network, as in the case of SRV records. These SRV records inform systems as to where on the network certain resources (LDAP, AD, mail) can be located. Many other services rely on a properly functioning DNS system. In fact, Microsoft’s Active Directory and Apple’s Open Directory will break without properly functioning DNS.

So what if DNS breaks?

Well, that’s a problem. DNS was not designed with security in mind. It actually grew out of a shared file. Before DNS, people passed host files around. The thought of anyone actually tampering with the associations between host and address was not likely. People wanted to be able to reach the host they were looking for. Times have changed and there’s money at stake. DNS cache poisoning is a very real problem. If I were able to redirect your web browser to a ‘fake’ banking site, I could collect your credentials and make unauthorized withdrawals against your account. In March of 2008, Dan Kaminsky met with various software vendors that provide DNS solutions to discuss a vulnerability he had discovered. The consequences of this discovery were of such concern that all vendors present agreed to release a software patch that would fix the vulnerability on the same day. In very simple terms, Kaminsky’s vulnerability centered on the possibility of a “man in the middle” caused by the lack of true randomization of transaction IDs, with only about 65,000 values available. A DNS look-up query is assigned a random transaction ID, but Kaminsky observed that when a vulnerable DNS server is able to perform recursive DNS queries, it was possible to guess the transaction ID and redirect the results (Vamosi, 2008).
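To put numbers on the 65,000-value problem above, here is an added example (my own illustration, not from the original post or from Kaminsky’s work): it sizes the space a forged reply has to match with and without the source-port randomization the coordinated patch introduced, and shows the resolver-side acceptance check that makes both fields count. The `Query`/`Reply` records and `accept_reply` are hypothetical simplifications of what a resolver keeps for an outstanding question.

```python
import math
from dataclasses import dataclass

TXID_BITS = 16   # DNS transaction ID is a 16-bit field (RFC 1035)
PORT_BITS = 16   # UDP source port is also 16 bits; real resolvers draw from a
                 # smaller ephemeral range, so this is an upper bound (assumption)


def search_space(randomize_port: bool) -> int:
    """Number of (txid[, port]) combinations a forged reply must match."""
    return 2 ** (TXID_BITS + (PORT_BITS if randomize_port else 0))


def forged_replies_for(success_prob: float, randomize_port: bool) -> int:
    """Independent uniform guesses needed for at least success_prob chance
    that one of them matches; shows how much harder the patch makes it."""
    p = 1 / search_space(randomize_port)
    return math.ceil(math.log1p(-success_prob) / math.log1p(-p))


@dataclass(frozen=True)
class Query:          # what the resolver remembers about a question it sent
    txid: int
    src_port: int
    qname: str
    server_ip: str    # authoritative server the question went to


@dataclass(frozen=True)
class Reply:          # the fields a resolver can see on an incoming answer
    txid: int
    dst_port: int
    qname: str
    src_ip: str


def accept_reply(q: Query, r: Reply) -> bool:
    """Resolver-side matching in the spirit of RFC 5452: only match a reply to
    an outstanding query when txid, port, question name and sender all agree.
    A reply that fails any check is dropped instead of being cached."""
    return (r.txid == q.txid
            and r.dst_port == q.src_port
            and r.qname.lower() == q.qname.lower()
            and r.src_ip == q.server_ip)


if __name__ == "__main__":
    for rp in (False, True):
        print(f"port randomization={rp}: space={search_space(rp)}, "
              f"guesses for 50% success={forged_replies_for(0.5, rp)}")
```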

Enter DNSSEC!

DNSSEC (short for DNS Security Extensions) adds a layer of security to DNS. Its aim is to minimize threats against the Domain Name System. These threats include the following:

1. DNS Cache Poisoning
2. DNS Amplification Attacks
3. DNS Man-in-the-Middle Attack
4. DNS Spoofing Attacks

The US government has already deployed DNSSEC on the root servers for the .gov and .mil domains. Unfortunately, as of today DNSSEC has not been deployed on the root servers of the .com, .net and .org top-level domains.

Resources:

Vamosi, R. (2008, July 9). Massive, coordinated DNS patch released. Retrieved May 27, 2009, from http://www.zdnet.com.au/news/security/soa/Massive-coordinated-DNS-patch-released/0,130061744,339290456,00.htm

Security surrounding PDAs and other “smart-phones” is a complicated issue. I for one own an iPhone (but hopefully for not much longer)! I know… I know! Here comes the classic iPhone / Blackberry debate. It’s been a hotly contested acquisition! IT would prefer I use a Blackberry. They feel they have more control over the device and in many respects they do… BUT they don’t want to pay my expenses and I’d much rather have a richer Internet experience. Fortunately for me many senior VPs in the organization wanted an iPhone as well.

Why give all the background?

Because sometimes technology is driven by the business and thus needs to be supported by IT. We need to find the best way to make these devices secure even though they may not have all the security bells and whistles IT is looking for.

These devices have allowed us to spend a little less time in the office and a little more time doing the things we want… But there is a cost. Sometimes in the course of using information we have to deal with data that is sensitive… whether it is of a military nature or mere intellectual property concerns! The reality is these devices are now capable of holding a lot more information. In fact some of these devices now offer the ability to extend their capabilities through the use of SD cards! So how do we protect the company and the data we all work so hard to create? Corporate policy! We need to have clear guidelines as to what data we will allow on any device… and that includes USB thumb drives!

Most of us use these so-called smart-phones as glorified email and calendaring clients. Both Blackberry and the iPhone offer differing levels of security over these devices… Both offerings allow for remote wipe! Blackberry does this through the use of its proprietary server product… the iPhone relies on its implementation of Microsoft’s ActiveSync. Certainly RIM’s offering is a lot more feature-rich… but one needs to keep in mind the type of data we are protecting.

Email in many ways has become the ultimate corporate communication tool. I’ve recently rolled out a BPM solution where I work and as I’ve been demoing the application, I’m constantly asked if the tool will email everyone involved in the project. And while it is possible, I stress that the tool is not a replacement for picking up the phone and speaking… collaborating… understanding! Another example… the people I support in Asia have tens of GBs’ worth of emails… dating back 10 or more years. Why? To cover their bottoms! I think the need to cover one’s bottom is pervasive in many corporate cultures… and thus email is the perfect tool. Now one has it in writing, and one can receive delivered and read notifications too!

Just picture it… “There’s no denying you read my emails!” as I slap down a stack of printed copies like Perry Mason.

I bring up Perry Mason because like it or not we are a very litigious society! We sue over the smallest thing! Some rightfully so, other suits… ahh not so much! E-discovery has become a big thing. In American law, discovery is the pre-trial phase in a lawsuit in which each party, through the law of civil procedure, can request documents and other evidence from other parties and can compel the production of evidence by using a subpoena (wikipedia.org, 2010). Therefore e-discovery is the production of electronic evidence, which can include… IM chat transcripts, Excel/Word documents, PDFs, web pages, source code, databases, graphic files or, in our case, emails. Not only does the defendant have to produce these documents, they need to provide complete records and in a timely fashion. If the defendant does not comply accordingly, many jurors perceive this as… “They have something to hide.” These documents are required to be preserved. Additionally, the company needing to disclose these documents needs to provide a document detailing the extent of the search they conducted.

E-Discovery is no small matter and requires a great deal of attention to adequately produce relevant documents. Systems need to be put into place to ensure e-discovery compliance. These systems include a stated policy on the retention of email distributed within a company. Centralizing data is another way to minimize the efforts required to comply with discovery demands. Organizing the data and providing mechanisms to rapidly search documents for specific keywords across the entire enterprise helps as well. Maintaining strong access controls over your data is essential to providing strong evidence! If a lawyer can prove that you didn’t have full control over your data, they can then argue that the data could have been tampered with, reducing its credibility in court.

Ultimately, being able to produce evidence in a timely fashion helps your credibility in court. Noncompliance can be costly as well! Fines and other legal sanctions can be placed upon an organization that fails to “protect” its data!

Resources:

Various (2010, February 9). Discovery (law). Wikipedia. Retrieved February 23, 2010, from http://en.wikipedia.org/wiki/Discovery_(law)

Snow Day!


A quick message from Izzy to her Grandmoms!


Let us be judged by our acts!

Filesystems for the Macintosh were developed to handle the unique nature of the OS. In the beginning Apple was not a GUI-based OS. In fact DOS was originally used, and this was later to become Apple ProDOS. Both of these operating systems were very much command-line driven. With the release of the original Macintosh, Apple boldly introduced the world to the Finder (the graphical user interface).

Apple needed a way to interact with the underlying filesystem on disk. Because the GUI environment was controlled by a mouse selecting a file to open… Apple needed a way for the operating system to know which application should launch when a file was clicked on. Apple developed what became known as a forked file system. One fork (the data fork) contained the structured data while the resource fork contained the file’s metadata. Metadata at that time contained such things as the association between the file/data and the application used to create the file, thumbnail previews and what type of file it was (.jpg, .tiff, .psd, etc.).

To keep track of the dual-forked file, Apple needed a filesystem that could keep track of both halves of the file and have them “appear” as one. Apple developed MFS (or the Macintosh File System) to handle the storing of data on disk. The downside to this filesystem was that it was flat… meaning it did not allow for nested folders or a hierarchy or any means of organizing the data on disk. Realize… at that point in time the Macintosh was still booting from floppy disks, and that in and of itself allowed users to store similar data on separate disks. Unfortunately, MFS had an upper limit on capacity (20MB). This quickly became a problem because it was not long after the introduction of the Macintosh that hard drives as we know them today started to make their way into personal computing. Apple needed a way to address the additional space provided by these new devices! As mentioned earlier, MFS stored all files on the root level of the disk. This presented a performance problem. As anyone who’s worked with databases knows… the more records that are added to a table, the slower that table is to perform. Meaning any time someone needed to access a file, the OS had to read through the entries for all files on disk. By breaking files down into groupings or directories… file searches became significantly faster. And thus HFS (or the Hierarchical File System) was born!

The problem with storage is that it grows exponentially! There was a time that a 32MB hard drive seemed exceedingly large. “You’re never going to fill that thing!” Today you can’t even purchase a USB thumb drive that small. By the late 1990’s it was clear that Apple’s original filesystem design was starting to show its age. HFS was limited to 65,536 blocks per volume (or partition). When disk capacity was small (say a 32MB hard drive) this wasn’t a problem. If you had a 1KB file and your block size was 512 bytes, it would take up two blocks of disk space without wasting disk. BUT as disks became bigger, so too did the block size. On a rather small 128MB disk, because of the block limitation, the minimum block size became 2KB. The OS would write that same 1KB file to one block, occupying 1KB of the 2KB block and wasting 1KB in the process. Now this is a very basic illustration, but let’s imagine a 1GB hard disk… the size of the data contained in the file would not increase but the block size had to (16KB)! Thus the amount of disk wasted became greater! Apple introduced HFS Plus (or HFS Extended) with its 8.1 OS release to address the allocation block problem, though certainly Apple would say that’s not the only reason it created HFS Plus. For a more detailed look into the technical aspects of HFS you can read Technical Note TN1150 – HFS Plus Volume Format, which can be found at: http://developer.apple.com/mac/library/technotes/tn/tn1150.html#HFSPlusBasics
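The block-size arithmetic above, worked through as an added example (my own, not from the post or from Apple’s technical note): given the 65,536-block ceiling it derives the smallest allocation block for a volume and the slack left over by a 1KB file, and the same function with a 32-bit block count shows why the HFS Plus format no longer has the problem. The 512-byte rounding granularity is an assumption for illustration.

```python
import math

HFS_MAX_BLOCKS = 2 ** 16        # classic HFS: 16-bit allocation block numbers
HFS_PLUS_MAX_BLOCKS = 2 ** 32   # HFS Plus: 32-bit allocation block numbers
SECTOR = 512                    # assume block sizes are multiples of 512 bytes

MB = 2 ** 20
KB = 2 ** 10


def min_block_size(volume_bytes: int, max_blocks: int = HFS_MAX_BLOCKS) -> int:
    """Smallest 512-byte multiple that lets max_blocks blocks cover the volume."""
    return math.ceil(volume_bytes / max_blocks / SECTOR) * SECTOR


def blocks_used(file_bytes: int, block_size: int) -> int:
    """Whole blocks a file occupies (even an empty data fork is charged one)."""
    return max(1, math.ceil(file_bytes / block_size))


def slack_bytes(file_bytes: int, block_size: int) -> int:
    """Bytes allocated to the file but not holding its data (the 'waste')."""
    return blocks_used(file_bytes, block_size) * block_size - file_bytes


def waste_table(file_bytes: int, volume_sizes: list[int]) -> dict[int, int]:
    """Slack for one file size across several volume sizes on classic HFS."""
    return {v: slack_bytes(file_bytes, min_block_size(v)) for v in volume_sizes}


if __name__ == "__main__":
    # The three volumes the post walks through: 32MB, 128MB and 1GB.
    for vol, waste in waste_table(1 * KB, [32 * MB, 128 * MB, 1024 * MB]).items():
        bs = min_block_size(vol)
        print(f"{vol // MB:5d}MB volume: block={bs:6d} bytes, "
              f"1KB file uses {blocks_used(KB, bs)} block(s), wastes {waste} bytes")
    print("HFS Plus block on 1GB:", min_block_size(1024 * MB, HFS_PLUS_MAX_BLOCKS))
```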

One thing the iPhone is not real good at is battery life when transferring data over a 3G connection.

One thing that the iPhone does really well is seek out public Wi-Fi networks.

Many of us gladly connect to “free” hot spots to save battery life, BUT that presents a big security risk. The iPhone really doesn’t inform you whether you are associating the phone with a true AP or an ad-hoc device. One must use care when sending passwords over an “untrusted” network! While not exactly trivial to do… it isn’t exactly hard for someone to set up a rogue AP. These devices can cause you a lot of aggravation. These ad-hoc APs could be used to perpetrate a Man-in-the-Middle attack while you are using the hot spot. Additionally, one could be used to “poison” your phone’s browser cache, which in turn could be used to display fake Web pages or even steal data at a later time. It’s always a good idea to clear Safari’s cache after connecting to an unknown AP. So how does one go about clearing the cache on the phone?

Choose Settings > Safari > Clear Cache.

ISO (or the International Organization for Standardization) is an international body that tries to define best practices with regard to the operation of various workflows. This can be something as narrow as defining how to examine a hard drive for acceptance into courts of law, to something as broad as ISO 9001 (which defines formal business practices).

One needs to understand that ISO tries to define best practice, and while that may be good enough 90% of the time… it is after all a best practice, and there may be situations that require other methods for getting the job done. Forensics is all about the systematic collection of data. If we can validate that the data was collected cleanly, if we can confirm consistent results from the acquisition, validation, extraction and reconstruction of the data, then it really doesn’t matter whether you’ve used an ISO standard or NOT. BUT if one deviates from an ISO standard, one needs to be able to explain to a jury in non-technical terms that the above-mentioned process was meticulous, and in criminal cases this needs to be proven beyond doubt. This is not always achievable, and thus sticking with ISO standards may help you convince a jury, though it may not always be the easiest/fastest way to collect data.