RSS
 

The lessons in Mat Honan’s terrible, horrible, awful day

15 Aug

Wired columnist Mat Honan recently published an article detailing how his iPhone, iPad and laptop were all wiped clean – just because some hackers wanted to get control of his “cool” 3-letter Twitter handle; @mat. Since coming out, Mat’s story has been the talk of the tech news circuit. The Security Now podcast even postponed its normal schedule to dedicate an entire episode to discussing Mat’s experience.

Mat has done an excellent job telling his story, including acknowledging his own mistakes that contributed to the hackers’ ability to take over his digital life. And many others have added their thoughts, but most of the discussion has been quite long and can be difficult to parse for the average person. I’d like to take a moment to call out the 3 key lessons I feel we can take away from what happened to Mat:

1. The myth that you “don’t have anything worth stealing

I hear this frequently when I talk to people about adopting better security practices. The concept goes something like this:

I don’t keep any of my financial information on my computer. I’m nobody important. There’s nothing of value to anybody else on my computer.

And it’s completely wrong. The hackers who deleted Mat’s only pictures of his daughter didn’t care about his memories – they just wanted his Twitter account. Why? Because they thought an account with so few letters was cool. I’m willing to bet Mat never thought his account was valuable enough to be worth stealing either.

The truth is; if you have a computer you have something of value to hackers. If nothing else, the computer itself is something they can use. Once they gain control of it they can use your PC to attack other computers, run software to crack passwords, pretend to be you, etc, etc.

2. Trust. No. One.

If you listen to people who talk about security and privacy you will eventually hear the acronym T.N.O: Trust no one. It might sound paranoid, but in reality it’s just common sense. Obviously, we must trust others to a certain extent or we would never be able to make it through the day. The idea of T.N.O., however, is awareness. Every day we are enjoined by websites, startups, corporations, ads, etc. to

Sign up now!

Link to your Facebook account!

Upload your address book so we can find your friends!

Technology is a wonderful thing. It has the ability to give us unprecendented freedom to learn and see and create. But freedom comes with a price – responsibility. No matter how well intentioned the site you’re giving your information may be, no matter how much you may trust them, accidents can and will happen. T.N.O. says

  1. Think seriously about whether you really want or need to provide this information.
  2. What are the consequences when – not if – they lose control of this information?
  3. What can you do to maintain control and/or protect yourself?

 

It’s all about control. Are you willing to give up control of your personal information? Your identity? If not, then make sure you take steps to protect it.

3. Back up your stuff

This one has been mentioned in almost every discussion of the Wired article, and even by Mat himself, but it’s important enough that it bears repeating. No excuses. If you’re not already doing so, establish a regular backup routine. Ideally, follow the 3-2-1 rule:

  • 3 copies
  • on at least 2 different types of storage (hard drive, online, CD/DVD, The Cloud, etc.)
  • with 1 copy off-site (online, at a family member’s house, etc.)

 

Backing up your data speaks to numbers 2 and 3 under Trust. No. One. above: If you do lose control of everything can you get it back?

Be responsible

As some have noted, it’s important to note that the hackers who broke into Mat’s phone, computer and accounts did not crack his passwords. The techniques they used were all social engineering – they convinced support personnel that they were the rightful owners of Mat’s accounts. While having a strong password, and a different password for each separate account, is important protecting ourselves doesn’t stop there.

Just as you prepare for a potential earthquake, tornado or hurricane make sure you’ve prepared for the hacker that makes it past the harried tech support employee who maybe didn’t sleep well the night before.

 
No Comments

Posted in Security

 

Experimenting with a new tool for my Knowledge Base

31 May

For the last year or so, I’ve been slowly building up a personal Knowledge Base using Evernote (a direct link is to the right). This is a place where I save tidbits of information related to software development – stuff that I think I’ll probably want to look up later, because I’ve forgotten the precise syntax needed, etc. I also made this KB publicly available (link is to the right) so that others could hopefully benefit as well. So far, this has worked pretty well, but I don’t always have the time to organize and format the notes as much as I’d like.

About a month ago, I became aware of Diigo – an online tool for highlighting, bookmarking and notating content on web pages. I’d seen tools like this before, but I liked the way Diigo also collected everything I’d noted in one place and allowed me to organize, tag and share it.

So I’ve started a new, experimental Knowledge Base (again, link to the right) using Diigo. I’m hoping this format will make more sense and allow me to collect and organize information more quickly. If it continues to impress, it will eventually replace my previous KB.

 
No Comments

Posted in Programming

 

Avoiding headaches as a team programmer

15 Jul

Working as a member of a software development team (as opposed to being the only programmer on a project) can have some subtle, but very important differences. I’d like to share with you some of the tips and advice I’ve come up with over the years to reduce headaches and frustration – both for me and my fellow team members:

Communication

  • Don’t assume that your team will tell you everything you might need to know. There’s a lot to keep track of (even on small projects) and we’re all human. Sometimes we forget or don’t realize that the changes we’ve made impact somebody else’s code.
  • It can often be helpful to send out a status e-mail each night, letting the rest of your team know where you’re at – what’s done, what’s changed, etc.
  • Document any agreements/decisions made between two or more team members. This helps ensure that everyone came out of the discussion with the same understanding, and can keep new members from wasting time covering the same ground.

NOTE: “Documenting” doesn’t need to be a formal process. An e-mail, IM or shared discussion area is fine. The important thing is that the information is recorded and shared.

Source control

  • Multiple, smaller sets of changes are much easier to rollback, troubleshoot and/or fix than large, sweeping code changes that span several days/weeks.
    • Whenever possible, try to organize your coding tasks into chunks that can be completed and checked in within a day.
    • At the end of the day check in as much as you can – anything that doesn’t break the project for somebody else.
  • Before checking in your work; pull down and build the latest files to make sure your changes don’t conflict with any recent changes made by other developers.

NOTE: I do this even when nobody else is working on the project – because that might not be an accurate assumption. If the project is in the repository, anybody can make a change at any time.

  • Before beginning each new task/chunk of work; pull down and build the latest files from the shared repository. This will catch pre-existing issues before you start adding your changes.
  • Key project-wide files (e.g. settings, configuration, the project file) should be checked in as soon as possible. And don’t forget to also check in any new files and/or changes they may reference.

Documentation

Even if nobody else is going to be looking at your code, any experienced programmer will tell you that in a couple of months you won’t be able to recall what you were thinking either.

  • Use clear, descriptive names for your classes, methods, etc.
  • Add comments to code that varies in any way from what it appears to do, has a side effect, etc.

All this can seem like a lot to do in the moment. It can feel like you don’t have time. Establishing a routine can help. Decide on a few things you are going to do every morning, before you start coding, or first thing when you get back from lunch. This can also help you get into the right frame of mind for getting back to work.

 
1 Comment

Posted in Programming

 

Security best practices in the real world

09 Mar

I recently had a discussion with a co-worker regarding physical security. Our two departments share a small building with 9 offices. Each of us has a key to the building, a key to our own office, and a key to a shared storage room nearby. This co-worker was gathering feedback for a proposal he was putting together with the following goals:

  • Reduce the number of keys we have to carry.
  • Potentially provide access to both the building and the offices with a single key (for each employee).
  • Increase access to resources by having more people able to gain access to more spaces.  (For example; getting a book from the office of a co-worker that is on vacation.)

During our conversation, my co-worker requested that I stop being so abstract in my arguments and address more factual, concrete ideas of what could (or might) actually happen. The more I thought about it in the days following our conversation, the more I realized:

This is a common mistake when thinking about security.

It’s natural to want to better understand the threat by thinking in terms of real threats that need to be protected against, but what security researchers now know is that doing so puts us at a significant disadvantage.  If we’re focusing only on concrete, defined scenarios we are limiting ourselves to what is known (or can be guessed). Are you sure you considered every scenario a potential attacker might possibly come up with? Did you take into account every possible new technology/standard/practice? How about every policy change your organization might implement? History has shown us that even if your security measures start out ahead, this approach 1) will eventually be compromised by something you didn’t think of, and 2) quickly becomes reactionary – where you find yourself implementing new security measures in response to new exploits as they are discovered.

Follow established Best Practices.

Rather than relying on a never-ending game of cat-and-mouse (where each side is constantly one-upping the other) modern security efforts attempt to follow established security practices that are known to provide protection by their very design – regardless of the type of attack that might be leveraged against them. With this recent discussion around physical security fresh in my mind, I thought I’d take a moment to talk about a couple of those best practices. This by no means an exhaustive list, and if you’d like to know more I highly recommend the podcast Security Now (which also has transcripts, if you’d rather read than listen).

Security In Depth

The phrase security in depth is a paraphrasing of the NSA‘s defense in depth approach and refers to having layers of security. Frequently, I hear people say things like; “We don’t need to encrypt account information because our servers are behind a firewall”. Relying on a single security measure means you have a single point of failure. If that mechanism ever fails or is compromised – and statistically, the chances are it will be at some point – then all bets are off. Similarly, new attacks could be developed which bypass the firewall by being completely valid network traffic.

Security in depth means wearing a belt and suspenders – if one fails, your pants still stay up. Classic medieval castles are another great example of security in depth:

  1. A moat.
  2. The wall.
  3. Often, the streets inside a castle would be zig-zag so they wouldn’t provide a straight path to the palace at the center.
  4. An inner wall.

Somebody, someday will break in eventually – so you want to make it as difficult and time-consuming as possible to get to the valuable stuff. In the case of our offices, this is accomplished by both the building and the offices having doors – each with their own key.

Now, you may be thinking (as my co-worker was) that having two keys for two doors won’t offer any more protection if a thief steals my entire keyring, leaving him with both keys. That’s absolutely a fair point. But recall that it only addresses one scenario where keys might be compromised. What if I’m in an accident, the keys from my ring are strewn across the road, and a bystander surreptitiously picks one of them up? What if I leave my keys sitting out somewhere and a potential attacker makes a quick imprint of one? What about the potential scenarios I haven’t even considered?

Furthermore, there’s the problem that that one key could (potentially) open all of the offices – which brings us to…

Compartmentalization

When things are separated from each other, each in their own compartment, we say that they are compartmentalized. In a security context this typically also means that each compartment is isolated from the others. The benefit here is that if one is compromised the attacker doesn’t automatically gain access to the others. In the building/office scenario above, this means

  • A thief would only have access to the building and the office of the employee they stole the key(s) from.
  • A disgruntled employee would only have access to their own office.
  • The chances of a co-worker entering an office while the occupant is changing, or engaged in a private phone call are greatly minimized.

Certainly, we can scoff at some of these examples – say they’re extreme, not likely to happen, or that we can do other things to prevent them (like knocking on an office door before entering). But the point is; what of the scenarios we haven’t thought of? What about social engineering techniques that would never occur to us?

Modern security best practices shift the focus from trying to anticipate what kinds of attacks we might see to a more holistic approach that seeks to create an environment which naturally resists attacks.

 
No Comments

Posted in Security

 

Adding a Database Reference to an external database

05 Dec

Managing database projects within Visual Studio can be extremely confusing. There seems to be very little information out there on how to use the provided project templates properly, and what little there is is often cryptic and clearly written by insiders. Watch this blog for a forthcoming article which will hopefully clear up some of this confusion, but for now I wanted to share what I’ve learned about referencing other, existing databases from within your Visual Studio database project.

With the 2010 release, Visual Studio’s database project templates appear to want you to encapsulate your entire database within the project – and the IDE. This can create a problem when the new database you’re creating needs to reference some objects from another database on the server (an enterprise data store, for example) – since the project doesn’t know anything about this other database two things happen:

  1. You lose those handy IntellisenseTM tips when referencing the external database, and
  2. Attempting to build and/or deploy the project spews a bunch of errors about missing references.

An afternoon of hunting revealed that there are a couple of ways to address this – one of which involves creating another project, importing the other database, and then adding a reference to the first project. I don’t know about you, but that sounds like an awful lot of work and overhead for what’s essentially a Reference link.

Fortunately, there is a slightly easier way: The key is the .dbschema file. These files represent the compiled state of a database which is ready to be deployed with Visual Studio or some other tool. But what is useful for us here is that Visual Studio can also use these files to determine what objects are in the database – providing IntellisenseTM and reference mapping. So this is what we need to do:

  1. Create a .dbschema file for the external database we want to reference
  2. Add that file to your SQL Server 2008 Database Project

Creating the .dbschema file

The reason some people recommend creating another database project in Visual Studio is because that will create the .dbschema file for you, but there is also a handy tool you can use by the name of VsDbCmd. This command-line tool for deploying Visual Studio database projects can be found in the following location:

C:Program FilesMicrosoft Visual Studio 10.0VSTSDBDeployvsdbcmd.exe

(Note: It will be in C:Program Files (x86) on 64-bit Windows.)

While most of the documentation out there focuses on how VsDbCmd can be used to deploy database projects, it can also be used to generate a .dbschema file from an existing database. To do this, use the following syntax:

vsdbcmd /a:Import /cs:”ConnectionString” /dsp:Sql /model:DatabaseName.dbschema

Where ConnectionString is the full connection string for the database you want, and DatabaseName is the name of the file to create.

Adding the Reference

Now that you’ve created the file, it’s time to add it to your Visual Studio project as a Database Reference. Expand the project node in the Solution Explorer, right-click References, then select Add Database Reference…. Finally, make the following changes to the Add Database Reference dialog:

  • Select the Database project schema radio button, and Browse to the .dbschema file you just created.
  • Check the Define database variable box and enter the name of the external database for the following values:
    • Name:  $(DatabaseName)
    • ValueDatabaseName
  • Check the box that says Update the existing schema object definitions and scripts to use the database reference variables.

After clicking OK, and a bit of processing on Visual Studio’s part, you should now be able to compile your database project without errors.

Please feel free to comment below if you have any questions or information to add.

References used for this post:
 
No Comments

Posted in .NET, Visual Studio, Windows

 

Tool: DNS Benchmark

15 Nov

Steve Gibson, the host of Security Now, has published a new freeware tool; DNS Benchmark.  Like all of Steve’s freeware, it’s a stand-alone executable (great for USB drives) and is very compact – at less than 200k.

I haven’t tried out this final release, but did experiment with an early version.  It’s a great tool for power users and/or anyone maintaining a network.  The primary purpose of DNS Benchmark is to provide speed tests and other information about publicly available Domain Name Servers, since the ones you’re using now may not provide the fastest or most secure service.

 
No Comments

Posted in Tools & Utilities, W.I.N.E., Windows