Wednesday, October 29, 2014

A lack of Infosec in the home buying process.

I often get a little edgy when people who are dealing with personal information throw around the word “secure.” Also, when they say something is “100% safe,” it grates on me as well. Nothing is secure. We’ve been trying to buy a house, and over the few months of applying for a mortgage and verifying income with lenders at multiple banks, I’ve noticed a few leaks or weak links in the chain of information that unnerve me in terms of my personal information security.

When we first started the process, the mortgage company asked for the usual: bank statements, tax returns, year-to-date profit-and-loss statements, IDs, and check stubs, everything needed to verify that we can afford the house we’re trying to buy. When I asked how they wanted us to provide this information, their initial response was “e-mail.”

E-mail is NOT SAFE
Had the person I’m dealing with read their own e-mail disclaimer, the one that goes out on every e-mail they send, they would have noticed that it states:
“Do not use email to send us confidential information such as credit card numbers, PIN numbers, passwords, Social Security Numbers, Account numbers, or other important and confidential information.”

If you don’t want anyone to find out something, you definitely don’t send it through e-mail. There are typically, at a minimum, four copies of an e-mail created for every message sent, and sometimes six.
  1. When you send the e-mail, a copy is likely stored in your sent items folder and cached locally. Anyone can open this if they get hold of your e-mail account: by compromising your own machine, by guessing your password, by breaching your e-mail service provider’s systems, or by getting into your e-mail through your mobile device (if you have your e-mail set up on it). This also includes any other device that holds a copy of the e-mail or has access to something like an IMAP server.
  2. The Internet is not a series of pipes. Connections to servers can take several different routes depending on network load. When you connect to your mail server, if it is off site, there are multiple nodes between your computer and the mail server itself, and they are rarely the same twice. These nodes are not always “secure.” The e-mail then travels from your mail server, hopefully after authentication, to your recipient’s mail server (between their networks), where it can be stored and downloaded by your recipient onto multiple devices wherever they happen to be reading mail: at work, in coffee shops, on unsecured home networks, and at schools, on computers, tablets, webmail accounts, and cell phones.
  3. Not all e-mail connections use SSL or TLS. Some hops transmit the message point-to-point in clear text (often called plain text), which means anyone listening on that segment can read every word. Even if your own connection to your mail server is encrypted, you have no say over whether the server-to-server hop or the recipient’s download is.
  4. PDF files are not inherently secure even though they require a special program to open them. You can encrypt a PDF by requiring a password, but this is not the default. Go to Google and search for any term followed by “filetype:pdf” and you will see thousands of results from unencrypted PDF files. Google knows what is in these files because its servers automatically read the PDFs and, in some cases, run optical character recognition on them to make a text version. Note too that the older 40-bit RC4 PDF encryption is weak enough to be cracked; use AES-256 where the tool offers it.
  5. If you provide a password to someone for the PDF, don’t send it in the same message as the PDF. In fact, if you can send it a different way, via text message or over the phone, you’re even better off. Then hope they don’t forward the message with the password to someone else, or, worse, decrypt the PDF and then forward it unencrypted (as was done in our case by a county worker).
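As an added example, not part of the original post, here is a small Python script that makes points 2 and 3 visible: it reads the Received: trace headers of a message, lists every relay the message passed through, and flags the hops that did not use TLS. Each relay prepends its own Received: line, and RFC 3848 registers the keyword after “with”: ESMTPS or ESMTPSA means the hop used STARTTLS, ESMTP or SMTP means clear text. The message, hosts and addresses below are constructed for the example. Two caveats a practitioner should keep in mind: a relay can omit or forge its line, so the trace is only as trustworthy as the relays that wrote it, and nothing in the headers tells you how many copies each of those hosts kept.

```python
"""Walk the Received: trace of an e-mail and flag hops sent without TLS.

Every relay that handles a message prepends its own Received: line, so the
headers, read bottom to top, retrace the path from the sender's machine to
the mailbox it landed in. RFC 3848 registers the protocol keywords in the
"with" clause: ESMTPS / ESMTPSA mean the hop used STARTTLS (the trailing A
means the sender also authenticated); ESMTP / SMTP mean clear text.
"""
import email
import re

# Constructed sample message (made-up hosts and addresses, not a real
# capture): applicant's laptop -> ISP relay -> bank MX -> bank mail store.
# The middle hop, ISP relay to bank MX, was not encrypted.
SAMPLE = """\
Received: from mx2.example-bank.test (mx2.example-bank.test [198.51.100.7])
\tby mailstore.example-bank.test with ESMTPS id abc123
\tfor <loans@example-bank.test>; Wed, 29 Oct 2014 09:15:02 -0500
Received: from smtp.isp.test (smtp.isp.test [203.0.113.9])
\tby mx2.example-bank.test with ESMTP id def456;
\tWed, 29 Oct 2014 09:15:01 -0500
Received: from laptop.home.test (cpe-192-0-2-10.isp.test [192.0.2.10])
\tby smtp.isp.test with ESMTPSA id ghi789;
\tWed, 29 Oct 2014 09:14:59 -0500
From: applicant@isp.test
To: loans@example-bank.test
Subject: tax returns and bank statements attached

(body and attachments omitted)
"""

# from <host> ... by <host> ... with <protocol>; DOTALL because the header
# value may still contain the original line folds.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)


def parse_hops(raw_message):
    """Return [(from_host, by_host, protocol, used_tls)], sender's hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:  # a relay that wrote a non-standard trace line; skip it
            continue
        src, dst, proto = m.groups()
        hops.append((src, dst, proto, proto.upper().startswith("ESMTPS")))
    hops.reverse()  # newest header is on top; we want chronological order
    return hops


def cleartext_hops(raw_message):
    """The (from_host, by_host) pairs that carried the message unencrypted."""
    return [(s, d) for s, d, _proto, tls in parse_hops(raw_message) if not tls]


if __name__ == "__main__":
    for src, dst, proto, tls in parse_hops(SAMPLE):
        print(f"{src:28} -> {dst:28} {proto:8} {'TLS' if tls else 'CLEAR TEXT'}")
    print("unencrypted hops:", cleartext_hops(SAMPLE))
```

Run it against a message saved from your own mailbox (View Source or Show Original in most clients) to see how many machines a single mortgage document crossed and which of those legs were readable on the wire.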

People still use fax machines?
In the ’90s, fax machines were physical machines. While they might have had a buffer from which a user could reprint faxes, they were essentially a modem hooked to a copy machine. You hit send, it scanned the page and sent a low-quality image over the phone line directly to another fax machine, where it was printed almost immediately.

If the physical security of the fax machine was okay, you didn’t have to worry about someone tampering with the information. If the fax was sent to the wrong number, then all bets were off.

Today, fax machines are entirely different; sometimes they’re actually copy machines with a built-in computer and a hard drive. Received faxes can stay on these machines for a very long time. If the machine still uses the default administrator password rather than a custom one, many of those stored faxes can be retrieved remotely by anyone savvy enough to find the manual for the machine online.

If the fax machine is one of the new cheap all-in-one units that receives and transmits over Wi-Fi, the fax comes into the machine and is then sent as an image or an unencrypted file from the wireless printer to a computer. I say sent, but Wi-Fi is not a direct connection either; it transmits in all directions. If the network isn’t “secure,” anyone listening can again pull down this information with a simple packet sniffer. While it’s unlikely someone will copy the fax out of the air as it comes in, it is a real possibility if this entity is a target for information theft.

Then there is the likelier possibility, an Internet fax. This is a web server somewhere that receives the fax like the old fax machine did and then forwards an image of it to someone via (usually) unencrypted e-mail. While some of these services can encrypt the image, they’ll likely use the same key for every encryption on an account. If the user has to log into the service to download the image, security is somewhat better, but if the image is simply e-mailed sight unseen, the information is not only stored in the end recipient’s e-mail but may be stored on the Internet fax server as well: logs, cache files, buffers, and account folders. If the Internet fax service does any sort of OCR (optical character recognition) before creating the unencrypted file, the contents of the fax are again stored and transmitted as clear text.

The "Secure" E-mail Alternative
My mortgage broker sent me a message through what she was calling a "secure e-mail service" which turned out to be a "secure" document exchange from a financial services company. Unfortunately she used "password" as the password. In this service I had no way of changing the password once I logged in.

Another possibility
Something else to consider with the rise of cloud services in information storage is that your personal information may not be in the control of the institutions which are part of the process. If they use cloud-based applications for information storage, all that can be hoped for is strong encryption and very strong passwords. Even these practices can be thwarted by bad habits.

Who gets a copy of the information? It seems like everyone known to man.
I was surprised at the number of individuals being copied on all of the back-and-forth communications with the Realtor: mortgage brokers, assistants, financial advisors, bosses, inspectors, banks, credit agencies, property owners; the list goes on. Any one of these people who doesn’t have a “secure” system in place for these messages can become the weakest link in the chain. From a jailbroken phone to an unpatched copy of Windows 98 running on some back-office computer, the list of potential vulnerabilities is enormous. What’s worse is that, in my experience, most government agencies at the local or state level lack the funds necessary to appropriately secure communications, much less look for breaches. For most of my clients I’m only called after a breach has occurred.

Why would someone target these places?
All of the entities I’ve mentioned deal in a lot of personal information. Anyone who wanted to get information on anyone in the process only has to do a little research to determine the infrastructure and its shortcomings. Whether it’s intercepting a packet of information delivered by the Postal Service or not shredding every non-pertinent piece of data, the 250 pages of detailed personal information we’ve provided to date have been redistributed at least six times by my count, not including the copies my e-mail program makes itself. This doesn’t include versioning because of changed closing dates and updates to the applications.

It’s enough to make any information security professional’s head spin.

What can you do?

Get involved in infosec as a career and change the system. Until then, save enough money to pay cash. Once it’s all said and done, call to lock (freeze) your credit records and change all of your accounts. Also be sure to purge the sensitive information from every location where you can.

Tuesday, September 16, 2014

When mail is [potentially] tampered with and you don’t even know it.

I’ve been a fan of buying postage online and slapping it on a Priority Mail envelope for the longest time, until today. I had to send some sensitive information through the mail because I wasn’t quite ready to drive 40 miles round trip to use FedEx, and I feared that leaving my package of sensitive info sitting in some FedEx drop box over a weekend awaiting pick-up was a bad idea. I also thought about encrypting the files and sending them digitally, but I’m not entirely sure the parties on the other end would be able to deal with the procedure to access them; even passwords elude some people, so two-step authentication via an online method was out of the question.

So I opted for the most “secure” method of delivery possible from the US Postal Service, ticking the “Require Adult Signature” box in addition to insuring the package on the USPS website. This is really ridiculous in hindsight, but at the time it felt good. I guess I can thank Seinfeld for my fears about mail pricing classes and mail carriers giving preferential treatment based on extra postage or the lack of it; that’s a fallacy as well, because if anything, paying more for “security” signals that the cargo is more precious.

Patiently I waited for the tracking info on the website to say “Delivered,” but it never came, even though today was the target delivery date. The reason: the main sorting facility in the destination city dragged its feet on sorting my high-priority package, so by the time it was finally sorted for its destination it was already almost 10:00 in the morning. It’s likely sitting in the sorted stacks of mail at the facility waiting for delivery in the morning, but that doesn’t keep my mind from wondering.

How could someone tamper with my mail unknowingly?
Physical tampering on a letter is fairly evident. When someone opens an end and tapes it closed you will likely notice because there are physical signs that it has been tampered with. 

I started thinking about the ubiquitous packaging used by the US Postal Service with their campaign “If it fits, it ships.” Sorting facilities likely have stacks of these preprinted boxes lying around. So if someone were to abscond with a package (for a short time, while the tracking info said it was at the sorting facility, or in my case “out for delivery”), they could grab a package similar to the one I used (e.g. a Priority Mail envelope) and go to their local office, where a scanner and printer reside.

Then they could rather carelessly extract all of the documents, make copies, take pictures, or scan the items. Next they would use their new package to repackage my documents, and then scan and reprint the delivery label from my package. Place it on the new package and return the items back to the sorting facility or the waiting pile.

It’s not just mail
Then I started thinking about that expensive option of using a service like FedEx who also uses the same sort of standardized packaging. The same scenario applies. Also in regard to FedEx if someone were to notice a pattern of deliveries, they might interlope to satisfy a curiosity.

So, How Can You Really Tell?
Using a simple two-step verification, in which the recipient checks the package against something you sent by another channel, is one method. The best way I’ve thought of so far is to mark the package in a way that is nearly impossible to replicate, or in a way that a casual onlooker would not notice: colored markers, a color printout of an image from the web; basically, you mark the package.

Next you would take a picture of the markings and either text, or e-mail it to the recipient (if it is someone you can contact). Let them know that you are sending a package and send them the picture so they can verify that it is indeed the envelope or package that you initially packed.

If you have a budget for custom printing, you can print a customized envelope for the internal documents and wrap the interior of your package in something that’s not easily replaced. Companies like Uline sell tamper-evident tape and bags that show when they have been opened. If the documents arrive without that inner wrapping intact, you know the package was tampered with, and you can then start an investigation with the delivery service.

What companies would be the target of such an attack?
Banks, finance companies, mortgage lenders, payroll companies, Realtors, insurance companies, basically any company that receives sensitive personal information through a standardized delivery service such as FedEx or the US Postal Service in the States. Outbound mail from these companies likely isn’t so much of a target for this type of attack. It’s much easier to just take the letter outright if there is no tracking. Mail gets lost every day, right? The bank would assume the information was lost in transit and resubmit. If it was unexpected (like a replacement credit card), the end recipient would be clueless about the attack. Corporations only care about protection of personal information in regard to the bad press or negative media fallout.

In regard to identity theft the corporations aren't necessarily liable if someone finds a way to game the system, so the companies will not invest money for a potential threat.

Inbound mail or packages from individuals tend to have people's personal information in them, like in instances where the senders are completing a correspondence or form. Since they have a vested interest in maintaining their identity security they will likely opt for more postage.

Final thoughts

Call it paranoia, but I notice patterns, and when I’m sending sensitive info in high-profile packages to consistent recipients in a way that would normally not involve a time delay or interference, the anomalies in transit do pique my interest. If anyone tells you that snail mail is safer than e-mail or encrypted files, they do not know what they are talking about, unless they’re using a verification method like the one I’ve discussed here.

Remember security is an illusion.

Thursday, September 11, 2014

CentOS: Create a Blank file or redirect the default Apache Welcome Page

When you host a site on a CentOS box, a stock Apache install shows the CentOS welcome page whenever a request reaches the server for which there is no content: someone hits the box by IP address, or uses a domain that resolves to it but has no directory or virtual host set up. That page tells the visitor you’re running Apache on CentOS, information you probably don’t want to hand out. The same facts can also leak through the response headers, so removing the page is only part of the job, but it is the visible part.

Quite a few of the online discussion forums, and even the notes on the welcome screen itself, suggest that you edit the file /etc/httpd/conf.d/welcome.conf on CentOS.

If you cat the file you’ll likely see something like this:

# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

Their suggestion is to comment out the lines. Doing so doesn’t present the visitor with a blank page, but rather with a different error message. To edit the file you’ll need to be logged in as root (su -) or be a member of sudoers and use sudo.

Use the editor of your choice. I’m using emacs myself, but vi will also work. So my command looks like:

emacs /etc/httpd/conf.d/welcome.conf

So if I comment out those lines with # comment tags and save the file, then nothing happens.

#<LocationMatch "^/+$">
# Options -Indexes
#ErrorDocument 403 /error/noindex.html
#</LocationMatch>

This is because Apache only reads its configuration files when it starts. No need to restart the box, just Apache (a reload, service httpd reload, also re-reads the config without dropping existing connections); as root:

service httpd restart

The init script should report that httpd stopped and started successfully.

When you visit the URL that showed the welcome page before, you’ll now get a Forbidden error. This still lets savvy users know you’re running Apache: the stock 403 page carries an Apache signature line, and the Server header names Apache too, unless you also set ServerSignature Off and ServerTokens Prod in httpd.conf.


For me this wasn’t enough, so I took it a step further.

Since I don’t want anyone to see anything, I created an empty file in /var/www/error called noerror.php (PHP is only needed if you want the redirect described below). You can create it with touch:

touch /var/www/error/noerror.php
If you want a blank page, you’re done with the file at this point. If you’re not running PHP and only want the blank page, call it noerror.html instead.

For the Redirect
If you want the file to redirect somewhere else, edit its contents to something like this (the exit makes sure PHP sends nothing after the header):

<?php header('Location: http://www.somedomain.com'); exit; ?>

If you want this to be a permanent redirect, add the 301 status header above the Location header. Note that browsers cache a permanent redirect, so if you later put real content at the root URL (the one that delivered the 403 Forbidden error) you will have to flush your browser cache before it stops redirecting.

<?php
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.somedomain.com");
exit;
?>


Set appropriate permissions on the file for your setup (readable by the apache user, but not writable by it).

Edit the welcome.conf file again. (Usually you can press the up arrow to cycle back through your previous commands.)

Uncomment the lines suggested by the comments. So you should be back to this.

<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

Change the ErrorDocument path to /error/noerror.php, so the contents should look like this:

<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noerror.php
</LocationMatch>

Save the file and restart the web server again. Now, instead of the welcome screen, you should land on the domain from the redirect (or get a blank page, if that is what you chose).
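The same procedure as one script, added here as an example and not taken from the original post. It takes the paths as arguments so you can try it on a copy of welcome.conf first; the real paths on CentOS are /etc/httpd/conf.d/welcome.conf and /var/www/error, and the URL is whatever you want the root to redirect to. Two things it adds over doing the steps by hand: it runs httpd -t before reloading, so a typo in the config cannot take the site down, and it writes the redirect page with an exit after the headers. It assumes the stock, uncommented LocationMatch block is present in the file.

```sh
#!/bin/sh
# Added example (not from the original post): do the whole welcome.conf
# procedure in one go, check the config, and reload httpd.
#
# disable_welcome CONF ERRORDIR [TARGET_URL]
#   CONF        the welcome.conf to edit  (CentOS: /etc/httpd/conf.d/welcome.conf)
#   ERRORDIR    the directory Apache serves as /error/  (CentOS: /var/www/error)
#   TARGET_URL  optional; if given, the root URL 301-redirects there (needs PHP),
#               otherwise an empty noerror.html replaces the welcome page.
# Assumes the stock, uncommented LocationMatch block is present in CONF.
disable_welcome() {
    conf=$1
    errdir=$2
    target=$3

    if [ -n "$target" ]; then
        page=noerror.php
        # exit; stops PHP from sending anything after the headers.
        cat > "$errdir/$page" <<EOF
<?php
header("HTTP/1.1 301 Moved Permanently");
header("Location: $target");
exit;
EOF
    else
        page=noerror.html
        : > "$errdir/$page"     # create an empty file (same as touch)
    fi
    chmod 644 "$errdir/$page"   # readable by apache, writable only by the owner

    # Rewrite just the ErrorDocument 403 target; everything else in the file
    # stays exactly as it was.
    sed -i "s|^\([[:space:]]*ErrorDocument 403 \).*|\1/error/$page|" "$conf"

    # Return non-zero if the line was not found, so the caller notices.
    grep -q "^[[:space:]]*ErrorDocument 403 /error/$page\$" "$conf"
}

# Real use, as root:
#   sh disable_welcome.sh /etc/httpd/conf.d/welcome.conf /var/www/error http://www.somedomain.com
if [ $# -ge 2 ]; then
    disable_welcome "$1" "$2" "$3" || { echo "no ErrorDocument 403 line found in $1" >&2; exit 1; }
    if command -v httpd >/dev/null 2>&1; then
        # httpd -t refuses to reload a broken config instead of taking the site down.
        httpd -t && service httpd reload
    fi
fi
```

If TARGET_URL points back at this same server’s root, the browser follows the redirect to a URL that hits the same 403 handler and redirects again, which is the endless loop warned about below; point it at a host that actually serves an index.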

Hope this helps someone.


Note: If the server you’re redirecting to has no index file at the target URL, and in particular if that server is this same box, you can create an endless loop: the request for / is refused with a 403, the 403 handler redirects, and the redirected request hits the same handler again. Make sure the redirect target actually serves something.