Check Point R75 Now Available

Anyone who's following the Check Point Twitter or Facebook page, or has been peeking around in User Center, has probably seen the release of R75--Check Point's next major release. DLP, Mobile Access, Identity Awareness, and Application Control are all now available as Software Blades--modules that can be enabled as needed.

Over the past several months, as part of my normal duties at Check Point, I have talked with a number of the people involved in this release. I've learned about some of the technologies that went into this release, and I have to say, it's quite amazing how it all comes together!

Take R75 out for a test drive. Even if you don't immediately use the new features, there are some usability enhancements in the SmartConsole applications, an improved IPS engine, and, of course, AppWiki, which is a great resource to find out about applications--even if you're not using our Application Control Software Blade!

Using Firesheep is Illegal. So What?

From Using Firesheep is illegal in the US, UK, and most of the world:

One thing that many sites have glossed over is the inherent illegality of using Firesheep. "Go on! Try it! It's cool!" -- yes, it is shockingly cool, but if you use it on a public network you are breaking the law.

In general, the interception of any communication -- digital or otherwise -- is prohibited by law. Government agencies are the only exception and even then a warrant is usually required. Firesheep, by intercepting digital communication and re-routing it to your Web browser is a wiretap. Unless you're trying to crack the local organized crime racket and you have a warrant in your pocket, you are breaking the law.

Making something illegal doesn't mean people--especially criminals--won't do it. Besides, one could argue that this communication is being broadcast unencrypted and can easily be sniffed passively, thus one should not have had a reasonable expectation of privacy.

The goal of this program isn't to let people hijack each other's web sessions anyway; it's to clearly demonstrate the threat of using unencrypted protocols over unencrypted WiFi, a threat that has existed since WiFi was first conceived. Unfortunately, easy-to-use programs like this are what's needed to apply the appropriate pressure to change our protocols and practices.

Unencrypted Access Needs To Die

From Why Firesheep’s Time Has Come | Steve (GRC) Gibson's Blog:

In case you’ve been somewhere off the grid, and have somehow missed the news, Firesheep is an incredibly easy to use add-on for the Firefox web browser that, when invoked while connected to any open and unencrypted WiFi hotspot, lists every active web session being conducted by anyone sharing the hotspot, and allows a snooping user to hijack any other user’s online web session logon with a simple double-click of the mouse. The snooper, then logged on and impersonating the victim, can do anything the original logged on user/victim might do.

I've experimented with Firesheep on my own system. Normally, I use Google Chrome, but I installed a fresh copy of Firefox just for the occasion to try Firesheep.

Within a few moments, I was able to pick up web sessions happening from my Google Chrome browser. I was able to use both my Facebook and Twitter from Firefox without having to log into them! It did pick up my Google login, but before I hit Gmail, I had to provide authentication. Remember, this was a fresh installation of Firefox on a machine that did not previously have Firefox installed at all!

This is scary stuff. As Steve Gibson says, though, this has always been possible with unencrypted WiFi by anyone with enough 1337 5killz to pull it off. Now, it's as simple as installing a web browser plugin.
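Firesheep works because a site's session cookie travels in cleartext over plain HTTP, so the defensive fix for the threat described in the two posts above is to make sure session cookies are marked Secure (sent only over HTTPS). The following audit script is an added example, not code from either post or from the Firesheep project; the header names and sample values are constructed for illustration.

```python
"""Audit Set-Cookie headers for the flags that blunt Firesheep-style sniffing.

A cookie without the Secure attribute is sent over HTTP as well as HTTPS,
so anyone on the same open WiFi can copy it and replay the session.
HttpOnly is checked as well, since it keeps page scripts from reading it.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [missing attributes]} for every cookie that
    would be exposed on an unencrypted network."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers, the way a site of the Firesheep era might send them.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Domain=.example.com",  # sniffable and script-readable
    "csrftoken=xyz; Path=/; HttpOnly",                 # still sent over plain HTTP
    "login=1; Path=/; Secure; HttpOnly; Expires=Sat, 01 Jan 2011 00:00:00 GMT",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```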

Mobile Security Isn't The Same on All Platforms

From an article on Cnet announcing a mobile security product:

The [product] runs on all mobile operating systems and devices. It includes antivirus, personal firewall, antispam, and remote monitoring and control services. It remotely backs up and restores data and can locate devices that are lost and stolen, as well as wipe data from stolen devices. It also can send an alert when a SIM card has been removed or replaced. For enterprise users, it protects devices accessing networks with SSL-based virtual private network.

And it makes great toast, too!

Reality check. The functionality of the above-mentioned product is highly dependent on the mobile platform we're talking about. A quick trip to the vendor's website shows you which options are available on which platform, and it's clearly not the same.

Mobile operating systems are designed to be more secure from the get-go. That doesn't eliminate the need for security, but it does reduce or eliminate certain classes of threats. Also, each mobile OS has its own unique restrictions on the kinds of apps that can be written, and each mobile OS has different security services that can be utilized in different ways.

In short, what you can do on iPhone and what you can do on Android are very different. Even if a vendor provides the same application on multiple platforms, it is not going to provide the same level of functionality. It simply cannot.

The author of the above-linked piece did not even attempt to articulate this critical point. If you're looking at a mobile security solution for your enterprise, you simply have to be aware of this reality so that you don't expect something that cannot be delivered.

Disclaimer: My employer offers a competing product: Mobile Access Software Blade. However, the above thoughts are my own.

Gil Shwed says Check Point isn't for sale

From Check Point isn't for sale, says Shwed - Haaretz Daily Newspaper | Israel News:

Two months ago, antivirus systems giant McAfee was sold to Intel for $7.7 billion. At the time, a number of analysts suggested that Check Point Software Technologies would also be an attractive target for takeover. Gil Shwed, the company's founder and leader, yesterday shrugged at the idea in conversation with reporters, after the company filed its third-quarter financials.

Anything's possible, Shwed said: but he's been very consistent in his position for the last 17 years, which is that Check Point isn't for sale. "We are very proud of the fact that we are an Israeli company, an independent one," he said.

Why would Check Point put themselves up for sale when the financials continue to be strong and only getting better? I think it's just "wishful thinking" by the analysts.

Disclaimer: I work for Check Point.

Schneier on Security: Stuxnet

From Schneier on Security: Stuxnet:

Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story.

As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and Israel are the most common suspects--specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation.

What strikes me about the Stuxnet story is that it's really "nothing new." Yes there were some new zero-day vulnerabilities found. However, a virus that propagates by rogue USB keys? Didn't we learn anything from the 1980s when viruses propagated by floppy disks?

Apple Stopping Jailbreakers? Please.

While I am sympathetic to people who would like some of the functionality that jailbreaking your iPhone provides--heck, I wouldn't mind some of it myself--anyone who is calling upon Apple to "call off the dogs" on jailbreakers clearly doesn't understand what they are asking Apple to do.

Jailbreaking is a process by which you can run programs on the iPhone that did not come from the App Store--apps that are not Steve Jobs approved, so to speak. Seems fairly straightforward, right? I mean, who is Apple to tell me what I can run on my phone, right?

The problem is: every single one of these jailbreaks is performed by exploiting a security vulnerability in the phone's software. Every single one. The most recent example of this was the Jailbreak Me website that, by simply visiting a web page and sliding a slider, would trigger an exploit in your phone that would cause it to execute the necessary code to jailbreak the device.

Of course, if the jailbreakers can cause your phone to execute arbitrary code, so can a bad guy. And that's the point behind Apple "stopping" the jailbreakers. It's not really to stop them, it's to stop the bad guys who can use the same vulnerabilities to do worse things.

Instead of being critical of Apple for stopping jailbreakers, how about we be critical of Apple for not allowing us to run software of our choosing on our own device, even if Apple doesn't approve of it? That's the real problem, and that's what we should be focusing on.

How to Protect Yourself From Facebook Places

In my last post, I told people how to turn off their friends' ability to check them in via Facebook Places, the new location-based feature that Facebook made available this week. Of course, in typical Facebook fashion, they left the default settings wide open, potentially exposing users to privacy violations! In practical terms, this means:

  • When you check in some place via Facebook Places, your friends will see it in their Facebook timeline.
  • Your checkins at this location are logged and can be seen by people checking in there later on.
  • Friends can check you in places if they are at or near that place.
  • Third-party Facebook applications your friends might use can access the places you check into (or your friends check you into).

This raises the question: how can you (or your friend) check into a location on Facebook? Right now, checkins are limited to mobile phones with GPS, and you must be physically near the location that you check into (or your friend must be). So I can't, for instance, check my friends into someplace near their hometown unless I happen to be in their hometown near the location in question. Knowing Facebook, though, they could change this later on.

You probably don't want your friends checking you in places. Or maybe you don't want to use Facebook Places at all. Here's how to adjust your settings for Facebook Places so you can stay as off the grid as you'd like. Note you can click on each image to get a full-size version.

First off, go to Account > Privacy Settings in Facebook:

From the next screen, choose Customize Settings:

First look under Things I Share:

If you want to opt out of Facebook Places, set "Places I check in to" to "Only Me" and uncheck "Include me in 'People Here Now' after I check in". Otherwise, adjust these settings as you see fit. If you want to prevent people from checking you into places (whether or not you want to opt out), look under Things Others Share. Set the "Friends can check me in to Places" option to Disabled.

You may also need to go back and prevent third-party applications from accessing your Facebook Places checkin data. Click on the Back to Privacy button on top and then click on the Edit your settings link under Applications and Websites.

Make sure to uncheck the Places I check in to option (and any other ones you want to uncheck) and click Save Changes.

If you have set these options to their most restrictive setting, congratulations, you have opted out of Facebook Places (as much as you can, anyway).

Friends Can Check You In Places on Facebook. Here's How to Fix That.

Go to Account > Privacy Settings, click Customize Settings. Under "Things others share", set "Friends can check me in to Places" to Disabled. Otherwise, your less scrupulous friends can check you into potentially embarrassing locations.

Optionally, under "Things I share", adjust the "Include me in 'People Here Now' after I check in" and "Places I check in to" settings accordingly.

Update: you should see my more complete guide to changing your Facebook Places settings.

Check Point and Crossbeam Expand Partnership

Crossbeam has issued a press release about their expanded strategic partnership with my employer, Check Point Software Technologies. The key paragraph in that press release:

Customers can now purchase integrated solutions from Check Point, complete with maintenance and support delivered by Check Point’s award-winning global service organization. Check Point will provide support for both its software products and Crossbeam’s X-Series platform. This simplifies the ordering process and promotes closer product, sales and technical collaboration between Crossbeam and Check Point to support customer needs.

The kind of customers that will buy Crossbeam X-Series platforms are the kinds of customers who want what we used to call "first call, final resolution" back at Nokia. This is exactly what this provides: a single point of contact for purchasing and support of Check Point software on Crossbeam hardware. What's not to like?
