Coverage of Check Point Acquisition of Nokia's Security Appliance Business

As I write this, I am still a Nokia employee. Yesterday's announcement did not change that, at least until the deal closes sometime in the next three months. Meanwhile, here are a few of the more interesting pieces that appeared online regarding the announcement.

Verizon Wireless: No Excuse For Data Security Issue

I've been thinking about the compromise of President-Elect Barack Obama's mobile phone records at Verizon Wireless. Verizon Wireless recently fired the guilty parties, as they should have. However, this is not the end of the problem. In fact, it's only the beginning.

As I work in a customer service organization, I understand the business need for customer service agents to have access to customer records. In order to provide quality service to a customer, access to their relevant data is vital.

How much access to that data is needed? Does every rep need access to all that data 24x7, anytime? The CISSP in me says absolutely not. Do companies properly control access to this data? Not in my opinion.

There are always going to be people who need access to all customer data, e.g. management or management designates. However, the number of people who have that level of access should be relatively small. All access to that data should be heavily audited.

For the lowly customer service rep--the people who typically answer the phone when a customer calls in--they should not have access to the customer's records unless the customer provides a PIN of some sort. Without a valid phone number and the appropriate PIN, the customer service reps should not be able to pull up the records at all.

Of course, there are going to be exceptions to this rule, for example if a specific rep is working with a specific customer on a specific issue, but as a rule, only people with a valid business reason to have access to the customer data right now should have that access. This needs to be enforced by business process as well as the tools themselves.
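The rules from the last three paragraphs, written as an access check (an added example, not part of the original post and not any carrier's actual system). The class, the user names, the phone numbers, and the PIN are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SALT = b"constructed-demo-salt"  # constructed; a real system uses a random salt per customer

def pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 10_000)

@dataclass
class RecordGate:
    pins: dict        # phone number -> stored PIN hash
    designated: set   # the small group allowed to see any record
    open_cases: set   # (rep, phone) pairs: this rep is working this customer's issue
    audit: list = field(default_factory=list)

    def request(self, user, phone, pin=None) -> bool:
        """Decide one record lookup and log the decision, allowed or not."""
        stored = self.pins.get(phone)
        if user in self.designated:
            reason = "designated"
        elif (user, phone) in self.open_cases:
            reason = "open-case"
        elif stored and pin and hmac.compare_digest(stored, pin_hash(pin)):
            reason = "customer-pin"
        else:
            reason = None
        self.audit.append({"user": user, "phone": phone,
                           "allowed": reason is not None, "reason": reason or "denied"})
        return reason is not None

    def denied_by_user(self) -> dict:
        """Audit review: number of refused lookups per user."""
        counts = {}
        for entry in self.audit:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts

def demo_gate() -> RecordGate:
    """Constructed sample data: one customer, one manager, one rep with an open case."""
    return RecordGate(pins={"555-0100": pin_hash("4821")},
                      designated={"mgr_ann"},
                      open_cases={("rep_bob", "555-0100")})
```

Denied lookups are logged alongside allowed ones, so a rep repeatedly trying records without a PIN shows up in `denied_by_user()`.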

Really, though, it's a simple matter. If you don't have a legitimate business reason for looking at customer data, don't do it. This has always been my policy, back from when I was a systems administrator. Reputable customer service agents follow this rule; the good ones don't even have to be told.

Back to Verizon Wireless for a moment. While I know it is a matter of a few rogue employees and I feel they responded to the situation appropriately, it shouldn't have happened in the first place. A large telecom like Verizon Wireless should have systems in place to prevent this kind of "data leakage" already. Clearly, whatever measures they employ either weren't followed or were ineffective.

I hope that all telecommunications carriers learn from this experience.

Nokia Firewall, VPN, and IPSO Configuration Guide Now Available

Andrew Hay and Warren Verbanec, two of my former co-workers, along with Peter Giannoulis and Keli Hay, have come together to make the Nokia Firewall, VPN, and IPSO Configuration Guide. These folks have put together a comprehensive tome covering all of Nokia's network security solutions, though the primary focus is on Nokia IPSO and Check Point VPN-1. I also played a small role in this book by writing the foreword for it, as well as helping both Andrew and Warren with various things over the years.

Of course, after this book was finished, but before it was printed, bound, and available on amazon.com and other places, Nokia announced it was selling off the Security Appliance business. Even if the boxes have a different name on them, which must happen eventually as a result of new ownership, they'll still be the same high-quality systems you've come to know and love from Nokia.

The Academy Relaunches Website

Several current and former Nokia colleagues are involved in a project called The Academy, where a number of videos are posted related to configuring security applications. The website has been relaunched and it's shaping up to be a great resource for the security geeks out there. Now, where are some videos on Sourcefire, Peter? :)

Nokia Spinning Off Security Appliance Division

The thing that has consumed my waking thoughts on Monday was the fact that Nokia has announced they are in the advanced stages of discussions with a financial investor to purchase this Security Appliance business from Nokia. Since this is the part of Nokia I work in, I am obviously a bit concerned by this.

All indications are that the Security Appliance part of Nokia's business will be spun out--intact--and made an independent company under new ownership. By itself, Nokia's Security Appliance business is fairly substantial. Not as big as Nokia's handset business, obviously, but it's still a reasonably sized business.

For customers, it should be business as usual. Operationally speaking, most of what makes up the Security Appliance business in Nokia is already fairly independent of the rest of Nokia. The relationships with Check Point, Sourcefire, and others will continue and likely strengthen. The only real change will be the name on the front door, though you will likely continue to see the Nokia brand in use for a period of time while the marketing folks roll out the new branding.

I think it will be a positive thing for the business as a whole. I personally see a lot of opportunities in this new world order, both for myself and the business. That being said, I won't be part of Mother Nokia anymore, which I believe also has some interesting opportunities, but opens others. It's giving me a lot to think about.

Bypassing the Internet Filters

In the evenings, I like to work downstairs on one of the kids' computers. It's nice to sit somewhere else and work. Keeps the mind fresh, and it also allows me to experiment a bit.

One problem with doing this is the web filters, which I've set up to prevent "accidental" exposure to the naughtiness of the Internet. I'm using K9WebProtection, which is a free Windows-based filter that only filters access via the web browser. It does not filter other programs.

The problem is, I have the settings set fairly stringent. The default setting blocks access to Flickr, YouTube, Share on Ovi, and others. Things I tend to look at while I'm blogging. Whitelisting those sites is possible, but not happening. Having to type in my password every 15 minutes is just annoying.

I stumbled upon a solution this evening with some Googling. It completely and utterly bypasses K9WebProtection and could easily be done by someone without user privileges.

How did I do it? I'm not going to say. For obvious reasons. However, search the Oracle of Google and you'll find the answer. At least now I can do my work without disabling the Internet filter.

Product Leaks And What Can Be Done

It's interesting to see Charlie Schick, one of my Nokia colleagues, discuss--on the corporate blog no less--a subject that has gotten a lot of attention thanks to how well the Nokia E71 was kept secret before its launch. And like Charlie, I'm going to drag out some thoughts from Nokia's internal blogosphere--my own specifically. However, unlike Charlie, I don't work in marketing and, obviously, am not speaking for the company here.

I am not opposed to the policy of not discussing publicly announced products. I understand the reasoning. That being said, it's frustrating at times to not be able to participate in a particular conversation about something everyone knows about thanks to a product leak. I think pretending the leak didn't happen is simply silly, which is the corporate policy today.

When a product leak does occur--and let's face it, it's going to happen despite our best efforts--we need to have a communications plan in place for dealing with it. Immediately, not when the product releases. Somewhere between the current "stonewall" policy and "spilling the beans." I'm not sure how realistic that is, but at least that way we might have some control over the messaging versus in the current regime where the blogosphere has already told all before anyone inside Nokia has had a chance to say word one.

Of course, even if every Nokia employee keeps their lips tight about upcoming products, the mobile phones themselves leak information. Whenever you visit a web site, or upload a picture to Share on Ovi or Flickr, the phone will leave bits of information indicating what kind of device it is as well as certain capabilities. For example, look at the number of photos on Ovi taken with the E71. All of the pictures here right now were taken with a pre-production E71. I can tell you from personal experience that pre-production units are somewhat different than production ones, both in terms of hardware and software. Using this sample to judge picture quality will give misleading results.

While this isn't the same as leaking a picture or sending a damned prototype to a reviewer, it's information nonetheless. It's the kind of information that shouldn't be out there--especially if we can't actually talk about an unreleased device. Our devices--at least in their pre-production form--should not inadvertently leak information about themselves.

I actually think there might be an interesting "security" feature here: relay as little about the end user device as possible with these services, or even provide the facility to change it to something else entirely. I know this is possible to do. Why not make this a built-in feature, along with changing EXIF data and other identifying information?
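What removing the EXIF part could look like before a photo leaves the device, as an added example that is not from the original post: it walks the JPEG segments, drops the Exif APP1 segment, and reports the Make and Model tags that were in it. The function names and the sample file, with its "ExampleCo" and "Proto-1" values, are constructed for illustration.

```python
import struct

def device_tags(tiff: bytes) -> dict:
    """Read Make (0x010F) and Model (0x0110) from IFD0 of an Exif TIFF block."""
    order = "<" if tiff[:2] == b"II" else ">"
    (ifd,) = struct.unpack_from(order + "I", tiff, 4)
    (count,) = struct.unpack_from(order + "H", tiff, ifd)
    found = {}
    for entry in range(ifd + 2, ifd + 2 + 12 * count, 12):
        tag, typ, size, offset = struct.unpack_from(order + "HHII", tiff, entry)
        if tag in (0x010F, 0x0110) and typ == 2:       # type 2 = ASCII string
            start = offset if size > 4 else entry + 8  # short values are stored inline
            text = tiff[start:start + size].rstrip(b"\x00").decode("ascii", "replace")
            found["Make" if tag == 0x010F else "Model"] = text
    return found

def strip_exif(jpeg: bytes):
    """Return (JPEG without its Exif APP1 segments, device tags that were in them)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, leaked, pos = bytearray(jpeg[:2]), {}, 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFDA or marker >> 8 != 0xFF:    # scan data (or junk): copy the rest as is
            break
        segment = jpeg[pos:pos + 2 + length]
        if marker == 0xFFE1 and segment[4:10] == b"Exif\x00\x00":
            leaked.update(device_tags(segment[10:]))   # drop the segment, note what it held
        else:
            out += segment
        pos += 2 + length
    return bytes(out + jpeg[pos:]), leaked

def sample_jpeg() -> bytes:
    """Constructed input: a JPEG skeleton (not a viewable image) carrying Exif Make/Model."""
    make, model = b"ExampleCo\x00", b"Proto-1\x00"
    # Layout: TIFF header (8) + entry count (2) + 2 entries (24) + next-IFD pointer (4) = 38
    tiff = b"II*\x00" + struct.pack("<IH", 8, 2)
    tiff += struct.pack("<HHII", 0x010F, 2, len(make), 38)
    tiff += struct.pack("<HHII", 0x0110, 2, len(model), 38 + len(make))
    tiff += struct.pack("<I", 0) + make + model
    def seg(marker, payload):
        return struct.pack(">HH", marker, len(payload) + 2) + payload
    return (b"\xff\xd8" + seg(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xFFE1, b"Exif\x00\x00" + tiff) + seg(0xFFDA, b"\x00") + b"\x12\x34\xff\xd9")
```

This covers only the EXIF half of the paragraph; the device string a phone sends in its HTTP requests is a separate channel that stripping the file does not touch.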

I have more thoughts on this, but most of them are not well formed or not well suited for outside consumption. What do you think about product leaks and what should be done about them, if any?

Linux On A Flash Drive

To the average person, the number of computers in my home is appalling. There are three computers downstairs alone, one for each of the other members of my family. Then there's my office.

One problem with the downstairs computers is that they all, without exception, have web filtering software on them. I am not under the delusion that they are a substitute for parental oversight--there's a reason the kids' computers are in a public room--but it's nice to have something around to catch most accidental exposures to inappropriate material. Let's face it, when the kids are old enough, if they want to get around the filters, they'll figure out a way.

Meanwhile, I occasionally use the kids' computers. Mostly it's because I like to go downstairs when the kids are trying to go to sleep. It's also nice to have a change of environment. However, the web filters end up creating problems for me when I try to, say, read my RSS feeds and people link to the latest cool video on YouTube. Or I want to check what's happening on Plurk or Twitter. Unfortunately, it means fighting with the web filter.

Now I suppose I could buy a "better" web filter rather than rely on K9 Web Protection from Blue Coat, but I like the filter. It generally works, it's free, does a fairly good job of catching inappropriate or questionable websites, and doesn't try and do everything. It also helps that their CEO used to be in charge of the part of Nokia I worked for many, many moons ago, and I thought he was a nice guy.

The solution: a portable computing environment embedded in a flash drive. I could dual boot the computers, but that creates other problems. The flash drive solution is clean.

Linux is the only feasible OS one can install on a flash drive--at least easily. There are actually a number of different distributions you can install on a USB flash drive, many of which are featured--complete with step-by-step instructions on how to install it--on a site called Pen Drive Linux.

I wasted an evening on trying to get Ubuntu (along with various derivatives) installed on a flash drive, but ran into a problem where the distribution was failing to boot because it was trying to find the non-existent floppy drive on this IBM ThinkPad T43 I am using.

What ended up working the best for me, at least, was Slax. It is based on Slackware Linux, which has been around forever. It was one of the first Linux distributions I started playing with in the mid-1990s. It includes a number of modules, including a relatively recent build of Firefox 2 complete with Adobe Flash integrated. It's not set up the most optimally out of the box--for example, the default user runs as root, which is almost as bad as the default Windows behavior--but with a little bit of hacking, it works just fine without needing to run as root.

I now have my own environment complete with some local storage on an older 1 gigabit flash drive. I can stick it into any computer that is able to boot off of USB, and it should give me access to the Internet and a few other programs. Works pretty well for me.

Photo credit: boredzo (Creative Commons License)

SecurID Over SMS: Sign Me Up!

As someone who spends an inordinate amount of time working from home, I always have to know where my SecurID token is. Without it and the six digits it provides, I will pound sand trying to get into the corporate network.

But the SecurID token is lame. Sure, it comes in a number of form factors, but I'd rather not mess with it at all. That being said, as a security person, I think it is a necessary evil.

I was excited when I initially read this article on SMS Text News about using SecurID with something whose location I also need to know at all times--my mobile phone! Clickatell offers a service that sends those six-digit codes over SMS to your mobile phone when you need to authenticate some place requiring strong authentication. You then provide that number--along with your PIN--to the remote server.

I like this solution because it requires no software to be installed on the phone. It can be problematic when your provider has delays with SMS--happens more often than I care to think about, actually. That being said, it appeals to me greatly.

Nokia IP1280: Dealing Deep Layer Enterprise Security Threats Another Blow

Every once in a while, the part of Nokia I work for announces new stuff. Today, it's a new piece of gear: the Nokia IP1280. Excuse the marketing speak, but I occasionally like to promote the things my part of Nokia is doing. :)

For some reason, I found the phrase "dealt deep layer enterprise security threats another blow" in the press release announcing the Nokia IP1280 funny. I suppose it does that, since this 2U, quad-core Intel CPU powerhouse can handle 24 ports, up to 14 Gbps of throughput with optional ADP modules, hot-swappable components, and a starting price of $39,995 USD. Yes, the IP1280 runs Check Point VPN-1, as most of the Nokia Appliances do.

As someone who works for the group that supports the Nokia Appliances, I would certainly appreciate it if when your company buys one of these platforms, you'd avail yourself of Nokia's First Call, Final Resolution support. At least that's what the marketing types have been calling it for many moons now.