Saturday, June 16, 2012

Threat Modeling with Customers as Assets

One thing I've been contemplating lately is whether the security world isn't missing something when threat modeling.
Threat modeling generally lists assets, then works out what kinds of threats can affect those assets and what the expected loss might be.  Assets are typically thought of as physical systems like a web server or a database.

But a consideration has been percolating since I had a discussion with one very confident threat modeler working for a Fortune 100 company.  I suggested that a customer who has a company-distributed token and can move their data from one service to another in seconds could be considered an asset.  This credentialed expert was absolutely beside himself with indignation: "the business doesn't own the customer. And a customer is also not an asset because a customer can't be attacked or exploited!"

Oh really?

Follow me down this rabbit hole and see if there isn't a case to be made for at least considering that your customers might be an asset.

An asset is defined as:
"Any item of economic value owned by an individual or corporation, especially that which could be converted to cash. Examples are cash, securities, accounts receivable, inventory, office equipment, real estate, a car, and other property. On a balance sheet, assets are equal to the sum of liabilities, common stock, preferred stock, and retained earnings. From an accounting perspective, assets are divided into the following categories: current assets (cash and other liquid items), long-term assets (real estate, plant, equipment), prepaid and deferred assets (expenditures for future costs such as insurance, rent, interest), and intangible assets (trademarks, patents, copyrights, goodwill)."

As a business do you invest money to retain customers? - maybe you don't own customers but you invest in them -
As a business do you carefully maintain and grow your customer base?
As a business do customers provide you money? (maybe not unlike accounts receivable?)
As a business, if all of your customers leave do your physical assets have any value beyond their depreciated physical value?

So I think a reasonable person would agree that customers are an investment which pays dividends over time.  Also note in the definition of asset the sub list of "intangible assets" which include... goodwill.  Your customers represent a huge pile of cash which may or may not be delivered to your revenue stream. (think Netflix when they changed their terms and service model)

So let's say for the sake of argument that customers are the embodiment of goodwill represented in terms of accounts receivable and have been invested in both in terms of advertising dollars and education as you have tried to help your customer keep themselves secure while they use your product.

Let's go further and examine this claim that a customer cannot be attacked by a hacker.  I would suggest that it's not only possible but it is part of your threat model and sphere of business.  It is your concern.  My justification is as follows:

1) customers can be socially engineered
2) customers can be attacked by spam, trojans, viruses
3) customers can be lured away if service is denied from the customer's computer

But when someone tells me that something is impossible the lateral thinker in me feels compelled to find an exception to the rule... what if the customer is attacked by DoS and thereby denied service, and leaves your service because it never works?  What if a browser helper object is put on the user's browser that denies service to Amazon Web Services or Netflix or Gmail?  What if a BHO stops service to one company and facilitates it with another?  I can think of one such BHO - Cool Web Search. So such a thing has already happened.  Microsoft has already realized that they need to protect their customers via anti-spyware and anti-virus in order to keep their company alive.

So your customers can be threatened!  The customer can take their money elsewhere.  If compromised, the customer could lead to a general compromise of your entire system. The following source indicates that customer data is an asset and probably could be considered one even when transient.  Consider for a moment what happens when the customer has a tiny bit of our data, such as an access key or certificate?

Could you educate your customer about how to keep their secret key secret? 

Could you educate your customers about how to avoid being socially engineered? 

Could you educate them on how to keep their computers secure? 

Could you educate your customer on how to avoid service interruptions? 

I think the answer to all these questions is yes, even if it would lead to an extra expense...  You probably already have spent money trying to educate your customer to some degree.  So maybe you can't entirely control your customer, but the customer can be educated and controlled, and even somewhat protected.  * almost like an asset *  You could provide your customer with a security token, for example, or an X.509 certificate.  Maybe you could even put a program on their computer that assists them in securing their credentials.

Now you can say that you're not responsible for the customer... and why should you be?  Why take on an extra expense for something you can't control?  Given the threats we face you may want to consider changing your thinking.  Operating system vendors like Microsoft understand that they need to make efforts to secure their customer in order to keep them.

The following hypothetical may illustrate the point:

What happens if a customer uses your company's lowest-assurance login method for your cloud hosting services... a shared key, for example.  A hacker uses Google to find the customer's exposed code using a specialized search.  Imagine then that the hacker uses the customer's login and secret key to create a fully authenticated message to the customer's account, gaining access to a VM that can't be traced back to them.  Then the hacker uses the new zero-day ring 3 VM breakout to compromise the host running hundreds of VMs inside the cloud service.  From there, the hacker or nation-state can leverage sufficient computing power to crack other systems in minutes.  The hosting company now has a compromised reputation and a permanently compromised revenue stream, all because they didn't consider their customer an asset.

So should a business fold users into their threat model?  I would say the answer "depends".  Customer=Asset does not compute for every industry.  But if your customers have highly portable data that can be taken elsewhere and your business' reputation for security is the only thing between it and disaster... including your customer as an asset in your threat models may be the only sensible approach.
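To put numbers on the argument, here is an added example (not part of the original post) of a tiny quantitative threat model: the same leaked-shared-key chain from the hypothetical above is costed once with only tangible assets and once with the customer base counted as an intangible asset, and the decision about paying for tokens or certificates flips. Every dollar figure, rate and cost is constructed for illustration.

```python
"""Added example, not from the original post: a tiny quantitative threat model that
shows how counting the customer base as an asset changes a mitigation decision.
Every dollar figure, rate and cost below is constructed for illustration only."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class Asset:
    name: str
    value: float          # replacement value, or for intangibles, revenue at stake


@dataclass
class Threat:
    """One attack path, here the post's leaked shared key -> VM -> host breakout chain."""
    name: str
    annual_rate: float            # expected occurrences per year
    impact: Dict[str, float]      # asset name -> fraction of its value lost per occurrence


def annual_loss(threat: Threat, assets: Dict[str, Asset]) -> float:
    """Annualized loss expectancy over the assets actually in the model. An asset
    left off the list (the post's customer) silently contributes nothing."""
    return sum(threat.annual_rate * assets[n].value * f
               for n, f in threat.impact.items() if n in assets)


def worth_mitigating(threat: Threat, assets: Dict[str, Asset],
                     rate_after: float, yearly_cost: float) -> bool:
    """Pay for a control (tokens or X.509 certs instead of a shared key) only when
    the loss it avoids per year exceeds what it costs per year."""
    before = annual_loss(threat, assets)
    after = annual_loss(Threat(threat.name, rate_after, threat.impact), assets)
    return before - after > yearly_cost


# Constructed figures for a small hosting business.
TANGIBLE = {"web_server": Asset("web_server", 20_000.0),
            "database": Asset("database", 80_000.0)}
WITH_CUSTOMERS = dict(TANGIBLE, customer_base=Asset("customer_base", 2_000_000.0))
SHARED_KEY_CHAIN = Threat("leaked shared key -> attacker VM -> host compromise",
                          annual_rate=0.2,
                          impact={"web_server": 1.0, "database": 0.5, "customer_base": 0.25})
TOKEN_COST = 60_000.0     # constructed yearly cost of issuing tokens / client certs
RATE_WITH_TOKENS = 0.02   # constructed: the leak becomes ten times less likely

if __name__ == "__main__":
    for label, model in (("tangible only", TANGIBLE), ("customers as asset", WITH_CUSTOMERS)):
        print(f"{label:19s} ALE=${annual_loss(SHARED_KEY_CHAIN, model):>10,.0f}  "
              f"buy tokens: {worth_mitigating(SHARED_KEY_CHAIN, model, RATE_WITH_TOKENS, TOKEN_COST)}")
```

With only servers on the asset list the control looks like wasted money; once a quarter of the customer base is at stake, the same control pays for itself.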


Friday, June 01, 2012

Extreme Browsing


If you are testing security or you simply want to surf without tracks you might enjoy TAILS, which is a bootable DVD running Debian.  Essentially this will allow you to turn almost any machine into a completely safe virtual browsing environment.  Check out the download here:

Surfing "Home Style" with Socks

SSH tunneling for a home-away-from-home experience.  Ever find yourself behind a corporate firewall or on an untrusted network and want to check your personal email or your Facebook account to see what you need to bring to the party tonight?  If you just need to browse safely you can easily do this via SSH and get an encrypted session from wherever you are to home.  Your home computer will then make requests on your behalf and pass the data back to your browser in an encrypted session. If you're checking email you can usually do this via the web as well, even on your POP accounts, as most POP providers have browser front-ends you can access if you have the URL.

How do you set up this little magic trick and surf straight through firewalls and super IDS/IPS systems?

1) Set up a Linux box at home with port 22 (SSH) allowed incoming and outgoing on your firewall.  (Make sure the account has limited privileges and a very strong password.)  If you know what you're doing you may even want to set up certificates.

2) If you're on Linux you're good to just open a shell and run ssh -D (see the detail below) to your home machine and skip to step 3.  If you're on Windows you'll need Cygwin or OpenSSH etc.  I have a small Windows app that I wrote to accomplish this in about 800KB if you want to set up on Windows and don't care to install a bunch of stuff.  [If you comment with your email I can send you a copy]

The popular thing is to use -N -L and pick your ports, but there's a far easier way for the browser using its built-in SOCKS proxy support. Using a SOCKS proxy you can shorten your SSH command, save yourself some headache and configure your browser more easily.

Execute on your client machine:
ssh -D 9050 [username]@[]
( is the IP or address of your linux box at home which is running SSH)

Your tunnel awaits!  Your session will expire eventually but while SSH is connected you will be able to set up your browser and surf safely using the port you chose.

3) Set your browser to use a SOCKS proxy at port 9050 (or whatever port you want to default to).  Type your destination into the browser such as: and voila, you're surfing around all sensible precautions and filters.

You can set a specific browser instance (say Chrome or Firefox or IE) to always connect via SOCKS.  This way you can keep your regular browser normal and playing nicely through the firewall, and then open your browse-by-home super secret browser and surf like you're on your home network.
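As an added example (not the post's own script), here is the "ssh -D" step wrapped with the checks a careful user wants: the SOCKS listener is pinned to loopback so nobody else on the untrusted network can ride the tunnel, keepalives cover the "session will expire eventually" problem, and the tunnel is verified with a curl request that sends the DNS lookup through the tunnel too, because a browser that resolves names locally leaks every site you visit to the corporate resolver. HOME_HOST and HOME_USER are placeholders for your home box and its low-privilege account.

```shell
#!/bin/sh
# Added example, not the post's own script: wraps "ssh -D" with the checks a careful
# user wants. HOME_HOST and HOME_USER are placeholders for your home box and account.
HOME_HOST="${HOME_HOST:-home.example.invalid}"
HOME_USER="${HOME_USER:-tunneluser}"

# Only accept an unprivileged TCP port for the local SOCKS listener.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Build the ssh command. Compared with a bare "ssh -D 9050 user@host":
#   -N                        no remote shell; the account only needs to forward
#   -D 127.0.0.1:PORT         listener bound to loopback, so nobody else on the
#                             untrusted network can ride your tunnel
#   ExitOnForwardFailure=yes  fail loudly instead of silently running with no proxy
#   ServerAlive*              keepalives so the session does not quietly time out
build_tunnel_cmd() {
    valid_port "$1" || return 1
    printf 'ssh -N -D 127.0.0.1:%s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s@%s' \
        "$1" "$HOME_USER" "$HOME_HOST"
}

# Check the tunnel with curl. --socks5-hostname sends the DNS lookup through the
# tunnel too; plain --socks5 would resolve the name with the local (corporate)
# resolver and leak every site you visit.
build_check_cmd() {
    valid_port "$1" || return 1
    printf 'curl -sS --max-time 10 --socks5-hostname 127.0.0.1:%s -o /dev/null https://example.com/' "$1"
}

main() {
    port="${1:-9050}"
    cmd=$(build_tunnel_cmd "$port") || { echo "bad port: $port" >&2; return 2; }
    $cmd &
    ssh_pid=$!
    trap 'kill "$ssh_pid" 2>/dev/null' EXIT INT TERM
    sleep 3   # give ssh time to authenticate and bind the listener
    if $(build_check_cmd "$port"); then
        echo "SOCKS proxy on 127.0.0.1:$port is up; point your browser at it."
        wait "$ssh_pid"
    else
        echo "tunnel check failed; not safe to browse" >&2
        return 1
    fi
}
# Run only when invoked with TUNNEL_RUN=1, so the functions can also be sourced.
if [ "${TUNNEL_RUN:-0}" = 1 ]; then main "$@"; fi
```

On the home box, the step 1 account can additionally be confined in sshd_config with a Match User block (for example AllowTcpForwarding yes, PermitTTY no, X11Forwarding no) and key-based login, so a guessed password buys a tunnel and not a terminal.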

Of course this violates all corporate policies we know and love.  It also gives you a taste of what can be done if you let your home network or corporate network get hacked.  You shouldn't use this if you intend to stay compliant with any sensible regulation or policy.  But in a pinch this will get you home-style access from behind the great firewall of China.

You are what you surf so be safe.