The Broken Window Theory applied to Information Security

An observer could peer straight through the bu...

Image via Wikipedia

The Broken Window Theory has two popular accepted approaches to it’s application.

The original was an economic theory proposed in the 1850s.  Essentially it stated that even something bad that happens (e.g. the breaking of a window) has a positive effect on the economics of a society (need to create another window and employee someone to install it).

There is a more contemporary theory that is focused on criminology originally proposed in the March 1982 edition of The Atlantic Monthly.  It basically states that, if a few broken windows go un-repaired, then from that there is a higher propensity for other windows to be broken.  From that, there is even more chance that other nefarious activities will be more prevalent in that location.

I’m going to take a leap here and compare the second theory with Information Security and reducing risk.

According to the theory, there are three factors that support why the condition of the environment affects crime (and the opportunity for crime):

  • social norms and conformity
  • the presence or lack of monitoring, and
  • social signalling and signal crime

In this first part, I’ll use Information Security examples to explain these factors:

Whether intentionally or not, the policies we create and enforce will affect the social norms of our computing environments.  If you do not enforce the needs of proper patch management or secure coding, you create a social norm where it is implicitly acceptable to not follow those policies.  Social norms tell us that people will do as the group does and will monitor others to make sure they act in the same manner.  If this holds true, then here inlines the answer to many departments problem.  Make sure you have a policy, it’s well enforced and communicated to your end users, and the end users will help expand your monitoring capabilities to ensure they are being followed.  Seems too simple right?

The second factor is the presence of monitoring.  Because of the nature of our environments, it’s not always possible for people to get feedback from those around them and you cannot rely on (or even expect) to have any norms being transmitted from others.  In this case, you turn to your tools.  Even though you may have created and communicated the appropriate policies, now you need some technical controls in place to enforce them.

These technical controls are the third factor (signals) that indicate to the end users that they are (or are not) compliant with their activities.  So add accurate, timely, and visible monitoring to your list.

The other key component to take away from the Broken Window’s theory is that addressing problems when they are small will give you the opportunity for easy, less expensive fixes to problems.  A sound Risk Management methodology would tell you that Addressing issues like patch management, policy violations, secure coding practices earlier, are less costly and less difficult than addressing them after they have been exploited and you are now dealing with a breach or data loss.

Sadly, the early economic theory of Broken Windows would state that all these things are good.  If a breach occurs many people will be employed conducting the investigation and doing research.  I feel I can confidently say that the business we own or work for would not be satisfied with us following that theory.  It would be far more acceptable to accept the social/criminology theory and begin to remediate many of our issues before they become larger problems.


“Two” many calendars on your BlackBerry?

After a week of having duplicate calendars on my BlackBerry driving me crazy, I did some research to figure out what was going on.  (This is not original information, but is good to have if you find yourself in my situation.)


In order to update to the most current version of BlackBerry OS on your device, you’re best to install the BlackBerry Desktop Manager.  Having completed this (including the OS update) a second calendar showed up on my device. However there were enough other features to the new OS to keep me occupied so the calendar issue went to the back of my mind for a while.  That was, until I started to get duplicate updates for every event I had.  That got old fast.

After trying the calendar options, finding I could really only change the color for the calendars I had already installed, I found that my answer was not in the device options.

After reading quite a few other web postings on the subject, there were many recommendations about deleting service books for all CICAL entries, etc.  But that too wasn’t the answer.

If you have two calendars, here is the most direct way to consolidate them into a single calendar (assuming that is your goal):

  1. Open the Calendar.
  2. Press the menu key.
  3. Choose Options
  4. Type MOVE on the keypad.
  5. You will be asked to move all appointments in the base system calendar. Choose YES to accept moving all entries in the Device Default calendar to the default active calendar.
  6. Perform a hard reset of the BlackBerry by taking the battery out while the phone is still powered on and placing it back in.

This operation will move all calendar entries existing on the Device Default calendar to the active calendar shown in OptionsAdvanced Options > Default Services.

At this point, I was good.  And in fact this may be all you need to do also.  However if you had this issue because you have two calendars on two separate email addresses, you may need to do the following:

  1. Go to Options > Advanced Options > Default Services.
  2. Verify the correct email address is shown for Calendar [CICAL].
  3. Press the back arrow and save the changes if prompted.
  4. In the Advanced Options menu, choose Service Book.
  5. Highlight the entry for the calendar you do not want. This will appear as [CICAL].
  6. Press the menu key and choose Delete.

When deleting a CICAL, any calendar entries associated with it are moved to a Device Default calendar.

Hopefully this is helpful.

Why you should hack your iPhone

or really why you shouldn’t.

I know quite a few people who have jailbroken their iPhones.  And I will apologize to many of them now, but I can tell you that most all of them should not have done it.

I realize that in their frustration to have the iPhone be all the things that it is capable of being, many users feel the need to bypass the constraints put in place by Apple.  Unfortunately they also bypass a lot of the security functions (roughly 80%) built into it also.  I see the stat that nearly 7% of all iPhones are jailbroken.  Given that 90% of those probably have not done anything to increase that security posture, there are roughly 2.1 million “vulnerable” iPhones in use today (given 34 million in use Q9 2009).

So, for you to have the ability before anyone else to teather, MMS, Google Voice, etc you open yourself up to the following:

  • Default SSH password setting –  since this is often not changed by users who jailbreak their iPhones, this is the easiest port to access the phones OS.
  • Use of iPhone to proxy your connections

Via those vectors “one” can easily connect and:

  • See the iPhone OS file system… hmmm what files can I see and copy over from there?  How about:
  • Email
  • SMS Messages
  • Voicemail in .amr format
  • Addressbook/Contacts
  • Call History
  • Notes
  • Bookmarks
  • History
  • Cookies (could really find some interesting things with persistent cookies here)
  • Even more fun?  What about recAudio?  Remotely, from the command line, enable the audio recording feature of the microphone.  The audio is then stored to a local file (.aiff) that I can now SCP from the iPhone to the machine I’m on.  Bamo… you have your own remote bugging device and no one will think twice about it sitting in a conference room while they are talking about… well anything.
  • Uber stalker?  You can also query the iPhones GPS API to return HI RES latitude/longitude information in XML format.  Put those coordinates into Google maps and you can (with a tremendous amount of accuracy) track the path of an iPhone user.
  • Make phone calls?  What about making the remote phone make calls?  You can make someone prank call without their knowledge.  If you know them, you can make them call you and give them a hard time about calling and not saying anything.  The uses are endless, eh?
  • Remember the use of your phone as a proxy connection?  How many users connect their iPhones to their office or home wireless networks?  Since there are multiple interfaces on the iPhone and you can route between them.  “One” could now use this as a bridge into a private network.  So much for your firewalls and perimeter devices protecting your network.

Sweating yet?

Well believe it or not, there is good news for you jailbreakers out there.  AT&T has begun to filter addresses on their NAT’d wireless network.  But only quite recently.  Prior to this, “one” could pop an AT&T aircard into a laptop, get onto a mobile wireless segment, get “one’s” own IP address and quickly scan that entire segment for users.  A port scan will tell you which of those devices are iPhones.  With this filtering in place (and only in some places) you are limited and not able to (as easily) map the devices around you.  So this is a hurdle, but don’t take too much comfort in it being high enough to keep very crafty people out for long.

So the long a short of it?

Given how much information is contained on your iPhone, I don’t think there’s any application you need so badly that you’d be willing to give up access to all your personal information.  So suck it up and use the apps/functions/features that Apple has available.  When it can be provided securely (and probably profitably for Apple) it will be released.  Until then, go play outside.

Special thanks to Trevor Hawthorn for his research and demonstration of these exploits at Schmoocon 2010.

Just say no! BlackBerry + Facebook = Security FAIL

Point 1:

I’m not the biggest fan of any RIM device, though I do utilize one for my job.

Point 2:

I support the development of applications for mobile devices.  Applications are key to driving the adoption and growth of many of the new “smart” (and I use that term loosely) phones on the market.

Point 3:

Applications, regardless of what platform they are developed for, should all be done securely and efficiently.  And in that order.

What the heck does all this have to do with the BlackBerry and Facebook????


Thanks to the guys that really spend a lot of time reviewing social media stuff (specially Tom Eston and Kevin Johnson), they have noted that specifically crafted SPAM messages will show up as a Facebook notification in your Facebook for Blackberry application.

What makes this troublesome from an information protection standpoint is that, the Facebook application is actively scanning your email inbox.  In the case of many, many Blackberry users, this is not your personal email, but your corporate email.  Of the 13,934,752 monthly active users (according to I’m sure you all read the EULA when you installed the app right?  That’s another post…

To be fair, this is how the application is presented to the end user: “Facebook for BlackBerry smartphones allows BlackBerry smartphone users to connect their friends’ profile pictures, Facebook names, and company names to existing BlackBerry smartphone contacts in the Contacts application. Facebook for BlackBerry smartphones updates the caller ID pictures of your synchronized friends with their latest profile pictures.”

So in order to do this, you have full access to contact names.  So if you’re on a corporate BES, the information contained therein is your corporate email directory?  Uh, yeah.  So corporate BlackBerry users with the Facebook app are willingly providing a valid contact list for their entire company.  My understanding of SPAM and capitalism is that this is quite valuable information and can be sold to email distribution list providers quite readily.  Can someone please point me to the data management policy that protects this information from disclosure?  I’d be ecstatic if it existed.

To all the BlackBerry users:

Rather than send out 14,000,000 apologizes, I put it out there now.  Sorry.  But if you have this app installed on your BlackBerry.  Uninstall it.  NOW! Do not finish reading this post, uninstall the app and come back to finish the post.


I trust (which is always a bad thing) when you provide a singed application that you have performed a review of how the application performs on your device and that it doesn’t do anything we don’t expect.  Like skim our emails and contact information.  Much like an application requests permission to utilize your GPS coordinates (which is another bad thing) why would you not have the same request when an application wants access to your personal information and email?

Let me check here… Options – Security Options – Application Permissions -….  hmmm I’m sure the app is on here, let me look again…

Options – Security Options – Application Permissions -… nothing.  So, when I install Facebook for BlackBerry devices, it doesn’t ask me for any permissions?  NONE?!?  FAIL!

But wait, during the setup there is an option to “allow” access to your messages, calendar, and contacts.  First, the statement that it will send a copy of your contacts to the FaceBook site should be alarming enough.  But worse yet, it seems that turning all these off during the setup did not affect a SPAM’ers ability to inject a properly crafted email.  I infer from this that it still reads emails from your message list.  So can I expect it will also send contacts even if I ask it not to?

To all BES admins (you know who you are):  (updated May2010)

It appears that RIM may be slightly ad odds with the application developers here.  In the 5.0 release of BES, the settings that allow an end user to do this are set to FASLE by default.  Which is what I would expect those settings to be. It is my hope at this point that you are running BES 5.0.  If so, please make certain the IT policy Disable Organizer Data Access for Social Networking Applications is used.  I also understand that this is backwards compatible to BES 4.x installs, so everyone has the opportunity to enable this policy.

Is the integrity of your public information vital?

My research on information classification policies kept turning up the statement that “the integrity of public information is not vital” for public and unclassified information.  I even stated the same in my earlier article on Information Classification.  I had taken for granted that this statement is correct.  That is, until I was called out by a co-worker.

“You can’t be serious, right?” was how I was approached.

“The integrity is not vital?”

She began to explain her viewpoint on it and my first thought was “…at least someone read my article…”.  Then I started to wonder, why did I take that for granted?

On its face, you could make the argument that, maybe they mean that you can’t control the information once it’s in the public so you can’t possibly be capable of maintaining its integrity.  Or could they really mean that you are concerned about the integrity of the source of the information and that as long as the source integrity is maintained, then your information is good?

Yeah, that justifies the statement.  Now we can all sleep peacefully.

But then you read further and statements are made to further qualify the position by providing examples of what types of information are included in this classification:

  • Product brochures widely distributed
  • Information widely available in the public domain, including publicly available Company web site areas
  • Sample downloads of Company software that is for sale
  • Financial reports required by regulatory authorities
  • Newsletters for external transmission

So if I put those pieces of information together, I can make statements like:  We are not concerned about the integrity of the information found in our product brochures. Hmm… don’t think that flies.

Okay, let me try again.  We are not concerned about the integrity of the software downloads that our customers (or potential customers) could download from our site. Okay we’re 0 for 2.  Remind me never to buy software from anyone who actually thinks this…

Last try.  We are not concerned about the integrity of the financial reports required by regulatory authorities. Um, hello, Enron?  I think we found your information classification policy.

So which is it?  Are the commonly accepted frameworks incorrect?  Or are they being widely misinterpreted?

Let’s address the frameworks first:

  1. ISO guidance states that”All information should be classified into categories. This classification should be based on value, sensitivity, legal requirements, and criticality to the organization. The classification policy should include guidelines for the initial classification and the reclassification of the data. The classification schemes should not be overly complex.”  Okay, nothing wrong there.
  2. The FFIEC Handbook states “A data classification program should be established to identify and rank data, systems, and applications in their order of importance.”  I’m good with that too.
  3. NIST says “The organization must assign assurance categories for all information types that can be associated with both user information and system information, and can be applicable to information in either electronic or non-electronic form. The organization must also assign appropriate assurance categories for each system and information type (low, moderate, or high for confidentiality, integrity, and availability) based upon the potential impact for the loss of each of the just mentioned assurance objectives.”

Well then.  I don’t see anything listed in the frameworks that makes any statement on integrity, other than you need to make a determination of integrity for each item/classification.

So what does that leave us with?  The mass redistribution of an incorrect statement across the Internet.  I would inset a poll to see how many people are surprised by that, but it seems a bit unnecessary.

Somewhere along the way, a policy or guideline was written and publically posted.  It was either one of the first references to the subject or had very good search engine results.  Because of that, it managed to make its way into many more articles and policies posted online.  So much so that the abundance of that information made it assumed to be correct.

So, you should take away two points from this post:

  1. Yes, the integrity of your public information is vital
  2. Don’t take for granted everything you read on the Internet

Neither of those should surprise you.