NoticeBored July - The Hacking Threat

This month, our security awareness materials explain how hackers, crackers, phreaks and other assorted geeks go about their business. Hacking is a serious threat to organizations and individuals who depend on their information assets, and especially those of us connected to the Internet. A number of security surveys have shown however that hacking perpetrated by insiders is a threat even if your organization has no external network connections at all.
More (anti-)hacking resources here

Stego led CIA to a false alarm

There's an interesting story on MSNBC.com about the CIA drawing mistakenly concluding that Al Jazeera TV was broadcasting terrorist messages using steganography to hide the content in the ticker-tape news banner. It seems the high state of alert, verging on paranoia, led the CIA analysts to see phantom messages, yet they were credible enough to cause US authorities to cancel flights and raise the terror alert level from 'yellow' to 'orange'. I suspect the same false-alert could easily happen again due to the very nature of steganography but hopefully not without corroborating evidence from other sources. At least the false-alert was a fail-safe response.

More on confidentiality, crypto and steganography here

Never mess with privileged syadmins

Someone's resignation letter, whether it is actually true or not, makes fun reading but has a real sting in the tail. Read to the end and think about this the next time you appoint or dismiss a systems administrator or indeed anyone else with privileged systems access.

Targeted attacks pose new security challenge

Computerworld reports that "'We're clearly seeing a trend away from broadcast attacks to much more targeted and much more sophisticated types of attacks,' said Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a drug maker in Basel, Switzerland. 'Dealing with it is much tougher.' That's because 'the cons in the attacks are so much better customized' for the specific companies they target, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry. 'The chances of them being successful are much higher' than in large-scale attacks, he said." The potential for malware attacks targeting specific companies, or even individuals, looks clear to us, and we're not just talking about phishing/pharming type attacks. We can forsee worms, for instance, that are slow spreading, benign and cryptic (thereby largely evading the interest of the antivirus community) unless/until they find themselves inside the target organization whereupon they spring to life with devastating concequences. A senior manager at antivirus supplier Sophos with whom we discussed this very point three months ago did not see this as a serious threat but we beg to differ.
More email and malware resources

Implement Sender ID or be labelled a spammer by Microsoft

Cnet News is reporting that Microsoft intends to mark all emails not carrying the Sender ID tag as spam on entry to the Hotmail and MSN networks. The fact that Microsoft remains the main supporter of Sender ID, and that an IETF working group on it was dissolved last September due to their inability to agree on the details, means that those of us not using Sender ID need not be unduly worried at this point ...
More email security links

Deloitte Global Security Survey 2005

Deloitte's latest infosec survey continues the trend of other recent surveys: "... since fraudsters will always target what they perceive to be the weakest link, their efforts are now focused on the human factor." It's a bit like what's happening to car security: as the doorlocks and alarms get stronger, car thieves turn to carjacking or simply stealing car keys as more effective ways to get their hands on the vehicles. We will publish a brief review of Deloitte's survey on the freebies section of NoticeBored.com as soon as we've finished reading and dissecting the report.

Seven steps to security awareness

I wrote this white paper as an extended response to a simple question on the Yahoo groups Security Awareness mailing list. Someone simply asked for sources of posters and other materials for security awareness ... I responded by inviting him to think more broadly about his requirements for the awareness program, and to plan the program more professionally rather than, as he possibly implied, just putting up a few free or cheap posters. The response turned into a short white paper about the process for planning, selecting, evaluating and procuring security awareness products and services - really just the standard procurement process applied to security awareness. Enjoy.

Email exam misery shared

USATODAY.com reports that 119 University of Kansas students who failed classes last semester inadvertently found out who shared their misfortune. The email informing them was sent "To:" all 119 students so all recipients could see who else received the email - if it had been "BCC'd" (Blind Carbon Copied) instead, the recipients might have remained anonymous.
More email security links

UK agency warns about emails bearing gifts

"Employees are tricked into installing the malicious programs by cleverly-crafted e-mails loaded with infected documents. In some cases, the attackers download publicly-available documents off the Internet, load the documents with the Trojan horse, then e-mail them to carefully-selected employees who would be likely to open such a file. To make the notes even more realistic, the e-mail appears to come from a co-worker." So says the UK's NISCC (National Infrastructure Security Coordination Centre - home of the UK WARPs) in a generic public warning.
More email security and malware links.

A clutch of Microsoft patches

Hurray! It's patch Tuesday! Microsoft has released patches for a clutch of security issues including one affecting Outlook Web Access and another affecting Outlook Express. It's important to keep up with security patches to minimize the risk of compromise by worms or hackers attacks. If you/your organization uses OWA or Outlook Express, or indeed other vulnerable software that has just been patched, you may only have hours or days before exploits begin causing problems. Act now to prevent breaches.
More email security links

Information retention and destruction

With some analysis of the Enron case, The Register's piece Shred It! says you should "establish a clear and reasoned and workable [document retention] policy ... [and ideally] automate the process of document destruction ... Your policy should ensure that it is applied to active and archived documents equally, and paper and electronic documents." However, things change if your organization is under investigation. "Once you know, or reasonably should know that particular documents or categories of documents may be relevant to an actual or anticipated investigation or litigation, your document destruction policy should be suspended." In other words, you must not artificially use the policy to destroy evidence.
More physical security and confidentiality links

Phishing antidote

In "Man Bites Phish", Robert Cringely suggests a novel approach to the phishing problem: visit the phisher sites and enter realistic-loooking but inaccurate junk information. The idea is that the phishers will give up trying to separate the wheat from the chaff if enough people send them junk data. Given their motivation to steal money, the phishers may not be too bothered but the problem is that there are few other effective approaches against phishing.
More email security links

Phishing for domain registration info

As well as phishing directly for personal information such as bank account details, credit card numbers etc., it appears that phishers are also trying to fool domain owners into relinquishing control of their domains, potentially in order to redirect legitimate traffic through the phishers' systems. CIRA, registrar for the .ca domains, released this news bulletin on June 8th.
More email security and IT fraud links

Bin Laden email Trojan

According to CNET News and The Register, a Trojan attached to an email promising pictures of the capture of Bin Laden has been contained, presumably by effective antivirus software.
More malware links and email security links

SCADA security

I've just stumbled into the ISA website regarding an ongoing project to develop ANSI/ISA security standards for SCADA (Supervisory Control And Data Aquisition) systems used to control industrial machinery including large chunks of the critical global infrastructure (e.g. power plants, water treatment works, and no doubt the production lines at Rover - oops). In my limited experience, many old-fashioned SCADA systems pre-date modern thinking on information security controls other than availability, perhaps: the reason old SCADA systems remain a problem is that many of them have continued running more or less unchanged for decades.
More availability resources

The insider threat

In Looking at the insider threat!, Doug Schweitzer picks up on the need for organizations to protect themselves against attacks by insiders - employees and others working within the physical and logical perimeter. "Security starts from the inside out" neatly encapsulates it. We'll have more to say on hackers, both insider and outsider versions, in next month's NoticeBored security awareness materials.

Preserving digital evidence

Deb Schinder's Computerworld article Preserving Digital Evidence to Bring Hackers and Attackers to Justice is a brief but useful overview of how to deal with a PC that may contain forensic evidence of a breach. The key elements are: don't switch it off, disconnect it from the network; don't run any programs on it; don't open files to examine them; do call on forensic experts; do take bit-level disk and memory copies to another machine. "Pull out the network cable" is a good phrase to teach your IT help desk and information security staff, and should perhaps be splashed across the front of the incident response procedure manual, a bit like "Don't panic" across the Hitchhiker's Guide To The Universe.
More on incident management

Nigeria overwhelmed with spam

A new OECD report into the spam problem notes that developing nations lack the resources to cope with spam. Whereas the costs of spam filters, wasted bandwith and wasted disk space are not a significant issue for organizations in the developed world, places like Nigeria are being overwhelmed. [Given the volume of 419 scams still originating in that part of the world, some might call this peotic justice ... but spam is an indiscriminate problem and does not just affect the fraudsters].
More email security links

ITIL portal

Loads of free information on the IT Infrastructure Library.
More IT governance links

Email security awareness

We have just released the latest NoticeBored Classic security awareness module on email security. Email security is one of our core awareness topics - almost everyone in business these days uses email and should be aware of the security risks they face. Our core modules are updated and re-released every year.
Click here for our email security links collection