Welcome to the SecAware blog

I spy with my beady eye ...

30 Aug 2005

Hacker intrigue

Here’s a hacking story with a difference: after investigating a hack perpetrated by a suspected Chinese-government-backed gang of uberhackers, Shawn Carpenter, a network security specialist at Sandia National [nuclear research] Laboratories, got caught up in the FBI investigation. Time Magazine reports that he was dismissed by Sandia when they discovered his out-of-hours hacking, even though Shawn claims to have been encouraged by the FBI to help them track the gang. The FBI has acknowledged their role in the investigation and Shawn subsequently got his security clearance reinstated, so the story seems to hold water.
More [anti-]hacking and cracking resources

25 Aug 2005

Cisco patches released

Cisco users have their own patching worries. Check out the latest Cisco patches, including a fix for a privilege escalation vulnerability in the Cisco Intrusion Prevention System (oops).

More change management resources

22 Aug 2005

Oracle patching process unreliable

Users of Oracle systems are advised to double-check that the patches they think they have applied have in fact been successfully applied. Inconsistencies in the installation's own inventory of installed Oracle components, for example, may result in relevant patches being silently missed. [The article is based on a somewhat self-serving press release by an Oracle specialist, but has a ring of truth. A similar situation applies to Microsoft: Microsoft Update does not always apply all relevant MS patches, so it is worth running something like Microsoft Baseline Security Analyzer every so often to double-check the installation. Regression testing and penetration testing can also be useful if sufficient resources are available to 'keep the lights on'.]
More change management resources

5 steps to data Nirvana

Starting with a comment from Gartner that “More than 25% of critical data in Fortune 1,000 databases is inaccurate or incomplete”, a thought-provoking piece in Baseline magazine suggests five steps to improve your data accuracy: (1) Acknowledge the problem; (2) Determine the extent of the problem; (3) Establish the costs of getting it right (and wrong); (4) Use available tools; and (5) Put somebody in charge.
More integrity resources

19 Aug 2005

Slow patchers hit by worms

Systems at CNN, ABC, the New York Times, DaimlerChrysler and others were reportedly either hit by the Zotob-family worms or were taken offline to apply the Microsoft patches. The decisions about whether and when to apply security patches are especially difficult in the case of critical business systems. It sounds like some organizations either didn’t get the right answers from their risk assessments or simply fouled up implementing the patches. However their contingency plans (presumably at some point involving the command ‘apply those **** patches, NOW!’) seem to have limited the damage, so far, although companies that were infected with Zotob now have to deal with the threat that their systems may be 0wn3d, with keyloggers and other nasties quietly doing their stuff.
More change management resources

18 Aug 2005

Patching Window closed

Certain "security experts" reportedly believe that the patching window is non-existent. I guess the journalist who swallowed that line must have missed out on the last few years' discussion about zero day attacks. He goes on to discuss the merits of the white hat community sharing information about vulnerabilities and patches (again, largely ignoring the ongoing professional discussion about vulnerability disclosure) and ends with the implication that patching even quicker is somehow the answer to the patching window being closed. Errrrm ... call me a cynic but how does that work?
More change management resources

16 Aug 2005

Techworld.com - Critical Veritas attack code loose

Contrary to uninformed opinion, MS Windows is, of course, not the only vulnerable software Out There. Right now, there’s a race between those seeking to exploit an announced vulnerability in Symantec's Veritas Backup Exec Agent for Windows and those who are desperately patching their Veritas systems.
More change management and hacking resources

(IN)SECURE Magazine

The third edition [9Mb PDF file!] of (IN)SECURE, The Digital Security Magazine, carries an article on security vulnerabilities, exploits and patches.
More change management resources

15 Aug 2005

F-Secure Computer Virus Information Pages: Zotob.A

The Zotob.A worm exploits the Windows Plug and Play vulnerability patched by MS05-039: it scans for unpatched Windows machines on TCP port 445 and then downloads its payload over FTP. The worm appeared within just 5 days of Microsoft releasing August’s security patches. HAVE YOU PATCHED ALL YOUR WINDOWS SYSTEMS YET?
More change management and malware resources
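Since Zotob announces itself by sweeping port 445 across many addresses, the network logs are a cheap place to catch the next one even before the antivirus signatures arrive. The script below is an added example of mine, not anything from F-Secure or the original post: it reads firewall connection records in an assumed one-line-per-connection format, and flags any source that touches an unusually large number of distinct hosts on TCP/445 inside a short window. Counting distinct destinations rather than raw volume matters, because a workstation hammering the same file server all morning is normal, while a host visiting thirty different machines in thirty seconds is not. The sample traffic is constructed inline, not captured from any real incident.

```python
"""Added example: flag hosts scanning TCP/445 the way Zotob does.

The log format is assumed ("<ISO timestamp> <src> -> <dst>:<port> <action>",
one connection per line) and the sample lines are constructed below; none of
this is from a real incident.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port), or None for a line we cannot read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])


def find_scanners(lines, port=445, window_s=60, min_peers=20):
    """Map each source that reached >= min_peers distinct hosts on `port`
    within some window_s-second window to the largest such peer count.

    Distinct destinations, not connection volume, are what separate a worm
    from a busy workstation talking to one or two file servers.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[3] == port:
            by_src[rec[1]].append((rec[0], rec[2]))

    window = timedelta(seconds=window_s)
    worst = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> connections currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events that fell out of the trailing window
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_peers:
                worst[src] = max(worst.get(src, 0), len(in_window))
    return worst


def constructed_log():
    """Constructed traffic: one sweeper, one normal workstation, one
    slow-and-low host, a non-445 line and an unparsable line."""
    t0 = datetime(2005, 8, 15, 9, 0, 0)
    lines = []
    # 10.1.1.50 sweeps thirty consecutive addresses, one per second
    for i in range(1, 31):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.1.1.50 -> 10.1.2.{i}:445 DENY")
    # 10.1.1.7 talks to the same file server and domain controller all morning
    for i in range(40):
        dst = "10.1.0.10" if i % 2 == 0 else "10.1.0.11"
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 10.1.1.7 -> {dst}:445 ALLOW")
    # 10.1.1.80 touches ten different hosts, one per minute
    for i in range(10):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 10.1.1.80 -> 10.1.3.{i}:445 DENY")
    lines.append(f"{t0.isoformat()} 10.1.1.50 -> 10.1.2.99:80 ALLOW")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, peers in sorted(find_scanners(constructed_log()).items()):
        print(f"ALERT {src}: {peers} distinct hosts on 445 within 60s")
```

With the defaults only the sweeper trips the rule; the slow host stays under the radar until the window is widened (say 15 minutes with a threshold of 10), which is the usual tuning trade-off between catching low-and-slow scanning and paging people for every patch-deployment server that legitimately walks the subnet.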

13 Aug 2005

Amazon pays $40m in patent dispute

If anyone still doubts the economic value of intellectual property, Amazon's out-of-court settlement of a $40m claim by a patent holder should be a salutary lesson. The patents relate to Internet shopping processes used by Amazon ... and Gap ... and presumably many other eCommerce-enabled companies. Amazon has deeper pockets than most but the writing is on the wall for those who flagrantly ignore patent infringements.
More intellectual property resources

12 Aug 2005

8 vulnerabilities per day

NIST's National Vulnerability Database reports an average of 8 new security vulnerabilities every day, with over 12,000 already listed. It's not difficult to see that keeping track of new vulnerabilities, assessing whether they are relevant, testing and applying patches to all relevant systems is no trivial matter for the average corporation. Any organization that lacks adequate IT resources must surely struggle.
More change management resources

NIST SP on patching and vulnerability management

NIST is inviting public comments on a new draft Special Publication SP 800-40 on Creating a patch and vulnerability management system (1Mb PDF file). Comments are especially welcome in three areas: (1) patching metrics, (2) required duties of the patch and vulnerability management group and (3) the overall patch and vulnerability management process. The summary earns a big thumbs-up from us with the sentence: “Not all vulnerabilities have related patches; thus, system administrators must not only be aware of applicable and available vulnerabilities and patches, but also other methods of remediation (e.g., device or network configuration changes, employee training) that limit the exposure of systems to vulnerabilities.” Other NIST drafts are also open to comment.
More change management resources

Microsoft fixes yet more bugs

As eagerly anticipated, Microsoft released yet another bunch of fixes a few days ago, three of which were rated critical. It is widely reported that problems with the patch files originally made available from some download locations may have interfered with the update process, although we understand everything is working fine now. Nevertheless, Microsoft customers are well advised to double-check that all necessary patches have been applied to all relevant systems using Microsoft Baseline Security Analyzer (MBSA), Microsoft Update (which updates both Windows and Office) or other patching utilities. There are rumors of exploit code already in circulation for the announced vulnerabilities, so consider the risks carefully if you are not certain that all your systems are fully patched.

More change management resources

Racing to beat full disclosure

Bruce Schneier discussed the race to fix and close vulnerabilities before they are publicly disclosed in his Crypto-Gram newsletter way back in 2000. The risk-time graphs are illustrative, of course, but do seem to reflect reality.
More change management links

11 Aug 2005

How to spot spoofs and fake emails & websites

A tutorial from eBay to help customers spot spoof/fake emails and websites is of general interest to anyone who uses the Internet.
More IT fraud resources

10 Aug 2005

The value of currency

Microsoft's HoneyMonkeys project uses XP PCs at various patch levels to search for malicious download sites. If an unpatched XP PC is infected simply by visiting a website, an XP SP1 machine is sent to the same site to see whether SP1 closed the hole. If that machine is infected too, an SP2 machine is tried, and so on up to a fully-patched copy of XP. If the fully-patched machine is still compromised, they are presumably facing a 'zero day' exploit, worth further examination. The project confirms the importance of maintaining version currency to minimize the level of known vulnerabilities.
More change management resources

Information Security Awareness book review

Having just read Tim Layton's new book "Information Security Awareness - The Psychology Behind the Technology", I wrote a book review to share my thoughts. The bottom line: it's too academic to recommend to practitioners, and difficult to read thanks to a poor writing style, but worth reading Chapter 7 at least.
More security awareness links

9 Aug 2005

Going on holiday? Think security!

Out of Office (OoO) automatic replies to incoming emails are a menace to mailing lists and can cause security issues, primarily disclosure of sensitive information. It is quite common for those going on vacation or traveling on business to want to tell other people that they are not around to respond to inbound emails, and it is quite easy for end users to configure OoO replies themselves. Unfortunately, OoO information is of interest to spammers and social engineers as well as legitimate email correspondents. ‘As I will be away from the office from date1 to date2, please address your queries to XXX@company.com or phone (123) 456 789. John Doe, Security Manager’, for example, gives away quite a lot of useful information unnecessarily. Advice on how to configure email systems for OoO replies is given in this IETF draft proposal (an incomplete work-in-progress but well worth a read). As so often in information security, the technical controls should be complemented by suitable policies, procedures and awareness of this issue.
More email security resources
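To make the policy point concrete, here is an added example of mine (not the IETF draft's code, nor anything from the original post) of an autoresponder that gives away as little as possible. It refuses to answer automated mail, bounces and mailing-list traffic, replies to each sender only once per absence, and sends the return date and backup contact only to colleagues in the company's own domain; outsiders get a bland acknowledgement with no dates, names or numbers for a social engineer to work with. The suppression rules follow the spirit of RFC 3834's recommendations for automatic responses; the domain name, dates, contacts and sample messages are all placeholders constructed here.

```python
"""Added example: an out-of-office responder that leaks as little as possible.

Assumptions: the internal domain, return date, backup contact and the sample
messages are all placeholders constructed here. The suppression rules follow
the spirit of RFC 3834 (answer people, not machines or lists); this is not
the IETF draft referred to in the post.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"company.example"}   # placeholder for your own domain(s)

# What outsiders get: no dates, no names, no numbers.
MINIMAL_REPLY = ("Thank you for your message. I am currently out of the office "
                 "and will respond on my return.")
# What colleagues get, sent only to senders in INTERNAL_DOMAINS.
DETAILED_REPLY = ("I am out of the office until {back}. For anything urgent "
                  "please contact {backup}.")


def should_autoreply(msg):
    """Return (True, 'ok') or (False, reason) for an inbound email.message.Message."""
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "auto-submitted mail (another autoresponder or a bounce)"
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False, "bulk/list precedence"
    if any(h in msg for h in ("List-Id", "List-Post", "List-Unsubscribe")):
        return False, "mailing list traffic"
    _, sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))
    if not sender or sender.lower().startswith("mailer-daemon@"):
        return False, "null or daemon sender"
    return True, "ok"


def compose_reply(msg, back, backup):
    """Use the detailed text only when the sender is in our own domain."""
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain in INTERNAL_DOMAINS:
        return DETAILED_REPLY.format(back=back, backup=backup)
    return MINIMAL_REPLY


def handle(raw, already_replied, back="2 Sep 2005",
           backup="helpdesk@company.example"):
    """Return the reply text to send, or None. One reply per sender per absence."""
    msg = message_from_string(raw)
    ok, _reason = should_autoreply(msg)
    if not ok:
        return None
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() in already_replied:
        return None
    already_replied.add(sender.lower())
    return compose_reply(msg, back, backup)


# Constructed sample messages (placeholder addresses).
FROM_LIST = ("From: alice@other.example\nTo: john.doe@company.example\n"
             "List-Id: <secaware.lists.example>\nSubject: hello\n\nbody\n")
FROM_OUTSIDER = ("From: Bob <bob@other.example>\nTo: john.doe@company.example\n"
                 "Subject: quote?\n\nbody\n")
FROM_COLLEAGUE = ("From: Carol <carol@company.example>\n"
                  "To: john.doe@company.example\nSubject: budget\n\nbody\n")
FROM_BOUNCE = ("From: MAILER-DAEMON@mx.other.example\nAuto-Submitted: auto-replied\n"
               "Subject: Undeliverable\n\nbody\n")

if __name__ == "__main__":
    seen = set()
    for name, raw in [("list", FROM_LIST), ("outsider", FROM_OUTSIDER),
                      ("colleague", FROM_COLLEAGUE), ("bounce", FROM_BOUNCE)]:
        print(f"{name}: {handle(raw, seen)!r}")
```

The once-per-sender set is not just politeness: it is what stops two vacationing staff from bouncing replies at each other forever, and it means a spammer probing for live mailboxes gets at most one bland response.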

5 Aug 2005

Oracle's view of the patching treadmill

A rare insight into the change management problems caused by vulnerabilities disclosed by 'security researchers' is provided by the CSO of Oracle. She argues that although fixing an identified problem may only take a few minutes, it can be far more involved. Furthermore, she claims there are customer-friendly reasons for delaying the release of fixes [which seems just a tad far-fetched to me]. She also admits that one quarter of security fixes are a result of information provided by third parties, an amazing fact given that Oracle has complete 'glass box' access to its own source code and the best Oracle professionals on the planet at its disposal.
More change management resources

Data security and backup

Data security and backups can be a pain for roving users using portable PCs but SecureTrieve is an attractive option. The system protects data stored on the PC using AES encryption and makes off-site backups through the web. Without the user's password, a thief can't easily see the encrypted files, and even if he can get at them, AES protects them. Meanwhile, the user can retrieve his valuable data from the off-site backup onto another machine. Combining this with PC Phone Home might even give the user a fighting chance of finding the stolen PC when it connects to the web.
More mobile and teleworking security resources

4 Aug 2005

Fix costs escalate 200x post implementation

It has been estimated that it is about 200 times more expensive to fix a problem when an IT system is in Production compared to fixing at the requirements analysis step during Development. The factor falls to about 4 for small IT projects but can exceed 500 for very large projects. Even if these figures are only vaguely close to the truth, the implications for quality assurance processes in IT development are crystal clear, as are the benefits of splitting massive projects into discrete sub-projects.

More change management, bugs and secure systems development resources

Emotional intelligence and change

Emotional intelligence, a relatively new area of psychological research, offers some fascinating insights into the part played by motivation in change activities. For anyone involved in dealing with people as part of change management, the Emotional Intelligence Consortium's Technical Report on Training and Developing Emotional Intelligence in the Workplace is well worth a read, as are the books on emotional intelligence.
More change management resources

Leading whole-organizational changes

In a McKinsey interview, the CEO of P&G discusses various aspects of leading and managing change across the entire organization. For example, targets that stretch too far risk demotivating people [whilst those that don’t stretch enough are lame]. Difficult concepts such as ‘core business’ have to be explained patiently and frequently to some people. Similarly, the CEO of D&B says of his change strategy “The primary focus was to repair the brand, change the business model to get funds to pay for the repairs, and create a new culture. Creating a new culture was fundamental to the new strategy.” [There are clear implications for security awareness programs here!]
More change management resources

3 Aug 2005

Contingency plans in action

I'm waking up this morning to news of three contingency situations. First of all, an Airbus A340 aircraft failed to stop on the runway on landing at Toronto. The Air France emergency evacuation procedures worked pretty much as designed with only relatively minor injuries, we hear.
Secondly, the space shuttle crew are about to undertake a 'delicate task', cutting away some ceramic spacer strips protruding between the shuttle's tiles using a makeshift tool. The tool and cutting process are themselves the product of a well-rehearsed contingency process (the Apollo 13 film is a popular case study for contingency situations).
Finally, today's Handler's Diary from the SANS Internet Storm Center recounts a power incident involving the partial failure of a standby generator and office UPS units. It seems the generator has insufficient capacity for the full startup load, and some of the UPSs were incorrectly installed by users, raising questions about the system design, installation and testing procedures.
Otto von Bismarck said "Only a fool learns from his own mistakes. The wise man learns from the mistakes of others" - I'd rephrase the last part slightly: "The wise man learns from the successes and mistakes of others, and makes his own contingency arrangements."
More crisis management and contingency planning resources

Revision control

The description of 'revision control' at Wikipedia reads a lot like what is commonly called 'version control' or 'Software Configuration Management' (SCM), but is interesting nonetheless. The wiki itself provides an object lesson in revision control: users are invited to make changes, with the system automatically retaining checkpoints in case something goes wrong and optionally notifying other users that changes have been made.
More change management resources

2 Aug 2005

IIA Change and Patch Management Controls guide

The Institute of Internal Auditors’ final draft guide to change and patch management controls is “about managing risks that are a growing concern to those involved in the governance process. Like information security, management of IT changes is a fundamental process that can cause damage to the entire enterprise and easily disrupt operations if it is not performed well. This enterprisewide impact makes change management of interest to many audit committees and, as a result, to top management. The objective of this guide is to convey how effective and efficient IT change and patch management contribute to organizational success.”

Security induction module

We have also released a special bonus module - a security induction module covering the basics of information security, intended for use in induction training classes for new employees. The induction module might be useful to launch a new information security awareness program too. It is being provided free of charge to NoticeBored customers.
General/induction information security resources

Change management security awareness module

We've released a new NoticeBored Classic security awareness module on change management - an important information security topic that is seldom covered in awareness programs.
More change management resources here