Welcome to the SecAware blog

I spy with my beady eye ...

30 Dec 2006

Online banking dongle

Dongles are cryptographic hardware devices with which the PC communicates, firstly to establish that the device is present and secondly that the device is authentic. They are commonly used as copy-protection devices to unlock protected software, but one vendor is selling a dongle for Internet banking. It communicates with the PC via the headset jack rather than, say, USB.

More authentication and IPR resources

29 Dec 2006

New awareness module on IPR

The knowledge economy depends on the exchange of proprietary information between trading partners, or between suppliers and consumers. Intellectual Property Rights (IPR) are crucially important. Without effective IPR controls, there would be few if any real barriers to the theft or plagiarism of creative ideas, inventions etc., meaning less motivation to create and share materials for fear of losing control. I, for one, would be out of a job in no time!

From a security awareness perspective, “IPR” is a rather dry concept to put across so we use more familiar terms such as copyright, patents and trademarks. Through the seminars and briefing materials in the new NoticeBored awareness module, we explain the link between IPR, copyright and software licensing and briefly describe other important IPR controls including DRM and contracts.

January's newsletter provides an analysis of the risks associated with IPR. Sign up for your free copy.

Please bear in mind that we do not dispense legal advice. IPR is one of those areas where it pays to take advice from qualified professionals familiar with the ins-and-outs of copyright, patent, trademark and contract law, especially if your business operates in more than one country.

IPR links collection here

26 Dec 2006

POGO sticks at it

POGO (Project on Government Oversight) is a self-appointed activist body keeping a watchful eye on US government spending and governance issues. It encourages whistleblowers in public service to expose dubious fiscal and environmental practices or corruption, and provides them with support and anonymity. It has been in existence since 1981. "In the beginning, POGO (which was then known as Project on Military Procurement) worked to expose outrageously overpriced military spending such as the $7,600 coffee maker and the $436 hammer. After many successes reforming the military, POGO expanded its mandate to investigate systemic waste, fraud, and abuse in all federal agencies."

POGO encourages and supports whistleblowers in public service: "Whistleblowing is often not easy. Exposed whistleblowers are almost always reprimanded, fired, and/or harassed, even if they have not "gone public" and even if their allegations are proven to be true. It takes a lot of courage and forethought to take on a powerful government agency or a private contractor. The mental, emotional, and fiscal hardships that a whistleblower may encounter should be fully understood before any steps are taken to disseminate information - publicly or not. In recent years, protections for federal employees have been unraveled by hostile judicial rulings. As a result, federal employees have little protections against retaliation."

More IT governance, fraud and audit resources

IT security's place in the world

A neat presentation and webcast by George Spafford brought out the value of integrating IT security processes with general IT operations, risk, change and configuration management and linking to business strategy, through ITIL IT service management and COBIT. It's good to see such a broad perspective on IT security, especially one that puts the business rather than security objectives at centre stage.

More information security management resources

25 Dec 2006

Congressional aide socially engineered

A congressional aide has admitted asking two jokers at Attrition.org to hack into his college's network and adjust his college grades. The jokers (who he evidently believed to be l33t hax0rs, although he would not have had the foggiest idea what those words mean) led him into believing they would do what he wanted and, in the course of the incident, got him to reveal his Social Security Number and other personal information to make their hacking job easier. The email exchange is very amusing: the victim had no clue that he was being taken for a ride, even providing photographs of a [secret] squirrel at one point to validate his location. Be sure to read the news piece on Network World that revealed the victim's details and printed his admission and apology for making a big mistake ... which led to him being fired ... but his 15 minutes of fame now include a Wikipedia entry.

More social engineering, hacking and accountability resources

23 Dec 2006

Free security awareness calendar

To herald the arrival of another new year, we have once again recycled some of our favorite poster images from 2006 into a security awareness calendar for 2007. The PDF is a little over a meg but, given the high resolution of the original poster images, the MS Word document is half a gig. Strangely enough, we decided only to make the PDF available online, but NoticeBored customers are very welcome to the Word version on CD (just let us know).

Under cover for 23 years

A remarkably successful identity thief was eventually brought to justice in Britain when an alert immigration officer spotted false documentation, sparking checks that revealed a fraudulent passport application. The self-styled Earl of Buckingham (not his real name) lived for some 23 years under an assumed name. The genuine Christopher Edward Buckingham died as a child. The fraudster's real identity remains hidden, thanks partly to Switzerland’s privacy laws since he was working in Zurich as an IT security consultant for an insurance company ... which itself raises all sorts of interesting insider threat questions.

More identity theft resources

When SysAdmins go bad 2 - the terror returns

As if to reinforce our recent posting regarding the insider threat and, especially, the threat from employees in trusted/privileged positions, another former system administrator has been charged with planting a logic bomb on his employer's systems, fearing that he was going to lose his job following a merger. The bomb was safely defused before it exploded but the alleged bomber's career options don't look too bright right now.

More malware links

22 Dec 2006

Physical security control myths busted

An unusual source of security information has come to light: the entertaining Mythbusters TV series has explored a variety of physical security controls including fingerprint readers (defeated by a latex copy of a fingerprint ... and even by a photocopy of a fingerprint), intruder detectors that detect body heat (defeated by a pane of glass), and a safe-breaking technique involving water and a depth charge (! That one works.). Another episode busted the myth about being able to cross a criss-cross laser-beamed room by visualizing the beams, and showed how to defeat a pressure switch with duct tape.

More physical security resources

21 Dec 2006

Your pig, my name

Isn't the World Wide Web Wabsolutely Wonderful? In the course of researching DMCA, DRM, copyright, patents and trademarks for the next NoticeBored awareness module on IPR, I chanced across this bizarre story of a Danish artist who is providing "free" pigs and goats to Ugandan villagers in exchange for them adopting his surname. It's only a click or two away from genuine research materials ...

Links to further IPR and perhaps piggy resources will follow, next month.

20 Dec 2006

Insider threats info from CERT

A fascinating podcast by CERT's Dawn Capelli describes a CERT/SEI/US Secret Service/CSO survey of the insider threat. As well as the usual roll-call of scary statistics (27% of security incidents are caused by insiders; 55% of the organizations surveyed had experienced deliberate insider malicious activities; 57% of IT sabotage attacks are committed by former employees), it mentions several interesting incidents and threats such as employees deliberately stealing proprietary software and other information over a long period or just prior to moving to a new job, downloading logic bombs and framing their supervisors, creating backdoor accounts or modifying privileged scripts, or planting long-fuse logic bombs while they still have privileged systems access.

To back up the podcast, there is a wealth of information on the insider threat on CERT's website. This is evidently a focus area for CERT and (on a professional note) it is gratifying to find that employee security awareness is recognized as an important control - specifically, Dawn mentioned use of 'whistleblower hotlines', policies and so forth to encourage/facilitate employees shopping their peers. Snitching may create its own ethical dilemmas but, speaking as one who has occasionally benefited from information provided in confidence by 'snouts' aggrieved at the liberties taken by their colleagues, it is a sadly underappreciated form of control.

Account management and review processes and change/configuration change management practices are also emphasized. The podcast highlights the amount of trust placed in privileged IT insiders.

More security awareness links

Audit checklist for information security management

The IT Compliance Institute has amassed an excellent collection of IT governance-related white papers, articles and resources. Their IT audit checklist for reviewing information security management, a new addition, has many potential uses [access requires you to register on the website]. It can be used directly by experienced IT auditors and compliance assessors as a checklist to guide a review of key controls, and it provides pointers on audit preparation, testing and reporting. Prospective auditees and managers will benefit from reading about and preparing for the kinds of things the auditors will be doing, especially the section on things the auditors will be looking for. Those designing and implementing Information Security Management Systems will appreciate the guidance on elements of an ISMS that auditors find particularly important. The checklist can even form the basis of a structured description or specification for a robust ISMS. All in all, a nice paper from the IT Compliance Institute. It's worth browsing the ITCi website for other similar resources including the biannual IT Compliance Journal [again, "free" to those who register].

More information security management, IT governance and IT audit resources

19 Dec 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, one should have raised concerns about the candidate prior to his employment in such a responsible position. The attack was sparked by Duronio receiving a bonus $15k lower than he expected in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations

18 Dec 2006

Phone hacker sues bank for payment

Having been prosecuted and then discharged without conviction for hacking the Reserve Bank of New Zealand's telephone system, Gerry Macridis is now threatening legal action to be paid $7,500 for his unsolicited security advice. Gerry claims to have acted honourably by identifying security flaws in the bank's system and advising them of what they needed to do to resolve them. I've never met Gerry and, based on the news reports, I have no reason to doubt his integrity, but his somewhat naive and direct approach must be a thorn in the bank's side.

More hacking links

15 Dec 2006

Spear phishing case study

In Spam that delivers a pink slip, Computerworld presents a case study on an organization whose staff received spear phishing emails. "Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read "Urgent - employment issue," and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information. And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site." The article seems a little confused about the distinction between spammers and fraudsters but is basically sound. Other local hospitals were reportedly targeted so it is possible that this was in fact simply an ordinary spam, but the potential for delivery of keyloggers, rootkits and other malware is plain to see.

More malware, email and social engineering links

14 Dec 2006

Phishing up 8,000% but stay calm

The Beeb is reporting that FSA, the UK Financial Services Authority, says phishing has increased "8,000% over the past two years" (that's x80 for those of us who are numerically challenged - me included) but apparently, according to APACS, the UK's financial services industry body, it's OK and we're not to worry because there are still rather few incidents.

I'm reminded of the story of a prizewinner being offered the choice between taking $1m today or taking 1 cent today, two cents tomorrow, four cents the day after and so on every day for a month. Which would you choose? Now do your sums and see if you chose wisely. [And no, I'm not getting into arguments about NPV, the risk of the prizegiver defaulting or the investment income you can make during the month.]

The APACS spokesman reportedly "said just because a bank had been targeted, did not mean its security systems were worse than its competitors. [That's true. But still I have to ask why the phishers are so actively targeting that one British bank - is it their brand value, I wonder, or are the phishers locked in a cat-and-mouse game with the bank's security team? Most of all, which one is it?] "There is no evidence that one bank is any worse or any better-off than another," he told the [Lords science and technology] committee. [Oh, that's alright then: they are all equally as bad!] He also rejected a call for banks to routinely inform customers of security breaches involving their details, such as when a bank employee's laptop was stolen. He said banks did not want to cause undue alarm to customers, as had been in the case in some US states, where customers were constantly given such information." [Alarm? Alarm? Who would have thought, eh, that being told by your bank that they have suffered a security compromise and disclosed your supposedly private and personal information to either some spotty geek or The Criminal Underworld is in any way 'alarming'? Stories of an upsurge in shoe sales so Brits can stash their wads under the bed are mere conjecture of course.]

My favourite quote of all comes from Philip Robinson, the FSA's head of financial crime, who said he believed internet banking was generally "safe". Now any fans of the Hitchhikers Guide To The Galaxy will be familiar with the proposed update to the entry in Encyclopaedia Galactica for earth: "Earth - mostly harmless". "Generally safe": isn't that a bit like being "almost dead" or "nearly pregnant"?

More identity theft and social engineering links

"Client-side attacks" social engineering webcast

Core Security Technologies is offering a webcast on "client-side attacks" at 2pm EDT on December 19th and December 21st. The press release is not entirely clear about what they mean by "client-side attacks" but two examples are quoted: opening a malicious Word, Excel or PowerPoint document sent via e-mail, or browsing malicious web sites that exploit vulnerable client-side code.
According to the PR, "During this 45 minute webcast you learn how:
* to assess how vulnerable your information assets are to spear phishing attacks targeted at end users;
* Outlook, IE and other applications can provide an attacker an easy path into your organizations;
* a social engineering attack can be successfully deployed against your network; and,
* to better protect your organization’s critical assets."
I presume they will promote technical security control measures but I hope they will also promote security awareness to address the human vulnerabilities at the root of such attacks. We'll see.

More social engineering resources
[I have no connection with Core Security Technologies, apart from our common interests in social engineering and information security]

12 Dec 2006

Bank robbery, the social engineering way

A classic social engineering attack on a bank, as described by the boss of a penetration testing company, is just as scary as the case studies in Ira Winkler's Spies Among Us. The perpetrator gains access to the bank network simply by posing as a photocopier technician. It's scary because the story rings true. It's a typical Security Manager's nightmare scenario. The customer service ethic of the front line bank staff trumped any security awareness they might have had. The inadequate technical security controls on the bank LAN are entirely credible. [Thanks to my friend Alisdair for sharing this link.]

More social engineering resources

10 Dec 2006

You've got infected mail!

Attackers are actively exploiting an MS Word zero-day vulnerability by tricking users into opening malicious Word files using a form of social engineering. Infected files may arrive as email attachments from people you know and trust, as well as from those you’ve never heard of. It’s not yet clear whether Microsoft will release a patch on Tuesday: if not the fix may slip to January unless M$ releases an interim emergency patch. It all depends on the quality of their coding and the speed of their QA and release processes. Meanwhile take extra care with email attachments, even from friends and colleagues, and make sure your antivirus software is bang up to date. We'll be releasing an updated malware module early in the new year and a new module on application security shortly afterwards: don't let your organization become a statistic or case study!

More social engineering, incident management, bugs!, secure software development and malware links

8 Dec 2006

The fallibility of technical controls

A piece apparently due to be published in Computer Weekly next Tuesday outlines a range of network security issues relating to mis-configuration of IT equipment, and then (almost as an afterthought) ends with the following:
"... security needs to be a mix of people, process and technology. The best security comes from having well-trained and motivated staff, who will not click on dodgy e-mail attachments, and will not be lured into spyware-infected websites. And like every other aspect of the security jigsaw, security training and awareness is not a one-off exercise. It needs to be a continuous programme of education, incentive and information."

The fact that IT systems and networks are misconfigured by people surely implies that security awareness programs need to include IT professionals?

More on network security and security awareness

Pretexting may be outlawed by US Senate

Way back in April, the US House of Representatives voted unanimously to ban "pretexting" but the draft law sat on the sidelines pending Senate committee discussions ... then the HP boardroom incident occurred ... and now suddenly the Senate looks likely to vote the pretexting law through on a fast-track procedure (provided nobody objects). Pretexting in general is already outlawed in California and throughout the US if used to obtain financial information.

More social engineering resources

419 scam nets $200k

If you're not a regular reader of the Manawatu Standard, you might have missed a sad story about a 71-year-old New Zealand lady and her son having been taken in by 419 scammers to the tune of over $200,000 to date. Even with advice from the New Zealand police, still they play along. "The pair are trusting who they believe to be the Central Bank of Nigeria to 'investigate' the fraudulent email scam and have paid a further $10,000 for the privilege." Psychologists probably have a term for the situation the pair are in. Over the course of 18 months, they have fallen for the scam hook, line and sinker, to the point that they barely even acknowledge the possibility of fraud that is as clear as day to most of us looking on. They forlornly hope that the last payment to the 'investigators' will bring a resolution and, if it doesn't, their natural inclination is to pay again, whether it's 'court fees' or 'late payment charges' or whatever.

More links on IT fraud and social engineering

6 Dec 2006

The dangers of social networking

Here’s a short security awareness video (low or high resolution) and article from the University of Delaware about the dangers of revealing too much information on ‘social networking’ sites such as MySpace, Friendster or FaceBook.

More social engineering and privacy links

1 Dec 2006

The oh-so-helpful Help Desk

"'Phone Phishing', a method of stealing confidential information over telephone, is on a steady rise and awareness is the key to tackle it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to "take care" of callers and often they are more than willing to help." So says a piece in India's Economic Times. I must say that, in my experience, security aware customer service agents (those first two words are vital!) can be one of the information security manager's strongest allies in the battle against social engineers. Through security awareness/training/education, coupled with proper management support and sensible policies, guidelines and procedures, IT Help/Service Desk workers should not only be permitted to refuse to service dubious callers, they should be actively encouraged to be careful.

More social engineering resources

29 Nov 2006

CERT podcasts

Thanks to a tip-off from Gideon Rasmussen on the insider threat email reflector, I've come across a series of information security podcasts by CERT, aimed at 'business leaders'. The podcast on security Return On Investment (ROI) contains an interesting comment relating to research by "a couple of economists at the University of Maryland named Lawrence Gordon and Martin Loeb" who are said to have determined that a security control investment should only go ahead if the cost is no more than 37% of the expected return. I find this a very curious statement: from a purely economic point of view, almost any net positive return is financially worthwhile provided that (a) there is sufficient funding available for the investment (i.e. it is not outranked by other higher return investments) and (b) the projected costs and returns are realistic ... which is perhaps the issue here. Security projects in the main create returns by reducing risks and hence reducing projected future losses compared to the do-nothing option. The economists seem to be saying the security and risk professionals are seriously overestimating projected savings. They may have a point.

More security awareness and risk management resources

28 Nov 2006

Data protection in Japan

In Japan, "More than 71 percent of people worry their personal information will be leaked as a result of inadequate security measures, according to a recent government survey." The article summarizes an opinion survey regarding awareness of and support for Japan's data protection laws introduced last year. Judging by the large number of Japanese companies already certified against ISO 27001, Japan is taking information security very seriously but the Japanese populace is not yet comfortable.

More links on ISO 27001 and data protection

25 Nov 2006

Scambaiter interview

This Way Up on National Radio in New Zealand interviewed Mike Berry, a famous scambaiter, about his activities. Mike clearly has a lot of fun baiting the 419 scammers through his 419eater.com website, even getting one to send impressive wooden sculptures of Creature Comforts characters and a Commodore 64 computer ... but there's a serious undercurrent to the story. Estimates vary but thousands of dollars are thought to be lost to 419ers every day. Thousands of New Zealanders and millions of Americans fall prey every year, getting drawn in like obsessive gambling addicts convinced that the next payment will secure the promised windfall. Mike has received death threats. Later in the podcast, Liz McPherson of the NZ Ministry of Consumer Affairs warns the public about falling for the scams and promotes the NZ Ministry of Economic Development's consumer affairs scamwatch website.

More email security, IT fraud and social engineering resources

21 Nov 2006

SANS (finally) recognizes the human factor

The latest SANS Top 20 hotlist of information security vulnerabilities at last includes "humans" on the list of horrors alongside the usual range of Windows, UNIX and other technical security weaknesses. SANS specifically identifies the vulnerability to 'spear phishing' (i.e. highly targeted phishing/spoof email attacks), which is of course just one of a very large class of potential vulnerabilities. According to a recent article in Infoworld, SANS' Allan Paller feels that, in the face of ever increasing security threats (agreed), technical information security is improving (possibly true) whilst human beings remain as weak as ever (hopefully not for NoticeBored customers!). Some of us have been saying that for years and, rather than simply 'blaming' users for being naive, a few of us are even doing something about it ...

More security awareness resources

Risk management audit checklist

An audit checklist from the IT Compliance Institute (ITCi) explains what auditors would typically want to know about enterprise risk management practices. The checklist, written by the infamous Dan Swanson, offers practical advice to auditees as well as auditors. The ITCi "strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities."

More risk management and IT audit resources

20 Nov 2006

FAIR point

Alex Hutton runs a weblog for IT risk geeks focusing on the FAIR (Factor Analysis of Information Risk) risk analysis method that his employer Risk Management Insight LLC (RMI) promotes. In his blog, Alex takes me to task for my previous blog entry about the FFIEC, FAIR enough, and complains that the NoticeBored blog only accepts comments from authenticated users. Well OK, I've relaxed the restriction to encourage more feedback although I'll be moderating comments, not to censor what people say but merely to block spam. [Alex: why didn't you email me? Gary@isect.com]
Meanwhile, I took another look at FAIR. What follows is a rather harsh and cynical critique of the FAIR method as described in the undated draft FAIR white paper, partly because the paper's author, Jack Jones, invites comment towards the end of the document: "It isn’t surprising that some people react negatively, because FAIR represents a disruptive influence within our profession. My only request of those who offer criticism is that they also offer rational reasons and alternatives. In fact, I encourage hard questions and constructive criticism". So here goes.
Right away, I was intrigued by a statement at the front of the paper regarding it being a "patent pending" method that commercial users are expected to license. Unless I'm mistaken (which is entirely possible!), "patent pending" means "not patented" i.e. it is not currently protected by patent law, or else it would presumably be labelled "Patented" and give a patent number. Judging by the content of the introductory paper, FAIR appears to be a conventional albeit structured risk analysis method so I'm not clear what aspect of it would be patentable in any event. [My snake oil-o-meter starts quivering around the 5% mark at this point.]
"Be forewarned that some of the explanations and approaches within the FAIR framework will challenge long held beliefs and practices within our profession. I know this because at various times during my research I’ve been forced to confront and reconcile differences between what I’ve believed and practiced for years, and answers that were resulting from research. Bottom line – FAIR represents a paradigm shift, and paradigm shifts are never easy." [Not only is it claimed to be patentable, but it's a paradigm shift no less! The snake oil-o-meter heads towards 10%.]
The paper defines risk as "The probable frequency and probable magnitude of future loss". [Strictly speaking, risk includes an upside too, namely the potential for future gain, which FAIR evidently ignores.] FAIR considers six specific forms of loss: productivity, response, replacement, fines/judgments, competitive advantage and reputation. [Management's loss of confidence in any system of controls that fails is evidently not considered in FAIR - in other words, there is an interaction between management's risk appetite and their confidence in the control systems they manage, based on experience and, most importantly, perception or trust. These apparent omissions hint at what could potentially be a much more significant problem with the method: there is no clear scientific/academic basis for the model underpinning the method, meaning that there are probably other factors that are not accounted for. Obtuse references to complexity and this being an "introduction" to details that are to be described in training courses etc. further imply incompleteness in the model and hence limited credibility for the method. Snake oil-o-meter jumps to half way.]
"A word of caution: Although the risk associated with any single exposure may be relatively low, that same exposure existing in many instances across an organization may represent a higher aggregate risk. Under some conditions, the aggregate risk may increase geometrically as opposed to linearly. Furthermore, low risk issues, of the wrong types and in the wrong combinations, may create an environment where a single event can cascade into a catastrophic outcome – an avalanche effect. It’s important to keep these considerations in mind when evaluating risk and communicating the outcome to decision-makers." [I wonder whether FAIR adequately describes risk aggregation, possible geometric increase and the "avalanche effect" noted here, in scientific terms? The author accepts the need to take such things into account but does FAIR actually do so? Snake oil-o-meter swings wildly around the half way point.]
[FAIR looks to me like a practitioners' reductionist model, something they have thought about and documented on the basis of their experience in the field as a way to describe the things they feel are important. FAIR might *help* an experienced information security professional assess risks but I'm not even entirely sure of that: the method looks complex and hence tedious (=costly) to perform properly. I wonder whether, perhaps, the FAIR method should be applied by a consultant such as someone from, say, RMI? Snake oil-o-meter settles around two-thirds full scale.]
To give him his due, the author acknowledges some potential criticisms of FAIR, namely: the "absence of hard data" and "lack of precision" (which are simply discounted as inherent limitations as if that settles the matter); the amount of hard work involved in such a complicated method (which is tacitly accepted with "it gets easier with practice"); "taking the mystery out of the profession" and resistance to "profound" change (I know plenty of information security and IT managers who would dearly like to find an open, sound, workable and reliable method.) [FAIR does not appear to be a profound change so much as an incomplete extension of conventional risk analysis methods. Snake oil-o-meter creeps up again.]
The appendix outlines a "basic risk assessment" in 4 stages: (1) "Identify scenario components" ("identify the asset at risk" and "identify the threat community under consideration"); (2) "Evaluate Loss Event Frequency (LEF)" ("estimate the probable Threat Event Frequency (TEF)", "estimate the Threat Capability (TCap)", "estimate Control strength (CS)", "derive Vulnerability (Vuln)" and "derive Loss Event Frequency (LEF)"); (3) "Evaluate Probable Loss Magnitude (PLM)" ("estimate worst-case loss" and "estimate probable loss"); and finally (4) "Derive and articulate Risk". Many of these parts clearly involve estimation, implying subjectivity (e.g. "estimate probable loss" could range from zero to total global destruction in certain scenarios: the appendix does not say how we are meant to place a mark on the scale). The details of the method are not fully described. For example, the TEF figure seems to be obtained by assigning the situation to one of a listed set of categories: "Very High (VH): > 100 times per year"; "High (H): Between 10 and 100 times per year"; "Moderate (M): Between 1 and 10 times per year"; "Low (L): Between .1 and 1 times per year"; or "Very Low (VL): < .1 times per year (less than once every ten years)." Similarly, the category boundaries for worst case loss vary exponentially for no obvious reason ($10,000,000; $1,000,000; $100,000; $10,000; $1,000; $0). [The use of two-dimensional matrices to determine categories of 'output' value based on simple combinations of two 'input' factors is reminiscent of the two-by-two grids favored by new MBAs and management consultants everywhere. The rational basis for using these nonlinear scales and the consequent effects on the derived risk probability are not stated, nor is the method for determining the appropriate category under any given circumstances (how do we know, for sure, which is the correct value?). This issue strikes at the very core of the "scientific" (theoretically sound, objective, methodical and repeatable) determination of risk. The snake oil-o-meter rises rapidly towards three-quarters.]
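As an added illustration (not part of the original post or of the FAIR paper), the following Python bins point and range estimates onto the TEF and worst-case-loss scales quoted above, and shows how a modest uncertainty in the estimate, or the same low-frequency exposure repeated across many hosts (the paper's own "word of caution"), straddles or shifts a category. The function names, the lower-inclusive treatment of exact boundary values and the sample numbers are assumptions; the quoted text leaves the boundary rule open.

```python
"""Sensitivity check on the ordinal scales quoted from the FAIR appendix.

The bin boundaries are the ones the post quotes (TEF in events per year,
worst-case loss in dollars). Everything else (function names, the idea of
giving an estimate as a range, the sample numbers) is an added illustration
and is not part of FAIR's own method."""
import math

# Threat Event Frequency bands as quoted. "Between 1 and 10" and "between 10
# and 100" do not say which band an exact boundary value belongs to; this
# example treats each band's lower bound as inclusive (an assumption).
TEF_BANDS = [
    ("VL", 0.0, 0.1),        # "< .1 times per year"
    ("L", 0.1, 1.0),         # "between .1 and 1 times per year"
    ("M", 1.0, 10.0),        # "between 1 and 10 times per year"
    ("H", 10.0, 100.0),      # "between 10 and 100 times per year"
    ("VH", 100.0, math.inf), # "> 100 times per year"
]

# Worst-case loss thresholds as quoted; each band runs from one threshold up
# to (excluding) the next. The post gives no band labels, so none are made up.
LOSS_THRESHOLDS = [0, 1_000, 10_000, 100_000, 1_000_000, 10_000_000]


def _loss_bands():
    """(lower, upper) pairs for the dollar scale; the top band is open-ended."""
    uppers = LOSS_THRESHOLDS[1:] + [math.inf]
    return list(zip(LOSS_THRESHOLDS, uppers))


def tef_category(events_per_year: float) -> str:
    """Map a point estimate of TEF onto the quoted five-level scale."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    for label, low, high in TEF_BANDS:
        if low <= events_per_year < high:
            return label
    raise AssertionError("bands cover every non-negative value")


def loss_band(dollars: float) -> tuple:
    """Return the (lower, upper) loss band containing `dollars`."""
    if dollars < 0:
        raise ValueError("loss cannot be negative")
    for low, high in _loss_bands():
        if low <= dollars < high:
            return (low, high)
    raise AssertionError("bands cover every non-negative value")


def tef_categories_spanned(low_estimate: float, high_estimate: float) -> list:
    """TEF categories touched by a range estimate [low, high], in scale order.

    If the analyst's honest uncertainty is a range and this returns more than
    one label, the "pick one category" step is hiding that uncertainty rather
    than resolving it."""
    if low_estimate > high_estimate:
        raise ValueError("low estimate must not exceed high estimate")
    return [label for label, low, high in TEF_BANDS
            if low_estimate < high and high_estimate >= low]


def loss_bands_spanned(low_estimate: float, high_estimate: float) -> list:
    """Same check for the dollar scale: the (lower, upper) bands touched."""
    if low_estimate > high_estimate:
        raise ValueError("low estimate must not exceed high estimate")
    return [(low, high) for low, high in _loss_bands()
            if low_estimate < high and high_estimate >= low]


def aggregate_tef_category(per_instance_tef: float, instances: int) -> str:
    """The paper's "word of caution": one exposure present on many systems.

    Summing independent per-instance frequencies is the simplest (linear)
    aggregation; even that can move the organization-wide category."""
    if instances < 1:
        raise ValueError("need at least one instance")
    return tef_category(per_instance_tef * instances)


if __name__ == "__main__":
    # Constructed sample numbers, not taken from the paper or the post.
    print("9 events/yr ->", tef_category(9.0))                      # M
    # +/-50% around that guess straddles the decade boundary at 10
    print("4.5..13.5 spans", tef_categories_spanned(4.5, 13.5))     # M and H
    # $900k +/-20% worst case straddles the $1,000,000 threshold
    print("720k..1.08M spans", loss_bands_spanned(720_000, 1_080_000))
    # one "Very Low" exposure (once in 20 years) on 100 hosts is "Moderate"
    print("100 x 0.05/yr ->", aggregate_tef_category(0.05, 100))    # M
```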
The appendix casually includes a rather worrying statement: "This document does not include guidance in how to perform broad-spectrum (i.e., multi-threat community) analyses." [Practically all real-world applications for risk analysis methods necessarily involve complex real-life situations with multiple threats, vulnerabilities and impacts. It is not clear whether the full FAIR method can cope with anything beyond the very simplest of cause-effect scenarios. Snake oil-o-meter creeps up to 80%.]
To close this critique, I'll return to a comment at the start of the FAIR paper that information risk is just another form of risk, like investment risk, market risk, credit risk or "any of the other commonly referenced risk domains". [The author fails to state, though, that risk is not managed 'scientifically' in these domains either. Stockbrokers, traders, insurance actuaries and indeed managers as a breed use, but cannot be entirely replaced by, scientific methods and models. Their salaries pay for their ability to make sound decisions based on expertise, meaning experience combined with gut feel - clearly subjective factors. Successful ones are inherently good at gathering, assessing and analysing complex inputs in order to derive simple outputs ("Buy Esso, sell BP" or "Your premium will be $$$"). From the outset, it seems unlikely the method will meet its implied objective to develop a scientific approach. Being based on "development and research spanning four years" is another warning sign since risk analysis in general and information security risk in particular, have been studied academically for decades. Although this is an 'introductory' paper with some strong points, it is quite naive in places. The snake oil-o-meter peaks out at around 80%.]

More risk management links

17 Nov 2006

419 baiters' flash mob this weekend

Some people clearly take the 'sport' of scam-baiting (i.e. retaliating against the 419 advance fee fraudsters) very seriously. A flash mob taking place this weekend is an opportunity to learn about 419ers and the techniques for taking their fake banking and lottery scam sites offline. The Artists Against 419 website is one of many scambaiter sites combining education with ironic humor.

More IT fraud links

16 Nov 2006

Online banks vs users

A well-researched and well-written article about online banking user authentication discusses the range of authentication methods being used or trialled at a number of primarily US banks. Whereas the FFIEC regulations were anticipated to force US banks into using tokens for user authentication by the end of this year, banking customers are proving resistant to the technology and want an easier way to authenticate to the bank [the problem of the bank authenticating to the user merits a brief mention too]. User authentication is crucial to the issue of accountability: a customer cannot be held totally accountable for dubious transactions on his bank account if the bank cannot prove that the customer, rather than 'someone else' (normally a fraudster), logged in and submitted or authorized the transactions. The article discusses device as well as user authentication, in other words 'fingerprinting' the users' PCs to identify their normal machines. Not surprisingly, it barely touches on the back-end anti-fraud systems the banks are using to identify unusual customer activities that might be symptomatic of a fraud in progress: these details are proprietary to each bank (which limits the amount of information sharing between banks) and a closely guarded secret (to avoid tipping-off the very fraudsters they are designed to trap).

More accountability and authentication links

15 Nov 2006

Handbook of Information Security

The Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols, edited by Hossain Bidgoli (~$900 from Amazon), is a huge triple-volume 3,366-page classic textbook comprising chapters on a wide range of information security management topics by acknowledged subject matter experts. This is a properly researched and peer-reviewed collection of top-notch material that is suitable both as a practitioners’ reference and as the course book for information security Masters degrees. If you are seriously interested in information security management, this is your Bible.
More information security management resources

DoS attacks outlawed in the UK

Amongst other police reforms, the new Police and Justice Act 2006 makes Denial of Service attacks illegal under British law and clarifies other aspects of computer misuse. The Computer Misuse Act 1990 made it an offence to alter a computer without authority, covering most hacking attacks but not explicitly DoS attacks. Criminal hackers who commit, for example, DoS-based extortion ("Send us loads of money or we will continue disrupting your online betting service ...") can now be called to account under the new Act.
More links on laws, regulations and standards and accountability

24 Oct 2006

Party party! We've passed the 3,000 mark!

I almost missed it! Earlier this month, I noted that over 2,800 organizations had been certified compliant with ISO 27001 or the equivalent national standards. Well, the number has just crept over the 3,000 mark and seems to be increasing exponentially (I really ought to graph it at some point). It's no secret that I've been an ardent fan of BS 7799 and the standards it has spawned for well over a decade, since before it even became a British Standard. I've been predicting for years that it would take off, rather like the ISO 9000 series quality assurance standards did. Well, we're still on the up-curve but all the signs are positive. I reckon, before too long, we'll start to see organizations compelling their first tier suppliers to confirm their ISO 27001 certifications as a condition of bidding for information security-relevant products and services ... and they in turn will confront the second tier ... and soon it will be a basic condition of entry into certain markets. "The military" and government departments will probably lead the way, closely followed by financial and information services companies.
More on the ISO 27000-series standards here

19 Oct 2006

Oracle admits 100 critical security flaws

Oracle, which "leads in customer relationship management" according to its home page, has released a shed-load of patches containing: 22 security fixes for Oracle Database; 6 security fixes for Oracle HTTP Server; 35 security fixes for Oracle Application Express; 14 security fixes for Oracle Application Server; 13 security fixes for Oracle E-Business Suite; 8 security fixes for Oracle PeopleSoft Enterprise PeopleTools and Enterprise Portal Solutions; 1 security fix for JD Edwards EnterpriseOne; 1 security fix for Oracle Pharmaceutical Applications; and a partridge in a pear tree. If you run Oracle software, get busy with the patching to minimize the risk of incidents. If you work for Oracle, how about some of that customer relationship management i.e. better quality software for your valued customers?
More links on incident management and bugs!

18 Oct 2006

Open Information Security Risk Management Handbook

Clement Dupuis over at cccure.org put me on to a new infosec risk management handbook from an organization I haven't come across before - a Swiss organization called the Security Officers Management and Analysis Project. The handbook is described as "high level informations" containing 14 core pages on risk management, both in general and specifically in relation to information security - in fact, it probably has more to say on information security management than risk management. It aims to describe "how to plan, implement and manage an information security risk strategy and ISMS (Information Security Management System) activities." The language is rather naive in places but this could easily be due to its being translated into English, and the meaning comes through. For example: "A security officer never should be the owner of an asset. Even if this could look like a good idea, it is not. At the end the security officer would be responsible for all the assets which he obviously can not be." It is loosely structured around ISO 17799 / ISO 27001.
The accompanying Information Security Risk Assessment Guide is still in development with a 31-page draft already available. The guide looks as if it will focus on risk management in greater depth than the handbook. At the moment, it is little more than a collection of placeholders, ideas and notes to be explained/expanded later.
Both documents are released under the GNU Free Documentation License giving recipients the freedom to create and sell derivative works provided they reference the originator, retain section headings etc. SOMAP are actively inviting readers to get involved with and contribute to the project. If their appeal succeeds, the project has the potential to clear up an area of information security management that remains poorly served by other works. Although maybe a dozen information security risk management methods are in use worldwide, they seem to be the realm of specialists rather than general practice in the field.
More risk management resources

17 Oct 2006

When POTS becomes VOIP

The transition from POTS (Plain Old Telephone System) to VOIP (Voice Over IP) is likened in an article by CSO Magazine to Swedes changing the side of the road on which they drive. It's a dramatic analogy but acts as a worthwhile counterpoint to the usual arguments about VOIP simply replicating POTS security issues. In fact, VOIP/IPtel introduces some novel risks:
- Confidentiality: unauthorized disclosure of information by snooping on calls, copying or redirecting them;
- Integrity: change management; authentication of users and security administration;
- Availability: additional complexity caused by implementing new IT/networking equipment to replace tried-and-trusted PABXs; convergence of voice and network technologies potentially creating new unanticipated technical issues;
- Financial: risks relating to the implementation project's business case;
- Operational: changing pattern of use of phone systems may open up novel working practices and business opportunities with unique security/risk implications (e.g. remote Internet teleworking potentially including offshore, wireless phones).
Analysing the risks on another axis gives a different view:
- Threats: accidental misconfiguration or operator errors causing software/system/network failures; man-in-the-middle attacks on voice calls (manipulating voice traffic in real time to change conversations);
- Vulnerabilities: new technology (compared to POTS); all the usual information or IT security vulnerabilities (e.g. bugs); all eggs in one basket;
- Impacts: simultaneous loss of network data and voice capability causing business disruption; disclosure of confidential information; regulatory or legal implications such as retention of calls.
More web and network security links

Not just the VA

SC Magazine reports that, since January 2003, all 19 agencies included in a US House Government Reform Committee summary reported at least one breach. So, it's not just the beleaguered US Department of Veterans Affairs after all.
More links on incident management

13 Oct 2006

Patch within 15 mins

Microsoft has dumped another bucket of patches on its customers. Read the Microsoft info page or, for another perspective, check out what SANS Internet Storm Center has to say. The ISC picks out three critical patches, one of which they rate "PATCH NOW" since it is being actively exploited. If you are too busy to check, test or download the patches, remember that the clock is ticking. A few days back, the BBC reported that a honeypot system running unpatched XP Home gets compromised within ~15 minutes of web connection. Get your patching processes up to scratch or face trying to explain to your stakeholders why you suffered avoidable information security incidents ...
More incident management and bugs! resources

Pre-incident forensics

Managers seem to expect forensic evidence to appear as if by magic when an employee is caught committing fraud or circulating porn on company IT equipment. The reality is that, while system, network and firewall logs usually record some information, it is unlikely to be sufficient or suitable for forensic purposes unless the logs and controls have been designed and maintained with that potential use in mind. Aristotle has an unusual network usage/content monitoring product that claims to address this kind of controls gap. It is targeted at schools and offices, for example identifying children contemplating suicide or employees stealing corporate data. It retains forensic evidence and provides the reporting tools to make use of it.

More incident management links

11 Oct 2006

Litany of privacy breach incidents

In similar fashion to the chronology of privacy breaches maintained by the Privacy Rights Clearinghouse, a table of privacy breaches in 2006 tells several stories. For a start, it's already 19 pages long after three quarters of a year. Secondly, the breaches reflect a variety of security threats (e.g. accidental disclosure, hacks, Trojans, theft of equipment/media from offices/homes/cars or in transit), vulnerabilities (e.g. no encryption, inadequate logical or physical access controls, careless disposal of information) and impacts (e.g. public disclosure of the breaches, thefts, around 50 million victims' personal details compromised/exposed to fraud) at all sorts of organization. Thirdly, virtually all of the incidents have had to be publicly disclosed under California State Bill 1386 (presumably a similar level of privacy incidents occur elsewhere outside the remit of SB1386). Finally, the authors of the table have identified the ISO 27001 controls that appear to have been missing or inadequate in each case (sections 7 through 11 feature prominently).
More incident management and privacy links

Xerox copy center hack

A presentation at Black Hat 2006 by Brendan O'Connor covered Vulnerabilities in Not-So Embedded Systems. Specifically, it described a hack on a Xerox multifunction device (copy-scan-print). The machine has an embedded AMD CPU running Linux and Apache with the Xerox applications layered on top. Accessing the device remotely thanks to its web and telnet interfaces, the hacker exploited vulnerabilities in parameter handling by the applications to compromise the root account. To Brendan, this was a bit of a lark. He clearly enjoyed explaining how to hack the machine and, for example, photocopy and scan a stray paper clip and set it up as a default printing template. For Xerox, however, the presentation and exploit represent a security incident that forced them to roll out urgent security fixes to their understandably irate customers. It seems unlikely to have enhanced their reputation in the market.
More security incident management and hacking links

Computer room environmental controls

Seems I'm not alone in having trouble locating good information online about computer room environmental requirements (power, air-con, physical access controls, raised floor design etc.). A fellow infosec professional searching specifically for air-con parameters published some useful links on the CISSPforum today i.e. IBM, HP and more HP, Sun and the University of Texas. I recommended a book from the Sun Blueprints series by Rob Sneveley: Data Center Design and Methodology (~$62 from Amazon). I'm still looking for relevant standards.
More physical security links

10 Oct 2006

Do you want garlic bread with that?

A story about inadequate security practices by Pizza Hut has graduated to a public relations nightmare thanks to the local news media in New Zealand. The incident which sparked it involved a customer noticing that the delivery boy's delivery note included her name, address, phone number, full credit card number, credit card expiry date and cardholder's name - apart from the lack of CVV2 data, that's game, set and match for identity thieves, potentially including Pizza Hut staff, delivery boys/girls, their relatives/friends and indeed anyone who finds a carelessly discarded delivery note. A consumer advice site that broke the story was given the run-around by Pizza Hut and fobbed off with an unhelpful response from their PR agency. Pizza Hut NZ is evidently planning to change its systems not to print the full credit card number ... by March next year ... so, meanwhile, Pizza Hut NZ customers are well advised to pay in cash or find a pizza supplier that actually gives a hoot about their customers' security.
More resources on security incidents

The reality gap

An international survey reveals a fascinating discrepancy between what teleworkers say they do in the way of information security and what they actually do. For example, about a quarter admit to personal use of company laptops yet around half say they shop online (OK, some might be shopping with the corporate credit card, but probably not all of them). There are significant implications for those of us who use questionnaires and interviews to assess the level of security awareness. Essentially, the survey warns us against believing everything we are told and to beware the gap between perception and reality.

More links on teleworking security and security awareness

6 Oct 2006

European CERTs

If you ever need advice or professional assistance to deal with serious information security incidents involving European organizations, ENISA maintains a useful inventory of European CERTs (Computer Emergency Response Teams). Navigate through the online map, print it out as a poster for your office or download the inventory as a PDF for the files. [Thanks to our Spanish security friends at www.iso27000.es for the pointer to this information.]
More incident management resources

Laptop security is a top priority

ZDnet reported "The Sans Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority. The Sans report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain." I would of course agree that loss or theft of data on laptops is important ... along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.

More portable IT security and wireless networking links

30 Sept 2006

CyberSpeak forensics podcast

CyberSpeak is a technology podcast covering computer security, computer crime and computer forensics, hosted by two former federal agents who investigated computer crime. It comes highly recommended by a fellow CISSP.
More incident management and forensics links

29 Sept 2006

Awareness module on IT incident management

October's NoticeBored Classic information security awareness module is about information security/IT incidents - how they are identified, reported, analyzed, contained, resolved and closed out. We encourage organizations to conduct Post Incident Reviews routinely on all significant incidents, not to apportion blame but to identify control improvements and, most importantly, make sure someone is identified to "own" the corrective actions arising. This is a typical learning loop leading to continuous improvement, yet so often things are just left drifting after the dust has settled on an incident. Perhaps it's a maturity thing. I've witnessed first-hand quite a range of responses to serious infosec breaches, ranging from "headless chicken mode" to "stay calm, everything is under control". The headless chickens were far too disorganized to consider let alone conduct effective Post Incident Reviews, preferring to continue lurching from breach to breach. If only their stakeholders knew the true state of management!
Incident management links collection here. Further relevant contributions always welcome.

PowerPoint zero-day

Hot on the heels of the VML bug in Microsoft Internet Explorer comes news of yet another zero-day Microsoft exploit affecting PowerPoint. Gosh.
More incident management links

28 Sept 2006

Being born yesterday

Hackers are so desperate to exploit vulnerabilities such as the VML bug, they are becoming quite incoherent in their excitement. Here's the text of an email I just received:

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Needless to say, I didn't open the attachment (which had already been quarantined by the antivirus software, in any case). Phew, that was a close one!
More Bugs! and malware links

VML exploit awareness video

If you've been following the information security headlines over the past week or so, you will have heard about a nasty zero-day Microsoft exploit in the wild - or rather three exploits in fact, all targeting a buffer overflow in Internet Explorer's handling of Vector Markup Language.
Watchguard's excellent VML exploit video demonstrating the attack is an object lesson in technical awareness presentations - professionally produced, clear and straightforward, and just over 4 minutes long. Nice. Microsoft issued an emergency patch for the bug this week. Meanwhile, SANS and MessageLabs are reporting that malicious eCards are in circulation, exploiting unpatched vulnerable systems.
More links on bugs!

27 Sept 2006

Disabling USB storage

A few organizations that recognize the security issues created by USB thumb drives, hard drives, CD-RWs etc. decide to lock down the USB ports on their systems. The usual way to do this is to buy, test and install additional USB control software. A Microsoft MVP (Most Valuable Professional) has come up with a low cost solution using native Windows functionality - specifically, Group Policy. WindowsDevCenter explains how to define a policy to disable the USB storage driver. A Microsoft Knowledge Base article contains the necessary code. This looks like a viable option if you only want to turn off USB storage devices on your Windows network machines. If you need more fine-grained control such as the ability to allow read not write or to log and report use of the devices, you'll presumably still have to buy, test and install the USB control software though.
More portable IT security links

26 Sept 2006

Over 1,000 unencrypted laptops missing

The Washington Post reports that over 1,100 laptops have gone missing from the US Commerce Department since 2001. Congress was told that "1,137 laptops had been stolen, lost or otherwise vanished since 2001, mostly from the Census Bureau and the National Oceanic and Atmospheric Administration. Of these, 249 contained personally identifiable information, nearly all from the Census Bureau. All were password-protected, a low-level safeguard. Only 107 of the computers were fully encrypted." So if the Census Bureau or other parts of the Commerce Department has sensitive data about you on its laptops, you'd better hope it is on the one-in-ten encrypted systems.
More laptop security links

25 Sept 2006

iPod slurping

Slurp is a program to download MS Office files from the C:\Documents and settings area onto the hard drive of an iPod through a PC’s USB connector. The risk is that someone with physical access to the PCs in your office (such as a hacker in the guise of an unescorted visitor, maintenance worker or cleaner) may have much more than ripped MP3s on their iPod.
More portable IT security links

21 Sept 2006

Information Protection Made Easy

Information Protection Made Easy: A guide for employees and contractors is a new security awareness book by David Lineman. In just 96 pages, it covers the basics of information security with an emphasis on its relevance to individual employees. Chapter titles are: Desktop and Personal Data Security • Electronic Records • Secure Web Browsing • Protecting Customer Privacy • Email and Instant Messaging Security • Compliance with Laws and Regulations • Handling Confidential Information • Employee right to privacy • Managing Passwords • Corporate governance.
More security awareness advice

Portable IT mishaps

A list of the top ten out of 50,000 jobs handled in 2006 by data recovery specialists DiskLabs reveals a number of threats to portable IT devices not specifically considered in the NoticeBored newsletter this month. Some of them have the ring of "the dog ate my homework" but they appear vaguely credible. Perhaps we should add "jilted lovers" to the standard list of IT threats we consider?
More portable IT security resources

19 Sept 2006

USB drive security woes

The press release for a survey of information security relating to USB thumb drives and other removable media mentions a number of incidents involving the little blighters. Small drives cause big problems includes the line "Some alarmed companies are even super-gluing USB ports shut so data cannot be downloaded from PCs and laptops." This may be a reference to an attempted theft of information worth £220m (US$423m) from Sumitomo bank in London using keyloggers, after which Sumitomo reportedly gunked up its USB sockets. According to the BCS article, the National High-Tech Crime Unit (which has since become the Serious Organised Crime Association SOCA) described USB devices as the 'Swiss army knife of the cyber criminal'.
More links on securing portable IT

16 Sept 2006

CIO/CSO/PwC infosec survey 2006

The State of Information Security 2006, a worldwide study by CIO, CSO and PricewaterhouseCoopers was published today. A well-written press release summarizes the main findings but I look forward to reading the full report in depth in due course.
Surveys like this frequently provide snippets of security awareness information that Mean Something to management. It's easy to take comments and statistics out of context that appear to support pretty much any position you want to promote ... but the real value is in being able to put some context around current trends and build a more strategic view of information security in relation to business imperatives. Catching management's interest enough to get them to read the report is an even better outcome.

More security awareness links

Security awareness poster contest

Budding graphic artists with an interest in information security are invited to enter the Southern Methodist University of Dallas, Texas' Security Awareness Poster Contest by November 3rd. Winning entrants receive prizes and get to see their posters in a security awareness calendar (I wonder where SMU got that particular idea from?!).
More on security awareness

6 Sept 2006

NIST guide to email security

A new draft Special Publication from NIST addresses email security. SP 800-45A has the depth and breadth we have come to expect from NIST with over 140 pages covering security breaches such as the following examples:
- Since exchanging email with the outside world is a requirement for most organizations, email is allowed through their network perimeter defenses. Because of this, attackers are increasingly using email as a vector for their attacks. At a basic level, viruses and other types of malware may be distributed throughout an organization via email. Increasingly, however, attackers are getting more sophisticated and are using email to deliver targeted zero-day attacks to users in an attempt to compromise their workstations. If successful, the attackers will then have an attack platform within the organization’s internal network.
- Given email’s nature of human to human communication, it can be used as a social engineering vehicle. Email can allow an attacker to exploit an organization’s users to gather information or get the users to perform actions that further an attack.
- Flaws in the mail server application may be used as the means of compromising the underlying server and hence the attached network. Examples of this unauthorized access include gaining access to files or folders that were not meant to be publicly accessible, and being able to execute commands and/or install software on the mail server.
- Denial of service (DoS) attacks may be directed to the mail server or its support network infrastructure, denying or hindering valid users from using the mail server.
- Sensitive information on the mail server may be read by unauthorized individuals or changed in an unauthorized manner.
- Sensitive information transmitted unencrypted between mail server and client may be intercepted. All popular email communication standards default to sending usernames, passwords, and email messages unencrypted.
- Information within email messages may be altered at some point between the sender and recipient.
- Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the mail server. For example, once the mail server is compromised, an attacker could retrieve users’ passwords, which may grant the attacker access to other hosts on the organization’s network.
- Malicious entities may attack external organizations from a successful attack on a mail server host.
- Misconfiguration may allow malicious entities to use the organization’s mail server to send email-based advertisements (i.e., spam).
- Users may send inappropriate, proprietary, or other sensitive information via email. This could expose the organization to legal action.
Comments on the draft are welcome before October 6th.
More email security resources

Laptop hacking step-by-step

In a piece ostensibly in the same vein as Catch Me If You Can, Spies Among Us or Know Your Enemy, the author of Laptop hacking step-by-step invites us to consider how data thieves or hackers might break into laptops in order to identify necessary security controls. The laptop security vulnerability assessment is rather narrowly focused, highlighting certain issues (such as missing or weak passwords) and controls (such as disk encryption) but completely missing many other issues (such as lost data or malware) and controls (such as backups and antivirus).
More on mobile security

5 Sept 2006

Bugging you

And now for something completely different.
More links on bugs! and other portable security issues

Security awareness for outsource partners

A security manager outlines the security issues he is tackling during a tour of various offshore partners in parts of the world where intellectual property rights don't necessarily mean quite what they do at home. He describes doing an hour's security awareness presentation, starting with an explanation of intellectual property by analogy to the [secret] recipe for chocolate chip cookies. Fair enough, but I'm left with the impression that his well-meaning pep-talk will be forgotten as soon as he leaves the premises. Do they even eat chocolate chip cookies there, I wonder?
The article hints at the issues involved in generating security awareness amongst culturally diverse populations, something that we are constantly reminded of in our own security awareness products. On the trivial end of the scale, we sometimes let the odd English spelling or phrase slip into our US-biased writing and very occasionally someone feels compelled to tick us off about it (now that's a culturally charged phrase!). At the other extreme, we are struggling to make any headway whatsoever into the Middle and Far Eastern markets and I suspect the problem goes much deeper than the language of our materials. It is entirely possible that "security" means different things in different cultures, despite being generally accepted as a fundamental human/animal concept.
The Japanese lead the world in BS 7799-2/ISO 27001 certificates so information security is clearly important to them but I can't recall offhand a single sales inquiry from Japan. If anyone can tell me how the Japanese tackle security awareness, I'd love to know and to learn more.
Read our security awareness white paper and find more links on intellectual property protection

1 Sept 2006

BCP lessons from hurricane Katrina

A report published by the Federal Financial Institutions Examination Council (FFIEC) does a great job of distilling the key disaster management and contingency planning lessons learned from hurricane Katrina.

The report deserves a wider audience than the financial services industry since the lessons apply more broadly:
  • Some organizations may not have anticipated or prepared for the extensive destruction and prolonged recovery period resulting from Hurricane Katrina.
  • To be realistic, disaster drills should include all critical functions and areas.
  • Anticipate disruptions in communications services, possibly for extended periods of time.
  • Critical staff may not be able to reach their assigned recovery location.
  • People are essential to the recovery of operations.
  • Replacement supplies may be difficult to obtain during a protracted recovery period.
  • Financial institutions' facilities could be damaged or destroyed, creating a need for alternate facilities.
  • The location of any back-up site can be critical to successful recovery efforts.
  • Processing transactions may be extremely difficult.
  • Be prepared to operate in a "cash only" environment.
  • The financial industry is dependent on numerous critical infrastructure sectors that potentially have competing interests.
  • A financial institution's involvement in neighborhood, city, state, federal, and non-profit or volunteer programs can facilitate a community's recovery from a catastrophic event.

New NIST documents

NIST has released Special Publication 800-88 Guidelines for Media Sanitization and Interagency Report (IR) 7337 Personal Identity Verification Demonstration Summary. If you are a security professional, it's worth signing up for NIST's high signal-to-noise computer security publications mailing list to keep up with new security standards.
More links on information security standards, laws and regulations

31 Aug 2006

CompTIA infosec report

This year's security survey by CompTIA (the Computing Technology Industry Association) reportedly indicates an increase in the proportion of security incidents relating to human error - up from less than half last year to just under 60% this year. "The most frequently mentioned cause for these errors was failure of staff to follow internal security policies and procedures. Clearly, it is still the human behind the PC that requires behavior modification when it comes to safe computing practices. But there is a disconnect in the responses that organizations are marshalling to combat the threats posed by their employees. Just 29% of organizations surveyed said that information security training is a requirement at their company. Yet among those who require security training for all employees, 84% said such training has resulted in a reduced number of major security breaches since implementation." Whilst we might quarrel with the author's specific reference to 'security training', we would wholeheartedly agree with the thrust of his article. [We are awaiting formal publication of the CompTIA survey report. This article is dated tomorrow.]
More security awareness resources

30 Aug 2006

ATM credits $700,000,000 instead of $74

An ATM error in Ekaterinburg city in Russia's Ural region allegedly led to a customer who deposited around $74 being credited with around $700,000,000, not once but twice. The man 'fessed up to the bank clerks, who initially said they were too busy to deal with it, until the man turned up with shoe boxes full of cash. The ATMs were soon switched off. [This story has the feel of an urban myth. The ATM receipt shown in the newspaper article could easily be a fake - they are available to purchase from online sources for joke purposes, although I haven't yet seen the Cyrillic option.]
More integrity links

29 Aug 2006

Australian tax office sacks 'spies'

The Australian Taxation Office has taken action against 27 employees for inappropriate access to taxpayers' personal data. Two were prosecuted under the Tax Administration Act. This story, coupled with last week's revelation about a similar issue at Centrelink and news of similar crackdowns at other Australian government bodies, presumably indicates a hardening of attitudes. Employees don't seem to realise that the database systems they access may record all sorts of incriminating evidence in their logs. Presumably the relevant audit functions have been looking closely at the records.
More identity theft links

28 Aug 2006

Identity thieves spoof caller ID

The South Florida Sun-Sentinel reports that caller ID is a popular tool for identity thieves. The journalist explains how simple it is for callers to spoof their caller IDs and, with a straightforward bit of social engineering, obtain personal data from their marks. The article mentions a few actual incidents, including those where the caller claims to be working for the courts collecting fines (!).
More identity theft resources

26 Aug 2006

Addressing risks in legacy IT systems

The diagram comes from an excellent new white paper by Israeli security specialist, Danny Lieberman. It eloquently describes a systematic approach for assessing and addressing risks in legacy systems. It examines the question of why there are so many bugs (including defects that cause security issues) in software, and goes on to explain the derivation of threat models (using the Practical Threat Analysis tool) to design appropriate controls.
More risk management, secure development and Bugs! links

25 Aug 2006

Australian privacy breach

Around 100 staff have resigned, 19 have been sacked and around 350 have been disciplined as a result of a two-year investigation into their unauthorized use of database facilities at Centrelink, the Australian federal government's social security and welfare agency. As such, Centrelink staff have access to a wide range of personal information. Five cases were serious enough to be referred to the federal police. It is reported that spyware was used to track staff use of the systems. A Centrelink general manager said "It was done for a whole range of reasons - from just sticky-beaking, through to at the more serious end of records actually being changed ... What this shows is that we have zero tolerance for any people who have surfed the details of the family and friends or peeked at records of their neighbours in our system." This statement fails to acknowledge the potential for abusing such wide-ranging access to personal data in order to commit identity theft.
More identity theft resources

24 Aug 2006

US bank guidance on multifactor authentication

The Federal Financial Institutions Examination Council (FFIEC) has released an FAQ about their requirement for US banks to improve user authentication for Internet banking customers. The “guidance” to banks was issued in 2001 and updated in October 2005, and the impending deadline is evidently causing some consternation in the US banking world. The FAQ ‘clarifies’ issues such as multifactor authentication and tokens. These are not absolutely required, as there are certain very limited circumstances under which they might not be needed. “An institution’s risk assessment may conclude that existing controls are appropriate. However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.” There you go, clear as mud.
More identity theft and user authentication resources

US hospital laptop theft puts 28,000 IDs at risk

A Beaumont Hospital Home Care laptop was stolen from the car of a home care nurse, reports Metro Detroit. The nurse, a new employee, "broke hospital policy by leaving her access code and password with the computer". Doh! Data on more than 28,000 present and former patients have been compromised. "The best protection is to train and educate people who use this information as part of their jobs, to have an awareness of the things they need to do to keep this protected," said Michael Friedman, an attorney in Detroit who has handled several HIPAA cases. "It's not a sophisticated technological solution." Having covered identity theft in this month's NoticeBored security awareness module, we'll be moving on to mobile/portable IT and teleworking next month ... what more can we do to encourage organizations to invest proactively in security awareness?
More identity theft links

23 Aug 2006

Free awareness materials on ID theft

We released some of August's NoticeBored security awareness materials on identity theft to support Global Security Week. In September, we released almost all of the identity theft module as a set of PDF samples to demonstrate NoticeBored Classic.
More identity theft resources

Whistleblowers: courageous or foolhardy?

A Sky News piece Faulty Parts Danger On Holiday Jets explains that two former internal auditors at Boeing did their job by reporting dubious safety practices to management, who instead of thanking them for doing their jobs, allegedly marginalised and intimidated them and eventually demoted and dismissed them. The auditors went a step further by blowing the whistle to the FAA and are now locked in a legal dispute with their former employer under the US whistleblower law. Boeing, naturally enough, says the whistleblowers' case is "without merit" and stresses its multi-level safety controls. [Speaking as a former internal auditor at Airbus, I can vouch for the multi-level safety controls and quality assurance practices in the aerospace industry, and also for the intense competition between the major players. I didn't see dubious safety practices in my time at Airbus, quite the opposite in fact; but, that said, I was an IT auditor, not an engineering/procurement specialist. I did see management and politicians heavily engaging in competitive strategies but (to my knowledge) passenger safety was paramount. Design engineers were actively encouraged to cut weight and cut costs, but without compromising safety. Safety did not appear to be a competitive issue at Airbus.]

21 Aug 2006

Zoomable CCTV on Florida trains

When passengers on new Metrorail Tri-Rail trains in Southern Florida press buttons to alert guards to incidents, the new on-board CCTV system automatically zooms in on the area. Additional cameras monitor the outside of the train plus fore and aft. Taking this idea a step further, the technology potentially exists to zoom in on users who cause security alerts on our network systems, get their passwords wrong or make typing errors ... George Orwell would be proud of us.
More physical security links

19 Aug 2006

Two more contractors lose client personal data

A news item in Computer World reports that Unisys (in conjunction with the Veterans Administration and FBI) is offering a $50,000 reward for information leading to the return of a missing desktop computer containing personal data on 38,000 vets. The machine went missing from a Unisys office.
The same article notes the theft from an unnamed accountancy firm of a portable PC containing personal details on an unknown number of Chevron employees. Another report on the Chevron incident says the firm notified employees that "a laptop computer was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans". The data included names and Social Security Numbers (at least), and was protected 'by a password'. The absence of a clear statement regarding the use of encryption is worrying but is all too common. Wake up!
More identity theft info

Bank of Ireland customers phished

According to Ireland's Electric News, Bank of Ireland customers who fell for a phishing scam have lost a total of €113,000. It is unclear at this point whether the Bank will refund customers' losses.
More identity theft links

16 Aug 2006

SEC ID theft advice to online traders

The US Securities and Exchange Commission piece Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information warns those trading their stocks and shares online to beware identity theft. It's unusual to see the three main types of control laid out so clearly: eight tips on how to avoid being scammed (preventive controls) offer sound advice, as do the two on identifying that you have been scammed (detective controls) and three on how to resolve such issues (corrective controls).
More identity theft links

13 Aug 2006

HSBC's Internet banking logon vulnerability

If, like me, you saw the news items lately about a Cardiff University researcher revealing flaws in the Internet banking user authentication process used by the UK part of HSBC, you have probably been wondering about the details. The journalists refer somewhat vaguely to the exploit involving the use of keyloggers on customers' PCs, which is a significant vulnerability in the first place although unfortunately not uncommon these days. They say capturing details from just 9 logins or less provides sufficient information to complete the exploit - this presumably points to the hacker needing to capture the user's complete password even though only parts are requested each time. Various amateur researchers have been analysing the mathematics involved in the login process, but while there are flaws, they cannot analyse their way directly to being able to capture the complete password in "nine tries or less, typically 5" as mentioned in some of the original news articles. At least one article referred specifically to a flaw in the web scripting which perhaps hints at a weakness in the exchange of information between the bank and the logging-in customer: my guess would be a vulnerability in the algorithm that "randomly" selects which digits are required. Perhaps it is not truly random, maybe a simple sequence or at least a predictable sequence, due to an implementation flaw I suspect. If so, it wouldn't be the first encryption scheme to fail through supposedly random numbers in fact having predictable patterns.
More identity theft links
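The keylogger exposure of a partial-password scheme can be quantified as a coupon-collector problem: how many observed logins does it take before every position of the password has been requested at least once? The following is an added example, not code from the blog or from HSBC; the password length n and the number of positions asked per login k are constructed parameters (the page does not give the real scheme's sizes), and positions are assumed to be drawn uniformly at random, which is the scheme's best case since any predictable selection would only shorten the count.

```python
"""Risk model: a partial-password login observed by a keylogger.

Constructed example (not the blog's or HSBC's code). A password has n
positions; each login asks for a uniformly random k-subset of them, and a
keylogger records whichever positions were typed. The defender's question
is how many captured logins reveal the whole password.
"""
import math
import random


def coverage_probability(n: int, k: int, m: int) -> float:
    """Exact P(all n positions observed after m logins), via inclusion-exclusion.

    Term j counts outcomes in which a fixed set of j positions is never
    requested: each login avoids them with probability C(n-j, k) / C(n, k).
    """
    total = math.comb(n, k)
    return sum(
        (-1) ** j * math.comb(n, j) * (math.comb(n - j, k) / total) ** m
        for j in range(n + 1)
    )


def expected_logins(n: int, k: int, tol: float = 1e-12) -> float:
    """E[logins until full password] = sum over m >= 0 of P(not yet covered after m).

    The tail decays geometrically, so the sum is truncated once a term is below tol.
    """
    expected, m = 0.0, 0
    while True:
        tail = 1.0 - coverage_probability(n, k, m)
        expected += tail
        if tail < tol:
            return expected
        m += 1


def logins_for_confidence(n: int, k: int, p: float) -> int:
    """Smallest number of captured logins after which P(full password known) >= p."""
    m = 0
    while coverage_probability(n, k, m) < p:
        m += 1
    return m


def simulate_logins(n: int, k: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo cross-check of expected_logins using a seeded RNG."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen, logins = set(), 0
        while len(seen) < n:
            seen.update(rng.sample(range(n), k))  # positions typed at this login
            logins += 1
        total += logins
    return total / trials


if __name__ == "__main__":
    n, k = 6, 3  # constructed sizes; the real scheme's parameters are not on the page
    print(f"expected captured logins: {expected_logins(n, k):.2f}")
    print(f"logins for 50% / 90% confidence: {logins_for_confidence(n, k, 0.5)}"
          f" / {logins_for_confidence(n, k, 0.9)}")
    print(f"simulated: {simulate_logins(n, k, 20000):.2f}")
```

The point for the defender is that asking for only some characters never protects against a keylogger for long; it merely sets the number of sessions the attacker must observe, and the count is small for any realistic n and k.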