Welcome to the SecAware blog

I spy with my beady eye ...

21 Jun 2006

The reality of identity theft

To Catch a Thief is a blogger's story about how her identity was stolen and abused by criminals a year ago. There follows a harrowing and involved tale of the steps taken to investigate, report and stop the abuse. The victim hardly mentions the anguish the incident caused but it's not hard to imagine being in exactly the same position. Right up front she mentions having sent her credit card number by email (doh!) and when she paid for some shoes in a shop, the shop assistant curiously went behind the scenes with her card ... innocuous acts to someone who isn't security aware. [Whilst you are clearly security aware because you are reading this blog, I'd encourage you to read the story and pass it on to your less aware friends and relatives].
More IT fraud resources

20 Jun 2006

System security config guides & tools

A raft of new or updated security checklists and verification tools has been released by NIST covering: access control; application & database security; DNS; Enclave; .NET framework; network infrastructure; SAN/sharing peripherals across the network; UNIX; VoIP; and Windows 2000, XP and 2003 Server. The combination of comprehensive security checklists recommending specific parameter settings and automated tools to check system configurations against the recommendations makes the security manager's job that bit easier.
More IT Ops & system security links

18 Jun 2006

Zero-day exploits follow M$ patches

It is presumably just a coincidence that a zero-day Microsoft Excel vulnerability was acknowledged by Microsoft just a few days after this month's MS Patch Tuesday. It is conceivable, though, that major MS exploits might be released deliberately to coincide with Patch Tuesday since patches are unlikely to be released for at least another month. Who knows? I'd say it is more likely that the black hats hope their exploits will remain just below the radar for as long as possible so the release timing is irrelevant.
Perhaps not such a coincidence: Symantec is reporting that a PowerPoint zero-day exploit was released just after July's M$ Patch Tuesday.
More malware links

15 Jun 2006

Audit on a stick

WinAudit is a great little PC audit utility to load on your USB thumb drive. Plug in the drive, run the file and browse the voluminous output with a web browser. Find out all the usual hardware info plus details of installed software and system configuration. Look for unlicensed software or discover your user privileges, for example.
More audit resources

Economic espionage, a clear and present danger

The latest CSO ezine contains an eye-opening assessment of the risk of 'economic espionage' (a.k.a. industrial espionage or intellectual property theft). Secrets Stolen, Fortunes Lost recounts several case studies and makes the point that traditional security measures are no longer effective in today's e-everything world. Information security threats require different controls, and in turn this requires senior management to update their attitudes towards securing the company's crown jewels. Simply acknowledging the value of their proprietary and personal information would be a good start, let alone recognising the vulnerabilities and impacts of information security breaches.
More IPR resources

14 Jun 2006

Spotting online auction fraud

I don't normally blog other blogs (seems a bit like cannibalism to me) but this time I'll make an exception. In 25 Ways to Avoid Auction Fraud, blogger Ted Richardson highlights a suite of 'things to be wary of' if using PayPal and similar auction sites. Despite the claim that the original blogged article was written by a fraudulent vendor and so might be suspect, the advice looks sound to me and well worth a read if you don't fancy the idea of you, your relatives or your friends being scammed. Do you know how to spot shill bidding, for example? Do you even know what it is? I don't have much time for blogging but Ted's blog is one of the few I subscribe to using Google's excellent blog reader. I'll list the others another time. Meanwhile, which information security-related blogs would you recommend?
More IT-related fraud links

13 Jun 2006

From dawn raids to dumpster diving

If you like news stories with a pinch of drama and intrigue, Martha Baer's piece on identity theft will grip you. Starting with the description of a police raid on an identity thief's home, the story focuses on a particularly successful e-crimes unit dealing with everything from lone drug pushers to gangs of assorted criminals actively exploiting identity theft to scrape their sordid living. Their success stems from selectively checking up on fraudsters released on parole. Strangely enough, they find a significant proportion of former offenders re-offend.
More authentication links

11 Jun 2006

Insider security

The Definitive Guide to Security Inside the Perimeter is a "free" 200+ page eBook by Rebecca Herold (free except that you need to provide an email address and other information to the publisher and sponsor). It explains the security risks arising from insiders working within the organization, and outlines a broad range of controls. Security awareness and training are mentioned frequently, as you might expect.
More security awareness resources

10 Jun 2006

On finding a lost USB drive

Social Engineering, the USB Way is a rather worrying report into a successful penetration test using a mixture of social engineering and malware techniques. One morning before work, the testers scattered USB thumb drives containing Trojans in the parking lot and smokers' corners outside their target credit union premises. The workers duly discovered the 'lost' drives, took them in, plugged them in and compromised their systems' security. The worrying part is the success rate, the potential impact and the likelihood of success elsewhere. Possible controls include security awareness training, antivirus tools, IDS and USB blocking software.
More social engineering and malware links

M$ kills more bugs

Microsoft's Security Program Manager Chris Budd explains Ten Principles of Microsoft Patch Management. Chris clearly knows what he is talking about because Microsoft is highly experienced at releasing patches for its software. The Technet article guides Microsoft's valued customers in how to design and implement efficient processes for sticking plasters over the cracks caused by the vendor's quality control failures. Why do we still put up with this nonsense? What's worse, why do we continually pay for it? [Sorry, I'm feeling particularly cynical today and getting rather tired of battling the legion of bugs.]

More resources on bugs!

A solid information security manual

NIST Special Publication 800-100 "Information Security Manual: A Guide for Managers" is a 174-page draft released in June 2006 for public comment. It refers throughout to [US Government] agencies but in fact is broadly applicable, containing sound guidance on important areas such as information security governance, investment and metrics, planning, contingency, C&A, incident management and, of course, awareness training and education. It's a good-un, well worth a serious look.
More infosec laws, regulations and standards

6 Jun 2006

Information gushes forth

A Proofpoint/Forrester survey on outbound email content scanning found that around a third of the 400+ US and UK 1,000+ employee companies surveyed have been impacted by the exposure of sensitive or embarrassing information in the last 12 months. More than a third! They estimate that around one in five outbound emails contains sensitive information that poses a legal, financial or regulatory risk. Given that not all organizations scan outbound email content, the true figures seem likely to be even higher. About half of email that should be encrypted is encrypted. [The fact that Proofpoint sells email security solutions may put a question mark over the validity of the survey although it was conducted on their behalf by Forrester Research.]
More email security links

Spammer hammered

The Chicago Tribune is reporting a $1m settlement of two civil lawsuits by a notorious Texan spammer. Note to spam king: You got nailed outlines the spammer's unethical business practices and his apparent reformation (he is now trying to sell anti-spam consultancy ...). Would you employ a former cracker in your information security department? How about employing former bank robbers to advise on bank security? Or former pedophiles as school teachers?
More email security resources

5 Jun 2006

Industrial espionage laid bare

As a former NSA employee, Ira Winkler is well known on the speaking circuit for disclosing some of the cloak-and-dagger techniques used by genuine spies. His book, Spies Among Us, should be required reading for all MBA students and managers. Secrets of Superspies, a conference keynote presentation by Ira, has the usual hallmarks of his case-study style plus the analysis to explain why corporate espionage is a realistic probability for any corporation with secrets, patents or other valuable intellectual property and unethical competitors. It's enough to make me even more paranoid.
More confidentiality, social engineering and hacking resources

Encrypted email - too hard?

Special delivery - secure email is a presentation by Fred Avolio of BAE Systems about encrypted email, from a conference a year ago. It outlines the process of symmetric and asymmetric encryption used for secure message and key exchange, respectively, and briefly mentions the main options available for secure email. The big question remains: why do so few people use email encryption? Is it just 'too hard'? Hushmail is one easy option - it's an encrypted webmail system. Just point and click!
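The "symmetric for the message, asymmetric for the key" arrangement Avolio describes is the envelope scheme that every secure email system (OpenPGP, S/MIME) is built on. The following is an added illustration written for this post, not code from the presentation or from any mail product, using only the Python standard library: the asymmetric half is RSA-KEM (encrypt a random number under the recipient's public key and hash it to get the session key), and the symmetric half is an HMAC-SHA256 keystream with an HMAC tag, because the standard library has no AES. Key sizes, function names and the sample message are all chosen for the demo; real mail software uses AES with proper OpenPGP or S/MIME packaging and 2048-bit or larger RSA keys.

```python
"""Hybrid (envelope) encryption in the shape secure e-mail uses:
a fresh symmetric session key protects the message body, and the
recipient's public key protects that session key.

Added illustration, standard library only.  RSA-KEM for the key
transport, HMAC-SHA256 keystream + HMAC tag for the body.  Demo
parameters; not a substitute for OpenPGP or S/MIME.
"""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(prime_bits=512):
    """Return (public, private) RSA keys.  512-bit primes give a 1024-bit
    modulus: fine for a demo, too small for real use."""
    e = 65537
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def kem_encapsulate(public):
    """RSA-KEM: sender picks random r, sends r^e mod n; both sides derive SHA-256(r)."""
    n, e = public
    nbytes = (n.bit_length() + 7) // 8
    r = 1 + secrets.randbelow(n - 1)
    wrapped = pow(r, e, n).to_bytes(nbytes, "big")
    return wrapped, hashlib.sha256(r.to_bytes(nbytes, "big")).digest()


def kem_decapsulate(private, wrapped):
    n, d = private
    nbytes = (n.bit_length() + 7) // 8
    r = pow(int.from_bytes(wrapped, "big"), d, n)
    return hashlib.sha256(r.to_bytes(nbytes, "big")).digest()


def _keystream(key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(session_key):
    # Separate keys for confidentiality and integrity, derived from the session key.
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())


def dem_encrypt(session_key, plaintext):
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag


def dem_decrypt(session_key, blob):
    enc_key, mac_key = _subkeys(session_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def encrypt_message(public, plaintext):
    """Envelope: (session key wrapped for the recipient, body under the session key)."""
    wrapped_key, session_key = kem_encapsulate(public)
    return wrapped_key, dem_encrypt(session_key, plaintext)


def decrypt_message(private, wrapped_key, blob):
    return dem_decrypt(kem_decapsulate(private, wrapped_key), blob)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    message = b"Board minutes attached. Do not forward."  # constructed sample
    wrapped, blob = encrypt_message(pub, message)
    assert decrypt_message(priv, wrapped, blob) == message
    print("recipient recovered:", decrypt_message(priv, wrapped, blob).decode())
```

The point to take from the structure is that the slow public-key operation touches only a short random value, never the message, and that the body carries an integrity tag checked before any decryption: an attacker who flips bits in the ciphertext gets a rejection, not a silently corrupted mail.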
More email security resources

British nurse hackmailed

A Manchester nurse has been hackmailed, possibly the first victim of so-called Ransomware in the UK. A somewhat confusing BBC news report indicates that hackers got onto her PC, encrypted some of her files and then blackmailed her to decrypt them. The article also mentions a virus called Archiveus, which F-Secure in fact lists as a Trojan called MayArchive.B. Victims are evidently told to buy pharmaceuticals from a Russian Internet company. Ransomware is also the name of a licensing scheme to raise a certain amount of money from software before releasing it to the Open Source community, so I prefer the term "hackmail".
A blog entry from September 2005 notes variants on the theme, using Distributed Denial of Service for example to extort money from victims. Whereas DDOS attacks have generally targeted online businesses such as gambling companies and, of course, Blue Security, it's possible the nurse story is an example of increasing criminal interest in targeting individual people. Cybercriminals have traditional hacking, malware, social engineering and spam in their toolboxes and identity theft is another lucrative con against individuals. The Internet provides many opportunities for criminals to hide their own identities and launder funds. It's the World's Wild West.
More malware links

4 Jun 2006

Okopipi anti-spam project

Blue Frog begat Black Frog begat The Okopipi Project, an open source project to implement FrogNet, a peer-to-peer version of Blue Security's Blue Frog anti-spam response. The Okopipi wiki (tagline: "United they spam, divided they fall") explains what's going on.
More email security links

Operation Global Con

The US Department of Justice has released a fact sheet on a global operation to arrest and prosecute hundreds of fraudsters involved in running lottery and investment scams through the Internet. Some 565 people were arrested in five countries, indicating the cooperation of international law enforcement bodies to tackle these so-called borderless crimes.
More IT fraud resources

2 Jun 2006

Email Security School

Back in March 2005, SearchSecurity.com released a 3-lesson Email Security School on email security. Each lesson consists of a webcast presentation by an email security guru, a technical paper and a quiz to check your comprehension.
More email security links

Blue Frog RIP Long live Black Frog

Google's growing collection of news items on the Black Frog project seem to indicate that Blue Frog's demise will not be in vain. A small community of designers and developers is working hard on the next incarnation of the anti-spam frog. As I indicated before, Blue Frog may have lost the battle but the war on spam continues.
More email security links

Email security awareness

June's NoticeBored security awareness module covers email security, one of our "core topics" that practically all security awareness programs are bound to cover. We look beyond the obvious issues such as spam, malware and phishing to aspects such as libel, harassment and unauthorized contracts.
Email security links