Welcome to the SecAware blog

I spy with my beady eye ...

31 Aug 2006

CompTIA infosec report

This year's security survey by CompTIA (the Computing Technology Industry Association) reportedly indicates an increase in the proportion of security incidents relating to human error - up from less than half last year to just under 60% this year. "The most frequently mentioned cause for these errors was failure of staff to follow internal security policies and procedures. Clearly, it is still the human behind the PC that requires behavior modification when it comes to safe computing practices. But there is a disconnect in the responses that organizations are marshalling to combat the threats posed by their employees. Just 29% of organizations surveyed said that information security training is a requirement at their company. Yet among those who require security training for all employees, 84% said such training has resulted in a reduced number of major security breaches since implementation." Whilst we might quarrel with the author's specific reference to 'security training', we would wholeheartedly agree with the thrust of his article. [We are awaiting formal publication of the CompTIA survey report. This article is dated tomorrow.]
More security awareness resources

30 Aug 2006

ATM credits $700,000,000 instead of $74

An ATM error in Ekaterinburg, a city in Russia's Ural region, allegedly led to a customer who deposited around $74 being credited with around $700,000,000, not once but twice. The man 'fessed up to the bank clerks, who initially said they were too busy to deal with it, until he turned up with shoe boxes full of cash. The ATMs were soon switched off. [This story has the feel of an urban myth. The ATM receipt shown in the newspaper article could easily be a fake - they are available to purchase from online sources for joke purposes, although I haven't yet seen the Cyrillic option.]
More integrity links

29 Aug 2006

Australian tax office sacks 'spies'

The Australian Taxation Office has taken action against 27 employees for inappropriate access to taxpayers' personal data. Two were prosecuted under the Tax Administration Act. This story, coupled with last week's revelation about a similar issue at Centrelink and news of similar crackdowns at other Australian government bodies, presumably indicates a hardening of attitudes. Employees don't seem to realise that the database systems they access may record all sorts of incriminating evidence in their logs. Presumably the relevant audit functions have been looking closely at the records.
More identity theft links

28 Aug 2006

Identity thieves spoof caller ID

The South Florida Sun-Sentinel reports that caller ID is a popular tool for identity thieves. The journalist explains how simple it is for callers to spoof their caller IDs and, with a straightforward bit of social engineering, obtain personal data from their marks. The article mentions a few actual incidents, including those where the caller claims to be working for the courts collecting fines (!).
More identity theft resources

26 Aug 2006

Addressing risks in legacy IT systems

The diagram comes from an excellent new white paper by Israeli security specialist, Danny Lieberman. It eloquently describes a systematic approach for assessing and addressing risks in legacy systems. It examines the question of why there are so many bugs (including defects that cause security issues) in software, and goes on to explain the derivation of threat models (using the Practical Threat Analysis tool) to design appropriate controls.
More risk management, secure development and Bugs! links

25 Aug 2006

Australian privacy breach

Around 100 staff have resigned, 19 have been sacked and around 350 have been disciplined as a result of a two-year investigation into their unauthorized use of database facilities at Centrelink, the Australian federal government's social security and welfare agency. Centrelink staff therefore have access to a wide range of personal information. Five cases were serious enough to be referred to the federal police. It is reported that spyware was used to track staff use of the systems. A Centrelink general manager said "It was done for a whole range of reasons - from just sticky-beaking, through to at the more serious end of records actually being changed ... What this shows is that we have zero tolerance for any people who have surfed the details of the family and friends or peeked at records of their neighbours in our system." This statement fails to acknowledge the potential for abusing such wide-ranging access to personal data in order to commit identity theft.
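The common thread in this item and in the Australian Taxation Office story above is that the database's own access-audit trail is the evidence. The following is an added example, not part of the original post and not the method Centrelink or the ATO used (the page does not describe their methods): it runs three simple checks over a constructed access-audit log in a hypothetical key=value format, against made-up staff and customer directories. The signals are lookups with no case or ticket reference, lookups of records sharing the staff member's own surname or postcode (family and neighbours, the "sticky-beaking" the general manager mentions), and a burst of distinct records viewed in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical format; 'case=-' means the lookup
# was not tied to any case or ticket. u300's lines are generated: 12 views of
# different records 30 seconds apart, none with a case reference.
LOG_TEXT = (
    "2006-08-10T09:01:00 staff=u100 record=c1 case=CR-4411 action=VIEW\n"
    "2006-08-10T09:07:30 staff=u100 record=c2 case=CR-4412 action=UPDATE\n"
    "2006-08-10T12:15:00 staff=u200 record=c3 case=- action=VIEW\n"
    "2006-08-10T12:16:10 staff=u200 record=c4 case=CR-9001 action=VIEW\n"
    + "".join(
        f"2006-08-10T14:{i // 2:02d}:{(i % 2) * 30:02d} staff=u300 record=c{10 + i} case=- action=VIEW\n"
        for i in range(12)
    )
)

# Constructed HR and customer directories: id -> (surname, postcode).
STAFF = {"u100": ("Nguyen", "2600"), "u200": ("Smith", "3000"), "u300": ("Patel", "4000")}
CUSTOMERS = {"c1": ("Brown", "2601"), "c2": ("Lee", "2602"),
             "c3": ("Smith", "3000"), "c4": ("Jones", "3001")}
CUSTOMERS.update({f"c{10 + i}": ("Other", "5000") for i in range(12)})


def parse_log(text):
    """Turn 'timestamp key=value ...' audit lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def no_case_ref(ev):
    """A lookup with no case reference has no documented business reason."""
    return ev["case"] == "-"


def personal_link(ev, staff=STAFF, customers=CUSTOMERS):
    """Signals that the record viewed plausibly belongs to family or a neighbour."""
    s_name, s_pc = staff[ev["staff"]]
    c_name, c_pc = customers[ev["record"]]
    reasons = set()
    if s_name.lower() == c_name.lower():
        reasons.add("same_surname")
    if s_pc == c_pc:
        reasons.add("same_postcode")
    return reasons


def burst_staff(events, window=timedelta(minutes=5), threshold=10):
    """Staff IDs that viewed at least `threshold` distinct records inside any
    sliding window of length `window` (browsing rather than casework)."""
    by_staff = defaultdict(list)
    for ev in events:
        by_staff[ev["staff"]].append(ev)
    flagged = set()
    for sid, evs in by_staff.items():
        evs.sort(key=lambda e: e["time"])
        j = 0
        for i in range(len(evs)):
            while evs[i]["time"] - evs[j]["time"] > window:
                j += 1
            if len({e["record"] for e in evs[j:i + 1]}) >= threshold:
                flagged.add(sid)
                break
    return flagged


def review(text):
    """Map each staff ID that raised at least one signal to the set of signals."""
    events = parse_log(text)
    findings = defaultdict(set)
    for ev in events:
        if no_case_ref(ev):
            findings[ev["staff"]].add("no_case_ref")
        findings[ev["staff"]] |= personal_link(ev)
    for sid in burst_staff(events):
        findings[sid].add("burst")
    return {sid: reasons for sid, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for sid, reasons in sorted(review(LOG_TEXT).items()):
        print(sid, sorted(reasons))
```

Of the three constructed users only u100, whose two lookups each carry a case reference, comes out clean; the real value of such a review is that the log was written by the system, not by the person being reviewed.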
More identity theft resources

24 Aug 2006

US bank guidance on multifactor authentication

The Federal Financial Institutions Examination Council (FFIEC) has released an FAQ about its requirement for US banks to improve user authentication for Internet banking customers. The “guidance” was issued to banks in 2001 and updated in October 2005, and the impending compliance deadline is evidently causing some consternation in the US banking world. The FAQ ‘clarifies’ issues such as multifactor authentication and tokens. These are not absolutely mandated, but the circumstances under which a bank can do without them are very limited: “An institution’s risk assessment may conclude that existing controls are appropriate. However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.” There you go, clear as mud.
More identity theft and user authentication resources

US hospital laptop theft puts 28,000 IDs at risk

A Beaumont Hospital Home Care laptop was stolen from the car of a home care nurse, reports Metro Detroit. The nurse, a new employee, "broke hospital policy by leaving her access code and password with the computer". Doh! Data on more than 28,000 present and former patients have been compromised. "The best protection is to train and educate people who use this information as part of their jobs, to have an awareness of the things they need to do to keep this protected," said Michael Friedman, an attorney in Detroit who has handled several HIPAA cases. "It's not a sophisticated technological solution." Having covered identity theft in this month's NoticeBored security awareness module, we'll be moving on to mobile/portable IT and teleworking next month ... what more can we do to encourage organizations to invest proactively in security awareness?
More identity theft links

23 Aug 2006

Free awareness materials on ID theft

We released some of August's NoticeBored security awareness materials on identity theft to support Global Security Week. In September, we released almost all of the identity theft module as a set of PDF samples to demonstrate NoticeBored Classic.
More identity theft resources

Whistleblowers: courageous or foolhardy?

A Sky News piece Faulty Parts Danger On Holiday Jets explains that two former internal auditors at Boeing reported dubious safety practices to management who, instead of thanking them for doing their jobs, allegedly marginalised and intimidated them and eventually demoted and dismissed them. The auditors went a step further by blowing the whistle to the FAA and are now locked in a legal dispute with their former employer under the US whistleblower law. Boeing, naturally enough, says the whistleblowers' case is "without merit" and stresses its multi-level safety controls. [Speaking as a former internal auditor at Airbus, I can vouch for the multi-level safety controls and quality assurance practices in the aerospace industry, and also for the intense competition between the major players. I didn't see dubious safety practices in my time at Airbus, quite the opposite in fact, but, that said, I was an IT auditor not an engineering/procurement specialist. I did see management and politicians heavily engaging in competitive strategies but (to my knowledge) passenger safety was paramount. Design engineers were actively encouraged to cut weight and cut costs but without compromising safety. Safety did not appear to be a competitive issue at Airbus.]

21 Aug 2006

Zoomable CCTV on Florida trains

When passengers on new Metrorail Tri-Rail trains in Southern Florida press buttons to alert guards to incidents, the new on-board CCTV system automatically zooms in on the area. Additional cameras monitor the outside of the train plus fore and aft. Taking this idea a step further, the technology potentially exists to zoom in on users who cause security alerts on our network systems, get their passwords wrong or make typing errors ... George Orwell would be proud of us.
More physical security links

19 Aug 2006

Two more contractors lose client personal data

A news item in Computer World reports that Unisys (in conjunction with the Veterans Administration and FBI) is offering a $50,000 reward for information leading to the return of a missing desktop computer containing personal data on 38,000 vets. The machine went missing from a Unisys office.
The same article notes the theft from an unnamed accountancy firm of a portable PC containing personal details on an unknown number of Chevron employees. Another report on the Chevron incident says the firm notified employees that "a laptop computer was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans". The data included names and Social Security Numbers (at least), and was protected 'by a password'. The absence of a clear statement regarding the use of encryption is worrying but all too common. Wake up!
More identity theft info

Bank of Ireland customers phished

According to Ireland's Electric News, Bank of Ireland customers who fell for a phishing scam have lost a total of €113,000. It is unclear at this point whether the Bank will refund customers' losses.
More identity theft links

16 Aug 2006

SEC ID theft advice to online traders

The US Securities and Exchange Commission piece Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information warns those trading their stocks and shares online to beware identity theft. It's unusual to see the three main types of control laid out so clearly: eight tips on how to avoid being scammed (preventive controls) offer sound advice, as do the two on identifying that you have been scammed (detective controls) and three on how to resolve such issues (corrective controls).
More identity theft links

13 Aug 2006

HSBC's Internet banking logon vulnerability

If, like me, you saw the news items lately about a Cardiff University researcher revealing flaws in the Internet banking user authentication process used by the UK part of HSBC, you have probably been wondering about the details. The journalists refer somewhat vaguely to the exploit involving the use of keyloggers on customers' PCs, which is a significant vulnerability in the first place although unfortunately not uncommon these days. They say capturing details from just 9 logins or fewer provides sufficient information to complete the exploit - this presumably points to the hacker needing to capture the user's complete password even though only parts are requested each time. Various amateur researchers have been analysing the mathematics involved in the login process, but while there are flaws, they cannot analyse their way directly to being able to capture the complete password in "nine tries or less, typically 5" as mentioned in some of the original news articles. At least one article referred specifically to a flaw in the web scripting which perhaps hints at a weakness in the exchange of information between the bank and the logging-in customer: my guess would be a vulnerability in the algorithm that "randomly" selects which digits are required. Perhaps it is not truly random, maybe a simple sequence or at least a predictable sequence, due to an implementation flaw I suspect. If so, it wouldn't be the first encryption scheme to fail through supposedly random numbers in fact having predictable patterns.
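As an added illustration (not HSBC's actual scheme, whose details the page does not give), the model below shows what a trojan on the customer's PC yields against a partial-password login of the "enter digits 2, 5 and 7 of your security number" kind, and why the attacker does not need to have captured every digit before trying. The secret length (8 digits), the number of positions asked per login (3), the assumption that the malware records which positions were displayed as well as what was typed, and the cycling selector used to illustrate the predictable-sequence guess are all assumptions of this example, not facts from the page.

```python
import random
from itertools import cycle
from math import comb

SECRET_LEN = 8        # assumption: an 8-digit memorable 'security number'
ASKED_PER_LOGIN = 3   # assumption: three positions requested at each login


def random_challenge(rng, n=SECRET_LEN, k=ASKED_PER_LOGIN):
    """Bank side as intended: k distinct positions (0-based) chosen at random."""
    return tuple(sorted(rng.sample(range(n), k)))


def random_challenges(rng, n=SECRET_LEN, k=ASKED_PER_LOGIN):
    """Endless stream of challenges, one per login."""
    while True:
        yield random_challenge(rng, n, k)


def customer_types(secret, challenge):
    """The digits the customer keys in. Assumption: the trojan records these
    together with the positions shown on the page; a bare keylogger gives digits only."""
    return tuple(secret[i] for i in challenge)


def learn(knowledge, challenge, typed):
    """Attacker merges one captured login into a position -> digit map."""
    merged = dict(knowledge)
    merged.update(zip(challenge, typed))
    return merged


def answerable(knowledge, challenge):
    """True if every requested position has already been captured."""
    return all(pos in knowledge for pos in challenge)


def logins_to_learn_all(secret, challenges):
    """Captured logins needed (from an iterable of challenges) before every
    position of the secret is known; None if the iterable runs out first."""
    knowledge, seen = {}, 0
    for ch in challenges:
        knowledge = learn(knowledge, ch, customer_types(secret, ch))
        seen += 1
        if len(knowledge) == len(secret):
            return seen
    return None


def attempts_until_answerable(knowledge, challenges, limit=100):
    """The attacker need not know the whole secret: start a login and, if the
    challenge asks only positions already captured, answer it. Returns the number
    of attempts until that first happens, or None if `limit` attempts all fail."""
    for attempt, ch in enumerate(challenges, start=1):
        if attempt > limit:
            return None
        if answerable(knowledge, ch):
            return attempt
    return None


def p_answerable(known, n=SECRET_LEN, k=ASKED_PER_LOGIN):
    """With truly random selection, the chance that one fresh challenge asks only
    positions among `known` captured ones: C(known, k) / C(n, k)."""
    return comb(known, k) / comb(n, k)


def average_logins_to_learn_all(trials=2000, seed=0, n=SECRET_LEN, k=ASKED_PER_LOGIN):
    """Monte Carlo estimate of captured logins needed for full knowledge."""
    rng = random.Random(seed)
    secret = "3141592653"[:n]  # constructed secret; any n-digit string will do
    total = 0
    for _ in range(trials):
        total += logins_to_learn_all(secret, random_challenges(rng, n, k))
    return total / trials


if __name__ == "__main__":
    secret = "31415926"  # constructed
    print("average captured logins to learn all 8 digits:",
          round(average_logins_to_learn_all(), 2))
    print("P(fresh challenge answerable) knowing 5, 6, 7 of 8 digits:",
          [round(p_answerable(m), 3) for m in (5, 6, 7)])
    # The page's guess: a predictable, cycling choice of positions. Having captured
    # one login, the attacker simply waits for the same challenge to come round again.
    fixed = [(0, 1, 2), (3, 4, 5), (1, 2, 6), (0, 5, 7)]   # constructed cycle
    known = learn({}, fixed[0], customer_types(secret, fixed[0]))
    print("attempts until the captured challenge recurs:",
          attempts_until_answerable(known, cycle(fixed[1:] + fixed[:1])))
```

Two things the arithmetic makes visible: with genuinely random selection an attacker who has captured 6 of 8 digits already has a 20/56 chance that the very next challenge is one they can answer, so the count of captured logins needed is well below the number required for complete knowledge; and if the selection is a short predictable cycle, a single captured login suffices and the attacker just waits for it to recur.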
More identity theft links

Identity theft advice to students

The (US) Office of Inspector General offers sound advice to students and prospective students about identity theft scams targeting them. A typical example is a phone call to a prospective student asking them for their banking information 'in order to process an application fee'. Students seldom have much money but fraudsters can obtain credit in their names and rack up bigger bills quicker than even the most profligate party animals. [This story was brought to my attention by the latest RISKS newsgroup digest, referencing a news article from Stanford University.]
More on identity theft here

9 Aug 2006

Identity stolen a decade earlier

It wasn't until David Richardson had a lot of trouble getting a mortgage that he discovered his identity had been stolen ten years earlier. The BBC News reports that after David's birth certificate and passport had been stolen, an identity thief fraudulently opened two accounts in his name and racked up £6,000 in debts. "I would advise anybody to look after their personal details." he said. "It's amazing what kind of information you can get from a basic utility bill. People should be very careful with their personal items and documents."
More identity theft links

4 Aug 2006

IdentityStuff blog

IdentityStuff is a blog on identity management and related topics. Worth a quick browse, maybe, to see what's happening in the field.
More identity theft resources

BBC broadcast on 419ers

A BBC World broadcast gives an account of the 419 and “black money” scams committed by Nigerian fraudsters, and the UK police investigating corruption, cheque fraud and money laundering committed by ordinary criminals and Nigerian state governors.
More IT fraud resources

2 Aug 2006

FFIEC infosec manual

Although it is evidently intended to be an exam manual or study guide, the Federal Financial Institutions Examination Council's IT Examination Handbook on Information Security could easily be mistaken for an information security manual. It bears more than a passing resemblance to ISO 17799, NIST, COBIT and SAS70 (amongst others), which are acknowledged as reference sources. There are "action summaries" containing key points from each section, such as this one for authentication: "Financial institutions should use effective authentication methods appropriate to the level of risk. Steps include: Selecting authentication mechanisms based on the risk associated with the particular application or services; Considering whether multi-factor authentication is appropriate for each application, taking into account that multifactor authentication is increasingly necessary for many forms of electronic banking and electronic payment activities; and Encrypting the transmission and storage of authenticators (e.g., passwords, personal identification numbers (PINs), digital certificates, and biometric templates)." A free 138 page infosec manual is not to be sneezed at.
More authentication and identity theft resources