Welcome to the SecAware blog

I spy with my beady eye ...

30 Sept 2006

CyberSpeak forensics podcast

CyberSpeak is a technology podcast covering computer security, computer crime and computer forensics, hosted by two former federal agents who investigated computer crime. It comes highly recommended by a fellow CISSP.
More incident management and forensics links

29 Sept 2006

Awareness module on IT incident management

October's NoticeBored Classic information security awareness module is about information security/IT incidents - how they are identified, reported, analyzed, contained, resolved and closed out. We encourage organizations to conduct Post Incident Reviews routinely on all significant incidents, not to apportion blame but to identify control improvements and, most importantly, make sure someone is identified to "own" the corrective actions arising. This is a typical learning loop leading to continuous improvement, yet so often things are just left drifting after the dust has settled on an incident. Perhaps it's a maturity thing. I've witnessed first-hand quite a range of responses to serious infosec breaches, ranging from "headless chicken mode" to "stay calm, everything is under control". The headless chickens were far too disorganized to consider, let alone conduct, effective Post Incident Reviews, preferring to continue lurching from breach to breach. If only their stakeholders knew the true state of management!
Incident management links collection here. Further relevant contributions always welcome.

PowerPoint zero-day

Hot on the heels of the VML bug in Microsoft Internet Explorer comes news of yet another zero-day Microsoft exploit affecting PowerPoint. Gosh.
More incident management links

28 Sept 2006

Being born yesterday

Hackers are so desperate to exploit vulnerabilities such as the VML bug, they are becoming quite incoherent in their excitement. Here's the text of an email I just received:

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).


Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service


Needless to say, I didn't open the attachment (which had already been quarantined by the antivirus software, in any case). Phew, that was a close one!
More Bugs! and malware links

VML exploit awareness video

If you've been following the information security headlines over the past week or so, you will have heard about a nasty zero-day Microsoft exploit in the wild - or rather three exploits in fact, all targeting a buffer overflow in Internet Explorer's handling of Vector Markup Language.
Watchguard's excellent VML exploit video demonstrating the attack is an object lesson in technical awareness presentations - professionally produced, clear and straightforward, and just over 4 minutes long. Nice. Microsoft issued an emergency patch for the bug this week. Meanwhile, SANS and MessageLabs are reporting that malicious eCards are in circulation, exploiting unpatched vulnerable systems.
More links on bugs!

27 Sept 2006

Disabling USB storage

A few organizations that recognize the security issues created by USB thumb drives, hard drives, CD-RWs etc. decide to lock down the USB ports on their systems. The usual way to do this is to buy, test and install additional USB control software. A Microsoft MVP (Most Valuable Professional) has come up with a low cost solution using native Windows functionality - specifically, Group Policy. WindowsDevCenter explains how to define a policy to disable the USB storage driver. A Microsoft Knowledge Base article contains the necessary code. This looks like a viable option if you only want to turn off USB storage devices on your Windows network machines. If you need more fine-grained control, such as allowing read but not write access, or logging and reporting use of the devices, you'll presumably still have to buy, test and install the USB control software though.
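As an added example (not code from the blog, the WindowsDevCenter article or the Knowledge Base article), the PowerShell below audits the Start value of the USBSTOR driver service that the registry-based approach hinges on and, only when run with -Apply, sets it to 4 (disabled). The key path and the meaning of the Start codes are standard Windows service settings; the function and parameter names are assumptions of this example.

```powershell
# Added example: audit, and optionally disable, the Windows USB mass-storage
# driver by way of its service Start value. Start = 3 (SERVICE_DEMAND_START,
# the default) lets usbstor.sys load when a mass-storage device is plugged in;
# Start = 4 (SERVICE_DISABLED) stops it from loading. A device that is already
# mounted stays mounted until it is removed, so audit before and after.
# Run from an elevated session; without -Apply nothing is changed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply
)

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled   = 4   # SERVICE_DISABLED
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Report how the USB storage driver is currently configured on this machine.
function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        StartCode = $start
        StartMode = $StartNames[[int]$start]
        Blocked   = ($start -eq $Disabled)
    }
}

$before = Get-UsbStorageState
$before | Format-List

# Apply the lock-down only when asked, and honour -WhatIf / -Confirm.
if ($Apply -and -not $before.Blocked) {
    $action = "Set Start=$Disabled (disable USB storage driver)"
    if ($PSCmdlet.ShouldProcess($UsbStorKey, $action)) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $Disabled -Type DWord
        Get-UsbStorageState | Format-List
    }
}
```

Deploying the same value through a Group Policy registry preference, as the article describes, gives the identical result across a domain; this script is useful for checking that the policy actually landed on a given machine.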
More portable IT security links

26 Sept 2006

Over 1,000 unencrypted laptops missing

The Washington Post reports that over 1,100 laptops have gone missing from the US Commerce Department since 2001. Congress was told that "1,137 laptops had been stolen, lost or otherwise vanished since 2001, mostly from the Census Bureau and the National Oceanic and Atmospheric Administration. Of these, 249 contained personally identifiable information, nearly all from the Census Bureau. All were password-protected, a low-level safeguard. Only 107 of the computers were fully encrypted." So if the Census Bureau or other parts of the Commerce Department has sensitive data about you on its laptops, you'd better hope it is on the one-in-ten encrypted systems.
More laptop security links

25 Sept 2006

iPod slurping

Slurp is a program to download MS Office files from the C:\Documents and settings area onto the hard drive of an iPod through a PC’s USB connector. The risk is that someone with physical access to the PCs in your office (such as a hacker in the guise of an unescorted visitor, maintenance worker or cleaner) may have much more than ripped MP3s on their iPod.
More portable IT security links

21 Sept 2006

Information Protection Made Easy

Information Protection Made Easy: A guide for employees and contractors is a new security awareness book by David Lineman. In just 96 pages, it covers the basics of information security with an emphasis on its relevance to individual employees. Chapter titles are: Desktop and Personal Data Security • Electronic Records • Secure Web Browsing • Protecting Customer Privacy • Email and Instant Messaging Security • Compliance with Laws and Regulations • Handling Confidential Information • Employee right to privacy • Managing Passwords • Corporate governance.
More security awareness advice

Portable IT mishaps

A list of the top ten out of 50,000 jobs handled in 2006 by data recovery specialists DiskLabs reveals a number of threats to portable IT devices not specifically considered in the NoticeBored newsletter this month. Some of them have the ring of "the dog ate my homework" but they appear vaguely credible. Perhaps we should add "jilted lovers" to the standard list of IT threats we consider?
More portable IT security resources

19 Sept 2006

USB drive security woes

The press release for a survey of information security relating to USB thumb drives and other removable media mentions a number of incidents involving the little blighters. Small drives cause big problems includes the line "Some alarmed companies are even super-gluing USB ports shut so data cannot be downloaded from PCs and laptops." This may be a reference to an attempted theft of information worth £220m (US$423m) from Sumitomo bank in London using keyloggers, after which Sumitomo reportedly gunked up its USB sockets. According to the BCS article, the National High-Tech Crime Unit (which has since become the Serious Organised Crime Association SOCA) described USB devices as the 'Swiss army knife of the cyber criminal'.
More links on securing portable IT

16 Sept 2006

CIO/CSO/PwC infosec survey 2006

The State of Information Security 2006, a worldwide study by CIO, CSO and PricewaterhouseCoopers was published today. A well-written press release summarizes the main findings but I look forward to reading the full report in depth in due course.
Surveys like this frequently provide snippets of security awareness information that Mean Something to management. It's easy to take comments and statistics out of context that appear to support pretty much any position you want to promote ... but the real value is in being able to put some context around current trends and build a more strategic view of information security in relation to business imperatives. Catching management's interest enough to get them to read the report is an even better outcome.

More security awareness links

Security awareness poster contest

Budding graphic artists with an interest in information security are invited to enter the Southern Methodist University of Dallas, Texas' Security Awareness Poster Contest by November 3rd. Winning entrants receive prizes and get to see their posters in a security awareness calendar (I wonder where SMU got that particular idea from?!).
More on security awareness

6 Sept 2006

NIST guide to email security

A new draft Special Publication from NIST addresses email security. SP 800-45A has the depth and breadth we have come to expect from NIST with over 140 pages covering security breaches such as the following examples:
- Since exchanging email with the outside world is a requirement for most organizations, email is allowed through their network perimeter defenses. Because of this, attackers are increasingly using email as a vector for their attacks. At a basic level, viruses and other types of malware may be distributed throughout an organization via email. Increasingly, however, attackers are getting more sophisticated and are using email to deliver targeted zero-day attacks to users in an attempt to compromise their workstations. If successful, the attackers will then have an attack platform within the organization’s internal network.
- Given email’s nature of human to human communication, it can be used as a social engineering vehicle. Email can allow an attacker to exploit an organization’s users to gather information or get the users to perform actions that further an attack.
- Flaws in the mail server application may be used as the means of compromising the underlying server and hence the attached network. Examples of this unauthorized access include gaining access to files or folders that were not meant to be publicly accessible, and being able to execute commands and/or install software on the mail server.
- Denial of service (DoS) attacks may be directed to the mail server or its support network infrastructure, denying or hindering valid users from using the mail server.
- Sensitive information on the mail server may be read by unauthorized individuals or changed in an unauthorized manner.
- Sensitive information transmitted unencrypted between mail server and client may be intercepted. All popular email communication standards default to sending usernames, passwords, and email messages unencrypted.
- Information within email messages may be altered at some point between the sender and recipient.
- Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the mail server. For example, once the mail server is compromised, an attacker could retrieve users’ passwords, which may grant the attacker access to other hosts on the organization’s network.
- Malicious entities may attack external organizations from a successful attack on a mail server host.
- Misconfiguration may allow malicious entities to use the organization’s mail server to send email-based advertisements (i.e., spam).
- Users may send inappropriate, proprietary, or other sensitive information via email. This could expose the organization to legal action.
Comments on the draft are welcome before October 6th.
More email security resources

Laptop hacking step-by-step

In a piece ostensibly in the same vein as Catch Me If You Can, Spies Among Us or Know Your Enemy, the author of Laptop hacking step-by-step invites us to consider how data thieves or hackers might break into laptops in order to identify necessary security controls. The laptop security vulnerability assessment is rather narrowly focused, highlighting certain issues (such as missing or weak passwords) and controls (such as disk encryption) but completely missing many other issues (such as lost data or malware) and controls (such as backups and antivirus).
More on mobile security

5 Sept 2006

Bugging you

And now for something completely different.
More links on bugs! and other portable security issues

Security awareness for outsource partners

A security manager outlines the security issues he is tackling during a tour of various offshore partners in parts of the world where intellectual property rights don't necessarily mean quite what they do at home. He describes doing an hour's security awareness presentation, starting with an explanation of intellectual property by analogy to the [secret] recipe for chocolate chip cookies. Fair enough, but I'm left with the impression that his well-meaning pep-talk will be forgotten as soon as he leaves the premises. Do they even eat chocolate chip cookies there, I wonder?
The article hints at the issues involved in generating security awareness amongst culturally diverse populations, something that we are constantly reminded of in our own security awareness products. On the trivial end of the scale, we sometimes let the odd English spelling or phrase slip into our US-biased writing and very occasionally someone feels compelled to tick us off about it (now that's a culturally charged phrase!). At the other extreme, we are struggling to make any headway whatsoever into the Middle and Far Eastern markets and I suspect the problem goes much deeper than the language of our materials. It is entirely possible that "security" means different things in different cultures, despite being generally accepted as a fundamental human/animal concept.
The Japanese lead the world in BS 7799-2/ISO 27001 certificates so information security is clearly important to them but I can't recall offhand a single sales inquiry from Japan. If anyone can tell me how the Japanese tackle security awareness, I'd love to know and to learn more.
Read our security awareness white paper and find more links on intellectual property protection

1 Sept 2006

BCP lessons from hurricane Katrina

A report published by the Federal Financial Institutions Examination Council (FFIEC) does a great job of distilling the key disaster management and contingency planning lessons learned from hurricane Katrina.

The report deserves a wider audience than the financial services industry since the lessons apply more broadly:
  • Some organizations may not have anticipated or prepared for the extensive destruction and prolonged recovery period resulting from Hurricane Katrina.
  • To be realistic, disaster drills should include all critical functions and areas.
  • Anticipate disruptions in communications services, possibly for extended periods of time.
  • Critical staff may not be able to reach their assigned recovery location.
  • People are essential to the recovery of operations.
  • Replacement supplies may be difficult to obtain during a protracted recovery period.
  • Financial institutions' facilities could be damaged or destroyed, creating a need for alternate facilities.
  • The location of any back-up site can be critical to successful recovery efforts.
  • Processing transactions may be extremely difficult.
  • Be prepared to operate in a "cash only" environment.
  • The financial industry is dependent on numerous critical infrastructure sectors that potentially have competing interests.
  • A financial institution's involvement in neighborhood, city, state, federal, and non-profit or volunteer programs can facilitate a community's recovery from a catastrophic event.
New NIST documents

NIST has released Special Publication 800-88 Guidelines for Media Sanitization and Interagency Report (IR) 7337 Personal Identity Verification Demonstration Summary. If you are a security professional, it's worth signing-up for NIST's high signal-to-noise computer security publications mailing list to keep up with new security standards.
More links on information security standards, laws and regulations