Welcome to the SecAware blog

I spy with my beady eye ...

30 Dec 2006

Online banking dongle

Dongles are cryptographic hardware devices with which the PC communicates, firstly to establish that the device is present and secondly that the device is authentic. They are commonly used as copy-protection devices to unlock protected software, but one vendor is selling a dongle for Internet banking. It communicates with the PC via the headset jack rather than, say, USB.

More authentication and IPR resources

29 Dec 2006

New awareness module on IPR

The knowledge economy depends on the exchange of proprietary information between trading partners, or between suppliers and consumers. Intellectual Property Rights (IPR) are crucially important. Without effective IPR controls, there would be few if any real barriers to the theft or plagiarism of creative ideas, inventions etc., meaning less motivation to create and share materials for fear of losing control. I, for one, would be out of a job in no time!

From a security awareness perspective, “IPR” is a rather dry concept to put across, so we use more familiar terms such as copyright, patents and trademarks. Through the seminars and briefing materials in the new NoticeBored awareness module, we explain the link between IPR, copyright and software licensing and briefly describe other important IPR controls including DRM and contracts.

January's newsletter provides an analysis of the risks associated with IPR. Sign up for your free copy.

Please bear in mind that we do not dispense legal advice. IPR is one of those areas where it pays to take advice from qualified professionals familiar with the ins-and-outs of copyright, patent, trademark and contract law, especially if your business operates in more than one country.

IPR links collection here

26 Dec 2006

POGO sticks at it

POGO (Project on Government Oversight) is a self-appointed activist body keeping a watchful eye on US government spending and governance issues. It encourages whistleblowers from public service to expose dubious fiscal and environmental practices or corruption, and provides support and anonymity. It has been in existence since 1981. "In the beginning, POGO (which was then known as Project on Military Procurement) worked to expose outrageously overpriced military spending such as the $7,600 coffee maker and the $436 hammer. After many successes reforming the military, POGO expanded its mandate to investigate systemic waste, fraud, and abuse in all federal agencies."

POGO encourages and supports whistleblowers in public service: "Whistleblowing is often not easy. Exposed whistleblowers are almost always reprimanded, fired, and/or harassed, even if they have not "gone public" and even if their allegations are proven to be true. It takes a lot of courage and forethought to take on a powerful government agency or a private contractor. The mental, emotional, and fiscal hardships that a whistleblower may encounter should be fully understood before any steps are taken to disseminate information - publicly or not. In recent years, protections for federal employees have been unraveled by hostile judicial rulings. As a result, federal employees have little protections against retaliation."

More IT governance, fraud and audit resources

IT security's place in the world

A neat presentation and webcast by George Spafford brought out the value of integrating IT security processes with general IT operations, risk, change and configuration management and linking to business strategy, through ITIL IT service management and COBIT. It's good to see such a broad perspective on IT security, especially one that puts the business rather than security objectives at centre stage.

More information security management resources

25 Dec 2006

Congressional aide socially engineered

A congressional aide has admitted asking two jokers at Attrition.org to hack into his college's network and adjust his college grades. The jokers (whom he evidently believed to be l33t hax0rs, although he would have not the foggiest idea what those words mean) led him into believing they would do what he wanted and, in the course of the incident, got him to reveal his Social Security Number and other personal information to make their hacking job easier. The email exchange is very amusing: the victim had no clue that he was being taken for a ride, even providing photographs of a [secret] squirrel at one point to validate his location. Be sure to read the news piece on Network World that revealed the victim's details and printed his admission and apology for making a big mistake ... which led to him being fired ... but his 15 minutes of fame now include a Wikipedia entry.

More social engineering, hacking and accountability resources

23 Dec 2006

Free security awareness calendar

To herald the arrival of another new year, we have once again recycled some of our favorite poster images from 2006 into a security awareness calendar for 2007. The PDF is a little over a meg but, given the high resolution of the original poster images, the MS Word document is half a gig. Strangely enough, we decided only to make the PDF available online, but NoticeBored customers are very welcome to the Word version on CD (just let us know).

Under cover for 23 years

A remarkably successful identity thief was eventually brought to justice in Britain when an alert immigration officer spotted false documentation, sparking checks that revealed a fraudulent passport application. The self-styled Earl of Buckingham (not his real name) lived for some 23 years under an assumed name; the genuine Christopher Edward Buckingham died as a child. The fraudster's real identity remains hidden, thanks partly to Switzerland’s privacy laws, since he was working in Zurich as an IT security consultant for an insurance company ... which itself raises all sorts of interesting insider threat questions.

More identity theft resources

When SysAdmins go bad 2 - the terror returns

As if to reinforce our recent posting regarding the insider threat and, especially, the threat from employees in trusted/privileged positions, another former system administrator has been charged with planting a logic bomb on his employer's systems, fearing that he was going to lose his job following a merger. The bomb was safely defused before it exploded but the alleged bomber's career options don't look too bright right now.

More malware links

22 Dec 2006

Physical security control myths busted

An unusual source of security information has come to light: the entertaining Mythbusters TV series has explored a variety of physical security controls including fingerprint readers (defeated by a latex copy of a fingerprint ... and even by a photocopy of a fingerprint), intruder detectors that detect body heat (defeated by a pane of glass), and a safe-breaking technique involving water and a depth charge (which, surprisingly, works). Another episode busted the myth about being able to cross a criss-cross laser-beamed room by visualizing the beams, and showed how to defeat a pressure switch with duct tape.

More physical security resources

21 Dec 2006

Your pig, my name

Isn't the World Wide Web Wabsolutely Wonderful? In the course of researching DMCA, DRM, copyright, patents and trademarks for the next NoticeBored awareness module on IPR, I chanced across this bizarre story of a Danish artist who is providing "free" pigs and goats to Ugandan villagers in exchange for them adopting his surname. It's only a click or two away from genuine research materials ...

Links to further IPR and perhaps piggy resources will follow, next month.

20 Dec 2006

Insider threats info from CERT

A fascinating podcast by CERT's Dawn Cappelli reveals a survey of the insider threat by CERT/SEI, the US Secret Service and CSO. As well as the usual roll-call of scary statistics (27% of security incidents are caused by insiders; 55% of the organizations surveyed had experienced deliberate insider malicious activities; 57% of IT sabotage attacks are committed by former employees), it mentions several interesting incidents and threats, such as employees deliberately stealing proprietary software and other information over a long period or just prior to moving to a new job, downloading logic bombs and framing their supervisors, creating backdoor accounts or modifying privileged scripts, or planting long-fuse logic bombs while they still have privileged systems access.

To back up the podcast, there is a wealth of information on the insider threat on CERT's website. This is evidently a focus area for CERT and (on a professional note) it is gratifying to find that employee security awareness is recognized as an important control - specifically, Dawn mentioned use of 'whistleblower hotlines', policies and so forth to encourage/facilitate employees shopping their peers. Snitching may create its own ethical dilemmas but, speaking as one who has occasionally benefited from information provided in confidence by 'snouts' aggrieved at the liberties taken by their colleagues, it is a sadly underappreciated form of control.

Account management and review processes and change/configuration management practices are also emphasized. The podcast highlights the amount of trust placed in privileged IT insiders.

More security awareness links

Audit checklist for information security management

The IT Compliance Institute has amassed an excellent collection of IT governance-related white papers, articles and resources. Their IT audit checklist for reviewing information security management, a new addition, has many potential uses [access requires you to register on the website]. It can be used directly by experienced IT auditors and compliance assessors as a checklist to guide a review of key controls, and it provides pointers on audit preparation, testing and reporting. Prospective auditees and managers will benefit from reading about and preparing for the kinds of things the auditors will be doing, especially the section on things the auditors will be looking for. Those designing and implementing Information Security Management Systems will appreciate the guidance on elements of an ISMS that auditors find particularly important. The checklist can even form the basis of a structured description or specification for a robust ISMS. All in all, a nice paper from the IT Compliance Institute. It's worth browsing the ITCi website for other similar resources including the biannual IT Compliance Journal [again, "free" to those who register].

More information security management, IT governance and IT audit resources

19 Dec 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, one should have raised concerns about the candidate prior to his employment in such a responsible position. The attack was sparked by Duronio receiving a bonus $15k lower than he expected in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations

18 Dec 2006

Phone hacker sues bank for payment

Having been prosecuted and then discharged without conviction for hacking the Reserve Bank of New Zealand's telephone system, Gerry Macridis is now threatening legal action to be paid $7,500 for his unsolicited security advice. Gerry claims to have acted honourably by identifying security flaws in the bank's system and advising them of what they needed to do to resolve them. I've never met Gerry and, based on the news reports, I have no reason to doubt his integrity, but his somewhat naive and direct approach must be a thorn in the bank's side.

More hacking links

15 Dec 2006

Spear phishing case study

In Spam that delivers a pink slip, Computerworld presents a case study on an organization whose staff received spear phishing emails. "Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read "Urgent - employment issue," and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information. And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site." The article seems a little confused about the distinction between spammers and fraudsters but is basically sound. Other local hospitals were reportedly targeted, so it is possible that this was in fact simply an ordinary spam, but the potential for delivery of keyloggers, rootkits and other malware is plain to see.

More malware, email and social engineering links

14 Dec 2006

Phishing up 8,000% but stay calm

The Beeb is reporting that FSA, the UK Financial Services Authority, says phishing has increased "8,000% over the past two years" (that's x80 for those of us who are numerically challenged - me included) but apparently, according to APACS, the UK's financial services industry body, it's OK and we're not to worry because there are still rather few incidents.

I'm reminded of the story of a prizewinner being offered the choice between taking $1m today or taking 1 cent today, two cents tomorrow, four cents the day after and so on every day for a month. Which would you choose? Now do your sums and see if you chose wisely. [And no, I'm not getting into arguments about NPV, the risk of the prizegiver defaulting or the investment income you can make during the month.]

The APACS spokesman reportedly "said just because a bank had been targeted, did not mean its security systems were worse than its competitors. [That's true. But still I have to ask why the phishers are so actively targeting that one British bank - is it their brand value, I wonder, or are the phishers locked in a cat-and-mouse game with the bank's security team? Most of all, which one is it?] "There is no evidence that one bank is any worse or any better-off than another," he told the [Lords science and technology] committee. [Oh, that's alright then: they are all equally as bad!] He also rejected a call for banks to routinely inform customers of security breaches involving their details, such as when a bank employee's laptop was stolen. He said banks did not want to cause undue alarm to customers, as had been the case in some US states, where customers were constantly given such information." [Alarm? Alarm? Who would have thought, eh, that being told by your bank that they have suffered a security compromise and disclosed your supposedly private and personal information to either some spotty geek or The Criminal Underworld is in any way 'alarming'? Stories of an upsurge in shoe sales so Brits can stash their wads under the bed are mere conjecture of course.]

My favourite quote of all comes from Philip Robinson, the FSA's head of financial crime, who said he believed internet banking was generally "safe". Now any fans of The Hitchhiker's Guide to the Galaxy will be familiar with the proposed update to the entry in the Encyclopaedia Galactica for Earth: "Earth - mostly harmless". "Generally safe": isn't that a bit like being "almost dead" or "nearly pregnant"?

More identity theft and social engineering links

"Client-side attacks" social engineering webcast

Core Security Technologies is offering a webcast on "client-side attacks" at 2pm EDT on December 19th and December 21st. The press release is not entirely clear about what they mean by "client-side attacks" but two examples are quoted: opening a malicious Word, Excel or PowerPoint document sent via e-mail, or browsing malicious web sites that exploit vulnerable client-side code.

According to the PR, "During this 45 minute webcast you learn how:
* to assess how vulnerable your information assets are to spear phishing attacks targeted at end users;
* Outlook, IE and other applications can provide an attacker an easy path into your organizations;
* a social engineering attack can be successfully deployed against your network; and,
* to better protect your organization’s critical assets."

I presume they will promote technical security control measures, but I hope they will also promote security awareness to address the human vulnerabilities at the root of such attacks. We'll see.

More social engineering resources

[I have no connection with Core Security Technologies, apart from our common interests in social engineering and information security]

12 Dec 2006

Bank robbery, the social engineering way

A classic social engineering attack on a bank, as described by the boss of a penetration testing company, is just as scary as the case studies in Ira Winkler's Spies Among Us. The perpetrator gains access to the bank network simply by posing as a photocopier technician. It's scary because the story rings true. It's a typical Security Manager's nightmare scenario. The customer service ethic of the front line bank staff trumped any security awareness they might have had. The inadequate technical security controls on the bank LAN are entirely credible. [Thanks to my friend Alisdair for sharing this link.]

More social engineering resources

10 Dec 2006

You've got infected mail!

Attackers are actively exploiting an MS Word zero-day vulnerability by tricking users into opening malicious Word files using a form of social engineering. Infected files may arrive as email attachments from people you know and trust, as well as from those you’ve never heard of. It’s not yet clear whether Microsoft will release a patch on Tuesday: if not, the fix may slip to January unless M$ releases an interim emergency patch. It all depends on the quality of their coding and the speed of their QA and release processes. Meanwhile, take extra care with email attachments, even from friends and colleagues, and make sure your antivirus software is bang up to date. We'll be releasing an updated malware module early in the new year and a new module on application security shortly afterwards: don't let your organization become a statistic or case study!

More social engineering, incident management, bugs!, secure software development and malware links

8 Dec 2006

The fallibility of technical controls

A piece apparently due to be published in Computer Weekly next Tuesday outlines a range of network security issues relating to mis-configuration of IT equipment, and then (almost as an afterthought) ends with the following:

"... security needs to be a mix of people, process and technology. The best security comes from having well-trained and motivated staff, who will not click on dodgy e-mail attachments, and will not be lured into spyware-infected websites. And like every other aspect of the security jigsaw, security training and awareness is not a one-off exercise. It needs to be a continuous programme of education, incentive and information."

The fact that IT systems and networks are misconfigured by people surely implies that security awareness programs need to include IT professionals?

More on network security and security awareness

Pretexting may be outlawed by US Senate

Way back in April, the US House of Representatives voted unanimously to ban "pretexting" but the draft law sat on the sidelines pending Senate committee discussions ... then the HP boardroom incident occurred ... and now suddenly the Senate looks likely to vote the pretexting law through on a fast-track procedure (provided nobody objects). Pretexting in general is already outlawed in California, and throughout the US if used to obtain financial information.

More social engineering resources

419 scam nets $200k

If you're not a regular reader of the Manawatu Standard, you might have missed a sad story about a 71-year-old New Zealand lady and her son having been taken in by 419 scammers to the tune of over $200,000 to date. Even with advice from the New Zealand police, still they play along. "The pair are trusting who they believe to be the Central Bank of Nigeria to 'investigate' the fraudulent email scam and have paid a further $10,000 for the privilege." Psychologists probably have a term for the situation the pair are in. Over the course of 18 months, they have fallen for the scam hook, line and sinker, to the point that they barely even acknowledge the possibility of fraud that is as clear as day to most of us looking on. They forlornly hope that the last payment to the 'investigators' will bring a resolution and, if it doesn't, their natural inclination is to pay again, whether it's 'court fees' or 'late payment charges' or whatever.

More links on IT fraud and social engineering

6 Dec 2006

The dangers of social networking

Here’s a short security awareness video (low or high resolution) and article from the University of Delaware about the dangers of revealing too much information on ‘social networking’ sites such as MySpace, Friendster or FaceBook.

More social engineering and privacy links

1 Dec 2006

The oh-so-helpful Help Desk

"'Phone Phishing', a method of stealing confidential information over telephone, is on a steady rise and awareness is the key to tackle it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to "take care" of callers and often they are more than willing to help." So says a piece in India's Economic Times. I must say that, in my experience, security-aware customer service agents (those first two words are vital!) can be one of the information security manager's strongest allies in the battle against social engineers. Through security awareness/training/education, coupled with proper management support and sensible policies, guidelines and procedures, IT Help/Service Desk workers should not only be permitted to refuse to serve dubious callers, they should be actively encouraged to be careful.

More social engineering resources