Welcome to the SecAware blog

I spy with my beady eye ...

26 Jan 2007

Google Germany site hijacked

Don't forget that domain names are intellectual property and as such are vulnerable to information security issues. Google temporarily lost control of google.de earlier this week when someone, somehow, managed to get the DNS entries transferred from Google's ISP to another.

A spike in the incidence of domain hijacks made headlines three or so years ago but the numbers fell when ISPs and registrars improved the registration and transfer process controls. It is quite difficult now even for the legitimate domain owner to transfer it - one of the typical hidden costs of security.

More IPR links

24 Jan 2007

More USB thumb drive mischief

Manufacturing Computer Solutions, one of the lesser known sources of cutting-edge information security news (I love you Google!), is reporting a security study by the NCC Group. Seems the NCCG delivered a "party invitation of a lifetime" gift box (a Trojan horse shaped box would have put the icing on the cake!) with USB drive to finance directors at 500 UK companies and, surprise surprise, the clueless ones simply plugged the USB drives into their machines. Compounding the problem, many even clicked on the "Yes I want to install some software" option without a clue about what the software was actually going to do.

Paul Vlissidis, NCCG's head of penetration testing, said “This demonstrates a fundamental lack of healthy suspicion by IT users, even at a senior level. The need for real security awareness has never been greater… This kind of technique could easily be adopted by genuine hackers and these directors could have seriously jeopardised the security of their company’s networks. Not only could fraudsters have customers’ or employees personal details to steal their identities, but they could also have gained full control of an FD’s email account, allowing them to access information regarding forthcoming unreleased trading statements or even results which they could then use to influence share dealing.”

So, now we know (for sure) that the 'free USB thumb drive' trick is yet another social engineering technique that works well. The big unanswered question is what we are actually supposed to do about the threat. 'Raising awareness' is much easier said than done, and getting people to change their behavior even more so. Perhaps USB lock-down technology (and/or Sumitomo's super superglue solution) is the best option here, with the added benefit of frustrating those wayward employees who would steal gigs of data from right under the noses of their managers, colleagues and security guards using thumb drives or iPods.

More security awareness, social engineering and mobile IT security links.

IT performance proportional to change management

A well-written piece in the IIA's IT Audit by Dwayne Melancon outlines the results of a research study conducted by the IT Process Institute. The ITPI went looking for characteristics of the controls infrastructure that distinguish high- from low-performing IT departments. The researchers picked out IT process controls from COBIT and ITIL/ISO 20000 frameworks and measured 98 organizations - not a huge sample but statistically significant and adequate given the depth of study.

The headline is that they found a clear link between the quality of an organization's change management controls and its performance. Since top/medium/low performers were determined by the "number of controls for which respondents scored in the top 50th percentile of all respondents" across controls for access, change, release, configuration, service level and resolution (presumably of problems/incidents), it is inevitable that high performers scored well on the selected 6 control areas. The study indicates that the strongest link occurs in the change management domain.

The report picks out some interesting correlations between specific controls and high performers e.g.:
- monitoring for authorized/unauthorized and successful/unsuccessful changes;
- firm consequences for those who intentionally make unauthorized changes;
- formal processes and automation of configuration management.

These in turn suggest potential metrics e.g.:
- percentages of changes that are authorized and successful (the proportion of unplanned work that an IT department undertakes has been previously identified as a worthwhile metric; the "proportion of problems that are fixed first time" is another good one);
- percentage of unauthorized change incidents that lead to disciplinary action (measuring management's commitment to enforcing change management controls);
- percentage of configuration information that is accurate and complete.

The full study report costs $1,695 and may be hard to justify but the free executive summary is worth reading if you have an interest in the relationship between IT governance, risk, control and security.

More IT governance and change management links

17 Jan 2007

Foreign spies in America

2006 Technology Collection Trends in the U.S. Defense Industry, an unclassified report released in June 2006 by the US Defense Security Service Counterintelligence Office, notes espionage incidents involving 106 foreign countries in 2005 (up from 90 the year before), a handful of which are briefly outlined in the appendix. Information systems are not surprisingly the most frequent targets for those seeking, um, information. The body of the report summarizes typical spy tactics and presents countermeasures in succinct tables like the one shown above. The same tactics and countermeasures apply whether the targets are military secrets or proprietary IP - in fact, they are often one and the same (so-called 'economic espionage').

More IPR resources

Anti-piracy FAQ

The Software & Information Industry Association (SIIA) has a handy FAQ about software piracy. Their newsletters are one way to keep up with copyright, patent and other IPR news stories - good material there for case studies and anecdotes to bring management up to speed with IPR issues. Even their tagline might be good for an awareness poster: "It's more than a copy. It's a crime."

More IPR resources

13 Jan 2007

Intel - Transmeta patent dispute

Another high technology patent dispute has flared up. Transmeta accused Intel of violating some of its patents last October. Intel has now retaliated in like fashion.

More IPR resources

12 Jan 2007

Trademark spat over "i"-anything

Precis: whereas Apple holds several "i" trademarks such as "iPod" and has built a family of "i"-branded products, CISCO holds the US trademark specifically for "iPhone". Having attempted to obtain the "iPhone" trademark for themselves, Apple launched their own "iPhone" at a US trade show. CISCO responded by filing suit in a Californian court claiming trademark infringement, unfair competition, false description and injury to business reputation.

Analysis: IANAL but, prima facie, CISCO appears to have the stronger legal case, being the current holder of the US trademark at issue (having purchased its original corporate owner - it is conceivable that the trademark was the only genuine asset in the deal). Apple may have believed they were sufficiently close to agreement with CISCO to just take a chance on launching the product. Alternatively, Steve Jobs may indeed have "brass balls" as stated in the News.com story. He may well be working on the basis that "there ain't no such thing as bad publicity"; in other words, win or lose, people will at least be aware that Apple has a new product. Maybe he thinks going public will force the negotiations to a close in order for both parties to avoid expensive legal action? CISCO does not have an entirely clear run, though, due to Apple already having a family of other "i" products. Other companies have also released iPhones, apparently without CISCO's approval.

More IPR links

A Nigerian tragic comedy

I thought I'd share the following email, which plopped into my inbox overnight, with you. It's one of the funniest I've seen in ages, a truly tragic comedy:

Mohammed M. Abacha.
NO.16.Queen's Drive Victoria Island,

Dear Friend,
as-Salam-u-'Alaikum!I heartily solicit for your honest/Godly assistance to safe our soul.Following the sudden death of my father General Sani Abacha the late formerNigeria head of state, in August 1998, I have been thrown into a state of utter confusion,frustration and hopelessness by the present civilian administration, I have been subjected to physical and psychological torture by the security agents in the country. As a child that is so must have heard over the media reports and the Internet on the recovery of various huge sums of money deposited by my father (General Sani Abacha) in different security firms abroad, some companies willingly give up their secrets and disclosed our money confidently lodged there or many out right blackmail. In fact the total sum discovered by the Government so far is in the tune of US$700. Million dollars. And they are not relenting to damage my family.

Further info.Website:

I got your contacts through my personal research, and out of desperation decided to reach you. I will give you more information as to this regard as soon as you reply. I repose great confidence in you hence my approach to you due to security network placed on my day affairs I cannot afford to visit the embassy so that is why I decided to contact you and I hope you will not betray my confidence in you. My father deposited the sum of US$350.000.00 million dollars with a security firm in abroad in which I want you to clear at least US$50 million first so that you will use part of the fund to clear the remaining fund and the security deposit company have affiliate collecting centre all over the global. whose name is withheld for now until we open communication. I shall be grateful if you could accept to conclude this transaction and keep this fund for safe keeping. This arrangement is known to you , my mum Zainab and our Attorney alone,so our Attorney will deal directly with you as security is up my whole being.I am seriously considering to settle down abroad in a friendly atmosphere like yours as soon as this fund get into your custody. I will require your telephone and fax numbers so that i can forward them to me to enable you and me to communicate immediately.
Listen carefully, I not in doubt of what my late father did, but I want you to understand that present President (Gen. (Rtd)) Olusegun Obasanjo intentionally dealing with my family based on the political misunderstanding he had with my late father of the past Nigeria is a wealthy country and no Government since 1977 to this day that is not dubious,
President (Gen. (Rtd)) Olusegun basanjo and his family today has syphoned the ecomony (fund) of this nation. I hereby take you back to the history of this nation (Nigeria) from 1977 to this day and you willunderstand my point.
President (Gen. (Rtd)) Olusegun Obasanjo made up his mind to damage my family out of his share wickedness. I am once in Nigeria Government and hereby giving you assurance that Nigerian are corrupt from the top to it's base. Please don't disclose the telephone number to the third part for the good interest of my family and the safety of this business.
Call my direct line +23450408864 or email: allajimohammed_abacha@yahoo.com.au for more info.

Sincerely yours,
Mohammed M. Abacha.

The email header (viewable in Outlook using View > Options > Internet headers) was interesting too. The "From:" address (which may well have been spoofed) was a US-based ISP. The "Reply-to" address was an address at Yahoo in the UK, different to the Australian Yahoo reply address included in the main body of the email. I've notified all three by the way so now the race is on between the processes that will delete the mailboxes, and the scammer's activities to gather personal information from those poor fools who might have fallen for his amusing sob story.

I think I'll print out and laminate this classic 419 email for the office wall. As well as being a useful lesson in security awareness, it's one of a dying breed (/wishful_thinking_mode)

More email security, IT fraud and security awareness links

11 Jan 2007

Whistleblower hotlines work!

An excellent 36-page report by The Network, Inc., a company that runs whistleblower services, and CSO Executive Council gives the results of their statistical analysis of 180,000 whistleblower hotline calls from 550 organizations over 4 years. That's quite a sample on a seldom-reported topic. Here are a few salient points from the 2006 Corporate Governance and Compliance Hotline Benchmarking Report - a Comprehensive Examination of Organizational Hotline Activity:

- 65% of calls were 'serious enough to warrant investigation' - that's management-speak for "Oh shit" - with nearly half resulting in 'corrective action';

- 71% of callers gave information that was 'news to management'. 71%! Managers I have known think they are well-connected to the workforce. "I'm all ears", they say. "My door is always open" or "I Manage By Walking About." Yeah, right;

- just over half of the callers prefer anonymity, with callers alleging corruption/fraud (10% of calls) less likely to remain anonymous than those reporting other things such as HR issues, policy/code violation, environment/health and safety concerns etc. In my experience, managers considering whistleblower policies seem overly concerned about anonymity, claiming that it encourages frivolous or scurrilous calls, and that they won't be able to investigate calls made anonymously. More poppycock! It seems to me they need to focus more on addressing the content of the calls than on the callers;

- What I would categorise as "blue collar workers" are more likely to use whistleblower lines than "white collar workers", with retail and transportation/comms/utilities employees leading the way.

Does your organization have a whistleblowers' policy, with or without a hotline? Was its introduction driven by SOX, by Audit, as a result of a particular incident or for some other reason? Who answers the calls/emails and how do they handle them? How useful is the information obtained in relation to the effort/cost involved? If you could start over, how would you set it up? Comments and further links are very welcome. I'm eager to learn more.

10 Jan 2007

Infosec laws, standards & regs cross-referenced

The IT Compliance Institute (ITCi) has produced a useful cross-reference matrix showing the points of contact/overlap between a whole bunch of US/international laws, standards and regulations relating to information security (free access requires registration on the ITCi site - there are other useful resources too so it's probably worth doing). Some of the main ones are: ISO 17799 and 27001, COBIT4, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 94, PCAOB and SOX. They are listed along one axis with control objectives on the other axis and the page or section references in the body note the coverage.

So, here are three ways you might use the matrix:

- ISMS coverage by control objective: check down the list to confirm that your ISMS covers most of the control objectives, and if there are any you do not recognize or you know are weak, look across the rows to find references from the standards that will explain the requirements;

- ISMS coverage by laws/standards/regs: highlight the vertical columns for all those laws/stds/regs with which your organization has to comply, then highlight the horizontal rows where there are any entries in a marked column. Rows with multiple entries are common controls, so you probably already have them, but implementation should integrate the multiple requirements. Be careful about the rows with single entries: do you have them all covered in your ISMS? If not, there's a noncompliance risk to consider.

- Linking standards to laws & regs: management are strangely concerned about compliance to laws and regs if not standards, presumably because they fear the personal accountability and business impact of non-compliance. The cross-reference matrix can help the information security manager who is promoting best practice ISMS standards by identifying the legal and regulatory requirements that coincide with best practice controls.

A lot of work must have gone into compiling the matrix. Make the most of it.

There's further information on ISMS best practices at our ISO 27001 Security website.

A webinar explains the ITCi's Unified Compliance Project which is making excellent plans to simplify, harmonize and perhaps even unify the IT compliance problem across laws, standards and regs.

More information security links here

9 Jan 2007

Credit card data sent over AOL IM link

Here's a curiously amusing tale about a shop using AOL Instant Messenger to send a customer's credit card details, unencrypted, to another shop where the EFTPOS terminal was. The shop assistant had a slight clue about credit card security: on the hand-written receipt, he used X's in place of most of the credit card number!

We use little scenarios like this (and some not so little) in our case studies and other security awareness materials ...

More identity theft and security awareness links

PayPal eCommerce safety guide

PayPal has released a new eCommerce Safety Guide with 20 pages of good advice on how to spot and avoid various forms of fraud on the Internet - auction fraud, phishing, identity theft and more. It's well written and easy to read.

For a slightly different perspective on eBay and PayPal fraud, check this out.

More identity theft and security awareness links

8 Jan 2007

Charity phishing lure

Many of us will have seen the emails circulated just after hurricane Katrina struck, inviting us to visit a number of dubious websites to "donate" to the disaster fund. Well here's something similarly sinister that just landed in my inbox:

---------- Email received -----------

You have a personal invitation to join S.O.S. Children's Villages donation program.

Today there are over 143 million children orphaned worldwide. S.O.S. Children's Villages is working hard to provide homes for these children, protecting them from abuse and exploitation, and giving them a place to call home...

Help us to help children in need. Any contribution you are able to make helps make a difference in the lives of children, giving them a new, loving home, a proper education, and health-care - in short, giving them the chances in life they deserve.

S.O.S. Children's Villages' work is built upon the generosity of our donors all over the world and all contributions, large or small, regular or occasional, go towards helping us make a difference to children's lives. What better way to secure the future of our world than supporting the world's children?

Give the Gift of Hope - Make a Donation to Help Orphaned Children! <- There was a dotted-decimal URL here>

Our online donation form is a fast, convenient and secure way for your online donation. When making your online donation, you can either specify a continent where you would like your contribution to go, one of our featured projects, or decide to help where your money is needed most.

Thank you for wanting to contribute to give children a new home and a family.

S.O.S. Children's Villages International.

---------- End of email -----------

I believe S.O.S. Children's Villages is a legitimate global charity based in Austria. However, the URL embedded in the email was a numeric dotted-decimal URL that is registered to an ISP in Japan - it is most likely a compromised system being used by fraudsters, not a genuine charity server. The (probably spoofed) sender's email address belongs to a domain registered by an Indian biometrics/security company (nice touch!) that is not currently in use. I discovered these facts simply with a bit of digging on Google, Wikipedia and using the handy IP/domain lookup WHOIS function provided by DNSstuff. I also did a quick search on the wonderful HoaxBusters site but this particular type of scam isn't listed.

By the way, this was an HTML email. Outlook normally hides the actual URL under the link text, in this case the line "Give the Gift of Hope...". If you hover the cursor over the link, a 'tooltip' appears, showing the true URL (this works in Mac Mail too, I believe). I have my Outlook set to display all emails as plain text by default (Tools > Options > Preferences > E-mail Options > Check the option to "Read all standard mail as plain text") which means it displays all URLs in angle brackets. Sure, I sometimes need to click the option to "Display as HTML" emails from people I trust but on balance, I prefer to check the true URLs of links I might be following.
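The checks described in this post and in the 419 email above (Reply-To pointing somewhere other than the From domain, a contact address in the body from yet another domain, and a link whose real target is a bare dotted-decimal address hidden under friendly link text) can be automated. This is an added example, not code from the original post; the headers, hosts, addresses and domains in the sample message are all constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EMAIL_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def analyse_message(raw):
    """Return (code, detail) findings for the indicators discussed in the post."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    # 1. Reply-To pointing at a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(("REPLY_TO_MISMATCH", reply_to))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(text)
        for href, label in extractor.links:
            host = urlparse(href).hostname or ""
            # 2. Link target is a bare dotted-decimal address, not a named host.
            if IPV4_LITERAL.match(host):
                findings.append(("IP_LITERAL_LINK", href))
            # 3. Link text looks like a domain/URL but the real target differs.
            if DOMAIN_LIKE.match(label):
                shown = label if label.lower().startswith("http") else "http://" + label
                if (urlparse(shown).hostname or "").lower() != host.lower():
                    findings.append(("LINK_TEXT_MISMATCH", href))
    # 4. Contact addresses in the body that belong to yet another domain.
    known = {domain_of(a) for a in (from_addr, reply_to) if a}
    for addr in sorted(set(EMAIL_ADDR.findall(text))):
        if domain_of(addr) not in known:
            findings.append(("BODY_ADDRESS_OTHER_DOMAIN", addr))
    return findings


# Constructed sample resembling the charity lure; every name and host is a placeholder.
SAMPLE_RAW = """\
From: "S.O.S. Children's Villages" <donate@example-sender.test>
Reply-To: sos.donations@example-freemail.test
Subject: Personal invitation to join our donation program
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Help us to help children in need.</p>
<p><a href="http://203.0.113.45/donate">Give the Gift of Hope - Make a Donation!</a></p>
<p><a href="http://203.0.113.45/secure">www.example-charity.test/secure</a></p>
<p>Questions? Write to support@example-other.test</p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyse_message(SAMPLE_RAW):
        print(f"{code:28} {detail}")
```

Run against the sample it reports the Reply-To mismatch, both dotted-decimal links, the link whose text names a different host, and the stray contact address.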

I've taken the precaution of removing the embedded URL from the email above just in case it installs a Trojan on your machine. Needless to say, I will not be visiting it on this occasion.

This kind of social engineering attack using a charity as a lure is particularly nasty as it plays on the goodwill and naivety of ordinary people like you and me. I hope this topical little example, or something similar from your own inbox, finds its way onto the security awareness pages on your corporate intranet as a warning to your colleagues. Tell your family and friends too. I'm sure it will not be the last one we see.

More links on phishing and security awareness.

PS I have notified the charity, the ISP, the biometrics company and HoaxBusters, offered my help and directed them to the excellent Anti-phishing Working Group for professional assistance.

PPS The charity's Internet Manager has indeed confirmed this is a fake that started circulating last Friday. Anyone who wants to donate is invited to visit www.sos-usa.org.

4 Jan 2007

Outsourcing in India

We all know about the off-shore call-centres in places like India and Indonesia, but there's more to outsourcing than call-centre operations. A fascinating article in Bank Technology News paints a beautifully clear picture of IT outsourcing in India, particularly the islands of investment awash in a sea of poverty.

It's easy for us Westerners to overlook the cultural differences and make false assumptions about India, especially if we have never visited that part of the world. Outsourcing may be a massive earner for India and is still growing strongly but the local infrastructure is creaking under enormous strain. The caste system survives, meaning inherent inequalities. India has over a billion citizens, half of them under 25, and an average wage of just US$3,300 per year. Whereas two thirds of the population survives on less than a dollar a day, highly-trained IT specialists earn well and are in short supply. High IT staff turnover creates its own security issues.

The article specifically calls out the information security and privacy concerns in India. "... background checks of personnel remains a nagging concern. No central criminal databases exist and credit agencies remain relatively new, so any background checks must be done in person, which is often invasive. 'Sometimes they'll just ride around the [potential employee's] neighborhood and talk to the constable,' says Crosby. 'None of this stuff is documented.'"

"... the Indian Information Technology Act of 2002 makes cyber crimes a federal offense, enforceable by India's Central Bureau of Investigation. The CBI established the Cyber Crime Investigation Cell in March 2002 to patrol such crimes, including a crime lab to train investigators. Parliament is now debating an amendment to the act, already approved by the Cabinet, that would make fines and jail time more stringent for those convicted of IT privacy crimes."

Indian data centers are reasonably secure according to those who have inspected the facilities. "... most outsourcers are compliant and certified for BS779 and ISO17799 controls, the two U.S. best-practice controls for information security, which have now become internationally recognized." [Some artistic license there by the journalist: British Standard BS 7799 became ISO standard ISO/IEC 17799, neither of which are American!].

More privacy and information security management links

3 Jan 2007

New DVD copy protection scheme hacked

A scene reminiscent of the satellite TV crypto wars is emerging with Advanced Access Copy System (AACS), a new copy protection scheme designed to control the playing and copying of protected DVD/video content. A hacker claims to have broken AACS, the protection technology used by both the competing standards HD-DVD and Blu-ray. Blu-ray apparently has the capability to encode alternative protection mechanisms on the DVDs themselves which mitigates the risk a little but if the hacker's claims are true, HD-DVD is already in deep trouble.

Breaking/bypassing copy protection mechanisms to steal protected copyright content is clearly unethical and most likely illegal under copyright law and DMCA but, if the satellite TV situation is anything to go by, there is a substantial underground market both for pirated movies and for the cracking devices. Perhaps it's time for the movie studios and music business to disarm the pirates not (just) by technical wizardry but (also) by reducing the retail prices of the legitimate goods?

More IPR resources

Deep-linking not 'fair use'

Granting a preliminary injunction, a Texan judge has declared it unlawful to hyperlink to an audio webcast against the wishes of the copyright owner. Robert Davis, operator of Supercrosslive.com, had been deep-linking to live streaming audio of motorcycle racing events, bypassing the sponsored advertising on SFX Motorsports' website. The judge said "the link Davis provides on his website is not a 'fair use' of copyright material".

More links on IPR and laws, regulations and standards

The ¥40bn typo

Does it matter if I offer to sell 610,000 things at 1 Yen each instead of 1 thing at ¥610,000? Errr, yes it does, especially if I'm a broker trading shares live on a busy Tokyo Stock Exchange. The broker's typo cost Mizuho Securities, Japan's second largest bank, ¥40.7bn (approximately US$340m) in charges to buy back the shares. The broker tried four times but was unable to cancel the trade due to 'a problem' with the exchange systems. In a typically Japanese form of accountability, the president, IT head and managing director/executive officer of the stock exchange all resigned, the cock-up following hard on the heels of earlier 'technical problems' i.e. capacity constraints, availability failures and functional limitations of the exchange's dealing systems.

It seems curious to me that the apparent lack of data validation on the brokerage's own systems is not even mentioned in the news reports. Being such a cheap price and more than 40x the actual number of shares in the company, the sell offer was so far out of whack with reality that the brokers' systems (both buyers' and sellers') should have flagged it as a probable typo, if not trapped the deal pending confirmation. It can't be easy to validate trades in such a high-pressure environment where occasional deals are bound to be outlying data values, but surely it must be feasible to impose some pragmatic limits?
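To show what "pragmatic limits" might look like in practice, here is an added example (not code from the original post or from any exchange) of a pre-trade check that compares an order against the last traded price and the number of shares in issue, and specifically tests whether price and quantity have been transposed. The reference data, thresholds and symbol are assumed values constructed to match the 1 x ¥610,000 versus 610,000 x ¥1 case above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    symbol: str
    side: str        # "BUY" or "SELL"
    quantity: int    # number of shares
    price: float     # limit price in yen per share


@dataclass(frozen=True)
class Reference:
    last_price: float         # last traded price for the symbol
    shares_outstanding: int   # total shares in issue


def pre_trade_checks(order, ref, max_deviation=0.10, max_share_of_issue=0.05):
    """Return reason codes for an order; an empty list means nothing looked wrong.

    max_deviation: tolerated distance from the last traded price (10%).
    max_share_of_issue: largest single order as a fraction of shares in issue (5%).
    Both thresholds are assumed values for illustration, not exchange rules.
    """
    if order.quantity <= 0 or order.price <= 0 or ref.last_price <= 0:
        return ["INVALID_FIELDS"]
    max_qty = ref.shares_outstanding * max_share_of_issue

    def plausible(qty, px):
        off_market = abs(px - ref.last_price) / ref.last_price > max_deviation
        return not off_market and qty <= max_qty

    reasons = []
    if abs(order.price - ref.last_price) / ref.last_price > max_deviation:
        reasons.append("PRICE_OFF_MARKET")
    if order.quantity > ref.shares_outstanding:
        reasons.append("QUANTITY_EXCEEDS_SHARES_IN_ISSUE")
    elif order.quantity > max_qty:
        reasons.append("QUANTITY_EXCEEDS_LIMIT")
    # Transposition heuristic: the order as entered fails, but with price and
    # quantity swapped it would be perfectly ordinary -- the classic fat finger.
    if reasons and plausible(int(round(order.price)), float(order.quantity)):
        reasons.append("PRICE_QUANTITY_TRANSPOSED")
    return reasons


# Constructed reference data: a thinly traded stock at ¥610,000 with 14,500
# shares in issue, so a 610,000-share order is roughly 42x the whole company.
REF = Reference(last_price=610_000.0, shares_outstanding=14_500)

if __name__ == "__main__":
    for o in (Order("EXAMPLE", "SELL", 610_000, 1.0),        # the typo
              Order("EXAMPLE", "SELL", 1, 610_000.0),        # what was intended
              Order("EXAMPLE", "SELL", 2_000, 600_000.0)):   # large but real
        print(o.quantity, "@", o.price, "->", pre_trade_checks(o, REF) or "OK")
```

Returning reason codes rather than a bare reject lets the firm decide which codes block the order outright and which merely hold it for a second pair of eyes, so genuine outliers are slowed down rather than lost.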

More links on integrity, incident management and accountability

2 Jan 2007

Cheap source of ISO security standards

Here's some news to cheer your new year. ANSI is selling ISO 17799:2005 as a PDF download for just US$30. Bargain! The normal price elsewhere is at least $100 more so either they are having a January clearance sale prior to its imminent re-badging as ISO 27002 or someone made a typo on the pricing page (an integrity failure!).

A PDF of ISO 27001:2005 is also just $30.

The license permits installation and use of the PDFs on a single PC but I believe site licenses are also available.

More info on ISO 27001 and ISO 17799/27002

1 Jan 2007

A legal argument for security awareness

An article by Ryan Sulkin on Law dotcom starts thus: "As headlines continue to report data security breaches at an alarming rate, discussion often focuses on the need for enhanced technical controls, such as two-factor authentication and encryption, to protect sensitive, personally identifiable information. The role of the company employee, both as the cause of, and the first line of defense against, security breaches is often lost in the analysis. Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program." Making the case for security training/awareness, it continues: "However, employees need not be viewed as an expensive companion threat to outsiders. Instead, if companies properly focus on key employee-related security controls and implement those controls in a reasoned and responsive manner, employees can be powerful assets to data security. Employees can assist companies with compliance requirements and, at the same time, help serve as an important line of defense from insider and outsider threats." Ryan picks out GLBA, HIPAA, PCI, FFIEC and ISO 17799 as examples of laws, regulations and standards that require employee awareness, training and education in security. "Finally, in light of all the evolving legal requirements and technological threats to security discussed above, it is important for companies to ground security in the culture of their organization. This begins with the training process, but also requires an ongoing emphasis on the importance of security." Well said Ryan!

More resources for security awareness and laws, regulations and standards

Vista license management

In advance of its release by Microsoft, some people are concerned at the license management schemes in the new Vista operating system. In particular, it is claimed that MS can hobble a Vista system that is not properly authenticated as a legitimate licensed copy, and that Vista disables certain digital interfaces when playing protected content. MS finds itself in a tight spot, balancing the rights and requirements of the copyright owners (including MS) against the rights and requirements of its customers. These are strategic issues concerning the future direction of the IT industry, given the prevalence of Windows.

More IPR links