Welcome to the SecAware blog

I spy with my beady eye ...

30 Apr 2007

Tell everyone you know! [UPDATED]

There's another old, old story doing the rounds here in NZ, concerning someone in a car park offering cheap perfume that turns out to be ether.

Poppycock! Stuff and nonsense!

It's an urban legend.

The warning signs are there in the story:
- The story sounds plausible to someone who doesn't understand how ether works [ether has a very strong "fumy" smell, not pleasant like perfume; it would take a strong dose e.g. on a rag pressed over the victim's mouth & nose to cause unconsciousness]
- It happened (or nearly happened) to 'someone else', never the storyteller
- The storyteller is taken in by the story and is keen to tell everyone else
- Emails end with "Tell all your friends!" and/or "Tell your women friends!" and impart a sense of urgency

Best of all, the urban legend is systematically dismantled on www.Snopes.com. If you want to pass on a good piece of advice to all your friends, tell them about Snopes dotcom.

UPDATED 10th May: Aside from Snopes, a CERT Cybertip on hoaxes recommends the following sites: Urban Legends and Folklore; Hoaxbusters; Truth Or Fiction; Symantec; and McAfee.

29 Apr 2007

Hey I've got $1.5 million!

Well, what do you know!


It appears I'm the beneficiary of a sum of $1.2 million (ONE POINT TWO MILLION DOLLARS) that is being held for me by a kindly official in a little West African state, who for some obscure reason appears to be using a Russian email system. I was beginning to think perhaps this was just another 419 scam but no!

this is due to many abnormalities had happened in the institutions where some top official of the apex institutions are interested in your payment and they collaborate with impostors who are carrying a fake portfolios with levies misled and misguided about the position of your fund and having the opportunity to extort money from you that made it too longer up till date that explains why you receive different kinds of untrue emails and phone call from different people everyday.

So that's cleared it up then. The money has accumulated because of the impostors and fakers with abnormalities who have been trying to scam and extort money from me.

Finally be inform that your funds are fully free of any liens or encumbrances and are clean, clear and non-criminal origin and are available to pick, this guarantee is witness by the World Bank Group, International Monetary Funds IMF Paris and London Club of creditors, European Economic Community EEC, EFCC Africa and the Envoy's of our Correspondence International Bank of Settlement world Wild.

Phew! I'm relieved to hear that the "International Bank of Settlement world Wild" says it's OK. Apparently I have to send my contact details and pay a charge:

They will chargeyou $165 a great deal less than a money wire service would to enable the programming of your information in the micro chip compartment of central computer and your code will be send to you to enable you cash your money at your convenient time.

$165 to program the micro chip compartment sounds entirely reasonable.

Full marks to the scammer for his creative writing skills. This email is almost funny enough to be worth $165 just to find out the next thrilling installment ... but not quite.

PS It's OK, I've just received an offer of help from the [Nigerian] Financial Crime Commission (variously calling themselves "the finance security commission" and "THE FOC TEAM"). All I have to do is send them details of the scams and they will refund me. Golly! Here it is:

ATTN : this is not one of the popular jingo that has to do with 'you have won a lottery-Lotto scam' 'Represent our company-cashiers check scam' 'Business proposal deal -All in the way to make you fork out an upfront fee’. Nigeria as you well know is the den for evil perpetrators which are well classified by the dictionary to as scammers.

Not the "popular jingo", oh no.

Permit me to introduce our establishment to you if this letter concerns your interest, the financial crime outburst in collaboration with the Nigerian finance security commission is out with an aim to make back refunds to the victims of the society and oversea whom has in one way fell a victim of the advance fee fraud so far since either presently or in the past.

So, "the financial crime outburst" is working in collaboration with "the Nigerian finance security commission", eh?

We had a surveillance on cyber cafes and made a scrutiny on account holders of young stars (who are particularly the initiators of this web scam).We have in our custody arrested outh over hundreds and confession stories of how various innocent people oversea particularly USA society are being defrauded on daily basis.

Those "young stars" !

Our aim on this is that the Nigerian government is trying to create a restoration of the country’s image on the internet by making back refunds to victims to make a sustainable development of the .

They are trying to sustain development of the full-stop to restore Nigeria's image?? Now I'm confused.

This letter however is a calling out to victims whom have lost monies no matter how small or large ( this would be paid and doubled up) after due processing irrespective of where they got you on the scam, they could approach you with a deal from United Kingdom,canada,Spain,Nigeria....but they are certainly from Nigeria. the lines which they communicate with you from are tapped diverted lines. This is to say that every scam has its root from NIGERIA.

Aha, "this would be paid and doubled up". We see the first sign of an appeal to greed. The bait is laid.

Like i did explain above, if you wish to receive your hard earned money back (doubled up) or you have a close colleague who was victimized, kindly send us such information with proof of transaction details you have with these con men to enable necessary proceedings. But if you have never been scammed you could contact us for internet web advises on tractions which you are currently having at the moment, this puts you on safe grounds.

I'm doubled-up just reading this! I don't think I will be contacting them for "web advises" even if it will "puts [me] on safe grounds".

The punch line is the sig:

...restoring the image of Nigeria
Hotline- (234) 8032 140873

(234) is the country code for Nigeria where these bozos are most probably located. I don't think they are doing much to restore Nigeria's image though.

PPS FraudAid is yet another site offering assistance to the victims of 419ers and other scamsters. The site looks legit but who knows. Maybe it is run by a young star in a Nigerian cyber cafe?

27 Apr 2007

A map for NIST Special Publications

NIST has published over 250 Special Publications, FIPS standards and guidelines on IT security, all available for free download from the NIST Computer Security Resource Center. There are so many that newcomers tend to be overwhelmed by the choice. NIST's response is to publish yet another document - a guide to their publications that categorises them by 'family', by topic cluster and by [US] legal requirement.

The choice of a PDF document for the guide was presumably a no-brainer for NIST and, I guess, will suit people who like reading printed documents. I hate to criticise NIST but the guide doesn't even have URLs for the listed documents. New draft and final standards are published every month but the guide will only be updated twice a year.

The Google search box on the CSRC home page has the advantage of easier, more flexible and more up-to-date searching. I think I'll stick to that, thanks.

On building an incident response capability

Mich Kabay has released a superb white paper synthesizing various pieces he has written previously on building an effective Computer Security Incident Response Team. It's 31 golden pages long. I appreciate his comments towards the end, for example, about post-incident reviews coming up with an action plan clearly stating "who intends to deliver precisely what operational result to whom in which form by when". As a former IT auditor, I know the value of going the extra mile, pinning people down to commit to making the changes necessary for actual control improvements. Otherwise, history just repeats. Hindsight may be 20/20 but why is it so difficult to get management to DO the things they admit ought to be done?

Mich has also republished the contents of a training CD on incident response from US DoD's Defense Information Systems Agency (DISA), with their permission. At over 300 megs, it's not short of content.

25 Apr 2007

Boundary? Wot boundary?

Disappearance of the network boundary is a 28-page ISF Digest (report of a special interest group) from the Information Security Forum about the increasing Internet connectivity of today's typical corporation. As the traditional fortress wall/network perimeter is dissolved, the boundary security controls can expand to somehow incorporate untrusted devices Out There in webInterland or contract to protect devices In Here from all other devices [this is a false dichotomy if changes may take place in both directions at once]. The report recommends gradual evolution of current security controls in the short term and investigation of other options in the longer term.

Labour pains for ISO 27002

Like expectant parents, we are anxiously awaiting news of the renaming of ISO/IEC 17799:2005 to ISO/IEC 27002:2007. We are keeping our beady eye (just the one, you understand) on the ISO and BSI websites and all the usual press release outlets. Idly searching Google to distract us from the noise of the labour, we chanced across a Forrester Research report from 2005 that spells out the pros and cons of ISO 17799. Author Michael Rasmussen neatly summarized the benefits of applying accepted good practices in information security management, and the drawbacks of expecting too much from a framework. The ISO standards are necessarily generic guidance, meaning that the nitty-gritty details of the risks of concern to, and the controls required by, any specific organization are left to management and expert advisors. The argument that ISO 17799 is "not specific enough" is widely made but misunderstands the value and purpose of such international best practice management systems standards.

Anyway, we will soon be taking up knitting or smoking or something. The tension is killing us.

24 Apr 2007

Return on Information Security Investment

Return on Information Security Investment (ROISI), perhaps more commonly if less accurately known as ROI or ROSI, is one of those topics that is often discussed but never truly resolved. It has been declared a zombie topic on CISSPforum for that reason: we're tired of hearing the same old arguments re-hashed every few months. That said, we are always open to new angles on the old saw. Masters student Adrian Mizzi took a long hard look at ROISI and wrote his thesis around it. Adrian's model involves finding an optimal investment choice by balancing three key factors: “Viability of Expenditure”, “Successfulness of Attack” and “Motivation to Attack”. Adrian's thesis has been published as a book ($37) or PDF ($25) for those who are interested in some primary and secondary research on this important topic.

20 Apr 2007

The lure of VA Tech

Hot on the tail of the shocking massacre at VA Tech comes news of spammers and probably other scamsters using the incident as a lure for their evil deeds. According to a message on SANS Internet Storm Center today, spammers have sent emails inviting recipients to follow a link for video of the shooting ...

By the way, the SANS ISC makes a good default home page if, like us, you want to keep up with infosec news.

UPDATE: Wired has a piece on this too.

More network security links

17 Apr 2007

Infosec salaries up 6½% on 2005 - woop woop

Amongst the usual boring drivel about why a certain statistic is marginally up or down on previous values, one section caught my eye in the latest SC Magazine survey of information security salaries:

"The other thing that I think we’re starting to finally see is that security is becoming more and more integrated into the other operational areas of IT, whereas if you go back a few years, you needed a staff of absolute security specialists that sort of rode herd on the whole thing," he says. "Now what’s becoming more important is that security is integrated into all facets of the IT operations. It’s that cross-pollination, I think, that’s happening and, as security gets integrated more and more into the mainstream of the organization, you’re going to see that differentiator for people as security specialists in a standalone mode change." That means that no longer will companies need to hire "a team of security killers," but "a bunch of IT professionals with good security awareness," he adds.

So, information-security-savvy IT professionals are going to be in demand, are they? We'll see.

I agree with some of the other points in the magazine article though, such as the change of emphasis from hiring information security managers with pure technical skills to those with business-plus-technical competencies. If you haven't already done it, Mr Information Security Manager, it's high time to take a serious look at doing an MBA or similar qualification through a good business school. At the very least, you'll learn how to speak management doublespeak and perhaps you won't be quite so terrified of phrases like "security strategy" and "business case".

ISO 27001/2 implementation process

Today I've published a generic flowchart showing a typical process for implementing ISO 27002 (formerly ISO 17799 and before that BS 7799 Part 1) and gaining certification against ISO 27001 (formerly BS 7799 Part 2), within the FAQ at ISO27001security.com. The website is purely an information source - no advertising, nothing to sell - but judging by the number of hits we are getting, this is definitely a hot area. Anyone reading this who is actively using the ISO 27000-series standards is invited to join their peers in the free ISO 27000 implementers' discussion forum - a self-help community for information security practitioners. I've uploaded the Visio version of the flowchart to the forum's files area as a benefit for members: further contributions are very welcome.

More links on information security standards and laws

IT audit checklists

The IT Compliance Institute has so far published a set of four useful checklists providing practical guidance for IT, compliance, and business managers on preparing for successful internal audits of various aspects of their operations. In addition to helping managers understand what auditors look for and why, the checklists can also help managers proactively complete self assessments of their operations, thereby identifying opportunities for system and process improvements that can be performed in advance of actual audits. The four checklists are:
- information security audit checklist
- IT governance and strategy audit checklist
- IT risk management audit checklist
- PCI compliance audit checklist

Access to the downloads requires registration but if you are sufficiently interested in these checklists to download them, you would probably benefit from the occasional email updates and other information from the institute. They don't spam me, anyway.

More IT audit and IT governance links

Fortune 1000 companies botnetted

An article in the New York Times on spam and botnets quotes some ballpark figures:
- 11% of the 650 million computers on-line contain botnet code
- 250,000 new systems get botted every day
- 80% of all spam originates from botnets

That little snippet of news came from Support Intelligence, a commercial company that is monitoring the Internet for spam, botnets etc., analyzing the origins and publishing some of the more interesting details in their blog (as well as selling the data to their clients). Many big-name companies are named and shamed; in other words, spammers have evidently infiltrated major corporate networks, setting up botnets that spew forth spam through the corporate email systems, some of which run mainstream antispam software such as Ironport (perhaps it is configured only to spam-check inbound email?).

More network security links

16 Apr 2007

Pen testers' confidence boost

Penetration Testing with Confidence: 10 Keys to Success is a SANS webinar on Tuesday, April 17th at 1PM EDT (17:00 UTC). According to the blurb:

Penetration testing is fast becoming essential for IS professionals seeking to comply with security mandates, assess defensive IT infrastructure, and assure customers of privacy protections. At the same time, a poorly planned or executed penetration test can turn into a costly liability. Whether you're an experienced pen tester or a first-timer, this webcast will give you the insight you need to approach all pen tests with confidence.

More network security links

12 Apr 2007

Anti-spam tips

A little CERT cyber alert on spam has been republished, expanding on the following nuggets of advice:
- Don't give your email address out arbitrarily
- Check privacy policies
- Be aware of options selected by default
- Use filters
- Don't follow links in spam messages
- Disable the automatic downloading of graphics in HTML mail
- Consider opening an additional email account
- Don't spam other people

More email security links

11 Apr 2007

Get poor quick schemes

Purveyors of classic "Ponzi" or "pyramid" get-rich-quick schemes that have fleeced countless naive and desperate investors of their savings over decades have found a wonderful new outlet: the Web. The curiously named Haisoj Network reports problems with a site inviting people to earn attractive returns on their investments simply by surfing the web ... and by recruiting further members - which looks to me like a huge clue to the true nature of the beast. If investment returns for existing members are being paid at least partly from the investments of new members, there inevitably comes a tipping point when the whole scheme collapses. Cast aside those greedy thoughts about 'getting in there early': the originators are the only people likely to make real money, unless they end up in court facing fraud charges in which case their lawyers get rich quick.

As with phishing exploits, phools and their money are easily parted. Pyramid scheme investors would be better-off investing their hard-earned dosh in a roll of tin foil.
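The collapse argument above can be put in numbers. The following cash-flow model is an added illustration, not code from the original post or from the site it cites; everything in it is constructed: a fixed deposit and promised return per member, a finite pool of recruits (logistic growth), an operator's cut of each deposit, and an asset_yield parameter that is zero for a pyramid scheme and positive for a fund that genuinely earns what it pays out.

```python
"""Cash-flow model of a "returns paid from new deposits" scheme.

Added illustration with constructed parameters: each member deposits the
same amount and is promised a fixed return every period, recruits arrive by
logistic growth (the pool of people willing to join is finite) and the
operator keeps a cut of every deposit. The scheme "tips" in the first period
in which new deposits no longer cover the promised payouts, and collapses in
the first period in which cash on hand cannot cover them at all.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    tipping_period: Optional[int]   # first period new deposits < promised payouts
    collapse_period: Optional[int]  # first period payouts cannot be met (None = survived)
    members: int                    # members at the end (or at collapse)
    cash: float                     # cash on hand at the end (or at collapse)


def simulate_scheme(deposit: float, return_rate: float, initial_members: int,
                    growth_rate: float, market_size: int, operator_skim: float,
                    asset_yield: float, horizon: int) -> Outcome:
    """Run the scheme for `horizon` periods and report when it tips and collapses.

    asset_yield is what the pooled cash genuinely earns per period: a pyramid
    scheme has none (0.0); a legitimate fund pays its returns out of it.
    """
    members = initial_members
    cash = members * deposit * (1 - operator_skim)
    tipping = None
    for period in range(1, horizon + 1):
        # Logistic recruitment: growth slows as the pool of recruits empties.
        new = int(growth_rate * members * (1 - members / market_size))
        inflow = new * deposit * (1 - operator_skim)
        cash += inflow
        members += new
        # Genuine earnings on the pooled cash (zero for a pyramid scheme).
        cash += cash * asset_yield
        payout = members * deposit * return_rate
        if tipping is None and inflow < payout:
            tipping = period            # cash starts draining from here on
        if payout > cash:
            return Outcome(tipping, period, members, cash)
        cash -= payout
    return Outcome(tipping, None, members, cash)


if __name__ == "__main__":
    # Pyramid scheme: 10% per period promised, nothing actually earned.
    ponzi = simulate_scheme(deposit=1000, return_rate=0.10, initial_members=10,
                            growth_rate=0.5, market_size=1000, operator_skim=0.2,
                            asset_yield=0.0, horizon=100)
    print("pyramid scheme:", ponzi)
    # Same promise, but the fund really earns 10% per period on its assets.
    fund = simulate_scheme(deposit=1000, return_rate=0.10, initial_members=10,
                           growth_rate=0.5, market_size=1000, operator_skim=0.0,
                           asset_yield=0.10, horizon=100)
    print("legitimate fund:", fund)
```

With these constructed parameters the pyramid scheme tips in period 14, when recruitment has slowed enough that new deposits fall below promised payouts, and runs out of cash in period 19 with 991 members signed up; the fund with real earnings never collapses.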

More IT fraud resources

8 Apr 2007

NIJ guide to investigating hi-tech crimes

The National Institute of Justice is publishing a series of guides for those engaged in responding to, investigating and presenting evidence in US courts about high-technology crimes. In 137 pages, Investigations Involving the Internet and Computer Networks, the latest publication, covers investigations involving email and websites, Instant Messaging, chat rooms and IRC, file sharing networks, network intrusion and denial of service, listservs and newsgroups. It provides basic advice on technology and legal issues, with a brief nod to IT forensics. The guide is a little outdated in places but is a useful introduction to the requirements.

More network security resources

6 Apr 2007

How I got started on security awareness

Having been 'tagged' by a colleague from the Security Catalyst community, it seems I must explain 'how I got started' in infosec and specifically how I ended up in security awareness.

My first contact with computing was in connection with my childhood interest in amateur radio and electronics. I saw a demonstration of one of the first PCs at the radio club, running the game "Life" at about one generation per 15 seconds. It was amazing!

I started using IT systems at school (where the students knew more about IT than the teachers!) and in college I wrote programs for my own research project and for colleagues in the department working on DNA fingerprinting, fruit flies, bacteria and yeasts. That's where I started teaching IT - mostly 'demonstrating' to undergraduate and adult classes, passing on the few little tips that I'd picked up by trial and error. In the land of the blind, the one-eyed man is king.

In the late 1980s, I moved out of the science labs to become a system administrator for a pharmaceuticals company, eventually running the IT systems for several R&D sites in the South of England under the excellent tutelage of a canny Scotsman, Stef. A takeover by a larger American company was partly responsible for my specialisation in infosec: overnight, we plugged our two extensive DECnet networks together with no firewalls or other additional security measures. Trying to explain the changing risks to my managers was something of a challenge, one I eventually gave up on. By the way, Stef subsequently became the head of information security so I guess some of the things I was saying must have struck home.

I spent most of the 1990s in infosec and IT audit jobs for a privatised electricity utility. Security challenges there included all the normal office and eBusiness systems security issues plus real-time process control systems. I developed and ran an early security awareness program warning about the dangers of, amongst other things, boot sector viruses on floppy disks (remember them?). I wrote my first security policy manual based on the Code of Practice for Information Security Management (later BS 7799, then ISO 17799 and now ISO 27002) and technical security standards for VAX VMS, DECnet, X.25, "PCs" (well, VAXmates anyway!) and Iris graphics workstations. I also learned how to deal with management by playing them at their internal politics games. The value of security metrics and 'evidence' really came home to me in this time. I was amused to play the game of Life on my handheld PDA, at a few milliseconds per generation (the screen is just a blur).

From electricity, I moved first to aerospace and then to a series of consultancy assignments and eBusiness startups. Along the way, a little brainwave led to an awareness program suggestion to a client and, some months thinking and research later, the NoticeBored security awareness service was born. Security awareness has developed into an absorbing passion since 2000. I'm totally fascinated by the challenge of helping ordinary people understand and respond appropriately to the information security risks around us. Many people are waking up to the importance of security awareness, training and education, but relatively few of us get much beyond the "Something must be done!" stage.

So, that's me done, well mostly. It'll cost you a beer or two to fill in the gaps.

3 Apr 2007

Microsoft animated cursor fix

A bug in Windows' handling of animated cursor files is being actively exploited by The Dark Side. Those of us on the Light Side are advised to deploy an emergency patch just released by Microsoft ... or consider moving to an alternative, less bug-ridden operating system sharpish, assuming such a beast exists.

More network security resources

Spin the Wheel of Security Fortune

In a reminder about next week's Health Information Privacy and Security Week, Rebecca Herold (distinguished author of the best book on security awareness) mentions a security awareness idea I hadn't heard of before:

I loved doing awareness activities when I was responsible for information security and privacy for a large financial company; what a great creative outlet, and a nice change of pace from fighting information security fires! One year we set up a "Wheel of Security Fortune" outside the cafeteria for international computer security day. As people entered or left they would spin this huge wheel, and answer a question for the topic the clicker-pointer landed on. The questions incorporated our information security policy requirements and presented them in a way that related to work responsibilities and performing daily business. They were of varying degrees of difficulty and we gave prizes of various sizes for correct answers; from candy-wrapped mints with a picture of our information security mascot on it all the way up to a gift certificate to the cafeteria for a full meal. This was a great success; well-received, plus we were able to establish some metrics based upon the participation and percentage of correct answers for how aware our personnel were about the various information security topics.

More security awareness resources

2 Apr 2007

Google TiSP

Those of us who cannot squeeze another comms cable into our cable ducts might be interested in a new scheme promoted by Google. TiSP uses an unusual form of ducting available pre-installed in most homes and businesses. The installation kit provides all one needs to cable up a single location. TiSP brings the added benefit that the cable termination unit is ideally located for contemplative Web browsing sessions.