Welcome to the SecAware blog

I spy with my beady eye ...

26 Sept 2007

Credit card numbers posted on eBay forum

Someone appears to have posted a load of personal data including credit card numbers on an eBay discussion forum, paradoxically one on trust and safety. Around 1,200 eBay users' details may have been compromised.

Why anyone would do this remains a mystery. Is it just some sort of publicity stunt, or a hacker's brag?

eBay shut down the forum and pulled the pages about an hour after being informed of the incident. There's more about the incident on an eBay blog.

"eBay spokesperson Nichola Sharpe said Tuesday afternoon that posts made on the Trust & Safety board early this morning contained name and contact information for 1,200 eBay members and called the person posting the information a 'malicious fraudster'. She said the incident was not the result of a security breach from eBay and could have been obtained as part of an account takeover."

It's possible that a merchant's account may have been compromised, I guess.

25 Sept 2007

Putting a mole in the camp for awareness purposes

Fellow blogger Jason Bevis set me thinking today with a paper suggesting that one might deliberately seed a 'mole' in a software development project team whose job is secretly to exploit his colleagues using social engineering techniques. The idea, then, is that the results of his/her underhand activities would provide enlightening and motivational fodder for security awareness/training sessions.

You'll see from the discussion on the paper that I'm dubious about the possibility of even being allowed to do this as a deliberate ploy, although I agree that 'catching people in the act' can provide good case study-type materials. I've suggested that similar information can be obtained openly using typical penetration testing, audits, management reviews etc., without the need for cloak-and-dagger stuff that can so easily backfire ... but what do you think? Would you try something along these lines?

23 Sept 2007

Windows security spec with free audit tool

The US Government's plan to use standardized Windows desktop environments has advantages for non-US Government entities too. The Federal Desktop Core Configuration (FDCC) specifies reasonable Windows XP and Vista security settings, and application software vendors are encouraged to make sure their products work on a standard-spec PC. Tools such as Secutor Prime (free for non-commercial use) will audit a PC against the FDCC and report discrepancies, with enough detail for a competent sysadmin to resolve them. It's not quite point-n-click one-button security for the masses, but it is useful for those who want to improve the security of their own Windows systems. Companies that roll out standardized Windows desktops would be well advised to check their standard builds against the FDCC too.

I won't go into the downside of encouraging a PC monoculture at this point but leave that for your homework, and Google.

21 Sept 2007

SCO loses the will

An extended intellectual property/copyright dispute between SCO Group (Santa Cruz Operation) and Novell over Unix and UnixWare has resulted in SCO's defeat in court. It has now filed for Chapter 11 bankruptcy protection from its creditors, partly due to losing the copyright case but also, it appears, because of its failure to adapt to the open systems form of software licensing. Linux companies generally provide their operating system software for free (or near enough), making their money from support services. SCO stuck with the older model, charging heavily for the software itself, and has paid the price in the long run.

19 Sept 2007

Spam experiment on video

Will a can of spam blend? Find out here.

PS No matter how much you want to, don't try this at home.

18 Sept 2007

CSI's 12th Annual Computer Crime and Security Survey

[Image: one of many graphs in the survey report]
The latest Computer Crime and Security Survey from America's CSI (Computer Security Institute - not the TV show) is a handy source of statistics to consider and perhaps spice up your security awareness materials. The survey is well respected, being vendor independent, having just under 500 responses and being consistently designed from year to year.

Key findings:
- Since last year, the estimated average loss has nearly doubled to $350k per organization per annum
- Nearly 1 in 5 respondents who suffered security incidents said they’d suffered a "targeted attack" i.e. a malware attack aimed exclusively at them or similar organizations
- Financial fraud caused the greatest financial losses
- Insider abuse was the most prevalent security problem
- Just under half of respondents said they had suffered security incidents, similar to but slightly less than the past 2 years
- 29% of organizations report security incidents to law enforcement

Being a security awareness specialist, the following caught my beady eye:
"Almost half—48 percent—spend less than 1 percent of their security dollars on awareness programs. While this may be the case simply because some forms of awareness training (such as putting reminders on corporate intranet sites) aren’t expensive, one is tempted to conclude that while the industry talks a good game about teaching users how to be good stewards of company network resources, they don’t yet put real dollars behind the proposition."

Around half spend less than 1% of their security budgets on awareness! Golly! Given that security budgets are around 10% of IT budgets, there must be a lot of managers out there who are so frugal on security awareness that they 'squeak when they walk'. Our very own security awareness products typically cost about the same as a single cup of coffee per employee per annum, barely enough to merit a budget line item. Cost is surely not the issue: many organizations evidently don't appreciate the potential business benefits of a well-run security awareness program. Perhaps they think employees will just 'be secure' without any guidance? Flying pigs optional. Security incidents averaging $350k p.a. are (at least partly) the inevitable result of such wishful thinking.

419ers' conference

Such a shame: I missed the opportunity to attend a conference for Nigerian 419 scammers in Nigeria back in 2003. The 3rd Annual Nigerian Email Conference was held at the Abuja Sheraton, famed for its amenities.

eCriminals teaming up for more chaos

Symantec has disclosed some data supporting the widely-held belief that electronic crime is on the up, with eCriminals teaming up to leverage their skills and information.

"More worryingly, said Mr Beer, were signs that different sections of the underground economy were starting to collaborate to improve their chances of catching people out. Hi-tech criminals with information culled from job sites, online games or social networking sites were teaming up with phishing gangs and spammers, said Mr Beer. The end result was well-crafted e-mail campaigns that gained a gloss of credibility by combining several different bits of data."

Narrowly targeted phishing emails ("spear phishing") use information that the victims believe 'must be legitimate' to fool them into opening infected attachments, visiting phishing/infected websites etc.

Email users must:

1) Avoid opening executable email attachments that turn up unexpectedly, even those that appear to come from a legitimate source such as someone they know (if they intend to open executable attachments, users should first phone the sender to confirm what was sent);

2) Avoid following URLs provided in emails, and watch out for URLs ;

3) Make sure their antivirus software is maintained constantly up-to-date;

4) Not fiddle with the security configuration of antivirus, personal firewall, email, browser and other software;

5) Take regular off-line backups of all important data, making sure that the data are correctly stored and can in fact be retrieved if (when!) needed;

6) Run anti-phishing utilities such as phisher site warning add-ons for browsers;

7) Most of all, remain alert to email security threats. Be EXTREMELY wary of providing any personal data (names, addresses, passwords, PIN codes, credit card numbers etc.) to a website or form provided by email. Corporate email users should report suspicious events to their IT Help/Service Desk or information security function the sooner the better - it may not be too late to prevent further damage.

ISMS documentation checklist

If you are planning or just starting out on your ISO/IEC 27002 implementation project, this may be just what you need. The ISMS Documentation Checklist is simply a list of the documents typically required by and/or created by an Information Security Management System. Your project plans should include researching, drafting, reviewing, approving, publishing and promoting your own suite of ISMS documents, so it helps to know what is typically expected.

The list was created by a team of ISMS users on the ISO27k implementers' forum, a mailing list run at ISO27001security.com.

Phase 2 of this collaborative project involves collecting and publishing examples of each of the documents in the checklist. If you would like to get involved in the project, please contact me (Gary@isect.com) to join the fun. We anticipate publishing example documents gradually between now and the end of the year.

17 Sept 2007

Viagra spam from Pfizer computers

A story in Wired shows that even major corporates are vulnerable to hackers and spammers. At least 138 Pfizer computers have been blacklisted for distributing spam for drugs such as Viagra, a Pfizer product, and Cialis, a competitor's product. The computers have presumably been taken over as 'bots' or 'zombies', remotely controlled by the hackers and used to distribute spam. It is entirely possible that the compromised machines have access to Pfizer's valuable proprietary information. Previous stories about Pfizer employees using peer-to-peer software, for example, indicate the kinds of information security weaknesses that could have led to the infections but, not surprisingly, Pfizer is not saying much about it.

14 Sept 2007

McLaren fined $100m

The McLaren-Ferrari industrial espionage incident is drawing to a close with McLaren being fined $100m by the FIA and losing all their points in the constructors' championship. McLaren's drivers, who top the drivers' championship, have been spared the whip, thanks in part to their cooperation with the FIA's investigation.

4 Sept 2007

Privacy in the 21st Century

This week is the third annual Global Security Week. This year's topic is Privacy in the 21st Century. For information on GSW events, free awareness materials to download and links to further privacy resources, visit the GSW website.

There's also a GSW blog: I've just posted the following item to the GSW blog and there are contributions from supporters of GSW.

Does your organization have a policy on promptly informing those affected by privacy incidents and, where necessary, disclosing breaches to the proper authorities? If not, a privacy incident at Johns Hopkins Hospital might make you think again:
"A desktop computer containing the personal information of 5,783 patients was stolen from Johns Hopkins Hospital in mid-July, and the hospital waited more than five weeks to inform the patients or their families of the theft. The computer, taken from an "administrative work area" in a building on Johns Hopkins' main campus the night of July 15, contained patients' names, Social Security numbers, birth dates, medical histories and other personal information, according to Hopkins officials. Another computer and a projector were also stolen."

Another suggestion is to make sure your organization's contingency plans cover privacy and security incidents, giving management a blueprint to help them deal with a crisis in the most efficient and professional manner possible under the circumstances.

1 Sept 2007

STBO on email security

A report into email vulnerabilities, 'sponsored' by a handful of email security companies, is available for free until 21st September although one has to register and is supposed to provide one’s email address plus other personal information to obtain it ... to save you the bother and risk that that entails, here are the report's three stunning conclusions:

"Develop comprehensive email security strategies that address both inbound and outbound vulnerabilities; Actively monitor, assess and address email vulnerabilities on an ongoing basis – new threats appear daily; Include email vulnerability assessment in an overall threat analysis, looking at threats across email and the Web as well as across desktops, laptops, servers and networks."

The report demonstrates a circular/specious argument by pointing out the differences between what "best in class" organizations are doing versus the rest. If one takes the trouble to wade through the report to find out how "best in class" organizations are identified, one finds (surprise surprise) that they are those who demonstrate the very practices that are called out. This is like me lining up a bunch of people against a wall by height, then making a big song-and-dance about the fact that the people towards one end of the bunch are 'height advantaged' or 'height challenged' (depending on which end I'm talking about) compared to the rest.

Of course the report is replete with plenty of impressive-looking statistics and graphs which are no doubt being quoted as fact ... by those email security companies who 'sponsored' the study.

Good thing it's free.

[STBO = Statin The Bleedin Obvious]

Email encryption

A short piece at Enterprise IT Planet looks briefly at the technical architecture options for email encryption e.g. endpoint-to-endpoint vs. endpoint-to-email-gateway. Thanks to input from the company behind PGP, the article only mentions PGP but similar principles and concerns apply to other email encryption protocols.