Welcome to the SecAware blog

I spy with my beady eye ...

31 Oct 2007

A virtuous circle for information security management

A blog describing Intel's 'defense in depth' approach to information security has a neat description of the 4 main phases:
(1) Prediction (essentially risk assessment);
(2) Prevention i.e. classic preventive security controls;
(3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and
(4) Response and recovery - corrective controls, a last resort.

Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model!

[By the way, Intel, the 'defense in depth' concept also applies within any of those phases e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-time log analysis in phase 3.]

Creatures of the Net

Spooks everywhere will enjoy the University of Arizona's novel take on Hallowe'en. Four ghostly hours of security awareness on a ghoulish theme.

Now that's an idea ...

Which is the real First Niagra?

A trademark spat between two financial services companies reveals a deeper issue.

First Niagara Insurance Brokers use the domain FirstNiagra dotcom. First Niagara Financial Group, previously known as Lockport Savings Bank, changed its name in 2000 and tried to purchase FirstNiagra dotcom from the present owners, who refused. They then registered First-Niagra dotcom as their address for emails.

Customers of First Niagara Financial Group sometimes forget to include the crucial hyphen when emailing them, so their emails end up at First Niagara Insurance Brokers. Some emails contain sensitive information because (shock! horror!) customers sometimes send Social Security Numbers etc. in plaintext emails.

With clear evidence that customers are being confused by the similar domain names, the trademark infringement issue shouldn't be too taxing on the judge, but this case may perhaps open Pandora's box on similar cases.
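A defensive check for the kind of confusion described above, added here as an example (it is not code from the blog or from either company): an outbound-mail screen that flags recipient domains a single typo or a dropped hyphen away from the organization's own domain. The trusted domain and the recipient addresses are constructed placeholders, not the domains in the story.

```python
"""Flag outbound e-mail addressed to near-miss variants of a trusted domain.

Constructed example: TRUSTED_DOMAIN and SAMPLE_RECIPIENTS are placeholders,
not the domains from the First Niagara story.
"""

TRUSTED_DOMAIN = "example-bank.com"   # placeholder for the organization's real domain


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each counting as one edit ("niagara" -> "niagra" is 1)."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and remove hyphens, because a dropped or
    added hyphen is exactly the slip the First Niagara customers made."""
    return domain.lower().rstrip(".").replace("-", "")


def classify_recipient(address: str, trusted: str = TRUSTED_DOMAIN,
                       max_distance: int = 1) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for one address."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return "invalid"
    domain = domain.lower().rstrip(".")
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"                       # our domain or one of its subdomains
    if edit_distance(normalize(domain), normalize(trusted)) <= max_distance:
        return "lookalike"                     # a typo or a hyphen away from ours
    return "unrelated"


def screen_outbound(recipients, trusted: str = TRUSTED_DOMAIN):
    """Classify a batch of recipients; a mail gateway would hold the 'lookalike' ones
    for the sender to confirm."""
    return [(addr, classify_recipient(addr, trusted)) for addr in recipients]


# Constructed sample of outbound recipients.
SAMPLE_RECIPIENTS = [
    "alice@example-bank.com",          # exact match
    "frank@support.example-bank.com",  # subdomain
    "bob@examplebank.com",             # hyphen dropped
    "carol@example-bnak.com",          # adjacent letters swapped
    "dave@example-bank.co",            # TLD truncated
    "erin@example.com",                # a different organization
    "mallory",                         # not an address at all
]

if __name__ == "__main__":
    for addr, verdict in screen_outbound(SAMPLE_RECIPIENTS):
        print(f"{verdict:10s} {addr}")
```

The distance threshold of 1 catches the one-slip cases in the story; raising it to 2 catches more variants but will also flag unrelated short domains, so tune it against the organization's actual mail traffic.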

30 Oct 2007

ITCi Journal

The IT Compliance Institute's journal should be on your reading list if compliance is on your radar screen. The Fall 2007 issue has good articles on ISO/IEC 27001 & 27002 vs. NIST's SP 800 series, symmetric encryption key management and eDiscovery.

The piece 'Holding auditors accountable for data security' is not about making internal auditors accountable for the organization's information security, but rather about the obligations on external auditors to secure the privileged information they obtain in the course of audits. For a while it seemed de rigueur for big-name auditors to lose laptops containing confidential client information, but I can't recall any similar breaches since about 18 months ago. Did the audit firms clean up their act, or are these stories no longer newsworthy? Being of a cynical nature, I suspect the latter.

Anyway, the article advises great caution when handing highly sensitive business records to the auditors, for example requiring that they are reviewed on-site and not taken away. I can almost feel the wave of horror passing across any auditors in the audience! If the organization has a strong information security policy, perhaps in response to its compliance obligations under SOX and PCI DSS, management should indeed be extremely cautious about handing information to any third party. On the flip side, though, the auditors need to be able to do their jobs and won't appreciate (further) constraints, although I guess they may just 'add it to the bill'.

It is not unreasonable to insist that security compliance, confidentiality and liability aspects are incorporated in suitable clauses in the audit contract, for example by insisting that the auditors should be ISO/IEC 27001 certified. In fact, why not have your CEO formally express the importance of information security to the audit team before they start work? That's one way to make an impression ...

Standards are for everyone else, not BSI

When I tried to notify BSI-Global (formerly the British Standards Institute) about a possible phishing email using them as a lure this morning, their automated mailing system sent me the following curt response:

"This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.


So much for standards. RFC 2142 has only been out there for ten years. Perhaps BSI is above the standards that apply to us lesser mortals?

Resistance is useless

You know you want to. Visit the NoticeBored website to find out about the new security compliance module. We have stripped down and completely rebuilt the 'laws, regulations and standards' awareness module last delivered 3 years ago and soon realized what business people mean when they complain about the compliance load. When you look into it, there's a huge pressure to comply with externally-mandated laws, regulations and standards, plus the rules organizations make up for themselves: the strategies, policies and contractual terms.

Being a security awareness service, we focus on the information security rules of course but I believe there are possibly one or two non-information-security laws, regs and standards out there too ...

27 Oct 2007

Iron Mountain security failures continue

Iron Mountain Inc. is back in the headlines again - this time a customer's storage media went missing from an Iron Mountain truck when the driver "did not follow established company procedures when loading the container onto his vehicle".

The backup device belonging to the Louisiana Office of Student Financial Assistance (LOFSA) contained thousands of names, birth dates and Social Security numbers. It was unencrypted - evidently LOFSA is "working on a plan to encrypt all backup data stored off site". It was also "in the process of developing our disaster and recovery plan, but [the loss] occurred before we could get it in place and establish it as a standard plan".

23 Oct 2007

Yet another redaction failure

... this time it reveals the face of a man accused of sexually abusing boys in Vietnam and Cambodia. Photos of the man were redacted using a swirly filter effect that police somehow reversed. The resulting image is clearer than most CCTV snaps we see on TV crime watch programs.

Presumably the same kind of techniques would work on similarly redacted digital photos of vehicle license plates, associates of criminals and so forth. Provided there is sufficient original data in the redacted image, and provided the manipulation can be reversed without too much data loss, it's feasible.

Stories about un-redacting documents by cutting-and-pasting the original words from 'beneath' black boxes crudely added to PDFs etc. are simply passé.

The take home lesson for today is this: if something needs to be redacted, do it properly by removing, not just manipulating or covering the original data. There's a lot to be said for the 'print out -> obliterate with marker pen -> scan -> load' method.
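To make that lesson testable, here is an added example (not code from the blog or from the news report): two 'redaction' routines applied to tiny grayscale images, pixelation versus a flat fill, together with the check any redactor must pass, namely that the redacted region comes out identical whatever was underneath it. The images are constructed in code as grids of integers, so no imaging library is needed; pixelate() and blackout() stand in for an image editor's filters.

```python
"""Test whether an image redaction method actually destroys the covered data.

Constructed example: images are small grayscale grids (rows of 0-255 ints)
generated in code; pixelate() and blackout() stand in for an editor's filters.
"""
import random

Image = list    # list of rows, each a list of ints 0-255
Region = tuple  # (x0, y0, x1, y1), half-open pixel coordinates


def pixelate(img: Image, region: Region, block: int = 2) -> Image:
    """'Redaction' by pixelation: each block inside the region is replaced by its
    mean. The output is still a function of the input, which is why such images
    can be reversed or matched against candidates."""
    x0, y0, x1, y1 = region
    out = [row[:] for row in img]
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            ys = range(by, min(by + block, y1))
            xs = range(bx, min(bx + block, x1))
            mean = sum(img[y][x] for y in ys for x in xs) // (len(ys) * len(xs))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def blackout(img: Image, region: Region, fill: int = 0) -> Image:
    """Redaction that removes data: every pixel in the region becomes a constant."""
    x0, y0, x1, y1 = region
    out = [row[:] for row in img]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = fill
    return out


def region_pixels(img: Image, region: Region) -> tuple:
    x0, y0, x1, y1 = region
    return tuple(img[y][x] for y in range(y0, y1) for x in range(x0, x1))


def destroys_data(redactor, region: Region, width: int = 8, height: int = 8,
                  trials: int = 25, seed: int = 2007) -> bool:
    """Apply the redactor to many random originals. If the redacted region ever
    differs between two originals, the output still carries information about
    what was underneath, and the method is manipulation rather than removal."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        img = [[rng.randrange(256) for _ in range(width)] for _ in range(height)]
        seen.add(region_pixels(redactor(img, region), region))
    return len(seen) == 1


def leaves_rest_intact(redactor, region: Region, width: int = 8, height: int = 8,
                       seed: int = 2007) -> bool:
    """A redactor must not alter pixels outside the region either."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(width)] for _ in range(height)]
    out = redactor(img, region)
    x0, y0, x1, y1 = region
    return all(out[y][x] == img[y][x]
               for y in range(height) for x in range(width)
               if not (x0 <= x < x1 and y0 <= y < y1))


if __name__ == "__main__":
    face = (2, 2, 6, 6)   # constructed region standing in for a face or number plate
    for name, fn in (("pixelate", pixelate), ("blackout", blackout)):
        print(f"{name:9s} destroys data: {destroys_data(fn, face)}, "
              f"rest intact: {leaves_rest_intact(fn, face)}")
```

The same destroys_data() check works for any redactor callable, including a swirl or blur filter: if the covered region depends on the original in any way, the filter has merely manipulated the data and the test reports False. Pixelation fails it because each block still records the average of what it covers.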

UPDATE: a man has been arrested in Bangkok following release of the unredacted photo.

20 Oct 2007

Automated field gun kills 9

This tragic story speaks for itself. After the operators cleared a jam in a Swiss/German Oerlikon 35mm MK5 anti-aircraft twin-barrelled gun during a live-firing military exercise, the gun turned to the left and fired a rapid burst of ½kg cannon shells directly at adjacent guns in the line, killing 9 soldiers and injuring 14. At the time, the gun was supposedly on 'manual', locked on to a target 1.5 to 2km away. On 'manual', it should not have turned at all.

According to news reports, "Defence pundit Helmoed-Römer Heitman told the Weekend Argus that if 'the cause lay in computer error, the reason for the tragedy might never be found.'" If 'computer error' equates to bug, then I can only assume the software must be horrendously complex and opaque to be so resistant to analysis ... which it probably is if it combines target acquisition/identification, range finding, gun control, oh and safety.

The South African Department of Defence is under pressure to conduct an inquiry.

Don't the procurers of such automated weaponry specify mechanical safety interlocks capable of physically preventing the turret from turning beyond set azimuth (and perhaps elevation) limits?

19 Oct 2007

Tips for physically securing your IT equipment

A page from the University of Bristol's new security awareness site, aimed at students, offers some worthwhile advice on avoiding physical damage or loss to your IT equipment, things like:
- Don't cover the PC or monitor with anything (fire risk)
- Don't drink near the system (water damage risk)
- Don't be in a rush (a common explanation for why laptops etc. get left on public transport is that the owner was in a hurry ... I suspect asking students to get out of bed 5 minutes earlier is a bit of a tall order).

The rest of the site is straightforward enough - basic advice on antivirus, firewalls, patching, backups and so on. Not a bad start.

Who owns what you throw away?

An interesting angle on the dumpster-diving craze comes from Singapore. A judge has previously ruled that confidential information discovered in the trash cannot be used against someone, but the issue is to go to appeal.

It seems to me the burden is and should be on the person discarding information to take care to make it unreadable, for example by cross-cut shredding and burning. It seems fair to me that it's their fault if they fail to take sufficient physical security measures to protect the information.

Top ten employee security gaps

The IT Compliance Institute's top ten list of 'employee security gaps' makes sense, expanding on five key areas (training, policies and procedures, disaster recovery and business continuity planning, audits and risk analysis) that seem to be common to most organizations.

My favourite, of course, is number ten:

Train, train, and train some more

If there’s a common thread the experts all agree on in addressing each of these issues, it’s the importance of education and training. Poor training and unaware employees lie at the root of many if not most employee security breaches. All three of the interviewed security experts emphasized one point: Use real-life examples from today’s headlines to shake employees out of security complacency and to help make your points. Unfortunately, there’s no lack of those stories into the foreseeable future.

Global Security Challenge grand final

The Global Security Challenge grand final conference takes place in London on November 8th.

Global Security Challenge is an annual business plan competition to find the most promising security technology startups in the world. The winners of three semi-finals (!) in Europe, Asia and the U.S. stand to win a $500,000 grant in prize money and mentoring.

Keynote speakers and judges include:
- Sir Richard Dearlove, former Chief of the UK's Secret Intelligence Service (MI6)
- Ken Minihan, former Director of the U.S. National Security Agency (NSA)
- Alastair MacWillson, Managing Partner, Accenture
- Jeff David, Deputy Director, TSWG, US Department of Defense
- Stephen Bonner, Global Director, Barclays

One-click becomes none-click

Amazon's 1997 patent on the 'one click' system has been successfully challenged by a New Zealander who has studied commercial law and lists 'American patents' as a hobby. Peter Calveley of Auckland discovered a prior claim. In 2005, Peter filed a challenge with the US Patent Office that has now overturned Amazon's patent. Amazon say they will appeal the decision.

17 Oct 2007

New ISF standard released!

The Information Security Forum's Standard of Good Practice for Information Security has been updated and re-released just a few days ago. I have long admired the ISF standard for two key reasons:

1. It is well written, clearly laid out and eminently usable. As a user, I really like pragmatic standards!

2. It is free. If the ISO/IEC 27000 standards were free, I'm sure they would be even more popular and widely used than they are and the world would be a safer place. For organizations or individuals who are unwilling or unable to afford ISO27k, the ISF standard makes a good second choice ... along with the NIST SP 800 standards and a raft of others.

The 2007 version is a weighty 372 pages but is fluff-free. Each of the controls is simply and directly stated with very little in the way of explanation, context, justification or implementation guidance. That's great for those of us with sufficient experience to fill in the gaps for ourselves but could be a bit ambitious for those new to information security management.

I'm sure I'll be referring to the standard in our security awareness materials, though not as much as ISO27k.

12 Oct 2007

Award winning awareness program

On reading that the University of Notre Dame's security awareness program won an Award of Excellence from the Special Interest Group on University and College Computing Services (SIGUCCS), I took a look at their website. I can't access the university-only security awareness materials, of course, but the public materials and the site's design demonstrate its winning ways. Striking graphics and easy navigation, clearly-written guidelines and policies, a decent range of security topics, an FAQ and more.

Well done University of Notre Dame. Nice work.

Tips for your next black bag run

Rebecca Herold lists some 18 common security breaches to look out for when undertaking an office physical security review out of hours (also known as a black bag run when the reviewer/auditor collects up and quarantines sensitive/valuable materials left on desks).

We'll be looking at office information security specifically in January's NoticeBored Classic awareness module but Rebecca's list is an excellent starting point. It's hard to think of other breaches.

10 Oct 2007

Secure disk erasure how-to

Anyone who sells a used hard drive, or a system containing one, should follow the step-by-step guide to using DBAN (Darik's Boot And Nuke), a great free program to securely erase everything, BEFORE packaging and sending the goods to an anonymous eBay or car boot sale buyer.

DBAN does a good job but overwriting the entire disk surface several times with random data is not a quick five-minute-or-less job - it may literally take hours to do thoroughly. Don't leave it to the last minute and don't cut it short if there is anything vaguely incriminating on the disk.

Oh and don't try this on any disk drive whose contents you actually still might need (doh!).
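As an added example of the verification half of the job (this is not DBAN's code or the blog's), the following scans a disk image for the on-disk structures a half-finished wipe would leave behind, and shows a pattern pass with the read-back verification a wiping tool performs after each pass. The 'disk' and its partition layout are constructed in memory so the code can be run safely; the offsets used for the MBR, NTFS, FAT and ext superblock signatures are the published ones.

```python
"""Scan a disk image for remnants a partial wipe leaves behind, and verify a pass.

Constructed example: build_sample_image() makes a tiny in-memory 'disk' with a
fake MBR, NTFS and FAT boot sectors, an ext superblock and some plaintext.
"""
import os
import string

SECTOR = 512
PRINTABLE = set(string.printable.encode())


def longest_printable_run(sec: bytes) -> int:
    """Length of the longest run of printable ASCII bytes in a sector."""
    best = run = 0
    for b in sec:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best


def find_residue(image: bytes) -> list:
    """Return human-readable findings for recognisable structures still on the image."""
    findings = []
    if len(image) >= SECTOR and image[510:512] == b"\x55\xaa":
        findings.append("boot signature 0x55AA in sector 0 (MBR or boot sector)")
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sec = image[off:off + SECTOR]
        if sec[3:11] == b"NTFS    ":                 # OEM ID in an NTFS boot sector
            findings.append(f"NTFS boot sector at byte {off}")
        if sec[82:90] == b"FAT32   " or sec[54:62] in (b"FAT16   ", b"FAT12   "):
            findings.append(f"FAT boot sector at byte {off}")
        if sec[56:58] == b"\x53\xef":                # ext2/3/4 s_magic 0xEF53, little-endian
            findings.append(f"possible ext superblock at byte {off}")
        if longest_printable_run(sec) >= 64:         # document text surviving the wipe
            findings.append(f"run of printable text at byte {off}")
    return findings


def overwrite_pass(image: bytearray, pattern: bytes = None) -> None:
    """One wipe pass in place: a repeating byte pattern, or random data if None."""
    n = len(image)
    if pattern is None:
        image[:] = os.urandom(n)
    else:
        image[:] = (pattern * (n // len(pattern) + 1))[:n]


def verify_pass(image: bytes, pattern: bytes) -> bool:
    """Read-back check after a pattern pass: every byte must match what was written."""
    n = len(image)
    return bytes(image) == (pattern * (n // len(pattern) + 1))[:n]


def build_sample_image(sectors: int = 64) -> bytes:
    """Constructed 'disk': a few recognisable structures scattered over 64 sectors."""
    disk = bytearray(sectors * SECTOR)
    disk[510:512] = b"\x55\xaa"                                  # MBR boot signature
    ntfs = 8 * SECTOR
    disk[ntfs:ntfs + 11] = b"\xeb\x52\x90NTFS    "              # NTFS jump + OEM ID
    ext = 10 * SECTOR + 1024                                     # superblock 1 KiB into a partition at sector 10
    disk[ext + 56:ext + 58] = b"\x53\xef"
    fat = 30 * SECTOR
    disk[fat + 54:fat + 62] = b"FAT16   "                        # FAT16 file system type string
    text = b"CONFIDENTIAL draft board minutes (constructed sample text) " * 8
    disk[20 * SECTOR:20 * SECTOR + len(text)] = text
    return bytes(disk)


if __name__ == "__main__":
    image = build_sample_image()
    print("before wipe:", *find_residue(image), sep="\n  ")
    buf = bytearray(image)
    for pattern in (b"\x55", None, b"\x00"):      # illustrative schedule, not DBAN's
        overwrite_pass(buf, pattern)
        if pattern is not None and not verify_pass(buf, pattern):
            raise SystemExit("read-back verification failed")
    print("after wipe:", find_residue(bytes(buf)))
```

The two-byte magic checks can fire by chance on random fill (about once per 65,536 sectors), and the text heuristic will flag a pattern pass of a printable byte such as 0x55, so run find_residue() after the final pass rather than between passes. Residue found after the tool reports success is the sign that it was interrupted or skipped part of the device.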

Creativity unleashed

Anyone who has been in a medium or large company for more than a few months has no doubt been subjected to the tyranny of "team building" and "vision sharing" sessions in which ideas for unlocking employees' inner strengths are shared with the 'team' by some eager HR person or on-something training consultant. These can be great fun if the facilitator is full of life and the 'team' is in the mood for it. They can also be painfully lame.

Well, here's a shortcut - a wiki on creative thinking techniques. Explore the ideas in the safety and comfort of your very own private cubicle, with no need to disclose your innermost fears in public, play ridiculous rigged games, sing 'team' songs, raft whitewater rapids, rappel down a precipitous cliff in your underpants and generally make a blithering idiot of yourself in front of the office belle (or beau).

Physical security podcasts

Podcasts at SecurityInfoWatch cover topics such as voice recognition biometrics, CCTV camera technologies, terrorist threats and more. They are mostly interviews with representatives of companies selling associated products and services (i.e. advertorials or infomercials) but still the information content may be just what you need.

9 Oct 2007

Attn: beneficairy!

Another vaguely amusing 419 email arrived in my bulging inbox last night. I won't bore you with all the details about the large unclaimed inheritance awaiting my instructions as a "beneficairy", but the following paragraph made me smile:
"You may have also been directed to visit different cities and countries with the instruction that your fund would be released at such payment post or that your fund could be delivered to you at your residence. All these are cooked up Stories from impostors who wish to extort money from you while they do not have any knowledge of the true position of your fund transfer."

So, impostors are cooking up Stories, eh? Would you believe it!

7 Oct 2007

Top secret NSA data lost on thumb drive

It's not A Good Idea to lose a USB memory stick containing top secret data from the NSA, even if you are a foreign citizen working at The Hague in Holland.

Similarly, it's not A Good Idea to shred your top secret papers with a plain cut shredder and hand the shreddings to an untrustworthy Taiwanese courier.

Security camera security

If your CCTV security camera system uses IP transport to cut costs, don't forget to factor the cost of network and device security into the mix. It has long been known that many IP-enabled CCTV cameras are pumping live video onto the Web with no encryption or access control. It now appears that exploiting security vulnerabilities in the camera controllers may allow hackers (or bank robbers) to manipulate the video stream, for example replacing it with a 'blank scene' while they crack the vault.

Boeing sacks whistleblower

A press report about Boeing firing an IT auditor for blowing the whistle on alleged mishandling of SOX compliance work by Boeing's IT Department is troubling on a number of levels:

1. If the allegations are true, Boeing may have internal control problems affecting its governance, financial accounting systems and/or reporting.

2. Nothing else matters as much as the truth of point 1.

Instead of firing the auditor, Boeing management should face up to the charge and clarify their position. Control problems that are acknowledged can be fixed. Sweeping things under the carpet, shooting the messenger of bad tidings and intimidating his (former) colleagues is hardly 'facing up'.

Auditors are professionally obliged to act in the best interests of their employers or clients. On rare occasions, this includes blowing the whistle on malpractice or incompetence. If employers/clients can simply dismiss whistleblowers, it is a very brave (and self-confident) auditor who has the nerve to speak out and risk losing his/her job ... so the question comes down to whether we believe in the professional integrity and ethics of the auditor or that of the employer/client. An honest disclosure of the facts of the alleged control issue will surely resolve this one way or the other?

Password protected =/= Hacker proof?

Gosh: another stolen laptop contains personal data. But it's OK, we're told, because the laptop is "password protected".

"Password protected" could mean a BIOS boot password, a hard drive access password, a Windows/UNIX user login password, or a data encryption key. Using hacker or forensics techniques, all but the latter control can be broken, and even encryption can often be brute-forced given enough time and a weak pass phrase. If the laptop's data or entire hard drive had been strongly encrypted, we'd presumably have been told so and the people whose personal data are on the stolen laptop could sleep easier.

Call me paranoid but "password protected" sounds very much like "insecure" to me.

At least the Gap company 'fessed up that their stolen laptop was unencrypted.

UPDATE Dec 9th 2007: after a laptop was stolen from a Citizens' Advice Bureau employee's car, the CAB confirmed that it was protected with "a high level of encryption". Presumably 'high level' means strong encryption using a current encryption algorithm (such as AES) with a long key length (at least 128 bits, ideally 256 or more) and a strong password/passphrase policy, ruthlessly enforced (long non-dictionary phrases). Anyway, if it were my personal data on the laptop, the fact that the PR people specifically state that the laptop was encrypted would give me a lot more confidence than the usual mention of "password protection".

This is doubly important if you are, say, a government that regularly loses hundreds of laptops and desktops per year.

Data recovery from 'erased' CD-RWs

Picking up on a technique used to retrieve MP3s from an 'erased' CD-RW disk, a forensic investigator has succeeded in retrieving incriminating data from 'erased' CD-RWs, sufficient to secure the defendant's prosecution in a child abuse case.

The news article barely outlines the method: it appears to involve writing a new file to the 'erased' CD-RW but interrupting the write process. I presume the first part of the write creates the 'lead-in' file system synchronization and identification data. If interrupted soon after, the PC can presumably be fooled into reading the rest of the disk.

Presumably, also, if 'erasing' a CD-RW only involves wiping the disk sync and ID part leaving all the data intact just waiting to be overwritten by the next write operation (rather like deleting the directory on a hard drive), then surely it ought to be possible to manufacture forensic CD/DVD software or drives that sync directly to the data tracks to make their bitwise copies, all without having to overwrite the lead-in part of the (evidential) disk? Indeed, a very quick Google query reveals that one can buy data recovery software for damaged CDs. I wonder if the 'clever officer' in the news story tried such an approach?

Anyway, the take-home-message is not to discard even 'erased' CD-RWs that might contain valuable or sensitive data. Shredding/grinding/physical disintegration and burning remains the safest option.

5 Oct 2007

Nigerian scammers head for the slammer

A major police operation has blown open a Nigerian 419 scam ring and seized thousands of fake cheques, passports and other collateral worth ~US$16m.

"The month-long investigation into the fraud uncovered more than 4,500 forged and fraudulent documents. UK officials are working with agencies in the US, Holland, Spain and Canada to tackle "mass marketing fraud". A handful of people have been arrested in the UK with almost 70 more held overseas."

As usual, the scammers have been exploiting naive victims using social engineering techniques, sometimes using dating websites (where people seem naturally more vulnerable to being spun a lie).

6th October update: Reuters reports:
"An international crackdown on Internet financial scams this year has yielded more than $2.1 billion in seized fake checks and 77 arrests in the Netherlands, Nigeria and Canada, U.S. and other authorities said on Wednesday."

The seized assets appear to have swollen from $16m to $2.1bn in a few days, an alarming rate of inflation.

4 Oct 2007

Information Asset Protection guideline

ASIS International has released a guideline on protecting information assets.

"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."

The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information such as
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dyes and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government classified etc.

It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:

"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."

The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.

Physical & information security convergence

A security page at the ISACA website links to three resources on convergence between physical and information security:

1. A survey by Deloitte & Touche addresses the value of security as part of enterprise risk management and the benefit of a converged view of security in managing enterprise risk. Security executives provided insight into the general state of security convergence, integration of converged security as part of ERM, the role of risk councils and the benefit that a strategy for converged risk management plays in breaking down communications barriers.

2. Convergent Security Risks in Physical Security Systems and IT Infrastructures describes how enterprises are facing the risks that arise when physical and IT security risks collide.

3. Convergence of Enterprise Security Organizations is a Booz-Allen-Hamilton study examining how enterprises are addressing the converged issues surrounding their security.

Podcast on security awareness

I was interviewed for a podcast by Scott Pinzon at Watchfire. Hear how to make security awareness programs more effective by engaging managers, IT professionals and general employees, linking security in home life with security at work, and combining communications methods.

Suspected chemical attack on London

Since this month's awareness topic is physical security, I guess a story about a suspected chemical attack in London is not too far off-topic.

The subtext is that London remains on high alert for terrorist attacks.

2 Oct 2007

Economic spies charged

Two US citizens have been charged with economic espionage, theft of trade secrets and conspiracy to steal microchip designs from Netlogics Microsystems, their employer, and Taiwan Semiconductor Manufacturing Corporation, to sell to the Chinese army. If convicted, they could be sentenced to 15 years in prison.

Physical security awareness module

Lock up your assets
October's NoticeBored security awareness module covers the physical aspects of information security e.g.:
- Physical access controls such as fences, walls, doors, locks, security cables etc.
- CCTV, security guards, staff passes, visitor procedures, intruder alarms
- Environmental controls and supplies for the computer equipment e.g. UPS, air-conditioning, fire/smoke & flood alarms.

Since first writing and delivering this module in 2004, we've added a stack of new materials so the whole module now contains over 80Mb of rich content.

Do let us know if there are any physical security links to add to our links collection.