Welcome to the SecAware blog

I spy with my beady eye ...

31 Dec 2007

EPO incident

If like me you've been wondering over the Christmas break "Just how many computer specialists does it take to reset an Emergency Power Off [EPO] button?", here's your answer from the latest RISKS mailing list digest:
"A Sacramento County computer technician has pleaded guilty to trying to shut down California's power grid by pushing a button marked "Emergency Power Off," authorities said. Lonnie Charles Denison, 33, of South Natomas, admitted Friday in U.S. District Court in Sacramento that he went into a room at the Independent System Operator's data center in Folsom (Sacramento County) on April 15, broke a glass cover and pushed the button, prosecutors said. Denison, a contract employee at the data center, was upset with his employer, authorities said.

The ISO oversees electricity purchases and distribution. Denison prevented the data center from communicating to the electricity market for about two hours, leaving the electrical power grid vulnerable to shortages, Matthew St. Amant, a California Highway Patrol officer assigned to an FBI task force, wrote in an affidavit. No blackout occurred because the incident - which cost $14,000 for 20 computer specialists to repair - happened on a Sunday, investigators said. Denison was identified by surveillance-tape footage and his security-access code, the affidavit said. He pleaded guilty to attempted damage of an energy facility, a felony. He is to be sentenced Feb. 29 by U.S. District Judge Garland Burrell."

If you don't already subscribe to RISKS, it's highly recommended.

30 Dec 2007

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year.

My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.

Awareness module

Offices are the “information factories” where most of an organization’s intellectual property gets created and processed, and a lot of information assets are stored. They are the knowledge workers’ natural habitat. Some of us practically nest in our cubicles.

Numerous information security risks affect offices, including IT/computer security and telephony risks from viruses, power glitches, IT/network capacity and reliability issues, physical security risks such as thefts, fires and floods, and process-related risks e.g. if untrustworthy visitors are not properly authenticated on arrival or are allowed to wander freely around the offices.

Despite us having covered office security issues in many other NoticeBored modules, almost all of the materials have been written from scratch for this one, bringing them all together in a context that most employees will relate to.

Read more about January’s NoticeBored security awareness module and get in touch if we can interest you in a subscription to NoticeBored, the modular security awareness service. Happy new year!

27 Dec 2007

CISSP course in Dubai

If you or someone you know in the Middle East is thinking of taking the CISSP exam, Clement Dupuis will be leading a boot camp-style intensive CISSP training course in Dubai on 11-15 February 2008. Clement has stacks of experience at CISSP training and will be using Shon Harris' course materials recently updated to reflect the latest CBK. The course is being offered in conjunction with the Open Information Systems Security Group.

For those who don't know Clement, he is the inspiration and driving force behind CCcure.org, recommended reading for all CISSP candidates and indeed for those seeking other information security qualifications or who simply want to keep their knowledge and skills up-to-date.

22 Dec 2007

A Christmas present for ordinary computer users

Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users.

The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype, perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better.

Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user friendly option you'd recommend?

19 Dec 2007

UK insurance firm fined for pretexting incidents

The UK's Financial Services Authority has fined insurer Norwich Union £1.26m as a result of inadequate protection of customers' personal data:

"The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders. Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered. The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006. The FSA says its investigation found that Norwich Union Life failed to properly assess the risks posed by financial crime and as a result, its customers were more likely to fall victim to identity theft."

The official FSA report makes interesting reading, disclosing for instance that fraudsters were using information obtained legitimately from public records held at Companies House to respond to authentication questions.

The company has since smartened up its act with better policies, procedures and (hopefully) compliance activities but I doubt that even it would claim to be immune to social engineering risks. Pretexting is a relatively cheap and easy form of attack and the juicy personal data in such databases is clearly luring fraudsters.

18 Dec 2007

Infosec risks top ten

Fellow infosec pros,

Tim Bass recently posted a stimulating entry to his blog proposing a top ten list of information security threats - not "risks" but threats specifically. This struck me as an interesting idea and an opportunity to add some depth to the rather banale top ten IT security risks lists that appear every new year. So, shamelessly extending a good idea, I've set up a shared document on Google Documents and now invite you to participate in a collaborative project to draw up a more meaningful list of current infosec risks, starting with separate lists of threats, vulnerabilities and impacts, then working on the risks, and finally the controls and conclusion.

If you would like to get involved, please check the shared document as it stands today and then email me (Gary@isect.com) to add you to the list of users with update access to the shared doc. Google Docs is cool but if you can't be bothered to update the doc yourself, just email me with your comments and I'll have a go. I'm particularly interested in emerging trends, as perceived by qualified information security professionals rather than journalists and marketers. What are you working on today and what do you expect to be doing in the year ahead?

I'm planning to publish the finished item on the Web under a Creative Commons license on or before Jan 1st 2008, acknowledging all contributors. Please don't ask me if you can earn CPEs for this though!

Kind regards,

UPDATE Dec 19th: the lists of threats, vulnerabilites and impacts are nearing completion so it's time to make a start on pulling things together as "risks". See the shared paper as it stands today and by all means have your say - pop a comment below if you like.

12 Dec 2007

Why HTML email is BAD

Click here for a full size screenshotThe screenshot above is an email spotted today in my spam box. It's a conventional phishing email with a classic call-to-action and a link whose URL takes victims to the phishing site rather than CitiBusiness.
What caught my eye, though, was the hex encoded gibberish at the bottom. I can't be bothered to convert it all to readable characters and probably don't have the skills necessary analyze it and figure out exactly what it's doing but the few unencoded words (api, update, end, exe, create, engine, close, define, revision, tmp, hex, URAW, rev., create, root:, LHY, serv, 22MP., source:, Y1TM, cvs, revision, 60T, 376T:) do rather give the game away: it looks like some sort of attempt to get victims' email software to execute code. My bet is that it exploits a bug in the way HTML emails are handled. Needless to say, my machine is configured to read emails as plaintext. I can live without the fancy text formatting, and malware, thank you very much.

Carelessness threatens privacy

Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft:

1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea.

2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another.

3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust.

If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper but CD-ROMs or DVDs seem so insignificant.

Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situations, along with encryption of anything confidential and care over the encryption keys.

11 Dec 2007

Social engineering bots pass Turing test

"Robot chatters are just one type of social-engineering attack that uses trickery rather than a software flaw to access victim's valuable information. Such attacks have been on the rise and are predicted to continue to grow."

If you frequent chat and dating sites, especially Russian ones it seems, beware robots posing as fellow frequenters that chat with you, flirt with you even, and extract personal information. From the news report, it sounds like this bot passes the Turing test.

Security awareness a commonplace concern

A survey of information security concerns at 455 US SMBs (small to medium sized businesses with 5 to 1,000 employees) is mostly same old same old but one statistic caught my eye (see graph above). Three-quarters of those surveyed believe that security awareness would help to improve the level of security in their company. Most SMBs are not that bothered about their security budget or how many security people they have.
"Employees are not the only people who need to be ‘educated’. One in four IT executives want senior management to have a better understanding of security issues as this could have a bearing on the overall level of network security and, possibly, the range of security measures that could be implemented."

Why is it, I wonder, that security awareness is in such high demand? It's great for our business, of course, but still I'm curious as to the attraction. Is it that security awareness is just too difficult for most people? Or is it just this month's fad (I sincerely hope not!)?

With NoticeBored Classic starting at just US$2300 for organizations with less than 500 employees, security awareness is surely within reach of even the smallest SMBs.

PCI DSS audit accreditation

An Australian security consultancy's blog entry on their failure to win PCI DSS audit assignments ably demonstrates a severe conflict of interest in this market. They have been losing out to competitors who promise to complete the audits much quicker and (implicitly at least) to certify the client compliant. The commercial pressure is clear: the process of applying and qualifying to become a PCI DSS auditor is expensive in both time and $$$$. If auditors who intend to audit clients properly against the standard consistently lose bids to those who (allegedly) will do a superficial audit and pass the client almost regardless of the findings, then they will eventually face a tough choice. Uphold their principles or compromise them just to recoup their costs and stay in the business.

The same pressures occur with other certifications and are generally handled by a rigorous accreditation process whereby certification auditors are carefully assessed to determine their suitability and rigour. I wonder whether PCI DSS has this? Are PCI DSS auditors re-assessed from time to time? Does the PCI consortium check the quality of their assessments, for example by independently re-auditing certified PCI compliant merchants to confirm whether they are truly compliant? If not, I doubt that the PCI DSS scheme warrants the confidence level it currently enjoys.

Email scams increasingly sophisticated

Two news stories illustrate the increasing sophistication of email security threats.

The New York Times describes the exploitation of someone's Web-based email account to send pleading messages to all their contacts, asking for money. The emails, of course, appear to come from the legitimate owner of the email address and are therefore more likely to be trusted implicitly by at least some of the recipients. This is far from the first time we've heard about hackers taking over webmail systems, eBay IDs and the like. How they acheive the take-over is not usually clear but there are several methods including brute-force guessing of the password, fooling the lame "I've forgotten my password" authentication checks, Trojan keyloggers and more.

Meanwhile, the Wall Street Journal reports on successful spear-phishing attacks against executive managers. The scammers send emails use the person's name and other identifying information (perhaps gathered from social networking sites or elsehere off the Web) to fool them into following dubious links. Their PCs are then infected with malware, typically keylogging Trojans according to the article. Thereafter, everything the exec types in (bank details, passwords, secret documents, whatever) is also available to the scammer. Nasty.

Both stories demonstrate the effectiveness of social engineering methods. We humans naturally trust our friends and acquaintances. Scammers who somehow succeed in appearing to be our friends and acquaintances are taking advantage of that trust.

UPDATE Dec 11th: The "I'm stuck in Nigeria - please send money" email scams evidently work just as well in India too.

Microsoft advice on social engineering controls

A useful guide from Microsoft explains a range of controls to reduce the threat of social engineering attacks. It's a 37-page Word document. Here's an extract from the overview:
"To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker—someone who tries to gain unauthorized access to your computer systems—are similar to those of any other hacker: they want your company’s money, information, or IT resources."

This document is part of Microsoft's Midsize Business Security Guidance collection.

10 Dec 2007

Social engineers steal $4m IT equipment

Brazen robbers conned their way into a shared data centre in London by posing as Policemen with a convincing story:
"The bogus police gained entry to the data centre by claiming that they were investigating claims that there were people on the roof of the building. Five data staff are thought to have been tied up, although none were seriously hurt."

This was clearly a social engineering incident.

7 Dec 2007

No Tech Hacking

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon, when in stock) looks like an interesting new book by Johnny Long, famous for his earlier book Google Hacking, and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion.

According to an interview in CSO Magazine, Johnny describes himself as a Christian hacker with plans to get the hacker community involved in charitable work. His writing reveals that he surely understands the Dark Side but, on the other hand, he does indeed openly promote the classical hacker ethic. Still, I'm quite sure Johnny would be the first to agree that social engineering and other hacker techniques could be classified as "dual use".

Kevin Mitnick clearly has Dark Side experience on his CV but, like Johnny, has achieved a lot without getting too deep into the technology.

I haven't read the book yet but it's on my Christmas wishlist (hint hint Santa).

Social engineer exploits Dutch employer

CSO Magazine reports on a security consultant cum botnet operator, PayPal account hijacker and fraudster. He infiltrated a Dutch company, exploiting the trust placed in him to install malware on thousands of machines. It's a salutory lesson in the need for pre- and para-employment vetting of employees in such sensitive positions.

Breach disclosure net widens

California State Bill 1386 was the first US bill to insist that organizations disclose to Californian citizens details of privacy breaches affecting their financial data, an idea since extended to around 40 US states.

SB1386 opened the flood gates when privacy breaches affecting millions of data subjects were disclosed. Prior to SB1386, even huge privacy incidents were successfully hushed up or downplayed by embarrassed (borderline unethical) organizations' spin doctors. SB1386 woke up an ignorant or complacent public.

The Californian law is now being extended to include privacy breaches involving medical and health insurance information under AB1298:
" AB 1298 adds two new breach-triggering data categories to the law of “health insurance information” defined as a health insurance policy or subscriber number(s), any information in an individual’s application and claims history, including any appeals records; and “medical information” including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional."

6 Dec 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Windows Proxy AutoDiscovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they go up the DNS tree and, under some ciscumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web.

Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server and offer a legitimate proxy config file ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.

Good luck!

4 Dec 2007

Social engineers infiltrate Shell

In a story about the Chinese attacking Western companies to obtain commercial advantage, The Times briefly mentions an alleged social engineering compromise of Royal Dutch Shell in Houston, Texas, by 'special interest group' of Chinese nationals. The brief story sounds remarkably similar to case studies in Ira Winkler's books, in which Chinese officials coerce Chinese nationals working abroad into providing insider information on targeted organizations.

Is this all just smoke and mirrors or a genuine threat? Despite being 'professionally paranoid', I normally dismiss claims about Chinese hackers and spies, specifically, as mere xenophobic propaganda by the US and its allies, especially when specific details of the alleged attacks are conveniently omitted. The Times refers to a letter from MI5 to 300 UK businesses warning them about the Chinese threat, and outlines an alleged Chinese Trojan attack on Rolls Royce. There are many other allegations flying around about the Chinese ... just as there were allegations about WMD in Iraq and Reds Under Beds. I'm not privvy to the inside track on these stories, but I bet the CIA and US/allies' secret services, diplomats and mercenaries are every bit as active in China and other "foreign places".

3 Dec 2007

Social engineering awareness module released

Security awareness - the key to counter social engineering attacks
Instead of trying to break into computer networks and systems which are protected by technical security control measures, social engineers prefer to compromise the people that configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers so social engineering remains a threat for all organizations, even those that have excellent technical security controls.

Almost anyone may be a social engineer. A social engineer is a person who is able to persuade someone else to part with information or something else of value. Parents can probably appreciate the social engineering skills of their children, even before they are able to speak!

In a work context, social engineers may be after sensitive company information: marketing strategies, details of our latest deals, pre-patent information, merger and acquisition plans etc. Such information may be extremely valuable to, say, a competitor. The social engineers may also need other pieces of information, such as login details for the network and a database server, in order to get to their ultimate goal.

Social engineers may also be interested in information about employees. Private investigators, for example, investigating suspected marital infidelity, may try to find out what time an employee normally leaves for home and where he is planning to go on his next business trip. Journalists might go fishing for information to corroborate a news story. Fraudsters and identity thieves would be interested in Social Security Numbers, bank account and credit card numbers, dates of birth etc.

Social engineers depend on being able to fool people into believing they have a legitimate right to information. The deception often works best if they look just like us: they dress like us, talk like us, behave like us. Which social engineer do you think would be more successful at ‘tailgating’ (following an employee into a building): someone who appears to be just another regular employee or someone wearing a stripy top and black face mask and carrying a bag marked SWAG? What about someone dressed as a maintenance engineer or policeman: would you refuse to let them pass? The deception is even easier on the telephone or email, since there are no visual clues to a person’s identity.

December’s NoticeBored security awareness module
identifies numerous social engineering risks and controls, and is lightly sprinkled with real world examples of incidents reported in the general news media. Making employees alert to the possibility of social engineering is the first step towards resisting attack.

[Please see December’s NoticeBored newsletter for more background and an analysis of the social engineering threat.]