Welcome to the SecAware blog

I spy with my beady eye ...

27 Mar 2008

New module on IT audit

IT audit is probably not one of the first topics you'd think of when planning a security awareness program but it does add value. The latest batch of awareness materials from NoticeBored explain what IT auditors do, what interests them and how they work. If your only experience of IT audit has been SOX (Sarbanes Oxley) work, you have a lot to learn!

25 Mar 2008

Desperate for data on 25m Brits FINAL UPDATE?

The BBC reports that a substantial reward is on offer for the return of two CD-ROMs that went missing in the post en route between two Government offices. They have searched numerous offices (including TNT, a well-known courier company) and at least one rubbish tip, and have completed some forensic analysis (presumably looking to see if individuals implicated in the incident might have something to hide), but these all came up blank. Having forlornly scaled down the search, a cash reward is now on offer and the British populace is warned to keep an eye out for identity theft or similar incidents.

The report notes several other personal information breaches at the Department concerned, and low staff morale as a result of the latest one. Given the sorry history of incidents, heads should roll. If public servants cannot be trusted to protect sensitive information provided to them by the public they serve, the public have every right to withhold information - but the civil disruption this would cause has far-reaching consequences.

UPDATE 19th Jan: more stories of improper disclosure of personal information by officials are adding to the Government's woes, and more importantly increase the risk of identity theft of British residents. Today we read that (1) a Ministry of Defence laptop, stolen from a car (doh!), contained personal details on 600,000 applicants to join the forces, some of whom will have provided the full nine yards necessary to undergo security clearance; and (2) papers containing personal data on benefits claimants were found strewn across a West country roundabout, for at least the second time in two months. The man who discovered the latest batch of papers found and reported a similar load at the same place in November. We don't know if any more papers might have been lost or abandoned there and discovered by criminals during the last two months, or indeed previously or subsequently. ['Strewn across a roundabout' is a rather extreme example of "unstructured data". An article in December 2007's ISSA Journal on managing unstructured data patiently explains how to get a grip on unstructured data in ten steps, most of which are virtually impossible to do in any Real World organization and all of which ignore paper records. Data Leakage or Loss Protection (DLP), another security industry buzzword, likewise deals with a small part of the problem, and not very well at that. \rant]

Who will be held accountable for these security screwups? Will anyone lose their job, be fined or end up in prison as a result? Somehow I doubt it. It is the British Government after all. A press release on AccountingWeb says:
"The Information Commissioner, whose office was established to protect personal information and take appropriate action where the law is broken, described the scale of the loss as “unprecedented” and stated that data protection laws have almost certainly been breached. This loss of information serves as a timely reminder to businesses and organisations that they are legally obliged to ensure the safety of personal information relating to individuals."

UPDATED Jan 20th: a USB stick lost by a hospital worker had personal details of thousands of patients but apparently it's OK because "The loss was an accident rather than any systematic failing in management and governance". I assume from the BBC item that the data on the memory stick were not encrypted. What's more, "diaries containing patients' names and addresses were stolen from staff cars in two separate incidents in June." There are two good examples of "a systematic failure of management and governance", and here's a third: local management evidently decided not to inform the patients about the loss of their personal data because, in their estimation, the data could not be used for identity theft. I hope the patients concerned will complain and the Privacy Commissioner will prosecute the hospital under the Data Protection Act.

UPDATE 22nd Jan: the MoD (that's Ministry of Defence, yes, Defence, Her Majesty's Government department charged with, and paid vast amounts of taxpayers' money for, protecting the Realm and maintaining the freedom of her people) has now revealed that it has lost laptops with sensitive personal data on potential recruits at least twice before. With typical British understatement, shadow defence secretary Liam Fox called it a "dreadful mess". He really is awfully, awfully sorry.

"Data on the laptop stolen in Edgbaston on 9 January included passport, National Insurance and driver's licence numbers, family details and NHS numbers for about 153,000 people who applied to join the armed forces. Banking details were also included for around 3,700 people ... It is clear that the database files were not encrypted, in breach of MoD procedures ... Some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004."

The same BBC news story reports that:
"The new rule on laptops comes in an e-mail from the Civil Service chief, Cabinet Secretary Sir Gus O'Donnell, to all government departments. It said: "From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises. Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance."

New rule? NEW RULE! From now on!! Someone has evidently been asleep at the wheel. The situation is completely out of hand in the UK. Government departments cannot ignore the law and have a clear duty to protect the personal information entrusted to them by citizens. They need to be held to account. If not, citizens will, quite justifiably, withhold their information from public bodies, like for example the tax office and social security department ... and there lies the route to anarchy.

UPDATE Jan 26th: The BBC reports that:
"Marks and Spencer has been found in breach of data protection rules after the theft of a laptop containing the personal details of 26,000 employees. The Information Commissioner's Office (ICO) said the data on the laptop, which was stolen from the home of an M&S contractor, was unencrypted. The ICO has ordered M&S to make sure all laptop hard drives are fully encrypted by April 2008."

So it would appear that laptop encryption is now mandatory in the UK for any organization handling personal data!

UPDATE 5 Feb 15th: 5,000 patients of a Dudley hospital face anxiety over possible identity theft thanks to the theft of a laptop. We're told the laptop was "password protected" which, as we all know, is spin on "not encrypted".

"A spokesman for the trust said the laptop and database were protected with two separate passwords, making it very difficult to access. He added: "We would like to apologise for any concern this matter has caused those patients affected and would like to reassure them that the information on the database is unlikely to be recoverable."

Yeah, right.

UPDATE #6 22 Feb 08: personal medical records on 3,000 patients in Bolton were dumped in landfill. Eee, it's grim up North.

UPDATE #7 Leapday: some good news at last! A laptop and CD which appears to have belonged to the Home Office has been recovered by Police after it was purchased on eBay and sent to a repair shop. Even better news is that the CD and laptop were encrypted. Police are investigating how it ended up there. The repairman should be congratulated for reporting it. As to whether Al Qaida is now moving into the laptop repair business, we can only speculate.

UPDATE #8 - the final update? With no end in sight, I'm getting bored of this blog item, so it's time to close with perhaps just a little hope for the future. I've just chanced across a Liberal Democrat's blog listing several security/privacy incidents that I've mentioned here and a few more for good measure. The blogger, Frank Little, describes himself as a semi-retired hack computer programmer. I'm not entirely sure if that's hack as in journo or hack as in hacker, but at least he has an obvious interest in the UK's data protection mess. Vote wisely at the next election!

22 Mar 2008

10,000 infected pages

McAfee has been warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.

This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia is a useful tool to track the release of patches - it keeps an eye on what's installed and what versions are current, alerting you when your system falls behind.

20 Mar 2008

Signature based AV is dead. Long live sig AV!

A malware article in CSO Magazine points out the ultimate futility of the signature-based antivirus detection and blacklisting mechanisms, given the escalating rate of release of new/variant malware and its inability to block data theft (which is what Data Leak Prevention is all about: personally, I never expected AV software to do this so that is a rather curious point).

The demise of signature-based AV detection has been predicted many times before but it stubbornly remains a relatively effective and inexpensive control, on the whole. I'm worried about bespoke malware, custom-written to infiltrate specific target organizations, but there, other techniques come into play, DLP and checksumming being two of them. So called "heuristic scanning" has a bad press for generating too many false positives, but that's another piece of the defense-in-depth puzzle, along with prompt patching and (of course) security awareness. There's no need to detect avoided malware.

CERT malware tips

CERT has re-issued a Cybertip on malware.

18 Mar 2008

Addressing the growing botnet threat

A 20 minute CERT podcast on botnets gives an overview of botnets - sizeable networks of compromised computers remotely controlled by hackers, used for stealing data, identity theft, hacking other systems and spamming. Hear how compromises occur, how botnets are used and controlled by the black hats, and how to secure your systems to avoid compromise and clean out bot infections.

If you don't have audio facilities on your system, or simply prefer to read, a transcript is also available.

A little collection of information security-related podcasts from CERT. They are aimed at busy executives with largely nontechnical content.

16 Mar 2008

Spyware impacts productivity

A single spyware infection on a work computer can impact the productivity of the typical small business employee for two-and-a-half days, according to research commissioned by the Computing Technology Industry Association (CompTIA).

A survey of employees at businesses with 10 to 200 computer users found that more than one in four computer users reported having their productivity impacted by a spyware infection during the past six months. Of these, more than one-third reported multiple spyware infections.

Definitions of spyware vary but the take-home message from this CompTIA study is simply that spyware is a widespread problem that impacts productivity.

14 Mar 2008

Drive-by malware alert

McAfee is warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.

This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia (or NSI for corporates) are useful tools to track the release of patches - it keeps an eye on what's installed and what versions are current, alerting you when new patches are released. PSI, the personal home-use version, is free and recommended.

10 Mar 2008

Tamper resistant =/= Tamper proof

Ross Anderson's team at Cambridge University has demonstrated physical security vulnerabilities in two of the devices commonly used to validate chip-and-PIN cards in the UK. The vulnerabilities would enable an attacker with sufficient physical access to the devices and some manual dexterity with a needle or bent paper clip to hack them, exposing PIN codes. With PIN codes plus data from the magnetic stripes, card hackers could create fake cloned cards that work in non chip-and-PIN validators (which are becoming uncommon in the UK now, but less so abroad), or in chip-and-PIN validators that fall back to the magstripes if card chips don't work.

This ably demonstrates the difference between "tamper resistance" and "tamper proofing". The chip-and-PIN security mechanism, like many others, was designed to resist certain attacks, not to prevent them. Compromises inevitably had to be made during the chip-n-PIN design specification process for the sake of cost, usability etc., including the decision to retain magstripes on chipped cards (as the team puts it, "Essentially, the vulnerabilities we exploit are not just a matter of hardware design, but also of the options many banks chose as they implemented EMV"). Hackers, as a breed, feed on such security compromises. There is no shortage of fodder. We've already seen miniature CCTV cameras plus magstripe readers used in the wild to capture PINs and card data on ATM skimmers, and chip-n-PIN device tampering in frauds at Shell service stations in the UK in 2006.

The team draws out some general lessons in the paper, aspects such as:
- the complexity of the EMV specifications (leading to local interpretations and the introduction of further unintended flaws)
- obvious conflicts of interest that result from equipment vendors selecting and paying security labs to assess their products against Common Criteria - something economists call "moral hazard" apparently - plus the commercial pressure on labs to issue pass slips like confetti (same with ISO/IEC 27001 certifications!)
- further issues that arise when product assessments and certifications are shrouded in secrecy, thanks to the whole banking industry closing ranks and lax controls by the UK's Common Criteria certification body (apparently, anyone can claim to have had their product Common Criteria Evaluated, whereas they must have actually passed the tests to claim Common Criteria Certified ...)
- the potential applicability of this kind of hack to other tamper-resistant mechanisms such as on electronic voting terminals. The same class of attack would probably succeed against devices using biometric mechanisms (fingerprints, iris scans, whatever) for user validation: if the codes sent by a biometric reader can be captured in the clear en route to the encryption/validation guts, they can probably be replayed or used for other attacks. Blog-reading designers of dual-interlock atomic missile launch fire biometric authorization mechanisms please take note. Tamper resistance has its limits.

The paper is well written and thought provoking for hackers and security professionals alike, even those with only fleeting interest in chip-n-PIN while paying for stuff.

7 Mar 2008

Inept phisher award

I just thought I'd share this little gem with you. It's possibly the most inept phishing email I've seen. The phisher has evidently heard of "ISO 27001" certificates and either hasn't got a clue what that means, or figures most of his victims won't understand.

I have removed the embedded URL for your safety. Who knows what kind of inept malware might be lurking there?

-----Original Message-----
From: Wachovia Connection banking Consumer support [mailto:techsupport@wachovia.com]
Sent: Thursday, 6 March 2008 11:14 p.m.
To: press@globalsecurityweek.com
Subject: Notice: : New Certificates 2008 wachovia.com


All Users - Must Accept New Digital Security Certificate 2008 (SecurityISO 27001 Certification Consulting)

Customers of numerous banks have been victims of ACH and wire transfer fraud in recent weeks, resulting in the origination of unauthorized ACH entries and wire transfers from customers' computer systems.

Wachovia Enhanced Security Authentication
We have enhanced the Wachovia security access to further safeguard access to your account information.

Starting from tomorrow system of access to work fields is transferred to coding with a certificate. It means that your password and ID will not be changed but will be logged differentially. The only necessary conditions includes the following: you only need to log the first source-certificate which will generate further conversion. Thereto you have to follow the link http://wc.wachovia.com/online [real URL deleted GH] and enter your access code and ID in the appropriate fields.

We would like to draw your attention to the fact that all fields must be filled out, otherwise the system will block escape to the next level and you can not start work with your personal data.

Should all necessary fields be filled in and password and ID concur with those registered in our system, you will get access to the work field. After that your personal identification Certificate will be successfully logged in the system. No other operations from your part are required.

Thank you for cooperation and support.
IT Security Department

© 2008 Wachovia Corporation. All rights reserved.

5 Mar 2008

Fraud Awareness Week

Government departments in Australia and New Zealand, in collaboration with some local banks and other firms, have launched Fraud Awareness Week 2008 with a website offering two quality posters (one two), a plain leaflet and a tri-fold leaflet.

Their simple message is "Fight the scammers. Don't respond."

The after-the-early-evening-news current affairs program on NZ TV has run stories on a similar theme this week.

The main website address is supposed to be www.SCAMwatch.govt.nz although this currently redirects to www.consumeraffairs.govt.nz/scamwatch/fraud-awareness/FAW2008.html which is ironic really, since misleading links and browser tricks are often part of the scammer's toolbox.