Welcome to the SecAware blog

I spy with my beady eye ...

30 Dec 2008

New awareness module on hacking

What makes hackers tick? Who are they? What is the difference between hacking and cracking? Are phreaks and social engineers hackers too? And most of all what can we do to avoid being hacked? We can't promise to answer these questions fully but our latest NoticeBored security awareness module does at least address them.

Please sign-up here to receive the free monthly awareness newsletter. We will be using Google Groups in future rather than Topica to circulate the newsletters but unfortunately this means everyone on the current mailing list must make the effort to join the Google Group to continue getting them [we'd have migrated all your email addresses ourselves except that some might consider that a privacy violation!].

28 Dec 2008

capitally Challenged 419er

Anti-Terrorist and Monitory Crimes Division.
Federal Bureau Of Investigation.
J. Edgar. Hoover Building, Washington D.C
Telephone Number : (206) 984 - 0470


This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke, none officials of Oceanic Bank, none officials of Zenith Bank and some impostors claiming to be the Federal Bureau Of Investigation agents.
Oh, OK, so I'm supposed to suspend disbelief for a moment and accept that the FBI is writing to me out of the blue, with a grammatically incorrect and anonymous email, warning me about impostors from Nigeria? Right. Let's see what they want ...

During our Investigation, it came to our notice that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment.

So therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in the total amount of $800,000.00 USD which will be deposited into an ATM CARD which you will use to withdraw funds anywhere of the world. You now have the lawful right to claim your funds which have been deposited into the ATM CARD.
I haven't fulfilled my Financial Obligation, eh? And you want to send me an ATM CARD which, by some curious method I don't understand, will contain $800 grand? Why the Spurious Capitals, SUNSHINE?
Since the Federal Bureau of Investigation has been involved in this transaction, you are now to be rest assured that this transaction is legitimate and completely risk-free as it is our duty to Protect and Serve citizens of the United States Of America. All you have to do is immediately contact the ATM CARD CENTER via E-mail for instructions on how to procure your Approval Slip which contains details on how to receive and activate your ATM CARD for immediate use to withdraw funds being paid to you. We have confirmed that the amount required to procure the Approval Slip will cost you a total of $150 USD which will be paid directly to the ATM CARD CENTER agent via Western Union Money Transfer / MoneyGram Money Transfer. Below, you shall find contact details of the Agent whom will process your transaction:
I guess I should expect the ATM CARD to be processed by an ATM CARD CENTER, but I'm a bit puzzled about the need to procure an Approval Slip. Surely the mighty FBI can just make a deposit straight into my bank account? I don't have $150 USD to fritter away on this kind of nonsense, especially via Western Union or MoneyGram. Last time I checked, I was not criminally insane.


NAME: MR. Paul Bryant

EMAIL: atmworldcenter991@gmail.com

Immediately contact Mr. Paul Bryant of the ATM Card Centre with the following information:

Full Name:
Zip Code:
Direct Phone Number:
Current Occupation:
Bank Name:
Oh, but I thought I was dealing with the ATM CARD CENTER. Is this a different place? Or have they just discovered that marvellous invention called CAPS LOCK? Surely the mighty FBI already knows my address, phone number, current occupation and the name of the bank that, apparently, has been scamming me? After all, it was they who supposedly discovered the scam.
Once you have sent the required information to Mr. Uzoma Dominic he will contact you with instructions on how to make the payment of $150 USD for the Approval Slip after which he will proceed towards delivery of the ATM CARD without any further delay. You have hereby been authorized/guaranteed by the Federal Bureau Of Investigation to commence towards completing this transaction, as there shall be NO delay once payment for the Approval Slip has been made to the authorized agent.
Oh oh, I see Mr Paul Bryant has taken a leave of absence half way through this email. Poor Mr Bryant. I guess he's gone to spend all the advance fees he's been making lately.
Once you have completed payment of $150 to the agent in charge of this transaction, immediately contact me back so as to ensure your ATM CARD gets to you rapidly.

FBI Director
Robert Mueller.

NOTE: To ensure you have been AUTHORIZED to pay the required fee's stated above, kindly find below an Authorized Signature and also our Federal Bureau Of Investigation NSB ( National Security Branch ) Seal to accurately guarantee your safety towards completing this transaction.
Phew, what a relief! A seal to accurately guarantee my safety! I'll put it in my wallet in place of the $150 USD shall I?

26 Dec 2008

Will your cellphone spill your secrets

As the title suggests, Will your cellphone spill your secrets focuses on privacy exposures from lost cellphones but the same considerations apply to other gizmos of course.

The loss of a gizmo is more than just a privacy issue: we become very attached to, if not dependent on, them. Speaking personally, I'm terrible at remembering names, let alone phone numbers, email addresses, passwords and so forth, so I rely heavily on the technology to do the remembering for me. Naturally, being a security freak, I use encryption and other controls to protect such sensitive information, so the privacy side is less of a concern than me simply losing access to all that valuable information ... so don't forget backups. Decent backups. Off-line backups with the backup media stored securely. It's a bit of a pain to take them but it's far worse to lose a gizmo (whether by leaving it on the back seat of a cab or on the roof of a car, having it stolen, dropping it in a puddle or some other accident or hardware failure ... actually, thinking about it, there are quite a few ways!) and not be able to recover the data.

Here are some simple tips to reduce the risk:
- Transfer new phone numbers from your cellphone to a diary/contacts database such as Outlook every so often, and while you're at it, look through the contacts for any that should be put on your phone. Try to make this a routine activity, perhaps once every month or two;
- Make a separate database of important contacts, for example to feed a form letter notifying them of change-of-address details. Keep a copy of this with you when you travel;
- Use encryption and other available access controls such as a PIN code to unlock your phone/SIM card, PDA etc.;
- Avoid taking all your gizmos with you when traveling - just the ones you need - and try to keep them physically about your person (e.g. not in checked-in hold baggage);
- Make an inventory of your gizmos with models, serial numbers, distinguishing marks etc. so that if you lose any, you can at least describe them properly to the Police or the Lost And Found office;
- Use those 'distinguishing marks' proactively to identify your gizmos e.g. mark the case with your name, phone number, email address or whatever, trying not to make the privacy exposure even worse but making it easier for finders to return them to you;
- Don't forget to erase personal data properly from gizmos when disposing of them. A simple 'delete' is unlikely to be sufficient, since it typically removes only the index entry and leaves the data recoverable. See NIST's SP 800-88 for the full nine yards.

24 Dec 2008

Ultraportables - are they really "special"?

"Ultraportable" lightweight slimline laptops are all the rage, apparently (I've been using them for years already - ahead of my time maybe, or just wary of the old luggable portables?). A Computerworld piece "Small laptops pose a big security threat" claims that because they run with "a stripped down" Linux or Windows XP operating system instead of, presumably, Vista, they are inherently insecure. Well, maybe there are drawbacks but I'm not entirely convinced that they are significant - properly configured, I would rate XP and Linux at least as secure as, if not more secure than, Vista.

On the physical security front, there are arguments both ways. Ultraportables may have less physical protection, making them more vulnerable to knocks (less so the ones with solid state drives), and they are perhaps more likely to be lost or stolen due to their portability. On the other hand, I carry mine in a standard briefcase or portfolio rather than an obvious "laptop bag", making theft less likely, I hope.

The article's comments on WiFi and USB connectivity are irrelevant since the same applies to standard laptops, and I really don't agree with the author's comments to the effect that ultraportables are treated carelessly like toys, except perhaps in the case of the very cheap ones. The truth is that, for many years now, the value of personal and corporate data on the average PC has far outstripped its hardware replacement value. The equipment is, in corporate terms, disposable with near zero book value, though the data on it or accessible from it may well be the most valuable asset [not] on the company's books.

The article's final points about the need for user security awareness ring true at least.
"Employee education in acceptable-usage practices is a must, regardless of the IT security systems used, Enderle says. Leja agrees. "You have to count on continual security awareness," she says. "Make sure that [students or employees are] being conscientious, and then use the few tools that do exist to help."
Hear hear!

19 Dec 2008

HMG loses two gizmos a week

In the past year, the British Government admits to having lost:
  • 53 computers
  • 36 BlackBerrys
  • 30 mobile phones
  • 4 memory sticks; and
  • 4 disc drives.
If we assume that the devices had just 1 GB of data storage each (a low estimate for some, I'm sure), that's 127 GB of data gone walkies. Some of them were hopefully strongly encrypted - let's be generous and say half, bringing the exposure down to 63.5 GB of unencrypted data. By my calculation, that's equivalent to a pile of printed papers more than 50 feet high.

The reported number of lost devices is certainly an underestimate, since (a) it's self-reported by government officials; (b) it excludes the Ministry of Defence and the Home Office, who did not respond to the request for information; (c) government employees probably use, and lose, personal devices for official work; and (d) it excludes other formats, e.g. lost CD/DVD-ROMs and actual papers.

As to whether it is acceptable for Her Majesty's Government to lose at least 50 feet of printed papers per year, that depends on whether your privacy was compromised I guess.

16 Dec 2008

Gizmo security cluelessness

Looks like McCain's team need to read the latest NoticeBored module on security for gizmos ... oh wait, it's too late. They sold at least one information-packed BlackBerry to a reporter ...

12 Dec 2008

How to create a security policy for social networks

The security risks associated with social networking sites such as Facebook and LinkedIn are pointed out by a well-balanced piece on SearchSecurity by David Sherry, CISO of Brown University. Unusually for this kind of article, the author describes a reasonably comprehensive range of security controls that organizations might adopt to minimize the risks. I'm pleased to note that security policies and awareness are among the recommendations, and in fact the security issues arising from social networking can be used as an awareness-raising topic:
"Social networking risks are also a great way to enhance security awareness throughout an organization and build convergence with key decision makers and leaders. Social networking is a familiar term, but one that may not conjure up risks to the enterprise. Many other areas of the corporation, while focusing on risk and some aspects of security, may need to be educated and consulted when creating a policy or modifying your appropriate use policy. Include senior representatives from human resources, risk management, privacy, physical security, audit and legal in your preparations and response to social networking risks. A stronger partnership, and ultimately a stronger policy and process, will surely result from reaching out to them."
Our recent NoticeBored security awareness module on social engineering used example scenarios based on LinkedIn and other social networking sites for exactly this purpose. We suspect few managers think of LinkedIn as a social networking site, let alone consider the security implications of publishing all sorts of personal information about themselves. It's a useful topic to get their attention.

4 Dec 2008

Security awareness for less than $1,000 per year

Despite our standard subscription charges being probably the lowest in the marketplace, some prospective customers struggle to find any money for security awareness. We are very conscious of the global credit crunch and financial turmoil out there so, for a trial period, we are offering a special SME version of NoticeBored for less than US$1,000 per year. Read more about NoticeBored Lite.

3 Dec 2008

Gizmo security awareness

December's NoticeBored module covers security issues associated with gizmos. Please visit the website or read the newsletter to discover what gizmos are and find out about the security issues.