Showing posts from 2007

EPO incident

If like me you've been wondering over the Christmas break "Just how many computer specialists does it take to reset an Emergency Power Off [EPO] button?", here's your answer from the latest RISKS mailing list digest: "A Sacramento County computer technician has pleaded guilty to trying to shut down California's power grid by pushing a button marked "Emergency Power Off," authorities said. Lonnie Charles Denison, 33, of South Natomas, admitted Friday in U.S. District Court in Sacramento that he went into a room at the Independent System Operator's data center in Folsom (Sacramento County) on April 15, broke a glass cover and pushed the button, prosecutors said. Denison, a contract employee at the data center, was upset with his employer, authorities said. The ISO oversees electricity purchases and distribution. Denison prevented the data center from communicating to the electricity market for about two hours, leaving the electrical power grid v...

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls, as we head towards the new year. My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.

Awareness module

Offices are the “information factories” where most of an organization’s intellectual property gets created and processed, and where a lot of information assets are stored. They are the knowledge workers’ natural habitat. Some of us practically nest in our cubicles. Numerous information security risks affect offices, including IT/computer security and telephony risks from viruses, power glitches, IT/network capacity and reliability issues, physical security risks such as thefts, fires and floods, and process-related risks, e.g. if untrustworthy visitors are not properly authenticated on arrival or are allowed to wander freely around the offices. Although we have covered office security issues in many other NoticeBored modules, almost all of the materials have been written from scratch for this one, bringing them all together in a context that most employees will relate to.

CISSP course in Dubai

If you or someone you know in the Middle East is thinking of taking the CISSP exam, Clement Dupuis will be leading a boot camp-style intensive CISSP training course in Dubai on 11-15 February 2008. Clement has stacks of experience at CISSP training and will be using Shon Harris' course materials, recently updated to reflect the latest CBK. The course is being offered in conjunction with the Open Information Systems Security Group. For those who don't know Clement, he is the inspiration and driving force behind CCcure.org, recommended reading for all CISSP candidates and indeed for those seeking other information security qualifications or who simply want to keep their knowledge and skills up-to-date.

A Christmas present for ordinary computer users

Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users. The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype, perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better. Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user-friendly option you'd recommend?

UK insurance firm fined for pretexting incidents

The UK's Financial Services Authority has fined insurer Norwich Union £1.26m as a result of inadequate protection of customers' personal data: "The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders. Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered. The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006. The FSA says its investigation found that Norwich Union Life failed to properly ...

Why HTML email is BAD

The screenshot is an email spotted today in my spam box. It's a conventional phishing email with a classic call-to-action and a link whose URL takes victims to the phishing site rather than CitiBusiness. What caught my eye, though, was the hex-encoded gibberish at the bottom. I can't be bothered to convert it all to readable characters and probably don't have the skills necessary to analyze it and figure out exactly what it's doing, but the few unencoded words (api, update, end, exe, create, engine, close, define, revision, tmp, hex, URAW, rev., create, root:, LHY, serv, 22MP., source:, Y1TM, cvs, revision, 60T, 376T:) do rather give the game away: it looks like some sort of attempt to get victims' email software to execute code. My bet is that it exploits a bug in the way HTML emails are handled. Needless to say, my machine is configured to read emails as plaintext. I can live without the fancy text formatting, and malwa...

Carelessness threatens privacy

Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft:

1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea.
2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another.
3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust.

If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper, but CD-ROMs or DVDs seem so insignificant. Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situati...

Social engineering bots pass Turing test

"Robot chatters are just one type of social-engineering attack that uses trickery rather than a software flaw to access victim's valuable information. Such attacks have been on the rise and are predicted to continue to grow." If you frequent chat and dating sites, especially Russian ones it seems, beware robots posing as fellow frequenters that chat with you, flirt with you even, and extract personal information. From the news report, it sounds like this bot passes the Turing test.

Security awareness a commonplace concern

A survey of information security concerns at 455 US SMBs (small to medium sized businesses with 5 to 1,000 employees) is mostly same old same old but one statistic caught my eye (see graph above). Three-quarters of those surveyed believe that security awareness would help to improve the level of security in their company. Most SMBs are not that bothered about their security budget or how many security people they have. "Employees are not the only people who need to be ‘educated’. One in four IT executives want senior management to have a better understanding of security issues as this could have a bearing on the overall level of network security and, possibly, the range of security measures that could be implemented." Why is it, I wonder, that security awareness is in such high demand? It's great for our business, of course, but still I'm curious as to the attraction. Is it that security awareness is just too difficult for most people? Or is it just this month...

PCI DSS audit accreditation

An Australian security consultancy's blog entry on their failure to win PCI DSS audit assignments ably demonstrates a severe conflict of interest in this market. They have been losing out to competitors who promise to complete the audits much quicker and (implicitly at least) to certify the client compliant. The commercial pressure is clear: the process of applying and qualifying to become a PCI DSS auditor is expensive in both time and $$$$. If auditors who intend to audit clients properly against the standard consistently lose bids to those who (allegedly) will do a superficial audit and pass the client almost regardless of the findings, then they will eventually face a tough choice. Uphold their principles or compromise them just to recoup their costs and stay in the business. The same pressures occur with other certifications and are generally handled by a rigorous accreditation process whereby certification auditors are carefully assessed to determine their suitability an...

Email scams increasingly sophisticated

Two news stories illustrate the increasing sophistication of email security threats. The New York Times describes the exploitation of someone's Web-based email account to send pleading messages to all their contacts, asking for money. The emails, of course, appear to come from the legitimate owner of the email address and are therefore more likely to be trusted implicitly by at least some of the recipients. This is far from the first time we've heard about hackers taking over webmail systems, eBay IDs and the like. How they achieve the take-over is not usually clear but there are several methods, including brute-force guessing of the password, fooling the lame "I've forgotten my password" authentication checks, Trojan keyloggers and more. Meanwhile, the Wall Street Journal reports on successful spear-phishing attacks against executive managers. The scammers send emails using the person's name and other identifying information (perhaps gathered from social ...

Microsoft advice on social engineering controls

A useful guide from Microsoft explains a range of controls to reduce the threat of social engineering attacks. It's a 37-page Word document. Here's an extract from the overview: "To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker—someone who tries to gain unauthorized access to your computer systems—are similar to those of any other hacker: they want your company’s money, information, or IT resources." This document is part of Microsoft's Midsize Business Security Guidance collection.

Social engineers steal $4m IT equipment

Brazen robbers conned their way into a shared data centre in London by posing as policemen with a convincing story: "The bogus police gained entry to the data centre by claiming that they were investigating claims that there were people on the roof of the building. Five data staff are thought to have been tied up, although none were seriously hurt." This was clearly a social engineering incident.

No Tech Hacking

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon, when in stock) looks like an interesting new book by Johnny Long, famous for his earlier book Google Hacking, and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion. According to an interview in CSO Magazine, Johnny describes himself as a Christian hacker with plans to get the hacker community involved in charitable work. His writing reveals that he surely understands the Dark Side but, on the other hand, he does indeed openly promote the classical hacker ethic. Still, I'm quite sure Johnny would be the first to agree that social engineering and other hacker techniques could be classified as "dual use". Kevin Mitnick clearly has Dark Side experience on his CV but, like Johnny, has achieved a lot without getting too deep into the technology. I haven't read the book ye...

Social engineer exploits Dutch employer

CSO Magazine reports on a security consultant cum botnet operator, PayPal account hijacker and fraudster. He infiltrated a Dutch company, exploiting the trust placed in him to install malware on thousands of machines. It's a salutary lesson in the need for pre- and para-employment vetting of employees in such sensitive positions.

Breach disclosure net widens

California State Bill 1386 was the first US bill to insist that organizations disclose to Californian citizens details of privacy breaches affecting their financial data, an idea since extended to around 40 US states. SB1386 opened the flood gates when privacy breaches affecting millions of data subjects were disclosed. Prior to SB1386, even huge privacy incidents were successfully hushed up or downplayed by embarrassed (borderline unethical) organizations' spin doctors. SB1386 woke up an ignorant or complacent public. The Californian law is now being extended to include privacy breaches involving medical and health insurance information under AB1298: "AB 1298 adds two new breach-triggering data categories to the law of “health insurance information” defined as a health insurance policy or subscriber number(s), any information in an individual’s application and claims history, including any appeals records; and “medical information” including any information regarding an ...

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Windows Proxy AutoDiscovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference. The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they go up the DNS tree and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web. Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a r...

Social engineers infiltrate Shell

In a story about the Chinese attacking Western companies to obtain commercial advantage, The Times briefly mentions an alleged social engineering compromise of Royal Dutch Shell in Houston, Texas, by a 'special interest group' of Chinese nationals. The brief story sounds remarkably similar to case studies in Ira Winkler's books, in which Chinese officials coerce Chinese nationals working abroad into providing insider information on targeted organizations. Is this all just smoke and mirrors or a genuine threat? Despite being 'professionally paranoid', I normally dismiss claims about Chinese hackers and spies, specifically, as mere xenophobic propaganda by the US and its allies, especially when specific details of the alleged attacks are conveniently omitted. The Times refers to a letter from MI5 to 300 UK businesses warning them about the Chinese threat, and outlines an alleged Chinese Trojan attack on Rolls Royce. There are many other allegations flying around a...

Social engineering awareness module released

Instead of trying to break into computer networks and systems which are protected by technical security control measures, social engineers prefer to compromise the people that configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers so social engineering remains a threat for all organizations, even those that have excellent technical security controls. Almost anyone may be a social engineer. A social engineer is a person who is able to persuade someone else to part with information or something else of value. Parents can probably appreciate the social engineering skills of their children, even before they are able to speak! In a work context, social engineers may be after sensitive company information: marketing strategies, details of our latest deals, pre-patent information, merger and acquisition plans etc. Such information may be extremely valuable to, say, a c...

One in two Brits at risk of identity theft, admits HM Government

After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs office failed to arrive at the National Audit Office, questions were asked in Parliament. Yes, AFTER the event. Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage. The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being sent by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and dow...

Password video

Watchfire's latest awareness video offers advice on choosing a strong password, in the style of a 1950s public service announcement (but with modern-day video effects: look out for the steaming hot coffee and more). Watch as hapless Bud makes every password mistake in the book! Shudder as he blunders through one near calamity after another. Chuckle at the painful familiarity of his plight. Will Bud ever succeed in his quest to LOG IN? Short videos like this are good to break up security awareness/training presentations.

Singapore sling

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics. So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to thin...

ISSA eSymposium on PCI compliance

ISSA has a “PCI Compliance” webcast on December 6th 2007. Speakers will present "live and online", giving you the opportunity to interact in real-time from the convenience of your desk. Register for this free event.

Who's responsible for security awareness?

A blogger bemoaning the effect of inadequate awareness and training on mobile computing and wireless networking security asks who should be responsible for it. Why do so few organizations run comprehensive security awareness and training? The blogger seems to think the CIO, or possibly HR, should be responsible but I'm not sure about either of those suggestions. Most CIOs naturally focus on IT - as in technical - security, if indeed they take any interest in security. Relatively few HR people I've worked with have had much interest in IT, let alone information security. No, it seems to me the blogger has created a false dichotomy, offering a choice of two inappropriate owners. The more appropriate home for security awareness is surely the Information Security Manager, especially if management are open-minded enough to ensure that the ISM role has influence right across the enterprise, rather than being buried out of sight in the depths of IT. The ISM should be working ha...

New PCI security standard

The Payment Cards Industry (PCI) Security Standards Council (SSC) is adopting Visa's Payment Application Best Practices (PABP) standard as the Payment Application Data Security Standard (PA-DSS). It is due to be finalized and released early in 2008. Anyone wishing to access and contribute to the draft standard must join the PCI SSC (i.e. this is not an open standard). PA-DSS will presumably be implemented by mandating it on those developing commercial credit card applications (not those developed and used internally) and checking their compliance through a network of Qualified Security Assessors (QSAs), accredited by PCI SSC. It will complement the existing PCI Data Security Standard (PCI DSS).

Chicago data center robbed, again

A Chicago shared data center (a "co-location facility") has been broken into and robbed for the fourth time in two years, despite claiming physical security measures that would put some data centres to shame. Masked robbers allegedly broke in through a wall using a power saw (although this is disputed by customers who visited the site), tasered and hit the center manager, and made off with a hoard of servers worth at least $20k (presumably that's just the hardware cost: the data content could be worth rather more, and CI Host customers whose websites are down are fast losing their customers). The following physical security controls are mentioned in the Register piece and on CI Host's website, although the existence of some is doubted by slashdotters:

- Multiple layers of 24x7 security cameras with 360-degree perimeter and roof surveillance and Facilities 24 hour DVR systems with 14 day video storage (foiled by masks and by allegedly stealing the CCTV equipment) ...

IT audit checklist on privacy/data protection

A new checklist from the IT Compliance Institute on privacy and data protection suggests some 270 items to check, and offers advice and tips on the associated controls. It also gives hints on what the auditors do/don't expect to see, good for getting your house in order before they call.

National paranoia index

Unisys is using market survey techniques to assess public perceptions of the state of security in various nations. I'm not entirely clear quite what the survey tells us (other than the general state of paranoia in the countries surveyed), or what use it is (apart from the pharmaceuticals companies selling brain-calming drugs), but no doubt selected numbers will magically appear in assorted PowerPoint slide decks in due course supporting all sorts of hypotheses.

New US infosec laws

SecurityCatalyst blogs on two new US information security laws. Minnesota's Plastic Card Security Act adds a legal mandate to PCI DSS. The Identity Theft Enforcement and Restitution Act gives victims of identity theft compensation rights. I'm hunting for more information on both of these and will provide an update if I have anything to add to SecurityCatalyst's post.

A virtuous circle for information security management

A blog describing Intel's 'defense in depth' approach to information security has a neat description of the 4 main phases: (1) Prediction (essentially risk assessment); (2) Prevention, i.e. classic preventive security controls; (3) Detection and monitoring for threats that evade, disable or bypass preventive controls; and (4) Response and recovery - corrective controls, a last resort. Add a pinch of continuous improvement to learn from every event, and there you have it. Sure beats ISO/IEC 27001's somewhat simplistic plan-do-check-act model! [By the way, Intel, the 'defense in depth' concept also applies within any of those phases, e.g. using multiple information sources to broaden and deepen the analysis of security vulnerabilities in phase 1, or combining real-time alerting with near-time log analysis in phase 3.]

Creatures of the Net

Spooks everywhere will enjoy the University of Arizona's novel take on Hallowe'en. Four ghostly hours of security awareness on a ghoulish theme. Now that's an idea ...

Which is the real First Niagra?

A trademark spat between two financial services companies reveals a deeper issue. First Niagara Insurance Brokers use the domain FirstNiagra dotcom. First Niagara Financial Group, previously known as Lockport Savings Bank, changed its name in 2000 and tried to purchase FirstNiagra dotcom from the present owners, who refused. They then registered First-Niagra dotcom as their address for emails. Customers of First Niagra Financial Group sometimes forget to include the crucial hyphen when emailing them, so their emails end up at First Niagra Insurance Brokers. Some emails contain sensitive information because (shock! horror!) customers sometimes send Social Security Numbers etc. in plaintext emails. With clear evidence that customers are being confused by the similar domain names, the trademark infringement issue shouldn't be too taxing on the judge, but this case may perhaps open Pandora's box on similar cases.

ITCi Journal

The IT Compliance Institute's journal should be on your reading list if compliance is on your radar screen. The Fall 2007 issue has good articles on ISO/IEC 27001 & 27002 vs. NIST's SP800 series, symmetric encryption key management and eDiscovery. The piece 'Holding auditors accountable for data security' is not about making internal auditors accountable for the organization's information security, but rather about the obligations on external auditors to secure privileged information they obtain during the course of audits. For a while it seemed de rigueur for big-name auditors to lose laptops containing confidential client information, but I can't recall any similar breaches since about 18 months ago. Did the audit firms clean up their act, or are these stories no longer newsworthy? Being of a cynical nature, I suspect the latter. Anyway, the article advises great caution when handing highly sensitive business records to the auditors, for example requiri...

Standards are for everyone else, not BSI

When I tried to notify BSI-Global (formerly the British Standards Institute) about a possible phishing email using them as a lure this morning, their automated mailing system sent me the following curt response: "This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. abuse@bsi-global.com" So much for standards. RFC 2142 has only been out there for ten years. Perhaps BSI is above the standards that apply to us lesser mortals?

Resistance is useless

You know you want it: the new security compliance module. We stripped down and completely rebuilt the 'laws, regulations and standards' awareness module last delivered 3 years ago and soon realized what business people mean when they complain about the compliance load. When you look into it, there's a huge pressure to comply with externally-mandated laws, regulations and standards, plus the rules organizations make up for themselves: the strategies, policies and contractual terms. Being a security awareness service, we focus on the information security rules of course, but I believe there are one or two non-information-security laws, regs and standards out there too ...

Iron Mountain security failures continue

Iron Mountain Inc. is back in the headlines again - this time a customer's storage media went missing from an Iron Mountain truck when the driver "did not follow established company procedures when loading the container onto his vehicle". The backup device belonging to the Louisiana Office of Student Financial Assistance (LOFSA) contained thousands of names, birth dates and Social Security numbers. It was unencrypted - evidently LOFSA is "working on a plan to encrypt all backup data stored off site". It was also "in the process of developing our disaster and recovery plan, but [the loss] occurred before we could get it in place and establish it as a standard plan". [Shakes head, muttering incoherently]

Yet another redaction failure

... this time it reveals the face of a man accused of sexually abusing boys in Vietnam and Cambodia. Photos of the man were redacted using a swirly filter effect that police somehow reversed. The resulting image is clearer than most CCTV snaps we see on TV crime watch programs. Presumably the same kind of techniques would work on similarly redacted digital photos of vehicle license plates, associates of criminals and so forth. Provided there is sufficient original data in the redacted image, and provided the manipulation can be reversed without too much data loss, it's feasible. Stories about un-redacting documents by cutting-and-pasting the original words from 'beneath' black boxes crudely added to PDFs etc. are simply passé. The take home lesson for today is this: if something needs to be redacted, do it properly by removing, not just manipulating or covering the original data. There's a lot to be said for the 'print out -> obliterate with marker pen ->...

Automated field gun kills 9

This tragic story speaks for itself. After the operators cleared a jam in a Swiss/German Oerlikon 35mm MK5 anti-aircraft twin-barrelled gun during a live-firing military exercise, the gun turned to the left and fired a rapid burst of ½kg cannon shells directly at adjacent guns in the line, killing 9 soldiers and injuring 14. At the time, the gun was supposedly on 'manual', locked on to a target 1.5 to 2km away. On 'manual', it should not have turned at all. According to news reports, "Defence pundit Helmoed-Römer Heitman told the Weekend Argus that if 'the cause lay in computer error, the reason for the tragedy might never be found.'" If 'computer error' equates to bug, then I can only assume the software must be horrendously complex and opaque to be so resistant to analysis ... which it probably is if it combines target acquisition/identification, range finding, gun control, oh and safety. The South African Department of Defence is under...

Tips for physically securing your IT equipment

A page from the University of Bristol's new security awareness site, aimed at students, offers some worthwhile advice on avoiding physical damage or loss to your IT equipment, things like:

- Don't cover the PC or monitor with anything (fire risk)
- Don't drink near the system (water damage risk)
- Don't be in a rush (a common explanation for why laptops etc. get left on public transport is that the owner was in a hurry ... I suspect asking students to get out of bed 5 minutes earlier is a bit of a tall order).

The rest of the site is straightforward enough - basic advice on antivirus, firewalls, patching, backups and so on. Not a bad start.

Who owns what you throw away?

An interesting angle on the dumpster-diving craze comes from Singapore. A judge has previously ruled that confidential information discovered in the trash cannot be used against someone, but the issue is to go to appeal. It seems to me the burden is and should be on the person discarding information to take care to make it unreadable, for example by cross-cut shredding and burning. It seems fair to me that it's their fault if they fail to take sufficient physical security measures to protect the information.