Posts

Showing posts from December, 2007

EPO incident

If like me you've been wondering over the Christmas break "Just how many computer specialists does it take to reset an Emergency Power Off [EPO] button?", here's your answer from the latest RISKS mailing list digest : "A Sacramento County computer technician has pleaded guilty to trying to shut down California's power grid by pushing a button marked "Emergency Power Off," authorities said. Lonnie Charles Denison, 33, of South Natomas, admitted Friday in U.S. District Court in Sacramento that he went into a room at the Independent System Operator's data center in Folsom (Sacramento County) on April 15, broke a glass cover and pushed the button, prosecutors said. Denison, a contract employee at the data center, was upset with his employer, authorities said. The ISO oversees electricity purchases and distribution. Denison prevented the data center from communicating to the electricity market for about two hours, leaving the electrical power grid v...

Top information security risks for 2008

We have completed and published our collaborative white paper listing the top information security threats, vulnerabilities and impacts, along with some risk scenarios and controls , as we head towards the new year. My sincere thanks are due to all who participated in the project, contributing directly to the shared document on Google Docs or commenting on it through the fora. I suspect there are still several points of disagreement but I hope we are all reasonably happy with the end result. I have certainly enjoyed the process and value the discussion.

Awareness module

Offices are the “information factories” where most of an organization’s intellectual property gets created and processed, and a lot of information assets are stored. They are the knowledge workers’ natural habitat. Some of us practically nest in our cubicles. Numerous information security risks affect offices, including IT/computer security and telephony risks from viruses, power glitches, IT/network capacity and reliability issues, physical security risks such as thefts, fires and floods, and process-related risks e.g. if untrustworthy visitors are not properly authenticated on arrival or are allowed to wander freely around the offices. Despite us having covered office security issues in many other NoticeBored modules, almost all of the materials have been written from scratch for this one, bringing them all together in a context that most employees will relate to.

CISSP course in Dubai

If you or someone you know in the Middle East is thinking of taking the CISSP exam, Clement Dupuis will be leading a boot camp-style intensive CISSP training course in Dubai on 11-15 February 2008. Clement has stacks of experience at CISSP training and will be using Shon Harris' course materials recently updated to reflect the latest CBK. The course is being offered in conjunction with the Open Information Systems Security Group . For those who don't know Clement, he is the inspiration and driving force behind CCcure.org , recommended reading for all CISSP candidates and indeed for those seeking other information security qualifications or who simply want to keep their knowledge and skills up-to-date.

A Christmas present for ordinary computer users

Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users. The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype , perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better. Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user friendly option you'd recommend?

UK insurance firm fined for pretexting incidents

The UK's Financial Services Authority has fined insurer Norwich Union £1.26m as a result of inadequate protection of customers' personal data: "The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders. Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered. The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006. The FSA says its investigation found that Norwich Union Life failed to properly ...

Why HTML email is BAD

Image
Click here for a full size screenshot The screenshot above is an email spotted today in my spam box. It's a conventional phishing email with a classic call-to-action and a link whose URL takes victims to the phishing site rather than CitiBusiness. What caught my eye, though, was the hex encoded gibberish at the bottom. I can't be bothered to convert it all to readable characters and probably don't have the skills necessary analyze it and figure out exactly what it's doing but the few unencoded words (api, update, end, exe, create, engine, close, define, revision, tmp, hex, URAW, rev., create, root:, LHY, serv, 22MP., source:, Y1TM, cvs, revision, 60T, 376T:) do rather give the game away: it looks like some sort of attempt to get victims' email software to execute code. My bet is that it exploits a bug in the way HTML emails are handled. Needless to say, my machine is configured to read emails as plaintext. I can live without the fancy text formatting, and malwa...

Carelessness threatens privacy

Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft: 1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea. 2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another. 3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust. If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper but CD-ROMs or DVDs seem so insignificant. Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situati...

Social engineering bots pass Turing test

"Robot chatters are just one type of social-engineering attack that uses trickery rather than a software flaw to access victim's valuable information. Such attacks have been on the rise and are predicted to continue to grow." If you frequent chat and dating sites, especially Russian ones it seems, beware robots posing as fellow frequenters that chat with you, flirt with you even, and extract personal information. From the news report, it sounds like this bot passes the Turing test .

Security awareness a commonplace concern

Image
A survey of information security concerns at 455 US SMBs (small to medium sized businesses with 5 to 1,000 employees) is mostly same old same old but one statistic caught my eye (see graph above). Three-quarters of those surveyed believe that security awareness would help to improve the level of security in their company. Most SMBs are not that bothered about their security budget or how many security people they have. "Employees are not the only people who need to be ‘educated’. One in four IT executives want senior management to have a better understanding of security issues as this could have a bearing on the overall level of network security and, possibly, the range of security measures that could be implemented." Why is it, I wonder, that security awareness is in such high demand? It's great for our business, of course, but still I'm curious as to the attraction. Is it that security awareness is just too difficult for most people? Or is it just this month...

PCI DSS audit accreditation

An Australian security consultancy's blog entry on their failure to win PCI DSS audit assignments ably demonstrates a severe conflict of interest in this market. They have been losing out to competitors who promise to complete the audits much quicker and (implicitly at least) to certify the client compliant. The commercial pressure is clear: the process of applying and qualifying to become a PCI DSS auditor is expensive in both time and $$$$. If auditors who intend to audit clients properly against the standard consistently lose bids to those who (allegedly) will do a superficial audit and pass the client almost regardless of the findings, then they will eventually face a tough choice. Uphold their principles or compromise them just to recoup their costs and stay in the business. The same pressures occur with other certifications and are generally handled by a rigorous accreditation process whereby certification auditors are carefully assessed to determine their suitability an...

Email scams increasingly sophisticated

Two news stories illustrate the increasing sophistication of email security threats. The New York Times describes the exploitation of someone's Web-based email account to send pleading messages to all their contacts, asking for money. The emails, of course, appear to come from the legitimate owner of the email address and are therefore more likely to be trusted implicitly by at least some of the recipients. This is far from the first time we've heard about hackers taking over webmail systems, eBay IDs and the like. How they acheive the take-over is not usually clear but there are several methods including brute-force guessing of the password, fooling the lame "I've forgotten my password" authentication checks, Trojan keyloggers and more. Meanwhile, the Wall Street Journal reports on successful spear-phishing attacks against executive managers. The scammers send emails use the person's name and other identifying information (perhaps gathered from social ...

Microsoft advice on social engineering controls

A useful guide from Microsoft explains a range of controls to reduce the threat of social engineering attacks. It's a 37-page Word document. Here's an extract from the overview: "To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker—someone who tries to gain unauthorized access to your computer systems—are similar to those of any other hacker: they want your company’s money, information, or IT resources." This document is part of Microsoft's Midsize Business Security Guidance collection .

Social engineers steal $4m IT equipment

Brazen robbers conned their way into a shared data centre in London by posing as Policemen with a convincing story : "The bogus police gained entry to the data centre by claiming that they were investigating claims that there were people on the roof of the building. Five data staff are thought to have been tied up, although none were seriously hurt." This was clearly a social engineering incident.

No Tech Hacking

Image
No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing ( ~US$39 from Amazon , when in stock) looks like an interesting new book by Johnny Long, famous for his earlier book Google Hacking , and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion . According to an interview in CSO Magazine , Johnny describes himself as a Christian hacker with plans to get the hacker community involved in charitable work. His writing reveals that he surely understands the Dark Side but, on the other hand, he does indeed openly promote the classical hacker ethic. Still, I'm quite sure Johnny would be the first to agree that social engineering and other hacker techniques could be classified as "dual use". Kevin Mitnick clearly has Dark Side experience on his CV but, like Johnny, has achieved a lot without getting too deep into the technology. I haven't read the book ye...

Social engineer exploits Dutch employer

CSO Magazine reports on a security consultant cum botnet operator, PayPal account hijacker and fraudster. He infiltrated a Dutch company, exploiting the trust placed in him to install malware on thousands of machines. It's a salutory lesson in the need for pre- and para-employment vetting of employees in such sensitive positions.

Breach disclosure net widens

California State Bill 1386 was the first US bill to insist that organizations disclose to Californian citizens details of privacy breaches affecting their financial data, an idea since extended to around 40 US states. SB1386 opened the flood gates when privacy breaches affecting millions of data subjects were disclosed. Prior to SB1386, even huge privacy incidents were successfully hushed up or downplayed by embarrassed (borderline unethical) organizations' spin doctors. SB1386 woke up an ignorant or complacent public. The Californian law is now being extended to include privacy breaches involving medical and health insurance information under AB1298: " AB 1298 adds two new breach-triggering data categories to the law of “health insurance information” defined as a health insurance policy or subscriber number(s), any information in an individual’s application and claims history, including any appeals records; and “medical information” including any information regarding an ...

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Windows Proxy AutoDiscovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference. The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they go up the DNS tree and, under some ciscumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web. Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a r...

Social engineers infiltrate Shell

In a story about the Chinese attacking Western companies to obtain commercial advantage, The Times briefly mentions an alleged social engineering compromise of Royal Dutch Shell in Houston, Texas, by 'special interest group' of Chinese nationals. The brief story sounds remarkably similar to case studies in Ira Winkler's books, in which Chinese officials coerce Chinese nationals working abroad into providing insider information on targeted organizations. Is this all just smoke and mirrors or a genuine threat? Despite being 'professionally paranoid', I normally dismiss claims about Chinese hackers and spies , specifically, as mere xenophobic propaganda by the US and its allies, especially when specific details of the alleged attacks are conveniently omitted. The Times refers to a letter from MI5 to 300 UK businesses warning them about the Chinese threat, and outlines an alleged Chinese Trojan attack on Rolls Royce. There are many other allegations flying around a...

Social engineering awareness module released

Image
Instead of trying to break into computer networks and systems which are protected by technical security control measures, social engineers prefer to compromise the people that configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers so social engineering remains a threat for all organizations, even those that have excellent technical security controls. Almost anyone may be a social engineer. A social engineer is a person who is able to persuade someone else to part with information or something else of value. Parents can probably appreciate the social engineering skills of their children, even before they are able to speak! In a work context, social engineers may be after sensitive company information: marketing strategies, details of our latest deals, pre-patent information, merger and acquisition plans etc. Such information may be extremely valuable to, say, a c...