Tuesday 30 December 2008
New awareness module on hacking
What makes hackers tick? Who are they? What is the difference between hacking and cracking? Are phreaks and social engineers hackers too? And most of all what can we do to avoid being hacked? We can't promise to answer these questions fully but our latest NoticeBored security awareness module does at least address them.
Please sign up here to receive the free monthly awareness newsletter. We will be using Google Groups in future rather than Topica to circulate the newsletters but unfortunately this means everyone on the current mailing list must make the effort to join the Google Group to continue getting them [we'd have migrated all your email addresses ourselves except that some might consider that a privacy violation!].
Sunday 28 December 2008
capitally Challenged 419er
Anti-Terrorist and Monitory Crimes Division.
Federal Bureau Of Investigation.
J. Edgar. Hoover Building, Washington D.C
Telephone Number : (206) 984 - 0470
ATTN: BENEFICIARY
This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke, none officials of Oceanic Bank, none officials of Zenith Bank and some impostors claiming to be the Federal Bureau Of Investigation agents.
Oh, OK, so I'm supposed to suspend disbelief for a moment and accept that the FBI is writing to me out of the blue, with a grammatically incorrect and anonymous email, warning me about impostors from Nigeria? Right. Let's see what they want ...
During our Investigation, it came to our notice that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment.
So therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in the total amount of $800,000.00 USD which will be deposited into an ATM CARD which you will use to withdraw funds anywhere of the world. You now have the lawful right to claim your funds which have been deposited into the ATM CARD.
I haven't fulfilled my Financial Obligation, eh? And you want to send me an ATM CARD which, by some curious method I don't understand, will contain $800 grand? Why the Spurious Capitals, SUNSHINE?
Since the Federal Bureau of Investigation has been involved in this transaction, you are now to be rest assured that this transaction is legitimate and completely risk-free as it is our duty to Protect and Serve citizens of the United States Of America. All you have to do is immediately contact the ATM CARD CENTER via E-mail for instructions on how to procure your Approval Slip which contains details on how to receive and activate your ATM CARD for immediate use to withdraw funds being paid to you. We have confirmed that the amount required to procure the Approval Slip will cost you a total of $150 USD which will be paid directly to the ATM CARD CENTER agent via Western Union Money Transfer / MoneyGram Money Transfer. Below, you shall find contact details of the Agent whom will process your transaction:
I guess I should expect the ATM CARD to be processed by an ATM CARD CENTER, but I'm a bit puzzled about the need to procure an Approval Slip. Surely the mighty FBI can just make a deposit straight into my bank account? I don't have $150 USD to fritter away on this kind of nonsense, especially via Western Union or MoneyGram. Last time I checked, I was not criminally insane.
CONTACT INFORMATION
NAME: MR. Paul Bryant
EMAIL: atmworldcenter991@gmail.com
Immediately contact Mr. Paul Bryant of the ATM Card Centre with the following information:
Full Name:
Address:
City:
State:
Zip Code:
Direct Phone Number:
Current Occupation:
Bank Name:
Oh, but I thought I was dealing with the ATM CARD CENTER. Is this a different place? Or have they just discovered that marvellous invention called CAPS LOCK? Surely the mighty FBI already knows my address, phone number, current occupation and the name of the bank that, apparently, has been scamming me? After all, it was they who supposedly discovered the scam.
Once you have sent the required information to Mr. Uzoma Dominic he will contact you with instructions on how to make the payment of $150 USD for the Approval Slip after which he will proceed towards delivery of the ATM CARD without any further delay. You have hereby been authorized/guaranteed by the Federal Bureau Of Investigation to commence towards completing this transaction, as there shall be NO delay once payment for the Approval Slip has been made to the authorized agent.
Oh oh, I see Mr Paul Bryant has taken a leave of absence half way through this email. Poor Mr Bryant. I guess he's gone to spend all the advance fees he's been making lately.
Once you have completed payment of $150 to the agent in charge of this transaction, immediately contact me back so as to ensure your ATM CARD gets to you rapidly.
FBI Director
Robert Mueller.
NOTE: To ensure you have been AUTHORIZED to pay the required fee's stated above, kindly find below an Authorized Signature and also our Federal Bureau Of Investigation NSB ( National Security Branch ) Seal to accurately guarantee your safety towards completing this transaction.
Phew, what a relief! A seal to accurately guarantee my safety! I'll put it in my wallet in place of the $150 USD shall I?
Friday 26 December 2008
Will your cellphone spill your secrets?
As its title suggests, "Will your cellphone spill your secrets?" focuses on privacy exposures from lost cellphones, but the same considerations apply to other gizmos of course.
The loss of a gizmo is more than just a privacy issue: we become very attached to, if not dependent on, them. Speaking personally, I'm terrible at remembering names, let alone phone numbers, email addresses, passwords and so forth, so I rely heavily on the technology to do the remembering for me. Naturally, being a security freak, I use encryption and other controls to protect such sensitive information, so the privacy side is less of a concern than me simply losing access to all that valuable information ... so don't forget backups. Decent backups. Off-line backups with the backup media stored securely. It's a bit of a pain to take them but it's far worse to lose a gizmo (whether by leaving it on the back seat of a cab or on the roof of a car, having it stolen, dropping it in a puddle or some other accident or hardware failure ... actually, thinking about it, there are quite a few ways!) and not to be able to recover the data.
Here are some simple tips to reduce the risk:
- Transfer new phone numbers from your cellphone to a diary/contacts database such as Outlook every so often, and while you're at it, look through the contacts for any that should be put on your phone. Try to make this a routine activity, perhaps once a month or two;
- Make a separate database of important contacts, for example to feed a form letter notifying them of change-of-address details. Keep a copy of this with you when you travel;
- Use encryption and other available access controls such as a PIN code to unlock your phone/SIM card, PDA etc.;
- Avoid taking all your gizmos with you when traveling - just the ones you need - and try to keep them physically about your person (e.g. not in checked-in hold baggage);
- Make an inventory of your gizmos with models, serial numbers, distinguishing marks etc. so that if you lose any, you can at least describe them properly to the Police or the Lost And Found office;
- Use those 'distinguishing marks' proactively to identify your gizmos e.g. mark the case with your name, phone number, email address or whatever, trying not to make the privacy exposure even worse but making it easier for finders to return them to you;
- Don't forget to erase personal data properly from gizmos when disposing of them. A simple 'delete' is unlikely to be sufficient. See NIST's SP 800-88 for the whole nine yards.
Wednesday 24 December 2008
Ultraportables - are they really "special"?
"Ultraportable" lightweight slimline laptops are all the rage, apparently (I've been using them for years already - ahead of my time maybe, or just wary of the old luggable portables?). A Computerworld piece "Small laptops pose a big security threat" claims that because they run with "a stripped down" Linux or Windows XP operating system instead of, presumably, Vista, they are inherently insecure. Well, maybe there are drawbacks but I'm not entirely convinced that they are significant - properly configured, I would rate XP and Linux at least as secure as, if not more secure than, Vista.
On the physical security front, there are arguments both ways. Ultraportables may have less physical protection, making them more vulnerable to knocks (less so the ones with solid-state drives), and they are perhaps more likely to be lost or stolen due to their portability. On the other hand, I carry mine in a standard briefcase or portfolio rather than an obvious "laptop bag", making theft less likely I hope.
The article's comments on WiFi and USB connectivity are irrelevant since the same applies to standard laptops, and I really don't agree with the author's comments to the effect that ultraportables are treated carelessly like toys, except perhaps in the case of the very cheap ones. The truth is that, for many years now, the value of personal and corporate data on the average PC has far outstripped its hardware replacement value. The equipment is, in corporate terms, disposable with near zero book value, though the data on it or accessible from it may well be the most valuable asset [not] on the company's books.
The article's final points about the need for user security awareness ring true at least.
"Employee education in acceptable-usage practices is a must, regardless of the IT security systems used, Enderle says. Leja agrees. "You have to count on continual security awareness," she says. "Make sure that [students or employees are] being conscientious, and then use the few tools that do exist to help."
Hear hear!
Friday 19 December 2008
HMG loses two gizmos a week
In the past year, the British Government admits to having lost:
- 53 computers
- 36 BlackBerrys
- 30 mobile phones
- 4 memory sticks; and
- 4 disc drives.
The reported number of lost devices is certainly an underestimate, since (a) it is self-reported by government officials; (b) it excludes the Ministry of Defence and Home Office, which did not respond to the request for information; (c) government employees probably use, and lose, personal devices for official work; and (d) it excludes other formats, e.g. lost CD/DVD ROMs and actual papers.
As to whether it is acceptable for Her Majesty's Government to lose at least 50 feet of printed papers per year, that depends on whether your privacy was compromised I guess.
Tuesday 16 December 2008
Gizmo security cluelessness
Looks like McCain's team need to read the latest NoticeBored module on security for gizmos ... oh wait, it's too late. They sold at least one information-packed BlackBerry to a reporter ...
Friday 12 December 2008
How to create a security policy for social networks
The security risks associated with social networking sites such as Facebook and LinkedIn are pointed out by a well-balanced piece on SearchSecurity by David Sherry, CISO of Brown University. Unusually for this kind of article, the author describes a reasonably comprehensive range of security controls that organizations might adopt to minimize the risks. I'm pleased to note that security policies and awareness are among the recommendations, and in fact the security issues arising from social networking can be used as an awareness-raising topic:
"Social networking risks are also a great way to enhance security awareness throughout an organization and build convergence with key decision makers and leaders. Social networking is a familiar term, but one that may not conjure up risks to the enterprise. Many other areas of the corporation, while focusing on risk and some aspects of security, may need to be educated and consulted when creating a policy or modifying your appropriate use policy. Include senior representatives from human resources, risk management, privacy, physical security, audit and legal in your preparations and response to social networking risks. A stronger partnership, and ultimately a stronger policy and process, will surely result from reaching out to them."
Our recent NoticeBored security awareness module on social engineering used example scenarios based on LinkedIn and other social networking sites for exactly this purpose. We suspect few managers think of LinkedIn as a social networking site, let alone consider the security implications of publishing all sorts of personal information about themselves. It's a useful topic to get their attention.
Thursday 4 December 2008
Security awareness for less than $1,000 per year
Despite our standard subscription charges being probably the lowest in the marketplace, some prospective customers struggle to find any money for security awareness. We are very conscious of the global credit crunch and financial turmoil out there so, for a trial period, we are offering a special SME version of NoticeBored for less than US$1,000 per year. Read more about NoticeBored Lite.
Wednesday 3 December 2008
Gizmo security awareness
December's NoticeBored module covers security issues associated with gizmos. Please visit the website or read the newsletter to discover what gizmos are and find out about the security issues.
Wednesday 5 November 2008
PwC 2008 infosec survey
A key finding from the 2008 information security survey by PwC is that organizations are spending more on security technologies but need to achieve a better balance:
"One of the best ways of improving enterprise-wide visibility into the crucial details of actual security incidents is to match technology investments with an equally robust commitment to the other principal drivers of security’s value: the critical business and security processes that support technology, and the people that administer them."
Technology is a bottomless pit for security investment: one can always spend more on security hardware and software but after the basics (such as antivirus and firewalls) are covered, the returns diminish. Organizations should be complementing their technological investments with security awareness and training.
"What matters, of course, is improving an organization’s ability to defend and prevent attacks on an ongoing basis—without distracting people from the every-day operational needs of the business or incurring the exorbitantly high price tags associated with a reactive response to an unexpected (but foreseeable) crisis. And that requires getting key information about the risks to an organization’s data and systems very quickly from the front row to everyone else in the house. Expanding security awareness at every level of the enterprise is essential."
Tuesday 4 November 2008
Social engineering - exploiting the weakest links
Surveys and news items suggest that social engineering attacks are on the rise in terms of scale and sophistication, as well as number. A new 40-page white paper from ENISA:
- outlines social engineering methods such as pretexting, phishing, spear phishing and vishing;
- presents an interview with acknowledged social engineer Kevin Mitnick;
- discusses three studies portraying how easily naive/untrained users are manipulated;
- identifies five defence measures; and
- offers a checklist to fight social engineering based on the mnemonic LIST (Legitimacy, Importance, Source, Timing).
Wednesday 29 October 2008
New awareness module on social engineering
The proverbial man in the street may think information security primarily involves technical security controls but in fact other types of control are equally important in protecting information assets. For example, physical controls (locks, gates, fire/intruder/water alarms etc.), legal and regulatory controls (data protection/privacy laws, PCI DSS, HIPAA etc.) and procedural controls (policies, procedures, guidelines, management reviews, audits etc.). Most security risks are countered by a combination of controls from these different categories. Social engineering is fairly unusual in that technical controls are more or less irrelevant: social engineers aim to bypass the technology completely, either by physically penetrating the organization or by fooling employees into giving them unauthorized access to information assets. We have covered awareness of physical security controls and compliance obligations in other NoticeBored modules but November’s module concentrates on pretexting, phishing and other techniques used by social engineers to fool employees.
Policies, procedures and guidelines are essential controls against social engineering, but these are useless unless employees both know about them and follow them in practice. Social engineering is therefore a particularly important security awareness topic, one of our “core topics” in fact that merits being covered annually in all awareness programs. Employees need to be taught about how social engineers work in order to spot them and stop them. It’s a tricky task since social engineers are adept at finding ways to build and exploit trust, slipping quietly beneath the corporate radar. The best social engineering attacks are never detected. Our aim is not to completely prevent social engineering attacks from succeeding but to create significant barriers that block simple attacks and frustrate more advanced ones, such that social engineers hopefully move along to softer targets.
One of the issues we cover, for instance, concerns the publication of personal details by employees on social networking sites. Names, addresses and birthdates are fabulous starting points for enterprising identity thieves and social engineers to pretend to be someone. Being cautious about what you publish is a simple control but is only valuable if you appreciate the risk sufficiently to be careful, hence the value of awareness.
Find out what's in the awareness module and read all about the NoticeBored service.
Friday 10 October 2008
Malicious 'M$ update' attachment
Here's a crude attempt to get me to install malware, fresh from my inbox:
Dear Microsoft Customer,
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.
Doh! I wonder how many non-infosec professionals would fall for it though.
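The two lures quoted on this page, the "FBI" ATM card 419 above and this fake Microsoft update, share indicators that a mail filter can score mechanically rather than relying on every recipient spotting the spurious capitals. The Python below is an added example and not part of the original post or of any product mentioned on the page: it runs a handful of heuristics over excerpts of the two messages (reproduced from the page) and over a constructed benign control message. The keyword lists, weights, the threshold of 4 and the control message are assumptions chosen for illustration; the headers of the Microsoft lure are not shown on the page, so it is scored on body text alone.

```python
"""Heuristic scoring of advance-fee and fake-update e-mails.

Added example, not code from the original blog post. Keyword lists, weights,
the threshold and the benign control message are illustrative assumptions;
a real filter would add sender authentication (SPF/DKIM) and reputation data.
"""
import re

# A reply address at a free webmail provider is incompatible with a message
# that claims to come from a law-enforcement agency, bank or software vendor.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "live.com", "aol.com"}

OFFICIAL_CLAIM = re.compile(
    r"\b(federal bureau of investigation|fbi|central bank|microsoft)\b", re.I)
MONEY_TRANSFER = re.compile(r"\b(western union|moneygram)\b", re.I)
FEE_REQUEST = re.compile(r"\b(fee|approval slip|payment of)\b", re.I)
URGENCY = re.compile(r"\b(immediately|without any further delay|right away)\b", re.I)
RUN_ATTACHMENT = re.compile(r"\brun the file\b|\bopen the attach", re.I)
DOLLAR_AMOUNT = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")
EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def reply_domains(body, headers):
    """Domains of every address found in the body and the From/Reply-To headers."""
    text = body + " " + " ".join(headers.get(k, "") for k in ("From", "Reply-To"))
    return {d.lower() for d in EMAIL_DOMAIN.findall(text)}


def score_email(body, headers=None):
    """Return (score, reasons); a higher score means more lure-like."""
    headers = headers or {}
    score, reasons = 0, []
    official = OFFICIAL_CLAIM.search(body) is not None

    # Conjunctions matter more than single words: an official claim is only
    # suspicious when combined with a webmail reply path or an attachment.
    if official and reply_domains(body, headers) & FREEMAIL_DOMAINS:
        score += 3
        reasons.append("claims an official sender but replies go to free webmail")
    if MONEY_TRANSFER.search(body) and FEE_REQUEST.search(body):
        score += 3
        reasons.append("asks for an up-front fee via untraceable money transfer")
    amounts = [float(a.replace(",", "")) for a in DOLLAR_AMOUNT.findall(body)]
    if any(a >= 100_000 for a in amounts) and any(a < 1_000 for a in amounts):
        score += 2
        reasons.append("large windfall promised in return for a small payment")
    if URGENCY.search(body):
        score += 1
        reasons.append("pressure to act immediately")
    if RUN_ATTACHMENT.search(body):
        score += 2
        reasons.append("asks the reader to run a file sent with the message")
        if official:
            score += 2
            reasons.append("vendors and agencies do not ship software as e-mail attachments")
    return score, reasons


def is_suspicious(body, headers=None, threshold=4):
    """Threshold of 4 is an assumption: one strong conjunction or several weak signals."""
    return score_email(body, headers)[0] >= threshold


# Excerpts of the two lures quoted on this page (elisions marked with ...).
SCAM_419 = """
This is to Officially inform you ... that you are having an illegal transaction
with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria
... and some impostors claiming to be the Federal Bureau Of Investigation agents.
... coordinating your payment in the total amount of $800,000.00 USD which will be
deposited into an ATM CARD ... the amount required to procure the Approval Slip will
cost you a total of $150 USD which will be paid directly to the ATM CARD CENTER agent
via Western Union Money Transfer / MoneyGram Money Transfer.
EMAIL: atmworldcenter991@gmail.com
Immediately contact Mr. Paul Bryant of the ATM Card Centre with the following information:
"""

FAKE_UPDATE = """
Please notice that Microsoft company has recently issued a Security Update for OS
Microsoft Windows. ... Since public distribution of this Update through the official
website http://www.microsoft.com would have result in efficient creation of a
malicious software, we made a decision to issue an experimental private version of
an update for all Microsoft Windows OS users.
1. Run the file, that you have received along with this message.
"""

# Constructed control message: mentions a vendor, a dollar amount and an
# attachment, but none of the conjunctions the scorer looks for.
BENIGN = """
Hi, the annual Microsoft licence renewal invoice ($8,450.00) is attached as a PDF
for your records. Accounts has already paid it, so no action is needed.
Regards, accounts@example.com
"""

if __name__ == "__main__":
    for name, body in (("419", SCAM_419), ("fake update", FAKE_UPDATE), ("benign", BENIGN)):
        score, reasons = score_email(body)
        print(f"{name}: score {score}, suspicious={is_suspicious(body)}")
        for reason in reasons:
            print("  -", reason)
```

The point of the scorer is the conjunctions, not the vocabulary: "Microsoft" or "$8,450.00" on its own is ordinary business mail, whereas an official claim paired with a gmail.com reply address, or a fee demanded by Western Union, is the shape of an advance-fee lure regardless of how the sentences are spelled. Keyword lists like these are English-specific and trivially evaded, which is why they belong behind sender authentication and reputation checks rather than in front of them.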
Wednesday 8 October 2008
The ethics of entrapment
Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattooed on his neck (doh!).
But consider the question about whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office.
UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket, a carders' web exchange for stolen credit card numbers. What a great way to capture details about the criminals, the cards and the culture, but is it ethical? To make it work, they had to let a significant number of carders' transactions go ahead without interference, leading to millions of pounds worth of fraudulent purchases and costs for the card holders and/or credit card companies, banks and retailers concerned, in the same way that undercover drugs cops let and in fact help drug deals proceed until they have the opportunity to spring the trap.
Friday 3 October 2008
Worth a look: Computer Ethics book
My colleague Rob Slade, renowned for his book reviews, has just circulated a glowing review of the book Computer Ethics by Deborah Johnson. I say "glowing" deliberately: Rob has published many harsh reviews and, in my experience, they are generally well deserved. The relatively few books that Rob likes stand out as somewhat exceptional and, again, in my experience are well worth reading. Rob knows his stuff. I find him hard but fair. In short, I trust Rob's judgement on computer security books.
Ethically I should point out that I have not actually read Johnson's book myself - I am merely passing on a recommendation. If you have read it and would like to put me straight, please comment below!
Thursday 2 October 2008
Dual use IT
A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)!
The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legitimises their activities, but speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use the computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yourself in their shoes, how would you like to be spied upon?
[Aside: presumably there is a market for counter-espionage techniques, software that identifies RATs etc. and responds in some appropriate fashion, perhaps feeding the spies false information or simply cutting the link, the IT equivalent of firing a poison pellet into the spy's calf!].
That said, an incident close to home has made me reconsider my ethical position when a close family member discovered that her child was being 'groomed' through online chatrooms. The discovery came not through spy software but good ol' fashioned parenting - keeping a close eye on the little ones and protecting their interests. In this case, the parents' concern was justified and the groomer was stopped in his tracks, but I'm not saying that "the end justifies the means". If my relative had used spy software, I would still have found it distasteful. I think. But that's my personal perspective: you may see things differently.
Anyway, the use of spy software to recover a stolen computer seems perfectly reasonable and indeed entirely legitimate to me. The thief has no reasonable expectation of privacy while using stolen equipment. Maybe I wouldn't go so far as to say the thief has no rights at all (he is still a human being after all) but privacy is not one of them. The Globe mentions similar cases where owners have turned on built-in cameras to photograph those who are using their stolen systems - again, that's not unreasonable to me, just a creative use of technology.
Of course, thieves will see things differently.
Wednesday 1 October 2008
Bootstrapping for software developers
Why is it that so many organizations expect their software developers and other IT people to “do” information security, yet they don’t bother to train them in the art?
A new security awareness briefing pack contains a set of notelets (short briefings) to help those involved in managing and delivering IT system developments fulfill their information security obligations.
The notelets fall into two groups:
- Technical notelets introduce common information security controls, explain generic control requirements and outline the options available to satisfy those requirements.
- Development process notelets outline information security issues that ought to be taken into account during most software developments (including ‘end user computing’ projects such as spreadsheet programs).
Download the complete pack here (1Mb PDF file).
The editable MS Word version of the pack is available free of charge on request by NoticeBored customers. An earlier version of the pack was delivered in the module on ‘SDLC integration’ in 2006.
Tuesday 30 September 2008
New awareness module on ethics
Whereas most months we revise and reissue NoticeBored security awareness modules on topics we've covered before, this month we've written a completely new one on ethics and morality in information security. To be fair, it's something we have touched on several times but it seemed appropriate to go into a bit more depth for once.
Ethical people and indeed organizations act in accordance with principles of conduct that are generally considered correct, appropriate or proper. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values and beliefs guide our actions as much as external pressures.
The NoticeBored newsletter explores the risks around ethics and sets the scene for the remainder of the awareness module. The module covers aspects such as:
- Responsible disclosure of security vulnerabilities
- Cheating and hacking
- Management responsibilities to set the right ethical tone at the top
- Employee responsibilities to uphold ethical principles
- Whistleblowing on unethical practices
- The slippery slope from entirely ethical to entirely unethical behaviors.
Friday 19 September 2008
Institute of Information Security Professionals
A blog entry by Gerry O’Neill, CEO of the Institute of Information Security Professionals, gives us an update on the IISP's progress towards defining and implementing a certification process for its members.
Gerry acknowledges a handful of existing certifications (such as CISSP, CISM, CISA and MSc) from which the IISP appears to have borrowed a few ideas (e.g. referring to a "common body of knowledge", presumably similar to the CISSP CBK?). He identifies certain characteristics of a profession, including "a ‘licence to practice’, based around a core of specialist knowledge, skills and disciplines, regulated by a professional body and, crucially, with business recognition of its value." The ‘licence to practice’ idea works well for professions such as medicine, accountancy and law, but these professions are clearly much older than information security. Whether the IISP can first establish itself as a recognised professional body, secondly impose regulations and standards on its members, and thirdly achieve broad acceptance by the general public and the authorities is an open question at this point. They have set themselves a worthwhile but extremely difficult task, attempting to shortcut the thousands of years that other professions have had to develop their professional practices.
While there will be a Disciplinary Committee to ensure compliance with the IISP Code of Conduct, I wonder whether they will also establish a professional practices and ethics board to assess claims from the public or authorities that its members are incompetent, incapable, unethical or otherwise unsuitable to be called information security professionals? Policing the members and upholding the highest professional standards is another important though difficult role for a professional body - it's an integrity issue for the individuals concerned, the professional body and indeed the profession as a whole.
The Institute has defined a list of 33 skills as a basis for both developing and assessing information security professionals. Three items in the list caught my eye: I1 Research, I2 Academic Research and I3 Applied Research. Most security certifications (other than MSc and similar academic qualifications) emphasise practical expertise and implementation skills rather than research. As a former research scientist myself, I welcome the emphasis on original research which will both help advance the profession and provide an entry route for students.
All in all, I'm interested to see this initiative develop and welcome the IISP extending its remit from the UK to the rest of the world, in due course.
Friday 12 September 2008
AsiaDomainNameRegistrar scam
An email allegedly from an Asian domain name registrar based in China caught my eye in the spam box today. The email basically says an investment company intends to register NoticeBored.ASIA and NoticeBored.CN, and that we'd better act fast to stop it.
It's a scam of course, but one of the better ones having a certain ring of authenticity and credibility to it.
A quick Google search soon found a blog entry about it from where links led me to another. Blog commenters note that the registrar is blatantly overcharging for domain registrations and, in any case, there are official ICANN procedures in place to deal with 'domain name squatting' and trademark abuse. Needless to say, I shan't be responding to their email but our lawyers and I will be fascinated to see whether those domains are ever actually registered ...
Dear Manager,
We received a formal application on intending to register "noticebored" as their domain name and Internet brand in China and also in Asia from an investment company on Sept. 7th, 2008. During our audit period, we find that this Investment company has no trade mark, brand or patent. As a professional institution of domain name registration, we have reasons to suspect this investment company to be a domain name grabber. Therefore, we need your confirmation on two points as follows.
First of all, whether this investment company is your business partner or distributor in China?
Secondly, whether you are interested in registering these domain names?
(According to the rules of domain name registration, the investment company will be entitled to obtain a domain name but not need the permission from the original trademark owner.) If you are not in charge of this issue, please transfer this email to the right department.
This is a letter for confirmation. If the mentioned third party is your business partner or distributor in China or in Asia, please DO NOT reply. We will automatically think that this application was from your business partner after our audit period.
Hebe
Asia Domain Name Registrar
TEL : 86-21-312 609 71
FAX : 86-21-312 609 72
Email: hebe@asiadomainnameregistrar.com
Web: www.domainorg.net.cn
More on SF rogue network admin
The drip-feed of news about the Terry Childs case continues. [Quick recap: Childs held the City Government of San Francisco to ransom by refusing to divulge the city's network admin passwords that were under his sole control.] The Washington Post tells us:
"Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains."
'Thousands of gigabytes'? That's an impressive capacity for a personal storage device.
The Post also says Childs had a criminal record:
"Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggravated robbery and theft, according to court documents. He also served four years in the Kansas state prison. Childs kept this from his employment application, court documents note. Vinson said San Francisco will probably expand its employee background checks to cross state lines."
Good idea!
Still, I agree with the thrust of the article that SF management's failings extend well beyond checking Childs' references. Childs was a privileged insider placed in a position of great responsibility and trust by management. It appears that management recognized the risk but failed to address it adequately. Dawn Capelli's comments about the insider threat are very apt. I'd call this a governance failure.
September update: San Francisco city's Department of Telecommunications and Information Services (DTIS) has spent just under $200k already, investigating what Childs has done to the network and hunting for a terminal server providing him a back-door. The full cost is estimated to be around $1m.
Tuesday 9 September 2008
Free access to MIT courseware
Dan Swanson just put me on to the fact that MIT, the world-renowned Massachusetts Institute of Technology, publishes course notes from many of its classes, for free, on the Web. This includes the Sloan School of Management with its broad range of fascinating courses about managerial psychology and other topics of interest to security awareness professionals and management students alike - take a look at Advanced Corporate Risk Management, for example, to understand a bit about futures and options trading where, amazingly enough, risk has an upside!
Thanks Dan!
Friday 5 September 2008
AOL phisher gets seven-year sentence
Infoworld reports on the sentencing of a phisher:
"A West Haven, Conn., man has been sentenced to seven years in prison for masterminding a phishing scheme that targeted AOL users over a four-year period. Michael Dolan, 24, was sentenced Wednesday in Connecticut federal court. The seven-year sentence was the maximum he could have received, said Assistant U.S. District Attorney Edward Chang, via e-mail. Dolan was also sentenced to three years' supervised release, and a $200 special assessment, he added. Last year Dolan pleaded guilty to fraud and aggravated identity theft charges. ..."
Dolan conned AOL users into disclosing their credit card numbers, using fake greetings cards. He also "attempted to bribe a codefendant, threatened to kill someone he thought was a government informant, and suborned perjury from his girlfriend" according to the article, indicating the sort of person he is.
Wednesday 3 September 2008
Ice hockey coach emails himself to prison
The BBC reports that a father, concerned about his under-age daughter's relationship with an adult ice hockey coach, installed spy software on the family PC to monitor her online liaisons. It soon became apparent from the emails and Messenger chat the pair were exchanging that they were having unlawful sexual intercourse. The coach was arrested, charged and convicted of five counts of sexual activity with a child and jailed for 4½ years.
In a corporate setting, it is not entirely obvious to many IT, HR and information security professionals whether an employer has the legal right to monitor its employees' use of email and other IT facilities in the same way, even if those facilities clearly belong to the organization and are provided to employees for work purposes. In some countries, privacy laws constrain what employee monitoring employers can reasonably do, but there are often exceptions to permit more intrusive monitoring in order to investigate suspected illegal activities - not random interception, perhaps, but targeted monitoring of specific individuals whom the organization has good reason to believe are doing something illegal. There may be further exceptions in relation to serious crimes such as pedophilia, allowing organizations and law enforcement to present pertinent information obtained by chance as evidence in court, even though they had no prior knowledge of the crime. [NB: this is not legal advice! I am not a lawyer! Consult a competent lawyer familiar with the laws in your country to find out what you can and cannot do.]
New NB awareness module on email security
Email security is our topic for September's NoticeBored module. This is a core topic covering perennial issues worth reminding employees about every year.
By the way, we've had some problems with the blog feeds lately but hope things are working OK now. I'm also posting occasionally to the (ISC)2 blog in the company of other CISSPs and luminaries. Do take a look if you're not already subscribed.
Saturday 23 August 2008
Facebook fairy
This is just too funny to resist.
I might open up a little on this blog from time to time but you won't find a picture of me in a fairy costume, clutching a beer, when I'm supposed to be at work. Oh the joys of Facebook.
Friday 22 August 2008
PCI DSS update
An update to the Payment Card Industry Data Security Standard (PCI DSS) has been announced with a preview/summary of the changes due for release in version 1.2 on 1st October.
Most of the changes are classified as clarifications of existing requirements but controls for wireless networks caught my beady eye. On the one hand, PCI DSS seemingly acknowledges that WEP is no longer adequate (about time!), but on the other it allows WEP to continue until July 2010. 2010! That's like saying "Wardrivers, take your time, you have 2 years to find and exploit vulnerable stores". Given recent high-profile incidents of that nature, I'm puzzled as to why WEP is tolerated at all. PCI DSS 1.2 is an opportunity to drive up security standards and in many respects it is incrementally improving things, but in this one respect, they're letting the chance slip by.
Examples of "critical employee-facing technologies" that ought to be covered by security policies will be expanded to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)". I'm pleased to say that we have been covering those issues for years in the NoticeBored security awareness service, and will be covering them all before the end of this year [RATs were mentioned in the malware module in March. We're finalizing next month's module on email security right now, and researching for a forthcoming module on 'securing portable IT devices' for release in December.]
Employees will be required to acknowledge that they have read and understood the company’s security policy and procedures “at least annually”. Note the wording: employees will have to acknowledge the policies and procedures. Management's focus will be on getting bits of paper signed or learning management systems ticked once a year, rather than confirming that employees actually understand and recall the policies or pushing for more frequent awareness and training. That's another opportunity missed. Ho hum.
Against this background, I'll be just a touch more cynical next time someone complains about the 'PCI DSS compliance overhead', and even more careful about giving anyone my payment card details.
[Thanks to the Security Warrior, Anton Chuvakin, for alerting me to this. Anton's home turf is security logging but like many infosec pros, he has fingers in many pies.]
Wednesday 20 August 2008
Help for ISO27k implementers
Over at ISO27001security dotcom I've just posted:
- a 2.2Mb ZIP file containing the full contents of the free ISO27k Toolkit; and
- a printable PDF version of the ISO27k FAQ.
Although they are already useful and generating good feedback, these are both works-in-progress. Further contributions to the toolkit and FAQ are always welcome. If you have implemented the ISO27k standards, are there policies, procedures etc. that you would be willing to donate to the cause? If you wish, I can help you format them to suit the purpose, for example removing any proprietary content to make them generic and adding a Creative Commons license. In return, you will be openly acknowledged as the contributing author in the material and on the website. Clearly, it is vital that you either personally own the materials you submit or have the copyright owner's express permission since they will end up in a public forum.
Visit the website or contact me (Gary@isect.com) for more info.
Thursday 31 July 2008
Systemic security management: the ICIIP model
I don't know about you but models have intrigued me ever since I was a kid playing with Meccano and Lego. There's something fascinating about the structure and relationships making the whole thing greater than the sum of its parts. So when I heard about a new model linking people, process, technology and organizational design/strategy in the context of information security, I couldn't resist a look.
A PDF presentation of the ICIIP model gets off to a good start, representing it as a nice symmetrical three-dimensional tetrahedron rather than so many other flat two-dimensional tabular models. It even has information labels on the six connections (described as "tensions") between the four nodes as well as on the nodes themselves. The tensions are governance, architecture, culture, human factors, enabling and support, and 'emergence' (representing the inherent complexity and emergent properties of any organizational system).
Digging a bit deeper, authors Laree Kiely and Terry Benzel explain slide-by-slide the labels on the model. In each case they outline what they mean by the labels, fair enough, and then follow up with 'recommendations' ... and here I start to wonder how they came up with the specific recommendations. The authors' previous works are cited but not properly referenced in the paper, so readers are left guessing.
For example, their recommendations for the governance tension are as follows:
• Understand the criticality of security issues
• A different attitude regarding governance role and duties
• Emergent, cross-industry communities of interest and communities of practice who could develop standards
• New security knowledge and criteria for CEO selection, performance review, and compensation
• Require development and education for Boards and C-Suite as part of new self-regulating standards
• Criteria implemented corporation-by-corporation
• Hold vendors and suppliers accountable for implementing these standards/criteria
Standards, education and accountability seem reasonable, if not exactly Earth-shattering, proposals, but why did they pick these out and how do they relate to the management of information security?
There's a lot missing from the presentation slides (such as how the "tensions" relate to the nodes) which, presumably, the authors fill in when presenting. However, there are several other materials from Dr. Kiely and Benzel on the USC Marshall website which I shall enjoy exploring at my leisure.
Wednesday 30 July 2008
New awareness module on infosec governance
The field of corporate governance exploded onto management’s agenda following Enron’s collapse in 2000/2001 and the introduction of SOX (Sarbanes Oxley Act) in 2002. There has been some public discussion of IT governance since then but information security governance is still emerging from the murk.
In August's security awareness module we expand on what ‘governance’ means and how it relates to information security in particular. It affects our target audiences (staff, managers and IT professionals) differently so we explain the implications in practical terms, covering the essential elements that everyone should comprehend.
You may have seen the recent news about the arrest of a network administrator in San Francisco. As reported, the accused (Terry Childs) was solely responsible for designing, operating and securing the city government’s network. He allegedly refused to disclose the network admin passwords at first, preventing others from managing the network in his absence. While it’s far too early to determine whether there is any truth behind the allegations, the story has fascinating governance implications that find their way into a case study and the latest newsletter.
Wednesday 23 July 2008
SQL as an audit tool
Mike Blakley wrote a fine piece in EDPACS on using SQL queries to interrogate a database system for audit purposes.
Abstract:
"Organizations, both large and small, are increasingly reliant on database systems for their operational support needs. This is due to the adoption of accounting systems ranging from large enterprise resource planning systems, down to departmental or even desktop-based database systems. The traditional audit approach used to account for data stored in databases has relied on information technology or other support staff to extract data for audit, which was then tested by others, often technical specialists. An alternative approach, which also provides greater audit independence, is to increase the knowledge level and skills of audit staff so they can obtain this data directly and perform their audit tests independently. This article may have relevance to other IT system audits."
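The kind of audit test the abstract has in mind, as an added example that is not from Mike Blakley's article: an auditor queries an accounts-payable extract directly in SQL rather than asking IT for the data. The table and column names, the sample rows and the two tests (near-duplicate payments, and payments approved by the person who created the vendor) are all constructed for illustration; SQLite is used so it runs offline.

```python
"""Audit tests written as SQL queries against a constructed accounts-payable
extract. Table/column names are assumptions, not from any real system."""
import sqlite3

# Constructed sample data: vendor master records and payments made against them.
VENDORS = [
    # vendor_id, name, created_by (the user who set the vendor up)
    (1, "Acme Supplies", "alice"),
    (2, "Bolt Engineering", "bob"),
    (3, "Acme Supplies Ltd", "carol"),
]
PAYMENTS = [
    # payment_id, vendor_id, amount, paid_on, approved_by
    (101, 1, 4999.00, "2008-07-01", "alice"),   # approver also created the vendor
    (102, 1, 4999.00, "2008-07-03", "dave"),    # same vendor/amount two days later
    (103, 2, 12000.00, "2008-07-05", "dave"),
    (104, 3, 750.00, "2008-07-06", "erin"),
    (105, 2, 12000.00, "2008-08-20", "dave"),   # same amount, but 46 days later
]

# Test 1: pairs of payments to the same vendor for the same amount within
# :window_days of each other (a classic duplicate-payment indicator).
DUPLICATE_PAYMENTS_SQL = """
SELECT a.payment_id, b.payment_id, a.vendor_id, a.amount
FROM payments a
JOIN payments b
  ON a.vendor_id = b.vendor_id
 AND a.amount = b.amount
 AND a.payment_id < b.payment_id
 AND julianday(b.paid_on) - julianday(a.paid_on) BETWEEN 0 AND :window_days
ORDER BY a.payment_id
"""

# Test 2: segregation-of-duties conflict, where the user who created the
# vendor record also approved a payment to that vendor.
SOD_CONFLICTS_SQL = """
SELECT p.payment_id, v.vendor_id, v.created_by
FROM payments p
JOIN vendors v ON v.vendor_id = p.vendor_id
WHERE p.approved_by = v.created_by
ORDER BY p.payment_id
"""


def load_extract():
    """Build an in-memory SQLite database holding the constructed extract."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE vendors (
            vendor_id INTEGER PRIMARY KEY, name TEXT, created_by TEXT);
        CREATE TABLE payments (
            payment_id INTEGER PRIMARY KEY, vendor_id INTEGER,
            amount REAL, paid_on TEXT, approved_by TEXT);
    """)
    conn.executemany("INSERT INTO vendors VALUES (?,?,?)", VENDORS)
    conn.executemany("INSERT INTO payments VALUES (?,?,?,?,?)", PAYMENTS)
    return conn


def duplicate_payments(conn, window_days=7):
    """Return (first_id, second_id, vendor_id, amount) for suspected duplicates."""
    return conn.execute(DUPLICATE_PAYMENTS_SQL,
                        {"window_days": window_days}).fetchall()


def sod_conflicts(conn):
    """Return (payment_id, vendor_id, user) where creator and approver coincide."""
    return conn.execute(SOD_CONFLICTS_SQL).fetchall()


if __name__ == "__main__":
    db = load_extract()
    print("Possible duplicate payments (7-day window):", duplicate_payments(db))
    print("Segregation-of-duties conflicts:", sod_conflicts(db))
```

Widening the window (e.g. 60 days) also flags payments 103 and 105, which shows why the auditor, not the DBA, should own the test parameters.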
In the same issue, Fred Cohen discusses the specification of control requirements for [real-time process] control systems and SCADA, an area that relatively few information security managers and IT auditors have experienced. I have had some exposure to this at power generation and engineering companies but admit I know next to nothing about it. Having seen conference presentations on "exploring" SCADA networks and Building Management Systems, I'm sure these are targets for curious hackers who relish the challenge of understanding obscure comms protocols and exploiting inadequate security controls. Fred's comments about the ever-deepening Internet connectedness of such networks and the historical lack of attention to security ring very true. I often wonder what fun would lie in store for hackers with access to the networks and devices, perhaps exploiting the numerous wireless command and control systems out there. Let's hope they are responsible enough to use their powers for good not evil.
All in all, another excellent issue. [The fact that I'm one of many on the EDPACS editorial board is purely coincidental, of course!]
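To make Mike Blakley's point concrete, here is an added example (mine, not code from his article or from EDPACS) of the approach his abstract describes: the auditor pulls the data directly and runs the audit tests as SQL rather than waiting for IT to extract it. It builds a small constructed accounts-payable ledger in an in-memory SQLite database and runs three classic tests: possible duplicate payments, self-approved postings (a segregation-of-duties breach) and out-of-hours postings. The table layout, column names and sample rows are assumptions for the illustration; the queries themselves would run unchanged against a real database through whatever read-only client the auditor is given.

```python
import sqlite3

# Constructed sample AP postings for the illustration (not real data).
# Columns: id, vendor, amount, posted_at (local time), created_by, approved_by
SAMPLE_POSTINGS = [
    (1, "ACME Ltd", 1200.00, "2008-06-02 09:15:00", "alice", "bob"),
    (2, "ACME Ltd", 1200.00, "2008-06-04 10:02:00", "alice", "bob"),    # same vendor/amount two days later
    (3, "Globex",   5400.50, "2008-06-03 14:20:00", "carol", "carol"),  # creator approved her own posting
    (4, "Initech",   310.00, "2008-06-07 02:45:00", "dave",  "bob"),    # 02:45 on a Saturday
    (5, "Globex",     75.00, "2008-06-05 11:00:00", "alice", "bob"),
    (6, "ACME Ltd", 1200.00, "2008-07-21 09:00:00", "alice", "bob"),    # same amount, seven weeks later
]


def load_ledger(rows=SAMPLE_POSTINGS):
    """Load the rows into an in-memory SQLite table the audit queries can run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE postings (id INTEGER PRIMARY KEY, vendor TEXT, amount REAL, "
        "posted_at TEXT, created_by TEXT, approved_by TEXT)"
    )
    conn.executemany("INSERT INTO postings VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def duplicate_payments(conn, window_days=7):
    """Pairs of postings to the same vendor for the same amount within window_days."""
    sql = """
        SELECT a.id, b.id
          FROM postings a
          JOIN postings b
            ON a.vendor = b.vendor AND a.amount = b.amount AND a.id < b.id
         WHERE abs(julianday(a.posted_at) - julianday(b.posted_at)) <= ?
         ORDER BY a.id, b.id"""
    return conn.execute(sql, (window_days,)).fetchall()


def self_approved(conn):
    """Segregation-of-duties test: the same user created and approved the posting."""
    sql = "SELECT id FROM postings WHERE created_by = approved_by ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def out_of_hours(conn, start_hour=8, end_hour=18):
    """Postings made before start_hour, at or after end_hour, or on a weekend.
    SQLite's strftime('%w') returns '0' for Sunday and '6' for Saturday."""
    sql = """
        SELECT id
          FROM postings
         WHERE CAST(strftime('%H', posted_at) AS INTEGER) < ?
            OR CAST(strftime('%H', posted_at) AS INTEGER) >= ?
            OR strftime('%w', posted_at) IN ('0', '6')
         ORDER BY id"""
    return [row[0] for row in conn.execute(sql, (start_hour, end_hour))]


def run_audit_tests(rows=SAMPLE_POSTINGS):
    """Run every test and return the exceptions an auditor would follow up."""
    conn = load_ledger(rows)
    try:
        return {
            "duplicate_payments": duplicate_payments(conn),
            "self_approved": self_approved(conn),
            "out_of_hours": out_of_hours(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for test, hits in run_audit_tests().items():
        print(f"{test}: {hits}")
```

Two practical caveats: run this against a read-only replica or an extract you took yourself, never the live production instance, and on a real system compare monetary amounts as decimals (or round them) rather than relying on exact floating-point equality as the toy ledger does.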
Sunday 29 June 2008
Are you using TPM yet?
Secure Computing Magazine explains what the Trusted Platform Module (TPM) is, and what it can be used for. It stops short of explaining how to use it but has links to other sites that do so.
The TPM is a hardware crypto module on a chip, pre-installed by manufacturers in roughly 100 million PCs. Being hardware-based makes it more resistant to attack than pure software-based crypto systems - note 'more resistant to', not 'totally secure against'. I'm sure it's only a matter of time before some enterprising hacker breaks the TPM, perhaps using side channels (e.g. power consumption analysis) or electron microscopy, attacks that have worked to some extent against smart cards. Meanwhile, the TPM is considered stronger than normal software-based password vaults and the like.
Here's a list of the top 10 uses for TPM, extracted from the article:
1. Multi-factor authentication.
2. Strong login authentication.
3. Machine binding.
4. Digital signatures.
5. Password vaults.
6. File and folder encryption.
7. Strong client/server authentication.
8. Network access control.
9. Endpoint integrity.
10. Trusted client/server security.
Cool!
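Items 3 and 9 on that list (machine binding and endpoint integrity) rest on one mechanism worth seeing in code: the Platform Configuration Register. The block below is an added example, written by me in plain Python rather than taken from the magazine article or from any TPM vendor; it models a SHA-256 PCR bank and a simplified PCR-bound seal/unseal, not the real TPM command set. The boot chains and the "chip secret" are constructed stand-ins (a real chip keeps its seed inside the silicon and evaluates the policy there), but the extend rule is the one the TPM 2.0 specification uses: PCR := H(PCR || digest).

```python
import hashlib
import hmac

# Model of a TPM 2.0 SHA-256 PCR bank. Added illustration in plain Python, not TPM
# commands: a real TPM performs the extend and the policy check inside the chip.
PCR_INITIAL = bytes(32)
TPM_SECRET = b"constructed stand-in for the chip's internal seed"  # assumption for the model

# Constructed boot chains for the illustration.
GOOD_BOOT = [b"firmware 1.02", b"bootloader 2008.05", b"kernel 2.6.25"]
TAMPERED_BOOT = [b"firmware 1.02", b"modified bootloader", b"kernel 2.6.25"]


def pcr_extend(pcr, measurement):
    """TPM extend: PCR := H(PCR || H(measurement)). A PCR is never written directly,
    so the final digest depends on every measurement and on the order they arrived."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Replay a boot sequence through the extend operation and return the PCR value."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(secret, expected_pcr, tpm_secret=TPM_SECRET):
    """Bind a secret to an expected PCR value and to this chip (simplified PCR policy)."""
    key = hmac.new(tpm_secret, b"seal" + expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(blob, current_pcr, tpm_secret=TPM_SECRET):
    """Release the secret only if the current PCR and chip secret reproduce the key."""
    ciphertext, tag = blob
    key = hmac.new(tpm_secret, b"seal" + current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(key, ciphertext, hashlib.sha256).digest()):
        return None  # policy check failed: the TPM would refuse to unseal
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))


def demo():
    """Seal a disk key to the good boot chain, then try to unseal under other conditions."""
    blob = seal(b"disk encryption key", measure_boot(GOOD_BOOT))
    return {
        "same_boot": unseal(blob, measure_boot(GOOD_BOOT)),
        "tampered_boot": unseal(blob, measure_boot(TAMPERED_BOOT)),
        "reordered_boot": unseal(blob, measure_boot(list(reversed(GOOD_BOOT)))),
        "other_machine": unseal(blob, measure_boot(GOOD_BOOT), b"a different chip's seed"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'unsealed' if result else 'refused'}")
```

The point the model makes is that a changed component, a reordered boot or a different chip all produce a different key, so the sealed secret stays locked; what it does not model is the hardware's resistance to the side-channel and physical attacks mentioned above, which is exactly where the 'more resistant, not totally secure' caveat bites.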
Saturday 28 June 2008
New awareness module on infosec risk management
We've just released our latest security awareness module on "information security risk management". The title is deliberately a bit ambiguous - in fact it covers mostly risk management in an information security context, plus a bit of information security management and a sprinkling of IT operations for good measure.
Identifying and managing information security risks is of course a key objective for information security managers. The module dispenses sage advice to managers and IT professionals on exactly what is involved in the infosec risk management process. For general employees, we emphasize the "What's in it for me?" aspect by drawing parallels between managing infosec risks at home and at work.
You'll need to subscribe to NoticeBored to see the whole module in all its glory, and receive another one each month. We work this way to encourage customers to deliver rolling/continuous awareness programs. It seems to us a month is long enough to put across the essentials of any information security topic (potentially in more depth than any other awareness program we know of), yet short enough to avoid everyone getting totally bored by the same old same old. Next month we'll move on to a new topic (information security governance), hopefully before the eyelids start dropping and the posters disappear into the background.
We're clearly passionate about our approach to security awareness but keenly aware that we don't have a monopoly on the subject. Please email me (Gary@isect.com) or comment on this blog if you have other security awareness ideas or approaches that work for you. We'll gladly acknowledge your input if we take up your ideas, and maybe something more substantive will find its way to your inbox as our way of saying thanks.
Wednesday 25 June 2008
Information cards
The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers.
Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to log in the conventional way. Other information such as your shipping address can also be retrieved automagically.
So far, this sounds reminiscent of cookies (oh no!) but presumably those 'thoughtful designers and architects' have been beavering away on the security and privacy aspects. The Information Card Foundation website doesn't actually say much about the technology, unfortunately. Perhaps they've thought through the use of powerful encryption algorithms, long keys and solid protocols. Maybe they've considered shared and public PCs, cross-site issues and more. Perhaps this time they'll get it right.
If you change your address, you only have to update it in your personal data store, and all the relationships you have established with your Information Card will be updated automatically.
OR
'If a hacker changes your address, they only need to update it in your personal data store and all the sites that use your I-Card will use the hacked version'. I wonder if the automation will be such that the user never even notices that his bank statements and goods ordered online are now being delivered to a strange PO box address half way across the country?
Use "I-Cards" to:
- login to websites with a single click
- create relationships with those you want to do business with
- manage your personal data in one place that only you and those you allow have access.
- wield the claims that other people and institutions say about you.
- prove that you are who you say you are without revealing details using trusted identity providers.
The first bullet - single click website logins - and several others on the list can be achieved already with all manner of browser-integrated password vaults.
I have no idea what bullet 4 means by "wielding claims". I understand you can wield an ax but not a claim.
The last bullet presumably implies the use of digital certificates and PKI. So that's alright then. No issues there.
I'll be interested to see how this initiative pans out. So far, it looks suspiciously like a vendor-backed "solution" looking for a market demand. Claims to the effect that the ICF will develop vendor-independent standards (for interoperability among, presumably, the ICF members) hint at the real objective here. Get something to market (or rather, 'launch the concept') and start building the I-Card brand before some idiot has the temerity to point out the flaws.
Monday 23 June 2008
Password protected =/= Encrypted
At last! Indiana has seen the light!
A new Indiana state law comes into effect on July 1st mandating disclosure of breaches involving loss or theft of laptops containing personal data, even if the data are 'protected by a simple password' (such as a normal Windows or Linux login password, presumably).
"Public Law 136 (House Enrolled Act 1197) requires businesses to notify consumers when any of their personal information is contained on a laptop that has been lost or stolen unless that information is encrypted," Pierce said. Current law does not require consumers to be notified about a lost or stolen laptop if personal information about them on the laptop is protected by a simple password.
The article goes on to explain that 'a simple password' can be compromised by brute force attack, which is often true but is not really the point. A hacker with unrestrained physical access to a laptop could remove the unencrypted hard drive, attach it to another system and read all the data. Or they could run one of the 'retrieve lost admin password' utilities, typically by booting the laptop from an external boot device, or attack the running system through its Firewire port, etc.
Unfortunately, the article doesn't make it clear that brute force attacks might also work against the password/passphrase commonly used to protect the encryption keys. Multifactor authentication, for example a biometric or a token in addition to the usual password/passphrase, would make a significant difference, along with tamper-resistant hardware protection for the keys themselves (e.g. the Trusted Platform Module or a cryptographic smart card). And even then, there are potential attacks if the attacker has sufficient resources, skills and experience.
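Here is that point as an added example (my own code, not from the article or from any disk encryption product): the data are encrypted under a random 256-bit key, exactly as the law's "encrypted" exemption imagines, but that key is wrapped under a passphrase-derived key, and the thief who holds the laptop can guess passphrases offline with no lockout to stop him. The wordlist, the passphrases and the simplified key wrap are constructed for the illustration; PBKDF2-HMAC-SHA256 is Python's standard library implementation.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the illustration; real attacks use lists of millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "Indiana1", "summer2008", "changeme"]


def derive_kek(passphrase, salt, iterations):
    """Key-encryption key from the passphrase via PBKDF2-HMAC-SHA256 (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def protect_data_key(data_key, passphrase, iterations):
    """Wrap a 32-byte random data key under the passphrase. Everything returned here is
    what a thief finds in the encrypted volume's header: none of it is secret."""
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(data_key, kek))        # simplified key wrap
    verifier = hmac.new(kek, b"verify", hashlib.sha256).digest()  # tells a client the passphrase is wrong
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "verifier": verifier}


def unwrap_data_key(header, passphrase):
    """Recover the data key, or None if the passphrase does not reproduce the verifier."""
    kek = derive_kek(passphrase, header["salt"], header["iterations"])
    check = hmac.new(kek, b"verify", hashlib.sha256).digest()
    if not hmac.compare_digest(check, header["verifier"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], kek))


def dictionary_attack(header, candidates):
    """Offline guessing: the thief holds the disk, so no lockout or rate limit applies.
    Returns (passphrase, data_key, guesses) or (None, None, guesses)."""
    for guesses, candidate in enumerate(candidates, start=1):
        data_key = unwrap_data_key(header, candidate)
        if data_key is not None:
            return candidate, data_key, guesses
    return None, None, len(candidates)


def demo(iterations=20_000):
    """Same AES-256 data key, two passphrases: only the weak one falls to the wordlist."""
    data_key = os.urandom(32)   # the 256-bit key that actually encrypts the disk
    weak = protect_data_key(data_key, "summer2008", iterations)
    strong = protect_data_key(data_key, "gull-ferry-paper-lamp-42-tusk", iterations)
    w_pass, w_key, w_guesses = dictionary_attack(weak, WORDLIST)
    s_pass, _, s_guesses = dictionary_attack(strong, WORDLIST)
    return {
        "weak_passphrase_found": w_pass,
        "weak_data_key_recovered": w_key == data_key,
        "weak_guesses": w_guesses,
        "strong_passphrase_found": s_pass,
        "strong_guesses": s_guesses,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The iteration count is the only brake on this attack, and it slows the legitimate user by the same factor it slows the thief; that is why binding the key to a token or a TPM, which the attacker cannot iterate against offline, changes the picture far more than a bigger AES key does.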
I haven't read the statute but I'm curious about how it defines 'encrypted'. For example, does it mandate AES with a 256 bit key or would DES with a 56 bit key, or even a Caesar cypher with key of 5, be considered good enough? Defining such things in law would be tricky since the state of the art is moving along constantly. Caesar's cypher was considered good enough 2 millennia ago.
Continuing this line of thinking leads to the inevitable conclusion that personal data cannot be totally secured on a laptop or other device to which an attacker has unrestrained physical access. So, perhaps businesses that lose encrypted laptops containing personal data should come clean anyway since they can still rightfully state that the data were protected by encryption.
Previous posts on this topic: Password protected =/= hacker proof and "Password protected" again
Saturday 14 June 2008
Lack of awareness in awareness
A survey by CompTIA on security for mobile IT devices reveals the continuing lamentable and rather puzzling lack of investment in security awareness:
"Seventy-one per cent of respondents said their organizations allow mobile and remote employees to access data and networks, but only 39 per cent said their organizations have implemented security awareness training and education. Only 19 per cent said they intend to implement such training in 2008. The good news is that of the organizations that have implemented security awareness training for remote and mobile employees, 92 per cent of respondents said they believe the number of major security breaches has been reduced."
So, security awareness works but few organizations are using it. More fool them!
Jay Cline, writing in Computerworld, describes the top five mistakes of privacy awareness programs:
1. Doing separate training for privacy, security, records management and code of ethics.
2. Equating "campaign" with "program."
3. Equating "awareness" with "training."
4. Using one or two communications channels.
5. No measurement.
[Read Jay's piece if these are not immediately obvious.]
I agree with all five issues, particularly his point that "A true program has an annually refreshed calendar of messages and training going out to different employee populations throughout the year". Multimedia, multiple audiences and multiple activities together make for a more effective awareness program.
Tuesday 3 June 2008
Domain name owners being phished
ICANN's Security and Stability Advisory Committee (SSAC) has released a 12-page advisory on 'registrar impersonation phishing attacks' - in other words, phishing attacks targeting domain name owners ("registrants" in ICANN-speak). Owners' contact details are usually published and can be looked up for free through WHOIS. Putting the target person's contact details together with the fact that they have registered a domain name provides the phishing hook. Owners are invited to 'login and update their contact details', whereupon the phisher steals the login credentials and, presumably, manipulates the DNS entries for their own nefarious purposes.
Friday 30 May 2008
The business case for security awareness
Today we've released an updated version of our business case for a security awareness program. I wrote the first complete version of this paper a few years ago, developing a set of ideas I'd had and written into budget applications and investment proposals over previous years. It gets updated every year or so to reflect the state of the art and remains one of the most popular white papers on our website.
I'm currently working on an ENISA project developing advice for organizations on building the business case for security awareness. The project team members represent a variety of experiences and backgrounds so it will be fascinating to see how things work out. I'm sure the end result of our work will be a useful and worthwhile document but, as is so often the way with collaborative projects of this nature, a productive team gets even more value from the writing process - sharing thoughts and methods, discussing common issues, explaining things and illuminating the topic as we go.
Thursday 29 May 2008
Profile of an identity theft victim
According to the Beeb, the UK credit reporting agency Experian has analyzed its records to profile typical victims of identity theft. The results are thought provoking.
"Company directors or those running their own businesses are most likely to be victims of identity theft, according to a report from Experian."
Um. So company directors are unable to spot phishing and similar ID theft scams? I thought being in a responsible management position implied a level of intelligence, integrity and ability. Perhaps the phishers and other identity thieves are a step ahead after all.
"The credit reference agency said 6,000 victims in the UK asked its staff for help last year, a 66% rise on 2006."
Oh oh. Either ID theft has risen significantly, or Experian's marketing wizards have had an exceptional year.
"The most likely victims were aged between 26 and 45, earned more than £50,000, rented their home and lived in London, Experian's analysis found."
OK, now I'm starting to see a pattern. Busy professionals in the rat-race that is London, who probably don't have time to bother with small details such as checking their credit card statements or worry about dubious requests from their bank to 'update their details'. Life's too short.
"It takes an average of 18 months for people to realise they are victims."
Oh boy, that's a killer! Just imagine how much damage an identity thief can do over that kind of timescale, and how difficult it must be for the scammed busy professionals to re-establish their identities and credit records after someone has been living their life for 18 months or more.
18 months! I still find it hard to believe. What is going so badly wrong in the financial services industry that such a commonplace fraud takes so long to detect? Does nobody find it remotely strange that one "John Smith" appears to be taking money out of an ATM in Chiswick at the very instant that the same "John Smith" is purchasing first class tickets to Acapulco over the web or in a travel agency in Glasgow? Or that clean-living stay-at-home busy executive and housewife "Jane Smith" has suddenly taken to online gambling and porn in a big way?
I'm trivialising the problem, I know, but there must surely be visible symptoms of fraud when identity theft is evidently happening on such a wide scale, if only someone is looking for it .... My guess is that the British banks and credit card companies are looking hard at their own customers but jealously guarding their data from those nasty competitors who might just be able to make the connections. Further, I bet the Data Protection Act figures large in the executives' thinking, regardless of the ability to disclose information for legal purposes.
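The "John Smith in Chiswick and Glasgow at the same instant" symptom is exactly the kind of thing a bank could look for automatically. As an added example (my own code, not anything from Experian, the BBC or a bank), here is the simplest version of that check, run over a few constructed account events: sort one customer's transactions by time, compute the distance between consecutive locations and flag any pair whose implied speed no aeroplane could manage. The events, coordinates and speed threshold are assumptions for the illustration.

```python
import math
from datetime import datetime

# Constructed account activity for one customer (not real data).
# Fields: timestamp (UTC), channel, location, latitude, longitude
SAMPLE_EVENTS = [
    ("2008-05-28 10:00:00", "ATM", "Chiswick, London", 51.494, -0.268),
    ("2008-05-28 10:01:00", "WEB", "Glasgow",          55.864, -4.252),
    ("2008-05-28 14:30:00", "POS", "Chiswick, London", 51.494, -0.268),
    ("2008-05-29 09:00:00", "POS", "Manchester",       53.483, -2.244),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive events for one account whose implied speed exceeds max_speed_kmh.
    Returns a list of (earlier_location, later_location, implied_speed_kmh)."""
    ordered = sorted(events, key=lambda e: e[0])
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        t0 = datetime.strptime(prev[0], "%Y-%m-%d %H:%M:%S")
        t1 = datetime.strptime(cur[0], "%Y-%m-%d %H:%M:%S")
        # Floor the gap at one second so two events with the same timestamp still get a speed.
        hours = max((t1 - t0).total_seconds() / 3600.0, 1.0 / 3600.0)
        distance = haversine_km(prev[3], prev[4], cur[3], cur[4])
        speed = distance / hours
        if speed > max_speed_kmh:
            alerts.append((prev[2], cur[2], round(speed)))
    return alerts


if __name__ == "__main__":
    for earlier, later, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"{earlier} -> {later}: implied {speed} km/h")
```

The noise in real life comes from the WEB channel: a purchase geolocated by IP address puts a traveller behind a corporate VPN or proxy hundreds of miles from where they sit, so a production rule would weight card-present events more heavily than IP-derived ones and raise a case for a human rather than block outright. The bigger obstacle, as the post says, is that the two halves of the evidence often sit in different institutions.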
Perhaps, like those busy executives, the British financial institutions are just so caught up in the money-making rat race that they can't be bothered with trivial details such as [escalating] phishing, identity theft and other fraud losses - something Bruce Schneier refers to as delinquency. After all, 'ten grand' is a lot for a single customer to lose but nothing to a bank making billions. Maybe the personal impacts of identity theft on victims' lives simply don't register with the banks. Being 'serviced' by the bank used to be something that customers valued rather than feared.
Wednesday 28 May 2008
New awareness module on phishing & identity theft
It's out! The latest NoticeBored awareness module on phishing and identity theft.
It's no coincidence that this module follows last month's on IT fraud, integrity & trust. We try to link successive modules in some way for continuity, making the awareness program flow a little. It will be more of a challenge to link from phishing/ID theft to next month's module on information security and risk management, but we'll give it a go.
Wednesday 21 May 2008
"Password protected" again
The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list:
"The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."
The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has lying around in their bedroom, but some do, and specialist data recovery firms almost certainly have them. The 'highly advanced computer skills' needed to read the data are probably not beyond the average IT geek, especially a hacker with sufficient motivation to explore the tape.
But the really strange comment is that "the data is password-protected". IF the spokesman meant that the data were encrypted with a trustworthy encryption algorithm and a strong, long key, why didn't he say so? "Password protected" is normally how missing laptops are described when they don't use encryption. I don't understand how one would 'password protect' a tape.
So, this looks to me like yet another serious personal data breach in the UK, one evidently involving medical data that could well be more sensitive than, say, credit card numbers.
Sunday 11 May 2008
ISC2 blog launched
(ISC)2, the organization behind SSCP, CISSP and CISSP-concentration certifications, has released a new blog aimed primarily at qualified information security professionals but also relevant to those just considering qualification and in fact anyone with an interest in information security. I'm delighted and humbled to have been invited to join the blogging panel alongside a range of well known and highly experienced colleagues.
As the (ISC)2 blog develops, I expect I will be blogging less frequently here on the NoticeBored blog on topics that are not directly related to our current monthly awareness topic, moving those general interest posts over to the (ISC)2 blog ... so, if you want to continue seeing all these little pearls of wisdom plus others from the erudite (ISC)2 blogging panel, please subscribe to the (ISC)2 blog as well as this one. It's free, of course, and easy to track through blog aggregators such as Bloglines.
Thursday 8 May 2008
WE SCREAMED! BE AWEAR!
Most inbound 419 scams go directly to my spam box but every so often one escapes detection and lands up in my inbox. 99% of those get instantly deleted .... but oh I do enjoy the remaining 1%. Here's a classic example:
-------------------------
Assistant Director in Charge
Joseph Persichini, Jr
J. EDGAR. HOOVER BUILDING WASHINGTON D.C 13/10/2007
http://www.fbi.gov
ROBERT MUELLER
EXECUTIVE DIRECTOR FBI
FBI SEEKING TO WIRETAP INTERNET.
ATTNETION
THIS IS TO BRING TO YOUR NOTICE THAT WE THE FEDERAL BUREAU OF
INVESTIGATION (FBI) HAVE BEEN CONTACTED BY THE OFFICE OF THE PRESIDENCY FEDERAL
REPUBLIC OF NIGERIA TO COMMENCE WORK THROUGH OUR INTELLIGENCE
MONITORING NETWORK TO MONITOR THE ON GOING TRANSACTION BETWEEN YOU AND THE
(INTERNATIONAL CREDIT SETTLEMENT
DEPARTMENT/KTT CENTRAL BANK OF NIGERIA.)
WE HAVE BEEN INSTRUCTED TO MAKE SURE THAT THE OUT STANDING PART PAYMENT
WHICH IS SET AND READY TO BE PAID TO ALL THE BENEFICIARIES AND
INHERITORS IS MADE TO THEM COMPLETELY THROUGH TELEGRAPHIC WIRE TRANSFER DR.
YAKUBO YADI DIRECTOR TELEGRAPHIC DEPARTMENT CENTRAL BANK OF NIGERIA.
SEQUEL TO THIS DEVELOPMENT,YOUR INFORMATION APPEARED AS ONE OF THE
CONTRACTORS IN OUR RECORD TO RECEIVED THEIR PART PAYMENT.
THEREFORE,WE THE FEDERAL BUREAU OF INVESTIGATION (FBI) WASHINGTON DC IN
CONJUNCTION WITH THE ECONOMIC AND FINANCIAL CRIMES COMMISSION (EFCC)
HAVE SCREAMED AND FOUND OUT THAT THE TRANSACTION YOU HAVE WITH THE
DIRECTOR OF OPERATIONS INTERNATIONAL CREDIT SETTLEMENT/KTT DEPARTMENT)
CENTRAL BANK OF NIGERIA IS NOTING BUT LEGAL.
YOU HAVE THE LAWFUL RIGHT TO CLAIM YOUR PART PAYMENT AS WE ADVICE YOU
TO GO AHEAD AND DEAL WITH THEM FOR WE ARE MONITORING ALL THEIR SERVICES
WITH THE NIGERIA (EFCC.) IT MIGHT INTEREST YOU TO CONTACT THE (EFCC) ON
FINANCIAL CRIMES COMMISSION OFFICE
15 Awolowo Road Ikoyi
Lagos State Nigeria
EMAIL: financialinvestigationnig@post.ro
YOU SHOULD STRICTLY FOLLOW THE PROCEDURES OF THIS DEPARTMENT BECAUSE
AS A DEPARTMENT, THEY HAVE THEIR OWN LEGAL PROCEDURES WHICH WE HAVE
EXAMINED AND CONFIRMED LEGAL .
IN RESPECT TO THIS, FOLLOW THEIR INSTRUCTION WHILE YOU KEEP US UPDATED
FOR MORE DETAILS. WE WILL LIKE YOU TO KEEP US UPDATED SO FAR AS WE KEEP
OPEN COMMUNICATION WITH THIS KTT DEPARTMENTS OFFICIALS OF CENTRAL BANK
OF NIGERIA.
BE AWEAR THAT THE DIRECTOR OPERATIONS OF THIS DEPARTMENT IS NO OTHER
PERSON THAN DR. YAKUBO YADI DIRECTOR TELEGRAPHIC FOR YOUR INFORMATION.
REPLY THIS MAIL AS SOON AS YOU RECEIVE IT.
THANKS FOR YOUR CO-OPERATION.
WASHINGTON DC.
FBI Director
Robert S. Mueller,
-------------------------
Wednesday 7 May 2008
Compliance - a matter of managing risks
Today I've been browsing the good stuff going on over at Unified Compliance Project whose aim, as I understand it, is essentially to help organizations find and exploit alignments between various compliance requirements, eliminating duplication and hence reducing the total amount of compliance effort required. For example, implementing an ISO/IEC 27001-compliant Information Security Management System (ISMS) should simultaneously satisfy most if not all legal requirements for information privacy controls (with no additional effort), and should at least partially satisfy governance requirements arising from SOX, in addition to miscellaneous business benefits as a result of having a best practice ISMS.
One of the issues I've been pondering relates to "mandatory" requirements and obligations such as those enshrined in laws, regulations and contractual terms. It seems to me that, despite initial impressions, compliance with "mandatory" requirements may not be a simple binary condition. For a start, in most cases, the requirements are more complex than that. It is conceivable for the organization to be fully compliant with certain parts of the requirements but not so for others. Furthermore, the extent of compliance with any one requirement is often subject to interpretation, either because the requirement is ambiguous (hopefully not!) or because the organization and whoever is assessing compliance (law enforcement, lawyers, auditors, regulators, management) have their own viewpoints and prejudices. Finally, there is a chance that noncompliance might not be detected, or even if it is, it might not lead to the worst case consequences often paraded by the compliance lobby.
It's the same with speeding laws. If I break the speed limit, even by 1 mph, I am strictly failing to comply with a mandatory legal obligation. In practice, however, it is extremely unlikely I would ever be stopped for 1 mph over because (a) there are insufficient policemen with radar guns to track my every journey; (b) their radar guns have tolerance limits; (c) my speedo has tolerance limits, and the police and/or prosecutors allow me some flexibility; (d) if I am caught, there's a chance I might talk my way out of it; (e) even if I am fined, I might escape justice by fleeing the country, or I might get off "on a technicality". The situation changes for every mph over the limit - as indeed do my chances of being involved in a fatal accident. I weigh all this up every time I drive. [And yes I make mistakes: I have been fined for speeding. I didn't flee the country, I paid up and "learnt my lesson".]
So, all of this is, in fact, a risk management exercise. I assess the threat (of being caught speeding), the vulnerability (how far over the limit I am going) and the impact (the fines, the grief).
Something like SOX can be treated in the same way. Management may consciously choose NOT to be totally compliant, assessing the risks like any other business decision. Maybe they will get away with it. Maybe they can present good enough excuses to the auditors etc. to escape the full force of the law. Maybe the commercial benefits of noncompliance justify it in purely economic, if not ethical, terms.
I haven't seen this kind of perspective discussed anywhere but I am not a compliance expert. Perhaps it's old hat and I've just stumbled across something that is already well known. Or perhaps this stuff actually happens but nobody is willing to acknowledge it openly? I'd be interested in your thoughts.
Tuesday 6 May 2008
Love hurts
A heart-wrenching story from New Zealand shows the human impact of a 419/advance fee fraud involving a dating site, a fraudster and a naive individual.
Some if not most of the people who use online dating sites deliberately expose vulnerable parts of their personas as part of the deal. It's an inevitable part of the process of falling in love. But, as in Real Life, there are some who exploit such vulnerabilities to take advantage of the situation.
A woman who initially claimed to be in South Africa struck up an online relationship with a kiwi man. Things developed, as they do, with the couple swapping little love notes online and through text messages. Flattered at the attention and besotted with the woman, the man agreed to send NZ$2k "towards her air fare", sending it to Kuala Lumpur where she was (allegedly) staying. It was OK, she assured him, because she was due US$30k from a company her father had worked for, but he and his wife had been "killed in a car accident". The requests continued and so did his generosity, sending thousands more by Western Union for taxes, expenses and air fares to Pretoria and Ghana, mostly on his Mastercard.
The woman even wrote to his mother, saying "I love him and I will get the money to him". All lies of course, but it's easy for me to say that. I'm a cynic who has seen thousands of 419ers before. For those caught up in the drama, it's not nearly so obvious. "It was all believable" said his mum, but when he was already $10k down, the bank stopped his card and when he asked her for more money, mum said "Err, this sounds like a scam. I'm not happy about that. It just sounds ... like ... bullshit." But still she lent him the money "because that's what mothers do."
After the total crept up to around NZ$20k, the penny finally dropped when he noticed that the cellphone bill recorded calls to Ghana, not South Africa. "They weren't just alarm bells. They were great big gongs!"
The passport copy she had sent him was a fake and her claimed address didn't exist, according to Google (naturally). Her 'friend' via whom he had been sending money turned out to be a known scammer using different aliases. "I thought oh-oh, I've been scammed! I've been conned ... I'm stupid. Gullible ... 10% of me, even now, thinks she still might be genuine." And that, of course, is how the scam works.
Security awareness: how not to do it
I spent a few hours at the weekend viewing/listening to a series of presentations to accompany the launch of the Information Security Awareness Forum (ISAF) in London. If you have read the previous blog item, you'll know that one item in particular caught my eye/ear. One of the presenters essentially said that security awareness doesn't work, a somewhat curious perspective to express in support of a security awareness initiative. Anyway, it's not the first time I've heard the argument and I've been mulling it over ever since. My blood having dropped just below boiling point, it's time to respond.
Today I took one of those "online security awareness" things, and came away with a whole case study on How NOT To Do security awareness. I shan't name the organization concerned because my aim is not to embarrass them in any way, and it really doesn't matter - I'm sure these lessons are equally valid for many other security awareness programs.
- The 'awareness program' I tried takes the form of a website and simple (first generation) Learning Management System, basically a series of web pages plus questions covering a range of information security topics. There was almost no introduction, explaining why I might want to pay attention (presumably because the only way anyone can be persuaded to do this stuff is if management cracks the big whip). There was very little latitude for the user in sequencing the topics - just start at the first and proceed one by one until you reach the end. If I had questions about password construction, for example, I had to have answered the first nine of 15 modules to get to number 10 on passwords. The only concession to usability was that I could have interrupted the flow (in between - but not during - the modules) and could return later to the saved checkpoint.
- The information pages appeared to have been lifted from existing materials - policies and guidelines, complete with legalese and cross references (which didn't work since there was no way to alter the delivery sequence of the awareness package, and there were no active hyperlinks). There was a lot of tedious content to read. I suspect that much of it would have gone right over the heads of many of the employees taking the course, even those diligent enough to read every tedious word. Worse still, there were inconsistencies within the text, sometimes direct and explicit contradictions - for example in one paragraph stating that limited personal use of corporate IT facilities was permitted with various caveats, and two paragraphs further on stating that corporate IT facilities were only to be used for legitimate organizational purposes.
- The quiz questions were mostly idiotic. It is common practice to include one obvious distractor in a multiple choice question, something that is clearly wrong. However, some of the questions had 2 obvious distractors with only one remaining option. About a third of the questions showed no creativity whatever, being merely "true/false" or "yes/no" choices. In most cases, the correct answer was easily identified from the quiz alone i.e. without needing to reference the information previously presented, typically because it was the longest and most legalese answer and/or it repeated key words from the question. I had to try especially hard to answer anything wrong ...
- When I entered an incorrect answer, the system told me it was correct and highlighted the correct answer in bold. It gave me absolutely no further information about why my chosen answer was wrong or why the correct answer was right. There was no opportunity for me to go back to the information page to re-read and check my understanding - in fact the introduction to every module said I could not return to the information page after starting the questions. In other words, this was really a quiz not an awareness activity.
- At the end, the system told me "congratulations", emailed me a certificate of completion (whoop whoop! Lashings of ginger beer all round, I've got a CERTIFICATE!), and finished with "See you next year!" SEE YOU NEXT YEAR!! Oh boy, it seems this is a once-a-year process. I will have trouble remembering all that content tomorrow. I will probably forget chunks of it and important details by the end of this week. Next month, I will have forgotten I even took the test and wrote this rant. What's the point of once-a-year anything? Imagine if, say, learning to drive a car was done this way! Or sex!
- Some of the information and questions were inaccurate, ambiguous or misleading, occasionally technically incorrect. For example, a "complex password" that fulfils the corporate minimum specifications (8 characters, mixed case with numbers) is actually WEAKER than a substantially longer password example. There are indeed "more than 97,000 viruses" but that data item is, oh, about a decade out of date. There were grammatical errors and logical errors too. I admit to still being in a particularly picky and cynical mood today but these problems should have been addressed by more careful proofreading before this was released for use. It is being used to assess tens of thousands of employees in an organization for which information security is extremely important. Couldn't they afford to pass it by a competent reviewer first?
- There were 15 modules. I'm a lightning quick reader and an infosec professional. It took me about 5 to 10 mins to read each module and do the quiz. That's an hour or two facing the little screen - many employees would need much longer. It was a totally humorless, soul destroying and, yes, boring exercise. Almost entirely text, with no diagrams and only a few nasty cartoon icons for company. I came away thinking "Thank , that's over for a year!". It was a distinctly negative experience, equating information security with tedium and slog. Q: What's in it for me? A: Nothing. In fact, the entire perspective was around protecting the organization's interests, not the individual user. Maybe if it had explained why installing and updating antivirus software on my home system would help protect me and my family from identity theft, then I might just have paid more attention.
- Some modules appear to have been updated, including a couple of mentions of a major information security breach that hit the news headlines, oh, about 2 years ago. All the impact has gone. Old news is an oxymoron. It's such a shame because the news media, IT press and infosec specialist press is full of highly relevant, topical and, dare I say it, INTERESTING news and incidents. Even better, the organization has undoubtedly suffered infosec incidents that could have made even more relevant and interesting case studies. But no.
- Some of the modules mention (relatively) new infosec risks, including social engineering. Great! Unfortunately, they provided no (zero, nothing at all) advice on what I ought to be doing about the social engineering and similar 'new' threats such as wireless network hacks. "X could be really nasty! It's a big issue! You're on your own kid!" is hardly the most productive awareness content. I wonder if this is partly because someone would have to create (and ideally proofread!) new content ... and if there is nobody on the payroll with the competencies and time to do it, that means going back cap-in-hand to the supplier of the "leading edge online information security awareness and training" pup they've been sold.
OK OK I'm ranting I know, but the reason is to point out that:
- With little investment and even less thought, security awareness can be done really badly;
- Bad security awareness is unlikely to be effective, and in fact could be counterproductive;
- The ineffectiveness of badly designed, constructed and delivered awareness programs says nothing about the potential for well designed, well constructed and effectively delivered programs; and
- It doesn't take a genius to figure out how to improve security awareness, especially when starting from such a low base. A 20 minute team seminar about information security would have achieved so much more than this hour or two of extreme tedium. Almost ANYTHING else would have been better!
I cannot understand why security awareness seems to be stuck in the mold of once-a-year inform-and-test (I used to call it the "sheep dip" approach to awareness, but subsequently found out that sheep are dipped more often than most employees are made to jump through the awareness hoops!). It's high time for a new approach and some fresh ideas. ISC2's Cyber Security Awareness Resource Center offers a range of freely available creative materials and ideas. Rebecca Herold's wonderful book "Managing an information security and privacy awareness and training program" is full to the brim with sound advice.
Security awareness is dead. Long live security awareness!