Women 4 times more likely than men to give passwords for chocolate

•April 16, 2008

This is a nice little story the week before the big show. It is good to highlight issues, including a key aspect of Information Assurance: integrity. Can you prove the passwords handed over were real? Not easily. That is not the point of an awareness campaign, though.

Mobile device policy enforcement

•April 13, 2008

It is now possible to implement policies within Windows Mobile 6.1 and Exchange 2007 SP1 to enable or prevent services on mobile devices. This is a good step forward and should enable the use of Windows Mobile devices to be considered as enterprise end points in environments where strong controls are required.

The capacity to disable camera and Bluetooth features is a welcome addition. Both of these features are much loved by many businesses and individual users and provide some real benefit to them. There are, however, a number of environments where the choice of handset has been limited because many ‘business handsets’ and Windows devices provide too many features, creating compliance issues for the organisational IA or InfoSec policies. Design secrets or secure installations do not enjoy the benefits of a 3 megapixel camera available to mobile phone users. The ‘benefit’ to business of the always-on Bluetooth culture can now be managed in a way that should enable an enterprise to reduce the risk of employees having their devices remotely accessed as they move around restaurants, coffee shops and bars.

Now if only you could enable a policy to ensure that people stopped leaving the mobile devices in cabs, restaurants, bars….

Chip ‘n’ Pin

•April 11, 2008

Last month the BBC ran a story about how ‘nice and safe’ the card readers involved in the ‘Chip ‘n’ Pin’ process for purchases were. These devices had been modified to enable the card information and the PIN to be stolen, in effect acting in a manner similar to a key logger. This is quite a problem, as most people are not in a position to ensure that no one has tampered with the device into which they are placing their card and entering their PIN. One of the reasons this is even possible is the limited security between the card and the reader. This is not secured in earlier cards (apparently if your card has been issued since the start of 2008 then the ‘improved technology’ will protect you…). Why would you not encrypt all data sent from the card and keypad to the banking system? Why would you not make the devices tamper proof?

I have never understood why the banks and retailers did not take the opportunity to combine the ‘Chip ‘n’ Pin’ technology with the existing technology…a signature! By combining the two you would reduce the threat further, as duplicate cards made with the stolen electronic data would have to carry the signature foils as well.

If you have ever implemented two-factor authentication systems you will be familiar with the addition of the token information to your existing authentication details, such as a unique username and (strong!) password. Try convincing an accreditor that the new system with a token no longer needs the strong password.

Electronic Threats 2008

•March 10, 2008

The evolution of events in 2007, where the ‘Spamthru’ trojan moved on to become the ‘Storm Worm’, is leaving the threat landscape with a lasting issue for 2008. The great ‘success’ of Fast Flux or Bullet Proof Hosting has enabled the malware to keep a large install base across the globe. This resilience is enabling the controllers to continue delivering ‘services’ from the bots. The capacity of this network is beyond the current use observed by the security vendors working to protect their customers and reduce the threat landscape. The bots have a theoretical spamming capacity almost 10 times the current activity. But it is not just the volume of traffic that is different from the past. The traffic profile has also changed from the previous bots and spam engines. The profile that can now be measured is one of narrow spikes of activity, timed to reduce the chances of an electronic fingerprint being created for the spam message and its associated malware. If this is achieved then the success rate of delivering the spam is increased. The fine tuning of this has been reviewed over the past 12 months and it can be shown that the time frame for an attack is as short as 11 minutes.

The history of these botnets, and even of the earlier mechanisms for spam and malware distribution, has been one of untargeted or ‘carpet spamming’. The growing trend for 2008 is targeted distribution based on the aggregation of relevant information relating to individuals, or to positions within organisations, based upon their business. These are growing to be very sophisticated, and individuals are unwittingly assisting the criminals by publishing greater and greater volumes of information about themselves directly onto the web. The continued growth and enthusiasm for social networking sites, combined with public records, are making the targeting easier and easier. Individuals need to pay much closer attention to the way that they propagate information about themselves and how it will affect them individually and as an employee. Some companies have witnessed targeted attacks escalate from a couple a week to almost 1,000 in a few hours per day. This is a real growing threat.

So what is being delivered through this increase in sophisticated, targeted, swift and resilient infrastructure?

Well, this is changing also. The number of direct attachments to mail items is reducing. A decade of internet-based email in common use in industry and in the home has led (very slowly..) to some awareness of the risks of attachments. Now this is due to real incidents and to urban myths, but whichever is the more effective, the result can be the same: some degree of thought prior to opening an attachment (but only a little). The rise (also slowly!) in AV products deployed properly and kept up to date in the work environment and within the domestic situation is beginning to reduce the effectiveness of attachment-based vectors. The growing trend is now malware behind URLs within the email message. These are very rarely blocked by AV/AS tools or firewall applications. These really do require another round of education for people who do not work within IT Sec or InfoSec. So many email messages have URLs in them that it is difficult to get this message across. They are almost like background noise; you could be forgiven for not noticing them at first. But beware, these are a real risk to you…
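As an added example (not code from the original post or from any vendor it mentions), here is a small Python burst detector for the narrow spikes described above: it bins a constructed mail-gateway log into fixed windows, flags windows whose volume exceeds a multiple of the median window volume, and reports how many messages in each spike carried a URL rather than an attachment. The log line format, the window size and the threshold factor are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (the line format is an assumption, not any real
# gateway's): 12 ordinary messages spread over an hour, then 8 messages in
# 40 seconds that all carry a URL in the body rather than an attachment.
SAMPLE_LOG = (
    [f"2008-03-10T09:{m:02d}:10 from=user{m}@example.net body_urls=0"
     for m in range(0, 60, 5)]
    + [f"2008-03-10T10:02:{s:02d} from=bulk{s}@example.com body_urls=1"
       for s in range(0, 40, 5)]
)

LINE_RE = re.compile(r"^(\S+) from=(\S+) body_urls=(\d+)$")


def parse(lines):
    """Yield (timestamp, sender, url_count) per well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def find_bursts(lines, window_minutes=5, factor=4.0):
    """Flag windows whose message count exceeds factor times the median count
    of the non-empty windows; report each with its count and URL-bearing count."""
    counts = defaultdict(lambda: [0, 0])  # window start -> [messages, with_url]
    for ts, _sender, urls in parse(lines):
        start = ts.replace(second=0, microsecond=0) - timedelta(
            minutes=ts.minute % window_minutes)
        counts[start][0] += 1
        counts[start][1] += 1 if urls > 0 else 0
    if not counts:
        return []
    # Median over non-empty windows only, so quiet hours do not drag the
    # baseline to zero and flag every window.
    baseline = statistics.median(total for total, _ in counts.values())
    return [
        {"window_start": start, "messages": total, "with_url": with_url}
        for start, (total, with_url) in sorted(counts.items())
        if total > factor * baseline
    ]


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG):
        print(f"{burst['window_start']:%H:%M}: {burst['messages']} messages, "
              f"{burst['with_url']} with URLs")
```

On the constructed log the single 10:00 window is flagged with 8 messages, all carrying URLs, while the baseline hour produces nothing.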

Vulnerability Patch Testing

•February 5, 2008

Is testing patches really worth it?

Usually, when patches are released, IT departments should be taking the patches and running their test procedures to determine any business impact from implementing the patch. This can include preventing that important application in marketing from working, but mostly the crayons are still OK. After this has happened within the separated Test Environment, the Change Control Procedure is conducted before the new patch is deployed into the live environment of the organisation.

Now in one or two organisations this process may be slightly less rigorous than in others. This process takes time and resources. A risk assessment should have been undertaken to determine the likelihood and impact of the vulnerability being exploited for that organisation. It could take a week or more to conduct this process effectively.

So we then ask: ‘How long does it take from the patch for a vulnerability being released to the first attacks exploiting that vulnerability being available?’ …

This used to be a time frame in keeping with the effective testing and change control process above; recently, though, it appears that the game has moved on. It has been shown that attacks are often available 4 days after Patch Tuesday, and in some cases even faster.

The combination of less than perfect ‘test environments and procedures’ and short timescales before attacks become available has led several large organisations to consider deploying patches immediately after they are released to protect their systems. This view is assisted by ever-expanding mechanisms for application and system delivery, including thin client, centralised virtual desktops and application virtualisation. By providing the capacity to ‘roll back’ to a known state swiftly and effectively, it is becoming possible for organisations to reduce the risk in patching early and gain the benefits.

To lose one laptop may be regarded as a misfortune; to lose many looks like carelessness

•January 21, 2008

Mobile computing is a marvel of the modern age. Only a generation ago a portable computer required a healthy physique to carry it around and use it in the manner advertised or intended. Fast forward to today and many people will know of families where the children have a laptop rather than access to a regular PC. They can be seen used everywhere: planes, trains and yes, automobiles (have you seen them perched on the dashboards of European trucks as they trundle along the motorways?).

The reduced weight has really brought the use of mobile computing to the fore. There does appear to be a downside: physically keeping hold of what is yours.

In the last week the media has once again highlighted several instances of organisations ‘losing’ laptops. The loss of these is likely to be very inconvenient for the people who were meant to use them. It is, however, the wealth of information that can be extracted from the devices that is of grave concern to everyone else.

First to break cover was Middlesbrough Council with the loss of 9 laptops containing sensitive Social Care information relating to a reported 63 cases. It was explained, when asked about security and the possibility of encryption, that some measures were in place but the Council had an ‘ad hoc’ attitude to Information Security. It also became clear that the Council had suffered a burglary and the loss of another laptop last year.

Only days later the next story to break related to the loss of another laptop, this time from the MOD. The data this time included a reasonable amount of personal data for 600,000 people. When the question about security was raised, a very surprising answer came back: this laptop also had no drive encryption software in use.

This leads to so many questions. Why did a laptop contain so much live data that should be securely stored in a database in a data centre? Why was no full disc encryption tool deployed to this device, as outlined by organisations such as CESG? Why was nothing changed after the previous losses?

Oh yes, previous losses… roll call:

Two military laptops containing the unencrypted details of at least 500 military personnel and potential new recruits had been lost in the last two years.

68 MoD laptops were stolen in 2007

66 in 2006

40 in 2005

173 in 2004

After that number you might expect that taking your own advice on security seriously would be important, but apparently not. We have been told that they are recalling all the similar laptops.

Let this be a lesson to any organisation. A laptop will cost you £450 and drive encryption software can be purchased for approx £80. The overall cost compared to the risk is low. If you create, read, transport, store or use sensitive information relating to your line of business, be smart: secure the information.

Clarkson stung after bank prank

•January 16, 2008

This is a nice story. It is not pleasant for the English celebrity, but it does openly show an issue that I have tried to explain to people for many years. If you provide someone with basic details of your banking arrangements they can (and will) take money from you. Best of all, your bank will not do anything to prevent this.

Surely a more robust method of checking authentication and authorization is possible to stop this open wound in our banking system?

TV presenter Jeremy Clarkson has lost money after publishing his bank details in his newspaper column.

The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs.

He wanted to prove the story was a fuss about nothing.

But Clarkson admitted he was “wrong” after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.

Clarkson published details of his Barclays account in the Sun newspaper, including his account number and sort code. He even told people how to find out his address.

“All you’ll be able to do with them is put money into my account. Not take it out. Honestly, I’ve never known such a palaver about nothing,” he told readers.

But he was proved wrong, as the 47-year-old wrote in his Sunday Times column.

“I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account,” he said.

“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.

“I was wrong and I have been punished for my mistake.”

Source: BBC website