Sunday, January 31, 2010

Cracking encrypted VOIP?

Taken at face value, a claim to have cracked voice encryption programs in minutes sounds pretty melodramatic. In fact it appears the hacker has merely intercepted the 'plaintext' (plainvoice? plainaudio? plaingab?) en route to or from the encryption software at the client end, using a Trojan. The same trick would probably work against most encryption systems: once the endpoint is compromised, the audio can be captured before it is encrypted or after it is decrypted, however strong the cipher, unless the plaintext path itself is physically and logically secured.


Cryptography in the dock

As if to mark the release of our latest security awareness module on cryptography*, Steven Murdoch and Ross Anderson of Cambridge University have released a highly critical report on the security of the Verified by Visa and MasterCard SecureCode authentication systems (both built on the 3-D Secure protocol). True to one of the central messages in the awareness materials, their main complaints revolve not around the cryptography per se but around the implementation. It seems the banks, credit card companies, merchants and service providers have failed to pay sufficient attention to the poor human beings who use the system. Human factors significantly weaken a design that probably looks great on paper.

* Not so, of course, it was purely a coincidence.


Thursday, January 21, 2010

ISO27k application security standard

An ISO/IEC 27000-series multi-part standard on application security is 'in the works'.

I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts" which lays out the basic concepts and principles for other parts of 27034 to elaborate upon.

Despite this overview part being around 78 pages long, Part 1 states explicitly that 27034 is not a software application development standard, an application project management standard, nor a software development life cycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas.

The standard explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance, it defines application security not as the state of security of an application system but as "a process an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them".

The draft standard draws on concepts such as auditing and certification of application systems, similar in style to the Common Criteria and similar schemes primarily used for government and military systems. It tends to emphasize deliberate threats from external adversaries over threats from insiders and, perhaps more importantly in many situations, over accidental threats, and hence underplays the need for integrity and availability controls.

The standard is not projected to be released until 2012 - such is the glacially slow pace of ISO/IEC. The upside, though, is that the final product will - we hope - be well worth the wait.


Sunday, January 17, 2010

Making money from the Haitian quake

I can barely believe the cheek of this email that plopped into my inbox today:
HELP HAITI LONDON
13 Liverpool Road,
Islington, London,
N1 0RW

Dear.Friend

On Tuesday, a catastrophic earthquake struck near Port-au-Prince almost the whole of Haiti. The full extent of the damage is still being assessed, but the death toll -- already in the thousands -- is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Haiti is racing to confront the enormous devastation -- and the OFA community can help.
Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

we have directed this means of contact individuals to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They're providing food, water, and sanitation supplies, saving lives and helping Haitians,please your help is also needed

Despite the fact that we are experiencing tough financial times now we encourage those who can to reach out and help. It's in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

PLEASE FOR NOW YOU CAN SEND YOUR DONATIONS BY WESTERN UNION TO OUR HELP HAITI LONDON CORDINATIOR ANN BROWN WITH THE BELOW INFORMATION,NO AMOUNT ITS TOO SMALL HELP AND GOD WILL BLESS YOU!!

Receiver:Ann Brown
Location:London Uk
Email: helphaitinow@consultant.com
send her all related information or call john on +447031842276

Please if you make any donation send us the following informations for reference .
1) Your full name:

2) Sex:

3) Age:

4) Occupation:

5) Mobile / Telephone Number:

6) Country:

6) Nationality:

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

David Cole
Just in case you missed the rather obvious signs of a 419 scam, such as the rotten grammar and spelling, the insistence on an untraceable Western Union transfer and the other inconsistencies, there's a completely unnecessary request for personal information to cap it all off.

Scumbags.


Monday, January 11, 2010

Privacy/security awareness

A report from Government Technology caught my eye this morning: CSI Computer Crime and Security Survey Shows Poor Security Awareness Training in Public and Private Sectors. "Mmmm, looks interesting" I thought, especially when I saw this:

"But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.

"I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said.

Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well."

So, less than 60% of organizations surveyed spend at least 1% of their 'security budget' (whatever that means) on 'awareness training' (whatever that means also). I can't say I'm surprised by that but I'd like to know more and check the original source for details.

The GovTech report didn't include a link to the survey, merely a link to the CSI website. There's an obvious link to the survey on CSI's home page, but Houston, we have a problem: it seems the only way to obtain the survey is either to purchase membership of CSI, for over US$200, or to obtain a 'free preview' of the report .... which requires me to enter a bunch of personal information.

If, as the GovTech article suggests, there really is a problem with security awareness, it seems rather ironic that the CSI report is not freely available to all without invading our privacy. The report sounds like it might be useful from an awareness perspective, but not at that price.

Similar surveys are freely available from many other organizations. Guess I can live without CSI's.


Tuesday, January 05, 2010

Secure software development

In connection with this month's NoticeBored awareness materials on the security aspects of software development, I've been listening to a podcast by Ralph Hood and Kim Howell (two Microsofties) about how both privacy and wider information security issues are integrated into Microsoft's development practices.

From a non-US perspective, the very idea that privacy and security are "opposite sides of the same coin" seems a little weird. For most of the rest of the world, privacy has long been acknowledged as a subset of information security, being essentially the confidentiality of information about specific individuals. But, as host Julia Allen mentions in the podcast, the US is still shifting from the idea that it's perfectly OK to collect all sorts of personal information from people and use it as you wish.

One of the interesting approaches discussed in the podcast is that personal information needed purely for aggregation or statistical purposes should be collected and held only temporarily, then deleted as soon as possible. Personal information in server logs, for example, may be parsed out, analyzed and deleted by a regular process, so that only the aggregates are retained. While this makes post-hoc validation of the data difficult, that slight drawback is outweighed by the privacy advantages for those who supply their information.
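The aggregate-then-delete pattern just described, as an added example (not code from the podcast, from CERT or from Microsoft). The log lines are constructed and follow the Apache/nginx "combined" layout; the per-run HMAC key, the chosen aggregates and the IP-address guard are assumptions made for the example. The point it demonstrates beyond the paragraph is how to still count distinct visitors without ever storing an address: addresses are pseudonymized with a key that exists only for the run, so the stored record is neither reversible nor linkable across runs.

```python
"""Added example: aggregate personal data out of server logs and keep only
the statistics. Sample log lines are constructed; the field layout assumes
the Apache/nginx 'combined' format."""
import hashlib
import hmac
import json
import os
import re
from collections import Counter

# Constructed sample: three distinct client IPs from RFC 5737 documentation ranges,
# plus one malformed line to show that unparsable input is skipped, not stored.
LOG_LINES = [
    '203.0.113.7 - - [05/Jan/2010:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [05/Jan/2010:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2010:09:12:09 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [05/Jan/2010:09:13:44 +0000] "POST /login HTTP/1.1" 401 211 "-" "curl/7.19"',
    '192.0.2.9 - - [05/Jan/2010:09:13:45 +0000] "POST /login HTTP/1.1" 401 211 "-" "curl/7.19"',
    'garbage line that does not parse',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymize(ip, key):
    """Keyed hash of the address, so one run can count distinct visitors
    without keeping the address. The key is generated per run and discarded,
    so the pseudonym cannot be reversed later or joined with another run."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def aggregate(lines, key):
    """Parse, count, and return only aggregates; the raw address never leaves here."""
    paths, statuses, visitors = Counter(), Counter(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: neither analysed nor retained
        paths[m["path"]] += 1
        statuses[m["status"]] += 1
        visitors.add(pseudonymize(m["ip"], key))
    return {
        "requests_by_path": dict(paths),
        "responses_by_status": dict(statuses),
        "unique_visitors": len(visitors),
        "parsed": sum(paths.values()),
    }


def retained_record(stats):
    """The only thing written to long-term storage."""
    return json.dumps(stats, sort_keys=True)


def contains_ip(text):
    """Guard run before persisting: refuse anything that still holds an IPv4 address."""
    return IPV4_RE.search(text) is not None


def run(lines):
    key = os.urandom(32)  # per-run key; deliberately never persisted
    record = retained_record(aggregate(lines, key))
    if contains_ip(record):
        raise RuntimeError("refusing to persist a record that still contains an IP address")
    return record


if __name__ == "__main__":
    print(run(LOG_LINES))
```

The guard in `run` is the check a practitioner wants: a later change that adds a "top client" field would fail loudly rather than silently re-introduce personal data into the retained record.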

The podcast is one of the excellent Security for business leaders series by CERT at Carnegie Mellon University. An impressive range of podcasts is available to download.


Thursday, December 10, 2009

Security awareness research

Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities. The research was mentored by Professor Mikko Siponen, leader of Oulu University's Information Systems Security Research Center in Finland. The thesis, "A design theory for information security awareness" by Petri Puhakainen is well written. As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions.

The thesis uses cognitive theories on how learning and behavioural changes are understood to occur to evaluate common awareness practices. For example, "Communication is presented as a continuous process where the parties should take turns and create information to be shared, interpreted, and reinterpreted until a sufficient degree of mutual understanding and agreement is achieved to enable collective action. The outcomes of the communication process are social (mutual understanding, agreement, and collective action) and individual (perceiving, interpreting, understanding, and believing)." (page 78).

As I read it, Petri (in common with many others in this field) often confuses 'awareness' with 'training', for example discussing a research case involving quite narrow training on the use of encryption for confidential email as a security awareness exercise. To my mind, awareness is intended to achieve a generalized appreciation or understanding of information security throughout the enterprise as a whole, while training is intended to focus on a specific problem area or development need for specific individuals or teams. Awareness aims to change employees' behaviour in quite subtle but broad ways (cultural development), while training aims to change employees' behaviour more overtly under quite specific circumstances (personal development). These are quite distinct aims that are usually satisfied by different teaching/training and motivational/awareness methods.

By stating "At least in large organizations, it is not possible to aim at mutual understanding by engaging all employees in the conversation process. Such approach would be expensive and slow, making [it] unfeasible." (also on page 78), Petri arguably misunderstands the value of broad-based enterprise-wide security awareness programs that inform and engage employees throughout the corporation but without the expense normally associated with classroom training sessions.

All arguments aside, the previous two paragraphs hint at the value of reading Petri's thesis in depth, exploring the many embedded references and thinking critically about what the author presents. As an information security professional with more than two decades' experience and a penchant for both academic and pragmatic writings on the subject, I'm delighted to have learnt new things and found useful new references in the thesis. Good job Petri!


Thursday, November 12, 2009

419 phisher mash-up


Well here's a new take on an old scam - well possibly two old scams in one as it has elements of both 419 advance fee fraud and phishing about it (click on the email screenshot to see it in its full glory - I added the red highlighting).

I must say I have never before had scammers offering to send me my own "account online log in and password". What's the betting there is a small charge to release the information?


Saturday, November 07, 2009

Cheapskate copycat 419 scammers

The following extraordinary sentence launched yet another tedious social engineering 419 scam in my spam box:

"Take notice that based on the UNITED NATIONS government inauguration of this committee which extended to all countries which combined with the United Nation Anti-crime commission to alleviate and redeem the image and past wounds of our dear citizens and foreign firms who were duped, defrauded, scammed and abandoned by some impostors who indiscriminately use the name of God, Office of governors, Presidency, Banks etc to slight down our dignities to international communities."

Most 419ers are clearly one sandwich short of a picnic as all they seem to do is replay the same old scams over and over. The 'clever' ones add daft little elaborations and the rest duly plagiarise them without actually understanding how dumb they end up sounding.

This cretin continued: "Many banks have been in bankruptcy today, Universal firms, Companies due to the activity of these hoodlums. However, investigation have shown that these people have dropped over 500,000 clients after collecting their money, many committed suicide and others living by the grace of God," [that comma ended the paragraph].

By the third paragraph, the bizarre language had actually become quite entertaining: "Meanwhile, we have a committee whose duties are to re-commend [sic] genuine contractors, loan bidders, next of kin (inheritance payment), foreign firms who have completed all the U.S government normal payment requirements but abandoned due to take over of some sacked officials who take Government papers to collect money and leave the beneficiary half way." He's obviously read far too many emails by his friends in the back-street Internet cafe, and mashed them all together in his tiny pin-head, as if that somehow enhances the magic.

After a boring fourth paragraph, we discover that his CAPS-LOCK key is evidently sticking: "We also have endorsed your payment to FALCON BANK TO PAY YOU THROUGH A DIPLOMATIC COURIER SERVICE without prejudice and will need a confirmation of all your communication until you finally receive your money so as to investigate more so to find out more facts on this issues, it will be well appreciated if you can provide us some vital information on how you have been scammed. The U.N government is using this opportunity to compensate the entire victim who some have duped."

The 'U.N Government'?! Gosh, I must have missed that election. Silly me.

"So you are advice to contact Mr. Felix De Lapaz to mail to you a certified check which can be cashed anywhere in the world and the amount is $250,000.00 U.S.D(TWO HUNDRED AND FIFTY THOUSAND UNITED STATES DOLLARS)." Now, just in case the rest of this tripe somehow escaped my beady and rather jaundiced eye, I clearly smell a very large malodorous rat as most of this cheapskate scammer's peers are offering me many MILLIONS (all in CAPS of course, spelt out for me word-by-word as if this somehow adds credibility to those crazy digits).

After asking me to cough up a little personal information ("Please fill the following form for documentations:"), the numbskull ends with this: "As soon as you give him the following he will mail your compensation cheque to you. THIS IS PROUDLY SPONSORED BY "THE U.N CAMPAIGN TEAM AGAINST ONLINE SCAMS"." So, this is a sponsored scam, eh? I'm sorely tempted to write back to see if I can discover how he managed to secure such high-powered sponsorship ... but then I come to my senses and realise that bozos like this are simply not worth the electrons.

Still, at least I got yet another entertaining case study out of it. And a wry smile.


Wednesday, November 04, 2009

Word-based email blacklisting

Using banned-word lists to block spam may be a simple and hence cheap control, but on its own it is too crude to work properly: a single banned word says nothing about the rest of the message, and a bare substring match cannot even tell the word from longer words containing it. Blocking emails with "teen" in them, for example, is perhaps not the smartest move made by New Zealand's Social Development Ministry.
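An added example (not code from the Ministry or from anything else on this page) contrasting the crude control just described with two less crude ones, using the 419 scam quoted in the "Making money from the Haitian quake" post above as the positive case. The sample messages are constructed (the scam is condensed from the quoted email), and the indicator regexes, weights and threshold are illustrative assumptions, not a production ruleset. It shows three things the text only asserts: a substring blacklist blocks "canteen" and "seventeen"; whole-word matching fixes that but still blocks the word's legitimate uses; and a score built from several independent scam tells (untraceable payment channel, a UK 070 "personal number", a request for personal data, a generic salutation) flags the scam without banning any ordinary word at all.

```python
"""Added example: naive banned-word filtering versus word-boundary matching
versus a weighted multi-indicator score. All messages are constructed."""
import re

# Condensed from the 419 email quoted on this page.
SCAM = """Dear.Friend
On Tuesday, a catastrophic earthquake struck near Port-au-Prince.
PLEASE FOR NOW YOU CAN SEND YOUR DONATIONS BY WESTERN UNION TO OUR
CORDINATIOR ANN BROWN, NO AMOUNT ITS TOO SMALL HELP AND GOD WILL BLESS YOU!!
Receiver: Ann Brown  Location: London Uk
call john on +447031842276
1) Your full name:  2) Sex:  3) Age:  4) Occupation:  6) Nationality:
"""

# Legitimate message that only contains "teen" inside longer words.
LEGIT_SUBSTRING = """Hi team,
The canteen closes at seventeen hundred on Friday; Mrs Steen will present
the quarterly figures before then.
"""

# Legitimate message that uses "teen" as a word, as a social-services ministry would.
LEGIT_WORD = """Hi team,
The Ministry's teen mental-health unit will present the quarterly figures
on Friday afternoon.
"""

NAIVE_BANNED = ["teen", "western union"]


def naive_blocked(text, banned=NAIVE_BANNED):
    """Substring blacklist: the crude control the post describes."""
    lower = text.lower()
    return [w for w in banned if w in lower]


def word_blocked(text, banned=NAIVE_BANNED):
    """Whole-word matching: 'canteen' and 'seventeen' no longer trip 'teen'."""
    return [w for w in banned
            if re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)]


# (regex, flags, weight, explanation). Weights and patterns are assumptions for the example.
INDICATORS = [
    (r"\bwestern\s+union\b", re.IGNORECASE, 3, "payment by untraceable money transfer"),
    (r"\+44\s?70\d{8}\b", 0, 3, "UK 070 'personal number' that forwards anywhere"),
    (r"\b(?:full name|sex|age|occupation|nationality)\s*:", re.IGNORECASE, 1,
     "unnecessary request for personal details"),
    (r"\bdear\.?\s*friend\b", re.IGNORECASE, 2, "generic salutation"),
    (r"\bgod will bless you\b", re.IGNORECASE, 1, "religious appeal"),
    (r"\b(?:[A-Z]{3,}\s+){5,}[A-Z]{3,}\b", 0, 1, "sustained shouting in capitals"),
]

THRESHOLD = 5  # assumption: tune against real mail before relying on it


def scam_score(text, indicators=INDICATORS):
    """Score by how many independent tells co-occur; one word alone never blocks."""
    score, reasons = 0, []
    for pattern, flags, weight, why in indicators:
        if re.search(pattern, text, flags):
            score += weight
            reasons.append(why)
    return score, reasons


def verdict(text):
    score, reasons = scam_score(text)
    return ("quarantine" if score >= THRESHOLD else "deliver"), score, reasons


if __name__ == "__main__":
    for name, msg in [("scam", SCAM), ("legit-substring", LEGIT_SUBSTRING),
                      ("legit-word", LEGIT_WORD)]:
        print(name, "naive:", naive_blocked(msg), "word:", word_blocked(msg),
              "verdict:", verdict(msg))
```

The reasons list returned by `verdict` is as important as the decision: a quarantined message can be explained to the user, and a false positive can be traced to the one indicator that needs re-weighting rather than to an opaque banned word.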


Monday, November 02, 2009

Blogging policies

A set of policies, presented as checklists or guidelines for employees, explains typical rules for employees who use blogs or other social media:
"The Disclosure Best Practices Toolkit is a draft series of checklists to help companies, their employees, and their agencies learn the appropriate and transparent ways to interact with blogs, bloggers, and the people who interact with them.

We believe in the principles of transparency and openness, and this document is a way of making this real on the inside. Our goal is not to create or propose new industry standards or rules. These checklists are open source training tools designed to help educate the hundreds or thousands of employees in any large corporation the appropriate ways to interact with the social media community."

The authors evidently have a bee in their bonnet about people disclosing any pecuniary interest in the matters on which they are writing. If the checklists are adapted to become corporate policies, management may wish to be crystal clear about the limits on employees discussing the organization, its products, customers or related matters in any public forum (including all social media), particularly if all such pronouncements should normally be explicitly sanctioned by Public Relations, Legal, Marketing or other interested parties.

Note: this may be just as much an issue for employees (or indeed contractors, consultants and others) blogging 'in their own time' as for those blogging at work.


Friday, October 30, 2009

Blogging policy

The CBC Blogging Manifesto is not unlike a skeleton corporate policy about blogging by employees. Even in this succinct original form, it would be an interesting advisory or discussion piece for your intranet Security Zone.
