Wednesday, April 28, 2010

This blog has moved


This blog is now located at http://blog.noticebored.com/.
You will be automatically redirected in 30 seconds, or you may click here.

For feed subscribers, please update your feed subscriptions to
http://blog.noticebored.com/feeds/posts/default.


Tuesday, April 20, 2010

Australian govt security awareness criticized

A newly published report from the Australian National Audit Office into information security awareness and training for Australian government agencies is somewhat ambiguous in tone. The ANAO has previously recommended that agencies "develop and schedule periodic education and awareness programs for non-security personnel addressing agency security standards", "develop a structured and proactive security awareness education and training strategy" or "promote security aftercare arrangements in security education and training activities" - in other words, they have clearly been advised to sharpen up their act in this area. The latest report says:
"Overall, the audit concluded that the security awareness and training arrangements at the audited organisations were generally adequate and operating as intended. Nevertheless, there is considerable scope to enhance the effectiveness of the organisations’ security awareness and training programs. The main areas for improvement relate to more thoughtful planning, including tailoring the approaches used in light of the organisations’ security risk profiles, and better monitoring to help identify security awareness techniques that are not effective or working well. In addition, the audited organisations would benefit from improved record keeping to assist them manage the timely delivery of, and attendance at, security awareness training."
So although they are 'generally adequate', the security awareness and training arrangements evidently need better planning, monitoring and record-keeping. Only one of the four agencies audited had an actual awareness and training plan - the rest presumably make it up as they go along.

The report continues: "none of the organisations had any training or briefings targeted at the roles and responsibilities of security cleared staff". I find this somewhat hard to believe. Security cleared staff presumably handle protectively marked information, systems etc., but despite the clearances, their obligations towards protecting those information assets are not spelled out to them? Seems odd. It's not as if the requirements are undefined - the government's Protective Security Manual surely lays out the most important aspects in black and white.

"None of the audited organisations had regular and structured processes in place to assess the impact and success (or otherwise) of their security awareness and training activities." So the agencies are investing an unknown but presumably significant amount in security awareness and training but not bothering to see whether all this public money is well spent?

This is hardly rocket science. Awareness and training strategies, plans and metrics are straightforward enough, aren't they?

Oh well, perhaps we can anticipate sales enquiries from our Australian colleagues. We'd love to help them with planning, delivering and measuring best practice awareness and training programs ...


Friday, April 16, 2010

Webcam home security system

A burglar who stole stuff from an NZ home was snapped by the owner's webcam, which had been set to monitor the scene for movement. When triggered, the camera sent still images to the owner by email, alerting him to the burglary in progress. Unfortunately the police arrived just too late to nab the intruder, but his face is quite clearly recorded for posterity ...

The news cutting says the owner used software called "Motion", possibly this package which is promoted on the strength of its use for home security monitoring - CCTV on the cheap.


Thursday, April 15, 2010

DNSsec pros and cons

A somewhat self-contradictory piece in The Register regarding DNSsec was pointed out to me by a fellow CISSP. The way the Internet root DNS servers work is going to change soon - essentially after May 5th, they will only respond to DNS queries that have been digitally signed using the DNSsec protocol. Until then, I believe DNSsec is running on some of the root servers, allowing organizations to try out their software and get any wrinkles sorted out.

Kevin Murphy, the Register's columnist, indicates that some ISPs or large organizations running old software without the facility for DNSsec may thereafter be unable to make DNS queries, which may be true but seems rather unlikely to be such a problem as he implies. As I understand it, DNSsec has been around for years, implying that ISPs etc. who have not updated their software probably have other more serious security problems. On top of that, end users (like me!) are not tied to their ISP's DNS offerings. Personally, I have used both OpenDNS and the faster Google DNS successfully for years, particularly as my ISP's DNS had trouble resolving the very useful SANS Internet Storm Center address for some obscure reason.

Anyway, your ISP and/or your IT Department should be well on top of this by now, but for the sake of availability, it might be worth double-checking.
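As an added example of the double-check suggested above (this is not code from the original post), the following POSIX shell script classifies a resolver from two `dig +dnssec` outputs: a validating resolver sets the AD (authenticated data) flag on a correctly signed answer and returns SERVFAIL for a zone whose signatures are deliberately broken. The resolver address 8.8.8.8, the name example.com and the test zone dnssec-failed.org in the usage comment are assumptions; the sample dig output embedded in the script is constructed so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the original post: is my resolver validating DNSSEC?
# A validating resolver should (1) set the AD flag on a correctly signed answer and
# (2) answer SERVFAIL for a zone whose signatures are deliberately broken.

# dig_flags_have_ad: reads dig output on stdin; succeeds if the AD flag is present.
dig_flags_have_ad() {
  grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# dig_status: reads dig output on stdin; prints the status word (NOERROR, SERVFAIL, ...).
dig_status() {
  sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_resolver GOOD_OUTPUT BAD_OUTPUT
#   GOOD_OUTPUT: dig output for a correctly signed name
#   BAD_OUTPUT:  dig output for a deliberately broken zone
# Prints: validating | ad-but-no-servfail | not-validating
classify_resolver() {
  good_out=$1
  bad_out=$2
  if printf '%s\n' "$good_out" | dig_flags_have_ad &&
     [ "$(printf '%s\n' "$bad_out" | dig_status)" = "SERVFAIL" ]; then
    echo validating
  elif printf '%s\n' "$good_out" | dig_flags_have_ad; then
    # AD is set, yet bogus data is still returned: worth investigating
    echo ad-but-no-servfail
  else
    echo not-validating
  fi
}

# Live use (needs network and dig; resolver and names are assumptions):
#   classify_resolver "$(dig +dnssec @8.8.8.8 example.com A)" \
#                     "$(dig +dnssec @8.8.8.8 dnssec-failed.org A)"

# Constructed sample dig header lines for offline demonstration.
SAMPLE_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9999
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Offline demonstration: a validating resolver versus one that never validates.
classify_resolver "$SAMPLE_GOOD" "$SAMPLE_BAD"     # validating
classify_resolver "$SAMPLE_PLAIN" "$SAMPLE_PLAIN"  # not-validating
```

Both checks matter: a resolver that merely forwards the AD bit from upstream can look "validating" on the first test alone, which is why the script also insists on SERVFAIL for the broken zone.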


Wednesday, March 31, 2010

Inside GCHQ

Fascinating BBC report on GCHQ, the UK Government Communications HQ - "GCHQ: Cracking the Code".

There's a nod to Bletchley Park's work cracking Enigma in WWII.

Clifford Cocks talks about inventing PKI "overnight".

GCHQ employees talk enthusiastically about the buzz their work gives them and the 'culture of security' which extends to home life, avoiding any specifics of course.

The reporter and guides describe the 10,000 square metres of computer halls in the centre of the donut, and their dependence on cooling water ...

They mention monitoring Web 2.0, VOIP and other Internet comms globally, and the need to adapt quickly to agile targets exploiting new security technologies and constantly watching for new exploits.

The ethics of snooping/spying and the inevitable privacy compromises that entails get a good mention: the very fact that the program was produced at all is surely a positive sign of GCHQ management and indeed the British government's intent to be more open.

GCHQ people are now 'embedded' with military units deployed around the world, sharing intelligence (no doubt in both directions).

Bonus marks for picking out all the other physical security controls mentioned throughout the programme, and for spotting the social engineering potential of a program like this, no matter how carefully produced and edited.


Tuesday, March 23, 2010

Novel money mule scam

Here's a scam I've not seen before, received by email:

Hello, My name is Raphael Scott I would be in your country for a seven days business meeting with 10 people. Do you have any vehicle or vehicles we could use during the period of our stay. The vehicle(s) would needed during on the following dates: ARRIVAL DATE: 23TH APRIL 2010 DEPARTURE DATE: 30TH APRIL 2010 Remember our movement basically from airport to hotel and venue conference, about 20 miles within the vicinity. Your duty is only to arrange vehicles and drivers that will contain 10 people for seven days. We would be happy if you could provide us with any of the following 2 mini buses , 2 sedans, 8 to 16 cheater bus or a Limousine. Let know a quote or estimate for the seven days. We would need the car with a driver. I would send a deposit via credit card details as soon as this booking is confirmed. I hope you do accept credit cards? Kindly email me if you have availability on those dates, also tell me the area you operate in your country. Kindly confirm this booking with the vehicle details and total cost for the 7 days. Best Regards Raphael Scott 28 Montague Street London WC2B 5BP +447011196388

I presume the intention is to get victims to launder credit card payments, as money mules, in much the same way as those lame requests along the lines of "I want to buy your products. Do you take credit cards? Please send me your prices ...".

I feel a bit sorry for those who fall for this kind of nonsense, but on the other hand some of them are just greedy and must surely know this is not legit.

Steer well clear.


Saturday, March 20, 2010

Malawareness

Malware, an old favorite, is the security awareness topic for this month's NoticeBored module. One of the issues noted in the awareness materials is that of user PCs picking up infections simply by visiting infectious websites ... like for example a 'bargain shopping' site in Australia that had evidently been exploited by hackers. According to the news report, certain browsers warned users when they visited the site and hopefully, if the users were aware enough to take note of the warnings and not override the technical controls, that would have significantly reduced the risk of being infected. On top of that, the malware was probably recognized by normal antivirus software, further reducing the risk. However, unaware users without these controls may well have drawn the short straw, and to make matters worse they may still be blissfully ignorant of the infection.


Saturday, February 27, 2010

Awareness value of a US data center incident

Consonus, a US data-center/co-location facility provider that prides itself on its "highly secure and reliable data centers", suffered a rather embarrassing physical security incident at one of its data centers on Saturday February 20th. An email from the Consonus data center manager to his customers indicates that an Inergen automated fire suppression system was accidentally triggered during a routine 6-monthly inspection of the fire system. This incident somehow damaged a large number of disks in the facility - I understand from other less reliable sources that as many as five hundred disks may have bitten the dust. Oops.

The point of this blog posting is not to poke fun at Consonus, who have clearly invested heavily in state-of-the-art controls and appear to have a comprehensive approach to information security, but rather to indicate that control failure remains a risk that we should all consider, no matter how strong we believe our controls may be.

In this incident, disk damage was evidently not the anticipated result of triggering the fire suppression system. It was an unforeseen risk, exactly the kind of thing that contingency planning is designed to mitigate. I wonder how many of Consonus' customers either buy its optional disaster recovery and data protection (evidently meaning backup and archival) services, or have their own contingency controls in place, or didn't but now wish they did ...

At the same time, this incident is probably not generating the kind of publicity that Consonus would welcome (although there's truth in the saying that there's no such thing as bad publicity!). I wonder if their customer services team has its own contingency plan for this kind of event?

This unfortunate incident would form the basis of an excellent case study for security awareness purposes, but it's far from isolated. The truth is that unpredictable and costly information security incidents happen more often than most people realize [and here I'm talking in general terms, explicitly not referring to Consonus!]. In the course of my career, I have seen many and, I'm ashamed to admit, been personally involved in a few.

Investing in high availability technologies and strong security measures still cannot guarantee that essential IT services will be 100% available under all circumstances. Testing the fire system 'outside normal office hours' reduces but does not eliminate the risks. Siting IT facilities above the anticipated '100-year flood level' is merely gazing into some weather man's crystal balls. 'Uninterruptible power supply' is an oxymoron.

Even if information security is truly taken to heart by an enlightened senior management, as IT technologies and services get ever more complex, some types of coincident or catastrophic failure (including those caused by the very security controls we are implementing) become more not less likely.

Contingency planning depends on contingency thinking, which starts with someone posing the inevitable "What if ...?". There's a fine art to getting managers to suspend their rather charming but somewhat dubious trust in technology just long enough to consider what might happen if things don't in fact work perfectly, while at the same time not going so far as to be accused of just spreading FUD or constantly crying wolf (which is where classic "worst case scenarios" can easily lead). This is exactly the area where security awareness really helps in that it aligns information security and business thinking, focusing everyone on the risks and controls with the benefit of knowledge of what can, and indeed does, go wrong in similar situations elsewhere.

And that's why case studies make such good awareness tools. Better to learn from other people's misfortunes than to suffer them yourself.


Sunday, January 31, 2010

Cracking encrypted VOIP?

Taken at face value, a claim to have cracked voice encryption programs in minutes sounds pretty melodramatic, when in fact it appears the hacker has merely intercepted the 'plaintext' (plainvoice? Plainaudio? Plaingab?) en route to/from the encryption software at the client end, using a Trojan. The same kind of trick would probably work against most encryption systems unless they physically and logically secure the plaintext streams.


Cryptography in the dock

As if to mark the release of our latest security awareness module on cryptography*, Stephen Murdoch and Ross Anderson of Cambridge University have released a highly critical report into the security of the Verified by Visa and MasterCard SecureCode authentication systems. True to one of the central messages in the awareness materials, their main complaints revolve not around the cryptography per se, but rather around the implementation. It seems the banks, credit card companies, merchants and service providers have failed to pay sufficient attention to the poor human beings who use the system. Human factors significantly weaken a design that probably looks great on paper.

* Not so, of course, it was purely a coincidence.


Thursday, January 21, 2010

ISO27k application security standard

An ISO/IEC 27000-series multi-part standard on application security is 'in the works'.

I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts" which lays out the basic concepts and principles for other parts of 27034 to elaborate upon.

Despite this overview section being around 78 pages in length, part 1 states explicitly that 27034 is not a software application development standard, an application project management standard, nor a software development cycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas.

The standard explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance, it defines application security not as the state of security of an application system but as "a process an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them".

The draft standard draws on concepts such as auditing and certification of application systems, similar in style to the Common Criteria and similar schemes primarily used for government and military systems. It tends to emphasize deliberate threats arising from external adversaries over those from insiders and, perhaps more importantly in many situations, over accidental threats, and hence over the need for integrity and availability controls.

The standard is not projected to be released until 2012 - such is the glacially slow pace of ISO/IEC. The upside, though, is that the final product will - we hope - be well worth the wait.


Sunday, January 17, 2010

Making money from the Haitian quake

I can barely believe the cheek of this email that plopped into my inbox today:
HELP HAITI LONDON
13 Liverpool Road,
Islington, London,
N1 0RW

Dear.Friend

On Tuesday, a catastrophic earthquake struck near Port-au-Prince almost the whole of Haiti. The full extent of the damage is still being assessed, but the death toll -- already in the thousands -- is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Haiti is racing to confront the enormous devastation -- and the OFA community can help.
Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

we have directed this means of contact individuals to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They're providing food, water, and sanitation supplies, saving lives and helping Haitians,please your help is also needed

Despite the fact that we are experiencing tough financial times now we encourage those who can to reach out and help. It's in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

PLEASE FOR NOW YOU CAN SEND YOUR DONATIONS BY WESTERN UNION TO OUR HELP HAITI LONDON CORDINATIOR ANN BROWN WITH THE BELOW INFORMATION,NO AMOUNT ITS TOO SMALL HELP AND GOD WILL BLESS YOU!!

Receiver:Ann Brown
Location:London Uk
Email: helphaitinow@consultant.com
send her all related information or call john on +447031842276

Please if you make any donation send us the following informations for reference .
1) Your full name:

2) Sex:

3) Age:

4) Occupation:

5) Mobile / Telephone Number:

6) Country:

6) Nationality:

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

David Cole

Just in case you missed the rather obvious signs of a 419 scam such as the rotten grammar and spellings and other inconsistencies, there's a completely unnecessary request for personal information to cap it all off.

Scumbags.
