<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-11075299</id><updated>2010-01-31T16:33:45.606+13:00</updated><title type='text'>NoticeBored blog</title><subtitle type='html'>Information security news and hot links from NoticeBored, the creative information security awareness service.</subtitle><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default?start-index=26&amp;max-results=25'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.noticebored.com/blog/atom.xml'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>789</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-11075299.post-4540392007604613943</id><published>2010-01-31T16:29:00.003+13:00</published><updated>2010-01-31T16:33:45.614+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Confidentiality'/><category scheme='http://www.blogger.com/atom/ns#' term='Crypto'/><category scheme='http://www.blogger.com/atom/ns#' term='Physical'/><title type='text'>Cracking encrypted VOIP?</title><content type='html'>Taken at face value, a claim to have &lt;a 
href="http://news.techworld.com/security/3211263/leading-voice-encryption-programs-hacked-in-minutes/"&gt;cracked voice encryption programs in minutes&lt;/a&gt; sounds pretty melodramatic, when in fact it appears the hacker has merely intercepted the 'plaintext' (plainvoice? Plainaudio?  Plaingab?) en route to/from the encryption software at the client end, using a Trojan.  The same kind of trick would probably work against most encryption systems unless they physically and logically secure the plaintext streams.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-4540392007604613943?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.techworld.com/security/3211263/leading-voice-encryption-programs-hacked-in-minutes/' title='Cracking encrypted VOIP?'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/4540392007604613943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=4540392007604613943' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4540392007604613943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4540392007604613943'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2010/01/cracking-encrypted-voip.html' title='Cracking encrypted VOIP?'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-9187175826895743248</id><published>2010-01-31T14:25:00.002+13:00</published><updated>2010-01-31T14:34:20.109+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='Crypto'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Cryptography in the dock</title><content type='html'>As if to mark the release of our latest &lt;a href="http://www.noticebored.com/html/this_month.html"&gt;security awareness module on cryptography&lt;/a&gt;*, Stephen Murdoch and Ross Anderson of Cambridge University have released a &lt;a href="http://www.cl.cam.ac.uk/%7Erja14/Papers/fc10vbvsecurecode.pdf"&gt;highly critical report&lt;/a&gt; into the security of the Verified by Visa and MasterCard SecureCode authentication systems.  True to one of the central messages in the awareness materials, their main complaints revolve not around the cryptography, per se, but rather the implementation.  It seems the banks, credit card companies, merchants and service providers have failed to pay sufficient attention to the poor human beings who use the system.  Human factors significantly weaken a design that probably looks great on paper. 
&lt;br /&gt;&lt;br /&gt;* Not so, of course, it was purely a coincidence.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-9187175826895743248?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf' title='Cryptography in the dock'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/9187175826895743248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=9187175826895743248' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/9187175826895743248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/9187175826895743248'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2010/01/cryptography-in-dock.html' title='Cryptography in the dock'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-4056959686618086485</id><published>2010-01-21T08:30:00.003+13:00</published><updated>2010-01-21T10:14:50.677+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISO27000'/><category scheme='http://www.blogger.com/atom/ns#' term='Development'/><title type='text'>ISO27k application security standard</title><content type='html'>An ISO/IEC 27000-series multi-part standard on application security is 'in the works'. 
&lt;br /&gt;&lt;br /&gt;I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts" which lays out the basic concepts and principles for other parts of 27034 to elaborate upon.&lt;br /&gt;&lt;br /&gt;Despite this overview section being around 78 pages in length, part 1 states explicitly that 27034 is &lt;span style="font-style: italic;"&gt;not&lt;/span&gt; a software application development standard, an application project management standard, nor a software development cycle standard.  Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas. &lt;br /&gt;&lt;br /&gt;The standard explicitly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems.  For instance it defines application security not as the state of security of an application system but as "a process an organization can perform for applying controls and measurements to its applications in order to manage the risk of using them".&lt;br /&gt;&lt;br /&gt;The draft standard draws on concepts such as auditing and certification of application systems similar in style to the Common Criteria and similar schemes primarily used for government and military systems.  It tends to emphasize deliberate threats arising from external adversaries over those from insiders and, perhaps more importantly in many situations, accidental threats, and hence the need for integrity and availability controls.&lt;br /&gt;&lt;br /&gt;The standard is not projected to be released until 2012 - such is the glacially slow pace of ISO/IEC.  
The upside, though, is that the final product will - we hope - be well worth the wait.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-4056959686618086485?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.iso27001security.com/html/27034.html' title='ISO27k application security standard'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/4056959686618086485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=4056959686618086485' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4056959686618086485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4056959686618086485'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2010/01/iso27k-application-security-standard.html' title='ISO27k application security standard'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-3019017028712590968</id><published>2010-01-17T20:27:00.004+13:00</published><updated>2010-01-17T20:46:57.113+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Making money from the Haitian quake</title><content type='html'>I can barely believe the cheek of this email that plopped into my inbox today:&lt;br /&gt;&lt;blockquote&gt;HELP 
HAITI LONDON&lt;br /&gt;13 Liverpool Road,&lt;br /&gt;Islington, London,&lt;br /&gt;N1 0RW&lt;br /&gt;&lt;br /&gt;Dear.Friend&lt;br /&gt;&lt;br /&gt;On Tuesday, a catastrophic earthquake struck near Port-au-Prince almost the whole of Haiti. The full extent of the damage is still being assessed, but the death toll -- already in the thousands -- is climbing fast.&lt;br /&gt;&lt;br /&gt;This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.&lt;br /&gt;&lt;br /&gt;Haiti is racing to confront the enormous devastation -- and the OFA community can help.&lt;br /&gt;Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.&lt;br /&gt;&lt;br /&gt;we have directed this means of contact individuals to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They're providing food, water, and sanitation supplies, saving lives and helping Haitians,please your help is also needed&lt;br /&gt;&lt;br /&gt;Despite the fact that we are experiencing tough financial times now we encourage those who can to reach out and help. 
It's in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.&lt;br /&gt;&lt;br /&gt;PLEASE FOR NOW YOU CAN SEND YOUR DONATIONS BY WESTERN UNION TO OUR HELP HAITI LONDON CORDINATIOR ANN BROWN WITH THE BELOW INFORMATION,NO AMOUNT ITS TOO SMALL HELP AND GOD WILL BLESS YOU!!&lt;br /&gt;&lt;br /&gt;Receiver:Ann Brown&lt;br /&gt;Location:London Uk&lt;br /&gt;Email: helphaitinow@consultant.com&lt;br /&gt;send her all related information or call john on +447031842276&lt;br /&gt;&lt;br /&gt;Please if you make any donation send us the following informations for reference .&lt;br /&gt;1) Your full name:&lt;br /&gt;&lt;br /&gt;2) Sex:&lt;br /&gt;&lt;br /&gt;3) Age:&lt;br /&gt;&lt;br /&gt;4) Occupation:&lt;br /&gt;&lt;br /&gt;5) Mobile / Telephone Number:&lt;br /&gt;&lt;br /&gt;6) Country:&lt;br /&gt;&lt;br /&gt;6) Nationality:&lt;br /&gt;&lt;br /&gt;As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.&lt;br /&gt;&lt;br /&gt;Thank you,&lt;br /&gt;&lt;br /&gt;David Cole &lt;br /&gt;&lt;/blockquote&gt;Just in case you missed the rather obvious signs of a 419 scam such as the rotten grammar and spellings and other inconsistencies, there's a completely unnecessary request for personal information to cap it all off.&lt;br /&gt;&lt;br /&gt;Scumbags.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-3019017028712590968?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://scamwarners.com' title='Making money from the Haitian quake'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/3019017028712590968/comments/default' 
title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=3019017028712590968' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/3019017028712590968'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/3019017028712590968'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2010/01/making-money-from-haitian-quake.html' title='Making money from the Haitian quake'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-8299353178285111199</id><published>2010-01-11T09:49:00.003+13:00</published><updated>2010-01-11T10:08:03.255+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Privacy/security awareness</title><content type='html'>A report from Government Technology caught my eye this morning: &lt;a href="http://www.govtech.com/gt/articles/736410"&gt;CSI Computer Crime and Security Survey Shows Poor Security Awareness Training in Public and Private Sectors.&lt;/a&gt;  "Mmmm, looks interesting" I thought, especially when I saw this:&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;"But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. 
A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.&lt;/p&gt; &lt;p&gt;"I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said.&lt;/p&gt; &lt;p&gt;Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well."&lt;/p&gt;&lt;/blockquote&gt;So, less than 60% of organizations surveyed spend at least 1% of their 'security budget' (whatever that means) on 'awareness training' (whatever that means also).  I can't say I'm surprised by that but I'd like to know more and check the original source for details.&lt;br /&gt;&lt;br /&gt;The GovTech report didn't include a link to the survey, merely a link to the &lt;a href="http://www.gocsi.com/"&gt;CSI website&lt;/a&gt;.  There's an obvious link to the &lt;a href="http://www.gocsi.com/2009survey/"&gt;survey&lt;/a&gt; on CSI's home page, but Houston we have a problem: it seems the only way to obtain the survey is either to purchase membership of CSI, for over US$200, or obtain a 'free preview' of the report ... which requires me to enter a bunch of personal information.&lt;br /&gt;&lt;br /&gt;If, as the GovTech article suggests, there really is a problem with security awareness, it seems rather ironic that the CSI report is not freely available to all without invading our privacy.  The report sounds like it might be useful from an awareness perspective but not at that price.&lt;br /&gt;&lt;br /&gt;Similar surveys are freely available from many other organizations.  
Guess I can live without CSI's.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-8299353178285111199?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.govtech.com/gt/articles/736410' title='Privacy/security awareness'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/8299353178285111199/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=8299353178285111199' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/8299353178285111199'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/8299353178285111199'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2010/01/privacysecurity-awareness.html' title='Privacy/security awareness'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-1566984324021670699</id><published>2010-01-05T16:35:00.004+13:00</published><updated>2010-01-05T16:57:29.048+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Confidentiality'/><category scheme='http://www.blogger.com/atom/ns#' term='Development'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Secure software development</title><content type='html'>In connection with &lt;a 
href="http://www.noticebored.com/html/this_month.html"&gt;this month's NoticeBored awareness materials on the security aspects of software development&lt;/a&gt;, I've been listening to a &lt;a href="http://www.cert.org/podcast/mp3/2/20091222hood-full.mp3"&gt;podcast by Ralph Hood and   Kim Howell&lt;/a&gt; (two Microsofties) about how both privacy and wider information security issues are integrated into Microsoft's development practices.&lt;br /&gt;&lt;br /&gt;From a non-US perspective, the very idea that privacy and security are "opposite sides of the same coin" seems a little weird.  For most of the rest of the world, privacy has long been acknowledged as a &lt;span style="font-style: italic;"&gt;subset&lt;/span&gt; of information security, being essentially the confidentiality of information about specific individuals.  But, as host Julia Allen mentions in the podcast, the US is still shifting from the idea that it's perfectly OK to collect all sorts of personal information from people and use it as you wish.&lt;br /&gt;&lt;br /&gt;One of the interesting approaches discussed in the podcast is that personal information needed purely for aggregation or statistical purposes should be collected and held only temporarily, then deleted as soon as possible.  Personal information in server logs, for example, may be parsed out, analyzed and deleted by a regular process.  While this would make &lt;span style="font-style: italic;"&gt;post-hoc &lt;/span&gt;validation of the data difficult, this slight drawback is outweighed by the privacy advantages for those who supply their information.&lt;br /&gt;&lt;br /&gt;The podcast is one of the excellent &lt;a href="http://www.cert.org/podcast/"&gt;Security for business leaders series&lt;/a&gt; by CERT at Carnegie Mellon University.  
An impressive range of podcasts is available to download.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-1566984324021670699?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.cert.org/podcast/mp3/2/20091222hood-full.mp3' title='Secure software development'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/1566984324021670699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=1566984324021670699' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/1566984324021670699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/1566984324021670699'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2010/01/secure-software-development.html' title='Secure software development'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-7376819961233085246</id><published>2009-12-10T15:32:00.004+13:00</published><updated>2009-12-10T22:51:34.069+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Security awareness research</title><content type='html'>Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities.  
The research was mentored by Professor Mikko Siponen, leader of Oulu University's &lt;a href="http://issrc.oulu.fi/about/"&gt;Information Systems Security Research Center&lt;/a&gt; in Finland.  The thesis, "&lt;a href="http://herkules.oulu.fi/isbn9514281144/isbn9514281144.pdf"&gt;A design theory for information security awareness&lt;/a&gt;" by Petri Puhakainen is well written.  As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions.&lt;br /&gt;&lt;br /&gt;The thesis uses cognitive theories on how learning and behavioural changes are understood to occur to evaluate common awareness practices.  For example, "Communication is presented as a continuous process where the parties should take turns and create information to be shared, interpreted, and reinterpreted until a sufficient degree of mutual understanding and agreement is achieved to enable collective action. The outcomes of the communication process are social (mutual understanding, agreement, and collective action) and individual (perceiving, interpreting, understanding, and believing)." (page 78).&lt;br /&gt;&lt;br /&gt;As I read it, Petri (in common with many others in this field) often confuses 'awareness' with 'training', for example discussing a research case involving quite narrow training on the use of encryption for confidential email as a security awareness exercise.  To my mind, awareness is intended to achieve a generalized appreciation or understanding of information security throughout the enterprise as a whole, while training is intended to focus on a specific problem area or development need for specific individuals or teams.  
Awareness aims to change employees' behaviour in quite subtle but broad ways (cultural development), while training aims to change employees' behaviour more overtly under quite specific circumstances (personal development).  These are quite distinct aims that are usually satisfied by different teaching/training and motivational/awareness methods. &lt;br /&gt;&lt;br /&gt;By stating "At least in large organizations, it is not possible to aim at mutual understanding by engaging all employees in the conversation process.  Such approach would be expensive and slow, making [it] unfeasible." (also on page 78), Petri arguably misunderstands the value of broad-based enterprise-wide security awareness programs that inform and engage employees throughout the corporation but without the expense normally associated with classroom training sessions.&lt;br /&gt;&lt;br /&gt;All arguments aside, the previous two paragraphs hint at the value of reading Petri's thesis in depth, exploring the many embedded references and thinking critically about what the author presents.  As an information security professional with more than two decades' experience and a penchant for both academic and pragmatic writings on the subject, I'm delighted to have learnt new things and found useful new references in the thesis.  
Good job Petri!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-7376819961233085246?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://herkules.oulu.fi/isbn9514281144/isbn9514281144.pdf' title='Security awareness research'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/7376819961233085246/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=7376819961233085246' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/7376819961233085246'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/7376819961233085246'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/12/security-awareness-research.html' title='Security awareness research'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-3790333083574221518</id><published>2009-11-12T19:13:00.003+13:00</published><updated>2009-11-12T19:20:00.166+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Authentication'/><category scheme='http://www.blogger.com/atom/ns#' term='Social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><title type='text'>419 phisher mash-up</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://www.noticebored.com/blog/uploaded_images/419-phisher-mashup-736736.gif"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 327px; height: 400px;" src="http://www.noticebored.com/blog/uploaded_images/419-phisher-mashup-736733.gif" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Well here's a new take on an old scam - well possibly two old scams in one as it has elements of both 419 advance fee fraud and phishing about it (click on the email screenshot to see it in its full glory - I added the red highlighting).&lt;br /&gt;&lt;br /&gt;I must say I have never before had scammers offering to send me my own "account online log in and password".  What's the betting there is a small charge to release the information?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-3790333083574221518?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.rbs.co.uk/global/f/security.ashx' title='419 phisher mash-up'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/3790333083574221518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=3790333083574221518' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/3790333083574221518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/3790333083574221518'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/11/419-phisher-mash-up.html' title='419 phisher mash-up'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' 
value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-59245076392781151</id><published>2009-11-07T21:03:00.007+13:00</published><updated>2009-11-07T21:36:01.963+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Cheapskate copycat 419 scammers</title><content type='html'>The following extraordinary sentence launched yet another tedious social engineering 419 scam in my spam box:&lt;br /&gt;&lt;br /&gt;"Take notice that based on the UNITED NATIONS government inauguration of this committee which extended to all countries which combined with the United Nation Anti-crime commission to alleviate and redeem the image and past wounds of our dear citizens and foreign firms who were duped, defrauded, scammed and abandoned by some impostors who indiscriminately use the name of God, Office of governors, Presidency, Banks etc to slight down our dignities to international communities."&lt;br /&gt;&lt;br /&gt;Most 419ers are clearly one sandwich short of a picnic as all they seem to do is replay the same old scams over and over.  The 'clever' ones add daft little elaborations and the rest duly plagiarise them without actually understanding how dumb they end up sounding.&lt;br /&gt;&lt;br /&gt;This cretin continued: "Many banks have been in bankruptcy today, Universal firms, Companies due to the activity of these hoodlums. 
However, investigation have shown that these people have dropped over 500,000 clients after collecting their money, many committed suicide and others living by the grace of God,"  [that comma ended the paragraph].&lt;br /&gt;&lt;br /&gt;By the third paragraph, the bizarre language had actually become quite entertaining: "Meanwhile, we have a committee whose duties are to re-commend [&lt;span style="font-style: italic;"&gt;sic&lt;/span&gt;] genuine contractors, loan bidders, next of kin (inheritance payment), foreign firms who have completed all the U.S government normal payment requirements but abandoned due to take over of some sacked officials who take Government papers to collect money and leave the beneficiary half way."  He's obviously read far too many emails by his friends in the back-street Internet cafe, and mashed them all together in his tiny pin-head, as if that somehow enhances the magic.&lt;br /&gt;&lt;br /&gt;After a boring fourth paragraph, we discover that his CAPS-LOCK key is evidently sticking: "We also have endorsed your payment to FALCON BANK TO PAY YOU THROUGH A DIPLOMATIC COURIER SERVICE without prejudice and will need a confirmation of all your communication until you finally receive your money so as to investigate more so to find out more facts on this issues, it will be well appreciated if you can provide us some vital information on how you have been scammed. The U.N government is using this opportunity to compensate the entire victim who some have duped."&lt;br /&gt;&lt;br /&gt;The 'U.N Government'?!  Gosh, I must have missed &lt;span style="font-style: italic;"&gt;that &lt;/span&gt;election.  Silly me.&lt;br /&gt;&lt;br /&gt;"So you are advice to contact Mr. Felix De Lapaz to mail to you a certified check which can be cashed anywhere in the world and the amount is $250,000.00 U.S.D(TWO HUNDRED AND FIFTY THOUSAND UNITED STATES DOLLARS)."  
Now, just in case the rest of this tripe somehow escaped my beady and rather jaundiced eye, I clearly smell a very large malodorous rat as most of this cheapskate scammer's peers are offering me many MILLIONS (all in CAPS of course, spelt out for me word-by-word as if this somehow adds credibility to those crazy digits).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;After&lt;/span&gt; asking me to cough up a little personal information ("Please fill the following form for documentations:"), the numbskull ends with this: "As soon as you give him the following he will mail your compensation cheque to you. THIS IS PROUDLY SPONSORED BY "THE U.N CAMPAIGN TEAM AGAINST ONLINE SCAMS"."  So, this is a sponsored scam, eh?  I'm sorely tempted to write back to see if I can discover how he managed to secure such high-powered sponsorship ... but then I come to my senses and realise that bozos like this are simply not worth the electrons.&lt;br /&gt;&lt;br /&gt;Still, at least I got yet another entertaining case study out of it.  
And a wry smile.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-59245076392781151?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.419eater.com/' title='Cheapskate copycat 419 scammers'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/59245076392781151/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=59245076392781151' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/59245076392781151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/59245076392781151'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/11/cheapskate-copycat-419-scammers.html' title='Cheapskate copycat 419 scammers'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-965197484942957706</id><published>2009-11-04T09:27:00.001+13:00</published><updated>2009-11-04T09:30:25.425+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><title type='text'>Word-based email blacklisting</title><content type='html'>Using banned-word lists to block spam may be a simple and hence cheap control but it may be too crude or simplistic to work properly.  
Blocking emails with "teen" in them, for example, is perhaps not the smartest move made by New Zealand's &lt;a href="http://www.stuff.co.nz/technology/3028330/Teen-triggers-email-firewall"&gt;Social Development Ministry&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-965197484942957706?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.stuff.co.nz/technology/3028330/Teen-triggers-email-firewall' title='Word-based email blacklisting'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/965197484942957706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=965197484942957706' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/965197484942957706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/965197484942957706'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/11/word-based-email-blacklisting.html' title='Word-based email blacklisting'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-6877485691586706890</id><published>2009-11-02T15:50:00.005+13:00</published><updated>2009-11-02T16:00:31.163+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Blogging policies</title><content 
type='html'>A &lt;a href="http://www.socialmedia.org/wp-content/uploads/2009/07/SMBC-Disclosure-Best-Practices-Toolkit.docx"&gt;set of policies&lt;/a&gt;, presented as checklists or guidelines for employees, explains typical rules for employees who use blogs or other social media:&lt;br /&gt;&lt;blockquote&gt;"The Disclosure Best Practices Toolkit is a draft series of checklists to help companies, their employees, and their agencies learn the appropriate and transparent ways to interact with blogs, bloggers, and the people who interact with them. &lt;p&gt;We believe in the principles of transparency and openness, and this document is a way of making this real on the inside. Our goal is not to create or propose new industry standards or rules. These checklists are open source training tools designed to help educate the hundreds or thousands of employees in any large corporation the appropriate ways to interact with the social media community."&lt;/p&gt; &lt;/blockquote&gt;The authors evidently have a bee in their bonnet about people disclosing any pecuniary interest in the matters on which they are writing.  
If adapted to become corporate policies, management may wish to be crystal clear about the limits on employees discussing the organization, its products, customers or related matters in any public forum (including all social media), particularly if all such pronouncements should normally be explicitly sanctioned by Public Relations, Law, Marketing or other interested parties.&lt;br /&gt;&lt;br /&gt;Note: this may be just as much an issue for employees (or indeed contractors, consultants and others) blogging 'in their own time' as for those blogging at work.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-6877485691586706890?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.socialmedia.org/wp-content/uploads/2009/07/SMBC-Disclosure-Best-Practices-Toolkit.docx' title='Blogging policies'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/6877485691586706890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=6877485691586706890' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/6877485691586706890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/6877485691586706890'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/11/set-of-policies-presented-as-checklists.html' title='Blogging policies'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-5412713355639366888</id><published>2009-10-30T10:00:00.002+13:00</published><updated>2009-10-30T10:02:46.805+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Blogging policy</title><content type='html'>The &lt;a href="http://cbcmanifesto.blogspot.com/"&gt;CBC Blogging Manifesto&lt;/a&gt; is not unlike a skeleton corporate policy about blogging by employees.  Even in this succinct original form, it would be an interesting advisory or discussion piece for your intranet Security Zone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-5412713355639366888?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://cbcmanifesto.blogspot.com/' title='Blogging policy'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/5412713355639366888/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=5412713355639366888' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/5412713355639366888'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/5412713355639366888'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/10/blogging-policy.html' title='Blogging policy'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-4361851747326276395</id><published>2009-10-28T20:07:00.002+13:00</published><updated>2009-10-28T20:27:29.149+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>New NB module on social networking</title><content type='html'>Social networking has become extremely popular of late and is getting lots of coverage on new and traditional news media.  Given the fact that a great deal of network/Internet use and applications have traditionally been social in nature, this is hardly surprising: what is more surprising is that the media and technology pundits seem to feel that we need to have a special term for it.  Like most Internet and IT developments, it’s more evolution than revolution, and in fact more hype than substance in many cases.                 &lt;p style="text-align: justify;"&gt;Businesses are making use of interactive social media for corporate (primarily marketing) purposes.  While these applications are, at the moment, more projected than proven, it is undeniable that many enterprises are either openly examining social networking and so-called Web 2.0 technologies, or are facing covert use of these systems and technologies by rogue employees.  Either way, employees need to find out about the concerns and security dangers related to such use before landing themselves, their family, friends and colleagues, and maybe even their employers, in trouble.&lt;/p&gt;                 &lt;p style="text-align: justify;"&gt;Humans are social animals.  
Social networking websites such as MySpace, Facebook and Twitter, plus associated network applications, provide a conduit for social interaction by individuals, for example keeping in touch with family and friends, making new acquaintances and friends, and often publishing details of their normally private and personal activities on the Interwebnet.&lt;/p&gt;                 &lt;p style="text-align: justify;"&gt;The primary information security risks relating to social networking and social media can be classed as social engineering - the deliberate manipulation of vulnerable people in order to gain control over the information assets they own or have access to, and the use of information so obtained to deceive or manipulate others.  With systems and networks getting ever more complex, ordinary users are getting more and more remote from the underlying technologies, which opens them to new threats from hackers who know how to turn the technologies and processes to their advantage.&lt;/p&gt;                 &lt;p style="text-align: justify;"&gt;You can find out more about the information security risks associated with social networking in this month’s &lt;a href="http://www.noticebored.com/html/nbnewsletter.html"&gt;NoticeBored security awareness newsletter&lt;/a&gt;, and take a look at what's in store in the new awareness module &lt;a href="http://www.noticebored.com/html/this_month.html"&gt;here&lt;/a&gt;.                   
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-4361851747326276395?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.noticebored.com/html/this_month.html' title='New NB module on social networking'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/4361851747326276395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=4361851747326276395' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4361851747326276395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4361851747326276395'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/10/new-nb-module-on-social-networking.html' title='New NB module on social networking'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-6861761561966528</id><published>2009-10-15T07:44:00.003+13:00</published><updated>2009-10-15T07:51:50.348+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='ID theft'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><title type='text'>Yet another inept 419er</title><content type='html'>Some Nigerian thinks I was born yesterday:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: 
&lt;20091014171244.7474f21fec20@kunde.business-light.com&gt;&lt;br /&gt;Date: Wed, 14 Oct 2009 19:12:44 +0200 (CEST)&lt;br /&gt;&lt;br /&gt; From :The Honourable Officeof the Finance Minister.(FMF)In collabration with (CBN)Office.ATT : Honourable Contr(FMF/CBN) Payment Notification Update. In order to eradicate the fraudulent rampant extortion of money from contractors as transfer charges and taxes by non-exiting individuals and corrupt Government officials.I am obliged to reach you concerning the immediate payment of your fund by ATM Visa Card. Be- informed that this communication superside any other you must have had with any office in connection with your payment. Investgations reveal that you have paid some good money in the past as transfer charges and taxes which did not reflect in the bank treasury, that means officials concern have help themselves to the money at your own detriment. Now that your file has scaled their huddle and your file is on my table.I want to ensure the immediate payment of your fund by ATM Visa Card. You are thereby advise to re-confirm to me the following:Your full Name 2) Your Telephone and Fax number (3)Your receiving Address &amp;amp;Banking particulars. (4)Copy of your international passport. This is imperative to enable me confirm your informations and make my recommendations to Foreign Operation ATM Department of FMF for immediate payment of your fund by ATM Visa Card.Note:If your file returns to the cabinet without my recommendation you will end up not benefiting from the present batch of beneficiaries.PETER EZE,Minister Ministry of Finance FMFFederal Republic of Nigeria.Contact me via my private e-mail address;( petereze.eze@gmail.com) &lt;br /&gt;&lt;/blockquote&gt;The "non-exiting individuals" interest me but I'm not pleased my email address has "scaled their huddle", even if it does "superside" others.&lt;br /&gt;&lt;br /&gt;Give it a break you idiots.  
We're tired of all this spam.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-6861761561966528?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.ebolamonkeyman.com/You_Might_Be_Nigerian.html' title='Yet another inept 419er'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/6861761561966528/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=6861761561966528' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/6861761561966528'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/6861761561966528'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/10/yet-another-inept-419er.html' title='Yet another inept 419er'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-4529785727644097395</id><published>2009-09-03T08:42:00.004+12:00</published><updated>2009-09-03T08:58:51.276+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Infosec'/><title type='text'>Directions in Security Metrics Research</title><content type='html'>NISTIR 7564 "&lt;a href="http://csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf"&gt;Directions in Security Metrics Research&lt;/a&gt;" says:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Advancing the state of scientifically sound, security measures and metrics (i.e., a 
metrology for information system security) would greatly aid the design, implementation, and operation of secure information systems."&lt;/blockquote&gt;&lt;br /&gt;Hear hear!&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"... Enterprise-Level Security Metrics, was included in the most recent Hard Problem List prepared by the INFOSEC Research Council ..."&lt;br /&gt;&lt;/blockquote&gt;That I didn't know, but I totally agree: security metrics is indeed a Hard Problem.&lt;br /&gt;&lt;br /&gt;If you would like to metricate your ISMS, do take a look at NIST's new paper.  The main body is quite short at just 15 pages but covers a wide brief, drawing on metrication practices from other fields.  If you are eager to learn more, there are &lt;span style="font-style: italic;"&gt;six &lt;/span&gt;pages of references to deepen your knowledge still further.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-4529785727644097395?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf' title='Directions in Security Metrics Research'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/4529785727644097395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=4529785727644097395' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4529785727644097395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/4529785727644097395'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/09/directions-in-security-metrics-research.html' title='Directions in Security Metrics 
Research'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-8491187179354168526</id><published>2009-09-02T11:49:00.002+12:00</published><updated>2009-09-02T12:00:03.116+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>Locational privacy</title><content type='html'>The Electronic Freedom Foundation's paper on &lt;a href="http://www.eff.org/files/eff-locational-privacy.pdf"&gt;locational privacy&lt;/a&gt; explores the privacy issues relating to automatic road toll devices and similar systems that check the locations of users.  Such systems &lt;span style="font-style: italic;"&gt;can&lt;/span&gt; be designed to incorporate locational privacy controls but this increases their complexity and cost - the question is whether that's justified by the privacy benefits.&lt;br /&gt;&lt;br /&gt;It's also a moot point given that most of us already carry cellphones which can be tracked to a few city blocks or a few miles in open country.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-8491187179354168526?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.eff.org/files/eff-locational-privacy.pdf' title='Locational privacy'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/8491187179354168526/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=8491187179354168526' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/11075299/posts/default/8491187179354168526'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/8491187179354168526'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/09/locational-privacy.html' title='Locational privacy'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-2858499520511308697</id><published>2009-09-01T19:11:00.002+12:00</published><updated>2009-09-01T19:15:33.456+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>HSBC fined for not protecting customer confidentiality</title><content type='html'>&lt;div class="standfirst"&gt;&lt;p&gt;Info4security published news about HSBC's privacy lapses:&lt;/p&gt;&lt;p&gt;"The Financial Services Authority (FSA) has fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen ... During its investigation into the firms' data security systems and controls, the Financial Services Authority (FSA) found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets, and could easily have been lost or stolen. 
In addition, it was noted that members of staff had not been given sufficient training on how to identify and manage risks such as identity theft."&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.info4security.com/story.asp?sectioncode=10&amp;amp;storycode=4122757&amp;amp;c=1"&gt;Read the whole item here&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-2858499520511308697?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.info4security.com/story.asp?sectioncode=10&amp;storycode=4122757&amp;c=1' title='HSBC fined for not protecting customer confidentiality'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/2858499520511308697/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=2858499520511308697' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/2858499520511308697'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/2858499520511308697'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/09/hsbc-fined-for-not-protecting-customer.html' title='HSBC fined for not protecting customer confidentiality'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-7224157106119244627</id><published>2009-09-01T16:13:00.001+12:00</published><updated>2009-09-01T18:22:17.310+12:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>New security awareness module on privacy</title><content type='html'>Privacy is both a narrow, intensely personal issue relating to the individual, and a broad democratic principle relating to society at large.  It’s one of those things in life that perhaps we don’t truly appreciate until it’s gone – ask anyone who has suffered intrusive media coverage for instance, lost their identity to an identity thief, or had their medical, personnel or credit card data records “lost presumed stolen”.                   &lt;p style="text-align: justify;"&gt;A lay person might define personal information as “Details about someone that they would consider private.”  That definition may make perfect sense to you and me but is probably too subjective for the courts.  Personal information is defined more narrowly in the legislation, but annoyingly the definitions vary between countries.&lt;/p&gt;                 &lt;p style="text-align: justify;"&gt;Read more about what’s in &lt;a href="http://www.noticebored.com/html/this_month.html"&gt;September’s NoticeBored module&lt;/a&gt; and the free &lt;a href="http://www.noticebored.com/html/nbnewsletter.html"&gt;security awareness newsletter&lt;/a&gt;, or follow along with us on &lt;a href="http://www.twitter.com/NoticeBored" target="_blank"&gt;Twitter&lt;/a&gt; or our &lt;a href="http://blog.noticebored.com/" target="_blank"&gt;blog&lt;/a&gt; as we continue gathering links to interesting privacy news.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-7224157106119244627?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.noticebored.com/html/this_month.html' title='New security awareness module on privacy'/><link rel='replies' type='application/atom+xml' 
href='http://www.blogger.com/feeds/11075299/7224157106119244627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=7224157106119244627' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/7224157106119244627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/7224157106119244627'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/09/new-security-awareness-module-on.html' title='New security awareness module on privacy'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-6865808370078898290</id><published>2009-08-21T13:43:00.004+12:00</published><updated>2009-08-21T18:49:46.939+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Cradle-to-grave security awareness</title><content type='html'>&lt;div style="text-align: justify;"&gt;Today's release of &lt;a href="http://www.noticebored.com/html/induction_module.html"&gt;Information Security 101&lt;/a&gt; adds another valuable tool to the Information Security Manager's security awareness toolkit from IsecT Ltd.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.noticebored.com/html/induction_module.html"&gt;Information Security 101&lt;/a&gt; was formerly known as the Induction Module and that remains its primary purpose: facilitating security induction courses for new employee orientation.  
It provides a coherent and comprehensive set of foundation level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work.&lt;br /&gt;&lt;br /&gt;All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added.  &lt;a href="http://www.noticebored.com/html/induction_module.html"&gt;Information Security 101&lt;/a&gt; still provides three parallel 'streams' of materials addressing three audience groups with subtly different information needs and perspectives:&lt;br /&gt;&lt;/div&gt;&lt;ol style="text-align: justify;"&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;General employees or staff &lt;/span&gt;have broad responsibilities for information security and need to know the simple things such as choosing good passwords, running antivirus and backing up their data.  For them, security is an incidental aspect of their work and home life that most don't really consider without some conscious effort being made to make them aware;&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Managers&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;and Directors&lt;/span&gt; have specific governance and compliance obligations in respect of information security although they may not at first appreciate this.  They are invariably busy people, yet take an interest in high level security strategies, policies and so forth.  Getting managers on board with information security significantly improves the chances of the awareness program resonating with staff and ultimately being successful; &lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;IT professionals&lt;/span&gt; have an obvious interest in the more technical IT security controls. 
They are broadly expected to design, implement and operate most of the IT security controls on behalf of general IT users throughout the organization, yet it is not uncommon to find that IT pros have had limited exposure to even fundamental information security principles during their formal education, let alone leading security practices such as federated identity management and multifactor authentication.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div style="text-align: justify;"&gt;As well as its use for induction/orientation purposes, &lt;a href="http://www.noticebored.com/html/induction_module.html"&gt;Information Security 101&lt;/a&gt; gives extra value by helping organizations launch (or relaunch!) best-practice security awareness programs.  Bringing the whole employee base quickly up to speed on information security ensures that everyone has a firm grasp of the basics, preempting the regular security awareness activities that follow.   [For this reason, &lt;a href="http://www.noticebored.com/html/induction_module.html"&gt;Information Security 101&lt;/a&gt; is supplied free of charge to customers of our flagship product, &lt;a href="http://www.noticebored.com/html/about_noticebored.html"&gt;NoticeBored&lt;/a&gt; - a US$695 value.]&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.noticebored.com/html/about_noticebored.html"&gt;NoticeBored&lt;/a&gt; is a security awareness subscription service providing a fresh package of creative awareness materials on a different information security topic each month.  This innovative approach is designed to drive "rolling" or continuous-delivery awareness programs giving year-round coverage to a broad range of information security topics.  The NoticeBored materials also have three parallel streams covering the same three target audiences on relevant issues in familiar terms.  
The materials themselves are delivered as ordinary Microsoft Office files, making it easy for customers to customize or adapt the materials to suit their purposes.  Customers can reference their own information security policies and procedures, provide contact details for their Information Security, Physical Security, Legal, HR and Compliance people, and incorporate the NoticeBored materials into intranet websites and Learning Management Systems supporting information security throughout the organization.&lt;br /&gt;&lt;br /&gt;Other security awareness materials in the NoticeBored product family include:&lt;br /&gt;&lt;/div&gt;&lt;ul style="text-align: justify;"&gt;&lt;li&gt;The &lt;a href="http://www.noticebored.com/html/catalog.html"&gt;Back Catalog&lt;/a&gt;, a comprehensive library of awareness materials covering more than 30 information security topics - ideal to get your awareness program off to a flying start without having to wait for the monthly NoticeBored deliveries.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;A generic   &lt;a href="http://www.noticebored.com/html/policy_manual.html"&gt;information security policy manual&lt;/a&gt; based on the good security practices and controls recommended by ISO/IEC 27002.  Organizations that are implementing Information Security Management Systems use our manual to develop their own custom set of policy principles, axioms and detailed policy statements reflecting the ISO27k standards.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;A range of over 200 high-quality &lt;a href="http://www.noticebored.com/html/posters.html"&gt;security awareness posters&lt;/a&gt;, supplied as JPG images for customers to customize and brand, then print as many hardcopies as they actually need at no extra charge.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;A set of &lt;a href="http://www.noticebored.com/html/icqs.html"&gt;Internal Controls Questionnaires&lt;/a&gt; covering some 31 information security topics.  
These are useful prompts or guides for risk assessments, gap analysis, internal audits or management reviews, helping customers assess the extent to which their security controls actually mitigate the organization's information security risks.  The questions posed are deliberately open-ended to encourage intelligent and flexible application, as opposed to the usual brain-dead compliance tick-lists that achieve so little in practice.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="text-align: justify;"&gt;Thanks to our low overheads, we are able to offer &lt;a href="http://www.noticebored.com/html/vfm.html"&gt;unbeatable prices&lt;/a&gt; across the whole NoticeBored product range.  Given that awareness leverages existing investments in technical and other forms of security controls, as well as being the only rational way to address the human elements of social engineering, fraud, phishing and similar security risks, NoticeBored provides &lt;span style="font-style: italic;"&gt;outstanding &lt;/span&gt;value for money.&lt;br /&gt;&lt;br /&gt;Last but not least, NoticeBored embodies our passion for the subject.  Few if any information security managers would dispute the importance of security awareness, training and education, yet they seldom have the time or indeed the skills to really do it justice.  By providing "camera ready" security awareness materials on topical subjects, we release our customers from the tedious burden of researching, writing and polishing the awareness content, leaving them free to concentrate on the fun part - interacting with employees, promoting good security practices and enthusiastically spreading a little of  that passion we mentioned.  In some ways, it's a shame we can't walk the last mile with you ... 
good luck.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-6865808370078898290?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.noticebored.com/html/induction_module.html' title='Cradle-to-grave security awareness'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/6865808370078898290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=6865808370078898290' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/6865808370078898290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/6865808370078898290'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/08/cradle-to-grave-security-awareness.html' title='Cradle-to-grave security awareness'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-5934754815304133505</id><published>2009-08-07T11:09:00.002+12:00</published><updated>2009-08-07T12:59:22.105+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Social engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='incident'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><category scheme='http://www.blogger.com/atom/ns#' term='Hacking'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Awareness'/><title type='text'>Twitter admin email password reset incident</title><content type='html'>Last month a story broke about employees of the company behind Twitter being hacked.   &lt;a href="http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/"&gt;TechCrunch&lt;/a&gt; has published details of the incident, and the comments on their story identify some of the possible controls.  In short:&lt;br /&gt;- A Twitter employee uses Gmail&lt;br /&gt;- Gmail has a password reset function that sends the user's password to a pre-registered email account&lt;br /&gt;- The Twitter employee had originally configured Gmail to use a Hotmail email account for this&lt;br /&gt;- The Hotmail account was unused for months and lapsed&lt;br /&gt;- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, presumably it was a similar address to the Gmail account]&lt;br /&gt;- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owned, which it did&lt;br /&gt;- The hacker then logged on to the Twitter employee's Gmail account&lt;br /&gt;- One of the emails he could now access was the original "Welcome to Gmail" type notice with the original password, so the hacker was able to reset the Gmail password back to the one the real user knew, before the real user noticed it had been changed&lt;br /&gt;- Through information disclosed between Twitter employees by email, and by guessing his passwords to other Web systems, the hacker obtained a further bunch of confidential information including access to the email accounts of senior Twitter execs&lt;br /&gt;- The hacker eventually disclosed the hack to the news media for some reason, causing public embarrassment to Twitter and fears about their evident insecurity&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/11075299-5934754815304133505?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/' title='Twitter admin email password reset incident'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/5934754815304133505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=5934754815304133505' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/5934754815304133505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/5934754815304133505'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/08/twitter-admin-email-password-reset.html' title='Twitter admin email password reset incident'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-8191709952796478116</id><published>2009-08-07T10:37:00.004+12:00</published><updated>2009-10-30T12:38:15.911+13:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>Digital Forensics Mag</title><content type='html'>A new &lt;a href="http://www.digitalforensicsmagazine.com/"&gt;magazine for fans of digital forensics&lt;/a&gt; will debut later this year, covering:&lt;br /&gt;&lt;p&gt;•    Cyber terrorism&lt;br /&gt;•    Law&lt;br /&gt;•    Management issues&lt;br /&gt;•    Investigation technologies and procedures&lt;br /&gt;•    Tools 
and techniques&lt;br /&gt;•    Hardware, software and network forensics&lt;br /&gt;•    Mobile devices&lt;br /&gt;•    Training&lt;br /&gt;•    eDiscovery&lt;br /&gt;•    Book/product reviews &lt;/p&gt;Meanwhile they are seeking input - perhaps we should recycle one of our recent security awareness deliverables ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-8191709952796478116?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.digitalforensicsmagazine.com/' title='Digital Forensics Mag'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/8191709952796478116/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=8191709952796478116' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/8191709952796478116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/8191709952796478116'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/08/digital-forensics-mag.html' title='Digital Forensics Mag'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-7265181541338409429</id><published>2009-08-07T09:06:00.004+12:00</published><updated>2009-08-07T10:13:40.791+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Risk'/><category scheme='http://www.blogger.com/atom/ns#' term='Office'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Office comms risks and controls</title><content type='html'>An article about &lt;a href="http://www.forbes.com/2009/08/03/twitter-social-media-technology-cio-network-security.html"&gt;responsible Twittering&lt;/a&gt; hints at a broader concern for all social media, and in fact all forms of communication between the office and the outside world.  Examples in the article include people falsely claiming to represent their employers and disclosing sensitive information via Twitter, plus Twitter being used to direct potential victims to infectious sites hosting malware.  People have done the same kinds of things for years using email, telephone, blogs, bulletin boards, IM, VoIP and so on - even letters in the post: the incidents are pretty similar though the communications media vary.&lt;br /&gt;&lt;br /&gt;This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications.  Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway.  Automatically appended email disclaimers have dubious legal validity, particularly those that are written or modified by amateurs.  Policies and procedures can help but only if employees are made aware of, accept and comply with them, which requires awareness activities (such as this month's NoticeBored module) and compliance activities (such as management oversight - basically taking an interest in what staff are doing at their desks).&lt;br /&gt;&lt;br /&gt;Risk avoidance is arguably the most effective control, in other words discouraging or preventing unnecessary office communications outside the organization.  
However, this is likely to have an adverse impact on legitimate business activities, and hence costs.&lt;br /&gt;&lt;br /&gt;Since the controls are evidently not perfect, wise organizations make contingency arrangements in preparation for situations when the controls fail and incidents occur.  Examples:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Incident notification and specific response procedures covering these kinds of incident;&lt;/li&gt;&lt;li&gt;Response procedures include 'damage limitation' using legal actions (e.g. those disclaimers and Non Disclosure Agreements) and Public Relations (e.g. stock press releases ready to issue);&lt;/li&gt;&lt;li&gt;"Learning the lessons", which means using incidents (particularly those suffered by the organization but also its peers and others in the public domain) as case studies and training materials;&lt;/li&gt;&lt;li&gt;Disciplinary procedures taking account of incidents of this nature, typically using examples.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;[Scary postscript:  the &lt;a href="http://www.latimes.com/technology/la-na-pentagon-facebook5-2009aug05,0,423247.story"&gt;Pentagon&lt;/a&gt; thinks there is value in 'instant comms', if only soldiers can be persuaded not to disclose little things such as battle plans ...] 
[Or is this just a crude attempt by the US to encourage foreign militia to permit their soldiers to use Twitter?]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-7265181541338409429?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.forbes.com/2009/08/03/twitter-social-media-technology-cio-network-security.html' title='Office comms risks and controls'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/7265181541338409429/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=7265181541338409429' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/7265181541338409429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/7265181541338409429'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/08/office-comms-risks-and-controls.html' title='Office comms risks and controls'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-3433966980731343358</id><published>2009-08-06T10:30:00.003+12:00</published><updated>2009-08-06T10:41:59.171+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Physical'/><category scheme='http://www.blogger.com/atom/ns#' term='Office'/><title type='text'>Tax passwords are valuable!</title><content type='html'>The &lt;a 
href="http://news.bbc.co.uk/2/hi/business/8186509.stm"&gt;BBC reports&lt;/a&gt; that fraudsters are exploiting taxpayers' passwords to access an online Inland Revenue system in attempts to make fraudulent claims for tax refunds.  They presumably obtain the passwords by stealing the notification letters from the post or from carelessly discarded rubbish bins, by tricking people out of them (perhaps by social engineering or phishing), or perhaps most worryingly for the tax authorities, by hacking their lovely online and/or back-end IT systems.&lt;br /&gt;&lt;br /&gt;It's hard to imagine that taxpayers would deliberately discard letters with login credentials that might let them reclaim overpaid tax, but it's possible some do not even realise that they are able to do so.  I doubt the tax man says this in big bold print!  We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care.&lt;br /&gt;&lt;br /&gt;Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to prevent this kind of thing.  Rogue postal workers sometimes get the blame.  Fraudulent redirection of post and theft from mailboxes also occur from time to time.&lt;br /&gt;&lt;br /&gt;It's interesting that the possibility that someone might have been hacking the tax systems is not even mentioned by the BBC or the Revenue's spokesperson.  
Perhaps it's just too horrific to countenance?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-3433966980731343358?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.bbc.co.uk/2/hi/business/8186509.stm' title='Tax passwords are valuable!'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/3433966980731343358/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=3433966980731343358' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/3433966980731343358'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/3433966980731343358'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/08/tax-passwords-are-valuable.html' title='Tax passwords are valuable!'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-435064750770463624</id><published>2009-08-06T10:23:00.003+12:00</published><updated>2009-08-07T09:56:41.431+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Email'/><category scheme='http://www.blogger.com/atom/ns#' term='Physical'/><category scheme='http://www.blogger.com/atom/ns#' term='Office'/><category scheme='http://www.blogger.com/atom/ns#' term='Awareness'/><title type='text'>Office and email security awareness</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} 
catch(e) {}" href="http://www.noticebored.com/blog/uploaded_images/02-NB-awareness-poster-on-office-info-sec-4-250-790866.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 250px; height: 354px;" src="http://www.noticebored.com/blog/uploaded_images/02-NB-awareness-poster-on-office-info-sec-4-250-790864.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;We've released a thoroughly refreshed and updated awareness module on &lt;a href="http://www.noticebored.com/html/this_month.html"&gt;office security&lt;/a&gt;, covering physical and IT security in the workplace.  It includes email security and security for other forms of office messaging and inter-personal communications such as IM and VoIP.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-435064750770463624?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.noticebored.com/html/this_month.html' title='Office and email security awareness'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/435064750770463624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=435064750770463624' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/435064750770463624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/435064750770463624'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/08/office-and-email-security-awareness.html' title='Office and email security awareness'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' 
name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-11075299.post-1544850764989722368</id><published>2009-07-03T21:03:00.005+12:00</published><updated>2009-07-03T21:13:17.559+12:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Confidentiality'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>Forensic examination of secondhand disks</title><content type='html'>Used hard disks bought on an online auction site were found to contain &lt;a href="http://www.irishtimes.com/newspaper/finance/2009/0703/1224249965663.html"&gt;personal and proprietary data&lt;/a&gt;.  Some of the drives that had supposedly been erased yielded their secrets to forensic examination techniques.  Others still had the original undeleted data and could have been read easily by any purchaser.  The Irish newspaper article notes that homeworkers were probably the source of at least some of the security lapses, having used their own PCs for work projects, "forgotten" about the sensitive work data they contained, and sold the disks or whole systems privately.  This kind of breach would fall outside the remit of most organizations I have worked for, except those few who insist that staff only use company systems for work activities, typically providing laptops for the purpose.  
That said, whether the laptop hard disks were properly erased at the end of their life, or the extent to which employees complied with the company policies on not working on personal IT equipment, is anyone's guess.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/11075299-1544850764989722368?l=www.noticebored.com%2Fblog' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.irishtimes.com/newspaper/finance/2009/0703/1224249965663.html' title='Forensic examination of secondhand disks'/><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/1544850764989722368/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=11075299&amp;postID=1544850764989722368' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/1544850764989722368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/11075299/posts/default/1544850764989722368'/><link rel='alternate' type='text/html' href='http://www.noticebored.com/blog/2009/07/forensic-examination-of-secondhand.html' title='Forensic examination of secondhand disks'/><author><name>NoticeBored</name><uri>http://www.blogger.com/profile/03271148849000325301</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='09392328684659679351'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry></feed>