Tuesday, February 03, 2009

Website content integrity failure

While researching for our next awareness module on SCADA security, I came across the Omron PLC website and couldn't help laughing when I read their news items. They haven't been well translated from the original - at least I doubt anyone would seriously have meant to write "The reverend converts the broadcasting waves echolike backwards from the RFID attach into digital aggregation that crapper then be passed on to computers that crapper attain ingest of it.". Let's hope we make more sense of SCADA security in our awareness briefings!


Friday, September 12, 2008

AsiaDomainNameRegistrar scam

An email allegedly from an Asian domain name registrar based in China caught my eye in the spam box today. The email basically says an investment company intends to register NoticeBored.ASIA and NoticeBored.CN, and that we'd better act fast to stop it.

Dear Manager,

We received a formal application on intending to register "noticebored" as their domain name and Internet brand in China and also in Asia from an investment company on Sept. 7th, 2008. During our audit period, we find that this Investment company has no trade mark, brand or patent. As a professional institution of domain name registration, we have reasons to suspect this investment company to be a domain name grabber. Therefore, we need your confirmation on two points as follows.
First of all, whether this investment company is your business partner or distributor in China?
Secondly, whether you are interested in registering these domain names?
(According to the rules of domain name registration, the investment company will be entitled to obtain a domain name but not need the permission from the original trademark owner.) If you are not in charge of this issue, please transfer this email to the right department.
This is a letter for confirmation. If the mentioned third party is your business partner or distributor in China or in Asia, please DO NOT reply. We will automatically think that this application was from your business partner after our audit period.

Hebe

Asia Domain Name Registrar
TEL : 86-21-312 609 71
FAX : 86-21-312 609 72
Email: hebe@asiadomainnameregistrar.com
Web: www.domainorg.net.cn

It's a scam of course, but one of the better ones having a certain ring of authenticity and credibility to it.

A quick Google search soon found a blog entry about it from where links led me to another. Blog commenters note that the registrar is blatantly overcharging for domain registrations and, in any case, there are official ICANN procedures in place to deal with 'domain name squatting' and trademark abuse. Needless to say, I shan't be responding to their email but our lawyers and I will be fascinated to see whether those domains are ever actually registered ...


Wednesday, June 25, 2008

Information cards

The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers.

Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to login in the conventional way. Other information such as your shipping address can also be retrieved automagically.

So far, this sounds reminiscent of cookies (oh no!) but presumably those 'thoughtful designers and architects' have been beavering away on the security and privacy aspects. The Information Cards Forum website doesn't actually say much about the technology, unfortunately. Perhaps they've thought through the use of powerful encryption algorithms, long keys and solid protocols. Maybe they've considered shared and public PCs, cross-site issues and more. Perhaps this time they'll get it right.

If you change your address, you only have to update it in your personal data store, and all the relationships you have established with your Information Card will be updated automatically.


OR

'If a hacker changes your address, they only need to update it in your personal data store and all the sites that use your I-Card will use the hacked version'. I wonder if the automation will be such that the user never even notices that his bank statements and goods ordered online are now being delivered to a strange PO box address half way across the country?

Use "I-Cards" to:

- login to websites with a single click

- create relationships with those you want to do business with

- manage your personal data in one place that only you and those you allow have access.

- wield the claims that other people and institutions say about you.

- prove that you are who you say you are without revealing details using trusted identity providers.


The first bullet - single click website logins - and several others on the list can be achieved already with all manner of browser-integrated password vaults.

I have no idea what bullet 4 means by "wielding claims". I understand you can wield an ax but not a claim.

The last bullet presumably implies the use of digital certificates and PKI. So that's alright then. No issues there.

I'll be interested to see how this initiative pans out. So far, it looks suspiciously like a vendor-backed "solution" looking for a market demand. Claims to the effect that the ICF will develop vendor-independent standards (for interoperability among, presumably, the ICF members) hint at the real objective here. Get something to market (or rather, 'launch the concept') and start building the I-Card brand before some idiot has the temerity to point out the flaws.


Thursday, May 29, 2008

Profile of an identity theft victim

According to the Beeb, the UK credit reporting agency Experian has analyzed its records to profile typical victims of identity theft. The results are thought provoking.

"Company directors or those running their own businesses are most likely to be victims of identity theft, according to a report from Experian."


Um. So company directors are unable to spot phishing and similar ID theft scams? I thought being in a responsible management position implied a level of intelligence, integrity and ability. Perhaps the phishers and other identity thieves are a step ahead after all.

"The credit reference agency said 6,000 victims in the UK asked its staff for help last year, a 66% rise on 2006."


Oh oh. Either ID theft has risen significantly, or Experian's marketing wizards have had an exceptional year.

"The most likely victims were aged between 26 and 45, earned more than £50,000, rented their home and lived in London, Experian's analysis found."


OK, now I'm starting to see a pattern. Busy professionals in the rat-race that is London, who probably don't have time to bother with small details such as checking their credit card statements or worry about dubious requests from their bank to 'update their details'. Life's too short.

"It takes an average of 18 months for people to realise they are victims."


Oh boy, that's a killer! Just imagine how much damage an identity thief can do over that kind of timescale, and how difficult it must be for the scammed busy professionals to re-establish their identities and credit records after someone has been living their life for 18 months or more.

18 months! I still find it hard to believe. What is going so badly wrong in the financial services industry that such a commonplace fraud takes so long to detect? Does nobody find it remotely strange that one "John Smith" appears to be taking money out of an ATM in Chiswick at the very instant that the same "John Smith" is purchasing first class tickets to Acapulco over the web or in a travel agency in Glasgow? Or that clean-living stay-at-home busy executive and housewife "Jane Smith" has suddenly taken to online gambling and porn in a big way?

I'm trivialising the problem, I know, but there must surely be visible symptoms of fraud when identity theft is evidently happening on such a wide scale, if only someone is looking for it .... My guess is that the British banks and credit card companies are looking hard at their own customers but jealously guarding their data from those nasty competitors who might just be able to make the connections. Further, I bet the Data Protection Act figures large in the executives' thinking, regardless of the ability to disclose information for legal purposes.

Perhaps, like those busy executives, the British financial institutions are just so caught up in the money-making rat race that they can't be bothered with trivial details such as [escalating] phishing, identity theft and other fraud losses - something Bruce Schneier refers to as delinquency. After all, 'ten grand' is a lot for a single customer to lose but nothing to a bank making billions. Maybe the personal impacts of identity theft on victims' lives simply don't register with the banks. Being 'serviced' by the bank used to be something that customers valued rather than feared.


Wednesday, May 21, 2008

"Password protected" again

The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list:

"The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."


The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has lying around in their bedroom but some do, and specialist data recovery firms almost certainly have them. The 'highly advanced computer skills' needed to read the data are probably not beyond the average IT geek, especially a hacker with sufficient motivation to explore the tape.

But the really strange comment is that "the data is password-protected". IF the spokesman meant that the data were encrypted with a trustworthy encryption algorithm and a strong, long key, why didn't he say so? "Password protected" is normally how missing laptops are described if they don't use encryption. I don't understand how one would 'password protect' a tape.

So, this looks to me like yet another serious personal data breach in the UK, one evidently involving medical data that could well be more sensitive than, say, credit card numbers.


Monday, May 05, 2008

Errors in financial accounts

A study reported in CFO Magazine identifies 'internal errors' (mistakes by employees) as the biggest cause of financial restatements, responsible for 56%. Next biggest was 'regulatory demands' at 38%. [Deliberate] 'manipulation' and 'complexity' accounted for just 3% each.


Wednesday, April 30, 2008

Computer-aided retail fraud

A 46-page academic paper by Richard Thompson Ainsworth of Boston University School of Law describes "zappers" - programs designed to divert some sales transactions from the normal sales processing and accounting systems. Fraudsters with sufficient access to an organization's sales systems (e.g. small business owners) sometimes use zappers either to misappropriate the entire sales income for the diverted sales (steal the entire value from the company - the sales don't go through the books) or to manipulate the value (for example to steal the VAT/GST/sales tax content).

So-called "zap" and "super-zap" programs have existed for decades in the mainframe world. They allow intervention on databases, overriding normal access constraints to manipulate the data, and potentially programs, directly. They are supposed to be used only under carefully controlled emergency conditions, for instance to modify or delete a rogue data record that is somehow blocking an entire batch from processing. Most competent sysprogs (systems programmers) or systems administrators have the knowledge and capability to run zap programs and can potentially meddle with the systems in a virtually unstoppable and undetectable manner, provided they are careful: well-written programs have built-in integrity checks and other controls that at least identify and flag direct interventions. Unfortunately, if the sysprogs also have the capability to suspend or edit the audit trails, or substitute hacked programs, or subvert the operating system calls, or ... or ... all bets are off. Remember this possibility if you ever hear a sysprog for a financial institution bragging about the speed of his new Ferrari.

Going back to sales zappers, the article points out differences in the ways such frauds are detected in the US and the EU. In the States, it seems the evidence suggests that income tax investigations "often" (or rather occasionally!) catch zapper users, while in the EU they are more likely to be caught by sales tax investigations. This begs the question: why not do both? And while you're at it, why not take a close look at those "shrinkage" stock losses - the ones that conceal employee as well as customer thefts of goods?


Tuesday, April 29, 2008

New awareness module on trust, integrity & fraud

Trust is an important concept in security but few awareness programs give it the coverage it deserves. This month’s NoticeBored module brings together trust, integrity and fraud in an IT context, and touches on closely related concepts such as honesty, governance and whistleblowing.

Identity thefts, 419 scams, deliberate sabotage and fraud by trusted insiders (such as the recent incident at Société Générale Bank) and numerous other information security incidents provide no shortage of topical content for our 60th module.

We’ve all had our share of disappointments and incidents in life due to misplaced trust in someone or something. Such painful experiences are all part of the rich experiential lessons from life’s School of Hard Knocks. With hindsight, things would have been different, we hope. On the upside of risk, we are sometimes pleasantly surprised when people and systems deliver on their promises, or even better exceed expectations. Such is the way in which trust is built up.

Trust comes in two flavors: blind faith means we ‘just trust’ something or someone with no rational basis beyond our belief system. In most cases, however, trust must be earned, in other words a level of trust is established gradually over a period of successful interaction and performance. By the same token, trust can be damaged or destroyed by negative events – when a person, organization or system “lets us down”, we are naturally more dubious about it the next time.

There can be immense personal satisfaction in being trusted and respected by someone else. Computer systems and other inanimate objects may not have feelings but those that prove their worth accrue value above those that are unreliable in practice. How would you feel about, say, a heart monitor that sporadically shut down or gave nonsensical readings? Do you dread getting into an elevator that sometimes jerks or stops between floors? That subconscious sense of unease tinged with fear is the result of not being able to trust something.

Technological controls alone are seldom adequate to reduce the risks, placing emphasis on human controls through training and education, policies and procedures, and various forms of management supervision (including, by the way, the IT audits we covered last month).

In relation to information, specifically, trust brings up related subjects such as integrity and fraud. The NoticeBored awareness materials explore these concepts through presentations, briefing/discussion papers, case studies and more. We’re delivering a bundle of 30 different types of awareness material (see below), too much for all but our largest customers to use perhaps but that’s not the intention. Customers are encouraged (through the ‘awareness activities’ paper provided) to review the materials and pick out the pieces that are most appropriate for them, given their circumstances and the maturity of their awareness programs.
Content of the module

May’s NoticeBored security awareness module is out now. If you're not already a NoticeBored customer, see what you're missing on the NoticeBored website.


Friday, March 07, 2008

Inept phisher award

I just thought I'd share this little gem with you. It's possibly the most inept phishing email I've seen. The phisher has evidently heard of "ISO 27001" certificates and either hasn't got a clue what that means, or figures most of his victims won't understand.

I have removed the embedded URL for your safety. Who knows what kind of inept malware might be lurking there?

-----Original Message-----
From: Wachovia Connection banking Consumer support [mailto:techsupport@wachovia.com]
Sent: Thursday, 6 March 2008 11:14 p.m.
To: press@globalsecurityweek.com
Subject: Notice: : New Certificates 2008 wachovia.com

IMPORTANT SECURITY NOTICE

All Users - Must Accept New Digital Security Certificate 2008 (SecurityISO 27001 Certification Consulting)

Customers of numerous banks have been victims of ACH and wire transfer fraud in recent weeks, resulting in the origination of unauthorized ACH entries and wire transfers from customers' computer systems.

Wachovia Enhanced Security Authentication
We have enhanced the Wachovia security access to further safeguard access to your account information.

Starting from tomorrow system of access to work fields is transferred to coding with a certificate. It means that your password and ID will not be changed but will be logged differentially. The only necessary conditions includes the following: you only need to log the first source-certificate which will generate further conversion. Thereto you have to follow the link http://wc.wachovia.com/online [real URL deleted GH] and enter your access code and ID in the appropriate fields.

We would like to draw your attention to the fact that all fields must be filled out, otherwise the system will block escape to the next level and you can not start work with your personal data.

Should all necessary fields be filled in and password and ID concur with those registered in our system, you will get access to the work field. After that your personal identification Certificate will be successfully logged in the system. No other operations from your part are required.

Thank you for cooperation and support.
IT Security Department

© 2008 Wachovia Corporation. All rights reserved.


Saturday, December 22, 2007

A Christmas present for ordinary computer users

Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users.

The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype, perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better.

Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user friendly option you'd recommend?


Thursday, December 06, 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Web Proxy Auto-Discovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they go up the DNS tree and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web.

Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server and offer a legitimate proxy config file ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.
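The DNS walk described above, simulated as an added example (not code from the Microsoft advisory or the Kiwicon talk) so an administrator can list which wpad names their clients would query and which of those fall outside the organisation's own zone, i.e. the names to pre-empt with a legitimate internal wpad host or by disabling autodetection. The client names, the org zone and the tiny public-suffix set are assumptions for the demo.

```python
"""Enumerate the wpad.* lookups a proxy-autodetecting client would make
and flag the ones the organisation does not control.

Added illustration; the label-by-label climb is the behaviour the post
describes, not a transcription of the Windows implementation.
"""
from typing import List, Tuple

# Constructed mini public-suffix set for the demo. A real audit would use
# the full Public Suffix List; this is an assumption, not a complete list.
PUBLIC_SUFFIXES = {"co.nz", "co.uk", "com", "net", "org"}


def wpad_candidates(client_fqdn: str) -> List[str]:
    """Names a client would try, most specific first.

    pc1.sales.example.co.nz -> wpad.sales.example.co.nz,
    wpad.example.co.nz, wpad.co.nz (stops before the bare TLD).
    """
    labels = client_fqdn.lower().strip(".").split(".")[1:]  # drop hostname
    names = []
    while len(labels) >= 2:          # never try wpad.<tld> on its own
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]          # devolve one level
    return names


def is_inside_zone(name: str, org_zone: str) -> bool:
    """True if name is org_zone itself or a subdomain of it."""
    n, z = name.lower().strip("."), org_zone.lower().strip(".")
    return n == z or n.endswith("." + z)


def classify(client_fqdn: str, org_zone: str) -> List[Tuple[str, str]]:
    """Label each candidate:
       'internal' - inside the org's zone; serve or sinkhole it there
       'public'   - a direct child of a public suffix; anyone could register it
       'external' - outside the org zone but not directly under a suffix
    """
    results = []
    for cand in wpad_candidates(client_fqdn):
        parent = cand.split(".", 1)[1]      # strip the leading 'wpad.'
        if is_inside_zone(cand, org_zone):
            kind = "internal"
        elif parent in PUBLIC_SUFFIXES:
            kind = "public"
        else:
            kind = "external"
        results.append((cand, kind))
    return results


def exposed_names(client_fqdn: str, org_zone: str) -> List[str]:
    """Candidates the organisation cannot answer authoritatively."""
    return [c for c, k in classify(client_fqdn, org_zone) if k != "internal"]


if __name__ == "__main__":
    # Constructed client name in a constructed org zone.
    for cand, kind in classify("pc1.sales.example.co.nz", "example.co.nz"):
        print(f"{cand:32s} {kind}")
```

Run it against the actual client naming scheme and primary DNS suffix of each site; every name it reports as 'public' or 'external' is one a client will happily query if the internal ones go unanswered.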

Good luck!


Monday, February 26, 2007

Human error multipliers

George Spafford wrote "there are a number of behaviors that can dramatically increase the odds of human error yet organizations fail to manage them". He identifies a wide range of factors that make human errors more likely including: complexity; deadlines; fatigue; multitasking; poor planning; insufficient testing; lack of change management ... and many more (just read George's paper and I'm sure you will think of more).

George continues, "some organizations may have multiple behaviors that when combined further increase risk levels. Organizations must take a careful look at their culture and processes to understand and subsequently manage the level of human error being introduced." 'Taking a look at' culture and processes is easy enough but changing them (especially the culture) is a different matter entirely. That said, George's list of issues implies a whole load of options for those willing to take up the challenge.

Integrity links


Wednesday, January 03, 2007

The ¥40bn typo

Does it matter if I offer to sell 610,000 things at 1 Yen each instead of 1 thing at ¥610,000? Errr, yes it does, especially if I'm a broker trading shares live on a busy Tokyo Stock Exchange. The broker's typo cost Mizuho Securities, Japan's second largest bank, ¥40.7bn (approximately US$340m) in charges to buy back the shares. The broker tried four times but was unable to cancel the trade due to 'a problem' with the exchange systems. In a typically Japanese form of accountability, the president, IT head and managing director/executive officer of the stock exchange all resigned, the cock-up following hard on the heels of earlier 'technical problems' i.e. capacity constraints, availability failures and functional limitations of the exchange's dealing systems.

It seems curious to me that the apparent lack of data validation on the brokerage's own systems is not even mentioned in the news reports. At such a cheap price and more than 40x the actual number of shares in the company, the sell offer was so far out of whack with reality that the brokers' systems (both buyers' and sellers') should have flagged it as a probable typo, if not trapped the deal pending confirmation. It can't be easy to validate trades in such a high-pressure environment where occasional deals are bound to be outlying data values, but surely it must be feasible to impose some pragmatic limits?
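The kind of pragmatic pre-trade limit argued for above, as an added example that is not Mizuho's or the exchange's logic. The reference price and share count are constructed (the post only says the order was more than 40x the float), and the deviation threshold is an assumption.

```python
"""Pre-trade sanity checks that would have held a 610,000 @ ¥1 order
for confirmation. Added example; thresholds and reference data are assumed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Order:
    symbol: str
    side: str        # "buy" or "sell"
    quantity: int
    price: float     # yen


@dataclass
class ReferenceData:
    last_price: float            # most recent traded price
    shares_outstanding: int      # the issuer's float
    max_price_deviation: float = 0.5   # assumed: flag >50% off last price


@dataclass
class CheckResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def _deviation(price: float, reference: float) -> float:
    return abs(price - reference) / reference


def looks_swapped(order: Order, ref: ReferenceData) -> bool:
    """True when the order is implausible as entered but becomes plausible
    with price and quantity exchanged: the fat-finger signature."""
    if _deviation(order.price, ref.last_price) <= ref.max_price_deviation:
        return False
    swapped_price, swapped_qty = float(order.quantity), int(order.price)
    return (_deviation(swapped_price, ref.last_price) <= ref.max_price_deviation
            and 0 < swapped_qty <= ref.shares_outstanding)


def validate(order: Order, ref: ReferenceData) -> CheckResult:
    """Accept the order or return every reason it should be held."""
    if ref.last_price <= 0:
        raise ValueError("reference price must be positive")
    reasons = []
    if order.quantity <= 0 or order.price <= 0:
        reasons.append("non-positive quantity or price")
    if order.quantity > ref.shares_outstanding:
        reasons.append(f"quantity {order.quantity:,} exceeds shares outstanding "
                       f"{ref.shares_outstanding:,}")
    dev = _deviation(order.price, ref.last_price)
    if dev > ref.max_price_deviation:
        reasons.append(f"price {order.price:,.0f} is {dev:.0%} away from last "
                       f"price {ref.last_price:,.0f}")
    if looks_swapped(order, ref):
        reasons.append("price and quantity appear transposed; hold for confirmation")
    return CheckResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed reference data: last trade ¥610,000, float 14,500 shares.
    ref = ReferenceData(last_price=610_000, shares_outstanding=14_500)
    for o in (Order("DEMO", "sell", 610_000, 1.0), Order("DEMO", "sell", 1, 610_000.0)):
        r = validate(o, ref)
        print(o.quantity, "@", o.price, "->", "accepted" if r.accepted else r.reasons)
```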

More links on integrity, incident management and accountability


Saturday, December 23, 2006

Under cover for 23 years

A remarkably successful identity thief was eventually brought to justice in Britain when an alert immigration officer spotted false documentation, sparking checks that revealed a fraudulent passport application. The self-styled Earl of Buckingham (not his real name) lived for some 23 years under an assumed name. The genuine Christopher Edward Buckingham died as a child. The fraudster's real identity remains hidden, thanks partly to Switzerland’s privacy laws since he was working in Zurich as an IT security consultant for an insurance company ... which itself raises all sorts of interesting insider threat questions.

More identity theft resources


Monday, December 18, 2006

Phone hacker sues bank for payment

Having been prosecuted and then discharged without conviction for hacking the Reserve Bank of New Zealand's telephone system, Gerry Macridis is now threatening legal action to be paid $7,500 for his unsolicited security advice. Gerry claims to have acted honourably by identifying security flaws in the bank's system and advising them of what they needed to do to resolve them. I've never met Gerry and based on the news reports I have no reason to doubt his integrity but his somewhat naive and direct approach must be a thorn in the bank's side.
More hacking links


Tuesday, October 17, 2006

When POTS becomes VOIP

The transition from POTS (Plain Old Telephone System) to VOIP (Voice Over IP) is likened in an article by CSO Magazine to Swedes changing the side of the road on which they drive. It's a dramatic analogy but acts as a worthwhile counterpoint to the usual arguments about VOIP simply replicating POTS security issues. In fact, VOIP/IPtel introduces some novel risks:
- Confidentiality: unauthorized disclosure of information by snooping on calls, copying or redirecting them;
- Integrity: change management; authentication of users and security administration;
- Availability: additional complexity caused by implementing new IT/networking equipment to replace tried-and-trusted PABXs; convergence of voice and network technologies potentially creating new unanticipated technical issues;
- Financial: risks relating to the implementation project's business case;
- Operational: changing pattern of use of phone systems may open up novel working practices and business opportunities with unique security/risk implications (e.g. remote Internet teleworking potentially including offshore, wireless phones).
Analysing the risks on another axis gives a different view:
- Threats: accidental misconfiguration or operator errors causing software/system/network failures; man-in-the-middle attacks on voice calls (manipulating voice traffic in real time to change conversations);
- Vulnerabilities: new technology (compared to POTS); all the usual information or IT security vulnerabilities (e.g. bugs); all eggs in one basket;
- Impacts: simultaneous loss of network data and voice capability causing business disruption; disclosure of confidential information; regulatory or legal implications such as retention of calls.
More web and network security links


Wednesday, August 30, 2006

ATM credits $700,000,000 instead of $74

An ATM error in Ekaterinburg city in Russia's Ural region allegedly led to a customer who deposited around $74 being credited with around $700,000,000, not once but twice. The man 'fessed up to the bank clerks who initially said they were too busy to deal with it, until the man turned up with shoe boxes full of cash. The ATMs were soon switched off. [This story has the feel of an urban myth. The ATM receipt shown in the newspaper article could easily be a fake - they are available to purchase from online sources for joke purposes, although I haven't yet seen the Cyrillic option].
More integrity links


Friday, March 17, 2006

Spreadsheet integrity issues

Patrick O'Beirne, author of the highly-recommended book Spreadsheet Check and Control, will be speaking at a meeting of the Irish Computer Society on March 21st. The lecture will be webcast simultaneously for those unable to get to Dublin. If you use spreadsheets, or know someone who does, don't miss this!
More integrity resources here


Monday, August 22, 2005

5 steps to data Nirvana

Starting with a comment from Gartner that “More than 25% of critical data in Fortune 1,000 databases is inaccurate or incomplete”, a thought-provoking piece in Baseline magazine suggests five steps to improve your data accuracy: (1) Acknowledge the problem; (2) Determine the extent of the problem; (3) Establish the costs of getting it right (and wrong); (4) Use available tools; and (5) Put somebody in charge.
More integrity resources


Wednesday, June 29, 2005

Never mess with privileged sysadmins

Someone's resignation letter, whether it is actually true or not, makes fun reading but has a real sting in the tail. Read to the end and think about this the next time you appoint or dismiss a systems administrator or indeed anyone else with privileged systems access.


Wednesday, May 25, 2005

2005 AusCERT security survey

The latest AusCERT computer crime and security survey says "Only 35% of respondent organisations experienced electronic attacks that harmed the confidentiality, integrity or availability of network data or systems (compared to 49% in 2004 and 42% in 2003)." ONLY 35%! Am I the only person who finds it perverse to regard a situation in which MORE THAN A THIRD of those surveyed suffered business impacts as a success? 3.5% maybe but not 35. This is an outrageous indictment of the state of information security.


Saturday, April 09, 2005

Hacking school in Barcelona

Barcelona is home to a hacking school, more precisely a course teaching students about information security risks and control techniques. The course is backed by ISECOM, the Institute for Security and Open Methodologies, which describes itself as an 'open-source collaborative community ... dedicated to providing practical security awareness, research, certification and business integrity'.


Saturday, February 26, 2005

Typos lead to medication errors

Data entry errors were the fourth leading cause of medication errors in 2003, up from seventh position in 2000, according to a report by US Pharmacopeia. Perhaps robots can help? Perhaps simplifying the names of drugs as well?
More integrity resources available here
