<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-11075299</atom:id><lastBuildDate>Tue, 27 May 2008 04:26:16 +0000</lastBuildDate><title>NoticeBored blog</title><description/><link>http://www.noticebored.com/blog/NBlog.html</link><managingEditor>noreply@blogger.com (NoticeBored)</managingEditor><generator>Blogger</generator><openSearch:totalResults>707</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-1026327904462233280</guid><pubDate>Tue, 20 May 2008 21:54:00 +0000</pubDate><atom:updated>2008-05-22T11:38:57.348+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Confidentiality</category><category domain='http://www.blogger.com/atom/ns#'>Incidents</category><category domain='http://www.blogger.com/atom/ns#'>ID theft</category><category domain='http://www.blogger.com/atom/ns#'>Trust</category><category domain='http://www.blogger.com/atom/ns#'>Accountability</category><category domain='http://www.blogger.com/atom/ns#'>Integrity</category><category domain='http://www.blogger.com/atom/ns#'>Secrecy</category><title>"Password protected" again</title><description>The BBC reported that &lt;a href="http://news.bbc.co.uk/2/hi/uk_news/england/hampshire/7410119.stm"&gt;over 38,000 patients' confidential health records have gone missing&lt;/a&gt; on a backup tape from an NHS Health Centre on the Isle of Wight.  The tape was lost by a courier firm &lt;span style="font-style:italic;"&gt;en route&lt;/span&gt; back to the centre after having been checked for integrity.  
Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"The risk of the tape being misused is extremely small," the trust spokesman added.  "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape." &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The 'specialist computer equipment' is presumably some sort of tape drive.  OK, so it's not the kind of thing that everyone has lying around in their bedroom but some do, and specialist data recovery firms almost certainly have them.  The 'highly advanced computer skills' needed to read the data are probably not beyond the average IT geek, especially a hacker with sufficient motivation to explore the tape.&lt;br /&gt;&lt;br /&gt;But the really strange comment is that "the data is password-protected".  IF the spokesman meant that the data were encrypted with a trustworthy encryption algorithm and a strong, long key, why didn't he say so?  "Password protected" is normally how missing laptops are described if they don't use encryption.  I don't understand how one would 'password protect' a tape.  
&lt;br /&gt;&lt;br /&gt;So, this looks to me like &lt;a href="http://www.noticebored.com/blog/2007/12/desperate-for-data-on-25m-brits.html"&gt;yet another serious personal data breach in the UK&lt;/a&gt;, one evidently involving medical data that could well be more sensitive than, say, credit card numbers.</description><link>http://www.noticebored.com/blog/2008/05/password-protected-again.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-8385408776749877111</guid><pubDate>Sat, 10 May 2008 21:40:00 +0000</pubDate><atom:updated>2008-05-11T10:03:10.421+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Awareness</category><title>ISC2 blog launched</title><description>&lt;a href="http://www.isc2.org"&gt;(ISC)2&lt;/a&gt;, the organization behind SSCP, CISSP and CISSP-concentration certifications, has released &lt;a href="http://blog.isc2.org/isc2_blog/"&gt;a new blog&lt;/a&gt; aimed primarily at qualified information security professionals but also relevant to those just considering qualification and in fact anyone with an interest in information security.  I'm delighted and humbled to have been invited to join the blogging panel alongside a range of well known and highly experienced colleagues.  &lt;br /&gt;&lt;br /&gt;As the (ISC)2 blog develops, I expect I will be blogging less frequently here on the NoticeBored blog on topics that are not directly related to our current monthly awareness topic, moving those general interest posts over to the (ISC)2 blog ... so, if you want to continue seeing all these little pearls of wisdom plus others from the erudite (ISC)2 blogging panel, please subscribe to the (ISC)2 blog as well as this one.  
It's free, of course, and easy to track through blog aggregators such as &lt;a href="http://www.bloglines.com"&gt;Bloglines&lt;/a&gt;.</description><link>http://www.noticebored.com/blog/2008/05/isc2-blog-launched.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-8681352144387721219</guid><pubDate>Thu, 08 May 2008 09:28:00 +0000</pubDate><atom:updated>2008-05-08T21:33:40.869+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>farud</category><title>WE SCREAMED!  BE AWEAR!</title><description>Most inbound 419 scams go directly to my spam box but every so often one escapes detection and lands up in my inbox.  99% of those get instantly deleted .... but oh I do enjoy the remaining 1%.  Here's a classic example:&lt;br /&gt;&lt;br /&gt;-------------------------&lt;br /&gt;&lt;br /&gt;Assistant Director in Charge  &lt;br /&gt;Joseph Persichini, Jr  &lt;br /&gt;&lt;br /&gt; &lt;br /&gt;J. EDGAR. HOOVER BUILDING WASHINGTON D.C  13/10/2007&lt;br /&gt;http://www.fbi.gov&lt;br /&gt;ROBERT MUELLER &lt;br /&gt;EXECUTIVE DIRECTOR FBI&lt;br /&gt;             FBI SEEKING TO WIRETAP INTERNET.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;ATTNETION  &lt;br /&gt; &lt;br /&gt;THIS IS TO BRING TO YOUR NOTICE THAT WE THE FEDERAL BUREAU OF&lt;br /&gt; INVESTIGATION (FBI) HAVE BEEN CONTACTED BY THE OFFICE OF THE PRESIDENCY FEDERAL&lt;br /&gt; REPUBLIC OF NIGERIA TO COMMENCE WORK THROUGH OUR INTELLIGENCE&lt;br /&gt; MONITORING NETWORK TO MONITOR THE ON GOING TRANSACTION BETWEEN YOU AND THE&lt;br /&gt; (INTERNATIONAL CREDIT SETTLEMENT &lt;br /&gt;DEPARTMENT/KTT CENTRAL BANK OF NIGERIA.) 
&lt;br /&gt; &lt;br /&gt;WE HAVE BEEN INSTRUCTED TO MAKE SURE THAT THE OUT STANDING PART PAYMENT&lt;br /&gt; WHICH IS SET AND READY TO BE PAID TO ALL THE BENEFICIARIES AND&lt;br /&gt; INHERITORS IS MADE TO THEM COMPLETELY THROUGH TELEGRAPHIC WIRE TRANSFER DR.&lt;br /&gt; YAKUBO YADI DIRECTOR TELEGRAPHIC DEPARTMENT CENTRAL BANK OF NIGERIA.&lt;br /&gt; &lt;br /&gt;SEQUEL TO THIS DEVELOPMENT,YOUR INFORMATION APPEARED AS ONE OF THE&lt;br /&gt; CONTRACTORS IN OUR RECORD TO RECEIVED THEIR PART PAYMENT.  &lt;br /&gt;&lt;br /&gt;THEREFORE,WE THE FEDERAL BUREAU OF INVESTIGATION (FBI) WASHINGTON DC IN&lt;br /&gt; CONJUNCTION WITH THE ECONOMIC AND FINANCIAL CRIMES COMMISSION (EFCC)&lt;br /&gt; HAVE SCREAMED AND FOUND OUT THAT THE TRANSACTION YOU HAVE WITH THE&lt;br /&gt; DIRECTOR OF OPERATIONS INTERNATIONAL CREDIT SETTLEMENT/KTT  DEPARTMENT)&lt;br /&gt;  CENTRAL BANK OF NIGERIA IS NOTING BUT LEGAL. &lt;br /&gt; &lt;br /&gt;YOU HAVE THE LAWFUL RIGHT TO CLAIM YOUR PART PAYMENT AS WE ADVICE YOU&lt;br /&gt; TO GO AHEAD AND DEAL WITH THEM FOR WE ARE MONITORING ALL THEIR SERVICES&lt;br /&gt; WITH THE NIGERIA (EFCC.) IT MIGHT INTEREST YOU TO CONTACT THE (EFCC) ON&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;FINANCIAL CRIMES COMMISSION OFFICE&lt;br /&gt;15 Awolowo Road Ikoyi &lt;br /&gt;Lagos State Nigeria &lt;br /&gt;EMAIL: financialinvestigationnig@post.ro &lt;br /&gt;&lt;br /&gt;YOU SHOULD STRICTLY  FOLLOW THE PROCEDURES OF THIS DEPARTMENT BECAUSE&lt;br /&gt; AS A DEPARTMENT, THEY HAVE THEIR OWN LEGAL PROCEDURES WHICH WE HAVE&lt;br /&gt; EXAMINED AND CONFIRMED LEGAL .&lt;br /&gt; &lt;br /&gt;IN RESPECT TO THIS, FOLLOW THEIR INSTRUCTION WHILE YOU KEEP US UPDATED&lt;br /&gt; FOR MORE DETAILS. WE WILL LIKE YOU TO KEEP US UPDATED SO FAR AS WE KEEP&lt;br /&gt; OPEN COMMUNICATION WITH THIS KTT DEPARTMENTS OFFICIALS OF CENTRAL BANK&lt;br /&gt; OF NIGERIA.&lt;br /&gt;&lt;br /&gt;BE AWEAR THAT THE DIRECTOR OPERATIONS OF THIS DEPARTMENT IS NO OTHER&lt;br /&gt; PERSON THAN DR. 
YAKUBO YADI DIRECTOR TELEGRAPHIC FOR YOUR INFORMATION.&lt;br /&gt; &lt;br /&gt;REPLY THIS MAIL AS SOON AS YOU RECEIVE IT.&lt;br /&gt;&lt;br /&gt;THANKS FOR YOUR CO-OPERATION.&lt;br /&gt;&lt;br /&gt;WASHINGTON DC.&lt;br /&gt;FBI Director&lt;br /&gt;Robert S. Mueller,</description><link>http://www.noticebored.com/blog/2008/05/we-screamed-be-awear.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-8037521006078878325</guid><pubDate>Wed, 07 May 2008 07:08:00 +0000</pubDate><atom:updated>2008-05-07T19:10:26.145+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Compliance</category><category domain='http://www.blogger.com/atom/ns#'>Risk</category><title>Compliance - a matter of managing risks</title><description>Today I've been browsing the good stuff going on over at &lt;a href="http://www.unifiedcompliance.com/it_compliance/iacmmi/"&gt;Unified Compliance Project&lt;/a&gt; whose aim, as I understand it, is essentially to help organizations find and exploit alignments between various compliance requirements, eliminating duplication and hence reducing the total amount of compliance effort required.  For example, implementing an &lt;a href="http://www.iso27001security.com/html/27001.html"&gt;ISO/IEC 27001-compliant Information Security Management System (ISMS)&lt;/a&gt; should simultaneously satisfy most if not all legal requirements for information privacy controls (with no additional effort), and should at least partially satisfy governance requirements arising from SOX, in addition to miscellaneous business benefits as a result of having a best practice ISMS.&lt;br /&gt;&lt;br /&gt;One of the issues I've been pondering relates to "mandatory" requirements and obligations such as those enshrined in laws, regulations and contractual terms.  
It seems to me that, despite initial impressions, compliance with "mandatory" requirements may not be a simple binary condition.  For a start, in most cases, the requirements are more complex than that.  It is conceivable for the organization to be fully compliant with certain parts of the requirements but not so for others.  Furthermore, the extent of compliance with any one requirement is often subject to interpretation, either because the requirement is ambiguous (hopefully not!) or because the organization and whoever is assessing compliance (law enforcement, lawyers, auditors, regulators, management) have their own viewpoints and prejudices.  Finally, there is a chance that noncompliance might not be detected, or even if it is, it might not lead to the worst case consequences often paraded by the compliance lobby.&lt;br /&gt;&lt;br /&gt;It's the same with speeding laws.  If I break the speed limit, even by 1 mph, I am strictly failing to comply with a mandatory legal obligation.  In practice, however, it is extremely unlikely I would ever be stopped for 1 mph over because (a) there are insufficient policemen with radar guns to track my every journey; (b) their radar guns have tolerance limits; (c) my speedo has tolerance limits, and the police and/or prosecutors allow me some flexibility; (d) if I am caught, there's a chance I might talk my way out of it; (e) even if I am fined, I might escape justice by fleeing the country, or I might get off "on a technicality".  The situation changes for every mph over the limit - as indeed do my chances of being involved in a fatal accident.  I weigh all this up every time I drive.  [And yes I make mistakes: I have been fined for speeding.  I didn't flee the country, I paid up and "learnt my lesson".]&lt;br /&gt;&lt;br /&gt;So, all of this is, in fact, a risk management exercise.  I assess the threat (of being caught speeding), the vulnerability (how far over the limit I am going) and the impact (the fines, the grief). 
&lt;br /&gt;&lt;br /&gt;Something like SOX can be treated in the same way.  Management may consciously choose NOT to be totally compliant, assessing the risks like any other business decision.  Maybe they will get away with it.  Maybe they can present good enough excuses to the auditors etc. to escape the full force of the law.  Maybe the commercial benefits of noncompliance justify it in purely economic, if not ethical, terms.&lt;br /&gt;&lt;br /&gt;I haven't seen this kind of perspective discussed anywhere but I am not a compliance expert.  Perhaps it's old hat and I've just stumbled across something that is already well known.   Or perhaps this stuff actually happens but nobody is willing to acknowledge it openly?  I'd be interested in your thoughts.</description><link>http://www.noticebored.com/blog/2008/05/compliance-matter-of-managing-risks.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-5581410779083414958</guid><pubDate>Tue, 06 May 2008 07:01:00 +0000</pubDate><atom:updated>2008-05-06T20:24:00.053+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Fraud</category><category domain='http://www.blogger.com/atom/ns#'>Trust</category><title>Love hurts</title><description>A &lt;a href="http://tvnz.co.nz/view/page/1763528"&gt;heart-wrenching story from New Zealand&lt;/a&gt; shows the human impact of a 419/advance fee fraud involving a dating site, a fraudster and a naive individual.  &lt;br /&gt;&lt;br /&gt;Some if not most of the people who use online dating sites deliberately expose vulnerable parts of their personas as part of the deal.  It's an inevitable part of the  process of falling in love.  But, as in Real Life, there are some who exploit such vulnerabilities to take advantage of the situation.&lt;br /&gt;&lt;br /&gt;A woman who initially claimed to be in South Africa struck up an online relationship with a kiwi man.  
Things developed, as they do, with the couple swapping little love notes online and through text messages.  Flattered at the attention and besotted with the woman, the man agreed to send NZ$2k "towards her air fare", sending it to Kuala Lumpur where she was (allegedly) staying.  It was OK, she assured him, because she was due US$30k from a company her father had worked for, but he and his wife had been "killed in a car accident".  The requests continued and so did his generosity, sending thousands more by Western Union for taxes, expenses and air fares to Pretoria and Ghana, mostly on his Mastercard.&lt;br /&gt;&lt;br /&gt;The woman even wrote to his mother, saying "I love him and I will get the money to him".  All lies of course, but it's easy for me to say that.  I'm a cynic who has seen thousands of 419ers before.  For those caught up in the drama, it's not nearly so obvious.  "It was all believable" said his mum, but when he was already $10k down, the bank stopped his card and when he asked her for more money, mum said "Err, this sounds like a scam.  I'm not happy about that.  It just sounds ... like ... bullshit."  But still she lent him the money "because that's what mothers do."  &lt;br /&gt;&lt;br /&gt;After the total crept up to around NZ$20k, the penny finally dropped when he noticed that the cellphone bill recorded calls to Ghana not South Africa.  "They weren't just alarm bells.  They were great big gongs!".&lt;br /&gt;&lt;br /&gt;The passport copy she had sent him was a fake and her claimed address didn't exist, according to Google (naturally).  Her 'friend' via whom he had been sending money turned out to be a known scammer using different aliases.  "I thought oh-oh, I've been scammed!  I've been conned ... I'm stupid.  Gullible ... 10% of me, even now, thinks she still might be genuine."  
And that, of course, is how the scam works.</description><link>http://www.noticebored.com/blog/2008/05/love-hurts.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-2896448478547609867</guid><pubDate>Tue, 06 May 2008 05:42:00 +0000</pubDate><atom:updated>2008-05-06T18:26:56.535+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Awareness</category><title>Security awareness: a 'How not to do it' guide</title><description>I spent a few hours at the weekend viewing/listening to a series of presentations to accompany the launch of the Information Security Awareness Forum (ISAF) in London.  If you have read the &lt;a href="http://www.noticebored.com/blog/2008/05/information-security-awareness-forum.html"&gt;previous blog item&lt;/a&gt;, you'll know that one item in particular caught my eye/ear.  One of the presenters essentially said that security awareness doesn't work, a somewhat curious point to make in support of a security awareness initiative.  Anyway, it's not the first time I've heard the argument and I've been mulling it over ever since.  My blood having dropped just below boiling point, it's time to respond.&lt;br /&gt;&lt;br /&gt;Today I took one of those "online security awareness" things, and came away with a whole case study on How NOT To Do security awareness.  I shan't name the organization concerned because my aim is not to embarrass them in any way, and it really doesn't matter - I'm sure these lessons are equally valid for many other security awareness programs.&lt;br /&gt;&lt;br /&gt;1.  The 'awareness program' takes the form of a website and simple (first generation?) Learning Management System, basically a series of web pages plus questions covering a range of information security topics.  
There was almost no introduction, explaining why I might want to pay attention (presumably because the only way anyone can be persuaded to do this stuff is if management cracks the big whip).  There was very little latitude for the user in sequencing the topics - just start at the first and proceed one by one until you reach the end.  If I had questions about password construction, for example, I had to have answered the first nine of 15 modules to get to number 10 on passwords.  The only concession to usability was that I could have interrupted the flow (between, not during any module) and could return later to the saved checkpoint.&lt;br /&gt;&lt;br /&gt;2.  The information pages appeared to have been lifted from existing materials - policies and guidelines, complete with legalese and cross references (which didn't work since there was no way to alter the delivery sequence of the awareness package, and there were no active hyperlinks).  There was a lot of tedious content to read.  I suspect that much of it would have gone right over the heads of many of the employees taking the course, even those diligent enough to read every tedious word.  Worse still, there were inconsistencies within the text, sometimes direct and explicit contradictions - for example in one paragraph stating that limited personal use of corporate IT facilities was permitted with various caveats, and two paragraphs further on stating that corporate IT facilities were only to be used for legitimate organizational purposes. &lt;br /&gt;&lt;br /&gt;3.  The quiz questions were mostly idiotic.  It is common practice to include one obvious distractor in a multiple choice question, something that is clearly wrong.  However, some of the questions had 2 obvious distractors with only one remaining option.  About a third of the questions showed no creativity whatever, being merely "true/false" or "yes/no" choices.  In most cases, the correct answer was easily identified from the quiz alone i.e. 
without needing to reference the information previously presented, typically because it was the longest and most legalese answer and/or it repeated key words from the question.  I had to try especially hard to answer anything wrong ...&lt;br /&gt;&lt;br /&gt;4.  When I entered an incorrect answer, the system told me it was correct and highlighted the correct answer in bold.  It gave me absolutely no further information about why my chosen answer was wrong or why the correct answer was right.  There was no opportunity for me to go back to the information page to re-read and check my understanding - in fact the introduction to every module said I could not return to the information page after starting the questions.    In other words, this was really a quiz not an awareness activity.&lt;br /&gt;&lt;br /&gt;5.  At the end, the system told me "congratulations", emailed me a certificate of completion (whoop whoop!  Lashings of ginger beer all round, I've got a CERTIFICATE!), and finished with "See you next year!"    SEE YOU NEXT YEAR!!  Oh boy, it seems this is a once-a-year process.  I will have trouble remembering all that content tomorrow.  I will probably forget chunks of it and important details by the end of this week.  Next month, I will have forgotten I even took the test and wrote this rant.  What's the point of once-a-year anything?  Imagine if, say, learning to drive a car was done this way! Or sex!  &lt;Slaps forehead&gt;&lt;br /&gt;&lt;br /&gt;6.   Some of the information and questions were inaccurate, ambiguous or misleading, occasionally technically incorrect.  For example, a "complex password" that fulfils the corporate minimum specifications (8 characters, mixed case with numbers) is actually WEAKER than a substantially longer password example.  There are indeed "more than 97,000 viruses" but that data item is, oh, about a decade out of date.  There were grammatical errors and logical errors too.  
I admit to still being in a particularly picky and cynical mood today but these problems should have been addressed by more careful proofreading before this was released for use.  It is being used to assess tens of thousands of employees in an organization for which information security is extremely important.  Couldn't they afford to pass it by a competent reviewer first?&lt;br /&gt;&lt;br /&gt;7.  There were 15 modules.  I'm a lightning quick reader and an infosec professional.  It took me about 5 to 10 mins to read each module and do the quiz.  That's an hour or two facing the little screen - many employees would need much longer.  It was a totally humorless, soul destroying and, yes, boring exercise.  Almost entirely text, with no diagrams and only a few nasty cartoon icons for company.  I came away thinking "Thank &lt;deity&gt;, that's over for a year!".  It was a distinctly negative experience, equating information security with tedium and slog.  Q: What's in it for me?  A:  Nothing.  In fact, the entire perspective was around protecting the organization's interests, not the individual user.  Maybe if it had explained why installing and updating antivirus software on my home system would help protect me and my family from identity theft, then I might just have paid more attention.&lt;br /&gt;&lt;br /&gt;8.  Some modules appear to have been updated, including a couple of mentions of a major information security breach that hit the news headlines, oh, about 2 years ago.  All the impact has gone.  Old news is an oxymoron.  It's such a shame because the news media, IT press and infosec specialist press are full of highly relevant, topical and, dare I say it, INTERESTING news and incidents.  Even better, the organization has undoubtedly suffered infosec incidents that could have made even more relevant and interesting case studies.  But no. &lt;br /&gt;&lt;br /&gt;9.  Some of the modules mention (relatively) new infosec risks, including social engineering.  Great!  
Unfortunately, they provided no (zero, nothing at all) advice on what I ought to be doing about the social engineering and similar 'new' threats such as wireless network hacks.  "X could be really nasty!  It's a big issue!  You're on your own kid!" is hardly the most productive awareness content.  I wonder if this is partly because someone would have to create (and ideally proofread!) new content ... and if there is nobody on the payroll with the competencies and time to do it, that means going back cap-in-hand to the supplier of the "leading edge online information security awareness and training" pup they've been sold.&lt;br /&gt;&lt;br /&gt;OK OK I'm ranting I know, but the reason is to point out that:&lt;br /&gt;(a) with little investment and even less thought, security awareness can be done really badly;&lt;br /&gt;(b) bad security awareness is unlikely to be effective, and in fact could be counterproductive;&lt;br /&gt;(c) the ineffectiveness of badly designed, constructed and delivered awareness programs says nothing about the potential for well designed, well constructed and effectively delivered programs; and&lt;br /&gt;(d) it really doesn't take a genius to figure out how to improve security awareness, especially when starting from such a low base.  A 20 minute team seminar about information security would have achieved so much more than this hour or two of extreme tedium.  Almost ANYTHING else would have been better!&lt;br /&gt;&lt;br /&gt;I cannot understand why security awareness seems to be stuck in the mold of once-a-year inform-and-test (I used to call it the "sheep dip" approach to awareness, but subsequently found out that sheep are dipped more often than most employees are made to jump through the awareness hoops!).  It's high time for a new approach and some fresh ideas.  
ISC2's &lt;a href="https://www.isc2.org/cgi-bin/csam_resources.cgi"&gt;Cyber Security Awareness Resource Center&lt;/a&gt; offers a range of freely available creative materials and ideas.  Rebecca Herold's wonderful book "&lt;a href="http://www.noticebored.com/html/rebecca.html"&gt;Managing an information security and privacy awareness and training program&lt;/a&gt;" is full to the brim with sound advice. &lt;br /&gt;&lt;br /&gt;Security awareness is dead.  Long live security awareness!</description><link>http://www.noticebored.com/blog/2008/05/security-awareness-how-not-to-do-it.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-7186713033040408845</guid><pubDate>Sun, 04 May 2008 22:17:00 +0000</pubDate><atom:updated>2008-05-05T10:22:30.797+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Fraud</category><category domain='http://www.blogger.com/atom/ns#'>Integrity</category><title>Errors in financial accounts</title><description>A study &lt;a href="http://www.cfo.com/article.cfm/11080109?f=insidecfo"&gt;reported in CFO Magazine&lt;/a&gt; identifies 'internal errors' (mistakes by employees) as the biggest cause of financial restatements, responsible for 56%.  Next biggest was 'regulatory demands' at 38%.  
[Deliberate] 'manipulation' and 'complexity' accounted for just 3% each.</description><link>http://www.noticebored.com/blog/2008/05/errors-in-financial-accounts.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-2504031397180574446</guid><pubDate>Sun, 04 May 2008 21:12:00 +0000</pubDate><atom:updated>2008-05-05T09:19:54.523+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Misc</category><title>Logo fun</title><description>A new logo at the UK's Office of Government Commerce looks fine, until you &lt;a href="http://www.telegraph.co.uk/news/1901656/OGC-unveils-new-logo-to-red-faces.html"&gt;turn it on its side&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This reminds me of the issue of naming products that will be sold internationally.  Something totally innocent in one country may be highly inappropriate in another.  I won't be too specific here but some of the model names I spotted in Japan last month would be considered offensive in some other countries.  &lt;br /&gt;&lt;br /&gt;Or, as Anton would say, "context is everything".</description><link>http://www.noticebored.com/blog/2008/05/logo-fun.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-7234749024286786741</guid><pubDate>Sun, 04 May 2008 04:41:00 +0000</pubDate><atom:updated>2008-05-04T22:00:35.783+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Awareness</category><title>Information Security Awareness Forum</title><description>I've finally found some time this Sunday afternoon to take a look at what's been going on in the UK with the new Information Security Awareness Forum (ISAF).  While my passion for security awareness is undented, it's hard to support the ISAF as currently constituted.&lt;br /&gt;&lt;br /&gt;My first thought was to browse their website ... 
except that today it is unavailable:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.noticebored.com/blog/uploaded_images/ISAF-500-error-1-783156.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://www.noticebored.com/blog/uploaded_images/ISAF-500-error-1-783143.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Perhaps not the best advertisement for a security awareness initiative! &lt;br /&gt;&lt;br /&gt;Luckily the ISAF launch at InfoSecurity last month was recorded and the presentations are still &lt;a href="http://isaf.brighttalk.com/node/273"&gt;online&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;According to David King, Chairman of the ISAF, the ISAF is focused on raising security awareness in the UK by coordinating existing security awareness activities.  He told us, more than once, that 'not reinventing the wheel' is a key ISAF goal but curiously enough, the ISAF is essentially UK-only, so presumably he thinks nobody else in the world faces the same challenges. Further, he implied that the ISAF will not create anything new, presumably just repackaging materials "donated" by their sponsors.  He was also decidedly ambiguous about the ISAF's target audiences: is it large (British) businesses, (British) SMEs, (Her Majesty's) government and the public sector, the general (British) public, all of the above, or something else?  Being delivery focused with minimal red tape, relying on trust and mutual support by ISAF "members" [sponsors] is a laudable goal, but is this realistic?  
&lt;br /&gt;&lt;br /&gt;On the whole, speakers from the organizations sponsoring ISAF seemed to agree that security awareness is important although paradoxically Louis Gamon from ISSA pointed out the common perception that security awareness doesn't work (Louis: awareness done badly is more or less bound to fail but that doesn't mean it is worthless, just that it needs to be done better.  Please don't throw out the baby with the bathwater).  &lt;br /&gt;&lt;br /&gt;The sponsors evidently have different perspectives and objectives for ISAF but there was general consensus on the threats (primarily phrased in terms of Internet security threats such as phishing, "organized crime" and so forth - the sort of stuff that &lt;a href="http://www.iso27001security.com/html/27032.html"&gt;ISO/IEC 27032&lt;/a&gt; will tackle) and the need to 'educate the general public' (and perhaps SMEs) about information security appears to be a common goal.  A few ideas were presented on how to do this but apart from the presentation by ISC2's John Colley, most of the discussion emphasized how difficult this is to achieve in practice.  The idea of 'Making security interesting and relevant for everyone' was widely supported but again there was little in the way of pragmatic advice on how to actually achieve that.&lt;br /&gt;&lt;br /&gt;The presentation by Tony Neate, MD of &lt;a href="http://www.getsafeonline.org/"&gt;GetSafeOnline&lt;/a&gt;, included recent statistics from a UK survey on perceived Internet security threats and incidents.  He pointed out that the general public tend to deny responsibility for their online security.  Naturally, he promoted GetSafeOnline, demonstrating a clear bias towards Internet security.&lt;br /&gt;&lt;br /&gt;Martin Smith of The Security Company, ostensibly representing the "Security Awareness Special Interest Group" (a closed user group sponsored and controlled by ... you guessed it ... 
The Security Company), made a convincing case for the value of security awareness in a commercial organization, but segued directly into a full-on sales pitch for The Security Company's products.  I'm more than happy to declare my own prejudice here: Martin and I are commercial competitors.  However, I fear Martin has undermined not just his own company but the 'security awareness industry' (such as it is!) by letting his commercial interests overshadow the ISAF's laudable aims.  I've already heard others complaining at the commercial edge to ISAF.  It's sad to say but unfortunately I suspect continued involvement of The Security Company in ISAF may seal its eventual fate.&lt;br /&gt;&lt;br /&gt;Likewise, Kevin Bocek from PGP evidently saw the ISAF presentation as an opportunity for a straight sales pitch.  In Kevin's little world, it seems data encryption technology (or rather PGP's version of it), not awareness, is The Answer To Everything.  All very odd since PGP is supposedly supporting the ISAF.  The only mentions of awareness I spotted in his presentation were around awareness of (PGP) encryption.  [Wake up Kevin, there's a whole world out there!]&lt;br /&gt;&lt;br /&gt;According to speakers from ISACA and the CMA, IT governance (not awareness) is The Answer.  Once again, why they are even involved in the ISAF is something of a conundrum.&lt;br /&gt;&lt;br /&gt;Mark Chaplin from the Information Security Forum initially focused on Generation Y - people born after the 1980s according to Mark - and their easy familiarity with complex technologies that their parents probably do not comprehend.  The presentation diverted briefly into road safety awareness by Australian kangaroos (I kid you not) before meandering back to core issues such as changing behaviours (not just making people aware) and achieving cultural change.  
These are important concepts, albeit buried so deep in the ISAF launch ceremony that a large part of the audience was probably semi-comatose at that point.  &lt;br /&gt;&lt;br /&gt;So, the bottom line is a rather disappointing launch and uncertain future for the ISAF.  As a security awareness professional, I'm very reluctant to knock any security awareness initiative but, frankly, this was a poor show.  With too many competing agendas, it's hard to see any unifying theme or predict any genuinely useful output from this initiative.  If the ISAF does get it together, fabulous.  If not, well I guess there's nothing lost ... except a golden opportunity.</description><link>http://www.noticebored.com/blog/2008/05/information-security-awareness-forum.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-9140978487377199892</guid><pubDate>Thu, 01 May 2008 21:26:00 +0000</pubDate><atom:updated>2008-05-02T09:34:13.622+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>ID theft</category><category domain='http://www.blogger.com/atom/ns#'>Trust</category><title>Breaches harm trust</title><description>Here's another aspect to trust, something that we covered only peripherally in the latest NoticeBored module.  &lt;br /&gt;&lt;br /&gt;After a security breach that affects third parties, guess what?  The affected parties no longer hold the breached organization in such high regard.  Along with reputation, trust is damaged.&lt;br /&gt;&lt;br /&gt;Here's an example from an April 10th piece in &lt;a href="http://deseretnews.com/article/1,5143,695269275,00.html"&gt;Deseret News&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Federal officials said a former state employee who took applications from people seeking food stamps and other welfare aid worked with three others to steal the identity of Utah residents and charge tens of thousands of dollars in purchases.  
During a joint press conference Thursday, federal and state officials said this was the largest security breach at the Department of Workforce Services and were working to re-instate the public's trust. ... "We sincerely regret this breach of security," said DWS Executive Director Kristen Cox in a statement. "Our former employee's alleged misconduct certainly does not represent the long-standing honesty, integrity and dedication of our staff to the well being of each and every one of our customers." &lt;/blockquote&gt;</description><link>http://www.noticebored.com/blog/2008/05/breaches-harm-trust.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-6378288996402880877</guid><pubDate>Wed, 30 Apr 2008 06:45:00 +0000</pubDate><atom:updated>2008-04-30T19:49:39.244+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Fraud</category><category domain='http://www.blogger.com/atom/ns#'>Trust</category><category domain='http://www.blogger.com/atom/ns#'>Integrity</category><category domain='http://www.blogger.com/atom/ns#'>Database</category><title>Computer-aided retail fraud</title><description>A &lt;a href="http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID1095266_code355514.pdf?abstractid=1095266&amp;mirid=1"&gt;46-page academic paper&lt;/a&gt; by Richard Thompson Ainsworth of Boston University School of Law describes "zappers" - programs designed to divert some sales transactions from the normal sales processing and accounting systems.  Fraudsters with sufficient access to an organization's sales systems (e.g. 
small business owners) sometimes use zappers either to misappropriate the entire sales income for the diverted sales (steal the entire value from the company - the sales don't go through the books) or to manipulate the value (for example to steal the VAT/GST/sales tax content).&lt;br /&gt;&lt;br /&gt;So-called "zap" and "super-zap" programs have existed for decades in the mainframe world.  They allow intervention on databases, overriding normal access constraints to manipulate the data, and potentially programs, directly.  They are &lt;span style="font-style:italic;"&gt;supposed &lt;/span&gt;to be used only under carefully controlled emergency conditions, for instance to modify or delete a rogue data record that is somehow blocking an entire batch from processing.  Most competent sysprogs (systems programmers) or systems administrators have the knowledge and capability to run zap programs and can potentially meddle with the systems in a virtually unstoppable and undetectable manner, if they are careful anyway: well-written programs have built-in integrity checks and other controls that at least identify and flag direct interventions.  Unfortunately, if the sysprogs also have the capability to suspend or edit the audit trails, or substitute hacked programs, or subvert the operating system calls, or ... or ... all bets are off.  Remember this possibility if you ever hear a sysprog for a financial institution bragging about the speed of his new Ferrari.&lt;br /&gt;&lt;br /&gt;Going back to sales zappers, the article points out differences in the ways such frauds are detected in the US and EU.  In the States, it seems the evidence suggests that income tax investigations "often" (or rather occasionally!) catch zapper users, while in the EU they are more likely to be caught by sales tax investigations.  This begs the question: why not do both?  
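The "built-in integrity checks" mentioned above are easier to picture with code in front of you. What follows is an added illustration, not part of the original post or of Ainsworth's paper: a sales ledger in which every receipt carries a sequence number and an HMAC chained to the previous receipt under a key held by finance rather than by whoever administers the point-of-sale database. A zapper that deletes a sale, or edits its value directly in the data store, breaks the chain and the verifier says where. The receipts, key name and record layout are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for this illustration. In a real deployment the key lives with
# finance/audit, not on the till or in the sales database, otherwise the
# sysprog described above simply recomputes the chain after tampering.
LEDGER_KEY = b"finance-held-secret-key-for-illustration"
GENESIS = "0" * 64  # chain anchor for the first receipt of the day


def receipt_digest(key, seq, amount_cents, tax_cents, prev_digest):
    """HMAC-SHA256 over the receipt fields plus the previous digest (hash chain)."""
    payload = json.dumps(
        {"seq": seq, "amount": amount_cents, "tax": tax_cents, "prev": prev_digest},
        sort_keys=True,
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_ledger(key, sales):
    """sales: iterable of (amount_cents, tax_cents). Returns chained receipts."""
    ledger = []
    prev = GENESIS
    for seq, (amount, tax) in enumerate(sales, start=1):
        digest = receipt_digest(key, seq, amount, tax, prev)
        ledger.append({"seq": seq, "amount": amount, "tax": tax, "digest": digest})
        prev = digest
    return ledger


def verify_ledger(key, ledger):
    """Return a list of findings; an empty list means the chain is intact."""
    findings = []
    prev = GENESIS
    expected_seq = 1
    for rec in ledger:
        if rec["seq"] != expected_seq:
            findings.append(f"gap: expected receipt {expected_seq}, found {rec['seq']}")
            expected_seq = rec["seq"]
        recomputed = receipt_digest(key, rec["seq"], rec["amount"], rec["tax"], prev)
        if not hmac.compare_digest(recomputed, rec["digest"]):
            findings.append(f"receipt {rec['seq']}: digest mismatch (edited or chain broken)")
        prev = rec["digest"]
        expected_seq += 1
    return findings


def zap_delete(ledger, seq):
    """Simulate a zapper diverting a whole sale: the receipt disappears."""
    return [r for r in ledger if r["seq"] != seq]


def zap_edit_amount(ledger, seq, new_amount, new_tax):
    """Simulate a zapper shaving the taxable value of a sale in place."""
    out = [dict(r) for r in ledger]
    for r in out:
        if r["seq"] == seq:
            r["amount"], r["tax"] = new_amount, new_tax
    return out


if __name__ == "__main__":
    sales = [(1999, 400), (4500, 900), (1250, 250), (8000, 1600)]  # constructed
    ledger = build_ledger(LEDGER_KEY, sales)
    print("clean ledger:", verify_ledger(LEDGER_KEY, ledger))
    print("receipt 3 deleted:", verify_ledger(LEDGER_KEY, zap_delete(ledger, 3)))
    print("receipt 2 edited:", verify_ledger(LEDGER_KEY, zap_edit_amount(ledger, 2, 2500, 500)))
```

Two caveats a practitioner would add. The verifier only proves that nothing between the first receipt and the last stored one was altered by someone without the key; a zapper that simply drops the final sales of the day leaves a perfectly valid chain, so the closing sequence number and digest must be recorded out of band (on the Z-report, or sent to finance at close of business) and compared with the ledger. And the key must not sit on the till or in the same database, otherwise the check degrades to exactly the kind of audit trail the post says a sysprog can edit at will.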
And while you're at it, why not take a close look at those "shrinkage" stock losses - the ones that conceal employee as well as customer thefts of goods?</description><link>http://www.noticebored.com/blog/2008/04/computer-aided-retail-fraud.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-1792764111483377738</guid><pubDate>Tue, 29 Apr 2008 08:52:00 +0000</pubDate><atom:updated>2008-04-29T21:00:35.349+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Fraud</category><category domain='http://www.blogger.com/atom/ns#'>Trust</category><category domain='http://www.blogger.com/atom/ns#'>Integrity</category><category domain='http://www.blogger.com/atom/ns#'>Awareness</category><title>New awareness module on trust, integrity &amp; fraud</title><description>&lt;a href="http://www.noticebored.com/blog/uploaded_images/02-NB-poster-trust-2-300-715230.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://www.noticebored.com/blog/uploaded_images/02-NB-poster-trust-2-300-715227.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Trust is an important concept in security but few awareness programs give it the coverage it deserves. This month’s NoticeBored module brings together trust, integrity and fraud in an IT context, and touches on closely related concepts such as honesty, governance and whistleblowing. &lt;br /&gt;&lt;br /&gt;Identity thefts, 419 scams, deliberate sabotage and fraud by trusted insiders (such as the recent incident at Société Générale Bank) and numerous other information security incidents provide no shortage of topical content for our 60th module. &lt;br /&gt;&lt;br /&gt;We’ve all had our share of disappointments and incidents in life due to misplaced trust in someone or something. 
Such painful experiences are all part of the rich experiential lessons from life’s School of Hard Knocks. With hindsight, things would have been different, we hope. On the upside of risk, we are sometimes pleasantly surprised when people and systems deliver on their promises, or even better exceed expectations. Such is the way in which trust is built up. &lt;br /&gt;&lt;br /&gt;Trust comes in two flavors: blind faith means we ‘just trust’ something or someone with no rational basis beyond our belief system. In most cases, however, trust must be earned, in other words a level of trust is established gradually over a period of successful interaction and performance. By the same token, trust can be damaged or destroyed by negative events – when a person, organization or system “lets us down”, we are naturally more dubious about it the next time.&lt;br /&gt;&lt;br /&gt;There can be immense personal satisfaction in being trusted and respected by someone else. Computer systems and other inanimate objects may not have feelings but those that prove their worth accrue value above those that are unreliable in practice. How would you feel about, say, a heart monitor that sporadically shut down or gave nonsensical readings? Do you dread getting into an elevator that sometimes jerks or stops between floors? That subconscious sense of unease tinged with fear is the result of not being able to trust something.&lt;br /&gt;&lt;br /&gt;Technological controls alone are seldom adequate to reduce the risks, placing emphasis on human controls through training and education, policies and procedures, and various forms of management supervision (including, by the way, the IT audits we covered last month).&lt;br /&gt;&lt;br /&gt;In relation to information, specifically, trust brings up related subjects such as integrity and fraud. The NoticeBored awareness materials explore these concepts through presentations, briefing/discussion papers, case studies and more. 
We’re delivering a bundle of 30 different types of awareness material (see below), too much for all but our largest customers to use perhaps but that’s not the intention. Customers are encouraged (through the ‘awareness activities’ paper provided) to review the materials and pick out the pieces that are most appropriate for them, given their circumstances and the maturity of their awareness programs.&lt;br /&gt;Content of the module&lt;br /&gt;&lt;br /&gt;May’s NoticeBored security awareness module is out now.  If you're not already a NoticeBored customer, see what you're missing on the &lt;a href="http://www.noticebored.com/html/this_month.html"&gt;NoticeBored website&lt;/a&gt;.</description><link>http://www.noticebored.com/blog/2008/04/new-awareness-module-on-trust-integrity.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-3594712628807892109</guid><pubDate>Fri, 25 Apr 2008 22:29:00 +0000</pubDate><atom:updated>2008-04-26T10:41:03.540+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Audit</category><title>IT Assurance Framework</title><description>&lt;a href="http://www.isaca.org/Template.cfm?Section=Home&amp;CONTENTID=41069&amp;TEMPLATE=/ContentManagement/ContentDisplay.cfm"&gt;IT Assurance Framework - a professional practices framework for IT assurance&lt;/a&gt; is a new product - a ~70-page PDF document - from ISACA.  &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"ISACA has tapped its global network of leading IT governance, control, security, and assurance experts to develop a widely embraced framework to help ensure the quality, consistency, and reliability of IT assessments.  
ITAF also contains a helpful set of good practice-setting guidelines and procedures."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The ITAF content is largely a repackaging of existing &lt;a href="http://www.isaca.org/standards"&gt;ISACA standards&lt;/a&gt; and guidelines in the areas of IT audit, assurance and governance.  I'm pleased also to note that the ISO27k standards merit a mention.&lt;br /&gt;&lt;br /&gt;ITAF is free to ISACA members, $45 for infidels.</description><link>http://www.noticebored.com/blog/2008/04/it-assurance-framework.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-3020170896549468119</guid><pubDate>Thu, 24 Apr 2008 21:52:00 +0000</pubDate><atom:updated>2008-04-25T10:24:33.074+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Risk</category><title>USB security risk self-assessment</title><description>City of London Police officers thinking of transferring information on USB memory sticks can self-assess the risks using a &lt;a href="http://www.csoonline.com/article/329014"&gt;questionnaire&lt;/a&gt;.  It's a simple idea really: a police officer's responses to a few questions determine the 'risk score' leading to approval (or rather a requirement to seek approval from the relevant level of management authority, and/or to use USB sticks with additional security controls) or disapproval of the use of a USB stick for the intended situation.&lt;br /&gt;&lt;br /&gt;Being self-assessment, the system depends on users answering appropriately and is open to deliberate abuse and inadvertent errors.  However, this risk is offset to some extent by compliance procedures and structures in the police.  Furthermore, it's better than nothing - without the system, police officers presumably make such decisions on a more arbitrary basis, assuming they even consider the security risks.  
The tool at least raises security awareness (assuming the tool is suitably promoted, for instance by being embedded in standard operating procedures).&lt;br /&gt;&lt;br /&gt;Automating USB risk assessment is interesting at another level too.  The decision tree in this instance is relatively simple, much simpler than with many other information security risks yet still complex enough to benefit from being presented as a structured questionnaire.  The assessment output is based simply on the net total of scores from each question, and has only a few possible recommendations.  Someone has had to write the questions and determine the score ranges and recommendations, somehow.  The assessment could give inappropriate responses under certain circumstances since it does not take account of all possible situations (e.g. whether the police officer has lost numerous USB sticks before).  &lt;br /&gt;&lt;br /&gt;Contrast this to, for example, the assessment of security risks relating to a software application.  There are so many elements to the risk and so many potential outputs that it is infeasible to automate the assessment - or is it?  Some sort of artificial intelligence/knowledge based system is possible and could arguably give better answers than either of the two usual alternatives: asking an information security person to assess the risks or skipping the assessment altogether.  
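To make the "net total of scores" structure concrete, here is an added example of such a questionnaire engine. It is not the City of London Police form (the CSO article does not reproduce their questions or score ranges), so every question, weight and recommendation band below is an assumption constructed for the illustration. It also shows the blind spot noted above: an officer who has lost several sticks already gets exactly the same answer as a first-timer, because nothing on the form asks.

```python
# Constructed questionnaire, not the real police form: each answer carries a
# score and the net total selects one of a few recommendations.
QUESTIONS = {
    "classification": {"public": 0, "restricted": 3, "confidential": 6},
    "personal_data": {"no": 0, "yes": 4},
    "leaves_premises": {"no": 0, "yes": 3},
    "duration": {"hours": 0, "days": 1, "weeks": 3},
    "stick_type": {"encrypted_issued": 0, "unencrypted_issued": 2, "personal": 5},
}

# (highest total for this band, recommendation); bands are checked in order.
BANDS = [
    (3, "approved"),
    (8, "approved with hardware-encrypted stick and line-manager sign-off"),
    (13, "requires senior management approval"),
    (10**9, "refused: use the secure file transfer service instead"),
]


def score(answers, questions=QUESTIONS):
    """Net total of the per-question scores; an unknown or missing answer is an error."""
    total = 0
    for name, table in questions.items():
        answer = answers.get(name)
        if answer not in table:
            raise ValueError(f"{name}: unknown or missing answer {answer!r}")
        total += table[answer]
    return total


def recommend(answers, questions=QUESTIONS, bands=BANDS):
    """Return (total, recommendation) for one set of answers."""
    total = score(answers, questions)
    for upper, outcome in bands:
        if not total > upper:
            return total, outcome
    raise AssertionError("bands must cover every possible total")


# The blind spot: the form has no question about the officer's track record,
# so adding one is the only way the score can ever reflect it.
QUESTIONS_WITH_HISTORY = dict(QUESTIONS)
QUESTIONS_WITH_HISTORY["sticks_lost_before"] = {"none": 0, "one": 3, "several": 8}


if __name__ == "__main__":
    case = {
        "classification": "restricted",
        "personal_data": "yes",
        "leaves_premises": "yes",
        "duration": "days",
        "stick_type": "encrypted_issued",
    }
    repeat_offender = dict(case, sticks_lost_before="several")
    print(recommend(case))                                     # (11, 'requires senior management approval')
    print(recommend(repeat_offender))                          # identical: history is invisible to this form
    print(recommend(repeat_offender, QUESTIONS_WITH_HISTORY))  # (19, 'refused: ...')
```

The engine is deliberately dumb: it rejects answers it does not recognise rather than scoring them as zero, which is how a self-assessment quietly becomes a rubber stamp, and it makes the scoring table data rather than code so that whoever owns the policy, not the developer, decides the weights and the bands.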
&lt;br /&gt;&lt;br /&gt;Now that would make an interesting research project for someone.</description><link>http://www.noticebored.com/blog/2008/04/usb-security-risk-self-assessment.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-346066359691977805</guid><pubDate>Thu, 24 Apr 2008 21:13:00 +0000</pubDate><atom:updated>2008-04-25T09:50:08.193+12:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Audit</category><title>Canadian audit resources</title><description>The Auditor General in Manitoba has released high level guidance on the role of audit committees, the need for 'legislative' (legal compliance) audits and more on &lt;a href="http://www.oag.mb.ca/resources.php"&gt;their website&lt;/a&gt;.  They also offer some basic advice on policy development.&lt;br /&gt;&lt;br /&gt;PS  Sorry for the long blogging pause - I've been at an ISO conference in Kyoto.</description><link>http://www.noticebored.com/blog/2008/04/canadian-audit-resources.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-8096201483462537466</guid><pubDate>Fri, 04 Apr 2008 03:09:00 +0000</pubDate><atom:updated>2008-04-04T16:17:06.119+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Audit</category><category domain='http://www.blogger.com/atom/ns#'>Malware</category><title>BT uses spyware to audit broadband use</title><description>BT has admitted to secretly &lt;a href="http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=556068&amp;in_page_id=1770"&gt;using spyware to monitor the web surfing habits&lt;/a&gt; of tens of thousands of its British broadband customers.  According to BT, this was merely a technical trial.  
Allegedly no personal data were collected since machines were identified "by anonymous code numbers" (presumably IP addresses - hardly anonymous) and content keywords were recorded, not website addresses (so what?  It's still unethical and possibly illegal interception in my book).</description><link>http://www.noticebored.com/blog/2008/04/bt-uses-spyware-to-audit-broadband-use.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-5780480066008587679</guid><pubDate>Tue, 01 Apr 2008 01:49:00 +0000</pubDate><atom:updated>2008-04-01T14:55:25.912+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Misc</category><title>April fools spotted in the wild</title><description>The US power grid is &lt;span style="font-style:italic;"&gt;not&lt;/span&gt; &lt;a href="http://www.csl.sri.com/users/neumann/insiderisks08.html#214"&gt;changing to DC&lt;/a&gt; by 2020.&lt;br /&gt;&lt;br /&gt;We are &lt;span style="font-style:italic;"&gt;not&lt;/span&gt; going to shift our watches a minute a day to avoid the problems caused by &lt;a href="http://catless.ncl.ac.uk/Risks/25.10.html"&gt;daylight savings time&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Please send further fools-in-the-wild spottings &lt;a href="http://www.noticebored.com/html/contact_us.html"&gt;to us&lt;/a&gt;.  
We'll probably mention information security and risk-related ones here.</description><link>http://www.noticebored.com/blog/2008/04/april-fools-spotted-in-wild.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-8469027212927147248</guid><pubDate>Mon, 31 Mar 2008 22:25:00 +0000</pubDate><atom:updated>2008-04-01T11:38:01.875+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Audit</category><category domain='http://www.blogger.com/atom/ns#'>Malware</category><title>Malware blamed for supermarket data breach</title><description>A supermarket security breach late last year/earlier this year compromised over 4 million credit/debit cards and led to thousands of fraudulent transactions.  The breach has been blamed on &lt;a href="http://www.usatoday.com/tech/news/computersecurity/2008-03-28-malware-supermarket_N.htm"&gt;malware on the store's servers&lt;/a&gt;.  The fact that the store systems were PCI DSS compliant, apparently, doesn't exactly inspire confidence in the system of independent security audits but on the other hand it's a reminder that malware is an omnipresent threat.</description><link>http://www.noticebored.com/blog/2008/04/malware-blamed-for-supermarket-data.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-8604787391166868489</guid><pubDate>Thu, 27 Mar 2008 05:53:00 +0000</pubDate><atom:updated>2008-03-28T19:04:21.500+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Audit</category><title>New module on IT audit</title><description>&lt;a href="http://www.noticebored.com/html/this_month.html"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" 
src="http://www.noticebored.com/blog/uploaded_images/02-NB-poster-IT-audit-6-300-774211.jpg" border="0" alt="" /&gt;&lt;/a&gt;IT audit is probably not one of the first topics you'd think of when planning a security awareness program but it does add value.  The &lt;a href="http://www.noticebored.com/html/this_month.html"&gt;latest batch of awareness materials from NoticeBored&lt;/a&gt; explain what IT auditors do, what interests them and how they work.  If your only experience of IT audit has been SOX (Sarbanes Oxley) work, you have a lot to learn!</description><link>http://www.noticebored.com/blog/2008/03/new-module-on-it-audit.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-3718849489826973431</guid><pubDate>Mon, 24 Mar 2008 21:06:00 +0000</pubDate><atom:updated>2008-03-25T17:39:24.597+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Incidents</category><category domain='http://www.blogger.com/atom/ns#'>ID theft</category><category domain='http://www.blogger.com/atom/ns#'>Privacy</category><title>Desperate for data on 25m Brits  FINAL UPDATE?</title><description>The BBC reports that a &lt;a href="http://news.bbc.co.uk/2/hi/uk_news/politics/7128851.stm"&gt;substantial reward&lt;/a&gt; is on offer for the return of two CD-ROMs that went missing in the post en route between two Government offices.  They have searched numerous offices (including TNT, a well-known courier company) and at least one rubbish tip, and have completed some forensic analysis (presumably looking to see if individuals implicated in the incident might have something to hide), but these all came up blank.  
Having forlornly scaled down the search, a cash reward is now on offer and the British populace is warned to keep an eye out for identity theft or similar incidents.&lt;br /&gt;&lt;br /&gt;The report notes several other personal information breaches at the Department concerned, and low staff morale as a result of the latest one.  Given the sorry history of incidents, heads &lt;span style="font-weight:bold;"&gt;should &lt;/span&gt;roll.  If public servants cannot be trusted to protect sensitive information provided to them by the public they serve, the public have every right to withhold information - but the civil disruption this would cause has far-reaching consequences.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;UPDATE 19th Jan:&lt;/span&gt; more stories of improper disclosure of personal information by officials are adding to the Government's woes, and more importantly increase the risk of identity theft of British residents.  Today we read that (1) a Ministry of Defence laptop, &lt;a href="http://news.bbc.co.uk/1/hi/uk/7197045.stm"&gt;stolen from a car&lt;/a&gt; (doh!), contained personal details on 600,000 applicants to join the forces, some of whom will have provided the full nine yards necessary to undergo security clearance; and (2) papers containing personal data on benefits claimants were &lt;a href="http://news.bbc.co.uk/1/hi/england/devon/7197048.stm"&gt;found strewn across a West country roundabout&lt;/a&gt;, for at least the second time in two months.  The man who discovered the latest batch of papers found and reported a similar load at the same place in November.  We don't know if any more papers might have been lost or abandoned there and discovered by criminals during the last two months, or indeed previously or subsequently.  ['Strewn across a roundabout' is a rather extreme example of "unstructured data".  
An article in December 2007's ISSA Journal on managing unstructured data patiently explains how to get a grip on unstructured data in ten steps, most of which are virtually impossible to do in any Real World organization and all of which ignore paper records.  Data Leakage or Loss Protection (DLP), another &lt;a href="http://www.cio.com/article/171551/Busting_the_Myths_About_Data_Protection/1"&gt;security industry buzzword&lt;/a&gt;, likewise deals with a small part of the problem, and not very well at that.  /rant]&lt;br /&gt;&lt;br /&gt;Who will be held accountable for these security screwups?  Will anyone lose their job, be fined or end up in prison as a result?  Somehow I doubt it.  It is the British Government after all.  A &lt;a href="http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=178306&amp;d=1025&amp;h=1073&amp;f=1026&amp;dateformat=%25o%20%25B%20%25Y"&gt;press release on AccountingWeb&lt;/a&gt; says: &lt;br /&gt;&lt;blockquote&gt;"The Information Commissioner, whose office was established to protect personal information and take appropriate action where the law is broken, described the scale of the loss as “unprecedented” and stated that data protection laws have almost certainly been breached. This loss of information serves as a timely reminder to businesses and organisations that they are legally obliged to ensure the safety of personal information relating to individuals."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;UPDATE Jan 20th&lt;/span&gt;: a USB stick lost by a hospital worker had personal details of thousands of patients but apparently it's OK because "The loss was an accident rather than any systematic failing in management and governance".  I assume from the &lt;a href="http://news.bbc.co.uk/1/hi/england/manchester/7196198.stm"&gt;BBC item&lt;/a&gt; that the data on the memory stick were not encrypted.  
What's more, "diaries containing patients' names and addresses were stolen from staff cars in two separate incidents in June."  Those are two good examples of "a systematic failure of management and governance", and here's a third: local management evidently decided not to inform the patients about the loss of their personal data because, in their estimation, the data could not be used for identity theft.  I hope the patients concerned will complain and the Privacy Commissioner will prosecute the hospital under the Data Protection Act.  &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;UPDATE 22nd Jan&lt;/span&gt;: the MoD (that's Ministry of Defence, yes, Defence, Her Majesty's Government department charged with, and paid vast amounts of taxpayers' money for, protecting the Realm and maintaining the freedom of her people) has now revealed that it has lost laptops with sensitive personal data on potential recruits &lt;a href="http://news.bbc.co.uk/1/hi/uk_politics/7199658.stm"&gt;at least twice before&lt;/a&gt;.  With typical British understatement, shadow defence secretary Liam Fox called it a "dreadful mess".  He really is awfully, awfully sorry.  &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Data on the laptop stolen in Edgbaston on 9 January included passport, National Insurance and driver's licence numbers, family details and NHS numbers for about 153,000 people who applied to join the armed forces.  Banking details were also included for around 3,700 people ... It is clear that the database files were not encrypted, in breach of MoD procedures ... Some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://news.bbc.co.uk/1/hi/uk_politics/7199658.stm"&gt;same BBC news story&lt;/a&gt; reports that:&lt;br /&gt;&lt;blockquote&gt;"The new rule on laptops comes in an e-mail from the Civil Service chief, Cabinet Secretary Sir Gus O'Donnell, to all government departments. 
 It said: "From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises.  Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;New rule?  NEW RULE!  From now on!!  Someone has evidently been asleep at the wheel.  The situation is completely out of hand in the UK.  Government departments cannot ignore the law and have a clear duty to protect the personal information entrusted to them by citizens.  They need to be held to account.  If not, citizens will, quite justifiably, withhold their information from public bodies, like for example the tax office and social security department ... and there lies the route to anarchy.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;UPDATE Jan 26th&lt;/span&gt;: The &lt;a href="http://news.bbc.co.uk/1/hi/business/7209154.stm"&gt;BBC reports&lt;/a&gt; that:&lt;br /&gt;&lt;blockquote&gt;"Marks and Spencer has been found in breach of data protection rules after the theft of a laptop containing the personal details of 26,000 employees.  The Information Commissioner's Office (ICO) said the data on the laptop, which was stolen from the home of an M&amp;S contractor, was unencrypted.  The ICO has ordered M&amp;S to make sure all laptop hard drives are fully encrypted by April 2008."&lt;/blockquote&gt;&lt;br /&gt;So it would appear that the ICO now treats full-disk encryption of laptops as the baseline expectation for any organization handling personal data!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;UPDATE #5 Feb 15th&lt;/span&gt;: 5,000 patients of a &lt;a href="http://news.bbc.co.uk/2/hi/uk_news/england/west_midlands/7245256.stm"&gt;Dudley hospital&lt;/a&gt; face anxiety over possible identity theft thanks to the theft of a laptop.  
We're told the laptop was "password protected" which, as we all know, is usually spin on "not encrypted": a logon password gates the operating system or the application, not the bytes on the disk, and anyone who moves the drive into another machine reads those bytes without ever being asked for a password.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"A spokesman for the trust said the laptop and database were protected with two separate passwords, making it very difficult to access.  He added: "We would like to apologise for any concern this matter has caused those patients affected and would like to reassure them that the information on the database is unlikely to be recoverable." &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Yeah, right.&lt;br /&gt;&lt;br /&gt;UPDATE #6 22 Feb 08: personal medical records on &lt;a href="http://news.bbc.co.uk/1/hi/england/manchester/7255463.stm"&gt;3,000 patients in Bolton&lt;/a&gt; were dumped in landfill.  Eee, it's grim up North.&lt;br /&gt;&lt;br /&gt;UPDATE #7 Leapday: some good news at last!  A laptop and CD which appear to have belonged to the Home Office have been recovered by Police after they were &lt;a href="http://news.bbc.co.uk/1/hi/england/manchester/7269965.stm"&gt;purchased on eBay and sent to a repair shop&lt;/a&gt;.  Even better news is that the CD and laptop were encrypted.  Police are investigating how they ended up there.  The repairman should be congratulated for reporting it.  As to whether Al Qaida is now moving into the laptop repair business, we can only speculate.&lt;br /&gt;&lt;br /&gt;UPDATE #8 - the final update?  With no end in sight, I'm getting bored of this blog item, so it's time to close with perhaps just a little hope for the future.  I've just chanced across a &lt;a href="http://ffrancsais.blogspot.com/2008/03/your-life-details-in-their-hands.html"&gt;Liberal Democrat's blog&lt;/a&gt; listing several security/privacy incidents that I've mentioned here and a few more for good measure.  The blogger, Frank Little, describes himself as a semi-retired hack computer programmer.  
I'm not entirely sure if that's hack as in journo or hack as in hacker, but at least he has an obvious interest in the UK's data protection mess.  Vote wisely at the next election!</description><link>http://www.noticebored.com/blog/2007/12/desperate-for-data-on-25m-brits.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-8505985347733943574</guid><pubDate>Sat, 22 Mar 2008 00:39:00 +0000</pubDate><atom:updated>2008-03-22T23:44:08.074+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Malware</category><title>10,000 infected pages</title><description>McAfee has been warning about &lt;a href="http://itnews.com.au/News/71994,cyberattack-launched-from-10000-web-pages.aspx"&gt;malware installed on 10,000 Web pages&lt;/a&gt;.  The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs.&lt;br /&gt;&lt;br /&gt;This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system.  PSI from Secunia is a useful tool to track the release of patches - it keeps an eye on what's installed and what versions are current, alerting you when your system falls behind.</description><link>http://www.noticebored.com/blog/2008/03/10000-infected-pages.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-6904285775787765066</guid><pubDate>Wed, 19 Mar 2008 20:52:00 +0000</pubDate><atom:updated>2008-03-20T10:24:52.181+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Malware</category><title>Signature based AV is dead.  
Long live sig AV!</title><description>A &lt;a href="http://www.csoonline.com/read/020108/fea_antivirus.html"&gt;malware article in CSO Magazine&lt;/a&gt; points out the ultimate futility of signature-based antivirus detection and blacklisting mechanisms, given the escalating rate of release of new/variant malware and their inability to block data theft (which is what Data Leak Prevention is all about: personally, I never expected AV software to do this, so that is a rather curious point).&lt;br /&gt;&lt;br /&gt;The demise of signature-based AV detection has been predicted many times before, but on the whole it stubbornly remains a relatively effective and inexpensive control.  I'm worried about bespoke malware, custom-written to infiltrate specific target organizations, but there other techniques come into play, DLP and checksumming being two of them.  So-called "heuristic scanning" has a bad press for generating too many false positives, but it is another piece of the defense-in-depth puzzle, along with prompt patching and (of course) security awareness.  
There's no need to detect avoided malware.</description><link>http://www.noticebored.com/blog/2008/03/signature-based-av-is-dead-long-live.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-7636081561231112984</guid><pubDate>Wed, 19 Mar 2008 20:49:00 +0000</pubDate><atom:updated>2008-03-20T09:50:51.415+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Malware</category><title>CERT malware tips</title><description>CERT has re-issued a &lt;a href="http://www.us-cert.gov/cas/tips/ST05-006.html"&gt;Cybertip on malware&lt;/a&gt;.</description><link>http://www.noticebored.com/blog/2008/03/cert-malware-tips.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-4327223013257008961</guid><pubDate>Tue, 18 Mar 2008 00:41:00 +0000</pubDate><atom:updated>2008-03-18T13:53:03.534+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Malware</category><category domain='http://www.blogger.com/atom/ns#'>Hacking</category><title>Addressing the growing botnet threat</title><description>A 20 minute &lt;a href="http://www.cert.org/podcast/mp3/2/20080219ianelli-full.mp3"&gt;CERT podcast on botnets&lt;/a&gt; gives an overview of botnets - sizeable networks of compromised computers remotely controlled by hackers, used for stealing data, identity theft, hacking other systems and spamming.  
Hear how compromises occur, how botnets are used and controlled by the black hats, and how to secure your systems to avoid compromise and clean out bot infections.&lt;br /&gt;&lt;br /&gt;If you don't have audio facilities on your system, or simply prefer to read, a &lt;a href="http://www.cert.org/podcast/transcripts/20080219ianelli-transcript.pdf"&gt;transcript&lt;/a&gt; is also available.&lt;br /&gt;&lt;br /&gt;There is also a little collection of information security-related &lt;a href="http://www.cert.org/podcast/"&gt;podcasts from CERT&lt;/a&gt;, aimed at busy executives with largely nontechnical content.</description><link>http://www.noticebored.com/blog/2008/03/addressing-growing-botnet-threat.html</link><author>noreply@blogger.com (NoticeBored)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-11075299.post-6293951842303250394</guid><pubDate>Sat, 15 Mar 2008 19:15:00 +0000</pubDate><atom:updated>2008-03-16T08:20:14.669+13:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Malware</category><title>Spyware impacts productivity</title><description>&lt;blockquote&gt;A single spyware infection on a work computer can impact the productivity of the typical small business employee for two-and-a-half days, according to research commissioned by the Computing Technology Industry Association (CompTIA).&lt;br /&gt;&lt;br /&gt;A survey of employees at businesses with 10 to 200 computer users found that more than one in four computer users reported having their productivity impacted by a spyware infection during the past six months. 
Of these, more than one-third reported multiple spyware infections.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Definitions of spyware vary, but the take-home message from this &lt;a href="http://www.comptia.org/pressroom/get_pr.aspx?prid=1319"&gt;CompTIA study&lt;/a&gt; is simply that spyware is a widespread problem that impacts productivity.</description><link>http://www.noticebored.com/blog/2008/03/spyware-impacts-productivity.html</link><author>noreply@blogger.com (NoticeBored)</author></item></channel></rss>