The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

March 2nd, 2009

Small firms are taking fraud protection too lightly, says Visa Canada

 

Forty-one percent of small businesses surveyed by Visa Canada said they
don’t believe data thieves and hackers will target them because of their
size.

Where have we heard that before?
Isn’t there some security adage about the hackers (aka criminals) going for “the low hanging fruit” – the easy to get at stuff – first?

 

December 1st, 2008

Stolen laptop leads to drug bust

I must admit, this isn’t quite what I expected when I read the headline. I was expecting the contents of the laptop, which had somehow come into the hands of the police or the DEA, to contain evidence that led to the bust. As it was, the recovery was a result of “phone home” software and the bust was incidental.

Security software built into a stolen laptop computer led police to a
Hoisington residence on Tuesday. Authorities not only found the
computer, but they also uncovered what appears to be a methamphetamine
lab.

So what is the procedure around the ‘phone home’ software? Does it contact the police directly? Does the owner notify the ‘phone home’ software vendor, who in turn notify the police when they have a trace?

Detective Denton Doze at the Great Bend Police Department said the
$9,000 computer, along with hand tools and power tools, was stolen
during a burglary reported last Friday at the My Town project, 1419 Main
Street.

That must have been quite some laptop!

As of Wednesday evening, the missing tools had not been accounted for.

Well, obviously. They don’t have ‘phone home’ software that runs when they are used.

November 11th, 2008

Going Rogue

In this article at TechRepublic, Tom Olzak tries to address the issue of insider threat by talking about why your employees might ‘go rogue’. I think he completely misses the point by discussing the motivation for spies and convicted traitors. This is a different class of people from those who commit financial fraud and take revenge on employers who they think have wronged them.


Let’s be fair: how many of these characteristics would have applied to people like Nick Leeson, Jérôme Kerviel, or the rogue traders such as Yasuo Hamanaka at Sumitomo Corporation of Japan in 1998, John Rusnak (a former currency trader at Allfirst bank) at the Allied Irish Bank in 2002, Toshihide Iguchi at Daiwa Bank, Matt Piper of Morgan Stanley, Anthony Elgindy, Thom Calandra and Brian Hunter – never mind the rogue executives at WorldCom, Enron and Parmalat and the many other corporate and accounting scandals that were motivated by greed?

The list on the blackboard in the cartoon doesn’t, I think, apply to the ‘rogue traders’. It applies only somewhat to the rogue executives but it does apply more comprehensively to the spies and traitors like Ames & Early.

However Donn Parker’s point that (many) white-collar criminals are led into crime by “intense personal problems” makes more sense and also applies to people such as Brian Molony at the CIBC. So I don’t think this is a very good article. Donn’s observation is more general and more useful than Tom’s.

More to the point, Tom’s article fails to address issues such as senior management ignoring the business controls that are in place because the people concerned were making a profit (aka greed in high places); it doesn’t address the issue of having internal resources where staff can come to get advice about pressing personal problems; and it doesn’t deal with the possible channels for ethics complaints and whistle-blowing. So it fails to address its title: there is nothing here about prevention – only detection, and a very limited form of detection at that.

http://news.hereisthecity.com/news/business_news/6786.cntns

November 10th, 2008

Cyber-terrorism will be punishable by death

http://www.dailytimes.com.pk/default.asp?page=2008\117\story_7-11-2008_pg1_8

Only in Pakistan? Shame!

The penalty is limited to an offence that ‘causes death of any person’,
according to the ordinance that will be considered effective from
September 29.

And, thinking of the “for want of a nail” poem, how indirect does this causality have to be? OK, I can see zapping someone’s pacemaker, but how about this:

Suppose a ‘capture the flag’ contest such as the one in Kuala Lumpur, Malaysia in late October exposed a flaw that allowed someone to hack a database and get a batch of credit card numbers, and those were sold off and used, and it happened that one of the cards belonged to someone who had their card refused at the gas station and ran out of gas and had to walk home and was attacked and raped and killed … in another country.

August 22nd, 2008

Billions and Billions.

No, not a Google, it’s a Sagan!

I’m sure that like me you get mails that read something like

From:Mr.John Lewis
Phone No: 44-702 409 9061

This is to inform you that your funds of US$15 Million
has been approved for immediate delivery to you.

For the purpose of clarification,you are advised to
reconfirm your Full Names,Direct Telephone
Numbers,Physical Address with Zip Code so that there
will be no error during the delivery of the funds to
you in your country of residence.

Your quick response will be highly appreciated.
Congratulations in advance.your mail to this email address .
johnlewis477@yahoo.com.hk
Please Try and call me now Phone No: 44-702 409 9061.
It is very Urgent.
Mr.John Lewis

The Cardsharps

It’s always struck me as illogical that these are rarely addressed to me personally; they are usually to ‘undisclosed recipients’. That’s plural.
Lots of people have been sent this offer for $15M then.

The second thing that is illogical is that if there is this much money surely they could do the background check on me so they don’t need to ask for my name, address and all the other stuff. I’m in the phone book. And the on-line phone book.

Some of these even give physical addresses and phone numbers in countries – is that ‘44’ the UK and not HK? – which may look convincing but is a bit stupid in this day and age when so many people travel and have relatives and friends in other countries. I do recall reading on the net of someone who did scam one of these people by having friends in that country follow up.

But that ‘lots of $15M’ raises an interesting question.
Presumably the scam artist is appealing to greed.
The trouble is that it’s unrealistic.

What would be realistic?
Would $15,000 sound more reasonable for some long lost relative?
After all what if I am the eldest son of an eldest son of an eldest son, so some collateral branch of the family we lost contact with during the war leaves a legacy part of which follows that path?

Yes, I know it’s more than most scammers would think worthwhile, but just as the ‘Net has pushed down the cost of unsolicited mail, so too has it pushed down the cost and effort of genealogical research.

Does being sucked in by the smaller but more reasonable amount make more sense than the obviously impossible millions?

Because let’s face it, pitches like

We happily announce to you the draw (#1106) of the UK
INTERNATIONAL LOTTERY,online Sweepstakes International program
held on 12th May, 2007.

Your e-mail address attached to ticket number:56475600545 188
with Serial number 5368/06 drew the lucky numbers:
04-05-16-19-21-49 (bonus no.20), which subsequently won you the
lottery in the 2nd category i.e match 5 plus bonus. You have
therefore been approved to claim a total sum of £500,000 (Five
hundred thousand pounds sterling) in cash credited to file
KTU/9023118308/03.

That went out to ‘undisclosed recipients’ as well.
But since when do these jackpots get disbursed in cash rather than by cheque, with lots of publicity? And why should the cash be credited to a file and not the winner?

So what it comes down to is that these scams are targeted to people who are dazzled by big numbers and don’t have a lot in the way of critical thinking and scepticism. Scott Adams, the author of the Dilbert cartoon strip, would call them “In-duh-viduals”.
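The tells picked out above (no named addressee, an implausible sum, a request for details a genuine payer would already hold, a phone code that disagrees with the sender’s email domain, and winnings “credited to a file”) can be turned into a simple scoring filter. This is an added example, not the blog’s own code; the sample messages are constructed and condensed from the two mails quoted above, and the threshold and country-code table are assumptions.

```python
"""Score a mail against the tells described in the post. Added example, not
the blog's own code; samples are constructed from the quoted mails, and the
threshold and country-code table below are assumptions."""
import re
from email import message_from_string

PHONE_CC_TO_TLD = {"44": {"uk"}, "852": {"hk"}, "1": {"us", "ca"}}  # assumed
MAX_PLAUSIBLE_SUM = 100_000  # assumed; the post argues even $15,000 is a stretch
MONEY_RE = re.compile(
    r"(?:US\$|\$|£|GBP|USD)\s*([\d,.]+)(?:\s*(million|m|thousand|k)\b)?", re.I)
PHONE_RE = re.compile(r"(?:\+|\b)(\d{1,3})[- ]\d{2,4}[- ]?\d{3}[- ]?\d{3,4}")
EMAIL_TLD_RE = re.compile(r"[\w.+-]+@[\w.-]+\.([a-z]{2,})", re.I)
PII_REQUEST_RE = re.compile(
    r"reconfirm|full names?|physical address|telephone numbers?|zip code", re.I)
FILE_CREDIT_RE = re.compile(r"credited to (?:a |the )?file", re.I)

def parse_amount(num, unit):
    """'15' + 'Million' -> 15000000.0; '500,000' + '' -> 500000.0."""
    value = float(num.strip(",.").replace(",", "") or 0)
    scale = {"million": 1e6, "m": 1e6, "thousand": 1e3, "k": 1e3}
    return value * scale.get((unit or "").lower(), 1)

def score_message(raw):
    """Return the list of tells found in one RFC 2822 message string."""
    to = (message_from_string(raw).get("To") or "").lower()
    findings = []
    if not to or "undisclosed" in to:
        findings.append("not addressed to a named recipient")
    amounts = [parse_amount(n, u) for n, u in MONEY_RE.findall(raw)]
    if amounts and max(amounts) >= MAX_PLAUSIBLE_SUM:
        findings.append("implausibly large sum: %d" % max(amounts))
    if PII_REQUEST_RE.search(raw):
        findings.append("asks for details a genuine payer would already hold")
    if FILE_CREDIT_RE.search(raw):
        findings.append("winnings 'credited to a file', not to the winner")
    tlds = {t.lower() for t in EMAIL_TLD_RE.findall(raw)}
    for cc in sorted(set(PHONE_RE.findall(raw))):
        expected = PHONE_CC_TO_TLD.get(cc)
        if expected and tlds and not (tlds & expected):
            findings.append("phone code +%s vs email domain %s" % (cc, sorted(tlds)))
    return findings  # three or more tells: treat as a scam

# Constructed samples, condensed from the mails quoted in the post.
SCAM_419 = """From: Mr.John Lewis
To: undisclosed-recipients:;

Your funds of US$15 Million has been approved for immediate delivery.
You are advised to reconfirm your Full Names, Direct Telephone Numbers,
Physical Address with Zip Code. Mail johnlewis477@yahoo.com.hk or call
Phone No: 44-702 409 9061. It is very Urgent.
"""
SCAM_LOTTERY = """From: UK International Lottery
To: undisclosed-recipients:;

You have been approved to claim a total sum of £500,000 (Five hundred
thousand pounds sterling) in cash credited to file KTU/9023118308/03.
"""
GENUINE = """From: accounts@example.com
To: Anton <anton@example.com>

Hi Anton, your invoice of $40 for last month is attached. Thanks.
"""
```

Running `score_message` over the three samples flags four tells on the first mail, three on the lottery mail and none on the invoice.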

I’m tempted to say that there’s a lot of that about in the western world today for a number of reasons: religious fanaticism, lack of education in statistics, believing that you have a right to gobs of money with no effort … One school of thought is that civilization needs the Marching Morons to act as consumers and keep the machinery of society working, but we don’t want them to be too smart or they might rebel. Fred Pohl and Cyril Kornbluth explored this idea in their short story “The Marching Morons”. (I recall the false speedometers in cars that gave the impression you were doing the Ton when you were only just doing a bit over 60. This too has come to pass.) It’s been explored in other utopian/dystopian novels such as Ira Levin’s “This Perfect Day” or the sex slaves of Charles Fourier’s (yes, THAT Fourier) Utopian vision.

Utopia for some.

If you want to see it applied to our society – yes Virginia, we do have sex slaves and a ‘conspiracy’ (or at least an emergent property) to dumb us down. While John Gatto has written about how our school system is rigged for this (see http://antonaylward.com/articles/2006/12/01/dumbing-us-down), he omits that in many ways the society we have NEEDS the Marching Morons. Large scale questioning of roles and existence would be too disruptive. Isaac Asimov touches on this in his stories, for example ‘Strikebreaker’ (someone has to do the dirty jobs like garbage collection and build and maintain the sewers…) and “Profession”.

But doesn’t that in and of itself mean that the under-educated classes must exist and must therefore be susceptible to scams like the ones I describe above?

It’s a sad, sad world.

July 19th, 2008

Why San Francisco’s network admin went rogue

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

To an auditor or anyone with security training this screams of a security risk: one critical guy who has no backup, has private and sole knowledge of the system, never takes vacations, and is arrogant and protective of his knowledge.

It’s a classic case of what should be avoided. There are no management controls in place. He could have been running any number of illegal operations, scams or selling of bandwidth to criminal groups, set up a virtual network … whatever. No-one would know. “Dual controls” are a fundamental for any critical operation – they are intended to prevent the abuse of privilege we see in this case, to divide the responsibility for completing a process into separate, accountable actions, and to safeguard integrity. Childs represents a single point of failure, and management is at fault for letting this situation arise.

His ‘pride in his work’ and treating the network like a child also comes across as a disregard for the end users, the people for whom the network is supposed to function.

It certainly appears that Terry Childs believed San Francisco’s FiberWAN network was his baby, and that by refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most importantly, himself.

Himself yes, the others, no. His dog-in-a-manger attitude shows a disregard for the end-user, municipal clients, his peers and those he should be mentoring.

His attitude towards management, formal procedures, (like change controls and documentation), standards and automation of processes are frightening. These are signs that an auditor should have caught long ago. The question is ‘why didn’t that happen?’

As I said, his managers are at fault for letting this situation arise.
Once again it’s the suit-geek dichotomy; because they don’t want to know the technical issues and be involved in them, the managers let geeks like Terry Childs have free rein and don’t institute basic controls.

So when they do have to rein him in — UPSET. They are now paying the consequences.

The city is better off without Childs, but unfortunately it would also be better off without some of his managers too. What it does need is proper administration, of its networks and of its technical staff.

Forcing the issue may have impacted the city’s use and control of its network in the short term but not in the long term.

I suspect that the situation will resolve itself with Terry Childs as the scapegoat and his managers being absolved. Our legal system has an all-or-nothing attitude towards accountability. In a just world the managers who let this happen would be punished. Knowing how government IT works they will probably be promoted.

Will the City IT institute some basic controls and policies? Possibly, but once again I’m cynical and suspect they will be specific and reactive ones rather than wise and encompassing ones that calmer minds consider as a good baseline of security management practice and staff administration.

July 15th, 2008

Motive isn’t necessary to convict

http://government.zdnet.com/?p=3874

There’s an old joke about a man brought before the court for breaking and entering, not because he was caught in the commission of a crime but because he was found in possession of housebreaking tools – crowbars, glass-cutter and so forth.

When found guilty by the judge he said “well you better convict me for rape as well since I have the tool for that”.

Professor Alan Dershowitz of Harvard Law School.

This case is neither new nor precedent setting, as Alan Dershowitz pointed out … back in 1988 in his book “Taking Liberties”. Some of his other books at Amazon are listed here.

September 28th, 2007

Why I don’t see the need for elaborate Risk Analysis

http://www.informationweek.com/news/showArticle.jhtml?articleID=202101781

Convicted hacker Robert Moore, who is set to go to federal prison this
week, says breaking into 15 telecommunications companies and hundreds of
businesses worldwide was incredibly easy because simple IT mistakes left
gaping technical holes.

“It’s so easy. It’s so easy a caveman can do it,” Moore told
InformationWeek, laughing. “When you’ve got that many computers at your
fingertips, you’d be surprised how many are insecure.”

Even before I took up auditing as a profession, every client I dealt with had glaring errors and omissions in their security arrangements, be it physical, logical or documentation.

Yes, this includes divisions of banks (brokerage firms were the worst).
Most of the horror stories would be familiar to people who read and contribute to security forums and blogs. This is what is, when it comes down to it, really astounding. The omissions from the ‘baseline’ of good practice cover obvious issues like documentation (so as to span the employment of different sysadmins and communicate within the IT group); restricting access to the root password (especially for developers); not doing development on the production machine/database; backups that reflect the business and not just the convenience of the hardware/sysadmin; documenting (and hopefully approving!) changes; and actually installing and configuring the firewall, which, of course, assumes there is a policy that reflects the business needs rather than the ‘best guess’ of the sysadmin to determine how it’s going to be configured.

And so on and so on.

So it gets to be, if you’ll pardon the analogy, like worrying over the diseases of civilization like Alzheimer’s, osteoarthritis/osteoporosis, ALS, macular degeneration, diseases due to over-rich diets, and senescence in general when you don’t have an adequate diet or clean water to drink.

“Standards” like ISO 17799/27001 and ITIL aren’t trying to do anything more than lead people through a process to make them deal with the basic good practices. When they talk of things like Risk Analysis they are trying to get people to think about risk and their risk posture, and that is, all too often, sadly, something most firms don’t seem to have got around to.

Judging by what I see people asking – as well as asserting – on other forums about security and risk, most of the IT industry is in a bad way and doesn’t even know it. Of course the dominance in IT departments of the techie-geek-and-proud-of-it who has a dislike for ‘suits’ means that there is an unhealthy obsession with equipment (rather than business processes) as assets, and with identifying and enumerating individual threats and vulnerabilities rather than their effect – as classes – on the business processes and how to mitigate or recover from those effects. (In other words FMEA. You knew I was going to get around to saying that, didn’t you :-) )

Let’s worry about the baseline before we try to address the esoteric.

January 1st, 2007

2006: The Year of the laptop … stolen that is

When did you last secure your laptop?

The last year seems to have been a bumper one for stolen laptops, especially ones stolen from high profile companies and which contain plenty of personal information.

Many of the companies concerned seem to think that having password protection is adequate. Others think that because the laptop was stolen “for the hardware” and not for the information on it, all is OK. A couple think that firing the person who was using the laptop makes everything OK.

“If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware.”

Well, I don’t think so.

Will things change?

At the very least, the publicity has made it clear to thieves that the information on the laptop is more valuable than the hardware. This year, 2007, any thief with any sense will sell the data and throw away the laptop. Perhaps on a rubbish tip – oh, I see one did that :-)

Here is a summary of some news articles from 2006


December 11th, 2006

What exploitation of “Child Labour”?

http://news.bbc.co.uk/1/hi/technology/6220416.stm

We’ve seen the reports in the glossy weeklies about the revolutionaries in Africa recruiting young children. Our Western sensibilities are offended by this “corruption of innocents”. But here’s something more like the criminal ‘child labour’ gangs of Dickens.

Dickens had a unique perspective on the subject of child labour, reflecting upon his own experience working at Warren’s Blacking Factory at the age of twelve when his father was held in debtor’s prison. Completely on his own, working long hours in rat-infested quarters, young Dickens felt abandoned by his family, and his bitterness over this period of his childhood continued to influence his life and writings

How different from the well educated, well fed modern child of middle-class parents in a room of his own in suburbia surrounded by the trappings of modern adolescence and with all that computing power. Dickens would be hard pressed to pen a novel that fostered enough sympathy for the plight of such children as to press for social reform.

The boom in cyber crime is forcing criminals to go to great lengths to recruit skilled hackers, says a report. Some criminal gangs are paying students while they study to ensure they have a pool of tech-savvy workers to call on, says the report from McAfee.

Others are cashing in on the glamour of the hi-tech world to tempt youngsters into embarking on a life of crime.

McAfee said children as young as 14 years old were being targeted by some criminal gangs.

What a contrast from Dickens’s time when the children were forced by economic circumstance to work long hours under dreadful conditions with a high mortality rate.

Personally, I feel the media has a lot to be accountable for with the way it glamorizes “hackers” and criminal activity. The movie “Swordfish” probably rolls all these factors into one better than any other I can think of.

Swordfish

As well as the direct route of targeting students, some organised crime gangs were trading on the glamour surrounding the “hacker” label to help them recruit impressionable youngsters, revealed the report.

The aura of rebellion the name conjured up helped criminals ensnare children as young as 14, suggested the study.

So what will this lead to? More parental paranoia and control? By some, probably, but more likely not by those whose children are most at risk. The practice of instilling fear in parents about their children for any number of reasons, academic achievement, exposure to physical and on-line predators, that they don’t get enough ‘ice time’, and so many other factors is getting to be unhealthy.

But what are we to do?