4Sec - 4 Seconds -- For Security

Failures of Disk Encryption

2008-02-24T07:56:00.002+03:00

"Security is not a product but a skilled continuous process which requires thought..." Jorge Sebastiao, 1999.

Even for the best technologies there is always a weak point which must be addressed, in this case Disk Encryption as its weakness. The weakness is that even in memory the keys exist in some readable format, if we can get to it, then it is game over:

Social engineering targets jobseekers

2008-02-10T23:16:00.000+03:00

Social engineering for profit see no limits. This time the social engineer aka Hackers are targeting the job seekers by creating a fake web site which is collecting:
- personal data
- CV information
- fees for visa processing (profit motive)

Please find the links to the original site:
- Real Ministry of Labor http://www.mol.gov.ae/
and the fake site
- Fake Ministry of Labor http://www.uaeministryoflabour.tk/

Real site and Fake site are mirror copies of each other as pictured below.
More details about the story can also be found here.

Security Issues with social networks

2008-02-05T22:18:00.000+03:00

I have been using heavily social networks for the past 3 years, started with linkedin can now reach over 7,000,000 persons online. So the power of the technology is really incredible. Theses are some of the top ones I use:

linkedin
xing
ecademy
plaxo
youtube
slideshare
twitter
mypodcast
lastfm
myspace
face book
...

But these social networks practical experiences are bring in some important questions (which will try to address over this year posts). Some of the main security issues I see are:

propagation of malware (virus, trojans, keyloggers)
defacement of profile, impact in public image
who owns the data? some networks make it easy to get the data in but very difficult out (usage of images to protect contact information)
how to archive and backup this data? who is responsible?
how to delete the data permanently if required?
predator attacks against minors and kids (parents must learn new ropes)
identity theft, impersonation
how to maintain so many user IDs (opendID is trying to address this)
how to move data from one site, application to the other (open social is work on this), some users have seen this usage blocked after using automated conversion, migration tools
how to do investigations, forensics on so many sites to track down criminals effectively
how to separate between business, and personal lives?
effects on corporate information
leakages
effects on corporate productivity

In short network, do business, have fun, but becarefull out-there.

More details on:

2008 Security Priorities

2008-02-01T20:54:00.000+03:00

Just finished conducting a poll with the help of Plaxo on security priorities of 2008. About 9% of the persons requested replied (from a poll size of approximately 2000 persons 183 replied).

The top 3 areas of focus are therefore:
- Governance and compliance
- Infrastructure security
- Business Continuity and Disaster Recovery (as mentioned by some in the survey comments, the BCP, DRP issue is much bigger then being just part of security, we all agreed on this ...)

So what are your plans for security for 2008... Be ready as this year will be full of events.

Identity Theft Slidecast

2008-01-30T20:18:00.000+03:00

Identity Theft continuous to become an increase threat to security and must be address by using regular awareness sessions with end-users.
The following is an identity theft slidecast and podcast which is simultaneously published on slideshare (slides and audio) and mypodcast (audit only)
...

| View | Upload your own

Are you ready for Cyberwar?

2008-01-29T18:27:00.000+03:00

Last year I wrote about the events of cyberwar between Estonia and Russia. Other ones have happened recently as well such as:

between USA and China, (more covert activities and experimentation)
between AlQaeda and USA
between North and South Korea
between India and Pakistan
....

In any cyberwar there are: "cyberwarriors", targets (key infrastructure such as financial institutions, government, utilities) and collateral damage (potentially your innocent business). So are we ready? Do we understand the dangers? A recent story in CSO magazine highlight the threat level and readiness of given countries as they focus resources for cyberwar.

Country	Est Mil Budget	Status	Est Threat
China	$56B	complex	4.78
Russia	$44B	complex	4.39
Iran	$9.7B	advanced	3.79
N Korea	$5.2B	advanced	3.03
Libya	$1.3B	advanced	2.86

from this table we notice both China and Russia devoting a substantial military budget and having acquired a complex infrastructure with associated Threat level (ranked from 1 to 5, 5 being highest)
More details on this story can be found here.

UK government mandates encrypted Laptops

2008-01-26T02:01:00.000+03:00

In response to the one of the largest disclosures of information in history the UK government responds with policy which mandates the usage of encryption on laptops and media devices when taken away from the offices.
An email was sent to all UK civil servants (government employees) which informs them of the new policy--"prohibts laptops and hard drives containing sensitive data from being taken out of the government buildings unless the devices are encrypted.
More details on this story are contained here:
- Vunet News
- MOD information Security
This is good news for organization like Secude which offer advanced solutions for hard disk encryption and laptop encryption.

Largest Bank Fraud $ 7 Billion dollars

2008-01-22T19:12:00.001+03:00

French bank SOCGEN, Societe General is the victim of the largest bank fraud of the year total amount $7Billion (over €5billion Euros). A junior trader Jerome Kerviel makes trades that cause the bank substantial losses. Jerome is capable of hidding is actions by modifying the information in the Banks computers.

The trader was able to create fictitious accounts to hide is actions; and support this with falsified documents. In short massive risk, massive losses and total lack of appropriate controls.

In security there is a simple concept known as dual control; under this control critical system transactions of system information can not be updated by a single individual but requires approval and verification from another party or employee in the organization (these controls are contained in the most basic and simple accounting systems). Why were such controls absent or ignored, I am sure the investigations and postmortem analysis will provide plenty of reading....
D.K. Matai good friend and Chairman of Asymmetric Threats also discusses the topic in MI2G press release postings.
Some more recent updates on the story are contained here:
- Reuters Time Line
- Telegraph UK
- the company explanation
- Financial Times

Security for the iPod generation

2008-01-17T23:59:00.000+03:00

The iPod generation likes to stay informed while on the move by downloading music, book, news, podcasts to their portable device. The following Podcast on security gives you a good source to stay in tune with security while on the move "Security Now!". The example of this podcast, talks about:

latest virus and trojans
corporate security
security policies

The text transcript Security Now Jan 17 oryou can listen by clicking/higlight icon...

Security now full site can be found here...

Bruce Schneier on Security And Psychology

2008-01-17T02:40:00.000+03:00

Bruce Schneier visited the Kingdom of Bahrain for the first time in 2005 for the conference HITB 2005 organized by E-Security Gulf Group - eSgulf. It was Bruce first visit to Middle East, we also toke the time to visit Riyadh in the Kingdom of Saudi Arabia as well. During this he presented security in a practical in modern way. He also authored the book beyond fear distributed during the conference. In security Psychology plays an important part to achieve the objectives of success.
At Penguicon 2007 during last year Bruce addresses Security And Psychology the podcast of this talk can be listened here...

Are you the passenger or the pilot

2008-01-15T21:37:00.000+03:00

When you get in the seat of your airplane today you have a complete entertainment and communication system which gives you more then you expected. According to FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

According to the FAA document published in the Federal Register. Vulnerability exists because the plane's computer systems is connected to the passenger network with the flight-safety, control and navigation network. It also connects to the airline's business and administrative-support network, which communicates maintenance issues to ground crews.

The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA document. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."

The information is published in a "special conditions" document that the FAA produces when it encounters new aircraft designs and technologies that aren't addressed by existing regulations and standards. Also more details here...

http://www.wired.com/politics/security/news/2008/01/dreamliner_security

Top 10 Data Breaches of 2007

2008-01-14T02:22:00.000+03:00

2007 was a year were several information records were broken for quantities of private information being leaked or hacked...
The Chief Security Officer - CSO magazine top 10 are:
1. TJX Credit cards
Victims: Millions of bargain shoppers worldwide
2. Her Majesty’s Revenue and Customs -- One Regrets the Error
Victims: 25 million
3. TSA, 2 of 2 - Thieves stole a computer hard drive
Victims: 100,000
4. The Nature Conservancy and Recycled Data
Victims: 14,000
5. Swedish Urology Group - Doctors lost 3 drives containing patients personal info
Victims: "Hundreds"
6. Shaw’s Supermarket -- Passwords
Victims: 472 store employees
7. TSA 1 of 2 Doing DHS Proud!
Victims: 3,930
8. Indianapolis Power and Light
Victims: 3,000
9. Commerce Bank of Wichita, Kansas
Victims: 20
10. Monster.com -- CISO looking for New Job
Victims: 1.3 million

Full details are here.... CSO site

Fear as a tool

2008-01-13T02:14:00.000+03:00

Fear can be used as a very effective tool for home land security. The biggest users of this tool are the politicians in every country. The media amplifies the news being broadcast and feeds it for public consumption; so always:
- beware
- ask, question
- investigate
- collaborate from multiple sources (eliminate duplicates)
- use common sense
- mis-information is used as a tool

Security Awareness Calendar 2008 on Slide Share

2008-01-11T11:39:00.000+03:00

Added a security awareness calendar and introduction presentation(s) on slide share.
One security tip for each month of the year. You can download the PPT and custimize it for your own organization. Have a safe 2008.

| View | Upload your own

Is my LCD screen secure?

2008-01-10T13:13:00.000+03:00

Can someone see your computer LCD screen, behind a wall?
The answer is yes, someone can recreate and see your screen information. If the person, company or government organization has the know how... The technology required to do it is freely available. This can be done yes... Because the technology we use today emits "wireless" waves which can then be amplified, captured, processed and enhanced to "reverse engineer" the original information.
This kind of research is not new, it was done a few years back under the names of "TEMPEST" and "Van Eck", for older CRT screens.
Markus Kuhn a researcher from Cambridge University, published a paper on this some time back. Reading your Screen through a Wall. The technology is low cost and could easily be put together.
A result sample of the screen can be seen here...

Technology, people and data sharing

2008-01-10T01:10:00.000+03:00

The number of sites we use keeps growing. Many times we have to re-enter the same information again and again. So data portability, data harvesting, data sharing, data migration, date integration is important; what about security in privacy. Some web sites like face book have monitoring which identify automated tools and will try to stop them. The approach is good but it may turn some powerful users away. Check out this users experience with technology. Also discussed here.

Some important announcements about progress in this area are coming form Google, Facebook and data portability.org.

iPhone Virus - Trojan

2008-01-09T02:21:00.000+03:00

The new iPhone is very tightly controlled by "Apple". Even this environment, virus are possible, no one is immune to all virus even the iPhone. The first virus for the iPhone is out.
The first warnings about this new virus were posted on on the iPhone modification forum ModMyiFone.com and then on Zdnet News.

Since this is a first, it is important for users to pay attention when installing new applications on the device. All applications must come from trusted sources.

Human Element

2008-01-03T02:13:00.000+03:00

The human element continues to lead the pace in security. There is a daily struggle towards more security and less risk...

1- Network diagram
2- pretty ? Beautiful?
3- Virtual machines accepting all the virus
4- Not a network diagram, but a displays of virus growing
5- Normal people look at aquariums ....

extracted from http://xkcd.com/350/

I am back and new website for 2008

2008-01-02T01:51:00.000+03:00

After a long absence from blogging it is time to return. As part of the New Year resolution for 2008 I will try to post new blog entries more often. The objective is to bring more security awareness. I will just have to stay up a little longer at night...
Maybe also try and learn new techniques like mobile blogging, more videos, audio blog entries.

In 2008 it was also time to launch a new web site with a fresh look for
"E-Security Gulf Group" -"eSgulf" details can be found here... www.esgulf.com
eSgulf now has presence in European Union - EU, Middle East and Asia.

Happy New Year 2008

2008-01-01T01:01:00.000+03:00

Happy New Year 2008, all the best for the family, friends, colleagues, coworkers, business partners, social networkers.
Welcome to "flat world of 2008"... Be safe and secure.

Power of Google

2007-10-15T03:02:00.000+04:00

The power of information comes through its access and ease of use. Google has become synonymous with this. Give us ease of access to information, some time private and confidential.
The two founders and owners of the company have found this out the hard way, by getting some potential embarrassing information published released on the news. Google and personal privacy on the news. The power of the Google engines is so deep that even the NSA could benefit from a few tips for future systems.
For those which want to become experts on google more details can be found in the Google Hacking Database.

Security can be seen from Different perpective

2007-09-22T02:49:00.000+04:00

In today's world quicker readiness and rapid response, can lead to dangerous situations.
One persons "piece of art" in this case a shirt with some circuit board and a few cables can be another persons (the security guard) "nightmare".
A student from Boston college got in trouble for wearing this shirt at Boston airport. So no only you must address the quantity of liquids you carry but also the potential dangerous look of your wear. More details Boston News.

Estonia cyberwar stories

2007-08-24T03:22:00.000+04:00

The more we depend on the technology the more exposed we are when an attack comes about. Estonia and a few friends working in security as well found this out the hard way during the cyberwar launched against this EU country. More detailed information can be found here.
In a country were technology plays such an important role, better defenses are required, the internet is not only used for banking (the branch--less bank can have serious consequences when there is no backup plan) but also for voting, click and elect...

Security in VoIP matures with new tools

2007-03-16T13:05:00.000+03:00

Voice over IP (VoIP) currently at 50Million users world wide is due to increase to 100Million by 2009. Recently Microsoft also launched a new beta offering into VoIP. All this means security focus on VoIP will become more important. There is an important web site devote to security over VoIP VoIPSA.org. VoIPSA just release a new set of tools to assist with VoIP Security testing. They are grouped as follows:

Sniffing
Scanning
Packet Creation
Fuzzing
Signal and Media Manipulation
Tutorials and Presentations

The tools can be found here VoIPSA tools.

Voting machines and security

2007-01-10T19:57:00.000+03:00

Even basic computers when not protected correctly, can have serious impact on our daily lives. One of the best examples is elections. Politicians are not always the most liked people given the decision and actions they take. But their election can also be hacked and stolen by attacking the now used electronic voting machines. We must then accept the elected decision for the next 3-5 years (or even more) depends on the countries. Critical devices such as voting machines therefore require extra protection, testing and validation before being put in productive usage.

Both videos can be view in their small version using "snapshoot" by passing with the mouse pointer over the links below.
Live example: Video 1
Funny video: Video 2

One in a more funny video the results could be remotely changed to satisfy the preferred candidate.