4Sec - 4 Seconds -- For Security

2011-03-26T13:46:00.001+03:00

The arms race used by ME event organizers to protect access to social networks http://ping.fm/0i1Da

2011-03-10T20:50:00.001+03:00

Anonymous group will also now focus on large business and US Gov. http://ping.fm/RWrkJ

The value of IDS/IPS visualization in Managed Services

2010-01-11T02:46:00.001+03:00

Parents responsibility and security

2009-11-24T18:05:00.003+03:00

Are parents being responsible for the security of their kids online? As a parent you must take responsibility for your kids actions online. The following video from Winn highlights this in a practical educational way:

Patch, Patch, Patch, Tuesday?

2009-11-03T18:16:00.001+03:00

It is Tuesday? what is on the menu? Patches

In the world of security awareness metrics are sometimes important. One of these metrics comes from using the Microsoft operating system and having to patch it every tuesday.

The article to computer world brings in the numbers:
- 6 years of Patch Tuesdays,
- 400 security bulletins,
- 745 vulnerabilities

Patch Tuesday Article

Importance of Security Awareness at highest levels.

2009-10-15T22:33:00.000+04:00

When Obama talks people listen, not only because he is a well versed speaker but also because he holds a post of the highest responsibility. So getting a message of security awareness at not only the individual, corporate, regional, state/province but country level raises the importance of the message it provides. Enjoy and take action

October is security awareness month!

2009-09-30T18:10:00.000+04:00

October is security awareness month, so here is a top 10 presentation and movie trailer from Winn Security Awareness blog:

Background checks and human nature

2009-08-24T22:41:00.001+04:00

Background checks are an important part of the security process. Background checks are used for:

- hiring new employees

- vetting employees for high risk positions

- providing security clearing for government organizations

- providing military clearance

However background checks are not performed by automated machines but rather by people. As mentioned many times before people are the weakest link in the security chain. Since people are not always good at discipline, consistency and process.

If we combine these commons flaws further with greed the mixture delivers an unreliable proposition for security. So in background check always "double check" . The following article and evolving story highlights the problems of background checks...

When I go to UVA Security Awareness

2009-07-30T00:00:00.000+04:00

When I go to UVA is a short video on security awareness...

Hacking expense claims

2009-06-30T22:57:00.000+04:00

Money always provides a motivation for the criminal mind. A psychology study done for common individuals (that means your employee) rates them into three categories:

- honest (nothing to worry about but it accounts for only 10-15% or so)

- dishonest (you need to take full measure here, but also it accounts for only 10-15% or so)

- waver (this is everyone else or 60-80%)

We are are apply Vincento Paretto principle also known as 80/20 rule.

The 80% or the majority you need to put in place the controls to avoid problems. One example could easily be made in expense claims. The internet goes even further by make it easier with sites like:

- the sales receipt store, will provide you a receipt for any occasion.

So take the time to verify the source of these expense claims it can save your corporation lots of valuable money.

Memory stick best practices for end-users

2009-04-30T22:18:00.004+04:00

We are using increasingly powerful portable memory technology the "USB Memory Stick". Originally developed for the cameras and photo world, the memory stick made its transition to the portable word via the USB format.

Today the USB memory sticks can carry 8GB or more in a format the can easily be carried. 8GB is more them hard disk capacity of earlier PC or even Mainframes.

So with the extra capacity comes the extra risk of higher amounts of information being disclosed by this high density portable medium.

We normally now recommend the users encrypt the information contained on these USB memory sticks as a "best practice". This same best practice advises that the key or password used to encrypt the USB should be kept in separate location.

Many users forget easily this simple fact, the consequences can be quite dramatic disclosure of confidential information. See the following article from BBC which highlights this case.

New ways to sniff what you type?

2009-03-31T21:49:00.000+04:00

Ways to capture what you type on a keyboard have always be of interest to both hackers and intelligence agencies. Many approaches have existed for years:

- capturing electronic emanations

- using dongle memory devices which attach to keyboard cable

- altered keyboards which record key strokes and get replaced during warranty period with all the valuable information

- keystroke trojans

- etc...

But technology for sniffing what you type is here. This technology is based on laser listening technology similar to the one which is used today to listen to you talk across walls and windows.

The following article from Zdnet provides more details...

Monitoring Skype is valuable?

2009-02-28T21:42:00.002+03:00

The NSA wants to learn how to do better skype monitoring ("lawful interception"). As we know by now skype is used by:

- cyber criminals

- traditional criminals

- terrorists

- sex offenders

to escape monitoring and detection.

So the monitoring of skype is of great interest to intelligence agencies such as NSA or others.

More details from the register article...

Can the technology we use introduce risk?

2009-01-15T18:54:00.003+03:00

The technology we use today makes our lives easier (sometimes). However this same technology introduces risk:
- Identity theft (impersonating)
- Cyber-war (facilitating)
- Terrorism (facilitating)

Some of the technologies we use today have a certain element of risk:

- Linkedin can be used to impersonate you

- Facebook can be use to collect information on you and your friends

- Unpatched windows can be used to propagate botnets, these computer once infected can be use to launch cyber-warfare (see case of Estonia attack)

- Twitter can be use to track you and has been used by Terrorist during the attack in India

- Skype and peer to peer, both these technologies can help bypass legal interception and avoid detection

- Google earth and World of Warcraft has been used by terrorist for planning and training

All the technologies we use today have both a good and bad side.

Screen Passwords

2008-12-24T18:27:00.000+03:00

The following cartoon from Dilbert introduces the importance of screen passwords in a funny way.

Difference between traditional crime and Identity Theft

2008-07-01T23:33:00.000+04:00

This short audio clip provide a funny view of Identity Theft. Useful for security awareness programs.

What makes the net so different?

2008-04-01T17:53:00.002+04:00

One of the challenges of implementing security awareness campaign is to explain to end users the internet ("net") and its complexity. One always says a picture is worth a thousand words, the following video introduces the "net" in a simple way:

Failures of Disk Encryption

2008-02-24T07:56:00.002+03:00

"Security is not a product but a skilled continuous process which requires thought..." Jorge Sebastiao, 1999.

Even for the best technologies there is always a weak point which must be addressed, in this case Disk Encryption as its weakness. The weakness is that even in memory the keys exist in some readable format, if we can get to it, then it is game over:

Social engineering targets jobseekers

2008-02-10T23:16:00.000+03:00

Social engineering for profit see no limits. This time the social engineer aka Hackers are targeting the job seekers by creating a fake web site which is collecting:
- personal data
- CV information
- fees for visa processing (profit motive)

Please find the links to the original site:
- Real Ministry of Labor http://www.mol.gov.ae/
and the fake site
- Fake Ministry of Labor http://www.uaeministryoflabour.tk/

Real site and Fake site are mirror copies of each other as pictured below.
More details about the story can also be found here.

Security Issues with social networks

2008-02-05T22:18:00.000+03:00

I have been using heavily social networks for the past 3 years, started with linkedin can now reach over 7,000,000 persons online. So the power of the technology is really incredible. Theses are some of the top ones I use:

linkedin
xing
ecademy
plaxo
youtube
slideshare
twitter
mypodcast
lastfm
myspace
face book
...

But these social networks practical experiences are bring in some important questions (which will try to address over this year posts). Some of the main security issues I see are:

propagation of malware (virus, trojans, keyloggers)
defacement of profile, impact in public image
who owns the data? some networks make it easy to get the data in but very difficult out (usage of images to protect contact information)
how to archive and backup this data? who is responsible?
how to delete the data permanently if required?
predator attacks against minors and kids (parents must learn new ropes)
identity theft, impersonation
how to maintain so many user IDs (opendID is trying to address this)
how to move data from one site, application to the other (open social is work on this), some users have seen this usage blocked after using automated conversion, migration tools
how to do investigations, forensics on so many sites to track down criminals effectively
how to separate between business, and personal lives?
effects on corporate information
leakages
effects on corporate productivity

In short network, do business, have fun, but becarefull out-there.

More details on:

2008 Security Priorities

2008-02-01T20:54:00.000+03:00

Just finished conducting a poll with the help of Plaxo on security priorities of 2008. About 9% of the persons requested replied (from a poll size of approximately 2000 persons 183 replied).

The top 3 areas of focus are therefore:
- Governance and compliance
- Infrastructure security
- Business Continuity and Disaster Recovery (as mentioned by some in the survey comments, the BCP, DRP issue is much bigger then being just part of security, we all agreed on this ...)

So what are your plans for security for 2008... Be ready as this year will be full of events.

Identity Theft Slidecast

2008-01-30T20:18:00.000+03:00

Identity Theft continuous to become an increase threat to security and must be address by using regular awareness sessions with end-users.
The following is an identity theft slidecast and podcast which is simultaneously published on slideshare (slides and audio) and mypodcast (audit only)
...

| View | Upload your own

Are you ready for Cyberwar?

2008-01-29T18:27:00.000+03:00

Last year I wrote about the events of cyberwar between Estonia and Russia. Other ones have happened recently as well such as:

between USA and China, (more covert activities and experimentation)
between AlQaeda and USA
between North and South Korea
between India and Pakistan
....

In any cyberwar there are: "cyberwarriors", targets (key infrastructure such as financial institutions, government, utilities) and collateral damage (potentially your innocent business). So are we ready? Do we understand the dangers? A recent story in CSO magazine highlight the threat level and readiness of given countries as they focus resources for cyberwar.

Country	Est Mil Budget	Status	Est Threat
China	$56B	complex	4.78
Russia	$44B	complex	4.39
Iran	$9.7B	advanced	3.79
N Korea	$5.2B	advanced	3.03
Libya	$1.3B	advanced	2.86

from this table we notice both China and Russia devoting a substantial military budget and having acquired a complex infrastructure with associated Threat level (ranked from 1 to 5, 5 being highest)
More details on this story can be found here.

UK government mandates encrypted Laptops

2008-01-26T02:01:00.000+03:00

In response to the one of the largest disclosures of information in history the UK government responds with policy which mandates the usage of encryption on laptops and media devices when taken away from the offices.
An email was sent to all UK civil servants (government employees) which informs them of the new policy--"prohibts laptops and hard drives containing sensitive data from being taken out of the government buildings unless the devices are encrypted.
More details on this story are contained here:
- Vunet News
- MOD information Security
This is good news for organization like Secude which offer advanced solutions for hard disk encryption and laptop encryption.

Largest Bank Fraud $ 7 Billion dollars

2008-01-22T19:12:00.001+03:00

French bank SOCGEN, Societe General is the victim of the largest bank fraud of the year total amount $7Billion (over €5billion Euros). A junior trader Jerome Kerviel makes trades that cause the bank substantial losses. Jerome is capable of hidding is actions by modifying the information in the Banks computers.

The trader was able to create fictitious accounts to hide is actions; and support this with falsified documents. In short massive risk, massive losses and total lack of appropriate controls.

In security there is a simple concept known as dual control; under this control critical system transactions of system information can not be updated by a single individual but requires approval and verification from another party or employee in the organization (these controls are contained in the most basic and simple accounting systems). Why were such controls absent or ignored, I am sure the investigations and postmortem analysis will provide plenty of reading....
D.K. Matai good friend and Chairman of Asymmetric Threats also discusses the topic in MI2G press release postings.
Some more recent updates on the story are contained here:
- Reuters Time Line
- Telegraph UK
- the company explanation
- Financial Times