Saturday, December 25, 2010

Sunday, December 19, 2010

17 Dec Security Roundup on the week that was

Symantec, a leading security product vendor released the Global Intelligence Quarterly for June-Sept 10. There were two findings of special interest. The first was on the brands affected by phishing attacks. Phishing attacks are attempts to spoof company websites to fool consumers into entering their identity and authentication credentials such as banking and credit card details, which can later be used to make fraudulent purchases or transactions. At the top of the list, 73% of phishing attacks were directed towards financial institutions such as banks. What caught my attention was the number 2 position, which at 11% was taken up by ISP’s. This statistic attains great significance as ISP credentials provide access to an email account, which may in turn expose a wide range of other social networking, and financial accounts. All a hacker needs to do is to click on the “forgot” password option on company websites, which in turn conveniently mails a temporary password to the compromised email account.
The second was the report that 38% of data loss is caused due to theft of computers or flash drives (also commonly known as USB drives or pen drives). Annually, around 500 million external and internal hard drives and 300 million flash drives are sold each year.
How many of us actually remember where all our flash drives are and what information is on them?
Flash drives are very susceptible to theft, disposure without or with simple content deletion and inadvertent loss due to misplacement. Information on these flash drives may find their way to media, competitors or criminals. An important point to be aware of is that the use of the “Empty Recycle bin” functionality in Windows or deleting files using the 'Delete' button, doesn't really delete files from your computer, removable disks, USB-flash drives, memory sticks, or flash memory cards. The operation just removes the reference to the file but the file still exists and can be recovered with off the shelf software.
Besides theft, hard drives that contain an even greater amount of data are normally not properly erased before disposal. Disposal mechanism normally includes donation, and sale resulting in easy access to these drives. There is a much publicized BBC news report about NASA selling shuttle PC’s without wiping top secret data. An investigation unveiled 10 cases where PCs were sold despite failing data removal procedures and another four PCs - which were about to be sold - were found to contain data restricted under arms control rules. Many organizations do not have properly implemented hard disk disposal policies. For less than 100 dollars, one can purchase data recovery software, which recovers corporate and individual information from inadequately erased hard disks sold on auction sites.

Recommendations


Phishing attacks can be mitigated through self awareness. After all, it’s the user who loses the money. The simplest method is to verify websites is through the SSL certificate, seen as a lock icon in the browser bar and additional site authentication certificates like VeriSign Secured Seal A user needs to click on the browser icon or VeriSign Secured seal to verify the site url they authenticate. This is vital to the verification process.

Handle USB’s carefully, prevent misplacement, and securely erase all files prior to disposal. To securely erase a flash drive you may need to procure special purpose wiping software or you could exhaust the USB memory by copying non essential log data or large commonly available files downloaded from the Internet onto it. This process will make it quite difficult to recover over written data, but will become tedious as flash memory sizes increase.

Saturday, December 11, 2010

3rd Dec Security Round up the week that was

This week will go down in cyber history as the first cyber war, brought about by the attempt to shut down Wikileaks and arrest Julian Assange unleashed angry protests and retaliatory responses on organizations that denied Wikileaks hosting, funds transfer or domain registration. 
Retaliatory responses were in the form of a distributed denial of service (DDOS) attack, in which hundreds of computers sent traffic towards a particular web domain choking bandwidth, exhausting site compute power and preventing access to customers through severely degraded services or site unavailability. For the record, all targeted sites stuttered and eventually went offline for several hours even though many belonged to organizations with massive redundant IT infrastructure.
These DDOS attacks were set-up using over 30,000 computers in a sustained and coordinated attack. Interestingly, while the modus operandi was the same, the attack came in two flavors, a volunteer and a non volunteered initiated attack. The non volunteered attack used a network of malware infected desktops firing traffic bursts without the owner’s knowledge. Technically called a botnet, it is a group of bots which act in a master slave fashion. The master initiates an attack sequence and the bot fires a traffic burst. A bot is a malware downloaded unknowingly while surfing malicious websites, downloading movies, music and documents or using seemingly innocuous programs on social networks and mobile application stores.
What fascinated me most was the volunteer based attack, where over 43,000 volunteers downloaded a modified stress testing program called the low orbit ion cannon (LOIC) and clicked a button to become part of a network that fired traffic bursts at targeted sites. This activity is reminiscent of mob mentality, wherein normally rational individuals engaged in crowd fueled mania, end up committing acts unimaginable in normal circumstances.  What is frightfully evident is the success of the volunteer approach, in convincing people to willingly download a malicious program (in this case a modified opensource application) from an unknown underground organization unmindful of the consequences of punishment under cyber laws or disguised malware.
In the real world when right groups or unions rise up in protest, they block roads, sabotage machinery, and prevent employees from entering factory premises. Today’s cyber protest targeting online properties could become a trend or a new reality. Employees who know of vulnerable spots in an organisations online infrastructure can be exceedingly destructive in compromising data and infrastructure assets.  The impact may be severe as normally reserved employees, their friends and communities may be encouraged to participate, as in this form of protest there are no victims or physical damages and hence few moral repercussions.  
Recommendations: 
Businesses should evaluate the consequence and risk of online cyber reprisal from citizens or employees in protest of their actions or policies. I believe this may become a reality in the future. Besides the embarrassing consequence such protests bring about, it would be difficult to prosecute protesting citizens and employees.


Wednesday, December 8, 2010

Arrest of Julian Assange, the Wikileaks founder starts the first war in Cyber Space

The first war of the cyber world is taking place and it is not between two nations, but the angry uprising of Hackers or Hacktivists who believe in free speech on the Internet. Triggered by the arrest of Julian Assange, counter strikes have been initiated against all sites that refused Wikileaks hosting, DNS, and payment services and websites of government officials and departments that tried to stop the redistribution of Wikileaks content.

Wikileaks has released an insurance file probably to protect the life of Julian Assange and other Wikileaks members. The huge file, posted on the Afghan War page at the Wikileaks site, is 1.4 GB and is encrypted with AES256. No one knows what the file contains in it.

This event demonstrates the idealism which hackers had in the late 90’s, in reinforcing the importance of free speech, adequately priced services and liberty, is alive and much more powerful. The attack power used is a fraction of the immense potential that can be unleashed if malware unconsciously downloaded by millions of users is activated by their controllers. Such power could cripple the online economy of a country not just a site.

Recommendation:

Popular news events are exploited by hackers to trick people into downloading malware onto their computers. People are lured to fictitious news sites or may be sent mails with a save Wikileaks campaigns or even offered modified copies of the insurance file.

 I would recommend reading WiKiLeaks news on reputed websites, not opening any Internet campaign attachment (there is no such official campaign yet) and not to download the Wikileaks file from any site. If you must, get the file from the official site, it may be safer.

Saturday, December 4, 2010

26th Nov 10 Security round up of the week that was

Dangers of Social Networking

A news report blamed Face book and Twitter for 1 in 5 divorces in US as there is a spike in the number of cases that use tweets, posts, pictures from these sites as evidence against cheating. Privacy in social networks has always been a concern given inadequate privacy settings, technical glitches and advertising interests. Increasingly with over 500 million users social networking sites are a defacto social meeting place, so much so that dating activity on dating sites has started to drop.

Recommendation: - Limit information on social networks and ensure that privacy settings are set knowingly. Social networks are safe if used carefully.

Speaking of dating, there is always a hidden danger in a face to face meeting with a person you met online. The outcome may always be risky as the anonymity behind social networks mask criminals and antisocial elements behind plagiarized images of pretty faces. In two separate instances these turned perilous when boys who went for face to face meetings with girls they met online, ended up in the clutches of criminals. One boy was drugged, robbed of all valuables and end up in an intensive care unit and the other robbed and beaten severely.

Recommendation: - Online chatting though it may seem harmless can result in physical dangers during face to face contact. Teenagers are most susceptible. Such contact may also result in cyber harassment, blackmail and bullying. Social networks are safe if used carefully.

Loose Talk

Talking in the GYM has become life threatening. Conversations between groups of Builders and Jewelers in a Mumbai GYM were reportedly picked up by the underworld through a network of GYM Trainers who listened in. The underworld issued extortion demands, which if not met, resulted in physical threats, intimidation through random firing outside builder’s offices or in some cases assassination.

Recommendation: Ensure that confidential matters are discussed in closed rooms and not open places. One does not know who maybe listening. Tone down any tendency to be loud on phones or to discuss confidential issues in public places

Legal Interception and Privacy

In the Indian 2G Telecom scam, spectrum was allegedly sold to unqualified buyers at a low price resulting in an enormous loss to the exchequer. Taped conversations between a political lobbyist and industrialists, media and politicians intercepted by investigators were released on You Tube and via the media. Out of 5000 recordings a newspaper report stated 104 were out in public. The recordings damaged the reputation of top industrialists, telecom firms, journalists and politicians as many conversations leaked were unrelated to the scam. .
The interception of the lobbyist’s phone calls was legally done by the investigation body under Section 5 of the Indian Telegraph Act. But several questions arise.
• How did these leaks occur?
• Did they occur through the investigation agency or the service provider where the calls were intercepted?
• Were the conversation leaked to fuel media pressure or to damage the reputation of firms and its senior employees?
• Are our procedures for protecting intercepted information adequate or in need of an overhaul?
• Do we have a process for background checks of people doing the interceptions?
• How limited is the role of the telecom service provider given the lack of technical knowhow on the systems used for interception by the investigators?
• Are there third parties other than the investigators and service provider who may have access to these tapes?
A leading industrialist has filed a plea for privacy in the Supreme Court and investigations are on into the source of the leaks. I hope that we have enforcement of laws that punishes such acts in India.

Recommendation: - Phone conversations may not be as secure as one imagines them to be. Increasingly new technology is being made available where hackers can intercept calls over the air. The protocols used by GSM networks are old and proprietary.

WikiLeaks – The Saga continues

Julian Assange is on the run. Equipped with a laptop and a cell connection he continues to manage his Wikileaks empire even with an Interpol Red Alert on him, and a massive site denial of service attack by Jester, a so called political hacker. This has not stopped the distribution of a new round of documents on US policy. Amazon the cloud based service provider which hosted WikiLeaks has taken down the site from its US servers, perhaps under pressure from the government to curb distribution.
A CNN news statement titled, “Government Agencies warn employees not to look at WikiLeaks” stated that the White House Office of Management and Budget sent a memo Friday afternoon forbidding federal government employees and contractors from accessing classified documents publicly available on WikiLeaks and other websites using computers or devices like BlackBerrys and smart phones. The memo, explains that the publishing by WikiLeaks does "not alter the documents' classified status or automatically result in declassification of the documents.

Speak about closing the coop once the birds have flown.

Recommendation: The US and perhaps other governments are vigorously attempting to curb the leaks. In today’s Internet age, even with vast resources at their disposal, shutting up WikiLeaks has not been successful. Governments will need to enhance their information classification policies and back them up with technical security controls to prevent leaks occurring rather than control them later. I trust this incident does not affect Internet free speech and give added impetuous to governments imposing regulations on its use.


A biography from Julian will be a best seller or a sensational movie.

Read my earlier blog post debating the ethical angle of hacktivism