On the move

Security Circus has moved to its new home at http://www.security-samurai.net/

Please update your bookmarks and join us in the dojo!

Google Hacking

Remember Johnny Long's Google Hacking database?

Well it's back


The team at Exploit Database have recently resurrected the GHDB to help you harness the power of Google to do reconnaissance or just be nosey. Use it to check out your webservers, your network and your users before the bad guys do!

Sadness...is a lost laptop

Oh dear. This is just depressing...

If the UK MoD can't get something this basic right, is there any hope for those of us tasked with educating uninterested corporate users?

The Toshiba Satellite A30 is an older laptop, so it was probably running XP rather than the BitLocker-capable Vista or Windows 7, but still...

I hope the Taliban/Al Qaeda/Threat of the Month don't use eBay!

"The Great Cyberheist"

The New York Times have an interesting article up on Albert Gonzalez, the hacker-turned-informer-turned-double-agent who was a key part of the ShadowCrew and who committed (amongst other things) the intrusions at Heartland Payments and TJ Maxx that netted over 94,000,000 credit cards.

Although it doesn't go into technical details, it is worth a read for an interesting insider view.

Fashion sense?

A friend passed along a link to the must-have accessory for the aspiring data smuggler this year: USB Flashdrive cufflinks!

Of course hidden USB drives are nothing new, from USB drive Barbie, a ChapStick, chewing gum or a cigarette lighter to the 'hiding in plain sight' USB bowling ball drive!

I hope it holds more than 64MB!

If they're all too big you can go for a MicroSD card hidden inside a coin instead (just don't spend it by accident!).

The point of bringing up these amusing and imaginative storage devices is that it's trivially easy to transfer large quantities of data in a non-obvious fashion (well, except for that bowling ball...). The best way to protect against them all is to put your defences on the data itself; if you allow the use of unfettered USB storage and are protecting portable confidential information, have some kind of host-based DLP strategy.

As for the USB cufflinks, I don't claim to know much about fashion, but they're ugly enough that a strictly enforced dress code might protect you...

The stealth cloud

ITworld have an interesting article on what they're calling the 'stealth cloud'. It's not exactly a new concept; bigger companies have had to deal with the 'shadow IT' problem for some time now.

How to spot a Shadow IT user...

However the recent proliferation of cloud service providers has the potential to greatly exacerbate the problem. As organizations already struggle with governance and meeting requirements such as SOX, PCI-DSS, privacy laws and industry regulation, having business units run out and sign up to external SaaS/cloud services to fast-track projects sounds like a disaster (if not a lawsuit or breach fine) waiting to happen...

Many of these services are pitched at consumers, who use them and enjoy the benefits of the likes of cloud file storage or a personal online knowledge base. Those same consumers then come to the office and want the same services at work.

So how do you combat the problem? There's no easy answer (like just about everything in security!), but a combination of education/communication (ensure the managers of the business units understand why storing confidential corporate documents via Dropbox is risky) and being prepared to formally evaluate the security and risks of the SaaS/cloud providers, so that the resulting decisions are made out in the open, may go a long way to easing the headache.

It's been said before but is worth saying again: most business computer users have no understanding of security. In a recent conversation an office worker was somewhat shocked to hear that email was not 'secure' or even particularly 'private'. Education and communication are the keys and probably the best way to combat those pesky Shadow IT ninja or Stealth Cloud Shinobi! (since they won't let me bring a katana to work...)

The OS that would not die!

Halloween is not a big deal down under. Certainly when I was a kid, nobody celebrated Halloween, but these days it is starting to pop up more and more. What does Halloween have to do with security, you ask? Well, it seemed quite apt that on Halloween night I saw this article from Computerworld on how 48% of surveyed companies plan to run XP past Microsoft's end of support in 2014.

Now if that isn't scary I don't know what is! While I can understand the pain of needing to test applications, run a pilot group, train users in a new interface and finally roll out a new desktop OS, I suspect it pales in comparison to getting your desktop fleet pwned by the first never-to-be-patched-in-your-OS vulnerability on April 9th 2014.

Don't get me wrong. I liked XP. It did what was needed and was a solid OS. It was rock solid enough to make its successor, Vista, look like crap. I still have it running on one machine at home. But Windows 7 is no Vista. IMO it's worth the switch. Anyway, by 2014 I doubt I'll even still be using Windows 7 (with plans for Windows 8 in 2012), let alone a 13 year old OS!

I don't care how much you 'like it', continuing to use WinXP post April 2014 for your desktops is just asking for trouble. Think about it.... a 13 year old OS. That's akin to using Windows 95 in 2008. Or continuing to use Windows 98 until next year.

Now that's scary!

Unisys Security Index

Unisys have released their latest security index reports, which also have a break-out section for Australia. While this report covers far more than InfoSec (it includes items such as terrorism/national defence, health and financial security) there are sections on Internet security, shopping & banking online and computer security (viruses and spam).

From their summary:
  • Six out of 10 (58%) Australians never secure their mobiles, PDAs or smartphones by using, and regularly changing, a password or PIN. Only 18% say they always secured their mobile device
  • Young Australians are protecting their identities online by limiting the information they post on social networking sites with 70% of 18-34 year olds saying they do it always, compared with only 44% of those aged 50+
  • The top two areas of concern for Australians are ID theft related: Unauthorised access to/misuse of personal information (56%) and other people obtaining/using credit card/debit card details (55%)
Australians are ending the year more relaxed than they started. The overall level of concern on key security issues, tracked by the Unisys Security Index, stands at 115 out of 300, down 8 points compared to April 2010. This reflects a drop in concern for all four areas of security with the biggest fall recorded for national security which has an index of 110 down 11 points since April.

What's interesting is the state-by-state comparison, with people in WA, NSW and VIC more worried (+7%) about Internet security than those in SA and QLD.


Those over in WA seemed to be the most worried overall, topping the lists for all four sections: national security, financial security, internet security and personal security.

Still here!

Things have been quiet here at the Circus, as work and Uni have been in high gear alongside preparing for the CISM exam.

I will hopefully be back on a regular blogging schedule soon, in the meantime here is a gem from reddit.com:
Oh dear.

"Scary Internet Stuff"

Symantec Education have posted some pretty good videos to help explain internet nasties to non-technical people:

#1 Phishing
#2 Botnets
#3 Cybercrime Underground
#4 Drive-By Downloads
#5 Misleading Applications
#6 Denial of Service Attacks
#7 Pests on your PC
#8 Losing your Data
#9 Net Threats

They're quick and easy to watch without being too heavy on the marketing.

Password Reuse

Richard pointed out that the ever-amusing xkcd has a cartoon today that relates to the point I was making in an earlier post (except the bit about google turning evil...didn't that happen already?)

Hack is Whack is hacked yo!

Oh the irony...

HackisWhack...hacked!

'nuff said.

Hack is Whack yo!

It's been a busy time under the Security Circus Big Top of late which has led to a distinct lack of blogging.

But what a busy time it has been in the InfoSec world! What with Intel buying McAfee for almost $8 billion and Snoop Dogg declaring "Hack is Whack!" (which is how the cool kids, in this case Symantec Norton and Snoop, say "please don't commit cybercrimes").

It's been a tumultuous time here down under, with a deadlocked parliament after a recent Federal Election meaning we're in governmental limbo, which must somehow be the cause of the recent week of system outages amongst financial institutions such as the Commonwealth Bank, ANZ Bank and, not to be outdone, Westpac. I can only assume the National Australia Bank (or 'NAB' as they prefer to be called these days) will have an outage tomorrow, as the 'big four' banks like to do everything together*. Not to be left out, the Australian Tax Office (ATO) also had a minor outage today. Whatever happened to testing patches? Hmmm.

Time fo' me to bounce off to my crib with my homeys and bust some phat cyphers to win that grand prize and meet Snoop!

Waitaminute.... "2 tickets to Snoop concert, meet his mgmt/agent, Toshiba Laptop"

Meet his mgmt/agent?

Weak? fo'shizzle!

*for the non-Australians, these four major banks have been accused of interest rate collusion in the past...

Pizza, passwords and octopus!

I've been meaning to post this for a little while, ever since I read about the data breach that occurred 'across the ditch' at the popular 'Hell Pizza'.

The cause of the breach was some spectacularly bad development work that had the Flash front-end making effectively unrestricted SQL calls to the back-end database. The database contained customer name and address details, their order history and their unencrypted password for the site.

But it's only a pizza website? Who cares!

The problem is that many people use the same password (or a variation thereof) on a wide variety of websites, pizza websites included. When the pizza website gets hacked for usernames, email addresses and passwords, you can bet that someone will try to use those same credentials (or a variation) against other sites, such as webmail, social networking and Internet banking. That 'lowly' pizza website and its abysmal security may have just trumped your higher-security Internet banking or webmail site.
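To make the two failings concrete, here is an added example (my own illustration, not Hell Pizza's code or anything from the breach write-up) showing a login lookup written the way the description above suggests, with client input pasted straight into the SQL and passwords stored in the clear, beside a hardened version that binds parameters and stores only a salted PBKDF2 hash. The customer rows are constructed sample data and the database is an in-memory SQLite instance.

```python
"""Vulnerable vs hardened credential lookup (added example, not the site's code)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; not real customer data.
SAMPLE_CUSTOMERS = [("alice@example.com", "pizza123"), ("bob@example.com", "hunter2")]


def _pbkdf2(password, salt):
    """Salted, iterated hash so a dumped table does not hand over passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_db():
    """Two tables side by side: the 'as breached' layout and the hardened one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password TEXT)")
    conn.execute("CREATE TABLE customers_hashed (email TEXT, salt BLOB, digest BLOB)")
    for email, pw in SAMPLE_CUSTOMERS:
        conn.execute("INSERT INTO customers VALUES (?, ?)", (email, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO customers_hashed VALUES (?, ?, ?)",
                     (email, salt, _pbkdf2(pw, salt)))
    conn.commit()
    return conn


def vulnerable_login(conn, email, password):
    """Client-supplied strings become part of the statement text, so a quote
    character in either field changes what the query means."""
    sql = ("SELECT email FROM customers WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return conn.execute(sql).fetchone() is not None


def hardened_login(conn, email, password):
    """The statement text is fixed; the driver binds the value separately, and
    the comparison is against a salted hash in constant time."""
    row = conn.execute("SELECT salt, digest FROM customers_hashed WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


def plaintext_passwords_exposed(conn, table):
    """What a dump of the table hands an attacker: True if any stored value is
    one of the sample passwords in the clear. `table` is one of our two fixed
    table names, not user input."""
    known = {pw for _, pw in SAMPLE_CUSTOMERS}
    rows = conn.execute("SELECT * FROM %s" % table).fetchall()
    return any(isinstance(v, str) and v in known for row in rows for v in row)


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"
    print("vulnerable, injected:", vulnerable_login(db, "alice@example.com", tautology))
    print("hardened, injected:  ", hardened_login(db, "alice@example.com", tautology))
    print("plaintext dump leaks:", plaintext_passwords_exposed(db, "customers"),
          plaintext_passwords_exposed(db, "customers_hashed"))
```

The hardened version fixes both problems independently: parameter binding stops the query text from being rewritten by the client, and the salted hash means that even a full table dump (which is what the breach exposed) does not give away the passwords that customers reuse elsewhere.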

It's the same old problem we always have with passwords, that people simply have to remember too many passwords. A Microsoft study [pdf] from back in 2007 found that: "the average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day".
From informal discussions I've had with friends and family, I'm surprised the number is 6.5 passwords as the feedback I've received is that the number is closer to 3-4 different passwords.

Unfortunately password-based authentication isn't going anywhere anytime soon, so the advice I give to non-IT people (on top of using complex, non-dictionary, unrelated passwords) is to set themselves up with some different 'levels' of passwords.
The bottom level is a 'throwaway' password that you can use for anything that really doesn't matter - your pizza website, one-off registrations to download documents or software or other sites you rarely ever frequent or suspect of low security standards (like internet forums).
The next level of password is for your more frequently used sites with generally better security, like social networking or webmail sites. (While I'd advise to keep social networking and webmail passwords separate, I'm working on the 3-4 password theory...).
The next level of password is your 'online shopping' passwords, such as Amazon or eBay. This is for the types of sites where a password breach could run up a serious bill on your credit cards.
Finally the last password level is your 'high security' password, solely used for internet banking. The important part about the high security password is not only that it is strong, but it is not used anywhere else.

While I admit the above is far from perfect, neither are passwords or people! At least by following that advice your average Internet user might be somewhat better protected than by using the same password everywhere.....

Onto another tasty subject, octopus! (in fact octopi! Or is it octopuses?)

Octopus #1:
A hacker in Japan has been arrested for releasing a virus that overwrites files on your PC with manga pictures of Octopuses and Squid. The funny part? It's the second time he's been arrested for this. Two years ago he was arrested for the same thing and charged with copyright infringement as he used copyrighted manga images. To show that Mrs Nakatsuji raised no fool, this time he used images he drew himself so he couldn't be charged with copyright infringement again! While I hope Japan has revised their computer crime laws since his first arrest, you have to admire his logic!

Octopus #2: The Octopus card is a common smart payment card in use in Hong Kong that is used in the MTR subway, convenience stores and fast food restaurants like McDonalds. Everyone I know in Hong Kong has one, and as a frequent visitor over there I have one in my wallet right now. Well it seems that the card issuer had sold the personal data of nearly 2 million customers to six business partners for HK$44 million over the past four years, the exposure of which has led to the resignation of their Chief Executive. For all the good work we security people may do in protecting our corporate data from the 'bad guys', it is all for nought if the bad guys are in the boardroom....

Now all this talk of Octopus and pizza has made me hungry! I wonder if Hell Pizza deliver to Australia?

Social Engineering CTF

Social engineering is back! Did it go away? Not really, but it's back in the mainstream news. One of the competitions at DefCon this year has been a 'social engineering contest', where contestants were given a list of information they had to obtain and a target company they had to obtain it from.
They were given a limited amount of time to get as much of the information as they could. And the result? Not good.
We've touched upon social engineering before, and unless (or even if) you're a super-secret organization with highly trained personnel it is something that is damn near impossible to stop. I would imagine it is easier to do against larger companies (such as those targeted in the contest: the likes of Apple, Microsoft, Cisco, Ford, Coke and BP), especially those with areas that routinely deal with the public and whose staff are encouraged and trained to be helpful and friendly.

Only 3 out of the 50+ employees contacted by the competitors were skeptical enough to hang up without providing information (and all three were women....so much for the skeptical male stereotype!). Apparently:

"People went as far as opening up their e-mail clients, Adobe Reader, versions of Microsoft Word, and clicking on 'Help/About' and giving the exact version numbers of their software," said Aharoni. "For an attacker, the exact version number would provide a much higher level of success," allowing an attack to be tailored to exploit a vulnerability in that exact program.

The contest was sponsored by social-engineer.org who seek to "Exploit the HumanOS".

While I can see the validity of the contest, I hope the details of those called are not released, to avoid any punishment or ridicule from their employers or fellow workers. The urge to be helpful is part of human nature and it is a sad fact that there are those who will exploit and manipulate that nature for their own ends.

Time to go and review your Security Awareness training...

Cloudy Weather

The Cloud. These days it seems all-encompassing and inescapable. Perhaps we should have called it 'fog computing', as it seems to have the ability to bamboozle and confuse non-techie types with promises of milk and honey for little or no effort. While it certainly has its merits, a lack of true definition and standards shows its immaturity at present.

But even in the world of magical clouds there's a dark side, for with greater availability of cheap computing power comes the opportunity for shady types, or in this case researchers, to use the 'power of the cloud' to crack WPA encryption. WPACracker allows you to run a 285 million word dictionary-based attack to crack WPA-PSK and ZIP file encryption. Purely for research purposes, of course!

Using clouds or 'cloud-like' constructs for crime is nothing new, as shown by the prevalence of botnets such as the massive Conficker botnet (estimated at 10-15 million hosts) or the spam-spewing Cutwail botnet that could blast out 74,000,000,000 spam messages a day (that's 51,000,000 a minute!).

While I'm on Cloud matters, I spotted a recent interesting little tidbit about personal cloud storage provider Evernote. It seems for their customers, security is an add-on extra that is only available to premium subscribers....

Apparently 'excellent security' means encrypting authentication information only with the remainder sent in the clear. Are we past the age of better security being basically a good idea or advertised as a lure for customers and it turning into a premium extra charge? I hope not.

(thanks for some of the info in the post above to a Circus contributor who must remain anonymous - you know who you are!)

autopwn

Microsoft have recently released an advisory, "Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution", for a new 0-day that is currently being exploited.

While it can be exploited via network or webdav shares, it is removable drives that are the most likely vector for exploitation. A big part of that is our old friend, autorun, that has been the cause of problems before.

If you haven't yet disabled autorun in your organization, I strongly suggest you look into it. Microsoft have some details on how to accomplish this here:

Also I recently stumbled across this little gem from ex-MS (now Amazon) Security guru Steve Riley:

Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

I hadn't seen that registry key mentioned before, but it looks well worth investigating...

Extreme Pentest

I recently came across this blog entry from the SNOsoft research team (aka NetraGard) describing in some detail a rather extensive penetration test for a 'mid-sized' bank.

The pentest was undertaken not to identify all points of risk, but instead to identify how deeply the pentesters could penetrate. It was the unusual approach and the use of social networking reconnaissance and social engineering that caught my eye:

In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT related job openings that disclosed interesting and useful technical information about the bank. That information included but was not limited to what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.

Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.

We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and start asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use and we also learned what the policies were for controlling outbound network traffic.

From there they were able to identify key employees and eventually email a dodgy trojan PDF that could evade the company's AV and, in the end, capture the DCs. Game over.

I doubt many companies would have an external party go to this extreme to test their defences, even banks. I wonder how many companies would have sufficient defences to resist this type of assault?

They also have an interesting blog post entitled “FaceBook from the hackers perspective“ that is worth a read.

Twitter Trouble

While playing with my new iPad, I came across an interesting article on The Last Watchdog about the US Federal Trade Commission's complaint against Twitter.

I'd read about Twitter's security breach in April last year, where an employee's personal email account was hacked and provided admin passwords to the social networking site, but had somehow missed the earlier breach where apparently nothing more complicated than a brute force attack revealed the site's weak, lower-case, common dictionary word administrative password!

From the article, some of the major points from the FTC's complaint concern Twitter's failure to take reasonable steps such as:
  • Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
  • Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
  • Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
  • Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
  • Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
  • Restricting access to administrative controls to employees whose jobs required it
  • Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses
Additionally Twitter are "barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years".
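Several of the controls in that list are straightforward to enforce in code. The following is an added example of my own (not Twitter's code and not taken from the FTC complaint) of an administrative login that rejects the kind of password the complaint describes (short, lower-case only, or a common dictionary word), locks the account after a fixed number of failed attempts, and restricts the admin login to an IP allow-list. The word list, usernames, networks and addresses are constructed sample values; a real deployment would use a full dictionary, a persistent store and an audit log.

```python
"""Admin login policy: password strength, lockout and IP restriction (added example)."""
import hashlib
import hmac
import ipaddress
import os

# Constructed mini word list standing in for a real dictionary.
COMMON_WORDS = {"password", "happiness", "twitter", "letmein", "welcome"}
MAX_FAILED_ATTEMPTS = 5
MIN_LENGTH = 12


def password_is_acceptable(pw):
    """Reject short, single-character-class or dictionary-word admin passwords."""
    if len(pw) < MIN_LENGTH or pw.lower() in COMMON_WORDS:
        return False
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def hash_password(pw, salt=None):
    """Salted PBKDF2 so the stored value is never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class AdminAccount:
    def __init__(self, username, salt, digest):
        self.username = username
        self.salt = salt
        self.digest = digest
        self.failed_attempts = 0
        self.locked = False


class AdminLogin:
    """A separate admin login endpoint reachable only from allowed networks."""

    def __init__(self, allowed_networks):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.accounts = {}

    def add_account(self, username, pw):
        if not password_is_acceptable(pw):
            raise ValueError("password does not meet the admin policy")
        salt, digest = hash_password(pw)
        self.accounts[username] = AdminAccount(username, salt, digest)

    def attempt(self, username, pw, source_ip):
        """Return 'ok', 'denied_ip', 'locked' or 'bad_credentials'."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed):
            return "denied_ip"          # never even reach the password check
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_credentials"    # same answer as a wrong password
        if acct.locked:
            return "locked"
        _, digest = hash_password(pw, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # stays locked until an admin resets it
        return "bad_credentials"


if __name__ == "__main__":
    login = AdminLogin(["10.0.0.0/8"])          # constructed internal range
    login.add_account("admin", "Correct-Horse-42")
    print(login.attempt("admin", "Correct-Horse-42", "203.0.113.5"))  # denied_ip
    for _ in range(MAX_FAILED_ATTEMPTS):
        login.attempt("admin", "happiness", "10.1.2.3")
    print(login.attempt("admin", "Correct-Horse-42", "10.1.2.3"))    # locked
```

Note that the lockout counter only ever increments from an allowed address, so an attacker outside the allow-list cannot use the lockout to deny service to the real administrators; that is the reason the IP check comes first.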

Hackers, Fraudsters and Politicians.

The House Standing Committee on Communications have released the results of their findings into Cybercrime in a report entitled Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime.

I haven't had a chance to digest the near 300-page document yet, but news.com.au has reported some interesting excerpts from it:

Among its final 34 recommendations were:

— The creation of an around-the-clock cyber crime helpline.

— Changes to the law to make unauthorised installation of software illegal.

— Companies who release IT products with security vulnerabilities should be open to claims for compensation by consumers.

That last point seems to be the most potentially controversial and problematic, but I'll hold judgement until I've had a chance to read the entire report...

BYO Forensic Lab

After recently reading and learning about the requirements for setting up a forensic laboratory, I did a little more research into the subject and came across a fairly recent article on csoonline.com entitled "How to Build Your Own Digital Forensics Lab - for Cheap". While the article is fairly brief and doesn't go into issues such as chain of custody or the capture of volatile data, the author does provide some cool tips on making a USB device read-only and points to some free tools for imaging a suspect's disk.

The article also has a link to the handy little "Secret Service's Best Practices For Seizing Electronic Evidence, Pocket Guide for First Responders" [pdf] which has tips such as photographing the screen before powering off a suspect machine and performing the power-down by yanking the power cord (and where appropriate removing the battery). For servers in a business it recommends not yanking out the power cord, but calling a pro and restricting access to avoid damaging the system, disrupting legitimate business and (of course!) reducing the potential for officer and department liability.

It's a cool little guide and an interesting insight into law enforcement procedures.

Top 10 Hollywood Stupid Hackers

News.com.au has a fun little gallery on the "Top 10 Hollywood Stupid Hackers" covering films from 'the Net' and 'Firewall' to 'Tron' and 'Jurassic Park'.

They did miss 'Swordfish', which showed that hacking was all about how quickly you can mash the keyboard...

Best quote of the lot: "I shouldn't have written all of those tank programs" by Kevin Flynn (Jeff Bridges) in TRON.

Wii Forensics

A recent article on Networkworld.com mentions how difficult it can be to recover information from smartphones and game consoles.

I can imagine smartphones are particularly difficult, given the constantly changing nature of the hardware in use and the proliferation of mobile operating systems such as Windows Mobile 7, Android, iPhone OS, WebOS and BlackBerry OS. The modified or custom file systems can also be challenging, as I've read that the Xbox 360 uses FATX and that the PS3 uses a proprietary version of ext2.

However a particular quote from the article that caught my eye was "You can take a Wii onto the Internet and it doesn't save sites or browser history....If you type in a Web address and surf, 10 minutes later there's no record of it." Intrigued by this comment, a bit more digging came up with this paper [pdf] on Wii Forensics.

Dr Turnbull highlights the lack of internal storage (excluding the 256MB flash memory) and proprietary file system as being some of the difficulties in Wii Forensic analysis. The paper makes for interesting reading.

Shout outs

A couple of plugs for blogs of friends:

Fellow AISA member Steven Atcheson has recently started his own Information Security related blog called 'Keeping it Simple'.

Another friend, Tim Davoren of ENSTOR also has a blog largely based around storage, backup and disaster recovery called Dav's Disorder.

CSIRT

ENISA (the European Network and Information Security Agency) have freely released a lot of materials on setting up a CSIRT or CERT.

The step-by-step guide [pdf] seems like a great starting point and they even include exercise materials.

They also have a section on CSIRT-related tools which lists useful tools for every stage of an investigation.

National Cyber Security Awareness Week

It's National Cyber Security Awareness week this week (6–11 June)

From the website:
National Cyber Security Awareness Week is an annual initiative of the Australian Government held in partnership with industry, community and consumer groups and state and territory governments.

It is designed to raise awareness among Australians of cyber security risks and simple steps they can take to protect their personal and financial information online.

National Cyber Security Awareness Week 2010 is from 6 to 11 June. It will promote six easy tips for better online security:

1. Install security software and update it regularly.
2. Turn on automatic updates so that all your software receives the latest fixes.
3. Get a stronger password and change it at least twice a year.
4. Stop and think before you click on links or attachments.
5. Stop and think before you share any personal or financial information about yourself or your friends and family.
6. Know what your children are doing online. Make sure they know to stay safe and encourage them to report anything suspicious.

Forensics & Virtual Machines

I'm a big fan of virtualization, and have seen first-hand how much of a 'game changer' it has been when it comes to infrastructure. With my recent studies of digital forensics I wondered how virtualization 'changes the game' when it comes to forensics.

In my so-far brief research, there seems to have been a bit written about the use of virtualization in forensic analysis. The paper entitled 'Virtual Forensics' [pdf] from ForensicsFocus.com is an interesting start, discussing VMs as a target and the use of VMs to make analysis easier. This presentation from 2005 is boldly titled "Virtual Machines: The Ultimate Tool for Computer Forensics", while this paper [pdf] claimed that "the environment created by VMWare differs considerably from the original computer system, and because of that VMWare by itself is very unlikely to produce court admissible evidence" and suggests that a hybrid approach of using a standard forensic image along with a VM for analysis is best.

There also seem to be plenty of ready to run virtual machine images or appliances to assist the forensics practitioner, but what happens when the target machine is a VM?

This article from cio.com mentions that one of the potential problems is that VMFS (VMware's file system used to store the 'guest' virtual machine images) is not well understood. A virtual machine is simply files on a disk, but when you want to capture a forensic image of a VM do you simply capture the 'disk files' (e.g. the vmdk file, NVRAM file, etc.) or do you need the underlying host storage volume (the VMFS partition) to capture metadata (such as the last accessed time)?

The sheer size of the VMFS partition may also cause problems (think multi-terabyte LUNs), along with the fact that VMFS partitions may be shared amongst many guest VMs, which may cause problems if a forensic investigator is only authorized to investigate a single machine.

With continuing explosive growth of server virtualization and now the increase in interest in desktop virtualization it will be interesting to see what changes (if any) will be required for digital forensic investigators in the near future.

Crooks & Crypto

"Criminals are a superstitious cowardly lot" said none other than the caped crusader, Batman. But it seems they're a lazy lot too. The Register has an article on how 'belief that they won't get caught' and laziness has meant that the feared widespread use of cryptography by criminals has not come about.

It was this fear that has led governments (most notably the US) to float the idea of criminalizing the use of encryption software or requiring the Government to hold a key in escrow (such as with the Clipper chip).

A few years ago the UK passed a law ("RIPA section 49") requiring suspects to hand over encryption keys when requested or face fines and up to two years in jail. They have since charged suspects under it.

A great piece on the controversy of whether encryption is harmful or not is also available here.

Cryptography is a tool and can be used for good or for ill. Personally I don't believe in a system where the Government holds keys in escrow without unprecedented transparency around who is accessing keys (and why!), and I don't believe such a system would ever be workable. Make cryptography illegal? Well, the 'bad guys' are already breaking the law and only law-abiding citizens would be disadvantaged.

Oh, and I'm more than happy for criminals to remain a lazy, overconfident and superstitious cowardly lot!

HDD decryption

Forensics Focus had an article about some software that "Decrypts TrueCrypt Hard Disks in Minutes". A pretty impressive and scary claim! Wondering how it works? I was too, so a quick visit to the manufacturer's website gives some details on how the software works for HDD decryption:

Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked), extracts all the encryption keys, and decrypts the given volume. Such memory images can be acquired using Passware FireWire Memory Imager (included in Passware Kit Forensic), or third-party tools, such as ManTech Physical Memory Dump Utility or win32dd.

Overall Steps

* Acquire a memory image of the seized computer
* Create an encrypted disk image (required for BitLocker only)
* Run Passware Kit to recover the encryption keys and decrypt the hard disk

So there is no gaping hole in the full disk encryption of BitLocker or TrueCrypt: the software extracts the keys from the forensically captured physical memory while the encrypted volume is mounted. This just further highlights the importance of being able to perform a live acquisition of the physical memory when the use of encryption is suspected...

Hacking a hacker?

While doing some recent reading on Digital Forensics I came across a particularly interesting older case where a Russian hacker was caught by the FBI and charged with computer intrusion and fraud. While this doesn't sound like anything too out of the ordinary, what caught my attention was some of the details.

The FBI alleged that Ivanov and other international hackers gained unauthorized access into computers at CTS Network Services (an ISP) and used them to attack other e-commerce companies, including two credit card processors, where he stole customer financial information and used this information in the usual fraud schemes. Nothing too out of the ordinary so far.

Once the FBI had identified their culprit, in order to make the arrest they lured him and an accomplice to the US on the premise of offering a job as an IT security consultant. When the pair arrived, the FBI had them remotely connect to their machines back in Russia as a demonstration of their skills for the new prospective employer. But not all was as it seemed, as the FBI were keylogging the machines the Russians used in the US and used these captured credentials to connect to the Russian computers and extract the evidence they needed (without a search warrant) to prosecute Ivanov and his accomplice.

Do the ends justify the means? The Russian Federal Security Service, or FSB, didn't think so, and started criminal proceedings against the FBI Agents for unauthorized access to computer information. Meanwhile back in the States, the Agents involved were awarded the director's award for excellence as the case was the first in the bureau's history to "utilize the technique of extra-territorial seizure."

The assistant US District attorney commented that he "wouldn't call it hacking" when discussing the Agents' actions, and a federal judge agreed, rejecting motions filed that sought to suppress the evidence obtained from the computers, with Ivanov eventually being sentenced to three years in prison.

Do, in this case, the ends justify the means? Or is it simply the beginning of a slippery slope allowing state-sanctioned hacking in the name of justice?

This case is an older one and was 'pre-9/11', so I wonder what effect the PATRIOT act has had in the intervening years...

Secure Search

Google have released a beta of their SSL-enabled search page. An interesting concept in that, while it protects the end user while performing searches, any SSL protection is lost when the searcher clicks on a link and goes directly to the desired page.

An important point is: "...Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it."

Personally I'd prefer a version of their search engine that didn't maintain my search data, but given some of Google's other recent actions and CEO Eric Schmidt's views on privacy, I'm guessing it isn't coming soon....

On the other hand they are making the recent awesome interactive 'pac man' google logo a permanent feature! (although not everyone thinks it was a good idea...)

Last Accessed Timestamps

I was speaking with Microsoft Tech Support recently about some disk performance issues and an interesting point came up. On large NTFS volumes, the Enhanced Write Filter performance can be sped up by making a registry change to disable the last access date/time stamps. This disables the last access information written to each file as it is accessed, resulting in faster disk read-access:

In the Registry, under HKLM\System\CurrentControlSet\Control\FileSystem, create the DWORD value NtfsDisableLastAccessUpdate and set it to 1.

(you can also run an fsutil command in Windows 7/2008: fsutil behavior set disablelastaccess 1)

Microsoft like this idea so much, that the default setting in Windows 7 and Windows Server 2008 is to have the last access disabled (something I have verified on my Windows 7 laptop and in a Windows Server 2008 Standard VM).

This has interesting repercussions for security and computer forensics personnel. If nothing else, if left with the default settings, it removes a tool from the investigation arsenal.
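A quick way to check what a given machine actually does, as an added example (not from the post or from Microsoft): the probe below writes a throwaway file, backdates its last-access time, reads it and sees whether the timestamp moved, and a second helper reads the NtfsDisableLastAccessUpdate value on Windows (returning None elsewhere). The probe also works on Linux, where the equivalent is the atime/relatime/noatime mount option, so it goes a little beyond the NTFS case above.

```python
import os
import sys
import tempfile
import time
from typing import Optional


def probe_last_access_updates(directory: Optional[str] = None) -> bool:
    """Empirically test whether reading a file on this volume refreshes its
    last-access timestamp.  Returns True if a read moved the atime forward.

    The probe writes a throwaway file, pushes its atime two days into the
    past (so relatime-style policies on Linux would also refresh it), reads
    it back and compares atime before and after.  On NTFS the answer
    reflects NtfsDisableLastAccessUpdate; on Linux it reflects the
    atime/relatime/noatime mount option.
    """
    fd, path = tempfile.mkstemp(prefix="atime-probe-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"last-access probe")
        st = os.stat(path)
        os.utime(path, (time.time() - 2 * 86400, st.st_mtime))
        before = os.stat(path).st_atime
        with open(path, "rb") as fh:
            fh.read()
        # NTFS may defer the on-disk write of a refreshed atime, so a False
        # result on Windows is worth double-checking against the registry.
        after = os.stat(path).st_atime
        return after > before
    finally:
        os.unlink(path)


def describe_last_access_setting(value: Optional[int]) -> str:
    """Interpret the NtfsDisableLastAccessUpdate DWORD.

    Windows 7 / Server 2008 use 0 (updates on) and 1 (updates off); later
    Windows 10 builds add 2 and 3 for "system managed" with the same meaning
    in the low bit.  None means the value is absent and the OS default applies.
    """
    if value is None:
        return "not set (OS default applies)"
    if value & 1:
        return "disabled (reads do not update last-access time)"
    return "enabled (reads update last-access time)"


def read_last_access_setting() -> Optional[int]:
    """Read the registry value on Windows; None off-Windows or when absent."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\FileSystem")
    try:
        value, _ = winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")
        return int(value)
    except FileNotFoundError:
        return None
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    print("registry:", describe_last_access_setting(read_last_access_setting()))
    print("observed:", "updating" if probe_last_access_updates() else "not updating")
```

Run it on the volume you are about to image (pass the mount point or drive as `directory`) and record both answers in your notes; the registry value tells you the policy, the probe tells you what the volume actually did at acquisition time.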

Windows Computer Investigation Guide

During my current Digital Forensics study I recently stumbled across a guide from Microsoft entitled the “Fundamental Computer Investigation Guide for Windows" which is a download containing the basic Microsoft guide, a sample Internal Investigation Report, a sample Chain of Custody document and a sample Impact Analysis document.

Although at 55 pages the guide isn't going to make you a Forensics guru, as a free starter's guide it hits all the main points we've learnt so far - initially assessing the situation, obtaining authorization, reviewing any policies or legal restrictions, being thorough and methodical in the assessment, acquisition of data, analysis of the data and reporting on the findings. It also contains an applied scenario to tie together all the points previously discussed (set at the Woodgrove Bank - an organization, along with Tailspin Toys and Contoso, that will be all too familiar to those who've done a few Microsoft exams).

The tools referenced in the guide are generally all included in the OS or free sysinternals tools, such as filemon, portmon, process explorer, etc, although EnCase and FTK are mentioned for performing a bit-wise acquisition.

While Microsoft do get bashed about a lot of things (and security in particular), I am always surprised by the sheer amount of material they generate and freely distribute. If you deal with Windows and aren't familiar with the Sysinternals tools, I recommend checking them out.

IBM Distributes Malware

Probably not the best place to go distributing malware.

(hmmm... these posts seem to be getting shorter... maybe tomorrow...)

Facebook Privacy

A lot has been said about Facebook privacy (or lack thereof). A friend passed along this fascinating link that graphically illustrates the evolution of privacy on Facebook (or should that be devolution?)

Social networking contains all kind of dangers, from the typical social engineering and scamming to getting fired for 'chucking a sickie' and things far, far worse.

Of course, Facebook, MySpace or LinkedIn aren't responsible for the crimes that may be committed by users of their service, but sites like Facebook aren't helping matters by proclaiming 'privacy is dead' and purposely making more information public.

It has been said before, but bears repeating: don't put anything on the internet that you wouldn't want everyone to know. While I don't agree with Mark Zuckerberg that 'privacy is dead', I do agree that, for all intents and purposes, 'privacy is dead on the internet'.

And finally, if you are a Facebook user, here are 10 Privacy Settings Every Facebook User Should Know, or if you're tired of the whole social networking thing, how to delete your Facebook profile in 5 minutes (and by the way, apparently you're not alone).

vSphere Hardening Guide

VMWare have recently released their vSphere Hardening guide. The blog post about it is here, and the guide can be downloaded directly from here [pdf].

From an initial run-through, it seems quite comprehensive.

InfoSec Legal Risks II

Back in Feb I mentioned a Book I'd come across: Information Security: Managing the Legal Risks by Nick Gifford.

Recently Nick gave a great presentation at the AISA Risk Management Special Interest Group (RMSIG) in Sydney.

Some of the points that came out of his presentation** that I found rather interesting follow:
  • Most InfoSec-related cases are brought under the tort of negligence
  • Damages cannot be recovered under negligence for pure economic loss
  • No cases have yet been tried in Australia under the tort of negligence for InfoSec breaches ~ although cases have been settled before going to court
  • The highest privacy breach payout in Australia is around $8000 ~ leaving privacy breaches more damaging to reputation than financially (barring lost revenue from reputational damage of course!)
  • The Trade Practices Act Section 52 is the key area to pay attention to for Australian InfoSec professionals when verifying legal liability ~ it has fewer hurdles than proving negligence and can be 'creatively' applied by the courts.
  • The ALRC has recommended a new tort of "serious invasion of privacy" and recommended compulsory disclosure laws in Australia.
Nick also referenced an interesting quote from the FTC paper on Identity Theft [pdf]:
The Rule specifies that what is “reasonable” will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue. This standard recognizes that there cannot be “perfect” security, and that data breaches can occur despite the maintenance of reasonable precautions to prevent them
The formal acknowledgement that "perfect" security cannot exist from someone outside of IT is interesting to see.

Nick gave a great talk, and I do recommend his book.

**Any errors or omission of information in this post are my fault and not Nick's. I am no lawyer! So go seek your legal advice from someone who is!

Security the Amex way

While there are arguments against the effectiveness of PCI-DSS (Payment Card Industry Data Security Standard) compliance, it's going nowhere soon.

With that in mind, a recent article caught my eye about how one of the big credit card companies handles its own Information Security.

Some gems from the Amex response:

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack.
This is one I've encountered before where transport-layer security is confused with authentication security. Their website could have 128,000 bit encryption, it won't help them when I guess your password is 123456.
We discourage the use of special characters because hacking softwares can recognize them very easily.
More easily than non-special characters? Wow.

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

Would that not mean a single character password was even more secure?
Scary. Although a friend did comment "Well at least they have a password policy!"
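To put numbers on the Amex claims, here is an added example (mine, not Amex's or the article's) that reduces a password rule to its keyspace and compares the letters-only, 8-character-maximum policy against the single-letter reductio above and against policies that allow the full printable character set and longer lengths. The 6-character minimum assumed for the Amex policy and the guessing rate of a billion attempts per second are assumptions, not figures from the article.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """A password rule reduced to the numbers that decide guessing cost."""
    name: str
    min_len: int
    max_len: int
    charset: int  # distinct characters the policy permits


def keyspace(policy: PasswordPolicy) -> int:
    """Number of distinct passwords the policy allows, over every permitted length."""
    return sum(policy.charset ** n for n in range(policy.min_len, policy.max_len + 1))


def keyspace_bits(policy: PasswordPolicy) -> float:
    """Keyspace in bits, the usual unit for comparing policies."""
    return math.log2(keyspace(policy))


def expected_guess_time(policy: PasswordPolicy, guesses_per_second: float) -> float:
    """Average seconds an offline guesser needs: half the keyspace at the given rate."""
    return keyspace(policy) / 2 / guesses_per_second


def rank_policies(*policies: PasswordPolicy) -> List[Tuple[str, float]]:
    """(name, bits) pairs, weakest policy first."""
    return sorted(((p.name, round(keyspace_bits(p), 1)) for p in policies),
                  key=lambda pair: pair[1])


# Constructed policies.  The Amex rules are as quoted in the post (letters only,
# at most 8 characters); the 6-character minimum is an assumption.
AMEX_AS_DESCRIBED = PasswordPolicy("letters only, 6-8 chars", 6, 8, 52)
SINGLE_LETTER = PasswordPolicy("single letter", 1, 1, 52)  # the post's reductio
PRINTABLE_8 = PasswordPolicy("95 printable ASCII, 6-8 chars", 6, 8, 95)
PRINTABLE_LONG = PasswordPolicy("95 printable ASCII, 12-64 chars", 12, 64, 95)

if __name__ == "__main__":
    for name, bits in rank_policies(SINGLE_LETTER, AMEX_AS_DESCRIBED,
                                    PRINTABLE_8, PRINTABLE_LONG):
        print(f"{bits:6.1f} bits  {name}")
    hours = expected_guess_time(AMEX_AS_DESCRIBED, 1e9) / 3600
    print(f"letters-only 6-8 chars at 1e9 guesses/s: about {hours:.1f} hours on average")
```

The letters-only, 8-character cap lands at roughly 46 bits, which an offline guesser at a billion attempts per second exhausts in hours; merely allowing the special characters Amex discourages adds about 7 bits, and lifting the length cap is what actually takes the policy out of reach. Online guessing against the login form is of course limited by lockout and rate limiting, which is the control that matters far more than the 128-bit transport encryption the response leans on.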

COFEE vs DECAF

I'm currently studying Digital Forensics and a recent bit of Google-inspired research led me to one of the big stories of late last year (which I vaguely remembered) where a Microsoft forensic tool designed for use by law enforcement called COFEE (Computer Online Forensic Evidence Extractor) was leaked on the internet.

Given the prevalence of computer-based crime and the level of skill required to perform proper forensic analysis, it makes sense for Microsoft (or someone else) to develop a simple-to-use wrapper for what apparently was a number of common forensic tools available elsewhere on the internet.

The reaction to the leak seems to have been mixed, from Microsoft claiming they weren't bothered by the release of the software (although noting it is licensed for use by law enforcement only) to someone developing a counter-forensic tool called (of course..) DECAF. What was the thinking in creating this counter to COFEE? One of the developers said:

"We saw Microsoft released COFEE and that it got leaked, and we checked it out," the man said. "And just like any kid's first day at the fair, when you walk up to that cotton-candy machine and it smells so good and you see it, it's all fluffy – just so good. You get up there and you grab it and you bite into it, it's nothing in your mouth.

"That's the same thing we did with COFEE. So, knowing that and knowing that forensics is a pretty important factor, and that a lot of other pretty good forensic tools are getting overlooked, we decided to put a stop to COFEE."

This argument seems fairly disingenuous, as COFEE hardly seems to have been aimed at replacing any existing tools, but simply at making them easier for a less well-trained law enforcement operator to use in order to gather crucial forensic evidence. The fact the tool was released by Microsoft probably had more to do with creating a counter-tool than noble thoughts of 'better tools being overlooked'.

No matter what the task, there is almost always a 'better tool', whose use might not be desirable because of cost, complexity or the expert knowledge required to operate it. Much of the history of software innovation has been about making complex tasks easier so more people can perform them, Windows being the prime example as it took desktop computers from the realm of geeky hobbyists to mainstream use in businesses and in homes. While simplifying (or as some may call it 'dumbing down') tasks may grate on the nerves of some, it is an inevitable and, in many ways, desirable end goal.

Following the Road Rules

It struck me this evening while driving home that there is a nice analogy to be made between information security and road safety. All that maintains our roads in the organised state of chaos that they are, rather than total anarchy, is a set of conventions that ensure that we drive on the left (in Australia), stop at stop signs and give way to the right at roundabouts.

I would imagine, though I have nothing to back this up with, that a large proportion of car accidents happen in situations where it is unclear what is expected of the driver. As a case in point, as I drive home there is a place where two lanes merge into one, however, there is nothing to indicate which lane is ending. This lack of direction causes the occasional irritated honk of the horn or shake of the fist from drivers who believe they have been wronged and, if it hasn't happened already, at some stage a minor collision is inevitable.

The same applies for information security, whether browsing the internet, opening an email from an unknown source or disposing of sensitive documents, where a well known course of action exists the decision is easy, it is when users are presented with the unfamiliar that trouble strikes (scammers are well aware of this and utilise the familiar to make targets feel comfortable). Ensuring that users know the correct course of action requires an ongoing education program coupled with a strong set of policies to guide users on the right course of action.

I have this picture in my head of the users of a network, be it a corporate network or the internet, as drivers in vehicles of all different sorts, some in Abrams tanks, others on mopeds (the ones in the Abrams are likely Mac users blindly driving around opening files without regard to the consequences).

Other parallels exist too, particularly in corporate networks where user activity is much more heavily regulated, particularly the use of incentives both positive and negative to ensure compliance with the rules. When drivers don't comply with the regulations they may be fined and if caught infringing enough times may lose privileges or be compelled to take remedial training. In much the same way users of a corporate network may be more inclined to comply with and contribute to information security endeavours where it is assessed as part of their job performance and tied back to bonuses, pay increases and advancement within the company. A points system similar to that used with Australian drivers licenses may actually work quite well to identify users requiring remedial training. More on incentives in a later post.

Some credit for the ideas in this post has to be given to the paper I am currently reading from the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI).

Photocopier peril

Affinity Health in the US has had to notify around 400,000 customers and staff of a potential data breach. A firm suffering a data breach? "Nothing new there!" you say.

In this case though, the method by which the data was lost is a little more unusual (as was the method of discovery). You see, CBS was investigating the ticking "digital time bomb" of office photocopiers and purchased 4 copiers. Upon removing the hard drives and running a forensic tool over them they found confidential police data on 2 machines, construction plans and payroll data on a third and, on the fourth, patient information from Affinity Health.

A quick search on datalossdb shows a few entries for fax machine breaches (mostly by sending a fax to the wrong number), but only one entry for copiers - the Affinity Health breach.

The CBS article asks, "Has the industry failed..to inform the general public of the potential risks involved with a copier?" to which the President of Sharp Imaging says "yes".

They do point out all the major manufacturers offer 'encryption options' or security packages, but without providing any information on what percentage of buyers are willing to pay the extra dollars.

Here's a thought - include it by default! Make it impossible to buy a digital photocopier without encryption or secure deletion!

I think it was in the Mitnick book "Stealing the Network" (or perhaps it was in "The Art of Intrusion") that a hacker stealthily entered a network and took control of a digital copier.

In the meantime, what does your organization do with its old copiers when the lease ends or they reach end-of-life?

Security Incidents in Australia & New Zealand

One of the difficulties of working in the infosec space in Australia can be the lack of region-specific information available. I blogged recently about a Ponemon Institute study that was Australian-based and have recently discovered that Chris Gatford of hacklabs.com has started maintaining a record of security incidents in Australia and New Zealand.

This is a nice addition to some of the existing resources available, such as datalossdb.org (which records all different kinds of data loss) and zone-h.org, which keeps a good record of website defacements.

The enemy of my enemy is my.....enemy?

Oh McAfee what have you done? Last week McAfee released an update for their antivirus software that crippled Windows XP SP3 machines. This is not the first time McAfee have had this problem, having crippled machines last year with a bad update as well.

Of course, the 'bad guys' have immediately jumped on the bandwagon as well, flooding Google with links to scareware sites promising to fix the problem.

What to do? Well I'm not here to bash McAfee (they have enough angry customers right now to do that), and all the big vendors make mistakes, but this does expose a serious problem in the quality control of another big AV vendor.

Last year I sat through a presentation by McAfee where they talked about the massive rise in malware and viruses, a comment that was echoed by Symantec in a presentation around the same time. The Sophos 2010 Security Threat Report [pdf] states that "Sophos’s global network of labs received around 50,000 new malware samples every day during 2009".

Combine that with the constant need to beat the competitors to market with the latest protection and it's no wonder a mistake like McAfee's recent one was made. It seems almost inevitable it will happen again.

But what can be done to protect your servers and desktops? Do AV updates need to be treated like patches and be run through a testing regime before deployment? Is this even feasible in an era of daily (or multiple times daily) signature updates?

I'm no developer and not in the AV business, but it would seem to me having a 'whitelist' of known good items (such as critical windows components) might be a way to stop something like this occurring again...
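One way to implement that 'known good' whitelist idea, as an added example that is not from the post or from any AV vendor: before a signature update is rolled out, run it over a reference image of critical OS files and block deployment if anything it flags matches a known-good hash. The file contents, hashes and signature names below are constructed for the example; a real gate would hash the actual binaries of the golden build.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Detection:
    """One hit produced by running a candidate signature set over the reference image."""
    signature: str
    path: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "golden image": stand-in bytes for critical OS files the
# organisation has vetted.  Only the hashes are kept as the whitelist.
GOLDEN_IMAGE: Dict[str, bytes] = {
    r"C:\Windows\system32\svchost.exe": b"constructed stand-in for svchost.exe",
    r"C:\Windows\system32\lsass.exe": b"constructed stand-in for lsass.exe",
    r"C:\Windows\system32\winlogon.exe": b"constructed stand-in for winlogon.exe",
}
KNOWN_GOOD: Dict[str, str] = {p: sha256_hex(b) for p, b in GOLDEN_IMAGE.items()}


def vet_signature_update(detections: List[Detection], known_good: Dict[str, str]) -> dict:
    """Gate a signature update.

    A hit on a file whose path AND hash are on the known-good list is a false
    positive and blocks deployment.  A hit on a known-good path with a
    different hash is kept as a real detection: a replaced svchost.exe is
    exactly what the AV should flag, so the whitelist is keyed by hash, not
    by path alone.
    """
    false_positives = [d for d in detections if known_good.get(d.path) == d.sha256]
    real = [d for d in detections if d not in false_positives]
    return {"deploy": not false_positives,
            "false_positives": false_positives,
            "detections": real}


# Constructed results of scanning the golden image with a candidate signature set.
CANDIDATE_SCAN = [
    Detection("SIG-0001", r"C:\Windows\system32\svchost.exe",
              KNOWN_GOOD[r"C:\Windows\system32\svchost.exe"]),           # false positive
    Detection("SIG-0002", r"C:\Users\alice\Downloads\invoice.exe",
              sha256_hex(b"constructed malware sample")),                 # real hit
    Detection("SIG-0003", r"C:\Windows\system32\lsass.exe",
              sha256_hex(b"constructed tampered lsass.exe bytes")),       # real hit
]

if __name__ == "__main__":
    report = vet_signature_update(CANDIDATE_SCAN, KNOWN_GOOD)
    print("deploy:", report["deploy"])
    for d in report["false_positives"]:
        print("BLOCKED by false positive:", d.signature, d.path)
    for d in report["detections"]:
        print("genuine detection:", d.signature, d.path)
```

The gate is cheap enough to run on every signature push, which answers the feasibility question above: it is not a full test cycle, just a scan of a fixed reference image followed by a hash comparison, and it catches precisely the class of mistake that takes out a fleet.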

Government and Google

I came across this very cool tool from Google while perusing the Tech section of SMH Online today. It gives a breakdown of the number of requests from governments around the world to Google to have content removed, either from search results or from sites controlled by Google, and for information about users of Google's products.

A nice bit of transparency from Google with data which I doubt many governments would be as forthcoming with.

Escaping Documents

This goes squarely in the 'oh dear' category and comes only months after this lapse, it appears government bodies need to be a little more mindful of where they are putting sensitive information...

Congratulations!

Just wanted to shout out a congratulations to fellow Security Circus blogger Richard on graduating (with distinction!) his Master of Information Systems Security degree this week.

Great work Richard!

Airport Security Antics

Not strictly Information Security, but certainly pertaining to organizational security culture, News.com.au ran a story today that just makes me sad... or is that mad? Or both?

A security gate at Dubbo Airport has been found to have its access PIN number printed out and stuck above the keypad.

According to the article, Government officials will review security at Dubbo airport next week. I wonder what else they'll find?

Something this blatantly idiotic is a sign of a generally poor (or non-existent?) security culture. Sure, you may have one 'helpful' person who decides to post the PIN number (along with the helpful "please touch pad softly" message), but for others using the gate not to step in and remove the sticker is a worrying sign. Some more of those airport security dollars may need to be spent on basic staff security awareness and less on security theatre like confiscating nail clippers but not cigarette lighters...

Rewarding Failure?

Richard pointed out to me a great little blog post entitled "Does Software Development Have A Culture Of Rewarding Failure".

The post asks why those who bring home projects over budget and over time with a huge flurry of last minute effort seem to be more rewarded than those who get it all done on time and on budget.

Unfortunately it is not only during software development that this type of behaviour occurs, it can permeate many other industries and business environments. But why is this so?

Is it simply everyone loves a hero, the underdog, fighting against incredible odds to achieve the near-impossible?
They certainly are more visible, appearing incredibly dedicated, sacrificing their evenings and weekends as they struggle to complete that big project on time (or at all) as opposed to the other team who 'easily' got it all done on time and within budget.
The author makes the point "...everyone expected the project to go well and when it did, no-one was surprised, everything went according to plan, why would anyone reward or even acknowledge it when things go according to plan?"

It reminds me a little of the old Y2K bug (remember that one?). Lots of people working very hard to ensure nothing went wrong. And when nothing did go wrong (ie: success!) the question was asked by some management: "Geez what did we spend all that time and effort for? Nothing happened!"

Information Security is in a similar boat. Money and resources allocated to security projects can seem to be wasted when, well, nothing happens! Which of course in many cases was the point of the expenditure: to stop the bad thing from occurring.

I'm reading Nassim Nicholas Taleb's excellent book 'The Black Swan: The Impact of the Highly Improbable'* at the moment, which discusses (amongst many things) our cognitive bias towards narratives. We like a story, a bit of colour, and this can affect our rational view of facts. In regards to the current topic, consider the following:
  • The Project finished on time.
  • The Project finished on time because we all worked 7 days a week, 16 hours a day for the last two weeks to meet the deadline.
Which statement seems more likely? I'd wager that, from the gut, for most people it is the second one.

There can also be a mindset of "if you're not running around in crisis mode at crunch time, then you must have budgeted too much time to start with!". We value effort, and in 'deadline crisis mode' the effort is more visible.
Some of this may also be the result of the vicious circle created by 'rewarding failure' in the past because in people's experience all the projects that arrive with a big bang and flurry of 'crunch time' activity to meet the deadline are the ones most valued (ie: rewarded).
Never mind the hidden costs of the project deadline death-march, which may be represented by cut corners, resulting in quality and security problems to be addressed 'sometime' down the track.

This whole topic brings to mind an old Dilbert comic about an employee getting an award for working overtime and weekends fixing the mistakes he caused in the first place.

I can only agree with Alan Skorkin on this one when he states "I for one would love to see a little bit more appreciation from everyone for projects where things go according to plan and especially for the people on those projects...rather than celebrating the belated delivery of the latest death-march, how about digging into it and trying to figure out why it was 6 months late and why people had to work 80 hour weeks to keep it from complete disaster".

*If you're involved at all in looking at (or trying to second guess!) future events or trends - like many Information Security professionals - I highly recommend Mr Taleb's book.

Cost of a Data Breach

The Australian has reported that the Ponemon Institute has released a report on the Cost of a Data Breach based on data from the Australian market.

For those of us 'down under' it is great to see some reporting based on the local conditions, rather than the usual reports from the US and Europe. Unfortunately the report is only based on the 16 completed responses from the 114 companies that were asked to participate, however I see it as a good start that I hope will continue.

So is that your PIN number?

In the spirit of Richard's post below on a little 'no tech hacking': on a couple of occasions recently I've had friends wanting to show me photos taken on their iPhones, and inadvertently reveal some potentially quite damaging information.

To set the scene, you're discussing a subject (such as a holiday) and your friend says "want to see the photos?". Replying in the affirmative, they whip out their phone and hold it up for you to see, hitting a button and entering their unlock PIN to begin showing you the photos.
It's at this stage I ask "so, is that number you just entered the same as your ATM-card PIN?"
Sheepish looks ensue as they mumble "....yes...." and I reply "you might want to change that...or lend me your ATM card!"

Now this certainly isn't an 'iphone-problem' as such, or I'd wager even a new problem. It is however exacerbated by the new touchscreen smartphones and their big friendly on-screen keypads that make it much easier to 'shoulder-surf' from greater distances and see the PIN number more easily as it is entered.
ATM card PIN numbers are a little unusual as for a lot of people they are one of the few 'enforced' passwords they use. By 'enforced' I mean they are passwords that are dictated and not chosen by the end user, they are often just a random (or semi-random) 4-digit string that was supplied by the bank.
Although these days you can often choose a PIN number while opening a new account, this wasn't always the case and many people have had the same PIN number for years, from card to card, keeping the one they've already memorized. After all we are often creatures of habit.

So when the new phone arrives and needs to be set up with a 4-digit PIN number, it seems not uncommon to grab the first available 4-digit number that you already have memorized - your ATM PIN (I'd wager birthdays or birth year are the other popular options) and off you go.

What's the risk? Well, it's probably pretty low. I'm not really going to run off with my friend's ATM card, nor bother remembering their PIN number after seeing it initially. But low risk is not no risk, and doing something as simple as scrambling or reversing your ATM PIN (if that must be the basis of your phone PIN) is better than using the same number.

A little research into PIN numbers brought up an interesting fact: the inventor of the ATM PIN, Briton Mr Shepherd-Barron, wanted to use a 6-digit number (based on his army number), but his wife said she could only remember 4 digits - so that became the world standard!*

And btw, yes I have an iphone and no my PIN is not the same as my ATM card! (nor any derivative thereof!)

*Except for Switzerland, where apparently 6-digits is the default....

Mirror Image

It's actually quite a while since I started this post but I think it shows interesting potential for a little no tech hacking...

Captain's log, stardate 2009.8:
A week or so back I took delivery of my shiny new Diners Club corporate card. I dutifully signed the card, activated it and stuck it in my wallet. I left the letter it came wrapped in on my desk; nothing to worry about, right? After all, the important bit (the card) was safe and sound in my wallet with my signature on the back. In fact all the details necessary to use the card were actually on the letter: the card number, my name and the CCV had all rubbed off on the paper, leaving an imprint that could be read with a little bit of guesswork.

What's particularly worrying me at this point is that I loaned Justin the letter to use for a demonstration and I haven't seen it since...

Profiling the Defenders

I recently came across quite an interesting paper from Dalhousie University in the US on the psychology of Information Security professionals called "profiling the defenders" [pdf]. While admittedly limited in its scope (they surveyed only 79 people), it nonetheless opens the door to an interesting and (afaik) not well-researched area of psychological analysis on the IT Security 'good guys'.
Typically the 'bad guys' are the ones being profiled, to better understand their motivation, to 'get into their heads' and therefore be able to second-guess them. There are plenty of courses [pdf] and certifications that are designed to help you 'think like a hacker', but how do the defenders think, and what needs to be changed over on the blue team to make them better?

Findings such as that IT Security Pros were 10 times more likely than the (US) average to be INTJ-type personalities are interesting. Also that there was such a difference between IT Security Pros and law-enforcement personalities, who are largely ESTJ-type personalities -- a type that was not reflected in any of the surveyed IT Pros.

While I certainly have no background in Psychology (and parts of this paper are well over my head!), it is well worth a read for those interested and I'd like to see the results of a study done with a larger, more representative, survey group.

Some good further reading on different aspects of Psychology and Security is available here.

More Aurora

I was pointed to some more information on Aurora by a Uni classmate. HBGary have a slightly more in-depth threat review of Aurora here [pdf] and are offering an 'Aurora inoculation shot' with details here. The inoculation does not address the social engineering aspect of the attack; it is more of a scanner to tell if you're already infected and help clean the infected machine (which to me seems like more of an after-the-fact action than the name 'inoculation' implies).

One thing in the HBGary report is that the CRC algorithm used is claimed to "indicate the malware package is of Chinese origin". This was originally announced by Joe Stewart and widely reported, but there has since been some dispute as to whether the CRC is a 'smoking gun' indicating China.

We may never know...

On a somewhat related topic (malware in general), I often use VirusTotal to scan 'suspect' files, but a colleague recently pointed me to a couple of other sites that provide a similar service: virusscan.jotti.org and threatexpert.com. All three are worth investigating if you haven't seen them before.

"Aurora" attacks

iSec has published a brief report [pdf] into the widely-reported "Aurora" attacks on Google (and others) that allegedly originated from the Chinese Government. The report provides an interesting insight into a recent sophisticated attack that I suspect few organizations would have been able to repel, and is well worth reading.

An important point from the end of the report is that the:
"...most interesting aspect of this incident is that a number of small to medium sized companies now join the ranks of major defense contractors, utilities and major software vendors as potential victims of extremely advanced attackers. This is concerning for many reasons, not the least of which is that even most Fortune-500 companies will not be able to assemble security teams with the diversity of skills necessary to respond to this type of incident."

Fraud Week

The Australasian Consumer Fraud Taskforce is running its annual awareness campaign this week with the theme 'Online Offensive - Fighting Fraud Online'.

With identity theft often listed as the fastest growing crime, it's good to see the Government promoting awareness through sites such as scamwatch.

On a similar note, Bruce Schneier recently highlighted on his blog a fascinating interview with a Nigerian scammer that is well worth reading. It can be found here: part one, part two, part three.