<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Black Box versus White Box testing and when to use them</title><description>2015-11-09 23:44:55 - RLR UK : I have recently been speaking to many security professionals and asking them about black box and white box testing. I have used it as an interview question on many occasions as well. People's answers are varied and interesting, but I thought I would share my views briefly here. Firstly, what are black box testing and white box testing, or grey box testing for that matter? Simply put, a black box test is one where the tester has no knowledge of the internal structure or workings of the system and will usually test with security protections in place. They may not even be given credentials to a system that requires authentication. This would be equivalent to what a hacker would have access to. The opposite extreme is a white box test, where the tester has full knowledge of the system and access to the code, system settings and credentials for every role, including the administrator. The tester will likely be testing from inside the security perimeter. Grey box testing sits somewhere in the middle, where the tester will have knowledge of the functionality of the system and the overall components, but not detailed knowledge. They will usually have credentials, but may still test with some security controls in place. So, when would you use the different levels of testing? Personally, I think that grey box testing is neither one thing nor the other and holds little value. For me, the motivation behind black box testing is compliance, whereas the motivation behind white box testing is security. With a white box test you are far more likely to find security issues, understand them and be able to fix or mitigate them effectively, so why wouldn't you do it? The black box test is supposedly what a hacker would see, but they have far more time, so it isn't even representative. The only reason to perform a black box test is to pass some audit that you are afraid you might fail if you perform a full white box test, in my opinion. If you actually want to be secure, then make sure you always commission white box tests from your security testers.</description><link>http://www.secuobs.com/revue/news/589586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589586.shtml</guid></item>
<item><title>Security groups should sit under Marketing, not IT</title><description>Secuobs.com : 2015-02-20 15:28:10 - RLR UK - Ok, so I'm being a little facetious, but I do think that putting Security departments under IT is a bad idea, not because they don't naturally fit well there, but because usually it gives the wrong impression and not enough visibility. Security is far more wide reaching than IT alone and touches every part of the business. By considering it as part of IT, and utilising IT budgets, it can be pigeonholed and ignored by anyone who wouldn't engage IT for their project or job. Security covers all information, from digital to paper-based, and is concerned with aspects such as user education as much as technology. There is a clear conflict of interest between IT and Security as well. Part of the Security team's function is to monitor, audit and assess the systems put in place and maintained by the IT department. If the Security team sits within this department then there can be a question over the segregation of duties and responsibility. In addition to this, Security departments can end up competing with other parts of IT for budget. How well does this work when project budgets are allocated to one department responsible for producing new features and fixing the vulnerabilities in old ones? The Security department should answer directly to the board and communicate risk, not technology. It is important that they are involved with all aspects of the business from Marketing, through Procurement and Legal, to the IT department. You will, more often than not, get a much better idea of what the business does and what's important to it by sitting with the Marketing team than with the IT team. Hence the title of this post.</description><link>http://www.secuobs.com/revue/news/560417.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/560417.shtml</guid></item>
<item><title>EU Commission Working Group looking at privacy concerns in IoT</title><description>Secuobs.com : 2015-02-20 15:20:37 - RLR UK - The Article 29 Working Group advising the EU Commission on Data Protection has published their opinion on the security and privacy concerns of the Internet of Things. A couple of interesting quotes come from this document and it points to possible future laws and regulations: 'Many questions arise around the vulnerability of these devices, often deployed outside a traditional IT structure and lacking sufficient security built into them' and 'users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific'. One thing is for sure, privacy is likely to get eroded further with the widespread adoption of IoT devices and wearables. It is critical that these devices, and the services provided with them, have security built in from the start.</description><link>http://www.secuobs.com/revue/news/560415.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/560415.shtml</guid></item>
<item><title>Internal cyber attacks - more thoughts</title><description>Secuobs.com : 2015-02-11 00:20:00 - RLR UK - I presented on a panel today at the European Information Security Summit 2015, entitled 'Should you launch an internal cyber attack?' We only had 45 minutes and I thought I'd share some of my thoughts, and what I didn't get to say, here. Firstly, as we all know, the concept of a network perimeter is outdated and there is a real blurring of whether devices should be considered internal or external these days. It's not just about BYOD, but most organisations provide laptops for their employees. These laptops get connected at home, airports, hotels, etc. Any number of things could have happened to them during that time, so when they are reconnected to the network, they may have been compromised. For this reason, it should be every system for itself, to a certain extent, in the network, i.e. assume that the internal machines are compromised and try to provide reasonable levels of security anyway. Secondly, the user is the weakest link. It has been said many times that we spend our time (and budget) on protecting the first 2000 miles and forget about the last 2 feet. This is less and less true these days, as security departments are waking up to the fact that education of the users is critical to the security of the information assets. However, the fact still remains that users make mistakes and can compromise the best security. So, should we launch internal cyber attacks against ourselves? Yes, in my opinion - for several reasons. Internal testing is about audit and improvements. If we launch an internal Pentest or Phishing attack, we can see the effectiveness of our controls, policies and user education. The critical point is to not use the results as an excuse to punish or name and shame - this is not Big Brother looking to punish you. If a user does click on a link in a Phishing email then we should see it as our failure to educate properly. If a user bypasses our controls then our controls haven't been explained properly or they are not appropriate (at least there may be a better way). An example was discussed on the panel about people emailing a presentation to their home email account to work on it from home. In the example, this was a breach of policy and, if the categorisation of the presentation is confidential or secret, then they shouldn't be doing this. However, rather than punish the user immediately, try asking why they felt that they needed to email it to their home computer. Was it that they don't have a laptop? Or their laptop isn't capable enough? Or that they think they are doing a good thing by emailing it so that they don't have to take their corporate laptop out of the office, as they know they're going to the pub for a couple of hours and are worried about it getting stolen? There are motivations and context to people's decisions. We see, and usually focus on, the effects without stopping to ask why they did it. Most people are rational and have reasons for acting as they do. We need to get to the heart of those reasons. Education is critical to any security system and as security professionals we need to learn to communicate better. Traditionally (and stereotypically) security people are not good at communicating in a clear, non-technical, non-jargon-filled way. This has to change if we want people to act in a secure way. We have to be able to explain it to them. In my opinion, you have to make the risks and downsides real to the user in order to make them understand why it is that we're asking them to do or not do something. If you just give someone a directive or order that they don't understand then they will be antagonistic and won't follow it when it is needed, because they don't see the point and it's a hassle. If they understand the reasoning then they are likely to be more sympathetic. Nothing does this better than demonstrating what could happen. Hence the internal attacks. The next question we have to ask ourselves is what constitutes the internal part of an internal attack. Is it just our systems, or does it include all those third party systems that touch our data? I could quite happily write a whole blog post on outsourcing to third parties and the risks, so I won't delve into it here. I do also have to say that it worries me that we seem to be educating our users into clicking on certain types of unsolicited emails that could easily be Phishing attacks. An example that I used was the satisfaction or staff survey that most companies perform these days. These often come from external email addresses and have obscured links. To my mind we should be telling our users to never click on any of these links and report them to IT security. Why shouldn't they ask our advice on an email they're unsure about? We're the experts. One final point was suggested by a speaker, which I think is a good idea. If we educate users about the security of their family and assist them with personal security incidents and attacks as if they are those of our company, then we are likely to win strong advocates.</description><link>http://www.secuobs.com/revue/news/558957.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558957.shtml</guid></item>
<item><title>eBay's Weak Security Architecture</title><description>Secuobs.com : 2014-05-24 20:12:56 - RLR UK - Well, eBay are in the news due to their breach of 145 million users' account details. There are a few worrying things about this breach, beyond the breach itself, that point to architectural issues in eBay's security. The first issue is that a spokeswoman (according to Reuters) claimed "that it used 'sophisticated', proprietary hashing and salting technology to protect the passwords". This sounds very much like security through obscurity, which doesn't work. So, either they are using a proprietary implementation of a publicly known algorithm, or they have created their own. Both of these situations are doomed. As always, no one person can think of all the attacks on an algorithm, which is why we have public scrutiny. Even the best cryptographers in the world can't create new algorithms with acceptable levels of security every time. Do eBay have the best cryptographers in the world working for them? I don't believe so, but I could be wrong. Also, if their argument is that hackers don't know the algorithm so can't attack it, then I'm fairly sure they're wrong there too. Even if the algorithm was secure enough to stand up to analysis of the hashes only, as hackers have eBay staff passwords perhaps they also have access to the code? If, on the other hand, they have their own implementation of a public algorithm I have to question why. Many examples are available of implementations that have gone wrong and introduced vulnerabilities, e.g. Heartbleed in OpenSSL. Do they think they know better? The second issue is that they don't seem to encrypt Personally Identifiable Information (PII). This is obviously an issue if a breach should occur, but, admittedly, doesn't solve all problems as vulnerabilities in the web application could still expose the data. However, it is likely to have helped in this situation. Finally, and most importantly, how did gaining access to eBay staff accounts give attackers access to the data? Database administrators shouldn't have access to read the data in the databases they manage. Why would they need it? Also, I would hope that there are VPNs between the corporate and production systems with 2-factor authentication. So how did they get in? Well, either eBay don't use this standard simple layer of protection, they leave their machines logged into the VPN for extended periods or they protect the VPN with the same password as their account. Even if eBay do implement VPNs properly with 2-factor authentication, the production servers shouldn't have accounts on them that map to user accounts on the corporate network. Administrative accounts on production servers should have proper audited account control with single use passwords. Administrators should have to 'sign out' an account and be issued with a one-time password for it by the security group responsible for Identity and Access Management (IAM). All this leads me to think that eBay have implemented a weak security architecture.</description><link>http://www.secuobs.com/revue/news/515331.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/515331.shtml</guid></item>
<item><title>Denial of Service (DoS) and Brute-Force Protection</title><description>Secuobs.com : 2014-04-30 00:17:34 - RLR UK - Recently it has become clear to me that, although the terms Denial of Service (DoS), Distributed Denial of Service (DDoS) and Brute-Force are used by many, people don't really understand them. This has caused confusion and problems on more than one project, so I thought I would write my thoughts on their similarities, differences and protection mechanisms. A Denial of Service is anything that happens (usually on purpose, but not necessarily) that takes a service off line or makes it unavailable to legitimate users. This could range from a hacker exploiting a vulnerability and taking the service off line, to someone digging up a cable in the road. However, a Denial of Service could also be triggered by legitimate use of a service without any 'vulnerabilities'. Consider a service that performs operations on large sets of data that take a few seconds to complete. If I put in multiple requests for this service then I could tie it up and make it unresponsive for several minutes. Similarly, consider a website that has a page with a large video or flash animation on it. Again, relatively few requests for this resource could make the server slow and unresponsive. DoS is not just about hackers finding vulnerabilities. Distributed Denial of Service, on the other hand, is a deliberate attempt by someone to deny service by performing large numbers of requests from a large number of hosts at once. Whilst it is relatively easy to spot a single host attempting a large number of requests and block them, it can be hard to pick up on many hosts making few requests and harder to block them. There are many solutions to combat DDoS by caching content and providing high bandwidth to large numbers of nodes, such as those available from the likes of Akamai. However, logic flaws or lengthy processing in the application can only really be fixed by the application developers. Brute-Force, on the other hand, has nothing to do with DoS or making a service slow or unavailable. I was amazed that people didn't know this! Brute-Force is all about submitting a, usually, large number of requests to a service to obtain information that was not intended by the developer. An example would be having no account lockout after several incorrect login attempts. It would then be possible to try a whole dictionary or even every character combination to eventually find the password for a user. This is an example of Brute-Force, but there are many others, such as finding database versions, telephone numbers, transactions, parcel delivery addresses, etc. This can only really be stopped with application logic.</description><link>http://www.secuobs.com/revue/news/511004.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/511004.shtml</guid></item>
<item><title>The Disconnect between Security and Senior Management</title><description>Secuobs.com : 2014-04-29 22:19:16 - RLR UK - There is often a fundamental disconnect between security professionals and senior management. As I have stated in a previous post about slips, mistakes and violations, if senior management don't 'buy in' to security then nor will the rest of the organisation and ultimately it will fail. Middle management want to be senior management and will model themselves on them, often seeing the breaking of rules as a mark of status. So, it is vital that senior management lead by example. Unfortunately, it is often very hard to get senior management to 'buy in' to this concept and not have a 'them-and-us' attitude of there being those rules that apply to the rest of the organisation and those that apply to them. This is as much the fault of the security professionals as senior management though. Security professionals have spent so long saying 'no' to everyone and stalwartly refusing to budge or see someone else's point of view that people have stopped listening and taking note. To be honest, rightly so. If you want someone to change their point of view or come round to your way of thinking, by far the easiest way is to sell it to them as a positive thing that will be beneficial to them and 'bring them with you' rather than dictate. Saying 'no' all the time is not positive and will ultimately fail as people will stop listening. Make it personal to them and put it in terms they understand. Relating security to risk and money will usually be more successful.</description><link>http://www.secuobs.com/revue/news/510993.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/510993.shtml</guid></item>
<item><title>Web Hosting Security Policy &amp; Guidelines</title><description>Secuobs.com : 2012-12-19 18:04:37 - RLR UK - I have seen so many websites hosted and developed insecurely that I have often thought I should write a guide of sorts for those wanting to commission a new website. Now I have actually been asked to develop a web hosting security policy and a set of guidelines to give to project managers for dissemination to developers and hosting providers. So, I thought I would share some of my advice here. Before I do, though, I have to answer why we need this policy in the first place. There are many types of attack on websites, but these can be broadly categorised as follows: Denial of Service (DoS), Defacement and Data Breaches/Information Stealing. Data breaches and defacements hurt businesses' reputations and customer confidence as well as having direct financial impacts. But surely any hosting provider or solution developer will have these standards in place, yes? Well, in my experience the answer is no. It is true that they are mostly common sense and most providers will conform to many of my recommendations, but I have yet to find one that, by default, conforms to them all.
Site Categorisation
There are several different categories of hosting and several different ways to categorise sites, with different requirements. However, in my opinion, sites should be categorised based on the information that they contain and the level of interaction allowed. Sites should then be logically and physically separated into their categories. Sites can be categorised as brochure sites if they have static content or do not collect information. These sites can then further be categorised into public or private depending on whether the data that they contain is public or not. Sites within these categories may be co-hosted with other sites in the same category, but the two categories should be segregated. Sites can be classed as data collection apps if they collect sensitive or personally identifiable information (PII) from the user. Sites within this category should be hosted on their own servers with no co-hosting and be segregated from all other sites. The data must be stored on separate segregated database servers that are secured and firewalled off. Finally, any site with even more sensitive data on it or company secrets should be hosted internally if you have the expertise in house.
Hosted Environment
The following list is an example of the requirements for secure web hosting. It is not necessarily complete, but if you do not have the following then you may have issues in the future. All websites and web applications must:
- be hosted on a dedicated environment - the hosting machine may be virtual or physical, but must not be shared with any 3rd parties. Multiple websites and applications from the same company may be hosted on the same machines according to the categories above.
- have DDoS protection in place.
- have AV running and configured properly on the server along with appropriate responses and reporting.
- be hosted behind a Web Application Firewall (WAF) to protect against common attacks, plus allow the ability to configure it for specific services.
- be hosted on security hardened Operating Systems (OS) and services to an agreed build standard.
- be subject to regular and timely patching of the OS and services.
- be subject to regular security testing and patching of any Content Management System (CMS) in a timely manner if used.
- be subject to active monitoring and logging by the provider for security breaches and reporting to/from the organisation.
- have formal incident management processes for both identifying and responding to incidents.
- not be co-hosted with additional public services beyond HTTP/HTTPS (e.g. no public FTP).
- not allow DNS Zone Transfers.
- use proper public verified SSL certificates - with a preference for Extended Validation (EV) certificates.
- ensure that management services and ports are on different IP addresses and domain names preferably, but must not be available through the normal login or visible on the website.
- ensure that administrative interfaces and services are restricted to certain IP addresses at least, but make use of client-side certificates or two factor authentication (2FA) if possible.
- ensure staging servers are available for test and development, which must not be shared with live sites and should be securely wiped at the end of testing as soon as the site is deployed live.
- ensure staging and test environments are not available on the public Internet or, if there is no alternative, they must be devoid of branding and sensitive information in all ways and restricted as above.
- be built on a tiered architecture, or at least the database (DB) server must not sit on the same server as the web front end, must not be accessible from the Internet and must be securely segregated from the front end.
- use encrypted storage for all sensitive information (e.g. passwords and sensitive information).
Hosting Services
It is up to the hosting provider and third party developers, but should be backed up by specific contractual clauses, to ensure that:
- the site is backed up regularly off site in a secure location using encrypted media where the keys are stored separately from the media, and able to be restored in a reasonable time frame with a suitable rotation and retention policy.
- hardware and media that has reached the end of its life is securely destroyed.
- all sites are made available for pentesting prior to going live and at regular intervals.
- all vulnerabilities considered of medium risk and above should be remediated prior to go-live.
- all sites are available for on-going regular automated Vulnerability Assessments.
- domain names, code and SSL certificates are registered to the company and not a third party.
- there are agreed processes for identifying approved personnel to authorise changes.
- change management processes that track all changes are in place along with rollback and test plans.
- capacity and bandwidth are actively managed and monitored.
- all management actions are accountable (unique accounts allocated to individuals).
- all management should be through secure ingress from trusted locations.
- egress filtering should be in place to block all non-legitimate traffic.</description><link>http://www.secuobs.com/revue/news/417862.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417862.shtml</guid></item>
<item><title>Pentests Don't Make You Secure</title><description>Secuobs.com : 2012-12-19 15:40:18 - RLR UK - I was asked to provide details of the 'Penetration Testing Phase' for a particular project by someone who was putting together a Test Approach Document today. The categories I was asked to fill in were: Objective of the phase; Responsibility; Authority; Dependencies, risks &amp; assumptions; Entry/Exit criteria. When discussing what they really wanted it became clear that they didn't know what a penetration test was or why we do them. The questions and document were set up expecting a deliverable from the pentest itself. The report was being treated as the deliverable without any thought of why a report was being produced or how it will be used. It was a tick in the box - 'We require a pentest to be able to go live, so if we've had the report we can tick that box and move on'. Pentesting is not an end in itself. Pentesting is a standard, finite snapshot of the security of a system, which, if taken in isolation as a goal, is fairly useless. Pentests don't make you secure. Performing a pentest and having a report with lots of pretty colours and charts saying that high and critical vulnerabilities exist is only any good if you then remediate or mitigate those vulnerabilities. You could pentest your system every month, but if you never change anything in the system, every report will be the same and you will be as much at risk as you were before you had the pentest done. Indeed, you are likely to get progressively worse results as new vulnerabilities are discovered all the time. The test and report themselves don't do anything for security. A pentest is used by security professionals to inform and shape a project and decisions. The actions taken based on the findings from a pentest are what improve your security and help you identify the best use of finite resources or, at the very least, enable you to understand the risk. Do you need to perform a pentest? Absolutely you do, in order to understand the threat landscape properly and identify vulnerabilities, but it's what you then do with that knowledge that is important and will make you more secure (or not).</description><link>http://www.secuobs.com/revue/news/417819.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417819.shtml</guid></item>
<item><title>Here come the Security Police</title><description>Secuobs.com : 2012-10-21 15:04:02 - RLR UK - Security teams often attract antagonism from the business that they are supposed to serve, appearing as self-appointed policemen in a police state. This is unhelpful and not what we are or should be aiming for. Security departments should be providing a secure environment in which business users are free to do what they want. Obviously this environment will have boundaries, but they must be agreed with the business and not just imposed arbitrarily. Take an example from children's play areas: children should be safe within the confines of the soft play area and not too much harm will come to them. They can run around and play whatever game they like as long as they stay within the boundaries. Children can't wear shoes in a soft play area as they may hurt another child, but this doesn't stop them from doing what they want, as the play area has been engineered so that they don't need shoes to stop them from hurting their feet or getting wet and dirty. The same principles can be applied to security. If we build a safe and secure environment that has everything that people need within it already then they are free to do what they want and need, and are far less likely to break the rules or circumvent security controls. The architecture has to be secure and services should be tailored to the business functions and not just imposed by the security teams. A good example is to provide a Choose Your Own device (CYO) offering to avoid the problems of Bring Your Own (BYO) or the restrictions of imposing a single device. It is possible to support a range of devices and then even offer a restricted service on some further devices, but allow the users choice. In the end there will always be a certain amount of policing required, but if, as a security professional, you are spending most of your time in that role then your network, architecture and attitude are wrong.</description><link>http://www.secuobs.com/revue/news/406866.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406866.shtml</guid></item>
<item><title>Bank Card Phone Scam - new version of an old technique</title><description>Secuobs.com : 2012-07-13 16:31:49 - RLR UK - There is a new take on an old phone scam currently hitting people. The old scam was to pretend to be the telephone company and phone someone saying that they are about to be cut off if they don't pay a smallish amount by card over the phone immediately. If people don't believe them they are actually encouraged to hang up and then try to make a call. When they hang up and then pick the phone up again it is dead. How do they do this? Well, it's actually very simple - the scammer doesn't hang up, they just put their phone on mute. The call was never torn down. So, what's the 'new take' on this scam? Well, they are now hitting bank and credit card customers. The scammers now pretend to be from the bank and start asking for card details, etc. If you get suspicious (or even sometimes prompted by the scammer themselves) you are encouraged to hang up and call them back on the telephone number shown on the back of your card. They then provide you with an extension number or a name to ask for. When you hang up they do not, similar to before. However, this time they play the sound of the dialling tone to you until you start 'dialling' the number. All they have to do is wait for you to finish dialling the number, then play the ringing tone to you. All the while they haven't hung up and you haven't dialled your bank at all. The scammers then 'answer' the phone and pass you to the person you were speaking to before. You now think you're speaking to your bank. You did the right thing, but were still trapped. What can you do about this? My suggestion is to call back on a different line. Call your bank back on your mobile, not the landline you first received the call on.</description><link>http://www.secuobs.com/revue/news/387117.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387117.shtml</guid></item>
<item><title>HTTP Header Injection</title><description>Secuobs.com : 2012-06-13 17:11:06 - RLR UK - Sometimes user input may be reflected in the HTTP Response Header from the server. If this is the case we may want to inject additional headers to perform other tasks, e.g. setting extra cookies, redirecting the user's browser to another site, etc. One example of this is a file download from a website with a user defined filename that I tested. The web application took a user inputted description for a dataset that was used in several places. It was passed through several layers of validation for output to the screen and to a CSV file for download. However, it was also used as the filename for the CSV download and was not subject to enough validation. The filename was written to the HTTP headers as an attachment, e.g. 'Content-Disposition: attachment; filename=output.csv'. However, if we want to add a redirect header to the response from the server then we have to manipulate the filename description. If we add a CRLF (carriage return line feed, i.e. a new line) then we can add a new header, such as 'Refresh: 0; url=http://www.google.com?q=password.csv'. This will redirect the user's browser to the URL after 0 seconds, i.e. give them no chance to abort it. We need to send the CRLF ASCII character codes to the server to force it to put a new line in. This can be achieved by adding %0d%0a (CRLF) into the description. In this case the '.csv' was added to the end automatically, which could be ignored by the malicious website or used as in this example above. So the full description becomes 'output.csv%0d%0aRefresh: 0; url=http://www.google.com?q=password'. The output of this in the HTTP Header is:
Content-Disposition: attachment; filename=output.csv
Refresh: 0; url=http://www.google.com?q=password.csv
In this case, though, I came up with a problem. If I used the above injection I got the following error: 'Error 500: Invalid LF not followed by whitespace'. It turns out that the character set is not properly dealt with by the web server. You cannot just add a space after the codes either, as this will appear as a space at the beginning of the header line that we are injecting, which is interpreted by the browser as a continuation of the previous header line. The solution came from https://www.aspectsecurity.com/blog/to-redacted-thanks-for-everything-utf-8, where overly long data is inserted knowing that it will be truncated to the correct codes. The following codes will be truncated to the CRLF: %c4%8a, %c8%8a, %cc%8a. Now the working attack payload becomes 'output.csv%cc%8aRefresh: 0; url=http://www.google.com?q=password'. The simplest way to fix this is to use a hardcoded output filename, e.g. output.csv. The user can change this when they download it if they want. Otherwise, more sophisticated validation is required to look for certain character codes and sequences.</description><link>http://www.secuobs.com/revue/news/381343.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/381343.shtml</guid></item>
<item><title>Security standards are like getting a driving license</title><description>Secuobs.com : 2012-05-02 18:39:10 - RLR UK - When will people learn that compliance does NOT equal security? I blogged about this back in September 2009. Recently Global Payments has suffered a breach despite being PCI-DSS compliant (article from The Register). Security standards, and being assessed against them, are like getting a driving license. Passing your driving test means that you have achieved a minimum standard of driving, but it doesn't mean that you are a good driver or that you will never have an accident. The same is true of compliance to a particular standard - it doesn't mean that you can be any less vigilant about security or that you will never be compromised, it just means that you have met an agreed minimum level. People forget that the PCI-DSS is only concerned about payment card data and won't necessarily look at all systems and processes. It is perfectly possible that a system is legitimately considered out of scope, but that the compromise of that system allows a platform to attack a system that is within scope. The penetration tests performed are usually more focused on external access to PCI data as well. What if I can compromise the administrator's laptop though? Attacks from more adept hackers won't always go straight for the target; there are often easier ways. PCI-DSS, and any other standard, should not even be considered the minimum requirement. It should be a given that the organisation will pass their compliance as they should be aiming so far beyond the standards. I realise that resources are not unlimited, but that doesn't mean that you should be satisfied with scraping through audits. If fewer resources were wasted trying to fudge results to pass compliance then more could be spent on actually securing the environment and compliance would be practically automatic. The goal is a secure, trusted environment, not getting a bit of paper from the auditors.</description><link>http://www.secuobs.com/revue/news/373185.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/373185.shtml</guid></item>
<item><title>isSuperUser=true and other client-side mistakes</title><description>Secuobs.com : 2012-04-23 12:25:09 - RLR UK - Recently I have tested a couple of commercial web-based applications that send configuration details to the client-side to determine the functionality available to the user. These details were sent as XML to a Java applet or JavaScript via Ajax. So, what's the problem? The applications in question had several user roles associated with them, from low privilege users up to administrative users. All these users log into the same interface and features are enabled or disabled according to their role. In addition, access to the underlying data is also provided based on their role. However, in both cases, features were turned on and off in client-side code, either XML or JavaScript. One application actually sent isSuperUser=true for the administrative account and isSuperUser=false for others. A simple change in my client-side proxy actually succeeded in giving me access to administrative features. The other application had several parameters that could be manipulated, such as AllowEdit. This gave access to some features, but I noticed that there were other functions available in the code that weren't called by the page. It was a simple matter of looking for the differences between the page delivered to the administrator and that delivered to a low privilege user to find the missing code to call the functions. This was duly injected into the page via a local proxy again and new buttons and menus were added that gave administrative functionality, enabled by manipulating the parameters sent, as above. Some might argue that this attack isn't realistic as I needed an administrative account in the first place, but the code injected would work on every install of the application. You only need that access to one installation of the application, which could be on your own machine, then you can copy and paste into any other instance (or you could simply Google for the code). It shouldn't be this easy. Anything set on the client can be manipulated by the user easily. The security of a web application must reside on the server, not on the client. Web application developers must start treating the browser as a compromised client and code the security into the server accordingly.</description><link>http://www.secuobs.com/revue/news/371416.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/371416.shtml</guid></item>
<item><title>Citrix / RemoteApp File upload and Breakout using MS Office</title><description>Secuobs.com : 2011-12-12 20:03:45 - RLR UK - It is possible to deliver applications remotely to users via a solution such as Citrix or Microsoft RemoteApp (part of their Remote Desktop solution). This has the advantage of only delivering the application rather than the whole desktop to the user. The user isn't even necessarily aware that the application is running remotely, as it will appear like any locally installed application when running. An example of the type of application delivered in this way might be Microsoft Office. If, however, the Citrix or RemoteApp environment hasn't been set up properly, then this can lead to security problems such as arbitrary file upload and running commands remotely. I'm not going to look at macro security, even though this can lead to complete compromise of a system. However, what some people are not aware of is that you can upload files through the Open and Save As dialogs in Office. These files can then be executed on the remote system through the same dialogs. The figure below shows the options in the Open dialog of Word, with "All Files (*.*)" selected as the file type and having navigated into the Windows directory. Selecting either Open or, in this case, Run as administrator will execute the application. The same could be done with a batch file or script file after first uploading it by copying and pasting into this same dialog. Arbitrary files can be uploaded to a remote system and executed in this way. [IMAGE] What if you don't have direct access to Office applications? If they are installed on the system, you may still be able to exploit this. Consider Internet Explorer for instance. If this application is delivered remotely and Office is installed on the system, then you will probably have the option to edit the page in Office as the screenshot below shows, with the 'Export to Microsoft Excel' option in the context menu. [IMAGE] In a remote application environment, this will open a new window to allow you to interact with the new application. You can then upload your file and execute it as before. If you are deploying remote applications, you will have to think carefully about what you are delivering and secure the deployment properly with group policies, etc., to make sure that you do not fall foul of such simple tricks.</description><link>http://www.secuobs.com/revue/news/346704.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/346704.shtml</guid></item>
<item><title>Encrypted ZIP Archives Leak Information</title><description>Secuobs.com : 2011-11-25 14:08:13 - RLR UK - This post is just a quick note to remind people who use encrypted ZIP archives to store or transfer confidential information that the headers of the archive are not encrypted. Therefore, the filenames, dates and sizes of all the files within the archive can be read by anyone, without the key. Is this a problem? Well, I believe it is. Many people and organisations have naming conventions for files. How do you know which report to open if the filename doesn't give you some clue? Often filenames will include project names or codes, departments and even the names of the people writing the report. Would you give this information out to anyone walking down the street? I have seen targeted Spear Phishing attacks on users whereby emails have been sent with what look like project spreadsheets attached, with the correct naming conventions and project codes. These attacks were very convincing for an unsuspecting user. Filenames can leak enough data to start launching social engineering attacks and to concentrate cracking effort on the correct files. What can you do? Either don't use encrypted ZIP archives to send sensitive data, or rename every single file to random names before adding them to the encrypted archive (remember that you should really do this to all files every time you want to add anything to an encrypted archive, even if the filename doesn't reveal anything, as otherwise you will again be potentially advertising the really sensitive files).</description><link>http://www.secuobs.com/revue/news/343814.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/343814.shtml</guid></item>
<item><title>Flaw in email security means signed mails cannot be encrypted</title><description>Secuobs.com : 2011-11-05 14:33:23 - RLR UK - I was at a company the other day that uses a well-known email encryption solution as they have some very sensitive information that they need to send both internally and externally. As is common for these solutions, it is possible to automatically sign the email by putting a keyword in the subject line, such as 'signemail'. Similarly, the mail will be encrypted automatically if the confidential flag is set or a keyword, such as 'encryptemail', is added to the subject. So far, so good. There are no messy button presses or extra steps for the user. However, there is a flaw with the solution (I should point out that at this moment it is unclear if it is a product problem or a configuration problem, hence my not mentioning the product). The issue is that signing the message appears to take precedence over encryption. So, if you add both keywords to the subject then the message will only be signed and not encrypted. Now the encryption solution does also sign the message, so if you want it encrypted then you don't need to specifically sign it as well. So is this really a problem or am I just making a fuss? Well, I can envisage several situations when it would be a problem. The most likely is probably replying to a signed message with confidential data. Let's say that Alice puts in a request for sensitive information from Bob via a signed email - only certain people can have access to the information so it is reasonable to expect Alice to digitally sign the request, but the request is not sensitive in itself. Now, if Bob replies to that request with the sensitive information attached he will follow policy and mark it as confidential and add the encryption keyword, 'encryptemail', to the subject line. He will now assume that the information will automatically be encrypted. However, if he doesn't remove Alice's 'signemail' keyword it will just be signed and not encrypted. This then violates the policy and sends confidential information in plaintext while the user believes that it has been encrypted. It also highlights that you shouldn't use a keyword that might be used as part of everyday language. For example, don't use the keyword 'sign' as someone could send a sensitive document with a subject something like 'Contract for you to sign'. I suggest that everyone using this type of solution should test it to see if this happens on their system. If it does, you will, at the least, need to publish an advisory warning to your users.</description><link>http://www.secuobs.com/revue/news/339035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/339035.shtml</guid></item>
<item><title>Sony to send password reset email</title><description>Secuobs.com : 2011-10-12 12:07:35 - RLR UK - Sony have detected someone trying to gain access to their various networks again, by using ID and password pairs that Sony conclude have been extracted from someone else's network. This may be a valid conclusion as it was only a small percentage of users that were affected (less than 0.1%, which is still 93,000). Sony have been upfront and quick to react, disabling the affected accounts and putting out a notice. However, their next step, according to the notice given by their Chief Information Security Officer (CISO), is to send all the users who have been affected an email asking them to change their password. Cue phishing scam. Surely some bright spark will now construct a phishing email to send out to everyone saying that theirs was one of the 93,000 IDs compromised and could they now change their password. A simple copy of the site would then enable someone to lift thousands of valid credentials from accounts that weren't compromised. The problem is that Sony's users are now expecting an email to arrive to tell them to change their password. The work to trick someone to follow a link has already been done by Sony and the media. How about not sending an email? Instead, publicise the attack and that some accounts have been disabled (Sony has done this). Next, let the users come to the Sony sites and try to log in. Then you can inform them that their account has been disabled and what the password reset procedure is.</description><link>http://www.secuobs.com/revue/news/334261.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/334261.shtml</guid></item>
<item><title>Password Protect Your Mobile</title><description>Secuobs.com : 2011-10-11 16:46:01 - RLR UK - I know that many security 'professionals' will scaremonger and preach doom and gloom at every turn in order to drive up sales. However, they're not always wrong. I read the article 'Mobile device users fail to take basic steps to protect themselves, survey finds' and wanted to relate an event that happened this weekend. Many people are saying that mobile device security threats are hype and that nobody is actually exploiting them. That's possibly true to a certain extent at the moment, but for how long? Another article claims that identity theft is now more profitable than car theft. A mobile phone is a very good start for this purpose. An interesting figure that comes from the article above is that 160,000 mobile phones are lost or stolen every day. I assume that this is just in America, as in Britain the figure is around 20,000 a day. Whether or not these figures are accurate is immaterial, the fact remains that a lot of phones go missing. What do you have access to from your mobile? The recent incident that I mentioned above happened on Sunday. Someone left their iPhone at a sports training ground I was at. On inspection of the phone, there was no authentication set on it at all. I was able to see photographs, names, addresses and telephone numbers of family and friends. In addition to this, they had a Facebook App, which was still signed in. It would have been very easy to update their status with a malicious link for all their friends to visit. Worse than this, however, was the fact that they had access to their corporate email and address book from the phone - a FTSE 100 company. Again, this was still signed in with no additional authentication required. What corporate information could I have gained access to? As it was, a phone call to the telephone number entered as 'Home' enabled the phone to be returned without stripping data off it or sending phishing messages. However, what if someone else had picked it up? The survey in the article stated that, of those interviewed, over 65% used their mobile phone to access corporate email and networks. 'Do you send or receive sensitive information via email?' should have been the next question. Businesses and employees should think carefully about the data held on their devices and the level of access they have to the corporate network. At the very least people should always have some form of authentication set on their phone, e.g. a PIN, password or stronger authentication. The majority of users leave applications, such as email and social media accounts, perpetually logged in and many users leave their devices unlocked. Even when they are forced to lock them due to policies, they don't always really secure the device. I have seen many users with corporate phones that require passwords use simple passwords (such as 'qwerty') so that they are easy to type. They cite difficulties in typing complex passwords as being the major reason for choosing simple passwords, which is in line with the findings of the survey. The bottom line is that these devices are part of the corporate network, whether the IT department is aware of them or not. They need protection. Even as an individual, protect your identity and your contacts by employing automatic locking of your mobile with passwords or long PIN numbers and don't leave apps permanently logged in. I find it worrying that I have to give this advice.</description><link>http://www.secuobs.com/revue/news/334044.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/334044.shtml</guid></item>
<item><title>City Link and Gathering Data for Spear Phishing</title><description>Secuobs.com : 2011-09-20 16:36:55 - RLR UK - I have just been sent an email giving me a tracking number for a City Link parcel due to be delivered. On checking this on their website, I found that I only need the tracking number to track the parcel and no other information. Is this a problem? Well, I think it is. Via my tracking number I am able to find the company name of the sender and my postcode. Now, postcodes normally only relate to around a dozen properties at most. However, that's not the end of the story. By entering different numbers (based on the one that I received) I was able to get the details of other parcels being sent around. Incidentally, their format is AAAddddd - representing three uppercase letters followed by sequential numbering. Does this matter? Well, by going backwards through the sequential numbering system I was able to find a parcel that had just been delivered (at 13:50 to be precise) to a postcode in West Yorkshire - BD22 (I have omitted the last part of the postcode here). Helpfully, they include the surname of the person that signed for the parcel. Then it was a simple matter of doing a quick search on the properties to find someone with the correct surname. I found Denise and Jonathan X living at that address for a number of years and was able to find additional information, such as the fact that Jonathan worked for a local University. Crucially, I was able to find email addresses for them. It would now be very simple for me to launch a phishing attack on them as I have real details with which to trick them. There is simply a privacy issue here as well. Do you want anyone and everyone knowing what deliveries you receive and from which organisations? This could make a very good profile. How hard would it be for City Link to require some additional information before giving out the detail? A simple solution would be to ask for the correct postcode in addition to the tracking number, then it would be much harder for someone to extract the details. Anyway, I'm off to write a script to extract the details for the postcodes of City Link employees, MPs and newspaper reporters to see where they shop.</description><link>http://www.secuobs.com/revue/news/329940.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/329940.shtml</guid></item>
<item><title>Admin rights to data should be given sparingly (or not at all)</title><description>Secuobs.com : 2011-08-04 21:03:18 - RLR UK - I was reading a well-known telco's document on the trade-off between productivity and network security recently. A lot of what they said is fair comment and they do have some helpful suggestions. However, their response to security risks, like those of many organisations, jumps straight for the technology solution with only a thin veneer of trying to deal with people. Many organisations will talk about people and process and how important they are and that you need education programmes (most of which miss the point and are not terribly effective), but they say it as if they have been told to and don't really believe it themselves. At the end of the day they will jump on the technology bandwagon and sell you the latest bit of kit. One statement in this document stood out though: "full administration rights to all data are rarely appropriate for the entire workforce". What? When are they EVER appropriate for the entire workforce? When are full admin rights over all data ever appropriate for even one person in the organisation? I'll give an example. Suppose you are an organisation that stores the financial data of your clients in a database. Should the network administrator have full admin rights over the data? Certainly not. Under what circumstance does the network administrator require any access to that data? What about the database administrator? Again, no. The DB administrator needs administrator rights to the database management system, but they don't need to be able to read the actual data contained in the database. What about those users that may need access to the data contained in the database? Well, they can be granted access, but you wouldn't give a user administrative rights over the data, surely? This also highlights the problem that many organisations have with leaking data. If you give people rights over the database they can extract the data, store it on their local machine and lose it or transmit it. What's wrong with keeping the data in the database and accessing it from there? If you download it, you will only have a snapshot anyway. Leave the data in the database and protect it from everyone who doesn't need access to it, which includes the IT department.</description><link>http://www.secuobs.com/revue/news/321134.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/321134.shtml</guid></item>
<item><title>Skype Phishing from ONLINE HELP</title><description>Secuobs.com : 2011-06-09 21:22:27 - RLR UK - It seems that many users are receiving phishing phone calls through Skype from a profile called 'ONLINE HELP'. This call, if answered, plays a recorded message telling the user that their computer is not protected and that they must go to visit www.hosog.com. If you do visit this site, it is riddled with malware. This is a phishing scam. The user account that I have observed is drationlinehelpgb and shows as being registered in the US, but seems to have been taken down now. However, others have reported a user account of drajizonlinehelp, which appears to be registered in Afghanistan. This one is still live at the time of writing and is using the same 'ONLINE HELP' profile name. It would appear that new accounts are being created as the old ones are blocked by people and reported for abuse to Skype. It is slightly worrying the number of people who are reporting having answered this call. If you receive any unsolicited calls through Skype from users outside your contacts, don't answer them. Indeed you should actually change your privacy settings in Skype if you haven't already. Choose the Privacy menu item in the Skype menu to open up the Privacy settings tab in the Options dialog. Make sure that all the options are set to "people in my Contact list only". I suggest that you also don't share your online status on the Web. You shouldn't now receive calls out of the blue from scammers. The problem is that people are becoming trained into accepting connections in social media sites and it spills out into their other online activities. People still think that SPAM and phishing scams only happen over email. Actually, people are usually fairly vigilant with their email, so it is more likely to be successful if they try other avenues. Sophos did an experiment at the end of 2009 where they created two fictitious Facebook users, one with a profile picture of a rubber duck. They had thousands of people sign up to 'friend' them. How carefully do users check links from their 'friends'? It opens up a very good channel for SPAM and phishing attacks. As a general rule of thumb, don't connect or share details with anyone you don't personally know through social media, VoIP, email, etc. Also, if you use these media channels a lot, you should think about investing in a security product to help protect you.</description><link>http://www.secuobs.com/revue/news/310255.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310255.shtml</guid></item>
<item><title>Google email Accounts Compromise</title><description>Secuobs.com : 2011-06-03 15:19:02 - RLR UK - I was asked to comment yesterday on the story that emerged about the Google mail accounts that were compromised over the last few days, so I thought I'd put some of my answers down here. First off, Google wasn't compromised: a set of phishing emails were sent out and a fake Gmail login set up to harvest login details. These were used to set up forwarding rules to copy mail to another account. Unfortunately, although a large number of people are aware of phishing and are (to a certain extent) vigilant, it only takes one person within the organisation to fall for the attack to compromise security. The scammers are becoming better at targeting people and making the initial phishing contact more believable to some people. Phishing is not just about email, although that is the most common avenue for the initial contact. Social media is also commonly used and we have seen the use of SEO to force phishing sites to the top of search engine rankings as well. User education is the only real way out of this. Could this be cyber espionage? I would think that is most likely given the profile of those targeted. Information is worth a lot of money and political weight. In recent years we have seen a decrease in attacks designed to deface/destroy/delay/deny services and information. Instead, we are now seeing information and identity theft as major goals. Viruses won't necessarily stop your computer from working, but they will use Trojans to steal your login credentials. Malware now will silently sign your machine up to botnets rather than perform an obviously malicious action. What can companies like Google do to stop this? Well, they can improve their SPAM filtering for a start. It is possible to eliminate the vast majority of phishing emails, which would drastically reduce the problems. However, many of the major vendors aren't strong enough on this. Secondly, user education would help a lot, but can't always help you against the best social engineers. To be honest, though, the governments and organisations that these people work for shouldn't allow the use of Gmail, or other accounts (which have fewer controls than a corporate email setup), for official business and should educate their users to use different passwords, be vigilant, etc. Spear phishing is a more difficult one to combat as it targets a specific user or group of users that the attacker has knowledge of. If I know your habits and who your friends are then I can use that information to trick you much more easily. If you receive an email or Facebook message from your partner, do you hesitate before opening it? The reason this doesn't happen more is that it takes background research and, by definition, targets very few people. This technique is only relevant if you want what that specific user has access to. Hence it is more likely to be information that they were after. Another way to combat these types of attack is to use one-time passwords as well, so that intercepting a single logon only gives you access during that session, and isn't valid in the future. However, tokens are prohibitively expensive for Google to hand out to everyone. There are other solutions such as SMS tokens, but these aren't all that cheap when multiplied up by the number of Gmail users, and aren't without their problems. Software token solutions such as Swivel, GrIDsure, FireID, etc., are possibly cost-effective enough to be implemented and could drastically reduce the success of these attacks. However, none of these stop the man-in-the-middle (MITM) attack, so you could still hijack the session and set up a forwarding rule to obtain a copy of all their mail. Google do allow you to set up alerts and have to validate changes through a 2-step process, but you have to enable this. This should be the default for all of these services. Perhaps they could also add a footer to all versions of the email to specify where it has been forwarded to. How worrying is this sort of attack? Well, that depends. Most people can be socially engineered - look at Derren Brown. For the individual, spear phishing is unlikely to be a problem, but with a lack of education they may well fall for a bulk phishing scam anyway (thousands do or nobody would bother). However, for those with access to secrets or other valuable information, it is a serious issue. It all comes down to how good the attacker is. I believe that HM Treasury is the most attacked entity in this country and that is mostly for information rather than evading tax or performing Denial-of-Service, etc. They should be worried about this type of attack.</description><link>http://www.secuobs.com/revue/news/308997.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/308997.shtml</guid></item>
<item><title>Security Risk is Proportional to Hacker's Skill</title><description>Secuobs.com : 2011-05-26 18:47:56 - RLR UK - There are many factors that influence the risk to your organisation and they are by no means all about hackers. However, we do have to deal with hackers and have to realise that they are a fact of life that won't ever go away. So how much risk are we at from hackers? The truth of the matter is that the risk your organisation faces from hackers is proportional to the skill of the hacker. There are many different types of hacker, from the person who downloads a free tool, through script kiddies, to highly intelligent, technically skilled people who can discover and exploit any vulnerabilities you may have. The tricky thing is to figure out who you will likely get attacked by. Many organisations have the attitude that they are not a natural target so nobody will attack them and they don't need to worry about security. Unfortunately that just isn't true. Computers are very good at doing repetitive tasks without getting bored. As a test we have a standard ADSL line with a web server sitting on it, which is completely non-advertised, yet it gets attacked 4 times a day on average. The problem is that if you have simple vulnerabilities or use the same components and services as others that are targets then they could be discovered on your network and exploited by simple to use tools. The problem is that the exploits are created and distributed in freely downloadable tools for all to use. It is relatively easy for a hacker to find and exploit your system even if you aren't an obvious target.</description><link>http://www.secuobs.com/revue/news/307384.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/307384.shtml</guid></item>
<item><title>3M Privacy Filters Update</title><description>Secuobs.com : 2011-05-01 22:10:41 - RLR UK - I have blogged about 3M's privacy filters before, and their gold filter still remains, in my opinion, the best privacy filter on the market. If you want to find out more about that one and why you need a privacy filter, see my previous blog posts 'Why do I need a privacy filter?' and '3M's new Vikuiti Gold Privacy Filter'. I also blogged about their mobile phone privacy filter. The problem with their mobile phone privacy filter last year was that it was only available in their standard grey louvered filter, so it didn't work well with accelerometer phones that can be used in portrait or landscape modes - you had to pre-select which orientation you wanted to use your smartphone in. Also, the light transmission wasn't as good as the gold filter, nor was the touch quite as good after applying it. Well, they've addressed this and launched a new filter for mobile phones and slates at InfoSecurity Europe. The filter is now significantly thinner, with excellent touch response and better light transmission - they also have a clarity measure which makes the screen easier to read with the filter (it does kind of work, having seen an iPad with only half the screen covered). They also have (in the lab) a grey louvered filter in two planes. This stops people from being able to read the screen if they aren't directly in front of it, and deals with mobile phones and slate devices that can be used in the two orientations. This filter isn't available yet, but 3M told me that they were targeting the end of this year for these new filters. 3M also assured me that the new filter with double louvers will be no thicker than the current one. This, combined with 3M's great adhesive that allows for a simple application, will make 3M's new privacy filters for mobile phones and slates the one to have, especially as they double as screen protectors. Unfortunately they only do pre-cut versions for iPhones, iPads and HTC phones at the moment. If you don't have one of these then you will have to either cut it yourself or get a third party to cut one for you.</description><link>http://www.secuobs.com/revue/news/301882.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301882.shtml</guid></item>
<item><title>Base64 Encoding is NOT Cryptography</title><description>Secuobs.com : 2011-03-10 02:02:44 - RLR UK - I have once again come across an IT department who were firmly convinced that the commercial web application that they use is secure and has encrypted user details. What it actually does is Base64 encode the password. This is not encryption and must be treated as plaintext. So what is Base64 encoding and why do we have it? Well, a large number of popular application layer protocols are ASCII text based, ie they transfer plain text over the network. A good example of this is HTTP - the protocol used to transfer HTML (or Web) pages around. Originally, only text pages were sent, with markup embedded to style them. However, soon other resources were added to the web, including pictures, documents, etc. HTTP is designed to transfer plain ASCII text, so how do you transfer a JPEG photograph? Answer: you convert it into plain ASCII text. The basic principle of converting a file into text is to use the data to represent an index to the ASCII character, eg 'A' is 63, 'B' is 64, 'a' is 97, '8' is 56, etc. So, if the first four bytes of your file are 63, 64, 97 and 56, this can be represented by 'ABa8' without loss. However, ASCII is actually only 7 bits and we usually use 8-bit bytes (because of IBM setting the standard - actually a byte was historically just the number of bits required to store a character). Also, ASCII character 13 is a carriage return, 27 is escape and 8 is backspace. These are non-printable and, worse than that, could corrupt the communications as well as remove other characters. So, we can't just do a straight conversion from bytes to ASCII. This is where Base64 conversion comes in. We split the file up into 6-bit 'bytes', rather than 8-bit. 6 bits give us 64 possible values. These are then represented by the digits, upper and lowercase letters and a couple of symbols, ensuring that they are always printable and don't cause problems. So, the Base64 encoded password is just a 6-bit 'byte' representation of an 8-bit byte password, and it is trivial to convert between the two. There is no security in Base64 encoding anything. Perhaps I should repeat that again: Base64 encoding something is not encrypting it and provides NO SECURITY whatsoever. I am constantly surprised and disappointed that people think that Base64 encoding something will protect it. I know TLS has its problems, but why aren't all web applications using it?</description><link>http://www.secuobs.com/revue/news/290603.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290603.shtml</guid></item>
<item><title>True Random Numbers from Random.org</title><description>Secuobs.com : 2010-12-31 17:06:39 - RLR UK - Much of security relies on randomness - encryption keys should be random, and random passwords are more secure than dictionary words or predictable sequences. The problem is, how do we generate a random number? Well, actually, this is a trick question. The answer is that you can't generate random numbers, but you can observe them. Most programming languages give you a random number generator, so why not just use that? Well, it's not actually a random number generator, but a Pseudo-Random Number Generator (PRNG), or more accurately a Pseudo-Random Sequence Generator (PRSG). Given the same seed value, it will produce the same output every time. Try seeding the random number function in your favourite programming language, then run your program a few times. You should see the same numbers coming out each time. The reason for this is that the function used to produce random numbers is just a mathematical formula that takes an input and gives an output. To have a random number out, you need a random starting value. Most will seed themselves on the clock, but this isn't random; it isn't even unpredictable. A simplistic example of a PRNG, as given by Knuth in his seminal books, is as follows: X = (a*X + c) mod m; random number = X/m, for some suitable large prime number m and fixed values a and c both less than m (indeed c is usually a small number, less than 10). This can be seeded by setting X to the seed value and will give the same sequence of pseudo-random numbers out, as can be seen. However, it isn't random. If I know your seed value I can recreate your sequence of numbers. If you seed it on the clock it is often possible to work out a window of opportunity and obtain a range of seed values. Admittedly, this could be large, but an exhaustive search of these would be quicker than breaking the code that relies on them in many cases. Recently, a large Linux distribution was found to have a flaw in its key generation that introduced a major weakness into the RSA public-key codes generated on those machines. This was due to predictability of the keys and a lack of randomness. So, what can we do? We can observe randomness in the natural world. Random.org uses background white noise as a source of randomness. This gives good randomness and distribution of numbers. They offer several options to generate random numbers, sequences or even passwords. An example of their random number service is given below. I'm not saying that they are the best option or the only option, but you must use truly random numbers in your cryptography and secure systems. The numbers generated by this widget come from RANDOM.ORG's true random number generator.</description><link>http://www.secuobs.com/revue/news/275107.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275107.shtml</guid></item>
<item><title>HDD Tools &amp; Other Malware Removal</title><description>Secuobs.com : 2010-12-18 22:46:56 - RLR UK - Recently I had someone come to me with their laptop saying that they had a new anti-virus program that they didn't remember installing and that 'other things' on their laptop didn't seem to work any more. The same thing happened to a corporate desktop machine I was asked about a couple of weeks later, which was originally running McAfee. Finally, two days ago I saw another corporate machine running McAfee that was saying that it had a hard drive failure. A tool, called HDD Tools, then automatically ran to diagnose the problem and stated that if they purchased the full HDD Tools product then it could fix the problem. Each of these was a piece of malware that had infected the machine and was trying to get the user to enter their credit card details into a website so that money could be taken from their account and maybe their card cloned. These malware programs go along with the fake anti-virus software that the APWG have reported a huge rise in recently. These are a collection of programs that purport to be useful software and will fix a problem that you are experiencing. The truth of the matter is that it is that software that is causing you the problems in the first place, and paying them the money will just cause more trouble. The later breed of scams using these supposedly useful tools do one of two things in general - either they cost you money and they may try to clone your card, or they will enlist your machine in a botnet. For a discussion of this type of malware and its proliferation, see this blog post. Here I wanted to tell you a couple of simple steps to remove this type of software if you do get infected. Obviously, it should go without saying that you should do everything possible to try to avoid getting infected in the first place rather than try to recover from it - the damage may already be done. However, there are many similarities between them and you will need to remove them. A simple procedure can often work to get rid of them, as follows (NB this will not always work, and if you make a mistake you can make things much worse). 1. Detect that you have rogue software (malware) on your system. This isn't always hard as, in the case of HDD Tools, it will keep popping its window up and not allow you access to the C: drive of your computer. Other things to look for are if your AV product doesn't work or if you get strange services appearing in the Task Manager. Often the malware will stop Task Manager from running by disabling the Run command and the right-click functionality on the Taskbar. However, sometimes you can still get access to it by pressing Ctrl+Shift+Esc. Look for processes with random names (HDD Tools uses a number like 20418112.exe, which will change with each infected machine). 2. Reboot your machine in Safe Mode by pressing F8 during boot (that's the function key F8, NOT the F key then the 8 key). If your machine boots up normally then you didn't press F8 early enough - you need to reboot again. You need to go into Safe Mode as the malware will prevent you from deleting it normally by having a background service running. This will not be started in Safe Mode, so you can remove it. 3. Once in Safe Mode, you can begin to remove the malware. First, you need to find out what the malware is and where it's stored. Mostly the malware won't appear in the list of installed programs, so it can't simply be uninstalled, but that's worth a check. However, sometimes this can be used to reinfect the machine, so be wary. If you have rogue software on your system then it will probably have created some kind of shortcut on the desktop or in the Start menu to make it seem legitimate. Have a look at where this points to and what the name of the file is. Other places to look are in the Startup folder and in the list of services installed on the machine. In the case of HDD Tools, it installs a desktop icon and Start menu folder. 4. Navigate to the path in Windows Explorer to find all the files you are looking to remove, but don't remove them yet. HDD Tools stores its files in your temporary folder, eg C:\Documents and Settings\username\AppData\Local Settings\temp, or C:\users\username\AppData\Local\temp. You may need to show hidden files and folders to be able to see this folder in Windows Explorer by changing the settings in Folder Options. 5. Run a file search on your machine to see if there are any other instances of those files anywhere else for you to remove. 6. Run Regedit from the Run command to open up the registry editor (Warning: messing around with the registry can ruin your machine). Now run a search for the filename in the registry. 7. You will need to go through the registry to remove all references to the malware and any keys that it has created. In general, if the only entries in the key relate to the malware you can remove the key, otherwise just remove the values. These often appear in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER in the Software\Microsoft\Windows\CurrentVersion key. 8. Once you have deleted these, you can go back and delete the original files. 9. Reboot normally and check your machine. It is still possible to get infected even if you have a properly managed device with anti-virus software installed. The problem is that they are not 100% effective. See 'How secure is your AV Product?'</description><link>http://www.secuobs.com/revue/news/272881.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/272881.shtml</guid></item>
<item><title>McAfee Secure Short-URL Service Easy to Foil</title><description>Secuobs.com : 2010-09-22 18:15:09 - RLR UK - McAfee have launched a Beta URL shortening service with added security features. As Brett Hardin pointed out, they are a little late to the game. However, there are so many abuses of URL shortening services that I commend them for trying. Basically, what their service does is allow you to create short, easy URLs (like any other service). However, unlike other services, when you click on the link, it opens a frames page with the content in the bottom frame and the McAfee information in the top frame. This information includes details about the domain you are connecting to, the type of company it's registered to, and a big green tick or red cross to tell you whether the site is safe or not. This is decided by their 'Global Threat Intelligence', which will block known bad URLs and phishing sites. That's good, if it works. I said above that I commend them for trying to provide this service. There are some obvious failings in their solution though, that render their protections useless other than to make it easier for people to phish users, as the page has the McAfee stamp of approval. Below is their site working properly to block a known bad phishing URL. As you can see, this site was blocked and marked as a phishing URL, which it was. Excellent, it's working! Hold on a minute though. Have a look at the screenshot below, where I can access the same URL through their service by embedding it in an iframe. I now get the big green tick and I'm told that it is safe. You can see from the source that the iframe is showing the exact same URL as was blocked before. Incidentally, the page says that the site is a Business Internet Services company, which is extremely misleading, as I can assure you that this wasn't put on a domain run by a Business Internet Services company. Also, what about if I code my page to not accept being in a frames page? Then the service falls down again. The screenshot below is of Twitter accessed through this service. The problem is that I can hide all sorts of other links in the page to fool McAfee, and the user won't see them. I know McAfee will block these URLs in time, but they will only be blocking the host page and they will have to block all of them. It's a nice idea, but it just doesn't work. Interestingly, other services also have some security in them. TinyURL, for example, wouldn't allow me to create a short URL for this phishing site in the first place, as it was recognised as such. McAfee happily let me produce the short URL; they just blocked it later - not such a good strategy in my opinion. I know that a new phishing URL would fool TinyURL as well, but I particularly chose a URL that had been around for the best part of a month to give them a chance, and I think TinyURL has done better. Incidentally, TinyURL also allowed me to produce a short URL for my test page. One good thing about TinyURL is the preview facility, but that doesn't protect me against a site that looks like the real thing. Moral: follow any links at your own risk, and don't think that a green tick makes it safe.</description><link>http://www.secuobs.com/revue/news/250695.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/250695.shtml</guid></item>
<item><title>System Recovery with Comodo's Time Machine</title><description>Secuobs.com : 2010-09-18 18:50:09 - RLR UK - Comodo's Time Machine is a software application that runs on your Windows machine and periodically (either manually or automatically) takes snapshots of your system. You are then able to roll back to any of these snapshots in the future. Indeed, you can jump backwards and forwards in the tree, and new branches appear as you make changes to the system. The idea behind it is that if you suffer any problems with corrupted software, malware, etc, then you can roll back to a known good state and start again. You can lock snapshots so that they don't get deleted and then clear out the ones that you don't want to keep any more. This is quite important, especially if you take automatic snapshots. You have to remember that every change made to the computer (ie every time you run it or change a file) the changes are stored. When a new snapshot is created, if you change a file you will have a new version on your system as well as the old one. Due to this, it requires a fair amount of space on your system. However, the upsides are fairly obvious. I have been using it quite a lot recently on test boxes while performing testing of security software against various malware and other attacks. It enabled me to perform a test, roll back to the pre-test state and perform it again or try another attack from a fresh system. It greatly reduced the testing time for certain attacks, as I wasn't having to deal with an imaging server, etc. For the normal user, however, this does mean that if you get infected with malware or something else goes wrong with your system, you can very quickly and easily roll back to a previous state and carry on working. There are a few issues to keep in mind though. Firstly, as I've already mentioned, the space required can be quite large if you keep taking snapshots and don't clear previous ones off the system. Secondly, if you roll back your system, you won't have access to any new files or software that you have put on the system - you will need to roll forward again to get at these. Finally, I did have one or two occasions where the restore failed. When I say the restore failed, I mean one snapshot failed so that I couldn't boot into it. At the boot stage I had to select another snapshot to boot from. I could always find a snapshot that did work, but it is slightly worrying that there were occasions when the one I wanted wouldn't boot. This could be due to the fact that I was installing various service packs, updates and malware onto the system and switching between them many times, but it is still worth noting that you will require a full system backup and you must back up all your data regularly. Of course there are other products out there that do the same thing, and some reviewers say that they are better (eg Acronis). However, I found Comodo's Time Machine very easy to use, and it is free. I'm not necessarily endorsing Comodo's product; I'm saying that this type of software is worth a look for keeping your systems running.</description><link>http://www.secuobs.com/revue/news/249334.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249334.shtml</guid></item>
<item><title>Twitter Steganography</title><description>Secuobs.com : 2010-07-26 01:28:43 - RLR UK - I have recently been thinking about Steganography again, and various carriers as well as applications. For those of you that don't know what Steganography is, it simply means 'hidden writing', from the Greek. Some examples of steganography are: tattooing the scalps of messengers and then waiting for their hair to grow back; writing a message on the wood of a wax tablet before pouring the wax in; 'invisible inks'; pin pricks above characters in a cover letter; etc. Basically, we have a 'cover', which could be an image, passage of text, etc, that we are happy for anyone to see, and a message that we want to hide within it so that it is undetectable. It turns out that this last part is quite hard. Anyway, I thought I'd look at techniques to embed data within Twitter, as it is popular now and people are starting to monitor it. Hiding within a crowd, however, is a good technique, as it takes quite a lot of resources to monitor all activity on a service like Twitter. The techniques described here would work equally well on other social networks, such as LinkedIn, Facebook, etc. How do we embed data within a medium that allows only 140 plaintext characters though? Well, there are several methods, a few of which I'll talk about here. I'm only going to discuss methods that would be quite simple to detect if you knew what you were looking at, but that will go undetected by the majority of people. The first method is to use a special grammar within your Tweet. If the person you are communicating with knows the grammar then you can alter a message to pass data back and forth. A simple example of this technique would be to choose 2, 4 or 8 words that mean the same thing, but where each one represents a value. For example, you could use fast, speedy, quick and rapid to represent 0, 1, 2 and 3 respectively, effectively giving you 2 bits of embedded data. If we had 8 words then we would have 3 bits, and so on. This can be extended to word order in the sentence and even the number of words per sentence. However, messages can be difficult to construct in such a way as to be readable, and this is not a high data rate. We could probably get only one or two bytes worth of data in an update message. Another method is suggested by Adrian Crenshaw. He used Unicode characters, giving access to two versions of the character set. So the lower range represented 0s and the upper range of characters represented 1s. This is a good scheme, as you then transfer as many bits as there are characters in your message. This gives a maximum of 140 bits. The issue with his scheme is that on some devices and Twitter clients the two character sets look quite different, and it is definitely detectable. However, a good idea nonetheless. Following on from this, we can encode bits within the message, so that they aren't seen by the user, by appending whitespace to the end of the message. Whitespaces are things like a space or a tab, ie a place where a letter isn't. A simple method to embed your data is to represent a 0 by a space and a 1 by a tab. The good thing is that web browsers will display multiple whitespaces as only a single space, so this will be invisible within a browser. Other clients will print them out, but there's nothing to see. Now, Twitter, and most social media clients, will strip whitespace from the end of your message, as they assume that you added it by accident. This will destroy your data. However, if you add the &amp;nbsp; HTML code to the end of your message then it will keep all the whitespace (indeed, you could put any character at the end, but you may see multiple spaces in some clients). The advantage of using the &amp;nbsp; is that it is a whitespace character and won't be displayed in your message. Now, you will need to write a short message and add the non-breaking space at the end, so you won't have that much space, but you should be able to get up to nearly 16 ASCII characters in this way, and certainly over 100 bits if you keep your message short. We can also be quite blatant with our data. We can rely on the fact that people won't know we're transferring data and won't look very hard. A simple URL shortening service can be exploited in two ways to embed data. The simplest method is to make up a URL. Twitter users rely on http://bit.ly and http://twitpic.com extensively. If we base-64 encode our text or data, then we can add 6 bytes (or characters) to a URL. For example, I could tweet: 'Just read this http://bit.ly/UkxSIFVL and saw the photo http://twitpic.com/IEx0ZC4'. Now, these URLs are fake and don't lead anywhere. However, the base-64 encoded text of the two URLs decodes to 'RLR UK Ltd.', and how many people will follow your link anyway? Even if they do, the two sites here will just put up a helpful message that there was an error with the URL. You can now apologise and provide two real URLs. Meanwhile the message has got across. Obviously more URLs mean more data - up to 36 bytes if you just send 6 URLs. The second method of using a URL shortening service is to write your own. Now you can provide real URLs but flag particular IP addresses, or require the addition of an extra parameter to the URL to make it show a different page to the person you are trying to communicate with, eg a password. This isn't really Steganography as such, but could be used to transfer URLs that can be checked by someone else and don't reveal the true target. The final method I'm going to discuss here is the use of a Stego Profile Image. All social media networks allow you to upload and display a small image on your page. Why not use traditional Steganographic techniques to embed data within this image? If you change your image regularly then it won't look suspicious when you change it to transfer data to someone. There are tools on the Internet to do this for you by replacing the Least Significant Bit (LSB) of every pixel with one bit of your data. This is a simple scheme and easy to detect. There are other much better schemes that are not only harder to detect, but that will give you more 'space' within the image to store your data. To give you some idea, a 4-colour, 73x73 pixel GIF like Twitter's default images can store nearly 4KB of data with no visual impact. However, that's for another blog post.</description><link>http://www.secuobs.com/revue/news/243731.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/243731.shtml</guid></item>
<item><title>IPICS 2010 Network Security Slides</title><description>Secuobs.com : 2010-07-23 18:28:41 - RLR UK - These are my slides on Network Security, presented at the Intensive Programme on Information and Communication Security (IPICS) 2010. The topics covered are: Access Control Devices, Firewalls, Network Protection, Network Authentication Protocols, TLS, VPNs &amp; Remote Access. A PDF of the slides can be downloaded from here.</description><link>http://www.secuobs.com/revue/news/243327.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/243327.shtml</guid></item>
<item><title>Telephone Systems: a Hackable Backdoor?</title><description>Secuobs.com : 2010-05-25 19:45:50 - RLR UK - I have been talking to a company that provides telephone exchanges and services to companies this week on behalf of a client, and it has highlighted a worrying backdoor. It turns out that many of these companies have a way to remotely connect to their exchange for support purposes - they can remotely control, configure and troubleshoot your system to get you back up and running. Exchanges often have additional modems in them to allow for remote connections. This is all very well and good from a managed service point of view, but what about the rest of your network? Can this be exploited to gain entry to your network? Quite possibly in some cases - it certainly needs to be included in your security audit and perimeter testing. Talking about a specific company now, they supply the software to monitor and bill phone calls through the exchange. They remotely install, monitor and manage this software. How do they do that? Well, it turns out that they install LogMeIn on your machine. Now this will make outbound connections through the firewall to make the internal machine accessible from the outside world. Hang on! You're making my networked machine that controls my exchange and billing accessible by anyone? By default LogMeIn will use simple username/password type authentication. The user who accesses the computer has to set up their account with LogMeIn and will use the same username and password combination on all machines, as far as I can see. Does the company have a universal account that they use to remotely access the machines, or does each user have their own? If the company uses one default username/password, then what happens if someone gets hold of that information or someone leaves? Does the password get changed? If everyone has their own account, then are they removed when they leave the company? As this is all done through the Web, they could still gain access if they aren't specifically removed from the user group. How much do you trust all the employees of that external company? How much do you trust the disgruntled ex-employee from them who has access? It might not be that they are trying to attack you, but they may be careless about the credentials or not revoke them properly. Also, consider the case where all the internal employees of an organisation are required to have 2-factor authentication and remote access is locked down. What's the point? There is a simple username/password entry point into the network that bypasses all the secure remote access services you may have in place. How secure are the passwords that the external company use? Would they match up to your complexity requirements? If they are simple, easily guessed or shared, then they open full administrative control over a machine on your 'secure' internal network. Who patches the machine and who updates LogMeIn? How about installing a keylogger in such a firm to pick up on their username/password combinations so that you can gain full access to every customer's network? Once on the internal machine, malware can easily be installed and attacks launched on other internal machines unhindered. How many organisations have followed best practice and installed a UTM firewall in the core of their network to segregate their servers, etc, from other internal machines? Would a machine running this software be on a normal user subnet or on the management subnet anyway? Do many SMEs have more than one subnet anyway? Needless to say, my advice was to avoid installing LogMeIn on the machine and temporarily allow a more controlled access to the machine with a temporary account, all of which can be disabled immediately after remote installation is completed. This opens up the problem of how to obtain support, but access can be temporarily granted and then removed when support is required with relatively little effort. Clearly any such system needs to be well documented and be part of the security audit. I would advise that companies also ask for security audit and policy information from any external company who has any kind of access to the network - this should be standard procedure.</description><link>http://www.secuobs.com/revue/news/225524.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225524.shtml</guid></item>
<item><title>CQC Using Email to Verify Care Workers</title><description>Secuobs.com : 2010-05-20 17:04:06 - RLR UK - The Care Quality Commission (CQC) has decided to put registration of Care Providers online to make everything faster and easier for the providers. At least that's what they said. In practice, care providers had to fill in the online forms addressing standards that won't be published for another 5 months after the registration deadline. Ignoring all the problems, ridiculous re-branding to avoid inconsistencies and money wasted, there was a serious problem/lack of understanding that has led to this blog post. All care providers and managers have to register online individually and have to agree to particular terms in order to be registered and, therefore, trade. I have no problem with this, as these care providers are looking after vulnerable people. However, it became obvious that there are serious problems with their system. First off, it isn't possible to change the owner's name if you make a mistake (they can't change it either, apparently). Therefore, if you make a mistake, you now have to lie to say that all the details are correct, otherwise you can't register and you'll be out of business - not a good start. However, this is overshadowed by the fact that the CQC uses only email to verify care managers. First of all they sent a 6-character password to the main business email address with the URL and details of how to log in (no paper verification was done at all). Don't they realise that email is all sent in plaintext and can be read by anyone with a packet sniffer? When logged in, the care provider has to fill in some initial forms as the owner and then list the care managers that they employ. Following this, each care manager is sent a 6-character password via email in order to log in and register their care service. There are a couple of problems with this. Firstly, the email addresses are just entered during the initial form filling exercise and are not checked, and secondly, you can't reuse the same email address. So if you are the manager for more than one care service you have to use two different email addresses. The stupid thing is that they accept any email address, from an alias to the same mailbox through to hotmail accounts, with no checking at all. They don't seem to realise that half the email addresses people use are just aliases onto other email accounts. On one of my accounts I have 9 email addresses all delivering mail to the same mailbox, as they are various options of name and domain all relating to the same company. However, CQC would treat this as 9 different people. There is no checking done to see if that really is the care manager at all. Anyone could sign up as long as they intercept the initial password. Who has access to the standard email address for the organisation? Usually several people, and usually not the actual owner of the business - the only person who should receive that email. Due to the way their system works, if someone were to intercept that email (such as a disgruntled ex-employee) they could sign up with a random free email address, begin the registration process, not complete it, and put the care provider out of business as they won't have registered in the set time. This is mostly a PR exercise as far as I can see, and a bad one. They say that they are checking providers and improving standards. However, it is perfectly possible for the owners and managers to be completely unaware of their registration process because no actual checking is done. In addition, to assume that two email addresses entered into a website are for two different people, and base your authentication on that, shows a lack of understanding of the technology that they are forcing on people.</description><link>http://www.secuobs.com/revue/news/224036.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/224036.shtml</guid></item>
<item><title>Surveys or Phishing Emails?</title><description>Secuobs.com : 2010-05-11 01:48:55 - RLR UK - I was recently sent a survey from a well-known survey company (actually, on second thoughts, I'll name them: Capita) and it made me very cross. Why so cross? Well, I spend a considerable amount of time trying to educate people about their role in the security of the network and about phishing and social engineering. This is all undone by survey companies such as the one in question. See for yourself the email sent and use it as a template for future 'white-hat' testing:

Have your Say! Fill in your Staff Survey today. Dear Colleague, It's important to complete the Staff Survey to ensure your voice is heard. The purpose of the survey is to make further improvements to staffs' working lives at Target Organisation. Your responses will come direct to Capita Surveys &amp; Research Unit, and will be totally anonymous. No one outside the research team (and certainly no one at Target Organisation) will know who has responded or be able to identify individual responses. The survey findings will be analysed by Capita Surveys &amp; Research Unit and only aggregate results will be reported. To ensure that you have adequate opportunity to participate, the survey closure date is [date month year]. In order to participate in the survey visit https://sas.capitasurveys.co.uk/targetorganisation and enter your password: AAdddd. If you have any queries or require support completing the survey please contact us at Capita Surveys &amp; Research Unit on 0800 587 3115. Yours sincerely, Cheryl Kershaw, Director of Surveys and Research, Capita Surveys &amp; Research Unit.

What's wrong with this? Many things. Phishing scams are on the increase and are one of the biggest threats to security at the moment. Targeted phishing, or spear phishing, is also on the increase and these surveys could easily fall foul of this type of attack. The survey emails are in a standard format with no personalisation. It appears as a classic phishing email, albeit with better grammar. It would be easy to exploit this 'legitimate' survey to ask for additional personal details. Points to consider:
1. There is no personalisation ('Dear Colleague').
2. The email doesn't come from the organisation in question (staffsurveys@capita.co.uk).
3. The URL does not point to the organisation in question (https://sas.capitasurveys.co.uk/organisationname).
4. There is no contact within the organisation presented in the email for confirmation (contact Capita Surveys &amp; Research Unit on 0800 587 3115).
5. They do not use an EV SSL certificate on their site, only DV (QuoVadis Global SSL ICA, certifying that this is sas.capitasurveys.co.uk), which could be a phishing site for all a user knows, as it isn't certified to be Capita or Capita Surveys &amp; Research Unit (see post on EV versus DV certificates).
This would be very easy for someone to impersonate, particularly if they register a similar URL, such as https://sas.crapitasurveys.co.uk/organisationname, and then use masking as well. Users are being conditioned into clicking on links without questioning their validity. All I would have to do is know (or guess) that this organisation conducts surveys of this type from an organisation like this. OK, Capita suggests that organisations publicise the survey, but this isn't always done well and can be used to produce a fake version before the real one goes live. It gets worse though. When I phoned Capita Surveys, a nice helpful lady called Liz told me who they were currently providing surveys for (I won't give out the organisation names here as that would be irresponsible, but if Capita would like to check with me I can prove this). It would be very easy to quickly knock up a copy of their site with a similar URL and registered SSL certificate, add in a few extra questions, send those emails and wait for the information to roll in. Well done Capita! They say they take people's security seriously and that answers are secure because they use SSL. However, I would beg to differ. Capita aren't the only culprit though; I was also recently sent a survey for Microsoft from Mori, which was just as bad. They have to take steps to ensure that their surveys can't be hijacked for targeted attacks. There are anti-phishing technologies and techniques available that, whilst not infallible, would help, so why aren't they used?</description><link>http://www.secuobs.com/revue/news/220752.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220752.shtml</guid></item>
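The five points above can be turned into a check that runs over an email before anyone clicks on it. The script below is an added example, not part of the original post and not Capita's or anyone else's code: it parses a constructed copy of the survey email (with the post's look-alike domain dropped in as the link) and flags the generic greeting, the external sender, the external link, the look-alike of a trusted survey domain and the absence of any internal contact. A constructed internally run survey is included to show that it passes. The recipient organisation's domain, targetorganisation.example, the trusted-domain list and the rough "registrable domain" rule are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the survey email quoted in the post. The
# sender address and the look-alike URL follow the post's own examples; the
# recipient organisation's domain, targetorganisation.example, is assumed.
SURVEY_EMAIL = """From: staffsurveys@capita.co.uk
To: staff@targetorganisation.example
Subject: Have your Say! Fill in your Staff Survey today

Dear Colleague,

It's important to complete the Staff Survey to ensure your voice is heard.
In order to participate in the survey visit
https://sas.crapitasurveys.co.uk/targetorganisation and enter your
password: AB1234

If you have any queries please contact us on 0800 587 3115.
"""

# Constructed counter-example: what an internally run survey would look like.
INTERNAL_EMAIL = """From: hr@targetorganisation.example
To: alice@targetorganisation.example
Subject: Staff Survey 2010

Dear Alice,

Please complete this year's survey at
https://survey.targetorganisation.example/2010 by the end of the month.
Questions to hr@targetorganisation.example or extension 4410.
"""

GENERIC_GREETINGS = ("dear colleague", "dear customer", "dear user", "dear member")


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a trusted domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude organisation part of a hostname: last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phishing_indicators(raw_email, org_domain, trusted_domains):
    """Return the indicator names triggered by an email claiming to be on behalf of org_domain."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    findings = []

    # 1. Generic greeting, i.e. no personalisation.
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    if first_line.strip().rstrip(",").lower() in GENERIC_GREETINGS:
        findings.append("generic-greeting")

    # 2. Sender not on the organisation's own domain.
    _, sender = parseaddr(msg.get("From", ""))
    if registrable(sender.rpartition("@")[2]) != org_domain:
        findings.append("external-sender")

    # 3. Links that leave the organisation, and 4. look-alikes of domains the
    #    recipient has been trained to trust (one or two characters out).
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url.rstrip(".,")).hostname or ""
        if registrable(host) != org_domain:
            findings.append("external-link:" + host)
        for trusted in trusted_domains:
            if edit_distance(registrable(host), trusted) in (1, 2):
                findings.append("lookalike-domain:" + host)

    # 5. Nobody inside the organisation to confirm with.
    if not re.search("@" + re.escape(org_domain), body):
        findings.append("no-internal-contact")
    return findings


if __name__ == "__main__":
    trusted = ["capita.co.uk", "capitasurveys.co.uk"]
    print(phishing_indicators(SURVEY_EMAIL, "targetorganisation.example", trusted))
    print(phishing_indicators(INTERNAL_EMAIL, "targetorganisation.example", trusted))
```

The look-alike check is the one worth keeping even if the rest is replaced by a mail gateway's own rules: a user who has been told "surveys come from capitasurveys.co.uk" is exactly the user who will not notice an extra letter.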
<item><title>Series of Demo Videos of Trusteer's Rapport</title><description>Secuobs.com : 2010-05-10 23:59:26 - RLR UK - I am currently producing a series of videos demonstrating the anti-spyware capabilities of Trusteer's Rapport. So far I have looked at keylogging software and screen capture. Specifically, I have demonstrated it with Zemana ScreenLogger, Zemana KeyLogger and SpyShelter. I will be adding more videos over the next few days. The first two videos are embedded below. Links to the YouTube videos are below: Trusteer's Rapport Demo 1 - Zemana ScreenLogger; Trusteer's Rapport Demo 2 - Zemana KeyLogger; Trusteer's Rapport Demo 3 - SpyShelter.</description><link>http://www.secuobs.com/revue/news/220711.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220711.shtml</guid></item>
<item><title>3M's Mobile Phone Privacy Filter</title><description>Secuobs.com : 2010-04-30 11:52:46 - RLR UK - At this year's InfoSecurity Europe I visited the 3M stand again to see what developments they had for their privacy filters. They had their excellent Gold filter there of course, which is now properly on sale in the UK and the best on the market in my opinion. I previously blogged about this filter in my post 'Why do I need a privacy filter? 3M's new Vikuiti Gold Privacy Filter'. So what's this blog post about? Well, they have now produced privacy filters for mobile phones. Let's add a bit of context to this decision. How many businesses provide mobile devices to their employees that are connected to the corporate network with access to email, contacts, calendars and corporate documents? If you were reading an email from a client or reviewing a sensitive document, would you be happy for someone to peer over your shoulder? Maybe you're paranoid like me and try to avoid reading emails in public places and stand with your back to the wall, shielding the screen when you have to read something urgently (note: you shouldn't really store sensitive documents on a mobile phone in the first place, but that's another topic). However, 3M have made the whole thing a bit easier and allowed people to look a bit more normal than I do when using email in a public place. I had a bunch of questions that I wanted to ask 3M about this new filter and I got some answers that I will share with you here. Firstly, I'll give you a brief introduction to their product, which can be seen in the image below. This is basically a screen protector with the privacy filter combined. It uses the standard matte grey louvred filter that gives privacy in one plane (I'll explain this in a bit, and the problem with it). It uses the matte film as reflective films would get scratched with the type of use that a mobile gets, according to the guys on the stand. The film is self-adhesive, using 3M's Post-It note glue, so it should come off with no residue and be easy to fit. This is effectively a replacement for your standard screen protector with the added benefit of including the privacy filter. [Image: 3M's new mobile privacy filter] Now to some of the questions I had. Does it work with touch screens? Yes it does. They had an iPhone there and it worked perfectly. Does it work with a stylus? Yes it does. They had a Windows Mobile-based XDA there, which also worked with no problems. Does it make the mobile hard to use? No, the dimming of the screen caused by the filter is not too much of a problem. With the backlight off you pretty much can't read the screen, but how many people use their mobile with the backlight off? There is some drop in brightness, but you can increase the brightness of the screen to compensate. However, this does have the big side-effect of reducing battery life - a major problem on smartphones. What if I have a mobile that I can use in landscape as well as portrait, like an HTC or iPhone? Well, you have a problem. It comes back to what I said above: the filter only works in one plane. The filter has vertical louvres so that as you move to the side they overlap and block out the screen, like vertical blinds. However, vertical movement doesn't change the overlap of the louvres, so there is no blocking of the screen in this plane. So, you have to decide which way you want the filter, portrait or landscape - it will only provide privacy in one plane. Now, this isn't a problem for a lot of phones, particularly the majority of Blackberries, which are still the preferred business machine for many organisations. It is a problem, however, for iPhones (which aren't business phones in my opinion) and many Windows Mobile phones with the iPhone-esque interface. Couldn't we have the Gold filter on a mobile to sort this problem? Unfortunately, not yet, but they are working on it. There are a few technical difficulties apparently. Firstly, there is the point I made earlier, that mirror-finished filters would scratch too readily on a mobile device that is thrown in a bag or stuffed into a pocket with other things. Apparently, they have a matte version of the Gold Filter in the lab, but it isn't available yet or in the near future. There is a second problem. Apparently, the Gold Filter doesn't take to being glued so easily as the grey filter. However, they are working on this as well and hope to have a solution soon. Do they come pre-cut to my mobile? Yes and no. If you have a Blackberry or iPhone then yes, otherwise no. You buy a sheet and cut it yourself. I believe that there are other companies, such as wrappz.com, that will be able to cut one for your device in the future. I think this is a must for the uptake of the filter. How many business executives are going to sit down with a craft knife and straight-edge to cut their filter to the exact shape and size of their phone, as well as the holes for the buttons, cameras, speakers, microphones, etc.? The problem for 3M is that mobiles come in all shapes and sizes, with absolutely no standardisation. Laptops and monitors, on the other hand, do have standard sizes. What's my verdict? Another good product from 3M. I think this would be very good for executives with the Blackberry-type device and still help those with touchy-feely, accelerometer-driven interfaces, as long as they remember to only access sensitive information in one plane. They will have a great product when they get the matte Gold filter stuck to the mobile.</description><link>http://www.secuobs.com/revue/news/217643.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/217643.shtml</guid></item>
<item><title>Which Browser is the Most Secure?</title><description>Secuobs.com : 2010-04-11 22:28:40 - RLR UK - I was recently talking to a fellow security professional who develops secure plug-ins for browsers and we started talking about the security of various different browsers. Most of the talk around browsers centres around how fast they are and what sort of features they have, but rarely do people talk about the security of their browser. Unfortunately, the browser is one of your weak points on the network as users have the ability to navigate to sites containing malware or phishing attacks as well as install plug-ins or run scripts that are malicious. So, which browser is the most secure? Any guesses? All browsers (and all security products for that matter) have security weaknesses and vulnerabilities. However, the architecture of the browser and certain features can make browsing safer. The feature I'm going to put forward first is web browser protection against socially-engineered malware (phishing sites). According to many of the big AV and security vendors, phishing is on the rise and set to be the biggest headache of this year. Two statistics worth quoting are: according to Trend Micro, 53% of malware is delivered via Internet downloads against only 12% via e-mail; and Microsoft claim that 0.5% of the download requests through IE8 are malicious and they block a download for one in 40 users every week. In January 2010 NSS Labs tested five of the latest browsers against socially-engineered malware. Their full report is worth reading, but I have shamelessly reproduced their main graph here. [Graph: Browser Mean Block Rate for Socially-Engineered Malware] According to NSS Labs, Internet Explorer 8 blocked 85% of these malware sites using their SmartScreen Filter. The next nearest was Safari 4 at 29%, and 0.2% behind that was Firefox 3.5. Chrome 4 was worse, on only 17%, and Opera 10 was bottom of the pile, achieving less than 1% blocking. By far the best of the pack was IE8, but even that still lets through 15% of malware. An interesting and noteworthy aside to this is that I believe Safari and Firefox use Google's Anti-Phishing API and achieve a 29% blocking rate, yet Google's Chrome only achieves 17%. If you want to see what the SmartScreen blocking looks like in IE8, you can see an example below, where IE8 is blocking it and Comodo's Dragon (a Chrome derivative) is not. Also, again according to NSS Labs, Firefox had an 'average add time' of 5.7 hours, the fastest, versus Microsoft's 6.7 hours. The average add time is how long, on average, a user has to wait before a visited malicious site is added to the block list. Speed is very important here, but it does actually have to get blocked in the end to make this a valid metric. These figures are better than the other three browsers, which scored: Safari - 9.0 hours; Chrome - 14.7 hours; Opera - 82.4 hours. [Screenshot: IE8 SmartScreen blocking a phishing site alongside Comodo Dragon] Having mentioned Comodo's Dragon, I will now give you a brief introduction, if you haven't heard of it before. It is a free Chrome-derivative browser from Comodo. This browser has been designed to be more secure than the average browser. It doesn't perform well in the above tests, but has several other features up its sleeve centred around privacy. Some of the main features include not sending the HTTP Referer header so that you cannot be tracked from site to site; it won't send crash and problem reports (so your history remains on your machine only); it highlights DV-only secured sites and will give a visit history with the certificates. If you don't know the difference between a DV and an EV SSL/TLS certificate then read this blog post. An example of the DV certificate warning can be seen in the screenshot below. [Screenshot: DV certificate warning in Comodo Dragon] One problem I have with the privacy tag associated with this browser is the UserAgent string. I have blogged about Cookieless Browser Tracking by using the UserAgent string before. The point is that the string sent to a web server by your browser to identify its and your machine's capabilities gives about a third of the information required to uniquely identify you. There will only be a handful of machines with the same UserAgent string, especially if you stray from the most common browsers (IE and Firefox). I also think that 'Never save passwords' should be the default setting and 'Allow all cookies' should not be the default setting. It is a new browser though, and I'm sure it will improve over time as the company is committed to security in many guises. Certainly its positive features are good and something that other browser vendors should follow. The next point is about actual downloads from the Internet. Dragon, and other browsers, will give a warning when downloading executable files, but will just download ZIP, PDF, etc., and allow you to open them without warning. Bear in mind that PDFs and ZIP archives can contain malware. IE8, on the other hand, will ask you to confirm the software used to open a download, regardless of its type. This will always give you the chance to opt out if it wasn't what you were expecting. Also, IE8 will tell you if it is a signed or unsigned download, and if it is a plug-in or an executable. Other browsers do not support this feature. What does it mean though? Well, if I am a software vendor, like Adobe, and I want you to download and install my plug-in, I will sign it with a digital signature. When you download it, you can verify the signature, which will tell you that I (or Adobe) created and signed the download and that nobody has tampered with it in the meantime. If the download isn't signed, then how do you know that this isn't a phishing or pharming site pretending to be Adobe (or a proxy intercepting the download) giving you a version containing a Trojan or some other malware? The answer is that you don't. So, you should only download and install signed plug-ins and executables. Unfortunately, Internet Explorer is one of the few browsers that will control this for you, and it makes a distinction between signed and unsigned plug-ins even when they are installed. Which brings me onto my final point (as this post is getting very long and a bit like a rant). Internet Explorer is, I believe, the most attacked browser as it has, until recently, been the most widely used. Due to this, Microsoft has had to build it in a secure fashion, controlling all plug-ins carefully. Firefox, on the other hand, performs many of its tasks by using a plug-in architecture, even for standard functionality. As far as I am aware, there is little or no distinction between a 'built-in' plug-in and one installed from a third party at a later date. This is very dangerous in my opinion. Firefox now enjoys the top position for browsers and it won't be long before the hackers make the switch from attacking IE over to Firefox. I think it will be harder to secure Firefox against this onslaught than it will be for Microsoft to keep up with their architecture. It is interesting to note that the speed of the browser runs roughly inversely to the graph at the beginning of this post, i.e. Chrome is very fast and IE is considered the slowest of the big 4. However, security always comes at a price - processing being a big loser. Could it be that the reason why IE is such a leviathan and slower than its rivals is because they're doing much more checking and keeping you much more secure? I think so. Microsoft have a way to go though and can't rest on their laurels. I will be watching Comodo Dragon with interest to see if they can really push for the top spot in terms of a secure browser. It certainly does something for user education and privacy.</description><link>http://www.secuobs.com/revue/news/210923.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/210923.shtml</guid></item>
<item><title>Anti-Phishing Sender Verification with GrIDsure</title><description>Secuobs.com : 2010-04-02 23:49:25 - RLR UK - I have tried out GrIDsure with a set of users now to see how easy it was to use. I was using the Windows client 2-factor authentication solution I blogged about here (if you don't know their product you must read either their website or my other blog post above before reading this post, as it won't make a lot of sense otherwise). It turns out that the users had no problem setting it up and using the login - no training required other than a simple explanation of how it works. Doing this trial reminded me of discussions I had with GrIDsure about the Enterprise version of their product, which is fairly new and has more features being added all the time. One feature that I thought was noteworthy is their anti-phishing verification. Phishing, as you will know from here, is a big problem and is often spread by obscured links in emails, such as http://www.microsoft.com.phishers.org/, which has absolutely nothing to do with Microsoft, but is just a sub-domain of phishers.org. There are many ways to combat phishing, the best of which is user education and awareness. I have, for a while, thought that a solution similar to that of MasterCard's SecureCode could be applied to many emails and on-screen login pages to verify the sender. If you're not familiar with MasterCard's SecureCode: when you set up your credit card to have SecureCode, you enter a password and a phrase that is personal to you (any phrase, so long as you recognise it and someone else wouldn't guess it). When you confirm payment for something you are presented with your phrase on screen and asked to enter three characters from your password. The point is that if you don't see your phrase then it isn't MasterCard, so don't enter your password characters. The problem would be spear-phishing, targeting individual users. In this case you could just copy the phrase and fool the user. However, you can't just attack a batch of users or all MasterCard users, for example. GrIDsure have done something along the same lines to authenticate the sender of emails and other messages (with their SDK it could be made to do this for any number of situations). What their system does is send you a code which, along with your unique key, generates a particular grid. Only you can generate that grid, as only your devices have that key (devices plural, as this could be a desktop application and on your mobile phone). They then tell you what your PIN is on that grid. The verification is simple: enter the code on your device and read your PIN off the resulting grid; if it matches the one in the email it's valid, otherwise delete the email and ignore it. This is just a very simple way to verify an email to make sure that it is not a phishing scam. Of course there is one issue - replay attacks. If an attacker copied the code and PIN from the email then they could verify any email to that user. However, this does limit it to spear-phishing individual users rather than a mass blanket phishing attack. This could be reduced if a timestamp were introduced as well, e.g. entering the date as part of the code to generate the grid, reducing the window of opportunity to the same day. I would like to see GrIDsure push this and eliminate replay attacks to help stop people falling for phishing scams. More people need to think about technologies like this to verify their emails - alternatively, they could just digitally sign them all, as practically all email clients have the ability to verify a digital signature.</description><link>http://www.secuobs.com/revue/news/208544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/208544.shtml</guid></item>
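To make the replay problem and the date mitigation concrete, here is a small model of the scheme as described above. It is an added example, not GrIDsure's SDK or anything derived from it: the grid derivation (an HMAC of the code, keyed with the user's device key), the 25-cell grid, the secret pattern and the sample key are all assumptions, and it treats the key as a secret shared between the sender and the user's devices, which is what lets the sender state the PIN in the message. Without the date, an attacker who has seen one genuine code and PIN can attach them to any later email and it verifies; with the date folded into the grid derivation, the same pair fails on the following day.

```python
import hashlib
import hmac

# A model of the scheme described in the post, not GrIDsure's own code: the
# grid size, the HMAC derivation, the secret pattern and the sample key are
# assumptions made for this example.
GRID_CELLS = 25          # a 5x5 grid of single digits


def derive_grid(device_key, code, day=None):
    """Derive the digit grid from the per-user key and the code sent in the message.

    Folding the date in (day) is the mitigation the post suggests: the same
    code yields a different grid, and hence a different PIN, on another day.
    """
    material = code if day is None else code + "|" + day
    digest = hmac.new(device_key, material.encode(), hashlib.sha256).digest()
    return [b % 10 for b in digest[:GRID_CELLS]]


def pin_for(grid, pattern):
    """The PIN is the digits at the user's secret pattern positions, read in order."""
    return "".join(str(grid[i]) for i in pattern)


def build_message(device_key, pattern, code, day=None):
    """Sender side: knows the shared key and pattern, puts code and PIN in the email."""
    return {"code": code, "pin": pin_for(derive_grid(device_key, code, day), pattern)}


def message_is_genuine(device_key, pattern, message, day=None):
    """Recipient side: regenerate the grid from the code and compare the PIN."""
    expected = pin_for(derive_grid(device_key, message["code"], day), pattern)
    return hmac.compare_digest(expected, message["pin"])


def replay_demo():
    """Return (genuine accepted, undated replay accepted, dated replay accepted next day)."""
    key = b"constructed per-user device key"
    pattern = [0, 6, 12, 18, 24, 4]    # six cells, so a chance PIN collision is one in a million
    undated = build_message(key, pattern, "K7QX2M")
    dated = build_message(key, pattern, "K7QX2M", day="2010-04-02")
    return (
        message_is_genuine(key, pattern, dated, day="2010-04-02"),
        message_is_genuine(key, pattern, undated),            # attacker re-sends it weeks later
        message_is_genuine(key, pattern, dated, day="2010-04-03"),
    )


if __name__ == "__main__":
    print(replay_demo())
```

The date narrows the replay window to a day but does not close it; binding the code to something the attacker cannot copy, such as a message identifier the recipient's client checks off as used, is what actually eliminates replay.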
<item><title>Why do I need a privacy filter? 3M's new Vikuiti Gold Privacy Filter</title><description>Secuobs.com : 2010-03-03 18:39:57 - RLR UK - I received my free sample filter from 3M a week ago now - it is one of the first of their new Vikuiti Gold Privacy Filters. Before I tell you about my experiences with it though, I think I ought to cover the question 'Why do I need a privacy filter?' So, what is a privacy filter? It is a thin sheet of plastic that fits over your screen to reduce the viewing angle. LCD manufacturers spend all their time increasing the viewing angle of their screens so that many people can view the TV from all over the room or crowd round a computer screen to share information. The problem with this is the advantage itself - what if I have sensitive information on my screen that I don't want everyone to be able to read? The privacy filter reverses the wide-angle viewing trend to reduce it as close to straight on as is practical. The point of a privacy filter is to stop prying eyes and shoulder surfing. Do you need a privacy filter? I was speaking to one professional a little while ago and they told me about the time they were on a plane travelling back from an exhibition. He was sat beside a competitor who was working on their laptop for the whole journey, looking at details of their sales leads from the exhibition. At the end of the flight he thanked his fellow passenger for the information. Do you or your users have corporate laptops that they use in a public location? Shoulder surfing documents, usernames, security procedures, etc., can be a serious issue. We can spend all our time and effort protecting the storage and transmission of information and forget about the display and viewing of it. [Image: 3M Gold Privacy Filter] Back to the new 3M Gold Privacy Filter. The viewing angles of filters are around 40 degrees from perpendicular. Mostly they work in a similar way to vertical blinds - if you are straight on then you only see the thin edge, but as you move off the perpendicular they start to show until they overlap and you can't see through them. The problem with this is that you can still see the screen if you move in the vertical plane. The 3M Gold filter seems to have a narrower angle of view (which is good for a privacy filter) and also cuts out vertical shifts to a certain extent. This is due to the gold mirror-like surface that cuts out the light from the screen and reflects the surroundings. The matte filters from 3M and other vendors are not so effective due to the lack of reflections. However, in bright ambient light with the laptop LCD panel turned to minimum brightness it can be harder to see the screen effectively with a shiny filter. This can be mitigated, to a certain extent, by the gold filter as it shows a brighter, clearer image than the grey ones in my opinion. Which brings up another problem with privacy filters: they do reduce the brightness of the screen. However, with the brightness turned up on my laptop, I can see the screen with no problems in any ambient lighting environment. The one poor feature of the filter is the fitting. Small clear plastic tabs get stuck to your laptop round the screen (they have to protrude over the screen). The filter then slides in behind these and fits the screen perfectly (you have to buy the correct size). Fitting the filter is fairly easy (but can be a bit fiddly on a screen like mine as the sides of the laptop slope towards the screen) and removing it is very easy. However, you are left with the tabs over the edges of the screen even with the filter removed. They aren't that obtrusive though and you don't really notice them when the filter is in place. Overall, I think that the 3M Gold Privacy Filters are probably the best filters on the market at the moment - certainly the best ones I've seen, though I haven't seen them all.</description><link>http://www.secuobs.com/revue/news/197664.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197664.shtml</guid></item>
<item><title>Keylogging Trusteer's Rapport</title><description>Secuobs.com : 2010-02-19 21:36:10 - RLR UK - Let's get some perspective on this first: no security product is 100% secure, and just because there may be an obscure way round a product doesn't mean you shouldn't use it and that it won't protect you against a lot of attacks. How secure is your Anti-Virus (AV) product? Certainly not 100%, so we need layers of security. Rapport is another layer of security and could help protect your machine. I have said in my previous post about this issue how well Trusteer dealt with me. So, now to the method of keylogging Trusteer. It's quite simple really, but requires a special setup. Rapport hooks onto the keyboard driver to prevent keylogging. However, if you invoke the remote desktop feature in Windows then a different keyboard driver is invoked, which Rapport cannot hook onto. So, if you're using a remote desktop connection into your machine then Rapport will not be giving you the full protection (it still has other layers of protection that work in this scenario). Is this such a special case that you don't need to worry about it? Well, not necessarily. There are a plethora of remote access software solutions available to users, who are increasingly using them to access their machines at home or at work. There is also another technology that can be leveraged to cause this effect whilst the user is at the actual machine. Microsoft have introduced RemoteApps to the Windows desktop environment to allow legacy applications to appear to run seamlessly on Windows 7. This is done via Virtual PC running another OS and the RAIL QFE update to allow applications to be exposed from a desktop machine as RemoteApps. However, we can use this technique to look back at the machine and expose the web browser as a RemoteApp, which the user should not notice. As I say, it's a special case and not one a user would normally encounter, but it is possible. There are other issues with Trusteer as well, being able to capture the screen of protected websites and information leakage, as highlighted on ReviewMyLife.co.uk here. It doesn't mean you shouldn't use Rapport though, just know and trust the machine that you're using. Basically, don't ever connect to any secure site or service from an untrusted machine, no matter what's installed on it.</description><link>http://www.secuobs.com/revue/news/193653.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193653.shtml</guid></item>
<item><title>Coventry Building Society Grid Card</title><description>Secuobs.com : 2010-02-19 21:36:10 - RLR UK - Coventry Building Society have recently introduced the Grid Card as a simple form of 2-factor authentication. It replaces memorable words in the login process. The idea is that you require something you know (i.e. your password) and something you have (i.e. the Grid Card) to log in: two things, two factors. For more about authentication see this post. How does it work? Very simply, is the answer. During the login process you will be asked to enter the digits at three co-ordinates. For example, c3, d2 and j5 would mean that you enter 5, 6 and 3 (this is the example Coventry give). Is this better than a secret word? Yes, is the short answer. How many people will choose a memorable word that someone close to them could guess? Remember that this isn't a password as such; it is expected to be a word, and a word that means something to the user. The problem is that users cannot remember lots of passwords, so remembering two would be difficult. Also, having two passwords isn't really any different from having a longer, stronger password: it's still single-factor. The idea behind the Grid Card is that you have a set of random numbers shared between you and the bank that are very hard to guess. I only say very hard to guess because I don't know how they generate the cards in the first place, and if this isn't truly random (which it almost certainly won't be) then you can predict parts of the grid given other parts of it. Randomness is a rare but essential commodity. There are 50 co-ordinates on the card and Coventry ask for 3 each time, giving 19,600 possible combinations, assuming they'll never ask for the same co-ordinate more than once per login (order doesn't matter, as we're told which grid squares to read). Does this mean that someone would have to log all 19,600 combinations before they could regenerate the card? No. Each co-ordinate appears 1,176 times in the 19,600, and each pair of co-ordinates appears 48 times. There are only really 17 combinations of co-ordinates such that no co-ordinate is repeated (and that's a cheat, because one co-ordinate will appear twice if we have 17, as 17 x 3 = 51). However, it is unlikely that these 17 would get asked for in succession, so it would take significantly more observations before we have the whole grid; but we won't need the whole grid before we're very likely to be able to log in. Indeed, there's a 17.3% chance that at least one co-ordinate will be repeated on the next login. Note also that the card is a static secret: whatever an attacker has recorded stays valid until the card is reissued, unlike a one-time code from a token. Also, a shoulder surfer with a camera phone (or CCTV cameras) could take a photo of the whole card in one go, so this is an authentication mechanism to be used only in the 'safety' of your own home. This is, however, a step in the right direction, so they should be commended for it. What else do you need to log in to Coventry? Well, a Web ID and date of birth, both of which are easily pharmed. So the security is based solely on the password and Grid Card, which is better than two passwords. They do also have an anti-phishing technique bundled in there as well. When you sign up you choose a picture that they will display during your login, along with your last login date and time. If the picture or date is incorrect then this isn't Coventry (or your account has been compromised). It's good to add a picture here, because many people don't actually check the last login date and time even if it's put up on the screen; the picture is obvious and hard to miss. These mechanisms don't really stop spear phishing (targeted phishing), but they do stop blanket or mass phishing attacks. It's about time more banks started issuing 2-factor authentication for login, and Coventry should be congratulated on being amongst the first. However, we have to be careful about how it's implemented.</description><link>http://www.secuobs.com/revue/news/193652.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/193652.shtml</guid></item>
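The counts in the post above (19,600 challenges, 1,176 per square, 48 per pair, 17.3% overlap on the next login) fall out of a few binomial coefficients, and the same arithmetic answers the question the post leaves open: how many logins does a shoulder surfer or keylogger need to watch before a random challenge is answerable? The following is an added worked example, not code from the original post; it assumes the bank picks the three squares uniformly at random each login, which the post does not state.

```python
"""Grid Card combinatorics: what an observer learns from watching logins.

Added worked example, not from the original post. It models the card
described there: 50 squares, 3 asked for per login, order irrelevant.
The Monte Carlo part assumes the bank picks the 3 squares uniformly at
random each login, which the post does not state.
"""
import math
import random


def challenge_space(n=50, k=3):
    """Number of distinct k-square challenges on an n-square card."""
    return math.comb(n, k)


def times_square_appears(n=50, k=3):
    """How many of those challenges contain one given square."""
    return math.comb(n - 1, k - 1)


def times_pair_appears(n=50, k=3):
    """How many of those challenges contain one given pair of squares."""
    return math.comb(n - 2, k - 2)


def p_overlap_next_login(seen, n=50, k=3):
    """Chance the next challenge re-asks at least one of `seen` squares an
    observer already knows (1 minus the chance that all k are fresh)."""
    return 1 - math.comb(n - seen, k) / math.comb(n, k)


def p_attacker_can_answer(seen, n=50, k=3):
    """Chance a fresh challenge asks only for squares the attacker has seen."""
    if k > seen:
        return 0.0
    return math.comb(seen, k) / math.comb(n, k)


def squares_needed(target, n=50, k=3):
    """Smallest number of known squares giving answer probability >= target."""
    for seen in range(k, n + 1):
        if p_attacker_can_answer(seen, n, k) >= target:
            return seen
    return n


def observe_logins(target, n=50, k=3, seed=1):
    """Monte Carlo: logins an observer must watch before a random challenge
    is answerable with probability >= target. Each login reveals k squares."""
    rng = random.Random(seed)
    known = set()
    logins = 0
    while target > p_attacker_can_answer(len(known), n, k):
        known.update(rng.sample(range(n), k))
        logins += 1
    return logins


def mean_observe_logins(target, trials=200, n=50, k=3):
    """Average of observe_logins over independent seeded runs."""
    return sum(observe_logins(target, n, k, seed) for seed in range(trials)) / trials


if __name__ == "__main__":
    print("challenges:", challenge_space())                        # 19600
    print("per square:", times_square_appears())                   # 1176
    print("per pair:", times_pair_appears())                       # 48
    print("repeat on next login:", round(p_overlap_next_login(3), 3))  # 0.173
    print("squares for 50% success:", squares_needed(0.5))         # 40
    print("mean logins to 50%:", mean_observe_logins(0.5))
    print("mean logins to full card:", mean_observe_logins(1.0))
```

The useful number is `squares_needed(0.5)`: an attacker needs 40 of the 50 squares before half of all challenges are answerable, and because squares repeat, that takes many more than the theoretical 14 observed logins. It is the repeated exposure of a static secret, not the size of the challenge space, that sets the card's lifetime.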
<item><title>IPICS Risk Assessment Slides</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - These are my slides on Information Security Risk Assessment, presented at the Intensive Programme on Information and Communication Security (IPICS). The topics covered are: the System-Holistic Approach to ICT Security; Risk Assessment approaches, strategies and terminology; Three Card RAG / Obstacle Poker; and OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation). A PDF of the slides can be downloaded from here (updated). I will publish more information on the topics covered in due course (and if anyone asks). However, more information on Three Card RAG / Obstacle Poker can be found in a previous blog post.</description><link>http://www.secuobs.com/revue/news/192938.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192938.shtml</guid></item>
<item><title>Lack of true Identity Verification forces need for EV SSL Certificates</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - What are EV SSL Certificates? Simply, they are Extended Validation SSL Certificates. What does this mean? Well, simply put, the Certification Authority goes to more lengths to validate the identity of the person asking for (paying for) the certificate. The EV SSL Certificate then makes the browser address bar go green to certify that this really is the site you think it is and not a phishing or pharming site. It gives the user a very visual check of the validity of the website that they are using. Isn't this what digital certificates were supposed to do in the first place? Yes, but the Certification Authorities were more interested in taking people's money than in verifying that they actually were the people in question. This led to almost anybody being able to sign up for a certificate claiming to be almost anybody. This, obviously, isn't a workable situation, so EV SSL Certificates were introduced to do the intended job, only at a higher price than the standard SSL Certificate (in part due to the actual identity validation performed, no doubt). That being said, they are not expensive in the grand scheme of things and should be used far more widely than they currently are; for example, NatWest still doesn't use an EV SSL Certificate at the time of writing this, and instead they have ended up implementing Trusteer's Rapport at a much higher cost. To give you some idea of the cost of a digital certificate, Comodo's price is £214 per year (US$359) for a single fully qualified domain name (i.e. per website); this includes their 'Corner of Trust' logo. Compare this with somewhere near £1 per customer for Trusteer's Rapport, or even hosting fees and business profits. Admittedly, their cheapest SSL Certificate is only £41.95 per annum, but is £214 too much to ask when you are giving customers peace of mind, assurances over authentication and tackling phishing and pharming? Why aren't normal certificates secure? Well, the problem is that most Certification Authorities don't do very much checking. Usually they check your domain name by sending an email to an address on that domain. All this says is that someone who has access to an email address on that domain wants to set up a secure web server. They don't actually check who you are. They are more interested in whether you will pay than in whether they should issue the certificate. This was demonstrated at IPICS today, when it was shown that VeriSign had given out a digital certificate to someone using the name William Gates. They have also fallen for scams, where they were duped into issuing a code signing certificate for the Microsoft Corporation by someone proving the point that they are not careful enough. I decided to see if this was the case with other organisations, and it is. I have set up an SSL certificate just by being able to view an email sent to an address on that domain. I also wanted to know if I could be Steve Ballmer, the new Bill Gates. So, I set up an email account, SteveBallmer@live.co.uk, using details about him, such as his year of birth, 1956. I then decided to try Thawte out, as they provide free email certificates for personal use. Sure enough, after entering the data below, I was sent an email to my address with codes to verify myself. I now have a digital certificate to sign emails from SteveBallmer@live.co.uk. Surname: Ballmer. Forenames: Steve. Date of birth: 1956-03-24. Nationality: the United States. Email: steveballmer@live.co.uk. Where were you born? Detroit. Where did you go to school? Detroit Country Day School. First company you worked for? Procter &amp; Gamble. What is your spouse's name? Connie Snyder. How many children do you have? 3. Now, Thawte has a little trick up its sleeve here, which aids security. Before they will assign the name Steve Ballmer to the certificate, I must pass their Web of Trust, i.e. I must convince some other users that I am indeed Steve Ballmer, first by meeting them face-to-face. However, if I could supply them with details such as a passport number and social security number, then I'd be set. So, I can still sign my email, but if users look closely at the signature and check the certificate, they will see that I haven't been verified. However, if they don't actually look at this carefully, and with knowledge of what it means, then they will be fooled into thinking I really am Steve Ballmer. Why should the ordinary user know about this? Comodo and VeriSign, on the other hand, provide no such backup. So, I can now sign my email as Steve Ballmer. Here's my public key for Steve Ballmer from Comodo, showing that I really am Steve Ballmer. This isn't really good enough in this day and age of phishing scams. Post Script Edit: two things have happened since writing this blog post. Firstly, I have become aware of an attack on SSL Certificates that uses a null byte inserted in the domain name to trick the CA into issuing a certificate for a name that clients will misread. For example, requesting a certificate for www.natwest.com\0.phishers.org (where \0 is the null byte) results in the CA validating ownership of phishers.org, while browsers whose string handling stops at the null byte see a certificate for www.natwest.com, which will appear valid in many browsers (but not all). Link to blog post. This won't (shouldn't) affect EV SSL Certificates, only the Domain Validated ones. Secondly, Comodo, to their credit, do admit that this is a problem and are tackling it. They have sent me a link via email to a video clip, which in turn links to more information. That can be found here. The bottom line really is that these EV certificates are more secure, don't cost that much and should be the norm. As an industry we should be educating users into recognising and looking for these security features.</description><link>http://www.secuobs.com/revue/news/192937.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192937.shtml</guid></item>
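The null-byte attack in the post script works because two parties read the same certificate name with two different string conventions: the CA validates the length-delimited name it was sent (and so checks the domain at the end), while a client that treats the name as a NUL-terminated C string stops at the null byte. The following is an added example, not code from the original post or from any CA or browser; the names www.natwest.com and phishers.org are the post's own illustration, and the two matching functions are simplified stand-ins for a client's hostname check, one vulnerable and one hardened.

```python
"""Null-prefix certificate names: why the CA and the client disagree.

Added example, not from the original post. The names www.natwest.com and
phishers.org are the post's own illustration; the matching functions
below are simplified stand-ins for a CA's validation step and a client's
hostname check, not any real CA's or browser's code.
"""

NUL = "\x00"


def ca_validated_domain(common_name):
    """What a domain-validated CA actually checks ownership of: the
    registrable domain at the *end* of the full, length-delimited string."""
    labels = common_name.split(".")
    return ".".join(labels[-2:])


def cstring_view(common_name):
    """What code that treats the name as a NUL-terminated C string sees."""
    return common_name.split(NUL, 1)[0]


def naive_hostname_match(common_name, host):
    """Vulnerable check: compares the truncated view against the host."""
    return cstring_view(common_name).lower() == host.lower()


def safe_hostname_match(common_name, host):
    """Hardened check: reject any embedded NUL or other control character,
    then compare the full length-delimited string (one-label wildcard)."""
    if any(0x20 > ord(ch) for ch in common_name):
        return False
    cn, h = common_name.lower(), host.lower()
    if cn.startswith("*."):
        parts = h.split(".", 1)
        return len(parts) == 2 and parts[1] == cn[2:]
    return cn == h


def analyse(common_name, host):
    """Summarise, for one certificate name, who sees what."""
    return {
        "ca_validated": ca_validated_domain(common_name),
        "client_sees": cstring_view(common_name),
        "naive_match": naive_hostname_match(common_name, host),
        "safe_match": safe_hostname_match(common_name, host),
    }


# Constructed attacker-chosen name from the post's example.
CONSTRUCTED_CN = "www.natwest.com" + NUL + ".phishers.org"

if __name__ == "__main__":
    for key, value in analyse(CONSTRUCTED_CN, "www.natwest.com").items():
        print(f"{key}: {value!r}")
```

The fix is not cleverer matching but refusing the name outright: a certificate subject containing a control character has no legitimate use, so the hardened check rejects it before any comparison.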
<item><title>IPICS OCTAVE-S</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - OCTAVE-S stands for Operationally Critical Threat, Asset and Vulnerability Evaluation for Small organisations. It is a version of the full OCTAVE methodology aimed specifically at small to medium sized organisations, i.e. those with up to 100 employees. OCTAVE is a risk-based strategic assessment and planning technique for security. It is a top-down approach that is driven by the business's missions and objectives, and is not technology focussed. OCTAVE-S is simply a streamlined version of OCTAVE, with simple worksheets and less expertise required. The outputs of OCTAVE-S should be similar to those of OCTAVE; it is just that it may be possible to shortcut some of the process in smaller organisations. OCTAVE itself is designed to be applicable to any organisation, no matter how large. The main OCTAVE principles are as follows.

Core Information Security Risk Evaluation Principles:
- Self-directed: the organisation takes responsibility for the evaluation and makes the decisions.
- Flexible: adaptable in the face of changes to best practices, the evolution of known threats, and technical weaknesses.
- A defined process: responsibilities are set out and assigned to people; how activities should be performed is documented; standards are set for documentation artefacts (tools, worksheets, catalogues etc.).
- A continuous process over time.

General Risk Management Principles (general principles beyond InfoSec):
- Forward looking (proactive): identify future assets that may be significant, and new classes of threat.
- Focus on the critical few: resources are always constrained, so avoid spreading effort too thinly.
- Integrated management: information security as a routine consideration in general business strategy.

Organisational and Cultural Principles:
- Open communication: information sharing and avoidance of blame and judgement.
- Global perspective: consult widely and integrate all views; widen the perspective to organisational goals.
- Based on teamwork.

To find out more about OCTAVE-S visit the website, where you can download the Implementation Guide, which contains introductory materials as well as the actual guidelines and worksheets.</description><link>http://www.secuobs.com/revue/news/192936.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192936.shtml</guid></item>
<item><title>Zoomable, Non-Linear PowerPoint Presentations with pptPlex</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - OK, so many people have asked me how I do my presentations and whether they could have a link that I've decided to put the links and a short explanation on my blog. My presentations are all done in PowerPoint 2007, but I use a Microsoft Office Labs plug-in called pptPlex. From their website come the following quotes: "pptPlex uses Plex technology to give you the power to zoom in and out of slide sections and move directly between slides that are not sequential in your presentation" and "pptPlex can help you organize and present information in a non-linear fashion". If you don't know what any of this means, then you should ask me to do a presentation :-) or have a look at their videos. It's very simple to install and use. However, remember that you need it to be installed on your presentation machine in order to give the Plex version of the presentation, otherwise it will just show as a normal PowerPoint presentation. If the pptPlex Ribbon tab doesn't display in PowerPoint: there are several reports of the plug-in becoming disabled on some systems and the ribbon tab not displaying. There are solutions on the forums for this, but most of them have an error in the selection of which plug-ins to manage, so I'll quickly give an explanation here. If you have any other problems, don't ask me, use their forums.
1. Click the (round) Office button and then click on PowerPoint Options.
2. Select Add-Ins from the left.
3. If pptPlex from Microsoft Office Labs appears in the disabled list then carry on, otherwise you have a different problem.
4. Right at the bottom, select Disabled Items from the Manage drop-down list box and click Go.
5. Select the add-in from the list and click Enable, then click OK in the PowerPoint Options dialog (you may need to shut PowerPoint down and start again).</description><link>http://www.secuobs.com/revue/news/192935.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192935.shtml</guid></item>
<item><title>Data Anonymisation to prevent Data Leakage</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - With data leaks constantly in the news, I thought I would write a quick blog post about data anonymisation. The problem seems to be that people think it's perfectly acceptable to walk around with sensitive information on mobile devices and removable media. The solution, according to common thought, is to encrypt those devices. This is a solution that should be adopted, but only after the more fundamental problem has been addressed: it should not be possible or necessary to store raw sensitive data on mobile devices or removable media. Assuming that you need the data for business intelligence purposes and that the IT department can't or won't (for some good reason) allow this to be done online through a secure connection, then you must anonymise the data first and then encrypt it. Why do you need to know the names, addresses and credit card numbers of your customers when on the road, TK Maxx? Why do you need the names, addresses, dates of birth, national insurance numbers, salaries and bank details of your employees when away from the office, UPS? I'm afraid that the only reason I can think of to have the non-anonymised data is for fraudulent purposes (please send me a comment if you can think of a legitimate reason). Drawing from Pierangela Samarati's session at IPICS, I'll give a very brief overview of data anonymisation. There are two basic techniques to anonymise data: generalisation and suppression. With generalisation, we use a more general value in place of the specific value, e.g. birth year rather than birth date, postal district rather than full postcode (KT1 rather than KT1 2EE), credit card issuer rather than full credit card number (1234 56** **** **** rather than 1234 5678 9012 3456), etc. Alternatively, we can suppress the sensitive information by removing it totally. Now, there is a whole academic discipline surrounding data anonymity and how to achieve k-anonymity that I won't go into here. I'll just look at what the above means for data such as a normal company might want to use for business intelligence reasons, rather than for surveys and data gathering purposes. In this sense, we are trying to protect the privacy of our customers, employees, etc. above all else, rather than have the minimum anonymity possible for the data set. I will use the following table to illustrate the anonymisation.

Name    | DoB      | Postcode | CC No
Alice   | 02/02/64 | KT1 1AB  | 1234 5678 9012 3456
Bob     | 16/02/64 | KT1 1BC  | 1234 5678 9012 3467
Charlie | 08/04/64 | KT1 1CD  | 1234 6778 9012 3478
David   | 02/04/66 | KT1 1DE  | 1234 6778 9012 3489
Edgar   | 04/04/66 | KT1 2AB  | 1234 6778 9012 3490

There are many schemes for anonymising this data, but I'm going to concentrate on attribute generalisation combined with attribute suppression. This basically means that we will generalise each value at the attribute level (i.e. the same level of generalisation will be applied to all values of an attribute). Secondly, we will suppress any attribute that uniquely identifies someone. Using minimal generalisation we would get the following table ('-' denotes suppressed data and '*' denotes generalised data).

Name | DoB      | Postcode | CC No
-    | */02/64  | KT1 1*   | 1234 5678 9012 34**
-    | */02/64  | KT1 1*   | 1234 5678 9012 34**
-    | -        | KT1 1*   | 1234 6778 9012 34**
-    | */04/66  | KT1 1*   | 1234 6778 9012 34**
-    | */04/66  | -        | 1234 6778 9012 34**

We have had to suppress Charlie's birthday, because she was the only one born in April 1964. Similarly, Edgar is the only one who lives in KT1 2*. However, we haven't achieved anonymisation here. If we know Charlie was born in April 1964, then this date doesn't appear in the table and only one date is suppressed, so we know her tuple in the table. Similarly, if we know Edgar lives at KT1 2AB, then we know that his is the last tuple. The credit card details should be generalised more than this as well, as others may store the last four digits of a credit card number, so it may be possible to cross-reference. Also, why do we need their credit card number for business intelligence? Surely the issuer is good enough. So, we can do the following.

Name | DoB     | Postcode | CC No
-    | */*/64  | KT1 *    | 1234 56** **** ****
-    | */*/64  | KT1 *    | 1234 56** **** ****
-    | */*/64  | KT1 *    | 1234 67** **** ****
-    | */*/66  | KT1 *    | 1234 67** **** ****
-    | */*/66  | KT1 *    | 1234 67** **** ****

This gives us a full count of customers, their geographic locations, age and credit card issuer. I suggest that this is enough information to cover most queries that you may wish to run for business intelligence purposes and, therefore, the maximum that should ever be stored on a mobile device or removable media. This data should also be encrypted. Of course, this doesn't solve all problems. What if you know Edgar was born in 1966? Both 1966 rows carry the same issuer, so you now know his credit card issuer, which enables you to launch a directed phishing attack on him. Data anonymisation can fail in the face of attack, particularly when there is external knowledge, which you have no control over. The moral is: don't store sensitive data on mobile devices or removable media. If this really isn't possible to avoid, then you must anonymise it first and encrypt it.</description><link>http://www.secuobs.com/revue/news/192934.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192934.shtml</guid></item>
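The two tables above are built by hand; the same generalisation and suppression can be computed, and then checked, before anything is copied to a laptop. The following is an added example, not code from the original post. It reproduces the post's tables from the post's (fictional) customer rows and adds the two checks a practitioner would run: the size of the smallest group sharing the same quasi-identifiers (k), and how many distinct sensitive values each such group contains, which is what lets the "Edgar born in 1966" attack at the end of the post succeed even though k-anonymity holds (the literature calls that second measure l-diversity). Note that the check flags David as well as Charlie and Edgar at the minimal level, since his April 1966 / KT1 1* combination is also unique in the first table.

```python
"""Attribute generalisation, suppression and a k-anonymity check.

Added example, not code from the original post. It reproduces the post's
hand-built tables programmatically and adds the two checks a practitioner
would run before releasing a data set: the size of the smallest
quasi-identifier class (k) and, per class, how many distinct values the
remaining sensitive column takes (l-diversity). The customer rows are the
fictional ones from the post.
"""
from collections import defaultdict

# Constructed sample data (the post's table): name, DoB dd/mm/yy, postcode, PAN.
CUSTOMERS = [
    ("Alice",   "02/02/64", "KT1 1AB", "1234 5678 9012 3456"),
    ("Bob",     "16/02/64", "KT1 1BC", "1234 5678 9012 3467"),
    ("Charlie", "08/04/64", "KT1 1CD", "1234 6778 9012 3478"),
    ("David",   "02/04/66", "KT1 1DE", "1234 6778 9012 3489"),
    ("Edgar",   "04/04/66", "KT1 2AB", "1234 6778 9012 3490"),
]

QUASI = (1, 2)   # DoB and postcode: columns an outsider may already know
SENSITIVE = 3    # card number (or issuer): the value we are protecting


def gen_dob(dob, level):
    """0: full date, 1: month/year, 2: year only."""
    _, month, year = dob.split("/")
    return (dob, f"*/{month}/{year}", f"*/*/{year}")[level]


def gen_postcode(postcode, level):
    """0: full, 1: sector (KT1 1*), 2: district (KT1 *)."""
    outward, inward = postcode.split()
    return (postcode, f"{outward} {inward[0]}*", f"{outward} *")[level]


def gen_card(pan, level):
    """0: full, 1: first 14 digits (post's first table), 2: issuer only (first 6)."""
    digits = pan.replace(" ", "")
    keep = (16, 14, 6)[level]
    masked = digits[:keep] + "*" * (len(digits) - keep)
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def anonymise(rows, dob_level, pc_level, card_level):
    """Attribute-level generalisation: one level per column, applied to every
    row; the directly identifying name column is suppressed outright."""
    return [("-", gen_dob(d, dob_level), gen_postcode(p, pc_level), gen_card(c, card_level))
            for _, d, p, c in rows]


def equivalence_classes(rows, quasi=QUASI):
    """Group rows that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[i] for i in quasi)].append(row)
    return classes


def k_anonymity(rows, quasi=QUASI):
    """k = size of the smallest class; k == 1 means someone is unique."""
    return min(len(c) for c in equivalence_classes(rows, quasi).values())


def singletons(rows, quasi=QUASI):
    """Rows unique on the quasi-identifiers: they need suppression or
    further generalisation before release."""
    return [c[0] for c in equivalence_classes(rows, quasi).values() if len(c) == 1]


def min_sensitive_diversity(rows, quasi=QUASI, sensitive=SENSITIVE):
    """Fewest distinct sensitive values in any class. 1 means that knowing
    someone's class (e.g. their birth year) reveals their sensitive value
    even though k-anonymity holds."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(rows, quasi).values())


if __name__ == "__main__":
    minimal = anonymise(CUSTOMERS, 1, 1, 1)
    print("minimal generalisation: k =", k_anonymity(minimal),
          "unique rows:", len(singletons(minimal)))
    released = anonymise(CUSTOMERS, 2, 2, 2)
    print("year/district/issuer:   k =", k_anonymity(released),
          "min diversity:", min_sensitive_diversity(released))
    for row in released:
        print(" | ".join(row))
```

For the released table, k is 2 but the minimum diversity is 1: the two 1966 rows share an issuer, which is exactly the external-knowledge failure the post describes. A release check should gate on both numbers, not on k alone.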
<item><title>Wireless Network Security Recommendations</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - Wireless networks are still causing businesses problems. By their very nature they are insecure, as they are a broadcast network that frequently extends beyond your physical boundary; remember, radio signals don't stop at your door. There ARE security mechanisms to make them secure, but too often these are not implemented properly or are circumvented by users. It is vital that all traffic on the wireless network be encrypted, and connections authenticated, otherwise anyone with a laptop can view all your traffic. There are many mechanisms for achieving this, but at the very least you should use WPA with long pass phrases (not simple passwords). MAC address filtering is often recommended alongside this, but bear in mind that a MAC address is sent in the clear in every frame and is trivially spoofed, so it is an administrative convenience rather than authentication. Don't use WEP: it can be broken easily. I won't bore you with the details here (Google will oblige), but there are several flaws. The first is the use of a linear Integrity Check Value (a CRC-32), such that predictable bit-flipping can be used to send modified messages that will appear to be valid. Secondly, the 40-bit shared secret is 'extended' by a 24-bit per-packet Initialisation Vector. As any cryptographer will tell you, the more often you use the same key, the easier it is to recover the plaintext, particularly if you have known plaintext, which we do have in the headers of network packets of course. IV collisions happen surprisingly quickly, especially on corporate wireless networks, as they will usually have reasonably heavy load. TK Maxx found this out the hard way when they lost tens of millions of card details to attackers sitting in their car park. This also shows that they almost certainly didn't segregate the traffic and force it through a firewall. So what can we do about this? Well, all modern equipment will support Wi-Fi Protected Access (WPA) and WPA2. A standard implementation of this is to use a Pre-Shared Key (PSK), i.e. a pass phrase, and the AES block cipher for encryption. This is the minimum requirement for a wireless LAN. Again, don't use simple passwords, as the security of your system is relying on them. You should use long, complex pass phrases, with punctuation. Another idea is to encrypt a pass phrase using itself (or another) as a key in an encryption tool and then use the resulting base-64 encoded string as your PSK; bear in mind that this only produces a longer-looking string, it adds no entropy beyond that of the phrase you started with. However, automatic key negotiation and the use of digital certificates (802.1X with certificate-based EAP) is a better option in a corporate environment; remember that for wireless access you can run your own internal certificate server, so that you don't incur additional costs. This doesn't solve everything though. A little while ago the head of a department in an organisation I was involved with decided that he didn't want to have to use the docking station for his laptop, as it constrained where he could work in his office. So, he didn't contact the IT department, but instead went to his local IT retailer and bought a cheap wireless access point. He plugged this into the network and not only did he not configure any security, he didn't even change the default password on the device. Do you categorically know that you don't have a rogue access point on your network? This can be stopped by using technologies such as 802.1X port-based authentication and a RADIUS server. Wireless networks also need to be treated as insecure and separated from your wired network via a firewall, with real-time virus checking and an Intrusion Detection System. This doesn't mean that they have to be unprotected themselves: you should still protect them from outside attack by firewalling them off from the Internet. The important point is not to let traffic flow, unchallenged, from the wireless network onto the wired network. This is not often done, though. I was in Vienna recently on business and the hotel I was staying at had free wireless access for guests. However, one night I couldn't get access and asked why. I was told that they had switched it off as someone was trying to access their servers (they weren't very proficient or experienced hackers, fortunately). The point that I found more worrying was that their public wireless network was directly connected to their servers, which hold the names, addresses and payment details of guests, and even the door card programming details. You can imagine what could happen if someone were to get into the servers. Wireless networks and wired networks should not coexist on the same subnets. This is for two reasons. Firstly, it is easier to attack and, therefore, attach to a wireless network, so you don't know categorically that all stations are legitimate. Secondly, most wireless networks are used to connect mobile devices, such as laptops and netbooks, to the network. Do you know that these haven't picked up any malware whilst not connected to your corporate LAN? You can address the latter with network access control, but that's a different topic. However, all traffic from the wireless network should be treated with a level of suspicion and therefore separated. You don't have to have a separate Internet connection or new wiring to achieve this: VLANs (Virtual LANs) can solve the problem by logically segregating the traffic into the firewall. This also allows you to provide public wireless access for visitors and customers, as you can run two separate VLANed wireless networks through the same access points onto the network, one with limited access to the corporate LAN and the other with none. Wireless networks can be implemented securely, but remember to separate your wired and wireless networks and implement secure encryption and authentication.</description><link>http://www.secuobs.com/revue/news/192933.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192933.shtml</guid></item>
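The two WEP flaws named in the post (a linear ICV and a 24-bit IV) are easy to see in code. The following is an added example, not code from the original post. RC4, the 24-bit IV prepended to a 40-bit secret, and the CRC-32 ICV are WEP's real building blocks; the frame is reduced to IV plus ciphertext, the key and plaintext are constructed, and real WEP's 802.11 headers are omitted. An attacker who knows the plaintext of the field they want to change (a destination address, say) flips the corresponding ciphertext bits and repairs the encrypted ICV using only the linearity of CRC-32, never the key. The birthday-bound function shows why "IV collisions happen surprisingly quickly".

```python
"""Two of WEP's flaws, worked: a forged frame that passes the CRC-32 ICV
without the key, and how soon 24-bit IVs repeat.

Added example, not from the original post. RC4, the 24-bit IV and the
CRC-32 ICV are WEP's real building blocks; the frame layout is reduced to
IV + ciphertext, the 40-bit key and the plaintext are constructed here,
and real WEP's per-frame headers are omitted.
"""
import math
import zlib


def rc4(key, length):
    """Plain RC4 keystream (KSA + PRGA), as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32, a linear function of the data."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret40, iv, plaintext):
    """Sender: RC4 keyed with IV || 40-bit secret over plaintext || ICV."""
    body = plaintext + icv(plaintext)
    return iv, xor(body, rc4(iv + secret40, len(body)))


def wep_decrypt(secret40, iv, ciphertext):
    """Receiver: decrypt, split off the ICV and check it."""
    body = xor(ciphertext, rc4(iv + secret40, len(ciphertext)))
    plaintext, received = body[:-4], body[-4:]
    return plaintext, received == icv(plaintext)


def forge(ciphertext, delta):
    """Attacker, without the key. Flipping bit i of the ciphertext flips
    bit i of the plaintext, and because CRC-32 is linear,
    crc(p ^ delta) == crc(p) ^ crc(delta) ^ crc(zeros), so the encrypted
    ICV is corrected by XORing in crc(delta) ^ crc(zeros)."""
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(ciphertext, delta + fix.to_bytes(4, "little"))


def frames_until_iv_collision(p=0.5, iv_bits=24):
    """Birthday bound: frames sent before two share an IV with probability p,
    i.e. before a keystream is reused under the same secret."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - p))))


def demo():
    """Constructed exchange: a frame is redirected from .5 to .9 in transit."""
    secret = bytes.fromhex("0badc0ffee")        # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")                # constructed 24-bit IV
    original = b"DST=10.0.0.5 PAY=100"
    wanted = b"DST=10.0.0.9 PAY=100"
    iv, ct = wep_encrypt(secret, iv, original)
    # The attacker knows the original bytes at the positions being changed
    # (zero elsewhere in delta) and nothing about the key.
    tampered = forge(ct, xor(original, wanted))
    return wep_decrypt(secret, iv, tampered)


if __name__ == "__main__":
    print(demo())                          # (b'DST=10.0.0.9 PAY=100', True)
    print(frames_until_iv_collision())     # 4823
```

Roughly 4,800 frames, a few seconds of traffic on a busy network, gives a better-than-even chance of an IV repeat; WPA2's CCMP uses a keyed MAC (CBC-MAC under AES) instead of a CRC, so the `forge` trick above has nothing to exploit.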
<item><title>ATM and Bank Card Security</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - I recently read an article in New Scientist entitled "Want to clone bank cards? Just press 'print'". They state that it has been discovered that "a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a 'trigger' card, and use the machine's printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts." This is possible because ATM terminal vendors have succumbed to financial pressures, and the demand for greater functionality, and moved to using standard modular PC architectures and off-the-shelf operating systems, such as Microsoft Windows and Linux. These ATM devices then become vulnerable to similar malware as their desktop counterparts. SpiderLabs, part of Trustwave, identified that in this case a new version of the 50KB lsass.exe Windows XP file is loaded onto the system via a compromised Borland Delphi installer utility, isadmin.exe (note, that's lsass.exe with a lower-case L, not 1sass.exe with a digit one, as some have reported). You can view the full report from Trustwave as a PDF here. The legitimate lsass.exe is the Local Security Authority Subsystem Service, the core Windows process that handles user logon and the local security policy, and that is precisely why the name was chosen: a process of that name is present on every Windows XP install, so a second copy is unlikely to raise an eyebrow in a process list. If a trigger card is not detected, the malware stores the transaction data in a file called tr12 and key (PIN) data in a file called k1 in the C:\WINDOWS directory. If a trigger card is detected, then a menu of 10 options is displayed for 10 seconds, with functions including uninstalling, deleting logs, printing logs via the built-in printer (encrypted with DES) and possibly the ability to export the data onto the trigger card. This particular malware only works on transactions in US dollars, Russian roubles or Ukrainian hryvnia. It is also said that chip-and-PIN cards across Europe are not vulnerable to this malware, as the PIN is encrypted in the secure PIN pad. It has been speculated that deploying the malware was either an inside job or the result of bribes and threats, the reasoning being that an attacker would have to have physical access to the ATM to deploy the malware. However, the ATMs and banking network, although separate from the Internet, have not necessarily been hardened enough. Back on 25th November 2003 the first known case of a worm (Welchia) infecting Windows XP based ATM machines was reported, which used the closed financial network to propagate. This was possible because the ATMs weren't patched by the financial institutions in question. This brings up the whole problem of patch management on ATMs, as well as placing greater restrictions on the financial networks. How long will it be before keyloggers are available for chip-and-PIN cards as well?</description><link>http://www.secuobs.com/revue/news/192932.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192932.shtml</guid></item>
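Malware that borrows the name of a core system binary is caught by the same two checks on any Windows host: is the process image where that binary canonically lives, and is the name really the name or a look-alike (the 1SASS/LSASS confusion the post mentions is exactly the kind of substitution attackers rely on). The following is an added example, not code from the Trustwave report or from the original post. It runs both checks, plus a check for the tr12 and k1 capture files the post names, over a constructed inventory. That the legitimate lsass.exe lives in %SystemRoot%\system32 is standard Windows layout; that the rogue copy sits outside it is an assumption made for the example, not a statement from the post.

```python
"""Spotting a masquerading system binary in a process or file inventory.

Added example, not from the Trustwave report or the original post. The
post names the malicious file (lsass.exe, loaded by isadmin.exe) and the
capture files tr12 and k1 under C:\\WINDOWS; that the legitimate lsass.exe
lives in %SystemRoot%\\system32 is standard Windows layout. The inventory
lines below are constructed, and the rogue copy sitting outside system32
is an assumption for the example, not a statement from the post.
"""
import ntpath

# Canonical directory for a few Windows binaries whose names malware borrows.
CANONICAL_DIR = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
}

# Digit/letter look-alikes (the post's 1SASS/LSASS mix-up is one of them).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l"})

# Files the post reports the ATM malware writing under C:\WINDOWS.
INDICATOR_FILES = {r"c:\windows\tr12", r"c:\windows\k1"}


def canonical_name(filename):
    """Lower-case and fold look-alikes, so 1sass.exe -> lsass.exe."""
    return filename.lower().translate(HOMOGLYPHS)


def check_process(image_path):
    """Return a finding for one running process image path, or None."""
    directory, filename = ntpath.split(image_path.lower())
    expected = CANONICAL_DIR.get(canonical_name(filename))
    if expected is None:
        return None
    if filename != canonical_name(filename):
        return f"look-alike name {filename} for {canonical_name(filename)} at {image_path}"
    if directory != expected:
        return f"{filename} running from {directory}, expected {expected}"
    return None


def check_file(path):
    """Flag the capture files the post describes, wherever the scan found them."""
    return f"indicator file present: {path}" if path.lower() in INDICATOR_FILES else None


def scan(process_paths, file_paths):
    """Run both checks over an inventory and return the list of findings."""
    findings = [f for f in map(check_process, process_paths) if f]
    findings += [f for f in map(check_file, file_paths) if f]
    return findings


# Constructed inventory: one clean process, one rogue copy, one look-alike.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\system32\1sass.exe",
]
SAMPLE_FILES = [r"C:\WINDOWS\tr12", r"C:\WINDOWS\k1", r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(finding)
```

On a real ATM estate this belongs in the integrity baseline, not in a one-off script: the same canonical-path table, applied to every scheduled or running image, is what turns "we patched" into "we can show nothing unexpected is running".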
<item><title>Should an Administrator Trust their Users?</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - The answer is yes and no (note, in this blog I'm not talking about cryptographic or identity trust, but systems trust). There are two aspects to this. Firstly, do you think your users will deliberately act against your organisation or try to harm the system? This is not usually the case for corporate employees, and you also have severe sanctions available if they do. The second aspect is: do you trust your users NOT to make mistakes? Everyone makes mistakes; we're only human. You don't want accidental updates or changes, so in this sense maybe you shouldn't trust your users. Actually, there are three overall approaches to system trust on networks. We can trust all of the people all of the time (a bad idea, but much more common than you'd think), trust no one at any time (maybe too excessive, and it hinders functionality), or we can trust some of the people some of the time. The last one is usually the best strategy to adopt for your network. Finally, we have to decide on the overall approach to security. Are we permissive or restrictive? In a permissive environment you can do everything apart from those things on a blacklist. In a restrictive environment you can do nothing apart from those things on a whitelist. From a security standpoint restrictive is better, but from a usability standpoint permissive is better. If you can manage the whitelist successfully, this is the better solution: only trust some of the users some of the time.</description><link>http://www.secuobs.com/revue/news/192931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192931.shtml</guid></item>
<item><title>Mobile Device Data Breaches</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - Comodo Vision Video Blog. Several recent data breaches at major enterprises and governmental agencies stemmed from the loss or theft of mobile computers and USB drives. While encrypting the data on these devices isn't a bad idea, the larger question is why sensitive personal information was stored on the mobile device in the first place. See my first video blog for Comodo Vision here.</description><link>http://www.secuobs.com/revue/news/192930.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192930.shtml</guid></item>
<item><title>Compliance does NOT Equal Security</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - Comodo Vision Video Blog. Responsibility for the notorious Heartland Payment Systems data breach late last year has been debated recently, with Heartland's CEO suggesting that their PCI auditors let the firm down, while the auditors insist they can't be responsible for checking absolutely everything. This case brings to light the reality that absolute security is an impossible goal, and that audits are only as good as an organization's vigilance in following proper security procedures after the audit has been completed. See my second video blog here.</description><link>http://www.secuobs.com/revue/news/192929.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192929.shtml</guid></item>
<item><title>Personal Mobile Devices Violate Compliance</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - Computer Weekly recently conducted a survey via Twitter on how many organisations allow their users access to corporate email from their own private phone. Unfortunately, I haven't seen any results from this survey as yet, but it made me think about organisations that do allow private devices to attach to the network, not just mobile phones. I have also had many comments on my blog post entitled 'Mobile Device Data Breaches', which have fed into this post. In one of those comments, someone pointed out that in their experience users are often a weak link. Isn't it always the case that users are the weakest link? A poorly educated/trained user can compromise the best security. Unfortunately, I have seen so many organisations that do not adequately train their users or make them aware that there are policies, let alone what they mean to their daily usage of the corporate systems. I have also come across one organisation where a top executive had all the system passwords stored, unencrypted, on his PDA. He didn't see a problem with this as he always carried it with him. How many organisations these days have push email onto a mobile? How many of those organisations send sensitive documents around via email? Do they have encryption and password access on those devices? Not many that I've seen. The typical Blackberry users that I see have no password or PIN access to their phone, but it does have full access to the corporate mail exchange. These devices also have the ability to store, and even sync, corporate documents. What policies do you have to cover them? Quoting from ISO 27002:2005, 11.7.1: "A formal policy should be implemented, and appropriate security measures adopted, for mobile computing and communications activities. Controls should apply to laptop, notebook, and palmtop computers; mobile phones and 'smart' phone-PDAs; and portable storage devices and media. Controls include requirements for: physical protection; data storage minimization; access controls; cryptographic techniques; data backups; anti-virus and other protective software; operating system and other software updating; secure communication (e.g., VPN) for remote access; and sanitization prior to transfer or disposal." The problem is that most organisations do not have adequate policies covering mobile devices. Moving away from mobile phones, are you allowed to plug a USB device into your corporate machine? Many of these devices can store sensitive data and even access the Internet themselves. What about an insecure iPhone connecting to the Internet and leaking data? Most organisations aren't even aware that you can lock down USB usage via tools, but policies should definitely be in place. Alan Goode, from Goode Intelligence, said the following: "I feel that you can lock down with security policy and tools but this is a complex problem as the combination of mobility and technology diversity, e.g. I can use my iPhone to connect to the enterprise network and store sensitive data on it, is creating a major headache for infosec professionals. As well as the problem with laptops and USB drives we are also seeing a growing use of employee-owned mobile devices, netbooks, games consoles, smart phones, all having IP and WiFi capabilities and all capable of picking up enterprise data and email." There are a number of things we can do to stop these devices from compromising the network by blocking their use. We can block USB devices from being able to connect unless they are a managed resource, so that users can't just plug anything they bring in from home. All USB devices have an ID, which can be registered with a central authentication server to check before a computer allows it to be used. Of course this needs third-party software, but can be done quite easily. We can also block devices from being able to obtain an IP address or connect to the corporate network in the first place. We shouldn't have a free-for-all attitude on the network. It should be locked down to approved devices only. Only managed devices can connect and they will have to authenticate. I think it's asking for trouble to allow users to connect their own private devices to the network or services. I don't see how you can comply with any standards or your own security policies when allowing this, as you don't know what's connected or how it's configured. Even if they are secure (a very big IF), by not knowing the configuration or being able to audit it, you are surely in violation of any accreditation or certification that you may have because you cannot test or 'prove' your compliance.</description><link>http://www.secuobs.com/revue/news/192928.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192928.shtml</guid></item>
<item><title>Human Factors in Information Security - Errors &amp; Violations</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - Human failures are often described as Slips, Lapses, Mistakes and Violations. These are grouped into two categories: Errors and Violations. The difference here is the intent - violations result from conscious decisions to disregard policies and procedures, whereas errors have no malicious intent. Also, violations often involve more than one form of misconduct, whereas errors are often isolated. Don Turnblade has stated that in his experience "well trained staff had a 3.75% unintentional non-compliance rate; they did not realize that installed software compromised data security. About 0.4% of end users were intentionally non-compliant, generally willful persons with strong technical skill or organizational authority who were unaccustomed to complying with computing restrictions." So what are the different types of error? Dealing with each in turn, we have Slips, Lapses and Mistakes. Slips - actions not carried out as intended, e.g. pressing the wrong key by accident. Slips usually occur at the task execution stage. Lapses - missed actions or omissions, e.g. forgetting to log out, or a step in a configuration process. Mistakes - occur due to an incorrect intention, whilst believing it to be correct, i.e. they are deliberate actions with no malicious intent, e.g. misconfiguration of a firewall. Mistakes usually occur at the planning stage. So who causes the error or violation and how do we combat them? Slips and Lapses are usually the fault of the user, but can be mitigated by making it more difficult for the user to make the error, e.g. by having confirmation dialogs for slips and better training for lapses. Mistakes tend to be the fault of designers and are slightly more difficult to combat as designer education is required or outside technical expertise needs to be brought in. However, this doesn't always solve the problem if they don't have the skills and knowledge required. Finally, violations can often be laid at the door of the managers. It is often the case that a culture of violations is accepted by senior management, who fail to impose proper sanctions or take the threat seriously. All of these have to be dealt with to have a secure system and most of it boils down to having proper user education and training in place.</description><link>http://www.secuobs.com/revue/news/192927.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192927.shtml</guid></item>
<item><title>Telephone and Fax Services Security</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - In this day of doing everything online, we still rely heavily on services delivered over POTS (Plain Old Telephone Service). Banks and credit card companies still require the telephone to make certain changes, queries and security checks, even though most functions can be performed online. Medical records, bank details, security key order requests, etc., are routinely transferred by facsimile. However, are these secure? Are they more or less secure than doing the same thing online? I'm not going to talk about the underlying security of POTS, but concentrate on a couple of easy attack vectors on the end device of the user that I have recently observed. A couple of weeks ago, I needed to amend something on one of my credit card accounts (I would tell you which bank, only it's my personal credit card and I don't want phishers knowing which banks I have accounts with). This bank has an automated telephone answering system to make things more efficient and reduce staff required - pretty standard. So I made sure that I was in a room on my own, to prevent eavesdropping on my conversation, and dialled the number. The automated system asked me to type in my full credit card number on the keypad. The problem with doing this is that the telephone will remember these digits as part of the last number dialled. Therefore, all someone would have to do is to recall the last number dialled and read off the credit card number. If they actually dial it they would be put through as the legitimate card holder. Now, admittedly they will probably ask some security questions on the other end before making any changes, but these may consist of simply asking for a date of birth, which is fairly easy to find out. Even if you don't know this information, other information may be given away in the meantime (e.g. who the card holder is, as they normally use your name in any greeting). The problem is compounded if you make a call from work, where you will probably be using an exchange. Exchanges will store all the numbers dialled, including any options or credit card numbers entered on the phone's keypad. This log can simply be printed out and your details read off. Of course the number dialled will show which bank you are using as well, although this can also be gleaned from the first 6 digits of your credit card number. Things can potentially get worse if you use facsimile or fax machines. There are different types of fax machines that work in different ways. Most will keep a log of calls and faxes sent and received. This may or may not be a problem, depending on the level of detail of the log and whether you're typing in credit card details during a phone call made on the machine. However, some fax machines use rolls of pigment on acetate (or similar) to print the fax out when received. The problem here is that these rolls are wound through during printing and that part is never reused (otherwise you would get gaps in your printing). However, what this means is that when you come to throw the roll away once used, it will have a perfect facsimile of everything printed on the machine since the roll was put in, only in negative. To get round this, you must shred, or otherwise destroy, the used roll, not just throw it in the bin. As to whether this is more or less secure than an online transaction is a difficult question to answer. On the one hand, you often need physical access to the phone or fax machine to get to the logs, although telephone exchanges are often online. Also, sifting through a bin outside a premises isn't that hard and can often be very rewarding. On the other hand, transactions online are encrypted and people are more aware of the security implications in general. However, malware and man-in-the-middle attacks can still thwart this type of transaction, but it does require more skills than sifting through a bin. Not all data leakage comes from computers, pen drives, etc. Sometimes a seemingly innocuous device can betray your information and breach your security. Unfortunately, you have to think of all possible attack vectors and mitigate the risks. This is why a full information policy that covers all forms of data is required.</description><link>http://www.secuobs.com/revue/news/192926.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192926.shtml</guid></item>
<item><title>APWG Report 1st Half 2009</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - On 27th September the APWG released their First Half 2009 Phishing Trends Report. This provides some interesting/worrying reading. Most notable is the rise and rise of rogue anti-malware programs. Rogue anti-malware programs are programs that run on a user's machine and falsely identify malware infections. They then inform users that the malware can be removed by purchasing their anti-malware program. The installed software, in many cases, does absolutely nothing. The malware author has made their money off the user and doesn't care about them or the fact that their machine is left vulnerable to other malware. However, there is another breed of rogue anti-malware that will install other malware onto the user's machine, often adding them to botnets or adding trojans and spyware. According to Panda Labs' Luis Corrons, rogue anti-malware programs are proliferating with "exponential growth. In the first quarter of 2009 alone, more new strains were created than in all of 2008. The second quarter painted an even bleaker picture, with the emergence of four times as many samples as in all of 2008." Most of these rogue anti-malware programs have a common root - they even look the same. So how come they aren't detected as malware? Well, often they employ server-side obfuscation so that each version is slightly different, thus defeating some signature-based scans. Also, you have to remember that many of these don't perform any malicious actions and, therefore, don't trigger other alarms. What can we do about rogue anti-malware? Well, simply don't trust anything on the Web saying that you are infected or that they will scan you for free. Do not install any anti-malware from a company that you do not know and always check the validity of links and downloads. There are many companies out there providing free basic anti-malware or sophisticated products for a relatively low price that are legitimate, such as Panda Security, AVG, Comodo, Symantec, etc. If you do get infected by one of these programs then you need to remove it. Instructions for removing the most common ones can be found at http://www.anti-malware-blog.com - NB be warned that I have not assessed or validated their instructions and there is no guarantee that they won't cause other problems. What about the rest of the report? Well, phishing is still on the increase, with reported phishing highs for the first half of the year exceeding those of last year significantly (about 7%). 21,856,361 computers were scanned to determine host infection rates; 11,937,944 were found to be infected (54%), which is an increase of over 66% from the last quarter of 2008. Banking trojan/password stealing crimeware infections rose by more than 186%. Finally, payment services have taken the top spot in the most targeted industry sector from the financial sector, although this is still a close second. To see how this compares, a previous blog post of mine on this shows how things have changed. For more information about the Anti-Phishing Working Group, to report phishing attacks or to see their reports yourself, visit http://apwg.org.</description><link>http://www.secuobs.com/revue/news/192925.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192925.shtml</guid></item>
<item><title>Security Questions for your Cloud Services Provider</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - Comodo Vision Video Blog. Cloud Services or Cloud Computing are getting a lot of attention in IT circles, promising cost-effectiveness, flexibility, and time-to-market advantages over traditional alternatives. However, they also increase your security risk by expanding your security perimeter to include that of your service provider. This video blog poses some key questions to ask your Cloud Services/Cloud Computing provider regarding data security, as well as advice to reduce the risk to your business introduced by Cloud Computing. See my third video blog for Comodo Vision here.</description><link>http://www.secuobs.com/revue/news/192924.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192924.shtml</guid></item>
<item><title>PhoneFactor Security</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - I was asked recently to look at the security of the PhoneFactor 2-factor authentication solution. If you don't know what it is, then you can find out more here, but essentially you enter your username and password, then they phone you on your pre-defined number and you press the # key to validate the authentication. The problem with just pressing the # key is obvious, but they allow you to configure entering a PIN number rather than just pressing the # key. To my mind, there should be no other option than having to type in the PIN number. However, this isn't necessarily a brilliant idea. As I've said before in this blog, a lot of phones log the digits dialled, in which case that PIN isn't secure. I was also told that the PSTN and GSM networks are secure, so this is a good solution. I'm not sure I agree that PSTN and GSM networks have good security. Analogue PSTN is easy to listen in to with proximity and GSM can theoretically be cracked, and probably will be within 6 to 12 months. So that PIN number isn't really secure. Plus there is the cloned SIM card problem as well: http://www.mobileindustryreview.com/2009/08/gsm-encryption-can-be-cracked-for-500.html. Having said that, PhoneFactor looks quite good as you enter the PIN on the phone line, not the login dialogue. The problem that Bruce Schneier has referred to is that of a Man-in-the-Middle attack. Most 2-factor authentication methods are susceptible to a MITM attack, including RSA tokens and other hardware tokens. Basically, if I set up a website, for example, to mimic your corporate portal, then you will enter all your details into my page, including your one-time pass code. I will forward them on to the real portal and do whatever I like logged in as you. The one advantage is that I have to intercept every login attempt, and wait for you to login before I can gain access. Without a 2-factor system, once I've read your username/password combination I can login whenever I like. PhoneFactor would appear to mitigate some of this risk by doing the authentication out of band. However, there is still an attack vector for a MITM attack. In the same way as before, you login to my portal, I forward your credentials, PhoneFactor phone you and you put in your PIN, they enable my session. Obviously, there are other attack vectors as well. Another potential issue is that you are charged for the phone calls made by PhoneFactor on your behalf. These can be significant costs. In the UK calls to landlines are free, but am I always at my desk when I want to log in? No, I'd want it on my mobile; that will cost me 0.23 per login (East Timor 3.25). So, I could rack up the bill for your company by getting them to call through to someone. If I do this enough times (especially if that person is on holiday in another country with higher charges) I can use up all your credit and none of your users can login. There is a privacy issue as well. PhoneFactor will know every time you log in or access your bank, etc. How do they protect that data? Do you want them to know that information, even if you do trust they won't accidentally disclose it? However, I am not against 2-factor authentication. Indeed I think it is a good thing, as users will choose poor passwords, reuse them everywhere and write them down. Similarly, they will give them away to phishing scams. 2-factor authentication removes all of those problems, but by no means is it absolutely secure. PhoneFactor seems OK, but it's not particularly cheap or phenomenally secure. There are some other good software solutions that are pretty cheap as well, and that can combat shoulder-surfing when entering PIN numbers, etc. There are a couple of examples on a blog post I did a couple of months ago: http://blog.rlr-uk.com/2009/06/user-friendly-multi-factor.html. The bottom line is that they are more secure than username/password, but none of them are absolutely secure against all attacks.</description><link>http://www.secuobs.com/revue/news/192923.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192923.shtml</guid></item>
<item><title>Secret Sharing Algorithm for Protecting Files in the Cloud</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - Data stored in the cloud can be compromised or lost (see my previous post). So, we have to come up with a way to secure those files. We can encrypt them before storing them in the cloud, which sorts out the disclosure aspects. However, what if the data is lost due to some catastrophe befalling the cloud service provider? We could store it on more than one cloud service and encrypt it before we send it off. Each of them will have the same file. What if we use an insecure, easily guessable password to protect the file, or the same one to protect all files? I have often thought that secret sharing algorithms could be employed to good effect in these circumstances instead. What are secret sharing algorithms? They are algorithms that will share a secret between several parties, such that none of them can know the secret without the help of others. Either all or a subset of them will need to get together and put their parts together to obtain the original secret. A simplistic solution can be achieved by XORing the secret with a random number, then giving the result to one party and the random number to the other. Neither one can find out what the secret was without the other. To retrieve the secret they only need to XOR the two parts together again. This can be extended to any number of parties. A more sophisticated way would be to allow the secret to be retrieved from a subset of the parts distributed. In the previous example, if any of the parties loses their part, or refuses to disclose it, then nobody can reveal the secret. This isn't much good if one of our cloud service providers fails. On the other hand, if we can share the secret between three people, but only require any two to regenerate the original, then we have some redundancy. This is an example of a (k,n) threshold scheme with k=2 and n=3. How do we achieve this though? Well, Adi Shamir proposed a simple secure secret sharing algorithm. It is based on drawing graphs. To uniquely define a straight line, you need two points on that line. Similarly, to define a parabola you need three points. A cubic requires four, etc. So, we can distribute points on a line to each party we want to share the secret with. The order of the line will determine how many of them need to get together to regenerate it. So, we could define a random straight line and distribute three points on it to three different parties. However, only two of them need to get together to regenerate the original secret. We set up a (k,n) threshold scheme by setting the free coefficient to be the secret and then choosing random numbers for each of the other coefficients. The polynomial then becomes the following, where a0 is our secret. Now we can distribute points on the line to each of the n parties simply by calculating y for a series of different values for x. We can use the Lagrange Basis Polynomials to reconstruct the equation of the line from k points. However, we do not need to reconstruct the whole line, we are only interested in the free term. This simplifies the equations that we need to use. For example, if we have a straight line, then we only need two points (x0,y0) and (x1,y1). We can then calculate a0 as follows. Similarly, for a parabola and three points (x0,y0), (x1,y1) and (x2,y2) we have the following. This should be fairly simple to implement and use. You would need to sign up to a few cloud services, but you wouldn't have all your eggs in one basket and you wouldn't be reliant on weak passwords.</description><link>http://www.secuobs.com/revue/news/192922.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192922.shtml</guid></item>
<item><title>Blackboard in Security</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - The University recently paid for a vulnerability assessment and penetration test, which came back saying that, apart from a few minor things, everything was fine and secure. I take issue with this finding for several reasons, most of which I won't go into here. Now, I haven't actually seen the report produced by the company, but I have had verbal reports from the IT technicians that 'nothing serious' was found. The University uses a hateful product called Blackboard as a Virtual Learning Management System. This is a web-based application allowing access to learning materials, grades, etc., from anywhere in the world. The problem is that it doesn't use an encrypted connection and uses a simple Session ID cookie to assert that you are an authenticated user. There are two problems with this. Firstly, if I capture your cookie and send it with my HTTP request, then I will be treated as you and can see or do anything as you. Secondly, and much more importantly, the username and password are sent in plaintext! I shouldn't have to explain why this is such a bad idea, but I can't understand why this wasn't picked up as a major security hole. A simple packet sniffer will pick up anyone's username and password, giving full access to the network and other services, such as email, home directories, etc. The trouble is that it's not just students who login to this service, all the academics and admin staff do as well. You can imagine what could be done by grabbing a lecturer's username and password. How easy is it to actually launch a sniffing attack? Well, surprisingly easy (unless you are a pen tester, in which case it won't surprise you at all). Consider the fact that people do connect to this service from public wireless hotspots or from shared networks, such as the halls of residence or the university network itself. It isn't difficult for someone to sniff the network and extract the user's password. 'MAJOR SECURITY WEAKNESS', not 'nothing serious'. I advise people to connect to Blackboard instances via SSL connections at the very least. It doesn't stop all the attacks, but it will stop simple packet sniffing.</description><link>http://www.secuobs.com/revue/news/192921.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192921.shtml</guid></item>
<item><title>Proposed Pseudo-Code for Hacking Process</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - It is quite common in Information Systems to use pseudo-code to describe a process. I have often thought that the same principle can be applied to the process of hacking an organisation, which may help people understand the process and how to protect themselves. Below is my proposal for this pseudo-code for the hacking process. This is very much a work in progress. I would welcome feedback on it and I will update it as suggestions are made or as I feel it needs revising.

organisation = proposed target
organisation.footprint(value, effort, risk)
profit = value - (effort + risk)
if profit > 0 then
  organisation.enumerate()
  select attack_type
    case DoS:
      engage_botnet(myBotnet)
      myBotnet.launchDDoS(organisation)
    case Access:
      organisation.gainAccess(myAccount)
      myAccount.elevate()
      organisation.installBackdoor(myAccount)
      organisation.cleanUp()
  end select
else
  exit
end if

This highlights the fact that we only need enough security to make it not worthwhile attacking, i.e. it will cost the attacker more to compromise our system than they will gain. Who would spend £1m to get £10 worth of information? We don't need (indeed cannot have) absolute security, just enough to protect our system. It also highlights another interesting point. Perhaps we should make our countermeasures public - not the actual implementation details or versions, but the fact that they are in place, e.g. that we have an IDS. Consider blatant versus hidden CCTV cameras. Cameras in plain sight deter most criminals, whereas hidden cameras spy on criminals while they perpetrate their crime. We want to make the risk of being caught/prosecuted value high, so that hackers require a higher value/effort ratio, which we won't give them. Given two identically protected organisations with the same value, would you attack the one that doesn't monitor activity or the one that does? Obviously, the above is very vague and doesn't provide methods to complete these tasks, but that is not the point of this post. Backdoors and Trojans are usually relatively easy to install if you have the right level of access to the system, so much of your security is going to hang on stopping a hacker from gaining access. Gaining access to an organisation is usually performed in one of four main ways: Malware; Sniffing; Direct Attack; Social Engineering. There are ways to protect yourself, up to a point. Some of the most critical are: Installing Antivirus/Antispyware; Latest OS and Application Patches; Enterprise-level firewall, with IDS/IPS, AV, etc.; Personal firewalls on all mobile devices; Secure, hardened configurations; Browser lock-down; Encrypted communication (e.g. SSL/TLS, VPN, etc.); User Education. The last point is often overlooked as a critical security practice. Please feel free to comment.</description><link>http://www.secuobs.com/revue/news/192920.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192920.shtml</guid></item>
<item><title>Contactless Credit Card and ID Card Skimming</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - This news post was brought to my attention, showing a steel-woven wallet to keep RFID credit cards safe. To some this may sound a bit far fetched and to others nothing new or to worry about, but hear me out. With new contactless credit cards you can make small purchases without resorting to the Chip-and-PIN transaction that is most common. Instead, you just 'touch' your card on the reader and away you go. The problem with this is that you cannot turn your card off. I can bring the reader to you; I just need proximity. These readers are small and pocketable, and I can read your card without you taking it out of your pocket. The more high-powered my reader, the further away from you I can be to read your card. Initially, the cards gave out the name on the card, the card number and the expiration date. After people showed that it was easy to skim this information off the card, most have removed the cardholder's name from this list. They have also introduced transaction IDs to help protect the cards from being cloned. However, as the introduction of RFID identity cards increases, we will be giving the cardholder's name out again on those. It has been argued that it is more productive to attack the databases of card details, and still far too easy, so people won't bother trying to read the cards in your wallet. However, I can still obtain a legitimate payment reader and just read your details off and collect your money directly, even if I can't clone the card. In the UK, these contactless transactions are for small amounts of money (£5-£10 typically), but I can collect that from you without your knowledge in a variety of ways. I can use a small pocket device to take a payment from your card directly, but this has to be one at a time and, in some countries, only for small amounts of money (see the video below for a mobile phone that can process contactless credit card transactions). Maybe this isn't worth it to anyone but a petty criminal, but it is relatively easy and cheap. Another way would be to go to a crowded area (public celebrations or gatherings of tens or hundreds of thousands of people, for example) and use a high-powered reader to read lots of cards at once. If I can steal £10 from 100,000 people, that's £1m in an afternoon! Somewhere in the region of half a million people gather in Trafalgar Square, and environs, for the New Year celebrations and similar numbers for the Chinese New Year celebrations a little while later. RFID readers are all over the place and we don't pay them any mind. Shops use RFID readers to catch shoplifters at the entrances. Do you categorically know that they aren't reading your cards instead of catching shoplifters? Would you notice an extra £10 transaction in a shop that you did buy something in? All of our buses and tube stations in London use RFID readers for ticketing. A vast number of commuters will have their Oyster card in their wallet or purse along with their other cards. They don't remove the Oyster card to touch it, they just touch the whole wallet. I could read the other card information at the same time. In fact, do we know that these details aren't logged and just ignored? If they are logged, then maybe we could attack Transport for London's computer system and extract people's credit card details. Maybe people won't do this with credit cards. What about large banks or other companies that use RFID door entry cards and ID cards? I could read their ID and possibly gain access to their building. Will the ID give me a username to work with? If I can gain physical access to a bank building then I have a huge array of attack vectors at my disposal; it is critical to keep the hackers out. Even if a hacker can't clone these types of cards, they can still collect information about people and about companies. It is perfectly possible to identify all the employees of a company using RFID cards for door entry, as you can have a high-powered reader near their entrance or at public transport stations. This now gives a social engineer a target and some information to use. Maybe we should all be holding our wallets over the top of shop gates and away from other readers, or buy one of the shielded wallets from people like ID Stronghold or Herrington.</description><link>http://www.secuobs.com/revue/news/192919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192919.shtml</guid></item>
<item><title>Pragmatic Approach to Security</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - When dealing with security, we must be pragmatic. The resources that an organisation can dedicate to security are limited in terms of time, staff, budget, expertise, etc. Also, perfectly secure systems do not exist - accidents, attacks and penetrations will happen in the end, so plan to deal with them at the outset. Recovery after a breach must be just as much a part of the planning as the mitigation of the breach in the first place. We all insure our cars, hoping never to call on it, and then try desperately to avoid having any accidents, getting the car stolen or vandalized. However, in the end, a lot of us will end up claiming on the insurance at some point, no matter how careful we are. The same is true of security. We have to see the bigger picture and align the use of resources with the company's mission. There comes a point when a small amount more security costs a lot more money, time and management effort, and is much less user-friendly. Wouldn't it impact the business less if we take the hit and recover quickly and smoothly? Often the answer is yes. We have to find the optimal solution for that particular organisation. The graph above shows that as we increase the security of our system the cost associated with breaches of security comes down, as we have fewer breaches. However, this cost will never be zero, as we will always have breaches. Indeed, breaches may still cost a lot of money but, hopefully, they will be few and far between. Conversely, as our security increases, the cost of our countermeasures goes up. Therefore, the total cost will decrease with more security initially, then increase again as the countermeasures become increasingly expensive for less and less improvement to security. These curves and the overall graph will be different for each organisation. The point I'm trying to make is that we should accept that there is no perfect security, do the best job we can, given the resources allocated, and plan for how we will recover from any breaches in security, be they minor or major. The problem comes when deciding what assets should be given priority and what is the best allocation of resources for a specific organisation. This is where security risk assessments come in. For more about security assessments and risks, see my previous post.</description><link>http://www.secuobs.com/revue/news/192918.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192918.shtml</guid></item>
<item><title>How secure is your AV Product?</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - We all use (or at least we should all use) an Anti-Virus (AV) product on our computer to protect it from malware (yes, that includes you Mac and Linux users as well). Rogue Anti-Malware is on the increase and users should be wary of what they install, but if we do choose a big vendor and pay money for it, does it protect our machine from all threats? Well, the answer is no. No security product can be 100% secure, but how secure are they actually? There have been a number of recent surveys and their results show that things are probably improving, but there's still a significant gap. AV-Comparatives.org showed that in their tests, G Data was the best with a 99.8% detection rate of known malware, with Norman being the worst of the 16 at 84.8%. Known malware was taken to be malware from a period of one year that ended 8 months prior to the test. This is important to stress: these weren't new malware instances, these were old, known malware that all vendors will have seen and had time to develop their product to combat. There's another potential issue as well. What settings do you use on your AV product? Do you use the default settings? Several products do come with the highest protection set as default, but not all. Kaspersky, Symantec and Sophos, for example, don't have the highest security settings by default (although Sophos, to their credit, asked AV-Comparatives to test them with default settings, unlike the other two, who asked to be tested with settings changed to high security). McAfee use a cloud-based technology called Artemis, which is on by default, but requires an internet connection. Their test scores come down from a 98.7% detection rate when online to 92.6% when offline. So be wary about the settings that you use and the mode of use as well, as it can make a big difference. AV-Test.org also performed similar tests with more current malware, with similar results. In their tests, Symantec came out top with a score of 98% malware detected and Trend Micro bottom with 83.3%. I'll pick out a few big names so that I can give you average figures from both testing labs.

Detection &amp; Blocking Rates for some Major AV Products
Product   | Existing Detection | Blocking | Live Detection
Symantec  | 98.2%              | 92.8%    | 35.5%
Kaspersky | 96.1%              | 89.9%    | 41.0%
McAfee    | 93.0%              | 86.7%    | 45.5%
AVG       | 93.1%              | 84.2%    | 40.0%
F-Secure  | 91.9%              | 80.2%    | 42.0%

This isn't the full story though. The above tests are of detected existing malware. There are two other metrics that we need to look at. The first of these is the removal or blocking rate. This is the percentage of malware instances that were blocked or removed by the AV product. The others will have infected the machine. AV-Test.org correctly point out that this is a much more important metric than detected malware, as if an AV product detects it but still allows it to install, then you are only marginally better off than if you didn't know about it at all - your machine is still infected. Their tests show that the blocking rates are a chunk down from the detection rates, with the best now being PC Tools at 94.8% and the worst being CA Internet Security at 73.5%. Blocking rate figures for the set of AV products are also given in the table above. The final thing to consider is the detection rate of new malware that hasn't been seen before, i.e. from live attacks. Cyveillance performed a set of tests sending live attack malware through a set of the top AV products on a daily basis to see how they performed. In their tests, cloud-based McAfee came out top at 44% and VirusBuster bottom on 16%. AV-Comparatives performed a similar test and came out with slightly better results, ranging from AVIRA on 74% down to Norman on 32%. Again, I have averaged their figures to include in the table above. Conclusion: you could use more than one AV product as long as they don't conflict. However, it is essential that you keep the product up-to-date at all times and configure it for maximum protection.</description><link>http://www.secuobs.com/revue/news/192917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192917.shtml</guid></item>
<item><title>Cookieless Browser Tracking</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - We all know about tracking cookies and privacy. However, according to the EFF it isn't necessary to use cookies to do a fair job of tracking your browser activities. According to their research, browsers give 10.5 bits of identifying information in the userAgent string, which is supplied to the web server with every request. This is around a third of the information required to uniquely identify you. They have set up a website to gather more data and give you a 'uniqueness' indicator for your browser, which you can find here. This data set is growing quite rapidly and will tell you how many of the userAgent strings they have received that are the same as yours. I managed to find a machine to test that was unique amongst the 195,000 machines they have tested. This means that someone could potentially track that machine even if cookies are disabled. Even if you come out with the same userAgent string as others, you can be narrowed down by using geolocation of your IP, browser plugins, installed fonts, screen resolution, etc. This isn't a new idea and others have tried it, like browserrecon. Of course, if you have a static IP address then you are fairly easy to track anyway. Various suggestions are made to help protect yourself, such as don't allow scripts to run on untrusted websites, which is fairly obvious. However, although this may reduce the amount of data given out from highs of 15.5 bits on a Blackberry or 15.3 bits on Debian, this won't stop the whole problem. It seems like the worst devices for giving out identifying information are Blackberry and Android phones, with minimum figures of over 12 bits. The best combination would seem to be FireFox running on Windows, which can be controlled down to only 4.6 bits (although highs are around double this), but this could just be because it's the most common combination. What can you do? Don't visit untrusted sites. Also, you could change your userAgent string. It is just a text string stating the capabilities of your machine so that the web server can customise content to suit you. However, there is no real harm in tweaking this to fall in line with more common strings so that you are harder to track. You have to be careful here, because just removing most of the information will probably make your userAgent string unique. Alternatively, you could regularly change the string. Perhaps browsers should change the string with every connection? Plugins could do this, like User Agent Switcher. This would allow you to use different strings across different sites. Maybe hiding certain activities by temporarily switching the userAgent string would be useful. FireFox and Opera are both quite easy to configure - type about:config or opera:config in the address bar respectively and navigate to the userAgent options. Internet Explorer is slightly more tricky, in that you have to make a registry change to alter the userAgent string. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent in regedit. Here you can create string values for 'Compatible', 'Version' and 'Platform' to control what is sent. Under the 'Post Platform' key are a whole bunch of additional parameters that will be added to the string, so you can change or remove these.</description><link>http://www.secuobs.com/revue/news/192916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192916.shtml</guid></item>
<item><title>Cisco TACACS+ Password Length</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - I have recently come up against a problem with using the 'new' wireless network at work. We are using Cisco kit and TACACS+ to interface onto Microsoft's AD in the back end. Technically, usernames should be able to be up to 31 bytes long (not a problem there) and the password up to 254 bytes. However, the web portal implementation that we are running has a problem with my password. It would appear that passwords of up to 16 characters are fine, but passwords in excess of 16 characters don't work. We are currently investigating this, as it seems like a real problem, especially as we are recommending that people switch to using longer pass phrases, in excess of 16 characters. Hopefully vendors will catch up with this soon, as many still have problems with so-called 'special characters' such as punctuation and other common symbols.</description><link>http://www.secuobs.com/revue/news/192915.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192915.shtml</guid></item>
<item><title>Trusteer's Response to Issues with Rapport</title><description>Secuobs.com : 2010-02-17 22:12:56 - RLR UK - I have been getting a lot of hits on this blog relating to Trusteer's Rapport, so I thought I would take a better look at the product. During my investigations, I was able to log keystrokes on a Windows 7 machine whilst accessing NatWest. However, the cause is as yet unknown, as Rapport should be secure against this keylogger, so I'm not going to share the details here yet (there will be a video once Trusteer are happy there is no further threat). I have had quite a dialogue with Trusteer over this potential problem and can report that their guys are pretty switched on; they picked up on this very quickly and are taking it extremely seriously. They are also realistic about all security products and have many layers of security in place within their own product. No security product is 100% secure - it can't be. The best measure of a product, in my opinion, is the company's response to potential problems. I have to admit that Trusteer have been exemplary here. Why do I keep saying it's a potential problem when I have logged keystrokes? Well, under normal operating conditions this isn't possible with the keylogger used. Most home users won't have a machine set up like the test machine in this case. Trusteer have also pointed out that keyloggers are not the main threat facing the banks at the moment and are of less use now than in the past. Rapport has several layers of security protecting the machine beyond keyloggers and blocking screen capture. One of the major plus points about Rapport is their anti-phishing and anti-pharming technologies. Although, again, these aren't perfect, it's better than nothing. I don't agree totally with Trusteer here though. The problem with being able to log typed characters comes back to weak passwords and single-factor authentication. In this case, NatWest seem to require a customer ID, consisting of the user's date of birth and a 4 digit ID in the format ddmmyyxxxx, a 4 digit PIN and only a short password. Now, they will let any Customer ID through in this format whether it's valid or not (good from a security point of view, as you don't know if you've got a valid Customer ID or not). However, clearly they allow 6 character passwords and then ask for three of them. So with one capture I can have 3 out of 4 PIN digits and half the password. We know people choose weak passwords that can be guessed. This becomes a crossword puzzle to make a 6 character password given three known characters. I would agree with Trusteer that keyloggers and screen capture shouldn't be a problem now, but it still is, as the banks cling onto simple username and password authentication, often with poor password policies. If the banks move to 2-factor authentication and one-time passwords then most of this would be redundant, and Trusteer could concentrate on pushing us off to the correct site to avoid phishing and pharming attacks. Of course, these will become even more prevalent and sophisticated. Technology can't stop this alone; it has to be coupled with user education. Screen capture can still cause problems with strong authentication solutions, such as those using images or on-screen grids to generate one-time passwords. So, what's the bottom line? Since my earlier posts, Rapport has come a long way with compatibility, etc. The tone of the marketing has also changed for the better and is more realistic (although some of the 44 partner banks could be doing more). So Rapport could be an additional layer of security to protect you, but you will still have to be vigilant. You must have an up-to-date, legitimate anti-virus/anti-malware product, firewall protection, tight controls on your browser and a cautious and skeptical approach to all communications and links. Without these, Rapport isn't going to help you anyway.</description><link>http://www.secuobs.com/revue/news/192914.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192914.shtml</guid></item>
</channel>
</rss>
