Monday, July 30, 2007

Rape and the importance of S.o.D

In Information Security it is drummed into us how important Separation of Duties is.

I investigate security methods, security matrices and inform the Operations teams one what to do. I also measure what is being done. But I don't do it and I don't ever measure myself.

According to this article in the Times online paper the police are playing with numbers:

" ‘We were told by police officers that there is a general belief that if there is a reduction in the number of rape cases reported, they stand in line for promotion'."

So hence, "an investigation by The Times into child abuse has uncovered claims that some police officers are not recording all rape cases — in the hope that keeping statistics on the crime down will fast-track their careers."

The article goes on to say that the police are refusing to record the crimes or are recording them as common assaults instead.

The problem is that the crime is not receiving the same attention that it would have, had it been logged as rape. The victim also does not get the right medical treatment such as HIV treatment.

How do we get around this? Separate the duties. The police who investigate crime after it has happened should be rewarded for the number of crimes investigated. The police who prevent crime should be rewarded for bringing down the crime. That way, we all win.

Wednesday, July 25, 2007

spamspamspamspam...pdfs..baked beans...spreadsheets and spam!

It seems that everyone is reporting on new spam techniques. But here goes anyhow:

Spammers are using pdfs and zipped up excel spreadsheets to send spam.

This is not really all that surprising because traditional spam checkers don't look inside these kind of documents or block based on whether a mail has one.

So, its back to the drawing board for spam blockers, they need to check pdfs.

The scary thing about this is that the risk for false positives is much higher with a pdf or office document (I doubt that excel will be the only spam transport chosen) because genuine business documents are usually in these formats.

If you are a broker and someone sends you an excel spreadsheet of their stock picks and you miss it because your spam checker thinks it may be "pump and dump" spam - you could end up in a lot of serious trouble.

Spam is horrible stuff but there obviously is a market for cheap Viagra with no prescription.

Monday, July 23, 2007

The Customer is Always Wrong [Part Two]

Just to be fair...

I have a doctor I go to regularly now but I tried a few of them for a while and there were some who were so clever but just didn't listen to what I had to say.

They were obviously the experts but I figure I know me better than anyone and had they listened to me I think we, together, would have been able to find solutions better than just me alone or the doctor alone.

I think that, in information security too, you are always fighting someone somewhere but the secret to a good relationship is to listen to what the other people in the organisation have to say.

But never forget that you are the expert.

[Note: I was going to use a plaster/bandage for the little post image but I used a stethoscope because the point of this post is listening]

The Customer is Always Wrong [Part One]

This little insight I worked out by myself with great difficulty.

My first IT job was probably the hardest I ever did.

It was working in a call centre at an ISP back in 1995 before most people had even heard of the Internet and email. Those that had were termed "early adopters" and it was "cool" to "surf the internet". Having played with Unix and Linux and TCP and configured modems to do interesting things I considered myself to be an expert in what I was doing which was helping people to connect to the Internet. And yet there were people who may well have been experts in what they did that would argue with me. The ones who were the most clueless but argued the most were usually doctors. I guess doctors are used to dispensing advice - not taking it.

I've seen from my wife's craft business that the same is true. Some people look to her for advice on techniques and then ignore the advice and get upset, some listen and are happy with the results. (She tries not to offer advice on the creative aspects, that has to come from within).

And now that I am in security I've seen how business can try to ignore security advice because they feel that they know better. Try to force them to accept what you are saying and you can overstep the "be nice to clients" boundary.

At the end of the day, the client has to accept that he is working with a professional and accept the advice as coming from an expert. Alternatively, if the client can do everything on his own, what does he need an expert for , anyhow?

Friday, July 20, 2007

Why the GPL sucks as a license...

The Security Blogger's Network has been debating the GPL recently but this is a debate that has been going for years..

The short version of the printer story: Richard Stallman worked for a company. They had a printer. They modified the printer driver's source to do stuff the printer makers didn't think of. They were happy. They upgraded the printer. The new printer driver worked but had no source so they couldn't modify it to do what the old printer did. Richard Stallman fell in love with the idea of having source code. He wrote the GPL to enable users to be able to manage their software.

It was later discovered that the GPL can help a company to expand their product for free and get community involvement. This was an unexpected bonus but not why the license was created in the first place. One of the shortcomings is that if you never redistribute the binary or don't redistribute it to the original author, you don't have to forward your source code changes. This could make coders upset but really - the GPL is designed to make users happy.

I've had a good think about companies changing the license from GPL to something else when their product becomes more successful and I think it is fine to do that.. it is their work but.. they must strip out all the bits and pieces that others have contributed to the product or inform them up front that their work may become part of a non GPL software offering.

I remember back when Netscape announced to great fan fare that they would be releasing an open source version of their browser it took a very long time for the source to actually be released because so much of it had to be stripped out because it was non-Netscape proprietary code.

I remember also when the CDDB went private taking all the hard work of their contributors along with them. I am not a lawyer but I know what is fair.

Wednesday, July 18, 2007

Harry Potter Escapes!

It had to happen. Unless Scholastic really had magic powers the Harry Potter book was not going to stay secret forever.

According to a news article on The Age, the new Harry Potter book has been leaked.

There have been a number of fake leaks: there are a number of people who write fan fiction and these have been used to trick people into clicking onto websites with worms and the like.

But this one is slightly different. It is not a pdf or text document; it is photographs of each page in the book.

Now that it has leaked the publishers are desperately trying to put the toothpaste back in the tube but with no luck.

On the other hand, reading a 700+ page book page by page from low quality photographs is not easy. It's just better to buy a copy or, at very least, visit the library.

You can bet that, like number 6, there will be pdf versions floating around the pirate sites within a few days.

The one thing to learn from this is that if you have information that is wanted by someone else, you will have a hard time protecting it and as close as Scholastic came to protecting the Harry Potter book from being released, there is no such thing as perfect security.

The other thing is that: with information it only takes one leak and the number of copies will expand until it is impossible to control.

Wednesday, July 11, 2007

Africa Part 2, Exploding ATMs

While the rest of the world debates the length of a pin number, we in South Africa have a different challenge. At least, the banks do - explosives.

According to this article at The Times: "security companies and banks have warned the public about unexploded bombs in and around ATMs."

Johan Burger, senior researcher at the Institute for Security Studies, said “Because of the increase in ATM bombings, the risk to the public has risen dramatically. ATM bombers are now hitting machines in business premises in metropolitan areas."

Also according to the article: "[First National Bank of South Africa has a] new security and monitoring system [that] will be introduced at 500 sites in areas considered to be at high risk.

Guards on 24-hour patrols will also keep watch over the cash machines."

I can't imagine that an ATM has terribly large amounts of cash and criminals will start to apply this modus operandi to other types of crime. As a risk, this is on the increase and security professionals should analyse if and how this would affect them.

It may be worth positioning your server room more to the middle of your offices rather than against a main wall so that a little explosion won't leave a gaping hole that PCs can be moved through.

Update: I just took a look at the video on the site and I would highly recommend anyone using an ATM to see video evidence of what criminals can try when you are using an ATM.

Monday, July 9, 2007

Welcome to March!

A large march of striking workers just marched past my office.

There has been some violence in the past few marches but these are usually on a small scale and directed at those workers who elected not to strike. Usually marches are fairly harmless, even if they look aggressive and scary.

The question for a security professional is - how does one deal with a march that impacts business. In my opinion, besides electricity rolling blackouts and the winter sickness cycle marches are the most likely threat to business continuity that Johannesburg faces.

If you are a small business based in Johannesburg or any city centre then you should at least make sure that you have a business continuity plan. Make sure that you have backups stored away from your offices, a way to restore them to a separate location and a safe separate location that you can work from. This may be a bit of an issue for a small business (in which case lots of planning is needed . And don't forget to think out of the box, too!) but for a micro or mini enterprise it may be worth working from home or for the more adventurous - a coffee shop for the time that the march is on.

This is not a complete solution; each business needs to assess business continuity for themselves. Just remember that the first rule of Business Continuity is that the safety of all the employees comes before the health of the business.

Friday, July 6, 2007

Department of Transport - ISO27001 will help you save face

Some free advice for the Department of Transport.

My last blog entry about eNatis seems to be exactly what the D.O.T is trying to tell everyone: "leave us alone, everything is fine except the website which is in no way linked to the personal data was hacked".

Hey, even uber-hacker (did I really use that term?!) Kevin Mitnick had his web site hacked. It happens, and what we should be worried about is not the website but the data in the database. Who cares if some kid scribbles junk on a website? You should care if he manages to get inside the data to your credit card details and personal information like name, address, ID number, car registration number and accesses it for himself to use elsewhere (loss of confidentiality), or changes the information (loss of integrity).

I do believe that the press is squeezing this story for more than it is worth because, well, they need news and this is an easy target. But its also easy news to print because of all the issues that eNatis has had in the past and the lingering doubt that the Auditor General's report brought about.

The department tried to stop the report from being made public but once it was made public because it said that the system was very insecure. The department followed up with a statement that the system had since been fixed which is quite an easy thing to say but not very convincing.

I think that we as the public who are forced to put our private information in this database (or alternatively don't have a vehicle or license to operate one) should insist that the system and processes around it be certified in some way. My choice would be ISO 27001 but there are other similar certifications and I'd be happy with any one of those.

But really, the D.O.T should be proactive on this and not wait for public backlash, they should investigate security measures now so that when the inevitable audit comes, they are ready.

And when the media jump on something silly like a minor website hack they would have their ducks in a row to argue back.

Thursday, July 5, 2007

eNatis: Nothing to see here, move along.

For those that read my column and are not from South Africa - eNatis is a new system that the Department of Transport (DOT) has implemented. It has a website portal and is the system used for registering cars, licenses, paying fines, etc. It has a lot of personal information. The website was hacked and the papers jumped on the story, though most calling it (correctly) a non-event.

Web hacks are (apparently) easy to do.

This is part of the reason why no company worth their salt (and some not even worth that) recommend that the webserver does not contain important information. That should be stored in a database and if the webserver needs to read the data, it should make a connection through a firewall. And the database should be closed up as tight as possible.

In fact, it is almost expected that the webserver will be hacked and the company (or government department) should have an incident response in place to deal with this minor breach.

I liken this hack to the real-life-equivalent of a criminal trying to break into an office of the D.O.T, not succeeding and spraying graffiti on their gate.

The media has jumped on this hack because of the issues eNatis has had in the past, but its the equivalent of reporting on a graffiti incident - the result of the attack is very embarrassing because of the fact everyone can see it but, no real loss occurred and once the mess is cleaned up there will be no further issue.

So, what sort of hack is news worthy? One that will not make it all the way into the papers! A newsworthy hack would be one where a criminal (or hacker..whatever terminology you choose) gets into the eNatis database, manages to manipulate the data for self gain or steal personal information from the database.

This will not get into the paper because:
  1. The user will not make it public that he has done anything wrong, it would make it easier for him to get caught.
  2. The D.O.T may not even know it has happened. Stealing information is not like other crime where if someone steals your stuff, you have no stuff left. Information can be stolen but a copy could be left in place.
  3. If the D.O.T finds that a hack has taken place in their database the last thing they will do is inform the press. (my guess)
  4. If information is stolen from the D.O.T, it may be used for identity theft purposes. (ie. pretending to be someone so you can get credit in their name or get access to their personal assets) and the investigation (if it gets that far) may not know the true source of the information used in identity theft.

That is not to say that I know of an instance where eNatis has had its database hacked, nor am I saying that it has been hacked or ever will be in the future. I'm saying that, if it were hacked in a way that was newsworthy, we probably would not be reading about it in the newspaper.

Wednesday, July 4, 2007

PCI Auditors selling stuff?!

In a really good blog entry, Mike Rothman talks about how PCI assessors (auditors) are pitching products and other solutions once the audit is done. He goes on further to talk about separation of duty and how the client should make it clear from the beginning that there will be no further business to be made after the audit.

I agree with Mike but I don't think he took it far enough. In an earlier blog entry of mine I discuss this very issue. Once the auditor has been too visit, it is too late. Have a good strategy and see it through long before you call in auditors. Then once they have arrived and start to sell you products and solutions that you don't need - you'll know that you don't need them.

Never use auditors to tell you what should be done.. use your security experts... use auditors to do the checking.