Sunday, February 24, 2008

Failures of Disk Encryption

"Security is not a product but a skilled continuous process which requires thought..." Jorge Sebastiao, 1999.

Even the best technologies have a weak point that must be addressed, and disk encryption is no exception. The weakness is that the keys exist in memory in a readable format; if an attacker can get to them, it is game over:

Sunday, February 10, 2008

Social engineering targets jobseekers

Social engineering for profit sees no limits. This time the social engineers (aka hackers) are targeting job seekers by creating a fake web site which collects:
- personal data
- CV information
- fees for visa processing (profit motive)

Please find the links to the original site:
- Real Ministry of Labor http://www.mol.gov.ae/
and the fake site
- Fake Ministry of Labor http://www.uaeministryoflabour.tk/

Real site and Fake site are mirror copies of each other as pictured below.
More details about the story can also be found here.

Tuesday, February 05, 2008

Security Issues with social networks

I have been using social networks heavily for the past 3 years; I started with linkedin and can now reach over 7,000,000 persons online. So the power of the technology is really incredible. These are some of the top ones I use:
  • linkedin
  • xing
  • ecademy
  • plaxo
  • youtube
  • slideshare
  • twitter
  • mypodcast
  • lastfm
  • myspace
  • facebook
  • ...
But practical experience with these social networks brings up some important questions (which I will try to address over this year's posts). Some of the main security issues I see are:
  • propagation of malware (virus, trojans, keyloggers)
  • defacement of profile, impact in public image
  • who owns the data? some networks make it easy to get the data in but very difficult out (usage of images to protect contact information)
  • how to archive and backup this data? who is responsible?
  • how to delete the data permanently if required?
  • predator attacks against minors and kids (parents must learn new ropes)
  • identity theft, impersonation
  • how to maintain so many user IDs (OpenID is trying to address this)
  • how to move data from one site or application to another (OpenSocial is working on this); some users have seen this usage blocked after using automated conversion and migration tools
  • how to do investigations, forensics on so many sites to track down criminals effectively
  • how to separate between business, and personal lives?
  • effects on corporate information
  • leakages
  • effects on corporate productivity
In short: network, do business, have fun, but be careful out there.

More details on:


Friday, February 01, 2008

2008 Security Priorities

Just finished conducting a poll with the help of Plaxo on security priorities of 2008. About 9% of the persons requested replied (from a poll size of approximately 2000 persons, 183 replied).

The top 3 areas of focus are therefore:
- Governance and compliance
- Infrastructure security
- Business Continuity and Disaster Recovery (as mentioned by some in the survey comments, the BCP/DRP issue is much bigger than being just part of security; we all agreed on this ...)

So what are your plans for security for 2008... Be ready as this year will be full of events.

Wednesday, January 30, 2008

Identity Theft Slidecast

Identity theft continues to become an increasing threat to security and must be addressed with regular awareness sessions for end-users.
The following is an identity theft slidecast and podcast which is simultaneously published on slideshare (slides and audio) and mypodcast (audio only).
...


Tuesday, January 29, 2008

Are you ready for Cyberwar?

Last year I wrote about the events of cyberwar between Estonia and Russia. Other ones have happened recently as well such as:
  • between USA and China, (more covert activities and experimentation)
  • between AlQaeda and USA
  • between North and South Korea
  • between India and Pakistan
  • ....
In any cyberwar there are "cyberwarriors", targets (key infrastructure such as financial institutions, government, utilities) and collateral damage (potentially your innocent business). So are we ready? Do we understand the dangers? A recent story in CSO magazine highlights the threat level and readiness of given countries as they focus resources on cyberwar.
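| Country | Est Mil Budget | Status   | Est Threat |
|---------|----------------|----------|------------|
| China   | $56B           | complex  | 4.78       |
| Russia  | $44B           | complex  | 4.39       |
| Iran    | $9.7B          | advanced | 3.79       |
| N Korea | $5.2B          | advanced | 3.03       |
| Libya   | $1.3B          | advanced | 2.86       |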
From this table we notice that both China and Russia devote a substantial military budget and have acquired a complex infrastructure, with the associated threat level (ranked from 1 to 5, 5 being highest).
More details on this story can be found here.

Saturday, January 26, 2008

UK government mandates encrypted Laptops

In response to one of the largest disclosures of information in history, the UK government has responded with a policy which mandates the usage of encryption on laptops and media devices when taken away from the offices.
An email was sent to all UK civil servants (government employees) informing them of the new policy, which "prohibits laptops and hard drives containing sensitive data from being taken out of the government buildings unless the devices are encrypted."
More details on this story are contained here:
- Vunet News
- MOD information Security
This is good news for organizations like Secude, which offer advanced solutions for hard disk encryption and laptop encryption.