Wednesday, January 30, 2008

Identity Theft Slidecast

Identity theft continues to be a growing threat to security and must be addressed through regular awareness sessions with end users.
The following is an identity theft slidecast and podcast, published simultaneously on slideshare (slides and audio) and mypodcast (audio only)
...


Tuesday, January 29, 2008

Are you ready for Cyberwar?

Last year I wrote about the events of the cyberwar between Estonia and Russia. Others have happened recently as well, such as:
  • between USA and China, (more covert activities and experimentation)
  • between AlQaeda and USA
  • between North and South Korea
  • between India and Pakistan
  • ....
In any cyberwar there are "cyberwarriors", targets (key infrastructure such as financial institutions, government and utilities) and collateral damage (potentially your innocent business). So are we ready? Do we understand the dangers? A recent story in CSO magazine highlights the threat level and readiness of several countries as they focus resources on cyberwar.
Country   Est. Military Budget   Status     Est. Threat
China     $56B                   complex    4.78
Russia    $44B                   complex    4.39
Iran      $9.7B                  advanced   3.79
N Korea   $5.2B                  advanced   3.03
Libya     $1.3B                  advanced   2.86
From this table we notice that both China and Russia devote a substantial military budget and have acquired a complex infrastructure, with a correspondingly high threat level (ranked from 1 to 5, 5 being the highest).
More details on this story can be found here.

Saturday, January 26, 2008

UK government mandates encrypted Laptops

In response to one of the largest disclosures of information in history, the UK government has responded with a policy which mandates the use of encryption on laptops and media devices when they are taken away from the office.
An email was sent to all UK civil servants (government employees) informing them of the new policy, which "prohibits laptops and hard drives containing sensitive data from being taken out of the government buildings unless the devices are encrypted."
More details on this story are contained here:
- Vunet News
- MOD information Security
This is good news for organizations like Secude which offer advanced solutions for hard disk encryption and laptop encryption.

Tuesday, January 22, 2008

Largest Bank Fraud $ 7 Billion dollars

French bank SOCGEN (Société Générale) is the victim of the largest bank fraud of the year, totalling $7 billion (over €5 billion). A junior trader, Jerome Kerviel, made trades that caused the bank substantial losses. Jerome was able to hide his actions by modifying the information in the bank's computers.

The trader was able to create fictitious accounts to hide his actions, and supported this with falsified documents. In short: massive risk, massive losses and a total lack of appropriate controls.

In security there is a simple concept known as dual control: under this control, critical system transactions or system information cannot be updated by a single individual but require approval and verification from another party or employee in the organization (these controls are built into even the most basic accounting systems). Why were such controls absent or ignored? I am sure the investigations and postmortem analysis will provide plenty of reading....
D.K. Matai, a good friend and Chairman of Asymmetric Threats, also discusses the topic in MI2G press release postings.
Some more recent updates on the story are contained here:
- Reuters Time Line
- Telegraph UK
- the company explanation
- Financial Times
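To make the dual-control idea above concrete, here is an added example (not code from the original post or from any bank): a minimal ledger in which a trade above a single-person limit stays pending until a different, authorized person signs it, and every denied attempt is written to an append-only audit trail. User names, the limit and the amounts are constructed for illustration.

```python
# Added example, not from the original post: a minimal dual-control ledger.
# User names, limits and amounts used with it are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Transaction:
    tx_id: str
    initiator: str
    amount: float
    status: str = "pending"          # "pending" until a second person signs
    approver: str = ""

class Ledger:
    def __init__(self, approvers, single_limit):
        self.approvers = set(approvers)   # users allowed to give the second signature
        self.single_limit = single_limit  # above this, nobody may post alone
        self.txs = {}
        self.audit = []                   # append-only trail of every action

    def _log(self, who, action, tx_id):
        self.audit.append((who, action, tx_id))

    def propose(self, tx_id, initiator, amount):
        """Record a trade; small trades post at once, large ones wait for approval."""
        tx = Transaction(tx_id, initiator, amount)
        if amount <= self.single_limit:
            tx.status = "approved"
        self.txs[tx_id] = tx
        self._log(initiator, "propose", tx_id)
        return tx

    def approve(self, tx_id, approver):
        """Second signature. Returns True if accepted; denials are logged, never silent."""
        tx = self.txs[tx_id]
        if tx.status != "pending":
            reason = "not awaiting approval"
        elif approver == tx.initiator:
            reason = "initiator cannot approve own transaction"   # separation of duties
        elif approver not in self.approvers:
            reason = "user lacks approval rights"
        else:
            tx.status, tx.approver = "approved", approver
            self._log(approver, "approve", tx_id)
            return True
        self._log(approver, "denied: " + reason, tx_id)
        return False

    def exposure(self):
        """Value actually posted to the books; pending trades never count."""
        return sum(t.amount for t in self.txs.values() if t.status == "approved")
```

The point a reviewer of such a control would check is that the approver identity is compared against the initiator and against an authorization list, and that a trade never reaches the books (and the exposure figure) on one signature alone.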

Thursday, January 17, 2008

Security for the iPod generation


The iPod generation likes to stay informed while on the move by downloading music, books, news and podcasts to their portable devices. The following podcast, "Security Now!", is a good source for staying in tune with security while on the move. This example episode talks about:
  • latest viruses and trojans
  • corporate security
  • security policies
The text transcript is Security Now Jan 17, or you can listen by clicking the highlighted icon...


The full Security Now site can be found here...


Bruce Schneier on Security And Psychology

Bruce Schneier visited the Kingdom of Bahrain for the first time in 2005 for the HITB 2005 conference organized by E-Security Gulf Group (eSgulf). It was Bruce's first visit to the Middle East; we also took the time to visit Riyadh in the Kingdom of Saudi Arabia. During this visit he presented security in a practical and modern way. He also authored the book Beyond Fear, which was distributed during the conference. In security, psychology plays an important part in achieving the objectives of success.
At Penguicon 2007, last year, Bruce addressed Security and Psychology; the podcast of this talk can be listened to here...


Tuesday, January 15, 2008

Are you the passenger or the pilot

When you get in the seat of your airplane today you have a complete entertainment and communication system which gives you more than you expected. According to the FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack.
According to the FAA document published in the Federal Register, the vulnerability exists because the plane's computer systems connect the passenger network with the flight-safety, control and navigation network. It also connects to the airline's business and administrative-support network, which communicates maintenance issues to ground crews.
The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA document. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."
The information is published in a "special conditions" document that the FAA produces when it encounters new aircraft designs and technologies that aren't addressed by existing regulations and standards. More details here...

Monday, January 14, 2008

Top 10 Data Breaches of 2007

2007 was a year in which several records were broken for the quantity of private information leaked or hacked...
The CSO (Chief Security Officer) magazine top 10 are:
1. TJX Credit cards
Victims: Millions of bargain shoppers worldwide
2. Her Majesty’s Revenue and Customs -- One Regrets the Error
Victims: 25 million
3. TSA, 2 of 2 - Thieves stole a computer hard drive
Victims: 100,000
4. The Nature Conservancy and Recycled Data
Victims: 14,000
5. Swedish Urology Group - Doctors lost 3 drives containing patients' personal info
Victims: "Hundreds"
6. Shaw’s Supermarket -- Passwords
Victims: 472 store employees
7. TSA 1 of 2 Doing DHS Proud!
Victims: 3,930
8. Indianapolis Power and Light
Victims: 3,000
9. Commerce Bank of Wichita, Kansas
Victims: 20
10. Monster.com -- CISO looking for New Job
Victims: 1.3 million

Full details are here.... CSO site

Sunday, January 13, 2008

Fear as a tool

Fear can be used as a very effective tool for homeland security. The biggest users of this tool are the politicians in every country. The media amplifies the news being broadcast and feeds it for public consumption; so always:
- beware
- ask, question
- investigate
- collaborate from multiple sources (eliminate duplicates)
- use common sense
- remember that misinformation is used as a tool

Friday, January 11, 2008

Security Awareness Calendar 2008 on Slide Share

Added a security awareness calendar and introduction presentation(s) on slideshare.
One security tip for each month of the year. You can download the PPT and customize it for your own organization. Have a safe 2008.

Thursday, January 10, 2008

Is my LCD screen secure?

Can someone see your computer LCD screen, behind a wall?
The answer is yes: someone can recreate and see your screen information, if the person, company or government organization has the know-how. The technology required to do it is freely available. This is possible because the equipment we use today emits electromagnetic ("wireless") waves which can be captured, amplified, processed and enhanced to reconstruct the original information.
This kind of research is not new; it was done a few years back under the names "TEMPEST" and "Van Eck", for older CRT screens.
Markus Kuhn, a researcher from Cambridge University, published a paper on this some time back: Reading your Screen through a Wall. The technology is low cost and could easily be put together.
A result sample of the screen can be seen here...

Technology, people and data sharing

The number of sites we use keeps growing. Many times we have to re-enter the same information again and again. So data portability, data harvesting, data sharing, data migration and data integration are important; but what about security and privacy? Some web sites like Facebook have monitoring which identifies automated tools and will try to stop them. The approach is good but it may turn some power users away. Check out this user's experience with the technology. Also discussed here.

Some important announcements about progress in this area are coming from Google, Facebook and data portability.org.

Wednesday, January 09, 2008

iPhone Virus - Trojan


The new iPhone is very tightly controlled by Apple. Even in this environment, viruses are possible; no one is immune to every virus, not even the iPhone. The first virus for the iPhone is out.
The first warnings about this new virus were posted on the iPhone modification forum ModMyiFone.com and then on ZDNet News.

Since this is a first, it is important for users to pay attention when installing new applications on the device. All applications must come from trusted sources.

Thursday, January 03, 2008

Human Element

The human element continues to lead the pace in security. There is a daily struggle towards more security and less risk...

1- Network diagram
2- pretty ? Beautiful?
3- Virtual machines accepting all the viruses
4- Not a network diagram, but a display of viruses growing
5- Normal people look at aquariums ....

extracted from http://xkcd.com/350/

Wednesday, January 02, 2008

I am back and new website for 2008

After a long absence from blogging it is time to return. As part of the New Year resolution for 2008 I will try to post new blog entries more often. The objective is to bring more security awareness. I will just have to stay up a little longer at night...
Maybe also try and learn new techniques like mobile blogging, more videos, audio blog entries.

In 2008 it was also time to launch a new web site with a fresh look for
"E-Security Gulf Group" ("eSgulf"); details can be found here... www.esgulf.com
eSgulf now has a presence in the European Union (EU), the Middle East and Asia.


Tuesday, January 01, 2008

Happy New Year 2008


Happy New Year 2008, all the best for the family, friends, colleagues, coworkers, business partners, social networkers.
Welcome to "flat world of 2008"... Be safe and secure.