Outsourcing, and rebranding, (national) security

I was thinking about the recent trend, in the US, for “outsourcing” and “privatization” of security functions, in order to reduce (government) costs.  For example, we know, from the Snowden debacle, that material he, ummm, “obtained,” was accessed while he was working for a contractor that was working for the NSA.  The debacle also figured in my thinking, particularly the PR fall-out and disaster.

Considering both these trends; outsourcing and PR, I see an opportunity here.  The government needs to reduce costs (or increase revenue).  At the same time, there needs to be a rebranding effort, in order to restore tarnished images.

Sports teams looking for revenue (or cost offsets) have been allowing corporate sponsors to rename, or “rebrand,” arenas.  Why not allow corporations to sponsor national security programs, and rebrand them?

For example: PRISM has become a catch-phrase for all that is wrong with surveillance of the general public.  Why not allow someone like, say, DeBeers to step in.  For a price (which would offset the millions being paid to various tech companies for “compliance”) it could be rebranded as DIAMOND, possibly with a new slogan like “A database is forever!”

(DeBeers is an obvious sponsor, given the activities of NSA personnel in regard to love interests.)

I think the possibilities are endless, and should be explored.

Share

Has your email been “hacked?”

I got two suspicious messages today.  They were identical, and supposedly “From” two members of my extended family, and to my most often used account, rather than the one I use as a spam trap.  I’ve had some others recently, and thought it a good opportunity to write up something on the general topic of email account phishing.

The headers are no particular help: the messages supposedly related to a Google Docs document, and do seem to come from or through Google.  (Somewhat ironically, at the time the two people listed in these messages might have been sharing information with the rest of us in the family in this manner.  Be suspicious of anything you receive over the Internet, even if you think it might relate to something you are expecting.)

The URLs/links in the message are from TinyURL (which Google wouldn’t use) and, when resolved, do not actually go to Google.  They seem to end up on a phishing site intended to steal email addresses.  It had a Google logo at the top, and asked the user to “sign in” with email addresses (and passwords) from Gmail, Yahoo, Hotmail, and a few other similar sites.  (The number of possible Webmail sites should be a giveaway in itself: Google would only be interested in your Google account.)

Beware of any messages you receive that look like this:

——- Forwarded message follows ——-
Subject:            Important Documents
Date sent:          Mon, 5 Aug 2013 08:54:26 -0700
From:               [a friend or relative]

*Hello,*
*
How are you doing today? Kindly view the documents i uploaded for you using
Google Docs CLICK HERE <hxxp://tinyurl.com/o2vlrxx>.
——- End of forwarded message ——-

That particular site was only up briefly: 48 hours later it was gone.  This tends to be the case: these sites change very quickly.  Incidentally, when I initially tested it with a few Web reputation systems, it was pronounced clean by all.

This is certainly not the only type of email phishing message: a few years ago there were rafts of messages warning you about virus, spam, or security problems with your email account.  Those are still around: I just got one today:

——- Forwarded message follows ——-
From:               ”Microsoft HelpDesk” <microsoft@helpdesk.com>
Subject:            Helpdesk Mail Box Warning!!!
Date sent:          Wed, 7 Aug 2013 15:56:35 -0200

Helpdesk Mail Support require you to re-validate your Microsoft outlook mail immediately by clicking: hxxp://dktxxxkgek.webs.com/

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your Microsoft outlook mail account was accessed by a third party. Protecting the security of your Microsoft outlook mail account is our primary concern, we have limited access to sensitive Microsoft outlook mail account features.

Failure to re-validate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.

Help Desk
Microsoft outlook Team
——- End of forwarded message ——-

Do you really think that Microsoft wouldn’t capitalize its own Outlook product?

(Another giveaway on that particular one is that it didn’t come to my Outlook account, mostly because I don’t have an Outlook account.)

(That site was down less than three hours after I received the email.

OK, so far I have only been talking about things that should make you suspicious when you receive them.  But what happens if and when you actually follow through, and get hit by these tricks?  Well, to explain that, we have to ask why the bad guys would want to phish for your email account.  After all, we usually think of phishing in terms of bank accounts, and money.

The blackhats phishing for email accounts might be looking for a number of things.  First, they can use your account to send out spam, and possibly malicious spam, at that.  Second, they can harvest email addresses from your account (and, in particular, people who would not be suspicious of a message when it comes “From:” you).  Third, they might be looking for a way to infect or otherwise get into your computer, using your computer in a botnet or for some other purpose, or stealing additional information (like banking information) you might have saved.  A fourth possibility, depending upon the type of Webmail you have, is to use your account to modify or create malicious Web pages, to serve malware, or do various types of phishing.

What you have to do depends on what it was the bad guys were after in getting into your account.

If they were after email addresses, it’s probably too late.  They have already harvested the addresses.  But you should still change your password on that account, so they won’t be able to get back in.  And be less trusting in future.

The most probable thing is that they were after your account in order to use it to send spam.  Change your password so that they won’t be able to send any more.  (In a recent event, with another relative, the phishers had actually changed the password themselves.  This is unusual, but it happens.  In that case, you have to contact the Webmail provider, and get them to reset your password for you.)  The phishers have probably also sent email to all of your friends (and everyone in your contacts or address list), so you’d better send a message around, ‘fess up to the fact that you’ve been had, and tell your friends what they should do.  (You can point them at this posting.)  Possibly in an attempt to prevent you from finding out that your account has been hacked, the attackers often forward your email somewhere else.  As well as changing your password, check to see if there is any forwarding on your account, and also check to see if associated email addresses have been changed.

It’s becoming less likely that the blackhats want to infect your computer, but it’s still possible.  In that case, you need to get cleaned up.  If you are running Windows, Microsoft’s (free!) program Microsoft Security Essentials (or MSE) does a very good job.  If you aren’t, or want something different, then Avast, Avira, Eset, and Sophos have products available for free download, and for Windows, Mac, iPhone, and Android.  (If you already have some kind of antivirus program running on your machine, you might want to get these anyway, because yours isn’t working, now is it?)

(By the way, in the recent incident, both family members told me that they had clicked on the link “and by then it was too late.”  They were obviously thinking of infection, but, in fact, that particular site wasn’t set up to try and infect the computer.  When they saw the page asked for their email addresses and password, it wasn’t too late.  if they had stopped at that point, and not entered their email addresses and passwords, nothing would have happened!  Be aware, and a bit suspicious.  It’ll keep you safer.)

When changing your password, or checking to see if your Web page has been modified, be very careful, and maybe use a computer that is protected a bit better than your is.  (Avast is very good at telling you if a Web page is trying to send you something malicious, and most of the others do as well.  MSE doesn’t work as well in this regard.)  Possibly use a computer that uses a different operating system: if your computer uses Windows, then use a Mac: if your computer is a Mac, use an Android tablet or something like that.  Usually (though not always) those who set up malware pages are only after one type of computer.

Share

Click on everything?

You clicked on that link, didn’t you?  I’m writing a posting about malicious links in postings and email, and you click on a link in my posting.  How silly is that?

(No, it wouldn’t have been dangerous, in this case.  I disabled the URL by “x”ing out the “tt” in http;” (which is pretty standard practice in malware circles), and further “x”ed out a couple of the letters in the URL.)

Share

Thoughts at the library drop slot

A couple of days ago, I happened to walk over to the library in order to return some items.  When I got there, as all too often is the case, a parent was allowing two of his children to put their returns back into the (single) drop slot.  He noticed me, and offered to take my stuff and return it when they were done.  (Parenthetically [as it were], I should note that, in the five years since the new system was put in place, this is only the second time that a parent, in such a situation, has taken any notice of the fact that they were delaying matters.  The previous one, about a year ago, asked her children to stand aside and let me through.  I digress, but not completely.)

I immediately handed over my pile (which included a recent bestseller, and a recent movie).  (We are all creatures of social convention, and social engineering is a powerful force.)  But, being a professional paranoid, as soon as I walked away I started berating myself for being so trusting.

I was also thinking that his actions were pedagogically unsound.  While he was, at least, assisting me in avoiding delay, he was, just as much as the majority of the parents at that slot, teaching his children that they need have no regard for anyone else.

(And, yes, before I left the library, I checked my account, and determined that he had, in fact, returned my items.  Auditing, you know.)

Share

Western society is WEIRD [1]

(We have the OT indicator to say that something is off topic.  This isn’t, because ethics and sociology is part of our profession, but it is a fairly narrow area of interest for most.  We don’t have a subject-line indicator for that  :-)

This article, and the associated paper, are extremely interesting in many respects.  The challenge to whole fields of social factors (which are vital to proper management of security) has to be addressed.  We are undoubtedly designing systems based on a fundamentally flawed understanding of the one constant factor in our systems: people.

(I suppose that, as long as the only people we interact with are WEIRD [1] westerners, we are OK.  Maybe this is why we are flipping out at the thought of China?)

(I was particularly interested in the effects of culture on actual physical perception, which we have been taught is hard wired.)

[1] – WEIRD, in the context of the paper, stands for Western, Educated, Industrialized, Rich, and Democratic societies

Share

Online forum rule haikus

On the CISSPforum we were discussing precepts for getting along and keeping the discussions meaningful.  Somebody started listing rules, so I started casting them as haikus.  That prompted a few more.

I wondered if these were only for that group, but then realized most of them were applicable to online discussions of whatever type.  So, herewith:

 

Create your own space
Meaningful content only
Comes to those who post.

Silence calls silence
Lurkers don’t disturb quiet
Sleep beckons as well.

The posts are boring?
Raise topic of interest
Thread starter lauded.

Forum like sewer:
What you get out of forum
Depends on input.

Being creative
Is much better than being
Tagged as complainer.

These are your colleagues.
Why are you so much  better
That they must start first?

The forum that is
Is not what must always be.
Build a better world.

Friday is not for
Building new realities.
Your colleagues would sleep.

 

Then some other chimed in:

I remember trust
It disappeared so quickly
I guess we were fools

Pointing to resource
Always appreciated
Who can search the whole?

Putting platitudes
into pleasing haiku
removes sting of truth

Now you’re getting it.
Format is everything.  (Well,
And maybe context  :-)

friday gratitude
is here at last for resting
ignoring infosec

Friday at last! Time for
Bottles of overpriced wine.
Why’m I still at work???

Request not correct.
Reformat for this thread.
Please resubmit now.

UNSUBSCRPTION post
Jangles cosmic harmonies
Til balance achieved.

Share

Blatant much?

So a friend of mine posts (on Twitter) a great shot of a clueless phishing spammer:

So I reply:
@crankypotato Were only all such phishing spammers so clueless. (Were only all users clueful enough to notice …)

So some other scammer tries it out on me:
Max Dubberly  @Maxt4dxsviida
@rslade http://t.co/(dangerous URL that I’m not going to include, obviously)

I don’t know exactly where that URL redirects, but when I tried it, in a safe browser, Avast immediately objected …

Share

User interface

The food fair area of one of the local mall had a facelift recently.  Now, as you walk down the hall towards the washrooms, the first thing you see is a lighted sign stating “WOMEN” on the first hallway that takes off to the right.

Trouble is, that hallway is where the men’s washroom is located.  Unless you know the layout of the mall (and, in this season of the annual Northern-Hemisphere-Mid-Winter-Gift-and-Party-Period, there are lots of guys around who aren’t normally in the mall), you don’t really notice that the triangle next to the word “WOMEN” is actually an arrow, presumably directing you further down the hall, where the hallway to the women’s washroom is actually located.  You have to be closer, and still looking up high, to notice that the word “MEN” is printed above the word “WOMEN,” but is, for some weird design reason, right justified, so that it starts about a foot past the beginning of the word “WOMEN.”

This explains why there are lots of guys coming back up the hall looking for the men’s washroom that they passed on the way down.

User interface is important.

Share

What happens when your user changes his password?

You just forced the user to change his password; periodic password changing is good policy, right?

Now lets see what happens next:

  • The user sends the password to himself by email, in plaintext, so he won’t forget. Now it’s in his inbox, viewable on the email ‘preview’ section to anyone shoulder surfing
  • He then writes it on a post-it note. The cleaning person threw out the previous password (but that’s ok, he finally remembered it). Now there’s a post it with the password in the top right drawer
  • He then sends it to his wife/friend/colleague who also uses the account sometimes. Now it’s in another person’s inbox, again in a preview pane. He might have typed their email wrong and sent it to someone else by mistake, or maybe they put it on a post-it note too
  • The next time he tries to login he will use the old password (that he remembers) and fail. Your system will lock him out, and he will call to have it released. Another false positive that makes the person auditing the log for lock outs not pay attention to the warnings
  • He will then sign up to the new and cool social web site and use this last password as his password there. It’s already on the post-it note: Why write another? This new social web site will soon be cracked and your user’s password will be available online

Remind me again why changing passwords periodically is good for security? Oh, I get it. You were just living up to the bad reputation and preventing ease of use.

 

Share

Budget and the chain of evidence

Go Public, a consumer advocacy show on CBC, has produced a show on Budget Rent-A-Car overcharging customers for minor repairs.

This rang a bell with me.

In May of 2009, I rented a car from Budget, in order to travel to give a seminar.  Having had troubles with various car rental companies before, I did my own “walk around” and made sure I got a copy of the damage report before I left.  There were two marks on the driver’s door (a small dent, and a scratch), but the Budget employee refused to make two marks in that spot of the form: he said that the one tick covered both.

When I turned in the car, I was told that the tick was only good for the one scratch, and that I would be charged $400 for the dent.  I was also told that, since I had rented the car using my American Express card, I was automatically covered, by American Express, for minor damage, so I should get them to pay for it.

Since I was neither interested in paying myself, nor in assisting in defrauding Amex, I referred to the earlier statement by the employee who had checked the car.  (I had a witness to his statement, as well.)

Thus started a months-long series of phone calls from Budget.  They kept trying to get me to agree to pay the extra $400, and get Amex to reimburse me.  I wasn’t interested.

The phone calls finally stopped when, on one call, I informed the caller (by now identifying himself as someone in the provincial head office for Budget) that I had kept the copy of the original damage report form.  The caller told me that it clearly stated that there was a scratch on the door.  When I asked him how he interpreted the tick mark as a scratch, rather than a dent, he said that the word “scratch” was written on the form.

Well, of course, it hadn’t been written on the form originally.  I guess the caller must have been reasonable high up in the corporate food chain, because he knew what that meant.  I had the original, and it proved that they had messed with their copy.  That breaks the chain of evidence: they had no case at all.

(I still have a scan of that form.  Just in case …)

Share

This is [phishing] news?!?

We seem to be missing the boat on security awareness of phishing attacks: it’s not just for bank and credit card accounts anymore.  This article notes the “DHL,” “tax refund,” and similar queries.  I would have thought these were obvious, but they seem to be the most successful ways to get spear phishing and APT information.

Share

Security Transcends Slogans … or not …

I have just got off the phone with a marketroid.  In the course of our conversation (no, I usually don’t talk to them, but this turned our to be a special case), I was explaining to her about ISC2 and the CISSP.  She was puzzled by an annotation on my file with her company, and it wasn’t making sense in terms of what I did, and what their ERM/CRM system was saying about me.

When she looked at the ISC2 Website, during our conversation, she immediately noted the “Security Transcends Technology” slogan.  I dimly recall the great fanfare when this was introduced about 9 or ten years back: our (marketing department’s) proud statement that we were not mere technologists, but covered the whole realm of security.

Well, apparently that’s not what it says to some people.  The simple existence of the “technology” word in our slogan seems to trigger an immediate pegging of us as mere techies.  All of us CISSPs are just basic firewall admins.  We are not
transcendant.

Back to the marketing board … ?

Share

REVIEW: “Managing the Human Factor in Information Security”, David Lacey

BKMHFIIS.RVW   20120216

“Managing the Human Factor in Information Security”, David Lacey, 2009, 978-0-470-72199-5, U$50.00/C$55.00/UK#29.99
%A   David Lacey
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2009
%G   978-0-470-72199-5 0-470-72199-5
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$55.00/UK#29.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0470721995/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0470721995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470721995/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   374 p.
%T   “Managing the Human Factor in Information Security”

The preface states that the intent of the book is to identify and explain the range of human, organizational, and social challenges when trying to manage security in the current information and communications environment.  It is hoped this material will help manage incidents, risks, and design, and assist with promoting security systems to employees and management.  A subsidiary aim is to leverage the use of social networking.

Some aspects of security are mentioned among the indiscriminate stories in chapter one.  Chapter two has more tales, with emphasis on risks, and different people you encounter.  Generic incident response and business continuity material is in chapter three.  When you know the risk management literature, you can see where the arguments in chapter four come from.  (Yes, Donn, we know quantitative risk analysis is impossible.)  The trouble is, Lacey makes all of them, and therefore comes to no conclusion.  Chapter five has some points to make about different types of people, and dealing with them.  Unfortunately, it’s hard to extract the useful bits from the larding of stories and verbiage.  (Given the haphazard nature of the content, making practical application would be even more difficult.)  Aspects of corporate culture are discussed, in an unstructured fashion, in chapter six.  Chapter seven notes a number of factors that have appeared in successful security awareness programs, but doesn’t fulfill the promise of helping the reader design them.  Chapter eight is about changing organizational attitudes, so it’s an (equally random) extension of chapter six.  It also adds some more items on training programs.  Chapter nine is about building business cases.  Generic advice on creating systems is provided in chapter ten.  Some even broader advice on management is in chapter eleven.  A collection of some points from throughout the book forms a “conclusion.”

There are good points in the book.  There are points that would be good in one situation, and bad in another.  There is little structure in the work to help you find useful material.  There are stories about people, but not a survey of human factors.  Lacey uses lots of aphorisms throughout the text.  I am reminded of the proverb that if you can tell good advice from bad advice, you don’t need any advice.

copyright, Robert M. Slade   2012     BKMHFIIS.RVW   20120216

Share

Ignorance as a human (business?) right?

Rogers Communications Inc. is a company providing cable, cellular, and other services in Canada.

Rogers has a discount brand, Chatr, which they advertise as being “more reliable and less prone to dropped calls.”  Canada’s Competition Bureau, after what it called “an extensive review of technical data,” found no discernible difference in dropped-call rates between Rogers/Chatr and new entrants.

Apparently, Rogers will argue that the court should strike down a section in Canada’s Competition Act that requires companies to undergo “adequate and proper” tests of a product’s performance before making advertising claims about it.  In other words, Rogers is saying that forcing the company to find out if claims are true is unfair, because that means they can’t lie with a straight face.

Q: What is the difference between a computer salesman and a used-car salesman?

A: The used-car salesman knows when he’s lying to you …

Share

REVIEW: “Young People, Ethics, and the New Digital Media”

BKYPENDM.RVW   20120125

“Young People, Ethics, and the New Digital Media: A Synthesis from the
GoodPlay Project”, Carrie James et al, 2009, 978-0-262-51363-0
%A   Carrie James
%A   Katie Davis
%A   Andrea Flores
%A   John M. Francis
%A   Lindsay Pettingill
%A   Margaret Rundle
%A   Howard Gardner
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   2009
%G   978-0-262-51363-0 0-262-51363-3
%I   MIT Press
%O   +1-800-356-0343 fax: +1-617-625-6660 www-mitpress.mit.edu
%O  http://www.amazon.com/exec/obidos/ASIN/0262513633/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0262513633/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0262513633/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P
%T   “Young People, Ethics, and the New Digital Media”

It is not until more than a tenth of this book has passed before the authors admit that this is, in essence, only a proposal for a study which they hope will be carried out in future.  No actual research or interviews have been conducted, so there aren’t really any results to be reported.  The authors hypothesize that five factors are involved in “media-identity”: “privacy, ownership and authorship, credibility, and participation.”  (Yes, I agree that it looks like four factors, expressed that way.  But the authors repeatedly express it in exactly that way, and insist that it makes five.)

The authors note that social networking (or social media, or new digital media) is a frontier, and thus lacks comprehensive and well-enforced rules and regulations.  Social media permits and encourages “participatory cultures,” with relatively low barriers to artistic expression and “civic” engagement, strong support for creating and sharing creations, and some type of informal mentorship whereby what is  known by the most experienced is passed along to novices.  The goals of the project are to investigate the ethical values and structures of new media and to create entities to promote ethical thinking and conduct.

The project is also to focus on “play,” with a fairly broad definition of that term, including gaming, instant messaging, social networking, participation in fan fiction groups, blogging, and content creation including video sharing.  Some of these activities may lead to employment, but are undertaken without support, rewards, and constraints of adult supervisors, and without explicit standards of conduct and quality.  “Good play” is defined as online conduct that is both meaningful and engaging to the participant and responsible to others in the community in which it is carried out.

A number of questions are raised in this book, but few are answered in any way at all.  While there is some review of existing work in related areas, it is hardly comprehensive, convincing, or useful.  It is difficult to say what the intent of publishing this book was.

copyright, Robert M. Slade   2012     BKYPENDM.RVW   20120125

Share

Censorship with a broad brush

Just in case you have been hiding under a (Higgs or non-Higgs) rock for the past few weeks, TomKat is breaking up [1].  Tom Cruise is a highly visible Scientologist.  Many people have been commenting on possible Scientology aspects of the breakup.  Scientology seems to break out in a rash whenever anyone mentions the cult.

So, someone has provided a simple means for Scientologists to try and ensure that any mention of Scientology, or the event, or anything, is removed.

The main thrust of the instruction is that everybody will have a “code of conduct” on their Website, and every code of conduct will ban anything that “defames, degrades… an individual or group,” or something similar.  So, you just blanket object to everything on that basis.

I think it should work pretty well.  I’d say that, following Lord Northcliffe’s dictum that “News is what somebody, somewhere wants to suppress.  All the rest is advertising,” any interesting posting could be seen, by someone, as defaming or degrading some individual or group …

Of course, there are many other forms of censorship.  Here in Canada, the government is using funding cuts, threats of funding cuts, and even direct diplomatic office intervention, in order to to block theatrical performances it doesn’t like.

Share