Corporate Security

“Poor” decisions in management?

I started reading this article just for the social significance.  You’ve probably seen reports of it: it’s been much in the media.

However, I wasn’t very far in before I came across a statement that seems to have a direct implication to all business management, and, in particular, the CISSP:

“The authors gathered evidence … and found that just contemplating a projected financial decision impacted performance on … reasoning tests.”

As soon as I read that, I flashed on the huge stress we place on cost/benefit analysis in the CISSP exam.  And, of course, that extends to all business decisions: everything is based on “the bottom line.”  Which would seem to imply that hugely important corporate and public policy decisions are made on the worst possible basis and in the worst possible situation.

(That *would* explain a lot about modern business, policy, and economics.  And maybe the recent insanity in the US Congress.)

Other results seem to temper that statement, and, unfortunately, seem to support wage inequality and the practice of paying obscene wages to CEOs and directors: “… low-income people asked to ponder an expensive car repair did worse on cognitive-function tests than low-income people asked to consider cheaper repairs or than higher-income people faced with either scenario.”

But it does make you think …

Google’s “Shared Endorsements”

A lot of people are concerned about Google’s new “Shared Endorsements” scheme.

However, one should give credit where credit is due.  This is not one of Facebook’s functions, where, regardless of what you’ve set or unset in the past, every time they add a new feature it defaults to “wide open.”  If you have been careful with your Google account in the past, you will probably find yourself still protected.  I’m pretty paranoid, but when I checked the Shared Endorsements setting page on my accounts, and the “Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads” box is unchecked on all of them.  I can only assume that it is because I’ve been circumspect in my settings in the past.

The Common Vulnerability Scoring System

Introduction

This article presents the Common Vulnerability Scoring System (CVSS) Version 2.0, an open framework for scoring IT vulnerabilities. It introduces metric groups, describes base metrics, vector, and scoring. Finally, an example is provided to understand how it works in practice. For a more in depth look into scoring vulnerabilities, check out the ethical hacking course offered by the InfoSec Institute.

Metric groups

There are three metric groups:

I. Base (used to describe the fundamental information about the vulnerability—its exploitability and impact).
II. Temporal (time is taken into account when severity of the vulnerability is assessed; for example, the severity decreases when the official patch is available).
III. Environmental (environmental issues are taken into account when severity of the vulnerability is assessed; for example, the more systems affected by the vulnerability, the higher severity).

This article is focused on base metrics. Please read A Complete Guide to the Common Vulnerability Scoring System Version 2.0 if you are interested in temporal and environmental metrics.

Base metrics

There are exploitability and impact metrics:

I. Exploitability

a) Access Vector (AV) describes how the vulnerability is exploited:
– Local (L)—exploited only locally
– Adjacent Network (A)—adjacent network access is required to exploit the vulnerability
– Network (N)—remotely exploitable

The more remote the attack, the more severe the vulnerability.

b) Access Complexity (AC) describes how complex the attack is:
– High (H)—a series of steps needed to exploit the vulnerability
– Medium (M)—neither complicated nor easily exploitable
– Low (L)—easily exploitable

The lower the access complexity, the more severe the vulnerability.

c) Authentication (Au) describes the authentication needed to exploit the vulnerability:
– Multiple (M)—the attacker needs to authenticate at least two times
– Single (S)—one-time authentication
– None (N)—no authentication

The lower the number of authentication instances, the more severe the vulnerability.

II. Impact

a) Confidentiality (C) describes the impact of the vulnerability on the confidentiality of the system:
– None (N)—no impact
– Partial (P)—data can be partially read
– Complete (C)—all data can be read

The more affected the confidentiality of the system is, the more severe the vulnerability.

+b) Integrity (I) describes an impact of the vulnerability on integrity of the system:
– None (N)—no impact
– Partial (P)—data can be partially modified
– Complete (C)—all data can be modified

The more affected the integrity of the system is, the more severe the vulnerability.

c) Availability (A) describes an impact of the vulnerability on availability of the system:
– None (N)—no impact
– Partial (P)—interruptions in system’s availability or reduced performance
– Complete (C)—system is completely unavailable

The more affected availability of the system is, the more severe the vulnerability.

Please note the abbreviated metric names and values in parentheses. They are used in base vector description of the vulnerability (explained in the next section).

Base vector

Let’s discuss the base vector. It is presented in the following form:

AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]

This is an abbreviated description of the vulnerability that brings information about its base metrics together with metric values. The brackets include possible metric values for given base metrics. The evaluator chooses one metric value for every base metric.

Scoring

The formulas for base score, exploitability, and impact subscores are given in A complete Guide to the Common Vulnerability Scoring System Version 2.0 [1]. However, there in no need to do the calculations manually. There is a Common Vulnerability Scoring System Version 2 Calculator available. The only thing the evaluator has to do is assign metric values to metric names.

Severity level

The base score is dependent on exploitability and impact subscores; it ranges from 0 to 10, where 10 means the highest severity. However, CVSS v2 doesn’t transform the score into a severity level. One can use, for example, the FortiGuard severity level to obtain this information:

FortiGuard severity level CVSS v2 score
Critical 9 – 10
High 7 – 8.9
Medium 4 – 6.9
Low 0.1 – 3.9
Info 0

Putting the pieces together

An exemplary vulnerability in web application is provided to better understand how Common Vulnerability Scoring System Version 2.0 works in practice. Please keep in mind that this framework is not limited to web application vulnerabilities.

Cross-site request forgery in admin panel allows adding a new user and deleting an existing user or all users.

Let’s analyze first the base metrics together with the resulting base vector:

Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)

Confidentiality (C): None (N)
Integrity (I): Partial (P)
Availability (A): Complete (C)

Base vector: (AV:N/AC:M/Au:N/C:N/I:P/A:C)

Explanation: The admin has to visit the attacker’s website for the vulnerability to be exploited. That’s why the access complexity is medium. The website of the attacker is somewhere on the Internet. Thus the access vector is network. No authentication is required to exploit this vulnerability (the admin only has to visit the attacker’s website). The attacker can delete all users, making the system unavailable for them. That’s why the impact of the vulnerability on the system’s availability is complete. Deleting all users doesn’t delete all data in the system. Thus the impact on integrity is partial. Finally, there is no impact on the confidentiality of the system provided that added user doesn’t have read permissions on default.

Let’s use the Common Vulnerability Scoring System Version 2 Calculator to obtain the subscores (exploitability and impact) and base score:

Exploitability subscore: 8.6
Impact subscore: 7.8
Base score: 7.8

Let’s transform the score into a severity level according to FortiGuard severity levels:

FortiGuard severity level: High

Summary

This article described an open framework for scoring IT vulnerabilities—Common Vulnerability Scoring System (CVSS) Version 2.0. Base metrics, vector and scoring were presented. An exemplary way of transforming CVSS v2 scores into severity levels was described (FortiGuard severity levels). Finally, an example was discussed to see how all these pieces work in practice.

Dawid Czagan is a security researcher for the InfoSec Institute and the Head of Security Consulting at Future Processing.

Bank of Montreal online banking insecurity

I’ve had an account with the Bank of Montreal for almost 50 years.

I’m thinking that I may have to give it up.

BMO’s online banking is horrendously insecure.  The password is restricted to six characters.  It is tied to telephone banking, which means that the password is actually the telephone pad numeric equivalent of your password.  You can use that numeric equivalent or any password you like that fits the same numeric equivalent.  (Case is, of course, completely irrelevant.)

My online access to the accounts has suddenly stopped working.  At various times, over the years, I have had problems with the access and had to go to the bank to find out why.  The reasons have always been weird, and the process of getting access again convoluted.  At present I am using, for access, the number of a bank debit card that I never use as a debit card.  (Or even an ATM card.)  The card remains in the file with the printed account statements.

Today when I called about the latest problem, I had to run through the usual series of inane questions.  Yes, I knew how long my password had to be.  Yes, I knew my password.  Yes, it was working until recently.  No, it didn’t work on online banking.  No, it didn’t work on telephone banking.

The agent (no, sorry, “service manager,” these days) was careful to point out that he was *not* going to ask me for my password.  Then he set up a conference call with the online banking system, and had me key in my password over the phone.

(OK, it’s unlikely that even a trained musician could catch all six digits from the DTMF tones on one try.  But a machine could do it easily.)

After all that, the apparent reason for the online banking not working is that the government has mandated that all bank cards now be chipped.  So, without informing me, and without sending me a new card, the bank has cancelled my access.  ( I suppose that is secure.  If you are not counting on availability, or access to audit information.)

(I also wonder, if that was the reason, why the “service manager” couldn’t just look up the card number and determine that the access had been cancelled, rather than having me try to sign in.)

I’ll probably go and close my account this afternoon.

Has your email been “hacked?”

I got two suspicious messages today.  They were identical, and supposedly “From” two members of my extended family, and to my most often used account, rather than the one I use as a spam trap.  I’ve had some others recently, and thought it a good opportunity to write up something on the general topic of email account phishing.

The headers are no particular help: the messages supposedly related to a Google Docs document, and do seem to come from or through Google.  (Somewhat ironically, at the time the two people listed in these messages might have been sharing information with the rest of us in the family in this manner.  Be suspicious of anything you receive over the Internet, even if you think it might relate to something you are expecting.)

The URLs/links in the message are from TinyURL (which Google wouldn’t use) and, when resolved, do not actually go to Google.  They seem to end up on a phishing site intended to steal email addresses.  It had a Google logo at the top, and asked the user to “sign in” with email addresses (and passwords) from Gmail, Yahoo, Hotmail, and a few other similar sites.  (The number of possible Webmail sites should be a giveaway in itself: Google would only be interested in your Google account.)

Beware of any messages you receive that look like this:

——- Forwarded message follows ——-
Subject:            Important Documents
Date sent:          Mon, 5 Aug 2013 08:54:26 -0700
From:               [a friend or relative]

*Hello,*
*
How are you doing today? Kindly view the documents i uploaded for you using
Google Docs CLICK HERE <hxxp://tinyurl.com/o2vlrxx>.
——- End of forwarded message ——-

That particular site was only up briefly: 48 hours later it was gone.  This tends to be the case: these sites change very quickly.  Incidentally, when I initially tested it with a few Web reputation systems, it was pronounced clean by all.

This is certainly not the only type of email phishing message: a few years ago there were rafts of messages warning you about virus, spam, or security problems with your email account.  Those are still around: I just got one today:

——- Forwarded message follows ——-
From:               “Microsoft HelpDesk” <microsoft@helpdesk.com>
Subject:            Helpdesk Mail Box Warning!!!
Date sent:          Wed, 7 Aug 2013 15:56:35 -0200

Helpdesk Mail Support require you to re-validate your Microsoft outlook mail immediately by clicking: hxxp://dktxxxkgek.webs.com/

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your Microsoft outlook mail account was accessed by a third party. Protecting the security of your Microsoft outlook mail account is our primary concern, we have limited access to sensitive Microsoft outlook mail account features.

Failure to re-validate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.

Help Desk
Microsoft outlook Team
——- End of forwarded message ——-

Do you really think that Microsoft wouldn’t capitalize its own Outlook product?

(Another giveaway on that particular one is that it didn’t come to my Outlook account, mostly because I don’t have an Outlook account.)

(That site was down less than three hours after I received the email.

OK, so far I have only been talking about things that should make you suspicious when you receive them.  But what happens if and when you actually follow through, and get hit by these tricks?  Well, to explain that, we have to ask why the bad guys would want to phish for your email account.  After all, we usually think of phishing in terms of bank accounts, and money.

The blackhats phishing for email accounts might be looking for a number of things.  First, they can use your account to send out spam, and possibly malicious spam, at that.  Second, they can harvest email addresses from your account (and, in particular, people who would not be suspicious of a message when it comes “From:” you).  Third, they might be looking for a way to infect or otherwise get into your computer, using your computer in a botnet or for some other purpose, or stealing additional information (like banking information) you might have saved.  A fourth possibility, depending upon the type of Webmail you have, is to use your account to modify or create malicious Web pages, to serve malware, or do various types of phishing.

What you have to do depends on what it was the bad guys were after in getting into your account.

If they were after email addresses, it’s probably too late.  They have already harvested the addresses.  But you should still change your password on that account, so they won’t be able to get back in.  And be less trusting in future.

The most probable thing is that they were after your account in order to use it to send spam.  Change your password so that they won’t be able to send any more.  (In a recent event, with another relative, the phishers had actually changed the password themselves.  This is unusual, but it happens.  In that case, you have to contact the Webmail provider, and get them to reset your password for you.)  The phishers have probably also sent email to all of your friends (and everyone in your contacts or address list), so you’d better send a message around, ‘fess up to the fact that you’ve been had, and tell your friends what they should do.  (You can point them at this posting.)  Possibly in an attempt to prevent you from finding out that your account has been hacked, the attackers often forward your email somewhere else.  As well as changing your password, check to see if there is any forwarding on your account, and also check to see if associated email addresses have been changed.

It’s becoming less likely that the blackhats want to infect your computer, but it’s still possible.  In that case, you need to get cleaned up.  If you are running Windows, Microsoft’s (free!) program Microsoft Security Essentials (or MSE) does a very good job.  If you aren’t, or want something different, then Avast, Avira, Eset, and Sophos have products available for free download, and for Windows, Mac, iPhone, and Android.  (If you already have some kind of antivirus program running on your machine, you might want to get these anyway, because yours isn’t working, now is it?)

(By the way, in the recent incident, both family members told me that they had clicked on the link “and by then it was too late.”  They were obviously thinking of infection, but, in fact, that particular site wasn’t set up to try and infect the computer.  When they saw the page asked for their email addresses and password, it wasn’t too late.  if they had stopped at that point, and not entered their email addresses and passwords, nothing would have happened!  Be aware, and a bit suspicious.  It’ll keep you safer.)

When changing your password, or checking to see if your Web page has been modified, be very careful, and maybe use a computer that is protected a bit better than your is.  (Avast is very good at telling you if a Web page is trying to send you something malicious, and most of the others do as well.  MSE doesn’t work as well in this regard.)  Possibly use a computer that uses a different operating system: if your computer uses Windows, then use a Mac: if your computer is a Mac, use an Android tablet or something like that.  Usually (though not always) those who set up malware pages are only after one type of computer.

(Photo) Copyist’s error?

Students of the classics and ancient documents are used to checking for copyist errors, but a photocopier?

And, of course, you can’t trust the machine to check the copy against the original, since it will probably make the same mistake every time.

Actually, with absolutely everything in the world going digital, this type of problem is becoming inevitable, and endemic.  Analogue systems have problems, but digital systems are subject to catastrophic collapse.

REVIEW: “Intelligent Internal Control and Risk Management”, Matthew Leitch

BKIICARM.RVW   20121210

“Intelligent Internal Control and Risk Management”, Matthew Leitch, 2008, 978-0-566-08799-8, U$144.95
%A   Matthew Leitch
%C   Gower House, Croft Rd, Aldershot, Hampshire, GU11 3HR, England
%D   2008
%G   978-0-566-08799-8 0-566-08799-5
%I   Gower Publishing Limited
%O   U$114.95 www.gowerpub.com
%O  http://www.amazon.com/exec/obidos/ASIN/0566087995/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0566087995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0566087995/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   253 p.
%T   “Intelligent Internal Control and Risk Management”

The introduction indicates that this book is written from the risk management perspective of the financial services industry, with a concentration on Sarbanes-Oxley, COSO, and related frameworks.  There is an implication that the emphasis is on designing new controls.

Part one, “The Bigger Picture,” provides a history of risk management and internal controls.  Chapter one asks how much improvement is possible through additional controls.  The author’s statement that “[w]hen an auditor, especially an external auditor, recommends an improvement control it is usually with little concern for the cost of implementing or operating that control [or improved value].  The auditor wants to feel `covered’ by having recommended something in the face of a risk that exists, at least in theory” is one that is familiar to anyone in the security field.  Leitch goes on to note that there is a disparity between providing real value and revenue assurance, and the intent of this work is increasing the value of business risk controls.  The benefits of trying quality management techniques, as well as those of quantitative risk management, are promoted in chapter two.   Chapter three appears to be a collection of somewhat random thoughts on risk.  Psychological factors in assessing risk, and the fact that controls have to be stark enough to make people aware of upcoming dangers, are discussed in chapter four.

Part two turns to a large set of controls, and examines when to use, and not to use, them.  Chapter five introduces the list, arrangement, and structure.  Controls that generate other controls (frequently management processes) are reviewed in chapter six.  For each control there is a title, example, statement of need, opening thesis, discussion, closing recommendation, and summary relating to other controls.  Most are one to three pages in length.  Audit and monitoring controls are dealt with in chapter seven.  Adaptation is the topic of chapter eight.  (There is a longer lead-in discussion to these controls, since, inherently, they deal with change, to which people, business, and control processes are highly resistant.)  Chapter nine notes issues of protection and reliability.  The corrective controls in chapter ten are conceptually related to those in chapter seven.

Part three looks at change for improvement, rather than just for the sake of change.  Chapter eleven suggests means of promoting good behaviours.  A Risk and Uncertainty Management Assessment (RUMA) tool is presented in chapter twelve, but, frankly, I can’t see that it goes beyond thinking out alternative courses of action.  Barriers to improvement are noted in chapter thirteen.  Roles in the organization, and their relation to risk management, are outlined in chapter fourteen.  Chapter fifteen examines the special needs for innovative projects.  Ways to address restrictive ideology are mentioned in chapter sixteen.  Seven areas that Leitch advises should be explored conclude the book in chapter seventeen.

A number of interesting ideas are presented for consideration in regard to the choice and design of controls.  However, the text is not a guidebook for producing actual control systems.

copyright, Robert M. Slade   2013   BKIICARM.RVW   20121210

A virus too big to fail?

Once upon a time, many years ago, a school refused to take my advice (mediated through my brother) as to what to do about a very simple computer virus infection.  The infection in question was Stoned, which was a boot sector infector.   BSIs generally do not affect data, and (and this is the important point) are not eliminated by deleting files on the computer, and often not even by reformatting the hard disk.  (At the time there were at least a dozen simple utilities for removing Stoned, most of them free.)

The school decided to cleanse it’s entire computer network by boxing it up, shipping it back to the store, and having the store reformat everything.  Which the store did.  The school lost it’s entire database of student records, and all databases for the library.  Everything had to be re-entered.  By hand.

I’ve always thought this was the height of computer virus stupidity, and that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

“In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network.

“They isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $170,000 worth of computers, cameras, mice, etc.”

The only reason they *stopped* destroying computer equipment and devices was because they ran out of money.  For the destruction process.

Malware is my field, and so I often sound like a bit of a nut, pointing out issues that most people consider minor.  However, malware, while now recognized as a threat, is a field that extremely few people, even in the information security field, study in any depth.  Most general security texts (and, believe me, I know almost all of them) touch on it only tangentially, and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing happening again.

 

Lest you think I exaggerate any of this, you can read the actual report.