Image from Philo Nordlund's Flickr stream under creative commons

• 1 – Familiarise yourself with both the privacy settings and the security policy of any social and professional networking sites you use. If you’re not happy with them, stop using the site.

 

• 2 – When you create your profile consider each piece of information that you share and whether if it is necessary or even relevant to that site. Do you need to share telephone numbers for example, maybe if your mail or direct messages come direct to your phone that is enough. Think practically don’t complete a form just because it is in front of you.

 

• 3 – When you share content, chat, mail or comment on other people’s posts or profiles never consider your communication to be personal or private. Even if you have made full use of the privacy settings available to you, you cannot be sure your content won’t be copy/pasted, downloaded or otherwise shared more widely without your knowledge.

 

• 4 – Most sites offer a means to reset your password should you forget it. This is also one of the most common ways to break into an account. If you are asked to provide answers to “Security questions” consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school”or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

 

• 5 – Do not use a single password for multiple different sites, that way if one is compromised you don’t have to worry about the others. Create complex passwords using upper and lower case letters, numbers and special characters such as $%&!. Devise a way to differentiate your password for each site you use, for example putting the first and last letters of the web site name at the beginning and end of your complex password. (Tip: the character £ does not feature in some automated tools for brute forcing passwords so it can be a good one to use.  To get that character on a non UK keyboard, hold down the Alt key and tap 0163).

 

• 6 – If you receive a friend request from someone you don’t know or recognise, contact them directly before you make the decision to add them to your circle of trust. Ask how they know you, and check they are legitimate. It’s not only your own privacy you are protecting, it’s also that of all your friends.

 

• 7 – Consider sorting your friends into groups, in many cases this will allow you to share specific content with specific groups only.

 

• 8 – Try to minimise the number of third party apps and services that you install or allow to access your account, learn how to remove or disallow them and get rid of any that you no longer use. Don’t forget even on Twitter once you authorise a service to access your account, that permission remains unless you manually remove it and it also persists through password changes.

 

• 9 – Don’t click links in messages or wall posts, even links sent to you by friends without checking first if the person intended to send it to you. The few moments it takes to check could save you from falling for a phishing scam or worse, infecting your computer. You could also be doing your friend a favour if you are letting them know their account is compromised and sending out links.

 

Image courtesy of alexkerhead's Flickr photostream

The helpful caller identified himself as working for a company called My PC Care and explained that he was a Microsoft Certified Professional. According to this bogus technician there are some pretty nasty files “more dangerous than viruses” doing the rounds, these files were so dangerous, he explained, that some 40% of Microsoft Windows users had “lost their computers”. As a result they were calling “all users of Microsoft Windows” (an ambitious task) to repair the damage before all was lost.
  
I played along with them and expressed concern that my computer might also fall victim, so the helpful technician began taking me through some entirely bogus “troubleshooting”. In brief I was asked to open the windows Event Viewer.  The scammer encouraged me first to look in the Application Log where he was sure I would find several Errors and Warnings. Lo and behold, he was correct. To be honest in all the years I have been involved in IT I have yet to see a Windows PC without errors and warnings in the Event Viewer, but of course these scammers are relying on the unfamiliarity of their victims and hope to scare them and add the same time gain credibility.
  
The engineer was very insistent that I should not click on or open any of these Error messages because “they are the malicious infections” warning in doom-laden tones that after about two weeks this would “crash my hard drive”. I was then asked to repeat this charade looking through various other Event Viewer logs, each time the dire predictions of impending disaster got worse.
  
My ever helpful technician-scammer guy suggested that now would be a good time to transfer me to his supervisor so that they could clean up these dangerous files once and for all and I agreed, anxious of course that my computer might be on the edge of silicon Armageddon. Unfortunately my fun was coming to an end, the supervisor wanted me to use the (entirely legitimate and very helpful) service LogMeIn.com  to permit their technicians remote access to my computer, at which point they would have been free to do whatever they liked. Of course I had to decline and hang up at that point.
  
So what is the point of this kind of scam you might ask? Well once you have granted remote access to your computer to a complete stranger, really they are free to do whatever they want install malicious software to steal information, look through modify or copy your personal files or in this case simply pretend to fix some non-existent problem charge you for the pleasure and then sell you a subscription to their services.
  
The scam seems to have started out in countries where English is a first language, but emboldened by their successes and perhaps hungry for more money it seems the scammers are constantly on the lookout for new targets, expect to see this showing up on a telephone near you soon.
  
Should you ever receive a call from anyone claiming to know that your PC is infected, or that you are having performance problems, just hang up; it’s a lot less painful than playing along. Remember also, just as a rule of thumb, never confirm anything, even your name, to anyone over the telephone until they have satisfied you of their integrity first.
 

picture from bradleygee's Flickr photostream under Creative Commons.

It means that if any user of Microsoft Windows opens a folder containing a shortcut which has been designed to exploit this vulnerability, they will be infected. No opening of files required, simple browsing is enough.

 
Although Microsoft have stated that “This vulnerability is most likely to be exploited through removable drives” users should be on their guard against all shortcut files whose authenticity they cannot guarantee. This same vulnerability could be exploited though contaminated file shares or something as simple as a malicious compressed archive such as a zip file.
 
Worryingly, the malware that was first exploiting this vulnerability appeared to be highly targeted, looking for Siemens WinCC SCADA systems, SCADA systems are routinely used in the control of utilities such as power and water and also in large-scale manufacturing. Siemens were warning their customers of this as early as July 14th.
 
The source code for this malware is now in open distribution, (and incorporated into the Metasploit framework) and we can expect to see widespread criminal adoption of this technique from this point.
 
For now the best defence against attacks is contained within the Microsoft Security Advisory; disable the displaying of icons for shortcuts and disable the WebClient service.
 
Further details on Trend Micro’s detection of the malware involved are available on the TrendLabs blog. Please be aware this is a breaking situation and further malware will take advantage of this same vulnerability.

• It’s not their speciality. They make widgets. And they have the staff they need to make, deliver, develop and support those widgets. Other people can do non-widget related activities better than they can;
• They don’t need the overhead, time commitment and complexity that employing all these extra people demands. Yes, they could hire their own cleaner, but it’s a lot simpler to get on the phone and let a cleaning agency take care of that;
• It’s a lot more cost-effective that way. Our widget company could invest in a worldwide fleet of planes, vans and delivery-people but that would be ludicrously expensive when they can phone a courier company and have them delivered for a few pounds a day.

 
So three very good reasons for outsourcing: better service, simplicity and cost. These lines of reasoning can easily be applied to IT. Outsourced IT can be better, simpler and cheaper. Yay, let’s go for it, say those hotheads in accounting.
 
Where this sort of analogy starts to fall down, however is in the risk assessment. If the cleaner doesn’t turn up, then it’s no big deal. If they don’t turn up on a regular basis, you fire the agency and get a new one. There might be a few more biscuit crumbs and sandwich remnants for the new cleaner to deal with, but no harm done, by and large.
 
If your outsourced IT services turn out to be useless, on the other hand, then the consequences could be pretty brutal. Your information could be exposed; you could lose access at a crucial moment or they could manage to lose the lot. You don’t want that to happen, because it could make you bankrupt or put you in prison.
 
But people don’t like risk-assessment, of course. It’s boring. It puts paid to a lot of exciting new things. It reminds you of your mum when you were five.
 
I hate to say it, though, but your mum was probably right.

Like all the big, crunchy questions, the answer is a lot more complex than initially seems possible.
 
You could take some sort of statistical approach – what proportion of businesses deploy antivirus software to their desktops? – and come up with a big number that implies ‘yes, it does’. (Or maybe not).
 
You could interview the CTOs of a representative sample of large organisations and ask them for more in-depth examples and views. Again, it’s pretty likely that you’ll come up with a positive picture.
 
However, those results are misleading in some respects. And I think that’s because the question involves two big abstract terms. ‘Business’ is an idea, not a person, so it doesn’t care about anything much. Security doesn’t appear on the mission statement, I’d be willing to wager. Nor would it be appropriate for it to be there. Alongside things like Health and Safety, environmentalism and equality of opportunities, it’s the sort of thing we expect businesses to care about, but we know it’s not their primary function. And does ‘business’ mean the board, the IT department or every single member of the organisation?
 
Similarly, ‘security’ is extremely slippery as an idea: we’re talking about systems, software, attitudes, processes and policy.
 
So to break it down: does Jon in logistics make sure his internet browser is patched* to the currently advised levels? No, he couldn’t care less. He’s got a big shipment that needs to be in Paris tomorrow – so don’t start messing with his machine right now, thank-you very much. But he does care –a lot – that his system works and that he doesn’t get in trouble.
 
What we keep arguing for is an holistic approach to security. That doesn’t mean that we need to persuade Jon that his patch levels need to be up-to-date. That isn’t going to happen. Sorry.
 
What it does mean is that the security and IT department are able to manage his security for him – all the time. It’s pretty much impossible for Jon to screw-up or for his machine to get compromised because the policies are baked into the processes and the technology.
 
What are your views on this? Voice your opinions on the Register’s Security That Fits Workshop before it closes later this month.
 

Bogus message from bogus app

Don't be tempted...

 

"Please click this link and make me some cold hard cash"

 
Unless of course you’re using Trend Micro, in which case you’ll see this…
 

Not on my watch, sonny Jim.

from zappowbang's photostream under creative commons

Data breach laws are starting to become a serious concern for businesses of all shapes and sizes. It’s already five years since California passed data breach disclosure laws, requiring companies to notify customers of security lapses. Since then almost all other US states have joined it, many opting for penalties that could potentially land companies with a likely loss of reputation and crippling fines if customer data is lost or stolen.

Ireland published proposed measures on the subject two weeks ago. Frankly, it’s only a matter of time before the UK follows suit either through its own legislation or that of the EU.
 
Over on the Register, we’ve been running a series of articles about what constitutes an appropriate level of security, with the impending arrival of data breach laws adding some urgency to the discussion.
 
A common reaction is to demand the encryption of backup files. This appeals to companies not only because it makes it a lot less likely that any lost information can be used – you could even argue that encrypted data doesn’t even count as ‘information’ at all, following the line that information is data you can act upon. But also, it’s especially appealing to companies because encrypted data is exempt from the disclosure requirements in many forms of this legislation. So the potential loss of reputation and customer trust is hopefully avoided.
 
Encryption is trickier than it looks, though. First of all, what kind of encryption are you going to use? Software encryption takes time – and for larger organisations, it’s possible that the rate of data production – the proliferation of stuff you’re supposed to be backing up – could quickly exceed the rate at which data can be encrypted. Hardware encryption of backups often looks more attractive as a result, but being tied to a particular vendor with no rescue plan for when they go under is a recipe for spectacular disaster. There’s some interesting advice on this topic in this post from Securosis.
 
Backup hardware on its own is already proving hard to manage when it comes to finding data from more than a couple of years ago. Have you still got a tape streamer that will fit the open-reel tapes and cartridges from the early noughties? Still got a computer with a SCSI card to fit the streamer onto? Still got the cable to put the two together? I’m sure sysadmins will be delighted when they’re told to add encryption to the mix.
 
Now let’s throw in key management. Exactly how secure does your encryption need to be? And how secure will today’s tapes need to be in five years, a not uncommon legal retention requirement. Who will have access to encryption keys and how will they, in turn, be secured? Once again, this needs a systematic approach. There needs to be a plan and a backup plan for when it all goes wrong. Needless to say, there are products that can help with this – but as always, they can only do so much if the strategy for their implementation and management is weak.
 
Anyway, El Reg is conducting a poll to detect current attitudes towards encrypting data. We’ll be really interested to see the results, so make sure you add your own voice over there – and let me know what you think here in the comments box, too.

Image from rednuht's Flickr photostream under Creative Commons

“With a push of a button the botmaster instructs all the computers to buy or sell the same shares at the same time.“

  
Of course the criminals behind the enterprise went on to profit from the sharp changes in stock price of the penny stocks that were being manipulated by buying and selling their own shares at exactly the right moments in classic pump-and-dump tactics.
  
Hein Lannoy from the Belgian Banking, Finance and Insurance Commission (CBFA) is quoted as stating, “After the hack in July 2007 no further similar incidents occurred in the country“. He goes on to say “In April 2009 we sent a circular regarding an improvement in the security standards of our financial institutions. Belgian online banking services are now very heavily protected. We have no jurisdiction to impose our standards on foreign banks in our country.”
  
However from conversations with a local journalist today it seems that many Belgian banks (in fact most banks globally) are still only offering classical two-factor authentication aimed at authenticating the user rather than the transaction. While this kind of technology would certainly thwart this bot in its current form it is not impossible to defeat. As I have previously blogged banking malware has already evolved to the stage where it can overcome multiple factor user authentication.
  
With this in mind it is vital that any improvment in online banking security should verify individual transactions rather than simply authenticate the user. The authentication token itself must be capable of accepting direct input relating to the content or the value of the transaction. This can then be verified by both parties and cannot be modified by the malicious “man in the browser”.
  
Belgian law enforcement are now working with their international counterparts to pursue the offenders.