Jul 10

Friday’s Wall Street Journal featured a page 1 article (unfortunately behind a subscription paywall – there is less detailed but free coverage here, and you can get the full WSJ article by searching Google News for “HSBC data theft”) on a massive theft of private banking client data from HSBC.  The thief was… wait for it… an HSBC infosec employee whose job it was to improve the security of the systems and databases holding that data.  Said employee then shopped the data around to a number of European tax authorities as well as to competing banks.  When the French police raided his parents’ home in France as part of the investigation into the theft, the data was turned over to the French tax people, resulting in the collection of 1 billion euros from les tax evadeurs.  Now the French tax people are sharing this treasure trove of data with their colleagues in other countries, who also expect to collect lots of back taxes.

Of course, the guy at the center of this claims he was not in it for the money – he wanted to point out flaws in HSBC security, or help catch tax evaders, or was working for intelligence services.  (He can’t seem to decide which story to go with…) In any event, he denies any illegal activity and stated that he copied the data to his personal computers and offsite servers as part of his normal work.  HSBC states that it is against company policy to copy such data to non-HSBC computers.

The story is quite interesting and raises a number of questions for security pros, organizations and law enforcement (as well as folks who like to stash their cash out of sight of the tax man).

Is France’s use of the ill-gotten data, and its further distribution of what is in effect stolen property, a legitimate tool for government authorities? While there is a social good in collecting these taxes from the rich tax evaders, is this benefit outweighed by the message it sends vis-à-vis the rule of law?

Why was this very sensitive data not protected by some sort of DLP solution, or even just old-fashioned auditing and log review on the database server? Someone reviewing the database audit log and seeing this guy run SELECT * against a sensitive client table was all that would have been needed to detect this crime.

Why did this employee even have access to this data? I can’t see how his job function (in a properly designed technical and procedural environment) required the ability to view and copy database information.  Changes to and testing of security for that database should have been done in a separate QA environment using test data, and then staged to production by another party.
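An added example, not code from the original post or from HSBC, of the “old-fashioned auditing and log review” that would have caught this: a handful of rules run over constructed database audit lines (the line format, role names, table names and thresholds are assumptions, modelled on a generic DB audit trail). It flags a security or DBA role reading client tables in production at all, a bulk or SELECT * read of a sensitive table, and such a read outside business hours, and it deliberately ignores the same SELECT * against a QA copy holding test data, which is where that kind of testing belongs.

```python
import re
from datetime import datetime

# Constructed sample audit trail (not real bank logs). The line format, role
# names and table names are assumptions modelled on a generic DB audit log.
SAMPLE_AUDIT_LOG = """\
2010-03-02 09:14:05 user=app_svc role=application host=10.10.1.20 db=private_banking stmt="SELECT name, balance FROM clients WHERE client_id=4471" rows=1
2010-03-02 09:16:41 user=secops1 role=secadmin host=10.10.5.9 db=private_banking stmt="SELECT * FROM clients" rows=24000
2010-03-02 22:03:12 user=secops1 role=secadmin host=10.10.5.9 db=private_banking stmt="SELECT * FROM accounts" rows=31000
2010-03-02 10:02:33 user=dba01 role=dba host=10.10.5.4 db=private_banking stmt="ALTER TABLE clients ADD COLUMN kyc_status VARCHAR(8)" rows=0
2010-03-02 11:45:00 user=report_svc role=reporting host=10.10.1.30 db=private_banking stmt="SELECT COUNT(*) FROM accounts" rows=1
2010-03-02 13:20:09 user=secops2 role=secadmin host=10.10.5.12 db=qa_banking stmt="SELECT * FROM clients" rows=500
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) user=(?P<user>\S+) role=(?P<role>\S+) host=(?P<host>\S+) '
    r'db=(?P<db>\S+) stmt="(?P<stmt>[^"]*)" rows=(?P<rows>\d+)$')

SENSITIVE_TABLES = {'clients', 'accounts'}   # tables holding client data
PRODUCTION_DBS = {'private_banking'}         # QA copies with test data are not in this set
NO_DATA_NEED_ROLES = {'secadmin', 'dba'}     # may change schema and controls, never read rows
BULK_ROW_THRESHOLD = 1000
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59 local time


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%d %H:%M:%S')
    rec['rows'] = int(rec['rows'])
    return rec


def tables_read(stmt):
    """Table names after FROM/JOIN in a SELECT (crude, but enough for audit review)."""
    if not stmt.lstrip().upper().startswith('SELECT'):
        return set()
    return {t.lower() for t in re.findall(r'\b(?:FROM|JOIN)\s+([A-Za-z_]\w*)', stmt, re.I)}


def check_record(rec):
    """Names of the rules one audit record trips (empty list if clean)."""
    hits = []
    touched = tables_read(rec['stmt']) & SENSITIVE_TABLES
    if not touched or rec['db'] not in PRODUCTION_DBS:
        return hits                          # schema changes, or reads of QA test data, are fine
    if rec['role'] in NO_DATA_NEED_ROLES:
        hits.append('privileged-role-reads-prod-data')
    if rec['rows'] >= BULK_ROW_THRESHOLD:
        hits.append('bulk-read-sensitive-table')
    if re.search(r'\bSELECT\s+\*', rec['stmt'], re.I):
        hits.append('select-star-sensitive-table')
    if rec['ts'].hour not in BUSINESS_HOURS:
        hits.append('off-hours-sensitive-read')
    return hits


def review_audit_log(text):
    """Return (timestamp, user, statement, rules) for every line that trips a rule."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = check_record(rec)
        if hits:
            alerts.append((rec['ts'].isoformat(' '), rec['user'], rec['stmt'], hits))
    return alerts


if __name__ == '__main__':
    for ts, user, stmt, rules in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f'{ts} {user}: {stmt!r} -> {", ".join(rules)}')
```

Run against the sample, only the two secadmin reads of production tables come back, the second one also tagged as off-hours; the application, reporting and DBA activity, and the SELECT * in the QA database, stay quiet. The point is not the regex but the rule set: the role-based rule fires on the first row returned, long before anything reaches a personal computer.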

My final question is one for the security community… Where does our fiduciary duty to our employers end and our responsibility as citizens start? In this case, I think that the HSBC employee was clearly in the wrong.  HSBC was offering a service to its clients which is perfectly legal under Swiss law.  The users of the service had a responsibility to report their income to their taxation authorities under the current regime.  If the employee had a problem with the world of private banking, he should have gotten into a new line of work rather than resorting to theft.  As for his claimed pure motives, I would have a lot less trouble believing him had he not shopped the data to competing banks.  I’d also point out that it would have been reasonable for him to expect some sort of remuneration from the tax authorities for his “aid” in collecting lost revenue.  His stories just don’t seem to add up.

It is important to note that this is not a problem unique to HSBC – the lapses that led to this data theft are extremely common across all industries.  Heck, even the US military has data stolen through loopholes in data protection policies (and Lady Gaga).

This case is a great learning opportunity for security and risk professionals – organizations need to remember that security personnel are human and need to have appropriate controls placed on their systems access as well.  In most organizations, the Internal Audit group can provide this oversight.  Smaller organizations may need to resort to periodic reviews of internal security by an external consultant.  In any case, make sure someone is watching the watchers!

Update 2010-07-10 – Just noticed that US tax authorities are “ramping up” their investigation into whether HSBC marketed tax evasion services to US clients.  Now, if they did engage in this activity, shame on them.  However, even if the allegations are found to be true, that does not transform a data theft by a person in a position of trust into something else.  Had the employee involved simply contacted the authorities with his concerns, they could have obtained the data themselves.  And his shopping the data to competitors still sticks in my craw.

Jul 08

Wanna be friends?

You can never have too many friends – or CAN you?  (Hint: you can).   A recent social engineering experiment conducted by Thomas Ryan of Provide Security showed the dangers of blindly accepting connection requests from people on social networks.  Ryan set up multiple social network profiles for a fictitious person named Robin Sage who supposedly worked in US military intelligence circles.  “Robin” then sent connection requests to a variety of people in the security and intel communities (people who should know better, in other words).  The result?  In an interview with CSO Magazine, he stated that:

By the end of the 28-day experiment, Robin finished the month having accumulated hundreds of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences, said Ryan.

More alarmingly, according to an article from DarkReading,

Robin actually duped an Army Ranger into friending her. The Ranger then inadvertently exposed information about his coordinates in Afghanistan to Robin with his uploaded photos from the field that contained GeoIP data from the camera.

Can you spell “bad operational security?”

Ryan will be presenting all of his findings from the Robin Sage experiment in a talk at Black Hat later this month – it should be quite entertaining for most and deeply embarrassing for a few.
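The DarkReading quote says the Ranger’s field photos carried location data from the camera; what a camera actually writes is GPS coordinates in the photo’s Exif metadata (a GPS IFD inside the TIFF structure of the JPEG’s APP1 segment). The following is an added example, not code from the original post, from Ryan’s experiment, or from any camera vendor: it walks a JPEG’s marker segments, parses the Exif GPS tags and returns decimal coordinates, which is the check to run on a photo before it goes anywhere near a social network. The JPEG it parses is constructed by build_geotagged_jpeg(); the coordinates are arbitrary test values, not anyone’s position.

```python
import struct

# Tag numbers and field types from the Exif/TIFF specification.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _ifd_entries(tiff, e, off):
    """Yield (tag, type, count, value_or_offset) for each entry of the IFD at off."""
    n = struct.unpack_from(e + 'H', tiff, off)[0]
    for i in range(n):
        yield struct.unpack_from(e + 'HHII', tiff, off + 2 + 12 * i)


def extract_gps(tiff):
    """Return (lat, lon) in signed decimal degrees from a TIFF/Exif block, or None."""
    endian = {b'II': '<', b'MM': '>'}.get(tiff[:2])
    if endian is None:
        raise ValueError('not a TIFF header')
    ifd0 = struct.unpack_from(endian + 'I', tiff, 4)[0]
    gps_off = next((v for t, _, _, v in _ifd_entries(tiff, endian, ifd0) if t == TAG_GPS_IFD), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, val in _ifd_entries(tiff, endian, gps_off):
        if typ == TYPE_ASCII:
            # values of 4 bytes or fewer are stored inline in the offset field
            raw = struct.pack(endian + 'I', val)[:count] if count <= 4 else tiff[val:val + count]
            fields[tag] = raw.rstrip(b'\x00').decode('ascii')
        elif typ == TYPE_RATIONAL:
            fields[tag] = [n / d for n, d in
                           (struct.unpack_from(endian + 'II', tiff, val + 8 * i) for i in range(count))]
    if GPS_LAT not in fields or GPS_LON not in fields:
        return None

    def degrees(dms, ref):
        d, m, s = dms
        value = d + m / 60 + s / 3600
        return -value if ref in ('S', 'W') else value

    return (degrees(fields[GPS_LAT], fields.get(GPS_LAT_REF, 'N')),
            degrees(fields[GPS_LON], fields.get(GPS_LON_REF, 'E')))


def gps_from_jpeg(jpeg):
    """Walk the JPEG marker segments and pull GPS out of the Exif APP1 segment, if any."""
    if jpeg[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG')
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI or start of scan: no more metadata segments
            break
        seglen = struct.unpack_from('>H', jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b'Exif\x00\x00'):
            return extract_gps(body[6:])
        pos += 2 + seglen
    return None


def build_geotagged_jpeg(lat, lon):
    """Constructed test input: a JPEG shell (SOI, Exif APP1, EOI) whose Exif carries a GPS IFD."""
    def rationals(value):
        value = abs(value)
        d = int(value)
        m = int((value - d) * 60)
        s = int(round((value - d - m / 60) * 3600 * 100))
        return struct.pack('<IIIIII', d, 1, m, 1, s, 100)      # degrees, minutes, seconds/100
    gps_ifd = 26                                  # header (8) + IFD0 with one entry (18)
    data = gps_ifd + 2 + 4 * 12 + 4               # GPS IFD: count, four entries, next-IFD pointer
    lat_ref = b'N\x00\x00\x00' if lat >= 0 else b'S\x00\x00\x00'
    lon_ref = b'E\x00\x00\x00' if lon >= 0 else b'W\x00\x00\x00'
    tiff = (b'II*\x00' + struct.pack('<I', 8)
            + struct.pack('<HHHIII', 1, TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd, 0)
            + struct.pack('<H', 4)
            + struct.pack('<HHI', GPS_LAT_REF, TYPE_ASCII, 2) + lat_ref
            + struct.pack('<HHII', GPS_LAT, TYPE_RATIONAL, 3, data)
            + struct.pack('<HHI', GPS_LON_REF, TYPE_ASCII, 2) + lon_ref
            + struct.pack('<HHII', GPS_LON, TYPE_RATIONAL, 3, data + 24)
            + struct.pack('<I', 0)
            + rationals(lat) + rationals(lon))
    app1 = b'Exif\x00\x00' + tiff
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1 + b'\xff\xd9'
```

gps_from_jpeg() works on real camera output too: open the file in binary mode and pass the bytes. If it returns anything other than None, the photo tells whoever downloads it where it was taken.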

There are some lessons to be learned from this incident for those of us who are not in the military:

If you get a friend/connection request from someone you don’t know, don’t blindly accept it. When you bring someone into your online network, you are also granting them access to information about you (contact information, status updates, photos, etc.) as well as about your organization (in the case of professional networking sites like LinkedIn).

Just because a “new friend” is already connected to some of your current friends does not mean that you should connect to them. All it takes is one careless connection to start an “avalanche of (misplaced) trust” and give an evildoer lots of information about yourself and your organization.  Trust me – I have seen this happen.  You know who you are.

Review the privacy settings for your social networking accounts and be sure that you are aware of, and comfortable with, the information that is shared with the public at large and with your “friends.” The privacy settings in Facebook and LinkedIn are rather complex.  I recommend using a privacy scanner tool to keep an eye on who can see what on your profiles… I really like one called Privacy Defender for Facebook, which allows you to easily see and modify who can and cannot see your info.  For LinkedIn, it seems like the only way to manage your privacy is manually via the Settings menu; it is sort of a pain, but the explanations provided by the site are pretty good.

And Robin Sage ain’t your friend.

PS – “Robin Sage” is the name of the final training exercise that Army Special Forces candidates must complete before they truly earn their Green Berets – and none of the military folks (including at least one Ranger) caught on.  Sigh…

Jul 05

Watch where you stick your thumb (drive)

From Risky.Biz… Customers at some convenience stores got a bit more than they bargained for when they used photo printing kiosks.  It seems that some kiosks at “Big W” stores run Windows.  And they don’t run antivirus.  And everyone and their brother brings their USB sticks (some of them infected) to the stores to print.  You can see where this is going… the infected Fuji kiosks have been dispensing malware to the USB sticks of customers.   The company is aware of the issue and is “currently testing” installing antivirus on the kiosks.  Hel-lo – the 1980s called and asked for their security policy back!

If you are partaking of the photo printing goodness of any such kiosk, or sticking your USB drive into strange ports (I don’t judge…), make sure that you are running the very latest anti-malware software on any of your own computers where you use said storage peripheral.

Jun 29

Got my nose? Well give it back, punk!

Anyone who knows me knows that I am not a “kid person.”  To me, all babies (except for YOURS, of course) look like the offspring of Winston Churchill and a lizard.  And they all (except YOURS) seem to emit a plethora of unpleasant sounds, odors, and substances.  My wife reminds me every once in a while that I, too, entered the world as a baby, but I am becoming more and more convinced of the impossibility of this.

Well, it seems that my antipathy towards babies has been vindicated, folks – it turns out that today’s babies could grow up to be the next generation of terrorists!  According to Rep. Louie Gohmert (R, TX), those wily terrorists have been sending women to the US in order to have babies, which are then whisked back to Al Qaeda-run Gymborees (complete with US citizenship) where they would be trained to wreak terroristic havoc on their (legal) return to the US in, oh, 20 years and destroy our way of life.  I knew it!  I’m glad that there are courageous Americans like Rep. Gohmert who understand where the real threat to our nation lies – in cribs!

Jun 03

Apple, you're killing me!

If you ask people in my office what they hate about me, one of the items that is sure to show up on quite a few (long and varied) lists is my stubborn refusal to clear iPhones and iPads as corporate devices.   Well, my stubbornness has been vindicated twice over…

First, a security researcher found that connecting a stock iPhone 3GS to a system running Ubuntu Linux gives read and write access to much of the content on the phone without having to enter the 4-digit phone PIN.

Now, Apple, in claiming that its flagship product is enterprise ready, tells us that the iPhone 3GS offers hardware-based encryption and uses AES 256-bit encoding to try to protect all data on the device, and that encryption is always enabled and cannot be disabled by users.   I guess that the Apple version of AES just happens to replace every character with the same exact character…

This morning the situation developed further: research by Heise Security in Germany showed that it was possible to gain complete access to all data on some iPhone 3G and 3GS handsets by connecting to them from a Windows system.  The trick does not work every time on every phone, and it is still unclear exactly which conditions cause the vulnerability to manifest itself.  When it does work, this vuln allows the attacker to create an iTunes backup of all of the information on the device.  Not good.


May 31

Your browser is a dirty stinkin rat.  There… I said it.  According to research conducted by the Electronic Frontier Foundation (EFF), most browsers have telltale fingerprints which can be used by web site owners to uniquely identify visitors to their sites even if cookies are disabled, or the visitor is coming from behind a NATting firewall.   

The Panopticlick software developed by the EFF researchers looks at a wide variety of information which a web site can gather from any visiting client.  By combining a number of these seemingly innocuous pieces of information, a client fingerprint can be calculated:

  • Browser and plugin versions
  • Configuration options
  • ACCEPT headers
  • Screen resolution
  • Fonts
  • Time zones
  • MIME types

The EFF collected its data via a website which it set up and publicized, so we can assume that the data they collected came from people who are interested in their privacy.  Despite this self-selected sample, the findings do not bode well for privacy on the Internet:

  • Overall, the browsers of 83.6% of all visitors to the test site had unique fingerprints.
  • If a browser had Adobe Flash or the Java Virtual Machine enabled, there was a 94.2% chance that its fingerprint was unique.
  • Since the fingerprints are based on browser configuration settings, they can change rapidly.  However, the researchers were able to detect changed fingerprints and tie them back to the original fingerprint in 99.1% of cases via a simple matching heuristic.
  • Some good news for mobile device users – iPhone and Android based browsers had more uniform fingerprints and were harder to differentiate from one another due to the lack of plugins and options available.  However, as mobile browsers become more sophisticated, this technique may become applicable to these browsers on the go.  Also, it is important to note that the mobile browsers do not have good ways to control cookies, leaving them open to cookie-based tracking.
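An added example, not the EFF’s Panopticlick code or data, of the arithmetic behind these figures, run over a constructed population of six browsers (four distinct desktops and two identically configured iPhones). The fingerprint is a hash of the canonical attribute string; uniqueness is the share of fingerprints nobody else has; each attribute value’s identifying power is its surprisal in bits (-log2 of the fraction of the population sharing it); and a changed fingerprint is re-linked to its predecessor if only one attribute differs, which is a simplified stand-in (an assumption here) for the EFF’s matching heuristic.

```python
import hashlib
import math
from collections import Counter

# Attribute classes the EFF site collects; each browser is a dict with these keys.
ATTRIBUTES = ('user_agent', 'plugins', 'accept', 'screen', 'fonts', 'timezone', 'mime_types')

# Constructed sample population (not EFF data): four distinct desktop browsers and
# two iPhones that, having no plugins and no font list, look identical.
SAMPLE_POPULATION = [
    {'user_agent': 'Firefox/3.6 Windows NT 6.1', 'plugins': 'Flash 10.1;Java 1.6', 'accept': 'en-US,en;q=0.5',
     'screen': '1280x800x24', 'fonts': 'Arial;Calibri;Verdana', 'timezone': '300', 'mime_types': 'application/x-shockwave-flash'},
    {'user_agent': 'MSIE 8.0 Windows NT 6.1', 'plugins': 'Flash 10.1', 'accept': 'en-US',
     'screen': '1920x1080x32', 'fonts': 'Arial;Tahoma', 'timezone': '300', 'mime_types': 'application/x-shockwave-flash'},
    {'user_agent': 'Safari/533 Mac OS X 10.6', 'plugins': 'Flash 10.1;QuickTime 7.6', 'accept': 'en-US',
     'screen': '1440x900x24', 'fonts': 'Helvetica;Arial', 'timezone': '300', 'mime_types': 'application/x-shockwave-flash;video/quicktime'},
    {'user_agent': 'Firefox/3.6 X11 Linux', 'plugins': '', 'accept': 'de-DE,de;q=0.8',
     'screen': '1024x768x24', 'fonts': 'DejaVu Sans', 'timezone': '-60', 'mime_types': ''},
    {'user_agent': 'Mobile Safari iPhone OS 4_0', 'plugins': '', 'accept': 'en-US',
     'screen': '320x480x32', 'fonts': '', 'timezone': '300', 'mime_types': ''},
    {'user_agent': 'Mobile Safari iPhone OS 4_0', 'plugins': '', 'accept': 'en-US',
     'screen': '320x480x32', 'fonts': '', 'timezone': '300', 'mime_types': ''},
]


def fingerprint(browser):
    """Stable hash of the canonical attribute string: the 'fingerprint'."""
    canonical = '|'.join(f'{k}={browser.get(k, "")}' for k in ATTRIBUTES)
    return hashlib.sha1(canonical.encode('utf-8')).hexdigest()


def unique_fraction(population):
    """Share of browsers whose fingerprint no one else in the population has."""
    counts = Counter(fingerprint(b) for b in population)
    return sum(1 for b in population if counts[fingerprint(b)] == 1) / len(population)


def surprisal_bits(attribute, value, population):
    """Identifying bits of one attribute value: -log2 of the share of the population
    sharing it.  A value never seen before is counted as rare as 1 in N."""
    matches = sum(1 for b in population if b.get(attribute, '') == value)
    return -math.log2(max(matches, 1) / len(population))


def attribute_entropy(population):
    """Bits of entropy each attribute contributes across the population, most identifying first."""
    n = len(population)
    result = {}
    for attr in ATTRIBUTES:
        counts = Counter(b.get(attr, '') for b in population)
        result[attr] = -sum(c / n * math.log2(c / n) for c in counts.values())
    return sorted(result.items(), key=lambda kv: kv[1], reverse=True)


def likely_same_browser(earlier, later):
    """Re-link a changed fingerprint to its predecessor if at most one attribute differs.
    Simplified assumption standing in for the EFF's more detailed matching rules."""
    changed = [k for k in ATTRIBUTES if earlier.get(k, '') != later.get(k, '')]
    return len(changed) <= 1
```

On this sample two thirds of the browsers are unique, a plugin list of “none” is worth one bit (three of six share it) while a particular screen geometry seen once is worth log2(6) bits, and a Java point-release upgrade changes the hash but is still linked back to the same browser. Swap in real collected attributes and the same functions give you the numbers the EFF reports.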

In related work, researchers from an Austrian university have found that they were able to identify by name many users of Xing, a social networking site in Germany.  The researchers first collected information on 6,500 groups and their 1.8 million members.  By simply analyzing the overlaps in group memberships, they were able to discern the identities of 42% of the users.  They next created a web site which, when visited, examined the browser history of the visitor.  Of the 26 test subjects they enlisted, the identities of 15% were revealed simply by visiting the site.  Xing has updated its software to protect against these types of attacks, but other sites may still be vulnerable.

So… what does this all mean?  Well, first of all, marketers and site owners have a new tool to track visitors, including those who have disabled cookies (in order to avoid such tracking).   Second of all, these techniques provide scammers and malware authors with a way to track their victims’ web activity without leaving telltale traces.  On the bright side, these fingerprinting techniques could also be used for good purposes, such as providing an additional level of authentication for banking and other sensitive web sites (and there is evidence that this is already being done, although mostly using cookies).  Law enforcement could use these techniques during investigations, although given the politics of many nations, this could be a really bad thing as well.  The EFF wants policymakers to expand their definition of personally identifiable information to include fingerprintable records – I think that this is a topic worthy of discussion.  I also think that browser designers need to work on this problem from a technical point of view.

Want to cover your tracks?  Well, you could block JavaScript – this provides pretty good protection against the techniques the EFF used, but at a cost in terms of web site usability and functionality.  You could start using Torbutton to route your web traffic via anonymizing proxies.  You could use your iPhone or Android phone to do all your web surfing.  None of these solutions is ideal.

So… another nail in the coffin of privacy…

May 13

We security professionals tend to underestimate our own vulnerability to threats like phishing. Here is a really good article by Cory Doctorow, who is most definitely not an Internet novice, explaining how all of the wrong stars came into alignment to make him fall for a phishing attempt. Worth reading, especially if you think you are “smart enough” to recognize and avoid phishers’ bait.

- Posted using BlogPress from my iPad

Apr 23

Public enemy #1?

Stories of data breaches have become annoyingly normal, so when Affinity Health Plans announced the accidental disclosure of personal information on over 400,000 employees, former employees, customers, applicants and business partners, most security folk just sighed, thanked their lucky stars that they didn’t work for that particular company and moved on. However, this breach was different than many of the other data losses that have been in the news recently.

Unlike your standard lost or stolen laptop or misplaced USB thumb drive, this breach resulted from the return of a leased multifunction copier to its owner. Like most business copiers, this one had a hard drive on which copies of documents copied, faxed or scanned were retained. When the copier was returned to the leasing company, Affinity failed to scrub the hard drive of this stored information, which “may have included Social Security Numbers, dates of birth and medical information,” according to a company press release.

The risk to the people whose information was found on this particular copier is actually quite small; the documents were found on one of four copiers purchased by a CBS News investigation team in NJ.  The other three copiers’ hard drives contained data from the Buffalo, NY Police Department (Narcotics and Sex Crimes related documents) and a construction company (building plans, checks, pay stubs and employee info).  However, the records described in this disclosure represent only a tiny fraction of the sensitive information routinely disposed of without proper security measures when copiers are sold or returned to lessors.

Affinity (and, I would assume, the other organizations whose data was found) has started taking corrective actions, such as inventorying its copiers to identify those with onboard storage, finding any other copiers which may have been returned to vendors recently, and making arrangements to ensure that devices are scrubbed before they are returned to vendors.

These types of data breaches are eminently avoidable;  manufacturers of multifunction devices such as Xerox and Sharp provide security software for their products which implements encryption and secure deletion of stored documents.  By making sure that your devices come with these features and properly configuring them, you can plug this potentially damaging and embarrassing hole in your information security defenses.

So, what are the takeaways for security professionals?

First, take a look at your existing multifunction copiers and make sure that they are equipped with the manufacturer’s security software and that the security features are properly configured and active.

Next, make sure that your organization’s specifications for the purchase or lease of copier/scanner/printer devices require security features such as encryption of stored information as well as the ability to securely erase all information from the hard drive.

Then, make sure that the configuration process for new multifunction copiers includes setting the security options properly.

Now, add these devices to the list of things with blinking lights that are examined during security assessments.  While you are at it, remember that these devices have network interfaces as well as upgradable software which could have vulnerabilities.  Are you patching your multifunction devices?

Finally, have a process for decommissioning multifunction devices which includes wiping all data from them before they are returned to lessors, sold, donated or recycled.
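An added example (not code from the original post, from Affinity, or from any copier vendor) of the last step: before a leased unit goes back, pull or image its drive, read it back, and confirm nothing is left. The functions work on a raw image file or a block device; the sample image they run on is constructed, with two SSN-shaped numbers that are not real. The wipe is a single zero pass, chosen because the read-back can prove it happened; the vendor’s secure-erase feature (or ATA Secure Erase on the bare drive) is the better primary tool, and this script is the independent check of its result.

```python
import os
import re
import tempfile

SSN_RE = re.compile(rb'\b\d{3}-\d{2}-\d{4}\b')   # SSN-shaped strings, as found on the returned copier
OVERLAP = 12                                      # longer than one match, so boundary-spanning hits count


def scan_image(path, chunk_size=1 << 20):
    """Stream a raw disk image or block device and count what is still there:
    bytes that are not zero, and SSN-shaped strings in the raw bytes."""
    nonzero = 0
    ssn_like = 0
    tail = b''
    with open(path, 'rb') as f:
        while True:
            buf = f.read(chunk_size)
            if not buf:
                break
            nonzero += len(buf) - buf.count(b'\x00')
            window = tail + buf
            # count only matches ending inside buf; those ending in tail were counted last round
            ssn_like += sum(1 for m in SSN_RE.finditer(window) if m.end() > len(tail))
            tail = buf[-OVERLAP:]
    return {'nonzero_bytes': nonzero, 'ssn_like': ssn_like}


def wipe_image(path, chunk_size=1 << 20):
    """Overwrite every byte with zeros in place, keeping the size unchanged; returns the size."""
    with open(path, 'r+b') as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()                          # works for files and (on Linux) block devices
        f.seek(0)
        remaining = size
        while remaining:
            n = min(chunk_size, remaining)
            f.write(b'\x00' * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def verify_wiped(path):
    """True only if a full read-back finds no non-zero byte."""
    return scan_image(path)['nonzero_bytes'] == 0


def make_sample_image():
    """Constructed stand-in for a copier drive image: two scanned-form fragments with
    SSN-shaped numbers (not real), padded with zeros.  Returns the temp file path."""
    record = b'Member: J. Sample  SSN 123-45-6789  DOB 1960-01-01  Dx: see attached\n'
    record2 = b'Applicant: M. Example  SSN 987-65-4321\n'
    fd, path = tempfile.mkstemp(suffix='.img')
    with os.fdopen(fd, 'wb') as f:
        f.write(b'\x00' * 4096 + record + b'\x00' * 2048 + record2 + b'\x00' * 4096)
    return path


def decommission_check(chunk_size=1 << 20):
    """Create the sample image, scan it, wipe it, scan again; return both reports."""
    path = make_sample_image()
    try:
        before = scan_image(path, chunk_size)
        size_before = os.path.getsize(path)
        wiped = wipe_image(path)
        after = scan_image(path, chunk_size)
        return {'before': before, 'after': after,
                'size_kept': wiped == size_before and os.path.getsize(path) == size_before,
                'verified': verify_wiped(path)}
    finally:
        os.remove(path)


if __name__ == '__main__':
    print(decommission_check())
```

For a real unit, image the drive first (so the scan is evidence of what was on it), run scan_image() on the image, hand the drive to the vendor’s secure-erase process, then run verify_wiped() on the drive itself before it leaves the building.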

As the non-computer devices in our offices and homes get more intelligent, they also become more interesting to attackers.  As an infosec professional, you should find them more interesting too – before your organization makes the news.

Mar 25

Have I got a deal for you...

Every day, I get at least 5 emails from vendors wanting to set up a meeting or web demo of their latest and greatest product as soon as possible.  Of these, two or three will be totally unrelated to security.  The rest are security related, but almost all of the messages are obviously canned (some with the wrong salutation as a result of mail merge errors).  The vendors sending them have no idea what my company does (no, I don’t care about PCI compliance as we are an institutional brokerage) and tend to be from obscure companies.  I usually ignore these messages, and block the sender from further contact.

Every once in a while, a vendor does something to distinguish themselves from the pack… the other day, a salesman for a vendor who shall remain nameless sent me a canned “I would like to arrange a meeting with you” message, which I opened, looked at and deleted.  There must have been a web bug in the html, because this email was followed by a message which stated that the salesman “noticed I had read the email” and reiterated the request for a meeting.   Bzzzzzt!

I find this kind of behavior invasive and creepy and that particular vendor will need to be offering a machine that turns water into gasoline before I will want to talk to them ever again – and I would insist on a different salesperson.   It is one thing if I visit your web site, provide my contact information and give you permission to email me, but to spam me and then spy on me puts you and your company on the fast track to al-blivion as far as I am concerned.

Salespeople, I understand that you guys have a tough job and that recent economic conditions have made that job tougher.  But please realize that sending spam (while quite effective for dodgy pharmaceutical sales, offers of great wealth from Nigerian princes and attempts to infect PCs with malware) is not how to sell enterprise security products that cost tens or hundreds of thousands of dollars.  Want to sell to me?  Get a good reputation and good PR – I will find you.  If you are going to contact me, take a few minutes to learn something about my company before you email.  And don’t cold call me – all I can think of when I get a cold call from a salesman is Jack Lemmon in Glengarry Glen Ross.

Rant over…
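The “noticed I had read the email” trick is a web bug: an <img> in the HTML whose src points at the vendor’s server and carries a token unique to the recipient, so the image fetch logs who opened what and when. Here is an added example, not from the original post or from the vendor, that parses a constructed marketing message (the hosts use the reserved .invalid domain and the token values are made up) and flags remotely loaded images that are tiny or hidden, or that carry a long query token. Blocking remote images in your mail client is the actual fix; this is the check that shows what would have been loaded.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message (not the vendor's real mail): a company logo plus a
# 1x1 tracking image whose URL carries a per-recipient token.
SAMPLE_EMAIL = """\
From: sales@example-vendor.invalid
To: ciso@example-brokerage.invalid
Subject: Quick meeting to discuss your security needs?
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://www.example-vendor.invalid/img/logo.png" width="200" height="60" alt="logo">
<p>Hi {FirstName}, I would like to arrange a meeting with you...</p>
<img src="http://track.example-vendor.invalid/open.gif?rid=8f3c2a9d17&c=q2push" width="1" height="1" style="display:none">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == 'img':
            self.images.append({k.lower(): (v or '') for k, v in attrs})


def _is_tiny_or_hidden(img):
    dims = [img.get('width', ''), img.get('height', '')]
    hidden = 'display:none' in img.get('style', '').replace(' ', '').lower()
    return hidden or all(d.strip().rstrip('px') in ('0', '1') for d in dims)


def find_web_bugs(raw_message):
    """Return every remotely loaded image in the message, flagging those that look like
    tracking beacons: tiny or hidden, and/or carrying a unique-looking query token."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != 'text/html':
            continue
        collector = ImageCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            url = urlparse(img.get('src', ''))
            if url.scheme not in ('http', 'https'):
                continue                         # inline cid:/data: images cannot phone home
            tokens = {k: v for k, v in parse_qs(url.query).items() if any(len(x) >= 8 for x in v)}
            tiny = _is_tiny_or_hidden(img)
            findings.append({'host': url.hostname, 'tiny_or_hidden': tiny,
                             'tokens': tokens, 'tracking': tiny or bool(tokens)})
    return findings


if __name__ == '__main__':
    for f in find_web_bugs(SAMPLE_EMAIL):
        print(f)
```

Run on the sample, the logo comes back as a plain remote image and the 1x1 open.gif with its ten-character rid is flagged as tracking; feed it a saved .eml from your own inbox and you will see which of your vendors are watching.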

Mar 16

According to this article from CSO Magazine’s web site, “several security execs expressed surprise” that the CISO of the Commonwealth of Pennsylvania found himself unemployed after giving a talk at the RSA Security Conference describing a cyber security incident at his state’s motor vehicle agency without getting prior approval.  As a CSO myself, I don’t understand why anyone is surprised – I think that this firing was pretty easy to predict and, unfortunately, deserved.

Yes, the incident that the CSO talked about was pretty minor – it involved what sounds like an application error that allowed some people to jump the line when scheduling driving tests – but that is not the point.  Like most organizations, Pennsylvania’s government has a policy requiring employees to get prior approval before disclosing official matters.  I am sure that the CSO was aware of this policy, and as a security professional and a C-level employee he had a dual responsibility in this matter – to follow policies like any other employee and to set an example for others in his organization to follow in security matters.   He also had a responsibility to protect the image of his organization… at the very least, before speaking about this kind of an incident in public, he should have made sure that management was on board and that there was a public relations plan for any negative blowback.

Could this incident have been discussed in public without the need for firing?  I think so, although the final decision should have come from management.  Had the CSO given them a chance to weigh in, his participation in the RSA panel could have been a positive event for the DMV – showing lessons learned and all that.

If this particular CSO reported to me, I would have some serious questions about their judgment and their ability to safeguard confidential information.    I think it would be really difficult to regain that trust after this kind of incident.

Don’t get me wrong – I feel badly that this person was fired – this was probably one negative incident in a career filled with accomplishment and service.  But in the end, he made the choice that ended his employment.

OK – I just can’t resist one thing…  The “Security on this site” page of the DMV’s website recommends the use of Netscape Navigator 4.7 or IE 5.0 or greater as secure browsers and then goes on to tout the agency’s use of the “most recent versions of security software”…  DOH!
