Monthly Archive

This is the archive of the blog! Feel free to browse around!

Terra Securities files for bankruptcy

Terra Securities closes all operations. So what, you may say, who are they?

Since you most likely do not follow what is going on in Norway, a quick update is in order.

### 

A couple of weeks back, the news broke that four small municipalities had invested in a hedge fund brokered by a Norwegian investment broker, Terra Securities. Not only had they spent their cash on the investment, they had borrowed a large amount of cash to do so (about 10 million USD).

Why? The Terra Securities salesman had shown them the prospectus of a US-based, high-risk investment opportunity. However, the translation removed some of the information, leaving the high profit in and the high risk out. So the municipalities claim that they only saw a great opportunity, not a risky or even shady business.

So let us review this. A bank approaches you with a highly profitable investment opportunity. DING-DING! High profit means high risk. So be careful, right?

Next, the bank tells you that this opportunity is so good that it offers you a huge loan so you can make a big investment. DING-DING!!! How is the bank making money? By lending money. By charging fees. By skimming your investment returns.

So, unless you are an avid investor who knows your way around gearing and other financial tools, you would back down and walk away, right? Most of us would.

But as always, some of us are dumber than others.  

And it may seem like the more stupid amongst the Norwegian population are located in the North, in four small municipalities that have lost some 100 million USD. The number might double according to some reports. A large amount of cash for most of us, and certainly for these municipalities.

I am amazed. OK, the bank most likely did break the law when marketing the hedge funds (marketing hedge funds is illegal in Norway). And the salesman most likely did push harder than he should have. But still, I bet the bell was ringing long and hard, and that he was the sales hero that year!

### 

So - for Terra Securities, this has gone from bad to worse.

What started as a pushy sale has evolved into a nightmare. During the couple of weeks this has been in the media, the not-so-smart politicians turned the tables and collected support from the media. You know:

"How could we know? We are poor, normal people. We do not know anything about investments!"

And the media bought it. And kicked Terra Securities. And again, I am amused. The politicians clearly admit their error: making a stupid investment using borrowed cash. Still, they blame everything on Terra.

"They should have known. They should have told us!"

Wrong. They are about making money. Not by making you a profit, but by making you buy their products. Which you did, both their lending services AND their investment services. A great sale, I would argue.

You see, being a municipality means that you are responsible for your actions. It means you must accept that responsibility. You cannot invest millions of dollars one day, and then cry and blame your partner when you lose your money. That is just wrong. Stupid. Childish!

One of the first principles of investment is to never invest more than you are willing to (or can afford to) lose. That is your responsibility, not your bank's.

If I had done the same type of investment, I would have to accept the loss and move on. So should you.

###

This is it for now - I will keep sharing my opinion on this stupidity.


NSB halts all trains due to fire in signaling system

NSB, the Norwegian State Railway company, somehow managed to run their signaling center without redundancy.

So - why care?

The signaling center is where all track and train signals are collected, analyzed and controlled, i.e. where the red and green lights are managed. You know, the lights that tell the train driver whether he can move or must halt his train. In order to avoid crashing.

So you would think that the signaling center is a key element in keeping the trains running safely. You might even think that the signaling center is business critical. And I would agree fully.

But NSB does not agree. Or their security people lack the imagination to picture the signaling center failing. Or the money people decided that the cost of setting up a redundant solution is way too high compared to the risk.

We will certainly know during the next few weeks.

Because last night, the main communication cable system caught fire, and the signaling center lost communication. At the moment, we do not know whether this was an accident or deliberate, as in France. But there are no strikes going on here in Norway, so it might well be accidental.

The fire has brought all trains to a full stop, creating chaos in the Oslo region. Still, the NSB representative does not think they need a redundant solution.

I am surprised. I would expect a business critical system like this to have its backups, redundancy and contingency systems. That it would not be possible for one small fire to shut down all operations of the company.

I mean, that is simply plain stupidity. 

What can you learn from this?

Accidents DO happen. Secure your business critical systems adequately.  

Lebanon news update - the Presidential election

A quick update for the current situation in Lebanon arrived at my desk today:

### 

The Parliamentary session for the election of a new President of the Republic of Lebanon has been decided on Friday 23 November 2007, the last constitutional deadline.
 
While Syria and Iran are pushing towards a President that would serve their interests, the US and the EU are supporting the democratic choice of the parliamentary majority, i.e. to choose a 'national' president, who would normally have good relations with the West.
 
The third option, which is being discussed, is the worst case-scenario: a political void with no President elected, no government formed and no Parliament, leading to a new civil war.
 
Security measures are at their highest this week to ensure that no violence erupts.
 
A successful election of a President 'made in Lebanon' is meaningful to the Middle East region, which is boiling at this point, in the sense that Lebanon, this small country, is trying to stand independent from the 'Axis of Evil', as the first true democratic Arab country.

###

 

Can you trust the Security Pros?

Over the last week, three cases of information security professionals breaking the law have emerged. Two in the US, and one in Europe.

The European one, Roberto Preatoni, is surrounded by speculation. What we know is that he was arrested by Italian police in connection with an industrial espionage case dating back a couple of years.

The US cases include John Kenneth Schiefer, a 26-year-old security pro. This guy has been convicted of hacking in the past, and lately he served as a network security pro in LA. This time, he is charged with installing and managing a botnet of approximately 137,000 computers.

The question I pose is: can you really trust your security professional? How do you evaluate their work? Do you have the means to control what they actually do? Or do you just close your eyes and believe that, as the professionals they are, you can trust them blindly?

In New York, Western Express International, a company run by the Western Express Cybercrime group, is charged with money laundering and illegal money transactions. The company provided hackers and credit card fraudsters with a way to receive and launder their money stream. The company is not a security company, I agree, but as a seemingly legitimate business, the case clearly shows that the business model of the cyber criminals is evolving.

It seems like the cyber criminals, security professionals or not, have a complete infrastructure to follow their money through the vertical: from the fraud, through payment solutions, routed through laundering tools, and into their legal accounts. Just like organized criminals have been doing for decades.

I do not believe many security pros have a leg on the other side. We do know that some do, and these are usually easy to spot and take out.

It surely does get easier by the day to get your hands on hacking tools, including full payment and laundering facilities. We need to focus more attention on this area of security. As long as it is easy to do, and you get away with a profit, the problem will not go away.

Farewell Privacy, says Donald Kerr

Wow, this is crazy. This deputy director must be a lunatic. We are moving fast towards a society where multinational corporations safeguard my private data.

Because I should no longer expect anonymity.

All my personal secrets will be revealed and kept in safe storage at the local governmental office, and (notice: not OR) at any corporation that believes it needs to cater for my privacy.

"Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information."

And we all know just how safely corporations keep my secrets. Like TJX. And just about any other corporation out there.

I do not like it. I still want to keep my door closed when I go to the toilet. You see, I expect anonymity, even if you all know what I am doing in there. And I would like things to continue that way. So no thank you, Mr. Kerr, I will not give up my anonymity so you can control my privacy.

Thanks to Bruce who brought this news to my attention.

Security Profile: Andy "ITGuy" Willingham


One of the first times I came across Andy was when I made a mistake. A huge one. And although the mistake was not about Andy, he reacted like a mad dog and told me exactly what he thought of me. In his own words:

You are one cold hearted fellow.

 

He got my attention right away! Then, only a short time after that, he told me:

 

Kai, I think you are confused.

 

And these two episodes show very well who Andy is: straight to the point; fearless if he thinks you are wrong, dishonest or evil; standing up for his friends and the weak. Andy speaks his mind, and I just love that!

 

In our later discussions and comments, it has become pretty clear that Andy and I are much closer in our view of the world than at first glance. And the very fact that Andy accepted this profiling of him tells you a bit about him (no, not only that he is attracted to attention!).

 

He is able to walk the talk.

 

Andy's blog was also noted as one of the most influential security blogs of 2007 by IT-security. And true to himself, Andy is incredibly humble about it all (I know I would kick and scream and yell high and long if I were on such a list). But, equally true to him, he was the first commenter on the post, so I am not the only one running a search bot for my name!

 

Unlike some of the previous Security Profiles, Andy is not able to identify the moment he opened his eyes to security:

 

“I'm not sure I can pinpoint any one event. It just happened over time. As I learned more about computers and networks I saw things that people did that put the company at risk. It was also a time when the big name viruses were running rampant.

 

It amazed me how they worked and why they were successful on some systems and networks and why others kept them at bay. I started reading more about security and it really grabbed my interest. So I started focusing my career in that direction.”

 

Andy has a technological background, like many security people I know. And he is focused on user awareness and training:

 

“Information Security is about much more than just technology and even about more than protecting your data and network. It is about changing the way people think. A program that focuses on technology will fail, just as one that focuses solely on people will fail. It takes a well balanced combination of focus on both.“

 

And have you found that balance yet?

 

“We know that technology will work to a certain level and then we can either ignore people and throw more technology at the problem; or we can strive to teach people how to be safe. When we are successful at training our employees then everybody wins. They work safer and smarter and when they go home they also live safer and smarter. “

 

Do you have any examples of how to approach this?

 

“We have to get across to them that security is about more than surfing the web and checking email in a safe manner. It's about who they interact with online, on the phone and in person. It's about learning when and where to talk about business related matters. On the phone while riding on a crowded bus isn't the time to do so.

 

 

Business and management focus

 

On his LinkedIn profile, you can read that Andy is a CISSP. He is pursuing a CISM, and would like a PMP. It is safe to assume that Andy is not only an IT security geek, but also a managerial guy. His interest in project management gives that away pretty fast.

 

Andy, what impact does security have on business?

 

“Security touches EVERY part of a business. If done properly it can really be an enabler but if done improperly it can cause major problems.

Since it does affect everything it's hard to narrow down the Key impacts. They vary from business to business and industry to industry. What is key is finding out what is needed and what works for your particular situation.

 

It is time to bring on the challenges! So let us hear what Andy considers the challenges in the security sector!

 

  • The first challenge is knowing what to do with security.
    Too many companies look at security as being the "necessary evil". They have security staff because it is required but they don't know how to really use them. They lack a plan for how to integrate security into the overall business plan. So therefore they throw technology at a problem without really considering the impact. Will it work as planned? Will it cause more problems than it solves? Will it be something that we have the time and expertise to maintain? What else do we currently have in use that may serve the same purpose? All of these need to be answered when looking at a security problem.
  • The second challenge is developing a good User Awareness Program.
    Most of the ones out there are dull and boring. They also are "cookie cutter" one size fits all solutions. They don't take into account different learning styles and they don't give you good relevant information in a format that you can use throughout the year. Getting something every quarter isn't enough. It needs to come out at least monthly and it needs to be able to be delivered in a variety of formats. PDF, MP3, Video, email, etc...
  • The third problem is qualified security staff.
    There are too many people who really don't know what they are doing. They look for "best practices" and then that is what they do. Another of my pet peeves is the whole concept of best practices. Again, what works for you may not work for me. Companies need to hire and/or train their staff so that they understand security and how to make security work in their environment. You may be a great Cisco firewall engineer but if you don't know how to think outside of the sample configs that Cisco provides then you aren't the one I want managing my firewall.

 

Andy started blogging because he wanted to have a place to express his thoughts and opinions on security.

 

“Hopefully someone else will gain something from what I have to say.”

 

Andy, there is a whole bunch of people out there, including myself, who gain quite a lot from what you are saying!

Thank you for the profile!

 

Andy’s blog

 

Maxtor hard disks come with virus preinstalled

The time has come to suspect any new hard disk you buy and install in your systems. According to this article, 1800 Maxtor disks of 500 GB come with a bonus off the shelf.

If you install the disks, you get a virus too. Actually, as soon as you pick one up in the store, you get the virus. It is already installed on the device.

According to the article, the virus will upload any and all data on the device to two online databases. Also according to the article, most disks of this size are bought by governmental agencies. And thus, the Chinese must have installed the virus. (The newspaper is in Taipei.)

Obviously this kind of automatic backup solution is not in the best interest of its customers, so Seagate-Maxtor has pulled the disks from the market.

The interesting part, in my opinion, is that this kind of virus is not caught by AV scanners. One reason is the low volume (number of infected devices). Another reason is that the device is likely to be installed, presumed clean, and just put into action. Not until the AV client installed on the server starts its weekly scan will the virus be detected, IF and only IF the signature of the virus is in the AV client.

What can you learn from this?

  • Never trust ANY hardware you bring into your perimeter.
  • ALWAYS check EVERYTHING you install in your systems and network, in a safe environment. For hard drives, that means testing, low-level formatting and signing them off in a secure, non-connected environment. You do have that, right?
  • As security gets tighter, threats evolve and find other ways to get to you. It is a long time since boot-sector viruses traveled by floppy. But if slow distribution is the easiest, most cost-efficient way to hit you, that is how it will be done.
  • Targeted attacks are increasingly common. We are leaving the days where the goal was to hit as many as possible. The goal today is cash, not attention.

Technology gets increasingly more advanced. But the technical understanding seems to decrease. The result is companies investing large amounts in technology without understanding the potential damage that very technology may cause when it is not doing what they expected, or when it opens them up to threats.
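The "check everything before you install it" step above can be made routine. The Python below is an added example, not code from the original post: on an isolated, non-networked machine with the new drive mounted read-only, it inventories every file, compares the result with the vendor's published manifest, and refuses the unit if anything executable or an autorun.inf has appeared. The vendor files, the planted payload and the manifest are all constructed inside the script so it runs offline; the suffix list and the verdict rules are this example's assumptions, not a vendor's.

```python
import hashlib
import tempfile
from pathlib import Path

# File types with no business on a blank retail drive. autorun.inf is singled
# out because Windows of that era would run whatever it pointed at as soon as
# the drive was attached. (Assumed list for this example.)
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".inf"}


def sha256_of(path: Path) -> str:
    """Hash one file in chunks so large drives do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(mount_point: Path) -> dict:
    """Map every file under the (read-only) mount point to its SHA-256."""
    return {
        path.relative_to(mount_point).as_posix(): sha256_of(path)
        for path in sorted(mount_point.rglob("*"))
        if path.is_file()
    }


def audit(actual: dict, expected: dict) -> dict:
    """Compare the drive's contents with the vendor's manifest and give a verdict."""
    unexpected = sorted(set(actual) - set(expected))
    missing = sorted(set(expected) - set(actual))
    modified = sorted(p for p in actual.keys() & expected.keys() if actual[p] != expected[p])
    suspicious = sorted(
        p for p in unexpected + modified
        if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES or Path(p).name.lower() == "autorun.inf"
    )
    if suspicious or modified:
        verdict = "REJECT"      # quarantine the unit, keep the inventory as evidence
    elif unexpected:
        verdict = "REVIEW"      # harmless-looking extras still need a human look
    else:
        verdict = "ACCEPT"      # wipe, low-level format, sign off
    return {"unexpected": unexpected, "missing": missing, "modified": modified,
            "suspicious": suspicious, "verdict": verdict}


def build_demo_drive() -> tuple:
    """Construct a fake mount point: two vendor files, then a planted payload."""
    root = Path(tempfile.mkdtemp(prefix="newdrive-"))
    vendor_files = {
        "README.TXT": b"Thank you for buying this drive.\r\n",
        "Tools/Diag.exe": b"MZ\x90\x00 vendor diagnostic stub (constructed)",
    }
    for rel, data in vendor_files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    expected = inventory(root)   # stands in for the vendor's published manifest
    # What the article describes: an autorun hook and the program it launches.
    (root / "autorun.inf").write_bytes(b"[autorun]\r\nopen=Setup\\install.exe\r\n")
    (root / "Setup").mkdir()
    (root / "Setup" / "install.exe").write_bytes(b"MZ\x90\x00 planted payload (constructed)")
    return root, expected


if __name__ == "__main__":
    drive, manifest = build_demo_drive()
    for key, value in audit(inventory(drive), manifest).items():
        print(f"{key:11}: {value}")
```

Note that the vendor's own Diag.exe passes because it is on the manifest with a matching hash; the check is an allowlist, not a search for "bad" files, which is exactly why it catches a payload no AV signature knows about.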

Botnet is big business

Dark Reading has a good write-up on botnets today: very descriptive, and written without all the technical blah-blah. If you ever wanted to understand the hows and whys of botnets, this is a very good place to start!

The Roberto Preatoni case - listing of all related resources

The Roberto Preatoni case is picking up speed around the world. This post is a quick update on the stories out there, with links.

The background is found here. In short:


Roberto is a well known and respected security guy from Italy. He did a consulting job for Telecom Italia, where he took part in the Tiger Team back in 2003. The Tiger Team was there to do pentesting. Some of the Tiger Team members were arrested in January 2007, accused of spying. Now Roberto has been arrested on the same charges.

This list is in newest-first order, as I have found the stories or they have been reported to me. If you know of other sources not yet covered, please add your comments! I will try to keep this list up to date.

Nov. 10: A Spanish (I guess) blog on security covers the news. Just a quick background on Roberto.
John Dunn blog offers some thoughts.

Nov. 6. - 9: 

Edit: A good quality Techworld update - still nothing new.

Edit: Microsoft wants Roberto at Blue hat!
Italian version of same news. And at the TeckNudge.

Edit: A few more coverages:

/edit

 

  • eWeek covers the case here. A nice article that gives some background.
  • This blogpost from Spoonfork at security.org.my offers a couple of highly relevant questions on security in general. Nothing new about the case, though.
  • Planet-Websecurity offers some details, but nothing new. The article is copied from Sunnet Beskerming.
  • Techworld covers it (seems like cut’n’paste of the Computerworld story)
  • Ryan Naraine at Zdnet.com did some more digging.
  • Security.nl posted this article. Translation is needed, but it seems to be just a summary of what we know at this stage.
  • Digi.no (Norwegian) with some more details.
    Including that Roberto was on his way to the Paranoia conference in Norway. I am posting an update on this after I have talked to Arnfinn Roland, the guy who had to step in for Roberto.
  • Computerworld who brought the news to the world.
  • Dave Lewis had a short cover of the same.
  • The news was first broken (to me) by Alex Echelberry over at Sunbelt.

What is first - Business or Security?

This is a post I made to a security group I am on. The topic is biometrics and the need for them in a business environment.

--- 

Usually today, the security issues are NOT with identification/authentication; they come from not completely understanding the technology, thus implementing a bioscanner to identify/authenticate a user while sending the data itself over an unencrypted line.

The biggest challenge with any security is the need for it. Do you REALLY need this kind of security? Will this technology make you SECURE? Is there any other tool or solution that can achieve the level of security you need at a lower price (monetary, user acceptance, support)? If you choose this particular technology, what parts will be secure, and what parts are left unchanged or not adequately secured?

Another key challenge is lack of understanding. Business people care more about business: making the profit, ensuring operations. Security people care more about adding security, less about the business impact. At the end of the day, these two parties have to work together to ensure an adequate level of security for that particular business. Unfortunately, what we see almost every day is the complete opposite (particularly with ICT security).

The security guys try to make a case for how important a new tool, technology or gadget is. And from a single, security-minded point of view, they usually are right. BUT the business does not invest in the tool; it chooses to go "insecure" instead. What the security people do not get is that business people are usually equally good at risk assessment and risk management, some even better.

Why?

To successfully run a business, you handle risk and have to manage it on a large scale, continually. You make the decisions, to go or to stop, usually with only little knowledge of the outcome. Some say you have to gamble; others prefer to call it risk management. Some do not even know that this is what they do. They will tell you that all they do is maximize profit while reducing costs, known and unknown.

So in this scenario, the business people usually win the game, because of their added perspective. They perfectly understand risk, and they are willing to risk some to gain some. It is a different mindset.

For the security industry, this means they dig up dangerous scenarios and construct hypothetical issues to sell you only parts of what you need. That would be fine if they would only tell you that the actual risk is usually much lower than the perceived risk (after their FUD), AND if they would tell you that they are only part of the solution.

For the business people, a simple equation should be applied:

Value > security measures

Never spend more securing an object than the actual value of the object. Common sense, right? Yep. But not commonly adopted, unfortunately.
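The inequality is easy to state and easy to skip. The Python below is an added example (not from the original post) that puts numbers on it using the standard annualized loss expectancy (ALE) from quantitative risk analysis, which goes one step further than "value > security measures": it also asks whether a control removes more loss per year than it costs. The fleet figures and the three candidate controls are constructed for the demonstration.

```python
def ale(asset_value: float, exposure_factor: float, annual_rate: float) -> float:
    """Annualized loss expectancy: asset value x share lost per incident x incidents per year."""
    return asset_value * exposure_factor * annual_rate


def evaluate_control(asset_value, exposure_factor, annual_rate, control):
    """Judge one control by two tests.

    control: {"name", "cost" (per year), "exposure_reduction", "rate_reduction"},
    the last two being the fractions of loss-per-incident and of incidents
    the control is expected to remove (assumed inputs, not measurements).
    """
    before = ale(asset_value, exposure_factor, annual_rate)
    after = ale(asset_value,
                exposure_factor * (1 - control["exposure_reduction"]),
                annual_rate * (1 - control["rate_reduction"]))
    avoided = before - after
    return {
        "name": control["name"],
        "ale_before": before,
        "ale_after": after,
        "avoided_loss": avoided,
        # The post's rule: never spend more than the object is worth.
        "within_asset_value": control["cost"] <= asset_value,
        # The stricter rule: never spend more than the loss you actually avoid.
        "pays_for_itself": control["cost"] <= avoided,
        "net_benefit": avoided - control["cost"],
    }


def worthwhile(asset_value, exposure_factor, annual_rate, controls):
    """Controls that pass both tests, best net benefit first."""
    reports = [evaluate_control(asset_value, exposure_factor, annual_rate, c) for c in controls]
    passing = [r for r in reports if r["within_asset_value"] and r["pays_for_itself"]]
    return sorted(passing, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario: a laptop fleet worth 200,000, two thefts a year, each
# costing a quarter of the fleet's value in lost data and replacements.
FLEET = dict(asset_value=200_000, exposure_factor=0.25, annual_rate=2)
CONTROLS = [
    {"name": "full-disk encryption", "cost": 15_000, "exposure_reduction": 0.8, "rate_reduction": 0.0},
    {"name": "fingerprint readers", "cost": 120_000, "exposure_reduction": 0.1, "rate_reduction": 0.0},
    {"name": "cable locks", "cost": 5_000, "exposure_reduction": 0.0, "rate_reduction": 0.3},
]

if __name__ == "__main__":
    for report in (evaluate_control(**FLEET, control=c) for c in CONTROLS):
        print(report)
    print("buy:", [r["name"] for r in worthwhile(**FLEET, controls=CONTROLS)])
```

The fingerprint readers in this scenario pass the post's test (120,000 is less than the 200,000 fleet) and still fail the stricter one, because they only avoid 10,000 of loss a year. That second check is the one the business people in the post are doing in their heads.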

On biometrics: they will come. They are already here. A fingerprint scanner is built into most business laptops today. A camera is on some, and as mentioned in this thread, almost all laptops have a mic. The challenges for biometrics, however, are more complex (the list is not exhaustive):

  • local laws/regulation

The EU has strong privacy regulations, which some of the countries use against biometrics.

  • MITM/MITB

authentication/identification alone is not enough; you need secure communication too

  • authentication vs. identification

should you authenticate only, identify only, or both? At what stage? Using what technology and measures?

  • the actual need

What is wrong with a username/password combination? Why do you really need a stronger method? When do you need it? Can you do without? Should you do without?

  • usability

a tool can be as secure as it wants, but if users do not like it, they WILL circumvent it. BUT it may also be the killer app so much in demand: use biometrics as a way to simplify the life of the users, with no more need for usernames/passwords and devices up and down and back and forth.
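The MITM/MITB point, and the "bioscanner on an unencrypted line" mistake from the top of the post, can be shown in a few lines. The Python below is an added example, not code from the original post or from any scanner vendor: it compares a naive design, where the scanner sends the raw template and the server compares it, with a challenge-response design where the scanner holds a per-device key and tags each reading with a server-issued nonce. The wire format, the device key and the template bytes are all assumptions made for the demo. It deals with freshness and integrity only; the template is still readable on the wire, so confidentiality needs encryption (TLS with mutual authentication, say) on top.

```python
import hashlib
import hmac
import os

# A fingerprint "template" as a scanner might produce it (constructed bytes).
ALICE_TEMPLATE = hashlib.sha256(b"constructed minutiae for alice").digest()
ENROLLED = {"alice": ALICE_TEMPLATE}


# --- Naive design: scanner sends the raw template, server compares it. ---------
def naive_scanner(user, template):
    return {"user": user, "template": template}          # travels in clear


def naive_server(msg):
    return hmac.compare_digest(ENROLLED.get(msg["user"], b""), msg["template"])


def replay(captured):
    """Anyone on the path records one message and presents it again later."""
    return dict(captured)


# --- Hardened design: challenge-response bound to a per-device key. -----------
DEVICE_KEY = os.urandom(32)      # assumed to be provisioned into scanner and server


def _tag(nonce, user, template):
    return hmac.new(DEVICE_KEY, nonce + user.encode() + template, "sha256").digest()


class Server:
    def __init__(self):
        self.pending = set()     # nonces issued but not yet consumed

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, msg):
        # Each nonce is good exactly once: unknown or reused nonces are rejected.
        if msg["nonce"] not in self.pending:
            return False
        self.pending.discard(msg["nonce"])
        # The tag covers nonce, user and template, so a swapped template fails.
        if not hmac.compare_digest(_tag(msg["nonce"], msg["user"], msg["template"]), msg["tag"]):
            return False
        return hmac.compare_digest(ENROLLED.get(msg["user"], b""), msg["template"])


def scanner(user, template, nonce):
    return {"user": user, "template": template, "nonce": nonce,
            "tag": _tag(nonce, user, template)}


def demo():
    results = {}
    # Naive: a replayed capture is indistinguishable from a live scan.
    captured = naive_scanner("alice", ALICE_TEMPLATE)
    results["naive_live"] = naive_server(captured)
    results["naive_replay"] = naive_server(replay(captured))
    # Hardened: the same capture fails once its nonce has been consumed.
    srv = Server()
    msg = scanner("alice", ALICE_TEMPLATE, srv.challenge())
    results["hardened_live"] = srv.verify(msg)
    results["hardened_replay"] = srv.verify(replay(msg))
    # Hardened: a man in the middle swapping in another template breaks the tag.
    tampered = scanner("alice", ALICE_TEMPLATE, srv.challenge())
    tampered["template"] = hashlib.sha256(b"constructed minutiae for mallory").digest()
    results["hardened_tampered"] = srv.verify(tampered)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18}: {'accepted' if ok else 'rejected'}")
```

The naive server cannot tell a finger from a recording of a finger; that is the whole weakness, and it has nothing to do with how good the scanner is.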


This post is not only true about biometrics; it is true about all security. The challenge for the industry is to make relevant solutions that are needed and that fix real issues. The challenge for the customers is to identify the solutions relevant for them, to fix issues they have. The challenge for (end) users is adopting new security solutions every other day.

At the end of the day, you can never be 100% secure. You can get very close if you really want to (and can afford it), but the fact of the matter is that your job is to secure your business, meaning you are there to make as much profit as possible, or if an NGO, to spend as much time as possible doing your thing. No matter if you are the CEO or the CSO, your job is NOT to invest in security; it is to work towards the business goals of your company. Period.

Hacking WEP enabled WIFI

To many of us, hacking WEP encryption is yesterday's news. However, for those not so technical out there, I would like to show you how easy and quick it is to hack a WEP-enabled wireless access point.

Do not worry if you do not understand what is going on; just take note of how quickly it is done, and how confident the hacker is. That is all you need to know and care about.

And of course, I no longer need to beat this old dog, do I? You do realize it is time to review and audit your wireless security, right?

Thought so.  
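For readers who want one concrete reason why this is quick, the Python below is an added example, not from the original post, and it does not reproduce whatever tool the video shows. WEP builds each packet's RC4 key as the 24-bit IV followed by the shared key and sends the IV in the clear, so two frames with the same IV are XORed with the same keystream. The script implements RC4 and WEP-style per-packet keying, shows that a known plaintext under a repeated IV hands you the other frame without the key, and computes how few frames the birthday bound needs before an IV repeats. The key and frame bytes are constructed for the demo; the RC4 test vector in the usage note is the well-known "Key"/"Plaintext" one.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), written for this example."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet keying: RC4(IV || K) XORed over the frame body (ICV omitted)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def recover_from_iv_collision(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same IV means same keystream, so c1 XOR c2 = p1 XOR p2.
    Knowing p1 (e.g. a predictable LLC/ARP header) yields p2; the key is never needed."""
    return xor(xor(c1, c2), known_p1)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound approximation: chance that two of `frames` random IVs coincide."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


# Constructed demo: a 40-bit WEP key, one IV used twice, two equal-length frames
# that share the predictable 8-byte LLC/SNAP header real 802.11 data frames carry.
KEY = b"\x01\x02\x03\x04\x05"
IV = b"\x00\x00\x01"
HEADER = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
P1 = HEADER + b"PING-REQUEST-PAYLOAD"
P2 = HEADER + b"password=hunter2..ok"

if __name__ == "__main__":
    c1, c2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)
    print("recovered:", recover_from_iv_collision(c1, c2, P1))
    for n in (1000, 5000, 12000):
        print(f"{n:6d} frames -> P(IV repeat) = {iv_collision_probability(n):.2f}")
```

A busy access point sends thousands of frames a minute, so the 24-bit IV space is exhausted in hours even if the card never reuses an IV deliberately; keystream reuse is only one of WEP's problems, but it is enough to show why "it has encryption" does not settle the question.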

Roberto Preatoni arrested in Italy

Calling all security bloggers! We need to look into the Roberto case! 

Background:

I read the news about Roberto Preatoni over at the Sunbelt blog today. And I just have to make some comments.

Alex has a nice write-up on Roberto's background. And he uses the background as proof that Roberto is clean.

Let us take a look at the news side of things:

  • Roberto has been arrested by Italian police on spying charges
  • He was hired by Telecom Italia to test their security
  • His team decided to sip from the bowl, and four were arrested and charged with spying in January 2007 (they intercepted and hacked into the communications of some quite prominent people)
  • Italy is a country where media, politics, power and criminals/mafia walk hand in hand

In other words, if you mess things up, or make enemies in the wrong places, you are likely to get arrested. And once arrested, your rights are not the best anymore.

Anyway. Even in Italy, the police do follow rules, and they are not likely to fabricate evidence. Thus, Roberto most likely made a mistake, or did what they are accusing him of.

The challenge for the rest of us now is to filter out the relevant information. And keep the good work of Roberto alive. And hope he is wrongly accused and soon to be released.

Just imagine how it would be to be in his shoes now. Working, as he was, for the good side (no evidence exists that he worked for the foes, as far as I know).

And suddenly he gets arrested. 

Let us help Roberto back out of jail. Together, there are many security bloggers out there; I bet some of you even know Roberto. Let us find out what is going on, and how we can help him!

Hardware hackers

If you ever wondered how computer hardware can be hacked, this blog is for you!

FlyLogic Engineering is a gang of hardware geeks (in the most positive sense of the word) who devote themselves and their blog to hacking (security) hardware. Not only do they hack USB tokens into smithereens, they tell you how they do it, and why.

Most importantly, they show you in practice how secure some hardware is (or is not, actually). Why is this important? Well, the human mind seems to find it easier to trust physical devices than logical ones. That means that you and your users will automatically trust a USB smart card or any other hardware device more readily than if you are given software to do the exact same thing.

But as FlyLogic shows so clearly, hardware is not necessarily more secure, and even tamper-proof hardware is not out of reach for the experts.

Since FlyLogic does this for a living, we can only assume that others do too.

So make sure you evaluate the risk of relying on hardware tokens for your security, and that you do your homework before selecting a vendor.

Cyber Jihad or counter intelligence?


A couple of days back, Debka.com claimed to have picked up an Osama Bin Laden message calling for an electronic Jihad against Western and anti-Muslim websites.

 

This so-called news has caused a storm in a teacup as it passed around the news channels.

 

Personally, I find it highly unlikely that such a Jihad is on its way now. And I list several reasons (not an exhaustive list; feel free to add your own!):

  • Debka.com is a military intelligence news website, which has a strange way of coming up with news no one else has heard about. True, they do have a (large) network, but equally true, they do have their own agenda.
  • The so-called cyber terrorism or cyber war has been going on for years. You may even download your own Jihad tool and start hammering away right now. It is nothing more than a hacking tool, branded as a weapon.
  • It is highly unlikely that a publication like this is ONLY picked up by one source. In the past, when Osama had something to say, he called Al Jazeera. Why not this time?

 

I call this a hoax: a poor attempt by war lovers and anti-Muslims to "prove" the dangers of the Muslims. A PR stunt.

 

Some links:

The original Debka story

Analysis by PC World

Don't buy from spam, begs the security mentor

The Security Mentor begs people to stop buying from spam. And of course, I agree with the Security Mentor! Stop buying from spam! Do you hear me? Just stop!

Except that those who need to hear our call are not likely to read our blogs. And if they do, well, it is either by accident or by interest. If the latter, then I am willing to bet a beer that they do not buy from spam.

The rest of the people out there (and they are many!) will continue to receive and buy from spam.

Why? They lack the necessary knowledge to recognize the spam in the first place. (And those who may recognize the spam, and still buy, are probably too embarrassed to buy Vi*gra over the counter anyway, and take the risk of buying from spam.)

Both groups need education. But they need it where they can read it, perceive it and act on it. And that is not in my blog, nor in the blog of the Security Mentor. We need to move the information to channels that these groups do read: newspapers, magazines, perhaps even the telly. Put the message into their marketing mix.

And the message must be adapted to their level of education (not schooling, but understanding of the technology). My mother is not able to tell a legitimate e-mail from spam. So telling her not to buy from spam does no good. I have to teach her how to spot spam, and how to act on it.

Of course technology can help in this work, but as we (the pros) know only too well, the technology is not good enough to catch all spam.

And even though my mother loves me, she is not one of the readers of my blog. Thus, telling her not to buy from spam here is just a waste of time and effort.

What the Mentor and I can do is move the message out of our blogs and bring it to the community. We can write articles to distribute to local media, we can talk to journalists, and we can develop training sessions.

But most importantly, I think we need to realize that the group who needs the message is a very different group from our regular readers. Perhaps if we put our efforts together, we could come up with a short, 5-step guide on how to avoid the spam trap?


The blogger is Kai Roer, a European Information security professional.
