May 2nd, 2013 by Jesper Kråkhede
Everyone who has been around for some time in this industry has Melissa and Love Letter fresh in mind. How many similar outbreaks have you had in the last few years? I expect you to say none. Does this mean that there is no malware running around anymore? Of course not. There is even more today than there used to be. But the goal of malware today is no longer widespread infection; it is to get hold of vital information or to hijack your infrastructure for others to use.
During my last four years in the business I have encountered a large botnet running inside a large financial institution that had the most ultimate security (they thought); I identified a large-scale espionage operation in the manufacturing business where the attackers had full access to the research department; and I traced the source of a performance problem to a large-scale DDoS directed at my client.
Threats today are sneakier in nature and are aimed at companies that have something to steal (money or inventions) or something to hold to ransom (databases). This means that you need to update your risk list and actually allow yourself to be seen as a target. Following You3, you are a target for one of three reasons: you exist and therefore are a target; you have something in common with a group and therefore are a target; or you are you and therefore are a target. Identifying which kind of target you are will help you determine the protection you need, and if you have something unique, or something that is hard to copy without the drawings, you surely are a prime target.
Apr 4th, 2013 by Jesper Kråkhede
A lot of public and financial services in Sweden use e-identities to authenticate users. A Swedish newspaper today ran an article (in Swedish) about a new way of committing fraud using them. In short, fraudsters have managed to acquire an e-identity by applying for a bank account, possibly using a false ID. After getting the account they have waited at the victim's home, grabbed the mail from the unlocked mailbox after the mailman arrived, obtained all the information needed to create an e-identity (e.g. BankID) and applied for loans in the victim's name.
The article sadly focuses on the wrong vulnerabilities. There are two major vulnerabilities here: the first is the bank's (possible) lack of identification of the customer, or at least less stringent identification; the second is as old as the post office: your unlocked and unmonitored mailbox. A lot of the frauds currently going on in Sweden depend on this specific vulnerability.
How should you mitigate this? Get a lockable mailbox or have your mail held at the post office for later collection. Very easy, and it saves you a lot of hassle!
Apr 2nd, 2013 by Jesper Kråkhede
Sometimes you are just amazed at what is happening in the world of security. Almost everyone is aware that when you put a device on the internet it is scanned within a matter of minutes. A group of researchers wrote a paper about an experiment in which they used unprotected devices on the internet as bots to scan other devices. With an aggressive approach they could scan the whole IPv4 address space in about an hour!
This means that the need for security scanners to make sure you are protected has increased a lot. With so many devices exposed to the internet, vulnerabilities need to be found quickly. So get a tool, get ready for some patching, and don't forget to change the default login, OK?
Mar 20th, 2013 by Jesper Kråkhede
ATMs are wonderful machines! You insert a plastic card and it returns your card and a bunch of money. As many of them today have pressure-sensitive screens, you could also access the internet and play games on them, as shown in this video. About two years ago I was involved in creating a PCI DSS compliant security architecture for a rather big ATM estate. Sadly, Angry Birds was not part of that architecture.
On a more serious note, the video points in a clear direction: without a security architecture, secure templates become a lot harder to create, and without those you are at the mercy of the whims of whoever is responsible for the security of the ATM. But at least you can throw a few angry birds in their direction.
Mar 20th, 2013 by Jesper Kråkhede
The average time to spot a breach is 210 days. That is a terribly high number, and the damage to an organisation is probably a lot higher than it first appears. A hacker with 210 days to walk around inside the digital vaults of any company surely opens the door to tremendous losses of information and assets. One of the main reasons that admins don't identify a breach is the logging. Some companies have complex log gathering systems that collect logs from all servers but still fail to identify a breach.
Why is that?
Most commonly this is due to two major reasons: no risk-analysis-based logging, and a lack of secure coding practice.
Collecting all logs and not knowing what to look for means that you spend a lot of time chasing red herrings while the hacker walks around undisturbed. Once in my career I penetrated a company, registered myself as a trusted visitor, took my laptop including my tools, walked to the CIO's office and said: 'Let's see if the security staff are alert!' I fired away a large scan and after a minute the CSO was on the phone, more or less yelling: 'We have a hacker in our network!' The CIO calmly replied: 'Yes, he breached us a week ago, printed a pass and is currently in my office making fun of you.' Needless to say, there were huge changes in how they approached security after that.
A lack of secure coding practices means that not only are you opening yourself up to direct attacks; you also have no clue what is happening inside your application, because nothing is logged.
One of the first rules of security is to have knowledge of what is happening.
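The two points above, logging what the risk analysis says matters and knowing which pattern to look for in those logs, as a worked example in Python. This is an added example, not code from the original post: the event vocabulary (auth.failure, auth.success), the JSON field names, the five-failures-in-five-minutes threshold and the documentation-range IP addresses are assumptions chosen for illustration, and the sample events are constructed. The application side emits structured events for the outcomes an attacker cannot avoid producing (every login attempt, successful or not); the detection side asks one specific question of them instead of reading everything.

```python
"""Risk-analysis-based security logging with a targeted detection rule.

Added example, not code from the original post. Event names, field names,
thresholds and IP addresses are assumptions chosen for illustration; the
sample events are constructed.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


@dataclass
class SecurityEvent:
    """One security-relevant application event, serialised as a JSON line.

    The event vocabulary is the output of the risk analysis: these are the
    things the application must log because an attacker cannot avoid them.
    """
    ts: str        # ISO 8601 timestamp with timezone
    event: str     # "auth.failure", "auth.success", "privilege.change", ...
    user: str
    src_ip: str
    detail: str = ""

    def to_json_line(self) -> str:
        return json.dumps(asdict(self), separators=(",", ":"))


def emit(events: Iterable[SecurityEvent]) -> List[str]:
    """What the application writes: one JSON line per event (returned here
    instead of being appended to a file or shipped to a SIEM)."""
    return [e.to_json_line() for e in events]


def parse(lines: Iterable[str]) -> List[SecurityEvent]:
    """What the log collector reads back, ignoring fields it does not know."""
    events = []
    for line in lines:
        d = json.loads(line)
        events.append(SecurityEvent(ts=d["ts"], event=d["event"], user=d["user"],
                                    src_ip=d["src_ip"], detail=d.get("detail", "")))
    return events


def detect_bruteforce_then_success(events: Iterable[SecurityEvent],
                                   threshold: int = 5,
                                   window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Flag a successful login preceded by >= threshold failures for the same
    (src_ip, user) inside a sliding window. Failures spread out over a longer
    period (slow guessing) are deliberately not matched by this rule."""
    groups: Dict[Tuple[str, str], List[SecurityEvent]] = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e.ts)):
        groups.setdefault((e.src_ip, e.user), []).append(e)

    alerts = []
    for (src_ip, user), evs in groups.items():
        recent_failures: List[datetime] = []
        for e in evs:
            t = datetime.fromisoformat(e.ts)
            # keep only failures that are still inside the window
            recent_failures = [f for f in recent_failures if t - f <= window]
            if e.event == "auth.failure":
                recent_failures.append(t)
            elif e.event == "auth.success" and len(recent_failures) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src_ip": src_ip,
                               "user": user, "failures": len(recent_failures), "at": e.ts})
                recent_failures = []
    return alerts


def sample_events() -> List[SecurityEvent]:
    """Constructed sample data (documentation IP ranges, not real traffic)."""
    base = datetime(2013, 3, 20, 9, 0, 0, tzinfo=timezone.utc)

    def at(delta: timedelta) -> str:
        return (base + delta).isoformat()

    events = []
    # A legitimate user mistypes once, then logs in: must not alert.
    events.append(SecurityEvent(at(timedelta(seconds=5)), "auth.failure", "bob", "198.51.100.2", "bad password"))
    events.append(SecurityEvent(at(timedelta(seconds=20)), "auth.success", "bob", "198.51.100.2"))
    # An attacker guesses six passwords in a minute, then gets in: must alert.
    for i in range(6):
        events.append(SecurityEvent(at(timedelta(seconds=10 * i)), "auth.failure", "alice", "203.0.113.7", "bad password"))
    events.append(SecurityEvent(at(timedelta(seconds=70)), "auth.success", "alice", "203.0.113.7"))
    # Six failures spaced 30 minutes apart, then success: below this rule's rate, no alert.
    for i in range(6):
        events.append(SecurityEvent(at(timedelta(minutes=30 * i)), "auth.failure", "carol", "192.0.2.9", "bad password"))
    events.append(SecurityEvent(at(timedelta(minutes=155)), "auth.success", "carol", "192.0.2.9"))
    return events


def run() -> List[Dict]:
    """Full round trip: application emits, collector parses, rule evaluates."""
    return detect_bruteforce_then_success(parse(emit(sample_events())))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Running the block yields one alert, for the burst against 'alice'; the single typo by 'bob' and the slow guessing against 'carol' produce none. The last case also shows the rule's limit: a patient attacker stays below a rate-based rule, so a second rule over a longer window, or over distinct usernames per source, belongs in the same risk analysis rather than in a bigger pile of collected logs.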
Feb 21st, 2013 by Jesper Kråkhede
During my life as a security specialist I have encountered several tricky situations, each trickier than the last. One of those is security competence, or to be more specific: how can a company keep its security staff?
The security market is rather immature and there is a big need everywhere for experienced personnel. As a hired CSO or CIO I have helped many companies to recruit staff, just to see them leave a year later, not because they don't like the work but because they need more challenges. Fortunately, most companies rather seldom experience any attacks or incidents, which makes the standard work day rather dull. As a security consultant you see more and experience more, and after a while people tend to look for challenges outside the company walls.
One way to manage this is to have a mix of security consultants and your own staff, where part of the consultants' work is to challenge your own staff with new problems, making the work a lot more interesting. Another method is to work closely with another company and let the staff rotate.
Keeping the staff happy is the prime concern in any service-based company.
Feb 20th, 2013 by Jesper Kråkhede
One of the more common questions I get is whether their security is enough. Along with the question I get a perfectly matched risk analysis and a bunch of defined security mechanisms. Still, my answer quite often is: no, sadly it isn't.
It is quite easy to create good security for a single entity, but creating an overall working security strategy is something else. As many of you certainly know, security architecture is my gambit (yes, I used to be a rather good chess player when I was young). A sound security architecture will give you more than a nice view of your security landscape; it will give you some degree of control over where you have assets that need protection, where those assets normally move, and a dashboard of your current security situation.
The trick is, as always, to gather all those security islands you have in your environment and get them to work as parts of a bigger machine. The first step is to identify them, the second to eliminate or replace them, and the third to bring everything together into a system that is easy to administer.
Sounds easy enough?
Well, add Jericho 2.0 on top of this, sprinkle with a global market and a mobile workforce, and you have a bigger, but solvable, challenge.
Jan 29th, 2013 by Jesper Kråkhede
I found a Swedish article today about how easy it is to put someone into personal bankruptcy in Sweden. As you may know, Sweden is an open country where information is easy to find. To file an application for personal bankruptcy, the only thing you need is to hand in a birth certificate to the court in person together with the application. There is no need for any type of ID card. As you probably understand, the consequences are quite devastating for the affected individual. The birth certificate is very easy to order from the tax authorities, and then you only need access to the victim's mailbox and you are set to wreak havoc.
So the problem here is twofold: first, that you don't need to show ID for this type of application, and second, the trust placed in a mailbox, as I have written about before.
Taking a step back we see a clash between a new electronic society, where acts of terror against the individual are common, and the old paper-based society, where you trusted a person's signature. You could just as well apply Jericho 2.0 principles here and look at authentication at the perimeter. Are you authenticated for life at birth with your birth certificate, or do you need to re-authenticate every time you want access to information?
Jan 28th, 2013 by Jesper Kråkhede
It may come as a bit of a shock to you, but the internet is hostile! Yes, just put an unprotected server out there and it will be scanned within minutes and hacked quite soon afterwards. Still, this did not stop Barracuda Networks from including unprotected backdoors in their hardware. Using the account 'product' it was possible to log on to any appliance as long as you were within a specific IP range. Sadly, not all of those IPs are owned by Barracuda Networks, giving third parties the ability to log in to every appliance that is reachable from the internet. Add the risk of IP spoofing and you are in a world of pain. Barracuda Networks currently recommends that all customers update the Security Definitions or disable remote support. Still, my recommendation would be to question the security services from Barracuda Networks. If they think a specific IP range is a good security mechanism, they lack basic security skills.
Jan 15th, 2013 by Jesper Kråkhede
There is an interesting story going around the news in Sweden today. A train was stolen by a young janitor. She drove it rather fast into a house. No one was hurt, and now the security routines are to be updated. It puts a finger right on a rather important spot in the field of security: why would anyone attack us?
Who in Sweden would ever come up with the idea of stealing a train? There is no way you could get away with it; you can't sell it, take it home or use it in any other way. So why would anyone attack you? I'm rather certain that this train theft will turn out to be either a case of someone under the influence of drugs or a case of joyriding that went terribly wrong, and here is also the reason why you could be attacked: you exist and have something that could be attacked just because it exists. It is so easy to download a hacking kit and start running scripts, and if you don't use secure coding, patch management etc. you could become a target for a script kiddie, just as the janitor stole the train. Most attacks are the result of a random encounter on the web, yet the attack could be as devastating as smashing a train into a house!
Just recently the investigation showed that the janitor had accidentally started the train because several safety mechanisms had been bypassed. Still, the original story is interesting even if in this case it was an accident.