Nov 15th, 2013 by Jesper Kråkhede
As you may have noticed, you can't register as a new user on my blog. This is due to a large wave of spam attacks. I hope this will end in a few weeks so that I can open up automatic registration again. Until then please drop a mail to crowmoor a t crowmoor dot se and I'll make sure to register you.
Nov 15th, 2013 by Jesper Kråkhede
All those having a smart phone raise your hands! I'm one of those, and I thought I had a rather good grasp of smart phone security, the do's and don'ts etc., but apparently I was mistaken. Do you know there is a second operating system running on your smart phone that has a large number of bugs and vulnerabilities, little to no patch management, and was written during the 90's when security was 'optional'?
I just read an article that outlines this second OS and a number of ways to exploit it. It is not for the ordinary hacker, but setting up a fraudulent base station is possible and with that they have total control of your smart phone.
So you investigated your smart phone security and thought you were covered when you installed anti-malware, encrypted your files and used https for web browsing and for fetching your mail. Everything was covered and suddenly… a new threat emerges that has been there since the 90's and that no one ever told you about.
Is this something to worry about? All risks are worth worrying about, but as long as you are not communicating trade secrets, proposals, issues of national security or other stuff that could interest someone else, you are home free. But it sure brings trust into the equation. You trust the phone developer to produce a secure phone, or at least to patch it to an acceptable level, but do you demand this from your base station supplier? When you create the Trusted Computing Base, take real care that you have included those that your trustees trust.
Oct 16th, 2013 by Jesper Kråkhede
If you are a proud owner of a D-Link, your best bet today is to hide in a dark place in shame. At least if you trusted D-Link to make a solid and secure product that is also cheap to purchase. Reading the link, it is pretty obvious that D-Link wanted to provide simple auto-update functionality for its customers but sadly failed miserably. With the external management interface enabled you have left your D-Link totally open to external control due to Joel's backdoor.
So, in order to create a low-cost product, D-Link has obviously cut down on security testing. This sadly goes for most within IT: if it is cheap, chances are that there are a number of security vulnerabilities and bugs.
Oct 15th, 2013 by Jesper Kråkhede
As some of you may know, at least those of you that have read my CV, I'm a trained social worker and have a keen interest in psychology. I always find it interesting to understand why some organisations manage to protect their information and why some fail.
I recently came across a report describing why users protect their information:
• They have a personal connection to it
• They truly understand the risk that exposure of the information poses
• The impact of such an exposure affects them directly
What does this mean when you try to educate your users? First of all you need to include your users in the security work and have them understand the information they are working with. It is not only numbers; the information is what makes their living.
Second: include them in the risk analysis so that they understand the risks that are involved. In my models I work with micro risks, a tool that captures the small risks that every user perceives in their daily work.
Third: when making the asset valuation, make sure to have them understand the consequences for them if there actually is a breach. Have them understand that a breach means a huge cost and a potential loss of their jobs.
Aug 15th, 2013 by Jesper Kråkhede
If you think that internet fraud, hacking and so forth have gone down because Anonymous has been crippled and the NSA has 100% control of who does what on the internet, you need to think again.
To be able to commit cybercrime you need a computer, internet access and a set of tools. In short this means that anyone could start committing crime, and with the use of proxies or anonymisers, a lack of logging or other investigative tools, and a shortage of low-cost, fast investigators, we are bound to have a few hundred million wannabe hackers wreaking havoc everywhere.
It is quite interesting to read the summary of the research from PwC that shows that cybercrime is on the rise.
What does this mean? When cybercrime tools become a commodity that you can download for a few bucks, those with the lowest security baseline, the ones that are a bit slow to patch or configure, will fall prey to the one-dollar cybercrime. Who will you be?
Jul 30th, 2013 by Jesper Kråkhede
Is there any company of size that hasn't got an ERP system (Enterprise Resource Planning) today? During my many years working in the field of security I have seen and participated in many analyses, checks, tests, investigations and whatnot, and in many cases we were instructed not to touch the ERP. It was way too mission critical for them. This is a HUGE indicator that security is not taken seriously. But it gets worse!
I suppose you have read about the encryption of medical databases in Australia? With the move to ERP in many companies, and with the integration of many systems into the ERP, a simple restore of the database is often not even possible.
Add those up and you suddenly have a volatile situation. You have a mission critical system that you are not allowed to secure. If this is not an invitation to a criminal to break in and encrypt your database for ransom, it is at least a save-the-date for a later event.
Jul 20th, 2013 by Jesper Kråkhede
Security architecture is sometimes just a number of words glued together with some pictures; or, to be more explicit, the power of security architecture lies in the visualisation of fully defined words.
Some words that commonly need both definition and explanation are: Threat, Vulnerability and Risk.
Threat:
1. An expression of an intention to inflict pain, injury, evil, or punishment.
2. An indication of impending danger or harm.
3. One that is regarded as a possible danger; a menace.
Vulnerability:
1. Susceptible to physical or emotional injury.
2. Susceptible to attack.
3. Open to censure or criticism; assailable.
Risk:
1. The possibility of suffering harm or loss; danger.
2. A factor, thing, element, or course involving uncertain danger; a hazard.
Sadly it is very common that those words are interchanged, leading to misunderstandings and therefore mistakes.
In short, a threat could arise if someone or something could intentionally or unintentionally harm you. A vulnerability means that a threat has a chance to succeed in inflicting harm. Calculating this chance is to calculate the risk. A risk is dependent on an identified attacker and a vulnerability. If there is a threat but no vulnerability, there is no risk.
Consequently, a vulnerability analysis and a risk analysis are two different things. Finding vulnerabilities is not the same thing as calculating the chance of harm actually happening. The latter is a risk analysis.
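As an added illustration of the distinction drawn above (not part of the original post), the constructed Python below keeps the vulnerability analysis and the risk analysis as two separate steps: the risk step only produces a figure where an identified threat and a vulnerability meet on the same asset, so a weakness nobody targets and a threat with nothing to exploit both yield no risk. Asset names, likelihoods and impact figures are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """Someone or something that could harm you, intentionally or not."""
    name: str
    targets: frozenset        # assets this threat is interested in
    likelihood: float         # constructed: chance the threat acts in a year

@dataclass(frozen=True)
class Vulnerability:
    """A weakness that gives a threat a chance to succeed."""
    asset: str
    name: str
    exploitability: float     # constructed: chance an attempt succeeds

def vulnerability_analysis(vulns):
    """Finding vulnerabilities: list the weaknesses per asset, no threats involved."""
    found = {}
    for v in vulns:
        found.setdefault(v.asset, []).append(v.name)
    return found

def risk_analysis(threats, vulns, impact):
    """Calculating the chance of harm: a risk exists only where an identified
    threat and a vulnerability meet on the same asset.
    Expected loss = likelihood * exploitability * impact (rounded to 2 decimals)."""
    risks = {}
    for t in threats:
        for v in vulns:
            if v.asset in t.targets:
                loss = t.likelihood * v.exploitability * impact[v.asset]
                risks[(t.name, v.asset, v.name)] = round(loss, 2)
    return risks

# Constructed sample data: three assets, two threats, two vulnerabilities.
THREATS = [
    Threat("external-attacker", frozenset({"payroll-db", "intranet-wiki"}), 0.5),
    Threat("careless-insider", frozenset({"payroll-db"}), 0.3),
]
VULNS = [
    Vulnerability("payroll-db", "weak admin password", 0.6),
    Vulnerability("test-lab", "unpatched OS", 0.9),   # no threat targets this asset
]
IMPACT = {"payroll-db": 100_000, "intranet-wiki": 5_000, "test-lab": 20_000}

if __name__ == "__main__":
    print(vulnerability_analysis(VULNS))          # two assets have weaknesses
    print(risk_analysis(THREATS, VULNS, IMPACT))  # only payroll-db carries risk
```

The intranet-wiki (a threat but no vulnerability) and the test-lab (a vulnerability but no threat) both show up in only one of the two analyses, which is exactly why the two must not be confused.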
Have you got it straight now?
Jun 30th, 2013 by Jesper Kråkhede
One of the good things about growing up is that you now and then are allowed to visit a pharmacy and get prescription drugs… or should it be considered a bad thing? In any case I noticed that the username and password for the computer were posted on a note on the screen, the same username and password btw. I also noted that when the clerk needed to authorise an action on the screen she leant forward and let a barcode scanner read a barcode she had on a card. Being the person I am I silently waited for her to finalise my order and in the meantime I played with my phone… or more exactly struggled to get a good picture of the barcode. I managed to do that and when she was done I innocently asked how secure the system was if anyone wanted to enter the system and view the information. She bragged a bit about the security measures their department had taken to ensure the security of the system. I nodded and showed her the pictures I'd taken of both the username/password and the barcode. "Could we just test it, just for fun?", I asked. She just nodded and as expected the barcode logged me into the system. I, of course, deleted the pictures, but it shows that security systems that once were regarded as safe are rendered unsafe by the evolvement of new technology.
Jun 20th, 2013 by Jesper Kråkhede
Having been a diver for a few years I tend to take my own personal security quite seriously. Out-of-air at 20 m is not a pleasant experience, I've heard. One of the things I enjoy doing when diving is taking photos. This summer I bought a new underwater housing for my compact camera and, as I take the security of my possessions seriously as well, I decided to take the housing for a test run without the camera, just to make sure it didn't leak. Any diver more experienced than me can stop laughing now. Of course it all went wrong! No, it didn't leak, but instead of having slightly negative buoyancy it was distinctly positive, making it hit me in the face, be in the way and all in all making the dive a terrible experience.
So, what did I do wrong? I didn't take the weight of the camera into account, making the test, even if successful, a bad experience. Did my test succeed? Yes and no. The test as defined in my test case was successful, but my confidence in the product became much lower.
When implementing security services you implement a safeguard that you need to trust. Whenever you need to test things first, make sure to include as much as possible so that confidence in the product is kept even during tests.
May 30th, 2013 by Jesper Kråkhede
Not being an expert in the inner details of SCADA systems, I still encounter them in different assignments. As many know, SCADA systems are certified to carry out a specific task with a specific configuration that you seldom or never can change. This makes the task of protecting SCADA a tough one, as the ordinary changes are not possible to conduct. Most of the time, however, the SCADA systems are not publicly or internally accessible and hence the problem is far less severe. Still, we humans are lazy (why go out to a computer when we could connect to it remotely?) and so the problems start to multiply.
Is it possible to create a security architecture that is able to manage this in a connected mobile world? I'll have to say yes to this question. It is not that you will be able to manage your SCADA system through your mobile device, but at least you will be able to manage it remotely.
The cornerstones of a sound security architecture for SCADA systems are compartmentalisation, dual authentication at borders, administrators' access only and frequent upgrades, if possible.