Sunday, August 14, 2011

Etymologically Speaking: Cracking or hacking, mobile phones or voicemail?

In the wake of the News of The World (NOTW) scandal in which "journalists" are alleged to have listened to, and sometimes erased, messages left on phones that did not belong to said journalists, the term phone hacking has shot up the charts of widely misused phrases.

As this very helpful article on Geek News Central points out, the NOTW scandal is not really about phone hacking, it is about voicemail hacking, which the article's title tries to make clear: How To Hack Mobile Phone Voicemail.

Like the proverbial Trojan Horse, which was really neither horse nor Trojan, we are probably stuck with phone hacking as a phrase hacked together by hacks to describe some types of phone system manipulation and/or phone user duping. Such subtle distinctions may not matter to some people, but I think they matter to information security professionals. Why? Because part of our role in society, one that I personally take very seriously, is trying to bring clarity to matters involving the theft of information, unwarranted invasions of privacy through the abuse of information systems, use of computer systems to commit fraud, and so on.

And perhaps no word in recent memory has been more abused and hacked than hackers. As Steven Levy firmly established more than 25 years ago in his book, Hackers: Heroes of the Computer Revolution, the word started out with a positive connotation, a subject he addressed at the recent DefCon hacker conference in Las Vegas.

For almost as many years, my good friend Dr. Mich Kabay has tried to maintain a consistent distinction between hackers and criminal hackers. In his copious writings and teachings on information assurance, Mich diligently avoids omitting the word criminal from the phrase, either for convenience or brevity (see these Google results for examples).

(In the 1990s, some people tried to get criminal hackers shortened to crackers but that was doomed by ambiguity, between the decidedly non-technical use of the term cracker in the Southern states and people who specialize in cracking encryption codes.)

While criminal hackers are generally to be reviled for the mess they are making of otherwise beneficial technology, some hackers may be deserving of praise. You can get a personal perspective on this distinction by watching the excellent documentary made by another good friend, Ashley Schwartau, titled "Hackers Are People Too."

All of which underlines the ambiguity--some might say neutrality--of information technology, and the need to use care, as well as clear and specific language, when discussing its use or abuse. Voicemail can be incredibly useful, but it can be abused and cause pain when "hacked" by people of questionable ethics. Encryption can protect your private information from prying eyes, or allow a criminal hacker to hold your data for ransom. Cracking encryption can save lives or expose people to their enemies.

You might say that the problem with technology is the people who abuse it. We need to distinguish them from the people who try to improve it. And choosing our words wisely is one way of making that distinction.

Footnote: I will have a lot more to say about this and other aspects of information security after September 1, which is when I transition to a new position: Security Evangelist for ESET.

Wednesday, July 13, 2011

The NOTW Phone Hacking Scandal: Lessons for risk managers keep coming

In the context of data privacy, cyber security, and risk management I once wrote: "Failure to police your employees and sub-contractors can have serious consequences."

In the last 6 days we have seen massive proof of that as the News of the World (NOTW) phone hacking scandal has erupted onto the world stage, spewing a toxic mix of consequences, the like of which we have never seen before.

Consider anyone who owned stock in BSkB. I documented their bad news yesterday. And consider any innocent employees of the News of the World who are suddenly without a job. If those people find it hard to get new jobs because of the stigma of being ex-NOTW employees, they could argue that NOTW robbed them of their professional reputation and possibly sue NOTW and its executives on that basis.

I will admit that the possibility of getting sued for running a company in such a disreputable manner that you drag down your employees with you is not a risk that I had previously considered. But we now see that such a thing could play out as a consequence of a company hiring people to do illegal hacking, or turning a blind eye to hacking, in other words, failure to enforce ethical business practices and appropriate privacy policies. Here's what the Guardian wrote on the subject around the 1.52pm mark on their July 10 live blogging of the NOTW scandal:
Dismissed News of the World journalists who are unable to find replacement jobs and feel their professional reputations have been severely damaged could have legal grounds for suing News International, according to one employment law source. Owen Bowcott, who is the Guardian's acting legal affairs correspondent, writes about a Lords ruling that could have implications:

"There is a precedent in a 1997 House of Lords judgment that covers the predicament of two former employees of the collapsed Bank of Credit and Commerce International who claimed they suffered the "stigma" of being associated with the ex-employer that put them at a "serious disadvantage" of finding new work. "In [Malik vs BCCI] the House of Lords upheld, in principle, the right of innocent ex-employees to sue a former employer for common law damages where revelations concerning the employer's corrupt practices had damaged their prospects of future employment in the industry," one employment expert suggested. "Corruption was assumed as a hypothesis for purposes of the decision"."
Bowcott went on to say "Loss of reputation, the 1997 judgment pointed out, is "inherently difficult to prove" but it added that there is an implied mutual obligation of trust and confidence between employer and employee." The House of Lords judgment concluded. "Difficulties of proof cannot alter the legal principles which permit, in appropriate cases, such claims for financial loss caused by breach of contract being put forward for consideration."

So, there you have one more risk of bad corporate governance: Revelation of the company's corrupt practices damaging the employment prospects of your employees, leading to lawsuits. And to think it all started with a voicemail PIN number being guessed or social engineered.

Tuesday, July 12, 2011

Hacking Costs Billons in Stock Losses: 2.88 billion more reasons to enforce security policies

The negative impact of information security incidents on stock prices has been documented numerous times over the past ten years, but I think we are now witnessing the most dramatic hacking-related stock losses ever seen, as reported in the Guardian last Friday under the headline BSkyB shares fall £1.8bn. For American readers:
  • BSkyB is British Sky Broadcasting, a satellite TV company 
  • BSkyB is like DirecTV only bigger (based on Market Cap), 
  • the Guardian is a very reputable British newspaper,
  • one British pound is worth about $1.6,
  • that share drop erased $2.88 billion from the company's value.
What information security incident at BSkyB triggered this share drop? That's a trick question! The stock dropped because of the illegal hacking of voicemail by a person or persons hired by a British newspaper, News of the World, often referred to as NOTW.

The owner of NOTW is Rupert Murdoch's News International (NASDAQ:NWS) which has been looking to buy BSkyB, pending approval by regulators, who may not be so keen to approve the deal given the mess that News International is now in as a result of the scandal surrounding the voicemail hacking. When you look at how the stock of NWS fared today you see where the term "fell off a cliff" comes from:

Bear in mind that NWS owns the Wall Street Journal, the New York Post and Fox everything, from movies to TV channels to TV stations.

So what we have here is an amazing example of how a few people committing acts of hacking on behalf of one relatively small part of a big company can cause massive damage that extends beyond the company itself, not to mention the victims of the hacking, like the parents of deceased soldiers and at least one murder victim.

And the collateral damage will roll on. People who own shares of BSkyB and NWS may sue the company executives. People laid off by the News of the World, which has been closed for good, may sue for loss of reputation by association. Victims of the hacking may sue.

All of which could have been avoided if the News of the World had adhered to privacy standards and ethical business standards. But the company allowed this to happen, over a period of years, so there can be no defense based on the existence of policies. (If you have your company network password taped to the bottom of your keyboard, in violation of company security policy, there is legal precedent for saying that is not grounds for dismissal if the company has tolerated everyone doing the same thing for some time.) 

There will be much more about this hacking-induced upheaval as the days roll on...including the huge irony of hacking closing a major British newspaper, not because of outside criminal hackers breaking in, but because of insiders illegally hacking people outside the company.

BTW, if you want the whole sordid story of this hacking debacle prior to this latest development, including police corruption and royal family secrets, this Wikipedia article is a good source. I will end with a footnote on the BSkyB share value: the amount wiped out by the end of today was $3.84 billion.

Saturday, June 18, 2011

CIA Website Hack Recalls Early Days of eCommerce

Recent hacking of the CIA website brings back memories of the earliest days of eCommerce on the Web and the first wave of website hacking. The first defacing of the CIA website was carried out in September 1996. For those too young to remember, here's what it looked like:
The hacking was done by Swedish hackers using the name "Group Power Through Resistance" and their goals went beyond embarrassing the CIA. According to TechWorld Sweden:

"The attack messages were primarily intended for the then Swedish state prosecutor [Bo Skarinder] who accused members of the Swedish Hackers Association of hacking. The sentence "Stop lying Bo Skarinder!" is remembered to this day."

The most recent CIA website hack, as of this post, was the following effort by an Indian hacker who goes by “lionaneesh":

Lionaneesh claims to have gained access by exploiting an XSS or cross-site scripting vulnerability (here's a detailed explanation of XSS written by my brother Mike).

When Lionaneesh tweeted about his exploits on a Twitter account his name was listed as Aneesh Dogra (that name has since been removed, but the Twitter account is still active). Posting a "follow me" message on a hacked CIA web page is one of the more interesting ways to gain followers (of which @lionaneesh now has 206).

Via Twitter, Aneesh expressed affinity with LulzSec, the hacker group that claimed responsibility for an attack on the CIA earlier in the week.The page defaced by Mr. Dogra was taken down quite quickly, but a screenshot of it was posted on The Hacker News (as reported on GMA NEWS, the Filipino news site).

That first round of government agency website hacks in 1996 served as a wakeup call to eCommerce sites which were starting to come on line at that time (a time when I was providing consulting services to such companies, via the NCSA that later became ICSA Labs, and the Miora Systems Consulting company that later became InfoSec Labs, founded by Michael Miora, Vincent Schiavone, David Brussin, and of course me).

When I was writing my first paper on the topic of Internet Commerce, delivered at a conference in Hong Kong in early 1996, I struggled to find examples of website defacing. The one that does stick with me is a fur dealer who was targeted by animal rights activists. That sent a strong message about brand-tarnishing and activist-hacking, which became known as hacktivism. It also alerted companies to the truly global nature of the world wide web. you might write your website content for your customers, but the entire world can read it if they choose to do so.

To this day I would advise companies against publishing content on their websites that advocates an unpopular point-of-view or employs insensitive language, unless they are well-prepared to repel attacks from people who do not share that point of view. An example I used to cite was a timber industry website that was thinking of putting its newsletters online, the content of which was standard stuff within the industry, but a red flag to environmental extremists (who would be able to find it much more easily on the web than by getting a copy of the printed edition.)

A quick read of the Wikipedia page on hactivism will tell you the term is still emotion-laden because both hacking and activism remain ambiguous terms, seen as the illegal actions of bad actors by those on the receiving end, and the right thing, done for good reason, by the doers. The issue is not made any easier by the pugnacious "shoot-the-messenger" reaction of many organizations to news that their systems are vulnerable.

My wife encountered this when she questioned a suspicious network connection at a government facility containing highly sensitive classified data. She was angrily asked: "What do you think you're doing probing this network?" As a graduate of the Stephen Cobb School of Tact and Diplomacy she avoided snapping back with the obvious: "My job!" Instead, she calmly explained that her boss had asked her to create a map of the network for which he was responsible and, in doing so, she had found an undocumented connection to an insecure network. Thanks to a boss who stood by his employee [my wife] the issue was resolved, but not before the threat of prosecution was raised by the "offended" party who owned the insecure network (and who chose to remain in denial of its insecurity).

Many such stories are documented on the web and one can imagine a hacker finding a flaw in the CIA website wondering what to do about it. Tell the CIA? Who may come looking for you because they can't accept that a. their site is insecure, b. your intentions are honorable. Clearly this is a dilemma. When you exploit the vulnerability that you have found you create an example that can be used to remind governments and companies that web security is not a fix-and-forget challenge but an ongoing effort. Nevertheless, the right thing to do is NOT hack the site. And hacking it for personal glory does nothing to help your claim that you were trying to do the right thing.

Finally, it has to be said that if any federal government agency ought to be a showcase of website security best practices it is the CIA. I'm NOT saying they deserved to be hacked, but they deserve to be on the receiving end of probing questions. As do other government entities. For example, the method that Private Bradley Manning used to remove copies of classified government documents from SIPRNET, the ones that ended up on Wikileaks, was clearly a violation of policies and procedures that my wife laid down over ten years ago to address such problems. It is hard to argue that the people who chose not to enforce such policies are entirely blameless for what their actions, or inaction, allowed to transpire.

Sunday, May 08, 2011

Internet Security and Satellite Internet: A gap that needs to be patched?

Today there are over a million computers in America that connect to the Internet via a satellite connection, and the number continues to grow. During this past winter I used my spare time to write a white paper on satellite Internet connectivity, mainly to drive home the point that it is no substitute for DSL/cable/fiber when it comes to broadband access for rural communities. The white paper has just been published by the Rural Mobile and Broadband Alliance (RuMBA).

However, an interesting security issue came up in the course of writing this 22-page paper and I thought I would highlight it here. If you like, you can download the full report at no charge from this link. (You can also read more about this research in this blog post.)

One of the reasons nobody should seriously consider defining satellite Internet as broadband is the daily download limit that satellite services impose, typically about 400 megabytes a day, which is less than some operating system upgrades we have seen in recent years. These capacity limits are not just a serious inconvenience, they have serious implications for computer security.

Basically, satellite Internet users have to turn off automated updating of operating systems and applications to prevent incurring costs and usage restrictions arising from bandwidth caps. However, as I am sure you know, computer and software makers increasingly rely on these automated processes to distribute the security “patches” required to prevent exploitation of computers by criminal hackers.

Computers with unpatched operating systems and applications are a prime target for hackers as these machines are more easily exploited and turned into “zombies” under the control of attackers. Zombies are then orchestrated into “botnets” that are used to attack other systems, from commercial and government websites to utility systems and entire sections of the Internet itself. The Department of Homeland Security today considers unpatched consumer computers a threat to national security and the problem has been openly discussed by cyber-security officials at the federal level since at least 2002.

Some might argue that computers on a relatively slow satellite connection (you're lucky to get above 256Kbps when uploading) are not attractive to botnet builders, But some botnet attacks don't need much speed or capacity to be effective. The fact that the IP address blocks occupied by these "at risk" systems are relatively easy to identify may also be considered an added risk factor.

Solutions are possible, like special exemptions on bandwidth caps for authorized OS and application patches, but so far I have not heard any talk of these being implemented. Since the federal government is currently handing over tens of millions of taxpayer dollars to satellite Internet service providers to help them build their subscriber base, maybe that money should come with strings, like better provision for prompt security patching.

Sunday, May 01, 2011

Twitter Spam Getting Bad, Now Poisoning Health-Related Search Results

What is Twitter spam? A whole bunch of "people" tweeting the same thing from accounts that are likely automated. These bogus accounts have a human name followed by a number, like Colettaj339. When you check out the profile you see this person has:
  • Sent many tweets (all pushing links), 
  • Not followed anyone (Following=0). 
In other words, the account merely exists to direct clicks to a promotion in return for money. Following the pattern of previous forms of spam this Twitter-spam is growing fast and targeting vulnerable people.

For example, I have been encountering more and more of this stuff when searching Twitter for the term "hemochromatosis" which is a scary and potentially fatal genetic condition that causes iron overload, a toxic buildup of iron in joints and organs like the liver, heart, brain, thyroid and so on.

Given the pathetically poor level of knowledge about this condition that exists in the general medical population it is very common for people who find they have hemochromatosis to turn to various channels on the Internet for information, including Twitter.

My hemochromatosis search on Twitter today found a bunch of tweeted links leading to a pitch page for an eBook on Iron Overload priced at $37. Bear in mind that the highly regarded and medically reviewed Iron Disorders Institute Guide to Hemochromatosis can be purchased in paperback on for a lot less than half that price, and can be had as an eBook on Kindle for $9.89.

Maybe the tweet-spammed book is brilliant and worth $37 but the large number of spam Tweets makes me doubtful. And this is by no means the first targeting of hemochromatosis sufferers on Twitter. Tweet spam leading people to an article site has also used this hook. In fact, I'm willing to bet that whenever you search a nasty disease, for example multiple sclerosis, you will see this Tweet spam. Here are some observations about this depressing phenomenon:
  1. Cobb's First Law of Communications Technology: Every new communications technology will quickly be abused, most likely by people lying in the hopes of making money.
  2. Twitter has not done enough to make sure new accounts are opened by real people.
  3. Twitter is not doing enough to remove blatant spam accounts (email me as scobb[at]scobb[dot]net for the algorithm to identify these accounts guys, it's not that complicated)
  4. A depressingly large number of people need to ask themselves whether what they are doing with their computers is helping or hurting their fellow man, woman, or child.
  5. Until the median level of morality among computer literate humans starts to rise, we will see spam, scams, fraud, and the like continuing to poison the technology and waste precious resources (like the energy that email spam wastes, enough to power millions of homes).
BTW, if you want solid information about hemochromatosis, visit The Iron Disorders Institute. If you want Twitter to do more to stop Twitter-spam contact the company. I find that a fax to the CEO is a good communications channel to use: Mr. Evan Williams, CEO, Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, fax 415-222-0922.

Saturday, April 30, 2011

Cost of a data breach climbs higher

Well worth paying attention, whether you are in privacy or security, in business or investing in businesses, CIPP or CISSP:

Cost of a data breach climbs higher - Dr. Ponemon's blog

"The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends."

Sunday, January 30, 2011

Mobile Payments: One Trillion More Reasons to Think About Mobile Security

It is hard to think of anything more attractive to hackers than a widely-deployed digital payment system. And the world is now witnessing the fastest rollout of a digital payment system ever, to your mobile phone, a.k.a. smartphone, cellphone, iPhone, tablet/slate, i-device. Consider just two stories that appeared one day last week:
"With corporate behemoths such as Starbucks Coffee Co. and McDonald's Corp. leading the way, 50 percent of consumers will have made a mobile payment of some kind by 2014, according to Juniper Research."
And "according to this report, U.S. mobile payments could reach $1 trillion by 2015."
That's one trillion dollars with a "T' headed to a bunch of devices that are, from an historical IT perspective, barely out of beta testing. Consider a couple of random stories I found hanging around in my browser cache when I sat down to write this post:
November, 2, 2010: An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a report published on Tuesday.
December 29, 2010: Mobile security firm Lookout is sounding the alarm about a Trojan targeting Android devices that, while confined to China so far, represents one of the most sophisticated pieces of malware it has seen to date. The malware, named “Geinimi” is the first Trojan to display botnet-like capabilities, allowing it to receive remote commands...
And don't think that using an iPhone or Blackberry will eliminate security risks. Just check out this page of stories about password cracking software available from Russia. Something to bear in mind when you read that "MasterCard's PayPass wallet application can be password-protected so that a lost or stolen handset cannot be used to make payments"
But let's get back to what I meant when I said it's hard to think of anything more attractive to hackers than a widely-deployed digital payment system. Notice I didn't qualify "hacker" in this context. That's because hackers of all stripes find computerized payment technology fascinating. Back in 1995, when I spoke for the first time at DefCon, the now legendary annual hacker convention in Las Vegas, the speaker ahead of me presented a detailed explanation of just how easy it was to make fake credit cards that worked.

When I cited that presentation as an example of the damage that hacking could do, the response was vociferous and articulate and could be summed up like this: The banks are to blame for using such lame technology when a few tweaks to the system and a little more effort could actually make it a lot more secure, as shown in the presentation.

That was a valuable lesson for me. Not everyone who hacks payment systems is out to steal your money. Hence the useful qualifier "criminal" as used by my friend and colleague Mich Kabay who is always careful to say criminal hackers when that is the type of hackers to whom he is referring. A lot of people see a spectrum of hackers. One can describe it, if you leave out the nuances, like this: black hat hackers who are criminally-minded, gray hat hackers who may hack for profit, and white hat hackers who are trying to find solutions to hacks before the hacks are widely exploited (and may profit professionally for so doing).

What I'm saying is that every shade of hacker is likely to look long and hard at hacking mobile payment systems, from those who want to hack the system for illegal gain to those who seek to gain fame for finding the holes. The question is: Can the systems now being rolled out withstand the scrutiny? History gives me a clear answer: No.

Unless some fundamental changes have occurred in the technology and banking industries, changes of which I am unaware, that negative answer has a high probability of being right. I predict holes will be found and some of those holes will be exploited for illegal gain before they are plugged. I also predict that:
  • Mobile payment systems will still be rolled out, and 
  • Companies that already have a good track record in mobile security will do very well this decade.

Wednesday, January 26, 2011

One to Watch: MAD's MECS is mobile security made real

There is no doubt in my mind that the new information security frontier is mobile, as in mobile phones and mobile pads/slates/tablets. More and more data is going to be processed by, stored on, and accessed from mobile devices. You can see this very clearly if you spend any time in the world of consumer marketing where the biggest buzzword right now is "mobile" as in mobile advertising, mobile shopping, and mobile payments.

And where the money goes, criminal hacking is sure to follow, along with scams, spammers, phishing and fraud. Which is why I've been very interested for a while now in a mobile security company called MAD, a company of which my good friend Winn Schwartau is Chairman.

MAD's flagship product has already won several awards like this. And I can assure you that awards like these don't grow on trees. Industry analysts don't like to get burned by endorsing flash-in-the-pan products that leave them looking all egg-faced in 12 months if the product peters out. Bear that in mind when you read this assessment:
“The Mobile Enterprise Compliance and Security Server (MECS) innovative solution focuses primarily on delivering a new dimension of security, management and compliance to enterprises. Compared to standard mobile device management (MDM) solutions, which are not regarded to be viable security platforms, M.A.D.’s offering promises to provide the utmost protection for mobile enterprise devices.” and goes on to state that “Owing to the extensive capacity offered by M.A.D.’s solution, Frost & Sullivan feels that the company has gained a significant advantage compared to its competitors...”
Pretty impressive! MAD's MECS  is definitely one to watch as the struggle to secure the mobile frontier heats up in 2011.