Sunday, December 20, 2009

Odds of losing confidential personal data are increasing

This article, Electronic Medical Records: The Good, Bad, And Ugly, was the trigger for this post.

If you lose your medical record along with 10 or 1000 others, will it make any difference to you? I think it will be more traumatic if you are among the few, as the modes of redress will be different.

What about losing credit card details?

Imagine: now even malware can have QA, and botnets are an industry that even runs help desks. Add to this (probably) unethical practices like this and sophisticated attacks like this, and the chances of losing confidential information are increasing.

What odds does an average citizen have against these? Maybe high in places like the USA & Europe, but in a developing country they are pretty low.

Posted via email from Ramki's posterous

Saturday, December 12, 2009

Hacking thoughts - Insecure ATM port

Warning: These are just random thoughts with a lot of presumptions; readers are advised that trying/doing a similar activity would be a serious criminal offence, and finally, I am not a native speaker of English and may have used colloquial words, hence no arguments on English usage.

I used an ATM today; this machine of a major Indian private bank was located on the premises of its branch. As I finished and turned to exit I noticed the network patch cords connected to the ATM NIC were exposed; it shouldn't be like this … someone could

a) Take a picture (like I did) and shout at the bank about the lack of cable security
b) Yank out the cord and put the ATM out of order temporarily
c) Rig the I/O (network socket) by connecting a hub & AP (a power socket was inches away) and hack into the bank network

The third is serious stuff; I wondered how one could accomplish this task. Here is a possible way...

Requirements:

Steps:

1) Select a Sunday night
a) Not much traffic b) Detection may happen only well into business hours on Monday.

2) Get into the ATM with a companion on crutches
He needs help, and this takes care of the security guard.

3) Let the companion use the ATM (just fiddling around as if operating it); meanwhile do something like dropping papers on the floor and, under the pretext of gathering them up, quickly connect the equipment (hub, AP & power) and move something inconspicuous like the wastepaper bin (there is usually one) to hide them from normal view.
This takes care of the camera (you are out of view and just picking up some papers) and the casual glance of anyone (the wastepaper bin blocks the gear).

4) Sit in a parked car within range of the AP (I saw a good quiet lane across the road), and…

4a) Check for vulnerable hosts online, PWN and get data, plant back-doors, c&c,…

4b) Or simply capture packets from the ATM interface to check for valuable information


The idea of this post is just to look at the possibility, hence it is kept simple; but this requires a lot of skill (which I don't have :-) ) and may turn out to be taken as FUD.

I plan to inform the bank about this weakness; let me see how they view it.
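The scenario above assumes that nobody notices until Monday. From the bank's side, the cheapest counter is to treat the switch port feeding an ATM as one that must never change state unannounced: the branch switch already logs link up/down and port-security violations to syslog, so a rule that flags any such event on an ATM-facing port (and raises severity outside business hours) catches a cable being pulled or a hub being inserted within seconds, not on Monday morning. The following is an added example, not part of the original post. It assumes a simplified Cisco IOS-style syslog line format, a made-up host name, interface names and MAC address (the sample lines are constructed, not real captures), and an assumed business window of Monday to Saturday, 09:00 to 18:00.

```python
import re
from datetime import datetime, time

# Constructed sample lines in a simplified Cisco IOS syslog style.
# Host name, interfaces and the MAC address are made up for this example.
SAMPLE_LOG = """\
Dec 13 19:58:02 sw-branch-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to down
Dec 13 19:58:07 sw-branch-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up
Dec 13 19:58:09 sw-branch-01 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/12.
Dec 14 10:15:30 sw-branch-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to down
"""

# Assumption: these switch ports feed ATMs; any state change on them is worth an alert.
ATM_PORTS = {"GigabitEthernet0/12"}

# Assumption: branch business hours are Monday-Saturday 09:00-18:00; Sunday is entirely after-hours.
BUSINESS_DAYS = {0, 1, 2, 3, 4, 5}            # Monday=0 ... Saturday=5
BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<mnemonic>%[A-Z_0-9]+-\d-[A-Z_0-9]+): (?P<msg>.*)$"
)
LINK_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")
PSEC_RE = re.compile(r"MAC address (?P<mac>\S+) on port (?P<iface>[^\s.]+)")


def parse_line(line, year):
    """Split one syslog line into timestamp, host, message mnemonic and free text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['hms']}", "%b %d %Y %H:%M:%S")
    return {"time": stamp, "host": m["host"], "mnemonic": m["mnemonic"], "msg": m["msg"]}


def is_after_hours(stamp):
    """True when the timestamp falls outside the assumed business window."""
    if stamp.weekday() not in BUSINESS_DAYS:
        return True
    return not (BUSINESS_START <= stamp.time() < BUSINESS_END)


def classify(record):
    """Map a parsed record to (kind, interface, detail) for the two message types of interest."""
    if record["mnemonic"] == "%LINK-3-UPDOWN":
        m = LINK_RE.search(record["msg"])
        if m:
            return f"link_{m['state']}", m["iface"], ""
    elif record["mnemonic"] == "%PORT_SECURITY-2-PSECURE_VIOLATION":
        m = PSEC_RE.search(record["msg"])
        if m:
            return "port_security", m["iface"], m["mac"]
    return None


def find_atm_port_events(log_text, atm_ports=ATM_PORTS, year=2009):
    """Return one alert per link-state change or port-security violation on an ATM-facing port."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is None:
            continue
        kind, iface, detail = hit
        if iface not in atm_ports:
            continue                      # other ports are someone else's problem
        alerts.append({
            "time": rec["time"].isoformat(sep=" "),
            "host": rec["host"],
            "interface": iface,
            "kind": kind,
            "detail": detail,
            "severity": "high" if is_after_hours(rec["time"]) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_atm_port_events(SAMPLE_LOG):
        print(alert)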


Wednesday, December 9, 2009

Automated tool assisted vulnerability assessments

ISO27001 requirement 15.2.2, Technical compliance checking, states: "Information systems shall be regularly checked for compliance with security implementation standards"

Code of practice ISO27002 states "Technical compliance checking should be performed either manually (supported by appropriate software tools, if necessary) by an experienced system engineer, and/or with the assistance of automated tools, which generate a technical report for subsequent interpretation by a technical specialist"

ISO27k certified companies need to conduct periodic vulnerability assessments and hence employ consultants for this. Mostly the scope is to run a series of predominantly automated tests using vulnerability scanners and provide a report & recommendations.

This makes them compliant, but is this enough? NO.

This post was triggered by thoughts after

> Reading Information Escapology, part five – Careful with That Proxy, Eugene... Will a standard vulnerability assessment address this? I guess no. It depends on who is doing it, the depth, the methodology, etc.

> After hearing this from a consultant (someone I trust): it seems that after a capability presentation session to a large company, the company's CISO asked him whether they were the Authorized Scanning Vendor for the scanning tools and whether the consulting company was PCI DSS compliant... these were the only questions he had on the vulnerability assessment service process; nothing on things like the typical approach, methodology, depth, etc. Is it enough if your consultant is an ASV for a tool? Do you need to be PCI DSS compliant to do a vulnerability scan?

Conclusion: for most of them it looks like only compliance matters, or they want a testing service that is so cookie-cutter that the scope will be automatically limited to basic scan-and-patch kinds of findings.


Sunday, December 6, 2009

CISO and/with IT roles; few thoughts...

CISO reporting to board of directors: Myth or for real? has some quite interesting views on the role of the CISO; certainly worth reading and discussing.

“… four aspects to be kept in mind, while deciding a CISO's reporting pattern:
(a) The CISO should be seen as a strategic role.
(b) He must be at a leadership level.
(c) The CISO should be independent of IT
(d) He should report to a very senior person in the organization, who has strong hold within the organization”

While the points above are good in general, I believe point "c" is too idealistic and actually depends on the organization's dynamics. The IT & CISO roles can conflict in certain scenarios, but that is certainly not impossible to manage.

“When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective than just IT.”

One cannot presume that IT roles (I am talking about leadership roles) will so severely constrain views to the extent of being considered to be in a shell; any experienced IT pro will have the capability to avoid this state.

“if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement”

I disagree with this; an organization having a CISO role in the org chart will have reasonably mature management systems where roles are clearly defined. If a person here is doubling up in the CISO role, he/she will be at a level at which their involvement in the execution of day-to-day operational tasks/transactions will be nil or at most minimal. Of course I agree with the CISO being responsible for risk management and improvements.

I play multiple roles: project management, service delivery, information security, etc. Though I face tough conflicting situations regularly, they are being managed effectively.

Finally, it all depends on the organization's dynamics; no standardization can be applied.

Well… though off-topic, this article Let a Hundred Flowers Blossom has made me rethink standardization. Right now I am thinking about the various standardizations present in our management systems.


Saturday, November 28, 2009

Do certification audits also suck?

This post, why do pen-tests suck?, triggered my thoughts and I started thinking about certification audits.

I have personal experience of dealing with ISO27001 auditors from certifying companies with very limited knowledge of IT infrastructure & technical areas, and some of them are even from non-IT backgrounds (I have seen audit findings in all CAPS :-) ). Without this crucial knowledge they will not be able to find any gaps, hence the audit will be ineffective. I am also aware of the option/process of having a domain expert during an audit; perhaps this is not practiced as it might uncover too many gaps that may be expensive to fix.

If certifying company auditors did a comprehensive job I am sure things would change…


Wednesday, October 14, 2009

NIST Small Business InfoSec document - a guide for small and medium business

NIST has released Small Business Information Security: The Fundamentals, a best-practice guide for small business; this is certainly a good step forward. Threats for this segment are no different from those for large enterprises; even the PCI council's recommendations Skimming Prevention: Best Practices for Merchants can be used by companies including small shops.

"PCI's Russo says the guidelines are for all sizes of retailers, but are especially geared for helping mom-and-pop retailers: "A small merchant that makes pizza isn't going to know much when someone with a terminal shows up with a business card and says he's there to put in a replacement, but is doing something [malicious] with it and leaving it there,""

However, most of these threats can be easily mitigated by adopting some basic systems, and the NIST document is an excellent place to start.


Wednesday, September 30, 2009

Botnets are targeting enterprises, and they are lean & mean

This post at Damballa, Botnet Size within the Enterprise, highlights a few important points about botnets in the enterprise:

- Botnets with fewer than 100 members are 57% of the botnet population & these may be targeting specific enterprises or verticals

- They are probably more professionally managed, specifically targeting corporate systems & data within the target enterprise.

- They may be the work of employees backdooring critical systems for the comfort of remote management, bypassing security policies; but these are made with DIY malware construction kits, hence providing a parallel path for the DIY kit providers to access those critical systems.


Saturday, September 26, 2009

Few interesting things observed this week - wk 39

Security stuff:

Damballa says that botnet infections in enterprises have increased and these could be custom-made for the targeted organisation:

"The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine"

These botnets are very intelligent:

"they are typically more automated than bots in the big botnets" and "are also increasingly using more and different types of malware rather than one particular family in order to evade detection"

Security Monkey has posted What Does The Internet Know About You?, providing good advice & tips for protecting your privacy on the Internet

Looks like the state of affairs with merchants/retailers is so bad that this post on Dark Reading hints at cash: Debit Or Credit? Neither

Neat post providing information about malware characteristics: Categories of Common Malware Traits

This white paper is a must-read for anyone thinking about NAC, and of course for users also: A technical exploration of why NAC is failing

The PCI Virtualization Special Interest Group (SIG) is addressing PCI DSS virtualization compliance questions in the next update, due next year

General stuff: 

This writeup has some good pointers for those CCNAs wondering what next after CCNA?

Cyborgs could become a reality: the Pentagon has developed a cyborg beetle... hope my son will see a real Terminator kind of cyborg :-)

MIT has conceptualised and is developing camera-glasses & an implantable microchip that could help the blind gain some amount of vision. Though this is ground-breaking stuff, the article also cites a couple of other similar efforts in progress as early as 2002.


Thursday, September 24, 2009

BHO-dropping Monkif is growing & delivering specialized payloads

"Trojans such as Monkif often deliver specialized payloads comprised of predetermined malicious code and wait to engage in more generic activity"

"Due to their unrestricted access in browsers such as the Internet Explorer event model, malware such as that downloaded and executed by Monkif has been created as BHOs. In many instances, such code is capable of detecting secure HTTP sessions between a financial institution and the compromised host, and subsequently setting in motion a series of events that capture all information associated with a given user's key strokes"

I wouldn't say things like change to non-Windows, don't use IE, etc. It is highly critical to have systems fully patched (which means applications also), A/V updated, and to run periodic maintenance such as adware/spyware scans... this should help in reducing your exposure.


Saturday, August 15, 2009

DLP is not only the tool...

A lot of IT managers I meet think DLP is just software that you deploy on the network; this results in ineffective controls. SANS Critical Control 15 has a neat definition of DLP:

"The phrase “Data Loss Prevention” (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework."

Source: SANS Critical Control 15: Data Loss Prevention

Monday, July 27, 2009

Few thoughts and links from the past few days (July 25 –27)

Remote IT support tool hijacks customer web server:

A couple of things I noticed that TeamViewer (or any remote support tool vendor) shouldn't be doing:

a) Monitoring HTTP requests without specific disclosure of the details of the feature.

b) Starting a web server and showing an advertisement without providing any additional/alternate information about the main site being down (I would appreciate it if they showed a custom message, maybe with ads).

c) Not providing the workaround solution on receipt of the incident.

Source article: Remote IT support tool hijacks customer webserver

Exchange 2010 Archiving:

Microsoft Exchange 2010 has enhanced archival features that may reduce .pst management complexities; Multi-Mailbox Search & Legal Hold also appear to be interesting features.

A potential downside I can think of is management of the secondary mailbox quota.

Technet blog: Exchange 2010 Archiving... Why to Archive???

Home page: Microsoft Exchange Server 2010 Archiving and Retention

I found these points very important for any leader to ask himself:

When a meeting feels flat and perfunctory, what's going on? What's on people's minds that they are not saying?

What's possible now that was not possible last year/month?

Of course the others are also valid; see the source article: Ten questions every leader ought to be asking

I thought pickpockets were low-tech criminals till I read this:

Ringleader of High-Tech Pickpocket Gang Pleads Guilty

Sunday, June 21, 2009

A Managed network solution for SMB

Being from frontline IT support, I often receive calls from my friends, acquaintances, friends of friends, etc. asking for technical advice; the recent one was from a small business owner (a friend of a friend). They wanted to get their business ISO27001 certified and hired a consultant. The consultant did a preliminary assessment of their IT, including technical areas, and provided a report of gaps.

The owner checked around and called me; they were basically looking at a managed network with policies, procedures, management/monitoring, controls like internet browsing restrictions, firewall/IDS, system/network logs, etc. While the policy and procedures part was handled by the consultant, he wanted advice on the technical stuff.

And they wanted all this at the lowest possible cost.

About the infrastructure: a switched network, broadband ISP, 2 servers, 45 desktops, 6 notebooks. All OSes were Windows, the router was a basic ISP-provided one, centrally managed antivirus was running on all boxes, MS patches via WSUS, other software patched manually on a monthly basis; in total it was an averagely managed environment.

I said I would revert in a day and gave this list: Firewall = Cisco ASA 5505 Base with Security Plus bundle, Proxy = Squid, IDS = Snort with Aanval free license, S/NMS = Nagios, Syslog = Kiwi (now SolarWinds), Log analysis = Splunk free version.

All the above are planned to be configured on a Dell PowerEdge server running VMware ESXi. The real challenge is in the solution integration, so I also gave them a few references (mentioning them here would be promotion) for implementation and management of these.

I shall of course follow-up and update if anything interesting comes up.

Sunday, May 3, 2009

IT support friendly features in Windows 7…

Integrated PowerShell

Unlike XP and Vista, PowerShell 2.0 is built in. After all, systems administration is all about scripting and automation.

AppLocker

Software Restriction Policy is replaced by this. We can create rules to specify which files are allowed to run; unspecified files are not allowed to run by default. There is a log-only option called "Audit mode" which allows unspecified apps to run but logs an event (there is an AppLocker event log).
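The useful part of Audit mode is that log: run it for a few weeks and the "would have been blocked" events tell you exactly which rules are missing before you switch to enforcement. The script below is an added example (not from the original post, and not a Microsoft tool) that reduces such an export to a per-file summary. It assumes the events have been exported as XML from the AppLocker log (Event Viewer can save events that way, or a PowerShell Get-WinEvent call can produce the same XML), that audit-mode "allowed but would be blocked" events carry ID 8003 in the "EXE and DLL" log and 8006 in "MSI and Script", and that the RuleAndFileData block holds PolicyName, TargetUser, FilePath and Fqbn elements. The three sample events are constructed; the SIDs, paths and publisher strings are made up.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Audit-mode events: "allowed to run, but would have been blocked if enforced".
# Assumption: 8003 for the "EXE and DLL" log, 8006 for "MSI and Script".
AUDIT_WOULD_BLOCK = {8003: "EXE and DLL", 8006: "MSI and Script"}

# Constructed sample export: three events, two of them audit-mode "would block".
# Event 8002 ("allowed") is included to show it is filtered out.
SAMPLE_EXPORT = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8003</EventID><TimeCreated SystemTime="2009-05-04T09:12:44Z"/></System>
  <UserData><RuleAndFileData>
    <PolicyName>EXE</PolicyName>
    <TargetUser>S-1-5-21-100-200-300-1001</TargetUser>
    <FilePath>%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE</FilePath>
    <Fqbn>-</Fqbn>
  </RuleAndFileData></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8003</EventID><TimeCreated SystemTime="2009-05-04T09:40:10Z"/></System>
  <UserData><RuleAndFileData>
    <PolicyName>EXE</PolicyName>
    <TargetUser>S-1-5-21-100-200-300-1002</TargetUser>
    <FilePath>%PROGRAMFILES%\EXAMPLEVENDOR\TOOL.EXE</FilePath>
    <Fqbn>O=EXAMPLE VENDOR, L=EXAMPLE CITY, C=US\TOOL SUITE\TOOL.EXE\1.2.0.0</Fqbn>
  </RuleAndFileData></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8002</EventID><TimeCreated SystemTime="2009-05-04T09:41:00Z"/></System>
  <UserData><RuleAndFileData>
    <PolicyName>EXE</PolicyName>
    <TargetUser>S-1-5-21-100-200-300-1001</TargetUser>
    <FilePath>%WINDIR%\SYSTEM32\NOTEPAD.EXE</FilePath>
    <Fqbn>O=EXAMPLE OS VENDOR, L=EXAMPLE CITY, C=US\EXAMPLE OS\NOTEPAD.EXE\6.1.0.0</Fqbn>
  </RuleAndFileData></UserData>
</Event>
</Events>"""


def _text(elem, path):
    """Text of the first child matching a namespaced path, or "" if absent."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def parse_events(xml_text):
    """Turn an AppLocker event export into a list of flat dicts."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        data = ev.find("e:UserData/e:RuleAndFileData", NS)
        if data is None:
            continue                      # not an AppLocker rule/file event
        created = ev.find("e:System/e:TimeCreated", NS)
        events.append({
            "event_id": int(_text(ev, "e:System/e:EventID")),
            "time": created.get("SystemTime", "") if created is not None else "",
            "policy": _text(data, "e:PolicyName"),
            "user": _text(data, "e:TargetUser"),
            "path": _text(data, "e:FilePath"),
            "fqbn": _text(data, "e:Fqbn"),    # "-" when the file is unsigned
        })
    return events


def would_be_blocked(events):
    """Keep only audit-mode events that an enforced policy would have blocked."""
    return [e for e in events if e["event_id"] in AUDIT_WOULD_BLOCK]


def summarize(events):
    """Group by file path: how often, by whom, and whether a publisher rule is even possible."""
    summary = {}
    for e in events:
        entry = summary.setdefault(e["path"], {
            "count": 0,
            "users": set(),
            "policy": e["policy"],
            "signed": e["fqbn"] not in ("", "-"),
        })
        entry["count"] += 1
        entry["users"].add(e["user"])
    return summary


if __name__ == "__main__":
    blocked = would_be_blocked(parse_events(SAMPLE_EXPORT))
    for path, info in sorted(summarize(blocked).items(), key=lambda kv: -kv[1]["count"]):
        rule = "publisher rule" if info["signed"] else "hash rule (unsigned)"
        print(f"{info['count']:3d}  {path}  users={len(info['users'])}  -> {rule}")
```

The "signed" flag is the decision point when turning the findings into rules: a signed file can get a publisher rule that survives version updates, while an unsigned download like the SETUP.EXE above needs a hash rule or, more likely, no rule at all.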

Other features I liked would be Windows XP Mode and native support for VHDs.