2011 – the year the cyber security fightback began

Have just put the finishing touches to V3’s information security round-up/predictions piece so thought I’d share a few of the headlines with you here.

First the bad news – 2011 witnessed an unprecedented number of security incidents, with attacks launched by the usual suspects including state-sponsored hackers and cyber criminals as well as hacktivists such as the Anonymous online collective.

This new breed of hacker caused organisations from a wide variety of industries some serious problems throughout the year, launching denial of service attacks, harvesting and posting sensitive information online and even hacking the web site of The Sun to post a fake story.

Mobile became a big focus for attack in 2011 too, as the perfect storm of powerful consumer devices and the trend towards consumerisation in the workplace made them an attractive target for cyber criminals. All the major platforms have been found to contain security weaknesses, but Android is still by far the worst, given its open ecosystem, which allows fake, malicious apps to be uploaded and sold on the official application store with disturbing ease.

The fall-out from the infamous Stuxnet worm also continued apace in 2011, as huge numbers of flaws were revealed in Scada and other industrial control systems that operate everything from nuclear power plants to sewage works. We can expect these vulnerabilities, and as yet undiscovered ones, to be exploited in earnest by hacktivists, state-sponsored hackers and cyber criminals in 2012.

And now for the good news. The past 12 months have seen some spectacular wins for law enforcement and industry players like Microsoft and Trend Micro in working together to take down big name botnets including Rustock, Coreflood and Esthost. These botnets are the root cause of most global cyber threats and if we can get a little better at cross-border, cross-industry co-operation, things may not be as bad as all that in 2012 after all.


Cloud computing not for everyone

Just got off the phone after a conversation with Dilbagh Virdee, an IT manager at Lord’s cricket ground, which threw up some rather interesting insights about the disconnect between vendors/analysts/journalists and the actual customers.

Ostensibly we were there to talk about his implementation of Trend Micro’s Enterprise Security Suite – which went very well by the way, thanks for asking. What soon became clear though is that some companies are just not jumping on board with the whole cloud computing thing.

Now, Virdee said that Lord’s, despite being the home of cricket and one of the world’s most famous sporting grounds, is not actually all that different to manage than any other organisation. If anything, he said, the single site set-up makes it more straightforward to manage than many organisations which have to deal with clusters of Exchange servers, WANs and the rest over multiple locations.

An average company then, but one with no great desire to go cloud. He said:

“I don’t know if we want to go to the cloud. It has been around for many years and all that’s happened is it has been rebranded. Unless we feel it’s the right fit we’ll be leaving it alone.”

Now I’m not saying Virdee is representative here, and in fact maybe this conversation stood out in my mind by virtue of its being so unusual, but it is interesting what you hear when you speak to real IT practitioners.

While vendors, analysts and journalists seem intent on hyping up the cloud to the max, most IT managers are taking a rightly more pragmatic approach. Virdee is absolutely correct to be cautious about jumping on board the cloud bandwagon, whether he’s thinking public, private or hybrid.

As with all new technologies – and as he alluded, there is a case for saying that the cloud is more of a new marketing term than a new technology platform – the key is to do your due diligence, ask the right questions then take stock.

Knowing the right questions to ask, of course, can be the tricky bit.


China does it again with crack down on web rumours

The Chinese government came good this week on its promise to come down hard on anyone it suspects of spreading ‘harmful’ rumours on the world wide web.

It’s yet another example of the increasingly uncompromising stance adopted by China in the face of what it sees as a huge threat to the Communist Party’s control and power – social media.

Where it will end no-one knows, but as high profile politicians such as William Hague and Joe Biden said at the recent London Conference on Cyberspace I reported from, any country deliberately blocking the free flow of information in such a way will eventually come unstuck.

Famous for its hard-line approach to online expression and the free flow of information, the authorities had already forced more than 30 major technology companies in the country, including Baidu, Lenovo and China Telecom, to agree to tighter censorship to control the spread of rumours.

China Daily reported this week that two men had been arrested in Changsha, Hunan after suggesting that a huge police escort had been spotted guarding a wedding in the city last week. The authorities denied this, and didn’t take kindly to the clip of the wedding escort which the men posted online.

They were apparently detained for four days.

Things are likely to get worse before they get better for the people of China, and for businesses trying to navigate local laws and the various cultural roadblocks in their way, it seems that a local partner is still a must-have for success.


ID fraud and LinkedIn: a marriage made in heaven?

Have just written a pretty extensive blog on identity fraud, off the back of an interview I had with Jason Hart, managing director of authentication firm CryptoCard.

Aside from his current role, Jason has an impressive 17+ year history in the information security business, many of those years spent as an ethical hacker where he tried, and succeeded in most cases, to crack password systems.

As a former ethical hacker, Jason is the perfect person to articulate exactly how easy it is for cyber criminals to obtain the information they need to either socially engineer a cyber attack, crack an account password or commit some other kind of ID fraud. To put it simply: it’s incredibly easy. LinkedIn was highlighted as a particularly rich source of personal information for hackers, and given the social network’s professional slant, this could be a particular concern for IT managers if cyber crims see it as an easy way to compromise an employee’s PC.

The example he gave was of a fraudster trawling the network for any professionals who had just started a new role. They could email the victim pretending to be from HR or IT, requesting certain information or encouraging the user to click on a malicious link. Most would not even query whether this email or the sender was legitimate or not, he claimed.

It’s a simple technique made possible by virtue of the fact far too much info is being posted on these sites and is publicly available when it shouldn’t be. So whose fault is it? Facebook has been criticised in the past for the complexity of its privacy settings, while LinkedIn sent me a fairly unequivocal statement about where it expects the balance of responsibility to lie:

“As a member of LinkedIn, you have full control over what information you share with your connections and beyond.  Privacy settings allow you to control what information you make available to search engines through your public profile, and to control the messages you receive from LinkedIn and other users. The privacy settings also allow you to control visibility and accessibility throughout the web site.”

The problem here is visibility. LinkedIn’s fabled privacy settings are not the easiest to find and, while certainly simpler to get to grips with than Facebook’s, may still cause some people issues. As with all security and privacy arguments, if usability is compromised too much, it renders any security obsolete. This is, after all, why so many sites still only offer static passwords to authenticate users rather than two-factor systems.

Ultimately though, the rather unsatisfying answer is probably that users will just have to get more savvy, and for savvy read disciplined, at screening their emails.


Visa and the woes of 3D Secure

Trend Micro’s Rik Ferguson alerted me on Friday to a persistent problem with the credit card authentication system Verified by Visa relating to the password reset.

Basically, this ongoing problem, which I think The Register covered about three years ago, could allow a fraudster to reset the VbyV password and start using a stolen card.

Now, this isn’t exhaustive research and the exact implementation of the 3D Secure system, which is designed to make transactions more secure, probably changes from card provider to card provider.

However, in certain instances it asks for three pieces of info obtainable from the card and a fourth (birth date) which is obtainable from just about anywhere online.

Ferguson suggested, very sensibly, that birth date should never be used as a secret question. Instead a one-time password reset URL should be delivered to a registered email address.
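To make the contrast concrete, here is an added example (my own illustration, not code from Visa, Trend Micro or any real 3D Secure implementation) of the two reset designs side by side: a knowledge-based check whose "secrets" are all printed on the card or discoverable online, beside a single-use, time-limited reset token that is only ever sent to the registered email address. Card numbers, the email address and the token lifetime are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes

# Constructed in-memory stores standing in for the card issuer's database.
REGISTERED_EMAIL = {"4111-xxxx-xxxx-1111": "cardholder@example.com"}
_pending_resets: dict = {}  # card -> {"digest": sha256 of token, "expires": unix time}


def weak_reset_check(supplied: dict, on_file: dict) -> bool:
    """The pattern criticised above: every 'secret' is either printed on the card
    or (birth date) publicly discoverable, so a stolen card plus a web search is
    enough to pass. Shown only to contrast with the token flow below."""
    keys = ("card_number", "expiry", "cvv", "birth_date")
    return all(hmac.compare_digest(str(supplied.get(k, "")), str(on_file[k])) for k in keys)


def issue_reset_token(card: str, now: Optional[float] = None) -> tuple:
    """Hardened alternative: mint a random single-use token, store only its hash
    with an expiry, and hand (recipient_email, token) to the mailer. Nothing on
    the card or about the cardholder lets a third party derive the token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending_resets[card] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return REGISTERED_EMAIL[card], token


def redeem_reset_token(card: str, token: str, now: Optional[float] = None) -> bool:
    """Accept a token only if it matches, has not expired and has not been used.
    The record is removed on every attempt, so a token cannot be replayed and a
    wrong guess burns it rather than allowing repeated tries."""
    now = time.time() if now is None else now
    rec = _pending_resets.pop(card, None)
    if rec is None or now > rec["expires"]:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), rec["digest"])


if __name__ == "__main__":
    email, tok = issue_reset_token("4111-xxxx-xxxx-1111")
    print(f"mail https://issuer.example/reset?t={tok} to {email}")  # placeholder URL
    print("redeemed:", redeem_reset_token("4111-xxxx-xxxx-1111", tok))
```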

Most disappointing in all of this was a very lengthy but ultimately unsatisfying response from Visa which basically amounted to “VbyV does a good job of cutting fraud and any further tweaks to it would tip the anti-fraud/convenience balance dangerously the wrong way for users, retailers and card providers”.

I guess we’ll have to wait until that tipping point, when it becomes a tried and tested method of bypassing 3DS; then the card giants will have to sit up and listen.

Link to my original story is here.