Tuesday 30 September 2014

InfoSec for the Fourth Estate - Free eBook

The Snowden revelations made quite clear the need to protect the source of information as well as the information itself.
For the first time journalists are now aware that virtually every electronic communication we make or receive is being recorded, stored and subject to analysis and action. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, the sources, the stories and journalistic work itself are under threat.

Silkie Carlo and Arjen Kamphuis have compiled a book, distributed under a Creative Commons licence, titled "Information Security for Journalists".

The book is written in the plainest terms possible, with comprehensive instructions, sharing a shortcut to this learning process – without compromising knowledge, teaching or security. The best way to learn is by doing – so we strongly advise that you use this handbook whilst also tooling up for infosec, and follow instructions as you go along.

You can download the book here.



They have published their work under Creative Commons licence terms (CC BY-NC-SA 4.0).

Monday 29 September 2014

European Data Authorities vs. Google

In order for Google to comply with European Union law, EU privacy regulators recommended that the company make its privacy policies easier to find and understand, by publishing exhaustive lists of what data it holds and processes.

On September 23rd, the EU regulators addressed a letter to Larry Page asking Google to determine the means of achieving these legal requirements: "Google must meet its obligations with respect to the European and national data protection legal frameworks..."

Google received the package of recommendations from the Article 29 Working Party (WP29), a group of European data protection authorities. While WP29 has no power to sanction the company, its members have imposed fines in a number of cases following Google's 2012 changes to its privacy policy, which several national privacy regulators found breached EU rules.
The guidelines are just one way the company could comply with the law, and are not compulsory, but neither do they pre-empt enforcement actions by national authorities, the WP29 said, adding that it remains open to discussing any other measures that Google would propose to address the legal requirements.

The privacy policy should have clear, unambiguous and comprehensive information regarding data processing, including an exhaustive list of the types of personal data processed. In case that should prove too much information for some, WP29 also suggested personalizing the privacy policy for authenticated users, showing them only the data processing it is performing on their data.
Google must also provide users with more elaborate tools to manage their personal data and to control the usage of their personal data between all Google services, WP29 said. This could be done by making the current dashboard more accessible and including all Google services in that dashboard, in order to allow users to control the use of their personal data.

There is no deadline set for Google to respond to the suggestions of the group. The WP29 is considering issuing guidance on specific issues to the entire industry at a later stage.

Sunday 28 September 2014

Privacy is in the eye of the beholder

Recent articles - like this and this - state that the FBI and the NSA are greatly concerned about the new encryption algorithm that the latest iPhone models use.

Apple has tried hard to persuade iPhone users, also by updating its privacy policy, that their privacy is well guarded and that even government authorities have a hard time breaking the encryption on their devices. The phone encrypts emails, photos and contacts based on a complex mathematical algorithm that uses a code created by, and unique to, the phone’s user — and that Apple says it will not possess.

As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security. Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license. Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits". In addition, other items require a one-time review by or notification to BIS prior to export to most countries. For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required. Export regulations have been relaxed from pre-1996 standards, but are still complex. Other countries, notably those participating in the Wassenaar Arrangement, have similar restrictions.

The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating States seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities. Category 5 - Part 2 of Wassenaar Arrangement is titled Information Security and states the rules that govern 'The status of "information security" equipment, "software", systems, application specific "electronic assemblies", modules, integrated circuits, components or functions is determined in Category 5, Part 2 even if they are components or "electronic assemblies" of other equipment'. 

Though I am not a lawyer, and I also hate conspiracy theories, I cannot but deduce that government authorities in the US are fully aware of the encryption technology that is exported. This does not automatically solve their problem of eavesdropping on encrypted data, but it gives them a good head start.

According to an Apple technical guide, breaking the code could take “more than 5 1/2 years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers". This statement made me use the passfault password analyzer, a free tool offered by OWASP.

The scenario is simple: a 6-character alphanumeric password that follows simple password complexity rules.
Under the strongest hashing option provided by the tool (Unix BCrypt Hash), it takes from 3 days to 1 year and 9 months to break the password, depending on the equipment used. And yes, the 3 days corresponds to government-level equipment.
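To see where figures like Apple's "5 1/2 years" and passfault's estimates come from, here is a small brute-force calculator added to this post (it is not Apple's guide, nor the passfault tool). The 80 ms per attempt is an assumption taken from Apple's own description of the on-device passcode key derivation; the other guessing rates are constructed for comparison and are not from any measurement on this page.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passcodes of the given length over the given alphabet."""
    return charset_size ** length


def time_to_exhaust_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passcode at a fixed guessing rate."""
    return keyspace(charset_size, length) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Assumption: the device's key derivation is calibrated so that one passcode
# attempt costs about 80 ms, i.e. 12.5 guesses per second. Because the derivation
# is tied to the device, the guess rate cannot be raised by moving to faster hardware.
DEVICE_GUESSES_PER_SECOND = 1 / 0.080


def apple_guide_years() -> float:
    """6-character passcode over lowercase letters + digits (36 symbols) at the device-enforced rate."""
    return time_to_exhaust_seconds(36, 6, DEVICE_GUESSES_PER_SECOND) / SECONDS_PER_YEAR


def scenarios() -> dict[str, float]:
    """Worst-case seconds for a few constructed scenarios; the offline rates are assumptions."""
    return {
        "4-digit PIN, on-device (12.5/s)": time_to_exhaust_seconds(10, 4, DEVICE_GUESSES_PER_SECOND),
        "6-char [a-z0-9], on-device (12.5/s)": time_to_exhaust_seconds(36, 6, DEVICE_GUESSES_PER_SECOND),
        "6-char [a-z0-9], offline bcrypt (1e4/s)": time_to_exhaust_seconds(36, 6, 1e4),
        "6-char [a-z0-9], offline fast hash (1e9/s)": time_to_exhaust_seconds(36, 6, 1e9),
        "10-char [a-zA-Z0-9], offline fast hash (1e9/s)": time_to_exhaust_seconds(62, 10, 1e9),
    }


if __name__ == "__main__":
    print(f"Apple guide scenario: {apple_guide_years():.2f} years")
    for name, secs in scenarios().items():
        print(f"{name:48s} {describe(secs)}")
```

The on-device line reproduces Apple's figure almost exactly (36^6 guesses at 80 ms each is about 5.5 years), which is the whole point of a rate limit tied to the hardware: the same six characters fall in seconds against a fast hash once the data is copied off the phone, and a 4-digit PIN survives only minutes even with the delay.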

The choice is yours...

Friday 26 September 2014

Protect business information outside your organisation

European Cyber Security Month is at the gates. Follow some simple steps to protect the privacy and security of corporate information.
Ensure you keep sensitive information secure: When you are outside your organisation, keep sensitive information and equipment secure at all times to prevent theft or loss. Handle information with particular care in public places.

Keep business information confidential: Be aware that someone can overhear your conversation. Don’t make your organisation’s confidential information available to everyone.

Be aware of shoulder surfing: When travelling or working from a remote place, protect yourself against shoulder surfing.

Use webmail wisely: Using an internet browser to read your mail needs the same caution as a desktop mail client, and it has a few security risks of its own.

Thursday 25 September 2014

Information Security Strategy

An information security strategy is a plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements.  Typical steps to building a strategy include the definition of control objectives, the identification and assessment of approaches to meet the objectives, the selection of controls, the establishment of benchmarks and metrics, and the preparation of implementation and testing plans.

The selection of controls is typically grounded in a cost comparison of different strategic approaches to risk mitigation.  The cost comparison typically contrasts the costs of various approaches with the potential gains a financial institution could realize in terms of increased confidentiality, availability, or integrity of systems and data.  Those gains could include reduced financial losses, increased customer confidence, positive audit findings, and regulatory compliance.  Any particular approach should consider:

  1. policies, standards, and procedures; 
  2. technology design; 
  3. resource dedication; 
  4. training; 
  5. testing.
For example, an institution's management may be assessing the proper strategic approach to the security monitoring of activities for an Internet environment.  Two potential approaches are identified for evaluation.  The first approach uses a combination of network and host sensors with a staffed monitoring center.  The second approach consists of daily access log review.  The former alternative is judged much more capable of detecting an attack in time to minimize any damage to the institution and its data, albeit at a much greater cost.  The added cost is entirely appropriate when customer data and institution processing capabilities are exposed to an attack, such as in an Internet banking environment.  The latter approach may be appropriate when the primary risk is reputational damage, such as when the only information being protected is an information-only Web site, and the Web site is not connected to other financial institution systems.

Governance
Governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, monitoring, and accountability. Governance is required to ensure that tasks are completed appropriately, that accountability is maintained, and that risk is managed for the entire enterprise.  Although all aspects of institutional governance are important to the maintenance of a secure environment, this booklet will speak to those aspects that are unique to information security.  This section will address the management structure, responsibilities, and accountability.

Responsibility and Accountability
The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program, and making senior management accountable for its actions. Oversight requires the board to provide management with guidance; approve information security plans, policies and programs; and review reports on the effectiveness of the information security program. The board should provide management with its expectations and requirements and hold management accountable for

  • Central oversight and coordination,
  • Assignment of responsibility,
  • Risk assessment and measurement,
  • Monitoring and testing,
  • Reporting, and
  • Acceptable residual risk.
The board should approve written information security policies and the written report on the effectiveness of the information security program at least annually.  A written report to the board should describe the overall status of the information security program.  At a minimum, the report should address the results of the risk assessment process; risk management and control decisions; service provider arrangements; results of security monitoring and testing; security breaches or violations and management's responses; and recommendations for changes to the information security program. The annual approval should consider the results of management assessments and reviews, internal and external audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls.

Senior management's attitude towards security affects the entire organization's commitment to security.  For example, the failure of a financial institution president to comply with security policies could undermine the entire organization's commitment to security.
Senior management should

  • Clearly support all aspects of the information security program;
  • Implement the information security program as approved by the board of directors;
  • Establish appropriate policies, procedures, and controls;
  • Participate in assessing the effect of security issues on the financial institution and its business lines and processes;
  • Delineate clear lines of responsibility and accountability for information security risk management decisions;
  • Define risk measurement definitions and criteria;
  • Establish acceptable levels of information security risks; and
  • Oversee risk mitigation activities.
Senior management should designate one or more individuals as information security officers. Security officers should be responsible and accountable for administration of the security program. At a minimum, they should directly manage or oversee the risk assessment process, development of policies, standards, and procedures, testing, and security reporting processes.  To ensure appropriate segregation of duties, the information security officers should report directly to the board or to senior management and have sufficient independence to perform their assigned tasks.  Typically, the security officers should be risk managers and not a production resource assigned to the information technology department.

Security officers should have the authority to respond to a security event (a security event occurs when the confidentiality, integrity, availability, or accountability of an information system is compromised) by ordering emergency actions to protect the financial institution and its customers from an imminent loss of information or value.  They should have sufficient knowledge, background, and training, as well as an organizational position, to enable them to perform their assigned tasks.
Senior management should enforce its security program by clearly communicating responsibilities and holding appropriate individuals accountable for complying with these requirements.  A central authority should be responsible for establishing and monitoring the security program.  Security management responsibilities, however, may be distributed to various lines of business depending on the institution's size, complexity, culture, nature of operations, and other factors.  The distribution of duties should ensure an appropriate segregation of duties between individuals or organizational groups.

Senior management also has the responsibility to ensure integration of security controls throughout the organization.  To support integration, senior management should

  • Ensure the security process is governed by organizational policies and practices that are consistently applied,
  • Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,
  • Enforce compliance with the security program in a balanced and consistent manner across the organization,
  • Coordinate information security with physical security, and
  • Ensure an effective information security awareness program has been implemented throughout the organization.
Senior management should make decisions regarding the acceptance of security risks and the performance of risk mitigation activities using guidance approved by the board of directors. Those decisions should be incorporated into the institution's policies, standards, and procedures.

Employees should know, understand, and be held accountable for fulfilling their security responsibilities. Institutions should define these responsibilities in their security policy. Job descriptions or contracts should specify any additional security responsibilities beyond the general policies.  Financial institutions can achieve effective employee awareness and understanding through security training and ongoing security-related communications, employee certifications of compliance, self-assessments, audits, and monitoring.

Internal auditors should pursue their risk-based audit program to ensure appropriate policies and procedures and the adequacy of implementation, and issue appropriate reports to the Board of Directors.

Management also should consider and monitor the roles and responsibilities of external parties.  The security responsibilities of technology service providers (TSPs), contractors, customers, and others who have access to the institution's systems and data should be clearly delineated and documented in contracts.  Appropriate reporting mechanisms should be in place to allow management to make judgments as to the fulfillment of those responsibilities.  Finally, sufficient controls should be included in the contract to enable management to enforce contractual requirements. 

iOS 8.0.1 #fail

On September 23rd, Crittercism reported that iOS 8's crash rate between September 17th and September 22nd was 3.3%, about 65% higher than iOS 7's at the same point in its post-launch timeline.

Apple released its first update for the new OS on Wednesday afternoon, just one week after the launch of iOS 8. It was meant to fix issues like "unexpected cellular data usage" when receiving text messages. Instead, after updating, users began to report that iOS 8.0.1 had interfered with their cell signal and other features like Touch ID. Most of the victims were proud owners of the new iPhone 6. Apple has published an official statement on the issue and withdrawn the update.

"We apologize for the great inconvenience experienced by users, and are working around the clock to prepare iOS 8.0.2 with a fix for the issue, and will release it as soon as it is ready in the next few days."

Until then use the following steps to restore your phone.

Follow these steps to re-install iOS 8.0.
  1. Make sure that you're using the latest version of iTunes.
  2. Connect your iPhone to iTunes.
  3. Back up your iPhone in iTunes on your Mac or PC. iCloud backups won't restore to earlier versions, including iOS 8.0.
  4. Download the file below that corresponds to your device:
    1. iPhone 6
    2. iPhone 6 Plus
  5. Select the file you just downloaded by doing one of these in iTunes:
    1. Mac: Press the Option key and click Check for Update.
    2. Windows: Press the Shift key and click Check for Update.
  6. Press Update to install iOS 8 on your iPhone.
The Health app won't work in iOS 8 after these steps. It will be fixed in our upcoming iOS 8.0.2 software update.


Wednesday 24 September 2014

Eiopa issues cyber warning

The European Insurance and Occupational Pensions Authority (Eiopa), one of the EU's financial regulators, has called on state regulators to check that insurance companies and other financial institutions devote sufficient resources to protecting against growing IT risks.

The risks facing the EU financial system have not changed substantially since the previous Joint Committee Report on Risk and Vulnerabilities, but recent developments illustrate that a number of key risks continue to challenge the stability of the European financial system:
  • a prolonged period of low growth combined with high indebtedness in the private and public sectors;
  • search-for-yield behavior risks that could be exacerbated by potential snapbacks;
  • risks stemming from emerging market economies;
  • risks from the deteriorating conduct of business by financial institutions;
  • increased concern about IT risks and cyber-attacks.
For more details you can read the full report.

Monday 22 September 2014

Protect your personal information and identity

Simple advice to protect your privacy and ensure that you will not be the next cyber-victim of an attack. Spread the ECSM message through your friends, colleagues, business and consumer channels.
Use a strong password: Your password is the equivalent of the lock and key to your house on the Internet. Passwords are a major defence, and developing good password practices will help keep your sensitive personal information and identity more secure. The password of your computer is the key to all the information — both corporate and personal — you have stored on your computer and in online accounts. Use a strong password to protect your data: use a complex set of characters; combine letters (capital and lowercase), numbers and symbols. The greater the variety of characters in your password, the harder it is to guess. Don’t use personal information — name, child’s name, birthdates, etc. — that someone might already know or easily obtain, and try to avoid common words: some hackers use programs that try every word in the dictionary.

Change your password regularly: If you believe your system has been compromised, change your passwords immediately.

Keep your password secret: Your password is unique and must not be shared with anybody. Whenever possible, try to commit your passwords to memory. Have a strategy to memorize them. If you write your passwords down, be careful where you store them. Do not leave these records of your passwords anywhere that you would not leave the information they protect.

Unique account, unique password: Use different passwords for each online account you access (or at least a variety of passwords). If you use the same password on multiple accounts, an attacker who gains access to one account will be able to access all of your accounts.

Secure your accounts: Many account providers offer additional ways to verify who you are before you conduct business on that site.

Own your online presence: When available, set the privacy and security settings on websites to your comfort level of information sharing. It is preferable to limit who you share information with.

Use social networking sites carefully: Be aware that social networking sites can bring together many of the risks associated with being online: online bullying, disclosure of private information, cyber-stalking, access to age-inappropriate content and, at the most extreme, online grooming and child abuse.

Sunday 21 September 2014

Integrated Desktop & Mobile Device Management Software

Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. Patch management tasks include: maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configurations required.


I was browsing for a free solution to manage a friend's accounting office and out of pure serendipity I found Desktop Central by ManageEngine.

Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point.

It automates regular desktop management routines like installing patches, distributing software, IT asset management, software licence management, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more. It supports both Windows and Mac operating systems.

It also lets you manage your mobile devices: deploy profiles and policies, configure devices for Wi-Fi, VPN, email accounts, etc., apply restrictions on using the camera, browser, etc., and secure your devices by enabling a passcode, remote lock/wipe, etc. You can manage all your iOS and Android smartphones and tablets.

And best of all, it's free for up to 25 computers and 5 mobile devices, perfect for an SME.

Friday 19 September 2014

E-Payment: Vulnerable Terminal Devices

A survey conducted by Kaspersky Lab and B2B International revealed serious security issues faced by financial companies and companies engaged in e-commerce. You can find the full report in pdf here. Specifically, only 52% of financial companies and 46% of businesses engaged in electronic commerce believe that they should take enhanced measures to protect financial transactions. Even fewer companies in this area provide protection for the devices of their customers.

E-commerce companies are the ones that focus least on the protection of financial activities. 16% of companies in the industry say they are not interested in installing specific security solutions against online fraud, while only 38% are willing to invest in such tools.
Overall, 30% of companies that handle online cash flows are not planning to offer protection for customers' devices during a transaction, although these are the weakest point in the security chain, with the potential impact of lost money for customers as well as a blow to the earnings and reputation of the company itself. 28% of businesses are not interested in installing anti-fraud software on customers' mobile devices, while 30% of businesses are not trying to protect their own information infrastructure from potential online fraud.

This attitude to payment protection can lead to negative comments from customers. According to the survey, three-quarters (3/4) of users expect financial companies to take responsibility for safeguarding their devices. Also, 40% of respondents feel confident that the company will offer compensation for any money lost.

However, Kaspersky Lab's statistics show that the number of digital threats targeting the financial data of individual users is growing constantly. For example, according to the Kaspersky Security Network, attacks using malicious software targeting online banking reached 1.4 million during the period May 19 to June 19, an increase of 15% compared with the period April 19 to May 19.


Simply Secure

A new entry in the infosec world. Simply Secure is a brand new organization that aims to solve one of the greatest issues of information security: making it easy to use for the end user.

People tend to be indifferent to their security in cyberspace, and that is because most of them do not fully, sometimes not even partially, understand the complex processes they need to follow in order to stay safe.

The security industry must stay united and assist users by simplifying the entire security process. From identity management to zero-day attack prevention, vendors, the academic community and security experts must provide a concrete and easy-to-follow framework for users. After all, why do we apply all this effort to stay secure online, if not for the users? Remember that information in all its forms and aspects is nothing if it is not useful, so why protect something of no value? From the ITIL framework point of view, if we suppose that the security industry provides a service to the end user, then we must add value to our customers by creating effective and efficient processes.

The founding principles of Simply Secure are:
  1. The future of a positive, accessible, and people-­centered Internet requires trustworthy privacy and security.
  2. If privacy and security aren’t easy and intuitive, they don’t work. Usability is key.
  3. Technology should respect the user’s desire for privacy and security.
  4. Users should not have to choose between services they like and services that are secure; ­­they should be able to easily adopt privacy and security solutions for existing services.
Information Security League fully supports the mission of Simply Secure.

Thursday 18 September 2014

iPhone 6 Security Features

The first devices to support Apple Pay will be the iPhone 6 and iPhone 6 Plus that come with built-in NFC support and Touch ID fingerprint sensor, as well as the Apple Watch (in early 2015), at which point Apple Pay will also work on older iPhones that are compatible with the wearable device, including the iPhone 5, iPhone 5c and iPhone 5s.

James Anderson, Group Head of Mobile and Emerging Payments at MasterCard, says EMV technology is at the heart of each Apple Pay transaction. When an Apple Pay user taps their iPhone on the terminal, the phone generates a unique string of numbers called a cryptogram.

Token Technology

Visa’s Jim McCarthy, whose team led the development of the Apple Pay technology, says Apple Pay actually takes EMV one step further thanks to its “tokenization” technology. Apple Pay – the mobile payment system that will work on the company’s iPhone 6 and iPhone 6 Plus models – will enable users to store credit card information on their phone. “The number itself is bound to the device,” explains McCarthy, “so we know the token should be used by the device only.” In short, if someone hacks into the phone and successfully retrieves your 16-digit token, the hacker won’t be able to use that number to make purchases if they don’t have the phone itself. The other benefit of tokenization is that if you lose your iPhone, you don’t need to get a new credit card – you can simply turn off that token through the “Find My iPhone” tool, says Anderson.

How does it work? In supporting stores, users will be able to pay for goods wirelessly by holding their iPhone 6 model or Apple Watch up to a payment terminal that supports NFC, at which point the default credit card will appear on the screen, though the user will be able to choose a different one if needed.

Furthermore, during transactions, instead of transmitting card numbers to the receiving terminal, the device only sends over a Device Account Number for each card and a “transaction-specific dynamic security code.” Moreover, Apple will not store purchase history on any device or in the cloud, and will only provide the user with a recent transactions list for convenience.
On the Apple Watch, a PIN has to be entered every time the device is removed from the user’s wrist; continuous skin contact means the device doesn’t have to be authorized a second time by the user via a PIN.
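To make "the token is bound to the device" and "transaction-specific dynamic security code" concrete, here is a small simulation added to this post. It is not Apple's, Visa's or MasterCard's code and it simplifies the real EMV tokenisation scheme: a token service provider keeps the mapping from token to real card number, the phone holds only the token plus a device key, and each tap produces an HMAC cryptogram over the transaction details and a counter. The card number (a standard test PAN), merchant names and amounts are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample card number (a widely used test PAN, not a live account).
SAMPLE_PAN = "4111111111111111"


def compute_cryptogram(device_key: bytes, token: str, amount_cents: int,
                       merchant: str, counter: int) -> bytes:
    """Transaction-specific code: HMAC over the token, amount, merchant and a counter."""
    message = f"{token}|{amount_cents}|{merchant}|{counter}".encode()
    return hmac.new(device_key, message, hashlib.sha256).digest()


class TokenServiceProvider:
    """Issuer-side vault (simplified model): maps tokens back to the real PAN."""

    def __init__(self) -> None:
        # token -> record holding the PAN, the device key and the last accepted counter
        self._vault: dict[str, dict] = {}

    def provision(self, pan: str) -> tuple[str, bytes]:
        """Issue a device-bound token and key; the PAN itself never leaves the vault."""
        token = "49" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        device_key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": device_key, "counter": 0, "active": True}
        return token, device_key

    def deactivate(self, token: str) -> None:
        """Lost phone: kill the token, keep the card."""
        self._vault[token]["active"] = False

    def authorize(self, token: str, amount_cents: int, merchant: str,
                  counter: int, cryptogram: bytes) -> bool:
        """Accept a tap only if the token is live, the counter is fresh and the HMAC matches."""
        record = self._vault.get(token)
        if record is None or not record["active"]:
            return False
        if counter <= record["counter"]:          # replayed or stale transaction
            return False
        expected = compute_cryptogram(record["key"], token, amount_cents, merchant, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False                          # forged or tampered
        record["counter"] = counter
        return True


class Phone:
    """Device side: stores the token and device key, never the PAN."""

    def __init__(self, token: str, device_key: bytes) -> None:
        self.token, self._key, self.counter = token, device_key, 0

    def tap(self, amount_cents: int, merchant: str) -> tuple:
        """What goes over NFC: token, amount, merchant, counter and the cryptogram."""
        self.counter += 1
        cryptogram = compute_cryptogram(self._key, self.token, amount_cents, merchant, self.counter)
        return (self.token, amount_cents, merchant, self.counter, cryptogram)


def demo() -> dict[str, bool]:
    """Walk through the cases the post describes; every value is constructed."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision(SAMPLE_PAN)
    phone = Phone(token, key)
    results = {}

    genuine = phone.tap(1999, "coffee-shop")
    results["pan_not_on_the_wire"] = SAMPLE_PAN not in genuine[0]
    results["genuine_tap"] = tsp.authorize(*genuine)
    results["replayed_tap"] = tsp.authorize(*genuine)

    # Someone copied the token off the phone but does not have the device key.
    forged = (token, 1999, "coffee-shop", 99,
              hmac.new(b"wrong-key", b"coffee-shop", hashlib.sha256).digest())
    results["token_without_device"] = tsp.authorize(*forged)

    # Amount altered between phone and terminal.
    t, _amount, merchant, ctr, cg = phone.tap(500, "kiosk")
    results["tampered_amount"] = tsp.authorize(t, 50000, merchant, ctr, cg)

    # Phone lost: the owner disables the token; the PAN stays valid for a replacement device.
    tsp.deactivate(token)
    results["after_deactivation"] = tsp.authorize(*phone.tap(100, "kiosk"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} {outcome}")
```

Only the genuine tap is accepted. The replay fails on the counter, the copied token fails because the cryptogram needs the device key, the altered amount no longer matches the HMAC, and after deactivation the token is dead while the real card number was never exposed at any point.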

The iPhone and Apple Watch payment solution seems awfully easy to use, with Apple also focusing on shopping privacy and financial security in addition to stupid-simple functionality.

Wednesday 17 September 2014

p≡p – pretty Easy privacy

Remove total surveillance from the Internet: European project “p≡p – pretty Easy privacy” is going to restore privacy for everyone.

pEp – pretty Easy privacy – is a bundle of solutions anyone can add to his or her communication tools. Instead of providing another crypto app it encrypts messages in those tools where people are creating them: SMS, Email, WhatsApp, Facebook, Jabber (and more). It will run on the devices people own, including Windows, MacOS X, Apple iOS, Android and GNU/Linux based devices. And it is all 100% Free Software and Open Source.

p≡p is peer-to-peer communication with end-to-end encryption and an unmatched meta-data level of privacy. It will synchronize keys and contacts between all devices and hence provides a back-up of your key chain and contacts. It also features integration with all Mail and Messaging services into one single mobile App and removes the complicated user driven key management through a zero-touch user experience. p≡p works on any communication channel like e-mail, Jabber, WhatsApp, Twitter,… and can integrate with any E-mail platform providing an API (Kolab, Gmail, ….). It implements OpenPGP, S/MIME, CMS among others and offers an automated key management solution for various key systems combined. The service avoids all central infrastructure - like servers, portals, directories - and the vulnerabilities related to such centralized setups. p≡p provides secure communication as-good-as-it-gets by  eliminating  the man-in-the-middle with a simple 'handshake' based on safe words in your own language. Interoperability at its best as it encrypts even without the same client on both sides. Finally, p≡p does not slow down your computer.
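The "handshake based on safe words" deserves an illustration of why it defeats a man-in-the-middle. The block below is an added example, not pEp's code nor its actual trustwords algorithm: each party derives a short word list from the two key fingerprints it sees and the two lists are compared over a channel the attacker does not control (a phone call, in person). If someone in the middle has substituted their own key, the two sides end up with different words. The key bytes and the 256-word grid are constructed for the demo; a real implementation uses a much larger list and more digest bytes.

```python
import hashlib

# Constructed 16 x 16 word grid; one byte of the digest selects one adjective-noun pair.
ADJECTIVES = ["red", "blue", "green", "gold", "quiet", "brave", "cold", "warm",
              "tall", "short", "wild", "calm", "dark", "bright", "swift", "slow"]
NOUNS = ["river", "stone", "eagle", "tiger", "maple", "piano", "comet", "harbor",
         "lantern", "meadow", "orchid", "saddle", "violin", "walnut", "zebra", "anchor"]


def fingerprint(public_key: bytes) -> str:
    """Hex fingerprint of a public key (SHA-256 here; OpenPGP v4 fingerprints use SHA-1 over the key packet)."""
    return hashlib.sha256(public_key).hexdigest().upper()


def safe_words(own_fingerprint: str, peer_fingerprint: str, count: int = 5) -> list[str]:
    """Word list both parties compare; sorting the fingerprints makes it independent of who computes it."""
    first, second = sorted((own_fingerprint.upper(), peer_fingerprint.upper()))
    digest = hashlib.sha256(f"{first}:{second}".encode()).digest()
    return [f"{ADJECTIVES[b >> 4]}-{NOUNS[b & 0x0F]}" for b in digest[:count]]


def handshake_demo() -> dict:
    """Honest exchange versus a man-in-the-middle who swaps in her own key. All keys are constructed."""
    alice_key = b"constructed-public-key-alice"
    bob_key = b"constructed-public-key-bob"
    mallory_key = b"constructed-public-key-mallory"

    # Honest case: each side holds the other's genuine key, so both read out the same words.
    alice_sees = safe_words(fingerprint(alice_key), fingerprint(bob_key))
    bob_sees = safe_words(fingerprint(bob_key), fingerprint(alice_key))

    # MITM case: Mallory presents her key to Alice as "Bob's" and to Bob as "Alice's".
    alice_mitm = safe_words(fingerprint(alice_key), fingerprint(mallory_key))
    bob_mitm = safe_words(fingerprint(bob_key), fingerprint(mallory_key))

    return {
        "honest_match": alice_sees == bob_sees,
        "mitm_match": alice_mitm == bob_mitm,
        "words": alice_sees,
    }


if __name__ == "__main__":
    outcome = handshake_demo()
    print("words to read aloud:", " ".join(outcome["words"]))
    print("honest exchange matches:", outcome["honest_match"])
    print("intercepted exchange matches:", outcome["mitm_match"])
```

Five words from a 256-entry grid carry only 40 bits, enough to show the mechanism but not what a production system should rely on; the security of the check rests entirely on the words being compared out of band, where the attacker cannot rewrite them.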

Surprising for a free software solution, but fully aligned with this strategy, the first platform pEp supports is Microsoft Outlook. “We offer today what enterprises need to secure their communication without the users bailing out: a configuration free, zero touch application which just does the job. And it does it right.” The enterprise version has features such as key escrow and supports fully automated software rollout tools.

As privacy evangelist Volker Birk puts it in the team's blog post: “In these times we need a real privacy solution for all people. And the solution can't be that everyone has to drop what is connecting us to all of our friends.” The German software architect, a known activist in the hacker community, wants to break with some dogma of the crypto community. “What we need is that technical stuff like picking keys, understanding cryptography algorithms and handling has to be the function of our computers, and the user just presses «send».”

In the first place, this just sounds like the dream of the Cypherpunk movement. In the cypherpunk manifesto they claim: “The Cypherpunks are actively engaged in making the networks safer for privacy. Let us proceed together apace.”

“What good is having a private communication with your friend only after-hours? Companies have a need for privacy and security that at least equals – and probably exceeds - that of the private person” says Leon Schumacher, former Group CIO of two Fortune 100 companies, Co-Founder and CEO of the commercial arm of pEp, the pEp Security SA in Luxembourg. “It is essential for any successful solution to bring privacy and security in a simple way to both the consumer and the corporate world.”

Volker and Leon are convinced that pEp will spread globally. “We're working with one single goal: to help people and companies regain their privacy. And we implement all that as an invisible layer to accommodate how people are communicating already. It is not the task of us technicians to teach people what to do, how to do it or to force them to move to a software or platform they don't like. It is our task to secure and make private what they want to use – and actually are using already.”

Regarding the technology inside, the solution really is something new. “This is not a cryptography software at all,” the activist explains. “Instead of inventing cryptography again, we integrate what is pretty good already: GnuPG as the most trustworthy crypto-solution, and NetPGP as an amazing project and perfect replacement for all platforms where GnuPG is not available, like for Apple iOS. We let these professional solutions do the encryption job correctly.”

How could that work? “pEp is doing everything. You just press SEND, and pEp ensures that your message leaves your device in the most secure way. It is compatible with all established crypto standards, including OpenPGP, S/MIME and CMS. If you receive an encrypted message from anywhere, pEp can handle it and will answer it in the same encrypted way. You don't even notice that all is encrypted in between. If both sides are using pEp, it is getting even better: then we're using an anonymous transport called GnuNet. With that technology, metadata is no longer readable for an attacker. pEp is fully peer-to-peer itself. And only you have the keys.”

It takes an existing hard-to-use technology and makes it simple and easy for everyone to enjoy the benefits. Hard to believe? “The proof of concept already exists: the implementation of the very first version of the pEp engine was tested and runs successfully on GNU/Linux, MacOS X and Microsoft Windows already, and it is implemented in an Outlook plugin, where anyone can see how it all comes together seamlessly. That is the prerelease we have today, and which is being tested by 3 Fortune 500 enterprises right now. Additionally, Georg Greve, founder of Free Software Foundation Europe, is a member of the project. Georg also guarantees that pEp will be part of the standard deployment of the Free Software Kolab, a groupware solution for SMBs.” So on the business side, adoption is already growing. But what about the consumers?

If you want to support them, take a look at their crowdfunding campaign on Indiegogo.

Friday 12 September 2014

InfoSec Essentials: SME Threats & Attack Vectors

SMEs usually do not pay much attention to their information security. This negligence poses a serious threat to the business, and attack vector analysis is an important part of vulnerability analysis. An attack vector is the method or means by which a vulnerability is exploited in order to perform a cyber attack. Attack vectors enable attackers to exploit system vulnerabilities, including the human element.

Malware
Malware is a term that includes computer viruses, worms, trojans and any other kind of malicious software. Employees and end-users within an organization might receive an email carrying a worm, or download spyware when visiting a website infected with malicious code. Alternatively, in order to get work done, employees may decide to install unlicensed (thus pirated) software. This practice, besides being illegal, is also dangerous, as hiding code in pirated applications is a common method by which malware writers reach end-users’ computers. An organization that operates efficiently usually has established ways to share files and content across the organization. These methods can also be abused by worms to further infect computer systems on the network. Computer malware does not have to be introduced manually or consciously. Common software installed on desktop computers, such as browsers, Adobe Acrobat Reader or Flash, has its fair share of security weaknesses. These vulnerabilities are exploited by malware programmers to infect victims’ computers automatically. This type of attack is known as a drive-by download because the users have no knowledge of malicious files being downloaded onto their computer.

Social engineering
Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information, rather than the exploitation of flaws within the technology. It differs from a traditional fraud scheme in that it is often more complex. A phishing attack is a type of social engineering attack that is normally opportunistic and targets a subset of society. The easiest way to perform a large-scale phishing attack is through fake e-mail messages claiming to originate from a trusted source. When the end-user follows the instructions in the email, he or she is directed to reveal sensitive or personal information such as passwords, PIN codes and credit card numbers. Spear-phishing is a more targeted phishing attack aimed at specific individuals and key users.

Attacks on physical systems
Internet-borne attacks are not the only security issue that organizations face. Laptops and mobile devices often hold sensitive information about the organization. These devices often contain company documents and are used to log on to the company network. Due to their nature, such devices have a high risk of physical theft. In the first half of 2014, 290.651 thefts involving computer equipment were reported by police forces across the entire UK.
Unprotected endpoints pose another threat affecting physical security. USB ports and CD/DVD drives can both be used to leak data and to introduce malware onto the network. A USB stick that is mainly used for work and may contain sensitive documents becomes a security risk if it is taken home, left lying around, and used by other members of the family on their personal PC. This is typically a case of negligence, but it can also be the work of a targeted attack, where internal employees take large amounts of information out of the company. The examples above are not a SciFi scenario: if incidents like these happen to governments and major hospitals that have standard operating procedures for handling such situations, why should they not happen to smaller enterprises? Small and medium-sized enterprises may overlook the importance of securing the physical network and server room to prevent unauthorized persons from gaining access. Open network points and unprotected server rooms can allow disgruntled employees and visitors to connect to the network and launch attacks such as ARP spoofing to capture unencrypted network traffic and steal passwords and content.
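The ARP spoofing mentioned above leaves a visible trace on the network: one IP address (typically the gateway) suddenly being claimed by a second MAC address, and one MAC claiming several IPs at once. The following added example, which is not part of the original post, shows the detection side on a handful of constructed log lines shaped like tcpdump's ARP summary output; the addresses and timestamps are sample data, and the static gateway binding is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed ARP log lines (sample data in the shape of tcpdump's summary
# output, not a real capture). The last three lines show a second MAC
# claiming the gateway's IP and a host's IP at the same time.
SAMPLE_ARP_LOG = """\
10:01:02.100 ARP, Request who-has 192.168.1.1 tell 192.168.1.25, length 28
10:01:02.101 ARP, Reply 192.168.1.1 is-at 00:1a:2b:3c:4d:5e, length 28
10:01:05.400 ARP, Reply 192.168.1.40 is-at 00:1a:2b:3c:4d:aa, length 28
10:02:10.000 ARP, Reply 192.168.1.1 is-at 08:00:27:13:37:99, length 28
10:02:10.050 ARP, Reply 192.168.1.25 is-at 08:00:27:13:37:99, length 28
10:02:11.000 ARP, Reply 192.168.1.1 is-at 08:00:27:13:37:99, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)


def detect_arp_conflicts(log_text, trusted=None):
    """Return one alert per ARP reply that contradicts what we already know.

    trusted: optional {ip: mac} of static bindings (e.g. the gateway, which an
    administrator should pin); a reply contradicting a trusted binding is
    flagged even the first time that IP is seen.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen = defaultdict(dict)  # ip -> {mac: timestamp first seen}
    alerts = []
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # requests and non-ARP lines carry no binding claim
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        if ip in trusted and mac != trusted[ip]:
            alerts.append({"ts": ts, "ip": ip, "expected": [trusted[ip]],
                           "claimed": mac, "reason": "static-binding-violation"})
        elif seen[ip] and mac not in seen[ip]:
            alerts.append({"ts": ts, "ip": ip, "expected": sorted(seen[ip]),
                           "claimed": mac, "reason": "ip-claimed-by-multiple-macs"})
        seen[ip].setdefault(mac, ts)
    return alerts


def macs_claiming_many_ips(log_text):
    """Map MAC -> set of IPs it has claimed, for MACs claiming more than one.

    Routers legitimately answer for several addresses, so treat this as a
    lead to correlate with the conflict alerts, not as an alert by itself.
    """
    claims = defaultdict(set)
    for line in log_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            claims[m["mac"].lower()].add(m["ip"])
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_LOG, trusted={"192.168.1.1": "00:1a:2b:3c:4d:5e"}):
        print(alert)
    print(macs_claiming_many_ips(SAMPLE_ARP_LOG))
```

Without a pinned gateway binding the detector only learns the "good" MAC from the first reply it happens to see, so run it from boot or pin the gateway explicitly; the same logic is what tools such as arpwatch apply continuously.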

Authentication and privilege attacks
Passwords remain the number one vulnerability in many systems. Nowadays most people have to remember 17 passwords on average, according to a 2012 survey in Norway. The password used for company business should not be the same one used for webmail accounts, site memberships and so on. Password policies can go a long way towards mitigating the risk, but if the password policy is too strict, people will find ways and means to get around it. They will write the password on sticky notes, share it with their colleagues, or simply pick a keyboard pattern (1q2w3e4r5t) that is easy to remember but also easy to guess. The most complex password policies can easily be rendered useless by non-technological means.

Thursday 11 September 2014

List of 5 Million 'Gmail Passwords' Leaked

A list of almost five million Gmail addresses and passwords culled from various websites was posted on a Russian online forum Tuesday.
Mashable and other technology news websites reported that the leaked passwords are not necessarily those used to access Gmail accounts but seem to have been compiled from other websites, including some where Gmail addresses were used to register.
Several internet security experts who examined the leaked list, which was posted as a text file to the Russian online forum Bitcoin Security, reported on Twitter that the passwords appear to be several years old. Danish cybercrime specialist Peter Kruse of the CSIS Security Group tweeted that the leak "likely originates from various sources" and that most of the leaked passwords are more than three years old. Even if this dump is simply a collection of old passwords belonging to minor sites, the issue is always the same: password reuse. If you tend to reuse your passwords, stop doing this.

Tuesday 9 September 2014

InfoSec Essentials: Passwords

Passwords: Who needs them?
How many keys do you carry with you every day? Personally, I hold about 5-7 regularly (home, office, car), not counting any remote controls such as the garage or car alarm. Why is this? Why don’t we have a single key to access all locations? I believe that all of you can deduce the answer. The same is true of passwords. Passwords are the digital keys that allow us to access what is ours: our e-mail, our bank account, our files in the cloud.
Would you ever give the keys to your house to a stranger? If the obvious answer is no, then why write your password in your journal, or even on a post-it on your monitor? It's like hiding your keys under the doormat.

P4s$w0rd-c()Mp1exiTy
Why on Earth should I create a 10-character-long alphanumeric password? The key example also works here. How would you feel if the lock of your home could be picked with a screwdriver or even a hair pin? Key complexity is analogous to password length and character composition, so stop whining when you read the password rules and build some strong passwords for your accounts.
Earlier this year SplashData published a list of the 25 worst passwords of 2013. You should notice that out of the 25 entries, none fulfils the basic requirements of a strong password. I would say that most of them don't even qualify as weak.
Trivia: Back in the 90s the four most common passwords were sex, God, love and secret.
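Both this post's complexity rules and the SME post's warning about keyboard patterns such as 1q2w3e4r5t describe checks a password policy can actually enforce at set-time. The following is an added example (not the author's code) of such a checker: the minimum length is the post's 10 characters, the "common passwords" set is a small constructed stand-in for a full worst-password or breach list, and the keyboard layout is a simplified US QWERTY grid that ignores key stagger, which is an assumption of the example.

```python
# Simplified US QWERTY grid (assumption: stagger between rows is ignored).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}

# Constructed stand-in for a published worst-password / breach list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                    "letmein", "iloveyou", "monkey"}

MIN_LENGTH = 10       # the 10-character rule from the post
MIN_CLASSES = 3       # of: lower, upper, digit, symbol
MAX_WALK = 3          # longest tolerated run of physically adjacent keys


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run in which every key is adjacent (8-neighbour)
    to the previous one on the grid. Catches rows ("qwerty", "12345") and
    zig-zags between rows ("1q2w3e4r5t"). Repeated keys break the run."""
    best = run = 1
    prev = None
    for ch in pw.lower():
        pos = KEY_POS.get(ch)
        if (prev is not None and pos is not None and pos != prev
                and abs(pos[0] - prev[0]) <= 1 and abs(pos[1] - prev[1]) <= 1):
            run += 1
        else:
            run = 1
        best = max(best, run)
        prev = pos
    return best


def check_password(pw: str) -> list:
    """Return the list of policy violations (empty list means acceptable)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too-short")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < MIN_CLASSES:
        issues.append("too-few-character-classes")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("common-password")
    if longest_keyboard_walk(pw) > MAX_WALK:
        issues.append("keyboard-pattern")
    return issues


if __name__ == "__main__":
    for candidate in ("123456", "1q2w3e4r5t", "P4s$w0rd-c()Mp1exiTy", "Walnut-Lantern-7#Ocean"):
        print(f"{candidate!r:28} -> {check_password(candidate) or 'ok'}")
```

The keyboard-walk check is the part most policies lack: "1q2w3e4r5t" satisfies a plain length rule and contains two character classes, yet it is one of the first patterns any guessing tool tries. Hashing and storing the password is a separate step and is not shown here.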

Multi Factor Authentication
Multi-factor authentication (MFA) is an approach to authentication which requires the presentation of two or more of the three independent authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur. The most common implementation of MFA is two-factor authentication, used by various services on the web such as Google services, Apple services, eBay, Evernote etc. There are various tutorials on the web to assist you in enabling this feature; just use your favorite search engine.

Never take candies from strangers or “fear the Danaans, even those bearing gifts”
Do you remember your parents advising you not to take gifts from strangers? The same applies to cyberspace, and it is not restricted to children. Fake emails are the most common vehicle for a type of attack called social engineering, used to collect information or as an easy way to spread malware. The attacker sends bulk emails to the victims, commonly with an attachment that hides the true nature of the message. Most companies try to train their users not to trust emails that pretend to come from a legitimate source and ask them to share personal or private information or PIN numbers, but despite the awareness campaigns, many users still fall victim to this malicious practice. So please stop opening those funny video links from unknown senders and the “!!!FREE GIFT!!!” that you never asked for, and stop sending your account number and e-banking password to "the bank" via email; no one but the attacker cares for this info. Sometimes all the attacker seeks is email addresses in order to launch a spam campaign. By forwarding e-mails like "..mail this to all your friends to reach total happiness.." or "unless you forward this message bad luck will fall upon you..", collectively known as chain letters, you just help the attacker, so please stop forwarding these emails to your entire contact list.
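Several of the tell-tale signs just listed, and the phishing description in the SME threats post, can be checked mechanically before a message reaches the user: a failed SPF/DKIM result, an envelope sender or Reply-To on a different domain than the visible From, a lure subject, and an attachment whose name hides an executable behind a second extension. The following added example (not from the original post) runs those checks over two constructed messages built with Python's email library; the domain names use reserved `.example`/`.invalid` TLDs and the keyword lists are sample choices for the example.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed keyword and extension lists (tune these for your own mail flow).
LURE_PHRASES = ("free gift", "verify your account", "urgent", "suspended", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif")


def _domain(header_value) -> str:
    """Domain part of an address header, lower-cased; '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(msg: EmailMessage) -> list:
    """Return a list of finding tags; an empty list means nothing suspicious."""
    findings = []
    from_dom = _domain(msg["From"])

    # 1. Receiving MTA's authentication verdict (Authentication-Results, RFC 8601).
    auth = (msg["Authentication-Results"] or "").lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("authentication-failed")

    # 2. Visible From vs. bounce address vs. where replies actually go.
    return_dom = _domain(msg["Return-Path"])
    if return_dom and return_dom != from_dom:
        findings.append("envelope-sender-mismatch")
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Pressure or bait in the subject line.
    subject = (msg["Subject"] or "").lower()
    if any(p in subject for p in LURE_PHRASES):
        findings.append("urgency-lure")

    # 4. Attachments: executable types or double extensions like name.pdf.exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
            findings.append(f"risky-attachment:{name}")
    return findings


def build_sample(phishy: bool) -> EmailMessage:
    """Constructed sample messages (no real senders, domains or payloads)."""
    msg = EmailMessage()
    if phishy:
        msg["From"] = '"Example Bank Security" <security@examplebank-login.example>'
        msg["Reply-To"] = "support@mailbox-example.invalid"
        msg["Return-Path"] = "<bounce@bulk-sender.invalid>"
        msg["Authentication-Results"] = ("mx.recipient.example; spf=fail "
                                         "smtp.mailfrom=bulk-sender.invalid; dkim=none")
        msg["Subject"] = "!!!FREE GIFT!!! Verify your account within 24 hours"
        msg.set_content("Open the attached form and reply with your PIN.")
        msg.add_attachment(b"constructed bytes, not a real program",
                           maintype="application", subtype="octet-stream",
                           filename="gift-card.pdf.exe")
    else:
        msg["From"] = "Alice <alice@colleague.example>"
        msg["Return-Path"] = "<alice@colleague.example>"
        msg["Authentication-Results"] = ("mx.recipient.example; spf=pass "
                                         "smtp.mailfrom=colleague.example; dkim=pass")
        msg["Subject"] = "Notes from this morning's meeting"
        msg.set_content("Attached as discussed.")
        msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                           maintype="application", subtype="pdf", filename="notes.pdf")
    return msg


if __name__ == "__main__":
    for label, flag in (("phishing sample", True), ("ordinary mail", False)):
        print(f"{label}: {assess_message(build_sample(flag)) or 'no findings'}")
```

None of these signals is proof on its own (mailing lists legitimately change the Return-Path, and support desks use a different Reply-To), which is why the function returns the individual findings rather than a verdict: a gateway can quarantine on the attachment rule alone and merely tag the rest for the user.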

Sunday 7 September 2014

Global State of Information Security© Survey 2014

Recently, PwC published the latest Global State of Information Security© Survey 2014. Key findings include:

  • Despite an increase in security practices, the adversaries continue to have the initiative
  • The number of detected security incidents has risen, and so has the cost of breaches
  • Emerging technologies, such as BYOD and cloud computing, pose a significant risk and are implemented before being secured

Gary Loveland, a principal in PwC’s security practice, argues: “You can't fight today's threats with yesterday’s strategies”. His argument is summed up in: “What’s needed is a new model of information security, one that is driven by knowledge of threats, assets, and the motives and targets of potential adversaries.”

You can find the original report here. Here are some charts presenting the findings of the survey.

The global cyber-defence race (values %)

The fundamental safeguards you’ll need for an effective security program.
  1. A written security policy
  2. Backup-Recovery plans / BCP
  3. Minimum collection and retention of personal information, with physical access restrictions to records containing personal data
  4. Strong technology safeguards for prevention, detection, encryption
  5. Accurate inventory of where personal data of the employees and customers are collected, transmitted and stored, including third parties that handle that data
  6. Internal and external risk assessments of privacy, security, confidentiality and integrity, of electronics and paper records
  7. Ongoing monitoring of the data-privacy program
  8. Personnel background checks
  9. An employee security awareness training program
  10. Require employees and third parties to comply with privacy policies

The fusion of cloud computing, mobility, personal devices, and social media is a challenge for all countries. (values %)

Legal notice:
All copyrighted material is property of their respected owners. If you feel that your intellectual property is violated, please contact us to resolve the issue.