Monday 29 December 2014

The Seven Deadly Sins in an Information Security Context

[Image: Hieronymus Bosch, The Seven Deadly Sins, created c. 1500-1525, www.museodelprado.es]

The seven deadly sins (a.k.a. cardinal sins) are a classification of vices that is part of Christian ethics, used to educate and instruct believers since early Christian times. In the film Seven (1995), two detectives, a rookie and a veteran, hunt a serial killer who uses the seven deadly sins as his modus operandi. In this post, I will try to map the original seven deadly sins onto the context of Information Security.

Lust
Defined as an intense desire, lust is the power that mostly drives the actions of attackers. Desire for money, fame and power are the most common urges of the bad guys. It is clearly a threat in an Information Security context. Lust can be a powerful driver for illicit activities on the web and also a sin that cannot be easily suppressed. The lust to know was the impulse that led the first hackers/crackers in the '80s and '90s to break into computer networks in order to satisfy this need.

Gluttony
Every day we are recipients of vast amounts of data. In our turn we contribute data for others to consume. Information addiction is a condition whereby the diagnosed is addicted to the hit of pleasure and stimulation from information. It has been referred to as "pseudo-attention deficit disorder" because it tends to cause somewhat ADD-like symptoms. This addiction usually begins with continuously using an information streaming service, like television, YouTube, Facebook, Twitter, etc., which gets the brain unaccustomed to idleness, always watching/reading/listening to something. Then it spreads onto other information retrieval activities.
This flooding of information leads to information overload, which refers to the difficulty a person can have understanding an issue and making decisions when too much information is present. In recent years, the term information overload has evolved into phrases such as "information glut" and "data smog" (Shenk, 1997). What was once a term grounded in cognitive psychology has evolved into a rich metaphor used outside the world of academia. In many ways, the advent of information technology has increased the focus on information overload: information technology may be a primary reason for information overload due to its ability to produce more information more quickly and to disseminate this information to a wider audience than ever before (Evaristo, Adams, & Curley, 1995; Hiltz & Turoff, 1985).

Greed
Click here for some free stuff! Did you click? You did it because greed is an excessive or rapacious desire and pursuit of material possessions. Faster downloads, free trips, opening an attachment from an unknown sender are all signs of greed. It is exactly that kind of behavior that cyber criminals want from you. You are classified as an easy victim for cyber scams, or as an information junkie (see gluttony above). Obviously a threat. It differs from lust in that it is a passive sin that exists on the target side.

Sloth
Major target vulnerability. It derives from the fact that information security is boring. Have you ever postponed changing your password and used the old one "just for this transaction"? When was the last time you pressed the "Remind me later" button when an update was available? Most infosec professionals, though fully aware of the risks, do not follow a process because it takes too much time. All these are types of Information Security sloth. I would really love to learn a metric: percent of accounts changing password after a successful data breach has gone public.

Wrath
Another threat, and of the worst kind: the internal one. Internal attacks are far more difficult to predict and prevent. These threats come from all parts of the company and no organization is immune to this. Wrath may be described as inordinate and uncontrolled feelings of hatred and anger. In its purest form it presents with self-destructiveness, violence, and hate. But there are more subtle facets of wrath and revenge. Think again before you fire your DBA, because his last statement might be: DROP * COMMIT.

Envy
Now that was a tough one. It comes from the Latin invidia and is defined as an emotion which "occurs when a person lacks another's superior quality, achievement, or possession and either desires it or wishes that the other lacked it". I could not match invidia to an InfoSec context so I searched the net about it. And I found some interesting statements of C-level executives envying other companies for their security infrastructure, but when their own CISO comes and asks for some budget they whistle indifferently. I would classify it among the vulnerabilities, since it is part of the organization's culture.

Pride
Often referenced as the deadliest of all sins. In information security pride is shown in various ways. "I have a very strong password...", "Our system is the most secure one...", "A hacker will never attack me...". Vain statements like these pose a grave danger for any individual or organization. Risk assessment professionals are commonly mocked for their risk scenarios, as they are considered “impossible to happen”. Pride rides side-by-side with vanity. The term vanity originates from the Latin word "vanitas" meaning emptiness, untruthfulness, futility, foolishness and empty pride. In this context empty pride means a fake pride, in the sense of vainglory, unjustified by one's own achievements and actions, but sought by pretense and appeals to superficial characteristics. Vanity comes into play during control performance evaluation. Eric Ries talks about vanity metrics a lot as part of "The Lean Startup":

Actionable metrics can lead to informed business decisions and subsequent action. These are in contrast to "vanity metrics" – measurements that give "the rosiest picture possible" but do not accurately reflect the key drivers of a business. Vanity metrics for one company may be actionable metrics for another. For example, a company specializing in creating web-based dashboards for financial markets might view the number of web page views per person as a vanity metric as their revenue is not based on number of page views. However, an online magazine with advertising would view web page views as a key metric, as page views are directly correlated to revenue.
This is what we must have in mind when designing and evaluating controls to mitigate risk.

Conclusion: We are all sinners in a way. Atone for your sins before it is too late; a self-atonement process can help us become more secure and more aware of the dangers that lurk in cyberspace.

Monday 22 December 2014

Bureau-121

Bureau 121 (Unit 121 of the North Korean General Bureau of Reconnaissance) is the name of a secret cyberwarfare agency belonging to the military of North Korea. It is one of two such cyberwarfare units in the General Bureau of Reconnaissance, the other being No. 91 Office.

The activity of the agency came into public limelight in December 2014 when Sony Pictures canceled the opening of its movie The Interview after its computers had been hacked. Bureau 121 has been blamed for the cyber breach. North Korea has rejected this accusation. 

According to a report by Reuters, Bureau 121, also known as the DarkSeoul Gang is staffed by some of North Korea's most talented computer experts and is run by the Korean military.
According to Jang Se-yul, a computer expert who defected in 2007, about 1800 cyber warriors are located throughout the world. Estimates of Unit 121's size from other sources, including Prof. Kim Heung Kwang, vary. In 2012, South Korea asserted 3000 people belonged to Unit 121 and earlier this year predicted an increase to 5900. Many hackers of the bureau are hand-picked graduates of the University of Automation, Pyongyang. While these specialists are scattered around the world, their families benefit from special privileges at home.

Much of the agency's activity has been directed at South Korea. Prior to the attack on Sony, the agency was said to have attacked more than 30,000 PCs in South Korea, affecting banks and broadcasting companies as well as a website of South Korean President Park Geun-Hye. The malicious code used in a 2012 attack on a South Korean media organization appears to be similar to the code used in the Sony hack, according to Choi Sang-myung, a senior online security researcher and adviser to Seoul's cyber warfare command. "I noticed the similarities as soon as I saw it."

It is also thought to have been responsible for infecting thousands of South Korean smartphones in 2013 with a malicious gaming app.

According to Jang Se-Yul, another North Korean defector, North Korea is very active in cyberwarfare and its capabilities have been underestimated. North Korea has sophisticated cyber warfare capabilities with cells from Bureau 121 operating around the world. One of the suspected locations of a cell is the Chilbosan Hotel in Shenyang, China.

The FBI and the Justice Department's National Security Division are still investigating the "sophisticated actor" behind it. When asked how the U.S. planned to respond, the White House Press Secretary said the president's national security team was considering "a range of available responses" but did not elaborate on what that response might be.

Friday 19 December 2014

Thank You, truly

New Year, new logo – InfoSecLeague has a brand new logo created by Truly Creatives.
The new logo has some unique characteristics. Strong as a steel chain yet flexible. Strict yet symmetrical. With individual shapes yet in a context. All these are just different aspects of Information Security that are represented in a unified way.

The new logo will gradually replace the old one in the blog and social media of ISL.

Thank you truly Dimitris & Katerina!

Thursday 18 December 2014

ENISA CERT training

ENISA has launched a new section on its website introducing the ENISA CERT training program. In the new section, you can find all the publicly available training resources and the training courses currently provided by ENISA.
The material has been categorized into 4 main topics:
  • Technical,
  • Operational,
  • Setting up a CERT, and
  • Legal and cooperation.
Additionally, various tools for hands-on training (such as Virtual Machines) are provided. In 2014 training scenarios were added covering various topics in the area of artifact handling and analysis. Artifact analysis involves receiving information about artifacts that are used in attacks, reconnaissance, and other unauthorized or disruptive activities. The created course covers the topics of building an artifact handling and analysis environment, the fundamentals for artifact analysis, as well as advanced artifact analysis and a common framework for artifact analysis activities.

Visit the new page and material here.

Topics

Technical
  • Building artifact handling and analysis environment
  • Processing and storing artifacts
  • Artifact analysis fundamentals
  • Advanced artifact handling
  • Developing Countermeasures
  • Common framework for artifact analysis activities
  • Identification and handling of electronic evidence
  • Digital forensics
  • Mobile threats incident handling
  • Proactive incident detection
  • Automation in incident handling
  • Network forensics
  • Honeypots
  • Vulnerability handling
  • Presenting, correlating and filtering various feeds
Operational
  • Incident handling during an attack on Critical Information Infrastructure
  • Advanced Persistent Threat incident handling
  • Social networks used as an attack vector for targeted attacks
  • Writing Security Advisories
  • Cost of ICT incident
  • Incident handling in live role playing
  • Incident handling in the cloud
  • Large scale incident handling
Setting Up a CERT
  • Triage & Basic Incident Handling
  • Incident handling procedure testing
  • Recruitment of CERT staff
  • Developing CERT infrastructure
Legal and Cooperation
  • Establishing external contacts
  • Cooperation with law enforcement
  • Assessing and Testing Communication Channels with CERTs and all their stakeholders
  • Identifying and handling cyber-crime traces
  • Incident handling and cooperation during phishing campaign
  • Cooperation in the Area of Cybercrime
  • CERT participation in incident handling related to the Article 13a obligations
  • CERT participation in incident handling related to the Article 4 obligations

Tuesday 16 December 2014

Cyber Warfare: The Modern Theater of Operations

A great deal of debate circles around the concept of cyberwarfare – and definitions are rarely agreed upon. While some claim that cyberwarfare is the fifth domain of warfare (after land, sea, air and space) others simply claim that the term is an attempt at sensationalism. The increasing importance of cyberspace for military operations has led to the United States Department of Defense classifying it as the Fifth Domain of Warfare. However, cyberspace lacks the explicit physical properties of land, sea, air and space, and as a consequence its classification as a warfighting domain is controversial. The cyber debate is replete with hyperbole and ambiguous terminology and there are calls to limit the militarization of cyberspace. The critical dependence of Western military forces on microprocessor technology inevitably means that exploiting this domain is viewed from the dual perspectives of opportunity and vulnerability. From a more specific perspective, cyberwarfare refers to any action by a nation-state to penetrate another state’s computer networks for the purpose of causing some sort of damage. However, broader definitions claim that cyberwarfare also includes acts of "cyberhooliganism", "cybervandalism" or "cyberterrorism".

Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.

The Internet security company McAfee stated in their 2007 annual report that approximately 120 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities.

Cyberwarfare can consist of many threats, namely:

Online acts of espionage and security breaches – done to obtain national material and information of a sensitive or classified nature through the exploitation of the internet (e.g. exploitation of network flaws through malicious software).

Sabotage – the use of the internet by one nation state to disrupt online communications systems of another nation state (e.g. military communication networks) with the intent to cause damage and disadvantage.

Attacks on SCADA networks and Nuclear Control Institutes (NCIs).
SCADA networks are national industrial control systems – computer systems (consisting of hardware, software and communication components) designed to monitor and control various critical infrastructures or facility-based processes. They include the computer-based systems that run such critical infrastructure as power generation plants and transmission networks, refinery plants, oil and gas pipelines, and transport and communication systems.

In the past, such SCADA networks operated in isolated environments – with different points communicating to each other within segregated networks, and rarely sharing information with any system outside a specific network. With the advent of internet-based systems however, these SCADA networks have gradually become more and more interconnected with the outside world and integrated into larger global networks. Consequently, their vulnerability to cyber attacks has increased drastically. SCADA networks perform centralized monitoring for wide-ranging networks, which can be spread over long distances. The systems send supervisory commands to field devices based on information they receive from the remote field sites in which these devices are located. For instance, a central SCADA system can control the opening and closing of valves in power plants located hundreds of kilometers away. Consequently, if such a centralized system is compromised by a cyber attack, the attacker could potentially have control over the valve systems of those particular power plants – and may choose to use that control to cause widespread damage. Alternatively, the networks may be infected unintentionally by viruses or worms causing massive and widespread damage.

An example of an intentional cyber attack on a SCADA system was in January 2000 in Queensland, Australia, when a disgruntled ex-employee of a sewage plant covertly took control of the plant's operating systems – opening and closing valves and disrupting communications systems. The attack resulted in 264,000 gallons of raw sewage flooding a nearby river. Another more recent example is the 2010 Stuxnet virus, which was allegedly designed to specifically infect the SCADA networks of Iran's nuclear infrastructure.
SCADA networks are the vital underpinnings of our society and lifestyle; yet, they are notoriously difficult to secure due to the increasing complexity of their system architectures. There is a general lack of discussion on issues related to SCADA vulnerabilities, and it is important that effective strategies and measures are developed to greatly improve the resilience of these vital assets before they become victim to either intentional or unintentional cyber attacks.

In 2011, The White House published an "International Strategy for Cyberspace" that reserved the right to use military force in response to a cyber attack:

When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means — diplomatic, informational, military, and economic — as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.
-- International Strategy for Cyberspace, The White House, 2011

In 2013, the Defense Science Board went further, stating that "The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War," and recommending, in response to the "most extreme case" (described as a "catastrophic full spectrum cyber attack"), that "Nuclear weapons would remain the ultimate response and anchor the deterrence ladder." For a full-scale attack, the report warns of the following scenario:

Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain.
The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio, or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods. If the attack's effects were reversible, damage could be limited to an impact equivalent to a power outage lasting a few days. If an attack’s effects cause physical damage to control systems, pumps, engines, generators, controllers, etc., the unavailability of parts and manufacturing capacity could mean months to years are required to rebuild and reestablish basic infrastructure operation.
-- Resilient Military Systems and the Advanced Cyber Threat, Defense Science Board, 2013
Although the risk of a debilitating cyber attack is real, the perception of that risk is far greater than it actually is. No person has ever died from a cyber attack, and only one alleged cyber attack has ever crippled a piece of critical infrastructure, causing a series of local power outages in Brazil. In fact, a major cyber attack of the kind intelligence officials fear has not taken place in the 21 years since the Internet became accessible to the public.

Saturday 13 December 2014

POODLE Strikes Back

A design vulnerability recently surfaced in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.
Some Transport Layer Security (TLS) implementations are also vulnerable to the POODLE attack.

While SSL 3.0 is an obsolete and insecure protocol and for most practical purposes it has been replaced by its successors TLS 1.0, TLS 1.1, and TLS 1.2, many TLS implementations remain backwards-compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience.
The protocol handshake provides for authenticated version negotiation, so normally the latest protocol version common to the client and the server will be used.

The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.
While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack.

Two other conditions must be met to successfully execute the POODLE attack:
  1. the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 
  2. the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.
These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.

On December 8, 2014, it was publicly reported that some TLS implementations are also vulnerable to the POODLE attack.

Removing SSLv3 in favour of TLS stops the attack, because TLS fully specifies the contents of the padding bytes. However, TLS's padding is a subset of SSLv3's padding, so, technically, you could use an SSLv3 decoding function with TLS and it would still work fine. It wouldn't check the padding bytes, but that wouldn't cause any problems in normal operation. However, if an SSLv3 decoding function is used with TLS, then the POODLE attack works, even against TLS connections.
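The padding rule difference described above, as an added Python example that is not part of the original post: an SSLv3-style decoder that trusts only the length byte accepts a record whose padding bytes have been altered, while a TLS-style decoder that checks every padding byte rejects it. The record bytes are constructed for illustration; a real implementation also verifies the MAC and does all of this in constant time.

```python
# SSLv3 vs TLS CBC padding checks. SSLv3 trusts only the final byte as the
# padding length and ignores the padding contents; TLS requires every padding
# byte to equal the length byte. The records below are constructed and stand
# for the plaintext that CBC decryption yields before padding is removed.

BLOCK_SIZE = 16  # AES block size; the padding lives in the last block


def strip_padding_sslv3(plaintext, block_size=BLOCK_SIZE):
    """SSLv3 rule: the last byte is the padding length, it must be smaller than
    the block size, and the padding bytes themselves are not inspected.
    Returns the record without padding, or None if the length byte is bad."""
    if not plaintext or len(plaintext) % block_size != 0:
        return None
    pad_len = plaintext[-1]
    if pad_len >= block_size or pad_len + 1 > len(plaintext):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]


def strip_padding_tls(plaintext, block_size=BLOCK_SIZE):
    """TLS rule: the last byte is the padding length and every padding byte
    must carry that same value. Returns the record without padding, or None
    if any padding byte is wrong."""
    if not plaintext or len(plaintext) % block_size != 0:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    padding = plaintext[len(plaintext) - pad_len - 1:]
    if any(b != pad_len for b in padding):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]


def pad_tls(data, block_size=BLOCK_SIZE):
    """Canonical padding a TLS sender emits (also valid under the SSLv3 rule):
    pad_len + 1 bytes, each equal to pad_len, filling out the last block."""
    pad_len = block_size - 1 - (len(data) % block_size)
    return data + bytes([pad_len]) * (pad_len + 1)


# Constructed example: 20 bytes of "data + MAC", padded to 32 bytes, so the
# padding is eleven 0x0b bytes followed by the length byte 0x0b.
GOOD_RECORD = pad_tls(b"GET / HTTP/1.1\r\nMAC!")

# Same record, but the eleven padding bytes are replaced by garbage while the
# length byte stays correct (the situation a manipulated last block produces).
GARBLED_RECORD = GOOD_RECORD[:-12] + bytes(range(11)) + b"\x0b"


def oracle_difference():
    """True when an SSLv3-style decoder accepts a record that a TLS-style
    decoder rejects: that acceptance gap is the padding oracle POODLE needs,
    and it is why a TLS stack must never reuse the SSLv3 check."""
    return (strip_padding_sslv3(GARBLED_RECORD) is not None
            and strip_padding_tls(GARBLED_RECORD) is None)
```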

Impact
The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

Mitigation
There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommend the following upgrades:
  • OpenSSL 1.0.1 users should upgrade to 1.0.1j.
  • OpenSSL 1.0.0 users should upgrade to 1.0.0o.
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.

Friday 12 December 2014

Diceware: Random Passphrase Generator


You hear all the time that it is crucial for your online security to build a strong password. We have previously outlined the guidelines for a "good" password, but sometimes this is not enough. Applications such as e-mail and data encryption, bitcoin wallets and password managers require a greater degree of protection. Securing such applications with a long complex password might just not be enough. Hardly anyone can remember such a password and most of us will write it down on a piece of paper, compromising the entire effort.

Passphrases can be an alternative to this. A passphrase is a bunch of words and characters that you type into your computer to let it know for sure that the person typing is you. Most newer security programs allow you to enter a passphrase instead of just a short password for added protection against attackers. Some programs also use your passphrase to form a cryptographic key to encrypt your data. Passphrases differ from passwords only in length. Passwords are usually short - six to ten characters. Their greater length makes passphrases more secure. Modern passphrases were invented by Sigmund N. Porter in 1982.

Picking a good passphrase is one of the most important things you can do to preserve the privacy of your computer data and e-mail messages. A passphrase should be:

  • Known only to you
  • Long enough to be secure
  • Hard to guess - even by someone who knows you well
  • Easy for you to remember
  • Easy for you to type accurately
Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select one unique word from the list. The complete list contains 7776 short English words, abbreviations and easy-to-remember character strings. The average length of each word is about 4.2 characters. The biggest words are six characters long.

There are though some important steps to follow before using this method to create a strong passphrase.

  1. You need a regular six-sided die.
  2. You should download the Diceware word list in English or any other language of your choice. Diceware lists are available for Chinese, German, Esperanto, Spanish, Finnish, French, Italian, Japanese, Dutch, Polish, Russian, Swedish and Turkish.
  3. Decide how many words you want in your passphrase. A five word passphrase provides a level of security much higher than the simple passwords most people use. We recommend a minimum of six words for use with Hushmail, wireless security and file encryption programs. A seven or eight word passphrase is recommended for high value uses such as BitCoin, and the like.
  4. For each word in your passphrase, roll the die five times (e.g. for a six-word passphrase you need to roll 30 times).
  5. Look up each five digit number in the Diceware list and find the word next to it (e.g. 54321 is the word "slain").
  6. Once done you should have a list of words that make up your passphrase. Memorize them and destroy any evidence of creation.
Recommendations
Because some words on the diceware list are two characters or less, you can get a very short passphrase. If your passphrase, including the spaces between the words, is less than 17 characters long, it is highly advised that you start over and create a new passphrase. You should also start over if your passphrase is a recognizable sentence or phrase. (These situations are very rare.)
Do not use a random number generator! Such utilities are rarely truly random. Just roll the dice.

Extra Option
For extra security without adding another word, insert one special character or digit chosen at random into your passphrase. Here is how to do this securely (example given for a 6-word long passphrase): Roll one die to choose a word in your passphrase, roll again to choose a letter in that word. Roll a third and fourth time to pick the added character from the following table:

                  Fourth roll
Third roll     1   2   3   4   5   6
    1          ~   !   #   $   %   ^
    2          &   *   (   )   -   =
    3          +   [   ]   \   {   }
    4          :   ;   "   '   <   >
    5          ?   /   1   2   3   4
    6          5   6   7   8   9   0

Some math: It is usual in the computer industry to specify password strength in terms of information entropy, measured in bits, a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of "entropy bits" in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 2^42 attempts to exhaust all possibilities during a brute force search. Thus, adding one bit of entropy to a password doubles the number of guesses required, which makes an attacker's task twice as difficult. On average, an attacker will have to try half of the possible passwords before finding the correct one.

Each word created with the Diceware™ method has 12.9 bits of entropy (log2(7776)), thus a 6-word passphrase yields 77.5 bits of entropy and a 7-word passphrase 90.4 bits, and so on...
A 16-character random password drawn from [a-z][A-Z] yields 5.7 bits (log2(52)) per character, thus 91.2 bits in total, slightly more than a 7-word passphrase. Inserting a letter at random adds about 10 bits of entropy.
Axiom
Passwords of equal entropy are considered equally secure.
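The procedure and the entropy figures above, as an added Python example that is not part of the original post: die rolls typed in from physical dice (not generated, in line with the post's advice) are mapped to list keys and positions, the 17-character rule and the extra-character table are applied, and the entropy is computed. The word list excerpt is a constructed stand-in (only 54321 = slain comes from the post), and inserting the extra character before the chosen letter, with a re-roll when the letter roll exceeds the word length, is an assumption.

```python
import math

# Constructed excerpt of a Diceware word list. The real list has 7776 entries
# keyed 11111..66666; only 54321 -> "slain" is taken from the post, the other
# entries are made up for this example.
WORD_LIST = {
    "54321": "slain",
    "11111": "a",       # constructed: the real list does have one-letter entries
    "23456": "cloud",   # constructed
    "36214": "harp",    # constructed
    "45133": "mossy",   # constructed
    "62155": "tray",    # constructed
    "51242": "quiz",    # constructed
}

LIST_SIZE = 6 ** 5                    # 7776 words
BITS_PER_WORD = math.log2(LIST_SIZE)  # about 12.9 bits per word
MIN_PASSPHRASE_CHARS = 17             # the post's "start over" threshold, spaces included

# The post's 6x6 table for the optional extra character: the third roll picks
# the row, the fourth roll picks the column.
EXTRA_CHAR_TABLE = [
    "~!#$%^",
    "&*()-=",
    "+[]\\{}",
    ":;\"'<>",
    "?/1234",
    "567890",
]


def rolls_to_key(rolls):
    """Five physical die rolls (each 1..6) become the five-digit list key."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls in the range 1..6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """Position of a key in the list: the key is a base-6 number whose digits
    run 1..6, so 11111 is index 0 and 66666 is index 7775."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def build_passphrase(all_rolls, word_list=WORD_LIST):
    """all_rolls is a flat list of die rolls, five per word (30 for six words).
    Returns the chosen words; raises if a key is missing from the excerpt."""
    if len(all_rolls) % 5 != 0:
        raise ValueError("rolls must come in groups of five")
    words = []
    for i in range(0, len(all_rolls), 5):
        key = rolls_to_key(all_rolls[i:i + 5])
        if key not in word_list:
            raise KeyError(f"key {key} is not in the word list excerpt")
        words.append(word_list[key])
    return words


def passphrase_too_short(words):
    """The post's rule: fewer than 17 characters including spaces means start over."""
    return len(" ".join(words)) < MIN_PASSPHRASE_CHARS


def entropy_bits(num_words):
    """Entropy of a Diceware passphrase: num_words * log2(7776)."""
    return num_words * BITS_PER_WORD


def extra_char(row_roll, col_roll):
    """Third and fourth rolls index the post's table."""
    return EXTRA_CHAR_TABLE[row_roll - 1][col_roll - 1]


def insert_extra_char(words, word_roll, letter_roll, row_roll, col_roll):
    """The post's extra option for a six-word passphrase: one roll picks the
    word, one picks the letter position, two more pick the character.
    Assumptions not stated in the post: the character goes in front of the
    chosen letter, and a letter roll beyond the word's length means roll again."""
    if len(words) != 6:
        raise ValueError("the post describes this step for six-word passphrases")
    word = words[word_roll - 1]
    if letter_roll > len(word):
        raise ValueError("letter roll exceeds word length; roll again")
    ch = extra_char(row_roll, col_roll)
    new_word = word[:letter_roll - 1] + ch + word[letter_roll - 1:]
    return words[:word_roll - 1] + [new_word] + words[word_roll:]
```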

So why use the Diceware™ method? The answer is that it is far easier to remember six (or more) lowercase common words than to remember a 16-character stream of random characters.

A large number of password generator programs and websites are available on the Internet. Their quality varies and can be hard to assess if there is no clear description of the source of randomness that is used, and if source code is not provided to allow claims to be checked. Furthermore, and probably most importantly, transmitting candidate passwords over the Internet raises obvious security concerns, particularly if the connection to the password generation site's program is not properly secured or if the site is compromised in some way. Without a secure channel, it is not possible to prevent eavesdropping, especially over public networks such as the Internet. A possible solution to this issue is to generate the password using a client side programming language such as JavaScript. The advantage of this approach is that the generated password stays in the client computer and is not transmitted to or from an external server. JavaScript Password Generator is an example of such a site.

Δευτέρα 8 Δεκεμβρίου 2014

Fraud, Corruption and Corporate Governance

Fraud and Corruption are like radiation. They are all around us, invisible and subtle, and we usually become aware of them only when irrevocable damage, and sometimes total destruction, has already occurred. They use the “spider method”: Attract, Entrap, Devour.

In their essence they are “asymmetric”. They exist in every socio-economic context, every evolutionary step of Mankind, all eras, peoples and Gods (in mythology); uncontained by any means, political system or leader. Perhaps they are unstoppable. Nevertheless, there are control measures to contain them, at least at the enterprise level, and one of them is “Corporate Governance”.

Though fraud and corruption are often used interchangeably, they have different definitions. Fraud is intentional deception made for personal gain or to damage other individuals and/or entities.
Corruption is, in a sense, a more general phenomenon, the expansion and consolidation of fraudulent practices, and it is not defined uniquely but depends on the country and the political and socio-economic situation that surrounds it. This is because it is really difficult to make a clear, unambiguous and commonly accepted distinction between legality and illegality, between corruption and reward, resulting in "gray areas" larger than the intervals that are distinctly black or white; thus everyone interprets and assesses corruption in his/her own unique way, depending on the environment in which he/she lives and moves.

However, it is commonly accepted that corruption is associated with the use of one's official position for personal and/or group profit and with immoral/non-ethical actions. Indications of fraud include: bribery, "kickbacks", suspicious transactions/exchanges of “favors”, “interlocking” interests, abuse of power, "protection", "black" labor, abuse/theft of public resources, money squandering, over-invoicing/under-invoicing, notional inventory costs, abuse, embezzlement, fraud, extortion, forgery, falsification of documents, nepotism, manipulation/deception (of people, Authorities, the Press), unfair competition, and exploitation of "gray zones" and/or bureaucratic details ("loopholes") to cover illegalities.

In any case, corruption moves in a vicious cycle that starts from corruption itself: because it is so widespread, it leads (one could say “forces”) businesses to engage in unfair practices (e.g. corruption), expands, is strengthened by the prevailing perception of the size, range and “necessity” of corruption, swells because of that perception, and is finally fed back, making unfair practices even more uncontrollable. Corporate Governance could be a catalyst to break this vicious circle.
In general, Corporate Governance is a set of mechanisms and rules which defines the relationship between all the stakeholders in a company, namely: Management, Directors, Shareholders, and other relevant parties (e.g. staff, providers, suppliers, business partners, customers, consumers, consultants, etc., including the Government, independent and Supervisory Authorities and the Public Administration of the country of operation). More specifically, it:

  • Describes and defines their relationships,
  • Specifies the distribution of rights and responsibilities among them,
  • Identifies Principles, Methodologies and Procedures, needed to make corporate decisions,
  • Defines the way (framework and structure; organizational, administrative, etc.), through which the company objectives are set,
  • Describes the acceptable means, to be used both for the achievement of corporate goals and for monitoring of their effectiveness,
  • Specifies control mechanisms/measures to ensure transparency and accountability.
In conclusion, Corporate Governance is a "tool" for better allocation of resources and better enterprise management, ultimately improving business performance, in terms of efficiency and effectiveness, and this is "rewarding".

In fact, as shown by studies (e.g. McKinsey), international investors (institutional or not) prefer to invest more money in companies that have developed a good Corporate Governance framework, as these have a higher value in the Market, which leads to higher growth prospects. This increases the access of firms to external finance, and therefore lowers capital costs. This may, in turn, lead to improved competitiveness, even greater investment, higher growth and more jobs. This whole "chain" creates "wealth" and closes the circle by “returning” this wealth to society, since it contributes to reducing the risk of financial crises and the huge economic and social costs that result from them, to the improvement of social and labor relations, and to development in areas of "corporate social responsibility", such as protecting the environment and supporting common social needs (health, education, sports) through sponsorships, grants, etc.

Consider the issue in "economic" terms, that is, "Supply" and "Demand": In the equation of "State-economic” Corruption, the "Demand" relates mainly to those "having any kind of relationship" with the State Sector, who endeavor to provide unfair advantages (e.g. “peculiar” rental arrangements) in exchange for "appropriate" “payments” ("kickbacks", or “starters” in Greek). The "Supply" refers to those "having any kind of relationship" with the Private Sector, who look for these benefits and are of course willing to pay in order to obtain them unduly from the former. In general, Corporate Governance is one of the main tools for controlling the "Supply" side of the Corruption equation.
"Private-economic" Corruption, on the other hand, is more complex, and the two most common forms in which it can be found are Bribery and Professional Fraud. These are located mainly in areas of significant business Functions, such as: Procurement (making contracts/arrangements), Budgeting/Accounting, Financial Transactions (mainly Treasury), the Distribution chain, R&D (access to unique/proprietary technical/commercial data - industrial espionage), etc.

Corporate Governance aims to promote honest and responsible behavior in conducting a business, adopting practices that are consistent with the legislative and institutional framework of the country in which it operates, and applying commonly accepted social values. For this purpose, it adopts best practices and mechanisms such as: the International Accounting Standards, Regulations of the Financial Markets Operations, "Property" Audit Methodology, Corporate Disclosure Policy (e.g. for Financial data), limited access to information, control of capital inflows, etc., so as to enhance "transparency" and fight corruption while reducing negative impacts. The establishment of an independent, company-focused Control Council is also important, so as to genuinely represent the interests of shareholders and to anticipate and prevent potential opportunistic behavior of senior executives (and/or "internal" shareholders), who are theoretically more prone to be tempted by the immediate benefit that corrupt practices bring, i.e. money (e.g. cash, bonuses).

In practice, the most successful way of implementing sound Corporate Governance is to enhance Business Ethics by consolidating a strong corporate culture in which corruption is explicitly condemned as unacceptable moral behavior and not treated as just another issue of Risk Management. In this way, Corporate Governance marks the creation of a strategic corporate identity oriented to "moral values." In this context, it establishes robust "transparency of payments” mechanisms, so that any instance of corruption (such as bribery, extortion, unfair competition) is disclosed quickly and becomes directly reprehensible, punishable (by activating mechanisms of accountability and transparency, and sanctions against the "participants") and, therefore, "unsustainable".

The main problem with this approach is the universal social acceptance of the double game played by the actors involved, who, like Janus, may have two "faces": condemning corruption on a personal level, for ethical reasons, but setting aside "honor" and morals in business activity, justifying any practice for profit. This contributes to the creation of two new mutually reinforcing vicious circles, which create alienation between Society and both the Public and the Private Sector, as:

  1. Society believes that most public functionaries participate in the dishonest practices of the private sector, mostly as a result of top-down pressures derived from a common “understanding” between the heads of top management. This fosters corruption further, since everyone feels that corrupt behavior ("all of them are bribed") is more or less a given and any attempt to break this vicious cycle is impossible, "Don Quixotism" or "stupidity".
  2. Society does not expect a private company to be honest, but just (dishonestly) profit-oriented, mostly as a result of top-down pressures. Throughout this cycle, enterprises are trapped and doubly disadvantaged by being victims of a peculiar "double, two-way blackmailing": both from Society (due to the loss of confidence resulting from the expected corrupt behavior) and from the Company itself (mostly from the heads of top management and/or powerful business associations, tapping into the “underground” aid of corruption).
All this contradictory nature of modular relations and interdependencies creates a dialectic which not only causes corruption but also justifies it, deconstructing the moral-social identity of business and neutralizing the effective participation of society, alienating it from the economic-social chain and altering the scope and nature of its participation.
Of course, all these phenomena and behaviors are reinforced by impunity, which is the most common outcome, as opposed to the materialization of the related risk, i.e. the obvious economic and moral damage (up to destruction) of the individuals and businesses involved in corrupt practices, weighed against the benefits gained.
Could we ever break this perverse relationship between Companies and the other sectors of Society?
The answer is "YES", with the commitment of all institutional, social and economic actors, which could be achieved in many alternative ways, such as:

  • Institutionalism: By amplifying the relevant international legal, political, institutional and regulatory framework, including both international and national strategies related to anti-corruption activities.
  • Accountability: By increasing the control of Corporate Boards of Directors and their accountability to shareholders; e.g. by the mandatory establishment of an independent Corporate Control Council in any enterprise, so as to address Fraud and Corruption issues, and by activating whistle-blowing facilitation mechanisms (including prompt “cover” for internal whistle-blowers).
  • Sociability: By obligatorily linking each and every company and/or economic entity with a real and measurable (by using specific metrics) Social Identity, as a metric of enterprise honesty and law-abidance, which would be a KPI (Key Performance Indicator) for State/Government funding and sponsorship. This would facilitate activities related to Corporate Social Responsibility (e.g. charity, promotion of outstanding ethical behavior, enhancement of Corporate Governance and Business Ethics) as essential corporate components.
  • Scientific: By sponsorship (not only financial) of extended professional research with regard to Fraud and Corruption diagnosis, problems, consequences and solutions. The research should be conducted by scientific methods and with the direct and universal participation of both the private and the public/government sector, so as to create sound scientific data demonstrating that corruption is really harmful to businesses and their competitiveness, and to facilitate the design of optimal solutions (including the implementation of efficient Corporate Governance mechanisms).
In any case, perhaps the most important thing to be done is the development of an appropriate corporate culture which makes clear that, although the Board of Directors of each company faces, each and every day, a plethora of risks, especially those associated with corruption and fraud and their potential effects, and tries to do its best to prevent them, how it really reacts in an actual crisis is the only thing that can either improve or devastate the reputation of the company, as well as the company itself.
Good Corporate Governance is a stable and infallible compass on this road and the critical/determining factor in the creation of sound socio-economic relations between business and society. Enabling sound coordination mechanisms for anti-fraud and anti-corruption campaigns gives the appropriate signal, both to the government and to the private sector (companies, firms and/or competitors), that satisfying the demands of corrupt functionaries (government and others) is not a solution, so the best strategy is the de facto condemnation of unfair practices, honest and clear entrepreneurship, as well as healthy competition. Otherwise, companies will always be doomed to “star” in an endless “enterprise series” so called "the Mafia methods"...


Κυριακή 7 Δεκεμβρίου 2014

The Site's Security Certificate is not Trusted. Proceed?

When you visit a website whose web address starts with https, your communication with the site is encrypted to help ensure your privacy. When you navigate to a site that uses SSL to transmit data, the server which hosts that website presents your browser with a certificate to verify its identity. This certificate contains information such as the address of the website, which is confirmed by a third party organization that your browser trusts. By checking that the address in the certificate matches the address of the website, it's possible to verify that you're communicating with the website named on the certificate, and not someone pretending to be that website.

What Is an SSL Certificate? An SSL certificate is a digital computer file (or small piece of code) that has two specific functions:
  1. Authentication and Verification: The SSL certificate has information about the authenticity of certain details regarding the identity of a person, business or website, which it will display to visitors on your website when they click on the browser's padlock symbol or trust mark. The vetting criteria used by Certificate Authorities to determine if an SSL certificate should be issued are most stringent for an Extended Validation (EV) SSL certificate, making it the most trusted SSL certificate available.
  2. Data Encryption: The SSL certificate also enables encryption, which means that the sensitive information exchanged via the website cannot be intercepted and read by anyone other than the intended recipient.
In the same way that an identity document or passport may only be issued by the country's government officials, an SSL certificate is most reliable when issued by a trusted Certificate Authority (CA). The CA has to follow very strict rules and policies about who may or may not receive an SSL certificate. When you have a valid SSL certificate from a trusted CA, there is a higher degree of trust by your customers, clients or partners.

How Does SSL Encryption Work? In the same way that you lock and unlock doors using a key, encryption makes use of keys to lock and unlock your information. Unless you have the right key, you will not be able to "open" the information. Each SSL session involves two keys:
  • The public key is used to encrypt (scramble) the information.
  • The private key is used to decrypt (unscramble) the information and restore it to its original format so that it can be read.
The following warnings are presented by web browsers when you access a site that has a security certificate installed (for SSL/TLS data encryption) that cannot be verified by the browser.
  • Google Chrome: "The site's security certificate is not trusted!"
  • Internet Explorer: "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority."
  • Firefox: "This Connection is Untrusted"
Browsers are made with a built-in list of trusted certificate providers. For some sites, the certificate provider is not on that list. If this is the case, the browser will warn you that the Certificate Authority (CA) who issued the certificate is not trusted. This issue can also occur if the site has a self-signed certificate. Self-signed certificates aren't trusted by browsers because they are generated by the server admin, not by a CA.

The most common cause of a "certificate not trusted" error is that the certificate installation was not properly completed on the server (or servers) hosting the site.

Seeing the alert does not necessarily mean that the website you're visiting is trying to trick you into believing it is a different website - it means that your browser is not able to verify the identity of the website, and that you should proceed carefully. The safest thing to do is to cancel your navigation to the site, or to go to a different one. Unless you know and understand the technical reason why the website presented incorrect identification, and are willing to risk communicating over a connection that could be vulnerable to an eavesdropper, you should not proceed to the website. If possible, you should contact the owners of the website and inform them of the error.

Σάββατο 6 Δεκεμβρίου 2014

Practical Lollipop Security

Android 5 (a.k.a. Lollipop) introduced some really neat features that allow users to increase the level of security on their device. They include privacy, security and backup solutions for your device.

A new feature in Lollipop called Smart Lock allows device holders to use either a 'trusted device' or 'trusted face' to streamline how they lock their handset. 'Trusted devices' relies on either NFC or Bluetooth to function and promises that a phone stays unlocked when it's connected to things such as a smartwatch or a car's Bluetooth system. 'Trusted face', on the other hand, is a more convenient way for all-purpose unlocking, and works after the user registers their face with the device. Android KitKat did have a feature called 'Face Unlock', but it often went unused due to the time it took for the unlock process to work. While the feature does reduce the number of times you need to type in your code in any given day, it may make the device less secure since, as Google warns, someone who looks like the user may also be able to unlock the device.

Notifications in Lollipop can be viewed and acted on from a Lollipop device's lock screen — great for convenience, but less so for privacy, if your confidential messages can be viewed by anyone who accesses your phone. Luckily, it's truly simple to fine-tune how notifications appear on the lock screen — for example, by preventing them from appearing at all, or just showing which apps have notifications ready, and approving which apps can then display the content of notifications on the lock screen.
In 'Sound and Notifications Settings' under 'Notifications', you get three crude options for handling notifications when the device is locked: Show all notification content; Hide sensitive notification content — which removes the content of a message; and Don't show notifications at all.

Another feature — similar to Guided Access in iOS — is an accessibility element that is useful for retailers and businesses that want to restrict devices down to a single app, such as a menu or help guide. While the setup in iOS appears geared towards setting up access for a single, extended session, screen pinning in Android is geared towards everyday use — such as handing a device to a friend or your child — by activating it once and leaving it available for the user to pin a particular app when they need to.

Another way to lock a device when sharing it with others is to use a guest profile, also a new feature in Lollipop. New accounts need to be set up for installed Google apps and key settings, such as Smart Lock, are disabled in this mode. The easiest way to activate a guest profile is to swipe down the Quick Settings in Lollipop and tap on the avatar. It is also possible to further restrict certain profiles from making phone calls.

Google has gone to some lengths to protect its users from potentially harmful apps with tools such as Verify Apps. Enabling the Verify Apps feature allows Google to scan the device for potentially harmful apps that are already installed, warn users against installing an app and to prevent an installation before it is completed. Other useful security features in Google Settings include Android device manager, which was introduced last year and supports remote device location, remote lock and erase.

Should you ever lose your device, you probably want to be able to restore key settings such as installed apps, WiFi passwords, and other information in an easy fashion. Enabling the restore feature requires the user to set up a backup account. They will then be prompted whether they want to restore backup settings and data. The data that is backed up and available for restore includes Google Calendar settings, WiFi networks and passwords, home screen wallpapers, Gmail settings, and apps installed through Google Play.

Τετάρτη 3 Δεκεμβρίου 2014

The Time Is Now for Information Governance. But Do You Even Know What It Is?


Information governance covers the entire spectrum of information management, but most people have a fuzzy notion of what it is. This must change, because the real value of information can't be fully realized unless it is properly governed.

Information governance is fast becoming a required competence for IT -- even though we've barely become conscious of what it is.

At a series of university-based research initiatives and industry conferences, I presented executives with the following aural Rorschach test: When you hear the phrase "information governance," what is the first thing that leaps to mind? I was surprised at the diversity of responses: analytics, business intelligence, compliance, data governance, data hygiene, defensible disposal, document management, e-discovery, enterprise architecture, enterprise content management, information life cycle, information risk (the risks associated with how employees handle information), machine learning, master data management, metadata, model management, privacy, records management, regulations, risk, Edward Snowden, structured/unstructured data, and famously breached retailer Target.

As that list suggests, information governance covers a lot of ground -- the entire spectrum of information management, in fact.

The real value of information cannot be fully realized unless data is properly governed. And yet, in many organizations, information governance is an amorphous, undefined concept. It needn't be. Here are three perfectly practicable definitions:
  1. The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.
  2. The practice of identifying the electronic content to be managed and how that will be done.
  3. All the processes, policies, standards and tools that consistently define and manage the critical data of an organization.
But definitions don't drive behavior. And the existing frameworks, vocabulary and practices for information governance are tragically immature.

One challenge is that many organizations have erroneously framed information governance as a compliance issue, as if it were all about managing the information they're required to store and make available to regulatory agencies. A compliance mindset, driven by the fear of prosecution, results in reactive tactical programs that don't engage the hearts and minds of employees.
You can get on the path to effective information governance by answering four basic questions:
  1. Who is responsible for information governance?
  2. What are the economics of it?
  3. What is being stored?
  4. What should we be doing?
But answering those questions can be surprisingly complicated.

Take the third question, "What is being stored?" Information storage is a veritable gold mine of opportunity. IDC predicts that enterprise data growth will average around 50% per year through 2016, with storage costs consuming nearly 20% of the typical IT budget in 2014.

But the Compliance, Governance and Oversight Council has found that 69% of information in companies has no business, legal or regulatory value. Now consider that analysts estimate that every gigabyte of data that can be justifiably removed from corporate databases saves an average of $18,000. That gives you an idea of the magnitude of the information governance opportunity. And that is just on the savings side.

Information governance is important high ground that must be mapped, monitored and managed. IT leaders need to step up to this important undertaking.

Futurist Thornton A. May is a speaker, educator and adviser and the author of The New Know: Innovation Powered by Analytics. You can visit his website and contact him.

This story, "The Time Is Now for Information Governance. But Do You Even Know What It Is?" was originally published by Computerworld.