Wednesday 28 January 2015

ENISA Threat Landscape 2014


ENISA has published its third consecutive yearly report, Threat Landscape 2014 (ETL 2014), consolidating and analyzing the top cyber threats and their evolution as encountered in 2014. ENISA Threat Landscape 2014, an activity contributing towards achieving the objectives formulated in the Cyber Security Strategy for the EU, stresses the importance of threat analysis and the identification of emerging trends in cyber security.

No previous threat landscape document published by ENISA has shown such a wide range of change as the one for 2014. We were able to see impressive changes in the top threats, increased complexity of attacks, successful internationally coordinated operations by law enforcement and security vendors, but also successful attacks on vital security functions of the internet.
Many of the changes in the top threats can be attributed to successful law enforcement operations and to the mobilization of the cyber-security community:

  • The takedown of the GameOver Zeus botnet almost immediately stopped infection campaigns and Command and Control communication with infected machines.
  • Last year's arrest of the developers of Blackhole showed its effect in 2014, when use of the exploit kit was massively reduced.
  • NTP-based reflection within DDoS attacks is declining as a result of a reduction in infected servers, which in turn was due to awareness-raising efforts within the security community.
  • SQL injection, one of the main tools used to compromise web sites, is on the decline due to a broader understanding of the issue in the web development community.
  • Taking Silk Road 2 and another 400 hidden services on the dark net offline created a shock in the Tor community, at both the attackers' and the Tor users' ends.
But there is a dark side to the threat landscape of 2014:

  • SSL and TLS, the core security protocols of the internet, have been under massive stress after a number of incidents unveiled significant flaws in their implementations.
  • 2014 can be called the year of the data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse security weaknesses of businesses and governments.
  • A vulnerability found in the Bash shell may have a long-term impact on a large number of components using older versions, often implemented as embedded software.
  • Privacy violations, revealed through media reports on surveillance practices, have weakened the trust of users in the internet and in e-services in general.
  • Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, increasing their efficiency and their evasion of security defences.
In the ETL 2014, details of these developments are consolidated by means of top cyber threats and emerging threat trends in various technological and application areas. References to over 400 relevant sources on threats will help decision makers, security experts and interested individuals navigate the threat landscape.

Monday 26 January 2015

Privacy on the Web


1. Use Common Sense
This is pretty self-explanatory: don't go to places on the web that you would be embarrassed to have your wife, husband, children, or employer see. This is a very low-tech way to protect your Web privacy, and yet, out of all the methods on this list, might be the one that is most effective.

2. Guard Your Private Information
Before sharing anything online - on a blog, website, message board, or social networking site - be sure it's not something you would mind sharing in real life, off the web. Do not share information that could identify you in public, especially if you are a minor. Keep identifying details, like user names, passwords, first and last names, addresses, and phone numbers, to yourself. Your email address should be kept as private as possible, because an email address can be used to track down other identifying information. A useful service called Paranoid Paul tracks major sites for updates to their privacy policies.

3. Log Out Of Search Engines
Most search engines these days require you to create an account and log in to access the full array of their services, including search results. To best protect your privacy, it's always a good idea to log out of your account after executing your Web searches. In addition, many browsers and search engines have an auto-complete feature that suggests endings for whatever word you might be typing. This is a very convenient feature; however, if you're looking for privacy, it's something you'll want to turn off.

4. Watch Your Downloads
Be extremely cautious when downloading anything (software, books, music, videos, etc.) from the web. This is a good idea for privacy advocates, but it is also a great way to keep your computer from freezing up and malfunctioning. Be very careful when choosing what to download from the Web: some programs include adware that reports your surfing habits back to a third-party company, which then uses that information to send you ads and unwanted emails, otherwise known as spam.

5. Avoid Unnecessary Forms
A good Web safety rule of thumb is to avoid filling out forms that require personal information, so that nothing gets entered into the public, searchable record, i.e. Web search results. You can use BugMeNot to avoid filling out unnecessary forms that ask for too much personal information.

6. Clean Your Search History
Most web browsers keep track of every single web site you type into the address bar. This history should be cleared out periodically, not only for privacy's sake but also to keep your computer running at top speed. In Internet Explorer, you can delete your search history by clicking on Tools, then Internet Options. In Firefox, all you need to do is go to Tools, then Options, then Privacy. You can also clear your Google searches very easily; a simple search will return numerous step-by-step tutorials.

7. Use Caution When Using Social Media
Social networking sites such as Facebook are extremely popular, and for good reason: they make it possible for people to connect with each other all over the world. It's important to make sure that your privacy settings are set appropriately and that what you share on social networking sites does not reveal anything of a personal or financial nature. For more on how to keep yourself safe on Facebook, try reading a post from AVG on the subject.

8. Watch Out For Scams
If it seems too good to be true, then it probably is - and this especially applies on the web. Emails promising free computers, links from friends that seem legitimate but lead to virus-laden websites, and all sorts of other web scams can make your online life quite unpleasant, not to mention add all sorts of nasty viruses to your computer system. Think carefully before following links, opening files, or watching videos sent to you by friends or organizations. Watch for signs that these might not be for real: misspellings, improper grammar, and the lack of secure encryption (no https in the URL).

9. Protect Your System
Keeping your computer safe from harmful content on the web is simple with a few precautions: a firewall, timely updates to your existing software (this ensures that all security protocols are kept up to date), and antivirus programs.

10. Monitor Your Online Reputation
Have you ever googled yourself? You might be surprised to see what is out there on the web. You can control much of what is out there with the precautions laid out in this article, as well as by keeping track of what is found about you in at least three different search engines on a regular basis (you can put this process on auto-pilot using news alerts or RSS).

Thursday 15 January 2015

Storage Security

Many organizations face the challenge of implementing data protection and security measures to meet a wide range of requirements, including statutory and regulatory compliance. Too often the security associated with storage systems and infrastructure has been missed because of misconceptions and limited familiarity with the storage technology, or in the case of storage managers and administrators, a limited understanding of the inherent risks or basic security concepts. The net result of this situation is that digital assets are needlessly placed at risk of compromise due to data breaches, intentional corruption, being held hostage, or other malicious events.

Data storage has matured in an environment where security has been a secondary concern due to its historical reliance on isolated connectivity, specialized technologies, and the physical security of data centers. Even as storage connectivity evolved to use technologies such as storage protocols over Transmission Control Protocol/Internet Protocol (TCP/IP), few users took advantage of either the inherent security mechanisms or the recommended security measures.

ISO/IEC 27040:2015 provides detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection (security) of information where it is stored and to the security of the information being transferred across the communication links associated with storage. Storage security includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users during the lifetime of devices and media and after end of use.

Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage products and services, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security or storage security, storage operation, or who are responsible for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security.

ISO/IEC 27040:2015 provides an overview of storage security concepts and related definitions. It includes guidance on the threat, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other International Standards and technical reports that address existing practices and techniques that can be applied to storage security.

Who's the BOSS in Android Privacy

An Unlocked Android Phone with Tor included that does everything you need it to & more.
BOSS phone is the first of its kind. It has the size, power, and versatility capable of replacing your laptop, tablet, and current phone, while keeping your data incredibly private and secure. BOSS Phone can hold multiple SIM cards at the same time, while it’s equipped with expandable memory and unlocked for global GSM.

The creators of BOSS are asking for financial support through a popular crowd-funding site. Just before I posted this, they had collected marginally over 20,000 USD, about 14% of what they are asking for by 2 March 2015. We wish them good luck!

Specs (as provided by the manufacturer)

  • Super HD resolution (1200x1920 on a vast 7" display) 
  • Full access to Millions of Apps in the Play Store
  • Cutting edge Android 5.0 Lollipop Operating System
  • Bluetooth enabled for all accessories (i.e. headsets, speakers)
  • Mediatek Octacore Cortex A7 chipset (top of the line with higher benchmarks, better power consumption, and lower temperatures)
  • Fully compatible Global 4G LTE and 3G for when you need it
  • Full compatibility with all Apple music and Apple TV using included apps right out of box
  • Lightning fast gaming and graphics supported by one of the fastest processors on the market 
  • Durable form factor that looks and feels great

BOSS Phone was developed by David Briggs and Nick Spriggs, Co-Founders of Briggs & Spriggs, beginning in May of 2014, after David was unable to upload a video to YouTube while attending his brother’s wedding in Turkey, due to the government’s Internet filters. Briggs began researching a geographically anonymous operating system that could easily integrate with a new kind of cellular device: the result was The Onion Router, also known as Tor. Tor was originally designed for and deployed by the U.S. Navy to improve Internet privacy via a network of virtual tunnels that prevents third party surveillance of your Internet connection, geographic location, and sites visited.

In addition to its unrivaled security features, built on top of Android’s latest Lollipop OS, BOSS Phone’s Dual SIM capability supports two different phone numbers, from the same or two different countries/carriers, with endless customization in terms of text, talk, and data plans. Boss Phone’s 7” design and Wi-Fi connectivity makes it the ideal device for watching videos, using social media, reading emails, and browsing the web. 

BOSS Phone is the first phone of its kind on the market. Unlocked for multiple carriers, while featuring a huge, stunning display that is easy to see and type on, dual SIM capabilities (for those who require 2 phone numbers or travel globally), and some of the most secure network-based privacy available on the market!  

BOSS Phone is being manufactured with user privacy as a focus. The devices will be tested by the Tor/Guardian Project to determine that the included software is configured correctly.

The company hopes that BOSS Phone will be the first device certified by the Anonymity experts at The Guardian Project. BOSS is the first phone to ever be manufactured with the inclusion of rooted TOR. BOSS Phone’s embedded privacy firmware will operate at the root level, providing unprecedented levels of privacy. This special network and browser are used by everyday people, the military, journalists, law enforcement, activists, and anyone who wants absolutely secure communications and Internet browsing. 
BOSS Phone will be fully certified by the Anonymity experts at The Guardian Project.

Monday 12 January 2015

"The Gold Bug", Poe on Encryption

Recognized today as the undisputed master of the American Gothic horror story, Edgar Allan Poe (1809–1849) revealed his genius in tales of death, terror, evil, and perversity. Highly skilled in achieving a calculated psychological effect, Poe created chilling fictional nightmares permeated by mysterious forces, grotesque creatures, and improbable hallucinations.

"The Gold-Bug" is a short story by Edgar Allan Poe. Set on Sullivan's Island, South Carolina, the plot follows William Legrand, who was recently bitten by a gold-colored bug. His servant, Jupiter, fears Legrand is going insane and goes to Legrand's friend, an unnamed narrator, who agrees to visit his old friend. Legrand pulls the other two into an adventure after deciphering a secret message that will lead to a buried treasure.

The story involves cryptography, with a detailed description of a method for solving a simple substitution cipher using letter frequencies. The cryptogram is:
53‡‡†305))6*;4826)4‡.)4‡);806*;48†8
¶60))85;;]8*;:‡*8†83(88)5*†;46(;88*96
*?;8)*‡(;485);5*†2:*‡(;4956*2(5*—4)8
¶8*;4069285);)6†8)4‡‡;1(‡9;48081;8:8‡
1;48†85;4)485†528806*81(‡9;48;(88;4
(‡?34;48)4‡;161;:188;‡?;

The decoded message is:
A good glass in the bishop's hostel in the devil's seat
twenty-one degrees and thirteen minutes northeast and by north
main branch seventh limb east side shoot from the left eye of the death's-head
a bee line from the tree through the shot fifty feet out.

(The actual decoded message omits spaces and capitalization)

In cryptography, a substitution cipher is a method of encoding by which units of plaintext are replaced with ciphertext, according to a regular system; the "units" may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. The receiver deciphers the text by performing an inverse substitution.
Traditionally, the ciphertext is written out in blocks of fixed length, omitting punctuation and spaces; this is done to help avoid transmission errors and to disguise word boundaries from the plaintext. These blocks are called "groups", and sometimes a "group count" (i.e., the number of groups) is given as an additional check. Five-letter groups are traditional, dating from when messages used to be transmitted by telegraph.
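As an added illustration (not part of the original post), the following Python script carries Legrand's method through on the cryptogram above: it counts how often each symbol occurs, guesses "e" for the commonest one, and then applies the complete key to recover the message. The key table is the one implied by the decoded message printed above; ENGLISH_ORDER is the common modern letter-frequency ordering rather than Poe's own table, and frequency_guess is a naive first pass that the story then refines by hand using digraphs such as "th".

```python
from collections import Counter

# The Gold-Bug cryptogram exactly as printed on the page, with the line
# breaks removed (Poe's symbols: dagger, double dagger, pilcrow, em dash).
CRYPTOGRAM = (
    "53‡‡†305))6*;4826)4‡.)4‡);806*;48†8"
    "¶60))85;;]8*;:‡*8†83(88)5*†;46(;88*96"
    "*?;8)*‡(;485);5*†2:*‡(;4956*2(5*—4)8"
    "¶8*;4069285);)6†8)4‡‡;1(‡9;48081;8:8‡"
    "1;48†85;4)485†528806*81(‡9;48;(88;4"
    "(‡?34;48)4‡;161;:188;‡?;"
)

# Legrand's completed key (cipher symbol -> plaintext letter), as implied by
# the decoded message in the story.
KEY = {
    "5": "a", "2": "b", "—": "c", "†": "d", "8": "e", "1": "f", "3": "g",
    "4": "h", "6": "i", "0": "l", "9": "m", "*": "n", "‡": "o", ".": "p",
    "(": "r", ")": "s", ";": "t", "?": "u", "¶": "v", "]": "w", ":": "y",
}

# Assumed modern English letter-frequency order (not Poe's table); only the
# first few entries are reliable for a text this short.
ENGLISH_ORDER = "etaoinshrdlucmfwypvbgkjqxz"


def symbol_frequencies(ciphertext):
    """(symbol, count) pairs, most frequent first: Legrand's first step,
    which identifies the commonest symbol with 'e'."""
    return Counter(ciphertext).most_common()


def frequency_guess(ciphertext):
    """Naive first guess: i-th most frequent symbol -> i-th most frequent
    English letter. Expect only the top of the table to be right."""
    ranked = [sym for sym, _ in symbol_frequencies(ciphertext)]
    return dict(zip(ranked, ENGLISH_ORDER))


def decrypt(ciphertext, key):
    """Inverse substitution; symbols missing from the key pass through
    unchanged, so a partial key still shows readable fragments."""
    return "".join(key.get(ch, ch) for ch in ciphertext)


def encrypt(plaintext, key):
    """Forward substitution using the inverted key (letter -> symbol)."""
    inverse = {letter: sym for sym, letter in key.items()}
    return "".join(inverse[ch] for ch in plaintext)


if __name__ == "__main__":
    for sym, n in symbol_frequencies(CRYPTOGRAM)[:5]:
        print(f"{sym!r} occurs {n} times")
    guess = frequency_guess(CRYPTOGRAM)
    e_only = {sym: letter for sym, letter in guess.items() if letter == "e"}
    print("with only 'e' guessed:", decrypt(CRYPTOGRAM, e_only))
    print("with the full key:    ", decrypt(CRYPTOGRAM, KEY))
```

Running it shows why the attack works: "8" is by far the most frequent symbol, matching "e" as the most frequent English letter, and once the full key is in place the cryptogram decrypts to the message quoted above and re-encrypts to the original ciphertext, confirming the key is a bijection.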

Poe played a major role in popularizing cryptograms in newspapers and magazines in his time period and beyond. "The Gold-Bug" also includes the first use of the term "cryptograph" (as opposed to "cryptogram"). To most people in the 19th century, cryptography was mysterious and those able to break the codes were considered gifted with nearly supernatural ability. Poe had drawn attention to it as a novelty over four months in the Philadelphia publication Alexander's Weekly Messenger in 1840. He had asked readers to submit their own substitution ciphers, boasting he could solve all of them with little effort. The challenge brought about, as Poe wrote, "a very lively interest among the numerous readers of the journal. Letters poured in upon the editor from all parts of the country." In July 1841, Poe published "A Few Words on Secret Writing" and, realizing the interest in the topic, wrote "The Gold-Bug" as one of the few pieces of literature to incorporate ciphers as part of the story. Poe's character Legrand's explanation of his ability to solve the cipher is very like Poe's explanation in "A Few Words on Secret Writing". 

William F. Friedman, America's foremost cryptologist, initially became interested in cryptography after reading "The Gold-Bug" as a child—interest he later put to use in deciphering Japan's PURPLE code during World War II.

Monday 5 January 2015

COBIT5


COBIT is a framework maintained by ISACA for IT management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. The first release of COBIT dates back to 1996; ISACA published the current version, COBIT 5.0, in 2012.

The business orientation of COBIT consists of aligning business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business along with IT process owners.

The COBIT components include:
  • Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
  • Process descriptions: A reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
  • Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
  • Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
  • Maturity models: Assess maturity and capability per process and help to address gaps.
The Sarbanes-Oxley Act of 2002 (a.k.a. SOX) strengthened COBIT's presence in the enterprise. Prior to SOX, publicly traded organizations saw very little audit oversight of electronic data resource utilization and security. Security professionals instead relied heavily on standards of best practice, such as ISO 27002 and ITIL, to safeguard resources. However, auditors chose to use the limited guidelines of COBIT 4 to govern SOX compliance. While COBIT 4 provided some guidance on information security, it lacked the comprehensive coverage of traditional standards. This changed with the release of COBIT 5.

With COBIT 5, ISACA introduced a framework for information security. It includes all aspects of ensuring reasonable and appropriate security for information resources. Its foundation is a set of principles upon which an organization should build and test security policies, standards, guidelines, processes, and controls.

Meeting stakeholder needs
A group of stakeholders includes any individual or group affected by the current state or future state of a process, system or policy. Failure to involve all stakeholders, including security and audit teams, usually results in less than optimum outcomes at best. Worst case outcomes include failed projects or material audit deficiencies.

Covering the enterprise end-to-end
General application of security and assurance best practices requires security reviews as part of all business processes and IT development and implementation activities. This is not just a horizontal integration. Rather, all levels of management must include information security in every business strategic and operational planning activity.

Applying a single integrated framework
Designing a complete framework includes all aspects of information storage, flow, and processing, providing a foundation for more efficient control implementation. A framework supports a holistic approach to securing an organization.

Enabling a holistic approach
As support for developing an integrated framework, it is important to see information security as a set of related components. Each component is driven by enablers and other factors affecting organization risk. COBIT 5 for Information Security provides a list of enablers and describes how they interrelate. Enablers help organizations integrate operations and security into the outcomes of all principles defined here. As always, this is done in a way to meet stakeholder requirements.

Separating governance from management
While governance and management are separate functions performed by designated teams, they must support each other. Governance defines outcomes and management implements technology and processes to meet those outcomes. Governance then determines if outcomes are met and provides feedback to help management make necessary adjustments.

The COBIT 5 processes are split into governance and management "areas". These two areas contain a total of five domains and 37 processes:
1. Governance of Enterprise IT
Evaluate, Direct and Monitor (EDM) – 5 processes
  • Ensure Governance Framework Setting and Maintenance
  • Ensure Benefits Delivery
  • Ensure Risk Optimization
  • Ensure Resource Optimization
  • Ensure Stakeholder Transparency
2. Management of Enterprise IT
Align, Plan and Organise (APO) – 13 processes
  • Manage the IT Management Framework
  • Manage Strategy
  • Manage Enterprise Architecture
  • Manage Innovation
  • Manage Portfolio
  • Manage Budget and Costs
  • Manage Human Relations
  • Manage Relationships
  • Manage Service Agreements
  • Manage Suppliers
  • Manage Quality
  • Manage Risk
  • Manage Security
Build, Acquire and Implement (BAI) – 10 processes
  • Manage Programs and Projects
  • Manage Requirements Definition
  • Manage Solutions Identification and Build
  • Manage Availability and Capacity
  • Manage Organisational Change Enablement
  • Manage Changes
  • Manage Change Acceptance and Transitioning
  • Manage Knowledge
  • Manage Assets
  • Manage Configuration
Deliver, Service and Support (DSS) – 6 processes
  • Manage Operations
  • Manage Service Requests and Incidents
  • Manage Problems
  • Manage Continuity
  • Manage Security Services
  • Manage Business Process Controls
Monitor, Evaluate and Assess (MEA) – 3 processes
  • Monitor, Evaluate and Assess Performance and Conformance
  • Monitor, Evaluate and Assess the System of Internal Control
  • Evaluate and Assess Compliance with External Requirements
To summarize:
COBIT 5 for Information Security provides a comprehensive framework for integrating security into business processes. It also provides a set of enablers that, when applied, help ensure stakeholder acceptance and efficient business operation.
Organizations must integrate security into every facet of management and operations. This begins with identifying all business processes and associated stakeholders, including audit and InfoSec teams.
Individual approaches to managing security will not achieve the best overall results. A holistic approach, one that defines a complete framework used to integrate new controls or vulnerability remediation, is necessary for both security and financial efficiency and effectiveness.