CISO – Enterprise Information Security

Private emails, why is it a bad decision?

March 7, 2015 by binoy Leave a Comment

Last week New York Times revealed that former USA state secretary Hillary Clinton used a private email account instead of official email address for communications while serving the State department. It is reported that Clinton used a private email server, not the likes of Gmail or Yahoo, but a hosted email server at the domain Clintonemail.com and was hosted at her home.

As a security professional, I wouldn’t be talking about the potential violation of the federal government rules. Instead, I would be worried about the security of the server and the emails in that server. in the age of cyber espionage, countries around the world are in look out for important information assets and Mrs. Clinton’s email is nothing less than a very high value asset. A private server, without the security protections of a federal system / corporate controls would have become an easy victim of attacks from spy agencies and hackers.

In 2009-2010, one of the Banks in the Gulf region hired a new CEO. Though the bank had its own email server with best security available at the time, the CEO decided host another email for his communications. With the help of a 3rd party service provider, he hosted a domain *team.* and issued email addresses to his inner circle team. The inner circle used this email for all critical communications which include, M&A,internal appraisals, Financial reports etc. The inner circle had people from the Bank, 3rd party advisors and even 3rd party advisor’s secretaries.

We were contracted to perform security assessments of this mail server. It was no surprise that we were able to filter out confidential emails from the server. The key findings of our assessment were:

Vulnerable Operating System
Never patched after the installation
No perimeter protection
Weak Passwords
No security controls such as Firewall / IPS
Lack of encryption

The CEO and his banking advisers always thought its safe to run email servers in the internet. With the kind of information we have provided, they have taken steps to improve the security and then eventually moved to Google Apps

Gulf Countries and Data Security Breaches

March 6, 2015 by binoy Leave a Comment

It is a no brainer to mention that cyber crime is increasing and today, the focus is more on money & cyber war than anything else. We see a lot of such incidents these days including the hacking and data breach at Target, Sony, Anthem to name a few.

What about information security in the other parts of the world? Are we secure enough? Or better, did we have any breaches in the recent past?

I see that a number of organizations were hacked in the recent past in all of the GCC countries. Saudi Aramco cyber incident was a major one in the last 2 years. There were a number of political influenced security incidents in the past

Dubai Police Social Media Accounts Hacked (comments about it)
Insider Threat – Employee hacks internal server and gets himself a promotion (Abu Dhabi)
Etisalat website and payment service were hacked
Cyber mafias strike at leading Omani bank
Ministry of Internal Affairs of Kuwait was hacked
428 bank accounts hacked in Kuwait

The list above is just a few among a large number of such incidents in the region. Now, lets see how serious are Gulf Countries in terms of Information Security?

UAE emirates Dubai and Abu Dhabi has set up security standards (ISR & ADSIC respectively) that should be implemented within the government sector. Other countries such as in the GCC (Kuwait, Bahrain, Oman) are still weighing their options in terms of developing country security standards.

What about the companies? How serious are they about cyber security? Information Security is still considered as a cost component and regulatory requirement by most of the companies in GCC and not as a better business practice.

Do we have to wait till a major security incident happen in the middle east to make it a better business practice?

Microsoft patches Zero Day vulnerability

October 15, 2014 by binoy Leave a Comment

In its latest Patch Tuesday releases, Microsoft pushed patches to fix about 20+ vulnerabilities in various MS products includes servers & desktops, Office, IE and .NET.

One of the update is specifically in addressing the zero-day flaw that is reportedly is already being exploited by Russion hacking groups. The vulnerability could have been used by attackers since early September, if not earlier than that, where the attackers infect victims with malicious attachments primarily PowerPoint files.

While the attack vector is PowerPoint, the vulnerability targets the OLE package manager in Microsoft Windows Desktops and Servers. The OLE packager (packager .dll) is able to download and execute external files like INF, allowing the attacker to execute commands.

Sandworm, the Russian Cybor Espionage group, is behind the attacks and the initial targets of the attack were:

NATO
Ukrainian government organizations
Western European government organization
Energy Sector firms (specifically in Poland)
European telecommunications firms
United States academic organizations

Currently, exploiting the zero-day vulnerability requires the execution of attachments such as PowerPoint. Attackers use social engineering tactics to engage victims to execute the malicious code thus resulting in an attack

Another set of Celeb Leaks

October 8, 2014 by binoy Leave a Comment

After Jennifer Lawrence it is now time to see what hackers have about Kim Kardashian. Private photographs of Kim Kardashian and Vanessa Hudgens, which appears to be naked, are publicly leaked and shared on the social network. As usual, Reddit and 4Chan were the sites used by the hackers to release the photos publicly.

Security Blogger, Graham Cluley, suggests that these images could be leaked much earlier and many years old. Online accounts of these celebs might have compromised much earlier but the compromised photos found their space in the internet just recently.

From a security standpoint, it shows the importance of protecting your accounts at various providers. In most of these events, it is not the cloud service providers who are affected. Instead, it is the individual accounts of these celebrities got hacked, data stolen and eventually published / leaked in the internet.

Today, many of the popular service providers offer better authentication methods. It is up to the subscribers to use these added security features and many of us failed to use these security features such as two factor authentication. The common reason we talk about are the convenience vs security and most of the time, easiness or convenience takes the precedence. It eventually ends up in incidents like this.

Key take away for individuals are :

Think before taking nude photo’s. In today’s world of “Internet of Things” it is not difficult for these photos to end up in the internet
Store the private information, private. Most of the websites are not really private. You should not assume that these photos are going to be private forever at these website providers custody
Once stored, even if you delete those files, it will remain in some storage location of these sites. Which could eventually lead to resurrection
Keep strong passwords and enable 2 factor authentication
Monitor your account activities so that you would come to know about potential access to your account by others.

Google Hacking – FBI warns public

September 13, 2014 by binoy Leave a Comment

Google Dorking, Also known as “Google hacking,” involves using specialized search parameters to locate very specific information. Examples include:

» (U) Site: Searches and lists all the results for that particular site.
» (U) Intext: Searches for the occurrences of keywords all at once or one at a time.
» (U) Inurl: Searches for a URL matching one of the keywords

check the document at https://info.publicintelligence.net/DHS-FBI-NCTC-GoogleDorking.pdf

OWASP AppSec Tutorial Series

August 6, 2014 by binoy Leave a Comment

Here is a list of videos published in YouTube about application security. It is a great compilation of video and a must to watch for the application developers and application security professionals alike.

All these videos are great tutorials for any AppSec enthusiast.

Note: The music is bit louder and might be annoying.

OWASP – Application Security Basics

OWASP – SQL Injections

OWASP – Cross Site Scripting (XSS)

OWASP – Strict Transport Security

Identity Protection Services

July 30, 2014 by binoy Leave a Comment

Identity theft is on the increase. Everyday we hear stories about identity theft by hackers and millions of identifies are on sale after such security incidents. When looking for a Identity Protection company, it is important to check out the services offered by them. Some of the key identity protection services offered by these companies are:

Fraud Monitoring : Monitoring the internet, internet underground, dangerous websites to check if your information is listed fraudulently. The fraud monitoring also looks for the illegal exchange of personal information. Most of the identity protection companies offer’s this service
Fraud Alerts : When these identity protection companies detect fraudulent activity, if the “Fraud Alerts” service is included, they notify the major credit bureaus that is attached to your credit report. Fraud alert with a credit bureau means, they will have to call you and take your approval before a line of credit is opened. Fraud alerts are valid for 90 days and should be updated.
Resolution Services : Most of the identity protection companies provides recovery assistance for stolen identities. They contact the required authorities and credit bureaus when a data breach occurs. Many times, this includes the legal and/or monetary assistance
Stolen Wallet Assistance : It is not so common to lose your wallet. However, in such an event, many of the identity protection companies offers help in contacting the banks or credit card issuers to cancel your accounts
Additionally, look for the Service Guarantee (which is the maximum amount of money the identity protection service will spend to help you in case of failures or defects from the company) and the insurance coverage you might get as part of the identity protection service offered.

It is also important to understand and analyse the types of identities protected by these identity protection services. A key set of identity records are listed below:

Social Security Number (SSN)
Full Name
Street Address
Email Address
Telephone
Credit Card Numbers
Bank Account information
Financial loans/lease information
Drivers License

You might need to consider the option to include / extend the service to Family Members including children. Consider the Identity Protection service provider who offers credit monitoring and provides credit history reports.

Cloud Security Report–Spring 2014

July 18, 2014 by binoy Leave a Comment

The Cloud Security Report Spring 2014 edition from Alert Logic is available for public download. This report is based on the analysis of data from its customer base of around 2200 active customers. A key finding is that the increase in cloud & hosting environment attacks. Bruteforce attacks have grown up from 30 percent to 44 percent and vulnerability scans increased from 27 percent to 44 percent. They also indicates the increase of Malware/botnet attacks in the cloud environment. One of the key observation by the report authors

“ Cloud environments require more sophisticated security programs than in prior years”

To implement a useful Cloud Security service, the overall solution should address:

Network: Firewall, Intrusion Detection, and Vulnerability Scanning provide detection and protection, while also lending visibility into security health.
Compute: Anti-Virus, Log Management and File Integrity Management protect against known attacks, provide compliance and security visibility into activity within an environment, and understand when files have been altered—maliciously or accidentally.
Application: A Web Application Firewall will protect against the largest threat vector in the cloud: web application attacks. Encryption technologies are ubiquitous for data in-flight protection, and some companies select encryption for data-at-rest when necessary, assuming applications can support it.
Application Stack: Security Information Event Management (SIEM) can address the big data security challenge by collecting and analyzing all data sets. When deployed with the right correlation and analytics, this can deliver real-time insight into events, incidents, and threats across a cloud environment.

Download the report from the Alert Logic site

Whitelisting in Java

June 11, 2014 by binoy Leave a Comment

Java vulnerabilities and zero day exploits are very common these days. It has take to the extend that security experts start recommending disabling the Java whenever possible.

Now Java has come up with the option for whitelisting so that you can run Java in a safer condition in your corporate environments. This action from Oracle could gain some confidence in Java. Checkout the details here

“The reason people are recommending that Java be removed is because they have very low confidence that Oracle is going to change their approach to security,” said Chet Wisniewski, senior security advisor at Sophos.

Java exploits are available in the Internet undergrounds. BlackHole exploit kit is such a crimeware (read more about it at Krebs). The biggest challenge for corporates is that their inability to upgrade the Java virtual machine due to the compatibility issues which increases the risk at organizations.

A recent study by security firm Bit9 showed that over 80 percent of Java-enabled enterprise computers run Java 6, with the most widely deployed version being Java 6 Update 20.

Now Oracle added a feature in Java that lets companies control what specific Java applets are allowed to run on their endpoint computers, which could help them better manage Java security risks. The new feature is called the “Deployment Rule Set” and was added in Java 7 Update 40 (Java 7u40) that was released Tuesday.

Deployment Rule Set helps administrators fine-grained control over the execution of applets by allowing them to create an XML file with rules for how known applets should be handled by the Java plug-in. The rule set works just like a Firewall rule set. Rules added to the XML file are tested sequentially, so they can be used to create a white list and then add a general rule at the end of the file to block all applications that don’t match the first rules.

The rule set file needs to be digitally signed with a digital certificate issued by a trusted certificate authority, packaged as a Java archive (JAR) and placed in a specific directory inside the Java installation on all computers where those rules are to be applied.

Can this new change help Oracle gain the confidence of the customers? What are the challenges anticipated in implementing these changes?

Encryption and Security, think again

May 5, 2014 by binoy Leave a Comment

NSA is accused to be spying on the people for years. In a recent article, NewYork Times describes the strategies by NSA on the exploitation of the implementation flaws in some of the popular crypto products. It also discusses about the cases of NSA made companies to insert backdoors into the products and thus weakening the public encryption standards.

It might be right from a national security perspective, but not from a people perspective. Now that it is disclosed, I am sure that we will see a number of encryption algorithms resurrect in the coming months and years. Every country might end up having their own encryption methods and products to protect the data eventually leading to lack of interoperability and ensuring security.

Who else knew about it other than NSA

The most important question now is “Who else knew about the weaknesses in the crypto products?” Like NSA, have they used it as well? What about the producers of these products? How did these vendors ensured that their employees who knew about the requirements did not sell this to the Chinese and Russian hackers?

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

An intelligence budget document makes clear that the effort is still going strong. “We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.

The NSA is created to intercept communications and it appears that a large amount of budget is allocated for their efforts. As part of this, it is only common sense to assume that they do all possible acts to intercept communications, whether encrypted or not.

The spys (of others) within NSA, if any, might also have had access to this information. If you the world knows that there are weaknesses in the crypto products, nations will spend a lot to find it. Who knows, by now powers like China and Russia might have already built capabilities to use the backdoors setup by NSA?