Wednesday, 30 May 2007

How Secure is your Bank's Call Centre?

I have long suspected Call Centres are one of the main places where Credit Card and Bank details are stolen. Today BBC Scotland will air a TV programme where they have uncovered this as a fact. The BBC sent in an undercover reporter into a Scottish Call Centre, operating on behalf of several financial sector organisations. The report showed how lacs the security training and security controls were, with the reporter easily able to write down and remove personal banking details at will. The programme also focuses on how organised gangs have infiltrated the Cal l Centre, and traces back a guy who had his account used for money laundering, by a gang operating out of the Call Centre.

UK Call Centres are renowned for having a high staff turnover and low paid staff, so it’s a no brainer that this is a recipe for a higher tendency and greater risk for internal fraud.

However my personal worry is with those "offshore" Call Centres in countries outside the European Union. I mean, if you take Health and Safety for example, it is fair to say the standards are no where near the UK standards in countries Asia, so just imagine how far behind they are in the Information Security field. In my view this is about cost savings and profit ahead of customer security.
More details http://news.bbc.co.uk/1/hi/scotland/6702469.stm

Thursday, 24 May 2007

Google – "Don’t be Evil" - My Arse!

I continue to worry about Google and where they are going, for company that has an informal motto of “Don't be evil”, they potentially are doing some evil things. Don’t get me wrong, I think Google is by far the best search engine there is, I have been using it as my default search engine since the late 90s, just after they went live. One of the reasons I preferred them over the dominate “Yahoo” search engine in the early days, was because Google was just a simple search engine, the search engine page didn’t have loads of crappy media bits and adverts around it, a huge plus in those low bandwidth modem days. These days Google are offering many extra services, and to be fair most are free to the user, but don’t worry they make plenty of money from advertisements. Some of these extra services are going to give Microsoft some decent competition for once, which is a big plus in my book.

So what are my concerns?

Well first of all, just in case you didn’t know, Google record every single search you type in. They know your IP address and whether you are on a specific computer. Why do they do this? Well they Google say they record this information for “research purposes”. It’s a bit too 1984 for me.

For example if I search for “IT Security Expert” on Google, the following is created and stored on the Google servers.

62.45.2.54 - 24/May/2007 13:24:34 - http://www.google.com/search?q=it+security+expertCEG3EAFOkAAAAB_zXe0WGUB32

As you can see, my IP Address (not my real IP address of course), the date and time of the search, what I searched for and a unique id for my computer, is all taken. It's easily possible to trace the IP addresses back to geographic areas, or even to specific users through ISPs, and they could go on to identify you by your specific PC.

The US Government have already tried to make Google had over this data without success, but who knows if that will change in the future, it’s pretty scary to consider what the US government might do with this info. Who knows what behind the scene deals have been done between Google and the US Security services. I suppose if it stopped terrorism it could be a good thing, I am not saying whether this is right or not, too many ethical issues for me, my beef is the fact this record keeping by Google doesn’t appear to be common knowledge with the masses.

Google say the collected search data is anonymised after 18 to 24 months, they delete the IP address and the computer id part. For me a statement of “18 to 24 months” sounds a bit wishy-washy and I can’t help but wonder if it actually happens, who’s there to make it or prove it, and what about data backup, do they wipe that as well?

The another aspect to Google is their increased use of censorship, the other day they censored essay writing websites, I certainly don’t believe in the practice of plagiarism, but should Google have the authority to ban any web site they see fit? It sets a dangerous precedent in my mind, as the Google China site blocks plenty of western and human rights content at the request of the Chinese government. I wonder how many hits a search for the “Dali Lama” would get on Google China for example. Sure there’s the Great Firewall of China that fits around Chinese Internet access, but for me practice with the China Google site represents an interesting examination of Google’s ethics as a company. Speaking of questioning Google's ethics, Google has bought a genetics company. And incidentally the owner of the genetics company just got married to a Google co-founder.

Google are now going into the area of offering online “office” applications, leading to users storing their personal data files online. Web Applications in general are full of security vulnerabilities, and they always probably will be, while storing your personal data online does not sound like good practice to me, I certainly wouldn't trust it to kept my files secure. If you take Google’s Online Mail application (GMail), which is basically an online version of Microsoft’s Outlook, it has a calendar functionality, which like the Outlook calendar you can share, make it public. Guess what, you can easily search all public calendars held by Google, and it’s astonishing what information you can find. Searching for “passcode” for example returns loads of company conference call details, with the conference call number, subject, the passcode, date & time, company name and conference topics, there is nothing to stop you sneakly joining the call! While checking this out, I even found one conference call for a major “Network level” change for a well known large organisaton. Hardly a good track record on protecting you personal data online by Google online, is it?

To finish on a positive note for Google, I really like Google search results are now flagging up websites which have potential malware embedded in them, warning the user before clicking through, it probably won’t be long before they start censoring those too. There’s a question why don’t they just ban them, arguable they are just as harmful and exam writing websites…

Tuesday, 22 May 2007

Wi-Fi Health Risks

Wi-Fi was in the news in relation to possible health risks associated with exposure, apparently they wi-fi devices and hotspots give off radiation beyond that given off by mobile phones, although you don't exactly put your wireless network cards to your head like with your phone. It's one of those grey areas where the technology hasn't been around long enough to make a health assessment based on prolonged use, as it might be years before health effects are known, I mean you don't exactly get lung cancer from cigarettes overnight do you. It's pretty much too late to stop the relentless roll out of wi-fi in the UK now, since there are wireless networks and wi-fi hotspots just about everywhere these days.

I must admin for many years when I have been configuring wi-fi access points, and I always get a headache, but then again I get a headache whenever I go near a power pylons too, perhaps I'm just sensitive like that or it's just psychological. Having said that, there's no way on earth I would I let my kids sit with a wireless enabled laptop on their knee, dam right I wouldn't!

Monday, 21 May 2007

New Podcast Released

I have just released IT Security Expert Podcast Episode 2, which focuses on Mobile Phone and Bluetooth Security. You can subscribe/download via iTunes or from the main site, www.itsecurityexpert.co.uk

Friday, 18 May 2007

BlueTooth Security

We all have mobile phones with a BlueTooth wireless capability these days, but what are the risks and the hacking techniques being used against?

Basic Phone Security
Always protect your mobile phone with a pin-lock password, think about the information you have stored on your phone, not just the phone contacts, but records of your calls, text messages and even voice mail, if it's not needed, delete them.

If you ever sell your phone, give it to charity or trade it in, make sure you delete all the information on the phone, there is always a "master reset" option someone within the menus. It's amazing how many second hand phones you can you buy off eBay will the information still intact, pretty scary stuff if it's your private information.

Make sure you do not use 0000 or 1234 as your Bluetooth pin code, it's the first pin codes any hacker will try, and they will get in no matter what phone firmware you are using.

BlueTooth Hacking
The big security weakness with PDAs and Mobiles Phones is from Bluetooth hacking. If you use Bluetooth devices, esp. if you have Bluetooth enabled all the time, you might be surprised about the types of attacks you could face as you walk down the street, drive in your car or while you are at home.

BlueTooth is a short range wireless protocol, therefore BlueTooth devices have a range of generally 10 metres, so you might think any potential BlueTooth hacker would have to be near by to hack in, well this is not necessarily true. Hackers are known to build customised BlueTooth scanners capable of scanning all BlueTooth devices in a range of up to a 1 mile radius.

So what are the types of hacking and jargon names for them.

BlueJacking
Sending anonymous business cards to your phone (SPAM). This attack does not access/change details. Usually the sort of thing School kids do to you while you are sharing a train or bus with them on the way to work. Messages can be fun, advertisement or offensive, either way all annoying and needles. To protect set device to non-discoverable mode.

Bluesnarfing
Hackers use a BlueTooth enabled laptop or sometimes a BlueTooth PDA to compromise your phone with an application call BlueSnarfer. This attack can result in Data Theft from the Phone Book, Calendar, Appointments and even Images, your PIN and other codes. To protect, ensure your phone is running latest firmware and switch off Bluetooth broadcast when not needed.

Bluebugging
Hackers comphrisme your phone, then secretly intial phone calls from it without your knowledge. Usually the phone calls are to premium rate lines which more often than not are international in nature, thus making money for the attacker. To protect, ensure your phone is running the latest firmware and switch off Bluetooth broadcast.

Car Whisper
My personal favourite type of BlueTooth attack involves cars, these days a lot of new cars have Bluetooth build in for phone use etc, more often than not their Bluetooth service is always broadcasted and the pair code is 0000 or 1234 as default. So it’s fairly easy get into a car's system via BlueTooth, and then use an application called “Car Whisper”, which is used to have the car “speak” any messages typed in by the hacker, which is playback through the car stero speakers to everyone within the car! I think you can see the funny side of this use, however, it might not be too clever if you are speeding down the motorway and you are distracted by your car speaking to you.

Word of Advice
1. Do not use enable bluetooth unless you need to use it
2. Do not use 0000 or 1234 as your BlueTooth pin code
3. Ensure you device (phone) is using the latest firmware (the phone operating system)
4. If you are Car has BlueTooth enabled, check the manual and with the car manufacturer to ensure BlueTooth is properly secured, otherwise one day your car might resemble Knight Rider!

Thursday, 17 May 2007

Wireless Networking

So I'm sat at home, I boot my laptop, and my wireless network card instantly detects 3 of my neighbour’s wireless networks. None of them I would consider as being secure.

Being a member of ISC2 and I have strict ethical code of practice to adhere to, so I would never dream of hacking any networks or PCs without the written permission of the owners. However without using any specialist software I can tell these networks are not secure. One of the networks even has zero security, meaning anyone with a Wi-Fi network card could attach to and use it, and getting free broadband access and possible access to files on any PCs in that household,very bad indeed.

The other two wireless networks my laptop picks up do have some security, but not enough. The fact I can see their SSID names is not a good sign, the broadcast of a SSID name is great starting point for any would be amateur hacker out there. Even worst, one of these networks is using the default wireless router name, which probably means they are using the default passwords, far too easy.

If I only knew who these people were, I would tell them, I think it could be any one of 12 houses around my house, I'll try asking around.

This sort of issue isn't uncommon, I often find businesses who don't secure their wireless networks, allowing easy access to their data, which in some business cases in terms of the data protection act, is illegal.

Words of advice

1. When picking an SSID, use letters and numbers, don't call it "My Network" or "Company Name WiFi"
2. Configure your Wireless Router to NOT broadbcast your SSID name.
3. Ensure you are using WPA encryption and use a non dictionary password word at least 12 charactors long. Don't ever use WEP, it's broken and can be compromised in less than minute.
4. If you really want to be secure (like me), configure access on your Wireless Router by filtering your WiFi devices using MAC address (network hardware address) access lists.

Tuesday, 15 May 2007

Home Network Security Scrutinised

I found the following article on the BBC news website, which happen to be exactly what I had been talking about in my presentations this week. None of the findings are surprising to me, but I find many people I talk with are in the dark about digital security. Anyway I thought I'd write this post about it and start my own blog.

Home computer users who leave default passwords on network hardware unchanged could be at risk from attack say security experts. Researchers created an attack that surreptitiously redirects a user to nefarious sites once they have visited a booby-trapped webpage.

The attack works by re-writing the address book in network hardware to point victims to the scam sites.

About 50% of users leave default passwords unchanged, suggests research.

The theoretical attack was explored in a paper written by researchers from the University of Indiana and security firm Symantec.

In the paper the authors detail how to compromise the routers many people use to share broadband connections between machines in their home.

Making changes to a routers set-up requires the use of an administrative password, but the researchers said informal studies suggest that about half of router owners never change the default.

Their paper shows how a booby-trapped webpage could use these default passwords and JavaScript - a technology enabled on 95% of computers - to change a router's DNS settings.

The Domain Name System (DNS) turns the web names that humans use into the numeric form that computers prefer. By compromising the router malicious hackers could make it direct people to fake address books.

Phish Pharming

These fake DNS servers could redirect users to counterfeit banking, e-mail, or government sites which then collect sensitive details like account numbers, usernames, and passwords.

Phishing attacks, where users believe they are on a legitimate site when actually connected to a bogus one, are not new. However, these schemes are usually limited to individual pages.

This method would let hackers do wholesale phishing, called pharming, by redirecting every web address to illegitimate servers that either collect information or attempt to install malicious software.

"Fortunately, this attack is easy to defend against," one of the paper's authors, Zulfikar Ramzan, said on his blog.

To protect from a pharming attack of this sort, the paper recommends that users change the default administrative password on their router.

Alternatively, they can put other DNS information into each computer on their network. Source

BBC News 16 Feb 2007