Wednesday 17 December 2008

Even Phishing Emails warn of Phishing Emails

I received a phishing email targeting customers of a UK bank just moments ago. I wouldn't normally post such things up, but I found this one particularly amusing and a bit of a phishing email first, because the email actually warns of suspicious emails and phishing! I thought the phrase "A new Second Level Password" particularly funny. The scam email finishes with another warning about "suspicious e-mail appearing to be sent by Alliance & Leicester Commercial Bank - please ignore it and contact us now"; it all reads rather like a 1970s Monty Python sketch!

Phishing emails always target one of two human emotions, fear or greed. This one is targeting fear: its objective is to scare the receiver into thinking their bank account security (their money) has been compromised, so encouraging the user to click the link through to a bogus website impersonating the bank site, where the user's banking credentials are harvested without their knowledge. "Greed" based phishing emails usually offer free prizes, free holidays or just straight up cash, for example telling the receiver they have won the European Lottery, or that a Nigerian millionaire needs you to pay the bank transfer fees in order to send you that large oil inheritance you are due, never mind that the user has never entered any lottery nor has any connection with Nigeria whatsoever.

Perhaps I shouldn't be making light of these scam emails, as even though most people are aware of these types of phishing email scams today, there are always one or two who do get sucked in and caught out. This is why these scam emails are still commonplace in our mailboxes: it is simply because they do work.
(I have removed the bogus website links)
"Dear Customer,

Latest News


Please be informed that currently fraud e-mails are sent to customers and non - customers of Alliance & Leicester Commercial Bank requesting to provide their online banking details.

In any case you should not provide any of your personal information or banking details.

A new Second Level Password has been sent to all our Retail customers in your online

Please activate the new one.

Start now the Alliance & Leicester Commercial Bank authentication process.

When you log onto the service we will ask you to accept the updated Terms and Conditions.

Once you have accepted these, you will be able to access your accounts in the usual way.

Alliance & Leicester Commercial Bank would never ask you to give through e-mail or any other mean any private and confidential information.

If you receive in your mailbox a suspicious e-mail appearing to be sent by Alliance & Leicester Commercial Bank,

please ignore it and contact us now.

Alliance & Leicester Commercial Bank Online Billing Department."

Tuesday 16 December 2008

No such thing as a Secure Web Browser

The big security story in the mainstream news today has of course been the security vulnerability in Microsoft's Internet Explorer web browser (Serious security flaw found in IE). The vulnerability can be exploited by deliberately engineered or compromised regular websites, allowing the attacker to invisibly access the host PC system, from which point a whole series of further possible attacks can be run, such as stealing website usernames and passwords. At this time Microsoft aren't saying when they will be releasing a patch to fix this issue, which is really unfortunate, as this vulnerability has been known about for at least a week to my own knowledge.

The solution to the problem being eagerly suggested on TV and radio news is to download, install and then use a different web browser, as they are not affected by this flaw (which is completely true), and are safe and secure. I have a problem with the latter, which I heard said and implied on several occasions today; this is a highly misleading statement, as there is no such thing as a "secure web browser".

A couple of weeks ago I spoke with some nice chaps from OWASP (Open Web Application Security Project), a non-profit and "The" world recognised authority on web application / website security. At the time I was taken aback and found it astonishing that at their last OWASP "brain storming" event, which was attended by some of the world's leading web (site) application experts, not one of the web browser companies or organisations sent a representative, despite them all having been sent "VIP" invites to the event. OWASP rightly recognise that the architects and developers of web browsers play a key role in the overall security of web sites (web applications) on the Internet, and the big flaw discovered in IE really highlights this.

The most widely used alternative web browser on Windows systems at this moment is Mozilla Firefox (click here to download it), which is completely free to download and pretty easy for any novice to install and start using. Personally I switched from using Internet Explorer (IE) to Firefox several months back, mainly because I found it was generally a better web browser to use than IE, and I particularly found the array of security related browser plug-ins extremely useful. So I'm a Firefox convert, but I think it would be a completely wrong and dangerous statement for anyone to state or suggest Firefox is more secure than Internet Explorer; all web browsers by their nature, open source or not, are bound to have vulnerabilities present which are currently unknown and are yet to be exploited. You cannot ever get 100% security, and this law especially applies to software applications.

So what's my advice to IE users? Well, I'm not quite going to be a sheep and bleat what I've heard others advising the masses today, which was simply to switch to another web browser application, and hey, I'm certainly neither pro nor anti Microsoft either...

My advice is if you are using Internet Explorer, make sure you have "PROTECTED MODE" ENABLED (IE7 or 8 with Vista) and set the Security Zone to "HIGH".

And then make sure you are taking the usual security measures on your PC, such as enabling the local (Windows) firewall, applying all Windows patches and updates, and installing and keeping up to date anti-virus / anti-spyware software. Until a patch is released, be especially cautious when browsing "dodgy" type websites. Setting the security zone to high allows you to accept or deny any scripts being executed through the web browser, which is how this and other vulnerabilities are exploited.

Sure, this could be an opportunity to give Firefox or another web browser such as Safari, Opera or Chrome a try out. Using a different web browser will fully protect you from this particular flaw, but do not assume your new web browser is any more secure than using Internet Explorer. We tend to know a great deal about the security issues and weaknesses in IE, mainly due to it being the world's most popular, and therefore the most attacked, web browser. Firefox has also had (and no doubt will have further) its fair share of serious security vulnerabilities too (Mozilla Foundation Security Advisories), but these tend not to get the same level of media coverage, and to be fair Firefox vulnerabilities have tended not to be exploited to the same high degree as IE vulnerabilities at present; but if everyone switched to Firefox and it became the world's most popular browser...

So if you are a Firefox user (like me), make sure you exercise all the usual security precautions on your PC: firewall, patches, security software etc. And for any techie who is truly paranoid, you could do what I do when researching the really dodgy websites, which is to run your web browser in a virtual session.

Finally, I have no doubt Microsoft will release a patch for this issue in the next few days anyway; it's just a real disappointment they couldn't have patched the problem last week as part of the usual security patch release cycle.

EDIT 17-Dec-08: Since the original post, Microsoft has released a patch for this vulnerability -

Tuesday 9 December 2008

Recommended Business WiFi Encryption

I was forwarded an interesting WiFi security tech question yesterday which resulted in a debate about whether hiding a WiFi SSID made you secure. I just couldn't resist answering the question, and as usual went off on a security mission with my answer. There were lots of positive comments on my answers and my general advice around home and enterprise WiFi security, so I thought I'd post it up on my blog for all to see.

Original Q. "I've been having an ongoing debate about the practice of hiding SSIDs in a corporate environment. I'm curious to know if hiding SSIDs is widely (emphasis on widely) considered a best practice or whether there are equal arguments on both sides. My thoughts are that if you couple high grade encryption (WPA2) with some form of authentication (802.1x?) then hiding the SSID is unnecessary - and in fact makes it harder for valid users to find the network."

"Hiding the SSID can keep out the casual WiFi browsing neighbour, but will not prevent the “school boy” level of WiFi broadband thieves from finding out details of your WiFi network, you know, those guys who steal WiFi for downloading illegal games, music and other unsavoury whatnot…

The SSID name plays an important part in the WPA-PSK encryption process, as the name is used to uniquely create (or salt, as it is referred to) the hash of the WPA passphrase in order to protect against bruteforce attacks, as each bruteforce attempt needs to be hashed 4096 times, meaning it takes ages to try combinations for the passphrases, although it is doable if you have power and time on your hands. I have rainbow tables (like a hash answer cheat sheet) for the most popularly used SSID names against pre-computed hash values, which allows me to bruteforce passphrases extremely quickly, so I can quickly crack poor WPA-PSK passphrases for the most commonly used SSIDs like “NetGear”.

So my advice for commercial companies using WiFi is always to go with the enterprise WPA encryption options instead of using WPA-PSK (static key/passphrase). At home, go with a long and unique SSID name and a decent random passphrase, which will prevent rainbow table hash bruteforce. If you are super paranoid at home, go with a 20 char+ random SSID name; hiding it doesn’t make any difference to those with the capability of breaking in.

Another point already made, do not name the SSID after your family name or company/department, you shouldn’t advertise what it is to the world, unless you are offering a guest WiFi network.

And yes, we all know WEP has been broken for 6 years; any WEP key can be cracked in a couple of minutes no matter the length and complexity of the password and SSID name you used.

Also in the corporate environment, best practice is to scan for WiFi rogue access points at least once a quarter, or even buy a device with continually scans if you have a particularly sensitive site to protect, this is regardless of whether you use WiFi or not at the site.

Oh, MAC address filtering is a waste of time too. MAC addresses can be easily spoofed (in fact they are impossible to prevent from being sniffed); applying a sniffed MAC address to a network card within any OS is easy."
Response - "Thank you for your informative response.  While I’m quite knowledgeable of Microsoft’s products (AD, Exchange, etc.), I’d consider myself an intermediate when it comes to wireless security.  When setting up WAPs, I’ve always used WPA-PSK because that’s what I know to do.  I assume that Enterprise WPA is more secure, but I don’t know what it is.  Is there a website that you could point me to help learn more about this?  I understand that there’s a thing called 802.1x authentication that, for example, would let me require authentication against my Active Directory.  I envision a wireless user establishing the connection, and being prompted to enter their AD credentials, or perhaps it takes what’s cached from when you login to the computer.  Again, any good concise references to this stuff would be greatly appreciated."

"To recap, WPA-PSK (Pre-Shared Key) is a personal mode designed for home and small office users who basically do not have any authentication servers available, i.e. Active Directory. WPA-PSK operates in an unmanaged mode using a pre-shared key (PSK), and uses a passphrase to create the encryption key; this is the big weakness, as it’s vulnerable to bruteforce attacks. If you have to use this mode within the business setting, I recommend a passphrase of at least 13 characters and regular changing of that passphrase. BTW the passphrase can be up to 95 characters in length.

By Enterprise modes, I was referring to WPA & WPA2 with IEEE 802.1X and EAP, which operates the WLAN in a managed mode. It uses the IEEE 802.1X authentication framework and EAP (Extensible Authentication Protocol) to provide authentication between the client and authentication server. In this mode each user is assigned a unique key to access the WLAN. In answer to your question, it uses single sign-on with AD, or it can prompt, or it can be set up to use certificates.

Something else I should mention about enterprise modes is WPA-TKIP. TKIP encrypts each data packet for each individual user at a time, making the encryption extremely difficult to break. WPA uses the RC4 encryption cipher, whereas WPA2 uses the AES encryption cipher, which provides a stronger degree of encryption than RC4. Recently TKIP was proven to have several minor weaknesses, in that it’s possible to inject a few packets and decrypt ARP frames in around 15 minutes; although this is not overly concerning nor a major flaw, in my view it is always best to completely avoid such potential issues and go with the WPA2 AES option given a choice.

You can use digital certificates with WPA-EAP-TLS, and there’s PEAP authentication as well; all have single sign on capabilities with Active Directory, LDAP, NDS and even with NT Domains."
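The two replies above both turn on the same point: the WPA-PSK passphrase is hashed 4096 times with the SSID as the salt, so a precomputed table only helps against networks that share a common default SSID. The script below is an added illustration, not code from the blog or the email exchange. It uses the standard 802.11i derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit key) and a small constructed table of weak passphrases for the SSID "NetGear"; the SSID "x7Qm-kitchen-2008" and the passphrase list are made-up sample values.

```python
import hashlib

# WPA/WPA2-PSK derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1; the SSID is the salt and the iteration
# count is 4096 (the "hashed 4096 times" the reply describes).
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32


def wpa_pmk(passphrase: str, ssid: str) -> str:
    """Return the WPA-PSK PMK for (passphrase, ssid) as a hex string."""
    pmk = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH_BYTES,
    )
    return pmk.hex()


# Constructed sample: a few weak passphrases precomputed for one very common
# default SSID. Each entry costs the 4096 iterations once; afterwards any
# network using that SSID and one of these passphrases is matched instantly.
COMMON_SSID = "NetGear"
WEAK_PASSPHRASES = ["password", "12345678", "qwertyui", "letmein1"]


def build_table(ssid: str, passphrases: list[str]) -> dict[str, str]:
    """Map PMK -> passphrase for a single SSID (the 'rainbow table' idea)."""
    return {wpa_pmk(p, ssid): p for p in passphrases}


def table_lookup(table: dict[str, str], pmk_hex: str):
    """Instant lookup; None means the table has nothing for this PMK."""
    return table.get(pmk_hex)


def demo() -> tuple:
    """Same weak passphrase on a default SSID versus a unique SSID."""
    table = build_table(COMMON_SSID, WEAK_PASSPHRASES)
    # Network with the default SSID: the precomputed entry matches.
    default_ssid_hit = table_lookup(table, wpa_pmk("password", "NetGear"))
    # Network with a unique SSID (constructed value): different salt, so the
    # same passphrase produces a PMK the table has never seen.
    unique_ssid_hit = table_lookup(table, wpa_pmk("password", "x7Qm-kitchen-2008"))
    return default_ssid_hit, unique_ssid_hit


if __name__ == "__main__":
    print(demo())  # ('password', None)
```

The unique SSID does not make the weak passphrase strong; it only forces each guess to be recomputed for that one network, which is why the advice is a unique SSID and a long random passphrase together. `wpa_pmk("password", "IEEE")` reproduces the 802.11i test vector, which is a quick way to confirm the derivation is the standard one.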

Friday 14 November 2008

Reason to Secure your Home WiFi

Just the other week I saw a “Which? Computing” report which highlighted complaints against video games companies who were going around accusing innocent people of being file-sharing pirates. In one case Atari accused a couple in Scotland of file sharing the game Race07. The couple were aged 54 and 66, and unsurprisingly had never played a computer game in their entire lives, yet they received a threatening letter care of Atari’s lawyers, instructing them to pay a £500 fine or face court action.
In due course the fine and case were rightly dropped; however there were 70 other similar cases dropped, often involving senior citizens who had never heard of peer-to-peer file sharing.
But what caught my attention was the law firm’s response to these accusations. According to Michael Coyle, an intellectual property solicitor with law firm Lawdit, “more and more people are being wrongly identified as file-sharers. Most commonly problems arise when a pirate steals someone else's network connection by "piggybacking" on their unsecured wireless network.” While prosecutors argue that users are legally required to secure their network, Mr Coyle dismisses this. "There is no section of the Copyright Act which makes you secure your network although it is commonsense to do so," he said.
For some time now I have been warning home users about the consequences of not securing their home WiFi properly, or even purposely sharing WiFi Internet access with anyone in range. In this case it was a computer game being shared without the WiFi network owner's knowledge, which resulted in a scary letter from a law firm. But what if their neighbours or a complete stranger were using the Internet connection to file share illegal pornography? It would probably result in a knock on the door by the police, subsequent removal of all computer equipment from the address and an arrest. Interestingly the lawyers were certainly thinking about blaming the WiFi network's owner; I wonder whether, if the network had been intentionally shared by the owner, they could be found liable. Regardless of that, I don't think it's the smartest move to purposely share your home WiFi network outside your home.
Opening wireless network access up, or not ensuring the WiFi is properly secured, opens up many other concerns. For one, it’s possible for someone to listen in on (snoop) your Internet traffic, learn what websites you visit and in some cases steal personal information. Unless you encrypt your email, the bad guys can intercept and read your email, and even adjust the email contents without your knowledge. And by attacking the wireless router from inside the WiFi network, they can even redirect you invisibly to fake websites. For instance it's possible to snoop which bank website you use and adjust the DNS on the WiFi router, so the next time you visit your bank's website your computer is sent to a fake bank site which has the correct URL in the address bar; in doing this the bad guys could harvest your bank account website logon credentials without your knowledge.
All food for thought: whether it is someone stealing your personal information, or your neighbours committing file sharing piracy or worse, you should make sure your home WiFi is secured for just your own usage, and avoid all the inconvenience and hassle.

Tuesday 11 November 2008

Web Application Security with HP's Billy Hoffman

The increasing shift in Internet hacking attacks against the (web) application layer is leaving many end customers as victims. Recently I met up with the head of HP Security Labs and Web application Security researcher Billy Hoffman, and discussed why this attack vector is on the rise, and solutions to the problems.

In recent years there has been an explosion in the number of web applications on the Internet, the so called “Web 2.0”. Web applications are becoming more complex; whether they are social networking sites, e-commerce sites or banking sites, the new breed of web applications are increasingly handling high amounts of consumer financial data and personal details. Such information is of commercial value and targeted by cyber-criminals. Many web applications are simply not developed as securely as they ought to be, and as a result are vulnerable to web application hacking and attacks. The bad guys are taking advantage of this situation, with recent research showing 75% of cyber attacks are now carried out at the web application level. So the stakes are high for the end consumers of these web site applications, and the rewards are high for the cyber-criminal, who exploits poorly written web application code to steal data. In essence, if the application doesn’t have proper security checks written into the code, the hacker can take advantage and make the web application do something it wasn’t designed to do; this can result in large amounts of consumer information being harvested by cyber criminals. One of the most common attacks is SQL Injection, which can literally return whole chunks of the database within the webpage, while another common attack is known as Cross-Site Scripting (XSS), which allows the attacker to inject malicious code into the webpage, which in turn could steal user login sessions and deliver malware to user desktops, amongst other things.

Firewalls do not protect Web Applications
What’s even more worrying about web application attacks is that such attacks are often not even being monitored and therefore are going unnoticed by the website administrators. A web application (layer 7) attack completely bypasses the security and monitoring provided by devices such as network firewalls, Intrusion Detection and Protection Systems and website encryption (SSL/TLS - that golden padlock on the browser). Even network level penetration tests resulting in “not hackable” seals of approval offer no guarantee against a web app hack. So when you see that webpage stating it’s a “secure website”, using encryption (“https”) and displaying an up-to-date anti-hack testing seal of approval by a well known security company, it has no consequence to the security of the web application, which could be full of major security issues despite all those security measures, which only operate at the network layer.

The network layer security really does lull some organisations into a real false sense of security. A specific web application layer penetration test can be used to test for web application vulnerabilities; however these are still rarely carried out regularly by medium to small sized organisations, and even some large organisations, mainly because it costs too much to get one done, or the organisation just isn’t aware of the problem.

The Reality of Web App Hacks
A recent UK example highlights the problem: a few months ago Manchester based online clothing outlet Cotton Traders disclosed that their website users were victims of a web application attack, namely a SQL Injection attack, in early 2008. They had firewalls, a “secure” encrypted website and a seal of approval, yet their customers had credit card details stolen through a web application attack. And just last week Netcraft found a cross-site scripting vulnerability on Yahoo (Netcraft).

Why are these Web Application Attacks possible?
It’s quite simple: the developers writing the web application code either do not know how to code a web application to be secure, such as using proper field validation, or the developers are skipping proper coding techniques in a bid to have the application ready and released due to commercial pressures on time. Either way these are needless flaws and yet are all too commonplace, with 8 out of 10 web applications on the Internet having a high to medium web application vulnerability going unchecked.
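The SQL Injection attack described earlier comes down to the missing coding technique this section names: user input concatenated into the SQL text instead of being passed as a bound parameter. The script below is an added example, not code from the post, HP or Cotton Traders. It builds a constructed in-memory SQLite table of three customers and runs the same input through a vulnerable lookup and a parameterised one, so the difference in what comes back is visible.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "1234"), ("bob", "5678"), ("carol", "9012")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw: the user's input becomes part of the SQL statement itself."""
    sql = (
        "SELECT username, card_last4 FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver binds the value, so it can only ever be data."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run an ordinary value and a constructed hostile value through both."""
    conn = make_db()
    ordinary = "bob"
    # Constructed hostile input: closes the quoted string and adds a condition
    # that is always true, the classic textbook injection.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_ordinary": lookup_vulnerable(conn, ordinary),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_ordinary": lookup_parameterised(conn, ordinary),
        "safe_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the vulnerable lookup the hostile input returns every row in the table (the "whole chunks of the database" the post mentions); with the parameterised lookup it returns nothing, because no customer is literally named `x' OR '1'='1`. Field validation on top of this is still worthwhile, but parameter binding is the control that removes the injection itself.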

How to combat Web Application Security?
Some vendors will stake their or their client’s reputation on installing a Web Application Firewall (WAF); however WAFs are still a relatively new technology. I have to say I am sceptical about any vendor who says such a product is the silver bullet which will plug all possible web application layer vulnerabilities. The other big problem with a WAF is throughput, as every packet has to be inspected at the top layer of the protocol stack (layer 7), so data packets need to be disassembled and analysed, which takes time and results in a performance hit. The answer to the performance hit is to have a large WAF or many WAF devices inline, which can really rack up the cost. I am not dismissing using a WAF, but for me it needs to be part of a “belt and braces” security approach, which means ensuring the code is developed and tested for web application vulnerabilities prior to release; for me that is the first and key battleground to win ahead of installing a WAF.

How to Secure the Development of Web Applications
To do this, developers need to be properly and regularly trained to code web applications securely. In addition other controls within the development process are needed to ensure corners are not cut, security coding is not being missed, or mistakes being made. It is surprisingly easy to miss validation on that one field, the more complex the application, the more likely security vulnerabilities tend to slip in. The answer to this problem is to use a web application vulnerability scanning tool as part of the development process, and for testing within live environments.

One of the leading commercial web application vulnerability scanning suites is Hewlett-Packard Security Labs’ DevInspect, WebInspect & QAInspect, which were formerly under the umbrella of SPI Dynamics, acquired by HP in 2007. For further details about these tools and what they can do, click here.

Billy Hoffman (HP Security Labs)
I managed to spend quality time with web application expert Billy Hoffman, Head of HP Security Labs. I use the phrase “quality time”, because Billy Hoffman is just one of those guys who I could talk techie security all day long, and I count myself lucky to have spent several hours chatting about web application security with Billy, as well as listening to several fascinating “hacking” stories, which I can’t publicly repeat!

Billy is just one of those inquisitive out of the box thinkers, which makes you thankful he is one of the good guys, that is, a white hat. However Billy became well known as a bit of a grey hat hacker, known as Acidus. While he was studying at Georgia Tech he famously hacked the university swipe card system, finding a fault with the magnetic stripe data, and it’s fair to say his resulting exposure of the flaw wasn’t fully appreciated by the system owners. Billy went on to graduate from Georgia Tech and joined Atlanta start-up company SPI Dynamics, becoming their Lead Security Researcher. Billy and SPI Dynamics specialised in web application security and web app vulnerability scanning products. So Billy is a real web application subject matter expert and is a frequent speaker on the subject at many of the top security conference events around the world. In fact I think the term “Web Application Security Guru” is the more fitting description to use when describing Billy Hoffman.

In late 2007 Billy released his first, and in my view much needed, book on Ajax security, appropriately called “Ajax Security”. Today many web applications are being re-written in Ajax, which gives an application that “real desktop application” feel within the web browser. However poorly written Ajax code produced by developers is introducing a new frontier of web application security vulnerability problems which the bad guys are taking advantage of.

Prajakta Jagdale (HP Security Labs) on Flash Security
Also in attendance at the meet-up was HP Security Labs Security Researcher Prajakta Jagdale, who highlighted issues with Flash application security. In recent times malware has targeted poorly secured Flash web applications, and there have been several cases of successful exploitation of premium website Flash applications by malware and hackers. A common example of such an exploitation is specific malware which automatically embeds advertisements within the application, which is known by the term “Malvertisement”. The bottom line is that secure Flash application development is really not too different to traditional secure web application development: developers need to code the application so it is fit for the purpose of being public facing. We all agreed writing a secure web application isn’t rocket science; most of it is just common sense, such as adding proper validation checks on entry fields by white listing acceptable characters instead of trying to black list. However the “secure” development of Flash applications still tends to be overlooked by many organisations, perhaps because Flash applications are more difficult to scan than traditional web applications, perhaps because there are fewer people with the expertise to code review and test them, or perhaps because Flash applications aren’t on the radar of security testers and professionals. Whatever the reason, Prajakta’s research and findings on Flash application security are very interesting, and lead me to believe there are many Flash applications on the Internet today which are vulnerable to attack.
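The white list versus black list point above is the one most worth seeing in code. The script below is an added example, not code from the post or from HP; the field names, patterns and sample inputs are constructed for illustration. It contrasts a deny list that tries to spot bad strings with an allow list that states exactly which characters each field may contain, and adds output encoding, since a value that passes validation still has to be escaped before it is written into HTML.

```python
import html
import re

# Allow list: one pattern per field type, saying what IS acceptable.
# Constructed field names and patterns for this example.
ALLOWLIST = {
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "uk_postcode": re.compile(r"[A-Z]{1,2}[0-9][A-Z0-9]? [0-9][A-Z]{2}"),
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),
}

# Deny list: the approach the post argues against. It only rejects the
# strings the developer thought of, exactly as written.
DENYLIST_TOKENS = ("<script>", "'")


def validate_denylist(value: str) -> bool:
    """Accept unless the input contains one of the known-bad tokens."""
    return not any(token in value for token in DENYLIST_TOKENS)


def validate_allowlist(field: str, value: str) -> bool:
    """Accept only if the whole value matches the field's allowed pattern."""
    return ALLOWLIST[field].fullmatch(value) is not None


def render_greeting(username: str) -> str:
    """Output encoding: escape before the value is placed into HTML markup."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


def demo() -> dict:
    """Run constructed sample inputs through both validators for 'username'."""
    samples = ["bob", "bob_2008", "bob<ScRiPt>", "bob' OR 1=1"]
    return {s: (validate_denylist(s), validate_allowlist("username", s)) for s in samples}


if __name__ == "__main__":
    for value, (deny_ok, allow_ok) in demo().items():
        print(f"{value!r}: denylist={deny_ok} allowlist={allow_ok}")
```

The mixed-case `bob<ScRiPt>` sails through the deny list because it is not byte-for-byte the token the developer listed, while the allow list rejects it simply because `<` and `>` were never permitted in a username. That asymmetry is the whole argument: a deny list has to anticipate every variation, an allow list does not.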

In summary, in the security industry today it is generally accepted that the web application security problem is increasing, with the bad guys going after this layer more. It’s not hard to learn how to attack at the web application layer either, anyone can do it, and interestingly it is not particularly difficult to fix. Speaking with application security experts like Billy Hoffman and Prajakta Jagdale really underlines the importance of web application security, and the role of the HP Security Labs Dev\Web\QAInspect web application vulnerability tools in tackling the problems. It is clear that the HP Security Labs suite of web app security tools is helping many responsible organisations develop and deliver public facing web applications much more securely, which in the end protects those organisations' end consumers.

If you have any interest in testing your web application, check out the HP Security Labs website and download a 15 day free trial of their tools.

Wednesday 29 October 2008

RSA Europe 2008 Review

RSA Europe is said to be the most comprehensive information security forum held in Europe, with world leading expert speakers from the information security industry discussing and debating the hottest topics in security.
It was great to see this year's conference being themed on British cryptographer Alan Turing. Turing was part of a team of code breakers working at Bletchley Park during World War II, who in complete secrecy quite literally saved thousands of lives by breaking encrypted messages. Today Bletchley Park is a museum open to the public, completely privately funded and yet a vital part of the security industry's heritage. So it was really good to see Alan Turing being highlighted by the event, but I will save my thoughts on Bletchley Park for another post, although I do urge anyone interested in general information security, cryptography or history, who has the chance, to visit Bletchley Park and/or donate to the cause.

For me the biggest highlight of the RSA Europe event this year was the Tuesday trio of keynote speakers. First up was Bruce Schneier, who spoke about The Future of Privacy.
I make no secret of the fact that I am a big Bruce Schneier fan; each time I have the privilege to attend one of his talks or discussions, I am always left with at least one profound, thought provoking or even view changing moment, which tends to stick with me, and the security guru's talk on privacy was no different. Bruce likened "data" to the industrial pollution of the information age, and rejected the “Security vs. Privacy” argument, citing the improvement in aircraft security since 9/11 as an example. He said we are simply safer on airplanes today because of two simple security improvements, namely locks on flight cockpit doors, and the fact passengers are now inclined to fight back. All the new privacy eroding so called security measures we have all come to accept at airports since 9/11 are not really a factor in improving security and safety. Bruce went on to describe the future of privacy, saying we live at a time where we all can see the thousands of cameras and ID checks as we go about our lives, but over the coming 5 to 10 years the cameras will get smaller and become invisible, while ID checks will occur in the background without our direct knowledge, thanks to technologies such as face recognition. Personally I have been debating the “Is privacy dead” issue, as famously coined by Scott McNealy (Sun) in the late nineties, with fellow security professionals for some time, but Bruce’s view is that privacy can be and must be saved. Privacy protection requires much better laws, of the same kind which prevent us today from living in a police state. As we get to grips with the evolution of the information age, new laws should and must follow to protect everyone's privacy; we must think of it as a "Liberty versus Control" argument rather than "Privacy vs. Security".
Bruce concluded by challenging everyone in the auditorium not to blur privacy and security, saying it is our responsibility as security professionals to safeguard privacy, and that generations from now, history will judge whether we were successful or not at this unique early juncture in the information age.

Bruce also announced his entry for a brand new hashing algorithm at the event, which I'll save talking about for another blog entry.

Next up on the podium was Ken Silva, the CTO of VeriSign, who painted a very interesting picture of the rapid expansion of the Internet, distributed denial of service attacks, and the ways VeriSign are tackling the rapidly increasing bandwidth demand resulting from growth in both of these areas.

Ken highlighted that not only will huge pools of brand new Internet users be coming online from areas such as Africa and India over the coming years, but there will be an explosion in direct Internet devices requiring high and fast bandwidth. For example Internet TVs are around the corner, which basically are TVs with an ethernet jack in the back as opposed to an aerial or satellite dish, and which will stream thousands of TV channels into the home from the Internet. Meanwhile “Voice Over IP” phones are expected to completely "take over" from traditional phone networks.

Ken produced some mind blowing stats, stating there are around 1.5 billion Internet users at present, which is expected to grow to around 2 billion users by 2011. On the security problem, there are around 300 million devices (PCs) attached to the Internet which have Spyware/Malware installed and operating. That's around 1 in 5 PCs, with around 150 million devices (and growing every day) which have "bot" malware operating. A bot is an application controlled by cyber-criminals which can be used to direct unmanageable volumes of Internet traffic at specific websites; this attack is known as a Distributed Denial Of Service (DDoS) attack and can shut down and crash web sites.

Finally Hugh Thompson, Chief Security Strategist at People Security, lit up the auditorium with his “Hackernomics” talk.

Hugh unearthed the changing economics of cybercriminal attacks and our security defence, underlining the general theme in the shift in attacks from the network to the application layer. Hugh is a world renowned figure in the world of application security, and I have to say I don’t think I have come across a more entertaining security speaker. I briefly spoke with Hugh offline, and I intend to feature more of him and "Hackernomics" in a separate blog entry.

This year at RSA Europe there was an overall focus on the rising threat trends within web applications and defending with good web application security. There were notable sessions by Fortify, who put together a professionally produced documentary film titled “The New Face of Cybercrime”, while the “Blinded by Flash” presentation by HP opened up the application security issues within Flash applications, which have traditionally been hard to test for application security vulnerabilities. Again I intend to feature the latest threats within web applications in a separate post in the coming days, as this post is getting rather long.

In all, RSA Europe was as billed, the premier infosec event in Europe, and on a personal level I found the event great for "networking", meeting up and discussing security with new people, and some old faces from around the globe, with equal enthusiasm and passion about information security.

Thursday 23 October 2008

Credit Crunch causing CyberCrime Shift

The "Credit Crunch" is not only fuelling more cyber crime and online fraud, but the latest malware, phishing and fraud trends show the credit crunch is having an effect within the sinister cyber criminal underworld. It seems the bad guys are having trouble opening new fake accounts, obtaining credit cards with stolen identities, and are even having trouble getting store credit using fake identities.

Why? Well it is because the financial industry have been cracking down and fully vetting credit applications (about time). You really have to ask why it has taken the near collapse of the world's financial system to kick financial institutions into properly checking just who they are actually going to provide credit to, after all that’s what caused all this credit crunch mess in the first place, right?

So this is good news on the identity theft front, but as always in cyber fraud the bad guys just move onto the next lowest hanging fruit, and so are increasingly going after active bank accounts and active credit cards. Which in itself is kind of interesting due to the consumer credit crunch factor, as I guess everyone will generally be a lot more careful with their money, and therefore will be checking through their bank and credit card statements more often. A lot of fraud simply goes undetected due to a particular technique employed by the bad guys, where they skim small amounts of cash on a monthly basis directly from people's accounts. This goes unnoticed by the victims, simply because the victim isn’t scrutinising their statements. According to "ID Theft Protect (Aug07)", 90% of people never check all their transactions on their bank or credit card statements, which underlines why these types of fraud are so successful and can really add up over a long time period.

I mean there are even some legal companies which dupe people into adding a small monthly standing order on their accounts and credit cards, usually within the small print, or even by illegal means! I had a very popular UK motoring recovery organisation charge a renewal against my credit card without any prior notification recently, even though the account they charged was my wife's! I actually had a completely separate account set up with them, and they linked the payment details from my account to the other.

So be extra vigilant with those statements, you never know what you might find and save!

Wednesday 1 October 2008

BackUpAnyTime's - Who's Who in Data

Last week BackUpAnyTime interviewed me as part of their "Who's Who in Data" feature. Being chosen for this interview was a real privilege and it was a pleasure to answer their questions. The interview Qs & As are now available.

"This has got to be one of the most enjoyable interviews we have conducted yet. To say that David Whitelegg is a data security expert is an understatement of significance and a clear example of stating the obvious. David’s answers range from short and witty to detailed and fascinating. Here is a man who can and will tell you how to best protect your data. Ask him about his family or car and he may consider you a bot seeking personally identifiable information. A riveting and educational read. Dave plans to write a book. Sold!"

Friday 19 September 2008

Eugene Kaspersky on the Latest Malware Trends

I was fortunate enough to catch up with the one and only Eugene Kaspersky this week. Eugene is one of the world's leading experts in the information security field, co-founder and CEO of Kaspersky Lab, the international information security software vendor and a technology leader in malware (malicious software such as trojans, viruses, keyloggers) protection.

It was a real privilege and honour to chat with the Moscow based Security Guru about the latest malware patterns, trends and threats being monitored by Kaspersky Lab. I do not use the term “Security Guru” lightly either, Eugene is a graduate of the Institute of Cryptography, Telecommunications and Computer Science and has conducted scientific research in these areas before entering the antivirus industry (before it was an industry) in 1991. This was after his interest in viruses was sparked when his own system was infected by the Cascade virus in 1989.

I remember my Commodore Amiga being infected by a boot sector virus around the same time, if only I had the same kind of vision back then. Actually one of the new trends being observed by Kaspersky Lab was the return of the old boot sector virus. The reason behind this trend is if the “bad guys” can load and execute the malware ahead of the loading of the operating system, OS security protection and antivirus, it makes it much easier to deliver the malware payload and avoid detection, and even actually prevent the security countermeasures from operating properly.

Kaspersky underlined a fact I myself have been preaching for a number of years now, in that the people behind these global malware attacks are becoming more professional, organised and are financially motivated, as opposed to being out to cause system crashes for kudos. The traditional idea of a teenage spotty faced kid sat in his bedroom bringing down TV networks for fun is a myth, these guys are in it for the easy money.

The evidence of this financial motivation can clearly be seen in the Kaspersky Labs statistics, which show 90% of Internet malware as being spyware trojans, designed to steal information, whether it be credit card details, login credentials or general personal details. No longer do cyber criminals have any interest in bringing down systems either, which is why only 5% of malware are the traditional “trouble making” viruses. These bad guys actually want their target systems to stay online for as long as possible, so they can be fully exploited. Such is the lucrative nature of these attacks and the high rewards of this dark economy, the cyber criminals are even aggressively competing against each other, with malware actually attacking and "killing" other malware to gain supremacy. How much malware is out there to be protected against? Well today Kaspersky Labs are protecting against 1.250 million and rising, which shows the scale of the malware problem. I remember when my AV signature list had a couple of hundred types of viruses listed in it; you could scroll through the list and look at the names and what they did!

I asked Eugene one particular question which has been puzzling me about antivirus protection for some time: given that most malware is targeted against Microsoft operating systems and applications, which these days tend to offer better protection (arguably), how come malware trends are not shifting to target the lower hanging fruit more, in non-Microsoft operating systems, especially given the recent popularity and rise of freeware (Linux) and Apple systems in recent years? Eugene pointed out there was an increasing trend in the number of malware specifically targeting Apple systems, while on the Linux front, he said with a big grin, that Linux users tended to be more skilled, security savvy and wise, therefore less prone to being successfully breached by malware. In my own summary, the successful malware attacks occur against the "dumb users", who tend to be on a Microsoft system, or increasingly an Apple system. This makes perfect sense, as after all the biggest gap in security lies between the keyboard and the back of the chair.

Eugene went on to say there was a shift towards malware specifically aimed at mobile devices. These days there is a lot of valuable information held on mobile devices, while typically they tend not to have good protection against malware, which can be delivered to the device through the Internet connectivity. On top of this mobile devices are being increasingly used for making payment transactions, with payment card information being highly targeted by cyber fraudsters.

Kaspersky also highlighted another very interesting global malware trend, which is being driven through the deployment of cheap hardware and fast Internet access to the developing parts of the world, the $100 laptop for example. New malware threats are increasingly originating from places like Latin America and Africa. However over 50% of malware is still coming out of China, and the overall problem is still rising. Kaspersky went on to describe a “division of labour” in the malware black market, with cyber criminal groups specialising in different areas and collaborating. Typically groups are dividing and specialising in areas such as writing the malware code, malware deployment, malware management (those bot-herders) and data hijacking/data mining, which really underlines how organised this black market is now becoming. Also Kaspersky Lab has observed general differences in the types of malware targets around the globe, with South East Asia specialising in online gaming fraud, Latin America developing banking Trojans, while Russia appears to be the place where a lot of malicious code is written and sold on.

Fascinating stuff and it goes to emphasize the importance of running antivirus or a complete security suite on your computer systems, and ensuring such systems are automatically kept up-to-date. So there you have it, Eugene Kaspersky, Security Guru and a great down to earth guy, I thoroughly recommend going to hear him speak if you get the opportunity.

You can obtain a Free Trial of the award winning Kaspersky Internet Security 2009

Sunday 7 September 2008

Credit Crunch to drive UK Cyber Crime

As the effects of the “global credit crunch” start to take hold in the UK, it is evident to me that UK focused “Cyber Crime” will sharply increase as a result. Over the past ten years the UK economy has been in a honeymoon period, and doing relatively well, with GDP growth outpacing the rest of the EU. The good and steady economic environment has resulted in low unemployment figures for much of the last decade. You really have to go back to the late 1990s for the last major lull in the UK economy.

In comparison, mass market cyber crime for financial gain hardly existed ten years ago, and certainly was not on the radar during the last major recession in the 1990s. Over the last decade Internet access and usage for the average UK person has radically changed, thanks to the explosion of broadband, which in turn has resulted in cyber crime opportunities around every corner.

Within the Security Industry it is commonly known that hackers have been increasingly focusing their efforts on attacks which yield financial rewards as opposed to the traditional attacks for the challenge, fun, or kudos. For example the number of original viruses being created for the sake of causing disruption, which often has no financial benefit for the perpetrator, has been dropping, while attacks for financial gain for the perpetrator, such as web application attacks, phishing Emails and key logger installations, have been rapidly rising in the last few years. On the back of this, the amount of personal information being placed and made available on the internet is increasing, providing a rich gold mine for cyber fraudsters and identity thieves.

There are many analysts and reports stating economic slowdown and rising unemployment result in increases in crime, and in particular fraud crime. Fraud crime fits cyber crime like a glove. Putting these economy and crime trends together with the trends in security and financially motivated cyber crime (fraud) since the last major economic slowdown in the UK, I can only conclude one obvious outcome, namely the credit crunch will drive a serious increase in cyber crime in the UK. It will be very interesting to see if the future official figures on UK online card fraud reflect this trend. Just about every person I have spoken to about cyber crime fraud in recent months has themselves, or knows a family member, friend, or work colleague who has, been "done" with credit card fraud as a result of something which occurred online during the last 12 months.

So I urge everyone in the UK to buckle up their anti-malware software, check their paper shredders, to be eagle-eyed reviewing credit card/bank statements and to keep extra vigilant when online as we sail through the choppy water of the credit crunch.

Wednesday 9 July 2008

Security is a Process, not a Product

Back in the year 2000, I remember reading an article by Bruce Schneier (a security hero of mine) in which he said "Security is a Process, not a Product". Bruce talked about whether this would ever be understood. It really struck a chord with me at the time and I've been quoting Bruce saying that ever since in my own presentations. Well 8 years have gone by since I first read it, and Information Security has certainly come to the fore in that time, but Bruce's statement rings truer than ever.

I don't want to come across as knocking the security industry because they do provide many great security products and services, but in the industry’s push to sell products and solutions, I think they are helping to drive the concept that the answer to all information security problems is to simply buy a product off the shelf.

The number of times I've been at security events and conferences, where the “punters” are repeatedly told, “buy our product and your security problem will go away overnight, but if you don’t buy, something nasty will definitely happen”.
I have to say part of the problem is down to the punters going out impulse buying “off the peg security products”, who tend not to understand what information security is about in the first place. Often they are looking to the security industry, and those pesky sales guys, for security advice. In fact the sales tactic is often to host a “free security advice/awareness” session to draw in the punters. I show up to some of these events to gauge where the market is and how threats are perceived to be moving, but it really makes me cringe at times, especially as the message is increasingly "buy this and you will be secure!" And it gets worse, as some companies are clearly jumping on the security bandwagon to make a quick buck. At InfoSec Europe this year, I heard one (so called) security organisation openly presenting about the PCI Data Security Standard to a bunch of folk who, gauging from their questions, really didn’t know anything about the standard, other than it affected their business. This company were out and out misleading those listening, and it was clear to me the presenter didn’t even know the proper facts about PCI DSS. In fact I was so outraged by what I overheard, I stopped, blended in with the punters, and at the right moment asked a question about requirement 6.6 to deliberately trip them up. I asked “so which is best on requirement 6.6 in your expert opinion, a code review or an application firewall? and why?” – they didn’t have a clue; anyone knowing and working with PCI DSS would instantly know and understand the issue around Req. 6.6 in mid 2008.
I think the answer for the “punters”, namely the organisations which, let's face it, many of whom are just really waking up to the issue of information security, is to train and invest in a security department and personnel. So they are correctly advised on the proper solution processes from the ground up, as well as understanding when and where they should buy products off the shelf to help reduce security risk along the way.

Tuesday 1 July 2008

The NHS just doesn't "do" Information Security

I said this before, and I'll probably say it again a few more times, "The NHS just doesn't "do" Information Security".

The latest in a catalogue of NHS breaches involved a Senior Manager who had his laptop stolen, but the laptop held over 21000 records of Essex patients.

The same old problem with a laptop breach...

1. No Hard Disk Encryption - Password Protection is almost no protection, it's very easy to bypass Windows passwords, pretty much anyone who can type into Google can manage to achieve it.
2. Poor Information Management. We have a vast amount of Sensitive Data which has been allowed to be "copied" from a central IT system to a laptop.
Should the Manager have access to that much information? Should he be allowed to export that much information from the host system? Probably not. Who else can access and take a copy of this data? What's to stop someone putting it onto a £6 flash drive?

I have friends who work in the NHS, and they tell me the NHS has no culture or awareness towards protecting the vast amount of personal and, let's face it, highly sensitive information which the NHS holds and processes. I'm not saying keeping people alive is less important than investing in information security, but that's the problem, a lack of investment (money), and that's why there will continue to be serious data breaches involving the NHS. But consider this, soon the NHS will be storing our DNA profiles on their systems as well...

I'll finish on a positive note with this data breach, as I'm being far too negative lately, good for the NHS for disclosing and letting the people who are affected know in a decent time frame, well they had plenty of practice - right?

Thursday 19 June 2008

Mod Data Breaches & the Human Security Element

In the last few days we have seen a glut of data breaches by the Ministry of Defence and the UK Government, all involving employees leaving highly sensitive and top secret documents on trains. These documents included details about terrorists, wars and organised crime. When analysing these separate cases it is clear the documents in each breach should not have been removed from their secure environments by the employees in the first place, let alone left in a public environment.

These breaches are the classic internal human data breach examples, and show that even the most security conscious bodies such as the Ministry of Defence are always struggling to deal with and contain the human security factor. Sooner or later in the process security tends to be reliant on a human being, and it is extremely difficult, expensive and can also introduce highly inconvenient trade-offs to secure the human interaction, especially when it comes to preventing the removal of physical documents from a site. Even drilling security awareness into staff offers little guarantee, as there are always individuals who either don't grasp the importance of the message or don't share the organisation's appetite for taking risks. If you think about it, there are just some people in our society who are naturally big risk takers, I'm talking about those people who strap elastic bands to their feet and jump off cliffs, or that boy racer driving a Vauxhall Nova 1.0 who insists on barely overtaking you on a busy single carriageway in the face of oncoming traffic, and pretty much anyone who rides a 500cc+ motorcycle.

Part of the security defence against the human element is having a deterrent, so in each of these recent cases we know the employee in question has been suspended (likely pending firing). I'm sure the deterrent in these organisations is well known: if you work for the MoD and are responsible for a serious data breach, your MoD career is pretty much over. But this only goes to prove deterrent is not enough, as a deterrent can't actually physically prevent someone from making the decision and physically walking off site with the secret docs.

There are always security measures that can be introduced to prevent these particular actions, such as restricting sensitive documents to a need to know basis, but we must accept that taking risks and bad judgement is just part of the human condition, and will always be an unsolvable security problem facing any organisation, because you simply cannot take the human element out of the equation and there is always a point when applying security measures where the cost and trade-offs become too great.

Wednesday 11 June 2008

Cotton Traders: Where’s the PCI DSS Compliance?

A couple of days ago a Manchester online clothing business, Cotton Traders, announced a data breach, which was brought about by a web application level "hack" on their website. The breach resulted in the compromise of customer personal details and credit card details. The Cotton Traders data breach underlines two significant issues in the UK: one is the lack of UK breach disclosure laws, and the other is that companies are still avoiding or ignoring PCI DSS Compliance.

Lack of Disclosure
Although the breach was announced yesterday, the breach actually occurred way back in January 2008, and was supposedly fixed in a matter of hours, so there was no reason to keep it from the public right after the breach occurred. That’s 6 months after the breach that it was announced to the public; don't we have a right to know? What’s more there has been a lot of smoke and mirrors about this data breach: in one statement 38,000 credit card details were stolen, in another statement it was just one credit card, then in another it was only customer names and addresses. This is pretty bad considering they had six months to figure out what went on and how; why can't they provide the clear facts of the matter? The upshot is the public can’t be certain what data (especially if it is their own) was compromised.

Furthermore there are no actual details of the cause of the breach; although it does appear to be an attack at the web application layer, I'd wager it was an SQL Injection attack. Whatever the type of the successful web application attack was, the real cause of the breach is not just the hacker, but Cotton Traders’ bad web application (web site) code and/or poor web site hosting. Think about it, if you left the windows open on your house before going on a two week holiday and then returned to find it burgled, you’d rightly blame yourself for not taking the security of your home seriously enough; the same applies to companies writing web application code and hosting web applications.

Another example of the smoke and mirrors is Cotton Traders stating “all of its customers' credit card information was encrypted on the website”, which is misleading, as this web application breach is not about the web site using session encryption (https), but whether the card details are encrypted on the backend database, and the specific type of encryption employed on the card storage and the process around it (key management). Far too often companies think they can use “it was encrypted” as a kind of get out of jail card, without telling the public what the actual details around the encryption used were. Encryption is not the magic security bullet! For example using an https (encrypted) web session offers very little protection against a web application level attack, which is against the web site code and the backend database.
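To make the point concrete, here is an added example (not code from the original post and nothing to do with Cotton Traders' actual site) showing why session encryption is irrelevant to an SQL injection flaw: a constructed order-lookup query built by string concatenation hands every stored card to a hostile order reference, while the parameterised version of the same query does not. The table, order references and card values are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a small retailer's order database.
# The card values are made-up, already-masked test strings, not real cards.
SAMPLE_ORDERS = [
    ("CT-1001", "alice@example.com", "4111 **** **** 1111"),
    ("CT-1002", "bob@example.com", "5500 **** **** 0004"),
    ("CT-1003", "carol@example.com", "3400 **** **** 0009"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (ref TEXT PRIMARY KEY, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def lookup_order_vulnerable(conn, order_ref):
    """'Before' version: the order reference typed into the web form is pasted
    straight into the SQL text. An https session only encrypts this string on
    its way to the server; the database still executes whatever it says."""
    sql = "SELECT ref, email, card FROM orders WHERE ref = '%s'" % order_ref
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn, order_ref):
    """Hardened version: a parameterised query. The driver passes the reference
    as a value, so quotes inside it can never change the shape of the query."""
    sql = "SELECT ref, email, card FROM orders WHERE ref = ?"
    return conn.execute(sql, (order_ref,)).fetchall()


# Constructed hostile input. The first quote closes the string literal,
# OR '1'='1 makes the WHERE clause true for every row, and the trailing quote
# balances the one the vulnerable code appends itself.
INJECTED_REF = "nothing' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("legitimate lookup:", lookup_order_safe(db, "CT-1002"))
    print("vulnerable query :", lookup_order_vulnerable(db, INJECTED_REF))  # every row
    print("parameterised    :", lookup_order_safe(db, INJECTED_REF))        # no rows
```

Parameterisation fixes the query; what the database would then leak in a breach still depends on what is stored in the `card` column and how it is protected, which is the separate storage-encryption question raised above.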

PCI DSS Compliance
Cotton Traders have said nothing about whether they were/are Payment Card Industry Data Security Standard (PCI DSS) Compliant. Any company which takes card payments online in the way Cotton Traders do must be PCI DSS Compliant, which came into force from June 2007. I have to assume Cotton Traders were not compliant at the time of the attack. Why? Well if they were I'm sure they would have stated that fact, and in such circumstances they would rightly have hidden behind PCI DSS and blamed the PCI standard. Also if Cotton Traders were PCI DSS compliant the chance of a web application attack being successful would be very small. Why? Well PCI DSS compliance requires an annual web application penetration test and a web application code review/webapp firewall, which, used and acted upon, significantly reduce the risk of hacking vulnerabilities at the web application layer.

I don't know the facts about this breach because they haven't been disclosed, but if Cotton Traders were not PCI DSS Compliant, then many PCI experts would say they were being negligent.

Hacking Trends
The major big ecommerce operators are fully wise to web application security and operate in a secure professional manner, and are PCI DSS compliant. Because of this the hackers are targeting the lower hanging fruit, which are the smaller ecommerce companies like Cotton Traders, some of these don't understand the importance of public facing web site security and the significance of PCI DSS, and will be subject to these types of attacks and breaches.

Monday 2 June 2008

Why UK Privacy is Dead

I can’t recall who originally coined the expression “Privacy is Dead”, but whoever it was, I have to say that I agree. A couple of months back I was speaking about companies and the UK government protecting personal data on BBC News 24, when in a typical BBC newsreader style I was put on the spot and asked “…but isn’t this information you say needs protecting available in the phone book anyway?” Which is true; even if you made the effort to go ex-directory and de-list from the public phone book, your name and address (given a rough geographic location) can still be easily found online, because Privacy in the UK is Dead. Let's be honest, it was never really alive in the first place.

Part of the problem is very simple, when it comes to personal privacy; generally the default stance and settings for privacy is to have it “disabled”. Why? Well the online world and the information age is all about sharing information, and these days many companies are making money out of this information sharing. So in today’s information world it is very much up to the individual to ensure their personal privacy is being protected, yet this in itself can be a real trauma, even banks don’t play ball, don’t believe me? Then close your bank account and try ensuring the bank removes all of your personal details from their systems, here's a tip, use the Freedom of Information Act to check what they are still holding about you post closure. And have you ever tried permanently removing your profile from social networking sites like Facebook?

Going back to the BBC Newsreader question, let’s take “going ex-directory” with British Telecom, which basically means BT will remove your name, address and phone number from the publicly printed and distributed phone book, as well as from their online phone book, called “The Phone Book”. Is there any information within BT’s “The Phone Book” web site or even within the BT web site’s privacy statement about how a member of the public can de-list their private details? No! Even if you search the main BT website for the terms “ex-directory” or “x-directory”, no results are returned. To go ex-directory you have to phone BT through their general enquiry number, and then specifically ask to go ex-directory. Could it be that it is not in BT’s interest to encourage private citizens to ensure their private details aren’t placed in the public domain, because BT make so much money out of the advertising on their phone book web site and within the publicly printed edition, which is circulated nationwide? Yet it is generally accepted that unless you ask to opt out, your name, address and phone number will be in there. Make no mistake, the BT Phone Book is one of a number of “free” online tools which UK and overseas identity thieves make use of today.

It’s not just private companies that are at fault either; take the UK government, who are responsible for managing the country’s electoral roll. Again the individual has to tick the box to ensure their full personal details aren’t placed online. These details include not only your name and full home address, but your children’s names as well, and all are placed into a publicly accessible and unmonitored database, which is fully searchable online from anywhere on the planet, and is even printed and stored at your local library. Ever wondered where those marketing mail shots and Indian cold calls in the middle of the night are obtaining your details from? The online electoral roll, yet another popular “free” tool used by identity thieves. Just in case you forgot or missed that tick box, I’ll provide full details on how to opt out at the bottom of this post. But even if you do tick that “privacy” box, guess what, your personal details can still be easily found online for just a small fee.

Then there are the social networking web sites, most of which have privacy switched off by default when you sign up; well, that's how they make their money, by exploiting personal information to direct marketing advertisements. Still too many users don't realise the information they are sharing with the world and with marketing groups. Shouldn't they be protected from themselves by setting privacy on by default? Hell, even Xbox Live has privacy settings now, again switched off by default.

The lack of privacy of personal information makes life so much easier for identity thieves and fraudsters. Let's say you dropped your bank debit card in the street, which often holds your bank account number and sort code as well as your name. A bad guy finds your card in a street in “X Town”; he can search the “X Town” electoral roll using your name as a guide, from which he can gain your full address and phone number. Then just a few more clicks away the bad guy can build up a frightening profile on you, all based on information which is relatively easy to find. We are talking information like your mother’s maiden name, your date of birth, the place of your birth and even the schools you attended as a child. Why is this sort of information important? Well think about the typical security questions you are asked when accessing sensitive accounts or resetting passwords: ”Can you confirm the first line of your address?”…”What’s your post code?”….”What’s the first school you attended?”…”What’s your place of birth?”…”What’s your mother’s maiden name?”…”What’s your date of birth?”…and it’s amazing how many people use their children’s names as a verbal password! Another even more sinister side of the coin is that this information is enough to steal your identity, and to go on to obtain all sorts of credit and products in your name.

What’s worse, you don’t need to be a hacker or some kind of fraud expert; it only takes a few minutes, as all this information can be effortlessly gained from the Internet. Furthermore, once you have a profile, it’s very easy to obtain fake yet genuine-looking documentation to back up the identity theft, from gas bills to fake driving licences complete with a picture, even passports and national insurance numbers; all can be purchased online. (Before anyone asks, I’m not going to post how, or any links.) So it is small wonder identity theft is the UK’s fastest growing crime.

So that’s the problem. The answer is to secure all private information, but it’s too late; the horse has well and truly bolted, so privacy is indeed very dead. But surely more can be done, so how about trying to turn the tide? It’s down to the Information Commissioner and the UK Government to tighten up in this area and perhaps pass a few laws and actually crack down. Never mind complaining about the private sector; UK government departments should focus on getting their own house in order first, starting with properly protecting the electoral roll information. Another such issue I haven't mentioned yet is that it is fairly easy to "con" a full list of an area's electoral roll through the proper channels; probably best not to elaborate too much on that one.

What can we do now, apart from whinge at the powers that be? Well, there are some good services out there which can help reduce your "privacy footprint". These include the Mail Preference Service (MPS) to stop junk mail (mail shots) and the TPS (Telephone Preference Service). I have several friends who use both these services; give them a month or two to kick in and they will reduce the amount of junk mail and cold calls. However, in recent months I've noticed an increasing trend in the number of international (usually of Indian origin) cold calls despite the TPS service.

To remove your records from all direct marketing databases and prevent companies sending unwanted mail or making unwanted telephone calls to you, you can register with the MPS (Mail Preference Service) and TPS (Telephone Preference Service) databases, which are maintained by the DMA.

Once registered it is an offence for a company to contact you unsolicited (with a fine of £5,000).

Mailing Preference Service (MPS)

Mailing Preference Service (MPS)
DMA House
70 Margaret Street

MPS Registration line: 0845 703 4599 Tel: 020 7291 3310 Fax: 020 7323 4226
Licence Department: 020 7291 3327
Complaints Department: 020 7291 3321

Telephone Preference Service (TPS)

Telephone Preference Service (TPS)
DMA House
70 Margaret Street
London W1W 8SS

TPS Registration line : 0845 070 0707 Tel: 020 7291 3320 Fax: 020 7323 4226
Licence Department: 020 7291 3326
Complaints Department: 020 7291 3323

Removal from the online electoral roll
Download a CO1 form, or write by post, and request removal of your details:

The CO1 Requests Administrator
I-CD Publishing (UK) Limited
8-10 Quayside Lodge

By fax: 0906 34 34 192 (calls cost £1.50/ min)

Monday 12 May 2008

Web Application Security: AppScan Tutorial

Recently I was approached to write a security tutorial for the IBM developerWorks website, specifically about IBM Rational AppScan. AppScan is the leading commercial web application (and infrastructure) vulnerability scanning tool, which IBM acquired from WatchFire last year. I ended up writing a fairly lengthy tutorial, 7000 words plus, which goes some way to explaining why my blog entries have been relatively sparse in recent weeks.

The tutorial, called “Create secure Java applications productively, Part 2”, has been uploaded to the IBM developerWorks website.

Or you may download a copy directly from here: r-appscan2-pdf.pdf

The tutorial follows on from an initial tutorial, which involved the creation of an Internet-facing Java web application using IBM Rational Application Developer and Data Studio. To briefly sum up my tutorial: it covers a web application security overview, how to install AppScan, how to configure a scan, interpreting the scan results, fixing web vulnerabilities and producing reports.

The importance of using a tool like AppScan to test and check web applications becomes clear when you consider the increasing number of attacks and actual data breaches occurring at the web application layer, as opposed to the traditional attacks at the network layer. For instance, today I find most people I speak with have now heard of web application vulnerability terms like Cross Site Scripting (XSS) and SQL Injection attacks, as opposed to the situation a couple of years back, yet still these sorts of issues aren't being tested for or resolved by web app developers.

In recent times there has been an explosion of web applications (yes, the so-called Web 2.0 - go on, I said it!), with many organisations taking advantage of writing web applications not only to save a bundle on development cost, but so their applications can be placed on the Internet to meet an increased demand for sharing and accessing information.

If you are producing an Internet based web application which processes or holds sensitive information, you have a duty of care to ensure your web application is properly tested against as many security vulnerabilities as possible during the development cycle. Although a product like AppScan can never guarantee 100% security (BTW nothing can!), in my view it can significantly reduce the number of web application vulnerabilities within the final web application code and thus reduce the risk of the web application and its information being exploited.

If you are interested in web application security, read the first section of the tutorial or visit websites such as or

Thursday 24 April 2008

The Day I met Bruce Schneier at InfoSecurity Europe ‘08

No matter the profession or walk of life we are in, we all have our heroes and mentors; for some it is the likes of Einstein, Winston Churchill, Lance Armstrong, Tiger Woods or Richard Branson, for others it’s Elvis or Amy Winehouse. For me it’s Bruce Schneier, who first made a name for himself as a predominant cryptography expert in the 1960s and in recent times has evolved into a fresh and forward-thinking security guru. Sure, this proves that I’m a geek, but those who have ever read any of Schneier’s recent books or blog entries, or heard him speak, will understand where I’m coming from.

I can’t say I agree with absolutely everything Bruce says, but what grabs me is his unique approach, perspective and understanding of security and the information security industry. Bruce takes a large step back, then cuts out all the politics, security company marketing and associated sales hype, at which point you are left with the bare bones and the questions about what security is really supposed to be about. That is: what do you want to protect, what are the risks, how will the security solution mitigate those risks, what risks does the security solution introduce, and finally what are the costs, inconvenience and trade-offs of the security solution that mitigates the original risk.

As a security professional you have to be careful not to fall into the trap of tunnel vision in chasing perfect security and zero risk, because there is simply no such thing as perfect security and zero risk! The other side of this coin is to ensure the security is appropriate for the risk, making sure the security cost and trade-offs are viable against mitigating the actual risk of attack. Let me take a “real world” UK example; I’m sure someone might have raised this one already. In order to reduce the risk of another London Underground bombing, we could impose a security countermeasure of searching all passengers and their bags prior to them entering the system, like we do at airports. It might reduce the risk of attack, but when thinking about the trade-offs, which are huge passenger inconvenience and high costs in employing extra staff to carry out all the searches, does this make it a worthwhile security solution in relation to the risk? The rational answer is clearly no, as it’s just not viable, and so we continue to accept this risk of terrorist attack. OK, let’s say we went with that security solution; at the end of the day there would still be a risk of terrorist attack on the London Underground, and the only real way to completely mitigate that is to completely shut down the underground system!
With business IT security the same approach should apply. Sure, there are areas of law and industry compliance which must always be followed, but when dealing with security problems outside these areas I always try to emulate that great Schneier vision: take that step back, making sure the business trade-offs and costs are balanced against the attack risk. It’s not always that easy; the real difficulty is in quantifying the elements, especially the attack risk. Fortunately for me, I utilise some of my own methods and practices, which I have built up over the years, to mitigate typical business risks while causing minimal security trade-offs and cost.

Anyway, yesterday I attended InfoSecurity Europe, and I was chuffed to pieces, as not only did I get to listen to Bruce Schneier talk about the security industry, but I got to briefly meet him and I got a signed copy of his latest book, Beyond Fear. It is a must-read not only for security professionals, but for anyone in general who wants to understand what security is about without knowing any of the technical jargon. I also recommend signing up to the Crypto-Gram Newsletter run by Bruce at

After the doors shut at InfoSecurity, (ISC)2 EMEA held an event which I attended. From my perspective as a CISSP member, I have to say EMEA (ISC)2 is progressing well under the leadership of John Colley; the event itself is evidence of this. Amongst the (ISC)2 bigwigs at this event was former White House Cyber Security Advisor and (ISC)2 Security Strategist Prof. Howard A. Schmidt, who was also a keynote speaker at InfoSecurity Europe, again another guy I could listen to all day.

Finally, I met several guys from the UK Chapter of ISSA (Information Systems Security Association); I promised that I would sign up and get involved after learning that they were planning more events in northern England.

Tuesday 25 March 2008

Xbox Live Security Q&A

Online gaming is booming at the moment, and judging by the types and number of security related questions I am asked by online gamers, I think there may well be some issues to be raised and addressed. On the face of it, gamers’ accounts hold personal information, and often their payment details, such as bank or credit card details. And then there’s the odd mythical online object, which actually can have a real value in the real world, so the stakes are high enough for concern.

In this post I’ll focus on Microsoft’s Xbox Live service, I’ll deal with World of Warcraft security issues another time, believe me that could be an even longer post than this one. So I am often asked about the security of the Xbox 360 console and the Xbox Live (XBL) service. Typically whether XBL accounts and Gamertags can be hacked, what the privacy issues are, and one of the most common concerns involves the management of payment card details, especially when it comes to users trying to remove their payment card details held within their Xbox Live account.

Before I go into answering some of the questions posed, let me make it clear: I do not work for Microsoft nor do I have any inside knowledge about Xbox Live.
Q. “Are my credit card details stored on the Xbox 360 console?” - The answer is no; credit card details aren’t held on the Xbox 360 hard disk nor on the memory card, they are actually held on the backend Microsoft Xbox Live servers. The proof of this is that you simply cannot access your Xbox Live account management screen without your console being signed into the Xbox Live service, let alone manage your account payment card options.

Q. “I’ve sold my Xbox 360…”, “I’ve had my 360 stolen…”, “I’ve changed my credit card…”, “…How do I remove my credit card details from my Xbox Live account?” – You cannot remove any credit card details associated with your Xbox Live account through the console account management, or by signing into your XBL account management on, and in my view this is an utter disgrace, but more on that later. The only method by which you can remove your payment card details is to phone Microsoft support, prove who you are (ironically, probably by reading out your payment card details), and then wait up to 30 days!!!

Q. “What can happen if someone were to take over my Xbox Live account?” “I’ve had my Xbox 360 stolen, and I had set up my credit card details to pay for my monthly subscription, so can they steal my card details as well?” - First let me provide an assurance over the credit card theft question, should your XBL account or Xbox 360 itself be stolen. Within the Xbox Live account management, your credit cards are displayed in a “Payment Card Industry” compliant manner, in that only the last four digits of the card number (aka the PAN) are ever displayed; there is no way of accessing the full number from the system, therefore your saved payment card information cannot be stolen and used elsewhere. However, it is possible to spend against your credit card by purchasing Microsoft Points (XBL currency) and purchasing subscriptions to the Xbox Live service, so it is certainly an important aspect to be aware of, and I certainly recommend you ensure your payment card details are removed should your circumstances dictate. Remember, the only way to remove those card details is to phone Microsoft Xbox 360 Support, prove who you are and then wait.
Up to 30 Days to Remove Your Credit Card Details from Xbox Live!
On that note, you can add full credit card details, in fact as many credit cards as you like, either via the 360 console or through, so I do not see any security reason why Microsoft prevents users from removing “their own” credit cards using the same method. I have used many e-commerce websites which retained my payment card details within an online account; every one of those online account management systems allowed me, the end user, to remove my payment card details at will, directly, without the need to phone support.
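As an added illustration of what the “PCI compliant” display described above means in practice, here is a small Python model (written for this post; not Microsoft's code, and the record layout, function names and the self-service removal are assumptions): the full card number lives only in the backend record, every view handed to the console or web page carries just the last four digits, and, going slightly beyond the post, new numbers are Luhn-checked before being stored.

```python
"""PAN masking for an account-management view (added example, assumed design).

The assumed backend keeps the full card number server-side; whatever is
serialised for a client (console or website) exposes only the last four digits.
"""
from dataclasses import dataclass, field
import re

PAN_RE = re.compile(r"^\d{13,19}$")  # payment card numbers are 13-19 digits


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by payment cards; rejects mistyped numbers on input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: everything but the last four digits hidden."""
    digits = pan.replace(" ", "")
    if not PAN_RE.match(digits):
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class StoredCard:
    """Server-side record (assumed layout); never handed to a client as-is."""
    pan: str
    expiry: str


@dataclass
class Account:
    gamertag: str
    cards: list = field(default_factory=list)

    def add_card(self, pan: str, expiry: str) -> None:
        digits = pan.replace(" ", "")
        if not PAN_RE.match(digits) or not luhn_ok(digits):
            raise ValueError("invalid card number")
        self.cards.append(StoredCard(digits, expiry))

    def client_view(self) -> dict:
        """What the console or web page receives: masked numbers only."""
        return {
            "gamertag": self.gamertag,
            "cards": [{"display": mask_pan(c.pan), "expiry": c.expiry}
                      for c in self.cards],
        }

    def remove_card(self, last4: str) -> int:
        """Self-service removal keyed on the visible last four digits (the
        control the post asks for); returns how many records were dropped."""
        before = len(self.cards)
        self.cards = [c for c in self.cards if not c.pan.endswith(last4)]
        return before - len(self.cards)
```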

Q. “I've read reports about Xbox 360 accounts being hacked and stolen”, “I’ve been threatened with being hacked a couple of times while playing online; can my account be hacked?” - I read the same reports as well; recently there was one about celebrity Xbox Live accounts being hacked and taken over.

I think "hacked" is probably the wrong term, as it would appear the attackers are probably just social engineering the Xbox Live support staff, perhaps using a bit of "Google hacking" to build up a profile in order to impersonate the original account holder and have the target XBL account password reset. Unfortunately, if you are famous your address and date of birth etc. are fairly easy to obtain; in fact there have been many cases of famous people being victims of identity theft. However, I’m sure (hope) Microsoft will have tightened up their helpdesk security procedures, specifically where account holders need to prove their identity over the phone. Tightening of security processes tends to occur following high-profile data breaches in similar circumstances, apart from within government departments of course.

The bad guys could also target the Xbox account holder directly and social engineer their password and account details. One such method would be to use a phishing Email, “This is Xbox Live Security - please confirm your XBL password…”, or perhaps even using Microsoft Passport to lure that id and password out of the target, as most 360 users link their Windows Live Messenger account to their XBL id.

Either way, I don’t think Xbox Live accounts are being hacked in the traditional sense of the word; however, if anyone knows different, I’d be very interested to hear about it.

Q. “Is it true I can get banned from Xbox Live if I "chip" my Xbox 360 to play “backed up” copies of games?” - Yes it’s true, chip your 360 and go online and you can expect to see the following message...
Q. "Is there a security reason why Xbox Live doesn't have a web browser?" - Yes, I believe security is the reason Xbox Live doesn't have any web browsing capabilities, as Xbox Live is a fairly closed network from the Internet. Having a web browser leads to the possibility of malware being installed on the Xbox 360 (which is basically a PC!), account details being phished/stolen, even Xbox viruses, etc. Having said that, I wouldn't be overly surprised to see a web browser being released in the future, as competitor game consoles seem to be offering them.
Microsoft are making moves to open the service up more, as I think there is an agenda to make Xbox Live more like the social networking sites. At the end of the day, most gamers don't care too much about where the service is going or about web browsing capability, as long as all the extra interface software and other extras don't slow down their overall online gaming experience. As an online gaming platform, Xbox Live is second to none at the moment, and this is now its main advantage in its marketplace, so let's hope they steer well clear of messing it up too much; you know what I always say: if it works, don't try to fix it!

Q. “How come everyone can see my friends list? That’s an invasion of my privacy” – You are right; following a recent update to Xbox Live, the system by default now allows all XBL users to view your friends list, which concerns some people. You can disable this functionality and address other XBL privacy issues by editing the privacy settings either through the console or on the Xbox website. For instance, you can set it so only your friends can see your friends list, or no one at all.

It really bugs me that Microsoft are employing the same old social networking website tactic of leaving privacy switched off by default, which is concerning as Xbox Live is going down the road of social networking more and more. In my view privacy settings must always be fully enabled by default, so the user takes full ownership of disabling privacy settings and therefore acknowledges the settings and is ultimately responsible for any consequences that follow.