Wednesday, 29 August 2012

World of Warcraft: Does the Internet have controllable Borders?

World of Warcraft is an online game played by millions of players around the globe since Blizzard launched it in 2004. All you need is a computer, an internet connection and a subscription, and you can play in a fantasy virtual world alongside hundreds of other players at the same time. This game is fun and highly social, but very addictive, with typical players logging hundreds of hours of play over a span of years. Players regard their online accounts and characters as very 'precious' due to the number of hours spent building character skills and abilities, and the time spent acquiring in-game items.
Last week (22nd Aug 2012) Iranian players started to complain on a Blizzard forum that they couldn't access the World of Warcraft servers, unless they went through a proxy server outside of their country. After many more complaints from Iranian players and after several days had passed, Blizzard explained they had to take action to block all Iranian World of Warcraft players due to the US's economic sanctions against the country.

What we can tell you is that United States trade restrictions and economic sanction laws prohibit Blizzard from doing business with residents of certain nations, including Iran. Several of you have seen and cited the text in the Terms of Use which relates to these government-imposed sanctions. This week, Blizzard tightened up its procedures to ensure compliance with these laws, and players connecting from the affected nations are restricted from access to Blizzard games and services. - Blizzard

Another report claims that the Iranian government may have had Warcraft blocked due to its promotion of "superstition and mythology"; either way a lot of Iranian players were peeved.

What does this ban tell us?
Attempting to impose physical world rules on the Internet, which is a virtual world, is always doomed to failure. Iranian World of Warcraft gamers are still playing World of Warcraft today despite this ban; the first player making the complaint on the forum managed to circumvent the block on Iranian access to the World of Warcraft game servers by reaching the servers via an Internet proxy server.
In the world of information security, we operate increasingly in the virtual rather than the physical, more so as outsourcing to the cloud comes to the fore. You may have your server surrounded by waves of attack dogs and under 50 feet of steel-reinforced concrete within a bunker, but interconnectivity to the server brings it and its data into the virtual world, where different thinking about threats and different countermeasures are required.

Thursday, 23 August 2012

RSA Conference Europe 2012 Keynote Line-up

The Premier League Champions of Information Security Conferences, RSA Conference Europe 2012, is less than two months away. The keynote line-up has been confirmed and it is looking finger licking good, with an Advanced Persistent Threat (APT) flavour to it.
  • Jimmy Donal Wales, Founder of Wikipedia
  • Art. Coviello (RSA) Intelligence-Driven Security: The New Model
  • Francis deSouza (Symantec) The Art of Cyber War: Know Thy Enemy, Know Thyself
  • Adrienne Hall (Microsoft) Risks and Rewards in Cloud Adoption
  • Herbert 'Hugh' Thompson Securing the Human: Our Industry’s Greatest Challenge
  • Philippe Courtot (Qualys) Big Data: Big Threat or Big Opportunity for Security?
  • Bruce Schneier (BT) Trust, Security, and Society
  • Joshua Corman "Are We Getting Better?" Why We Don't Know. What We Can Do About It.
  • Misha Glenny The Struggle for Control of the Internet
I always recommend information security professionals, whether new to the profession or industry veterans, attend the #RSA conference. Unlike the majority of security conferences it is not sales focused but educationally focused, so the conference is crammed with countless sessions presented by the best speakers, which instil new security thinking and knowledge. The RSA conference is not just a fantastic educational opportunity; its friendly atmosphere provides the ideal platform to network with peers and world experts, so you can really find out what's happening behind the scenes in the industry, which can be a real eye opener.

Me at RSA Conference Europe 2008

I have presented and attended the RSA Conference Europe for many years and plan to be there this year.  If you are attending and want to talk security over a beer or two, and meet a few of the individuals on the above list, just tweet me @securityexpert during the conference week (9th to 11th October 2012). 

Wednesday, 22 August 2012

Security is a Contraceptive, but Ribbed!

During a recent conference presentation, I heard a speaker proclaim 'IT Security is a Contraceptive, it does nothing to improve performance', much to the amusement of the audience.

I completely disagree with that statement and regard it as an uninformed viewpoint held by those who generally do IT and IT Security poorly, as in my experience I have seen how good IT security practices can have many positive effects on business performance.
Consider one part of the holy information security trinity (the CIA Triad), "availability", which is all about "business availability" and is tied to business performance. When it comes to availability, security measures are very much part of the performance equation: the threat of malware and denial of service attacks should be assessed alongside the threat of power outages and hardware failure. For example, a business-critical web service which has not been built with the capacity to withstand denial of service attacks can cause business performance problems much worse than any random IT hardware failure or freak weather incident.

I have witnessed on countless occasions business IT departments reluctantly introduce 'Change Control' over critical IT infrastructure to meet information security regulation. Every time this resulted in a major improvement in the stability of the IT infrastructure; previously the business had just accepted it was normal practice for IT infrastructure to be unreliable, like British trains. This IT stabilisation led to improved overall business performance, efficiency gains and ultimately more profits.

But the final business benefit to performance is completely invisible; it is very hard to measure and can be near impossible to demonstrate to board members. That benefit is the avoidance of data breaches. A data breach can have a serious negative impact on business performance, with breach investigations and remediation actions hitting hard on human resources across the business, especially within management. Breaches hit the margins too, incurring many short-term costs that hurt business budgets and projects, from large fines to drops in share price, contract cancellations and contract penalties, and the loss of new business due to reputational damage.

So IT Security may well be a Contraceptive, but remember it is ribbed to increase performance.

Friday, 17 August 2012

The Hotel with Assumed Security

It is fair to say most people will automatically place a certain amount of trust in a hotel they have never visited before, especially those hotels with a decent star rating. Sure, you might read a few reviews on the internet about the quality of the services and the standard of the facilities at the hotel, but you wouldn't have the hotel complete a self-completed questionnaire before you booked. The type of security a hotel has is rarely considered by guests; instead most would blindly trust that the hotel provides adequate security which protects their possessions, and themselves. Yet assuming that someone else's values will be the same as yours is dangerously complacent. Think about how a hotel's physical security measures up to your home security, and now consider the additional threats staying at a hotel has compared to your home.

This week I checked into a Best Western Hotel in the North East of England. The receptionist duly handed me a room key and I went up to my designated room on the third floor, opened the door and saw someone else's stuff scattered across the hotel room. It was then that it dawned on me that I had misheard my room number due to the thick local accent of the receptionist, so I shut the door and used the same room key to open the correct room door just down the corridor. But how come my room key opened another person's hotel room door?

I inspected the key and my room's door lock; you didn't have to be a master locksmith to see they were very poor and outdated (see pics). So I called the hotel management, who initially had their doubts, that is until I used my room key to instantly open half a dozen other hotel room doors, including rooms on different floors of the hotel.
My Room Key

Could I have been given a master key in error? Well, I quickly dispelled this thought when I encountered a colleague who had just checked in: I grabbed his key and used it to open a bunch more hotel room doors!

I'm a 'White Hat' kind of person, so as well as informing the local management of the hotel, I informed the management at the hotel chain about this serious security issue. Just imagine what a bad guy could have stolen if he figured it out. Certainly very concerning for ladies staying alone at such a hotel.

The lesson here is that implicitly trusting third parties and making security assumptions about them is a dangerous game to play. The reason why a hotel doesn't match up to your home security is because the hotel does not share the same values as you. In business the same applies to the third parties you trust to process and store your data. The problem with the hotel room locks will have been there for years; the hotel staff and management may well have known about the problem, or at least understood the locks were substandard and needed replacing, yet they have done nothing to resolve it, as it is not their possessions and persons at risk.

Video: Opening my Hotel Room Door with another Room key

I have written to both the local hotel manager and the hotel chain director about this issue; they have both acknowledged the issue and stated they urgently intend to resolve it, however at the time of this posting the door locks have not been replaced.

Monday, 13 August 2012

Olympic Games Security has lessons for Airport Security

The London 2012 Olympic Games were a tremendous success. I know I thoroughly enjoyed the games, and as a Brit I was extremely impressed, moved and inspired by the performances of Team GB, and by how well the games were organised.

Not being jingoistic, but what a Fantastic Olympic Games

I was fortunate enough to attend a few London 2012 events, and I can report from the spectator's point of view that the security checks were pretty much on par with what you would expect from passing through airport security, except that the staff asking you to remove belts and place loose change into clear plastic bags before being walked through metal detectors and searched were way, way friendlier and more civil.

Thorough Security with Tiny Queues & Friendly Service

Such was the organisation and capacity of the security check points that I witnessed no queues, despite tens of thousands of fans passing through at a similar time. There are definitely lessons here for airport security. Why is it that paying passengers at airports are treated like prisoners by security staff and security processes? The Olympic security checks prove it doesn't have to, and shouldn't, be that way.

Plan B!

Thursday, 9 August 2012

Cyber-warfare rumbles on with Gauss

Hot on the heels of Stuxnet, Duqu and Flame comes another highly sophisticated "nation state" sponsored malware dubbed "Gauss". Analysts at Kaspersky Labs reverse-engineering Gauss are saying it shares many elements of the same source code as the Stuxnet worm and Flame, and have therefore concluded it could only have been made by the same people; given this new malware's specific purpose, that underlines the link to another state sponsored cyber attack within the Middle East.

I posted who was behind Flame in flame-culprit-fingered, no doubt it's the same folk behind Gauss.

At present Gauss is specifically targeting financial users in Lebanon, stealing web browser history, browser passwords and host system configuration details. However the main purpose of Gauss appears to be stealing account credentials for specific Lebanese online banks, and for PayPal and CitiBank, probably to monitor and collect details of financial transactions rather than to steal money like traditional criminally focused malware. Like Flame, Gauss is very stealthy in nature and has the ability to delete itself once the malware has completed its apparent reconnaissance task.

For more info on Gauss visit

Wednesday, 8 August 2012

94.5% of Business Overlook Third Party Data Security

Egress, specialists in data security who have their very own email and data encryption software, surveyed businesses about data security and have provided the following snapshot of their survey results to share on this blog.
You need to Love yourself before you can Love Others
This survey echoes the same old information security issues: businesses do not fully grasp and value the confidential information which they process and store. This leads to a lack of expertise, capability and will to protect such data adequately within the business. It is not surprising then to learn that such businesses blindly trust the third parties with which they share their most important data to protect that data sufficiently. They say you need to love yourself before you can love others; the same applies to information security and to assuring that third parties protect business data properly.

Monday, 6 August 2012

Mars Curiosity Communication Security

Curiosity successfully landed on Mars today, an amazing feat of engineering. Many congratulations to all the engineers and scientists involved at NASA for what could prove to be one of the most ground breaking space missions in human history.

Curiosity is the latest, biggest and most sophisticated NASA rover to make it to the red planet, and like its predecessors it is controlled from the Jet Propulsion Laboratory (JPL) in California. NASA JPL sends instructions to and receives communications from the Curiosity Rover either directly using X band (radio waves), or by relaying communication through one of the two spacecraft in orbit around Mars, the Mars Reconnaissance Orbiter and the Odyssey Orbiter, using UHF Electra-Lite. NASA JPL uses the Deep Space Network (DSN), a series of large antenna dishes across the Earth, to send and receive these communications directly with Curiosity and with the two spacecraft in Martian orbit.

The availability of the communication channel to the Curiosity Rover is critical to the £1.6 billion mission, hence the resilience built into the communication channels.
Curiosity on Mars; its wheels & shadow, & Sharp Mountain
Data Rates
The data rate directly from Earth to Curiosity ranges between 500bps and 32kbps; remember the very early days of connecting to the Internet with a telephone modem? The data rate relayed via the Mars Reconnaissance Orbiter can be as high as 2Mbps, basic broadband speed. The data rate to the Odyssey orbiter is between 128kbps and 259kbps; think ISDN for this one. However there will be considerable and changing latency (lag) given the distance between Earth and Mars, which are both in motion.

Encrypted Comms? Not likely
Well, I don't know whether the communications to the Curiosity rover are encrypted or not, and I'm trying to find out. But I very much doubt the communications would be encrypted, given 'availability' to communicate with the rover is much more critical than any risks from potential threats to the communication's confidentiality. Encrypting communications presents an increased risk to the rover's communications availability: should something go wrong with the rover comms, the encryption could be a mission killer. As for threats to confidentiality: firstly, nothing secret is being sent (so they tell us), and it's not as though hackers seeking to take control would have access to arrays of the largest communications antennas on earth, nor is it likely other nation states with the capability would have any motive to disrupt the mission. So NASA would have got their risk assessment right if encryption wasn't used, in my view.

If any science boffins would like to shed more light on Curiosity communications and their security, please post a comment; I would be interested to learn more.

Sunday, 5 August 2012

Implicit Trust of The Cloud & Third Parties

I find 'Implicit trust' fascinating to observe, equally within business information security and within society. 'Implicit trust' can be defined as having no doubts or reservations, being unquestioning. For example most people implicitly trust their doctor, just because the doctor wears a white coat, exudes authority and has 'Dr' in front of their name. No one ever asks the doctor to validate their medical credentials. Perhaps we should.
Implicit trust can be lost and gained. A decade ago most people would implicitly trust bankers; having someone from the banking profession witness legal documents and sign passport applications was seen as having a highly regarded and credible witness within society. Not so these days, and we all know why.

The police are another profession with very interesting polarisations to observe, implicitly trusted by some and implicitly distrusted by others.
Then there is the paradox of politicians: nearly everyone distrusts politicians while at the same time trusting them to run the country.
In the world of information security, a business which implicitly trusts third parties with its information displays a hallmark of either complacency or a lack of the ability or expertise to properly vet and question. Trust must not be given implicitly but must be earned, based on prior vetting and on building a trusted relationship through experience. Just because your cloud service provider wears the doctor's white coat of Amazon, Google or Microsoft does not mean they should be implicitly trusted with your business's information and critical IT services.

Saturday, 4 August 2012

UK InfoSec Overview for July 2012

Microsoft patched two critical remote code execution vulnerabilities in Internet Explorer

Yahoo investigating exposure of 400,000 passwords
  • Hacking Group D33DS are said to be behind the attack.
  • Hacking groups continue to target big business websites; this attack demonstrates that even hi-tech companies which have a high focus on IT security can be vulnerable to major data thefts.
Patient Data incorrectly placed on Facebook by Northern Ireland’s Health Trusts.
  • Serious lapses in data protection and confidentiality procedures saw highly sensitive information lost, disclosed to the wrong people and even published on the internet.
  • In one alarming case a client’s referral details were revealed on Facebook after a staff member dialled the wrong number and left a message on an answering machine. It was among almost 100 serious data breaches reported by the region’s five health trusts in recent years.
Anti-Phishing Working Group (APWG) reports for the first quarter of 2012:

  • 56,859 unique phishing sites were detected in February, while between 25,000 and 30,000 unique phishing email campaigns are detected each month.
  • There have been a number of major data compromises due to phishing attacks, most notably the RSA data breach of last year.
Hacking Group Anonymous steals 40GB user data from ISP in Australia and brings down 10 Australian government websites
  • Despite a number of arrests, Anonymous remains very active
Two researchers demonstrated how they were able to push a malicious information-stealing app onto Google Play, even while Google's Bouncer custom malware scanner was watching

Tesco has come under fire for emailing users' passwords in plain text
  • Tesco received considerable negative publicity for not protecting their users’ passwords adequately and in line with best practices. Passwords must never be emailed in plain text!
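The only way a site can email a password back is if it still holds that password in readable form. The example below is added here to illustrate the practice the Tesco item calls for; it is not Tesco's code or this blog's own code. It stores passwords only as salted, slow PBKDF2 hashes, so a plain-text copy does not exist to be emailed, and it handles "forgotten password" with a short-lived, single-use reset token of which the server keeps only a hash. The iteration count, the 15-minute token lifetime and the in-memory store are assumptions chosen for the example, not anything the page states.

```python
"""Added example: password storage that makes emailing a password impossible.

Not Tesco's or the blog's code. Constructed around Python's standard
library only (hashlib, hmac, secrets) so it runs offline.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000     # assumption: a deliberately slow work factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60     # assumption: reset links stay valid for 15 minutes


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'; the password itself is not kept."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """Constructed in-memory user store; a real site would back this with a database."""

    def __init__(self):
        self._users = {}

    def register(self, email, password):
        self._users[email] = {"pw": hash_password(password), "reset": None}

    def login(self, email, password):
        user = self._users.get(email)
        # Hash even for unknown emails so response time does not reveal which accounts exist.
        stored = user["pw"] if user else hash_password("dummy")
        return verify_password(password, stored) and user is not None

    def request_reset(self, email, now=None):
        """Return the single-use token that goes into the reset email, or None for unknown users.

        Only a SHA-256 of the token is kept server-side, so a leaked database
        does not hand out live reset links either.
        """
        user = self._users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        user["reset"] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": (now or time.time()) + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, email, token, new_password, now=None):
        """Consume the pending token (success or not) and, if valid and unexpired, set a new hash."""
        user = self._users.get(email)
        if user is None or user["reset"] is None:
            return False
        pending = user["reset"]
        user["reset"] = None
        if (now or time.time()) > pending["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, pending["hash"]):
            return False
        user["pw"] = hash_password(new_password)
        return True

    def stored_record(self, email):
        """Everything the server holds for a user: a hash and maybe a token hash, never a password."""
        return dict(self._users[email])


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")   # constructed sample user
    print("stored record:", store.stored_record("alice@example.com"))
    token = store.request_reset("alice@example.com")
    print("what the reset email carries:", token)
    print("reset accepted:", store.complete_reset("alice@example.com", token, "new passphrase"))
```

The record printed for the user contains a salt and a hash but no password, which is the property that rules out a "here is your password" email by construction; the reset email carries a token that is worthless after one use or after the TTL, and a copy of the database does not contain it.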

Friday, 3 August 2012

UK Data Protection Overview for July 2012

ICO imposed a civil monetary penalty (CMP) of £150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers’ details.
  • WFSL’s Shopacheck business lost two backup tapes.
  • The backup tapes contained the names, addresses, dates of birth, loan accounts and telephone numbers of approximately 510,000 of their customers in November 2011. The backup tapes also held personal information of 20,000 current and former employees of WFSL, and 8,000 agents. The backup tapes have not been recovered to date.
  • The lost backup tapes were not encrypted
  • The ICO deemed WFSL to have broken the 7th principle of the Data Protection Act.
  • Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data
  • The ICO stated the data controller did not follow their own Information Security Policies.
  • Significant impact on reputation of the data controller (WFSL) as a result of this security breach which was publicised in national press.
The ICO issued a penalty of £60,000 to St George’s Healthcare NHS Trust in London after a vulnerable individual’s sensitive medical details were sent to the wrong address.
  • Two letters were sent to the correct recipient but at an old address in May 2011; the address was a property where the recipient hadn’t lived for over 5 years.
  • The ICO’s investigation found that the individual’s current address had been provided to the trust’s staff before the medical examination took place. Additionally the correct address had been logged on the national care records service, known as NHS SPINE, in June 2006. The mistake was made after the Trust’s staff failed to use the address supplied before the examination, or to check that the individual’s recorded address on their local patient database matched the data on the SPINE. The Trust had set up a prompt to remind staff about the need to check and update patient information against SPINE; however the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late.
  • The ICO deemed the NHS to have broken the 7th principle of the Data Protection Act.
  • Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data. There can be significant reputational impact for a data controller as a result of these security breaches. 
The ICO ordered Southampton City Council to stop the mandatory recording of passengers’ and drivers’ conversations in the city’s taxis.
  • Since August 2009, the council has required all taxis and private hire vehicles to install CCTV equipment to constantly record images and the conversations of both drivers and passengers.
  • The ICO has ruled the council’s policy breaches the Data Protection Act, concluding that the recording of all conversations is disproportionate given the very low number of incidents occurring compared to the number of trouble free taxi journeys. An enforcement notice has been issued to the council who now have until 1 November to comply
The ICO publicly warned Google following its disclosure that it had not deleted personal data collected via “Google Street View”.
“The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern”

Thursday, 2 August 2012

Burgas Airport Bombing, CCTV does not React

I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later. Burgas Airport is the smallest of passenger airports, is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holidaymakers, myself included.

At the entrance to the terminal and within the airport, a Security Notice sign caught my eye and bothered me as I waited to check in.

It said "This Area is Protected by Video Surveillance". Now CCTV can act as a deterrent and is particularly useful for the purpose of recording events and working out the causes of incidents. But even with a team of operators vigilantly watching the CCTV screens in real time, I just don't see how this CCTV would "protect the area" I was entering, as within this crowded space everyone had large bags and many had hats and sunglasses concealing their identity as well. To reassure myself I concluded the words on the sign had got lost in translation, as it is EU law to inform the public of the presence of CCTV cameras.

This is the reason the words on the sign were bothering me: below is a picture of the Burgas bombing suspect caught on the very same CCTV system, entering the very same area just a few days earlier. Clearly the CCTV didn't protect the area, nor act as a deterrent.

Wednesday, 1 August 2012

Burgas Airport Bombing Data Breach Parallel

I passed through Burgas airport a couple of days before a suicide bomber killed 5 Israelis & 2 Bulgarians on 18th July 2012, and I then passed through the airport again a couple of weeks later; in between, I knew some friends who went through the airport just a few days after the incident. Burgas Airport is the smallest of passenger airports, is located on the Bulgarian Black Sea coast, and is used mainly in the summer by holidaymakers, myself included.

Burgas Airport Bombing

A Side Point
Interestingly, on the way out from Manchester airport to Burgas, the Thomas Cook check-in crew were only focused on making money from excess baggage amounts and things like extra leg room seats; it was the first time I've not been asked at a check-in desk if I packed my bags myself and whether my bags had been out of my sight. A sign of the tough financial times, as Thomas Cook had just posted a £26.5 Million quarter loss, or security complacency, I thought.

Airport Security Theatre
It would be extremely irresponsible to point out airport security flaws, but needless to say the amount of additional 'Security Theatre' at Burgas airport post bombing was, as expected, considerable, but only for about 10 days. I didn't coin the phrase 'Security Theatre', but it's a very apt phrase for what several friends were subjected to at the airport, because the additional security hoops passengers were put through did nothing to lessen the threats to the aircraft. Further, these measures didn't do anything to make passengers feel safer; if anything they raised anxiety considerably. However a few days later the additional security measures were all dropped and the airport returned to as it was prior to the bombing.

Data Breach Parallel
My main point here is that this is very much the same as when a business suffers a major data breach and receives public and media criticism. Often a knee jerk response of security theatre is introduced which does nothing to combat the actual causes of the data breach, but makes good sound bites within media interviews. Then once the media focus dissipates, the business returns to as it was prior to the breach, including keeping the security complacency and not correcting the existing flaws which led to the breach in the first place.