Monday, 24 March 2014

Security Awareness Lesson on Loose Lips by Football Stars

Last week I was left rather concerned about the state of security awareness in the UK, after hearing various people in my train carriage rattle on loudly about information which was clearly meant to be kept confidential, a World War II awareness phrase comes to mind, Loose Lips sink Ships.  However my faith in personal security awareness has been somewhat been restored, as over the weekend I noticed many football superstars demonstrating a very simple security control, a control which I believe has been coached to them by their clubs, in other words information security awareness training. This simple tactic is to cover your month when speaking, a technique used to mitigate the risk of media, and perhaps opposition teams, from being able to eavesdrop what you are saying, namely by them using lip reading experts to interpret what is being said by watching TV or camera footage.

This practice was very evident in last night’s El Clasico, Real Madrid versus Barcelona, a match which fully lived up to the billing as the biggest club football match in the world. And what a match it was, some of the world’s best footballing talent on the pitch, playing amazing football, in a topsy-turvy match which was packed with controversy with three penalties, which saw Barca eventually run out 4-3 winners. Aside from the quality football, what I found particularly interesting, was an on the pitch conversation between Barca's Messi and Madrid's Pepe that was caught by the TV cameras, both demonstrated good security awareness by covering their mouth as they spoke to each other in conversation, see the pictures below.

 Messi & Pepe keeping their conversation private

On Saturday night I saw the same practice while watching Match of the Day. Wayne Rooney scored a goal from just inside the opponents half, mimicking David Beckham’s spectacular goal from his own half all those years ago. 

David Beckham and his family were actually in attendance, and sure enough a TV close up of David Beckham and his son Brooklyn followed Wayne Rooney’s goal celebration. Both David and young Brooklyn had their mouths covered with their hands while discussing Rooney’s goal. No doubt David was telling his son that his goal was better than Rooney’s goal. But the fact his son had his mouth covered with his hand suggests some sort of awareness training has occurred in my view, even if it was delivered by his security aware dad.
The Beckhams are Security Aware

My American friends will point out in US sports like American football, coaches on the sidelines have been hiding their mouth when barking out team instructions with a clipboard for years, but my point is this practice is relatively new to the UK sports, and I have observed it with English cricketers at the recent Ashes series, and with our Curling players at the recent Winter Olympics. But it is in football where it has become most prominent, you can spot the likes of Jose Mourinho using the mouth covering method all the time, especially after his private conversation about Samuel Eto'o and Fernando Torres was leaked to the media.

This makes me wonder what other security awareness training and practises have football clubs adopted in this technical age. These days at many Premier League clubs, players are handed iPads holding information about their gameplay and their opposition gameplay, especially so when used at half time. This information can be the difference between winning and losing a match, given the small margins involved in football,  and the vast amounts of money which can be gained or lost by success and failure, it means such information needs to be protected. The Manchester City reaction to their scouting database compromise is example of the importance of information security within the billion pound UK football industry.

Then there is social media awareness, a footballer’s comments on Twitter can land a football club in hot water with the FA and sponsors, resulting in fines and match bans for the player involved, for example Ashley Cole's £90,000 fine for a Twitter post or Jason Puncheon's recent fine for remarks on Twitter about a manager. So I think information security and the important awareness training that goes with it, is now being taken far more seriously by professional football clubs than it use to be a couple of years ago, the ultimate driver for this change is money.

Friday, 21 March 2014

Information Careless Great Britain: All Aboard the non-Privacy Train

This week I experienced a rather concerning two hour journey from London aboard a Virgin Pendolino train.
Might be the Age of the Train, but it's not the Age of Privacy Awareness

I had just taken my seat on board, and the train had just cleared the tunnel just north of Euston station. As I was settling in to the journey I noticed something through the gap of the two seats in front, like a magpie drawn to a sparkling object, something had caught my eye. I have spent years conducting security assessments, checking system logs and databases for the presence of credit card data. During this time I have unwittingly developed the canny knack of quickly spotting a 16 digit primary account number of a credit card, along with a expiry date and the 3 digit security code. My eyes were drawn to the laptop screen of the passenger in front, which had a webpage fully on show, which displayed his typed in credit card details, including the 3 digit security code, which was not obfuscated. In my disbelief I considered taking a picture with my phone, but then thought better of this, as it crosses an ethical boundary in my view. But if a more unscrupulous person than I did take a picture, then they could use the captured credit card details to easily commit credit card fraud, namely use it to buy items online.

The passenger is at fault on so many levels, obviously having your credit card details on open display within a public environment is not the greatest idea, a cheap laptop privacy filter could help reduce this risk, but not completely, I think my viewing angle would still have been good enough to observe his laptop screen. Then the website itself didn't look too secure in my view, in that the webpage didn't obscure the credit card information he had typed in, especially the 3 digit security code, which is not a good sign. Then there was the method of the internet access, I was pretty certain the laptop was connected with the train’s public WiFi. These days (hopefully) most people understand you should never enter credit card details to purchase anything over a public WiFi, as there is no way of telling if you are connected with a fake WiFi hotspot operated by data thieves, or whether someone is listening into (sniffing) all your web traffic, or even performing a man-in-the-middle attack, which is a method of defeating the encryption (https SSL) used by ‘secure’ websites.

I was still shaking my head and tutting to myself when the three ladies sat around the table seats to my left piped up. All three of them worked within the HR department of a UK footsie 100 company which I won't name, I know this because for most of the journey all they talked about was their work. First they spoke in detail about an individual which their company had recently fired. Stating this individual’s full name several times with the reason for the dismissal. They discussed how they would prepare for his employment tribunal in the following week. Next they started a real bitching session against their boss, again I'm naming no names. One of their boss’s emails was read out from a Smartphone and then ridiculed, along with further gossip...she said this, he said that, I said this. Their department restructuring is apparently a complete joke and a waste of time. Finally there were further and rather personal remarks about their boss and another individual working within their department, the irony of their HR role and the tribunal case they had been initially talking about, was not lost on me.

How many phone calls do you hear on trains?

While still doing my best to mind my own business, an annoying ring tone sounded from the seat behind me, and Mike X announced his presence to the rest of the coach, with a booming “Hello Mike X”.  He wasn't a relation to Malcolm X, I am using X to protect his real surname. We all learnt that Mike was quite the slick salesman, and how he was key to his company winning a £450K contract with a well known construction company. We also heard how he and his colleagues were going to provide the right kind of answers the construction company wanted to hear in their tender documentation, and that his company should not worry too much about details at this stage, unless it was something that was going to be clearly stipulated in the contract. Finally he told us all about his plans for the weekend, dinner with his wife on the Saturday, and golf with his chums on the Sunday.

You couldn't make this stuff up, for a moment I thought it was part of some elaborate prank, but Ant & Dec were nowhere to be seen, so I decided save myself from further annoyance by the passengers around me, I put on my headphones, pulled out my laptop, stuck on my privacy filter and wrote it up for this blog post.

Conclusion – Information Careless
I can't help but wonder whether this train carriage represents an average cross section on the level of security awareness in the UK in 2014?  No wonder cyber criminals target the UK, they know its citizen's are information careless, and are a cash rich soft touch. Information Security awareness by the UK government and companies is either proving to be not be very effective, or people already understand it well enough and are choosing not to give a dam.

Sunday, 16 March 2014

Was Flight MH370 Cyber Hijacked?

The disappearance of Flight MH370 is turning into one of the biggest mysteries of the age, the evidence is sketchy, everyone seems to have their theory, and the media are running riot with endless speculation. As a security professional I can’t help but wonder whether there was a cyber element to the incident, especially given the high amount of technology used in modern fly-by-wire jet planes like the Boeing 777-200ER.

Was Flight MH370 Cyber Jacked?

I have managed and consulted with many cyber security incidents over the years, but the following will be my own conjecture. When I usually deal cyber incidents, my golden rule is to only deal with the facts and the evidence, and saving any speculation for the Sherlock Holmes fan club. But with this incident I am allowing myself the luxury of exploring potential cyber attack possibilities with the MH370 flight disappearance, as over the week quite a few people have asked me whether the flight could have been hacked, the ‘cyber jacking’ speculation will only grow after today’s headlines in today's Sunday Newspapers.

So lets start with the facts, we now know flight MH370’s transponder and the Aircraft Communications Addressing and Reporting System (Acars) were both disabled while the aircraft was over the South China Sea, and after this the Boeing 777 changed direction, heading West.

Could the transponder and Acars been disabled by a Cyber attack?
It may well be possible to jam a transponder and Acars from within the aircraft cabin, preventing such devices from broadcasting by using fairly basic equipment to swamp these devices receiving and broadcasting frequencies with noise, a denial of service attack if you will. But I think such an attack could also interfere with other aircraft systems and jeopardise the likely objective of the hijack, which appears to be taking control of the aircraft. I believe it is far more rational that the transponder and Acars were disabled by human hand, as it is far simpler to do than a cyber attack, and it guarantees these systems are actually disabled, and then remain disabled indefinitely. The human disablement is given further credence when you consider control of the aircraft had been achieved by the attacker or attackers; as control of the aircraft is proven by the radical course change.

Could the aircraft be remote controlled due to a Cyber Attack?
A Boeing 777 cannot be remotely flown from the ground as far as anyone is aware, but we cannot rule out the possibility that someone sat in the cabin could use a laptop or mobile phone, to infiltrate the aircraft’s computer systems and take control of the aircraft.  A sophisticated fly-by-wire Boeing 777 is reliant on its computer systems to fly, and can fly completely unaided through the autopilot. Attacking the aircraft’s computer systems and changing the autopilot settings is a possibility, however the problem I have with this theory is that autopilot can be overridden by the pilot and co-pilot from within the cockpit. It is very unlikely a hack could lock out the pilot controls and prevent the pilot from radioing such a situation to air traffic controllers. The most plausible explanation is usually the simplest, namely the aircraft is physically controlled by whoever is sat in the cockpit. If you have technical theory on how such attacks could work, please post in the comments as I would be very interested to learn how it could be done, but please go beyond from just mentioning PlaneSploit, and describe how such tools could be used to lock the pilot out from the aircraft controls.

In my view based on the current evidence, I believe we are looking at a sophisticated plane hijack, by a person or persons who have a high degree of expertise in aviation, not cyber security. Although the investigation should not rule out a cyber attack element, I think it is far more plausible to switch off the aircraft tracking and to take control of the aircraft from sitting within the cockpit, than sitting in the cabin with a laptop or mobile phone. We’ll see if my speculation at this time of posting is correct or not over the coming days and weeks, or perhaps even months or years, but lets not give up hope for a positive outcome for the many involved.