ePrivacy Directive: EU to tighten up on Data Breach Notifications

You may be aware that the EU recently put into force the updated ePrivacy Directive (2002/58/EC). As of May 2011, the use of cookies to track website visitor information is now strictly prohibited. Cookies which were previously used to track visitor behaviour and personal details may now only be used with the express permission of the visitor. Interestingly, websites based outside of the EU do not have to operate under the same constraints. The enforcement and technical implementation of the directive may take some time to filter through to every cookie-using site on the web, and penalties for not complying are yet to be seen.

Work continues on the ePrivacy Directive in the coming months. One InfoSec concept which the EU are looking to tighten up control of through the directive is “disclosure”. Whereas in the past, companies or organisations may have been a little shy about publicising their information security breaches, it’s soon going to become a strictly enforced legal requirement to do so. Under the ePrivacy Directive, disclosure requirements will be covered under Data Breach Notification rules. A public consultation is currently underway and is due to conclude in September:

ePrivacy Consultation

The consultation will cover the mechanisms for categorising, assessing and reporting breaches.

The hacker groups Anonymous and LulzSec have made a mockery of the security controls of some major organisations in recent months. Data loss and its prevention continues to be a major challenge for information security managers. It’s time for organisations of all sizes to get serious about InfoSec, and this legislation could help push for that.

Phone Hacking How To: Hacking Voicemail

I’ve been asked in recent weeks how the News of the World private investigators were able to hack into the voicemail of the alleged 4,000 victims of the phone hacking scandal. While the details of all that activity are something for the police to worry about, we can explain the basic methodology of a simple attack to do this, the one probably used in the majority of cases.

In the world of InfoSec there is such a thing as a spoofing attack. A spoofing attack is where you have your device (whether that be a phone, PC or laptop) send out network packets with the identity of someone else. In the IP world, communications are broken down into thousands of small packets of data. Each packet has a destination address and a source address. In a spoofing attack, specialised software is used to send out packets with someone else’s source address.

With the convergence of data and voice networks over the last 10 years, there’s been a proliferation of technologies that allow data networks to connect to older technologies traditionally used to provide voice services. This has come in the form of VoIP, technologies that carry voice over an IP data network. This has brought voice communications into the realm of the computing community, and also into the hands of the bad guys in that community: hackers. Hackers have produced software tools that allow them to control the data sent out over VoIP data connections where calls are made and received.

Continue reading

Microsoft AD RMS: User Adoption Made Simple

What is Rights Management?

Rights management pertains directly to managing permissions for individuals to access specific information. Our two jargon-busting acronyms for this area are DRM (Digital Rights Management) and IRM (Information Rights Management). For the purposes of this article we will consider DRM and IRM one and the same.

Development of this area of technology has primarily been driven by copyright. Publishers of books, music and films have in recent years been more and more motivated to try to protect their material, in the face of the proliferation of internet use. The Internet has made it exponentially easier to share copyrighted materials with the click of a button, and not just with one person, but with hundreds of people, even ones that the sharer has never met. The need to control who has the right to access, read, modify or even delete information has also become prominent in both government and commercial organisations.

Microsoft AD RMS – Active Directory Rights Management Services

Controlling content is at the heart of fulfilling those requirements, and Microsoft provides an Active Directory integrated service, AD RMS, to do exactly that. The basis of the AD RMS service is that each document is automatically encrypted by an RMS client at the point of creation (the desktop). It is then, by default, protected from unauthorised individuals trying to access it. At creation, the creator is able to apply a list of permissions to the document, to specify who has what level of access to read or change it. These permissions are stored in the central AD RMS server, so at the time any other client tries to access the document, the server can be queried to see if the requested access should be permitted. Simple enough? Continue reading

Eco-Labelling – The Green Argument For Information Classification

It seems that if you are promoting a product or service these days, it’s mandatory to have an associated “Green Story” to back up your proposition. Earning cold hard cash for the benefit of both you and your customer is in some circumstances frowned upon if there isn’t an ethical, eco-friendly angle to your pitch. While I support green initiatives and do what I can to help with moves to improve the sustainability of the planet, hasn’t it all gone a bit eco-mad?

Those fabled three letters, E C O, are being used and abused by all and sundry to get that green tickbox filled. Whether a product is environmentally friendly or not, the ECO label gets thrown around like confetti at a wedding. We have Eco-Homes, Eco-Heaters, Eco-Computers, Eco-Laptops, Eco-Cars, Eco-Trucks… you name it, we have it. In a shameless attempt to look more trendy, I’d like to throw my hat in the ring and talk briefly about how appropriate labelling of documents and emails can help save the planet. Eco-Labelling for short.

Continue reading

UK: What is the GCSx Code of Connection (CoCo)?

A code of connection (CoCo) is a mutually agreed set of rules used by two parties to allow the exchange of information between their systems. The UK government has pursued several initiatives in recent years to connect all government organisations into the secure networks of the central government intranet.

GCSx stands for Government Connect Secure Extranet. This is the network which will specifically connect Local Authorities (LAs) to the central government intranet (GSI – Government Secure Intranet). GCSx relates only to LAs in England and Wales. Scottish LAs will connect through GSX (Government Secure Extranet). Local Authorities must achieve CoCo compliance in order to be granted access to the Government Secure networks. Confused yet? Being driven CoCo.Nuts?

Here’s a diagram to help see how it all fits together:

There are just under 100 controls and measures that a Local Authority needs to put in place in order to be CoCo compliant. The most prominent of these are listed here: Continue reading

Phone Hacking, Corporate Responsibility and Employee Accountability

The UK has been awash with scandal upon scandal in recent months. Individuals and organisations who we are supposed to trust have abused their positions and the circumstances available to them. Is this to be the century of corruption? The politicians led the way with the expenses scandal, immediately followed by questionable banking practices which brought the world to the brink of bankruptcy. Now in our latest instalment of the “people doing what they really shouldn’t” saga, we have once reputable press organisations hacking into the phones of, well, pretty much everyone.

The world needs a double dose of the medicine that is corporate responsibility and employee accountability. Whether or not the chiefs at the head of these corporate tribes were aware of the activities of their employees, ultimately they have a duty of care to take reasonable measures to prevent this kind of unacceptable behaviour occurring. Failure to do so is a slippery slope which rapidly evolves from the occasional cheeky rogue to an inherent culture of widespread wrongdoing. Individuals should not be given a shield of plausible deniability or a proclamation of ignorance. Each and every individual should be liable to take responsibility for their actions. Chiefs have a responsibility to foster and enforce an ethical culture through the correct provision of training and by providing the right tools for employees to adopt that ethical behaviour.

Just this week we have learned that News International were in fact in possession of emails which were withheld from the police in an attempt to control possible damage from implication in law breaking. Although possible, it’s difficult to release information in an email without actually thinking about its content before clicking send. Much more difficult than giving the go-ahead to do something in the spur of the moment over the phone. Information created or received by an organisation should be treated with the respect it deserves, but with the casual use of email in day-to-day life, it’s easy for the lines to blur. People generally use their work email accounts for general informal internal communications, even external at times. When wrongdoing is suspected, the legal defence of “that email was sent in this context” is used all too often.

As an organisation, one line of defence in this legal minefield is.. yes.. you have guessed it.. email labelling. Forcing users (whether employees, directors or other execs) to select an appropriate label before sending an email builds not only awareness of company policies, but also reinforces a culture of employee accountability. Investment in an email labelling tool could in the long run save your organisation millions, or may even save it from the recently bloodied axe which took out the News of the World in one fell swoop. Furthermore, there are no longer any excuses on cost. You can do this for free. Although you don’t get all the benefits of the paid version of Boldon James’ Email Classifier, the FreeMark version of Classifier allows you to do exactly that: label emails. IT’S FREE, the clue is in the name – FreeMark. If you want to learn more about the FreeMark initiative, please visit www.freemarkinitiative.com

Theory of Gravitational Information Security – Making Security Policy Implementation A Reality

This article draws on elements of gravity theory to help visualise information security concepts and to describe how to practically implement security policy objectives. It describes a metaphorical model where gravitational forces are analogous to the level of security controls we apply to an organisation’s information. Be warned, this will quite possibly be the nerdiest article I have written, but it will be simple enough: no degree in particle physics is required to grasp it.

What is Gravity?

Gravity is a force which attracts and pulls physical objects towards each other. All objects are known to be affected by gravity, from the smallest atom to the largest star in the night sky. A general rule for gravity is, that the greater the mass of an object, the more gravitational force it will exert on the other objects around it. The sun, for instance, pulls the earth towards it in the same way that the earth pulls the moon ever closer as time passes.

At an atomic level, the closer to the center of an object we get, the greater the gravitational force is. As density increases, the movement of those central atoms is more restricted whereas the outer atoms are often able to move more freely.

The Analogy

In the same way as gravity applies force to those atoms, drawing them towards the centre, we can secure information by applying varying levels of enforcement based on sensitivity. If we imagine the sum of our organisation’s information as a spherical object made up of thousands of information atoms, we can start to visualise the relationship. Our most sensitive information is at the core of our infosphere (information sphere) and we must apply more force to protect it. As we move further towards the surface of our infosphere, the controls we will want to apply will be less restrictive and we will let those less sensitive information atoms move more freely.

Continue reading

Web 2.0 – Why the internet got better, why security got worse.

Web 2.0 was recently crowned the one millionth word of the English language. This is perhaps just one indicator of the impact that Web 2.0 has had on our everyday lives. Why? In this blog, I’m going to go into what Web 2.0 actually is, some of the underlying technologies, and what challenges these bring for security. Continue reading

Google Sniff-View Cars?

Probably one of the more interesting news stories this month is the revelation of Google admitting that it packet sniffed on unsecured public Wi-fi networks. Read news here.

It appears that Google Street View cars were driving around taking pictures of various locations, but were also kitted out with network sniffers that could connect to unsecured public Wi-Fi access points, then monitor and record data transmissions across those networks. Naughty stuff, Google. This went on for a total of 3 years and, according to Google, the activity was a “simple mistake”. This continues to reaffirm beliefs that public Wi-Fi networks are serious security risks for both individuals and companies. If one of the world’s largest IT monopolies can do this by accident, cough, what could a determined plan of attack achieve?

So how did they do it? The answer is, without rocket science. It’s easy enough to connect a laptop to an unsecured Wi-Fi network as no passwords are required. Once connected, you can run a network sniffer to see what’s going on. Why not try it yourself on your own network? Try Wireshark, or perhaps Cain and Abel if you want a little more security analysis.

For an intro to packet capture and analysis using Wireshark, spend a couple of minutes watching this video:

How secure is my wireless network? Four Tips to bump up security.

Do you think your wireless network is secure?

If the answer is yes, the BackTrack (BackTrack 4 – www.backtrack-linux.org) penetration testing OS would beg to differ.

BackTrack 4 is an entirely customised distribution of Linux. The underlying distro is Ubuntu, but it has been specifically enhanced, configured and packaged for the purposes of penetration testing. Within the package you receive a wide variety of wireless cracking, network scanning and password breaking tools.

There are several options you can select for running BackTrack to start your activities. You can install it as an OS on your hard drive, you can install it and run it from a USB stick, and you can even run the entire OS from CD. The latter option requires no installation at all. You simply select a machine, boot from the CD and then remove the CD when finished. I chose the latter option for running my tests to see if it really worked.

I started by booting the OS and starting X Windows. Most work is done from the Konsole terminals. In short there are four key utilities you can use to crack WEP and WPA keys. These are:

airmon-ng: Used to put your own wireless card into monitor mode.

airodump-ng: Used to collect wireless packets and save them to disk.

aireplay-ng: Used to implement a number of replay attacks on the Wireless Access Point (AP). In our scenario this is useful to make the AP accept or generate more packets. Cracking wireless is generally about getting enough packets (100k-500k) to derive keys.

aircrack-ng: Used on the collected packets to find the keys.

Check out these videos for a step by step example.

Part 1:

Part 2:

Disclaimer: You should be aware that it is illegal to hack into a wireless network that you do not own. This example is for test and education purposes only.

Any determined attacker can usually find a way to get access to your networks, but here are four tips to make it much more difficult:

  1. Use WPA encryption – it’s more difficult to crack than WEP.
  2. Restrict network access to known MAC addresses – MACs can be spoofed but it’s another hurdle to delay.
  3. Switch it off when you are not using it – If there is nothing in the air, there is nothing to analyse. The information an attacker requires to crack the keys is simply not there.
  4. Change the key, regularly.
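To show what tips 1, 2 and 4 look like on an access point you administer yourself, here is an added example (not code from the original post, and not part of BackTrack) that assumes a Linux access point running hostapd. It writes two constructed hostapd.conf files, one weak (WEP, no MAC filtering, no key rotation) and one hardened, and runs a small audit function that flags the weak settings. It goes beyond tip 1 by using WPA2 with the AES-CCMP cipher rather than original WPA/TKIP. The option names are real hostapd keys; the interface name, SSID, passphrase and MAC allow-list path are placeholders. Tip 3 (switch it off) has no configuration counterpart, so it is not checked.

```shell
#!/bin/sh
# Added example, not code from the original post: two constructed hostapd.conf
# files, one weak and one applying tips 1, 2 and 4, plus a small audit
# function that flags the weak settings. Option names are real hostapd keys;
# interface, SSID, passphrase and the MAC allow-list path are placeholders.

# conf_get FILE KEY -> value of the last KEY=... line, or empty if absent
conf_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# write_sample_configs WEAK_FILE HARD_FILE -> writes the two constructed configs
write_sample_configs() {
  # Constructed weak config: static 40-bit WEP key, no MAC filtering,
  # no group key rotation.
  cat > "$1" <<'EOF'
interface=wlan0
ssid=ExampleNet
hw_mode=g
channel=6
wep_default_key=0
wep_key0=0123456789
EOF
  # Constructed hardened config: WPA2-PSK with AES-CCMP (tip 1), MAC
  # allow-list (tip 2), group key rekeyed every 10 minutes (tip 4; the
  # passphrase itself still has to be changed by hand on a schedule).
  cat > "$2" <<'EOF'
interface=wlan0
ssid=ExampleNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase
rsn_pairwise=CCMP
wpa_group_rekey=600
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
EOF
}

# audit_hostapd_conf FILE -> prints one line per weak setting found
audit_hostapd_conf() {
  f="$1"
  wpa=$(conf_get "$f" wpa)
  if grep -q '^wep_key' "$f"; then
    echo "WEP key configured: WEP is broken, use WPA2 (tip 1)"
  fi
  case "$wpa" in
    ""|0) echo "wpa not set: network is open or WEP only (tip 1)" ;;
    1)    echo "wpa=1: WPA1/TKIP only, prefer wpa=2 with CCMP (tip 1)" ;;
    *)
      # wpa=2 (or 3, mixed mode): check the pairwise cipher and passphrase length
      case "$(conf_get "$f" rsn_pairwise)" in
        *CCMP*) ;;
        *) echo "rsn_pairwise lacks CCMP: TKIP pairwise cipher (tip 1)" ;;
      esac
      pass=$(conf_get "$f" wpa_passphrase)
      if [ "${#pass}" -lt 20 ]; then
        echo "wpa_passphrase shorter than 20 characters (tip 1)"
      fi
      ;;
  esac
  # macaddr_acl=1 means deny unless listed in accept_mac_file; 2 defers to RADIUS
  case "$(conf_get "$f" macaddr_acl)" in
    1|2) ;;
    *) echo "macaddr_acl not 1 or 2: no MAC allow-list (tip 2)" ;;
  esac
  if [ -z "$(conf_get "$f" wpa_group_rekey)" ]; then
    echo "wpa_group_rekey not set: group key never rotated (tip 4)"
  fi
}

# count_findings FILE -> number of lines audit_hostapd_conf prints
count_findings() {
  audit_hostapd_conf "$1" | awk 'END { print NR }'
}

# Stand-alone run: write both samples to a temp dir and audit them.
tmpdir=$(mktemp -d)
write_sample_configs "$tmpdir/weak.conf" "$tmpdir/hardened.conf"
for c in weak hardened; do
  echo "== $c.conf: $(count_findings "$tmpdir/$c.conf") finding(s)"
  audit_hostapd_conf "$tmpdir/$c.conf"
done
rm -rf "$tmpdir"
```

Run it as `sh audit-hostapd.sh`: the weak file produces four findings and the hardened file none. To audit a live access point, call `audit_hostapd_conf /etc/hostapd/hostapd.conf` from the same shell; the MAC allow-list it expects is one MAC address per line in the file named by accept_mac_file.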