ePrivacy Directive: EU to tighten up on Data Breach Notifications

You may be aware that the EU recently brought into force the updated ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC). Since May 2011, cookies that track website visitors or hold their personal details may only be set with the informed consent of the visitor; the one exception is a cookie that is strictly necessary to deliver a service the visitor has explicitly asked for, such as a shopping basket. Interestingly, websites based outside the EU do not have to operate under the same constraints. The enforcement and technical implementation of the directive may take some time to filter through to every cookie-using site on the web, and penalties for non-compliance are yet to be seen.

Work continues on the ePrivacy Directive in the coming months. One InfoSec concept the EU is looking to tighten control of through the directive is “disclosure”. Whereas in the past companies and organisations may have been a little shy about publicising their information security breaches, it is soon going to become a strictly enforced legal requirement to do so: the amended directive obliges providers of publicly available electronic communications services to notify their national authority of personal data breaches, and to notify the affected subscribers where the breach is likely to harm them. Under the ePrivacy Directive, disclosure requirements are covered by the Data Breach Notification rules. A public consultation is currently underway and is due to conclude in September:

ePrivacy Consultation

The consultation will cover the mechanisms for categorising, assessing and reporting breaches.

The hacker groups Anonymous and LulzSec have made a mockery of the security controls of some major organisations in recent months. Data loss and its prevention continues to be a major challenge for information security managers. It’s time for organisations of all sizes to get serious about InfoSec, and this legislation could help push for that.

Theory of Gravitational Information Security – Making Security Policy Implementation A Reality

This article draws on elements of gravity theory to help visualise information security concepts and to describe how to practically implement security policy objectives. It describes a metaphorical model in which gravitational forces are analogous to the level of security controls we apply to an organisation’s information. Be warned, this will quite possibly be the nerdiest article I have written, but it is simple enough: no degree in particle physics is required to grasp it.

What is Gravity?

Gravity is a force which attracts and pulls physical objects towards each other. All objects are affected by gravity, from the smallest atom to the largest star in the night sky. A general rule for gravity is that the greater the mass of an object, the more gravitational force it exerts on the objects around it. The sun, for instance, holds the earth in its orbit in the same way that the earth holds the moon in its.

Inside a massive object, the closer to the centre we get, the greater the pressure from the weight of everything above. As density increases, the movement of the atoms at the core is more restricted, whereas the outer atoms are able to move more freely.

The Analogy

In the same way as gravity applies force to those atoms drawing them towards the center, we can secure information by applying varying levels of enforcement based on sensitivity. If we imagine the sum of our organisation’s information as a spherical object made up of thousands of information atoms, we can start to visualize the relationship. Our most sensitive information is at the core of our infosphere (information sphere) and we must apply more force to protect it. As we move further towards the surface of our infosphere, the controls we will want to apply will be less restrictive and we will let those less sensitive information atoms move more freely.


Web 2.0 – Why the internet got better, why security got worse.

Web 2.0 was recently crowned the one millionth word of the English language. This is perhaps just one indicator of the impact that Web 2.0 has had on our everyday lives, and it begs the question of what it actually is. In this blog post I’m going to look at what Web 2.0 actually is, some of the underlying technologies, and the challenges these bring for security.

Data Loss Prevention – Content Awareness: Human vs Computer Classification

Data Loss Prevention (DLP) is a newer area of information security and assurance which has emerged in recent years. A host of software products, controls and solutions have found their way onto the market to help facilitate DLP, whether the losses they address are malicious or inadvertent. The market is fledgling but is maturing as time goes on. People are just starting to understand the effects of losing data, most of which is lost by mistake: around 77% of data loss is “inadvertent” and unintended. Basically, people make mistakes, and a much lower percentage of data loss is malicious. Compliance seems to be a major driver for the implementation of these solutions, and many key security players are positioning DLP as a core element of their ongoing strategy. The question I have is: at this stage, are we ready to effectively apply AI (Artificial Intelligence) based systems whose intended objective is to scan, analyse and, more importantly, classify information as sensitive or unimportant?

The DLP market does seem to be a slow starter, with a very small percentage of companies intending to deploy and a further fraction of that minority actually having a deployed system. The bulk of these solutions are what Gartner terms “content aware”. They generally monitor network and email traffic and at the same time deploy agents which scan internal network resources (file shares, etc.) for sensitive data that is available where it shouldn’t be. The idea is that when sensitive information is located, it should be removed, quarantined, blocked in transit, or authorised to remain in place or be distributed. The problem is that while it is easy enough to recognise structured information like credit card numbers, which follow a fixed format and carry a checksum that can be validated, it becomes far more difficult for these systems to understand more qualitative content. Qualitative content (information expressed in verbose, literal wording rather than in distinctive formats or patterns) is hard for an AI system to match against a particular pattern or template, so it cannot effectively classify the information. Examples of this type of information include a new product idea for an investment bank, a ground-breaking formula for a new medicine in a pharmaceutical company, or perhaps even a World Cup winning team strategy for a national football team. Information of this nature is usually specific on a company-by-company and case-by-case basis: one sports team’s strategy may not look anything like another’s.

It is for this reason that the term “False Positive” is becoming widely used in the market, and anyone who’s worked with DLP systems (or tried to deploy one) will Continue reading
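To make the content-aware point concrete, here is a small scanner added for this post (it is not code from any DLP product). It applies the two steps a content-aware engine uses on structured data, a pattern match followed by a validation check, and shows why the second step matters: a random 16-digit order number matches the pattern but fails the Luhn checksum, while the third line, a strategy document, is exactly the qualitative content that no pattern will ever catch. The sample “email” lines are constructed; 4111111111111111 is a standard test card number.

```python
"""Content-aware DLP check for card numbers: pattern match plus Luhn validation."""
import re

# Candidate primary account numbers: 13-19 digits with optional space/dash separators,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str, validate: bool = True) -> list:
    """Return candidate card numbers in text; with validate=True keep only Luhn-valid ones."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(line: str) -> str:
    """'sensitive' if a Luhn-valid card number is present, otherwise 'unclassified'."""
    return "sensitive" if find_pans(line) else "unclassified"


# Constructed sample outbound-email lines for the example.
SAMPLE_LINES = [
    "Please charge card 4111 1111 1111 1111 for the invoice.",
    "Your order reference is 1234567890123456, thanks for shopping.",
    "Attached: Q3 product strategy, do not forward outside the company.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "|", line)
```

Without the Luhn step the order number on the second line is reported as a card number, which is the false positive the post goes on to describe; with it, the scanner is precise on card data and still says nothing useful about the third line, which is the classification gap for qualitative content.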

Google Sniff-View Cars?

Probably one of the more interesting news stories this month is the revelation that Google has admitted to packet sniffing on unsecured public Wi-Fi networks.

It appears that Google Street View cars were driving around taking pictures of various locations, but were also kitted out with network sniffers that captured and recorded data transmitted over unsecured public Wi-Fi networks as the cars passed (no connection to the access point is needed; frames on an open network travel in the clear). Naughty stuff, Google. This went on for a total of three years and, according to Google, the activity was a “simple mistake”. This re-affirms the belief that public Wi-Fi networks are a serious security risk for both individuals and companies. If one of the world’s largest IT monopolies can do this by accident (cough), what could a determined plan of attack achieve?

So how did they do it? The answer is: without rocket science. It’s easy enough to connect a laptop to an unsecured Wi-Fi network, as no password is required. Once connected you can run a network sniffer to see what’s going on, although in normal (managed) mode your wireless card only sees traffic addressed to it plus broadcasts; to capture other clients’ traffic on an open network you put the card into monitor mode, which records the raw 802.11 frames without associating at all. Why not try it yourself on your own network? Try Wireshark, or perhaps Cain & Abel if you want a little more security analysis.
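What a sniffer actually sees is easier to appreciate with bytes in hand, so here is an added example (not the page’s code, and nothing to do with Google’s software). It builds a minimal pcap file in memory, the format Wireshark and tcpdump write, containing one constructed Ethernet/IPv4/TCP frame that carries a cleartext HTTP request, then reads it back and dissects it the way a capture tool would, pulling out the session cookie that anyone on an open network could replay. The MAC addresses, IP addresses (TEST-NET ranges), ports and the cookie value are all made up for the example.

```python
"""Write a one-frame pcap, read it back, and extract a cleartext HTTP cookie."""
import struct


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame around payload.
    IP/TCP checksums are left at zero: a dissector does not need them to read the data."""
    eth = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 20]), bytes([203, 0, 113, 10]))
    # src port 50000 -> dst port 80, seq/ack 1, data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: list) -> bytes:
    """pcap global header (magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET=1)
    followed by one 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1300000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data: bytes) -> list:
    """Return the raw frames from pcap bytes; byte order is detected from the magic number."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def dissect(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP headers; return addressing and the TCP payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if proto != 6:
        raise ValueError("not TCP")
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": frame[tcp_off + data_off:]}


def extract_cookie(payload: bytes):
    """Return the Cookie header value from a cleartext HTTP request, or None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"cookie:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


def sniff_cookies(pcap: bytes) -> list:
    """Roughly what an 'http.cookie' display filter shows: (dst, dport, cookie) per request."""
    found = []
    for frame in read_pcap(pcap):
        pkt = dissect(frame)
        if pkt["dport"] == 80:
            cookie = extract_cookie(pkt["payload"])
            if cookie:
                found.append((pkt["dst"], pkt["dport"], cookie))
    return found


# Constructed cleartext request as a browser on an open network would send it.
HTTP_REQUEST = (b"GET /account HTTP/1.1\r\nHost: example.com\r\n"
                b"Cookie: session=deadbeef1234\r\n\r\n")
PCAP = build_pcap([build_frame(HTTP_REQUEST)])

if __name__ == "__main__":
    print(sniff_cookies(PCAP))
```

The point is that nothing here needs the network password: on an open network the frames are already readable, and the only defence for the cookie is encryption above the Wi-Fi layer (HTTPS), which is why an attacker with a sniffer and a public hotspot is a real risk and not a theoretical one.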

For an intro to packet capture and analysis using Wireshark, spend a couple of minutes watching this video:

How secure is my wireless network? Four Tips to bump up security.

Do you think your wireless network is secure?

If the answer is yes, the BackTrack (BackTrack 4 – www.backtrack-linux.org) penetration testing OS would beg to differ.

BackTrack 4 is an entirely customised Linux distribution. The underlying distro is Ubuntu, but it has been specifically enhanced, configured and packaged for penetration testing. Within the package you receive a wide variety of wireless cracking, network scanning and password breaking tools.

There are several options for running BackTrack. You can install it as an OS on your hard drive, install it on and run it from a USB stick, or run the entire OS from CD. The latter option requires no installation at all: you simply boot a machine from the CD and remove the CD when finished. I chose the latter option for my tests to see if it really worked.

I started by booting the OS and starting X Windows. Most work is done from the Konsole terminal. In short, there are four key utilities (all part of the aircrack-ng suite) you can use to crack WEP and WPA keys. These are:

airmon-ng: used to put your own wireless card into monitor mode.

airodump-ng: used to collect wireless packets and save them to disk.

aireplay-ng: used to run a number of injection and replay attacks against the wireless access point (AP). In our scenario this is useful to make the AP accept or generate more packets. Cracking WEP is about collecting enough packets (roughly 100k-500k unique IVs) to derive the key statistically; cracking WPA instead needs only a captured 4-way handshake, and aireplay-ng’s deauthentication attack can force a client to reconnect and produce one.

aircrack-ng: used on the collected packets to recover the keys: statistically for WEP, and by trying a wordlist of passphrases against the captured handshake for WPA.

Check out these videos for a step by step example.

Part 1:

Part 2:

Disclaimer: you should be aware that it is illegal to hack into a wireless network that you do not own. This example is for test and education purposes only.

Any determined attacker can usually find a way to get access to your networks, but here are four tips to make it much more difficult:

  1. Use WPA encryption (preferably WPA2) with a long, random passphrase – it’s much more difficult to crack than WEP, but a WPA key is only as strong as its passphrase, because an attacker who has captured a handshake can try a wordlist against it offline.
  2. Restrict network access to known MAC addresses – MACs can be spoofed, but it’s another hurdle to delay an attacker.
  3. Switch it off when you are not using it – if there is nothing in the air, there is nothing to analyse. The information an attacker requires to crack the keys is simply not there.
  4. Change the key regularly – a handshake an attacker captured last month is useless against this month’s key.
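The four-tool workflow above and tips 1 and 4 come down to one computation, so here is an added example of what aircrack-ng does with a captured WPA/WPA2 handshake (this is not aircrack-ng’s code; the algorithm is the one in IEEE 802.11i). It derives the PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1, expands it to the PTK using the two MAC addresses and two nonces from the handshake, and checks each candidate passphrase by recomputing the MIC on the second EAPOL-Key frame. The SSID, MACs, nonces, EAPOL frame and wordlist are constructed for the example; in a real run they come from airodump-ng’s capture file. The only external value is the IEEE test vector for “password”/“IEEE”.

```python
"""WPA-PSK key derivation and the offline dictionary attack aircrack-ng performs."""
import hashlib
import hmac


def pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def ptk(pmk_: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk_, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-SHA1 for WPA2, HMAC-MD5 for WPA."""
    algo = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_frame, algo).digest()[:16]


def crack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, mic, wpa2=True):
    """Return the passphrase whose derived KCK (first 16 bytes of the PTK) reproduces the MIC."""
    for candidate in wordlist:
        kck = ptk(pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, wpa2), mic):
            return candidate
    return None


def known_vector_ok() -> bool:
    """IEEE 802.11i Annex test vector: passphrase 'password', SSID 'IEEE'."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return pmk("password", "IEEE").hex() == expected


# Constructed "capture": real values come from the 4-way handshake frames in the .cap file.
SSID = "HomeNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
# EAPOL-Key message 2 (version 1, type Key, length 95) with the MIC field already zeroed.
EAPOL_M2 = bytes.fromhex("0103005f02010a0000") + b"\x00" * 90
TRUE_PASSPHRASE = "sunshine1"
WORDLIST = ["password", "letmein", "sunshine1", "correct horse battery staple"]


def demo():
    """Compute the MIC the AP would have seen for the true key, then recover it from the wordlist."""
    kck = ptk(pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, EAPOL_M2)
    return crack(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2, mic)


if __name__ == "__main__":
    print("test vector ok:", known_vector_ok())
    print("recovered passphrase:", demo())
```

Every candidate costs 4096 HMAC-SHA1 iterations, which is why aircrack-ng reports keys per second and why a long random passphrase (tip 1) puts the key beyond any wordlist an attacker can afford to run; and because the attack is entirely offline against a recorded handshake, changing the key (tip 4) is the only thing that invalidates a capture that has already been taken.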

Cryptography – Before & After Public Key.

What better way to kick off an information security blog than with a video from the Computer History Museum on cryptography? Whitfield Diffie is the speaker in this hour-long presentation on the history of cryptography and is one half of the Diffie-Hellman duo credited with inventing public key cryptography. GCHQ in the United Kingdom makes the same claim: its researchers James Ellis, Clifford Cocks and Malcolm Williamson arrived at equivalent ideas in secret a few years earlier, but their work remained classified until 1997, so the two findings became public more than two decades apart.

Public key cryptography is implemented by generating a pair of keys (numbers) which are mathematically linked. One is deemed the “Public Key”, which is available to all, and the other is the “Private Key”, which is held only by the intended recipient of the information to be encrypted.

The Public Key is used to encrypt and the Private Key is used to decrypt. The Private Key can also be used in digital signing operations, where the recipient uses the corresponding Public Key to verify the signature applied to a piece of information. Eloquently described by our long-bearded and grey-haired expert.

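The two operations just described, encrypt/decrypt and sign/verify, in working code, as an added example that is not part of the post or the museum talk. It is textbook RSA with two Mersenne primes, chosen so the numbers are small enough to inspect; there is no padding and the primes are fixed, so it illustrates the mathematics only and must never be used to protect real data. Because the talk is Diffie’s, a Diffie-Hellman exchange over the same prime is included at the end to show the other way public values can produce a private secret. The messages, exponents and group parameters are constructed for the example.

```python
"""Textbook RSA (encrypt/decrypt, sign/verify) and a Diffie-Hellman exchange."""
import hashlib

P = 2**127 - 1   # Mersenne primes, fixed for readability; real keys use random 1024+-bit primes
Q = 2**89 - 1
E = 65537


def keygen(p: int = P, q: int = Q, e: int = E):
    """Return (public, private) = ((n, e), (n, d)) where d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Anyone with the public key can do this: c = m^e mod n."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key (textbook RSA has no padding)")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Only the private key holder can do this: m = c^d mod n."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    """Sign the SHA-256 hash of the message (reduced mod n) with the private exponent."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check: s^e mod n must equal the message hash."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


# Diffie-Hellman: each side keeps a private exponent and publishes g^x mod p;
# both compute the same shared secret without it ever crossing the wire.
# g=5 is an illustrative base; real deployments use vetted groups.
DH_P = 2**127 - 1
DH_G = 5


def dh_public(private_exp: int) -> int:
    return pow(DH_G, private_exp, DH_P)


def dh_shared(their_public: int, my_private: int) -> int:
    return pow(their_public, my_private, DH_P)


if __name__ == "__main__":
    pub, priv = keygen()
    c = encrypt(pub, b"attack at dawn")
    print(decrypt(priv, c))
    s = sign(priv, b"attack at dawn")
    print(verify(pub, b"attack at dawn", s), verify(pub, b"attack at noon", s))
    print(dh_shared(dh_public(12345), 67890) == dh_shared(dh_public(67890), 12345))
```

Note the asymmetry the post describes: `encrypt` and `verify` use only `(n, e)`, which can be published, while `decrypt` and `sign` need `d`, which never leaves the key holder. Altering one byte of a signed message changes its hash and the verification fails.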

And if you would like to see a 3 minute summary of Public Key Cryptography at a high level, this video pretty much sums it up: