Thursday, October 6, 2011

What they know about you

What do they know about you? A lot.

It is difficult to grasp how many digital fingerprints you leave behind on your computer even if you turn off cookies. I found this section in the Wall Street Journal dedicated to the many ways you can be tracked in cyberspace: http://online.wsj.com/public/page/what-they-know-digital-privacy.html

The section on digital fingerprinting is http://online.wsj.com/video/what-they-know-your-digital-fingerprint/49B4A220-88A5-4F53-BA89-20BBB0A83CB2.html  

Should we be worried? Just like in the real (non-cyber) world, one has to be careful.
  • You don't visit disreputable stores, online or in real life.
  • You don't talk to strangers, online or in real life, unless they are introduced by a friend you know.
  • You check out the person or the company before you interact with them. There are many ways to find out.
We are in the cyber world. There is no turning back. We just have to learn to live in it safely.

Are there other best practices you can share?

Tuesday, August 9, 2011

Bike Theft - there is always a lesson that can be learned

Cable lock that's been cut.
Bike Theft - living in a city with a reputation for being bike friendly, it should be no surprise that bike thieves love the city as well.

So what does a bike theft have to do with cyber security? Bear with me, and I hope to draw some parallels.

Yes, a couple of years ago, I had my new bike stolen on a Saturday afternoon, from a busy street where I thought no thief would be brave enough to take it. I just thought I was unlucky. It was not until a couple of weeks ago, after I actually witnessed a bike theft first hand, that I realized it was my stupidity instead.

Then, yesterday, I was in some email exchanges that discussed whether an End of Life security device has any value. It dawned on me that bike theft and cyber theft have analogies.

Let me first relay to you my first-hand experience of the bike theft. It was also on a Saturday afternoon, but only 2 weeks ago, in front of a theatre, with a packed crowd on the sidewalk. This guy walked up to the line of locked bikes. Most of the bikes used a U-type lock, but one used a cable lock. The thief took a bolt cutter out of his drawstring backpack and clipped the cable lock - all within half a second and not more than 5 feet from me. I yelled at him, challenging him. He replied with some stupid answer, got on the bike and took off. This all happened within 5 seconds. I dialed 911 and reported it. The reporting took me 5 minutes.

These incidents taught me a few lessons.

1) Bike thieves have lots of practice. They think like thieves, not like good guys. Stealing a bike on a busy street is no harder for them than on a quiet street.

Analogy - cyber thieves are the same. They think like bad people. They don't care whether you use the internet a lot or just occasionally; you are the same victim either way.

2) After my own bike was stolen, I learned that cable locks are useless. This is a widely known and well-published fact. So why are bikers still using cable locks? The bike thief took the easiest prey.

Analogy - an End of Life security appliance means no more support and no more patches. This, too, is a widely known and well-published fact. The bad guys know it too. So why are we still using outdated security appliances? Like the bike thief, the attacker can identify the weak security device and take the easiest prey.

3) Even though I reported the bike theft, do you think the thief will ever be caught? Even if caught, do you think he will go to court? I highly doubt it.

Analogy - cyber thieves steal a couple of thousand dollars from our bank or credit card account. You report it; do you think the thief will be caught? Stealing smaller amounts from lots of people is much less noticeable than stealing a large amount from a big company.

The bike thief was clean-cut and looked just like any other tourist. Lesson learned: you don't know what a bad guy looks like.

Any other lessons learned? Please share with me.

Friday, August 5, 2011

The lazy days of Summer

Summer days are lazy days. Kids are on break. Families are thinking about vacation. The office is quiet and spam traffic is down. So life is good!

I only wish hackers looked at summer the same way we do. Seeing the activity behind the scenes, hackers are not taking a break. CRN released this report.

Just because you don't see it, doesn't mean it went away. The hidden ones are worse than the ones you know.

So make sure you delegate the vigilance of data security to someone before you take off on your vacation.

Thursday, July 21, 2011

Lessons learned from the Space Shuttle Program

As I sit watching the final landing of Space Shuttle Atlantis, 18 minutes from the final touchdown, I come to reflect on what the space shuttle program has taught us.

Yes, it is the end of an era, a glorious era that started 30+ years ago. We have gained tremendous knowledge from the space program. The Hubble Space Telescope would not have been possible without the Space Shuttle.

How the world has changed! Collaboration is the future.
When the program started, America was the undisputed leader in space exploration. It took bold steps to put a man on the moon. It took bold steps to bring the Space Shuttle, which is the size of 2 semi trucks end to end, into orbit. America was able to do this alone 30 years ago. Now, America depends on its one-time rival Russia to reach the Space Station.

International collaboration in space began with the International Space Station program. Many countries contributed to the construction of the ISS. Modules from different countries are interconnected and function as one.

I am sure that when it first started, America had doubts whether other countries could produce a space module up to its standard, and we had doubts whether the modules could connect. Yet, upon completion, there is a connected ISS and it is airtight!

Collaboration and the exchange of information are what made this possible. NASA and America decided that the cost of doing this alone was too high, and that cooperation and collaboration could achieve the mutual goal faster and at lower cost.

If NASA can do it, will large corporations learn from this? Especially in the cyber security world, can any of us react fast enough alone to counter the attacks?

I am starting to see companies reselling each other's products. That's a good sign, but is it good enough? Until we can mimic the ISS, where astronauts can pass freely from one module to the next, we are not functioning efficiently. Imagine if they had to put on a space suit each time they went from one module to the next. That's what reselling other companies' products is like. Until we can pass from one module to the next freely, we are still not utilising each other's strengths to their full potential.

With the end of the Space Shuttle, some people will retire and some will carry on to accomplish new goals. Either way, the future is collaboration!

The NASA commentator's remark on the Atlantis touchdown was "Its voyage at an end". But I would add that "it is the beginning of a new era".

Monday, April 4, 2011

Epsilon 3rd party email company got hacked.

Over the weekend, many people got notices from their banks and retailers informing them that their third-party email company had been hacked by outsiders. Texas-based Epsilon, the third-party company in this case, issued a brief statement warning that hackers had stolen customer email addresses and names from its database. Krebs on Security has an article on it.

Companies impacted include Chase, Kroger, L.L. Bean and Target, and the list is quite long. Visit the link above to see the full list.
 
So someone out there has your email address. What's the big deal? It's a big deal because it is probably the same address you use to sign on to your bank, log in to your frequent buyer program and so on.

It's amazing how widely email addresses are now used as identifiers. Even if I have multiple email addresses, how many can I remember anyway? So it is even more important to use a good, secure password.

There have got to be better ways to identify an individual. There are other methods: two-factor authentication - but SecurID announced they were hacked the previous week; biometric identification - but it is clumsy and not always accurate.

Have you heard of other ways? I'd like to know.

In the meantime, security experts warn us to be extra careful with regard to email spammers and scams in the coming weeks and months.


Monday, March 21, 2011

Follow-up on the RSA incident

NSS Labs has released its analysis of the incident.

NSS Labs is a well-known security research lab that tests and verifies claims made by security hardware and software vendors.

Sunday, March 20, 2011

RSA information stolen

RSA announced this past Thursday that certain information about its SecurID technology has been stolen. RSA is best known for providing the hardware token that many use for two-factor authentication. At this time, RSA has not announced what is impacted, but there are certain steps you can take if you are using RSA for your authentication. Network World published an article with 4 steps you can take now.

RSA has been a trusted source for years, and many have taken it for granted. This latest episode again reminds us that security needs more than trust in a single device or technology. If we use more than one lock on the door of our house, why do we think a single device can serve our security needs for system access?

Yes, there are other devices and technologies that perform functions similar to SecurID, such as phone-based systems. But no matter how good or robust the technology, someone might be able to compromise it by sheer luck and persistence.

Defense in depth is the way to go, and diligent monitoring of access logs also helps. Both are good security practice.

Friday, January 28, 2011

Firesale at the Cyber Criminal shopping mall.

This month's special:
    $2 each - a legitimate but unverified bank account or credit card number;
    with a guarantee of the available credit line or bank balance, add $70.
According to a just-released report from Panda Security, cyber criminals are facing competition just like the rest of us. So prices are dropping.


Panda Security 2011 January The-Cyber-Crime-Black-Market.pdf
In this report, Panda Security has done a great job explaining how this illegal underground business operates. There are the manufacturers - the ones who actually do the stealing; distributors - aggregators of illicit information; bankers - mules who handle the money laundering; and, of course, the source - the victims. The report even includes screenshots of a transaction.


In any economy, supply and demand hold true. If the price drops, either demand has dropped or the source is getting plentiful. I don't think anyone believes that demand has dropped, so the source (the victims) must be getting plentiful. In other words, if you are not a victim today, you soon will be!


With malware-generating toolkits like Zeus freely available, it would be foolhardy for us not to recognize the need for cyber security vigilance at the office and at home.

Wednesday, January 26, 2011

Can a Service Provider Take You Down? Part 2 - another first-hand experience

I just received my Visa bill and saw a line item for $1100 from a well-known Fortune 100 software company. I had bought from them before, but I just could not remember what it was for. So naturally, I called the number on the line item, right next to the company name and amount: xyzcompany 617-xxx-xxxx $1100.

The person answering was pleasant; she asked for my name and credit card info, which I provided.

Then she said, "Oh, I cannot access your account information and I have to transfer you". It was obvious she had no access to any account information, let alone mine. I said, "OK, but now that you have my credit card information, what are you going to do with it?" Silence - no reply. I then asked for her name and the name of the company she was employed by, knowing full well it could be an outsourced answering service. She reluctantly did give me her name, but she didn't provide the company.

My point in this whole encounter is that over the phone, we are used to the idea that these calls can be taken by third-party contractors. Phone calls can be transferred all over the world. And I have no idea who these third-party companies are or whether they are PCI certified!

At this time, I still don't know whether my credit card information is stored in a computer or is just a piece of paper lying in a wastebasket waiting for malicious harvesting.

Contractors whose work involves handling credit card information must be able to articulate security compliance policies just as if they were working within one's own company. These security procedures must be entrenched in these operators' minds regardless of whether they are internal employees or third-party contractors. They must be able to show their understanding of the policies to me - the customer.

I, as a customer, need to be assured that my credit card information is handled with care!


Sunday, January 9, 2011

How secure are your service providers?

To follow up on the previous post on how service providers can get a company into trouble, I just read Richard Bejtlich's blog article regarding plausible links between information leaks from suppliers' information systems and the development of China's new J-20 stealth fighter. While I am not saying that this is what happened, it certainly brings up a scenario we should be aware of.

Let's take a look at how this might happen...

In working with our large and small business partners, information has to be passed back and forth. With an advanced persistent threat (APT) implanted in these partners' information systems, it is possible to gather a company's intellectual property without ever breaching the security of the original company.

Internal emails or documents can be copied from these partners and deposited into big data systems like Hadoop. Hadoop is an open source Apache project and can be obtained by a simple web download. Companies like Google and Yahoo provided the initial research so that they could search efficiently across hundreds of millions of web pages.
 
With these technologies in hand, an attacker can gather relevant and irrelevant messages from a multitude of sources, large and small, into big data systems and sieve out the information they are interested in.

So from the attacker's viewpoint, it does not matter whether the stolen information comes from large or small partners. It is usually easier to attack smaller companies because they are not as dedicated to protecting their information. Getting the information from tens of sources rather than from only one gives the same ultimate result. Because an email has a sender and one or more receivers, when any one party gets compromised, that email is compromised.
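As an added illustration (not from the original post), a small Python model of the exposure argument above: a message held by several parties is compromised when any one of them is, so compromising a company's partners exposes its external mail without touching the company itself. It also ranks partners by how much of the home company's mail each one holds, which is the defender's question of which supplier to assure first. All organisation names and messages are constructed.

```python
"""Model of third-party mail exposure (constructed data, not from the post).

Every message is held by every party on it, so an attacker sitting inside
any one partner's mail system holds every message that partner sent or
received, whether or not the home company itself was ever breached.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str            # organisation (domain) of the sender
    recipients: tuple      # organisations of the recipients

    def parties(self):
        """Every organisation that holds a copy of this message."""
        return {self.sender, *self.recipients}


# Constructed sample mail flow for a fictional prime contractor and suppliers.
MESSAGES = [
    Message("m1", "prime.example", ("alloyco.example",)),
    Message("m2", "prime.example", ("alloyco.example", "castings.example")),
    Message("m3", "castings.example", ("prime.example",)),
    Message("m4", "prime.example", ("avionics.example",)),
    Message("m5", "avionics.example", ("prime.example", "castings.example")),
    Message("m6", "prime.example", ("prime.example",)),   # internal only
]


def exposed(messages, compromised):
    """IDs of messages that at least one compromised party holds a copy of."""
    return {m.msg_id for m in messages if m.parties() & set(compromised)}


def exposure_by_partner(messages, home):
    """Share of home's mail that each external partner's compromise would expose."""
    held = Counter()
    total = 0
    for m in messages:
        if home in m.parties():
            total += 1
            for partner in m.parties() - {home}:
                held[partner] += 1
    return {partner: n / total for partner, n in held.items()}


if __name__ == "__main__":
    print(sorted(exposed(MESSAGES, {"prime.example"})))
    print(sorted(exposed(MESSAGES, {"alloyco.example", "castings.example", "avionics.example"})))
    print(exposure_by_partner(MESSAGES, "prime.example"))
```

Compromising the three suppliers exposes five of the six messages, everything except the purely internal one, which is the point of the post: the attacker never has to touch the prime contractor.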

What can we do?

The credit card industry imposed PCI-DSS security compliance on any company dealing with credit card transactions. The medical industry imposed HIPAA security compliance on doctors and their service providers. It is high time that industries like engineering and manufacturing start issuing security guidelines to their tiered suppliers and make sure they are understood and adhered to.