Knocked into a cocked (Panama) hat

11 04 2016

Unless you’ve been living under a rock for the past week you can’t have failed to be aware of the ‘Panama Papers’. 2.6Tb of data, 11.5m documents, 30,000 lorries’ worth if you printed them out and so on and so forth.

Information relating to offshore companies, tax avoidance and (possibly) tax evasion, dodgy art deals, alleged money laundering activities, corrupt country leaders and multi millionaires.

So what has this to do with my reader base? Well unless you’ve been keeping something from me and you’re actually an international bad guy, up there with Scaramanga and Blofeld, not a lot on the face of it.

But, let’s just take a step back and look at this from a slightly different angle.

Here we have a law firm, Mossack Fonseca, who prided themselves on guaranteeing confidentiality, indeed on their web site under data security they say “Your information has never been safer than with Mossack Fonseca’s secure Client Portal”. The people they dealt with chose them because they didn’t want their activities to be under public scrutiny, they designed company structures to be obscure and obtuse, everything was geared towards secrecy.

And yet, based on reviews carried out by various security firms, they were running software that was not only out of date, but which had well publicised (and exploited) vulnerabilities. Their servers were not protected by firewalls, the secret data was unencrypted, and it appears their monitoring was so poor (or maybe non-existent) that they failed to notice the exfiltration of vast amounts of data over many months.

So, just to repeat, this company existed in a world where secrecy and confidentiality were everything. Where their customers made fundamental assumptions that their activities would remain hidden from public gaze, and that they could trust their lawyers to protect their interests at all times.

Despite all of that, this organisation appears to have disregarded pretty much every rule of information security.

So if a firm operating in that environment could be so bad at looking after their customers’ data, what about the thousands of other companies with an internet presence who are holding YOUR data? The small (and not so small) organisations you share your details with on a daily basis, the ones you order from online, send emails to with personal details included, upload files of photos, documents or whatever. How confident can you be that they are any better prepared than Mossack Fonseca?

And that’s why this story is relevant to my readers. Poor information security practices are endemic across all industries and all sizes of organisation. We put up with it because we are not big enough to make the difference on our own, and not rich enough to organise the campaigns necessary to force changes through.

Mossack Fonseca is the 4th biggest player in this field; you can bet the clients of numbers 1, 2 and 3 have been asking some very pointed questions over the past few days.

Maybe, just maybe, the exposure of the personal details of the richest, most powerful (and let’s be honest, most scary) people on the planet might be the trigger that pushes achieving real information security to the forefront of the thinking of governments and other influential bodies. Could this incident be the tipping point that’s always eluded us? Because as sure as eggs are eggs the hundreds of millions of personal records of ‘ordinary’ people that have been leaked over the past year were not seen as important enough.

Fingers crossed.

David

 





Have we lost the war? Or are we just fighting the wrong battles?

24 10 2014

It’s October, and so far this year the ‘bad guys’ have obtained well over 100 million customer records and a similar number of credit card details from a variety of organisations ranging from banks to hardware stores. Every day it seems another bad news story appears in The Register or even on the BBC informing us of yet another breach of security, software vulnerability, internet scam or infected cat video on YouTube.

Each news story prompts the rolling out of the same faces, making the same statements and wringing the same hands AND NOTHING CHANGES.

Whilst those who have been paying attention understand that we are no longer up against spotty faced kids in their bedrooms who switch between Doom (showing my age here) and hacking a web site for their entertainment, the wider community does not seem to have caught on.

Our adversaries are running multi million dollar, global enterprises with levels of organisational sophistication and technical expertise that many of their target companies could only dream of. They don’t have to worry about setting up committees and focus groups before deciding whether to raise a project to scope out the work necessary to request a budget to carry out a feasibility study into the value of implementing a new product. They just get on and do it, and in many cases do it extremely well.

That means that we’re always going to be behind the curve playing catch-up, and with the pace of technology change we’re dropping behind.

So what do I think we should be doing? Well, to use Tony Blair’s famous phrase from 2001, “Education, education, education”, but not just in schools and universities.

People write poor code that can be exploited, people click on links in emails and download viruses, people give away their security information to anyone who offers them a free app, people decide on what budgets should be spent on security improvements and only people can make the changes necessary to give us half a chance.

Until most people ‘get it’ then the few of us in the security world who already ‘get it’ are just lone voices in the wilderness, seen as a bunch of geeks wheeled out for soundbites that are forgotten as soon as the next celeb leaves Big Brother.

Sure, there are glimpses of change. Initiatives such as the UK Government’s Cyber Streetwise and Get Safe Online (incidentally, did you know that 20-26 October 2014 is Get Safe Online week? No, me neither) are baby steps in the right direction, as are moves by e-Skills UK to promote cyber security training, but none of them are really joined up, and very few make it into the public consciousness.

So how could we achieve effective education of those who really matter?

There is no magic bullet, no one panacea for all our ills, but one thing we do know about the western world is that if something has a celebrity angle, involves reality TV or appears in a soap opera, boy does it get discussed around the coffee machine. If people feel they are directly affected by something (even if they aren’t) then there is a clamour to ‘get something done’ about it. So if we can pique their interest about something that they are affected by then who knows what might happen.

Maybe, just maybe, if we were able to get the conversation going at the soap opera level, that would get the message to the masses. If the scripts were written in an interesting and accurate manner with real human interest about the victims, maybe that would provoke a reaction. If real solutions and suggestions were offered in a joined up way, maybe that would encourage people to find out more and create a demand for change, and change themselves.

We know that simple things like running an up to date operating system and browser, thinking before clicking, not sharing your personal information with the world at large will all help make you less of a target. The other 99% of the population don’t, and most of them don’t even know they don’t know. Until that changes no amount of firewalls, IDS, IPS, anti-malware or any other technical security will win the war for us. No burglar will waste their time picking the locks of the back door when the front door is wide open and the burglar alarm is turned off.

As a start we need to remind people why they have a lock on their front door, and that leaving the key on the doormat or not locking it at all is plain stupid. Once we get that message understood then we can start with the more sophisticated stuff.

That’s my two-penneth worth. Maybe you agree or maybe you think I’m being too simplistic, not clever enough or just dumb? Either way, I’d love to hear what you think so please leave me some comments and if you are a script writer on Coronation Street or Hollyoaks let me know and we can have a chat.

Keep safe

David





Of Passwords and PINS (3)

8 02 2013

In the final part of this series I’ll look at PINs and what you can do to make them easier to remember.

PIN numbers, generally 4 digits, and used to validate debit and credit cards, lock your iPhone, access buildings, secure safes and all manner of other things, have become one of those things we all have to remember. The 4 digit card PIN only offers 10,000 possible combinations, so it’s not really that secure, which is why so many systems operate the ‘3-strikes and you’re out’ control. But why only 4 digits? For the answer you have to ask John Shepherd-Barron, the inventor of the ATM. It seems that Mr Shepherd-Barron favoured using 6 digits, but his wife preferred 4!

In the same way as there are commonly used passwords (see the previous post for more details), there are some PINs which appear on an all too frequent basis. A recent analysis by Data Genetics revealed how unimaginative people are. Over 10% of the PIN codes analysed were 1234, and 6% were 1111. The least common PIN was 8068, but probably best not to use that now as the bad guys can also read the reports.

Maybe you need a different approach. In the same way as you can have a memorable password, why not have memorable PINs? No! Not your birthday, or your partner’s birthday, or your house number; too many people already know them. But why not use the letters A through J to reflect the numbers 1 to 0, and create a combination that is meaningful to you? First four words of a favourite tune, initials of four family members, first four letters of your home town.

Most organisations which require you to have a PIN allow you to change them, usually on-line or at the ATM, so that’s not much of a chore, BUT, don’t change them all to the same value. Like passwords, it makes sense to have a variety of PINs, and to be honest you’re unlikely to have as many PINs as you have passwords (unless you collect credit cards as a hobby).

The standard instruction (as with passwords) is not to write them down, but again, as with passwords, there are variations on a theme. Clearly no-one would write in their diary: Barclaycard 1234; Amex 3456; M&S 4567 would they (pause whilst some readers tear page out of diary), but it is possible to be more discreet and still record those which you use less often in the same way as you can record passwords.

The frequently used ones you will remember because you use them every day, especially if you have made them memorable in the first place.

Anyway, that’s enough on Passwords and PINs, next time I’m going to start on Social Engineering and how the bad guys WILL obtain those carefully protected pieces of information you have created.

Until then, keep safe and keep aware

David





Welcome

12 07 2012

Welcome to the first post on Information Security Made Easy, your window into the world of InfoSec and the simple steps you can take to help protect yourself from the bad guys.

This is not going to be a mega-technical geek haven; I want it to be accessible to those who know enough to get themselves into trouble, but not enough to get themselves out.

Silver surfers are more than welcome, as are the newbies who are just getting online.

To get you started, here’s a useful link:

http://www.getsafeonline.org/

I’ll be adding more info over the coming weeks, so please come back and see what I have to say.







