National E-security Awareness Week 2009

It seems last week was National E-security Awareness Week. Oops. Not a lot of publicity it seems, but still a worthwhile initiative from our government and a nice change to see Senator Conroy trying to do something useful instead of trying to censor the internet country-wide.

National 'change your password day' was June 5th, and the Senator was encouraging all Australians to get a "better, stronger password and most importantly updating it regularly."

"Don't just choose a password with your birthday or the name of your favourite football team. Get security software and update it regularly," he said.

Hopefully next year it will be better publicized. Maybe get Hallmark on board and we could celebrate with cards and gifts of candy RSA tokens!

3G, Public Transport and Information Security

This is a post I have been meaning to write for a while and it seems a worthy distraction from the Ethics essay I am currently supposed to be writing (read: Richard is procrastinating).

Something which I think is often underestimated is the risk to corporate data when it leaves the building, be it on backup tapes, on other removable media or, in a slightly different sense, on the screens of employees who catch up on work during their trip to and from the office. The ease of internet access afforded by technologies such as 3G means that people are increasingly using their daily commute to carry on business activities. The benefit of dedicated office space, even open plan, is that it affords a level of physical security for an organisation’s information; it is much harder for an outsider to read over someone’s shoulder in the office than on the train. This situation is not limited to public transport: cafes and fast food outlets with wireless access points are subject to the same weakness. It is amazing what information one can glean sitting next to someone naively tapping away at an email on their laptop. I have seen people reading marketing and sales reports (the most recent example was a survey following a product recall) as well as business email and other documents that their employer would probably regard as sensitive. If you watch carefully you will be able to observe addresses for SSL VPNs, Outlook Web Access and other webmail pages, usernames and internal software in use, even source code for internal applications and web pages, all useful to an attacker in one way or another.

Obtaining information in this way can be of use both to the opportunistic attacker, casually observing that company X is about to launch an advertising campaign to pre-empt some negative publicity or is using an outdated version of a particular piece of software, and to the attacker with a specific target in mind, tasked with obtaining information about a competing company. The approach each takes will be somewhat different, but the end result is the leakage of information from a company’s network that Data Loss Prevention systems are currently unable to protect against and which the target may never be aware of.

This lack of physical security facilitates compromises which require no technical hacking skills (after all, the target is doing the hard work of gaining access to the network for you, though granted, you are limited to what they are accessing at the time), are very difficult to detect and have the potential to be extremely damaging. This type of compromise is in fact a form of social engineering attack and, while a certain amount of subtlety is required, it is surprisingly little in most cases. As with any social engineering, the best form of defence is awareness and education. You are not going to stop people from working on the way home (it’s much more appealing than doing it when you get home), but if they are aware of the possibility perhaps they will think twice before opening that strategy email.

I’m sure that this kind of surveillance is nothing new but it is, perhaps, something which is underestimated when considering the protection of sensitive information.

PIN Numbers

Recently I bought a new phone. I stayed on the same carrier, so it was just an upgrade of my call plan and a new piece of hardware. As part of the identity verification process in the phone store, I was asked my name, the phone number and the PIN number I had provided the company with when I first signed up for my previous phone. This PIN number was also used in the past to verify my identity over the phone when I had a mobile phone stolen and needed it call-blocked. It is essentially a shared secret to identify me as me.

It's little different from the password I get asked for at the local video store when I rent a DVD, although they also require I provide them with my membership card (multifactor authentication!).

Back to the phone. I dutifully provided the PIN number and began the process of filling out forms and signing my life away on a new phone contract. While filling in details I noticed at the top of the form there was a box (filled in by the sales clerk) for my PIN. He had dutifully written my PIN in the box as part of the application.

I asked him if this was the norm, if this 'secret' number was commonly written in large friendly digits on the application forms, and he replied in the affirmative.

I did ask his opinion on writing this 'secret' number on a form that is kept in triplicate (one copy to me, one for the store and one sent off to a central office) but he didn't seem interested in discussing the ins and outs of how they secure their data or prevent impersonation.

I guess in the end I got my phone and have to hope one of the three copies of the form with my name, address, date of birth and PIN number doesn't fall into the wrong hands and someone decides to cancel my account or report my phone as stolen. Although thinking about it, I imagine with a name, address and date of birth alone you could use some social engineering to effectively DoS someone's phone. Hmmmm. When is Richard's birthday?
