Hey Security Guy! People are not ignorant, lazy, evil or stupid.

While researching security awareness programmes recently I came across this paper in the SANS Institute Infosec Reading Room. The author Chris Garrett shares his ideas about improving security decision making and how this is fundamental to the creation of security aware corporate cultures.

Garrett references many academic papers from various fields including business, economics, psychology and of course information technology. The paper is well worth reading all the way through but for me, the epiphany came only about a third of the way into it. To quote directly from the text:

As the research indicates, the vast majority of security breaches originate from human actions. There are a number of potential reasons for this:

• People are poorly trained and have poor security awareness
• People are not motivated to perform at the required level
• People are malicious and deliberately expose the organization to risk
• People are aware of the problem of security but as managers and employees make poor decisions

Try to ignore the fact that Garrett gives no actual evidence to back this assertion up (because we know this is how security people think anyway) and step back to think about what is actually being said.

I read it as this: Most security breaches occur because people are ignorant, lazy, evil or stupid.

Now it may be okay for programmers and service desk operators to have a view that users are the only thing that gets in the way of a perfect IT operation, but security professionals are paddling up the wrong creek if they think this way.

Setting aside the lack of academic rigor (which died with web 1.0) Garrett has presented one of the big problems facing information security professionals. People are not dumb, or lazy, or even naturally defiant. It’s us who make security too hard. We write overblown policies full of technical jargon which tell people not to do things they never thought of anyway, we confront them with confusing technical controls that require superhuman memory skills or saintlike patience, and we poo poo any attempts to ‘get the job done’ any other way than our own outdated, poorly researched, non user-tested policies allow. And then we accuse them of sabotage when they say ’stuff this’ and find a better, more efficient way which actually works.

To be fair Garrett goes on to make a very good case for training people to be better decision makers, but all the while I was finishing the paper I had this feeling like poor old user x was staggering around still recovering from the sucker punch back on page 4. And maybe this is how our users feel, like they’ve been ambushed by the security guys.

For anyone out there who runs an awareness programme for their organisation, from now on try to avoid patronizing staff or treating them like naughty children. They are not ignorant, lazy, stupid, malicious or even misguided regardless of what ‘conventional’ information security wisdom says. For surely if it were true, we would have found a reliable way to mitigate those threats by now?

Lazy identity thieves have just got an early Christmas present – Google Dashboard

Google have launched ‘Dashboard‘ to address privacy concerns.  It lets you see the data Google holds on you. The idea is you can then manage your data and more importantly that which Google holds.

I’m not a huge user of Google services other than the web search, and I try not to be logged in when using that.  But I do use Gmail for one off registrations and so on, and I have tried out a number of their services out of curiosity.

So it was interesting to log in and visit my dashboard.  I saw:

• long forgotten docs,
• emails (including spam),
• a couple of calendar appointments from three years ago,
• old web searches (I used to work for an agency that dealt with people worried about kids viewing porn so there some interesting ‘research’ searches there)
• chat histories
• tasks
• gadgets I created
• contacts and more

It was quite an education but once the dust settled not particularly surprising and probably not that useful to a malicious user.

But it did strike me that if I were a more dedicated member of the Google fan club then Dashboard would hold a hell of a lot of quite sensitive information, made more so by the fact that it is displayed on one a single web page.

Building a full identity on someone might be quite a laborious task, but it’s just been made a damn sight easier, so long as you have a person’s Google account credentials.  And as we know these are two-a-penny if you know where to look.

Lazy identity thieves have just got an early Christmas present.

Overall I think it’s a good move by Google and a great way to educate users on just how much of their information is out there.  But if there has ever been a good reason to immediately change your Google password to a really strong one, often, then this is it.

Google Dashboard - you is here

Teen Shows up Government Spam Filter for Blunt Instrument

So the Social Development Ministry is blocking any emails with the word ‘teen’ from getting through.

From the point of view of a mail administrator it might seem reasonable to block the word ‘teen’. After all it is commonly associated with pornography.  In fact I bet the views for this post will be the highest I’ve seen for a while simply because it contains the words ‘teen’ and ‘pornography’ together on the same page.

Of course blocking the word teen from the in-boxes of a government organisation which oversees the welfare of young people is ridiculous and shows that little or no risk assessment was applied.  Yes the odd bit of spam might get through if the word is whitelisted, but surely even government employees are capable of exercising a little judgment and deleting any offending emails.  Isn’t that better than potentially serious email being blocked?

Imagine if banks started blocking ‘mortgage’ or ‘withdrawal’.  Or health care providers blocked ‘pill’ or ‘medication’.

This is a clear cut case of applying the wrong controls, technology rather than people.

Wall of Sheep Only Proves Acceptance of Risk

Participants at the SecTor security conference had their traffic sniffed in a kind of ‘Wall of Sheep’ stunt according to this article in the Register.

So the organisers have shown up some attendees to be security noobs or worse still completely ignorant, or have they?

Apparently users of the conference wireless network were informed that the network was being sniffed, but only by announcements between talks, which is probably when people were chatting or had their snouts in the buffet.

There was no notification given upon connection, and users were required to get a shared key from one of the conference booths so they could log on to the WPA protected network. Finally, the SSID was ‘Sector2009Secured’.  Of course it may as well have been ‘ThisIsCompletelySafe’ because it makes no difference what the network is called.

So all the indications were that the network was not being monitored/sniffed/hacked/exploited or whatever else perpetrators of such stunts may call it.

Now sure, security bods should know better than to completely trust a wireless network (even though this particular network was sniffed once the traffic was on the wire and not in the airwaves).  And some are quite rightly pissed off now that they know what the conference organisers were up to. But to expose those who still used the network as ’sheep’ is a bit premature.

Remarkably, one of those to have his credentials exposed was actually the conference organiser Brian Bourne of Black Arts Illuminated. His Twitter credentials were sniffed and here is the point.  Participating in Web 2.0 comes with some inherent risks. Your personal info, your opinions, your very thoughts can all be exposed and your reputation put on the line. Most tech savvy people are aware of this, but they accept the risks because they are outweighed by the benefits.

So sure, the bods at the conference should have known the wireless network came with no guarantees of security, but maybe they did, and they used it anyway. Yes, those whose credit card details were sniffed should have known better, but those whose Tweets or email addresses got out were just getting on with it.  They were ‘fooled’ by the confidence tricksters who were running the network.  All this dirty little exercise proves is that even amongst security professionals the simplest attack vector is still through the user rather than the technology.

VeriSign Phishing Awareness Site Starts Well then Misses Point

A tweet from @Allen L. Kelly pointed me to a nice bit of phishing education from VeriSign.  www.phish-no-phish.com runs you through a challenging quiz where you are presented with two ‘identical’ screenshots and have to identify which is the phishing site.

Some of the sites were very difficult to differentiate and I even got one wrong because I was perhaps in too much of a hurry and didn’t spot a couple of minor spelling mistakes.  This though would reflect real life for most people so was an excellent way of demonstrating just how careful you need to be.

I got about half way through and was considering posting a link to the site on the corporate intranet as an awareness exercise for staff.

Then I was hit by the sales pitch.

After the fifth question a screen appeared explaining how Extended Validation (EV) SSL, triggers modern web browsers to display a green address bar when a genuine site is viewed.  Fair enough I thought. Users should be taught about this technology as it can help them identify genuine sites.

I was invited to continue the quiz to “see how easy it is to choose the correct site. Just choose the site that displays the green address bar.“

And yes it was easy after that. No more needing to look for dodgy addresses, missing padlocks or poor spelling and grammar.  As the tips pointed out:

The green address bar is a surefire way to identify the genuine Web site.

When you see the green address bar, there’s no need to scan for typo’s and misspellings.

Criminals can’t fake the green address bar.

Cool! No more need to take care, just watch for the green address bar and any site that doesn’t display it must be fake! And I know I can trust any site with a green address bar because criminals can’t fake it – yet.

You’ll have to indulge me here for while I believe technical solutions can help, I don’t believe they solve the problem.  As Mr Schneier says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

It’s a shame the VeriSign site lets itself down on this point. I know they’re trying to sell a technology solution but there should be a stronger emphasis on EV SSL being only part of an overall solution.  After all it’s not going to help users who are taken to a fake site from an email link – unless of course they’ve bought into the technology so completely that they only trust sites with green address bars. This is after all how the final five questions in the quiz run. You just click on the sites with green address bars.

But then you’d be missing out on all the fun on Facebook, Twitter, Gmail (Thawte i.e. Blue) etc.

Air New Zealand email: When it works it leaks

Shouldn’t Rob Fyfe be just as concerned that when his email finally works again it leaks like a sieve?

Yes ok it’s inexcusable that IBM left our national carrier without IT services for two hours or so.  And I’m sure that somewhere along the line human fallibility is at fault.  But if I worked in IT or HR at AirNZ I’d be trying to track down how the email got out.

Or maybe it was IBM that leaked that too? Disgruntled employee perhaps? You’d have to be either brave or stupid to be taking risks like that in this economic climate.

Are Bad Passwords Really Less Secure?

So the most common password in the now infamous 10,000 was 123456 followed closely by 123456789 (Kudos to Acunetix for the statistical analysis.)

The analyst, Bogdin Calin says in his post that:

a big majority of users still use very poor passwords

and a number of reporters have echoed this assertion, take Computerworld for example:

1234567 may not be a very secure password, but it’s popular on Hotmail

But hold on. Hotmail, Gmail etc have said that the breach was due to phishing, not hacking and so far I haven’t seen anyone saying anything to the contrary.

So really all we know is that people who are likely to fall for a phishing attack are also likely to have weak passwords. But even then there will be exceptions, like the person whose password was lafaroleratropezoooooooooooooo.

Hardly headline stuff.

Stop the Presses

Looks like there is a debate going on. Perhaps it was keylogging that got the passwords.  This seems more credible.

Using a command line to escape Firefox hijacking

Yesterday clicking on a Google search result landed me on a compromised website.  I’m usually fairly careful about following links from search results but this one looked okay. There were no meaningless phrases in the Google summary and the domain looked reasonable enough.

It became fairly obvious however that I had been duped when the site I went to quickly changed to one of those fake malware scanner websites. The browser page changed to look like a folder window displaying my various drives (which of course weren’t mine at all) and a message box appeared saying my computer was ’stongly’ [sic] infected.

Oh no! I've been STONGLY infected!!!

Not wanting to click anywhere on the box I decided to ctrl-alt-delete my way out of the predicament. This worked fine except that when I restarted Firefox the page appeared again straight away.  At first I thought Firefox had been hijacked.  Then I realised it was actually a feature.

Firefox helpfully restores browser windows to what you were looking at when there is a crash, which under normal circumstances (I consider crashes normal) is fine.  However this time the message box blocked access to Firefox so there was no way to get into it and tell it not to restore the page on startup. Alt-F4 and Ctrl-w were also blocked.

The solution was fairly simple and came to me quickly (which isn’t always the case. The other day I fiddled around trying to get internet access through my Linux box for 30 minutes before simply restarting the router).  I started firefox from a command line and used the <url> option to tell it to go straight to Google.

For anyone not familiar with command lines here was the process:

1. Make sure Firefox is closed
2. Click Start then Run and enter the letters cmd in the little window. This will start a shell (the black window with white text that looks like computers used to look like)
3. Navigate to the Mozilla Firefox folder by typing cd program files\mozilla firefox\ (this should work on most Windows computers unless you’ve got Firefox installed somewhere else)
4. Type firefox.exe “www.google.com” (you can substitute Google for any website you wish)
5. Firefox should open at the site you chose.

Now I know there will be other ways to do this but I’ve posted this more in the hope that it might help some frustrated soul who switched to Firefox because it was supposed to be safer…

Of course if they do find this then they are either on a different computer or using a different browser – which might become their new browser of choice – because people are fickle like that.

Note to Firefox developers – perhaps Firefox should ask if the user wants a session restored following a crash, by default upon restarting.

419 Scammers Get Lazy

Today I received yet another 419 scam in my inbox.  To be fair I don’t get very much spam at all considering I’ve had my Hotmail account for well over a decade and in the early days wasn’t too worried about using ‘one time’ email accounts to sign up for web services.  I like to think that maybe it’s just really well tuned now – but could be wrong.

Anyway this one was a truly pathetic attempt. Take a look at the screenshot. Come on Miss Pamela am I not even worth the effort?

Perhaps though this is a reflection of web users getting stupider? Maybe the scammers don’t have to try so hard anymore.  Or maybe they’ve got so many spam bots under their control they can be this lazy and still get results.

Something smells fishy at the Wing lung bank and it’s not the staff canteen.

To be fair of course the Wing Lung Bank have nothing to do with this and in fact have a very good security education resource on their site (if you can get over the porn music in the background…) Check it out below:

http://www.winglungbank.com/download/hkma_game/XxCoElbHkmaGame.html

Twit DDOS’s Cyxymu

So the Twitter outage that had tens of New Yorkers wandering the internet for cupcakes was all about a DDOS attack on a Georgian blogger (tweeter).

DOS attacks are among the least sophisticated and easiest to perform hacks. Anyone can rent a botnet and order it to target a website.  This perhaps shows that the attack was not the doing of some Russian mastermind high up in the Politburo.

What is more ironic however is that Cyxymu will now go down in the annals of internet history instead of remaining an obscure tweet stream from the eastern bloc.

I for one had never heard of Cyxymu but now I’ll be going to have a look.

So if anyone really cares about finding the culprits, I’d start looking for some pubescent tractor driving marxist rather than Medvedev and his cronies.

And I’d start looking in a gulag.