More on the Tech-Management awareness gap…

I was reading an article from Dan Dieterle on InfoSecIsland last night about wardriving that had some great (and recent) stats in it, collected first-hand by the author rather than cited from somewhere else. I like those. Anyway, I do both executive (in person) training and teach via CBT for our enterprise customers’ non-tech employees on Cyber safety and security, and I can say with absolute certainty that one snippet of this article highlights the huge blind spot in this discussion. Dan says:

“I was actually shocked at the high percentage of unsecure Wi-Fi systems. With the dangers of Wi-Fi so well-known, it just doesn’t make sense.”

Sure, it’s well known among us – that is, the kind of people who read articles on InfoSecIsland.com. It’s NOT well known among all the people who use and set up WiFi networks, which now include my mom, my grandmother and my 12-year-old niece, or people who are (we nerds need to keep this in mind) perfectly competent professionals who just aren’t in our field.

As inconceivable as it is to us digerati, Dan’s topic is as foreign to most people as the inner workings of a Honda’s engine are to most Honda owners. I actually used a wardriving map in a presentation I gave at CeBIT (where people generally are among the more digitally savvy).

Courtesy of https://i2.wp.com/www.home-network-help.com/images/wardriving-map.jpg

The looks of bewilderment that such a sport even exists far outweighed the nodding heads familiar with the stats I showed (which roughly mirror those in Dan’s article).

I’ve found again and again that this gulf has serious implications for enterprise and information security. Employees think that Cyber security and InfoSec are something that resides with the geeks in the basement.

The problem is that, as systems become more and more hardened, the ever-increasing trend is toward the path of least resistance, the employees themselves. I’m not a hardcore programmer, and I know relatively little about hacking systems. I know a lot about hacking people. It is this gulf between what the tech-savvy opponent or social engineering expert knows and the networked employee doesn’t that opens major enterprises to all kinds of threats they’ve never thought of. A couple of my favorite examples:

http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/

http://www.nowpublic.com/world/fake-facebook-profile-scotiabank-ceo-sparks-investigation

Is hijacking unused social media space, or researching an executive online, really that hard? Not at all. And as McAfee discussed in the aftermath of the Aurora attack on Google and others, traditional IT security offers no aid against social engineering attacks. The real “vulnerability” here is not one of code but one of awareness.

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)

No honor (or pricing power) among thieves…

A member of one of my LinkedIn groups posted a story about Chinese hackers offering “Change your grade for a price” services.

What I find interesting (what can I say, I was a numbers nerd before I was a tech nerd) is how economical this at least appears to be, thanks to global wage differences and geo-arbitrage. It took me less than three minutes to find half a dozen online offers like this one:

http://cheatingnetwork.net/forums/services/28565-grade-hacking-service.html

A base price starting around fifty bucks and you don’t pay until they succeed? Friedman was right, the world IS flat, and it seems there is neither honor, nor pricing power, among thieves.

If I were the CISO of a major university, I might well spend a few thousand dollars hiring a series of these guys.  Cheaper than pen testing from a high end vendor and the vulnerabilities (or lack thereof) would be proven, not hypothetical.


Bogus Amazon Malicious eMail campaign resurfaces

Just a quick note, this is NNNH (no new news here) – the malicious Amazon “order shipped” campaign has been around for quite a while, but it’s surfacing again in volume this week, and with “beach reading” orders for vacation probably peaking about now this seemed a good thing to pass along.

Also, since I now have a blog that’s probably the only security related thing my Mom ever reads, I’m re-posting the heads-up here in case it keeps someone I care about from getting suckered. Mom, if you get email from Amazon about an order you don’t remember making, don’t click on anything. 🙂

That’s all.  Have a good weekend everybody.

Internet “Street Crime”

Last month at CeBIT in Sydney I was speaking about the Cybercrime implications of ubiquitous broadband and increased general ‘Net use. While a lot of both my work and my reading has to do with big, global, far-reaching Cyber crime and Cyber attack issues, one of the things I pointed out was that increased uptake of ‘Net use, especially public and wireless, would bring an inevitable increase in what I call “Cyber Street Crime”, i.e. locally committed crimes where attacker and victim are brought together by physical proximity, as opposed to the hacker or organized crime actor who might be continents away from their victim or target.

Sitting in a Cybercafe with a packet sniffer eavesdropping on unsecured wireless data, or perhaps working in that cafe and installing keyloggers on the machines are the kinds of ultra-simple but lucrative and hard to track “street crimes” that I think will be particularly high-growth in emerging and increasing-penetration markets for broadband and wireless.

An article today from the Times of India bears out this hypothesis, and is the first place I’ve happened to read since giving the speech that puts numbers to just the predicted (and predictable) phenomenon I’m talking about.

Cyber crime in the city shows upward trend

PUNE, INDIA: Increased internet transactions have led to a rise in cyber crime in the city. Till June this year, 240 cases have been registered with the cyber cell of the police as against 281 cases registered during the whole of 2009. These facts were presented by deputy commissioner of police (DCP) Rajendra Dahale at the launch of a cyber awareness programme on Wednesday. Dahale added that in 2006 there were just 79 complaints lodged at the cyber cell….

What I thought was interesting was that the city of Pune (3.5 million) has a dedicated “Cyber Cell” and they are tracking statistics on these kinds of Internet crimes as far back as 2006.  Many municipalities, some of them in supposedly more “developed” nations lag far behind Pune in their thinking and awareness from a law enforcement, governance and/or policy standpoint. The cops may not have the technical skills to investigate or track these crimes, the businesses and users may not be aware of the risks and dangers that go along with the wondrous benefits of easy Internet and wireless access, and in some cases we see that at a policy and legislative level some crimes aren’t even defined as crimes unless they have a “traditionally illegal” offline analog.

It’s important for governments, especially those like Australia’s, which are aggressively pushing broadband penetration (with the non-mandated but inevitable explosion in hardware upgrades and public wireless that inevitably follow) to note that there is a dark lining in the economic silver cloud.  By no means should this be a deterrent from proceeding, but from policy, governance and legislation to the law enforcement block-and-tackle of proper investigative procedures, there’s a lot of groundwork that is better laid early and proactively than reactively after the problems arise.

From Cyber street crime to crime in virtual worlds (look for a future post on ‘gold farming’ and coercion), there are a host of legal, policy and political issues that digital native populations and their leaders have to wrestle with and many of them aren’t tackling those concerns.  Kudos to Pune – I’ve seen jurisdictions and talked to both police and politicians in both America and Australia who are less attuned, less equipped and less resourced than this Indian city.


Reports of Senator Leahy’s Death Exaggerated…

WTOP news is reporting that a fraudulent email reporting the death of Senator Patrick Leahy did in fact originate from the Senator’s office but was not sent by the person from whose account the email was received by WTOP, PBS and others.  I’m looking forward to seeing the eventual diagnosis.  Straw poll – do you think it will prove to be:

a) Insider Mischief (someone in the office did it)?

b) On-site Mischief (someone else physically got on the staffer’s computer)?

c) Remote email access with stolen credentials?

d) Infected/pwned PC?

e) Other

I’m gonna say D, but I have a built-in bias – I stare at malware data all day. I’m a little surprised the statement from the Senator’s office wasn’t an attachment (at least according to the WTOP report). I would have assumed it was a malicious attachment meant to infect the news organizations.

At least I have a fun new slide for the next time I’m teaching my training course…


Staying Safe on Public Wifi

When I was prepping my slides to speak at CeBIT in Sydney last month, one of my visuals was a picture of a guy in a Starbucks, overlaid with the title of a YouTube video, “Fun with Ettercap” (a free packet sniffer). The storyline was about how easy it is to sit in on a public wifi and intercept all kinds of fun and interesting stuff.

As Starbucks rolls out free Wifi for all, I was thinking about how to summarize (in less than an hour) the things to do for using public Wifi safely, especially if you know you’re going to be transmitting something sensitive.  Not surprisingly, the nerds at LifeHacker beat me to it.  Great post if you want to take the time to go through the details. My work is done here!

Have a great Fourth of July everybody.


Just how wide is the digital-native divide?

I’ve used this story so many times in the courses I teach, and so many people have asked for a reference to it, that I reproduce the details here – you simply can’t make this stuff up.

In training senior corporate executives, I try to convey the depth to which social networking, texting, ubiquitous connectivity and technology are interwoven into the lives, work, thinking and attitudes of the digital native generation, i.e. the ones who have grown up with the information revolution since birth, who have never known a world without the Internet, or texting, or mobile phones/email/browsing, etc.

Here’s an example of how different (for better or worse) the workings of the digital native brain really are. Two girls in Australia, aged ten and twelve – under the official age limit for Facebook, BTW – got stuck in a storm drain. How did they reach out to the world for help? They took out a smartphone and updated their Facebook status, saying they were lost in a drain on Honeypot Road, then waited for one of their friends to call the rescue brigade.

Let me just make sure you caught that – they took out a PHONE, and used it to update Facebook.  They were holding a phone, but never thought to dial 000 (Australian 911).

When I say “they see the world differently than we do”, I’m not talking the usual generation gap between tweens or teens and their parents.  I mean they see the entire world through the lens of technology.  For those of us over 40, technology is a distinct subject, a topic, a tool, a discipline.  For many under 20, it’s like running water or electricity. There is simply no conception of technology as distinct from daily existence, nor a comprehension of living, working, playing or socializing without it.

When I’m training corporate executives, this is how wide the gulf is that I am trying to cross, to educate them on the physical and information security implications of their employees, their spouses and their children Facebooking, Tweeting, Plurking, Foursquare-ing and Flickr-ing through their days.

Soldiers uploading cell-phone photos of themselves standing on a tank, not realizing the photo is geotagged and they just placed their unit down to the LAT/LONG on some enemy map? Seen it.

CEOs who have been threatened by activists, disgruntled ex-employees or the simply deranged whose future whereabouts are disclosed to the minute by a child tweeting from the family vacation? Happens all the time.

Are these technologies all bad?  Of course not.  But do business people, family members, USG personnel etc. need to understand the implications of their online activities and footprint?  I guess my feeling on that question is obvious…