Archive for the ‘Uncategorized’ Category

Santa Gets Hacked!

December 31, 2011

Potential Information Security Threats (Funny video)

Life Logging Risk Assessment

November 21, 2011

ENISA’s Report

The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompanies using them. Loss of control over this data might expose individuals to financial fraud, and unauthorised access might result in reputational harm, discrimination and exclusion. This risk is compounded by the nature of life-logging: apart from the privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals.

Dependency on the availability of certain devices or services also increases the risks for individuals, as the mobile devices, sensors or services become more attractive targets for attackers. In this respect, the link between tangible and intangible assets is particularly important, as we can also see in Future Internet scenarios; a related risk is the loss of autonomy.

Finally, we should consider risks such as psychological damage related to discrimination, exclusion, harassment, cyberstalking, child grooming, the feeling of being continuously under surveillance (paranoid behaviour), pressures related to work performance, peering into other people's lives, etc.

Cyber Security Strategy

July 16, 2011

Stefanie Hoffman / CRN

The 19-page document, called the “Department of Defense Strategy for Operating in Cyberspace,” establishes cyberspace as a domain protected by the U.S. military in the same way it defends land, sea and air.

In general, the strategy calls for new ways to bolster defenses of critical cyber infrastructure, such as the computer networks of the U.S. military and defense contractors, while developing new weapons and methods to retaliate against U.S. adversaries launching cyber attacks.

Board oversight of risk

May 31, 2011

Marks on Governance

A recent KPMG study showed that risk management practices still have a very long way to go. In particular, board members continue to be concerned that they have insufficient information with which to manage risk.

Until mobile platforms get mature

January 29, 2011

After iPhone Tracker, it's Android that has been in the news for similar reasons: recording credit card or financial account numbers (or any numbers, in general). It has nothing to do with the iPhone or the Android OS alone; it's the overall mobile platform that needs to mature before it can securely process financial transactions or store confidential data.

While it's evolving, there are several things we can do to take advantage of mobile commerce and other opportunities created by mobile technologies, including writing secure code. Even though there has been a great deal of focus in the past year or so on incorporating security into the SDLC process, only a small percentage of companies have implemented it as a formal program.

A general SDLC includes five phases: initiation, acquisition / development, implementation / assessment, operations / maintenance, and sunset (disposition). Each of the five phases includes a minimum set of security tasks needed to effectively incorporate security in the system development process. Including security early in the information SDLC will usually result in less expensive and more effective security than adding it to an operational system.

Critical Log Review Checklist

March 8, 2010

If you are standardizing your Log Management program, it's worth checking out the security log review checklist created by Anton and Lenny.

The random channel hopping algorithm cracked

December 30, 2009

The algorithm that prevents the interception of radio signals between cell phones and operators' base stations was cracked by a cryptographer:

The channel-hopping crack comes as the collective is completing the compilation of a rainbow table that allows them to decrypt calls as they happen. The table works because GSM encryption uses A5/1, a decades-old algorithm with known weaknesses. The table – a 2-terabyte list of known results that allows cryptographers to deduce the unique key that encrypts a given conversation – was developed by volunteers around the globe using giant clusters of computers and gaming consoles.

Point-of-sale (POS) terminals – Treasure for RAM scrapers

December 13, 2009

RAM scrapers are scouring the RAM of point-of-sale (POS) terminals, where PINs and other credit card data are stored in the clear.

Verizon employees recently found the malware on the POS server of an unnamed resort and casino that had an unusually high number of customers who had suffered credit card fraud. The malware was sophisticated enough to log only payment card data rather than dumping the entire contents of memory. That was crucial to ensuring the malware didn’t create server slowdowns that would tip off administrators.

The RAM scraper dumped the data onto the server’s hard drive. The perpetrators visited at regular intervals through a backdoor on the machine to collect the booty.

It's not a new attack, but it is rapidly climbing the hackers' charts.

Pushing the limits of Privacy!

December 12, 2009

Blippy is pushing the limits of privacy by proposing that social netizens publish their credit card purchases to public networks.

Imagine being able to see everything your friends buy with a credit card as they do it. This not only tells you what kind of things they’re actually into (rather than someone just saying they like something), but also other information like how cheap they are, as well as where they actually are at a given time. There is actually a lot of data tied into the transactions we make, and Blippy takes that and makes it social.

I hope the folks in the security world concur that this will result in more identity theft cases than ever before.

Northrop Grumman to join universities to address Internet security issues

December 2, 2009

After the NSA's marriage with Microsoft, with a commitment to enhance Windows 7 security without constraining users in their everyday tasks, Northrop Grumman Corp is partnering with CERIAS, CMU and MIT to advance research and address the nation's most pressing cyber threats.

Northrop is a major provider of cybersecurity support for U.S. defense and intelligence, and to civil governments in the U.S. and elsewhere. Brammer said the collaboration will speed up research with ideas that can be incorporated in contracts coming up soon as well as explore pro-active ways to protect information in the public and private sectors.

Swarm Intelligence: deploying new defense modeled after ants

September 25, 2009

Worms kill but ants save! Researchers at WFU are deploying a new defense modeled after one of nature's hardiest creatures, the ant. Why the ant? Per the researchers:

Our idea is to deploy 3,000 different types of digital ants, each looking for evidence of a threat. As they move about the network, they leave digital trails modeled after the scent trails ants in nature use to guide other ants. Each time a digital ant identifies some evidence, it is programmed to leave behind a stronger scent. Stronger scent trails attract more ants, producing the swarm that marks a potential computer infection.

Good direction, but I'm not sure 3,000 ants will be sufficient to crawl 1 trillion URLs on the web in the near future.
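To make the quoted mechanism concrete, here is an added toy simulation (not the WFU researchers' code, and not from the original post) of the idea: ants wander a ring of hosts, leave a weak scent wherever they go, leave a much stronger scent where their detector finds evidence, and prefer to stay at or move toward stronger scent, so a swarm builds up at the suspicious host. The ring network, the placeholder `inspect` detector, the infected host id and all scent parameters are constructed for the example.

```python
import random


class AntSwarm:
    """Toy stigmergy model of the 'digital ants' idea (constructed example).

    Hosts form a ring; every ant leaves scent where it stands and moves
    toward stronger scent. Scent evaporates unless it is reinforced."""

    def __init__(self, n_hosts, infected, n_ants=30, seed=1):
        self.rng = random.Random(seed)      # fixed seed: repeatable run
        self.n = n_hosts
        self.infected = set(infected)       # hosts where evidence exists
        self.scent = [1.0] * n_hosts        # trail strength per host
        self.ants = [self.rng.randrange(n_hosts) for _ in range(n_ants)]

    def inspect(self, host):
        # Stand-in for one ant's detector (a real ant would check for one
        # specific artefact); here evidence is simply "host is infected".
        return host in self.infected

    def step(self, evaporation=0.9, weak=0.1, strong=3.0):
        for i, host in enumerate(self.ants):
            # Evidence found: leave a much stronger scent than a plain visit.
            self.scent[host] += strong if self.inspect(host) else weak
            # Stay, or move to a neighbour, weighted by the scent at each.
            options = [host, (host - 1) % self.n, (host + 1) % self.n]
            weights = [self.scent[h] for h in options]
            self.ants[i] = self.rng.choices(options, weights=weights)[0]
        # Unreinforced trails fade, so an old false positive loses its pull.
        self.scent = [s * evaporation for s in self.scent]

    def run(self, steps=300):
        for _ in range(steps):
            self.step()
        return self.scent

    def ants_on(self, host):
        """Size of the swarm currently sitting on a host."""
        return sum(1 for a in self.ants if a == host)


def strongest_trail(scent):
    """Host with the strongest trail: the swarm's mark of a probable infection."""
    return max(range(len(scent)), key=lambda h: scent[h])


if __name__ == "__main__":
    swarm = AntSwarm(n_hosts=20, infected=[7])
    scent = swarm.run()
    print("flagged host:", strongest_trail(scent), "ants there:", swarm.ants_on(7))
```

The evaporation term is what keeps the scheme honest: a host that was visited often but never yielded evidence loses its trail within a few dozen steps, while a host where evidence keeps being found is reinforced every step and draws the swarm the quote describes.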

Using AI for monitoring “abnormal behavior”

September 22, 2009

This is not the first time artificial intelligence has been used for monitoring or processing public information. In the past, researchers have suggested a design for a smart computer that they believe will be able to detect insider trading fraud within the stock exchange almost instantly. Now the EU has funded a five-year research program, called Project Indect, which aims to develop computer programs that act as “agents” to monitor and process information.

According to the official website for Project Indect, which began this year, its main objectives include “to develop a platform for the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence”.

It talks of the “construction of agents assigned to continuous and automatic monitoring of public resources such as: web sites, discussion forums, usenet groups, file servers, p2p [peer-to-peer] networks as well as individual computer systems, building an internet-based intelligence gathering system, both active and passive”.

Chat-in-the-Middle attack

September 17, 2009

Phishers never stop innovating – after Vishing (voice phishing) and Smishing (SMS phishing), phishers are strengthening their phish by showing a bogus live chat support window to obtain more credentials via a live chat session initiated by fraudsters.

During the live chat session, the fraudster behind the attack presents himself as a representative of the bank’s fraud department and attempts to dupe customers who are online into divulging sensitive information – such as answers to secret questions that are used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution.

Credit info unlock using info on driver’s license

September 13, 2009

According to a recent Consumer Reports study, car dealers have the technological ability to unlock test drivers' credit reports using only the information on their driver's license. The report states that under the FCRA they must get the driver's permission, but the wording is a little ambiguous:

Under the federal Fair Credit Reporting Act, a car dealer must always get your permission to look at your credit report. He or she can get that permission in writing—when you sign a release or a loan application—or by implication, without your signature, if there is a “legitimate business need.” 

It further states that test drives do not constitute a legitimate business need; only when a consumer is actually initiating the purchase or lease of a vehicle does the transaction qualify as business that may involve a need to check credit. Since the technological capability is available, I hope someone reviews metrics such as how many reports were pulled versus how many vehicles were sold by a dealership.

Net worth on the black market

September 11, 2009

Norton has developed a tool for evaluating your risk level, which provides an estimated value of your personal data to thieves in the criminal underground. The tool, built to raise consumer awareness of cybercrime, calculates your net worth on the black market using an algorithm and generates a report on the cost of your online assets, the value of your online identity on the black market, and the risk of becoming a victim of identity theft.

I tried the tool when I was initially briefed on it a few months ago and was surveyed about my gender and age range; online assets (including credit card and bank account data, brokerage accounts, e-mail accounts, and social network accounts) and an estimated value of all that information; whether I use security software; how cautious I am when online; and how much I think my information is worth.

Can one calculate how much “risk” is added (or how much net worth on the black market increases) in the process of gathering users' financial (credit card, bank and brokerage accounts) and personal (e-mail and social network accounts) information? For a user, if the tool returns a low number ($10), would that mean the probability of his/her identity theft is low?

Intelligent Information Privacy Management Symposium

September 11, 2009

Stanford’s Center for Computers and Law is organizing the Intelligent Information Privacy Management Symposium on March 23 – 25, 2010.

This symposium takes a transdisciplinary approach in its exploration of privacy management by drawing from the key areas of Law, Computer Science, Artificial Intelligence, and Business. It will focus on the need to develop effective information privacy management frameworks, tools and techniques by addressing the underlying tension between transparency and disclosure in the privacy versus business strategy arenas.

The organizing committee is seeking three kinds of contributions: issues papers, position papers, and technical papers. If anyone is interested in coauthoring, please contact me. (The deadline seems tight, though: October 2, 2009.)

Most common high risk vulnerabilities

September 8, 2009

SQL injection, cross-site scripting, and cross-site request forgery attacks are rated the most common high risk vulnerabilities. Not only that, NTA found that 27% of all applications contained at least one high risk issue, with the most dramatic change seen among charity and not-for-profit clients. See the proposed suggestions below, though I don't agree that they provide protection against all of the noted attacks:

• Make sure all user-supplied data is properly sanitised before returning it to the browser or storing it in a database.
• Organisations should switch from a persistent authentication method to a transient authentication method to help prevent cross-site request forgery attacks.
• An account lockout mechanism should be in place, to lock out accounts permanently or temporarily, to help prevent attackers from being able to brute-force user accounts.
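As an added illustration (not code from NTA or from this blog), the three suggestions above in working Python: a parameterised query plus HTML escaping for the first, a random per-session anti-CSRF token (transient, request-bound authentication) for the second, and a temporary lockout counter for the third. The in-memory user table, the user names and the lockout thresholds are constructed example values.

```python
import hmac
import html
import secrets
import sqlite3
import time


def make_db():
    """Constructed in-memory user table (example data, not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "example-hash"))
    return db


# 1. User-supplied data: parameterised query before it reaches the database,
#    HTML escaping before it is returned to the browser.
def find_user(db, name):
    # The placeholder keeps the value outside the SQL grammar, so an input
    # such as "alice' OR '1'='1" is compared as a literal (non-matching) name.
    row = db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def render_greeting(name):
    # Escaping turns <script> into &lt;script&gt;, so it renders as text.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# 2. Transient authentication for state-changing requests: a random token
#    bound to the session, which a cross-site form cannot know or forge.
class Session:
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def valid_csrf(session, submitted):
    if submitted is None:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


# 3. Account lockout: after MAX_FAILURES consecutive bad attempts the account
#    is locked for LOCK_SECONDS (both thresholds are example values).
MAX_FAILURES = 5
LOCK_SECONDS = 900


class LockoutTracker:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, so tests can advance it
        self.failures = {}             # user -> consecutive failed attempts
        self.locked_until = {}         # user -> timestamp when the lock expires

    def is_locked(self, user):
        return self.now() < self.locked_until.get(user, 0)

    def record_failure(self, user):
        """Count a failed login; return True if the account is now locked."""
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            self.locked_until[user] = self.now() + LOCK_SECONDS
            self.failures[user] = 0    # the counter restarts after the lock
        return self.is_locked(user)

    def record_success(self, user):
        self.failures.pop(user, None)
```

A login handler would call `is_locked` before checking the password, `record_failure` on a bad password and `record_success` on a good one; the CSRF token is embedded as a hidden field in each form and checked with `valid_csrf` on every POST.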

How is behavioral advertising a threat?

September 3, 2009

A coalition of consumer organizations is urging Congress to adopt new legislation for behavioral tracking and ad targeting.

Many Web users are unaware of all the information that’s being collected about them, especially by ad networks engaged in targeted or behavioral advertising.

The groups recommended that consumers should be able to obtain the information collected by behavioral advertising vendors, and should be able to challenge the data held about them.

Don't take me wrong, I respect consumers' privacy, but how big is the threat if the data is used for analysis only and not disclosed to or read by a human? Forcing Web sites to get opt-in permission before tracking user behavior would definitely help, but as consumers, how many of us pay attention to what we are opting in to before clicking the check box?

Utilizing Risk Management for Managing Change

September 2, 2009

Jon presents a good argument for using IT Risk Management for competitive advantage. He argues that by investing in infrastructure improvement, embedding IT risk awareness and management in every business process, empowering IT management with proactive business leadership support, considering risk in terms of access, accuracy, and agility, and raising awareness of and embracing upside risks enterprise-wide, companies can make balanced trade-offs that positively differentiate them from the competition.

Wherever risks arise from, we can all agree there are a plethora of risks already present and more apparently forthcoming. Effective leadership requires choreographing change to address the upside and downside risks and the vulnerabilities inherent to both. This is especially true around IT risks since companies are ever more dependent upon the lift IT brings via automation of key business processes, linking to customers and suppliers, and ever-increasing, mandated compliance reporting.

Difference between IT Risk and Information Risk

September 1, 2009

I recently saw a post on Mark’s blog – difference between IT Risk and Information Risk – which caught my attention. Mark has provided a good explanation of both – associating IT Risk with asset and Information Risk with Information itself.

IT Risks should have a focus on technology, while Information Risks should not. By clearly positioning the two as different, it is easier to delineate responsibilities when partnering with the business on managing risks. Knowing who owns what always increases your chances of being successful. IT risks, given their technology orientation, will rightfully land more on IT professionals' plate to manage vs. the business. Information Risks should accordingly land more so on the business side.

I, being an Information Risk evangelist, would like to add a few points to Mark's well defined theory. Since IT started evolving, the focus had been on protecting the infrastructure, applications, and other assets that store the company's information. That was the era when the term IT Risk Management was in very common and popular use. But as Information Governance started to gain recognition as a subset of Corporate Governance, Boards started to pay attention to Information Risk. In reality, the Board is accountable for ensuring that businesses protect their information, and this shift in accountability has given rise to Information Risk (a subset of Operational Risk), which encompasses all the controls a company needs to implement to protect its information.

