Enabling Secure Business Operations

Blame IT!

We’ve all heard the EIBKAC stories, such as using the CD-ROM drive as a coffee mug holder or erasing the C:\Windows folder to free up space on the hard drive. InfoWorld has an informative article that turns these stories on their head and instead collects stories of stupid IT administrator actions.

The thing that struck me is that out of the six items they highlighted, four of them were directly security (or insecurity) related, and a fifth was related to disaster recovery, which is also a security concern.

  • Preconfiguring PCs with stone-age malware
    • Sending computers out from the factory with a virus circa 1994 which the built-in antivirus couldn’t repair
  • Oh, you wanted to recover those backups?
    • An entire issue of BusinessWeek was lost when a hard drive crashed
  • Soup of the day: Social Security numbers
    • A school’s database of people to send the weekly cafeteria menu to was completely unprotected and contained SSNs
  • The tool and the toolbar
    • The Alexa toolbar was used to crawl and cache sensitive parts of a company website
  • Paging Dr. Data Breach, please come to the IT morgue
    • Company took down firewalls to ease (sensitive) data migration, and then inexplicably never turned them back on

Next time you blame users for lax security, remember that the IT staff can be brain-dead as well.

Internal Audit Mentality

Information security implicitly goes against our evolutionary defenses. Humans, for much of their history, have lived in small groups and been forced to defend against external threats.

Disease, predators, other groups of people; internal threats were concentrated at the top. Leaders changed, but the pecking order of 20-50 hunter-gatherers remained relatively constant.

A 13-year-old couldn’t, say, learn to wield a knife and kill the top guy simply by watching. Even if this were possible, it would be suicide for the individual and would harm the group’s chances of survival. Internal trust was built upon the fact that in order to survive, you had to trust one another…and carefully weigh your options.

All of this leads us to today, where a handful of users hold god-like access to systems of companies they don’t even run. A 13-year-old can launch an attack capable of crippling an organization, without much personal risk.

So we approach our employees with cautious confidence. Most IT managers cite insider data leaks as their top fear. So why don’t companies perform more internal audits?

For starters, it’s difficult: most people in positions of management have their own administrators perform the internal audits. More importantly, a poorly implemented audit can create its own trust issues.

You don’t want your administrators to feel untrusted, but you need to monitor what they are doing. A good way is through automation. Establishing a solid log review policy and being transparent about the controls in place also helps.

In the end you want your administrators to establish a bond with your organization and ideals – not just your machines. Doing so leads to better security and efficiency and improves your external defenses at the same time.

Security Education Down Under

Young Australians are learning about online security thanks to a new federal government program.

Under the program, e-security education modules aimed at students in years 3 and 9 will address key aspects of safe online behaviour, as well as the use of appropriate computer defence systems.

As a network assistant in college, I was able to see just how little most people know about protecting themselves and being wary of what they are bringing onto their computers. Educating children on security will make things a little easier on the security experts of the future.

In a Perfect World…

Recent trouble at the Sky News message board shows that a little common sense goes a long way in security development.

It seems Sky’s system had a simple defense mechanism against spam or DOS attacks: if it received a handful of invalid login attempts on an account within a short space of time, it suspended the account. That was fine until someone discovered this and started using it to disable the accounts of active posters on the board. After someone posted how to do it on the board, others seem to have joined in the ‘fun’, and the social fabric of the board collapsed.

Sky News failed to inform their users as to why their accounts were suspended, and users began to wonder about the security of their account information. When a statement was finally released, Sky attempted to wash their hands of the mess.

But let’s be clear: it’s the troublemakers who are actually responsible for messing things up.

Sure, if there were no “troublemakers,” there would be no need for passwords, but there is a sort of Murphy’s Law of security. If you allow something to be misused, someone will misuse it.
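To show why the lockout described above is a denial-of-service hazard, and what a less abusable policy looks like, here is an added example that is not Sky’s code: a toy NaiveLockout that suspends an account after a few failures, beside a SourceThrottle that counts failures per (source, account) pair and delays only that pair. User names, passwords and IP addresses are constructed for the demo, and time is passed in explicitly so it runs offline.

```python
from collections import defaultdict, deque

WINDOW, THRESHOLD = 300, 5   # seconds of history that count; failures before a penalty
USERS = {"alice": "correct horse", "bob": "hunter2"}   # constructed demo store, plaintext for brevity

def _record_failure(history, key, now):
    """Append a failure timestamp, drop those older than WINDOW, return the count."""
    q = history[key]
    q.append(now)
    while q and now - q[0] > WINDOW:
        q.popleft()
    return len(q)

class NaiveLockout:
    """Sky-style: N bad attempts on an account suspend it, whoever sent them."""
    def __init__(self):
        self.failures, self.suspended = defaultdict(deque), set()

    def login(self, user, password, src, now):
        if user in self.suspended:
            return "suspended"
        if USERS.get(user) == password:
            return "ok"
        if _record_failure(self.failures, user, now) >= THRESHOLD:
            self.suspended.add(user)
        return "denied"

class SourceThrottle:
    """Hardened: count failures per (source, account) and delay only that pair."""
    def __init__(self):
        self.failures, self.retry_after = defaultdict(deque), {}

    def login(self, user, password, src, now):
        key = (src, user)
        if now < self.retry_after.get(key, 0):
            return "throttled"
        if USERS.get(user) == password:
            self.failures.pop(key, None)
            self.retry_after.pop(key, None)
            return "ok"
        excess = _record_failure(self.failures, key, now) - THRESHOLD
        if excess >= 0:   # back off 1s, 2s, 4s, ... for this pair only
            self.retry_after[key] = now + 2 ** excess
        return "denied"

def simulate(policy):
    """Attacker at 10.0.0.9 hammers alice's account; then alice logs in from home."""
    for i in range(THRESHOLD + 2):
        policy.login("alice", "wrong", "10.0.0.9", now=float(i))
    return policy.login("alice", "correct horse", "192.0.2.10", now=10.0)
```

Under the naive policy the legitimate owner gets "suspended"; under the throttle she gets "ok" while the hammering source sees "throttled".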

How I’d Hack Your Password

Good blog post here about how to hack passwords. See if he mentions yours outright.

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

He goes on to mention password crackers and how fast they do their jobs. A little scary, actually…

Give Me Your Money – Or Die

Dentists, doctors, lawyers and other professionals in the Pittsburgh area have been targeted by a “hit man” e-mail scheme, receiving messages that tell them to pay up to spare their lives, the FBI said.

No one has reportedly lost money or been harmed in the scam, but some recipients were unnerved by the messages, said Special Agent Bill Shore, who supervises the computer crime squad in the Pittsburgh FBI office.

“You think, ‘What did I get into? What do I gotta do to get out of this?’ “ Shore said.

Who worries about hit men?

The more people learn not to click on links in emails, the more enticing spammers, phishers, and the like will have to make them.

Targeted Trojan attacks

Good article on SecurityFocus about the rise of targeted attacks with specially designed trojans. A similarly themed story is running on CNET news.com.com.
Bruce Schneier has posted about it on his blog as well.

“If you haven’t noticed these attacks and you are a big company, you have likely already been attacked,” [MessageLabs security researcher Alex] Shipp told attendees at the Virus Bulletin 2006 conference. “Your problem is no longer how do I avoid being attacked, but how do I find where I’ve been compromised.”

Scary but accurate. If one wanted to infiltrate a network, a trojan specifically crafted for that purpose which had never been seen before would probably be your best bet. OK, maybe not as good as free USB drives, but probably a good idea.

Wireless Hotspot Safety

Via lifehacker, found these 10 Top Tips for Protecting Yourself at Hot Spots. Some good suggestions in there:

1. Disable Wi-Fi ad-hoc mode
2. Use a wireless Virtual Private Network (VPN)
4. Use a personal firewall
5. Turn off file sharing
6. Make sure the hotspot is a legitimate one
10. Don’t leave your laptop alone.

There are also some suggestions that will give you a false sense of security:

3. Use an encrypted USB flash drive
7. Disable or remove your wireless adapter if you’re working offline
8. Use email encryption
9. Look over your shoulder

An encrypted flash drive could help… if most flash drive encryption programs weren’t so dumb (once it’s unlocked, anyone on the system can read the drive). Email encryption could help… but as I’ve mentioned before, you are still likely going to give up a password due to an insecure protocol. Giving guidance to disable your wireless adapter makes no sense to me—to use the hot spot safely, don’t use it! And looking over your shoulder? That will just make you paranoid. I can happily hack your system from across the room without bothering to make eye contact or shoulder-surf for a password.

Some Tricks Never Get Old

As Bruce Schneier points out in this blog post, some “clever” folks decided to use an old phone scam to steal credit card numbers.

A fraudster contacts an AT&T service rep and says he works at a pizza parlor and that the phone is having trouble. Until things get fixed, he requests that all incoming calls be forwarded to another number, which he provides.

Pizza orders are thus routed by AT&T to the fraudster’s line. When a call comes in, the fraudster pretends to take the customer’s order but says payment must be made in advance by credit card.

Makes me think of something that happened to me last week –
I called our local cable company to get some Internet service set up for some relatives. I called from my cell, and all I had to do was give the first name of someone in the house and the address.

I was also able to cancel other services this way. Nice for me because it saved me some hassle getting the call done, but just imagine if I were in a grumpy mood and decided to do this to Uncle Joe I’m not fond of.

Or, cancel the cable, then call later on and say,

“Hi, I’m Cable Provider X. We put your account on hold because we were worried someone might be making fraudulent charges on the card you provided. Do you have another card we can use?…”

You get the idea. Old tricks still work – and old defenses against them do too. Don’t trust incoming calls; even caller IDs can be spoofed.

E-Mail at Risk?

The Washington Post had an article in yesterday’s paper called E-Mail at Risk? Cover It With Encryption.

“Current e-mail technology does not provide any confidentiality,” said Peter Hesse, president of Gemini Security Solutions, a Chantilly-based firm specializing in security audits and installations. “In fact, the e-mail standards include routing messages between mail servers . . . each transmission and each server offer opportunities to read messages.”

Read the article for that and many other brilliant comments by yours truly!

Actually, the premise of the article is interesting. It’s in the Sunday paper, which means it’s going to be read by many average people over coffee and donuts. I wonder if it will lead to any more adoption of PGP or other email encryption technologies?