Posts Tagged ‘Internet Security’
Wednesday, June 9th, 2010
NERC’s June 2, 2010 report identifies potential paths to destruction of our North American Electrical Grid (www.ere-security.ca and http://www.nerc.com/ ). These paths include co-ordinated cyber / physical / blended attacks, pandemic illness, geomagnetic disturbances and electromagnetic pulses.
In my opinion, while NERC (North American Electric Reliability Corporation, www.nerc.org ) has managed to accurately identify real security risks, it has missed the main point.
Yes, our energy grid is woefully in need of upgrading to mitigate the threat of a cascading failure, an example of which many of us experienced in August 2005 ( http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003 ). And yes, the NERC CIP 01 – 09 security standard (http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html and http://www.nerc.com/page.php?cid=2|20 ) for the real-time monitoring and management of electrical grids is an important and meaningful tool for making our grid more robust, survivable and secure.
However, the fundamental recommendation of the report calls for better co-ordination between US power-grid providers and the government. To me, government co-ordination is an oxymoron. We can all see how well government co-ordination is working on the Gulf Oil Spill.
To rid the nation of electric grid gremlins, we don’t need cooperation, we need a bigger stick.
I think the path to grid deliverance is for the government to replace co-ordination with costly penalties for those utilities which fail to comply with the NERC CIP standard.
Expensive penalties might get utility executives to take their security risks more seriously, and maybe start by addressing the “here and now” concerns expressed by their own SCADA IT security staff. We have worked with SCADA IT staff who were already aware of existing security risks, but since an event had not yet caused a costly or embarrassing outage, their executives were loath to invest in mitigating these risks.
So perhaps the time is right to up the ante by adding a serious financial penalty to the potential downside cost of a security event. Executives can then re-evaluate their security ROI business cases to include the new downside penalty.
In our security auditing experience with electrical utilities, we have identified lots of security threats and vulnerabilities which could be turned into disasters by very low-tech and unsophisticated means. Terrorists, solar events, and pandemics are not even remotely required in order to compromise very commonly found weaknesses. Somebody with a six-foot ladder and a laptop could potentially do just as much damage.
The solution to this problem is to sufficiently fund the security programs at the electrical utilities so their own security teams can adequately and reasonably implement the NERC standard, with emphasis on sections like Electronic Security Perimeter (CIP 005) and Sabotage Reporting (CIP 001).
While it’s very exciting and stimulating to think how our electrical grid can be brought down by behemoths of nature and by evil people with malicious intent, the reality is that our grid is susceptible to the simplest of gremlins.
Maybe it’s time to think again.
Have a secure week.
Ron Lepofsky, CISSP, B.A.SC. (mech eng)
President,
ERE Information Security and Privacy Auditors
Tags: Energy Grid, Information Security, Internet Security, IT Security, NERC, Power Grid, Security Risks Posted in Security Postings | 6 Comments »
Wednesday, June 2nd, 2010
Here’s a glaring example of how recreational online gaming of any sort can lead to unintentional expense and headache.
On May 27, Angela Moscaritolo at SC Magazine wrote an article about Symantec having discovered a database server hosting the stolen credentials of 44 million accounts belonging to at least 18 gaming websites. You can see the article on the ERE RSS feed or at http://www.scmagazineus.com/44-million-stolen-gaming-credentials-discovered/article/171128/e.
Online gamers own virtual assets within their games. These assets can be bought and sold for real dollars, up to thousands of dollars. An individual who steals and uses a gamer’s identity will gain access to the gamer’s assets which they can then use, sell and vandalize.
In any instance where a gaming site holds its members’ credit card and banking information, the potential for identity theft and credit theft escalates if a gamer’s credentials are already stolen.
Online gamblers face the same risks as online gamers whose credentials are stolen, with the added grief of facing a foreign jurisdiction when attempting to claim for losses against the gaming site. This is because most gaming sites, for reasons of US law, reside outside of the jurisdiction of the USA.
The same problem is faced by members of online transaction sites, where the members’ authentication credentials are stored by the transaction site. If a member’s user name and password are stolen, the member faces exactly the same potential risks as the online gamer, and those risks are exacerbated if the member’s credit information is also electronically stored with the site.
While credit companies are implementing multi-factor authentication in order to mitigate potential fraudulent transactions, electronically stored credit card information is still a potential security and theft vulnerability. In these critical situations, my preference is to err on the side of conservatism: if anyone has access to electronic information, then potentially anybody has electronic access to that same information.
So the question is “What should gamers and transaction site members do to protect their electronic identities?”
The answers are pedantic but effective:
- Regularly change passwords. Chances are that a stolen old password will be used by a thief and, of course, will be useless.
- Use groups of passwords, prioritized by importance, for different uses. The best advice, of course, is to use a different password for every single use, including logon to your home and work computers, online banking, transaction sites, etc. This is not practical for most folks, so a tradeoff is to have a few different passwords but never use the same password for both critical and less critical applications.
- Consider storing (new!) passwords in an encrypted file or an electronic vault. Various programs and utilities are available for assisting with this process. The immediate two benefits are that people do not store their passwords in an unencrypted state and that the stress of remembering all the passwords and their use immediately disappears.
- Store the password for your “password vault” in a secure, non-electronic format or encrypt it with your own personal encryption system. For instance – add a suffix and prefix that are meaningful only to you and which are not composed of any personal information.
- Do not log onto any system over Wi-Fi or cellular network without the logon sequence being encrypted. Otherwise the logon credentials are easy prey for “man in the middle” attacks.
- Do not share passwords with anyone. Ever.
Have a secure week.
Ron Lepofsky, CISSP, B. A. SC. (Mech Engineering)
Tags: Games Online, Gaming Websites, Identity Theft, Internet Security, IT Security Posted in Security Postings | 5 Comments »
Wednesday, May 26th, 2010
A deluge of compliance requirements has inundated organizations, obligating information security officers to protect: sensitive personal and corporate data from theft; critical data from theft and corruption; and medical and health data from theft, surveillance, and destruction.
Fundamental to these security and privacy imperatives is the ability of an organization to restrict access to only those individuals with the need and permission to see and change the data in question. Access should be predicated upon the ability to conclusively and positively identify an individual or entity requesting access to data, while being able to deny access to everyone and everything else.
In my May 4 blog, Forensic Identification Using Skin Bacteria, I discussed this idea. It may or may not come to pass in the future, but it did emphasize the on-going, if somewhat imaginative, research in user identification. A more down-to-earth and currently available means of verifying identity is two-factor authentication, or 2FA.
2FA has been around for a long time and has undergone major improvements. Now the banking industry has adopted it for the magnetic cards we use for credit and debit transactions – a PIN – which is something we know. Smart cards provide the ability to deny or permit any transaction based upon the electronic identification of a card. The card is generically known as a token, or something we have that is unique to us.
2FA is critical for some organizational applications and many organizations have the technical capability and financial resources to implement two-factor or even strong authentication.
However, in my opinion, the issue of 2FA is particularly important for individuals doing remote access to their business or personal computers, the reason being that individuals may not have the technical expertise or financial resources to ensure their remote communication sessions are indeed secure.
For example, I see many laptop users at public hot-spots hammering away, presumably over WiFi. (Or why else would they be at a hot-spot?) We know those networks are not secure and, therefore, the users are subject to any number of man-in-the-middle and covert surveillance attacks.
Users may think their sessions are safe, as the WiFi access service announces that once a user has paid for the service, their sessions will be encrypted. However, the log-on portion of the payment transaction is wide open!
Or even worse. Many users implement all manner of RDP remote connections to their systems. I have seen numerous instances where identification and authentication by a single password is done in the open. Even though the RDP session may be implemented via an unusual port number, there is still the possibility of monitoring the port activity and gaining access to the authentication data.
This problem is exacerbated by using the same user name and password for both an RDP session and for system login.
In my opinion, the bottom line is that all users of remote communication should implement some form of two-factor authentication, especially when using any or a combination of RDP, VPN, Bluetooth, WiFi, and wireless broadband.
My guiding principle for remote communication is that if I perform an unencrypted remote login to a system, then everybody on the Internet just saw my authentication credentials.
Have a secure week.
Ron Lepofsky, CISSP, B.A.SC. (mech eng)
President,
ERE Information Security and Privacy Auditors
http://www.ere-security.ca
Tags: Identity Theft, Information Security, Internet Security, IT Security, Privacy, Security Posted in Internet Security | 1 Comment »
Tuesday, November 3rd, 2009
Last week I received a call from a lady requesting my assistance. Let’s call her Linda. Linda’s dilemma was that she purchased online an anti-virus package (from an unknown vendor) which delivered two surprises:
- It did not work.
- It crashed her computer. Linda was about to have her computer restored to working order.
We reviewed the details of her transaction and her situation and I provided Linda with the following recommendations:
- I found the actual vendor’s web site and contact information for Linda (nothing whatsoever to do with our business), and suggested Linda contact them directly and ask for an immediate refund.
- We discussed the merits of her not doing anything to her computer until the issue of the refund was handled to her satisfaction. My reasoning was that a law enforcement agency may wish to do a forensic review of her computer.
- Further, based upon the outcome of the refund request, we discussed Linda contacting her local law enforcement and the FBI with regard to possible fraud.
- Next we discussed the merits of Linda immediately reporting this transaction to her credit card company and changing her credit card number.
- Finally, we agreed that self-destructive behavior such as dealing electronically with parties unknown is to be avoided.
A few days later Linda called me again, probably with a smile on her face. Apparently she got a full refund from the vendor, and her credit card company replaced her credit card. So for the time being, law enforcement is out of the loop, and Linda was off to restore her computer to its previous health.
You may be wondering how Linda, who is a resident of the USA, found my company, as I was. After doing some surfing I found a link from her vendor, which was in Europe, to a site with a name somewhat similar to our company’s. Only the company in question was apparently also in Europe, not Canada, and provided no contact information whatsoever. So Linda did a partial name search and found our company in Canada.
My last couple of blogs have dealt with the dangers of inappropriate trust on the web and how users can protect themselves. Just as you wouldn’t feel comfortable purchasing meat being sold from a stranger’s car, it seems reasonable not to purchase anything from an unknown party on the web either.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Anti-Virus, Internet Security, IT Security, Malware Posted in Information Security, Internet Security | No Comments »