Monday, February 4, 2013
Why is it crucial to perform IT or computer forensics in a forensically sound manner?
One does not need to be a CSI fan to know that before a search can be performed, law enforcement needs a warrant to enter the premises. At a crime scene, it is crucial for law enforcement to handle the evidence properly to avoid tampering or contamination. The same principles apply when it comes to IT/computer forensics. This story will show you why....
The story begins like this: the Information Security chap was invited to an emergency meeting to discuss the potential dismissal of an employee who was suspected of breaching the company's policy. The meeting was called by a senior manager who was the department head of the suspected employee.
Mr. Senior Manager: Ladies and gentlemen, thank you for coming to this meeting. I'm sorry for the short notice, but let me assure you that this can no longer wait. Let me bring you up to speed. Two weeks ago, we suspected that Mr. White was involved in a fraud. Upon our investigation, we managed to find evidence that linked him to the fraud. I would like to thank our Miss System Admin here. Great job! Now we shall discuss how we can proceed to dismiss this employee as soon as possible.
Information Security chap: Thank you for letting me know now. Before we proceed, may I ask Miss System Admin, how did you perform the investigation and how did you gather that evidence?
Miss System Admin: I was approached by Mr. Senior Manager here a couple of weeks ago. He asked if I could connect to Mr. White's PC, access his files remotely, copy out all the files and perform analysis. Of course I can do that. I'm the system admin, right? I have admin rights that allow me to connect to everywhere. So, I did exactly what was asked. I copied all his files and emails to my laptop, then I went through them on my laptop.
Information Security chap: I see. And I assume that you got all the approvals to do so.....
Miss System Admin: I think so. It was Mr. Senior Manager who asked me to do it, since he is the boss of the suspect. Therefore, there is no problem right?
Mr. Senior Manager: Yes, I asked her to do it.
Information Security chap: < * starting to worry...* > Mr. Senior Manager, you did check with HR, legal, data protection etc. before you proceeded, right?
Mr. Senior Manager: Nope. Should I? I'm his boss, I think I have the right to do so.
Information Security chap: Hmm... now things have just become very complex. We may not be able to dismiss that employee. Not before fighting a tricky legal battle. I'm not a legal expert, but should Mr. White decide to take this to court, I'm pretty sure we would lose the lawsuit on technical grounds. Not only that, you and Miss System Admin here might be incriminated as well.
Mr. Senior Manager: What are you saying exactly?
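What a forensically sound acquisition looks like in practice, as an added example that is not part of the original post: the files are copied under a recorded authorisation, hashed at acquisition, examined only on a copy that has been verified against that hash, and re-verified afterwards, so that any alteration (such as editing the copied files while reading them on a laptop) is detectable. The acquire/verify helpers, the custody log format and the approval reference are this example's own assumptions.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire(source, evidence_dir, examiner, authorisation):
    """Copy source into evidence_dir, prove the copy matches, and append a custody entry."""
    os.makedirs(evidence_dir, exist_ok=True)
    evidence = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copy2(source, evidence)  # copy2 preserves the original timestamps
    record = {
        "source": source,
        "evidence": evidence,
        "sha256": sha256_file(source),
        "examiner": examiner,
        "authorisation": authorisation,  # HR/legal approval reference (placeholder here)
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    if sha256_file(evidence) != record["sha256"]:
        raise RuntimeError("evidence copy does not match the source")
    with open(os.path.join(evidence_dir, "custody.jsonl"), "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # append-only chain-of-custody log
    return record

def verify(record):
    """Re-hash the evidence copy and compare it with the hash recorded at acquisition."""
    return sha256_file(record["evidence"]) == record["sha256"]

def demo():
    """Constructed scenario: acquire a sample file, then simulate an examiner editing it."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "report.txt")
    with open(source, "w", encoding="utf-8") as handle:
        handle.write("constructed sample standing in for the suspect's files\n")
    record = acquire(source, os.path.join(work, "evidence"), "examiner", "APPROVAL-PLACEHOLDER")
    before = verify(record)  # True: untouched since acquisition
    with open(record["evidence"], "a", encoding="utf-8") as handle:
        handle.write("note added while reading\n")  # the contamination the story warns about
    return before, verify(record)  # (True, False)
```

Any review is done on a second copy made from the verified evidence file, so the recorded hash keeps matching the evidence itself.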
Tuesday, January 8, 2013
Yahoo Mail is now fully HTTPS. This is how to turn it on.
Some would argue that Gmail has had it implemented since the day it was launched years ago. Anyway, it's still good news for us. Yahoo is doing all the right things after recruiting their new CEO Marissa Mayer from Google. In case you missed it, the recently updated Yahoo Mail interface is also better, faster and simpler to use.
Why HTTPS? In layman's terms, to protect your email session from malicious eyes. It's the same reason you want your internet banking to be over HTTPS. Want to know more about HTTPS? Check out the wiki :)
So, how do you turn on HTTPS in Yahoo Mail? It's pretty simple actually. Go to Mail Options, scroll down and tick the box. See below:
Friday, December 7, 2012
Counter CyberCrime - Do not challenge the hackers
I'm pretty sure many organisations have faced cyber-attacks before. Some organisations might think of getting "revenge" on the attacker. It could be a good idea, but it could also be a totally bad idea, depending on how you do it.
This is a story about why it's a bad idea, if you do it this way......
A few months ago, at that XYZ company.....
Business Owner guy: How come my users can't access this application at all? I have got emails, phone calls from everywhere, complaining!
IT Supplier chap: Mr. Business Owner sir, our Network Operation Center (NOC) just confirmed that the application is currently under DDoS attack. Our ISP and NOC are trying their best to mitigate the attack.
Business Owner guy: What? How dare they attack us. Do we have any information on who is doing this to us? Can we track them?
Information Security lad: Not easy to trace. Most certainly the machines or IP addresses we have seen attacking us are zombies or compromised machines that are part of a botnet. I'm afraid the real attacker is a few more layers behind those compromised machines.
IT Supplier chap: We do have a solution to mitigate this attack. There is this Company P that provides protection against DDoS. It would cost us 10K EUR to use their service. From what we are seeing now, the attacks are not going to stop anytime soon and it will only get worse. Hence, it's just a matter of time before our whole network is completely brought down by it. We should engage this DDoS protection service immediately.
Business Owner guy: Ok. Let's do it. You have my approval to proceed.
Two hours later, after the solution has been implemented....
IT Supplier chap: Good news folks. The attacks have subsided. It was the right call to engage that company.
Business Owner guy: Great! But I'm still not very happy. I want whoever is behind this attack punished. I want them to know that they are messing with the wrong guy. I have contacted my friend in law enforcement and opened an official case. Not only that, I will call a press conference to tell whoever is behind this that we are coming after them and that they are messing with the wrong people.
Tuesday, November 20, 2012
Counter Cybercrime - Turn insiders(employees) into assets
Darkreading has a very good article today - Four Ways to Turn Insiders into Assets
In general, I like the idea, as I'm a believer in putting more effort into security awareness and education.
Robert Lemos, the author of the article, has listed four ways:
(NOTE: Text in italics is excerpted from the original article. Comments are added by me.)
1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.
Securityisfun: This is so true. I have seen this quite a lot. Most companies do it because the law or audit results said so. Ask yourself a question: why do you send your kids to school? Is it because the government or the law requires it? No, we send our children to school because we want them to become educated people and learn how to behave correctly from a young age. So, we all understand that education or awareness is the key. It shouldn't be any different when it comes to information security. We have to educate all the employees.
2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen, while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employee phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.
Have a fun information security story to share?
Information Security folks,
I'm sure you have some fun stories to tell as well. Why don't you share them? If you like, I can put them on my blog as well. Of course, all credit goes to you :)
Think about it ;). Just drop me a message on my Google Plus or Facebook page.
Wednesday, November 14, 2012
How secure your SMS token/mTAN/TAC code is really up to you
Users will always click on a URL sent to them, right? I bet any information security pro out there must have heard or said this before.
Here is a news report that some people in Germany had their bank accounts wiped out after a Trojan "intercepted/diverted" their mTAN (SMS-based one-time password).
Excerpt from the news by Thelocal.de:
Berlin state police warned on Tuesday that "bank customers using the SMS-TAN/mTAN process have become victim of fraudulent money withdrawals." Several people have reportedly had their bank accounts emptied in the past few weeks, the police said in a statement.
"In all cases, the SMS containing the mTAN for the online banking system was caught or diverted," the statement said. "Up until now, those affected have been customers using a Smartphone with an Android operating system."
Friday, November 2, 2012
Counter cybercrime - avoiding cyber espionage attacks
I came across this article today - 4 factors for avoiding cyber espionage attacks. Good points... but I do have a few comments.
1. Data Policy
Yes. Define your data policy and its classification. Most of the time, the Business is the one accountable for setting it, and (unsurprisingly) most of the time they fail to do so. Hence, it is our job as information security professionals to do our due diligence and help them set one.
2. Bring Your Own Device (BYOD)
Need I say more? I have written a few pieces about the risks of BYOD. Go check them out :)
3. Protect your critical infrastructure
Separating the network that holds the intellectual property from the rest of the network is security 101. However, to do so, you'll need to know what you want to protect first. So the question is: how do you know? See point number 1. It all starts with data classification - I would say it is security 100. Do a risk assessment on your data, then you'll know what to do with the risk: mitigate it or accept it.
4. Monitor for unexpected behavior
Right. Not an easy one. You'll need to know what to look for. One might say Data Leakage Prevention (DLP) is the answer, but I have yet to see a real return on investment from a DLP solution. It's a pain in the XXX to get it implemented. Too many false alarms. It needs full-time resources to monitor, etc.....
Monitoring is only effective if you know what you want to monitor. Perhaps you'll need a holistic and overarching (my auditor friends love this phrase, like it is crafted in their genes or super-glued to their heads. Stuck there forever, like a BFF) monitoring in place (see the tongue in my cheek?). In layman's terms, that would mean having the right people, process and technology in place...
Before I take my fingers off the keyboard, I have another point to add:
5. Awareness
Educate your employees (not just the IT folks, but all employees, including your cleaners) on how to spot someone potentially casting a cyber-espionage spell or charm on them. Educate them on how to react, what not to do, who to report suspicions to, etc.... People are always the weakest link.
Acknowledgement - photo taken from http://en.wikipedia.org/wiki/Spy_vs._Spy
Tuesday, October 16, 2012
BYOD - only allow what you can manage
I have to say I can't agree more with what has been stated in this article. I agree 100% with Steve Damadeo:
"You need to be selective about what you do allow," he says. "We block all Android devices for now because of some of the security concerns that have come up and ease of management."
As I shared in my previous stories, there can be bad consequences if enterprises do not properly manage BYOD.
Acknowledgement: picture taken from http://www.victoriaexpert.com/blog/149-mdm-mobile-device-management-and-byod-bring-your-own-disaster.html