U.S. Air Force Phishing Exercise went Rogue

U.S. Air Force phishing test transforms into a problem

A cyber-wellness exercise on phishing fraud conducted by the U.S. Air Force went out too well. Robert McMillan reported on NetworkWorld, “The e-mail said that crews were going to start filming ‘Transformers 3’ on Guam and invited airmen to fill out applications on a Web site if they wanted to work the shoot. The Web site then asked them for sensitive information.” The exercise went rogue when the information leaked out from their network to the public via e-mails and the like of Transformers fan sites. U.S. Air Force issued a statement to account for the incident, “Unfortunately, many of Andersen’s personnel responded to this inject and submitted their personal information to the Web site, and forwarded the information outside of Andersen.”

It is interesting to see how victims not only not realised they have fallen into the scam. Furthermore, helped in propagating it. It is interesting to see how trust are established among human (on the cyber space).Yet saddening to witness how scammers are exploiting such vulnerabilities of us.

Let see what we can learn from this incident… If I’m a scammer…

• Spoofed e-mail address from an looks-like legitimate source

The first step of every phishing attacks. Social engineer the victim to believe it is neither a spam nor scam. E.g. admin1@emilonsecurity.com

• I would use some catchy theme

I’m impress with the designer of the U.S. Air Force phishing exercise. Transformer sure is catchy, getting the victim excited and catch him/her off-guard. It is also proven that they will propagate the scam for you too! 😀

• Have my victim create an account with me

Single-username/single-password syndrome. If I have these information, most probably I can access most of your accounts. According to the case study, most likely I would also get information like their name, address, date-of-birth, etc. I would also ask for their e-mail addresses (I could help myself to their e-mail account and propagate the scam if they don’t do it for me 😛 Mutual trust are already established between them isn’t it?), and two set of “secret questions” (a backup if my single-password syndrome attack fails). In addition, I could make full use of all these information gathered and conduct a spear-phishing attack, drastically improve the success rate.

Security-Functionality-Usability Trade-Off

The S.F.U (Security. Functionality. Usability/Ease of Use) is a security triad widely used.

Image Referenced from [1]

In any implementation of security controls, all three factors – Security, Functionality, and Ease of Use, have to be considered carefully, searched for the balanced trade-off for all stakeholders.

Using the S.F.U Security Triads

Simply focusing on any one individual factor will severely impaired the others.

• Increased in Security will impair Functionality and Usability
• Increased in Functionality will cause vitiation of Security and Usability
• Increased in Usability reduce Security and Functionality

Hacking Functionality/Usability

Security are usually the one being undermine by many corporations. Simply because it is not something that generate income for the organization. Although not included in the S.F.U security triad, an increase in Functionality and Usability means increase in work efficiency.

Adversaries would love to see companies heading towards that direction. Undermining security concerns, they could exploit the huge of pool of vulnerabilities opened to them.

Other Write-up on S.F.U Security Triads

[1] Andrew Waite. InfoSec Triads: Security/Functionality/Ease-of-Use. June 12, 2010.

Security is only as Strong as its Weakest Link

A team of researchers from Norwegian University of Science and Technology and National University of Singapore pushed the envelope and discovered a method to intercept data by tapping on an optical fibre cable. They designed an apparatus that is able to sniff data by reading small light pulse transmitting in the cable. Hoi-Kwong Lo from University of Toronto, too, unveiled an optical fibre hack by determining how sender polarised their photons. Tricking the sender in sending tweaked photons, he will be able to study the error rate, and leveraging tweaks to compensate for the disturbances created from photon interception.

As how [1] put it:

Neither of these techniques actually breaks the fundamental principles on which quantum cryptography is based. They simply exploit loopholes introduced when it is reduced to practice.

Security will never be a fair play. The blue team will have to defend every single aspect of the infrastructure – Applications, Networks, and Operations. In contrast, the red team simply needs to discover a single vulnerability each times for them compromise you.

Recalling a project I did on circumventing Microsoft Windows Encrypting File System (EFS) a year ago, I too, tried to achieve my goal exploiting implementation faults. Cryptography is a big field of studies in mathematical science. Yet no matter what encryption one uses, the message will definitely be decrypted when it reaches the intended recipient. In computing, looting information out from end-points is so much easier than intercepting encrypted messages and trying to decrypt it.

Security is only as strong as its weakest link. As a country you need to defend all domains of land, sea, and air. Singaporean will not forget how the Japanese exploited our weak border defence up north that separates us from Malaysia when we placed most of our defences at Sentosa waiting for them to attack us from the south.

People, Process, Technology

The three basic domains of information security – has to be considered when implementing security strategies.

Image Extracted from TechNet

Weakest Link – Exploiting the CIA Triad

CIA – Confidentiality, Integrity, and Availability – is the three core components of security. This triad will always appear in every corner of security. An absence of any component would cripples security. We will have to ensure that the data are protected (C) and trustworthy (I), as well as (A)vailable.

Image Extracted from Wikipedia

It is straight forward to security practitioners when we talk about Confidentiality and Integrity. But many confused (A)vailability being (A)uthenticity as the CIA triad. The latter sounds more coherent when we think about security. Authenticity is more likely a supporting feature than a core component itself. Availability is a core not just in security but also your business.

When you are unable to download your files or play your games when your security suite is in your way, you switch it off. When your firewall is interrupting your business service, you switch it off. How much discipline do you think the government bodies or military have, when their telecommunication is not audible due the installation of encryption devices?  How likely than will security works when there is no availability?

Security is only as strong as its weakest link – all security considerations (CIA) has to be though through and integrated in every single domain (People, process, and technology) of your business.

[1] The Economist. Light Fantastic. 2010, 26 July

Security Professionals should Broaden Perspective

Ross Anderson & Tyler Moore, 2008

The economics of information security has recently become a thriving and fast-moving discipline. … The new field provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability, and policy. … has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and social sciences. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition… … Game theory and microeconomic theory has becoming important to the security engineer…

Information security is never a business on its own. It is an entity that is spawned in the presence of others. The field of information includes security, economics, social science, psychology, etc. Each of them correlates closely with each other.

No longer can security professionals be narrow minded in their own technological fantasy. Studies of human cognitive model, social science, microeconomics, politics and international relations are necessary for us to create an impact and make the infocomm world a better place.

Spycams

A German was caught invading the privacy of 150 youngsters, using malware to manipulate webcams and spy on schoolgirls (German Webcam Hack Perv Suspect Cuffed).

I’ve also found a number of similar past incidents from The Register:

• Researchers expose privacy flaws in Chatroulette (15 July 2010)
• Child abusers adopt blackmail tactics (12 September 2008)
• Webcam hacker-ogler jailed for four years (5 August 2008)
• Spyware mum foils pervert (1 June 2007)
• Peeping Tom Trojan suspect cuffed in Cyprus (21 April 2005)
• Webcam Trojan perv gets slapped wrist (28 February 2005)
• Webcam Trojan suspect arrested in Spain (20 January 2005)
• Meet the Peeping Tom worm (23 August 2004)

Judging trustworthiness: Mortal v. Virtual World

Judging trustworthiness is an activity taken place almost in every part of our life. In every conversation we made with each other, news we read from the media, to hiring new employee to your organization. It has always been a best practice for the Human Resource (HR) to assess their target before coming to a decision whether to hire him/her; taking precautions on if they are introducing new risk to, for example, the organisation’s intellectual property. Such event, especially in sensitive genre such as the military and intelligence agencies, could even to to the extent of performing a polygraph test on their potential employees.

The case study of Brian P. Regan [1, 2] and Bradley Manning [2] perfectly illustrates the declination of accuracy on such assessment. Things will just get to get worst over time in the information age we are living in.

Famously quoted from Dr. Joseph Krofcheck:
"Judging trustworthiness is currently geared only to evaluating behavior in the Brick and Mortar world."

The instinct that we are born with to judge worthiness only allow us to perform so accurately in this brick and mortal world which our species have been living for centuries. Our sense has yet to adapt to the young and neutral virtual world.

A person’s characteristic in this “real” world does not exactly reflect who they are when are acting in a virtual one. Here an interesting example from Michael Theis in the Security Directions virtual conference: Envisage I’m your potential employer performing an assessment on you. I questioned if you’ve committed petty crime as such stealing. You think about it for a moment… you could have probably stolen some sweets or stationery when you were young… or maybe not… Probably I got my polygraph machine attached onto you, and would not reflect you are lying. You would most likely to protest because you are telling the truth! What about illegally downloading of MP3 music on the Internet? Does not that consider stealing? Fair enough… you were not lying. 😉

Reference

1. Michael C. Theis. Security Directions: A Virtual Conference – Meeting the Challenges of the Trusted Insider Threat. http://events.unisfair.com/rt/secdir~april10
2. Wikipedia – Brain Patrick Regan. http://en.wikipedia.org/wiki/Brian_Patrick_Regan
3. Kevin Poulsen & Kim Zetter. U.S. Intelligence Analyst Arrested in Wikileaks Video Probe. http://www.wired.com/threatlevel/2010/06/leak/

The Secret Question

Security Question

Just want to share some interesting articles on secret questions highlighted by Bruce Schneier in his recent Crypto-Gram:

1. Evaluating Statistical Attacks on Personal Knowledge Questions (http://www.lightbluetouchpaper.org/2010/03/04/evaluating-statistical-attacks-on-personal-knowledge-questions/)
2. The Curse of the Secret Question (http://www.schneier.com/essay-081.html)

The New Koobface Malware?

I received quite a number of malicious emails from a friend of mine via the Facebook Messenger this morning. It’s rather easy to tell that it’s a malware.

• The email that display the message provides a link (screenshot 1), whereas, viewing the message via Facebook does not (screenshot 2).

Screenshot 1

Screenshot 2

• My email address is part of the parameter in the URL (screenshot 1); a generic characteristic of a malicious link.
• Looking at the target recipient of the message (screenshot 2), it’s suspicious that all the names beginning in J and K.
• The message is sent from a friend of mine whom I rarely contact.

It’s something similar to the faced out Koobface malware (2008). I’m not very sure if this malware is a new version of Koobface malware, but it does have similar behaviors.

Security message (Quoted from ESET on the Koobface malware): “Don’t trust this new message or any like it sent to you via social network like Facebook. And of course, make sure your antivirus software is always up-to-date.”

To read more about Koobface Malware: Koobface Malware makes a Comeback (http://news.cnet.com/8301-1009_3-20002112-83.html)

CSIT Experience IT

Last Saturday, I had a remarkable experience at a roadshow organised by the Centre for Strategic Infocomm Technologies (CSIT). The objective for the roadshow was tuned towards recruitment; to get some talented folks who are graduating from universities to join them. So I went with a few of my friends who will soon graduate from NUS (National University of Singapore).

Interestingly, CSIT organised a mini-capture-the-flag competition. There’s an attacking server that will attack the participants’ Web server every 5 minutes (points will be deducted if successful). One of the objective is to secure the Web server. In the network, there’s also a vulnerable server which you can break in and capture the flag. Each flag captured will increase your points.

The competition only lasted for 30 minutes. Unfortunately, there’s no prize for the winning team. 😦 Good fun though. 🙂

It’s not the Technology… It’s the Assets!

Information security is no longer a “good to have”, but a “need to have”. Security mechanisms have become vital members of companies’ system architecture as more and more data are being digitalised, and business workflows and transactions are carried out on the network backbone. Moreover, users are becoming more and more concern with security threats. Information is the greatest assets to any organizations, those whom fail to secure their information won’t expect anything less than failing in their business.

Does simply introducing security mechanism to organizations’ system architecture really improve security?

Certainly, it helps the business reputation to shows that they take security matters seriously by implementing security mechanisms in their system. But, is it equivalent to taking assets security seriously?

The underline of security is asking yourselves: what are you defending from and against? In most cases, you implement security mechanisms to protect your assets. It has been the principle of security since many centuries ago. Defining your goals/objectives, set your priorities, and addressing your assets is vital. You do not want to allocate huge amount of resources to protect your secondary assets, and pay little attention to your primary assets. Having your primary assets less secured that your secondary’s one is a great treat to your adversaries.