Monday, 30 July 2007

Fake Caller ID

How can you authenticate a caller and make sure he is the legitimate person you know?

SpoofCard lets you place a call that displays any number you choose on the recipient's caller ID, change your voice to sound male or female in real time during the conversation, and record the call.

Wow…

It is really amazing. Imagine being able to call anyone, change your caller ID to any number you like, and change your voice as well. I can’t understand how this service is legal. Legal!! Yep..

So, how can you protect yourself from this hack?

Well, I don’t know. Really, it is very hard. The only advice here is never, ever give out personal information over the phone, like your credit card number.

Imagine if someone used my number, and my voice as well, to make fake calls and carry out illegal activities; in the end I am the one who would be charged.

The question here is: how can we differentiate between a real number and a fake one?

As far as I know, the mobile phone retrieves the name shown on the screen from the address book, using an index that links each number to a name.

For example:

Number: 0102655411, Index: 1, Name: Ayman M. Galal

Number: 0100000000, Index: 2, Name: Teto Feto

So, when someone calls you and the number your mobile receives is 0102655411, it searches the address book for a matching number and retrieves the name at index 1. The name on the screen is derived only from the presented number, which is exactly what SpoofCard lets the caller choose.

Many threats from this service have already appeared. Some banks lost a lot of money because hackers used the service to call the banks' customers and obtain their credit card and private information; it was a piece of cake.

It is like the old days of open relays on mail systems. There should be a binding between the number that appears on the screen and the caller's SIM card.

Reference: SpoofCard

Honeytokens

It is like a honeypot, with one distinguishing difference: there is no need for a computer. A honeytoken can be a credit card number, an Excel spreadsheet, a PowerPoint presentation, a database entry, or even a bogus login.

The concept of honeytokens is not new. In Cliff Stoll's book "The Cuckoo's Egg," he explains how he trapped the German attacker. A honeytoken is just like a honeypot: you put it out there and no one should interact with it. Any interaction with a honeytoken most likely represents unauthorized or malicious activity.

How do you detect the unauthorized access to a database when that database has thousands of records, with hundreds of authorized users? Maintaining who is authorized to what can be complex, with false positives becoming a huge problem. Honeytokens can be used to solve and simplify this problem.

You simply insert bogus information, such as a credit card number, into your database and monitor for anyone accessing that record. Since nobody should, any access is an indication that you have an intruder and that more attention should be paid.

It is advisable to use honeytokens alongside your existing information security tools. They can also be a good tool for catching misbehavior by internal employees. For example, we could plant honeytokens in senior management's email. The idea is that an internal employee may be reading management's email to gain access to privileged information. To track such unauthorized activity we create a bogus email, or honeytoken, and plant it in management's mailbox. The email could look like this:

To: Chief Financial Officer
From: Security help desk
Subject: Access to financial database
Sir,
We have updated your access to the company's financial records. Your new login and password to the system can be found below. If you need any help or assistance, do not hesitate to contact us.
https://finances.ourcompany.com
login:ayman.galal
password: AyMaN@GaLaL
Security Help Desk
If an attacker is cruising through emails and comes across this, he most likely will attempt to access the financial server, thinking he could retrieve highly confidential information. The web site ‘finances.ourcompany.com’ is really a honeypot watching the network for unauthorized activity. The moment someone tries to access this site, he is actually accessing your honeypot server. Once he starts to use the login from the email you planted, you know you have someone reading senior management's email. The moment such a connection happens, you immediately initiate a trace back to identify the attacker’s computer.
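To make the detection side concrete, here is an added Python example (not from the post or from the Security Focus article) that watches for the two kinds of honeytoken described above: a bogus credit card row planted in a database and the planted login from the email. The log lines, the card number and the source address are constructed for the example; the login name ayman.galal is the one used in the post's sample email.

```python
import re
from dataclasses import dataclass

# Constructed honeytokens: fake values that exist only to be watched.
# Nobody has a legitimate reason to touch them, so any hit is an alert.
HONEYTOKENS = {
    "4111-1111-1111-9999": "bogus credit card row planted in the customers table",
    "ayman.galal": "bogus login planted in the CFO's mailbox",
}

# Constructed sample log lines. The first two imitate a database audit log;
# the last two imitate the web honeypot behind finances.ourcompany.com.
SAMPLE_LOGS = [
    "2007-07-30 09:12:01 db audit user=alice stmt=SELECT name FROM customers WHERE id=42",
    "2007-07-30 09:15:44 db audit user=bob stmt=SELECT * FROM customers WHERE card='4111-1111-1111-9999'",
    "2007-07-30 10:02:13 honeypot src=10.0.5.23 login=jsmith result=fail",
    "2007-07-30 10:03:07 honeypot src=10.0.5.23 login=ayman.galal result=fail",
]


@dataclass(frozen=True)
class Alert:
    token: str
    source: str  # database user or network source that touched the token
    line: str


def actor_of(line):
    """Database lines name the user; honeypot lines name the source address."""
    m = re.search(r"\buser=(\S+)", line) or re.search(r"\bsrc=(\S+)", line)
    return m.group(1) if m else "unknown"


def detect_honeytoken_use(lines, tokens=HONEYTOKENS):
    """Return one Alert per log line that contains a planted honeytoken.

    Because the tokens are bogus, there is no authorization table to consult:
    presence of the token in a query or login attempt is the whole signal.
    """
    alerts = []
    for line in lines:
        for token in tokens:
            if token in line:
                alerts.append(Alert(token=token, source=actor_of(line), line=line))
    return alerts


if __name__ == "__main__":
    for a in detect_honeytoken_use(SAMPLE_LOGS):
        print(f"ALERT: {a.source} touched honeytoken {a.token!r} ({HONEYTOKENS[a.token]})")
```

Run over the constructed lines, the detector flags the database user who selected the bogus card row and the address that tried the planted login, and ignores the ordinary traffic around them.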

Reference: Security Focus

Sunday, 22 July 2007

The IT Audit Process

Before we start talking about IT auditing we need to clarify some information about the types of internal controls and the ways they are implemented.

Types of Internal Controls:

  • Preventive Control
  • Detective Control
  • Corrective Control (Reactive Control)

Types of implementation of internal controls:

  • Administrative implementation
  • Technical Implementation
  • Physical Implementation

We need to answer these questions: what to audit? What type of audit? And how to implement it?

What to audit?

This point is very important because it determines the subsequent steps in your audit process.

What is the type of audit?

The types of audit:

  • Centralized IT functions
  • Decentralized IT functions
  • Business applications
  • Regulatory compliance

After determining what to audit and the type of audit, you need to rank your audits: which one is most important, how frequently to perform each, and the rotation of your audits.

How to implement it?

The IT Audit stages consist of:

  • Planning: the goal here is to determine the objectives and the audit scope. We can determine them using
  1. Hand-off from the audit manager
  2. Preliminary survey
  3. Customer requests
  4. Standard checklists
  5. Research
  • Fieldwork and documentation: it is very important to document your whole process and to look for ways to independently validate the information given and the effectiveness of the controls.
  • Issue discovery and validation: you should discuss your findings with the customer before raising or reporting them. That makes your findings more accurate and effective.
  • Solution development, which can follow one of three approaches:
  1. The recommendation approach (the risky approach)
  2. The management-response approach (the fighting approach)
  3. The solution approach (the recommended one, because the customer gets involved in it)
  • Report drafting and issuance; the report should include
    o Statement of the audit scope
    o Executive summary
    o List of issues, along with action plans for resolving them
  • Issue tracking

Reference:

McGraw-Hill, IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller and Kevin Wheeler

Saturday, 21 July 2007

Cyber Insurance in Information Security

To be honest, when I first saw the title of this article I ignored it, but I was surprised when I looked at the figures presented in the article. The annual gross premium revenue for cyber insurance policies has grown from less than US$100 million in 2002 to US$300 to 350 million by mid-2006 (see the reference). The author of the article claims that by expanding this market, the insurance companies could drive the information security industry and make it more sustainable and controlled. I followed one of his references, “Computer Security: It’s the Economics, Stupid,” by B. Schneier.

Mr. Schneier explains well some facts regarding investment in information security by software vendors and the private sector. He said:

most organizations don’t spend a lot of money on network security. Why? Because the costs are significant: time, expense, reduced functionality, frustrated end users. On the other hand, the costs of ignoring security and getting hacked are small: the possibility of bad press and angry customers, maybe some network downtime, none of which is permanent. And there’s some regulatory pressure, from audits or lawsuits, that add additional costs. The result: a smart organization does what everyone else does, and no more.

And he added:

The same economic reasoning explains why software vendors don’t spend a lot of effort securing their products. The costs of adding good security are significant—large expenses, reduced functionality, delayed product releases, annoyed users—while the costs of ignoring security are minor: occasional bad press, and maybe some users switching to competitors’ products. Any smart software vendor will talk big about security, but do as little as possible.

Mr. Schneier made a very good statement:

Network security is a business problem, and the only way to fix it is to concentrate on the business motivations. We need to change the costs; security needs to affect an organization’s bottom line in an obvious way. In order to improve computer security, the CEO must care.

He is absolutely right. I consider that information security should be a business enabler, aligned with the organization's business objectives and strategy. But his paper is quite old, from the 2002 Workshop on the Economics of Information Security (WEIS). Nowadays new regulation targets liability, as he suggested in his paper. Also, frameworks such as COBIT 4.1 and ITIL v3 all have the same objective: information security should be aligned with the overall business objectives and strategy of the organization.

Reference: IEEE Security & Privacy magazine, (Vol. 5, No. 3)

SELinux & Access Controls - 2

A role is chiefly a semantic construct forming the basis of access control policy. With RBAC, system administrators create roles according to the job functions performed in a company or organization, grant permissions (access authorization) to those roles, and then assign users to the roles on the basis of their specific job responsibilities and qualifications. This means you can map your organization's structure onto roles. For example, an operator role might access all computer resources but not change access permissions; a security-officer role might change permissions but have no access to resources; and an auditor role might access only audit trails.

The standard “ANSI/INCITS 359-2004” consists of two parts:
  • Reference Model
  • Functional Specification of the model components
The reference models are:
    1. Core RBAC defines a minimum collection of RBAC elements, element sets, and relations in order to completely achieve a Role-Based Access Control system. This includes user-role assignment and permission-role assignment relations, considered fundamental in any RBAC system. In addition Core RBAC introduces the concept of role activation as part of a user’s session within a computer system. Core RBAC is required in any RBAC system, but the other components are independent of each other and may be implemented separately.
    2. Hierarchical RBAC adds relations for supporting role hierarchies. Hierarchical RBAC goes beyond simple user and permission role assignment by introducing the concept of a role’s set of authorized users and authorized permissions.
    3. Static Separation of Duty Relations adds relations among roles with respect to user assignments. Because of the potential for inconsistencies with respect to static separation of duty relations and inheritance relations of a role hierarchy, the SSD relations model component defines relations in both the presence and absence of role hierarchies.
    4. The fourth model component, Dynamic Separation of Duty Relations, defines relations with respect to roles activated as part of a user’s session.
RBAC versus MAC & DAC:
Some say it is an adjunct to them and some say it is a replacement for them.

RBAC & Groups:
When we create groups in Microsoft Windows 2000, for example, we can easily add users to them, so we consider a group a collection of users. When we assign permissions, we grant them to groups or to individual users. But we face a big challenge when we need to find out exactly where a certain group has been granted permissions; with RBAC this is an extremely easy task. As mentioned before, a role is a collection of users and permissions, so determining which users and permissions are granted to a given role becomes an easy task across the enterprise. Also, a role is a policy component which, regardless of implementation, carries the same rule set, whereas a group is implementation-specific.

RBAC & Access Control Lists (ACL):
In an ACL the access rights for an object are stored with the object itself, which weakens the access control system and complicates access management. Suppose you grant access rights to some individual users and groups, these rights are stored with the object, and later you revoke the rights from the group. You may find that security assurance becomes difficult to achieve, especially as your systems grow bigger and bigger, because you may have left some individual users with access rights.
References:
  1. IEEE Computer magazine, February 1996 (Vol. 29, No. 2), pp. 38-47
  2. NIST - Role Based Access Control
  3. Information Security Management Handbook, Chapter 61 by Ian Clark.
  4. OASIS eXtensible Access Control Markup Language (XACML) TC

Wednesday, 18 July 2007

Information Security & ROI debate

I read three days ago what Richard Bejtlich wrote on his blog. Before that blog post I refused his idea and put my reply with a little bit of explanation. But really, I became confused. Richard said it is wealth saving instead of wealth return. But what is the difference, as long as this keeps your initial investment and your revenue secure? I mean, you may earn £500 by investing £1000, but you could lose this revenue if you didn't secure it. The other point is that information technology as a whole increases ROI by reducing (saving) operational costs. I may agree that regulatory certifications aren't ROSI, because they are mandatory by law and we should consider them part of the operating cost.

Now, here is what I got. Kenneth F. Belva wrote to Dr. Lawrence Gordon and Dr. Martin Loeb asking their opinion, and here is what they sent to him:

' Dear Ken:
Thanks for your e-mail message concerning the question: Does Information Security have an ROI? It is important to realize that there is a very large body of academic and practitioner oriented literature in accounting and economics (going back to at least the early 1900s) that addresses the more fundamental issues of:
(1) ROI vs. a real economic rate of return (usually called the IRR), and (2) maximizing the ROI (or IRR) is, in general, not an appropriate economic objective.
The above noted, it is conceptually possible to compute the ROI for information security investments, but there are significant measurement problems with such a metric. Accordingly, those who argue that you can compute an ROI for information security investments are technically correct. However, those who argue that an ROI for information security investments has significant measurement problems and therefore should not be computed, certainly raise a valid concern.
Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm).
Sincerely, Larry '

I think this answer will close this debate.

Tuesday, 17 July 2007

SELinux & Access Controls - 1

There are two types of access control:

  • Discretionary Access Control (DAC)
In DAC systems every object has an owner, initially the user who created it. The access policy for the object is determined by its owner, who decides who is allowed access to the object and what privileges they have.
  • Mandatory Access Control (MAC)
In this type of access control the policy is determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.

The access control models that could be used are:
  • Lattice Models
  • Bell-LaPadula Model
  • Biba Model
  • Take-Grant Model
  • Clark-Wilson Model
Well, what is the objective of all this? It is an introduction to SELinux (RBAC). Today I faced a big problem when I tried to load a module into the kernel: when I rebooted the machine it didn't start up. I solved the problem by disabling SELinux in the kernel, and the machine started up again. So I decided to understand SELinux well. I used to work with it with the default settings and policy, but today I found it is very important to understand it more and give it more attention. I have collected good materials and I hope within this week I can put what I got in a simple way on this blog.
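Added example, not from Wikipedia or the post: a Python sketch contrasting the two types. The DAC object lets only its owner edit its access list, while the MAC check applies the Bell-LaPadula rules from the model list above (no read up, no write down) regardless of who owns the object, and a layered check shows why both must pass on a system that runs a MAC policy on top of DAC, as SELinux does. Subject names, object names and the four classification levels are constructed for the example.

```python
# Constructed classification levels, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


class DacObject:
    """Discretionary control: the owner decides who may do what."""

    def __init__(self, name, owner):
        self.name, self.owner = name, owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor, user, right):
        # Only the owner may change the object's access list.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.acl.setdefault(user, set()).add(right)

    def allows(self, user, right):
        return right in self.acl.get(user, set())


def mac_allows(subject_level, object_level, op):
    """Bell-LaPadula: simple security property (no read up) and *-property
    (no write down). The owner of the object plays no part in the decision."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def layered_allows(obj, user, right, subject_level, object_level):
    """Linux consults DAC first and SELinux second; an access must pass both."""
    return obj.allows(user, right) and mac_allows(subject_level, object_level, right)


def demo():
    """Constructed scenario: alice owns a memo and shares it with bob."""
    memo = DacObject("memo.txt", owner="alice")
    memo.grant("alice", "bob", "read")
    try:
        memo.grant("bob", "mallory", "read")  # bob is not the owner
        bob_can_grant = True
    except PermissionError:
        bob_can_grant = False
    return {
        "dac_bob_reads": memo.allows("bob", "read"),
        "dac_bob_can_grant": bob_can_grant,
        "mac_secret_reads_confidential": mac_allows("secret", "confidential", "read"),
        "mac_secret_reads_top_secret": mac_allows("secret", "top-secret", "read"),
        "mac_secret_writes_unclassified": mac_allows("secret", "unclassified", "write"),
        # DAC says yes (alice shared it) but MAC says no: bob is cleared only
        # to confidential while the memo is labelled secret.
        "layered_bob_reads_secret_memo": layered_allows(memo, "bob", "read", "confidential", "secret"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```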

Reference: Wikipedia

Sunday, 15 July 2007

Long-Term Archive and Notary Services (ltans)

Description of Working Group:

In many scenarios, users need to be able to ensure and prove the existence and validity of data, especially digitally signed data, in a common and reproducible way over a long and possibly undetermined period of time.

Cryptographic means are useful, but they do not provide the whole solution. For example, digital signatures (generated with a particular key size) might become weak over time due to improved computational capabilities, new cryptanalytic attacks might "break" a digital signature algorithm, public key certificates might be revoked or expire, and so on. Complementary methods covering potential weaknesses are necessary.

Long-term non-repudiation of digitally signed data is an important aspect of PKI-related standards. Standard mechanisms are needed to handle routine events, such as expiry of signer's public key certificate and expiry of trusted time stamp authority certificate. A single timestamp is not sufficient for this purpose. Additionally, the reliable preservation of content across change of formats, application of electronic notarizations, and subsequent notary services require standard solutions.

The objective of the LTANS working group is to define requirements, data structures and protocols for the secure usage of the necessary archive and notary services. First, the requirements for the long-term archive will be collected. Based on that information we will develop a protocol to access archive services supplying long-term non-repudiation for signed documents and define common data structures and formats. Upon completion of the archive-related specifications, we will address 'notary services' in a similar way. The term 'notary services' is not clearly defined. The working group will determine which functions need standards, including transformation of documents from one format to another without losing the value of evidence, electronic notarization, and further verification of legal validity of signed documents. We will determine the needs via the requirements paper and act upon the results accordingly. Work done by the IETF Working Groups PKIX, S/MIME and XMLDSIG will be used as the basis to define those structures and protocols. For example, the Internet-Drafts "Archive Time-Stamps Syntax (ATS)" and "Trusted Archive Protocol (TAP)" and RFC 3029, "Data Validation and Certificate Server Protocols (DVCS)", contain applicable concepts.
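To show why a single timestamp is not enough and how renewal carries evidence forward before an algorithm weakens, here is an added Python example written for this post; it is not an implementation of the LTANS drafts (ATS, TAP) or of RFC 3029. The time-stamp authority is simulated with an HMAC under a shared key where a real TSA would sign with its certificate; the document, the dates and the key are constructed.

```python
import hashlib
import hmac
import json


class FakeTSA:
    """Stand-in for a Time-Stamp Authority. Tokens are HMAC-authenticated here;
    a real TSA signs them with its certificate, which can itself expire."""

    def __init__(self, key):
        self.key = key

    def _tag(self, body):
        return hmac.new(self.key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

    def timestamp(self, hash_alg, digest_hex, when):
        body = {"alg": hash_alg, "digest": digest_hex, "time": when}
        return {**body, "tag": self._tag(body)}

    def verify(self, token):
        body = {k: token[k] for k in ("alg", "digest", "time")}
        return hmac.compare_digest(self._tag(body), token["tag"])


def digest(alg, data):
    return hashlib.new(alg, data).hexdigest()


def encode(token):
    return json.dumps(token, sort_keys=True).encode()


def initial_timestamp(tsa, document, alg, when):
    """Start an archive chain: one token over the document's digest."""
    return [tsa.timestamp(alg, digest(alg, document), when)]


def renew(tsa, chain, document, new_alg, when):
    """Add a token that covers the document under the new algorithm AND the
    previous token, so the old evidence is carried forward before it weakens."""
    linked = digest(new_alg, document + encode(chain[-1]))
    return chain + [tsa.timestamp(new_alg, linked, when)]


def verify_chain(tsa, chain, document):
    """Every token must verify, and each must bind the document to its predecessor."""
    if not chain or not tsa.verify(chain[0]):
        return False
    if chain[0]["digest"] != digest(chain[0]["alg"], document):
        return False
    for prev, cur in zip(chain, chain[1:]):
        if not tsa.verify(cur) or cur["digest"] != digest(cur["alg"], document + encode(prev)):
            return False
    return True


def needs_renewal(chain, weak_algs):
    """The newest token must use an algorithm that is still considered strong."""
    return chain[-1]["alg"] in weak_algs


if __name__ == "__main__":
    tsa = FakeTSA(b"constructed-tsa-key")
    doc = b"signed contract (constructed)"
    chain = initial_timestamp(tsa, doc, "sha1", "2007-07-15")
    print("renewal needed:", needs_renewal(chain, {"sha1"}))
    chain = renew(tsa, chain, doc, "sha256", "2012-01-01")
    print("chain valid:", verify_chain(tsa, chain, doc), "renewal needed:", needs_renewal(chain, {"sha1"}))
```

The renewal must happen while the old token can still be verified; once the old algorithm is broken, a fresh token over the document alone would prove nothing about when it first existed.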

Long-term Archive Protocol (LTAP)