Mobile Computing: Securing your workforce

The following introduction was published as the foreword to the BCS eBook on Mobile Computing: Securing your workforce:

“It’s been less than 3 decades since the first commercial handheld cellular phone hit the market. Costing some $3,995, and likened to a brick, it immediately gained a long waiting list. Price and size have come down in the intervening years, and popularity has soared. The technology has moved from analogue to digital and the handsets can now do so much more than make and receive voice telephone calls.

We’ve seen the introduction of short message service (SMS), multi-media message service (MMS), PDA functions (address book, calendar, notes), email, browsing (WAP through to modern browsers), full Internet access and applications. Each new capability has opened up additional potential exposures for users.

Modern smartphones combine elements of mobile phone, personal digital assistant (PDA) and laptop into a small, easily lost or stolen, high value device. With e-wallets, NFC and tablets, and with more and more confidential information stored as capacity grows, its value – and the impact when lost – increases even more.

Phones are not the only devices we’re mobile with either. PDAs, laptops, tablets all add to the complexity, as does the growth in employees using their own devices and bringing them into the enterprise. Organisations need to cope, educate and secure.

Although manufacturers, operators, OS/Application vendors and businesses try to control and/or secure their platforms, there are limits to what is technically possible and acceptable to users. Many people are no longer content with a device that cannot perform the functions or run the applications they see others do. Indeed, some will take exception to any level of control/security and ‘jailbreak’ or ‘unlock’ their devices so that they can run what they want on whatever network is available.

Whatever portable device you use, this eBook contains some useful advice to consider – to help improve your mobile security.”

The eBook is available online for preview and order via:

http://www.bcs.org/category/16307

ITNow – Secure Software

The following introduction was originally published in the Information Security section of the BCS ITNow Magazine, December 2011 issue (Volume 53, Issue 6), which was on the topic of Secure Software:

Welcome to Information Security Now (ISNOW) in its new home in ITNOW. Since security and IT are often inseparable neither should be ignored, says Gareth Niblett chair of BCS ISSG.

Some consider secure software an oxymoron, and history has many incidents that seem to support this position, writes Gareth Niblett, Chair of the ISSG.

Most of us depend on software in our work and lives, although we sometimes may not realise it, and secure, dependable and resilient software is required for many of the things we take for granted.

All too frequently we hear of major IT project failures, online services being unavailable, systems being configured incorrectly, crashing and so on. Sometimes it is simply an inconvenience; sometimes there are serious consequences. Loss of Facebook is (or should be) less disastrous than an incorrect radiation dosage.

With hundreds of thousands of apps out in the mobile marketplace, along with all the software (and malware) that can be installed on personal computers, what assurances do end users, and the organisations they might work in, have that the software is secure, respects their privacy and is available when needed?

Tier 1 risk
In 2010, the UK National Security Strategy identified 15 priority risks, including a Tier 1 risk of hostile attacks upon UK cyber space, potential shortcomings in the UK’s cyber infrastructure and the actions of cyber terrorists and criminals: reduction of this risk is inherently linked to improving software security, dependability and resilience.

The Software Security, Dependability and Resilience Initiative (SSDRI – http://www.ssdri.org.uk/), which is a UK public-private platform for making software better, may be one initiative that can help in this area.

The SSDRI evolved from a Technology Strategy Board and Centre for the Protection of National Infrastructure-sponsored Secure Software Development Partnership.

Secure software is a BCS Security Community of Expertise (SCoE) hot topic.

A PDF version of the magazine is available online to BCS members at:

https://wam.bcs.org/wam/sentinelcheck.exe?/20799/20802/20964/20967/pdf/dec11.pdf

Preventing Voicemail Hacking

The following article on preventing voicemail hacking was originally published on the BCS website:

Voicemail hacking is not new. The two main methods are guessing PINs or using spoofing to bypass caller ID-based access control.

For convenient remote access to voicemail, e.g. where caller ID is not available or when the user is calling from a different phone, service providers allow users to authenticate through the use of PINs. Invariably these are short, usually four digits, and often they are preset to a known default – making hacking a simple guessing game.

Where caller ID is available, service providers use it to automatically identify users and allow direct access into their voicemail boxes. Unfortunately, caller ID spoofing has been around, for legitimate reasons, as long as caller ID. This facility can be misused to falsely represent the Calling Party and bypass such access control.

Historically, unlike other forms of login, service providers have not put much effort into the prevention and detection of brute force PIN guessing or caller ID spoofing attacks. Some limit the number of attempts per call, say to three, but attackers can set up automated brute force attack systems to break even a four digit PIN over a weekend.

In the US it is not illegal, at the federal level, to offer a public caller ID spoofing service. In the UK, regulator Ofcom has wisely chosen to try to restrict such public service offerings. Unfortunately, access to the right switchboard software or network signalling can enable a caller to set whatever Caller ID they wish.

Caller ID spoofing services can help reduce this type of fraud by not allowing the spoofing of a calling ID where it is the same as the called party number, so that someone cannot masquerade as a mobile phone and be automatically admitted by the mobile operator’s filtering mechanism. Some already have this restriction.

Mobile operators could improve things by:

  1. requiring that robust PINs are set for all accounts with voicemail;
  2. notifying users of (repeated) failed attempts to log in to accounts – not just with a voicemail (as one operator does), which a successful attacker would delete;
  3. only trusting calls presenting caller IDs of their own customers when those calls originate from their own or roaming partner networks;
  4. relying less on presentation ID (easily spoofed) than on network ID (less easily spoofed) when automatically connecting a caller to voicemail.

Users could improve things by:

  1. regularly changing the voicemail PIN to a non-predictable number, so that if you were compromised you lock out your attacker until they can break in again;
  2. listening out for old messages they don’t recall hearing before;
  3. noticing when told of a voicemail being left that they did not receive;
  4. disabling voicemail where it is not required or where they are concerned about intrusion.

Awareness is the name of the game and reporting suspected breaches to your service provider, police and the Information Commissioner’s Office will maintain focus on this continued area of weakness in personal communications.

Gareth Niblett is the chair of BCS ISSG and previously a CISO at a telecommunications group.

Edited from my submitted text, due to length, were the following paragraphs that you may also find useful:

“Business voicemail, as a feature of a private branch exchange (PBX) or automated call distribution (ACD) system, is also vulnerable to poorly set PINs – which are often the last digits of the direct dial in (DDI) number, the same as the extension, or a common default – as well as to caller ID spoofing or simply using the target’s handset.

Skype and VoIP services also provide a voicemail capability, and where software clients are used there is also the risk of malware that could allow an attacker to gain access to credentials or data enabling them to monitor calls or messages. Staying up-to-date with patches and anti-virus updates, as well as strong passwords, will help.”
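The two recurring themes above are predictable PINs (defaults, sequences, the last digits of the DDI, the extension) and brute-force guessing that a three-attempts-per-call limit does not stop because the attacker simply redials. The following is an added example, not part of the original BCS article: a PIN policy check covering the weak patterns the article names, and a detector that aggregates failed attempts per mailbox across calls and callers over a sliding window, marking the case where a success follows a burst of failures (the event an operator should tell the subscriber about out-of-band). The log format, the sample log lines, the number ranges, the default-PIN list, the six-digit minimum and the alert threshold are all constructed assumptions for illustration.

```python
"""Voicemail PIN policy check and cross-call PIN-guessing detection.

Added example (not from the BCS article). The log format, number ranges,
thresholds and the list of default PINs are all constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed list of PINs that commonly ship as defaults (assumption).
COMMON_DEFAULT_PINS = {"0000", "1234", "1111", "2580", "1212", "9999"}
MIN_PIN_LEN = 6  # policy chosen for this example; the article notes four digits is the norm


def pin_weakness(pin: str, ddi: Optional[str] = None,
                 extension: Optional[str] = None) -> Optional[str]:
    """Return why `pin` is predictable, or None if it passes every check.

    ddi: digits of the direct dial-in number the mailbox belongs to.
    extension: the internal extension of that mailbox, if any.
    """
    if not pin.isdigit():
        return "non-numeric"
    if pin in COMMON_DEFAULT_PINS:
        return "common default"
    if len(pin) < MIN_PIN_LEN:
        return "too short"
    if len(set(pin)) == 1:
        return "repeated digit"
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):  # 123456 / 654321 style runs
        return "sequential"
    if ddi and ddi.endswith(pin):
        return "last digits of DDI"
    if extension and extension in pin:
        return "contains extension"
    return None


# Constructed authentication-log format (assumption): one line per PIN attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) mailbox=(?P<mailbox>\d+) caller=(?P<caller>\S+) result=(?P<result>OK|FAIL)$"
)


def detect_pin_guessing(log_lines, window=timedelta(hours=1), threshold=6):
    """Flag mailboxes with more than `threshold` failed attempts inside a sliding window.

    A per-call limit of three guesses does not stop an attacker who redials, so
    failures are aggregated across calls and callers. The default threshold is two
    full calls' worth of failures. Returns {mailbox: alert dict}.
    """
    recent = defaultdict(deque)  # mailbox -> deque of (timestamp, caller) failures in window
    alerts = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the expected format
        ts = datetime.fromisoformat(m["ts"])
        box = m["mailbox"]
        if m["result"] == "OK":
            # a login succeeding after a burst of failures is what the subscriber should
            # be told about out-of-band, not via a voicemail the attacker can delete
            if box in alerts:
                alerts[box]["success_after_burst"] = True
            continue
        q = recent[box]
        q.append((ts, m["caller"]))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            a = alerts.setdefault(box, {"peak_failures": 0, "callers": set(),
                                        "success_after_burst": False})
            a["peak_failures"] = max(a["peak_failures"], len(q))
            a["callers"].update(c for _, c in q)  # attackers often rotate calling numbers
            a["last_failure"] = ts
    return alerts


# Constructed sample log: one genuine mistype on mailbox ...456, then three calls
# of three guesses each against mailbox ...123 from two numbers, followed by a success.
SAMPLE_LOG = """\
2011-07-16T01:58:10 mailbox=447700900456 caller=447700900456 result=FAIL
2011-07-16T01:58:20 mailbox=447700900456 caller=447700900456 result=OK
2011-07-16T02:00:01 mailbox=447700900123 caller=441632960001 result=FAIL
2011-07-16T02:00:09 mailbox=447700900123 caller=441632960001 result=FAIL
2011-07-16T02:00:17 mailbox=447700900123 caller=441632960001 result=FAIL
2011-07-16T02:05:01 mailbox=447700900123 caller=441632960001 result=FAIL
2011-07-16T02:05:09 mailbox=447700900123 caller=441632960001 result=FAIL
2011-07-16T02:05:17 mailbox=447700900123 caller=441632960001 result=FAIL
2011-07-16T02:10:01 mailbox=447700900123 caller=441632960002 result=FAIL
2011-07-16T02:10:09 mailbox=447700900123 caller=441632960002 result=FAIL
2011-07-16T02:10:17 mailbox=447700900123 caller=441632960002 result=FAIL
2011-07-16T02:20:01 mailbox=447700900123 caller=441632960002 result=OK
""".splitlines()

if __name__ == "__main__":
    for candidate in ("1234", "777777", "123456", "900123", "726194"):
        print(candidate, "->", pin_weakness(candidate, ddi="447700900123") or "acceptable")
    for box, alert in detect_pin_guessing(SAMPLE_LOG).items():
        print(box, alert)
```

The detector keys on the mailbox rather than the caller because the per-call lockout already handles a single noisy caller; what it cannot see is the same mailbox being worked over by a sequence of short calls, possibly from rotating or withheld numbers, which is exactly the pattern the article says can break a four-digit PIN over a weekend.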

The original version of this piece is available online at:

http://www.bcs.org/content/conWebDoc/41177

NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) – 3rd International Conference on Cyber Conflict (ICCC)

The following conference report was originally published in the BCS Information Security Now Magazine, Summer 2011 issue (Volume 5, Issue 4), which was on the topic of Cyber Warfare:

ISSG Chairman Gareth Niblett reports from the 3rd International Conference on Cyber Conflict (ICCC), organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia.

This conference rated as one of the best I have attended in the last 20 years – not having to speak or organise possibly helped. The first day opened with an introduction and scene setting by Col Ilmar Tamm, the NATO CCD COE Director followed by a keynote from the President of Estonia, Toomas Hendrik Ilves, who demonstrated both a deep understanding of cybersecurity issues and an ability to communicate them clearly, even to an expert audience. I’d be impressed if leaders of other countries could do even half as well.

Ilves told the audience to look past state-to-state for asymmetrical cyber attacks, and towards handling an increase in plausibly deniable online operations, subcontracted to the private sector, with official public statements of disbelief when accused of involvement. Cyber attacks can offer a negative take on public private partnerships (PPP), with botnet-herders and hackers implementing state desires without being part of the apparatus of government or military directly.

The president challenged governments to look beyond their fixation on military infrastructure (~2 per cent GDP) and towards protecting intellectual property. It is easier to steal than develop through investment and R&D (~3 per cent GDP) and arguably this could have a greater impact on a country. As part of a positive PPP, providing information sharing for mutual protection, Estonia has established a Cyber Defence League (CDL), weekend warriors with ponytails, to help protect its critical national infrastructures – much of which resides in the private sector, which is also where the otherwise unaffordable knowledge and expertise lies.

Nation perspective
Major General Jonathan Shaw, UK MoD, followed with a talk covering cyber force from a nation state perspective, and a view that cyber warfare will not overtake kinetic, although the UK MoD has woken up to the threat and is addressing it in the Defence Review. Shaw expressed a position that cyber war is about people, not technology, and we should also start looking for the next thing beyond it. He stated that cyber war sits in a continuum of tools and must be integrated into training and operations, as well as a traditional defence capability of defend, detect and respond and it should be mainstream for defence in the UK by 2015.

Concepts and challenges
Apart from the keynotes, the days were split into two tracks – one covering concepts, strategy and law, which remains an emerging area, and the other covering technical challenges and solutions, which is a continual battle. All had an excellent array of speakers and topics but some of the highlights for me were:

Charlie Miller, Accuvant Labs, explaining the technical approaches to discovering unknown vulnerabilities in products, including Apple iPhones, and watching the media concentrate on slides about code disassembly and buffer overflows.

Tom Wingfield, Marshall Centre, Germany, discussing the ongoing development of a manual of international law applicable for cyber conflict, which was explained with the use of onstage shrubbery during the media workshop prior to the conference.

Raoul Chiesa, United Nations, giving an overview of the long-term study on the underground hacking scene, with statistics from over 1,200 interviews / profiles, along with an interesting view of five generations of hackers, from original to present.

Ralph Langner, who led the efforts in reverse engineering and analysing the Stuxnet worm, which was referred to as the first actually deployed cyber weapon in history, covering its architecture, highly targeted nature and implications. Ralph was engaging and had an excellent appreciation of the cybersecurity world, having come from a control systems background – a boon in the SCADA world.

Sachin Deodhar, Cyberconflict Researcher, India, discussing the use of covert communications channels in VoIP and its possible uses in terrorist planning and co-ordination and the challenges it presents to investigators. This is a threat area that I warned lawful interception agencies of quite a few years ago, as certain types wish to evade both traffic and content analysis yet want near real-time communications.

Richard LaTulip, US Secret Service, on shedding the suit and growing long hair to infiltrate both the underground credit card fraud and surfer scene, winning the trust of criminals and, with Operation Carder Kaos, dismantling one of the leading online black market sites for stolen card details.

Iosif Androulidakis, Ioannina University, Greece, talking about how the introduction of modern communications technology doesn’t address traditional issues of PBX security, interception and forensics; indeed adding IP can make things worse.

Mikko Hypponen, Chief Research Officer of F-Secure, covering cyber espionage in practice, provided real world examples of spear-phishing emails and malicious files, which had been collected by anti-virus research organisations. Mikko’s constant research, targeting the criminal underworld, also makes him a target; shortly after the conference, a fake news story was released in an attempt at discrediting him.

Unfortunately, it was not possible to attend or cover all the talks, but it was obvious why people from all over the world keep coming back to Tallinn for this conference, beyond the local sights, food, drink and summer weather.

Estonia is known as e-Estonia (http://e-estonia.com/) due to its highly digital society, and this can only be sustained through constant vigilance and protection. As such, Estonia is working to be at the forefront of research and preparation.

No hype
Obviously, the infamous 2007 cyberattacks against Estonia were mentioned numerous times, but without much of the hype that the media heaped upon it. Most delegates recognised it as a minor annoyance – rather than a cyber war or cyber terrorism delivering widespread panic, real-life casualties, or significant infrastructure or economic damage – whilst cognisant that the next attack may go beyond mere inconvenience.

Co-operation and co-ordination were mentioned throughout the conference, but issues of trust and privacy, from both an organisational and a legal standpoint, require continued effort to address, and everyone plays a part in cyber defence: government, intelligence, law enforcement, military, public sector, private sector and even the citizen. The 4th conference is scheduled for Tallinn 2012 and I hope to attend again and see how efforts have continued and increased over 12 months.

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-summer-2011.pdf

ISNow – Cyber Warfare

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2011 issue (Volume 5, Issue 4), which was on the topic of Cyber Warfare:

“One of the significant problems with cyber war, versus traditional kinetic warfare, is the lack of agreed definitions and rules.

Proposals are beginning to emerge, and the NATO Cooperative Cyber Defence Centre of Excellence (www.ccdcoe.org) based in Tallinn, Estonia, has produced a reference called ‘The 10 Rules of Behaviour for Cyber Security’, which I think provides a good starting point:

1. Territoriality. Information infrastructure located within a state’s territory is subject to that state’s territorial sovereignty. Using the concepts of property, sovereignty and jurisdiction, states can enforce cyber security from a national security perspective.
2. Responsibility. The fact that a cyber attack has been launched from an information system located in a state’s territory invokes the responsibility of that state for the attack.
3. Cooperation. The fact that a cyber attack has been conducted via the information system located in a state’s territory creates a duty to cooperate with the victim state.
4. Self-defence. Everyone has the right to self-defence when facing a clear and imminent danger.
5. Data exchange. Information infrastructure monitoring data is perceived personal unless provided for otherwise.
6. Duty of care. Everyone has the responsibility to implement a reasonable level of security in their information infrastructure.
7. Early warning. Everyone has to notify the potential victims about an upcoming cyber attack.
8. Access to information. The public has the right to be informed about threats to their life, security and well-being.
9. Criminality. Every nation has the responsibility to include the most common cyber offences in its substantive criminal law.
10. Mandate. An organisation’s capacity to act (and regulate) derives from its mandate.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-summer-2011.pdf

The Blog of Gareth Niblett