Anonymous Attacks Irish Government Websites

January 25th, 2012

This evening I was putting together my slide deck for an upcoming presentation at the next IISF meeting on my information security predictions for 2012. One of the topics I am going to discuss is the rise of hacktivism and the impact that can have on an organisation. Ironically, as I was writing my slides Anonymous announced operation OpIreland in which they are targeting Irish government websites. OpIreland is in protest against a law the Irish government is planning to introduce to allow copyright holders to get websites blocked that they claim are hosting pirated material.

According to The Journal.ie, the websites of the Department of Justice and Finance have been impacted by the attack.  From watching various updates on Twitter other government websites seem to be also impacted, but as yet it is not clear whether or not this is a direct result of the OpIreland attack or if these sites share or are hosted on the same infrastructure as the targeted sites. 

It also appears that the mobile phone numbers and email addresses of all the TDs have been published, information that was publicly available in the first place anyway.

While these attacks appear to have happened at an unusual time, midnight on a Tuesday night, and have had minimal impact on the general population, they could simply be a “warning shot” from Anonymous highlighting the campaign has started.  Over the coming days we may see these attacks intensify, especially as more people are recruited into the operation. Typically these attacks will eventually fade away as those taking part in the attack lose interest and move onto other items.

Many will see this as a way to draw the government’s attention to the concerns many have with the proposed new law. However, I believe that this action will simply divert the attention of the media and elected officials away from the core issue at heart and focus instead on Ireland being subjected to these attacks. TJ McIntyre argues this case more eloquently than I can in his blog post Anonymous attacks on Ireland will hurt, not help the case against blocking.

If you want to register your protest against the proposed changes in the law then you should consider taking what I believe to be the more constructive and democratic option of signing the StopSOPAIreland petition rather than taking part in the OpIreland attacks.

If you are a system administrator based in Ireland and responsible for managing your organisation’s websites and systems, then you should do a risk profile of your organisation to determine whether it will be a potential target of OpIreland. If so, then you should take some proactive measures to ensure the security of your systems:

  • Ensure your systems are fully patched. This includes your firewalls, your operating systems, web server software and the web application software on your site.
  • Review all your firewall rules and ensure they are up to date and correct.
  • Ensure your log files are turned on, that they are recording key events and that you are actively monitoring them for suspicious activity.
  • Look at deploying DDoS mitigation tools.
  • Ensure all your passwords are secure passwords and are not re-used across multiple systems.
  • If you have Intrusion Detection Systems (IDS) in place, ensure they are configured and working properly and are being monitored.
  • Have your incident response plan close by in the event that you are impacted.

So You Want to Write a Book On Information Security?

January 17th, 2012

This blog post is in response to a number of people who have approached me looking for advice on how to write and get a book on information security published. Having got my own book published, ISO 27001 In a Windows Environment, and co-authored The Cloud Security Rules, I was only too happy to share my experiences with them. It also led me to create this blog post in the hope that it may be of some help to others thinking the same thing.

So you want to write a book? It’s great that you want to share your knowledge with others. I am a firm believer that sharing information and knowledge is one of the key weapons we as information security professionals have in our armoury to fight the criminals who are targeting and attacking our systems. It can also be a great way to promote your expertise and experience.

However, before going down this route you need to ask yourself one question. Why do you want to write a book? If it is purely for the money then you shouldn’t bother. The royalties you get from a book, unless it takes off like a Bruce Schneier book, will be very low and the money you get won’t fully compensate you for the time spent writing your book. Typically, as an unknown author going through a publisher you will get around 10% of the price of the book as a royalty. To be frank, if you work out the time and effort taken to write a book on an hourly basis you will most likely earn more money working in a fast food restaurant.

However, writing a book has other non-fiscal advantages such as you will be a published author, not a bad thing to have on your profile or CV.  This can help when looking for jobs, consulting gigs, writing gigs with publications or speaking at conferences.

There are two main ways you can get your book published;

Self-publishing is where you write the book and publish it yourself. This method keeps the costs down and you get all the profits. The downside is that you will also have to market and promote the book. You will have to, or pay someone else to, design, lay out and do all the graphics etc. for the book, which takes time and is a skill in itself. You will also have to get someone to edit the book for you. This may involve more than one editor. For example, you may need an editor to edit and critique your writing style. You may also need a technical editor to ensure any technical content you include is accurate. Your editors also need to ensure that any material you include in your book is your own original material and not plagiarised from any other publications. They should also ensure that you properly credit any sources of material you include in your book. Note, as the writer it is your responsibility to ensure the content is original; your editors are there to act as a checkpoint to ensure that is the case and highlight any mistakes or oversights you may have made. You may be lucky and have friends with the skills and time who can do this for you at no cost, or alternatively you will have to hire someone to assist you. You also need to consider how you will get your self-published book distributed, as it may not be possible to get your book sold through traditional channels such as book stores, Amazon etc. You also need to consider how you can market your book and set aside a marketing budget.

The other route is to go through a publisher. Publishers have the necessary resources to publish your book and have all the editors etc. required to ensure the quality of the book is at an acceptable level. But this comes at a cost as you will get a smaller slice of the pie. Also, by going with a known publisher the book will hopefully reach a wider audience and will have better promotion. This in turn raises your profile, which is one of the main reasons people write books. However, working with a publisher is a more structured and formalised process. The publisher will require you to commit to writing the content by certain dates. This can put a lot of stress on you, your family and friends, as the various deadlines come rushing towards you. You also need to factor in that even after those deadlines you may still have to do extra work if there are any edits or changes required.

To get a publisher you should check which publishers specialise in the area that you are thinking of writing in. For example, I would focus on those publishers that specialise in the area of IT security rather than, say, on programming or project management. Once you identify a publisher you will need to submit the idea to them and also include an overview as to how popular the book will be and who will be likely to buy it. This is so they can make a judgement as to whether or not to support your project; after all, they want to make money and a profit from your book.

The publisher should have a submission form or application that you will need to fill in.  This usually entails;

  • Outlining the topic of the book
  • Giving an overview of the structure of the book, e.g. what each chapter will be about.
  • Providing an overview of each chapter
  • What the goals of the book are, i.e. what will the reader get out of reading the book?
  • Who is the target audience for the book?  IT managers, consultants, programmers, business people etc.
  • What is the potential market for the book? What geographic locations will the book target (or be restricted to based on its content, e.g. a book on Data Protection will be mostly confined to the EU market)?
  • What is your background and is it suitable for the book? If you have no relevant experience in the area you are writing on then why would someone want to buy a book from you?
  • When will the book be completed? This is important, not just as a line in the sand for you to meet but it is important for the publisher to know so you can line up editors, designers, printers and marketing people to launch the book. If the deadline is not realistic or achievable then the publisher will not take it on-board.
  • How will the book be promoted?  Will you be willing to promote it at conferences, trade shows, blog posts, in trade publications etc.

Once you have decided which route to take then you need to plan how you are going to write the book. This can be tough if you already have a day job and any personal commitments. Writing a book can take up a lot of time so you need to factor that in and plan for evenings and perhaps weekends where you will have to put work and personal items aside so you can meet your deadlines. I know a number of people who addressed this challenge by posting a series of posts on their blog and then collating them into a book.

I hope this post has been of some help if you are thinking about writing a book and if you decide to go ahead I wish you the best of luck with it.

Merry Christmas to All

December 21st, 2011

Recession has hit and times are hard,
So this year there will be no Christmas card.
Instead of gifts to spread Christmas glee,
We sponsored a star on Focus Ireland’s Christmas tree.

May your Christmas be filled with happiness and joy,
May Santa visit every good girl and boy.
It looks like 2012 will be bumpy for sure
But we wish you a New Year that is happy, prosperous and secure.

Not A Ghost Click Of A Chance

November 10th, 2011

Late yesterday it was announced that the largest cybercrime takedown, dubbed Operation Ghost Click, had been carried out. A gang of 6 people were arrested in a joint operation by the FBI and Estonian police. The six people were arrested in Estonia while the FBI raided a number of datacentres within the US and seized equipment allegedly used by those arrested. The six people arrested are alleged to have participated in a scheme which saw over 4 million computers worldwide infected with a computer virus that made those computers part of a botnet and generated more than $14 million for the criminals.

The criminals used the computer virus to change the DNS settings on the infected computers allowing the criminals to redirect the victims’ Internet traffic to Internet servers under the control of the criminals.  So if the people using an infected computer wanted to go to a certain website the criminals could point the DNS record to a fake replica site under their control and use that to scam money from the victims.

In order to ensure minimum impact on the infected computers the authorities, together with TrendMicro, were able to replace the DNS servers under the criminals’ control with legitimate servers. While this ensures the affected users can continue to use the Internet, their computers still remain infected with the computer virus.

The FBI have set up a page where you can check if your system is infected. TrendMicro provide more details here, with links to their HouseCall software for a free scan and clean-up should your system be infected.
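As an added example (not from the original post, the FBI or TrendMicro), the following Python audits a machine's configured DNS servers for the kind of change described above. It assumes a resolv.conf-style file; the rogue ranges and approved resolvers are constructed placeholders, not the real Operation Ghost Click indicators.

```python
import ipaddress

# Constructed placeholders from documentation address space (RFC 5737 / RFC 3849),
# NOT the real rogue-server ranges; load the published list from a trusted source.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:bad::/48")]

# Assumption: the resolvers your organisation actually hands out to clients.
APPROVED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}

# Constructed sample of a resolv.conf, not taken from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed sample file
search example.internal
nameserver 10.0.0.53
nameserver 192.0.2.77
nameserver 198.51.100.9
nameserver not-an-ip
"""


def classify(addr_text):
    """Return 'approved', 'rogue', 'unexpected' or 'invalid' for one resolver."""
    try:
        # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
        addr = ipaddress.ip_address(addr_text.split("%", 1)[0])
    except ValueError:
        return "invalid"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    if addr in APPROVED_RESOLVERS:
        return "approved"
    return "unexpected"


def audit_resolv_conf(text):
    """List (address, verdict) for every nameserver line, in file order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            findings.append((fields[1], classify(fields[1])))
    return findings


def needs_attention(findings):
    """Anything that is not an approved resolver deserves a look."""
    return [f for f in findings if f[1] != "approved"]


if __name__ == "__main__":
    for address, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"{verdict:10} {address}")
```

A resolver flagged as "unexpected" is not proof of infection, only a setting nobody in the organisation has approved, so it is worth tracing back to whatever changed it.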

More details on the operation can be found in the FBI’s press release. A very interesting thing to note is that a number of Apple Mac computers were infected as part of this botnet, showing that no matter what operating system you use you still need to take precautions to ensure your system is secure. Brian Krebs, as usual, has an excellent article on this operation.

Well done to TrendMicro, the FBI and the Estonian police for their work on this case.  A prime example of how sharing and working together we can eliminate threats.

BH Consulting Sponsors Best Technology Site for Irish Web Awards

October 19th, 2011

The Realex Payments Irish Web Awards are happening this Saturday night in the Mansion House in Dublin.  Organised by the ever energetic Damien Mulley the Realex Payments Irish Web Awards aim to highlight the best of the Irish web space.

BH Consulting has been involved with the awards for a few years now and we are delighted to continue to be involved this year by sponsoring the award for the Best Technology Site.  There are some really interesting finalists this year.  They are:

  • sociable.co
  • Click Magazine
  • techtv101.com
  • TechCentral.ie
  • syncni.com
  • siliconrepublic.com

Having won this category for the previous two years it will be interesting to see if SiliconRepublic.com staves off the competition this year.

Why not pay them a visit and see what the best technology sites in Ireland have to offer?

The Cloud Security Rules Launched Today !!

October 5th, 2011

Earlier this year I was approached by Kai Roer and asked to take part in a project he was putting together. He was looking to publish a book on cloud security with insights from people involved in this field from around the world. I was delighted when he asked me to contribute a number of chapters to the book “The Cloud Security Rules”. The book looks at many aspects of cloud security which must be addressed when moving systems and data to the cloud. After many long months of writing, editing and rewriting the book is now available and I am one of a number of security specialists from around the world to contribute to the book. Due to the diverse range of authors the result is a very comprehensive and compelling resource for anyone interested in Cloud Security.

“The book The Cloud Security Rules explains the different aspects of cloud security to business leaders, CxO’s, IT-managers and decision makers. The security principles are the same as before while the implementation and the risks involved are dramatically changed. The book is co-authored by some of the most recognized security specialists and bloggers in the world. The authors are gathered from USA, Europe and Africa, sharing their great knowledge of implementing and securing the cloud.

This book is made to make it easier for you to choose the right cloud supplier as well as setting up and running your critical services in the cloud.”

Other authors that I am honoured to have worked with were:

Kai Roer
Dr. Anton Chuvakin
Margaretha Eriksson
Alistair Forbes
Alex Hutton
Javvad Malik
Wendy Nather
Rob Newby
Kevin Riggins
Eric Schwab
R ‘Doc’ Vaidhyanathan
Lori MacVittie
Sanjay Vyas

The book was edited with lots of coaxing, coercion, bribery and infinite patience by Kai Roer and Mourad Ben Lakhoua. The book is currently available from Clearspace for the excellent value of US$24.90. It will be available on Amazon next week and other outlets in the coming months.

An interesting aspect to this book is that all profits from it will be donated to the Open Security Foundation. The Open Security Foundation run great infosec resources such as the Open Source Vulnerability Database (OSVDB) and the DataLossDB.

There is also a blog to support the book and it can be found here.

ISO 27001 Breakfast Seminar

September 21st, 2011

Ensuring your systems remain secure is an ongoing challenge for every business, even more so in the current business climate where budgets have remained static or been cut. So how can you get more bang for your infosec euro? BH Consulting and Certification Europe are partnering to host a breakfast seminar on November 22nd at 8:00 a.m. in the Conrad Hotel, Earlsfort Terrace, Dublin 2.

The purpose of the seminar is two-fold. The first is to identify how to implement measures in a cost-effective way to improve your security, while the second is to highlight the business benefits and cost savings a structured Information Security Management System can bring.

The Agenda

08.00-08.30 Registration & Buffet Breakfast
08.30-08.40 Introduction & Welcome – Padraig White, Chairman, Certification Europe Ltd.
08.40-09.10 Implementing Information Security Best Practices in a Cost Effective Way – Brian Honan, CEO, BH Consulting
09.10-09.40 Certification – The Benefits & Challenges – Han Van Thoor, MD, Jumper Consulting Ltd.
09.40-10.10 ISO 27001 Trends & Developments Internationally – Michael Brophy, CEO, Certification Europe Ltd.
10.10-10.30 Closing Remarks & Networking

Who Should Attend:

  • Anyone with responsibility for sensitive data
  • CEOs & MDs
  • CTOs
  • Senior Management
  • IT Managers
  • Compliance Officers

There is a €50 fee to attend the seminar but if you Book Now you get €15 off!

A Layered Approach to Security

September 15th, 2011

Recent headlines demonstrate that our computer systems are under constant attack and the threats facing our critical and sensitive information are growing. In conjunction with Tripwire Inc. I produced a white paper outlining how employing a layered approach to information security can reduce the threat levels against your systems.

The white paper is called “Layered Security: Protecting Your Data in Today’s Threat Landscape” and is available for free download at Tripwire’s website.

In addition I will be giving a presentation on the same topic at the BrightTALK Threat Management Summit. The presentation will be given in the form of a webinar and you can sign up for it here.

Security Breach at MyJob.ie

September 8th, 2011

Tonight I got an email from the online recruitment arm of Bond Personnel, MyJob.ie, to inform me they recently suffered a security breach and were sending me a precautionary email to change my password. While there are no details as to what information the attackers accessed or how they managed to breach MyJob.ie’s security, there are two interesting points to note:

  • MyJob.ie say they were not the primary source of the breach. This leads to the question: which of their providers was breached?
  • The attackers have already been arrested and a file sent to the DPP. If this is the case, when did the breach originally occur and why did it take so long to notify those impacted?

The other question that is of interest is what is MyJob.ie’s data retention policy for holding client data? I have not used that website for well over 10 years, so my data would be well out of date and no longer useful. Indeed in the Data Protection Commissioner’s report for 2008 he mentions a security breach at jobs.ie and highlights they had retained personal data of clients for “an unnecessarily long period of time”.

If you have been impacted by this breach I recommend that you:

  • Change your password for MyJob.ie.
  • Do not use the same password across different systems. If you have used the same password on different systems then change them to an individual password on each system.
  • Do not respond to any emails that may be phishing emails looking for your personal details.

The text of the email is below:

Dear Honan,

I am writing to bring your attention to a recent security breach on the server hosting Myjob.ie. The breach was quickly identified, and the Gardai have apprehended two individuals who are now the subject of a file being compiled for the Director of Public Prosecutions. Although Myjob.ie was not the primary source of the breach, as a precautionary measure we would ask all users to immediately change their password. Furthermore we would ask you to observe best practice in choosing all internet passwords and do not use the same password for more than one internet service. If you do use the same password for multiple services we would strongly urge you to rectify this immediately by logging into those systems and choosing a new password. Also, please note that reputable companies do not request personal details by email, if a company contacts you do not give any personal information until you have established they are legitimate.

  • Never give out personal banking information
  • Do not share your passwords with anyone
  • Do not open email attachments if you are suspicious, especially .exe files.

Please accept our apologies for any inconvenience or distress caused by this precautionary email. Should you wish to contact us please send an email to security@myjob.ie

Yours sincerely,

John Doupe

Securing the Nut Between the Keyboard and the Screen

August 5th, 2011

In April of this year the first Bsides London Security Event was held. I was honoured to be one of those selected to present at the event. The presentation “Layer 8 Security: Securing the Nut Between the Keyboard and the Screen” focuses on why security awareness programmes fail in many organisations and outlines how to better engage with users to protect systems.

The video of the presentation is now available. Enjoy.
