Sunday, April 06, 2014

Doing business in Asia: five etiquette tips

I contributed a piece to Australian BRW late last month that had nothing to do with IT Security, but I thought it may be of interest to those of you who are new to doing business with Asia and would like somewhere to start.

It's quite general, but large mainstream publications want content that will appeal to the masses, not niche pieces that few people will care about. So, if you're an expert on Asia, none of what I've written will be new.

Here's a teaser:
"Business etiquette in western countries is similar enough that we get away with most things. The little quirks are normally overlooked or forgiven, using the “not from around here” explanation. Asia however, is a slightly different animal."
Check out the full article on BRW.

Monday, March 17, 2014

RSA Conference 2014 redux

If you follow me on Twitter, you probably noticed a heightened volume of Tweets from me during the RSA Conference in San Francisco. It was great catching up with many of you based stateside whom I rarely get to see in person. I was also fortunate enough to be allowed to attend sessions, and I live-Tweeted the ones that were interesting. Therefore, I'm not going to regurgitate/organise my Tweets into thoughts here. I will, however, highlight a few key points that I felt were important.

NSA, NSA, Snowden, NSA

This was an RSA conference where everyone was talking about the NSA. First, there were the well-publicised boycotts from speakers. Then came the competing conference. Then there were the protesters. RSA Chairman Art Coviello opened the conference and addressed it up front (right after William Shatner's song and dance). Stephen Colbert closed the conference with an NSA-heavy keynote (incidentally, he was hilarious). And in a show of courage or stupidity depending on your perspective, the NSA even had a booth on the expo floor.

There were many stories written about this during the conference, so just use your search engine of choice. But if you don't feel like searching, check out the New York Times' Nicole Perlroth and her blog post detailing some of the NSA-focused activities. My Tweet stream was also relatively NSA-heavy, so go check that out too.

Damage control

There were many US Government speakers from various departments and they all had one thing in common: they were in damage control mode. Essentially, it boiled down to these points:

  1. We assumed everyone knew we do the whole electronic surveillance thing. We didn't know it would be such a big deal and we're sorry, but we have to do it. And by the way, better it be the US Government than some foreign hostile nation. They're all just pissed that we're so much better at it than everyone else.
  2. We must work on collecting only what we need instead of absolutely everything. But if you've ever tried to do this, you know it's easier to collect everything instead of being selective.
  3. We, the US Government, want to work more closely and cooperatively with US companies on making the Internet, technology and the real world safer for all.


How do we make life more difficult for governments spying on us? Encryption. Sure, governments have quantum computers working at cracking encryption measures, but they really don't like having to do it. It was a topic of discussion during the cryptographers' panel, raised in relation to the NSA. Bruce Schneier has mentioned it on many occasions and reiterated his sentiments during his session at the conference.

I said it in my IT security predictions for 2014 and I've mentioned it on television.
Start with encryption. It won't fix all your security issues, but it's a good start and a good countermeasure for issues beyond the NSA and government spying.

Privileged user controls

Despite Snowden being the poster child for the damage privileged users can do, there wasn't a great deal of noise about it (compared to the NSA and government spying), except in sessions relating to industrial control systems. In every session I attended where industrial control systems were a topic of interest, privileged users came up as a primary focus area. Often, industrial control systems are tied to user directories (usually Active Directory) and most attacks simply aim to compromise an account within the directory. Once an account is compromised, an attacker will escalate privileges until they have sufficient access. In other words, the more "administrative" the account, the quicker the compromise. In short, at the very least, organisations must secure and monitor privileged accounts in directories and operating systems.

Internet of Things (IoT)

You didn't need to attend the conference to know IoT is big in 2014. While I don't believe many are doing anything in terms of IoT, I don't discount the fact everyone wants to talk about it. It became clear in listening to some IoT-focused sessions that the biggest challenge in securing the IoT at the moment lies with the ignorance and complacency in the manufacturing process, particularly with device manufacturers.

Far too many do not implement (or care about) basic security practices in delivering a product. Many use default settings, which are often insecure. In addition, they often reuse the same insecure software components in updated versions. Beyond this, there is difficulty patching existing devices, particularly in trying to figure out how to do this without user intervention. We can't even get this right for existing computing devices. How are we expected to get it right for devices with in-built computers most are not aware of and cannot access easily through a usable interface? This is why it's relatively easy to hack cars.

Wednesday, March 12, 2014

Australia's new Privacy Principles - things to consider

Effective today (12th March 2014), Australia's Information Privacy Principles and National Privacy Principles will be replaced by 13 Australian Privacy Principles (APPs). Here are the important points to note:

  • Applies to all organisations that turn over more than $3 million per year and collect personal data.
  • Fines up to $1.7 million for breaches.
  • Organisations must be transparent about how they collect, use and store personal data.
  • Organisations cannot collect data “just in case they need it”.
  • If personal data is disclosed to a 3rd party, the organisation disclosing the data is responsible for ensuring the 3rd party understands their obligation and that the consumer knows about the disclosure.

This effectively gives the Office of the Australian Information Commissioner (OAIC) teeth, as the fines are now significant when compared to previous legislation. For example, Australian telecommunications giant Telstra was fined only a measly $10,200 AUD for its recent violation.

Mindful collection and sharing

The days of "we'll ask for the information in case we need it" are gone. Organisations need to think about what they really need to achieve the task at hand and collect only what they need. As consumers, we should be able to sign up for online services in a shorter amount of time instead of frustratingly getting stuck on a submission form which constantly complains we haven't filled in certain fields.

Marketing programs and processes need to be reviewed to ensure personal data is not being inappropriately shared with 3rd parties. Many companies disregard the flow of information and have little visibility or understanding of how it is shared, sometimes through no fault of their own. The number of technology integration points involved is challenging, but as privacy is now tied to financial penalties, this is a huge risk to businesses and should be addressed urgently through the involvement of IT departments and potentially external assistance.

If information is justifiably shared outside of the organisation, the organisation will need the ability to determine whether an overseas 3rd party it discloses personal information to also complies with the Privacy Act. This is a function many organisations do not have, and it will need to be included as part of their risk management program.

Personal information

In all things privacy-related, things tend to be up for debate, none more so than the term "personal information". The safest way for organisations to tackle this ambiguity is to assume data can be tied together from various sources, even when not immediately obvious as to how, to form context that can be tied to an individual. For example, an IP address is a potential identifier of an individual when combined with information from the relevant Internet service provider.

Personal data can also be stored in unexpected locations that organisations may be unaware of, the most obvious being application logs. IT departments need to perform an internal audit of the information applications use and ensure they are not subject to inadvertent personal data leakage through logs as a result of log file settings.
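One way to check the point above in practice is to redact the identifiers the post singles out (email addresses, and IP addresses that an ISP can tie to an individual) before they reach a log file. The following is an added example, not code from the original post; the logger name, the sample log lines and the `mask_ip` policy of keeping two octets are constructed assumptions.

```python
import io
import logging
import re

# Patterns for the two identifiers the post singles out: contact details (email)
# and IP addresses, which the ISP can tie back to an individual.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def mask_ip(ip):
    """Keep the first two octets (enough for coarse troubleshooting), drop the rest."""
    octets = ip.split(".")
    return ".".join(octets[:2] + ["x", "x"])


def redact(text):
    """Replace emails and IPv4 addresses in a log message with non-identifying forms."""
    text = EMAIL_RE.sub("<email>", text)
    return IPV4_RE.sub(lambda m: mask_ip(m.group(0)), text)


class PiiRedactingFilter(logging.Filter):
    """Logger-level filter that rewrites every record before any handler sees it.

    Formatting the message here (getMessage) means %-style arguments are
    redacted too, not just the literal format string.
    """

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name, stream):
    """Attach the redacting filter to a fresh logger writing to `stream`."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addFilter(PiiRedactingFilter())
    logger.addHandler(handler)
    return logger


def audit_sample():
    """Emit constructed sample records through the filter and return the written lines."""
    buf = io.StringIO()
    log = build_logger("app.audit.demo", buf)   # hypothetical logger name
    log.info("login ok user=%s from %s", "alice@example.com", "203.0.113.45")
    log.warning("password reset requested for bob.smith@example.org")
    log.info("healthcheck from 198.51.100.7 took 12ms")
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Running the same filter over an existing log file (line by line through `redact`) gives a quick audit of what an application has already been writing.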

There is also additional administrative overhead in dealing with personal information and its access. The right technologies and a properly implemented reliance on external information providers can help. For example, power can be given to individuals to have complete control over the information stored about them through self-service portals. In addition, there may not be a need to store certain pieces of information. Standards exist (e.g. pick your favourite federated identity standard) that allow a relying party requiring information about an individual to ask for it from an identity (or attribute) provider and use it in flight without having to store the information on disk.

Beyond the more mature federated identity standards, there are emerging ones such as User Managed Access (UMA) that place more power in the hands of consumers (i.e. the rightful owners of the data). While not yet supported in many technology stacks, the concepts are sound and organisations would do well to adopt the thinking behind what UMA is attempting to achieve in the longer run.


Australian organisations need to treat personal data like they would financial information. For example, there is a raft of measures dictated by the PCI-DSS standard regarding the storage and usage of credit card numbers. While the number of credit card data breaches has proven PCI-DSS alone does not prevent breaches, existing data protection standards are a good start for organisations struggling to deal with the implications of the new privacy principles. Organisations would do well to adopt many of the same measures dictated by security standards in protecting personal data as a start. As they understand the requirements and data flows over time, more sophisticated security and access management measures can be implemented to round out an evolving security program.

Thursday, January 09, 2014

Moving beyond incident identification

I made a few IT security predictions for 2014 late last year, but I want to highlight item number 3 as it's become particularly relevant:
"Security departments will shift their focus from incident identification to incident reaction and management"
We're only a week into 2014 and the two highest profile IT security stories so far are related to incident reaction and management (a.k.a. response).

While the acquisition of Mandiant by FireEye technically completed in 2013, it was only announced in 2014. To quote the New York Times article:
"Mandiant is best known for sending in emergency teams to root out attackers who have implanted software into corporate computer systems."
The other piece of news was that Bruce Schneier has joined Co3 systems. In his own post on the matter, he states:
"...there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now, it's time for response."
The true value in security monitoring, and by association Security Information and Event Management (SIEM), lies in moving beyond incident identification/detection. SIEM technologies have become much better over the past few years at using data analysis techniques to translate raw data and events into useful information that security departments can understand and hopefully act on.

Unfortunately, few organisations have the resources available to react to incidents adequately and in a timely manner, let alone attempt to manage them. Incident identification/detection without the ability to respond is akin to having an alarm on your house go off that only your neighbours can hear. Even if they are around, how many actually care enough to do something about it?

The best alarms don't make any noise, but lock the house down so that no one can leave while simultaneously sending an alert to have a professional incident response team dispatched to the premises to deal with the threat while the incident is in-progress. Of course, it would have been better if they hadn't been able to enter in the first place, but we'll leave access management discussions for another day. Security departments need to work on the presumption that bad guys will get in somehow.

While the latter option sounds more like a military operation, it's how organisations need to be thinking about security incidents in 2014. At the very least, security departments need to have properly thought out, documented incident reaction and management procedures that anyone can follow with minimal training. While not every incident response person can be the IT security equivalent of a Navy SEAL, at least have a security guard on staff and augment with external assistance by using tools or service providers.

As I said in my predictions article:
"The focus when dealing with threats up to this point has been on the identification of them. Vendors spend large sums of money expounding the wonders of their tool’s collection and analytical abilities. It has become a game of “my feature is better than your feature” and “my analytics are better than your analytics”. Ultimately, it is pointless identifying a threat when there is no path forward to manage the incident, deploy the appropriate responses and counter the threat through remediation."

Monday, January 06, 2014

Why crooks love gift cards and how retailers are to blame

It’s the holiday season, and those who don’t feel like thinking about a particular gift can cop out by giving a gift card. For those that have never used one, it’s relatively simple. The card number combined with an access code is usually enough information for a gift card to be used for a purchase. This is how it usually works when making online purchases. At the actual physical store, the use of a gift card typically requires the user to also be in possession of it.

Fraud liability lies with the purchaser

Gift cards are designed with convenience in mind with no regard to security or indemnity. If your bank issued a card with the PIN printed on it, you would immediately cut it up, cancel it and change banks. Unfortunately, this is exactly what most retailers do with gift cards.

Both the number and the access code are displayed on the actual card (both physical and virtual versions). This is all one needs to make a purchase using the card. The anonymous nature of gift cards is just as much of a problem. Crooks love anonymity because at no point can a transaction be linked back to them.

To add to the mess, most retailers have a statement in the fine print to “treat the card like cash as we cannot process refunds in the event of theft or loss”. We would not tolerate this type of behaviour from financial institutions, yet that’s exactly what we do each time we buy a gift card. At least financial institutions will indemnify cardholders from loss or theft. Retailers simply say “too bad, your loss, not our problem”.

Because retailers do not care enough to accept responsibility, at no point will they ever attempt to investigate the crime and the criminals that stole your gift card details get away scot-free.

Digital gift cards are less secure than physical ones

While gift cards are not secure for the reasons already mentioned, digitally-delivered cards are worse. With physical gift cards, the most blatant, practical example of fraud involves crooks cloning inactive cards from stores and subsequently waiting for them to be activated through a legitimate purchase.

The best way around this particular method of fraud is to cover the access code on each card with a layer that can be scratched off, which many retailers have implemented. This is a simple, yet effective way to reduce the risk because if a card has a visible access code, you know it’s been compromised. Unfortunately, the digital version of this “scratch layer” is often non-existent.

The most common method of retrieving a digital gift card involves accessing a URL. To understand why this is a problem, consider the fact that often, the URL to retrieve a gift card is derivable, even if encryption is used in the actual URL pattern. It is not too difficult for a skilled attacker to get the standard URL pattern by legitimately ordering a card and subsequently performing a brute-force attack, similar to how passwords are cracked, on the parts of the URL that change to retrieve other gift cards.

The digital equivalent of a “scratch layer” would be to make the retrieval URL accessible exactly once. This way, one would know upon an attempt to retrieve the card if it has already been compromised through its URL and contact the retailer to report the issue immediately instead of finding out after the card has already been used. Once a card has been used by the fraudster, it is too late and there is no recourse for the victim.
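The digital "scratch layer" described above, as an added example that is not part of the original post or any retailer's system: the retrieval URL carries a token drawn from a CSPRNG (so it cannot be derived from another card's URL), the URL works exactly once, and only a hash of the token is stored so a copy of the database is not enough to retrieve card details (the insider concern raised below). The base URL, card values and the `GiftCardVault` class are constructed assumptions.

```python
import hashlib
import secrets


class GiftCardVault:
    """Hypothetical issuer-side store for digitally delivered gift cards.

    Two properties give the retrieval URL a digital "scratch layer":
      * the token in the URL is 256 bits of CSPRNG output, so one URL
        reveals nothing about any other card's URL;
      * the URL works exactly once, so a legitimate holder who finds it
        already consumed knows the card was exposed before use.
    Only a hash of the token is stored, so a copy of the database alone
    (an insider, a backup) is not enough to retrieve the card details.
    """

    def __init__(self, base_url="https://gifts.example/redeem/"):
        self._base_url = base_url         # constructed; not a real retailer
        self._cards = {}                  # token hash -> card record
        self.alerts = []                  # events an operator should look at
        self.unknown_token_attempts = 0   # guessing signal: real URLs are rarely mistyped

    @staticmethod
    def _token_hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, card_number, access_code):
        """Register a card and return the single-use retrieval URL to send to the buyer."""
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64 encoded
        self._cards[self._token_hash(token)] = {
            "card_number": card_number,
            "access_code": access_code,
            "retrieved": False,
        }
        return self._base_url + token

    def retrieve(self, url):
        """Serve the card details for a retrieval URL, or report why it cannot."""
        token = url.rsplit("/", 1)[-1]
        card = self._cards.get(self._token_hash(token))
        if card is None:
            self.unknown_token_attempts += 1
            return {"status": "unknown"}
        if card["retrieved"]:
            # Second use of the URL: either the buyer reloaded the page or the
            # link leaked. Either way the card should be blocked and reissued.
            self.alerts.append(
                "repeat retrieval for card ending " + card["card_number"][-4:]
            )
            return {"status": "already_retrieved"}
        card["retrieved"] = True
        return {
            "status": "ok",
            "card_number": card["card_number"],
            "access_code": card["access_code"],
        }


def demo():
    """Walk through issue, first retrieval, and the repeat-retrieval signal."""
    vault = GiftCardVault()
    url = vault.issue("0000111122223333", "8844")   # constructed sample values
    first = vault.retrieve(url)
    second = vault.retrieve(url)
    return vault, url, first, second


if __name__ == "__main__":
    _, url, first, second = demo()
    print(url, first["status"], second["status"])
```

A rising `unknown_token_attempts` count is the operator-side counterpart of the scratch layer: it is the signal that someone is probing retrieval URLs rather than opening the one they were sent.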

No protection against insiders

As is the case in many organisations, the insider with access is a huge risk in this particular context. Credit card numbers are partially protected through PCI-DSS requirements that mandate encryption of stored card details and audit of access. Gift card details however are not subjected to the same rules and thus can be stored in clear text and not be monitored when accessed without regulatory consequences for the retailer.

Organisations tend to ignore security when they are not liable in the event of a security incident. In the case of gift cards, no liability lies with the retailer. This means employees of a retailer storing gift card details in the clear have relatively easy access. In addition, even if the retailer happens to have audit mechanisms tracking access to databases storing gift card details, the fact that consumers are expected to “treat gift cards as cash” is a sure sign that a retailer will not spend precious dollars to investigate any potential internal fraud with gift cards.

Too many third parties involved

Another trend that contributes to the problem is the use of third parties to administrate and issue gift cards. For example, many large retailers in Australia use the same third party company to do this. The problem with third parties is that access to data is now expanded to people not directly associated with the responsible retail organisations.

As gift cards are not subjected to the same standards as credit card information, employees of the third party company potentially have full access to gift card details of multiple retailers and can exploit this access for personal profit much more easily than if they were attempting to steal credit card numbers.

No regulation, no deal

Gift cards are effectively cash cards. Retailers have said so themselves in an attempt to indemnify themselves from liability in the event of fraud. The problem is that they are indemnifying themselves at the expense of fraud victims, also known as customers. The relationship in this instance is completely one-sided in favour of retailers.

Financial institutions dealing with credit card details are not afforded the same cop-out liability statement. In fact, it is the opposite. Financial institutions are held liable in the event of fraud and we as consumers are protected.

Imagine if we were told that whenever we use a credit card, we assume all the risk. Mastercard, Visa and American Express would go out of business very quickly. Why are retailers not subjected to the same rules?

It is time we woke up and realised exactly how unprotected we as consumers are when we buy gift cards. If you feel the need to buy a gift card for someone else, do what Asians do instead and put cash in a red packet.

In Asia, giving a red packet to someone implies you are wishing them good fortune. Giving someone a gift card however, means you couldn’t be bothered. You may also have just gifted them a worthless piece of plastic which they will resent you for when they try to use it.

Friday, December 20, 2013

IT security predictions 2014

It's prediction season again and I've written a piece for CSO Australia.

Here's how it starts...
"2013 was the year of Edward Snowden and the NSA spying revelations. We also faced a deluge of data breaches with an increasingly large amount of information compromised. The emerging trends that appeared on the radar in 2012 such as Cloud, Mobility, Social and Big Data became key challenges for organisations in 2013. These will continue to be important in 2014, but what will they evolve into? What other things do we need to consider?"

Click through to the article for the predictions. Got an opinion? Comment or Tweet me.

Monday, November 18, 2013

Social identities are becoming our online driver’s licence

Note: This is a companion blog post to an article I wrote earlier this year for CSO Australia. The original essay was too long for an online publication, so I split it up into 2 related, but independent pieces.

For the generation that assumes a priori that the Internet is a tangible, more-essential-than-oxygen component of the air, social networks have become the digital manifestation of their identities as people. Most use each social network for a specific purpose. For example, Facebook content is typically personal and LinkedIn content is almost always professional. Where possible, we try to confine their use within our subconscious boundaries, but they invariably bleed into each other through porous walls. Nevertheless, each is a persona: a one-dimensional representation of our real selves.

While online, many of our significant actions require some form of identification: a licence that says enough about us as unique individuals. While we don’t need a driver’s licence to walk along a road, we do need one to drive along it. Similarly, to do anything of significance online, we need to prove who we are to varying degrees; we need a licence that says enough about ourselves to be allowed to perform certain activities.

A majority of our individual activities both online and off can be divided into two categories: transactions and interactions. We transact with retailers, financial institutions and governments. We interact with friends, family, colleagues, employers and government institutions. There are exceptions to these, but a majority of what we do conforms to this model.

The word “transact” in this sense is not always tied to financial activities. Anything that has a negative real-life impact when fraud is committed can be deemed as transactional. In life, our identity matters when we transact and interact with retailers, financial institutions, governments and other people. There is however, a distinct difference in the acceptable forms of identity when comparing transactional activities and interactions which is tied to risk. It is why certain organisations will accept your Facebook account as proof of identity, but others will not.

Appropriate use of social identities

The key to understanding appropriate use for social identities is context. In real life, activities that require proper identification such as a passport or driver’s licence are transactional.

If you analyse the scenarios you are familiar with in dealing with retailers, financial institutions and governments, you will quickly realise that for anything we classify as an interaction, using social identifiers for access is sufficient. For transactions, they are not.

In the Information Security world, this is known as using the appropriate Level of Assurance (LOA) for the appropriate context. A higher LOA is required for transactions than for interactions. The progression to a higher LOA is typically achieved using multi-factor authentication. If you’ve ever received a code on your mobile phone immediately after your username and password have been accepted, and been asked to enter it into a site before it allows you access, you have used multi-factor authentication. The SMS code sent to your mobile phone increases your LOA.

In situations where social identities play a part in the authentication process, they are best used as the first level of authentication. As a “lightweight” identity, this provides the personalisation we psychologically crave and the added usability organisations would like to provide. The fact that personalisation provides additional insight to organisations is a bonus for them. When the interactions verge on being transactional, the LOA needs to be raised using either a second factor or a stronger form of identification. In real life, this is best demonstrated by the fact that a driver’s licence is sufficient for entry to a bar but a passport is required to cross international borders.

Excessive collection of personal information

A major concern regarding the use of social identities as a login mechanism relates to the amount of sensitive personal information stored within social networks. Using your Facebook account to log in to another site does not necessarily give it access to your Facebook account (e.g. to make updates). More commonly, the login process involves sharing an amount of information about yourself that the site requires.

The word “requires” is used loosely here. Far too often sites ask for more information than they actually need because they can. We have become so accustomed that we accept it as the norm. Bad data collection practices have trained us into accepting additional risk as a condition for using the Internet. In reality, most sites really only need a way to contact you (e.g. email) and perhaps your name. Put simply, a site should only ask for the information it needs for you to complete your tasks.

The breach the Australian Broadcasting Corporation’s website suffered earlier this year is a perfect recent example of data collection misuse. The information stolen included easily cracked hashed passwords and personal details about each person that the website did not need. When we give up our information to an organisation, we almost never have control over anything that happens to it after the fact.

This is something that the Kantara Initiative is attempting to address through its User Managed Access (UMA) work group and the associated UMA protocol. But until this or something like it is mandated across sites that store information about individuals, it is extremely difficult to address the lack of control we have over our personal details and their proliferation.

Note (not part of original blog post): I strongly suggest checking out Ian Glazer's "Big P Privacy in the Era of Small Things" video if you are interested in exploring and understanding this topic in more depth.

Potential benefit of social identities

Social networks have the potential to reduce the number of places that our information is stored. In addition, they can potentially become the gatekeepers to our information. Imagine if the interaction between a social network and another site included the obligation to delete our information upon request by the social network using a protocol like UMA? Better still, what if it required that the information used be transient and disappears when our session with the site in question ends? Nothing actually gets stored.

In fact, some social networks enforce this today, although this is used more as a defensive tactic to reduce the likelihood that a partner site becomes a competitor by replicating all their user data than a way to protect the information for the benefit of users. Sites that do not conform to the policy are unceremoniously prevented from being able to interact with the social network in any way.

There are benefits to be had for the sites accepting social identities as logins too. Studies have shown that user drop-off rates decrease because users no longer have to fill in forms to access the site. Data storage costs drop as a result and for organisations that do not want to be front page news for losing user data, this risk is no longer present.

A driver’s licence is not a passport

We began by referencing the generation of digital natives driving the assimilation of our digital and physical lives. They influence online innovation today through their demands and expectations. They are the demographic many businesses target. As a result, their behaviour shapes the evolution of the online world and by extension, the real world.

The rest of us have to begrudgingly adapt to a reality being built for them. Like it or not, social identities are becoming the Internet’s driver’s licence of choice. However, social identities are not our online passports. The world is not ready for that reality. And unless social networks start vetting people like banks do, that reality is unlikely to ever be achieved.