Posts


Email Retention Policies

Many companies have little or no email retention policy in place. The idea is to ensure that if a business-related email is required, it can be recovered for up to six years. However, it has also been raised that six years may not be sufficient where projects are completed over a long period, so six years from the time of project completion should be the consideration. In some cases financial data may need a slightly longer retention period to match other financial requirements. The question is how to manage this. Users have the ability to delete their emails, so relying on users to manage their own mailboxes completely may not be the best option. Many companies opt for an email archiving solution which stores a copy of every email in and out safely and audits all access to the stored messages for compliance. With the adoption of cloud email services thi...

Is your company ready for GDPR ?

What is it? Put simply, it is a set of new rules adding to the current data protection laws in the EU. Companies will be required to respect "the right to be forgotten". This means you must be in control of your data in such a way that all digital traces pertaining to an individual can be fully deleted should the request be made. What is in scope? Basically all of your data must be cleansed of any identifying data if requested. This will include all past and present data, including archives and backups. What if I don't comply with a request? Penalties of up to 4 percent of worldwide turnover can be imposed. How should this be implemented? You will need to be able to demonstrate a documented, implemented process which complies with each request. What problems need to be overcome? The biggest issue is knowing your data; in other words, having fully indexed data and systems which will ensure this can be conducted in a tho...

Apple Vs FBI

Re: the FBI and Apple story, in which the FBI tried to force Apple to unlock an encrypted iPhone in their possession. The FBI have now reportedly withdrawn their court battle with Apple after a third party gave the FBI the ability to access the phone without Apple's assistance. Based on this new information, there is likely a lesser-known vulnerability in iOS which is now known to the FBI. The question is whether Apple know of its existence and whether they will release a patch. There is also the question of the implications of this being known to the FBI. More questions are raised.

A Long Time Ago

To be honest I haven't posted anything for absolutely ages. It was getting difficult to find something newsworthy which wasn't already in thousands of other places. So I decided that this blog should contain the following:
My views on security issues
Highlighting key security issues and news
Product reviews
A large dose of sarcasm........

HeartBleed Vulnerability

It's been quite a while since a vulnerability like this has been uncovered. There is no doubt that this is a serious one and it affects many products. What makes it a problem is not only the serious consequences but also that it isn't hard to exploit. Affected versions of OpenSSL have been around since roughly April 2012, meaning the impact up to now is unknown. Recommendations are to patch the affected products, regenerate private keys and reissue certificates (revoking the old ones), and ensure users change their passwords once the fix is in place. Affected versions are OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas; 0.9.8 and 1.0.0 are not affected. OpenSSL advise that affected users should upgrade to OpenSSL 1.0.1g, and users unable to upgrade immediately can recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2. The list below links to some of the affected products. There are many more. VMWare http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225 Fortinet http:...
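The bug itself is a missing bounds check in the heartbeat handler, and the 1.0.1g fix is a two-line comparison of the claimed payload length against the record that actually arrived. The following is an added example, not OpenSSL's code and not from the original post: it models the handler in Python over a constructed byte buffer that stands in for process memory, with the received record followed by adjacent connection data (a constructed cookie and key fragment). Function names and the buffer layout are assumptions made for the illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: a HeartbeatMessage carries at least 16 bytes of padding


def build_heartbeat_record(payload: bytes, claimed_len: int) -> bytes:
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    claimed_len is written into the length field independently of len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload + b"\x00" * MIN_PADDING


def build_process_memory(record: bytes):
    """Constructed stand-in for the OpenSSL heap: the received record sits in front of
    other connection data that happens to be adjacent in memory (all values made up)."""
    before = b"\x00" * 32
    after = (b"Cookie: SESSIONID=5e1f2c9a7b3d4e6f; "
             b"-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAconstructed")
    memory = before + record + after + b"\x00" * 64
    return memory, len(before), len(record)


def vulnerable_process_heartbeat(memory: bytes, rec_off: int, rec_len: int):
    """Pre-1.0.1g logic: the peer-supplied length is trusted, so the copy reads
    payload_length bytes from the payload start even when the record is shorter.
    (A real C memcpy keeps reading past the record; a Python slice stops at the
    end of the buffer, which is the only difference here.)"""
    hbtype = memory[rec_off]
    (payload_len,) = struct.unpack(">H", memory[rec_off + 1:rec_off + 3])
    pl = rec_off + 3
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[pl:pl + payload_len]          # no comparison against rec_len
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + echoed + b"\x00" * MIN_PADDING


def fixed_process_heartbeat(memory: bytes, rec_off: int, rec_len: int):
    """1.0.1g logic: check the claimed length against the record actually received
    and silently discard anything that does not fit, as RFC 6520 requires."""
    if rec_len < 1 + 2 + MIN_PADDING:
        return None
    hbtype = memory[rec_off]
    (payload_len,) = struct.unpack(">H", memory[rec_off + 1:rec_off + 3])
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return None
    pl = rec_off + 3
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[pl:pl + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + echoed + b"\x00" * MIN_PADDING


def demo(claimed_len: int = 4096):
    """Send a 2-byte payload that claims to be claimed_len bytes long and return
    (response from the vulnerable build, response from the fixed build)."""
    record = build_heartbeat_record(b"hi", claimed_len)
    memory, off, rec_len = build_process_memory(record)
    return (vulnerable_process_heartbeat(memory, off, rec_len),
            fixed_process_heartbeat(memory, off, rec_len))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable build echoed", len(leaked), "bytes:", leaked[3:80])
    print("fixed build response:", safe)
```

The vulnerable path returns the cookie and key material that follow the record in memory; the fixed path returns nothing for the oversized claim but still echoes a well-formed request whose length field matches the payload. The same comparison is the one to look for when reviewing any parser that copies a caller-supplied number of bytes.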

If you are still running Windows XP then you should migrate.

As we know, many home users and businesses are still running Windows XP as their desktop operating system. With support for Service Pack 3 ending in April this year (2014), the likelihood of increased malware and viruses on these systems is very high. This should not be taken lightly, due to the very real threat which will continue to rise the older the operating system gets. If a vulnerability is found and remains unpatched then businesses will be taking unnecessary risks. When support is discontinued there will be no patches, so the security holes will remain open, waiting to be exploited. Contrary to what many believe, this isn't Microsoft looking for ways to make more money. XP is three generations old if you count Vista, Windows 7 and now Windows 8. It's time to upgrade Windows or migrate to a different OS completely.

Credit Card Fraud Warning

I received a voicemail, then a text, then a call to my home phone from the bank asking me to call them. I verified the number was legitimate and contacted the bank. They didn't ask any questions but were able to verify my recent transactions, so were genuine. However, twenty minutes prior to the call someone had placed an order on Play.com for £500 using my details. Luckily for me the bank had the sense to block the transaction and contact me. I had to cancel my card. I decided to contact Play.com to tell them what had happened, and after some cross-referencing they could see that an order had been placed on a very recently created account using my bank details but a different delivery address. The customer services lady was a bit shocked when she then cross-referenced the delivery address to find that six other orders using other people's details had also been placed that day for delivery to that address. Unfortunately for those people it looks as if the transactions had at that point completed. ...

A Potential Scam currently under investigation.

Tech-2 are currently investigating another potential online scam which dupes the user into making a booking through what appears to be a valid website. In fact it would appear that the booking money is taken, yet the user never receives what they have paid for. More details will be posted on this investigation, including the offending website URL if proven true. Watch this space.

Fortinet Global Partner Conference 2012

I was lucky enough to attend the Fortinet Global Partner Conference in Miami this month. The conference took place on a cruise ship which travelled around the Bahamas from Monday to Friday. There was a good mixture of Fortinet presentations and technical training on the ship, as well as off-ship excursions to several islands. The focus of the conference was the release of FortiOS version 5. Once again Fortinet have produced a significant release with a great set of enhancements and new features, including endpoint device recognition which can be used in firewall policies, wireless improvements, advanced anti-malware detection, anti-virus, IPS and client reputation. The number of features is too great to include in this post, but a quick check on the Fortinet website will give more information: http://www.fortinet.com/solutions/os5.html All in all the conference seemed like a great success and attendance was high at around 1700 people.

Through the backdoor ! Chinese android handset problems.

Well, it has been a while since the last post. I haven't really got too excited about anything in the news over the past few months, or had many new toys to play with until recently. Just to get things started, I did find the story below quite interesting. A Chinese Android handset, the ZTE Score M, has been found to have an application installed which acts as a backdoor into the operating system. The application has a hard-coded password which gives root-level access to the device, and the password and instructions are readily available online. As yet there is no proof that a remote exploit is possible, but it is very likely that software downloaded by the user could be coded to exploit the issue and give attackers access to your device. Still, so far not a big issue for the UK, as it is only linked to handsets which were supplied from China to the US!!

NACHA Phishing Scam

This phishing scam has been widely reported from as far back as February 2011. Today I received the email myself. The first warning sign was that approximately twenty other email addresses were CC'd on the same email, all supposedly having the same failed transaction number. Obviously a mistake on the part of the sender. Also, the from address bore little relation to the supposed sender: *thi***@sui****.com. Opening the email on a "safe" machine, I took a look through the source: there was a significant amount of JavaScript, along with a link to a website in South Africa which is accessed once the "view report" link is clicked. The site is a company site and has therefore most likely been compromised, with the offending link hidden in a directory with a numeric name. NACHA have reported this scam, and users should not open the link due to its likelihood of infecting the machine. To protect identities, the CC'd addresses, website link and from address have...

Would you know if you had been hacked ?

It would be fair to say that many companies assume they have secure systems because they implement strict security measures. The problem is how we know that our security is working. Does never getting hit by a virus mean that our anti-virus software is doing its job, or have we just been lucky? It usually takes an incident to focus awareness on system or procedural failings. The benefits of regular penetration tests are well understood in the industry; however, taking the time to frequently examine and understand log files will pinpoint areas of concern a lot sooner if they are being exploited. The problems with log files typically fall into a few categories:
1) The number of devices which require management.
2) The quality and retention period of the logs produced.
3) Understanding the meaning of the files themselves.
Even the simplest of networks will have one or more servers, a firewall, a router and wireless access points, to name a few. Firstly, enable logging on each devic...
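"Understanding the meaning of the files" is where most log reviews stall, so here is an added example of the kind of check that turns raw lines into something worth acting on. It is not from the original post and not tied to any particular product: the sample lines are constructed in the format OpenSSH writes to auth.log, the year is assumed (syslog timestamps carry none), and the rule flags a source after a burst of failed logins and raises a higher-priority alert if that same source then succeeds, which is the pattern a pure "failed login" count would miss.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format OpenSSH writes to auth.log / syslog.
SAMPLE_LOG = """\
Mar 03 10:15:01 gw sshd[2231]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar 03 10:15:03 gw sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Mar 03 10:15:05 gw sshd[2235]: Failed password for root from 203.0.113.9 port 51244 ssh2
Mar 03 10:15:07 gw sshd[2237]: Failed password for root from 203.0.113.9 port 51250 ssh2
Mar 03 10:15:09 gw sshd[2239]: Failed password for root from 203.0.113.9 port 51258 ssh2
Mar 03 10:15:40 gw sshd[2244]: Accepted password for backup from 203.0.113.9 port 51299 ssh2
Mar 03 10:20:11 gw sshd[2301]: Failed password for alice from 192.0.2.20 port 40022 ssh2
Mar 03 10:20:30 gw sshd[2304]: Accepted publickey for alice from 192.0.2.20 port 40030 ssh2
Mar 03 11:01:00 gw sshd[2400]: Failed password for root from 198.51.100.7 port 33001 ssh2
Mar 03 11:09:00 gw sshd[2401]: Failed password for root from 198.51.100.7 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line: str, year: int = 2014):
    """Return the fields of one sshd auth line, or None for lines we do not understand.
    The year is an assumption supplied by the caller; syslog does not record it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Flag a source after `threshold` failures inside `window`; flag it again, as the
    higher-priority alert, if that flagged source later gets an Accepted login."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()                    # slide the window forward
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"kind": "bruteforce", "ip": ev["ip"], "user": None, "at": ev["ts"]})
        elif ev["ip"] in flagged:
            alerts.append({"kind": "success_after_bruteforce", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["at"], a["kind"], a["ip"], a["user"] or "")
```

On the sample, 203.0.113.9 trips the threshold at 10:15:09 and then logs in as "backup" thirty seconds later, which is the line a human would want in front of them first; the single failure from 192.0.2.20 and the two slow failures from 198.51.100.7 stay below the threshold. The same structure (parse, keep per-source state in a sliding window, escalate on a follow-up event) carries over to firewall deny logs or Windows 4625/4624 events once the regular expression is swapped.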

Apple MAC Fake Virus Alert

Similar to the Windows fake AV alerts, Mac users have now been targeted with a fake AV scam. After visiting an infected site, the software "scans" the user's hard disk and reports viruses found. Users are then given the opportunity to purchase remedial AV software, thus parting with credit card information. The trick here is that it masquerades as a legitimate-looking application called MAC Defender, making users less suspicious about the warnings. Apple Mac users have been advised to disable the setting in the Safari browser that allows "safe" files to be opened automatically after downloading. Full details on removing and preventing this malware can be found here: Apple MAC Malware Removal

Sony makes the right call

The PlayStation Network has been down since about 20th April now. The full consequences of the attack may take some time to manifest; however, the commitment to ensuring security since the attack has been foremost on Sony's agenda. The difficulty here is that although what has happened may be relatively clear, the how and who may be less obvious, and because of this Sony need to take extra care when restoring the services, as they cannot afford another similar incident. The fact that they may be offering a reward for information relating to the identity of the attackers suggests that whoever did this was skilled enough to hide their tracks well. With enough digging, many clever breaches can be traced, as the smallest fragment of information in the logs or other data can lead to clues. There is a claim that information pertaining to the group Anonymous has been located on the systems; however, Anonymous have denied the incident and apparently say they may have been framed. If the o...

Application Control In The Workplace Using the Fortigate UTM

Whether you are a small or enterprise-size business, controlling internet application usage can become a major productivity issue, not to mention a security issue. With the ever-growing number of applications available to users the problems escalate. Facebook, instant messaging and online gaming, to name a few, are difficult to manage with traditional firewalls. Typically, for example, port 80 may be allowed so that users can access the internet; however, many of these applications also use port 80 to "get out" on. Most applications are also able to port-hop and find open ports to use, making allowing or blocking them on port alone a difficult if not impossible task. Fortinet offer a solution to this by integrating Application Control into their UTM appliances. Regardless of the application or port, the FortiGate inspects the traffic and pinpoints the applications being used. Depending on the application type there are several actions which can be taken, with multiple levels of configuration and granularity. A...
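To make the port-hopping point concrete, here is an added example that is not from the original post and is not Fortinet's engine: a toy classifier that identifies an application from the first client bytes of a flow, ignoring the port, and a comparison of a port-only rule with a rule that also requires the port to carry the application it is meant for. The flows are constructed (a BitTorrent handshake sent to port 80, an XMPP stream open and an SSH banner sent to port 443), and the signatures are the well-known protocol preambles rather than a vendor's signature set.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first client-to-server bytes; the port plays no part."""
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        return "http"
    # TLS record: content type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # BitTorrent peer-wire handshake: pstrlen = 19, pstr = "BitTorrent protocol"
    if len(payload) >= 20 and payload[0] == 19 and payload[1:20] == b"BitTorrent protocol":
        return "bittorrent"
    # XMPP stream open as sent by many IM clients
    if payload.lstrip().startswith(b"<?xml") and b"jabber:client" in payload[:512]:
        return "xmpp"
    return "unknown"


ALLOWED_PORTS = {80, 443}
EXPECTED_APPS = {80: {"http"}, 443: {"tls"}}   # what each open port is allowed to carry


def port_policy(dst_port: int) -> str:
    """Traditional firewall rule: allow the web ports, deny everything else."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"


def app_policy(dst_port: int, payload: bytes) -> str:
    """Port rule plus application control: the traffic must be what the port is for."""
    return "allow" if identify_app(payload) in EXPECTED_APPS.get(dst_port, set()) else "deny"


# Constructed flows: (description, destination port, first client bytes)
FLOWS = [
    ("browser to intranet", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("browser to bank", 443,
     b"\x16\x03\x01\x00\x31\x01\x00\x00\x2d\x03\x03" + b"\x11" * 32 + b"\x00\x00\x02\x00\x2f\x01\x00"),
    ("torrent client hopping to port 80", 80,
     b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-TR2840-" + b"\xbb" * 12),
    ("IM client hopping to port 443", 443,
     b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' to='example.org'>"),
    ("ssh tunnelled over port 443", 443, b"SSH-2.0-OpenSSH_6.6\r\n"),
    ("ssh to an admin host", 22, b"SSH-2.0-OpenSSH_6.6\r\n"),
]


def compare_policies(flows=FLOWS):
    """One row per flow: (description, application seen, port-only verdict, app-aware verdict)."""
    return [(desc, identify_app(p), port_policy(port), app_policy(port, p)) for desc, port, p in flows]


if __name__ == "__main__":
    for desc, app, by_port, by_app in compare_policies():
        print(f"{desc:36} {app:11} port-only={by_port:5} app-aware={by_app}")
```

The port-only rule waves through the torrent client, the IM client and the SSH tunnel because they all chose an open port; the app-aware rule denies them because port 80 is expected to carry HTTP and 443 to carry TLS. First-packet signatures like these are only the starting point: a production engine also tracks flows across packets, reads the TLS server name, and handles applications that deliberately look like HTTPS, which is why the FortiGate ships a maintained signature database rather than a handful of byte patterns.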

UPS Delivery Scam

Out of the blue I received the famous UPS delivery email: "Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc." Attached was a rar file purporting to be the delivery information. Knowing of the scam, and also that I had not ordered anything, I saved the rar file into a virtual machine and took a peek with Notepad. Pretty much all of it was random ASCII except for the legible text "United Parcel Service document.exe". Knowing this was a virus, I submitted it to an online virus scanner to verify the content. The abbreviated version of the output is as follows: W32/Agent.OUH!tr. It displays the following fake warning message: "Danger! Harmful viruses detected on your computer..." It deletes the following various registry keys. It creates the following new registry entries. It tries to download files f...
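The Notepad look that found the ".exe" name inside the archive can be done without ever extracting the attachment to disk. The following is an added example, not from the original post and not the scanner's output: it builds a constructed look-alike archive in memory (a zip rather than a rar, because the Python standard library has no rar support; the checks are identical once unrar has listed the members), then pulls out the printable strings, compares the file's magic bytes with its extension, flags double extensions such as invoice.pdf.exe, and computes the SHA-256 to submit to a scanner instead of the file. The fake member is a PE-style header stub plus filler, not real malware.

```python
import hashlib
import io
import os
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"\x7fELF": "elf", b"PK\x03\x04": "zip"}


def build_sample_archive() -> bytes:
    """Constructed stand-in for the attachment: a zip holding a fake Windows executable."""
    body = (b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
            + bytes(range(256)) * 4 + b"United Parcel Service document.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("United Parcel Service document.exe", body)
    return buf.getvalue()


def printable_strings(data: bytes, min_len: int = 8):
    """Equivalent of the Unix strings(1) command: runs of printable ASCII."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_member(name: str, data: bytes) -> dict:
    """Static checks on one archive member; nothing here runs or writes the content."""
    parts = os.path.basename(name).lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    double_ext = len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS   # e.g. invoice.pdf.exe
    magic = next((kind for sig, kind in MAGIC.items() if data.startswith(sig)), "unknown")
    executable = ext in EXECUTABLE_EXTS or magic == "pe-executable"
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),   # submit this, not the file, to a scanner
        "extension": ext,
        "magic": magic,
        "double_extension": double_ext,
        "executable": executable,
        "strings": printable_strings(data)[:10],
        "verdict": "suspicious" if executable or double_ext else "review",
    }


def triage_archive(archive_bytes: bytes):
    """Inspect every member in memory, without extracting to disk."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [triage_member(info.filename, zf.read(info)) for info in zf.infolist()]


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["verdict"], f["name"], f["magic"], f["sha256"][:16], f["strings"][:2])
```

The magic-versus-extension comparison catches the other common trick as well, an executable renamed to .pdf: the extension looks harmless but the first two bytes are still "MZ". Running this inside the same throwaway virtual machine the post describes keeps the habit of never opening the attachment on a real workstation.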

Microsoft Telephone Call Scam Still Rearing It's Head

A colleague of mine called me this week to report he had received a call from a foreign-sounding gentleman from "Microsoft". The man seemed to have a fair bit of information about my colleague and was reporting that Microsoft had flagged his PC as being infected with a known virus. At this point my colleague was suspicious and started to ask a few questions, which the bogus Microsoft techie tried to answer with various cover-up tactics, asking my colleague to run a few commands on his PC, etc. This was when my colleague insisted that the bogus Microsoft person send him a letter stating exactly what was being asked, so he could show it to the technical team at work (us). To this the Microsoft techie replied that an email would be quicker, but my colleague insisted on a letter. I am sure it is a letter which will never arrive, and if indeed it did, it certainly wouldn't be from Microsoft. See the linked story from 2010 for the same scam. Further Reading

We are under attack !

Surprisingly, the UK Government has made recent press releases about the possibility of cyber attacks against their systems. I have worked in the IT security space for 16 years, and the possibility of attacks and espionage has always been a very real threat. Indeed, I have been called in to investigate many instances of such threats. Whether it be a virus, direct attack or intrusion, they have all been very real for many years. Vigilant and responsible companies have consistently carried out the necessary measures to at least protect themselves from the majority of the well-known exploits, and deploy other systems to alert on suspicious network activity. They train staff and continue to review their policies on a regular basis. Standards have been implemented to enforce, and to some degree force, companies and institutions to fall in line with specific levels of security, so why should the Government assume that they were somehow immune from such attacks? This is nothing new, althou...

Passwords...nothing new...just a recap

Been doing a lot of work around password security lately, and I think it is fair to say that given enough time any password can be cracked. The time could be hundreds or thousands of years in some cases when using brute-force methods. In reality, though, this time is likely to be a lot shorter than we think, because end users can only cope with relatively short passwords. Using various tools on Windows XP, Vista and 7 machines it was surprising to see just how many passwords were recovered in a matter of minutes, not hours or years. Passwords on Windows machines can be local or cached domain credentials. Password attacks can be classified into two main categories: Online: where the attacker is physically on the PC or network in question and is either actively trying tools against the host PC or attempting to sniff the traffic to and from that machine for hashes on the wire (to take offline later). An important note here is that we do not need administrative credent...

Can complexity lead to poor security ?

It's been a while since I last posted. Been pretty busy with work, which is good. I've been playing around with a lot of new products and thought I would write this quick update. Back in the day, when the only option was to configure systems via the command line, your average generalist would leave this type of thing to the "experts". Now, with the number of servers and workstations growing, generalists have become more multi-tasking, bringing knowledge from home to the workplace and vice versa. So what about security? Well, this is an area in which a lot of people dabble without understanding the complexities of the task. Just getting something working may be acceptable to get a result, but not fully understanding the how and why is what poses the risk in security. A GUI somewhat simplifies most tasks, but an "invisible" command entered at the CLI of the same device will likely go unnoticed. Every day admins make changes to make their job easier, and often tak...