General Security | InfoSec Perception

Recently I got an e-mail message from a naïve young person who was excited about the riches available through part-time work at home posting links to products on the Web. I hope that the approach to spotting fraud will be useful to other potential victims; please feel free to circulate it among your colleagues at work as part of any security-awareness program.

From:––– Date: Wednesday, May 23, 2012 15:11 To: – a bunch of people who don’t necessarily know each other –

Subject: I am my own boss try it out for yourself

How to Get Rich using your PC http://doctoraluisazitzer.com/disclog24.php?jID=7xovx

In late May, I received the following e-mail message from someone in Guangdong, China using an English name:

Hi,we are manufacturer specialized in producing&designing OEM portable speakers for mp3/mp4/notebook/ipod and other mobile device.

It also has a Mp3 player function,but more than that.Play mp3 format music from TF card or U-disk.also there’s FM radio function,you can share the news even in your trip or travel.

I found your company name&email address in E-market place.

I know you are selling brands in this field.but if you can put our products on your shelves,it will enlarge your products’ range,and it will attract more new clients and give your old clients more services.

With its reasonable price and multi-function features, it will be a very good choice for gift or accessories for ipod/iphone,it’s portable, with external rechargeable battery, you can take it anywhere anytime.

and I’m sure of that it will be fashion soon in your local market.

Your each enquiry will be appreciated very much and will be taken care very seriously.We believe the customers are our only lifeblood.

For more details of us,please visit our website.and we are gold supplier on Alibaba,please check the page.

Looking forward to hear from you soon.

My wife, Dr Deborah N. Black, MD, is an expert in neural feedback (NF) for improving the attention of patients with attention-deficit / hyperactivity disorder (ADHD). There’s an interesting news story about the technique on National Public Radio (NPR). This approach to retraining disorderly brains monitors electroencephalographic (EEG) data as the subjects learn to focus better by playing video games or controlling the visibility of a favourite movie being played on a special DVD player or computer. There are many sites in the United Kingdom which advertise NF treatments; try search string “neural feedback adhd uk” in a search engine. For example, “Learning with neural feedback” has useful information about the technique.

Today I increased my virtue coefficient by getting to the swimming pool up the road from where I live (well, 7 km from where I live in farming country) early in the morning. On my way out after a vigorous set of laps (I normally swim a “mile,” which is an ancient measure of distance still used in backwaters such as the USA), I stopped at the desk to tell the attendant that I would like to switch my automatic payments from my credit card to a direct withdrawal from my bank account (VISA charges are rough on the profits of this small business in the wilds of Vermont and I’d like to do my part to help these folks out).

Francis Cianfrocca, a leading expert on Advanced Persistent Threats, continues his overview of the issues following his first article on the topic in the InfoSec Perception blog. What follows is Mr Cianfrocca’s work with minor edits from M. E. Kabay.

Advanced persistent threats (APTs) attack with privilege escalation and operate through application accesses that, to network monitors, appear to be fully normal in terms of network source addresses, protocol syntax-correctness, and user authentication / authorization levels. Both detection and remediation of these attacks are critical business objectives; whether driven by regulatory or operational sensitivities, data privacy and application security must be maintained and the flow of data must continue without interruption.

Former student, good friend and brilliant colleague Jan Buitron, MSIA, CISSP, MCSE tells us a whimsical tale with lessons for us in the security field. Everything that follows is Jan’s work with minor edits by Mich.

It was a big project for a homeowner. My friend set out to design, dig and decorate a fish pond out in her back yard. She dug the pond by hand, with her mother directing her in how to construct up from the bottom depth and sculpt the sides of the pond. She went to local rock and building supply stores to find just the right rocks to decorate the pond’s margins. Careful planning went into designing the plant-scaping of the pond. Shorter plants were set around the pond’s edges and, since they wanted the pond to attract birds, they made especially sure that there was at least one shallow area where the local birds could bathe easily.

In business continuity planning (BCP) and disaster recovery planning (DRP), it's commonplace to urge planners to create initial plans and then test them for ways to improve. This approach parallels current standards of software development and risk management. In the 1960s and 1970s, the standard software development methodology was the system development life cycle (SDLC), in which analysis, design, and approvals of the complete design were so onerous that delivery of finished software could be delayed by years. Since the 1980s, a much more common methodology is spiral development, which was originally called rapid application development (RAD), joint application development (JAD), or iterative, agile and incremental development.

It’s a commonplace that information assurance suffers from two fundamental problems in information acquisition: failure of ascertainment (failing to realize that a breach of security has occurred) and failure of reporting (keeping known breaches secret). In an overview of statistical methods in computer-crime reporting, I pointed out that one of the most striking research studies of ascertainment and reporting was carried out by the United States (US) Department of Defense:

In a landmark series of tests at the Department of Defense, the Defense Information Systems Agency found that very few of the penetrations it engineered against unclassified systems within the DoD seem to have been detected by system managers. These studies were carried out from 1994 through 1996 and attacked 68,000 systems. About two-thirds of the attacks succeeded; however, only 4% of these attacks were detected…. [O]f the few penetrations detected, only a fraction of 1% were reported to appropriate authorities.

Sometimes we lose sight of the wide reach of information assurance (IA). In class discussions in the Management of IA course at Norwich University, students recently discussed how software development and quality assurance play a role in IA.

One of the areas that our students study in their software engineering courses is development strategies. The traditional system development life cycle (SDLC) puts a great deal of time and effort into the project definition phases; systems analysts must interact with users, encourage them to define their needs, define functional requirements (these two phases can be called the requirements elicitation), get the functional specifications approved by the users, and then design and build the systems to meet those requirements. The SDLC includes system testing and system documentation.

Maria Dailey is a senior in the Bachelor of Science in Computer Security and Information Assurance (BSCSIA) in the School of Business at Norwich University. She recently submitted an interesting essay in the IS455 Strategic Applications of Information Technology course, and I suggested to her that we work together to edit and expand it for publication. The following is the result of a close collaboration between us and continues last week’s column about changing conceptions of privacy.

* * *

Social Network Sites and Privacy

Harvey Jones and José Hiram Soltren published an interesting early study of privacy practices on Facebook in 2005.[1] They wrote in their abstract, “Privacy on Facebook is undermined by three principal factors: users disclose too much, Facebook does not take adequate steps to protect user privacy, and third parties are actively seeking out end-user information using Facebook.” Key findings of the study (page 13) include the following (quoting, with bullets added):

  • Users put real time and effort into their profiles.
  • Students tend to join as soon as possible, often before arriving on campus.
  • Users share lots of information but do not guard it.
  • Users give imperfect explicit consent to the distribution and sharing of their information.
  • Privacy concerns differ across genders.