“Gauss What!?” – Another CyberWeapon Discovered August 14, 2012Posted by Chris Mark in cyberespionage, Risk & Risk Management, terrorism.
Tags: cyber espionage, cybersecurity, data breach, Flame, Gauss, information security, Kaspersky, mark consulting group, Stuxnet
add a comment
According to Kaspersky labs, yet another cyberweapon was discovered last week. On August 9, 2012 Kaspersky labs released a press release stating that they had identified another cyber-weapon dubbed Gauss. According to the press release:
“…‘Gauss’, a new cyber-threat targeting users in the Middle East. Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines. The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.” (more…)
Tags: cybersecurity, information security, ISMS, ISO 27000, mark consulting group, PCI DSS, policies, risk, security
add a comment
I was speaking with a client yesterday about policies and auditing. He asked me a question and it reminded me of what I told my clients for years regarding policies. First, it is important to remember that a policy is NOT a document. The document is a record of the policy that was passed and tool for disseminating the policy. It should be a reflection of the policy that has been approved by management. Simply having a written document does not mean you have a policy. The policy must be approved, documented, disseminated, and enforced. Second, it is important to remember that writing and approving a policy is the easy part. Ensuring adherence with the policy and enforcing the policy is the difficult part. Make no mistake. A policy that is not enforced will not be followed for very long. People are inherently lazy (this writer included). We take the path of least resistance. Policies require difficult, often inefficient methods. Without enforcement, they will fall by the wayside. Third;writting, approving and documenting a policy is often much easier than implementing the policy. Consider the following example. Company X passes a policy that requires all computer and IT users’ access be modeled on “need to know” and “model of least privilege” (standard model). This alone requires an audit of every person’s existing privileges, as well as identification and documentation or their roles and responsibilities. Then each role would need to have access levels documented and assigned. As you can see, a simple one line policy statement may have deep implications. Finally, it is important to ensure that your company adheres to the documented policies. This is a three step process I describe as “tell me, show me, convince me”
1) Show the auditor that you have a documented policy that is updated, approved by management and disseminated to employees.
2) demonstrate to the auditor that you are currently in compliance with the policy.
3) convince the auditor that you have a history of following the policy by producing relevant documentation/evidence to show compliance over time. (last 3 months, last 6 months).
By using the tell me, show me, convince me model with policies and departments you can have confidence that your policies are being enforced, and followed.
Tags: AML, HSBC, mark consulting group, PATRIOT, risk, security, senate, terrorism
add a comment
According to a US Senate Report issued today and major news outlets including MSNBC, Europe’s largest bank, HSBC, has “A “pervasively polluted” culture at HSBC allowed the bank to act as financier to clients moving shadowy funds from the world’s most dangerous and secretive corners, including Mexico, Iran, Saudi Arabia and Syria, according to a scathing U.S. Senate report issued on Monday.” The report, titled: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History “…examines the anti-money laundering (AML) and terrorist financing vulnerabilities created when a global bank uses its U.S. affiliate to provide U.S. dollars, U.S dollar services, and access to the U.S. financial system to high risk affiliates, high risk correspondent banks, and high risk clients.” The US Enacted stronger Anti Money Laundering laws as a part of the PATRIOT act passed in the wake of 9/11. These AML laws were designed to cut of the flow of money to terrorists. In the case of HSBC it appears many of the rules were ignored potentially allowing drug cartels and terrorist to move and launder money.
In a statement emailed to NBCNews.com, the bank said:
We will apologize, acknowledge these mistakes, answer for our actions and give our absolute commitment to fixing what went wrong. We believe that this case history will provide important lessons for the whole industry in seeking to prevent illicit actors entering the global financial system.
Tags: data breach, encryption, hash, InfoSec, markconsultinggroup.com, password, risk, security, yahoo
add a comment
A story today on MSNBC says that Yahoo Voices was compromised and 450,000 usernames/password posted online. Not surprisingly, the passwords were not hashed or otherwise protected using encryption. While the posting of passwords is nothing new what is interesting is what the researchers found when looking at user generated passwords. The most common passwords were ‘123456’ followed by ‘password’ and ‘welcome’. Fully 1/3 of the passwords used lower case letters only. Here is where I get on my soapbox. According to the story:
“Yahoo! Voices’ administrators made a big mistake storing the passwords in plaintext, but all users need to bolster their own security as well. Make passwords harder to guess by making them more than eight characters long, and pepper them with upper-case letters, numbers and punctuation marks.”
First, strong passwords would not have helped because YAHOO WAS STORING THEM IN CLEARTEXT!..and they were stolen! Second, the company should enforce strong passwords. While all users should use strong passwords, when dealing with 450K users it is prudent to understand that either some users aht a will not understand what a strong password is or will simply ignore the directions. Yahoo should have forced strong passwords…