Source: http://it.slashdot.org/story/10/07/16/122259/Millions-of-Home-Routers-Are-Hackable

Article: http://www.nytimes.com/2010/07/06/business/06road.html?_r=1&src=busln

Presentation will be in french.

Date of event: March 31st at 7:30 a.m.
Location: CRIM’s offices, 405, avenue Ogilvy, office 101.

The cost is $35, breakfast is included…

Hope to see you there…

François Meehan

The Art Of Deception (ISBN-13: 978-0764542800), the first Kevin D. Mitnick’s book is another type of Information Security lecture. Kevin was for a long time the FBI most wanted computer hacker. Now a security contractor, he shares with us in this book, his acquired experiences over the years. Instead of going in details on how to break firewalls and code, Kevin wrote about his specialty: Social Engineering.

I first decided to buy this book to learn more about Social Engineering, and I must say that Kevin’s mission was successful, I learned a lot. Going through the chapters, you discover a whole new way to attack networks, through the weakest link: people controlling and using it.

As I’ve been working in Information Security for a few years, I often hear that “a secretary wouldn’t give away her password” either because she is smart or because she knows not to do so. That being said, this book makes you realize how easy it can be to fool that “smart” secretary into giving away her password to an attacker that uses Social Engineering, not because she is not smart, but because Social Engineering is all about using influence and persuasion to get to the goal: information gathering. That information can be in different form, be it a username, a password, a merchant ID or a PIN, etc. Several techniques can be learned throughout this book, where most of them are build on Trust an employee may have to a manager, service provider or law officer. By impersonating those roles, an attacker can play the game with his own rules and exploit that trust.

The book gives you a lot of phone call examples (maybe a bit too many as it becomes redundant near the end), to makes you think about ways information leakage can happen. Examples range from one simple call to multiple, more complex, phone calls. If you are already a Social Engineering expert, you can benefit from those examples by improving your skills and techniques.

While phone calls are mostly used in Part one and two of the book, Part three goes more in depth by using physical and computer related attack. Stories are written to keep your mind busy with questions like “what would I do in that situation?”, “would I fall for this?” or “Do I verify guest identity properly?”. On their side, computer attacks are going where most of us, security professional, are more comfortable. Phishing, dictionary and Trojan horse attack are all used in conjunction with Social Engineering to gather information.

The last chapter, “Chapter 16 – Recommended Corporate Information Security Policies”, can be very useful to someone writing policies for an enterprise. Kevin did a nice job to include often forgotten policies related to the main topic. Each of them has a short explanation that was proven useful to me.

If you are looking for easy and entertaining reading as well as a way to learn about Social Engineering, I encourage you to buy that book. Even if some parts starts to be redundant near the end, it is definitely a must have on that topic.

As part of security best practice, we would like to remember you to verify that your anti-virus signatures are updated daily.

Article: http://www.eset.eu/press-computer-worldwide-targetted-by-MBR-Worm

Read more:  http://news.techworld.com/security/3209606/malware-strains-bust-25-million-barrier/?cmpid=TD1N8&no1×1

Read more:   http://news.techworld.com/security/3208789/hackers-getting-to-grips-with-secure-authentication-warns-gartner/?pn=1

Read more:   http://news.techworld.com/virtualisation/3206980/cloud-computing-brings-security-risks-says-report/?cmpid=TD1N4

Cedval Info is now a supplier in IT security services, for “Filière PME” of the Information Security Institute of Québec (ISIQ).

We are extremely happy to bring our contribution to ISIQ, who promotes the culture of IT security among Quebec’s Enterprises and Organizations.

For more info:

https://www.isiq.ca/en/entreprise/filiere_pme/Fiches_renseignements/fiche_0031.html

François Meehan
President, Cedval Info inc.

 If you scan the white papers and articles going around these days, all the computer security items seem to be dealing with the ease with which encryption algorithms can be broken, the simplicity of a man-in-the-middle attack on https, cloud computing risks and so on.  Now all of these are very good, very interesting, and very pertinent, but to me there is a basic item that is always overlooked when it comes to computer security.  Specifically, the most simple, most elementary, most rudimentary aspect of any security system – lock things up !

 You may now ask yourself, what is he talking about, and why should I worry about things like that.  I have a lock on my door, and besides, hackers are much more likely to come into my systems and steal my data.  Well, yes, a hacker might indeed break into your systems and cause you damage, but the facts are that someone is far more likely to just up and walk away with your entire computer than hack into it.  Let’s face it, hacking is a very advanced skill that is actually possessed by few individuals.  Chances are, unless you are a defence contractor, some form of military establishment, a bank, or other high profile organization that would attract real hackers (and I mean real hackers, not script kiddies out for a lark with downloaded tools and exploits), no-one is really going to target you for a dedicated hacking attempt.  However, there is a really good chance of a robbery. Think of it in simple terms, there are just a lot more thieves around than there are hackers and their motivation is usually on a much lower scale than that of a hacker. The worst thing about that is that although a thief may not be specifically targeting your data, once your computer has been stolen, there is a pretty good chance your data may end up in the public domain.  The thief steals your computer then sells it to a fence or a pawn shop who in turn sells it to a buyer.  In this particular chain, I don’t think that there will be a lot of interest in data scrubbing of the hard disk.  So all of a sudden you are in a situation where all of the data residing on that computer is now in the hands of user unknown.  Hopefully everything is encrypted so that the average user won’t bother going through the drive and will just reinstall an OS on top, but, frankly, I am willing to bet your data was not encrypted…..

 So, lesson one in the art of computer security is to lock up your computers, be it a laptop (a locking cable only costs a few dollars and normally prevents a laptop from taking a walk while you are at lunch), or your most valuable server.  Lock them up, and do it properly; a regular household lock (like the one on your front door) will take an inexperienced lock-picker less than 3 minutes (yes, 3 minutes) to pick, and most locks can actually be picked by the same inexperienced person in under 10 minutes……Just because we live in a high tech world does not mean that the old smash and grab world has disappeared.  In fact, with the economy the way it is, it is fairly safe to bet that this particular type of enterprise is an ever expanding field……

 To be continued….