Tuesday, July 21, 2015

A New Proactive Responsibility For Bankers in the Face of Cross Border Frauds

Let's face it - no one (whether an individual, a government or an organization) is immune to or safe from a breach, an attack, a scam, a rootkit or a virus / APT or whatever you may call it.
A crack is a crack is a crack is a crack (calling it a hack is sacrilege) 
And this is a global problem which is growing (exponentially) by the day, by the hour, minute, second and even nanosecond. Everyone has to face the threat, directly or indirectly, and no one ever knows when he/she will fall victim to an attack or an incident, and it really does not matter whether you are hyper intelligent or live inside Fort Knox. 
We do not have to go too far into history to see institutions like OPM, SONY, White House; global security organizations like RSA, The Hacking Team, HB Gary, NSA etc - the list is really big and includes banks etc.
In this global cybersecurity threat and crime maelstrom the Law Enforcement Agencies (LEA), Intelligence and Defense Agencies are first and foremost affected. They have a responsibility to investigate cybercrimes perpetrated across international borders, using sophisticated attack techniques or compromising insiders into malicious acts, voluntarily or involuntarily. Invariably, while following cross-border leads, the LEA meets with insurmountable challenges and lengthy procedures (or red tape, even non-cooperation). And, if the request is to an unfriendly nation, the case might as well be closed and filed away!
Example challenges faced by LEA are in (1) following a money trail, (2) getting source IP information, (3) user name and address, etc. 
We will only look at "following the money trail" - in this case the victim may know the name of the bank to which the funds were fraudulently transferred. However, when the bank is advised about the same, it may not take any action until there is an order for the same in compliance with its locally applicable laws and regulations.
However it is time for these officials, across the world, to raise a red flag at their end when they receive a communication directly from the victim (or victim country LEA).
Imagine if a bank manager gets a mail from a victim who informs about a fraud which has been perpetrated and where the funds have been transferred to that particular branch of the bank. The branch Manager may not be able to stop the account from operating but he/she can inform the local LEA about the suspect transaction. In addition, he/she can proactively guide the foreign victim and LEA about the quickest procedure to get the legally appropriate instructions for necessary action. 
The only (simple) reason why this bank manager in a foreign country should stand up and raise a red flag on the account, on the account holder and the transaction(s) is .... it can happen to him/her too. 
Yes, there is no guarantee that this bank branch, anyplace in the world, will not fall victim to a fraud, or that a bank client will not fall victim - then this manager will be running the same hoops as the victim / LEA who had connected earlier.
This is not a call to disclose information, nor a call to work against the law or invade the account holder's privacy. It is not an aggressive look into transactions, which is done through Risk Management and AML practices. In these changing times, it is an acceptance of responsibility by banking professionals to set up a simple deterrent control. Criminals will slow down on using accounts in foreign lands once they are aware that ANY transaction can be notified to LEA proactively.

Saturday, July 11, 2015

What I Learned when Hacking Team became Hacked Team

There are many takeaways from this hack which has effectively named and shamed many and (possibly) relegated Hacking Team to history (good riddance to an arrogant lot). I am sharing some lessons which I have learned as a security practitioner and will touch upon some issues (e.g. NDAs are worthless and a waste of time; they can't cover gossip, resumes et al) 
(my apologies for the flowery language which is prompted by my glee at the fall of this organization for personal reasons of my own)
Security bloopers courtesy the hacking team (RIP)
Learning # 1 - If you are in the security business (or any unsavory business) and you are dealing in sh**, crack, LSD, heroin, 0-day, malware or any such crap... make sure your emails and data are encrypted - it saves your clients the embarrassment of dealing with a debauched organization
Learning # 2 - Remember your underpants always smell but you will never know how bad; once put out in public you will know how bad it stinks... and you will also learn you have holes in the wrong places ;-)
Learning # 3 - Once your privates are exposed be prepared for ridicule about your size, morals, hygiene, etc... and don't be surprised if the guys at Daesh / ISIS / Al Qaeda are leading the criticism - it just goes to show how low you are in the reputation index
Learning # 4 - Just because you have all the 0-days in the world in your kitty OR all the kings of the world at your doorstep wanting to buy your wares.... this does not mean someone 'cannot' screw you because arrogance rising from your mal-knowledge and a big order book corrupts you as bad as power in hand (remember to respect the forces of humanity and nature)
Learning # 5 - You think you know the world and its underbelly but then it brings you into the gutter yourself.... and then it is survival, you against the real shi****s, and they will always win because you are a wannabe shi****
Learning # 6 - When the sh** hits the ceiling you can be kicked off the throne without the opportunity to wipe your ass ... and we all know what happens when you are soiled
Learning # 7 - When underground stay there and make sure everything you own is also there... air gap, pgp, whatever
Learning # 8 - We all know doctors do not follow their own advice... as security guys we do not indulge in data classification, encryption, backup, etc... that sermon is for our clients
Learning # 9 - What goes round comes round... if you sell cyber weapons or surveillance stuff and think it cannot come back and hit you... you do not even deserve to live in Wonderland too as Alice will be scandalized
Learning # 10 - An intelligence agency is not set up to be ethical or maintain loyalties to anyone except its government... if HT expected their tools would not be used on them by every buyer they needed a reality check
Learning # 11 - You are never "there" in security even if you are the cat's whiskers so stay grounded, say your prayers diligently and make sure you ask your God to keep you safe from the omissions and commissions of your vendors and other malicious trespassers !
If there are any learnings you can add to my list please be my guest and help the community!

Thursday, January 1, 2015

Hopes for 2015

This was first published on LinkedIn: https://www.linkedin.com/pulse/hopes-2015-dinesh-o-bareja
My prescription is for awareness and common sense! Both practices need guts and will guarantee glory.
The experts, oracles, analysts, market-leaders, gurus have spoken - forecasts for 2015 have been made, published, read, publicized, devoured and digested by all across the world (and I am talking only in the Information Security and Technology space). These soothsayers have already told you how accurate they were in 2014, and I do not dispute any one of them their position as a cool guy or where he/she makes magic. My quadrant is nowhere near any, so I am not worried.
As an aside - have you realized the only people in the world who really do not worry about opinions are the very rich and the very poor? The rich care a F for what the world or people think about them and live, dance, splurge in a cocoon - they set the opinion! The poor care a F because if things are anyway shi* in life, what more can go wrong? That's where I am with my opinion ;-)
I see so many gaps (from my perspective) in all the forecasts and analyst opinion floating around that I decided to start the year by enlightening my small band of friends and followers. While this list of mine may not cover "everything", it will be in line with that of the big brand forecasters because none of them are complete.
1. Awareness - The one thing missing in EVERY forecast is the highly critical need for user awareness, and as an appendix to this is the need to use awareness content which is prepared by some good experts and not by a newbie sysadmin whose only skill is "blind-ctrl-c-v".
There is a lot of talk about malware, spear phishing, cloud insecurities and more... but who is aware of the risks that these things carry? Has anyone told anyone that using Gmail carries a risk and that spear phishing is used to catch people and not fish in the backwaters of Australia? Has anyone in your organization EVER explained that malicious code can come into the organization embedded in a document or an image and can then steal stuff or wreak havoc?
I am sure even the CEO or Board has never been told the sh***y side of technology.
So this is the most important missing link - ensure regular awareness programs, demonstrate risks and threats, show videos, play games and relate everything to the life and work of the participants. Do not run a presentation and mark attendance for your compliance report; make sure you run awareness to actually achieve the objective of making your company users aware!
2. Common Sense: Don't laugh. This is the one item missing in most portfolios and plans, and it is not easy to have. Everyone thinks he / she has it, and this is the first gross error - it may be there but may not be in abundance and may be highly unused. In other words, you have it or you don't, and even if you have it, you need guts to use it and stand by your conviction.
CS is not applied in any security implementation or purchase. Corporations pay top dollars to consultants to devise the most convoluted RFPs designed to keep the beggars out. None of them provide the actual "sense" of using the product or service being purchased!
OK, so you are implementing SIEM or DLP - you purchased it as per your RFP with 5 standard rules out-of-the-box. What did you get - a hahahah roll in the hay! One year or more later you realize you have been taken for a ride and you cannot tell your wife/husband/gf for fear of being tagged incompetent.
Or you are implementing ISO 27001 or any of the other ISO flavors, and what did you do - make a full library of documents and templates, but do you really need this? At the end of the day everyone is following the book, but if you actually read the change management log you can make a funny movie. You are a 20 person organization and you have an encryption policy... hey hey, can you spell encryption for me, let alone use it in your day to day work.
I have been working in IS for a number of years and have yet to happily use encrypted email (who will I send these mails to!). Not to speak of the many password protected files which are on my machine where the password has passed away into the sands of time and memory!
The one thing that was not applied is common sense, because the consultant never mentioned it. And the CEO or CISO did not speak the troubles in his / her mind because he/she was busy playing to the gallery (during the sales pitch and PoC), trying to pick holes in the presentation and throwing his/her knowledge in the air!
Oh oh oh, if only you had asked the silliest question that came to your mind, because that was the most relevant one. For example - you asked about references and they connected you with their friendliest neighborhood buyer, but after the spiel did you ask the reference about the time it took for the deployment, did you ask about the challenges and who sorted them, did you ask about the number of functional meetings in which the consultant participated, did you ask how the feedback from the operations team was... and much more.
So yes, it is simple common sense that if you are purchasing cloud services you must check the infra, SLA, client history, uptime etc., but did you ask about portability and the ease of the same? What if you want a divorce - do you have a pre-nup in place?
There are many more scenarios which you can envision to apply this theory of CS and Awareness and take a lead over your peers.
These are the two things I find missing in all the 2015 forecasts, and I sincerely believe that if you dump all the advice given by every guru and soothsayer and just use your common sense you are bound to find awesome success. Add to this a highly aware user community in your organization and you have a strong mix of resilience and proactive security!
But, yes, you need to have the guts to drive this thought, and if your management supports you, you are home with a tremendous amount of saving.
So, good luck and best wishes for 2015 - may the most sensible thought win!
Some Self Promotion: Information Strategy and Policy development or advisory services for states / national bodies and large enterprises is my forte. If you want practical, meaningful and usable advice, KPIs, etc., connect with the author on Twitter (@bizsprite) or LinkedIn or Facebook (dineshobareja).