Friday, 30 April 2010

InfoSecurity Europe 2010

Once again InfoSecurity Europe was an interesting place to visit. Lots of good sessions and interesting people to talk to. Most of the usual protagonists were there and the organisers have increased the educational part of the exhibition as well, which is good.

I thought I would put down a few things that I thought were noteworthy from the exhibition. I've already blogged about the GrIDsure anti-phishing sender verification and the new 3M mobile phone privacy filters, but there were a few other things I want to mention.

The first one is Panda Security's new Panda Cloud Internet Protection. This is a cloud-based service that provides consistent security and access policies to all machines within an organisation. The key thing is that it will protect mobile machines that are outside the corporate network with the same policies as those within the network. Protecting corporate machines when mobile is a big concern and a good way to reduce malware or hacking problems on the main network.

The usual problem is that mobile devices connect to public, unsecured (or badly secured) networks and either pick up some malware that they bring back with them, or they connect back remotely and open a soft doorway into the corporate network. By securing machines with this cloud service, it should stop them from being a soft target and weak link in your security chain. If you already do something similar by allowing VPN access into the corporate network and allowing them to create connections out, you are using additional bandwidth for this traffic and having to open a VPN connection, which isn't always wise.

Another topic talked about (mainly by Sophos) was the security, or lack thereof, when using social media. Graham Cluley gave a really good talk on the subject on the Sophos stand including the use of SPAM avatars on sites such as Twitter. The attack is centred around the fact that anti-SPAM filtering finds it hard to scan the content of images, e.g. by doing Optical Character Recognition (OCR). So, people have been putting written messages in their ID picture to get past any filtering. You can find out more from his blog.

The final mention has to go to Ian Mann from ECSC. He, once again, talked about several Social Engineering techniques to get past security. He stated that he always likes to see security guards when trying to gain unauthorised access, as it usually makes the system much less secure. He gave a talk in one of the main theatres as well as several talks on the ECSC stand, all of which were interesting. He has written a book called Hacking the Human, which is worth a read if you want to find out more.

Beyond that, most of the usual suspects were there and many things were as before with incremental changes and updates. There didn't seem to be a central theme or message from all the vendors or industry in general. Everyone seemed to be concentrating on their own topics and products. One new addition to the exhibition was the University Pavilion. I think this could be put to good use to show people what's coming over the horizon or how these technologies that the vendors are pushing actually work.

3M's Mobile Phone Privacy Filter

At this year's InfoSecurity Europe I visited the 3M stand again to see what developments they had for their privacy filters. They had their excellent Gold filter there of course, which is now properly on sale in the UK and the best on the market in my opinion. I previously blogged about this filter in my post "Why do I need a privacy filter? (3M's new Vikuiti Gold Privacy Filter)".

So what's this blog post about? Well, they have now produced privacy filters for mobile phones. Let's add a bit of context to this decision. How many businesses provide mobile devices to their employees that are connected to the corporate network with access to email, contacts, calendars and corporate documents? If you were reading an email from a client or reviewing a sensitive document would you be happy for someone to peer over your shoulder? Maybe you're paranoid like me and try to avoid reading emails in public places and stand with your back to the wall, shielding the screen when you have to read something urgently (Note: you shouldn't really store sensitive documents on a mobile phone in the first place, but that's another topic). However, 3M have made the whole thing a bit easier and allowed people to look a bit more normal than I do when using email in a public place.

I had a bunch of questions that I wanted to ask 3M about this new filter and I got some answers that I will share with you here. Firstly, I'll give you a brief introduction to their product, which can be seen in the image below. This is basically a screen protector with the privacy filter combined. It uses the standard matte grey louvered filter that gives privacy in one plane (I'll explain this in a bit, and the problem with it). It uses the matte film because, according to the guys on the stand, reflective films would get scratched with the type of use that a mobile gets. The film is self-adhesive, using 3M's Post-It note glue, so it should come off with no residue and be easy to fit. This is effectively a replacement for your standard screen protector with the added benefit of including the privacy filter.

3M's new mobile privacy filter

Now to some of the questions I had:
  • Does it work with touch screens? - Yes it does. They had an iPhone there and it worked perfectly.
  • Does it work with a stylus? - Yes it does. They had a Windows Mobile-based XDA there, which also worked with no problems.
  • Does it make the mobile hard to use? - No, the dimming of the screen caused by the filter is not too much of a problem. With the backlight off you pretty much can't read the screen, but how many people use their mobile with the backlight off? There is some drop in brightness, but you can increase the brightness of the screen to compensate. However, this does have the big side-effect of reducing battery life - a major problem on smartphones.
  • What if I have a mobile that I can use in landscape as well as portrait, like an HTC or iPhone? - Well, you have a problem. It comes back to what I said above: the filter only works in one plane. The filter has vertical louvres so that as you move to the side they overlap and block out the screen, like vertical blinds. However, vertical movement doesn't change the overlap of the louvres, so there is no blocking of the screen in this plane. So, you have to decide which way you want the filter, portrait or landscape - it will only provide privacy in one plane. Now, this isn't a problem for a lot of phones, particularly the majority of Blackberries, which are still the preferred business machine by many organisations. It is a problem, however, for iPhones (which aren't business phones in my opinion) and many Windows Mobile phones with the iPhone-esque interface.
  • Couldn't we have the Gold filter on a mobile to sort this problem? - Unfortunately, not yet, but they are working on it. There are a few technical difficulties apparently. Firstly, there is the point I made earlier, that mirror-finished filters would scratch too readily on a mobile device that is thrown in a bag or stuffed into a pocket with other things. Apparently, they have a matte version of the Gold Filter in the lab, but it isn't available yet or in the near future. There is a second problem. Apparently, the Gold Filter doesn't take to being glued as easily as the grey filter. However, they are working on this as well and hope to have a solution soon.
  • Do they come pre-cut to my mobile? - Yes and no. If you have a Blackberry or iPhone then yes, otherwise no. You buy a sheet and cut it yourself. I believe that there are other companies, such as wrappz.com, that will be able to cut one for your device in the future. I think this is a must for the uptake of the filter. How many business executives are going to sit down with a craft knife and straight-edge to cut their filter to the exact shape and size of their phone as well as the holes for the buttons, cameras, speakers, microphones, etc.? The problem for 3M is that mobiles come in all shapes and sizes, with absolutely no standardisation. Laptops and monitors, on the other hand, do have standard sizes.

What's my verdict? Another good product from 3M. I think this would be very good for executives with the Blackberry-type device and still help those with touchy-feely, accelerometer-driven interfaces, as long as they remember to only access sensitive information in one plane. They will have a great product when they get the matte Gold filter stuck to the mobile.

Surveys or Phishing Emails?

I was recently sent a survey from a well-known survey company (actually, on second thoughts, I'll name them: Capita) and it made me very cross. Why so cross? Well, I spend a considerable amount of time trying to educate people about their role in the security of the network and about phishing/social engineering. This is all undone by survey companies such as the one in question. See for yourself the email sent and use it as a template for future 'white-hat' testing.

Have your Say! Fill in your Staff Survey today!

Dear Colleague

It’s important to complete the Staff Survey to ensure your voice is heard! The purpose of the survey is to make further improvements to staff’s working lives at Target Organisation.

Your responses will come direct to Capita Surveys & Research Unit, and will be totally anonymous. No one outside the research team – and certainly no one at Target Organisation – will know who has responded or be able to identify individual responses. The survey findings will be analysed by Capita Surveys & Research Unit and only aggregate results will be reported.

To ensure that you have adequate opportunity to participate, the survey closure date is date month year.

In order to participate in the survey visit:

https://sas.capitasurveys.co.uk/targetorganisation

and enter your password: AAdddd

If you have any queries or require support completing the survey please contact us at Capita Surveys & Research Unit on 0800 587 3115.

Yours sincerely

Cheryl Kershaw
Director of Surveys and Research
Capita Surveys & Research Unit

What's wrong with this? Many things! Phishing scams are on the increase and are one of the biggest threats to security at the moment. Targeted phishing, or spear phishing, is also on the increase and these surveys could easily fall foul of this type of attack. The survey emails are in a standard format with no personalisation. It appears as a classic phishing email, albeit with better grammar. It would be easy to exploit this 'legitimate' survey to ask for additional personal details. Points to consider:

  1. There is no personalisation – ‘Dear Colleague’
  2. The email doesn’t come from the organisation in question – staffsurveys@Capita.co.uk
  3. The URL does not point to the organisation in question – https://sas.capitasurveys.co.uk/organisationname
  4. There is no contact within the organisation presented in the email for confirmation – contact Capita Surveys & Research Unit on 0800 587 3115
  5. They do not use an EV SSL certificate on their site, only DV – QuoVadis Global SSL ICA certifying that this is sas.capitasurveys.co.uk, which could be a phishing site for all a user knows, as it isn’t certified to be Capita or Capita Surveys & Research Unit (see post on EV versus DV certificates)

This would be very easy for someone to impersonate, particularly if they register a similar URL, such as https://sas.crapitasurveys.co.uk/organisationname and then use masking as well. Users are being conditioned into clicking on links without questioning their validity. All an attacker would need to know (or guess) is that the target organisation commissions surveys of this type from a company like this. OK, Capita suggests that organisations publicise the survey, but this isn't always done well, and that publicity can itself be used to produce a fake version before the real one goes live.
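One way to turn the points above into an automated check on incoming mail, as an added example that is not part of the original post: the message below is a constructed reconstruction of the quoted survey email, with an assumed From: header and an assumed organisation domain (targetorganisation.example), and the check reports which of the post's indicators fire.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Constructed sample modelled on the survey email quoted in the post;
# the From: header and the organisation's domain are assumptions.
SAMPLE_EMAIL = """\
From: Staff Surveys <staffsurveys@Capita.co.uk>
Subject: Have your Say! Fill in your Staff Survey today!

Dear Colleague

In order to participate in the survey visit:
https://sas.capitasurveys.co.uk/targetorganisation
and enter your password: AAdddd

If you have any queries please contact us on 0800 587 3115.
"""
GENERIC_GREETINGS = {"dear colleague", "dear customer", "dear user", "dear sir/madam"}
URL_RE = re.compile(r"https?://[^\s<>]+")

def sender_domain(msg):
    # Domain part of the From: address, lower-cased ('' if absent).
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def in_domain(host, org_domain):
    # True when host is org_domain itself or a subdomain of it.
    host = host.lower()
    return host == org_domain or host.endswith("." + org_domain)

def check_survey_email(raw, org_domain):
    # Return the indicators from the post that fire for this message.
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    greeting = next((ln for ln in body.splitlines() if ln.strip()), "")
    if greeting.strip().lower().rstrip(",") in GENERIC_GREETINGS:
        findings.append("generic greeting: no personalisation")
    sd = sender_domain(msg)
    if sd and not in_domain(sd, org_domain):
        findings.append(f"sender domain {sd} is not {org_domain}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not in_domain(host, org_domain):
            findings.append(f"link host {host} is not {org_domain}")
    if org_domain not in body.lower():
        findings.append(f"no contact at {org_domain} offered for confirmation")
    return findings
```

The certificate point (EV versus DV) is not covered here because it needs a live TLS connection to the linked host rather than the message alone.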

It gets worse though. When I phoned Capita Surveys, a nice helpful lady called Liz told me who they were currently providing surveys for (I won't give out the organisation names here as that would be irresponsible, but if Capita would like to check with me I can prove this). It would be very easy to quickly knock up a copy of their site with a similar URL and registered SSL Certificate, add in a few extra questions, send those emails and wait for the information to roll in. Well done Capita! They say they take people's security seriously and that answers are secure because they use SSL. However, I would beg to differ.

Capita aren't the only culprit though; I was also recently sent a survey for Microsoft from Mori, which was just as bad. They have to take steps to ensure that their surveys can't be hijacked for targeted attacks. There are anti-phishing technologies and techniques available that, whilst not infallible, would help, so why aren't they used?

Welcome to the RLR UK Blog

This blog is about network and information security issues primarily, but it does stray into other IT related fields, such as web development and anything else that we find interesting.
