You receive spam by SMS (or via email) in Belgium, you can report it online to the authorities!

A while ago I posted an article stating that there was no way to report SMS spam online in Belgium. Guess what, I was wrong!

First, I was wondering if it was really illegal to send unsollicited commercial message by SMS in Belgium. I found this really nice flyer from the federal public service of economy (http://economie.fgov.be/fr/binaries/spamming_brochure_fr_tcm326-31741.pdf) explaining that the global definition of spam applies also to SMS or chat systems.

In the flyer, there was a link to a page to report such kind of behaviour to the authorities. The document being a bit old (2005), the link was outdated but our friend Google found me the new one: https://pointdecontact.belgique.be/meldpunt/en/welcome

On this official website, you can report SMS Spam (or other similar illegal activities) using the « New complain » button and the  « SPAM from unidentified party » type of report.

I’m not sure it will be quite efficient to stop rapidly the Spam SMS from coming (most smartphone allow you to block senders for a while) but it will be the start of it. And if more and more people stat to report such behaviour, it will likely have an impact.

Notice you can also report spam or harassement coming from outside the country.

The scope is quite clear from the 1st page:

« Are you the victim of misleading practices, fraud or swindle? Or have your rights as a consumer or enterprise not been respected?
Then choose the scenario that matches your problem and follow the various steps to report your problem to the competent services.
You will always receive a reply in which we will try to provide an answer to your questions.
The competent services will analyse your report and may carry out an investigation. They do not take any action in your individual dispute, nor do they provide any information concerning the investigation. For your individual problem, we exclusively refer to the reply that will be sent to you »

Now you know what to do.

Are you prepared to face a TDOS?

Recently, DHS (US Department of Homeland Security) announced they are developing with private partners a solution to mitigate Telephony Denial of Services (TDOS) against emergency numbers and other critical phone numbers.

For the past years TDOS attacks seems to have flourish in the US. They are often used to claim a ransom to the targeted number owner.

If you have already made a Business Impact Analysis on your telephony system, your probably know how much one day of downtime might cost you. You probably have some solutions in place but, do they protect you against a TDOS?

Don’t forget to add TDOS to your list of threats if it is relevant for your business.

Further readings:

StartSSL is blocked by Chrome & Firefox and they didn’t notified their customers

The SSL certificates issued by Israel based Certificate Authority StartSSL (https://www.startssl.com/) are blocked by Google Chrome and Mozilla Firefox since March 2017. Behind what could be just a technical issue, there is some disturbing facts:

First, the reason why Google and Mozilla have decided to progressively block StartSSL (and more importantly WoSign) is the issuance by WoSign, a chinese Certificate Autority,  of multiple SSL certificate for Domains for which they didn’t received any mandate and didn’t validate the ownership of the domain by the requester. The first case to be reported to Google was GitHub, the famous Source Code repository. As WoSign had « secretely » bought StartSSL and integrated its infrastructure in its own, StartSSL has been « sentenced » to the similar distrust by most browser than its owning company.

As DNS CAA records are not used by browsers to check if the Certificate Authority of an SSL certificate for a domain is the correct one, it could have allowed someone to impersonate GitHub or at least to lure some users to a fake GitHub site (anyway, GitHub didn’t set his CAA record). Such behavior is unacceptable for any certificate issuer as trust is the cornerstone of the entire SSL certificate paradigm. Google and Mozilla’s reaction seems then proportionate. However, you can imagine the impact of such sentence. For any CA, being withdraw from the list of trusted certificates of the two main browsers is like a death penalty for the CA.

The second disturbing fact is that StartSSL failed (or decided not) to properly inform its customers. Worse, it continues to sell its Class 1 certificate despite the fact they are basically useless. That’s not the kind of commercial decision that will help restore the trust to the Israeli company, even if WoSign has defined a remediation plan aiming at giving more autonomy to StartSSL (see below).

Customers who had paid for the Enterprise Validation have lost their money and are now using blocking certificates. The only cheap and rapid solution to restore access to their website (and keeping the SSL/TLS active) is likely to use LetsEncrypt free certificates.

I don’t know what the future is but I wouldn’t recommend StartSSL to anyone anymore and I doubt any security aware person would. That’s not a good indicator for a bright future.

References:

Your security maturity is low? Are you using your people the best way you can?

One famous saying attributed to Steve Jobs must be: « it doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do. »

It makes sense and security is no exception. How often do I see companies struggling to improve their level of security hiring external consultant while they have very talented and smart people capable of solving most of the issues… if you let them do it.

It might seem exaggerated but it is not so far from the reality. Your people may not have all the answers but they have likely solutions to a vast majority of your issues.

During lot of audit (or due diligence or GAP assessments), I interviewed managers and employees in order to get an idea of what works and what don’t in a company. Obviously, we check the incidents, the KPIs, the financial losses and all the possible indicators but its the discussion with the persons performing the jobs that give you the best insights. Rapidly, we can get a sense of where there is a bottleneck, a gap or an issue to fix. That’s normal, it is what we expect from external consultants. But what is often more surprising is that the same people are aware of the issues and have most of the time lot of ideas to fix them. It make sense as they are sometimes the persons suffering the most from these issues.

So, why are the issues still present? There is a lot of possibilities. One of the most common is the believe that the boss is always right (you know, rule #1). Hence, he likely know how to fix the problem, no reason to bother him with our stupid solutions. It creates blind spots. That’s probably why the space shuttle Columbia ended-up in ashes (see http://www.space.com/19476-space-shuttle-columbia-disaster-oversight.html).

Another possible reason is the difficulty of the people from the low level of the pyramid to talk the highest level’s lingo. Senior executives rarely want’s to have their hands dirty or to get involved in technical details or business processes considerations. I saw a few years ago a CIO meeting all the persons in its IT department (hundreds of people). Each meeting with a team gave him multiple hint on what was blocking or impacting the efficiency of his teams. And when you do, it’s easier to get the big picture and take the right decisions.

Another issue is the believe that the top management expect only green lights and positive outcome. « Failure is not an option » is a culture typically leading to failure. Also, sometimes, teams have opposed objectives, hence, they don’t work together to solves common issues but rather they fight each others or they continuously pass the hot potato. Not a good way to solve issues either.

A good and efficient security management, like any other corporate governance, requires an appropriate culture, fostering trust, empowerment, responsibility and so on. But these are more than words, they must be applied to be effective. bringing external consultants to fix internal issues is not always the best solution to improve your culture: it just send the message you don’t trust your team have the skills to do it.

You might want to try to express your expectations and discuss with everybody (or designated someone to do it) to figure out the best way to improve the situation. And if they need resources (what is likely the case) then maybe hire (external) people to reduce their current workload so they can start working on the changes.

 

Last tip: check your workforce’s skills… there’s sometimes people in your company who are doing work for which they are over-qualified and who could do jobs that could really provide you more added-value. Don’t look too far for your glasses, they might be on your nose.

Think about it.

 

Will IoT kill us someday?

herzschrittmacher_auf_roentgenbildWhen you’re working in the security industry, being paranoid is kind of natural (or is it the other way around?). So, when you see how easy people, processes and technologies can be hacked, you become rapidly suspicious of anything. We all know bad things can happen and most of the time we try to mitigate the risks (without even thinking too much about it). Business as usual, so to speak. However, while I have a good idea of the risks our future is bringing to us (what makes me even less worried about my business’ future), it seems that most people don’t imagine how much danger Internet will bring to them. So here are some clues.

The new buzzword that has a lot of attention in the media lately is probably IoT: The Internet of things. According to the media, it’s IoT who allowed hackers to put websites like Amazon and Netflix on their knee for a few hours on October 21st. But that’s a mistake. Although IoT has led to some specific new technologies like Bluetooth 4.1 or ZigBee to accommodate the low consumption and the low cost requirement necessary to embed technologies in nearly all objects, it is probably a mistake to see IoT like something new or something different. As Bruce Schneier said recently in front of the US congress, we should not see this has objects with computers in it (and an Internet connection) but rather see it as computer that do things. A Tesla is a computer with wheels (and when you see how Tesla manage its updates and is manufacturing process, it is closer to the Software industry than to the car industry way of working), a smartphone is a computer with a microphone and a 4G connection, a connected fridge is a computer with an extra cooling system, and so on.

Bottom line, these connected objects are all computers and we must treat them like it. So, like for all computers when it comes to managing security, we should think about patch management, access control, hardening, change management, release management, network segregation, encryption, key management, user awareness and training and all these processes and best practices. Unfortunately, the issue is that most connected object manufacturers didn’t spend enough time and money in designing secure objects, easily upgradable, with strong and secure communication protocols. Consequently, the future is now… and we are not ready for it.

But what is our future? Let’s get a glimpse at it. In the tenth episode of the second season of “Homeland”, Nicholas Brody help terrorists to kill a political figure by giving them his pacemaker serial number, allowing them to hack it and induce a heart attack.

In another TV show, “Blacklist”, a computer genius triggers remotely the airbag of a car while driving, causing the car to crash and the death of its driver.

Is this Science-Fiction? Unfortunately, not anymore! Exploits on « smart » cars become more and more frequent. More recently, a British and a Belgian researcher have devised a wireless wounding attack on pacemakers (1). While the latter exploit need specific and rather costly hardware (3 to 4.000€), we are just one step away of having a ZigBee or BT 4.2 interface. Do you wanna kill someone with your smartphone? Don’t worry, you won’t have to wait too long.

At the same time, as other device with less deadly capabilities are spreading over the world, they provide a potential army of unsecure devices that can be used for Distributed Deny of Service attacks, like it was seen recently, but, why not, to perform parallel tasking, helping to brute force passwords, crack cryptographic keys or hide communication sources by bouncing thousand of times on these little soldiers that we provide to these hackers. Nice isn’t it? We purchase the devices that will be used against us in the near future. To be honest, for most people, including for a lot of security specialist, it is not easy to make the difference between a secure IP camera and an insecure one, simply because we don’t have time to test everything and there is no useful and relevant certification for that. So think about the number of « computers » you have at home: Your internet router, you tablet, your PC or your Mac, your smartphones, your videosurveillance camera, your printer, your TV box, your Bluray player, your « smart » TV, your alarm, your new « connected » fridge, your smart thermostat, the PSP of your kids, the IP doorbell and so on… Think about it, in your home alone, you may have more than 10 little future soldiers for the next hacker’s army. Android, iOS or IP cameras, they nearly all have exploitable vulnerabilities.

So, we have an army and we have soon legion of potential targets for the new kind of attack: DoL attacks (Denial of Life). Imagine ransomware targetting your pacemaker, large scale attack on cars to cause traffic jams or worse, new hitmans (version 3.0) changing the medication of patients in hospital, overdosing people. Just watch any episode of « Person of Interest », they were just a few inches away from the actual reality… and we are getting there.

It sounds crazy, isn’t it? As bruce Scheneier said, Internet is not that fun anymore. It’s not a game anymore. Things are getting serious and we should act accordingly. Not only at government level but also in industries and in the civilian world. We should ask our suppliers, our manufacturers to secure their devices, to make them safe AND easy to control.

To be continued…

For more details…

 

Should companies create Bitcoin accounts to be ready to pay ransoms?

In the past months, the press made public different security incidents involving companies being victims of ransomware (1)(2). Most of the time, a ransom had to be paid in Bitcoins. It’s logical as Bitcoins are much easier and cheaper to launder the money and hide the recipient than traditional money laundering circuits.

You may decide that dealing with cyber criminals is unacceptable (like for terrorists or kidnappers) but if you don’t have such policies and the amount of the ransom is lower than the overall cost of restoring your services by yourself (including manpower, business losses, public image), you may decide to pay the price. In such case, time is of the essence. In order to limit the impact and to comply with criminal’s conditions, you might have no more than 48 or even just 24 hours to pay your “lack-of-sufficient-security fine”.

But, how do you pay in Bitcoins and keep it under the radar in such a short amount of time. Imagining the time spent debating the question “do we pay or not”, the time left to actually pay will likely be very short. So, you better have your Bitcoin wallet ready and loaded or some agreement with a trusted Bitcoin exchange platform to guarantee the required discretion.  Bottom line, nowadays, it might become wise to include a Bitcoin wallet in your Disaster Recovery Plan.

Whatever you’ll decide, decide now and be prepared.

Your phishing awareness campaign may do more harm than good

Phishing and spear phishing campaigns become more and more elaborate, hence more difficult to identify and consequently more successful. Crelan’s 70 million € loss, early 2016 is a good example of the potential impact of such a successful social engineering attack.

As automated security systems are unlikely to detect and block the most elaborate and targeted attacks (as they need a significant number of similar emails to trigger their alerts), security officers are left with security awareness campaign focusing on developing skills to detect (spear) fishing attacks to try to mitigate this risk. It’s logical, it’s what security standards advise you to do but watch out you may be doing more harm than good!

One of the first mistakes in this approach is to consider awareness (or communication) as a goal. Any communication is aimed at instilling a change in its recipient(s). The aim of an awareness campaign is likely to change people’s behaviour and attitude so they pay more attention to the source of their emails, their contents and the rightfulness of what is asked to them. So basically, we should first have a measure of the current situation and aimed at a certain improvement in our “smart” metrics. The most obvious and significant one being: How many people will fall for a (spear) phishing email.

How do we usually do that? Often by a combination of training, online training, posters and “homemade” phishing campaigns to measure the exposure of the company and tickles our employees. In such case, we appeal on fear. Fear to contribute to a security incident, to a fraud, to a loss of money, fear to get fired.

Fear appeal is used to leverage behavioural changes as one believe the emotional reaction caused by fear will increase the likelihood of the occurrence of the appropriate, secure, behaviour. You better think twice as, like it is often the case, devil is in the details.

Fear appeal effectiveness is still a debatable question (that’s the principle of science) but mainly because it might works under some conditions. In their “Appealing to Fear: A Meta-Analysis of Fear Appeal Effectiveness and Theories” article, Tannenbaum et al. (2015) have analysed 217 articles on the subject and found few conditions making fear appeal ineffective while effects seem most apparent in women and for one-time behaviours.

However, in a review of 60 years of studies on fear appeal, Ruiter et al. (2014) concluded that coping information aimed at increasing perceptions of response effectiveness and especially self-efficacy is more important in promoting protective action than presenting threatening health information aimed at increasing risk perceptions and fear arousal”. A 2014 study of Kessels et al. using event-related brain and reaction times found that health information arousing fear causes more avoidance responses among those for whom the health threat is relevant for them.

Still, it seems there is some consensus regarding some specific conditions to be met by such communication: the communication must provide, just after the fear arousal, a solution to allow the audience to reduce this fear with a sense of self-efficacy, or, to say it simply, we must provide a simple way for our audience to fix the issue, being an easy to follow behaviour (one that doesn’t require too much psychological and physical energy). If our solution is so complex that it will (or the thought of using it) generate more stress than the feared event, our brain will likely avoid this behaviour and deny the reality of the risk (and the fear).

Latest researches in neurosciences (and more specifically in the field of neuroergonomy) provide some guidance to shape our message and solution in order to allow our audience to easily grab our communication and adopt the desired behaviour.

Like for most communication, we must avoid to saturate the working memory. What does it means? If we receive too many information at once, our brain is not able to process it at once. It is like for a lift. If there is more people trying to enter than the lift capacity, the lift is not going to move and will be stuck. It is the same for our brain. If we saturate the place where the information is stored in order to be processed (what we call the working memory).

The average span of the human’s working memory is 5 objects or, if we use Husserl’s terminology, noema. For most people, this span is between 3 and 7 objects.

But, what is an object (or noema) in that context? If I give you a phone number digit per digit (let say: 1,5,5,5,1,2,3,4,4,6,9), it will be hard for you to memorize the 11 digits of this number, each digit being an object. But, if we combine some digits together in small numbers (1, 555, 123, 44, 69), it will be easier to remember. The reason behind it being that these small numbers are also objects (noema) for our working memory and in that case, we don’t saturate it as there is only 5 objects (so, within the average memory span).

Why are the small numbers an object and not the large one? Simply because we are used to them. If you are bone in 1980, this number can become an object (as you are quite well acquainted with it) while 1256 could require 2 noema (12 and 56).

The same is true with words. Well known words (and their associated concepts) are easier to process. It is why I put multiple time the word “noema” (likely to be a new name for most readers) with the word “object” (a quite common word and clear concept) so it can be used as an “handle” to better “grasp” the new concept of “noema”. Similarly, using the metaphor of the “handle” to “grasp” a concept ease the understanding (the grasp) of the concept.

To summarize, our solutions, our expected new behaviours, must be as close as possible to something we already know in order to make it easier to grasp.

As a concrete example, if you want your user to check the validity of an email sender’s domain name (just that concept is not that easy to understand for a lot of people, so what’s on the right of the @ in an email address), you should provide a tool available in the first level of the menu or a link in the favourites website. The best thing would be to have the information integrated in the email or at a click from it.

E-commerce websites have already well integrated such concepts. They understood long ago that if you want to have a client ordering something, he must find it and be able to order it with 3 clicks or less. You maybe know the saying: “the best place to hide a body is on the second page of a Google search”. Meaning? Most people don’t go to the second page, it is a click too far.

kittenUsing pictures, drawings (simple one, keep the 3 to 7 objects rules in mind), stories, jokes help memorizing. Anything that might be relevant to the concept or totally outstanding might help too. Emotions help to memorize. If you scare people first, making them laugh or smile with your “solution” might allow memorizing it. Go kittens! (see https://www.ezonomics.com/stories/how-pictures-of-kittens-can-help-you-manage-money/).

Also, do not forget a basic principle of behaviourism… the sooner the better. If you want to foster an action, the reward must come very soon, ideally immediately, after the action. So, if you have people clicking on a link in a “test” phishing email, you may scare them by pointing their mistake but you should also immediately provide a way to avoid this experience the next time by providing a few quick tips on what they did wrong and how they should do it the next time.

Here is a nice example of a video playing just a bit on the fear and providing advices in a non-threatening, aesthetic (it matters too) and very simple way (by http://www.nomagnolia.tv/).

So, you know (a bit more) what to do now!

Is Cybersecurity a good buzzword?

For years now, Information security is a fast growing market. At least for a couple of years, the cyber security market is growing fast. Even in these times of budget cut in many sectors, quite often the cyber security department manages to negotiate an increase of its operational budget. That’s significant, isn’t it? Moreover, nowadays it becomes nearly impossible to ignore the wave of “cyber-“ words: cybercrime, cyberterrorism, cybersex or cyberbullying.

You could not have missed also the news about the CERT.be, the federal cyber emergency team (CERT used to be the Computer Emergency response team, likely less “sexy” than Cyber emergency Team) which is, according to its website, “a neutral specialist in Internet and network security” (So Cyber security is Internet and Network Security?). With the CERT.BE, you probably also read about the Belgian Center for Cyber-security (CCB). Neither could you haven’t noticed the buzz around the new Belgian Cyber Security Coallition or the 1.8 billion € allocated by the European Commission to a private-public partnership made to increase Cyber Security. In the latter, the private sector is being represented by the newly born European Cyber Security Organisation (ECSO). That’s a lot of Cyber-related news, isn’t it? Does Azimov’s vision become a reality? It sure sounds like we are in one of his Robots series book.

But what does Cyber mean? How is Cyber Security different from Information security or IT security? Which one of both is it?

According to the NIST, Cybersecurity is “The process of protecting information by preventing, detecting, and responding to attacks”. So, is it Information Security? But according to the new worldwide reference, Wikipedia, Cyber is « part of the “Internet-related prefixes added to a wide range of existing words to describe new, Internet- or computer-related flavors of existing concepts, often electronic products and services that already have a non-electronic counterpart”. So, Cyber Security should be the Internet or Computer related flavor of information security that we used to call IT security. But is it?

Because lately I’ve heard the “cyber-buzzwords” used in so many different contexts by so many person (including some executive clearly not knowing what they were talking about), I have difficulties to understand what we are talking about exactly.

Understand me well, I like the fact that our country’s leaders finally decided to address the increase of the Internet related threats more seriously. As our risk surface is drastically expanding, it is more than time to address those risks at a more global level (but we are still far from a clearly necessary worldwide cybersecurity agency, for a lot of obvious political reasons). I also like the fact that my clients’ board of directors give more focus to “cybersecurity”, whatever they think it is. At last, it provides us a momentum to raise awareness and improve the governance maturity to the necessary level.

What I don’t like in the “Cyber” fashion, is having a so important subject becoming more and more vague and focused, again, on the technological aspects. With the new buzzword came a lot of new supposed-to-be-panacea products claiming they will solve all the problems overnight (or in a few months, but at our timescale, it is the same). I heard of CISO (Chief Information Security Officer) being rebranded CCSO (Chief Cyber Security Officer).

Is it really a progress? For years we fought to have the CISO positions created at a board level in order to get out of the IT ghetto. The aim was to be also present where information security belongs: in the organizations processes and workforce. In 2016, the latest IBM security survey still attributes 60% of attacks to inside jobs. 1 employee out of 5 is ready to sell his corporate’s network credentials. The biggest weaknesses are still in the business processes and in the human being behind them. Most ethical hackers and red team members know that they don’t need a zero-day exploit to get into a target’s systems, they just need a charming smile and a couple of beer to get what they need to get in. With all the good this new Cyber buzzword brings, there is an evil: we are going back to a computer and technologically focused perception of corporate security issues. Human, processes and facilities are relegated to the second position while they still represent more than 70% of the risks. Does it make sense? Is Cyber Security an evil buzzword after all?

Few will share this article as a lot of cyber security professionnal won’t dare to challenge the marketing machine that is actually feeding them. And as I wrote, there was some good coming out of this, but it is necessary to see all the side impacts and ensure marketing people are not the one deciding where you should put your focus.

Improve and speed up your Firewall Change Requests management for free

Should you be working for a small or a very large organisation, you probably have one or many firewall to manage. If you have half a decent security governance, you probably have someone reviewing and approving any request to update rules on the firewall(s).

If you have a lot of requests to process and a complex network architecture, you might be lucky to use an automated system like Fireflow to process these change requests. if you don’t, you might struggle a bit with this process and with the enforcement of somewhat complex network security rules related to data flows between different subnets.

So, if you don’t have much money to spend in a quite expensive solution, today is your lucky day as we give you one for free (at least if you already have a Microsoft Office license).

These last months, we have developped a set of Visual Basic functions for Microsoft Excel in order to help our customers deal with the management of IP networks, FQDN, URLs, DNS and so on.

Recently, we have used these functions to create an excell sheet meant to be a form to request Firewall Change Requests (FCR) and to provide automaticaly a compliance advice with some rules of data flows exchange between subnet and some IP ports uses.

This form and the VBA functions (or the Excel function library) are available on our public GitHub repository: https://github.com/Apalala-sprl/Excel-Functions

It is quite simple to use, the only thing you need to do is to fill the two sheet with the list of your subnet and the related Network addresses (in CIDR format) and to fill the access matrix defining what is allowed from one subnet to another (see picture below). Once it is done, you can hide these sheets and give the form to any person in your organisation wanting to change or add a firewall rule.

flow-matrix
When the requestor will encode its request in the form by giving the source and destination IP addresses, the field will automatically detrmine to which subnets the addresses belongs. Also, it will provide you the default treatment of such workflow. As the requestor will see the result as he types the request in, he will be rapidly notfied if his request is somewhat unusual or against the rules. it might reduce your workload and speed up the processing of the remaining requests.

If you have some trouble using it, don’t hesitate to contact us. If you improved it in any way, feel free to share your work with us and the rest of the community.

Ooops, they did it again! Was my password compromised, again?

Your probably read that 68 648 009 dropbox accounts have been recently compromised. In the past years, companies like Linkedin, Adobe, Tumblr, Fling or MySpace were hacked and it is likely that your credentials were stolen by hackers if you had an account on one of these sites. It’s even possible that your credentials (Name, email and passwords) have been published on the web.

If you don’t remember if you were one of the victims of any of these breach, there is a very useful website that allows you to check if your email address can be found in one of these leaked list of credentials: haveibeenpwned.com.

You just need to enter your email address and press enter. Then, you’ll know.

But, as you don’t always use the same password on all the sites you use and as you change them quite often, you’re probably safe!