Information Security Innovators

The Grimbaldus Blog and News

This page is the home of the Grimbaldus blog and interesting snippets of news.

News snippets

13 November 2009

Conficker is still spreading. The latest (end October 2009) results show more than 6 million infected IPs, up from 4 million in June 2009.

However, in July 2009 its overall growth slowed as a result of some smart action taken Felix Leder and Tillman Werner, two German security researchers from the University of Bonn used a quirk of Conficker.A to neutralize the variant and stop it from spreading, as this graph shows:

On startup, Conficker.A consults a GeoIP database through the Internet, and if the IP address of the infected machine is located in the Ukraine, then Conficker simply shuts down.

The original GeoIP service being accessed had since decommissioned the URL used by Conficker (owing to too much and all nonproductive traffic) and was willing to forward all requests to the University of Bonn, where Tillman and Felix started to serve a one-line version of the GeoIP database ... putting all IPs in the Ukraine. This slowed the spread of Conficker significantly as the difference in slope indicates. Very simple, smart, and effective.

However, as can be seen from the graph, Conficker's spread appears to be trending upwards again.

Read more at:


13 November 2009

I see that Total UK has pleaded guilty at the Old Bailey to charges relating to the Buncefield oil depot explosion in December 2005:

Re Buncefield, Total UK pleads guilty at Old Bailey (BBC website)

The explosion registered 2.4 on the Richter Scale and followed the spillage of some 300 gallons of petrol (gasoline). Buildings up to three miles away suffered severe structural damage.

One thing that has always amazed me is that at least two companies had chosen to locate their IT disaster recovery management sites (aka "bridges") in the industrial estate that was so badly damaged.

A selection of postings on LinkedIn

Commenting on “Certifying Hardware as PCI DSS compliant”, Michael said:

In Malta last year I was a member of a Round Table discussion on PCI DSS. The majority of my companions were from security technology companies.

The debate turned to the potential for the PCI Standards Council to issue certificates to DSS compliant technologies.

My contribution was that, even if you could certify all the technology in a network this was no better than the cars running around the Maltese roads with every component stamped with an "E" kitemark indicating compliance with EU construction regulations. The issue remained that the one vital component that was not certified was the nut behind the wheel.

Nevertheless, is there value in certifying technology as DSS compliant? What happens when its plugged in to other, non-certified technology? Does the certificate stand or lapse?

I think that omits the primary element that drives so many of the issues the InfoSec community has with the concept ... that the service is provided by a third-party. Further, that third-party might only be fronting the service, with the storage and processing provided by unknown and unverifiable companies behind them. The servers could be anywhere in the world, including countries where the "export" or processing of the data is illegal under domestic legislation/regulation.

Put simply, the data owner should be able to say, "My data, my rules." and have the custodian comply. This is the case with in-house IT. "Cloud computing" necessarily adopts the position of, "Our servers, our rules." That presents a raft of problems.

I would also comment that so-called cloud computing includes document (i.e. information/data) storage 'in the cloud' ... a service that is often offered free of charge. I have seen people within organisations move sensitive corporate and information and 'Personal Data' onto popular 'cloud' services, "Because it's easier for me to access it outside the office." And their management supports them. That's the sort of attitude that grows ulcers on my ulcers.

As you can see, increased penalties have been mooted and discussed for some time, so I don't think that an accusation of a "knee-jerk" reaction could be justifiably laid.

And without a mandated reporting regime - which the ICO has spoken against ... although the EU might introduce one - the chances of increased penalties bringing data protection into greater focus for C-level business managers is less than it could be.

The fear of prison does concentrate the CEO's mind when Health & Safety is discussed, but reporting is mandated under that legislation. If the Board think that they can "hush up" a data leak or loss, they will not be so scared. And anyway, they can always blame the Data Protection Officer.

If two-factor authentication is used (e.g. RSA token) over an SSL tunnel, the level is security should be acceptable for most corporate and personal information.

A personal firewall is a good idea too, but few companies will go to the expense of buying a specialised one when their OS or AV program offers one for nothing.

As ever, you need to assess the risk. Just as not everyone is a baby-snatcher, not every WiFi hot-spot has a hacker sipping an ever-cooling skinny latte in the corner. Figures suggest that it's more likely that the laptop will be stolen ... or accidentally left behind than the WiFi link be intercepted - so investing in a HD encryption program may be more worthwhile than installing a personal firewall.

Looking back over two and a half "recessions", I believe that companies economise on security too easily [well, I would say that, wouldn't I?] The CISO's budget has been one of the first to feel pain, with new investment stiffled and staff economies made. Threats are continually evolving and new vulnerabilities are discovered almost weekly, but the CISO is still expected to "carry the can" when - note, "when", not "if" - something goes wrong.

As a consequence, if Quan Tran's thesis is correct, it is possible CISOs might be leaving sooner for pastures new as a means of reducing their potential exposure to criticism.

I'm reminded of a comment by Prof Gene Spafford, that the only truly secure system is one that is, "powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."

"Airtightness" means that no air can get in or out. In our context, "airtight" means "datatight", and a datatight system is no use to anyone.

Besides which, practically every "secure" system is compromised as soon as it is connected to any other system and switched on.

In a fast-moving pandemic exercise set in the harshest UK winter for 30 years, I introduced the additional issue that a burst water pipe was flooding the basement of one building. This was largely ignored until it was too late to take effective action to save firstly the vital records stored there and subsequently the building when the water froze solid. When the participants belatedly realised the seriousness of the position, their responses were all predicated upon the ready availability of third-party services ... forgetting that in a major pandemic these would likely be less responsive and might even be denied them.

Table-top exercises are vital.

This is perhaps the most significant difference between the radical Islamic and an other terrorist (although I prefer the term "mass-murderer"); the former is ready to die as an integral part of their operation, the latter merely suffers the occasional "own goal".

And later, said:

… "... who is more likely to notice the activity of a terrorist cell, the police, or a civilian, whether the civilian is an employee or an employer?" The UK police have an awareness course called "Project Griffin" which is run for front-of-house and other security personnel. Part of the syllabus deals with recognising "hostile recognisance". By and large it appears to be successful, reportedly resulting (within the City of London policing area at least) in fewer challenges of the innocent by police than seem to occur with other forces when acting on their own initiative.

Tony Goring's comments on PIRA operations in Belfast (and Ulster generally) are spot on ... and those types of operations continue today (also conducted by RIRA and CIRA), albeit to a more limited degree.

Michael Agee refers to the Una-bomber having explosives in his shoe and that this resulted in a change of tactics at airport security. I believe it was Richard Reid not Theodore Kaczynski who concealed explosives in his shoes on board AA63 from CDG to MIA. Perhaps there is some confusion with the Adio Impact "Unabomber Shoe".

BTW, to put my comments on this topic in perspective; I have (a) been the victim of a terrorist (FARC) bomb, (b) dealt with the aftermath of three IRA attacks in London, "7/7" and several false alarms, and (c) implemented security measures for companies in countries where "terrorism" / "mass-murder" is practically a way of life (or death).

And later, said:

Police forces record incidents according to current government requirements. Thus, if the government wishes to play up a particular angle or play down a particular type of crime, the recording criteria are adjusted to reflect those wishes.

Subjectively, the figure of 10,946 strikes me as too high, and I suspect that incidents that one (national) police force would record as "terrorism" another would record as (say) "murder by persons unknown".

And, as Sir Winston Churchill might have said, "History is re-written by the victors." In a few years time (the process started some years ago), the PIRA's actions will no longer be "terrorist" ... just as in Israel, Likud does not see the Irgun activities as "terrorism".

Paradoxically in a way, the fact that everything passed off OK is a metric I place in the "measuring negatives" box.

For years I have been spreading lion dung all along the boundary of my garden as I was reliably informed on a trip to Africa, that it keeps elephants away. And it works! I have never been troubled by elephants.

Despite the claim that they could have detected the package - assuming it was at the time strapped to his thigh - and that they can replace the current scanning technologies, the use of the latter systems cannot be terminated in the UK because of EU requirements. Queues will be longer ... exacerbated by a "pat-down" in the boarding jetway and a swab test for explosives. As I have found previously, this will detect that the person recently fired a shotgun ... grouse shooting in the Highlands of Scotland is likely to lead to a number of people missing their flights home from Turnhouse!

Brown also says that "profiling" - at least to the level of noting payment by cash, purchase of only a one-way ticket, the checking-in or carrying of little or no baggage - will be utilised. It was my understanding that these were individually and collectively "triggers" already ... and that they failed!

Whatever measures are put in place, the would-be bomber(s) will adapt. As Abdullah Asieri recently demonstrated (as alleged by some), inserting a pound of high explosives plus a detonator in your rectum avoids detection by security. That he failed to kill Prince Mohammed Bin Nayef (head of Saudi Arabia counter terrorism ops) appears to owe a lot to an imperfect detonation. Other reports indicate that the explosive might have been instead in Asieri's underwear and that a chemical fuse was used - as per Matallab's airborne attempt. Regardless of the precise location and completeness of detonation, crime scene photographs show that the explosion destroyed the lower part of his body. A Europol report after that attack indicated that a rectally-inserted IED was practical, likely with a remote trigger.

In the future, bomb teams will take steps to ensure that their devices cannot be detected by the new technologies. They will take care that only the bomb-maker fits the bomb and that the bomb-carrier does not touch it or other explosives beforehand. They will make sure that the bomb-carrier has sufficient luggage; they will purchase a round ticket; and they will use a credit/debit card issued to the bomb-carrier.

As Mir-Hossein Mousavi - the last Prime Minister of Iran - said, "There is no defence against a dedicated individual seeking martyrdom."

And, as the IRA said to Margaret Thatcher on 12 October 1984, "We only have to be lucky once, you have to be lucky all the time."

Taken separately and together, these two statements illustrate the futility of much current and proposed security regarding passenger air travel.


I forgot to add in my comments above that, in the UK, the Protection of Children Act 1978, as amended by the Criminal Justice and Public Order Act 1994, makes it an offence "to take, permit to be taken, or to make any indecent ... pseudo-photograph of a child". That includes "an image, whether made by computer graphics or otherwise, which appears to be a photograph."

The "whole body scanners" fall foul of this legislation and therefore cannot be used to scan the bodies of those under 18 years of age. A recent trial of such scanners at Manchester Airport had to be halted until arrangements were made not to scan the under-18s.

But, of course, no terrorist is going to use a child as the bomb-carrier, so that's OK!

This is triable; i.e. in the event of a dispute or breach you would have to prove in Court that there is no better practice available ... and that's not easy to do.

Following an internationally recognised standard (e.g. ISO 2700x, PCI DSS) is likely to be held to be "best practice" (even though it might not be, but don't let's get into that again). Following your own creed is fraught with danger, especially if other people's data would be at risk.

As to "worst practice", well, I've amassed an un-indexed library of horror stories ... some of which I feature in. We CISOs can be our own worst enemies.

Commenting on “Bomb threat incident management”, Michael said:

I am probably one of very few people posting here to have been through a major VBIED incident (Occidental Oil offices in Bogota, 5 February 1988, ELN). I also have experience in dealing with suspect devices and packages (from previous lives).

As Arturo Montalva says above, size is important. Clearly if there is a telephoned threat it is vital to try to obtain location and size (if necessary, relative: package, car, lorry) and nature (fertiliser-based, industrial fertiliser, military, incendiary, CBRN, etc.) of the IED. Failing this information a decision must be made regarding the wisdom of locating the device. It is, of course, best to obtain professional advice from the police (in most major cities, the police have experience or training in dealing with IEDs). In London, the EXPOs (the most senior is a Sergeant) are part of the Metropolitan Police and in the event of an IED report have total authority (even to order the Chief Commissioner around). For a large VBIED (e.g. lorry) they will likely consider an evacuation of 1,000 metre radius (that, BTW, covers the entire "Square Mile" of the City of London ... hundreds of thousands of people), reducing to around 200 metres for a PBIED (e.g. suicide bomber). Removing people from the direct line and nearby windows is a priority.

In one suspect VBIED incident very close to my building, we invoked our "retreat to core" approach, moving people to harder areas of the building (stairwells, windowless rooms, basements) out of the direct line (the police found no trace of explosives). In a small suspect IED (anonymous and unclaimed suitcase left in visitors' area) we isolated the area, rolled down the (fortunately located) fire curtain and diverted pedestrian passage away from the possible blast zone (assuming industrial explosive) until it was declared safe by the police (no explosives found). In one incident involving suspect material (white powder in a lift) we isolated the lift in the basement and called for assistance (it turned out to be peppermint sweets crushed underfoot).

WRT Puneet Gupta's comment about filmed glass, I direct his (and others') attention to the photographs in the presentation downloadable from my Profile. With a large overpressure outside, the filmed glass tends to enter the building and wrap itself around things inside. Internal glass partitions that are not filmed can be shattered. Following the 1 ton fertiliser VBIED (Bishopsgate, London 24 April 1993, PIRA) I saw a 3' long shard of 1/2" thick plate glass from an internal partition that had penetrated the front of a metal filing cabinet full of papers and embedded itself some 2" into the concrete wall behind. During recovery work following a VBIED (London Docklands, 9 February 1996, PIRA) I recovered a large piece of the lotty's chassis from the third floor of one building. In the Bishopsgate bombing, the gearbox from the lorry was found on the 8th floor of the NatWest Tower (now "Tower 42").

The massive damage done to the Baltic Exchange by a 1 ton fertiliser VBIED (St Mary Axe in the City of London, 10 April 1992, PIRA) was largely the result of the building's design and size. The blast passed through the front of the building and across the trading floor to rebound off the rear wall. The rebound arrived back at the front wall as the implosion occurred outside, pushing and sucking the wall into the street.

I have seen an shocking film of a (possibly time-triggered) parcel bomb exploding in a government office in Thailand (Nakhon Pathom Social Security Office, 21 October 2002, unknown, possibly personal vendetta). The police had been called and one decided to try to open the parcel whilst his colleague held it steady. As you do!

Also as you do (!), the police had invited a number of journalists and TV cameramen into the room - one of them captured the explosion and filmed the bodies of the two policemen lying on the floor together with several injured colleagues. When a senior officer arrived, he contented himself with yelling at his officers and ignored his dead and injured men.

It occurs to me that many people will have absolutely no concept of what happens in an explosion other than what they have seen on the TV and in the cinema. That it to say: you can largely outrun the blast; most of the effect is flame and smoke; and if you do get caught you are thrown a few feet, then get up uninjured and can speak and hear at normal volumes!

The realities are that:

* even Ursain Bolt cannot outrun a nearby explosion;

* most of the effect is overpressure (i.e. "blast wave") combined with high velocity debris, plus intense but short-lived heat close to the source;

* the bodies of people close to the blast are largely fragmented by blast and debris;

* the vital organs of people further away but still within the zone of high overpressure are jellified;

* anyone hit by the blast wave is very likely to suffer broken bones when they stop or when they are hit by projected or falling debris;

* after the explosion you will be gasping for air and will be largely deaf for a good while afterwards.

And later, said:

… those (sort of) questions are SOP for a telephone threat. And why not? Any information given can be useful in determining the threat level. Q4 is particularly relevant in this context.

If the caller is the actual "bomber" (i.e. part of the team that planted the device, or even the bomb-maker) they will likely be under considerable stress themselves and give away true details, especially if this is their first-time.

When you call the switchboard at most offices, the operator will generally ask, "Who shall I say is calling?" It is an everyday question that might well elicit a true response. I have heard of one caller (albeit a hoax) giving the number of the call-box he was using ... after being assisted in locating it by the operator handling his call! The police arrived as he was leaving. Another instinctively gave his own cell-phone number (although they were using an anonymous pay-as-you-go 'phone to make the call)!The demeanour of the caller can be often be better ascertained by their responses to commonplace questions and it can start a dialogue.

Background noises are important to, and the longer the caller is held on the line, the more information can be gleaned. Of course, it is best if telephone operators are able to record such calls at the press of a button. It's surprising that some bombers call whilst on their way to place the device, but perhaps excitement plays a part. Of course, using a cell-phone in close proximity to an IED can lead to an "own-goal".

The questions might appear silly out of context, but they can serve a purpose. Their phrasing needs to be carefully considered and the switchboard operators need to be trained to handle such calls appropriately. Unfortunately, such training (along with related training for reception and mailroom staff) has fallen away in recent years.

And later, said:

… with DDI and 'group pickup' being commonplace, it's very possible that a threat call will not be dealt with by the switchboard operator or receptionist (although still highly likely for large companies). It could end up with Fred or Freda on the receiveing end of the call.

So it is important to educate everyone.

Sod's Law holds that if a threat call does come to Fred/Freda they will be unable to locate the checklist they were given months ago, so 'refreshers' are important on a frequent basis (e.g. as part of team meetings), with the frequency determined by the continually assessed threat level.

For those in the front line, training and rehearsals should be held with similar frequency.

(O/T) Re Mathew's propane gas cylinders, I recall a site with an underground carpark approached via an unprotected slope at the top of which was the filling point for the building oil supply. Whilst such fuel oil is hard to ignite, there was an obvious risk. And one day during a delivery the hose split whilst the driver was having a comfort break, and roughly 1,000 gallons of fuel oil spilled down the slope ... providing an entirely different set of problems!

Another (offshore) site kept diesel fuel for their stand-by generators (which were in use many times each day) in 50 gallon drums in an unbunded area ... together with the empty drums (which pose more of an explosion risk). The fuel was pumped by hand into the generators' header tanks . There were hand-held (only) fire extinguishers, but located on the far side of the storage area and inaccessible in the event of a fire. Words of advice were given. On a return visit a couple of months later, I saw how my advice had been put into practice. The drums now had labels which read "Full" or "Empty" as appropriate attached with wire around their filler caps. The drums were still in an unbunded area and still kept together; and the "Full" and "Empty" were printed on alternate side of the labels! The fire-extinguishers hadn't been relocated.

And later, said:

One of the problems with evacuations is that, despite notices and drills, people tend to do what they want to do and go where they feel like going. Their behaviour is affected by circumstances such as the time of day and the weather: lunchtime = go to the pub; going home time = go home (BTW, that means they stop to collect their personal things); raining = don't go too far, pop into a shop, cafe, etc. (it also means they stop to put on a coat).

Another is that if the police become involved, they will likely want people to go where *they* want them to go, not necessarily where the company expects them to go. This is particulary the case when the threat is more widespread than a single office.

For example, practically all the medium and large companies in the City of London have evacuation plans, but very few are "coordinated" with other companies in the immediate vicinity. My conversations with the City of London Police Anti-Terrorist Liaison guys in the past has shown that (a) they know there are conflicts between various companies' plans; (b) their attempts to coordinate and reconcile these have proved pointless; (c) the number of muster points in the City are very few and none can accommodate more than a few hundred people; (d) these areas are easy to identify and therefore highly vulnerable to a secondary IED; (d) in the event of an incident or a threat to more than one premise the police will direct people out of the area by any available route and not care where they go ... except in the case of a detonated NRBC when they will attempt to corral people for decontamination.

I suspect that the EU Data Protection legislation is a factor, as companies cannot transfer responsibility for compliance to a third-party.

For service companies, their provision of security services could be enshrined in contracts with their clients ... leading to concerns over undoing these and what the clients' perceptions will be of outsourcing security.

Speaking personally, I see many benefits in outsourcing the provision of security services, but I also see a great many concerns. I do not believe that many European companies are sufficiently mature in their existing practices to accept that they could outsource security. I further do not believe that the providers of managed security services are themselves sufficiently mature to cope with managing a wide diversity of client requirements and issues.

When it looked as though the trucks would stop moving, we'd start stocking up our larders. By the end of Day One, if there was still no petrol, the shelves would be looking pretty thin. On Day Two - i.e. the fourth, fifth and sixth meals - we'd start to panic.

On Day Three, with still no petrol and no notion of how long it might take for the supermarkets to restock and hunger pangs kicking in, ask yourself how long before those who hadn't stocked up began stealing from their neighbours, or simply looting what they could get their hands on?

There are some 11 million gardeners in Britain, but their crops won't go far when the kids are hungry and the baked beans have run out. And if the neighbours have been peering over the fence, the runner beans and cabbages will be history.

It was Lord Cameron's estimation that it would take just nine meals - three days without food on supermarket shelves - before law and order started to break down, and British streets descended into chaos.

And that chaos would be a real challenge to police, with a goodly chunk of the military engaged overseas and the babies of police officers crying the night away with empty stomachs.

And that's hardly a far-fetched warning. Look what happened in the aftermath of Hurricane Katrina.

© 2010 Grimbaldus Limited     Built using: CoffeeCup Software