Publication of the NIS Implementation Regulation (for digital service providers)

(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, which provided a good part of the information).

Just a couple of weeks ago Ana Marzo, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me to tell me about the publication, unexpected (at least by me), of a new Commission regulation related to the NIS Directive, which, in a display of originality, I have called the NIS implementation regulation.

In fact, on 30 January the Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 was published, laying down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards the specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems, and of the parameters for determining whether an incident has a substantial impact.

At least it caught me by surprise (and I am sure some of our readers will feel the same), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not enjoy our own NIS-compliant legislation, as the legislator must be kept busy…). Given that we had both, although in different areas, worked for the same client, one that fitted the concept of digital service provider and could therefore be affected, we asked ourselves whether the regulation applied to that specific client. For example, is an online newspaper affected? And an online sales website? An online bingo? And a platform for sales between individuals? Deriving the answer to these questions is the subject of this entry.

The NSA needs your updates

(Please note this is a translation of the Spanish post… and that in Spain 28th December is the equivalent of April Fools’ Day, so this news was just a joke)

Although this finding is little more than 12 hours old (it appeared yesterday in some Chinese media), it has not taken long to spread through the US specialized media. Among others, Ars Technica, Bruce Schneier, Wired and Dan Kaminsky have published brief reviews commenting on the recent findings by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, it all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing different Adobe update packages stored on the computers (suspected to be the infection vector), they found that all of them had a similar structure: the update package plus an encrypted data block C1 that could range from 65536 bytes to several MB.


NSA, digital walls and a few good men.

It has long been known that the NSA and some similar organizations have surveillance systems deployed to ensure the safety and protection of us all from evil. However, the NSA always preferred to keep this secret, to avoid being forced to turn down the Nobel Peace Prize. After the cases of Snowden, Manning, Assange and other rebels, though, it is clear that the situation has become unsustainable.

Luckily, the certainty that the NSA listens to our conversations, reads our emails, spies on our activity on social networks and basically knows everything we do has not generated any notable movement at the political or social level, because they do it for our own good (now that I write it down, I clearly remember hearing that more than once in my childhood). It would not be desirable that, because of the thirst for justice and freedom of a few, we were (literally) doomed to hell and existential chaos.

Probably they will be awarded the Nobel Peace Prize shortly.

A Few Good Men (via Wikiquote).

Kaffee: Colonel Jessup, did you order the Code Red?!
Judge: You don’t have to answer that question!
Jessup: I’ll answer the question. You want answers?
Kaffee: I think I’m entitled!
Jessup: You want answers?!
Kaffee: I want the truth!
Jessup: You can’t handle the truth! Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who’s gonna do it? You? You, Lieutenant Weinberg? I have a greater responsibility than you can possibly fathom. You weep for Santiago and you curse the Marines. You have that luxury. You have the luxury of not knowing what I know, that Santiago’s death, while tragic, probably saved lives. And my existence, while grotesque and incomprehensible to you, saves lives! You don’t want the truth, because deep down in places you don’t talk about at parties, you want me on that wall. You need me on that wall. We use words like “honor”, “code”, “loyalty”. We use these words as the backbone of a life spent defending something. You use them as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom that I provide, and then questions the manner in which I provide it! I would rather you just said “thank you”, and went on your way. Otherwise, I suggest you pick up a weapon, and stand a post. Either way, I don’t give a damn what you think you are entitled to!
Kaffee: Did you order the Code Red?
Jessup: I did the job that—-
Kaffee: Did you order the Code Red?!!
Jessup: YOU’RE GODDAMN RIGHT I DID!!

Forget privacy

(Opinion article published by Manuel Benet in Valencia’s local newspaper on 2nd July 2013)

The documents leaked by Edward Snowden to The Guardian about a sophisticated global intelligence programme are, in essence, nothing new. For years it has been known that the U.S. and some partners share the ECHELON spy network, involved in the past in several trade scandals. However, we should not underestimate Snowden’s contribution. While until now the details of the spy system of the National Security Agency (NSA, for short) were based on experts’ research, we now know not only that this program (PRISM) is larger, smarter and more ambitious than anything we imagined in the past, but also that many countries have their own surveillance systems.

Perhaps due to films or literature, we have always been used to the idea that espionage takes place between States, with specific objectives and actors and under certain rules. Now, however, a step forward has been taken, with the monitoring and recording of virtually any information that can be recorded about millions of individuals around the planet: a system without control or limit that, with total impunity and the cooperation of the Internet corporations, breaks any idea of freedom, privacy and justice we might have. States have come to spy on their own citizens in a move more typical of dictatorships than of democracies.

However, despite the seriousness of the matter, no one seems very concerned; do not expect a massive desertion from social networks, and if we look at the press, Snowden is famous not for having disclosed a large number of classified documents about a global and massive surveillance program, but for the geopolitical tensions that his flight and persecution have created, mostly between the U.S. and China and Russia.

One of the quotes attributed to Benjamin Franklin says that those willing to sacrifice some of their essential liberty for some security deserve neither. This seems to be our case. Long ago, despite the great efforts (maybe not always so great, ok) of the data protection agencies, both national and transnational, we decided that our privacy did not, after all, have the importance they wanted us to think. Once that decision was made, the transition of our information to a digital world controlled by multinational corporations outside national and European requirements posed no trauma at all.

At first glance there is a big difference between your messages being scrutinized by a nest of spies like the NSA, an opaque entity that is key to American intelligence, and knowing that Google scans your emails to place relevant ads. However, there is no such difference: (almost) no one cares about being spied upon; that is a simple inconvenience we have accepted as inherent to the digital age, and something makes me think that we did not even need the sword of Damocles of terrorism. The saying that if you have nothing to hide you have nothing to fear has been accepted almost by obligation, with few complaints.

We can draw one last thought. Edward Snowden was not 007; he had no licence to kill and was not (as far as we know) a double agent. He was ‘only’ a system administrator working for an NSA contractor, at one of the world’s most secure organizations. From there he had access to a huge volume of classified documents that James Bond would not even have heard of. In light of this, do we really know who has access to our information?

The 10 usual errors of an SME in Information Security

There is no doubt that in recent years we have made great progress in information security. Gradually, businesses are beginning to accept the idea that security is an area that requires special attention, beyond what many consider “the IT crowd”. However, while it is not good to fall into doom and gloom, we should not be too lenient either: there is still a long way to go, and progress does not always occur at the speed that would be advisable or desirable (fortunately for criminals). Every day we see security breaches in organizations with strong investment in technological infrastructure and security controls, which should give us an idea of the imbalance of forces.

Along these lines, there are still many errors and beliefs that we can identify as the ten usual errors of SMEs (small and medium enterprises) in information security, and that mark the road ahead for the coming years.

1. Thinking that their information or systems are of no interest to anyone. This is, without a doubt, the main obstacle to improving information security in an organization: “who would want to attack us?“. There are several powerful arguments against this. First, any machine is useful for “botnets” or networks of zombie PCs controlled remotely, whether a corporate PC or a teenager’s laptop; if it can be controlled remotely, it can be used to send spam or attack other systems. Second, perhaps no one is really interested in those systems, but a worm doing a massive scan could find a vulnerable system by chance. Finally, many organizations underestimate the value of their information, both to external competitors and to insiders: accounting balances, price lists, margins, production processes, innovations, etc.

2. Believing that security is purely technical and therefore the responsibility of the IT department. Limiting security to its technical side, obviously necessary, leads to neglecting controls such as legal and organizational ones. Managing security incidents and events, training staff on security issues, defining responsibilities and addressing legal requirements are vital to preventing threats such as phishing or social engineering.

3. An antivirus and a firewall are enough. This is mainly the progress we talked about in the first paragraph: few organizations today lack an antivirus or a firewall. However, this leads to a false sense of security that makes them forget that there are many threats, both technical and non-technical, that require more specific measures.

4. Thinking that security is a product and not a process. This error dates from the time when security was just one more of the many tasks of the IT department staff. However, things have changed significantly and security has acquired a status of its own. Anyone working in an HR, production, logistics or accounting department performs daily maintenance, whether updating their knowledge, keeping the industrial systems running, implementing new processes or adapting their operation to new legal requirements. Departments adapt to change constantly. Security, however, is still regarded as an area that requires no maintenance. Nothing is further from the truth.

5. Confidentiality is only for spies and large corporations. It is true that large corporations and spies sign confidentiality (non-disclosure) agreements. But although many companies still think of them as something out of science fiction, that does not make them unnecessary for small and medium companies. Suppliers, customers, employees, stakeholders and any natural or legal person with access to company information should sign confidentiality agreements whose purpose is to protect the organization’s information. Rarely does such a small effort bring such large returns.

6. Forgetting security in corporate contracts. Today a simple order form is still, in many cases, the procedure for contracting services: no formal service contract, no confidentiality clauses, no legal requirements and no information about the security measures the provider must apply to the information we hand over. In short, security, in all its areas, is still absent from the contracts many SMEs sign with suppliers and/or customers.

7. Privacy, the great unknown. Although privacy has been a critical issue for the last decade and there are legal requirements in many countries, many companies still ignore their duties in this area, and some of those that know them choose not to act. Whether to avoid fines or “just” out of social responsibility towards the people who give us their personal data, any company should take the necessary measures to ensure the security of the personal data of its customers, employees, suppliers… (please note this point was adapted from the Spanish Personal Data Protection Act to a more general view).

8. Looking only at outside threats. Without wishing to criminalize anyone, and despite the mass media news, it is well known in the security field that most security problems come from within organizations. In some cases, malicious users; but in many others it is sheer ignorance: an employee who plugs in an infected USB stick, opens an attachment, clicks on a link in an email or simply throws confidential information into the recycling bin. It is essential to adopt a permanent information security awareness strategy, including the managers who handle sensitive information, to prevent and mitigate behaviours that are risky for both the organization and the employee.

9. Offering Internet services regardless of their security. A service exposed to the Internet is accessible to virtually billions of people, some of whom will certainly not have good intentions. Without losing sight of the legal requirements we have seen (in many cases very easy to fulfil), the story repeats itself again and again: web forms vulnerable to attacks that existed a decade ago, web servers misconfigured or not configured at all, etc.

10. Forgetting systems and network management. Last but not least, many companies still neglect the security maintenance their servers and networks require, leading to vulnerable network devices, WiFi access points that let a person on the street into the corporate network, internal databases reachable from the Internet, or servers not updated in years. Not to mention that this leads to complete ignorance of what happens in the organization’s infrastructure, where an intruder can do whatever they want. The rest is left to the imagination.

This decalogue of errors, more common than one would think, could certainly be extended with many other specific mistakes that SMEs make daily. However, if in a few years we could cross off at least half of them, we would have made great strides in securing our companies.

This is not about computers anymore. It’s politics.

A few days ago, following the well-known Mandiant “APT1” report, we published a short post with some assessments of the alleged Chinese attacks on various public and private organizations. We made public a set of Snort rules that could be used to detect, provided the information in the Mandiant report is true, whether an organization had been infected. Obviously, receiving an alert should raise suspicions, but the opposite should not make you assume you are not infected: the resources used for infection are very dynamic, and after the report many of them may have been replaced or removed.

But this is not what I wanted to talk about. The truth is that I wrote the post in some haste because we wanted to publish the rules the same day, and I did not have time to think about the complexity of the Chinese attack, its implications, origins and specificities. So I was surprised that none of our readers (you) pointed out some obvious errors in the post that I noticed after a while but resisted correcting. The entry stated:

[…] there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised […] that other military powers such as Israel and the U.S. have cyber espionage programs in place.

The point here, as accurately noted by Securosis on their blog, is that the difference is not that China has a cyber espionage program, but that its targets and beneficiaries are both the public and the private sector. From an economic standpoint it makes sense. In an economy as largely state-run as China’s, it seems normal that such government “initiatives” benefit economic sectors that are in many cases, at least partially, also state-owned. In the end everything stays at home.

The fact is that this is not cyber espionage in the sense we are accustomed to. This is “something else”, and the reason why many people should start to be concerned. Not “classic” or industrial espionage: there is no one to prosecute or to take to the WTO. This is not a criminal action as we understand it, because what is at stake is more than “mere” military information or technology: it is the entire Western economic and social model. It is said that China is a giant that is waking up, but in the light of such reports, it may be the Western powers that are asleep.

One last note. It is true that there is something called Echelon, and that occasionally this or that power engages in suspicious activity (industrial espionage, bribery, etc.) to favour its national companies in contracts worth millions (see, for example, the Boeing vs. Airbus case), but it is reasonable to think that the volume and scale of these bad practices is not even remotely comparable to the Chinese one (although that is something we really do not know). There is not, to our knowledge, anything like a program of intellectual property theft coordinated and led by states (in the political sense, not the U.S. states). Such practices belong, in any case, to the private sector, which is subject to the laws of those states.

This is a somewhat underdeveloped and certainly simplistic view, but the actions described in the Mandiant report are not actions of espionage or data theft. They are actions of a political nature that are part of a much broader geopolitical strategy. Carl von Clausewitz said that war is the continuation of politics by other means. The updated 21st-century version is clear: cyberwar is nothing more than a tool of politics, with the difference that while war is (legally) illegal, there is no such consideration for cyberwar.

To sum up: this is not about computers anymore. It’s politics. Meanwhile, we can “play” at hackers.

Are you being spied on by the Chinese government?

(Update 20/feb/2013: New signatures added)

As many of you probably know, Mandiant has issued a report accusing the Chinese People’s Liberation Army of being behind the attacks that different companies, American and of other nationalities, have suffered in recent years.

The report, accessible from their website, provides a variety of technical details and the body of evidence supporting the theory that the Chinese government is actually behind the attacks, as has been argued for years. Although some security experts point to analytical flaws in Mandiant’s study (“Mandiant APT1 Report Has Critical Analytic Flaws”), I think there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised, as pointed out by @antoniosanzalc on Twitter, that other military powers such as Israel and the U.S. have cyber espionage programs in place. Indeed, one might almost say that it would be unwise not to.

Returning to the Mandiant report, the annexes contain information that could help identify infected systems or organizations, whether through connections to DNS names, the use of SSL certificates or other indicators. Although it is possible that after the publication of the report, provided Mandiant’s information and conclusions are true, the systems and resources used in the attacks will be drastically reduced, based on the information in the annexes we have created a set of Snort signatures that can help identify suspicious circumstances and connection destinations, which can be downloaded from the link below.

Snort signatures from the Mandiant report: apt1-unit68398.rar

The signatures are based on the annexes of the Mandiant report and have been developed by the S2 Grupo Security Area, more specifically by Roberto Amado and Raúl Rodriguez. To send any comments, questions, information or requests, use the comments or contact us at admin@securityartwork.es.

Please note that we are not responsible for any undesirable consequences (increased alerts, etc.) that the signatures provided may cause. Your use of the signatures is at your sole risk.

Introduction to PCI DSS: Payment Card Industry Data Security Standard

A month ago a new edition of the seminar “Recent developments in Payment Systems“ took place in Madrid, organized by “Athena Interactive”, where some of the most important aspects of the payment systems currently in operation were discussed.

One of the issues that drew most comments was the difficulty of obtaining the lists of companies audited against PCI DSS, and this seemed interesting enough to write an entry about the function of the organization behind the standard and its most relevant characteristics.

According to its own website, “PCI Security Standards Council is an open global forum established in 2006“, whose mission is to increase the security of the payment card industry, protect users and reduce card fraud.


II Security Conference “Navaja Negra”

On November 30th and December 1st, the second “Navaja Negra” Information Security Conference will take place in Albacete, with a series of talks on information security such as:

  • All your appliances are belong to us. Presentation of a 0-day.
  • Show me your Intents.
  • HASH COLLISIONS: Welcome to the (un)real World!
  • Take a walk on the wild side.
  • A brief introduction to reversing code with OllyDbg and other tools.
  • From mail to jail: Exploit your ex.girlfriend.
  • (in)Security in Mobile Communications.
  • IPv6 vs IDS, bets are open…

Talks will be given on Friday evening and Saturday morning in the Assembly Hall of the CEEI (Centro Europeo de Empresas de Innovación) by recognized security professionals.

Attendance is completely free of charge, but you need to register (there are no free places left, although the talks will be streamed).

Information about the talks is available in the Itinerario del Congreso (conference itinerary) section. If you come from outside Albacete, you may want to check the Renfe and Hotel Beatriz discounts. The official poster is also available for download.

All information is available at http://www.navajanegra.com. For questions and inquiries you can email contacto<at>navajanegra<dot>com.

External figures of Spanish Data Protection Act (LOPD)

(Editor’s note: This post relates to the Spanish Data Protection Act, or LOPD. Although the LOPD is based on Directive 95/46/EC, it may not be fully applicable to other EU countries, so several sentences have been modified or removed.)

It has been a long time since our last post about the Spanish Data Protection Act, or LOPD. As you know, the LOPD distinguishes between a series of figures, which can be grouped into “internal” and “external”. The first group mainly includes the Responsable de Seguridad (Security Manager) and the Responsable del Tratamiento (the Controller in 95/46/EC). Note that although some functions may be delegated to external companies, responsibility cannot be delegated, hence we consider these figures “internal”.

In the second group, the subject of this post, we find the Encargado del Tratamiento (the Processor in 95/46/EC), the Cesionario (roughly the Recipient in 95/46/EC) and the service provider without access to personal data. Each of these figures has its own specific features, as well as its own ambiguities.

  • Encargado del Tratamiento or Processor: The LOPD defines this figure in Article 3(g) as “the natural or legal person, public authority, agency or any other body which, alone or jointly with others, processes personal data on behalf of the Responsable del Tratamiento [or Controller]“. To be absolutely clear we must look at the definition of “data processing” in paragraph (c) of the same article: “technical operations and procedures, automated or not, enabling the collection, recording, storage, elaboration, modification, blocking and cancellation of data, as well as the transfers of data resulting from communications, consultations, interconnections and transfers“.

    Let’s see some examples. Suppose company A hires agency B to do its staff payroll. It is clear that in the process B will process the data of company A’s employees “on behalf of” company A. Therefore, the agency is a processor.

    Now the same company hires company C to manage its user support centre (CAU), which handles inquiries from internal and external users. The tickets reported by users contain the user’s name and other contact details. Again, it seems clear that C is a processor, as it processes personal data “on behalf of” A.

    In these cases, company A must sign, apart from the corresponding service contract, a personal data access contract as specified in Article 12.2 of the LOPD: “The processing of data on behalf of others must be regulated in a contract […] which expressly establishes that the processor will only process the data in accordance with the instructions of the controller, that it will not apply or use the data for purposes other than those stated in the contract, and that it will not communicate them, not even for preservation, to other persons. The contract shall also stipulate […] the security measures […] that the processor is required to implement.“

    Note that since the Responsable del Tratamiento or Controller (i.e. the one who must ultimately ensure the security of the data) is company A, neither the agency nor the CAU management company must declare the processing; that falls to A.

    Let’s move on to the next figure.

  • Service provider without access to personal data: Although the LOPD does not explicitly define this figure (remember that more than eight years separate the LOPD from its implementing regulation, the RDLOPD), it is mentioned in Article 83 of the RDLOPD, titled “Services rendered without access to personal data“. Here we find companies that provide services unrelated to personal data but that may have sporadic access to such information. Let’s see a couple of cases. Company A has hired E, a cleaning company, whose contract is obviously unrelated to the processing of personal data. However, in the performance of their duties, E’s employees may see personal data.

    Company A has also hired a security company, let’s call it F, which has posted a security guard to watch the company’s perimeter fence. Again, in his work Philip (that’s the guard’s name) does not manage personal data, but he can see people entering and leaving the company.

    Now, if Philip is given new duties and becomes responsible for registering the staff and visitors who enter and leave the company, the security company becomes a processor that manages personal data “on behalf of” company A.

    In these cases, the service contract must “expressly state the prohibition of access to personal data and the obligation of secrecy regarding the data that the staff may have come to know because of the service” (Art. 83 RDLOPD), although it is usual for this to be contained in a separate confidentiality agreement.

    Again, in this case it is A who must declare the processing, not the security company or the cleaning company.

  • Cesionario or Recipient: Finally, we have the recipient (the 95/46/EC definition of “recipient” may not be exactly the same as the LOPD’s). Article 3(i) of the LOPD defines the transfer or communication of data as “any disclosure of data to a person other than the data subject“. However, when such a communication relates to the provision of a service it is not considered a communication of data, as specified in Article 12.1 of the LOPD: “access to data by a third party shall not be deemed a data communication when such access is necessary for the provision of a service to the controller“. Article 20.1 of the RDLOPD adds an important consideration: “However, a communication is deemed to exist when access to the data is aimed at establishing a new link between the entity accessing the data and the data subject”. Note that this figure is the one most often involved in breaches of the LOPD, as the conditions required for communicating data to a third party (generally the consent of the data subject) are often not met. Put another way, a recipient is “someone” who wants to carry out its “own” processing of the personal data received, and will not always obtain the necessary consent from the data subject. Unlike the previous cases, since there is a new processing and a new link between the data subject and the company receiving the data, the recipient must declare the processing.

    Let’s see a couple of examples of what a data communication is.

    Imagine that company A provides (sells, trades, sends) its employees’ data to a telemarketing company for use in its campaigns. In this case we are talking about a legal data communication if the employees’ consent was previously requested (and so company A provided only the data of those who gave it), and an illegal one otherwise. Note that this is different from the case in which agency B decides on its own to use the data of company A’s employees to send them commercial information, as stated in Article 12.4: “In the event that the processor uses the data for other purposes […] in breach of the contract, it shall also be considered a controller […]“.

    It is also different from the case in which company A hires telemarketing firm H for a commercial campaign, since in that case H would be a processor, and the one committing an illegality would be company A (unless it obtains the consent of the end user). This case is common as an attempt to evade the LOPD: a Spanish company hires an Indian company to send commercial information to its customers because the LOPD does not apply to the Indian company itself. However, the LOPD does apply, since the processing is carried out “in the context of the activities of an establishment of the controller” (Article 3.1.a RDLOPD).

    Let’s finish with one more case. Company A decides to take out health insurance for its employees with company J. Since this processing is not directly related to any service contract between A and J, it is a data communication for which A must request its employees’ consent. Moreover, in this case it is clear that a new independent link is created between the employee and the insurer, in which company A does not intervene, and which can continue even after the employment relationship between the employee and company A has ended.

Obviously, there are many other noteworthy aspects of these figures, but first of all it is essential that an organization knows what a processor is, what a recipient is and what a service provider without access to personal data is, since each of these figures requires different treatment. Please ask in the comments about any doubts you may have.