New Canadian dollars
A possible psychological security threat

A month ago we got our new Canadian $20 bill. I got my first one a few days ago and have been examining it ever since. It is a really beautiful piece of work, with many flashy features, and probably one of the most secure banknotes on earth. While checking it, a question came to mind when I remembered what some people say about it. Look at its accessibility features: one of them is a series of symbols made of raised dots separated by a smooth surface, to help blind people. The problem is that many people think this is a security feature.

To understand the threat, keep in mind that people usually rely on only one simple security feature to decide whether a banknote is real or counterfeit. It is normal that they do not check every security measure. If someone believes that the raised dots are a security feature of the banknote, and also that they are a simple feature to check, he will rely on them to judge the validity of the note.

The problem is that this feature is really easy to forge; anybody can do it. So if you counterfeit money, add this ‘security feature’ and hand the bill to a seller who relies on that feature, you will be able to pass it off as real money and your goal will be reached.

Another inconvenience is that these dots will eventually wear off. If you have a legitimate $20 with worn-off dots and the seller thinks it is a fake because the dots are missing, you will have some trouble: he will not accept it as legitimate and may well call the police.

Finally, once again, the only way to remove the threat is by educating people, especially those who handle large amounts of money in their work.

Urban Legends on security
What technology neophytes can think

Last week I came across an interesting “study” done by Secure Computing. What is interesting is to see what people can believe about things they do not really understand. In many cases it is probably the telephone-game effect that creates such monstrosities. If I have one suggestion, it is to read them and discuss them with people in your entourage who may think these urban legends could be true. Remember that one of the best security practices is education; anybody can do it.
Here is the list published by Secure Computing:

  1. “Hackers can legally break into web sites that lack “warning” notices.”
  2. “Some Windows system files are really malicious and should be deleted.”
  3. “Hotel card keys secretly record personal information, which could be maliciously taken advantage of without the person knowing.”
  4. “Including a fake entry in your e-mail address book will prevent e-mail Trojans.”
  5. “A digital cell phone can be infected with a virus merely by answering a phone call.”
  6. “Search engine “crawlers” perform security checks and notify you of vulnerabilities.”
  7. “Thieves are using lists of “out of office” auto-replies to target homes for burglary.”
  8. “Free patches e-mailed to you will protect your PC from the latest worm or viruses.”
  9. “Signing up with a “Do Not Spam Registry” will stop you from getting spam.”
  10. “Elf Bowling and Blue Mountain Greeting Cards contain viruses.”

Enjoy them, laugh at yourself, and remember that many people may think these are real possible threats. Just keep in mind that the situation is normal; otherwise urban legends wouldn’t exist. Then, if you are not sure about something a person tells you, just do some research on a trusted web site and you will be able to assess the threat by yourself.

What if?
The game to learn about yourself in special situations

A good way to learn things about yourself in special situations is by playing the “What if?” game. The purpose of the game is to imagine yourself in special life situations.

The first thing you need to play this game is a trigger event. This can be an event you see on the street, a particular scene in a movie, something said while discussing with another person, something you see in the news, etc. Then you ask yourself: what would I have done in the same situation? Then you picture yourself in that situation: what could you do in the same hypothetical situation with your talents and abilities? You can think of many things, some wonderful, others surreal. What matters is that you think of yourself in the situation. Then you play with your thoughts and learn from the process.

Why play this game? The answer is simple. Humans learn by experience. They can gain experience through practice, reading, observation and, in our present case, by thinking. This is a really healthy exercise that can teach you many things about your own personality. Plus, it can help you react more quickly in certain special situations that can happen in your everyday life. Try it. It can be really fun. You can easily play it anytime, alone or with a friend.

Quote from Theodore Roosevelt
Know what victory or defeat is

I haven’t had much time to write this week, so here is a little quote from Theodore Roosevelt that I found somewhere on the internet 1 or 2 weeks ago and want to share with you:

“It is not the critic, who counts, or how the strong man stumbled and fell, or where the doer of deeds could have done better.

The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood, who strives valiantly, who errs and comes short again and again, who knows the great enthusiasms, the great devotion, and spends himself in a worthy cause; and if he fails, at least fails while daring greatly, so that he’ll never be with those cold and timid souls who know neither victory nor defeat.”

* Theodore Roosevelt

Do not give power to your foes
The principle of the information pipeline

Many say that information is power. Then why do you give power to your foes? Is that what you wish? Here is the idea behind this article: cut the information pipeline to your enemy to prevent greater harm to yourself.

Do not help your attackers gather information about your network. The first step of an attack is reconnaissance of the playground. It is done by social engineering, physical site reconnaissance, internet searches, network mapping and DNS reconnaissance. After that, they map their target by war dialling, network mapping (ICMP), port scanning and vulnerability scanning.

If you cut their sources of information, they will not easily get through these first essential steps. The principle is the same as in personal self-defence: if you look self-confident, attentive and aware, most potential stalkers will look for another target; they do not need to get in trouble with you; they need easy prey, prey they can hunt easily. The same principle applies here: if the first steps of an attack are hard to get through, most attackers will try to find another, more easily penetrated system. Of course there are exceptions: if your attacker is looking for a challenge rather than profit (money or peer acceptance), you will probably fit his prey pattern and be stuck with him.

You always need to keep your goal in mind. Your goal is to limit the information that attackers can gather about your organisation, its personnel and your network. By remembering this goal, you will probably be able to find what your information leaks are and how to prevent them. Here are some examples:

• Your attacker can gather much information by looking through your garbage containers.
  o You can hire a specialised garbage collector that will destroy your garbage. (Just ensure that the company is trustworthy.)

• Your attackers can gather information on your employees for further social engineering tricks.
  o You can try to limit the information about your employees that you put on the internet (for example, by not publishing your employees’ contact directory).
  o You can teach your employees to be aware of this situation and how attackers carry out this type of attack on them.

• Your attacker can map your network by ICMP querying.
  o You can block ICMP echo replies from certain critical parts of your network.

• Your attacker can do banner grabbing to try to learn which program delivers a specific service (for example, sendmail for SMTP).
  o You can choose a product that lets you alter or remove the banner sent when a session is opened (a banner is a signature that software generally sends when a connection is established).

• Your attacker can try to guess your firewall rules with a TCP ACK scan.
  o You can choose a firewall that keeps the state of its connections, so that it refuses unsolicited ACK packets.

• Your attacker can use packet fragmentation options in his scans to hide the scan attempt from the firewall and IDS (older ones).
  o You can use a firewall or IDS that reassembles fragmented packets before analysis.
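As an added example (not from the original post), here is a small Python routine that looks at two of these reconnaissance patterns from the detection side: it reads constructed firewall log lines for unsolicited packets and flags a source that pings many hosts (ICMP network mapping) or sends bare ACK packets to many ports (a TCP ACK scan). The log format, the sample lines and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified, iptables-like format (an assumption,
# not any product's real format). It is assumed to hold only packets that
# matched no existing connection, which is what a stateful firewall logs as
# unsolicited: a bare ACK here is not part of any real session.
SAMPLE_LOG = (
    # 10.0.0.9 sends an echo request to six hosts in a row: an ICMP host sweep
    [f"12:00:0{i} SRC=10.0.0.9 DST=192.168.1.{i} PROTO=ICMP TYPE=8" for i in range(1, 7)]
    # ... then ACK-only packets to five ports of one host: a TCP ACK scan
    + [f"12:00:1{i} SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT={p} FLAGS=ACK"
       for i, p in enumerate((22, 25, 80, 443, 8080))]
    # Benign traffic: one ping, one normal connection attempt (SYN), one bad line
    + ["12:01:00 SRC=10.0.0.20 DST=192.168.1.1 PROTO=ICMP TYPE=8",
       "12:01:01 SRC=10.0.0.20 DST=192.168.1.10 PROTO=TCP DPT=80 FLAGS=SYN",
       "12:01:02 malformed line that the parser must tolerate"]
)

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?(?: DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+))?"
)

def detect_recon(lines, sweep_hosts=5, ack_ports=5):
    """Return sorted (kind, src, count) tuples for sources whose unsolicited
    traffic looks like an ICMP host sweep or a TCP ACK scan. The thresholds
    are assumed values; tune them to the size of your own network."""
    echo_targets = defaultdict(set)    # src -> hosts it sent echo requests to
    bare_ack_ports = defaultdict(set)  # src -> ports probed with ACK-only packets
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the analysis
        f = m.groupdict()
        if f["proto"] == "ICMP" and f["type"] == "8":      # echo request
            echo_targets[f["src"]].add(f["dst"])
        elif f["proto"] == "TCP" and f["flags"] == "ACK":  # ACK flag alone
            bare_ack_ports[f["src"]].add(int(f["dpt"]))
    findings = [("icmp_sweep", s, len(h)) for s, h in echo_targets.items()
                if len(h) >= sweep_hosts]
    findings += [("ack_scan", s, len(p)) for s, p in bare_ack_ports.items()
                 if len(p) >= ack_ports]
    return sorted(findings)

if __name__ == "__main__":
    for kind, src, count in detect_recon(SAMPLE_LOG):
        print(f"{kind}: {src} touched {count} distinct targets")
```

A single ping or a normal SYN from 10.0.0.20 stays below both thresholds, so only the scanning source is reported.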

These examples are obvious. However, the goal is not to give an exhaustive checklist of what to do, but to give you some examples that will help you find information leaks about your company.

What is important here is to always keep the principle in mind. How to implement this principle in the everyday life of your enterprise is another question, but you have some leads here.

Enjoy the principle and the reading, and feel free to add your stone to the foundation.