InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘Awareness’ Category

(ISC)² Philippines is Now Official

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 1, 2012

The Philippines finally has an official (ISC)² Chapter. Thanks mostly to the determination of Mr. Dan Vizcayno and its first Chapter Officers.

Who can be part of the (ISC)² Philippines Chapter you may ask? Basically anyone interested in the Information Security field who has been actively involved in any aspect of Information Security work for at least one year.

Member Classification are as follows:
Active Member – (ISC)² International members interested in the purpose and aspirations of the Chapter. An Active member in good standing shall be entitled to vote and be an officer in both the affairs of (ISC)² International and (ISC)² Philippines Chapter.

Associate Member – Non-(ISC)² International members (i.e., non-(ISC)² certification holders) interested in the purpose and aspirations of the Chapter. An Associate member in good standing shall be entitled to vote on any Chapter affairs and be an officer of the Chapter, except for the positions of President, Secretary, Treasurer and Membership. Holding these particular positions require (ISC)² International member status or an (ISC)² certification (like CISSP).

Organization Member – Corporations that are interested in the purpose and aspirations of the Chapter. An Organization member in good standing shall be entitled to vote through its representative on any Chapter affairs and be an officer of the Chapter except for the positions of President, Secretary, Treasurer and Membership as they would require (ISC)² International member status.

Student Member – Full time student currently enrolled in a degree program of an accredited college or university. Proof of enrollment shall be submitted annually. Student members in good standing shall not be entitled to vote and be an officer at the Chapter level.

For more information, please contact Mr. Danielito Vizcayno, CISA, CISM, CISSP at daniel.vizcayno@gmail.com

Posted in (ISC)², Awareness, Certification, Philippines | Leave a Comment »

Opinion: Philippine Cybercrime Bill, wherefore art thou?

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 12, 2009

For around two years now, Information Security Professionals have been saying that cybercrime is on the rise because of the change from ego-centric (i.e. malware that begs for attention) to financial motivation (i.e. malware that accumulates/sends data, silently evading detection). This financial motivation has led to cyber markets/exchanges wherein hackers and their cohorts transact, and in a more recent development, now specialize on a certain aspect of their trade, which in turn has increased efficiency. For example, some specialize on retrieving credit card numbers and other personal information, others specialize on printing the fake cards, while others use the cards, whether they be an ATM (Citibank hack in NYC) or a credit card (Malaysian’s arrested in Australia for fake credit card use). The current worldwide economic environment has only made matters worse.

The question here is, where is the Philippine version of the Cybercrime bill? Around two months ago, it was still on its second reading in Congress. It’s already taken more than eight years, I could be wrong, but I doubt its finally passed.

From what I’ve seen and experienced, I find it hard to believe that barely any cybercrime happens here. There are far too many good Filipino hackers and scammers, for nothing to be happening. Maybe audit logs aren’t turned on, maybe no one regularly checks the logs, maybe when people get scammed, they just let it go (feel free to blame the culture). UK’s BERR and PWC InfoSec Breaches Survey of 2008 states that there are fewer incidents reported in 2008 than 2004, however it may be because they’ve been understated since they found out that “companies that carry out risk assessment are four times as likely to detect identity theft as those that do not.” Which begs the question, do Philippine organizations with confidential information actually undertake risk assessments and take appropriate actions and implement controls to protect their assets? Just because an organization doesn’t have “incidents” doesn’t mean that confidential information doesn’t leak. How does one report an information security incident when one isn’t aware on how to identify it? Secondly, would the company in question have a process in place to accommodate what an employee finds suspicious? Third, would that company then have a process and resources (i.e. competence in IT Forensics) to investigate the report? I’m sure that if it happens to more security conscious countries, it must be happening here, we just aren’t aware of it or it isn’t reported… especially with all the useless WEP encryption found in coffee shops, keyloggers found in internet cafes, surreptitious card reader machines used to read credit card information, to stories of scammers at Philippine online auction sites.

Maybe it will take a high profile hacking on one of our few promising industries that is heavily dependent on IT: one of our BPOs. Or maybe even the hacking of private files of one of our lawmakers (Obama, Palin, and McCain got hacked last year) for there to be any progress on this bill. Whether that happens or not, I find it indefensible to wait for something bad to happen to impel lawmakers to do what’s right, and give the country and its people what there’s obviously a need for.

References:
(InfoSec Philippines) Nov 11, 2008 (note: has links to Philippine Cybercime bill news articles)
(TechRepublic, Sep 2007) Cybercrime tools market maturing, and crimes are on the rise
(Newsweek, Dec 2008) The Rise of Black Market Data
(Univ of Mannheim, Germany, Dec 2008) Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
(Wired, Oct 2008) Cybercrime Supersite ‘DarkMarket’ Was FBI Sting, Documents Confirm
(Symantec, Nov 2008) New Symantec Report Reveals Booming Underground Economy
(ihotdesk Outsourcing News, Dec 2007) Cyber crime market threatens data
(ContactCenterWorld.com, Feb 2009) Japanese Cybercrime at Record Levels as Hackers Crack Web sites
(Computer Crime Research Center, Oct 2008) Recent Stock Market Decline Causes Economic Cybercrime to Hit All Time High
(CBCNews Canada, Mar 2009) Fraud artists, security experts fight sophisticated battle
(ArticSoft, 2004) How Do You Deal With Internet Fraud
(Credit Cards Web UK, Mar 2009) Card fraud refunds being refused by more banks

Posted in Awareness, Compliance, ISMS, Legal, Opinion, Philippines | Tagged: , , , , , , , , | Leave a Comment »

GMA Fake Site and Tricks Scammers Use

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 25, 2009

GMA News warned the public last week regarding a fake site that reports fake news, which has fortunately been taken down as of press time. This reminds me of the recent fake news item about Megan Fox being a man. If anyone actually checked that site’s menu, they’d see links to a “Mutants” section and an “Aliens” section, which should readily warn anyone about the veracity of news on that site. Unfortunately some educated people believed that piece of news, which is really quite sad.

CSOOnline came out with an article detailing the Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines, which are divided as Social Networking Scams, Office Offenses and Phishing Lures:

    Social Networking Scams
    “I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
    “Someone has a secret crush on you! Download this application to find who it is!”
    “Did you see this video of you? Check out this link!”
    Office Offenses
    “Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
    “This is Chris from tech services. I’ve been notified of an infection on your computer.”
    “Can you hold the door for me? I don’t have my key/access card on me.”
    Phishing Lures
    “You have not paid for the item you recently won on eBay. Please click here to pay.”
    “You’ve been let go. Click here to register for severance pay. “

Check out the site link above for more details.

The same author, Joan Goodchild, also wrote about Social Engineering:8 Common Tactics, and 3 Ways a Twitter Hack can Hurt You, which might interest you if you want to learn more about Social Engineering.


Tips
If in case you aren’t using encryption yet and want an easy and free encryption solution, you may want to check out TrueCrypt. Tom’s Hardware has published a how to and review to start you out.


Auditing
A consortium of US agencies and organizations released a draft of the Consensus Audit Guidelines that define the 20 most critical security controls to protect federal and contractor information systems.
The press release states that: “The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington DC to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.”


Other Security News
(The Register) New OS X research warns of stealthier Mac attacks
(The Register) Banking app vuln surfaces 18 months after discovery
(The Register) Hacker pokes new hole in secure sockets layer
(PCWorld) New Attacks Target IE7 Flaw
(PCWorld) IE8 Focuses on Improved Security and Privacy
(PCWorld) Microsoft Adds Clickjacking Protection to IE8 RC1
(PCWorld) Downloads for Hard Economic Times

Posted in Awareness, News, Philippines, social engineering, Social Networking | Tagged: , , , , , , , | Leave a Comment »

Mostly Browser News, Dec 16, 2008

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 16, 2008

A couple of news items regarding browser security have been cropping up these days, mostly about Internet Explorer vulnerabilities.

(Heise) Zero day exploit for Internet Explorer is spreading
(Heise) Internet Explorer 6 and 8 also affected by zero-day vulnerability
(SC Mag US) Internet Explorer zero-day infection rates grow
(SC Mag US) New zero-day Internet Explorer exploit uncovered

One of the ways this risk can be mitigated (aside from not using IE) is removing Admin rights. Beyondtrust gives a webinar on how to eliminate Admin rights using their Privilege Manger here. For typical SOHO users, just make a limited user account and as much as possible, try not to use your Admin account.

For people that aren’t paranoid enough surfing the web and having the appropriate controls while doing so, this article on Heise Security online talks about the Fiesta exploit pack (yes the name is correct) which costs $850 and contains 25 different exploits designed to infect users when they VISIT a webpage.

A different article on the same website talks about Chrome being at the bottom in terms of password management. I personally do not recommend allowing your browser to remember passwords. Google Chrome fans might want to check out the Iron Browser which is a more secure version of Chrome. Speaking of Chrome being the most insecure browser for password management… Google has released a browser security handbook which talks about the security features of browsers and issues that could lead to weaknesses. The current version of the handbook covers IE 6, IE 7, Firefox 2, Firefox 3, Safari 3.2, Opera 9.62, Google Chrome 1.0.154.36 and the Android embedded browser.


Other InfoSec News:
(Times Online UK Blog) This woman sent Nigerian scam artists $400,000 – a fool or a victim?
(Computerworld) Apple patches 21 Mac OS X Vulnerabilities
(BBC) Inmate escapes German jail in box
(Wall Street Journal March 10, 2008 article) NSA’s Domestic Spying
(SC Mag US) Forecast: Security threats for 2009
(SC Mag US) The five myths of two-factor authentication


Posted in Awareness, News, social engineering | Tagged: , , | Leave a Comment »

Getting funding for Security Initiatives by ENISA

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 8, 2008

In my last seminar for ISACA Manila on Introduction to ISMS, I was asked a question on how to get approval for funding for security projects. I answered that Awareness was key. Upper level management have to have an idea what the risks are to their organization, and the possible consequences. Because coming up with the solution would not matter if there doesn’t seem to be a problem. I then said that a report by ENISA (European Network and Information Security Agency) might help. The report I was talking about was, “Obtaining support and funding from senior management.”

The report talks about five areas identified as being crucial in obtaining corporate security investments:

  1. Define the investment rationale and the stakeholders.
  2. Build a persuasive business case to make senior management better understand the value of the investment.
  3. Estimation of costs: allows organisations to identify the most common expenses which they may incur and make rough estimates.
  4. Linking business benefits to information security initiative, define and calculate performance metrics.
  5. Detail a typical path to face a corporate executive in a senior management briefing. Effective communication is critical: the right information should be delivered at the right time, in the right manner, preferably 6-12 months ahead the project.

For more information and where you can download the report, click here. And since we’re talking about awareness and awareness is the best control for social engineering, ENISA also has a whitepaper on “How to avoid on-line manipulation.”

Another good article that talks about different approaches that can help influence management for their approval is, ISMS Implementation – The bottom-Up approach.


Updated Links

I updated the Security Awareness and Training Links to include Microsoft’s Technet on Security Awareness. The free 120 MB zip file includes, Security Awareness Program Development Guidance, Sample Awareness Materials, Sample Training Materials, and the following sample templates:
* Brochure Templates
* E-Mail Invite Template
* Fact Sheet Templates
* FAQs
* Newsletter Template
* Poster Templates
* PowerPoint Templates
* Quick Reference Card

I also added a Philippine Tech Blogs links page.

Posted in Awareness, ISMS, Whitepapers | Tagged: , , , , , , , | 1 Comment »