(ISC)² Philippines is Now Official

The Philippines finally has an official (ISC)² Chapter. Thanks mostly to the determination of Mr. Dan Vizcayno and its first Chapter Officers.

Who can be part of the (ISC)² Philippines Chapter you may ask? Basically anyone interested in the Information Security field who has been actively involved in any aspect of Information Security work for at least one year.

Member Classification are as follows:
Active Member – (ISC)² International members interested in the purpose and aspirations of the Chapter. An Active member in good standing shall be entitled to vote and be an officer in both the affairs of (ISC)² International and (ISC)² Philippines Chapter.

Associate Member – Non-(ISC)² International members (i.e., non-(ISC)² certification holders) interested in the purpose and aspirations of the Chapter. An Associate member in good standing shall be entitled to vote on any Chapter affairs and be an officer of the Chapter, except for the positions of President, Secretary, Treasurer and Membership. Holding these particular positions require (ISC)² International member status or an (ISC)² certification (like CISSP).

Organization Member – Corporations that are interested in the purpose and aspirations of the Chapter. An Organization member in good standing shall be entitled to vote through its representative on any Chapter affairs and be an officer of the Chapter except for the positions of President, Secretary, Treasurer and Membership as they would require (ISC)² International member status.

Student Member – Full time student currently enrolled in a degree program of an accredited college or university. Proof of enrollment shall be submitted annually. Student members in good standing shall not be entitled to vote and be an officer at the Chapter level.

For more information, please contact Mr. Danielito Vizcayno, CISA, CISM, CISSP at daniel.vizcayno@gmail.com

Advertisement

ROOTCON 6 is gearing up

ROOTCON, one of the country’s biggest security gatherings is gearing up and its call for papers will be closing in less than a week. Check out the tracks here.

The upcoming 6th iteration will be held at the Cebu Parklane International Hotel on September 7 and 8, 2012. Early registration ends on June 30, 2012.

In my opinion, ROOTCON is one of the best conferences in the country where you can learn more about network security. So what are you waiting for? Sign-up to learn and meet your fellow network security aficionados. 🙂

For more details you can call their local hotline at +63917.766.2849 or check out their page here.

Seminar on Information Security within Firms

The Ministry of Economy, Trade, and Industry of Japan (METI) will hold a free, half-day, “Seminar on Information Security within Firms”. The seminar is being held to emphasize the importance of information security measures in increasing business, especially within Japanese firms. The intended audience is government personnel, personnel from local business, and personnel from Japanese firms operating in the Philippines.

Event Title: Seminar on Information Security within Firms
Venue: EDSA Shangri-La
Date: January 26, 2011 (Wednesday)
Time: 2PM to 6PM
Organizers: Ministry of Economy, Trade, and Industry of Japan, Mitsubishi Research Institute
Coordinator: Philippine Computer Emergency Response Team

For more information, kindly e-mail:litoa@phcert.org with the following info:
– Name
– Title
– Company

Attendees will be accepted on a first-come, first-served basis, and seats are limited.

The Philippine Data Privacy Act

The Philippine Data Privacy Act is apparently stuck in Congress. They adjourned on June 5 and started again on July 27.

In the same vein that the country currently has no Anti-Cybercrime legislation, the Philippines has no specific Data Privacy Act. One of the best sources of information regarding the current state of legislation is Mr. Philip Varilla’s presentation on “Privacy Framework in the Philippines“, which if one Googles for “Philippine Privacy Law”, can be found in the website of the Office of the Privacy Commissioner for Personal Data… of Hong Kong.

The presentation states that privacy is a basic right bestowed by the Constitution’s Bill of Rights Section 2, “The right of the people to be secure in their persons, houses, papers,”; and Section 3, “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law….”

It also states that the following Philippine laws are relevant:
– REPUBLIC ACT (RA) 8505 (An Act providing Assistance and Protection for Rape Victims…) SECTION 5. Protective measures.
– RA 8369 (An Act Establishing Family Courts, granting them Exclusive Original Jurisdiction over Child and Family Cases…) SECTION 12. Privacy and Confidentiality of Proceedings.
– Law on Secrecy of Bank Deposits Republic Act No.1405, as amended
– E-COMMERCE ACT (ECA) RA 8792

If one wants to understand the current state of data privacy in the Philippines, I suggest downloading the above presentation. Reading it made me wonder why the Philippines doesn’t seem to have HIPAA like legislation specific to HMO’s making them liable in case they do not protect your medical information.

The Philippines, being a member of APEC, will be aligning its Data Privacy legislation with the APEC Framework.
The APEC Framework can be downloaded here.

Other Related Links:
(Inquirer.net Feb 2009) RP joins APEC data privacy initiatives
The Electronic Commerce Act and its Implementing Rules and Regulations (40 page pdf)
(Out-law.com) Why the APEC Privacy Framework is unlikely to protect privacy [published Oct 2007]
Philippines Convenes Seminar to Explore New Privacy Legislation
(Inquirer.net Oct 2008)Senate must pass IP, data privacy laws
(Global Sky.com) Outsourcing in the Philippines: Is your privacy protected?
ARC Frequently Asked Questions
(Chan Robles) E-Commerce Act of 2000
(Scribed) Republic Act 8792
(GMA News Blog) Janette Toral’s Blog
(Digital Filipino) Salient Features of RA8792, The E-Commerce Law
(Wikipedia) Information privacy law
(Wikipedia) US Health Insurance Portability and Accountability Act
(Wikipedia) EU Data Protection Directive

Draft Philippine Cybercrime Prevention Act

In case you’d like to see the current draft bill being deliberated in Congress, you can find it here.

Articles in the end of May with relation to the Cybercrime bill:
(Newsbreak) Latest sex video scandal highlights need for cyber crime law
(Computerworld Philippines) National ICT Month

Password Tips for Websites

Revised 06/22/2009 (V1.1)

I’ve been thinking about passwords lately due to recent cybercrime that involved default passwords, and phishing attacks on Facebook which stole passwords from users.

Stronger passwords have been repeatedly talked about by InfoSec personnel since time immemorial.  We have repeatedly asked users to make stronger passwords, to the point that users are probably sick and tired of hearing the same thing. However, recent incidents show that we haven’t been effective enough since people still use simple or default passwords, probably because it’s thought to be inconvenient to make one — It isn’t — All it takes is a few extra minutes of your time and creativity.

Lockdown.co.uk** gives the following example of how long it takes to crack the following passwords using a dual processor PC:
darren = 30 seconds
Land3rz = 4 days
B33r&Mug = 23 years

Until two-factor authentication costs become less prohibitive — hopefully sooner than later (i.e. PhoneFactor is a new service which unfortunately charges $.14 per transaction for the Philippines) — we will have to rely on passwords for authentication.

I try not to rely on password programs which reside on my computer (i.e. Password Safe), but instead try to have strong passwords for each site.

Since the number one site in the Philippines is a Social Networking site, this will have a Social Networking slant (specifically Facebook).

Here are a couple of Tips:

First of all, DO NOT SHARE YOUR PASSWORDS, PUT IT ON A STICKY NOTE ON YOUR MONITOR (UNDER YOUR KEYBOARD, SEAT, ETC)

Now that the common sense ones are out of the way, on with the tips…

Use EV-SSL (Extended Validation SSL)

How: Mozilla Firefox address bar turns green on the left side. For IE, the whole address bar turns green.

Reason: Users who just click through warnings can actually be on a fake https site. EV-SSL makes it more difficult for phishers to fake a site. Also, the strongest passwords are useless if you’re already on a fake site.

Bookmark your favorite site, and use the keyword feature (for Firefox) or equivalent.

How: On your bookmark, right click on it and then left click on “Properties”. Type a few letters or a word in the “Keyword” category. For this example I used “fb” so that all I need type on the address bar are the letters “f” and “b” to access https://www.facebook.com.

Reason: This mitigates your risk of user error and saves you time. The 2nd reason stated for EV-SSL, also applies here.

Change some Browser Settings to not remember what are in forms, and not remember passwords for sites.

How: Mozilla Firefox: Go to Tools, Options, Privacy then uncheck, “Remember what I enter in forms and the search bar”; Go to Tools, Options, Security and uncheck, “Remember passwords for sites”. Additionally you might want to click on “Saved Passwords” in case there are already saved passwords in your browser that you may wish to delete.

Reason: Not showing your “Username” to any user on a particular computer is another layer of defense. There have also been some hacks in the past (though already mitigated) on how browsers store passwords.

Use Best Password Practice, which is typically composed of the following:

– Must be at least 8 characters.

– Must not be a dictionary word.

– Must be complex – (thank Microsoft for making this popular) at least 3 of 4 of the following: Uppercase character, lowercase character, number, special character)… my take is that use all 4.

– Change your password at least every 60 days.

– Do not re-use any of your passwords for at least a year.

– Do not have the same word or character/number order in your subsequent passwords.

– Use different passwords for different applications and different sites.

All of the above “Best Practices” can be a pain. Security Professionals are human and we also get annoyed by some or all of the above. So I’ll break this down on how this could be easier.

Must be at least 8 characters, Must not be a dictionary word*, Must be complex:

How: You can deliberately misspell words, or use a phrase then shortcut that phrase. For example, the sentence, “Jekyll is a big lying bastard with no integrity whatsoever” can become “jIaBlBwNiW”. Yes, I do realize that this is not complex, but bear with me. As you can see, uppercase and lowercase takes turns here so that it makes it easier for me to remember.

To include numbers, I will change “B” to “8” therefore making it, “jIa8l8wNiW”. You can also change numbers to letters (e.g. 06/19/2009 can be Og/Ip/Zoop) but of course you will have to come up with your own formula on what numbers and letters you can interchange.

And to put special characters in our shortened phrase, you can put a comma or a period somewhere there and you can make the big letter “I” to “!” to make it “j!a8l8,wNiW”. As with the above opinion on numbers and letters, you have to come up with your own formula for what special characters can be interchanged for letters and numbers (e.g. 06/19/2009 can be )^/!(/@))( which really looks nuts but that’s how it can look like).

I would personally not use the above examples since I don’t know a person named Jekyll, nor would I recommend leaving one finger pressed on the Shift key as one types what is essentially an all special character password that a shoulder surfer might easily be able to see — I have only given the above and below examples to show the thought process on how to make strong passwords.

Reasons: The unrelenting increases in processing power, also means it’s becoming faster and faster to break passwords. A PC Mag list from back in 2007 of the most common passwords are all woefully lacking in complexity. Aside from having a password that takes longer to break, being able to type complex passwords fast, with your fingers in the correct typing position and having to use the Shift key once every few characters, can actually mitigate the threat of shoulder surfing.

Change your password at least every 60 days, Do not re-use any of your passwords for at least a year, Do not have the same word or character/number order in your subsequent passwords:

How: Now this is definitely a bone-of-contention. To mitigate risk some Security Professionals would rather use long passphrases instead of passwords, than have to change their passwords every 60 days. I however, would rather change it. This totally depends on you because this is a much bigger pain that the one above. I would actually suggest writing down your password then putting it in a secure physical space, or if not, put a part of it in your phone or in your wallet. Emphasize on “a part” since if someone steals your phone or wallet, and knows your username, then bye bye to privacy in your account.

Use different passwords for different applications and different sites:

How: What some InfoSec people do, is use something site specific built into their password. For example one can use a complex iteration of their birthday (I’ll use Jose Rizal’s) “June 19, 1861” to “dYun!9,eS1”; and then append it to what one may change the word “Facebook” to, “p@c3sbuks” — to have the really long password of “dYun!9,eS1p@c3sbuks”. You could also of course put “p@c3sbuks” in the middle or in front of your password.

Reason: I included this because a Sophos report states that about 33 percent of people in their survey use one password for everything they have. A Gartner survey done in September 2008 says that 2/3 (66%) of their survey respondents use only 1 or 2 passwords for all the websites they use.

Other things NOT TO DO:

– Don’t use your name or part of your username in your password.

– Don’t use multiple spaces, multiple repeating characters or numbers that are beside each other

– Don’t use any information that is readily identifiable (i.e. name of kids, spouse, girlfriend, etc)

– Don’t use letters or numbers beside or near each other on the keyboard

So that does it for Passwords.

A note on Security Questions:

Deliberately give something false that you can always remember. One wouldn’t want to be the victim of a Sarah Palin like attack wherein the attacker just searched for publicly available information about her to answer the security question that enabled him to access her e-mail. An example would be, “What is your Mother’s Maiden Name?” Your answer could be, “Sorry but I don’t talk to strangers” or some other phrase or sentence that doesn’t make sense but you won’t easily forget.

So those are my tips. I’ll be the first to admit that I don’t know everything, so if you would happen to know any great password tips that I have failed to mention, please do share in the comments section or write me an e-mail if you would like to remain anonymous. Thanks in advance.

* Most Filipinos know at least two different languages/dialects (English-Tagalog, English-Bisaya, English-Waray, etc) so I won’t even tackle that here, just put a (your other language here)-English word together or if you’re Conyo, go put your complex iteration of the the word, “Pare” or “Tol” before, in the middle or after your English word, or put your iteration of “Dude” or “Bro” before, in the middle or after your Tagalog word. Peace to the Conyos out there 🙂

** Many many thanks to a Security Mentor of mine (who may wish to remain anonymous) for sending this link on passwords.