About

open source enthusiast, sony psp, and life.


    Information Security Management

    Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities (see also OECD Guidelines for the Security of Information Systems and Networks).

    Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks.

    Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

    Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved where necessary, to ensure that the specific security and business objectives of the organization are met (for example, the security of an online banking service). This should be done in conjunction with other business management processes.

    ISO/IEC 27001, the Information Security Management System (ISMS) standard, is the internationally recognised standard for information security management. Since its inception in 1999 (as BS 7799-2) there has been a 20-fold increase in ISMS certification worldwide, notably in Asia and the US. Understanding of the fundamentals of an ISMS has not kept pace with the certification rate: many organisations still gain little from an ISMS implementation beyond the certificate itself. A sound grasp of those fundamentals, and of how the ISMS controls map onto compliance obligations such as GLBA, is what lets an organisation derive the greatest business benefit from its adoption.

    Text posted at 6:10 PM (3 months ago)

    01/15/2010

    Tumblr sends passwords in the clear.

    paulitex:

    I just sent this email to support@tumblr.com. I’m hoping by bringing a bit of attention to this fact the issue might get fixed a bit quicker.

    Hey there,

    First I want to thank you guys for making such an awesome blogging site. First web app I’ve been genuinely excited about discovering in a long time.

    Secondly, I wanted to ask you if you are aware that you are sending your users’ passwords in the clear (I’m guessing so) and if you plan on fixing that? The issue is this: using a free program like Wireshark (http://www.wireshark.org/) I can ‘snoop’ packets and read HTTP requests. Since you’re including passwords in the request unencrypted, I can easily look at the HTTP layer of that packet and read tumblr passwords, plain as day.

    Now this wouldn’t be such a big deal if I could only snoop my own packets, but that’s not the case - I can also snoop my neighbours. In fact, I can snoop anybody on the same wireless network as me. So imagine I’m at a coffee shop enjoying their free wifi with all the other laptop’d customers. I notice the person in front of me go to http://www.tumblr.com/login. I flip on Wireshark. They type in their email & password and click ‘log in’, all the while I’m capturing. I stop the capture, find their request and I now have their password. Not only is their tumblr account compromised, but since we all know people tend to use the same password for everything, this could easily lead to major identity theft.

    In any case, the solution is simple. Just post your login form to an https server. Here are snippets from facebook and twitter’s login pages to show you what I mean:

    Facebook:

    <form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
    <input type="hidden" name="charset_test" value="&euro;,&acute;,€,´,水,Д,Є" />
    <input type="hidden" id="locale" name="locale" value="en_US" autocomplete="off" />
    <input type="hidden" id="non_com_login" name="non_com_login" autocomplete="off" />
    <table cellpadding="0" cellspacing="0">
    <tr>
    <td class="login_form_label_field login_form_label_remember"><input type="checkbox" class="inputcheckbox " id="persistent" name="persistent" value="1" /><label for="persistent" id="label_persistent">Keep me logged in</label></td>
    <td class="login_form_label_field"><a href="http://www.facebook.com/reset.php" rel="nofollow">Forgot your password?</a></td>
    <td class="login_form_last_field login_form_label_field"></td>
    </tr>
    <tr>
    <td><input type="text" class="inputtext  DOMControl_placeholder" title="Email" placeholder="Email" id="email" name="email" value="Email" /></td>
    <td><input type="password" class="inputpassword" id="pass" name="pass" value="" /

    Twitter:

    <form action="https://twitter.com/sessions" class="signin" method="post"><div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="83ded7fd9608acf581ac55f489c77cf3bc13cec7" /></div>  <input id="authenticity_token" name="authenticity_token" type="hidden" value="83ded7fd9608acf581ac55f489c77cf3bc13cec7" />  <fieldset class="common-form standard-form">

    <table cellspacing="0">

    <tr>

    <th><label for="username_or_email">Username or email</label></th>

    <td><input id="username_or_email" name="session[username_or_email]" type="text" value="" /></td>

    </tr>

    <tr>

    <th><label for="password">Password</label></th>

    <td><input id="session[password]" name="session[password]" type="password" /> <small><a href="/account/resend_password">Forgot?</a></small></td>

    </tr>

    By contrast, you post to “/login” which means the unencrypted http://www.tumblr.com/login. Here’s the equivalent tumblr html snippet:

    <form action="/login" method="post" id="account_form">

    <label for="email">Email address</label>

    <div style="border: 1px solid #fff; margin-bottom: 20px;"><input type="text" name="email" id="email" class="text_field" value=""/></div>

    <label for="password">Password</label>

    <div style="border: 1px solid #fff; margin-bottom: 30px;"><input type="password" name="password" class="text_field"/></div>

    To be certain I just logged into tumblr via the browser on my iphone (same wifi but otherwise not talking to my laptop) and can confirm that I was able to snoop and very easily see the password using my laptop. So I can assure you the issue is real.

    Thanks again for making such a great site and I sincerely hope you make it even better (as soon as possible) by fixing this security hole.

    Best,

    Paul

    Text posted at 3:16 PM (7 months ago)
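As an added illustration, not part of paulitex's post and not Tumblr's code: a Python script that applies the check the email describes to a login form, resolving the form's action against the page URL the way a browser does and flagging any password form that would submit over plain HTTP, and that shows what a passive capture of such a request yields once it is on the wire. The three form snippets and the captured request are constructed here, modelled on the forms quoted above; only the action URLs are taken from the post.

```python
"""Check whether a login form would submit its password over plain HTTP, and
show what a passive capture of such a request yields.  Added example, not code
from the post or from Tumblr; the sample forms and the capture are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._flush()      # an unclosed form ends when the next one starts
            self._current = {"action": attrs.get("action") or "",
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def close(self):
        super().close()
        self._flush()          # snippets often omit </form>

    def _flush(self):
        if self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_password_forms(html, page_url):
    """Return the absolute submit URL of every password form that is not https.

    The action is resolved against page_url exactly as a browser would, so a
    relative action such as "/login" on an http page becomes an http target.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    flagged = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            flagged.append(target)
    return flagged


def credentials_from_http_post(raw_request):
    """Parse a captured plaintext HTTP POST (raw bytes) and return its form fields.

    Returns None for anything other than a urlencoded POST.  This is all a
    capture tool has to do once the request crosses the network unencrypted.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST":
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {"host": headers.get("host"), "path": path,
            "fields": {name: values[0] for name, values in fields.items()}}


# Constructed forms modelled on the three snippets quoted in the post; only the
# action attributes come from the page.
FACEBOOK_FORM = ('<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">'
                 '<input type="text" name="email" /><input type="password" name="pass" /></form>')
TWITTER_FORM = ('<form action="https://twitter.com/sessions" class="signin" method="post">'
                '<input name="session[username_or_email]" type="text" />'
                '<input name="session[password]" type="password" /></form>')
TUMBLR_FORM = ('<form action="/login" method="post" id="account_form">'
               '<input type="text" name="email" id="email" class="text_field" value="" />'
               '<input type="password" name="password" class="text_field" />')  # no </form>, as quoted

# Constructed capture of what the Tumblr form puts on the wire over plain HTTP.
SNIFFED_POST = (b"POST /login HTTP/1.1\r\n"
                b"Host: www.tumblr.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 42\r\n"
                b"\r\n"
                b"email=alice%40example.com&password=hunter2")

if __name__ == "__main__":
    for name, form, url in [("facebook", FACEBOOK_FORM, "http://www.facebook.com/"),
                            ("twitter", TWITTER_FORM, "http://twitter.com/"),
                            ("tumblr", TUMBLR_FORM, "http://www.tumblr.com/login")]:
        print(name, "insecure targets:", insecure_password_forms(form, url))
    print("captured:", credentials_from_http_post(SNIFFED_POST))
```

Posting the form to an https action is what the email asks for and it does stop the password crossing the network in the clear. One caveat worth keeping in mind: while the page that carries the form is itself served over http, someone on the same network who can inject traffic rather than only capture it can rewrite the action back to http before the user submits; serving the whole login page over https closes that gap as well.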

    MyNIC Internet and DNS Security Day 1

    Today my officemate and I attended the two-day seminar by MyNIC, Internet and DNS Security, held at the Ritz-Carlton Hotel. Here is a summary of what I can remember.

    The first speaker was Dr. Steve Crocker, the inventor of the RFC; RFC 1 was written by him. He covered the history of the internet during the ARPANET era. He is now the CEO of Shinkuru, a research and development company. In his slides he explained the threats that could attack the DNS, and how RFC4033, RFC4034 and RFC4045 were then created to add data origin authentication and data integrity to DNS.

    The second speaker was from MCMC, Abu Ubai-something, I can't remember. His presentation was more on the cyber security act, and on trying to be a one-stop centre for internet users in Malaysia to log complaints.

    The third speaker is from Internet Society, a nonprofit organisation founded in 1992 to provide leadership in Internet related standards, education, and policy around the world.

    Overall it was a good seminar; can't wait for tomorrow. Will update on Day 2.

    Text posted at 11:04 PM (2 years ago)
    Bigfoot Theme © 2008 by Harris Novick