Online rental scam

I recently moved to Hong Kong and was the mark of a scammer who tried to cheat me of rental deposit. I lost no money, just a bit of time that I could have used to view other properties and get settled in earlier.

The scam is simple. The scammer shows the victim a rental unit that looks very attractive and good for the price. The victim is interested. The scammer explains that he/she wants someone of the right character to stay in the house. The victim has to write about himself/herself and gets more committed to getting the unit on the way. Once the “landlady” decides to go with this tenant, he asks for money to be wire-transferred because for some reason he is not on location and will fly over to meet the tenant and pass him the keys or mail the keys over. If the victim pays the money, the scam is successful. He finds out that the house is occupied.

I have often wondered how stupid a person has to be to lose money in this manner. I got my answer. The money is not brought up at the start. A number of messages are initially exchanged between scammer and mark making the mark more and more committed to the place. By the time the mark realises that the “landlady” is not in town and will not be able to open the door for him to view the place, he has already spent some effort to prove himself “worthy” of the unit and is committed to it. In the email exchanges, the scammer identifies minor problems with the house making the house seem all the more real. And the scammer sends a scan of his photo ID – that of a real person. It is all very convincing.

Being an information security professional helped me to not lose money in this case. I knew that a scan of the ID did not prove that the sender was the owner of that ID. My telephone company, bank and various other organisations probably have scans of my ID. I asked for a video chat over Whatsapp. This is harder to fake and I received no effective reply.

Edit (added 31 Jan 2017): The scam works for three reasons. It works because:
1) humans are inherently trustful,
2) the scammers are clever enough to make us commit our efforts to make us want it to be real &
3) we rationalise our suspicions with reasonable-sounding explanations and allow ourselves to be victimised.

How to not be scammed that easily:

  1. Be on the alert if it looks too good to be true.
  2. If you get suspicious, ask the internet and people who may have done the same thing before (e.g. people who looked for units to rent in Hong Kong).
  3. Do not send over money by bank transfer to anyone whom you have not seen. Online selling sites such as eBay use Paypal which provides the buyer with some protection.
  4. Note that a scan of an ID card (or even the ID card itself) is useless unless you can verify the picture against a live (not recorded!) video or against the actual person. ID cards can be faked or stolen. Lots of people can have scans.
  5. The scammer may get indignant (my scammer did) if asked for proof, but this is a ploy to bring down your defences. It is the obligation of the person at the other end to verify that he/she is who he/she claims to be. This is essential to establishing the trust that you need to conduct your transaction.
  6. In the event that you have seen the person online or in person, you still need to authenticate their identity with an ID card or have some address to lock them down to if you need to dispute something with them in court. Anyone can chat with you using a fake name. You might also need to consider whether the police has jurisdiction over them to redress any claims that you have against them. The Hong Kong cops probably can do little to someone in London.
  7. Edit (31 Jan 2017): You can reverse-lookup photos on Google Images (images.google.com) to see if they appear in any other websites (that depict rooms in other countries, for instance).

This is the gist of my experience. I have put things down in greater detail below for those who are interested:

 

=============

 

Note: I am going to name names. The names will be of real, likely innocent people. I put in the names in so that others who are in a similar situation to me may get a clue and stay away from the scammer. Also, as far as I know, the people who own the names and the people who may have falsely used them have not been convicted of crimes in any court of law.

I started my house-hunt a few days prior to arriving in Hong Kong. Hong Kong is one of the most (if not the most) expensive housing markets in the world. Many contacts and friends advised me to budget HKD 15,000 per month (~USD 1,930 at time of writing) for a room in the city. After browsing through a bunch of rental websites I was confident of finding something under HKD 10,000. I set my primary requirements as: must have an attached bathroom, enough space for a small table in the bedroom and close to the city centre. There were many lacklustre options but one stood out: a post on easyroommate.com.hk that displayed gleaming clean rooms with a massive bedroom that housed two beds and a fireplace for just HKD 6,500/month. The description stated that it was built with luxury in mind and that the owner wanted someone with whom she would get along nicely more than anything else. It looked too good to be true. I contacted the owner, Bianca, who responded the next day.

Here is her actual introduction: This is just to let you know few things about myself and the apartment.My name is Hais Bianca, I am 26 years of age,easy going, tidy and non smoker female.I am glad that you are interested in renting my apartment and I will be looking forward to having a wonderful stay with you should you succeed in reserving it for yourself.

I love meeting new people and also a like having a time-out with relatives and friends whenever I am less busy.My father and mother used to live in the apartment before my father’s demise which has led to my mother’s relocation.

Since I am currently on an internship attached to my late father’s company in the United Kingdom,I will be resuming for my masters in Hong Kong soonest once the internship program has been concluded but I will be available at anytime for you to move into the apartment on the specified date as long as I am sure of your interest.

The most important thing is that,I am looking for someone to share daily life and common value with. so the ideal person i will like to share my apartment with must be a neat, trust worthy person and the person must be capable of paying the rent on a consistent basis as long as he/she continues to stay in the apartment.

There are Three bedrooms in the apartment, One is for me, the room in the picture is about to be reserved for 1 person(which has it’s toilet and bath en-suite and the last one which is reserved for guests is also for rent as well,since my parents are no longer occupying the apartment(that is why it is no longer available for guest because they used to be my parent’s guest)may be the other person can manage this room(but it will have it’s toilet and bath shared).So the only thing we will have to share together in the apartment is the kitchen and the living room.

The from portion of the email said ‘bianca hais’ (uncapitalised first letters). I obviously had to do a good job to win this one. I put on my best interview face and wrote up a nice piece about how awesome a flatmate I was. At the very end I asked:

If this is an interview… what languages do you speak? 🙂

Bianca said that she was OK to be my roommate. She spoke German and English and was also learning Mandarin. She provided me with all the photos of the unit that I asked for and welcomed me to check out the locality myself. She had wasted a lot of time and money the last time, so she wanted me to reserve it before she came over. “That’s why it is so cheap – because people do not want to accept an apartment that they can’t see for real,” I told myself. I told B that I would confirm once I checked out the area. We sent each other a few more emails. I sent her one saying:

Und Ich spreche ein bißchen Deutsch. (translation: And I speak a little German.)  You could help me practise. 🙂

She did not reply to that one, but sent over the information that she required before she could come up with the lease document. I sent her over a scanned copy of my passport and details such as full name, age, occupation, moving-in date, how many months I wanted to stay, etc. I arrived in Hong Kong and saw the locality, a vibrant place with lots going on. There was a guard at the gate and I did not go in. I emailed B that I was OK to go ahead. She sent me the rental agreement and a scanned copy of her Hong Kong ID (HKID) card. It was a very nice looking tenancy agreement including the below generous clause:

(e) The tenant is privileged to get a refund of his/her money if he/she is not satisfied with the apartment after viewing it or should there be any contradiction from what was being displayed in the picture compared to what is seen on viewing.

At this point, the fact that she had mentioned that I had to reserve the room before she would come over had finally filtered into my consciousness. I had to pay this woman before I saw her? “But she has sent me a scan of her HKID, so I know that she is who she claims to be,” That’s when the security professional took over. The HKID scan only proved that she had a scan of Bianca Hais’ HKID; it did not prove that the person who sent it was indeed Bianca; it did not even prove that she had Bianca’s HKID card. I had not yet authenticated Bianca Hais.

I looked for the advertisement on easyroommate to see if I could find any more details. The ad had been removed. “She must have removed the ad when I expressed interest in it. There must be lots of people who want it at that price.” I looked through my emails. Why was the room that cheap? Bianca’s email mentioned no lift to the room. Could that be a reason? I shot her an email asking about it and about what happened that caused her to lose money the last time. I looked her up on social media. There was one LinkedIn profile that fitted. She looked slightly different from the HKID picture, but there was evidence of living in Germany, Hong Kong and China. That would explain the languages that she spoke. I could not send her a message, but I was able to send a connection invite with a short message about me being contacted by a Bianca Hais in Hong Kong, asking her to reply. Separately I asked her over email to connect with me over LinkedIn.

She had said nothing for two days and I wanted to be done with my househunt. I realised that asking to connect over LinkedIn was unnecessary: we could just do a video chat over Whatsapp and I could see her face. I sent a message suggesting that. Then I checked the building again and confirmed that there was indeed a lift. There was a lift, so I was not being given a cheap apartment on that account. There was no reply the next day, so I sent her the signed tenancy agreement. I could authenticate her later, before I sent the money, but I had to secure the room soon. When I scanned in the signed sheets, an error on my part had caused it to attempt to scan an extra page. The tenancy agreement that I sent had an extra blank page at the end, five pages instead of four. Also, it scanned the pages in sideways instead of straight.

Bianca finally replied, a bit annoyed that I had made it so confusing with all my requests. I apologised, but insisted that we have the Whatsapp video chat. I had sent her my phone numbers multiple times, but she had not yet used them. Her preferred mode of communication was email. Now I started to get suspicious. She sent me back the signed agreement on her part. This is where it got really funny. It still had the same number of pages that I scanned in – five pages. I would have expected one page less if she had printed it out, signed and scanned it. Most interesting, she had put her signature vertically. More likely, I realised, she had pasted in a digital copy of her signature over the existing document.

Last page of the rental agreement (signatures masked). Note the odd alignment.

I had a bad feeling in my gut all along about this place. Little pieces were falling together that suggested things were not as they appeared to be. I searched for “Hong Kong rental scams” and came across this site: https://xingledout.wordpress.com/2014/02/01/beware-the-rental-scams-in-hong-kong/

The writer had experienced something quite similar to what I was going through with Bianca. This was not good. Now I had to start looking at my backup options. I really wanted it to be real, but how do I get out of it? And what if B was indeed real?

The next day solved the problem for me. I had looked up other rooms in easyroommate. There was a fantastic looking studio right at Central going for just HKD 10,000. I had contacted the owner when my suspicions about B started growing. I got this message from her:

Thank you for taking the time to look at my property.

My name is Luzia and I am a civil engineer, originally from UK. I used to work in Hong Kong, but the problem is that I had to move with my job bak to London, UK, where I am now. During my stay in Hong Kong I bought this apartment but I don’t want to sell it, so that’s why I decided to rent it.

I am looking for a responsible person that can take a very good care of my apartment. I am not after the money for the rent but want it to be clean all the time and the possible tenant will see the apartment as his or her own and I hope that you can send me some personal information about yourself. The apartment is fully furnished with all necessary amenities (exactly like in the pictures). It has dishwasher, washing machine and clothes dryer. There is a storage unit where you can deposit my furniture (if you don’t like it and you want to use your furniture) and AC. Pets allowed. Cooking allowed. This is not a shared rental with the owner.

The monthly rent for the entire apartment is HKD$ 10,000 and also includes monthly utilities bill (electricity, water, heat, cable, gas, internet connection+wifi), so there is nothing else to be paid on top of that. I am looking for someone to rent anywhere from 1 month to 5 years or more. Also the apartment is available immediately!

Sadly I do not have anyone there, so the property is being managed by Airbnb (no agency fees) and they will handle the whole rental process. If you want to know more about the rental process please get back to me and I will send you the step by step procedure.

There was a pattern here. The name in her email said Leslie Andree, not Luzia. There were too many similarities with Bianca Hais. The London connection, the verbosity and the fact that all these people were willing to part with so much personal information about themselves, the fact that the place looked just too good to be true (HKD 10,000 for the kind of room Leslie/Luzia advertised was a steal) and that they would not be able to open the door for me themselves if I wanted to view the place. A normal person would use an agent.

I finally stopped wanting it to be real and went to the police. A nice gentleman named Toby listened to my story with interest, viewed the pictures and the emails and informed me that no crime had been committed. I had not lost any money to the scammers and while the places did look too good to be true (he was amazed at the fireplace in B’s master bedroom), I could not prove that they were indeed fake. I asked him if he could at least not check with the real Bianca whose HKID I had a scan of. She was probably a victim of identity theft. He said that he did not have the justification to look it up in his system. It was slightly disappointing but consistent with my experience with the police elsewhere in the world. At least he was very polite. Toby advised me to inform the website administrators. “They would know about the people who posted the rooms.” I laughed. Easyroommate.com.hk did not even secure their login page. They only require an email when registering as a client. It was then that I realised that easyroommate had done something. They had removed Bianca Hais’ post.

I started evaluating the damage to me. I lost a lot of time that I could have used to productively house-hunt. I had some suspicions and I did not want to put all my eggs in one basket, so I had viewed a few units. Worse was the fact that the scammer now had a copy of my passport and a nice little piece that I wrote myself about my character. They could try to use that to spoof my identity for the same purposes.

I sent B an email saying that her post for the rental unit was very similar to many rental scams taking place in Hong Kong and that I was not proceeding with it. “Good bye.” I then told an agent for another room I’d viewed that I was willing to take a room of his that I’d viewed. He asked me for one crucial detail that B had not asked for: my employment contract, to ensure that I could pay for the room.

I was thinking that this business was settled when I got some Whatsapp messages from a London number. It had Bianca’s picture, as seen in her LinkedIn profile. “What is your problem? I have not started living with you and you have been making everything complicated. Do you think everyone will think the way you think? Now it is a crime for me to rent out my apartment because I needed a flatmate. If you have trust issues you can as well buy your own house. Stop disrespecting people. My apartment is not a scam and I owe you no explanation.

I was in shock for a minute and almost sent a message of apology. Then I got over it. The picture was publicly available. In the extremely unlikely event that I had been communicating with the real Bianca, she would have to be quite stupid to not simply use an agent to hand over the keys. Who wants to fly all the way from London to Hong Kong just to hand someone their keys? I doubted that a real Bianca would want to live with me at this point or would give me her phone number after I had called her a scammer. I asked B for a video chat. There has been no more contact since.

I wrote to easyroommate. They got back to me stating that both posts (Bianca’s and Leslie’s) had already been taken down by their moderators. That had not helped the people whom the scammers had already contacted, had it? I advised them to make it a policy to inform all people who had been in touch with the scammers (or who had contacted the scammers) so that the users who had been reached before the posts were taken down would also benefit. Easyroommate said they would consider my suggestions. Hopefully they will implement them.

Edit (31 Jan 2017): I eventually learned that the pictures were from apartments in France by reverse-looking them in Google Images.

Review: The Cuckoo’s Egg by Cliff Stoll

The Cuckoo’s Egg (1989) is probably THE classic true computer security incident response story. Cliff Stoll, a man with a doctorate in astronomy, gets a job maintaining the computer systems at an astronomy lab. He is charged with explaining a 75-cent discrepancy in the accounts and finds that someone has broken into the network. The intruder jumps from the lab computer to military computers around the United States and turns out to be a foreign spy.

The year was 1986. Computer firewalls had not yet been invented. Laws barely existed that covered computer crime. People who hacked unauthorised into computer networks had been charged with “stealing electricity”. The three-letter agencies in the United States had not yet figured out the scale of computer insecurity or the possibilities and were not interested to investigate cases. This backdrop makes The Cuckoo’s Egg fascinating.

If the book were written today, it would not be called The Cuckoo’s Egg. Today we would just call it a backdoor into the system. Information security was such a new discipline in the ’80s that Cliff got to invent his own phrase to describe what is standard terminology known to the layman today. (Unfortunately we do not use Cliff’s choice of words today.)

Cliff painstakingly sets up a monitoring mechanism to detect the intruder and track his activities in a manner that the intruder will not recognise. The intruder uses dictionary words such as “Hunter” and “Hedges” for his passwords. Cliff’s monitoring system calls him at all sorts of hours to watch the intruder in action. Cliff makes contact with people all over the US to trace the intruder. Only after months of monitoring and meetings with the agencies do they finally get around to moving to catch the perpetrator.

Throughout, Cliff struggles with his politics. As a long-haired hippie, he probably has more in common with the hacker than with the suited g-men of the agencies. Cliff’s interaction with the spooks and character such as Robert “Bob” Morris of the cybersecurity command make for good reading. Along with his investigation, he finds that his politics also change as he realises that the intruder is destroying the trust needed for the internet to be the medium for sharing information that he expects it to be. An astronomer, Cliff is an unlikely person to be considered a computer expert. He was in the right place at the right time and he made the most of his opportunity, leading to arrests in an international investigation. A bonus is thrown in at the end: Cliff is one of the experts called in to deal with the Morris Worm – a computer worm that brought down a large number of internet-connected UNIX servers.

The book is written with a great sense of humour. Cliff, despite being a PhD, successfully plays the ‘little guy’ making his little dent in the information security universe, in fact making it profoundly better. It is a nice read for the layman about information security (or cybersecurity) as a discipline finding its feet and making baby steps. We all use computers and we need to know what can be done with them. Importantly, the book describes the ‘security guys’ as ordinary, relatable human beings with ordinary lives and ordinary motivations.

The Cuckoo’s Egg is a must read for information security practitioners, especially incident responders. The trade craft and dedication shown by Cliff and the initially surprising revelation about the hacker being a spy should motivate incident responders and other security professionals in their jobs.

Securing yourself online

My blog has been slightly inactive on account of my travels. Here is a little Christmas gift. This article contains points that I have distilled from a presentation that I have made for the same purpose, i.e. educating people about what they can do to make their online lives more secure.

There are a number of things that we can do to keep our valuable data private and available to us when we need it. Here are a bunch of them that I apply in my personal life. They start from the simple and free and go towards the technically complex and paid. Note that I have avoided putting in details on how to do each item as the article is already long. Doing a search on Google (or DuckDuckGo) with the heading should provide you with more details on each item.

Caveat: none of the advice below guarantees your security. If the NSA wants to see what you’re doing, they probably will. Security requires ‘defence in depth’. If one measure is surmountable, it helps to have another measure to back you up. If a malicious entity somehow breaks the security of your VPN, they may be set back by your HTTPS connections; if they sniff/steal your password, they may be set back by your 2FA token. Those of us in the information security industry hope for (and work toward) a future where the layman does not need to have sophisticated IT knowledge in order to secure their lives. Read on!

Backups
Some stuff is too valuable to have only one copy of. In the event that a hard disk fails, you will want to have a backup in another hard disk or on the cloud. Every article that I write is initially typed up on my computer / online storage before it is copied into my website. Additional hard disks for storing large volumes of photos and videos is now cheap.

Password locking & password managers
If your computer connects to the internet, it can be easily accessed remotely and it needs a password. Make it at least 15 characters and do not reuse the same password anywhere else. Read this series of posts aboutpassword management and stop trying to memorise all your passwords. Get a password manager to remember passwords for you. Make your passwords totally random, long, distinct (do not use the same one in two places) and unmemorable. One password for your computer, one for your phone and one for the password manager should be all you need to remember. I have also come across recommendations (there is no consensus) to not use  security questions that allow you to recover your account if you should forget your password. They fill the security question field with gibberish. Security questions to help reset passwords are a weakness that allows people to access accounts without cracking their passwords.

Windows update (and other autoupdates)
This is a critical and fundamental security measure. Ensure that automatic updates are turned on by default for your Windows and other software on your computer. The browsers that you use and MS Office are critical. Java and Flash are notorious for their vulnerabilities and need frequent updates. Any time a vulnerability is found, there is a race between manufacturers trying to push updates to users and malicious actors attempting to exploit the vulnerability. Enabling auto updates keeps you on the safer side of the curve.

Windows firewall
The default firewall on your computer should be enabled. More precisely, do not disable it.

Antivirus
This is something fundamental. It should not give you a sense of security, but having antivirus or antimalware software is a minimum security requirement. Plenty of free and paid antivirus software are available. The fact that you pay for it does not necessarily make it better.

Pirated software and jailbroken devices
Using pirated software is a good way to introduce malware into your computer yourself. The act of jailbreaking a device to give it features that the manufacturers did not intend it to have necessarily requires breaking the security of the device. Avoid doing these things. Get software that is free to use or buy commercial software.

Mobile phones
If your phone allows biometric authentication, enable it and use it. Your secondary authentication mechanism must be a long PIN / password (10+ characters minimum, 14+ optimal). The PIN might be slightly easier to use on account of the bigger size of the buttons. Drawing patterns and 6-digit PINs are easily observed by shoulder surfing and easily broken by technical means. Do not leave the phone where others can physically access it.

Laptops and other portables
These devices should not be left in places where other people can access them. It is possible for someone malicious to fry your computer by plugging something nasty into its USB drive in seconds (see USBKILL) and walk away. It is also possible for someone to gain control of a locked computer, again by sticking something into the USB port, in seconds. The cost of gaining access? A $5 device (see PoisonTap). The previously mentioned advice about HTTPS also helps with the last item.

Encrypt the hard disks of devices (including phones) to protect data from theft in the event that the device is physically taken. Encryption is not a panacea. It is effective if the device is switched off, but it might be possible for a skilled attacker to extract data from a powered – on device.

Connecting to WIFI
Never connect to free insecure WIFI is the general security advice. Some people go further, choosing to always carry their personal WIFI router with them when they travel. Having a VPN connection enabled by defaultmay be a mitigating measure to connect to insecure WIFI (see below).

Email
Avoid clicking on links on opening attachments sent to you by email. This is the easiest way people get hacked – not through fancy technical mumbo-jumbo, but though stuff sent to you by email. Avoid forwarding any email that asks you to forward it.

USB drives
USB is infamous for being fundamentally insecure. At a basic level, never plug in an unknown USB stick into your computer, especially if you find it in the car park or on your desk. This includes iPads and phones that need to be charged – i.e. anything that has a hard disk. Don’t do it as a favour to someone that you do not know (some of us would not do it as a favour to people whom we do know). Disable autorunning of USB devices. You can find a number of articles explaining how to do this for your operating system. Also recollect the two items (USBKill and PoisonTap) mentioned in the section about keeping portable devices physically secure.

Software and apps
In general, install software and apps only from trusted parties. Do not install mobile apps from outside the standard app stores. For mobile phones, be wary of apps that ask for many permissions to function. The newest versions of IOS and Android allow users to give the app permissions only when it actually needs them.

Browser & websites


Any site that you login to must use HTTPS. Do not enter credentials or personal information such as date of birth, credit card information or ID information into a site that has no HTTPS. Add on the HTTPS Everywhere free plugin to your browser to force all sites that have more secure encrypted versions to provide you with the encrypted version of the site. Using HTTPS does not ensure security (it requires a slightly technical and much longer article), but without it one can not expect web browsing security.

Automatically clear your cache when you close the browser. This may be hard to get used to, but it makes it significantly harder for third parties (and first party sites) to track you. This can prevent websites from showing you the inflated prices that they showed you the first time you visited – since they no longer know that you had already visited. Enable the do not track feature. Use an ad blocker to block advertisements. Advertisements are a way for malware to spread through web browsers and to slow down your browsing. The site owner usually has no control over what content is provided to you in advertisements. A year ago, Forbes spread malware to its readers through advertisements.

Use a different browser for stuff like your email and social media that require you to log in and another browser for all other browsing. This can prevent Facebook from knowing that you’re planning a vacation to Iceland and providing you with ads. It can also prevent a malicious site that you happen to be on from reading information that you provide another site.

Control what is on your social media
Periodically check privacy settings on social media to understand how the content that belongs to you is used by companies such as Facebook, LinkedIn and Twitter. Tagging your face on pictures makes it easy for software to identify your face resulting in consequences that may be positive or negative. In general, do not post things on social media that you may regret if someone reads it out of context. It is easy for someone to screenshot your post and paste it elsewhere, minus the context. Avoid giving out information such as your date of birth and family members as this information may be used by your bank or a government to authenticate you. (When was the last time you had to tell someone on the phone your birth date or your mother’s maiden name to convince them that you were you? It can’t have been very long ago.)

Home router
Critical: change the default username and password for the WIFI router. This is typically something like ‘admin’ for username and password. In many cases you can reach the settings page by typing in “192.168.0.1” or “192.168.1.1” into your browser. Change the SSID (i.e. the WIFI name) and if possible disable access point broadcasting. Default SSIDs make it trivial to find the kind of WIFI router and makes it that much easier to attack. I have known wireless printers to be unable to connect if you disable AP broadcasting, so it might not always be possible. Use WPA2-PSK security with a long password for connecting to the WIFI (note that this is different from the router admin password). Periodically update the router software (every half year is a good bet for the layman).

SMS and phone calls
Understand that the providers of your mobile connection have all information about the numbers that you dial and the contents of the SMSs that you send. They can also listen to your calls. If this concerns you, you might want to use encrypted messaging (see ‘different providers’ section) and encrypted calling services. They function in a foolproof manner only when both people use the service and the encryption is end to end, but encrypting content to the service provider gives some amount of privacy as well.

Use a VPN
Virtual private networks (VPNs) are commonly used to create an encrypted remote connection between a person and his office environment when he is not on site. This technology can be used to protect your internet browsing data as well. VPNs can be used to protect your browsing if you need to connect to weakly protected WIFI networks and to mask your location from thisa  parties. VPN software typically require payment, but can be cheap.

Edit 2 (31 Jan 2017): I have removed this recommendation altogether because using the wrong VPN provider can cause greater risk to the user than not using a VPN at all. Too high a proportion of VPNs are implemented insecurely / have a shady business model for this recommendation to stand [research paper].
Edit: VPN caveats: Not all VPNs are created equal. Understand their business model and whether they do actually value your privacy. Obviously, the VPN provider has the ability to read data when it enters and leaves the tunnel (prior to any VPN encryption) unless the traffic is encrypted even before it goes into the VPN (e.g. all your Facebook and Gmail traffic). If the VPN is available for free, ask why. Does their business model depend upon selling user information?

 

Use different providers altogether
Use providers of services who respect your privacy and do not use your information for their own benefit. Try DuckDuckGo for search instead of Google; secure email services instead of Gmail (which reads your mail) or Live mail / Outlook (which can read your mail). If you are still using Yahoo!, please stop now! (right now!) The same goes for messaging tools and VOIP. See the Electronic Frontier Foundation’s (EFF) secure messaging scorecard regarding security and privacy. You may be pleased to know that the most common messaging application, Whatsapp, is quite good at the moment.

Using the Gartner magic quadrant when buying security products

The Gartner magic quadrant is ubiquitous at security sales presentations. Being featured in the quadrant, the leaders quadrant in particular, is a part of the vendor pitch and the recognition that it provides may have an impact on the purchasing decision. Is it of such significance and should it impact your purchase decision?

Gartner does provide useful analysis of security products, their penetration into markets and their product maturity. I occasionally check out Anton Chuvakin’s blog on SIEM as I find it a useful resource in my own specialisation. Knowing the quality of the output (at least in the SIEM blog), I have some faith that the MQ delivers what it promises to deliver. This is what one needs to note: is the MQ’s judgement criteria relevant to your purchase decision?

In very few sales presentations that I have attended have I seen an actual quote from Gartner’s analysis provided by the vendor. They have contented themselves to put up the MQ itself to allow potential clients to assume that that means it is a fantastic product or, if the product is the highest and rightmost on the chart, the best product. The clients for their part appear to fall for the assumption. This is not what the MQ is meant for. While the MQ does say something about the market penetration, the vision and coverage of the product and vendor, it says very little about whether the product fits your business. Users look for products in the top-right quadrant, when in fact a product in the top-left may be a much better fit for your environment.

Gartner explains their methodology for the magic quadrants here.

Gartner is very open in stating that the quadrants talk about the capabilities of the technology providers in executing and envisioning the future for the type of product. It says nothing about the technology solution on offer and does not pretend to. Gartner’s critical capabilities articles are much more useful when considering products provided by the vendor. More importantly, use this as no more than as a starting point when considering dealing with a vendor / product. There might even be a chance that the best-fitting product is not there in the quadrant or that there is no quadrant for the kind of product that will fit your requirement.

Gartner’s analysis is inadequate to inform you as to whether the product will work for you. Get your vendors to come up with a proposal to fit your requirements and perform a proof of concept with a few vendors and with you security team to really understand the product for your decision making.

You might also find these articles interesting:
The horror of the security product presentation
Comparing SIEMs for your environment

I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html

SIEM: Comparing available SIEMs

This is an article of a series on a group of security products known as SIEM: security information and event management. This article introduces SIEM.

You have decided to get a SIEM since you need it in your environment. Vendors will soon present to you on the merits of their SIEM and how their product is superior to the competitions. How do you cut through the jargon and understand whether the product fits your needs? Here are some of the things that different SIEM products perform differently.

User-friendliness
This might be harder to measure than you think. Note that there are different types of users in every environment. “Using” the SIEM (i.e. running reports and searches and looking at dashboards requires one level of user). With some SIEMs, the user can simply type in a keyword or an IP address and instantly get query results from days of logs. With others, they may need to learn the syntax of a search query. In some cases the search query syntax can be learned in minutes. In other cases, a really good query may require knowledge of regular expressions which require analysts with technical talent.

Administering the SIEM and creating reports and rules typically requires users with a higher degree of technical knowledge. They also need to find the SIEM friendly to use. In some cases, it is very easy to extract out the results of a search as a report and save the format for later use. In others, it is more complex, with multiple modules needing to be created prior to arriving at the final output. Likewise some SIEMs allow correlation rules to be created with just a series of mouse-clicks from a search output. Some others may not have this functionality.

User-friendliness should be a key criteria when there are no dedicated personnel handling the SIEM. If you have a small security team (or worse, if you have no dedicated security team, this will be a significant criteria).

Setup time
Some vendors advertise ‘turn-key’ products that can get up and running in minutes. Always take with a pinch of salt any promise of instant security. What these provide are a check in the “do we have a SIEM?” checkbox for people with compliance requirements. Given that, setup time still varies among products. Some vendors will have multiple types of products with differing setup times that are worth considering.

Why do these setup times vary? Often the products may be a ‘starter pack’ with a small subset of features or they may turn out to be not very customisable or extensible. Consider whether the product will also fit your needs a few years on when purchasing something that has a short setup time.

Extensibility
Depending upon the environment and the your initial motivations behind getting a SIEM, your need for storage space may change slightly or drastically over the life of the product. Enterprise-grade products ought to be extensible, either by adding storage to the existing setup or by having another instance of the product software running that can be integrated into the current setup. In some architectures it is possible to run a search from one component on all components in the infrastructure. In some other architectures, a selection of events flow up to a higher level manager where these key events are analysed.

Customisability
Customisability, along with extensibility, are occasionally antithetical to user-friendliness and setup time. Some products come with a large number of use cases that are effective out of the box, but are not customisable or are hard to customise. Others are used best when they are heavily tailored to the environment and allow a great deal of customisability.

Environments with fewer analysts (or no analysts) may not need the customisability option so much. Security operation centres and large environments will work best when the use cases are tailored. These environments are also more likely to have dedicated personnel who can learn the SIEM thoroughly such that the user-friendliness and intuitiveness of the SIEM is less likely to be a problem.

The above four are criteria that help with evaluating traditional SIEM. The below capabilities are now becoming more relevant and useful in improving the effectiveness of SIEMs.

User behavior analytics
While dealing with ‘events’ generated by devices is key to SIEM functionality, attaching those events to actual flesh and blood users performing actions, legitimate and illegitimate, is of considerable value. Today’s SIEMs either have this capability built in or can add in this capability as an extra module. This should be a part of your consideration especially if you look into insider threat (you absolutely should)!

Artificial intelligence / machine learning / anomaly detection
Different companies will call it by different names. The crux is to go beyond pre-built rules to let the machine analyse normal patterns of behavior and inform the analyst of anomalies. The technology is not foolproof, but this is the future.

Get your vendors to do a proof of concept (POC) so that the SIEM demonstrates its value. Have your technical staff evaluate the product based on the criteria for your environment before you make your decision.

Also check out these resources:
My previous article introducing SIEM
Anton Chuvakin’s blog at Gartner is a great SIEM resource 

I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html

SIEM: Security information and event management

This is the first article of a series on a group of security products known as SIEM: security information and event management.

You are probably familiar with the fact that most computing devices log a number of events that happen on their systems, e.g. a user logs into Windows; an antivirus scanner detects a virus; a switch port is disabled; etc. As in a plane’s black box or a written log of events, the events happening inside computer systems have value: an administrator can understand what caused a user to get locked out of his computer; why the web server is no longer receiving traffic; where the origin of a worm is; etc. Since the logs are available, it will be of much more use if they can be readily accessed from a purpose-built system than if we had to go to each individual machine to retrieve them. Log management systems (LMS) were born out of this requirement.

A log management system collects logs in a central repository. This can be useful for after-the-fact reviews of incidents. What if you want to know in close to real-time what is going on in your computer infrastructure? This is where the SIEM comes in. SIEMs have considerably enhanced capabilities over LMS, but usually may not retain the logs for as long as purpose-built LMS.

SIEMs perform a few functions: they normalise, aggregate and correlate the logs. They present the logs in an easy to understand GUI. They are able to provide trending and analysis.

Normalisation: Logs come in various formats. It can require a bit of an effort to understand what logs from different products/manufacturers are trying to say. SIEMs simplify this by standardising the log content into fields that are common to the SIEM. The analyst has to understand the field within the SIEM. This is adequate to comprehend the logs.

Aggregation: There are some devices that send hundreds, perhaps thousands of similar events with just a few parameters including the timestamp differentiating between them. In the event that the distinctions are not relevant, a number of events within a short timeframe can be aggregated into one event, along with the total number of events represented in a field. This reduces the number of lines than an analyst has to look at.

Correlation: This is the key strength of the SIEM. Correlation is the ability to see relationships between distinct events that happen in the infrastructure. The events may originate from distinct products and can sometimes be separated by hours. If such relationships can be automatically found, it drastically reduces human effort in analysis. If a person’s remote login account is used and within a few minutes, their door card is used to access an office building, this might be something that security has an interest in. A SIEM can detect this sort of correlations.

Alerting:
The obvious next thing to do after detecting a correlation that is security-critical would be to notify the analysts of the event. This can be done via email, SMS, popups on their console, etc. SIEMs have the ability to send alerts close to real-time once an event or a correlation occurs.

Dashboards and reporting:
SIEMs come with nice interfaces that provide snapshots or current states of security in one’s environment. These may be snapshots in the form of reports, presented as charts, tables or a combination or they may be dashboards that show current states, maxima, minima, averages, etc.

 

SIEMs have evolved over the last decade and they now come with even more features. The ability to do user behavior analysis and integrate threat and network models are features that you will see in today’s SIEMs.

The ubiquitous Gartner magic quadrant for SIEM will give you an idea of the major players in the SIEM market as Gartner sees it. Take care to actually read their analysis and to look beyond the picture when you consider buying a SIEM for your organisation.

I will make a few more posts on SIEM in the next few weeks. I am speaking at the CSX 2016 Asia Pacific conference (14-16th November 2016) on SIEM. Check it out: http://www.isaca.org/cyber-conference/csxasia.html
 

Review: No place to hide – Edward Snowden, the NSA, and the US surveillance state

Glenn Greenwald is the reporter who, along with Laura Poitras, broke Edward Snowden’s leaks about the NSA’s mass-surveillance program in 2013. In “No place to hide” Greenwald tells the story of how the leak happened, from the first contacts with Snowden to the aftermath in the next year. Greenwald also devotes a chapter to explaining why the ordinary person should care about mass government surveillance.

The big story is about the content of Snowden’s leaks, but the reader also gets to understand and appreciate Edward Snowden. Snowden’s motivations for putting his entire future at risk is probably the significant reveal of the book. Snowden has no significant character flaws that suggest that he might want to bring down the establishment. He is a person who might be considered to have a “decent middle-class” upbringing and was working highly-paid jobs when he stole the classified documents. He even created a manifesto that includes “While I pray that public awareness and debate will lead to reform, bear in mind that the policies of men change in time, and even the Constitution is subverted when the appetites of power demand it. In words from history: Let us speak no more of faith in man, but bind him down from mischief by the chains of cryptography.” – paraphrasing Thomas Jefferson who said “In questions of power then, let no more be heard of confidence in man, but bind him down from mischief by the chains of the Constitution.”

Many pages of the book are spent on the details, the illegality, the implications and the lack of necessity of the bulk data collection of the NSA. This data is collected from and shared with the partners in the five eyes: UK, Australia, New Zealand and Canada. Greenwald argues that targeted data collection of specific individuals is adequate and effective and that bulk data collection has been useless in preventing terrorist attacks. Also, despite the stated goal being terrorism prevention, surveillance has been put to use for economic and diplomatic advantage of the United States. This is precisely what the US has hypocritically asked China to stop doing. And “who watches the watchers?” The FISA court, created to oversee covert operations, is nothing more than a rubber stamp that has not denied a single surveillance request.

Most people who are habituated to living in the society where they think allowing the government to read their emails (or pancake recipes) is harmless. “I am too boring to be worth surveillance.” Greenwald has a reply to people holding these attitudes. He explains that most people who would do nothing to challenge the establishment would not feel threatened, but when something that the establishment prefers to keep hidden is in one’s possession, one becomes a target. This has nothing to do with threats to national security; just having opinions or publishing facts that disagree with the establishment can cause a person under such a government much difficulty. In a democracy the ability to criticise the establishment is a freedom that we have that is being eroded by having your privacy taken away from us. A response for the “boring” people who will never criticise the establishment: they will be impelled to change their normal behaviour if they felt that they were being watched. Our conversations and whom we talk to are being recorded. Does that not affect what we write about? Also: one closes one’s doors before having sex. This has nothing to do with sex being illegal or immoral and everything to do with humans needing privacy for some activities. We should expect privacy in what we write about in private communications.

The book’s last chapter describes how the American news media have become pliant – willing allies serving the needs of the political establishment instead of the public’s. It is a fascinating read and enlightens the reader to be more politically aware and aware of how precious one’s privacy is.

This book informs us that we need to take conscious political choices in order to protect personal privacy as a fundamental right. Snowden and other whistleblowers before and after him have faced prosecution from the “liberal” administration of Obama. The choice is between a world where no one has privacy and one where the NSA can abuse their surveillance powers at will. It is a must-read to understand the political and technological abuses of power that go on in our modern world and why conscious usage of technology such as encryption can be a political statement and not just a privacy tool.

Review: Ghost in the wires

‘Ghost in the wires’ is the autobiography of Kevin Mitnick, the “world’s most wanted hacker”. The book came out in 2011. Mitnick now claims to be reformed and has his own security consulting company.

Kevin Mitnick, as a teenager, was curious about breaking into computer systems. He did so, explains in the book how broke in mainly by using social engineering methods, and eventually got caught and was sent to a juvenile correctional facility. With this began a cycle that would repeat itself many times over the book.

The book is best in the early parts when Kevin describes one of his hacks. He understood that any system has weaknesses, technical or human. He would find a weakness and exploit it. He would persist if initially unsuccessful. The hacker mindset on display as he attempts to break into something just for the fun of it is something that people would do well to understand. Also, the ease with which systems built by hundreds of people can be subverted using very low-tech methods is something to know about.

As a person with some technical knowledge, I was able to follow a great deal of the technical hacking described in the book. A lot of what is described (“getting root”, “exploit [noun]”, etc.) is incomprehensible for the layman – my father gave the book a try. Surprisingly, the book gets boring after a while. Within the first hundred pages, one learns everything there is to know about Kevin’s non-technical social engineering skills. What follows is a repetition of what already happened: Kevin decides to break into something; he calls someone pretending to be someone else, elicits and easily gets required information from them; he breaks in; he learns that law enforcement may have gotten wind of it; he tries to cover his tracks and breaks into something else to get more information. The cycle continues, occasionally punctuated by visits from the police.

The discussion regarding law enforcement becomes complicated by the fact that they (and criminal prosecution) do not appear to have a good grasp on what Kevin has actually done (according to him), accuse him of crimes that he did not commit (according to Kevin) and prosecute him for the same. This is another interesting thing about the book that everyone trying to stay on the right side of the law in a fully internet-connected world should appreciate.

A serious problem with the book is Kevin’s lack of contrition. He is repeatedly sorry for the harm he did to his loved ones, but has no feelings whatsoever for the companies that he broke into, their employees, or for the people whom he insults with snide remarks in his book. His language, as a man in his forties (when the book was written), shows an immaturity that should have ended with teenage. Kevin repeatedly refers to the man who caught him, Tsutomu Shimomura, as “Shimmy”; he calls people “bastards”; he unnecessarily names and shames a colleague who may have wanted to have sex with him; etc.

The casual reader would learn much about the vulnerability of the devices and infrastructure that we use from going through about 100 pages of the book. 300+ pages is way too much to read about one egoistic hacker who may not have learned his lessons.

Feeling secure vs being secure

When talking security with individuals one often observes a distinction in language that completely changes the meaning of the topic: people talk about wanting to feel secure, which is a very different matter from actually being secure.

Humans are poor at understanding security and risk: they overestimate the danger from scary and infrequent events (such as terrorist attacks) and underestimate the dangers of common events (such as road accidents and nutrition-related illnesses).

Humans are also prone to live by the falsehood that “something needs to be done” to remedy real and perceived problems, when it might actually be more pragmatic to not do anything at the time. Security expert Bruce Schneier has written extensively about this, on how the TSA is a multi-billion dollar harm inflicted upon people travelling within the United States after the very successful terrorist attacks on September 11, 2001. The fact that they put travellers through a lot of misery gives people the impression that travel in the United States is safe, when in fact it is not proven to be any safer than it was before 9/11.

This false sense of security is a problem. It causes organisations to spend billions of dollars on security products that do not solve their problems. It causes people to go through unnecessary suffering at airports because they are trained to believe that it is “for their own safety”. At the same time, the companies and people remain vulnerable to the same problems that they believed they were protected from.

A false sense of security can make someone perform a riskier action than they would under normal circumstances – think of the American rules football players, heavily padded and helmeted, who would strike in a more dangerous fashion under the impression that their artificial paddings would protect them against injury. This is the biggest problem with feeling secure: it can actually cause you to be less secure.

How do we guard against responding poorly to perceived risks in these fashions? A measured and thoughtful approach to security that avoids knee-jerk measures helps. Education is key, as is the recognition that there is no silver bullet that rapidly provides security. Security requires a combination of people, processes and technology to function in harmony. All three must come in place and people must recognise that no system is perfectly secure. This is fine. It is not worth the trouble to make something perfectly secure. Live your lives.

Blocking internet access for cyber security: Will it work?

“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.” —Dennis Hughes, FBI [attributed]

From May 2017, the Singapore government intends to block internet connectivity for the work computers of its 100,000-strong force of public servants. The government has opted for the drastic measure on account of security concerns. Is it really necessary and is this the best way of keeping things safe?

A key principle that information security managers learn is that security must work to enable business and not prevent it. Attempts to add security that appear to work against the normal functioning of the business are doomed to fail. This will be critical to whether the Singapore government’s efforts succeed or fail. It is not only the technological aspect of this new setup that must be taken care of, but also the ‘people’ and ‘process’ aspects. The latter appear to be lacking, at least in what has been covered in the news.

Did the government get the technology aspect right? Among other things, companies that have information security-aware management perform a ‘blacklisting’: for instance file-sharing activity, chatting, pornography sites and known malware sites and activity may be blacklisted and cannot be accessed by employees. Some security experts recommend a tougher measure called ‘whitelisting’: only the specific sites in the whitelist may be accessed by employees. This list could contain the top 1000 sites on the internet known to be safe and, upon business justification, additional sites could be added to the list. Entirely blocking internet access is the toughest possible measure and might be a bit heavy-handed.

Disconnecting a computer from the internet is called air-gapping. It is a legitimate security measure for the very paranoid / persons under surveillance. Security expert Bruce Schneier explains here what he did to stay secure from the NSA while working on the Snowden documents. Air-gapping requires a huge amount of effort to get right, primarily because the information that you work with tends to come through the internet. Air-gapping will make life harder for an attacker who wishes to access information in/through your computer. Information on one’s computer may still be accessible in certain ways, but accessing the office network through that device does get considerably more difficult for an attacker.

Air-gapping is not foolproof. An air-gapped computer owned by a non-technical person is less likely to be updated with security patches than one that is connected to the internet. It may make the device more susceptible to attacks through vectors outside of the internet. Targeted attacks have been carried out against air-gapped devices as long ago as 2010 using USB drives. The Singapore government currently does allow its employees to use the USB ports on their devices. USB drives are well-known transmission vectors for malware and many companies prevent their usage by locking them down. This would be a pragmatic step to take before the more desperate measure of taking away internet access.

The initial announcement of the upcoming policy also stated that employees would be allowed access to the internet on their personal devices and devices kept specifically for internet use. The Infocomm Development Authority (IDA) clarified in a Facebook post that “only unclassified emails for purposes such as accessing URLs” could be forwarded to private email accounts. This is going to be tricky. An employee who has habituated himself to transferring emails between his work and personal emails is going to do more and more work when directly connected to the internet on their personal devices, especially when the work requires research or benefits from information found on the internet. This in turn could lead to the personal devices becoming targets of attack, reducing the need to attack the office-issued devices in the first place. Considerable effort will need to be made to ensure that employees are aware of what information may absolutely not be transferred to devices outside the office-issued computers. These are serious flaws in the ‘people’ and ‘process’ aspects of the new policy.

I have already encountered people discussing how to subvert this ‘problem’ of no internet access. Singaporeans are technically savvy enough to get the internet that they need. The government has to ensure that their work does not get too painful and that access is had where they require it or the subversion will eliminate the positive security effects of removing internet access.