The Two Biggest Lies Told During an Audit… Part Deux

I wrote this original post over four years ago, before I was hired for my current position at Peerless; you can find the link to the posts HERE and below. Having recently completed what is now called an ITGC audit for SOX, I find the content as relevant today as it was then.

I find it fascinating how increasingly prescriptive the PCAOB (Public Company Accounting Oversight Board) is becoming in the assessment of internal controls. If you were to read over the AS5 guidance, there is a fair amount of flexibility built in to an auditor's ability to make judgments on their client's engagements.

But over the last several years, I'm finding that internal controls audits are becoming increasingly more about form over substance. I'm not being critical of any one professional services firm; I'm making my judgments as a matter of general observation…

That said, it's interesting that Grant Thornton published a survey early in 2013 of 243 corporate general counsels which specifically cited the increasing pressures of regulatory compliance and corresponding litigation, rather than competition, as the biggest threats to growth in US companies.

In house counsels more concerned with regulators than competitors.

NSA’s Domestic Spying Grows As Agency Sweeps Up Data

From the “The price of freedom is eternal vigilance” department comes this article from the front page of today’s Wall Street Journal. This is interesting for me on a number of levels; not only am I responsible for the management of my company’s information assets, I also have a master’s degree in information assurance. I find this truly disturbing. The Fourth Amendment of the Constitution prevents the illegal search and seizure of our property, but in the interest of “national security” the NSA seems to find this notion… inconvenient. Now, honestly, this isn’t anything that hasn’t been happening since before the days when J. Edgar Hoover ran the FBI, but this move of “openness”? The NSA effectively states “yeah, we’re monitoring you, and you should probably be careful.” Interesting… I could rave on about this being a fascist plot to oppress the populace by “the man,” but they’re probably already monitoring this blog.


FBI Prepares Vast Database of Biometrics

Link: FBI Prepares Vast Database Of Biometrics

Under the title of "The Price of Freedom Requires Eternal Vigilance," this article in today’s Washington Post caught my eye. We’ve been facing the issues of personal privacy for some time; the notion that the FBI is spending $1 billion to build a database of personal biometrics is, in a word, frightening.

Ostensibly, the intent of this massive effort is to assist in the identification and capture of criminals, but this also provides the US government unprecedented ability to identify individuals in the United States and abroad.

Opponents of the initiative cite the fact that the increasing use of biometrics raises the worry that such measures become a "de facto" national identity card, thus making it more and more difficult for citizens to avoid unwanted scrutiny.

This biometric information includes not only finger and palm prints, but irises, faces, and soon DNA. DHS, the Department of Homeland Security, has been using iris recognition to verify the identity of persons wanting to move quickly through lines at some airports.

Though this information is currently being collected through direct interaction with the individuals from whom the data are collected, researchers at the FBI’s biometric facility are working on capturing this biometric information covertly. Though several years away, this ability is of great interest to government agencies.

One of the biggest concerns raised by skeptics is that such projects are proceeding before matching suspects against the enormous amount of data collected is reliable. In one of the world’s first large-scale studies of the reliability of this technology, the German government used face recognition to identify people between October 2006 and January 2007. The technology proved reliable 60% of the time under the best daylight conditions but fell to between 10 and 20% at night.

The long-term goal is "ubiquitous use" of this recognition technology, where individuals will have biometrics captured without ever having to step up to a kiosk and look into a camera.

I’m ready for my close up Mr. Demille…


*** Google Password Attack Update ***

I didn’t quite get to finish my post yesterday, so I took a few moments to do a bit of homework; here’s what I found. I decided to do a real-world test and attempt to look up a few commonly occurring passwords I’ve seen here in my organization, so I took ten proper names and words and used them as reference material (I won’t list all of them here, but as examples here are three):

– 72a97fb793d496318518aebc7e9298b2 -> the "serial" number for "cowboys" (I’m a Dallas Cowboys fan).

– dfeaf10390e560aea745ccba53e044ed -> "cisco"

– 9924a057edc46fa6c7ac87a7b1771d4f -> "altoids"

I generated the hash values, entered each of the values into Google search, and the all-knowing Google returned the password for each. In fact, out of the 10 "serial" numbers I entered, I found *7* passwords, including at least 2 I wasn’t expecting to find because of uniqueness!

I don’t mind saying that this was a little frightening. Now here’s a tip that will help at least minimize the probability of finding the passwords in Google.

All of the words I used were proper names or words right out of the dictionary (randomly selected). When I added a random number or character, e.g. I added 20071001 to cowboys to come up with cowboys20071001 (that hash value is 2810ea90c3101fadbaba8748f5b34902, btw), I didn’t find the password; in fact, when I added random numbers or characters to any of the passwords, I didn’t find *ANY* of

Adding randomness to passwords is a cousin of a technique called "salting," which systems use to strengthen stored passwords. Properly, salting happens on the system side before the password is hashed: the system generates a random value (the salt) for each account, hashes the salt together with the password, and stores the salt next to the resulting hash. Two users with the same password then get different hashes, and a precomputed table of hashes of common words is useless against them. You as a user, however, cannot guarantee that a given system salts passwords before hashing them. Adding your own unpredictable characters, while not a panacea, goes a long way toward eliminating the risk of the lookup attacks described in yesterday’s post. One caveat: a suffix like a date (20071001) is not really random. It defeats a lookup of the plain word, but anyone running an offline guessing tool will try word-plus-digits patterns as a matter of course, so the extra characters buy you far more against lookup than against a determined guessing attack.

— Excuse me, my password tastes a bit bland, would please pass the salt? —

Link: Light Blue Touchpaper » Blog Archive » Google as a password cracker.

Just when you think it’s safe to go back into the water… here’s a post I ran across via Slashdot, about using Google as a password cracker.

The Slashdot writer posts "A security researcher at Cambridge, trying to figure out the password used by somebody who had hacked his website, ran a dictionary through the encryption hash function. No dice. Then he pasted the hacker’s encrypted password into Google, and Shazzam — the all-knowing Google delivered his answer. Conclusion? Use no password any other human being is ever likely to use for any purpose, I think."

So let me take a couple of minutes to talk about why this is important, and maybe decrypt (no pun intended) the geek speak.

Ok, so we use passwords to authenticate to systems of all sorts, right? You have ATM PINs, passwords for your email, passwords for your online banking. So how do you know those passwords are secure, and not stored somewhere that someone can get the keys to your kingdom? Well, traditionally it's done like this: the passwords themselves aren’t stored on a typical system, but a "fingerprint" of each password is.

The way this works is through something called a one-way hash function. This is a mathematical formula that produces a fixed-size "serial number" (the digest) from whatever text it is given; the same text always gives the same number, and a different text gives, in practice, a different number. Something like this:

(My Password as Text) -> (Magical Mathematical Hash Formula) -> (Unique Serial Number)

This is important because, as a practical matter, there is no way to work the formula backwards and recover the password text from the number it produces. A 128-bit digest (32 hex characters, like the "serial" numbers above) has about 3.4 × 10^38 possible values, so guessing the digest itself is hopeless. That’s why it’s called a one-way hash function. The catch, as the rest of this post shows, is that an attacker never needs to reverse the formula: the set of passwords people actually choose is tiny by comparison, and running the formula forward over that set is cheap.

Okey dokey, so what does this mean in terms of this article? Well, since the formula itself can’t be reversed, the only way to "guess" your password is to run candidate passwords forward through the same formula and compare the results against the stored "serial" number. Trying every possible combination of characters is called a "brute-force" attack; what attackers do in practice is a "dictionary" attack, which assumes you’re using a weak password: maybe a word in the dictionary, maybe your child’s name, maybe the name of your favorite football team, anything that can be easily guessed. The attacker hashes EVERY WORD on the list (and common variations of it) until one produces the stored serial number, and at that point your password is known.

Going through this process of guessing passwords can take a VERY LONG time (obviously). But what if I had a database of the most commonly occurring "serial" numbers and a cross-reference of the passwords that belong to them, that is, a precomputed lookup table? Well, then I don’t have to try to reverse-engineer the password from the serial number, AND I don’t have to GUESS passwords until I get a hit. I can just look up the "serial" number in the database and voilà! suddenly I have the password.

"Wow," you might say, "that’s got to be a REALLY big database to contain the serial numbers and passwords for EVERY combination of common words, names, and phrases." That’s absolutely true, and who would have a collaborative database THAT large? Enter Google. Google is essentially the "Encyclopedia Galactica" of the ENTIRE Internet web space. If it’s on the web, it’s in Google’s database, including the websites of hackers with this type of published information. The thing that makes Google such a powerful tool for you (presumably the good guys) is the very thing that makes it a powerful tool for the hackers (presumably the bad guys).

This is an interesting point, because the Google database is neutral, it really is, it isn’t "good" or "bad," it’s amoral. And it’s for THAT very reason, that YOUR password security is YOUR responsibility! Just like the FLICKR photos of your drunken adventure from college, Google probably has the serial number for the password you’re using for online banking at Citibank.
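As an added example (this is not code from the original post, nor from the Cambridge article it links), the following Python script demonstrates the three ideas running through this post and the "Update" above: the one-way hash as a fast fingerprint, the precomputed lookup table that makes reversing the hash unnecessary, and the system-side salt plus slow key derivation that defeats the table. It assumes the 32-hex-character "serial" numbers quoted above are MD5 digests (the post never names the algorithm; a 128-bit output is consistent with MD5). The word list and the date-suffix guessing rule are constructed for this example, and the rule goes one step beyond the post by showing that a date appended to a word is cheap to guess offline even though it does defeat a plain lookup.

```python
"""Hash lookup vs. salted, iterated password storage (added example)."""
import datetime
import hashlib
import hmac
import os

# Constructed word list standing in for the millions of words, names and leaked
# passwords that public hash-lookup sites (and Google's index) already hold.
WORDLIST = ["cowboys", "cisco", "altoids", "password", "letmein", "dallas"]

# Work factor for the defence below; tune so one check costs ~100 ms on your hardware.
ITERATIONS = 100_000


def md5_hex(text):
    """The post's 'magical mathematical hash formula': a fast, unsalted MD5 (assumed)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> word once. This is the attacker's cross-reference database."""
    return {md5_hex(w): w for w in words}


def lookup(table, digest_hex):
    """'Crack' by lookup: nothing is reversed, it is just a dictionary get."""
    return table.get(digest_hex.lower())


def crack_with_date_rule(digest_hex, words, year=2007):
    """Offline guessing with a mangling rule: word + YYYYMMDD for every day of `year`.

    About 366 hashes per word, which is why a date suffix is not 'random' to an attacker.
    Returns the matching candidate, or None if the rule never hits.
    """
    target = digest_hex.lower()
    day = datetime.date(year, 1, 1)
    suffixes = []
    while day.year == year:
        suffixes.append(day.strftime("%Y%m%d"))
        day += datetime.timedelta(days=1)
    for w in words:
        for s in suffixes:
            if md5_hex(w + s) == target:
                return w + s
    return None


def hash_password(password, salt=None, iterations=ITERATIONS):
    """System-side defence: fresh random 16-byte salt per password plus a slow KDF.

    Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>' so that the salt
    and work factor travel with the hash; the salt is not secret, only unpredictable.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported stored-hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Returns (word recovered by lookup, salted hashes differ, correct pw verifies, wrong pw rejected)."""
    table = build_lookup_table(WORDLIST)
    # Unsalted MD5: every user who picked "cowboys" has the same digest,
    # and the precomputed table hands the word straight back.
    cracked = lookup(table, md5_hex("cowboys"))
    # Salted + iterated: the same password stored for two users gives two
    # different values, neither of which can be in any precomputed table.
    a = hash_password("cowboys")
    b = hash_password("cowboys")
    return cracked, a != b, verify_password("cowboys", a), verify_password("cowboys1", a)


if __name__ == "__main__":
    print(demo())
    print(crack_with_date_rule(md5_hex("cowboys20071001"), WORDLIST))
```

Running the script shows the lookup recovering "cowboys" from its bare digest, the date rule recovering "cowboys20071001" in a few thousand hashes, and the salted PBKDF2 values differing for the same password while still verifying correctly. The design choice worth noting is that the salt and iteration count are stored in the clear alongside the derived key: their job is to make each stored hash unique and expensive, not to be secret.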

So how do we combat this? Well, there are a couple of things we can do:

First, use reasonably complicated passwords; I won’t go into details here because I don’t want to give anybody any ideas, but using both letters and numbers is key.

Second, use passwords that are the maximum length available, if it’s 10 characters, use 10 characters, if it’s 50, use 50.

Third, change your passwords regularly.

Finally, use different passwords for different systems, this doesn’t eliminate the problem, but if your password is compromised it can help minimize the impact.

I know all of this sounds like a lot of work, but cyber-theft and identity theft are real threats, and you’re really just protecting yourself. Can we eliminate the threat? No, not really, but with some amount of work, and a little diligence, you can minimize the risk.

"The price of freedom is eternal vigilance." -Thomas Jefferson.

Home Depot and Iron Mountain report missing data

Link: Home Depot and Iron Mountain report missing data.

Ok, I was looking into Iron Mountain’s Live Vault online backup service when I ran across this story from

In two separate incidents, home improvement Goliath Home Depot has lost information, including Social Security numbers, on some 10,000 employees when a notebook computer was stolen from the car of a company manager.

Then in a separate incident, data protection megalith Iron Mountain lost a decade’s worth of data from the state of Louisiana, including Social Security numbers, of almost every state college applicant for the last decade.

In both incidents, lax security practices were to blame, including the lack of encryption of the data lost. This brings us to the whole point of this post; with the capacity of media (tapes, disk, USB drives, etc.) becoming almost cavernous, the ability to transport multi-gigabytes of personal information for entire organizations becomes trivial. I personally have a USB drive on my key chain that has a capacity of 16GB.

entire large capacity media presents an enormous security risk for information theft of people and organizations. The need for data encryption of media is critically important. We can no longer rely on information being secure within the organizational perimeter; the simple loss of a laptop, the loss of a USB drive or backup tapes creates an opportunity for theft of identity and loss of

This isn’t about garrisoning the organization either; a full PKI is difficult to manage in most organizations. Pareto was right, and the 80/20 rule goes a long way toward mitigating risk. Solutions for removable media include simple open source applications like TrueCrypt (a great open source tool) that provide 256-bit AES encryption; this application can be used for creating encrypted virtual disks on laptop drives and USB drives. (TrueCrypt development ended in 2014; VeraCrypt is its maintained successor.)

For other types of removable media, tapes and so forth, most backup tools (ArcServe, etc.) provide a means of encrypting tapes.

You can find more information on commercial and open source encryption software at this

Storm worm strikes back at security pros – Network World

Link: Storm worm strikes back at security pros – Network World.

Ok, you saw me post an article earlier that compute cycles on the Storm Worm botnet network appear to be for sale. Now it appears that the Storm Worm network is fighting back against attempts to do reconnaissance on its internal

In an article posted today both on Slashdot and Network World, the worm can “figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them,” notes Network World senior editor and story author Tim Greene.


When I read the story the first time through, I got a cold chill down my spine. It’s not that things like this haven’t happened before, but honestly, this is the first time I’ve seen something as widespread as a malicious botnet retaliating against users. Flashes of Skynet from the Terminator movies and Colossus: The Forbin Project immediately came to mind.

This has more to do with what’s next. Is it possible that we are too clever for our own good? I hate fear mongering, I really do. We look around at the amount of state sponsored terrorism in the world, and yes, don’t be naïve, we do it too; building technological infrastructures such as what we’ve been reading about here is positively