enicaise, Author at Apalala srl

How to detect fake or stolen IDs?

enicaise | 2016-08-11 | Corporate security, Information Security, Social Engineering

Identification is one of the big challenges faced by security managers. It is a challenge when it comes to IT systems but even before that, to identify people. Even with the rise of national electronic identity cards (like eID in Belgium), fake or stolen IDs are still possible.

Even better, you might just make a Google Image search using a picture of an eID (like the one below) and find some other pictures of legitimate ID available on the web (not to say it is a breach of the European Data Privacy regulation).

Sometimes, you might just receive a photograph of an eID or even just an ID card number or National Register number in a registration form or in a job application form. Shall it be for recruitment, background check or customer identification (like de KYC, Know your Customer, process for financial institutions), you might need to check, as much as possible, if the credential you have received are legit or not.

In Belgium, luckily for us, the ministry of interior provides a partial access to its database to validate an ID card number or an national register number. This application, Checkdoc, will just tell you if the number is still valid (No Hit) or if it is outdated or stolen (Hit).

You need to register first before being able to use Checkdoc (https://www.checkdoc.be/) .Also, notice you have to inform your customer or contacts that you will run their information through the database before doing it.

Additionally, you’ll find also pictures of every type of ID card being used at the moment and an explanation of the various security features you can use to spot a fake.

(Updated on 13/08/2016)

At the international level, Interpol provides the same kind of services to airlines operators through its Stolen and Lost Travel Documents (SLTD) database. Although there is plance to extend the access to this service to other industries, it is not the case yet.

Good hunting!

Blockbusters, a new risk to add to our threats’ list?

enicaise | 2016-07-29 | Information Security

On 20th of July, BBC News announced that “Businesses in southern India have given their employees the day off on Friday so they can attend screenings of a new film starring Tamil cinema superstar Rajinikanth“.

According to BBC News, this decision was made because companies where trying “to avoid people calling in sick, turning off their phones or simply failing to turn up for work“.

“Crazy indians” some might say! But, such behaviour already happened in the US or even, at a lesser scale, in Europe when the latest opus of the Star Wars sequel arrived in theaters. Some people where even sleeping in front of some theater to be sure to have their seats. In some places, the 4th of May, the Star Wars Day (“May The 4th be with you”), is also considered has a holiday. Of course, these are anecdotal but, they are growing in importance and frequences.

Although not frequent, likelihood of blockbusters seems to be higher than earthquake or tornados in some countries and a bit lower than flu epidemics. So, the probability of occurence is non neglectable. But, what could be the impact on your business?

Let’s see what the future will be 🙂

Are Red Team exercises close enough to reality?

enicaise | 2016-06-21 | Red team, Security Governance

A red team is a team of highly skilled professional with extended and varied skills (e.g. think about “Mission: Impossible”) acting has the opponents, challenging your plans, your controls, your security governance, your people. As a red team, we must think and behave as the “bad guys”. The goal is to emulate the critical thinking of your “official” security teams. To achieve that, we challenge all the false assumptions that makes you vulnerable. We spot all the weaknesses and find creative ways to exploit the slightest vulnerability. As will any skilled attacker do. (Luckily, they are not all that good)

The question that came to me while discussing a red team exercise with a customer was this one: Are red team exercise close enough to reality?

For sure, we are not as real as the criminal organization targeting you. We could be, as we have the skills, but we have something that makes a huge difference: ethics, rules. A red team as boundaries. Even if we take it to the most realistic level, a red team exercise will never lead us to threaten someone’s family, or its life or even to kill someone. We won’t blow a building to cover our tracks. We won’t release the ultimate virus to wipe all data. Unfortunately, criminals don’t have such boundaries.

Our client told me that the red team was not supposed to use information that would have been provided in confidence. While red teams exercises are often “black hat” exercises (meaning, we start with just a few information on the target), it is never impossible that attackers have an inside knowledge of your organization. Seriously, in real life, there is no rules. If there is enough return on investment, criminal organizations will spend a lot of money to get your crown jewels, lot of time and means. They will use any technique: blackmailing, kidnapping, bribery, infiltration. The colleague next to you could be working for a criminal organization, posing as a good guy, even as a security specialist. How would you know?

The latest incidents reported in the press involving banks or the SWIFT network mentioned takes in tens of millions: 21, 80 or even 120 millions Euro of booty for these heists. Quite a motivation isn’t it? How much will you be ready to invest to get such reward?

Cyber criminality generate approximately a trillion USD every year. 1000 billions! Law enforcements and security firms around the world reports that group of hackers and criminals are now working together to reach bigger targets with higher stakes. Imagine that an organization that get 1/1.000 of the worldwide revenue might have 1 billion USD of money for its operation. That’s a lot of cash. People get killed for less.

So, no, our red team exercises are not as real as they could be but it is likely close enough to achieve its primary goal: challenge your team and organization to make it better. Red team exercises won’t provide assurance nor will it cover all your weaknesses but it will for sure stimulate your teams to achieve their best.