The InfoSec Blog

You do do backups don’t you?  Backups to DVD is easy, but what software to use?

Why not simply k3b ?

But if it some down to it, there’s a decision tree you can and should work though.

• Do you want the DVD backup ‘mountable’?
  If it is then you can see each file and selectively restore using the normal file management tools (cp, rsync etc)
  If you use some sort of ‘dump’ format (tar, cpio, zip or proprietary) then you will need the corresponding tool to access the backup

My choice, based upon both K.I.S.S. and bitter experience is to go with the mountable.

• - How are you ‘snapshoting’ your files?
  If you are backing up a live system[1] then there is the risk that the backup is out of phase with itself as files get changed during the time it takes to make the backup.

My solution to this is to use the snapshot mechanism of LVM.

• - How are you managing the backup archives?
  Do you need a specific dated version of a file or directory?
  Would a VCS be more appropriate than a backup system?

Sometimes you need both. I maintain changes to config (mainly in /etc/) with a VCS – AND take periodic snapshots.

• Ultimately its not about making backups, even if that seems to be the
  most of the work, but the ability to restore.

A client found it easier to take whole image backups but once when having to restore a single file there was a finger-slip and he restored the complete machine state of three years previously, loosing all that days work plus the next day when the machine was out of service being restored to the last (previous) backup. The moral here is that your RESTORE strategy, as determined by your normal business functions and NOT by the convenience of the IT department, should determine your backup strategy.

• - How “automated” do you want this backup to be?
  Sometimes you’ll find the automation tail wags the normal operation dog.

My use of K3B means I do disk-to-disk-to-DVD. (Using LVM’s snapshots)
It also means I structure my file systems so that they can be imaged onto a DVD. It means I can retrieve single files or mount the DVD and use it in place of the file system. It also means that I can create arbitrary backups, cherry-picking the files and folders to backup.

I realise this is going to be inappropriate for many sites and business functions.

This is why I STRONGLY suggest that instead of simply asking for suggestions you work through what are the key, the critical and the nice-to-have features of your backup AND RESTORE functionality.

Any package you might choose is going to have constraints and assumptions about The Way Things Are. You need to be aware of those and need to consider if they fit in with The Way You Work. A backup system that works well for a data center of ISP might be totally inappropriate and troublesome for a SMB.

[1] Once upon a long time ago systems were shutdown or all jobs
suspended for the backup. This has disrupted projects for me a number
of times.

 So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a  direct attack).

I have doubts about “defence in depth” analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: its “ablation”: that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2).  They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you “go around it” the defence isn’t a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we’ve seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form.  What’s needed is more like an all-enclosing “bubble” rather than something linear with the ‘defence in depth’ model.  But that gets back to the problem of the perimeter.

Many wifi enabled devices are really “spies inside the defensive perimeter”.

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them.  No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public — its form of showing that “its doing something”.

But how can we tell? The reality is that “security specialists” are finding errors – never mind deliberately malicious code – in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find “errors” that allow subversion in mainstream IT deceives
like home wifi routers (aka the next generation of spambots), home PC software (that’s a no-brainer isn’t it!) never mind commercial databases.

I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

The hack to make the HP printers burn was interesting, but lets face it, a printer today is a  special purpose computer and a computer almost always has a flaw which can be exploited.
In his book on UI design “The Inmates are Running the Asylum”, Alan Cooper makes the point that just about everything these days, cameras, cars, phones, hearing aids, pacemakers, aircraft, traffic lights … have computers  running them and so what we interface with is the computer not the natural mechanics of the device any more.

Applying this observation makes this a very scary world. More like Skynet in the Terminator movies now that cars have Navi*Star and that in some countries the SmartStreets traffic systems have the traffic lights telling each other about their traffic flow. Cameras already have wifi so they can upload to the ‘Net-of-a-Thousand-Lies.

Some printers have many more functions; some being fax, repro, and scanning as well as printing a document.   And look at firewalls. Look at all the additional functions being
poured into them because of the “excess computing facility” – DNS, Squid-like caching, authentication …

I recently bought a LinkSys for VoIP, and got the simplest one I could find. I saw models that were also wifi routers, printer servers and more all bundled onto the “gateway” with the “firewall” function. And the firewall was a lot less capable than in my old SMC Barricade-9 home router.

I’m dreading what the home market will have come IP6

I recall the Chinese curse: yes we live in “interesting security issue” times!

But in the long run of things the HP Printer Hack isn’t that serious.   After all, how many printers are exposed to the Internet.    We have to ask “how likely is that?”.
Too many places (and people) put undue emphasis on Risk Analysis and ask “show me the numbers” questions. As if everyone who has been hacked (a) even knows abut it and (b) is willing to admit to the details.

No, I agree with Donn Parker; there are many things we can do that are in the realm of “common sense” once you get to stop and think about it. Many protective controls are “umbrellas”, that its about how you configure your already paid-for-and-installed (you did install it, didn’t you, its not sitting in the box in the wiring closet) firewall; by spending the money you would have spent anyway for the model that has better control/protection — you do this with your car: air-bags, ABS and so on so why not with IT equipment? The “Baseline” is more often about proper decisions and proper configuration than “throwing money at it” the way governments and government agencies do.

McAfee has released a new study on malware in cars:
http://www.mcafee.com/autoreport

Now you may think that this is scaremongering on the part of McAfee because their traditional market is drying up. Not so, this is actually a threat we have been aware of or nearly half a century:

http://www.amazon.com/four-weekend-Belmont-Science-Fiction/dp/B0007FCDJY/ref=sr_1_8?s=books&ie=UTF8&qid=1315499979&sr=1-8

he documentation required and/or needed by ISO-2700x is a perenial source of dispute in the various forums I subscribe to.

Of course management has to define matters such as scope and applicability and the policies, but how much of the detail of getting there needs to be recorded?  How much of the justification for the decisions?

Yes, you could have reviews and summaries of all meetings and email exchanges ..

But that is not and has nothing to do with the standard or its requirements.

The standard does NOT require a management review meeting.
Read the rest of this entry »

Read the rest of this entry »

I keep telling everybody that TV is injurious to your (mental) health, but does anyone listen?

Why should they?
They didn’t when Gerry Mander presented his Four Arguments for the Elimination of Television, and he was in a position to know. Read the rest of this entry »

http://compliancesearch.com/compliancex/current-affairs/his-bipolar-made-him-do-it/

An accused hedge fund fraudster’s mother is showing support, by claiming her son is not to blame for defrauding investors out of over $2.3 million, its his bipolar’s fault.

Well, its better than “The Dog Ate My Homework”.

Keep taking the tablets, Mr Klatch!

Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a dis-service to those affected. The classical risk equation is another example of this;  summing, summing many hundreds of fluctuating variables to one figure.

Perhaps the saddest expression of this kind of approach to numerology is the stock market. We accept that the bulk of the economy is based on small companies but the stock exchanges have their “Top 100″ or “Top 50″ which are all large companies. Perhaps they do have an effect on the economy the same way that herd of elephants might, but the biomass of this planet is mostly made up, like our economy, of small things.

Treating big things like small things leads to another flaw in the ALE model.  (which is in turn  part of the fallacy of quantitative risk assessment)

The financial loss of internet fraud is non-trivial but not exactly bleeding us to death. Life goes on anyway and we work around it. But it adds up. Extrapolated over a couple of hundred years it would have the same financial value as a World Killer Asteroid Impact that wiped out all of human civilization. (And most of human life.)

A ridiculously dramatic example, yes, but this kind of reduction to a one-dimensional scale such as “dollar value” leads to such absurdities. Judges in court cases often put dollar values on human life. What value would you put on your child’s ?

We know, based on past statistics, the probability that a US president will be assassinated. (Four in 200+ years; more if you allow for failed attempts). With that probability we can calculate the ALE and hence what the presidential guard cost should be capped at.

Right? NO! Read the rest of this entry »

http://www.schneier.com/blog/archives/2010/08/hacking_cars_th.html

A few alarming things here.
More nanny State :

In other words, the nanny state is forcing upon us expensive and insecure systems that aren’t as effective as a human being just doing what he’s supposed to, but we should just think of the children we’re “protecting” with this misguided effort.

Never mind the basic Orwellian aspects.

But the basic problem is the knee-jerk reaction of Congress combined with lack of understanding of science and technology and legislation that, by specifying method rather than objectives, plays, misguidedly, into the hands of one vendor.

They did this with emission control.
The Japanese could beat the original standard by engine design.
The did this with the old Honda CVXX.
GM wasn’t worried, they said it was a technique only for small engine cars. The Honda did it for larger engines. At the time GM had cornered the market in platinum, so they got Congress to write the law specifying the HOW in their favour. Of course that advantage no longer exists, but we still have the expense of the platinum ‘converters’.

Now we have more expense.

TPMS became mandatory because of public backlash after the Firestone/Ford Explorer debacle. The public saw cars flipping over on TV and called up Congress and demanded
that they “do something!”

http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html

• Its not a camera, its computer that takes pictures
• Its not a car, its a computer that gets you from place to place
• Its not a watch, its a computer that tells you the time
• Its not a radio, tv, hi-fi, phone …. its a computer

Would you buy a computer from a company like this?

http://news.consumerreports.org/electronics/2011/05/data-security-expert-sony-knew-it-was-using-obsolete-software-months-in-advance.html

Image via Wikipedia

Via a LinkedIn posting in the Infosecurity magazine forum titled
“Internet Threats Posed By Mobile Devices: How Can We Prevent Them?”
I came to

http://www.mxsweep.com/blog/bid/65075/Internet-Threats-Posed-By-Mobile-Devices-How-Can-We-Prevent-Them

OUCH OUCH OUCH!

The mobile devices don’t pose threats.
The mobile devices represent risks.

Threats are external. They are not under your control.

The article title is clearly confusing THREATS with RISKS.

There are aspects of risks which ARE under your control.
You can control how EXPOSED you are to threats and how they will IMPACT you – or more specifically your assets. In this case the mobile devices.

You can’t prevent threats, you can only mitigate their IMPACT.
You can instigate preventive measures.

Mobile devices and the data on them are ASSETS, not threats.

Correct terminology leads to correct thinking.
Eliminating misunderstanding and confusion leads to effective results.

Related articles

• The threat facing Android (Hint: It’s not Apple) – Fortune Tech (tech.fortune.cnn.com)
• Mobile threats increased during first half of 2011 (preternaturalpost.com)
• 5 Ways To Fight Mobile Malware (informationweek.com)
• Malware risk on Android devices growing, report says (sfgate.com)
• Mobile Device Security: Questions to Ask for Creating Policy (pcworld.com)
• Mobile app malware menace grows (go.theregister.com)
• Securing Mobile Devices (enhancedtech.wordpress.com)
• Cyber criminals targeting mobile devices (premierlinedirect.co.uk)

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed, poor credit rating among them, lack of availability for investments. Read the rest of this entry »

Image via Wikipedia

I was at a presentation yesterday.
One of the vendor’s speakers, I’m sorry to say, was a CISSP.

OK, he wasn’t Ian Paisley or any other radical religious zealot.

BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company’s products) and be SAVED by following the One True Faith (only buying his company’s products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day’s event also had some good speakers. It had some straight forward and ‘humble’ people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did.  All without the drama, all without the hectoring or intimidation.

Related articles

• Ian Paisley jnr: My views on gays have matured (politics.ie)
• A Paisley Affair (modedimitri.wordpress.com)
• The City: Belfast (newsweek.com)

Some people seem to be making life difficult for themselves with risk models such as “Impact * Probability” and as such have lead themselves into all manner of imponderable … since this model hides essential details.

I discuss the CLASSICAL risk equation in my blog
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/

There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using “impact”.

Any asset is going to be affected by many

• threats
• vulnerabilities
• controls

Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.

Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.

As such, the CLASSICAL risk equation can then be viewed as addressing residual risk – the probability AFTER applying the controls. Read the rest of this entry »

Image via Wikipedia

Sometimes I wonder why we bother …

The Securities and Exchange Commission doesn’t just enforce the rules
that govern Wall Street. When asked, it often grants individual
companies exemptions from the rules.

Related articles

• Recently Updated “Securities Law Deskbook” – A Resource to Help Achieve Compliance and Avoid Regulatory Problems, From Bradford Publishing Co. (prweb.com)
• SEC: Bigger potential payouts for whistleblowers (marketwatch.com)
• LATEST FEATURE: Compliance: A hybrid marital troika? (ecmplus.wordpress.com)

Image via Wikipedia

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all,” he said.

To people like us, IT Audit and InfoSec types, ‘control‘ come in 3 forms

• preventative
• detective
• compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

Related articles

• Sony backs U.S. cybersecurity legislation (canada.com)
• DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
• Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
• Obama to Introduce Cybersecurity Proposal (circleid.com)
• White House to unveil cybersecurity proposal (theglobeandmail.com)
• What do we need to do to reach “cybersecurity awareness”? (nakedsecurity.sophos.com)
• White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
• Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)

http://www.informationweek.com/news/security/attacks/231000472

Does LulzSec’s nonstop hacking campaign, and apparent success at taking
down everyone from Sony to the U.S. Senate, point to fundamental flaws
in website security? “One of the assertions made by the recent run of
high profile attacks was that all networks are vulnerable, and the
groups behind these attacks either had or could have access to many more
systems if they wish,” said the SANS Technology Institute’s Johannes B.
Ullrich in a blog post. “I would like to question the conclusion that
recent attacks prove that all networks are vulnerable, as well as the
successful attacks [prove] a large scale failure of information security.”

I think this so misses the point.
Everybody, every site, very business, every government *is* vulnerable to something, somewhere, sometime.

I’m reminded of the IRA’s statement to Margaret Thatcher:

We only need to be lucky once.
You need to be lucky every time.

Times change. New exploits are uncovered. Every patch and upgrade may – will? – introduce a new vulnerability. Changes in staff; changes in configuration and facilities. Changes, changes, changes.

If you think you can secure your system once and be done then you are, at best, fooling yourself, and more realistically acting in a socially irresponsible manner. We are forever lagging behind, and the evidence is that we are lagging further and further behind.

The fact that so many sites are vulnerable, that even PCI:DSS “certified” sites get hacked, and more, *DOES* at least _demonstrate_ “a large scale failure of information security“.

In case you’re not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 – The Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/

There’s an interesting segue to this at
https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html

Skip over his ranting about the definition of “hackers”

This is the meat:

Wewrote the OSSTMM 3 to address these things. We knew that penetration

OSSTMM Logo

testing the way it continued to be marginalized would eventually hurt
security. Yes, the OSSTMM isn’t practical for some because it doesn’t
match the commercial industry security of today. But that’s because the
security model today is crazy! And you don’t test crazy with tests
designed to prove crazy. So any penetration testing standard, baseline,
framework, or methodology that focuses on finding and exploiting
vulnerabilities is only perpetuating the one-trick pony problem.
Furthermore it’s also perpetuating security through patchity, a process
that’s so labor intensive to assure homeostasis that nobody could
maintain it indefinitely which is the exact definition of a loser in the
cat and mouse game. So you can be sure it also doesn’t scale at all with
complexity or size.

I’ve been outspoken against Pen Testing for many years, to my clients, at conferences and in my Blog. I’m sure I’ve upset many people but I do believe that the model plays up to the Hollywood idea of a Uberhacker,
produces a whack-a-mole attitude and is a an example of avoidance behaviour, avoiding proper testing and risk management such as incident response good facilities management.

I’ve seen to many “pen testers’ and demos of pen testing that are just plain … STUPID.  Unprofessional, unreasonable and pandering to the ignorance of managers.

In the long run the “drama-response” of the classical pen-test approach is unproductive. It teaches management the wrong thing – to respond to drama rather than to set up a good system of governance based on policy, professional staffing, adequate funding and operations based on accepted good principles such as change management.

And worse, it

• shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
• has no guarantees about what collateral damage the outsider had to do to gain root
• says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
• indicates that your management doesn’t understand or make use of a proper development-test-deployment life-cycle

Yes, classical hacker-driven pen testing is more dramatic, in the same way that Hollywood movies are more dramatic. And about as realistic!

“Crazy” is a good description of that approach. Read the rest of this entry »

http://www.zdnet.com/blog/apple/congressman-blames-us-unemployment-crisis-on-ipad/9968?tag=nl.e539

In it U.S. Representative Jesse Jackson Jr (D-IL) blasts Apple and Steve
Jobs claiming that the iPad is responsible for killing thousands of
American jobs.

Image by Socialdemokrater via Flickr

In the rambling manifesto Jackson claims that the iPad is to blame
because it enables anyone to easily download books and newspapers. Thus
everyone who works at bookstores (i.e. Borders) or the publishing
industry will lose their jobs to workers making iPads in China.

Over the top?

Well, he is a politician.

However, there is this:

Yet, last week, the president met with eight CEOs such as the heads of
Xerox and American Express to ask what he could do that would give them
confidence to invest in the United States. But these are precisely the
wrong people with whom to consult and the question is precisely the
wrong question. They are the wrong people because they have benefited
enormously from offshoring and from the distortions built into the
global system. Their interest is not the same as that of the United
States but rather that of their shareholders and, in some cases, of the
authoritarian governments of the countries to which they have moved much
of the production capacity. The question is wrong because rather than
trying to bribe them the president should, a la The Godfather, be making
them “offers they can’t refuse.”

In South Carolina, Governor Perry emphasized that he would make
Washington disappear from the lives of the people in his audience. That
did not strike me as the comment of a person using all his power to find
jobs.

But think about it for just a moment. There will be no more significant
fiscal stimulus for the economy. The emphasis is all on debt reduction,
cutting expenditures, and retrenching. Not only will the federal
government be cutting back, but the state and municipal governments are
already slashing and burning. All of this will result in further job
reduction, less consumer spending, and declining stimulus which in turn
will lead to reluctance on the part of business to invest. In these
circumstances, the only possible source of jobs is a reduction of the
trade deficit.

He or she who wakes up to this fact first is likely to be the next president.

That’s my emphasis in red.

These executives are responsible to the shareholders, though the board.  If the economic climate and system of taxation – that is the employment costs, make it favourable to employ foreign workers rather than American workers than that is what these people will do.  If they do otherwise then they are clearly not acting in the best interests of their corporations and will be dismissed and replaced by someone who will.   This is basic corporate economics, and any politician who fails to recognise it may popular for crowing about “America First” but is displaying woeful ignorance.

The other way to look at it is that US workers have priced themselves out of the market.

Image via Wikipedia

A people that values its privileges above its principles soon loses both.
– Dwight D. Eisenhower, Inaugural Address, January 20, 1953

Related articles

• The Biggest Problem With iPads (tomrippon.wordpress.com)
• The first restaurant to rely completely on iPads in New York City (thenextweb.com)
• Controversial Congressman Plays Outsized Role In 2012 Race (huffingtonpost.com)