The InfoSec Blog

This is not the IoT you want.

Posted by Anton Aylward

http://www.cnet.com/products/quirky-outlink/

If I plug in an IDE drive or a SATA drive or a USB drive or device my mobo or system recognizes what it is. The connection protocol tell the mobo or system.

My digital camera uses exif to convey a vast amount of contextual information and imprint it on each photo: date, time, the camera, shutter, aperture, flash. I have GPS in the camera so it can tell the location, elevation. The exif protocol also allows for vendor specific information and is extensible and customizable.

Unless and until we have an 'exif' for IoT its going to be lame and useless.

What is plugged in to that socket? A fan, a PC, a refrigerator, a charger for your cell phone? What's the rating of the device? How is it used? What functions other than on/off can be controlled?

Lame lame lame lame.
Unimaginative.

Tagged as: , , , , 1 Comment

14 antivirus apps found to have security problems

Posted by Anton Aylward

http://www.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die

Let us pass over the "All A are B" illogic in this and consider what we've known all along. AV doesn't really work; it never did.
Signature based AV, the whole "I'm better than you cos I have more signatures in my database" approach to AV and AV marketing that so bedazzled the journalists ("Metrics? You want metrics? We can give you metrics! How many you want? One million? Two million!) is a loosing game. Skip over polymorphism and others.  The boundary between what actually works and what works for marketing blurs.

So then we have the attacks on the 'human firewall' or whatever the buzz-word is that appears in this month's geek-Vogue magazines, whatever the latest fashion is. What's that? Oh right, the malware writers are migrating to Android the industry commentators say. Well they've tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendor driven - yes vendors try convincing Linux and Apple users to buy AV products, just because Linux and MacOS ran on the same chip as Microsoft they were just as vulnerable as Microsoft, and gave up dunning the journalists and advertising when they found that the supposed market wasn't convinced and didn't buy.

That large software production is buggy surprises no-one. There are methods to producing high quality code as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require an discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are drive by 'lines of code per day' metrics, feature driven popularity and the 'first to market' imperatives.

So when I read about, for example, RSA getting hacked by means of social engineering, I'm not surprised. Neither am I surprised when I hear that so many point of sales terminals are, if not already infected, then vulnerable.

But then all too many organization take a 'risk-based' approach that just is not right. The resistance that US firms have had to implementing chi-n-pin credit card technology while the rest of the world had adopted it is an example in point. "It was too expensive" - until it was more expensive not to have implemented it.

 

OpenBSD forks, prunes, fixes OpenSSL

Posted by Anton Aylward

http://www.zdnet.com/openbsd-forks-prunes-fixes-openssl-7000028613/#ftag=RSS86a1aa4

Interesting, eh?

At the very least, this will apply a 'many eyes' to some of the SSL code and so long as the ssh pruning isn't wholesale slash-and-burn that cutting it back may prove efficacious for two reasons.

Less code can be simpler code, with decreased likelihood of there being a bug due to complexity and interaction.

Getting rid of the special cases such as VMS and Windows also reduces the complexity.

POSIX I'm not sure about; in many ways POSIX has become a dinosaur. Quite a number of Linux authors have observed that if you stop being anal about POSIX you can gt code that works and a simple #ifdef can take care of portability. In the 90% case there isn't a lot of divergence between the flavours and in the 99% case the #ifdef can take care of that.

Whether SSH fits into the 90% or the 99% I don't know. The APIs for 'random' and 'crypto' are in the grey areas where implementations differ but also one where POSIX seems to be the most anal and 'lowest common denominator'. I suspect that this is one where the #ifdef route will allow more effective implementations.

We shall see what emerges, but on the whole the BSD team have a reputation for good security practices so I'm hopeful about the quality.

I'd be interested to see their testing approach.

 

Film or digital?

Posted by Anton Aylward

Do you recall Alan Cooper's book "The Inmates are running the Asylum"?

He makes the case that once you put a computer in something it stops being that something and becomes a computer.

Camera + computer => computer

What Applicants Should Ask When Interviewing For An InfoSecurity Position

Posted by Anton Aylward

http://www.informationsecuritybuzz.com/applicants-ask-interviewing-information-security-role/

Well what would you ask?

These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?

We should, I think, be asking about "The Tone At The Top", the organizations attitude towards security and, but what does that mean in terms of interview questions?

My thoughts tend towards Policy and Certification, but them many of my past clients have been financial, so regulatory compliance looms large for them. I'd certainly ask about Policy, how it is formulated, how it is communicated and how it is enforced. That's not as easy as it sounds: most people know what should be done but ask that tactlessly and other than being an opening ("Yes, I can work on that for you") all you've done is embarrassed the interviewer.

So we have a refinement that the article never touched on: this is an interview not an audit.

 

Data on a Train

Posted by Anton Aylward

http://www.informationsecuritybuzz.com/daily-commute-mean-data/

The latest intelligence on Al-Qaeda, a high profile Child Protection
report and plans for policing the London 2012 Olympics; three very
different documents with two things in common: firstly, they all
contained highly confidential information and secondly, they were all
left on a train.

Or maybe "Strangers on a Train"

Our latest research reveals that two thirds of Europe’s office commuters
have no qualms about peering across to see what the person sitting next
to them is working on; and more than one in ten (14 per cent) has
spotted confidential or highly sensitive information.

Most CEOs clueless about cyberattacks

Posted by Anton Aylward

http://www.zdnet.com/most-ceos-clueless-about-cyberattacks-and-their-response-to-incidents-proves-it-7000025396/#%21
Perhaps that's cynical and pessimistic and a headline grabber, but then that's what makes news.

What I’m afraid of is that things like this set a low threshold of expectation, that people will thing they don't need to be better than the herd.

 

 

Tagged as: No Comments

Former Head Of Airport Security: ‘The TSA Couldn’t Save You From

Posted by Anton Aylward

http://www.businessinsider.com/problems-with-tsa-2013-12

Based on the demonstrated persistence of their enemies, I have a lot of respect for what Israeli security achieves.
Back to Verb vs Noun.

His point about baggage claim is interesting. It strikes me that this is the kind of location serious terrorists, that is the ones who worked
in Europe through the last century, might attack: not just dramatic, but shows how ineffectual airport security really is. And what will the TSA do about such an attack? Inconvenience passengers further.

Full article at
http://www.cracked.com/blog/7-reasons-tsa-sucks-a-security-experts-perspective/

Tagged as: , , , , No Comments

Canada’s counter terrorism strategy

Posted by Anton Aylward

https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/trrrst-thrt-cnd/index-eng.aspx

Here in Kanukistaniland, Vic Toews (remember him? Check back to February of last year to see an example of him being idiotic in his role as Minister of Pubic Safety) has published a "2013 Public Report on the Terrorist Threat to Canada"

You can read it at the above URL.
I ask you, would you buy a used Huawei router from someone who looks like that?

The map/infographic has, you will note, a large number of grey areas. There is no legend referring to that colour. Are we to take it that grey means 'zero'? In which case having Indonesia grey is very interesting. Of course China is grey, the authorities will not permit any terrorist activity since that would mean people are acting out grievances against the state. As opposed to, say, foreign cartels that are employing under-age workers, which is against Chinese law.

Do note that in Canada terrorist activity or affiliation is an offence under the CRIMINAL code. Unlike many InfoSec-bad-things.

 

Linux Archive file systems – ext3 vs reiser vs … ?

Posted by Anton Aylward

So what's the best file system to use for archiving and data storage rather than the normal usage?

Won't that depend on ...

a) the nature of the archive files

If this is simply to be a 'mirror' of the regular file system, a 1:1
file mapping then there is no need for some specific optimizations as there would be if, for example, each snapshot were to be a single large file, a TAR or CPIO image say. You then have to look at what you are archiving: small files, large files .... Archiving mail a mbox is going to be different from archiving as maildir. For example the later is going to consume a LOT of inodes and that affects how one would format a ext2, est3 r ext4 file system but not be relevant on a ReiserFS or BtrFS.

b) the demand for retrieval from the archive

This is actually a can of worms. You might not think so at first but I've seen businesses put out of service because their 'backup' indexing was inadequate when the time came to retrieve a specific archive file of a specific date, as oppose to restore the whole backup. You need to be driven by your business methods here and that in turn will determine your indexing and retrieval which will determine your storage format.

Its business drive, not technology driven. Why else would you be archiving?

Now while (b) is pretty much an 'absolute', (a) can end up being flexible. You HAVE to have a clear way of retrieval otherwise your
archive is just a 'junk room' into which your file system overflows.
That (a) can be flexible also means that the optimization curve is not clearly peaked. Why else would you be asking this question? What's the worst situation if you choose ReiserFS rather than extN? The size of the file system? The number of inodes?

But if your indexing broken or inadequate you've got a business problem.

 

On ‘paranoia’ – revisiting “Paid to be paraoid”

Posted by Anton Aylward

My fellow CISSP and author Walter Jon  Williams observed that

Paranoia is not a part of any mindset. It is an illness.

Ah, Walter the literalist!

Yes I agree with what you say but look at it this way

"We're paid to be paranoid" doesn't mean we're ill.
It's a job.

Now if your job is an obsession, one you take home with you and it interferes with your family life, that you can't let go, then its an illness whatever it is.

"We're paid to be paranoid"

Its a job. You don't pay us Information Security Professionals to be pollyannas, to have a relaxed attitude.

The Truth About Best Practices

Posted by Anton Aylward

An article on Linked entitled 'The Truth about Practices" started a discussion thread with some of my colleagues.

The most pertinent comment came from Alan Rocker:

I'm not sure whether to quote "Up the Organisation", ("If you must have a
policy manual, reprint the Ten Commandments"),  or "Catch-22" (about the
nice "tidy bomb pattern" that unfortunately failed to hit the target), in
support of the article.

Industry-wide metrics can nevertheless be useful, though it's fatal to
confuse a speedometer and a motor.

However not everyone in the group agreed with our skepricism and the observations of the autor of the article.
One asked

And Anton aren't the controls you advocate so passionately best practices? >

NOT. Make that *N*O*T*!*!*!  Even allowing for the lowercase!

"Best practices" is an advertising line of self-aggrandization invented by the Big Name Accounting Firms when operating in Consulting Mode.Information Security SWOT Analysis

Confusion over Physical Assets, Information Assets – Part Two

Posted by Anton Aylward

So I need to compile a list of ALL assets, information or otherwise,

NO!
That leads to tables and chairs and powerbars.

OK so you can't work without those, but that's not what I meant.

InfoAssetsPhysical assets are only relevant in so far as they part of information processing. You should not start from those, you should start from the information and look at how the business processes make use of it.  Don't confuse you DR/BC plan with your core ISMS statements.  ISO Standard 22301 addresses that.

This is, ultimately, about the business processes.

Confusion over Physical Assets, Information Assets in ISO-27000

Posted by Anton Aylward

I often explain that Information Security focuses on Information Assets.

Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable  than the hardware which processes it.
   -- Adm. Grace Murray Hopper, USN Ret.

Some people see this as a binary absolute - they think that there's no need to asses the risks to the physical assets or that somehow this is automatically considered when assessing the risk to information.

The thing is there are differing types of information and differing types of containers for them.

Does ISO 27001 compliance need a data leakage prevention policy?

Posted by Anton Aylward

On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the criteria for choosing a Data Loss Prevention mechanism.

The DLP Logo

I get criticised occasionally for long and detailed posts that some readers complain treat them like beginners, but sadly if I don't I get comments such as this in reply

 Anton
  Data Loss is something you prevent; you enforce controls to prevent data
  leakage, DLP can be a programme, but , I find very difficult to support
  with a policy.

Does one have visions of chasing escaping data over the net with a three-ring binder labelled "Policy"?

Let me try again.

Fly Away

Policy comes first.
Without policy giving direction, purpose and justification, supplying the basis for measurement, quality and applicability (never mind issues such as configuration) then you are working on an ad-hoc basis.

What is the goal behind calculating assets in ISO-27000?

Posted by Anton Aylward

My friend and colleague Gary Hinson said about asset valuation in ISO-27000

So, for instance, it’s hard to say exactly how much the HR database
is worth, but it’s a fair bet that it is less valuable to the
organization than the Sales and Marketing database containing
commercial details on customers and prospects. Therefore, it
probably makes commercial sense to put more effort and resources into
securing the S&M database against disclosure incidents, than for the
HR database.

While Gary is 'classically' right, there's a hidden gotcha in all that.

It is *YOU* that are assigning value, it is the value to YOU.
As Donn Parker points out, this may be quite different from the the value system of the attackers. You don't know their values, motivations, tools etc etc etc.

“Paid to be paranoid”

Posted by Anton Aylward

Read the first four paragraphs of this:

http://hollylisle.com/shoes-and-handbags/

Forget the rest, forget that its about 'creative writing', just answer that question.

Bruce Schneier among other, myself included, have asked questions like that. Are you 'paranoid' enough to be in the security business?

Robert Slade

One of my colleagues, Rob Slade  yes *that* Rob Slade when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add but don't forget for him it's a days work and a days pay.

I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes that's the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that its experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is badge that gets you work. Not so. Mind you, locally the recruiters cant seem to tell what makes InfoSec different from IT.  But that's a subject for another time.

And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the 'attack surface'?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the 'recovery mode' (aka: line of retreat)?

If you can't do this, then you shouldn't be in "Security".

Information Gathering and Risk Assessment

Posted by Anton Aylward

On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it all all, the assets, the threats and so forth, and trying to make it into a risk assessment.

It was easy for the more experienced of us to see what he was missing.

He was missing something very important -- a RISK MODEL
The model determines what you look for and how it is relevant.

The #1 Reason Leadership Development Fails

Posted by Anton Aylward

http://www.forbes.com/sites/mikemyatt/2012/12/19/the-1-reason-leadership-development-fails/
Training
I wouldn't have though, based on the title, that I'd be blogging about this, but then again one can get fed up with fed up with purely InfoSec blogs, ranting and raving about technology, techniques and ISO27000 and risk and all that.

But this does relate somewhat to security as awareness training, sort of ...

My problem with training per se is that it presumes the need for indoctrination on systems, processes and techniques. Moreover, training assumes that said systems, processes and techniques are the right way to do things. When a trainer refers to something as “best practices” you can with great certitude rest assured that’s not the case. Training focuses on best practices, while development focuses on next practices. Training is often a rote, one directional, one dimensional, one size fits all, authoritarian process that imposes static, outdated information on people. The majority of training takes place within a monologue (lecture/presentation) rather than a dialog. Perhaps worst of all, training usually occurs within a vacuum driven by past experience, not by future needs.

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.

Image representing XMind as depicted in CrunchBase

Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.