The InfoSec Blog

Online Ad Industry Threatened by Security Issues

Posted by Anton Aylward

http://www.databreachtoday.com/online-ad-industry-threatened-by-security-issues-a-9488

Most people use ad blockers because they're irritated with some of the intrusive ways ads are presented. But there are also compelling security arguments behind ad blockers. By blocking ads, consumers are better insulated against security risks from malvertisements.

The social media site Reddit, which can be a rich traffic source for publishers, warns users of links to content that demand people to disable their ad blockers, including publishers such as Forbes and Wired.

"Warning! Disabling your ad blocker may open you up to malware infections, malicious cookies and can expose you to unwanted tracker networks," Reddit's warning says. "Proceed with caution."

I don't know whether to be glad or worried by this.
It may be considered unsocial of me, but I use adblockers.

UN privacy head slams ‘worse than scary’ UK surveillance bill

Posted by antonaylward

http://www.theregister.co.uk/2015/11/10/un_privacy_head_slams_uk_surveillance_bill/

Two points in this caught my attention.

Cannataci also argued forcefully that mass surveillance was not the way to
handle the threat from terrorism and pointed to a report by the Dutch
intelligence services that argues that point. "To get real terrorists, you have
to go for good old-fashioned infiltration," he argued, wishing that the security
services would spend less money on computers and more on real people who go out
and get real, actionable intelligence on what people are up to. "It's time to be
realistic and actually examine what evidence shows."

Where have I heard that before?
Oh, wait:

If you think technology can solve your security problems, then you don't
understand the problems and you don't understand the technology
-- Bruce Schneier

Essentially what he's saying is summed up by another Schneier quote:

People often represent the weakest link in the security chain and are
chronically responsible for the failure of security systems
-- Bruce Schneier, Secrets and Lies

Some thoughts on the performance of SSD RAID 0 arrays

Posted by Anton Aylward

My Friend Alan Rocker and I often discuss ideas about technology and tradeoffs.  Alan asked about SSDs for Linux:

> I haven't been following hardware developments very closely for a while, so I
> find it hard to judge the arguments. What's important?

Ultimately what's important is the management software, the layer above the drivers, off to one side. That applies regardless of the media and means that the view the applications take of storage is preserved regardless of changes in the physical media.

> The first question is, what areas are currently the bottlenecks and
> constraints, at what orders of magnitude?

The simple answer is 'channels'.

Everything old is new again

Posted by Anton Aylward

http://www.databreachtoday.com/whitepapers/seven-reasons-micro-segmentation-powerful-to-have-painless-to-add-w-2704

What's the saying "Those who forget history are doomed to repeat it over again"?

Weren't we doing this with routers and ... well if not firewalls as such then certainly filtering rules in the routers, way back in the 1980s?

Jon Postel, c. 1994

Jon Postel, c. 1994 (Photo credit: Wikipedia)

I recall attending a luncheon put on by Dell about "Software Defined networking". Basically it was having routers that were 'agile' enough to change routing and implement tactical policy by load, demand and new devices or devices making processing demands.

Again we were doing that in the 1980s. Working with ANS as they cut over the academic internet to the commercial internet with their "CO+RE" pseudo-product. basically it was that they had been supporting the academic internet and were not selling commercial services using the same backbones, trunks and "outlets" (sometimes known as 'point of presence'). This 'policy based routing' was carried out by custom built routers; they were IBM AIX desktop boxes -- the kind I'd used to implement an Oracle based time management/billing system for at Public Works Ottawa a few years earlier, along with some custom built T3 interface cards.

Everybody wants in on ‘Cybersecurity”

Posted by Anton Aylward

Intel Sets McAfee Free ...

http://www.databreachtoday.com/blogs/intel-sets-mcafee-free-p-2244?

... becoming what Intel bills as one of the world's biggest "pure-play cybersecurity companies."

When I graduated the hot topic was then chemistry, mostly organic but anything to do with chemistry was IN. Engineering was considered ho-hum, aviation was in the doldrums especially in Europe, and electronics & computing -- nobody blathered on about 'cybernetics' or 'cybersecurity' in public back then -- held no potential. The future was chemistry.

The Hidden Curriculum of Work

Posted by Anton Aylward

http://www.strategy-business.com/blog/The-Hidden-Curriculum-of-Work

I think part of the problem I have in dealing with the current generation of head-hunters and corporate recruiters is that they focus on the job description, the check-list. They focus on it two ways: the first is demanding it of the hiring managers, who are often ill equipped to write one. Many jobs are not circumscribed, especially in a field like IT which is dynamic and about continuous learning and adaption to changing circumstances. All to often the most valuable question I've been able to ask of a manager in a hiring situation amounts to "what do you need done?".
Their description of the work - the WORK not the JOB - only makes sense in context, a context that another practitioner understands, but someone in HR would hear as the gobbledygook of technology-talk. How can you base a bullet-list Job Description on that? Trying to translate it into a vernacular that allows the HR-droid to ask appraisal questions of candidates that the HR-droid can make sense of removes it from what the work is about.

Which leads to the second point.

Nobody wants to pay for security, including security companies

Posted by Anton Aylward

https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire

In theory, consumers and businesses could punish Symantec for these
oversights by contracting with other security vendors. In practice, there’s
no guarantee that products from other vendors are well-secured,
either
— and there is no clearway to determine how secure a given security
product actually is.

Too many firms take an "appliance" or "product" (aka 'technology") approach to security. There's a saying that's been attributed to many security specialists over the years but is quite true:

If you think technology can solve your security problems,
then you don't understand the problems and you don't
understand the technology.

Its still true today.

Brexit: What’s Next for Privacy, Policing, Surveillance?

Posted by Anton Aylward

http://www.databreachtoday.com/brexit-whats-next-for-privacy-policing-surveillance-a-9225

Now we're getting over the "how could that do THAT!" shock stage and starting to think what the operational, rather than just the financial, implications are.

Cyber risk in the business

Posted by Anton Aylward

https://normanmarks.wordpress.com/2015/06/05/cyber-risk-and-the-boardroom/

The take-away that is relevant :

Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.

Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.

Purpose unclear. Why are the FBI *really* trying to subvert encryption?

Posted by Anton Aylward

Tim cook says Apple will fight a federal order to help the FBI hack an iPhone.  

An earlier version of this page has a paragraph which seems to have been deleted later;

It was not immediately clear what investigators believed they might find on Farook's work phone or why the information would not be available from third-party service providers, such as Google or Facebook, though investigators think the device may hold clues about whom the couple communicated with and where they might have travelled.

Is that "Whom" grammatically correct?

This does raise a 'why' in my mind.
Cant the other service providers (who would it be, AT&T, Verizon?) supply the 'traffic analysis of who they communicated with? Isn't this the sort of "metadata" that the government spies are supposed to be collecting?

Opening the phone won't give the content of the messages past, they are gone like the snows of yesteryear[1]. Dead as the author of that famous quote.

So what are the FBI looking for? The address book? I'm not sure how helpful that will be and its likely to cast suspicion on innocent parties.

We’re mobile addicts but we just don’t want new smartphones

Posted by Anton Aylward

http://www.zdnet.com/article/research-were-mobile-addicts-but-we-just-dont-want-new-smartphones/

For whatever value of "Mobile" is applicable in context, yes.
A lot of what I see is students in the library with their laptops or large tablets_keyboards with paper and books beside. Perhaps if students had the multi-screen displays like the one in the movie "Swordfish" AND there were more books on-line at low cost and multi-access (which isn't how many libraries work, sadly) then the marketers dream of students with ebooks rather than a knapsack of books would happen. As it is, with only one viewer, books and papers are still needed.

The fatal flaw in IT Risk management

Posted by antonaylward

Is interviewing is a much better method that self-certifications and a checklist, if time and resources allow.
Two points:

In the ISO-27001 forum, my friend and colleague Gary Hinson has repeatedly pointed out, and I fully support him in this, that downloading check-lists from the 'Net and adopting question lists from there is using a solution to someone else's
problem. If that.

Each business has both generic problems (governments, sunspots, meteor strikes, floods & other apocalyptic threats and Acts of God) and ones specific to it way of working and configuration. Acts of God are best covered by prayer and insurance.

Gary recommends "open ended questions" during the interview rather than ones that require a yes/no answer. That's good, but I see problems with that. I prefer to ask "Tell me about your job" rather than "Tell me how your job ... can be made more efficient".

My second point is that risk management will *ALWAYS* fail if the risk analysis is inadequate. How much of the RA should be done by interviewing people like the sysadmins I don't know, but I have my doubts. I look to the Challenger Disaster. I started in the aviation business and we refines FMEA - failure Mode Effect Analysis. Some people think of this in terms of "impact", but really its more than that, its also causal analysis. As Les Bell, a friend who is also a pilot and interested in aviation matters has pointed out to me, "Root Cause Analysis" no longer is adequate, failure comes about because of a number of circumstances, and it may not even be a single failure - the 'tree' fans both ways!

Yes, FMEA can't be dome blindly, but failure modes that pertain to the business - which is what really counts -- and the fan-in/out trees can be worked out even without the technical details. Rating the "risk": is what requires the drill-down.

Which gets back to Donn Parker's point in a number of his books, though he never states it this way. The FMEA tree can be heavily pruned using diligence as he says: standards, compliance, contracts, audits, good practices, available products. The only thing he leaves out are Policy and Training. Policy gives direction and is essential to any purpose, the choice of standards and products, and identifying what training is needed.

All in all, the article at https://blog.anitian.com/flawed-it-risk-management/ takes a lot of words to say a few simple concepts.

 

The 11 tiniest, most powerful computers your money can buy

Posted by Anton Aylward

http://www.geek.com/chips/the-11-tiniest-most-powerful-computers-your-money-can-buy-1627324/

I have my doubts about many things and the arguments here and in the comments section loom large.

Yes, I can see that business sees no need for an 'arms race' escalation of desktops once the basics are there. A few people, gamers, developers, might want personal workstations that they can load up with memory and high performance graphics engines, but for the rest of us, its ho-hum. That Intel and AMD are producing chips with more cores, more cache, integrated graphics and more, well Moore's Law applies to transistor density, doesn't it, and they have to do something to soak up all those extra transistors on the chips.

As for smaller packaging, what do these people think smart phones and tablets and watches are?

Gimme a brake!
My phone has more computing power than was used by the Manhattan project to develop the first nuclear bomb.

These are interesting, but the real application of chip density is going to have to be doing other things serving the desktop. its going to be

1. IoT
2. Servers
3. backbone/communications

And for #1 & #3 Windows will become if not an impediment, then irrelevant.
Its possible a very stripped down Linux can serve for #1 & #3, but somewhere along the line I suspect people might wake up and adopt a proper RTOS such as QNX much in the same way that Linux has come to dominate #2. It is, however, possible, the Microsoft will, not that Gates and Balmer are out of the scene, adopt something Linux like or
work with Linux so as to stay relevant in new markets. The Windows tablet isn't the success they hoped for and the buyout of Nokia seemed more to take Nokia out of the market than become an asset for Microsoft to enter the phone market and compete with Apple and Samsung. many big forms that do have lots of Windows workstations are turning to running
SAMBA on Big Iron because (a) its cheaper than a huge array of Windows Servers that present reliability and administrative overhead, and (b) its scalable. Linux isn't the 'rough beast' that Balmer made out and Microsoft's 'center cannot hold' the way it has in the past.

Cyber, Ciber or Syber?

Posted by Anton Aylward

Occasionally, people do ask:

What exactly do you mean by “cyber security”?
Or “cyber” for that matter. Please explain.

"Steersman Security"?

It seems to be one of those Humpty-dumpty words that the media, the government and others use with -- what's the current politically correct phrase to use now when one would, 50 years ago have said 'gay abandon'? -- because its current;y "in"?

I see it used to mean "computer" and "network" in the specific and "computers" and "networks" in the general, as well as specific functions such as e-banking, & other e-commerce, "Big Data", SCADA, POTS and its replacements.

I see it used in place of "Information" in contexts like "information Security" becoming, as above, "Cyber Security". But you don't know that it means that.

Are we here to protect the data? Or just the network? or just the computer?

Until a few years ago "Cyber" still did mean "steersman", even if that was automated rather than a human presence. No-one would call the POTUS a "Cyber-man' in the sense of being a steersman for the republic.

Perhaps we should start a movement to ban the use of "Cyber-" from use by the media.

Perhaps we might try to get some establishments to stop abusing the term.
I doubt very much we could do that with media such as SCMagazine but perhaps we could get the Estate of the Late Norbert Weiner to threaten some high profile entities like the State Department for the mis-use of the term?

 

Another reason to have a policy not to eat at your operations

Posted by antonaylward

I've worked in places where the policy was that you're not allowed to bring a camera in; that was before cell phones, I admit, but I imagine there are places where such is enforced today. My current cell phone doesn't have the resolution of a spy-era Minox, but there are better available, and a phone has a lot more storage and fair bit of image processing power.

Another reason to have a policy not to eat at your desk

Posted by antonaylward

Hackers Can Use Pita Bread to Steal Laptop Encryption Keys, Say Researchers

Embedding such devices in something edible only means it will end up in the stomach of the targeted user. Perhaps that is intentional, but I suspect not.  Better to put the device in the base of the coffee cup.

 

Why Silicon Valley Will Continue to Rule

Posted by Anton Aylward

https://medium.com/backchannel/why-silicon-valley-will-continue-to-rule-c0cbb441e22f

The historical, cultural and economic context described here sums up why
efforts to replicate 'the valley' in other countries, other places,
according to governmental whims, never happens, never works, never will.

People around the world have tried to reproduce Silicon Valley. No one
has succeeded.

And no one will succeed because no place else — including Silicon Valley
itself in its 2015 incarnation — could ever reproduce the unique
concoction of academic research, technology, countercultural ideals and
a California-specific type of Gold Rush reputation that attracts people
with a high tolerance for risk and very little to lose. Partially
through the passage of time, partially through deliberate effort by some
entrepreneurs who tried to “give back” and others who tried to make a
buck, this culture has become self-perpetuating.

See also

http://www.slate.com/articles/technology/the_next_silicon_valley/2013/12/all_the_next_silicon_valleys_a_world_map_of_aspiring_tech_hubs.html

and

http://www.theglobeandmail.com/news/toronto/torontos-transformation-to-silicon-valley-north/article1211610/

 

Tracking kids via microchip ‘can’t be far off,’ says expert

Posted by Anton Aylward

http://www.kens5.com/story/news/2015/05/07/tracking-kids-via-microchip-cant-be-far-off-says-expert/70986060/

Dickerson said she though one day, "I microchip my dog, why couldn't I
microchip my son?"

I think there's something despicable about treating a human being the same way you would treat a dog or your keys.

Its one thing to chip your keys or have one of those devices that when you whistle the keyring goes bleep-bleep to help you find it. I can imagine extending that to people who let their dogs (or cats) roam and need/want to have them in at night. Domesticated pets might not be able to cope with even urban predators such as badgers and grizzly raccoons.
If, that is, the animals aren't smart though to come in when you call them.

But treating a human as you would a dog?

Can We Secure the ‘Internet of Other People’s Things’?

Posted by Anton Aylward

http://www.eweek.com/security/can-we-secure-the-internet-of-other-peoples-things.html

I think that title expresses the problem very well.

There are a few generalizations and 'skating on thin ice' in the article, never the less. Linux itself is not a lightweight OS, though there are stripped down and altered versions, such as Android. Other competing RTOS exist. Some like QNX are much more suited to small embedded devices that don't have a GPU/GUI and comprehensive set of commands/applications.

The reality is that the inherent model of Linux is NOT real-time, it cannot guarantee a real time response that many embedded systems such as TVs and some classes of network devices demand, especially in a small controller, limited CPU, limited memory configuration.

But yes, the Internet has already shown the problems lie with "Other People".

 

Cyber general: US satellite networks hit by ‘millions’

Posted by antonaylward

http://www.forensicmag.com/news/2015/04/cyber-general-us-satellite-networks-hit-millions-hacks

I wonder what they consider to be a hack? The wording in the in the article is loose enough to mean that if someone pinged one of their servers it would be considered a hack. Perhaps they even they count Google spider indexing as a probe into their network. It makes me wonder how many 'real' hack attempts are made and how many succeed. All in it, it sounds like a funding bid!

Marcus Ranum once commented about firewall logging that an umbrella that notified you about every raindrop it repulsed would soon get annoying.I suspect the same thing is going on here. Are these 'repulsed' probes really 'need to know'? Are they worth the rotating rust it takes to store that they happened?

Oh, right, Big Data.

Oh, right, "precursor probes".

Can we live without this?