The InfoSec Blog

Former Head Of Airport Security: ‘The TSA Couldn’t Save You From

Posted by Anton Aylward

http://www.businessinsider.com/problems-with-tsa-2013-12

Based on the demonstrated persistence of their enemies, I have a lot of respect for what Israeli security achieves.
Back to Verb vs Noun.

His point about baggage claim is interesting. It strikes me that this is the kind of location serious terrorists, that is the ones who worked
in Europe through the last century, might attack: not just dramatic, but shows how ineffectual airport security really is. And what will the TSA do about such an attack? Inconvenience passengers further.

Full article at
http://www.cracked.com/blog/7-reasons-tsa-sucks-a-security-experts-perspective/

Tagged as: , , , , No Comments

Canada’s counter terrorism strategy

Posted by Anton Aylward

https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/trrrst-thrt-cnd/index-eng.aspx

Here in Kanukistaniland, Vic Toews (remember him? Check back to February of last year to see an example of him being idiotic in his role as Minister of Pubic Safety) has published a "2013 Public Report on the Terrorist Threat to Canada"

You can read it at the above URL.
I ask you, would you buy a used Huawei router from someone who looks like that?

The map/infographic has, you will note, a large number of grey areas. There is no legend referring to that colour. Are we to take it that grey means 'zero'? In which case having Indonesia grey is very interesting. Of course China is grey, the authorities will not permit any terrorist activity since that would mean people are acting out grievances against the state. As opposed to, say, foreign cartels that are employing under-age workers, which is against Chinese law.

Do note that in Canada terrorist activity or affiliation is an offence under the CRIMINAL code. Unlike many InfoSec-bad-things.

 

On ‘paranoia’ – revisiting “Paid to be paraoid”

Posted by Anton Aylward

My fellow CISSP and author Walter Jon  Williams observed that

Paranoia is not a part of any mindset. It is an illness.

Ah, Walter the literalist!

Yes I agree with what you say but look at it this way

"We're paid to be paranoid" doesn't mean we're ill.
It's a job.

Now if your job is an obsession, one you take home with you and it interferes with your family life, that you can't let go, then its an illness whatever it is.

"We're paid to be paranoid"

Its a job. You don't pay us Information Security Professionals to be pollyannas, to have a relaxed attitude.

Learning to Counter Threats – Skills or Ethics?

Posted by Anton Aylward

Fellow CISSP  Cragin Shelton made this very pertinent observation and gave me permission to quote him.

The long thread about the appropriateness of learning how to lie (con, `social engineer,' etc.) by practising lying (conning, `social engineering', etc.) is logically identical to innumerable arguments about whether "good guys" (e.g. cops and security folk) should teach, learn, and practice

  •  writing viruses,
  •  picking locks,
  •   penetrating firewall-protected networks,
  •  cracking safes,
  •  initiating and exploiting buffer overflows, or
  •  engaging in any other practice that is useful to and used by the bad guys.

We can't build defenses unless we fully understand the offenses. University professors teaching how to write viruses have had to explain this problem over and over.

Declaring that learning such techniques is a priori a breach of ethics is short-sighted. This discussion should not be about whether white hats should learn by doing. It should be about how to design and carry out responsible learning experiences and exercises. It should be about developing and promoting the culture of responsible, ethical practice. We need to know why, when, how, and who should learn these skills.

We must not pretend that preventing our white hatted, good guy, ethical, patriotic, well-intentioned protégés from learning these skills will somehow ensure that the unethical, immoral, low breed, teen-vandal, criminal, terrorist crowds will eschew such knowledge.

I have grave reservations about teaching such subjects.

A cautionary tale about the dangers of keeping everything in the Cloud

Posted by Anton Aylward

http://www.brisbanetimes.com.au/digital-life/consumer-security/apple-cloud-burst-how-hacker-wiped-mats-life-20120806-23orv.html

"Once the hacker gained access to Honan's iCloud account, he or she
was
able to reset his password, before sending the confirmation email
to the
trash. Since Honan's Gmail is linked to his .mac email address,
the
hacker was also able to reset his Gmail password by sending a
password
recovery email to his .mac address.

Minutes later, the hacker used iCloud to wipe Honan's iPhone, iPad
and
Macbook Air remotely. Since the hacker had access to his email
accounts,
it was effortless to access Honan's other online accounts
such as Twitter."

Every new technology has people, the pioneers, who buy into the vendors hype ... and pay a price for that.

We should learn from them.

Computer Security

Enhanced by Zemanta

Identity Management in the extreme!

Posted by Anton Aylward

http://www.abcactionnews.com/dpp/news/region_pasco/fantasy-or-criminal-mind-police-find-stash-of-fake-ids-and-uniforms

Investigators say Antigua tried to pass himself off as an Air Force veteran, a member of NASA's Space Shuttle crew, even a doctor complete with hospital ID's and his own medical bag. He also had blue police-style flashing lights for his black Escalade

"We are going to go to whatever lengths that we need to travel to find out, is he really a threat or is he somebody living a very involved fantasy life," said Chief James Steffens.

Taking Cosplay too seriously?

 

Enhanced by Zemanta

An OP-ED by Richard Clarke on China

Posted by Anton Aylward

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html

This is better written than most 'chicken little' pieces, but please can we have 'history' of how most nations, including the USA, have engages in 'industrial espionage'.

I recall a presentation by CSIS that was making the point that Canada's greatest threat on the Industrial Espionage scene was France, and France had been practising Industrial Espionage against the "English Speaking World" for centuries. And he had evidence to back that up from at lest Napoleonic times.

But then don't forget that the "English Speaking World" stole such secrets from China as "Tea":

For centuries, the secret of growing tea was one of China's
most closely-guarded treasures. Along with silk, tea was an
extremely valuable agricultural commodity, prized as a luxury
item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune
dressed as a Chinese man (complete with queue) and set out
to discover the secret of tea-growing. He located the bushes
that produce tea, and stole seedlings that he transported to
British India. China's tea monopoly was broken.

Robert Fortune (1812-1880)

Robert Fortune (1812-1880) (Photo credit: Wikipedia)

Fortune's explorations are detailed in a new book, For All
the Tea in China
, by Sarah Rose. She frames this not
simply as a tale of Victorian exploration, but as early
industrial espionage - which, of course, it was.

I'm not saying this justifies anything, any more that the Opium trade or forcing products from the Industrialized West onto Asian markets, also part of or common historic context, justifies any reprisals.

I'm just saying Context is Everything and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.

Enhanced by Zemanta

Naval War College uses Russian software for iPad course material

Posted by Anton Aylward

http://www.nextgov.com/nextgov/ng_20120305_6368.php

GoodReader

The Navy's premier institution for developing senior strategic and
operational leaders started issuing students Apple iPad tablet
computers equipped with GoodReader software in August 2010,
unaware that the mobile app was developed and maintained by
a Russian company, Good.iWare, until Nextgov reported it in February.

OK so its not news and OK I've posted about this before, but ...

Last week I was reading another report about malware and it stated that most malware yamma yamma yamma had it origins in the USA. No doubt you've seen reports to that effect with different slants.

So the question here is: Why should software produced in the country where there are more evil-minded programmers be superior to software produced in Russia?

Please Realize That Piracy is a Service Problem.

Posted by Anton Aylward

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/

NEW YORK, NY - JANUARY 18:  Protesters demonst...

NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at "service" when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.

Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn't be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There's a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn't cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There's that for every sale. And those are costs that are going up year by year. And if there's a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a 'Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

Its as if the RIAA have it exactly backwards.

So it costs, what, lets say $20 to buy a movie as a DVD.
That's my budget. If I got to the store and found the movie I wanted was $5, then I'd be inclined to buy some more. Maybe at $5 a shot I'd spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn't have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the 'Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews ... you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate.

A stereotypical caricature of a pirate. (Photo credit: Wikipedia)

 

Enhanced by Zemanta

“Cybercrime” is still Crime and “Cyberfraud” is still Fraud

Posted by Anton Aylward

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/lifting-the-veil-on-cybercrime

This says it all:

At the end of the day, cybercriminal activity is not all that different
from more traditional forms of organized crime. Obviously, the way the
crime is perpetrated is new, but the ways in which cybercriminals
operate is not all that different from anything that has gone on before.

Heck, once upon a time there was no telegraph, no "Royal Mail" (or whatever the equivalent in your state/nation). But when those came along they offered new opportunities for fraud. Most places have laws in place again fraud perpetrated by mail or telegraph and telegraph
includes the telephone.

And this is where I get to wonder at how our politicians work, the knee-jerk "something must be done NOW" attitude.

Here in Canada we have a criminal code. It covers fraud. We don't need new laws to deal with cybercrime because the ways our laws are written they are general and not reductionist. They specify the crime, not the technology used.

I get the impression that in the USA (and possibly other places) its the other way round. That's why they need lots of new laws to address every fine-grained detail as the technology advances. Personally I don't think this is a good way of working since it piles laws upon laws.

In science we was that in astronomy before Newton. The classical "Ptolemaic" system piled epicycles upon epicycles as corrections because the underlying model based on a geocentric approach and the idea of 'perfect spheres' was fundamentally flawed. Piling human laws upon human laws to deal with special cases of what is really a general
situation is no less flawed in approach.

Cover of "Paper Moon"

Fraud is fraud is fraud. It doesn't matter if its perpetrated by a hustler in person as in the scenes in "Paper Moon", by mail, over the phone or using the Internet. Fraud is fraud is fraud.

We don't need new laws; we just need a better understanding of how criminals use technology. We perhaps we security droids don't, perhaps the public, the police, the legislators and the managers of the firms and organizations impacted by such criminals need that understanding.

But that's not what detailed, reductionist legislation is going to achieve, is it?

 

Enhanced by Zemanta

Doubts about “Defense in Depth”

Posted by Anton Aylward

 So to have great (subjective) protection your layered protection and controls have to be "bubbled" as opposed to linear (to slow down or impede a  direct attack).

I have doubts about "defence in depth" analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: its "ablation": that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2).  They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you "go around it" the defence isn't a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we've seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form.  What's needed is more like an all-enclosing "bubble" rather than something linear with the 'defence in depth' model.  But that gets back to the problem of the perimeter.

Many wifi enabled devices are really "spies inside the defensive perimeter".

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them.  No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public -- its form of showing that "its doing something".

But how can we tell? The reality is that "security specialists" are finding errors - never mind deliberately malicious code - in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find "errors" that allow subversion in mainstream IT deceives like home wifi routers (aka the next generation of spambots), home PC software (that's a no-brainer isn't it!) never mind commercial databases.

I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

Warning – they are out to get you.

Posted by Anton Aylward

McAfee has released a new study on malware in cars:
http://www.mcafee.com/autoreport

Now you may think that this is scaremongering on the part of McAfee because their traditional market is drying up. Not so, this is actually a threat we have been aware of or nearly half a century:

http://www.amazon.com/four-weekend-Belmont-Science-Fiction/dp/B0007FCDJY/ref=sr_1_8?s=books&ie=UTF8&qid=1315499979&sr=1-8

 

His Bipolar made him do it

Posted by antonaylward

http://compliancesearch.com/compliancex/current-affairs/his-bipolar-made-him-do-it/

An accused hedge fund fraudster’s mother is showing support, by claiming her son is not to blame for defrauding investors out of over $2.3 million, its his bipolar’s fault.

Well, its better than "The Dog Ate My Homework".

Keep taking the tablets, Mr Klatch!

 

Sony backs U.S. ineffective cybersecurity legislation

Posted by Anton Aylward

Magic Link

Image via Wikipedia

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

"If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone," the Sony executive said.

"By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all," he said.

To people like us, IT Audit and InfoSec types, 'control' come in 3 forms

  • preventative
  • detective
  • compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

Enhanced by Zemanta

A large scale failure of information security

Posted by Anton Aylward

http://www.informationweek.com/news/security/attacks/231000472

Does LulzSec's nonstop hacking campaign, and apparent success at taking
down everyone from Sony to the U.S. Senate, point to fundamental flaws
in website security? "One of the assertions made by the recent run of
high profile attacks was that all networks are vulnerable, and the
groups behind these attacks either had or could have access to many more
systems if they wish," said the SANS Technology Institute's Johannes B.
Ullrich in a blog post. "I would like to question the conclusion that
recent attacks prove that all networks are vulnerable, as well as the
successful attacks [prove] a large scale failure of information security."

I think this so misses the point.
Everybody, every site, very business, every government *is* vulnerable to something, somewhere, sometime.

I'm reminded of the IRA's statement to Margaret Thatcher:

We only need to be lucky once.
You need to be lucky every time.

Times change. New exploits are uncovered. Every patch and upgrade may - will? - introduce a new vulnerability. Changes in staff; changes in configuration and facilities. Changes, changes, changes.

If you think you can secure your system once and be done then you are, at best, fooling yourself, and more realistically acting in a socially irresponsible manner. We are forever lagging behind, and the evidence is that we are lagging further and further behind.

The fact that so many sites are vulnerable, that even PCI:DSS "certified" sites get hacked, and more, *DOES* at least _demonstrate_ "a large scale failure of information security".

Filed under: Crime, Failures, Risk No Comments

Risk due to network administrators

Posted by Anton Aylward

Someone on a forum I subscribe to suggested that there is a major risk of network administrators misusing their privileges. Why admins rather than CFOs, CEO or other staff, I don't know.

"Major"?
As in often?
As in large impact that stops the business operating?

If its that bad why not just get rid of them?
Its probably easier to automate their job than that of the CFO.

I've written here and elsewhere that many people from a technical background don't understand 'risk'. Not only do businessmen view risk differently, but risk only occurs when you have something that may offer an advantage - else why would you be doing it?

The limiting case is gambling at a casino or playing . You be against odds because because you might win. Business take business risks because they can make a profit.

But in gambling and business you can only loose as much as you bet, and you have a pretty good idea of the odds - in a casino you know them for sure. In InfoSec we don't know the odds (except when they are a certainty, like SPAM or Viruses).

So think in business terms.
Companies employ system and network administrators.
Big deal.
They also employ accountants and CFOs.
Who do you think could cause more harm to the business?
A network admin reading other people's mail or a CFO that defrauds the company by writing phony cheques?

So if a network admin is a "major" threat because of what he _might_ do, *if* you employ a scum-bag and *fail* to do a background check or get him pizzed off, then what grade of threat do you think a similar CFO rates?

Context, I keep telling you, is Everything.

Cell phone risks

Posted by Anton Aylward

ISRAELI-GAZA BORDER, ISRAEL - JANUARY 07: An I...
Image by Getty Images via @daylife

I hope somebody's thinking seriously about the implications of this:

http://www.theregister.co.uk/2010/12/14/us_army_smartphones_4_all/

Israel has already seen some consequences of soldiers with cellphones.

Here in Toronto we have a law against driving and using a hand-held cell phone. I note that researchers are reporting that even hands-free pones are distracting enough to be a major risk. never the less, I have stood back fro the kerb at an uptown intersection and seen drivers turn against the lights and narrowly miss pedestrians because they were on the phone. The drivers, that is.  (I'm still on the look out for pedestrians using phones and being oblivious to their surroundings causing accidents.)  Perhaps I need to use my own phone and make videos of this and upload the to YouTube :-)

So I'm very cynical about the use of distracting technology in the battlefield. Use of the smartphones 'in barracks' is one thing; using them in the field is another.

There seems to be a big mental hole here.
The idea of a coms system that has a central control or the cell/tower model is inherently vulnerable; no less so than GPS if you think about it, and probably more so; you don't need a rocket launch and EMP capability to take out cell phone towers and the phone system.

But the kind of Wifi system that allows the nodes to mesh and forward and heal (WiMax) is just the kind of thing the cell phone companies don't want.

WiMax - http://www.open-mesh.com/ - may assume an internet backbone
connecting the various meshes, but in a battlefield scenario the local mesh would be adequate. Its simply uses different "smartphones" and software. Maybe there is a back haul WAN, maybe it can download satellite or surveillance images or the front-line commanders.

But OTS cellphones ... I can see too many high risk scenarios in a military setting.

Enhanced by Zemanta
Tagged as: No Comments

White House Cyber Czar: ‘There Is No Cyberwar’

Posted by Anton Aylward

Thank you Howard! This has long needed to be said by someone in authority!

Yes, crime and espionage will cripple us all economically.
We won't see enemy troops occupying our land.
(We might see the same result from 'enhanced homeland security': troops and law enforcement on every corner checking papers, breaking down your front door at 3am and other Stasi SS-Sto�truppen tactics. But that's another matter, and when it happens you know not only have the
Terrorists have won, but your own government is the main source of Terror..)

Howard Schmidt, the new cybersecurity czar for the Obama administration,
has a short answer for the drumbeat of rhetoric claiming the United
States is caught up in a cyberwar that it is losing.

"There is no cyberwar," Schmidt told Wired.com in a sit-down interview
Wednesday at the RSA Security Conference in San Francisco.

"I think that is a terrible metaphor and I think that is a terrible
concept," Schmidt said. "There are no winners in that environment."

Instead, Schmidt said the government needs to focus its cybersecurity
efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of
national intelligence who made headlines last week when he testified to
Congress that the country was already in the midst of a cyberwar -- and
was losing it.

Reblog this post [with Zemanta]

The FBI risk equation

Posted by Anton Aylward

It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:

risk = threat x vulnerability x consequence

rather than solely focusing on threat vectors and actors.

To be honest, I sometimes wonder why people obsess about threat vectors in the first place.  There seems to be a beleive that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.

Look at it this way: what do you have control over?

Why do you think that people like auditors refer to the protective and detective mechanisms as "controls"?

Yes, if you're a 600,000 lb gorilla like Microsoft you can take down one - insignificant - botnet, but the rest of us don't have control over the  threat vectors and threat actors.

What do we have control over?

Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the the "vulnerability surface" such as partitioning our networks, restricting access, not exposing more than is absolutely necessary to the Internet (why oh why is your SqlServer visible to the net, why isn't it behind the web server, which in turn is behind a firewall).

Asset to a large extent. Document them. Identify who should be using them and implement IAM.

And very import: we have control over RESPONSE.

Did the FBI equation mention response? I suppose you could say that 'awareness' is a part of a response package. Personally I think that response is a very, very important part of this equation, and its the one you have MOST control over.

And response is - or should be - totally independent of the threats
since it focuses on preserving and recovering the assets.

I think they have it very, very confused and this isn't the most productive, most effective way of going about it.  But then the FBI's view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.

But lest face it, most corporations and are not in the business of policing.  neither are home users.

Which is why I focus on the issue of "what you have control over".

Enhanced by Zemanta

The wedge gets thicker

Posted by Anton Aylward

http://news.cnet.com/8301-1009_3-10405824-83.html
http://news.zdnet.co.uk/communications/0,1000000085,39909136,00.htm
http://community.zdnet.co.uk/blog/0,1000000567,10014530o-2000331761b,00.htm

The thin edge of the wedge was when pubs were fined or letting patrons get drunk, drunk enough that they shouldn't drive.

Now that wedge is being driven further.