The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

November 30th, 2011

Doubts about “Defense in Depth”

So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a direct attack).

I have doubts about “defence in depth” analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: it’s “ablation”: that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2). They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you “go around it” the defence isn’t a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we’ve seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas: they assume that the attack is coming from a particular direction in a particular form. What’s needed is more like an all-enclosing “bubble” rather than something linear with the ‘defence in depth’ model. But that gets back to the problem of the perimeter.

Many wifi enabled devices are really “spies inside the defensive perimeter”.

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them. No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public — its form of showing that “it’s doing something”.

But how can we tell? The reality is that “security specialists” are finding errors – never mind deliberately malicious code – in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find “errors” that allow subversion in mainstream IT devices like home wifi routers (aka the next generation of spambots), home PC software (that’s a no-brainer isn’t it!), never mind commercial databases?

I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

September 8th, 2011

Warning – they are out to get you.

McAfee has released a new study on malware in cars:
http://www.mcafee.com/autoreport

Now you may think that this is scaremongering on the part of McAfee because their traditional market is drying up. Not so, this is actually a threat we have been aware of for nearly half a century:

http://www.amazon.com/four-weekend-Belmont-Science-Fiction/dp/B0007FCDJY/ref=sr_1_8?s=books&ie=UTF8&qid=1315499979&sr=1-8

August 9th, 2011

His Bipolar made him do it

http://compliancesearch.com/compliancex/current-affairs/his-bipolar-made-him-do-it/

An accused hedge fund fraudster’s mother is showing support, by claiming her son is not to blame for defrauding investors out of over $2.3 million, it’s his bipolar’s fault.

Well, it’s better than “The Dog Ate My Homework”.

Keep taking the tablets, Mr Klatch!

July 1st, 2011

Sony backs U.S. ineffective cybersecurity legislation

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all,” he said.

To people like us, IT Audit and InfoSec types, ‘controls’ come in 3 forms:

  • preventative
  • detective
  • compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

June 28th, 2011

A large scale failure of information security

http://www.informationweek.com/news/security/attacks/231000472

Does LulzSec’s nonstop hacking campaign, and apparent success at taking
down everyone from Sony to the U.S. Senate, point to fundamental flaws
in website security? “One of the assertions made by the recent run of
high profile attacks was that all networks are vulnerable, and the
groups behind these attacks either had or could have access to many more
systems if they wish,” said the SANS Technology Institute’s Johannes B.
Ullrich in a blog post. “I would like to question the conclusion that
recent attacks prove that all networks are vulnerable, as well as the
successful attacks [prove] a large scale failure of information security.”

I think this so misses the point.
Everybody, every site, every business, every government *is* vulnerable to something, somewhere, sometime.

I’m reminded of the IRA’s statement to Margaret Thatcher:

We only need to be lucky once.
You need to be lucky every time.

Times change. New exploits are uncovered. Every patch and upgrade may – will? – introduce a new vulnerability. Changes in staff; changes in configuration and facilities. Changes, changes, changes.

If you think you can secure your system once and be done then you are, at best, fooling yourself, and more realistically acting in a socially irresponsible manner. We are forever lagging behind, and the evidence is that we are lagging further and further behind.

The fact that so many sites are vulnerable, that even PCI:DSS “certified” sites get hacked, and more, *DOES* at least _demonstrate_ “a large scale failure of information security”.

January 6th, 2011

Risk due to network administrators

Someone on a forum I subscribe to suggested that there is a major risk of network administrators misusing their privileges. Why admins rather than CFOs, CEO or other staff, I don’t know.

“Major”?
As in often?
As in large impact that stops the business operating?

If it’s that bad why not just get rid of them?
It’s probably easier to automate their job than that of the CFO.

I’ve written here and elsewhere that many people from a technical background don’t understand ‘risk’. Not only do businessmen view risk differently, but risk only occurs when you have something that may offer an advantage – else why would you be doing it?

The limiting case is gambling at a casino or playing . You bet against the odds because you might win. Businesses take business risks because they can make a profit.

But in gambling and business you can only lose as much as you bet, and you have a pretty good idea of the odds – in a casino you know them for sure. In InfoSec we don’t know the odds (except when they are a certainty, like SPAM or Viruses).

So think in business terms.
Companies employ system and network administrators.
Big deal.
They also employ accountants and CFOs.
Who do you think could cause more harm to the business?
A network admin reading other people’s mail or a CFO that defrauds the company by writing phony cheques?

So if a network admin is a “major” threat because of what he _might_ do, *if* you employ a scum-bag and *fail* to do a background check or get him pizzed off, then what grade of threat do you think a similar CFO rates?

Context, I keep telling you, is Everything.

December 14th, 2010

Cell phone risks

I hope somebody’s thinking seriously about the implications of this:

http://www.theregister.co.uk/2010/12/14/us_army_smartphones_4_all/

Israel has already seen some consequences of soldiers with cellphones.

Here in Toronto we have a law against driving and using a hand-held cell phone. I note that researchers are reporting that even hands-free phones are distracting enough to be a major risk. Nevertheless, I have stood back from the kerb at an uptown intersection and seen drivers turn against the lights and narrowly miss pedestrians because they were on the phone. The drivers, that is. (I’m still on the look out for pedestrians using phones and being oblivious to their surroundings causing accidents.) Perhaps I need to use my own phone and make videos of this and upload them to YouTube :-)

So I’m very cynical about the use of distracting technology in the battlefield. Use of the smartphones ‘in barracks’ is one thing; using them in the field is another.

There seems to be a big mental hole here.
The idea of a coms system that has a central control or the cell/tower model is inherently vulnerable; no less so than GPS if you think about it, and probably more so; you don’t need a rocket launch and EMP capability to take out cell phone towers and the phone system.

But the kind of Wifi system that allows the nodes to mesh and forward and heal (WiMax) is just the kind of thing the cell phone companies don’t want.

WiMax – http://www.open-mesh.com/ – may assume an internet backbone connecting the various meshes, but in a battlefield scenario the local mesh would be adequate. It simply uses different “smartphones” and software. Maybe there is a back haul WAN, maybe it can download satellite or surveillance images for the front-line commanders.

But OTS cellphones … I can see too many high risk scenarios in a military setting.

March 5th, 2010

White House Cyber Czar: ‘There Is No Cyberwar’

Thank you Howard! This has long needed to be said by someone in authority!

Yes, crime and espionage will cripple us all economically.
We won’t see enemy troops occupying our land.
(We might see the same result from ‘enhanced homeland security’: troops and law enforcement on every corner checking papers, breaking down your front door at 3am and other Stasi SS-Stoßtruppen tactics. But that’s another matter, and when it happens you know that not only have the Terrorists won, but your own government is the main source of Terror.)

Howard Schmidt, the new cybersecurity czar for the Obama administration,
has a short answer for the drumbeat of rhetoric claiming the United
States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview
Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible
concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity
efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of
national intelligence who made headlines last week when he testified to
Congress that the country was already in the midst of a cyberwar — and
was losing it.

February 28th, 2010

The FBI risk equation

It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:

risk = threat x vulnerability x consequence

rather than solely focusing on threat vectors and actors.

To be honest, I sometimes wonder why people obsess about threat vectors in the first place. There seems to be a belief that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.

Look at it this way: what do you have control over?

Why do you think that people like auditors refer to the protective and detective mechanisms as “controls”?

Yes, if you’re a 600,000 lb gorilla like Microsoft you can take down one – insignificant – botnet, but the rest of us don’t have control over the threat vectors and threat actors.

What do we have control over?

Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the “vulnerability surface” such as partitioning our networks, restricting access, not exposing more than is absolutely necessary to the Internet (why oh why is your SqlServer visible to the net? Why isn’t it behind the web server, which in turn is behind a firewall?).
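As an added illustration of the “don’t expose more than is absolutely necessary” point (example code written for this page, not from the original post): a small Python check that reads the kind of listener table `ss -ltn` prints on Linux and reports database ports bound to anything other than loopback. The sample `ss` output and the port-to-service list are constructed for the example. The point is that exposure of your own listeners is a question you can actually answer and act on, unlike the intentions of a threat actor.

```python
"""Flag database listeners reachable beyond the loopback interface.

Added illustration, not code from the original blog post. Input is the
layout `ss -ltn` prints on Linux; the sample below is constructed.
"""
from dataclasses import dataclass
import ipaddress

# Ports a practitioner would not expect to see reachable from outside the
# host or a private database tier. The names are for the report only.
DB_PORTS = {
    1433: "MSSQL",
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
}

# Constructed sample in the layout of `ss -ltn`
# (State Recv-Q Send-Q Local Address:Port Peer Address:Port).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:1433         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     10.0.2.15:3306       0.0.0.0:*
LISTEN  0       128     [::]:27017           [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Parse LISTEN rows from `ss -ltn` style output into Listener records."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening row
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")  # IPv6 literals are bracketed by ss
        listeners.append(Listener(addr, int(port)))
    return listeners


def is_exposed(addr: str) -> bool:
    """True unless the socket is bound to a loopback address.

    Older ss versions print '*' for the wildcard address; treat it as exposed.
    """
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def exposed_db_listeners(output: str) -> list[tuple[str, int, str]]:
    """Return (address, port, service) for DB ports bound beyond loopback."""
    findings = []
    for listener in parse_ss(output):
        if listener.port in DB_PORTS and is_exposed(listener.address):
            findings.append((listener.address, listener.port, DB_PORTS[listener.port]))
    return findings


if __name__ == "__main__":
    for addr, port, name in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"{name} on {addr}:{port} is reachable beyond loopback")
```

On a real host you would feed it the output of `ss -ltn` instead of the constructed sample; anything it reports is a candidate for binding to loopback, moving behind the web tier, or filtering at the firewall, which is exactly the “vulnerability surface” the post says you do control.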

Assets, to a large extent. Document them. Identify who should be using them and implement IAM.

And very important: we have control over RESPONSE.

Did the FBI equation mention response? I suppose you could say that ‘awareness’ is a part of a response package. Personally I think that response is a very, very important part of this equation, and it’s the one you have MOST control over.

And response is – or should be – totally independent of the threats since it focuses on preserving and recovering the assets.

I think they have it very, very confused and this isn’t the most productive, most effective way of going about it. But then the FBI’s view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.

But let’s face it, most corporations are not in the business of policing. Neither are home users.

Which is why I focus on the issue of “what you have control over”.

December 1st, 2009

The wedge gets thicker

http://news.cnet.com/8301-1009_3-10405824-83.html
http://news.zdnet.co.uk/communications/0,1000000085,39909136,00.htm
http://community.zdnet.co.uk/blog/0,1000000567,10014530o-2000331761b,00.htm

The thin edge of the wedge was when pubs were fined for letting patrons get drunk, drunk enough that they shouldn’t drive.

Now that wedge is being driven further.

November 6th, 2009

Speil Chequers

Yesterday, my friend and colleague, Rob Slade, noted that …

Idly leafing through yet another IT executive rag (preparatory to recycling it),
and noticed an article on privacy by the head of a data destruction company. He
was talking about the problem of “data reminisce.”

Well, it may not have been the author at fault.
We’ve criticized journalists for lacking knowledge of various technical professions and so mangling and misinterpreting reports, but what about typesetters? And editors?

September 9th, 2009

Judges Punish Wall Street as Regulators Just Talk About Reform

http://www.bloomberg.com/apps/news?pid=20601109&sid=a5wZ95KdSuJQ

This is something we should *ALL* be aware of, not least those that think legal and world economic stuff is off topic.

We all have to face standards; for the most part those are dictated by industry groups and we can, if we choose, partake of those.
I’ve been involved in technical standards groups in the past[1].

We have also, recently, had to face a lot of ‘regulations’, that is requirements with legal backing. It’s easy to say that those are all very regional, which is why they don’t (any longer) appear in the CBK.

Personally I think this is a weak argument. SOX may only have been ‘legal’ in the USA, but many companies in other countries trade in or have offices in the USA and need to be aware of US laws and regulations.
In addition, SOX has been the model for regulations in other countries (and some of those have corrected deficiencies[2]).

Nevertheless the legal principle that is addressed in this article holds for many countries: while the politicians dither the people who have to deal with the details and actualities of making the legal system happen are getting on with it.

Free from the pressures of lobbyists, judges typically refrain from showing emotion or expressing opinions during court proceedings to appear impartial. During sentencings in criminal cases, they sometimes let their hair down about their feelings about the damage Wall Street firms or their executives did.

However, I don’t know if it’s the journalist or the judges that are being facetious:

In sentencing imprisoned con man Bernard Madoff June 29 to the maximum penalty of 150 years in prison, U.S. District Judge Denny Chin described Madoff’s crimes as “extraordinarily evil.”

What?
“Evil” compared to what?

August 30th, 2009

Online Cyberlaw programs

People occasionally ask about InfoSec courses that cover law and cyberlaw and about schools that offer cyberlaw programs.

I’m curious about this whole thing for a slightly tangential reason.

On the one hand there’s the idea of Cyberlaw as part of a general law school curriculum.

On the other, there’s cyberlaw for InfoSec people and managers and executives.

The former will already have covered issues like criminal law, contract law, rules of evidence and so forth. Would all that be necessary for the latter group?

And in general, we do have a domain of the CISSP CBK that covers ‘law and ethics’, but I get the impression that in the effort to “internationalize” it has been gutted; the rationale being that many laws are so regional that the exam can’t address them without being very biased.

Well, I disagree. For a number of reasons.

First, there is a lot of law that is about principles.
I think it’s important to cover basics like CONTRACTS and LIABILITY, which I have seen done in a way that covers the variety of the western European legal codes.

Second, there is a fair bit of international or internationally recognised law. How else could trade and commerce go on? In addition there are many laws that are being applied or recognized cross-border in one way or another, especially in the areas of cyber-related crimes such as fraud and extortion. Some of these may only be the basis for extradition, but they are examples of what happens in practice.

Finally the study of law in other jurisdictions is valuable, as is the study of history; it gives us examples of the good and the bad, how they were applied and what their successes, pitfalls and limits were.

This is more relevant than it seems at first. The impact of Sarbanes-Oxley (SOX) applies to many of us outside the USA because we deal with companies in our own nation that have offices registered and trading inside the USA. On top of that, SOX has been the basis for – often better thought out – similar legislation in other countries. The same reasoning applies to things like the DMCA, CAN-SPAM and the like.

I ought to mention things like PCI as well, even though they are not “laws” in the same sense. PCI *IS* international, just as other banking standards that those of us who deal with finance InfoSec have to deal with – BASEL, FFIEC and others.

Purely as a side issue, I think all of us need to know about matters like employment law; many of us are ‘consultants’ and need to know about contract law. Many of us are in situations where InfoSec deals with HR and that justifies knowing about employment law. We may also need to know about matters such as copyright and non-disclosure, and what contracts can and cannot bind one to.

Speaking as a “consultant”, I’d add that I’m very glad of my grounding as part of the management electives of my undergraduate degree in engineering that covered contract law. Many of the contracts I have been offered by small firms where they were drawn up by the owner (often an ‘entrepreneur’ with no business or legal background and often without guidance of a lawyer or even a CMA/accountant) were inequitable, unreasonable and full of ‘traps’ because of poor wording.

I think an understanding of the basics of criminal law, contract law and law pertaining to international trade are essential to members of our profession, regardless of their role. The CBK and exam may avoid them but as individuals we should each recognise the relevance of these and other legal and quasi-legal ‘standards’ and make them part of our ongoing education.

August 3rd, 2009

Significant Impact Calculation in Business Risk

My colleague Gary Hinson made the following observation on the ISO 27001 list in August:

There are numerous assumptions and estimations in the risk
assessment process, so all calculated values have quite wide margins
of error. Worse still, there are almost certainly risks or impacts
that we have failed to recognise or assess, in other words we need to
allow for contingency.

Oh, it’s worse than that!

The problem is that the potential perpetrators are the ones that determine “the most significant risks” of which you speak, in both frequency (when they decide to strike) and impact (how much damage they will do and what they will do with the results of their attacks), not the person performing the risk analysis.

We are debating how to value an asset: book value, replacement value or the value of the process of using it. Well that doesn’t matter; it’s the value to the perpetrator of the attack that counts. What you value and defend might be of no interest to him (or her). Obtaining the desired asset may result in collateral damage.

So long as you focus on a Risk Analysis model rather than a comprehensive plan of diligence and security establishment you are going to get caught out by these false assumptions.

Face it: the Risk Analysis approach means you have no idea who and where the potential perpetrators are, rational or irrational; when and how they may strike (with a tank, an army, or with false data entry).

But act and calculate as if you do.

You have no idea of the perpetrator’s

  • skills
  • knowledge
  • resources
  • authority
  • motives
  • objectives

but the Risk Analysis approach presumes that you do.

I’m sorry, this doesn’t make sense and hence arguing about how to calculate the value of an asset doesn’t make sense in this context. It’s like arguing over how many angels can dance on a pinhead when there’s war and famine going on outside.

July 29th, 2009

419 scammers using Dilbert.com

http://blogs.zdnet.com/security/?p=3809&tag=nl.e539

Oh, the ignominy!

On their way to search for clean IPs through which to send out yet another scam email, 419 con-artists (Mrs Sharon Goetz Massey) have recently started using Dilbert.com’s recommendation feature in an attempt to bypass anti-spam filters — and it works. The use of Dilbert.com’s clean IP reputation comes a month after 419 scammers used the same tactic on NYTimes.com ‘email this’ feature.

One thing in InfoSec is certain: the bad guys will always find a way round whatever controls we put up and find ways to subvert legitimate tools and protocols.

April 23rd, 2009

Politician hit by lost documents

http://www.manchestereveningnews.co.uk/news/s/1109560_burnham_sorry_over_security_blunder

We can all see what went wrong here.

1. He should have gone by car and not the train.
2. He should have had the documents on his laptop
3. The laptop should have been tethered in the trunk of the said car.
4. The documents should have been clearly labelled “*Not* about the F-35”
5. His laptop should have had its patches and AV up to date.

Just one question.

What’s with this “hit by”?
That headline is trying to make out that the documents were the guilty – and actively so – party.

Well, perhaps that’s not the fault of the journalist, perhaps that’s the stance the politician is taking :-)

March 28th, 2009

Would Bill C-285 outlaw BlackBerry in Canada?

http://www.itworldcanada.com/a/Daily-News/03b813a2-f13b-4c3e-9494-ae9064f25da3.html

“When they outlaw X only criminals will have X”

… for many values of the members of the set of Y.

There’s the old saw:

People who won’t quit making the same mistake over
and over are what we call conservatives.

No, they are politicians.

He added that making it easier for law enforcement to tap into wireless
transmissions will probably bring those same capabilities into the hands
of the cyber criminal community. This is certainly not the
business-friendly message you want to be sending out to encourage
investment in technology during the recession, Levy said.

“Especially since the very same government has placed organizations in
the financial services, health care and public sector under increasing
regulatory scrutiny to lock down their own security infrastructure.”

In reality, judging by history, if there’s going to be a way to hack into things like the Blackberry the criminals will have it long before the LE, and the LE will probably be denied funding for it by the government.

March 2nd, 2009

Small firms are taking fraud protection too lightly, says Visa Canada

Forty-one percent of small businesses surveyed by Visa Canada said they
don’t believe data thieves and hackers will target them because of their
size.

Where have we heard that before?
Isn’t there some security adage about the hackers (aka criminals) going for “the low hanging fruit” – the easy to get at stuff – first?

December 1st, 2008

Stolen laptop leads to drug bust

I must admit, this isn’t quite what I expected when I read the headline. I was expecting the contents of the laptop that had somehow come into the hands of the police or DEA to contain evidence that led to the bust. As it was, the recovery was a result of “phone home” software and the bust was incidental.

Security software built into a stolen laptop computer led police to a
Hoisington residence on Tuesday. Authorities not only found the
computer, but they also uncovered what appears to be a methamphetamine
lab.

So what is the procedure around the ‘phone home’ software? Does it contact the police directly? Does the owner notify the ‘phone home’ software vendor and they in turn notify the police when they have a trace?

Detective Denton Doze at the Great Bend Police Department said the
$9,000 computer, along with hand tools and power tools, was stolen
during a burglary reported last Friday at the My Town project, 1419 Main
Street.

That must have been quite some laptop!

As of Wednesday evening, the missing tools had not been accounted for.

Well, obviously. They don’t have ‘phone home’ software that runs when they are used.

November 11th, 2008

Going Rogue

In this article at TechRepublic, Tom Olzak tries to address the issue of insider threat by talking about why your employees might ‘go rogue’. I think he completely misses the point by discussing the motivation for spies and convicted traitors. This is a different class of people from those who commit financial fraud and take revenge on employers who they think have wronged them.


Let’s be fair, how many of these characteristics would have applied to people like Nick Leeson, Jerome Kerviel, the rogue traders such as Yasuo Hamanaka at Sumitomo Corporation of Japan in 1998, John Rusnak (a former currency trader at Allfirst bank) at the Allied Irish Bank in 2002, Toshihide Iguchi at Daiwa Bank, Matt Piper of Morgan Stanley, Anthony Elgindy, Thom Calandra and Brian Hunter – never mind the rogue executives at WorldCom, Enron and Parmalat and many other corporate and accounting scandals that were motivated by greed?

The list on the blackboard in the cartoon doesn’t, I think, apply to the ‘rogue traders’. It applies only somewhat to the rogue executives but it does apply more comprehensively to the spies and traitors like Ames & Early.

However Donn Parker’s point that (many) white-collar criminals are led into crime by “intense personal problems” makes more sense and also applies to people such as Brian Molony at the CIBC. So I don’t think this is a very good article. Donn’s observation is more general and more useful than Tom’s.

More to the point, since Tom’s article fails to address issues such as senior management ignoring the business controls that are in place because the people concerned were making a profit (aka greed in high places), and because it doesn’t address the issue of having internal resources where staff can come to get advice about pressing personal problems, and finally because it doesn’t deal with the possible channels for ethics complaints and whistle-blowing, it fails to address its title; there is nothing here about prevention – only detection, and a very limited form of detection at that.

http://news.hereisthecity.com/news/business_news/6786.cntns
