Category: Human Factors

Online Ad Industry Threatened by Security Issues

http://www.databreachtoday.com/online-ad-industry-threatened-by-security-issues-a-9488

Most people use ad blockers because they’re irritated with some of the intrusive ways ads are presented. But there are also compelling security arguments behind ad blockers. By blocking ads, consumers are better insulated against security risks from malvertisements.

The social media site Reddit, which can be a rich traffic source for publishers, warns users of links to content that demand people to disable their ad blockers, including publishers such as Forbes and Wired.

“Warning! Disabling your ad blocker may open you up to malware infections, malicious cookies and can expose you to unwanted tracker networks,” Reddit’s warning says. “Proceed with caution.”

I don’t know whether to be glad or worried by this.
It may be considered unsocial of me, but I use adblockers. Continue reading Online Ad Industry Threatened by Security Issues

UN privacy head slams ‘worse than scary’ UK surveillance bill

http://www.theregister.co.uk/2015/11/10/un_privacy_head_slams_uk_surveillance_bill/

Two points in this caught my attention.

Cannataci also argued forcefully that mass surveillance was not the way to
handle the threat from terrorism and pointed to a report by the Dutch
intelligence services that argues that point. “To get real terrorists, you have
to go for good old-fashioned infiltration,” he argued, wishing that the security
services would spend less money on computers and more on real people who go out
and get real, actionable intelligence on what people are up to. “It’s time to be
realistic and actually examine what evidence shows.”

Where have I heard that before?
Oh, wait:

If you think technology can solve your security problems, then you don’t
understand the problems and you don’t understand the technology
Bruce Schneier

Essentially what he’s saying is summed up by another Schneier quote:

People often represent the weakest link in the security chain and are
chronically responsible for the failure of security systems
— Bruce Schneier, Secrets and Lies

Continue reading UN privacy head slams ‘worse than scary’ UK surveillance bill

Everybody wants in on ‘Cybersecurity”

Intel Sets McAfee Free …

http://www.databreachtoday.com/blogs/intel-sets-mcafee-free-p-2244?

… becoming what Intel bills as one of the world’s biggest “pure-play cybersecurity companies.”

When I graduated the hot topic was then chemistry, mostly organic but anything to do with chemistry was IN. Engineering was considered ho-hum, aviation was in the doldrums especially in Europe, and electronics & computing — nobody blathered on about ‘cybernetics’ or ‘cybersecurity’ in public back then — held no potential. The future was chemistry. Continue reading Everybody wants in on ‘Cybersecurity”

The Hidden Curriculum of Work

http://www.strategy-business.com/blog/The-Hidden-Curriculum-of-Work

I think part of the problem I have in dealing with the current generation of head-hunters and corporate recruiters is that they focus on the job description, the check-list. They focus on it two ways: the first is demanding it of the hiring managers, who are often ill equipped to write one. Many jobs are not circumscribed, especially in a field like IT which is dynamic and about continuous learning and adaption to changing circumstances. All to often the most valuable question I’ve been able to ask of a manager in a hiring situation amounts to “what do you need done?”.
Their description of the work – the WORK not the JOB – only makes sense in context, a context that another practitioner understands, but someone in HR would hear as the gobbledygook of technology-talk. How can you base a bullet-list Job Description on that? Trying to translate it into a vernacular that allows the HR-droid to ask appraisal questions of candidates that the HR-droid can make sense of removes it from what the work is about.

Which leads to the second point. Continue reading The Hidden Curriculum of Work

Nobody wants to pay for security, including security companies

https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire

In theory, consumers and businesses could punish Symantec for these
oversights by contracting with other security vendors. In practice, there’s
no guarantee that products from other vendors are well-secured, either
— and there is no clearway to determine how secure a given security
product actually is.

Too many firms take an “appliance” or “product” (aka ‘technology”) approach to security. There’s a saying that’s been attributed to many security specialists over the years but is quite true:

If you think technology can solve your security problems,
then you don’t understand the problems and you don’t
understand the technology.

Its still true today. Continue reading Nobody wants to pay for security, including security companies

Brexit: What’s Next for Privacy, Policing, Surveillance?

http://www.databreachtoday.com/brexit-whats-next-for-privacy-policing-surveillance-a-9225

Now we’re getting over the “how could that do THAT!” shock stage and starting to think what the operational, rather than just the financial, implications are.

Related articles across the web

Cyber risk in the business

https://normanmarks.wordpress.com/2015/06/05/cyber-risk-and-the-boardroom/

The take-away that is relevant :

Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.

Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset. Continue reading Cyber risk in the business

Purpose unclear. Why are the FBI *really* trying to subvert encryption?

Tim cook says Apple will fight a federal order to help the FBI hack an iPhone.  

An earlier version of this page has a paragraph which seems to have been deleted later;

It was not immediately clear what investigators believed they might find on Farook’s work phone or why the information would not be available from third-party service providers, such as Google or Facebook, though investigators think the device may hold clues about whom the couple communicated with and where they might have travelled.

Is that “Whom” grammatically correct?

This does raise a ‘why’ in my mind.
Cant the other service providers (who would it be, AT&T, Verizon?) supply the ‘traffic analysis of who they communicated with? Isn’t this the sort of “metadata” that the government spies are supposed to be collecting?

Opening the phone won’t give the content of the messages past, they are gone like the snows of yesteryear[1]. Dead as the author of that famous quote.

So what are the FBI looking for? The address book? I’m not sure how helpful that will be and its likely to cast suspicion on innocent parties. Continue reading Purpose unclear. Why are the FBI *really* trying to subvert encryption?

We’re mobile addicts but we just don’t want new smartphones

http://www.zdnet.com/article/research-were-mobile-addicts-but-we-just-dont-want-new-smartphones/

For whatever value of “Mobile” is applicable in context, yes.
A lot of what I see is students in the library with their laptops or large tablets_keyboards with paper and books beside. Perhaps if students had the multi-screen displays like the one in the movie “Swordfish” AND there were more books on-line at low cost and multi-access (which isn’t how many libraries work, sadly) then the marketers dream of students with ebooks rather than a knapsack of books would happen. As it is, with only one viewer, books and papers are still needed. Continue reading We’re mobile addicts but we just don’t want new smartphones

The fatal flaw in IT Risk management

Is interviewing is a much better method that self-certifications and a checklist, if time and resources allow.
Two points:

In the ISO-27001 forum, my friend and colleague Gary Hinson has repeatedly pointed out, and I fully support him in this, that downloading check-lists from the ‘Net and adopting question lists from there is using a solution to someone else’s
problem. If that.

Each business has both generic problems (governments, sunspots, meteor strikes, floods & other apocalyptic threats and Acts of God) and ones specific to it way of working and configuration. Acts of God are best covered by prayer and insurance.

Gary recommends “open ended questions” during the interview rather than ones that require a yes/no answer. That’s good, but I see problems with that. I prefer to ask “Tell me about your job” rather than “Tell me how your job … can be made more efficient”.

My second point is that risk management will *ALWAYS* fail if the risk analysis is inadequate. How much of the RA should be done by interviewing people like the sysadmins I don’t know, but I have my doubts. I look to the Challenger Disaster. I started in the aviation business and we refines FMEA – failure Mode Effect Analysis. Some people think of this in terms of “impact”, but really its more than that, its also causal analysis. As Les Bell, a friend who is also a pilot and interested in aviation matters has pointed out to me, “Root Cause Analysis” no longer is adequate, failure comes about because of a number of circumstances, and it may not even be a single failure – the ‘tree’ fans both ways!

Yes, FMEA can’t be dome blindly, but failure modes that pertain to the business – which is what really counts — and the fan-in/out trees can be worked out even without the technical details. Rating the “risk”: is what requires the drill-down.

Which gets back to Donn Parker‘s point in a number of his books, though he never states it this way. The FMEA tree can be heavily pruned using diligence as he says: standards, compliance, contracts, audits, good practices, available products. The only thing he leaves out are Policy and Training. Policy gives direction and is essential to any purpose, the choice of standards and products, and identifying what training is needed.

All in all, the article at https://blog.anitian.com/flawed-it-risk-management/ takes a lot of words to say a few simple concepts.

 

Cyber, Ciber or Syber?

Occasionally, people do ask:

What exactly do you mean by “cyber security”?
Or “cyber” for that matter. Please explain.

“Steersman Security”?

It seems to be one of those Humpty-dumpty words that the media, the government and others use with — what’s the current politically correct phrase to use now when one would, 50 years ago have said ‘gay abandon’? — because its current;y “in”?

I see it used to mean “computer” and “network” in the specific and “computers” and “networks” in the general, as well as specific functions such as e-banking, & other e-commerce, “Big Data”, SCADA, POTS and its replacements.

I see it used in place of “Information” in contexts like “information Security” becoming, as above, “Cyber Security“. But you don’t know that it means that.

Are we here to protect the data? Or just the network? or just the computer?

Until a few years ago “Cyber” still did mean “steersman”, even if that was automated rather than a human presence. No-one would call the POTUS a “Cyber-man’ in the sense of being a steersman for the republic.

Perhaps we should start a movement to ban the use of “Cyber-” from use by the media.

Perhaps we might try to get some establishments to stop abusing the term.
I doubt very much we could do that with media such as SCMagazine but perhaps we could get the Estate of the Late Norbert Weiner to threaten some high profile entities like the State Department for the mis-use of the term?

 

Related articles across the web

Another reason to have a policy not to eat at your desk

Hackers Can Use Pita Bread to Steal Laptop Encryption Keys, Say Researchers

Embedding such devices in something edible only means it will end up in the stomach of the targeted user. Perhaps that is intentional, but I suspect not.  Better to put the device in the base of the coffee cup.

 

Tracking kids via microchip ‘can’t be far off,’ says expert

http://www.kens5.com/story/news/2015/05/07/tracking-kids-via-microchip-cant-be-far-off-says-expert/70986060/

Dickerson said she though one day, “I microchip my dog, why couldn’t I
microchip my son?”

I think there’s something despicable about treating a human being the same way you would treat a dog or your keys.

Its one thing to chip your keys or have one of those devices that when you whistle the keyring goes bleep-bleep to help you find it. I can imagine extending that to people who let their dogs (or cats) roam and need/want to have them in at night. Domesticated pets might not be able to cope with even urban predators such as badgers and grizzly raccoons.
If, that is, the animals aren’t smart though to come in when you call them.

But treating a human as you would a dog? Continue reading Tracking kids via microchip ‘can’t be far off,’ says expert

Cyber general: US satellite networks hit by ‘millions’

http://www.forensicmag.com/news/2015/04/cyber-general-us-satellite-networks-hit-millions-hacks

I wonder what they consider to be a hack? The wording in the in the article is loose enough to mean that if someone pinged one of their servers it would be considered a hack. Perhaps they even they count Google spider indexing as a probe into their network. It makes me wonder how many ‘real’ hack attempts are made and how many succeed. All in it, it sounds like a funding bid!

Marcus Ranum once commented about firewall logging that an umbrella that notified you about every raindrop it repulsed would soon get annoying.I suspect the same thing is going on here. Are these ‘repulsed’ probes really ‘need to know’? Are they worth the rotating rust it takes to store that they happened?

Oh, right, Big Data.

Oh, right, “precursor probes“.

Can we live without this? Continue reading Cyber general: US satellite networks hit by ‘millions’

U.S. Defense Secretary Carter emphasizes culture change needed to

http://www.scmagazine.com/ash-carter-spoke-at-stanford-university/article/411392/

Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.

A real culture change would involve hiring the likes of people such as Marcus Ranum, Gene Spafford, Becky Herrold., and more significantly the very vocal Bruce Schneier AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS.  And please note: none of this is new or radical.

But a read of Bruce’s articles blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won’t. The culture change it would require would impact too many vested interests and long held beliefs, even though Bruce — and others — have long since shown them to be in the same class as The Emperor’s New Clothes.

When the government talks of cyber-security experts it really doesn’t want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them — but consistently don’t[1] — tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting ‘uber 133z h4x0r’-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn’t make for good security[2].

Yes, a culture change is needed. But the kind of changes that the ‘insiders’ — and that goes for the media too — envision don’t really amount to a meaningful change.

[1] http://www.gao.gov/key_issues/cybersecurity/issue_summary#t=1
http://www.regblog.org/2014/09/18/18-yang-gao-and-it-oversight-report/

http://www.ihealthbeat.org/articles/2014/4/4/gao-data-breaches-on-the-rise-at-federal-government-agencies

http://www.cnn.com/2014/12/19/politics/government-hacks-and-security-breaches-skyrocket/

[2] The idiom “rearrange the deckchairs on the Titanic” comes to mind
Or perhaps the Hindenburg.

 

Related articles

Should all applicable controls be mentioned in documenting an ISMS?

In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with what we did but the reasoning behind those decisions. This was so that if anything happened to use kn knowledge about the work, the project, what had been tried and thought about was lost, if, perhaps, we were ‘hit by a bus on the way to work‘.

At that point whoever was saying this looked toward a certain office or certain place in the parking lot. One of the Project managers drove a VW bus and was most definitely not a good driver!

So the phrase ‘document everything in case you’re hit by a bus’ entered into the work culture, even after that individual had left.

And for the rest of us it entered into our person culture and practices.

Oh, and the WHY is very important. How often have you looked at something that seems strange and worried about changing it in case there was some special reason for it being like that which you did no know of?
Unless things get documented …. Heck a well meaning ‘kid’ might ‘clean it out’ ignorant of the special reason it was like that!

So here we have what appear to be undocumented controls.
Perhaps they are just controls that were added and someone forgot to mention; perhaps the paperwork for these ‘exceptions’ is filed somewhere else[1] or is referred to by the easily overlooked footnote or mentioned in the missing appendix.

It has been pointed out to me that having to document everything, including the reasons for taking one decision rather than another, “slows down work”. Well that’s been said of security, too, hasn’t it? I’ve had this requirement referred to in various unsavoury terms and had those terms associated with me personally for insisting on them. I’ve had people ‘caught out’, doing one thing and saying another.
But I’ve also had the documentation saving mistakes and rework.

These days with electronic tools, smartphones, tablets, networking, and things like wikis as shared searchable resources, its a lot easier.[2]

Sadly I still find places where key documents such as the Policy Manuals and more are really still “3-ring binder” state of the art, PDF files in some obscure[1] location that don’t have any mechanism for commenting or feedback or ways they can be updated.

Up to date and accurate documentation is always a good practice!

[1]http://hitchhikerguidetothegalaxy.blogspot.ca/2006/04/beware-of-leopard-douglas-adams-quote.html
[2] And what surpises me is that when I’ve implemented those I get a ‘deer in the headlight’ reaction from staff an managers much younger than myself. Don’t believe what you read about ‘millennials’ being better able to deal with e-tools than us Greybeards.

Related articles

14 antivirus apps found to have security problems

http://www.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die

Let us pass over the “All A are B” illogic in this and consider what we’ve known all along. AV doesn’t really work; it never did.
Signature based AV, the whole “I’m better than you cos I have more signatures in my database” approach to AV and AV marketing that so bedazzled the journalists (“Metrics? You want metrics? We can give you metrics! How many you want? One million? Two million!) is a loosing game. Skip over polymorphism and others.  The boundary between what actually works and what works for marketing blurs.

So then we have the attacks on the ‘human firewall’ or whatever the buzz-word is that appears in this month’s geek-Vogue magazines, whatever the latest fashion is. What’s that? Oh right, the malware writers are migrating to Android the industry commentators say. Well they’ve tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendor driven – yes vendors try convincing Linux and Apple users to buy AV products, just because Linux and MacOS ran on the same chip as Microsoft they were just as vulnerable as Microsoft, and gave up dunning the journalists and advertising when they found that the supposed market wasn’t convinced and didn’t buy.

That large software production is buggy surprises no-one. There are methods to producing high quality code as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require an discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are drive by ‘lines of code per day’ metrics, feature driven popularity and the ‘first to market’ imperatives.

So when I read about, for example, RSA getting hacked by means of social engineering, I’m not surprised. Neither am I surprised when I hear that so many point of sales terminals are, if not already infected, then vulnerable.

But then all too many organization take a ‘risk-based’ approach that just is not right. The resistance that US firms have had to implementing chi-n-pin credit card technology while the rest of the world had adopted it is an example in point. “It was too expensive” – until it was more expensive not to have implemented it.

 

Related articles

What Applicants Should Ask When Interviewing For An InfoSecurity Position

http://www.informationsecuritybuzz.com/applicants-ask-interviewing-information-security-role/

Well what would you ask?

These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?

We should, I think, be asking about “The Tone At The Top“, the organizations attitude towards security and, but what does that mean in terms of interview questions?

My thoughts tend towards Policy and Certification, but them many of my past clients have been financial, so regulatory compliance looms large for them. I’d certainly ask about Policy, how it is formulated, how it is communicated and how it is enforced. That’s not as easy as it sounds: most people know what should be done but ask that tactlessly and other than being an opening (“Yes, I can work on that for you”) all you’ve done is embarrassed the interviewer.

So we have a refinement that the article never touched on: this is an interview not an audit.

 

Most CEOs clueless about cyberattacks

http://www.zdnet.com/most-ceos-clueless-about-cyberattacks-and-their-response-to-incidents-proves-it-7000025396/#%21
Perhaps that’s cynical and pessimistic and a headline grabber, but then that’s what makes news.

What I’m afraid of is that things like this set a low threshold of expectation, that people will thing they don’t need to be better than the herd.

Former Head Of Airport Security: ‘The TSA Couldn’t Save You From

http://www.businessinsider.com/problems-with-tsa-2013-12

Based on the demonstrated persistence of their enemies, I have a lot of respect for what Israeli security achieves.
Back to Verb vs Noun.

His point about baggage claim is interesting. It strikes me that this is the kind of location serious terrorists, that is the ones who worked
in Europe through the last century, might attack: not just dramatic, but shows how ineffectual airport security really is. And what will the TSA do about such an attack? Inconvenience passengers further.

Full article at
http://www.cracked.com/blog/7-reasons-tsa-sucks-a-security-experts-perspective/

Related articles