The InfoSec Blog

14 antivirus apps found to have security problems

Posted by Anton Aylward

http://www.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die

Let us pass over the "All A are B" illogic in this and consider what we've known all along. AV doesn't really work; it never did.
Signature based AV, the whole "I'm better than you cos I have more signatures in my database" approach to AV and AV marketing that so bedazzled the journalists ("Metrics? You want metrics? We can give you metrics! How many you want? One million? Two million!) is a loosing game. Skip over polymorphism and others.  The boundary between what actually works and what works for marketing blurs.

So then we have the attacks on the 'human firewall' or whatever the buzz-word is that appears in this month's geek-Vogue magazines, whatever the latest fashion is. What's that? Oh right, the malware writers are migrating to Android the industry commentators say. Well they've tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendor driven - yes vendors try convincing Linux and Apple users to buy AV products, just because Linux and MacOS ran on the same chip as Microsoft they were just as vulnerable as Microsoft, and gave up dunning the journalists and advertising when they found that the supposed market wasn't convinced and didn't buy.

That large software production is buggy surprises no-one. There are methods to producing high quality code as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require an discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are drive by 'lines of code per day' metrics, feature driven popularity and the 'first to market' imperatives.

So when I read about, for example, RSA getting hacked by means of social engineering, I'm not surprised. Neither am I surprised when I hear that so many point of sales terminals are, if not already infected, then vulnerable.

But then all too many organization take a 'risk-based' approach that just is not right. The resistance that US firms have had to implementing chi-n-pin credit card technology while the rest of the world had adopted it is an example in point. "It was too expensive" - until it was more expensive not to have implemented it.

 

What Applicants Should Ask When Interviewing For An InfoSecurity Position

Posted by Anton Aylward

http://www.informationsecuritybuzz.com/applicants-ask-interviewing-information-security-role/

Well what would you ask?

These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?

We should, I think, be asking about "The Tone At The Top", the organizations attitude towards security and, but what does that mean in terms of interview questions?

My thoughts tend towards Policy and Certification, but them many of my past clients have been financial, so regulatory compliance looms large for them. I'd certainly ask about Policy, how it is formulated, how it is communicated and how it is enforced. That's not as easy as it sounds: most people know what should be done but ask that tactlessly and other than being an opening ("Yes, I can work on that for you") all you've done is embarrassed the interviewer.

So we have a refinement that the article never touched on: this is an interview not an audit.

 

Most CEOs clueless about cyberattacks

Posted by Anton Aylward

http://www.zdnet.com/most-ceos-clueless-about-cyberattacks-and-their-response-to-incidents-proves-it-7000025396/#%21
Perhaps that's cynical and pessimistic and a headline grabber, but then that's what makes news.

What I’m afraid of is that things like this set a low threshold of expectation, that people will thing they don't need to be better than the herd.

 

 

Tagged as: No Comments

Former Head Of Airport Security: ‘The TSA Couldn’t Save You From

Posted by Anton Aylward

http://www.businessinsider.com/problems-with-tsa-2013-12

Based on the demonstrated persistence of their enemies, I have a lot of respect for what Israeli security achieves.
Back to Verb vs Noun.

His point about baggage claim is interesting. It strikes me that this is the kind of location serious terrorists, that is the ones who worked
in Europe through the last century, might attack: not just dramatic, but shows how ineffectual airport security really is. And what will the TSA do about such an attack? Inconvenience passengers further.

Full article at
http://www.cracked.com/blog/7-reasons-tsa-sucks-a-security-experts-perspective/

Tagged as: , , , , No Comments

On ‘paranoia’ – revisiting “Paid to be paraoid”

Posted by Anton Aylward

My fellow CISSP and author Walter Jon  Williams observed that

Paranoia is not a part of any mindset. It is an illness.

Ah, Walter the literalist!

Yes I agree with what you say but look at it this way

"We're paid to be paranoid" doesn't mean we're ill.
It's a job.

Now if your job is an obsession, one you take home with you and it interferes with your family life, that you can't let go, then its an illness whatever it is.

"We're paid to be paranoid"

Its a job. You don't pay us Information Security Professionals to be pollyannas, to have a relaxed attitude.

Confusion over Physical Assets, Information Assets in ISO-27000

Posted by Anton Aylward

I often explain that Information Security focuses on Information Assets.

Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable  than the hardware which processes it.
   -- Adm. Grace Murray Hopper, USN Ret.

Some people see this as a binary absolute - they think that there's no need to asses the risks to the physical assets or that somehow this is automatically considered when assessing the risk to information.

The thing is there are differing types of information and differing types of containers for them.

The #1 Reason Leadership Development Fails

Posted by Anton Aylward

http://www.forbes.com/sites/mikemyatt/2012/12/19/the-1-reason-leadership-development-fails/
Training
I wouldn't have though, based on the title, that I'd be blogging about this, but then again one can get fed up with fed up with purely InfoSec blogs, ranting and raving about technology, techniques and ISO27000 and risk and all that.

But this does relate somewhat to security as awareness training, sort of ...

My problem with training per se is that it presumes the need for indoctrination on systems, processes and techniques. Moreover, training assumes that said systems, processes and techniques are the right way to do things. When a trainer refers to something as “best practices” you can with great certitude rest assured that’s not the case. Training focuses on best practices, while development focuses on next practices. Training is often a rote, one directional, one dimensional, one size fits all, authoritarian process that imposes static, outdated information on people. The majority of training takes place within a monologue (lecture/presentation) rather than a dialog. Perhaps worst of all, training usually occurs within a vacuum driven by past experience, not by future needs.

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.

Image representing XMind as depicted in CrunchBase

Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.

An “11th Domain” book.

Posted by Anton Aylward

http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm

Gary Hinson makes the point here that Rebecca Herrold makes elsewhere:   Rebecca Herold
Awareness training is important.

I go slightly further and think that a key part of a security practitioners professional knowledge should be about human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:

First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. many workers complain that their managers, their executives seem t go off at a tangent, ignore "the facts". We speak of decisions drive by articles
in "glossy airline magazines" and by often distorted cultural myths.  "What Would the Captain Do?", or Hans Solo or Rambo might figure more than "What Would Warren Buffett Do" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executive are more rational than this, but even so ...

Learning to Counter Threats – Skills or Ethics?

Posted by Anton Aylward

Fellow CISSP  Cragin Shelton made this very pertinent observation and gave me permission to quote him.

The long thread about the appropriateness of learning how to lie (con, `social engineer,' etc.) by practising lying (conning, `social engineering', etc.) is logically identical to innumerable arguments about whether "good guys" (e.g. cops and security folk) should teach, learn, and practice

  •  writing viruses,
  •  picking locks,
  •   penetrating firewall-protected networks,
  •  cracking safes,
  •  initiating and exploiting buffer overflows, or
  •  engaging in any other practice that is useful to and used by the bad guys.

We can't build defenses unless we fully understand the offenses. University professors teaching how to write viruses have had to explain this problem over and over.

Declaring that learning such techniques is a priori a breach of ethics is short-sighted. This discussion should not be about whether white hats should learn by doing. It should be about how to design and carry out responsible learning experiences and exercises. It should be about developing and promoting the culture of responsible, ethical practice. We need to know why, when, how, and who should learn these skills.

We must not pretend that preventing our white hatted, good guy, ethical, patriotic, well-intentioned protégés from learning these skills will somehow ensure that the unethical, immoral, low breed, teen-vandal, criminal, terrorist crowds will eschew such knowledge.

I have grave reservations about teaching such subjects.

Marketing Is Dead – Harvard Business Review

Posted by Anton Aylward

http://blogs.hbr.org/cs/2012/08/marketing_is_dead.html

Of course you have to have a catchy title, but what this really says is

... in today's increasingly social media-infused environment,
traditional marketing and sales not only doesn't work so well, it
doesn't make sense. Think about it: an organization hires people —
employees, agencies, consultants, partners — who don't come from the
buyer's world and whose interests aren't necessarily aligned with his,
and expects them to persuade the buyer to spend his hard-earned money on
something. Huh? When you try to extend traditional marketing logic into
the world of social media, it simply doesn't work.

Yes but there are assumptions there.
Marketing WHAT to WHOM?

As opposed to just selling.

See also:

http://blog.penelopetrunk.com/2012/07/09/how-i-got-a-big-advance-from-a-big-publisher-and-self-published-anyway/#more-10038

Which makes the point that book publishers have come adrift as far as
marketing in the Internet world goes.

English: Infographic on how Social Media are b...
Enhanced by Zemanta

Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The

Posted by antonaylward

http://www.businessinsider.com/steve-wozniak-cloud-computing-will-cause-horrible-problems-in-the-next-five-years-2012-8

Perhaps The Woz isn't the influence he once was, and certainly not on Wall Street and the consumer market place.

Woz and I at dinner

The unbounded RAH-RAH-RAH for the "Cloud" is a lot like the DotComBoom in many ways. No doubt we will see a Crash rationalization.

 

Enhanced by Zemanta

Tight budgets no excuse for SMBs’ poor security readiness

Posted by Anton Aylward

http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/

From the left hand doesn't know what the right hands is doing department:

Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.

Well, lets leave the vested interests of security sales aside for a moment.

Security Operations Center

I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.

Escalation

Posted by Anton Aylward

http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

English: for use in recaptcha

At one level there's the old argument about disclosure of security holes, but this is also an example of 'driving' security improvement.

 

Enhanced by Zemanta
Tagged as: No Comments

Why Info Sec Positions Go Unfilled

Posted by Anton Aylward

http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/

There are many holes in this, but I think they miss some important points.

First is setting IT HR to look for Infosec.
That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: "Should Infosec report to IT?" The overall decision was no;. Infosec might need to 'pull the plug' on IT to protect the organization.Risk management sub processes

Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to "Governance". You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?

Technology won't solve your problems when technology *is* your problem.

InfoSec is about protecting the organization's information assets: those assets can be people, processes or information.  Yes technology may support that just as technology puts a roof over your head (physical security) and somewhere to store the information.  Once this was typewriters, and hand-cranked calculators and filing cabinets, and copying was with carbon paper.  The technology may have changed but most of the fundamental principles have not.  In particular the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.

 


 

How to get a job in security

Posted by Anton Aylward

http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/

I often get hit on by wannabes who want to - as they put it - "break into security" and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.

What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.

If course you could always fake it; there are plenty of diploma mills and no shortage of high profile people who have faked their resumes.

But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:

NEWARK, NJ - DECEMBER 27:  A stranded traveler...

Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.

Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.

He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.

That really inspires confidence in the system, doesn't it?

So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a 'sleeper' for a terrorist organization?

Think again:

Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.

Might we suspect a disgruntled ex-lover?

Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.

Oh, right, there are so many of them, that level of investigation is impractical.

Didn't Bruce Schneier say something about the TSA's approach being impractical, being "Security Theatre"?

Enhanced by Zemanta

If Customers Ask for More Choice, Don’t Listen

Posted by Anton Aylward

Customers are Ignoring You

Customers are Ignoring You (Photo credit: ronploof)

http://blogs.hbr.org/cs/2012/05/customers_arent_as_savvy_as_yo.html

Perhaps the reason that Apple is ahead with the iPod, iPhone and iPad is that the competitors are offering too much choice.

That being said, 'competitive advantage' can lead to paralysis.

In the auto world, each badge, each product line has an 'advantage'.
But what many customers want is a blend.

Suppose you had

  • the hydropnumatic suspension of Citroen
  • the crash survivability of Volvo
  •  the fantastic new six speed high efficiency automatic gearbox that Chrysler is soon to release
  •  the BOSE sound system of a BMW
  •  the capacity of a Dodge minivan
  •  the fuel efficiency of a Prius
  •  the twin camera automatic following/crash avoidance system of a Subaru

all rolled into one ....

The problem is that you can't.

For a while, the IBM-style PC chassis offered that kind of 'blend'.
As the saying went ...

Be very glad that your PC is insecure --it means that after you buy it,
you can break into it and install whatever software you want. What YOU
want, not what [content providers] want.
-- John Gilmore of the EFF

But the majority of consumers are the "lemmings". In reality its like the stage magician fanning a pack of cards and saying "pick a card, any card you want". You don't really have freedom of choice, you can only pick what's offered to you, by the stage magician or the vendor.

And sometimes the constraint of choice, as Apple is doing, says "focus, focus, focus" and play to the Big Brother Knows What's Best For You.
Sometimes it nice not to be stressed by having to make decisions, decisions that might not be optimal (even if the optimization curve is flat and the risk/return ratio is close to zero).

 

Enhanced by Zemanta

Surely compliance is binary?

Posted by Anton Aylward

Call me a dinosaur (that's OK, since its the weekend and dressed down to work in the garden) but ...

Surely COMPLIANCE is a binary measure, not a "level of" issue.
You are either in compliance or you are not.
As in you are either deal or alive.

Social Engineering and sufficency of awareness training

Posted by Anton Aylward

Someone asked:

If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.

Security tokens from RSA Security designed as ...

Yes but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the 'social engineers'. Fight psychology with psychology!

Orwell: a quarter of a century late

Posted by Anton Aylward

http://hdguru.com/is-your-new-hdtv-watching-you/7643/

well 28 years actually ...

So, the two-way tv sets of Orwell's novel have arrived, over a quarter of a century late!

George Orwell in Hampstead On the corner of Po...

George Orwell in Hampstead On the corner of Pond Street and South End Road, opposite the Royal Free Hospital. The bookshop has long gone. (Photo credit: Wikipedia)

It just goes to show. Science fiction things like the Star Trek communicator (Motorola flip phones) or the tricorder (some of the enhanced versions of the Newton) or the data Pad (the real world version has an extra 'i') we do pretty quickly, but if its a mainstream novel, the kind of thing that my old Eng Lit teacher would approve of (he snivelled at SF and cringed at its mention) then it seems three isn't the same enthusiasm about replicating its technology.

Enhanced by Zemanta