The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

May 15th, 2012

If Customers Ask for More Choice, Don’t Listen

Customers are Ignoring You (Photo credit: ronploof)

http://blogs.hbr.org/cs/2012/05/customers_arent_as_savvy_as_yo.html

Perhaps the reason that Apple is ahead with the iPod, iPhone and iPad is that the competitors are offering too much choice.

That being said, ‘competitive advantage’ can lead to paralysis.

In the auto world, each badge, each product line has an ‘advantage’.
But what many customers want is a blend.

Suppose you had

  • the hydropneumatic suspension of Citroen
  • the crash survivability of Volvo
  • the fantastic new six-speed high-efficiency automatic gearbox that Chrysler is soon to release
  • the BOSE sound system of a BMW
  • the capacity of a Dodge minivan
  • the fuel efficiency of a Prius
  • the twin-camera automatic following/crash avoidance system of a Subaru

all rolled into one ….

The problem is that you can’t.

For a while, the IBM-style PC chassis offered that kind of ‘blend’.
As the saying went …

Be very glad that your PC is insecure – it means that after you buy it,
you can break into it and install whatever software you want. What YOU
want, not what [content providers] want.
– John Gilmore of the EFF

But the majority of consumers are the “lemmings”. In reality it’s like the stage magician fanning a pack of cards and saying “pick a card, any card you want”. You don’t really have freedom of choice; you can only pick what’s offered to you, by the stage magician or the vendor.

And sometimes the constraint of choice, as Apple is doing, says “focus, focus, focus” and plays to the idea that Big Brother Knows What’s Best For You.
Sometimes it’s nice not to be stressed by having to make decisions, decisions that might not be optimal (even if the optimization curve is flat and the risk/return ratio is close to zero).

March 24th, 2012

Surely compliance is binary?

Call me a dinosaur (that’s OK, since it’s the weekend and I’m dressed down to work in the garden) but …

Surely COMPLIANCE is a binary measure, not a “level of” issue.
You are either in compliance or you are not.
As in you are either dead or alive.

Now it may be that some “standard” (such as ISO27001) has a number of clauses and it’s possible to be in compliance with some and not with others, and so fall into the delusion that you are “82% compliant” with the standard. This gets back to the silliness of exams where you are not expected to be able to answer all the questions and so the pass mark was 65%. In actuality it’s a recipe for disaster; if you’re only required to have 65% of the items compliant to “pass” then the standard is a joke.

It brings to mind the advert for the disinfectant that “kills 99% of all known germs”. OK, but that remaining 1% is highly deadly and highly infectious. And then what about the Rumsfeld Class III germs?

No, really, would you let a military expedition or a group of mountaineers attempt to scale Mt Everest with only the “passing grade” – 65% – of the equipment (be it food, ammunition, ropes, insulated clothing, whatever) that they needed?

So there’s this marriage ceremony and the groom only manages to get 65% of the way to the church; is that a passing grade? Ask the bride what she thinks.

No, compliance is binary.

Compliance Bridge - Broad requirements so that clients are Ready, Willing and Able to comply. (Photo credit: Wikipedia)

March 23rd, 2012

Social Engineering and sufficiency of awareness training

Someone asked:

If you have good information security awareness amongst
the employees then it should not be a problem what kind of attempts
are made by the social engineers to glean information from
your employees.

Yes but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process: educate new hires and educate on new techniques and variations that may be employed by the ‘social engineers’. Fight psychology with psychology!

March 22nd, 2012

Orwell: a quarter of a century late

http://hdguru.com/is-your-new-hdtv-watching-you/7643/

well 28 years actually …

So, the two-way tv sets of Orwell’s novel have arrived, over a quarter of a century late!

George Orwell in Hampstead On the corner of Pond Street and South End Road, opposite the Royal Free Hospital. The bookshop has long gone. (Photo credit: Wikipedia)

It just goes to show. Science fiction things like the Star Trek communicator (Motorola flip phones), the tricorder (some of the enhanced versions of the Newton) or the data Pad (the real-world version has an extra ‘i’) we do pretty quickly. But if it’s a mainstream novel, the kind of thing that my old Eng Lit teacher would approve of (he snivelled at SF and cringed at its mention), then it seems there isn’t the same enthusiasm about replicating its technology.

March 7th, 2012

The 19 most maddening security questions | Security – InfoWorld

http://www.infoworld.com/d/security/the-19-most-maddening-security-questions-187983

An interesting list, since it covers issues of public structural security.

I recall reading that the greatest contribution to the health of individuals came about from good public sanitation and clean water, that is civic changes (presumably enabled by legislation) that affected the public in a structural manner.

What would be on your list?

A poster for drinking water security from the EPA (Photo credit: Wikipedia)

February 8th, 2012

Upside and downside: How I hate Journalists

http://compliancesearch.com/compliancex/insider-trading/senate-votes-to-ban-insider-trading-by-its-members/

And this doesn’t actually stop them from making use of ‘insider information’; they just have to declare it within 30 days.

No, wait, sorry … you mean that the legislators are saying that legislators shouldn’t do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? …

It gets worse:

http://compliancesearch.com/compliancex/insider-trading/house-republicans%E2%80%99-insider-trading-bill-accused-of-catering-to-insiders/

I’d like to claim the system is rigged so ‘the rich get richer’ but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in Washington, never mind the rest of the USA and points elsewhere on the physical compass.

http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart

Just those two show we need more than 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.

http://en.wikipedia.org/wiki/Political_spectrum

Try this test:
http://www.politicalcompass.org/

How does this all relate to InfoSec, you ask?
Well, part of that Political Compass is a view of ‘how authoritarian’.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees Have Access to the Internet, and the like.

Hans Eysenck pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.

How many more such simplistic distinctions, such as those foisted on us by journalists, are equally meaningless?

Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of ‘root cause analysis’ is no longer used in analysing plane crashes. The reality is that “it’s not just one thing”; it’s many factors. We all know that applies in most areas of life.

I suspect most people know that too; it’s not restricted to the digerati.
There is the old ditty that explains how, for want of a nail, an empire was lost, but no-one is proposing that we fix the failings of the “American Empire” by manufacturing more nails.

Except possibly Journalists.

January 24th, 2012

The Death of Antivirus Software

http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html

The real issue here isn’t Ubuntu, or any other form of Linux.
It’s that AV software doesn’t work.
PERIOD.

There are over 50,000 new pieces of malware developed and released daily. The very nature of the AV software model that John McAfee foisted on the industry simply can’t cope.

This isn’t news. Signature-based (and hence subscription-based, and hence that whole business model) AV is a wrong-headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.

What’s that you say? Other types of AV? Like what?

Well, you could have a front-end engine that checks all downloads, all email and email attachments, and all URL responses by emulating what would happen when they run on any PC, in any browser, or in any other piece of software: any of the PDF readers you use, any of the graphical display software you use, any of the word processors you use, any of the spreadsheet programs you use, any music players you use … and so on.

Many people in the industry – myself included – have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.

Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor – which can be a good thing – and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature has advantages and its own problems.

The local signature makes things unique to each machine so there is no “master key” out there. If your private key is compromised then do what you’d do with PGP – cancel the old one, generate a new one and sign all your software with the new one.
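A toy version of the per-machine signing scheme described above, as an added example (not code from the post or from any vendor’s product), using Go’s standard-library Ed25519: the machine key signs each installed library, the loader refuses anything that does not verify under that key, and Rekey is the PGP-style recovery after a private-key compromise. The type and function names and the library bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Library stands in for an installed shared object: its bytes plus the
// detached signature the install step attached under the machine key.
type Library struct {
	Name string
	Code []byte
	Sig  []byte
}

type MachineKey struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewMachineKey() (*MachineKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &MachineKey{Pub: pub, priv: priv}, nil
}

// digest binds the signature to the library's name as well as its bytes,
// so a correctly signed file cannot be swapped in under another name.
func digest(name string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator: name and code cannot blur into each other
	h.Write(code)
	return h.Sum(nil)
}

// Install signs a library at install time with this machine's key.
func (k *MachineKey) Install(name string, code []byte) Library {
	return Library{Name: name, Code: code, Sig: ed25519.Sign(k.priv, digest(name, code))}
}

var ErrUnsigned = errors.New("loader: signature does not verify under the machine key")

// Load is the loader/kernel check: only code signed by this machine runs.
func Load(pub ed25519.PublicKey, lib Library) error {
	if !ed25519.Verify(pub, digest(lib.Name, lib.Code), lib.Sig) {
		return ErrUnsigned
	}
	return nil
}

// Rekey is the recovery after a private-key compromise: make a fresh key and
// re-sign the inventory of legitimately installed libraries. Anything signed
// only under the old key (whoever signed it) stops loading from then on.
func Rekey(inventory []Library) (*MachineKey, []Library, error) {
	k, err := NewMachineKey()
	if err != nil {
		return nil, nil, err
	}
	resigned := make([]Library, 0, len(inventory))
	for _, l := range inventory {
		resigned = append(resigned, k.Install(l.Name, l.Code))
	}
	return k, resigned, nil
}

func main() {
	k, _ := NewMachineKey()
	lib := k.Install("libexample.so", []byte("constructed library bytes"))
	fmt.Println("genuine:", Load(k.Pub, lib))
	lib.Code = append(lib.Code, " + implant"...)
	fmt.Println("tampered:", Load(k.Pub, lib))
}
```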

The real problem, though, is not in having the key compromised but is the problem that has always existed – it’s the user. Right now, we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don’t bother setting their defaults to “no execution” or just say “yes” to the pop-up asking them to permit execution.

No technical measure can overcome human frailty in this regard.

January 19th, 2012

“My dog knows you don’t look like me”

http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157

So do my cats. But so what?

Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apple and every tablet and smartphone? Perhaps eyeball recognition like in “Minority Report”.

And I’m sure there are _other_ ways to hack that than the one mentioned in the movie.

August 24th, 2011

The real reasons for documentation – and how much

The documentation required and/or needed by ISO-2700x is a perennial source of dispute in the various forums I subscribe to.

Of course management has to define matters such as scope and applicability and the policies, but how much of the detail of getting there needs to be recorded? How much of the justification for the decisions?

Yes, you could have reviews and summaries of all meetings and email exchanges …

But that is not part of the standard and has nothing to do with its requirements.

The standard does NOT require a management review meeting.

August 22nd, 2011

Your Asset is my Consumable


August 18th, 2011

TV kills!

I keep telling everybody that TV is injurious to your (mental) health, but does anyone listen?

Why should they?
They didn’t when Gerry Mander presented his Four Arguments for the Elimination of Television, and he was in a position to know.

August 9th, 2011

His Bipolar made him do it

http://compliancesearch.com/compliancex/current-affairs/his-bipolar-made-him-do-it/

An accused hedge fund fraudster’s mother is showing support by claiming her son is not to blame for defrauding investors out of over $2.3 million; it’s his bipolar’s fault.

Well, it’s better than “The Dog Ate My Homework”.

Keep taking the tablets, Mr Klatch!


August 6th, 2011

Schneier on Security: Hacking Cars Through Wireless Tire-Pressure

http://www.schneier.com/blog/archives/2010/08/hacking_cars_th.html

A few alarming things here.
More nanny state:

In other words, the nanny state is forcing upon us expensive and insecure systems that aren’t as effective as a human being just doing what he’s supposed to, but we should just think of the children we’re “protecting” with this misguided effort.

Never mind the basic Orwellian aspects.

But the basic problem is the knee-jerk reaction of Congress combined with lack of understanding of science and technology and legislation that, by specifying method rather than objectives, plays, misguidedly, into the hands of one vendor.

They did this with emission control.
The Japanese could beat the original standard by engine design.
They did this with the old Honda CVXX.
GM wasn’t worried; they said it was a technique only for small-engine cars. Then Honda did it for larger engines. At the time GM had cornered the market in platinum, so they got Congress to write the law specifying the HOW in their favour. Of course that advantage no longer exists, but we still have the expense of the platinum ‘converters’.

Now we have more expense.

TPMS became mandatory because of public backlash after the Firestone/Ford Explorer debacle. The public saw cars flipping over on TV and called up Congress and demanded that they “do something!”


July 21st, 2011

Economic Impact: Patent trolls chase app developers out of the U.S

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed, poor credit rating among them, and lack of availability of investment.

July 8th, 2011

He’s not Ian Paisley

Image of Ian Paisley cropped from Image:Ian_Pa... (Image via Wikipedia)

I was at a presentation yesterday.
One of the vendor’s speakers, I’m sorry to say, was a CISSP.

OK, he wasn’t Ian Paisley or any other radical religious zealot.

BUT he was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam), and just watch what he says: we must open our hearts to Christ (aka his company’s products) and be SAVED by following the One True Faith (only buying his company’s products) and repenting for our sins (having his company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but it’s still fascinating to watch. But as with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day’s event also had some good speakers. It had some straightforward and ‘humble’ people who explained matters clearly and without drama, stated the issues and the scope of threats and vulnerabilities and how and why their product did what it did. All without the drama, all without the hectoring or intimidation.

April 19th, 2011

Congressman blames U.S. unemployment crisis on iPad

http://www.zdnet.com/blog/apple/congressman-blames-us-unemployment-crisis-on-ipad/9968?tag=nl.e539

In it U.S. Representative Jesse Jackson Jr (D-IL) blasts Apple and Steve Jobs claiming that the iPad is responsible for killing thousands of American jobs.

Jesse Jackson i Almedalen 2011 (Image by Socialdemokrater via Flickr)

In the rambling manifesto Jackson claims that the iPad is to blame because it enables anyone to easily download books and newspapers. Thus everyone who works at bookstores (i.e. Borders) or the publishing industry will lose their jobs to workers making iPads in China.

Over the top?

Well, he is a politician.

However, there is this:

Yet, last week, the president met with eight CEOs such as the heads of Xerox and American Express to ask what he could do that would give them confidence to invest in the United States. But these are precisely the wrong people with whom to consult and the question is precisely the wrong question. They are the wrong people because they have benefited enormously from offshoring and from the distortions built into the global system. Their interest is not the same as that of the United States but rather that of their shareholders and, in some cases, of the authoritarian governments of the countries to which they have moved much of the production capacity. The question is wrong because rather than trying to bribe them the president should, a la The Godfather, be making them “offers they can’t refuse.”

In South Carolina, Governor Perry emphasized that he would make Washington disappear from the lives of the people in his audience. That did not strike me as the comment of a person using all his power to find jobs.

But think about it for just a moment. There will be no more significant fiscal stimulus for the economy. The emphasis is all on debt reduction, cutting expenditures, and retrenching. Not only will the federal government be cutting back, but the state and municipal governments are already slashing and burning. All of this will result in further job reduction, less consumer spending, and declining stimulus which in turn will lead to reluctance on the part of business to invest. In these circumstances, the only possible source of jobs is a reduction of the trade deficit.

He or she who wakes up to this fact first is likely to be the next president.

That’s my emphasis in red.

These executives are responsible to the shareholders, through the board. If the economic climate and system of taxation – that is, the employment costs – make it favourable to employ foreign workers rather than American workers, then that is what these people will do. If they do otherwise then they are clearly not acting in the best interests of their corporations and will be dismissed and replaced by someone who will. This is basic corporate economics, and any politician who fails to recognise it may be popular for crowing about “America First” but is displaying woeful ignorance.

The other way to look at it is that US workers have priced themselves out of the market.

Dwight D. Eisenhower photo portrait. (Image via Wikipedia)

A people that values its privileges above its principles soon loses both.
Dwight D. Eisenhower, Inaugural Address, January 20, 1953

April 15th, 2011

Requirements for conducting VA and PT tests

On one of the lists I subscribe to I saw someone make this alarming comment:

There may be better and cheaper ways, but I suspect that an outsider walking in and gaining root on your core database is much more convincing than an auditor pointing out the same vulns.

That is a very sad situation to be in, since it

  1. shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors, who are trained not only in assessing the system but in assessing the business impact of the risks associated with a vulnerability;
  2. has no guarantees about what collateral damage the outsider had to do to gain root;
  3. says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures;
  4. indicates that your management doesn’t understand or make use of a proper development-test-deployment life-cycle.

Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic.

March 1st, 2011

Security and efficiency

You gotta love the low-tech solution. It’s really never NOT about people, is it? :-)

Darn tooting right!
It’s always people. Any way you look at it.
Which is why I go on about The 11th Domain.

Why does the CBK place so much emphasis on technology when the (ISC)2’s motto is “Security transcends technology”, and why does it give so little to the “people” aspect: the social structures of organizations, behavioural psychology, group psychology and a lot more, all of which are “about people” and probably have greater leverage as far as InfoSec “Getting Things Done” is concerned (especially in a stress-free manner)?

As I said previously, I think we’re doing it wrong; and I don’t mean just Risk Assessment!

January 31st, 2011

IT AUDIT VS Risk Assessment – 2

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is the foundation of information security. You first need to know where the risk is before putting up any controls to mitigate that risk. Putting up ad hoc controls will not make the controls effective nor will it protect the organizations against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context – read that as sophistication and awareness of the baseline risks – to see that there should be a set of baseline controls: IAM, firewall, AV, backups and so forth. We don’t need to leave the assets exposed to threats while we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

You don’t need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.

I certainly wouldn’t call this approach “ad hoc”.

January 6th, 2011

Risk due to network administrators

Someone on a forum I subscribe to suggested that there is a major risk of network administrators misusing their privileges. Why admins rather than CFOs, CEO or other staff, I don’t know.

“Major”?
As in often?
As in large impact that stops the business operating?

If it’s that bad why not just get rid of them?
It’s probably easier to automate their job than that of the CFO.

I’ve written here and elsewhere that many people from a technical background don’t understand ‘risk’. Not only do businessmen view risk differently, but risk only occurs when you have something that may offer an advantage – else why would you be doing it?

The limiting case is gambling at a casino or playing . You bet against the odds because you might win. Businesses take business risks because they can make a profit.

But in gambling and business you can only lose as much as you bet, and you have a pretty good idea of the odds – in a casino you know them for sure. In InfoSec we don’t know the odds (except when they are a certainty, like SPAM or viruses).

So think in business terms.
Companies employ system and network administrators.
Big deal.
They also employ accountants and CFOs.
Who do you think could cause more harm to the business?
A network admin reading other people’s mail or a CFO that defrauds the company by writing phony cheques?

So if a network admin is a “major” threat because of what he _might_ do, *if* you employ a scum-bag and *fail* to do a background check or get him pizzed off, then what grade of threat do you think a similar CFO rates?

Context, I keep telling you, is Everything.