The InfoSec Blog

Online Ad Industry Threatened by Security Issues

Posted by Anton Aylward

http://www.databreachtoday.com/online-ad-industry-threatened-by-security-issues-a-9488

Most people use ad blockers because they're irritated with some of the intrusive ways ads are presented. But there are also compelling security arguments behind ad blockers. By blocking ads, consumers are better insulated against security risks from malvertisements.

The social media site Reddit, which can be a rich traffic source for publishers, warns users of links to content that demand people to disable their ad blockers, including publishers such as Forbes and Wired.

"Warning! Disabling your ad blocker may open you up to malware infections, malicious cookies and can expose you to unwanted tracker networks," Reddit's warning says. "Proceed with caution."

I don't know whether to be glad or worried by this.
It may be considered unsocial of me, but I use adblockers.

UN privacy head slams ‘worse than scary’ UK surveillance bill

Posted by antonaylward

http://www.theregister.co.uk/2015/11/10/un_privacy_head_slams_uk_surveillance_bill/

Two points in this caught my attention.

Cannataci also argued forcefully that mass surveillance was not the way to
handle the threat from terrorism and pointed to a report by the Dutch
intelligence services that argues that point. "To get real terrorists, you have
to go for good old-fashioned infiltration," he argued, wishing that the security
services would spend less money on computers and more on real people who go out
and get real, actionable intelligence on what people are up to. "It's time to be
realistic and actually examine what evidence shows."

Where have I heard that before?
Oh, wait:

If you think technology can solve your security problems, then you don't
understand the problems and you don't understand the technology
-- Bruce Schneier

Essentially what he's saying is summed up by another Schneier quote:

People often represent the weakest link in the security chain and are
chronically responsible for the failure of security systems
-- Bruce Schneier, Secrets and Lies

Everything old is new again

Posted by Anton Aylward

http://www.databreachtoday.com/whitepapers/seven-reasons-micro-segmentation-powerful-to-have-painless-to-add-w-2704

What's the saying "Those who forget history are doomed to repeat it over again"?

Weren't we doing this with routers and ... well if not firewalls as such then certainly filtering rules in the routers, way back in the 1980s?

Jon Postel, c. 1994 (Photo credit: Wikipedia)

I recall attending a luncheon put on by Dell about "Software Defined networking". Basically it was having routers that were 'agile' enough to change routing and implement tactical policy by load, demand and new devices or devices making processing demands.

Again, we were doing that in the 1980s. I was working with ANS as they cut over the academic internet to the commercial internet with their "CO+RE" pseudo-product. Basically, they had been supporting the academic internet and were now selling commercial services using the same backbones, trunks and "outlets" (sometimes known as 'points of presence'). This 'policy based routing' was carried out by custom-built routers; they were IBM AIX desktop boxes -- the kind I'd used to implement an Oracle-based time management/billing system at Public Works Ottawa a few years earlier -- along with some custom-built T3 interface cards.

The Hidden Curriculum of Work

Posted by Anton Aylward

http://www.strategy-business.com/blog/The-Hidden-Curriculum-of-Work

I think part of the problem I have in dealing with the current generation of head-hunters and corporate recruiters is that they focus on the job description, the check-list. They focus on it in two ways: the first is demanding it of the hiring managers, who are often ill-equipped to write one. Many jobs are not circumscribed, especially in a field like IT, which is dynamic and about continuous learning and adaptation to changing circumstances. All too often the most valuable question I've been able to ask of a manager in a hiring situation amounts to "what do you need done?".
Their description of the work - the WORK, not the JOB - only makes sense in context, a context that another practitioner understands but someone in HR would hear as the gobbledygook of technology-talk. How can you base a bullet-list Job Description on that? Trying to translate it into a vernacular that allows the HR-droid to ask appraisal questions of candidates that the HR-droid can make sense of removes it from what the work is about.

Which leads to the second point.

Nobody wants to pay for security, including security companies

Posted by Anton Aylward

https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire

In theory, consumers and businesses could punish Symantec for these oversights by contracting with other security vendors. In practice, there’s no guarantee that products from other vendors are well-secured, either — and there is no clear way to determine how secure a given security product actually is.

Too many firms take an "appliance" or "product" (aka 'technology') approach to security. There's a saying that has been attributed to many security specialists over the years but is quite true:

If you think technology can solve your security problems,
then you don't understand the problems and you don't
understand the technology.

It's still true today.

Another reason to have a policy not to eat at your operations

Posted by antonaylward

I've worked in places where the policy was that you're not allowed to bring a camera in; that was before cell phones, I admit, but I imagine there are places where such is enforced today. My current cell phone doesn't have the resolution of a spy-era Minox, but there are better ones available, and a phone has a lot more storage and a fair bit of image processing power.

Cyber general: US satellite networks hit by ‘millions’

Posted by antonaylward

http://www.forensicmag.com/news/2015/04/cyber-general-us-satellite-networks-hit-millions-hacks

I wonder what they consider to be a hack? The wording in the article is loose enough to mean that if someone pinged one of their servers it would be considered a hack. Perhaps they even count Google's spider indexing as a probe into their network. It makes me wonder how many 'real' hack attempts are made and how many succeed. All in all, it sounds like a funding bid!

Marcus Ranum once commented about firewall logging that an umbrella that notified you about every raindrop it repulsed would soon get annoying. I suspect the same thing is going on here. Are these 'repulsed' probes really 'need to know'? Are they worth the rotating rust it takes to store that they happened?

Oh, right, Big Data.

Oh, right, "precursor probes".

Can we live without this?

U.S. Defense Secretary Carter emphasizes culture change needed to

Posted by Anton Aylward

http://www.scmagazine.com/ash-carter-spoke-at-stanford-university/article/411392/

Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.

A real culture change would involve hiring the likes of Marcus Ranum, Gene Spafford, Becky Herold and, more significantly, the very vocal Bruce Schneier, AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS. And please note: none of this is new or radical.

But a read of Bruce's blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won't. The culture change it would require would impact too many vested interests and long-held beliefs, even though Bruce -- and others -- have long since shown them to be in the same class as The Emperor's New Clothes.

When the government talks of cyber-security experts it really doesn't want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them -- but consistently don't[1] -- tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting 'uber 133z h4x0r'-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn't make for good security[2].

Yes, a culture change is needed. But the kind of changes that the 'insiders' -- and that goes for the media too -- envision don't really amount to a meaningful change.

[1] http://www.gao.gov/key_issues/cybersecurity/issue_summary#t=1
http://www.regblog.org/2014/09/18/18-yang-gao-and-it-oversight-report/
http://www.ihealthbeat.org/articles/2014/4/4/gao-data-breaches-on-the-rise-at-federal-government-agencies
http://www.cnn.com/2014/12/19/politics/government-hacks-and-security-breaches-skyrocket/

[2] The idiom "rearrange the deckchairs on the Titanic" comes to mind
Or perhaps the Hindenburg.

 

14 antivirus apps found to have security problems

Posted by Anton Aylward

http://www.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die

Let us pass over the "All A are B" illogic in this and consider what we've known all along. AV doesn't really work; it never did.
Signature-based AV, the whole "I'm better than you cos I have more signatures in my database" approach to AV and AV marketing that so bedazzled the journalists ("Metrics? You want metrics? We can give you metrics! How many do you want? One million? Two million!") is a losing game. Skip over polymorphism and the rest. The boundary between what actually works and what works for marketing blurs.

So then we have the attacks on the 'human firewall' or whatever the buzz-word is that appears in this month's geek-Vogue magazines, whatever the latest fashion is. What's that? Oh right, the malware writers are migrating to Android, the industry commentators say. Well, they've tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendor-driven claims - yes, vendors tried convincing Linux and Apple users to buy AV products on the grounds that, because Linux and MacOS ran on the same chip as Microsoft, they were just as vulnerable as Microsoft - were dropped when the vendors gave up dunning the journalists and advertising, having found that the supposed market wasn't convinced and didn't buy.

That large software production is buggy surprises no-one. There are methods for producing high-quality code, as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require a discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are driven by 'lines of code per day' metrics, feature-driven popularity and 'first to market' imperatives.

So when I read about, for example, RSA getting hacked by means of social engineering, I'm not surprised. Neither am I surprised when I hear that so many point of sales terminals are, if not already infected, then vulnerable.

But then all too many organizations take a 'risk-based' approach that just is not right. The resistance that US firms have had to implementing chip-and-PIN credit card technology while the rest of the world had adopted it is a case in point. "It was too expensive" - until it was more expensive not to have implemented it.

 

OpenBSD forks, prunes, fixes OpenSSL

Posted by Anton Aylward

http://www.zdnet.com/openbsd-forks-prunes-fixes-openssl-7000028613/#ftag=RSS86a1aa4

Interesting, eh?

At the very least, this will apply 'many eyes' to some of the SSL code, and so long as the ssh pruning isn't wholesale slash-and-burn, cutting it back may prove efficacious for two reasons.

Less code can be simpler code, with decreased likelihood of there being a bug due to complexity and interaction.

Getting rid of the special cases such as VMS and Windows also reduces the complexity.

POSIX I'm not sure about; in many ways POSIX has become a dinosaur. Quite a number of Linux authors have observed that if you stop being anal about POSIX you can get code that works, and a simple #ifdef can take care of portability. In the 90% case there isn't a lot of divergence between the flavours, and in the 99% case the #ifdef can take care of that.

Whether SSH fits into the 90% or the 99% I don't know. The APIs for 'random' and 'crypto' are in the grey areas where implementations differ but also one where POSIX seems to be the most anal and 'lowest common denominator'. I suspect that this is one where the #ifdef route will allow more effective implementations.
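The #ifdef route for the 'random' API, as an added illustration that is not code from OpenSSL or the OpenBSD fork: a small CSPRNG wrapper that uses the platform's native interface where one exists and falls back to /dev/urandom, handling the short reads and EINTR that the lowest-common-denominator path needs. The function names are my own.

```c
#define _DEFAULT_SOURCE       /* glibc: expose getrandom() and O_CLOEXEC */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Lowest-common-denominator path: /dev/urandom, handling short reads and EINTR. */
int urandom_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {         /* error or unexpected EOF: fail, don't pretend */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__APPLE__)
#include <stdlib.h>
/* BSD family: arc4random_buf() cannot fail and needs no file descriptor. */
int secure_random_bytes(unsigned char *buf, size_t len)
{
    arc4random_buf(buf, len);
    return 0;
}
#elif defined(__linux__)
#include <sys/random.h>
/* Linux: getrandom() waits for a seeded pool; /dev/urandom only if no syscall. */
int secure_random_bytes(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return errno == ENOSYS ? urandom_bytes(buf, len) : -1;
        got += (size_t)n;
    }
    return 0;
}
#else
int secure_random_bytes(unsigned char *buf, size_t len) { return urandom_bytes(buf, len); }
#endif

/* Cheap sanity check: CSPRNG output is never a constant run of bytes. */
int looks_nonconstant(const unsigned char *buf, size_t len)
{
    for (size_t i = 1; i < len; i++)
        if (buf[i] != buf[0])
            return 1;
    return 0;
}

/* Fill a 64-byte buffer; 1 when the call succeeds and the output is plausible. */
int demo_fill(void)
{
    unsigned char buf[64] = {0};
    return secure_random_bytes(buf, sizeof buf) == 0 && looks_nonconstant(buf, sizeof buf);
}
```

The three branches differ only in where the bytes come from; the error handling that callers tend to forget lives in one place.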

We shall see what emerges, but on the whole the BSD team have a reputation for good security practices so I'm hopeful about the quality.

I'd be interested to see their testing approach.

 

What Applicants Should Ask When Interviewing For An InfoSecurity Position

Posted by Anton Aylward

http://www.informationsecuritybuzz.com/applicants-ask-interviewing-information-security-role/

Well what would you ask?

These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?

We should, I think, be asking about "The Tone At The Top", the organization's attitude towards security, but what does that mean in terms of interview questions?

My thoughts tend towards Policy and Certification, but then many of my past clients have been financial, so regulatory compliance looms large for them. I'd certainly ask about Policy: how it is formulated, how it is communicated and how it is enforced. That's not as easy as it sounds: most people know what should be done, but ask that tactlessly and, other than being an opening ("Yes, I can work on that for you"), all you've done is embarrass the interviewer.

So we have a refinement that the article never touched on: this is an interview not an audit.

 

Data on a Train

Posted by Anton Aylward

http://www.informationsecuritybuzz.com/daily-commute-mean-data/

The latest intelligence on Al-Qaeda, a high profile Child Protection
report and plans for policing the London 2012 Olympics; three very
different documents with two things in common: firstly, they all
contained highly confidential information and secondly, they were all
left on a train.

Or maybe "Strangers on a Train"

Our latest research reveals that two thirds of Europe’s office commuters
have no qualms about peering across to see what the person sitting next
to them is working on; and more than one in ten (14 per cent) has
spotted confidential or highly sensitive information.

The Truth About Best Practices

Posted by Anton Aylward

An article on LinkedIn entitled 'The Truth about Best Practices' started a discussion thread with some of my colleagues.

The most pertinent comment came from Alan Rocker:

I'm not sure whether to quote "Up the Organisation", ("If you must have a
policy manual, reprint the Ten Commandments"),  or "Catch-22" (about the
nice "tidy bomb pattern" that unfortunately failed to hit the target), in
support of the article.

Industry-wide metrics can nevertheless be useful, though it's fatal to
confuse a speedometer and a motor.

However not everyone in the group agreed with our skepticism and the observations of the author of the article.
One asked

And Anton, aren't the controls you advocate so passionately best practices?

NOT. Make that *N*O*T*!*!*! Even allowing for the lowercase!

"Best practices" is an advertising line of self-aggrandization invented by the Big Name Accounting Firms when operating in Consulting Mode.Information Security SWOT Analysis

Does ISO 27001 compliance need a data leakage prevention policy?

Posted by Anton Aylward

On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the criteria for choosing a Data Loss Prevention mechanism.


I get criticised occasionally for long and detailed posts that some readers complain treat them like beginners, but sadly if I don't, I get comments such as this in reply:

Anton
Data Loss is something you prevent; you enforce controls to prevent data leakage. DLP can be a programme, but, I find, very difficult to support with a policy.

Does one have visions of chasing escaping data over the net with a three-ring binder labelled "Policy"?

Let me try again.


Policy comes first.
Without policy giving direction, purpose and justification, supplying the basis for measurement, quality and applicability (never mind issues such as configuration) then you are working on an ad-hoc basis.

“Paid to be paranoid”

Posted by Anton Aylward

Read the first four paragraphs of this:

http://hollylisle.com/shoes-and-handbags/

Forget the rest, forget that it's about 'creative writing', just answer that question.

Bruce Schneier, among others, myself included, has asked questions like that. Are you 'paranoid' enough to be in the security business?


One of my colleagues, Rob Slade (yes, *that* Rob Slade), when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is whether there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add, but don't forget that for him it's a day's work and a day's pay.

I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes, those are the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that it's experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is a badge that gets you work. Not so. Mind you, locally the recruiters can't seem to tell what makes InfoSec different from IT. But that's a subject for another time.

And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the 'attack surface'?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the 'recovery mode' (aka: line of retreat)?

If you can't do this, then you shouldn't be in "Security".

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.


Are we fighting a losing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger) have known in our hearts for a long time: AV products don't work.

Tight budgets no excuse for SMBs’ poor security readiness

Posted by Anton Aylward

http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/

From the "left hand doesn't know what the right hand is doing" department:

Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.

Well, let's leave the vested interests of security sales aside for a moment.


I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.

An OP-ED by Richard Clarke on China

Posted by Anton Aylward

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html

This is better written than most 'chicken little' pieces, but please can we have a 'history' of how most nations, including the USA, have engaged in 'industrial espionage'?

I recall a presentation by CSIS that was making the point that Canada's greatest threat on the Industrial Espionage scene was France, and that France had been practising Industrial Espionage against the "English Speaking World" for centuries. And he had evidence to back that up from at least Napoleonic times.

But then don't forget that the "English Speaking World" stole such secrets from China as "Tea":

For centuries, the secret of growing tea was one of China's
most closely-guarded treasures. Along with silk, tea was an
extremely valuable agricultural commodity, prized as a luxury
item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune
dressed as a Chinese man (complete with queue) and set out
to discover the secret of tea-growing. He located the bushes
that produce tea, and stole seedlings that he transported to
British India. China's tea monopoly was broken.

Robert Fortune (1812-1880) (Photo credit: Wikipedia)

Fortune's explorations are detailed in a new book, For All the Tea in China, by Sarah Rose. She frames this not simply as a tale of Victorian exploration, but as early industrial espionage - which, of course, it was.

I'm not saying this justifies anything, any more than the Opium trade or forcing products from the Industrialized West onto Asian markets, also part of our common historic context, justifies any reprisals.

I'm just saying Context is Everything and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.


Managing Software

Posted by Anton Aylward

Last month, this question came up in a discussion forum I'm involved with:

Another challenge to which I want to get an answer is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privileged access and yet have them get their work done? I am
afraid that if Admin rights are given, they would download software at
free will and introduce malicious code into the organization.

The short answer is "no".
The long answer leads to "no" in a roundabout manner.

Unless your developers are developing admin software they should not need admin rights to test it.

Surely compliance is binary?

Posted by Anton Aylward

Call me a dinosaur (that's OK, since it's the weekend and I'm dressed down to work in the garden) but ...

Surely COMPLIANCE is a binary measure, not a "level of" issue.
You are either in compliance or you are not.
As in, you are either dead or alive.