Nobody wants to pay for security, including security companies
https://www.linkedin.com/pulse/nobody-wants-pay-security-including-companies-beno%C3%AEt-h-dicaire
In theory, consumers and businesses could punish Symantec for these
oversights by contracting with other security vendors. In practice, there’s
no guarantee that products from other vendors are well-secured, either
— and there is no clearway to determine how secure a given security
product actually is.
Too many firms take an “appliance” or “product” (aka ‘technology”) approach to security. There’s a saying that’s been attributed to many security specialists over the years but is quite true:
If you think technology can solve your security problems,
then you don’t understand the problems and you don’t
understand the technology.
Its still true today.
Can We Secure the ‘Internet of Other People’s Things’?
http://www.eweek.com/security/can-we-secure-the-internet-of-other-peoples-things.html
I think that title expresses the problem very well.
There are a few generalizations and ‘skating on thin ice’ in the article, never the less. Linux itself is not a lightweight OS, though there are stripped down and altered versions, such as Android. Other competing RTOS exist. Some like QNX are much more suited to small embedded devices that don’t have a GPU/GUI and comprehensive set of commands/applications.
The reality is that the inherent model of Linux is NOT real-time, it cannot guarantee a real time response that many embedded systems such as TVs and some classes of network devices demand, especially in a small controller, limited CPU, limited memory configuration.
But yes, the Internet has already shown the problems lie with “Other People”.
Related articles
U.S. Defense Secretary Carter emphasizes culture change needed to
http://www.scmagazine.com/ash-carter-spoke-at-stanford-university/article/411392/
Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.
A real culture change would involve hiring the likes of people such as Marcus Ranum, Gene Spafford, Becky Herrold., and more significantly the very vocal Bruce Schneier AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS. And please note: none of this is new or radical.
But a read of Bruce’s articles blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won’t. The culture change it would require would impact too many vested interests and long held beliefs, even though Bruce — and others — have long since shown them to be in the same class as The Emperor’s New Clothes.
When the government talks of cyber-security experts it really doesn’t want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them — but consistently don’t[1] — tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting ‘uber 133z h4x0r’-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn’t make for good security[2].
Yes, a culture change is needed. But the kind of changes that the ‘insiders’ — and that goes for the media too — envision don’t really amount to a meaningful change.
[1] http://www.gao.gov/key_issues/cybersecurity/issue_summary#t=1
http://www.regblog.org/2014/09/18/18-yang-gao-and-it-oversight-report/
http://www.cnn.com/2014/12/19/politics/government-hacks-and-security-breaches-skyrocket/
[2] The idiom “rearrange the deckchairs on the Titanic” comes to mind
Or perhaps the Hindenburg.
Related articles
14 antivirus apps found to have security problems
http://www.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die
Let us pass over the “All A are B” illogic in this and consider what we’ve known all along. AV doesn’t really work; it never did.
Signature based AV, the whole “I’m better than you cos I have more signatures in my database” approach to AV and AV marketing that so bedazzled the journalists (“Metrics? You want metrics? We can give you metrics! How many you want? One million? Two million!) is a loosing game. Skip over polymorphism and others. The boundary between what actually works and what works for marketing blurs.
So then we have the attacks on the ‘human firewall’ or whatever the buzz-word is that appears in this month’s geek-Vogue magazines, whatever the latest fashion is. What’s that? Oh right, the malware writers are migrating to Android the industry commentators say. Well they’ve tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendor driven – yes vendors try convincing Linux and Apple users to buy AV products, just because Linux and MacOS ran on the same chip as Microsoft they were just as vulnerable as Microsoft, and gave up dunning the journalists and advertising when they found that the supposed market wasn’t convinced and didn’t buy.
That large software production is buggy surprises no-one. There are methods to producing high quality code as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require an discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are drive by ‘lines of code per day’ metrics, feature driven popularity and the ‘first to market’ imperatives.
So when I read about, for example, RSA getting hacked by means of social engineering, I’m not surprised. Neither am I surprised when I hear that so many point of sales terminals are, if not already infected, then vulnerable.
But then all too many organization take a ‘risk-based’ approach that just is not right. The resistance that US firms have had to implementing chi-n-pin credit card technology while the rest of the world had adopted it is an example in point. “It was too expensive” – until it was more expensive not to have implemented it.
Related articles
Data on a Train
http://www.informationsecuritybuzz.com/daily-commute-mean-data/
The latest intelligence on Al-Qaeda, a high profile Child Protection
report and plans for policing the London 2012 Olympics; three very
different documents with two things in common: firstly, they all
contained highly confidential information and secondly, they were all
left on a train.
Or maybe “Strangers on a Train“
Our latest research reveals that two thirds of Europe’s office commuters
have no qualms about peering across to see what the person sitting next
to them is working on; and more than one in ten (14 per cent) has
spotted confidential or highly sensitive information.
Most CEOs clueless about cyberattacks
http://www.zdnet.com/most-ceos-clueless-about-cyberattacks-and-their-response-to-incidents-proves-it-7000025396/#%21
Perhaps that’s cynical and pessimistic and a headline grabber, but then that’s what makes news.
What I’m afraid of is that things like this set a low threshold of expectation, that people will thing they don’t need to be better than the herd.
Former Head Of Airport Security: ‘The TSA Couldn’t Save You From
http://www.businessinsider.com/problems-with-tsa-2013-12
Based on the demonstrated persistence of their enemies, I have a lot of respect for what Israeli security achieves.
Back to Verb vs Noun.
His point about baggage claim is interesting. It strikes me that this is the kind of location serious terrorists, that is the ones who worked
in Europe through the last century, might attack: not just dramatic, but shows how ineffectual airport security really is. And what will the TSA do about such an attack? Inconvenience passengers further.
Full article at
http://www.cracked.com/blog/7-reasons-tsa-sucks-a-security-experts-perspective/
Related articles
Another Java bug: Disable the java setting in your browser
http://www.kb.cert.org/vuls/id/625617
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.
Well, yes …. but.
Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don’t work.
A cautionary tale about the dangers of keeping everything in the Cloud
“Once the hacker gained access to Honan’s iCloud account, he or she
was able to reset his password, before sending the confirmation email
to the trash. Since Honan’s Gmail is linked to his .mac email address,
the hacker was also able to reset his Gmail password by sending a
password recovery email to his .mac address.Minutes later, the hacker used iCloud to wipe Honan’s iPhone, iPad
and Macbook Air remotely. Since the hacker had access to his email
accounts, it was effortless to access Honan’s other online accounts
such as Twitter.”
Every new technology has people, the pioneers, who buy into the vendors hype … and pay a price for that.
We should learn from them.
Related articles
- Hard-Learned Lessons from the Honan Hack (lumension.com)
- 60-minute Security Makeover: Prevent Your Own ‘Epic Hack’ (pcworld.com)
- Former Gizmodo writer Mat Honan’s hacked iCloud password leads to nightmare (nextlevelofnews.com)
- Apple Flooded with iCloud Password Reset Requests Amid Tightened Account Security Controls (macrumors.com)
- How Secure Is the Cloud, Really? (technewsworld.com)
Tight budgets no excuse for SMBs’ poor security readiness
http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/
From the left hand doesn’t know what the right hands is doing department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be “hard-pressed” to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, lets leave the vested interests of security sales aside for a moment.
I read recently an article about the “IT Doesn’t matter” thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don’t fully utilise their resources, don’t fully understand the capabilities of the technology they have, don’t follow good practices (never mind good security), this is all a moot point.
Escalation
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
At one level there’s the old argument about disclosure of security holes, but this is also an example of ‘driving’ security improvement.
Related articles
- How a trio of hackers brought Google’s reCAPTCHA to its knees (arstechnica.com)
- Google’s reCAPTCHA briefly cracked (h-online.com)
- How Hackers Nearly Took Down Google’s ReCaptcha System (gizmodo.com.au)
- How Hackers Listened Their Way Around Google’s Recaptcha (tech.slashdot.org)
- How Hackers Nearly Took Down Google’s reCaptcha System (gizmodo.co.uk)
Why Info Sec Positions Go Unfilled
http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/
There are many holes in this, but I think they miss some important points.
First is setting IT HR to look for Infosec.
That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: “Should Infosec report to IT?” The overall decision was no;. Infosec might need to ‘pull the plug’ on IT to protect the organization.
Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to “Governance”. You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?
Technology won’t solve your problems when technology *is* your problem.
InfoSec is about protecting the organization’s information assets: those assets can be people, processes or information. Yes technology may support that just as technology puts a roof over your head (physical security) and somewhere to store the information. Once this was typewriters, and hand-cranked calculators and filing cabinets, and copying was with carbon paper. The technology may have changed but most of the fundamental principles have not. In particular the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.
Related articles
- Bruce Schneier on the mic: InfoSec 2012 (blog.bt.com)
- InfoSec Sniffs Out Security Risks (prweb.com)
- Incomplete Thought: Offensive Computing – The Empire Strikes Back (rationalsecurity.typepad.com)
- The Infosec Investment Equation: Can You Solve It?… (neirajones.blogspot.com)
- Myth or Fact? Debunking 15 of the Biggest Information Security Myths (tripwire.com)
How to get a job in security
http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/
I often get hit on by wannabes who want to – as they put it – “break into security” and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.
What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.
If course you could always fake it; there are plenty of diploma mills and no shortage of high profile people who have faked their resumes.
But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:
Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.
Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.
He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.
That really inspires confidence in the system, doesn’t it?
So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a ‘sleeper’ for a terrorist organization?
Think again:
Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.
Might we suspect a disgruntled ex-lover?
Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.
Oh, right, there are so many of them, that level of investigation is impractical.
Didn’t Bruce Schneier say something about the TSA’s approach being impractical, being “Security Theatre“?
Related articles
- ‘Dead Man Walking’ Tricks Airport into Giving Him Top Security Job (wired.com)
- Airport worker allegedly had man’s ID before death (heraldonline.com)
- Illegal immigrant used stolen ID to work as airport security supervisor for 20 years (EndtheLie.com)
- Congress considers threats from airport employees (cbsnews.com)
- Nigerian Bimbo Olumuyiwa Oyewole was known by his co-workers as Jerry Thomas (luckmeister.typepad.com)
Managing Software
Last month, this question came up in a discussion forum I’m involved with:
Another challenge to which i want to get an answer to is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privilege access and yet have them get their work done. I am
afraid that if Admin rights are given, they would download software’s at
the free will and introduce malicious code in the organization.
The short answer is “no”.
The long answer leads to “no” in a roundabout manner.
Unless your developers are developing admin software they should not need admin rights to test it.
Social Engineering and sufficency of awareness training
Someone asked:
If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.
Yes but as RSA demonstrated, it is a moving target.
You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the ‘social engineers’. Fight psychology with psychology!
Please Realize That Piracy is a Service Problem.
NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)
The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.
Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.
Yes, if the media industry provided the service that customers want piracy wouldn’t be an issue. As the article says, look at the economics.
It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.
There’s a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn’t cost them any more.
With VHS and DVD there is the cost of production, shipping and retail mark-up. There’s that for every sale. And those are costs that are going up year by year. And if there’s a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.
But with a ‘Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.
Its as if the RIAA have it exactly backwards.
So it costs, what, lets say $20 to buy a movie as a DVD.
That’s my budget. If I got to the store and found the movie I wanted was $5, then I’d be inclined to buy some more. Maybe at $5 a shot I’d spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn’t have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the ‘Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews … you know how it goes, Amazon does it well.
Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.
The RIAA are not just stupid, they are extremely stupid.
A stereotypical caricature of a pirate. (Photo credit: Wikipedia)
Related articles
- A Peek at a Few Trends (laf.ee)
- Software piracy in Canada exceeded $1.1B in 2011 (ctv.ca)
- What’s the true cost of piracy? (infographic) (venturebeat.com)
- US mistakenly seizes a music domain – and holds it for 18 months (art2science.org)
- Study: BitTorrent music piracy increases album sales (electronista.com)
The Death of Antivirus Software
http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html
The real issue here isn’t Ubuntu, or any other form of Linux.
Its that AV software doesn’t work.
PERIOD.
There are over 50,000 new piece of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can’t cope.
This isn’t news. Signature-based (and hence subscription based and hence that whole business model) AV is a wrong headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.
What’s that you say? Other types of AV? Like what?
Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use or any of the word processors you use
or any of the spreadsheet programs you use or any music players you use … and so on.
Many people in the industry – myself included – have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.
Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor – which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature had advantages and its own problems.
The local signature makes things unique to each machine so there is no “master key” out there. If your private key is compromised then do what you’d do with PGP – cancel the old one, generate a new one and sign all your software with the new one.
The real problem, though, is not in having the key compromised but is the problem that has always existed – its the user. Right now, we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don’t bother setting their defaults to “no execution” or just say “yes” to the pop-up asking them to permit execution.
No technical measure can overcome human frailty in this regard.
Related articles
- Avira antivirus upgrade wreaks ‘catastrophic’ havoc on Windows PCs (techworld.com.au)
- How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser 🙂 (shanicomputers.wordpress.com)
- Intel and McAfee unveil plans for unified security future (go.theregister.com)
- John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
- GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
- A Modest Proposal: Please Don’t Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
- Why Authenticity Is Not Security (leviathansecurity.com)
- Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
- ‘Catastrophic’ Avira antivirus update bricks Windows PCs (go.theregister.com)
- Avira fixes antivirus update that crippled many PCs (neowin.net)
- Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
- Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
- Cryptography pioneer: We need good code (infoworld.com)
- Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
- Public Key Cryptography Explained (q-ontech.blogspot.com)
”My dog knows you don’t look like me”
http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157
So do my cats. But so what?
Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apples and every Tablet and smartphone? Perhaps eyeball recognition like in “Minority Report“.
And I’m sure there are _other_ ways to hack that than the one mentioned in the movie.
Related articles
- SSL governance and implementation across the Internet (net-security.org)
- Why change VMware default self-signed SSL certs? (longwhiteclouds.com)
- Biometric apps for Kinect: Microsoft wants to avoid creeping everybody out (geekwire.com)
Doubts about “Defense in Depth”
So to have great (subjective) protection your layered protection and controls have to be “bubbled” as opposed to linear (to slow down or impede a direct attack).
I have doubts about “defence in depth” analogies with the military that many people in InfoSec use.
Read what they are really talking about in those military examples: its “ablation”: that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2). They try to slow down a direct and linear attack, hopefully to a standstill.
As the Blitzkrieg showed in dealing with the Maginot Line, if you “go around it” the defence isn’t a lot of use.
Through the ages of war and politics and empire-hood and nation-hood and tribalism we’ve seen many threats and attacks and subversions used.
The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form. What’s needed is more like an all-enclosing “bubble” rather than something linear with the ‘defence in depth’ model. But that gets back to the problem of the perimeter.
Many wifi enabled devices are really “spies inside the defensive perimeter”.
There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them. No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public — its form of showing that “its doing something”.
But how can we tell? The reality is that “security specialists” are finding errors – never mind deliberately malicious code – in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find “errors” that allow subversion in mainstream IT deceives like home wifi routers (aka the next generation of spambots), home PC software (that’s a no-brainer isn’t it!) never mind commercial databases.
I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html