Laws won’t stop cybercriminals, say experts

They won’t?
Tell us something we didn’t know.

(A follow-on to http://www.securityabsurdity.com/failure.php)

Is this any different from the Canukistani Federal Gun Registry Boondoggle?
You expect criminals to register their guns?

“You can’t attack this castle unless you are this high”
It’s back to erecting a pole in your garden for the burglars to run into and knock themselves out on.

http://www.infoworld.com/article/06/05/10/78183_HNlegalsol_1.html

Terrorists and organized criminals are using computer vulnerabilities to line their pockets, but many cybersecurity ideas coming out of the U.S. Congress may not help much, some experts said Wednesday.

Congress tends to make reactive laws, too late, that address style not substance and get rolled in with other matters that dilute and weaken. Look at DHS. Where’s its budget? Where’s its vision?

I’ve read other articles recently to the effect that people who manage technology can no longer remain ignorant of the technologies they manage. Sadly, we’ve had a ‘management’ view that the science of management is independent of what it manages. We are not seeing the end of that paradigm.

Since a rash of data breaches in early 2005, Congress has introduced more than 10 bills related to data breach notification.

TEN!! Can’t they get it right?
Obviously not.
But with a shotgun you don’t have to be precise, do you?

The working model for a data breach bill seems to be the SOX law, which has cost U.S. businesses hundreds of millions of dollars, Kobayashi said. “The model is a sledgehammer,” he said. “What economists hope is Congress steps back and looks at the costs and benefits before they do something like that.”

I’m sorry? Why should they do that?
Yes it would be nice, even sensible, but what evidence is there from past behaviour that they do this?

Instead of waiting for Congress to act, businesses should demand more secure IT products, said Ken Silva, chief security officer for security vendor VeriSign Inc. He encouraged technology buyers to join organizations that advocate for more secure products.

Well, let’s skip the ‘self-serving’ bit in that, and just look at “What do you mean by ‘secure’?”. When we’ve solved that we can start on the trivial stuff like “Does God exist?” and “Why do men and women have trouble communicating?”.

“We can’t wait for Congress to solve this problem because it’s not going to solve the problem,” Silva said. “The fact of the matter is extortion is already illegal. Passing a law to make electronic extortion even more illegal looks good on television, but it doesn’t really solve the problem.”

Therein lies the difference between the US and the Canukistani approach. Here in the GWN we have a “Criminal Code”. Instead of whole new bills that are “Seen to be doing something”, we insert an extra clause in the Criminal code to extend scope or definition.

As it says above, extortion is extortion is extortion. Fraud is fraud is fraud is fraud. It doesn’t matter what medium or technology.

This is no different from what I preach in my workshops on Developing Policies and Procedures. I try to show that your “Access Control” policy is NOT about passwords, it’s about authorization – be it to the computer, the parking lot or the executive washroom. If you have all your policy as ‘reductionist’ low-level statements, each one addressing a technology rather than a principle, you will be forever revising them.

But some people never seem to learn from past mistakes. What’s the line in my quotable quote database…

People who won’t quit making the same mistake over and over are what we call conservatives.
– Richard Ford, in his novel Independence Day

(Note the small ‘c’. Ford should have listened to Disraeli.)
However I can find about a dozen more in the quotes database that are appropriate.

New twist on laptop theft

We’ve all read about how the Big N-1 accounting firms have had laptops stolen with financial & personal details of their clients’ employees.

Well, here’s a new twist on laptop theft.

http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/08/MNGE9I686K1.DTL

A San Francisco finance manager stopped in at a Mission District cafe and was tapping on his laptop as he enjoyed his coffee just before noon on a Thursday. Suddenly, he was under siege.
“I looked up, and I saw this guy leaning into me as if he was asking a question,” he said. “I leaned forward, and out of the corner of my eye, I saw someone fiddling with the computer cord. I tried to stand up, and as I stepped back, he stabbed me in the chest.”
The attack marked a violent turn in a wave of crime that has hit the city — the “hot spots” frequented by wireless laptop users are becoming hot spots for laptop robberies.
The 40-year-old San Francisco victim of the March 16 attack suffered a partially collapsed lung and was hospitalized for six days. The two suspects fled with his Apple PowerBook, worth $2,500.

The punchline:

The victim in San Francisco’s Mission Creek Cafe stabbing, who requested that his name not be used, said since he was attacked, his friends from New York have urged him to go back there. It’s safer, they say.

The moral of the story is: Telecommuting is fine but telecommute from home, don’t skive off to the local coffee shop while you’re supposed to be working.

It’s a crime to delete files

Occasionally I pluck up enough courage to read the Risks Digest.
I found this: http://catless.ncl.ac.uk/Risks/24.20.html#subj6

If you don’t read Risks Digest regularly you probably have a cheerful and upbeat disposition and positive outlook on the world and hope for mankind’s future.
If you DO read Risks Digest then you probably don’t need to read apocalyptic SF, as you’d find it unrealistic. It’s not technology that’s going to destroy the world: not Global Thermonuclear War, no Nuclear Winter, no nanite “Green goop” scenario, not biotech poisoning.

It will be lawyers and politicians!

Now suppose that in this case Mr Citrin also kept purely personal stuff on the laptop: his calendar also included things like PTA meetings, kids’ baseball games, addresses of relatives … and he deleted those.

From my list of quotable quotes – this seems apropos:

The Internet is not the greatest threat to information security; stupidity is the greatest threat to information security.
– Will Spencer

Better than Free Chocolate Bars

Some while ago people were persuaded to give up their passwords in exchange for a chocolate bar. This goes one better.

With chocolate bars you only get the password, which is not a lot of use unless you’re already behind the corporate firewall.
http://www.networkworld.com/news/2006/031306-free-cds-security-weakness.html

To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind.
By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London’s financial district last month was more nefarious than it appeared.
Like flies to garbage, dozens of victims took the CD, unable to control the irresistible attraction of “free.”
Secret agents behind enemy lines, the CDs piggybacked through companies’ physical security systems tucked in the bags and pockets of their couriers. The office workers dutifully took the CDs to their desks and plopped them in their employers’ computers.

There’s a moral here. But the implication that people can be so easily subverted is frightening.

“Vendors that don’t understand security, except that it will make them money”

That assertion is the title of this article:
http://www.crn.com/showArticle.jhtml?articleID=180203279

I think they used the wrong tagline!

“Just about everyone is hawking security, secure networks, secure systems, secure applications, secure websites, secure whatever,” … “It is pretty clear that most of them don’t even know what security means, but they do know one thing: Security sells.”

Why does Internet Security Systems CEO Thomas Noonan say this?

“Business enterprises are starving for the solutions that live up to this hype,” he said. “Last year alone, the financial losses resulting from online fraud, theft and business disruption proved unequivocally that trustworthy, self-defending, fearless networks are failing.”

Oh, so he’s targeting Cisco. Well, that’s understandable, one vendor sniping at another, even though his premise and evidence are – dare I say it – statistically evident.

The conclusion – this is a vendor speaking, remember – is foregone.

Best-of-breed technology and security suites are not enough to solve today’s security challenges, Noonan said. The answer is through what ISS is calling security platforms.

So, guys and gals, what do YOU think is the answer?

Gates says security boils down to four focus areas

http://www.networkworld.com/news/2006/021406-gates-keynote-rsa-security.html

However, it’s unclear from the article what those four areas are.

The best quote I can find relating to it is:

Gates then launched into the importance of security going forward and categorized a set of priorities under four headings: trust ecosystem, engineering for security, simplicity, and fundamentally secure platforms.

… but later …

Gates gave very little in the way of new initiatives or ideas at Microsoft for meeting his four broad goals, instead tailoring his remarks around announced features in the upcoming Windows Vista client operating system including smart card support, identity technology called InfoCard, and improvements in the Internet Explorer browser.

so I wonder what substance there is. Later on in the article:

Gates used the demo to highlight his trust ecosystem, one of his four priority areas for improving security. “We have chains of trust,” Gates said. “What we need to do is track those trust relationships, to grab permissions, to revoke those trust relationships, to develop reputation over time.” He said today people live without a trust ecosystem.

I’m not sure I like the idea of “grabbing” permissions. My mother always told me it was rude to grab. Do you think software and system engineering rates well on

  • trust ecosystem,
  • engineering for security,
  • simplicity,
  • fundamentally secure platforms.

Of those … well, ‘simplicity’, yes, but be careful; there are many naive approaches to that. As for fundamentally secure platforms – hogwash! We do know how to engineer secure and reliable systems from insecure and unreliable components. We’ve been doing it for years in other fields. Perhaps what we really need to do is to overthrow the mystique of computers and treat software like any other engineering discipline. Where is Steve McConnell when you need him?