The InfoSec Blog

Cyber general: US satellite networks hit by ‘millions’

Posted by antonaylward

http://www.forensicmag.com/news/2015/04/cyber-general-us-satellite-networks-hit-millions-hacks

I wonder what they consider to be a hack? The wording in the in the article is loose enough to mean that if someone pinged one of their servers it would be considered a hack. Perhaps they even they count Google spider indexing as a probe into their network. It makes me wonder how many 'real' hack attempts are made and how many succeed. All in it, it sounds like a funding bid!

Marcus Ranum once commented about firewall logging that an umbrella that notified you about every raindrop it repulsed would soon get annoying.I suspect the same thing is going on here. Are these 'repulsed' probes really 'need to know'? Are they worth the rotating rust it takes to store that they happened?

Oh, right, Big Data.

Oh, right, "precursor probes".

Can we live without this?

Should all applicable controls be mentioned in documenting an ISMS?

Posted by Anton Aylward

In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with what we did but the reasoning behind those decisions. This was so that if anything happened to use kn knowledge about the work, the project, what had been tried and thought about was lost, if, perhaps, we were 'hit by a bus on the way to work'.

At that point whoever was saying this looked toward a certain office or certain place in the parking lot. One of the Project managers drove a VW bus and was most definitely not a good driver!

So the phrase 'document everything in case you're hit by a bus' entered into the work culture, even after that individual had left.

And for the rest of us it entered into our person culture and practices.

Oh, and the WHY is very important. How often have you looked at something that seems strange and worried about changing it in case there was some special reason for it being like that which you did no know of?
Unless things get documented .... Heck a well meaning 'kid' might 'clean it out' ignorant of the special reason it was like that!

So here we have what appear to be undocumented controls.
Perhaps they are just controls that were added and someone forgot to mention; perhaps the paperwork for these 'exceptions' is filed somewhere else[1] or is referred to by the easily overlooked footnote or mentioned in the missing appendix.

It has been pointed out to me that having to document everything, including the reasons for taking one decision rather than another, "slows down work". Well that's been said of security, too, hasn't it? I've had this requirement referred to in various unsavoury terms and had those terms associated with me personally for insisting on them. I've had people 'caught out', doing one thing and saying another.
But I've also had the documentation saving mistakes and rework.

These days with electronic tools, smartphones, tablets, networking, and things like wikis as shared searchable resources, its a lot easier.[2]

Sadly I still find places where key documents such as the Policy Manuals and more are really still "3-ring binder" state of the art, PDF files in some obscure[1] location that don't have any mechanism for commenting or feedback or ways they can be updated.

Up to date and accurate documentation is always a good practice!

[1]http://hitchhikerguidetothegalaxy.blogspot.ca/2006/04/beware-of-leopard-douglas-adams-quote.html
[2] And what surpises me is that when I've implemented those I get a 'deer in the headlight' reaction from staff an managers much younger than myself. Don't believe what you read about 'millennials' being better able to deal with e-tools than us Greybeards.

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.

Image representing XMind as depicted in CrunchBase

Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.

Escalation

Posted by Anton Aylward

http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

English: for use in recaptcha

At one level there's the old argument about disclosure of security holes, but this is also an example of 'driving' security improvement.

 

Enhanced by Zemanta
Tagged as: No Comments

All Threats? All Vulnerabilities? All Assets?

Posted by Anton Aylward

One list I subscribe I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset - that means that you have to
consider whether every threat from your list is related to each of
your assets.

"All"? "Every"?
I certainly hope not!
Unless you have a rule as to where to stop those lists - vectors that you are going to multiply - are going to become indefinitely large if not infinite. Its a problem in set theory to do with enumberability.

See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of 'risk'.

See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder has a discussion of the "utility value" approach to controls

Because its the controls and their effectiveness that really count.

Google Phasing out Windows

Posted by Anton Aylward

http://www.h-online.com/security/news/item/Report-Google-phasing-out-internal-use-of-Microsoft-Windows-1012679.html

"According to a report in the Financial Times, Google are phasing
out the use of Microsoft's Windows within the company because of
security concerns. Citing several Google employees, the FT report
reports that new hires are offered the option of using Apple Mac
systems or PCs running Linux. The move is believed to be related to a
directive issued after Google's Chinese operations were attacked in
January. In that attack, Chinese hackers took advantage of
vulnerabilities in Internet Explorer on a Windows PC used by a Google
employee and from there gained deeper access to Google's single sign
on service.

Security as a business decision?
Don't make me laugh!
Look at what precedence they've shown!
Look at Microsoft's attitude and approach to security (no matter how flawed the end result) and compare it with the public stance Google has taken.

No, this is about Business Politics.
Microsoft has been 'staggering' this last decade and now Apple is on the ascendency and the real battle will no longer be in the PC world but in the consumer world with embedded systems.
On the surface this will be Android vs Apple, but since embedded Linux goes so much further, embedded in TVs, GPS units, traffic light controllers, and perhaps it will even replace UNIX in telephone
exchanges (ha-ha-ha!) there's more potential.
(Freudian slip: I just wrote portential.)

Yes, Microsoft hasn't been asleep in the embedded market, or the phone/PDA market, but compared to Linux its a resource hog. To top that, its also proprietary, so vendors rely on Microsoft for the porting to new processor/hardware and for support. Linux/Android doesn't have that limitation. And there are plenty of 'kiddies' eager to play with Android (source) on a new toy.

No, this isn't a security issue, its a business and political issue.
If Google is pushing its range of Android products then it doesn't want to have people - journalists, investors, bloggers - saying "yes, but you USE Windows even though you preach Linux".

Or perhaps you though Google was taking the "High Moral Ground"?
No, I think they are taking the advice of Sun T'Zu and applying it to business

"For them to perceive the advantage of defeating the enemy, they must
also have their rewards."

Betcha Google will be supplying Android phones/slates/pads to its workers.

"He who knows when he can fight and when he cannot, will be victorious."

Look at that ZDNet article and think about the timing of Google's announcement.

"It is essential to seek out enemy agents who have come to conduct
espionage against you and to bribe them to serve you. Give them
instructions and care for them. Thus doubled agents are recruited and used."

Think about that one.

"Opportunities multiply as they are seized."

And look how Android is spreading.
Balmer said Linux was a virus - yes a "meme".

"Thus, what is of supreme importance in war is to attack the enemy's strategy."

Indeed. Microsoft has proclaimed a commitment to "security". Bill Gates said so. That is their "strategy". But Google is working on the fact that Microsoft products still have security flaws. Regardless of the reality, that is "voice" of this announcement. They are saying that Microsoft's strategy isn't working. They are attacking it in the minds of the consumers.

Reblog this post [with Zemanta]