Archive for August, 2010

Statistically, I’m either gay, diseased, a single parent, living below the poverty line or all of them

August 27, 2010

Scrolling idly through Ceefax (the BBC’s teletext news service) this evening I came across an item that will change my life: it will turn me into an introverted hermit, or at the very least will ensure I don’t kiss any of my neighbours this Christmas.

You’ll have to check my figures here because I wouldn’t get a pass even in today’s maths exams. However, it’s this: “…it emerged that there were half a million new STI cases in 2009, a 3% rise on the year before.”

OK, here we go, and talking in broad round figures: if 3% = 500,000, then 100% = 16,000,000. That is, there are approximately 16,000,000 STI infections in the UK.

The population of the UK is 61,792,000 (give or take a few recent births, deaths, immigrations, emigrations and deportations). That means that 16,000,000 in 62,000,000 UK residents have an STI; or, to avoid bits of people, one in every four is infected.

There are three people in this house. Next door, to my left is a family of four. And on my right is a single parent with one child. So that’s a total of nine people in the three houses. Statistically, two of those nine people have a sexually transmitted infection. But nobody in my house has an STI. That means there is a high likelihood that I am surrounded by STIs! Like I said, I’m not kissing anyone anymore…

These figures are sacrosanct. I got them from the BBC. That means I must either believe that I am surrounded by sexually transmitted infections, or I must doubt every single statistic I come across. And that would include things like computer virus infections, money lost to online fraud, hours lost through misuse of the internet…

Hmm. I’ll have to think about this one.

Google, Hadopi and hypocrisy

August 26, 2010

France is getting terribly upset. It appears that Google has resumed its Street View filming too soon. According to Reuters (Mon Aug 23)

France’s National Commission on Computing and Liberty (CNIL) said it was “premature” for Google to restart its collection of street images, given that its investigation of those activities is still not complete.

After Google admitted on May 14 that its Street View cars had collected not just photos but also communications data from unencrypted Wi-Fi networks as they drove around, CNIL ordered Google to stop collecting such data without the knowledge of those concerned. The CNIL said it wanted to make sure Google did not collect such data illegally in future, and to provide CNIL with information about the way it collected such data for use in its Street View service. Google gave CNIL access to the data on June 4.

Now, let me see… Is this the same France that values its citizens’ privacy so much that it appears to be on the verge of installing spyware on their computers? According to EDRI (the European Digital Rights organization)

Hadopi (the French Authority for the implementation of the 3 strikes law) did not make public the document regarding the draft specifications of the security measures for the Internet (part of the three strikes system), although the document should lie at the basis of a public consultation.

However, under the pretext that the document was a preparatory one, the authority decided to treat it as confidential. The website has made the document public on the basis of the right to information and having in view that a public consultation should rely on a public document and not a confidential one.

According to the document, French Internet users could soon be required to install spyware on their PCs tracking down their searching habits and analysing the applications installed on their PCs, in order to prevent “file-sharing piracy”.

See Exclusif : le document secret de l’Hadopi sur les moyens de sécurisation for further information (if you read French).

To be fair, although this comment is specifically about France, just about every government in the world is hypocritical in its attitude towards personal privacy. Except perhaps Britain and China. Neither of those countries makes much pretence of caring about its people’s rights at all, and both are therefore innocent of hypocrisy.


Categories: All, Security Issues

Traitorware: the latest software from Apple?

August 24, 2010

Back in January I wrote: Jobs’ megalomania: the fatal flaw of a tragic hero. I was wrong. Jobs isn’t a pathological egotist suffering from delusions of grandeur – but I’m afraid I can’t think of the term that describes someone who thinks he is God.

His company, an erstwhile hero of mine, Apple, has applied for a patent for which EFF has had to invent a new word: traitorware.

In other words, Apple will know who you are, where you are, and what you are doing and saying and even how fast your heart is beating. In some embodiments of Apple’s “invention,” this information “can be gathered every time the electronic device is turned on, unlocked, or used.” When an “unauthorized use” is detected, Apple can contact a “responsible party.” A “responsible party” may be the device’s owner, it may also be “proper authorities or the police.”

Apple does not explain what it will do with all of this collected information on its users, how long it will maintain this information, how it will use this information, or if it will share this information with other third parties. We know based on long experience that if Apple collects this information, law enforcement will come for it, and may even order Apple to turn it on for reasons other than simply returning a lost phone to its owner.

This patent is downright creepy and invasive…
Steve Jobs Is Watching You: Apple Seeking to Patent Spyware

No matter. Nietzsche has an answer to the fallacy of God. We must stop believing in Apple. Then we will have killed Apple. I think it is time to fall out of love with Apple, and to return to the secularism of open systems.

Categories: All, Blogs, General Rants

Is the Cloud an opportunity to improve security; or the doorway to disaster?

August 24, 2010

The world is divided into those who believe the cloud to be a security nightmare, and those who believe it to be an opportunity to improve security. I belong to the latter; but I cannot deny that the majority of surveys support the former. The latest is from Fortify Software, and was conducted at the recent DEF CON in Las Vegas.

Barmak Meftah, chief products officer at Fortify Software

Fortify questioned 100 of the elite IT professionals attending this year’s Hacker conference – and 96% believed that hackers view the cloud as having a silver lining for them. There is a strong belief that the cloud providers are not doing enough to address the security issues in their services. “89% of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45% of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem,” said Barmak Meftah, chief products officer at Fortify.

Well, there’s nothing like going to DEF CON to get it straight from the horse’s mouth – so do I need to change my view? Given that Gartner predicts that “By 2012, 20 percent of businesses will own no IT assets” largely (though not entirely) because of an increasing migration into the cloud, are we actually heading for a security meltdown? In reality, of course, I don’t need to change my view at all: the two options are not mutually exclusive. The cloud does provide an opportunity to get security right; but if companies don’t take that opportunity, then it is more likely to lead to a security nightmare.

And I suspect the real problem is down to motivation. Cloud providers (apart from security as a service providers) haven’t set out to deliver security – they are providing a service. So providing an acceptable service at the minimum cost is the priority. Similarly, companies moving their own processes into the cloud are not doing so to improve their security – they are doing it to reduce their costs. The likelihood is that we will simply repeat all the mistakes we have already made: we will attempt to bolt security on after the event (the cheapest option) rather than take the opportunity to design it into the process (much more expensive in the short-term). And that supports the meltdown scenario.

Fortify has its own recommendations. “More than anything, this research confirms our ongoing observations that cloud vendors – as well as the IT software industry as a whole – need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource,” says Meftah. “It is of great concern to us here at Fortify that the message about software assurance has still to get through to everyone in the software development community, and the DEF CON survey results strengthen our resolve to get this message across to as large an audience as possible.”

Fortify Software

Categories: All, Vendor News

Data loss is not simply down to security breaches; what price loyalty?

August 24, 2010

Verizon/USSS Data Breaches Report

Earlier this year Verizon published its 2010 Data Breach Investigations Report: A study conducted by the Verizon RISK TEAM in cooperation with the United States Secret Service. I wanted to comment at the time, but, frankly, found it too difficult. My first concern, which probably won’t worry many people as much as it worries me, is simply that there is no such thing as a free lunch. Why has the US Secret Service lent its name to this study? I can see enormous name-dropping benefit to Verizon (American citizens tend to have a high regard for their Secret Service); but can see little visible benefit to the Service. My fear is that there may be an invisible benefit. Translate things to my side of the Atlantic: would I want CESG/MI5 and BT scratching each other’s back? No, I absolutely would not.

But that aside, I had difficulty with the arithmetic of the statistics – for example, the top three types of hack attack accounted for 180% of the stolen records during the period concerned. My assumption (and I may well be wrong here, because I am no mathematician) is that sometimes more than one type of attack is used in the theft of individual records; but that reduces the value of the information given since I don’t know which different attacks were most successfully combined.
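The 180% figure is what you get when a single breach can be tagged with more than one attack type: its records are counted under every type involved, so the per-type shares overlap. As an added illustration (the breach records below are constructed, not data from the Verizon report, and the attack-type labels are only examples), this script shows the overlapping per-type shares and then the mutually exclusive per-combination shares that would answer the question of which attacks were combined:

```python
"""Why per-type percentages in a breach report can add up to more than 100%.

Added illustration for this post, not from the Verizon report: the breach
records are constructed and the attack-type labels are examples.
"""
from collections import Counter

# Constructed sample: each breach lists every attack type involved and the
# number of records compromised. Several breaches involve more than one type.
BREACHES = [
    {"id": "b1", "types": {"sqli", "malware"}, "records": 4_000_000},
    {"id": "b2", "types": {"stolen_creds", "malware"}, "records": 2_500_000},
    {"id": "b3", "types": {"sqli"}, "records": 1_000_000},
    {"id": "b4", "types": {"stolen_creds", "sqli", "malware"}, "records": 1_500_000},
    {"id": "b5", "types": {"phishing"}, "records": 1_000_000},
]


def total_records(breaches):
    return sum(b["records"] for b in breaches)


def share_by_type(breaches):
    """Percent of all records attributed to each attack type.

    A breach with n types counts its records under all n of them, so these
    shares overlap and their sum can be well above 100%."""
    total = total_records(breaches)
    by_type = Counter()
    for b in breaches:
        for t in b["types"]:
            by_type[t] += b["records"]
    return {t: round(100 * r / total, 1) for t, r in by_type.items()}


def share_by_combination(breaches):
    """Percent of records per exact set of attack types.

    Each breach falls into exactly one combination, so these shares are
    mutually exclusive, sum to 100%, and show which combinations matter."""
    total = total_records(breaches)
    by_combo = Counter()
    for b in breaches:
        by_combo[tuple(sorted(b["types"]))] += b["records"]
    return {c: round(100 * r / total, 1) for c, r in by_combo.items()}


def top_n_sum(shares, n):
    """Sum of the n largest shares, the kind of 'top three' headline figure."""
    return round(sum(sorted(shares.values(), reverse=True)[:n]), 1)


if __name__ == "__main__":
    by_type = share_by_type(BREACHES)
    print("per type (overlapping):", by_type)
    print("top three sum:", top_n_sum(by_type, 3), "%")
    for combo, pct in share_by_combination(BREACHES).items():
        print(f"{'+'.join(combo):<28} {pct:5.1f}%")
```

With the constructed sample the top three types sum to 185%, while the per-combination table sums to 100% and makes it visible that most records were lost to malware combined with SQL injection, which is exactly the breakdown the overlapping figures hide.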

I am not trying to diminish the report – far, far from it. It is an absolute Aladdin’s cave of security information. If you are involved in infosec, you really need to get and read this report. All I’m doing is explaining why I didn’t review it at the time. OK, so why bring it up now? Well, it’s because of a new employee survey conducted by SailPoint. Verizon had earlier commented:

Recently, many have hypothesized that insider crime would rise due to financial strain imposed by global economic conditions. Hard times breed hard crimes as they say. It is entirely possible that this is occurring, but neither the Verizon nor USSS caseload show evidence of it. As seen back in Figure 6, Verizon shows a flat trend for insiders and the USSS shows a downward trend over the last three years.

Threat agents over time by percent of breaches

Fig 6 from the Verizon report: showing insider threat flatlining

To me, this simply flies in the face of current received wisdom – and even common-sense. The SailPoint report would seem to agree with me, finding that 23 per cent of UK employees will take customer lists and other sensitive data when they leave their employer. Considering that a far higher number of staff will ‘leave their employer’ in difficult times (like right now), the only logical conclusion is that staff data thefts are increasing.

Amichai Shulman, CTO, Imperva

“More than anything, this highlights something we’ve been saying for some time, namely that with insider threats, IT managers are fighting a less visible, but not less difficult threat in addition to the well publicised external threats. Staff are precisely the people who have access to data that needs to be secured and carefully controlled,” said Amichai Shulman, CTO of security company Imperva. “In addition, the survey shows that the insider threat is not always the potentially rogue employee for whom a background check has been completed – staff also need to be monitored during their employment as the information may not necessarily be ‘maliciously’ downloaded after the termination notice but rather information was rightfully obtained and collected by the employee over time and actually should have been removed upon termination by the IT Team,” he added.

There’s another statistic from this report we should also consider: if staff inadvertently get access to a confidential file, such as one containing salary information, personal data, or plans for a pending merger, only 57% of respondents would actually look at the file. “This figure is surprising,” comments Shulman, “as I would have thought that 99% of people accidentally stumbling into such information in the web would have read the file. The fact that the percentage among employees is lower is an indication of loyalty.”

This word, loyalty, is possibly the explanation for the different views of the insider threat between the two reports. Data breaches (as per the Verizon report) are decreasing because of staff loyalty. But staff who are terminated have their loyalty terminated at the same time – and are quite likely to take corporate data with them. So data loss caused by insiders might well be increasing. If this is the case, companies must beware of putting all of their security budget into security products – they also need to get their procedures and staff relations optimized in order to prevent information walking out of the door with the staff they are ‘letting go’.
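One concrete version of the procedure Shulman describes, reconciling the HR leaver list against access that is still active so that nothing survives a termination date, as an added example that is not part of the original post or of any of the reports it quotes. The leaver list and the access inventory are constructed samples standing in for an HR feed and an IAM export:

```python
"""Offboarding reconciliation: flag access that outlived a termination date.

Added example for this post, not taken from the Verizon, SailPoint or
Imperva material. The HR leaver list and the access inventory are
constructed samples standing in for an HR feed and an IAM export.
"""
from datetime import date, timedelta

# Constructed HR feed: user -> termination date.
LEAVERS = {
    "alice": date(2010, 8, 2),
    "bob": date(2010, 8, 10),
}

# Constructed access inventory: (user, system, still_active, last_used).
ACCESS_GRANTS = [
    ("alice", "crm", True, date(2010, 8, 12)),      # active and used after leaving
    ("alice", "vpn", False, date(2010, 7, 30)),     # already revoked
    ("bob", "file_share", True, None),              # still open, never used
    ("carol", "crm", True, date(2010, 8, 15)),      # current employee, ignore
]


def stale_access(leavers, grants, today, grace_days=0):
    """Return active grants belonging to leavers whose revocation deadline
    (termination date plus grace period) has passed as of `today`.

    Each finding records whether the grant was used after the termination
    date, because that is the case Shulman's comment is about: data that was
    legitimately reachable but should have been cut off on exit."""
    findings = []
    for user, system, active, last_used in grants:
        left = leavers.get(user)
        if left is None or not active:
            continue                       # current employee, or already revoked
        if today <= left + timedelta(days=grace_days):
            continue                       # still inside the allowed revocation window
        findings.append({
            "user": user,
            "system": system,
            "terminated": left.isoformat(),
            "used_after_termination": last_used is not None and last_used > left,
        })
    # Most urgent cases (access used after termination) come first.
    findings.sort(key=lambda f: (not f["used_after_termination"], f["user"]))
    return findings


def run_check(today_iso, grace_days=0):
    """Convenience wrapper taking the 'as of' date as an ISO string."""
    return stale_access(LEAVERS, ACCESS_GRANTS, date.fromisoformat(today_iso), grace_days)


if __name__ == "__main__":
    for f in run_check("2010-08-20"):
        flag = "USED AFTER EXIT" if f["used_after_termination"] else "still open"
        print(f"{f['user']:<6} {f['system']:<11} left {f['terminated']}  {flag}")
```

Run daily against the real feeds, the output is a short revocation worklist; the `grace_days` parameter exists because some sites deliberately leave mailbox or VPN access open for a handover period, and the check should only fire once that period has expired.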


Categories: All, Security Issues

BLOGS: Where do you stand in the Open Web vs Closed Internet debate?

August 22, 2010

TechnoLlama has a fascinating and worrying comment on “The open Web vs the closed Internet”. It suggests that ‘the battle for the future of the Internet is taking place right now’, and asks ‘Where do you stand?’.

On the one hand we have the anarchic, chaotic but essentially free (in both spirit and cost) internet we have known so far. But on the other hand we have those who are trying to close it down and own it so that they can charge us to use it: what TechnoLlama calls the ‘Jobsian future’ (Steve Jobs, not JobsWorth, of course). Think of what Jobs is already doing: music for the iconic iPod can only be got from him; apps for the iconic iPhone and iPad can only be bought from him. And where he leads, others will follow.

The Apple Internet is a very different place to that which we know; in this vision of the future your browser will be the least important element of your daily interaction with the Internet. In this future, you will open your mobile device (smart phone or iPad), you will read your daily newspaper through a paid app (The Times, The Guardian, NYT), you will also browse the magazines through an app (Wired, The Economist), then you will read your Twitter feed through TweetDeck, check your email through yet another app, plan your route to work using the Google Maps app, and then get to work and read books with the e-book reader app of your choice. During this process, you will not have touched the browser once.

And don’t expect help from governments. They want a closed internet as much as Jobs does; not so much on commercial grounds as on political control grounds. So it’s time to decide. As TechnoLlama asks: ‘Where do you stand?’ If you stand for an open and free internet, you may need to act now. Whenever there is a choice, choose the open source option: Android or other rather than iPhone; Linux rather than Windows; Firefox rather than IE, Safari or Chrome. In many cases it may simply be ‘anything but Apple’. But don’t let the Jobsian future take root by default.

TechnoLlama: The open Web vs the closed Internet

Categories: All, Blogs

“When people think of security…”

August 20, 2010

2nd Lt Jeffery Brown of the 4th Space Operations Squadron, Schriever Air Force Base, Colorado has written about security:

When people think of security… However, one piece of security that is often overlooked and seems so small, but could put lives in danger every day is information security.

Jesus! These people are supposed to be protecting us!

“Shredding helps to protect our information from falling into the wrong hands,” said Capt. Michael Sontag, 50th Space Wing operational security manager. “Terrorist groups are more focused on getting unclassified information because it isn’t illegal to gather. When you get many unclassified pieces together they sometimes begin to tell a classified story.”

I suppose, in fairness, it is not so much that these officers of the mightiest air force in the world are making such comments, but that they feel it is necessary for them to do so.

100 percent shred required for INFOSEC

Categories: All, Security Issues

Cameron Diaz is the most dangerous thing on the Internet; apart from Intel buying McAfee…

August 19, 2010

Today McAfee releases two news announcements. Firstly, “Cameron Diaz Named Most Dangerous Celebrity in Cyberspace by McAfee, Inc”. Oh yes, and by the way, Intel is buying McAfee.

Eye candy on McAfee news item

This is important: “Justin Timberlake’s Ex Knocks Current Girlfriend Biel to #3 Spot”. Let’s get our priorities right! And knowing which item most of us will be most interested in, here’s the graphic from the announcement…

Just to finish off, the top ten celebrities used for social engineering are:

  1. Cameron Diaz
  2. Julia Roberts
  3. Jessica Biel
  4. Gisele Bündchen
  5. Brad Pitt
  6. Adriana Lima
  7. Jennifer Love Hewitt, Nicole Kidman (equal)
  8. Tom Cruise
  9. Heidi Klum, Penelope Cruz (equal)
  10. Anna Paquin

But Intel buying McAfee? That really is interesting and full of possibilities – and concerns. Firstly, Intel does not have the cleanest reputation in the industry, having, off the top of my head, been sued recently by Japan, the EU and the USA’s FTC (we’re not talking about companies litigating against Intel, we’re talking governments here). So, frankly, if I was NE Other AV vendor, I’d be more than a little concerned. For example, many PCs are sold pre-configured with 12 months of Symantec’s Norton AV. Is this going to end? Will PC vendors get any choice over what AV product is supplied with the PC? Is this, in fact, something for the Competition Commission (and other national competition bodies) to investigate?

The second thing that worries me about Intel is its involvement with the ‘trusted computing’ movement. Trusted computing is a seductive idea. You protect the hardware so that nothing bad can run on it. But think about this. If you stop bad things, you have to allow good things. Problem is, it’s not you (the user) but them (the trusted computing supplier) that defines what is good and what is bad. Now, already in France we have this HADOPI thing, where it was seriously suggested that the government should be able to impose what amounts to a Trojan on all users’ PCs in order to enforce their own copyright enforcement laws. That’s scary. More scary is that it is easily accomplished via Intel chips already included on the majority of existing PCs – and undoubtedly will be on all future PCs (even AMD PCs).

Now here we have Intel getting actively involved in security. I have to ask if this is a marketing ploy to sell the idea that ‘we understand security and will be able to enforce ACTA, DEA, HADOPI, and anything else you want’ to governments.

Intel buying McAfee is a truly scary thing. I really, really hope that the competition people around the world simply say, “Non!” But don’t hold your breath, because those competition people are the same governments that are bringing in ACTA, DEA, HADOPI etcetera that Intel/McAfee can enforce…


Business continuity testing and incident reporting: advice from ENISA

August 19, 2010

I often think that ENISA (the European Network and Information Security Agency) is the nearest that the UK has to the American NIST (National Institute of Standards and Technology). It should be the British Standards Institute – which develops excellent standards but then charges you through the nose to get hold of them. NIST doesn’t. And neither does ENISA – which has just released a couple of FAQs for two earlier reports.

Read the FAQs if you like, but the important bit is the two reports themselves, both published in December 2009. The first is Reporting Security Incidents – Good Practices; and the second is National Exercises Good Practice Guide. (The FAQ for the former is here, and for the latter is here.)

Of least value to business (at least in the UK) is the guide on reporting incidents. This should be important since sharing information is an important element in defeating cybercrime and cyber attacks; but the fact is that UK government agencies are very poor at sharing their incident information with business (only with other government agencies and departments). Sharing that is not two-way is not sharing at all; and is not really worth the effort.

The second report, on good practices in national exercises, is however of considerable value to business. Although the report is strictly speaking discussing national exercises, the principles apply just as much to commercial organizations: testing your security response is an essential part of disaster recovery and business continuity planning. Consider the exercise lifecycle graphic below. If you think the steps outlined sound relevant to you (and I suspect that they will), it will be worth reading the full report.

ENISA: Lifecycle of an exercise


Categories: All, Vendor News

Social networks: prohibition or mitigation

August 17, 2010

Banning social networks at work is a mistake on three counts:

  • it misses a trick on staff morale
  • it misses several tricks on free marketing
  • prohibition doesn’t work anyway

The solution is to mitigate the dangers and control the use rather than prohibit it completely. The problem is: how?

Well it requires some pretty sophisticated monitoring and control over a large number of loose ends on a wide range of social systems. Enter FaceTime’s new Socialite, a system that provides an extended set of feature and content controls for more than 1,000 social networks. In the three leading social networks, Facebook, LinkedIn and Twitter, Socialite provides control for 95 distinct activity and content features, and can also moderate and archive content to ensure that only pre-approved content is shared.

The rapid growth in social media has moved business communications beyond the corporate firewall and into the public domain. The control and management of collaborative communications is now a priority for many organisations as they struggle to come to grips with tightening regulatory and compliance standards, particularly in the financial services sector. Socialite addresses these challenges by offering comprehensive control and management over the wide variety of social media channels, integrating seamlessly with existing IT infrastructures.
Nick Sears, VP EMEA, FaceTime Communications

Features include:

  • Identity Management: the ability to establish a single corporate identity and track users across multiple social media platforms e.g. @SarahFaceTime on Twitter and Sarah Louise Carter on LinkedIn
  • Data leak prevention: preventing sensitive data from leaving the company, either maliciously or inadvertently
  • Granular Application Control: enabling the access to Facebook and its thousands of “applets” by category or individual application
  • Activity control: the ability to manage access to features, such as who can read, like, comment upon or access 95 distinct features on Facebook, LinkedIn or Twitter
  • Moderator control: can be applied to Facebook, LinkedIn and Twitter where content is required to be pre-approved by a corporate communications officer or other third-party
  • Log conversation and content: capture all posts, messages and commentary made to Facebook, LinkedIn and Twitter in context, as well as exporting to an archive of choice for eDiscovery
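To make the feature list concrete, here is an added toy implementation of the same control points, activity control by role, a DLP pattern check on outbound text, an optional moderator hold, and an archive of every decision. It is not FaceTime’s Socialite code and says nothing about how that product works internally; the policy table, DLP patterns and sample posts are constructed:

```python
"""Minimal outbound social-media control: activity control by role, DLP
pattern check, moderator pre-approval and an archive of every decision.

Added illustration for this post, not FaceTime's Socialite code. The policy
table, DLP patterns and sample posts are constructed.
"""
import re
from datetime import datetime, timezone

# Which roles may perform which activity on which network (constructed).
ACTIVITY_POLICY = {
    ("twitter", "read"): {"comms", "marketing", "staff"},
    ("twitter", "post"): {"comms", "marketing"},
    ("linkedin", "read"): {"comms", "marketing", "staff"},
    ("linkedin", "post"): {"comms"},
    ("facebook", "comment"): {"comms", "marketing"},
}

# DLP patterns: constructed examples of content that must not leave the company.
DLP_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "internal_tag": re.compile(r"\bINTERNAL[ -]ONLY\b", re.I),
    "project_codename": re.compile(r"\bProject\s+Falcon\b"),
}

ARCHIVE = []  # every decision, allowed or not, is kept for eDiscovery


def dlp_hits(text):
    """Names of the DLP patterns that match the outbound text."""
    return sorted(name for name, pat in DLP_PATTERNS.items() if pat.search(text))


def evaluate(user, role, network, activity, text="", require_moderation=False):
    """Return (decision, reason) for one action and archive it.

    Order of checks: is the role allowed this activity at all, does the text
    trip a DLP pattern, and finally does the channel require pre-approval."""
    allowed_roles = ACTIVITY_POLICY.get((network, activity), set())
    if role not in allowed_roles:
        decision, reason = "block", f"{role} may not {activity} on {network}"
    else:
        hits = dlp_hits(text)
        if hits:
            decision, reason = "block", "dlp:" + ",".join(hits)
        elif require_moderation and activity != "read":
            decision, reason = "hold", "awaiting moderator approval"
        else:
            decision, reason = "allow", "policy ok"
    ARCHIVE.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "network": network, "activity": activity,
        "text": text, "decision": decision, "reason": reason,
    })
    return decision, reason


if __name__ == "__main__":
    samples = [
        ("sarah", "marketing", "twitter", "post", "Great to meet customers today!", False),
        ("sarah", "marketing", "linkedin", "post", "Hiring soon!", False),
        ("sarah", "comms", "twitter", "post", "Launching Project Falcon next week", False),
        ("sarah", "comms", "facebook", "comment", "Thanks for the feedback!", True),
    ]
    for args in samples:
        print(args[3], "on", args[2], "->", evaluate(*args))
    print(len(ARCHIVE), "decisions archived")
```

The archive is what turns the control into evidence: a regulator asking who posted what, and what was stopped, gets the same log whether the decision was allow, hold or block.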


Categories: All, Vendor News
