Archive for August, 2010

Statistically, I’m either gay, diseased, a single parent, living below the poverty line or all of them

August 27, 2010

Scrolling idly through Ceefax (the BBC’s teletext news service) this evening I came across an item that will change my life: it will turn me into an introverted hermit, or at the very least will ensure I don’t kiss any of my neighbours this Christmas.

You’ll have to check my figures here because I wouldn’t get a pass even in today’s maths exams. However, it’s this: “…it emerged that there were half a million new STI cases in 2009, a 3% rise on the year before.”

OK, here we go, and talking in broad round figures: if 3% = 500,000, then 100% = 16,000,000. That is, there are approximately 16,000,000 STI infections in the UK.

The population of the UK is 61,792,000 (give or take a few recent births, deaths, immigrations, emigrations and deportations). That means that 16,000,000 in 62,000,000 UK residents have an STI; or, to avoid bits of people, one in every four is infected.

There are three people in this house. Next door, to my left is a family of four. And on my right is a single parent with one child. So that’s a total of nine people in the three houses. Statistically, two of those nine people have a sexually transmitted infection. But nobody in my house has an STI. That means there is a high likelihood that I am surrounded by STIs! Like I said, I’m not kissing anyone anymore…

These figures are sacrosanct. I got them from the BBC. That means I must either believe that I am surrounded by sexually transmitted infections, or I must doubt every single statistic I come across. And that would include things like computer virus infections, money lost to online fraud, hours lost through misuse of the internet…

Hmm. I’ll have to think about this one.


Google, Hadopi and hypocrisy

August 26, 2010

France is getting terribly upset. It appears that Google has resumed its Street View filming too soon. According to Reuters (Mon Aug 23)

France’s National Commission on Computing and Liberty (CNIL) said it was “premature” for Google to restart its collection of street images, given that its investigation of those activities is still not complete.

After Google admitted on May 14 that its Street View cars had collected not just photos but also communications data from unencrypted Wi-Fi networks as they drove around, CNIL ordered Google to stop collecting such data without the knowledge of those concerned. The CNIL said it wanted to make sure Google did not collect such data illegally in future, and to provide CNIL with information about the way it collected such data for use in its Street View service. Google gave CNIL access to the data on June 4.

Now, let me see… Is this the same France that values its citizens’ privacy so much that it appears to be on the verge of installing spyware on their computers? According to EDRI (the European Digital Rights organization)

Hadopi (the French Authority for the implementation of the 3 strikes law) did not make public the document regarding the draft specifications of the security measures for the Internet (part of the three strikes system), although the document should lay at the basis of a public consultation.

However, under the pretext that the document was a preparatory one, the authority decided to treat it as confidential. The website has made the document public on the basis of the right to information and having in view that a public consultation should rely on a public document and not a confidential one.

According to the document, French Internet users could soon be required to install spyware on their PCs tracking down their searching habits and analysing the applications installed on their PCs, in order to prevent “file-sharing piracy”.

See Exclusif : le document secret de l’Hadopi sur les moyens de sécurisation for further information (if you read French).

To be fair, although this comment is specifically about France, just about every government in the world is hypocritical in its attitude towards personal privacy. Except perhaps Britain and China. Neither of those countries makes much pretence of caring about its people’s rights at all, and both are therefore innocent of hypocrisy.


Categories: All, Security Issues

Traitorware: the latest software from Apple?

August 24, 2010

Back in January I wrote: Jobs’ megalomania: the fatal flaw of a tragic hero. I was wrong. Jobs isn’t a pathological egotist suffering from delusions of grandeur – but I’m afraid I can’t think of the term that describes someone who thinks he is God.

His company, an erstwhile hero of mine, Apple, has applied for a patent for which EFF has had to invent a new word: traitorware.

In other words, Apple will know who you are, where you are, and what you are doing and saying and even how fast your heart is beating. In some embodiments of Apple’s “invention,” this information “can be gathered every time the electronic device is turned on, unlocked, or used.” When an “unauthorized use” is detected, Apple can contact a “responsible party.” A “responsible party” may be the device’s owner, it may also be “proper authorities or the police.”

Apple does not explain what it will do with all of this collected information on its users, how long it will maintain this information, how it will use this information, or if it will share this information with other third parties. We know based on long experience that if Apple collects this information, law enforcement will come for it, and may even order Apple to turn it on for reasons other than simply returning a lost phone to its owner.

This patent is downright creepy and invasive…
Steve Jobs Is Watching You: Apple Seeking to Patent Spyware

No matter. Nietzsche has an answer to the fallacy of God. We must stop believing in Apple. Then we will have killed Apple. I think it is time to fall out of love with Apple, and to return to the secularism of open systems.

Categories: All, Blogs, General Rants

Is the Cloud an opportunity to improve security; or the doorway to disaster?

August 24, 2010

The world is divided into those who believe the cloud to be a security nightmare, and those who believe it to be an opportunity to improve security. I belong to the latter; but I cannot deny that the majority of surveys support the former. The latest is from Fortify Software, and was conducted at the recent DEF CON in Las Vegas.

Barmak Meftah, chief products officer at Fortify Software

Fortify questioned 100 of the elite IT professionals attending this year’s Hacker conference – and 96% believed that hackers view the cloud as having a silver lining for them. There is a strong belief that the cloud providers are not doing enough to address the security issues in their services. “89% of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45% of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem,” said Barmak Meftah, chief products officer at Fortify.

Well, there’s nothing like going to DEF CON to get it straight from the horse’s mouth – so do I need to change my view? Given that Gartner predicts that “By 2012, 20 percent of businesses will own no IT assets” largely (though not entirely) because of an increasing migration into the cloud, are we actually heading for a security meltdown? In reality, of course, I don’t need to change my view at all: the two options are not mutually exclusive. The cloud does provide an opportunity to get security right; but if companies don’t take that opportunity, then it is more likely to lead to a security nightmare.

And I suspect the real problem is down to motivation. Cloud providers (apart from security-as-a-service providers) haven’t set out to deliver security – they are providing a service. So providing an acceptable service at the minimum cost is the priority. Similarly, companies moving their own processes into the cloud are not doing so to improve their security – they are doing it to reduce their costs. The likelihood is that we will simply repeat all the mistakes we have already made: we will attempt to bolt security on after the event (the cheapest option) rather than take the opportunity to design it into the process (much more expensive in the short term). And that supports the meltdown scenario.

Fortify has its own recommendations. “More than anything, this research confirms our ongoing observations that cloud vendors – as well as the IT software industry as a whole – need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource,” says Meftah. “It is of great concern to us here at Fortify that the message about software assurance has still to get through to everyone in the software development community, and the DEF CON survey results strengthen our resolve to get this message across to as large an audience as possible.”

Fortify Software

Categories: All, Vendor News

Data loss is not simply down to security breaches; what price loyalty?

August 24, 2010

Verizon/USSS Data Breaches Report

Earlier this year Verizon published its 2010 Data Breach Investigations Report: A study conducted by the Verizon RISK TEAM in cooperation with the United States Secret Service. I wanted to comment at the time, but, frankly, found it too difficult. My first concern, which probably won’t worry many people as much as it worries me, is simply that there is no such thing as a free lunch. Why has the US Secret Service lent its name to this study? I can see enormous name-dropping benefit to Verizon (American citizens tend to have a high regard for their Secret Service), but I can see little visible benefit to the Service. My fear is that there may be an invisible benefit. Translate things to my side of the Atlantic: would I want CESG/MI5 and BT scratching each other’s backs? No, I absolutely would not.

But that aside, I had difficulty with the arithmetic of the statistics – for example, the top three types of hack attack accounted for 180% of the stolen records during the period concerned. My assumption (and I may well be wrong here, because I am no mathematician) is that sometimes more than one type of attack is used in the theft of individual records; but that reduces the value of the information given since I don’t know which different attacks were most successfully combined.

I am not trying to diminish the report – far, far from it. It is an absolute Aladdin’s cave of security information. If you are involved in infosec, you really need to get and read this report. All I’m doing is explaining why I didn’t review it at the time. OK, so why bring it up now? Well, it’s because of a new employee survey conducted by SailPoint. Verizon had earlier commented:

Recently, many have hypothesized that insider crime would rise due to financial strain imposed by global economic conditions. Hard times breed hard crimes as they say. It is entirely possible that this is occurring, but neither the Verizon nor USSS caseload show evidence of it. As seen back in Figure 6, Verizon shows a flat trend for insiders and the USSS shows a downward trend over the last three years.

Threat agents over time by percent of breaches

Fig 6 from the Verizon report: showing insider threat flatlining

To me, this simply flies in the face of current received wisdom – and even common-sense. The SailPoint report would seem to agree with me, finding that 23 per cent of UK employees will take customer lists and other sensitive data when they leave their employer. Considering that a far higher number of staff will ‘leave their employer’ in difficult times (like right now), the only logical conclusion is that staff data thefts are increasing.

Amichai Shulman, CTO, Imperva

“More than anything, this highlights something we’ve been saying for some time, namely that with insider threats, IT managers are fighting a less visible, but not less difficult threat in addition to the well publicised external threats. Staff are precisely the people who have access to data that needs to be secured and carefully controlled,” said Amichai Shulman, CTO of security company Imperva. “In addition, the survey shows that the insider threat is not always the potentially rogue employee for whom a background check has been completed – staff also need to be monitored during their employment as the information may not necessarily be ‘maliciously’ downloaded after the termination notice but rather information was rightfully obtained and collected by the employee over time and actually should have been removed upon termination by the IT Team,” he added.

There’s another statistic from this report we should also consider: if staff inadvertently get access to a confidential file, such as one containing salary information, personal data, or plans for a pending merger, only 57% of respondents would actually look at the file. “This figure is surprising,” comments Shulman, “as I would have thought that 99% of people accidentally stumbling into such information in the web would have read the file. The fact that the percentage among employees is lower is an indication of loyalty.”

This word, loyalty, is possibly the explanation for the different views of the insider threat between the two reports. Data breaches (as per the Verizon report) are decreasing because of staff loyalty. But staff who are terminated have their loyalty terminated at the same time – and are quite likely to take corporate data with them. So data loss caused by insiders might well be increasing. If this is the case, companies must beware of putting all of their security budget into security products – they also need to get their procedures and staff relations optimized in order to prevent information walking out of the door with the staff they are ‘letting go’.


Categories: All, Security Issues

BLOGS: Where do you stand in the Open Web vs Closed Internet debate?

August 22, 2010

TechnoLlama has a fascinating and worrying comment on “The open Web vs the closed Internet”. It suggests that ‘the battle for the future of the Internet is taking place right now’, and asks ‘Where do you stand?’.

On the one hand we have the anarchic, chaotic but essentially free (in both spirit and cost) internet we have known so far. But on the other hand we have those who are trying to close it down and own it so that they can charge us to use it: what TechnoLlama calls the ‘Jobsian future’ (Steve Jobs, not JobsWorth, of course). Think of what Jobs is already doing: music for the iconic iPod can only be got from him; apps for the iconic iPhone and iPad can only be bought from him. And where he leads, others will follow.

The Apple Internet is a very different place to that which we know. In this vision of the future your browser will be the least important element of your daily interaction with the Internet. In this future, you will open your mobile device (smart phone or iPad), you will read your daily newspaper through a paid app (The Times, The Guardian, NYT), you will also browse the magazines through an app (Wired, The Economist), then you will read your Twitter feed through TweetDeck, check your email through yet another app, plan your route to work using the Google Maps app, and then get to work and read books with the e-book reader app of your choice. During this process, you will not have touched the browser once.

And don’t expect help from governments. They want a closed internet as much as Jobs does; not so much on commercial grounds as on political control grounds. So it’s time to decide. As TechnoLlama asks: ‘Where do you stand?’ If you stand for an open and free internet, you may need to act now. Whenever there is a choice, choose the open source option: Android or other rather than iPhone; Linux rather than Windows; Firefox rather than IE, Safari or Chrome. In many cases it may simply be ‘anything but Apple’. But don’t let the Jobsian future take root by default.

TechnoLlama: The open Web vs the closed Internet

Categories: All, Blogs

“When people think of security…”

August 20, 2010

2nd Lt Jeffery Brown of the 4th Space Operations Squadron, Schreiver Air Force Base, Colorado has written about security:

When people think of security… However, one piece of security that is often overlooked and seems so small, but could put lives in danger every day, is information security.

Jesus! These people are supposed to be protecting us!

“Shredding helps to protect our information from falling into the wrong hands,” said Capt. Michael Sontag, 50th Space Wing operational security manager. “Terrorist groups are more focused on getting unclassified information because it isn’t illegal to gather. When you get many unclassified pieces together they sometimes begin to tell a classified story.”

I suppose, in fairness, it is not so much that these officers of the mightiest air force in the world are making such comments, but that they feel it is necessary for them to do so.

100 percent shred required for INFOSEC

Categories: All, Security Issues