Archive for February, 2012

Infosecurity Magazine news stories for 28 February

February 29, 2012

My news stories on Infosecurity Magazine yesterday:

2012 : Expect DDoS botnets to be smaller, more effective and more of them!
A new analysis of DDoS attacks in the second half of 2011 predicts smaller-sized but increased numbers of specialist DDoS botnets.
28 February 2012

M2M presents new security risks that require new security solutions
We are entering a brave new world of machine to machine (M2M) technology. We know it. We have concerns about it. But are we ready for it?
28 February 2012

Gatekeeper – a new security feature or a walled garden for OSX?
Apple’s OSX 10.8 Mountain Lion due this summer will contain a new feature called Gatekeeper. Opinions vary on whether it is a genuine security feature or the cornerstone of a new walled garden.
28 February 2012

Categories: All, Security News

Anonymous arrests – what next?

February 29, 2012

I see that various police forces have arrested 25 (and counting?) alleged members of Anonymous – although I’m not sure how you can be a member of something that doesn’t exist. Anonymous says it is an idea rather than an organization. Well, I have certain sympathies with some of the political protests of Anonymous (not all, I have to say, but certainly some). Does that make me a member of the Anonymous idea? Well, I hope The Law, which increasingly seems to be a law unto itself, doesn’t think so.

Anyway, here are my predictions:

  • we will see more arrests in more countries as those that have been arrested are investigated and the confiscated computers examined
  • we will see more effective Anonymous retaliatory strikes against law enforcement websites (more effective than the very brief DDoS disruption of the Interpol site yesterday)
  • the majority of those arrested will be released; but a hard core will be prosecuted vigorously for purposes of deterrence

We shall see…

Categories: All, Politics, Security Issues

Infosecurity Magazine news stories for 27 February

February 28, 2012

My news stories on Infosecurity Magazine yesterday:

Mac users – you’re not as safe as you think
The Mac Flashback trojan installs itself by either using one of two Java vulnerabilities, or via a social engineering trick that gets the user to install it.
27 February 2012

Harriet Harman urges warning letters and site blocking
The Digital Economy Act (DEA), introduced by Lord Mandelson and rushed through parliament as one of the last acts of the New Labour administration in a process known as ‘wash-up’, is on the statute books, but is not yet enforced.
27 February 2012

OACP website hacked in protest against Canadian Bill C-30
The OACP website currently displays a simple message: “Ontario Association of Chiefs of Police – UNDER MAINTENANCE”
27 February 2012

Categories: All, Security News

Schrödinger asks, if you put security in a box, were you secure before you opened the box?

February 27, 2012

I love it when I get to disagree with the luminaries – and they don’t come much more luminous than Bruce Schneier. But to the point… He was interviewed about ‘trust’ by The Browser, and posts the outcome on his own site here: Liars and Outliers: Interview on The Browser.

“Security exists to facilitate trust,” he says. “Trust is the goal, and security is how we enable it.”

I don’t see it. Trust is an intangible: it can be neither seen, touched nor measured. It is unquantifiable – it can only be felt in a subjective, relative manner. But if we cannot measure it, we cannot prove whether we have it or not. So if Schneier is right, the purpose of security is to provide belief in something we cannot prove – it is to persuade us that we have something that we may or may not have. If the purpose of security is ultimately unprovable, it is ultimately meaningless: its only effect is to give us a belief in something that may or may not, like Schrödinger’s cat, actually have legs.

I see Schneier’s relationship between security and trust more like the relationship between preachers and God: the preachers are there to try to prove the unprovable – the existence of God. Many of us believe in God just like many of us have trust. That doesn’t mean that either is valid. Ultimately, trust provided by security is just as much a blind unprovable leap of faith as is belief in God provided by preachers. Personally, I am atheist: I don’t believe the preachers. And I don’t trust, because security is a circular argument signifying nothing.

Categories: All, Security Issues

Is the AV industry showing signs of exasperation at users’ apathy?

February 24, 2012

I wrote about the March 8 deadline for remaining DNSChanger victims to get clean or lose their internet in Infosecurity Magazine: DNSChanger poses a new threat to its victims.

But I had two late comments from anti-virus people currently in the States and separated by the trans-Atlantic time difference. They both echo Graham Cluley of Sophos’ comment that “if this is the only way to wake the affected users into sorting out the problem, so be it.”

Panda Labs’ Luis Corrons used remarkably similar language. “At least this will make affected people react and secure their computers,” he told me.

And ESET’s David Harley said, “Pragmatically, I don’t have a problem with this: law enforcement doesn’t have a specific responsibility for maintaining service for infected machines.”

But reading between the lines, I suspect that any anger is really directed not at the infected users being apathetic with their own security, but that the nature of the infection makes further infection likely. Such users are being apathetic with other users’ security; and that’s really not on.

Categories: All, Security Issues

We the People deserve our Privacy; but we ain’t gonna get it yet

February 24, 2012

Yesterday, with great fanfare and trumpets, President Obama announced he was looking after his people and protecting their privacy. “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” he announced. And he gave them an Online Bill of Rights. It’s not quite a We the People moment; but it’s probably not a bad election speech.

And true to form, the EU immediately jumped in with ‘it was our idea, guv’. “USA jumps aboard the ‘Do-Not-Track’ standard” screams Neelie Kroes in her latest blog. “Good news today as the White House supports efforts for online service providers and web browsers to implement a ‘do not track standard’ – just as we have been doing here in the EU.”

But if there is one thing I have learnt about government announcements and reports, it is simply do not place too much credence on the apparent suggestions in the headlines and major paragraphs. The devil, and government always has a pandaemonium of devils, is in the detail. In this instance I simply point to a Washington Post analysis: Web privacy guidelines viewed as ‘win’ for Google.

After a year of negotiations, the White House on Thursday unveiled privacy guidelines for these firms that urged them to install “do not track” technology on browsers but fell short of requiring it. Tech giants, in particular Google, breathed a sigh of relief. They would agree to curb some tracking activities, but it would largely be on their terms and wouldn’t hobble their cash cow.

Categories: All, Politics, Security Issues

Let’s not miss a single opportunity to demonise Iran, even if it’s justified

February 23, 2012

I’ve written about the new House of Commons report on the electro-magnetic pulse threat on Infosecurity Magazine: The Electro-Magnetic Pulse threat to national infrastructures.

But lookee here:

However, certain states such as Iran could potentially pose a realistic threat in the future, even if it does not currently do so, if nuclear non-proliferation efforts are not successful.

The grammar’s wrong. And House of Commons Committees don’t get their grammar wrong.

But remove ‘such as Iran’ and ‘even if it does not currently do so’, and the grammar’s good again:

However, certain states could potentially pose a realistic threat in the future if nuclear non-proliferation efforts are not successful.

Added later? Affirming the specific nuclear threat from Iran? Politicking in action?

Categories: All, Politics