big sister is watching you


Thursday 21 November 2013

keep cool

Do not panic

Wednesday 13 November 2013

Knowing-doing gap in information security

According to various surveys most companies have a security policy in place, and if you ask top management they'll confirm it. This is good, and we have noticed steady progress over the last 10 years. But it does not appear to solve the information security pains. In many cases we're fighting with the tools of yesterday to defend ourselves against the threats of tomorrow. When we took the next step and integrated information security management into companies, many assumed it would close the gap between what we know and what we do. It seems to be the opposite: we've spent a great deal of time, money and resources to get that policy written, integrated and reported on. Unfortunately, it stopped at the written part. Many employees are not aware of its existence, and those who are can't tell you what is in it.

Time for awareness? Perhaps. Awareness is not the silver bullet you're waiting for. It probably solves some issues, but it does not guarantee that your policy is respected. We need controls for that, and some reporting, preferably with transparency.

Thursday 24 October 2013

Smart traffic cameras make dumb cops

Yesterday, 23/10/2013, we had a debate on television about the use of smart cameras by the police. Of course we should be positive about it, since it is meant to increase the security of society. But is it only about security? We are blurring the border between a common-sense level of security and our liberty. The problem is rarely the technology but how we use it and for what purpose we deploy it.

Today the Belgian police has 2 different types of smart cameras: the static ones, found on the main roads where you enter a city, and, in addition these days, mobile devices mounted on an unmarked police car. The checks it can perform vary, but mostly it is used for detecting stolen cars, driving without insurance, driving without a valid car inspection certificate, etc. The information is passed in real time: whenever a car passes the police vehicle they instantly get information about the car and its owner. In the example shown during the show, somebody passed the police vehicle and an alert went off because this driver had previously been fined for driving under the influence of alcohol. As you notice, the system shown is capable of detecting irresponsible drivers. In this particular case the police started chasing the car in order to check whether the driver had been drinking.

Would this be problematic? The police will put their efforts on people who are present in the system because of previous behaviour. The focus, which should be making roads safer, is lost; that also means checking for other anomalies. Because you're in the system, you will need to be stopped by the police and officially checked for not having been drinking to get out of the system. Otherwise the alarm bell keeps ringing. They suggest the system is updated on a regular basis, but nobody knows what this means. Is it once a week, a month, a year?

In most cases the government uses the argument that they recover more stolen vehicles than previously, meaning in the pre-technology era, and that those vehicles are used for hold-ups and/or burglary, but until now there is no evidence that this is the case. And if we can find those stolen cars more efficiently by using this technology, why not limit the system to checking only for stolen cars? How long will it take until criminals use stolen cars from a neighbouring country to avoid the alarm bells?

How long will it take until this type of system is used against us for any kind of control? We're innocent until proven guilty; with these systems we're guilty until proven innocent.

Benjamin Franklin said: "He who sacrifices freedom for security deserves neither."

Tuesday 22 October 2013

Security Myths

Information security is for nerds

Yes, you're absolutely right! We're all nerds or techies locked in a cage and we can survive years without daylight and food. Of course we're not nerds; we're passionate, just like you can be or are in your job. It is not because we don't wear your type of clothes and we like computer games that we are estranged from the world.

Good security solves all my security issues and keeps me safe

Uhu, if you implement it, though. Laws are useless if nobody enforces them. Make management accountable and you'll go a block further down security city. Be aware and choose your battles carefully, because managers sting like a scorpion.

I need 100% security before we can continue

If you find the solution, take a patent and don't tell anyone until it is approved. You're rich! Unfortunately it doesn't work like that: you cannot have 100% security. You can increase security to a tolerable level to conduct business.

Nobody is interested in my data or in attacking my small company

Not only your present customers are interested in you; so are your direct competitors or some miscreant who would like to get his hands on your data or your computer, or use your bandwidth or processing power. If it were the case, nobody would attack a single home user, yet they suffer the most from all the malware circling around your connection at home.

I do not need anti-virus protection, I never had a virus

Great! Or not: how do you know you have a virus if you do not have protection against it? Without anti-virus you're lost in this digital jungle.

A BIOS password protects my computer

Where should I start? NO, no and NO. A BIOS password helps against modifying BIOS settings, but it can be circumvented easily. If you want real protection, buy a solution that provides hard disk encryption with two-factor authentication and boot protection.

Tuesday 8 October 2013

U-turn

In the early Internet years information security was as good as non-existent. The more important the Internet became in conducting business, the more companies realised that adequate protection is a must. We had the 9/11 aftermath, and security in general was a hot topic. But a reality shock crippled budgets, and a long period of recession is upon us today.

Today, I witness that there is no real information security budget in many companies. It is merely a subset of the IT budget, and its spending is rarely based on profound arguments, rather on some decision taken in a burst of panic. The gap between business and information security has only increased over recent years; clever attacks launched with success and overly complex solutions created an adverse effect. We cannot convince business people with FUD nor with geek wisdom.

From the business perspective the knowing-doing gap is becoming immense; they cannot deny today that they haven't been warned. In most cases they prefer increasing their risk appetite instead of their spending. It is time to make a U-turn and start thinking about how to convince the board and the execs. In order to achieve it, information security has to be uplifted to a governance strategy instead of relying solely on management practices. Security professionals must learn about business and speak business lingo; we need some useful metrics in order to have transparent reporting, and we need an idea of operational costs as well as the future spending required to keep the bad guys out. We are far from home on that part, because since the beginning we've been the firemen who come to the rescue, contain the spreading and limit the damage. Afterwards we go back to our office and wait for the next one to surface on our monitors.

We need to give business the tools to work in a secure fashion without losing flexibility and, if possible, to enable new business. Instead of denying demands we should consider how we can authorise them without outspending the budget for the next years. Creativity is key, and communication with our business peers a must.

Thursday 3 October 2013

Weak encryption

There is a lot going on in the debate on the revelations made by Snowden about the NSA. And ok, they used wiretapping on almost the entire Internet. That is of course a big deal and should not be underestimated in the damage it does to freedom of speech and liberty. However, I have a bigger issue with the weakening of encryption standards, including the behaviour or role of NIST. The rumour goes that the random number generation isn't that random any more. To you that perhaps sounds ok, but if you're in the security field it doesn't feel that ok.

Today, if you lock yourself out of your apartment you call a locksmith and he'll get you back in. Most probably he'll change the lock and give you a new pair of keys. Imagine that this guy could look at your door, watch some people going in and out of the building and be able to reproduce a key without receiving any additional information. Scary, right? That is what the NSA would be able to do according to the documents revealed. They can look at your VPN traffic, see what type of encryption you use and reproduce the key because the random number generator is predictable.

How can you lock your door now? Changing door vendor and changing lock technology could do the trick in some cases. And if that doesn't help, you might have to close the door with a brick wall and use an alternative entrance.

Wednesday 7 August 2013

That is what I meant

Failure to communicate. We've all heard it: we explain something, you get some jibber-jabber back in the form of an unpronounced question, you correct the person, and the reaction that hits you like a boomerang is: That is what I meant.

Well, is it? Say it, loud and clear. Today we have a multitude of communication possibilities, and sometimes I get the idea that our communication has never been so bad. We use email, IM, Facebook and others to communicate, talk, speak and express ourselves, but it seems nobody understands us any more. Because our complex society taught us to be pragmatic, diplomatic and even dogmatic from time to time, the message goes unnoticed in the overhead of unneeded words and information. There are 50 ways to say yes, I read on a blog, but there is only one way to say it clearly: YES. There are maybe 1000 ways to say no, but nothing as clear as the power of NO.

Friday 12 July 2013

Ubuntu and cinnamon

A good combo, though sometimes a pain to get right. I recently reinstalled my laptop. Now, before the fruit company admirers and the Mickeysoft experts start with "oh, why did you need to reinstall your Linux": I reinstalled it because I was lazy in testing, so I tested directly in my distro instead of setting up a virtual environment.

I always use Ubuntu LTS, which at this moment in time is 12.04.2, and so I did. Afterwards I added Cinnamon, since GNOME 3 deserves a punch in the face. Now, when I logged into Cinnamon I had what lots of people have: NO freakin' desktop icons. I'm old school, so I need them there even if I rarely click on them. I think I tried every step I found on the web, but with no success. So here is what I did to get the crap working.

Open a terminal of choice and run:

    sudo sed -i 's/NoDisplay=true/NoDisplay=false/g' /etc/xdg/autostart/nautilus-autostart.desktop
    sudo sed -i 's/NoDisplay=true/NoDisplay=false/g' /etc/xdg/autostart/nemo-autostart.desktop

Both commands unhide the applications from the Startup Applications list.

Then go to Startup Applications; in Cinnamon that means you click Menu, Preferences, Startup Applications. You'll have two Files entries, or one Files entry and one Nemo entry. Deactivate the Nemo one; do not delete it, you never know what the future brings.

Keep the Nautilus one activated; in my case its name was Files. If you haven't already, run sudo apt-get install dconf-tools. Afterwards hit Alt+F2, type dconf-editor, go to org.gnome.desktop.applications.background and check show desktop icons.

Log out and back in, or reboot, and you should have those silly icons back.
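The manual steps above, wrapped into a small script so they can be re-run after the next upgrade wipes the autostart files again. This is an added example and not the blog author's own commands: it assumes the autostart directory is /etc/xdg/autostart (overridable through AUTOSTART_DIR so it can be tried on a scratch copy first), keeps a .bak copy before touching each file, and uses the gsettings key org.gnome.desktop.background show-desktop-icons as the command-line equivalent of the dconf-editor step (that key name is my assumption for the GNOME 3 era; check it with gsettings list-keys on your own system).

```shell
#!/bin/sh
# Added example, not the post's original commands.
# Assumption: autostart .desktop files live in /etc/xdg/autostart; override
# AUTOSTART_DIR to point at a scratch directory when testing.
AUTOSTART_DIR="${AUTOSTART_DIR:-/etc/xdg/autostart}"

# Exit 0 when the given .desktop file is still hidden from Startup Applications.
is_hidden() {
    grep -q '^NoDisplay=true' "$AUTOSTART_DIR/$1"
}

# Flip NoDisplay=true to NoDisplay=false in one .desktop file so the entry
# becomes visible in Startup Applications. Refuses to continue if the file is
# missing and keeps a .bak copy so the change can be reverted.
unhide_autostart_entry() {
    file="$AUTOSTART_DIR/$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    cp "$file" "$file.bak"
    sed -i 's/NoDisplay=true/NoDisplay=false/g' "$file"
}

# Assumption: this gsettings key is the CLI counterpart of ticking
# "show desktop icons" in dconf-editor on GNOME 3 / Cinnamon of that era.
enable_desktop_icons() {
    gsettings set org.gnome.desktop.background show-desktop-icons true
}

# Sub-commands: "unhide" edits the system-wide autostart files (needs root),
# "icons" changes your own user's settings (must NOT run under sudo, or it
# would change root's profile instead of yours).
case "${1:-}" in
    unhide)
        unhide_autostart_entry nautilus-autostart.desktop
        unhide_autostart_entry nemo-autostart.desktop
        ;;
    icons)
        enable_desktop_icons
        ;;
esac
```

Run it as sudo sh restore-icons.sh unhide, then sh restore-icons.sh icons as your normal user, then deactivate the Nemo entry in Startup Applications as the post describes and log out and back in. The .bak files are what you restore if a later Cinnamon release handles desktop icons itself and the duplicate entries start to conflict.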

Thursday 6 June 2013

The art of information security

Or is it a science?

To be honest, I don't think security is a science. The unpredictable element of information security makes it difficult, if not impossible, to consider information security a science. In science we try to simplify things to good or bad, one or zero, black or white and so on. Traditionally, science tries to explain a situation by rational logic.

Information security is a lot of things but not rational logic. It is an unpredictable state, and the tools available were initially created with some logic integrated, often based on simple pattern checking. This approach seems to work for everything we know; unfortunately, in the digital underworld they use something known in the lingo as a "zero day exploit". This is an attack that is unknown, at least to the majority of people and security vendors. Another issue with the classification approach is that a packet can sometimes be good and sometimes bad. Any criminal can be considered a good person as long as he does not get caught. Attacks can appear as good or legitimate traffic in your logs and will go unnoticed. We focus too much on the things we do not authorise and not on what we trust. People on the inside of our network are considered safe, but can we really trust every single employee in the company? No, we cannot, but we do not have any alternative yet. We have distinguished the Internet from the LAN, the latter being good. It would be, in a perfect world, but luckily for us in the information security industry the world isn't that perfect.

Perhaps we should get some artistic level into security.