
Election Day Security

I feel proud today.

Like apple pie, hot dogs and online bank fraud, nothing is more American than personally selecting (kinda) the next President of the United States. And doing it in the hometown of Uncle Sam makes it that much more special.

But lately I’ve become more concerned about the integrity of my vote.

My concern is not with the security of the voting machines. There are only a few different types of electronic voting machines, including optical scanners and direct recording electronic (DRE) machines, where voters press buttons and their choices are digitally recorded. And both types of machines have been compromised on numerous occasions.

In one case the voting machine was so vulnerable researchers were able to install Pac-Man on it. One team member was quoted, saying that it only required an 8th-grade education and $10.50 to hack the machine.

We also know that the networks, storage and computers that the machines rely on are vulnerable. As are the people involved in the voting process.

But this is not my concern.

What I find most worrisome is, if and when it happens, how will we know?

Happy voting America.


More Tales From the (Unen)Crypt

You just can’t make this stuff up.

Last week I received the following text message from an unknown number: “I received check. Thank you. Alice“.

A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.

They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.

I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.

My curiosity was piqued. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?

I couldn’t help myself.

Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.

We would soon find out.

As with any disaster, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.

Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…

021000322 XXXXXXXXXXXX XXXX

Don’t buy flowers in Florida.

Black Hats – Function or Fashion?

If you’re like many people, you’ve either been in Vegas this week, or you’ve been getting a few extra newsletters describing the heavily publicized antics that went on at this year’s Black Hat conference.

Unfortunately, I fell into the latter category.

Like years past, Black Hat delivered as advertised. Although the Secret Service didn’t halt any sessions for purposes of national security, there were some great pieces.

Black Hat (and DEF CON) always provide security professionals with plenty of new things to think about. I suppose that’s why they’ve become the most popular security conferences in the world.

But let’s be honest, they’re a lot like fashion shows.

I find fashion shows hilarious. A bunch of high-brow, Paris-types, with more time than other things convene and parade utterly garish clothing that’s entertaining and thought-provoking, but not in the least bit wearable. The ornaments, trappings and meatpuppets draped over wafer-thin models will never see a department store rack, let alone the closet in your home.

Other than an evening of pageantry and spectacle, it’s a complete waste of time.

Kinda like Black Hat.

Please don’t take this the wrong way – I love Black Hat, DEF CON and the spirit behind these events. It’s just that they tend to be a distraction from what’s going on in the real world.

For example, one presentation suggested that businesses add offensive tactics to their arsenals. The presentation went on to purport that attacking, or “bringing pain to” your attackers has simply become necessary and other security tactics have become obsolete.

Another presentation, titled “Catching Insider Data Theft with Stochastic Forensics” gave attendees a look at how to predict unpredictable things in a precise way.

Yet other research focused on compromising iris recognition systems.

I feel like I need to repeat that these researchers are doing a great service, and their findings are truly revered.

However, most businesses can’t even manage to use decent passwords. They don’t patch. They don’t train their employees. Forget about introducing stochastic forensic analysis, most companies don’t have a shredder.

There was some really great research presented this year on circumventing web application firewalls, trust models and the latest findings on malware in the wild. You could say that some of these fit like an old pair of jeans.

The rest will probably stay in the closet until next year.

Have a Coke and a (Security) Smile

Sometimes, security just sucks.

It was never meant to be that way. In fact, done properly security should support a business goal or a higher-level strategy. When it’s done well, security is not painful and it serves a purpose. It protects things worth protecting. It saves our @sses.

When it’s not done well, well…

I went out-of-town for a few days last week for the holiday. It was a last-minute decision, but a good one. The trip was short and sweet, and local. I used a hugely popular travel web site to make hotel reservations. To protect the not-so-innocent, the travel provider will remain nameless. But let’s just say that it wasn’t Expedia or Orbitz and it starts with a “hotels.com”.

Lately we’ve been using this service for business travel, as you can rack up free hotel stays quickly as long as you make reservations through their web site. Of course, you need to log in to your account before making your reservations – this I would learn the hard way.

The trip was wonderful – we did some biking, ate some great food and got to sleep in. Things all vacations should be made of.

Getting credit for the hotel stays was another story.

What I thought would be a quick call to the provider, started out bad and turned worse.

“Thank you for calling [hotel provider], can I help you?”

I explained that I needed to add credits to my account for stays that I had just completed. The customer service representative immediately requested my name, account number, DNA chains and a bunch of information that made me queasy. I asked politely why they needed this information for this activity, and why they would have had this information anyway. I certainly hadn’t provided it prior. These are hotel reservations after all, not the codes to The Football.

After several minutes of haggling, I was told that this individual could not post my credits. They would need approval from a supervisor. I was baffled.

I then asked her if she could get me the secret recipe for Coke, while she was at it. Either she didn’t get it or she didn’t think I was funny.

Making a long story short, I will be calling my hotel provider back on Monday, as this situation still isn’t resolved.

This is why people shudder when IT or their company’s Information Security team start talking about reinforcing security controls or “locking things down”. Forget about matching your controls to your organization’s culture and personality (something we almost never see); let’s at least remember that your security implementation should match your risk.

Even the Secret Service lets the President kiss a few babies.

I will be calling back on Monday and immediately asking for a supervisor. When I get him or her on the phone, I will do my best to refrain from security advice.

But I might still ask for that Coke recipe.

Security is a Myth

If you own a printer or a smartphone, you’ve probably done some rethinking about a few things over the past week or two. The recent rash of headlines to hit the mainstream media have produced much speculation, misinformation and meetings with Congress, but they have been successful in reaffirming one thing:

Security is a myth.

On the surface, the act of collecting semi-personal information about our calling habits and surreptitiously shipping this data off to mobile phone carriers is bad. At a minimum, having 140 million printers and multifunction scanners and faxes on our networks that are vulnerable to attack is bad.

But the real problems go much deeper.

Consider that our mobile phone carrier told us all about Carrier IQ, but we didn’t care. Yes, it’s right there in the fine print. Very fine. Our End User License Agreement told us that they were going to steal our personal information and use it to analyze our usage habits, and then we happily signed the paperwork. We had a chance to say no, but we either didn’t care, didn’t take the time to understand the security implications, or made the decision to trade our personal data for convenience.

We do it every day.

We should also consider that Angry Birds isn’t much different from Carrier IQ, and the information is going to a pretty-much-unknown third party. Our names, addresses, possibly even our GPS coordinates, given the appropriate permissions. Yet we happily trade that information for a few minutes of enjoyment.

It’s bad that smartphones are shipping off our personal information, but it’s much worse that we said it’s OK.

And we introduce hardware and software to our work environments in the same manner. Hardware and software that was never designed to be secure. Sophisticated multifunction devices that host web servers and command shells that accept software updates and connections from anyone. These devices are like hacker outposts.

It may be bad that these devices are vulnerable, but it’s much worse that they have access to all of the other assets on our networks.

If you want to know what it’s like to attempt security in today’s world, try jumping into a pool without getting wet. The odds are the same. Everything around us is vulnerable, from our resumes to our Facebook walls, from our mailboxes to our personal interactions. The true saving graces are that there are always less secure entities than you and there are only 24 hours in a day.

Now if this sounds a bit cynical, please don’t misinterpret: I believe that good will always prevail over evil.

We just might get a little wet along the way.

Democrats, Republicans and CyberGods

This morning I exercised my true American right. I voted.

For some, voting is a delicate process that involves days of analysis, research and personal preference. For some, just having the ability to vote is more important than the outcome.

For some, however the election is a ruse. A rote, choreographed series of motions undermined by well-scripted television ads, slick marketing campaigns and overstated commitments.

For those who truly understand the global state of information security, it’s something altogether different.

In fact some believe that the new regime has already assumed power. This new guard isn’t a bunch of Harvard-educated attorneys and career politicians. They have no experience in legislative process, and they’ve never run a campaign. They are nameless and faceless. They’re 17 years old. They’re in their mid-thirties. They’re Russian, British and American.

And they control the world.

Using 100 million infected PCs globally, they can shut down power grids and cause financial chaos. Using weaponized software they can destroy intellectual property and control military networks. They own your credit card number and can listen to your mobile phone calls. They are CyberGods, and there are no term limits.

They have assumed control.

The world in which they operate is limited only by their imaginations, and their cyberwar is not bounded by rules of engagement. Their power is growing. Their reach is expanding. Their wealth is multiplying. Their armies have already overthrown nations in Africa and the Middle East. They are so much more than thieves. They are organized. They are evolving.

They are motivated.

On this Election Day, remember that the true ruling party – this legion – was not voted into power by throngs of rabid fans, they were implicitly elected by a movement of ignorance. An ethos of apathy.

Throughout history the people have risen up to unseat their oppressors, but not before tremendous hardship. A body in motion tends to stay in motion, as Newton once said, and geo-political movements have been no exception. Those in power will do their best to stay in power, and the cybercrimelords that are feasting on our negligence will find new, more deceptive ways to maintain their rule.

We have waited too long. Their momentum is too great. This global network of organized cybercriminals will not simply resign. The people will need to rise up. We will need to stand and fight.

It may take bloody revolution.

Security Incidents – Prevention is Dead

It doesn’t take a security genius to figure out that the theory of preventing security incidents – from malware infestations and child porn cases, to bank fraud and data breaches – is a failed concept.

For years we have ignored, overlooked or rationalized the dramatic increases in both security spending and losses from cybercrime. Despite a 40 percent annual increase in information security budgets, the total of losses and costs from security incidents has increased 400 percent. This can only mean the following:

  1. We are spending our security dollars on the wrong things. If your company spends more on security hardware and software than it does on security policies, processes, measurement and analysis, it may be time to review your priorities. Security peace of mind comes from knowing exactly where your weaknesses are and the knowledge that you’ve effectively strengthened them. Ask your security hardware vendor to guarantee their product’s effectiveness – they’ll respond only with a smile. You may also be interested to know that the US Military spends more on analysts and communications than it does on guns and artillery.
  2. We are implementing the wrong things incorrectly. Whether it’s the use of default passwords on firewalls or misapplied IDS and SIEM rules, commonplace security hardware and software is falling down on the job. But it’s not doing it alone. Just like guns don’t kill people, firewalls don’t ALLOW ALL. Without a thorough, consistent Certification and Accreditation process, companies will continue to put hardware and software on the wire that does little to protect them, all while introducing new vulnerabilities.
  3. The wrong things, once implemented incorrectly, are not being assessed or measured for incorrectness. It is a well-known statistic that a significant majority of security breaches are made possible by the lack of effective patching of systems and applications, where patches have been available for six or more months. Poor configurations are released into the wild every day; effective, regular assessments can reduce that risk. How well is your security infrastructure protecting your business? If you can’t answer this question quantitatively, it’s time to implement a system of regular assessment and measurement.

One of the most profound findings from 2011’s Verizon Business Data Breach Investigations Report (see image) was that 86 percent of data breaches were discovered not by the afflicted parties, but rather by the afflicted party’s customers, partners or business associates. This staggering number demonstrates that despite all security efforts, companies are doing an inadequate job of prevention (and of detection, in this case).

The time has come to shift our efforts to detection and correction, or at least institute a better balance across these domains. Consider your bank, and what they consider their most valuable security controls. Rarely do you find armed guards at banks today, and most of them prefer glass doors. Inside, however, you’ll find cameras, panic buttons and dye canisters at every teller station. You can’t stop bank robbers, but you can stop bank robberies.

With all of the press around security incidents these days, blogs like this feel like beating a dead horse. Unfortunately, if this preaching weren’t falling on deaf ears the statistics would be headed in the other direction. So grab your conscience, some duct tape and a bottle of water, there’s work to do.

And grab a shovel, we need help digging this grave.

Avoiding Cyber 9/11

Like most people, I remember September 11, 2001 like it was yesterday.

It was a bright and beautiful afternoon as we drove North along the 3 headed back to Zürich, following a 10-day visit to Innsbruck, Venice, Milan and a number of other quaint countryside villages. I was visiting a good friend who had recently moved to Switzerland, and we were taking some time to enjoy Europe’s best sites. The Alps are breathtaking, no matter what time of year it is.

As we entered the city center and got closer to Andre’s apartment, we could feel the end of our trip growing closer. I was scheduled to fly out the following morning and Andre was headed back to work. As we mentally switched gears, we also switched radio stations, changing from the throbbing dance music that kept us hammering on the Autobahns to a local news broadcast. It was in German, so I only caught every fifth word.

I will never forget the look on Andre’s face.

“An airplane crashed in to the World Trade Center”, he said in his thick Dutch accent.

Simultaneously piecing together in my mind what I just heard and sorting through the possibilities of mis-translation, I immediately began rationalizing what might have happened. Once I gathered my thoughts I explained to Andre that this had happened before, and that the buildings are so big that a small Cessna wouldn’t cause much damage.

For a while I lived in New York City just three blocks South of the World Trade Center. I lived in a large apartment on the 26th floor with a balcony that overlooked the towers. I walked through World Trade South nearly every day. My apartment didn’t need paintings or artwork, I had the New York City skyline.

“It wasn’t a Cessna, it was a jumbo jet.”

For Americans, everything changed on 9/11. The inconceivable events that transpired on that day shifted everything we knew in a different direction. Finances, politics, healthcare, education, relationships – everything we knew suddenly took on a different perspective. A different priority. But none of these things changed more than our position on security.

The 9/11 Commission spent nearly three years collecting, analyzing and documenting the 585 pages of data resulting from that day and the years leading up to those horrific events. In the end, the Commission determined that there was a single condition that made the events of that day possible.

We didn’t think it could happen to us.

As simple and sad as that seems, there’s another chapter to this story. We face a much greater threat today, and we find ourselves repeating history. The infrastructure that our very existence depends on is in jeopardy, and we have put our heads in the proverbial “9/11 sand”. An exploitation or compromise of our power, water or financial networks could result in a complete collapse of society and death tolls that bin Laden himself could not imagine.

This is not science fiction. Thanks to Hurricane Irene, we have seen very recently what power and water loss of only a few days can do to a community. Now imagine this on a global scale.

By the year 2020, there will be 50 billion devices connected to the Internet. There will be tens if not hundreds of thousands of hackers and organized cybercriminals. If it took the United States ten years to track down one man moving from cave to cave, how long will it take us to dismantle an organized network of 100,000 computer hackers?

On this, the ten-year anniversary of the worst security incident in United States history, I urge you to ask yourself the following question:

What are we doing to avoid Cyber 9/11?

 

Hey Linus, Lose the Security Blanket

Cybersecurity insurance continues to be an increasingly popular investment for businesses of all types and sizes. Seen as a catch-all for the unpredictable, unreasonable or undesirable, cybersecurity insurance has become an attractive option for businesses who don’t have or don’t take the time to understand their alternatives.

But cybersecurity insurance policies, like other insurance vehicles can be tricky and expensive. They’re not a cloak of invincibility. Heck, they’re not even a security blanket. Here are just a few of the issues.

  1. First, cybersecurity insurance is a moving target and you may find yourself underinsured or not insured at all. The less you understand about security, your assets and your risks, the less you will understand your insurance policy. One of the most painful lessons of Hurricane Irene was in the area of insurance. We heard countless stories of homeowners who thought that their expensive flood insurance policy would cover their losses, only to find out that they weren’t covered due to some esoteric loophole. Little did these policyholders know that there are many types of flood insurance, each covering a specific condition. The same is true of cybersecurity insurance.
  2. Insurance can be more expensive than prevention. Insurance premiums for flood, fire and other policies are based on endless mountains of actuarial data that have been analyzed, sliced and diced such that the carrier knows exactly how much to charge for coverage. This premium ensures that the carrier will continue to make money even when its policyholders have claims. These calculations are based on statistical certainties. Because cybercrime is both immature and ever-changing, these piles of actuarial data do not exist, causing carriers to conservatively over-charge. The money you’re spending on insurance could have been better spent on avoiding the problem in the first place.
  3. Insurance won’t replace all assets. If insurance is your primary security mechanism for assets that are irreplaceable, you’re putting yourself and your business in jeopardy. Things like backups, historical data, documents and other sensitive or confidential assets cannot be recovered by insurance. There’s a reason that 25% of businesses that are victimized by cybercrime never recover.
  4. Insurance won’t protect your reputation. When your business experiences a data breach, a malware outbreak or other security incident that results in a public relations issue, no amount of insurance coverage is going to repair the damage. Understanding your risks will help you avoid an incident; paying for insurance that doesn’t help only adds salt to the wound.

Cybersecurity insurance can be a valuable defensive mechanism for businesses when applied properly. When properly understood and selected, it can address areas of risk that are difficult to manage with other controls. When misunderstood, it can compound a security incident with confusion, frustration and expenses.

If you’re considering cybersecurity insurance, give the policy a close read. If you already have a policy, give it a closer read. The last thing you want to hear from your insurance carrier after a security incident is, “sorry Charlie”.

Security Awareness and the Apocalypse

As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.

I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (who I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized data breaches and gangs using the Internet to auction illegal firearms.

Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capital Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, they would never leave their house.

And then it occurred to me – what if the same was true of information security?

I recently read an article that suggested that there should be more data breach notifications, rather than fewer. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.

But imagine for a moment that the details of every data breach, malware outbreak and security incident were at once made public. One of two things would happen:

  1. With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of data breaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
  2. The computing world as we know it would stop. I liken it to a mass, global outbreak of the AIDS virus – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems that are built upon an implied system of security cannot survive.

The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.

And while it may seem far-fetched to think of our world regressing to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.
