Category: Opinion


Apple has a problem. For years, the message that many Apple users heard was that Macs don’t need anti-virus because the OS was invulnerable. In the late 90s and early 2000s, Windows suffered from dozens of vulnerabilities that were massively exploited, partly prompted by the fact that, suddenly, everyone was plugging their poorly managed PCs into broadband connections. Cue crowing from the (comparatively) small number of Apple aficionados: their view was that their age-old nemesis was getting what it deserved.

The problem was, and to some extent still is, that this perception of invulnerability was grounded in an uncomfortable fact: Apple’s share of the PC market was tiny. In 2001 it was around 3%. By 2011, it was nearly 10% (not including phones and tablets). Bearing in mind the explosion in computer ownership in this time, it amounts to a very large increase.

What all this means is that Macs are now economical to exploit.

Microsoft recognised that they had a problem in the early 2000s, resulting in a huge engineering effort to reduce the number of bugs in their code. The crux of this strategy was to weed vulnerabilities out early using their Security Development Lifecycle (SDL), as the earlier you find a bug, the cheaper it is to fix. Sun, as was, and Oracle adopted a similar approach.

In addition, there was a real push to engage with security researchers: they promoted responsible disclosure by giving credit where it was due to those who had discovered flaws, and improved their patching processes. All in all, the process has become much more transparent.

The results of these efforts are clear: while Microsoft OSs are still the most targeted, most malware no longer targets the OS; rather, third-party apps have become the target of choice. A good example of this is the recent discovery of the “Sweet Orange” malware development kit, which goes for vulnerable browser add-ons.

(Mozilla provide a free browser plugin checker that works for most common browsers, so you can see what’s vulnerable on your system.)

Apple have taken a different approach:

Now, we are hearing of increasing numbers of Macs infected, a user base that is confused because they think they don’t need anti-virus and seemingly poor software QA (take the recent example of Filevault’s unencrypted passwords).

Eugene Kaspersky has said what many people in the information security world have been thinking: Apple are now ten years behind Microsoft when it comes to security. Interestingly, Apple has restated that it is “open to collaboration” with Kaspersky on improving its security.

So, if anyone from Apple reads this, I strongly urge you to swallow your pride and take a look at how other people, including Microsoft, approach security. This means changing the way software is developed and how it’s patched. Transparency and collaboration are important: people who fear that they might get treated badly when they’re trying to help will quickly stop trying to help.

There is still vastly more malware for Windows but the tide is turning. Apple is running out of time to stop repeating Microsoft’s mistakes.

I’ve been meaning to write something up about the news that a group of people, whom the media calls “hackers” but who are probably more accurately termed scientists, are planning on launching some satellites to provide censorship-free Internet connectivity to people in regimes that cannot get unfiltered Internet connectivity.

It raises a whole raft of interesting questions, but the one I thought of particularly is where the downlink will be. Satellites, on their own, cannot provide Internet connectivity. They are an elaborate mirror, allowing signals to be bounced between two or more points.

So, where is the ground-based Internet connection going to be? If there are a limited number of ground stations providing access to the rest of the Internet, these will be major targets for those regimes that want to control access to content. What better place to go to find out who your dissidents are?

How does a user of this censorship-busting network know:

  1. That they are connecting via a ground station that is in a friendly country, and;
  2. That the infrastructure hasn’t been compromised.

With such a concentrated amount of valuable information, the temptation will be there for a number of states to covertly tap into this infrastructure, and a lot of effort needs to be made to physically secure the environment that this data will go through, regardless of which country it’s in.

Security theatre is something I talk about a lot on this blog. It has a place, but often has a tendency to invade an individual’s privacy without really reducing the risk and costs a lot to implement. My favourite example of this is the millimetre-wave body scanners at airports.

The latest example is the news today that Oxford City taxis are to be fitted with sound-recording CCTV to capture all conversations in the backs of cabs. I have no doubt that the good, taxi-driving Burghers of Oxford are subjected, in some cases, to pretty awful behaviour by punters, but do they make up such a proportion that every passenger must have their private conversations recorded?

In the real world, there’s a fine line between security and privacy. Too little security and too many people take advantage, creating anarchy. Too little privacy and you suddenly find yourself living in a totalitarian state. The balance between the two is culturally subjective.

George Orwell’s 1984 describes a totalitarian society where the populace is controlled through mass surveillance, mental conditioning and fear. It is, possibly, the logical culmination of a country’s move to a security state. No-one wants to live in a world like that described in Orwell’s novel. So, how do we stop our slide into an Orwellian dystopia?

People need to realise that it is both impractical and undesirable to completely eliminate risk.

Private Emails

Michael Gove is reported to have been using his private email account and won’t reply to emails sent to his official address. There are so many reasons why this is a bad idea. Here is my (almost certainly incomplete) list just in case the Rt. Hon. Michael Gove happens to pass by:

  1. It’s not based in the UK. In fact, Google pride themselves on not telling you where the data is held (just try finding out);
  2. Google is a US-headquartered company. As per Microsoft’s announcement, the US PATRIOT Act seemingly trumps EU and UK data protection law, even if the data was in the EU;
  3. You can’t encrypt the emails at rest;
  4. There’s no guarantee that the data will be there tomorrow, as this example from Yahoo amply demonstrates;
  5. While Gmail allows you to turn on HTTPS and a form of two-factor authentication, these are optional and probably turned off;
  6. Foreign governments are alleged to have already hacked into Gmail;
  7. On occasion, email accounts have been mixed up, where one person reads someone else’s mail;
  8. These emails may not be retrievable under the Freedom of Information Act.

You only risk what you don’t value. If Mr. Gove believes the emails he receives and sends to be of such low importance as to put them at this sort of risk, is he the best person to be a cabinet minister?

The security systems at airports are an interesting example of security “theatre”, where much of what goes on is about reassurance rather than being particularly effective. I’ve blogged before about this and had some interesting responses, especially around the intrusiveness of current processes versus their effectiveness and where vulnerabilities lie. For obvious reasons, I won’t go into this.

However, the TSA in the United States is rolling out a new version of their full-body scanner, apparently in response to the criticism that the old versions were a step too far: the TSA initially denied, for example, that pictures of people’s naked bodies could be stored, until several incidents emerged of security staff doing exactly that. Apparently this will be available as a software upgrade. The question is, will the UK do the same?

The new scanner overlays identified potential threats from scans over a generic diagram representing the human form, so masking who the subject is. This has to be a good thing, but as I said in my earlier post, a reliance on technology rather than intelligence-led investigations will always leave vulnerabilities while inconveniencing the majority of people.

I’d rather the people who would do me harm never made it to the airport.

So far, this year, hundreds of millions of users of online services have had their accounts compromised or sites taken down. From Sony, Nintendo, the US Senate, SOCA, Gmail to the CIA, the FBI and the US version of X-Factor. Self-inflicted breaches have occurred at Google, DropBox and Facebook. Hackers have formed semi-organised super-groups, such as LulzSec and Anonymous. Are we at the point where information security professionals are starting to say, “I told you so”?

The telling thing about nearly all of these breaches is how simple it would have been to limit the impact: passwords have been stored in the clear, known vulnerabilities left unpatched, corporate secrecy has got in the way of a good PR message, and controls have varied across sites of the same brand.

The media’s response is often “hire the hackers!”, an idea that is fundamentally flawed. Would you hire a bank robber to develop the security for a bank? No. The fact is that there are tens of thousands of information security professionals, many of whom are working in the organisations recently attacked, who know very well what needs to be done to fix many of the problems being exploited.

Many corporations have decided to prioritise functionality over security to the extent where even basic security fundamentals get lost. There needs to be a re-assessment of every organisation’s priorities as LulzSec and Anonymous will soon realise that there are juicy and easier pickings away from the large corporates and Government sites, who have had the foresight to invest in information security controls.

This may sadly be just the beginning.

While I am not a lawyer and others have said this before, notably Rob Carolina in his talk “The Cyberspace Frontier has Closed”, I thought it worth reviewing some recent developments that demonstrate the fact that the Internet is not lawless and behaviour online may well result in liabilities “in the real world”.

There still seems to be this perception that laws don’t apply to online activity. Take Joanne Fraill, the juror who was jailed for eight months for contempt of court by contacting one of the defendants in the trial she was on. She had received clear guidance from the Judge on the case, as had all of the other jurors, not to research the case online and definitely not to contact anyone related to the trial. I had exactly the same advice when I was a juror at the Old Bailey a couple of years ago.

And, yet, she still did it, no doubt believing that:

  1. It wasn’t so bad, and;
  2. She wouldn’t get caught anyway.

She was wrong. The trial collapsed.

This sort of thinking is rife online, which is exacerbated by the fact that any search will bring back results that confirm every point of view on every subject, thus not really being much help.

Other areas of the Internet that people should consider in terms of consequences include:

  • Copyright infringements
  • Data protection issues
  • Harassment
  • Money laundering
  • Tax evasion
  • Libel

Some of these apply to corporate organisations in a different way than to individuals. For example, a data protection breach has the potential to seriously damage an organisation’s reputation. Libel may get you a hefty fine.

Just because people have a romantic notion of the Internet where normal laws don’t apply, doesn’t make it reality.

Wiping Hard Disks

I went to a presentation by Robert Thibadeau on Thursday last week, who was talking at an ISSA UK Chapter meeting, relating to Advanced Persistent Threats (APT), specifically where an attacker is able to modify some part of the pre-boot code, prior to an Operating System being loaded. The thrust of the discussion was about encrypted hard drives being a part of the armoury against these types of attacks, along with Trusted Platform Modules (TPMs).

As we all know, the standard practice of secure erasure for hard disks is to overwrite every sector seven times.

And then there was this nugget of information that I found highly interesting: this won’t work on Solid State Drives (SSDs). The architecture of these drives is determined by the underlying memory technology. Each “sector” on an SSD can only be written to about 1,000 times. In order to deliver a decent lifespan on the more expensive drives, therefore, the drive actually contains significantly more storage than stated on the packaging, with all data going through a load-balancer, to distribute the “writes” across the drive.

This means that it is very difficult to use a process involving overwriting data as each sector may actually be in a completely different place each time you try to overwrite it.

Robert’s proposed solution to this is to encrypt all data on SSDs, regardless of whether they’re in mobile devices or not. This way, the data can be rendered unreadable simply by erasing the encryption key.
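To make the two points above concrete, here is a toy model I have added (it is not from Robert’s talk nor any real drive firmware): an SSD whose controller always writes to a fresh physical page, so overwriting a logical sector leaves the old plaintext on the flash, while encrypting before writing and then destroying the key leaves nothing readable. The stream cipher is a deliberately simple HMAC-based construction for illustration only, not a real disk-encryption mode.

```python
"""Constructed model of SSD wear levelling versus crypto-erase."""
import hashlib
import hmac
import os


class ToySSD:
    """Logical sectors map to physical pages. Every write lands on the next
    free page (wear levelling), so the previous page keeps its old contents
    until the controller eventually recycles it."""

    def __init__(self, physical_pages: int):
        self.flash = [b""] * physical_pages   # raw NAND pages, as the chip sees them
        self.map = {}                         # logical sector -> physical page
        self.next_free = 0

    def write(self, sector: int, data: bytes) -> None:
        page = self.next_free                 # never overwrite in place
        self.next_free = (self.next_free + 1) % len(self.flash)
        self.flash[page] = data
        self.map[sector] = page

    def read(self, sector: int) -> bytes:
        return self.flash[self.map[sector]]


def keystream_xor(key: bytes, sector: int, data: bytes) -> bytes:
    """Toy sector cipher: XOR data with HMAC-SHA256(key, sector || block index).
    Symmetric, so the same call decrypts. Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        nonce = sector.to_bytes(8, "big") + (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def overwrite_leaves_residue(secret: bytes, passes: int = 7) -> bool:
    """Store a secret, overwrite the same logical sector `passes` times, then
    inspect the raw flash: True means the plaintext is still physically there."""
    ssd = ToySSD(physical_pages=16)
    ssd.write(0, secret)
    for _ in range(passes):
        ssd.write(0, b"\x00" * len(secret))
    return secret in ssd.flash


def crypto_erase_works(secret: bytes) -> bool:
    """Encrypt before writing, then discard the only copy of the key: True means
    neither the raw flash nor a normal read yields the plaintext."""
    ssd = ToySSD(physical_pages=16)
    key = os.urandom(32)
    ssd.write(0, keystream_xor(key, 0, secret))
    key = None                                # crypto-erase: key destroyed
    return secret not in ssd.flash and ssd.read(0) != secret
```

With 16 physical pages, seven overwrite passes never touch the page holding the original data; only once the pool has been cycled (more than 16 writes in this model) does the controller reclaim it, which a disposal process cannot rely on.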

It’s worth considering and factoring in to asset disposal processes.

News reaches us of the latest, unannounced Facebook feature: facial recognition. What this implies is that Facebook will trawl through all the photos on the site, automatically “tagging” you in pictures that the system think you’re in.

Great time saver, you might think, but there are several things to think about:

  1. It was enabled, quietly, without user consent and requires users to actively disable the feature
  2. No technology of this sort is 100% accurate, so if you don’t disable it, you may find yourself tagged in embarrassing pictures that aren’t of you
  3. This is an indication of the power of data mining. What’s to stop Facebook mining Google or Bing, looking for pictures on other sites?

With thanks to the Sophos blog on this topic, here’s how you disable it:

Go to Account -> Privacy Settings -> Customise Settings (near the bottom) and go to the “Things others share” section.

Then go down to “Suggest photos of me to friends” and click the edit button.

Then select “Disable”.

If Facebook want to be seen to be taking privacy seriously, they should start by adopting a policy of opt-in for new features.

Sony’s Woes

Sony continue to get attacked. Over, and over again. In different countries with different impacts. Searching Google News for “sony hack” comes up with 1880+ articles (6th of June 2011).

It seems to me that Sony don’t have an effective, consistent strategy for dealing with the security of their global online presence. These attacks have gone beyond what the attackers can achieve in terms of compromising systems and are now almost simply giving Sony’s brand and reputation a beating. Even if a script-kiddie were to deface a small-scale, country-specific website, the mere fact that it happens to be a Sony site guarantees headlines.

As I have said in previous posts, the biggest change the Internet brings is that distance is no longer a factor when dealing with crime: a hack can look like it’s coming from the other side of the world when, in fact, it’s actually being performed in a coffee shop down the road.

Companies facing these types of issues really have to do some serious work in limiting the impact of future attacks. The first step is identifying all of the targets, however tenuous a link they may have with the parent brand, and prioritising them in terms of their connectivity to back-end systems or sensitive data. Classify them and review existing controls, then implement consistent controls making best use of limited security resources.

I’ve heard senior executives at various organisations state that they don’t see the point of implementing good security because they don’t believe they are a target. It’s impossible to say what motivates every hack, but it’s definitely true to say that it costs organisations less in the long run if they do things properly from the start rather than trying to bolt on security processes after a major incident.

Just look at Sony.