Thursday, November 29, 2007

Just let me do my job!

Another post has popped up, this time from The Hoff. I think the general consensus is that you will probably disagree with him at some stage, but you have to read his blog.

Anyhow, he posted a question from someone at a conference he was at:

Why can't you InfoSec folks quite simply come to your constituent customers -- the business -- and tell them that your efforts will make me x% more or less profitable?

My answer to this is the following: Please correct me if I am wrong because I am probably very biased.

A modern business is essentially a group of people who know how to do something. A doctor is a person who knows how to cure people. He has studied and has certificates and such but at the end of the day if he loses his memory - he is no longer able to cure people and is not worth very much.

A little larger - a company that makes car tyres. There are some people who handle the books of the business and manage the investments of the company, manage the money etc. There are engineers who design the tyres and make them the best way possible. There are the sales reps who sell the tyres in the best way possible. The real value of the business is not the tyres and buildings and such... it is the information that the people know. Some of it is in their heads, some of it is in databases. Some of it is just a culture. But take all of that information away and you have a bunch of useless people hanging about and some desks.

Business today is quick. A company can close down in a few months and a new one can be built up in days. It is relatively simple to get capital. It is fairly easy to get premises, phones, cars, etc. It is not easy to get staff who know what they are doing. That is where the real value of a business is.

So, essentially a business relies on its information to stay alive and to grow. If you lose information, a part of the business is lost.

Steve Ballmer knew this when he lost Mark Lukovsky to Google - he was losing some of Microsoft.

The American Government knows this which is why there is legislation making sure companies protect their systems. Information loss is business loss.

So, the answer to the question is - how much is your entire business worth? Take away the net value of the desks and coffee machines and that is how much information security is protecting. HR is involved in protecting the information inside the heads of the staff, so you may want to subtract that.

Everyone in the organisation is either creating information (the CEO, accountants, etc.) or using information to build products or perform services (think craftspeople, packers, factory workers). Only Information Security is tasked with making sure that the information is available and stays inside the company.

Where is most of the information contained? What is most at risk? That is not so easy to answer but is important to us doing our jobs. Should business be concerned? I'm not sure, I don't think so. Should infosec be required to cough up figures so that we can do our jobs? I really don't think so.

But I could be wrong. What do you think?

Monday, November 5, 2007

You have to take your (white) hat off to these hackers.... and a lot else too!

The Washington Post has an article on an interesting new piece of malware.

Captchas are those weird little blocks with numbers and letters all jumbled up and fairly difficult to read. They are there to check whether the user is a human or a computer pretending to be a human. They essentially prevent hackers from automating things that server owners would prefer them not to automate.

An example is - when you sign up for a mail account you have to decipher the captcha so that you can have the email account. This is to prevent spammers from signing up for free accounts 100 or 1000 at a time and using them to send spam, repeating the process when they are shut down. Captchas have a lot of negative points but they have been rather effective.

The new malware is essentially a picture of a blonde lady who will do a strip show for you. The catch is that you need to decipher some captchas, and with each one she has less and less clothing. This sounds like a nice trade-off but each captcha that you enter basically signs a spammer up for a free email account. They are using you (being a human) as the middle man.

I hate spammers with a passion but I have to admit that this is a piece of genius.

Thursday, November 1, 2007

South African Spam is World Class!

I found this interesting table on Trend's website which takes the number of spam messages it receives, extrapolates it to estimate total worldwide spamming from an IP range and then reports on the range.

The bottom line is that they estimated that SAIX users (corporate, dial up, sub-ISPs, etc) all sent out about 82 Million spam emails in the last 24 hours making SAIX the 88th worst spam network in the world.

It is scary that so much spam is originating in sunny South Africa. Since spammers use unsuspecting PCs to do their dirty work this hints that there are many computers that have been compromised.

It's time for South Africa to take Information Security seriously.

Like Taking Laptops from a Baby

Here in South Africa crime is one of our largest issues but it seems that theft of laptops is a worldwide phenomenon.

It also seems that the controls put in place do not help.

An article on reports that Eric Almly is believed to have stolen 130 laptops from 24 different companies.

All of these companies have the same physical security barriers that most companies do - card machines, cameras, etc. The guy managed to get through them all with a smile and a calm personality.

It may be time to test out your physical security or at least accept that laptops will get legs.

Friday, October 26, 2007

TJX - Who suffers?

Just a quick break from the 7 Habits. They take a while to think out and I need to post something.

All the signs pointed to TJX having suffered a textbook hack, and so all the Security Chicken Littles were salivating because this would be the "I told you so" opportunity of a lifetime.

And it didn't happen. I blogged about it here and here.

So, what happened? My personal feeling is that this was just the first punch in the fight. Consumers have taken the knock and have felt a bit upset by it but they can deal with it.

In the back of their minds though they have decreased the amount that they like both TJX and credit cards and maybe their bank ever so slightly depending on how much this breach has impacted them.

TJX is lucky in that if their service levels are up to scratch and if they have no more major breaches then over time their image will be improved and their customers will be happy once more.

For the credit card companies it will be a bit harder. If someone now suffers a breach at another store it won't impact TJX but the consumer may feel a bit less trusting of the whole credit card process.

This is problematic in the same way my swimming pool theory is bad for networks. Every store only suffers a bit of the problem but the whole credit card process suffers the most. Perhaps this is why the PCI members (Visa, Mastercard, etc.) are working hard to get the stores to implement the PCI DSS security standard. They may find consumers start using credit cards less, or give them up altogether.

Maybe the answer is actually for the whole process to be scrapped and redone.

Tuesday, October 9, 2007

Seven Habits of Highly Effective Security Plans [Part 4]

In this post we deal with habit 2: Begin with the End in Mind

Please first read the Seven Habits of Highly Effective Security Plans [Part 1]
Please first read the Seven Habits of Highly Effective Security Plans [Part 2]
Please first read the Seven Habits of Highly Effective Security Plans [Part 3]

This is based on Stephen Covey's book The Seven Habits of Highly Effective People and this topic was the one I wanted to get to as fast as possible because I think that it is the most important one for Security Plan development.

If you have read the book this blog post is based on then you'll know that each habit builds on the ones before it. The last one was being proactive and making sure that you define your environment and how you will handle Information Security.

In the past Information Security was a matter of having whatever the box of the day was - firewall, anti-virus, IDS, etc etc. It was also having audits done and responding to their negative findings. And it was about hopefully detecting incidents and preventing the same incidents in the future. Reactive.

Now, what is happening and should be happening is that Information Security is becoming more proactive as per habit 1. We are looking rather at what we are protecting and trying to understand why it needs to be protected and how best to do so.

But once you realise that you have work to do, you need to know what to do. You need a plan - a long term plan. You probably already have one of those - a policy.

I know of a company (not the one I work for) that was told by their holding company to get Policy documents. And they got the boilerplates, filled in their company name and - voila- policy documents. But they missed the point.

The documents are not there for the auditors. ("Yeah, we got some policies." [Tick]). They are a living document of the Company's plan for Information Security. They are an excellent opportunity for the Company to define their end goal and work towards it.

It makes life a lot easier for everyone too when they know their goal and it makes deciding on what is important and what isn't very much easier.

A boilerplate is a good start if you haven't got any idea where to start. The risks to most companies are the same, the technology is similar too. Most of the techniques can be applied to all different organisations. But a lot of work needs to be done to the Policy to get it just right for the organisation.

Another good place to start is with the people who own the information. And these are not IT. These are the people who make decisions based on information, the guys who would pack up and go home if there was no information for them to work with. They know what is important to the business and where it is. I will write a lot more on this in later posts but for now just realise that Information Security must start with the end in mind and the end is "protect all important information so business can operate".

Friday, October 5, 2007

Symantec - "We don't (just) sell anti-virus".

I went to a Symantec presentation today to learn about their new End Point Protection and to take a sip of their Kool-Aid.

They took great pains to make sure that the audience was aware that they do not sell anti-virus software anymore - they sell "end point protection". Which, really, is anti-virus with other stuff.

The point is that even according to Symantec's reports viruses are dying out. (By virus I mean a program that self replicates - not a trojan, spyware, rootkit or worm). Trojans and worms and rootkits are becoming easier to modify and deploy and signature lists (against which these uglies are compared and blocked) are becoming too slow.

The moral of the story - viruses are (pretty much) dead... they have been replaced with new threats. Symantec painted a picture of their protection product as the silver bullet that will protect a PC against all the new threats. It looks good but I'm not 100% sold. I'd recommend the product but I'd back it up with a lot of other Information Security goodies.

The Conscious Competence Security Model

A while back I learned of the Conscious Competence Learning Model (we'll get to exactly what it is) and I knew I had to blog about it. Then I forgot, but I was reminded of it again when I read this article by Richard Bejtlich.

He in turn is discussing CIO Magazine's Fifth Annual Global State of Information Security which is worth a read especially if you are in the Information Security field.

It was these two quotes that reminded me of the Learning Model -

You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.

As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."

This sounds very depressing and sounds like we should just throw in the towel but I think it is more positive than that.

The Conscious Competence Learning Model has many different names and versions but the concept is as follows:

  1. At first you are blissfully unaware of how much you don't know.
  2. Then you start learning and get overwhelmed once you learn just how much you don't know.
  3. Then you learn some more and you struggle along learning all the time.
  4. Then you become a professional and know everything without having to think very much.

My Information Security spin on this is:

  1. At first you have firewalls and antivirus and you feel safe. You don't know what is really happening on your network but you are sure that everything is fine.
  2. Then, for some reason you take Information Security seriously and spend some more money on what is really important. You realise just how unsafe your network and information really is.
  3. You work at it, struggling all the time to get a proper plan in place and back it up with all the good stuff you can such as technological solutions, training, awareness, processes etc., all the time refining and updating the process to get more secure. At the same time new projects have security built in from day 1. All the time you are finding new issues to fix but these are getting fewer and fewer and you know that you are getting more secure.
  4. All your systems are secured as much as they need to be. All new threats have action plans in place. New projects, users, systems all have procedures that make them as secure as possible. All risks are dealt with in the way Business expects them to be. There may be incidents but there are no surprises.

From the CSO article and Richard's blog post I think that most companies in the survey are at step number 2 moving (hopefully) to step 3.

My feeling is that most companies are at stage 1 with a resistance to move to stage 2. Companies that are at stage 1 would (probably) not be a part of the CSO magazine community. I think that very few companies would be at step 4 but many companies would be battling along at step 3.

Obviously the size of the company and what sector the company is in would help determine what step they are on. As well as the amount of leadership the Top Brass have and the enthusiasm of the Security Department.

Friday, September 21, 2007

Seven Habits of Highly Effective Security Plans [Part 3]

In this post we deal with habit 1: Be Proactive

Please first read The Seven Habits of Highly Effective Security Plans [Part 1]
Please first read the Seven Habits of Highly Effective Security Plans [Part 2]

This is based on Stephen Covey's book The Seven Habits of Highly Effective People and in this post we look at how being proactive can help raise the general security of an organisation. This is applicable from a one-person micro business to a multi-national company.

Being proactive really translates into taking ownership. There is a general feeling that Information Security is someone else's problem - usually IT. The thing is that even IT shift the responsibility onto technology such as Firewalls, Antivirus and IDS boxes.

It has taken legislation in the United States and Europe (not so much in South Africa yet) to put Information Security risk back where it should be - the Business and by "Business" I mean non-IT people. Is this fair? Sure, it is their data and they must protect it from getting lost. Security is there to help and IT is there to make sure that the technology is there but at the end of the day if a spreadsheet with financial information goes missing - it is the department that owns the spreadsheet that is going to suffer.

Of course, all three camps can be proactive. InfoSec can, should, must promote awareness of Security. They need Business and IT to understand what the dangers are and what is expected from a regulatory point of view. Posters, education, emails, etc. can all be done.

IT can help by telling InfoSec of incidents that they may find, by making systems secure from the start, by being enthusiastic about patching and hardening servers and by helping out with standards that are secure.

Business can be aware that it is the information they use every day that IT and InfoSec are protecting, and the protection is for them so they can do their work more effectively, which is what business is all about. They should strive to understand the tools that they use and how to use them securely. Strong passwords, a clean desk policy, locking workstations, locking offices, thinking twice before opening strange files are all things that can be done for free and together are far more effective than anti-virus, firewalls and NAC.

It is difficult to get the inertia going and people are reluctant to change but it is important to at least start working on a culture where information is seen as an important asset and is protected as such.

I think this is a lot more productive than playing each part of the business off against the others.

Thursday, September 20, 2007

Backups are like parachutes: you only realize that you need them when it's too late.

This morning there was a story in the Pretoria News about a rapper from the US who had his laptop stolen. Welcome to Joburg.

He is now offering a R50 000 ($7000) reward for the return of his laptop because according to him he has lost 12 years of his work. R50 000 is not a lot of money for 12 years of work but assuming that his laptop is insured against theft then the R50 000 is basically how much the information is worth to him.

Now most of what you find on a laptop hard drive is junk - downloaded jokes, movies, etc. - and also software which is either very easy to replace or comes bundled with the laptop anyhow. Just how big is your My Documents folder anyhow? So let's assume that the rapper had just under 12 Gigs of vitally important, irreplaceable stuff on his laptop - that is 3 DVDs' worth.

An external DVD writer is just under R800. Add on a box of 50 DVDs for just over R130 and you are looking at a backup solution costing about R1000 ($140).

This sounds like a better deal than R50 000. Of course the technology is not going to save you on its own - you need to actually use the technology. It takes about 5 minutes to burn a DVD but maybe 30 minutes to set the burn image up.
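The "set the burn image up" step is where most home backups go wrong: files get copied but nobody checks that the copy is readable. As an added example (not from the original post) here is a small Python script that packs a list of files into DVD-sized volumes and writes a SHA-256 manifest so a restore can be verified. The 4.7 GB disc capacity, the 50 MB filesystem margin and the sample file names are assumptions.

```python
"""Pack files into DVD-sized volumes and write a checksum manifest.

Added example, not from the original post. Capacity and margin below are
assumptions: 4.7 GB is the decimal figure printed on single-layer discs,
and 50 MB is headroom for ISO 9660/UDF metadata.
"""
import hashlib
import os
import tempfile

DVD_BYTES = 4_700_000_000        # assumed single-layer DVD capacity
FS_MARGIN = 50_000_000           # assumed filesystem overhead per disc
VOLUME_CAPACITY = DVD_BYTES - FS_MARGIN


def sha256_of(path):
    """Stream the file through SHA-256 so large files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pack_volumes(files, capacity=VOLUME_CAPACITY):
    """First-fit-decreasing bin packing of (path, size) pairs onto discs.

    Returns a list of volumes; each volume is a list of (path, size).
    Raises if a single file is larger than one disc (split it first).
    """
    ordered = sorted(files, key=lambda ps: ps[1], reverse=True)
    volumes = []                 # each entry: [bytes_free, [(path, size), ...]]
    for path, size in ordered:
        if size > capacity:
            raise ValueError(f"{path} ({size} bytes) does not fit on one disc")
        for vol in volumes:
            if vol[0] >= size:
                vol[0] -= size
                vol[1].append((path, size))
                break
        else:
            volumes.append([capacity - size, [(path, size)]])
    return [contents for _, contents in volumes]


def write_manifest(volumes, manifest_path):
    """One line per file: disc number, SHA-256, size, path (path last; may contain spaces)."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for disc, contents in enumerate(volumes, 1):
            for path, size in contents:
                out.write(f"{disc} {sha256_of(path)} {size} {path}\n")


def verify_manifest(manifest_path):
    """Re-hash every listed file; return the paths that are missing or changed."""
    bad = []
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            _disc, digest, size, path = line.rstrip("\n").split(" ", 3)
            if (not os.path.isfile(path)
                    or os.path.getsize(path) != int(size)
                    or sha256_of(path) != digest):
                bad.append(path)
    return bad


def demo():
    """Constructed sample: three small files, a manifest, then one file corrupted."""
    workdir = tempfile.mkdtemp()
    files = []
    for name, content in [("lyrics draft.txt", b"verse one\n" * 200),
                          ("beat 07.wav", b"\x00\x01" * 4000),
                          ("todo.txt", b"finish the album\n")]:
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(content)
        files.append((path, os.path.getsize(path)))

    volumes = pack_volumes(files)
    manifest = os.path.join(workdir, "manifest.txt")
    write_manifest(volumes, manifest)
    before = verify_manifest(manifest)

    with open(files[1][0], "r+b") as f:   # flip one byte: a bad burn or bit rot
        f.seek(10)
        f.write(b"\xff")
    after = verify_manifest(manifest)
    return len(volumes), before, after


if __name__ == "__main__":
    discs, clean, damaged = demo()
    print(f"{discs} disc(s); clean check: {clean}; after corruption: {damaged}")
```

Burn the manifest onto every disc and run the verify step against the burned copy, not the originals; a backup that has never been restored is a parachute that has never been packed.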

But it is very worth it, yo.

Friday, September 14, 2007

The Seven Habits of Highly Effective Security Plans [Part 2]

Please read The Seven Habits of Highly Effective Security Plans [Part 1] first.

Stephen starts his book with the idea of a paradigm and goes to great efforts to explain what it is and why one needs to understand it.

In terms of Information Security I think that the paradigm shift was forced upon us on July 13, 2001 but it has taken until now for us to be able to understand and deal with the new understanding.

That was the date that the Code Red Worm struck. The darling of Security at the time - the firewall - was no match for this worm and anti-virus was ineffective too.

Today the worm would be very much less effective because we now have more defenses. We have proper patch management, IDSs, deep packet inspection firewalls and application security. These were all around in the time of the Code Red Worm, they were just not being used effectively. We had the technology but the mind set was not right.

When the SQL Slammer Worm arrived it proved that we still hadn't learned our lesson. The paradigm shift had not happened yet but we are slowly getting there.

The fact that new worms are coming out all the time but we haven't had a global epidemic of Slammer proportions means that we are learning our lesson. The fact that the Storm worm is still being successful means that there is still some way to go.

Our first paradigm shift came from realising that:
  1. security has to be done all the time
  2. technology alone will not save us

I think the next one is that we can't tack on security. We need to think about security from the beginning even if it means some things need to be redesigned or abandoned totally.

To Be Continued.

Friday, September 7, 2007

The Seven Habits of Highly Effective Security Plans [Part 1]

I've been thinking about doing this for a while. I admire Stephen Covey and his book The Seven Habits of Highly Effective People. I have seen the book being used to manage huge companies and I think that the principles in the book are broad enough to be applied to pretty much anything including Information Security.

I think that the 7 Habits are already built into "Best Practice" already in most cases but this should allow us insight into why we need to do what we already do.

Do I run a highly effective Information Security Plan? I like to think that I am working on it. I also think I won't ever finish but going back to first principles is always a good idea.

I don't aim to rewrite the entire book, that would be pointless and quite illegal. I aim to use it merely as a guide.

Wednesday, September 5, 2007


Brother Andy sums up nicely the debate that has been happening on the Security Bloggers Network (see right column) about CISSP.

He also sums up most of what I think of the Cert:

  • It shows that the person is serious about security.
  • It opens doors. Even Australian immigration.
  • It is easy for headhunters to spot. And match up with.
  • The ISC2 is a problematic organisation.
  • CISSP is not for everyone.
Of course, I have my bit to add:

Terry Pratchett writes amazing stories with some deep concepts. One word he created (or at least a Witch of his Discworld created) is headology. Basically, a witch will never be caught without her hat because once the hat is on, anything the witch does, magic or not, will be seen to have been done through the use of magic.

I believe the CISSP is our headology. For security people to be taken seriously we need the tools to make people believe we are serious and that includes (for better or worse) a professional organisation such as the ISC2 and a certificate of membership - the CISSP.

Having a CISSP doesn't make me any more knowledgeable about Information Security than the me before the exam but it does show that I am serious about Information Security and want to be seen as an Information Security Professional.

It also helps in Information Security debates to sign the extra little letters with a flourish. Headology.

The Thin Blue Line

On the 2nd September 2007 the South African Police Service held a commemoration day service to remember the 108 police officers killed in the line of duty in the past year.

Having been a reservist police officer for a short period I understand exactly what these police have faced and what the police continue to face on a daily basis.

In honor of that I dedicate some time and some space on my blog to remembering the heroes in blue who paid the ultimate price to protect the families of South Africa and to those who continue to protect us with the knowledge that they may be the next to die.

- Anonymous

When I start my tour of duty God,
Wherever crime may be,
as I walk the darkened streets alone,
Let me be close to thee.

Please give me understanding with both the young and old.
Let me listen with attention until their story's told.
Let me never make a judgment in a rash or callous way,
but let me hold my patience let each man have his say.

Lord if some dark and dreary night,
I must give my life,
Lord, with your everlasting love
protect my children and my wife.

"I am the Officer"
- Anonymous

I have been where you fear to be,
I have seen what you fear to see,
I have done what you fear to do -
All these things I have done for you.

I am the person you lean upon,
The one you cast your scorn upon,
The one you bring your troubles to -
All these people I've been for you.

The one you ask to stand apart,
The one you feel should have no heart,
The one you call "The Officer in Blue,"
But I'm just a person, just like you.

And through the years I've come to see,
That I am not always what you ask of me;
So, take this badge ... take this gun ...
Will you take it ... will anyone?

And when you watch a person die
And hear a battered baby cry,
Then do you think that you can be
All these things you ask of me?

Thursday, August 30, 2007

What are Microsoft Thinking?!

Microsoft has, in the past, had a reputation for not taking security seriously. The company had previously been run on the idea that users want features and that is where the development costs went. Security was put in only where it couldn't be avoided.

Things changed and security became a feature. Microsoft woke up and have done an amazing job of establishing a patching schedule (Patch Tuesday) and supplying tools like WSUS and MBSA to make sure that patches are rolled out with minimal issues.

That's great for larger organisations but while my PC at work is always up-to-date and secure, my PC at home has been lagging. I feel rather safe because it is not connected to the Internet 24/7 and is firewalled when it does dial up. Yes, dial up. With a modem. I don't process any funny documents on the box so it is really in a safe world of its own.

But being a security professional I feel that I should take some time to patch the box just to be sure.

So... let's get back to that modem thing. My modem does not run at 100% and the connection is pretty faulty. In South Africa local calls are charged for so it could get quite pricey to patch my machine, not to mention the amount of time that my phone at home would be engaged.

That is for my one PC... if I had others the time to download and patch would be longer.

Enter the amazing AutoPatcher software. All the Microsoft Patch Happiness you can get (and other stuff too!) all on one little platter! Basically it is all the Microsoft patches on CD with a utility to work out what is needed and deploy it. Download it at work, burn it, take it home and patch patch patch. This is one amazing little package and so necessary for smaller companies and home users.

Microsoft also benefit with the bandwidth savings and happier customers (isn't that what business is all about?)

But now Microsoft have instructed AutoPatcher to remove the Microsoft patches from their site. They are quite allowed to do this under copyright law because the patches are really Microsoft patches repackaged. It means that AutoPatcher really doesn't have much of a purpose though.

I can understand the fact that Microsoft doesn't want to face legal liability if AutoPatcher breaks a third party machine but I have no idea now how I can patch my home PC quickly and easily like I was able to before.

If I were Microsoft I would have bought out AutoPatcher for less than Bill Gates makes in a day and renamed it Microsoft CDPatcher. That move would have shown that Microsoft is serious about security and cares for customers rather than serious about security only to make money.

As it stands today I think Microsoft has made a mistake.

Monday, August 27, 2007

Dr Beetroot and the Stolen Records

This is my take on the whole Manto Tshabalala-Msimang vs The Sunday Times controversy.

Being an Information Security professional I am going to relate it as I see it. And the way I see it both the minister and the paper are correct.

For those of you who read this blog and are not from South Africa I'm going to put a bit of background down for you. If you are from South Africa you can safely skip the next little bit - you know this already.

Manto Tshabalala-Msimang is the Minister of Health and is also known as Dr Beetroot because of her criticized belief that AIDS is cured better through vegetables than medicine. This belief kills people every day and the opposition want her to leave the government because of it.

The Sunday Times newspaper is the most popular weekly newspaper in South Africa and they published an article that hinted very strongly that the minister was an alcoholic without actually saying it outright. They worked this out because of evidence that came from her medical records when she was in hospital and had alcohol when she was not supposed to.

The Minister has not denied the fact that she had alcohol while in hospital but has been upset that the Sunday Times had a copy of her medical records. (This is typical government spin doctoring; according to Nick Naylor from Thank You For Smoking: "That's the beauty of argument, if you argue correctly, you're never wrong". But that's not the point of this post.)

The point is that the Sunday Times did not steal the documentation. They merely happened to get a copy of it. And, once they had a copy, it is their duty to report on news they think the country should know about. And, of course, the whole country is following this very closely so the Sunday Times was right to publish.

So, where does information come from? That is the big question. In Information Security we have a saying "protect all the information that you don't want to read about in tomorrow's newspaper". The Sunday Times is a respectable, "non-tabloid" newspaper. I can't picture their staff crawling around in hospitals, looking for medical records or hacking into medical systems.

Somehow there was a leak in the hospital and this is who the minister should be going after, but it's a lot easier to sue a newspaper than a hospital, especially for the minister of health who would like to pretend that all is well with patient records in hospitals.

The Minister is right that her private details should be kept private but once it is in the newspaper it is too late. It should have been protected from the start and the hospital is (in my humble opinion not being a lawyer) to blame.

If the Minister does take up the issue with the hospital then some questions may arise as to why she used a private hospital for an operation that could have been done at a public hospital and why the government does not protect patients (even at private hospitals) from having their records go missing, ending up at newspapers. Maybe California can help her out.

More on the TJX Stock

It appears that TJX have taken a bit of a knock but their market capitalisation is around $14 Billion.

This means that a hack that costs them $118 Million is peanuts. To them. It essentially ends up costing each shareholder 25c per share. I don't see any shareholder selling shares based on this hack attempt.

The other interesting thing is that while Javelin Strategy and Research said that:

"77 percent of consumers intended to stop shopping at merchants that incurred a data breach"

according to research done in April, they have had to explain how just a couple of months later TJX has reported an increase in sales since they were hacked. Javelin explain that there is just not enough competition.

Gartner are also a bit boggled by this fact but they comment that:

"Most TJX customers clearly care more about discounts than about card security, because they know banks will usually cover potential losses if a card is stolen and used, with the costs eventually shifted back to the retailers."
Gartner go on to preach on how retailers should adhere to good security practices but the "... OR ELSE!" is a bit weak.

I guess this proves that people are just not logical. It will probably take a lot more pain on their behalf before they say that they will avoid shopping at a store with bad card protection and then actually do it.

It also shows that TJX is just not a very good example of what effects a hacking incident can have on a business. It is a strong company with a lot of money to play with and the ability to entice customers back even after losing their private information.

The TJX stock is just not co-operating!

According to Wikipedia:
The TJX Companies, Incorporated is the largest international apparel and home fashions off-price department store chain, based in Framingham, Massachusetts in the United States.

On January 17, 2007, TJX announced that it was the victim of an unauthorized computer systems intrusion.

TJX ended up as the default PCI black sheep. PCI, for those not in the know, is an industry standard created by the credit card companies telling stores how to protect their customers' information, specifically credit card information.

Basically TJX did everything wrong including storing information they should never have stored in the first place. 45 million credit card numbers are now being traded on the black market because of this breach.

Net income for their 2nd quarter dropped 57% due to information security costs related to the breach.

Bad news for the company, right? Wrong. Maybe someone can explain this to me, but on January 16th, 2007 the share price was $29.94. Friday's closing price was $30.75. Man, did the market get them (not)! To be fair, they have underperformed the S&P500 until recently, but the company does not seem to be very hurt by the breach.

Thursday, August 16, 2007

Calif-online-crime Law

According to CSO, merchants in California may end up liable for data breaches.

I think this is a good thing but I also think it is a bad thing.

It's good because a lot of large companies pay lip service to Information Security and don't take it seriously enough. This will make sure that they do. It is good because it is not the poor customer who takes the risk when he does his shopping.

It's bad because it attacks companies for essentially being victims of crime. Not only does the company suffer from the crime itself, but it also suffers from the after-effects of the crime.

On the other hand (I think we are up to three hands by now), there is always a risk in doing business, and especially a risk of crime; it has just moved online now. Companies make good profits or else they would not be doing what they are doing, so they need to set aside some profits to protect themselves and their customers' information from the criminals, rather than ignoring the issues and pushing the risk onto the very customers that give them money.

I guess it's kinda like me locking my expensive car and keeping the keys in my pocket but borrowing a friend's cheap car and leaving it unlocked with the motor running in the street because, hey, it's not my car.

This law is receiving strong opposition, but I think it will be passed. If it is, you can bet that somehow the cost will be passed on to the customers, who will pay for protecting their own information.

The Wall Street Journal Followup

Since my posting on the 7th, the Wall Street Journal has posted a follow-up article here.

It is by the same author, who obviously was not aware of my post because she gets most of it wrong again. She chose to ignore Andy's input too. I found out about this follow-up from his blog; thank you, Andy.

My original post basically pointed out the main problem in her article, which is that the Information Security policies that she is showing how to bypass are not made up by IT but by the security department. More to the point, they are signed off by upper management, and by breaking them you can get into serious trouble with the Boss. Failing that, the Boss himself may get into serious trouble with the law.

The author writes in this article about how "IT workers said they get blamed both by employees who feel too restricted and by company executives who, when things go wrong, fume that policies must not have been restrictive enough."

At the end of the day it's not the IT guys who should be enforcing security; they have enough on their plates. It is business people themselves who should be enforcing the rules.

The IT department is usually the least respected department; it hires young people who don't know the art of dealing with people, especially those in upper management. More importantly, they are enablers. They fix things and make things work, and that is how they are rated. They are also clueless (or they should be, anyhow) about what information is important.

What about the fools in the Information Security department, I hear you ask. They are there to make sure that Information Security is done, yes. But, at the end of the day, neither they nor the IT guys will be in big trouble if information is lost or leaked, or wrong decisions are made using altered documents. It will be Business that pays. So, why have these lazy Information Security guys around in the first place? Really, it's to inform the business people and to help them with implementing security.

If your staff are knowingly breaking rules that you have put in place... well... no Firewall, IDS or Antivirus or amazing CISSP is going to save your data.

I think that the WSJ has missed an opportunity to push the idea that Information Security is important, that the rules are there for a reason, and that breaking them will not only upset the guys in IT but can make an employee lose the respect of his/her employers and possibly even his/her job.

Monday, August 13, 2007

3rd Party Security - The big question

As happens in the "Blogworld" I read a blurb in the Daily Incite which then linked to a good Blog entry by Andy It Guy which in turn linked to a really good PDF document by Rebecca Herold who has more letters after her name than in her name.

While we are so busy concentrating on our own security structures (You are, aren't you?) how do we make sure that our partners are protecting our data?

There are several places where this is important:

  1. The obvious first one: you give your credit card information to someone. What they can and can't do with it is governed by a standard made by the credit card companies. It is called PCI compliance. It seems most companies don't abide by the rules, but the fact is that the rules have been very well designed and slowly, hopefully, companies will abide by them. The nice thing is that PCI compliance is worked out already. You don't have to worry. You should, as a matter of principle, make sure that a company is PCI compliant. I think it would be a good idea for the credit card guys (Visa, MasterCard, etc.) to actually promote PCI compliance as a marketing tool for companies to display proudly on their websites and in their stores.
  2. You fill in a form, any form, anywhere, online or offline. This is your personal, private information and you should be aware of exactly what happens with it. If you have to hand the information over because of some law, such as the ones preventing money laundering, you don't want that form going to the company's marketing department. ("You are a treasured customer of ours, do you want to be the first to use our new services...?") You also don't want it put into a dustbin and used by anyone who finds it in the street.
  3. You are trusted with someone's details and have to send them to a 3rd party. If something happens to the details, it's you who gets the blame.
Basically, wherever someone has some of your personal data, your company's confidential data or data that has been given to you by some entity that trusts you with it, you should be able to make demands on how they treat it. No security is 100%, but you should be able to at least, without getting into all the details, know enough about how your data is treated to make an informed decision on whether or not you trust the person you are giving it to.

The PCI standard came out of a need to protect data but there should be a broader standard for all types of data allowing us to make spot decisions on who to trust and who not to trust with our data.

And, taking an observation from Andy but broadening it: the specification of how data is looked after should be more specific than a framework. A framework is fine for protecting your own data, but other people should be able to judge exactly how you treat their data.

But, on the other hand, you don't exactly want to go around to every company that you deal with (perhaps all over the world) investigating in minute detail exactly what methods they use to protect their network and data. You can't be expected to watch that none of their staff take their laptops home etc.

You shouldn't even be expected to take a look at their policies.

You should just want to be able to see a logo that says "we are secure up to level 3 of the 3rd party information control standard (3pics)". This should be good enough for a bank, but a video shop may be able to get away with level 2 and a doctor should have level 4.

By the way, I made up 3pics because, as far as I can see, there is no widely accepted standard with clearly defined levels that the man in the street can trust and get used to (except PCI, and that is for credit card information only). But shouldn't there be? Wouldn't it be nice to be able to trust that a company you are about to deal with is going to treat your information the same way you do?

Rebecca's PDF document (linked to above) goes into great detail about how one can manage personal information that is given to 3rd parties, but it is a lot of work. That is fine for companies who have few partners, but when there are many partners it would be nice to be able to just check their "3pics" compliance level and start dealing with them.

In case you argue that it is possible already using ISO, SOX, etc., then read what Andy said in his article about how they are just frameworks and not generally accepted standards.

What we need is someone (who, me? I'm too busy ;) to create a(n auditable) standard with a few levels that are easy to understand and implement, and for companies to use the standard and brag about their level of security.

I think part of my thinking comes from discovering this week (but not being rich enough to follow through with actually buying and reading) a book by Stephen Covey (Jnr) about how once trust is established, business can proceed quickly. It is up to us as the public to demand that companies show how they can be trusted with our private information. It is up to us Information Security specialists to make it easy for them to do it.

Tuesday, August 7, 2007

The Wall Street Journal only got one (major) thing wrong.

The Wall Street Journal, published by Dow Jones & Company, published an article that had a few of my peers quite upset.

Particularly upset was my brother-from-another-mother Andy the IT Guy. I call him that because although we are thousands of miles apart we have similar jobs and usually see eye to eye on matters. His post on the issue is here. In the post he links to other bloggers who rip the article to shreds.

I leave it up to the dedicated reader to follow all the links and get acquainted with the article and see why it has upset Andy and several others. Go do that now...I'll wait...

If you are reading this I hope you clicked the above links and read up on the comes my 2c.

The article got it exactly right except for one major issue, and it is in the title!

It is not the IT department that is trying to stop you doing all of those things; it is the security department.

In fact, in most companies, if you are quick (and you have to be quick) you'll see that the IT guys are the ones who break the rules the most. Find the geek with the long black coat and chances are he is the guy running the phantom MP3 server that everyone knows about but doesn't exist.

Now that that is cleared up, you may ask: so what? Information Security department... IT department... who cares? But it does make a difference. IT has a mandate from Management to keep the servers humming and the information flowing; that's their job in a nutshell.

Information Security has a mandate from Management to make sure that the company does not leak information and does not break the law. The Information Security guys are also not the ones who make the rules; they may make suggestions, but the guys who sign off the policies and rules are Management (read: your boss, his boss, etc. etc., up to the CEO). The rules you are breaking are the rules set down not by IT but by your boss.

Some of the rules (such as rules 1, 2 and 3) are actually made to stop the top-level guys from going to jail, or at least to stop the company from being on the receiving end of some expensive legal problems. You can be sure that they would not take kindly to having these rules broken.

Obviously I am all for freedom of the press, but just know who sets the rules and who signs off on them: it's not IT.

Friday, August 3, 2007

Can your business survive without petrol?

So, yet another strike and another risk to your business.

It felt like I was in Zimbabwe this morning. I had to queue for petrol. I'm not saying it is as bad as Zims because the queue was only 5 cars long and there was petrol available when I got my turn. I did put in more than I usually do.

I was lucky because I take LRP; the station I went to had no unleaded.

If you have a large corporation what would you do if 70% of your staff are unable to travel into work every day? Can they work from home? Can your VPN handle the load? Do you know your business well enough to work out who should come in to work, who should dial up or connect over VPN and who should just take a few days off?

If you have a small business, can you afford for your staff not to come in and to do their work from home? Can you afford for your clients/customers not to come and visit you? Can you afford not to visit them?

One of the aspects of Information Security is availability, and most large companies have a plan for Disasters (note the capital: we are talking floods and earthquakes) but not for small issues like lack of fuel. Most small businesses run on gut feel; they will cross that bridge when they come to it. The bridge is here now, and it is Business Continuity.

The most difficult thing with Business Continuity is that it forces us to take a look at our assumptions. We assume that we can buy petrol whenever we want to get us in to work. We assume that while there we can have access to water, food, toilets, electricity, a fairly comfortable working environment (Goldilocks: not too hot and not too cold), email, our data, the telephone network, etc., etc. Business Continuity is basically the process of asking "what if something is missing?", and anyone can do it. Usually the owner or the business people are the best at doing it because they understand the business and how it works.

It can get a little more complicated when multiple things are not available. This is very likely for many businesses at the moment. If you have no electricity and no diesel for your generator, what can you do? Work from another site where there is electricity, but then chances are you will be using more fuel to get there.

Is it worth making your staff come in later to avoid rush hour in the hopes that their petrol will last longer? The humane aspect also comes into this issue in that if the strike lasts long and petrol is scarce will you let your staff save their petrol for family emergencies?

The strike is 3 days on and the negotiations are happening. Hopefully there will be no issues at all except some minor inconvenience and some bad Zimbabwe comparisons. I will then take off my Chicken Little hat, but in the meantime: don't panic, but have a plan.

Wednesday, August 1, 2007

Facebook privacy... I'm sure it was there a second ago..

So, some people I know were bored yesterday, looking for something to do while FaceBook got its act together. The site was down and productivity worldwide picked up.

But worse than that, according to an article in The Times, Facebook also let private information slip.

I love it when Information Security makes the general news: it gets people thinking about Information Security.

Basically, you could read your friends' private Facebook messages and see their private content even though they had set it not to be shared.

Wow, you must think, Facebook's lawyers must be sweating... not quite. In their privacy agreement is this little nugget:

"You post User Content (as defined in the Facebook Terms of Use) on the Site at your own risk"

Maybe you should reconsider what information is shared on a publicly accessible site.

Monday, July 30, 2007

Rape and the importance of S.o.D

In Information Security it is drummed into us how important Separation of Duties is.

I investigate security methods and security matrices and inform the Operations teams on what to do. I also measure what is being done. But I don't do it, and I don't ever measure myself.

According to this article in the Times online paper the police are playing with numbers:

" ‘We were told by police officers that there is a general belief that if there is a reduction in the number of rape cases reported, they stand in line for promotion'."

Hence, "an investigation by The Times into child abuse has uncovered claims that some police officers are not recording all rape cases — in the hope that keeping statistics on the crime down will fast-track their careers."

The article goes on to say that the police are refusing to record the crimes or are recording them as common assaults instead.

The problem is that the crime is not receiving the same attention that it would have, had it been logged as rape. The victim also does not get the right medical treatment such as HIV treatment.

How do we get around this? Separate the duties. The police who investigate crime after it has happened should be rewarded for the number of crimes investigated. The police who prevent crime should be rewarded for bringing down the crime. That way, we all win.

Wednesday, July 25, 2007

spamspamspamspam...pdfs..baked beans...spreadsheets and spam!

It seems that everyone is reporting on new spam techniques. But here goes anyhow:

Spammers are using pdfs and zipped up excel spreadsheets to send spam.

This is not really all that surprising because traditional spam checkers don't look inside these kinds of documents or block based on whether a mail has one.

So, it's back to the drawing board for spam blockers; they need to check PDFs.

The scary thing about this is that the risk of false positives is much higher with a PDF or office document (I doubt that Excel will be the only spam transport chosen) because genuine business documents are usually in these formats.

If you are a broker and someone sends you an Excel spreadsheet of their stock picks and you miss it because your spam checker thinks it may be "pump and dump" spam, you could end up in a lot of serious trouble.
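To show what "checking PDFs" and avoiding the broker's false positive looks like in practice, here is an added example (not code from the original post or from any spam product): a small attachment scanner that identifies attachments by their leading bytes rather than their declared MIME type, looks inside ZIP files, and then decides whether to deliver, route to a content scanner, or quarantine. Attachment type alone is never grounds for quarantine; only a mismatch between the declared type and the real bytes is. The sample mails, file names and addresses are constructed for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Leading bytes of the container formats the post mentions: PDF, ZIP, and the
# OLE2 compound file that legacy .xls workbooks are stored in.
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# What the bytes should look like for a declared MIME type (only the three
# types this example cares about).
EXPECTED_KIND = {
    "application/pdf": "pdf",
    "application/zip": "zip",
    "application/vnd.ms-excel": "ole",
}
MAX_NESTED_BYTES = 5_000_000  # refuse to inflate anything bigger (zip bombs)


def sniff(data):
    """Classify a blob by its leading bytes, not by its declared type or name."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def scan_attachments(raw_message):
    """One finding per attachment: declared type, sniffed type, and what a ZIP holds."""
    msg = email.message_from_bytes(raw_message, policy=default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        nested = []
        if kind == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.file_size > MAX_NESTED_BYTES:
                            nested.append((info.filename, "skipped"))
                            continue
                        nested.append((info.filename, sniff(zf.read(info)[:8])))
            except zipfile.BadZipFile:
                nested.append(("<corrupt>", "unknown"))
        findings.append({
            "filename": part.get_filename(),
            "declared": part.get_content_type(),
            "sniffed": kind,
            "nested": nested,
        })
    return findings


def triage(findings):
    """Return 'deliver', 'scan' or 'quarantine'.

    Documents in the risky formats are routed to a content scanner, never
    dropped on type alone (this is what keeps the broker's genuine spreadsheet
    out of the spam folder). A declared type that does not match the real bytes
    is a lie, and that does quarantine.
    """
    verdict = "deliver"
    for f in findings:
        expected = EXPECTED_KIND.get(f["declared"])
        if expected and f["sniffed"] != expected:
            return "quarantine"
        kinds = {f["sniffed"]} | {k for _, k in f["nested"]}
        if kinds & {"pdf", "zip", "ole"}:
            verdict = "scan"
    return verdict


def build_message(attachments):
    """Constructed sample mail (not a real capture) with the given attachments."""
    msg = EmailMessage()
    msg["From"] = "client@example.com"
    msg["To"] = "broker@example.com"
    msg["Subject"] = "Stock picks"
    msg.set_content("Spreadsheet attached.")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def zipped_xls():
    """A ZIP holding a constructed, minimal OLE2-looking workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picks.xls", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


# The broker's genuine zipped spreadsheet, and a mail whose "PDF" is not a PDF.
GENUINE = build_message([("picks.zip", "application", "zip", zipped_xls())])
MISMATCH = build_message([("invoice.pdf", "application", "pdf", OLE_MAGIC + b"\x00" * 64)])

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("mismatch", MISMATCH)):
        findings = scan_attachments(raw)
        print(label, triage(findings), findings)
```

The "scan" verdict is the hook for whatever text or OCR analysis the spam blocker adds next; the point of the example is that the expensive check runs on the document's content, and the cheap check (magic bytes versus declared type) is the only one allowed to block outright.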

Spam is horrible stuff but there obviously is a market for cheap Viagra with no prescription.

Monday, July 23, 2007

The Customer is Always Wrong [Part Two]

Just to be fair...

I have a doctor I go to regularly now but I tried a few of them for a while and there were some who were so clever but just didn't listen to what I had to say.

They were obviously the experts, but I figure I know me better than anyone, and had they listened to me I think we, together, would have been able to find better solutions than just me alone or the doctor alone.

I think that, in information security too, you are always fighting someone somewhere, but the secret to a good relationship is to listen to what the other people in the organisation have to say.

But never forget that you are the expert.

[Note: I was going to use a plaster/bandage for the little post image but I used a stethoscope because the point of this post is listening]

The Customer is Always Wrong [Part One]

This little insight I worked out by myself with great difficulty.

My first IT job was probably the hardest I ever did.

It was working in a call centre at an ISP back in 1995 before most people had even heard of the Internet and email. Those that had were termed "early adopters" and it was "cool" to "surf the internet". Having played with Unix and Linux and TCP and configured modems to do interesting things I considered myself to be an expert in what I was doing which was helping people to connect to the Internet. And yet there were people who may well have been experts in what they did that would argue with me. The ones who were the most clueless but argued the most were usually doctors. I guess doctors are used to dispensing advice - not taking it.

I've seen from my wife's craft business that the same is true. Some people look to her for advice on techniques and then ignore the advice and get upset, some listen and are happy with the results. (She tries not to offer advice on the creative aspects, that has to come from within).

And now that I am in security I've seen how business can try to ignore security advice because they feel that they know better. Try to force them to accept what you are saying and you can overstep the "be nice to clients" boundary.

At the end of the day, the client has to accept that he is working with a professional and accept the advice as coming from an expert. Alternatively, if the client can do everything on his own, what does he need an expert for, anyhow?

Friday, July 20, 2007

Why the GPL sucks as a license...

The Security Blogger's Network has been debating the GPL recently, but this is a debate that has been going on for years.

The short version of the printer story: Richard Stallman worked for a company. They had a printer. They modified the printer driver's source to do stuff the printer makers didn't think of. They were happy. They upgraded the printer. The new printer driver worked but had no source so they couldn't modify it to do what the old printer did. Richard Stallman fell in love with the idea of having source code. He wrote the GPL to enable users to be able to manage their software.

It was later discovered that the GPL can help a company to expand their product for free and get community involvement. This was an unexpected bonus but not why the license was created in the first place. One of the shortcomings is that if you never redistribute the binary or don't redistribute it to the original author, you don't have to forward your source code changes. This could make coders upset but really - the GPL is designed to make users happy.

I've had a good think about companies changing the license from GPL to something else when their product becomes more successful, and I think it is fine to do that; it is their work. But they must strip out all the bits and pieces that others have contributed to the product, or inform them up front that their work may become part of a non-GPL software offering.

I remember back when Netscape announced to great fanfare that they would be releasing an open source version of their browser; it took a very long time for the source to actually be released because so much of it had to be stripped out, being non-Netscape proprietary code.

I remember also when the CDDB went private taking all the hard work of their contributors along with them. I am not a lawyer but I know what is fair.

Wednesday, July 18, 2007

Harry Potter Escapes!

It had to happen. Unless Scholastic really had magic powers the Harry Potter book was not going to stay secret forever.

According to a news article on The Age, the new Harry Potter book has been leaked.

There have been a number of fake leaks: there are a number of people who write fan fiction, and these have been used to trick people into clicking onto websites with worms and the like.

But this one is slightly different. It is not a pdf or text document; it is photographs of each page in the book.

Now that it has leaked the publishers are desperately trying to put the toothpaste back in the tube but with no luck.

On the other hand, reading a 700+ page book page by page from low-quality photographs is not easy. It's just better to buy a copy or, at the very least, visit the library.

You can bet that, like number 6, there will be pdf versions floating around the pirate sites within a few days.

The one thing to learn from this is that if you have information that is wanted by someone else, you will have a hard time protecting it, and as close as Scholastic came to protecting the Harry Potter book from being released, there is no such thing as perfect security.

The other thing is that with information it only takes one leak, and the number of copies will expand until it is impossible to control.

Wednesday, July 11, 2007

Africa Part 2, Exploding ATMs

While the rest of the world debates the length of a PIN, we in South Africa have a different challenge. At least, the banks do: explosives.

According to this article at The Times: "security companies and banks have warned the public about unexploded bombs in and around ATMs."

Johan Burger, senior researcher at the Institute for Security Studies, said “Because of the increase in ATM bombings, the risk to the public has risen dramatically. ATM bombers are now hitting machines in business premises in metropolitan areas."

Also according to the article: "[First National Bank of South Africa has a] new security and monitoring system [that] will be introduced at 500 sites in areas considered to be at high risk.

Guards on 24-hour patrols will also keep watch over the cash machines."

I can't imagine that an ATM has terribly large amounts of cash, and criminals will start to apply this modus operandi to other types of crime. As a risk, this is on the increase, and security professionals should analyse if and how this would affect them.

It may be worth positioning your server room more to the middle of your offices rather than against a main wall so that a little explosion won't leave a gaping hole that PCs can be moved through.

Update: I just took a look at the video on the site and I would highly recommend anyone using an ATM to see video evidence of what criminals can try when you are using an ATM.

Monday, July 9, 2007

Welcome to March!

A large march of striking workers just marched past my office.

There has been some violence in the past few marches but these are usually on a small scale and directed at those workers who elected not to strike. Usually marches are fairly harmless, even if they look aggressive and scary.

The question for a security professional is: how does one deal with a march that impacts business? In my opinion, besides electricity rolling blackouts and the winter sickness cycle, marches are the most likely threat to business continuity that Johannesburg faces.

If you are a small business based in Johannesburg or any city centre then you should at least make sure that you have a business continuity plan. Make sure that you have backups stored away from your offices, a way to restore them to a separate location, and a safe separate location that you can work from. This may be a bit of an issue for a small business (in which case lots of planning is needed, and don't forget to think out of the box, too!), but for a micro or mini enterprise it may be worth working from home or, for the more adventurous, a coffee shop for the time that the march is on.

This is not a complete solution; each business needs to assess business continuity for themselves. Just remember that the first rule of Business Continuity is that the safety of all the employees comes before the health of the business.

Friday, July 6, 2007

Department of Transport - ISO27001 will help you save face

Some free advice for the Department of Transport.

My last blog entry about eNatis seems to be exactly what the D.O.T is trying to tell everyone: "leave us alone, everything is fine except the website which is in no way linked to the personal data was hacked".

Hey, even uber-hacker (did I really use that term?!) Kevin Mitnick had his web site hacked. It happens, and what we should be worried about is not the website but the data in the database. Who cares if some kid scribbles junk on a website? You should care if he manages to get at the data (your credit card details and personal information like name, address, ID number and car registration number) and accesses it for himself to use elsewhere (loss of confidentiality), or changes the information (loss of integrity).

I do believe that the press is squeezing this story for more than it is worth because, well, they need news and this is an easy target. But it's also easy news to print because of all the issues that eNatis has had in the past and the lingering doubt that the Auditor General's report brought about.

The department tried to stop the report from being made public, because it said that the system was very insecure, but it was made public anyway. The department followed up with a statement that the system had since been fixed, which is quite an easy thing to say but not very convincing.

I think that we as the public who are forced to put our private information in this database (or alternatively don't have a vehicle or license to operate one) should insist that the system and processes around it be certified in some way. My choice would be ISO 27001 but there are other similar certifications and I'd be happy with any one of those.

But really, the D.O.T should be proactive on this and not wait for public backlash; they should investigate security measures now so that when the inevitable audit comes, they are ready.

And when the media jump on something silly like a minor website hack they would have their ducks in a row to argue back.

Thursday, July 5, 2007

eNatis: Nothing to see here, move along.

For those that read my column and are not from South Africa - eNatis is a new system that the Department of Transport (DOT) has implemented. It has a website portal and is the system used for registering cars, licenses, paying fines, etc. It has a lot of personal information. The website was hacked and the papers jumped on the story, though most calling it (correctly) a non-event.

Web hacks are (apparently) easy to do.

This is part of the reason why every company worth its salt (and some not even worth that) recommends that the webserver not contain important information. That should be stored in a database, and if the webserver needs to read the data, it should make a connection through a firewall. And the database should be closed up as tight as possible.

In fact, it is almost expected that the webserver will be hacked, and the company (or government department) should have an incident response plan in place to deal with this minor breach.
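The two-tier layout above (a web server that holds nothing important and a locked-down database behind it) can be shown in a few lines. The following is an added example, not code from the original post and nothing to do with how eNatis is actually built: a back-office tier owns the data and the only read-write handle, while the web tier gets a read-only SQLite connection (SQLite's `mode=ro` stands in for a database account granted SELECT on one table and nothing else) and a query that returns only the column the page needs. The table, row values and file name are constructed for the example; the firewall between the web host and the database host is a network control that a single process cannot demonstrate.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample row: the registration, ID number and name are made up.
SAMPLE_ROW = ("ABC123GP", "0000000000000", "A. Citizen")


def create_store(path):
    """Back-office tier: owns the data and holds the only read-write handle."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE IF NOT EXISTS owner (reg TEXT PRIMARY KEY, id_number TEXT, name TEXT)"
    )
    con.execute("INSERT OR REPLACE INTO owner VALUES (?, ?, ?)", SAMPLE_ROW)
    con.commit()
    return con


def web_tier_connect(path):
    """Web tier: a read-only handle and nothing more. In a real deployment this
    would be a separate, least-privilege DB account reached through a firewall."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def lookup_owner_name(web_con, reg):
    """Narrow, parameterised query: the page needs the name, so it gets only
    the name, never the ID number alongside it."""
    row = web_con.execute("SELECT name FROM owner WHERE reg = ?", (reg,)).fetchone()
    return row[0] if row else None


def attempt_tamper(web_con, reg):
    """What a compromised web handler could try with the handle it holds.
    Returns None if the write went through, else the database's refusal."""
    try:
        web_con.execute("UPDATE owner SET name = 'changed' WHERE reg = ?", (reg,))
        web_con.commit()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def demo():
    """Run both tiers against a throwaway file and report what each could do."""
    with tempfile.TemporaryDirectory() as workdir:
        path = str(Path(workdir) / "registry_demo.db")  # constructed file name
        backoffice = create_store(path)
        web = web_tier_connect(path)
        try:
            name = lookup_owner_name(web, SAMPLE_ROW[0])
            refusal = attempt_tamper(web, SAMPLE_ROW[0])
            after = backoffice.execute(
                "SELECT name FROM owner WHERE reg = ?", (SAMPLE_ROW[0],)
            ).fetchone()[0]
        finally:
            web.close()
            backoffice.close()
    return {"name": name, "refusal": refusal, "name_after": after}


if __name__ == "__main__":
    print(demo())
```

If the web tier is defaced or its code is replaced, the worst it can do with this handle is read names; the integrity of the registry is preserved by the database refusing the write, not by the web server staying honest.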

I liken this hack to the real-life equivalent of a criminal trying to break into an office of the D.O.T, not succeeding, and spraying graffiti on their gate.

The media has jumped on this hack because of the issues eNatis has had in the past, but it's the equivalent of reporting on a graffiti incident: the result of the attack is very embarrassing because everyone can see it, but no real loss occurred, and once the mess is cleaned up there will be no further issue.

So, what sort of hack is newsworthy? One that will not make it all the way into the papers! A newsworthy hack would be one where a criminal (or hacker, whatever terminology you choose) gets into the eNatis database and manages to manipulate the data for self gain or steal personal information from the database.

This will not get into the paper because:
  1. The user will not make it public that he has done anything wrong; it would make it easier for him to get caught.
  2. The D.O.T may not even know it has happened. Stealing information is not like other crime, where if someone steals your stuff, you have no stuff left. Information can be stolen but a copy could be left in place.
  3. If the D.O.T finds that a hack has taken place in their database, the last thing they will do is inform the press. (my guess)
  4. If information is stolen from the D.O.T, it may be used for identity theft purposes (i.e. pretending to be someone so you can get credit in their name or get access to their personal assets), and the investigation (if it gets that far) may not know the true source of the information used in the identity theft.

That is not to say that I know of an instance where eNatis has had its database hacked, nor am I saying that it has been hacked or ever will be in the future. I'm saying that, if it were hacked in a way that was newsworthy, we probably would not be reading about it in the newspaper.

Wednesday, July 4, 2007

PCI Auditors selling stuff?!

In a really good blog entry, Mike Rothman talks about how PCI assessors (auditors) are pitching products and other solutions once the audit is done. He goes on further to talk about separation of duty and how the client should make it clear from the beginning that there will be no further business to be made after the audit.

I agree with Mike but I don't think he took it far enough. In an earlier blog entry of mine I discuss this very issue. Once the auditor has come to visit, it is too late. Have a good strategy and see it through long before you call in auditors. Then, once they have arrived and start to sell you products and solutions that you don't need, you'll know that you don't need them.

Never use auditors to tell you what should be done. Use your security experts for that; use auditors to do the checking.

Friday, June 29, 2007

MS07-0056 and Chutzpah

For those of you that know what chutzpah is...scroll down a bit.

For those of you that don't know this beautiful Yiddish term, it is broadly defined as "insolence," "audacity," and "impertinence". But as with all Yiddish terms, the meaning is deeper than just that. It is someone who does something so bad and with so much courage that you hate him for what he's done but admire the fact he had the guts to do it.

My best version of chutzpah is the thief that stole a whole bunch of clothes from a department store and the next day tried to exchange the ones that didn't fit.

So, MS07-0056.

If you are a security expert or just someone that patches regularly (which you SHOULD be doing!) you may recognise that MS07-0056 looks very similar to a Microsoft Advisory number. Almost, but not quite. Microsoft advisory numbers are MS, the two-digit year, a dash and a three-digit number.

MS07-0056 is a fake version of an email advisory from Microsoft, complete with their logo and a formal-looking, no-nonsense, go-patch-now look. The email is very cleverly crafted and has a link at the bottom to a fake patch which is really malware.
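The format rule above is easy to turn into a check that a helpdesk script or mail filter can apply to a suspect message. The following is an added example, not code from the original post; the sample email body and the "MS07-999" placeholder are constructed, and the function names are my own.

```python
from __future__ import annotations
import re

# Genuine Microsoft security bulletin identifiers follow the pattern the post
# describes: "MS", a two-digit year, a dash, then a three-digit number.
# Anything else (such as the four-digit "0056" in the phishing email) is a
# lookalike and should be treated as suspect.
BULLETIN_RE = re.compile(r"^MS(?P<year>\d{2})-(?P<seq>\d{3})$")

def check_bulletin_id(candidate: str) -> tuple[bool, str]:
    """Return (is_well_formed, reason) for a claimed bulletin identifier."""
    text = candidate.strip()
    if BULLETIN_RE.match(text):
        return True, "matches MSyy-nnn"
    # Explain how a lookalike differs so the report says something more
    # useful than just "invalid".
    loose = re.match(r"^(ms)(\d+)-(\d+)$", text, re.IGNORECASE)
    if not loose:
        return False, "does not look like MSyy-nnn at all"
    prefix, year, seq = loose.groups()
    if len(year) != 2:
        return False, f"year part {year!r} is not two digits"
    if len(seq) != 3:
        return False, f"number part {seq!r} is not three digits"
    if prefix != "MS":
        return False, f"prefix {prefix!r} is not upper-case MS"
    return False, "unexpected format"

def find_suspect_ids(message: str) -> list[tuple[str, str]]:
    """Pull every MS-looking token out of an email body and flag malformed ones."""
    suspects = []
    for token in re.findall(r"\b[Mm][Ss]\d+-\d+\b", message):
        ok, reason = check_bulletin_id(token)
        if not ok:
            suspects.append((token, reason))
    return suspects

# Constructed sample of the kind of email body the post describes (not the
# real phishing message). "MS07-999" is a format-valid placeholder, not a
# real bulletin number.
SAMPLE_EMAIL = """Microsoft Security Bulletin Ms07-0056
A critical update is available. Download the patch from the link below.
See also MS07-999 for related fixes."""

if __name__ == "__main__":
    for token, reason in find_suspect_ids(SAMPLE_EMAIL):
        print(f"suspect identifier {token}: {reason}")
```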

While phishing is not new and fake emails telling one to download stuff is not new, the fact that patch notifications are being used to distribute malware is just way over the line of what is bad and what is total chutzpah.

While we are on the topic (you are still reading, right?) I want to throw in some other examples of chutzpah: fake antivirus and spyware checkers, or even real ones that are themselves spyware.

We, as security professionals, drone on and on and on about people patching, installing spyware and antivirus tools, using them and keeping them up to date. And along comes the enemy, attacking us and at the same time sowing doubt in our defenses.

The rule is still the same though: treat every link in every email as suspect.

And keep your antivirus up-to-date!

Thursday, June 28, 2007


My wife used to run a little craft shop and her biggest challenge was getting adults to be creative. When she asked someone straight out to do crafts they would usually reply "but I'm not arty" or some such nonsense. Everyone is artistic. We may not all be Picasso or Rembrandt but there is a little artiste inside all of us waiting to get out.

[For both of the guys who read this column for the Information Security bits (thanks mom, dad), it's coming near the end.]

All of these people have cellphones with their own ringtones, themes and personalizations. Even little things that hang off the aerial, little cases, etc.

The ones that work have PCs that have custom desktops. It may be a soccer team, cute kittens, a nice colour, pictures of their kids etc.

People in the workplace have, in most cases, few opportunities to express themselves creatively. But it has to come out somehow. And hence, people change their desktops and cell phone ringtones. This also explains the attraction of blogging, and even more so of facebook and its friends.

I imagine it would be possible to fill up 8 hours a day for a month customising facebook: adding friends, adding and removing applications, putting in information, getting more applications that need information, drawing, chatting, etc. And the whole time you are using the creative part of your brain.

How does this relate to Information Security? Well, a great deal of time is spent understanding what users do. A user is a tricky resource to understand. Companies have to accept the fact that their employees need to express their creative side, and not just the advertising guys and the script writers, but Jeff in Accounting too.

The alternative is that users will find ways to bypass measures in place that stifle their creativity. They will spend loads of time on facebook, swap joke emails, download music through p2p or even just spend time by the watercooler.

Or maybe I'm being too lenient, maybe the technological answer is correct and we should just close down undesirable sites, use "managed desktops" where everything is tightened up etc.

But facebook can be used from a cell phone...

Wednesday, June 27, 2007

Paris Hilton could make you lose your virtual underwear.

Beware of Paris Hilton...

She may be behind bars but she can still hurt you..

Or rather, it is reported here that a site offering some private stuff of hers has been hacked. And, ironically, all those looking to get a taste of her private stuff have had their private details downloaded.

Think before you send your details over to "" and its ilk: do you want the world to know, with pretty good certainty, what you get up to? If privacy is like underwear on the Internet, you could get caught without it.

Nice term - horrible concept

Part of the reason I blog is to put my ideas down in something more tangible than fleeting thoughts, hence the name of the blog. Others can benefit from my thoughts but sometimes I use the blog to record interesting things I have heard and seen. This blog entry is about that.

I was reading a blog and came across the term "intermittent variable reward". It is basically the quick happiness one gets from doing something that is repetitive but rewards you differently. The example given in the blog entry I was reading (see below) is a jackpot. You pull the handle and each time you get a different reward.

I think facebook is like that. Woo-hoo, a new friend, a new wall posting, a new comment, etc. MXit is even more like that. You are never sure when someone will contact you and what they will say. So hope is always there and the addiction comes very easily.

This is something I've been meaning to blog about for a long time but never really took the time until I saw something similar here but about "twitter" which I haven't really come into contact with much yet.

When I was in University I spent more time than I should have on IRC. I made some good friends along the way and found a beautiful wife. So, some good came out of it, but I must say I was addicted to the rush of seeing what is going to happen next, even to the point where I would sit and stare at my computer screen doing nothing, just waiting. What a waste of time.

My brother-in-law is the next generation. Every time I see him he has his cell phone out and it is always beeping from some contact somewhere. MXit prides itself on being next to free but the amount of time spent on MXit by some of the youth of South Africa is scary.

And now I have a term for this addiction: "intermittent variable reward".

Tuesday, June 26, 2007

Information Security - it's for Small Businesses too!

I am (about) number 30 in the Business section on Amatomu. For those of you who don't know what it is - it is a list of South African blogs, ranked and indexed.

I have read some of the blogs and am impressed at the quality of them and most of them (the business ones) seem to be aimed at small businesses, which is great.

But I am an Information Security blogger and from what I have seen - small businesses don't seem to take Information Security seriously.

For example, I went to a business the other day and they have me listed on their database. But they had my password on their system in plain text. Thank goodness I use a different password for each online service I use, but I know some people that use their PIN number as a password and some use the same password for every service. Sorry friend, your password is no longer secure.
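To make the difference concrete, here is the plain-text store described above beside the hardened form a small business should use instead. This is an added example, not the business's code or anything from the original post; the customer record and password are constructed, and PBKDF2-HMAC-SHA256 from the Python standard library is my choice of password hash.

```python
import hashlib
import hmac
import os

# What the post describes: a customer table that holds the password itself.
# Anyone who can read the table (a staff member, a stolen backup, a hacked
# webserver) now has the password, and with it every other site where the
# customer reused it.
PLAINTEXT_STORE = {
    "customer@example.com": {"password": "correct horse"},  # constructed sample
}

def verify_plaintext(store, email, attempt):
    record = store.get(email)
    return record is not None and record["password"] == attempt

# The hardened form: keep only a salted, deliberately slow hash. The business
# can still check a password, but a leaked table does not hand the password
# itself to whoever reads it.
ITERATIONS = 200_000

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify_hashed(store, email, attempt):
    record = store.get(email)
    if record is None:
        # Do the same amount of work for an unknown account so the response
        # time does not reveal which email addresses exist.
        hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison of the stored and freshly computed hashes.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

HASHED_STORE = {"customer@example.com": hash_password("correct horse")}

def leaked_record_reveals_password(record, password):
    """Would someone who dumped this record see the password in the clear?"""
    return any(value == password for value in record.values())

if __name__ == "__main__":
    for name, store in (("plaintext", PLAINTEXT_STORE), ("hashed", HASHED_STORE)):
        record = store["customer@example.com"]
        print(name, "reveals password:", leaked_record_reveals_password(record, "correct horse"))
```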

When you sign up for a movie contract, where does the information go? Who has access to it? Are your credit card details listed, your ID number? If you have to fill in a piece of paper first, where does that go? You probably fill in enough stuff when taking out a movie contract to allow the young kid behind the counter to be able to impersonate you and mess you around.

When you hand over your credit card in a restaurant, does the waiter take down all the numbers? More to the point, is this something the manager will look out for?

Does your lawyer, who works from home, keep all your information on his laptop? Or any of it? Is it encrypted? What if the laptop gets stolen? What if all the documents he is busy with for you get wiped out in a fire/virus attack/mistake? Does he do backups? Do you?

It's not like me to sow some fear, uncertainty and doubt, but I think that small businesses need to play along.

For their clients and for themselves.

Friday, June 22, 2007

My Wall of Wisdom (Part 1)

When I moved from Network Security, where the "what" of security is obvious and the "how" is not so obvious, to Security Management, where the "what" is not so obvious and the "how" is done by others, I decided I needed to get a bigger-picture view of Information Security.

This blog has been an invaluable asset as I wander along the path of elucidation. Also, as I read and search for wisdom I come across some gems. I have made myself a Wall of Wisdom with some choice quotes that I refer back to when I'm not sure what I should be doing.

I'm going to share one of them with you today. And others in the future.

My first challenge is that Information Security is seen as a technical task - get a firewall, get some antivirus, if you still have money - deploy PKI.


Information Security is a business task. And as with all things to do with business, success or failure needs to be measured. How secure are you, right now? If you can't answer that, you are not doing Information Security right.

My quote is from Lord Kelvin who was a mathematical physicist, engineer and outstanding leader in the physical sciences. In a lecture to the Institution of Civil Engineers on 3 May 1883 he said:

"I often say that when you measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of Science, whatever the matter may be."

Wednesday, June 20, 2007

Sharing is Caring - but not with passwords.

This follows on from my previous post.

We all (should) know by now that we shouldn't share passwords.

But how many of us know exactly where we should use passwords on the internet?

Phishing and its ilk have shown us that you can't trust website links that are sent to you via email.

But what if a friend (or what seems to be a friend) pops up on MSN Messenger or via email or facebook and tells you to "check out this cool site". You do it, you trust your friend's judgment and enter your password only to get caught out and your identity is used to send out the next bunch of "hey, check out this cool site" messages.

That is all in my last post which has a real world example of how one can get caught but the question is how do we define what is right and what is not?

My hotmail username and password is my MSN Messenger password and apparently opens up a whole bunch of access for me to other sites. This is the whole "passport", single-sign-on concept dreamed up by Microsoft. I sign on once to one of the "passport" sites and voila, all the other sites need no sign on. Amazing. Except that someone out there could hijack the system and pretend to be a "passport" site gaining them my password and access to all of my "passport" stuff.

Putting down Microsoft's security efforts is like running the 100 meters against a fish. It's too easy; but Google is starting to move in the same direction. My Google username and password gets me into gmail, igoogle, blogger, etc. and the list will expand as Google buy more and more companies and bring more and more stuff out of their labs. I don't really use yahoo!'s services but I imagine that they are following the trend, which is not limited to Google and Microsoft but is a general industry-wide trend.

When I signed up for Blogger I didn't need a new username and password etc; I just logged on with my Google password. Blogger said that they are a Google company so, boom in goes the password. I did check things out first but that's just me, I doubt most people would.

Another thing that surprised me was when facebook asked me for my email username and password so it could check my email contacts against its subscriber base - not my facebook username and password but my online email username and password. This is obviously a service that a large number of people use or else it would have been taken down, freeing up some vital real estate on facebook's main page. Entering this information is optional, but if you do, you have to trust facebook will not store the information, if they do store it then you have to trust that they will store it securely, and not use it themselves except to check your contact list once. Do you trust facebook?

It seems there are no easy ways around this issue. You have to check to make sure that you trust each site you give another site's password to or, better still, don't share the passwords at all.

Tuesday, June 19, 2007

"1 for the show... 2 for the money"

Yes, the title is right. And this is finally a post that is actually useful (as opposed to interesting and useful somewhere down the line, I hope).

If a friend of yours on MSN Messenger messages you to look at a site that looks something along the lines of messengerweb don't go. Or, go but know the risks.

The title - confusing as it may be reflects the change in attitudes of the "blackhat" or "hacker" community.

1 - it used to be for show: how many sites can you hack in 24 hours? how many machines can you bring down? is Google invulnerable?
2 - now it's for the money.

The site above is an excellent example of this. It is packed full of Google adverts. So each time someone visits the site the owner gets a (very) small amount of money. The way to make that into a big amount is to get a large amount of people to visit.

There is the way I do it which is try to make good content and hope that people find it useful but there is another way - the way that site does it.

The site offers a dubious service to the people that log into it. You need to log in with your MSN credentials (which also happen to be your MSN passport and hotmail password). The site does some checking in its database for you (that's the service) and (this is the genius bit) uses the freshly acquired MSN username and password to send a message (as you) to all of your contacts telling them about this "really cool" site, and so the networking effect goes on until a lot of visits happen and the site owner makes a load of cash.

You have to accept the terms and conditions before connecting where it is spelled out in no uncertain terms what the site will do.

I got "fake announcements" from a number of technical people who had obviously not only visited the site but also entered in their usernames and passwords.

To the general public: don't give up your password, ever! Even when asked to on websites. The MSN password is for MSN only, not for other websites like messengerweb. Ask yourself before you enter any information onto a site: how much do I trust this site? Rather close the window if you are not sure.

To security people: it looks like we have failed again if people are so keen and eager to just give away their passwords. We have to focus on the principles - "Don't share your password! Know where to use them and where not to" - and not the modus operandi - "watch out for emails asking for your password or directing you to a bank website" - because the principles don't change but the modus operandi do.


I have joined Technorati. They need me to do a silly post to prove I own this blog. So here goes. You can safely ignore this post. Technorati Profile

A tale of two CEOs..

A while back I went to a lecture that opened my eyes and inspired me. It is what I look back on when times are dark and enables me to think "Information Security is possible".

The talk was started by the CEO of a large financial institution which is also heavily involved in the medical industry. Alarm bells should be ringing, because the information they have floating around their network is so private it's scary.

The CEO of the company started the talk and told us how secure they are now, how they are working on getting more secure and, more to the point, how he knows.

It seems it wasn't always that way but they are working on getting more secure. They started with a framework, defined goals, worked out a plan and ways to measure their security posture.

And it is something they are very proud of. In fact, that the CEO can talk security already is something special. That he is aware at any one time how secure he is, is more special. Well done to them.

I also had a chance to talk to someone from their competition. I mentioned this inspiring talk and asked this person how secure they are - he told me about firewalls, VPNs and that they had a "full PKI installation with non-repudiation" but gave me no measurables - just product talk. In short, he doesn't know.

There are (apparently) 2 companies in South Africa that are fully ISO27001 certified. I'm not sure what these are but 2 is a very small number. Hopefully, companies will wake up to the realities and as South Africa does more business with overseas companies, hopefully information security will become a selling point.