Monday, December 7, 2009

I stand by Gears!

So, no sooner had I posted the last post on my blog than I saw that Google are seriously considering dropping Google Gears altogether.

Google are dropping support for the most important piece of software in the last 10 years?
Yes, and no.

Google introduced the world to the idea of offline applications by creating Gears. But maintaining it in all the different browsers and all the different Operating Systems (and variations of each) is painful. And was necessary until HTML5.

But HTML5 provides a standard way to implement offline applications: it will be implemented in all browsers soon enough, it will be implemented in a standard way, and Google doesn't need to maintain it.

Google gets what they want and they don't need to support it.

One of the features that separates Chrome from other browsers is the speed at which it runs JavaScript. This became a major selling point and forced Mozilla to speed up their JavaScript to compete. IE will do the same. (Mozilla already had a faster JavaScript engine in development, but they released it sooner than they would otherwise have done.)

So Google don't need Gears but it has already changed the world.

The most important piece of software this decade

[and most people don't even know what it is!]

I've spoken about this software before, I think, but it deserves its own blog post.

And what piece of software is the most important for the last 10 years?

*drum roll*

Google Gears!

"Oh yes of cour- eh, what?!" I hear you say.

Google Gears is a silly little piece of software that merely allows one to run JavaScript offline. It lets a web application keep its pages and scripts in a local cache and its data in a local database, so that changes look as though they are going to the net but are actually stored locally. When an Internet connection is available, the application synchronises the local data with the server. Very technical stuff.

But what it really allows is a PC that runs only web applications, and web applications that are as feature-rich as desktop ones. What it really allows is Gmail to compete with Outlook and Google Apps to compete with Office. It not only allows Google to compete with Microsoft head-to-head but gives them a slight lead.

Since Google's applications are designed with sharing in mind and Microsoft's are not, Google is ahead in this respect. And since Google's applications are on the Web, you can get to them pretty much from anywhere.

And since Google are driven by a policy of "good-enough as fast as possible" their applications are sleek and ready to be used online - Microsoft have some way to go if they want to compete in this area.

In the mid-90s I remember a whole host of companies deciding to take on Microsoft directly, and all of them came off second best: Netscape (with Navigator - remember that?), SUN (StarOffice, Java, the NetPC), IBM (OS/2), Apple (pre-Jobs, pre-iPod).

Netscape is no more, but they did spawn Firefox, which is eating into IE's market share in a big way. SUN has some amazing software like Java and StarOffice (or OpenOffice), but they never really dented Microsoft's dominance the way it looked like they might. The less said about OS/2 the better. And Apple reached their lowest point when Microsoft invested in them to keep the company alive.

SUN's vision for a NetPC is coming about again with Google's ChromeOS. The only difference really is that SUN's vision had lots of pretty blue SUN Servers being the central store for all data and apps while Google's vision has lots of ugly grey and black Internet Servers being the central store. (Internet being the important part). Google are making true what SUN never could - "The (Inter)Network is the Computer".

Whether Google will succeed where many have failed remains to be seen, but they have lined up some interesting tools to give themselves at least a chance, and at the heart of each of these tools is Google Gears making it all possible.

Friday, September 18, 2009

SANS Confirms

So, when SANS comes out with a document like The Top Cyber Security Risks, it is time to sit up and take notice.

And especially when their findings pretty much agree with what the rest of the industry is saying.

The interesting thing is that there are really only two major risks highlighted and one observation.

The observation is that companies are doing well at patching operating-system-level vulnerabilities. I guess this is a well-done to Microsoft and the other OS makers. However, if you are not fully patched at the OS level then you are the low-hanging fruit, and you will be in trouble.

"Hackers" are moving to hacking applications these days - both pre-packaged ones which you will be more likely to find on the desktop and custom built ones which will more likely be hosted on a website.

So, companies now need to patch applications more quickly as well.

They must also have a solid web application security plan in place, and stick to it, before exposing themselves online.

Monday, July 20, 2009

If you only read one article on Information Security...

[... this is it]

Actually, this is a bit unfair, because after reading this one article you'll be compelled to read more.

Richard Bejtlich's article sums this up nicely. He links to another blog post by Verizon Business.

I have some issues with Verizon Business's annual report but it is probably the most important document on Information Security to be published.

My one criticism of the Verizon Business Breach Report is that it shows credit card data to be more at risk than anything else. I was never sure if this is because it is easier to abuse than other data (such as intellectual property) or just easier to detect when it is abused. According to the article, it is the latter. IP is leaving our companies; we just don't know it.

When a whole bunch of credit card information is stolen, the banks track which credit cards are abused. They are good at this, and they slowly work out where all the abused cards were used together. So, if five credit cards were all used at a specific shop and then all end up being abused, that points to that shop having had a breach. In the case of IP there is no bank tracking abuse, so you have to track it yourself... and companies are really bad at that.
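The "where were all the abused cards used together" reasoning above is what fraud teams call common point of purchase analysis. As an added illustration (this is not the post's own material, nor anything from Verizon Business or a bank), the Python below takes a list of card transactions and the set of cards later reported as abused, and ranks merchants by how many of the abused cards passed through them. The transactions, the abused-card set and the function names are all constructed for the example.

```python
"""Common point of purchase (CPP) analysis, as a bank's fraud team might do it.

Added example, not code from the post or from Verizon Business: given a list
of card transactions and the set of cards that were later abused, find the
merchants that the abused cards have in common. The transactions and the
abused-card set below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample data: (card, merchant) pairs seen by the issuing bank.
TRANSACTIONS = [
    ("card01", "shopA"), ("card01", "grocer"),
    ("card02", "shopA"), ("card02", "petrol"),
    ("card03", "shopA"), ("card03", "grocer"),
    ("card04", "shopA"), ("card04", "cafe"),
    ("card05", "shopA"), ("card05", "petrol"),
    ("card06", "grocer"), ("card06", "cafe"),
    ("card07", "grocer"), ("card07", "petrol"),
    ("card08", "cafe"),
]

# Cards the bank later saw being used fraudulently (constructed).
ABUSED = {"card01", "card02", "card03", "card04", "card05"}


def merchant_card_sets(transactions):
    """Map each merchant to the set of distinct cards that were used there."""
    seen = defaultdict(set)
    for card, merchant in transactions:
        seen[merchant].add(card)
    return seen


def rank_common_points(transactions, abused, min_abused=3):
    """Rank merchants as candidate breach points.

    For every merchant that at least ``min_abused`` abused cards visited,
    report how many abused cards it saw, what fraction of its own cards
    were abused (purity) and what fraction of all abused cards it explains
    (coverage). A merchant that all the abused cards visited, and that few
    clean cards visited, is the strongest candidate.
    """
    by_merchant = merchant_card_sets(transactions)
    rows = []
    for merchant, cards in by_merchant.items():
        hits = cards & abused
        if len(hits) < min_abused:
            continue
        rows.append({
            "merchant": merchant,
            "abused_cards": len(hits),
            "purity": len(hits) / len(cards),
            "coverage": len(hits) / len(abused),
        })
    rows.sort(key=lambda r: (r["abused_cards"], r["purity"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in rank_common_points(TRANSACTIONS, ABUSED):
        print(row)
```

With the constructed data only "shopA" survives the default threshold: all five abused cards were used there and no clean card was, so it explains 100% of the fraud with 100% purity. The point for the IP argument is that every step here depends on the bank seeing the abuse; without an equivalent signal for stolen IP, there is nothing to intersect.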

The other point which I found quite amazing is that only very rarely, when a PC is lost, is it used for fraud. Endpoint encryption is cheap and easy to apply, so it should be done, but most information is lost not through assets being lost but through network attacks.

Tuesday, July 7, 2009

[OT] Men are chickens**t.

If you walk into (any) Exclusive Books book store and go to the counter you will be confronted by a whole bunch of gifts.

There are bookmarks, pens, little torches etc. And there are little gift-books. Some are small, some are sentimental, some are silly but they are all intended to be gifts.

So, on the counter at the EB in Cresta shopping centre are two boxes that hold books. One is called "Don'ts For Husbands" with a blue cover and one is called "Don'ts For Wives" with a pink cover.

Now remember, these are by the gift books, not on the shelves where you'd go to browse and buy a book for yourself. So, the intention of these books is for a husband to buy for his wife and vice-versa.

All the "Don'ts For Husbands" were snapped up by wives and given. The "Don'ts For Wives" were still on the shelf. The one copy that was purchased was apparently buried with the husband the next day.

You've got to love married bliss.

(This whole article is true - except for the bit about the one copy of "Don'ts For Wives" missing.)

(The pic above is not such great quality but take my word for it - there are no copies in the left box and the box on the right is almost full.)

Thursday, June 25, 2009

[OT] Open Question to Nokia

So, I have a Nokia E71.

It is absolutely amazing. There is very little in the way of hardware that I can fault.

My wife has a Nokia too and its camera is so good that our regular camera is now collecting dust.

Bottom line - we love our Nokias.

But Nokia fail on one aspect, which I hope they can sort out.

According to this Vodacom page, a Blackberry subscription with Vodacom costs R60 and includes email, all on-device-browsing and most importantly - turn-by-turn navigation.

Nokia offer an email service which is "free for now". My browsing is pretty much covered by my contract and I try not to browse from my phone if I can help it.

But... navigation is R100 a month. That is truly mad. It is almost double the Blackberry deal and doesn't include the email, browsing, etc.

If Nokia want to compete in the new cellphone world then they need to realise that there is more to a cellphone than just the device. There is a service now, and Nokia need to make the price realistic. I wouldn't swap my Nokia for a Blackberry any day, but Nokia needs to come to the party and offer services that are not ridiculously priced.

So, Nokia, what can you do?

Monday, June 8, 2009

The most important security advice for home users!

[Make backups of your important information. Totally erase all devices with storage before you give them away]

So, because I manage Information Security for a large organization people ask me for advice on how to protect themselves.

The first thing I tell them (stuck record time) is to do backups.

The most important thing that home users can do is backup their information. That includes photographs.

It's like smokers - the people in a restaurant most likely to complain about smoke are the ex-smokers. The people most likely to make good backups are those who have lost information.

Except for the fact that my wife does scrapbooking, we would have precious few printed pictures of my younger daughter. They all reside digitally. If my wife's hard drive were to crash then we would (potentially) lose every photograph of our daughter ever taken.

The thing is that hard drives are built like everything else - to fail. So, all your precious information (and every household has some) is sitting on a device built to fail. (Read that sentence again and again until you totally understand the implication.)

Now, consider that most modern PCs have CD/DVD writers and the discs can be bought quite cheaply. What are you waiting for? Disaster?

Having said all of that, the SD card in my phone was corrupted. There was nothing really important on it (and what is important has been backed up) but I thought I'd try to recover what I could from the device. I found a tool called PC Inspector File Recovery. It is freeware and will analyse a drive and try to restore files, which can then be saved onto another drive. It is very easy to use and the price is right (free).

It managed to restore files that non-free software was not able to. I highly recommend this tool.

So, yes, it is possible to get files back after a drive has crashed, but it is not 100%, and Murphy will come to the party by making all files restorable except the one you really want. Backup!

On the other hand, delete is not as permanent as it sounds. So, if you have private information on any device (including PCs, cellphones, USB drives etc) assume that the information on it is readable by whoever you sell or give the device to when you are done with it. Another good free tool is Eraser. This tool overwrites everything on the disk so that it can't be undeleted. (Overwriting is dependable on a spinning disk; on flash media such as SD cards and phones, the controller can keep copies of data that a file-level overwrite never reaches, so treat those devices with extra care.)
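To make concrete why "delete" leaves data for a recovery tool to find and what an overwriting eraser changes, here is an added example in Python. It is not code from the post, nor from PC Inspector File Recovery or Eraser: a toy block device with a directory table, where an ordinary delete only drops the directory entry and a secure delete overwrites the blocks first. The disk layout, the file contents and the three-pass wipe pattern are all assumptions made for the example.

```python
"""Why "delete" is not "erase".

Added example, not from the post and not the code of PC Inspector File
Recovery or Eraser: a toy block device with a directory table. An ordinary
delete only drops the directory entry, so the data stays on the blocks
until they happen to be reused, and a carving scan like a recovery tool's
still finds it. A secure delete overwrites the blocks before freeing them.
The disk layout and the file contents are constructed.
"""

BLOCK_SIZE = 16
WIPE_PATTERNS = (b"\x00", b"\xff", b"\x55")   # assumption: simple 3-pass overwrite


class ToyDisk:
    def __init__(self, n_blocks=8):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}                # name -> list of block numbers
        self.free = list(range(n_blocks))  # blocks handed out in this order

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)   # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = used

    def read_file(self, name):
        raw = b"".join(bytes(self.blocks[b]) for b in self.directory[name])
        return raw.rstrip(b"\x00")

    def delete(self, name):
        """Ordinary delete: forget the entry, release the blocks, leave the bytes."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name, passes=3):
        """Overwrite each block with the wipe patterns, then delete normally."""
        for b in self.directory[name]:
            for p in range(passes):
                self.blocks[b][:] = WIPE_PATTERNS[p % len(WIPE_PATTERNS)] * BLOCK_SIZE
        self.delete(name)


def carve(disk, marker):
    """Recovery-tool style scan: look at every block, allocated or not.
    (A marker split across two blocks would be missed by this toy scan.)"""
    return [n for n, blk in enumerate(disk.blocks) if marker in blk]


SECRET = b"CARD 4111-1111-1111-1111 SECRET"   # constructed content, 31 bytes -> 2 blocks


def demo():
    """Return the block numbers where the marker survives after each kind of delete."""
    plain = ToyDisk()
    plain.write_file("secret.txt", SECRET)
    plain.delete("secret.txt")
    plain.write_file("notes.txt", b"shopping list")   # lands on a fresh block, old ones untouched
    found_after_delete = carve(plain, b"SECRET")

    wiped = ToyDisk()
    wiped.write_file("secret.txt", SECRET)
    wiped.secure_delete("secret.txt")
    found_after_wipe = carve(wiped, b"SECRET")
    return found_after_delete, found_after_wipe


if __name__ == "__main__":
    print(demo())
```

On the plain disk the secret is still sitting in block 1 after the delete, and even writing another file does not disturb it, because the free list hands out untouched blocks first; that is exactly the window a recovery tool exploits. After the overwriting delete the scan finds nothing.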

One last thing on this topic. Some malicious software (e.g. viruses) installs fake file-recovery software on your PC, encrypts your files and tells you that they are corrupted, asking you to buy the software so it can "repair" them. Don't fall for this trick; you will just be making the cyber-criminals rich.

Tuesday, June 2, 2009

Quick Thought - The Peltzman Effect

I was reading about Ralph Nader on Wikipedia and came across something called the Peltzman Effect.

This is something I see a lot, and something I spend a lot of time in my induction meetings trying to work against.

The Peltzman Effect (named after Sam Peltzman, a professor of Economics) is what happens when you are aware of safety controls.

Knowing that you are fairly well protected, you behave more riskily. This makes all the controls less valuable, or worthless, or actually creates more risk than if the controls were not in place.

Two of these controls (firewalls and antivirus) are important, but they do not cover 100% of the risk, and users need to know that they must not assume total protection but need to take some precautions of their own.

Backups are even worse... they are not magic, but they are assumed to be.

Friday, May 29, 2009

ITWeb Security Summit - Day 1 Keynote Reflections

Bruce Whitfield did an excellent job of chairing the morning sessions. He managed to gather enough knowledge to challenge the speakers and get the audience involved in the round table. His question to Greg Day about the $1 trillion will go down in history. Craig Rosewarne asked Bruce the question that was on the tip of my tongue too: Bruce, as a business radio presenter, has access to all of the top C-level executives in South Africa, and we wanted to know just how concerned they are about Information Security. His feeling was "not so much", but he would follow this up on air.

Phil Zimmermann did punt his new product, but leading on from that was an interesting talk about privacy. According to one of the delegates, South Africa is about to be flooded with video cameras, all with the latest and greatest facial recognition systems. The government will use the "combating crime" and "stopping terrorism" excuses to do the roll-out. While these are important in times of massive risk (such as the 2010 World Cup), the equipment will stay. Phil is not from South Africa so he wasn't aware of the whole Mbeki/Zuma wiretapping tap-dance, but his talk was largely about how VoIP is less secure than normal phones, but with encryption can be more secure.

Jeremiah Grossman. Well... a speech about how to hack free pizza... what more can one say? Amazing. I think the key takeaway from this speech is that technology is not everything. Hackers can use the technology in the correct way but exploit bad business plans. Jeremiah is very much at ease in front of a large audience; his speech is very polished, with a nice use of humour.

Greg Day made the fatal mistake of quoting the $1 trillion figure for how big cybercrime is. This is maybe what his keynote will be remembered for. But I think the key take-away from his speech is that trojans are so easy to compile and send out that signature anti-virus products are lagging. McAfee are trying to fix this by speeding up their signature system. They have also invested in an application white-listing product; Greg referred to this in passing but without going into details. I referred to the proliferation of trojans in my own speech, stating that the insider threat / outsider threat question is no longer up for debate. The point is that hackers are in your internal network. It's a given. Now, what are you going to do?

ITWeb Security Summit - Reflections (Part 1)


The ITWeb Security Summit has come to a close and it was amazing.

Unfortunately, being stuck in South Africa, I really don't have anything to compare it to, but I thoroughly enjoyed the conference and am already looking forward to next year's event.

I highly recommend it to all business people, security professionals and technical security people.

(I was involved in the conference as a speaker but, really, honestly, truly, I would say this even if I wasn't involved.)

The only major criticism I have (as a speaker and delegate) is that the management breakaway sessions were held in the main conference room, which meant that a smaller number of people were spread out in a large, rather dark area. This meant that the speakers in the management stream were quite separated from their audience.

And, to nitpick - the breakfasts were not great. However, the lunches were amazing and the coffee was great.

Generally, everything moved well. The audio-visual systems worked fine, the microphones worked very well and the clicky things (to move slides) worked.

Registration was a breeze and the venue was perfect. (Aside from the Midrand early morning traffic, yuck!)

The speakers were very interesting, especially the ones from overseas and it was a treat to be able to understand what is happening elsewhere in the world.

Well done ITWeb!

Friday, May 22, 2009

Happy Birthday Important Blog Post

I just realised that it's been a year since I posted the blog post Information-centric Security is Dead.

Ironically enough, next week I am presenting at a Security Summit on, well, Information-centric Security.

The article, I believe, is one of my most important ones. Information-centric security is not really dead, but it is a stepping stone. Read my last blog post and the one linked above together and you will see what I believe is the most exciting and important development in our industry, probably since firewalls.

If you aren't busy next Tuesday then maybe come and see me talk. It'll be fun; I'll make jokes. Promise.

NAC and DLP - lets break them and put them together again

[NAC and DLP can be so effective together, they just need to be trimmed down]

So, Art Coviello's company (RSA) arranges the biggest and certainly the most important Information Security conference, and so he gets to give the keynote. But, to his credit, he is either brilliant or has brilliant people around him, because his keynote is always interesting, ground-breaking even. I believe that RSA certainly has the best vision in terms of security.

But enough of that... let's get back to the topic of this blog. (By the way, if anyone from RSA is reading this, contact me for my details to send whatever swag you have to give me for the above... cash is best ;)

Coviello's main points (in my opinion) are that security tools are point solutions and don't play nicely together. This needs to change: they need to be more open, and once they are, they can start to specialise.

I guess this is sort of what Check Point were trying to achieve with OPSEC. You have "smart machines" that understand policy.

Think firewall policy server, anti-virus server, IPS. Traffic is sent to these machines and they work out what needs to happen to it - allow, block, log, etc. This is communicated to a dumb device like a firewall node, which just follows orders.

Coviello names the functions as follows:

  • Policy Management
  • Policy Decision Points
  • Policy Enforcement
  • Policy Audit

So, suppose I am reading a file on how my company makes its secret widgets. I download the file from the server, and the following information is available to the different systems around me:

  • My username
  • The time
  • My location by network
  • My location by GPS (not usually, but why not?)
  • My PC's latest patches and antivirus level (from NAC)
  • My PC's installed software
  • My PC's hardware (including USB devices)
  • Any IPS triggers

This information sits in many separate databases that don't really interact. But imagine if they did.

It would allow the system to make an allow/block decision based on any of the above conditions, or on all of them together. So, if I try to access a file from my desk but it is 1 AM, then maybe I am denied the file. If my antivirus is out of date then, tough, no files are available.

Every piece of network equipment (including workstations and servers) can be a Policy Enforcement point. Which means that if I try to access a file that I'm not supposed to, then the server will block the connection, the switch will block it too, and my laptop will block it too. This may be over-protection, but it may not be.

So, you may have a DLP server, a NAC server and a centrally controlled personal firewall policy, but really the enforcement for all of these comes down to "allow" or "block", and network switches can do that already. So, all your systems need to talk, and only when they all agree on "allow" does the traffic flow.
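Here is the decision side of that picture as an added Python example. It is not from the post, and it is not RSA's or Check Point OPSEC's code: a toy policy decision point that takes the attributes listed above (user, time, network location, NAC patch and antivirus state, USB devices, IPS triggers) and runs them through a set of rules, each of which can veto, so that the verdict is "allow" only when every rule agrees. The rules, thresholds, network names and data labels are assumptions chosen for the example.

```python
"""One allow/block decision from many sources of context.

Added example, not from the post and not RSA's or Check Point OPSEC's code:
a toy policy decision point that evaluates context gathered from separate
systems (directory, NAC, endpoint inventory, IPS) against a rule set and
returns a single verdict that any enforcement point (server, switch, laptop)
can apply. Rules, thresholds and labels are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Context:
    user: str
    when: datetime
    network: str                       # "office-lan", "vpn", "guest-wifi", ...
    av_signature_age: timedelta        # from NAC
    missing_critical_patches: int      # from NAC
    resource_label: str = "internal"   # "internal" or "confidential"
    installed_software: set = field(default_factory=set)
    usb_storage_present: bool = False  # from hardware inventory
    ips_alerts: int = 0                # recent IPS triggers against this host


# Each rule returns (allowed, reason). Every rule must allow for the verdict
# to be "allow", so the rules behave as a chain of vetoes.
def rule_office_hours(ctx):
    ok = 7 <= ctx.when.hour < 20
    return ok, "office hours" if ok else "outside office hours"


def rule_av_current(ctx):
    ok = ctx.av_signature_age <= timedelta(days=3)
    return ok, "antivirus current" if ok else "antivirus signatures stale"


def rule_patched(ctx):
    ok = ctx.missing_critical_patches == 0
    return ok, "patched" if ok else f"{ctx.missing_critical_patches} critical patches missing"


def rule_no_ips_alerts(ctx):
    ok = ctx.ips_alerts == 0
    return ok, "no IPS alerts" if ok else f"{ctx.ips_alerts} IPS alerts against this host"


def rule_confidential_handling(ctx):
    """Confidential files only over trusted networks, never with removable storage attached."""
    if ctx.resource_label != "confidential":
        return True, "not confidential"
    if ctx.network not in ("office-lan", "vpn"):
        return False, f"confidential data over untrusted network {ctx.network}"
    if ctx.usb_storage_present:
        return False, "removable storage attached"
    return True, "confidential handling satisfied"


DEFAULT_RULES = [rule_office_hours, rule_av_current, rule_patched,
                 rule_no_ips_alerts, rule_confidential_handling]


def decide(ctx, rules=DEFAULT_RULES):
    """Return (allow, reasons_for_denial). An empty reason list means allow."""
    denials = [reason for ok, reason in (rule(ctx) for rule in rules) if not ok]
    return not denials, denials


def evaluate(hour, av_age_days=0, network="office-lan", patches_missing=0,
             ips_alerts=0, usb=False, label="internal", user="alice"):
    """Convenience wrapper: build a Context for a fixed day at the given hour and decide."""
    ctx = Context(user=user, when=datetime(2009, 5, 22, hour, 0),
                  network=network, av_signature_age=timedelta(days=av_age_days),
                  missing_critical_patches=patches_missing, resource_label=label,
                  usb_storage_present=usb, ips_alerts=ips_alerts)
    return decide(ctx)


if __name__ == "__main__":
    print(evaluate(10))   # allowed, no denials
    print(evaluate(1))    # the 1 AM case from the text
    print(evaluate(10, av_age_days=10, network="guest-wifi", label="confidential"))
```

The verdict carries every reason for denial, not just the first, which is what the Policy Audit function in Coviello's list needs; the enforcement points only ever see the boolean.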

Exciting times ahead.

Monday, May 18, 2009

ITWeb Security Conference

[Our heroic writer gets interviewed by the Press and gets ready to knock some socks off at ITWeb Security Summit]

In the run-up to the ITWeb Security Summit, I have been interviewed about my Information-centric Security speech.

I'm looking forward to the conference. It will be the first time that I am presenting, and I think that this year is going to be great. There are a lot of new technologies and concepts that are going to make this year exciting.

At work I have been working hard at planning my next year and I am very excited about that too.

There is some Information-centric Security in there but lots of other stuff. It is going to be a busy year.

Thursday, April 30, 2009

Sneaky Twitter Tweeting

Ok, so I was bored. And then I saw the challenge. It came, ironically enough, via Twitter.

It is a Twitter client that looks like Excel. If your boss walks past then he doesn't spot you wasting time.

Nice idea, but let's see if we can take it further.

Twitter inside Excel. No tricks, no fake screens. Just the real deal. Create one sheet for work and one for play.

Ok, so how?

Step 1
Open Excel

Step 2
Click "data" then "xml" then "import" and put in the following URL:[userid].rss

UserId is your userID which you can get by logging into twitter, going to and hovering your mouse over the RSS logo on the right.

Step 3
It will ask you for your Twitter username and password (unless you are logged in) and pull the information into Excel. As a bonus you can right-click, select XML and refresh the information.

Step 4
Different versions of Excel will work slightly differently.

Note that the information doesn't just magically appear in Excel; it is loaded via your browser (running in the background with no window), so if your employer has a proxy server (they should) with logging on (it should be) and they have suspicions about you (I hope not), they can still see your Twitter browsing even if your boss can't see it by glancing over your shoulder.

Thank you Dominic for the challenge.

PS. Using the Twitter API, it should be possible to post to Twitter and see DMs, @ messages, your own status etc., but I didn't feel like playing with it that much. Maybe I will. At the moment you only get your personal stream, unsorted. In Excel.

Do I live in the first suburb in the world to be smurfed?

So, strange reports started coming in to the media this week about neighbors whose gate remote controls and car remote controls had stopped working. It was across my neighborhood but not those around us. It didn't affect us, thank goodness. No-one knew what was causing it.

It turns out that new smart meters that had been installed were to blame. They consist of a part that measures electricity usage and a part that reports it back to the electricity company. The two communicate with each other on the same frequency that gate and car remotes use.

Somehow they have been "over-communicating". This has led to gate remotes and car remotes not working because of all the signal noise. It made the press because, in South Africa, a non-working gate remote on a dark night can lead to some pretty ugly crime.

The electricity department denied that it was their equipment until it was proven otherwise with signal-measuring tools. Now they claim that a third-party device caused their meters to start shouting to the world at large. They have a 'patch' for the meters that stops this issue.

Exact details are sketchy, but it sounds like someone managed to launch either a smurf attack or a DoS attack on the meters, which in turn made things like electric gates, garage doors and cars not work. Parts of the neighborhood were essentially shut down. So, I'm claiming to live in the first suburb to be smurfed.

Friday, April 17, 2009

Analogy vs analogy. Let the games begin!

[Enforcement or Awareness? Whats best?]

Since my post about how seatbelt legislation improved the use of seatbelts was very popular, I like the idea of traffic rules being used as an analogy for Information Security. So it was quite exciting to see some Gartner thinkers copying me (obviously they read my blog religiously, debate it at length and then copy it. I am that good).

So, the first one was about traffic-light cameras causing more accidents than they prevent, and how the government won't remove them because they make good money from them. Enough said there. The other was about how speed-limit signs have been around for years without being very effective, but speed cameras are very effective.

Reading between the lines, it seems to me that the article dismisses awareness altogether as not being effective. Which is fair enough. In Information Security you can preach for hours, but unless you actually capture the hearts of those in the room then you are lost. They will not listen. One way to go is to use a combination of things, including awareness and enforcement.

Taking Then you've won.

Monday, April 6, 2009

The Issue With Cloud Computing

I really like the way The Hoff puts things sometimes:
We’re told we shouldn’t have to worry about the underlying infrastructure with Cloud, that it’s abstracted and someone else’s problem to manage…until it’s not.
I think that sums up the problem with Cloud Computing in one line. You are essentially making your job easier by dumping the responsibility for security (and availability) onto someone else's plate. Which is fine until they post a note saying "Sorry" and you are left with no service.

Or worse - data that has gone off somewhere that you don't want it going!

The Conficker Eye Chart - Really!

This Conficker Eye Chart is brilliant!

Information Security can get a bit drab and boring. Especially when the auditors start poking around and you are arguing about the minutiae of your security policy. And especially when you look at the designers with their Apples and the programmers pumping out new Web 2.0 frontiers.

But sometimes, someone out there comes up with something so silly but effective that it just has to be blogged about.

The Conficker Eye Chart is simple: it tries to download images from sites that Conficker blocks. If you can't see them, then it could be that you are infected. (Could be: a filtering proxy or a dead connection hides them too, which is why the chart also shows images from sites the worm leaves alone, as a control.)

But you really have to see it. I wish I had come up with that one!
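The same idea in code, as an added example that is not the Conficker Eye Chart's own script: probe a set of sites the worm is known to block alongside a set of control sites, then read the pattern of failures the way the chart's legend does. The site names are placeholders (an assumption, not the chart's real URLs), and the result dictionaries used to exercise the classifier are constructed.

```python
"""Eye-chart style check for a worm that blocks security sites.

Added example, not the Conficker Eye Chart's own code: the chart loads images
from sites that Conficker blocks next to control images from sites it does
not block. The control group is what separates "infected" from "no
connectivity" or "a filtering proxy". The site names below are placeholders
(an assumption), not the chart's real URLs.
"""
import urllib.error
import urllib.request

# Placeholder site lists (assumption); the real chart uses security-vendor
# sites known to be blocked by the worm plus unrelated control sites.
BLOCKED_BY_WORM = ["https://vendor-a.example/logo.png",
                   "https://vendor-b.example/logo.png",
                   "https://vendor-c.example/logo.png"]
CONTROL_SITES = ["https://control-a.example/logo.png",
                 "https://control-b.example/logo.png",
                 "https://control-c.example/logo.png"]


def probe(url, timeout=5):
    """True if the URL answers with a 2xx status within the timeout."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError, ValueError):
        return False


def classify(results, blocked=BLOCKED_BY_WORM, control=CONTROL_SITES):
    """Interpret a {url: loaded?} map the way the chart's legend does."""
    blocked_ok = sum(1 for u in blocked if results.get(u, False))
    control_ok = sum(1 for u in control if results.get(u, False))
    if control_ok == 0:
        return "no-connectivity"      # nothing loads at all: not a worm finding
    if blocked_ok == 0:
        return "possibly-infected"    # controls load, the worm's targets do not
    if blocked_ok < len(blocked):
        return "inconclusive"         # partial: retry, or check the proxy logs
    return "clean"


def run_check(fetch=probe):
    """Probe every site and classify; ``fetch`` can be swapped for a stub."""
    results = {u: fetch(u) for u in BLOCKED_BY_WORM + CONTROL_SITES}
    return classify(results), results


if __name__ == "__main__":
    verdict, detail = run_check()
    print(verdict, detail)
```

"possibly-infected" is deliberately hedged: a corporate web filter that happens to block the same vendor sites produces exactly the same pattern, so the result is a prompt to run a proper scanner, not a diagnosis.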

Wednesday, April 1, 2009

Isn't Open Source Wonderful?

[Nokia releases Open Source Symbian and it is installed on a toaster]

There is a news story about a toaster running Symbian (the platform that newer Nokia phones run).

It does this so it can provide extra services like measuring the heat of your toast etc.

Full set of features:

  • BreadSense mode that uses internal sensors to figure out the ideal heat setting and time for the bread you have inserted.
  • The large touchscreen UI also allows you to tweak the settings to suit your personal taste.
  • Toast settings can be saved and assigned to individuals. A finger-print sensor on the side identifies the user and automatically displays their personal presets.
  • Additional presets and sandwich serving suggestions can be downloaded from the internet using the built-in WiFi connection.
  • Users can share their own presets and recipes online too.
  • Can connect to your phone via Bluetooth and upload reminders to buy more bread when you run out.
  • The screen can display useful online information such as news headlines, weather forecasts and video feeds to keep you entertained and informed in the kitchen.
  • Firmware updates are automatically downloaded and applied over the air to make sure you always have the latest features.
By the way, happy April Fools' Day. Still, some April Fools' jokes come true...

Note: click through to see the image of this toaster, I want one. And I'm not sure why!

Monday, March 23, 2009


My mother-in-law runs a small craft shop (with lovely craft products, sold very cheaply and with good friendly advice ;) and her business relies a lot on the Internet. Queries come in via email, and she has an online store and a website.

Yesterday she was sent an email telling her that, due to some unsavoury use of the Internet, she would be disconnected. The email had an attachment which was (pretending to be) some sort of log of her activities.

Now, the more savvy of us may think "scam". But she is not "the more savvy of us", and this email freaked her out. She imagined her Internet presence being shut down. And, of course, she had always been careful about her browsing.

Fortunately for her, her ISP's antivirus recognised the attachment as a trojan and deleted it. But she may well have been stressed into opening the attachment to see what the accusations were.

I have written this post to tell people about this type of trickery and to remind those out there who are maybe not so Internet-savvy: NEVER open attachments that you are not expecting. If you are concerned about your Internet connectivity being taken away, then contact your ISP directly, using the phone number or address you already have for them, not one given in the email.

And always have an up-to-date antivirus.

The Victorian Police Have Issues (Ironic Post)

[The irony in this article is so lovely, it has to be shared]

The Age newspaper reports that a leaked memo from inside the Victorian Police (Australia) says that their IT systems are risky.

The article lists a whole bunch of "availability" risks, such as backups failing and the like. It doesn't really go into detail about how information security could be compromised, although it does list the kind of information that the police have on hand, which is very confidential.

The wonderful part is that the article says: 'A police spokeswoman said the force believed its IT applications were secure and there was a "full back-up regime across all our services as well as disaster recovery for core applications".'

My question is ... if the Victorian Police are secure, as they claim to be, how did a highly confidential memo with the ability to cause massive amounts of embarrassment to the department get leaked to the press?

Friday, March 20, 2009

More Fame... Where is the Fortune?!

[The Highly Esteemed Author Presents At ITWeb Conference]

I applied, and my presentation was accepted for the ITWeb Security Conference.

If you have read my blog posts then there will be very little new information in the presentation. However, I do tie my thoughts together in one big "this is where you should be going" session. It will be on the management track, so I should expect some high-level thinkers, and yes, the presentation is very high level.

Even though I am now involved, I highly recommend this conference to all who can make it. I missed out in 2007, but both times that I attended (2006, 2008) I certainly came out with some mind-blowing insights.

I also highly recommend that management don't have the mindset "we need to think about this security stuff" and then send their IT guy, but rather make the effort to send someone who can make business decisions. Even better, send both. That is why there is a management stream and a technical stream.

The reason I promote this event (and I really don't get commission) is that it is the only major event in South Africa with an Information Security focus. I believe that management at any company should make an effort to stay in touch with what is happening in Information Security.

Unless you don't use information or none of your information is private.

Monday, March 9, 2009

Fame! I'm gonna live forever!

[The esteemed writer of Security Thoughts Gets a Mention in Two of His Favourite Blogs]

Yes, not only did I get a mention on The Hoff's Rational Survivability.

But I also got a mention on Securosis.

Life is good.

[OT] So, you think YOU have problems?

[A bit of background info for our International readers..I think we have more than 1..]

Schabir Shaik was a prisoner. He was arrested for (allegedly) bribing the President of South Africa's biggest political party, the ANC.

It seemed as though he believed that he would escape jail, but after appealing all the way through the justice system he ended up with a 15-year sentence.

From the start things didn't seem kosher. Complaining of a heart problem, he spent more time in hospital than actually in jail.

Eventually, after 2 years of being incarcerated he was released. The reason given is that he was in the last stages of a terminal illness. A law exists that allows terminally ill patients out of jail to spend their last days at home.

Huge questions are being asked about this particular case considering his connections with the leaders of South Africa, his huge wealth and his legally proven happiness to use that wealth to grease palms.

[South African readers can start here]

So, basically, the only way, really, that Shaik can prove that he is innocent of these new suspicions is to die. And you think that you have issues. :)

Tuesday, March 3, 2009

Pepsi is not desperate.

[The other side to my prediction. Why I still believe it will happen but why it hasn't happened just yet.]

As per usual, the Securosis guys are smack bang on the pulse and deliver some interesting reading.

The take-away quote from the article is this:

[J]ust because the employee walked out with the information does not necessarily mean that the company suffered a loss. That data has to be used in some manner that affects the value of the company, or results in lost sales.

The Securosis blog entry links to an article about a Coke employee trying to sell Intellectual Property (IP) to Pepsi. Pepsi said "no thanks" and helped Coke who tipped off the FBI who made 3 arrests.

My feeling is that cyber criminals (hackers) are getting desperate. The average price of a credit card on the black market has dropped to the point where it is not worthwhile trading in credit cards anymore. The new currency will be intellectual property. The problem with IP as opposed to credit card data is that credit cards are easy - there are any number of buyers and the consequences are still not too harsh.

Intellectual Property really would only benefit the competitors of a company so there are not so many buyers for the information. And that company would need to act on the information that they get, otherwise it is not worthwhile.

The Coke/Pepsi example is not very technical - it sounds like the employee stuffed files in her bag but it is still a breach. The thing is that there are few companies that would benefit from Coke's private documents. There are fewer that would take the risk in acting on stolen information. Pepsi was not interested in taking the chance.

I think that my prediction still stands but it requires a desperate employee who has access to valuable information. And a desperate competitor that will use the information offered to them. There will probably be a middle-man orchestrating the transaction. Big money will be paid out for the information and the original company will suffer in some way - market share, share price, loss of tender, etc.

I don't think it will be widespread but it may get ISOs around the world thinking "that could be my CEO with egg on his face apologizing to shareholders about losing IP".

Friday, February 20, 2009

The Answer to: What is Cloud Computing

Cloud Computing Summed Up Is Thus:

"A system where part of the deployment is unknown to the IT department"

Cloud = unknown.

Wednesday, February 18, 2009


I have enabled Disqus for my Blog and highly recommend every blogger do so.

(No, I am not being paid for this endorsement, but I am open to bribery...)

The nicest thing about it is that I can track comments made by me on different (Disqus enabled) websites and my comments even get added to my FriendFeed.

Very nice.

[Incomplete Thought] Cloud Computing - WTF is it?!

Sometimes the details are important!

{I'm borrowing the idea of an Incomplete Thought Post from The Hoff - jotting down some thoughts on my blog before they are fully complete. I hope it will lead to faster posting. I have about 25 posts that are half written which I probably should have posted but they are just not quite right. This post is something I have thought about but may be open to discussion.}

Cloud computing is new which is why it is fun. It's like a new gadget and although you probably have no idea what it is or why you need it, the Cloud Computing salespeople are already convincing you that your competitors are using it to get ahead of you.

I think that the original plans for Java are pretty similar to what we are expecting from Cloud Computing. Plug an object into a server, know the interfaces to it and Bob's your uncle - you are up and running. You can do limited customisation but you really don't need to know how everything is happening - just accept that it is. In Java we called it "Black Box" and now it is called "Cloud Computing". In both cases you don't get to see the inner workings. In both cases you are not supposed to care.

The power of this is that once you have a good object defined, you can use multiple objects chained together for scaling up or multiple different objects working together for a common cause. You could even get your chain to scale up and down as needed. Likewise, you could drop new objects in place as you want to create new services. You can even change objects as you find better working examples of them.

An example of this is my Blog. I could run it on my own server and manage the server, the database, the web (HTML, code, etc). Or I could go to Blogspot, sign up and be online in a few seconds. And, if all of a sudden there is a massive interest in my Blog (pfft) then Google will supply me the bandwidth and Server power to keep my site up. This is all very well but I have other advantages now too, such as, I have thrown out the vanilla comment section and put in one that works better. I could throw out that one too if I find something better. I have gone with FeedBurner for managing the RSS feed but I have a few choices there. Inter-connectivity is making my Blog so much more than a static web page.

I am really benefiting from "the cloud". On the other hand - there is nothing on my Blog that is private at all. The whole point of this Blog is to "get the word out there" so the more people that read my stuff - the better. I may not want spammers getting my email but that's pretty much it.

So, honestly, I don't care where my data is stored, what happens to it in transit, who reads it, etc. It is better not to know because my head can hold only so much junk. I also benefit in that I don't have to stick everything together. (Where I do stick different pieces together - it is made very very easy for me) and I don't need to pay for a dedicated server.

On the other hand, (and this is key) if it was corporate information then the details of where, how, what, etc become important.

Monday, February 2, 2009

Sometimes a piece of bread is just a piece of bread

I really like Andy the IT Guy but sometimes he goes overboard...

Andy the IT Guy is, of all the bloggers I read, the most practical. He isn't an analyst like the Securosis guys or a salesperson like most of the others. Or a ninja-type like the Hoff. He is a hands-on security person. Like me.

I find sometimes, I will be sitting in the traffic or walking down the street or shopping or whatever and thinking "there must be some Information Security parallel to this" and I get ready to blog about whatever it was. You can equate just about everything with Information Security. I'm sure that bloggers of all types go around thinking "...blog about that...". There should be a support group. Maybe there is. Maybe it has a blog. I hope not.

By the way, Andy's advice about Information becoming "mixed" is really good advice and all companies should take note. I am about to start an Information Classification program and I shudder to think what it is that I will find. If everything was done right from the beginning ("pffft...") then it would be a simple thing to perform.

Andy, I totally agree with your observation, mate. But, sometimes just switch off and enjoy your breakfast. Even if it does taste slightly generic. I could use my own advice too. Maybe we should just give in to the addiction...

Now, what do fishpaste sandwiches have to do with Information Security? They smell funny but they are really good for you? Hmmmm....

Prediction Number 2 for 2009

Security lessons not learned will haunt us in 2009

This is exactly what I was thinking but I can't put it any better...

Please take a look at this article called "Security lessons not learned will haunt us in 2009" and learn. This article is written in layman's language so no-one has any excuse not to read it and take in the important information that is included in it.

If you haven't read my 1st prediction - read this article first and then read prediction 1. Then get busy fixing up your Information Security Plan or cower in a corner crying.

Well done Mary Landesman, ScanSafe and ZDNet.

Tuesday, January 13, 2009

Prediction Number 1 for 2009

A major company will suffer losses due to stolen intellectual property.

(I've been trying to come up with all my predictions but I think I will just post them 1 at a time as I think of them. Here is the first.)

If you have been fortunate to attend any of my recent presentations, have read my blog or have gotten caught in a lift (elevator) with me then you'll know all about my Perfect Storm prediction.

I have no idea if it will happen in 2009 or 2010 but it is coming. It may have happened already and we just don't know about it. Briefly - there is a major underground economy happening right now. They are focused on payment card information (PCi) and personal information (PPI) that can be used for identity theft. There is a glut in the availability of this information and it is not worth so much. Either the underground economy will collapse in on itself or (more likely) it will start to trade intellectual property (IP).

IP is worth a lot more than either PCi or PPI but it is harder to find a buyer who can use it and the information is less standardised. But tough times call for tough measures and these are tough times.

I'd like to think that companies would reject offers of stolen information but this is very naive.

The reason that it may happen and we will not find out about it is that companies tend not to report these things to the media or anyone else. And since the information stolen does not belong to anyone else then they don't really have to report it.

The only time they'll have to report it is if it has the potential to make a massive change in their earnings. They'd still be able to fudge the numbers.

So, my prediction is that there will be a growing trend of theft of IP in amounts too small for companies to report until one company is rocked by a theft so big that it can't hide it.

This will happen - the question is whether it will happen in 2009 or 2010.

Monday, January 5, 2009

[OT] Helen Suzman (1917-2009)

The Times has a moving picture of Helen Suzman being laid to rest in the typical Jewish way, in a plain, ugly, boxy coffin. Everyone is equal in death - it is how we live our lives that defines us. And Ms Suzman certainly lived hers as a shining light to all.

I would say "Rest In Peace" but something tells me that Helen Suzman would not find that very easy. The Jewish nation in South Africa have always had an uneasy relationship with the Government, cordial but uneasy. The Nationalist Apartheid government tolerated Jews as they were "Whites" and were afforded the benefits that Whites were given. Most Jews were appalled at the treatment of Blacks and other race groups under apartheid but were too afraid to rock the boat.

Not so Ms Suzman. She will always be remembered as someone who spoke up.

More than that - she was never a loose cannon - she knew she was right and she had an amazing way of upsetting anyone who was doing wrong but in such a way that she gained their respect.

I have a lot of respect for the likes of Nelson Mandela and the other great leaders of the anti-apartheid revolution. But I have more respect for those that had not much to gain and lots to lose by their support. The ones who just saw what was good and what was not and decided to do something about it. It brings to mind the Edmund Burke quote about evil triumphing because of good men doing nothing. We are lucky in this world to have people such as Helen Suzman who see the evil around them and do something. Well, the world has lost one of those people, hopefully there will be others to take her place.

Finally, two quotes -

"I stand for simple justice, equal opportunity and human rights. The indispensable elements in a democratic society - and well worth fighting for." [Helen Suzman]

"...I don't pull my punches" [Helen Suzman]