Archive for November, 2013

Nov 25 2013

Two more years of Snowden leaks

Published by under Cloud,Government,Privacy,Risk

I’ve been trying to avoid NSA stories since this summer, really I have.  I get so worked up when I start reading and writing about these stories and I assume no one wants to read my realistic/paranoid ranting when I get like that.  Or at least that’s what my cohosts on the podcast have told me.  But one of the things I’ve been pointing out to people since this started is that there were reportedly at least 2000 documents contained in the systems Edward Snowden took to Hong Kong with him.  There could easily be many, many more, but the important point is that we’ve only seen stories concerning a very small number of these documents so far.

One of the points I’ve been making to friends and coworkers is that given how few documents we’ve seen released, we have at least a year more of revelations ahead of us, more likely two or more.  And apparently people who know agree with me: “Some Obama Administration officials have said privately that Snowden downloaded enough material to fuel two more years of news stories.”  This probably isn’t what many businesses in the US who are trying to sell overseas, whether they’re Cloud-based or not, want to hear.

These revelations have done enormous damage to the reputation of the US and American companies; according to Forrester, the damage could be as much as $35 billion over the next three years in lost revenue.  You can blame Mr. Snowden and Mr. Greenwald for releasing the documents, but I prefer to blame our government (not just the current administration) for letting their need to provide safety to the populace override everything else, no matter what the cost.  I don’t expect everyone to agree with me on this and don’t care if they do.  It was a cost calculation that numerous people in power made, and I think they chose poorly.

Don’t expect this whole issue to blow over any time soon.  Greenwald has a cache of data that any reporter would love to make a career out of.  He’s doing what reporters are supposed to do and researching each piece of data and then exposing it to the world.  Don’t blame him for doing the sort of investigative reporting that he was educated and trained to do.  This is part of what makes a great democracy, the ability of reporters (and bloggers) to expose secrets to the world.  Democracy thrives on transparency.

As always, these are my opinions and don’t reflect upon my employer.  So, if you don’t like them, come to me directly.

No responses yet

Nov 24 2013

Et tu, Television?

Published by under General

I’m getting used to the idea that the NSA and the GCHQ are looking at every packet that crosses the Internet.  I hate it, I think it’s wrong, but I can understand that they think it’s their mandate to spy on us in order to protect us.  The logic is deeply flawed, but at least it’s understandable that they’d convince themselves that it’s worth the risk that such spying entails.  However, when my television starts spying on my viewing habits, the drives I plug into it and every file on my network, then sends the information back to LG, all in the name of providing ‘a better viewing experience’, someone has most definitely pole vaulted over the line into the pit of pure stupidity.

If you’ve missed it, last week blogger DoctorBeet did some sniffing on his home network and found his LG TV was phoning home to the manufacturer and reporting on his viewing habits.  It sent packets when it was turned on, as it was turned off, any time he changed the channel, and most importantly, it catalogued any USB drive he plugged into it.  And now a second blogger has found that LG is scanning all the network shares you might have and reporting that information back to the home servers.  When confronted by DoctorBeet with these egregious privacy violations, LG’s initial response was “you signed off on the terms of service, so take the TV back to the store you bought it from if you don’t like it”.  They’ve since had a change of heart, mostly because bloggers and news sites around the globe have started raising a big stink about the story.  Oh, and while there is an option to turn off the data collection, this just means that you’ve set a flag telling LG to ignore your data when it gets to their servers, not that the TV stops collecting it in the first place.  You’ll just have to trust them that there’s no PII in it and that they actually dump your information from their databases.

We already know that Smart TVs are riddled with vulnerabilities and that many are running a stripped-down Linux kernel in the background, some complete with web servers on the backend.  I’d hazard a guess that most of the services are running as root on the TV, that the developers have never heard of SSL and that all the connections to your phone and tablet are done over the public Internet completely unencrypted.  While someone at the manufacturer might have raised the spectre of security, he or she was probably shouted down in favor of adding more capabilities to the TV as cheaply as possible.

The Internet of Things means that this type of spying and vulnerable technology on our home networks is only going to get more prevalent as time goes by.  Someone out there is probably already working on the web-enabled refrigerator that reads the NFC chip on your milk carton to automatically send a request to Tesco when your milk gets low or reaches its expiration date.  And some day we’ll have an alarm clock that phones in to work for you when you sleep in and are going to be late for work.  And this will all be a data source for the marketing companies.  And the NSA.

Some of this will be handled by legislation that makes data collection like what LG is doing illegal.  It will still happen, but it’ll become less common as companies get caught by bloggers and the press and are embarrassed into removing the snooping technologies from their hardware.  Or, more likely, they’ll learn to be more circumspect in what they’re capturing and how they transmit it back to home base.  And the intelligence agencies will want access to it all.  Isn’t paranoia fun, especially when it’s closer to reality than a psychosis?

Update: I’ve only had a little time to poke at the web server on my Samsung TV, but some gentlemen at University of Amsterdam have dug into it more deeply than I could hope to.  I’m guessing there’s still more to find on these TVs.

No responses yet

Nov 21 2013

Had fun in Norway

I got invited to speak at the annual dinner of the Cloud Security Alliance in Oslo, Norway earlier this week and had a lot of fun at the event.  I always enjoy visiting cities I’d probably never see if not for my job.  Even more importantly, I love talking to people who are outside of the conference circuit and the echo chamber that is twitter.  It’s always interesting to see how these people see security differently than I do and differently than most of the people I hang around with (digitally, at least) do.  I appreciate the invitation Kai Roer (@kai_roer/kairoer.com) extended to me and I’m glad I went.

The other gentleman who talked at the event was Mo Amin (http://www.infosecmo.blogspot.co.uk/), a London-based security professional who was giving what was only his second ever talk in front of a crowd.  There were some rough edges to his talk, but then again, there are enough rough edges to my own talks that you could grate cheese on them.  But Mo brought up some points about security awareness and training that many security teams need to be thinking about.  Specifically, he asked how many of us are teaching to a plan we developed in a vacuum, without understanding the needs of our audience or having talked to the people we’re trying to communicate with beforehand.

It’s surprising (or maybe not) how many security training seminars were developed by people who are more concerned with what the audience “needs to know”, as defined by the trainer, than with what the audience wants.  We spend a lot of time developing the training based on what we believe our co-workers need to know to be secure, rather than asking them what they’d like to know about and how they’d like to be taught it.  This is by no means true of all security teams, but it’s more prevalent than it should be and it’s thought of as ‘the right way to do things’ by many people.

Mo related a lot of his past experience from teaching English abroad to teaching security within a company.  And when you think about it, from the point of view of a lot of our co-workers outside of security, we really do speak a different language in our little club.  So maybe it’s worth taking some time out as you develop training to talk to your users in order to find out how they’d like to be taught. It might be interesting to see how that changes your effectiveness.

One response so far

Nov 17 2013

Using the Secret Weapon

Published by under Cloud,Personal,Simple Security

I’m not the most organized person in the world; I never have been and I never will be.  But I’ve usually been able to keep a modicum of organization in my life by using pen and paper and a notebook.  Sometimes things would fall through the cracks, as happens to everyone, but I can normally keep up.  Lately though, that hasn’t been true.  Since moving to the UK and expanding my role there, I have so much on my plate that just keeping up with tasks has been a major issue.  So I did what any good security geek does: I asked on Twitter about the tools others are using and how they use them to track their todo list.  By some margin, the biggest response I got was Evernote and The Secret Weapon.

Evernote is a free (with an upgrade to premium) note-taking/scrapbooking/catch-all program that’s been around for a few years.  I’d signed up when it first came out, but never really understood how to use it for myself.  The Secret Weapon isn’t a piece of software, but instead a way to use Evernote with your email and the Getting Things Done (GTD) system.  Basically, there is a set of tutorials on the Secret Weapon site that walk you through how to set up Evernote and your email and how to use the system going forward.  In all, you can watch the videos in about an hour, though I’d suggest you watch the first few, let it percolate for a little while, watch one or two more, etc. until you’ve watched them all over a few days.  It gives you a very good point to start from for using this system.

Like many people, I’ve had to modify the GTD/TSW methodology to meet my own needs and work style.  I’ve been using a number of the GTD principles for some time without realizing it.  I’m using Mail.app on OSX, which allows me to use Smart Mailboxes to tag and flag emails, but I leave them in my inbox, which acts as my archive folder.  And since I’m using Mail, I don’t have the easy integration that would be available if I was using Outlook.  But then I’d have to use Outlook, so I consider manually cutting and pasting into tasks in Evernote to be the lesser of two evils.

Once you’ve set up the system, getting hooked on the organization it gives you is incredibly quick.  I love that I can tag my todo list by priority, project, people involved and any number of other aspects.  I love being able to tell at a glance exactly which projects I should be working on today and knowing that I haven’t forgotten anything major (unless I’ve forgotten to enter it into Evernote). And I’ve started to take more and more of my meeting notes in Evernote as well, though using a keyboard instead of pen and paper can be a bit distracting for me as well as those around me.

And then there are the downsides.  The biggest concern I have by far is the security of Evernote; you can’t encrypt your notes except individually, which is unrealistic if you have dozens or hundreds of notes, which is bound to be the case once you’ve been using it for a while.  Evernote does have a two-factor authentication capability, but I have yet to try it and I’m not sure I can use it given the amount of travel I do; I never know how much connectivity I’m going to have on any given day.  Evernote has both iOS and Android applications available and I’m starting to dip my toes into them, but quite frankly they both seem to be pretty hard to use, other than for checking the status of your projects.  I’m not very satisfied with the user interface on either operating system and don’t know if I have the patience to deal with them.

The other piece of software that several people suggested I try is Omnifocus.  It also offers integration with iOS devices, but both the desktop and phone/tablet versions are paid.  And there’s no Android support for the program, which is a pain for me as I have an Android phone and I’m shifting to using my Nexus 7 more than my iPad as time goes by.

The bottom line for me is that TSW and Evernote work well, but I’m very concerned about having my organizational matrix on the Internet in a way that is much less secure than it could be.  I’d upgrade to a premium account if that’s what it took to get that encryption, and I may end up upgrading since I’m using it so much anyway.  I’m not sending my email to Evernote wholesale as is suggested by TSW tactics, so I feel less uncomfortable than I could be, but I’m still not happy with this security lapse.

Let me know what your experience has been using Evernote and The Secret Weapon.


2 responses so far

Nov 10 2013

Big Brother in the Sky

Published by under General

I fly a lot; I’ve flown well over 100K miles this year so far, and at least as much in each of the previous two years.  I know that the airlines I fly, primarily Star Alliance, know a lot about me.  And I know that security isn’t one of their primary concerns, something illustrated very graphically by the way United’s own site login and phone system treat passwords and PINs.  So don’t expect me to be very hopeful that they’ll do a very good job in protecting my information from threats internal or external as they begin creating huge data mines about every customer who ever flies the friendly skies.

It still surprises me slightly when an attendant on a flight greets me by name when I get an upgrade, but when I think about it, it shouldn’t.  After all, every seat on the plane is assigned, and we filled out forms telling them what our credit card numbers are, where we’re coming from, where we’re going and what we’d like to eat along the way.  Now take that a few steps farther and start keeping track of what we like to drink on the way, what movies we watched while we were in the air and what each of our destinations has been in the last five years.  It’s fairly easy to build up a pretty sophisticated profile on a customer from just that data, but if you add in all the little tracking details that might be available from when you were browsing the Internet to purchase the ticket to begin with, a whole new world of profiling exists for the airlines to explore.  I truly doubt their ability to protect this data in a meaningful way, which means it’ll be open to attackers, whether they’re governments or organized crime.

It’s interesting that the airlines, or at least American Airlines, are cognizant that there’s a line that once crossed brings them into “creepy” territory.  I fly enough that I recognize some of the staff on my flights, but imagine if you’re meeting a steward on a flight for the first time and they apologize that the airline lost your luggage on your last trip.  Or they ask you how your vacation to Greece was.  The potential for stalkers amongst the crew might be a far-fetched idea, but it only takes one really strange person to ruin your day.

Data mining is a given in this day and age, so I guess the only really surprising thing about the airlines getting into it is that they took so long.  I don’t know what they hope to sell me on my flight, since I’ve never purchased anything from an in-flight magazine, but they’re definitely hoping they can increase profits somehow.  Personally, I’m more concerned about getting an upgrade to business class than I am with making a purchase on their site.  And I wish they could put a little more of that computing power into making sure my flights leave and arrive on time rather than trying to sell me stuff.


No responses yet

Nov 07 2013

Congratulations to my friends at Twitter

Published by under Social Networking

It looks like the Twitter IPO went well, maybe even exceptionally well.  Now let’s hope they don’t pull a Facebook and see their stock at 25% of its current value in 3 months.

No responses yet

Nov 04 2013

Attacking the weakest link

Published by under Cloud,Government,Hacking,Privacy,Risk

I spend far too much time reading about governmental spying on citizens, both US and abroad.  It’s a job hazard, since it impacts my role at work, but it’s also what I would be researching and reading about even if it wasn’t.  The natural paranoia that makes me a good security professional also feeds the desire to know as much as possible about the people who really are spying on us.  You could almost say it’s a healthy paranoia, since even things I never would have guessed have come to pass.  

But every time I hear about someone who’s come up with a ‘solution’ that protects businesses and consumers from spying, I have to take it with a grain of salt.  A really big grain of salt.  The latest scheme is by Swisscom, a telecommunications company in Switzerland that wants to build a datacenter in that country to offer up cloud services in an environment that would be safe from the US and other countries’ spying.  The theory is that Swiss law offers many more protections than other countries in the EU and the rest of the world, and that these legal protections would be enough to stop the data at rest (i.e. while stored on a hard drive in the cloud) from being captured by spies.  The only problem is that even the Swisscom representatives admit that it’s only the data at rest that would be protected, not the data in transit.  In other words, the data would be safe while sitting still, but when it enters or leaves Swiss space, it would be open to interception.

It was recently revealed that the NSA doesn’t need to get to the data at rest, since they simply tap into the major fiber optic cables and capture the information as it traverses the Internet.  Their counterparts here in the UK do the same thing and the two organizations are constantly sharing information in order to ‘protect us from terrorists’.  Both spy organizations have been very careful to state that they don’t get information from cloud providers without court orders, but they haven’t addressed the issue of data in motion. 

So while the idea of a Swiss datacenter built to protect your data is a bit appealing, the reality is that it wouldn’t do much to help anyone keep their data safe, unless you’re willing to move to Switzerland.  And even then, this solution wouldn’t help much; this is the Internet and you never know exactly where your data is going to route through to get to your target.  If it left Swiss ‘airspace’ for even one hop, that might be enough for spy agencies to grab it.  And history has proven that at least GCHQ is willing to compromise the data centers of their allies if it’ll help them get the data they believe they need.  

No responses yet

Nov 03 2013

Building the tools to spy on us

Even if folks like Google, Microsoft and Facebook weren’t mining every bit that flows across their networks, there are a number of companies out there building the tools that let government agencies and law enforcement organizations spy.  Companies like NICE, Bright Planet and 3i:Mind are probably just the tip of the iceberg when it comes to companies who see a profit to be made in the monitoring and spying space.

I’m a bit torn when it comes to products like these that make it easy for LEO and other state actors to monitor the public.  On one hand, these are valuable tools for catching criminals.  On the other, they create a long-term record of everything a protester or dissident does, something that’s begging to be abused down the line.  And just because it’s not making national news doesn’t mean there aren’t already examples of exactly this sort of thing happening.

I find Bright Planet’s product, BlueJay, to be at least slightly amusing in that it’s basically just a Twitter search engine that looks for people who are stupid enough to tweet about the crimes they’ve committed or are planning to commit.  Why a police department couldn’t do something like this on the cheap I don’t know, but I hope that this isn’t that expensive a product.

As long as there’s a way to make a buck from monitoring the public, someone will do it.  I’m sure there’s a lot of internal justification and argument for these products that goes on, just as I’m sure that some of these companies know their products will be used and abused for purposes they weren’t meant for.  I’m just hoping that as the companies build the tools, they keep in mind the need for checks and balances to track the usage of their tools and make catching the abusers possible.

No responses yet