Archive for the 'General' Category

Aug 19 2014

A swarm of cars

Published by under General,Risk

It’s a given that we will have ‘intelligence’ in our cars within the next decade.  Quite frankly, there’s no way it is avoidable, given the appetite of consumers for all things to be connected to the Internet and to each other.  In the case of cars, it actually makes sense for them to be talking to each other.  But there’s one question: what will the unintended consequences be?

Earlier this week the National Highway Traffic Safety Administration (NHTSA) revealed plans to implement vehicle to vehicle (V2V) communication technology that allows one car to communicate with another and transmit information about location, speed of travel and direction of travel.  Basically, 10 times a second a V2V car tells other V2V enabled cars its exact location, where it’s headed and how fast it’s getting there.  The theory is that this would enable your car to warn you when someone is going to run the red light in front of you or is merging onto the highway in an unsafe manner near you.  Presumably this would also integrate into smart car technologies, enabling them to better fend for themselves in high traffic conditions, since they’d no longer have to rely solely on their own sensors in the decision making process.

I have a host of security concerns about the idea of V2V cars, since most of the manufacturers who are creating the Internet of Things have shown that security is their last concern, if they even think about it at all.  I can imagine the V2V system being used to track individuals’ every movement in a way that makes Orwell’s 1984 look Utopian.  The privacy implications of having a car that’s constantly beaconing its location are pretty severe, and in all likelihood the ability to track individual cars will be mandated by law.  I can also imagine someone breaking into the communications systems to cause chaos, either by targeting an individual vehicle with false information or by disrupting a segment of the network that V2V relies on.  At least there is someone else who’s thinking about the security concerns of interconnected vehicles, namely I am the Cavalry and their Five Star Automotive Cyber Safety Program.
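One defensive answer to the false-information worry above is to sanity check each beacon a car receives against the previous one from the same sender, using only the fields the post describes (location, heading, speed, sent roughly 10 times a second).  The following is an added example of that plausibility check, not code from the post or from any V2V standard; the beacon layout, thresholds and the constructed sample stream are all assumptions.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_M = 6371000.0
BEACON_INTERVAL_S = 0.1   # "10 times a second", as the post describes


@dataclass(frozen=True)
class Beacon:
    """Assumed beacon layout: who sent it, when, where, and how it is moving."""
    vehicle_id: str
    t: float            # seconds since an arbitrary epoch
    lat: float          # degrees
    lon: float          # degrees
    heading_deg: float
    speed_mps: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_pair(prev: Beacon, cur: Beacon,
               max_accel_mps2: float = 10.0,
               position_tolerance_m: float = 2.0) -> List[str]:
    """Reasons (possibly none) why `cur` is implausible as the successor of `prev`.

    Thresholds are assumed values: 10 m/s^2 is well above what a road car
    can do, and 2 m absorbs ordinary GPS jitter.
    """
    dt = cur.t - prev.t
    if dt <= 0:
        return ["timestamp not increasing"]
    reasons: List[str] = []
    moved = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
    # Furthest the car could have travelled at the higher of the two reported
    # speeds, plus the fixed GPS tolerance.
    reachable = max(prev.speed_mps, cur.speed_mps) * dt + position_tolerance_m
    if moved > reachable:
        reasons.append(f"position jump of {moved:.1f} m in {dt:.2f} s exceeds {reachable:.1f} m")
    dv = abs(cur.speed_mps - prev.speed_mps)
    if dv > max_accel_mps2 * dt:
        reasons.append(f"speed changed by {dv:.1f} m/s in {dt:.2f} s")
    return reasons


def check_stream(beacons: List[Beacon]) -> Dict[str, List[Tuple[float, List[str]]]]:
    """Run check_pair over consecutive beacons of each vehicle.

    Returns a map of vehicle id -> [(beacon time, reasons)] for flagged beacons only.
    """
    last: Dict[str, Beacon] = {}
    flagged: Dict[str, List[Tuple[float, List[str]]]] = {}
    for b in sorted(beacons, key=lambda x: (x.vehicle_id, x.t)):
        prev = last.get(b.vehicle_id)
        if prev is not None:
            reasons = check_pair(prev, b)
            if reasons:
                flagged.setdefault(b.vehicle_id, []).append((b.t, reasons))
        last[b.vehicle_id] = b
    return flagged


def metres_north(lat: float, metres: float) -> float:
    """Shift a latitude north by roughly `metres` (1 degree of latitude ~ 111.32 km)."""
    return lat + metres / 111320.0


def constructed_stream() -> List[Beacon]:
    """Constructed sample: car 'A' drives north at 20 m/s beaconing at 10 Hz.
    Five honest beacons are followed by one that teleports the car 50 m ahead
    and one that reports an impossible jump in speed."""
    lat, lon = 51.5074, -0.1278          # arbitrary starting point
    beacons: List[Beacon] = []
    for i in range(5):
        beacons.append(Beacon("A", i * BEACON_INTERVAL_S, lat, lon, 0.0, 20.0))
        lat = metres_north(lat, 20.0 * BEACON_INTERVAL_S)   # 2 m per tick
    lat = metres_north(lat, 50.0)         # forged: far beyond reach in 0.1 s
    beacons.append(Beacon("A", 5 * BEACON_INTERVAL_S, lat, lon, 0.0, 20.0))
    lat = metres_north(lat, 2.0)          # forged: position fine, speed 20 -> 45 m/s
    beacons.append(Beacon("A", 6 * BEACON_INTERVAL_S, lat, lon, 0.0, 45.0))
    return beacons


if __name__ == "__main__":
    for vid, hits in check_stream(constructed_stream()).items():
        for t, reasons in hits:
            print(f"{vid} t={t:.1f}s: " + "; ".join(reasons))
```

A check like this only catches beacons that contradict the sender's own recent history; a consistent but entirely fabricated track needs cross-checking against the receiving car's sensors, which the snippet does not attempt.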

But what I find interesting in relationship to V2V is work that’s being done in swarm intelligence, as it relates to the idea of cars.  Researchers at the Harvard School of Engineering and Applied Sciences have developed a swarm of tiny robots that can self-organize into a number of shapes without needing a central controller to manage them.  The tiny robots, called Kilobots, have very little intelligence (meaning computing power) individually and they don’t know much about their position as compared to the whole of the swarm, yet they manage to communicate with their peers in order to create organized shapes when they receive a command from the researchers.  They know where they are in relationship to the other robots near them and they use this information to figure out what their role should be in forming the shape requested, rather than having some sort of central program with an overview of the whole telling them what to do.

The swarm research that’s being done at Harvard is directly relatable to the V2V technology that the NHTSA is developing.  Even if there is never a centralized tracking program implemented with V2V (which I posit there will be; it makes tracking easier for the government) there will be swarm behavior from these smart cars.  Swarm behavior already exists on our roads; it’s just that instead of a computer program making decisions, it’s human beings with limited awareness of the world around them.  We make the same sorts of decisions that V2V cars would be making constantly; we call it ‘driving’.  Most humans don’t have an overall view of the roads and what’s going on, though a lot of work has gone on to develop apps to give us this awareness of traffic.

Part of what makes a swarm of cars interesting, and a little scary, is the concept of emergent properties, or the idea that the whole is greater than the sum of its parts.  This is exactly what’s going on with the Kilobots: the emergent properties of their intelligence mean that the whole is able to figure out how to form shapes without an individual Kilobot having to be told exactly where its place is in the grand scheme.  It’s up to the individual to do its best to conform to the needs of the whole to create the shape.  But while the emergent properties of the Kilobots were the end goal of the experiment, what happens when you design a swarm of cars without an emergent property in mind?

We’re in the beginning stages of understanding how a swarm does what it does.  How does a flock of birds really fly and wheel in unison?  How does a school of fish form and stick together?  How does a swarm of bees operate?  Maybe over the next 5-6 years we’ll have a better understanding of what makes these things work like they do, but will this understanding be applied to our vehicles?  The implications of a system of cars that have some sort of emergent property concerning how they enter, exit and move through traffic could be pretty severe, unintentionally creating gridlock and other safety concerns.  It could also work to alleviate the same gridlock in unforeseen ways, which makes the technology worth pursuing.

And then there’s the sci-fi concerns, à la Maximum Overdrive.  Swarm behaviors plus smart cars could create a series of emergent properties that make our cars decide that the safest option is to not get on the road in the first place.  Or that it’s better to be in the middle of the swarm and keep driving instead of getting off at the proper exit.  Or a hundred other scenarios that science fiction authors have explored in depth multiple times.  It’s not that this sort of ending is a certainty; it’s more that it’s a possibility that has to be explored and prevented, rather than dismissed as an impossibility.


Jul 28 2014

“Your cons are just an excuse to drink and party”

Published by under General,Humor,Social Networking

I’m sure we’ve all heard it before when trying to get approval to travel to conventions:  “This is just a boondoggle and you’re going to party the week away!”  Many people believe that the only thing that gets done at security conferences is that a lot of alcohol gets consumed and people get silly at night.  If you go by some of the things we talk about publicly, it’s no surprise that managers might believe that.  While there’s a little bit of truth in the accusations, the reality is that there’s so much more going on at conferences that we don’t talk about.

There’s obviously the talks.  While I personally only attend two or three talks a conference, I know people who spend their entire day running from talk to talk and wish they had time to see more.  There’s a lot of research being revealed at Security Summer Camp, some of which is being seen for the first time there.  It’s valuable to know what’s up and coming, what’s new and interesting and what the trends are in the security field.  The talks given at conferences are one way to find out about all of these.

A second reason to attend conferences is the contacts.  Having connections amongst your peers is easily as important as having knowledge about your field when it comes to a career in security.  There’s too much going on to know everything, and there are times when you’re going to need help, so creating and cementing the relationships that will help you over the course of a career is fundamental to your success.  This happens in the hallway track between sessions, this happens during lunches and dinners and this happens even more during the parties at night.  Conferences provide a means to be social with like-minded individuals that simply doesn’t exist in many other venues.

And finally there’s the break from the daily routine to de-stress and relax a little.  We need to get away from the daily routine from time to time, it’s a fact of life and why we have vacations.  Conferences provide a similar function, but in addition they give us an opportunity to gain new perspectives on our routine and exchange ideas with others that can be incredibly valuable in dealing with the problems in our normal work environment.  That shift of focus can make all the difference in the world in how you tackle a problem when you return to the routine.

So, yes, the conference parties are what a lot of people think of when they hear us asking to go to a conference.  But they’re only a small part of what’s going on at the conference, and even they serve an important role as a social lubricant.  Of course, that’s assuming that you’re safe and sane when drinking and don’t do something that’s going to get you in deep trouble back at the office.  There are always a few people who don’t know when to stop at every conference.  Don’t be ‘that guy’.


Jul 27 2014

Balancing digital privacy

Published by under General

I had an interesting conversation with a relative this week about privacy.  Which is, of course, why I’m writing about it on the blog.  The irony of the situation doesn’t escape me.

“I’ve been listening to you and it’s made me very careful about what I put on the Internet.  I have almost no digital presence, I’ve used very little social media and what few accounts I do have are under pseudonyms, with no direct link to me.  When I do a Google search on my name, it turns up a few hits on me, then the rest of the results are of you and a friend of yours who shares my name.  The few results about me that do turn up are from competitions I was in when I was younger and I’m not directly tagged in any of the pictures.”

First of all, it’s good to know my family is listening, or at least one member of my family is.  They understand the importance of limiting what you make available on the Internet and have consciously taken steps to make sure that the only information available is data they’ve decided is unavoidable and necessary.  But I have to wonder if they haven’t taken my advice too far and limited their footprint too much.

In this day, it’s important to have a presence on the Internet.  We know that businesses hiring new employees, colleges looking at potential candidates and even the people you might date or meet with search the Internet to learn about us as part of the process of dealing with strangers.  And while leaving a digital trail that’s littered with detritus about when we got drunk or stupid is a negative, having no evidence that you existed on the Internet is nearly as bad to some people and organizations.  If there’s nothing out there about you, while you may not have done anything wrong, there’s no evidence you’ve done anything right either.  And some people take a lack of presence as evidence that you’ve been up to no good.

My suggestion to my relative was to carefully cultivate a digital presence.  Make some of the positives of what you do available for people to find.  Use social media sparingly, but maintain a presence.  It’s okay to have opinions and put yourself out there, as long as you’re aware that what you say will be searchable for the foreseeable future of the Internet.  Be a real person, but be a person who controls the image they present to the world.  I was very careful to also point out that I might not be the best example of limiting your presence.

The conversation degenerated from there into creating a ‘digital persona’, a search engine friendly front that presents exactly what you want to the world and nothing more.  We all wondered about the ethics of creating a persona that’s carefully crafted for future job searches and dating.  No one in the family had a good answer for that one.


Jul 13 2014

Impostor syndrome

Published by under General,Personal

What am I doing here?  When are they going to realize I don’t know what I’m doing?  How long until they fire me for faking it?  I don’t belong with these people, they’ve actually done something, while nothing I’ve done is remarkable or interesting.  I’m not worthy of this role, of being with these people, of even working in this environment.  I’m making it up as I go along and nothing I could do would ever put me on the same level as the people around me.  How did I end up here?

I know I’m not the only one who has these thoughts.  It seems to be common in the security community and not uncommon in any group of successful people.  It’s called ‘impostor syndrome’ and it’s often considered a sub-set of the Dunning-Kruger effect.  Basically it’s a form of cognitive dissonance where a successful person has a hard time acknowledging his or her success and overemphasizes the many mistakes everyone makes on a daily basis.  To put it simply, it’s the thought we all have from time to time that “I’m not good enough” writ large.

It’s not hard to feel this way sometimes.  In security, we create heroes and rock stars from within our community.  We look at the researchers who discover new vulnerabilities and put them on a stage to tell everyone how great their work is.  We venerate intelligence, we stand in awe of the technical brilliance of others and wish we could do what they do.  We all tend to wonder “Why can’t I be the one doing those things?”

It’s easy to feel like this, to feel you’re not worthy.  We know the mistakes we made getting to where we are.  We know how hard it was, how rocky the road has been, where the false starts and dead ends are and all the things we didn’t accomplish in getting to where we are.  When we look at other people we only see the end results and don’t see all the trials and tribulations they went through to get there.  So it’s all too common to believe they didn’t go through exactly the same road of mistakes and failure that we did.  As if they don’t feel just as out of their depth as we do.

I don’t think there’s a cure for impostor syndrome, nor do I think there should be.  We have a lot of big egos in the security community and sometimes these feelings are the only thing keeping them from running amok.  The flip side of impostor syndrome, illusory superiority, the feeling that you have abilities that far outstrip what you actually have, is almost worse than thinking you’re an impostor.  And I’d rather feel a little inadequate while working to be better than feel I’m more skilled than I am and stop working to get better.

If you feel like an impostor in your role as a security professional, I can almost guarantee you’re not.  The feeling of inferiority is an indicator that you think you’re capable of more and want to be worthy of the faith and trust those around you have put into you.  You might be faking it on a daily basis, making things up as you go, but the secret is that almost all of us are doing the exact same thing.  It’s when you know exactly what you’re doing day in and day out that you have to be careful to fight complacency and beware of illusory superiority.  It’s better to think you’re not good enough and strive for more than to think you’ve made it and are the best you can be.


Mar 05 2014

DDoS becoming a bigger pain in the …

Published by under Cloud,General,Hacking,Risk

I’m in the middle of writing the DDoS section of the 2013 State of the Internet Report, which is something that makes me spend a lot of time thinking about how DDoS is affecting the Internet (wouldn’t be all that valuable if I didn’t put some thought into it, now would it?).  Plus I just got back from RSA where I interviewed DOSarrest’s Jag Bains and talked to our competitors at the show.  Akamai finally closed the deal on Prolexic about three weeks ago, so my new co-workers are starting to get more involved and becoming more available.  All of which means that there’s a ton of DDoS information available at my fingertips right now and the story it tells doesn’t look good.  From what I’m seeing, things are only going to get worse as 2014 progresses.

This Reuters story captures the majority of my concerns with DDoS.  As a tool, it’s becoming cheaper and easier to use almost daily.  The recent NTP reflection attacks show that the sheer volume of traffic is becoming a major issue.  And even if volumetric attacks weren’t growing, the attack surface for application layer attacks grows daily, since more applications come on line every day and there’s no evidence anywhere I’ve ever looked that developers are becoming better at securing them (yes, a small subset of developers are, but they’re the exception).  Meetup.com is only the latest victim of a DDoS extortion scam, and while they didn’t pay, I’m sure there are plenty of other companies who’ve paid simply to make the problem go away without a fuss.  After all, $300 is almost nothing compared to the cost of a sustained DDoS on your infrastructure, not to mention the reputational cost when you’re offline.

I’d hate to say anything like “2014 is the Year of DDoS!”  I’ll leave that sort of hyperbole to the marketing departments, whether it’s mine or someone else’s.  But we’ve seen a definite trend that the number of attacks is growing year over year at an alarming rate.  And it’s not only the number of attacks that is growing, it’s the size of the volumetric attacks and the complexity of the application layer attacks.  Sure, the majority of them are still relatively small and simple, but the outliers are getting better and better at attacking.  Those of us building out infrastructure to defend against these attacks are also getting better, but the majority of companies still have little or no defense against such attacks, and they’re not the sort of defenses you can put in quickly or easily without a lot of help.

I need to get back to other writing, but I am concerned about this trend.  My data agrees with most of my competitors’; DDoS is going to continue to be a growing problem.  Yes, that’s good for business, but as a security professional, I don’t like to see trends like this.  I think the biggest reason this will continue to grow is that it’s an incredibly difficult crime to track back to the source; law enforcement generally doesn’t have the time or skills needed to find the attackers and no business I know of has the authority or inclination to do the same.  Which means the attackers can continue to DDoS with impunity.  At least the ones who are smart enough to not attack directly from their own home network, that is.


Jan 21 2014

Faking Safe Harbor compliance

Published by under General

If you’ve ever had to deal with data privacy laws, then you’ve probably heard of the EU Safe Harbor framework.  It is a set of 7 basic guidelines (Notice, Choice, Onward Transfer, Security, Data Integrity, Access & Enforcement) that govern how any US company doing business in the EU will treat private information.  Doesn’t sound too bad, but the reality is that Safe Harbor is a bit of a pain to comply with, since there are different interpretations of the rules for nearly every country in the EU.  The rules in one country, say Italy, might be relatively short and easy to understand, while the rules in another, maybe Germany, might be long, complex and convoluted.  The general outline is the same for all countries, but they get to decide their own specific implementations.  You can see that this might make it a little hard to comply with the Safe Harbor framework, even though the laws all originate from the same framework.

So it doesn’t surprise me too much to find out that the Federal Trade Commission has announced that a dozen companies, including Level 3 and a few football teams (??), have violated the Safe Harbor rules.  According to Gigaom, the violations are technical in nature, rather than being willful violations.  This means they were probably tracking visitors using cookies in the wrong way or retaining information about their clients they shouldn’t have.  It wouldn’t take much, since in some countries an IP address can be considered personally identifiable information (PII) and retaining that information would be a violation.  On the other hand, I can fully believe that companies such as the accounting firms named in the violations knew they were keeping information they shouldn’t, but had to in order to perform the roles they’re paid to do.

I believe one of the points that’s easy to miss in the article is probably the most important: “US companies have been deceiving people by using out-of-date certification marks”.  In other words, these companies at one time had been self-certified or audited by a third-party, but let this lapse and continued to do business and sell products by stating they were Safe Harbor certified.  If the FTC did an audit of their own records, made a list of the organizations that let their certifications lapse and then investigated those organizations, it would explain why these people made the list.  It would also be a warning shot across the bow for other companies that have let their compliance lapse, and an indicator that there are a lot more companies that might be facing scrutiny in the future.  If your company has Safe Harbor responsibilities, I’d definitely review your own compliance level.

I can almost guarantee that Safe Harbor will be getting a lot more attention this year than it has in the past.  The US is, and will be for some time to come, under the microscope by EU governments and organizations.  The NSA efforts uncovered by Snowden make this a given, just as they make the handwaving by the FTC a given.  This probably marks the first time that the FTC has taken Safe Harbor seriously in quite some time, but it won’t be the last.


Jan 05 2014

Much needed vacation

Published by under General,Personal,Risk

I’m back after a two week self-enforced hiatus from all things security and work related.  For the last 14 days, I haven’t checked emails, I haven’t been on Twitter, I haven’t checked the news, I haven’t read the news sites.  I’ve simply spent time with my family, played Minecraft, watched anime and eaten my way through the Christmas holidays.  And there were gifts in there somewhere as well.  Vacation started as a weekend in Munich, but the vast majority of it was spent at home near London with no deadlines, except a couple of shopping trips with the wife and kids.  All in all, it was one of the most relaxing times I’ve had in years.  And it was sorely needed.

All jobs are stressful to one degree or another; it’s just a fact of life.  But security is a more stressful job than most.  I’ve done a few panels with other security professionals talking about the stress we face, and we’ve done (okay, mainly folks like Jack Daniel and K.C. Yerrid have done) some research into it and found that our high stress is an actual fact, not just something we say to make ourselves feel more important.  Our chosen career is difficult to be good at, we’re constantly under multiple conflicting demands and it almost never slows down.  Is it any wonder that we feel stressed?

It’s almost a joke when you talk to security professionals about substance abuse in our industry.  It’s nearly expected of people to get stupid at conferences.  But it’s not a joke at all, something that was graphically illustrated by the loss of Barnaby Jack last year.  Substance abuse may not be an industry wide problem, but it’s definitely something that we need to be aware of.  I can think of at least half a dozen people who I’ve jokingly made comments about in the last couple of years who might be in real danger.  Most of them know they can come to me if they need support, but I know that’s the best I can do if they don’t want to change.  How many people do you know in a similar position?  Have you expressed concern or at least let them know you will help if they ask?

It’s not my place to get preachy or say I’m any better than anyone else, but I do think we need to be aware and check our own stress levels from time to time.  Let your friends in the industry know you’ll support them if they need help, but more importantly, know when you need to take a break and get away from the whole scene once in a while.  We do important work, but we can’t do it if we’re too wrapped up in our own problems to function properly.

Now to get caught up on two weeks of work emails.  Luckily, most of my co-workers took the Christmas holidays off, at least in part, so it won’t be quite as bad as it could be.


Dec 12 2013

Annual Predictions: Stop, think, don’t!

One of my pet peeves ever since I started blogging has been the annual ritual of the vendor security predictions.  Marketing teams must think these are a great idea, because we see them again and again … ad nauseam.  Why not?  Reporters and bloggers like them because they make for an easy story that can simply be cut and pasted from the vendor’s press release, a fair number of people will read them and everyone gets more page views.  And there’s absolutely no downside to them, except for angry bloggers like me who rant in obscure corners of the internet about how stupid these lists are.  No one actually holds any of the authors to a standard and measures how accurate they were in any case.

Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least.  With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and try to draw some sort of causal line to what will happen next year.  The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading.  Actually, it’s the last category, the outrageous fantasy, that I find the most useful and probably the predictions most likely to come true in any meaningful way.

These predictions serve absolutely no purpose other than getting page views.  As my friend and coworker, Dave Lewis, pointed out, most of the predictions from the year 2000 could be reprinted today and no one would notice the difference.  We have a hard enough time dealing with the known vulnerabilities and system issues that we know are happening as a fact; many of the controls needed to combat the issues in predictions are either beyond our capabilities or controls we should already have in place but don’t.  So what does a prediction get the reader?  Nothing.  What does it get a vendor?  A few more page views … and a little less respect.

So, please, please, please, if your marketing or PR departments are asking you to write a Top 10 Security Predictions for 2014, say NO.  Sure, it’s easy to sit down for thirty minutes and BS your way through some predictions, but why?  Let someone else embarrass themselves with a list everyone knows is meaningless.  Spend the time focusing on one issue you’ve seen in the last year and how to overcome it.  Concentrate on one basic, core concept every security department should be working on and talk about that.  Write about almost anything other than security predictions for the coming year.  Because they’re utterly and completely worthless.

Remember: Stop, Think, Don’t!


Dec 02 2013

Huawei is pulling out?

Published by under General

Apparently the CEO of Huawei says they are giving up on America.  But he doesn’t say exactly what that means.  To me, that says they’ll probably stop any expansion in the US and stop trying to actively find new business, rather than closing any offices, at least in the immediate future.  They’re fairly happy with their handset sales, according to Ren Zhengfei, but their sales of networking equipment have been severely hampered by allegations of being nothing but a thinly veiled front for the Chinese government, something the company strenuously denies.

In case you’ve never heard of Huawei (“Hwa-way” is the correct way to pronounce it), they’re a Chinese networking and phone manufacturer which has long been accused of having back doors in its system software for use by the Chinese government.  As far as I know, there’s never actually been such a backdoor found, but the software is also so buggy and easy to compromise that there isn’t really a need to backdoor the systems.  The quality control of their operating system is possibly some of the worst in the world if rumor is to be believed, but I’m in no position to know or look at the software myself.

So Huawei has been banned from a number of projects in Australia, they’re pulling back on the US and they’re not considered trustworthy by many other countries around the globe.  You’d think this would limit their growth, but they’re apparently preferred over many of the US vendors by China, which should be no surprise.  China’s market is huge, so the company can have a long and fruitful life, but any dreams of world domination are probably going to have to go by the wayside for now.


Dec 01 2013

Security in popular culture

One of the shows I’ve started watching since coming to the UK is called “QI XL”.  It’s a quiz show/comedy hour hosted by Stephen Fry where he asks trivia questions of people who I assume are celebrities here in Britain.  As often as not I have no clue who these people are.  It’s fun because rather than simply asking his questions one after another, the group of them riff off one another and sound a little bit like my friends do when we get together for drinks.  I wouldn’t say it’s a show for kids though, since the topics and the conversation can get a little risqué, occasionally straying into territory you don’t want to explain to anyone under 18.

Last night I watched a show with someone I definitely recognized: Jeremy Clarkson from Top Gear.  A question came up about passwords and securing them, which Clarkson was surprisingly adept at answering, with the whole “upper case, lower case, numbers and symbols” mantra that we do so love in security.  He even knew he wasn’t supposed to write them down.  Except he was wrong on that last part.  As Stephen Fry pointed out, “No one can remember all those complex passwords!  At least no one you’d want to have a conversation with.”

Telling people not to write down their passwords is a disservice we as a community have been pushing for far too long.  Mr. Fry is absolutely correct that no one can remember all the passwords we need to get by in our daily life.  I don’t know about anyone else, but I’ll probably have to enter at least a dozen passwords before the end of today, each one different, with different levels of security and confidentiality needed.  I can’t remember that many passwords, and luckily I don’t have to since I use 1Password to record them for me.

But let’s think about the average user for a moment; even as easy as 1Password or LastPass are to use, they’re probably still too complex for many users.  I’m not trying to belittle users, but many people don’t have the time or interest to learn how to use a new tool, no matter how easy.  So why can’t they use something they’re intimately familiar with, the pen and paper?  The answer is, they can; they just have to learn to keep those secrets safe, rather than taping the password on a note under their keyboard.

We have a secret that every one of us carries every day: our keys.  You can consider it a physical token as well, but really it’s the shape of your keys in particular that is the secret.  If someone else knows the shape of your keys, they can create their own and open anything your keys will open.  This is a paradigm every user is familiar with, and they know how to secure their keys.  So why aren’t more of us teaching our users to write down their passwords in a small booklet and treat it with the same care and attention they give their keys?  Other than the fact it’s not what we were taught by our mentors from the beginning, that is.

A user who can write down their passwords is more likely to choose a long, complex password, something they’d probably have a hard time remembering otherwise.  And as long as they are going to treat that written password as what it is, a key to their accounts, then we’ll all end up with a little more security on the whole.  So next time you’re preparing to teach a security awareness class, go back to the stationery store and pick up one of those little password notebooks we’ve all made fun of and hand them out to your users, but remind them they need to keep the booklet as safe as they do their other keys.  If you’re smart, you’ll also include a note with a link to LastPass or 1Password as well; might as well give them a chance to have even a little better security.
