Dec 15 2013

Twitter spam filters overloaded

I believe the Twitter spam filters are currently overloaded, or at least someone has figured out a way around them.  In the last 72 hours I’ve gotten more Twitter followers than I normally get in three weeks.  At first it was hard to tell if they were real people or not, but as they’ve accumulated, I’m certain that the vast majority of them are not.  It’s gotten to the point that I’m reporting all new followers as spam unless there is sufficient reason to believe they might be a real person.

So what characteristics do the spam followers share in common?

  1. Non-English speakers.  Russian, Spanish, Arabic, and any number of other languages I don’t recognize.  I’m assuming some are gibberish even in their own language.
  2. Very low number of tweets.  Almost all of these accounts have fewer than 200 tweets, and a significant number have fewer than 50.  There doesn’t seem to be any commonality of having links in these tweets, but I’ve given up on looking at their tweets.
  3. High following count/low follower count.  In an organic growth pattern, Twitter users don’t tend to have a 10 to 1 following/follower ratio, since close to 10% of Twitter is bots anyway.
  4. No listed count.  It doesn’t look like the bots have figured out how to get themselves listed quite yet.  Maybe there will be a botnet that will autolist bots in the future, but this is a big giveaway for now.
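The four characteristics above, turned into a repeatable scoring check so that “report as spam” or “take a closer look” is an explicit decision rather than a gut call per follower.  This is an added example, not the post’s own tooling or anything Twitter provides; the weights, thresholds and the field names on the `Follower` record are assumptions modelled on the public account counts, and the sample accounts are constructed, not real.

```python
"""Triage new followers against the four heuristics in the post (added example)."""
from dataclasses import dataclass


@dataclass
class Follower:
    handle: str
    lang: str        # profile language (ISO 639-1 code assumed)
    tweets: int      # statuses_count
    following: int   # friends_count
    followers: int   # followers_count
    listed: int      # listed_count


def spam_score(f):
    """Return (score, reasons) for one account.

    1. non-English profile                       +1
    2. under 200 tweets +1, under 50 tweets +2   (a "very low" count weighs more)
    3. following/follower ratio of 10:1 or worse +2
    4. on no lists at all                        +1
    """
    score, reasons = 0, []
    if f.lang != "en":
        score += 1
        reasons.append(f"non-English profile ({f.lang})")
    if f.tweets < 50:
        score += 2
        reasons.append(f"very few tweets ({f.tweets})")
    elif f.tweets < 200:
        score += 1
        reasons.append(f"few tweets ({f.tweets})")
    ratio = f.following / max(f.followers, 1)
    if ratio >= 10:
        score += 2
        reasons.append(f"following/follower ratio about {ratio:.0f}:1")
    if f.listed == 0:
        score += 1
        reasons.append("on no lists")
    return score, reasons


def triage(followers, report_at=4, review_at=2):
    """Bucket accounts: 'report' (score >= report_at), 'review' (>= review_at), else 'keep'.

    A brand-new genuine account also scores in the review band (few tweets, no
    lists yet), which is why there is a middle bucket instead of reporting on
    any single hit; thresholds are assumptions, tune them to your own followers.
    """
    buckets = {"report": [], "review": [], "keep": []}
    for f in followers:
        score, reasons = spam_score(f)
        key = "report" if score >= report_at else "review" if score >= review_at else "keep"
        buckets[key].append((f.handle, score, reasons))
    return buckets


# Constructed sample followers (not real accounts).
SAMPLE = [
    Follower("bot_like_1", "ru", tweets=23, following=1900, followers=140, listed=0),
    Follower("bot_like_2", "es", tweets=150, following=800, followers=90, listed=0),
    Follower("longtime_user", "en", tweets=4200, following=350, followers=900, listed=12),
    Follower("new_but_real", "en", tweets=40, following=120, followers=15, listed=0),
]

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE).items():
        for handle, score, reasons in rows:
            print(f"{bucket:7} {handle:14} {score}  {'; '.join(reasons)}")
```

The reasons list is the part worth keeping: when a real person does get caught in the review bucket, it tells you which heuristic fired, and it is usually the tweet count or the missing lists rather than the ratio.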

I’m confident the folks at Twitter will figure out a way to stem the tide of the current bot invasion, but in the meantime I’ll continue to report these accounts for spam.  I apologize ahead of time if I block any real people by accident.


One response so far

Dec 12 2013

Annual Predictions: Stop, think, don’t!

One of my pet peeves ever since I started blogging has been the annual ritual of the vendor security predictions.  Marketing teams must think these are a great idea, because we see them again and again … ad nauseam.  Why not?  Reporters and bloggers like them because they make for an easy story that can simply be cut and pasted from the vendor’s press release, a fair number of people will read them, and everyone gets more page views.  And there’s absolutely no downside to them, except for angry bloggers like me who rant in obscure corners of the internet about how stupid these lists are.  No one actually holds any of the authors to a standard and measures how accurate they were in any case.

Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least.  With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and trying to draw some sort of causal line to what will happen next year.  The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading.  Actually, it’s the last category, the outrageous fantasy, that I find the most useful and probably the predictions most likely to come true in any meaningful way.

These predictions serve absolutely no purpose other than getting page views.  As my friend and coworker, Dave Lewis, pointed out, most of the predictions from the year 2000 could be reprinted today and no one would notice the difference.  We have a hard enough time dealing with the known vulnerabilities and system issues that we know are happening as a fact; many of the controls needed to combat the issues in predictions are either beyond our capabilities or controls we should already have in place but don’t.  So what does a prediction get the reader?  Nothing.  What does it get a vendor?  A few more page views … and a little less respect.

So, please, please, please, if your marketing or PR departments are asking you to write a Top 10 Security Predictions for 2014, say NO.  Sure, it’s easy to sit down for thirty minutes and BS your way through some predictions, but why?  Let someone else embarrass themselves with a list everyone knows is meaningless.  Spend the time focusing on one issue you’ve seen in the last year and how to overcome it.  Concentrate on one basic, core concept every security department should be working on and talk about that.  Write about almost anything other than security predictions for the coming year.  Because they’re utterly and completely worthless.

Remember: Stop, Think, Don’t!


3 responses so far

Dec 08 2013

Will limits work?

Published by under Government,Privacy

A number of tech giants are petitioning the US federal government to put limits on the surveillance powers of agencies such as the NSA.  Specifically, there are eight organizations, led by Microsoft and Google, who state that the governmental spying machines are putting them in a bad business position by eroding the trust that the public and other companies have in the systems affected by the monitoring efforts.  Here in Europe this is definitely true, and as each new revelation of phone tapping and metadata collection is revealed, it only becomes harder and harder for businesses and users to trust.  But the real question is, even if the laws are changed to make the wholesale collection of data harder, will it put a check on the organizations who see it as their mandate to protect the public from ‘terrorists’ no matter what the cost?

I could go on for pages about the problems with the current attitudes of law enforcement, about the problems with justifying all this spying by invoking the specter of terrorism, about the potential for abuse, about the cost in capital and human time to use this data, and the lack of effectiveness of wholesale data collection.  And I want to, but it wouldn’t do much good.  Most people have already made up their minds on the subject, our agencies are addicted to the power this surveillance gives them, and most people are ignorant as to the danger the wholesale capture of data can create.  If the last point were even slightly wrong, we wouldn’t be giving companies our data by the bucketload in order to share pictures of our cats and kids.

I believe in due process, the rule of law and constraints on government power. And I think we’re at a point in history where most of that has been thrown out the window, using a witch hunt as an excuse.  Changing the laws won’t make it any better; either the laws will be written by the very agencies we’re trying to limit, with plenty of loopholes designed to let them keep doing what they’re doing, or the laws will be ignored and circumvented until we have a new leak that sets off another round of … the same exact thing.  I’m pretty pessimistic on the subject.

Can changes in law lead to a reform of the system?  Yes, they can, but the question is, will they?  In the short term, I think it’s impossible for us to have any meaningful change, in part because the system in the US is too drunk on its own power.  In the long term, if the public will is strong, then we might see changes.  We’ve had McCarthy and Hoover and Nixon; we’ve made it through dark times before, but it took a long time to recover from each of these people.  The world will survive another round of abused power, but the question is where will we end up as a worldwide population?  Probably with fewer liberties forever.


No responses yet

Dec 04 2013

Everyone’s moving to PFS

Last month I wrote about Perfect Forward Secrecy (PFS) for the Akamai corporate blog.  But if you’d asked me two months earlier what PFS was, you would have seen me madly scrambling for Google to find out more about it.  And I’m not alone; before this summer only a few deeply technical engineers had heard of PFS, almost everyone else had either never encountered it or dismissed it as an unnecessary burden on their servers.  Except the NSA managed to change that perception over the summer.

Now most companies are looking at PFS, or looking at it again.  In a nutshell, PFS is a method used with SSL that creates a temporary key to transmit the session keys for the browser session and then dumps that key from memory afterward.  You can use words like ‘ephemeral elliptic curve cryptography’, but the important part of this is that PFS enables a method of encrypting SSL communications that doesn’t rely on the master key on the server to protect your traffic; it creates a new key every time.  This means that even if that master key is somehow compromised, it doesn’t allow access to all the traffic for that SSL certificate; the attacker must crack each and every session individually.  Which means you have to have a lot more computing power at your disposal to crack more than a few conversations.
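To make the “master key compromised, but each session still has to be cracked on its own” point concrete, here is an added illustration in pure Python (not code from the original post or from any of the companies it names).  It models the two styles the paragraph contrasts over the 2048-bit MODP group 14 from RFC 3526 (transcribed here; the primality check in the block is there so a transcription slip is caught rather than trusted): in “static” mode the server’s long-term private key is the Diffie-Hellman value for every session, so it protects every recording ever made; in “ephemeral” mode a fresh private value is drawn per session, the long-term key only authenticates it, and it is thrown away.  The traffic cipher and the HMAC “signature” are toy stand-ins so the example runs offline; they are not TLS.

```python
"""Forward secrecy: what a recorded session yields once the long-term key leaks (added example)."""
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14 (2048-bit); G = 2 is the generator the RFC specifies.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin; used only to sanity-check the transcribed group parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def dh_private():
    return secrets.randbits(256) | 1            # a 256-bit exponent is enough for group 14


def dh_public(priv):
    return pow(G, priv, P)


def session_key(their_pub, my_priv):
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher (SHA-256 counter keystream) standing in for the record layer."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class Server:
    """mode="static": the long-term key *is* the DH private value for every session.
    mode="ephemeral": fresh private value per session; the long-term key only signs it."""

    def __init__(self, mode):
        self.mode = mode
        self.long_term_priv = dh_private()
        self.long_term_pub = dh_public(self.long_term_priv)

    def handshake(self, client_pub):
        priv = self.long_term_priv if self.mode == "static" else dh_private()
        pub = dh_public(priv)
        tag = hmac.new(self.long_term_priv.to_bytes(32, "big"),
                       pub.to_bytes(256, "big"), "sha256").digest()   # signature stand-in
        key = session_key(client_pub, priv)
        del priv                                  # the ephemeral value is not kept anywhere
        return pub, tag, key


def run_session(server, plaintext):
    """One exchange; returns only what a passive recorder on the wire would see."""
    a = dh_private()
    client_pub = dh_public(a)
    server_pub, tag, server_key = server.handshake(client_pub)
    client_key = session_key(server_pub, a)
    assert client_key == server_key
    return {"client_pub": client_pub, "server_pub": server_pub, "tag": tag,
            "ciphertext": xor_stream(client_key, plaintext)}


def decrypt_after_key_compromise(transcript, long_term_priv):
    """The only derivation a transcript allows once the long-term key is known:
    use that key as the server's DH value. Works iff the server never used another one."""
    candidate = session_key(transcript["client_pub"], long_term_priv)
    return xor_stream(candidate, transcript["ciphertext"])


def demo(plaintext=b"constructed sample: traffic recorded before the key leaked"):
    """Returns (static_session_exposed, ephemeral_session_exposed)."""
    static, ephemeral = Server("static"), Server("ephemeral")
    t_static = run_session(static, plaintext)
    t_eph = run_session(ephemeral, plaintext)
    return (decrypt_after_key_compromise(t_static, static.long_term_priv) == plaintext,
            decrypt_after_key_compromise(t_eph, ephemeral.long_term_priv) == plaintext)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The ephemeral transcript holds nothing but public values and a signature; with the long-term key in hand the recorder can forge future handshakes, but recovering an old session still means solving a discrete logarithm per session, which is the extra computing power the paragraph refers to.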

PFS is a good idea we should have adopted some time ago, but it’s got a downside in that it requires a lot of server overhead. But having to view our own governments as the enemy has given tech companies around the globe the impetus to make the change to PFS.  Google is moving towards encrypting all traffic by default, with PFS being part of this effort.  Facebook has moved in the same direction, with PFS also being a critical piece in the protection puzzle.  And Twitter.  And Microsoft.  And … you get the picture.  Companies are moving to use PFS across the board because it gives them a tool they can point to in order to tell users that they really care about securing end user communications.

I have to applaud these companies for taking this step, but even more, I have to hand it to Google, Yahoo, Facebook, and Microsoft for challenging the current status quo of National Security Letters and the secrecy they entail.  There are more questions than answers when it comes to how NSL’s are being used, if they’re necessary and if they are even something a country like the US should be allowing.  Technology is great and it’ll help with some of the problems we’re just starting to understand, but the only long term changes are going to come if we examine the current issues with the NSA and other agencies slurping up every available byte of data for later analysis.  Changes to the laws probably won’t stop anything immediately, but we have to have the conversation.

Using PFS is just a start to what will be fundamental changes in the Internet.  Encryption everywhere has to become an integral part of the Internet, something privacy boffins have been saying for years.  It may be too late for this to be an effective measure, but we have to do something. PFS makes for a pretty good first step.


No responses yet

Dec 03 2013

Santa Claus is coming … to your tablet?

Published by under Humor,Microsoft

Okay, this is just something cute for Christmas:  a tablet based Santa Claus tracker.  It appears that the actual application is only for Windows phones and Windows 8 systems, but there’s a web based version everyone can use.  Now, my Spawn are too old to be fascinated by this, but I’m sure there are a few people who have kids young enough to find this interesting.  I wonder if it’s hackable?


No responses yet

Dec 02 2013

Huawei is pulling out?

Published by under General

Apparently the CEO of Huawei says they are giving up on America.  But he doesn’t say exactly what that means.  To me, that says they’ll probably stop any expansion in the US and stop trying to actively find new business, rather than closing any offices, at least in the immediate future.  They’re fairly happy with their handset sales, according to Ren Zhengfei, but their sales of networking equipment have been severely hampered by allegations of being nothing but a thinly veiled front for the Chinese government, something the company strenuously denies.

In case you’ve never heard of Huawei (pronounced Hwa-way), they’re a Chinese networking and phone manufacturer who has long been accused of having back doors in their system software for use by the Chinese government.  As far as I know, there’s never actually been such a backdoor found, but the software is also so buggy and easy to compromise that there isn’t really a need to backdoor the systems. The quality control of their operating system is possibly some of the worst in the world if rumor is to be believed, but I’m in no position to know or look at the software myself.

So Huawei has been banned from a number of projects in Australia, they’re pulling back on the US and they’re not considered trustworthy by many other countries around the globe.  You’d think this would limit their growth, but they’re apparently preferred over many of the US vendors by China, which should be no surprise.  China’s market is huge, so the company can have a long and fruitful life, but any dreams of world domination are probably going to have to go by the wayside for now.


2 responses so far

Dec 01 2013

Security in popular culture

One of the shows I’ve started watching since coming to the UK is called “QI XL”.  It’s a quiz show/comedy hour hosted by Stephen Fry where he asks trivia questions of people who I assume are celebrities here in Britain.  As often as not I have no clue who these people are.  It’s fun because rather than simply asking his questions one after another, the group of them riff off one another and sound a little bit like my friends do when we get together for drinks.  I wouldn’t say it’s a show for kids though, since the topics and the conversation can get a little risqué, occasionally straying into territory you don’t want to explain to anyone under 18.

Last night I watched a show with someone I definitely recognized: Jeremy Clarkson from Top Gear.  A question came up about passwords and securing them, which Clarkson was surprisingly adept at answering, with the whole “upper case, lower case, numbers and symbols” mantra that we do so love in security.  He even knew he wasn’t supposed to write them down.  Except he was wrong on that last part.  As Stephen Fry pointed out, “No one can remember all those complex passwords!  At least no one you’d want to have a conversation with.”

Telling people not to write down their passwords is a disservice we as a community have been pushing for far too long.  Mr. Fry is absolutely correct that no one can remember all the passwords we need to get by in our daily life.  I don’t know about anyone else, but I’ll probably have to enter at least a dozen passwords before the end of today, each one different, with different levels of security and confidentiality needed.  I can’t remember that many passwords, and luckily I don’t have to since I use 1Password to record them for me.  

But let’s think about the average user for a moment; even as easy as 1Password or LastPass are to use, they’re probably still too complex for many users.  I’m not trying to belittle users, but many people don’t have the time or interest to learn how to use a new tool, no matter how easy.  So why can’t they use something they’re intimately familiar with, the pen and paper?  The answer is, they can; they just have to learn to keep those secrets safe, rather than taping the password on a note under their keyboard.

We have a secret every one of us carries with us every day: our keys.  You can consider it a physical token as well, but really it’s the shape of your keys in particular that is the secret.  If someone else knows the shape of your keys, they can create their own and open anything your keys will open.  This is a paradigm every user is familiar with, and they know how to secure their keys.  So why aren’t more of us teaching our users to write down their passwords in a small booklet and treat it with the same care and attention they give their keys?  Other than the fact it’s not what we were taught by our mentors from the beginning, that is.

A user who can write down their passwords is more likely to choose a long, complex password, something they’d probably have a hard time remembering otherwise.  And as long as they are going to treat that written password as what it is, a key to their accounts, then we’ll all end up with a little more security on the whole.  So next time you’re preparing to teach a security awareness class, go back to the stationery store and pick up one of those little password notebooks we’ve all made fun of and hand them out to your users, but remind them they need to keep the booklet as safe as they do their other keys.  If you’re smart, you’ll also include a note with a link to LastPass or 1Password as well; might as well give them a chance to have even a little better security.


3 responses so far

Nov 25 2013

Two more years of Snowden leaks

Published by under Cloud,Government,Privacy,Risk

I’ve been trying to avoid NSA stories since this summer, really I have.  I get so worked up when I start reading and writing about these stories and I assume no one wants to read my realistic/paranoid ranting when I get like that.  Or at least that’s what my cohosts on the podcast have told me.  But one of the things I’ve been pointing out to people since this started is that there were reportedly at least 2000 documents contained in the systems Edward Snowden took to Hong Kong with him.  There could easily be many, many more, but the important point is that we’ve only seen stories concerning a very small number of these documents so far.

One of the points I’ve been making to friends and coworkers is that given how many documents we’ve seen released, we have at least a year more of revelations ahead of us, more likely two or more.  And apparently people who know agree with me: “Some Obama Administration officials have said privately that Snowden downloaded enough material to fuel two more years of news stories.”  This probably isn’t what many businesses in the US who are trying to sell overseas want to hear, whether they’re Cloud-based or not.

These revelations have done enormous damage to the reputation of the US and American companies; according to Forrester, the damage could be as much as $35 billion over the next three years in lost revenue.  You can blame Mr. Snowden and Mr. Greenwald for releasing the documents, but I prefer to blame our government (not just the current administration) for letting their need to provide safety to the populace, no matter what the cost, override every other consideration.  I don’t expect everyone to agree with me on this and don’t care if they do.  It was a cost calculation that numerous people in power made, and I think they chose poorly.

Don’t expect this whole issue to blow over any time soon.  Greenwald has a cache of data that any reporter would love to make a career out of.  He’s doing what reporters are supposed to do and researching each piece of data and then exposing it to the world.  Don’t blame him for doing the sort of investigative reporting that he was educated and trained to do.  This is part of what makes a great democracy, the ability of reporters (and bloggers) to expose secrets to the world.  Democracy thrives on transparency.

As always, these are my opinions and don’t reflect upon my employer.  So, if you don’t like them, come to me directly.


No responses yet

Nov 24 2013

Et tu, Television?

Published by under General

I’m getting used to the idea that the NSA and the GCHQ are looking at every packet that crosses the Internet.  I hate it, I think it’s wrong, but I can understand that they think it’s their mandate to spy on us in order to protect us.  The logic is deeply flawed, but at least it’s understandable that they’d convince themselves that it’s worth the risk that such spying entails.  However, when my television starts spying on my viewing habits, the drives I plug into it and every file on my network, then sending the information back to LG, all in the name of providing ‘a better viewing experience’, someone has most definitely pole vaulted over the line into the pit of pure stupidity.

If you’ve missed it, last week blogger DoctorBeet did some sniffing on his home network and found his LG TV was phoning home to the manufacturer and reporting on his viewing habits.  It sent packets when turned on, as it was turned off, any time he changed the channel, and most importantly, it catalogued any USB drive he plugged into it.  And now a second blogger has found that LG is scanning all the network shares you might have and reporting that information back to the home servers.  When confronted by DoctorBeet with these egregious privacy violations, LG’s initial response was “you signed off on the terms of service, so take the TV back to the store you bought it from if you don’t like it”.  They’ve since had a change of heart, mostly because bloggers and news sites around the globe have started raising a big stink about the story.  Oh, and while there is an option to turn off the data collection, this just means that you’ve set a flag to tell LG to ignore your data when it gets to their servers, not stop collecting it in the first place.  You’ll just have to trust them that there’s no PII and that they actually dump your information from the databases.

We already know that Smart TVs are riddled with vulnerabilities and that many are running a stripped down Linux kernel in the background, some complete with web servers on the backend.  I’d hazard a guess that most of the services are running as root on the TV, that the developers have never heard of SSL and that all the connections to your phone and tablet are done over the public internet completely unencrypted.  While someone at the manufacturer might have raised the spectre of security, he or she was probably shouted down in favor of adding more capabilities to the TV as cheaply as possible.

The Internet of Things means that this type of spying and vulnerable technology on our home networks is only going to get more prevalent as time goes by.  Someone out there is probably already working on the web enabled refrigerator that reads the NFC chip on your milk carton to automatically send a request to Tesco when your milk gets low or reaches its expiration date.  And some day we’ll have an alarm clock that phones in to work for you when you sleep in and are going to be late for work.  And this will all be a data source for the marketing companies.  And the NSA.

Some of this will be handled by legislation that makes data collection like what LG is doing illegal.  It will still happen, but it’ll become less common as companies get caught by bloggers and the press, embarrassed into removing the snooping technologies from their hardware.  Or, more likely, they’ll learn to be more circumspect in what they’re capturing and how they transmit it back to home base.  And the intelligence agencies will want access to it all.  Isn’t paranoia fun, especially when it’s closer to reality than a psychosis?

Update: I’ve only had a little time to poke at the web server on my Samsung TV, but some gentlemen at University of Amsterdam have dug into it more deeply than I could hope to.  I’m guessing there’s still more to find on these TVs.


No responses yet

Nov 21 2013

Had fun in Norway

I got invited to speak at the annual dinner of the Cloud Security Alliance in Oslo, Norway earlier this week and had a lot of fun at the event.  I always enjoy visiting cities I’d probably never see if not for my job.  Even more importantly, I love talking to people who are outside of the conference circuit and the echo chamber that is twitter.  It’s always interesting to see how these people see security differently than I do and differently than most of the people I hang around with (digitally, at least) do.  I appreciate the invitation Kai Roer (@kai_roer/kairoer.com) extended to me and I’m glad I went.

The other gentleman who talked at the event was Mo Amin (http://www.infosecmo.blogspot.co.uk/), a London-based security professional who was giving what was only his second ever talk in front of a crowd.  There were some rough edges to his talk, but then again, there are enough rough edges to my own talks that you could grate cheese on them.  But Mo brought up some points about security awareness and training that many security teams need to be thinking about.  Specifically, he asked how many of us are teaching to a plan we developed in a vacuum without understanding the needs of our audience or having talked to the people we’re trying to communicate with beforehand.

It’s surprising (or maybe not) how many security training seminars are something that was developed by people who are more concerned with what the target “needs to know” as defined by the trainer.  We spend a lot of time developing the training based on what we believe our co-workers need to know to be secure, rather than asking them what they’d like to know about and how they’d like to be taught it.  This is by no means true of all security teams, but it’s more prevalent than it should be and it’s thought of as ‘the right way to do things’ by many people.

Mo related a lot of his past experience from teaching English abroad to teaching security within a company.  And when you think about it, from the point of view of a lot of our co-workers outside of security, we really do speak a different language in our little club.  So maybe it’s worth taking some time out as you develop training to talk to your users in order to find out how they’d like to be taught. It might be interesting to see how that changes your effectiveness.


One response so far
