Thursday, 31 May 2012

5000th Tweet

Today I posted my 5000th Tweet. I've apparently been a Twitter user since 1 December 2008. I remember not Tweeting anything until 15 July 2009, when I attended a Webcast about "security monitoring." The speakers were using Twitter to gather questions, so I decided it was a good time to try participating.

With the advent of Twitter I've blogged a lot less. It's tempting to think that I've been sacrificing long, thoughtful blog posts for short, mindless Tweets. It turns out that a decent portion of my blogging volume, especially in my early blogging years (say 2003-2006), involved short posts. I recently reviewed a lot of my earlier blog posts, and noticed many of them looked just like Tweets. They may not have fit within the 140 character limit, but they were short indeed.

For me, Twitter is a very compelling medium. It's more interactive, more frequently updated, and just easier to use. I have only ever blogged from a laptop. I use Twitter a lot on my phone and increasingly on my tablet. The ability to send a Tweet while reading a Web page is especially compelling.

On the down side, Twitter surely lacks the "institutional memory" of a blog. I can easily search my blog for past content, navigate via time or label, and read fairly complete thoughts in a narrative format. I can build a new book around ideas on my blog; I can't do that with old Tweets.

Note: can anyone remember who posted the analysis of blogging vs Tweeting output? I was listed in that post but I don't remember who wrote it. Also, thanks to activating a setting on the blog, I now get an email whenever a visitor posts a comment for moderation. Expect faster response times now!

Tuesday, 22 May 2012

Whistleblowers: The Approaching Storm for Digital Security

Last week in my post SEC Guidance Is a Really Big Deal I mentioned the potential significance of whistleblowers with respect to digital security. I came to this conclusion while participating in a panel for those involved with Directors and Officers insurance. This post provides a few more details.

This morning I reviewed slides by Frederick Lipman, author of Whistleblowers: Incentives, Disincentives, and Protection Strategies, pictured at left. Mr Lipman spoke about whistleblowers at the same conference, but I didn't see his presentation.

You can read Mr Lipman's slides on this shared Google drive in .pdf format.

To briefly summarize Mr Lipman's work, Dodd-Frank, the False Claims Act, IRS rules, and other regulations have created an environment more favorable to those who wish to report wrongdoing within their organizations. Bounties for whistleblowers can amount to tens of millions of dollars. Yes, that's right: individuals have received millions of dollars after reporting violations by their employers. If that weren't enough, following penalties levied by the government against companies, the private sector also joins the fray through shareholder lawsuits.

I'm predicting that due to the increase in regulation during the last decade, whistleblowers will begin to report digital risks or incidents to their boards and/or outsiders.

Consider the following scenario: a publicly traded firm targeted by the APT suffers a major loss of intellectual property. The loss will likely result in decreased revenues for a particular product line because foreign companies will clone and sell the technology, undermining the victim's competitiveness and qualifying as a material event.

The firm decides to not report the event in its SEC disclosure documents. Frustrated with the cover-up, members of the security team act as whistleblowers. If the firm is lucky the whistleblowers use the firm's reporting process to notify the audit committee of the board. If the firm is not lucky, or if the whistleblowers don't feel their concerns are addressed, they report to the SEC or other outside entities.

I could imagine many permutations of this scenario to make it better or worse for all parties involved. The bottom line is that I expect this aspect of additional regulations to be a new driver for disclosure, once it becomes more widely recognized and understood.

For fun, imagine a different scenario where hacktivists compromise the same victim and publish its email. Regulators read the email (or learn via those who read the email) that the hacktivism victim is also failing to report material losses due to APT compromise...

Thank you to Mr Lipman for agreeing to let me post his slides publicly. I plan to check out his book too.

Sunday, 20 May 2012

Comparing IEDs and Digital Threats

Two weeks ago Vago Muradian from This Week in Defense News interviewed Army Lt Gen Michael Barbero, commander of the Joint IED Defeat Organization. I was struck by the similarities between the problems his command handles regarding improvised explosive devices (IEDs) and those involving digital security professionals.

In fact, you may be aware that papers and approaches like Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D. were inspired by the desire to move "left of boom" regarding IEDs.

In this post I will highlight elements from the interview which will likely resonate with those working digital security problems.

  • The threat "shares information globally," and engages in an "arms race" with defenders, sometimes by "sitting in front of a computer" devising the latest tools and techniques.
  • The adversary can introduce changes to tools and techniques in weeks and months, not years or decades as was the case with conventional or strategic weapons.
  • For a "meagre expenditure," the adversary can impose "huge costs on defenders."
  • The goal of the security program (i.e., JIEDDO) is to provide commanders freedom of maneuver to conduct operations (business) in an IED environment.
  • "If you're worrying about the device, you're playing defense." Don't focus only on the device; put pressure on the networks (of adversaries who design, build, and operate the weapons).
  • Intelligence plays a key role in defeating adversaries. Winning involves applying "lethal pressure," along with government techniques. "It takes a network to defeat a network."
  • Defeating the device attracts the most attention and funding, but training users and attacking the network must also be pursued. Training involves ensuring that operators are using countermeasures effectively and appropriately.
  • JIEDDO shares threat intelligence in unclassified form so industry partners can devise countermeasures. The unclassified documents are backed by a classified appendix that describes how troops deploy countermeasures in operational settings.

I find the first four minutes of that interview, then comments about unclassified intel sharing at the seven minute mark, to be fascinating. It's clear to me that "malware" is the equivalent to IEDs in this context. Sure enough, just as in the IED world, defeating malware attracts a lot of "attention and funding," but training users and "attacking the network" are just as, if not more, important.

If you'd like to see examples of the IEDs encountered in the field and some US countermeasures, check out the first segment.

Cooking Banana Bread in a Rice Cooker
One thing I have noticed in China is that I have had to be a bit more creative here when it comes to cooking. I can't use a full size oven, so I have to make do with a toaster oven. I have been on a banana bread craze and while looking for better ways to cook it I came up with a pretty neat method: cooking it in a rice cooker.

You can find my recipe for banana bread here.


Banana Frosting for your Banana Bread
If you are looking for a way to spice up your banana bread, you should try making some banana frosting!


Blender Banana Bread Recipe - The Quickest and Easiest Way to Make Banana Bread
I am always looking for the cheapest, fastest and easiest way to do things. I think I have it perfected as far as banana bread goes. Below the recipe ingredients I will have more detailed instructions with a bit of information


Monday, 14 May 2012

SEC Guidance Is a Really Big Deal

In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents, my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal.

Since then I attended a conference on Directors and Officers insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference.

  1. First, lawyers who read the language in the SEC guidance treated it as a "stop whatever you're doing and read this" moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidance.

    Clients bombarded insurance firms asking what language they should use in their SEC disclosure documents. They asked "what are other companies saying? What should we say?" The firms noted similar boilerplate shared among clients, most of which insufficiently met the SEC's requirements.

    One lawyer I spoke with said she expects the SEC to give publicly traded firms a "one year pass" before bringing enforcement actions against them for insufficiently outlining digital risk, pre- and post-breach.

  2. Second, the SEC language will encourage shareholder lawsuits against companies by disgruntled parties who believe boards are not disclosing risks and actual breach details to investors. This will probably not be the primary cause for a suit, but it will likely be one of several factors a shareholder action uses to show that a board is not fulfilling its duties to investors.
  3. Third, the SEC language may prompt whistleblower reports from dissatisfied IT and security staff to organizations like the SEC Office of the Whistleblower. (That is a real organization!) In the seven weeks beginning with this new office's launch in August 2011, parties reported 334 tips from 37 states and 11 countries, with successful enforcement actions in up to 30% of cases.

    Although it doesn't appear that this new office has paid any whistleblowers yet, it is apparently gearing up to do so. Imagine a case where security staff believes that management is not treating a breach as the staff thinks it should be treated, and decides to report the incident to the SEC -- with the possibility of a payout waiting!

Right now Congress doesn't seem to think that the SEC rules are working. Joe Menn reported in Hacked companies still not telling investors the following:

At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.

Top U.S. cybersecurity officials believe corporate hacking is widespread, and the Securities and Exchange Commission issued a lengthy "guidance" document on October 13 outlining how and when publicly traded companies should report hacking incidents and cybersecurity risk.

But with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.

Now Senator Rockefeller is taking a closer look as reported by Jennifer Martinez of Politico this week:

Senate Commerce Chairman Jay Rockefeller thinks the SEC needs to ensure hacked companies are adequately informing their investors about when they suffer a security breach or cybersecurity risk that could jeopardize their financial standing.

The West Virginia Democrat wants the full commission to issue guidance for companies — right now they only have staff-level instructions — on when they have to report cyber breaches or threats and what steps they’re taking to minimize the risks.

“It’s crucial that companies are disclosing to investors how cybersecurity risks affect their bottom lines, and what they are doing to address those risks,” Rockefeller said in a statement to POLITICO.

Rockefeller will soon introduce an amendment that calls on the SEC to issue interpretive guidance on when companies must disclose cybersecurity risks and intrusions. Staffers for the Commerce Committee are finalizing the amendment and aim to introduce it before Sen. Joe Lieberman’s (I-Conn.) cybersecurity bill goes to the floor.

This is the sort of activity that I think is going to mark a sea change in digital security over the coming years. I don't expect engineering or technical developments to have anywhere near the same level of impact as issues that involve legislators, lawyers, insurers, and financiers. Stay tuned!

Use Gmail as a GTD tool (Getting Things Done and using Gmail more productively)
Most of us have probably used email more than a handful of times to remind ourselves to do something, or as a shopping list of sorts. I recently discovered a way to help me be more organized with my emails and tasks using Gmail. It is quick and easy to do.

I will show you how to get important emails and tasks at the top of Gmail, so you will always see (and never forget) the most pressing things in your inbox.


Wednesday, 09 May 2012

Passwords Still the Weak Link in the Chain

Networks are only as secure as their weakest part, and time and time again, the weakest part of any network system is the user. Weak passwords are by far the easiest aspect of network security to hack, and despite repeated calls by security experts for people to tighten up their password habits, password vulnerability is as bad as it has ever been.

Gaining access to people’s passwords can be extremely simple, primarily because people just don’t listen to advice. Because so many people use weak or recycled passwords, a hacker only needs to determine one person’s login to gain access to an entire network and the great bounty of data therein. Virtually every high profile hack is down to a single user having a weak password; from online retailer Zappos, which earlier this year had the personal details of 24 million users stolen, to global intelligence firm Stratfor, which really should have known better, but recently lost 860,000 user names and email addresses to hackers.

Password security can be extremely difficult for a big network to manage, primarily because it requires policing everybody with access, from the website designers and administrators, to the marketers who are in charge of PPC management and Adsense campaigns, and it only takes one person not to take security seriously for the whole network to become vulnerable.

Seven deadly password sins

People are creatures of habit, and nearly a fifth of people still commit one of the seven most common sins for generating passwords:

  • They use the name of their partner, child or pet, perhaps followed by a digit to adhere to the alpha/numerical construction (usually a 1 or 0). These days, with everybody having their life laid bare on social networking sites, it doesn’t take long to learn the name of a family pet, child or spouse.
  • The same is true of people’s date of birth, either the user’s or their partner’s/child’s/pet’s.
  • People often use the last four digits of their social security or employee roll number. These details are perhaps more difficult to get hold of, but not impossible.
  • Amazingly, 123, 1234 or abcd1234 are still common password combinations used by people.
  • Likewise, “password” or “pa55word” (to get that alpha/numerical combination) is another commonly used combination.
  • Again, Facebook grants easy access to a user’s favorite sports team, which is another common password sin.
  • Then there are the generic one-word passwords of “god”, “love”, “money”, “access”, etc., which are all common strings.

Repetition

Even if somebody follows the protocol for creating a strong password and uses upper and lower case, numbers and letters, and keeps the string as random as possible, there is a chance that after going through all that effort, they are probably going to use this same password for a whole host of other web activities. While gaining access to a work VPN or bank account is going to take a lot of effort, some sites, such as forums or online retailers, won’t have such strict security. If a hacker gains access to these websites and figures out a user has quite a strong password, then chances are they are using the same string to gain access to their work network, bank or other secure site.
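As an added example, not code from the original post, here is a defender-side policy check that screens a candidate password for the seven sins listed above (personal names and birth dates from a user profile, 123/1234/abcd sequences, "password" and leetspeak spellings such as "pa55word", single common words with a trailing digit) and, for the reuse problem in this section, against a breached-password list, which is the practical mitigation since one site cannot see what its users typed elsewhere. The `check_password` function, the `profile` layout, and the `COMMON_WORDS` and `BREACHED` sets are all assumptions constructed for this example; a real deployment would compare hashes against a published breach corpus rather than plaintext.

```python
"""Weak-password pattern checker (added example, not from the original post)."""
import re
from datetime import date

# Constructed sample data standing in for a dictionary of common strings.
COMMON_WORDS = {"password", "god", "love", "money", "access", "admin", "letmein", "welcome"}

# Constructed stand-in for a breached-password corpus. Real deployments hold
# a large published list and compare by hash, never plaintext.
BREACHED = {"qwerty123", "iloveyou", "Summer2012", "abcd1234"}

# Undo the usual letter -> digit/symbol substitutions ("pa55w0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols ("Fluffy1!" -> "fluffy"), then undo leetspeak."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)
    return stripped.lower().translate(LEET)


def date_tokens(d: date) -> set:
    """Digit strings someone might type from a birthday: 19850314, 03141985, 140385, 0314, 1985 ..."""
    y, m, dd = f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"
    return {y + m + dd, m + dd + y, dd + m + y, dd + m + y[2:], m + dd + y[2:], m + dd, dd + m, y}


def has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive ascending characters (1234, abcd)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(pw: str, profile: dict) -> list:
    """Return the policy violations for pw; an empty list means it passes.

    profile is a hypothetical layout:
      {"names": {"pet": "Fluffy", ...}, "dates": {"own": date(1985, 3, 14), ...}}
    """
    problems = []
    low = pw.lower()
    core = normalize(pw)
    if len(pw) < 8:
        problems.append("too short")
    if pw.isdigit():
        problems.append("digits only")
    if pw in BREACHED:
        problems.append("appears in breached-password list")
    if core in COMMON_WORDS:
        problems.append(f"common word '{core}'")
    if has_sequence(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    # Sins 1 and 6: names of partner/child/pet/team, even with a trailing digit.
    for label, name in profile.get("names", {}).items():
        if len(name) >= 3 and name.lower() in core:
            problems.append(f"contains {label} name")
    # Sin 2: birth dates of the user or their partner/child/pet, in any common layout.
    for label, d in profile.get("dates", {}).items():
        if any(tok in low for tok in date_tokens(d) if len(tok) >= 4):
            problems.append(f"contains {label} date of birth")
    return problems


if __name__ == "__main__":
    # Constructed profile for demonstration.
    demo = {"names": {"pet": "Fluffy", "partner": "Maria"}, "dates": {"own": date(1985, 3, 14)}}
    for candidate in ["Fluffy1", "pa55word", "abcd1234", "Maria19850314", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, demo) or 'OK'}")
```

The name and word checks run on the normalized form, so appending "1" or swapping letters for digits (the habits the list describes) does not get a password past the check. Screening against a breached list is what catches a password that is strong in form but already public from another site's compromise; the list here is a tiny constructed stand-in.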

Hear no evil

Despite the repeated high profile attacks, the loss of millions of people’s personal data each year, and the persistent mantra of the importance of strong passwords from network bosses, people just aren’t listening. It isn’t even as if the internet is a new thing. People have been relying on usernames and passwords for decades, but it seems they just won’t listen. There are probably a couple of reasons for this, and they both boil down to human nature.

Firstly, people think it will never happen to them. Hacking is like being mugged, both in the material loss that can result and in the fact that people think it only happens to others. It isn’t until somebody actually gets hacked that they start to take passwords seriously, but of course, by then it is too late. Secondly, people are inherently lazy. Generating new passwords all the time and having to remember them is not fun, and most people have better things to do, which is why so many choose weak and easy to remember passwords or recycle older ones.

Until people start realizing the importance of good password protocol, high profile hacks will continue unabated. Perhaps there will come a time when virtually everybody has suffered some form of hacking attack at least once, by which time password security may at last become as important a security concept to people as protecting their wallet or locking their front doors at night. Until then, weak passwords are by far the easiest way into a network for any hacker.

The Hacka Man