Random musings on whatever subject strikes my fancy, published every other day.

Tag: infosec Page 3 of 4

Sony: The Gift that Keeps On Giving

As you may recall, late last fall, Sony Pictures Entertainment acknowledged that their entire IT infrastructure had been severely breached.  At the time, the attackers were announced to be the North Koreans.  But serious analysis absent political axes to grind has put that conclusion in doubt, to say the least.  More evidence points to the actions of an unhappy employee/former employee and roughly half a dozen accomplices.

One of the things that the attackers did was release a huge cache of internal emails, emails that did not put anyone from within Sony in the best light.  Who among us can say that the release of all our emails would treat us much better?  Still, these were dumped onto public sites, e.g., PasteBin.

Sony’s immediate response was to try to shut down the press from covering this aspect of the situation by sending legal-ish letters to all major media outlets, claiming that just because they were public didn’t mean that they could be reported.  To understand how this is consistent with the First Amendment, I think you need a law degree and a fat paycheck from Sony.  Needless to say, the folks at WikiLeaks were not impressed.  They spent the next few months building everything that was released into a searchable archive.  You can read about that site they just opened here.

Sony’s well-compensated lawyers have jumped right back into the fray, of course.  Unable to do anything about the WikiLeaks site itself, they have once again taken their, um, peculiar understanding of Freedom of the Press to the medium of threatening letters directed at the press (sample here).

The website TechDirt received one of these letters, and wrote about that fact (coverage).  Yeah, gossip about Julia Roberts is not truly newsworthy but there’s plenty in those emails that is.  It’s worth noting that one of two Investigative Reporting Pulitzer Prizes just given out went to Eric Lipton, who also didn’t think much of Sony’s legal theory in this matter.  Lipton used whatever he needed from that treasure trove.  TechDirt has now made a formal response to Sony, which is rather amusing.

I know Sony likes when their work product makes us want to get popcorn and settle in, but I don’t think this is what they had in mind.

The price of free games

What price do we pay to play our favorite games?  Especially the “free” ones?

Privacy.  It’s not that we don’t value it.  We do; we treat it as currency.  And it’s sobering how lavishly we spend it.

I just sampled the permissions requested by the following apps on my Android phone or tablet:

Ingress  Unblock Me FREE 
Pandora Slice It!
Angry Birds  Flow Free
Bubble Blast 2

Except for Pandora, a music-streaming service, all are free games.  Some support in-game purchases but I am disregarding that.

Here are the permissions they require, in aggregate:

  • access Bluetooth settings
  • add or modify calendar events and send email to guests without owners’ knowledge *
  • approximate location (network-based)
  • change network connectivity
  • change your audio settings
  • connect and disconnect from Wi-Fi
  • control vibration
  • find accounts on the device
  • full network access
  • install shortcuts
  • modify or delete the contents of your USB storage
  • pair with Bluetooth devices
  • precise location (GPS and network-based)
  • prevent device from sleeping
  • read call log
  • read Google service configuration
  • read phone status and identity
  • read sync settings
  • read sync statistics
  • read the contents of your USB storage
  • read your contacts
  • receive data from Internet
  • retrieve running apps
  • run at startup
  • toggle sync on and off
  • use accounts on the device
  • view network connections
  • view Wi-Fi connections

* – I uninstalled the one that needs to be allowed to do that.  ~~shudder~~
For some of these games, some of these permissions make sense.  Obvious example: Ingress is simply not going to “do what it says on the tin” if it cannot know your exact location.  On the other hand, what the heck does a simple cutting-puzzle game like Slice It! need with my phone’s call history?
Not to mention, the fact that a given permission seems aligned with the game’s function does not mean that is the only use to which that info is being put.  Imagine if all of the information in the listing above were being compiled in one building.  We’d think that was the NSA and we were on some terror watch-list.
How different is the situation here?  If a game manufacturer can’t use this info themselves, they can surely find a buyer for it.  And yes their privacy policy might say that they won’t sell your individual information but I have found most of them do allow the resale of the information they collect if it’s aggregated and “anonymized.”  Except, as you can see here and here and many more places, anonymization is laughably easy to reverse.  Not to mention, the buyers of your information might have a looser privacy policy than the original collector.  Or they might have none at all.
I’m not saying, don’t play free games.  Or even don’t use a smartphone, which really has all the same issues.  I’m saying, be aware of what you’re paying for those things.

Tech To-Do List

My home tech to-do list (in no particular order)

  • Network Zones: I would like three segregated network zones in our home LAN.  One for our general purpose computers, one for our Android and BlackBerry devices, and one for our printers and connected entertainment boxes (Roku, TiVo, etc.).  There does need to be some traffic between them, however; at least the computers need to be able to communicate with the printers. I have at my disposal for this an ASUS WiFi router and a TP-Link managed switch.  I may also soon add…
  • A UTM device in front of our Internet connection.  That ASUS router is currently connected straight to the DOCSIS 3 cable modem, and doing boundary duty as well as all its internal responsibilities.  I am considering Sophos Free Home UTM, and pfSense.  I have purchased the Intel Atom D2500 for the hardware base.  This will probably handle the Sophos – if not, pfSense will be no challenge to it, for sure.
  • Need to find a way to set up a group of Raspberry Pi units with USB DVD drives to bulk-rip all our movie and TV DVDs into a format that Plex or Serviio will serve.  This is a living-space-placement issue as well as a tech challenge because cats.
  • We have a Sony Bravia TV and a BD player/receiver combo that do a nice job of switching the sound to our 5.1 speakers… some of the time.  The receiver also has a bunch of streaming applications that are now mostly duplicated on other devices.  So I think it might be time to replace the BD-Receiver.  Anyone who knows of a non-Sony device that does “Bravia sync” please comment.  I’m willing to put in two devices here only if absolutely necessary.
  • I am trying out SpiceWorks for a combination of ticketing and monitoring but I’m leery of giving an online service the amount of internal access and authentication that a monitoring system does need.  If anyone knows of a similar facility I could stand up and host internally, shout it out.
There are probably more but they are all much lower priority.  In fact, the priority is so low I can’t think of them now.  This is why I need a ticketing system.

Getting Ready to Present

Every month at my office, I hold an informal Lunch & Learn.  I take the opportunity to enlighten any of my colleagues who want to listen about some topic related to Information Security.  This is available to anyone in our IT operation who’s interested, anywhere in the world.  Since this event has attracted a bit of a following in the UK, I feel bad for them that it’s always at 5PM local.  Especially since it’s always on a Friday!  So a couple times a year, I will do it at 7AM (or 8AM, as I did today) in order to hit noon UK time.

Between these lunch & learn sessions, and two to four conference talks a year, I have started to notice that the experience falls into a fairly consistent pattern.

  1. A last minute rush of tweaking my slides, which is not helped by the fact that I love to compose the actual presentation in the last 24 hours before presenting.  I will read and research for weeks but I seldom commit anything to PowerPoint before the last 24 hours.
  2. About 30 minutes before my talk I start checking out the logistics: connection to projector and/or conferencing utility software, phone hookups, etc.  Probably because of…
  3. Nerves.  I get nervous, performance-anxiety feelings anywhere from 1 to 8 hours before presenting.  Every damn time.  I am somehow convinced that this helps me do well, so I am okay with it.
  4. Will anyone show up?  I always worry about this in the last few minutes.  Always for no good reason.  I suppose it’s a side-effect of #3.
  5. Presenting begins.  I always feel like I talk too much, I talk too fast. 
  6. I want questions, and at first I usually get silence.  Then I finally get one… then another.  And they’re good! Smart questions!  
  7. I love it!  Want to do it again, and again!
Strange as it seems for someone as introverted as I am, I really enjoy making these large group presentations.  My efforts seem to be pretty warmly-received, and I get asked back.  So I guess I am not just a victim of the Dunning-Kruger Effect here. 

Vulnerability Counting misses the point

In a summary report by a researcher from GFI Software, a security products company, we learned yesterday that the count of vulnerabilities discovered in 2014 was up over the previous year.

We got a lot of graphs.  

Who wants pie?

We got tables, too. 
OSX and Linux make disturbingly large ripples in the pool, for once.
But all this rather misses the point.

The counts of the vulnerabilities researchers have discovered in your software are only one factor in your overall security picture, and I would argue, a relatively minor one.  Most attacks succeed because of misconfigurations and human factors.  Malicious insiders and social engineering.  
The vast majority of technologically vulnerable software is on machines that should not be accessible from the Internet, and perhaps not even from the majority of the company’s intranet.  And yet audit after audit will find default-allow access rules, especially on internal firewalls.  These, plus lousy defaults for on-the-box controls create many times more opportunities for attackers than should exist.
And for the most part, human failures are really design failures.  IT architects design systems with an unspoken and largely unexamined assumption that the operators of those systems will do things correctly.  This assumption is one that we security practitioners must challenge at every turn.  Two things that security uber-consultant Bruce Schneier has said stick with me. The first is about the fact that good security people are people who break stuff, by breaking the assumptions under which they are designed.  For example, here he wrote about a hilarious product called SmartWater, which is water with microscopic particles in it that provide a unique coding, to mark property as yours.  Schneier said, “The idea is for me to paint this stuff on my valuables as proof of ownership. I think a better idea would be for me to paint it on your valuables, and then call the police.”  This should have given the architects of the whole SmartWater idea what we like to call an, Oh, $#!+ moment.

And the second one might be his most-quoted one-liner:  “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

Ultimately, vulnerability counts are about nitpicking the technology.  Good technology is important, and we should be pushing the manufacturers to make it better for security all the time.  But getting the numbers on all those charts and graphs to zero won’t be the final answer.

Page 3 of 4

Powered by WordPress & Theme by Anders Norén