Dec 30, 2014

German author Jürgen Todenhöfer recently returned from an incredible visit to the Islamic State.

His experiences and his conclusions are sobering. He believes that the threat represented by ISIS (which he considers a legacy of George W. Bush’s illegal war in Iraq) and the strength of the Islamic State are greatly underestimated. He also believes (and I tend to agree) that ISIS cannot be defeated by bombs; that unless a viable, credible alternative is offered to the Sunni population, ISIS will prevail.

I disagree with his conclusion, though, that ISIS is the greatest threat to world peace. It is a threat, to be sure, but apart from random attacks by ISIS sympathizers (which, thankfully, are few and far between) I don’t think ISIS represents a serious security challenge to the West. If I went looking for the greatest threat to world peace, I’d be more concerned about a potential conflict between nuclear-armed adversaries in Asia, or about a Putin presiding over a failed Russian oil state, whining to the world that because he has so many nukes, he must be taken seriously and be treated with more respect.

Posted at 10:01 am

Dec 27, 2014

It appears that an Indonesian AirAsia flight with over 160 souls on board vanished a few hours ago.

Here is the last track of the flight from flightradar24.com:

I don’t know if the tracking ended because the flight vanished at that point, or perhaps it just flew out of range of ground-based facilities and had no appropriate satellite service subscription like ADS-B. I guess we shall find out in the coming hours or days.

Posted at 11:19 pm

Dec 26, 2014

So tonight, my wife and I watched the infamous movie, The Interview, for the princely sum of 7 Canadian dollars, courtesy of YouTube.

Chances are that without the SONY hack and the subsequent decision to pull the film from theaters, we would never have seen it. To be honest, it is a rather crappy movie. And I chose that word with care, as much of the so-called humor was really lower body humor. There were perhaps a few decently funny moments (though none that would make me laugh uncontrollably, not even close.)

Still, let that be a lesson to pisspot dictators: clumsy attempts to censor the West’s entertainment industry only provide invaluable free publicity. An entirely forgettable piece of Hollywood trash this way became an instant immortal icon, mentioned along with classics like Chaplin’s The Great Dictator.

It appears though that the film found a receptive audience in China of all places. Great! Perhaps it will give Beijing’s communist government some food for thought as they consider the consequences of their continuing support for one of the world’s most totalitarian, most abusive regimes.

Posted at 11:07 pm

Dec 24, 2014

Year after year, I can find no better way to wish Merry Christmas to all my family, my friends, and all good people on Earth, than with the immortal words of Apollo 8 astronaut Frank Borman from 46 years ago: “And from the crew of Apollo 8, we close with good night, good luck, a Merry Christmas and God bless all of you – all of you on the good Earth.”

Posted at 3:57 pm

Dec 23, 2014

It’s Christmas so it’s bejgli time.

Bejgli is Hungarian (well, actually, the word comes originally from German but let’s not be pedantic at Christmas) for a (walnut or poppy seed) nut roll that is typical Christmas fare in Hungary. This is what they looked like (nearly) fresh out of the oven earlier this afternoon:

Oh yes, the picture was taken with my thermal camera.

Posted at 9:21 pm

Dec 18, 2014

While much of the media is busy debating how the United States already “lost” a cyberwar with North Korea, or how it should respond decisively (I agree), a few began to discuss the possible liability of SONY itself in the hack.

The latest news is that the hackers stole a system administrator’s credentials; armed with these credentials, they were able to roam SONY’s corporate network freely and over the course of several months, they stole over 10 terabytes (!) of data.

Say what? Root password? Months? Terabytes?

OK, I am going to go out on a limb here. I know nothing about SONY’s IT security, the people who work there, their training or responsibilities. And of course it wouldn’t be the first time for the media to get even basic facts wrong.

Still, the magnitude of the hack is evident. It had to take a considerable amount of time to steal all that data and do all that damage.

Which could not have possibly happened if SONY’s IT security folks actually knew what they were doing.

Not that I am surprised. SONY is not alone in this regard; everywhere I turn, corporations, government departments, you name it, I see the same thing. Security, all too often, is about harassing or hindering legitimate users. No, you cannot have an EXE attachment in your e-mail! No, you cannot install that shrink-wrapped software on your workstation! No, we cannot let you open TCP port 12345 on that experimental server!

Users are pesky creatures and most of them actually find ways to get their work done. Yes, their work. This is not about evil corporate overlords not letting you update your Facebook status or watch funny cat videos on YouTube. This is about being able to accomplish tasks that you are paid to do.

Unfortunately, when it comes to IT security, a flawed mentality is all too prevalent. Even on Wikipedia. Look at this diagram, for instance, illustrating the notion of defense in depth:

This, I would argue, is a very narrow-minded view of IT security in general, and the concept of in-depth defense in particular. To me, defense in depth means a lot more than merely deploying technologies to protect data through its life cycle. Here are a few concepts:

  1. Partnership with users: Legitimate users are not the enemy! Your job is to help them accomplish their tasks safely, not to become Mordac the Preventer from the Dilbert comic strip. Users can be educated, but they can also be part of your security team, for instance by alerting you when something is not working quite the way it was expected.
  2. Detection plans and strategies: Recognize that, especially if your organization is prominently exposed, the question is not if but when. You will get security breaches. How do you detect them? What are the redundant technologies and methods (including organization and education) that you use to make sure that an intrusion is detected as early as possible, before too much harm is done?
  3. Mitigation and recovery: Suppose you detect an intrusion. What do you do? Perhaps it’s a good idea to place a “don’t panic” sticker on the cover page of your mitigation and recovery plan. That’s because one of the worst things you can do in these cases is a knee-jerk panic response shutting down entire corporate systems. (Such a knee-jerk reaction is also ripe for exploitation. For instance, a hacker might compromise the open Wi-Fi of the coffee shop across the street from your headquarters before hacking into your corporate network, intentionally in such a way that it would be discovered, counting on the knee-jerk response that would drive employees in droves across the street to get their e-mails and get urgent work done.)
  4. Compartmentalization. I don’t care if you are the most trusted system administrator on the planet. It does not mean that you need to have access to every hard drive, every database or every account on the corporate network. The tools (encrypted databases, disk-level encryption, granular access control lists) are all there: use them. Make sure that even if Kim Jong-un’s minions steal your root password, they still wouldn’t be able to read data from the corporate mail server or download confidential files from corporate systems.

SONY’s IT department probably failed on all these counts. OK, I am not sure about #1, as I never worked at SONY, but why would they be any different from other corporate environments? As to #2, the failure is obvious: it must have taken weeks if not months for the hackers to extract the reported 10 terabytes. They very obviously failed on #3, and if the media reports about a system administrator’s credentials are true, #4 as well.

Just to be clear, I am not trying to blame the victim here. When your attackers have the resources of a nation state at their disposal, it is a grave threat. But this is why IT security folks get the big bucks. I can easily see how, equipped with the resources of a nation state, the attackers were able to deploy zero day exploits and other, perhaps previously unknown techniques that would have defeated technological barriers. (Except that maybe they didn’t… the reports say that they stole user credentials and, I am guessing, there is a good chance that they used social engineering, not advanced technology.) But it’s one thing to be the victim of a successful attack, it’s another thing not being able to detect it, mitigate it, or recover from it. This is where IT security folks should shine, not harassing users about EXE attachments or with asinine password expiration policies.
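
One way to give #2 teeth is to watch outbound volume per account over a long window rather than per request: ten terabytes do not leave in an afternoon, but a few gigabytes a day, every day for two months, hide easily from per-day or per-connection alerting. The following Python is an added example, not code from SONY or from this post; it assumes a simplified egress log of the form "<date> <account> <bytes_out>", and the log lines and account names are constructed for the demonstration.

```python
import re
from statistics import median

# Constructed sample of an egress/proxy log, one line per account per day:
# "<date> <account> <bytes_out>". The numbers are invented for this example.
# Eight ordinary accounts move a few hundred kilobytes to a megabyte a day;
# one service account quietly moves 2 GB a day, every day, for two months.
NORMAL_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]


def _normal_daily_bytes(i, d):
    """Deterministic pseudo-random daily volume in [300 KB, 1 MB)."""
    return 300_000 + ((i + 1) * 7919 * (d + 1)) % 700_000


SAMPLE_LOG = "\n".join(
    f"2014-{9 + d // 30:02d}-{d % 30 + 1:02d} {acct} {size}"
    for d in range(60)
    for acct, size in (
        [(a, _normal_daily_bytes(i, d)) for i, a in enumerate(NORMAL_ACCOUNTS)]
        + [("svc_sysadmin", 2_000_000_000)]
    )
)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (date, account, bytes_out); malformed lines are skipped, not trusted."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def totals_by_account(records):
    """Sum bytes_out per account over the whole window."""
    totals = {}
    for _date, acct, nbytes in records:
        totals[acct] = totals.get(acct, 0) + nbytes
    return totals


def flag_outliers(totals, threshold=5.0):
    """Return [(account, robust_z)] for accounts far above their peers.

    Uses the median and the median absolute deviation (MAD) instead of the
    mean and standard deviation, so one enormous account cannot inflate the
    baseline and hide behind it.
    """
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    # MAD of 0 means most accounts are identical; fall back to the median
    # itself as the scale so the score is still a meaningful ratio.
    scale = 1.4826 * mad if mad > 0 else max(med, 1)
    flagged = []
    for acct, total in totals.items():
        z = (total - med) / scale
        if z > threshold:
            flagged.append((acct, z))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


def account_span(records, account):
    """(first_date, last_date, distinct_days) on which the account sent data."""
    days = sorted({date for date, acct, _ in records if acct == account})
    return (days[0], days[-1], len(days)) if days else (None, None, 0)


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    totals = totals_by_account(records)
    for acct, z in flag_outliers(totals):
        first, last, ndays = account_span(records, acct)
        print(f"{acct}: {totals[acct] / 1e9:.1f} GB out over {ndays} days "
              f"({first} to {last}), robust z = {z:.0f}")
```

The baseline choice is the point of the exercise. With a mean and standard deviation, the one account that moved 120 GB inflates both so much that it scores only about 2.8 against a baseline it set itself and would slip under the same threshold; the peer-relative median/MAD score does not have that failure mode. It still misses an attacker who spreads the transfer across many low-volume accounts, which is why the same aggregation is worth running per destination network as well as per account.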

Posted at 9:57 pm

Dec 17, 2014

If you thought that the scary news from yesterday was the mass murder of 145 people at a Pakistani school, think again. Tragic as that event was, it has zero effect on your security or well-being unless you happen to live in northern Pakistan.

But what happened in Russia yesterday may threaten the security of us all. The Russian central bank’s decision to hike rates by a whopping 6.5% overnight is a sign that the Russian economy is in deep trouble. Worse yet, it is unlikely that Putin will change course, since his popularity is based mainly on his newfound nationalism, not his economic performance.

Which raises the possibility that Putin will lash out and do something stupid. Not just in the Ukraine but, perhaps in a fatal miscalculation, in the Baltic region. If he has any reason to think that NATO would not respond to Russian aggression in places like Estonia, we are all in deep trouble, because I cannot see how NATO would not respond… and that, of course, is a nightmare scenario.

Meanwhile, Obama made the bombshell announcement of restoring diplomatic ties with Cuba. Long, long, long overdue. (To those who think this amounts to appeasing a communist regime, all I can say is, look how well the policy of isolation worked in the last 50+ years.) I also wonder what the Kremlin’s masters think about this. Cuba was one reliable ally in America’s backdoor that they could always count on… what is going to happen now?

We seem to be living in interesting times.

Posted at 9:10 pm

Dec 17, 2014

Recently, I had to fill out some security-related forms with the Canadian government. To do so, I had to log on to a government Web site and create an account using a preassigned, unmemorizable user ID.

While I was doing that, I had to set up a password. It seems that the designers of the government Web site are familiar with XKCD, because their password policy (which also includes frequent password expiration and rules to prevent the reuse of old passwords) seemed like an exact copy of the policy ridiculed here:

Once I managed to get past this hurdle, I had to complete some forms that were downloadable as PDFs. Except that the forms (blank forms!) were distributed as encrypted PDFs, which made it impossible for me to load them with my old copy of Acrobat 6.0 for editing. The encryption was trivial to break (print to PostScript, remove encryption block using an editor, convert back to PDF) but it was there just as an annoyance.

If they invited me to audit their security policy (of course they wouldn’t), I’d ask them the following questions:

  1. What is the rationale of your password expiration/password strength policy, ignoring best advice from actual security experts who know the meaning of terms like “entropy”? What are the data supporting Draconian rules that, effectively, force infrequent users to change their passwords every time they log on to your system?
  2. What is the rationale behind your policy to encrypt PDF files unnecessarily? Exactly what threat is this supposed to address, and what is the anticipated outcome of employing this security measure?
  3. Now that you have successfully alienated your users, what are your plans for detection, analysis, mitigation and recovery in case a real attack occurs? Would you even know when it happens?

I suspect that the real answer to the last question is a no. Security theater is not about protecting systems or preventing attacks; it’s about protecting incompetent hind parts from criticism.

Posted at 8:55 pm

Dec 17, 2014

The news tonight is that SONY has pulled The Interview from theaters, with no plans to release the movie at this time either through theaters or digitally.

This is wrong on so many levels.

Most importantly, because that grown up crybaby, that Eric Cartman from the land of dictators, should not have his way. Simply put, Kim Jong-un is not just a murderous jackass like his pa and his grandpa, he is also a vain little bully with a bloated ego who is throwing a hissy fit because someone dared to joke at his expense.

Dear little Kim Jong-un… grow up already. Right now, even South Park’s characters seem wise and mature in comparison.

Posted at 8:42 pm

Dec 13, 2014

Meet Rufus, our newest cat.

I don’t usually like the idea of accessorizing kittycats, but Rufus is such an elegant creature, a bow tie seemed like an absolute necessity.

The cat who photobombed the shot in the background is our oldest kitty, Kifli.

And, since someone will inevitably ask for it, here is a picture of Rufus in the infrared (sans bow tie, this time):

Posted at 9:18 am

Dec 9, 2014

Today, I became a proud owner of a new smartphone attachment: a thermal camera.

I long wanted to have a thermal camera, but the prices were frivolously high. One of the cheapest cameras from FLIR, for instance, the TG165, costs five hundred dollars and has a measly 80 x 60 pixel sensor resolution. FLIR has a smartphone thermal camera attachment that’s cheaper, but its resolution is also low, and it only works with the iPhone.

In contrast, the Seek Thermal camera attachment costs only two hundred bucks and has a 206 x 156 pixel sensor, which is quite decent, insofar as thermal sensors go. And it works with Android phones, notably my Samsung S3. Better yet, much to my delight I found out that the device is actually manufactured in the United States.

So I knew immediately what I wanted for Christmas. Okay, it arrived a little early, but that’s okay. It is a lovely little device, nicely packaged, looks very well manufactured, with a protective jewel case for safe storage when not in use.

And this is what I look like in the infrared:

Lovely mugshot, isn’t it.

Posted at 10:33 pm