Link

In his 11 sure signs you’ve been hacked post, Roger Grimes writes

Most malicious hacking originates from one of three vectors: unpatched software, running Trojan horse programs, and responding to fake phishing emails. Do better at preventing these three things, and you’ll be less likely to have to rely on your antimalware software’s accuracy — and luck.

For at least two of the three vectors Grimes mentions, the long held belief is that awareness and endpoint security will help the customer offset the threat. But the opposite appears to be the case, the more protection software we give the user, the less likely they are to rely on their own wiles.

Is the challenge for the Security industry then to focus on certain less obvious to the customer prevention opportunities rather than the more lucrative and overt cure of endpoint anti-virus which has been so valuable to the industry for so long? It’s going to be hard to leave the money on the table, especially when so many have been conditioned to accept that anti-virus is to a computer as a saddle is to a horse.

The reward is likely to be a happier, more confident customer, and a refocus on where the puck is going to be rather than where it was last year.

Link

Can’t really add much to Danah Boyd’s logical argument:

Rather than trying to protect teens from all fears and risks that we can imagine, let’s instead imagine ways of integrating them constructively into public life. The key to doing so is not to create technologies that reinforce limitations but to provide teens and parents with the mechanisms and information needed to make healthy decisions.

IBM buys Trusteer, gets a lot more than Anti-Virus

What does it say about News Limited’s Business Spectator when they pigeon hole Trusteer as an "anti-virus" company? Some simple journalism, including other sources for the news about IBM’s purchase of the security company would have told them that such a description was beyond reductive. But it’s the challenge anyone in the security industry has to face when translating what we do in a way that most people understand.

The most interesting part about the purchase, the recent purchase of Sourcefire by Cisco and Intel’s purchase of McAfee a couple of years back, is that security might finally be seen as a core business offering, at least at the enterprise level.
In June Cisco CEO John Chambers said,

we are not our customer’s primary security vendor and that’s got to change.

Certainly IBM VP Marc van Zadelhoff has the same view;

all our products will work together and share data…IBM is leaps and bounds ahead in covering the most domains and doing the integration that is necessary. Five years from now [the market is] not going to be so fragmented.

What this reduction in fragmentation means for those security operations that traditionally added value to core services offered by organisations like Intel, Cisco and IBM will be interesting to behold. Should we expect further consolidation in the coming years as customers expect the services they purchase to be secure out of the box, leaving less room for over the top players? I can’t see it any other way.

For smaller, more nimble and innovative providers, as well as being able to attract attention just as Trusteer and Sourcefire have done, they may also have the ability to continue to build on top of the core security offerings and stay independent. For those who don’t fit that bill, it must be certain we will see a contracting in the market.

Link

By using words like ‘confidential information’ and ‘stored in your keychain’, OSX describes the state of your saved password’s current security. It’s the very security Chrome is about to bypass, by displaying your passwords, in plain-text, outside your keychain, without requiring a password.

I don’t personally allow Browsers of any ilk to keep my passwords, but as Elliot Kember writes, most users just click “OK” or “Allow” in order to proceed.

There’s a fine line between convenience and security, it’s quite likely that those who are most need of one, end up tending to the other.

A Privacy of iOS Communication

Quote

…conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.

Apple’s response to queries about PRISM has an interesting sidebar. If you want your communications to be private, both you and who you are communicating with should use iOS.

Link

Following Alex Stamos’ intriguing A Taxonomy of PRISM Possibilities  I noted the following path suggested:

The PRISM program exists and gathers large amounts of information indiscriminately. The NSA is gathering broad data sets by passively sniffing huge amounts of traffic on backbones and at interchange points without the knowledge of the end-providers. The NSA is decrypting traffic using the private keys of these companies which it convinced them to turn over. 

In short, one of the paths he seems to suggest is one where (2 B ii a c b) the NSA is passively sniffing without the knowledge of the end-providers but the NSA has their Private Keys.

Even though at first glance it might look like a contradiction – why would they allow them to have their Private Keys if they though they were likely to sniff their traffic, there’s always the chance the Private Key was handed over for other reasons at another time. The chance that this might be the case should now make any organisation become more than normally wary about who has access to their Private Keys.

Unless, and as Stamos says,

This is a way that these companies could cooperate with the NSA without large numbers of employees being involved.

And be able to pretend to themselves while denying in public – as many have – that they’ve allowed any backdoors by Government agencies into their servers and services.

A Shark Net for the Insecure

You couldn’t help but read Andrew Auernheimer’s Statement Of Responsibility for his crime of breaking into unsecured API’s on the AT&T website – the iPad Hack – and wonder in what world do we think it is okay for someone to go to jail for potentially many years because they exposed such shoddy security on a Public Internet Site?

Because the article indicates he instead contacted a news publisher, I wondered why Auernheimer didn’t contact AT&T first to show them the flaw but until he responds, can only assume he was simply concerned the security team there would threaten exactly what has since happened to him. Something seen recently in Australia to security researcher Patrick Webster for example.

It’s possible the CFAA law which was used both against Auernheimer and Aaron Swartz formed part of his consideration. For those unfamiliar with what appears to be nothing more than hastily strung barbed wire around badly dug moats, here’s a couple of articles describing what it tries to cover and what it doesn’t.

It seems to me that what we have here is a law which is being used like a shark net on a beach. Fostering a false sense of security and allowing businesses to avoid taking responsibility for their own failures when it becomes clear they have failed to invest adequately in securing critical and personal data.

Just as the shark net does, instead of simply preventing the threat from breaking through it catches everything which falls into it, threat or not. But unlike the shark net, sometimes the collateral damage from someone else to blame when the shortcomings are found out aren’t acceptable to the public.