In his “11 sure signs you’ve been hacked” post, Roger Grimes writes

Most malicious hacking originates from one of three vectors: unpatched software, running Trojan horse programs, and responding to fake phishing emails. Do better at preventing these three things, and you’ll be less likely to have to rely on your antimalware software’s accuracy — and luck.

For at least two of the three vectors Grimes mentions, the long-held belief is that awareness and endpoint security will help the customer offset the threat. But the opposite appears to be the case: the more protection software we give the user, the less likely they are to rely on their own wiles.

Is the challenge for the security industry, then, to focus on prevention opportunities that are less obvious to the customer, rather than the more lucrative and overt cure of endpoint anti-virus which has been so valuable to the industry for so long? It’s going to be hard to leave the money on the table, especially when so many have been conditioned to accept that anti-virus is to a computer as a saddle is to a horse.

The reward is likely to be a happier, more confident customer, and a refocus on where the puck is going to be rather than where it was last year.

IBM buys Trusteer, gets a lot more than Anti-Virus

What does it say about News Limited’s Business Spectator when they pigeonhole Trusteer as an “anti-virus” company? Some simple journalism, including checking other sources for the news about IBM’s purchase of the security company, would have told them that such a description was beyond reductive. But it’s the challenge anyone in the security industry has to face when translating what we do into terms most people understand.

The most interesting part about this purchase, along with Cisco’s recent purchase of Sourcefire and Intel’s purchase of McAfee a couple of years back, is that security might finally be seen as a core business offering, at least at the enterprise level.
In June Cisco CEO John Chambers said,

we are not our customer’s primary security vendor and that’s got to change.

Certainly IBM VP Marc van Zadelhoff has the same view;

all our products will work together and share data…IBM is leaps and bounds ahead in covering the most domains and doing the integration that is necessary. Five years from now [the market is] not going to be so fragmented.

What this reduction in fragmentation means for those security operations that traditionally added value to core services offered by organisations like Intel, Cisco and IBM will be interesting to behold. Should we expect further consolidation in the coming years as customers expect the services they purchase to be secure out of the box, leaving less room for over the top players? I can’t see it any other way.

For smaller, more nimble and innovative providers, the options are to attract attention just as Trusteer and Sourcefire have done, or to continue to build on top of the core security offerings and stay independent. For those who don’t fit either bill, it seems certain we will see a contraction in the market.


By using words like ‘confidential information’ and ‘stored in your keychain’, OS X describes the current security of your saved passwords. It’s the very security Chrome is about to bypass, by displaying your passwords in plain text, outside your keychain, without requiring a password.

I don’t personally allow browsers of any ilk to keep my passwords, but as Elliot Kember writes, most users just click “OK” or “Allow” in order to proceed.

There’s a fine line between convenience and security, and it’s quite likely that those who are most in need of one end up tending to the other.

A Shark Net for the Insecure

You couldn’t help but read Andrew Auernheimer’s Statement Of Responsibility for his crime of breaking into unsecured APIs on the AT&T website (the iPad hack) and wonder in what world we think it is okay for someone to go to jail for potentially many years because they exposed such shoddy security on a public Internet site.

Because the article indicates he instead contacted a news publisher, I wondered why Auernheimer didn’t contact AT&T first to show them the flaw, but until he responds I can only assume he was simply concerned the security team there would threaten exactly what has since happened to him. Something similar was seen recently in Australia with security researcher Patrick Webster, for example.

It’s possible the CFAA, the law which was used both against Auernheimer and Aaron Swartz, formed part of his consideration. For those unfamiliar with what appears to be nothing more than hastily strung barbed wire around badly dug moats, here are a couple of articles describing what it tries to cover and what it doesn’t.

It seems to me that what we have here is a law which is being used like a shark net on a beach, fostering a false sense of security and allowing businesses to avoid taking responsibility for their own failures when it becomes clear they have failed to invest adequately in securing critical and personal data.

Just as the shark net does, instead of simply preventing the threat from breaking through, it catches everything which falls into it, threat or not. But unlike the shark net, the collateral damage of having someone else to blame when the shortcomings are found out is sometimes not acceptable to the public.


RSA, the manufacturer of ‘Security, Compliance and Risk-Management solutions’, has discovered a new method of delivering what’s known as an Advanced Persistent Threat:

methodology relies on “trojanizing” legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate.

In effect, the attacker assumes that a number of compromised computers or devices will be introduced into the targeted corporate network, lying in wait like lions at a watering hole for the opportunity to attack.


Excellent article from Glenn Fleishman at TidBITS Safe Computing on how Elcomsoft’s criticism of iOS password apps is overblown.

The core point I took from the article is that there is a four-factor authentication process before you can get to individual passwords:

  • Get the Device (or the data file)
  • Get the Security code on the Device
  • Get the Security code or password for the app
  • Get the Master Password

Which doesn’t preclude a user of an application like 1Password from;

Disclaimer: I use 1Password on my Mac and on iOS and have done since I originally got a free install about 3 years ago. I have since then purchased both the Mac software (currently 3.8.17) and 1Password Pro for the iPhone, both of which I use daily on both devices.


The summary of AV Test’s March 2012 Malware Protection for Android Tests includes the following:

“Close to two thirds of these scanners are not yet suitable for use as reliable products and identify less than 65% of the 618 types of malware tested”

Though I think the most damning quote was about one of the large number of “free” (mainly ad-supported) services:

“…showed no detections in our tests and crashed several times. The advertisements worked properly”

Disclaimer: In my current role I promote Lookout Mobile Security, which was in the top 7 tested applications.

Ducking out of Google Search
When Google were just a search company, they made the web one of the most usable things ever. Life was great and everything was a Google away.

Today, as they face the challenges of Facebook, Apple and potentially Microsoft in the turf they made their own, they’ve changed their search algorithms so much that finding a good result can be a challenge at the best of times in a desktop browser. Though surprisingly, in the Safari browser on iOS their results are more like the “good old days”.

So, like many other companies who either fail to disrupt themselves or whose attempts at disruption are less successful than expected, they’ll do whatever it takes to maintain their lead. From next week they will make your Google Web History available to its other products. A bit like when Microsoft integrated Office into Windows, perhaps?

Because they still have a lot of soul, they at least make it very easy to prevent them from gathering said web history.

Well before the recent discovery that Google were compromising, without permission, the privacy setting I had chosen in my browser, I’d already mostly stopped using them for search over the last 6 months. There will still be the odd time when what is still the best search engine on the planet has to be used. But, for now, I prefer the growing ability of DuckDuckGo and other services to answer my queries.

DuckDuckGo sounds like they don’t want to be evil after all.