This Mess We’re In

Teaching Children is Easy

Hong Kong has apparently been working hard at its efforts to integrate its multi-racial society a bit closer. This satirical jab from Hong Wrong on the statelet’s (sorry Self Governing Territory) efforts at educating the younger members of it’s society shows they clearly have some way to go.

The Trouble with Politicians

Speaking of Hong Kong, there was news this week that a politician born there was considering leaving Northern Ireland after more than 40 years…

…for good because of enduring sectarianism and now rising racism.
Lo, who represents South Belfast in the regional parliament, also cited first minister Peter Robinson’s support for a born-again Christian preacher’s depiction of Islam as “the spawn of the devil” as a reason for wanting out of Ulster politics.

Far be it for me to suggest that The North’s thin veneer of success following the end of the Troubles might be wearing thin, but I do* look forward to this month’s and next’s Parade Season to kick off. (* in the way that I look forward to a screaming baby at 3am).

A More Secure Commute

Meanwhile in Beijing qz is claiming they are now subject to Airport Security style searches before entering the subway, leading to massive lines. As one commenter mentions:

Surely “throwing a bomb into this crowd would be more lethal” than setting one off on the subway, noted one skeptic

Exactly, everything’s fine!

This Teenage Government

Our venerable Prime Minister today released an announcement ostensibly about the 70th anniversary of D-Day and upcoming visit to Canada and the USA. It contained such D-Day references as:

The Government’s Economic Action Strategy to lower tax, cut red tape and encourage trade will improve the competitiveness of businesses so that we can build a stronger Australia.
We welcome investment and we are making investment more attractive by scrapping the carbon tax and the mining tax, cutting 50,000 pages of red tape and ending the “analysis paralysis” on major projects.
Our international partners can see that our Budget is again under control, we are tackling debt and deficits and we are serious about building a strong and prosperous economy.

I’m sure the diggers and others who thought they fought to save Europe from tyranny would be surprised to know it was actually to protect Tony’s mates from Carbon Taxes. That they later withdrew the statement should only add to the concern the teenagers have left another mess for the adults to clean up.

This Mess We’re In

After that selection of mind-numbing news, I have to leave it the magnificent Polly Jean Harvey to remind us how much it seems to change, but never really does:

And I have seen the sunrise over the river
The freeway reminding of this mess we’re in

Link

In his 11 sure signs you’ve been hacked post, Roger Grimes writes

Most malicious hacking originates from one of three vectors: unpatched software, running Trojan horse programs, and responding to fake phishing emails. Do better at preventing these three things, and you’ll be less likely to have to rely on your antimalware software’s accuracy — and luck.

For at least two of the three vectors Grimes mentions, the long held belief is that awareness and endpoint security will help the customer offset the threat. But the opposite appears to be the case, the more protection software we give the user, the less likely they are to rely on their own wiles.

Is the challenge for the Security industry then to focus on certain less obvious to the customer prevention opportunities rather than the more lucrative and overt cure of endpoint anti-virus which has been so valuable to the industry for so long? It’s going to be hard to leave the money on the table, especially when so many have been conditioned to accept that anti-virus is to a computer as a saddle is to a horse.

The reward is likely to be a happier, more confident customer, and a refocus on where the puck is going to be rather than where it was last year.

IBM buys Trusteer, gets a lot more than Anti-Virus

What does it say about News Limited’s Business Spectator when they pigeon hole Trusteer as an "anti-virus" company? Some simple journalism, including other sources for the news about IBM’s purchase of the security company would have told them that such a description was beyond reductive. But it’s the challenge anyone in the security industry has to face when translating what we do in a way that most people understand.

The most interesting part about the purchase, the recent purchase of Sourcefire by Cisco and Intel’s purchase of McAfee a couple of years back, is that security might finally be seen as a core business offering, at least at the enterprise level.
In June Cisco CEO John Chambers said,

we are not our customer’s primary security vendor and that’s got to change.

Certainly IBM VP Marc van Zadelhoff has the same view;

all our products will work together and share data…IBM is leaps and bounds ahead in covering the most domains and doing the integration that is necessary. Five years from now [the market is] not going to be so fragmented.

What this reduction in fragmentation means for those security operations that traditionally added value to core services offered by organisations like Intel, Cisco and IBM will be interesting to behold. Should we expect further consolidation in the coming years as customers expect the services they purchase to be secure out of the box, leaving less room for over the top players? I can’t see it any other way.

For smaller, more nimble and innovative providers, as well as being able to attract attention just as Trusteer and Sourcefire have done, they may also have the ability to continue to build on top of the core security offerings and stay independent. For those who don’t fit that bill, it must be certain we will see a contracting in the market.

Link

By using words like ‘confidential information’ and ‘stored in your keychain’, OSX describes the state of your saved password’s current security. It’s the very security Chrome is about to bypass, by displaying your passwords, in plain-text, outside your keychain, without requiring a password.

I don’t personally allow Browsers of any ilk to keep my passwords, but as Elliot Kember writes, most users just click “OK” or “Allow” in order to proceed.

There’s a fine line between convenience and security, it’s quite likely that those who are most need of one, end up tending to the other.

A Shark Net for the Insecure

You couldn’t help but read Andrew Auernheimer’s Statement Of Responsibility for his crime of breaking into unsecured API’s on the AT&T website - the iPad Hack - and wonder in what world do we think it is okay for someone to go to jail for potentially many years because they exposed such shoddy security on a Public Internet Site?

Because the article indicates he instead contacted a news publisher, I wondered why Auernheimer didn’t contact AT&T first to show them the flaw but until he responds, can only assume he was simply concerned the security team there would threaten exactly what has since happened to him. Something seen recently in Australia to security researcher Patrick Webster for example.

It’s possible the CFAA law which was used both against Auernheimer and Aaron Swartz formed part of his consideration. For those unfamiliar with what appears to be nothing more than hastily strung barbed wire around badly dug moats, here’s a couple of articles describing what it tries to cover and what it doesn’t.

It seems to me that what we have here is a law which is being used like a shark net on a beach. Fostering a false sense of security and allowing businesses to avoid taking responsibility for their own failures when it becomes clear they have failed to invest adequately in securing critical and personal data.

Just as the shark net does, instead of simply preventing the threat from breaking through it catches everything which falls into it, threat or not. But unlike the shark net, sometimes the collateral damage from someone else to blame when the shortcomings are found out aren’t acceptable to the public.

Link

RSA, the manufacturer of ‘Security, Compliance and Risk-Management solutions have discovered a new method of delivering what’s known as an Advanced Persistent Threat:

methodology relies on “trojanizing” legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate.

In effect assuming a number of compromised computers or devices will be introduced into the targeted corporate network lying in wait like lions at a watering hole for the opportunity to attack.

Link

Excellent article from Glenn Fleishman at TidBITS Safe Computing on how Elcomsoft Criticism of iOS Password Apps is Overblown.

The core point I took from the article is that there is a four factor authentication process before you can get to individual passwords:

  • Get the Device (or the data file)
  • Get the Security code on the Device
  • Get the Security code or password for the app
  • Get the Master Password

Which doesn’t preclude a user of an application like 1Password from;

Disclaimer: I user 1Password on my Mac and on iOS and have done since I originally got a free install  about 3 years ago. I have since then purchased both the Mac software (currently 3.8.17) and 1Password Pro for the iPhone. Both of which I use daily on both devices.

Link

The summary of AV Test’s March 2012 Malware Protection for Android Tests includes the following:

Close to two thirds of these scanners are not yet suitable for use as reliable products and identify less than 65% of the 618 types of malware tested”

Though I think the most damning quote was about one of the large number of “free” - mainly ad supported – services:

“…showed no detections in our tests and crashed several times. The advertisements worked properly”

Disclaimer: In my current role I promote Lookout Mobile Security which was in the top 7 tested applications