12.09.2010
On Wikisteria...
Wikisteria. Noun. 1. A condition brought on by the sudden and unexpected release of your not-so-deep-dark-secrets in a public forum characterized by outbursts of irrational and/or ill-conceived policies, statements and/or actions.
Since the word got out on this story, we've heard everything from "hey...those are ours- give them back" to "Don't visit that website or you'll be breaking the law" to "We should launch a stuxtnet-like virus and 'fry their computers'" to "The Cyber War is joined"- and we are just getting started.
Some claim there's no difference between the NY Times and Wikileaks. Really?
What is the difference between reading the NY Times web edition (or other Journalist web site), this blog- or wikileaks? (other than funding, contacts, professional reputation and talent of course!)
Here's one difference: the NY Times does not promote (even if only through silence) the use of illegal techniques to get a point across (such as a DDoS). If Wikileaks were playing chess instead of checkers, they'd take the Free Press route and ask the DDoSers to stand down- and provide support in other ways.
Meanwhile efforts to stifle the message (the important part- the information- not the website) have failed. There are by some estimates over 1200 wikileak mirror sites- and growing.
The lesson: the web was built to SHARE...not to protect.
So, what are the rules? Or are there none?
There are. The US has the responsibility to bring to justice those that broke their law within their jurisdictional reach, particularly those putting people's lives in danger as a result of their actions.
However, the nature of the web complicates the execution of blanket policies or the interpretation of sweeping statements.
The fact is, the toothpaste is out of the tube. The genie is out of the bottle. The cat is out of the bag- pick your metaphor. Instead of expending energy on half-cocked statements and actions, the US should take the opportunity to shape its message and actions more carefully.
The US should take a stand that says: "the breach in our security is illegal under our law, regrettable (to those whose confidence and trust was violated) and will be quickly and effectively dealt with. However, it is important to bear in mind the data stolen represents unconfirmed and in some cases incorrect raw reporting and certainly does not necessarily reflect the US government position. That said, we stand by our principles. If you are up to no good and are offended by what you are reading about you, then stop being up to no good."
On the other hand, Wikileaks isn't scoring points either. Instead of taking the 'free speech' high ground, they risk losing the battle of public opinion as Wikileaks' perceived 'opponents' (perceived by others as legitimate businesses) come under assault.
There are important, if not always popular, and arguably legitimate arguments on both sides of this. The enforcement of espionage laws, the protection of sources, the need for secrets balanced against freedom of speech and the right of the people to know.
Regardless of which side of the controversy you champion- one thing is true:
How we respond in crisis defines who we are: as an organization. As a Nation. As a Society.
We will learn a lot over the coming days- weeks- months... and not just from reading the cables.
~ Cpwnk
2.11.2010
Buzz Off!!!
So, the company that decided to FINALLY enable https for the entire email session (not just the logon process), and has expressed "outrage" at China's privacy practices decides to implement a "feature" that by default posts your email contacts for the world to see? (okay... it requires a public profile... but c'mon!)
Don't be evil... (?)
Don't be stupid either...
Buzz off.
For how to do tell them to Buzz off, check out this link: http://lifehacker.com/5469388/stop-google-buzz-from-showing-the-world-your-contacts
1.21.2010
The Age of Privacy is over??? I hope Mr Z is wrong
Okay... when facebook first launched, I had an account. Then I shut it down. I thought to myself, why would I want to put my personal life on the web? Fast-forward a few years and EVERYONE I know not only share their personal lives, but things about me and those I care about on their facebook pages. I restarted my account... if for no other reason than to attempt to keep an eye on what was posted and at least try and protect those I care about from doing something too dangerous from an information security perspective.
But your efforts to protect your privacy won't amount to much if the founder of the site sees the information protected by your privacy settings as lost revenue...
Perhaps, Mr Zuckerberg needs to take a close look at the results of this survey: Cyber Crime Survey: Trust Shaken
Globally, criminals are reviving our concern for our personal information using a powerful motivator- economics (read as: we fear of losing our hard-earned cash)... and unfortunately, Mr Z is missing an opportunity to distinguish himself as a privacy leader.
Why would people continue to use facebook? For now, the perceived benefits of sharing our lives with those we interact with (our tribe) outweigh the risk. However, other tribes want to use our information for another purpose... to scavenge it for tasty morsels of personal information to use to clean out our bank accounts and otherwise disrupt our lives.
Mr Zuckerber's view on the privacy of his customer's data favors the latter group.
I think it may be time to once again, close my facebook account (as though my data is REALLY gone).
Sorry, mom. You'll just have to switch back to email.
Listen to Mr Zuckerberg's comments here: http://www.ustream.tv/recorded/3848950
1.10.2010
Cybercrime: the Next Driver of Internet Innovation
Crime is the next driver of Internet innovation: regardless of what color hat you wear.
Sure, crime always been part of the Web (and its ancestors). Remember BBS sites with stolen credit cards back in the 80s? I do. Crime has been with us, just as porn, chatting with our friends and email have been there. Porn begat pay per click... which was adopted by legit advertising... which begat online shopping... which (combined with email) begat social adoption of the web (video games helped for the younger generation... but my mom uses FaceBook because she got used to interacting with the Internet via shopping)... which begat social networking... all of the above begat opportunities for criminals to take money from the unsuspecting- cybercrime.
I'm not implying crime hasn't always been an issue. It has. But it has taken on an entirely new flavor as competition AMONG criminals has sparked heretofore unseen levels of sophistication and innovation. And from a broader perspective, cybercrime is coming to the forefront of our collective consciousness and shaping change in our societies and how we interact on the web. And this is only the beginning.
For the black hatters, this is certainly shaping up to be the golden age of cyber-crime innovation. The monetization of malware has arrived! Supply chains, botnet-for-rent (complete with FAQs), pay-per-X schemes (e.g., iFrame, infection, etc), malware help desks, money-mule recruiting sites, even pay-per-scan sites to test your code against malware scanners! All the while, legal frameworks, jurisdiction issues and white hat technologies struggle to keep pace. These are great times indeed...
And what is the impact of all of this? In the US, municipalities, small businesses and school districts are getting fleeced. National and corporate secrets are being siphoned off like foam from a pint of beer. And perhaps more importantly, the Internet, which began as a place to share ideas freely is becoming a scary place to be... not what we (regardless of what color hat you wear) intended.
For the white hatters our there... this may FINALLY be their wake-up call. Clearly, the old way of doing business, which previously simply hasn't worked is not only becoming embarrassing, it is becoming expensive. It is only a matter of time before the citizenry begins to pressure their governments to shape the future of EULAs... license agreements that hold no one accountable for shoddy work- regardless of the damage it causes. Signature-based tools are so 2000s- stale and woefully not up to the task. The speed of change in the malware world is driving white-hatters to look at new technologies, revisit assumptions and take a new look at risk management. What REALLY needs to be done via the web? What is an acceptable level of risk. Heck, do we as an organization even understand the risk?
Security used to be an afterthought- speed to market, content richness and features were THE issue- regardless of their impact on security or privacy. They still are important... but to the user, privacy and security are quickly becoming an increasing (if not the primary) concern. THAT is change.
Crime is the next driver of Internet Innovation: if I'm wrong... we are all in trouble- regardless of what hat we wear.
~Cpwnk
12.14.2009
This is Your Friend... This is Your Friend on FaceBook.
... an egg sizzles as a criminal that has exploited your friend's weak password (or lame security questions), crawls through your personal info and tricks you into downloading and installing a key logger.
The fact is, you aren't really interacting with your friend when you visit a social media site. Each of you interacts with software (most likely, poorly written software) that serves up pages and content to you that are designed to serve as a surrogate for your friend or their interests. It isn't the same thing as having a face to face conversation with them... not by a long shot.
We are social creatures. We like our tribe. We want to belong... We want to trust our friends- our tribe.
Unfortunately, there are some tribes that want what we have.
Incomplete design, flawed privacy and security models and user agreements that hold no one accountable add up to an environment that may be rich in features to lull us into a false sense of security and trust, but is also one which criminals are all too happy to exploit.
Trust your friend. Just don't trust their profile... the click-aholic flash game they are inviting you to play or anything else on your social media site.
... and don't post all of your personal details on your Facebook page. If they are your friends, they already know when your birthday is. Make the bad guys work for it.
Instead, meet your friend for coffee and talk... just pay in cash.
~CPwnk
7.10.2009
All Hail the Incompetent Masses of Cyberspace
Its amazing to watch. As "cyber space," "cyber crime" and "cyber war" become the next big thing, watch the re-branding- the sudden emergence of "cyber security experts." I know some of these guys... smart? Yes. Experienced? Some are. Camera friendly? Not the ones I know ;) . "Experts?" Hardly. In to paraphrase the words of the venerable Warren Buffett: "first there are the innovators. Then there are the imitators. Finally, the incompetent masses." All hail... the incompetent masses have arrived. Article after article espousing "wisdom" such as: "we need to work with our service providers better"... or we need to focus on education or... "government needs to work more closely with industry"... the list goes on...
Why should we care?
If you are a black hat hacker, you are drooling at the fresh victims they are about to serve up to you. Half-informed designs feeding under-skilled developers the raw ingredients of your next digital playground.
If you are an IT professional, you are rolling your eyes as you see snake oil salesmen line out the door and attempt to divert intellectual capital and your IT budget toward their latest "security solution" and away from projects that could make progress in managing the risk of operating in the information domain, cyberspace, e-market place- whatever you want to call it.
This is a serious issue. New ideas are absolutely welcome. But if you are new to the scene... listen. Read. THEN speak... and don't hold yourself out as an expert... as soon as you do that, you become another one of the charlatans.
Depending on your perspective (to paraphrase Charles Dickens): "It was the best of times, it was the worst of times; It was the age of wisdom, it was the age of foolishness"
My guess is, it's all of the above...
~CPwnk
2.03.2009
Digital Insurgency
Digital insurgency.
Why? Traditional IT (in)security begins with an "us-in-here" vs. "them-out-there" approach to protecting the network (and in a few enlightened organizations, the data). We refer to "defense-in-depth"... bastions... firewalls... etc.
The problem is, we are looking at the problem the wrong way.
The reality is, "they" are already among us. Once you start thinking of the adversary among you and your valuable data, your approach changes (or at least should). Sure, don't take down the walls... but you had better learn to operate in an untrustworthy environment. Remove the false sense of security. Assume the enemy knows your technology, your infrastructure layout, your processes, the skill level of your people... everything (except, hopefully your crypto keys).
Get on with counter-insurgency operations within your network. Listen to Sun Tzu- use spies. Engage in insider monitoring. Watch for anomolous behavior. Block "escape routes." Disrupt communications (outbound filtering). Identify and protect what's really important- your data! Encrypt encrypt encrypt (no it doesn't solve the problem... but it does make it harder for script kiddies to pwn you in ways it REALLY counts). Go on the offensive in surgical, well-informed strikes. Improve your interior communication lines' security. Coordinate with the locals... educate and incentivize the populace to cooperate. Associate with those you would never mention among polite company- your competitors... your service providers. Cooperative defense.
Finally, make lasting changes for the long-term good- FIX THE F-ING PROTOCOLS and fatally flawed architecture that allows this to happen!!!
... you get the idea.
~CPwnk
11.30.2008
Quantity vs Quality- the Tech Blogger's Dilemma
That said, this blog this blog is not intended to be a page mill that spews out re-writes of AP news wire stories with the useful life expectancy of a Microsoft "security feature." It is intended to cause you to think about more enduring subjects you may not have previously considered. If we've done our job, the entries won't age like cheap cheese, but remain useful regardless of their time stamp.
Read it once a month... once a week... once a year- or if we suck, not at all. Hopefully, when you do, you'll leave with a few thoughts of your own.
~CPwnk
11.08.2008
If he were alive today, Willie Sutton would be a hacker
In Willie's day, the only place to buy a Trojan was in a pharmacy. No longer. Want a botnet? No problem, you can rent one. Want a Trojan to use as a payload? No problem. Not only has the bar been lowered for entry to the world of hacking, the potential for damage at the hands of a noob has been raised to that on par of seasoned crackers (as long as the script kiddie can pay for it). And to pay for it, he or she can buy a few stolen credit card numbers.
Willie (when explaining his preference for using a Tommy-gun) observed "you can't rob a bank on charm and personality." You can rob the Web that way. Barriers to entry are low. Attribution remains problematic (whether that is good or bad is perspective-based). Software quality remains shoddy. And it all runs on a fatally flawed architecture (which is unlikely to change for the foreseeable future.) In short, economy and technology favor the attacker.
As for Willie- while he may not have said "Why do I rob banks? Because that's where the money is," he did say:
"Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I'd be out looking for the next job. But to me the money was the chips, that's all."
Sound like anyone you know?
~CPwnk
Learn more about Willie Sutton
8.22.2008
Improve E-fraud detection- inform the customer
In today's MSNBC's Red Tape Chronicles an intriguing idea re: fraud detection was raised that I'd like to share:
First, some background on the article, by Bob Sullivan
The subject of the Mr Sullivan's blog was the vagueness of "Dear John" letters from a company informing some hapless victim their data was stolen and a call for more informative letters of notification (e.g., was the data stolen from an insider?). He hit the mark, though it is unlikely companies will provide actionable, useful information without being compelled to do so through the "R" word (regulation).
While it may be time for regulation regarding disclosure of data loss (particularly given a Verizon 2008 Data Breach Investigations report [pg 11] stated when insiders are involved the impact is 10 times greater than when an incident was caused by an outsider), Mitch Ring from Lancaster CA posted a comment that was a fantastic idea and would go a long way toward mitigating the damage caused by thieves and perhaps improve fraud-detection response time as well:
"A useful-and-very-affordable safeguard: Consumer gets an email for every charge on credit card, or check. With such-a-program, the consumer is quickly warned (if they monitor their email) when a false charge is made, and can cancel the credit card or account before charges are high."
7.31.2008
We really mean it this time- protect the data!
Firewalls, intrusion detection systems, access controls, security suites, tokens, smart-cards. Corporations, governments throw a lot of money at the information security problem- only to fall on their face in a critical area- protecting data at rest!
Encrypted transmission pipes aren't enough. Fine, your email is encrypted. Then you save the attachment to your hard-disk- an unencrypted hard disk. The black hat gods are surely pleased by your sacrificial offering.
They smile even larger when it is a US government computer.
The US Government mandate: "Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing..."
Yet GAO claims 70% of the laptops in use are not encrypting their data! Wow...
And don't let me get started on the fact that the data at rest that is most at risk isn't on a laptop-in-transit at all. It's your office workstation... or the file servers. Why don't we mandate encryption of those? If the technology isn't mature, robust or fast enough... throw money at the problem. Drive toward total encryption.
There a two major categories of encryption
- disk encryption
- file-system level encryption
Which do you need? Quite possibly both.
Q: Okay, I have full disk encryption on my laptop. I'm safe, right?
A: Well, you are better than 70% of the US government; however, that isn't saying much. Put a password on that boot-up to slow down the bad guy while your RAM's data fades...
Okay, done. Am I safe? Probably not. As the venerable Bruce Schneier has stated (paraphrased), "if you think encryption it the answer, then you don't understand the problem." Key management, correct implementation of the encryption, compromises that get inside the encrypt/decrypt chain are all challenges.
However, it's a start. Raise the bar...
A few links you may find interesting reading:
Wikipedia: Full disk encryption
Wired article on disk encryption and potential pitfalls
7.22.2008
Morality vs Economy in Cyberspace
If we are to address (or advance, depending on your perspective) the issues of cybercrime, cyber-espionage or other information security-related challenges, we must adopt a broader, more holistic approach that moves beyond (but does not abandon) technology "whack-a-mole" solutions and get to the root of the matter: human decision making. Two elements of such a broad-based approach are:
1. Establish or modify a sense of shared morality in potential actors- social norms.
Social norms? I am not implying we must all think the same way- both impossible and undesirable as it would destroy the creativity that has delivered such richness to the Web today. However, as open as the Web is, it must have underpinning rules, beyond technical standards, for it to work (even for those with nefarious intent). What I am referring to is shaping the perception of what is "acceptable behavior." Is it okay as a global, connected society for governments to hack their citizen's computers (or those of another country)? Is it acceptable for companies to host malicious websites while claiming they "are not in the editing" business? When does hactivism become crime? When does hacking extend beyond technical curiousity and become crime? When is it a public service? When does hacking conducted by a nation (or its surrogates) become an act of war? What are the limits of such activity?
We have yet to address these issues with the same level of attention as other issues with both regional and trans-regional implications. It is time we did so...
2. Influence their economic decision-making process.
Morality may describe how we want things to work; however, economics is how the world does work. If you want to change behavior, you need to influence the perceived economy of the individual(s) you are trying to influence. At what point is the cost or risk too high relative to benefit gained? How do I raise (or lower) barriers to entry? When do I seek alternatives? You get the idea. Today, the economics of malicious hacking favors the attacker.
Whether we wear white hats or black hats, if we are to proactively deter unwanted behavior (from our perspective), we must shape social norms and expectations; either making the activity we want to engage in acceptable or for that which we are trying to deter- unacceptable.
From there, it becomes a matter of personal morality and ultimately, economics.
I don't have the answers- just wanted to give you something to think about.
~CPwnk
A few cyber-ethics related links:
Fundamental Ethics in Information Systems by Christopher N. Chapman
Ethical Decision-Making in an IT Context: The Roles of Personal Moral Philosophies and Moral Intensity by Carlos Alberto Dorantes , Barbara Hewitt , Tim Goles
The Socrates Institute- K-12 cyber-ethics
Motivations
Frankly, this blog isn't about them. It's about us. This blog is a journey to the edge- an exploration of the black, the white and more often, the gray in cyberspace, infospace, information domain- whatever you call the place where our physical world meets the virtual world. Along the way we intend to learn - and share - a few things with you.
~CPwnk
Great idea, dude! Visa, Mastercard, American Express (not that anyone with a decision-making role in these companies reads this blog) you should listen to this guy. Even if you charged money (under $10 US) for the service, I'd pay it. So would millions of others. Make it happen- now!
~CPwnk