11 November 2009 @ 11:06 pm
Let's talk Security.  It's a thing that I do for money.  

I make it sound as if work is always a pain in the ass, but there are times when it can be entertaining.

For instance, we recently learned that there's a new iPhone worm that replaces your wallpaper with a picture of Rick Astley (and no, the link is not a rickroll, though the worm most definitely IS).

And then we have the slightly more serious cases.  I think this is fascinating.

An even more interesting story is told by the activity on the discussion forum.  For those of you who don't feel like going through pages of discussion, here's the gist:  SnapNames runs auctions on expired domain names that they picked up on the cheap.  They have been caught in the act of using a shill, username halvarez (a "shill" is a false bidder; someone who bids at an auction on behalf of the seller in order to raise bid price).  The really entertaining thing here is watching the users in this forum discuss the notorious halvarez and his habit of bidding and losing, with multiple people convinced that he is a bot, and multiple people throwing up their hands and wondering what the big deal is.  The money shot is at the bottom of page 7, where SnapNames actually posts a message stating that an employee has been terminated for the offense of creating a false name and making bids to drive prices up.

The employee (none other than halvarez himself) was a VP of Engineering.  He also received clandestine refunds for auctions he "won", all in the interest of appearing legitimate.  Hands up everybody who really believes this was unauthorized?  Bidding was affected on approximately 5% of all auction revenue to SnapNames.  This has been going on since 2005.  As stated by one of the commenters in the forum, SnapNames accrued close to $50 million in revenue during one of those years.  How much of it can be attributed to fraudulent business practices?
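Shill bidding leaves a signature in the bid records themselves: the shill account shows up in a large share of auctions, is usually the runner-up (it pushed the price up and then lost), and is quietly refunded for the auctions it does win.  The script below is an added example, not code from the original post or from SnapNames, that audits a constructed set of bid records for exactly that pattern.  The bidder names, auction ids, amounts and thresholds are all made up for illustration.

```python
# Added example (not part of the original post): a first-pass audit over auction
# bid records for the shill pattern the post describes.  All data is constructed.
from collections import defaultdict

# Constructed sample data, one row per bid:
# (auction_id, bidder, amount, refunded_after_win)
BIDS = [
    ("a1", "alice",    100, False),
    ("a1", "halvarez", 120, False),
    ("a1", "bob",      130, False),
    ("a2", "bob",       50, False),
    ("a2", "halvarez",  60, False),
    ("a2", "alice",     70, False),
    ("a3", "carol",    200, False),
    ("a3", "halvarez", 210, False),
    ("a3", "bob",      220, False),
    ("a4", "alice",     40, False),
    ("a4", "halvarez",  45, True),   # won the auction, then was refunded
    ("a5", "halvarez", 280, False),
    ("a5", "carol",    300, False),
    ("a6", "alice",     20, False),
    ("a6", "bob",       15, False),
]


def auction_outcomes(bids):
    """Group bids by auction and sort them highest first; the top bid wins."""
    by_auction = defaultdict(list)
    for auction_id, bidder, amount, refunded in bids:
        by_auction[auction_id].append((amount, bidder, refunded))
    for rows in by_auction.values():
        rows.sort(reverse=True)
    return by_auction


def bidder_stats(bids):
    """Per-bidder counts: auctions entered, wins, refunded wins, losses, runner-up finishes."""
    outcomes = auction_outcomes(bids)
    stats = defaultdict(lambda: {"auctions": 0, "wins": 0, "refunded_wins": 0,
                                 "losses": 0, "runner_up": 0})
    for rows in outcomes.values():
        for rank, (amount, bidder, refunded) in enumerate(rows):
            s = stats[bidder]
            s["auctions"] += 1
            if rank == 0:
                s["wins"] += 1
                if refunded:
                    s["refunded_wins"] += 1
            else:
                s["losses"] += 1
                if rank == 1:
                    s["runner_up"] += 1
    return dict(stats), len(outcomes)


def flag_shills(bids, min_share=0.5, max_win_rate=0.25, min_runner_up_rate=0.75):
    """Flag bidders who are in most auctions and either (a) rarely win but are
    usually the runner-up, or (b) get refunded for wins.  Thresholds are assumed."""
    stats, total_auctions = bidder_stats(bids)
    flagged = {}
    for bidder, s in stats.items():
        share = s["auctions"] / total_auctions
        win_rate = s["wins"] / s["auctions"]
        runner_up_rate = s["runner_up"] / s["losses"] if s["losses"] else 0.0
        refund_rate = s["refunded_wins"] / s["wins"] if s["wins"] else 0.0
        if share < min_share:
            continue  # an occasional bidder is not driving the market
        price_pusher = win_rate <= max_win_rate and runner_up_rate >= min_runner_up_rate
        if price_pusher or refund_rate > 0:
            flagged[bidder] = {
                "share": round(share, 2),
                "win_rate": round(win_rate, 2),
                "runner_up_rate": round(runner_up_rate, 2),
                "refund_rate": round(refund_rate, 2),
            }
    return flagged


if __name__ == "__main__":
    for bidder, metrics in flag_shills(BIDS).items():
        print(bidder, metrics)
```

On the constructed data only the halvarez account is flagged: it appears in five of six auctions, finishes second in every auction it loses, and its one win is refunded.  The honest bidders enter plenty of auctions too, but their win rates are ordinary and nobody gives them their money back.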

I have to wonder how such transactions are conducted.  Did they offer him a percentage, given his inevitable scapegoat status?  Not that it's working by any means.  Nobody believes he or his department acted alone.  The lawsuits will be pouring in, and a business whose market share was largely based on its integrity... just lost its integrity.

So, yeah.  That was fun.

And then there's this.  I'll just give you the headline:  Sensitive government documents leaked over peer-to-peer.  The government is seriously lagging behind private industry (well, select areas of private industry) in terms of information security.  This is a problem.

It reminds me of something I read on Tao Security recently:
Let's get to the bottom line.  Partnerships and procurement are not the answer to this problem.  Risk assessments, return on security investment, and compliance are not the answer to this problem.

Leadership is the answer.

Somewhere, a CEO of a private company, or an agency chief, or a military commander has to stand up and say:

I am tired of the adversary having its way with my organization.  What must we do to beat these guys?

[...] Leaders who internalize this fight have a chance to win it.  I was once told the most effective cyber defenders are those who take personal affront to having intruders inside their enterprise.  If your leader doesn't agree, those defenders have a lonely battle ahead.

Something to keep in mind and maybe write to your senator or representative about.  Dear government administrator:  please start taking attacks on confidential data personally.  When cyber criminals and spies steal your information, they are stealing MY information.  When you have to spend millions of dollars on disaster recovery after the fact, that's my money.  And when sensitive documents get leaked over p2p, you look like an idiot, and as you are my representative, you are making ME look like an idiot.  Please take that personally so that you can do something about it.  The most expensive guns and tanks on earth can be rendered into so much scrap metal by one wartime security breach.  Even Hollywood is taking this problem more seriously than you are.

But it's funny how Hollywood has treated the new computerized age and the vulnerabilities it leaves us with.  The biggest problems/nightmares visualized on screen very rarely have to do with hackers or cyber criminals, who are romanticized as the proverbial Highwayman.  No, in the movies, the biggest problems with being so computerized are the dreaded AI superintelligence who will kill us all (whether justified or not) or else the evil government surveillance *chorus of hissing and booing*.  There's very little popular concept of how much costly havoc a determined cyber criminal can wreak, nor how personally it will affect people.  Identity theft is just the very nasty tip of the iceberg.  Sneakers did okay with these concepts ("Wanna crash a couple of passenger jets?"), but still had the protagonists playing like children with their decryption chip at the end, because let's face it, hackers are actually cheeky, fun-loving, sexy individualists with secret hearts of gold.

You know.  Sort of like pirates.

(Did you hear that?  She just dissed PIRATES, dude.)

(I'll dissect the egregious misuse of the word "piracy" by mass media conglomerates in some other post.)

I'm not bothering to differentiate black hats and white hats here because, dude, most of the people reading this don't care anyway (I'm arrogant enough to assume people are reading it at all).  For anyone who does, yes, I'm well aware of the presence of white hat hackers.  I work with them every day.  For instance:

I'm putting together some reports today which are deadly dull, but the information contained in them really isn't.  Every day hundreds of reports pour in, and teams like mine have to sift through them, reports that say, "This is a new way that a criminal can compromise your network, your computer, your life.  Here is a patch.  Or a workaround.  Or a warning."  An impressive percentage of these reports come from private individuals discovering security loopholes in their own time and notifying the vendor before exploits are even developed for them; many of them are discovered by people whose job it is to test these things.  Most of the vendors credit these white hat hackers in their security alerts.

It gives you a sense of a massive, world-wide army linked together in the aim to protect the international data infrastructure from those who would abuse it.  Which is good, because the utility of the internet is its weakness -- it has a million open doors, so you really need a million doormen.  It's also good because the black hats' army is pretty damn big, too.  Not because cyber crime is sexy, but because it's profitable.
Current Mood: contemplative
Current Music: Boards of Canada - Slow This Bird Down
Plaid (plaidomatic) on November 12th, 2009 07:53 am (UTC)
This is a huge issue for me, too. Executive buy-in for security accountability is a non-starter. Look at the fallout around the various PII leaks in big corporate: "We were PCI compliant! Compliancy failed us! PCI is a sham!" "We did everything we could! Oh well. Better luck next time, all you identity theft victims."

Just today, I sent an email out to the entire department saying "No, really, a huge password of all of our internal users' usernames and passwords is a bad idea. Here's why..." My number one argument against this isn't internal attacks, the possibility of a weakness in the database app itself, or similar. No, my number one argument is that it breaks accountability in audit logging.

The response: "I agree that we should force them to reset their passwords after a while, if they put them in the database." A response which totally ignores my primary argument entirely.
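The accountability point in the comment above is concrete enough to check for.  Once several people can use one account, that account name turns up in the audit log from different places at the same time, and nothing in the log says which person performed an action recorded under it.  The script below is an added example, not code from the post or its commenters: it parses constructed audit log lines, flags accounts that logged in from two different sources within a short window, and lists the actions under those accounts that the log can no longer attribute to a single person.  The log format, user names, addresses and the 30-minute window are all assumptions.

```python
# Added example (not from the original post or its commenters): detect accounts
# whose audit trail can no longer be tied to one person.  All data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).  Format is assumed:
# <ISO timestamp> key=value key=value ...
AUDIT_LOG = """\
2009-11-12T09:01:03Z user=alice src=10.0.0.5 action=login
2009-11-12T09:02:10Z user=alice src=10.0.0.5 action=read file=payroll.xls
2009-11-12T09:03:45Z user=alice src=10.0.7.21 action=login
2009-11-12T09:04:02Z user=alice src=10.0.7.21 action=delete file=payroll.xls
2009-11-12T09:30:00Z user=bob src=10.0.0.9 action=login
2009-11-12T09:31:12Z user=bob src=10.0.0.9 action=read file=roster.doc
2009-11-12T13:15:00Z user=bob src=10.0.3.3 action=login
"""


def parse_audit_log(text):
    """Turn each log line into a dict with a parsed timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "user" not in fields or "action" not in fields:
            continue
        fields["ts"] = ts
        events.append(fields)
    return events


def find_shared_accounts(events, window=timedelta(minutes=30)):
    """Return {user: {sources}} for accounts that logged in from two different
    sources within `window` of each other.  One person changing desks hours
    apart does not trip this; two people on one account at once does."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login" and "src" in e:
            logins[e["user"]].append((e["ts"], e["src"]))
    shared = {}
    for user, entries in logins.items():
        entries.sort()
        for (t1, s1), (t2, s2) in zip(entries, entries[1:]):
            if s1 != s2 and t2 - t1 <= window:
                shared.setdefault(user, set()).update({s1, s2})
    return shared


def unattributable_actions(events, shared):
    """Non-login actions recorded under a shared account.  The log names the
    account, but it cannot name the person, which is the accountability gap."""
    return [e for e in events if e["user"] in shared and e["action"] != "login"]


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    shared = find_shared_accounts(evs)
    for user, sources in shared.items():
        print(f"{user}: in use from {sorted(sources)} within one window")
    for e in unattributable_actions(evs, shared):
        print(f"  cannot attribute: {e['ts']} {e['user']} {e['action']}")
```

On the sample log, alice is flagged (two logins from different addresses three minutes apart) and both the read and the delete under her name become unattributable; bob is not flagged, because his two sources are hours apart and nothing in the log contradicts one person moving around.  Forcing periodic password resets, the response the commenter received, does nothing about this: the entries still name an account rather than a person.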
Wiseacre (ewin) on November 13th, 2009 01:59 pm (UTC)
Guh. *facepalm*