An Information Security Place

Commentary on the State of Information Security

Archive for the 'Crime' Category...

Filed under Business of Security, Crime, Data theft, Rant, Security

The Internet is a nuisance. Really, it is. It never ceases to amaze me how much "trouble" the Internet causes.  Now I will be the first to say that it is possibly the best innovation in human history. But at the same time, it has also caused more problems, headaches, and heartaches than almost any innovation that I can think about. And it continues to redefine everything we do as a society and a race.

I know this is really not news, but it just struck me when I was poking around the news this morning and ran across this article about some websites looking to sue the state of Oregon over publishing laws online (I have written about issues similar to this about governments and publishing SSN’s online here and here).  Here’s some of the opening paragraph:

Both Justia and Public.Resource.Org have been at loggerheads with the State of Oregon over their desire to publish the state’s complete body of law online, for free. While that sounds noncontroversial—state law even requires the laws to be offered as widely as possible—the state’s Legislative Counsel Committee claims copyright over portions of its Revised Statutes.

And as I started to think of something to write about this, it struck me that this was really just a symptom of a larger issue. Basically, the problem is that no one has figured out just how to deal with these issues because we have moved so far so fast in the last 15 years.  But why can’t we catch up? 

Seriously, we have been moving at the speed of light with technology for the last 100 years or more, and we have always been able to catch up with safety and laws pretty fast.  Cars were invented, there was the first crash, and then we started figuring out that we need to have some kind of traffic control.  It may have been a while before it was worth a crap, but we caught up relatively quickly.  Then there were airplanes.  The Wright Brothers invented it (I have heard that it is debatable), then they crashed it and killed someone, and we figured out that we needed to make this safer.

Honestly, I don’t know how quickly people started figuring out that these types of things needed to be regulated.  Likely it was all about risk since there weren’t a lot of planes or cars around when they were first invented, so not a lot of safety was needed yet.  But we got smart eventually.  Consider this quote:

It’s like trying to predict back in 1910 the impact of the automobile on society - the highway system, gasoline refineries, motels instead of hotels, new dating patterns, increased social mobility, commuting to work, the importance of the rubber industry, smog, drive-thru restaurants, mechanized warfare, and on and on. The net will bring more than quantitative changes, it will bring "qualitative" changes. Things that were impossible will now become inevitable. – Larry Landwehr, 1993

The move to adopt the Internet and the rush to make it better and faster just came too quickly.  Just like the Wright Brothers probably didn’t imagine planes that could traverse the globe in a matter of hours, the inventors of the Internet never really factored into their design a world wide public network that had to contend with a bunch of thugs trying to steal everyone’s information.  They were trusting souls who figured it would just be a bunch of geeks from colleges talking to each other over email because they couldn’t get a date.

But it became so much more so much more quickly than anyone imagined.  And it pervaded everything.  And now it is a struggle to catch up because the people who are really trying to fix the problems are often contending with the bad guys and the people who look like they are doing something and are really just riding the gravy train that the security issues have created (I have been guilty of that and still am in many people’s eyes since I sell security services and products).

So how do we fix this stuff?  Well, short of bombing us all back to the bronze age ("Stone Age" is so overused, and bronze is shinier), I really don’t know.  There are theories abounding.  Some people say we need to go back to the people and get them to buy in to doing things right.  Some people say we need to leave them out of the equation and just implement technology.  Others say we should just start over from scratch and build in security from the ground up.  There are books upon books and speakers upon speakers (two more lucrative by-products of bad security) talking about security and the Internet.  But it all keeps coming back to one thing: we’re still insecure.

What I don’t understand is how the bad guys keep figuring out how to break in when we supposedly have people out there trying to find the flaws before they do.  Is it simply a numbers game?  Do they have that many more people looking than we do?  Do they have a much more lucrative job than we do, so they are better motivated?  Is it because the countries in which many bad guys reside don’t give a crap or just don’t have the resources to catch them?  All of the above?  What else?

How do we get ahead of this?  How can we put the same amount of resources into this to find the vulnerabilities before the bad guys?  People have tried to create communities and projects where they pay for vulnerabilities.  But there’s no guarantee that they are the only ones getting the results of their research. 

You know what?  I don’t see an end to this.  I think there is really no way to fix it.  This simply is a human problem.  There have always been bad people, and there always will be.  And since humans are imperfect and will make mistakes, the bad guys will find ways to exploit those mistakes.  There are smart people on both sides, and they will continue to struggle against each other forever (I know, kind of melodramatic).  All this talk about "security should have been built in" is just a pipe dream.  Security Nirvana is not possible.  There will always be mistakes.  Every time we come up with something new, someone figures out how to break it.  And yes, part of that may be because it is based on old, insecure technology, but the human element will always creep in.

I just don’t see another way.  Yes, there can be some model changes when it comes to how stuff is sold and what really works and other things can be factored in to make change happen on a substantial level.  But this is really what we have to work from.  I know there is a lot of room for discussion here, and I welcome it.  Please help me see this differently.  But for right now, this is how I see it.  I am not being cynical.  I am not quitting on security.  I just think it is going to be a protracted battle that will require dedication and persistence. 

Vet

Posted by Michael Farnum on Thursday, May 22nd, 2008

Filed under Crime, Laws, Security, Social Networking

Here’s another law (trying to get passed in New York) to try to stop sex offenders from getting on social networking sites, and in particular those sites where they might contact minors.  I haven’t seen the bill yet, but from what I am reading, it is essentially useless.  Just like all of these laws, it is really just political posturing.

Here are some of the details I have:

  • The bill is called E-STOP, which stands for Electronic Security and Targeting of Online Predators Act (very witty). 
  • According to InformationWeek, the bill “requires paroled sex offenders to submit their e-mail addresses and online identities to a central registry that will be used to deny them access to social networking sites. The bill also would forbid sex offenders, on parole or probation, from communicating online with anyone under the age of 18 if the offender is classified level 3 (high-risk of re-offending) or if the offender’s crime involved the Internet or a minor.”
  • According to cnet: “It would be a violation of parole for a convicted sex offender to change e-mail addresses without notifying authorities within five days.”

So from those last two points, we see that sex offenders must register their email, online IDs, etc., then the sites will deny access based on that database.  And also, it is a violation of parole if they CHANGE their email and don’t notify authorities within five days.

First, notice the all caps above.  I sincerely hope there is a provision for adding emails and not just changing emails.  Second, it really doesn’t matter anyway because a criminal is a criminal.  If they are not reformed, then they are going to continue to do what they do.  Drug dealers BREAK laws.  Car thieves BREAK laws. And sex offenders BREAK laws.

I applaud the fact that this law is trying to be proactive and will probably stop a few people.  But for the most part, this is useless.  Sex offenders are going to get around this easily.  It is just too simple to fake your ID on the web.  But politicians have to justify their paycheck, so this won’t stop anytime soon.

Vet

Posted by Michael Farnum on Wednesday, January 30th, 2008

Filed under Crime, DDos, Rant, Sheesh

Man, am I getting hammered for my latest post over at Computerworld about the DDoS launched on the Church of Scientology! I really can’t engage in a lot of back and forth over there since it is not my personal site, so I will do it over here.

For all you people slapping me around over there, let me ask you something.  Do you advocate the use of DDoS attacks every time you don’t agree with someone?  I am seriously dismayed when an attack is downplayed such as this one.  Yes, the school was inadvertently attacked.  Yes, COS was the original target.  And maybe the attack only lasted for a few minutes.  And an apology may have been issued… BUT THAT IS NOT THE POINT!!!

This is illegal, and it is irresponsible.  Tom Cruise may be weird.  L. Ron Hubbard may have made up a cult out of whole cloth.  But they are still an organization that has the right to exist and practice their religion.  Just because they are strange does not give you the right to make the Internet your personal playground.  These things always end up affecting other people, even if it is for a few minutes.

Grow up, people.  Quit hiding behind the anonymity of the Internet and do something about your issues the way grown-ups do.  Call people.  Write letters.  Protest on their front steps.  Get the attention of the media and the people WITHOUT acting like brats.

Sheesh…

Vet

Posted by Michael Farnum on Monday, January 28th, 2008

Filed under Crime, Government, Laws, Rant, Security

I just wrote a post over at Computerworld entitled The Security of Web 2.0 - an Oxymoron. Then I find this story about Senators McCain and Schumer proposing legislation that will require sex offenders to register their IM names and email addresses. I need to read more about this bill. Like typical security legislation passed by our government, this one appears on the surface to be nothing but security theater and something else to boost Schumer and McCain’s appeal before the presidential elections.

Think about it. How difficult is it to create a different IM name or email address?

The registration provisions would make failure to notify the authorities of all e-mail addresses a felony punishable by up to 10 years in prison.

Uhhh, so? These perverts are already breaking the law and facing jail time and some serious nastiness in the big house (child molesters supposedly don’t fare well in prison - though I have no proof of that). What makes anyone think they are going to change their ways because of another law?

Don’t get me wrong. I am fully on board for catching these “people”. I have children and would unleash all hell if one of these sick, twisted individuals even came close to one of my kids. But another law on the books that effectively does nothing to help the situation is just words on paper. Just make the behavior illegal (which it is) and make the punishment such that if the perv is caught he never sees the light of day again (there are a couple of punishments that would fit that description - you decide which one is right for you).

Vet

Posted by Michael Farnum on Thursday, December 7th, 2006

Filed under Crime, Defense in Depth, Physical Security, Rant, Security, Sheesh

I’ll be the first one that says TV shows and movies are hardly based on reality.  But when they screw up something that is near and dear to me, I get very upset. 

For instance, I was in the Army and Army National Guard for over 7 years.  Though I was never a career soldier, I still took it seriously, and I still do today.  Maybe too seriously.  I get very upset when I see a TV show or a movie that screws up things like rank insignia (Army sergeant rank on upside down in some sitcom I watched) or basic military rules (you do NOT salute indoors unless you are reporting to an officer - that mistake is in too many military movies).

This feeling also bleeds over big time into my chosen profession of information security.  There is a new show on NBC called Kidnapped that I have been watching and enjoying for the last few weeks.  Basically, it is about a rich family’s son getting kidnapped and the family trying to get him back.  There are all kinds of twists and turns in the plot.  The dad used to be into some bad stuff, so it seems to revolve around someone getting back at him or trying to get some stuff from him. 

Anyway, last week the family’s hired gun (ex-military, police dude, etc.) gets asked by the FBI for help.  They want him to apply for a job with a civilian-run military company (basically, mercenaries) that supposedly has info on some people they think are involved in the kidnapping.  The guy goes through some weird psych-interview, then he is placed in front of some computer by himself that has a program running with pictures flashing.  The guy looks around, then easily opens some access panel to the PC and inserts a “remote control” device in some very conveniently-placed access port.  Of course, I am thinking, “where are the cameras that should be watching this guy?”

Then, as the agent outside in the FBI van (real unique, right?) takes over the running of the program, he runs down the hall, guided by the blueprints of the inside of the building (which that type of company probably just publishes on the Internet) and strolls into the server room with no challenge and no lock on any door that I can see.  There are racks of servers, switches, etc.   Then he sticks another device in the “mainframe”, and away they go.

He does get caught, but it was only because another agent ran in the building and called a security alert in a ploy to get the main bad guy to start erasing sensitive files.  They capture the screens (with all pertinent information on the first screen - nice, huh?), thus saving them the effort of searching through records.

Yea, ok, right.  I know it probably shouldn’t bother me, but that just pisses me off.  At least TRY to make it somewhat real.  I think even a layperson without security experience would probably be thinking, “where’s the security here?”

Sheesh.

Vet

Posted by Michael Farnum on Monday, October 23rd, 2006

Filed under Crime, Defense in Depth, Physical Security, Security

Watch the video below.  I have heard and read some stuff about this, but this video really tells the tale.  It seems professionally done.  The people all seem very genuine and not actors, or they are very good actors.

Just a few of my thoughts on the issue:

  • This is from a foreign country, so I don’t know if the insurance issues are the same here in the states, but basically the concern was that if there are no signs of burglary, then your insurance company won’t pay a claim.
  • The claim was that this was the end of security for physical locks.  I think this is a little bit of the ol’ FUD game, but hearing it from an experienced (30 years) locksmith makes you think a little bit.
  • It brings out the need for layers in security.  An alarm system is a fairly good layer, even in houses.  At least it will deter some low-level crooks, which are your typical crooks in home burglaries.
  • When it comes to businesses, they will need to start looking into alarms and better locks (keypads, etc.).
  • And the overall lesson, no matter what you do, if someone is determined to break in, they probably will.  All you can do is your best.

[Embedded video, id 7Uv45y6vkcQ]

Posted by Michael Farnum on Wednesday, August 16th, 2006

Filed under Crime, Security, Sheesh, web hacking

Martin McKeay posted a few days back about keylogging software on clients of HSBC Bank.  Bruce Schneier pointed out this article this morning about the same issue.  Both came to roughly the same conclusion: this is ridiculous.

Yes, there are things the bank can do to help with this, but come on, where is the personal responsibility for the clients?  Sheesh.

Vet

Posted by Michael Farnum on Monday, August 14th, 2006

Filed under Crime, Due Diligence, Security, Stolen computer

…because you can read about it in the news, because it generally happens for the same reason (stupidity, mainly), and I get tired of writing about it.  And the same would be the case on this new VA stolen desktop (also read here), except that this is twice for the VA, and I think this one holds more importance.  Why?  Glad you asked!

  1. Because this one, on the surface, seems like a targeted attack.  This was not an average house robbery.  This was stolen from a Unisys facility that was doing insurance collections for the VA.  Far be it from me to start FUD, but I think there was some definite desire for this desktop because of the data it held (why was the data on a desktop, anyway???)
  2. This brings forward the point that you are just as responsible for your contractors’ security as you are your own.  The theft did not actually happen on a VA facility, but you can’t slough off due diligence.

Vet

Posted by Michael Farnum on Tuesday, August 8th, 2006

Filed under Crime, Security

I have to make some comments on this post I found on a law blog I peruse. I know this is not directly related to Information Security, but it relates to security in general, so I have to make some comments.

Basically, the author of this post (Dan Filler) is making the argument that the cost of shoplifting should be shifted to the retailer. Specifically, he is looking at WalMart since the post started out with a comment about how they are shifting their policy to not prosecute first time shoplifters younger than 18 and older than 65 when taking merchandise with a value under $25. That is WalMart’s right to do, and it might actually be a good idea for them.

Read the post all the way through and look at Mr. Filler’s ideas about this. Here are my comments.

Yes, it is a crime. But I have a huge problem with this: trying to shift the cost of enforcement to the retailer is ridiculous.

First, many retailers already employ most if not all of the measures you say they should employ. What else can they do? They already have to catch the crook. They don’t bring cops in to patrol the stores! If the security guard is a witness in the case, the retailer should pay him / her for the time they appear in court.

Second, when they catch the criminal, they call the cops for prosecution. That is how our system works for CRIMINALS. You are trying to change the system for a particular crime just because some cops don’t want to do their job. That is beyond ridiculous, and the cops that have that attitude and react slower to these types of crimes should be kicked out of the force. That is why WE pay them.

Third, how is it fair to the retailer to shift the cost of prosecution to them when they are the victim? They are simply trying to run a business and are already losing millions and millions a year due to these crooks. Why should they be taxed further? Do you tell a rape victim to pay for the prosecution of her attacker? Come on.

Sheesh

Vet

Posted by Michael Farnum on Friday, July 14th, 2006