Hack The Planet

Because if you don't, who will?

Wednesday, October 14, 2009

When obvious meets internet

In recent weeks Brian Krebs of The Washington Post has been covering a lot of bank account heists carried out using the Zeus Trojan, which steals the credentials of authorized users. In a more recent article he goes on to say that you should use a Linux LiveUSB when doing your online banking. It's great to see a major newspaper run this story. If you are going to bank online and you use Windows, you may as well accept that your credentials are in the wild. Download Ubuntu, and then never go back to Windows. Your life will be much easier (and your bank account safer).

posted by holliday at 10:21 am  

Monday, October 12, 2009

Not saying just saying

Recently there was a server outage at Microsoft subsidiary Danger which has ended in a lot of users losing their personal data. This is what happens when you don't do your own backups and leave all of your data in the cloud (internet). There is a discussion about this on Slashdot, but what it really comes down to is responsibility. Your data is your responsibility. If you give it to someone else, then it is your fault when they fail to keep it safe or even to keep it at all.

posted by holliday at 11:35 am  

Sunday, October 11, 2009

The only solution isn’t one at all

I couldn’t have said it better myself so I won’t. Richard Bejtlich wrote “If a file is only readable once it has been decrypted in front of a user, that is where the intruder will attack once his other options have been exhausted. This means that the only way to completely “protect data” is to make it unusable.” The job of your Information Security team is to make it more expensive to get your data than what your data is worth.

posted by holliday at 6:50 pm  

Thursday, October 1, 2009

I can’t help but link this

So MSE was released and has received a decent amount of press. It was reviewed and found to be about the same as other free services, which I think we all expected. I didn't really see the need to comment until I saw this post and thought it highly relevant… and funny.

posted by holliday at 7:41 am  

Wednesday, September 30, 2009

Signature vs. Behavior

I have heard a lot of discussion around signature-based security systems and behavior-based systems. There doesn't seem to be a lot of benefit to either without the other, though. One of the nastier trojans, Zeus, is still evading most AV products on the market. I need to look into this more, but it seems like companies either lean towards heavy signature and light behavior or light signature and heavy behavior. It shouldn't be a religious debate. Companies should focus on strong signatures and strong behavior anomalies to determine if a machine is infected. I am very curious to see how Microsoft's entry in the market will affect it.
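As an added illustration of the point above (this is example code written for this page, not anything from the blog or from any AV vendor), here is a toy detector that runs a signature check and a behavior score over a constructed stream of process events. The hashes, process names and addresses are made-up placeholders; the point is that one sample is caught only by the hash list, another only by its behavior, and the union of the two checks catches both.

```python
"""Toy endpoint detector: signature list plus behavior scoring.

Everything below is constructed for illustration. Hashes are placeholder
strings, not real indicators; process names and addresses are invented.
"""
from collections import defaultdict

# Constructed "known bad" list: one placeholder SHA-256 (not a real IoC).
KNOWN_BAD_HASHES = {"deadbeef" * 8}

# Constructed telemetry: (pid, image_name, sha256_of_image, action, detail).
EVENTS = [
    # Benign: a word processor making a single outbound HTTPS connection.
    (101, "winword.exe", "11" * 32, "net_connect", "203.0.113.5:443"),
    # Known sample: hash is on the list, but it does little on this host.
    (202, "update.exe", "deadbeef" * 8, "net_connect", "198.51.100.9:80"),
    # Unknown sample (hash not on any list) that behaves like a trojan:
    # repeated outbound connections, a Run-key persistence write, and
    # code injection into a browser process.
    (303, "svchost.exe", "22" * 32, "net_connect", "192.0.2.10:8080"),
    (303, "svchost.exe", "22" * 32, "net_connect", "192.0.2.11:8080"),
    (303, "svchost.exe", "22" * 32, "reg_set",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    (303, "svchost.exe", "22" * 32, "inject", "iexplore.exe"),
]

# Behavior weights: injection is the strongest single signal, persistence
# and network activity each add a little. These values are arbitrary.
BEHAVIOR_WEIGHTS = {"inject": 2, "reg_set": 1, "net_connect": 1}


def signature_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Return the set of PIDs whose image hash is on the known-bad list."""
    return {pid for pid, _, sha, _, _ in events if sha in bad_hashes}


def behavior_scores(events, weights=BEHAVIOR_WEIGHTS):
    """Sum a weighted score per PID over all of its observed actions."""
    scores = defaultdict(int)
    for pid, _, _, action, _ in events:
        scores[pid] += weights.get(action, 0)
    return dict(scores)


def behavior_hits(events, threshold=3, weights=BEHAVIOR_WEIGHTS):
    """Return PIDs whose behavior score reaches the threshold."""
    return {pid for pid, score in behavior_scores(events, weights).items()
            if score >= threshold}


def infected(events):
    """A process is flagged if either check fires; neither alone suffices."""
    return signature_hits(events) | behavior_hits(events)


if __name__ == "__main__":
    print("signature only :", sorted(signature_hits(EVENTS)))
    print("behavior only  :", sorted(behavior_hits(EVENTS)))
    print("combined       :", sorted(infected(EVENTS)))
```

Run as-is, the signature check flags only PID 202 and the behavior score flags only PID 303; the benign word processor (PID 101) stays below the threshold with a score of 1. Swap in either check alone and one of the two samples walks.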

posted by holliday at 10:24 am  

Saturday, September 12, 2009

When you cross the line from being secure to paranoid

I think anyone in the security profession has to be a little paranoid to be any good at their job. You have to be a little paranoid to be able to see risk everywhere and assess what you can solve, what you can't, and the most important piece: the difference between the two.

As a parent you are constantly reminded by your children that no matter how hard you try, they will find a way to hurt themselves. The best you can do is minimize the risk and make sure you have an escalation plan. The same thing is true in security. Limit your risk and be aware of the steps to take when something does happen. One of the most difficult things for me to do is tell the difference between what I can do and what I should do (i.e. no kennels for the kids to keep them safe).

Now as far as security goes it is the same thing: find what you can do to best secure your data, but also make sure that the people who need access to that data can still be productive. I find that too often I get into the mindset of "locking it down" instead of the business mindset of how to make it as secure as possible without affecting productivity.

Just because you can make something more secure doesn't mean you should. You need to take a step back and think about what the extra security will affect and weigh the consequences. Sometimes being a little paranoid is okay, but not turning on your computer so that you never get a virus may be going too far… or maybe it isn't.

posted by holliday at 3:23 pm  

Tuesday, September 8, 2009

A hospital knows all about access control

I was recently at the hospital for an extended period of time and found that they really had a great access control solution. The solution I am talking about is their physical solution for the maternity ward specifically. Every time you wanted to enter or exit the ward you had to buzz in and out and have someone check to make sure you weren't smuggling babies. And if you want to take your baby out, you need to be checked and double-checked to make sure your wrist strap has the same ID as the baby you are carrying out. What if your office had someone that checked you in in the morning and out in the evening to make sure you had the same things you came in with? Sounds a little far-fetched and not time- or cost-efficient, but don't be surprised to see your company move a little closer to being Big Brother with all of the headlines talking about insider threats.

posted by holliday at 11:42 pm  

Thursday, August 20, 2009

First DNA, now Stylometry

Not even a week after scientists discover how to fabricate DNA our next favorite criminal catcher, Stylometry, goes down for the count. How are all my favorite crime dramas going to catch their bad guys?

posted by holliday at 6:26 am  

Tuesday, August 18, 2009

This is just scary!

In every crime drama on TV (and there are a lot of them) one of the constants is that DNA evidence is king. Once the prosecution has the DNA of a person the show takes the dramatic twist and the person confesses to whatever crime is hot that week. Recently Ponzi schemes seem to be the big hit. The criminal justice system may need to reconsider what they consider their “gold standard of proof” because DNA evidence isn’t quite as strong as it used to be.

The really scary thing is that most of the individuals that will make up the "jury of our peers" probably won't have read this or understand that DNA can be fabricated. 'You can just engineer a crime scene,' said Dan Frumkin, lead author of the paper. 'Any biology undergraduate could perform this.'

If you still felt safe, John M. Butler, leader of the human identity testing project at the National Institute of Standards and Technology, said he was "impressed at how well they were able to fabricate the fake DNA profiles." However, he added, "I think your average criminal wouldn't be able to do something like that." So don't worry about some average criminal planting your DNA at a crime scene. It would take someone like, maybe, the government to plant your DNA. As the Joker said, "Who do ya trust?"

posted by holliday at 7:20 am  

Friday, August 14, 2009

Free is never free

This just in: you get what you pay for. I was just reading up on the latest case of free not being free, with Digsby IM installing software that uses your system resources when idle. Digsby defended this by saying the software was free, but just because something doesn't cost any money up front doesn't mean it is free. The disk space that the extra software is taking up costs money. The electricity and network connection cost money, and the time it will take your brother, cousin or other random familial IT person to clean off your computer so that it doesn't run slowly after all of the free software you have installed isn't free. Just remember, nothing is free.

posted by holliday at 9:19 am  