Tuesday
Jun212011

LulzSec, Anonymous, and infosec:

"And publicity was such a useful thing. Corporate security officers, including telco security, generally work under conditions of great discretion. And corporate security officials do not make money for their companies. Their job is to PREVENT THE LOSS of money, which is much less glamorous than actually winning profits. If you are a corporate security official, and you do your job brilliantly, then nothing bad happens to your company at all. Because of this, you appear completely superfluous. This is one of the many unattractive aspects of security work. It's rare that these folks have the chance to draw some healthy attention to their own efforts."

The Hacker Crackdown, Bruce Sterling

That quote was published in 1992, almost twenty years ago.  The description still applies to most companies.  Yes, there is more awareness, and there are regulations forcing companies into some modicum of lip service, but overall the description is still accurate.

It is also fair to say this is one of those times when information security gets attention.  This is one of infosec's times to shine: don't be hyperbolic, and don't use this as an excuse to buy software FOO or widget BAR; this is a rare opportunity to sit down and have a rational, reasoned discussion about security and business from the top down.

IT is a goofy bird at most companies.  You hear silly phrases like "IT doesn't drive the business" or "We need to run IT as a business".  When was the last time you heard "Accounting doesn't drive the business" or "We need to run HR as a business"?  Never, I bet.

We need to get over this silly dichotomy that runs throughout corporate culture.  IT and infosec should be so deeply integrated into the business that silly ideas and notions about IT being different from HR or accounting are not conceivable.


Monday
Jun202011

Not a WiFi security loophole

So, a magazine called Infosecurity has a posting that claims "Potentially major Android WiFi security loophole revealed", which references a blog posting "Google knows where you've been and they might be holding your encryption keys" on TechRepublic.  In that posting, Donovan Colbert raises concern over a function that is built into the Android operating system.

...except it isn't really dangerous.  The author has discovered the feature called "Backup my settings" or "Back up my data", depending on the build/version of Android that is installed.  This feature "backs up application data, Wi-Fi passwords, and other settings to Google servers" (introduced in Android 2.0).  The data doesn't sync back and forth between devices, but if you set up a new device, or rebuild an existing one, you don't have to re-set up all of your wireless networking; the data, settings and keys are restored from Google and Bob's your uncle.

Backup: You can choose to back up some of your data, such as your bookmarks, your user dictionary, your Wi-Fi passwords, and many other settings, to your Google Account, on Google servers. Some third-party applications may also take advantage of this feature. That way, when you need to replace your phone (when you upgrade or replace a lost phone), or if you reinstall an application, you can restore your settings and other data. For information about changing this setting later, see "Privacy settings" on page 370.

The article goes on to state: "As far as I can tell, there is no clear and easy way for Android end-users to 'opt out' of sending their access points to Google for storage on the cloud and synchronisation to other Android devices the user may own."

That would be wrong.  Very wrong.  100% wrong.  You don't even have to search the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'  Don't want that feature? Don't like it?  From Reading The Fine Manual: "If you uncheck this option [Back up my data], you stop backing up your data to your account, and any existing backups are deleted from Google servers." Uncheck the box and a dialog pops up to confirm that you want to stop backing up to Google and erase all copies of the data on Google's servers.

If one is to be upset by a smartphone backing up to the cloud, where is the outrage over Wi-Fi settings being backed up to uncontrolled, non-company computers by iOS users?  And when iOS 5 backs up to Apple's servers?  What about all the laptop users someone could grab the Wi-Fi keys from after they leave?  If this is a serious concern for a company, I strongly recommend an 802.1X solution and limiting the number of concurrent logins, which eliminates this problem.  Sure, someone's password may get stored on a server outside your control, but it is easy to disable or change a user's password, and the network is not at risk from the loss of a shared WPA2 key.  The whole worry is about Google having your encryption keys, when they could just as easily be stolen by malware, saved in an email, put into a password safe, or stored in an online file store (SpiderOak, Dropbox, etc.).
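To make the 802.1X recommendation concrete, here is an added example (mine, not something from the original post or from Google) of the two hostapd configurations side by side: the shared-key network whose one passphrase ends up in every phone backup, and the WPA2-Enterprise network where each user authenticates with their own credentials against a RADIUS server. In practice these would be two separate hostapd.conf files; the interface name, SSIDs, addresses and secrets are placeholders.

```ini
# --- hostapd.conf, shared-key network (the setup the backup worry is about) ---
# One passphrase for everyone. Whoever has the phone backup, the laptop, or the
# sticky note has the network, and rotating it means touching every client.
interface=wlan0
driver=nl80211
ssid=corp-psk
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder passphrase; in the PSK model this single value IS the network
wpa_passphrase=CorrectHorseBatteryStaple

# --- hostapd.conf, 802.1X / WPA2-Enterprise ---
# The access point holds no per-user secret. Each client does EAP against the
# RADIUS server, which derives a fresh pairwise key per session. A leaked or
# departed user's account is disabled on the RADIUS side; nothing is rekeyed.
interface=wlan0
driver=nl80211
ssid=corp-eap
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# eap_server=0: authentication is proxied to an external RADIUS server
eap_server=0
# placeholder addresses and shared secret (AP-to-RADIUS only, never on clients)
own_ip_addr=192.0.2.5
nas_identifier=ap1.example.com
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=placeholder-radius-secret
```

The "limit concurrent logins" part of the recommendation is enforced on the RADIUS server rather than in hostapd (FreeRADIUS, for example, has a Simultaneous-Use check), so a password that did leak through a backup cannot be used from a second device while the legitimate one is on the network. With PEAP the user's password is still what the phone backs up; with EAP-TLS and per-device certificates there is no password to back up at all, and revoking one device's certificate touches nothing else.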

Wringing hands over a backup made by a smartphone, without having done basic research into the function, does the industry and users no good.

Thursday
Jun162011

This isn't happening it only thinks it's happening.

"How are we doing, Chief?"
"We have True Wisdom, Divine Speed, and Maximum Justice."
"What does that mean?" Trent opened his eyes and looked at her. "We are, this fine diurnal period-" "Morning." "-kicking serious ass. We are green across the board. The system likes me a lot. And I am awful damn fond of it, too. We have Total Mutual Respect and Admiration." Melissa looked amused despite herself. "You computerists are such . . . such . . ."
"Nerds," Trent said. "I think that's the word you're looking for." "You are not a nerd," said Melissa. Trent laughed. "Of course I am. You think anyone spends the tens of thousands of hours I've spent doing work like this unless they love it?" Trent looked at the board, green all the way across, and grinned again. "I'm a nerd and you bet I love what I do. I am so damn good at it."
-- Daniel Keys Moran "Players: The A.I. War"

Wednesday
Jun082011

It's IPv6 Day!

Happy IPv6 Day

If you click on the link http://[2a00:1450:8003::93]/ do you get Google or an error page?

If you get an error page, bug your IT admin, Helpdesk, ISP... you are not ready for IPv6

The pool of IPv4 addresses will be exhausted by the end of this year by most estimates.  IPv6 deployment has been delayed, and delayed, by companies, ISPs and vendors.  Further delays are only possible with technologies like carrier-grade NAT that are problematic for games and VPNs.

Monday
May232011

GXAT

The Generation X Aptitude Test:

1. Do you want to change the world?

a. Yes, and I’m proud to say we did it, man. We changed the world. Just look around you!

b. Yes, absolutely, and I promise I will get back to doing that just as soon as interest rates return to where they’re supposed to be.

c. Omigod, omigod, changing the world and helping people is, like, totally important to me! I worked in a soup kitchen once and it was so sad but the poor people there had so much dignity!

d. The way you phrase that question is so fucking cheesy and absurd that I am not even sure I want to continue with this pointless exercise.


That’s the only question on the GXAT. I could tack on a bunch of stuff about John Hughes movies and George Stephanopoulos and the Austrian version of “Rock Me Amadeus,” but there is no need. We’re done. If you chose d, accept it: you’re an Xer, even if you happen to be eighty years old. As people like Coupland have been pointing out for years now, X is more a sensibility than a rigidly confined demographic.

X Saves the World, Jeff Gordinier

Thursday
May122011

Y YOU NO RUN MSFT?

"My room is crowded enough as it is without letting Microsoft crashware eat up valuable workspace."

-Little Brother (Cory Doctorow)

Monday
May092011

Stylish!


Nice looking (-:|3 you've got there.