
Monthly Archives: October 2014

Thinking Outside the Box

Once you’ve secured the software and hardware, why you’re still vulnerable and how to address it.

INTRODUCTION

This is a non-technical article, the aim of which is to raise awareness of the threats that often get overlooked when hardening software and hardware. In practice, you can only ever mitigate security threats, never eliminate them. For example, Symantec’s Brian Dye has just told the Wall Street Journal that Symantec, the biggest anti-virus vendor, is getting out of the anti-virus business because the software stops at most around 45% of attacks. He says the money is no longer in “protect”, but instead in “detect and respond”. Or consider the compromise of RSA’s SecurID. The theory at the time was that a nation state was trying to get at secrets held by a military aerospace vendor but was blocked by the vendor’s use of SecurID. So instead they sent targeted email to RSA employees, which let them breach SecurID’s security and then go after what they really wanted. RSA took a lot of criticism for how it responded to this attack. As an aside, that’s why it’s important to train your staff to recognize phishing emails.

If you don’t have a disaster recovery plan, then when the worst happens you will be improvising. I’ll just call out the Heartbleed OpenSSL vulnerability as an example of the worst happening to people without a plan: even if you changed all your passwords, you know you’ll have to do it again once all of the services you use have got their new keys and certificates in place, and you’ll still wonder whether anyone managed to leave snooping software on those services while the keys were compromised.

As IT professionals, when we talk about security we’re mostly talking about the confidentiality, integrity, and availability of data. We don’t want confidential data leaving the organization, so we enforce a trusted device policy to ensure all BYO devices have their data encrypted and can be remotely wiped. We block file sharing applications like Dropbox that can lead to confidential data being stored in the public cloud, and because users really like Dropbox we provide them with alternatives that keep the data within the corporate network. We lock down all the USB ports, because attackers have sent employees free mice with malware hidden inside. I’m not making this up. And we use access controls to ensure people only have access to the information they need to do their job. We look after data integrity by making regular backups, and we do periodic restores to make sure those backups actually work. And we make sure the data is available by doing system maintenance while the west coast of America is asleep. Ok, so outside of California your mileage may vary. So assuming you’ve done everything you should to secure your software and hardware, what have you missed? Well, I’ll get to that later.

PART I

I’ve been interested in security since the late 1980s when I got my copy of Hugo Cornwall’s Hacker’s Handbook, where I discovered the existence of the Internet, or ARPAnet as it was then known. Prior to joining the security business I worked for a retail software company, where I discovered all sorts of frightening things about how card payments are processed. For instance, did you know that when chip and PIN payment was originally introduced in the UK there was no encryption between the mobile radio units and the base stations? Thankfully that has now been resolved.

Or, and I’m not sure if this is still the case but I suspect so, that all the card payment transactions in high street stores are stored and sent unencrypted to the banks. The reason for this is that, as I’m sure you can imagine, there is a very large number of transactions throughout the day’s trading. Traditionally these were sent to the bank at the end of the day for overnight processing. You’ll be glad to know that they are sent over a dedicated line rather than the public Internet. But even so, they sit on the host system without any encryption. And the reason for that is the overhead of cryptography: every transaction would have to be individually encrypted and decrypted to work with the banks’ batch processing systems, and that would have added just enough delay to ensure that eventually the system couldn’t keep up with the number of transactions. Payments would be going into the queue faster than they could be processed.

Now you may have heard of PCI DSS, the Payment Card Industry Data Security Standard. Among other things, that standard says organizations have to restrict who has access to the folder with the card payments in it. And so already we’ve gone beyond software and hardware: we’ve got a security policy, the PCI DSS, and that policy is based at least in part on trust. Now I could spend the rest of my allotted time talking about trust, but instead I’ll just recommend Bruce Schneier’s book Liars & Outliers.

But what I want to get across here is that software and hardware are just part of the security solution. All retailers in the UK are supposed to be audited for compliance with PCI DSS. Yet according to Financial Fraud Action UK, card fraud losses in the UK for 2013 totalled £450.4 million. Now that sounds bad, but to put it another way it’s equal to 7.4 pence for every £100 spent. And the things we have to consider here are the risk, and the cost of mitigating that risk.

The payment card industry wants to keep fraud down, but if putting in place a solution that eliminates fraud costs more than the fraud itself, it will look for a cheaper solution. So actually, even before you secure the box, you need a security policy. Because if there’s nothing of value in the box, then you don’t really need it to be that secure. But if what’s in the box is the most valuable thing you have, then you really need to be able to deal with a situation where all of your security measures have failed.

PART II

So although that was a bit of a roundabout way to get to my point, what I’m advocating is that organizations need a security policy, and that vendors of security solutions need to help their customers think about security in this way. So what makes a good security policy? First of all you need someone with responsibility for the policy, the chief security officer. And one of their most important responsibilities is to keep the policy under review, because the environment is changing all the time and a static policy can’t address that.

So how do you come up with a good security policy? Well there are various things you need to take into account. But primarily it’s about working out the risk: How likely is it that someone will walk out of this facility with all this government data on a USB pen drive? And the cost: What will be the effect if this confidential information about everyone we’re spying on gets into the public domain?

So for each risk, you work out the associated cost and then you come up with a solution proportionate to the risk. Let’s go back to the early days of hacking. I’m not sure anyone ever calculated the risk of hackers going dumpster diving for telephone engineers’ manuals. But I’m reasonably confident that the cost of shredding all those manuals, set against the risk of someone typing the whole thing into a computer and uploading it to a bulletin board system, was fairly high. That was in the days before cheap scanners, good optical character recognition and widespread access to the Internet, which is why everyone now securely disposes of confidential documents. Don’t they?

Now in the Snowden case there were a couple of things that surprised me. First, that the NSA wasn’t using mandatory access control. Or in other words they weren’t using a trusted operating system. They were using the same operating systems as the rest of us. (Mainstream systems can enforce mandatory access control too, SELinux on Linux for instance, but it has to be deployed and configured for the data in question.) I think partly that can be explained by the fact that it’s expensive to get support for Trusted Solaris and similar operating systems, because almost no-one besides governments uses them. And often the applications that governments want to run aren’t available on those platforms, so the cost of using them may exceed their benefit in mitigating risk. But the other thing that surprised me was the practice of password sharing.

And that brings me to the main vulnerability you face if your hardware and software are secure. Your users. Kevin Mitnick, I’m assuming you’ve heard of him, if not look him up. He asserts, and I don’t disagree with him, that humans are the weakest link in security. In fact I recommend his book “The Art of Deception” if you want to know exactly how predictable and easy to manipulate people are.

So let’s look at the password sharing issue. If you put a big enough road block in the way of your users getting work done, they will find a detour around it. Is it easier to tell someone your password, or to jump through hoops to get them that one file they need? Cisco’s own password policy states that passwords must contain at least eight characters, including both upper and lower case letters, at least one number, and at least one special character. A password also can’t be one of the previous three. So what do users do? They pick dictionary words with substitutions. And then users have to change their password every six months, or quarterly if it’s an administrative password. This leads to one of two things. They write the passwords down. Or they repeatedly change their password until they cycle back to their original one. It’s pretty easy to get a valid Cisco username: they’re in all of our email addresses. If you can actually get on to a Cisco site and physically connect to the network, you can just keep trying to log in until you brute force the password.
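To show why “dictionary words with substitutions” defeat a complexity rule like the one described above, here is an added example (mine, not code from the original post or from Cisco). It encodes the quoted rule as I read it, which is an assumption about the real policy, generates the substituted and suffixed variants of a few base words the way password-cracking rule files do, and counts how many of them the rule happily accepts. The wordlist, substitution table and suffix list are constructed for the example.

```python
import itertools
import string

# Added example, not from the original post. The complexity rule below is an
# assumed reading of the policy quoted above: eight or more characters, at
# least one upper-case letter, one lower-case letter, one digit and one
# special character.

SPECIALS = set(string.punctuation)


def meets_policy(pw: str) -> bool:
    """True if pw satisfies the (assumed) complexity rule."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SPECIALS for c in pw)
    )


# The substitutions and suffixes users (and cracking rule files) reach for
# first. Constructed for the example; a real rule file is much longer.
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "1!", "123", "2014"]


def mangle(word: str):
    """Yield every variant of `word` built from SUBS, three casings and SUFFIXES.

    Each subset of substitutable positions is tried, so "password" yields
    "p@ssword", "pa$$word", "p@$$w0rd" and so on, each in lower, Capitalized
    and UPPER form, each with every suffix.
    """
    positions = [i for i, c in enumerate(word) if c in SUBS]
    seen = set()
    for n in range(len(positions) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = SUBS[chars[i]]
            base = "".join(chars)
            for cased in (base, base.capitalize(), base.upper()):
                for suffix in SUFFIXES:
                    candidate = cased + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def compliant_candidates(words):
    """All mangled variants of the given words that the policy accepts."""
    return [c for w in words for c in mangle(w) if meets_policy(c)]


def nominal_keyspace(length: int = 8) -> int:
    """Size of the space the policy nominally forces an attacker to search."""
    alphabet = len(string.ascii_letters) + len(string.digits) + len(SPECIALS)
    return alphabet ** length


if __name__ == "__main__":
    # Constructed wordlist: the kind of base words a cracker tries first.
    words = ["password", "welcome", "letmein", "cisco"]
    guesses = compliant_candidates(words)
    print(f"{len(guesses)} policy-compliant guesses from {len(words)} words")
    print("examples:", guesses[:5])
    print(f"nominal 8-character keyspace: {nominal_keyspace():.3e}")
```

For the single word “password” the generator produces 288 variants, of which 73 pass the rule, including “P@ssw0rd!” and “Password1!”; set that against a nominal keyspace of 94^8 (about 6 × 10^15) and you can see why a complexity rule does nothing against a user who treats it as a substitution puzzle. Detection and lockout on repeated failures, not character classes, is what makes the brute force described above expensive.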

So how do you get on site? Well, this touches on the other main vulnerability, physical security. At Cisco we use our employee badges for building access, and various areas are restricted to specific groups of employees. We have a policy of not holding the door open for people we don’t recognize. Unfortunately it is in most people’s nature to be helpful. If I smile at someone as they go through a door and I’m dressed appropriately, they’re less likely to question whether they should have just let me follow them in. Mitnick’s book is full of this kind of social engineering technique. But actually the easiest way to get on site at Cisco is to sign up for a training course. You might have read in the news earlier this year about the gang of crooks who stole £1.25 million by going into bank branches and attaching KVM (keyboard/video/mouse) switches to the machines. Reports said a man posing as an IT engineer fitted the device, so it was low tech: they didn’t break in, they were let in.

So you need to educate staff about threats: phishing email, social engineering, and not picking up USB pen drives they find lying around and plugging them into a corporate PC. We’re short on time so I’m not going to cover BYOD, “Bring Your Own Device”, although some have called it “Bring Your Own Disaster” because of the additional risks and management headaches it entails. Ok, I will say this much: the mitigation is to require BYO devices to meet a minimum level of protection, namely a secure password, encrypted storage and the ability to do a remote wipe. But basically, the message is that it’s all very well having a security policy, but it isn’t much use if your staff don’t know about it.

Once you’ve got a policy in place you need to stress test it. This is where the “red team” comes in. This can be an internal group or an externally hired one, whose job is to attempt to defeat your security, for instance by leaving USB pen drives lying around or sending test phishing emails. Penetration testing needs to be conducted on a regular basis, at a frequency that depends on your risk and cost analysis, and the security policy updated in light of the findings.

But let’s come back to physical security, or location, location, location. In the aftermath of Hurricane Sandy it seems fairly obvious to say that if you’re doing offsite backup to multiple data centers, at the very least you don’t want them co-located on the same flood plain. Of course since then everyone has looked at where their critical services are and ensured sufficient redundancy to deal with a major disaster. Haven’t they? Well, actually, I can think of one Cisco cloud service that has a single point of failure in that its primary data centers are located in the same city, one which has historically been a target of terrorist attacks.

But assuming you’ve got the location sorted out and you’re outside the 500-year flood plain, you’re going to want to consider alternate power sources, given the increasing demands being placed on the power grid. And when you’ve got your failover power supply in place, it helps to test that it actually works. Likewise your backups are only as good as your ability to recover from them, so it’s important to test restores regularly. Physical access can be controlled by barriers, locks and guards, and it can also be monitored by video cameras. Servers get hot, so you need to consider fire suppression systems, ideally ones that leave the data in a recoverable state.

SUMMARY

I’m afraid I haven’t had the space to go much below the surface, but hopefully I’ve given you some things to think about. So, to sum up, you want a security policy that is under continual review and covers:

• Human Nature
• Disaster Recovery
• Physical Location
• Penetration Testing
• Social Engineering

And really the most important thing is to raise security awareness.


Posted by on October 30, 2014 in Technology

 

The Poor Man’s Ferrari California?


Following on from an attempt to compare the Triumph GT6 to the legendary Ferrari 250 GTO, here’s an even bigger stretch: comparing the Toyota 86 (also known as the Scion FR-S and the Subaru BRZ) to the outgoing Ferrari California (replaced by the California T).

Just as the GT6 has half the cylinders of the GTO, the 86 has half the cylinders of the California. However, this pair has a lot more in common than the previous one. The dimensions are not wildly different. The displacement per cylinder, compression ratios and specific output are quite close. Of course the Ferrari has about two and a half times the power and torque, but that means you are less likely to wrap the Toyota around a tree.

Ok, so driving a Toyota doesn’t give quite the same bragging rights as driving a Ferrari, but you look a lot less foolish stuck in traffic in the former.

                         Toyota 86                   Ferrari California
Wheelbase              : 101 in                      105 in
Track front            : 60 in                       64.2 in
      rear             : 61 in                       63.2 in
Length                 : 166.7 in                    179.6 in
Width                  : 69.9 in                     75.1 in
Height                 : 50.6 in                     52 in
Length:wheelbase ratio : 1.65                        1.71
Kerb weight            : 3682 lb                     3825 lb
Fuel capacity          : 13.2 US gal                 20.6 US gal
Bore x stroke          : 3.39 in x 3.39 in           3.7 in x 3.05 in
Cylinders              : boxer 4                     V8 in 90 degree V
Displacement           : 121.93 cu in                262.22 cu in
Type                   : double overhead cam         double overhead cam
Compression ratio      : 12.5:1                      12.2:1
Fuel system            : direct petrol injection     direct petrol injection
Maximum power          : 197 bhp @ 7000 rpm          483 bhp @ 7750 rpm
Specific output        : 1.62 bhp/cu in              1.84 bhp/cu in
Maximum torque         : 151 ft-lb @ 6500 rpm        372 ft-lb @ 5000 rpm
BMEP                   : 187 psi                     214.2 psi
Bore/stroke ratio      : 1                           1.21
Unitary capacity       : 499.5 cc per cylinder       537.13 cc per cylinder
 

Posted by on October 22, 2014 in Motoring

 

Intellectual capital, and related intangible assets and intellectual property are the core assets of our time. What are the implications for management?

In this essay I will examine patent management. According to the United Kingdom Intellectual Property Office (IPO), a patent “protects new inventions and covers how things work, what they do, how they do it, what they are made of and how they are made.” Patents give their owner “the right to prevent others from making, using, importing or selling the invention without permission.” [i] Patent law varies by country, but the premise is the same. The inventor is given an exclusive right to profit from the invention for a limited period of time, 20 years in the case of the UK, but the invention is made public and after the patent has expired anyone else can use the invention without paying a royalty. Thus it could be argued that the aim of the patent system is to encourage the disclosure of new discoveries. However, for some businesses, particularly those in the field of Information Communication Technology, it could be argued that the patent system in its current form is in fact a barrier to innovation.

To receive a patent in the UK, according to the IPO an invention must: “be new, have an inventive step that is not obvious to someone with knowledge or experience in the subject, and be capable of being made or used in some kind of industry.” Whereas in the past software fell under the works that could not be patented, together with scientific and mathematical discoveries and artistic works, this is no longer the case. This change brings the UK into line with the United States. In fact in 2004, Bessen and Hunt [ii] found that software patents comprised 15% of all patents issued in the US.

One of the most high profile patent disputes of recent times is that between consumer electronics companies Apple and Samsung. [iii] Both companies are close business partners, with Samsung acting as a major supplier of components to Apple. In April 2011, Apple filed numerous claims against Samsung over design similarities between specific models of mobile telephone and tablet computer. Samsung counter-claimed that Apple had infringed many of its related patents. In August a German court issued a preliminary injunction, which prevented the sale of Samsung’s new tablet computer in every European Union member state except the Netherlands. In October an Australian court also banned the tablet, but a month later Samsung attempted to ban the sale of Apple’s new mobile telephone in Australia. The case has now been postponed until March 2012. In the meantime, Samsung has redesigned its tablet computer in an attempt to get around the injunction.

But this is just one such case in the lucrative ‘smartphone’ and burgeoning ‘tablet computer’ markets. The Samsung products that Apple took legal action against run the Android operating system, developed by Google. On August 15, 2011, Google agreed to acquire mobile telephone company Motorola Mobility for US$12.5 billion, ostensibly not for its products but for its portfolio of 17,000 patents and 7,500 pending patents. [iv] Google has subsequently extended the protection afforded by these patents to other manufacturers of devices running the Android operating system, such as HTC.

In April 2010, Microsoft announced that it had reached a patent agreement with HTC. [v] In practice, this meant that HTC had agreed to pay a royalty to Microsoft on every Android device it sold. Although it has not been established whether Android does in fact infringe any of Microsoft’s patents, HTC clearly felt that it made better business sense to pay the royalty than to risk action in the courts.

The above examples illustrate the difficulty companies face, both in protecting their own patents and in avoiding infringement of the patents of other companies. In a market as competitive as the ‘smartphone’ one, patents play a critical role in giving companies the edge they need to succeed.

Different companies in the ‘smartphone’ market use different structures to derive value from their patents.

Microsoft licenses its Windows Phone operating system to handset manufacturers such as Nokia who build devices using the operating system. Microsoft retains control of the technology but the device manufacturer benefits from the resources of the software giant and can concentrate its efforts on building the hardware.

Google shares its Android operating system (it is licensed under an Open Source license) but derives benefit from the OS’s tight integration with its services, which are its main source of revenue. But Google’s purchase of Motorola is an example of buying patents, in this case by buying the whole company; that is the value of the company was primarily held in its patents.

Samsung and HTC both use Android on their devices, but they also pay Microsoft a licensing fee. This is bullying. Android may not infringe any of Microsoft’s patents, but fear of its legal department is enough to compel large consumer electronics companies to sign a deal to protect themselves from legal action.

Although it is now in decline, the Symbian mobile operating system is a good example of an IPR pool. The technology was originally developed by a number of companies including Nokia and Sony Ericsson. It was also cross-licensed to other companies who were not in the IPR pool. However, the software became less popular and Nokia decided to license a Microsoft operating system instead of spending further resources on its own effort.

Apple has used the ‘hold on’ approach. It does not license its patents and uses them to attempt to prevent competitors like Samsung from entering the market with competing products.

In a market as mature and rapidly changing as ‘smartphones’, the sheer number of patents involved in the production of a new device acts as a strong disincentive to smaller firms. This can be seen in the dominance of large consumer electronics companies and the reduction of the top end of the market to a few brands. However, Google’s sharing of its operating system, and its extension to its licensees of the patent protection it gained with the acquisition of Motorola Mobility, means that, at least in theory, a smaller company could enter the market with less fear of patent infringement and its associated legal costs. In most markets the costs of searches, applications and enforcement make patents an option that only larger firms can afford to pursue.

It is also important to note the limits of patents. While Research In Motion achieved a massive success with its original BlackBerry, sales of its touch-input devices have not been strong. The sheer momentum built up by Apple’s iPhone and iPad, their brand loyalty, and their successful marketing campaigns have all but ensured that even after the ‘patent wars’ are over, Apple will remain the dominant ‘smartphone’ and tablet computer supplier for some time. While the original iPhone was a revolutionary product, it could be argued that subsequent models have been evolutionary rather than a radical change from the original design. Innovation in the market has come from other manufacturers, and it has been generated through competition rather than protectionism.

Patents must be renewed, and there is no global agreement on patents, so that while it is possible to get EU-wide protection (although local interpretation may vary, as in the case of Samsung in the Netherlands), it is often necessary to file patent applications in many countries. The rules and standards vary widely. For example, the inventor’s own prior publication is tolerated in the US within a grace period, whereas in most other countries any prior publication destroys novelty. And, as we have seen, enforcement may result in multiple legal cases in multiple jurisdictions.

In summary, patents are only one aspect of intellectual property, and to be useful they must be managed appropriately. In the case of ‘smartphones’, many of the available approaches have been tried at different times by different companies with varying degrees of success. It is too early to say which strategies will ultimately prove to be the most successful, but Gartner found that Android currently has a 53% share of the market, up from 44.8% last year, while all other operating systems have lost share. [vi] This could be seen as an indication that collaboration and cross-licensing is ultimately the best policy for driving both innovation and revenue.

References

[i] http://www.ipo.gov.uk/types/patent/p-about/p-whatis.htm
[ii] Bessen, J. and Hunt, R. M. (2004), An empirical look at software patents, Boston University School of Law, Working Paper No. 03-17/R.
[iii] http://mashable.com/2011/11/23/apple-samsung-patent-wars/
[iv] http://news.cnet.com/8301-1035_3-20092362-94/google-to-buy-motorola-mobility-for-$12.5b
[v] http://www.microsoft.com/presspass/press/2010/apr10/04-27mshtcpr.mspx
[vi] http://www.gartner.com/it/page.jsp?id=1848514

 

Posted by on October 9, 2014 in Business

 

A Sentimental Journey

“In New York, you’ve got to have all the luck.” —Charles Bukowski

New York City Subway Map

 

Posted by on October 9, 2014 in Travel