Job: Security

About

Eric Rachner's observations on information security, hacking, and the business of IT risk and compliance.

Accounts

Friends

Newer posts are loading.

You are at the newest post.
Click here to check if anything new just came in.

July 28 2010

23:11

Congratulations, Dan Kaminsky

Also, I know where you live. One down, four to go. ;)

(Oh, wait. The problem with these secret-sharing schemes is, you can never be sure which one gave you a bogus fragment of the key. Back to the drawing board, I guess.)

#
React
Share

July 18 2010

23:24

Told ya so.

What was I saying about spies in the workplace? Something like, "...not just Google, and not just in China, and not just by China."

Like, perhaps, at Microsoft, in Redmond, by Russia? From the Seattle Post-Intelligencer:

Redmond Man Deported as Result of Russian Spy Probe

Tags: microsoft espionage

#
React
Share

March 21 2010

20:08

Thought for the Day

Just wait until Google indexes the public record.

#
React
Share

January 19 2010

03:44

Offshoring Partners & The Hand That Feeds

People are catching on to what the smart kids knew all along: of course Google's Chinese offices were compromised. And not just Google, and not just in China, and not just by China.

Ten years ago, the disloyal insider was a fact of life about which there wasn't much to be done. You'd mitigate as best you could with careful access control (right?) and handle incidents as they occurred. Beyond that, what? Fire all your foreign visa holders?

Times have changed. Global enterprises are investing in China, India, Russia, and elsewhere, creating new opportunities for an entire generation of workers to succeed without having to emigrate from their own cultures and communities.

And that's how I, Eric the Prophet, can predict roughly what Hillary Clinton is going to say to China on Thursday:

All of this investment is supposed to give you guys some skin in the game. Surely you don't prefer the previous arrangement, in which the "developed" world lures China's best and brightest abroad, and China's role in the global economy is relegated to "factory?"

Is anybody else just a little bit curious as to the global economy's capacity to issue pink slips in countries whose governments can't or won't prevent the emission of cyberattacks?

p.s. On a personal note, I helped Microsoft select candidates for IT Security positions in China back in 2004. As I recall, wages for Chinese IT staff were on the order of US $5.00/hr. Whatever resentment I felt towards Microsoft at the time for not cutting me in on the expected savings has given way to something more like schadenfreude.

Tags: china aurora google microsoft offshoring doingitwrong

#
React
Share

January 13 2010

15:15

Duly Noted

From the Blackberry Enterprise Server administration manual:

"To ensure [system] email is not blocked or modified, the blackberry.net domain should be whitelisted against any anti-virus, anti-spam, or blacklisting software utilized by the email system or gateway."

Translation:

"Hackers interested in bypassing any anti-virus, anti-spam and blacklisting software utilized by Blackberry customers are hereby advised to use forged source addresses ending in blackberry.net."

Tags: blackberry doingitwrong

#
React
Share

October 26 2009

06:53

A Grain of Salt for Digital Asset Values

&amp;amp;amp;amp;amp;lt;!-- /* Font Definitions */ @font-face {font-family:Wingdings; panose-1:5 0 0 0 0 0 0 0 0 0; mso-font-charset:2; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:0 268435456 0 0 -2147483648 0;} @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:1; mso-generic-font-family:roman; mso-font-format:other; mso-font-pitch:variable; mso-font-signature:0 0 0 0 0 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {mso-style-noshow:yes; mso-style-priority:99; color:purple; mso-themecolor:followedhyperlink; text-decoration:underline; text-underline:single;} p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:.5in; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; mso-style-type:export-only; margin-top:0in; margin-right:0in; margin-bottom:0in; margin-left:.5in; margin-bottom:.0001pt; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; mso-style-type:export-only; margin-top:0in; margin-right:0in; margin-bottom:0in; margin-left:.5in; margin-bottom:.0001pt; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; mso-style-type:export-only; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:.5in; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} .MsoPapDefault {mso-style-type:export-only; margin-bottom:10.0pt; line-height:115%;} @&amp;amp;amp;amp;lt;a href="http://page.soup.io"&amp;amp;amp;amp;amp;gt;page&amp;amp;amp;amp;amp;lt;/a&amp;amp;amp;amp;amp;gt; Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} /* List Definitions */ @list l0 {mso-list-id:1023358003; mso-list-type:hybrid; mso-list-template-ids:-1676016582 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l0:level1 {mso-level-number-format:bullet; mso-level-text:; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Symbol;} ol {margin-bottom:0in;} ul {margin-bottom:0in;} --&amp;amp;amp;amp;amp;gt;

A recent flurry of blog posts by some very smart people has reminded me of how in my former life at Microsoft, I often found myself in meetings whose agenda included tallying up the so-called "digital assets" related to a given project.

For the uninitiated, the "digital asset" is the starting point in pretty much every formal and semi-formal IT risk analysis exercise, to wit: What are we protecting, after all, if not assets? What uniquely digital threats imperil these assets, and how awful would it be if any of those threats should be realized, and what are the potential mitigations for each threat, and what is the cost of each contemplated mitigation, and can I somehow avoid being summoned to any more of these meetings, or do I need to step up my search for a new position in the company?

Granted, as a starting point for getting a handle on your security spend, it seems only reasonable to boil everything down to a finite list of items. The obvious next step is, let’s appraise the items in our list according to some kind of valuation scheme, and start sorting. There’s plenty of methodologies to pick from.

Except that we’re not insuring Tina Turner’s legs here. I contend that there is no useful relationship between asset value and loss-per-incident.

With that claim in mind, let’s review the types of costs associated with typical real-world hacking incidents, and ask ourselves which of these costs will vary according to some pre-estimated value of the compromised digital assets:

* Engagement of incident response specialists
* Damage to reputation / loss of future business
* Loss of business advantage (e.g., leakage of details concerning payroll, pending deals, R&D, etc.)
* Direct financial loss (e.g., fraudulent transactions)
* Disruption of regular business operations
* Fines and penalties

Actually, I wrote that list in order, ranging from “no relationship to asset values” to “perhaps some vague, tenuous relationship.”

Sure, the cost of an hour’s operational disruption might be estimable in advance, especially when service level agreements are in place. But when we attempt to quantify the cost of downtime, are we even talking about assets any more?

And is it possible that when we fetishize over the valuations of individual data assets, we’re taking our eyes off the loss-avoidance ball?

Tags: threat modeling doingitwrong

#
React
Share

March 31 2009

09:21

Rebooting.

It's been quite a while since my old blog was a casualty of the Dreamhost hacking incident, and I've been more than a little remiss about restoring things.

But Soup.io seems to be a pretty cool way to publish, so I'm giving it a whirl.

Those of you looking for Alcatraz, GPCul8r, or Scurvy will find them published again on this page in the very near future.

Cheers,

- Eric

#
React
Share

Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.

Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...

Just a second, loading more posts...

You've reached the end.