
All I can say: yes, affordable now.
Keeping the tradition of the blog up... just a short write-up this week. Lots of other things to do. Nevertheless I had some fun with the recent top security news.
The NSA is responsible for national cyber-security issues. Some "hackers" stole information on the Joint Strike Fighter's design, according to the Wall Street Journal, Peter Cooney, and many other reliable sources out there. Old story, well known, strangely analyzed.
Military secrets stolen? - No! Osama's credentials still active!
There are paying allied contractors that need direct access to this critical data. Allies need to know what's landing before it lands - and they want to build similar technology. Owning invisible, state-of-the-art attack technology makes a good selling point, so the plans get shared.
But nobody puts the smartest computer people on plain network administration or security hardening. That's what the less sophisticated specialists in IT do. People like me do security. Normally that's complex enough, but not too scientific. There are much smarter computer scientists out there.
So you don't expect a brilliantly secured system: contractors need access, and we all know that wide compatibility works against high security. Accessing the data can't be made too hard. All you'd expect is a well-coded web app, SSL, constant monitoring through an IDS, and trained people.
And it turns out you can send terabytes of encrypted data out of such a highly protected network?
Sure... but even encrypted data streams are detectable. You don't need to read the payload: a trigger on the volume of outgoing traffic per second is enough, because a bulk transfer stands out against a host's normal rate no matter what cipher wraps it. The data was sent to China? Do they even have terabyte hard disks there?
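The trigger described above, as an added example (this is not the blog's own code): a minimal volumetric egress detector in Python that learns a per-host bytes-per-second baseline from a quiet window and flags any later second that exceeds either a hard cap or the host's own baseline by a fixed number of standard deviations. It never looks at payload, so encryption does not hide the transfer. The flow records, host names and addresses are constructed for the example, and the thresholds (hard cap, sigma multiplier, stdev floor) are illustrative assumptions, not values from the post.

```python
"""Volumetric egress trigger: alert on outbound bytes per second, not payload.

Added example for this post; the flow records below are constructed, not real.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, source_host, destination_ip, bytes_out).
# ws-12 is an ordinary workstation; ws-07 is quiet and then bulk-uploads.
SAMPLE_FLOWS = []
for t in range(10):
    SAMPLE_FLOWS.append((t, "ws-12", "203.0.113.10", 15_000 + 2_000 * (t % 3)))
for t in range(5):
    SAMPLE_FLOWS.append((t, "ws-07", "203.0.113.10", 12_000))
for t in range(5, 10):
    SAMPLE_FLOWS.append((t, "ws-07", "198.51.100.7", 60_000_000))


def bytes_per_second(flows):
    """Sum outbound bytes into (host, second) buckets; payload is never inspected."""
    buckets = defaultdict(int)
    for ts, src, _dst, nbytes in flows:
        buckets[(src, int(ts))] += nbytes
    return buckets


def learn_baseline(buckets, train_until):
    """Per-host mean and population stdev of bytes/s over seconds [0, train_until)."""
    per_host = defaultdict(list)
    for (host, sec), nbytes in buckets.items():
        if sec < train_until:
            per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def egress_alerts(flows, train_until=5, sigmas=4.0, hard_cap=10_000_000):
    """Return sorted (host, second, bytes_out) triples that trip a trigger.

    Two triggers: an absolute hard cap (bytes per second, illustrative value),
    and an adaptive one at mean + sigmas * stdev of the host's own baseline.
    The stdev is floored at 5% of the mean so a perfectly steady host does not
    alert on a one-byte wobble. Hosts without a baseline get the hard cap only.
    """
    buckets = bytes_per_second(flows)
    baseline = learn_baseline(buckets, train_until)
    alerts = []
    for (host, sec), nbytes in buckets.items():
        if sec < train_until:
            continue  # training window, not scored
        threshold = hard_cap
        if host in baseline:
            mu, sd = baseline[host]
            threshold = min(hard_cap, mu + sigmas * max(sd, 0.05 * mu))
        if nbytes > threshold:
            alerts.append((host, sec, nbytes))
    return sorted(alerts)


def seconds_to_move(total_bytes, bytes_per_sec):
    """How long a transfer of total_bytes takes at a sustained rate."""
    return total_bytes / bytes_per_sec


if __name__ == "__main__":
    for host, sec, nbytes in egress_alerts(SAMPLE_FLOWS):
        print(f"ALERT t={sec}s {host} sent {nbytes / 1e6:.0f} MB in one second")
    hours = seconds_to_move(1e12, 60e6) / 3600
    print(f"A terabyte at 60 MB/s still needs {hours:.1f} hours of flagged seconds")
```

On the constructed data only ws-07 trips the trigger, for every second of its upload, while ws-12's normal jitter stays under its learned threshold. The point the post makes holds: moving terabytes takes hours even at tens of megabytes per second, and every one of those seconds is visible to a counter that never decrypts anything. The 4-sigma multiplier, the 5% floor and the 10 MB/s cap are assumptions to tune per network; the real check is whether the spike is visible at all.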
The story sounds like a complete lie. Nobody in charge of this kind of information, including the most unsophisticated NSA computer scientist in the world, does security that stupid. And the NSA never wanted the responsibility anyway - these are intelligent people. They are well trained and get many security courses at half price! Federals just get the training, where private companies tend to save the money. There's no chance that really happened.
- Ah, it's budget time in the US?! Yes, some hackers stole our precious military secrets, so we need more money. Now the power-grid story sounds intelligent, too. The last thing you let people know is that something leaked out. Unless you have a good reason to do so.
The only question is: why hackers? Why the hell do you need those "criminals"? Just use terrorists. Say Osama Bin Laden, former CIA agent, stole it. That'd make some sense. Someone forgot to delete his credentials.
Lessons from Conficker - an argumentation strategy is needed
What do we learn when critical infrastructures get eaten up because of a single tiny, easily detectable nothing called Conficker? - We have to take a stand on security and learn how to do that more effectively.
Simply saying "Windows is no OS for security-specific needs" is not enough. Microsoft never designed Windows to be used for medical purposes, or by the military. It's basically a consumer operating system for end users. But it's damn cheap and easy to deploy. That's the reason it's everywhere. Speaking of costs: people have to be able to use it. And normally you cannot expect everything to be self-explaining.
If you mention more expensive alternative technology, some grumpy half-management, half-IT people stand up and declare that they can secure Windows and save all the precious money the alternative technologies would need. They're the solution. Instead of complaining, I took a look at their strategy while losing the match. That's the best thing you can do.
I assume presentation design and communication strategies are well known to any typical IT security person; social engineering, consulting, explaining policies... you have to make yourself clear to people every day. To management, to employees, to security guards... all sorts of people. That's something I very much like about the job. You have to decide how to talk to somebody within seconds: tech talk, socializing, just the friendly guy, business small talk...
For the initial presentation: "cost effective", "process oriented", "responsive", "reliable"... make a tag cloud out of random management-optimized marketing phrases and collect them into some shiny pseudo-arguments. That's it. Give that a sub-structure and it's shiny.
If there are any real questions, you win, and then you can refer to security and the potential costs of insecurity and compliance problems. Normally you'd start off the other way around - but that's the lesson I learned. Just don't. People will ask. Management people get very happy when they suddenly understand what the technology is about. It's completely enough to make them believe they do.
Thing is: when Conficker is out there, those management-and-IT people are very silent. Unless they successfully pwned Conficker or completely reworked the Windows security model, they have nothing to say here. To make this clear... having a strategy is essential ;).
Links of the week
- PCI-DSS - data breaches 2009: merchants complain about PCI while not disclosing their data breaches. But of course no one needs compliance or regulation. The market will regulate itself...
- Malware is a very profitable economy. This links to a short Q&A with Roel Schouwenberg from Kaspersky.
- I use sudo; everybody I know does. Nevertheless sudo doesn't seem to be that well designed. Room for general improvements!
- Charlie Miller and Vincenzo Iozzo's BH presentation on Mac and iPhone payloads.
Have fun,
wishi


