cynic belsec

All posts by this author

cynic belsec wrote 7 posts

  • Smart cameras make dumb cops

    Yesterday, Wednesday 23/10/2013, there was a debate about the smart cameras the police deploy to curb crime. One can only react positively when technology is used against crime. As is often the case, caution is advised when applying new technology, since the boundaries between freedom and safety are frequently abused. The big problem is not the camera itself but the way in which it can be used. And let it be clear: these things can also be deployed in a responsible manner, so that they do not infringe on our daily portion of privacy.

    Such a smart camera exists as a fixed camera, usually placed on the access roads into a city or municipality, but now the police also have such gadgets for the mobile units. These units receive real-time information about the vehicles that pass them. That information ranges from stolen vehicles, uninsured, not inspected, up to even information on whether you have ever had a positive alcohol test. Let's assume that you had too much to drink 3 years ago and so tomorrow you are driving around in Dendermonde, Turnhout or Mechelen. In the car are your family, wife and children, and a neighbour's boy. You pass a mobile unit with a "smart" camera and, as you could see in the report, they start the pursuit with siren and flashing lights. An impressive display for something banal. You are stopped and subjected to a new alcohol test, which turns out to be negative.

    Where is the problem?
    They target the people who have already done something wrong once, while the car in front of you may at that moment actually be blind drunk, and no targeted action is taken for safer driving.
    So you are in a system as a bad road user, or in other words as a criminal, while it may be that you never had a conviction and therefore have no criminal record either. Suppose you did get a conviction 4 years ago at the police court; by now it has already disappeared from your criminal record too. According to the police you would be removed from the system after 1 negative check.
    So they claim the system is updated regularly. What is regularly, then? Is that once a week, once a month, once a year? Where can I consult this system to see whether or not I am rightly in such a database?
    I myself was once falsely accused by the Rijkswacht that my car was flagged for a hold-up and theft. My licence plate matched a licence plate in Greece that was flagged at the time. Hence smart technology does not always make smart police.

    People like to cite the example that many more stolen vehicles can be recovered and that burglaries, hold-ups etc. can thereby be prevented. That could be, but to date there is little evidence that this actually halts serious crime. And suppose stolen cars can be found that way: why not restrict the system to only that function?

    Where will they stop? To date it is only about traffic code violations. But nothing stops them from using this technology for other purposes. And once criminals know this is a practice that will be deployed on a large scale, they will only commit serious crimes with cars stolen abroad. Because there the system will still fail for now.

    One more thing. Benjamin Franklin once said: "Those who give up freedom for temporary safety deserve neither freedom nor safety."


  • Sky is cleared, the cloud disappeared

    Nirvanix, a US cloud provider, has filed for Chapter 11; in other words, they're gone. Bad news for its customers, as you can imagine. Maybe the cloud isn't as reliable as we always like to think. I would not like to be a CTO/CIO who has chosen to shift data and applications to an IaaS/SaaS provider who goes out of business and forces you to migrate your entire infrastructure to another solution. In the case of Nirvanix it is mostly about second- or third-tier storage for a company. In other words, halting replication and moving it to another storage sounds simple, but it is only as simple as the reliability of the connection. The short transfer window raises the question whether the pipes will hold. If every customer is moving data across the lines, they'll get slow, and this means timeouts, reconnects etc.

    Another issue is pricing; perhaps you've chosen Nirvanix due to the package/price value. Now you've got 2 weeks to find a new provider, sign a contract, agree on an SLA, transfer your data, test the new replication and go into production. If you manage all this in 2 weeks without loss and too much hassle, you have managed well. You can now start to question why you initially required 4 or 6 weeks for the same. Though I doubt it will go that smoothly, and I wonder how much data is lost in transfer; more important, how long will it take before you or the company find out that you've lost data and that it is not recoverable.

  • IT security risk vs business risk

    Risk management is a well-known concept in most companies today. And it works, partly. The problem is that we do not talk the same lingo, and by we I mean the business people and the information security/IT people. Which is totally acceptable, since we have different tasks to achieve in the company. However, we've come to a point where we lose an immense number of opportunities, in either business deals or security improvement.

    In today's interconnected world of harsh competition, both are equally important. I've been researching this topic for a few months and unfortunately I cannot draw a simple conclusion. If there is one overall conclusion, it is that there is no top-down approach. Boards and management do not care, they don't bother to understand technology, and these IT and security whizz kids do not bother to understand the business they support.
    A survey done by Tripwire showed that around 60% of the respondents believe that risk-based security management helps align security with business objectives. But around 45% of the same respondents feel that there is little involvement from their organisation in aligning risk-based security with business objectives.
    It seems that there is will but no support; from the top management side we could speak of the knowing-doing gap. These people, and this counts for government too, know that they need to do something about it, but for some reason they don't. They prefer to sit in the dark and wait, hoping the drifting ship comes back on course by itself.

    It will not; if you do not steer your government or your company, you're left hopelessly insecure.

  • Strong encryption weakened

    For weeks the scandals around the NSA and their surveillance programme have kept flowing in. It seems endless, and some techniques that were science fiction 2 months ago have now become real. Not only does such behaviour of an all-controlling body undermine our society, it also inherently brings additional danger for all of us, or at least most of us.

    Putting a covert channel into an encryption standard is pure madness; companies and people rely on those and have considered them secure. Now we have learned that an organisation can in certain cases easily read our precious and private data. It is only a matter of time before the enemies of that particular organisation discover and exploit the weakness. I wonder what happens next?

    Even worse is the fact that some constructors/vendors actively participated in the setup of those covert channels. Organisations buy these products and rely on them, first for the security aspects delivered by these products and secondly because they are confident of having bought a product that has been seriously and consciously designed to protect and safeguard their digital assets. After years of trust it seems they have been betrayed, and it leaves a bitter taste. If I were leading a company today, I would review my entire product portfolio and perhaps think about how to get rid of them in the near future. Why not go for open-source, integrated products maintained by a smaller player who has his business near you and is far away from any political influence?

    If you run big fiber connections, perhaps it is time for you to get a fiber encryption solution and perhaps investigate a quantum cryptography solution instead of using encryption based on pure math.

    Snowden opened a Pandora's box and I'm pretty sure there is a big nasty boomerang ready to hit back.

  • Security failures part 2

    Change: some like it, some hate it. People in the security field are open-minded when it comes down to change. We're used to it, but we should question it just like we question many other things in our personal and professional lives. I wonder why we still need to change hardware every 3 to 5 years, not taking into account the overpriced support contracts.

    Many companies apply this policy and, even worse, when the time has come they even think it is a good idea to change vendor when replacing their important firewalls. Imagine applying that strategy to your file servers.
    You've been running Windows as your favourite OS to provide the file servers in your company; after 3 years you decide to replace the hardware, but at the same time you think it would be wise to shift to a Samba solution because your service partner says it has extra features and lower cost. And you tell your admins: well guys, from next week on you'll be migrating our data to these new servers, and you'll keep up with the management of them.
    I wonder how your staff will reflect and react on that!

    For some odd reason it happens all the time in the perimeter security field. I've been involved in numerous projects where we think it would be wise to replace a Cisco firewall (change the vendor to the one you most like) with a Checkpoint one (change the vendor to the one you least like) or vice versa. And if those admins are lucky they get a training course to explain the basics to them. To me it sounds like suicide; to management it sounds like a plan.
    The security risks in this approach are important but neglected; I have never seen them in an audit report either.

    Some car manufacturers provide 7 years of warranty; it seems something impossible for the IT sector at present. Of course exceptions exist: some firewalls/routers/appliances run continuously under heavy duty, but a lot of them do not.

  • Security failures, part 1

    In security we have preventive and detective controls, and you're encouraged to use both. The problem with the detective controls is that nobody reads the logs, let alone tries to interpret the results. I've been involved in building NOC and SOC environments in the last 10 years, and the recurring error is the answer to "what are we going to log?": everything. If you have the money, resources and computing power of Amazon or Google, you can. If you don't, try to filter out what is interesting. Sounds easy, but it is not. So people buy expensive correlation engines, SIEM solutions or other similar tools. Which is good, but you need intelligence, and intelligence does not come out of a green, orange or even a black box. It comes from people, experience, bright minds, situations, reports or even statistics.

    Pattern detection can be automated to a certain extent but needs to be interpreted by human minds, and the hard thing is that if humans look over endlessly long log files they become not only numb but also stop seeing the patterns. If you look at a stream of black balls for minutes and we throw in a coloured ball every now and then, you will not detect it. Same problem with our pattern detection.

    If we narrow down the log volume to something useful and search for a pattern for a very specific service, attack vector, action, software or error, we increase the success rate. Sounds simple, no? My question: why don't we?

    Because for whatever reason we're spending our budgets on fancy security devices that generate the logs, but not on those that can handle the logs.
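    As an added illustration of the "narrow down to one service and one pattern" approach above (example code written for this page, not code from the author), the script below keeps only sshd "Failed password" lines out of a mixed syslog stream and flags a source address that accumulates several failures inside a short window. The log lines are constructed for the example; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Oct 23 08:00:01 gw sshd[2101]: Accepted publickey for ops from 10.0.0.5 port 50122 ssh2
Oct 23 08:00:03 gw sshd[2102]: Failed password for root from 203.0.113.9 port 41022 ssh2
Oct 23 08:00:04 gw sshd[2103]: Failed password for admin from 203.0.113.9 port 41023 ssh2
Oct 23 08:00:05 gw cron[3300]: (root) CMD (run-parts /etc/cron.hourly)
Oct 23 08:00:06 gw sshd[2104]: Failed password for invalid user test from 203.0.113.9 port 41024 ssh2
Oct 23 08:00:07 gw sshd[2105]: Failed password for ops from 10.0.0.5 port 50130 ssh2
Oct 23 08:00:08 gw sshd[2106]: Failed password for oracle from 203.0.113.9 port 41025 ssh2
Oct 23 08:00:09 gw sshd[2107]: Accepted password for ops from 10.0.0.5 port 50131 ssh2
Oct 23 08:12:00 gw sshd[2108]: Failed password for root from 203.0.113.9 port 41030 ssh2
"""

# One service (sshd), one event type (Failed password): everything else is noise for this rule.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text, year=2013):
    """Return (timestamp, user, source_ip) for every sshd failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failures inside any sliding `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        best = None
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            users = sorted({u for _, u in items[start:end + 1]})
            alerts[ip] = {"failures": count, "users": users}
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures in window, usernames tried: {info['users']}")
```

    The point is that the rule is tiny and readable because it asks one question of one log source; the single failed login from 10.0.0.5 is ignored, and the human only sees the source that tried four different usernames in a few seconds.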

    I'll be back for more cynical views on security!

  • reporting transparency

    Lately a lot of high-level breaches have surfaced, which is worrying since we expect that companies and/or organisations with a substantial number of accounts and business have the ability to adapt to the latest security developments. However, it seems they have not; more specifically, some of the breaches are relatively easy to exploit but even easier to solve or prevent from happening.

    In July 2013 OVH, a French hosting provider, got hacked; the positive note about it is that the provider decided to disclose the breach and even some details on how this could happen. They also made a statement on how to keep the issue from recurring. Imagine your local bank doing this?
    The culprit was able to gain access to the mail account of an administrator; this access provided him with the details to access the VPN, and once in the network things became fairly simple: fiddle around with systems and search around for sensitive data. Now why would it be possible for an administrator to have access to his emails without using some sort of VPN connection, and I do not mean clientless VPN aka HTTPS? There is no appropriate answer to this question.
    Only fools and horses in the layers of a company would allow this kind of access.
    OVH explained that in the future a VPN connection is mandatory for these operations.
    But a positive side note is that they were transparent about which data had been stolen, what consequences it had for you as a customer and how they will prevent it in the future. Let's say a step forward after having been set two steps back.

    Another major hack happened only a few days earlier: the ubuntuforums got compromised. 1.8 million usernames, passwords and email addresses were stolen. The passwords were not stored in plain text; woohoo, party, we're secure! The fact of the matter is, you weren't. Because we lazy human beings tend to recycle the password a zillion times for each of our online accounts. And if true, the passwords are stored as a simple unsalted MD5 hash, which would make brute forcing a realistically easy attack. The organisation informed each user and advised changing your passwords on the zillion other accounts you have. A daunting task that will lead everybody to use an identical password for each and every account.

    But hey, you can use a password manager and generate a unique password for each account and store it safely.
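    To make the "unsalted MD5" point above concrete, here is an added example (written for this page, not code from the author or from the forum software) that stores a few constructed user records under both schemes. With bare MD5, two users who recycled the same password end up with an identical hash, so one cracked entry gives away both accounts; with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 is assumed here as the hardened choice) every record is unique and each guess costs real CPU time. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample records; two users recycle the same password on purpose.
USERS = {
    "alice": "summer2013",
    "bob": "summer2013",
    "carol": "correct horse battery staple",
}


def md5_store(password):
    """The weak scheme the post describes: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, iterations=200_000):
    """Hardened scheme: 16-byte random salt per user plus a deliberately slow KDF.
    The stored string carries algorithm, iteration count and salt so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hashes(records):
    """Map each stored hash shared by more than one user to the list of those users.
    For unsalted MD5 this exposes password reuse directly from the stolen table."""
    seen = {}
    for user, stored in records.items():
        seen.setdefault(stored, []).append(user)
    return {h: users for h, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    md5_db = {u: md5_store(p) for u, p in USERS.items()}
    pbkdf2_db = {u: pbkdf2_store(p) for u, p in USERS.items()}
    print("duplicates with unsalted MD5:", duplicate_hashes(md5_db))
    print("duplicates with salted PBKDF2:", duplicate_hashes(pbkdf2_db))
    print("alice login ok:", pbkdf2_verify("summer2013", pbkdf2_db["alice"]))
```

    Running it shows the MD5 table leaking that alice and bob share a password before a single guess is made, while the PBKDF2 table reveals nothing of the sort; that is the difference salting makes for the "zillion recycled passwords" problem the post describes.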