Blame it on Amazon?

With Sony’s PlayStation Network offline since April 20 following what is being called the second largest breach in history, there has been plenty of time for rumours, speculation, and red herrings.  The latest is Bloomberg’s report,

“Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.”

While it’s mildly interesting that criminals choose to use Amazon servers, it’s not really surprising. Amazon Web Services offers great services at good prices and attracts a wide range of customers – individuals, small businesses, and large enterprises all leverage its services. Given the alleged sophistication of the attack, EC2 is simply an obvious choice.

While a shift in attention to Amazon might be good for Sony, we should expect criminals to use EC2 like everyone else. Criminals also use rental vehicles, disposable mobile phones, and WiFi hotspots. They probably even purchase their computers in the same places we do.

The Sony PlayStation Network data exposure has two causes:

  • Security deficiencies at Sony. While we don’t know what the specific weaknesses were, the fact that information on PlayStation Network customers – including credit card information – was stolen across the Internet would make it pretty difficult for Sony to convince us that they had appropriate security controls in place.
  • The criminals. Let us not forget that Sony was the victim of a crime.

Like the TJ Maxx breach, the Sony security breach should be a wake-up call. Consumers often feel safer dealing with larger, more established companies. But it appears that some of them don’t have security right yet.

We also need to understand that tracking down cyber criminals is becoming increasingly difficult. Cloud-based services aren’t anonymous – while false identities can be used, criminals still need to connect to the cloud-based service from somewhere. However, with the widespread proliferation of free WiFi hotspots, disposable mobile phones, and data devices, we need to accept that tracing an attack back to its source may not be possible. More traditional investigation methods – like following the money trail – remain important, and investigative techniques must be constantly updated.

I’m sick of HBGary

I’ll admit it. I spoke about the HBGary hacks during a guest lecture I gave at Carleton University last week. But in all honesty I’m getting sick and tired of hearing about them. Journalists keep focusing on the wrong issues, and people need to understand that many decisions – even in so-called security companies – are often not made by security professionals. Just because a company employs “security experts” doesn’t mean it consults them on internal matters. In my experience the opposite is often the case, and the shoemaker’s children proverb applies.

From a technical perspective, the root cause of the initial security breach was poor software design, poor implementation, and inadequate testing. It’s an industry-wide problem that won’t change until customers demand better software and are willing to pay for it. Things got worse because the folks at HBGary appear to have ignored basic and well-understood best practices with regard to passwords.

However, let’s not ignore the other root cause.  While it doesn’t justify criminal behaviour, let us not forget that HBGary, in an apparent attempt to obtain publicity for themselves, allegedly did the cyber equivalent of visiting the nearest biker hangout to announce, “Just want to let you know we’re going to screw with you in the media tomorrow, but don’t worry, we’re only going to screw with you a bit.” Or, if you prefer a different analogy, they kicked the hornet’s nest without wearing the customary protective equipment.

As security pros dealing with people allegedly responsible for hacking and denial of service attacks on major companies, HBGary must have expected probes of their systems and, at minimum, a distributed denial of service attack. They reportedly kicked the hornet’s nest deliberately and intentionally. It leaves me wondering if becoming a victim was part of their publicity strategy. Getting yourself hacked would certainly be a bold publicity stunt for a security company, but it wouldn’t be the stupidest thing I’ve seen either.

Feds seek new ways to bypass encryption

CNET has an interesting article today entitled “Feds seek new ways to bypass encryption.” While Declan included some interesting tidbits in his article, he completely missed a key point essential to the intensifying debate.

Any mechanism that allows the Government easier access allows criminals and foreign Governments easier access as well.  The point of hard drive encryption, to name one example, is that it protects sensitive information if someone steals your computer. Whether that someone is a junkie, stalker, unethical competitor, or law enforcement officer with a warrant is irrelevant from a technical security perspective.

The issue of key escrow for “lawful” access will certainly be raised again and the answer is simple: Given the security breaches that many governments have suffered, they have proven themselves incapable of protecting their own sensitive information.  Why should we trust them with more?

Businesses must ensure that they retain the ability to access encrypted information in the event that a user leaves or forgets their password. In that instance, the law enforcement solution is to serve a court order on the company.

Personal computers, smart phones, and similar devices are becoming increasingly that – personal. They have become an extension of ourselves. Law enforcement agencies need to come to terms with this new reality and understand that their access will continue to decline. The cost of gaining access to such devices will continue to increase exponentially until it is impractical for all but the most serious investigations. The tricks Declan outlined in the article will become less effective as criminals quickly learn about them and implement countermeasures.

Back when I studied Criminology I learned that the average IQ of inmates was just slightly lower than the overall community average, and that many criminologists believed this was because people with slightly lower than average intelligence were more likely to commit the type of crimes that could land one in jail. Twenty years of experience suggests another scenario: we’re much better at catching and convicting criminals with below-average IQs.

Organized crime and terrorists have employed countermeasures such as encryption for decades. But what appears to really make some law enforcement types uncomfortable is that you, me, and dumb criminals can now do it too.

The Self-Serve Emergency Room

itBusiness.ca has an interesting article and video on the Self-Serve ER Kiosk.

It’s an interesting concept, and it makes some sense. But it also raises a question: why aren’t we allowing pharmacists to deal with non-urgent issues?

It makes little sense, especially for someone without a GP, to go to an Emergency Room or wait for hours at a walk-in clinic for a condition such as a simple infection. We have experts at our local pharmacy counter with years of training and a knowledge of drugs that far exceeds that of most physicians. In many countries they’re allowed to write prescriptions. Why not in Canada?

Kiosks are cool, and they have a role, but let’s leverage the professionals already out there first.

The Future of Computing

As I watched the launch of VMware vSphere 4 on Tuesday I was torn.  Part of the event was more corporate group hug than product launch, and in many ways vSphere is a logical extension of the company’s existing products. But a little voice in my head told me, “This is something big.”

Some technological leaps seem clear, especially when viewed historically. For example, we speak of moving from the mainframe to the PC – from centralized to distributed processing – as if it happened quickly.  But in fact it took years and there were several steps and stumbles before PCs replaced “dumb terminals” in numbers.

For the past ten years VMware has been developing leading-edge virtualization technology. In the early days it was primarily used by developers and geeks. Then more powerful servers appeared on the market, RAM prices plummeted, and virtualization moved into the datacenter. The business case for server consolidation can be simple: less hardware, fewer racks, and power savings.

But virtualization is quickly moving beyond simple server consolidation. VMware provides the ability to move a running computer between physical boxes without any downtime. A new feature allows a running “computer” to execute simultaneously in lockstep on two different physical machines – if one fails, the other simply takes over. Security products will defend each virtual machine against attacks. And this will all work with existing operating systems and applications.

This year VMware is bringing true cloud computing to the enterprise, and with it comes the ability to implement highly available systems and solid disaster recovery. We’re about to witness the next major jump in computing technology. Hold on tight, it’s going to be an exciting ride!