|
 |
September 30, 2004 |
For paranoiac
Fractionate your information stream
Everybody will tell you that it’s good practice to change your password periodically. It’s definitely true. Any computer user must do it. Here I’ll say a thing that must be done by paranoiac.
Take a stream of information that you create over year. Take note that the stream isn’t continuous but partitioned like a stream of email messages sent over time. If you encrypt the stream with a public-key encryption algorithm; you’ll be able to aggregate many message from different sources. The thing is that if you don’t change you public/private keys, anybody who discovers your private key will be able to access your entire stream over time if he logged it. This is a real problem if such a thing append. It’s why the concept of information partitioning is important. You only need to change you keys each n day and if your attacker find your current private key he’ll not have access to the whole stream of information. It’s a way to add security within the security provided by the cryptosystem.
As I said, it’s for paranoiac only. It’s just a little thought that come up in my mind today, enjoy it.
8:50:56 PM  [] []
|
|
|
September 28, 2004 |
Nuclear in the news today
There are two interesting piece of news concerning nuclear security. The first one is from the BBC. The Kyrgyz authorities had arrested 2 men that tried to sell 60 small containers containing plutonium-239. Who said that terrorists or other criminal groups don't have the power to find and buy such material? This is possible that the news isn't true. This is possible that the Kyrgyz government to prove something to the Russian or American government invented this. However, personally I think that such a situation is possible. Think about it 2 seconds. The CIA probably doesn't have many agents in the central Asia zone since 1980 or 1990. The US army have a base in Uzbekistan but they are confined here. We need to rely on local governments for such investigation and probably the world security. The problem is that they have their own problems. Is that possible the Kyrgyz government had arrested them? If it's true, praise them. Is that the first time that criminals try to buy/sell such products on the black market? I doubt. Why a country where 80% of their weddings are done with kidnapped women care about some criminals that sell/buy plutonium on their territories? The possibility exists; but I have doubts. What's freaky is that we rely on such governments(there governments in central Asia) to do the work that concerns us. We need to change our mentality and put back our agents on the field where the things append. When I say "we", I talk about the countries that care about their homeland security or countries that need to care about it.
[In addition to the post: 02 October 2004]
----------------------------------------------- It was finally a false alarm. It suppose to be in reality 55 old-fashioned Soviet smoke detectors. I warn you in the first edition of the post that this was possible that this piece of news was not real or true. However most of the facts remind I said on the subject remain.
-----------------------------------------------
The other piece of news is from SecurityFocus. They talk about cyber attacks against nuclear facilities. There are some interesting things that they said and that I want to think about:The fact: "Last year the Slammer worm penetrated a private computer network at Ohio's idled Davis-Besse nuclear plant and disabled a safety monitoring system for nearly five hours. The worm entered the plant network through an interconnected contractor's network, bypassing Davis-Besse's firewall". The solution they found to resolve the problem: "News of the Davis-Besse incident prompted Rep. Edward Markey (D-MA) last fall to call for U.S. regulators to establish cyber security requirements for the 103 nuclear reactors operating in the U.S., specifically requiring firewalls and up-to-date patching of security vulnerabilities". It's sure that they have problems with their firewalls and vulnerability updates. But for the specific case of what append at Davis-Besse, the best firewall and latest updates would not stop the virus. Why? Because he propagated himself through the contractor's network. The point here is to demand the same level of network security to their contractors. Any security system with a backdoor is not secure at all.
What if the contractor is bribed or menaced by a criminal group? Security is not just about firewalls and security updates. It's more than that. You need to think about things that you don't think about. It's not just a process; it's a way of thinking. It's like doing a great discovery. You need a mind shift, imagination. You need to understand how your enemies work and think. You need to understand how your employees work, think and react in certain situation. Personally I see a great deal of psychology in security (any type of security), I'm I paranoiac? Security is not distributed in distinct parts, it's a whole.
There is a hope when you finish to read the article: "A working draft of the NRC guide reviewed by SecurityFocus would encourage plant operators to consider the effect of each new safety system on the plant's cyber security, and to develop response plans to deal with computer incidents. Additionally, it would urge vendors to maintain a secure development environment, and to probe their products for backdoors and logic bombs before shipping."
But as I said, this is not just a question backdoors and logic bombs in software. However they are in the good way because we can see that they are preoccupied by their sofware development companies and their interaction with them. There is not any link between these two piece of news. But I think that it's a good opportunity to think about the problem. There are probably many things that I don't understand in the situation, but if I base my thoughts on what I perceive, there is a real problem for the world security.
10:03:51 PM [] []
|
|
|
September 26, 2004 |
Some thoughts and highlights on the Global Information Security Survey 2004 of ErnstYoung.
There are some of my thoughts and highlights that I wish to share with you about the Global Information Security Survey 2004 of Ernst&Young.
First, there is the targeted population: more than 1230 enterprises in 51 countries. 22% of them have more than 1 billion in revenues and 56% of them more than 100 millions.
One of the things that I need to point you out in this survey is what I already observed and I posted on this blog since 3 weeks. This thing is the management-based approached of security. It’s the importance of the employees as a security layer in the infrastructure of the system. Unfortunately, senior management is more trusting than prudent. This situation seems to be the root of many problems.
As many people think, one of the best security layer that enterprises can have is his employees. Ironically, this same layer can also be the weakest link. The problem is that they need to be trained and educated in there role in the infrastructure as a security layer. If you do so, you’ll have one of your strongest link; otherwise, there is a good probability that this layer would be your weakest... Read the full story...
9:13:30 PM [] []
|
|
|
September 24, 2004 |
What’s best: block a port or lets Windows Automatic Updates go on?
This is another thing that I ear from the company mentioned in this story. This time, they block all ports, except 80 and few others. Blocking all ports mean the Windows Automatic Updates program’s port too. What do you think is best, blocking a random port or download and automatically install windows patch in your park of about 100 computers? It seems that it’s not every body that learns from experience. After being infected by MyDoom and some other virus, the holes are always open. They will not if they don’t change their mentalities and do a review of their security policies (if they have some).
The purpose of this post is just to give you another example of what companies can do. This is not an isolated case. I’ll come back with some stats for you this weekend.
7:52:34 PM [] []
|
|
|
September 23, 2004 |
Social responsibilities toward violence
This is just a little thought about a piece of news that appeared on the BBC this week. This post is hard to write because anybody can read it, from anywhere on the planet, from any culture. The perception toward the violence depends greatly from a place to another, from a culture to another, from a social layer to another. I just want to warn you that it’s strictly a personal thought that don’t need to be shared; so read it with your eyes and if you not agree with it, then start a discussion and I’ll be happy to try to understand your point of view. Don’t be shy, I’m really open with others’ thoughts, it’s how I learn and it’s how I can adapt myself and survive in a new environment and situation.
So, have you read this article? This is just a story like many others. It’s in China but you can see the same thing anywhere else in the world. It’s not a question of race or religion, it’s a question of violence. It’s a question of people toward violence, pure violence. They had probably a motivation to do it, possibly none. The fact is not there. The question I need to ask is: Is everybody having a social responsibility toward violence? A couple of bums versus 80 other peoples. Two of them done a blood bath. Nobody reacted to the situation. They have knifes? Clients had chairs, keyboards, probably some type of poles, etc. There were security guards. Nobody moved. It’s sure that no one know how they will react in this type of situations before live it. Think about it. You, what would you have done in this situation?
Can we check other citizens been slashed in our face without reacting? Do we have the duty to try to do our best in these situations (and not just bow our head)? I think it’s a good society question. We need our society as secure as possible. They are not, they’ll never be. The thing is not to live in a completely secure world. The thing is to be aware of the problem, to study it and try to understand it. The real problem is that people play the ostrich and hide there head in the sand. They don’t wish to sea the reality. Personally, here in Canada, it’s how it work. People don’t need to get stock in the story of others people. Personally, I think we are wrong to think in this way. I think that we need to help other citizens if they are in danger. We need to help them at our best and not fear the prosecution. I also think that we need to learn this thought to citizens and to our future generations. Really, I’m dreaming, I don’t think that a majority of Canadians agree with me but it’s my point of view for the moment. What lack in Canada and probably in many other countries? The citizenship spirit.
If I wish to have the sense of security in my community, I think that this same community needs to have a citizenship spirit , be able and have the courage to help me if I’m in troubles. I’ll do it for them, but will they’ll do it for me?
9:56:12 PM [] []
|
|
|
September 22, 2004 |
In the life of some computer security workers for a day.
I just finished reading an interesting article about a day in the life of Johannes Ullrich of the Internet Storm Center's. It was entertaining because this type of article is quite interesting and relatively rare. It’s always interesting to see how other people works in there environment. It’s why I’m posting this today, to show you another point of view of how some people works in the field of computer security (in this case: virus infection response team).
Another interesting blog called A Day in the Life of an Information Security Investigator is interesting to read for the same reason. Chief is mainly writing about anecdotes that he encounter during a day of work.
10:40:14 PM [] []
|
|
|
September 21, 2004 |
You need a foundation before rising your house.
Avoid complexity when you talk of security, back to basis
I just get around a really interesting piece of news that talk about the last IT Security Summit conference of the Gartner research center. Normally peoples that talk in these shows talk about what you need in your enterprise to upgrade your security. Normally they talk about the last technology that you need to be up-to-date and a foot ahead of hackers. Victor Wheatman, vice president and research area director at Gartner said the opposite. His speech was about what enterprise don’t need in the field of computer security technology. He says that they need to go back to basis if they really care about their security infrastructure.
" Wheatman also singled out "500-page security policies" and security awareness posters as things an IT manager would be better off not spending company resources on. "You do need security policies, but not ones so large that no one reads them. It is also important to have a business continuity plan. We got a lot of calls when the hurricanes came through Florida, but for the most part, that was a little too late. "
It’s the same as for physical security. If you are not the president of the United-States, you don’t need 10 bodyguards, an aerial surveillance and 15 hidden snipers when you walk on the street. You only need some awareness basic principles. A basic procedure like the code color of Jeff Cooper. More complex the procedure is, less people will follow it. It’s the same principles as them in self-defence. You’ll not use your kung-fu style if you are assaulted in a bar. You’ll use your gross skills that don’t need any reflection to use. You’ll not look at every person and think about all possible scenarios when you walk on the street. You unconsciously check for hints that can lead to a possible threat. It’s the same thing with a computer security policy; you need it as simple as possible for all of your employees. If you protocol is not simple and straight to the goal, your employees will not follow it. You can do one more elaborated for your system administrator, but not for your normal employees, this is not there job and they are a big part of your security infrastructure, take care of them! This fact is a question of human nature.
Another interesting thing that I noted in this article is this discussion:
" Perhaps most importantly, an IT manager needs to demonstrate to the executives within the company how to take better advantage of the systems it already has through the use of security. "
" We have an appalling absence of basic management metrics for our trade. If you can measure a problem accurately, you have the Holy Grail," Smith said. "But what you also must have is a champion at the board level. Without senior-level support, nothing will ever happen and you are doomed. "
I already discussed of this in this article some weeks ago. It just connects my thoughts with this fact.
9:23:53 PM [] []
|
|
|
September 19, 2004 |
Where to start in computer security
The root node of your search tree
When someone is interested in a new subject, he try to find an introduction work that will tell him what the subject is about, the fields that compose it, the terminology and references for further reading. You need a start point that will be the root node of your search tree on this subject. Computer security is not excluded and fit this pattern. I read a post on joatBlog that point me out this article: First Things First - An Introduction to Learning About Network Security. I didn’t take the time to read it this week. I just finished reading it and it’s why I’m writing this post now. It remembered me the methodology of searching on a new subject. The importance of introduction works in a field. It’s why I take the time to share this article with you. If you don’t have any experience in this field and that you want to learn more about it, I recommend you to read it and the references pointed out in it. Moreover, I suggest you to read most of the articles on the SecurityFocus website. This is another great source of information for any person interesting in computer security. I recommend you to read these sources of information before buying any book on computer security. In this way, you’ll know if the book worth his price and the specific field that you want to deepen.
Have a good reading. Remember, if you have any question don’t hesitate to ask me them.
5:12:22 PM [] []
|
|
|
September 18, 2004 |
Review: The Myth of Homeland Security
I just finished to read The myth of Homeland Security. This is a good book about homeland security; mostly concentrated on United-States homeland security post 9/11. This is an apolitical essay on the subject. He bases his thoughts mostly on the analysis of the PATRIOT acts and other governmental writings. A thing that I really don’t like is that he didn’t do a bibliography; he justified this by... Read the full story...
6:55:15 PM [] []
|
|
|
September 17, 2004 |
A9.com search engine.
The consequences on your privacy
...
After a couple of minutes, I thought about it and I find that this cannot be done by magic. I remembered all books that Amazon proposed me when I logged in with my personal account, they were most of the time really interesting. Then I thought that this would probably be the same thing with the A9 search engine. There is the result of my little research, some tips and comments for your privacy about this search engine of a new kind. Personally I’m a big customer at Amazon, I buy approximately 30 to 40 books by years on there website. However, I’ll not use the A9 search engine because I don’t want that Amazon know not only my customer habits of reading but also all other subjects that I search for on the internet. I can deal with the fact that Amazon.com uses my customer habits to propose me interesting new books. I can deal with this because this can point me out some books that I never think of before. However, I don’t want that they propose me many others things. I need to control the pub that popup in my view. It’s what I do by doing the choice of not using this new search engine.
... Read the full storie ...
8:54:27 PM [] []
|
|
Weblogs as knowledge management tool.
I send this post because today I find this really interesting article about blogging. It first describes the knowledge: what is it, how it’s done, the process of knowledge, etc. After, the author lists some tools for knowledge management like email and weblog. It describes the utility of weblog for personal purpose and how weblog is a useful tool for knowledge management.
I think this is an important article because we need to understand how this new type of web publishing can be used in our life and for our constant quest of knowledge search.
Finally, by reading this article you’ll know how I see this weblog. You can read it as a howto to read my blog. I also had some other motivations to write here; like try to increase my English writing ;)
PS: The author emphasis on the fact that people can post there comments to enhance the blogger’s thought. It’s why I tell you to leave your comments on my posts =)
8:43:07 PM [] []
|
|
What is important? The attitude!
The university as restarted. The northern life in Canada is also restarted. Everybody is going back to there normal activities after summer. People are coming back at the Thai boxe courses. Half-new, half-old, the normal schedule is restarting.
In a year, you see many people coming to try the sport. Some like, some don’t. However, what’s really interesting is to talk to them. This week a new special girl (lawyer of the law of woman (“droit de la femme” in French, I try a literal translation here)) has come to try. She comes 2 times and every time she said to anybody, “What’s important is The Attitude”. Why she was saying this to everybody? I think it’s because she just restarted training and that she had a lack of cardio and what was important at this moment for her was The Attitude.
I just think about it. Why now? Dunno. The thing that I know is that she was right. She was right to say that what is important is The Attitude. The Attitude is at every level. If you want performance and results, you need attitude. In training? You need attitude. In fighting? You need attitude. You had bad news? You need attitude. Finally, she was right. What’s important is The Attitude.
5:54:13 PM [] []
|
|
|
September 12, 2004 |
Security consequences of possible proof of Riemann’s hypothesis
...
The problem is that we don’t know if his proof is right. Mathematicians have doubt if Louis de Branges is able to prove the hypothesis. It’ll take time to peer review the proof by the most important mathematicians of Riemann’s hypothesis. If finally the proof is counter verified and became true, it’ll probably take time to know the consequences of the proof and how to use it.
In the case that he is right and that we can find how to use the hypothesis to make many one-way functions with prime numbers not one-way anymore, what will be the consequences? For now, no one; in the future, probably many with asymmetric encryption algorithms. If the dream to prove this hypothesis comes true, you’ll can forget electronic commerce, certification, digital signatures, TCP/IP security, secure telephones, just to tell some. You’ll not be able to rely on public-key encryption anymore as a easy to use method for encrypted distant transmission. We’ll live a boom of “The new most secure ecommerce solution with our new full proof proprietary public-key encryption algorithm”. Think about it, it took thousands years and many brilliant ideas to be where we are now. Don’t think that it will take 2 weeks or 2 months to make a new leap in the field of public-key encryption. When we’ll find a solution, it’ll need months and years to analyse and harden algorithms.
... Read the full story...
5:26:05 PM [] []
|
|
|
September 11, 2004 |
The Cellular
The way of con artists.
I just saw the movie: The Cellular. This is an entertaining film for sure. Don’t be worry, I’m not a film critic. Why am I writing on the film then? Because there is some interesting things to say about it!
I’ll not resume the film here, it’s why I talk to people that saw it. For person that doesn’t know what I’m talking about, you can always refer here for more information.
One thing stroked me particularly: the bad guys was working in the LA police, they shot at people a couple of times during the film and the only thing that they needed to say was: “I’m from the police [leave me alone then]”. Are people naïve? Some yes, others no… In the film, they were police officers, but what if they were not and wore false badges? How people can know, in few seconds, if it’s a false or not? There is no way. The only way is to call at the police station and ask them. The second problem, whom will do this? Probable no many people, me included. It’s exactly why con artists use this old trick, because people have respect in anybody that wear uniform and badges. Just to tell few, it was the strength of legend con artists like Kevin Mitnick or Frank W. Abagnale. Think about it, if you were at them place and had some doubt, would you ask for his badge number and call at the police station? The only thing that I can say is: be alert.
Just another interesting thing that I saw is the way Jessica killed the first man; she cut his brachial. If I refer to Get Tough! this is a medium size artery at ½ inch of the surface, he will have a loss of consciousness in 14 seconds and death in 1 minute 30 seconds. Personally, I think that this is a realistic way (possibly lucky) to get rid of this man.
Finally, I wish you enjoyed the movie :)
12:53:36 AM [] []
|
|
|
September 10, 2004 |
Change mentalities
Beware old school administrators.
I was talking with the network technician of a Canado-American enterprise that works in the field of technical didactic materiel like didactic aeration systems, radar system, etc. This is a small size enterprise of approximately 215 employees and exists for more than 45 years.
I was stupefied when I learned that every employees of the enterprise shared the same email password. There was only one password know by some key peoples like administrators and network technicians. The password is saved by the email client software for future email retrieval. If you have some problems with your email client and need the password to get your emails, you only need to ask a technician to come at your workstation and let him enter the global email password... Read the full story...
7:55:21 PM [] []
|
|
© Copyright 2005 FredOnSomething.
|
|
|
