Category Archives: Security

Global Peace Index and Hacking Tools

Goodbye Big Mac cost-of-living indicators, hello Peace Index:

The Economist Intelligence Unit measured countries’ peacefulness based on a wide range of indicators – 24 in all – including ease of access to “weapons of minor destruction” (guns, small explosives), military expenditure, local corruption, and the level of respect for human rights.

[…]

The main findings of the Global Peace Index are:

— Peace is correlated to indicators such as income, schooling and the level of regional integration
— Peaceful countries often shared high levels of transparency of government and low corruption
— Small, stable countries which are part of regional blocs are most likely to get a higher ranking

Lack of corruption? Education? Regional blocs? Ouch. It is like the index was created just to make countries like the US, Israel, Russia and Nigeria look bad.

The US comes in at 96th place, but I am certain someone will try and point out that the top 95 owe their spot to the bad-cop behavior of America. There is no proof of that, of course, any more than a bully in school creates peace in the yard. The underlying problem is one of defining fair governance and representation rather than right by might.

Hard to avoid noticing where Japan and Germany are on the list…near the top.

Speaking of governance and regulation, it appears Germany has just tried to ban “hacking tools”:

On Friday night the German Bundestag – the lower chamber of Germany’s federal parliament – passed without amendment a controversial government bill designed to facilitate criminal prosecution of computer crimes. Only the Left Party voted against it. At a hearing in March security experts and representatives of IT companies raised many objections all of which have been turned down.

It becomes an offence to create, sell, distribute or even acquire so called Hacker Tools that are built to conduct criminal acts like acquiring illegal access to protected data. It is feared by many that this might keep administrators and security experts from doing their job – i.e. from properly testing applications or networks to enhance security while on the other hand the blackhats don’t really care that their chosen tool has been made illegal now. Interestingly a similar clause in the Police and Justice Act amendments to the UK Computer Misuse Act has recently been suspended pending amendment for this very reason.

Another new offence is the unauthorized access of secured data by means that require the disabling or circumventing of security measures. This echoes the circumvention clause of the US Digital Millennium Copyright Act, which is still highly controversial after almost a decade and has been used in ways not anticipated by its creators to stifle legitimate security research.

I’d like to get a copy of that bill…

Ongoing Ameritrade Breach Issues

Slashdot has the scoop on the latest Ameritrade customer concerns:

So it’s pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it.

AmeriTrade says that California law required them to notify their California customers of a potential security breach after the tapes were stolen, and that they went further and notified all of their customers anyway. Since there is now proof that their database is more or less perpetually open to some outside attacker, will they send out another notification letter to customers?

Some say a breach has no effect on consumer confidence. Having been invited to work on several investigations that looked at consumer response and complaints, I disagree. I think that many, although perhaps not yet the majority of, consumers are definitely sensitive to breach notification. They might have reacted warmly in the past, but times are quickly changing and the costs are more abruptly apparent now.

The frog doesn’t jump when the temperature changes slowly, but if it perceives the water as suddenly hot, it jumps.

More Proof Microsoft is Run by Monkeys

No, I am not talking about the video of Steve Ballmer doing the monkey dance — showing his dislike of creationism.

And I also am not talking about the theory that Shakespeare’s work could be replicated if you put enough monkeys on keyboards.

I am talking about the simple fact that if you are asked to secure a network environment, you will inevitably end up facing a Microsoft system set up to be a primary source of authentication, yet at great risk from attackers. You want to help, but every security expert knows Microsoft is a mess to work around.

It’s like being asked by a king to secure a castle after his keep was built with open doors at the top of stairs that terminate all over the place, often outside the perimeter walls. Imagine having to say “This design allows the village idiot to walk right into your bedroom and sleep with the queen. You didn’t know you were paying for that?”

Companies have to pay a hefty fee to make it safe after the fact, and in some cases the only way to make it safe is to tear it out and replace it. Can you believe Windows 98 was even allowed to be put on the market?

“Cheep, cheep” comes to mind.

Could monkeys stand in for Shakespeare? Interesting question, but perhaps more interesting is why people think it is fine for monkeys to manage software products.

Maybe Eliza Griswold’s Monkey poem explains this somehow:

Last week, the children ate his mother—

dashed her head against the breadfruit.

A young girl soldier laughs,

tears the baby from my leg

and hurls him toward the tree.

Corporate politics? Primitive product testing?

Men’s gold tub missing

A hotel in Japan has reported missing one of two 18K gold tubs. The BBC picked up the story:

Staff reported the tub was missing on Wednesday at the Kominato Hotel Mikazuki, a resort overlooking the Pacific Ocean, east of Tokyo.

Police said they had no idea how it was stolen, saying they had found no sign it was dragged on the floor.

The tub weighed 80kg (175lb) and was made of 18-carat gold.

It was normally chained to the door and padlocked when the room was closed, Japanese TV reported.

I think two people could easily carry 200lbs, and they certainly could lift it onto a dolly. The bigger question might be why the only control for a million-dollar gold object was a chain and padlock. It wasn’t locked to the floor with secure bolts? Even for earthquake safety? Dual-purpose controls are often easier to justify in terms of expense, especially when there are regulations driving one.

One might think a camera would be in place in a hotel, but since this object involved bathing, perhaps someone thought privacy would be at risk. Fair enough, but the trade-off should have led to compensating controls rather than none at all.

In terms of suspects, the article does mention that only the men’s bathtub disappeared…