Category Archives: Security

P903i: something you have for something you have

In discussions about how to secure information assets, the mobile phone is often an elegant solution. If you can tie the phone into the authentication process, as something you must physically have in your possession before you will be granted access, then you have an advantage over just using a PIN or password (something you know) alone.

However, at least two problems jump to mind with the mobile phone approach of using “something you have”. First, many phones are valuable enough on their own that they are likely to be stolen. Second, many people seem to have a nasty habit of losing or damaging their cell-phones — they tend to toss them around a fair bit and the expensive devices are often, well, cheap.

A new phone in Japan has been announced by NTTDoCoMo that attempts to deal with the former issue, by introducing…another “something you have”. I’m not just talking about a battery that lasts more than a few hours, users are told to carry a separate chip that has to be near their phone for it to work. This would be a clever approach except the second issue mentioned above is still unsolved.

Anyone want to bet some users will tape the extra access device to the cell phone to make sure it is always there when they need it? I have seen so many RSA tokens glued and taped to laptops I stopped counting, so I won’t be surprised if someone releases a case for the P903i that allows you to put your token and phone together for convenience.

After all, can you imagine grabbing your phone and a new pair of pants in an emergency and then realizing that your access token is lost somewhere behind in an old pair? And if you put the token in an important place like your purse or wallet, or if you make the token desirable enough to be worn like jewelry, you have just increased the chances for the first problem (being stolen).

Where would you hide the token that would be both safe from loss, and yet easy to keep with you? Implanted under your skin? Maybe retina scans, or ear canal scans, to unlock a cell phone aren’t far away…especially considering that these phones are increasingly carrying identity/biometric and financial data.

And we have not even begun to look at the issue of securing the signal between the token and phone to prevent replay attacks…
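To make the replay concern concrete, here is an added example (not code from the post, and not NTT DoCoMo's protocol, which the post does not describe) of the kind of exchange a phone and its proximity token would need. It assumes a key shared at pairing time and shows the phone issuing a fresh random challenge, the token answering with an HMAC over it, and the phone refusing a recorded answer played back later. A "static ID" design is included for contrast, because that is exactly the design a replayed recording defeats.

```python
"""Challenge-response pairing between a phone and its proximity token.

Added example, not code from the post or from NTT DoCoMo: the P903i's actual
radio protocol is not described in the post, so this models a generic design
with a shared key established at pairing time (an assumption).
"""
import hashlib
import hmac
import os
from typing import Optional


class ProximityToken:
    """The separate chip the user carries. Knows only the shared pairing key."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key

    def respond(self, challenge: bytes) -> bytes:
        # MAC the phone's fresh nonce; the answer is only valid for that nonce.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Phone:
    """Unlocks only while a token holding the pairing key answers a fresh challenge."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        # 128-bit random nonce; every unlock attempt gets a new one, so a
        # response recorded earlier never matches the outstanding challenge.
        self._pending = os.urandom(16)
        return self._pending

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Accept only the challenge currently outstanding, and only once.
        if self._pending is None or not hmac.compare_digest(challenge, self._pending):
            return False
        self._pending = None
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class StaticIdPhone:
    """Weak design for contrast: unlocks whenever it hears the token's fixed ID."""

    def __init__(self, token_id: bytes) -> None:
        self._token_id = token_id

    def verify(self, heard: bytes) -> bool:
        # No freshness: anything that repeats the ID, live or recorded, unlocks.
        return hmac.compare_digest(heard, self._token_id)


def demo() -> dict:
    key = os.urandom(32)  # constructed pairing key
    token, phone = ProximityToken(key), Phone(key)

    # Legitimate unlock: phone challenges, token answers, phone verifies.
    c1 = phone.challenge()
    r1 = token.respond(c1)
    fresh_ok = phone.verify(c1, r1)

    # Later unlock attempt using the recorded (c1, r1) pair: rejected,
    # because the phone has issued a different nonce in the meantime.
    phone.challenge()
    replay_ok = phone.verify(c1, r1)

    # Same recording against the static-ID design: accepted.
    weak = StaticIdPhone(b"token-1234")  # constructed ID
    static_replay_ok = weak.verify(b"token-1234")

    return {"fresh": fresh_ok, "replay": replay_ok, "static_id_replay": static_replay_ok}


if __name__ == "__main__":
    print(demo())  # {'fresh': True, 'replay': False, 'static_id_replay': True}
```

The point of the contrast is that freshness has to come from the verifier: the phone must generate the nonce and remember it, and a token that merely broadcasts a fixed identifier adds nothing against a radio that has heard it once. Key distribution at pairing time and protection of the key inside the token are separate problems the example does not address.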

US votes against control of illegal arms

Apparently the illegal trade in arms is linked to 1,000 deaths per day. But that number does not impress the US National Rifle Association, as they apparently were upset by 2,000 international UN delegates working together last June to stem illegal trade in small arms:

The conference has drawn the ire of the National Rifle Association (NRA), the powerful lobby of US gun owners which views it as a first step toward a global treaty to outlaw gun ownership by civilians.

Addressing those concerns, Annan stressed that there was no question of negotiating a global ban.

“Our energy, our emphasis and our anger is directed against illegal weapons, not legal weapons,” he said. “Our targets remain unscrupulous arms brokers, corrupt officials, drug trafficking syndicates, criminals and others who bring death and mayhem into our communities.”

The faces on the petition handed to Annan represented the million people who have been killed by small arms since 2003.

640 million illegal small arms floating around the world today and the NRA is worried about the impact to legal access? Who needs legal access when illegal is so prevalent? Besides, is the slope that slippery? If the NRA applied their argument to logging they would argue against someone being banned from cutting down protected species in the Amazon because it would somehow threaten the business of Christmas tree farms in the US.

Interesting to note who is at the top of the list of arms sale and what is defined as small arms:

Most deaths in conflicts around the world are caused by small arms, which are mainly exported by the United States, Italy, Brazil, Germany, and Belgium, according to a survey released by Small Arms Survey, the brainchild of a Geneva-based independent research project.

“Small arms” include handguns, pistols, rifles, sub-machine guns, mortars, grenades and light missiles. “Light weapons” comprise heavy machine-guns, mounted grenade launchers, anti-tank guns and portable anti-aircraft guns.

Sub-machine guns, mortars, and light missiles are the mainstay of the Taleban, Hamas, Hezbollah and al Qaeda forces (to name a few in recent news). And 200,000 people per year are shot in homicides, with another 50,000 dead by gun suicide, as reported in the Guardian. So one would think that the US would favor trade restrictions that reduce the flow of illegal weapons, right? Actually, the BBC reports that the opposite appears to be the case:

The measure would close loopholes in existing laws which mean guns still end up in conflict zones despite arms embargoes and export controls.

It could also stop the supply of weapons to countries whose development is being hampered by arms spending.

Only the US – a major arms manufacturer – voted against the treaty, saying it wanted to rely on existing agreements.

It is probably less relevant that the US is an arms manufacturer than the fact it is interested in supplying arms to whomever it wants to. So the control of manufacturing is a good start, but the negative vote by the US as well as the abstentions by Russia and China, show that the bigger issue is controlling the countries who wish to proliferate arms to achieve geo-political ambitions. The BBC points out several countries manufacturing the arms actually voted for the measure:

Major weapons manufacturers such as Britain, France and Germany voted to begin work on the treaty, as did major emerging arms exporters Bulgaria and Ukraine.

This supports the point above that these countries have less national or political cause for trade in illegal arms. In fact, there may be room for disassociation between the arms companies and the government in these other states, unlike the US, Russia and China. That is to say, the US developed, armed and trained the Taleban in Afghanistan to fight a large conventional army (USSR) not because they wanted to profit on Stinger missile sales but because they believed that destabilization of the region by militant extremists would serve their short-term political objectives. Were those light missiles illegal then? Would they be illegal today? CBS news reveals that the NRA has been informing people that there is no need to waste time on such a distinction between legal and illegal arms and to oppose the control measure by the UN:

Wayne LaPierre, the executive vice president of the NRA, said in a message on the NRA Web site that the conference seeks to draft a treaty that would “pass a global treaty banning ownership of firearms.”

That bit of hyperbole and misinformation (e.g. lie) resulted in hundreds of thousands of letters (approximately 4,000/day) sent to the president-designate of the UN by NRA members, with many of the letters based on a form from the NRA website. One can only hope, since these letters were based on pure fiction, that the US position was not influenced by them. Then again, the US did impatiently blow-off the UN and invade Iraq on the premise of imminent danger from WMD. The Bush administration pandering to highly partisan extremists and wearing reality blinders should not be a surprise to anyone:

All three of the public delegates chosen by the U.S. government are strong NRA supporters. In fact, two of the three delegates (Keene and Gilmore) are current board members of the NRA. The third, former Congressman John, received an “A+” rating by the NRA while in office. […] The appointment of the three public delegates is a symbolic reminder of the U.S. attitude towards the UN process – that the views of one interest group dominate the agenda.

Sure...

Defining Information Security

Here is a short report called “Ingredients for hiring a good information security professional”. Perhaps most notable is the advice to define the job well:

One of the biggest information security hiring mistakes can happen long before the first interview – not clearly defining the role being filled. Start by detailing the goals and objectives that the role is expected to accomplish:

– Is the role operational or strategic?

– Management or delivery?

– Compliance or operations?

– Centralized or business unit specific?

– Tied to an application or general to the enterprise?

– Will the person be focused within a small team or reaching out to business unit leaders?

– Are there internal and external communications expectations?

The answers to these questions will go a long way in helping qualify potential candidates.

A more subtle variable is the role of information security within the organization and its direct and indirect reporting relationships. This role could interact with the chief information officer, chief security officer, chief risk officer, IT audit, general counsel and multiple business units – not to mention executive management and the board of directors. Once again, by understanding what is expected, key candidate strengths and capabilities can be defined and assessed.

At first glance this might seem blatantly obvious to any hiring manager. You must know the position well to find the right match. However, the field is relatively young and evolving rapidly so I would argue that definition of the position is even more vital than expressed by the authors. And by that I mean people need to assess exactly where and how in the organization they will operate and what levers they will be expected to know how to push and pull.

There are few organizations or widely-accepted references available that define what exactly a good information security role should look like a year or two from now. And even the good ones struggle to map emerging technology (biggest risks?) to old control language — what do we do about ubiquitous wireless networks when we are required to harden the “perimeter”? This sort of issue always gets me thinking about the speed at which skills become obsolete: is a TV expert someone who can rebuild your television set, or someone who can help you estimate the best time for replacement and pick out a new one with the right feature set/value ratio?

Software security still feels like it is in the primitive state of men hunched over soldering irons and circuit boards, but it will not be long before the assembly lines speed up, the quality/cost model shifts, and the role of security fundamentally changes to address the new (most relevant) risks. That might seem a bit esoteric, but I used to manage a group of engineers who literally de-soldered and rebuilt CRT displays. Similarly, I now hear about positions where security is to be a strategic and business-oriented practice (a fine blend of politics, economics, and polisci) instead of a hands-on firewall wrangler position or a patterns/exceptions expert.

The market for security talent certainly seems to be expanding as more businesses realize information is flowing everywhere all the time and they need to do something about the risks, even if they are not sure exactly what. The dearth of good role-models, templates and examples provides interesting opportunities for leadership, with many more changes ahead.

Clinton on Prop 87

Interesting comments from Clinton on the economics and risk issues behind Prop 87

Now, I know the oil companies have trotted out some economists in their ads. But let me ask you something: If they really thought you were going to pay for this, would they be spending all that money trying to convince you to vote against it? You need to know that California is the only state in America without any kind of extraction fee on its natural resources on oil.

I like that. Well said.

I come from a state, Arkansas, where we had an oil and gas severance tax. It never makes any difference in the price. It’s set in the market. There are plenty of states with very, very high severance taxes, much higher than Prop 87 would impose here, that have less expensive gasoline. Believe me, this — all this campaign is a ruse. This is designed to slow down America’s transformation to a clean, independent, energy economy.

And I want you to think about it, all of you students, not just from the point of view of climate change, but also our national security. Aren’t you tired of financing both ends of the war on terror? And think about — think about it from the point of view of our economic security. We are now in a period for the first time ever when we’ve had five years of economic growth, a 40-year high in corporate profits, five years of increasing worker productivity. So the people who are working for us are doing a better job every year, and yet wages are stagnant, poverty is going up among the working poor, and the people without health insurance that are working and their children are increasing.

Now, why is that? That is because we have not found this generation’s new jobs.

True enough. The economy is being stifled by giant fat companies who fear innovation and threats to their strangle-hold on margins. But even more pointedly:

And I cannot tell you how strongly I feel about this. The argument that this is going to raise your gas prices is just bogus. It’s not so. All my public career before I become president — and I’ll say it again — was spent in a state that used to have a lot of oil, still has a lot of natural gas. Nobody in the whole wide world ever thought that measly little extraction tax we had had anything to do with the price people paid for their natural gas or their gasoline. No one. The only way they can even put these ads up and make this argument is that you never had it, so you don’t know. Take it from me. I’ve been there. I lived in a place that had it. It will not make a difference to the price, but it will make all the difference in your future. All the difference in your future.

Tough words from a guy who lied under oath. Despite his past personal issues, it is easy to see that he is 100% right about the economics and risk of Prop 87.

Oh, and I also read an article about Gore’s speech on this topic, but more interesting to me is the anti-Prop 87 statement in that same article:

“When you look at what’s in there, it’s clear to see what harm it would do and it’s totally unclear there would be a benefit,” DeLuca said. “There’s no guarantee that at the end of all this … we’d see anything for the $4 billion.”

Clear harm? I’m afraid I do not follow. What “harm” is there from taxing companies who are extracting natural resources? A decrease in production? That is about as likely as finding WMDs in Iraq. There is no clear “harm” to the taxes. In fact, the second part of DeLuca’s argument gives this away when he reveals his weak grasp of risk management. Do the oil companies only drill when oil discovery is guaranteed? No, they blow hundreds of millions of dollars on prospecting and research. Now, imagine if they made the same/similar investment in another potential source of energy…they might not find the biggest discovery in history, but even a few minor successes would go a long way towards the goal of reduced emissions, new jobs, and independence from petroleum.