jump to navigation

Who’s Risk Is It Anyway? June 6, 2016

Posted by wastedspacer in IT Security, Notable Incidents, Risk, Social State, Spam, SPIM and other annoyances, Technologies.
Tags: , , , , , ,
add a comment

Nolan GouldHuman beings as a species are generally terrible at rationally assessing risk. This is particularly apparent when we consider basic everyday risks as well as common threats and risk from an IT security standpoint.

All thanks to the media, blogs, viral videos and security services the general public substantially overestimate the likelihood of spectacular, headline-worthy catastrophes.  At the same time completely ignoring many extreme dangers posed by common, everyday activities.

A prime example of this irrationality is a fear of flying. Fueled by news reports citing terrorism, bomb-threats, near misses as well as mysterious or even spectacular plane crashes. Other perceived threat vectors come from government agencies with a stated vested interest in keeping us safe (and of course themselves funded). Consequently, airport security screening services further amplify this level of latent terror for the misinformed traveler.

The end-result, we in the US put up with paying(as of 2015) another $7 Billion in taxes and even more added to the cost an airline ticket for the illusion of feeling safe. As the former FBI assistant director when asked about an effective method to fund anti-terrorism he put it thus: “Keep Fear Alive”. The FBI can’t even explain their success metrics around the perceived “war on terrorism”. The only real measurement we appear to fall back on is when the security fails! The only answer seems to be: we need to spend more!

Tragically, this appears to be a similar rhetoric that the terrorists themselves use to measure how effective their terrorism is on their intended target populations. The more perceived threats and the larger the anti-terror agencies become the more apparent they are as they broadcast the potential threats posed by future terrorism! Aside from the actual heinous terrorist attacks, the terrorist organization perhaps measures their success by how much additional chaos, media coverage, public inconvenience, fear and growth in anti-terror security services their actions are catalysts for.

Shocking airborne terrorist attacks such as 9/11 understandably leave the vast majority of our world population with a “never again” security-at-all-costs attitude.  Although the total number of people ever wounded or killed by terrorism on air travel is many orders of magnitude less than the number of victims by “ordinary” dangers driving to and from the airport.  Consider events such as having a blow-out or hitting a (deer, cow, dog, pothole) or being hit by (distracted driver, truck, road debris) when driving to the airport, all of these have serious or even lethal consequences to 1000s of travelers every year.

From a pure risk/value/mitigation assessment seems like an absurd disparity we could dramatically reduce the overall risk simply paying a little more money to fix potholes. Our collective thinking is habituated and skewed by sheer terror, amplified by sensational media coverage, augmented by continual terrorist rhetoric and supplemented by security agency threat alerts. As a result the perceived terror risks are far more salient and likely than reality. Consequently we are collectively convinced that it is worth standing up and funding entire government security agencies to combat the potential threats!


Keeping “Little Jimmy” safe!

As a general rule most individuals underestimate the risks for which there is a perceived benefit to the individual. The intended achievement of a laudable goal (or simply what’s in it for me) often creates tunnel vision where many risks are ignored or at least not adequately considered in context. Consider first-time parents of a small child they need to start taking to kindergarten. They logically purchase a very large SUV, perhaps a Chevy Suburban so that “little Jimmy” can be safe. What they understandably fail to consider is the consequences when the brakes fail on the Suburban. A smaller vehicle would simply bounce off the curb, the airbags would deploy and perhaps some minor injuries. With the height and gross tonnage of the Suburban however, it bounces over the curb and through the wall into the classroom killing six of little Jimmy’s classmates!


At least “Little Jimmy” was safe!

A less contentious example is the inevitable project management by dashboard method where NOT delivering on-time and on-budget are the only perceived risks. This conversely leads to the introduction of greater or imaginary risks for activities that have no perceived upside. The perfect IT security solution is a prime example where the pinnacle of success can be measured by “nothing bad happened today”!

We tend to mostly ignore or underestimate the less controllable risks in IT security. For example consider how easily can anyone in our organization get phished, scammed or inadvertently disclose sensitive information? We have awareness training for that but how easily or accurately can it be measured?  A number of security solution providers have a large marketing budget supporting products they can sell you to manage areas, functions and individuals you already have a degree of control over. But what happens when the actual threat is the password that’s shared with a spouse then used and inadvertently disclosed outside the organization? How can their solution address that?

The bottom line is that assessing risk can only be a general guide and not absolute. Perhaps risk assessment is more akin to Heisenburg’s Uncertainty Principle. A thorough unbiased quantitative risk assessment can certainly give a bottom-line risk score but as soon as it is observed and the results consumed by you, me or anyone else, each score will probably be different.


Serious Security Threat or Marketing Ploy? – WSJ “Night Dragon” February 10, 2011

Posted by wastedspacer in 1, Global Industry, IT Security, Notable Incidents, Political Issues, Rants, Spam, SPIM and other annoyances, Technologies.
1 comment so far

According to a report from the Wall Street Journal – on “Night Dragon” attacks:
Oil Firms Hit by Hackers From China, Report Says

How convenient for something like this to turn up the week before RSA! Seemed like an important headline and I suspect some additional news coverage could have been imminent given there was even a scrolling ticker about this on a couple of the local TV News channels this morning. Unfortunately for whoever thought this was a perfect time to disclose they got usurped by the Egypt breaking news alerts!

The McAfee PDF report is an interesting enough study however, there appears to be a number of shortcomings in the analysis, far too much circumstantial intelligence and many disclaimers of actual allegations. Furthermore “Night Dragon” is merely McAfee’s selected report moniker for their particular identification of a threat-bundle. Symantec, Microsoft, Trend, Sophos may select the same individual threats but call them different names and may not pull them together into a creative study such as McAfee sponsored. A couple of virus definitions are highlighted identifying known threats several months ago from May and August 2010.

I’m always skeptical when a security products company does a periodic security driven “the sky is falling” in-depth analysis. There may indeed be some bread crumbs of significance, my main concern is that it could just be another thinly disguised “wag the dog” company visibility increase exercise.

My more cynical side suggests that perhaps this is an effective security company marketing strategy that undertakes a “scientific” study around high-visibility targets, periodically wave a headline comprised of: (insert enemy state here) hackers attack (insert newsworthy Western iconic industry here) Gigabytes of data and trade secrets stolen. Then add some vague traffic analysis to show the volume, where it’s going and who’s allegedly controlling it, who knows, maybe some US bank or oil company outpost had been leveraged and was being unwittingly used as a Chinese/Ukrainian managed BitTorrent host for illegal videos? Or is it really corporate sensitive bidding information and active well log data? Without concrete proof in-stream or at the endpoint, any possible botnet C&C and network findings results would show pretty much the same data stream which could allow any security company to allege such a finding without actual proof.

We (or at least corporate executives as the target of this info when escalated to the lofty heights of a WSJ article) certainly appear to fall for it every time and then demand answers around what their internal security experts intend to do about it? Of course in the shadow of “cry wolf” warnings , once in a while there really are dire and present issues that require immediate remedial action so those security experts always have to remain vigilant but circumspect.

Perhaps if we (and apparently the WSJ) are really concerned about threats from “Chinese Hackers”, we should also address the oil industry “best-practice” of off-shoring to low-cost-geographies and perhaps consider that hiring an increasing number of our Western petroleum engineers and geologists from Chinese universities may pose a more insidious threat in the potential espionage space over the long term? We certainly should take security integrity and sustainability in mind when chasing the almighty short-term efficiency and cost savings fuelled drive to top ratings supporting the investors on Wall Street itself.

On a positive side, the WSJ article cited the attack vectors were typically via Microsoft vulnerabilities so companies that take an aggressive stance towards rapidly applying patches to help obviate threats. McAfee and Sophos share threat signatures so in this particular case where the detection was spearheaded by McAfee, at least, customers of these companies may enjoy a slightly better level of immediate protection and thus should benefit from any behind-the-scenes patching that McAfee had put in place to mitigate these threats. I just cant help wonder when Symantec, then Trend, then Kaspersky will see this approach as a “winning” strategy and start spinning their own versions perhaps “Soup Dragon” or “Nuts Dragon” analysis variations?

This seems like an ideal opportunity for security personnel to put in place better detection systems beyond IDS/IPS. Perhaps including honey-pots to at least be in a position to identify the liklihood of actual inside-the-perimeter threat activity. Furthermore, they will be able to consistently state whether they are being actively targeted over time and how frequently. Those metrics could be easily accumulated and used to not only track down current threats but also provide a current state report to executives when these kinds of issues are raised by the media.

In the meantime it’s ok to cry “wolf” (or depending on your security company’s naming convention: “loup”, “mac tíre”, “भेड़िया”, “الذئب”, “lupo”, “úlfur”), CVE goes a little way towards individual definitions but would help if anti-malware security companies got together and agreed upon a common name or at least resolution for a collection of threats from a suspected single source.

China – pesistent threat vs convenient “demon”? April 1, 2010

Posted by wastedspacer in IT Security, Notable Incidents, Political Issues, Social State.
Tags: , , , , , , , ,
add a comment

When average folk in the US are asked about what they think of China – it would seem that they simply parrot much of what the media peddles: human rights abuses, disregard for the concept of intellectual property, stealing manufacturing jobs from the rest of the world, state corruption, militarism, gulags, illegal software, brand-name knockoffs, the source of advanced persistent threats and a lot of other big-brother-state demonizing in general. While there are no doubt factual elements that reflect some or all of those issues, when an accusation appears, the media quickly escalates to the usual feeding frenzy to highlight any “facts” they can derive from reports. When it turns out that perhaps the issue was not so heinous or even a work of fiction, the retractions and general backing down reports are buried way down the page or even completely ignored. Come to think of it, that’s actually pretty normal for just about any sensationalized media news event.

Case in point the recent accusations of conspiracy between the infamous Aurora botnet and a series of attacks on US Companies – Google, Adobe, Intel, Northrop Grumman et. al. This has appeared in a recent DarkReading article on the retracted McAfee stance supporting this theory.

DarkReading Article.

This report paints a picture to indicate perhaps China should not always be the usual suspect root of all malware. Has McAfee been somewhat hasty in their “cry wolf” analysis that had solidly linked a series of targeted attacks as part of the overall Aurora malware efforts? McAfee initially had positively identified China as the perpetrator for the attacks against US Companies. Further analysis has subsequently identified this to be botnet establishment malware out of Vietnam that just happened to end up on commonly infected machines and probably not even related to Aurora at all.

Disturbingly, although primarily leveraging Chinese services such as 3322.org (a domain service run by one Peng Yong) it may simply be driven by the fact that statistically Chinese PC users have by far the largest percentage of its population using hacked/illegal OS and application software that typically come equipped with “free malware” or are much easier to infect since security update patching frequently gets disabled as part of the hack.

It will be interesting to see the knock-on effect of the recent Chinese edict and domain registration crackdown requiring a verifiable address (in China), business registration number along with a head/shoulder photograph. This was brought about reportedly (at least according to the Chinese Govt) following the identification of massive numbers of non-Chinese addresses registering .cn domains. GoDaddy recently pulled its registration policy while grumbling about loss of protection of identities, at the same time it may have a positive effect on the nefarious use of .cn domains as smokescreens for botnet operations run out of other countries. One wonders if GoDaddy is also inwardly grumbling more about the loss to its revenue stream?

GoDaddy Exit’s the .cn space.

Excellent HBGary Analysis on Aurora:

Real Criminals use Sony Playstations June 24, 2009

Posted by wastedspacer in Notable Incidents.
add a comment

Here’s an amazing story from the UK. It would seem that there is a generally accepted rule that people that are in prison are not permitted direct unsupervised communication. True that smuggled cellphones and radios do often appear but those are quickly confiscated. One area that seems to have been overlooked is game consoles. Here’s a report from the UK where communications subsystems within games running on Sony PS3s are used by criminals inside prison to organize crimes on the outside. I guess planning Grand Theft Auto while playing the game of the same name must be the height of irony: