
Thursday, August 30, 2012

Coming soon? An "active deterrence protocol."

Could a "long shot" connection with the Romney Campaign be yielding fruit? Take a look at the GOP platform as reported in today's Computerworld (see story here). They use the phrase "active deterrence protocol" which, if I might be so bold, means we're going to stop playing defense and put some teeth into deterrence. Not a stretch to suggest things could be getting interesting.

Monday, August 27, 2012

How to handle a digital-certificate fraud incident THE RIGHT WAY

Today's kneeslapper from NetworkWorld is their story (read here) on How to handle a digital-certificate fraud incident. Their net-net is to have a policy document knowing who to tell, what to tell them, and how to issue new certificates fast. Kind of a waste of ink, but hey, it's the dog days of August, and who reads this crap anyway? If Congress knew security from Shinola, licensed and bonded cyber privateers following The Cyber Privateer Code (read it here) would bring a biblical curse upon the culprits as recorded in 1 Samuel 3:11:
And the LORD said to Samuel, Behold, I will do a thing in Israel, at which both the ears of every one that heareth it shall tingle.
Cyber privateers would certainly be the antidote to slow-news-day journalism. Selah.

Wednesday, August 22, 2012

10 ways to say, "Welcome to Hell!"

It's the Dog Days of Summer. Journalists in every discipline are scrambling for new headlines to garner readership. Cosmo is done with the how-to-look-good-in-your-swimsuit-in-just-21-days articles—although they still manage to have the word "sex" on almost every cover—and they're now doing everything from sex surveys to the 10 reasons men cheat (could it be that men attracted to Cosmo readers are prone to cheating?). The tech press is torn between the 10 rumored features of the new iPhone 5 and the iPad, with the big "list-of-10" security story being CIO's "10 Ways to Ease Public Cloud Security Concerns" (see story here). Welcome to Hell. Paraphrasing Dante's Divine Comedy, "Abandon hope all ye who enter here." Abandon hope all ye who take seriously any of the above lists of complete and utter tripe. As to CIO's article on easing your concerns about cloud security, let me convert their "10 Ways" into appropriate Hell Welcome Mats:

  1. Select the Right Apps for the Public Cloud. Right. This means selecting only apps that require absolutely no security. Welcome to Hell.
  2. Evaluate and Add Security, If Necessary. If the world expert in IP security and mission-critical systems, Network Solutions, can't keep their infrastructure up and immune from attacks, what chance does the average IT schmoe have (see my story here)? Welcome to Hell.
  3. Identify and Use the Right Third-Party Auditing Services. Translated, you can't do #2 above, so maybe you'll feel better outsourcing responsibility for your inevitable doom. Welcome to Hell.
  4. Add Authentication Layers. This wonderful advice begins: "Most CSPs provide good authentication services…" I added the color to the word "good." Hey, don't you want "perfect" or "unbreakable" authentication? To hell with "good" authentication. Welcome to Hell.
  5. Consider How Additional Security Will Affect Integration. Translated: "Your performance will go to hell, your users will be irate with all the hoops you make them jump through, and you'll still get cracked on a daily basis by the Chinese." Welcome to Hell.
  6. Put Security at the Forefront of Your SLA. "SLA" means Service Level Agreement. A realistic SLA should contain the following: "Security is a joke, because US law makes it impossible for us to attack the attackers. So if you trust your mission critical applications to us, you'd better have a jim-cracking-dandy insurance policy, because you will most definitely have to use it." Welcome to Hell.
  7. Insist on Transparent Security Processes. That way, you can see time-lapse photographs as the crap storm wipes you off the planet. Welcome to Hell.
  8. Streamline Logging and Monitoring. "Comparing one CSP's logging and monitoring practices with another before you sign a SLA may reveal subtle differences in the security that's provided." Sure. Like you know diddly squat about logging practices. Welcome to Hell.
  9. Add Encryption. Then, "…only the customer and the third party know the key…" And how long do you think it will take a clever phisher to worm the key out of one or the other of you? Welcome to Hell.
  10. Spread Risk with Multiple, Redundant CSPs. I'll bet the Iranians got their biggest laugh out of this one. Shamoon, Flame, Duqu, Stuxnet, Gauss, et al. All you need is one to work, and all your systems will be compromised. Welcome to Hell.
The solution is at www.cyberprivateer.com. Forget playing defense. Make a public example out of anyone stupid enough to so much as probe your system. Give them a proper sendoff…to Hell.

Friday, August 17, 2012

Finally, Google does it right: $2 million bug bounty for Chrome

In March of 2011, I publicly named Chrome as my "browser of choice" (see my story here) in this Mad Magazine world of cyberspy vs. cyberspy. At the time, I lamented not being able to run Chrome on my iPhone and iPad. That has since changed. Now, in today's Network World story (see here), Google is doing what EVERYONE SERIOUS ABOUT SECURITY should have been doing, and raised their show-us-our-flaws bug bounty to $2 million.

Too bad we don't have coherent cybercrime law that would allow someone to have a similar contest for identifying and crippling cyber thieves.

Saturday, August 11, 2012

Today's Network Solutions DDoS attack proves my point

No wonder my email today has been virtually nonexistent. I just got a text from my former Israeli commando friend telling me that his email to me is getting bounced. So I called the Network Solutions tech support hot line and got a recorded message that they are currently under a DDoS (Distributed Denial of Service) attack. Given that these guys are as good as it gets, and if they cannot defend against these attacks, then doesn't it stand to reason that our DEFENSE-ONLY cyber security legal framework is positively and absolutely idiotic?

Come on, Congress! Don't you remember the days when we only sent amateur athletes to play basketball in the Olympics? We got creamed. But when the USA is NOT forced to play with our hands tied behind our backs, we prevail. Ditto for cyber security.

You force us to play defense only, we are guaranteed to lose big time. How about leveling the playing field and NOT forcing us to play with BOTH hands tied behind our backs? The answer is licensed and bonded cyber privateers who live by…THE CODE (see here).

Selah.

Wednesday, August 1, 2012

Huawei vulnerabilities accidental or by design?

Former Cisco employee Dan Kaminsky was quoted in the Network World article (read the article here) as saying:
If I were to teach someone from scratch how to write binary exploits, these routers would be what I'd demonstrate on.
According to the article, "Huawei equipment powers half the world's Internet infrastructure…" Given the "data exhaust" of China's documented "bad Internet citizenship," it is not a gigantic leap of logic to suggest that those security holes are no accident.

NYTimes Passion + Google Zombies = Cyber Privateers

Today's New York Times story "Cybersecurity at risk" (see here) passionately suggests we need a solution. Unfortunately, their ignorance of the real issue makes their support of current legislation laughable. However, there is a synthesis of ideas that they should consider: Google's "Kill Zombies and Get a Job" program (see article here). Aren't cyber intruders the metaphorical equivalent of honest-to-goodness real-life zombies? So with due respect to the well-meaning but flatulently ignorant editors at the New York Times, licensed and bonded cyber privateers (Zombiekillers, if you will) really turn the financial equation on its head and make for a sustainable, scalable, damn near foolproof mechanism. Come on Times! Playing defense only (holding hands and singing Kumbaya) while we wait for a bunch of bureaucrats to reach consensus is NOT a solution that stands the remotest chance of success.