Weapons Control, or not ?

Long time I didn't post anything on this blog, sorry, I was working on my CISSP exam, successfully passed, now waiting for recommendations and experience validation :)

For some years in the USA, the question of weapons control hits the news, more after every tragedy, for obvious reasons.
Many weapons like automatic rifles which are rather freely available in the USA are tightly controlled in most European countries.

Nevertheless, in some european big cities suburbs, this kind of weapons became easily available and affordable for gangs, after the war in former Yugoslavia and the fall of eatern Europe's communist regimes.
This was and still is a challenge for law enforcing forces and security companies (banks/ATMs, cash transport, jewel shops, etc.).

I'm not an expert in weapons, I won't try to argue for one side or the other.

My point here, is we seem to have a similar situation in our not so virtual world: iOS vs Android.

iOS is like an European country, with a tight policy preventing even legitimate and anti-malware software editors to have access to the low-level OS to build efficient protection software.

Android is more like the USA: the OS is more accessible, making life easier for malware creators AS WELL AS for anti-malware and protection software writers.

My 2 cents:

- The "fortress" of iOS will be breached, with devastating effects. Just an hint which is #1 here: Top 10 most Worrying Things We Saw at Black-Hat
  0-days on iOS are among the most expensive on the black market, which is a kind of limited and temporary protection: only state agencies/spies can afford them. For how long ?

- The "arms race" logic which will prevail on Android will hit more the security news in months and years to come.
  This will be an iterative process: more threats, counter-weighted by more protection techniques, and so on.

As a strong supporter of Agile methods and their iterative processes, you'll guess which side I'm on ;)
At least on the long term.

I don't say I have the same opinion about firearms control, but it's not the subject of this blog, and opinions can change.

The Roman Limes: Data Loss Prevention

One more lesson from History: Limes/Adrian's Wall.

Like the Maginot Line or the Chinese Wall, the fortified frontier built by the Romans never prevented barbarians intrusions.
But it had another more important mission: preventing or at least hindering their return with their spoil.

During several centuries before the Germanic tribes invaded and toppled the Roman Empire, small bands of them attacked the Roman fortified frontier.
It was rather easy for them to penetrate the Empire, as they chose the exact place of their attack after long observation of the defense weaknesses, and always by surprise.
Once in Roman territory, they wandered at will, as there were few if any in depth defenses.
But they were followed and tracked by their victims or some Roman scouts. So their way back to the frontier and to their own territory was guessed, reinforcement brought to the place, and it was far more difficult for the Germanic warriors to pass the Limes back.
The legend of the Rhine Gold comes from this, they say: so much of this stolen gold and goods was drought in the frontier river, it seemed the gods had cast a curse on it.

Nowadays, in Information Security, it is well known a perimeter defense like the Roman (fire)wall is not sufficient.
Most of Defense in depth techniques are also in a difficult straight.
Recent Advanced Persistent Threats proved Data Loss Prevention is not efficient or even not implemented at all.

Maybe we should overturn our priorities, just like the Romans did (and it worked well for three or four centuries):
- Monitor and log and focus our SIEMs on what happens INSIDE our infrastructure.
- Focus on what tries to GET OUT instead of on what tries to GET IN.
- Implement this monitoring and alert everywhere in the infrastructure: servers, network devices, desktops/laptops and mobile devices.
- Surely many more to do, educating users not the least...

Let's face it: I was probably an insider threat as well as most of us, even if we never noticed it. It's so easy to introduce a malware inside our perimeter by simply browsing a compromised web site or app store.

Comments and critics welcome! :)

My Answer to: Everything Wrong With The Hobbit in 4 Minutes Or Less

My Answer to: Everything Wrong With The Hobbit in 4 Minutes Or Less

Well... A bit out of topic on a blog supposed to be about InfoSec, even though we have an excellent example of one time (a year) two factor authentication in this book & movie ;)

Everything Wrong With The Hobbit An Unexpected Journey In 4 Minutes...

Badly stored bread, burning candles, etc. Hey, this a fantasy movie, inspired by one the best fantasy book in history. What did you expect ? This is a magick world. I won't argue with every one of your mean points.

Elvish blades don't shine a blue light, except Sting ? Peter Jackson explained it well in The Lord Of The Rings comments: with all these shining elvish blades, the movies would have looked too much like Star Wars.

As for the Eagles, you should read the books, friend. The answer is in the Silmarillion (and the Lost/Unfinished Tales). It was kind of a hell of a headache for JRR Tolkien to prevent the Eagles to spoil his plots. So Manwë decided to send His Eagles to help a bit the people of Middle-earth, but not too much, as the main tasks remain their to accomplish.

And you missed one AWFULL mistake : when Thorin stands up to fight Azog, at the end of the movie, he has his legendary oakenshield which was never seen before, upgraded with some metal blades. How did he got it ? Sure it's not a pine branch, sure we didn't see him carrying it before, sure he couldn't keep it during the battle with the goblins, he was lucky enough to keep his elvish blade, Orcrist.

So yes, Peter Jackson made many mistakes in his movies. As a fan of JRR Tolkien, reading at least The Silmarillion, the Hobbit, The Lord Of The Rings once a year (twice in fact, in French and in English) and his other "unfinished" books, of course I don't agree with all what Peter Jackson did in his movies. But I forgive him, he had to bend things a bit to give a good show, and in the end, he remained fairly true to the books. His movies' success led many to know and read JRR Tolkien's books, and that what's important in the end.

Finding ways to evangelize Tolkien's writings is a bit like evangelizing Information Security. Not an easy task.

Jargon, Communication, and Respect.

« Qui se sait profond tend vers la clarté;
qui veut le paraître vers l'obscurité ;
car la foule tient pour profond tout ce dont elle ne peut voir le fond. »

“Whoever knows he is deep, strives for clarity;
whoever would like to appear deep to the crowd, strives for obscurity.
For the crowd considers anything deep if only it cannot see to the bottom:
the crowd is so timid and afraid of going into the water.”

Friedrich Nietzsche

One trending topic in InfoSec these days is our jargon usage and more generaly our ability (or lack of) to communicate properly with our stakeholders.

Sure, jargon and acronyms are a necessity in every tech/scientific field. As a vernacular language of the specialists.
But we must never forget: we don't work for ourselves, we are at the service of stakeholders, most of them non-specialists.

Here are some links related to this, in English and French:

RSAC2013 and InfoSec communication (English)
A real life example of what can go wrong (English)
Information Classification in simple words (French)
Excellent InfoSec Terminology Definitions (French)

IT specialists in general have this problem of having a hard time to communicate with non specialists.
It's even more true for InfoSec specialists, even when communicating with other IT fellows.

Certification bodies tell us we must adhere to important values: honesty, respect, responsibility, diligence, etc.
I think Respect is a key: proper communication avoiding obscure jargon is a way to respect others, and they will respect us in return, and more importantly listen to all the fear-mongering, boring and hindering/blocking advices and recommandations we give them ;)
Without this, InfoSec is doomed to fail.

I worked for some years for an antivirus company. This industry is crouded, many competitors. But one thing I marked: key people of these companies often work together and have good relations, doing presentations in common at InfoSec conferences, referencing each other's work in articles, forums, blogs or in social media.
I remember internal orders we had when one competitor had some source code leaked on the Internet: don't try to get it, if media contact you about this, don't answer and worst of all, don't despise. Direct them to our official PR service.

In a word most of them respect each other even if they work for competing companies. Nobody boasts to "go thermonuclear" against another.
This is a good sign, and seems to be mostly true in the InfoSec community in general, not only in the antivirus industry.

Of course, there are strong-minded people in this field, it may even be a requirement to be a good InfoSec specialist ;)
And there are some polemic topics, offensive security currently the main one. All businesses have their darker side.

I'm kind of a newbie in InfoSec, and I may be a bit naive about this. But I hope Respect is and will remain a key value in this field. I deem it's a necessity.

Famous scientifics, such as Louis de Broglie consider one of their main missions is to popularize their arcane field, as a service to the society and humanity as a whole.
We must follow this track.

Walls and Fortresses: Some History Lessons

Chinese Wall, Limes, Hadrian's Wall, Maginot Line, Siegfried Line, Atlantic Wall, Berlin Wall... And every impregnable fortresses... All have failed.

The so-called "security perimeter" doesn't exist anymore; did it even exist once ?

Cloud infrastructures BYOD APTs (Spear) Phishing etc. or just the human factor ?

Defense-in-depth is an old and well known moto in InfoSec, but many people seem to just stop at the perimeter defense.

Sure, having a so-called "perimeter" to defend is reassuring, putting all efforts defending it ensures that we are safe inside it; good rest while not on the front line.

I don't mean firewalls, antiviruses, anti-spam and other protections, etc. don't avail, they have their use. But don't count on them to provide a complete security. They never have, they never will.

History is repeating itself, over and over. One of the well known and most documented failed perimeter defenses wa the Maginot Line during the Battle of France in May-June 1940.

The French military command, being one war late as often, thought building a fortified line would prevent German invasion. The problem was this impregnable line was too short and didn't cover the Ardennes area, deemed to be impossible to bypass by tanks and mobile units.

Though the "Blitzkrieg" concept existed only on paper at the time, a German general fully used it: Erwin Rommel.

The divisions Rommel commanded were called the "Ghost Divisions" because they moved so quickly even the German high command didn't know their whereabouts, not speaking of the Allies. This led to the Allied armies being encircled in Dunkirk.

After the Dunkirk evacuation, the German army turned south to invade France, took Paris, and seemed about to invade the whole country. At this time, the remaining French army changed its strategy and implemented hedgehog tactics of defence in depth. This was rather effective, considering the state of the French army in June 1940, which had no reserves anymore and so was doomed.

Four years later, when the Allies liberated Western Europe, the Siegfried Line facing the Maginot Line, didn't avail much more against General Patton's tanks.

Lessons to remind:
- The perimeter doesn't provide a complete security. It can even provide a false feeling of security, which is worse than all.
- Changes in the technology, whereas tanks/aircrafts or mobile devices(BYOD or not)/cloud infra can even render the notion of perimeter mostly obsolete.
- In-depth defenses can be more important than perimeter ones.
- Expect the unexpected.
- Dynamism always beat staticness, in the end.
- Oh, and always keep an eye on your logs, the Allies defeat would have been prevented if the air forces observation reports had been heeded at the very start of the German offensive.

Information Security Yield a Bunch of Ranting

You rant when your system is denying you a legitimate access, or just hindering your work.

You rant when your system is breached.

You rant when fellow workers do wrong and put your organization at risk.

You rant when the company/organization you trusted is breached (Certification Authorities, White List providers, etc.).

You rant when there is a bug, security related or not.

You're right, nothing new, DON'T PANIC! ;)

Some info about me:

I'm kind of a newbie in InfoSec, though I had to deal with security for a long time, since I first had to administer internet servers; that was back in 1995.

I worked in some different domains, Operations, R&D, Logistics, Deliveries (not only on software projects) and more and more in management.

Got hit by and witnessed some breaches along the road.

In these latest years, I had the privilege to work at F-Secure, though this was a mere accident ;) The fellows there inoculated me with a virus I was destined to catch. I would never thank them enough for that :)


So I'm taking the opportunity to be out of job for now to study InfoSec, and try to pass some certifications, for a start.

This blog will host my thoughts about this large subject, comments about issues and/or security news, no promise it will be updated as regularly as it should, depending of my schedule.

This (not so) virtual world is changing, I feel it in the cables, I feel it on my servers, I smell it on my wifi... But all is not lost and nothing will be forgotten.