Archive for the ‘Snafu’ Category
Google: Do What You Say
First, let me state that this is NOT a security issue with Google, even though it might be presented that way.
Unless you were hiding in a cave for the past few hours, you know that Google is taking some serious steps to protect its customers (you, me, all of us) after it was attacked one more time (see “Google on the defensive, vulnerable; China risks international and U.S. response”). Among other things, “Google Finally Improves Security of Gmail Connections as Consumer Watchdog Urged”, which is great:
Consumer Watchdog said Google should use encryption for connections to all its Internet-based services, not just Gmail. The new security measures would not have prevented the sort of cyber attack that targeted Google from China. It does increase security to prevent third parties from snooping as information moves from a computer over a network to Google’s servers. Google has offered SSL encryption using the https protocol as an option since 2008.
But if you look at the screenshot you can see that NOT all the traffic is encrypted… While this might be OK for static pages, who knows what other pages are not protected with SSL? Why can’t you turn it on for the entire site? It would add more credibility and assurance…
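The point of the screenshot is that a page served over HTTPS can still pull scripts, images or form targets over plain HTTP, and each of those is a place where a network observer can read or tamper. Here is a small checker for exactly that, added as an illustration and not code from the original post or from Google: it parses an HTML page with Python’s standard `html.parser`, resolves every fetched URL against the page’s own address, and lists the ones that fall back to `http://`. The page URL, hostnames and HTML are constructed stand-ins for a Gmail-style page.

```python
"""Flag sub-resources that an HTTPS page still fetches over plain HTTP.

Added example, not code from the original post. The page URL, hostnames and
HTML below are constructed stand-ins for a Gmail-style page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch from, or submit to, another URL.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
    "form": ("action",),   # a cleartext form action exposes whatever the user types
}


class SubresourceCollector(HTMLParser):
    """Collect every referenced resource URL, resolved to an absolute URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # urljoin resolves relative paths and protocol-relative
                # references (//host/path) against the page's own scheme.
                self.resources.append((tag, urljoin(self.page_url, value)))


def find_insecure_resources(page_url, html):
    """Return (tag, url) pairs loaded over http:// from a page served over https://."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("page itself is not served over HTTPS: " + page_url)
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return [(tag, url) for tag, url in collector.resources
            if urlparse(url).scheme == "http"]


# Constructed sample page: some assets are relative (they inherit https), one is
# protocol-relative, and three are hard-wired to http://.
SAMPLE_PAGE_URL = "https://mail.example.test/inbox"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/mail.css">
<script src="http://static.example.test/js/app.js"></script>
<script src="//cdn.example.test/js/lib.js"></script>
</head><body>
<img src="http://images.example.test/logo.png" alt="logo">
<form action="/send"><input name="to"></form>
<form action="http://tracker.example.test/collect"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Run against the sample it reports the hard-wired script, image and form target, and stays quiet about the relative and protocol-relative references, which inherit the page’s HTTPS scheme. The same check run over a site’s real pages is the quickest way to answer the question in the post: which pages, and which pieces of them, are still outside SSL.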
This is Not A Good Time For Outage
At the end of every quarter there’s this magical moment: it’s the best time. If you are working in a sales or sales support position, you are probably glued to your mobile email device, working 24×7 on getting that next deal… Lots of adrenalin in the air. It’s fun time. Unfortunately, RIM’s BlackBerry network is down. In other words, no-mail-for-you…
“Some BlackBerry customers in the Americas are experiencing delays in message delivery,” RIM said in a statement. “Technical teams are actively working to resolve the issue for those impacted. RIM apologizes for any inconvenience experienced by customers.”
The outage is the second for RIM in the past five days. For several hours on Thursday, users were once again not able to receive or send e-mail messages. RIM did not provide any details on what caused the outages on Thursday or Tuesday night.
Googling around, you’ll find several outage reports. A few fall around this time… While it’s clear that this is only a coincidence, it proves again that there’s never a good time for an outage…
Swine, Pistachios, Alfalfa
The government is now asking people to avoid eating raw alfalfa sprouts, including sprout blends that contain alfalfa sprouts, because of possible salmonella contamination. According to the FDA press release,
Initial investigation results trace the contaminated raw alfalfa sprouts to multiple sprout growers in multiple states. This suggests a potential problem with the seeds used, as well as the possible failure of the sprout growers involved to appropriately and consistently follow the FDA Sprout Guidance issued in 1999. The guidance recommends an effective seed disinfection treatment immediately before the start of sprouting.
To me, this whole issue sounds like a classic case of a malfunctioning risk management process. I’m not an expert in food safety, but I know a few things about risk management. From reading the latest reports, it looks like someone in the FDA should start to enforce better controls on food manufacturers. We can’t change our diet because someone forgot to read a manual from 1999.
Enemy at The Watercooler
January – it’s that time of the year. Sales Kick Off. SKO. Many high technology companies are holding their annual or biannual sales meeting this week. Flights to Silicon Valley are fully booked, hotels are crowded and the bartenders are busy. The company I’m working for is no different. We’ll have our biannual meeting event in one of Silicon Valley’s finest hotels later this week. Some of us gathered at the hotel for more in-depth discussions before the entire sales and marketing force arrives.
This hotel was also chosen by a different company as their SKO launch pad. Apparently, this company competes with one of our products. At the same time, we are also very synergistic (think about PCI 6.6 WAF + VA synergy). Keeping the insider threat and the real enemy in mind, those who run sales for this company should take a look at Brian’s book (link to Amazon).
I Didn’t Do It!
The below is a true story. Some of the names were changed to protect the innocent. Yes, there is a moral to this true story, but you’ll have to read all the way…
It was a typical day. Jose Arcadio was at his office in Los Gatos, CA, probably planning the next perfect restaurant visit. Consuela Martinez was (as always) at a random hotel; this time it was in Manila, the Philippines, just before bedtime. In Sunnyvale, CA, Porky Leibowitz was Blackberry-ing.
9:34 AM | Los Gatos CA | Jose: What the heck is wrong with Security Pie – it came up all jumbled.
1:46 AM +1 day | Manila, Philippines | Consuela: Looks fine to me. What exactly do you see, Jose?
9:48 AM | Sunnyvale CA | Porky: See how we see it here in the US: Chrome and FF (screenshot added)
1:50 AM +1 day | Manila, Philippines | Consuela: Did anyone touch the style or the sidebar plugin recently?
10:51 AM | Sunnyvale CA | Porky: Not me…
10:52 AM | Los Gatos CA | Jose: Ok. So this morning it looked okay. But then I posted my post as a page (by mistake). I then reposted it as a post. It happened somewhere there. But I did not knowingly make any changes anywhere. Just wrote a blog item. But I can hear Silvester saying “did you touch it?” So it was probably me…
1:55 AM +1 day | Manila, Philippines | Consuela: Okay, let’s backtrack. What is the sequence of operations that you did, precisely?
10:52 AM | Los Gatos CA | Jose: I think I did the following:
1. Clicked new page.
2. Wrote.
3. Clicked save and then post.
4. Couldn’t find it on front page.
5. Went back, looked around, found Hong Sin’s remark under moderation and allowed it, and then figured out it was a page and not post.
6. Copied the page to a post, named it the same and posted it. It posted corruptly.
7. Deleted the page (but not the post).
2:10 AM +1 day | Manila, Philippines | Consuela: Okay, fixed. The culprit was a <div class="main"> tag that was somehow transferred with your post when you cut and pasted it. It isn’t visible in the “visual” view, only when you switch to “HTML” view. I suggest you style-edit your post; it contains this ugly link in the middle. I think you can have some text instead, where the link is just the target.
What’s the moral?
There is always one more bug. There is always something that can go wrong, and you can bet your pie that it will. Paraphrasing Assaf, I have an interest in PCI section 6.6 (don’t sue me). As I wrote elsewhere, things will go wrong. The above example takes place every day in different places: innocent mistakes that can go wrong. This time, nothing serious happened and our man in Manila was able to take care of it and fix the problem. Is your organization as lucky as Securitypie?
Clear Passwords
2008 is almost over, but there are still respectable and notable companies that act like security is none of their business. I find it very irritating that some companies that promote security as a product and company differentiator act in a non-secure fashion. Following the “no one wants to see an obese person promoting healthy food” analogy, I would expect companies nowadays to act in a secure fashion. Most web sites will send you a thank-you letter after you register, but as I discovered today, some will send you an email confirming your registration alongside your username and password in cleartext.
As a service for those who forgot, here’s how email privacy works:
And here’s the message that made me mad (identifiable elements deleted to protect the innocent):
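A site that can put your password into a confirmation e-mail is, by construction, a site that kept your password in a form it could read back. The fix is a registration flow that stores only a salted, slow hash and builds a confirmation that refers to the account without carrying the secret. The following is an added example, not code from the original post or from any of the companies it alludes to: the user store is an in-memory dict, the mail is built with the standard library but not actually sent, and the sender address and usernames are constructed. As a guard against regressions it also refuses to hand back any message whose serialised form contains the password.

```python
"""Registration that stores only a salted password hash and never e-mails the
password back. Added example, not the page's code: the user store is an
in-memory dict, the confirmation mail is built but not sent, and the sender
address and usernames are constructed.
"""
import hashlib
import hmac
import os
from email.message import EmailMessage

USERS = {}  # username -> {"salt": bytes, "hash": bytes}

# scrypt cost parameters (128 * n * r = 16 MiB of memory per hash).
SCRYPT = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt):
    """Slow, salted hash; 64-byte output by default."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


def build_confirmation(username, recipient):
    """Confirmation mail that refers to the account but carries no secret."""
    msg = EmailMessage()
    msg["Subject"] = "Your registration is complete"
    msg["From"] = "noreply@example.test"   # constructed sender
    msg["To"] = recipient
    msg.set_content(
        f"Hello {username},\n\n"
        "Your account has been created. Sign in with the password you chose "
        "at registration; we do not keep a copy and will never send it by e-mail.\n"
        "If you forget it, use the password reset link on the login page.\n"
    )
    return msg


def message_leaks_secret(msg, secret):
    """Outbound check: does the serialised message (headers + body) contain the secret?"""
    return secret in msg.as_string()


def register(username, password, recipient):
    """Store a salted hash and return the confirmation e-mail to be sent."""
    if username in USERS:
        raise ValueError("username already taken")
    if len(password) < 8:
        raise ValueError("password too short")
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}
    msg = build_confirmation(username, recipient)
    # Belt and braces: refuse to send anything that echoes the password.
    if message_leaks_secret(msg, password):
        raise RuntimeError("confirmation e-mail would leak the password")
    return msg


def verify_password(username, password):
    """Constant-time comparison; hash even for unknown users to keep timing flat."""
    rec = USERS.get(username, {"salt": b"\x00" * 16, "hash": b"\x00" * 64})
    candidate = hash_password(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"]) and username in USERS


if __name__ == "__main__":
    mail = register("jose", "correct horse battery staple", "jose@example.test")
    print(mail.as_string())
    print("login ok:", verify_password("jose", "correct horse battery staple"))
```

Two design points are worth noting. The stored record can be used to verify a password but not to recover one, so there is nothing a confirmation mail (or a breached database) could echo back. And `verify_password` hashes even for unknown usernames, so the response time does not reveal whether an account exists.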
Cisco’s Greatest Hit
Dave, a developer from Melbourne, Australia, brings an interesting story. He was installing a newly purchased VPN product. When he loaded the VPN client software, he discovered that in place of the usual boring software was an audio disc with 12 tracks of Spanish music (see Cisco’s Hit). A lively discussion on Dave’s blog tried, and succeeded, in identifying the musician. You can watch the video below.
Beyond the anecdote, there are a few things we can learn from this incident. I’m not picking on Cisco specifically: in the past, one of the products I was managing was built by a very large OEM partner that was responsible for building the appliance, packaging, forwarding, etc. Though it was very rare, we had a few incidents where customer X received parts of a printer with his order (inside the appliance package), while another customer received the wrong CDs, etc. Errors do occur, and I believe that Cisco will do everything it can to learn from this manufacturing snafu and improve its quality assurance process. However, from a security risk management point of view, this incident is a reminder to trust no one:
Every CD should be considered suspicious, even if it arrived inside a box that has the Cisco logo. Due to the popularity of Cisco’s gear there’s a second-hand market and also some fake devices. Softpedia reports that even the United States government is reportedly using some 3500 fake Cisco-branded network devices, including routers, network switches and hubs. “According to the investigation results, the fake devices are worth up to $3.5 million.”
“Trust no one” is the moral of this story. On a side note, this story also explains why the DOD is investing so much money looking for the kill switch.
Enjoy the music!
(Arik, what’s going on down there in Australia? We’re getting a steady stream of weird reports recently.)
The unprecedented use of the term unprecedented in the current crisis is terrifying
‘An unprecedented crisis’ said Hank Paulson. http://www.politico.com/news/stories/0908/13590.html
‘American economy is facing unprecedented challenges’ added a concerned George W. Bush http://www.foxnews.com/story/0,2933,425261,00.html
“The Secretary of the Treasury, Henry Paulson, will be granted unprecedented authority in the financial bailout plan” http://www.lockergnome.com/forsythe/2008/09/29/unprecedented-authority-granted-to-henry-paulson/
In a series of moves culminating overnight, Washington took an unprecedented step into the financial sector in a bid to steady an ailing housing market and ease a global credit crunch, analysts said. http://www.theaustralian.news.com.au/story/0,25197,24310593-20142,00.html
Tuesday, Paulson is spearheading an unprecedented global change as the Bush administration point man for the proposed $700 billion bailout of the U.S. financial industry as the economy reels from the credit crisis sparked by the national real estate slump and spiraling mortgage failure rates. http://www.usatoday.com/money/economy/2008-09-22-paulson-treasury_N.htm
But the $700bn (€480bn, £380bn) bail-out marks an unprecedented test of both the Democratic and Republican leadership in Congress, who are seeking to pass a proposal that they know will be unpopular among voters in an important election year and is opposed for ideological reasons by factions within both political parties. http://www.ft.com/cms/s/0/2c86b58a-89a4-11dd-8371-0000779fd18c.html
Bush: ‘unprecedented challenges’ call for ‘unprecedented action’ http://network.nationalpost.com/np/blogs/fpposted/archive/2008/09/19/bush-unprecedented-challenges-call-for-unprecedented-action.aspx
Why terrifying?
Because after all these exciting ‘unprecedented firsts‘ everything will be ‘precedented seconds’ or, in other words, bland.
Meanwhile, while things are still interesting, have you placed your bets on September Madness?

You Don’t Build A Fence This Way
The following text is taken from a GAO report on SBInet (DHS Needs to Address Significant Risks in Delivering Key Technology Investment) that was published yesterday and caught my attention. The title says it all: risk, technology and investment (everything one needs for a good read). But then, as I went over the text, I was very disappointed to learn that the DHS has not learned from the Israeli mistakes made when the security fence was built. Judge for yourself. Read the executive summary below:
Just replace some of the names and you’ll feel like you’re in the Middle East, where projects are known to be delayed, technology is always ahead of what was originally planned and the overall cost is several times higher than originally planned…
Powerpoint Snafu
The life of the technology road warrior is filled with airports, Starbucks, very long days, short nights and lots of PowerPoint slides… During my travels last week, I was presenting to a large forum. Typically, I refresh the slides at night, several hours before the presentation. While presenting I noticed two errors that I had made. One was just a typo. I really don’t like typos (unfortunately, I make more than a few). The other was an error made while copying and pasting a sentence from another presentation. To make me feel better, here are two pictures shot in Israel during the past months. Feel free to choose the caption.