Unless you were hiding in a cave in the past hours you know that Google is taking some serious steps to protect its customers (you, me, all of us) after it was attacked one more time (see  ”Google on the defensive, vulnerable; China risks international and U.S. response“). Among other things, “Google Finally Improves Security of Gmail Connections as Consumer Watchdog Urged” which is great:

Consumer Watchdog said Google should use encryption for connections to all its Internet-based services, not just Gmail.The new security measures would not have prevented the sort of cyber attack that targeted Google from China. It does increase security to prevent third parties from snooping as information moves from a computer over a network to Google’s servers. Google has offered SSL encryption using the https protocol as an option since 2008

But if you look on the  the screenshot you can see that NOT all the traffic is encrypted… While this might be OK for static pages, who knows what other pages are not protected with SSL? Why can’t you turn it on for the entire site? It will add more credibility and assurance…

HTTPS by default - not so sure

Some BlackBerry customers in the Americas are experiencing delays in message delivery,” RIM said in a statement. “Technical teams are actively working to resolve the issue for those impacted. RIM apologizes for any inconvenience experienced by customers.”

The outage is the second for RIM in that past five days. For several hours on Thursday, users were once again not able to receive or send e-mail messages. RIM did not provide any details on what caused the outages on Thursday or Tuesday night.

Googling around, you’ll find several outage reports. Few are during this time… while it’s clear that it is only a coincidence it proves again that there’s never a good time for an outage…

Initial investigation results trace the contaminated raw alfalfa sprouts to multiple sprout growers in multiple states. This suggests a potential problem with the seeds used, as well as the possible failure of the sprout growers involved to appropriately and consistently follow the FDA Sprout Guidance issued in 1999 . The guidance recommends an effective seed disinfection treatment immediately before the start of sprouting.

To me, this whole issue sounds like a classic case of malfunction with the risk management process: I’m not an expert in food safety, but I know few things about risk management. From reading the last reports, it looks like someone in the FDA should start to enforce better controls on food manufacturers.  We can’t change our diet because someone forgot to read a manual from 1999. 

January – It’s this time of the year. Sales Kick Off. SKO. Many high technology companies are having their annual or bi annual sales meeting this week.  Flights to the Silicon Valley are fully booked, hotels are crowded and the bartenders are busy.  The company I’m working for is not different. We’ll have our bi annual meeting event in one of the Silicon Valley’s finest hotel later this week.  Some of us gathered together at the hotel to have more in depth discussion before the entire sales and marketing force will arrive. 

This hotel was chosen by a different company as their SKO launch pad. Apparently, this company competes with one of our products. At the same time, we are also very synergetic. (Think about PCI 6.6 WAF + VA synergy).  Keeping the insider threat and the real enemy in mind, those who run sales for this company should take a look at Brian’s book (link to Amazon) 

enemy at the water cooler

I’ve unintentionaly learned so many things about this company… All I had to do was – nothing.

Jsut stand at the bar, smile, nod when other people say hello and listen…..

It was a typical day. Jose Arcadio was at his office in Los Gatos CA, probably planning the next perfect restaurant visit.  Consuela Martinez was (as always) at a random hotel. This time it was in Manila, the Philippines, just before bedtime. In Sunnyvale CA Porky Leibowitz was Blackberry-ing .

9:34 AM| Los Gatos CA|Jose: What the heck is wrong with Security Pie – It came up all jumbled.

1:46 AM+1 day | Manila, Philippines |Consuela: Looks fine to me. What exactly do you see, Jose?

9:48 AM |Sunnyvale CA|Porky : See how we see it here in the US: Chrome and FF (screen shoot added )

1:50 AM +1 day |Manila, Philippines |Consuela: Did anyone touch the style or the sidebar plugin recently?

10:51 AM |Sunnyvale CA|Porky : Not me…

10:52: AM |Los Gatos CA|Jose: Ok. So this morning it looked okay. But then I posted my post as a page (by mistake). I then reposted it as a post. It happened somewhere there. But I did not knowingly make any changes anywhere. Just wrote a blog item. But I can hear Silvester saying “did you touch it”? So it was probably me…

1:55 AM +1 day|Manila, Philippines|Consuela : Okay let’s backtrack. What is the sequence of operations that you did, precisely?

10:52: AM |Los Gatos CA|Jose: I think I did the following:

1. Clicked new page.

2. Wrote.

3. Clicked save and then post.

4. Couldn’t find it on front page.

5. Went back, looked around, found Hong Sin’s remark under moderation and allowed it, and then figured out it was a page and not post.

6. Copied the page to a post, named it the same and posted it. It posted corruptly.

7. Deleted the page (but not the post).

2:10 AM +1 day |  Manila, Philippines|Consuela: Okay fixed. The culprit was a <div class=”main”> tag that was somehow transferred with your post when you cut and pasted it. It isn’t visible in the “visual” view, only when you switch to “HTML” view. I suggest you style-edit your post, it contains this ugly link in the middle; I think you can have some text instead where the link is just the target.

What’s the moral?

There is always more one bug. There is always something that can go wrong and you can bet your pie that it would.  Paraphrasing Assaf, I have interest in PCI section 6.6 (don’t sue me).  As I wrote in another place, things will go wrong. The above example takes place every day in different places. Innocent mistakes that can go wrong. This time, nothing serious happened and our man in Manila was able to take care and fix the problem. Is your organization is as lucky as Securitypie ?

As a service for those who forgot, here’s how email privacy works:

How email works

And here’s the message that turned me mad (Identifiable elements deleted to protect the innocent):

Cisco is promoting Diego Rivas

Dave, a developer from Melbourne, Australia brings an interesting story . He was installing a newly purchased VPN product. When he loaded the VPN client software, he discovered that in the place of the usual boring software was an audio disk with 12 tracks of Spanish music (see Cisco\’s Hit). A lively discussion on Dave’s blog tried and successfully managed to identify the musician.  You can watch the video below.

Beyond the anecdotal story there are few things that we can learn from this incident. I’m not picking on Cisco specifically: In the past, one of the products that I was managing was built by very large OEM partner that was responsible for building the appliance, packaging, forwarding etc. Though it was very rare, we had few incidents when customer X received parts of a printer with his order (inside the appliance package), while another customer received the wrong CDs etc. Errors do occur and I believe that Cisco will do everything it can to learn from this manufacturing snafu and improve its quality assurance process. However from a security risk management point of view , this incident is a reminder to trust no one:

Every CD should be considered suspicious, even if it arrived inside a box that has the Cisco logo. Due to the popularity of Cisco’s gear there’s a second hand market and also some fake devices. Softpedia tells that even the United States government is reportedly using some 3500 fake Cisco-branded network devices, including routers, network switches and hubs. “According to the investigation results, the fake devices are worth up to $3.5 million.” 

Trust no one is the moral of this story.  On a side note, this story also explains why the DOD is investing so much money looking for the kill switch. 

Enjoy the music!

(Arik, What’s going on down there in Australia?, we’re getting a steady stream of weird reports recently  

‘American economy is facing unprecedented challenges‘ added a concerned George W. Bush http://www.foxnews.com/story/0,2933,425261,00.html

“The Secretary of the Treasury, Henry Paulson, will be granted unprecedented authority in the financial bailout plan” http://www.lockergnome.com/forsythe/2008/09/29/unprecedented-authority-granted-to-henry-paulson/

In a series of moves culminating overnight, Washington took an unprecedented step into the financial sector in a bid to steady an ailing housing market and ease a global credit crunch, analysts said. http://www.theaustralian.news.com.au/story/0,25197,24310593-20142,00.html

Tuesday, Paulson is spearheading an unprecedented global change as the Bush administration point man for the proposed $700 billion bailout of the U.S. financial industry as the economy reels from the credit crisis sparked by the national real estate slump and spiraling mortgage failure rates. http://www.usatoday.com/money/economy/2008-09-22-paulson-treasury_N.htm

But the $700bn (€480bn, £380bn) bail-out marks an unprecedented test of both the Democratic and Republican leadership in Congress, who are seeking to pass a proposal that they know will be unpopular among voters in an important election year and is opposed for ideological reasons by factions within both political parties. http://www.ft.com/cms/s/0/2c86b58a-89a4-11dd-8371-0000779fd18c.html

Bush: ‘unprecedented challenges‘ call for ‘unprecedented action‘ http://network.nationalpost.com/np/blogs/fpposted/archive/2008/09/19/bush-unprecedented-challenges-call-for-unprecedented-action.aspx

Why terrifying?
Because after all these exciting ‘unprecedented firsts‘ everything will be ‘precedented seconds’ or, in other words, bland.

Meanwhile, while things are still interesting, have you placed your bets on September Madness?

SBInet, DHS Secure Border system

Just replace some of the names and you feel like your in the Middle East, where projects are known to be delayed, technology is always ahead of what was originally planned and the overall cost is several times higher then originally planned….

Important aspects of SBInet remain ambiguous and in a continued state of
flux, making it unclear and uncertain what technology capabilities will be
delivered, when and where they will be delivered, and how they will be
delivered. For example, the scope and timing of planned SBInet deployments and
capabilities have continued to change since the program began and, even now,
are unclear. Further, the program office does not have an approved integrated
master schedule to guide the execution of the program, and GAO’s assimilation
of available information indicates that the schedule has continued to change.
This schedule-related risk is exacerbated by the continuous change in and the
absence of a clear definition of the approach that is being used to define,
develop, acquire, test, and deploy SBInet. The absence of clarity and stability in these
key aspects of SBInet impairs
the ability of the Congress to oversee the program and hold DHS accountable for
program results, and it hampers DHS’s ability to measure program progress.

SBInet requirements
have not been effectively defined and managed. While the program office
recently issued guidance that defines key practices associated with effectively
developing and managing requirements, such as eliciting user needs and ensuring
that different levels of requirements and associated verification methods are
properly aligned with one another, the guidance was developed after several key
activities had been completed. In the absence of this guidance, the program has
not effectively performed key requirements definition and management practices.
For example, it has not ensured that different levels of requirements are
properly aligned, as evidenced by GAO’s analysis of a random probability sample
of component requirements showing that a large percentage of them could not be
traced to higher-level system and operational requirements. Also, some of SBInet’s operational
requirements, which are the basis for all lower-level requirements, were found
by an independent DHS review to be unaffordable and unverifiable, thus casting
doubt on the quality of lower-level requirements that are derived from them. As
a result, the risk of SBInet not
meeting mission needs and performing as intended is increased, as are the
chances of expensive and time-consuming system rework.

SBInet testing
has not been effectively managed. For example, the program office has not
tested the individual system components to be deployed to the initial
deployment locations, even though the contractor initiated integration testing
of these components with other system components and subsystems in June 2008.
Further, while a test management strategy was drafted in May 2008, it has not
been finalized and approved, and it does not contain, among other things, a
clear definition of testing roles and responsibilities; a high-level master
schedule of SBInet test
activities; or sufficient detail to effectively guide project-specific test
planning, such as milestones and metrics for specific project testing. Without
a structured and disciplined approach to testing, the risk that SBInet will not satisfy user
needs and operational requirements, thus requiring system rework, is increased.

Seriously, long term, highly technological projects always risky to manage. In a way, I admire those that can manage a project with hundreds and thousands of dependencies, external controls, budget constrains and eventually deliver a solution. I am sure that under the proper guidance, this said system will become the cornerstone of the border control system.

]]> http://securitypie.com/you-dont-build-a-fence-this-way/feed/ 0 http://securitypie.com/powerpoint-snafu/ http://securitypie.com/powerpoint-snafu/#comments Sun, 14 Sep 2008 06:42:21 +0000 sharon http://securitypie.com/?p=77 The life of the technology road warrior are filled with airports, Starbucks, very longs days, short nights and lots of PowerPoint slides … During my travel last week, I was presenting to a large forum. Typically, I was refreshing the slides at night,  several hours before the presentation.  When I presenting I noticed two errors that I have made. One was just a typo. I really don’t like typos (unfortunately, I have more than a few). The other was an error made while copying and pasting a sentence from another presentation.  To make me feel better, here are two pictures shot in Israel during the past months.  Feel free to choose the caption

Copy&Paste

Typo