This week I was asked nicely by our marketing folks if I could write something that could link to our presence at Infosecurity Europe (We're at stand K60, come visit us, there's probably free stuff, and definitely interesting people - there, y'happy now marketeers? ;) ).
Anyway, I thought I'd do a piece on new Infosec exhibitors I planned to visit. Sadly, I didn't find a lot to get me excited on my trawl through the exhibitor list! Don't get me wrong, I'm sure there's some great stands there (including ours, K60, did I mention it?), but the list just about failed to get a hoary old 10-year-infosec-veteran like me engaged.
What I did see though, was a couple of vendors offering "end user training" - particularly Bob's Business (extra points for being from Yorkshire), and Phish.me. Now, there are those who suggest that this sort of training isn't that wonderful an idea - including infosec superhero Bruce Schneier writing over at Dark Reading. I kinda agree with Bruce, especially with regard to the value of implementing training measures "server side", and increasing our resilience to inevitable failure, but I think maybe he paints slightly too dark a picture of end-user training.
I know we fail with a lot of our efforts to change user behaviour, but eventually, some of it sticks. I've written in the past about how tough it is to change people's mindset: I had to remind my dad to wear his seatbelt pretty recently, and campaigns to encourage their use have been ongoing 40 years (plus laws to that effect, plus obvious downside of going un-belted), but younger folk seem to be much more likely to belt up - something has caused the message to "stick". Eventually.
In the tech world, things seem to happen more rapidly - just around the office here we've had two-factor authentication turned on by default for a year or so on our email. When it was first turned on, people moaned. It was hard to use. It was inconvenient. Now, it's kind of expected. Indeed, when we launched a new system that couldn't do SSO, people asked: "Where's the 2FA?". Now, these were non-techies, but they were people working in the security business... but I see that as a glimmer of hope. Perhaps in this more fast-moving world the "buckle up" message will sink in within a generation?
Would love to hear from people in "the real world", where their users really don't have an interest in IT security. Have you been able to train out bad habits? Is Bruce right and end-user training won't help?
Finally... since we're here, and you've gotten this far, here's a few people I'll be visiting at Infosec anyway - Vuln management folks RandomStorm (Yorkshire connection, plus a few ex-Smoothwallers there), SIEM Maestros Splunk (I just love graphs... I think I caught the bug from one of our developers...), SSH (Which self respecting Linux-botherer would miss it?), Bunker Secure Hosting (you had me at "Bunker") and, last but not least Vipre (the now-divorced-from-GFI anti-malware used in Smoothie). Hey maybe it won't be so dull after all... visit K60. Go on. Please.

We all work in the internet security industry, and as such we're involved with a wide range of technologies, markets and people.
Our collective blog is a space for our insights, observations and interests...
(N.B. The opinions expressed here are those of the individual authors, and not those of Smoothwall ltd or Smoothwall inc.)
Monday, April 15, 2013
Monday, March 25, 2013
Mobile Malware: 3 Key Differences and 3 Top Tips
Traditional malware is relatively easy to spot - well, ok, I am sure most security vendors would disagree, but it is. Compared to mobile malware - I did say “relatively”, didn’t I?
Why is mobile malware so different to regular “desktop” malware? Well, for a start, there’s the environment. Even on our most lightweight laptops, we’re willing to leave an antivirus running 100% of the time. Sure we’ll bitch and moan about it slowing the whole show down from time to time (usually poor software, or underwhelming tin... but still...), but in the end, it stays. On our ‘phones however, small is king (don’t get me started on “phablets”, if I wanted to walk around with a plasma telly in my pocket I’d shoplift at Dixons). Small devices mean small batteries, and we generally can’t afford to keep CPU chewers around “unnecessarily”. This means that anti-malware often takes a back seat: most users won’t run it.
Second up, there’s the homogeneity of the devices. Android often gets slated for a “fragmented platform”, but if you’re looking to have the same fundamental attack vectors, mobile is a great place to be. This was a criticism levelled at the Microsoft environment 5 years ago, but while Windows is still highly popular, the software stack is much more varied - Outlook is no longer de facto, and nor is IE. iOS is going to give you even more of a predictable basis for attack, so as a malware author, it’s a great place to be. Our user has less control of the OS too, coming behind the vendor and the network in the pecking order - often a good thing, less rope to hang one’s self, but it means any AV has less foothold in the OS, and makes it hard for the user to spot “interesting” issues: the diagnostic tools aren’t readily available.
Finally, we come to the killer feature - the ability to make calls. If I “own” (or pwn, if you’re 17) your PC, you’re going to make me work to turn a profit: I can sell it, but for peanuts, I need 1000s. You probably don’t have your bank details in a text file on the desktop (do you? If so, please send your IP address on a postcard...), or at least I can’t rely on it. Your phone, however, has the ability to spend money on your behalf right out of the box by placing calls to premium numbers, or signing up to text services. Even the app store is more likely to be an easy place to slyly spend your coin than anything I can find on your PC.
So - before this post becomes “TL;DR”, I’ll leave you with a few tips on how to avoid getting your phone hacked (Russian mafia style hack, rather than lazy journalist style hack)...
Rule Zero: The fundamental rule of safety - if it looks too good to be true, that’s because it is. If an app is normally 70p, and there’s a free copy offered: pony up, you tightwad. Best case, the free/cheap one’s ad supported, worst case, it’s worse. If an app offers you something for nothing that you know normally costs money, well, you’re paying somewhere. See also: Free lunch, existence or otherwise thereof.
Rule One: Check the permissions. Both iOS and Android apps will state what the app is allowed to do. Be especially cautious with things that could cost you money. Sadly, most things need network capability for something or other, so that’s not really a good red flag, but think: does this app need this permission? Why?
Rule Two: Follow the crowd. Wildebeest know there’s safety in numbers, and you should too. If an app has many users it is more likely to be kosher, but if an app is brand new to the app store and has very few downloads, tread carefully - especially if it looks like a mature app. Check the reviews while you’re at it.
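Rule One's "does this app need this permission? Why?" can be turned into a mechanical check. The following Python is an added example, not code from the post or from Smoothwall: it reads the permissions an Android app declares in its manifest, separates the ones that can spend money from the merely sensitive ones, and compares them against a hypothetical baseline of what that kind of app plausibly needs. The permission names are real Android ones; the baseline table, the app kinds and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app spend money on your behalf: premium-rate calls,
# premium SMS and in-app purchases (the post's "things that could cost you money").
COSTS_MONEY = {
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "com.android.vending.BILLING",
}
# Permissions that read data a money-stealing app likes to have, e.g. intercepting
# confirmation texts or harvesting contacts to spam.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}
# Hypothetical baseline of what a given kind of app plausibly needs; anything
# outside it is the "does this app need this permission? Why?" question.
EXPECTED = {
    "torch": {"android.permission.CAMERA"},
    "weather": {"android.permission.INTERNET", "android.permission.ACCESS_COARSE_LOCATION"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Collect the android:name of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}

def triage(manifest_xml: str, app_kind: str) -> dict:
    """Bucket the declared permissions and give a verdict relative to the app kind."""
    perms = declared_permissions(manifest_xml)
    unexpected = perms - EXPECTED.get(app_kind, set())
    report = {
        "costs_money": sorted(perms & COSTS_MONEY),
        "sensitive": sorted(perms & SENSITIVE),
        "unexplained": sorted(unexpected - COSTS_MONEY - SENSITIVE),
    }
    # A money-spending permission the app kind does not justify is a hard stop;
    # an unjustified sensitive one is a question to ask before installing.
    if unexpected & COSTS_MONEY:
        report["verdict"] = "reject"
    elif unexpected & SENSITIVE:
        report["verdict"] = "question"
    else:
        report["verdict"] = "ok"
    return report

# Constructed sample: a "free torch" app that also wants to send SMS and read contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freetorch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, "torch"))
```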
Tuesday, March 19, 2013
Death of the Keyboard? It's not just the keys that are numbered...
I bet there's a keyboard within two feet of you right now, be it mechanical, or virtual.
You'll probably use at least three different keyboards today, which for me at least makes the keyboard more ubiquitous than the teacup.
In one guise or another, the idea of pressing buttons to produce one character at a time has been with us since 1714 and has evolved considerably in that period.
So it's been with us for a while, but personally I think the keyboard's days are well and truly numbered.
Don't get me wrong, the days when you have to go to a specialist shop for an antique piece of 'typing apparatus' aren't upon us yet, but I think soon it will be possible for even the most hardened technophile to get through the average day without typing a letter.
We're halfway there already. Between Google Now and Siri, you don't really have to touch your smartphone any more to bend its powers to your will, though there are still limitations. Touchscreens are making a valiant effort to kill the mouse and even the humble Ford Focus comes with voice control (dubbed SYNC).
In the office, things like the Leap Motion and Space Top are promising to revolutionise the way we think of the 'desktop', stripping out the middlemen of the mouse and keyboard and freeing your hands to be the expressive and dexterous tools that they were meant to be.
Couple these concepts together in a package like Google Glass or the Oculus Rift you end up with a picture more advanced than Star Trek, with people searching for, creating and sharing information without ever pushing a button. It's a fascinating technological landscape that has sweeping implications for Smoothwall and our ilk.
Thursday, January 10, 2013
10 Ways I Saved Time With Android Apps
I owned smartphones between 2001 and 2006. They were of limited use back then: costing about the same as a good smartphone in 2012, the applications were often slow and lacking features, and the interface cumbersome. Mobile internet was usually very slow, patchy and often frustrating. Not so long ago in retrospect. I was put off; they were not value for money at all.
Can the market sell to me again? I did not own another smartphone, until late 2012. I threw down the gauntlet. I enjoyed some of the advertisements and peer influence, but until the sums looked as if they were adding up for my requirements, I did not buy in. Bingo - a refined Android powered device appeared; the Galaxy Note 2. Another thing, tablets. I had resisted those too, but quite liked the look of those handy, intuitive pads. Readers are looking good as well. The Note 2 is a fusion of all these things. For someone like me, who is interested in many things, this device convinced me to buy into the marketplace again.
During my first month of ownership, these apps have genuinely saved me time whilst mobile:-
1) Camera + Gmail. Taking pictures of complex equipment at work, domestic appliances and the outcome of meetings. I reference the images to find parts, diagnose faults and communicate issues.
2) National Rail. Checking journeys and viewing delays. Less time spent waiting on a platform.
3) Met Office. Checking the five day forecast. Plan time to chop reclaimed wood for domestic multi-fuel burners.
4) Bank Balance App. Check balance and recent transactions. Knowing if payments have been received on purchases. Information to use when chasing late or lost deliveries.
5) Spotify. Finding a tune during a social gathering. A group of friends wanted to sing along to the popular folk song, The Wild Rover. Found the tune within seconds, the device speaker was good enough for a nice sing-along. I decided to subscribe to download play-lists.
6) Navigation. Searching for a store in a busy, unfamiliar area. Found the store without making any wrong turnings and had time to browse.
7) Google Sky Map. I was given a telescope for Christmas and wanted to provide Jupiter viewings for guests at a social gathering. Located Jupiter, then was easily able to point the telescope at the planet and focus. Everyone was able to see the planet’s markings and moon.
8) Clock. Setting an alarm. Usable and flexible alarm clock management. I can set alarms quickly when tired, each night I need them.
9) Independent. Independent news on-line. I no longer need to read my least favourite newspapers in a cafe I use regularly for lunch, if the single copy of ‘The i’ is in use by another customer. I might subscribe to the on-line version.
10) S Notes. I needed to take some notes whilst talking to a colleague. Important ideas, which may have been lost whilst looking for a pen and paper, were saved. For an ongoing task I couched a few ideas then noted them; the solution came to me whilst out walking.
The time accumulated in these examples ranges from a few seconds to minutes. As I find more time saving apps and become more adept at using them, this function of time will improve. The apps are good at saving time in context: when you are busy, seconds are more valuable than when relaxing at home, for example. Catching up on missed TV is perfectly viable and I'll be ordering a take-away Friday night, using the web browser.
Tuesday, November 20, 2012
Right Idea - Wrong Execution?
In my opinion, the Aussie government have always had a robust public stance on on-line child protection issues. However, it seems that they've wobbled a bit recently and dropped their own detailed Australian Communications and Media Authority (ACMA) child abuse content lists for the rather flat-footed INTERPOL 'worst of' lists. The Australian Financial Review has a detailed article on the politics behind the decision here - it makes for interesting reading especially as a foreigner with no axe to grind.
Better and more technically qualified people than I will tell you that the INTERPOL 'worst of' list is just that - it's also the slowest refreshed and the bluntest of tools. Blocking entire domains and IP addresses at DNS level is a concept and technology that belongs in the bad old days. And more importantly, really doesn't provide adequate protection for anybody especially those who are affected by the abuse.
It is also surprising that the Aussies have taken this path as the technology, resources and the will exists all around the world to do battle with this global and persistent threat. The guys at the Internet Watch Foundation and INHOPE (and their colleagues around the world) are delivering quantifiable results without adversely impacting on freedom of expression or access to legitimate content.
So - I applaud the Aussies for doing something - but I believe they (and we) can do better than implementing 'a just enough' policies on on-line child abuse content.
Monday, November 19, 2012
Block or Unlock?
With facebook's announcement that they're slowly opting all their users into HTTPS, yet another large chunk of the web gets a welcome layer of encryption.
Welcome, of course, as it helps protect users' highly personal data - often all too recoverable by network sniffing tools - and decreases the possibility of cookie hijack. It's by no means perfect, but it's a great addition.
On the other hand, this SSLization of the web universe does pose a threat in businesses and schools alike - with more traffic going over HTTPS, the requirement for web filtering to intercept and decrypt this traffic rises. In many instances, the stark choice is to either block a site completely, or perform an intrusive "Man in the Middle" inspection. These issues are always going to be most keenly felt on BYOD devices where the MitM decryption would be both more intrusive technically, and socially - hey, it's my device, my traffic, keep out!
There are no silver bullets here. Sure, we can identify most HTTPS traffic's ultimate destination (it's facebook, it's google), but many organisations need a finer level of policy if they are to allow these sites - forcing safesearch is an important one for Schools, or for businesses, maybe a restriction on facebook posts.
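The "we can identify the destination, but nothing finer" point is exactly what a filter gets from the TLS ClientHello without decrypting anything: the Server Name Indication extension carries the host name in the clear, and nothing else about the request. The following Python is an added example, not Smoothwall's code: it builds a constructed ClientHello, pulls the SNI host name out of it, and applies a hypothetical per-host block/allow table, failing closed when no SNI is present.

```python
import struct

def build_client_hello(server_name=None) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record, with an SNI
    extension when server_name is given and no extensions block at all otherwise."""
    body = (
        b"\x03\x03" + b"\x11" * 32   # client_version + 32-byte random
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\xc0\x2f"        # one cipher suite
        + b"\x01\x00"                # one compression method: null
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0 = SNI
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if the
    record is not a ClientHello or carries no well-formed SNI."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                    # header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # compression_methods
    if pos + 2 > len(hs):
        return None                                     # no extensions (older clients)
    end = min(pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], len(hs))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            name = data[5:5 + name_len]
            if len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None

# Hypothetical per-host policy; anything not listed is allowed.
POLICY = {"www.facebook.com": "block", "www.google.com": "allow"}

def decide(record: bytes) -> str:
    """Hostname-level decision for one TLS connection. Without SNI we cannot tell
    where the traffic goes short of decrypting it, so fail closed."""
    host = extract_sni(record)
    if host is None:
        return "block"
    return POLICY.get(host, "allow")

if __name__ == "__main__":
    for host in ("www.facebook.com", "www.google.com", "example.org", None):
        print(host, "->", decide(build_client_hello(host)))
```

Note what the parser never sees: the URL path, the request method or the page content, which is why a "block Facebook posts but allow reading" policy cannot be built from this alone.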
The creeping tide of HTTPS is not going away - the only thing keeping more large sites from going fully SSL is the cost/speed tradeoff (encryption on that scale can be computationally expensive), but the need for web filtering for an ever more varied set of organisations has yet to wane either.
This is going to be a long and interesting ride... and I would welcome any comments from our readers on what they are doing to work around these problems, or what they think would be the ideal scenario.
Friday, November 16, 2012
Whose views are they anyway?
Have a look at your various social media accounts – do any of them contain the name of the company you work for? Do you post a mixture of work and personal material? If so the decision of the High Court released on the 16th November is something you need to be aware of.
A bit of background; an employee, who identified his employer on his Facebook page, posted some comments following a news story about gay marriage. The comments reflected the employee’s strongly held religious convictions. Some co-workers complained and the employer determined the posts amounted to gross misconduct and imposed strong sanctions.
The English High Court considered the case and finally decided that the employer had been wrong to class the employee’s personal Facebook pages as representing the views of the organisation. On this basis the action taken over the “gross misconduct” was unfounded and the employer was in breach of contract.
You might like to think that this decision was on the basis of the principles of freedom of expression, the Human Rights Act or some equivalent legislation – you would be mistaken. What it came down to was the balance of the posts that could be seen to be related to work and those that were purely personal.
In other words, if you freely mix posts about your work and social life, you could be opening up your social media account to considerably stronger scrutiny than you imagined. There has been a rash of cases recently that demonstrate how the “written” character of social media transforms the responsibility you bear for firing your views into the ether.
So what should we do – either you need to keep your work and personal profiles separate, or recognise that anything you say could be seen in a bad light by your employer, other players in your industry or regulatory bodies. It’s worth spending a few minutes’ thought on the matter. Personally, I’ve just taken any reference to work off my Facebook account!