Thursday, February 24, 2011

Cool Things I Learned About Security From Watching Spy Movies...

I love spy movies; I've watched every single one I can find, from "Spies Like Us" to the "Mission: Impossible" series and everything in between (including the really, really bad ones).  Spy movies teach us a lot about real security and how it can be defeated, and some of the Hollywood truisms (and "bending the rules") demonstrate what we're all already thinking, and probably know to be true anyway.  I've learned a lot, and I see a great many applications to real-life InfoSecurity, so I thought I'd share them with you here...

  1. You're being attacked.  Right now... and now... and now.
  2. Computers are easy to manipulate
  3. People are even easier to manipulate
  4. Your 'perimeter' is only as strong as the guy holding that USB stick walking in your office door
  5. Encryption is breakable... actually, "encryption" you build yourself is breakable
  6. The common denominator amongst the thousands of daily-use social media, financial, and other high-traffic sites is one set of credentials
  7. If you want to break military-grade encryption to steal intellectual property or state secrets, use a $15 hammer applied to the owner's open palm
  8. Knowing where your target is located at all times is critical.  Spies use expensive equipment like satellites, GPS, and other gadgets; in lieu of expensive gadgetry I suggest Facebook or Foursquare.
  9. Remember when it was cool to watch a movie spy 'tap in' and listen in on a person's cell phone call from another part of the world?  Yeah, that's possible.
  10. By the time you've read this far, I've utilized the exploit you don't know about in that browser you're using to gain access to your machine.  You really shouldn't keep pictures like that in that 'hidden' folder in "My Documents"... HR would be unhappy with you.
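Item 5 deserves a demonstration. The block below is an added example, not code from the original post: a toy repeating-key XOR "cipher" of the kind people roll themselves, analysed the way a defender would. The key, the message and the `homebrew_*`, `recover_key`, `splice` and `demo` names are all constructed for illustration. It shows two things the post only asserts: eight bytes of predictable plaintext (a fixed header) hand over the entire key, and because nothing authenticates the ciphertext, a known word can be rewritten in transit without the key ever being learned.

```python
# Added example, not from the original post: why "encryption" you build
# yourself is breakable. The toy cipher, key and message below are all
# constructed for illustration.

KEY_LEN = 8  # the homebrew scheme reuses an 8-byte key across the message


def homebrew_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Repeating-key XOR: the kind of 'encryption' people roll themselves."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


homebrew_decrypt = homebrew_encrypt  # XOR is its own inverse


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext analysis: with key_len bytes of predictable plaintext
    (a fixed file header, a protocol banner) the whole key falls out, because
    ciphertext XOR plaintext == key."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def splice(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: the scheme has no integrity check, so anyone who knows the
    plaintext at `offset` can rewrite it without ever learning the key."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length")
    delta = bytes(o ^ n for o, n in zip(old, new))
    out = bytearray(ciphertext)
    for i, d in enumerate(delta):
        out[offset + i] ^= d
    return bytes(out)


def demo() -> dict:
    """Run both weaknesses against a constructed message and return the results."""
    secret_key = bytes.fromhex("3a7f11c9e2045bd0")                       # constructed key
    message = b"REPORT: asset meets contact at the old mill at dawn"    # constructed message
    ct = homebrew_encrypt(secret_key, message)

    # 1. The 8-byte header "REPORT: " is predictable, so the key is recoverable.
    guessed = recover_key(ct, b"REPORT: ", KEY_LEN)
    recovered = homebrew_decrypt(guessed, ct)

    # 2. Flip "dawn" to "dusk" in the ciphertext without knowing the key;
    #    the legitimate recipient decrypts it and sees nothing wrong.
    pos = message.index(b"dawn")
    tampered = homebrew_decrypt(secret_key, splice(ct, pos, b"dawn", b"dusk"))

    return {
        "key_recovered": guessed == secret_key,
        "plaintext": recovered,
        "tampered": tampered,
    }


if __name__ == "__main__":
    result = demo()
    print("key recovered from header:", result["key_recovered"])
    print("plaintext:", result["plaintext"].decode())
    print("tampered :", result["tampered"].decode())
```

Both steps fail against a vetted authenticated cipher (AES-GCM or ChaCha20-Poly1305 from a maintained library): no plaintext/ciphertext pair reveals the key, and any bit flipped in the ciphertext is rejected by the authentication tag before the recipient ever sees a decrypted byte. That, not a cleverer homebrew scheme, is the takeaway from item 5.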

Wednesday, February 9, 2011

Hooray for Accountability (ZDI Drops 22 0day)

Well, it's February 2011, and the year is flying by already.  Quite frankly, I'm thrilled to see this story run and made a big deal of, because if you're anything like me you're sick to your stomach from all the large software vendors that have been non-accountable for the crap they release.

The Register is running a story about how the ZDI has "spilled the beans" on 22 advisories, along with some of the juicy details of the bugs.  Rather than waiting indefinitely for the vendor to decide whether they care to take the time to patch their software or not, ZDI has taken a stand and published the bugs just 180 days after confirming the vulnerability with the vendor.  I think that's fair, don't you?  Six months to analyze, identify, strategize and release a patch is plenty of time, even if you're a monster Fortune 100 corporation.

What I think is the bigger story, bigger than the 22 bugs released (one of which is an unpatched flaw in ZDI's parent company, HP... oh noes!), is that the ZDI changed their policy a while back so as not to wait indefinitely for a patch from the vendor before publishing the bugs.  Now it's 180 days, and then it's time to pay the piper... and you have to hold them in high regard for that.

If you'd like to see the disclosure on the ZDI blog, check it out here... companies include EMC, Novell, CA, SCO, HP and of course IBM.

In all the buzz and press around this release, I think it's critical to remember one thing: accountability is paramount.  If you don't hold yourself accountable... the ZDI boys and girls will.