Monthly Archives: January 2014

Who do you trust?

Mr. Ken Thompson is the creator of the Bon programming language and the B programming language, co-inventor of the C programming language, and a creator of the Plan 9 and UNIX operating systems. He has received the Turing Award, the IEEE Richard W. Hamming Medal, the Tsutomu Kanai Award, the Japan Prize and the National Medal of Technology, and is a Fellow of the Computer History Museum. By all measures a “god” in computers.

In his acceptance speech for the Turing Award he gave a lecture titled Reflections on Trusting Trust. In the first two pages he explains how to write self-replicating code. He further explains how a compiler can be “trained,” that is, updated so that it accepts future conditions as yet unknown. In short, how to plant behaviour in the compiler binary that is not present in its source. If this were not deliberate, it would be called a compiler “bug.” Since it is deliberate, it should be called a “Trojan horse.” (Thompson, 1984)

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler.

I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect. (Thompson, 1984)

Ken Thompson, 1984

Mr. Thompson was talking in 1984 about code from 1969. Now roll forward to 2014 and to EMC and its RSA division, with respect to their embedded encryption software and its use of elliptic curve cryptography. We have a document that would indicate that something had been “planned” between RSA and the NSA. (James Ball, 2013) In 2007, security expert Bruce Schneier detailed the flaws in the algorithm’s use of secret constants. (Schneier, 2007) We have RSA’s denial that it entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries: “We categorically deny this allegation.” (RSA, Speaking of Security, 2013) Mr. Thompson, thirty years earlier, was warning us what would happen.
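The following is an added example, not code from the post or from Thompson’s paper. It is a toy simulation: a “binary” is just the set of behaviours a compiler emitted, and a “compiler” is such a binary that the model runs over a few constructed source lines. The trojaned compiler does the two things Thompson describes (it adds a backdoor to login and re-inserts itself whenever it compiles the compiler), and the check shown against it is David A. Wheeler’s diverse double-compiling (DDC): compile the suspect compiler’s source with an independent trusted compiler, compile it again with that result, and compare with what the suspect produces from its own source. The names (`cc`, `tcc`, `login`) and the feature-line language are assumptions made for the example.

```python
"""Toy model of a compiler Trojan horse and the DDC check against it.

Constructed for illustration only: sources are text, binaries are the set of
behaviours emitted, and run_compiler() is the toy "execution" of a compiler.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    """A compiled artefact: its program name and the behaviours it carries."""
    name: str
    features: frozenset


def parse_features(code: str) -> frozenset:
    """Toy language: every line 'feature <x>' compiles to behaviour <x>."""
    return frozenset(
        line.split(None, 1)[1].strip()
        for line in code.splitlines()
        if line.startswith("feature ")
    )


def run_compiler(compiler: Binary, name: str, code: str) -> Binary:
    """Run a compiler binary on a source program (toy semantics).

    A clean compiler translates the source faithfully. A compiler carrying the
    'trojan' behaviour also adds a 'backdoor' to the login program and
    re-inserts 'trojan' when compiling the compiler itself, so the behaviour
    survives even though it appears nowhere in the compiler's source.
    """
    features = set(parse_features(code))
    if "trojan" in compiler.features:
        if name == "login":
            features.add("backdoor")
        if name == "cc":
            features.add("trojan")
    return Binary(name, frozenset(features))


def diverse_double_compile(trusted: Binary, suspect: Binary, suspect_source: str) -> bool:
    """Diverse double-compiling (Wheeler), toy version.

    Requires a deterministic compiler and a trusted compiler of independent
    origin; under those assumptions the suspect's self-built output must equal
    the output bootstrapped from the trusted compiler.
    """
    stage1 = run_compiler(trusted, "cc", suspect_source)      # sA compiled by T
    stage2 = run_compiler(stage1, "cc", suspect_source)       # sA compiled by stage1
    self_built = run_compiler(suspect, "cc", suspect_source)  # sA compiled by A itself
    return stage2.features == self_built.features


# Constructed sample sources: neither mentions a backdoor or a trojan.
CC_SOURCE = "feature parse\nfeature optimise\nfeature codegen\n"
LOGIN_SOURCE = "feature prompt\nfeature check-password\n"

# An independent trusted compiler (assumed different origin, e.g. another vendor).
TRUSTED_CC = Binary("tcc", frozenset({"parse", "codegen"}))
# Two suspect compilers: one honest, one trojaned at some point in its past.
HONEST_CC = run_compiler(TRUSTED_CC, "cc", CC_SOURCE)
TROJANED_CC = Binary("cc", HONEST_CC.features | {"trojan"})


def build_login(compiler: Binary) -> Binary:
    """Compile the clean login source with the given compiler binary."""
    return run_compiler(compiler, "login", LOGIN_SOURCE)


def rebuild_cc(compiler: Binary) -> Binary:
    """Recompile the compiler from its clean source with the given binary."""
    return run_compiler(compiler, "cc", CC_SOURCE)


def main() -> None:
    for label, cc in (("honest", HONEST_CC), ("trojaned", TROJANED_CC)):
        login, rebuilt = build_login(cc), rebuild_cc(cc)
        print(f"{label} cc: login backdoor={'backdoor' in login.features}, "
              f"trojan survives rebuild={'trojan' in rebuilt.features}, "
              f"DDC passes={diverse_double_compile(TRUSTED_CC, cc, CC_SOURCE)}")


if __name__ == "__main__":
    main()
```

Source review of `CC_SOURCE` finds nothing, and rebuilding the trojaned compiler from that clean source still yields a trojaned binary, which is exactly the point of the quoted “moral.” DDC exposes it only because `TRUSTED_CC` is of independent origin; if the trusted compiler shared the same trojan, both sides of the comparison would agree and the check would pass, which is Thompson’s closing warning in a different form.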

Schneier, B. (2007, 11 15). Did NSA Put a Secret Backdoor in New Encryption Standard? Retrieved from www.wired.com: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

Thompson, K. (1984). Reflections on Trusting Trust. Communications of the ACM, 27(8), 761-763.

Ball, J. (2013, 09 05). Revealed: how US and UK spy agencies defeat internet privacy and security. Retrieved from www.theguardian.com: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

RSA, Speaking of Security. (2013, 12 22). RSA Response to media claims regarding NSA relationship. Retrieved from blogs.rsa.com: https://blogs.rsa.com/news-media-2/rsa-response/


Catalyst Concepts | CSC

In addition to this week’s policies, SecSDLC and ISPME, I use the following:

CSC Catalyst

CSC Catalyst is CSC’s strategic methodology for delivering business change that addresses all aspects of a change program. It provides a common framework, language and processes that CSC uses to deliver consistent, efficient and high-quality services and solutions to our clients worldwide.

Catalyst is a set of repeatable processes and techniques for analyzing a business situation and developing and implementing the best solution. It is based on industry best practices, and reflects the thinking and experience of CSC employees globally. We use Catalyst for every outsourcing engagement, as well as to support clients in every industry.

Catalyst aligns with established standards, frameworks, and reference models. This enables organizations to come into compliance with such standards and guidelines as the SEI CMMI, ISO 9001, PMBOK, PRINCE2, ITIL and Lean/Six Sigma, among others.

Catalyst Concepts | CSC.

To be fair, I have watched the Cloud and CyberSecurity technologies and offerings get adopted into the Catalyst models. In my day job we are investigating all the offerings in Catalyst to apply to our customers’ existing framework to increase the maturity model in the database space.

Books, Stephen Pedneault, Fraud 101, Anatomy of Fraud Investigation, Preventing & Detecting Employee Theft & Embezzlement | Forensic Accounting Services

Not knowing very much about fraud investigation, I ran across Stephen Pedneault’s book Anatomy of a Fraud Investigation: From Detection to Prosecution. This was an interesting read. Since it was cold and snowy outside, I got the ebook from Amazon and read it. Although Mr. Pedneault spends considerable time taping and cutting the tape to the storage closet for the 26 boxes, four computers and four garbage bags of evidence, he tells a great story. Lots of twists and turns, but for a computer guy studying computer forensics it has great detail. I still want to know what was on the laptop! Some very important points are made in the book along the way to help explain why certain actions are taken or not taken. Very important to beginners just starting out in forensics.


Books, Stephen Pedneault, Fraud 101, Anatomy of Fraud Investigation, Preventing & Detecting Employee Theft & Embezzlement | Forensic Accounting Services.