Category Archives: Awareness

Who do you trust?

Mr. Ken Thompson created the Bon programming language and the B programming language, co-invented the C programming language, and co-created the Plan 9 and UNIX operating systems.  He has received the Turing Award, the IEEE Richard W. Hamming Medal, Fellow of the Computer History Museum, the Tsutomu Kanai Award, the Japan Prize and the National Medal of Technology.  By all measures a “god” in computers.

In his acceptance speech for the Turing Award he gave a lecture titled Reflections on Trusting Trust.  In the first two pages he explains how to write self-replicating code.  He then explains how a compiler can be “trained,” or updated, to recognize conditions that are not yet known; in short, how to introduce behavior into the compiler binary that never appears in its source. If this were not deliberate, it would be called a compiler “bug.” Since it is deliberate, it should be called a “Trojan horse.” (Thompson, 1984)

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler.

I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect. (Thompson, 1984)

Ken Thompson, 1984

Mr. Thompson is talking, in the year 1984, about code from 1969. Now roll forward to 2014, to EMC and their RSA division, with respect to the embedded encryption software and its use of elliptic curve cryptosystems.  We have a document indicating that something was “planned” between RSA and the NSA. (Ball, 2013)  In 2007, security expert Bruce Schneier detailed the flaws in the algorithm’s use of secret constants. (Schneier, 2007)  We have the denial that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries: “We categorically deny this allegation,” says EMC’s RSA division. (RSA, Speaking of Security, 2013)  Thirty years earlier, Mr. Thompson was warning us what would happen.

Schneier, B. (2007, 11 15). Did NSA Put a Secret Backdoor in New Encryption Standard? Retrieved from www.wired.com: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

Thompson, K. (1984). Reflections on Trusting Trust. Communications of the ACM, 27 (8), 761-763.

Ball, J. (2013, 09 05). Revealed: how US and UK spy agencies defeat internet privacy and security. Retrieved from www.theguardian.com: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

RSA, Speaking of Security. (2013, 12 22). RSA Response to media claims regarding NSA relationship. Retrieved from blogs.rsa.com: https://blogs.rsa.com/news-media-2/rsa-response/


Catalyst Concepts | CSC

In addition to this week’s policies, SecSDLC and ISPME, I use the following:

CSC Catalyst

CSC Catalyst is CSC’s strategic methodology for delivering business change that addresses all aspects of a change program. It provides a common framework, language and processes that CSC uses to deliver consistent, efficient and high-quality services and solutions to our clients worldwide.

Catalyst is a set of repeatable processes and techniques for analyzing a business situation and developing and implementing the best solution. It is based on industry best practices, and reflects the thinking and experience of CSC employees globally. We use Catalyst for every outsourcing engagement, as well as to support clients in every industry.

Catalyst aligns with established standards, frameworks, and reference models. This enables organizations to come into compliance with such standards and guidelines as the SEI CMMI, ISO 9001, PMBOK, PRINCE2, ITIL and Lean/Six Sigma, among others.

Catalyst Concepts | CSC.

To be fair, I have watched the Cloud and CyberSecurity technologies and offerings get adopted into the Catalyst models.  In my day job we are investigating all the offerings in Catalyst to apply to our customers’ existing framework to increase the maturity model in the database space.

WoW is probably where they need to be looking…

Online Gaming

I was a bit dumb on the online gaming part.  It has been a while since I played WoW (2004), and I was thinking as a scout leader, where we do everything with two adults, including e-mails.

Here are some interesting articles I have dug up on this subject, and it gets worse.

http://www.dfinews.com/articles/2010/05/multiplayer-game-forensics#.Uq4-6JG6z98

http://gamepolitics.com/2011/11/03/teen-murderer-confess-crime-world-warcraft-chat#.Uq4-8pG6z98

http://exforensis.blogspot.com/2010/05/multiplayer-game-forensics-ceic-2010.html

http://socialtimes.com/sociologists-measure-social-behavior-and-psychology-in-world-of-warcraft_b12433

So it looks like we need online police and they need to be watching.


To fel with you! There’s an NSA spook in my World of Warcraft • The Register


Okay, most programs now have the ability to leave a message to convey a message.  Should adult agents be pretending to be children to “talk” on game message boards?  No, I think they have crossed the line.  Gathering information from a database or a tap is one thing, but interaction with children is a big no-no.  Who is watching them?  I am not cool with this.

The 5 Causes of IAM Failure | FishNet Security


My experience with IAM failure comes from unrealistic expectations, where the originally suggested design is too far from the implemented design, leading to unhappy customers and preventable outages.  The cost of the implementation project, plus outages and further implementations, exceeds the cost of the early design by a wide margin.  It is the “get it in and we will fix it” mentality vs. “let’s look at the end state and build our roadmap to that.”

Talking Data Security and Compliance » Security is a Business Imperative, Not an IT Task


We cannot just bolt it on.  It is a new way of thinking.  For example, there is a generation of us that hold doors open for people.  This thinking leads to “tailgating” through a security point.  A whole new way of thinking has to be adopted to prevent this.  The same goes for everything else, from having issues with a common system to asking to borrow a user-id and password to “just get it done”.  Change is hard.  Breaking bad habits when they are not thought of as bad, or as a security issue, is going to be harder.  BYOD should be very fun for classification of data and the issues it brings with that policy.