Archive for the ‘Uncategorized’ Category

Did your company spend millions on “access governance” and fail to automate anything?

Friday, June 8th, 2018

Imagine that you’re a mid-sized organization (say 2,500 employees in the case of a particular, real-world organization I have in mind) and a few years ago your company took the advice of a leading systems integrator / consulting firm and purchased licenses for the market leading IAM product.

You have since invested over $4 million in software, runtime platform, maintenance fees and lots (!) of implementation services. You have purchased as much consulting time as seemed appropriate, and you still have projects on the go.

By this time, after this much time and money spent, you would expect to have a lot of integrations and process automation in place, wouldn’t you? Several years and 4 million dollars should buy a lot, you’d think.

Unfortunately, if you were convinced to buy SailPoint, you probably haven’t got much to show for it. You have an excellent platform for running access certification campaigns, and you have built a system that integrates directly with your AD domain, plus consumes all sorts of CSV files from many applications, but that’s about it.

You haven’t automated any joiner/mover/leaver processes.

You don’t have a request portal rolled out to your users.

The SoD enforcement is sketchy at best — there are definitely ways to submit requests that should but do not trigger SoD violations.

Integrations are mainly via “flat files” — not real connectors.

But hey – there are pretty dashboards! Those must add value, right?

That’s not a great way to spend $4 million, but the integrator keeps proposing more — though every deployment phase seems to amount to just more CSV file “integrations.”

Maybe it’s time to get off the treadmill and look at better solutions, that can actually automate IAM processes, rather than delivering “access governance” but only promising (and never delivering) IAM process automation?

I can name a few organizations in this boat. Are you stuck in this situation too?

Please ‘like’ or ‘share’ if this scenario sounds all too familiar.

PC, Smart phone shipments declining

Thursday, March 1st, 2018

I noticed two apparently-unrelated news articles today:

9to5google.com

and

theregister.co.uk

One talks about declining unit sales of phones and the other talks about the same thing for PCs.

Reading these articles, you’d think the sky is falling. Less phones are selling, on an annual basis! Less PCs too! Oh no! These industries are in trouble!

I think the reality is actually much simpler: PCs have been quite good for years now. Smart phones have likewise reached a plateau in terms of functionality and performance. Sure, new PCs and phones are nicer than old ones, but the extra screen pixels, camera resolution and compute power are not solving any new problems – they just meet the same old needs slightly better than before.

More than that, both PCs and phones are increasingly used to access cloud platforms. The heavy computation, storage, etc. are done on someone else’s server, not on personal devices any more. This makes local compute and storage even less meaningful.

So when a hardware manufacturer asks for $1000 for a shiny new phone or $1500 for a shiny new PC, most consumers compare the extra value of the new toy to the functionality of their existing PC or phone and choose to just leave the old device alone. It’s not broken. It’s working fine. Why upgrade?

I think this is the new normal. If you write software, or provide on-line services, then you shouldn’t care about this. People are on-line pervasively. They use browsers to access everything. There is no problem here.

If you are a phone or PC manufacturer, you just have to reset your expectations. The hardware replacement cycle is lengthening, not because consumers don’t want your product any more, but because your last generation was very good and the current generation is not so much better as to justify a new purchase. You’ll still sell lots of units, but the age of rapid growth is over. Heck, the only way you’ll grow your shipments is to win more market share from competitors. Get used to flat sales and razor thin margins folks. That’s the steady state of selling hardware.

Will this situation change? I doubt it. I have a hard time imagining what new capabilities phone or PC makers will be able to invent tomorrow, to excite consumers into a big hardware refresh cycle.

So a tough situation for hardware makers and a good situation for everyone else. That’s life.

Bitcoin Hype

Tuesday, January 16th, 2018

Blockchain has become quite the hyped technology over the past year.

Consider this: it’s a distributed, validated ledger of transactions. It’s useful to transfer value between parties who may not know each-other, who may wish to remain anonymous and who wish to ensure that transfer is singular — no “double payment.”

That’s the high level picture.

On the other hand, it’s got some draw-backs:

  • It’s computationally expensive, by design.
  • It’s a profligate user of electrical energy.
    Bitcoin alone is estimated to consume over 41 terawatt-hours per year:
    digiconomist.net/bitcoin-energy-consumption.
  • It’s slow.
    The entire Bitcoin network only processes about 300,000 transactions/day
    or about 3.5 transactions/second).
    blockchain.info/charts

People have lots of wild theories about where this technology will bear fruit, but in practice the only major use case today is for criminals to pay for goods and services. Awesome.

The other “use case” today is a speculative market in exchanging Bitcoin for hard currency, like USD. Here’s the chart:

www.xe.com/currencycharts/?from=XBT&to=USD&view=1Y

I recently read a great write-up comparing the hype of blockchain to the reality:

hackernoon.com/ten-years-in-nobody-has-come-up-with-a-use-case-for-blockchain-ee98c180100

So what’s the reality?

  • Is it a safe place to store value? Only if you are sure that your private key and/or password will never be compromised and that you’ll never make a mistake when transferring funds. If you don’t trust yourself enough for that, with large value wealth storage, then it’s a bad platform for you.
  • Are bitcoin exchanges a safe place to store money? Given their history of hacks and shady business, I’d say no.
  • Is it good for funds transfer? Not really, given the cost and delay of transactions. Only criminals who really, really need anonymity would put up with the awful process.
  • Is it good for small payments? Not really. Too slow and costly.
  • Is it a good alternative for hyper-inflationary currencies issued by idiot regimes? US Dollars or Euros are a more practical choice there.
  • Does it have stable value? If you read the news, you know that Bitcoin/USD exchange rates have behaved more like a bubble than an investment-grade product.
  • Would it be a good alternative to inter-bank transfers? Maybe, but not anytime soon.
  • What about smart contracts? Sounds good, but people engaged in legal contracts generally want to understand what they are signing up for, and few can read algorithms. Moreover, how do you tie a smart contract to real-world trigger events?
  • What about using it to manage identities? The only plausible use case here is for citizens or consumers (forget about identities within the enterprise) and in any case it’s not clear how to link such a blockchain to physical things like birth records or driver licenses.

In other words, it’s a cool way for criminals to transfer funds anonymously and a plausible way for institutions to handle large but infrequent transfers among themselves. For everything else, the cost, inconvenience, non-repudiation, delay and even anonymity look like problems rather than advantages.

But everyone is making noises about “doing blockchain,” like this soft drink company:

Long Island Iced Tea?

So why is everyone jumping on the blockchain bandwagon? Because it’s the latest fad, and if your company tells the world that it’s researching the latest blockchain technology, your stock price will probably get a bounce. But don’t hold your breath for results.

Even “security consulting” firms get hacked

Tuesday, September 26th, 2017

I have to confess – I love irony.

… Sounds nice, but the reality is more like this …

Sounds like their Office 365 admin account got hacked … because they used neither the built-in 2FA on Azure nor a privileged access management system. Like our friends at Equifax, Deloitte delayed public disclosure as long as possible and is actively down-playing the scope of the (very serious, it seems) compromise.

Would you take security advice from a firm that got hacked in this way and failed to disclose to their customers?

Equifax breach

Friday, September 8th, 2017

The Equifax breach reported this week sets a new bar for exploited PII!

Apparently SSN, name, DoB and in some cases CC data for 143 million Americans was compromised. Given that probably 1/4 of the population has no credit cards (children, the elderly, illegal immigrants, etc.), this means that PII for over half of US card-holders was compromised in a single hack. That’s huge!

What can we learn from this?

First, what not to do? Other firms should learn from Equifax’ mistakes:

  1. Equifax let this happen, presumably by under-investing in IT security. Did they have a privileged access management system? Effective access deactivation processes? Pen testing against apps? Sound firewalls? 2FA? I don’t know, but I bet some of those questions will come back with a “no.”
  2. Equifax discovered the breach on July 29 but disclosed Sep 7. That’s a 40 day delay – disgraceful and probably illegal in some states.
  3. While the Yahoo breach was larger, this one included SSNs and some D/Ls, so the data stolen from Equifax is much more suitable for identity theft. This is bad folks.
  4. There may have been insider trading – three executives sold some stock after the breach was discovered but before it was public. If they knew about the breach, they are risking jail time.
  5. Equifax setup a web site for consumers to check if their information was included in the hack. But apparently you have to waive your right to join a class action lawsuit against Equifax to use it. That’s “sneaky” – except that lots of people caught on, so now it’s just more bad press.

Bottom line: Equifax could well go out of business as a consequence of this event and how badly it was handled. I’d lay at least 50/50 odds that this event kills them within the next few years, as litigation works its way through the courts.

Next, what to do?

  1. Watch your mail for letters from banks or other firms, to see if someone has taken out a loan in your name. Consumers beware, your info is probably compromised!
  2. Stop using name, SSN or DoB as credentials. If someone calls your IT help desk and you need to authenticate them, this data should be assumed to be public and not suitable for authentication.
  3. Lock down your IT systems. You don’t want to be the next victim.

UPDATES:

  1. just saw this:
    Equifax Faces Multibillion-Dollar Lawsuit Over Hack. That didn’t take long!
  2. Krebs lambastes Equifax, noting among other things that the web site to check if you’re affected by the breach appears to be bogus – it just returns a random string, and issues a predictable PIN. He also gives good advice (news to me, as I’m not an American), that you can visit his earlier post to learn how to lock down your credit profile, which should offer some protection against incompetent credit rating agencies combined with identity thieves, at no cost.
  3. It just won’t stop. They were caught with their pants down in Argentina too! admin/admin logins

But what about usability?

Wednesday, May 17th, 2017

Thin and beautiful devices are commonplace nowadays, but it feels like nobody cares about usability any more.

What got me thinking about this is the age of my laptop. It’s an older Lenovo and has an awesome keyboard. We’re talking full keys, long travel, pre-chiclet design. My laptop is ugly as sin, but really easy to use when I travel. Sooner or later I’m going to have to replace this thing, and it seems that all laptops nowadays have chiclet keyboards. Ugh. I find it difficult to type at any appreciable speed on chiclet keyboards.

The newer keyboards look nicer, but they are harder to use. Smaller keys and shorter vertical travel.

This is a part of a larger trend.

Another example is very thin phones — with too small batteries and consequently less-than-desired battery life. I’d really rather my phone was 1mm thicker, a few tens of grams heavier, but had twice the battery life. I think most consumers might agree with me on that one.

Want another example? How about SIM cards. Oh how I hate the shrinkage of SIM cards! I travel often and instead of paying high roaming fees, I like to pick up a local SIM card when I arrive at foreign airports. That works great, but the SIM cards themselves have become so small that they are hard for someone with adult-size fingers to manipulate. Was it really necessary to shave off an extra few square millimeters? All SIM cards are electronically identical — the shrinkage is just in the plastic surrounding the chip. The original SIM card design was quite small, and new “micro” and “nano” SIMs are awful.

I’ve got more examples! Ports on laptops are one: Many new laptops either omit ports (Ethernet, VGA, etc.) or require dongles. Looks great, very thin, but quite a nuisance to use. Laptop power adapters are another. Why are there a hundred different kinds of plugs? All laptops consume 20V and about 5A – so why do we need so many shapes and sizes of power plugs?

Maybe this is an opportunity for some manufacturers to carve out a niche, selling to users who care about usability:

  • Build slightly thicker devices, with more ports and bigger batteries.
  • Support “big” SIM cards in phones.
  • Standardize on something like USB-C PD for power, even in laptops.
  • Advertise that these devices are built to be used, not just looked at.

Patch management in an IoT world

Tuesday, May 16th, 2017

The recent WannaCry ransomware spreading around the world has been both tragic and predictable. Tragic because it knocked out organizations doing important work, like the NHS in the UK. Predictable because there is a growing gap between security practices in the information technology (“IT”) and operational technology (“OT”) arenas.

In IT, we’ve learned long ago that software is inherently buggy and a reasonable defense against that is to patch — automatically and as quickly as possible once a patch is released. This reduces the window of opportunity for attackers.

We can talk about other causes – the NSA weaponizing zero-day exploits or hackers stealing and remarketing that stuff – both are problems – but I don’t imagine either of these things is going to end any time soon.

We can point to Microsoft for introducing the bug in the first place, but to be fair their coding practices have been pretty good over the years and their response to security problems has been exemplary.

What remains is us, the end customers patching known problems.

Our IT shops generally do a pretty good job, though this bit of ransomware certainly caught out a few who may have not had the skills, mandate or funding to do it right.

What we aren’t talking about is systems that are not managed by any IT organization. Operational systems control the doors and heating and cooling systems in our offices. They run devices ranging from security scanners at airports to camera surveillance at the mall. These are “operational technology” — same basic technology as IT, but used to interface with and manage physical systems.

The trouble with OT is that it gets installed by people without IT skills. Heating/ventilation/air conditioning (HVAC) vendors install PCs that keep us warm or cool. Physical security vendors install camera and door control systems. The list goes on. These are often people without IT skills. Worse, the systems they deploy are installed and forgotten. They keep running, without anyone thinking much about them, for decades.

Here’s a cool example: an old Commodore Amiga system running HVAC in a school for 30 years:

http://www.popularmechanics.com/technology/infrastructure/a16010/30-year-old-computer-runs-school-heat/

Historically, these systems have not been connected to any network. Their security basically relied on physical isolation, both from other computers and — behind locked doors — from unauthorized people. It didn’t matter if the code was buggy and exploitable, because only one or two authorized people could physically interact with them.

The world is changing, however. Your HVAC or security vendor wants to be able to assist you without a site visit. You want to be able to monitor who just walked into the building without leaving your desk. These systems are getting connected to (at least) private networks and in some cases to the public Internet.

That’s a problem, because these systems run old code, without anyone looking after security, such as firewalls, OS patches, intrusion detection, anti-malware, etc.

This is the brave new world of “Internet of Things” where old, unpatched devices perform critical functions and also get IP addresses.

We should worry. It doesn’t matter how good a job we do building IoT systems today, how confident can we be that what we build today will still be secure in 10 years? 20? 30?

WikiLeaks Vault7

Wednesday, March 8th, 2017

WikiLeaks dropped a trove of information about hacking tools from the CIA this week. It’s available via BitTorrent, in an encrypted archive, whose password is SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds. That’s amusing, I suppose.

So what’s in the archive and what does it mean?

First, the archive appears to be a dump of an Intranet portal at the CIA, where staff share information about hacking tools. It’s missing a bunch of stuff – images and documents – so the download appears to have been incomplete. Moreover, this is information about the tools, rather than the tools themselves, though those were apparently leaked
earlier in a separate incident.

There are tools here to hack every common operating system – Windows, MacOSX, Linux, Android and iOS. There are also tools for various other platforms, including some Samsung TVs.

There has been a bunch of wild and wooly press coverage about this leak, but no, the CIA does not appear to have tools to compromise encryption in popular messaging system. It’s simply the case that if you can compromise either end of the conversation, then encryption between the two ends of the conversation is irrelevant. They can’t magically turn your TV into a spy device (without first breaking into your house) and they can’t (yet?) cause your car to suddenly crash. All of these things are plausible, and even discussed in the leaked documents, but not described as current capabilities.

Many of the tools discussed in the leak require physical access. i.e., if you are some “bad guy” that the CIA is interested in, and they can touch your phone or PC or TV, then they can install malware on that device to help them spy on you. Clearly, that doesn’t matter much to most people.

Some of the tools work over the network, and obviously that’s more serious, especially if they get into the hands of criminals or other adversaries that the average business or consumer might be more worried about than the CIA.

Also of note is that some of the tools leverage security vulnerabilities in popular products that the vendors and security researchers were not previously aware of. For the US government to discover such bugs and not work with vendors to close them leaves the public at risk and represents quite dubious ethics.

So is it time to panic? Hardly. We already knew that every large and complex piece of software has bugs (they are written by human beings after all) and that some of those bugs can be used to compromise security. We also already knew that all advanced government spy agencies work to compromise device security to either collect information about their adversaries or to disrupt their operations. That the CIA is doing this is only vaguely surprising, in the sense that it really should be the job of their sister agency, the NSA.

Everyone should already be aware that a smart phone is a perfect surveillance device, incorporating network connectivity, a GPS receiver, plus microphones and cameras. It’s obvious that spy agencies would work to hack into these things to monitor people, and would at least sometimes succeed.

So what’s interesting here?

Well, someone at the CIA obviously dislikes their employer enough to leak this information. That’s a serious crime.

The US government does not disclose all zero-day exploits it finds to vendors. That’s morally compromised.

WikiLeaks is more interested in the (fairly mundane) behaviour of the US government than that of various dictatorships, such as Iran and Russia. That makes WikiLeaks and Julian Asange look quite bad, actually. They are pretty much a puppet of the Russian state at this point.

The involvement of both WikiLeaks and Russian intelligence services in the recent US presidential election should be alarming to everyone in the West. There is no reason to believe this kind of interference will stop there — it’ll continue into the future and in other Western countries. This data dump is really just a side show compared to Russian cyber
warfare efforts.

Sometimes, security boils down to pretty simple controls

Monday, August 22nd, 2016

There’s an interesting read this morning about what attack vectors are actually used to compromise corporate networks:

darkreading.com

What’s notable is that most of the commonly used, successful methods used to compromise an organization’s security are related to credential management.

When you read about security, it’s usually about software vulnerabilities, zero-day exploits (i.e., those that have not yet been discovered by others or remediated by the software vendor), perimeter defense and patch management.

That’s sexy stuff – it’s technologically advanced, requires highly skilled people to find problems and develop exploits, etc.

The reality is much more mundane, however:

  • Weak user and admin passwords.
  • Users that unwittingly download and run malware.
  • Use of old, insecure password and name resolution protocols.
  • Plaintext passwords stored on disk and in memory.
  • Wide-open networks, which allow an attacker with a small beachhead to attack additional systems with ease.

The solutions to these problems are fairly simple too:

  • Shut down network services that use old, weak protocols.
  • Patch or upgrade software address plaintext passwords in-memory or on-disk.
  • Limit user access to only what they need, only when they need it.
  • Segment the network with internal firewalls, to limit the impact of a successful breach.
  • Get users to choose strong passwords.
  • Automate controls over admin passwords.
  • User education and awareness, especially around malware and “social engineering” attacks.

Perhaps not as sexy as zero-day exploits, but more effective.

Hitachi ID Systems can help with some of these security strategies:

Whose machine or app is it anyways?

Friday, June 10th, 2016

If you deploy a modern OS, such as Windows 10, you may be surprised to learn that it’s calling home. A lot.

For example, here is a screen shot from my Windows 10 PC of the diagnostic settings, relating to what information the PC shares with Microsoft:

feedback-options-windows-10

Notice that there are 3 options, none of which is “stop doing that.”

I have no reason to believe this is unique to Microsoft. Apple MacOSX does it., Android and iOS on phones and tablets certainly monitor you and even some Linux distributions have telemetry features, though generally off by default / offered as a paid service.

Which begs the question — whose device is it? I bought the hardware, I either purchased the OS with the hardware or installed it separately, I *own* the system. What business does it have snooping on me and sending information to a third party?

I know there are legitimate reasons for this – aggregate health diagnostics, heat maps about apps that misbehave, surveillance to find malware, etc. That’s fine, but surely the default should be “off” and sending anything from my PC to some vendor’s servers should require my permission. That’s not the current state of affairs.

Which brings us to compilers. It’s been known for decades that you can insert malware and Trojan horses into compilers and create hard-to-detect compromise of systems.

It seems that Microsoft has recently, perhaps inadvertently, done something close to that. A recent release of Visual Studio inserts code into even the smallest, do-nothing programs to send telemetry home to Microsoft. (infoq.com). When caught, Microsoft confessed to doing this, claiming (probably rightly) that it was intended to be an innocuous performance tuning tool: (reddit.com).

This instance will be backed out, but Windows 10 remains a “call home” machine, as do smart phones and Mac’s.

I wonder what it will take to reverse this awful trend?