
Exploring the science and magic of Identity and Access Management

Character is higher than intellect … A great soul will be strong to live, as well as strong to think. — Ralph Waldo Emerson

Thursday, December 18, 2014

Identity Management for Zombies?

Humor, Social Media
Author: Mark Dixon
Thursday, August 26, 2010
2:36 pm


Note: This little post chronicles my favorite social media exchange in a long time.  You need to see the embedded images to get the gist of an intriguing conversation.

 

The intrigue began Wednesday afternoon when I was waiting in the Chicago O’Hare airport for a flight to Central Wisconsin Airport, near Wausau, WI.  I tweeted my intentions:

image 

Within a few minutes, I was being followed on Twitter by Wausau Loner:

image

I had never heard of the Zombie Apocalypse, so I started poking around the web.  I thought, “Do Zombies need Identity Management?”

I found that my tweet was listed on the Wausau Wisconsin Best Blogs and Tweets …

image

… along with my new follower, the Zombie Apocalypse expert, Wausau Loner.

image

This morning (Thursday), I received a nice thank you note from Wausau Loner:

image

I pinged him back and got this reply:

image

I posed the big question:  Do zombies have unique Identities?  Do they need Identity Management?

Sadly, the answer was negative:

image

Well, there are still many unanswered questions.  Maybe next time I visit Wausau, I’ll get together with Wausau Loner and get more details!   I’ll let you know.

 

Stuxnet Worm: Hijacking Critical Infrastructure

Information Security
Author: Mark Dixon
Monday, August 23, 2010
8:29 pm


[article image] CNET published a thought-provoking article last week about Stuxnet, a sophisticated software worm that “targets critical infrastructure companies.”  It “doesn’t just steal data, it leaves a back door that could be used to remotely and secretly control plant operations.”

This complex software is targeted not at desktop or laptop PCs, but at industrial control systems.  It has infected systems particularly in Iran and India, but also companies in the US.

The malware, which made headlines in July, is written to steal code and design projects from databases inside systems found to be running Siemens Simatic WinCC software used to control systems such as industrial manufacturing and utilities. The Stuxnet software also has been found to upload its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs. …

An attacker could use the back door to remotely do any number of things on the computer, like download files, execute processes, and delete files, but an attacker could also conceivably interfere with critical operations of a plant to do things like close valves and shut off output systems

The eCommerce Times commented:

“The Stuxnet worm, which targets industrial control systems, or "SCADA" systems, is one of the most sophisticated bits of digital malware security researchers have come across in a long time. Now, those researchers want to know where it came from. Was Stuxnet the product of a den of hackers working on their own accord, or did a national government somewhere in the world have a hand in its creation?

"Given the sophistication and organization behind it, we highly suspect it has nation-state involvement rather than being a tool for competitive intelligence," Roel Schouwenberg, a senior antivirus researcher with Kaspersky Lab, told TechNewsWorld.

In a recent post, I quoted a report entitled, “21 Steps to Improve Cyber Security of SCADA Networks,” where the US Department of Energy stressed the importance of security in control systems:

The U.S. energy sector operates the most robust and reliable energy infrastructure in the world. This level of reliability is made possible by the extensive use of Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), and other control systems that enable automated control of energy production and distribution. These systems integrate a variety of distributed electronic devices and networks to help monitor and control energy flows in the electric grid and oil and gas infrastructure.

Automated control has helped to improve the productivity, flexibility, and reliability of energy systems. However, energy control systems communicate with a multitude of physically dispersed devices and various information systems that can expose energy systems to malicious cyber attacks. A successful cyber attack could compromise control systems and disrupt energy networks and the critical sectors that depend on them.

Securing control systems is a key element in protecting the Nation’s energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the nation safer across all critical infrastructures.

By targeting systems that control vital parts of a nation’s critical infrastructure, this worm is an example of how increasingly sophisticated technology can be used as an offensive weapon.  Lots of questions still exist about this specific worm, but it really illustrates how we must be concerned about the security of all computer-based systems, not just those in data centers.

Somehow, this causes more concern in my paranoid mind than vulnerabilities in my iPhone.

 

Intel and McAfee: What Do You Think?

Information Security
Author: Mark Dixon
Friday, August 20, 2010
5:48 pm


Yesterday’s announcement that Intel would pay $7.68 billion for McAfee, Inc. triggered a couple of instant thoughts:

  1. McAfee has come a long way from when I first met founder John McAfee in the early 1990s in a small, cluttered office in Santa Clara.
  2. Intel/McAfee: What strange bedfellows!


According to the Wall Street Journal article where I first read the news, Intel executives were bullish (as they should have been, after laying nearly $8 billion on the table in a surprise deal).

“Intel executives argued growing security dangers require new measures, describing the acquisition as an essential step to design chips and other hardware that can protect systems better than software alone. …

“‘We believe security will be most effective when enabled in hardware,’ Intel Chief Executive Paul Otellini said in a conference call.”

In Yahoo press coverage, Mr. Otellini is quoted:

"Everywhere we sell a microprocessor, there’s an opportunity for a security software sale to go with it … It’s not just the opportunity to co-sell, it’s the opportunity to deeply integrate these into the architecture of our products."

BusinessWeek’s analysis was a bit less upbeat:

“Intel will have to persuade customers they need security in non-PC electronics in much the same way it has convinced businesses and consumers that they required chips that speed computing tasks or ensure seamless wireless connections.

“’Right now nobody is screaming for security in their cars and in their cell phones,’ said Gartner’s Peter Firstbrook.”

Forrester Research’s Andrew Jaquith was downright negative:

“What on earth does Intel expect to get for all of the money it is spending on McAfee? I’ve been scratching my head over this, and despite McAfee CTO George Kurtz’ helpful blog post, I am still struggling to figure this one out. …

“I see four problems with Intel’s strategy (at least as much as I can glean, so far):

  • Neither Intel nor McAfee are serious players in the mobility market …
  • Intel’s hardware platform strategy will not work. …
  • Intel doesn’t understand software. …
  • The security aftermarket will be very different on Post-PC devices. …”

What do I think?

  1. I agree that security at the chip level is part of an integrated end-to-end security chain that will be essential in the mobile market, especially as mobile devices are enabled for mobile payments and other high-value functions.
  2. I wonder why Intel had to buy a whole company to get the security expertise necessary to build in security at the silicon level.  Maybe McAfee has some diamonds in the rough hidden away in the R&D lab that will justify Intel’s big acquisition.
  3. This very visible acquisition highlights the critical need for Information Security, a topic that is near to my heart.

What do you think?

 

Pay by Phone: The Rising Tide of Mobile Payments

Telecom
Author: Mark Dixon
Friday, August 20, 2010
5:14 pm


image

Yesterday, in an interesting article for ReadWriteWeb, Mike Melanson wrote about increased industry cooperation in mobile payments:

Bank of America has started working with Visa to begin testing the use of smartphones to make in-store payments without the need for cash or credit cards. The system will make use of Near Field Communication (NFC) technology, which is a short-range communication technology for mobile phones, to make payments as simple as waving your phone at another NFC-enabled device.

Sarah Perez of ReadWriteWeb reported earlier in the week that:

Apple has just hired Benjamin Vigier, an expert in the field of near-field communications, as its new product manager for mobile commerce, reports NearFieldCommunicationsWorld.com, a trade publication for NFC-based products.

A couple of my colleagues at Sun Microsystems had predicted that the iPhone 4 would include NFC capability.  They were premature, but I hope the next iPhone version is NFC enabled, because I really like the idea of mobile payments, and by then, my 3GS iPhone will be due for replacement.  We’ll see …

 

Security Vulnerabilities in Popular Platforms

Information Security
Author: Mark Dixon
Friday, August 20, 2010
4:57 pm


Earlier this week, I participated in a spirited discussion with some of my colleagues about whether the popularity of devices such as iPhone and iPad would result in increased attempts and successes in hacking those platforms.  On the heels of that discussion, it was ironic to see the following announcement from iTunes when I plugged my iPhone into my PC this morning:

iOS 4.0.2 Software Update

Fixes security vulnerability associated with viewing malicious PDF files.

Products compatible with this software update:
• iPhone 3G
• iPhone 3GS
• iPhone 4
• iPod touch 2nd generation
• iPod touch 3rd generation (late 2009 models with 32GB or 64GB)

(Emphasis mine)

Windows has long been lambasted for the sheer volume of security flaws it contained.  Could it be that at least some of that volume was due to the popularity of that platform and the sheer numbers of hackers trying to break it?  Hopefully, newer platforms are the beneficiaries of the increased focus on security.  But we still need to be careful.

 

Want to Steal $11 million? Use Orphan Accounts.

Identity, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
11:32 am


I first met Alan Norquist back in 2000 while we worked together at Ponte Communications, a dot-com startup that lured me away from my first stint at Oracle.  Ironically, Alan came to Ponte directly from Sun Microsystems; I would later join Sun. At Ponte, we developed and sold technology to provision and configure a wide range of network infrastructure devices.  The company didn’t succeed, but it allowed me to focus for a while on the issues involved in using a centralized application to provision multiple connected devices – a capability that was central to the growth of the Identity Management Provisioning market a few years later.

In the ensuing ten years, Alan has been a successful serial entrepreneur. He is now Founder and CEO at another emerging company, Veriphyr, which uses advanced data analytics to automatically discover user access policy exceptions.

Again, our lives have converged because of common professional focus on Identity Management and Information Security.

In a recent blog post, Alan pointed out a recent Colorado legal case:

“A three person process for approving payments did not stop a lone insider from stealing $11 million by playing puppet master. The thief’s unauthorized access to the unused computer accounts of two other employees allowed her to pull the strings and make it appear financial payments had the necessary three ‘independent approvals.’”

A report from TheDenverChannel.com further elaborated:

Michelle Cawthra, who was a supervisor at the Colorado Department of Revenue, had testified that during the scheme, she deposited unclaimed tax refunds and other money in [her boyfriend’s] bank accounts by forging documents and creating fake businesses.

How did she do it?  Rather than de-provisioning access for a few employees who had reported to her, she allowed the orphan accounts to hang around.  Ms. Cawthra had convinced the departing employees to share their passwords with her, so she had multiple unfettered channels of access to complete her nefarious schemes.

Interestingly enough, preventative Separation of Duties (SOD) controls were in place.  But with appropriate orphan accounts within her grasp, Ms. Cawthra was able to circumvent those controls and complete her work.  In addition to preventative controls, a method to detect illicit use before the case got out of hand was really needed.

So if you want to steal $11 million, perhaps you can leverage orphan accounts.  However, if you are on the right side of the law, I’m sure Alan would be delighted to discuss how Veriphyr can help catch schemes like Ms. Cawthra devised.
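As an added illustration (not from the post, and not Veriphyr’s product), the following Python sketch shows the kind of detective control the post says was missing: it checks each payment’s approval chain against an HR termination feed to flag approvals made with accounts whose owners had already left (orphan accounts), and flags chains where all of the supposedly independent approvals came from one workstation within a few minutes. The account names, dates and approval records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR feed: account -> last working day (None = still employed).
HR_TERMINATIONS = {
    "supervisor": None,
    "ex_emp1": date(2008, 3, 31),   # left, but the account was never de-provisioned
    "ex_emp2": date(2008, 9, 15),   # left, but the account was never de-provisioned
    "clerk": None,
}

@dataclass
class Approval:
    payment_id: str
    account: str
    when: datetime
    workstation: str

# Constructed approval log; in practice this comes from the payment system's audit trail.
APPROVALS = [
    Approval("PAY-1001", "supervisor", datetime(2009, 4, 2, 9, 5), "WS-17"),
    Approval("PAY-1001", "ex_emp1", datetime(2009, 4, 2, 9, 7), "WS-17"),
    Approval("PAY-1001", "ex_emp2", datetime(2009, 4, 2, 9, 9), "WS-17"),
    Approval("PAY-1002", "supervisor", datetime(2009, 4, 3, 10, 0), "WS-17"),
    Approval("PAY-1002", "clerk", datetime(2009, 4, 3, 14, 30), "WS-42"),
    Approval("PAY-1002", "ex_emp1", datetime(2009, 4, 4, 8, 15), "WS-09"),
    Approval("PAY-1003", "supervisor", datetime(2009, 4, 6, 11, 0), "WS-17"),
    Approval("PAY-1003", "clerk", datetime(2009, 4, 6, 11, 2), "WS-42"),
]

def is_orphan(account, when):
    """True if the account's owner had already left on the day it was used."""
    left = HR_TERMINATIONS.get(account)
    return left is not None and when.date() > left

def review_payments(approvals, window=timedelta(minutes=30)):
    """Return {payment_id: [findings]} for approval chains that look forged."""
    by_payment = {}
    for a in approvals:
        by_payment.setdefault(a.payment_id, []).append(a)
    findings = {}
    for pid, chain in by_payment.items():
        notes = []
        orphans = [a.account for a in chain if is_orphan(a.account, a.when)]
        if orphans:
            notes.append("orphan account used as approver: " + ", ".join(orphans))
        # Three independent approvers should not all act from one workstation within minutes.
        chain.sort(key=lambda a: a.when)
        stations = {a.workstation for a in chain}
        span = chain[-1].when - chain[0].when
        if len(chain) >= 3 and len(stations) == 1 and span <= window:
            notes.append(f"all {len(chain)} approvals from {chain[0].workstation} within {span}")
        if notes:
            findings[pid] = notes
    return findings
```

Feeding the real HR feed and approval audit trail into checks like these would have surfaced the first payment "approved" by departed employees, long before the losses reached $11 million.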

 

New Feature – “InfoSec Site”

DBSec Site, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
9:39 am


I have added a new feature, “InfoSec Site”, to the Discovering Identity blog.

I frequently come across sites on the web that are relevant to the Information Security community. I may not have time to blog about each in detail, but want to provide a way to announce that I have found the documents and provide a way to easily find them again.

A new category “InfoSec Site” has been added to the blog, so these documents can be easily selected via the “Select Category” drop down list box.  They can also be found by searching for key words.

My previous post is an example of an InfoSec Site post.  It references a useful Data Breach reference site.  I hope you find it useful.

 

DBSec Site: DatalossDB.org

DBSec Site, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
9:21 am


DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide.

The Open Security Foundation, as well as our volunteers, feel that there is a distinct need for tools that provide unbiased, high quality data regarding data loss. There are no other open, downloadable, machine parse-able resources out there that facilitate research into this subject matter. By providing this sort of resource, we feel we can help accomplish the following:

  • Improve awareness of data security and identity theft threats to consumers.
  • Provide accurate statistics to CSO’s and CTO’s to assist them in decision making.
  • Provide governments with reliable statistics to assist with their consumer protection decisions and initiatives.
  • Assist legislators and citizens in measuring the effectiveness of breach notification laws.
  • Gain a better understanding of the effects of, and effectiveness of "compliance".

The following column shows the latest Data Loss incidents:

image

 

Data Breach Threats: Laptops or Servers?

Information Security
Author: Mark Dixon
Thursday, August 19, 2010
8:51 am


I learned an astounding bit of statistics yesterday in a webcast presentation by Andrew Jaquith, Senior Analyst, Forrester Research.  Using source data from DatalossDB.org, Andrew reported that in 2009, 138 million data records were breached.  By any measure, that’s a lot of data, resulting in large financial losses to corporations and lots of consternation to individuals whose identities may be included in those data breaches.

Did the majority of these losses result from stolen or lost laptops or thumb drives or backup tapes that fell off the truck? 

Surprisingly, NO! Of the 138 million breached records, a full 133 million breached records occurred at the server level.

Reinforcing this concept, the Verizon 2010 Data Breach Investigations Report stated that compromises of database servers comprised 25% of breaches, but 98% of total records.

So, while we may hear about more cases of data breaches occurring from edge devices, the real challenge is protecting the core database from threats.

This reminds me of the Henry David Thoreau quote: “There are a thousand hacking at the branches of evil to one who is striking at the root.”

 

Are InfoSec Vendors Crying Wolf?

Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
10:10 pm


Robert Mullins posted an interesting article this week highlighting the tension between people who warn of impending danger from information security threats …

“Mark Bregman, chief technology officer of security company Symantec … spoke at the first-ever NASA IT Summit and said the space agency is ideally suited to promote global cooperation among nations on cybersecurity. … ‘There’s an urgent need for diplomacy to kick start international cooperation on cybersecurity,’ Bregman said.”

and people who think InfoSec vendors are just fear mongers seeking to sell products …

“comments that followed Montalbano’s story suggested Bregman was hyping the threat for the sake of Symantec sales. ‘See, Symantec created the panic so as to sell its products,’ wrote one. ‘If Symantec is not the one starting all the cybersecurity mess, the whole world would be much more peaceful,’ wrote another.”

As an employee of a vendor of InfoSec software, as a student of the technology of security and as a private citizen concerned about the potential for international terrorism, I tend to side with those who point out our immense vulnerability.  I hope that our technology can help combat the real-world threats that exist.

I hope the world is not lulled to passive inactivity by those who are skeptical of such threats.

Copyright © 2005-2013, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.