Saturday, June 03, 2006

May's Security Streams

Here's May's summary of all the security streams during the month. This is perhaps among the few posts in which I can actually say something about the blog, the individual behind it, and its purpose, which is to - question, provoke, and inform on the big picture. After all, "I want to know God's thoughts... all the rest are details", one of my favorite Albert Einstein's quotes. The way we often talk about a false feeling of security, we can easily talk about a false feeling of blogging, and false feeling of existence altogether. It is often assumed that the more you talk, the more you know, which is exactly the opposite, those that talk know nothing, those that don't, they do. There's nothing wrong with that of refering to yourself, as enriching yourself through past experience helps you preserve your own unique existence, and go further. Awakening the full potential within a living entity is a milestone, while self preservation may limit the very development of a spirit -- or too much techno thrillers recently? :)

It's great to see that a knowledgeble audience has become a daily reality at this blog, it's never too late to meet new friends or their pseudo personalities. I've also included this month's stats area graph so you can get a grasp of the activity, go through past summaries for - January, February, March and April, in case your brain is hungry for more knowledge.

It is my opinion that the more uninformed the end user is, the less incentive for the vendors to innovate at the bottom line, and on the other hand, it is also easier for a vendor to put emphasize on current trends, instead of emerging ones -- which is what is going to add value to its propositonin the long-term. It's more profitable to treat the disease, instead of curing it. And while curing one doesn't mean curing all, it's a progress. So, I inform both sides and everyone in between. Information has never been free, but it wants to be free, so enjoy, syndicate, and keep yourself up-to-date with my perception on information warfare and information security, even when I'm not blogging, but just linking!

01. Biased Privacy Violation
While the site's niche segment has a lot of potential, I doubt it would scale enough to achieve its full effect. Providing Ex-couples with the microphone to express their attitudes is as quistionable as whether playing 3D shooters actually limits or increases violance.

02. Travel Without Moving - Typhoon Class Submarines
There're a lot of strategic security issues going beyond the information security market, and that is the defense and intelligence community's influence on the world. What used to be a restricted, or expensive practice, satellite imageryis today's Google Earth/Maps's service on a mass scale, anyone can zoom in front of the NSA. And as it's obvious you can spot things you can somehow define as sensitive locations though Google Earth/Maps, the question is so what? I've managed to dig quite some interesting locations I haven't seen posted anywhere and will be adding them shortly, feel free to suggest a spot if you have something in mind. The series in no way compete with the Eyeball-Series.org, though I wish.

03. The Current State of Web Application Worms
Web application worms, their potential and possible huge-scale impactis a topic that's rarely covered as an emerging trend by the mainstream media sources. On the other hand, over 200 words acticles on yet another malware variant going in depth into how the Internet is driving force for the E-commerce revolution, and how a ransomware pience of malware is changing this.The problem is rather serious due to the common type of web application vulnerabilities huge eyeball aggregators suffer from. Whether it's speed or infected population to use as a benchmarking tool, just like packet-type of worms, web application worms are foundamental for the creation of a Superworm beneath the AV sensor's radar.

04. Shaping the Market for Security Vulnerabilities Through Exploit Derivatives
Resoucesful post providing overview of the most recent developments inthe emerging market for software vulnerabilities, and the possibilityto secure future vulnerability releases. As Adam at Emergentchaos.com pointed out, the legality of such markets is among the cons of the idea, which is perhaps the time to consider the usability of markets for what's turning into a commodity - security vulnerabilities. The major problem which prompts for the need of such, is the current "private club" only vulnerability sharing practices among the infomediaries, but it can easily be argued that empowering vulnerability diggers, not researchers, isn't the smartest thing the community can do.

Vendors are often discussed as liable for the vulnerabilities in their software, but it's like blaming a dating service for not generating you dates, my point is that you cannot simply blame vendors for the vulnerabilities in their software as it would result in a major slowdown of innovation. Think about it, we all hate Bill Gates and use, while trying to avoid Microsoft's products pretty much everywhere, monocultures are bad, we'd better have half the Internet using MACs, and the other Windows so there would be an incentive and fair "allocation of resources" targeting both sides, as the plain truth is that malicious attackers aren't just attacking these days, they are gaining scale and becoming efficient. In a free market, where market forces invisibly shape and guide it, there's little room for socially oriented iniciatives like these. Today's software and technologies are shipped to get adapted, that's insecure ones we become dependent on, to later find out we have the live with their insecurities -- no one is perfect, and being all well-rounded is so boring at the bottom line.

If we were to start "thinking Security" everywhere, there wouldn't be anything left in respect to usability at the end of the day. And as I've pointed out in a previous post on valuing security, if security doesn't bring anything tangible, but prevents risks, that's the cornerstone of the problems arising with justifying expenditures. The Internet we've become so addicted and dependent on wasn't build with security in mind, but our conscious or subconscious marginal thinking gave us no choice, either live with the vulnerabilities and take advantage of its benefits, or stop using it at all. If we were to start thinking security first, there wouldn't be Internet at all, at least not in our lifetime. ISPs avoiding to take action on customers participating in botnets as they still haven't managed to find a way to commercialize the service, or Microsoft shipping its products in root mode and with all features turned on by default, are important points to keep in mind when refering to the practice of threatening and not curing deceases.

You cannot blame vendors for the security vulnerabilities in their software, you can blame them for the huge windows of opportunities their lack of action opens, and lack of overal commitment towards mitigating the threats posed by these, now, how you would you go to turn your day dreaming into a measurable metric, even come up with a benchmark is challenging -- a challenge ruined by the value of keeping an 0day, a truly 0day one.

05. The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking
There you go with your fully realistic 1984 scenario, I wonder would the idea constitute mass surveillance and social networking analysis altogether. DIY alternatives are gaining popularity, and the cell phone industry doesn't really want to be perceived as an "exact location"provider, rather communication services. The excuse if it becomes habitual? Well, since there's no Cold War anymore -- just sentiments -- it's Terrorism today.

06. Snooping on Historical Click Streams
It was about time Google reposition itself as a search company, not as a new media one heading towards portalization. There's nothing wrong with the idea, the realityis they can never catch up with Yahoo -- and they shouldn't! Spending some time with the feature, and you will be able to verify most of your previous research findings, or come across to surprising ones. Do you trust Google and its geolocation services at the bottom line? I do.

07. Pass the Scissors
It's never too late to earn a buck for printing currency, even in times of inflation in between.

08. Is Bin Laden Lacking a Point?
Google trends point to Washington DC as the region with the highest interest in Bin Laden, not surprising isn't it? I feel the entire idea of an organizational hierarchy and Bin Laden on the top is an oudated thinking, but a marketable one forwarding the entire responsibility to one person, who at the end of day wouldn't have any choice but to accept it, even though he had nothing to do with something in particular. Leadership is critical, and so is possible successorship. An image is worth a thousand words in this case!

09. Pocket Anonymity
Harnesing the power of established brands in privacy, encryption and anonymity services and providing portability is a great idea, no doubt, but what I'm missing is a targeted market, a clear positioning, is it privacy or anonymity provider, as there's a huge difference between the two of these. A free alternative to the idea as well.

10. Travel Without Moving - Scratching the Floor
No comment, just awareness.

11. Terrorist Social Network Analysis
Seems like social network analysis practices apply to terrorist organizations as well, and why wouldn't they? As you can see, there isn't big of a different between a Fortune 500 organization, and a terrorist one, the only problem and downsize is the inability to take advantage of the momentum, historical findings out of data mining are useful for power point slides seeking further investment, and that's it.

12. Valuing Security and Prioritizing Your Expenditures
Reactive, Proactive, or Adaptive, what's your security strategy, and what's your return on security investment?

13. EMP Attacks - Electronic Domination in Reverse
Did you know that Stalin was aware of the U.S's A-bomb, even before Harry Truman was? -- the consequence of too much secrecy sometimes! EMP attacks get rarely discussed, yet today's portability of these and potential for chaos put them on the top of my watch list. There have been numerous ongoing Cybersecurity and critical infrastructure security exercies in the U.S for the last couple of years, and while military equipment goes through hardening process, Russia remains a key innovator whose capabilities have surpassed their own expectations. Cyber warfare is the next Revolution in Military Affairs, and it would be naive not to keep thinking of sneaky attacks, the weakest point in an IT and electronics dependent society.

14. Insider Competition in the Defense Industry
Where else, if not in the defense industry?

15. Techno Imperialism and the Effect of Cyberterrorism
Today's public perception of Cyberterrorism is so stereotyped, perhaps due to one basic reality - you cannot fight Cyberterrorism, the way you can blow up a cave in Afghanistan, and it's a big problem. While public accountability is easily achieved through Cybersecurity exercises, there isn't a better tool for propaganda, recruitment, communication and research than the Internet, and as you're about to find out, there are ongoing initiatives to crawl the Web for terrorist web sites, analyze terrorist speaking communication patters on web forums, and how encryption, flight simulator programs are an unseperable reality of the concept.

As the conspiracy theorist inside me is screaming, there used to be a speculation how Disney on purposely brainwashed the perception of UFOs in its content, to make it more user-friendly excuse, and put everyone who's talking the opposite turns into the usual "that's the guy that has seen them" unfavorable position. Today's coverage on Cyberterrorism doesn't provoke discussion, instead it always tries to communicate and question the credibility of the idea, with the usual scenarios relating to SCADA devices, terrorists melting down power plants and the rest of the science-fiction stories. In all my posts on Cyberterrorism, a topic I've been actively writing on, and following for some years, I always point out that terrorists are not rocket scientists unless we make them feel so -- or have benefits to think they are.

16. Travel Without Moving - Cheyenne Mountain Operations Center
Cheyenne Mountain Operations Center from Google Maps, and a summary of a report onGoogle Earth's security implications, I hope you'll manage to get your hands on, the way I did through a friend.

17. Nation Wide Google Hacking Initiative
I like the idea of auditing a nation's cyber space through Google Hacking, the only problem is communicating the value to public and to the companies/sites. What can be defined as sensitive information leaked through Google, and who's the attacker? Is it a script kiddie, a google hacker, a foreign intelligence personel, or foreign company conducting unethical competitive intelligence? Knowing, or at least theorizing on the possible adversaries will lead your auditing practices to an entirely new level.

18. Espionage Ghosts Busters
No government is comfortable with having to smile at Chinese people, or how their economy is evolving from supplier to manufacturer, still there isn't any serious ground for this case -- besides and uncomfortability issue.

19. Arabic Extremist Group Forum Messages' Characteristics
Great research on today's fully realistic scenario of terrorists communicating over the Web, the public one, as basic authentication would have stopped such automated approaches for sure. What can you actually find with that type of intelligence, real terrorists communications, or growing propaganda sentiments, in between pro-democratic individuals to be recruited?

20. The Current, Emerging, and Future State of Hacktivism
A very well researched dissertation, a lot of visionary thoughts while it goes back to the basics. It is doubtful whether hacktivism would cease to exist despite the for-profit malicious attacks these days, as anarchists, governments, patriots or script kiddies, they all have an opinion on how things should be.

21. Bedtime Reading - The Baby Business
What's a "better" kid, and why you don't need one? Controllable uncertainty can be exciting sometimes, but as always, life's too short to live with uncertainty!

22. Travel Without Moving - Korean Demilitarized Zone
A post with an emphasis on North Korea, which as a matter of fact got recently a decline from the U.S on two-way talks on whether the U.S would condemn their nuclear program. As I've pointed out, there are just looking for attention, while the U.S is sticking to six way talks only. Iran truly took advantage of the overly bad publicity for the U.S around the world.

23. Aha, a Backdoor!
A smart way to fuel growth in homeland security solutions is to be able to exempt publicly traded companies from reporting these activities, and with the SEC trying to achieve better transparency in its data reporting practies, it opens up a huge backdoor for enterprises to take advantage of, without any short-term accountability, or transparency requirements for the use of their stockholder's money. It's the corporate world!

24. Forgotten Security
Forgotten what if security plans on a possible assassination to be precise. It's a like a situationwhere a newly graduated wannabe marketer is asked to conduct a marketing research for a future release of a product, and he just opens his bag and brings out a textbook, and starts looking it up.

25. Delaying Yesterday's "0day" Security Vulnerability
Nothing groundbreaking as this is today's reality for everyone, and there isn't such thing as a true 0day vulnerability these days. Oday to who, to the media, to the underground, to the market, or to the researcher who's catching up with a week of backlog?

26. Who's Who in Cyber Warfare?
In the future the majority of Cyber wars would be waged by nations, and the maturity of their understanding of the concept, and actual capabilities is again going to put the masses as a hostage in between. Defensive or offensive motives behind further development, armies will be defeated, and battles will be won in Cyberspace -- whether by infowar guerilla-fighters, corporations, or nations is the beaty of this uncertain growing reality.

27. No Anti Virus Software, No E-banking For You
Great idea, lot's of revenues for the AV vendor, end users with a feeling of security, all looks and sounds great, but it isn't, as these are the basics. An AV solution doesn't mean you won't get hacked, your financial information stolen, and your home PC won't end up in a botnet, it means there's less chance for it to happen now. Is this campaign worth the publicity and in respect to retaining the bank's customers? I feel it is, but it's where the whole process of bank2customer safety practices communication begins.

28. Microsoft in the Information Security Market
McAfee and Symantec have greatly felt the pressure from Microsoft's ambitions, as they've simultaneously released information on their alternatives of OneCare, all-in-one security and PC tunning for the masses. Moreover, IP violation suits and the rest truly represent the threat, and while I don't see any, I avoid the fact that this is what the end user really needs. And with all the buzz about OneCare, Microsoft's distribution channels, channel partners and strategic partnerships, it would be hard for them to stop using OneCare in an year. That's why McAfee, and Symantec's releases of alternatives neatly ruined the pionner position Microsoft could have taken. Now it's the same old information security market, the one you're so comfortable with, McAfee and Symantec providing security solutions as their first priority, and Microsoft, positioned as a follower catching up. Smart move!

29. Covert Competitive Intelligence
With enterprises considering key extranet participants as potential attack vectors, and web-integration of backend systems as potential targets, insiders are benefiting from within. Dealing with "hackers", malware, firewalls configuration etc. is part of the problem of perimeter based and application based defense. Consider taking into consideration, organizational threats such as insiders, and figure out a cost-effective way of dealing with this hard to detect, measure and secure against threat.

30. The Global Security Challenge - Bring Your Know-How
How would you be more creative, knowing how much is your budget and trying to allocate it for the idea of allocating it, or coming up with the idea first and then trying to commercialize it? Budget allocation is a daily practice, but the way it empowers, the very same way it wastes resources, ones usually wrongly allocated.

Healthy Paranoia
I really feel you.