Sunday, May 19, 2013

Discovering SAM


Software Asset Management (SAM) and me

Frankly I do hope people read through such long articles.


I chanced upon SAM in the course of my infosec consulting and was very impressed with the requirements of the practice. I also realized that a majority of software users are unaware of their license compliance requirements and are clueless about the benefits of SAM. Going deeper into SAM practices and requirements I decided that I shall take this as an area of specialization for my practice.

So I began to review tools, standards and best practices, and to gain more experience. One day I attended a seminar where BSA was a sponsor and after the talks I tried to talk to the person who had presented on software licensing etc. I was in for the first rude shock of my InfoSec career when I was brushed off with the comment that the Big-4 are qualified for this work and that I need to be certified too … which means I should spend about $2,000 with BSA.

Walking away I wondered if I would learn rocket science or develop some super powers by paying 2k. Today I am seriously thinking about spending this money just to get to know (firsthand) what it is that BSA teaches. I mean I have seen a lot of practices and would seriously like to know if this is what is taught for the 2k!

Well after this I got down to doing my own thing, helping clients achieve compliance with their license requirements.

Until one fine day when I was to visit New Delhi and called BSA for an appointment – surprise! I was told that they are not available for a meeting – this was disclosed after I had shared my objective for the meeting. And my objective was that I want to work with BSA guidelines in my SAM practice.

In this interim I tried to reach out to some of the License Managers with the software majors and guess what – no one had the decency to respond to my request to meet me so I could request an understanding of their licensing practices to include in my advisory service. Yes, I found that there are a couple of other organizations like BSA and I found one with an Indian country manager. This Country Manager is an ex-BSA head and I managed to connect with him on LinkedIn. After connecting I sent him a message asking for a meeting and guess what – after 6 months or so I am still waiting for a reply! Even he does not want to meet me to discuss issues of piracy and how I can work at my level to wean my clients away from this practice.

My thought is that I help my client go legit and avoid the hassle of a software audit / review / raid but it seems that all these people (organizations and software vendors) who are “supposedly” protecting the rights of license owners are not interested in having informed users.
Maybe they are afraid that an informed user will be legit and these people would have spent money hiring the big-time auditors for no reason.

Another thing I have learned is that SAM compliance audits contribute about 25-30% of the sales revenue for any of these software majors. No wonder this is highly secretive, with an expensive entry barrier and very very grim.

So, me and SAM are apparently not getting along very well. The reason is that I am a simpleton and a straight shooter and cannot understand this stonewalling. I do understand the desperate lives of these ‘license compliance’ people and the power they wield – sort of paradoxical. I do know about the modus operandi and my lawyer and consulting friends provide more case studies.

Nothing is likable here. I mean – these guys are selling software which is insecure. They issue patches in more numbers than one visits the washroom to clean up. These systems and applications are compromised and breaches take place. And if you read the license terms it is like they have done you a big favor by allowing you to use their dirty stuff. To add insult to injury, a goon in a suit may visit you at any time, shove his/her script into your network, probe your crown jewels and unleash the grim reaper on you.

Thank you for buying my software. I am not a monopoly, I am an autocratic oligarchy. And, since I was a child I wondered why Open Source existed – am I happy there is another world.

OK so SAM is not a clean thing. I call it a baby iceberg. Just because it has the smallest visible threat surface but may be the biggest threat-in-waiting. Keep the APTs, DDOS attacks, malware etc aside – this is a WMD, a pet which will turn rabid without warning and bite you.

Enough said, and until the day ethics, morality and decent business practices are considered important it will be good if you prevent the WMD going off in your organization. Make sure you track every single license you purchase and install. Keep a license register and log installations, removals and retirements. Be careful not to use unlicensed software or cracks, even if it is only to test. Do not exceed the number of installations you are entitled to under your agreement. If you do not know, make sure you ask your vendor to arrange a training and awareness session BEFORE you sign the PO. Oh yes, if there is an upgrade then make sure you ask this question twice because you may be entering into a grey zone.
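One way to keep the register the paragraph describes, as an added example that is not code from the original post: an event log of purchases, installs, removals and retirements is replayed in order and every point where deployed installs exceed the seats held is flagged. Product names, hostnames and the event log are constructed.

```python
"""Minimal software license register: replay an event log and flag over-deployment."""
from dataclasses import dataclass, field

# Constructed sample event log, in the order the events happened.
# (product, event kind, seat count for purchase/retire or hostname for install/remove)
SAMPLE_EVENTS = [
    ("OfficeSuite", "purchase", 2),        # PO for 2 seats
    ("OfficeSuite", "install", "ws-01"),
    ("OfficeSuite", "install", "ws-02"),
    ("OfficeSuite", "install", "ws-03"),   # third install on a 2-seat entitlement
    ("OfficeSuite", "remove", "ws-01"),    # uninstalled, back within entitlement
    ("DesignTool", "install", "ws-05"),    # installed "just to test", no PO at all
    ("OfficeSuite", "retire", 1),          # one seat expired, now 2 installs on 1 seat
    ("DesignTool", "purchase", 1),         # PO raised after the fact
]


@dataclass
class Register:
    """Per-product state: seats currently held and hosts with a live install."""
    entitled: int = 0
    installed: set = field(default_factory=set)


def replay(events):
    """Replay the log in order.

    Returns (registers, findings). Each finding is
    (event number, product, installs, seats) recorded right after an event
    that left more installs than seats, which is what an audit would surface.
    """
    registers = {}
    findings = []
    for seq, (product, kind, arg) in enumerate(events, start=1):
        reg = registers.setdefault(product, Register())
        if kind == "purchase":
            reg.entitled += int(arg)
        elif kind == "retire":                     # seats expired or returned
            reg.entitled = max(0, reg.entitled - int(arg))
        elif kind == "install":
            reg.installed.add(arg)
        elif kind == "remove":
            reg.installed.discard(arg)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        if len(reg.installed) > reg.entitled:
            findings.append((seq, product, len(reg.installed), reg.entitled))
    return registers, findings


def over_deployed(registers):
    """Products that are still over-deployed at the end of the log."""
    return sorted(p for p, r in registers.items() if len(r.installed) > r.entitled)
```

Running `replay(SAMPLE_EVENTS)` flags events 4, 6 and 7, and `over_deployed` reports only OfficeSuite at the end because the DesignTool PO brought that product back into compliance.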

Licenses take pride in being complicated and big. In fact everyone is unusually impressed by a document which is long, very verbose, with paragraphs in capital letters dispersed throughout the document, numbered paragraphs, complex internal cross references, no spelling errors and lots of legalese. That's why you just clicked 'accept' and then next > next > until 'finish' – what you do not realize is that (possibly) you violated some term of the license during installation itself!! hahahah – yes sir – read it closely and the agreement assumes that the person installing the software is authorized to legally bind the company with the terms that are being accepted.

Sunday, April 7, 2013

Cyberwar Anonymous v/s Israel


It's wartime folks, except there are no people being killed, no guns, no tanks or bombs. It's a silent war focused on bringing down a country. And the problem is that this country, Israel, does not know whom to hit back at! The attackers are from all over the world - different countries, nationalities and hiding behind multiple proxies.

Anonymous says Israel crossed a "line in the sand" so they declared war!

As of today, this is what is making news:

Anonymous making history, cyberwar begins, Israeli hackers hit back
Anonymous hackers from Iran, South Africa, Palestine, Pakistan and many other countries start the first ever cyber war against a country; #OPISRAEL messages go round on every social media about thousands of Israeli websites defaced and hacked.
Anti-Israel hackers stepped up their attempts to pull down Israeli sites over the weekend, with numerous attempted denial of service (DDoS) attacks against Israeli government sites. Hacker sites listed numerous websites they claimed to have disabled, and several sites reported slowdowns on Saturday night, but nearly all the sites the hackers claimed to have taken down were operating normally.
Israeli Elite Strike Force worked on Saturday night to pull down more sites. The group started attacking sites in Pakistan Friday but took off for Shabbat.

As cyber-war begins, Israeli hackers hit back


Quran Cited on Hacked Israeli Police Website Cyber War against Israel on Holocaust Memorial Day

http://www.cyberwarzone.com/quran-cited-hacked-israeli-police-website-cyber-war-against-israel-holocaust-memorial-day 

Major Israeli Government website down, Mossad agents' emails online

Details of 1500 Mossad agents are posted on Google Drive; about 19k Israeli FB pages are down; #OpIsrael says "When the government of Israel publicly threatened to sever all internet and other telecommunications in and outside of Gaza, they crossed a line in the sand."

Israel Set Up a Hotline, Prepares for April 7 Anonymous Attack

Friday, April 5, 2013

Information Security education, training and more...

For a very long time I have been thinking about the dearth of 'good' education or training in the InfoSec domain. 

Then there is the thought of how any new person will get into the domain, considering that we all seem to have landed here by accident, providence, interest or plain luck in being at the right place at the right time!

I put my thoughts into a small presentation and am working on creating an Information Security Management program which will be good for the non-technical manager and the technology geek manager, as both will learn about their missing pieces. 

Check this concept document; your feedback will be welcome!

http://slidesha.re/XicQcn


Wednesday, December 5, 2012

Cybercrime responders become partners in a new crime

This is copied from my blog infosecgallery.

Sometime back I was pondering about surrogate criminal activity that happens in the absence of incident disclosure by corporate bodies. While pondering whether the regulators will act to bring in any form of control I realized that it is not just the corporate but others too who are engaging in criminal activity.

To illustrate I present an example ... I have a pistol and shoot a friend accidentally. We take the injured person to a hospital where he/she will be refused treatment by the doctor until a police complaint is registered. A police complaint will lead to my arrest and confiscation of my gun. I shall be in a lockup, I get bail, and then even if my friend stands by me the cops will interrogate and investigate and may not drop the case.

Now we come to a cybercrime scenario - a company or government department is breached (they get hacked / data is stolen / phished / financial fraud). The CISO is the first to respond and advises the CxO. Then they call in a forensic/security consultant who provides his/her analysis with remediation advice. Now they go to the Police Cybercrime cell and ask for an investigation. At the end of the Police investigation, the cops are told "we do not want to file a case" and the whole thing is dropped because they "know" who or what happened.

So we have the victim company (organization, bank, department..), CISO, Forensic/Security consultant, and Police investigators who have all colluded to close a criminal case (theft, hacking, piracy, porn... whatever).

Does this make all these people / institutions party to the crime of abetting a criminal act?

If yes then can the various banks, government departments and organizations be taken to court along with the police departments of all states? I understand Sec 120 b or Section 34 of the IPC establishes guilt for conspirators.

Will the ITA be amended soon for 66A, and can the mandarins add "disclosure" as an obligation under the act?

The moot question is whether everyone is a criminal now? The consultant who found out the modus operandi and advised on new controls, the cybercrime police who did not register the case and advised closure thus (possibly) causing loss to shareholders and the exchequer.




Monday, May 28, 2012

Indian firms under Anonymous attack.... extreme inarchy!

Posting without comment... 


#opNewSon
This is a different one.... FBI warning to a number of top firms to expect an attack, starting May 25, and the list includes Reliance Industries Limited (RIL). I learned about this earlier through our commercial Security Threat Intelligence services and was trying to find someone at RIL to pass the information to. Unfortunately I could not connect with anyone and gave up trying after the start of the attacks on May 25.


http://threatpost.com/en_us/blogs/fbi-warns-top-firms-anonymous-protest-hacks-may-25-052412?utm_source=Newsletter_052512&utm_medium=Email+Marketing&utm_campaign=Newsletter&CID=&CID


This is the list of top firms identified by FBI:
https://threatpost.com/en_us/img_assist/popup/11219


UPDATE: this was a failure... but they have not yet given up.
http://www.cyberwarnews.info/2012/05/28/anonymous-release-message-about-opnewson-claimed-failure/

http://kevtownsend.wordpress.com/2012/05/26/why-did-thewikiboats-opnewson-fail/


#opindia
Anonymous announcement of their attack on various Indian sites / companies. One of them was Reliance Communications and it started the day before. People using the RCOMM network for internet access were presented with a page carrying a message from Anonymous.


http://www.zdnet.com/blog/india/anonymous-hacks-reliances-internet-filtering-server/1112
http://www.ehackingnews.com/2012/05/opindia-reliance-internet-hacked-by.html


Friday, May 18, 2012

The Shape of things to come - Internet Inarchy

Anarchy, move over - it is time for INarchy. 


They tweeted: “Namaste #India, your time has come to trash the current government and install a new one. Good luck.” 
A YouTube video (May 15) by user Sen0nymous, titled ‘Operation India Engaged’, issued a call to action for fellow hackers. The video stated, 
“It has been known that the government of India and its ministers are committing aristocracy. The idea of democracy remains an idea only.”

“We were and are watching closely all activities of the government and its ministers. Many ministers were and are charged with severe cases of corruption. They do not care. They do not care for the injustice happening. They do not care for the freedom being snatched.”

“The government has been covering up its activities and hiding the facts from its citizens. It has imposed the IT Act which allows it to censor the internet as it seems fit. None other than the DoT needs to be blamed. One can’t block on purview of security concerns.” 

So Anonymous does not like the moves made by the Indian government and they start firing all cannons. They had started off protesting against the US, Swedish and UK government actions regarding Wikileaks and that sort of hacktivism was cool. Now, and with other actions (anti SOPA etc), is this morphing into a sort of conscience keeper for the world?

And for the moment the actions are just defacing websites and pulling any data that is bagged in the operation - so how long before this activity turns more malicious? Or how long before there are another few groups that do not have morals or have some sort of hate driven objectives? We do not have to search too far to find psychos!

We can dump all the international treaties and cooperation programs aside - a cyber-war or cyber-terror scenario is so easy to conjure ... just a handful of faceless people from anywhere in the world meet over time in a chat room and put together their bag of tricks. And, they let loose.

They can attack, plant an APT, steal data, commandeer weapons ... in short, they can do a lot. Or they can just choose to poison an information source like a satellite. Let your internal criminal out and let your imagination run wild; soon you will have enough zillion doomsday scenarios that an asteroid hit will be child's play.

After that, all the king's men can spend their lifetimes to find who did it. 

Tuesday, May 15, 2012

License to Surf .. the shape of things to come

Internet Commerce, Presence and the Shape of Things to come


The internet has evolved dramatically since conception ... inception, and I do not believe that the founding fathers would have imagined it in its present form.


Like all things "free", the world has used, misused and abused the internet as it continues to be a self governed network, owned by no one. Organizations like ICANN, IETF, W3C do their bit in controlling or running this worldwide network.


When I started an online business in the mid-nineties, I realized that there are no taxes in cyberspace - the seller in country A was not selling in the domestic market so there was no tax liability... and the buyer in country B was buying (retail for personal use) from overseas so there was no domestic transaction ! Cool.. a lot of people made a lot of tax free money.


Email, tweets, networking, websites, graphics, content ... et al - everything is "free" on the internet. Or so it seems. We in India, and many other countries, are yet to face the whiplash of IP theft or have an organization like SOPA follow an IP address to prosecution and penalty. 


All that we pay for is internet access and once on the information highway, one just lets loose. There are no rules - one site leads to another, check out recipes or people, post stuff online or make your sites.


We are leading to an Internet which will be paid for and with the amount of wild west type shootings and lawlessness, pretty soon we shall have to have a "License to Surf". A license which will uniquely identify me and allow me to visit a certain set of websites. 


Governments are already creating tough laws to rein in the lawlessness and the new breed of criminals. Websites, service providers and law enforcement agencies are increasingly tracking every move / keystroke made online for their own purposes. Technology is advancing towards a more connected life, towards blurring the difference between online and offline persona.


ISPs are already 'shaping' traffic and can start offering 'bundled' internet access much like a cable service. Websites will consolidate services and will charge a small fee when you visit and this will be charged from the ISP - based on time. Emails will start costing money and so will tweets and social network posts - quite possibly the ISP will have to share a part of their revenue here too or pay an annual license fee.  


The "free" internet is slowly fading - there is an Internet Interpol proposed, international treaties coming up, international cooperation among law enforcement agencies, global takedowns and many other such related activities happening. On the other hand, botnets owners, spam-masters, cybercrime gangs and such criminals use free resources and cyberspace anonymity to wreak havoc on the global user community.


Maybe this will be a good thing because it will protect us from the paedophiles and other cyber criminals. A small price to pay for protection and personal safety on the internet, but a very high price when one considers the surrender of privacy and the 'freedom' of an unfettered cyberspace.