tag:blogger.com,1999:blog-74026850391076336132024-03-16T05:24:35.638-04:00securambling .... Rambling comments / reactions about Information SecurityA place for me to ramble, rample and whatever securely. Let my thoughts roam freely, about the state of security in information around me and I follow them and seek to engage. Ideas and plans and my dreams of security. And a place for events which inspire me or stoke the urge to comment.Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.comBlogger53125tag:blogger.com,1999:blog-7402685039107633613.post-70717466458615604122015-07-21T18:27:00.000-04:002015-07-31T14:37:55.153-04:00A New Proactive Responsibility For Bankers in the Face of Cross Border Frauds<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
Let's face it - <strong>no one,</strong>,<strong> </strong>(whether an individual, a government or an organization)<strong> </strong> is immune to or safe from a breach, an attack, a scam, a rootkit or a virus / APT or whatever you may call it. </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
A crack is a crack is a crack is a crack (calling it a hack is sacrilege) </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
And this is a global problem which is growing (exponentially) by the day, by the hour, minute, second and even nanosecond. Everyone has to face the threat, directly or indirectly, and no one ever knows when he/she will fall victim to an attack or an incident, and it really does not matter whether you are hyper intelligent or live inside Fort Knox. </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
We do not have to go too far into history to see institutions like OPM, SONY, White House; global security organizations like RSA, The Hacking Team, HB Gary, NSA etc - the list is really big and includes banks etc.</div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
In this global cybersecurity threat and crime maelstrom the Law Enforcement Agencies (LEA), Intelligence and Defense Agencies are first and foremost affected. They have a responsibility to investigate cybercrimes perpetrated across international borders, using sophisticated attack techniques or compromising insiders into malicious acts, voluntarily or involuntarily. Invariably while following cross-border leads, the LEA meets with insurmountable challenges and lengthy procedures (or red-tape even non-cooperation). And, if the request is to an unfriendly nation, the case might as well be closed and filed away!</div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
Example challenges faced by LEA are in (1) following a money trail, (2) getting source IP information, (3) user name and address, etc. </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
We will only look at "following the money trail" - in this case the victim may know the name of the bank where the funds were fraudulently transferred. However, when the bank is advised about the same they may not take any action until there is an order for the same in compliance with their locally applicable laws and regulations. </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
However it is time for these officials, across the world, to raise a red flag at their end when they receive a communication directly from the victim (or victim country LEA).</div>
<blockquote style="font-family: Georgia, serif; font-size: 16px; font-style: italic; line-height: 24px; margin-bottom: 30px; padding-left: 40px; padding-right: 5px;">
Imagine if a bank manager gets a mail from a victim who informs about a fraud which has been perpetrated and where the funds have been transferred to that particular branch of the bank. The branch Manager may not be able to stop the account from operating but he/she can inform the local LEA about the suspect transaction. In addition, he/she can proactively guide the foreign victim and LEA about the quickest procedure to get the legally appropriate instructions for necessary action. </blockquote>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
The only (simple) reason why this bank manager in a foreign country should stand up and raise a red flag on the account, on the account holder and the transaction(s) is .... it can happen to him/her too. </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
Yes, there is no guarantee that this bank branch, anyplace in the world, may fall victim to a fraud or a bank client may fall victim - then this manager will be running the same hoops as the victim / LEA who had connected earlier. </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
This is not a call to disclose information, neither a call to work against the law or invade the account holder's privacy. It is not an aggressive look into transactions which is done through Risk Management and AML practices. In these changing times, it is an acceptance of responsibility by the banking professionals to set up a simple deterrent control. Criminals will slow down on using accounts in foreign lands once they are aware that ANY transaction can be notified to LEA proactively. </div>
<div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 30px;">
<br /></div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-69407797285381830012015-07-11T06:33:00.001-04:002015-07-11T06:33:06.366-04:00What I Learned when Hacking Team became Hacked Team<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">There are many takeaways from this hack which has effectively named and shamed many and (possibly) relegated Hacking Team to history (good riddance to an arrogant lot). I am sharing some lessons which I have learned as a security practitioner and will touch upon some issues (e.g. NDAs are worthless and a waste of time; they can't cover gossip, resumes et al) </span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">(my apologies for the flowery language which is prompted by my glee at the fall of this organization for personal reasons of my own)</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Security bloopers courtesy the hacking team (RIP)</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 1 - If you are in the security business (or any unsavory business) and you are dealing in sh**, crack, LSD, heroin, 0-day, malware or any such crap ...<strong style="border: 0px; box-sizing: border-box; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">make sure your emails and data is encrypted - </strong>saves your clients the embarrassment of dealing with a debauched organization </span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 2 - Remember your underpants always smell but you will never know how bad; once put out in public and you will know how bad it stinks ... and you will also learn you have holes in the wrong places <em class="_4-k1 img sp_fM-mz8spZ1b sx_7f72ac" style="border: 0px; box-sizing: border-box; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">wink emoticon</em></span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 3 - Once your privates are exposed be prepared for ridicule about your size, morals, hygeine, etc... and don't be surprised if the guys at Daesh / ISIS / Al Qaeda are leading the criticism - just goes to show how low you are in the reputation index</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 4 - Just because you have all the 0-days in the world in your kitty OR all the kings of the world at your doorstep wanting to buy your wares.... this does not mean someone 'cannot' screw you because arrogance rising from your mal-knowledge and a big order book corrupts you as bad as power in hand <strong style="border: 0px; box-sizing: border-box; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">(remember to respect the forces of humanity and nature)</strong></span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 5 - You think you know the world and it's underbelly but then it brings you into the gutter yourself.... and then it is survival you against the real shi****s and they will always win because you are a wannabe shi****</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 6 - When the sh** hits the ceiling you can be kicked off the throne without the opportunity to wipe your ass ... and we all know what happens when you are soiled</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 7 - When underground stay there and make sure everything you own is also there... air gap, pgp, whatever</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 8 - We all know doctors do not follow their own advise... as security guys we do not indulge in data classification, encryption, backup, etc... that sermon is for our clients</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 9 - What goes round comes round... if you sell cyber weapons or surveillance stuff and think it cannot come back and hit you... you do not even deserve to live in Wonderland too as Alice will be scandalized</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 10 - An intelligence agency is not setup to be ethical or maintain loyalties to anyone except their government... if HT expected their tools will not be used on them by every buyer they needed a reality check</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">Learning # 11 - You are never "there" in security even if you are the cat's whiskers so stay grounded, say your prayers diligently and make sure you ask your God to keep you safe from the omissions and commissions of your vendors and other malicious trespassers !</span></div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<span style="font-family: Verdana, sans-serif;">If there are any learning you can add to my list please be my guest and help the community!</span></div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-47409030772926834772015-01-01T02:05:00.000-05:002015-01-01T02:05:59.593-05:00Hopes for 2015<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
This was first published on Linked in https://www.linkedin.com/pulse/hopes-2015-dinesh-o-bareja</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
My prescription is for awareness and common sense! Both practices need guts and will guarantee glory.</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
<span style="font-size: 16.3636360168457px;">T</span>he experts, oracles, analysts, market-leaders, gurus have spoken - forecasts for 2015 have been made, published, read, publicized, devoured and digested by all across the world (and I am talking only in the Information Security and Technology space). These soothsayers have already told you how accurate they were in 2014, and I do not dispute anyone of their position as a cool guy or where he/she makes magic. My quadrant is nowhere near any so I am not worried. </div>
<blockquote style="color: #333333; font-family: Georgia, serif; font-size: 16.3636360168457px; font-style: italic; line-height: 24px; margin-bottom: 30px; padding-left: 40px; padding-right: 5px;">
As an aside - have you realized the only people in the world who really do not worry about opinions are the very rich and the very poor. The rich cares a F for what the world or people think about him and lives, dances, splurges in a cocoon - they set the opinion! The poor cares a F because if things are anyway shi* in life what more can go wrong. That's where I am with my opinion ;-)</blockquote>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
I see some gaps (from my perspective) in all the forecasts and analyst opinion floating around that I decided to start the year by enlightening my small band of friends and followers. While this list of mine may not cover "everything" it will be inline with that of the big brand forecasters because none of them are complete <laugh></laugh></div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
1. Awareness - The one thing missing in EVERY forecast is the highly critical need for user awareness and as an appendix to this is the need to use awareness content which is prepared by some good experts and not by a newbie sysadmin who is has skills to do 'blind-ctrl-c-v". </div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
There is a lot of talk about malware, spear phishing, cloud insecurities and more.. but who is aware of the risks that these things carry? Has anyone told anyone using gmail carries a risk and that spear phishing is used to catch people and not fishes in the backwaters of Australia! Has anyone in your organization EVER explained that malicious code can be come into the organization embedded in a document or an image and can then steal stuff or wreak havoc?</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
I am sure even the CEO or Board has never been told the sh***y side of technology.</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
So this is the most important missing link - ensure regular awareness programs, demonstrate risks and threats, show videos, play games and relate everything to the life and work of the participants. Do not run a presentation and mark attendance for your compliance report but make sure you run awareness to actually achieve the objective of making your company users aware!</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
2. Common Sense: Don't laugh. This is the one item missing in most portfolios and plans and it is not easy to have. Everyone thinks he / she has it and this is the first gross error - it may be there but may not be in abundance and may be highly unused. In other words you have it or not and even if you have it, you need guts to use it and stand by your conviction. </div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
CS is not applied in any security implementation or purchase. Corporations pay top dollars to consultants to devise the most convoluted RFPs designed to keep the beggars out. None of them provide the actual "sense" of using the product or service being purchased!</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
OK so you are implementing SIEM or DLP - you purchased it as per your RFP with 5 standard rules out-of-the-box. What did you get - a hahahah roll in the hay! One year or more later you realize you have been taken for a ride and you cannot tell your wife/husband/gf for fear of being kicked with an incompetent tag. </div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
Or you are implementing ISO27001 or any of the other ISO flavors, and what did you do - make a full library of documents and templates but do you really need this? At the end of the day everyone is following the book but if you actually read the change management log you can make a funny movie. You are a 20 person organization and you have an encryption policy... hey hey can you spell encryption for me let alone use it in your day to day work. </div>
<blockquote style="color: #333333; font-family: Georgia, serif; font-size: 16.3636360168457px; font-style: italic; line-height: 24px; margin-bottom: 30px; padding-left: 40px; padding-right: 5px;">
I have been working in IS for a number of years and yet to happily use encrypted emails (who will I send these mails to!). And not to speak of the many password protected files which are on my machine and the password has passed away into the sands of time and memory!</blockquote>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
The one thing that was not applied is common sense because the consultant never mentioned it. And the CEO or CISO did not speak the troubles in his / her mind because he/she was busy playing to the gallery (during sales pitch and PoC) trying to pick holes in the presentation and throwing his/her knowledge in the air!</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
Oh oh oh,, if only you had asked the silliest question that came to your mind because that was most relevant. For example - you asked about references and they connected you with their friendliest neighborhoodest buyer but after the spiel did you ask the reference about the time it took for the deployment, did you ask about the challenges and who sorted them, did you ask about the number of functional meetings in which the consultant participated, did you ask how was the feedback from the operations team... and much more. </div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
So yes, it is simple common sense that if you are purchasing cloud services, you must check the infra, SLA, client history, uptime etc but did you ask about portability and ease of the same? What if you want a divorce - do you have a pre-nup in place? </div>
<blockquote style="color: #333333; font-family: Georgia, serif; font-size: 16.3636360168457px; font-style: italic; line-height: 24px; margin-bottom: 30px; padding-left: 40px; padding-right: 5px;">
There are many more scenarios which you can envision to apply this theory of CS and Awareness and take a lead over your peers.</blockquote>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
These are two things I find missing in all the 2015 forecasts and I sincerely believe that if you dump all the advise given by every guru and soothsayer and just use your common sense you are bound to find awesome success. Add to this a highly aware user community in your organization and you have a strong mix of resilience and proactive security!</div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
But, yes, you need to have the guts to drive this thought and if your management supports you, you are home with a tremendous amount of saving. </div>
<div style="color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16.3636360168457px; line-height: 24px; margin-bottom: 30px;">
So, good luck and best wishes for 2015 - may the most sensible thought win!</div>
<blockquote style="color: #333333; font-family: Georgia, serif; font-size: 16.3636360168457px; font-style: italic; line-height: 24px; margin-bottom: 30px; padding-left: 40px; padding-right: 5px;">
<em>Some Self Promotion: Information Strategy and Policy development or advisory services for states /national bodies and large enterprises is my forte. If you want practical, meaningful and usable advice, KPIs, etc connect with the author on twitter (@bizsprite) or Linked-IN or Facebook (dineshobareja).</em></blockquote>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-78274857886800274202014-12-20T04:47:00.002-05:002014-12-20T04:48:53.690-05:00Cyberwar ... a damp squib?<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
War.. The word conjures up images of people killing one another using warplanes, warships, tanks, cannons etc. Images of cities and countries totally destroyed ... then V Day... then POWs .. medals, martyrs, heros. This was war!<br />
<br style="box-sizing: border-box;" />
And cyber war? Is it really war ? Or, we diluting the devastating danger of war by terming cyber incidents as war?<br />
<br style="box-sizing: border-box;" />
No country has publicly declared the formation if a cyber army, or a new cadre. There is no school for cyber weaponry or tactics. In fact well known generals and leaders have publicly accepted that they do not know how to define cyber war. Yet the media and global voices scream cyber war every time a major hack takes place! No one knows whodiddit but everyone has a theory about whodunit!<br />
Last year Sony was hit by non-state actors, and this winter all fingers are pointing at North Korea. Earlier, in autumn it was the blame-it-on Iran season and the summertime ogre was China! Others who have had their place in the sun are the Syrian Electronic Army, Russia, Georgia and others.<br />
<br style="box-sizing: border-box;" />
One shouldn't forget the private and state armies of India and Pakistan who are constantly engaged in the childish sport of website defacement. Every now and then we have reports about cyber war being staged by either party stating X hundred sites defaced and y hundred retaliated with !</div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
Sabre rattling and finger pointing by all countries and the so called private armies and patriots. No government has stood up to say they are responsible for a website defacement or a data breach/theft from someplace.<br />
<br style="box-sizing: border-box;" />
Not a single country has declared war in the real sense of the word. American banks, corporations, government entities, critical infrastructure is under continuous attack (as per US-CERT) but America has not declared war against anyone ! Compare this with the same Americans who went to war because someone said the Iraqi's have WMDs. Then they went out and killed Osama bin Laden because of the WTC attack by the Talisman.</div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
It is natural for any country to declare a state of war if their sovereign assets are compromised but look at this</div>
<blockquote style="background-color: white; border: 0px; box-sizing: border-box; color: #333333; font-family: Georgia, serif; font-size: 16px; font-stretch: inherit; font-style: italic; line-height: 24px; margin: 0px 0px 30px; padding: 0px 5px 0px 40px; quotes: none; vertical-align: baseline;">
The NSA - Prism program has compromised the assets of friendly and non-friendly states and (possibly) continues to do so. Yet all affected countries have just taken it easy and not spoken up or retaliated (except Brazil).</blockquote>
<blockquote style="background-color: white; border: 0px; box-sizing: border-box; color: #333333; font-family: Georgia, serif; font-size: 16px; font-stretch: inherit; font-style: italic; line-height: 24px; margin: 0px 0px 30px; padding: 0px 5px 0px 40px; quotes: none; vertical-align: baseline;">
India Pakistan have border skirmishes every other day and hordes are killed by terrorists (non-state actors) and armies (state actors). However, even though, website defacement and data ex filtration is regularly announced by non-state players there is no "tough" talk or overt action!</blockquote>
<blockquote style="background-color: white; border: 0px; box-sizing: border-box; color: #333333; font-family: Georgia, serif; font-size: 16px; font-stretch: inherit; font-style: italic; line-height: 24px; margin: 0px 0px 30px; padding: 0px 5px 0px 40px; quotes: none; vertical-align: baseline;">
In the past few days North Korea is (said to be) the country behind the SONY hack because of the movie 'The Interview'. The USA is said to be affected badly with the hack but there is no strike back! And, going back into history, there are other incidents when South Korea has been repeatedly been (supposedly) attacked by North Korea and there has been no counter-strike! Not even a word of warning, leave alone the 'stern warning' type of public statement.</blockquote>
<blockquote style="background-color: white; border: 0px; box-sizing: border-box; color: #333333; font-family: Georgia, serif; font-size: 16px; font-stretch: inherit; font-style: italic; line-height: 24px; margin: 0px 0px 30px; padding: 0px 5px 0px 40px; quotes: none; vertical-align: baseline;">
<strong style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">This<a href="http://www.kaspersky.com/no/images/war_eng-66-147130.png" rel="nofollow" style="border: 0px; box-sizing: border-box; color: #7b539d; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;" target="_blank"> infographic shows a few landmark events</a> but what about counter strikes, what about public warnings what about cease-and-desist statements... none!</strong></blockquote>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
So is cyberwar sabre brandishing just a damp squib? No one is sending their army/navy/airforce to any country. The US is not asking the aircraft carrier to park itself in the Pacific off the coast of North Korea or China inspite of numerous damning statements against both governments.</div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
Why all this talk about war or elevating these malicious, larcenous crimes to the status of war? These are crimes that may have disastrous consequences; these are disasters that may happen due to oversight or lack of diligence; these are common covert statecraft activities like espionage, agent recruiting etc; these are events which have not been seen or imagined in totality .. and mankind is still struggling to put a name or sentence here.</div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
Can we keep the word "war" out and stop glorifying common criminal intent - it will blow the hype out and allow proper thought to address the problem(s).</div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
Until the internet is all pervasive and is as 'essential' as air / water / land / gravity and we can blast human beings as they walk and talk with precise thought!</div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
Scarier times are ahead, but why build and live with FUD.</div>
<div style="background-color: white; border: 0px; box-sizing: border-box; color: #4d4f51; font-family: Helvetica, Arial, sans-serif; font-size: 16px; font-stretch: inherit; line-height: 24px; margin-bottom: 30px; padding: 0px; vertical-align: baseline;">
<i>This article was published by me on Linked In</i></div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-28635045314648217232014-04-09T00:05:00.000-04:002014-04-09T00:05:33.636-04:00Suing the Government <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1182" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_74" style="font-size: 14pt; line-height: 19.97333335876465px;">Should a government department, a government official or an elected minister be sued in event of negligence or lack of services which are promised by the Constitution?<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1182" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_80" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1181" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_70" style="font-size: 14pt; line-height: 19.97333335876465px;">Yes, by all means; but taking any such action requires permissions at various levels which includes running hurdles for the investigation team.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1177" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_106" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<blockquote class="tr_bq" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_66" style="font-size: 14pt; line-height: 19.97333335876465px;">This thought has been on my mind for quite some time and was rekindled by this report about an event in the US.</span><span style="font-size: 14pt; line-height: 19.97333335876465px;"><a href="http://www.nationaljournal.com/tech/court-upholds-ftc-s-power-to-sue-hacked-companies-20140407" id="yui_3_14_0_3_1397015940672_61" style="color: #324fe1; text-decoration: none;">http://www.nationaljournal.com/tech/court-upholds-ftc-s-power-to-sue-hacked-companies-20140407</a></span><span id="yui_3_14_0_3_1397015940672_57" style="font-size: 14pt; line-height: 19.97333335876465px;">So a court recognizes that a government agency can sue anyone for not having security in place.</span></blockquote>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1175" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_83" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1175" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_53" style="font-size: 14pt; line-height: 19.97333335876465px;">We are lucky that our IT Act has a similar provision as it expects ‘reasonable’ security to be in place and this is good for all – prosecution and defence lawyers. I say it is good because everyone will have a great time discussing the definition, scope, inclusions and exclusions of the term ‘reasonable security’.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1189" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_103" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1189" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_49" style="font-size: 14pt; line-height: 19.97333335876465px;">Anyway there are cyber and non-cyber considerations:<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1174" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_100" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1174" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_45" style="font-size: 14pt; line-height: 19.97333335876465px;"><b id="yui_3_14_0_3_1397015940672_113">First a look at non-cyber considerations – </b></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1174" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_108" style="font-size: 14pt; line-height: 19.97333335876465px;">a lady alighted from her car and fell into an open drain on Marine Drive day before yesterday. People have fallen into drains, or off trains because the platform is too low; cars have fallen into ditch sized potholes, potholes dot all Mumbai roads and can break your neck or back.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1173" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_41" style="font-size: 14pt; line-height: 19.97333335876465px;">So can we sue the Mumbai Municipal Corporation, the Commissioner, the traffic cops and the local Minister for abetment in a conspiracy to murder/ or for culpable homicide? If the police arrest the husband, and all in-laws, (usually) as abettors, in the unfortunate event of a suicide by a lady, then how is this different from the blind actions of the MMC arising from the indecent state of infrastructure which can kill you at any moment?<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1173" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_86" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1190" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_37" style="font-size: 14pt; line-height: 19.97333335876465px;">Another scenario is when there is a fire and the Fire Department discovers that the absence of fire-fighting equipment – they penalize and take you to court.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1172" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_98" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1172" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_33" style="font-size: 14pt; line-height: 19.97333335876465px;"><b id="yui_3_14_0_3_1397015940672_96">Now we take a look at the Cyber scenario – </b></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1172" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_91" style="font-size: 14pt; line-height: 19.97333335876465px;">In the country CERT empanelled auditor firms are in great demand and there are only 40 / 50 companies which hold the distinction of this honor. The government mandate is that CERT is our cyber protector, and these empanelled agencies are the eyes, ears and hands which will ensure that the Government infrastructure is secure. Inspite of all the brouhaha and strict procedure government websites are defaced and reports are leaked about breaches and hacks in Government departments, banks etc – all those institutions which place blind faith on the CERT empanelment.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1171" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_29" style="font-size: 14pt; line-height: 19.97333335876465px;">The BIG question is – how come no official is kicked out? How come no empanelled company is de-listed? How come there is no public inquiry into such incidents? Why doesn’t the police arrest anyone from any of these audit firms (they did arrest auditors in the Satyam saga)?<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1191" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_25" style="font-size: 14pt; line-height: 19.97333335876465px;">Why is no one taken to court for deficiency in their security infrastructure and for deficiency in service?<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1170" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1170" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_21" style="font-size: 14pt; line-height: 19.97333335876465px;">Why is no one taken to court for paying huge penalties for using pirated software – not a single company or bank has every reported this to SEBI or the bourses. And when the cops advise not to file an FIR are they not abetting the crime being committed by the management.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1169" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_122" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1169" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_17" style="font-size: 14pt; line-height: 19.97333335876465px;">A shameful event (among many breaches) was the defacement of the CBI website which then remained ‘down’ for more than a month. Did the auditor / webmaster / IT / IS officers and contractors get kicked out and charge-sheeted .. I guess not!<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1169" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_119" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1162" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_14" style="font-size: 14pt; line-height: 19.97333335876465px;">Will this happen when the insurance market matures, or will this happen when the cyber-police department is sufficiently staffed to handle volumes. And with every passing day the volume of crimes is bound to increase.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1168" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_1_1397015940672_1167" style="font-size: 14pt; line-height: 19.97333335876465px;">What is needed is a Data Protection Act, better Governance (corporate or institutional) but we are all chasing a Privacy chimera – maybe this sounds more fashionable.<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1155" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_3_1397015940672_125" style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1155" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span id="yui_3_14_0_1_1397015940672_1154" style="font-size: 14pt; line-height: 19.97333335876465px;">Someone has to be held responsible – and we all know who has to stand up. Will anyone have the moral and procedural guts to be the change?<o:p></o:p></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1149" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<span style="font-size: 14pt; line-height: 19.97333335876465px;"><br /></span></div>
<div class="MsoNormal" id="yui_3_14_0_1_1397015940672_1149" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; font-size: 13.333333969116211px; line-height: 25px; margin-bottom: 0.1em; margin-top: 0.1em; padding: 0px;">
<br /></div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-52916138938965533332014-04-04T01:26:00.000-04:002014-04-04T01:28:14.628-04:00WMDs of a different kind<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;">Just when the world is understanding a concept, we can trust the US Government to come up with some brilliant idea that turns the concept on it's head. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Remember Stuxnet? We were struggling with the viruses in the wild, calling them trojans and malware and all sorts of names and then... boom! Stuxnet rises, cripples Iran's nuclear abs and creates a new lexicon entry - APT. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Cut to present day disclosures - Cyberwar and cyberterror experts are yet to digest the contents of TAO or PRISM. In fact the most respected people in the war business have (on record) said they do not understand the term "cyberwar". </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Inspite of such disclosures, governments are buying cutting edge tools for doing stuff on their perimeter and outside. Armies of developers are creating cyber-weapons (malware) and letting their inner devils run wild.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">No one even thought about creating chaos to bring down a government, except the brilliantly evil brains in the American establishment! </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<blockquote class="tr_bq">
<span style="font-family: Verdana, sans-serif;">Read </span><span style="font-family: Verdana, sans-serif;"><a href="http://www.politico.com/story/2014/04/united-states-cuba-twitter-105333.html" target="_blank">U.S. secretly built 'Cuban Twitter' to stir unrest</a></span></blockquote>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">No one thought of converting the idea of "Arab spring" into a cyber-weapon! </span><br />
<span style="font-family: Verdana, sans-serif;">Except for the brilliantly evil brains in the American establishment :)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">And the concept of cyberweaponry is now turned over it's head. A true blue WMD that can be used to spread disinformation, create chaotic crowds, influence thought or engineer civil strife. And there is the easy way to engineer the downfall of a government. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The US government used the facade of USAID to set up a twitter-like portal (Zun Zuneo) focused on building a community in Cuba and have used it for a number of self-serving activities. The underlying objective is to influence thought and bring about change by having a democratic government. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So what does this now do for the world? Increase the level of distrust for all business or things of US origin. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I mean if Facebook starts a misinformation campaign after setting up about a 1000 or more fake accounts where are we headed. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">How about scaring a whole country (or community) and starting mass migration and polarization on the lines of caste / color / religion / language. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Or mobilizing flash crowds in every city to chant anti-national slogans creating a law and order situation.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In the last few days we have read disclosures which reported that Google and Microsoft have accessed emails without authorization. The Snowden disclosures are still continuing and have not helped in managing the reputations of any of these global corporations. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">There is distrust all around! And incidents like this from USAID will not help. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">However, we have a new WMD and it has to be developed in stealth mode. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-87625017856902489372014-03-14T00:41:00.000-04:002014-03-14T00:41:54.016-04:00Friday Musings - happy times under the spotlight<div dir="ltr" style="text-align: left;" trbidi="on">
<div id="yui_3_14_0_3_1394770915019_100" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
Taking a break from the daily gloomy tidings about UID misuse, foot in the mouth pronouncements, government system breaches let us look at some silver linings and keep the weekend cheery!</div>
<div id="yui_3_14_0_3_1394770915019_97" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_95" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
A recent analyst report says that the Information Security business is worth $102 billion - happy days for all! Who cares if this spend secures enterprises or governments so long as we can invoice them and get our payment! I can see the India Infosec group members coming together for an all India F2F to discuss the bulk purchase of high end Mercs, BMWs in the near future. Ek billion de de bhagwan hum ko :)</div>
<div id="yui_3_14_0_3_1394770915019_92" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_90" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
Tim Berners Lee was answering questions on reddit and there are some great quotes - this is a must read on the weekend He talks about Snowden and that whistleblowers may be all that will save society and that he favors surveillance for fighting crime (but there must be oversight). Incidentally, he had considered alternate names like The Mesh, The Information Mine before he finalized on WWW. </div>
<div id="yui_3_14_0_3_1394770915019_90" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_87" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<span id="yui_3_14_0_3_1394770915019_104" style="word-spacing: normal;">http://t.co/yWjsCiGN53</span></div>
<div id="yui_3_14_0_3_1394770915019_82" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_82" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
An extract from the reddit post:</div>
<div id="yui_3_14_0_3_1394770915019_79" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
[Question] Did you ever think that the internet would get this big?</div>
<div id="yui_3_14_0_3_1394770915019_76" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
[TBL] Yes, I more or less had it nailed down when it comes to the growth curve. I didn't get it completely right --- 25 years ago I was predicting Id be asked to do an AMA on reddit next wek, but it turned out to be this week. Well, we all make mistakes. <span style="word-spacing: normal;">(no of course not)</span></div>
<div id="yui_3_14_0_1_1394770915019_1196" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<span class="Apple-tab-span" id="yui_3_14_0_3_1394770915019_69" style="white-space: pre;"> </span></div>
<div id="yui_3_14_0_3_1394770915019_66" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<span id="yui_3_14_0_3_1394770915019_109" style="word-spacing: normal;">Closer home and elsewhere, IMS, CMS, NETRA, NSA, PRISM are a few terms that bring visions of a surveillance state intruding into every facet of your life. However this is not the start of surveillance as it has been around even before Biblical times. Every ruler and his statesmen have engaged in some form of surveillance on their populace - the level of intrusion depends on the case. </span></div>
<div id="yui_3_14_0_3_1394770915019_61" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_59" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
In the Internet age, there has been great debate on the extent of surveillance and the fear of misuse, or loss, of data collected.</div>
<div id="yui_3_14_0_3_1394770915019_56" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_54" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
So say all the wise people outside the establishment. </div>
<div id="yui_3_14_0_3_1394770915019_51" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
So says Tim Berners Lee too. </div>
<div id="yui_3_14_0_3_1394770915019_48" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
But. </div>
<div id="yui_3_14_0_3_1394770915019_45" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
Has anyone heard any government say this convincingly ? We shall rest our case here and learn to live with it. <span id="yui_3_14_0_3_1394770915019_116" style="word-spacing: normal;">The debate will continue and the government will do what they have to do against the raving and ranting of the privacy and human rights activists. </span></div>
<div id="yui_3_14_0_3_1394770915019_37" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_35" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
There is a lot not happening in the InfoSec domain - good bad and ugly! Some ugly stuff - I was with a client who had 'obtained' an ISO27001 certificate. They paid Rs. X for the certificate and then another Rs 150 for framing it :) .. of course they felt bad that this agency gave them the certificate without the photoframe. And now they were scrambling because a client wanted to do an audit and they did not have a single policy. Of course they did not have a hope in hell and flunked the audit.</div>
<div id="yui_3_14_0_3_1394770915019_32" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_30" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
InfoSec advisories warn about the insider threat and this is may be the biggest example: It is being alleged that Princess Diana leaked royal family phone numbers to get back to her husband - disgruntled wife causing a data breach! Another one was about the daughter of Michael Dell who was regularly posting details about her father's travel plans on her FB page while he was spending a few millions on protecting his privacy and security!</div>
<div id="yui_3_14_0_3_1394770915019_27" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_25" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
BTW - one of the fans on the TBL AMA commented that Berners-Lee does not use a browser! He just pulls on an ethernet cable like a hookah :)</div>
<div id="yui_3_14_0_3_1394770915019_22" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_20" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
How many of us can claim this power ;-)</div>
<div id="yui_3_14_0_3_1394770915019_17" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
However, with dollar dreams I should no longer care about surveillance or insiders - I have the power! (of the ISO certificate!</div>
<div id="yui_3_14_0_3_1394770915019_14" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_12" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
With that thought... have a great weekend. </div>
<div id="yui_3_14_0_3_1394770915019_9" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_3_1394770915019_7" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
..!Dinesh</div>
<div id="yui_3_14_0_1_1394770915019_1165" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
The world is full of great surprises & the uncommon shortage of common sense is one of them. </div>
<div id="yui_3_14_0_1_1394770915019_1165" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_1_1394770915019_1165" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<br /></div>
<div id="yui_3_14_0_1_1394770915019_1165" style="background-color: white; font-family: 'Helvetica Neue', Helvetica, Arial, san-serif, Roboto; line-height: 25px; margin: 0px; padding: 0px;">
<i>Notice: this is my post on the India InfoSec Mailing list on Yahoo! a private closed group of information security professionals from India.</i></div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-25122952188160539982014-03-10T00:52:00.002-04:002014-03-10T00:52:42.988-04:00Sadly MH370 is lost and no thanks to the aircraft manufacturers<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div style="background-color: white; color: #141823; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 14.44444465637207px; line-height: 21.46666717529297px; margin-bottom: 6px;">
Malaysian Airlines MH370 loss</div>
<div style="background-color: white; color: #141823; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 14.44444465637207px; line-height: 21.46666717529297px; margin-bottom: 6px; margin-top: 6px;">
<br /></div>
<div style="background-color: white; color: #141823; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 14.44444465637207px; line-height: 21.46666717529297px; margin-bottom: 6px; margin-top: 6px;">
This is not the first time an aircraft has been lost over sea and we are replaying the same scenario - MH370 loses contact and is feared lost. Now there is a search operation involving about 30+ aircraft and an equal number of ships.</div>
<div style="background-color: white; color: #141823; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 14.44444465637207px; line-height: 21.46666717529297px; margin-bottom: 6px; margin-top: 6px;">
<br /></div>
<div style="background-color: white; color: #141823; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 14.44444465637207px; line-height: 21.46666717529297px; margin-bottom: 6px; margin-top: 6px;">
The question that nags me is that after so many years of technology advances in aviation we struggle to find missing aircraft and when we find the debris there is big time trouble to locate the 'black box'. By now <span class="text_exposed_show" style="display: inline;">this should be child's play. I have a few childish suggestions...<br /></span></div>
<blockquote class="tr_bq" style="background-color: white; color: #141823; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 14.44444465637207px; line-height: 21.46666717529297px; margin-bottom: 6px; margin-top: 6px;">
<span class="text_exposed_show" style="display: inline;"><b>- why can't <a class="profileLink" data-hovercard="/ajax/hovercard/page.php?id=93354056830" href="https://www.facebook.com/pages/Boeing/93354056830" style="color: #3b5998; cursor: pointer; text-decoration: none;">Boeing</a> and other companies just embed homing beacons all over the body or an aircraft (it should not add more than $ 1000 to the cost) </b></span><span class="text_exposed_show" style="display: inline;"><b>- Why can't these guys put reflective paint on the body</b></span><span class="text_exposed_show" style="display: inline;"><b>- Why not have more than one black box OR keep a voice channel open to the ground where they can keep recording the cockpit activities</b></span><span class="text_exposed_show" style="display: inline;"><b>- Why not have a 'call home' transmitter embedded across different parts of the aircraft</b></span></blockquote>
<div class="text_exposed_show" style="background-color: white; color: #141823; display: inline; font-family: Helvetica, Arial, 'lucida grande', tahoma, verdana, arial, sans-serif; font-size: 14.44444465637207px; line-height: 21.46666717529297px;">
<div style="margin-bottom: 6px;">
<br /></div>
<div style="margin-bottom: 6px;">
Then when you think about all the issues reported by the Boeing Dreamliner you realize that this is not happening because these guys have yet to get their act together in the flying section so how can we expect them to be good in the security segment!</div>
<div style="margin-bottom: 6px; margin-top: 6px;">
<br /></div>
<div style="margin-bottom: 6px; margin-top: 6px;">
It is the same story being replayed when precious lives are lost and the relatives are clueless about their loved ones and how did they die! </div>
<div style="margin-bottom: 6px; margin-top: 6px;">
<br /></div>
<div style="margin-bottom: 6px; margin-top: 6px;">
As I write this there is a massive search operation underway and in the end we will have a monument somewhere in the middle of nowhere. Security checks have addressed many risks, however, when we think about the hardships which could have been avoided with a swifter search (in the event of an unfortunate mishap) there is no excuse. </div>
<div style="margin-bottom: 6px; margin-top: 6px;">
<br /></div>
<div style="margin-bottom: 6px; margin-top: 6px;">
Someone from the design teams or from the FAA in USA or DGCA in India or equivalent bodies across the world should exert pressure on the aircraft manufacturers to something!</div>
<div style="margin-bottom: 6px; margin-top: 6px;">
<br /></div>
<div style="margin-bottom: 6px; margin-top: 6px;">
<br /></div>
</div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com1tag:blogger.com,1999:blog-7402685039107633613.post-38902609106149144562013-09-20T09:13:00.000-04:002013-09-20T09:13:43.187-04:00Creating A New World Order on the Internet - SAC5<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Trebuchet MS, sans-serif;">It was a dark day in Internet history to which the world woke up when </span><span style="font-family: 'Trebuchet MS', sans-serif;">The Guardian</span><span style="font-family: 'Trebuchet MS', sans-serif;"> published </span><span style="font-family: Trebuchet MS, sans-serif;">Snowden's disclosures about NSA's Prism program. Then over the next few days we read how the US Government unleashed it's wrath, using 'all the king's horses and all the king's men' to get to him in Hong Kong. Since then, the story has taken many twists and turns, bringing grief and embarrassment to the US establishment as every new disclosure peels of the layers of the prism program and reveals the depth (and extent) of surveillance carried out globally. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">As it has turned out - there is no safe harbor, nothing is sacred and no one can be believed. It is akin to the world known to spies during the cold war when the world was fractured into the western world and the communist camp. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">In those times of strife a few nations rose above the demands of the powers that be to ally with them and formed the Non Aligned Movement (NAM). This eventually morphed into regional movements driven by social and commercial motives. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Now, we been brought to the cusp of another era of global strife and mistrust with the US program that has been spying on, practically, human being on the planet. Against this power center is China which has created exceptional capability and capacity in all things cyber - offensive, defensive, proactive and preventive. The third player is Russia with it's underground players who are also very nationalist, as was proven during the known cyberwarfare attacks on Georgia and Estonia. </span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">Whether a country is aligned to any of these three global players is of no consequence whatsoever because, as per the disclosures, even if you are actively participating and contributing to the Prism program, you will continue to be monitored and spied upon.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">So,maybe the world order needs change and the 'weak' nations need to come together to form their own support and power club. India can lead this movement, in the same way as having led the NAM many years earlier by forming a South Asian Cybersecurity Capability and Capacity Cooperation Council (SAC5). </span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">The South Asian Council can comprise neighboring countries, Middle Eastern and African countries with India leading the way. Collectively, these countries can share information, develop joint capabilities, conduct skill enhancement training and form a central response or early warning cell. </span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">Brazil has put out the clarion call for an Independent Internet and slowly and steadily the backlash against US (and Allies) resources will gather momentum like a tsunami. The Prism - NSA disclosure has implicated US corporations like Google, Microsoft, Facebook etc and resistance is bound to rise in time. </span><br />
<blockquote class="tr_bq">
<a href="http://www.globalresearch.ca/the-brics-independent-internet-in-defiance-of-the-us-centric-internet/5350272"><span style="font-family: Trebuchet MS, sans-serif;">http://www.globalresearch.ca/the-brics-independent-internet-in-defiance-of-the-us-centric-internet/5350272</span></a><span style="font-family: Trebuchet MS, sans-serif;">Brazil says - let's break away from the Internet ! The Brazilians have also protested strongly to the US and this has led to a long phone call between the two presidents. </span></blockquote>
<span style="font-family: 'Trebuchet MS', sans-serif;">So is it time for the world to polarized again and, worse, for the internet to publicly lose it's independence and be branded as a tool of American hegemony. </span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">The movement to break away from dominance of a few countries on the internet has been shouted out. If the South Asian countries ally and form a Council it will be another power center which will be an effective foil to any type of actions to take over this critical medium. </span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;">As I have said earlier this is a new and different dimension and has to be understood and accepted in a different light. Mankind co-exists with the dimensions of water, air and has to learn to live with ether - better early... before this dimension is destroyed by mankind itself. </span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-87689561311541194132013-09-09T05:32:00.000-04:002013-09-09T05:32:02.133-04:00Innocence Lost.... <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Sometime back we lost our innocence. </span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">When wikileaks leaked
Manning’s files worms crawled out affecting the pride of country leaders across
the world. Egos were punctured because the cables sent by US embassy minions to
their masters were judgmental in nature and revealed “private” foibles and
conversations. This has been followed up by Snowden’s snowfall which is more
damaging for the US Government and business than for any other government. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Over the past few
months, every day we are stripped layer by layer by the revelations of the NSA’s
prowess for invisibile intrusion. We thought the TSA guys were having fun
seeing us in whole body scanners and sharing the pics, but it turns out that
the NSA has been having more fun. Move over Guantanamo Bay that was just a
small set of prisoners who could be stripped, chained or flogged – here they have
the world at our fingertips, and no one looking over their shoulders. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">First one learned that
there was access to emails and internet conversations, the next layer included
voice conversations, then came location data, followed by the revelation that IT
majors like FB, Google. Microsoft, et al are participating in the program. Alongwith
these businesses, some governments also howled in only to retract when the next
revelation exposed their participation and remuneration. It was another shocker
that told everyone about the possiblity of backdoors in commonly used software and
hardware. The world started thinking about seeking safety under cover of encryption
and proxy technologies only to learn that these have been seduced long ago – in
other words encryption technologies have a backdoor. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">So, is there anything
which is safe? Maybe we have to go back to living in caves to save ourselves
from this intrusion, because it seems that the only thing Uncle Sam cannot do
is shove a finger up your 455. But, maybe the time is not too far off too what
with the Internet of Things promising particle transportation and more! <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Yes our innocence is lost
– the new innocence is that “we do not look inside, we only search patterns”.
The new innocence is that you are just a lump of flesh which eats, breathes,
shits and screws and that’s it – simply put you are an animal and no more. Of
course, this is so if you are not the most powerful man on earth, a.k.a. Mr
President. Liberty, freedom, privacy and such rights are good to discuss but not
to be expected in the face of secret laws and powers available with the
intelligence organizations. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">In any case, even if you
are Mr P there is no gurantee that someone did not dip into your smart phone or
that of your wife or children. There is no way you would know, just like the
world did not know until it started snowing. Quite possibly Mr Snowden carried
some stuff on you and that is the major cause of the big manhunt that has been
launched. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Today, every government
wants their own NSA with enough powers to run every sort of surveillance on
their citizens. What will be done with the data is anyone’s guess – maybe it
will help run genocides and progroms more effectively. Or get to play
ghetto-ghetto by segregating people based on caste, color, religion etc. At the
cost of development, Governments are spending billions on technology selling
the dream of nirvana that follows thorugh an e-governance portal or a new
registration card, and it does not matter whether you can read or write, or
whether you have had a square meal in a day. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Innocence lost forever,
welcome to the new order Kalyug is now the C-Yug where C=corruption, chamchagiri, cronyism,
chutiyapanti, conmanship, carpetbaggers, cybercrime, computers and any other C which
you can define negatively. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">So what is happening is
that we are all without clothes, having been stripped, layer by layer and naked
for NSA eyes. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">I wonder – are we a
number or a name in the NSA records? Is this numeric, alpha-numeric, with or
without capitalization. Or is it a continuation of the numbers given in Auschwitz and Dachau .. that may be apporpriate. Will we soon start hearing
‘arbeit macht frei’ or will it be embedded into our flesh at birth. Are we
going to see Mr President in a new role as the oracle from Minority Report? <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<br />
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Mommy is that what Big Brother’s
look like. </span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Verdana, sans-serif;"><a href="http://usbek-et-rica.fr/blog/wp-content/uploads/2013/07/BIG-BROTHER-OBAMA-1984-facebook.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://usbek-et-rica.fr/blog/wp-content/uploads/2013/07/BIG-BROTHER-OBAMA-1984-facebook.jpg" width="237" /></a></span></div>
<span style="font-family: Verdana, sans-serif;"><br /></span><o:p></o:p><br />
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Wooooohhh !</span></div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com1tag:blogger.com,1999:blog-7402685039107633613.post-64160425380586715612013-06-05T13:51:00.000-04:002013-06-05T13:51:06.296-04:00Software Asset Mis-management... who deserves to be hit?<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;">It was another day and I was excited when I learned about another possible 'victim' of the SAM missile. Am putting them here for record...</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Case 1 - Last month a close friend who is the IS head got the review call and I was happy to help him face the notice and the threatening discussions that followed when he pushed back. Yes, he pushed back and the License Manager was sort of surprised and changed tracks. Eventually it was a bad one and everyone was smelling bad too. To cut the story short his company was wrong in the license use - they have a good quantity of licenses but needed more. They were plain lazy and this requirement kept going under against other "priority" budget items. Well they had to spend about Rs. 85 lacs ($ 150k) within a week of closure. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So much for the budget ! All I can be happy about is that they are compliant and I could help them save about Rs. 40 lacs ($ 70k) - pro bono work to help a friend. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Today a fellow consultant provided information about a bank that is presently under scrutiny. Now this is different - it is a bank and they are covered only about 15% with licenses. And the balance 85% these guys are using pirated stuff. Well they are desperately trying to move to open source and I am waiting for them to be HIT. They deserve to be HIT and HIT BAD and i hope that the s/w vendor that is reviewing them includes a penalty too. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I did offer to help and may provide advice too, but it is going to cost them if I am called. I know that they will not agree to pay my fees and will just seek advice (which I am not going to offer).</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In any case I do not think they can be saved and I will really not be happy doing this.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">===============</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Am I being judgmental ? I don't think so as it is my prerogative. However, as I repeatedly say - I do not support piracy. Especially if the person (or entity) can afford to buy the software. I am against strong arm tactics against ignorance bred due to complexity, and will continue to speak out my mind whenever I come across an instance. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">In the above cases both could afford to buy licenses, one was delayed in purchasing and had a friend at the helm, so I wsa okay in my support. The other could afford to buy but did not do this on purpose and deserve to be penalized. If I can get a share of the amount they will have to spend it will be my good luck :)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">More SAM as and license stories as I keep going hunting.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-37870574801827691652013-05-19T23:04:00.003-04:002013-05-19T23:04:52.615-04:00Discovering SAM<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<blockquote class="tr_bq">
<span style="font-family: Verdana, sans-serif;">Software Asset Management (SAM) and me</span><span style="font-family: Verdana, sans-serif;">Frankly I do hope people read through such long articles.</span></blockquote>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<span style="font-family: Verdana, sans-serif;">I chanced upon SAM in the course of my infosec consulting and was very impressed with the requirements of the practice. I also realized that a majority of software users are unaware of their license compliance requirements and are clueless about the benefits of SAM. Going deeper into SAM practices and requirements I decided that I shall take this as an area of specialization for my practice.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">So I begin to review tools, standards, best practices and gaining more experience. One day I attended a seminar where BSA was a sponsor and after the talks I tried to get to talk to the person who had presented on software licensing etc. I was in for the first rude shock of my InfoSec career when I was brushed off with the comment that Big-4 are qualified for this work and that I need to be certified too … which means I should spend about $2,000 with BSA.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Walking away I wondered if I shall learn rocket science or develop some super powers by paying 2k. Today I am seriously thinking about spending this money just to get to know (firsthand) what is it that BSA teaches. I mean I have seen a lot of practices and would seriously like know if this is what is taught for the 2k!</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Well after this I got down to doing my own thing, helping clients achieve compliance with their license requirements.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Until one fine day when I was to visit New Delhi and called BSA for an appointment – surprise ! I am told that they are not available for a meeting – this is disclosed after I have shared my objective for the meeting. And my objective is that I want to work with BSA guidelines in my SAM practice.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">In this interim I tried to reach out to some of the License Managers with the software majors and guess what – no one had the decency to respond to my request to meet me so I can request an understanding of their licensing practices to include in my advisory service. Yes I found that there are a couple of other organizations like BSA and I found one with an Indian country manager. This Country Manager is ex-BSA head and I managed to connect with him on Linked In. After connecting I sent him a message asking for a meeting and guess what – after 6 months or so I am still waiting for a reply! Even he does not want to meet me to discuss issues of piracy and how I can work at my level to wean my clients away from this practice.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">My thought is that I help my client go legit and avoid the hassle of a software audit / review / raid but it seems that all these people (organizations and software vendors) who are “supposedly” protecting the rights of license owners are not interested in having informed users.</span><br />
<span style="font-family: Verdana, sans-serif;">Maybe they are afraid that an informed user will be legit and these people would have spent money hiring the big-time auditors for no reason.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Another thing I have learned is that SAM compliance audits contribute about 25-30% of the sales revenue for any of these software majors. No wonder this is highly secretive, with an expensive entry barrier and very very grim.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">So, me and SAM are apparently not getting along very well. The reason is that I am a simpleton and a straight shooter and cannot understand this stonewalling. I do understand the desperate lives of these ‘license compliance’ people and the power they wield – sort of paradoxical. I do know about the modus operandi and my lawyer and consulting friends provide more case studies.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Nothing is likable here. I mean – these guys are selling software which is insecure. They issue patches in more numbers than one visits the washroom to clean up. These systems and applications are compromised and breaches take place. And if you read the license terms it is like they have done you a big favor by allowing you to use their dirty stuff. To add insult to injury, a goon in a suit may visit you at any time, shove his/her script into your network, probe your crown jewels and unleash the grim reaper on you.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Thank you for buying my software. I am not a monopoly, I am an autocratic oligarchy. And, since I was a child I wondered why Open Source existed – am I happy there is another world.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">OK so SAM is not a clean thing. I call it a baby iceberg. Just because it has the smallest visible threat surface but may be the biggest threat-in-waiting. Keep the APTs, DDOS attacks, malware etc aside – this is a WMD, a pet which will turn rabid without warning and bite you.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Enough said and until the day ethics, morality and decent business practices are considered important it will be good if you prevent the WMD going off in your organization. Make sure you track every single license you purchase and install. Keep a license register and log installations, removals and retirements. Be careful not to use unlicensed software or cracks, even if it is only to test. Do not exceed the number of installations you are entitled to under your agreement. If you do not know make sure you ask your vendor to arrange a training and awareness session BEFORE you sign the PO. Oh yes, if there is an upgrade then make sure you ask this question twice because you may be entering into a grey zone.</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">Licenses take pride in being complicated and big. In fact everyone is unusually impressed by a document which is long, very verbose, with paragraphs in capital letters dispersed throughout the document, numbered paragraphs, complex internal cross references, no spelling errors and lots of legalese. That’s why you just clicked ‘accept’ and then next > next > until ‘finish’ – what you do not realize that (possibly) you violated some term of the license during installation itself !! hahahah – yes sir – read it closely and the agreement assumes that the person installing the software is authorized to legally bind the company with the terms that are being accepted. </span><br />
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-32607790571033285612013-04-07T06:11:00.002-04:002013-04-07T06:12:14.863-04:00Cyberwar Anonymous v/s Israel<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="MsoNormal">
<o:p><span style="font-family: Verdana, sans-serif;">It's wartime folks, except there are no people being killed, no guns, no tanks or bombs. It's a silent war focused on bringing down a country. And the problem is that this country, Israel, does not know whom to hit back at ! The attackers are from all over the world - different countries, nationalities and hiding behind multiple proxies. </span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: Verdana, sans-serif;"><br /></span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: Verdana, sans-serif;">Anonymous says Israel crossed a "line in the sand" so they declared war !</span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: Verdana, sans-serif;"><br /></span></o:p></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">As on today this is what is making news.. </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="background: white; margin-bottom: 6.0pt; mso-outline-level: 1;">
<span style="color: red;"><span style="font-family: Verdana, sans-serif;"><b>Anonymous
making History, CyberWar begins, Israeli hackers hit back</b><o:p></o:p></span></span></div>
<div style="background: white; line-height: 12.25pt; margin-bottom: 12.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 0cm;">
<span style="color: #333333; font-size: 9pt;"><span style="font-family: Verdana, sans-serif;">Anonymous Hackers from
Iran,South Africa, Palestine,Pakistan and many others countries ,start
first ever cyber war against a country, #OPISRAEL messages goes round on every
social media about thousand of Israeli website defaced and hacked. .<o:p></o:p></span></span></div>
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial; line-height: 12.25pt; margin: 12pt 0cm;">
<span style="color: #333333; font-size: 9pt;"><span style="font-family: Verdana, sans-serif;">Anti-Israel hackers stepped up their attempts to pull down
Israeli sites over the weekend, with numerous attempted denial of service
(DDoS) attacks against Israeli government sites. Hacker sites listed numerous
websites they claimed to have disabled, and several sites reported slowdowns on
Saturday night, but nearly all the sites the hackers claimed to have taken down
were operating normally.<o:p></o:p></span></span></div>
<div style="background-color: white; background-position: initial initial; background-repeat: initial initial; line-height: 12.25pt; margin: 0cm 0cm 0.0001pt;">
<span style="border: 1pt none windowtext; color: #333333; font-size: 9pt; padding: 0cm;"><span style="font-family: Verdana, sans-serif;">Israeli Elite Strike Force
worked on Saturday night to pull down more sites. The group started attacking
sites in Pakistan Friday but took off for Shabbat. <a href="http://www.cyberwarzone.com/anonymous-making-history-cyberwar-begins-israeli-hackers-hit-back" target="_blank"><b>Read more… </b></a><o:p></o:p></span></span></div>
<div style="background: white; line-height: 12.25pt; margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div class="MsoNormal">
<span style="background-color: white; font-family: Verdana, sans-serif; line-height: 36pt;"><span style="color: red;"><b>As cyber-war begins, Israeli hackers hit back</b></span></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><a href="http://www.timesofisrael.com/as-cyber-war-begins-israeli-hackers-hit-back/">http://www.timesofisrael.com/as-cyber-war-begins-israeli-hackers-hit-back/</a><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<h2 style="background: white; margin-top: 0cm;">
<span style="font-family: Verdana, sans-serif;"><b><span style="color: #2f2f2f; font-size: 11pt;"><br /></span></b></span></h2>
<h2 style="background: white; margin-top: 0cm;">
<span style="color: red; font-family: Verdana, sans-serif;"><b><span style="font-size: 11pt;"><span style="border: 1pt none windowtext; padding: 0cm;">Quran Cited on Hacked Israeli Police Website Cyber War against
Israel on Holocaust Memorial Day</span></span></b></span></h2>
<div class="MsoNormal">
<o:p><span style="font-family: Verdana, sans-serif; font-size: x-small;">http://www.cyberwarzone.com/quran-cited-hacked-israeli-police-website-cyber-war-against-israel-holocaust-memorial-day </span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: Verdana, sans-serif;"><br /></span></o:p></div>
<h1 style="background: white; margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 0cm;">
<span style="color: red;"><span style="font-family: Verdana, sans-serif; font-size: small;">Major Israeli Government website
Down,Mossad Agents emails Online<o:p></o:p></span></span></h1>
<h1 style="background: white; margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 0cm;">
<span style="font-family: Verdana, sans-serif;"><span style="font-size: x-small; font-weight: normal;">Details of 1500 Mossad agents is posted on Google
Drive; about 19k Israeli FB pages are down; #OpIsrael says "When the government of Israel publicly threatened to
sever all internet and other telecommunications in and outside of Gaza,
they crossed a line in the sand,"</span><span style="color: red; font-size: 11pt; font-weight: normal;"><o:p></o:p></span></span></h1>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><a href="http://www.cyberwarzone.com/major-israeli-government-website-downmossad-agents-emails-online">http://www.cyberwarzone.com/major-israeli-government-website-downmossad-agents-emails-online</a><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<h1 style="background: white; margin-bottom: 6.0pt; margin-left: 0cm; margin-right: 0cm; margin-top: 0cm;">
<span style="font-family: Verdana, sans-serif;"><span style="color: red; font-size: small;">Israel Set Up a Hotline Prepares for April 7 Anonymous Attack</span><span style="color: red; font-size: 11pt; font-weight: normal;"><o:p></o:p></span></span></h1>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><a href="http://www.cyberwarzone.com/israel-set-hotline-prepares-april-7-anonymous-attack">http://www.cyberwarzone.com/israel-set-hotline-prepares-april-7-anonymous-attack</a><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<o:p><span style="font-family: Verdana, sans-serif;"><br /></span></o:p></div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-24165153922002663302013-04-05T14:36:00.000-04:002013-04-05T14:36:06.071-04:00Information Security education, training and more...<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;">For a very long time I have been thinking about the dearth of 'good' education or training in the InfoSec domain. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Then there is the thought of how will any new person get into the domain, considering that we all seem to have landed here by accident, providence, interest or plain luck in being at the right place at the right time !</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I put my thoughts into a small presentation and am working on creating an Information Security Management program which will be good for the non-technical manager and the technology geek manager, as both will learn about their missing pieces. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Check this concept document and your feedback will be welcome !</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">http://slidesha.re/XicQcn</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-32911146161062346172012-12-05T10:46:00.004-05:002012-12-05T10:46:56.487-05:00Cybercrime responders become partners in a new crime <div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;">This is copied from my blog infosecgallery.. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Sometime back I was pondering about surrogate criminal activity that happens in the absence of incident disclosure by corporate bodies. While pondering whether the regulators will act to bring in any form of control I realized that it is not just the corporate but others too who are engaging in criminal activity.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<blockquote class="tr_bq">
<span style="font-family: Verdana, sans-serif;">To illustrate I present an example ... </span><span style="font-family: Verdana, sans-serif;">I have a pistol and shoot a friend accidentally. We take the injured person to a hospital where he/she will be refused treatment by the doctor until a police compliant is registered. A police complaint will lead to my arrest and confiscation of my gun. I shall be in a lockup I get bail and then even if my friend stands by me the cops will interrogate and investigate and may not drop the case.</span></blockquote>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Now we come to a cybercrime scenario - a company or government department is breached (they get hacked / data is stolen / phished / financial fraud). The CISO is the first to respond and advises the CxO. Then they call in a forensic/security consultant who provides his/her analysis with remediation advice. Now they go to the Police Cybercrime cell and ask for an investigation. At the end of the Police investigation, they cops are told "we do not want to file a case" and the whole thing is dropped because they "know" who or what happened.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">So we have the victim company (organization, bank, department..), CISO, Forensic/Security consultant, and Police investigators who have all colluded to close a criminal case (theft, hacking, piracy, porn... whatever)<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Does this make all these people / institutions party to the crime of abetting a criminal act ?<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">If yes then can the various banks, government departments and organizations be taken to court along with the police departments of all states? I understand Sec 120 b or Section 34 of the IPC establishes guilt for conspirators.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">Will the ITA be amended soon for 66A and can the mandarins add "disclosure" as an obligation under the act.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;">The moot question is whether everyone is a criminal now? The consultant who found out the modus operandi and advised on new controls, the cybercrime police who did not register the case and advised closure thus (possibly) causing loss to shareholders and the exchequer.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
<div class="MsoNormal">
</div>
</div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-15681948480318634312012-05-28T01:38:00.000-04:002012-05-28T01:42:46.379-04:00Indian firms under Anonymous attack.... extreme inarchy!<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">Posting without comment... </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">#op NewSon</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">This is a different one.... FBI warning to a number of top firms to expect an attack, starting May 25, and the list includes Reliance Industries Limited (RIL). I learned about this earlier through our commercial Security Threat Intelligence services and was trying to find someone at RIL to pass the information. Unfortunately could not connect with anyone and gave up trying after the start of the attacks on May 25.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://threatpost.com/en_us/blogs/fbi-warns-top-firms-anonymous-protest-hacks-may-25-052412?utm_source=Newsletter_052512&utm_medium=Email+Marketing&utm_campaign=Newsletter&CID=&CID">http://threatpost.com/en_us/blogs/fbi-warns-top-firms-anonymous-protest-hacks-may-25-052412?utm_source=Newsletter_052512&utm_medium=Email+Marketing&utm_campaign=Newsletter&CID=&CID</a>
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">This is the list of top firms identified by FBI:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="https://threatpost.com/en_us/img_assist/popup/11219">https://threatpost.com/en_us/img_assist/popup/11219</a>
</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">UPDATE: this was a failure... but they have not yet given up.</span><br />
<a href="http://www.cyberwarnews.info/2012/05/28/anonymous-release-message-about-opnewson-claimed-failure/">http://www.cyberwarnews.info/2012/05/28/anonymous-release-message-about-opnewson-claimed-failure/</a><br />
<br />
<a href="http://kevtownsend.wordpress.com/2012/05/26/why-did-thewikiboats-opnewson-fail/">http://kevtownsend.wordpress.com/2012/05/26/why-did-thewikiboats-opnewson-fail/</a>
<br />
<br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">#opindia</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Anonymous announcement of their attack on various Indian sites / companies. One of them was Relaince Communications and started the day before. People using the RCOMM network for internet access were presented with a page carrying a message from Anonymous. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://www.zdnet.com/blog/india/anonymous-hacks-reliances-internet-filtering-server/1112">http://www.zdnet.com/blog/india/anonymous-hacks-reliances-internet-filtering-server/1112</a>
</span><br />
<a href="http://www.ehackingnews.com/2012/05/opindia-reliance-internet-hacked-by.html">http://www.ehackingnews.com/2012/05/opindia-reliance-internet-hacked-by.html</a>
<br />
<br />
<br /></div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-13704148497142933532012-05-18T18:28:00.001-04:002012-05-19T20:22:59.880-04:00The Shape of things to come- Internet Inarchy<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: 'Trebuchet MS', sans-serif;">Anarchy, move over - it is time for INarchy. </span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span><br />
<blockquote class="tr_bq">
<span style="text-align: justify;"><span style="font-family: 'Trebuchet MS', sans-serif;">They tweeted: </span></span><span style="text-align: justify;"><span style="font-family: 'Trebuchet MS', sans-serif;"><i>“Namaste #India, your time has come to trash the current
government and install a new one. Good luck.” </i></span></span></blockquote>
<blockquote class="tr_bq">
<div style="text-align: left;">
<span style="font-family: 'Trebuchet MS', sans-serif; text-align: justify;">A YouTube video (May 15) by user Sen0nymous, titled ‘Operation India Engaged’, issued a call to
action for fellow hackers. The video stated, </span></div>
<i><span style="text-align: justify;"><span style="font-family: 'Trebuchet MS', sans-serif;">“It has been known that the
government of India and its ministers are committing aristocracy. The idea of
democracy remains an idea only.”<br /> </span></span><span style="text-align: justify;"><span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></span><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="text-align: justify;">“We were and are watching closely all
activities of the government and its ministers. </span><span style="text-align: justify;">Many ministers were and are
charged with severe cases of corruption. They do not care. They do not care for
the injustice happening. They do not care for the freedom being snatched.”
<br /> </span></span><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="text-align: justify;"><br /></span></span><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="text-align: justify;">“The government has been covering up its activities and hiding the facts
from its citizens. It has imposed the IT Act which allows it to censor the
internet as it seems fit. None other than the DoT needs to be </span><span style="text-align: justify;">blamed. One can’t block on
purview of security concerns.” </span></span></i></blockquote>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;">So Anonymous does not like the moves made by the Indian government and they start firing all cannons. They had started off protesting against the US, Swedish and the UK government actions regarding Wikileaks and that sort of hacktivism was cool. Now, and with other actions (anti SOPA etc) is this morphing into a sort of conscience keeper for the world ? </span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;">And for the moment the actions are just defacing websites and pulling any data that is bagged in the operation - so how long before this activity turns more malicious. Or how long before there is another few groups that do not have morals or have some sort of hate driven objectives. We do not have to search too far to find psychos !</span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;">We can dump all the international treaties and cooperation programs aside - a cyber-war or cyber-terror scenario is so easy to conjure ... just a handful of faceless people from anywhere in the world meet over time in a chat room and put together their bag of tricks. And, they let loose. </span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;">They can attack, plant an APT, steal data, commandeer weapons ... in short, they can do a lot. Or they can just choose to poison an information source like a satellite. Let your internal criminal out and let your imagination run wild, soon you will have enough zillion doomsday scenarios that an asteroid hit will be child's play</span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;">After that, all the king's men can spend their lifetimes to find who did it. </span></div>
<div style="text-align: justify;">
<span style="font-family: 'Trebuchet MS', sans-serif;"><br /></span></div>
</div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-469958176661527182012-05-15T04:11:00.000-04:002015-01-09T01:49:52.933-05:00License to Surf .. the shape of things to come<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana, sans-serif;">Internet Commerce, Presence and the Shape of Things to come</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The internet has evolved dramatically since conception ... </span><span style="font-family: Verdana, sans-serif;">inception and I do not believe that the founding fathers of would have imagined it in it's present form. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Like all things "free", the world has used, misused and abused the internet as it is continues to be a self governed network, owned by no one. <a href="http://en.wikipedia.org/wiki/Internet_organizations" target="_blank">Organizations</a> like ICANN, IETF, W3C do their bit in controlling or running this worldwide network. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">When I started an online business in the mid-nineties, I realized that there are no taxes in cyberspace - the seller in country A was not selling in the domestic market so there was no tax liability... and the buyer in country B was buying (retail for personal use) from overseas so there was no domestic transaction ! Cool.. a lot of people made a lot of tax free money.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Email, tweets, networking, websites, graphics, content ... et al - everything is "free" on the internet. Or so it seems. We in India, and many other countries, are yet to face the whiplash of IP theft or have an organization like SOPA follow an IP address to prosecution and penalty. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">All that we pay for is internet access and once on the information highway, one just let loose. There are no rules - one site leads to another, check out recipes or people, post stuff online or make your sites. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">We are leading to an Internet which will be paid for and with the amount of wild west type shootings and lawlessness, pretty soon we shall have to have a "License to Surf". A license which will uniquely identify me and allow me to visit a certain set of websites. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Governments are already creating tough laws to rein in the lawlessness and the new breed of criminals. Websites, service providers and law enforcement agencies are increasingly tracking every move / keystroke made online for their own purposes. Technology is advancing towards a more connected life, towards blurring the difference between online and offline persona. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">ISPs are already 'shaping' traffic and can start offering 'bundled' internet access much like a cable service. Websites will consolidate services and will charge a small fee when you visit and this will be charged from the ISP - based on time. Emails will start costing money and so will tweets and social network posts - quite possibly the ISP will have to share a part of their revenue here too or pay an annual license fee. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">The "free" internet is slowly fading - there is an Internet Interpol proposed, international treaties coming up, international cooperation among law enforcement agencies, global takedowns and many other such related activities happening. On the other hand, botnets owners, spam-masters, cybercrime gangs and such criminals use free resources and cyberspace anonymity to wreak havoc on the global user community.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">Maybe this will be a good thing because it will protect us from the paedophiles and other cyber criminals. A small price to pay for the protection and personal safety on the internet but a </span><span style="font-family: Verdana, sans-serif;">very</span><span style="font-family: Verdana, sans-serif;"> </span><span style="font-family: Verdana, sans-serif;">high price when one considers the surrender of privacy and the 'freedom' of an unfettered cyberspace. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span></div>
Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-33833604781392395552012-03-24T13:05:00.000-04:002012-05-15T04:12:07.684-04:00India Risk Survey 2012 ... unreliable references and more !<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">When I saw a new report <a href="http://www.pinkertonindia.com/pdf/IRS%202012.pdf">India Risk Survey 2012</a> </span><span style="font-family: Arial, Helvetica, sans-serif;">I was really happy because it carried the names of FICCI and Pinkerton - both are respected and one can expect solid work from them. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Unfortunately I am terribly disappointed with the report, in the area where it relates to Information Security.. and as I write this, I hope these organizations rewrite the report or withdraw parts of it, as their gesture of apology.</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">While reading the report the first 'jhatka' came to me when I read they quoted a Norton report stating cyber crime losses at 34,110 cr (where on earth does one conjure up such a number) - such numbers only fools will suffer !</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The second one was a big shocker - they have the gall to quote a Univ of Brighton report which is so full of crap that even a kid can see through that sham of a white paper ! This is personal for me since I wrote about the sad guys who wrote that paper (check <a href="http://securambling.blogspot.in/2009/11/univ-of-brighton-research-paper-bunchof.html" target="_blank">Univ of Brighton - bunch of liars</a>) The paper writers did not have the guts to write back to me. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">This same university has been trashed by one of the leading national authorities in Information Security - <a href="http://www.business-standard.com/india/news/phishing-study-bunchlies/375390/" target="_blank">Dr Kamlesh Bajaj wrote about this outfit way back in 2009</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Now this report started bothering me and I feel sure they have lifted some of the text - lo and behold - do a check for plagiarism and I find text lifted from "The Hindu". There is a statement wrongly attributed to the CID Review. Refer to the article on Cyber Crime in this CID Review newsletter on the subject of cybercrime from Jan 2008 </span><span style="font-family: Arial, Helvetica, sans-serif;"><a href="http://tnpolice.gov.in/pdfs/ReviewcyberJan08.pdf">http://tnpolice.gov.in/pdfs/ReviewcyberJan08.pdf</a> - come on - who writes spam as SPAM in a regular sentence :) only a SPAM eater !</span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;">Over the past few years, we have seen many 'branded' reports and surveys published under BIG banners - they carry outlandish statistics and statements about cyber crime, information security etc in the country. While almost all such statements need to be taken with a large pinch of salt it is more necessary to trash stuff like what is written by these Brighton chaps. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">It is time to call them back to the table, if they have the guts to come and substantiate their bullS^1t. </span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<br /></div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-38555988134363461472012-02-14T05:56:00.001-05:002012-02-14T05:56:23.093-05:00You are ethical ... and Information Security is a blind alley...!<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">Ethics is a much used word and we know that EVERYONE in the security is ethical, trustworthy with a high level of integrity and will keep all my corporate secrets deep in his/her heart until death do us part (or if you do not pay my bill!)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">Well a number of times I have asked some friends how can they say that they are ethical hackers ! I mean you are certifying your own honesty. Simply speaking, if walk around Mumbai or Gurgaon wearing your white hat for less than half an hour and it will become dirty ... lo and behold you are a gray hat. And, if you accidentally bump your car or cycle into someone you will morph into a black hat :)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">Earlier I have been thinking about individuals because you do not mistrust security majors. And then this happens.... </span><br />
<blockquote class="tr_bq">
<span style="font-family: Verdana, sans-serif;">Trustwave admits issuing man-in-the-middle digital certificate; Mozilla debates punishmenthttp://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment</span></blockquote>
<span style="font-family: Verdana, sans-serif;">The evolution of the internet, technology and mankind are a fact. Also that concepts of privacy, democracy, freedom, human rights, commerce, economics, crime, war et al are being re-written. Symantec keeps quiet for five years after being hacked, the Arab spring helped overthrow despots, wikileaks has shaken the most powerful nation so badly that they want to get to him anyhow, state or non-state players are not distinguishable.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">So who can we trust ? And how is trust proven ? Can the company we trust trust the thousands of persons who contributed to the millions of lines of code or that small widget that was embedded in my cellphone, or pacemaker !</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">Sinister thoughts in a dark world where we are all walking blind and talk like we know it all. I mean I feel clueless / helpless and what-have-you when I read about Symantec, RSA, Microsoft, Verisign, Diginotar (the CA that was hacked),SONY, Heartland, TJ Max, Citibank etc etc - and other bastions of security that were felled.</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">Then you read about the suspicion that malware or spyware is embedded in hardware coming out of China, or that Apple and others installed tracking software from Carrier IQ. </span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span><br />
<span style="font-family: Verdana, sans-serif;">What is ethical, what is not; where do we draw the line. In a zillion lines of code how does anyone know if there is that one line that is keeping tabs on you (and maybe the developer company does not know about it too).</span><br />
<br />
</div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-33139121914460752102012-01-16T10:46:00.001-05:002012-05-19T20:24:46.762-04:00Data – The Ultimate Asset<div dir="ltr" style="text-align: left;" trbidi="on">
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">Traditionally, business has looked at land, plant, building, machinery as assets that need to be protected and security thoughts have focused on fortification of the perimeter surrounding the assets. Business was about manufacturing, trading, services and then came the technology age... and life changed. Or did it ?</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br /></span><br />
<br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">Unfortunately, businesses transposed traditional experiences into the technology realm thinking that firewalls, anti virus solutions, IDS/IPS and server hardening will protect the perimeter and life will continue securely. Computers became assets, but not data and it has taken a long time for businesses to realize their folly. While mature organizations have taken adequately appropriate steps, a majority continue to give lip service to their data assets.</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br /></span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">And therein lies the error of judgment – it is easier to buy a new plant than to make sense of a thousand files with unstructured data. Data is the ultimate asset in the technology age and the dependency on IT systems is growing exponentially. At work we grapple with more information (data) than we can handle and one hoards relevant and irrelevant data. The data which we work on grows into multiple copies across the organization and, whether one likes it or not, dependency on data is absolute.</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br /></span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">Business organizations, or individuals, cannot survive in event of non availability or loss of data and must accept that data is their most critical asset. It is essential to enable data security and manage this asset throughout the lifecycle using technologies that enable real time proactive protection.</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br /></span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">Data security is critical for business in the manner that</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br /></span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">• Confidentiality is maintained and data is not exposed, leaked, lost, stolen or compromised</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">• Integrity of data is assured and users know that it is not tampered</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">• And it is available at all times for uninterrupted business operations</span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"><br /></span><br />
<span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;">Technologies like Security Incident and Event Management (SIEM), Data Loss Prevention (DLP), Information Rights Management (IRM) when deployed together in any organization, provide a high level of protection to the data assets and the organization has control on their assets while inside and outside their infrastructure perimeter. The SIEM will help monitor the network and alert against malicious activity, the DLP system will lock down assets from inappropriate access or transmission and the IRM system will provide the ability to remotely control document access rights.</span><br />
<br /></div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-51232971121726421072011-07-02T00:48:00.000-04:002011-07-02T00:48:21.543-04:00Forget DLP, think PLD - the Professional Loser of Data<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">DLP is the technology of choice when it comes to data protection. However in the past few months we are seeing a plethora of incidents which show the presence of antibodies in the system. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Antibodies or bacteria in an environment protected by DLP are PLD's. A PLD is a Professional Loser of Data and I am not surprised that most of the PLDs are in Government. Or in high places. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Take for instance the Adarsh scam - no sooner they started talking of big names that files started disappearing. The files in the Navy, Mantralaya, Mumbai Municipal Corp and the Environment Ministry have all been lost. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Then we had the CWG scam and saw more PLD action. At first the government supported Mr K by allowing him to continue being tje boss and let loose his PLDs. Well these PLDs did a good job and we read abouyt missing files :)</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Radia tapes and Wikileaks are great examples of big time PLDs at work. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The latest PLD operation, shockingly, or should I say expectedly, was the enabling the loss of files relating to the Gujarat riots by the Gujarat government. The PLDs did this four years back and it has come to light in an RTI application. And the Gujarat riots are still under investigation ! This just shows the professional capability of the people in power, the PLDs, who were likely to be screwed. The government cites data retention timeframe as the reason why the documents were destroyed saying all actions were taken strictly by the book. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Now, as I write about this, I wonder why the CBI did not discover the loss of documents when they were arresting Minister Shah. Or maybe one should not be surprised considering the recent incidents where they have thrown cases. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">So, as information security professionals, when we go to plug data leaks and consider insider risks we usually think about disgruntled employee or accidents. It is time to think about the bacteria, the antibody - the PLD. And remember no DLP system will be able to detect or control this guy's action.</span><br />
<br />
</div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-79036872407145141372011-05-06T15:48:00.000-04:002011-05-06T15:48:19.055-04:00Oops I got hacked... no no raped.... no no no I got HAPED !<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">In conversation with a friend we jokingly talked about the situation arising out of the hacking news and the gobbledy gook dished out as an explanation by the hackee CEO. </span><br />
<br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Having a drink later, I had an Eureka moment and conceived the theory of Haped. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Haped, my friends, is a new cyber term for being hacked - the reason why it is "haped" is because the site (or organization) has been raped. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Once haped, life is never the same. Your hidden fruit has been tasted and a million explanations will not bring back your innocence, your original configuration, your OEM feel, or your default settings... that virgin state. It's like the crack in a mirror which is always there when you are looking at yourself and you will keep telling the world how the hape did not disclose the holes . </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><b>The Theory of Hape (abridged): </b></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> Every system or technology environment is built with known or unknown holes all over waiting to be penetrated an exploited. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> After a hape, weak controls and dirty data is exposed to the world and management has to run around trying to save their reputation, jobs and more. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> Hape is inevitable if one thinks that having devices, AV and certifications means total security ! Anyone living in such a fool's paradise must be prepared with red faced excuses followed by ulcers, resignations and silly accusations aimed at all and sundry. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><b>Corollary 1: </b></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">When buying security services with an L-1 mentality you are bound to get the feeling of The Emperor's New Clothes (http://en.wikipedia.org/wiki/The_Emperor's_New_Clothes) - sooner or later you will be hapee (no pun intended).</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><b>Corollary 2</b>: </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">If haped, talk and walk straight. Jalebi (Gobbledy gook) stories drive away sympathy or help and bring ridicule. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><b>Explanations:</b></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">HAPE: a cyberworld term coined to mean a site or system that has been hacked. It is a combination of the words hacked and raped which (sort of) mean the same thing in their respective worlds. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">THE EMPEROR'S NEW CLOTHES: A story about an egoistic king believes he was wearing a robe that was invisible to the lower class whereas he wasn't wearing anything. </span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">MAJOR OR MINOR HAPE: Small incidents like a Website defacement, iframe attack, or a large scale incident like a DOS attack, data theft etc.</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">You got breached ... as bad as being forced into losing your V </span><br />
<div><br />
</div></div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-30728445463565498262011-01-13T08:24:00.000-05:002011-01-13T08:24:32.756-05:00An arrow or a bullet once fired...<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">Being a lawyer is good business and when you are hurt it does not matter what you pay your lawyer or how much you pay !</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;"><br style="outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;">I wonder how much did the lawyer tell his client beyond the FUD spiel and how can anyone think that things like arrows, bullets, emails can be recalled. How can any CEO think that a data breach can be just closed. </span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">Consider these two news items - one in India and the other across the world in California. </span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">- Ratan Tata has moved the Supreme Court asking that the Radia tapes be destroyed / recalled etc and that a restraint be put on them. It is a violation of his privacy and more. </span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">- Sony asks for restraining order over PS3 hack - which was announced in December and allows users to run pirated games etc and bypass Sony's 'technical protection measures'</span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">In both instances the litigants, with due respect, have failed to understand that any data in public domain just cannot be erased or recalled ! It is now a part of history and "history cannot be wished away".</span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">Yes the lawyers will make good money and media has good copy.Strangely media does not make any big noises about the Radia tapes and we all know why <lol>. ,To come back to the main issue - so what should these (such) people do - just avoid going to court and sit tight ? No, Any incident is a learning and such lessons prove to be very very expensive. They are expensive (maybe) because someone overlooked the small risks or did not have proper controls in place. </lol></span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;">It is a big bad world in the realm of corporate or national espionage - this is common knowledge. So, I would not expect the boss of India's largest corporate group to EVER speak on an open line. Like I do not expect the PM to have a prepaid connection ! Nor would I expect Sony to chase a chimera - it's is funny to see them ask a court to restrain someone to release a crack. How will the court enforce the order when there are multiple partners located in different countries ! And how will the court (or Sony) ascertain that there are no copies in the "wild". </span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">Like I said... good billing for the lawyers.</span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">Indian corporates have to realize that as they celebrate double digit growth figures and billion dollar M & A's it is necessary to accept the existence of current day threats and risks. </span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;">The powerful and successful move around with the feeling of invincibility or (all round) there is a general sense of complacency. Both lead to situations that one wishes never happened even in one's worst dream, </span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">Proactive risk management and security is needed like never before. We have not yet learned to tame the beast in various applications and networks that are part of our daily life. One can look forward to bigger nightmare scenarios as mobile computing, cloud and handheld devices hit us.</span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;">Jaago (Wake up !) - how many more wake up calls are needed. </span><span class="Apple-style-span" style="line-height: 16px;"><br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /></span><span class="Apple-style-span" style="line-height: 16px;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 16px;"><br style="outline-color: initial; outline-style: none; outline-width: initial;" /></span></span>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0tag:blogger.com,1999:blog-7402685039107633613.post-8072976757530361152010-10-19T10:05:00.000-04:002010-10-19T10:05:07.859-04:00The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010 - excerpt<span class="Apple-style-span" style="font-family: Arial;"><span class="Apple-style-span" style="font-family: 'Times New Roman';"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: medium;"></span><br />
<span class="Apple-style-span" style="font-family: Arial; font-size: medium;"><h2 class="research_summary" id="execSum" style="border-bottom-color: initial; border-bottom-style: initial; border-bottom-width: 0px; color: #999999; font-size: 18px; font-weight: bold; margin-bottom: 0.5em; margin-top: 0px; position: relative; text-transform: uppercase;"><span class="Apple-style-span" style="-webkit-text-decorations-in-effect: none; color: black; font-size: 15.9722px; font-weight: normal; text-transform: none;"><h1 class="research_title" style="color: #688a45; font-size: 23px; font-weight: bold; margin-bottom: 0.1em; margin-left: 0px; margin-right: 0px; margin-top: 0.3em;"><a href="http://www.forrester.com/RB/RESEARCH/WAVE%26TRADE;_INFORMATION_SECURITY_AND_RISK_CONSULTING_SERVICES,/Q/ID/56675/T/2">The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010</a></h1><div><br />
</div></span></h2><div><span class="Apple-style-span" style="color: #999999; font-size: 15.2777px; font-weight: bold; text-transform: uppercase;">EXECUTIVE SUMMARY</span></div><div class="marTopSml marBotHug" style="font-size: 18px; margin-bottom: 2em; margin-left: 0px; margin-right: 0px; margin-top: 0.25em;">In Forrester's 75-criteria evaluation of information security and risk consulting service providers, we found that Deloitte led the pack because of its maniacal customer focus and deep technical expertise. PricewaterhouseCoopers (PwC), Ernst & Young, and Accenture are market leaders due to their security expertise, breadth of services, and global reach. KPMG provides excellent strategic work and boasts great client feedback. Verizon Business has been quickly catching up to the Leaders due to its focused strategy around security services and flawless execution. Wipro now offers a viable offshore alternative, while HP and IBM have renewed their focus on security consulting services by integrating security competencies from different parts of their business into a coherent unit. BT Global Services continues to provide pragmatic risk-focused consulting services across the globe, and AT&T's recent acquisition of VeriSign's security consulting practice will make it a formidable competitor in this space. Protiviti may not have the same breadth of services, but it delivers excellent customer-focused risk- and compliance-driven services.</div><blockquote>The above is an excerpt quoted from the Forrester website. </blockquote><div class="marTopSml marBotHug" style="font-size: 18px; margin-bottom: 2em; margin-left: 0px; margin-right: 0px; margin-top: 0.25em;"><br />
</div></span><span class="Apple-style-span" style="font-family: Arial; font-size: medium;"></span><br />
<div><br />
</div>Dinesh O'Barejahttp://www.blogger.com/profile/12771818132237880934noreply@blogger.com0