Monthly Archives: December 2014

Episode #180: Open for the Holidays!

Not-so-Tiny Tim checks in with the ghost of Christmas present:

I know many of you have been sitting on Santa's lap wishing for more Command Line Kung Fu. Well, we've heard your pleas and are pushing one last Episode out before the New Year!

We come bearing a solution for a problem we've all encountered. Ever try to delete or modify a file and receive an error message that the file is in use? Of course you have! The real problem is trying to track down the user and/or process that has the file locked.

I have a solution for you on Windows, "openfiles". Well, sorta. This time of year I can't risk getting on Santa's bad side so let me add the disclaimer that it is only a partial solution. Here's what I mean, let's look for open files:

C:\> openfiles

INFO: The system global flag 'maintain objects list' needs
to be enabled to see local opened files.
See Openfiles /? for more information.


Files opened remotely via local share points:
---------------------------------------------

INFO: No shared open files found.

By default when we run this command, it gives us an error saying that we haven't enabled the feature. Wouldn't it be nice if we could simply turn it on and then look at the open files? Yes, it would be nice...but no. You have to reboot. This present is starting to look a lot like a lump of coal. So you need to know that you will encounter the problem before it happens so you can be ready for it. Bah-Humbug!

To enable "openfiles" run this command:

C:\> openfiles /local on

SUCCESS: The system global flag 'maintain objects list' is enabled.
This will take effect after the system is restarted.

...then reboot.

Of course, now that we've rebooted, the file will be unlocked, but we are prepared for next time. When it happens again we can run this command to see the results (note: if you don't specify a switch, /query is implied):

C:\> openfiles /query

Files Opened Locally:
---------------------

ID Process Name Open File (Path\executable)
===== ==================== ==================================================
8 taskhostex.exe C:\Windows\System32
224 taskhostex.exe C:\Windows\System32\en-US\taskhostex.exe.mui
296 taskhostex.exe C:\Windows\Registration\R00000000000d.clb
324 taskhostex.exe C:\Windows\System32\en-US\MsCtfMonitor.dll.mui
752 taskhostex.exe C:\Windows\System32\en-US\winmm.dll.mui
784 taskhostex.exe C:\..\Local\Microsoft\Windows\WebCache\V01tmp.log
812 taskhostex.exe C:\Windows\System32\en-US\wdmaud.drv.mui
...

Of course, this is quite a long list. You can use "find" or "findstr" to filter the results, but be aware that long file names are truncated (see ID 784). You can get the full names by changing the format with "/fo LIST". However, the file name will then be on a separate line from the owning process, and neither "find" nor "findstr" support context, so you can't filter on the path and still see which process owns it.

Another oddity is that there seem to be duplicate IDs.

C:\> openfiles /query | find "888"
888 chrome.exe C:\Windows\Fonts\consola.ttf
888 Lenovo Transition.ex C:\..\Lenovo\Lenovo Transition\Gui\yo_btn_g3.png
888 vprintproxy.exe C:\Windows\Registration\R00000000000d.clb

Different processes with different files, all with the same ID. This means that when you disconnect an open file by ID you had better be careful.

Speaking of disconnecting files, we can do just that with the /disconnect switch. We can disconnect by ID (ill-advised, given the duplicates above) with the /id switch. We can also disconnect all the files opened by a given user:

C:\> openfiles /disconnect /a jacobmarley

Or the file name:

C:\> openfiles /disconnect /op "C:\Users\tm\Desktop\wishlist.txt" /a *

Or even the directory:

C:\> openfiles /disconnect /op "C:\Users\tm\Desktop\" /a *

We can even run this against a remote system with the /s SERVERNAME option.

This command is far from perfect, but it is pretty cool.

Sadly, there is no built-in capability in PowerShell to do this same thing. With PowerShell v4 we get Get-SmbOpenFile and Close-SmbOpenFile, but they only work on files opened over the network, not on files opened locally.
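The "/fo LIST" problem described above (the path lands on a different line from its owning process, and find/findstr have no context) can be worked around by parsing that output in PowerShell, even though there is no native cmdlet for locally opened files. The following is an added example, not code from the original Episode: the function names ConvertFrom-OpenFilesList and Find-OpenFile are hypothetical, the record layout assumed is "Label: value" lines separated by blank lines, and the sample input is constructed.

```powershell
# Added example, not from the original Episode. Parses "openfiles /query /fo LIST"
# output into one object per record so a file can be matched together with the
# process that holds it. Assumption: LIST records are "Label: value" lines
# separated by blank lines; the exact label text is not relied upon.
function ConvertFrom-OpenFilesList {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin { $record = [ordered]@{} }
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) {
            # A blank line closes a record; emit it if it collected any fields.
            if ($record.Count -gt 0) {
                [pscustomobject]$record
                $record = [ordered]@{}
            }
            return
        }
        # Split on the FIRST colon only: the value may itself contain "C:\...".
        $sep = $Line.IndexOf(':')
        if ($sep -lt 1) { return }   # separator rows like "-----" carry no label
        $record[$Line.Substring(0, $sep).Trim()] = $Line.Substring($sep + 1).Trim()
    }
    end {
        if ($record.Count -gt 0) { [pscustomobject]$record }
    }
}

function Find-OpenFile {
    # Keeps records where any field matches -Pattern (a case-insensitive regex),
    # so a path fragment returns the whole record, owning process included.
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [Parameter(ValueFromPipeline = $true)][pscustomobject]$Record
    )
    process {
        $hit = $Record.PSObject.Properties | Where-Object { $_.Value -match $Pattern }
        if ($hit) { $Record }
    }
}

# Constructed sample in LIST layout. The labels mimic the tool; the values are
# made up, apart from the wishlist path used in the Episode. ID 888 is repeated
# on purpose to reproduce the duplicate-ID oddity noted above.
$sampleList = @'
Files Opened Locally:
---------------------

ID:                          888
Process Name:                chrome.exe
Open File (Path\executable): C:\Windows\Fonts\consola.ttf

ID:                          888
Process Name:                vprintproxy.exe
Open File (Path\executable): C:\Windows\Registration\R00000000000d.clb

ID:                          1492
Process Name:                notepad.exe
Open File (Path\executable): C:\Users\tm\Desktop\wishlist.txt
'@

$records = $sampleList -split "`r?`n" | ConvertFrom-OpenFilesList

# Filter on the path: one record, with its owning process on the same object.
$records | Find-OpenFile -Pattern 'wishlist\.txt' | Format-List

# Filter on the ID: two different owners, which is why /disconnect /id is risky.
$records | Find-OpenFile -Pattern '^888$' | Format-Table -AutoSize

# Live use (after "openfiles /local on" and a reboot, as described above):
# openfiles /query /fo LIST | ConvertFrom-OpenFilesList | Find-OpenFile -Pattern 'wishlist\.txt'
```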

Now it is time for Mr. Scrooge Pomeranz to ruin my day by using some really useful, built-in, and ENABLED features of Linux.

It's a Happy Holiday for Hal:

Awww, Tim got me the nicest present of all-- a super-easy Command-Line Kung Fu Episode to write!

This one's easy because Linux comes with lsof, a magical tool surely made by elves at the North Pole. I've talked about lsof in several other Episodes already, but so far I've focused more on network and process-related queries than on checking objects in the file system.

The simplest usage of lsof is checking which processes are using a single file:

# lsof /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1250 root 1w REG 8,3 13779999 3146461 /var/log/messages
abrt-dump 5293 root 4r REG 8,3 13779999 3146461 /var/log/messages

Here we've got two processes that have /var/log/messages open-- rsyslogd for writing (see the "1w" in the "FD" column, where the "w" means writing), and abrt-dump for reading ("4r", "r" for read-only).

You can use "lsof +d" to see all open files in a given directory:

# lsof +d /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1250 root 1w REG 8,3 14324534 3146461 /var/log/messages
rsyslogd 1250 root 2w REG 8,3 175427 3146036 /var/log/cron
rsyslogd 1250 root 5w REG 8,3 1644575 3146432 /var/log/maillog
rsyslogd 1250 root 6w REG 8,3 2663 3146478 /var/log/secure
abrt-dump 5293 root 4r REG 8,3 14324534 3146461 /var/log/messages

The funny thing about "lsof +d" is that it only shows you open files in the top-level directory, but not in any sub-directories. You have to use "lsof +D" for that:

# lsof +D /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1250 root 1w REG 8,3 14324534 3146461 /var/log/messages
rsyslogd 1250 root 2w REG 8,3 175427 3146036 /var/log/cron
rsyslogd 1250 root 5w REG 8,3 1644575 3146432 /var/log/maillog
rsyslogd 1250 root 6w REG 8,3 2663 3146478 /var/log/secure
httpd 3081 apache 2w REG 8,3 586 3146430 /var/log/httpd/error_log
httpd 3081 apache 14w REG 8,3 0 3147331 /var/log/httpd/access_log
...

Unix-like operating systems track open files on a per-partition basis. This leads to an interesting corner-case with lsof: if you run lsof on a partition boundary, you get a list of all open files under that partition:

# lsof /
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 8,3 4096 2 /
init 1 root rtd DIR 8,3 4096 2 /
init 1 root txt REG 8,3 150352 12845094 /sbin/init
init 1 root DEL REG 8,3 7340061 /lib64/libnss_files-2.12.so
init 1 root DEL REG 8,3 7340104 /lib64/libc-2.12.so
...
# lsof / | wc -l
3500

Unlike Windows, Linux doesn't really have a notion of disconnecting processes from individual files. If you want a process to release a file, you kill the process. lsof has a "-t" flag for terse output. In this mode, it only outputs the PIDs of the matching processes. This was designed to allow you to easily substitute the output of lsof as the arguments to the kill command. Here's the little trick I showed back in Episode 22 for forcibly unmounting a file system:

# umount /home
umount: /home: device is busy
# kill $(lsof -t /home)
# umount /home

Here we're exploiting the fact that /home is a partition mount point so lsof will list all processes with files open anywhere in the file system. Kill all those processes and Santa might leave coal in your stocking next year, but you'll be able to unmount the file system!

i/o

Wow, it's been a while since I've written anything new here...
So, to answer many questions: no, I'm not dead, and I will try to get a bit more active again next year.

I'm not writing this because of requests for an explanation or because people were worried (even if I was solicited many times to write something), but more because I'm motivated to write again.
As I've said many times in reply to the recurring e-mails I receive and continue to receive (even after 7 months of inactivity!),
I've made a lot of changes in my life, and during this time I had better things to do than write in a blog.
Principally, I had many personal issues to resolve.
It's also not the first time I've repeated that I have a life and that I've always run this blog for fun and not for profit, like my other services such as cybercrime-tracker.net.
And sooner or later I will get bored and take a break, although I've continued to update CCT so as not to leave people with nothing.


I also changed jobs and shifted to the energy sector.
I wanted a job that combines my passion for mechanics and electronics.
And now I'm winding turbo-alternators for nuclear/hydraulic power plants around the world and for governmental organisations. (Pretty cool, huh?)
Obviously I can't tell you details, due to confidentiality clauses, as it's critical work, but building those huge machines/projects is quite awesome and the job is very meticulous.

I've also joined the administration of my local hackerspace, and now hold the position of treasurer.
I'm also doing various workshops, mostly electronics/borderline related, which take me time to prepare and organize.
In parallel I also experiment a lot myself; those who follow my youtube/twitter activity probably know what I mean: 2 days ago I received hydrofluoric acid.

2014 started a bit badly for me, as I had a car crash on Christmas Day and broke my clavicle. Anyway, overall it was a nice year, and outside my blog I've met a lot of people like Horgh and many others.
Sadly I wasn't able to go to BotConf or DahuCon this year due to my job... so maybe next year!

I've also worked a bit with Hackerstrip and recently released some code for DarK-CodeZ #6; nothing fancy, but it was fun to participate, thanks guys.
So that's all, see you in 2015 for throwing cobblestones and breaking bones!

Have the Snowden revelations changed your attitudes about privacy?

It’s been well over a year since the first revelations from former National Security Agency contractor Edward Snowden became public.

Though President Obama has called for reforms in his government’s mass surveillance policies, the one significant attempt to reform U.S. laws and end “bulk collection” of data, the USA Freedom Act, failed in November. And many privacy advocates warned that even that bill was far too limited to do much good or excite the public. With the PATRIOT Act, the law passed in the immediate aftermath of 9/11, up for renewal in 2015, a larger debate about the tactics embraced by the NSA over the last decade and a half may be coming.

But for now, all that has changed is that we are slightly more informed about how governments may be spying on us.


Will we just give in to an “aquarium” life and a perverse definition of “privacy”? Watch our Mikko Hypponen’s latest talk “The Internet is On Fire” and see if you’re ready to grab the microphone.

How have the Snowden revelations changed your views about privacy?

[Image by Josh Hallett via Flickr]

When the Press Aids the Enemy

Let's start with this: freedom of the press is a critical part of any free society, and more importantly, of a democratically governed society.

But that being said, I can't help but think there are times when the actions of the media aid the enemy. This is a touchy subject so I'll keep it concise and just make a few points that stick in my mind.

First, it's pretty hard to argue that the media doesn't look for ever-more sensational headlines, truth be damned, to get clicks and drive traffic to their publication. Whether it's digital or actual ink-on-paper, sensationalism sells; there's no arguing with that.

What troubles me is that, as in the war on terrorism, the enemy succeeds in their mission when the media creates hysteria and fear. This much should be clear. The media tend to feed into this pretty regularly, and we see this in some of the most sensational headlines from stories that should be told in fact, not fantasy.


So when I came across this article on Buzzfeed called "The Messy Media Ethics Behind the Sony Hacks" it suddenly hit me - the media may very well be playing perfectly into the enemy's hands. The "Guardians of Peace" (GOP), in their quest to ruin Sony Pictures Entertainment, have stolen an unfathomable amount of information. As Steve Ragan, who has written repeatedly about this and many other breaches, tweeted, that's 200Gb or 287,000 documents. That's mind-blowing.

This cache of data has proven to be yet-unreleased movies, marketing presentations, email exchanges between executives and attorneys, financial plans, employees' medical records and so much more. The GOP have made it clear their aim is to "punish" Sony Pictures Entertainment - and while we don't really have an insight as to the true motivations here, I think it's clear that releasing all this data is meant to severely negatively impact the business.

What has followed in the days since the announcement of the hack is a never-ending stream of "news" articles that I struggle to understand. There were articles like this one providing commentary and analysis on internal marketing department presentations. There were articles analyzing the internal and privileged (as far as I know, but I'm not a lawyer) communications between corporate legal counsel and Sony Pictures executives. There were articles talking about the release of SPE employee medical records. The hit-parade goes on and on... and I'm not linking over to any more of the trash because it embarrasses me.

Clearly, clearly, the mainstream media (and hell even the not-so-mainstream) have long lost their ethics. Some would claim that it's the "freedom of the press" that allows them to re-publish and discuss sensitive, internal documents. Others argue that since it's already in the public domain (available on BitTorrent) then it's fair game. Note: This was discussed during the Snowden release - and it was clear that classified information released to the public domain does not suddenly lose its classified status. I'm fairly certain this easily applies to the not-national-security type of assets as well. To be honest, this argument makes me question the intellectual integrity of some of the people who make it.

Anyway, back to my point. If the GOP wanted to destroy Sony Pictures Entertainment then hacking in and releasing secret information and intellectual property was only half the battle. The second half, unfortunately, is being picked up and executed by the media, bloggers, and talking heads putting out "analysis" on all this data. Publishing links to the hacked data, analyzing its contents, and looking for further embarrassing and ugly things to publish- the media should be ashamed of itself.

The hack alone wasn't going to damage SPE's image to where it has fallen now - the media is clearly complicit in this and it's a shame. I'm not an attorney, so I question whether publishing and discussing confidential communications between an attorney and an executive is ethical. Forget that, is it even legal? Journalists and bloggers continue to hide behind "freedom of the press", and some folks have even taken to blasting me for daring to question the absolute rights of the press. Except - the freedom of the press isn't absolute, as far as I know.

But whether or not it's legal, clearly there are ethical problems here. If you're in the media and you're poring over the confidential email communications stolen from Sony Pictures Entertainment systems, I emphasize stolen, and you're commenting on this - to what end? Arguing that the media is releasing this information because (a) it's already in the public domain and (b) it's "for the public good" is ludicrous.

Remember, while you're reveling in someone else's misery, that you too may be a coincidental victim one day. Then it'll be your turn to have your private information released and analyzed and attacked as part of the next breach. Your recourse? None... Glass houses, journalists. Glass houses.

Sony Pictures – Lessons From a Real Worst-Case Scenario

There is a lot of junk floating around on the Internet and in the media regarding the Sony Pictures breach. Who did it? What were the motives? These are all being violently discussed in the Twitter-sphere and elsewhere, and if you happen to read the articles and blogs being churned out by the media your head is probably spinning right now.
While I don't think we (the public) generally know enough to be able to talk about the breach with any certainty yet - and perhaps we never will - there is a critical point here which I think is being missed.

What is the lesson the public should take away from the breach, and subsequent consequences?

While nearly everyone has focused on the circus surrounding the breach itself - including the celebrity dirty laundry going public, unreleased movies being leaked to BitTorrent download sites, and the truckload of everything you never want to get out that's been dumped to the Internet - there is very little focus being given to the thing (or things) that we should all be taking away from this breach.

By now everyone should agree breaches are inevitable, and continuing to pour money into the black hole that is prevention is ridiculous. Let me be clear, I'm not saying to spend nothing on prevention, I'm simply pointing out the continuing folly of pouring ever more money and resources into prevention which we know will fail. So this can't be the lesson.

We all also know that segmentation of duties, data and processes should be a key point in every security program. We've been learning this lesson for almost 20 years now - and I can't help but feel that this push to an even faster delivery of IT services has made segmentation and segregation a near impossibility in many large enterprises. I've watched CISOs try to leverage tools, network architectures, system re-designs and even cloud services -- much in vain as the result is data, processes and duties of all levels of risk end up in a big free-for-all. So, again, this isn't the lesson to learn.

Should the lesson be that we must not poke the bear? I mean, let's face it, if you look at this objectively outside the limited American viewpoint - Sony Pictures did antagonize North Korea quite a bit. Then again, recent information made public by the Federal Bureau of Investigation (FBI) has indicated that North Korea was in fact not the perpetrator of this breach. So maybe poking the bear isn't the problem, and anyway this is a lesson we as humans should learn in kindergarten, not in the corporate world.

So if you're still reading then, like me, you may be searching for a "so what?" moment. And to be honest, I am struggling to provide one. So maybe it's not one thing that we need to learn but a much bigger set of things together. Maybe it's a lesson in humility, communications, planning, execution, operational efficiency, and crisis response all rolled into a heaping pile pushed down the hill and lit on fire. Maybe the bigger lesson we need to learn is that it's not one thing that we need to get right - but rather all of them have to just work well together, and be planned, practiced and tuned.

I seriously doubt anyone out there is planning and practicing for the kind of disaster Sony Pictures is facing right now. If every single piece of intellectual and secret property (including employee records, confidential communications, financials of all kinds, and more) you have was made public - where would you start to recover? Getting your IT systems back online is a good start, but that doesn't mean you can recover your business when your employees, partners, vendors, and customers are banging on your door demanding answers and action.

Maybe that's it then, maybe the lesson is that you can't always package up a lesson learned neatly with a bow based on someone's catastrophic incident. I think it's clear we all can be set ablaze in this manner. If it's not, then it should be. So the question I pose to you is this - what's your take-away from the Sony Pictures catastrophe?

As a side note, many people and articles have taken to calling this an "unprecedented" breach. I am inclined to agree, but not for the technical reasons that are being rattled off. It's not because the method of attack was novel, or that there was likely an insider, or even the quantity and quality of the assets that were stolen - or heck, even that everything is being made public in an embarrassment to the company. No, I think this is unprecedented because we're seeing company executives apologizing to political leaders, civil rights activists fanning race-war flames with some of the email content published, and as one article put it, "Sony is a pariah in Hollywood" right now. Folks - that's not good. This is a meltdown of a brutal nature, the likes of which I don't believe we've seen before. This is a PR catastrophe.

As always, I'm interested in your thoughts... leave a comment, or hit me on Twitter.

A Breakdown and Analysis of the December, 2014 Sony Hack

Another incredibly far-reaching in-depth compromise of Sony Pictures has happened, this time by a group known as the Guardians of Peace (GOP). The new compromise has all of the excitement of the old events and more, as blaming North Korea for the attack in retaliation to a movie being released by Sony Pictures is all the rage. Risk Based Security has been keeping an updated timeline of the breach, analyzing the leaked documents, and providing links to additional information.

If you are looking for a comprehensive resource on the Sony Hack then please visit the following page:
https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/

F-Secure Wins Golden Cloud Trophy for Cloud Strategy

We’re proud to announce that our cloud has been officially recognized as golden!

F-Secure recently took part in a business-to-business cloud conference named Partner VIP in France, where companies such as manufacturers, distributors, integrators and service companies meet to intensify their business relationships. The yearly conference features an innovation contest, the Golden Cloud Awards, which recognize innovative players in the cloud business.

F-Secure presented our flagship business solution, Protection Service for Business, as well as our hot privacy and security solution, Freedome, as business tools for data protection. And with those, we took away the Golden Cloud Trophy for Best Cloud Strategy! This particular award is given to a company whose corporate strategy is recognized as successful in the cloud world.

For us, it’s an honor to provide businesses around the world security from the cloud via PSB and Freedome through our global network of reseller partners. And the Best Cloud Strategy award is just more confirmation that we’re doing the right thing.

Not a business? The same cloud-based security is available for consumers too. You can use Freedome to protect your privacy and become untrackably invisible. And to experience the best in cloud protection for all your computers and mobile devices, check out F-Secure SAFE.

 

Banner image courtesy of Robert S. Donovan, flickr.com

Facebook’s new terms, is the sky falling?

You have seen them if you are on Facebook, and perhaps even posted one yourself. I’m talking about the statements that aim to defuse Facebook’s new terms of service, which are claimed to take away copyright to stuff you post. To summarize it shortly, the virally spreading disclaimer is meaningless from a legal point of view and contains several fundamental errors. But I think it is very good that people are becoming aware of their intellectual property rights and that new terms may be a threat.

Terms of service? That stuff in legalese that most people just click away when starting to use a new service or app. What is it really about and could it be important? Let’s list some basic points about them.

  • The terms of service or EULA (End User License Agreement) is a legally binding agreement between the service provider and the user. It’s basically a contract. Users typically agree to the contract by clicking a button or simply by using the service.
  • These terms are dictated by the provider of the service and not negotiable. This is quite natural for services with a large number of users, negotiating individual contracts would not be feasible.
  • Terms of service is a defensive tool for companies. One of their primary goals is to protect against lawsuits.
  • These terms are dictated by one party and almost never read by the other. Needless to say, this may result in terms that are quite unfavorable for us users. This was demonstrated in London a while ago. No, we have not collected any children yet.
  • Another bad thing for us users is the lack of competition. There are many social networks, but only one Facebook. Opting out of the terms means quitting, and going to another service is not really an option if all your friends are on Facebook. Social media is by its nature monopolizing.
  • The upside is that terms of service can’t change the law. The legislation provides a framework of consumer and privacy protection that can’t be broken with an agreement. Unreasonable terms, like paying with your firstborn child, are moot.
  • But be aware that the law of your own country may not be applicable if the service is run from another country.
  • Also be aware that these terms only affect your relationship to the provider of the service. Intelligence performed by authorities is a totally different thing and may break privacy promises given by the company, especially for services located in the US.
  • The terms usually include a clause that grants the provider a license to do certain things with the stuff users upload. There’s a legitimate reason for this, as the provider needs to copy the data between servers and publish it in the agreed way. This Facebook debacle is really about the extent of these clauses.

Ok, so what about Facebook’s new terms of service? Facebook claim they want to clarify the terms and make them easier to understand, which really isn’t the full story. They have all the time been pretty intrusive regarding both privacy and intellectual property rights to your content, and the latest change is just one step on that path. Most of the recent stir is about people fearing that their photos etc. will be sold or utilized commercially in some other way. This is no doubt a valid concern with the new terms. Let’s first take a look at the importance of user content for Facebook. Many services, like newspapers, rely on user-provided content to an increasing extent. But Facebook is probably the ultimate example. All the content you see in Facebook is provided either by the users or by advertisers. None by Facebook itself. And their revenue is almost 8 billion US$ without creating any content themselves. Needless to say, the rights to use our content is important for them. What Facebook is doing now is ensuring that they have a solid legal base to build current and future business models on.

But another thing of paramount importance to Facebook is the users’ trust. This trust would be severely damaged if private photos started appearing in public advertisements. It would cause a significant change in people’s relationship with Facebook and decrease the volume of shared stuff, which is what Facebook lives on. This is why I am ready to believe Facebook when they promise to honor our privacy settings when utilizing user data.

Let’s debunk two myths that are spread in the disclaimer. Facebook is *not* taking away the copyright to your stuff. Copyright is like ownership. What they do, and have done previously too, is create a license that grants them rights to do certain things with your stuff. But you still own your data. The other myth is that a statement posted by users would have some kind of legal significance. No, it doesn’t. The terms of service are designed to be approved by using the service; anyone can opt to stop using Facebook and thus not be bound by the terms anymore. But the viral statements are just one-sided declarations that are in conflict with the mutually agreed contract.

I’m not going to dig deeper into the changes as it would make this post long and boring. Instead I just link to an article with more info. But let’s share some numbers underlining why it is futile for ordinary mortals to even try to keep up with the terms. I browsed through Facebook’s set of terms just to find 10 different documents containing some kind of terms. And that’s just the stuff for ordinary users; I left out terms for advertisers, developers etc. Transferring the text from all these into MS Word gave 41 pages with a 10pt font, almost 18 000 words and about 108 000 characters. Quite a read! But the worst of all is that there’s no indication of which parts have changed. Is anyone still surprised by the fact that users don’t read the terms?

So it’s obvious that ordinary users really can’t keep up with terms like this. The most feasible way to deal with Facebook’s terms of service is to consider these 3 strategies and pick the one that suits you best.

  1. Keep using Facebook and don’t worry about how they make money with your data.
  2. Keep using Facebook but be mindful about what you upload. Use other services for content that might be valuable, like good photos or very private info.
  3. Quit Facebook. That’s really the only way to decline their terms of service.

By the way, my strategy is number 2 in the above list, as I have explained in a previous post. That’s like ignoring the terms, expecting the worst possible treatment of your data and posting selectively with that in mind. One can always put valuable stuff on some other service and post a link in Facebook.

So posting the viral disclaimer is futile, but I disagree with those who say it’s bad and it shouldn’t be done. It lacks legal significance but is an excellent way to raise awareness. Part of the problem with unbalanced terms is that nobody cares about them. A higher level of awareness will make people think before posting, put some pressure on providers to make the terms more balanced, and make the legislators more active, thus improving the legal framework that controls these services. The legislation is by the way our most important line of defense, as it is created by a more neutral party. The legislator should, at least in theory, balance the companies’ and end users’ interests in a fair way.

 

Safe surfing,
Micke

 

Image: Screenshot from facebook.com

Is Bigger Budget an Adequate Measure of Security Efficacy?

Bigger budgets - the envy of security professionals and the scourge of CISOs the world over. While we'd all like bigger budgets to make security better within our organizations, getting more money to spend isn't necessarily a harbinger of goodness to come.

Earlier a fantastic conversation broke out on Twitter, where else, and it started with this tweet from Tony Vargas retweeted by Adrian Sanabria:



The conversation got a little snarky about how throwing money at a problem clearly doesn't indicate that it'll get any more attention or be any closer to being solved. I then made a comment about the American budget and how spending more isn't really helping there - OK that's a stretch but the parallels are clear, I think.

Stephen Coplan made an interesting point which I've seen made many, many times - but I believe it to be false:
*point of clarification - Stephen pointed out that he's not implying more money equals more efficacy, and I don't intend to represent his comments as such.

I personally do not believe a bigger budget means anything specifically, so to equate higher budget with more relevance- I believe that to be false. I have personally witnessed first-hand how organizations take budget increases to spend wildly on necessary widgets, and then fail to operationalize. Security isn't about spending more, it never has been. In fact, the rapid increase in spending generally means that something went publicly wrong and the budget-holders are trying to make a public display of their sensitivity to fix the issues. Unfortunately all too often these are simply that - public displays with little follow-through.

I believe that rather than focus on how much more money an organization spends as a measure of its seriousness in addressing security issues, we should be focusing on resources. You see, resources are inclusive of everything necessary, including the critical people aspect as well as the widgets and gadgets that come in 1U rack-mountable formats to address the issues. Better security comes from better training of existing resources, more executive backing, better communications, and more operational support. Better security comes from a shift in culture, and a willingness by security professionals to reach out to the business side and align better to goals and needs, and the business folks making a concerted and serious effort to understand that security issues and breaches aren't just web site defacements anymore.

Security (or rather the criminal aspect of the game) is big business with highly industrialized and specialized trades and vertical markets. Addressing security as a technology problem will lead to more breaches, more lost revenue, productivity, shareholder value and trade secrets to name a few of the obvious. Security isn't a "their problem" anymore, in fact it never has been.

If you're at all paying attention to the absolute worst-case scenario that Sony Pictures is living through right now (Steve Ragan at CSO is churning out an excellent series on the matter, I highly recommend you give it a read) you are becoming painfully aware that we're past business disruption, web site defacements and DDoS. We're into business destruction of the kind that has the potential to cost a company hundreds of millions of dollars not just today, but for years to come.

What will it take for companies to take security seriously, and how will we measure that jump? I don't think the upward delta in budget size is the only indicator here. I believe we need to look at the overall resource allocation to understand whether security is being addressed as a cultural issue in the company, or whether we're just given more capital to buy shiny widgets with.

In the end, Casey John Ellis had the tweet that made our point eloquently. I think he said it best when it comes to the ability to "buy more stuff" for CISOs, in relation to that making a positive program-level impact on the organization-


...and this, my friends, about sums up my feelings on the matter.

AVbytes Multirogue 2015

This Chameleon fake Antivirus is looking for the OS version (XP, Vista, Seven) and changes its name and skin: AVbytes Win 7 Antivirus 2015, AVbytes Win 8 Antivirus 2015, AVbytes Vista Antivirus 2015, (...). It detects fake infections and displays alert messages to scare users. It belongs to the Braviax/FakeRean family.

What is money?

We all try to save it, but sometimes we spend too much. We need it to get by, but we all agree that it’s not needed for the most important things in life. It’s one of those things that if we ask ten people what it really is, we can expect at least eleven answers, if not forty. Money Changes Everything. Money Can’t Buy Me Love. Money, That’s What I Want.

Now I am pretty old. In fact, my sixtieth birthday is this week. (I know, I don’t look that old, and thank you!) and I think of money as paper notes and coins. I have been fortunate enough to have traveled all over the world and I keep a little bit of money from every place I visit. I have boxes of foreign coins and bills, enough that should I ever go back to a place, I have at least cab fare in my pocket. But that’s not the real reason that I keep all that money on hand. Money, you see, is magic. Take out a dollar (or pound or Euro or Kroner or Ringgit or whatever) and look at it. I see pictures of legendary heroes (in my case, George Washington or Abraham Lincoln) and various magical symbols, totems etc. (Eagles, stars, pyramids with eyes, what have you) Those are there as cultural icons to help inspire faith in the money.

If enough people stop believing in money, it can become worth nothing overnight. This has happened many times in history, and, in fact, for most of human history there was no money at all. There are many people alive today who rarely use money for the things they do every day. Money is an intermediary medium; a token that we use to exchange for goods and services. We are so used to it that we don’t think there is any other way for us to do business, and yet, it is only one way and only useful in a society that is based on its existence. Inside your family, for example, you have assigned duties and get an expected return. Sometimes this includes the distribution of money, and sometimes it is all just goods and services. Mow the lawn, and get lunch, or a ride to the beach, or whatever.

There are all kinds of money. I live in the USA, and we have money based on something called the FEDERAL RESERVE SYSTEM. This is so complicated that I am sure nobody has ever really figured it out. (This is a joke, please don’t offer to explain it to me.) Recently, people have suggested that there should be monies with no relation to a government of any kind, and we see the rise of cryptocurrencies, the most well known of which is BITCOIN. But the point I am trying to make is really beyond all of this argument. Money is a medium of exchange, but the real point is this: money is information.

MONEY IS INFORMATION

Only a few percent of the dollars in circulation are ever printed or minted. The rest exist only as units of information. Once upon a time those units were ink on a ledger, the records of debts and exchanges in a bank or an exchequer or a depository or whatever you called it (the magical temple of finance), but nowadays the money only exists where it can be found in a computer.

All the money in the world is only money in a computer.

You might have a checkbook or savings passbook that is a record of what you own. You might actually have a trust deed that says you own a house, or a pink slip (here in the US) that means you own a car, but let’s get serious: if that piece of paper does not agree with the computer, guess who wins?

This is one of the best reasons that we are taking so much care to protect not only your computer, but your accounts, your sessions, your passwords, your data, and your privacy. You need to use these tools in the world with confidence. This is only one of the reasons why.

We help to protect the magic.

Happy Cyber Monday from David Perry and all of us here at F-Secure.

[Image courtesy of epSos.de]

When Your Marquee Client Gets Hacked

There are people who will tell you that all PR is good PR. In my years in security I have seen both sides of that debate hold true. Lately though, particularly for security companies who are selling into the enterprise, this may be a double-edged sword that cuts deep.

Look at any reputable (and some not-so-much) security vendor's website and you'll notice there's always a page that gives you all the different logos of the companies who use their products. Most times the vendor pays dearly for that either through deep discounts, or some other concessions just to be able to use the reference. Generally this works to the vendor's advantage because seeing Vendor X used by your peers means that perhaps it's a good idea to give them a look.

Except, maybe, when those peers are getting hammered for being a data breach victim.


This has happened a few times recently with vendors touting big names as marquee clients- then the marquee client suffers a massive data breach. Interestingly enough, some sales people still use the fact that the client had the product running in their environment to push the sales agenda, but I don't think this is the approach they want.

Think about it.

Your big client gets hit while they're being hailed as using your product or service. Are you sure you want to claim victory? Most of these aren't little incidents, but rather the kinds of breaches that make lawyers cry.

There are two ways this presents itself-

First, your product or service supports either the defense, detection, response or recovery from the attack and subsequent breach. This bodes well, generally. If the organization made the investment in your product or service and you helped them decrease the amount of pain they and their customers have to go through - you win.

Second, your product was a bystander - neither helping nor hurting. This is where things get a little sketchy. Maybe you were sold the "SQL Injection Prevent-o-Matic" but your big e-commerce site was thoroughly ransacked using SQL Injection. There are two sub-plots that you can follow...

If your product or service could have prevented, detected, or helped respond to or recover from the attack, but no one operationalized your product or service, you're in trouble.

Alternatively, if your product or service completely missed the attack and didn't provide value - you're in trouble.

I've watched companies present marquee customers all the time with little regard for what that means to their corporate brand. "This company just got hacked, true, but our product was right there telling them that they were getting hacked! If only they listened to our amazing product!" is perhaps the worst marketing pitch, ever. You know why? Because you're demonstrating that even though your product could do amazing things for your clients, your failure to teach your clients how to operationalize and be effective with your product at best makes the whole thing a bad investment. At the very worst, it makes your product or service crap.

This is why I marvel when I hear that claim made - "They bought our stuff, if only they had used it properly...". It makes me crazy because you're taking a backhanded swipe at your client all while making a clear statement that you were part of the failure.

Folks, security kit isn't magic. You don't claim victory by having it dropped off at your dock, or even having it in-line and blinking in your racks. Heck, you don't even get credit if the console is up on someone's screen. Only when it's fully operationalized do you get to claim credit, in a positive way.

Repeat after me - fully operationalized is how we claim success. I can't stress this enough. It's baffling that vendor and enterprise alike aren't fully getting this in wide adoption. Owning a Formula 1 car doesn't make a winning Formula 1 team. A good pit crew, managers, lots of practice, operational mechanics, management, a driver and good telemetry are just the start of it. Once you get all of the parts together you have to work out bugs until the whole thing is near-perfect. Then you push harder. That's how you operationalize security - otherwise you've failed.

Was the past better than now?

Here we go again — another article arguing whether the past was better or not (this one says “better”). These articles are tiresome, rehashing the debate whether technology is enabling or isolating and dehumanizing. But I’m interested in a different line of technology criticism: which parts of technology are a regression and what to do about that.

From the first stone tools, technology has both reflected us and changed us. When we became farmers, we became less portable and vulnerable to robbers, and it was possible to measure capital for the first time via a land’s quality and location.

When evaluating today’s technology, I think it’s important to keep a flexible point of view and not be limited by a linear view of history. For example, what would digital cash look like today if we had adopted a 10-year land ownership rotation back then? A linear progression from good to bad (or bad to good) ignores a more nuanced view that focuses on the good and the bad, leading to an understanding of what we can do about it.

Even though I work with developing new technology every day, I’m reticent to adopt it until I have time or motivation to review it thoroughly. There are two main reasons:

  1. Advances in technology often come with critical regressions
  2. What you use changes yourself, your way of thinking, and what you believe to be possible

The microwave oven was a huge advance in heating speed, but you lost the key aspect of temperature control. It is still difficult to find one that allows you to heat food to a particular temperature. Instead, you have to guess at the combination of watts and time. Software is even more plastic. You can be using code written by a 20-year-old Javascript newbie for reviewing the intricacies of your personal genome. Calling this entire technology a step forward or back is much too simplistic, and it lets said programmer off the hook for not knowing their own history.

Computer history should be a mandatory part of the curriculum. I don’t mean dry facts like the date the transistor was invented or which CPU first implemented pipelining. I mean criticism of historical choices in software or system design, and an analysis of how they could have been done differently.

Here are some example topics to get you started:

  1. Compare the Mac OS X sandboxing architecture to the Rainbow Series. Which is more usable? Compare and contrast the feature sets of each. Create an alternate history where modern Unix systems had thrown out UIDs and built on a data-centric privilege model.
  2. In terms of installation and removal, how do users expect iOS and Android devices to treat mobile apps? How does this compare to Windows programs or Linux packages? What are the potential side effects (in terms of system or filesystem changes, network activity, etc.) of installing a program? Running it? Removing it?
  3. Some developers have advocated “curl | sh” as an acceptable installation method as a replacement for native packages. They argue that there is no loss of security compared to downloading and installing a native package from an uncertain origin. Compare the functionality and risks of “curl | sh” to both a common package system (e.g., Debian dpkg) and an innovative system (e.g., Solaris IPS), focusing on operations like installing a package for the first time, upgrading it, installing programs with conflicting dependencies, etc. What is truly being lost, if anything?
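One concrete thing that is lost with “curl | sh” is the verify-before-execute step that a package system performs for you: dpkg-style tooling checks a signature or digest over the complete artifact before anything runs, whereas a piped script executes line by line as it arrives, including a truncated or tampered stream. The following added example is not from the original post or any project it mentions; it shows the minimal defensive replacement, “download to a file, check its digest against a value pinned from an out-of-band source, then run”. The installer script and the expected digest are constructed locally so it runs offline; in practice the pinned digest (or better, a signature) comes from the vendor’s signed release notes, not from the same server that serves the script.

```shell
#!/bin/sh
# Added example (not from the original post): download-verify-run as the
# safer alternative to `curl URL | sh`. Everything here is constructed
# locally so the script runs offline; the pinned digest would normally be
# copied from an out-of-band source such as signed release notes.

sha256_of() {
  # Portable hex digest: coreutils sha256sum on Linux, shasum on macOS/BSD.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verified_run FILE EXPECTED_SHA256
# Executes FILE with sh only when its digest matches EXPECTED_SHA256.
# Returns 1 without running anything on a mismatch, which is exactly the
# case a truncated download or a modified script would produce.
verified_run() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: digest $actual does not match pinned $expected" >&2
    return 1
  fi
  sh "$file"
}

# Demonstration with a constructed installer script. The first call runs
# because the digest was pinned from the intact file; the second is refused
# because the pinned value (a placeholder here) no longer matches.
demo() {
  tmp=$(mktemp -d)
  printf 'echo "installer ran"\n' > "$tmp/install.sh"
  pinned=$(sha256_of "$tmp/install.sh")
  verified_run "$tmp/install.sh" "$pinned"
  verified_run "$tmp/install.sh" "0000000000000000000000000000000000000000000000000000000000000000" || true
  rm -rf "$tmp"
}

demo
```

The digest check only tells you that the file you have is the file the vendor said you would get; it does not tell you what the script does, which is why the comparison in the essay topic above against a package system (declared files, declared dependencies, a removal path) is the more interesting one.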

Good design and engineering involves knowing what has come before, so we can move forward with as little loss as possible. Engineers should learn more about what has come before to avoid repeating the mistakes of the past. The past wasn’t better than the present, but ignoring it makes us all worse off than we could have been.