Daily Archives: July 12, 2018

Your IoT security concerns are stupid

Lots of government people are focused on IoT security, such as this bill or this recent effort. They are usually wrong. It's a typical cybersecurity policy effort which knows the answer without paying attention to the question. Government efforts focus on vulns and patching, ignoring more important issues.


Patching has little to do with IoT security. For one thing, consumers will not patch vulns, because unlike your phone/laptop computer which is all "in your face", IoT devices, once installed, are quickly forgotten. For another thing, the average lifespan of a device on your network is at least twice the duration of support from the vendor making patches available.

Naive solutions to the manual patching problem, like forcing autoupdates from vendors, increase rather than decrease the danger. Manual patches that don't get applied cause a small, but manageable constant hacking problem. Automatic patching causes rarer, but more catastrophic events when hackers hack the vendor and push out a bad patch. People are afraid of Mirai, a comparatively minor event that led to a quick cleansing of vulnerable devices from the Internet. They should be more afraid of notPetya, the most catastrophic event yet on the Internet that was launched by subverting an automated patch of accounting software.

Vulns aren't even the problem. Mirai didn't happen because of accidental bugs, but because of conscious design decisions. Security cameras have the unique requirements of being exposed to the Internet and needing a remote factory reset, and that is what led to the worm. While notPetya did exploit a Microsoft vuln, its primary vector of spreading (after the subverted update) was misconfigured Windows networking, not that vuln. In other words, while Mirai and notPetya are the most important events people cite in support of their vuln/patching policy, neither was really about vulns or patching.

Such technical analysis of events like Mirai and notPetya is ignored. Policymakers cherry-pick only the superficial conclusions that support their goals. They assiduously ignore in-depth analysis of such things because it inevitably fails to support their positions, or directly contradicts them.

IoT security is going to be solved regardless of what government does. All this policy talk is premised on things being static unless government takes action. This is wrong. Government is still waffling on its response to Mirai, but the market quickly adapted. Those off-brand, poorly engineered security cameras you buy for $19 from Amazon.com, shipped directly from Shenzhen, now look very different from the ones used in Mirai, having far less Internet exposure. Major Internet sites like Twitter now use multiple DNS providers so that a DDoS attack on one won't take down their services.

In addition, technology is fundamentally changing. Mirai attacked IPv4 addresses outside the firewall. The 100-billion IoT devices going on the network in the next decade will not work this way, cannot work this way, because there are only 4-billion IPv4 addresses. Instead, they'll be behind NATs or accessed via IPv6, both of which prevent Mirai-style worms from functioning. Your fridge and toaster won't connect via your home WiFi anyway, but via a 5G chip unrelated to your home.

Lastly, focusing on the vendor is a tired government cliché. Chronic Internet security problems that go unsolved year after year, decade after decade, come from users failing, not vendors. Vendors quickly adapt; users don't. The most important solutions to today's IoT insecurities are to firewall and microsegment networks, something wholly within the control of users, even home users. Yet government policymakers won't consider the most important solutions, because their goal is less cybersecurity itself and more how cybersecurity can further their political interests.
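What "firewall and microsegment" looks like in practice for a home user: the nftables ruleset below is an added example, not from the original post, for a router with a trusted LAN and a separate IoT VLAN. The interface names (eth0, lan0, iot0) and the allowed egress ports are assumptions; adjust them to the devices you actually run.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): a minimal nftables ruleset that
# microsegments IoT devices on a home router. Assumed (hypothetical) names:
#   eth0 = WAN uplink, lan0 = trusted LAN, iot0 = IoT VLAN interface.
flush ruleset

table inet seg {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Nothing unsolicited from the Internet reaches the router (or, via NAT, the devices).
        iif "eth0" drop
        # IoT devices may only talk to the router for DHCP and DNS.
        iif "iot0" udp dport { 53, 67 } accept
        iif "iot0" tcp dport 53 accept
        iif "lan0" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # No inbound exposure: the WAN never initiates a flow into any segment.
        iif "eth0" drop
        # The IoT segment may not initiate to the trusted LAN; the LAN may initiate to IoT.
        # Logging the drops gives you a detection signal for a compromised device.
        iif "iot0" oif "lan0" log prefix "iot-to-lan-blocked: " drop
        # IoT to Internet: allow only what the devices need (constructed list: HTTP/HTTPS, MQTT over TLS, NTP).
        iif "iot0" oif "eth0" tcp dport { 80, 443, 8883 } accept
        iif "iot0" oif "eth0" udp dport 123 accept
        iif "iot0" oif "eth0" log prefix "iot-egress-blocked: " drop
        # The trusted LAN can reach both the Internet and the IoT segment.
        iif "lan0" oif { "eth0", "iot0" } accept
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oif "eth0" masquerade
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: a camera that suddenly tries to reach the LAN or an unexpected port is the kind of event the ruleset makes visible.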

The best government policy for IoT is to do nothing, or at least to focus on more relevant solutions than patching vulns. The ideas proposed above will add costs to devices while yielding insignificant benefits to security. Yes, we will have IoT security issues in the future, but they will be new and interesting ones, requiring different solutions than the ones proposed.

NBlog July 13 – ISO/IEC 27001 Annex A status


I've just completed an internal audit of an ISO27k ISMS for a client. By coincidence, a thread on ISO27k Forum this morning brought up an issue I encountered on the audit, and reminded me of a point that has been outstanding for several years now.

The issue concerns the formal status of ISO/IEC 27001:2013 Annex A arising from ambiguities or conflicts in the main body wording and in the annex. 

Is Annex A advisory or mandatory? Are the controls listed in Annex A required by default, or optional, simply to be considered or taken into account?

The standard is distinctly ambiguous on this point, in fact there are direct conflicts within the wording - not good for a formal specification against which organizations are being audited and certified compliant.

Specifically, main body clause 6.1.3 Information security risk treatment clearly states as a note that "Organizations can design controls as required, or identify them from any source." ... which means they are not required to use Annex A.

So far so good. However, the very next line of the standard requires them to "compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted". This, to me, is a badly-worded suggestion to use Annex A as a checklist. Some readers may interpret it to mean that, by default, all the Annex A controls are "necessary", but (as I understand the position) that was not the intent of SC 27. Rather, "necessary" here refers to the organization's decision to treat some information risks by mitigating them using specific controls, or not. If the organization chooses to use certain controls, those controls are "necessary" for the organization, not mandatory for compliance with the standard.

To make matters worse still, a further note describes Annex A as "a comprehensive list of control objectives and controls", a patently false assertion. No list of control objectives and controls can possibly be totally comprehensive since that is an unbounded set. For starters, someone might invent a novel security control today, one that is not listed in the standard since it didn't exist when it was published. Also, there is a near-infinite variety of controls including variants and combinations of controls: it is literally impossible to identify them all, hence "comprehensive" is wrong.

The standard continues, further muddying the waters: "Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed." This directly contradicts the previous use of "comprehensive".

As if that's not bad enough already, the standard's description of the Statement of Applicability yet again confuses matters. "d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A". So, despite the earlier indication that Annex A is merely one of several possible checklists or sources of information about information security controls, the wording here strongly implies, again, that it is a definitive, perhaps even mandatory set after all.

Finally, Annex A creates yet more problems. It is identified as "Normative", a key word in ISO-land meaning "mandatory". Oh. And then several of the controls use the key word "shall", another word reserved for mandatory requirements in ISO-speak.

What a bloody mess!

Until this is resolved by wording changes in a future release of the standard, I suggest taking the following line:
  • Identify and examine/analyse/assess/evaluate your information risks;
  • Decide how to treat them (avoid, mitigate, share and/or accept);
  • Treat them however you like: it is YOUR decision, and you should be willing to justify your decision … but I generally recommend prioritizing and treating the most significant risks first and best, working systematically down towards the trivia where the consequences of failing to treat them so efficiently and effectively are of less concern;
  • For risks you decide to mitigate with controls, choose whatever controls suit your situation. Aside from Annex A, there are many other sources of potential controls, any of which might be more suitable and that’s fine: go right ahead and use whatever controls you believe mitigate your information risks, drawing from Annex A or advice from NIST, DHS, CSA, ISACA, a friend down the pub, this blog, whatever. It is your choice. Knock yerself out;
  • If they challenge your decisions, refer the certification auditors directly to the note under 6.1.3 b): Organizations can design controls as required, or identify them from any source. Stand your ground on that point and fight your corner. Despite the other ambiguities, I believe that note expresses what the majority of SC 27 intended and understood. If the auditors are really stubborn, demonstrate why your controls are at least as effective as, or even better than, those suggested in Annex A;
  • Perhaps declare the troublesome Annex A controls “Not applicable” because you prefer to use some other more appropriate control instead;
  • As a last resort, declare that the corresponding risks are acceptable, at least for now, pending updates to the standard and clearer, more useful advice;
  • Having supposedly treated the risks, check that the risk level remaining after treatment (“residual risk”) is acceptable, otherwise cycle back again, adjusting the risk treatment accordingly (e.g. additional or different controls).

If you are still uncertain about this, talk it through with your certification auditors – preferably keeping a written record of their guidance or ruling. If they are being unbelievably stubborn and unhelpful, find a different accredited certification body and/or complain about this to the accreditation body. You are the paying customer, after all, and it’s a free market!

Inspire 2018: Opening doors for partner innovation, growth and differentiation

Organizations around the world are undergoing transformation fueled by cloud, artificial intelligence, mixed reality and the Internet of Things. These technologies are helping businesses and society reach new heights – retail is becoming more personal, banking is becoming more seamless, and healthcare is becoming more predictive and preventive.

At the heart of these incredible stories of transformation – and more – are Microsoft partners. The Microsoft partner ecosystem is a group of hundreds of thousands of organizations driving positive, global impact. Building everything from line-of-business apps to industry-specific solutions on Dynamics 365 to gaming experiences, these companies are a natural extension of the team at Microsoft, delivering cutting-edge technology to millions of customers.

For Microsoft partners – their success is our success. We are squarely focused on delivering a true, two-way partnership with our partner network. It is with success and partnership in mind that, on the eve of Inspire 2018, I’m thrilled to announce new programs, tools and resources to help partners innovate, grow and differentiate their businesses.

Delivering innovation through apps and services

Whether they’re building apps or services, we know partners need access to the latest technology from Microsoft and guidance on how to extend that technology to build tailor-made solutions.

Today, we are announcing exciting new innovations in Microsoft 365, including a free version of Teams, new intelligent events capabilities, the Workplace Analytics teamwork solution and more. We are also announcing new cloud, apps and data technologies including Azure Data Box Disk, Azure Virtual WAN, Azure Firewall and more. We’re so excited to see how our partners will leverage these new offerings to help customers embrace and innovate in the modern workplace and continue to help customers in their journey to the cloud.

In addition to new technologies, we’re releasing new Digital Transformation eBooks, and practice-building playbooks, expanding on the popular resources already leveraged by tens of thousands of partners looking to build and enhance their practices.

Reach more customers to sell your solutions

In our third quarter, we noted that Azure revenue grew by 93 percent, with partners driving a considerable portion of that growth. To build on this great momentum, we’re doing two new things to fuel partner growth – leaning in on our marketplaces and enhancing AppSource as the entry point for selling with Microsoft, and enhancing our go-to-market benefits for partners to help them grow their businesses.

The new marketplace capabilities, available today, include integrated partner-to-partner solutions, private offers, and expanded consulting services. Each of these new capabilities provides partners new ways to get solutions in front of a bigger base of customers and to provide them with a better buying experience. There is no greater priority for us than connecting partners with customers.

We’re also providing greater flexibility and more opportunities to unlock new benefits that help partners go to market. Starting later this year, partners with competencies will have a choice of benefits packages based on their business focus. We’re expanding core benefits to include access to services that support generating leads, improving lead velocity and increasing close rates for app or service offerings.

Focus on differentiation to attract customers

We hear from partners that specialization is key to growth. This concept has been a cornerstone of our profitability guidance to partners and many have taken that message to heart. The ask to Microsoft, from partners and customers, is to do more to help customers find the right partners with the right solutions. Today, we’re announcing new ways for partners to demonstrate their proven expertise to customers with the introduction of new advanced specializations and the new Microsoft Azure Expert MSP initiative. Partners can now demonstrate that they have the right capabilities to help with specific customer business challenges.

Last year at Inspire, we initiated a transformation at Microsoft, and a new journey with our partners that continues together. We are here for our partners, we are working hard to prepare them for the future, and we are committed to their success. We are at a unique time when the combination of technology and opportunity brings us together, and we need to rely on each other more than ever. In the world of Digital Transformation, everyone needs an ecosystem, and a partnership with Microsoft is a partnership with our ecosystem. Together, we are in a position to take advantage of the unprecedented $4.5 trillion opportunity and unleash the power of true partnership to unlock incredible growth and success – for each other, and for our customers.

The post Inspire 2018: Opening doors for partner innovation, growth and differentiation appeared first on The Official Microsoft Blog.

CVE-2017-14710 (shein)

The Shein Group Ltd. "SHEIN - Fashion Shopping" app -- aka shein fashion-shopping/id878577184 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2017-14612 (shpock)

"Shpock Boot Sale & Classifieds" app before 3.17.0 -- aka shpock-boot-sale-classifieds/id557153158 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2017-14709 (komoot)

The komoot GmbH "Komoot - Cycling & Hiking Maps" app before 9.3.2 -- aka komoot-cycling-hiking-maps/id447374873 -- for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Handling Social Media Stress – Pointers to Share with Your Teens

The lion’s share of modern day communication happens online and for that, thanks to the hundreds of apps available. Whether it is news or videos, blogging or education, social media or gaming, entertainment or social movements – a lot is happening online, all the time.

In fact, social media apps have become the new ‘hangout’ zones for virtual citizens. After all, we live in a connected world and enjoy being online. But that may not always be good for tweens and teens, as they are still too young to process all the information coming at them. This may lead to stress.

Stress is not uncommon in our physical lives. We get stressed by our education, career, relationships and the environment. The same happens in the digital world. In the physical world, our responses to stress are primarily venting, having face-to-face spats or ignoring the issue. Not so in the digital world. In the virtual space, stress may arise from different causes and the repercussions may take on a viral form.

Why do children get stressed by social media? The common causes are:

  • Peer pressure: THE most important reason for children being online is to connect with their friends. And to keep this friendship alive and kicking, they often blindly copy the group leaders, even if they are not comfortable with what they are doing
  • FOMO (Fear of Missing Out): Teens, especially girls, have a competitive spirit when it comes to online presence and don’t want to be ‘the last to know’ so, they end up spending a lot of time online
  • Keeping up with the Joneses: The same competitive spirit leads kids to spend hours posing and selecting the perfect pics to share online or seek approval from strangers. This is risky, as negative comments online can harm self-confidence
  • Excessive sharing: When kids share a lot of their private information on social media, they leave themselves vulnerable to hacking, as well as opening themselves up to contact from inappropriate individuals online
  • Cyberbullying: Most kids have witnessed or experienced some forms of cyberbullying and often end up as either perpetrators or victims or mute spectators. In all cases, this is a disturbing occurrence
  • Lack of screen time limits: Lack of digital balance can have psychological effects and so digital usage rules are a must
  • Lack of empathy: When children are not taught to respect others and their traditions, they do not develop empathy and may end up bullying those with differing views and lifestyles
  • Exposure to inappropriate content or people: The wrong connections and information are a big source of stress
  • Online spats: Differences crop up, leading to squabbles and heated exchanges. It gets complex when this is done in a public forum and strangers join in
  • Disturbing global news: The slew of violent news often creates negative tension in the minds of youngsters, leaving them feeling confused and belligerent

Parenting plays a major role in helping children learn how to tackle social media stress. As parents, you know your children the best. Yes, even teens.

Observe them and if you note any change in their social media habits or general behaviour, talk to them. The earlier you start having frank one-to-one conversations, the easier it will be for you later. But before that, you may need to modify your own response to stress and learn to control your reactions. That way you will teach them a very important lesson without having to use a single word.

Help your kids fight social media stress:

  • Accept differences: People are different and will have different opinions. Accept the differences and respect their values
  • Be discerning: Life isn’t a bed of roses for anyone, so don’t let profiles fool you. Don’t judge someone by their bio and pictures
  • Practice tact: When things get bitter, the decent thing to do is to agree to disagree and walk away. If you don’t react, it doesn’t mean you are the weak one; it means you are smart enough not to get provoked. However, if the meanness gets out of hand, be the strong one and report and block the account
  • Practice digital balance: Limit screen time and have good friends in the real world who will always stand by you
  • Be aware: The world will have both good and bad and growing up means learning to understand and accept this. Maturity is being able to stay true to values. Wisdom is knowing which is bad and avoiding it

Say goodbye to stress and lead a healthier and happier life online. Apply your values from your physical life in the digital one and practice STOP. THINK. CONNECT. And don’t forget! Use McAfee Total Protection on all connected devices to protect what you value the most.

The post Handling Social Media Stress – Pointers to Share with Your Teens appeared first on McAfee Blogs.

Geeky ways to celebrate Friday the 13th

You're in luck

We've cobbled together a slew of things for the geeky among you to do on July 13 -- Friday the 13th that is. And we suggest you do it up because you won’t get another chance until Sept. 13, 2019.

Don’t miss the day!

Mobile apps exist solely for the purpose of reminding you when Friday the 13th is coming up. Pocketkai’s free iOS app will remind you of the one to three Friday the 13ths coming up each year for the next 50 years. The Bogeyman’s Android app will do likewise, for the next 10 Friday the 13ths.