Wednesday, January 24, 2007

What's Next next? A new time for Daylight Saving Time

Just a quick post to point out the change in DST this year which will require some systems to be patched. I have some tech details over on Cobb on Tech. From a security perspective, the possibility exists that someone could exploit mis-matches between systems that correctly auto-update time on 3/11/2007 and those that do not (mis-match being the non-technical term for who-knows-what-kind-of-synchronization-errors). One area to watch [apologies for the pun] will be access control devices for both perimeter and system security.
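To make the "mis-match" concrete, here is an added example (my own, not from the original post or from Cobb on Tech) that models the two US rules involved: the pre-2007 rule (first Sunday in April to last Sunday in October) and the Energy Policy Act rule that took effect in 2007 (second Sunday in March to first Sunday in November). It lists the dates in a given year on which a patched host and an unpatched host report different local times, which is the window in which time-based access control decisions, log correlation and certificate or token expiry checks can silently disagree by an hour. Only the standard library is used; the function names are mine, and the model works at whole-day granularity (the real transition happens at 2 a.m. local time).

```python
"""
Added example (not the original post's code): find the dates on which a host
still using the pre-2007 US DST rule disagrees with a host patched for the
2007 rule. Day granularity only; the real switch happens at 02:00 local time.
"""
from datetime import date, timedelta

SUNDAY = 6  # date.weekday(): Monday == 0 ... Sunday == 6


def nth_weekday(year, month, weekday, n):
    """n-th occurrence (1-based) of `weekday` in the month; n == -1 means the last one."""
    if n > 0:
        first = date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + timedelta(days=offset + 7 * (n - 1))
    # last occurrence: step back from the last day of the month
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def old_rule(year):
    """Pre-2007 US rule: first Sunday in April through last Sunday in October."""
    return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)


def new_rule(year):
    """Rule in force from 2007: second Sunday in March through first Sunday in November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def in_dst(day, rule):
    """True if `day` falls inside the DST period that `rule` defines for its year."""
    start, end = rule(day.year)
    return start <= day < end


def mismatch_days(year):
    """Every date in `year` on which a patched and an unpatched host disagree on local time."""
    day = date(year, 1, 1)
    out = []
    while day.year == year:
        if in_dst(day, old_rule) != in_dst(day, new_rule):
            out.append(day)
        day += timedelta(days=1)
    return out


def offset_skew_hours(iso_day):
    """Hours by which an unpatched host's local clock lags a patched one on the given ISO date (0 when they agree)."""
    day = date.fromisoformat(iso_day)
    return int(in_dst(day, new_rule)) - int(in_dst(day, old_rule))


if __name__ == "__main__":
    days = mismatch_days(2007)
    print(f"{len(days)} mismatch days in 2007, from {days[0]} to {days[-1]}")
    for probe in ("2007-03-20", "2007-04-15", "2007-10-30"):
        print(probe, "skew:", offset_skew_hours(probe), "hour(s)")
```

For 2007 the script reports two windows: 11 March through 31 March and 28 October through 3 November. A defender can use the same calculation to decide which log sources need a one-hour correction when correlating events from hosts that were patched late.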

Sunday, January 21, 2007

Much Anticipated Brussin Blog Now Online

Attention all serious blog readers! There's a new tech blog on the block and I'm betting it will become a "must-read" for anyone serious about Web 2.0, Business 2.0, and the whole intersection of technology and business. The blog is called "What Comes Next" and the blogger is David Brussin.

While David Brussin might not be a household name in high tech households, I would add the caveat "yet." I've been in the high tech field for over 25 years and have yet to encounter a sharper mind than Brussin's. It was no coincidence that he was named to the 2004 list of the world's 100 Top Young Innovators by Technology Review, MIT's Magazine of Innovation. Brussin has that rare combination of a. technical brilliance (he was building serious commercial networks before he graduated from high school) and b. business acumen (he had co-founded two successful startups before he was thirty, and both were snapped up by public companies).

Then there is c. he is very articulate. So, not only does Brussin come up with valuable and sometimes highly complex insights, he can put them into full sentences that are easily understood. Now, you sometimes meet people who have a or b or c. Occasionally you meet people with two of the three, but rarely do you encounter someone who has all three AND a sense of humor AND above average scores in tact and diplomacy.

So check out Brussin's blog. I hope you find it as interesting as I do.

Thursday, January 18, 2007

Small Business Continuity Gets a Boost: IMCD from ContingenZ

What if you could buy a large amount of expert advice on how to keep your business running despite everything that fate throws at you? Want to learn how? Read on...

Everyone knows that small businesses are the true powerhouse of free market economies, whether in the US, the UK, the EU, or beyond. Most people also know that the failure rate of small businesses is very high. What a lot of people don't realize is that many of those failures could be avoided if only small businesses did a little more advance planning. This fact gets lost in the seemingly endless array of factors that adversely impact small businesses: fire, flood, wind damage, snow days, power outage, earthquake, employee theft, virus outbreaks (biological and digital), hacking, abrupt departure of key employee(s), prolonged office evacuation due to nearby toxic spill, over-eager customer driving through the front window and mowing down the file server, unexpected incarceration of treasurer, public relations snafus. All of these happen and it is hard to predict when (you don't have to believe in global warming to know that the weather has been mighty unpredictable and frequently severe in recent years).

But all of these things have something in common: they are incidents, and incidents can be managed. Hence the art and science of Incident Management. One of the finest practitioners of this art is my friend Michael Miora who started a company called ContingenZ. The idea was that he couldn't be in two places at once and there just aren't enough incident management experts to go around, meaning that smaller businesses couldn't afford to hire one. So why not distill his expertise into a piece of software that any business owner or manager can use to create an incident management plan and business continuity strategy precisely tailored to the specific needs of the company?

And that is what Michael Miora has done, working with someone I also know quite well, Mike Cobb. Both Mike and Michael are CISSPs with a ton of experience in business management and data security. The product they came up with, IMCD, is now available in two versions. The more expensive Pro version is suitable for larger companies (and some very large companies are using it right now). The brand new and considerably less expensive Small Business Edition is ideal for small firms. What is more, businesses large and small can download a trial copy of IMCD to check it out.

This is a product that could literally save your business and it may well make you a ton of money even if--fingers crossed--you never have a single incident to deal with. How? Consider what happened to one of IMCD's first customers, a small firm specializing in shipping antiques that was in the running to get a big fat contract from a major shipping company. Like many big companies establishing new vendors, this one was doing due diligence. Did the small company have a business continuity plan? Yes, replied the small company. Can we see it? asked the big company. Umm, yes, well, it is sort of...informal, replied the small company. No formal plan, no big contract. And so the small company used IMCD to formally document its business continuity plan in a complete set of highly professional documents automatically generated by the software.

Result: the company that bought IMCD got the contract. And should anything ever happen to disrupt their business they are well placed to "keep on trucking." Scobb says "Check it out!"

[Disclaimer: I don't own stock in this company. Even if you buy a zillion licenses to IMCD I won't get a single penny. On the other hand you will make two of my friends very happy.]

Monday, January 15, 2007

Prairie Dogs and Information Security

I have blogged elsewhere about the Bush administration's interference with science. In the Union of Concerned Scientist's great catalog of these crimes against reason there's an interesting example of why it is important that everyone learn the basics of information security. The example concerns the white-tailed prairie dog (aww shucks, ain't he cute y'all).

The scientists claim that Julie MacDonald, of the Mountain Prairie Regional Office of the Fish and Wildlife Service, "directly tampered with a scientific determination by FWS biologists that the white-tailed prairie dog could warrant Endangered Species Act protection, and further, prevented the agency from fully reviewing the animal's status." A strong allegation. Any proof? How about Microsoft Word "track changes" edits? Yep, when you go altering reports written in Word you best be careful. Word tries hard not to forget. Check out the detailed sample here, illustrated in a pdf file that shows just what the changes were. As evidence of the scientists' claims I think the phrase that comes to mind is "dead to rights."

And change tracking is not the only way that Word coughs up secrets. Ever open a Word doc with Notepad or TextPad (which happens to be my favorite text editor)? You may well find stuff that doesn't appear in the document itself, stuff you thought you had deleted. Similar problems can occur if you are careless with Adobe Acrobat documents. See a great example of the Word issue (involving Tony Blair, Colin Powell, and the war on Iraq) on Richard Smith's fascinating Computer Bytes Man site.

The point here is that companies using Word or Adobe documents to store and distribute information need to know exactly how those programs work so those documents don't store any information that you would prefer to keep secret.
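The track-changes and "stuff you thought you had deleted" problems can be checked for before a document leaves the building. The following is an added example of my own, not code from the original post: it builds a small sample document inline (constructed for this illustration, using the modern .docx container rather than the 2007-era binary .doc format) in which a reviewer has deleted one phrase and inserted another with change tracking on, then shows that the text a reader sees differs from what the file actually carries, including the original wording, the reviewer's name and the authorship metadata in docProps/core.xml. The function names are mine; only the standard library is used.

```python
"""
Added example (not the blog's own code): scan a .docx for tracked changes and
authorship metadata that the rendered document does not show. Assumes the
OOXML .docx container; the sample document below is constructed inline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by Word
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def build_sample_docx() -> bytes:
    """Constructed sample: a report where one finding was 'deleted' with change tracking on."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body>
 <w:p>
  <w:r><w:t>Status review: the species </w:t></w:r>
  <w:del w:id="1" w:author="reviewer-a"><w:r><w:delText>warrants protection</w:delText></w:r></w:del>
  <w:ins w:id="2" w:author="reviewer-a"><w:r><w:t>does not warrant protection</w:t></w:r></w:ins>
  <w:r><w:t>.</w:t></w:r>
 </w:p>
</w:body></w:document>"""
    core_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
 <dc:creator>biologist-b</dc:creator>
 <cp:lastModifiedBy>reviewer-a</cp:lastModifiedBy>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def visible_text(docx_bytes: bytes) -> str:
    """What a reader sees: every <w:t> run; deleted text lives in <w:delText> and is skipped."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in doc.iter(f"{{{W}}}t"))


def hidden_content(docx_bytes: bytes) -> dict:
    """Tracked deletions and insertions (with author) plus creator/last-modified-by metadata."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        core = None
        if "docProps/core.xml" in z.namelist():
            core = ET.fromstring(z.read("docProps/core.xml"))

    def runs_text(el, tag):
        return "".join(t.text or "" for t in el.iter(f"{{{W}}}{tag}"))

    deletions = [(d.get(f"{{{W}}}author"), runs_text(d, "delText"))
                 for d in doc.iter(f"{{{W}}}del")]
    insertions = [(i.get(f"{{{W}}}author"), runs_text(i, "t"))
                  for i in doc.iter(f"{{{W}}}ins")]
    metadata = {}
    if core is not None:
        for tag, key in ((f"{{{DC}}}creator", "creator"),
                         (f"{{{CP}}}lastModifiedBy", "last_modified_by")):
            el = core.find(tag)
            if el is not None:
                metadata[key] = el.text
    return {"deletions": deletions, "insertions": insertions, "metadata": metadata}


if __name__ == "__main__":
    sample = build_sample_docx()
    print("Visible :", visible_text(sample))
    print("Hidden  :", hidden_content(sample))
```

Run against a real file, `hidden_content(open("report.docx", "rb").read())` lists every change a reviewer left in the revision history and who made it. A release check that refuses to publish any document with a non-empty `deletions` or `insertions` list, or with a `last_modified_by` the author did not expect, catches exactly the class of leak the post describes; comments and custom properties can be pulled from `word/comments.xml` and `docProps/custom.xml` in the same way.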

Tuesday, January 02, 2007

Divining the Devilish: Factors affecting the future of Microsoft Vista

Having previously complained about a lack of "compare and contrast" coverage of Vista versus prior Microsoft operating systems, I feel I should weigh in with a little C&C of my own (with the caveat that this is a blog, not a white paper, so you won't be getting footnotes and fancy formatting—those cost extra).

We know that Vista will be attacked by hackers of all stripes. Only time will tell how well Vista resists attack. One thing to look for in the months to come is the emergence of any "class of vulnerabilities." These are not fragile students, but problems of similar type, for example, memory leaks or buffer overflows. You don't need to get too technical to spot this. Just watch for a Vista hack to be revealed and then patched, only to be followed by news of another hack via a minor variation on the previous technique. This would strongly suggest that code review has not been rigorous enough, and could well presage the sort of rolling patch situation we are in with XP and Office products. Painful as that patch situation is, the early emergence of evidence that Vista is going to be in the same boat will further discourage adoption.

And herein lies one of the variables that emerge from a C&C: rate of adoption. When Windows NT was first released it attracted very little attention from hackers (defined as people who like to pick things apart, for a range of reasons). They were heavy into UNIX back then because if you wanted to explore big and interesting networks, UNIX was the OS you would most likely encounter (if you wanted to do more than explore, the money was also in UNIX and/or mainframes). This created a false aura of security around NT. While UNIX hacks were being announced all the time, NT was relatively--albeit temporarily--unscathed.

But two things happened to change that. One was considered a success for Microsoft: growing adoption of NT in corporate America, as well as the government, the military, and colleges. The other was considered a success for the PC world: the widespread availability of cheap CD-ROM drives and CD-burners. No longer did you need a foot high stack of floppies to install or steal NT. Just a thin, slim, light and easy to conceal CD. Around the 1996-98 time frame you could buy a pirated NT CD for a couple of bucks in Hong Kong or get someone to burn you a copy. I remember the first DefCon at which hackers started getting excited about NT. Part of that excitement came from the simple fact that NT was accessible. You could get at it in order to play with it.

So, two factors to consider for Vista are: ease of piracy and extent of adoption. Today we have much faster pipes down which to stuff pirated code and DVD-burners are standard equipment. The strength of Vista's copy protection will be a factor (one that is already under concerted attack). As to adoption, the very thing that Wall Street analysts are mumbling with foreboding--slower than hoped for Vista upgrading--could work to Microsoft's advantage. Several classes of hacking activity are all about the installed base (cf. the first Word macro virus of 1995, after the Word doc format had become the de facto standard).

But we must also contrast as well as compare, and the landscape of computer abuse today is much different from what it was a few years ago, most notably it is better-funded and more criminally-inclined. That will serve to negate the copy protection obstacles. Suppose you're a criminal who expects most banking systems to be Vista-based by oh-eight. Spending some serious money on cracking Vista in oh-seven might strike you as a good investment (and like they say, anyone who thinks organized crime doesn't make investments hasn't been to Vegas).

However, the most helpful history lesson at this juncture may well be that of "risk displacement" (also discussed here). Even if Vista holds up well in the face of concerted attacks and provides greater protection to users against some forms of information abuse, the level of effort expended to abuse information is unlikely to go down. Not to be flippant, but it is likely to go around. Improved technical controls typically lead to more concerted social engineering attacks (you put a password on the system, the attacker gets the user to reveal the password, and so on).

Just so we are clear, this is NOT the fault of Microsoft. This is the fault of human beings in general--flawed creatures that we are--and the failure of countries around the world to elicit better standards of behavior from their citizens. What would be wrong of Microsoft would be to foster the notion that Vista will somehow make the world a safer place for computing. With three "most secure yet" operating systems under its belt, and IT security spending at all time highs, Microsoft has to know that things are still not very safe out there.