Sunday, October 07, 2012

More Cobbs on Information Security: Selected articles by Stephen & Michael

As you may know from my previous post, my first book on computer security was published in 1992. That led to an invitation to speak at the 1994 Virus Bulletin conference, and in 1996 I was one of the first people to pass the CISSP exam. A few years later, my brother, Michael Cobb, became an MCDBA and then a CISSP, and later a CISSP-ISSAP.

Michael, who also writes as Mike Cobb, is also CLAS certified (CLAS stands for the UK's CESG Listed Advisor Scheme; CLAS consultants play a key role in providing Information Assurance advice to government departments and other organisations that provide services for the government).

Over the years Mike and I have written and spoken a lot about security. We've taught a lot of security classes, and delivered a host of security- and privacy-themed seminars, podcasts, and webcasts. Right now I am working up the strength to create a library of links to as many of these as I can find online. But in the meantime, here are 5 recent items from each of us.

Michael's List

Michael Cobb, CISSP, writes for a variety of publications, including SearchSecurity and Dark Reading. Here are 5 recent articles:
  1. Measuring Risk: A Security Pro's Guide
  2. Evaluating and Choosing Threat Intelligence Tools
  3. When To Outsource Security - And When Not To
  4. How Did They Get In? A Guide To Tracking Down The Source Of An APT
  5. How To Detect And Defend Against Advanced Persistent Threats

Stephen's List

I write for the ESET Threat Blog as well as my own blog and SC Magazine's Cybercrime Corner. Here are 4 widely read items and an index of my posts from the ESET blog:
  1. Data security and digital privacy on the road, what travelers should know
  2. FBI Ransomware: Reveton seeks MoneyPak payment in the name of the law
  3. Malware RATs can steal your data and your money, your privacy too
  4. Privacy and Security in the Consumer Cloud: The not so fine print
  5. Library of Stephen Cobb's articles on the ESET Threat Blog

I hope you find this material helpful.

Sunday, July 22, 2012

Cobb's PC and LAN Security: 20th anniversary of publication (available as a free download!)

The Stephen Cobb Complete Book of PC and LAN Security first appeared in print in 1992, an amazing 20 years ago. In celebration of this anniversary, I'm publishing a PDF copy of the most recent version of the book, freely downloadable under a Creative Commons license. The large file size of this 700-page tome led me to publish it in three easily digestible parts: Part One; Part Two; and Part Three. (Yes, my organizational skills are legendary.)

Despite the title, which was imposed by the publisher, the volume that appeared 20 years ago was by no means a "complete book" on the subject; nor is it now a contemporary guide. However, you can still find it on Amazon, even though Amazon did not exist when the first version was published. The images immediately on the right are the current Amazon listings of the three versions (which I will explain shortly).

If you are inclined to take this particular trip down computer security's memory lane, I suggest you download the free electronic version rather than purchase on Amazon. On that trip you will find a few items of note, such as this:
The goal of personal computer security is to protect and foster the increased creativity and productivity made possible by a technology that has so far flourished with a minimum of controls, but which finds itself increasingly threatened by the very openness that led to its early success. To achieve this goal, you must step from an age of trusting innocence into a new era of realism and responsibility, without lurching into paranoia and repression.
I'd say that's a decent piece of prognostication for 1992. It's one of the reasons I have kept the book available all these years, a mix of nostalgia and history. At some point in the future it might be interesting to see what computer security looked like in the late 20th century.

Three Versions and a Free Version

I made a lot of changes when I turned that 1992 volume into The NCSA Guide to PC and LAN Security--a 700-page paperback that was published in 1995--but that edition is also very outdated these days. Around 12 years ago I obtained the copyright to these works and, through an arrangement with the Authors Guild, got it reprinted as Cobb's Guide to PC and LAN Security. This was done largely for sentimental reasons and the copies are only printed on demand. However, in that process I obtained a high-resolution scan of the entire book. I then converted this to text using Adobe OCR software. The result is what I have put online. (Warning: you may encounter OCR errors and artifacts; no claims are made as to the accuracy of the information in this document; use at your own risk and discretion.)

Computer Security Prognosis and Predictions

I plan to post more thoughts on computer security "then and now" but for now I leave you with another quote from the 1992 Stephen Cobb Complete Book of PC and LAN Security:
The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use.

Friday, June 29, 2012

Stuxnet, Flame, Information Security and Privacy Blog Posts

I thought I would update the blog for June by listing some of my recent articles and posts from elsewhere, mainly the ESET Threat Blog, unless stated otherwise.
As you can see, the reports that Stuxnet was indeed a U.S. government project sparked a couple of articles. It also got me talking on a podcast: Demystifying nation-state attacks and their impact

Wednesday, May 16, 2012

QR Code Privacy Issues and AT&T

Ouch! After saying that I thought AT&T had done a better-than-average job with its QR code scanner app for the iPhone someone pointed out that AT&T's scanner is one of a number of such apps that have privacy issues. The point was made in a comment on the ESET Threat Blog by Roger Smolski who runs this excellent website focused on QR codes.

It seems that, like me, Roger is a fan of technology but keeps a wary eye on potential downsides, like a QR code scanner that does more than the user bargained for. This definitely seems to be the case with the AT&T scanner, which lets AT&T know what you scan. I liked the AT&T scanner for installing with a preview option by default, but now dislike it because of this under-disclosed sharing of data that I consider personal (i.e. which QR codes I choose to scan).

According to Roger, confirmed by his technical code scanner analysis, some QR scanner apps, like NeoReader, are gathering data on your use of the app. The AT&T scanner is an example of this. An example of a decent scanner that does not do this is Bar Code Scanner for Android. I am going to have to look further for an iPhone QR Code scanner app that is independently confirmed as "non-tracking." In the meantime, here are other QR/privacy articles by Roger Smolski:

Oh, and BTW, FYI, it seems QR Code is a registered trademark of Denso Wave Corp. So maybe I will adopt Roger's usage of 2D codes to avoid stepping on anyone's IP toes.

Monday, April 23, 2012

AT&T Gets QR Code Scanner Right

AT&T might not be the best-loved company in America but it deserves praise for getting something right: The QR code scanner that it supplies for the Apple iPhone has a preview-and-authorize mode installed as the default.

I have explained why this is important in this article on QR codes and NFC tags, which includes a video that makes the point quite vividly: You should not let your hardware act on the instructions embedded in a QR code or NFC tag without first knowing what those actions are. The AT&T code scanner for iPhone is set up to do that. Other scanners also have that ability but do not behave that way by default.
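To make the preview-and-authorize idea concrete, here is an added example in Python (my illustration, not code from AT&T's scanner or from this post): a default-deny gate that classifies a decoded payload, builds the preview a user would see, flags things worth noticing before approving, and dispatches nothing unless a supplied confirm() callback says yes. The confirm hook, the payload kinds handled and the warning texts are all assumptions for the example.

```python
import re
from urllib.parse import urlparse


def preview_payload(payload: str) -> dict:
    """Classify a decoded 2D-code payload and build a human-readable preview.

    Returns {"kind", "summary", "warnings"}; warnings are things a user should
    see before authorizing (plaintext http, a userinfo prefix that disguises
    the real host, punycode host names, open Wi-Fi networks)."""
    p = payload.strip()
    low = p.lower()
    warnings = []
    if low.startswith(("http://", "https://")):
        u = urlparse(p)
        host = (u.hostname or "").lower()
        if u.scheme == "http":
            warnings.append("plaintext http link")
        if u.username is not None:
            # "https://bank.example@evil.example/" really goes to evil.example
            warnings.append(f"credentials-style prefix hides real host {host!r}")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("internationalized (punycode) host name")
        summary = f"Open {u.scheme}://{host}{u.path or '/'}"
        return {"kind": "url", "summary": summary, "warnings": warnings}
    if low.startswith("tel:"):
        number = re.sub(r"[^\d+#*]", "", p[4:])
        return {"kind": "call", "summary": f"Dial {number}", "warnings": warnings}
    if low.startswith("wifi:"):
        # WIFI:T:<auth>;S:<ssid>;P:<password>;; (constructed sample format)
        fields = dict(re.findall(r"([A-Z]):([^;]*);", p[5:]))
        auth = fields.get("T") or "nopass"
        if auth.lower() == "nopass":
            warnings.append("open (unencrypted) network")
        summary = f"Join Wi-Fi {fields.get('S', '?')!r} ({auth})"
        return {"kind": "wifi", "summary": summary, "warnings": warnings}
    # Anything unrecognized is only ever displayed, never executed.
    return {"kind": "text", "summary": f"Show text ({len(p)} chars)", "warnings": warnings}


def dispatch(payload: str, confirm):
    """Default-deny gate: build the preview, act only on explicit approval.

    confirm(preview) is the UI hook (assumed); returns the authorized
    (kind, payload) action, or None when the user declined."""
    preview = preview_payload(payload)
    if not confirm(preview):
        return None
    return (preview["kind"], payload)
```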

I have bashed AT&T for poor wireless products and service on numerous occasions, but I believe in praise where praise is due. Security has long been a priority at AT&T. Over the years I have trained thousands of AT&T employees on everything from server security to security in the workplace. So I was happy to see their QR code reader was designed right.

Sunday, March 18, 2012

Cybersecurity Reading List for March 2012

Cybersecurity reports, blog posts, and white papers are not in short supply these days, so I thought I would help folks decide what subset to read. I'm hoping this will make up for some of the neglect this blog has suffered over the past few months, due in no small part to my heavy--yet enjoyable--workload at ESET.

Tuesday, January 03, 2012

Chinese hacks and Anonymous hacking: Lessons of the end game when nothing is 100% secure

I read about the hacking of the California State Law Enforcement Association or CSLEA website by Anonymous "for fun and m4yh3m!" just after reading about the latest round of hacking of Chinese websites. Nota Bene: I am NOT saying Anonymous hacked the Chinese websites; I'm NOT talking about Chinese hacking of U.S. websites; and I'm NOT writing as an employee of any organization.