You can't secure what you don't acknowledge.SM

Friday, December 10, 2010

Canon's digital camera image originality not so original

How's this pic for an attention grabber?!

Well, the folks at Elcomsoft have done it again. This time they've discovered a vulnerability in Canon's Original Data Security system demonstrating that digital image verification data can be forged. Apparently Canon has yet to respond.

Why is this a big deal? Well, it's impactful for the media, for forensics investigators, and for those of us in infosec as digital images are used in many aspects of what we do.

Don't test the authenticity of this Einstein photo, since the original "hacked" version was modified when I uploaded it to Blogger. However, some originals are here. Dmitry Sklyarov's presentation covers all the technical details behind the discovery. Very interesting stuff.

Also, if you're not familiar with Elcomsoft's tools, you've got to check them out. Lots of neat stuff written by a group of sharp people who are helping to drive security in ways that affect practically every aspect of business and lives...especially with this discovery.

Fingers crossed that they write software involving homes and automobiles one day! That's the next frontier of infosec, and we've only scratched the surface.

Thursday, December 9, 2010

The WikiLeaks lack of security responsibility & mental disorder connection

Last week I wrote out some talking points in preparation for a TV interview with the Canadian Broadcasting Corporation on the WikiLeaks issue and what businesses can do to keep their information secure. At the last minute they ended up not doing the segment so I thought I'd post my perspective here:
  • The leaks are not the problem – it's the choices and all the events that led to information being exposed that need the attention. Surprisingly, we're not hearing much about that.
  • Certain fundamental aspects of information security like business need to know, data classification, and separation of duties are often ignored OR they're mired in so much complexity and bureaucracy that they cannot be enforced or they just don't work at all.
  • Government agencies and people have been trying to keep secrets for centuries…arguably since the dawn of time. We're just experiencing new means of keeping secrets, and new means of their subsequent exposure.
  • The issue we're now facing is information systems complexity. Be it inside government agencies or in businesses, computer systems, applications, and all the hands in the pie create a scenario whereby it's virtually impossible to ensure that everything of value is secure ALL the time. A fundamental principle of information is that it wants to be free. That, and the fact that the same electronic asset can be in multiple locations at the same time, has created a monster that can be difficult to tame if you don't go about it the right way.
  • You cannot simply classify ALL of your electronic assets as "sensitive" or "critical", as many people are accusing government agencies of doing – if you do, then it negates most of the benefit.
  • Just because someone has passed a background check, obtained a security clearance, or had glowing references doesn't mean they're NOT going to do something bad moving forward…it may also mean they just haven't gotten CAUGHT.
  • As long as human beings are involved in the process, there will continue to be information risks to government agencies and businesses alike.
  • There’s a fundamental issue here that’s come into play in so many situations – mostly in business: INACTION. Management is out of the loop, users don’t want to be inconvenienced, and many people just keep their heads in the sand.
  • There's a three-step solution to keeping information secure:
  1. Know what you’ve got and where it’s located
  2. Understand how it’s at risk
  3. Do something about it by putting reasonable and measurable controls in place to keep things in check. Okay, maybe a step four: be very careful what you store electronically!
  • Even with all the security controls like tracking suspicious behavior and blocking people from downloading sensitive material to thumb drives and external hard drives there’ll ALWAYS be a way around it.
  • I suspect this data leakage problem will only get worse.
And finally, a few more personal points of view I just thought of. President Obama has created a new position to investigate the leaks…I say, Mr. Obama why not just ask government agencies why they’re not following their own rules?? Bigger government certainly won’t help the matter…

Furthermore, it's obvious Julian Assange is no fan of our country and wants to weaken the U.S....presumably for the same reason so many other people around the world want to weaken us as well. Don't get me wrong, I'm all for freedom of speech, transparency in government and so on. I'm just going about it from a different angle. It is funny how such activists promote "democracy" and rail against censorship while at the same time the politicians they support want to silence anyone who disagrees with their viewpoints.

It's a complex world we live in.

Wednesday, December 8, 2010

Are terrorists hanging out at Wal-Mart or something?

Our Imperial Federal Government is at it again with Homeland Security's new "videos" coming to a Wal-Mart near you. Do they have "intelligence" on Islamic terrorists casing our local Wally World parking lots or something? OK, probably not...they're likely just trying to get the word out to the dumb masses.

Unbelievable stuff, people...Let's just sit idly by and let this government intrusion nonsense continue in support of the Islamic terrorists' ultimate goal.

Monday, December 6, 2010

Unbelievable #s in the new Billion Dollar Lost Laptop Study

I spent last Thursday in San Francisco at a press briefing held by Intel's Anti-Theft Technology group regarding the new Ponemon Institute Billion Dollar Lost Laptop Study. Larry Ponemon's study found that businesses are losing billions of dollars through lost and stolen laptops - something I wrote about three years ago...and a problem that's been around even longer.

Malcolm Harkins (Intel's CISO), Anand Pashupathy (GM of Intel's Anti-Theft Services), Larry Ponemon (Founder of the Ponemon Institute) and I had a lively discussion on the findings of the study, why we have this problem, and what it's going to take to stop it.

I still shake my head when I see businesses ignore such a high-payoff security control.

Here's some press coverage for your reading enjoyment...check out what the reporters involved in the briefing had to say. The numbers are crazy and can be a great resource for finally getting some support for laptop encryption and related security controls. It's arguably some of the most important stuff affecting infosec today.

Wall Street Journal: Intel-Backed Study Tallies Laptop Losses

InfoWorld: Corporate America's lost laptop epidemic

eWeek: Intel: Failing to Protect Laptops Cost Companies Billions

The Register: Intel reveals 'the billion dollar lost laptop problem' - Chipzilla's plan to rescue $bns spent on McAfee

CRN: Intel Says Businesses Must Do More To Protect Their Mobile PCs

VentureBeat: The Wikileaks wake-up call: Lost or stolen laptops cost corporations $2.1 billion per year