Syria and Yemen: 29 November 2012

At 10:30 AM GMT yesterday, 29 November 2012, routing to Yemen suddenly changed from London to Dubai through FLAG to New York to Dubai through ETISALAT, as shown in the animation here and detailed in the PerilWatch from InternetPerils. That timing closely matched the 10:26 AM GMT Syrian disconnect time reported by Renesys. This is very reminiscent of Mubarak disconnecting Egypt 22:30 GMT 20 January 2011. This tactic didn't help Mubarak's regime in Egypt, and it probably won't help Assad's regime in Syria; rather the opposite: people don't like their Internet being turned off. And it tends to cause the international community to rally around the rebels.

-jsq

Microsoft, world leader in Internet security: and spamming?

Microsoft, world leader in Internet security, will doubtless clean up its spamming act when it sees its AS 8075 is #1 for outbound spam in the U.S. for April 2012 in rankings from PSBL data, pushing the U.S. to #1 worldwide. Other rankings don't show Microsoft high, but does MSFT really want to show up in any of these rankings?

Rank	(Previous)	Country	Population	Spam Volume	Percent of top 10
1	(3)	US	310,232,863	673,306	18.2%
2	(2)	IN	1,173,108,018	506,397	13.7%
3	(1)	CN	1,330,044,000	413,089	11.2%
		Total		3,689,376	100%

These rankings that show Microsoft high are derived by SpamRankings.net from PSBL blocklist data. The April 2012 SpamRankings.net from CBL blocklist data do not show Microsoft in the top 10. Apparently PSBL's spam traps happened to be in the line of spam from Microsoft, while CBL's were not.

And of course Microsoft probably doesn't mean to be sending any of that spam. More likely botnets exploited a MSFT security vulnerability. Here's hoping they clean it up soon!

-jsq

Davos discovers cyber attacks

Cyber attacks made the Davos Top 5 Global Risks in Terms of Likelihood. Davos, the annual conclave of the hyper-rich and famously elected, has also discovered Severe income disparity and Water supply crisis, so maybe they're becoming more realistic.

However, in Figure 17 on page 25 they've got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they're missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.

Interesting comment on page 26:

SEC moving towards breach disclosure requirement?

The 13 October 2011 SEC guidance, CF Disclosure Guidance: Topic No. 2: Cybersecurity, leaves most of the decision of what sort of breaches are significant enough to disclose up to the affected organizations. But look at this:

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship.

Hm, incentives like showing an improved reputational risk ranking?

Perhaps in order to prevent this sort of thing?

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.

The SEC is still missing at least one connection between dots:

Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.

Sure, infosec costs money. But if infosec actually prevents loss of customer goodwill, infosec could attract and retain customers, so infosec could be a source of profit. If anybody knows about it, that is.

-jsq

APWG Atlanta Buckhead

Five years of the Anti-Phishing Working Group! Dave Jevans gave a retrospective, followed by country reports:

Japan: Pretending to be grandchild to get bank account transfer is popular. ATM scams are the most lucrative.

Russia: Second biggest global source of spam. Ecrime economy is ten times the si ze of the anti-ecrime industry, and that's a problem.

Brazil: Most phishing is done locally. Is all organized crime.

I don't want to go into too much detail, even though the bad guys don't seem to need any help. APWG continues to climb the ecrimeware curve, catching up with th e miscreants.

OK Leaks Tens of Thousands of SSNs for Years

You'd think they'd know better:

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.

— Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data, by Alex Papadimoulis in Feature Articles, The Daily WTF, 2008-04-15

But the best part is what it took to get the state to fix it:

Auditing Georgia Government Security

Georgia's governor wants to standardize information security reporting across the entire state government:

The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor's Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

— Gov. Perdue Signs Executive Order Strengthening Georgia's Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting in a publicly visible web page.

-jsq

New School: New Book by Adam Shostack

Adam Shostack, whose group blog Emergent Chaos I quote frequently in this blog, has a new book coming out with co-author Andrew Stewart: New School of Information Security.

We think there's an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn't just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new source of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

— The New School of Information Security, Adam Shostack, Emergent Chaos, 10 March 2008

I haven't read the book yet, since it's not published yet, but if it's like the material he posts in his blog, it's a good thing.

One of his commenters doesn't get it:

Availability Is Not Security If an Abandoned Sea Anchor Cut the Cable?

I see in some fora people are still arguing that security involves countering malicious actors, and availability alone is not security, even if people are depending on availabity.

Were all those recent cable cuts in the Med. and the Persian Gulf not security issues, even though some of the affected companies are now planning to spend $300-400m on physical security to fix the problem?

If the culprit had been a Russian mobster or Al Qaeda or the CIA rather than (in one case) an abandoned ship anchor, then it would have been security, but now it's not?

-jsq

Publicity about Internal Fraud: Still an Issue after 30 Years

Adam quotes a 30 year old book about computer security and notes that the IRS then and now doesn't adequately protect taxpayers' information and promises to do better. His quote that I like best, though is:

Top management people in large corporations fear that publicity about internal fraud could well affect their companies' trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil... (Computer Capers, page 72)

— Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That's why corporations fear a breach reporting reputation system. That's also why we need one.

-jsq ~