<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: escape]]></title>
    <link>http://www.securityratty.com/tag/escape</link>
    <description></description>
    <pubDate>Mon, 05 May 2008 07:52:27 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Mayhem in Mumbai]]></title>
      <link>http://www.securityratty.com/article/b7902ee86f589ca527ebb734d591a745</link>
      <guid>http://www.securityratty.com/article/b7902ee86f589ca527ebb734d591a745</guid>
      <description><![CDATA[The total number of casualties rises in the financial capital of India after terrorists attack multiple locations

The latest figures suggest that at least 100 people have been killed and as many as...]]></description>
      <content:encoded><![CDATA[The total number of casualties rises in the financial capital of India after terrorists attack multiple locations.<br /><span id="fullpost"><br />The latest figures suggest that at least 100 people have been killed and as many as 900 injured.  Radio and television reporters are saying that it has all the hallmarks of an Al-Qaeda attack.  Locations included a railway station, a cinema, the Taj Hotel, and another very popular restaurant. <br /></span><br />It appears as if the terrorists singled out Westerners as they are reported to have taken British and American tourists hostages and brought them up to the 18th floor of the hotel.  This evening the hotel is on fire and the fate of the hostages is still unknown.<br /><br />The good news for some is that they were able to escape from the hotel in the confusion.  It appears that the terrorists could have numbered dozens of heavily armed men.  This is definitely not a random attack but a well planned and executed operation aimed at causing mass casualties and hitting India's financial markets in much the same way as Wall Street was attacked on 9/11.<br /><br />We do not hear that much about India's terrorist problems in the West but I was made aware of it when I was invited to India to speak on Security matters this time last year.  I have since that time made clients and potential clients aware of the security situation.<br /><br />There has been much outsourcing to India and many U.S. businesses are sending personnel over there as a result.  Those who can afford to have their own professional security protectors should consider that option very carefully.  It could very well turn out to be more of a necessity than a luxury in these dangerous times.]]></content:encoded>
      <pubDate>Thu, 27 Nov 2008 02:48:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/india">india</category>
      <category domain="http://www.securityratty.com/tag/potenital clients aware">potenital clients aware</category>
      <category domain="http://www.securityratty.com/tag/taj hotel">taj hotel</category>
      <category domain="http://www.securityratty.com/tag/hotel">hotel</category>
      <category domain="http://www.securityratty.com/tag/clients">clients</category>
      <category domain="http://www.securityratty.com/tag/hostages">hostages</category>
      <category domain="http://www.securityratty.com/tag/mass casualties amnd">mass casualties amnd</category>
      <category domain="http://www.securityratty.com/tag/american tourists hostages">american tourists hostages</category>
      <category domain="http://www.securityratty.com/tag/aware">aware</category>
      <source url="http://www.thebulletproofblog.com/2008/11/mayhem-in-mumbai.html">Mayhem in Mumbai</source>
    </item>
    <item>
      <title><![CDATA[Flash 10 Fixes Clickjacking Flaw]]></title>
      <link>http://www.securityratty.com/article/7466eca5f91107c96844d79b2e110ddd</link>
      <guid>http://www.securityratty.com/article/7466eca5f91107c96844d79b2e110ddd</guid>
      <description><![CDATA[Not long after &quot;clickjacking&quot; attacks appeared several weeks ago it became clear that the culprit was Adobe's Flash. And the problem, as we say in the software biz, wasn't a bug, it was a feature....]]></description>
      <content:encoded><![CDATA[Not long after <a href="http://securitywatch.eweek.com/vulnerability_research/clickjacking_browser_attack_details_emerge.html">"clickjacking" attacks appeared several weeks ago</a> it became clear that the culprit was Adobe's Flash. And the problem, as we say in the software biz, wasn't a bug, it was a feature. This feature has been modified in <a href="http://www.eweek.com/c/a/Application-Development/Adobe-Releases-Flash-Player-10/">the new Flash 10 player</a> to address the problem.

The problem is clipboard access. By default, Flash 9 allowed a Flash program to read and write to the clipboard. "Clickjacking" attacks took advantage of this to persistently stuff a value, usually a malicious URL, into the clipboard, in the hope the user would visit it. The attack is as cross-platform as Flash, working on Macs as well as Windows.

In Flash 10 the clipboard methods will only work when called through ActionScript which originates with a user action, like pressing a button. No longer will a silent Flash app be able to hijack the clipboard completely without the user noticing.

This change was just one of <a href="http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html">many security changes in the Flash 10 player</a>. Changes in how Flash handles policy files mean that developers will have to address their use of them. Errors on socket connect() calls will be handled differently. And much in the same philosophy as with clipboards, file uploads and downloads may only occur in script that begins with a user action. There are other changes as well.

The flip side of this fix is that it is not implemented in Flash 9. This means that the only way to escape clickjacking attacks is to upgrade to Flash 10.
]]></content:encoded>
      <pubDate>Thu, 16 Oct 2008 10:07:56 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/flash">flash</category>
      <category domain="http://www.securityratty.com/tag/silent flash app">silent flash app</category>
      <category domain="http://www.securityratty.com/tag/flash program">flash program</category>
      <category domain="http://www.securityratty.com/tag/clipboard">clipboard</category>
      <category domain="http://www.securityratty.com/tag/clipboard methods">clipboard methods</category>
      <category domain="http://www.securityratty.com/tag/user">user</category>
      <category domain="http://www.securityratty.com/tag/user action">user action</category>
      <category domain="http://www.securityratty.com/tag/clipboard access">clipboard access</category>
      <category domain="http://www.securityratty.com/tag/clipboard completely">clipboard completely</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/58cVGsWzlbk/flash_10_fixes_clickjacking_flaw.html">Flash 10 Fixes Clickjacking Flaw</source>
    </item>
    <item>
      <title><![CDATA[Trick or Treat]]></title>
      <link>http://www.securityratty.com/article/c004eff4c879f49ca081346223fc7909</link>
      <guid>http://www.securityratty.com/article/c004eff4c879f49ca081346223fc7909</guid>
      <description><![CDATA[October's here, and you can't escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people...]]></description>
      <content:encoded><![CDATA[<p>October's here, and you can't escape the coming onslaught of Halloween. Children (and quite a few adults) dressed up as vampires, ghosts, goblins and other scary creatures, going around asking people for treats and threatening them with tricks if they don't provide them. A cynical person might boil it down to a combination of scare tactics and extortion. So what does this have to do with IT security and compliance? Unfortunately, the way security and compliance professionals have traditionally gone about obtaining funds and resources for tools and projects necessary to do their jobs all too closely parallels what happens on Halloween. <b>We frequently use scare tactics such as new threats (the trick) to get management to cough up the funding and resources (the treats) we need to accomplish what we view as our jobs...</b></p>]]></content:encoded>
      <pubDate>Wed, 08 Oct 2008 20:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/scare tactics">scare tactics</category>
      <category domain="http://www.securityratty.com/tag/compliance professionals">compliance professionals</category>
      <category domain="http://www.securityratty.com/tag/compliance">compliance</category>
      <category domain="http://www.securityratty.com/tag/resources">resources</category>
      <category domain="http://www.securityratty.com/tag/jobs">jobs</category>
      <category domain="http://www.securityratty.com/tag/closely parallels">closely parallels</category>
      <category domain="http://www.securityratty.com/tag/scary creatures">scary creatures</category>
      <category domain="http://www.securityratty.com/tag/treats">treats</category>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1361">Trick or Treat</source>
    </item>
    <item>
      <title><![CDATA[Be careful what hand you play, and when you play it]]></title>
      <link>http://www.securityratty.com/article/3f792de863bd77b5be976522d12fce8f</link>
      <guid>http://www.securityratty.com/article/3f792de863bd77b5be976522d12fce8f</guid>
      <description><![CDATA[Yet another analogy from the credit crunch shows us security folks that even if we changed jobs we probably wouldn't be able to escape our frustrations. The executive branch is currently trying to win...]]></description>
      <content:encoded><![CDATA[Yet another analogy from the credit crunch shows us security folks that even if we changed jobs we probably wouldn't be able to escape our frustrations. 

The executive branch is currently trying to win over Congress and convince them to hand over a large sum of money, or else something really bad is going to happen. This is a situation I'm sure many security folks have found themselves in, albeit under less extreme circumstances.

The people with the check books seldom know anything about what you're doing. Congress is full of politicians, not economists or experts on the banking system. They need to rely on their gut feeling to do the right thing. Same thing with your management, <B>so it's up to you to guide them towards the right decision -- in their language</b>...
]]></content:encoded>
      <pubDate>Tue, 30 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/security folks">security folks</category>
      <category domain="http://www.securityratty.com/tag/check books seldom">check books seldom</category>
      <category domain="http://www.securityratty.com/tag/congress">congress</category>
      <category domain="http://www.securityratty.com/tag/extreme circumstances">extreme circumstances</category>
      <category domain="http://www.securityratty.com/tag/credit crunch">credit crunch</category>
      <category domain="http://www.securityratty.com/tag/executive branch">executive branch</category>
      <category domain="http://www.securityratty.com/tag/hand">hand</category>
      <category domain="http://www.securityratty.com/tag/system">system</category>
      <category domain="http://www.securityratty.com/tag/analogy">analogy</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1358">Be careful what hand you play, and when you play it</source>
    </item>
    <item>
      <title><![CDATA[Random Stupidity in the Name of Terrorism]]></title>
      <link>http://www.securityratty.com/article/c81bd0a4e004add0a54874f8bf604a84</link>
      <guid>http://www.securityratty.com/article/c81bd0a4e004add0a54874f8bf604a84</guid>
      <description><![CDATA[An air traveller in Canada is first told by an airline employee that it is &quot;illegal&quot; to say certain words, and then that if he raised a fuss he would be falsely accused: When we boarded a little...]]></description>
      <content:encoded><![CDATA[An air traveller in Canada is first <a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20080627.blatch28/BNStory/specialComment/home">told</a> by an airline employee that it is "illegal" to say certain words, and then that if he raised a fuss he would be falsely accused:

<blockquote>When we boarded a little later, I asked for the ninny's name. He refused and hissed, "If you make a scene, I'll call the pilot and you won't be flying tonight."</blockquote>

More on the British <a href="http://www.theregister.co.uk/2008/06/23/police_photographer_stops/">war on photographers</a>.

A British man is forced to give up his <a href="http://uk.news.yahoo.com/skynews/20080624/tuk-bus-spotter-labelled-a-paedophile-45dbed5.html">hobby</a> of photographing busses due to harassment.

<blockquote>The credit controller, from Gloucester, says he now suffers "appalling" abuse from the authorities and public who doubt his motives.

The bus-spotter, officially known as an omnibologist, said: "Since the 9/11 attacks there has been a crackdown.

"The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority.

Mr McCaffery, who is married, added: "We just want to enjoy our hobby without harassment.

"I can deal with the fact someone might think I'm a terrorist, but when they start saying you're a paedophile it really hurts."</blockquote>

Is <a href="http://www.cnn.com/2008/WORLD/meast/07/02/israel.bulldozer/">everything</a> illegal and damaging now terrorism?

<blockquote>Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead.

Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man -- a construction worker -- acted alone. It is not known if he had links to any terrorist organization.</blockquote>

Boston public school locked down after someone <a href="http://www.boston.com/news/odd/articles/2008/06/25/school_locked_down_after_ninja_sighted_in_woods/">saw</a> a ninja:

<blockquote>Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword.

Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school.</blockquote>

And finally, not terrorism-related but a fine newspaper headline:  "<a href="http://ap.google.com/article/ALeqM5h1AqbvSMYPxJrla6-Fgym8WIzEsgD91KNJD00">Giraffe helps camels, zebras escape from circus</a>":

<blockquote>Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage.</blockquote>

Are llamas really that hard to count?]]></content:encoded>
      <pubDate>Thu, 03 Jul 2008 08:57:04 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/police">police</category>
      <category domain="http://www.securityratty.com/tag/israeli police shot">israeli police shot</category>
      <category domain="http://www.securityratty.com/tag/giraffe">giraffe</category>
      <category domain="http://www.securityratty.com/tag/terrorist">terrorist</category>
      <category domain="http://www.securityratty.com/tag/israeli authorities">israeli authorities</category>
      <category domain="http://www.securityratty.com/tag/giraffe helps camels">giraffe helps camels</category>
      <category domain="http://www.securityratty.com/tag/authorities">authorities</category>
      <category domain="http://www.securityratty.com/tag/boston public school">boston public school</category>
      <category domain="http://www.securityratty.com/tag/terrorist organization">terrorist organization</category>
      <source url="http://www.schneier.com/blog/archives/2008/07/random_stupidit.html">Random Stupidity in the Name of Terrorism</source>
    </item>
    <item>
      <title><![CDATA[EU bloggers under assault by the European Parliament - they need your help]]></title>
      <link>http://www.securityratty.com/article/42471dd2ecc3d3795053ea76949e5eeb</link>
      <guid>http://www.securityratty.com/article/42471dd2ecc3d3795053ea76949e5eeb</guid>
      <description><![CDATA[One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world. Some of the most prolific contributors to the...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>One of the nice things about having started the <a href="http://networks.feedburner.com/Security-Bloggers-Network/feed" target="_blank">SBN</a> was that I have gotten to meet (mostly virtually) many security <a class="zem_slink" title="Blog" href="http://en.wikipedia.org/wiki/Blog" rel="wikipedia">bloggers</a> from around the world.&nbsp; Some of the most prolific contributors to the content of the SBN have been the members of the <a href="http://pipes.yahoo.com/pipes/pipe.run?_id=ViJDI2KQ3BGXtQrlnkartA&amp;_render=rss" target="_blank">Belgian Security Bloggers Network</a>.&nbsp; I received word today from one of the authors of one of the blogs, <a href="http://belsec.skynetblogs.be/post/5962674/alarm--european-parliament-wants-to-take-on-b" target="_blank">belsec</a>, that they are under assault by the EU government.&nbsp; It seems in their wisdom, the <a href="http://www.europarl.europa.eu/meetdocs/2004_2009/documents/pr/712/712320/712320en.pdf" target="_blank">European Parliament has decided</a> that in the interests of &quot;media pluralism&quot;, all blog owners should declare their ownership, affiliations and status of weblog authors.</p>

<p>The explanatory notes of the proposed regulation say this:</p><blockquote><p><em>In this context the report points out that the undetermined and unindicated status of authors and publishers of weblogs causes uncertainties regarding impartiality, reliability, source protection, applicability of ethical codes and the assignment of liability in the event of lawsuits.<br />It recommends clarification of the legal status of different categories of weblog authors and publishers as well as disclosure of interests and voluntary labelling of weblogs.</em></p></blockquote><p>As the belsec author points out, disclosure of their identities would effectively silence their voices.&nbsp; There is no first amendment freedom of speech or <a class="zem_slink" title="Freedom of the press" href="http://en.wikipedia.org/wiki/Freedom_of_the_press" rel="wikipedia">freedom of press</a> constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have to?&nbsp; The EU is a democratic, progressive entity.&nbsp; Forcing these bloggers to make their &quot;status and identity&quot; public should not be mandatory here.</p>

<p>Blogs are today's pamphlets.&nbsp; Basic <a class="zem_slink" title="Freedom of speech" href="http://en.wikipedia.org/wiki/Freedom_of_speech" rel="wikipedia">freedom of expression</a>, speech and press have been protected for hundreds of years. Forcing these bloggers to identify themselves is a violation of their rights.&nbsp; What would <a class="zem_slink" title="Thomas Paine" href="http://en.wikipedia.org/wiki/Thomas_Paine" rel="wikipedia">Thomas Paine</a> and others like him think of this restriction? </p>

<p>If you feel that this is an unfair and unjust restriction on bloggers' rights, blog about it. It is our right to do so and we should use the medium to do so.&nbsp; If you are an EU citizen, write to your representative and demand that this proposed regulation does not go into effect!</p>

<p>Do not take your right to blog lightly.&nbsp; If you don't stand up for it, it can be taken away from you.</p>

<p><em>&quot;The world is my country, all mankind are my brethren, and to do good is my religion.&quot; - </em>Thomas Paine </p>

</div>
]]></content:encoded>
      <pubDate>Thu, 12 Jun 2008 05:38:11 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/bloggers">bloggers</category>
      <category domain="http://www.securityratty.com/tag/weblog authors">weblog authors</category>
      <category domain="http://www.securityratty.com/tag/authors">authors</category>
      <category domain="http://www.securityratty.com/tag/bloggers rights">bloggers rights</category>
      <category domain="http://www.securityratty.com/tag/freedom">freedom</category>
      <category domain="http://www.securityratty.com/tag/legal status">legal status</category>
      <category domain="http://www.securityratty.com/tag/blog owners">blog owners</category>
      <category domain="http://www.securityratty.com/tag/basic freedom">basic freedom</category>
      <category domain="http://www.securityratty.com/tag/status">status</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/eu-bloggers-und.html">EU bloggers under assault by the European Parliament - they need your help</source>
    </item>
    <item>
      <title><![CDATA[EU bloggers under assault by the European Parliament - they need your help]]></title>
      <link>http://www.securityratty.com/article/495d89a1106383a495fba74b3adf8fdb</link>
      <guid>http://www.securityratty.com/article/495d89a1106383a495fba74b3adf8fdb</guid>
      <description><![CDATA[One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world. Some of the most prolific contributors to the...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>One of the nice things about having started the <a href="http://networks.feedburner.com/Security-Bloggers-Network/feed" target="_blank">SBN</a> was that I have gotten to meet (mostly virtually) many security bloggers from around the world.&nbsp; Some of the most prolific contributors to the content of the SBN have been the members of the <a href="http://pipes.yahoo.com/pipes/pipe.run?_id=ViJDI2KQ3BGXtQrlnkartA&amp;_render=rss" target="_blank">Belgian Security Bloggers Network</a>.&nbsp; I received word today from one of the authors of one of the blogs, <a href="http://belsec.skynetblogs.be/post/5962674/alarm--european-parliament-wants-to-take-on-b" target="_blank">belsec</a>, that they are under assault by the EU government.&nbsp; It seems in their wisdom, the <a href="http://www.europarl.europa.eu/meetdocs/2004_2009/documents/pr/712/712320/712320en.pdf" target="_blank">European Parliament has decided</a> that in the interests of "media pluralism", all blog owners should declare their ownership, affiliations and status of weblog authors.</p> <p>The explanatory notes of the proposed regulation say this:</p> <blockquote> <p><em>In this context the report points out that the undetermined and unindicated status of authors and publishers of weblogs causes uncertainties regarding impartiality, reliability, source protection, applicability of ethical codes and the assignment of liability in the event of lawsuits.<br />It recommends clarification of the legal status of different categories of weblog authors and publishers as well as disclosure of interests and voluntary labelling of weblogs.</em></p></blockquote> <p>As the belsec author points out, disclosure of their identities would effectively silence their voices.&nbsp; There is no first amendment freedom of speech or freedom of press constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have to?&nbsp; The EU is a democratic, progressive entity.&nbsp; Forcing these bloggers to make their "status and identity" public should not be mandatory here.&nbsp; </p> <p>If you feel that this is a restriction on bloggers' rights, blog about it. It is our right to do so and we should use the medium to do so.&nbsp; If you are an EU citizen, write to your representative and demand that this proposed regulation does not go into effect!</p> <p>Do not take your right to blog lightly.&nbsp; If you don't stand up for it, it can be taken away from you.</p> <p><em>"The world is my country, all mankind are my brethren, and to do good is my religion." - </em>Thomas Paine </p></div>

]]></content:encoded>
      <pubDate>Thu, 12 Jun 2008 04:38:35 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/bloggers">bloggers</category>
      <category domain="http://www.securityratty.com/tag/weblog authors">weblog authors</category>
      <category domain="http://www.securityratty.com/tag/authors">authors</category>
      <category domain="http://www.securityratty.com/tag/legal status">legal status</category>
      <category domain="http://www.securityratty.com/tag/blog owners">blog owners</category>
      <category domain="http://www.securityratty.com/tag/status">status</category>
      <category domain="http://www.securityratty.com/tag/blog">blog</category>
      <category domain="http://www.securityratty.com/tag/bloggers rights">bloggers rights</category>
      <category domain="http://www.securityratty.com/tag/european parliament">european parliament</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/310405700/eu-bloggers-und.html">EU bloggers under assault by the European Parliament - they need your help</source>
    </item>
    <item>
      <title><![CDATA[Sometimes, It Takes a Thief to Catch a Thief]]></title>
      <link>http://www.securityratty.com/article/b0dcc475c6854e10377cec5768a9572e</link>
      <guid>http://www.securityratty.com/article/b0dcc475c6854e10377cec5768a9572e</guid>
      <description><![CDATA[]]></description>
      <content:encoded><![CDATA[
<p>Apollo Robbins won't say whether he's ever stolen anything in his life, but it's clear he could if he wanted to. Having grown up in Missouri with three half-brothers who were all involved in various criminal activities (one of them is in the witness protection program after testifying against former colleagues of his), the 34-year-old Robbins was indoctrinated at an early age into the finer aspects of pickpocketing and con games.</p> 

<p>He eventually developed those skills into a successful career as a sleight-of-hand artist and performer in Las Vegas. His latest act, though, has him starring as a corporate security consultant. In this role, it is less his dexterous hands that appeal to his clients than his mastery of all aspects of criminal cons, grifts, and social-engineering ploys.</p>

<p>"When you're trying to steal something, you find the weakest link and work that," Robbins says. "Nowadays, as technology gets better and security systems get harder to break through, the weakest link in any system is the human running it."</p>

<p>Robbins founded his consulting operation, Whizmob Inc. (the name comes from the street term for a team of pickpockets working together), two years ago while still performing full-time.</p>

<p>After doing a show a few years back in which he pickpocketed Secret Service agents accompanying former president Jimmy Carter, the resulting publicity led several law-enforcement agencies and other groups to contact him about his techniques.</p>

<p>"At first, I'd refer them to security people I knew," says Robbins. "Then I realized that instead of being a referral service, I could capitalize on this."</p>

<p>It was a good time to get in on the act. Information security consulting, which barely existed in the mid '90s, has become an estimated $10 billion to $12 billion business as the need to protect sensitive information stored on computers and servers has become a more central concern.</p>

<p>Today, Robbins counts the N.F.L., TNT, and several Fortune 500 companies among his customers. He recently advised the N.F.L. on information security protection at this year's Super Bowl in Phoenix to combat the expected flow of thieves and con artists lured by all the deep-pocketed spectators coming to town.</p> 

<p>His work included getting a major hotel to upgrade its WiFi security so that fake access programs known as Trojans couldn't extract valuable data and password information from unsuspecting guests' computers. And at the stadium where the game was held, Robbins and his team identified areas where pickpockets would most likely operate—specifically, places with lots of traffic where bumping into people would be customary, and easy access to exits for escape purposes.</p> 

<p>Besides the shadier elements of Robbins' childhood, his father, a blind minister, instilled in him a strong sense of morality. "It was like living in two worlds," Robbins says.</p> 

<p>In many ways, he still is living in two worlds, since he keeps in regular contact with some professional thieves he knows in order to stay abreast of the latest cons. (While he doesn't pay them, Robbins says that "a lot of these guys are really good at what they do but they can't exactly discuss it with a lot of people.") But increasingly, Robbins is spending time in the more staid settings of the corporations that hire him to vet their security systems.</p>

<p>"It's a good time to be in the business," he says.</p><br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Mon, 09 Jun 2008 13:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/robbins">robbins</category>
      <category domain="http://www.securityratty.com/tag/apollo robbins">apollo robbins</category>
      <category domain="http://www.securityratty.com/tag/robbins counts">robbins counts</category>
      <category domain="http://www.securityratty.com/tag/34-year-old robbins">34-year-old robbins</category>
      <category domain="http://www.securityratty.com/tag/information security protection">information security protection</category>
      <category domain="http://www.securityratty.com/tag/time">time</category>
      <category domain="http://www.securityratty.com/tag/information security">information security</category>
      <category domain="http://www.securityratty.com/tag/full-time">full-time</category>
      <category domain="http://www.securityratty.com/tag/security people">security people</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/308162762/portfolio_0609">Sometimes, It Takes a Thief to Catch a Thief</source>
    </item>
    <item>
      <title><![CDATA[Ted Kennedy: a lifetime of achievement, regrets of a world that could have been]]></title>
      <link>http://www.securityratty.com/article/46c0e216b7084846a34fe3d594d53e76</link>
      <guid>http://www.securityratty.com/article/46c0e216b7084846a34fe3d594d53e76</guid>
      <description><![CDATA[I usually stay away from politics on my blog. As I have said before, it is my blog and I can write what I want, but politics usually is just too controversial for me to write on. Upon hearing the...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><div>I usually stay away from politics on my blog. As I have said before, it is my blog and I can write what I want, but politics usually is just too controversial for me to write on. Upon hearing the <a href="http://news.yahoo.com/s/ap/20080521/ap_on_re_us/kennedy">terrible news</a> about Ted Kennedy's malignant brain tumor, I was moved to write something, then thought twice about it and thought yet again. However, Ted Kennedy and his life and times have been such an influence and part of my life, that I am compelled to write. So on this night where it appears that an African-American has won <a href="http://www.cnn.com/2008/POLITICS/02/29/delegate.counter/index.html?iref=mpstoryview">a majority of the pledged delegates</a> of the Democratic Party, while running against a woman, I think it only fitting to remember Ted Kennedy. I do not mean this as a eulogy or obituary and in fact hope against all that I have read and heard that a miracle will grant him many more years of serving in the Senate. But it seems Teddy has a tough road ahead and this is as good a time as any to speak out.<br /><br />One of my earliest memories of current events was when Ted's brother John was assassinated. I was a little boy playing catch with my Dad when my Mom came to the door and called us in because something terrible had happened. I didn't really understand, but my parents told me that the President (who I had seen with VP Johnson drive by in a motorcade months before) had been shot. I don't remember a lot more of the details, but do remember Oswald getting shot and some pictures of the funeral. The mind of a young boy is quickly filled with other things though and I moved on past that horrific November day.</div>

<div> <br />Next when I was a bit older, the crazy year of '68 was upon us. I was still fairly young, but I remember riots in the cities, pictures on the news of the war and Bobby Kennedy, the Senator from NY running for President when President Johnson said he would not run. Martin Luther King was shot and killed and so was Bobby shortly after. By now I was old enough to realize the tragedy of these killings. I remember hearing Teddy's eulogy of Bobby and thinking what a terrible thing to have happened to this family, losing two of their sons like this. <br /><br />For me it was the start of a lifelong interest in all things Kennedy. I read many books about all of the Kennedys and lamented what could have been if not for the bullets that killed first John and then Bobby. A key part of my core political beliefs was that if John Kennedy would have served out his first term and been re-elected, how different the world would have been.&nbsp; If Bobby Kennedy had been elected President instead of Nixon, what would the world look like now? There was always a sense that Teddy, the baby Kennedy brother would rise up and take the mantle and place that seemed to belong to this family. He would restore Camelot. Alas it was not to be. His time just never came. Though he ran a noble race, Chappaquiddick haunted and doomed his candidacy. After that Teddy was the patron of a family that just seemed unable to escape tragedy. One mishap after another befell this family that had been previously granted so much good fortune. It truly did seem as if they were cursed. Teddy himself had his ups and downs with drinking and divorce and the health of his children. Though he asked us to never let the dream die, the legacy of Camelot did seem to pass on.<br /><br />Through it all Ted Kennedy continued to do good work for this country in the Senate. Looking back, Teddy's legislative record has probably had more of an influence on this country than either of his brothers had. 
His name is attached to many of the greatest laws passed over the last 40 years. Teddy was also a great orator. Many say that his <a href="http://www.youtube.com/watch?v=ydHc-ExClqw">finest speech was as the keynote speaker</a> at the 1980 Democratic Convention, when he mounted his challenge to a sitting President Carter. But for me Teddy's finest moment was in delivering the eulogy for his brother Bobby. The &quot;some men ask why, Bobby dreamed of what could be and asked why not&quot; speech never ceases to move me. I include this YouTube video as a tribute to Ted Kennedy and all that he and his brothers meant to me along with my prayers for a recovery from this terrible condition.</div>

<div class="youtube-video"><embed src="http://www.youtube.com/v/FiCLi9ddqlM" width="425" height="355" type="application/x-shockwave-flash" wmode="transparent"></embed> </div></div>

]]></content:encoded>
      <pubDate>Tue, 20 May 2008 20:04:43 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/ted kennedy">ted kennedy</category>
      <category domain="http://www.securityratty.com/tag/kennedy">kennedy</category>
      <category domain="http://www.securityratty.com/tag/remember ted kennedy">remember ted kennedy</category>
      <category domain="http://www.securityratty.com/tag/ted">ted</category>
      <category domain="http://www.securityratty.com/tag/john kennedy">john kennedy</category>
      <category domain="http://www.securityratty.com/tag/bobby kennedy">bobby kennedy</category>
      <category domain="http://www.securityratty.com/tag/bobby">bobby</category>
      <category domain="http://www.securityratty.com/tag/bobby shortly">bobby shortly</category>
      <category domain="http://www.securityratty.com/tag/remember">remember</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/294782921/ted-kennedy-a-l.html">Ted Kennedy: a lifetime of achievement, regrets of a world that could have been</source>
    </item>
    <item>
      <title><![CDATA[Cloud Computing and Security For The Masses: Interview on NPR]]></title>
      <link>http://www.securityratty.com/article/d49ca0c4436e96b33089d50f7d820a36</link>
      <guid>http://www.securityratty.com/article/d49ca0c4436e96b33089d50f7d820a36</guid>
      <description><![CDATA[Cloud Computing is starting to escape the technical and business press
The proof
I was invited to talk about Cloud Computing and Security on NPR Morning Edition
NPR - National Public Radio - is a US...]]></description>
      <content:encoded><![CDATA[<p><img class="left" src="http://media.npr.org/images/logo_npr_125.gif" alt="US National Public Radio" width="125" height="42" /></p>
<p>Cloud Computing is starting to escape the technical and business press.</p>
<p>The proof?</p>
<p>I was invited to talk about Cloud Computing and Security on NPR &#8220;Morning Edition&#8221;.</p>
<p>NPR - National Public Radio - is a US based, non-commercial radio station covering news, talk and current affairs.  British readers may find it similar to BBC Radio 4.</p>
<p>Every Monday, the &#8220;Morning Edition&#8221; has a technology theme.  The Cloud Computing segment was high level and aimed primarily at a non-tech audience.  I always find it hard to answer the question &#8216;what is Cloud Computing?&#8217; as there are so many different definitions.  Regardless, it was a great chance to talk about an exciting technology and highlight the need for a real security conversation between the providers and people interested in IT security - the primary reason why I created cloudsecurity.org.</p>
<p>The show boasts a very impressive audience - around 13 million!  I&#8217;ve never before had the opportunity to confuse that many people in one shot ;-).</p>
<p>If you would like to listen (it&#8217;s short - 3.5 mins), click <a href="http://www.npr.org/templates/story/story.php?storyId=90180142">here</a>.</p>
<p>I&#8217;d like to publicly thank Nina at NPR for reaching out and extend a warm &#8216;Welcome&#8217; to any NPR listeners who have dropped by.  Feel free to leave a message below or <a href="http://cloudsecurity.org/contact/">email me</a> if you have any comments or questions.</p>
]]></content:encoded>
      <pubDate>Mon, 05 May 2008 07:52:27 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <category domain="http://www.securityratty.com/tag/npr">npr</category>
      <category domain="http://www.securityratty.com/tag/cloud">cloud</category>
      <category domain="http://www.securityratty.com/tag/real security conversation">real security conversation</category>
      <category domain="http://www.securityratty.com/tag/npr listeners">npr listeners</category>
      <category domain="http://www.securityratty.com/tag/national public radio">national public radio</category>
      <category domain="http://www.securityratty.com/tag/technology theme">technology theme</category>
      <category domain="http://www.securityratty.com/tag/technology">technology</category>
      <category domain="http://www.securityratty.com/tag/non-commercial radio station">non-commercial radio station</category>
      <source url="http://feeds.feedburner.com/~r/CloudSecurity/~3/283882968/">Cloud Computing and Security For The Masses: Interview on NPR</source>
    </item>
  </channel>
</rss>
