Tuesday, June 23, 2015

Media frenzy stupidity: 1,400 passengers grounded

Here we go again, the media has jumped into the chasm of despair.  Slow news week.

Reporting that 1,400 passengers have been grounded is after all breaking news.

Reporting on how BIG this risk is.

First off, stopping planes from taking off is hardly a life-threatening risk.

Secondly, 20 planes couldn't take off; once again, not a big deal.  And, of interest in this case, there are at least three other ways to file your flight plan.

What is a big deal, is the lack of security found at most airlines.

As a pilot, I'm in the right seat to explain how "flight planning" works and the risks associated with it.

I will take the US as an example.

A pilot must file a flight plan before taking off.  Once airborne, this flight plan must be activated and this is often done by the control tower.

In general aviation, a lot of pilots will use an application on their iPad to prepare their flight plan and file & activate it.

Take a look at this screen shot for a general idea of what it looks like


Once filed, this data is packaged and sent to Lockheed Martin, which holds the contract to handle flight planning in the US.  You can also call them and file by voice, or fax them.  Or you could walk your flight plan to the tower and hand it to a controller (busy airports will not be too pleased with that).


This is what the paper version looks like:

So if someone hacked into my CLOUD-based flight planning service and my trusty iPad could not work, I would have alternate means to react.

In this case, based on the declaration made by the airline in question, their private system for filing flight plans was affected, and unable to send planning information upstream.

If they had had a plan B (which most airlines do not), or better security, this would not have been an issue.

Since aviation is a complex ecosystem, news agencies will once again get their panties in a bunch and get overly excited about hackers impacting the aviation world.

I'm not saying that better security is not required (it is), I'm saying that we should invest in the right areas first since no one has won the lottery and has unlimited security dollars.

The state of security in most organizations is so poor that we shouldn't have to use FUD media outbreaks to advance, yet experience seems to indicate that this remains the only way to move things along.

Monday, June 22, 2015

6 Managers charged with murder

Two Canadian Mining Companies charged with Criminal Negligence

This is nonsense.  The news report talks about fines?  If it is CRIMINAL, isn't someone ACCOUNTABLE?

You cannot throw an incorporated entity in jail for doing something criminal.

Shouldn't this headline be, "6 Managers from 2 Canadian Mining Companies charged with involuntary manslaughter"?

Like the families of the hard-working individuals who perished in these events, reported to us as criminally negligent, we await the rest of the story and the outcome that our system will have for the ones at fault.

Will it be the ones who took these negligent decisions or the shareholders who pay the price?

One thing is certain, someone has already paid the ultimate price.

Canadian International Company gets fraudulently PCI certified

The PCI-DSS standard started off as a great idea.

A while back I crossed paths at a conference with one of the original creators of the PCI standard, and his comments about his child, now a teenager, haunt me to this day.

Short version: devastation at what this great idea has become, a cash cow for auditing firms with results that are far from ideal.

Here is a concrete example: a large Canadian and international firm hires a PCI attestation partner.  The company is Canadian-based, yet its attestation partner is far, far away.

Why is that?

Far from the heart, far from the mind.

Intrusion testing is an important part of the PCI standard, yet every honest security specialist will tell you that the results are far from perfect.  Since no detailed guidelines exist as part of PCI, any chimpanzee can perform anything, call it an intrusion test, and voila, compliance.

So this Canadian company needs to get some application testing done, and its TRUE compliance, when you take everything into account, is a failure.

So how do they ensure they PASS their PCI audit?  A 3-step process.  Simple, really.

1) You hire a firm (surprisingly, one that does not even have penetration testers on staff), which subcontracts the job to really qualified individuals.  This gives you great references to fall back on and distances you from any liability.

2) You provide only limited information about what is being tested, and you control the scope to limit the visibility of what is being tested.

3) You get a report that you have performed a penetration test, and passed it, and submit that to your attestation partner, who in turn does not have the responsibility to understand your ecosystem and pass judgement on the validity of the results.

Bang, attested!

Is that not awesome!

The fact that the individuals testing the application had no clue what they were testing, and had crippling information (as in none), is not taken into account.  The fact that the individuals who did the testing are not proud of it is not taken into account either.

How often does this happen?  Way more often than you think!

So as a society, how do we fix this?  Accountability.  Today, accountability simply is not part of the game.  When a manager gets caught with his/her hand in the cookie jar, they often get a promotion.  Why a promotion?  Simple: the person who hired them rarely has the courage to pull the plug, since it would make them look like they hired the wrong person.

The US government has shown us this at an unthinkable level: bailing out billion-dollar companies with taxpayer funds, and having the managers take the money and basically run with it.  When companies are caught doing something nasty, they get fines.  Who pays the fines?  The shareholders.  I still find it hard to grasp that heads don't roll and that the ones paying the penalties and absorbing the impact are so infrequently the ones who caused it.  In fact, it is even more insulting when you realize the salaries that these folks are getting.

The word for today is Accountability.  

If we encourage and reward bad behaviour, which is what enterprises are doing today, we are certain to keep going through scandals and abuses.

Everyone knows that bad press only lasts a few weeks, so take the money and run.

Sorry, I'm a little more medieval.  I would tune into a channel that broadcasts the penalties being handed out, or the heads being chopped off if you will.

Being good in business has become being good at bending the truth (what normal people call lying).

Am I the only one who longs for the days when delivering a quality service or product was the main objective?  I know Zig Ziglar thought that helping others was the way to success; turns out a lot of people want to cut out the middle man and just help themselves.

So, to any CEO or board member happy to have heard that your enterprise is now PCI compliant I tell you this:

You have been lied to.  How does it feel to know the truth?  Do you feel "accountable"?

I can already hear some crybabies whining that I can't be saying that no one is truly PCI compliant.  To that I say: MAY I AUDIT YOU?  And if you FAIL, to any degree, ANY of the PCI requirements, can you agree to give me your car, your house, and your bank account?

I think not, right...

I asked that question, "who here is truly PCI compliant?", at a respectable and large Bankers Association meeting.  No one raised a hand.

Case closed, you're all just playing along.




When sports teams hack each other

Perhaps a movie is in the making.

If sports teams are hacking each other for competitive information, I wonder if that happens in other businesses..... <smile on my face>.

St-Louis Cardinals under investigation by FBI


To think that these things do not happen is like being naive enough to think that powerful government entities do not use their powerful positions to maintain said position.


A few decades ago, before the popularity of the Internet took hold, I was intimately involved with various covert activities.  When I left that world, I started giving seminars on corporate espionage.  After one of my seminars, I was approached by a man who wanted to team up with me to spy on his competitor, who happened to have a bigger Yellow Pages phone book advertisement (a full-page ad!); tapping into his business phone line would give us plenty of leads!  Heck, if we tapped into his fax, we would see what he is quoting too!  It would be a dream come true... for him.  What kind of company was it?  A pavement repair company.

I walked away... a little irked that someone would come to ask me that right after I had given a talk on defending against it.

It happens at all levels.

Fast forward 25 years, and you no longer need to physically tap onto a phone line and risk getting caught.  Sure, it is effective, just not the way to do it.  Employees come and go with user accounts and access to vast amounts of information.  In fact, if you ask most employees to make a list of all the good stuff they have access to, you would be surprised; we are very permissive.  Since an employee who has decided to leave our wonderful firm knows ahead of time that their access will be cut, good security practices would dictate that it is important to have adequate access logging activated on our systems.  When someone announces their departure, looking through the last month of activity could be very interesting and conclusive.  Something that most companies simply do not do, since they have no such details.  Remember, I said adequate logging, not academic logging.

When I assist in crisis management, the biggest hurdle is the lack of evidence, as in, poor system activity logs or completely absent activity logs on key systems.

I guess the message here is, don't be too much of a good sport.  Don't make it too easy for your information to leave the building.

1) Ensure you're keeping activity logs for the important stuff
2) Know where your important stuff is (see #1)
3) Have someone review activity logs when certain triggers take place

So as a manager, wondering if your well-oiled machine is doing what it is supposed to be doing, how would you validate this?  Simple!

Ask:
   a) Show me the inventory of our information assets and their classification
   b) Show me the last ten people who accessed XYZ information (taken from (a))

If you get a blank <deer in headlights> response, you have something to optimize. ;-)
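As an added example (not from the original post), here is what points 1 to 3 and questions (a) and (b) look like in working code, run over a constructed access log and a constructed asset inventory. The log line format, the asset names and the user names are assumptions made for the example, not any product's real format.

```python
from collections import Counter
from datetime import datetime, timedelta

# (a) Inventory of information assets and their classification.
# Constructed for this example; a real one comes from your classification effort.
INVENTORY = {
    "crm/customer-list": "confidential",
    "sales/quotes-2015": "confidential",
    "hr/holiday-schedule": "internal",
    "www/press-releases": "public",
}

# Constructed access log. The line format "<ISO timestamp> <user> <action> <asset>"
# is an assumption for the example, not any product's real format.
LOG = """\
2015-05-20T09:12:03 alice read crm/customer-list
2015-05-21T10:02:44 bob read hr/holiday-schedule
2015-05-28T16:40:11 alice read sales/quotes-2015
2015-06-01T08:55:09 carol read www/press-releases
2015-06-09T12:00:00 alice read eng/source-tree
2015-06-10T17:58:27 alice export crm/customer-list
2015-06-10T18:03:41 alice export sales/quotes-2015
2015-06-11T07:30:00 dave read crm/customer-list
2015-06-12T09:00:00 alice read hr/holiday-schedule
"""


def parse_log(text):
    """Parse log lines into dicts, skipping blank or malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, asset = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "asset": asset})
    return events


def last_accessors(events, asset, n=10):
    """Question (b): the last n distinct users who touched an asset, newest first."""
    seen = []
    for ev in sorted(events, key=lambda e: e["ts"], reverse=True):
        if ev["asset"] == asset and ev["user"] not in seen:
            seen.append(ev["user"])
            if len(seen) == n:
                break
    return seen


def departure_review(events, user, announced_iso, window_days=30):
    """Trigger #3: what did a departing user touch in the window before announcing?

    Returns the event count, per-asset counts for confidential assets, every export,
    and any asset that is missing from the inventory (a gap in item (a)).
    """
    announced = datetime.fromisoformat(announced_iso)
    start = announced - timedelta(days=window_days)
    window = [e for e in events
              if e["user"] == user and start <= e["ts"] <= announced]
    by_asset = Counter(e["asset"] for e in window)
    sensitive = {a: c for a, c in by_asset.items()
                 if INVENTORY.get(a) == "confidential"}
    exports = [(e["ts"].isoformat(), e["asset"])
               for e in window if e["action"] == "export"]
    unclassified = sorted({e["asset"] for e in window if e["asset"] not in INVENTORY})
    return {"events": len(window), "sensitive": sensitive,
            "exports": exports, "unclassified": unclassified}


if __name__ == "__main__":
    events = parse_log(LOG)
    print("last accessors of crm/customer-list:",
          last_accessors(events, "crm/customer-list"))
    print("review of alice before 2015-06-12T12:00:00:",
          departure_review(events, "alice", "2015-06-12T12:00:00"))
```

Run it and the departure review for alice shows two exports of confidential assets in the days before her announcement; any asset the review finds that is missing from the inventory is reported as unclassified, which is exactly the gap question (a) is meant to expose.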




Friday, June 19, 2015

The PARTY is over in Quebec Public Sector IT

Breaking news, it seems: the IT party is over, according to local papers.

The same paper that had asked CGI's founder (Serge Godin) his opinion on the state of abuse in the IT world, to which he responded it was his opinion that nothing was wrong.

Well, it was my opinion at that time that ethics would dictate that he not give an opinion since his business was built on..... IT projects...... large IT projects.......  many for the government.

It was also my opinion that the newspaper should never have entertained the idea that his opinion had any value.

Oh look, CGI is being investigated for a $30M contract.

I have a lot of friends at CGI, competent ones, and I apologize for any negative press I may cause.

On the other hand, I really despise hypocrisy from senior managers who abuse EVERY possible option and take HONEST taxpayers' money to build their empire.

Take the TAX CREDIT for simply building a building and MOVING employees into that building.

That is criminal.  Why are my taxes used to promote a building or a sector when NO NEW JOBS are created.

Nonsense, I tell you.




Thursday, June 18, 2015

We are all ok - Cyberattack on the Canadian Government

I love the way things get reported and how elected officials react.

A cyberattack, that sounds nasty.  

I think we are going to need a new catch phrase, because things are indeed going to get worse before they get better, and what happened to the Canadian government's systems was actually more a form of digital harassment.

Like getting all your friends to call someone's cell phone number non-stop.

Unless of course this NOISE was used to hide a real attack.

I love how fast our elected officials came forward and said NOTHING HAS BEEN BREACHED, we are just bleeding from the nose and no one can access our very popular web pages.

Those in the security industry know that they have no way of knowing if something was breached that quickly, if ever.

The fact is, performing a distributed denial of service attack can be orchestrated by a child with a few bitcoins or dad's stolen credit card.  It can also be a more worthy adversary who is trying to cover up his tracks while he empties the main vault.

The thing with stealing information as opposed to stealing a car... is that the information is still there. 

The thing with most breaches is that the victims often never realize it.

I feel that everything is fine, after all, that is what I was told ;-)




Monday, June 8, 2015

Really...."Feds can charge you with obstruction of justice for clearing your browser history"

Sometimes I just love headlines.  My friends know I really like certain compound words for their individual parts.

Full article here

At face value, from this headline, I would think I can go to jail for clearing my browser cache, something I recommend you do on your personal computer, automatically every time you close your browser.

So what the heck is this news?  When reading any headline, one must remember the sweet wisdom of Penn & Teller.

First off, no one is going to jail for clearing their browser history.  You may be going to jail for something else, with a longer sentence added for destruction of evidence.  Huge difference.

Let's first understand the context.

FACT:  Stupid people do stupid things
FACT:  People who control money, often abuse this power
FACT:  People with power and control who abuse of it, often cover their tracks
FACT:  I look better after a few drinks

So if you are hired and paid to drop off a busload of kittens and you "accidentally" kill one, and your next action is to mop up the floor and cover it up, you're guilty of TWO things: kitten murder and destruction of evidence.

Why would it be fundamentally different when you work for a large, powerful organization that handles millions if not billions of dollars ?

Most trading companies will not allow you to bring your cellphone onto the trading floor, and taking a picture will get you escorted out and fired.  It's policy.

Perhaps I'm old school and feel that when you're at work, you are there to work, not do personal stuff.  And I feel that a company policy in certain cases imposes that the tools made available be made so under terms that indicate that they are to be used for WORK, and sometimes work only, and not to expect privacy.  These same policies should indicate that because of your high-risk job tasks, you're simply not allowed to delete your browser history.  I'm actually ok with that.  I use my smart phone to do all my stupid things anyways.

So basically, if what we have is someone who was found guilty of fraud and half a dozen other offences also being accused of covering it up, I'm also ok with that.

However, instead of making new laws for stupid things like this, I also strongly believe that we should have clear laws to protect whistleblowers.  I would go one step further: I would impose that ANY publicly traded corporation MUST have a TRULY anonymous AND documented way to voice concern directly to the board of directors.  This means that a registry of observations with regards to security, or the lack thereof, would exist, publicly available for consultation.

Today, board of directors have one priority, set forth by the current legal framework:  Maximize immediate shareholder value.  This means we are forcing our corporation to take really bad decisions.  This is what really needs to change.

As for the situation with Mr. Matanov, do we really feel like our freedoms are being directly attacked here?  Do we feel that we know ALL the facts?  I highly doubt it.  Both the people who agree with me and the ones who don't have one thing in common: a precious lack of details.  Details that could help us be allowed to have an opinion.  The facts seem to indicate that Mr. Matanov lied several times to the police.  Perhaps the only accusation being brought against him is the only thing they could prove.  No one could or will ever know.

If you're losing sleep and feel that you're under attack by this law, an entire pharmaceutical industry awaits.  What is indeed surprising is that Sarbanes-Oxley, a law designed to thwart abuses in the financial sector, is being used outside of this realm for numerous other crimes.  In fact, I would bet good money it is MOSTLY used outside of the financial sector.  I have yet to see a respectable quantity of CEOs/CFOs/CIOs walking the plank.

If you want a good laugh, read the first paragraph of this judgement involving FISH and the destruction of evidence (Yates v. United States).

So how does one protect themselves from this sort of legally abusive perversion?  You configure your browser to automatically clear your history.  The law stipulates that INTENT must be part of the equation (SOX Section 802).  So your intent is to ALWAYS protect your privacy, not to destroy some investigator's precious evidence under a specific situation.

Let's face it, the Feds can charge you for using your office shredder, or emptying your car's ashtray, if evidence might have been involved.

So for my personal computer and its browser history, damned right I automatically delete my browser history, in fact before this law, the Bro-Code clearly stipulated clearing out my friends browser history in the event they drop dead.  Let's face it, most couldn't handle my browser history anyways, weaklings......

UPDATE:  My friend Denis Canuel pointed out that some browsers have a privacy mode.  Google Chrome has Incognito mode which simply does not keep a history of what you visit.  No need to purge what is not there!




Wednesday, June 3, 2015

FBI DEMANDS MANDATED BACKDOORS IN ENCRYPTION

Some mornings, I'm more sensitive than others.

This morning, a friend sends me an article about a significant debate on encryption, in which the FBI wants to impose that encryption have backdoors.  I had gone to bed after a Skype discussion with the same friend about the United States wanting to weaponize computer exploits and impose that exploitable vulnerabilities be classified as Export Controlled or even ITAR (International Traffic in Arms Regulations).

I understand that National Security is indeed a complex area of operation.

However, I grow tired of clueless and short-sighted managers and senior politicians who wish to impose ridiculous regulations.

If domestic encryption MUST have backdoors, this means that encryption developed in other countries would be better; therefore other countries would be more secure.

If we outlaw the sharing of found exploitable vulnerabilities, doesn't this mean that we will remain vulnerable through ignorance while other countries openly share this information and fix their issues?

If you outlaw something that is vital to the constant optimization of our consistently ailing IT infrastructure, then only outlaws will have exploits and be able to breach our corporate  and personal systems.

The FBI and NSA desperately need some new blood, and some serious congressional oversight that is not dictated by a powerful minority, but by "we the people".




Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...