BIOS hacked; bury it! ..?

Over the past year (five Internet years), we have seen regular messages about the ‘hacking’ of BIOSes. Through which everything we can drum up for information security is nullified at this lowest thinkable level, by unknown, unlocked backdoors.

After a week or so, usually the news value drops and we hear very little. Mainly because this is such a deep, deep into technology issue; a showcase of a class break — it’s hardly worthwhile to think about solutions. The perpetrators, usually considered to be agencies of powers-that-be of Western, Eastern or anything in between origin, are seen to mainly fight each other, and we can only be mangled in between, can’t we? The one taints the BIOS on the chips that the other installs, the other does the same the other way around. And, how long ago isn’t it that you yourself were babbling in the BIOS with some assembler or even lower-level code ..?

However, and this is similar to laws against crypto (as e.g., here), those with bad intent may use the backdoors just as the good guys (the above, that work their a’s off for your privacy, right?) might. And don’t we all want to remain at least a little in control ..?

Hence the question: What would be roadblocks against a solution of ‘isolation’ of a possibly tainted BIOS ..? I’m thinking here of some form of inverse, upside-down sandbox. That isolates and screens all messaging from and to the BIOS and filters all malicious, unauthorized stuff out.

This calls for clear and complete rules about what is generally good and normal, and what is naughty. We may solve that with checksums, hashes of extensive lists of functionality we would allow. But who calculates these checksums, and how reliable is the baseline when already off-the-dock OEM stuff may contain malware in the BIOSes; who can you trust ..? And all that whitelisting: Isn’t there a huge context dependency regarding superficially trustable but in effect malicious messages? With a sandbox we put the problem at a somewhat higher, more insightful level. Be it also somewhat ‘higher’ in the architecture, which raises the question whether the sandbox is sufficient and isolates completely, all around. And the sandbox has to run on … the chip with (support of the) BIOS…
This creates an arms race where the bad guys (unsafe-BIOS-wanters) will try to make the BIOS circumvent or dig through the sandbox, and where the good guys will have to build repairs, patches and new versions to plug ever new leaks. Looks almost like the information security we all know already.
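As an added illustration of the checksum-and-whitelist idea and the baseline question above (example code, not the author’s; the region names and image contents are constructed stand-ins, not a real BIOS layout): measure a firmware image region by region, fold the measurements into one chain value the way a measured-boot register would, and compare against a baseline. The same tainted image passes cleanly when the baseline was computed from that tainted build itself, which is the ‘who calculates these checksums’ problem in code.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a firmware image split into regions; not a real BIOS layout.
CLEAN_IMAGE: Dict[str, bytes] = {
    "boot_block": b"constructed boot block v1",
    "main_bios": b"constructed main firmware v1",
    "setup_vars": b"constructed setup variables",
}
# The same image with one region altered (constructed; stands in for a tainted OEM build).
TAINTED_IMAGE: Dict[str, bytes] = dict(CLEAN_IMAGE, main_bios=b"constructed main firmware v1 + implant")


def measure(data: bytes) -> bytes:
    """Measurement of one region: its SHA-256 digest."""
    return hashlib.sha256(data).digest()


def extend_chain(image: Dict[str, bytes]) -> bytes:
    """Fold per-region measurements into one value, PCR-extend style, in a fixed region order."""
    acc = bytes(32)
    for name in sorted(image):
        acc = hashlib.sha256(acc + measure(image[name])).digest()
    return acc


def make_baseline(image: Dict[str, bytes]) -> Tuple[bytes, Dict[str, bytes]]:
    """Whoever runs this defines 'normal': the baseline is only as trustworthy as its source."""
    return extend_chain(image), {name: measure(data) for name, data in image.items()}


def verify(image: Dict[str, bytes], baseline: Tuple[bytes, Dict[str, bytes]]) -> Tuple[bool, List[str]]:
    """Compare an image against a baseline; return (ok, regions that differ, are new, or are missing)."""
    golden_chain, golden_regions = baseline
    drift = sorted(name for name in image if measure(image[name]) != golden_regions.get(name))
    drift += sorted(name for name in golden_regions if name not in image)
    return extend_chain(image) == golden_chain and not drift, drift


if __name__ == "__main__":
    independent = make_baseline(CLEAN_IMAGE)      # baseline computed by an independent party
    oem_supplied = make_baseline(TAINTED_IMAGE)   # baseline computed from the tainted build itself
    print("tainted vs independent:", verify(TAINTED_IMAGE, independent))    # (False, ['main_bios'])
    print("tainted vs OEM-supplied:", verify(TAINTED_IMAGE, oem_supplied))  # (True, [])
```

The chain value alone says only that something differs; the per-region list says where, and a missing or added region is reported too.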

And here, too, the question is: Who can we trust? The sandbox should be made and maintained by utterly independent experts. Do we know these Lone Wolves well enough, how do we establish the sufficiency of their technical expertise, what are their interests, aren’t they secretly (and I’m thinking double secrets here, too) bribed or coerced to let that one agency in despite it all? And, how do we know the patches we receive, would be reliable? If we can’t trust the most mundane of apps or -store, how can we be sure to not download an infected sandbox?

In short, the simple question of feasibility of a sandbox over the BIOS to keep things safe, ushers in a surge wave of new questions — but those are all questions we already have on other, ‘higher’ levels of security: Are the patches of the applications we have, reliable? What about the antimalware-software we deploy (yeah, bring in the ‘haha’)? The employees and contractors of our Managed Security Provider (we chose, NB, as lowest-cost supplier)?

But also for this reason, my question is: What am I missing; are there principled, logical fallacies here, or is it a matter of (tons of) effort that we put in, or should be prepared to put in?

Dazzles one. Hence, for relaxation:
[Photo: For the people living here, rather Mehhh of course]

Trivial TLA Things-Tip

If you Thought This Time Things would be easier, as the universality of plug-‘n-play has spread beyond even the wildest early dreams into the realms of the unthought-of non-thinkingness, think again. Drop the again. Think. That was IBM’s motto, and they created Watson. No surprises there.
However… It may come as a surprise to some that now, an actual TLA has some actual tips, to keep you safe(r). As in this. Who would have thought… On second thought, this agency of note might have no need for the disabled access themselves anymore, as they’ve provided themselves with sufficient other access (methods) by now and just want to keep the (foreign) others from their easy access ..?

Oh well, never can do well, right? And this:
[Photo: Another one from the cathedral of dry feet — only after, making sticking fingers in dykes worthwhile; at Lynden, Haarlemmermeer]

Complexity beaten by [The mechanics of Joe Average]

Yes it’s time to remind you again. And again. That the mechanics of the mindset of Joe Average (notice how that’s a he not she …?) will beat even the best laid-out strategic plans, Von Moltke-style. As can be read in this here piece; instructive both on the surface and in the sub-surface semantics, meaning. I.e., that JA is even ‘smarter’ than you thought when it comes to achieving JA’s actual objectives of GetOffMyBackWithYourStupidTargets. Through which it all reminds us, being you too, to build security around actually desired functionality — as desired by end users to get their in-tray empty. Nothing more, certainly not your lofty functionality goals, that’s just burdensome nuisance. If you hinder the former and leave space for abuse in the latter, you’ll be doomed doubly. All the pain, no gain.
Be reminded, too, that your efforts down the blind alley will result in complexity that JA will beat, but maybe, all too often, you don’t. Meaning even that, is for nothing and will leave you out to dry.

Hm, as a pointer, this point needs much more elaborate thought, in your heads; it is depleted for write-up here. Go and do well.

[Photo: In the Cathedral of Pump; Lynden, Haarlemmermeer]

Let’s celebrate (with) a contest for the dumbest security

On this celebration day (for me/us), let’s instate an annual contest — over the most precise prediction of the dumbest information security breach of the upcoming year.
So, the following:

  • Your prediction, storified (½ – 1 page, at most slightly formatted);
  • Realistic, i.e., a combination of dumb and dumber, and stupid and worse, of (non)actions and responses, on the attack and ‘defense’ sides. Realistic, but keep it realistic…;
  • Hence, do include lots of cyberhere, cyberthere, cybereverywhere and only a little bit of #ditchcyber …;
  • Deadline: 1 January 2016;
  • The predictive element means that no sign of the thing actually occurring yet may be found in the (whatever medium) press already;
  • Prize… ah, there you go. I’ll try to figure out a way to ship a bottle of the finest champagne to the winner;
  • No discussions about my judgement.

Well, off for now. Have fun:
[Photo: Shaky ground (huh, just photographer’s lack of proper alignment due to hurry); somewhat relevant, in the opposite (of today)]

Cyber ‘Nam

OK… As you know I wouldn’t be the war monger re ‘cyber’ warfare. And don’t have the answers — neither do you! — but have searched and asked for them; see past posts (numerous).
This one is more about how the campaigns and battles are fought. Full cyberstatefulfirewallcomplexmonitoringNOCSOC jacket style, out there in the field. (Privacy) protesters at home, safely away from the danger. Some top brass (‘generals die in bed’) ordering your data forward, hardly trained/hardened or crypto protected, and blaming shoddy execution and wily counterparts. The traumatised demobilised db admin not wanting to shoot down even a deer-like referential integrity violation. Et cetera. Feel free to add to the comparison. E.g., how things will develop. Or, how things would have to work out if, huge if, for once history is learnt from.

Oh well. @CyberTaters and @cyberXpert will have their way. And #ditchcyber. And this:
[Photo: Will be.]

A sobering thought

Actually, not one but a great many sobering thoughts, in this great piece: What They Don’t Teach You in “Thinking Like the Enemy” Class. In a high-quality series.

To which one might add … not too much. Maybe the 100%-is-infeasible line, and Schneier’s Return of the Security (is..?) Theatre trope. Oh, and the one that has still taken far too little root; the deperimetrisation-means-you-need-to-focus-on-information-not-the-fortress aspect that has been around for a decade already but still has hardly been implemented properly.

Or, we redesign the world. Somehow, we need to get into the mindsets of the global populace – that so far hasn’t been standardised to any degree; happily! for cultural diversity hence overall societal flexibility, development and progress … – to accept that after human development was pushed by physical wars for all of its existence so far, we have arrived at a new round of warfare innovation. After the man-to-man (sic) manual combat, and the ethically despicable practice of not even looking the Other in the eye individually that gunpowder brought on – glossing over the trebuchet-and-others long-distance hurling and archers’ reach –, we are now engaging not only in drone-led warfare (distance being even greater), but also in this: humans not being the soldiers anymore; that part being taken over by the robot. By which I don’t mean humanoid robots – why even bother – nor masses of stand-alone AI. But rather, unembodied A(S)I that operates on any platforms together, creating resilience not by numbers of clones but by moving swiftly over servers by having been virtualised at various levels of conceptuality, as they are compounded-meme complexes battling each other evolutionarily. And still aiming at humans.

…? Well, what’s the purpose, otherwise ..!?

Which is far off from where this post started. And foregoing the intermediary step I wanted to write up; where ideas cleverly capture (numb, dumb?) people and ‘ideologies’ fight each other for global dominance. With all sorts of ‘neat’ (quod non) tricks. But [w|h]ell… and this:
[Photo: All humans removed from picture. Naturally]

Short post: Offense on the Defense

Apart from love, here too all is fair. Hence, the offense may be pushed into defense every once in a while. Yes, think that one through.
Or, that is misinterpreting it. Offense and defense do a danse macabre while the content fights out at higher abstraction levels. Think that one through ..!

[Edited to add: this link, and this one. Others apply as well.]

OK, ’nuff for now, and this:
[Photo: Not even unique, as a NY wedgie; only just (…) the prettiest]

Preventing detection

At last, there’s a resurgence of non-preventative infosec (#ditchcyber) efforts. As, e.g., here (in Duts though the orig would be Engrish ..?) and here (a decent one, almost making the right point; co-typical ..? and on second reading, a bit empty of actual actionable advice). Hinting at leaving the Prevention Imperative and refocusing on Resilience.
Because ‘deperimetrisation’ may have clouded the longer-term, more strategic failure of locking oneself in and shooing away the so grossly underestimated enemies by one’s own utterly ridiculous overestimation of … authority, power, capabilities and competences, considered-self-evident importance (quod non…). The dumb not realising how dumb they actually are…

We’ve said this before, over and over again. And we’ll say it again. Because the Laggards (hey remember yesterday’s post?) still haven’t got it, deeply enough into their veins.

But, we have a start of that at last. Why only now? Because even the most conservative (sic) can no longer hold the fort (sic) of box-shipping at all levels? Anyway:
[Photo: Rebound into the heavens!]

Maverisk / Étoiles du Nord