I am not me. Myself: nope, neither.

Now that infosec has come to lean so much on the People side of things – as in theory all things Tech have been solved, for decades already, just not implemented to any degree of seriousness..! and ‘process’ having been exposed as utter nonsense ‘management’ babble – it is strange to see that psychology hasn’t come to the fore much, much more. Even when pundits and others, and minions like Yours Truly even, have posted over and over again that no tech system, however perfect, can stand the assault of, e.g., casual negligence and inattentive error, let alone gullibility and other vices.

E.g., in the area of IAM. Where I, the construct, the behind-the-persona ego I recognise as such, is constantly changing. In my case, developing fast, forward, up. In your case… well, let’s be nice to one another so I’ll remain silent.
And all sorts of avatars are developing as substitutes for you and me within systems. See, with AI mushrooming lately, avatar ‘development’ may quite easily, soon, surpass ‘you’ in being ..?

Back to the story line: It’s just not userIDs anymore; context-aware and -inclusive, capability- and rights-attached constructs they are, and integrating with the Avatar Movement (Rise of the Machines, yes) to morph into actual beings that might soon pass Turing for comparability to/with humanoid identities. We’ll be on equal footing, then, or soon after, bland dumbed-down versions of personas/egos.

But How Is This Relevant … Ah, the clue of today’s post: Because social engineering, phishing etc. play on the weaknesses of humans to be able to impersonate. So, either stop the weaknesses (as vulnerabilities; eternally impossible) logical-OR stop the impersonation (the assumption of avatars/personas by attackers; taking down their masks). The latter, by at least being aware that the avatar, the persona, isn’t the actual person. How to get that into systems, and at the same time recognising ‘actual’ avatars/personas i.e., the link between those and the right real persons behind the masks even when considering through human weakness the persona has been ‘compromised’ …? That will solve so many infosec troubles…
But heyhey, I don’t have a clue like you do. Or do you ..? Very much would like to hear ..!

[Edited to add before publishing: Hold Press; include this on behavioural stuff]

DSCN2608
[“Riga”..? Aptly French?]

Nice note

Just a long-form quote this time, by Norm Laudermilch:

In addition, we should stop using the term “advanced threat” to describe the threats we see every day. It’s too common to hear a recently breached company point to a “very sophisticated cyber attack perpetrated by a nation-state”, which makes it sound like this was something undetectable and impossible to stop. Gartner analyst Neil MacDonald calls this the “dog ate my homework” excuse. More likely we find that it was just another piece of malware cranked out by one of the latest exploit toolkits, delivered via spear-phishing or targeted malvertising, perpetrated not by highly advanced nation-state adversaries but by comparatively low-tech cyber crime gangs. Even if a nation-state attacker crafts an extraordinarily unique and complex malware payload, they’re probably using the common delivery vectors mentioned above. Why? Because these attacks work every time.

Emphasis mine and I second. Until quantumcrypto is cracked, each, any and all cracks are of sophistication Zero. Or One, at most. Combining the most basic of ‘attacks’ i.e. exploits of negligence. Read the full article, and agree. Oh, and [self-plug] there could be side benefits in sloppiness, like this – IF deployed properly. And have your press release at hand, like this one.

So, …
DSC_1024
[Surpreme court; would you want your ball there?]

Trigger seeding

In defense of sloppy account management …
Sort of. Rather, deliberately sloppy account management.

Reading through this in particular, and that, I wondered: Would there not be a nice part of a solution in seeding your user accounts database(s) with fake accounts, to act as tripwires ..? They could be given no access to anything, or access only to honeypot-like info / environments. And then trigger the alarm when accessed – by intruders, or by own security staff or auditors when doing surveillance of controls functioning.
Somehow also, I have a gut feeling there are some hidden secondary effects in this. Any of you who has given this some more thought already, and has info on this ..? Much appreciated.
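To make the tripwire idea concrete, here is an added example (not the author’s code, and not tied to any particular product) of the detection half: a small Python scanner that reads sshd-style authentication log lines and alerts whenever one of the seeded canary accounts is named in a logon attempt. The canary names, the audit-scanner address and the log lines are all constructed for the example; the log format is an assumption.

```python
"""Canary ('tripwire') accounts: seed the user database with accounts nobody
legitimate should ever use, then alert on any authentication event naming one.

Added example; canary names, audit source and log lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed: accounts seeded into the directory with no group memberships and
# no access to anything. Their only purpose is to be noticed when touched.
CANARY_ACCOUNTS = frozenset({"svc_backup_legacy", "j.vanderberg", "sqladmin_old"})

# Constructed: address of our own audit scanner, which is expected to trip the
# canaries when it verifies that the control actually fires.
AUDIT_SOURCES = frozenset({"10.0.0.44"})

# Constructed sample log lines in an sshd-like format (assumed layout).
SAMPLE_LOG = """\
2024-05-01T08:01:12Z host1 sshd: Accepted password for alice from 10.0.0.5 port 51022
2024-05-01T08:03:45Z host1 sshd: Failed password for bob from 10.0.0.7 port 51230
2024-05-01T08:05:02Z host2 sshd: Failed password for svc_backup_legacy from 203.0.113.9 port 40011
2024-05-01T08:05:03Z host2 sshd: Failed password for sqladmin_old from 203.0.113.9 port 40012
2024-05-01T09:12:30Z host1 sshd: Accepted publickey for carol from 10.0.0.8 port 52100
2024-05-01T11:40:00Z host3 sshd: Accepted password for j.vanderberg from 10.0.0.44 port 33000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str
    severity: str


def severity_for(result: str, src: str, audit_sources: frozenset) -> str:
    """Any touch of a canary is an alert; a successful logon means the
    canary's credential is in use somewhere and is the gravest case.
    Hits from the audit scanner are the control being tested, not an intrusion."""
    if src in audit_sources:
        return "audit"
    return "critical" if result == "Accepted" else "high"


def scan_auth_log(text: str, canaries: frozenset = CANARY_ACCOUNTS,
                  audit_sources: frozenset = AUDIT_SOURCES) -> list:
    """Return one Alert per log line that names a canary account.
    Lines that do not parse, or name real users, are ignored."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in canaries:
            continue
        alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], m["result"],
                            severity_for(m["result"], m["src"], audit_sources)))
    return alerts


def summarize_by_source(alerts: list) -> dict:
    """Count canary hits per source address, to spot one host sweeping several."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity.upper()}] {a.ts} {a.host}: canary '{a.user}' "
              f"touched from {a.src} ({a.result})")
    print("hits per source:", summarize_by_source(found))
```

Two design points follow directly from the post: the canaries carry no rights, so a ‘failed’ hit is already meaningful (nothing legitimate should try them at all), and hits from the designated audit source are tagged separately so that the surveillance of the control itself does not read as an intrusion.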

For now, this:
DSCN1106
[This makes me look fat. La Défense again.]

Summarily: yolosec

Yes that’s the summary title at once describing the sum total result of all your humongous efforts to ‘secure’ … whatever scope, in infosecland. HT to @thegrugq
To which we may add the find of yeauleau for francophones. Of course.

That’s it for today. With:
DSCN8135
[Fashionable Without A Cause, too; (i.e.) Milan. Look to the left (shop) and shiver…]

Pro-nun-ciation

OK.
We already had the CGEIT title certification. Which is pronounced in Dutch as ‘See goat’.
Now let’s add CSX. Pronounced by all as ‘See sex’.

Oh jolly! One is ignorant, XOR one is prepubescent.
Either way, #fail – big time. Let alone for content. This, if you’re still a believer.

You still deserve?
DSCN6161
[To be in your stroller; Nancy city park]

P( Danger(You) > 0.5 ) ⇒ Shutdown( You )

For the Fellow Travelers among you, that still believe that AI (AGI or ASI) will bring us joy and an Arcadian, peaceful, creative, work-free life forever after, please do consider this here piece. And see that we’re only at the beginning.
[Oh for AGI/ASI reference, see here.]

Luckily, hopefully, the tide will turn. But there simply is no guarantee it will.

And on this most pleasant note, I’ll leave you with:
DSCN7386
[Málaga – but when the struggle is forbidden and ‘ratio’ quod non might seem to prevail, the Dark may roar and explode out of its confines in utterly destructive ways. As in this previous post…]

Signalling healthy process

Yet some more cross-over ideas from the IoT world into the administrative bureaucratic office world: Streams of transactions as signals.
Of the health of the process, of course. To be defined, obviously, as the fit to the surroundings. The fit may be off, either intentionally (wanting to let the world adapt to the process, enforcing (?) change) or unintentionally left blank, i.e., having to cope with exceptions to what was envisaged as transactions’ content or form.

Now apply yesterday’s first picture of process control.
Now, too, consider what one could do with sampling theory (as a subset of ‘Shannon’, if properly elaborated, possibly skirting with ‘classical’ statistics ..?). Taking 2log(n) samples (where n is the number of transactions ..?? Just a wild guess) and being able to reconstruct the ‘signal’, then taking its integral (discrete transactions … just summing it up ..?) for the total. Or Fourier-transforming it all and … get your basic theory straight before dreaming of moving on, so don’t start at the other end as ‘accountant’…! And/or treating exceptions (as e.g., found by the sort of analysis that these girls/guys are so good at; that not even being meant as a cynical qualifier) as noise to the signal. Never fully suppressible, but useful to pick up secondary signals, stacked in their variation of frequencies, amplitudes and wavelet transformations. That all tell you something, if you listen. Whether you want perfect, over-HiFi replay [intermission: Ugh I’m getting old, even knowing that HiFi was a thing…], or lively veracity, actual fullness of music. And take in again the ole’ industrial process control with its recipe / derivative function(s), et al., and be able to better control it all from the ‘dashboard’ in the control room. When all of the routine stuff, the routine 80%, of business is done by … ‘robots’. Humanoid or digital-machines, IDC.

And hey, while we’re at it, why not throw in attempts to include in bookkeeping not only discrete numbers (arbitrarily rounded to hundreds, of random currencies) but Real numbers or even Complex numbers as well ..? The latter, e.g., to indicate VAT surcharges, etc.; leading to tuples-as-single-‘numbers’ in bookkeeping. Maybe somewhat harder to track that all is booked correctly, but also maybe powerful in capturing singular transactions and some processing rules/logic, and controls, in one tuple (‘record’).

Where AI may then be applied to do sanity checks. Not on this author; no AGI or ASI would suffice…

OK, for now:
DSCN1436
[“What a shoe box” but yes that *is* the Bata shoe museum, Toronto]

Ack or ook ..?

Yes, there we are again, on the subject of ‘Ethical’ hacking.
Because I came across such a ‘Certified Ethical’ Hacker once again. Which made me think (again…) about the allure of that. And then it struck me: It’s just a matter of replacing ack with ook and we’re all set!

Think about it; and ook does for money what others do for fun and ulterior motives… So does an ack. An ook can be certified (licensed) and get government-controlled medical/physical check-ups, by another bodily-educated professional. An ack can be and get the same; through permanent education requirements and peer review.

But what an ook can’t get, is the Ethical label that the ack has – for no apparent reason and it should be the other way around: Where the ook has proven her (majority; unless some ladies in the readership have sufficient experience to validly claim the opposite) role in society since the dawn of time/mankind/human society, the ack dabbles in what somewhat similar but short by aeons, is a crook’s business.

So, CEH better refer to the ooks out there. For now:
DSC_0081
[It’s … Name That City time again!]

Culpable misinformation

The inescapable Bruce was very mild, characterising Comey’s texts as a joke. Like here, on this. Whereas puppets everywhere (in NL as well, here) can show only a handful of cases, if any at all, where mass surveillance (like this by InfoSec Taylor:
CBgp99KVIAAt4wn
explains) has been key. Referring not to any paraphrase (here) of Ben Franklin (“Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”) ..?

But the point is: Where failure to act may be culpable in the same way that acts may be, deliberate (intentful) misrepresentation by omitting knowledge and/or presenting false conclusions may be as culpable as outright lying. In particular, when in the public sphere (of income) where speaking the truth (the whole, and nothing but…) is part of the deal, however indirectly through defense of a constitution. Wilful neglect of that duty (that may include informing oneself properly!) is a scam, con, deceit, fraud.

So, come clean. And:
[F..tis didn’t get away with it; too simpleton despite pretense]

Here, First

Integrity at any level is the Yggdrasil of any CIA or other quality of the layers on top of it.

I.e., if at the platforms level the integrity of software (à la Turing, engine/programs and data) cannot be fully 100.000…% guaranteed, no extreme of measures on top of it can restore the missing percentage, only (somewhat) limit further deterioration of the stack on top.

Okay, this being a bit abstract, a somewhat more simple and extensive explanation will follow.
Till then:
DSCN6859
[No base, no glory; Sevilla]

Maverisk / Étoiles du Nord