what happened to the volcano of death?

No fly zone?What a difference a few weeks make in aviation safety… we have gone from closing down large swathes of European air space because any volcanic ash is too much volcanic ash to “a little ash never hurt anyone.”   What happened?  As usual, New Scientist magazine has a very insightful article explaining the shift in thinking.

Apparently, a little mishap in 1982 in which a BA 747 lost all 4 engines due to ash contamination prompted international regulators to decide that if any volcanic ash was observed or predicted to cross airspace, that airspace needed to be closed.  (By the way, the BA pilots managed to restart the engines, but, I am sure that a lot of undies had to be changed by that time).  However, no testing was ever done to determine if there is a safe ash concentration level, below which planes can fly without losing their engines.

Fast forward to the past few weeks.  The eruption of Eyjafjallajökull was the first one which affected such a large and busy area of active air space, and grounding 6.8 million passengers and causing untold hundreds of millions of dollars in losses to the airlines and businesses which depend on air transport provided a wake up call for regulators – maybe we need to do some risk assessment here.  (Ya think?)  So now, the aircraft engine makers and regulators are working their fingers to the bone to figure out just how much ash is too much ash for safe jetting about.

So, if Eyjafjallajökull acts up again, how safe will it be to fly?  (This is a question near and dear to my heart, as I have a trip to London coming up…)  The European Air Safety Agency has published recommendations to operators of jet aircraft which allow flight in airspace with a “low contamination” of volcanic ash.  However, the document does not define how low the concentration must be to allow safe operation.   Carriers are probably looking to Alaska Airlines for some help in making volcanic operation safe.  Since their service are covers volcanically active Washington State and Alaska, they have had ample opportunity to learn how to fly safely during eruptions.  

So will I get on the plane if Eyjafjallajökull gets heartburn but the airlines are flying?  Yes – I think that the level of awareness and safety checks on the part of carriers and regulators reduce the risk to an acceptable level for the occasional traveler, but I will feel better when testing has been performed to put some firmer numbers around this problem.  In the meantime, I plan to curl up with the ICAO Manual on Volcanic Ash Clouds, Radioactive Material and Toxic Chemical Clouds and a cup of tea.

Last post for today… my train is almost to NYC and no volcanoes in sight.

what happened to the volcano of death?

a word from our paranoid janitor

I’m just in a blogging frenzy today – this is what happens when I have 4 hours to kill on the Acela with wifi and power.    So here are a few housekeeping announcements…

If you’d like to be alerted to when there is a new post available on Paranoid Prose, you now have three, count em, three choices – follow my Twitter stream (@alberg),  subscribe to the blog in your favorite RSS reader, or sign up for an email subscription.
 
I also wanted to point out the availability of al’s paranoia links… each day in my travel around the interwebs (it’s a series of tubes, you know), I come across all sorts of articles which tickle my fancy, but which my limited blogging time (pesky day job!) precludes me from writing about.  You can access these links either here at Paranoid Prose, on Delicious or via an RSS feed.  Now you can see the raw material that goes into making me the miserable, cynical, paranoid recluse that I am.
 
Finally, if you are a security professional in the New York Metro area, I heartily recommend that you check out the NY Metro InfraGard web site and consider joining.  InfraGard provides a link between private sector security professionals and the Federal Bureau of Investigation.  Membership provides you with access to a wealth of information, programs, networking opportunities, and the FBI gives you a gun!  (OK, I made that last part up.)  Even without the free weaponry, it’s really worthwhile.
a word from our paranoid janitor

no fear?

Another tidbit from Josh Corman’s excellent talk on FUD (Fear, Uncertainty and Doubt) in the information security industry… the following comes from Frank Herbert’s Dune series of scifi novels: 

LITANY AGAINST FEAR 

I must not fear.
Fear is the mind-killer.
Fear is the little-death that brings total obliteration.
I will face my fear.
I will permit it to pass over me and through me.
And when it has gone past I will turn the inner eye to see its path.
Where the fear has gone there will be nothing.
Only I will remain.

Josh asked an important question during his talk – is there any place for fear in information security?
 
My two cents:  Humans (and animals) fear for a good reason; responding to perceived threats in a timely fashion is very handy if your goal in life is to survive.  In the info sec world, I think that fear has some use, as an indicator and a call to action.  However, once the threat causing the fear reaction is identified and evaluated, we need to discard the fear and replace it with a heightened sense of awareness and a sense of the true nature and proportion of the threat.  The fears we face in info sec are not typically existential in nature; once we know and understand our enemy, we need to devote our mental and physical energy to meeting the challenge – fear just gets in the way.  
So, we must not fear (for more than a couple of minutes).

I think this is going on my wall…

 
Except… 

http://i.adultswim.com/adultswim/video2/tools/swf/viralplayer.swf

no fear?

when was the last time we retired a security control?

This weekend, I attended the Security B-Sides Boston conference  (which, by the way, I heartily recommend to all info sec types).  My favorite session of the day was Josh Corman‘s “Fsck the FUD” talk… this talk was chock full of security thought leadership goodness and will probably result in a number of blog postings here at Paranoid Prose.

In his talk, Josh asked a really thought provoking question:  When was the last time that the information security community retired a control?  If you take a look at lists of recommended security controls from 10 or even 20 years past, you will see many of the same measures that are found in the latest PCI, COBIT and other prescriptive documents.  Each year, a few new must have controls are added, much to the chagrin of CSOs and security personnel (who then have to spend more of their limited time and resources implementing new controls as well as maintaining existing ones) and to the delight of auditors (who get job security and longer audit checklists to fill out, and thus more billable hours).  This approach of continuous “improvement” of security “standards” is just not scalable, given most organizations’ unwillingness to fund the corresponding infinite growth of security resources (how unreasonable!).

Why is this happening?  Josh’s theory (with which I agree) is that auditors and standards writers tend to be very conservative.  In their minds, once a control is written down, it becomes revealed truth, and having more controls must ensure a higher level of security, right?  As a result, many organizations (especially those in heavily regulated industries like Finance, Health Care and payment card processing) seem to fear their auditors more than the attackers who the security folks are supposed to be fending off.   We have to make sure that we can check all of the boxes and get “good grades” on our audits and assessments, whether or not the controls being tested are relevant and provide real protection.

This model leads to a stifling of innovation in the info sec industry, according to Corman.  Since most info sec spending is concentrated around passing audits and fulfilling regulatory and compliance requirements, we continue to spend most of our time and money on legacy controls which may or may not be very effective at addressing evolving (and quite dangerous) threats.  We get that warm and fuzzy feeling from passing the audit, but that does not necessarily mean that we are well protected.  Security vendors respond to this pattern and concentrate their product offerings in spaces which address the tried and true controls they know that their customers need to meet.  They are simply not incented to come up with new ideas and better products and their marketing departments spend most of their time figuring out how to spread FUD and convince CSOs that their existing products somehow address the mind numbingly scary threat du jour.

A couple of examples come to mind:

Anti malware software – signature based anti malware software is having a harder and harder time keeping up with the threats we expect it to protect against.  More and more evil code is produced from toolkits which generate custom versions that differ from the AV vendors’ signatures just enough to slip by the defenses.  In a number of recent cases, totally customized, highly targeted code has been used to infect machines of interest and extract valuable information.  It seems to me that signatures are becoming less and less effective as controls against malware and that protections based on system behavior make much more sense.  Yet we still buy, deploy, maintain and update lots of signature based AV software, so that we can check the proper audit boxes and vendors don’t have real incentive to come up with new and more effective defensive products.

Passwords – One of the most frequent complaints I get from users at my company is that our password policies (long passwords with different types of characters that need to be changed pretty frequently) are a pain in the posterior.  I feel for them… complicated passwords that are changed frequently do provide protection against some threats, but it seems to me that the main threat to passwords today is malware which grabs the password as it is typed – and it doesn’t matter how long, complicated and frequently changed the password is.  Yet, we still enforce our password policy.  Part of the reason is that the policy does provide a certain level of protection against some threats, but in reality, we have kept the policy mainly because our business partners (customers, regulators, etc.) expect us to have such a policy and would look askance at us if we didn’t.  (In spite of recent research suggesting that the negative economic effects of these policies may exceed their protective benefit).

So… what do we need to do as an industry?  I think we need to start a dialog in which we take a long, hard look at the security controls we “require” and answer some key questions about them:

  • What is the threat that this control addresses?
  • Is the threat we are protecting against still a threat?  If so, has the nature of the threat changed significantly?
  • How can we update the control requirements to better address the threat using currently available technology or processes?
  • What new technology (if any) do we need from vendors in order to address the threat as it stands today?

The big question is how to get this discussion going… conferences like Security B-Sides, Defcon and the like are great places to start talking, but we need to find a way to get the mainstream security media and standards bodies to participate… going to be giving this a bit of thought and would love to hear from you with ideas!

when was the last time we retired a security control?

a data breach story with a twist…

Public enemy #1?

Stories of data breaches have become annoyingly normal, so when Affinity Health Plans announced the accidental disclosure of personal information on over 400,000 employees, former employees, customers, applicants and business partners, most security folk just sighed, thanked their lucky stars that they didn’t work for that particular company and moved on. However, this breach was different than many of the other data losses that have been in the news recently.

Unlike your standard lost or stolen laptop or misplaced USB thumb drive, this breach resulted from the return of a leased multifunction copier to its owner. Like most business copiers, this one had a hard drive on which copies of documents copied, faxed or scanned were retained. When the copier was returned to the leasing company, Affinity failed to scrub the hard drive of this stored information, which “may have included Social Security Numbers, dates of birth and medical information,” according to a company press release

The actual risk to the people whose information was found on this particular copier is actually quite small; the documents were found on one of four copiers purchased by a CBS News investigation team in NJ.  The other three copiers’ hard drives contained data from the Buffalo, NY Police Department (Narcotics and Sex Crimes related documents) and a construction company (building plans, checks, pay stubs and employee info).  However, the records described in this disclosure represent only a tiny fraction of the sensitive information routinely disposed of without proper security measures when copiers are sold or returned to lessors.

Affinity (and I would assume the other organizations whose data was found) have started taking corrective actions, such as inventorying its copiers to identify those with onboard storage, finding any other copiers which may have been returned to vendors recently, and making arrangements to ensure that devices are scrubbed before they are returned to vendors.

These types of data breaches are eminently avoidable;  Manufacturers of multifunction devices such as Xerox and Sharp provide security software for their products which implements encryption and secure deletion of stored documents.  By making sure that your devices come with these features and properly configuring them, you can plug this potentially damaging and embarassing hole in your information security defenses.

So, what are the takeaways for security professionals?

First, take a look at your existing multifunction copiers and make sure that they are equipped with the manufacturer’s security software and that the security features are properly configured and active.

Next, make sure that your organization’s specifications for the purchase or lease of copier/scanner/printer devices require security features such as encryption of stored information as well as the ability to securely erase all information from the hard drive.

Then, make sure that configuration process for new multifunction copiers includes setting the security options properly.

Now, add these devices to the list of things with blinking lights that are examined during security assessments.  While you are at it, remember that these devices have network interfaces as well as upgradable software which could have vulnerabilities.  Are you patching your multifunction devices?

Finally, have a process for decommissioning multifunction devices which includes wiping all data from them before they are returned to lessors, sold, donated or recycled.

As the non computer devices in our offices and homes get more intelligent, they also become more interesting to attackers.  As an infosec professional, they should be more interesting to you – before your organization makes the news.

a data breach story with a twist…

monday volcano news roundup

From the BBC News website…  this map shows today’s ash situation… does not look too good as far as trans Atlantic flights from the States to Northern Europe and vice versa, but I am hearing that some trans Atlantic services are resuming (see @AirlineRoute  for updates). 

However, it looks like the European travel situation should be getting better tomorrow, as the EU replaces a blanket ban on air travel with a more focused and layered approach.  European air space will be divided into sectors described as “no fly zones,” “limited service zones,” and “open airspace,” based on the amount and dispersion of ash from Iceland’s volcano, according to the BBC.  I get the first and last categories, but I don’t know that I would want to go on a flight in the “limited service zones” – does this mean they are sorta safe?   In a press release issued today, Eurocontrol (the air traffic agency for the EU) had this to say… 

  

“…while the initial reaction by the States was prudent and reduced risk to an absolute minimum, it was now time to move towards a harmonized European approach (set out below) that permitted flights – but only where safety was not compromised… Accordingly a limited “No-fly zone” will be established by the States concerned, based on forecasts from the VAAC. EUROCONTROL will provide the data and the forecast to States every 6 hours.  Aircraft Operators will be permitted to operate outside this zone. In their decision as to whether to fly, they will be supported by shared data including advice from the scientific community (meteo, volcanic ash proliferation etc.) – including safety assessments supported by tests under the oversight of the competent Safety Authorities.  The conference also concluded that, in time, it should be possible to move towards an approach in which full discretion is given to Aircraft Operators.” 

Earlier today, a mislabeled webcam in Iceland led to false news reports of yet another volcano erupting.   Turns out that it was the same volcano continuing to erupt.  D’oh! 

Looking for some stories and advice from the people affected by this whole mess?  Searching for #ashtag on Twitter yields a fascinating real time look at what’s going on – and makes you glad not to be traveling…”

Oh, and by the way, here is how (and how not to) pronounce the name of the Icelandic volcano… 

monday volcano news roundup