Blow your own horn

At a local conference, one presenter had a topic of “Blow Your Own Horn.”  The point was to have some kind of success story (any kind of success story) ready for presentation.  Elevator pitch level stuff, except you aren’t selling anything specific, just success.

For example: “Last year you (the Board) approved purchase of a $50,000 licence fee for AV software on the email server.  This past month, records show it stopped 1 million viruses, which would otherwise have gotten through.  Had they been run, they would have cost $500 each (estimated industry average) to clean up.  Therefore, your prescient decision to spend $50,000 has returned $500,000,000 to the company.”

(OK, yes, any infosec professional knows the holes in that logic.  And you are turning it so that you are crediting the Board with what should be *your* success.  But you get the idea.)

I suggest everybody have a file in some readily accessible drawer, for scribbling down any idea you come up with along these lines, using company specific data.  One idea per page.  Any time you get called to the Boardroom (or, depending upon how many ideas you can come up with, any meeting) grab a sheet and read it in the elevator.  Whatever they asked you to talk about, walk in and start off with, “Thank you for your interest in X.  Before I begin, I’d like to let you know that, because of our investment in a $2,000 course in Ethereal, for one of the net sec admins, last April’s intrusion was detected within 5 hours, and we were able to ensure that all servers were hardened against that particular attack within only a further 12 hours, all within house.  Normally such an attack would be undetected for three days, and would have required outside help at a usual cost of $7,000.”

(Yes, this gets down into the weeds in regard to architecture, but security is a lot more about politics than technology.  And people love stories.)


New computers – Windows 7 – XP Mode fixes

I think I may finally be getting the hang of this XP Mode thing.  (I may also be fooling myself …)

As previously noted, XP Mode doesn’t access the “real” drive, but a virtual drive which is contained in one large file.  (Actually, seemingly a minimum of three, but only one appears to contain the drive “contents.”)  XP Mode does provide you with links to the real drives on the computer, but, while accessible from most Windows programs, since they are not mapped to drive letters, you cannot do anything with DOS programs, even though such programs run under XP Mode.

I figured I would have to create the directories, with files I wanted to work on, within the “virtual” drive, and, each time I made any modifications, remember to copy the new versions back to the “real” disk so they could be used under Win7.  Not only is this a nuisance, but it wastes disk space.  XP Mode takes up enough space as it is: starting at about 1.5 gig, by the time you get it up to speed with Windows updates, it has ballooned to 6 or 7 gig.  Any programs or file space you want come on top of that.  (And, since I no longer trust XP Mode to stay stable, I have been making backup copies as I have been doing the updating and adjusting of the virtual machine, wasting even more disk space.)  An annoyance, to say the least.

I can’t remember where I found it, but somehow I noted a reference to the actual description, within XP Mode, of the links to the real drives.  It looks just like a network reference to a shared resource.  So I tried mapping that format and creating a DOS “lettered” drive mapping (from within XP Mode).  So far it seems to work fine.

For those who’d like to try, the “network” name of the real computer seems to be TSCLIENT.  So, in order to create a link to the C: drive on the real computer, map to \\TSCLIENT\C .  (It does not seem to matter what your real machine’s name is, that name does not seem to be used in the reference.)
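The mapping described above, written out as a small batch script that can be run inside the XP Mode virtual machine. This is an added example and not from the original post; it assumes the share name \\TSCLIENT\C reported above, that the drive letter X: is free inside the VM, and that the host drive redirection the post relies on is enabled.

```batch
@echo off
rem Added example (not from the original post): map the host's C: drive,
rem which XP Mode exposes as the network share \\TSCLIENT\C, to a DOS drive
rem letter so that DOS programs running inside the VM can reach it.
rem Assumptions: X: is free inside the VM, and \\TSCLIENT\C is the share
rem name the post reports. Run this inside XP Mode, not on the Win7 host.

set HOSTSHARE=\\TSCLIENT\C
set DRIVE=X:

rem If X: already points somewhere, leave it alone rather than clobbering it.
if exist %DRIVE%\ (
    echo %DRIVE% is already in use; pick another letter.
    exit /b 1
)

rem /persistent:no keeps the mapping out of the saved profile, so a stale
rem entry does not slow the next start-up if the host share is unavailable.
net use %DRIVE% %HOSTSHARE% /persistent:no
if errorlevel 1 (
    echo Could not map %HOSTSHARE%. Host drive redirection may be disabled.
    exit /b 1
)

rem Show the mapped drive exactly as DOS programs will see it.
dir %DRIVE%\ /a
```

The mapping is deliberately non-persistent: a persistent mapping to \\TSCLIENT\C is only valid while the host-drive redirection is active, and a stale saved mapping is one more thing that can hang or error at VM start-up.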


Conflicting AVs

Well behaved antivirus programs can safely work together in peace and harmony.

Unfortunately, relatively few AVs are well behaved.

On my new desktop, I’ve got Avast (came with the machine, has a free version, and is a pretty good product) and MSE (it’s free, and it’s pretty safe for most users, although, as a professional, some parts of it irk me).  I’ve set both to ignore the virus zoo, although they aren’t too good at taking that restriction to heart.

MSE quarantined a few samples before I got things tuned.  Of course, it doesn’t have any function to get stuff out of “quarantine.”  (As I say, as a professional this is irksome, but, considering the average user, I’d say this is a darn good thing.)

Today Avast gave me a warning of some dangerous files.  They were the ones MSE quarantined.

(In case anyone is interested, the quarantine seems to be in \ProgramData\Microsoft\Microsoft Antimalware\LocalCopy.)


New computers – Windows 7 – compatibility – XP Mode – crash (2)

Well, further observations on XP Mode.

It may be necessary, but it’s touchy as all get out.  Also, so far I have not found anything that seems to be willing to do a restore.  There is a function called “Undo Disks,” but that possibly makes the system less stable when it is enabled.  More on that later.

After the crash on Gloria’s account, I found where the files were, particularly the disk file.  Since I had my account working, and since I had already applied all the Windows Updates to it, I copied my disk file to her directory.

It fired up just fine, and I made the necessary changes, setting it to her preferences and installing and testing some programs she wanted.  I tested the program setup, and everything seemed to be fine.  So I shut the program down.

It came up again demanding a username and password.  No matter what I tried, nothing worked.

So, I tried copying my disk file over top of hers again.

(Let me say, at this point, that all this is taking much longer than would be evident.  The disk files are enormous, multiple gigabyte files.  Just copying them takes about a quarter of an hour at times.  Also, each time you shut down, and start up, the virtual machine, it takes at least five minutes just to start.)

I got the same kind of crash as before, a missing file.  Different file, but same result.  No possible way to get it to start.  By this time I had found the setting that allows me, when closing the system, to shut it down, rather than just hibernating it.  (If you allow it to hibernate, it is, as far as Windows is concerned, still running, and therefore cannot be messed with.  Or fixed.)

By this time I had found the original, plain jane, basic, vanilla XP Mode virtual disk file.  It is stored elsewhere on the computer.  So I tried getting rid of some of the (obviously corrupted) working files, and tried to start from scratch.

Somehow this has created two virtual XP Mode “machines.”  Well, if one of them will keep working, it may be worth the wasted disk space.

Ah, yes.  I promised more on “Undo Disks.”  Given the name, you would think that this would allow for a sort of restore point type situation.  Well, it does, but it does it in a fairly kludgy manner.  If you enable Undo, the virtual machine, when you make a change to the disk (write a file, modify settings, whatever), the change isn’t actually made on the virtual disk.  It’s held in a separate file.  You can see that this might create problems, since the system has to read the basic virtual disk file, and then has to read the diff file, as it were, and apply the changes as a kind of journalling.


New computers – Windows 7 – compatibility (2) XP Mode

In researching the purchase of the new desktop, I found/was told/noted that you needed Windows 7 Pro version for “XP compatibility.”  Naturally, I assumed that this would be built into the product that I bought.  (Actually, I was a bit worried by that statement, since one would assume that a new version of an operating system would still run stuff that the old one did.  I still use programs that I first ran on MS-DOS 2, and they were still working fine on XP.)

Not so.

Well, I’m sure that Microsoft would take issue with that statement.  After all, when you try to use the “recommended settings” when troubleshooting compatibility, it tells you that it is running “Windows XP (Service Pack 2)” compatibility mode.  (Pretty much regardless of what the program or utility is.)  And if, trying the more manual troubleshooting, you tell the troubleshooting program that it did run under previous versions of Windows, there are XP SP2 and XP SP3 options (among nine others) to choose from.

It doesn’t matter which you choose.  I haven’t found any of them to work with any program to date.

However, the advice to buy Win7 Pro is sound, if you want to have much of a chance of running anything (interesting) that you have been using up until now.  You absolutely must have XP Mode.  It solves all your problems.  (Well, it solves a bunch of problems, and you can probably fix the rest with some scripting, which is annoying, but better than nothing.)  You have XP Mode if you buy Win7 Pro.

Well, no you don’t.

XP Mode turns out to be part of Windows Virtual PC.  You don’t have it with the base install.  You have the right to have it, but you don’t have it, and you have to download it and install it.  In trying to find out why I couldn’t run stuff that had run perfectly well under XP, I found a mention in the Help system, which made me realize this was a possibility.  Sure enough, chasing this mention down through a few related help articles, I found a link to go and get it.  So I did.

Well, I tried.  In order to install Windows Virtual PC, Microsoft wants to run MGA.  MGA stands for Microsoft’s Grasping Authenticator.  Microsoft disputes this, and refers to it as Microsoft Genuine Advantage, but there is absolutely no advantage to you, the user, in MGA.  There definitely is an advantage to Microsoft, because, if you need MGA to run or install something, and anything at all goes wrong, you have to pay Microsoft to get it fixed.  Even if you’ve paid already.  I had no fear of MGA, because a) I knew that it was a genuine product, and b) I’d already had to run MGA to get the updates to work, and it hadn’t blinked.  This time, however, it would not believe that my Win7 Pro was Win7 Pro, and would I please cough up an extra $200.

(I took it back to the store I bought it from.  They got it fixed, for no money, but it did take them two days to do it.  And all my passwords were gone.  Oh, you thought passwords were there to keep people out of your computer?  Silly you.)

So now I have Windows Virtual PC, and XP Mode with it.  And, absent the fact that it creates a virtual disk for itself, and that, if you want to work on anything on your real disk you probably have to copy it on to this virtual disk, and mess around with settings, it runs everything just fine.  Per my previous posting on compatibility, Netscape/Communicator 4.8 works.  Eudora 1.5.2 works.  My beloved WordPerfect 4.2 (yes, that old) works.  So does WordPerfect 5.1, which is what Gloria prefers.  (I’m not sure I’m going to go to all the trouble of setting up the system that allows us to print from WordPerfect to a winprinter: we really only need to get at the files for reference purposes.)  Good stuff.

I did have to do a whole bunch of Windows Updates on XP Mode itself, which seems very strange to me.  Seeing as how I was downloading it from Microsoft, couldn’t they keep it patched and up to date?  Three or four sessions with Windows Update, and something close to a hundred updates by the time it seemed to settle down.

Ceterum censeo Microsoft esse delendam.


New computers – Windows 7 – security and permissions

Plenty of frustrations in getting set up with Windows 7.

One of the first things I tried to do was add some utilities into the “SendTo” folder so that they are at hand when I am working in Windows Explorer.  These used to be stored in “Documents and Settings” so that’s where I started.  It still exists.

I couldn’t get access to it.  Couldn’t even open the list of subdirectories.  Even though I am running as admin (yeah, yeah, let me get the dratted thing running, first, and then I’ll worry about trying to restrict myself) access is denied.

So, if I’m an admin, I can change the permissions, yes?  Apparently not.  When I look at the Security tab, I apparently already have full control.  When I try and edit these permissions, just in case full control needs to be confirmed, I get a bunch of messages saying that I don’t have permission to change the permissions.  I’ve tried through a bunch of different screens having to do with security or permissions or rights, or editing any of the above, and so far not one of them has worked.

In any case, all of this is academic.  These settings no longer reside in “Documents and Settings” but in a new (as of Vista) folder called “Users.”  “Documents and Settings” is merely a link.  (I think I had to change the permissions on the Users directory in order to get access and make the mods I wanted, but, to be quite honest, at this point I can’t remember everything I’ve had to do.)

OK, it’s reasonable that you shouldn’t be able, from a mere link, to change permissions on the actual directory.  (I think.  I’m having trouble thinking of anything you could actually do, but, on basic security principles, I’d have to agree that there is potential risk, at least.)  But, if so, then why have the link at all? As it is, it is completely useless, and only serves as a distractor for people like me who know some of the internals.

I’ve also got to say that the dialogue boxes for the “Security” and permissions are extremely odd.  You get to see what they are, but you don’t get to change anything, that is on a separate dialogue under edit.  And if you have selected a certain user or group, and then go to the editing dialogue, it is easy to miss the fact that the user or group chosen is no longer selected on that dialogue.  By default what is selected is “Everyone.”  If you are not paying attention, it would be really easy to grant full access to the entire world.
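A quick way to check, after the fact, whether the editing dialog’s “Everyone” default has bitten you. This is an added example and not from the original post: a batch script that lists a folder’s ACL with icacls and flags any entry granting “Everyone” full (F) or modify (M) rights. It assumes the folder of interest is the current user’s SendTo folder under %APPDATA%; pass another path as the first argument to check a different one.

```batch
@echo off
rem Added example (not from the original post): check whether a folder's ACL
rem grants "Everyone" full or modify access, the mistake the post describes
rem when the permissions editor silently defaults to "Everyone".
rem Assumption: the folder of interest is the current user's SendTo folder;
rem pass a different path as the first argument to check another one.

set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=%APPDATA%\Microsoft\Windows\SendTo"

if not exist "%TARGET%" (
    echo Folder not found: %TARGET%
    exit /b 2
)

echo ACL for %TARGET%:
icacls "%TARGET%"
echo.

rem icacls prints one entry per line, e.g.  Everyone:(OI)(CI)(F)
rem Flag any Everyone entry carrying full (F) or modify (M) rights.
icacls "%TARGET%" | findstr /i /c:"Everyone:" | findstr /c:"(F)" /c:"(M)" >nul
if not errorlevel 1 (
    echo WARNING: "Everyone" has full or modify rights on this folder.
    exit /b 1
)
echo OK: no full/modify grant to "Everyone".
exit /b 0
```

The exit code (0 clean, 1 over-permissive, 2 missing folder) makes it easy to run the check over several folders from a loop and act only on the ones that report a problem.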

While doing the massive numbers of Windows Updates (it took about seven update sessions [including almost a gigabyte download for SP1], and four reboots, before the system seemed to settle down) I installed MSE.  I still like it for almost all users, and I’ve had some experiences cleaning up other machines where MSE worked well, and other AVs almost crashed the system.  However, as a professional, I’m still annoyed at some aspects of it.  I marked my “zoo” as excluded, but that setting does not, apparently, apply to the “Full scan,” nor to the real-time scanning.  (And, apparently, simply pulling up a directory in Windows Explorer counts as “opening” all the listed files.)

Ceterum censeo Microsoft esse delendam.


New computers – Windows 7 – compatibility (1)

Windows 7 is not compatible with anything before Vista.  (I refused to have Vista in the house, so I have no idea about whether Win7 and Vista are compatible.)  If your artsy friends are bugging you to get a Mac, or your geek friends are bugging you to get Linux, and you have been limping along with Windows XP, and are now desperately in need of a new computer (all of which applied to me), then go along with whichever set of friends will give you the most help, and switch.  It’ll be easier than trying to figure out how to make Windows 7 work the way you’ve been used to.

That’s an overstatement, of course, but not much of a one.

First off, you’ll have to throw out all your previous software.  I tend to stick with computers for too long, and with software for too long.  At least, that would be the position of software vendors.  I figure a) if it ain’t broke don’t fix it, and b) why should I have to spend a lot of time learning the mixed up new interface that some idiot down in marketing thought would be kewl, and try to find the functions that I need down where they have buried them.  (Often I find that the stuff I really need is completely gone.)

Think I’m kidding?

I use Firefox.  No particular problem there.  Except that Mozilla wanted me to install 5.0.1, after I’ve been used to 3.6.18 for a while.  And I only then realized that I had no idea how to move the bookmarks over to my new system.  I have no idea where Firefox puts them.  Now, under the previous versions of Firefox, it was pretty good about using any sets of settings you might have lying around, including old bookmarks files.  Now it’s gotten fussy.  Of course, now Firefox has a new Sync feature.  That’ll probably help in future, but it’s not much use right now. (Yes, I’m reading up on how to use it in the old version, and, yes, I’ll probably be able to get everything across.  Eventually.)  (And, besides, all of this is Mozilla’s fault, and I know you are eager for me to get on with the Microsoft bashing.)

So, Firefox works (wonder of wonders).  I use a mail program called Pegasus, which, with a little care and attention on installation, also works.

I also use Netscape 4.8.  (Actually Communicator 4.8, but …)  Yes, I know, old tech.  But, it is a very safe browser, especially with JavaScript turned off, and, as a malware researcher, I have occasion to look at some pretty dangerous places.  Also, it uses the old bookmark.htm file, which is really handy for managing and transferring my collection of bookmarks.  The installer will not run in Win7.

(Yes, I researched the problem, and, yes, somebody mentioned SeaMonkey.  Interface is very similar, I grant you, but I can’t find out where they keep the bookmarks.)

(Also, Windows 7 initially choked big time trying to run the installation.)

My wife likes the simplicity (and I like the safety) of Eudora.  Version 1.5.2.  Doesn’t run.

For both programs I have tried the “Troubleshoot compatibility” option.  I bought, and paid extra for, Windows 7 Pro specifically because it was “compatible” with WinXP.  I tried the “recommended” settings, which supposedly ran in-or-as WinXPSP2.  I tried the manual troubleshooting, telling it that the programs ran just fine under Win95/98/NT/2K/XP and/or 2003.  They didn’t run under any compatibility mode.

And, of course, don’t even bother to try and run any DOS or other command-line utilities.  (Even using “Run as administrator.”)

(Using utilities that mess with internals is one area where you don’t expect compatibility.  So I was surprised, and very pleased, to note that the Frhed hex editor works just fine under Win7, particularly after all the other problems I had.)

Some of these problems can be overcome, or worked around, using Windows Virtual PC XP Mode.  More on the trials of that, later.

Ceterum censeo Microsoft esse delendam.


New computers – Windows 7

OK, I’ve thumped on Macs for a while now, so I guess it’s time to give Microsoft some bad words.

(I said a lot of bad words during this process …)

I bought the new computers back before Christmas, and it’s only now (well, last week, about seven months after I bought them) that I’m getting the new desktop set up.  Partly it’s been one darn thing after another, but partly it’s been a bit of anxiety.  And the anxiety was justified.

This will take a couple of postings to get through …


Vodafone Hacked – Root Password published

Looks like a nice one:

The Hacker’s Choice announced a security problem
with Vodafone’s Mobile Phone Network today.

An attacker can listen to any UK Vodafone customer’s phone call.

An attacker can exploit a vulnerability in 3G/UMTS/WCDMA – the latest and most secure mobile phone standard in use today.

The technical details are available at http://wiki.thc.org/vodafone.

News article:
http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html


Complexity is killing us

The other night Gloria asked me what to do about securing the computer if I die first.  (Yes, we talk about those type of things.)  I really didn’t know what to tell her.  And told her that.

A decade ago, I would have had a list of things to do.  Actually, she knows that list: although she always considers herself ignorant about computers, she’s actually more savvy than most (and a lot more savvy than she gives herself credit for).  But these days I hardly know where to start.  You have to qualify every piece of advice you give, and you have to constantly keep up on the latest attacks and threats.  General classes don’t cut it any more.

This isn’t because the attackers are getting any more imaginative.  In general, they aren’t.  Recently a lot of companies (some, like RSA and Sony, very high profile) have been screaming about getting hit by APT (Advanced Persistent Threat) attacks.  What is APT?  Simply social engineering and malware.  Well, since malware has almost always had a social engineering component, I suppose it’s really only malware.  We’ve had malware for thirty years.  So what’s new?  Nothing.  The companies were sloppy.

What is happening is that all of information and communications technology is getting more and more complex.  Programs are tied into the operating system.  Nothing is clear cut.  The actual workings of the system are hidden from the user.  Hardware is virtual.  Networks are cloudy.  Gene Spafford mentioned this in a recent interview.  Since it was an interview, he really didn’t get a chance to expand on this point: the interviewer was more interested in trying to nail down who to blame for the situation.  Who is to blame?  Well, the vendors are creating sloppy systems: forfeiting security in the name of bells and whistles.  But that, of course, is because only a vanishingly small segment of the population is actually interested in security: everyone wants dancing pigs.

I’ve written before about complexity and security.  (And network complexity.)  But every day brings new examples.  Today, for example, Adobe has finally brought out an easier way to delete or manage Flash cookies.  Flash cookies are a particularly pernicious and tenacious form of cookie.  Those of you who think you are “up” on security may have set your browser to delete cookies.  Good.  Unfortunately, it doesn’t do a thing for Flash cookies.  So, Adobe has finally given us control over Flash cookies.  In version 10.3.  What version of Flash do you have?  Do you even know?  How would you find out?  It took me quite a while, and I know what I’m doing.  And, in spite of the fact that I’ve had numerous (annoying) Adobe updates recently, I don’t have 10.3.

I’m supposed to be a specialist not only in security, but in security awareness.  And the job is just getting overwhelming.

It’s really depressing.


A recent flight …

Security wanted to open up my suitcase and look at the bag of chargers, USB sticks, etc, and was concerned about the laser pointers.  He decided they were pens, and I didn’t disabuse him of the notion.  Why disturb the tranquility of his ignorance?


REVIEW: “Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk, Daniel Schutzer

BKEISCPR.RVW   20101023

“Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk, Daniel Schutzer, 2009, 978-1-59693-190-9, U$99.00
%E   C. Warren Axelrod Warren.Axelrod@usccu.us
%E   Jennifer L. Bayuk www.bayuk.com
%E   Daniel Schutzer Dan.Schutzer@fstc.org
%C   685 Canton St., Norwood, MA   02062
%D   2009
%G   978-1-59693-190-9 1-59693-190-6
%I   Artech House/Horizon
%O   U$99.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1596931906/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1596931906/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931906/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   231 p.
%T   “Enterprise Information Security and Privacy”

The authors of this collection of papers were told to examine and challenge current and traditional approaches to information security and suggest alternatives overcoming noted deficiencies.

Part one looks at history and trends.  Chapter one traces privacy attitudes and legislation in the United States over the past century, and suggests that privacy and information security are related.  Data protection should be supported by a defined, multi-factor, holistic security system, says chapter two.  (As the editorial comment notes, this is hardly surprising news to security professionals.)  Security faces pressure from operational concerns, and chapter three states that security departments that help the business rather than hindering (in other words, planning security properly) are more likely to succeed.  Chapter four notes that information classification based solely upon confidentiality concerns is limited, but the suggested structure still relates only to that aspect.  The article singularly fails to examine any possible form of multilateral classification scheme, incorporating integrity and availability issues.  Chapter five delves into human factors, which are vitally important to security, but limits the discussion to privacy, which is already pretty human.

That piece finishes off with some examination of risk, although it doesn’t say much about human factors in risk, but I suppose makes a nice lead in to the fact that part two is concerned with risk.  Donn Parker makes his usual contrarian argument against risk-based security in chapter six.  The author of chapter seven notes this objection, but claims that it is only applicable if you fail to account for all the proper factors (totally missing Parker’s point that you can never know all the factors).  A hodge-podge of legal topics goes into chapter eight, but the emphasis (if there is any) seems to be on new “compliance” standards such as the Payment Card Industry Data Security Standard (PCI-DSS or just PCI).  Chapter nine takes a brief and focussed look at the most important changes in the telecommunications arena.

Part three turns to specific industries: finance, energy, transportation, and academia.  Chapter ten lists US financial regulations, and then offers vague suggestions of new regulations.  A number of questions about the security of energy providers or infrastructure are raised in chapter eleven, but there are few answers.  In terms of transport, chapter twelve mentions SCADA (Supervisory Control And Data Acquisition) systems and alarm sensors.  Chapter thirteen doesn’t really appear to examine academia: the “case studies” may be formal, but are really just reports of malware similar to those in the general user population.

If the authors were supposed to present new ideas for security, they have failed.  There is nothing wrong with any of the pieces contained in the book, but they are simply “more of the same.”

copyright, Robert M. Slade   2011     BKEISCPR.RVW   20101023


Dumb computer virus story recidivus

A few days ago, I noted a very silly news story about someone getting hit with a computer virus. Well, maybe the administrators don’t know all that much about malware, and maybe a smaller local paper reporter didn’t know all that much about it, either.

But now the story has been taken up by a company that makes security software. A “Microsoft Gold Certified Partner,” according to their Website. A company that makes antivirus software. And their story is just as silly, or even worse.

They say the local admin “stated that, the virus is classified as harmful and they are being quite alert.” I suppose that is all well and good, but then they immediately say that, “[a]ccording to him, the anti-virus firms were not able to recognize it …” So, AV firms don’t know what it is, but it is classified as harmful? Oh, but not to worry, “the good part is that it doesn’t seem to do extensive harm.” So, it’s harmful, but it’s not harmful. Well, of course it’s not harmful. It only “collects information and details, such as bank accounts and passwords …” No possible problem there. (Oh, and, even though nobody knows what it is, it’s Qakbot.)

Right, then. Would you be willing to buy AV software from a firm that can make these kind of mistakes in a simple news story?


Dumb computer virus story

I really don’t know who is more ignorant here, the city authorities “protecting” the computers, or the journalist writing up the story.

If you know anything about the technology, this is howlingly funny (or, it would be, if it weren’t so sadly representative …)

“Officials at Nanaimo city hall are desperately working to find out how a virus attacked their computer system Wednesday afternoon.”

(Oh, oh!  Pick me!  I can tell you!  You didn’t tell people NOT TO CLICK ON RANDOM ATTACHMENTS THEY GET IN STRANGE EMAIL MESSAGES AND SUPPOSED E-CARDS!!!)

“Per Kristensen, director of information and technology, said he was shocked by how quickly the virus infected the system.

“The first time anyone anywhere in the world noticed this new virus was on [March 15] and then it hit us on the 16th,” he said Thursday.”

(How many new viruses are “created” every day, these days?)

“People can be assured that all their information is secure. Protection of their personal information is a priority. The city’s system won’t be turned on until we are confident we have this solved,” he said.

(Ummm, how are you going to clean up the computers if they are turned off?)

“Kristensen said the virus is so new, it has no signature that security devices can recognize.”

(Let me guess: a certain antivirus in a yellow box couldn’t recognize it, so you figure that nobody can, right?)

“We’ve got multiple levels of protection and firewalls, but nothing recognizes this.”

(Yeah, firewalls do a GREAT job against viruses …)

“We may have to shut down throughout the weekend and we won’t put the system back up until we know we have this under control. And right now, we don’t know how long that will be.”

(Based on this, I’m not holding my breath …)


RSA APT thoughts

By now people are starting to hear that RSA has been hit with an attack.  Reports are vague at best, and we have very little idea how this may affect RSA customers and security in general.  But I’d like to opine about a few points.

First, we, in the profession of information security, are still not taking malware seriously enough.  Oh, sure, most people are running antivirus software.  But we don’t really study and understand the topic.  Malware gets extremely short shrift in any general security textbook.  Sometimes it isn’t mentioned at all.  Sometimes the descriptions are still based on those long-ago days when boot-sector infectors ruled the earth.  (Interesting to see that they are coming back again, in the form of Autorun and Autoplay, but that’s simply another aspect of Slade’s Law of Computer History.)  Malware has gradually grown from an almost academic issue to a pervasive presence in the computing environment.  It’s the boiling frog situation: the rise in threat has been gradual enough that we haven’t noticed it.

Second, we aren’t taking security awareness seriously enough.  These types of attacks rely primarily on social engineering and malware.  Security awareness works marvelously well as a protection against both.  RSA is a security corporation: they’ve got all kinds of smart people who know about security.  But they’ve also got lots of admin and marketing people who haven’t been given basic training in the security front lines.  For a number of years I have been promoting the idea that corporations should be providing security awareness training.  Not just to their employees, but to the general public.  For free.  I propose that this is not just a gesture of goodwill or advertising for the companies, but that it actually helps to improve their overall security.  In the modern computing (and interconnected communications) environment, making sure somebody else knows more about security means that there is less chance that you are going to be hit.

(Third, I really hate that “APT” term.  “Advanced Persistent Threat” is pretty meaningless, and actually hides what is going on.  Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering [which is, itself, only a fancy word for "lying"] and tricked badly enough that somebody actually got you to run a virus or trojan on yourself.  It’s so last millennium.  But it’s the truth, and dressing it up in a stylish new term doesn’t make it any less so.)


Calm acceptance vs self-help

As an emergency services volunteer, I’ve been looking for stories about how the Japanese have been handling displacements, evacuations, and those left homeless following the quake and tsunami.  Oddly, despite having all kinds of video and pictures coming from various areas of Japan, these stories seem to be missing (possibly pushed out of the news-stream by boats running over cars, and a steaming reactor).

Yesterday I started to see a few, some noting that the Japanese culture of calm acceptance was contributing to orderly lines and a lack of panic.  (And then saw some reports that a lack of action by the government was starting to wear on the calm acceptance.  Six days after the quake, food and water aren’t getting through to areas which are only as far apart as Ottawa is from Toronto, or Boston from Baltimore.)

So I was intrigued to find, this morning, this report of someone running counter to his own culture.

(And, once again, I’ll take the opportunity to promote the idea that all security professionals should consider getting training as emergency services volunteers.  You’ll know what to do in or for an emergency, you’ll be a help instead of a drain, and, in the meantime, you can probably apply it to BCP, and get CPE credits for your training.)
