Testing post from Wildfire!

January 16, 2014 at 4:19 pm | Posted in Uncategorized | Leave a comment

Testing post from Wildfire!

Life After Google Reader

March 28, 2013 at 11:52 pm | Posted in Research, Social Networks, Uncategorized | Leave a comment
Tags: , , , , ,

News gathering onlineI’ve used Google Reader to marshal news feeds from blogs and other web sites for a long time now.  I described my strategy in a blog post  almost 2 years ago.  Now, it seems, Google is going to kill Reader, leaving me (and a very large number of other users) to find an alternative tool.

I get that if a service is free then you have no comeback.  I also know there are other tools that could be used instead.  My beef is that a service I’d set up and which has been serving me well for a long time is now going away, without warning and without any apparent logic behind the decision.

This post on O’Reilly Radar makes a good point – certainly one I needed to think long and hard about.  Om Malik’s brief post on the demise of Google Reader raises a good point:  If we can’t trust Google to keep successful applications around, why should we bother trying them out?

So, with Reader due to cease in July, it was time to look for a replacement.  The first breakthrough was finding this post on the blog page for Feedly.  The blog explained that migrating from Reader doesn’t have to be a pain, because:

  • If you log into Feedly with your Google account, then Feedly automatically synchronises with your Google Reader feeds.
  • So, when Reader shuts down in July, Feedly just takes over – no further action required!

There’s also free apps for IOS (separate versions for iPhone and iPad) and Android, allowing me to move away from the trusty but slightly clunky Feeds app that I’ve been using to read items offline.

So far, so good.  Now, I like to be able to share items that particularly interest me with my contacts on Twitter, LinkedIn and (very occasionally) Facebook and I’ve been doing that using my favourite integration platform IFTTT.  This relies on the fact that IFTTT has connections (they call them channels) for both Google Reader (my source) and each of my targets (Twitter, LinkedIn and Facebook).  The Google Reader channel lets me trigger an action any time I star an item in Reader and then lets me use elements in the post to my targets (blog name, title, URL).  Sadly there’s currently no channel on IFTTT for Feedly, though I made sure I submitted a request for one.

So the next step was to find an intermediate platform.  The Feedly equivalent to Google Reader’s star action is called “save for later”.  Investigating the settings in Feedly I found that you can configure the s”save for later” function to post items to Pocket,  which does have an IFTTT channel.  So, now I can rewrite my IFTTT publishing rules to use Pocket and anything I bookmark (save for later) in Feedly will appear on Twitter, LinkedIn and (if I choose) Facebook.  Result!

As a bonus, I found that for anywhere I can email a link (say in a tweet), I can send that email to Pocket and the page the URL points to will be added to my queue in Pocket as well.

You Can’t Patch People

December 29, 2012 at 5:06 pm | Posted in Data Protection, Endpoint Security, Human Factors in Security | Leave a comment
Tags: , , , ,

In a recent blog post, Bruce Schneier highlighted how a commercially available and low-cost  (around £200) forensics tool is capable of cracking passwords for common commercial whole disk encryption products.

As I mentioned in a previous post, use of PGP Desktop to encrypt all laptop disks  is compulsory at IBM and is enforced through our end-user computing standards.

The default power management configuration for laptops often just suspends the laptop when the lid is closed or when ‘sleep’ button is pressed. unless the laptop user selects ‘hibernate’ the disk drives are not encrypted. standards dictate that laptop configuration should be changed to hibernate in these circumstances, but how many users actually make the necessary changes?

The comprehensive help documents provided by IBM for configuring the whole disk encryption software step the user through making a ‘rescue disk’ to allow recovery in the event of a lost encryption password. So, how many users take any precautions to protect that?

Going back to the potential attack against whole disk encryption, it relies on the attacker being able to recover the encryption key from memory dumps or hibernation files, after the disk has been decrypted. Of course, if the laptop is always left safe (ie. powered down or at least hibernating) then that attack vector isn’t available. However, how many users leave their laptop unattended and logged in when they believe the environment is ‘safe’? And, how many leave their laptop unattended before the hibernation process has completed?

The common thread through all of this is that if users are careless, they can inadvertently cancel out any benefits from technical countermeasures. It’s simple enough to describe the exact behaviour that will prevent this. In Public sector security, we call this Security Operating Procedures, or SyOPs for short.

It’s usual to define the IT security risk management process as starting with risk assessment to select the right security controls, followed by incident management to deal with residual risk, invoking crisis management and BCP when required, to recover from the most severe incidents. I strongly believe that SyOP production and security awareness training for end users must form part of the risk management process and must be in place before a service is activated to ensure that the security controls operate as designed and to defend against the sort of attack described here.

As I said in the title, users are the one part of the system that can’t be patched to remove vulnerabilities.  It’s vitally important to explain the importance of what we ask them to do and then to reinforce that through adherence to mandatory written instructions, in order to establish the ‘habit’.

testing post from Wildfire!

December 13, 2012 at 11:32 pm | Posted in Uncategorized | Leave a comment

testing post from Wildfire!

New Direction – Exploring the Internet of Things

November 17, 2012 at 9:30 am | Posted in Internet of Things | Leave a comment
Tags: , , , , , ,

The Internet of Things is not a new notion.  It’s been proposed in differing forms over a period of more than 10 years.  The IoT links uniquely identifiable physical objects (things) to their virtual representations online, which can contain or link to additional  information on identity, status, location or any other business, social or privately relevant information.

The intention is to provide access to accurate and appropriate information in the right quantity and condition, at the right time and place and at the right price.

IBM’s strategic Smarter Planet initiative, currently featuring in a mainstream UK TV advertising campaign, has been in place for a number of years.  During the course of 2012, ny work as an IBMer has taken me into the world of Smarter Planet and in particular, into the field of Smart Grid and Smart Meters.

Influenced by working with a team of experts, particularly Dr Andy Stanford-Clark (IBM’s UK CTO for Smarter Energy), I set out to investigate the possibilities of the IoT for myself, determined to be able to talk to the myriad devices I use daily and to have them talk back to me.

As a gauge of what can be achieved, I looked into the monitoring and automation that Andy had built into his own home on the Isle of Wight.

In this TEDX talk, Andy describes how his experimenting moved from the personal to the local to the regional and how he believes that the Internet of Things will evolve as a global system of systems, interconnecting regional smart grids.

To start with though, let’s talk about some of the attributes of the Internet of Things:

Pervasive Computing

The IoT is based on the premise of pervasive computing.  This means machine to machine communication (m2m) between potentially trillions of devices.  These don’t have to be just new “smart” devices.  The availability of small, simple and low-cost components means that legacy devices can be connected as well.  Each devices then exhibits three key characteristics:

  1. Instrumented: Sensors are provided to monitor the device operation and collect key data
  2. Interconnected: The device has a means of communicating with other devices, or through a hub to deliver its data and receive requests or commands;
  3. Intelligent:  The device has sufficient memory, storage and processing power to forward the data to an intelligent back end, where it’s analysed to form a world view.

The ready availability of low-cost compute nodes, such as arduino and nanode and more recently the  Raspberry Pi makes it simple to get started with adding these capabilities to existing devices.

Big Data

The consequence of these pervasive computing capabilities is inevitably an explosion in the amount of data available.  This explosion can be described in terms of:

  1. Volume:  The amount of data accumulated either from a single device or multiple devices of the same type (accumulation);
  2. Variety:  The types of data made available, structured and unstructured, including voice, video and other rich data types;
  3. Velocity:  The rate at which events are received by the hub or the subscriber.

Big data can be as much a hindrance as a help, unless we keep in mind a couple of key design principles:

  1. Device data needs to be filtered to make it relevant – a change in inside temperature of 0.1deg isn’t significant, a drop of outside temperature to < 4degC is.
  2. Just like any well designed metric, the event the device generates must be actionable by the person viewing it.
  3. The utility of data (big or otherwise) increases exponentially, as it is enriched through aggregation with data from other devices or sensors.
  4. The collection, filtering, aggregation and analysis of data needs to be focussed on supporting a specific human decision.

Communications

  1. From devices and sensors into local networks, using a simple, small footprint subscribe and publish messaging protocol such as MQ Telemetry Transport (MQTT)
  2. Allow the network to communicate with the outside world through a microblogging service, such as Twitter

Over a series of posts, I will describe my adventures on the IoT, experimenting at the personal level with these components, to:

  • Monitor power usage within my own house
  • Connect devices within the house, through the MQTT messaging protocol
  • Contribute data to community sensor projects

15 Minutes

August 15, 2011 at 11:25 pm | Posted in Cloud Security, Cyber Security, Data Protection, Security Governance | 2 Comments
Tags: , , , , , , ,

According to Andy Warhol, everyone gets 15 minutes of fame.  If you’re a security consultant, maybe that 15 minutes is the chance you get, face to face with  the CEO of your customer, to convince them to focus on security.

The other day I found myself in conversation with a couple of senior execs from a large and well-known security vendor.  During the discussion, they made the point that oftentimes a security health check or investigation means presenting bad news.  The CISO is not always going to be overjoyed by what you have to report, so you need to present your conclusions direct to the decision maker.

So, this was the challenge – how are you going to get the CEO’s attention and a commitment to action, all in just 15 minutes?  Clearly, there’s no use talking about operational security – that’s the CISO’s patch.  So, I mused, frame the discussion in terms of Governance, Risk and Compliance (GRC).  Most organisations of any size are now quite adept at security compliance.  Faced with a plethora of legislation, regulation and contract schedules and armed with a bewildering array of control frameworks and certification schemes, IT security teams spend most of their time looking backwards at what already happened.  Beyond that, the Business grants authority to the CISO and his team to implement sufficient controls to enforce the corporate IT security policy.  Governance is about monitoring how that decision-making process is working.  Finally, the real objective looking forward should be to deploy adequate security to meet the business risk.  That ought to be something the CEO cares about.

OK, so now we have a context, but what are the big issues in security for the business?  I came up with a Top 3 (you may well disagree):

  1. Consumerisation:  Like it or not, staff are going to use their own devices (smart phones, tablets, home computers) in the course of their work.  Of course, these devices are outside the control of the IT department, so how do you enforce security policies?  What happens if the device is lost?  Can you do a remote wipe (which will include the owner’s data as well as the company data)?  This loss of control of physical assets and their configuration provides a toehold in the network for an attacker.
  2. Advanced Persistent Threats:  The business may find itself under attack from an APT, armed with a wide range of skills and resources and focused on a long-term (months or even years) objective.  Even if the IT Security team detects ATP activity, this may only be a fleeting glimpse of what’s actually happening The business may well have no idea why it is being targetted.  All the while, the APT will be syphoning off vast amounts of data, maybe sensitive business information, maybe intellectual property, but also maybe personal information belonging to the business’s clients or employees.
  3. Cloud Services:  I wrote in a previously post about the threats to security governance posed by cloud services.  In many organisations, business units are adopting cloud services without the advice and support of their IT security specialists.  The resulting agreements often provide little or no oversight as to how the provider will assure the security of critical or sensitive data and can place the business’ legal and/or regulatory compliance status in jeopardy.

All of these conspire to present a real and growing threat to the personal and sensitive information, stored by virtually every organisation these days. But, how to persuade the CEO that these threats are real?   The challenge is to come up with a set of “world-class” questions – they don’t require an answer at the time, rather they should make our CEO reflect on what matters to the long-term health of the business.  By coincidence, fellow IBMer Marc van Zadelhoff recently described his set of questions for the CISO in a blog post for the IBM Institute of Advanced Security.  His candidate questions are rather more technical than what I had in mind, but that really reflects the dilemma of how to engage with the Business at a senior level.  So, I thought about it for a while and this is what I came up with:

  1. Where is your data stored right now?  Can you account for every copy?  If you’ve entrusted data to a 3rd party, are you sure you can get it back if you end the service?  Are you sure they’ll delete it when you tell them?
  2. Can you be sure that your sensitive data isn’t being exfiltrated  by an attacker?  If it was happening, would you know?
  3. If the worst were to happen and you become the target for a large-scale, highly public data breach, do you have a credible, tested crisis plan for dealing with it?  Can you withstand the reputational damage while you execute your plan?

So, that’s my list, all related to the need to protect critical and sensitive data.  How would your CEO answer?

London Riots – The Aftermath

August 9, 2011 at 2:58 pm | Posted in Uncategorized | Leave a comment
Tags: ,

Not my normal security-related subject matter, but I had to pull together some highlights (wrong word?) of the appalling events in London over the past few days.The sequence below, taken from Twitter and Flickr and assembled in Storify (http://www.storify.com), show clearly that the vast majority of people in the UK are sickened by the mindless violence and sheer greed of the criminals who did this. The story also shows (to me at least) that when it comes down to it, the people of the UK, and particularly Londoners, will always rise above attempts to terrorise them and just get on with sorting things out.

Something we can all do to help.  Publish the banner on your website or your blog or retweet the post.  Let people know, so they can turn out to help with getting things back to normal.

For me, this picture sums up the violence of the whole thing.  This morning’s television news showed footage of a 150 year old family run furniture store ablaze.  Why?  What did that achieve?

But, as bad as things get, people act with kindness and show their appreciation to the police..

And then this morning, I can only echo Professor Brian Cox on Twitter (above).  it really does restore your faith in human nature.

People turned out in droves, responding to a spontaneous campaign to clean up the devastation left by the rioters.

#riotcleanup pictures on PicFog

riotcleanup pictures

Check out this site for more pictures of the clean up operation around London.

Now something else we can all do to help.  Look at the pictures from the Met Police.  If you know any of these clowns, tell the police.  They need to be stopped before someone gets seriously hurt.

Do I know you?

May 15, 2011 at 12:10 am | Posted in Human Factors in Security | 2 Comments
Tags: , , ,

“What the middle-aged Tory minister said to the young blonde Labour MP in a lift”

The Times 13 May 2011


It’s been a pretty hectic time for me work-wise recently – you may have noticed from the tumbleweed blowing through this blog in recent weeks!  But, after a concerted push to get some deliverables out, I finally found myself working from home today, with a little less pressure than normal.  So, I decided to set myself up for the day with an early morning trip to my favourite coffee shop, for a cappuccino (skinny, of course!) and a chance to read the newspaper in peace.

So it was that I found myself reading in the Times about a minor spat between two Members of Parliament.  In a nutshell, a senior (male) MP challenged a young woman he encountered in a restricted area, on the basis that “”Well, I thought you looked too young to be an MP”.  He challenged her to produce her pass, which she did.  Awkward.  Now, I don’t intend to defend the MP’s possibly boorish manner (after all, it seems he has form when it comes to acerbic remarks).  Equally, it seems at least possible that the younger (newly elected) MP might have been less than cooperative, when challenged.  So all in all, a storm in a tea-cup, but it reminded me of a serious point.

Must we wear photo passes?

Regular readers will know that I work for IBM where, in common with all technology based organisations and many large organisations of all types, it’s mandatory for all staff to have a pass to gain access to and move around the company sites.  These access passes form a key component of physical access control systems and even, in more advanced deployments, provide strong authentication for access to computer systems.  They also generally display a photo of the owner and their name.  The idea is that the most basic element of physical security is for those in a restricted area to be aware of who should be present and who shouldn’t.

In modern organisations, staff often visit their “home” office only infrequently.  Equally, the number of staff in any one location is often very large.  As I wrote in a previous post,  Dunbar’s Number suggests that we have difficulty keeping track of a circle of acquaintances numbering more than (say) 150.  This is, in large part, the reason behind photographic ID.  I’m sure IBM is not alone in insisting that these badges are worn in plain sight by all staff at all times.

They also help in avoiding embarrassing situations like the newspaper story, with which I opened.  “Tailgating” is frowned upon at card operated doors and clearly visible photo ID makes it easier for security staff to detect.  It’s everyone’s responsibility – and should be drummed into new staff through security awareness training –  to be aware of who is in the area and to confirm their right to be there.  We also have to be prepared to challenge anyone not displaying the correct pass, though hopefully showing a little more tact than the Tory MP.


CESG Launches Commercial Product Assurance

April 2, 2011 at 12:35 am | Posted in Security Product Testing | Leave a comment
Tags: , , , , ,

I’m a regular reader (and subscriber) to Phil Stewart’s Excelgate Blog here on WordPress, since I met Phil through the UK Chapter of ISSA.  In his latest post, Phil describes the launch by CESG of the CPA: Commercial Product Assurance scheme.

Over the last 20 years or so, I’ve had a hand in the design and delivery of a wide variety of systems for handling Protectively Marked or otherwise sensitive data, from both the vendor side and the customer side.   In every case, it was easier to prove the required level of assurance to the Accreditor, when the solution was built on certified products.

However, the certification schemes available – principally the internationally supported Common Criteria (ISO 15408 – originally ITSEC in the UK) and the UK’s CESG Assisted Product Scheme (CAPS) for crypto products – are aimed mainly at the higher Impact Levels.  As a consequence, certification is a lengthy and expensive process for the vendor.  This commitment of cost and time must inevitably be passed on to the purchaser.  For systems handling data up to Impact Level 3 (or Protectively Marked as Restricted), the level of both functionality and assurance offered by CC or CAPS products is more than is needed and the cost often prohibitive.

Such systems form the bulk of deployments in the UK’s Public Sector and Critical National Infrastructure, so what has long been needed is a catalogue of commercial security products, approved for use at the lower Impact Levels.  The progress from the Claims Test Mark Scheme, piloted by CSIA and the Cabinet Office from 2004 to this new scheme is well documented in the Excelgate blog.  For me though, the most attractive attributes of the CPA scheme include:

  • CPA products are approved for use up to IL3 (CTM products may be used up to IL2);
  • The criteria for approval recognise that threat levels differ even at the same Impact Level and provide for a Foundation and Augmented level of approval for each product.  This allows a product to be awarded Foundation level approval (relatively) quickly, while evaluation continues for Augmented level.
  • The process will accept evidence generated for other certification schemes, greatly reducing both the time and the cost to vendors of the approval process.  Hopefully this will be reflected in a much wider range of security enabling products being submitted for approval.
  • A wide range of security characteristics have been defined against which products can be tested.  The scheme has established 3 tiers of priority for initial product testing, ensuring that the most commonly required security mitigations are served first.

What Next?

Details of the transition from the CCTM scheme to CPA were published by CESG in February 2011.  Acceptance of new products for CCTM evaluation will end in December 2011, with no product certificates remaining in force after December 2012.  The CPA scheme goes live this month (April 2011) and of course, it remains to be seen how it works in practice.  In my opinion, it will stand or fall by how well it succeeds in reducing the time and cost burden on vendors seeking approval.  Success in that will ensure a wider range of solutions with security adequate to meet the business risk will be available to public sector customers, removing the need to over engineer their solutions in order to achieve accreditation.  When that happens, everyone wins, not least the UK tax payer.

5 Steps to Time Management in the Cloud

February 13, 2011 at 12:45 am | Posted in Collaboration, Home Office, Remote Working | Leave a comment
Tags: , , , , , , , , , ,

How many times have you agreed to a meeting  (or conference call or webex) and then, when you got back online, found that it clashes with another commitment?  No?  Well, it’s happened to me often enough that I decided I need to do something about it.

Up until the time (nearly 2 years ago now) when I stepped out of the corporate world and into independent consulting, I was happy to manage my work commitments through Outlook and Exchange server, conveniently relayed to me wherever I was through Blackberry.

When I set up Identigrate UK, the Outlook calendar on my home desktop PC became the heart of my time management strategy.   Judicious use of categories allowed me to distinguish between business and domestic commitments, while allowing MrsV1951 to act as unpaid diary manager in my absence.  Fine for starters, but as I figured out how to run a consulting operation, so I needed to add some sophistication.

Step 1 – Add a laptop

The ability to work at a client site makes a decent laptop an essential item of kit for any consultant.  The problem is, how to maintain a single coherent diary across both desktop and laptop, with the ability to make changes to either.  The answer proved to be very simple and – like a lot of things these days – came from Google.  I already had a Google account and, though I didn’t (and still don’t) make much use of Gmail, I am a big fan of Google Reader.  It was a simple matter to add Google Calendar and to install and configure the free calendar sync application on each of the two machines.

I have both machines set to sync once per hour, so on average their Outlook Calendars are up to date within 30 minutes.

Step 2 – Sync to iPhone

My next acquisition – and destined to become a vital part of my travelling toolkit – was my iPhone.  Now, I could send and receive emails on the road, in much the same way as I used to do with Blackberry.  Initially, I chose to sync the iPhone calendar to my Outlook calendar when I connected to iTunes.  Of course, this meant remembering to do this before setting out on each trip.  I needed to do better than that.  Once again, the answer lay with Google Calendar.  The iPhone can be configured to sync to Google Calendar, by adding it as a new Microsoft Exchange account.  If the iPhone is configured for Push delivery, then it will sync whenever you start the calendar app.

So, now, I have calendars on the desktop, laptop and iPhone.  I can add, delete or modify entries on any one of those devices and within a short time (say 30 minutes), it’s propagated to the other two devices.

Step 3 – Lotus Notes

In May 2010, I joined IBM Global Business Services and found myself with yet another laptop and yet another calendar to include in my synchronisation scheme.  This time however, I had to find a way of dealing with Lotus Notes.  The solution came in the form of CompanionLink,the only paid-for commercial product in my strategy.  CompanionLink is actually a very versatile tool, which can sync events, contacts and to do lists between a wide range of applications and mobile devices.  The version I used, CompanionLink Express limits you to one from each category to sync.  Once installed, it runs in the system tray on the laptop and connects to sync (you choose either one-way or two-way) according to a pre-defined schedule.

This brings our running total to 3 PCs/laptops and one iPhone all synchronised through a single Google Calendar, still with a latency of around 30 minutes to propagate a new entry to all the devices.

Step 4 – Add travel destinations

I’m a long-time user of LinkedIn and in the past, have occasionally used the built-in TripIt application for travel planning.  It occurred to me that, whether I use TripIt (on LinkedIn or through its website) to plan the details of a trip or not, it might be a useful way of just recording my whereabouts geographically.

TripIt supports iCal as a mechanism for keeping a calendar up to date with travel plans.  This facility is available for all the components of my sync strategy, with the exception of Lotus Notes, where I would need to upgrade to v8.5 to get iCal support.  However, there’s a small catch in this plan.  Subscribing a device (with Outlook, Notes, Google Calendar or iPhone) to an iCal feed actually creates a separate calendar on that device.  Google Calendar and iPhone will happily display all calendars simultaneously on a single display, but Outlook only allows you to view two separate calendar panes side by side.

Notwithstanding the small problems over display, the effect is that I can quickly and easily publish my whereabouts in advance and show them as an all day event on the calendar.  I can do this from within LinkedIn, via the TripIt website or using the TripIt widget in the Lotus Notes sidebar.

Step 5 – Publishing a schedule online

So, now I have a (more or less) single consistent view of my diary across all the devices I use and that view will update everywhere as soon as I make a change.  The last challenge then is to make that information available to others.  Of course, I could just give access to my Google Calendar, but that contains a lot of detail about my activities, both business and personal.  The solution came from fellow IBMer Emily O’Byrne.  I noticed that Emily points people to Tungle.me to view her schedule.  Tungle.me publishes your availability in real-time to interested parties and allows them to schedule a meeting or call with you at a time when you’re free.  Tungle does this by syncing with your existing calendar and works for people inside and outside your organisation.  It can sync simultaneously with multiple calendars and you have control over how much detail to share.

So, you can check out my schedule on tungle.me, which uses Google Calendar to show times when I’m available and uses TripIt to show where I am on any day when I’m travelling.

Try it Yourself

Back in the 1980s, as PCs were becoming available for the first time, the Managing Director of a major British computer company was asked if he’d be using one of his company’s new PCs.  He replied that if his life ever became so complicated that he needed a computer to manage his time, he’d change his lifestyle.  Now though, for many of us, it’s hard to imagine not using PCs, laptops, smart phones and the web to plan our activities and track down those that we deal with.

I’m not saying what I’ve described is the only way to get a single synchronised view, nor even necessarily the best way.  But, I am saying it works for me.  Try it out yourself and let me know how you get on.  If you find a neater way of doing things, I’d really like to hear!

Next Page »

Blog at WordPress.com. | The Pool Theme.
Entries and comments feeds.

Follow

Get every new post delivered to your Inbox.

Join 279 other followers