What is the best designed item you own?
I love great design: things that, from the second you see them, touch them or pick them up, you know how they work, and that have a rightness of fit and purpose. We are surrounded by great design, from simple everyday objects such as my favourite kitchen tongs to more complex electronic items, automobiles and buildings, but what is the one thing that stands out above everything else for you?
The reason I ask is that I have worked out mine. It is not particularly high tech, but it does employ design based in technology and material science rather than electronics or information technology. It is a BBQ, a very specific BBQ.
Bandwidth, the next layer of physical security?
The recently updated list of the Top 500 supercomputers has got me thinking about the physical limits that are part of security. Most of us are pretty familiar with the physical aspects of security: the bricks and mortar, locks, vaults, fortifications and suchlike that we have used over the last couple of millennia to protect our valuables. In the last couple of decades we have added another physical restraint, and that has been the power of computing. As the world has evolved so that data is our most valuable asset, we have relied both on applying physical security to our data and on more high-tech protection such as cryptography. Encrypting data is highly effective, that is if you have the computing horsepower to do it. However, if you have enough horsepower you can also decipher encrypted data without the keys.
So it is that, whilst many of the machines on the Top 500 list have well defined uses in commerce or research, it is also very likely that many of the machines, at least part time, will be used to crack codes, just as the original Colossus machine at Bletchley Park was used to assist in the deciphering of German Enigma encoded transmissions during WWII. Whilst the encoding used by the Enigma machine was strong for the 1940s, today it can be readily and quickly deciphered by a household PC. As computers such as those in the Top 500 list become ever more powerful, with thousands of cores linked by ever more complex interconnects, we will struggle to encrypt things in ways that cannot be broken by the brute force methods that these monsters enable. At some point the jump to quantum computing will occur, and small, cost effective devices will be able to decipher at near real time speeds encryption algorithms that are today considered too strong for practical attack. Before we get there we will need to find another physical constraint, and I think it will be bandwidth.
If only this worked
I was recently asked to explain to someone with very little programming or database experience what a SQL injection attack was because he had seen a reference to it in response to a photograph (below) posted on a forum.
If you know what a SQL injection attack is just think about speed cameras.
If you don’t, and wonder why these Polish guys have such a weird-looking licence plate, it goes something like this. At some point a speed camera will “read” the plate. The resulting licence plate number will be stored in a database. What the code on the front of this car does (well, it probably does not, as the Optical Character Recognition almost certainly only reads six or seven characters) is allow a bogus plate number, “ZU 0666”, to be inserted into the database, followed by an extra command that drops (deletes) the database. This kind of attack is usually used against web sites to allow an attacker to get access to data, but who knows, it may be of use to speeding Polish motorists.
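To make the mechanism concrete from the defender's side, here is an added example (not code from the original post or from any speed camera vendor) using Python's built-in sqlite3 module. The table name plates, the regular expression for a plate, and the hostile plate string are all constructed for the illustration. The vulnerable version pastes the OCR output straight into the SQL text, so a value shaped like "bogus plate, close the quote, add a DROP" is executed as two statements; executescript() stands in for a database driver that accepts stacked statements. The corrected version binds the value as a parameter, so the very same string is stored harmlessly as a plate number, and a third version adds an allow-list check in front of that, since a plate that OCR could genuinely produce never contains quotes or semicolons.

```python
import re
import sqlite3

# Constructed sample inputs: an ordinary plate and one carrying the kind of
# stacked SQL the post describes (a bogus value followed by a DROP command).
# The table name "plates" is an assumption made for this example.
GOOD_PLATE = "ZU 0666"
HOSTILE_PLATE = "ZU 0666'); DROP TABLE plates; --"

# Allow-list for what a camera's OCR could plausibly emit: letters, digits,
# at most one space. Anything else is rejected before it reaches the database.
PLATE_RE = re.compile(r"^[A-Z0-9]{1,4} ?[A-Z0-9]{1,4}$")


def new_db():
    """Fresh in-memory database holding an empty plates table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plates (id INTEGER PRIMARY KEY, number TEXT NOT NULL)")
    return conn


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def record_plate_unsafe(conn, plate):
    """The vulnerable pattern: OCR output is spliced into the SQL text.
    executescript() models a driver that runs stacked statements, so the
    closing quote in the input ends the INSERT and the DROP runs as well."""
    sql = f"INSERT INTO plates (number) VALUES ('{plate}');"
    conn.executescript(sql)


def record_plate_safe(conn, plate):
    """Parameterised insert: the value is bound, never parsed as SQL, so the
    hostile string simply becomes a (strange) stored plate number."""
    conn.execute("INSERT INTO plates (number) VALUES (?)", (plate,))
    conn.commit()


def record_plate_validated(conn, plate):
    """Defence in depth: reject anything not plate-shaped, then bind the value.
    Returns True if the plate was stored, False if it was rejected."""
    if not PLATE_RE.fullmatch(plate):
        return False
    record_plate_safe(conn, plate)
    return True


def stored_numbers(conn):
    """All plate numbers currently in the table, in insertion order."""
    return [r[0] for r in conn.execute("SELECT number FROM plates ORDER BY id")]


def demo():
    """Run the three variants against fresh databases and report what survived."""
    results = {}

    conn = new_db()
    record_plate_unsafe(conn, HOSTILE_PLATE)
    results["unsafe_table_survives"] = table_exists(conn, "plates")

    conn = new_db()
    record_plate_safe(conn, HOSTILE_PLATE)
    results["safe_table_survives"] = table_exists(conn, "plates")
    results["safe_stored"] = stored_numbers(conn)

    conn = new_db()
    results["validated_accepts_good"] = record_plate_validated(conn, GOOD_PLATE)
    results["validated_rejects_hostile"] = record_plate_validated(conn, HOSTILE_PLATE)
    results["validated_stored"] = stored_numbers(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the table gone after the unsafe insert, intact after the parameterised one (with the whole hostile string sitting in the number column), and the hostile input never reaching the database at all once the allow-list is in front. Parameter binding is the fix that matters; the allow-list is the cheap extra check that also catches OCR garbage.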
Twitter for bot herders today and you and me tomorrow
I just spotted the latest reports on the use of Twitter as a command and control system for bots. In this article from Dan at the Register there is a description of TwitterNet Builder and how it can be quickly and simply used to build an interface that enables a Twitter account to be used to control bots on infected machines. A useful technique in a time where the industry and law enforcement agencies are getting increasingly successful at cracking down on IRC based C&C networks.
No doubt the cyber-criminals’ use of Twitter will become refined. Whilst I will not, for obvious reasons, describe them here, I can see how very simply it would be possible to build a mechanism using a combination of public and hard-to-detect private accounts that provides the resilience the bot herders require.
However, it has made me wonder what benign uses this could be put to. Want to turn the lights on at home when you are travelling? One tweet and it is done. Need a secondary or tertiary factor for a password reset or secure transaction? Tweet it. The options could be endless.
The Running Shoes Analogy
There were two men being chased by a lion. Suddenly one of them stops and buys a pair of running shoes. The other runner asks him what he is doing, as he will never outrun the lion. The guy who has now put on the shoes says he knows that, but it means he will outrun the other runner, leaving him to the lion.
This story was told by Adrian Seccombe, the recently retired CISO of Eli Lilly, during the Q&A session at a lecture I gave this afternoon at my old college, in response to a question from one of the students who asked if we will ever win the battle against cybercrime. Apparently I am in the business of making and selling running shoes!
Mobile Apps, Augmented Reality, Queues, Fresh Air and Encryption Acquisitions
or three days at Infosec Europe, as it is also known.
Undoubtedly one of the best shows in a long time. There was very good buzz around the show and genuine interest and awareness in the current issues from the visitors.
The Symantec stand was especially busy. Our UK marketing team did a great job on the event. In conjunction with the exhibitors we created a very popular app for the iPhone, iPad and BlackBerry (but unfortunately not all models), which received over 10,000 downloads, placing it at #4 in the Apple App Store business chart, which is pretty impressive bearing in mind the show usually has around 12,500 visitors. We also had our Augmented Reality game, which was a massive draw through a combination of the prizes, which included three iPads, and the game itself, which involved showing the back of a flyer about the size of a beer mat to a web cam mounted over our main presentation screen. The AR software then recognised the shape on the flyer and animated, in 3D, a box that would grow out of the symbol and then open to reveal what they had won. At times we had to have staff acting as queue managers, as the queues were so long that we started to annoy competitors.
Annual shows like Infosec act like a set of lungs, contracting at times and expanding at others. This was a year of expansion, with small alveoli-like stands opening up around the perimeter, all stocked with innovative solutions. They help to create a real buzz, as they actively market their attendance at the show and bring people in. This inhaling is like the industry taking a breath of fresh air.
To round the show off at lunchtime on the last day Symantec announced the acquisition of PGP Corporation and Guardian Edge Technologies. Whilst we are unable to have any formal contact with these organisations until the deal closes we did drop by the PGP stand on our way out just to acknowledge their presence and realised that from our happy band of brothers and sisters only one person was not themselves the result of an acquisition.
The real security issue with Twitter
I like Twitter. I know it has its problems, like broadcasting your location to all and sundry, which does result in some amusing tweets, like this pair I spotted from Rich Mogull this morning:
rmogull
Me. Wife. Local IPA. Beach. Dinner. Sunset. Did I mention Maui
rmogull
Don’t worry - we have an alarm system, someone staying at our house, and an attack cat. She’s very cute.
but that is not what I am worried about. What I am concerned about is something else, and, what with Mr Mogull being the informed security guy he is, I cannot use something from his Twitter stream as an example. So I will have to pick on a celebrity, say Stephen Fry.
stephenfry
I’m really not tweeting, book so achingly close to completion. But this is time sensitive so – http://tinyurl.com/y4avzcj – good cause x
Are the likes of Kaseya and Level Platforms going to become the new Distis?
I have been thinking about Remote Monitoring and Management (RMM) or what are also known as Managed Service Platform vendors quite a lot recently, players like Kaseya, Level Platforms, n-able etc. What I have been considering is not their technology which is fascinating or what it is being used for but the fundamental business model that they are driving. I have realized that it possibly pays to look at them as you would Google, where instead of seeing the leaders in search you find the most powerful force in advertising. When I look at these guys I now see the future of software and service distribution.
Why I will not be buying an iPad
…… well, not just yet anyway. Do not get me wrong, I think the iPad, and in fact HP’s forthcoming Slate, is a great product. I can see the use cases in my own life that they would both nicely fill, and I can see how they will work for others. I can also envisage great new uses, such as creating inexpensive interactive remote controls for home automation or, if ruggedized in some way, in the pit lane as a timer, comms and diagnostic device.
I am, however, still not going to rush out to get one, even though I will be in the US in a few weeks and I am sure that with some patience I will find one for sale. It is not the lack of 3G support, which we will have to wait until summer for, that is putting me off either; for most of my use cases wifi is just fine.
The reason I will wait is that I refuse to be part of what I have decided to call the Fanboi Exploitation Process.