<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: terrible]]></title>
    <link>http://securityratty.com/tag/terrible</link>
    <description></description>
    <pubDate>Tue, 05 Aug 2008 02:36:44 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Chairman Tata Surprised by Tricky Terrorists]]></title>
      <link>http://securityratty.com/article/7b4520b092d5aedad18be187c5cd3069</link>
      <guid>http://securityratty.com/article/7b4520b092d5aedad18be187c5cd3069</guid>
      <description><![CDATA[Chairman Ratan Tata, whose company owns the Taj hotel in Mumbai, gave a frank and honest interview to CNN. I would imagine that the Tata Group's PR people and General Counsel are scrambling at the...]]></description>
      <content:encoded><![CDATA[Chairman Ratan Tata, whose company owns the Taj hotel in Mumbai, gave a frank and honest interview to CNN. I would imagine that the Tata Group's PR people and General Counsel are scrambling at the moment trying to do as much damage control as possible. <br /><span id="fullpost"><br />The sad part of this unfolding story is the feeling one gets that the terrible loss of life at the hotel may have been prevented or at least mitigated had proper security measures been implemented and if the security that had been in place prior to the attack had not been removed. <br /></span><br />One eyewitness who stayed at the hotel a week before the terrorist assault spoke about metal detectors and baggage being checked. The same witness then went on to say that those security measures had been removed within the last week, allowing people to enter without being checked.<br /><br />The most surprising news to surface must be the Chairman's comments regarding the terrible event. Unbelievably, he actually said: "They knew what they were doing and they did not go through the front. All of our arrangements were on the front entrance".<br /><br />Who is Tata's security advisor, a kitchen worker? Actually, he might have been better off if that were the case, since the terrorists entered the hotel through the rear kitchen door. ANNOUNCEMENT TO ALL CHAIRMEN AND CEOs: Terrorists are Tricky. That is their job. They are watching your businesses and will do the opposite of what you expect. <br /><br />In the case of the TAJ HOTEL, you made it easy for them. Did nobody in Mumbai ever stop to think that a bad person can go through the back door?
It is one thing for a cafe in a pedestrian area to be attacked, as anyone can walk right by or walk through the front and open fire, but how can a major landmark that attracts Western visitors drop its security measures AFTER it has received terrorist alert warnings that the hotel may be the target of terrorist attacks? <br /><br />I don't know if it was the case with the Taj Hotel, but cutting corners where security is concerned is commonplace in corporate culture. Security is often seen as a necessary evil and usually the first department to experience budgetary cutbacks. It is very difficult to convince some clients that nothing happening is really a good thing and that cutting out security may open the door to evil.<br /><br />This appears to have been the case with the Taj. There is no doubt that the terrorists had conducted hundreds of hours of surveillance in and around Mumbai. Was it a coincidence that the attack occurred the week after security measures had been removed? What might have been the result if security had remained tight (if you could call watching the front entrance and disregarding the back "tight security")? Maybe the terrorists would have held back another month or two...maybe in that time they would have been detected...<br /><br />One thing is for certain: places like the Taj Hotel have to get serious about security. Mr. Tata's claim that "If I look at what we had...it could not have stopped what took place" must be replaced by more progressive, proactive thinking. If the Tata Group had spent an adequate amount of funding on ensuring that a strict security policy was in force - if only for the period in question - then they might not now be facing a 5 billion rupee reconstruction bill. Who knows how high the civil suits against the Taj will run when compensation and punitive costs are calculated.
<br /><br />Kudos though to Chairman Tata for at least recognizing that the Indian authorities may not be able to handle the situation on their own. "These attacks underscore the need for Law Enforcement to seek outside expertise for training, equipment and strategic operations", he said.<br /><br />We agree, Mr. Tata. We also hope that you will recognize the need for the Tata Group to seek similar outside expertise to assist you with your security planning and training.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Sun, 30 Nov 2008 22:29:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security measures">security measures</category>
      <category domain="http://securityratty.com/tag/proper security measures">proper security measures</category>
      <category domain="http://securityratty.com/tag/tata">tata</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security advisor">security advisor</category>
      <category domain="http://securityratty.com/tag/chairman tata">chairman tata</category>
      <category domain="http://securityratty.com/tag/chairman rata tata">chairman rata tata</category>
      <category domain="http://securityratty.com/tag/taj">taj</category>
      <category domain="http://securityratty.com/tag/taj hotel">taj hotel</category>
      <source url="http://www.thebulletproofblog.com/2008/11/chairman-tata-surprised-by-tricky.html">Chairman Tata Surprised by Tricky Terrorists</source>
    </item>
    <item>
      <title><![CDATA[Aussie govt: Don't criticize our (terrible) 'Net filters]]></title>
      <link>http://securityratty.com/article/4f62854b89a3eef80c87be830603b24c</link>
      <guid>http://securityratty.com/article/4f62854b89a3eef80c87be830603b24c</guid>
      <description><![CDATA[Stephen Conroy, Australia's Minister For Broadband, Communications and the Digital Economy, gets called to task by an Australian newspaper for ignoring bad results from Internet filtering field tests...]]></description>
      <content:encoded><![CDATA[Stephen Conroy, Australia's Minister For Broadband, Communications and the Digital Economy, gets called to task by an Australian newspaper for ignoring bad results from Internet filtering field tests and for attempting to stifle his critics.]]></content:encoded>
      <pubDate>Sat, 25 Oct 2008 12:00:01 +0000</pubDate>
      <category domain="http://securityratty.com/tag/australian newspaper">australian newspaper</category>
      <category domain="http://securityratty.com/tag/digital economy">digital economy</category>
      <category domain="http://securityratty.com/tag/bad results">bad results</category>
      <category domain="http://securityratty.com/tag/field tests">field tests</category>
      <category domain="http://securityratty.com/tag/stifle">stifle</category>
      <category domain="http://securityratty.com/tag/internet">internet</category>
      <category domain="http://securityratty.com/tag/broadband">broadband</category>
      <category domain="http://securityratty.com/tag/australia">australia</category>
      <category domain="http://securityratty.com/tag/task">task</category>
      <source url="http://digg.com/security/Aussie_govt_Don_t_criticize_our_terrible_Net_filters">Aussie govt: Don't criticize our (terrible) 'Net filters</source>
    </item>
    <item>
      <title><![CDATA[The More Things Change, the More They Stay the Same]]></title>
      <link>http://securityratty.com/article/12ab611c9b823e0e31278b582051d7cf</link>
      <guid>http://securityratty.com/article/12ab611c9b823e0e31278b582051d7cf</guid>
      <description><![CDATA[Guess the year: Murderous organizations have increased in size and scope; they are more daring, they are served by the most terrible weapons offered by modern science, and the world is nowadays...]]></description>
      <content:encoded><![CDATA[<p>Guess the year:</p>

<blockquote>Murderous organizations have increased in size and scope; they are more daring, they are served by the most terrible weapons offered by modern science, and the world is nowadays threatened by new forces which, if recklessly unchained, may some day wreck universal destruction. The Orsini bombs were mere children's toys compared with the later developments of infernal machines. Between 1858 and 1898 the dastardly science of destruction had made rapid and alarming strides...</blockquote>

<p>No, that wasn't a typo.  "Between 1858 and 1898...."  This quote is from Major Arthur Griffith, <a href="http://query.nytimes.com/mem/archive-free/pdf?res=9907E7D8153DE633A25757C0A9659C94689ED7CF"><i>Mysteries of Police and Crime</i></a>, London, 1898, II, p. 469.  It's quoted in: Walter Laqueur, <a href="http://www.amazon.com/History-Terrorism-Walter-Laqueur/dp/0765807998/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1223482236&sr=8-1"><i>A History of Terrorism</i></a>, New Brunswick/London, Transaction Publishers, 2002.</p>]]></content:encoded>
      <pubDate>Fri, 10 Oct 2008 08:30:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/major arthur griffith">major arthur griffith</category>
      <category domain="http://securityratty.com/tag/orsini bombs">orsini bombs</category>
      <category domain="http://securityratty.com/tag/murderous organizations">murderous organizations</category>
      <category domain="http://securityratty.com/tag/infernal machines">infernal machines</category>
      <category domain="http://securityratty.com/tag/transaction publishers">transaction publishers</category>
      <category domain="http://securityratty.com/tag/terrible weapons">terrible weapons</category>
      <category domain="http://securityratty.com/tag/dastardly science">dastardly science</category>
      <category domain="http://securityratty.com/tag/walter laqueur">walter laqueur</category>
      <category domain="http://securityratty.com/tag/modern science">modern science</category>
      <source url="http://www.schneier.com/blog/archives/2008/10/the_more_things.html">The More Things Change, the More They Stay the Same</source>
    </item>
    <item>
      <title><![CDATA[Innovators, Imitators and Idiots]]></title>
      <link>http://securityratty.com/article/9f0fb5a40e7304e54d82bd150f69993b</link>
      <guid>http://securityratty.com/article/9f0fb5a40e7304e54d82bd150f69993b</guid>
      <description><![CDATA[Charlie Rose interviews Warren Buffett


Charlie Rose
And so when you look at where we are going, there seems to be two issues that are apparent to me at least, risk and leverage. We just lost sight...]]></description>
      <content:encoded><![CDATA[<p>Charlie Rose <a href="http://www.cnbc.com/id/26982338/page/2/">interviews</a> Warren Buffett:</p>
<blockquote><p><strong>Charlie Rose:</strong><br />And so when you look at where we are going, there seems to be two issues that are apparent to me at least, risk and leverage. We just lost sight of risk and leverage of what was appropriate?</p>
<p><strong>Warren Buffett:</strong><br />Yeah. Again, because it pays off for a while. You know, you can lose leverage, and it's the only way a smart guy can go broke. If you owe money, you can't pay them out. You just pay for everything, you do smart things, you eventually get very rich. If you do smart things and use leverage and do one wrong thing along the way, it could wipe you out, because anything times zero is zero. But it's reinforcing when the people around you are doing it successfully, you're doing it successfully, and it's a lot like Cinderella at the ball. I mean you know at midnight everything is going to turn to pumpkins and mice; right? But if the evening goes along, I mean, you know, the guys look better all the time, the music sounds better, it's more and more fun, you think why the hell should I leave at quarter of 12. I'll leave at two minutes to 12. But the trouble is, there are no clocks on the wall. And everybody thinks they're going to leave at two minutes to 12.</p></blockquote>
<p>It's effectively the job of leadership to know when to take the punch bowl away and to have the credibility to do this. This is also the risk-reward balance that infosec must try to strike; part of the answer is differentiating <a href="http://1raindrop.typepad.com/1_raindrop/2007/11/dhandho-infosec.html">risk and uncertainty</a>. As our current financial situation shows, it's a hard thing to pull off.</p>
<blockquote><p><strong>Charlie Rose:</strong><br />And should wise people have known better?</p>
<p><strong>Warren Buffett:</strong><br />People should always know better.</p>
<p><strong>Charlie Rose:</strong><br />Yeah.</p>
<p><strong>Warren Buffett:</strong><br />I mean people -- people don't get -- they don't get smarter about things that get as basic as greed and you can't stand to see your neighbor getting rich. You know you're smarter than he is, and he's doing these things, you know, and he's getting rich, and your spouse is getting unhappy with you because you aren't doing -- pretty soon you start doing it. And so you get what I call the natural progression, the three Is. The innovators, the imitators, and the idiots. And that's what happens. Everybody just kind of goes along. And you look kind of silly if you disagree. I mean, you know, you could have these crazy Internet valuations in the late 1990s, but they prove themselves out in the market. The next day they were selling for more than they were the day before, and people said, you know, you're crazy if you don't get in on this. So it's very human. Now, with housing it's something even more dramatic than that, because most people aspire to own their own home. And if you really think that house prices are going to go up next year and the year after, you feel if I don't buy it this year, I'm going to have to buy it next year. That's not true of an Internet stock. But it's true of a home. And when somebody makes it very easy for you to do it by saying you don't really have to put up my money, you can lie about your income a little, or we'll give you 100 percent mortgage, you're going to do it, because everybody that's done it has been proven right. You have what they call social tools, and, you know, you're going to feel like an idiot if you didn't do it, because the house cost more.</p></blockquote>
<p>And this is why it's hard to pull off. There is a lot of human emotion and envy (*). I think the point Buffett raises about innovators, imitators and idiots is a useful one for infosec. We see all kinds of new projects and technologies that have risks and rewards associated with them; it's helpful to categorize these under innovation (high risk but possible game changer), imitators (so-called best practices), and idiots (sheep mode - blind risk acceptance). We can get some traction here to use these concepts to understand what to do when assessing, say, the architectural and operational risk of a system.</p>
<p>Finally, we should always spend some time to consider infosec decisions in a broader long-term economic context, and this is also true of our current financial crisis.</p>
<blockquote><p><strong>Warren Buffett:</strong><br />Oh, I think confidence will come back. I will tell you this. This country is going -- be living better ten years from now than it is now. It will be living better in 20 years from now than ten years from now. The ingredients that made this country, you know, the miracle of the world -- I mean we had a seven for one improvement in the average American standard of living in the 20th century. Now, we had the great depression, we had two world wars, we had the flu epidemic. You know, we had oil shock. You know, we had all these terrible things happen. But something about the American system unleashed more and of a potential to human beings over that hundred years so that we had a seven for one improvement in -- there's never been any -- I mean, you have centuries where if you've got a 1 percent improvement, then it's something. So we've got a great system. And we've got more productive capacity now than we ever have. The American worker is more productive than he's ever been. We've got more people to do it. We've got all the ingredients for a sensational future. It's just that right now the athlete's on the floor. But we -- this is a super athlete.</p></blockquote>
<p>Again, we want to look at risk events in a broader, long-term context. In Buffett's words: "be fearful when others are greedy and greedy when others are fearful." As the world panics and Jim Cramer is melting down on TV, Buffett is quietly writing checks with both hands, buying $3B of GE, $5B of Goldman, $6.5 of Wrigley/Mars and so on. Uncertainty is one thing, it could be 6 months it could be 5 years until this thing turns around, but risk is another - you hedge your risk with price and long-term advantages, i.e. moats. People will still eat candy in a bad economy.</p>
<p>* Buffett's partner Charlie Munger calls envy the stupidest of the seven deadly sins, because only you feel bad; there is an upside to all the others. He said you can pay someone on Wall St $2 million a year and they will be perfectly happy until they find out someone across the hall is making $2.1 million and then they will be miserable. Which is an insane way to live.</p>]]></content:encoded>
      <pubDate>Tue, 07 Oct 2008 04:32:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/oeprational risk">oeprational risk</category>
      <category domain="http://securityratty.com/tag/risk events">risk events</category>
      <category domain="http://securityratty.com/tag/risk-reward balance">risk-reward balance</category>
      <category domain="http://securityratty.com/tag/wise people">wise people</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/buffett raises">buffett raises</category>
      <category domain="http://securityratty.com/tag/buffett">buffett</category>
      <category domain="http://securityratty.com/tag/blind risk acceptance">blind risk acceptance</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/10/innovators-imitators-and-idiots.html">Innovators, Imitators and Idiots</source>
    </item>
    <item>
      <title><![CDATA[Sarah Palin's E-Mail]]></title>
      <link>http://securityratty.com/article/22bb4b94d574654a5aab8a33a6ec3144</link>
      <guid>http://securityratty.com/article/22bb4b94d574654a5aab8a33a6ec3144</guid>
      <description><![CDATA[People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked. I've already written about the security problems with &quot;secret questions&quot; back in 2005: The point of all...]]></description>
      <content:encoded><![CDATA[<p>People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked.  I've <a href="http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html">already written</a> about the security problems with "secret questions" back in 2005:</p>

<blockquote><p>The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.</p>

<p>The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.</p></blockquote>]]></content:encoded>
      <pubDate>Wed, 24 Sep 2008 12:01:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/password">password</category>
      <category domain="http://securityratty.com/tag/current password">current password</category>
      <category domain="http://securityratty.com/tag/questions">questions</category>
      <category domain="http://securityratty.com/tag/secret questions">secret questions</category>
      <category domain="http://securityratty.com/tag/random password">random password</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/normal security protocol">normal security protocol</category>
      <category domain="http://securityratty.com/tag/backup password">backup password</category>
      <category domain="http://securityratty.com/tag/secret question">secret question</category>
      <source url="http://www.schneier.com/blog/archives/2008/09/sarah_palins_e-.html">Sarah Palin's E-Mail</source>
    </item>
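The quoted post's point, that an account is only as strong as its weakest authentication path, can be made concrete. The Python below is an added example, not code from Schneier's post or from Yahoo: it models an online attacker with a small guess budget against three ways into an account (a random password, a "first pet" secret question, and a random recovery token) and shows which path a rational attacker picks. The pet-name frequencies are constructed for illustration, and the RecoveryTokens class is a hypothetical sketch of a fallback that does not weaken the account.

```python
"""
Modelling the "backup password" problem: an online attacker takes the cheapest
authentication path, so an account is only as strong as its weakest one.
Added example; the pet-name frequencies below are constructed, not real data.
"""
import hashlib
import hmac
import secrets
import time

# Constructed (illustrative) answer distribution for "your first pet's name".
# Real distributions are skewed the same way: a handful of names dominate.
PET_NAME_FREQ = {
    "max": 0.12, "bella": 0.10, "charlie": 0.08, "lucy": 0.07, "buddy": 0.06,
    "daisy": 0.05, "rocky": 0.04, "molly": 0.04, "bailey": 0.03, "sadie": 0.03,
}
TAIL_NAMES = 5000   # the remaining probability mass is spread evenly over a long tail


def skewed_success(freq, tail_names, k):
    """Probability that k guesses, taken in most-likely-first order, hit the
    real answer when answers follow a skewed distribution."""
    heads = sorted(freq.values(), reverse=True)
    tail_each = (1.0 - sum(heads)) / tail_names
    p = sum(heads[:k])
    if k > len(heads):                              # budget left over for the tail
        p += min(k - len(heads), tail_names) * tail_each
    return min(p, 1.0)


def uniform_success(space_size, k):
    """Probability that k guesses hit a secret drawn uniformly from a space."""
    return min(k / space_size, 1.0)


# Each way into the account, as a function of the attacker's guess budget k.
# k is small for an online attack against a rate-limited login or reset form.
PATHS = {
    "password (8 random alphanumerics)": lambda k: uniform_success(62 ** 8, k),
    "secret question (first pet)": lambda k: skewed_success(PET_NAME_FREQ, TAIL_NAMES, k),
    "recovery token (128-bit, single use)": lambda k: uniform_success(2 ** 128, k),
}


def weakest_path(paths, k):
    """The path a rational attacker goes after: highest success probability for
    the same budget. With a secret question present that is never the password,
    so the password's strength stops mattering."""
    name = max(paths, key=lambda n: paths[n](k))
    return name, paths[name](k)


class RecoveryTokens:
    """Hypothetical fallback that does not lower the account's strength: a random,
    single-use, short-lived token delivered over a verified channel and stored
    only as a hash. It replaces the secret question rather than supplementing it."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}          # sha256(token) hex -> (user, expiry time)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)           # 128 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, now + self.ttl)
        return token    # deliver out of band; the plaintext is never stored

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored in list(self._pending):
            if hmac.compare_digest(stored, digest):          # constant-time match
                user, expiry = self._pending.pop(stored)     # burn it, used or expired
                return user if expiry >= now else None
        return None


if __name__ == "__main__":
    for budget in (1, 10, 100):
        name, p = weakest_path(PATHS, budget)
        print(f"{budget:>4} guesses: attack via {name}, success {p:.2%}")
    store = RecoveryTokens()
    tok = store.issue("alice")
    print("token redeemed for:", store.redeem(tok), "| replay:", store.redeem(tok))
```

With ten guesses the secret-question path succeeds 62% of the time in this constructed model, while the eight-character random password is effectively unguessable online; the two are only ever as strong as the weaker of them. The token store shows the fix: a fallback whose guess space matches or exceeds the primary credential, with expiry and single use so a leaked token is worthless after redemption.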
    <item>
      <title><![CDATA[Linksys WRT610N Review]]></title>
      <link>http://securityratty.com/article/edcd9863740d597dbc3a37c18f2e59ff</link>
      <guid>http://securityratty.com/article/edcd9863740d597dbc3a37c18f2e59ff</guid>
      <description><![CDATA[My review of the Linksys WRT610N at Macworld: The router works quite well at handling Wi-Fi and other functions, but is terrible at working with Mac OS X, one of the advertised features of the...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.macworld.com/article/135222/2008/09/linksyswrt610n.html"><strong>My review of the Linksys WRT610N at Macworld:</strong></a> The router works quite well at handling Wi-Fi and other functions, but is terrible at working with Mac OS X, one of the advertised features of the product. The WRT610N is a revised design of the previous simultaneous dual-band (2.4/5 GHz) Draft N WRT600N model which had far worse problems. </p>

<p>Linksys addressed many of my concerns with that previous device. The 610N can mount a drive and share it via SMB and FTP, have two full-speed connections running over both bands without skipping a beat, and supports several methods of getting the one-click WPS (Wi-Fi Protected Setup) to work. Read the review for all the details, but I can't recommend this router to Mac users with any needs beyond basic networking; I'm perfectly happy to give it a full thumbs-up for Windows XP and Vista users, however.</p>

<p><img src="http://wifinetnews.com//images/2008/WRT610N_M.jpg" alt="WRT610N_M.jpg" border="0" width="229" height="111" /></p>

<p>WPS is a particular mess, by the way. Linksys has four somewhat distinct methods of using WPS to enable a password-free encrypted connection between a client and a base station: a button on the front that, when pressed, turns on WPS; and three modes (one of them similar to that button) accessible via their Web configuration software. One option is to get the base station to create a short PIN that's then entered on the client system as an out-of-band confirmation that there's no man in the middle.</p>

<p>Apple, by contrast, has a single way of joining a WPS-offering base station: it displays the network's name in bold. Select the network, and Mac OS X displays a key code that needs to be entered on the base station. But the WRT610N can't handle that option. If you put the WRT610N into a mode in which Apple can spot the device as offering a WPS handshake, you can't enter the code into the Linksys router!</p>

<p>This shows that there are still rough edges in the WPS protocol if two of the highest-selling makers of Wi-Fi gear can manage not to mesh their respective options. (Apple declined to comment for my Macworld story; Linksys confirmed the lack of compatibility, but put the burden on Apple's doorstep.)</p>]]></content:encoded>
      <pubDate>Tue, 16 Sep 2008 05:27:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wrt610n">wrt610n</category>
      <category domain="http://securityratty.com/tag/linksys wrt610n">linksys wrt610n</category>
      <category domain="http://securityratty.com/tag/linksys">linksys</category>
      <category domain="http://securityratty.com/tag/wps protocol">wps protocol</category>
      <category domain="http://securityratty.com/tag/wps">wps</category>
      <category domain="http://securityratty.com/tag/base station">base station</category>
      <category domain="http://securityratty.com/tag/linksys router">linksys router</category>
      <category domain="http://securityratty.com/tag/one-click wps">one-click wps</category>
      <category domain="http://securityratty.com/tag/wps handshake">wps handshake</category>
      <source url="http://wifinetnews.com/archives/008441.html">Linksys WRT610N Review</source>
    </item>
    <item>
      <title><![CDATA[Senator Obama's security concerns]]></title>
      <link>http://securityratty.com/article/ce6e50c5b4d179e0d726e937841e4dde</link>
      <guid>http://securityratty.com/article/ce6e50c5b4d179e0d726e937841e4dde</guid>
      <description><![CDATA[It appears as if the authorities in Colorado are trying to downplay the reported assassination plot of Senator Obama. Question is: how real was it? It would certainly appear that the suspects were...]]></description>
      <content:encoded><![CDATA[It appears as if the authorities in Colorado are trying to downplay the reported assassination plot of Senator Obama. Question is: how real was it?<br /><span id="fullpost"><br /><br />It would certainly appear that the suspects were preparing for something out of the ordinary, as they were reported as having a bullet proof vest and a high powered rifle with telescopic scope in their possession when apprehended. The fact that one of them was described by his cohort as a "white supremacist" who did not believe that a man of color could be the President of the U.S.A. is surely telling.<br /><br />These three criminals were caught in much the same manner as the domestic terrorist, Timothy McVeigh. A diligent policeman was doing his duty and pulled over the first suspect on a traffic stop. Some may call that luck, but having been a Law Enforcement officer, I look upon it as good Police work. Many others might not have noticed the one little sign that made that officer suspicious and prompted him to check out the driver of the van.<br /><br />That is why security can never rest. Whether it is foiling a potential terrorist plot or finding a child who has been abducted, we must always remain vigilant. It is a shame that there are those who believe a man is inferior based upon the color of his skin. It is even more terrible to realize that such a person would be willing to kill another based on racial hatred. <br /><br />Unfortunately, this is a sad fact of life and steps need to be taken to thwart those disturbed individuals. Was this latest episode a non-event, or by dismissing it are we attempting to sweep the shame of racism under the carpet? I, for one, don't think that we should take these warnings lightly. After all, it has been 45 years and people still debate the assassination of JFK.
We still hear it being said that Lee Harvey Oswald was incapable of carrying out the killing himself.<br /><br />I recently watched a documentary on the assassination of Robert Kennedy, produced on the 40th anniversary of his death.  When interviewed, the brother of the asssassin claims that his brother was too nice a guy to do something so awful. The fact of the matter however, is that both Kennedys were brutally gunned down.  I am sure it is something that nobody ever wants to see repeated.  <br /><br />Let us hope that whomever succeeds as President in November has a long and healthy Presidency and helps to allevitae the problems that have been piling up.<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Fri, 29 Aug 2008 14:42:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/assassination">assassination</category>
      <category domain="http://securityratty.com/tag/senator obama">senator obama</category>
      <category domain="http://securityratty.com/tag/assassination plot">assassination plot</category>
      <category domain="http://securityratty.com/tag/potential terrorist plot">potential terrorist plot</category>
      <category domain="http://securityratty.com/tag/based">based</category>
      <category domain="http://securityratty.com/tag/law enforcement officer">law enforcement officer</category>
      <category domain="http://securityratty.com/tag/inferior based">inferior based</category>
      <category domain="http://securityratty.com/tag/lee harvey oswald">lee harvey oswald</category>
      <category domain="http://securityratty.com/tag/bullet proof vest">bullet proof vest</category>
      <source url="http://www.thebulletproofblog.com/2008/08/senator-obamas-security-concerns.html">Senator Obama's security concerns</source>
    </item>
    <item>
      <title><![CDATA[Hacking Mifare Transport Cards]]></title>
      <link>http://securityratty.com/article/3a7dba1bb2685c0c225ca69eddd304c7</link>
      <guid>http://securityratty.com/article/3a7dba1bb2685c0c225ca69eddd304c7</guid>
      <description><![CDATA[London's Oyster card has been cracked , and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the...]]></description>
      <content:encoded><![CDATA[<p>London's Oyster card has been <a href="http://www.guardian.co.uk/technology/2008/jun/26/hitechcrime.oystercards">cracked</a>, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won't be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.</p>

<p>Here's the story. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. That chip, the "Mifare Classic" chip, is used in hundreds of other transport systems as well — Boston, Los Angeles, Brisbane, Oslo, Amsterdam, Taipei, Shanghai, Rio de Janeiro — and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world.</p>

<p>The security of Mifare Classic is terrible. This is not an exaggeration; it's kindergarten cryptography. Anyone with any security experience would be embarrassed to put his name to the design. NXP attempted to deal with this embarrassment by keeping the design secret.</p>

<p>The group that <a href="http://www.ru.nl/ds/research/rfid/">broke</a> Mifare Classic is from Radboud University Nijmegen in the Netherlands. They <a href="http://technology.timesonline.co.uk/tol/news/tech_and_web/article4184481.ece">demonstrated the attack</a> by riding the Underground for free, and by <a href="http://www.youtube.com/watch?v=NW3RGbQTLhE">breaking into</a> a building. Their two papers (one is already <a href="http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf">online</a>) will be published at <a href="http://www.scc.rhul.ac.uk/CARDIS/">two</a> <a href="http://www.isac.uma.es/esorics08/">conferences</a> this autumn.</p>

<p>The second paper is the one that NXP <a href="http://news.cnet.com/8301-10784_3-9985886-7.html?hhTest=1">sued</a> <a href="http://www.secureidnews.com/news/2008/07/10/nxp-sues-to-prevent-hackers-from-releasing-mifare-flaws/">over</a>. They called disclosure of the attack "irresponsible," warned that it will cause "immense damages," and claimed that it "will jeopardize the security of assets protected with systems incorporating the Mifare IC." The <a href="http://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&amp;searchtype=ljn&amp;ljn=BD7578&amp;u_ljn=BD7578">Dutch court</a> would have none of it:  "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."</p>

<p>Exactly right. More generally, the notion that secrecy supports security is <a href="http://www.schneier.com/crypto-gram-0205.html#1">inherently flawed</a>. Whenever you see an organization claiming that design secrecy is necessary for security — in ID cards, in voting machines, in airport security — it invariably means that its security is lousy and it has no choice but to hide it. Any competent cryptographer would have designed Mifare's security with an open and public design.</p>

<p>Secrecy is fragile. Mifare's security was based on the belief that no one would discover how it worked; that's why NXP had to muzzle the Dutch researchers. But that's just wrong. Reverse-engineering isn't hard. <a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=spam__malware_and_vulnerabilities&amp;articleId=9078038&amp;taxonomyId=85">Other</a> <a href="http://www.cs.virginia.edu/~evans/pubs/usenix08/">researchers</a> <a href="http://eprint.iacr.org/2008/166">had</a> <a href="http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/Report.pdf">already</a> <a href="http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf">exposed</a> Mifare's lousy security. A Chinese company even <a href="http://www.fmsh.com/english/product_chipcard.php?product=FM11RF32">sells</a> a <a href="http://www.fmsh.com/english/products/FM11RF32_FS_ENG.pdf">compatible chip</a>. Is there any doubt that the bad guys already know about this, or will soon enough?</p>

<p>Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for. NXP's security was so bad because customers didn't know how to evaluate security: either they didn't know what questions to ask, or they didn't know enough to distrust the marketing answers they were given. This court ruling encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers.</p>

<p>It's unclear how this break will affect <a href="http://www.tfl.gov.uk/">Transport for London</a>. Cloning takes only a few seconds, and the thief only has to brush up against someone carrying a legitimate Oyster card. But it requires an RFID reader and a small piece of software which, while feasible for a techie, are too complicated for the average fare dodger. The police are likely to quickly arrest anyone who tries to sell cloned cards on any scale. TfL <a href="http://news.cnet.co.uk/software/0,39029694,49297810,00.htm">promises</a> <a href="http://www.techradar.com/news/world-of-tech/tfl-responds-to-oyster-hack-runling-428238">to</a> turn off any cloned cards within 24 hours, but that will hurt the innocent victim who had his card cloned more than the thief.</p>

<p>The vulnerability is far more serious to the companies that use Mifare Classic as an access pass. It would be very interesting to know how NXP presented the system's security to them.</p>

<p>And while these attacks only pertain to the Mifare Classic chip, it makes me suspicious of the entire product line. NXP sells a more secure chip and has another on the way, but given the number of basic cryptography mistakes NXP made with Mifare Classic, one has to wonder whether the "more secure" versions will be sufficiently so.</p>

<p>This essay <a href="http://www.guardian.co.uk/technology/2008/aug/07/hacking.security">originally appeared</a> in the <i>Guardian</i>.</p>]]></content:encoded>
      <pubDate>Thu, 07 Aug 2008 02:07:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/mifare">mifare</category>
      <category domain="http://securityratty.com/tag/design">design</category>
      <category domain="http://securityratty.com/tag/design secrecy">design secrecy</category>
      <category domain="http://securityratty.com/tag/mifare classic chip">mifare classic chip</category>
      <category domain="http://securityratty.com/tag/secrecy">secrecy</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/secrecy supports security">secrecy supports security</category>
      <category domain="http://securityratty.com/tag/security properly">security properly</category>
      <category domain="http://securityratty.com/tag/chip">chip</category>
      <source url="http://www.schneier.com/blog/archives/2008/08/hacking_mifare.html">Hacking Mifare Transport Cards</source>
    </item>
    <item>
      <title><![CDATA[Italians Use Soldiers to Prevent Crime]]></title>
      <link>http://securityratty.com/article/c78f1c770359cb273d03943d7dec2ab0</link>
      <guid>http://securityratty.com/article/c78f1c770359cb273d03943d7dec2ab0</guid>
      <description><![CDATA[Interesting : Soldiers were deployed throughout Italy on Monday to embassies, subway and railway stations, as part of broader government measures to fight violent crime here for which illegal...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.nytimes.com/2008/08/05/world/europe/05italy.html">Interesting</a>:</p>

<blockquote><p>Soldiers were deployed throughout Italy on Monday to embassies, subway and railway stations, as part of broader government measures to fight violent crime here for which illegal immigrants are broadly blamed.</p>

<p>[...]</p>

<p>The conservative government of Silvio Berlusconi won elections in April while promising to crack down on petty crime and illegal immigrants. The new patrols of soldiers, who are not empowered to make arrests, do not seem aimed only at illegal immigrants, though the patrols were deployed to centers where illegal immigrants are housed.</p>

<p>“Security is something concrete,” Mr. La Russa said on Monday. The troops, he said, will be a “deterrent to criminals.”</p></blockquote>

<p>That reminds me of one of my favorite logical fallacies: "We must do something.  This is something. Therefore, we must do it."  It does seem largely to be a demonstration of "doing something" by the Berlusconi government.  The legitimate police, of course, think it's a terrible idea.</p>

<blockquote><p>“You need to be specially trained to carry out some kinds of controls,” said Nicola Tanzi, the secretary of a trade union that represents Italian police officers. “Soldiers just aren’t qualified.”</p>

<p>He also questioned whether the $93.6 million that will be spent for the extra deployment, called Operation Safe Streets, might not have been better used to increase the budgets for Italy’s police and military.</p></blockquote>]]></content:encoded>
      <pubDate>Tue, 05 Aug 2008 02:36:44 +0000</pubDate>
      <category domain="http://securityratty.com/tag/illegal immigrants">illegal immigrants</category>
      <category domain="http://securityratty.com/tag/soldiers">soldiers</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/broader government measures">broader government measures</category>
      <category domain="http://securityratty.com/tag/italys police">italys police</category>
      <category domain="http://securityratty.com/tag/favorite logical fallacies">favorite logical fallacies</category>
      <category domain="http://securityratty.com/tag/operation safe streets">operation safe streets</category>
      <category domain="http://securityratty.com/tag/fight violent crime">fight violent crime</category>
      <category domain="http://securityratty.com/tag/silvio berlusconi">silvio berlusconi</category>
      <source url="http://www.schneier.com/blog/archives/2008/08/italians_use_so.html">Italians Use Soldiers to Prevent Crime</source>
    </item>
  </channel>
</rss>
