Entering Our Prime

Today is amazingly enough the fifth anniversary of Adam starting this blog. It’s amazing how fast time flies when things are chaotic. Seems like just yesterday Adam was doing the initial Star Wars posts. Appropriately enough the most recent in the category was just this past Saturday. Thank you to all of our readers for making the last 5 years so much chaos and so much fun.

The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know

John Viega recently published a new book: The Myths of Security: What the Computer Security Industry Doesn’t Want You to Know.
It’s a great read, especially if you are new to or are interested in the security industry as a whole. However, even if you are a long-term security veteran, you will find it enjoyable.
The book is a series of essays addressing a range of topics from “The Cloud” to the state of the AV industry and everything in between. The essays aren’t long, but they are very thorough. This makes it easy to pick up the book, become engaged, and learn something quickly.
My only complaint is with the essays around privacy and anonymity. They weren’t nearly as deep as I was hoping, nor were they on par with the rest of the book. Despite this, the book is excellent and well worth reading. I highly encourage you to pick up a copy.

Dear $LOCALBANK That I Use

Keeping a database of all of your ATM PINs in a clear (or possibly encrypted but easily reversible) text database is not a good idea. I honestly can’t see any use value for this, especially when they won’t tell you what your PIN is even if you have multiple forms of government issued identification.
No thanks; No love

Identity Theft

Remember, identity theft isn’t getting your credit card stolen; that’s fraud. Having the records that define who you are to an entire country, and that determine whether you can get a relatively high-paying job, get stolen: that’s identity theft…

Do Audit Failures Mean That Audit Fails In General?

Iang’s posts are, as a rule, really thought provoking, and his latest series is no exception.
In his most recent post, How many rotten apples will spoil the barrel, he asks:

So we are somewhere in-between the extremes. Some good, some bad. The question then further develops into whether the ones that are good are sufficiently valuable to overcome the ones that are bad. That is, one totally fraudulent result can be absorbed in a million good results. Or, if something is audited, even badly or with a percentage chance of bad results, some things should be improved, right?

This is a fascinating question. How do we measure how well Audit works? Are we, in fact, better off Auditing even with the issues we’ve recently faced? Or as Ian puts it:

How many is a few? One failed audit is not enough. But 10 might be, or 100, or 1% or 10%, it all depends. So we need to know some sort of threshold, past which, the barrel is worthless. Once we determine that some percentage of audits above the threshold are bad, all of them are dead, because confidence in the system fails and all audits become ignored by those that might have business in relying on them.

We clearly need someone with a Levitt-esque mindset who can come up with a creative way of solving this measurement problem we have on our hands…

Scalia: Just Because You Can Doesn’t Mean You Should

aka it’s not nearly as funny when you are the subject of the probe.
At a recent conference, Justice Scalia said, “Every single datum about my life is private? That’s silly.”
Well, a professor at Fordham University decided to take Mr Scalia at his word, and had one of his classes collect a dossier on the Justice and this is what they found:

Professor Joel Reidenberg and his class now have a 15-page dossier on Scalia, including his home address, the value of his home, his home phone number, the movies he likes, his food preferences, his wife’s personal e-mail address, and “photos of his lovely grandchildren.”

So what we have here is yet another person discovering that while individual facts aren’t necessarily important, when you aggregate them together you have something quite valuable. Justice Scalia was understandably somewhat unamused:

It is not a rare phenomenon that what is legal may also be quite irresponsible. That appears in the First Amendment context all the time. What can be said often should not be said. Prof. Reidenberg’s exercise is an example of perfectly legal, abominably poor judgment. Since he was not teaching a course in judgment, I presume he felt no responsibility to display any.

Daniel Solove, over at Concurring Opinions, has provided more details and analysis as well as a follow-up from Professor Reidenberg. Of note is the fact that this is a regular assignment in the professor’s class each year and the previous class had been told to use Dr. Reidenberg himself as the subject of the dossier.

Will The Real Adam Shostack Please Stand Up?

At one point during the RSA party hopping last week, Adam, Alex and I ended up at the Executive Women’s Forum event. I was feeling pretty punchy and decided that all three of us should have name tags that read “Adam Shostack”. If anyone asked, I just explained that we were promoting the new blog. Eventually I wandered off to another party and some other folks decided that this was a really good idea as well. By the time I got back to the W, there was a whole slew of Adams floating around. Those who subscribe to the “Pictures or It Didn’t Happen” school of thought can find all the evidence over on the Flickr photostream.

Welcome To The (New) Machine

If you can read this, you are now reading Emergent Chaos on its new server. We’ve also upgraded to the 4.x train of MovableType. Let us know what you think. We’re also considering a site redesign, so let us know any feature requests or design suggestions. Thanks!

Daily Show on Privacy

(h/t to Concurring Opinions)

Why Didn’t SOX Catch The Bank Failures?

Iang recently indicted the entire audit industry with “Two Scary Words: Sarbanes-Oxley”. I’ve excerpted several chunks below:

Let’s check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?
No. Not one, not even a single one!
Yet, the basic failures in the financial crisis are so blatant that surely, even by accident at least one audit should have picked up at least one pending failure, and fixed it? No, not one, known to date. At least, as far as I know, and we should probably wait a few years before writing the final judgment.


Can we pronounce the financial audit as bankrupt by its own measures? In theory, the audit should have picked up these failures, all of them. Consider this case-in-point, to prove that the theory works: the enhanced audit required on public listing did in fact pick up the Refco fraud that led quickly to its failure, and the near-failure of Bawag, a big bank in Austria that participated in the fraud. (The sorry fool who found the fraud was fired for his troubles, and only later did his reports filter out and cause questions that ultimately forced the fatal result.)
The audit theory works, then, in some sense or other. Manifestly, audits didn’t work for the financial crisis. And, they so didn’t work after that so-huge rewrite called Sarbanes-Oxley, that we can conclude that mere improvement is completely off the agenda

The thing about SOX is that while it is hugely in-depth as audit requirements go, it is also incredibly narrow in its breadth in terms of how it is implemented by companies and how it is audited. Auditors are so busy ensuring that someone isn’t cooking the books that they don’t look for people deluding themselves or who don’t understand their own inputs, or at whether or not the source data for the models was reasonable. This is why Refco was identified and the bank failures were not. And if there is an actual failure of SOX, this is it: not that it didn’t catch the bank failures, but that it was never designed to do so in the first place. If all you are worried about is nails, all you look for is hammers.

Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang over at Financial Cryptography thinks it is “a dead duck”:

The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you’ve got too much to do. So we have a choice: is security like finance, or is it like “the rest of business?”

I disagree. While it’s true that financials and insurance have done a much better job than anyone else of formalizing their risk management practices, every business does risk management to some degree; it’s part of the job of the C-Suite. Arguing that we don’t have data, so trying to do it in security is pointless, is taking the lazy way out. It’s true we don’t have as much data as we’d like, but as Hubbard said (more or less), “You don’t need as much data as you think, and you have more data than you think.” In other words, we have to start somewhere.
On a related note, The Economist ran an article at the beginning of this year, from which I took the title of this post, “Rethinking Risk.”

What makes the current situation so dire is the way in which so many major risks are converging all at once: a credit crisis, volatile commodity prices, soaring government debt, rising unemployment and its attendant impact on consumer spending — the list goes on.
None of those risks are lost on CFOs, of course, who now have an additional impetus to address them: more pressure from boards. Corporate directors in most industries have gotten risk religion, says Henry Ristuccia, U.S. leader of Deloitte’s governance and risk-management practice in the Northeast. “More external directors are asking senior management: What are the company’s major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?”

Now, The Economist doesn’t explicitly talk about security but as several companies including Hannaford and TJ Maxx learned, just because you’re not in the finance industry doesn’t mean you don’t face significant financial or security risk. A shame neither of them had real risk management in place.

I Was On NPR, An Unmasking of Sorts

Okay, so for a long time now, I’ve been blogging as Arthur. It all started as an excuse to blog without the company I worked for at the time having to worry about anything I said being a reflection on them. Almost three years ago they were acquired by Oracle and I have long since moved on to other pastures. Many of you already know who I am, and since I really want to share the story below, I am no longer going to hide who Arthur really is. Listen to the audio linked below if the picture hasn’t already given me away completely.
On Monday I went to early vote. Well, I live in Columbus, OH, where there was a big push to vote early. Since I was driving to Chicago the next day to speak at Information Security Decisions, I figured I’d knock it out a day early and get it over with. What I didn’t expect was that I would be standing on line for four hours to cast my ballot.
What I also didn’t expect was to be interviewed by Neal Conan on Talk of the Nation. So there I was, three and a half hours into my wait, when I was approached by Mandy Trimble of WOSU, the local NPR affiliate. Anyways, to make a long story short (I know, too late!), I ended up on the air nationwide talking about how to pass time in line at the polls. My bit is about 4:00 minutes in.

Information Warfare

As long as I have been lecturing on security I have used the “Threat Hierarchy” that lists threats in ascending order of seriousness. It goes like this:
1. Exploratory hacking
2. Vandalism
3. Hacktivism
4. Cyber crime
5. Information Warfare
It turns out that this hierarchy is also a predictive time line. Obviously we are well into the era of cyber crime; we have been for about two years.
But what about information warfare? When are we going to see that? Well folks, we are engaged in Information Warfare. Alan Sipress’ article in the Washington Post today is a must read. It details the ongoing attacks against the Commerce Department bureau in charge of licensing exporters to China. The attacks emanate from China. Put these recent attacks together with the “industrial scale” attacks of Titan Rain, and the targeted attacks against Sandia Labs, and you have what looks like information warfare to me.
My contention: China has been waging war with the United States and other western countries for years. The first shot fired was in May of 2001 during the so-called “hacker war” between the US and China that culminated in the release of Code Red, the IIS-targeting worm that debilitated thousands of servers in the US.
This is a very one-sided war. The US has lost *all* of the battles with hardly a retaliatory shot fired. Government facilities are very poorly prepared to fight this war and the private sector cannot expect any protection whatsoever. My advice is to look to your own defense. As you invest in security, think beyond viruses, worms, and Russian identity thieves. Think about massive state-sponsored attacks targeting your information, your infrastructure and your people.

Compliance for auditors?

The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wells Fargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees.
Auditors provide a critical function. In many cases they are part of the security solution. But with the glare of public disclosure, the practices around performing an audit need to be tightened up. I posted what I think would be basic best practices for auditing auditor laptops here. I will also be posting it to the IT-Harvest Data Protection Weekly, which goes out every Monday morning. It’s free btw, and you can sign up by clicking here:

I am reminded of the problems faced by IRS auditors. Those guys are paranoid. There are 20,000 of them running around with laptops that VPN back into the IRS mainframes, where they have access to EVERYTHING on corporate finances. Imagine how worried they are about someone sniffing their passwords, installing spyware, or doing a man-in-the-middle attack.