Expiring Passwords

Image Credit: Louise Docker / Flickr (CC: by)

Today there was a question pitched by one of the guys at work as to why we bother having such things as a password expiry / enforced change. My answer (in true Rob fashion) rambled a little (ok, a lot), but I’ve consolidated it below and made it generic to suit anyone facing the same line of questioning…

The reason passwords are set to expire is that it limits the window of exposure for compromised credentials.

Authenticating Users – The Struggle to Raise the Bar

Photo Credit: Ibrahim Asad / Flickr (CC: by)

Interesting quote from an article that I was reading this morning:

“When creating a patient portal that provides access to electronic health records, healthcare organizations must educate patients about the need for authenticating their identities, says Sharp HealthCare CIO Bill Spooner. […] Spooner notes that some patients have complained that the authentication method for its patient portal is cumbersome.”

It’s not the fault of the user: they’ve not been educated as to why the bar should be higher (and they don’t necessarily understand the potential consequences of a low bar). It’s not the fault of the business either; after all, things have been “good enough so far”, so why spend money changing something that doesn’t look like it’s broken?

It’s (almost) nice to know there are others struggling with the balance between usability, user acceptance, funding and the changing landscape of threat.

Interesting developments in the connectivity world…

Photo Credit: Gloria Garcia / Flickr (CC: by-nc-nd)

The Australian Government has just dropped the ban hammer on Chinese telecommunications equipment company Huawei, and it’s going to be interesting to see how this plays out across the Tasman here in New Zealand…

Given the traditional “copy our West Island cousins” approach versus the “but they’re part of a free trade agreement” view of China (as of 30 minutes ago, the Prime Minister was still comfortable), Government-backed Kordia has an agreement with Huawei Marine for additional cable connectivity to the intertubes. However, that cable touches down in Sydney, so is the connectivity now off the table?

Huawei already has a foot in the door through agreements with Enable Networks in Christchurch and in the middle of the North Island.

/popcorn

The sky is NOT falling (is it?)

The Summary Version:

The impending Android Malware Apocalypse is overrated, over-hyped and overused to sell more apps and extend control onto mobile devices. That said, it is a perception widely pushed by the media, who copy and paste vendor news releases, and thus the public is beginning to accept the threat as being real. My opinion is that the available attack vectors are currently quite limited and nowhere near as bad as the industry press and mobile vendors are making out. You can’t blame them for pushing the stories though: one group makes its money getting eyeballs to articles, the other by selling cures to the risks…

What we can do as an industry is limited by the overall reluctance for users to double check what they are doing, coupled with the difficult situation created when differentiating device/product or service in a low-margin, rapidly evolving market.


The best exploits are old exploits

Image Credit: “Old school” from Clothesline – NZ Clothing and Design (BUY THE TSHIRT)

Last week I had a really interesting meeting with one of the Security Advisors from Microsoft prior to the release of their Security Intelligence Report (SIR) – Volume 11.

While we were specifically discussing different things in this meeting, one of the side conversations came back to the issues surrounding legacy software and its ongoing support, and there are some really interesting numbers making up the latest analysis of exploits being leveraged against the systems Microsoft monitors in creating these reports.

While “zero-day” vulnerabilities are the things making the news (at least in the industry press), they accounted for less than 1% of malicious activity.

One of the more worrying stats for me was the leveraging of exploits where updates were available. Around 6% of incidents were exploiting issues for which a vendor had already released an update to fix. Further to this, 3.2% of the overall incidents were for issues resolved more than a year ago! The reality is, people are simply not updating their software and I’m really not sure where the problem sits.

Given the author of the study is Microsoft, it’s safe to assume that the measurements are against Windows-based systems. These systems have had operating system and application updates built in to their default operation for many, many years now; however, I still come across machines ‘in the wild’ with update indicators sitting right next to the system clock on the task bar, simply begging to be clicked so that the machine can be updated. The patches are set to download by default, and they come from very well distributed file caches so the downloads are as fast as possible – so why are they not being applied? This phenomenon is not isolated to home PCs, where the owner may not know why (or how) these patches should be applied; it’s also apparent in managed environments such as corporates and schools.

Before anyone starts to feel too comfortable because *you* have your operating system all up to date, it’s not just the base system which is under attack. Even as far back as 2009, these SIR reports were demonstrating that:

“Around 90 percent of vulnerabilities during the second half of last year were in applications…” – DarkReading / Microsoft SIR, April 2009

And that trend (though, perhaps, not that percentage) continues today. In fact, it is the applications which users are loading on to their systems which are bringing with them the vulnerabilities from which the malicious are launching their attacks. We see this in the additional functionality vendors are inserting into base operating systems on phones, and we see it in application software which destroys the myth that certain platforms are invulnerable, even to the point where helpdesk staff representing the company were specifically prohibited from assisting customers (a position they later reversed).

So – what does one do in the face of these threats? Do we rely on the background downloading and patching of our systems, or do we take an active stance in protecting our machines, choosing what and when to apply updates, just in case “something weird” happens?

But, gentle reader, the greatest threat to the integrity of your system is not its operating system, it is not the applications you have installed, it is something even harder to ‘update’, something that will not be ‘patched’ on a regular basis from a central source… the greatest threat, the threat responsible for almost 45% of the attacks analysed in this latest Microsoft SIR, is you and I. We of the “between the keyboard and the chair”, us of the “Layer 8 in the OSI model”, the wet-ware, the users. But trying to resolve that threat vector is fodder for perhaps another article at another time.

NetHui 2011 – Day 1: Digital Citizenship – 21st Century Parenting

21st Century Parenting – Challenges and Solutions

Lee Chisholm, Operations manager, NetSafe

This was an obvious choice as a session for me to attend, and it opened with an attention grabbing quote…

“Three times as many smart phones every minute are activated than there are babies being born” – Hans Vestberg, CEO of Ericsson

This quote sets the stage for the overwhelming influx of technologies into our lives and especially the lives of our children. The problem is, parents are being fed these lines time and again to the point where many throw in the towel and give up trying to stay current with what their children are doing.

Even more worrisome than the parents giving up is the parents abdicating the responsibility of teaching and modelling these skills to schools. Schools do not have the resources to do this stuff alone.


NetHui 2011 – Day 1: Innovation & Emerging Issues – Privacy Issues

Privacy Issues for business in the new digital age

Marie Shroff (Privacy Commissioner)

This session started with a fizz and a whimper, I think based more on the usual audience for the Privacy Commission than on the subject matter itself. I did enjoy the comics though 🙂

  • Customers are starting to take an ACTUAL interest in their privacy (~80-90% are concerned or ‘very concerned’)
  • Media starting to pick up on these stories as the articles drive interest
  • Bigger companies are starting to see the moral and ethical necessity to adopt privacy
  • Expectation of future tweaking suggestions for privacy act
  • “Value your CIO as you would your CFO”
  • Despite the cloud context, people are expecting the same flexibility and control over their data as when it was locally domiciled

The discussion that followed was interesting.


NetHui 2011 – Day 1: Globalisation, the Internet and the Law – The Internet as a Revolutionary Tool

Session Lead by: Brian Calhoun, Independent Consultant and co-chair of NZRise Inc

“I see a gradual slide toward corporate and government control… by control I mean content”

The session started with a discussion of Tor / Bitcoin / BitTorrent, all created specifically to circumvent control systems that were already in existence. The question then posed to the room was:

“How long before our government moves to block/disable these things? […] What is your bottom line? How pissed off do you need to get before you take action?”


NetHui 2011 – Day 1: Digital Citizenship – Cyber-Bullying

Digital Citizenship – Combating Cyber-bullying & Harassment

Stream led by: John Fenaughty (NetSafe)

Perhaps the most notable example of standing up against bullying in recent times is the story of 16-year-old Australian Casey Heynes (YouTube: “Fat Kid takes on Bully”), a video that went viral both online and via traditional prime time media.

When asked, 33.2% of youth surveyed reported they had experienced some form of cyber-bullying in the past year and 52.9% of those had found it distressing.

That’s 17.6% of New Zealand youth surveyed having experienced ‘distressing cyber-bullying’ in the past year. It’s an offensive statistic for anyone wishing to better the environment in which we work, entertain and educate ourselves.

NetHui 2011 – Day 1: Digital Citizenship – Cyber-Safety

Digital Citizenship – Cybersafety

Stream led by: Martin Cocker (NetSafe) – NetHui Digital Citizenship Forum

Martin started off the session by outlining where things are in New Zealand, as well as providing a context for the terminology which would follow. In this regard, Digital Citizens were defined as those using technologies to have:

  • Greater productivity (via use of technology)
  • A better education experience
  • Connections with e-government
  • The responsibility to “Balance” the digital society
    • Politically, we can vote out non-performers
    • Commercially, we can only influence via our adoption and usage of technologies.
    • We can’t vote for everyone (politically) but we can influence via usage and adoption
