IT Security folk have to fight off attackers and vandals and the careless and ignorant. We also have to fight vendors. Maybe fight isn't the right word. It all depends on your perspective.
Vendor Call
We vendors have what you need.
Just taste, you'll understand.
You think vendors just care about greed?
No, we're just trying to give you a hand.
No one can solve the world's troubles,
Isolated and on your own.
You need friends though the crashes and bubbles,
For when the bad guys are looking to pwn.
My product can save you from evil!
My product can show ROI!
My product could defeat the devil
And stop an APT spy!
UTM, PCI, and IDS!
A+, CISA, ISC2!
SOX, ISO, and IDS!
We cooked a full acronym stew.
We've got webinars, glossies, a PowerPoint slide.
We can send you evangelists and experts.
Let's talk! Let's chat! Please, let us inside!
Let us know everywhere it hurts.
We'll buy you some lunch, bring a T-shirt or two.
We've got pens and foam balls to spare.
Every promise we make is totally true.
You'll be relieved, without a care.
You cringe when we send you an email.
You ignore our voice messages.
But it's not just about making a sale
And removing your budget's vestiges.
Honest and true, our product is good.
Just give us a chance to show it.
We're solution providers! We're misunderstood!
It's your business, we wouldn't want to blow it!
Adversity can inspire creativity. It can also inspire insanity. Somewhere in between, we sing of the world electric. Data flows, laws are created and bypassed, privacy is threatened, Bad Guys drink their Red Bull, and the lowly information security professionals of the world stand a vigilant watch. Infosec workers huddle together against the storm, the small campfire of hope burning by our feet. On the coldest nights, stories are told, songs are sung, and coffee is consumed.
Wednesday, October 19, 2011
Thursday, July 21, 2011
Mandatory Notification
In the last decade, state legislatures around the US created mandatory notification laws for security incidents involving specific personally identifiable information, such as Social Security Numbers, driver's license numbers, or financial account information. Usually, these laws mandate that anyone who knows they have lost such information must notify the state attorney general as well as those affected by the data breach. Creating a severe liability for failing to notify people when there are data breaches helped stir up new information security efforts, certainly within higher ed at least. Even so, we see news stories left and right of websites and other data stores being compromised.
The question of whether or not to notify when there is a potential data breach is a complex one. At least in New York State, notification is required once an investigation is complete, but not before it is done. For the unscrupulous, these details can be used to delay notifications. Also, notifications only have to happen if there is a reasonable chance that data was lost. What "reasonable" means is up for interpretation, and people can weasel their way out of notifications by interpreting the facts in certain ways.
Mandatory Notification
It used to be
My infosec diary
Was something just for me.
'Till my blasted state
Had to go and create
A notification-type mandate.
Now every one little sin,
Every hack of /bin,
requires Public Relations' spin.
So I have to decide:
Should I show or hide
When bad guys get inside?
And if they post a file,
Or our homepage defile,
Or pollute our Twitter with bile,
We'll blame the hacker!
Be a victim, not a slacker!
Fault will lie with the evil attacker.
It's not that we failed,
Or through open gates that they sailed
In the end we will have prevailed.
Saturday, June 25, 2011
Haiku for compromised websites
Web sites compromised:
Stars falling from the heavens,
Their whispers made loud.
Looking to sting true,
SQL injections fly.
Angry summer bees.
A weed will wither
When denied air and water.
Store data offline.
Monday, June 20, 2011
I couldn't find me without having you
We InfoSec types have been spending lots of time of late catching up to the exploits (and use of exploits) of various hacking groups. These bad, bad people have been hacking websites and services, extracting the logins and passwords for thousands of users, and posting them to the net for all to see. Of course, since password reuse is so common, other bad guys come along, take these logins, and use them to send spam and malware through accounts that might use the same login and passwords as the compromised accounts.
The logic behind the activity is complex, and most affected users don't care about it. They care that their online selves have been violated, and that these attacks lead to identity theft.
We, as the InfoSec community, have tried to educate people to have better account management practices, such as using complex passwords and not reusing logins. Often this advice falls on deaf ears. There have been many studies as to why this is the case, and not all the blame falls on the end user. That said, an ounce of prevention would be a huge help in the cases of the Sony breach and the other recent website breaches.
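The "other bad guys" step above, where a dump posted from one breach gets replayed against other sites, is exactly what a site owner can check for on their own side. The following is an added example, not code from the original post: given a plaintext `email:password` dump and a site's own salted PBKDF2 credential store, it finds which of the site's users are exposed because they reused the leaked password. Both the user table and the dump are constructed for the example; the PBKDF2 iteration count is an assumed value.

```python
"""Find site users whose current password appears in a leaked credential dump.

Added example, not code from the original post. SITE_USERS and LEAKED_DUMP
are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storage; fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed: our site's user table, email -> (salt, digest).
SITE_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.edu": hash_password("correct horse battery"),
    "bob@example.edu": hash_password("Summer2011!"),
    "carol@example.edu": hash_password("uniqueToThisSite#9"),
}

# Constructed: a dump "posted to the net" from some other breached site,
# in the usual plaintext email:password form. Users can appear more than once.
LEAKED_DUMP = """\
alice@example.edu:correct horse battery
bob@example.edu:hunter2
BOB@example.edu:Summer2011!
carol@example.edu:differentPassword
dave@example.edu:password123
"""


def parse_dump(text: str) -> Dict[str, List[str]]:
    """Group leaked passwords by lower-cased email, skipping blank or malformed lines."""
    leaked: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        leaked.setdefault(email.lower(), []).append(password)
    return leaked


def find_reused_credentials(site_users: Dict[str, Tuple[bytes, bytes]],
                            leaked: Dict[str, List[str]]) -> List[str]:
    """Return emails whose current site password matches a password leaked for that email.

    Only the leaked candidates for the same email are tried, so the cost is a
    handful of PBKDF2 evaluations per affected user, not a full cracking run.
    """
    exposed: List[str] = []
    for email, (salt, digest) in site_users.items():
        for candidate in leaked.get(email.lower(), []):
            if verify_password(candidate, salt, digest):
                exposed.append(email)
                break
    return sorted(exposed)


if __name__ == "__main__":
    for email in find_reused_credentials(SITE_USERS, parse_dump(LEAKED_DUMP)):
        # Practical response: force a reset and revoke existing sessions.
        print(f"password reused across sites, force reset: {email}")
```

This only catches reuse where the leaked record carries the same email as the local account; a user who reuses a password under a different username elsewhere will not show up, and a dump that was posted as hashes has to be cracked before it can be fed in. It also never stores or logs the leaked plaintext beyond the comparison.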
And yet we still hear the users singing a sad song...
I Couldn't Find Me Without Having You
I'm lost, I don't know what to do
Can't find the words, don't have a clue.
But Google, you're there, you're always true.
I couldn't find me without having you!
I signed up for Sony's gaming net
Bosses to kill, achievements to get.
But now someone who I've never met
Logged in as me, filling me with regret.
Not only have they my gamer tag
They're causing my credit card to sag
I wish I could blame them for the lag
As I blame them for the creditor's nag.
I'm lost, I don't know what to do.
Can't find the words, don't have a clue.
But Google, you're there, you're always true.
I couldn't find me without having you!
So I look to the net and search for my name.
I find that lulzsec is playing a game.
So what if my logins are all the same?
Who'd want my ID, I haven't got fame!
And an Anonymous group has entered the fray.
They seem to hack sites each and every day.
Now my login and passwords are on display.
If I ever forget them, I will know the way:
I'm lost, I don't know what to do.
Can't find the words, don't have a clue
But Google, you're there, you're always true.
I couldn't find me without having you!
They're on my laptop, they're in my iPod.
All my tech toys seem to act rather odd.
I've lost all control, upon my ego they've trod.
It's a matter of time before they hack my poor bod.
I hear your advice, you say what to do.
But I cannot recall more than a password or two!
And you want it complex, even with symbols too?
You're asking too much, your rules make me boo!
I'm lost, I don't know what to do.
Can't find the words, don't have a clue.
But Google, you're there, you're always true.
I couldn't find me without having you!
Friday, June 17, 2011
The Question of Bitcoin
I've been watching this one closely. The question of Bitcoin is being considered more frequently and publicly by economists, politicians, technologists, and more and more users.
To me, from my layperson point of view, economies are one part math, one part sociology, one part psychology, and many parts luck. Bitcoin seems to be behind the 8-Ball on all of those factors. It will be interesting to see how it all works out.
Bitcoin, Bitcoin,
What are we to do?
They wanted a revolution,
Created a new solution.
An economy built for me and you.
But me and you have bills to pay.
And mining coins won't be a way
To pay a mortgage,
Settle a loan,
Buy an apple,
Recharge a phone.
But if you wanted some crazy drugs,
Or asked a hooker for more than hugs,
Or wanted to purchase endangered pets,
Or wanted to place some baseball bets,
My Uncle couldn't track me.
That's happy freedom, baby!
No, wait, it's not about that.
Open source is where it's at!
Power to the people!
Down with the State!
We can engineer any problem.
Algorithms are great!
It's peer-to-peer
It's in The Cloud
Not valued by fiat,
Sourced by the crowd.
The crowd that's learning to game the system.
Mine the coins in someone's browser
While they're streaming Doogie Howser.
Hack a computer, a server or two,
Those stolen cycles are free to you.
Or find a way to steal a wallet.
If unencrypted, "wide open" you'd call it.
All investment has some risk
Those on the ground floor hold most of it.
But is that risk worth the gain?
Is this new system really sane?
Wednesday, June 15, 2011
I Sing of Spam
I sing of spam,
Not meat like ham.
It comes in bits
And gives us fits
So much comes in,
flooding our bin.
We cannot read
the stuff we need
It's not all fun,
games to be won.
There are bad guys,
criminal lies.
It's about cash,
money, your stash.
They want to trick,
Just have to click.
Or choose "Reply".
Let your words fly
Tell them your name,
You are to blame.
Credit card lost,
Drugs for low cost.
4-1-9 scams,
All come from spams.
Should we give up?
One string, two cup?
Filter or read?
It's help we need.
Thursday, May 5, 2011
Passwords in the Clouds
Considering this week's news that LastPass, the Cloud-based password storage site, was hacked, the idea of storing one's passwords in the Cloud looks even more obviously a bad one. Inspired by some conversation about it, I offer a haiku.
One should consider
Do the clouds high in the sky
Have all my passwords?
Should the cold rain fall
Will all of my credentials
Shower down to Earth?
If they did scatter
From the storm's harsh, brutal gale,
Who would become me?
Victory!
I won the aforementioned haiku contest with this haiku:
Losing your cell phone
Is worse than losing your keys
My thumbs get so bored
Another step toward being the poet laureate of the higher ed infosec community.
Monday, April 25, 2011
Life in the Mobile World Haiku
My entries to this Haiku contest:
http://www.educause.edu/Mobile+Sprint/MobileComputingA5DaySprint/Contests/227381
Losing your cell phone
Is worse than losing your keys.
My thumbs get so bored.
Any time or place
The world at our fingertips.
Data on the wind.
Message sent through air,
Dodging wind and rain and snow.
"Remember the milk."
"Secure mobile phone".
Truly an oxymoron
Like "gentle winter".
Wednesday, April 20, 2011
InfoSec Haiku
Data breach occurred
Like wind through a closed screen door.
Notification.
Birds softly singing
Sad songs of un-patched systems.
SysComps like leaf buds.
Summer rains come hard
Like spam through email servers.
An endless torrent.