Monthly Archive

This is the archive of the blog! Feel free to browse around!

Top Secret Israeli Army documents available!

I just came across this post today, claiming that an Israeli reserve officer found top secret documents on the Israeli Tzahal-net. How did he come by them? By searching for Top Secret. Duh.

If this is not bad enough, when the Israeli officer sent a complaint, all he got in return was "Yes, we know of this problem". A year later, the same officer did the same search, and found a new batch of Top Secret classified documents.

The first time should have been enough!

What can we learn from this? People are lazy. They tend to spend less time thinking than doing. Add to that lack of understanding and knowledge, and you soon have a disaster at hand.

Awareness training will help. Teaching the psychology of information management will help. Good systems and methods surely help. But if there are no incentives to follow the rules, people will avoid them if it is easier to do so. 

In cases like this, it is important to make examples of bad behavior, and to make it hurt if you catch someone breaking the rules.

 

Activities

It may not look like it, but I have a high level of activity going on currently. I just came back from a training in Germany, and now I am in a week-long workshop. Thus, there is not a lot of time to update the blog. I apologize to my readers, and will get back to it shortly!

Lebanon Security Update July 2007

Today I received another update on the current situation in Lebanon, one year after the July war in 2006. Let us ensure that we do all we can to reduce terrorism.

--------------------------------------------------

 

Security Report

Lebanon’s internal political negotiations have failed numerous times to reach an agreement over key issues such as the formation of a new government and its agenda, the disarmament of Hezbollah and the election of a new President in Fall 2007-2008, due to unwillingness of parties to compromise. Moreover, sudden security incidents such as explosions or targeted political assassinations of loyalists have increased mistrust between both negotiating parties, leading to the present deadlock.

 

There are many indications of the presence of Al-Qaeda or its offspring terrorist organizations in Lebanon. At least this is what the recent arrest of a “sleeping cell” in Bar Elias in the “Beqaa” area, while planning for major terrorist attacks, has revealed.

 

The recorded testimonies of Fateh El-Islam members, captured by the Lebanese Army, and of different Arab nationalities (mainly Saudi, Syrian and Palestinian) revealed the following: Islamic extremist groups have been generously funded and trained outside Lebanon, have succeeded in a terrorist attack on civilian buses in “Ain Alak” last January, and were still organizing and planning more terrorist crimes and assassinations of politicians in the coming months.

 

The ability of the Lebanese intelligence to abort these plans and of the Lebanese security forces to prevent these attacks is at present the biggest test the Lebanese Government faces. It is true that attacks of organized terrorist groups such as Al-Qaeda have been difficult to prevent even in militarily and technologically advanced countries such as the USA and the UK. However, the big question is whether Lebanon’s Siniora Government, with the assistance of its western allies, will be able to face these terrorists in the same way as the Pervez Musharraf government is doing in Pakistan, the other option being a failure leading to internal chaos fed by the Shiite-Sunni historic schism such as in Iraq.

 

Different intelligence sources expect more security incidents in an attempt to increasingly destabilize the Lebanese Government, the Statehood components of which are not far from a “Failed State.” In addition to the events in North Lebanon, members of the Spanish UNIFIL troops were killed a few weeks ago by a terrorist attack, indicating that security is still violated in South Lebanon despite international presence. Nevertheless, the political decision of the Spanish government to keep its UNIFIL troops in place and the decision of other countries to keep their missions in Lebanon represent defiance to terrorist cells, which have warned in the words of “Al-Zawahiri” the Western and pro-Israeli “crusaders” in Lebanon, an easily targeted country where religious and sectarian differences form a prosperous battle field. At present, all local political and security factors indicate that more terrorist attacks are very likely to take place during this critical period, at least until September 2007 before the election of a new Lebanese President. For these reasons, local politicians, especially anti-Syrian MPs and ministers, were advised and have chosen to reside outside Lebanon during this period.

 

Despite heavy diplomatic activity and a close follow-up at the local political level by foreign diplomatic missions, these continue to warn their nationals against unnecessary travel to Lebanon due to the unstable and unpredictable situation that could suddenly deteriorate in any area that has so far been spared the violent attacks.

 

The Government of Lebanon is heavily relying on the assistance and expertise of Interpol and security services of friendly countries in counter-terrorism.

 

 

13/07/2007

 

 

Weekend Laugh - Airport security: forgotten luggage

It is Friday. Time for a laugh. As I am traveling this weekend, the following video seems appropriate.

The dialogs are in French (no, not the French used by the English speaking public), but even if you do not understand what they say, you get the idea.

Enjoy! I hope I do not get into a situation like this on my trips!

 


Source: http://www.aniboom.com/Player.aspx?v=1906

Offline a few days

I am off to Germany to give a training. I will be back Monday.

I wish you all a happy weekend!  

72% of threats from OUTSIDE

Rob Newby, an Englishman in Spain, and one of my valued sources and bloggers, has a track record of disbelieving the statistics from the security industry claiming 72% of threats are from the inside.

Now he has statistical evidence too - it is no longer only something he believes - as Walter Conway came to his rescue with statistics from the past 7 years. And the numbers are interesting, but not surprising IMO. However, they are great to show in the face of your next security salesperson who tries to bullsh*t you to get an order.

The report from Walter is available for download. Rob's comments and insights are invaluable. Enjoy!

Find your bad apples

Arieanna over at Laptop Security blog brought my attention to the InfoWorld Zero Day Security blog.  The reason? The posting of how to spot a spy!

The list in itself is not new, nor is the trade. Similar lists and warnings exist for the corporate world too. And I believe these are important, as the world is not as ethical as we would love it to be. Personal profit and status are found to be key for many, and if this can be achieved by selling off some information, that is easily done without much afterthought.

So lists like these need attention, and should be a part of the awareness training internally. One challenge is of course that distributing lists like this also makes it easier for the spy to counter the discovery. After all, if you are making a profit from selling off information, you are stupid to show it off in public. And the dangerous spies are anything but stupid.

Another important point is to understand the human mind. Let's assume you are a senior manager in an R&D energy company. You have access to important information about new products and ventures. Then, out of the blue, you are laid off or moved from your job to another part of the company. Against your will. It is very easy to bring with you the information you have. It is probably also very tempting. Especially if the information has value - to the press, to competitors, to the government or to customers.

Somehow, many organizations seem to forget that moving around resources without their consent creates unhappiness. And unhappy employees - at all levels - are a well known risk.

My advice is to establish or refurbish routines regarding employment. Also make sure that the HR department is able to create and cater a positive flow in the corporation. Understand the emotions involved when people are moved around without understanding why. If in doubt, ask for advice from specialists in change.

Most importantly - know your industry - some industries are easier targets than others.

Information Security in a Maslow pyramid

Ravi Char made an excellent post where he discusses the impact of Information security on a company. He uses the Maslow hierarchy as a model, and adds the layers of security required.

The nice thing about this model is the visualization of the requirements of each level. You will not be able to reach the top of the pyramid unless you fulfill each of the previous steps.

His model looks like this:

[Figure: IS Maslow Pyramid]

 

Ravi gives a nice explanation of each required step. He uses examples to relate the descriptions to companies and stages. I like it.

I see a lot of different companies in all stages. What I notice is that most companies of a certain age and size do have security, but at the management level, they are on the first step - "Don't care for security". This is where I focus. To get managers to understand, care and use security.

 

 

Why password security is key on any website

Many website owners and companies do not spend enough time considering security. Things are slowly getting better, but not at the speed required to counter fraud and identity theft.

Gnucitizen made a clear post regarding how password recovery works (warning - it gets quite technical towards the end). It is a great explanation of the 4 different automatic password recovery/resetting methods, including pros and cons. The second part of the post also gives the interested a step-by-step description of how to automate the testing process.

If you still do not get the message - consider this:

You are able to automate testing in order to counter hackers. It is easy, and takes very little knowledge and effort, thus it is not very expensive. You may or may not choose to do it. One thing is certain, though - hackers and ID-thieves already do this. As they have done for years.

Your choice is simple: either test and alter your code as required, or wait until you are losing data. Not a hard choice, is it?

Weekend Laugh - airport security

It is Friday. Time for a laugh. I picked this YouTube video up on Mitchell Ashley's blog.

Ever wondered about the new airport security? Wonder no more. The Homeland dep. has more questions than answers, and they only employ the crème de la crème as their security staff. As I've said before, the airport security only serves as a security show-off, and I believe it actually makes it less safe to travel as everyone - and I mean everyone - gets annoyed and angry.

Time for your weekend laugh. Now you know why there are long lines at the airport!

 

 


YouTube link: http://www.youtube.com/watch?v=ykzqFz_nHZE

What makes a secure world?

This post most likely will upset a few readers. If you are easy to upset, please do not read it. You have been warned.

-------------------------------------------------------- 

One thing about not being American is the fact that I can view their behavior from the outside. And one of the things I do have a hard time accepting is their praise of God. Everything seems to revolve around a hypocritical praise of the Lord.

Combine this praise with their focus on anti-terrorism, and self-heroism. What do you get? A war on religion.

I am not a fan of terrorism. Just as I am no fan of war. But I do not think that praising the Lord is a good way to fight religious terrorism, or Muslims. I think that only serves to fuel the fire. 

I strongly believe that the best way to fight terrorism and violence is by education, by respect and by developing common ground. And of course time. Change takes time, and it often feels hard for the parties involved.

The challenge we face in fighting terrorism is not easy to overcome. It only takes one party to spoil the process - as we have seen in the Israel vs. Palestinian case over the years. If one prime minister decides that the proposed outcome is not in their best interest, they decide to build a wall. There seems to be little interest in compromises and "best-for-all" solutions.

And when the US targets the terrorists around the world, with "and God bless America!", I must admit I take offense. I do not believe in that God. I am not American. And I certainly do not think a God who tells a believer "not to kill" should be blessing a warfare. And most importantly - I know that if I was a terrorist in a Muslim country, I would use that blessing as proof that the enemy's only wish is to do away with all Muslims (as well as other opposing religions).

What happens then when America is blessed and no Muslims are available as a threat? Will Europe be the next target? Or will the power of China become too much of a threat?

I suggest we start developing an educational program which encompasses all major religions, and political power. We should ensure the distribution of this not only in the Middle East and other terrorist habitats, but it should be included in our education as well. Only when we all know, understand and respect our differences will we be able to control and countermeasure terrorism, warfare and unfair political games.

This is no quick fix - with easy to show results. This will take time - generations. We need to teach our children respect for each other, for themselves and for the unknown.

Including respecting the "God bless America" that currently sweeps across the world. As well as respecting the fact that modernization is required also in religions like Islam. Going back to Sharia laws is not progress - that is pure regress.

 



The blogger is Kai Roer, a European Information security professional.
