
Low-tech subway sabotage

Yesterday, the subway system in Oslo was put out of order by way of a low-tech sabotage.

Tens of thousands of commuters were delayed for hours - all due to a person throwing a bicycle directly onto the electrical power tracks at Majorstua station.

What makes this interesting?

Two things IMO.

  • It does not take high-tech attacks to bring high-tech to a halt. From this we can learn that you also need to consider low-level, low-tech incidents when you do your risk assessment and planning.
  • The crisis response team acted quickly and efficiently - using a well-prepared contingency plan - reducing the impact on business, and reducing the delays for the travelers. From this we learn that having a crisis team and a contingency plan is key to success.

Denmark evacuates embassies

Denmark embarks on a new mission to publish sarcasm. In 2006, Danish and Norwegian newspapers published a series of drawings depicting Mohammed in cartoons. The result was burning embassies and riots.

Now, Danish newspapers have reprinted one of the cartoons, and Denmark is evacuating, or considering evacuation of, their embassies in North Africa, the Middle East, Pakistan and Afghanistan.

More over at CNN.

ID theft – Facebook and MSN exploited

Earlier this week, I received a new wall post on my Facebook profile. Now, I do not use Facebook a lot – I mainly maintain a small network to test and research this trend – so receiving a wall post was kinda fun.

Except – this particular post was written in English, by a Norwegian. Further, the message pointed to a service I had a very hard time imagining that my contact would be promoting.

The spam message

Yes, yes, I know, I am a bit too paranoid!

Anyway, I contacted my friend, and as I suspected, she had not posted this – or the 150 other messages posted to her contacts. I started to poke around a bit, and pretty soon she admitted that she had experienced other strange episodes lately.

One of the other signs was that when on MSN, MSN would disconnect her, stating that she was being logged on using a different computer. Unlike some of us, she only had one computer she used for this.

I started to suspect that a key logger or other spyware had infected her computer, and made sure that she changed her log on details (username and passwords) on all the services she uses – and that she did so from a different computer.

The next step now is to reformat and reinstall the OS and applications – just to make sure that any software that may have been hidden is gone for good. Did I mention I am paranoid?

I also told her to go to the police – not because I think they can do anything about this event – but to make sure the event ends up in the statistics.

She may have picked up the key logger while browsing the net. She might have got it through a download – or by an email from a friend. Or by a large number of other means available to hackers. She might also have left her credentials behind while using her friend's computer.

It does not really matter in this case. What does matter is her statement when I started to ask about the spam message on Facebook:

“I received reactions from my other contacts too – and I told them I had not done it. I thought it was just a system error, and wasted no more time considering it”.

(Emphasized by me)

And here we have the base of the challenge – normal users are not able to tell a threat from an error. Heck, sometimes we pros have problems with the very same challenge! And as threats evolve and get better at hiding, the harder it gets to know for sure.

I remember reading about this a while back – how all the errors in IT-systems have taught users that when unexpected things happen, it is just an error. Just restart and get on with it. (Please provide link if you know the story – I am unable to find it…).

And the result today is that when you do not understand what is going on with the computer, you just write it off as a “system error”, and get back to what you were doing.

We spend a large amount of time to teach users how to deal with security. But if we are not able to teach them the difference between a system error and a plain security threat – how can we ever expect to succeed?


Roberto Preatoni stays at WabiSabiLabi

Following the arrest of Roberto Preatoni last year, there have been numerous speculations about the WabiSabiLabi project (where exploits are sold to the highest bidder - a kind of QXL for hackers).

As Roberto is a professional, he and his team have spent time considering the risks and benefits of keeping him as the public figure of the project. After careful consideration, they have decided that the benefits are greater than the risks, and Roberto stays.

This is a normal process for any company in crisis. I am not a fan of WabiSabiLabi - although I do hear the arguments - but I am a fan of people being professional. Thus, I welcome Roberto back into the public light! 

Parents securing children - 10 points to secure your kids' use of the Internet

Children tend to be extremely adaptive and great learners. They are innovative and they dare to try. Their whole being seems to be based on one thing only – to try out new stuff. Thus, it is no shock to any parents out there that most children outdo their parents when it comes to using computers – on- and offline.

The interest children (of all ages) put forward sometimes also turns in a bad direction. Children use Facebook and similar services to dish out negative comments about classmates and friends. Comments like “You look like shit in that picture” may easily be perceived just as negatively as a blow in the stomach out in the courtyard.

The question arises – what can we as parents do to avoid this? Three things come to mind:

  1. Avoid all exposure to the ‘net and computers. Doable? Probably, but it will be tough. Smart? Sure, if you want your kids to be left outside. Desirable? Not unless you enjoy sticking your head in the sand.
  2. Let the kids do whatever. Doable? Sure, just look the other way. Smart? Sure – just don’t act surprised when the police, child molesters and other visitors knock on your front door. Desirable? Not if you care.
  3. Be an active part of the experience. Doable? Might be hard, but absolutely! Smart? Obviously – it will require some investment of time on your part, but you will learn a lot about computers and the ‘net in general, you will learn a lot about your kid(s), and you may be able to share your opinions and common sense. Desirable? Well, if you need ME to answer for you, you may want to review the two other options…


So how can you take an active part in the experience? In the workshops I run for parents, I make the parents come up with a few simple rules. Usually these rules follow these lines:

  1. Take an active part – by asking questions and being interested. Try to follow the use of technology – even though it seems abstract and difficult. Some possible means:
    1. Weekly/monthly meetings to discuss what is going on.
    2. Contracts – kids love contracts – add some control, and make sure you include incentives!
  2. Dare to ask questions if you do not understand what is going on. Also involve other parents.
    1. “Do you know the real names of your friends on MSN?” This question gives you an idea of whether your kid chats with friends, and may help you determine that “Jon” really is a 45-year-old child molester in your neighboring county.
    2. “How do you use x?” (insert Facebook, MSN, MySpace, or whatever you wonder about). This question may help you understand what is going on, and how these tools are used – in positive and negative ways.
    3. “Do you know if anyone at your school/class/group has received any negative comments/mails/threats?” This question may help you determine if harassment is taking place.
  3. Take control. Make sure you and your kid understand that there are some rules, and that those rules are to be followed.
  4. Allow for privacy. Make sure your kid (and yourself) realizes that although you need to have a certain control, he/she has a right to privacy. Thus, build a relationship based on trust. (See point 1.b above.)
  5. Encourage your kids to actively use the technology. Even if you do not understand it all (I know I don’t), you may still help your kid get the most out of the ‘net by encouraging its use. Learn a few basic rules, like source control (i.e. the higher the number of sources on the ‘net, the higher the likelihood that the information is accurate), and that nothing is certain even if it says so on the Internet.
  6. Be aware of privacy rights, copyright notices and user licenses. Many services are free in monetary terms, but you have to give up some rights (information, use of images etc.).
  7. Not everything that glitters is gold. Particularly true for younger kids – but the ads get better every day. The point is to teach your kid to be critical, and not click on everything that seems cool/nice/shiny etc. Many security threats are installed simply by a click.
  8. Keep updated. Make sure that your computer, your software and yourself are updated at regular intervals. Your computer and software have patches – very often automatic updates that you only need to enable. To update yourself, take an active part. Spend some time every week to read and study the technology, and discuss with other parents and teachers.
  9. Use the technology – make sure to install and use the necessary security software. Firewalls, antivirus, antispam and similar tools are the bare minimum.
  10. Enjoy! Have fun! This may seem opposite to the other rules – but if you are not having fun, what is the point?


Please contact the author with your comments – and feel free to add your own ideas and rules.

A must-read from Security Coin

A quick link for you today! 

Security Coin (a blogger - not cash) gives some very appropriate comments on the anti-phishing e-mail encryption tool from Voltage!

I have not tested the secure email solution from Voltage, so I have to take the Random Infosec Guy at his word about the solution.


The blogger is Kai Roer, a European Information security professional.
