July, 2008

According to Simon Dumenco over at Wired, Facebook is too creepy to offer business value. I certainly agree that there are aspects of Facebook that might be creepy, but I do not think that alone is the main reason to not use Facebook in a business environment.

A couple of his comments are good, though:

"The ease with which Facebook can be used to broadcast your whereabouts adds a particularly disturbing dimension for executives who would surround themselves with security in real life but are lulled into complacency by Facebook's tidy veneer. Last year, the British military sent a directive to its army units to avoid revealing their service connections online—"Be particularly careful if you are on Facebook, MySpace, or Friends Reunited"—fearing that, yes, Al Qaeda could use them to track prey. Your business competitors might not be terrorists per se, but Facebook can be useful for anyone trying to poach your M.V.P.’s."

I think this point is valuable to Twitter, Plaxo and LinkedIn too - they all love the Status update these days.

Another point, made by David Weinberger is particularly interesting:

"Younger people violate older people's idea of proper behavior when it comes to privacy,"

Now, is this a challenge for the younger people, or for the older ones? Who needs to adopt? The Young? The Old? The Wise? Or heaven forbid - me?

----

More on Facebook:

• Facebook open to ID-theft
• Howto use Facebook to gather Intelligence, Part 1
• Howto use Facebook to gather intelligence, part 2
• Facebook exploited

If you are in need of root password to the LiveCD *nix distro you just downloaded, this resource may be of help for you.

I know I need them from time to time, and usually when I do, I miss a "one-stop-shop" like this one :)

Thank you Benny!

I have created a LinkedIn group called NorSec. The group targets security professionals in the Nordic, with particular focus on Norway.

The group is not publicly available. To be accepted you will comply with the following:

• Located in Norway (or the Nordics)
• Currently working within the security industry

The benefits of joining the group are:

• Join and meet other security professionals
• Develop a forum for discussions
• Find job opportunities
• Find candidates
• Get answers

Please note - if you are not located in the area, or not in the security industry, you will not be accepted as a member of this group. There are other groups available for you!

To apply: http://www.linkedin.com/e/gis/111057/40E1791B6B9D

You may consider letting me know about your request using the contact form or my e-mail.

I have been asked to take a look at Deep Packet Capturing - a technology used to capture and store network packets. The keyword here is Capturing. The point is to capture and store networking traffic for (possible) later analysis and modeling.

One of the suppliers is Solera Networks, which offers appliances to capture and store information on your network at high speed - up to 10Gbit/s.


Why do you want this kind of tool?

So far, you have a Deep Packet Inspection tool, you save and analyze logs, and you also monitor your network. Then, one day, the police knocks on your door (or heaven forbid - the Media). Your logs and day-to-day analysis will only take you, and the police so far. You may pick up some irregularities from the past, but most likely you will not be able to rebuild and document the actual data stream. You end up with poorly documented speculations.

With a Deep Packet Capturing device, chances are that you would be able to not only figure out what when, who and what was done - but you would also be able to replay the sequence, re-analyze it, and most importantly document the whole process. In addition, you would be able to develop and test new rules for finding irregularities - without having to risk your day-to-day network flow. When your new rules are designed and tested, your can implement them.


Compliance

Compliance is still an important buzzword around the security space. One of the compliance issues requires you to save quite large amounts of data - usually from solutions and technology not designed to give you easy access to the very same data. A Deep Packet Capturing device may be an easy and cheap way to comply with such regulations.

If you are an ISP or VoIP service provider in the US, you also need to comply with CALEA. To capture and monitor VOIP data may be a challenge, and Solera Networks claim their CALEA Appliance is a low cost solution tackling this very challenge.


Virtualization

Another buzzword these days is Virtualization. Now, virtualization itself is not without risk, but considering the upside of fewer physical devices, lower power consumption and easier (at least in theory) administration, I think virtualization is here to stay. It just makes business sense.

Thus, I like the fact that some of the Solera Network devices are also available as VMWare Virtual Appliances. This also means I can easily test run these devices in my lab, if I so desire.

I like new technology and new ideas. With the low cost of storage these days, a Deep Packet Capturing device makes perfect sense to me.

It is summer in my part of the world. Sun is shining for a few hours, then rain is cooling everything back down. And when the refreshment is over, sun warms and invites us all to go to the beach and enjoy.

It surely is hard to work under these conditions!

Late last week (I was away the computer all week - only occationaly checking mail on my cellphone...puh, I am hot...), my ears picked up a heated discussion on the radio. IKT-Norge (the organization for ICT in Norway) was extremely conserned (sorry, Norwegian text) about the fact that the Swedish government decided to allow surveillance of all the internet traffic in the Swedish backbones.

IKT-Norway claimed that this would become an extreme security threat to Norway (almost all the backbones in Norway are connected through Sweden - thus most of the Internet traffic to and from Norway is routed through Sweden). And this guy Hallstein Bjerke at IKT-Norge said things like the Swedish surveillance team might pick up sensitive and secure data from the Norwegian DoD, as well as from Norwegian multinationals and oil companies.

I say: Duh - time to wake up. If you think your members are NOT evaluating risk, and taking the propper precautions when communicting over the Internet, I think you have in the wrong place.

One of the examples was that  Sweden (one of two potential suppliers of new Jet-Fighters to the Norwegian Airforce) are now able to surveille and read all communications the Norwegian DoD have with the competitor Jet Fighter supplier - just by reading the emails.

HELLO!!! Do you REALLY think that the Norwegian DoD would email such information JUST LIKE THAT? Do you REALLY think that the DoD have NO CLUE WHAT SO EVER about the e-mail communication protocol? And that they have made NO precautions? The DoD in the US MADE the Internet back in the days. Norway was one of the very first countries OUTSIDE of the US to join the Internet in 1972.

What planet are you on, really?

Another example was the Oil company Statoil Hydro in Norway, and how the Swedish now may tap into all the e-mail communication they send and use.

I happen to know a fair bit of how such organizations think about security. Some think they are a bit too paranoid. Companies like this one is successful due to their ability to measure and counter risks. Further, they are technology driven, and have a very clear understanding of both their core business and values, and ICT - both from a maintenance and developement point of view, AND from a security/Risk point of view.

These companies would not use Internet to send and recieve ANY (valuable) information unless they previously weighted the risks involved, and put in place counter measurements (alternative communication tools like SatPhone, encryption, snail mail and personal delivery).

These companies ARE NOT STUPID.

The third example is about surveillance of the Norwegian Governments communication with the EC. I am the first to admit that I do not know much about professional politicians. But I do find it hard to believe that there are no training; or common security awareness in the government. Yes, we do see that they post their traveling itineraries on public websites from time to time, but I am pretty sure that not even politicians would be using e-mail and other non-secure communication channels when they are discussing matter of national security. I may be wrong, of course - they are politicians after all.

The only good thing about the action taken from IKT-Norge is the fact that now more people know that:

1. Sweden has a legal manner to tap into ALL communication on the Internet (that passes through their network), thus they no longer need to hide their surveillance (the way most other countries does it),

2. regular people may (or may not) have gotten a better idea of how EASY it is to use the Internet to gather information.

Still, somehow I've got the gutfeeling that the regular users do not see the relevancy of this. After all, most act like "I have nothing to hide!", and thus allow the legal AND the illegal surveillance teams to gather extremely attractive profiles.

For companies - yes, people in Norway are naïve (in a good way, always thinking the best of people), but most companies and business people do realize that the world is smaller, and that precautions are needed.

We may be naïve - but we are not stupid.