Simple tips for getting a job in #infosec

With the global financial crisis many people have been looking for stability. I on the other hand have worked mainly as a contractor in the past four years so have had a great deal of experience in finding new roles. Many roles have been really interesting and rewarding, generally lasting between 6 months and 1.5 years. I have been lucky enough to only ever have a maximum of two weeks between roles. These are some practical tips and lessons learnt for finding a job in security that have worked for me. 

Top 3 reasons why fighting small battles is losing us the war

Are you sure you are a security guy? A friend and colleague working in anti-fraud has asked me this a number of times on a recent project. The answer is no, I am not. Not your typical one anyway. I think sometimes I am more of a business guy trapped in the body of a work prevention officer. I care about viability, the bottom line and time to market. I spam people with the latest developments in the industry. I am also a tech geek trapped in the body of an InfoSec guy. I think web sockets, NoSQL, node.js and CoffeeScript are cool; I don't immediately worry about the security hazards they bring. I believe most things that benefit the business can be done securely enough to mitigate the risks to a level the business would accept. For these reasons, I have become increasingly frustrated with the InfoSec industry and security in large companies in general. If we stopped crying wolf at the small stuff, there is a better chance we could have some real influence on the big issues.

Apple bringing secure email to the masses with iOS 5

One of my worst ever projects was implementing PGP email encryption. Considering I have only worked in large financial services companies, that is saying something. I have reflected on the lessons learnt from this project before, but I felt that PGP was fundamentally flawed. When Apple iOS 5 was unveiled, there was a small feature that no one talked about. It was hidden among the sparkling jewels of notifications, free messaging and "just works" synchronization. That feature was S/MIME email encryption support. Now S/MIME is not new, however Apple is uniquely positioned with their ecosystem and user-centric design to solve the fundamental problems and bring secure email to the masses.

Google+ because I hate being put in a box

No one talks in my Facebook groups. People talk too much on my Twitter feed. These are my two biggest problems on social networks at the moment. I'm pretty sure this only impacts me though. I have been playing around with Google plus for a few days now and interestingly I think it could solve both problems. I also have some suggestions that would improve the service for me at least.

I was hacked @MTGOX #bitcoin – 3 reasons I am not worried

I have been violated. It is a sobering experience. Username, email and hashed password available on the Internet in a prime database for script kiddies, Lulzsec et al. I now have some sympathy for RSA. Actually, hang on a sec. No I don't. I actually did what I preached. Read on for three simple strategies that gave me comfort after having my details compromised as part of the MTGOX bitcoin hack.

Agile != security

I am going to fail. Agile and security just do not mix, especially secure at source. Agile is all about rapid development, everyone in a room with brown paper plastered across the wall, product backlogs building up while developers code feverishly on today's priorities. Security works well in a structured environment. We influence through control points and project gates. Oh, you are writing requirements? Let me provide you some from security. Design stage? A threat model and design review. Build we will mostly ignore, but test is our coup de grâce. The pen test is the height of security skill, where your lovely creations will be decimated! But how do I apply this magnificence to agile when I am called a CHICKEN and thrown out of the room?

7 ways to exploit psychology to sell security

I have felt the bitter taste of defeat many times. That feeling in a meeting, on a call or at a presentation when you feel the tide turning against you. All the logical arguments that seemed so persuasive ten minutes ago have evaporated and all you have is another meeting or a working group to explore options. The security improvements that were so badly needed are rejected once more. @J4vv4d from Quantainia writes for a new year's resolution: "If you've heard me talk about security but still don't think it's important. That's my fault not yours". So why not use some techniques from psychology to help?

The surprising security model for NFC payments

One of my new year's resolutions was to learn more about NFC security. Not because I disagree completely with people saying it is over-hyped, but since chip and PIN was added to credit and debit cards, NFC is one of the most interesting innovations in payments, at least in the west (Japan has been using NFC for years). NFC presents some really interesting security challenges, so I have been reading a lot of research papers and buying coffee for a number of experts. What I have discovered so far really surprised me.

What does Sony need to rebuild confidence after #sonyhack?

I was debating with a few security colleagues whether this massive 77 million+ record data breach would actually hurt Sony on the bottom line, and discussing TJX as a good example where, as a retail organization, the impact may not be that large nor that permanent.

Apple Google #locationgate: breaches EU Data Protection Directive

The story over the last week has been the royal wedding Apple and Google collecting location information, including GPS and closest cell phone towers, on their iOS and Android devices and transmitting it back to big brother. In the case of Apple, the file containing this information was stored unencrypted on the device, backed up also in the clear to any machine the device was synchronised with, and contained far more historic location information than was required. At least Apple anonymized and sent this information every 12 hours (reducing real-time tracking ability) and technically did ask for "permission", because everyone reads through those privacy and terms and conditions policies. Google asked for permission in a little bit less opaque way but transmits location information back in near real time. Microsoft has also joined the party, admitting they collect location data but do not store it on the device. Symbian or WebOS anyone, for a complete set?

Federated authentication: security that makes you money

Federated authentication, using the same login details across multiple organizations and services, is one of the few security technologies that can actually be revenue generating for end-user (non security vendor) businesses. There seem to be so many reasons to adopt it, but it is still a hard sell and does not have widespread implementation. However, we may be reaching a tipping point where this may all change.

Agile: Most security guys are useless

The return of king Larry to his rightful throne at Google with his nerds engineers rule edict and Jason Fried of 37 Signals talking about the culture of a flat company got me thinking whether in an Agile development world are most security guys useless? The short rationale is that in Agile and really any lean, successful company, you want "everyone to touch the product". Security guys need to code, those that don't (the majority) are not required. But is this the whole story...

RSA APT hack - blogger tells all

So an RSA employee released a blog post with some more details of the "Advanced Persistent Threat" attack that involved the theft of information related to SecurID. RSA should be praised for this, as I, like many others, had been disappointed with them for less than responsible disclosure. Although this post does not provide details of what was stolen (maybe they don't know?) that would enable smaller organizations and individuals without direct contact with RSA to perform a risk assessment, it does at least provide opportunities for lessons learnt. It also raises questions on why a security company did not have appropriate controls to mitigate these risks.

Risk assessment: a glimpse of the future

I believe a great risk assessment gives you a glimpse of the future. It gives you more control, more certainty; trust is good, control is better. If you are like me and on occasion have a niggle in the back of your mind about the security of your company or a new project going live, a risk assessment is the way to get that peace of mind. If you like to be confident that you have thought through all the issues and angles, this is an exercise you should do regularly. When you need to decide on anything security related and you need to know whether this is the right decision, you first need to answer the question: what is the risk? If you need to know whether you are getting value from a security investment, the same applies. This is why you need to do a risk assessment.

RSA and SCADA: two ends of the disclosure spectrum

In the last week we have seen what I feel are two ends of the disclosure spectrum for security. The RSA SecurID incident, with such a high-level statement (called "corporate spin" by Schneier), on one end, and 34 vulnerabilities and proof of concept code on SCADA systems on the other, disclosed by a researcher without following responsible disclosure principles. Both are far from ideal and badly in need of improvement.

Feeding an offline reading habit

Ever since I got an iPhone 4 with the retina display I have been hooked on keeping up with my favourite tech and security blogs on the move. Yes, I'm one of those annoying zombies you see reading on their phone while walking, standing in line, on the train etc. It has enabled me to make better use of this time and keep entertained. However, one of the major problems is that I live in London and most of my reading is done on the one hour commute to and from work on the tube (underground subway). The tube has no Internet access, so I have had to find some offline ways to feed my habit. These are some of the best ways I have found to read and share what I like:

Mitigating OWASP top 10 without any code

We have been taught in the last 10 years that application security is what is important, that software must be coded securely and that infrastructure is becoming less and less relevant. So why is it then that when I am writing a security view for a recent project, the majority of my web application security threats are mitigated via the infrastructure?

Google+ - many ways to do identity?

Update 2011/06/28:

Looks like Google+ has finally launched, if only to a select group of invitees:

Analysis of the security and identity implications of circles to follow as more information comes out. Having it baked in should make a lot of difference. Lessons look learned, with Instagram-type filters for photo sharing and a mobile application built from the start.

Let's just hope it doesn't take a Wave timeframe to launch to everyone.

Exciting news today with Google Circles to be announced at SXSW, and then disappointingly not. Let's hope that Google can learn the lessons of Wave about not stretching the hype for too long before the launch and not screwing up privacy. Let's also hope they can deliver something that is truly engaging and delivers the vision of law 5 in the laws of identity, where others have failed:

5. Pluralism of Operators and Technologies
A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.

Facebook groups have yet to solve this problem, and Zuckerberg's quote "Having two identities for yourself is an example of a lack of integrity" may suggest they will never get it and don't see that as a problem.

More analysis as details on Google Circles are released. Until then, this deck outlining what is possibly the vision behind Google Circles is well worth reading:

The videos are well done:

DDOS protection strategies

Distributed Denial of Service (DDOS) has drawn attention lately, with incidents ranging from Anonymous taking down the Visa and Mastercard sites as retribution for cutting donations to Wikileaks, to Wordpress being attacked by the Chinese. A talk at the DC4420 meetup in London described DDOS as the modern political protest, comparable to a crowd protesting on Oxford Street. The protest means that some people cannot go shopping, and there is media attention drawn to the cause; Paypal goes down for a few hours, and the tech blogs, Twitter and eventually old media play a similar role. In addition, the few million the site loses to downtime means that they may think twice about bowing to pressure so quickly from a US senator. Regardless of motives, if you operate a major website today, especially one where every minute of downtime has an impact on the bottom line, DDOS protection is something you have to think about.

Password stolen: an ounce of prevention

My response to a HARO question: Recent hacks potentially compromised the passwords of hundreds of thousands of users on popular websites, a real problem since people seldom maintain unique passwords. This story looks at what you should do when your password is potentially compromised, outlining good password hygiene.

Why advertise your Facebook site?

If you do not learn from history:

Data classification: start with the end in mind

My response to a HARO question: To be read by IT managers at SMBs: tips for setting up a data classification system that assigns levels of sensitivity to data. What do they need to know to get started and what tools will they need to invest in? What are the costs involved and what are the benefits and pitfalls?

Apple succeeds where security failed with web developers

Interesting article today about some malware with the linkbait title "The mother of all Android malware has arrived". It involves the malware writer downloading over 50 free applications from the Android app store, adding a trojan to them, repackaging them and releasing them for download. Aided by the fact they were existing applications, it is reported there were between 50,000 and 200,000 downloads over 4 days (it took Google that long to shut down the malware spreading applications). The trojan used a root exploit and allowed stealing of data as well as opening up a back door for download of further malware.

There is some really good discussion comparing the Apple and Google approaches to their respective app stores on Hacker News. What struck me the most though was how Apple's review process appears to have succeeded where security professionals have failed for years with developers.

Why is it cloud everything now?

<rant> I'm getting really annoyed at the use of "cloud" for everything these days. By far the most ridiculous has to be the Microsoft advertisements with the tag line "to the cloud". In the beginning cloud computing had a definition and a point. Now it has been bastardised to an extent that we should relegate it to marketing gibberish.

Balancing security and employee productivity

My response to a HARO question: Finding the right balance between IT security and employee productivity can be tricky. You want to ensure your company and its data are secure, but you also don't want policies and protections that prevent employees from being able to easily do their jobs. How do you find the right balance? What are the most important issues to consider? How can you tell if your enterprise security is off balance?

Demise of Blockbuster, Borders and Google?

The collapse and subsequent bankruptcy of Blockbuster and Borders recently got me thinking about how swiftly the online world has become a critical factor for survival. The demise of both these companies was a long time coming, so it hardly should be a surprise, but I still think back only 5 years or so to when Borders opened a massive store in Lygon Street in Melbourne, Australia. Even back then we thought it was the height of arrogance, but for different reasons*. Similarly, Blockbuster was at least a weekly event; during my second year of Uni, boredom meant five videos from the local Blockbuster. It is one thing to realize intellectually that companies are being born and dying at an exponential rate, it is another to experience the death of these giants that seemed blue chips only years ago.

Open source security - angels fear to tread?

Simon Phipps from Computerworld has a short post on why open source is good for security. He highlights two old security vulnerabilities, one that was fixed as soon as it was discovered by the open source community. The second, in closed code, remained outstanding from 2002 until the community got involved to fix it. It makes sense: security through obscurity is a fallacy, many hands make light work, and plenty of other clichés. Why would you not use as much open source software as possible? Management likes the price and now you're saying it's more secure? I'll take two!

You will still lose data so is DLP worthwhile?

Today I was reading an article titled "Data Leak Prevention Bypass", which got me thinking about all the data loss vectors I had considered when making the business case for DLP in the past. The author has an interesting project: a device that uses the keyboard USB interface to bypass the protection of removable media control. The wrong message to take from this is that DLP is not worthwhile because it can be bypassed.

Analysing Aberdeen Group Application Security Study

I had a comment on my post "Early security engagement in projects - critical or a waste" providing a link to a study. It asked for my thoughts on a December 2010 Aberdeen Group study titled "Security and the Software Development Lifecycle: Secure at the Source". The study has a headline: "Top Performers Invest More Annually in Their Application Security Initiatives, but Realize a Higher Return by Identifying and Remediating More Vulnerabilities Prior to Deployment". The key conclusion is that companies practising security at the source saw "a very strong 4.0-times return on their annual investment". I was asked, so here are my thoughts:

Early security engagement - critical or waste?

An axiom of information security is that early engagement in projects and the Software Development Lifecycle (SDL) will produce more secure systems. As I quite enjoy challenging axioms, here goes.

Payments revolution in next two years?

There are some really interesting developments occurring in the world of online and offline payments. In less than two years' time the way we pay for things, and even whether we need to carry a wallet full of cash and plastic, could be in question. This could also have some interesting security implications.

Obama Cyber ID = bad idea

Flickr: laverrue
Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans; a White House official said it is "the absolute perfect spot in the U.S. government" to centralize efforts toward creating an "identity ecosystem" for the Internet.

This is such a bad idea and will never work, and these are some of the reasons why:
