December 5, 2011
Twitter’s Free iPad 2 Scam (with a twist)

Someone, or something, going by the handle @mahanarfmhul3 (a.k.a. Mahana Cox) sent me the following message on Twitter:

As of this writing, @mahanarfmhul3 began emitting tweets about two hours ago with a frequency of 1 tweet every 3~5 minutes. The account totals 26 tweets. 19 of them are of the same kind I received:

The remaining 7 look harmless, most probably to thwart Twitter’s algorithms for detecting spam and phishing attempts. 5 of these “innocuous” tweets are written in English while 2 are in Spanish:

I highlighted a tweet apparently addressed to someone called AdamWeitner. Except that Adam Weitner is not following “Mahana Cox”. And the tweet is not addressed properly to him since the @ sign is not used as a prefix.

Now let’s look into the phony link I received: tinyurl(dot)com/6v5g4wz. Since it’s a TinyURL shortened link, we can preview its destination without visiting it by prefixing the URL with preview. (as in preview.tinyurl(dot)com/6v5g4wz):

Now that we have the URL behind the shortened link, we can dig a bit further. whois tells us that the domain is very fresh as it was created on Dec 4, 2011 through GoDaddy.

McAfee’s Threat Intelligence and MalwareDomainList do not have identification data (yet) for this URL.

However, Wepawet finds some interesting results:

ipadzu(dot)net seems to be yet another site hosting one of those numerous Free iPad2 scams that are running rampant on Twitter. WOT gives it a poor reputation:

This shows once more why it is unsafe to click on URLs, shortened or otherwise, before doing some basic checks.

During the course of this investigation, no animal was harmed. However, it seems that LongURL have some funny results to say the least:

Sorry Mahana, I am not interested in your free iPad 2 and I’ve flagged you as a spammer with Twitter.
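The basic checks walked through in this post (previewing the TinyURL link, then checking the landing domain's age in whois) can be scripted. The following is an added example, not part of the original post; the shortener list, the 30-day threshold and the whois excerpt are assumptions, with only the link, the domain and the creation date taken from the text above.

```python
import re
from datetime import date, datetime
from urllib.parse import urlsplit

SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}  # assumed, non-exhaustive list
MIN_AGE_DAYS = 30                                # assumed threshold for a "fresh" domain

def refang(indicator):
    """Make a defanged indicator such as tinyurl(dot)com/x parseable again."""
    url = indicator.replace("(dot)", ".").replace("[.]", ".")
    return url if "://" in url else "http://" + url

def host_of(indicator):
    return (urlsplit(refang(indicator)).hostname or "").lower()

def tinyurl_preview(indicator):
    """Preview page that shows the destination instead of redirecting to it."""
    if host_of(indicator) not in ("tinyurl.com", "www.tinyurl.com"):
        raise ValueError("not a TinyURL link")
    path = urlsplit(refang(indicator)).path
    return "https://preview.tinyurl.com" + path

def domain_age_days(whois_text, today):
    """Age in days from the first creation-date line of a whois record, or None."""
    m = re.search(r"(?im)^\s*creat(?:ion date|ed on)\s*:\s*(\S+)", whois_text)
    for fmt, width in (("%Y-%m-%d", 10), ("%d-%b-%Y", 11)) if m else ():
        try:
            return (today - datetime.strptime(m.group(1)[:width], fmt).date()).days
        except ValueError:
            continue  # try the next known date layout
    return None

def triage(short_link, landing, whois_text, today):
    """Return the reasons a link deserves suspicion before anyone opens it."""
    reasons = []
    if host_of(short_link) in SHORTENERS:
        reasons.append("destination hidden behind a URL shortener")
    age = domain_age_days(whois_text, today)
    if age is None:
        reasons.append("no creation date in whois record")
    elif age < MIN_AGE_DAYS:
        reasons.append(f"landing domain {host_of(landing)} registered {age} day(s) ago")
    return reasons

# Constructed whois excerpt; only the creation date (Dec 4, 2011) and registrar come from the post.
SAMPLE_WHOIS = "Domain Name: IPADZU.NET\nRegistrar: GODADDY.COM, INC.\nCreation Date: 04-dec-2011\n"

if __name__ == "__main__":
    print(tinyurl_preview("tinyurl(dot)com/6v5g4wz"))
    print(triage("tinyurl(dot)com/6v5g4wz", "ipadzu(dot)net", SAMPLE_WHOIS, date(2011, 12, 5)))
```

Neither function touches the network: the whois text is passed in, so the same logic can run over saved records or the output of a whois client.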

November 16, 2011
Thoughts on Security Practices and the Consumerization of IT

Tim Rains, Director of Trustworthy Computing Communications at Microsoft, has published an interesting post on TechNet pertaining to the IT consumerization wave that is hitting enterprises at full force and the difficulties these companies face in dealing with it.

Tim refers to the 14th annual Global Information Security survey from E&Y.

The following excerpt, cited by Tim, is a telltale sign of enterprises groping for answers on how to address these consumer-grade devices in the corporate network (emphasis added):

our survey shows that the adoption of tablets and smartphones ranked second-highest on the list of technology challenges perceived as most significant, with more than half of respondents listing it as a difficult or very difficult challenge.

The vast majority of respondents try to tackle the issue from the security policy and awareness perspectives. Encryption comes third, as many CISOs and CSOs try to concentrate on the data rather than on the equipment.

By approaching the problem from a data-centric point of view, they aim to isolate and protect corporate data stored on BYO devices. Sadly a well-known fact of information security is that whoever controls the device controls the data. Building a castle in uncharted territory is an ill-advised strategy.

I am not saying that data-centric approaches are useless. I am saying that they are not sufficient and must be complemented by a threat-centric approach as championed by Richard Bejtlich.

We should be monitoring what goes in and out of these devices and beef up our incident response capability to act swiftly in case of data exfiltration and other significant threats to brand image, business data and intellectual property etc.

October 28, 2011
Unsung HEROes

IT departments all over the world have a reason to mourn. They have been urged by Forrester Research to support Macs.

What Forrester Research presents as a new era of computing has been here for years but they were blinded by their strong Microsoft/PC inclinations.

They seem to take notice. At last. But in their haste to make this old movement look new, they invented yet another term for what has already been coined BYOD (Bring Your Own Device).

Now, we are told, Mac users should be called HEROes:

“HERO,” it turns out, is a Forrester acronym for Highly Empowered and Resourceful Operatives — “the 17% of information workers who use new technologies and find innovative ways to be more productive and serve customers more effectively.”

Stop rubbing your eyes out of utter disbelief. You aren’t dreaming. HEROes. Highly Empowered and Resourceful Operatives.

We will never stop getting surprised at how imaginative marketoids are.

October 27, 2011

Les McCann playing Love for Sale from the 1969 album Much Les. Got it on LP in near mint condition from the awesome Betino’s Record Shop in downtown Paris.

September 13, 2011
Reading The New York Times, The 2.0 Way

I enjoy reading The New York Times on the iPad much more than on any other device or browser. The NYT iPad application is very well designed and offers the much-touted ‘immersive’ experience many iPad users talk about.

‘Immersive’ applications are nothing new. This is what we may call full-screen apps without resorting to Gartner-like buzzwords. And full-screen applications have existed for a long time. However, the iPad takes them to the next level as window decorations, scroll bars, notifications coming from other applications like the dreaded “you have a new message” pop-up and everything else that may cross your focus line are taken away.

When I can’t use my iPad and instead sit in front of my ‘traditional’ workhorse of a laptop I’ve been struggling to find a way that would mimic as much as possible the NYT experience on the Apple tablet.

Let me step aside for a moment as I want you to note how the tables are being turned and how I use ‘traditional’ as an adjective when thinking about my almost last generation MacBook Pro laptop. Apple and, possibly, others are creating a whole new way of computing. Look at the upcoming Windows 8 operating system and you won’t fail to notice how serious Microsoft is about the tablet approach (let’s hope they get it right this time). As a result, I am growing unhappy lugging around 3.5 kg worth of hardware, dealing with window placement, turning off as many notifications as possible and so on. I have to fight for my right to focus on the task at hand. Computing is a means to an end.

Anyway, back to the main track. I’ve been frequently using Google Chrome for more than a year now and I am satisfied with it. Performance is snappy, security is satisfactorily addressed and useful extensions are out there. Which brings me back to the main topic. The NYT have created a wonderful extension for Chrome that does mimic the iPad application as you can see.

Simple, streamlined and efficient. Isn’t that beautiful design? That’s computing at our service and not the other way around. And hopefully we’ll see more of it in the next years.

July 29, 2011
C’mon Apple! Why have you made these boxes checked by default on OS X Lion, even after the iOS tracking mess?


June 27, 2011
Cert-IST 2011 Annual Forum

I had the opportunity to attend the Cert-IST 2011 Annual Forum held on June 7, 2011 in Paris, France.

Cert-IST is a French CERT dedicated to the Industrial, Services and Tertiary sectors. They organize an annual forum. Last year’s edition was mildly interesting. The most interesting presentation IMHO was given by a security professional working for Sanofi-Aventis about how they conducted their security awareness programs. In comparison, it would be an understatement to call this year’s edition an interesting conference as most presentations were really thrilling.

First of all, let me apologize to my non-French speaking readers as all the presentations were made in French. This year’s theme was “Security and Modernity: a Challenge for the Enterprise?” and questioned the numerous technologies and trends from the standpoint of security professionals, be it the Cloud™, the smartphone invasion, the traction that the BYOD (Bring Your Own Device) movement is gaining in the enterprise, social networks, or APT attacks.

There have been quite a number of very interesting presentations such as:

  • Keynote “Security and Modernity” by Antoine GARAPON, Judge: CISOs continue to view Information Systems as a territory to defend while attackers act as sea pirates. They view the Internet not as land but as a body of water where they can sail, looking for prey. It is necessary that we, security professionals, look for a middle ground and get out of the “forbid everything not absolutely necessary” mindset. Otherwise, we won’t be able to cope with the challenges that we are facing (think new technologies).
  • National Strategy for Cyber Defense by Patrick PAILLOUX, General Manager, ANSSI: very interesting feedback on the French Ministry of Finance’s attack and the resources ANSSI allocated for incident response. The attacks were not sophisticated but their perpetrators had important means and were highly organized. Mr. PAILLOUX insisted on the necessity of having a CERT-like capability or at least some sort of incident response in every company to help cope with the new threat landscape.
  • Securing Mobile Devices for Enterprise Usage by Jean-Marie MELE, Security Engineer, France Telecom Orange: very good presentation on the technical and legal issues pertaining to BYOD (Bring Your Own Device). In France, a personal device is the property of its user even if it is used in a professional context. As such, it cannot be audited or submitted to a pentest without the consent of its owner. A number of Android vulnerabilities were also cited. It is necessary to follow such trends and adapt to them or risk being completely bypassed.
  • Cloud Computing: Legal Questions by Jean-Marie JOB, Attorney: excellent presentation on the legal aspects of Cloud Computing. Who is responsible for data processing (and thus must make sure that personal data is processed according to the French law)? What are the important points to keep in mind before moving to the Cloud? What happens if personal data is handled outside of the EU?

If you’d like to dig deeper, read my full account (in French) and/or download the presentation materials online.

June 2, 2011
"We’ve seen several dozens of malware targeting Android over the last year. We’ve never seen a single malware targeting standard iPhones."

— Mikko H. Hypponen, Chief Research Officer, F-Secure

(Source: twitter.com)

May 19, 2011
A short definition of APT (Advanced Persistent Threat)

There have been a lot of discussions involving APT (Advanced Persistent Threat) attacks. Many abuse this term to define any sufficiently advanced attack, no matter the motives of the attacker and as long as the attacked party is a high profile company or any organization that can get the information security community’s attention.

Please note that depending on whom you ask, sufficiently advanced is a widely fuzzy qualifier and must not be considered as a valid definition given the bias that is introduced, voluntarily or not, by the involved parties.

That said, I believe that all APT attacks share something in common, as written on page 69 of the IBM X-Force 2010 Trend and Risk Report:

the key is that the attacker is dedicated to maintaining a persistent capability to extract data.

Another good and far more complete definition of APT has been proposed by Richard Bejtlich in early 2010. Richard now works for MANDIANT, a company that seems to have extensive experience in dealing with such attacks.

April 24, 2011
Light: On The Sound Side

A few days ago, I received a wonderful record from The Numero Group, one of my favorite labels. It’s called Light: On The South Side and it features a 2 LP gatefold vinyl and a 132-page hardback book.

The 2 LPs are a compilation of 17 tracks of the kind of funky Chicago blues that was played in Chicago’s South Side clubs in 1975-77 and the hardback book features some incredible pictures taken by Michael L. Abramson, a white guy in that massively black neighborhood. The pictures show the crowd, not the artists, that haunted those joints back in the day. There were some incredible cats and ladies in those places. The music is captured in a ‘raw’ fashion. You can hear a hiss now and then, some background noise and other details that make you travel back in time without leaving the comfort of your sofa.

While most of the selection is very good, a few tracks stand out such as Andrew Brown’s You Made Me Suffer:

Such is the power of music and pictures. Together they can create the necessary conditions to make history real and restitute a long-gone atmosphere.
