About Me

I ramble about a number of things - but travel experiences, movies and music feature prominently. See my label cloud for a better idea. All comnments and opinions on this blog are my own, and do not in any way reflect the opinions/position of my employer (past/current/future).

13 October 2012

Movie: Haywire

It is a spy/action thriller featuring some top notch actors in Michael Fassbender, Ewan McGregor, Michael Douglas and Antonio Banderas, about on a female mercenary who is framed by her employer. It's a nice story, with a fairly realistic story (no amazing gadgets, people get hurt it fights) but nothing spectacular.

Movie: Father of Invention

It has been a while since I have watched a movie featuring Kevin Spacey. The movie features a successful inventor (who makes money from infomercials) who has just got out of prison. It is partly a story about his search to reclaim his mojo as a inventor; but ultimately it becomes a feel good soppy movie about family values. The brilliance of Usual Suspects this ain't.

For the Lack of a Conductor

The Heathrow connect from London made a surprising, last minute cancelation and stopped the station before the airport. At this point there were three options, take the next train, take the bus or take a taxi. The latter two options wouldn't be supported by the train company; and the last minute change was very perplexing.

It was particularly perplexing that the options were not communicated by the train drivers or the station; but rather by a young apprentice of the train company who had just got off and similarly inconvenienced. Apparently, the cause of the delay - the lack of a conductor to check tickets; apparently a requirement for all Heathrow trains. And even more alarming - this is not an irregular occurrence; but something that is quite frequent (the missing conductor and thus the cancelation of a train). Apparently, this is most frequent on early morning trains to and from Heathrow.

So, if you don't have 30 minutes to spare waiting for the next train (and are willing to pay double); get the express. The affliction of missing conductors apparently does not affect the express.

11 October 2012

Hacking Virtual Worlds

Jason Hart had a brilliant talk on different techniques to hack virtual worlds. His key message was, as virtualization had taken off, the CIA principles for security have been completely ignored and many of the old vulnerabilities have not only resurfaced; they are even easier to exploit.

Not all of the talk was specifically focused on cloud. Using a Pineapple he showed how easy it is to intercept and decode passwords (even when they are encrypted). After that, accessing systems, virtual or not, is not a big issue.

But his attack techniques on virtualization platforms were the most illuminating - from accessing VMWare's vCenter via cracking the MD5 password; to exploiting the fact that robot.txt files aren't respected in public cloud services (and thus susceptible to google hacking).

It was not a failure of technology (although the Pineapple did exploit protocol weaknesses), but failure to follow basic principles.

Active Defense

Another buzzword at the conference is Active Defense. Introduced by Francis deSouza in his keynote on day 1, it is based on the idea that wars are not only won by defending, but also by attacking and eliminating threats. The concept is off course controversial and the legal, technical and ethical challenges have been raised by a number of latter speakers.

This morning, Josh Corman raised the idea of resurrecting Letters of Marque as a means of regulating active defense. I am not convinced that this approach will solve the legal and ethical challenges.

Letters of Marque, were granted by European monarchs to sanction specific pirates and allow them to carry out their piracy (usually as long as it was not in their backyard). Effectively, it was state sanctioned criminals; and the idea to enable Letters of Marque for cyber attacks will open a Pandora's box.

Josh Corman's HD Moore's Law

Since yesterday's keynote by Josh Corman, HD Moore's Law has become some sort of a mantra by the other speakers at the conference.

It's a brilliant argument; instead of focusing on compliance as a minimum baseline, the minimum baseline should be, can you get compromised by default/basic settings of Metasploit? The ease of use of Metasploit and since its widely available, it makes it an easily exploited attack vector. It also aligns to the US RSA Conference talk on metrics that commented that the basic metric of security is "hackability", or how easy is it to hack you.

10 October 2012

Live RAT Dissection

Uri Fleyder (RSA) and Uri Rivner (Biocatch)'s presentation yesterday on the use of remote administration tools, coupled with "man in the browser" attacks is probably the most alarming threat exploitation I have seen recently. 

The attack first exploits browser vulnerabilities through drive-by-downloads to infect the target machine. I suppose a drive-by-download is not even necessary - other vectors could also be exploited. Once the target machine is infected, the attacker can make use of a remote administration tool (RAT) to carry out an attack using the target machine. Through the use of "man in the browser" attack, the attacker intercepts browser activities, such as banking (or e-commerce or any other activity), and thus can not only capture data in realtime but can also take control over the browser and show false messages (such as longer login times, false redirections etc). 

The beauty of this attack, is that the attack is completely out of the target user's machine, and tokens are actually also compromised in this attack (through the use of redirections). And there are very few countermeasures ...

09 October 2012

RSA Conference Europe: Day 1 Keynotes

There was an overall theme to the first three keynotes - a need to change the security models from (perimeter) defense based to "intelligence based" model. Art Coviello (Chairman, RSA) introduced the theme, with a focus on changing security to be more agile, contextual, risk based and the need to share and analyse information on scale.

Tom Heisner (President, RSA) followed expanding the themes, with an insightful comment on the Moore's law equivalence in security; the cost of attacks have reduced while the complexity of attacks have increased. Both speakers were hugely critical of compliance based regulatory regimes which are sometimes contradictory, and often provide a false sense of security.

Francis deSouza (Symantec) followed the theme with a focus on the need to be more "militaristic" in IT security. His argument was that you can't win a battle on purely defense, and security strategies and solutions need to consider the whole campaign and not just point vectors. In this regard, defense mechanisms also need to be "great" and not just good to be effective.

Adrienne Hall (Microsoft GM for trustworthy computing) focused mainly on cloud adoption, though was a bit out of sync on the earlier theme. Hugh Thompson, was also out of sync, but did raise a different perspective - security solutions currently are a "one size fits all" solution, and are not catered for individuals, so are either too complex or too simple; and are basically both ineffective. To create a security profile that is really personalized will be difficult, but would be a very interesting approach in becoming more secure.

Chill Man

I caught the slower train from Heathrow to Paddington, which stops at a few local stations along the way. It was surprisingly quick to clear immigrations (last experience at Heathrow, over an hour, yesterday 5 minutes), so I had some time before I could check in to my hotel.

The first stop after Heathrow, two heavily tattooed men dressed in tatty clothes got on, and hung by the door. Shortly thereafter, the conductor came through checking tickets, which these men didn't have. I was quite surprised, as were the two men, on the conductor's reaction. After a hushed (but still audible) chat on why they didn't have tickets, the conductor simply asked the two men to take a seat and relax. The men were so startled, that the conductor had to repeat himself, "chill man".

I am not sure why this small incident should stick in my mind ... are these instances of understanding officialdom so rare?

07 October 2012

Symphonic Rocks 2012

The second year in Jo'burg wasn't as well attended, with a number of free seats. Carnival City, as a venue probably contributes to that, but the crowd did seem a lot more diverse than last year. The combination of the 65 piece Cape Town Pops Orchestra and leading SA pop/rock artists is not only great music, but as Ard Matthews put it so eloquently, a great way to preserve a dying art, an contribute to enhancing our culture.

After a short overture, aKing started the proceedings in rocking style with two of their popular radio hits. It was a good start, though the next singer ChianoSky, didn't continue the momentum. Her dance hits for well with the orchestration, but her squeaky voice just irritated me.

A noticably slimmer Zolani Mahola (of Freshlyground fame) was the best performer of the first half, getting great applause and support from the crowd, and there was even dancing in the stands! Freshlyground's music lends itself to orchestration, and I think it would be great if they released a full album backed by an orchestra!

Van Coke Cartel's Afrikaans metal worked with the orchestra, although at times the electric guitar riffs did overpower the orchestra. They kept the energy going, into the next act, Toya Delazy, whose dance pop hits were more well suited for the orchestra.

Ed Matthews confessed to being a "soppy rocker", and belted out two of his solo love ballads followed by the classic "What he means", which seemed to get the whole audience singing. Tumi & The Volume closed the first half, though I found his voice to be overpowered by the instruments.

The second half started with a medley of theme songs from James Bond franchise (cleverly following a Heineken ad featuring Daniel Craig); which got a rousing applause from the audience. Andy Mac, the organizer behind Symphonic Rocks was next with his band Macstanley. Andy makes a good MC (better than the actual MC) and did a good job in introducing everyone on the stage (and the credit for being the head honcho). I haven't really been a fan of Macstanley (or Flat Stanley in their previous incarnation) and they were certainly blown away by the acts that followed.

Fokofpolisiekar should make a symphonic Afrikaans metal album. More than anyone else in the show, their ballads were perfectly pitched with the orchestra and was a truly amazing result. Their standard, "Hemel op die Plateland"was amazing with the symphony and got everyone headbanging.

Multi SAMA winner Zahara was next, and the success of the show was evident in how all the headbangers just switched to jiving along. She has an amazing voice, and it was a great to see her perform live.

Mi Casa played an interesting set, where there didn't seem to be any break between the songs (as would be expected from a electro-dance group). The trumpet playing of Mo-T was impressive, and fitted well into the arrangements.

Ed Rowland, the lead singer of Collective Soul was the last performer. I have seen Collective Soul before, but I am not really acquainted with their music. It was a great performance and a fitting end to the show.

As a final comment, perhaps future shows should consider reducing the number of artists in favor of giving them longer sets. And move the show closer!