29 August 2012

World of Warcraft: Does the Internet have controllable Borders?

World of Warcraft is an online game played by millions of players around the globe since Blizzard launched it in 2004. All you need is a computer, an internet connection and a subscription, and you can play in a fantasy virtual world alongside hundreds of other players at the same time. The game is fun and highly social, but very addictive, with typical players logging hundreds of hours of play over a span of years. Players regard their online accounts and characters as very 'precious' because of the hours spent building character skills and abilities and acquiring in-game items.
Last week (22nd Aug 2012) Iranian players started to complain on a Blizzard forum that they couldn't access the World of Warcraft servers unless they went through a proxy server outside their country. After many more complaints from Iranian players, and several days had passed, Blizzard explained it had had to block all Iranian World of Warcraft players due to US economic sanctions against the country.

What we can tell you is that United States trade restrictions and economic sanction laws prohibit Blizzard from doing business with residents of certain nations, including Iran. Several of you have seen and cited the text in the Terms of Use which relates to these government-imposed sanctions. This week, Blizzard tightened up its procedures to ensure compliance with these laws, and players connecting from the affected nations are restricted from access to Blizzard games and services. - Blizzard

Another report claims the Iranian government may itself have had Warcraft blocked due to its promotion of "superstition and mythology"; either way, a lot of Iranian players were peeved.

What does this ban tell us?
Attempting to impose physical-world rules on the Internet, which is a virtual world, is an imposition that is always doomed to failure. Iranian World of Warcraft gamers are still playing today despite this ban: the first player to complain on the forum circumvented the bar on Iranian access to the game servers simply by connecting through an Internet proxy server outside the country.
In the world of information security we operate increasingly in the virtual rather than the physical, all the more so as outsourcing to the cloud comes to the fore. You may have your server surrounded by waves of attack dogs and buried under 50 feet of steel-reinforced concrete in a bunker, but interconnectivity brings the server and its data into the virtual world, where different thinking about threats and different countermeasures are required.
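As an added illustration of why the proxy workaround succeeds (this is example code written for this page, not from the original post and not how Blizzard actually implements its block, which the post does not describe): a country-based block can only key off an address the server observes, either the TCP peer address or a client-supplied header such as X-Forwarded-For. The CIDR ranges below are constructed from RFC 5737 documentation blocks and stand in for a sanctioned country and a proxy elsewhere; the admit() and scenarios() functions and the trust_forwarded_for option are hypothetical.

```python
"""Country-based IP blocking, and why a proxy outside the country defeats it.

Added example; not the original post's code and not Blizzard's. The address
ranges are constructed from RFC 5737 documentation blocks, not real
allocations for any country.
"""
import ipaddress

# Constructed: pretend these two documentation ranges are the allocation
# of a sanctioned country.  A real deployment would load a GeoIP database.
SANCTIONED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2
]


def is_sanctioned(ip: str) -> bool:
    """True if ip falls inside one of the blocked ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SANCTIONED_RANGES)


def admit(peer_ip: str, headers: dict, trust_forwarded_for: bool = False):
    """Decide whether to admit a connection (hypothetical server-side check).

    peer_ip             - source address of the TCP connection as the server sees it
    headers             - application-layer headers sent by the client
    trust_forwarded_for - if True, take the first hop of X-Forwarded-For as the
                          real client address instead of peer_ip
    Returns (admitted, address_actually_checked).
    """
    checked = peer_ip
    if trust_forwarded_for and "X-Forwarded-For" in headers:
        checked = headers["X-Forwarded-For"].split(",")[0].strip()
    return (not is_sanctioned(checked), checked)


def scenarios() -> dict:
    """Four constructed connections showing how the check is evaded either way."""
    home = "203.0.113.7"   # constructed: player inside the sanctioned country
    proxy = "192.0.2.10"   # constructed: proxy outside it (TEST-NET-1)
    return {
        # 1. Direct connection: the block works.
        "direct": admit(home, {}),
        # 2. Via a proxy that hides the origin: the server only ever sees the proxy.
        "via_proxy": admit(proxy, {}),
        # 3. Honest proxy appends X-Forwarded-For and the server trusts it:
        #    the block works again...
        "honest_proxy_trusted": admit(proxy, {"X-Forwarded-For": home}, True),
        # 4. ...but the same trust lets a direct client forge the header and walk in.
        "forged_header_trusted": admit(home, {"X-Forwarded-For": proxy}, True),
    }


if __name__ == "__main__":
    for name, (ok, addr) in scenarios().items():
        print(f"{name:24s} checked {addr:15s} -> {'admitted' if ok else 'blocked'}")
```

Scenario 2 is the Iranian players' workaround described in the post. Scenarios 3 and 4 show that the obvious fix, reading the client's address out of a forwarded-for header, just moves the decision onto data the client controls. Either way the control keys off routing information, not the player's physical location.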

23 August 2012

RSA Conference Europe 2012 Keynote Line-up

The Premier League champions of information security conferences, RSA Conference Europe 2012, is a little under two months away. The keynote line-up has been confirmed and it is looking finger-licking good, with an Advanced Persistent Threat (APT) flavour to it.
  • Jimmy Donal Wales, Founder of Wikipedia
  • Art Coviello (RSA) Intelligence-Driven Security: The New Model
  • Francis deSouza (Symantec) The Art of Cyber War: Know Thy Enemy, Know Thyself
  • Adrienne Hall (Microsoft) Risks and Rewards in Cloud Adoption
  • Herbert 'Hugh' Thompson Securing the Human: Our Industry’s Greatest Challenge
  • Philippe Courtot (Qualys) Big Data: Big Threat or Big Opportunity for Security?
  • Bruce Schneier (BT) Trust, Security, and Society
  • Joshua Corman "Are We Getting Better?" Why We Don't Know. What We Can Do About It.
  • Misha Glenny The Struggle for Control of the Internet
I always recommend information security professionals, whether new to the profession or industry veterans, attend the #RSA conference. Unlike the majority of security conferences it is not sales focused but educationally focused, so the conference is crammed with sessions presented by the best speakers, which instil new security thinking and knowledge. The RSA conference is not just a fantastic educational opportunity; its friendly atmosphere provides the ideal platform to network with peers and world experts, so you can really find out what's happening behind the scenes in the industry, which can be a real eye opener.

Me at RSA Conference Europe 2008

I have presented at and attended RSA Conference Europe for many years and plan to be there this year. If you are attending and want to talk security over a beer or two, and meet a few of the individuals on the above list, just tweet me @securityexpert during the conference week (9th to 11th October 2012).

22 August 2012

Security is a Contraceptive, but Ribbed!

During a recent conference presentation, I heard a speaker proclaim 'IT Security is a Contraceptive, it does nothing to improve performance', much to the amusement of the audience.

I completely disagree with that statement and regard it as an uninformed viewpoint held by those who generally do IT and IT security poorly; in my experience I have seen how good IT security practices can have many positive effects on business performance.
Consider one leg of the information security trinity (the CIA triad), availability. Availability is business availability, and so is tied directly to business performance. When it comes to availability, security measures are very much part of the performance equation: the threat of malware and denial of service attacks should be assessed alongside the threat of power outages and hardware failure. For example, a business-critical web service that has not been built with the capacity to withstand a denial of service attack can cause business performance problems far worse than any random hardware failure or freak weather incident.

I have witnessed on countless occasions business IT departments reluctantly introduce 'Change Control' over critical IT infrastructure to meet information security regulation. Every time this resulted in a major step towards stabilising the IT infrastructure; previously the business had simply accepted it as normal for IT infrastructure to be as unreliable as British trains. This stabilisation led to improved overall business performance, efficiency gains and ultimately more profit.

The final performance benefit is all but invisible, very hard to measure and near impossible to demonstrate to board members: the avoidance of data breaches. A data breach can have a serious negative impact on business performance, with breach investigations and remediation actions hitting hard on human resources across the business, especially within management. Breaches hit the margins too, incurring many short-term costs that hurt budgets and projects: large fines, a drop in share price, contract cancellations and contract penalties, and the loss of new business through reputational damage.

So IT Security may well be a Contraceptive, but remember it is ribbed to increase performance.

17 August 2012

The Hotel with Assumed Security

It is fair to say most people will automatically place a certain amount of trust in a hotel they have never visited before, especially one with a decent star rating. Sure, you might read a few reviews on the internet about the quality of the service and the standard of the facilities, but you would hardly have the hotel complete a customised security questionnaire before you booked. The security a hotel has is rarely considered by guests; instead most blindly trust that the hotel provides adequate security to protect their possessions, and themselves. Yet assuming that someone else's values are the same as yours is dangerous complacency. Think about how a hotel's physical security measures up to your home security, and then consider the additional threats a hotel stay brings compared to your home.

This week I checked into a Best Western hotel in the North East of England. The receptionist duly handed me a room key and I went up to my designated room on the third floor, opened the door and saw someone else's stuff scattered across the room. It then dawned on me that I had misheard my room number due to the receptionist's thick local accent, so I shut the door and used the same room key to open the correct door just down the corridor. But how come my room key opened another person's hotel room door?

I inspected the key and my room's door lock; you didn't have to be a master locksmith to see they were very poor and outdated (see pics). So I called the hotel management, who initially had their doubts, that is until I used my room key to instantly open half a dozen other hotel room doors, including rooms on different floors of the hotel.
My Room Key

Could I have been given a master key in error? I quickly dispelled that thought when I ran into a colleague who had just checked in: I grabbed his key and used it to open a bunch more hotel room doors!

I'm a 'White Hat' kind of person, so as well as informing the hotel's local management, I informed the management of the hotel chain about this serious security issue. Just imagine what a bad guy could have stolen had he figured it out. Certainly very concerning for ladies staying alone at such a hotel.

The lesson here is that implicitly trusting third parties and making security assumptions about them is a dangerous game to play. The reason a hotel doesn't match up to your home security is that the hotel does not share your values. In business the same applies to the third parties you trust to process and store your data. The problem with these hotel room locks will have been there for years; the hotel staff and management may well have known about it, or at least understood the locks were substandard and needed replacing, yet they did nothing to resolve it, because it is not their possessions and persons at risk.


Video: Opening my Hotel Room Door with another Room key

Footnote
I have written to both the local hotel manager and the hotel chain director about this issue; both have acknowledged it and stated they urgently intend to resolve it. However, at the time of this posting the door locks have not been replaced.

13 August 2012

Olympic Games Security has lessons for Airport Security

The London 2012 Olympic Games were a tremendous success. I know I thoroughly enjoyed the games, and as a Brit I was extremely impressed, moved and inspired by the performances of Team GB and by how well the games were organised.

Not being jingoistic, but what a fantastic Olympic Games

I was fortunate enough to attend a few London 2012 events, and I can report from the spectator's point of view that the security checks were pretty much on a par with what you would expect passing through airport security, except that the staff asking you to remove belts and place loose change into clear plastic bags before being walked through metal detectors and searched were far, far friendlier and more civil.

Thorough Security with Tiny Queues & Friendly Service

Such was the organisation and capacity of the security checkpoints that I witnessed no queues, despite tens of thousands of fans passing through at a similar time. There are definitely lessons here for airport security. Why is it that paying passengers at airports are treated like prisoners by security staff and security processes? The Olympic security checks prove it doesn't have to be, and shouldn't be, that way.

Plan B!

09 August 2012

Cyber-warfare rumbles on with Gauss

Hot on the heels of Stuxnet, Duqu and Flame comes another highly sophisticated "nation state" sponsored malware, dubbed "Gauss". Analysts at Kaspersky Lab reverse-engineering Gauss say it shares many elements of the same source code as the Stuxnet worm and Flame, and have therefore concluded it could only have been made by the same people; given this new malware's specific purpose, that underlines the link to another state-sponsored cyber attack within the Middle East.

I posted who was behind Flame in flame-culprit-fingered; no doubt it's the same folk behind Gauss.

At present Gauss is specifically targeting financial users in Lebanon, stealing web browser history, browser passwords and host system configuration details. However, the main purpose of Gauss appears to be stealing account credentials for specific Lebanese online banks, and for PayPal and Citibank, probably to monitor and collect details of financial transactions rather than to steal money like traditional criminally focused malware. Like Flame, Gauss is very stealthy in nature and has the ability to delete itself once it has completed its seemingly reconnaissance-only task.

For more info on Gauss visit http://www.kaspersky.com/Gauss_A_New_Complex_Cyber_Threat

08 August 2012

94.5% of Businesses Overlook Third Party Data Security

Egress, data security specialists with their very own email and data encryption software, surveyed businesses about data security and have provided the following snapshot of their survey results to share on this blog.
You need to Love yourself before you can Love Others
This survey echoes the same old information security issues: businesses do not fully grasp and value the confidential information which they process and store. This leads to a lack of expertise, capability and will to protect such data adequately within the business. It is not surprising, then, to learn that such businesses blindly trust the third parties with which they share their most important data to protect it sufficiently. They say you need to love yourself before you can love others; the same applies to information security and to assuring that third parties protect business data properly.

06 August 2012

Mars Curiosity Communication Security

Curiosity successfully landed on Mars today, an amazing feat of engineering. Many congratulations to all the engineers and scientists involved at NASA for what could prove to be one of the most groundbreaking space missions in human history.

Curiosity is the latest, biggest and most sophisticated NASA rover to make it to the red planet, and like its predecessors it is controlled from the Jet Propulsion Laboratory (JPL) in California. NASA JPL sends instructions to and receives data from the Curiosity rover either directly over X-band radio, or by relaying communications through one of the two spacecraft in orbit around Mars, the Mars Reconnaissance Orbiter and the Odyssey orbiter, over UHF using the rover's Electra-Lite radio. NASA JPL uses the Deep Space Network (DSN), a series of large antenna dishes around the Earth, to send and receive these communications, both directly with Curiosity and with the two spacecraft in Martian orbit.

The availability of communications with the Curiosity rover is critical to the £1.6 billion mission, hence the redundancy in the communication channels.
Curiosity on Mars; its wheels & shadow, & Mount Sharp
Data Rates
The data rate directly between Earth and Curiosity ranges from 500 bps to 32 kbps; remember the very early days of connecting to the Internet with a telephone modem? The data rate relayed via the Mars Reconnaissance Orbiter can be as high as 2 Mbps, basic broadband speed, while the rate to the Odyssey orbiter is between 128 kbps and 256 kbps, think ISDN for this one. On top of this there is considerable and changing latency (lag), given the distance between Earth and Mars, which are both in motion.

Encrypted Comms? Not likely
Well, I don't know whether the communications to the Curiosity rover are encrypted or not, and I'm trying to find out. But I very much doubt the communications would be encrypted, given that 'availability' of communication with the rover is much more critical than any risk from potential threats to the communications' confidentiality. Encrypting communications presents an increased risk to the rover's communications availability; should something go wrong with the rover comms, the encryption could be a mission killer. Threat-wise against confidentiality: firstly, nothing secret is being sent (so they tell us), and it's not as though hackers seeking to take control would have access to arrays of the largest communications antennas on Earth, nor is it likely other nation states with the capability would have any motive to disrupt the mission. So NASA would have got their risk assessment right if encryption wasn't used, in my view.

If any science boffins would like to shed more light on Curiosity's communications and their security, please post a comment; I would be interested to learn more.

05 August 2012

Implicit Trust of The Cloud & Third Parties

I find 'implicit trust' fascinating to observe, equally within business information security and within society. 'Implicit trust' can be defined as having no doubts or reservations, being unquestioning. For example, most people implicitly trust their doctor, just because the doctor wears a white coat, exudes authority and has 'Dr' in front of their name. No one ever asks the doctor to validate their medical credentials. Perhaps we should.
Implicit trust can be gained and lost. A decade ago most people implicitly trusted bankers; someone from the banking profession witnessing legal documents or countersigning passport applications was seen as a highly regarded and credible witness within society. Not so these days, and we all know why.

The police are another profession with very interesting polarisation to observe, implicitly trusted by some and implicitly distrusted by others.
Then there is the paradox of politicians: nearly everyone distrusts politicians, while at the same time trusting them to run the country.
In the world of information security, a business which implicitly trusts third parties with its information displays a hallmark of either complacency or a lack of the ability or expertise to properly vet and question them. Trust must not be granted implicitly but earned, based on prior vetting and a trusted relationship built through experience. Just because your cloud service provider wears the doctor's white coat of Amazon, Google or Microsoft does not mean it should be implicitly trusted with your business's information and critical IT services.