Competition Results - Computer Forensic Investigation
We have a winner and two honorable mentions
We have also published the results and the methodology of the winner.
Congratulations to the winner, and well done to all participants!
Please review the results of the competition here
Essential Management Semantics - Responsible vs Accountable
- Responsible and
- Accountable
If you do the same for "accountable" here is what you get: subject to the obligation to report, explain, or justify something; responsible; answerable.
iPhone Failed - Disaster Recovery Practical Insight
A lot of Disaster Recovery procedures are considered failed simply because they took longer than originally planned and documented. And a lot of these procedures take longer not because of poor equipment or incompetence. On the contrary, they take longer because the responsible people are focusing primarily on the effort to fix the problem. Here is a practical example:
On Tuesday my iPhone failed. And since its warranty is long gone, I decided to fix it myself. I finally got it fixed on Wednesday night.
In my zeal to repair it, I forgot the first rule of business continuity: recover functionality within an acceptable time frame. And for an iPhone, just like for any other mobile phone, the main functionality is TELEPHONY!!! I was unavailable for the most part of Tuesday and during parts of business hours on Wednesday.
In the end, the problem was solved, and my iPhone is working again. But then all the missed calls came raining down, and that kicked me back into reality and gave me a real perspective on what I needed to do: find a low-end replacement phone instead of meddling with low-level formatting, firmware flashing and DFU modes. That way, I would have been contactable, and under much less pressure to quickly fix my iPhone.
In perspective, the same behavior can be seen in many organizations during IT disaster recovery. Disaster recovery is organized and coordinated by IT people - mostly very capable engineers. And yet, a large number of Disaster Recovery actions are delayed by the effort of these good engineers focusing primarily on fixing the engineering problem - not fixing the business problem.
In a Disaster Recovery situation, the timer of recovery is known as the Recovery Time Objective (RTO). That is the time interval, starting from the moment of disaster, in which operations must be recovered to limited but essential functionality.
A good DR manager - regardless of his position and education - does his work with a stopwatch. The time he can allow the engineers to try to fix the problem does not have a formal name, so let's call it Fixing Time. It is the time difference between the RTO and the tested time required to activate the Disaster Recovery systems.
Once this Fixing Time passes, Disaster Recovery preparations must start. If the problem gets fixed before the DR system activation completes, all is well. If not, the DR systems are active and the RTO has still been met. Oh, and the engineers can relax from the urgency pressure and work on fixing the original problem for as long as it takes.
Back to my iPhone example - what was my timing? A phone RTO should be the recharge time - 2 hours. Getting a replacement phone is a walk to the store and buying the cheapest prepaid model, or borrowing a spare from a friend - 30 minutes. So I needed to keep my cool and try to fix the problem for only 1.5 hours before looking for an alternative. After that, I could have spent a week on the iPhone - no pressure to fix it fast.
Related posts
3 Rules to Prevent Backup Headaches
Business Continuity Analysis - Communication During Power Failure
Example Business Continuity Plan for Brick&Mortar Business
Business Continuity Plan for Blogs
Example Business Continuity Plan For Online Business
Talkback and comments are most welcome
Labels: business continuity, disaster recovery, information security
Cloud Computing - Premature murder of the datacenter
Last week Amazon announced its new cloud computing service - the Amazon Elastic Block Store (EBS). It's a remote storage service with an excellent storage/cost ratio, which is even advertised as a replacement for the large storage systems of the enterprise. Naturally, the ever controversy-seeking journalists hurried to declare the time of death of the enterprise data center, and included this view:
Though most businesses are quite comfortable in using external utility services for electricity, water, and Internet access — and we even use banks to hold and pool our money with others “off site” — we are still largely unready to move computing off-premises, no matter what the advantages
It is correct that certain elements are used as external utilities, but let's compare the services from a realistic point of view:
- Electricity as a service - because everyone is entirely dependent on electricity, the grid itself is designed to be resilient, have fast fail-over times, survive major catastrophic events at power plants or within the grid, and even re-route additional supplies from other countries if need be, at horrible costs, but it does work! Oh, and for the simple case of a grid glitch, we'll spend $500 on a UPS and another $5000 on a diesel generator and we're all set!
- Data storage as a service - for data storage services, information is needed here and now - exactly like electricity. If we are to outsource our cloud information storage to a provider, that may be well and good as long as it works. However, in the information security world there are three key concepts. Our cloud data storage must guarantee commensurate levels of:
- Confidentiality - in cloud computing, location is an ambiguous concept. So data will exist on different storage elements, at different physical locations, and will traverse millions of miles of physical networks not related to or in any way responsible to the customer, as long as it's there. Who will guarantee that confidentiality is maintained? Oh, and I forgot - you ACCESS the data via the Internet. Whenever a confidentiality breach does occur, it can always be blamed on your Internet connectivity and a breach of security at the access provider, not the storage service provider.
- Integrity - will probably be maintained, since there are very simple ways of doing comparison and keeping a small subset of control information with each set of data - as long as fragments don't get lost, in which case we have a problem of...
- Availability - in cloud computing information is everywhere, and gets collected and presented at the user's request. If for any reason this data cannot be reconstructed and verified, it is lost. And again, the access to the information is through the Internet - which is not a service with guaranteed availability, since it depends on an international mesh network controlled by a multitude of independent entities. Unless you spend top dollar on dedicated data links, nobody will sign a strong SLA for Internet access - it's impossible to achieve.
But why don't we have a local backup, just like the UPS? Of course we can, it's known as an enterprise data center!
While strides are being made in the right direction, cloud computing's current level of usability is restricted by the "best effort" concept of the entire network on all sides. So the users of cloud computing are the ones that find it acceptable to:
- have delays in access to information
- have some data lost and
- have information leakage that will not make a significant impact.
In the meantime, the enterprise data centers are still humming strong.
Related posts
Datacenter Physical Security Blueprint
3 Rules to Prevent Backup Headaches
Talkback and comments are most welcome
Fedora Servers Compromised
According to this announcement from yesterday, Fedora servers were compromised.
Here is the scary part of the announcement: "One of the compromised Fedora servers was a system used for signing Fedora packages." That particular server had very little to do with the Internet, and should have been properly isolated, even on a completely separate network from the Internet-accessible servers.
So, readers should be careful with downloading and installing the current Fedora distro and packages. I would wait for the next official release.
This event goes to show that large companies, regardless of industry, can make poor security choices. And because large companies with a high profile are a great publicity target, these poor choices are easily found by hackers.
Anyway, respect to Red Hat for the announcement. A lot of companies would simply sweep such an event under the rug.
Related posts
Portrait of Hackers
Talkback and comments are most welcome
Competition Results - Computer Forensic Investigation
The Computer Forensic Investigation Competition is closed, and here are the results.
What was there to be found:
- Tshark sniffer - part of the Wireshark suite - in /moodle/enrol/paypal/db
- NetCat tool for backdoor creation - renamed as MyTool.exe - in /moodle/auth/ldap
- An MP3 of Sergio Mendes & Brasil 66 - Mas Que Nada, renamed as an HTML document - in /moodle/auth/imap
- A TrueCrypt rescue disk ISO renamed as MyDoc.doc in /moodle/lib/geoip/Documents/
- OSSTMM Penetration Testing Methodology with penetration details in the deleted file osstmm.en.2.1.pdf in /moodle/enrol
Finding the above was sufficient to win the competition. Alternatively, instead of the OSSTMM you could find the two items below:
- A decoy Metasploit developer's guide PDF in /moodle/lib/geoip/Documents - actually, that document has nothing to do with direct hacking unless you also discover the remnants of a deleted Metasploit framework in /moodle/lib/geoip/Documents
Who did the investigation (in chronological order of reporting the findings, earliest first):
- Lawrence Woodman - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
- Tareq Saade - Found 4 incriminating pieces of evidence. Missed the real penetration tutorial and focused on the dummy - Metasploit.
- Bobby Bradshaw - Found 3 incriminating pieces of evidence. Missed both the real and the dummy penetration testing documents (Metasploit and OSSTMM) and missed the TrueCrypt Recovery CD ISO
- Daniele Murrau - Found all incriminating evidence. The toolset used was Autopsy as part of the Helix distribution
- Lesky D.S. Anatias - Found all incriminating evidence. The toolset used was PyFlag and Sleuthkit
Other participants did not qualify for final review because they did not send details of their methodology or findings (no particular order):
- Phil (no last name) - reported finding 2 pieces of evidence, but did not send the methodology used or details of the findings
- snizzsnuzzlr (obvious nickname) - reported finding 5 pieces of evidence, but did not send the methodology used or details of the findings
- Fender Bender (obvious nickname) - reported finding 3 pieces of evidence, but did not send the methodology used or details of the findings
- Sniffer (obvious nickname) - reported finding 2 pieces of evidence, but did not send the methodology used or details of the findings
And the winner is - Daniele Murrau
Here are his conclusions and methodology as a downloadable PDF.
We are also naming two honorary mentions:
- For speed - Lawrence Woodman, who produced a nearly full analysis in a tremendously short time, but most probably missed the OSSTMM and the Metasploit remnants because he was in a hurry
- For thoroughness - Lesky D.S. Anatias, who discovered ALL evidence, including the Metasploit remnants
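Several of the planted items were ordinary files renamed to an innocent extension (an MP3 as an HTML document, a TrueCrypt ISO as MyDoc.doc). As an added example, not part of the competition or the winner's write-up, here is a small extension-versus-signature check of the kind a forensic tool runs over a disk image; the directory tree it scans is constructed in a temporary folder to imitate the competition's layout.

```python
"""Flag files whose magic bytes disagree with their extension (added example)."""
import os
import tempfile

# Real signatures: (offset, bytes, type). ID3-tagged MP3, PDF, PE executable,
# OLE2 container (.doc), and ISO 9660 ("CD001" right after the descriptor
# type byte at sector 16, i.e. offset 0x8001).
SIGNATURES = [
    (0, b"ID3", "mp3"),
    (0, b"%PDF", "pdf"),
    (0, b"MZ", "exe"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),
    (0x8001, b"CD001", "iso"),
]
HEAD_LEN = 0x8001 + 5  # enough bytes to evaluate every signature above

# Signature types that are legitimate for an extension. Text extensions get an
# empty set: any binary signature on an .html file is suspicious. Extensions
# not listed here are treated the same way (any known signature is reported).
EXPECTED = {
    ".mp3": {"mp3"}, ".pdf": {"pdf"}, ".exe": {"exe"},
    ".doc": {"doc"}, ".iso": {"iso"}, ".html": set(), ".htm": set(),
}


def detect_type(data: bytes):
    """Return the signature name matching `data`, or None if nothing matches."""
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def find_mismatches(root: str):
    """Walk `root`; return sorted (relative path, extension, detected type)
    tuples for files whose content signature is not expected for their name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_LEN)
            ext = os.path.splitext(fname)[1].lower()
            found = detect_type(head)
            if found is not None and found not in EXPECTED.get(ext, set()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, ext, found))
    return sorted(hits)


def build_sample_tree():
    """Construct a throwaway directory imitating the competition image.
    The file contents are synthetic; only the leading bytes matter."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    put("moodle/auth/imap/index.html", b"ID3\x03\x00" + b"\x00" * 64)         # MP3 as html
    put("moodle/lib/geoip/Documents/MyDoc.doc", b"\x00" * 0x8001 + b"CD001")  # ISO as doc
    put("moodle/auth/ldap/MyTool.exe", b"MZ\x90\x00" + b"\x00" * 32)          # PE, ext fits
    put("moodle/enrol/README.html", b"<html><body>ok</body></html>")          # genuine html
    return root


if __name__ == "__main__":
    for rel, ext, found in find_mismatches(build_sample_tree()):
        print(f"{rel}: extension {ext} but content looks like {found}")
```

A signature check does not catch NetCat renamed to MyTool.exe, since the extension still fits the content; that one needs a hash comparison against a known-tool list, which the winner's Autopsy-based workflow covers.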
Competition - Computer Forensic Investigation
Tutorial - Computer Forensics Evidence Collection
Tutorial - Computer Forensics Process for Beginners
Talkback and comments are most welcome
No Privacy - Saw You Cheating on Image Search
What is the next big privacy issue? Image search. But not the current image search, which actually searches through file names and metadata, but actual pattern-matching image search.
The issue of pattern matching between images regardless of perspective and color has been an academic topic for a long time, and has found application in OCR systems, fingerprint identification and some high-cost expert systems. For the enthusiasts, here is a good article on the math behind image search: Bayesian geometric hashing and pose clustering.
While the technology has been in research for more than 20 years, the current trend is turning towards image and video search, not for academic reasons but for profit. Paul Murphy did a critique on the current state of search and the golden opportunities.
Yes, matching an uploaded image to a database of images and videos and returning similar items is a very valuable and profitable technology - just imagine the amount of commercials that can be targeted in such a way!
So it is safe to say that with the current advances in processing power, storage and network bandwidth, image search will happen, quite fast. It will probably deliver a lot of benefits apart from profits for the search engines, such as:
- Pattern matching for obscure symbols or painting styles across many publications and museums
- Searching for your lost brother on the Internet by uploading his child image
- Even in kidnapping cases, for searching across the vast data sets of video surveillance in hotels, train and bus stations, airports, etc.
- Jealous girlfriend/boyfriend may use the search to sift through MySpace and YouTube videos of parties looking for possible indiscretions of the partner
- Sexual deviants may use the online video and image archives to search for their preferred type of targets
- Criminals will be able to look for a multitude of photos and blueprints of a possible target (a local bank building) by having only several photos and a sketched schematic of the publicly accessible part of the building
- Identity theft attackers could find the actual persons the target works with or is familiar with, to prepare a better attack
So just be prepared to tell the truth to your wife when you come home from work, because soon she'll be able to Google you at the local bar with friends instead of at a late night at the office.
Related posts
Internet Social Engineering - Avoid Con Tricks
8 Tips for Securing from the Security expert
Risk of losing backup media - real example
8 Steps to Better Securing Your Job Application
Talkback and comments are most welcome
When Will Your Mobile Phone get Hacked?
With price reductions and improvements in technology, mobile devices are the next big communication platform. But they are also the next big hacker target.
The history
Starting with WinCE, Linux and Symbian, the trend of "computer-like" mobile phones had just started. Yes, these platforms had their flaws and security problems. But at the time of their appearance there were two mitigating factors against an all-out attack or exploit:
- The devices had only voice and very low-speed data capabilities at high prices - very few people used their devices as more than an electronic address book, and surfing the web was out of the question given their technical capabilities and data transfer prices
- The devices' high price prevented most people from owning them - again, this reduced the attack deployment and spreading capability, so an attack vector on them was easily quenched.
The present
Enter the iPhone, or as many users called it, the "Jesus Phone". Suddenly, everyone wants one, and Apple has happily sold more than 10 million units worldwide.
Oh, and Steve Jobs' business idea of locking the iPhone helped to develop a very powerful user and hacker community; suddenly, information on exploitation techniques was shared between enthusiasts.
To fight on the market, everyone and their mother produced an iPhone killer - both in interface and in functionality.
With hot spots and unlimited data plans all over the place, people are using these devices to read their e-mail, surf the web, even download and upload files.
Does anybody see a resemblance to a laptop?
The future
Enter Android - smart phones will become cheaper! The open platform concept ditches the "Security by obscurity" element, so now a lot of people will have a look into the vulnerabilities of smart phones.
In the war for customers, the providers will offer more and more hot spots and cheaper data plans.
At the moment, I'm turning off my iPhone wireless, since it cannot reach a hot spot. In a year, probably my data plan will be such that I don't care whether I'm online or offline. So I'll be online! And there will be millions of users like me, and all of them can become potential targets for hacker attacks.
The effort to solution
One should expect security to become a great part of platform development. Android security is already lacking and they are trying to fix it.
But it's not only Android that should be treated this way. Windows Mobile, Symbian, Darwin... ALL should treat terminal (mobile device) security as a crucial part of platform development.
This goes for the manufacturers that will be using these platforms to create their handsets - at the end of the day, nobody will say that Android was hacked; instead, Nokia, Motorola or HTC will be hacked.
And so far this element of security has often been forgotten or ignored by the manufacturers.
So, in summary, I'm expecting your mobile phone to be hacked in the next year. I'll revisit the topic then, to lament on the past.
Talkback and comments are most welcome
Where is that XP Install CD?
Today, Christopher Dawson has a post at ZDNet titled Don’t downgrade me to XP!. His take on the Vista subject is that we should bite the bullet and go with Vista, since XP is already 7 years old, so installing it on new equipment and running it for 4 years will bring it to an age of 11 years - way too much in an industry where anything older than 4 years is ancient!
But turning back to reality, let's analyze who might benefit from using Vista instead of XP.
First the proposed benefits. Apparently, Vista has:
- better security
- better application support
- is more modern and far easier to use.
And here is the reality:
- Vista and XP are on par on security, the only remaining benefit being that XP support is ending.
- Application support in Vista is lacking, and a lot of drivers were funky even 1 year after Vista was released
- The interface, although modern, is a huge resource hog, and hampers a lot of users
So, who will benefit from Vista?
- Not the corporate users - corporations are riddled with legacy applications, have very stringent procedures for upgrades and are generally very careful when adopting anything. In such an environment, implementing Vista will require:
- additional training for the users
- significant testing to verify that all corporate applications are working
- a big chunk of change to bring all existing hardware up to Vista hardware requirements
- Not the power users - power users have specific applications they use, and they expect that the apps run as fast and as smoothly as possible. Installing Vista will very probably:
- reduce performance of their application
- possibly hamper operation of their application
- make them re-learn part of their computer use - which takes time that they can use much more productively
- Not the gamers - unless insisting on DirectX 10, XP still delivers a better performance bang for the same buck of hardware, which is very important for gamers, since they are on the road of draining every last frame per second from their hardware. Some of the older readers will remember installing special memory managers to take maximum advantage of ALL computer resources. Users like this DON'T WANT a resource hog like Vista.
In summary, although XP is 7 years old, Vista hasn't delivered any significant improvements which would justify its use. XP still delivers much better productivity.
So the only ones that will take up Vista are the ones that really don't mind productivity changes:
- Newbies - anyone just starting out in computing, so they don't have any specifications and expectations to meet, nor are particularly oriented towards any specific application.
- Testers - the people that must have it, in order to prove that their product works with Vista
- Technology enthusiasts - the people that want and need to have the latest and greatest product, whether to learn it or to show off.
- Low power computer users - any users that use most basic computer functions like word processing, simple spreadsheets, e-mail and calendar and web surfing.
The above list translates to home users, Quality Assurance and parts of R&D departments. Sorry Christopher, but even after 7 years of use, XP still looks much better than Vista.
Reality check: We WILL Move to Vista once XP support has ended and the next major flaw is found. But, in the meantime, I just got a new laptop...Where the hell is my XP Install CD?
Talkback and comments are most welcome
Is the Phone Working? - Alternative Telephony SLA
Telephony costs are one of the main targets of cost cutting in many large companies. In this effort, companies are turning to alternative voice providers, who offer much cheaper calls and more flexible services. But these new operators are using new technologies and are relatively new on the market, so the buyer should approach the alternative telephony service with care and apply a proper Service Level Agreement.
What are we used to?
In traditional telephony, voice reliability is taken for granted, and all equipment is designed to offer very high availability. Also, capacity is not an issue, since each incoming circuit to a switch is dedicated, and the switching capacity of the Telco switch is calculated via well-known formulae (Erlang models) to provide switching of all initiated calls.
PSTN availability was measured at 99.99% (a maximum of 4 minutes of outage per month, or a total of 52 minutes of outage per year!) in 1993, and that number is closing in on 99.994%. Compared to this, classical IP data services are struggling to pass the "two point five nines" (99.5%), which is equivalent to 3.6 hours of outage per month or nearly 2 days per year.
For all medium to large businesses (especially those operating a retail business) telephony is a "default" service, one that must ALWAYS work, one that is really taken for granted.
The potential challenges with an alternative voice provider
When a company decides to use the services of an alternative telephony provider, several issues may appear. The alternative telephony provider may bypass the ILEC (Incumbent Local Exchange Carrier) to minimize costs, and quite often they arrive at your premises via a data link that attaches to the company's PBX. Once we walk into the realm of data transfer, things get much different:
- The data link is terminated on lower-reliability active equipment (usually a router or L3 switch) - to minimize costs, this device will not be of too high a class, and its hardware reliability will be around 98-99%
- The data link can be prone to faults on the physical level - alternative telephony operators are not too big on infrastructure protection and want fast deployment, so it can happen that the operator's cable is strung on power lines, placed in central heating ducts under the city, or in extreme examples even illegally dug in in soft-ground areas (parks, recreation tracks, green patches) where it is unmarked and easily falls victim to any other construction or renovation activity.
- Data links are by default based on best effort technologies - so IP data packet drops, retransmissions and delays can occur.
All this translates to a whole new ballgame in terms of controlling the services offered by your alternative voice service provider.
Establishing proper criteria for service quality
So in order to properly manage the alternative voice services, one must define what criteria should be measured:
- Keep the good old data SLA - this is to control the overall data link quality, which is the easiest to measure
- Establish measurement of established, failed and dropped calls - via the router infrastructure connecting you to the alternative telephony provider. This measurement will be enabled through vendor-specific router functions, most often through syslog event analysis.
- Define the guaranteed volume of simultaneous calls that the provider will deliver - measure the delivered volume of calls by comparing the values of established, failed and dropped calls from point 2.
- Define and apply penalties both on overall link quality (point 1), since it will affect all calls, and on the volume of realised calls (points 2 and 3), since they relate to the actual ability to use the service as contracted.
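Points 2 and 3 come down to counting call events from the router's syslog and checking them against the contracted ratios and the guaranteed number of simultaneous calls. The script below is an added example, not from the original post: the syslog line format and the cause codes are constructed for illustration (real gateways use vendor-specific messages, so the regex would be adapted), and the availability helper turns the percentages quoted above into allowed outage minutes.

```python
"""Check an alternative-telephony SLA from router call events (added example)."""
import re
from datetime import datetime

# Constructed sample syslog: timestamp, host, call id, event, optional cause.
SAMPLE_SYSLOG = """\
2008-08-18T09:00:01 gw1 CALL id=101 event=SETUP
2008-08-18T09:00:02 gw1 CALL id=101 event=CONNECT
2008-08-18T09:00:05 gw1 CALL id=102 event=SETUP
2008-08-18T09:00:06 gw1 CALL id=102 event=CONNECT
2008-08-18T09:00:10 gw1 CALL id=103 event=SETUP
2008-08-18T09:00:11 gw1 CALL id=103 event=FAIL cause=no_circuit
2008-08-18T09:01:00 gw1 CALL id=102 event=DISCONNECT cause=normal
2008-08-18T09:01:30 gw1 CALL id=101 event=DISCONNECT cause=media_timeout
2008-08-18T09:02:00 gw1 CALL id=104 event=SETUP
2008-08-18T09:02:01 gw1 CALL id=104 event=CONNECT
2008-08-18T09:02:40 gw1 CALL id=104 event=DISCONNECT cause=normal
"""

LINE_RE = re.compile(r"^(\S+) \S+ CALL id=(\d+) event=(\w+)(?: cause=(\w+))?$")
# Hypothetical cause codes that mean the provider dropped a call mid-conversation.
ABNORMAL_CAUSES = {"media_timeout", "rtp_loss", "gateway_reset"}


def parse_events(text):
    """Return (timestamp, call id, event, cause) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not call events are ignored
            ts, cid, ev, cause = m.groups()
            events.append((datetime.fromisoformat(ts), cid, ev, cause))
    return sorted(events)


def call_stats(events, guaranteed_concurrent):
    """Count established/failed/dropped calls, peak simultaneous calls, and
    capacity failures: a 'no_circuit' failure while fewer calls than the
    guaranteed volume were active is a breach of point 3."""
    established = failed = dropped = under_capacity_failures = 0
    active, peak = set(), 0
    for _ts, cid, ev, cause in events:
        if ev == "CONNECT":
            established += 1
            active.add(cid)
            peak = max(peak, len(active))
        elif ev == "FAIL":
            failed += 1
            if cause == "no_circuit" and len(active) < guaranteed_concurrent:
                under_capacity_failures += 1
        elif ev == "DISCONNECT":
            active.discard(cid)
            if cause in ABNORMAL_CAUSES:
                dropped += 1
    return {"established": established, "failed": failed, "dropped": dropped,
            "peak_concurrent": peak, "under_capacity_failures": under_capacity_failures}


def sla_breaches(stats, max_failed_ratio, max_dropped_ratio):
    """Name each contracted criterion the measured period violates."""
    breaches = []
    attempts = stats["established"] + stats["failed"]
    if attempts and stats["failed"] / attempts > max_failed_ratio:
        breaches.append("failed-call ratio")
    if stats["established"] and stats["dropped"] / stats["established"] > max_dropped_ratio:
        breaches.append("dropped-call ratio")
    if stats["under_capacity_failures"]:
        breaches.append("guaranteed volume")
    return breaches


def allowed_outage_minutes(availability_pct, period_hours):
    """Outage budget for an availability figure (99.99% over a year is about 52.6 min)."""
    return period_hours * 60 * (1 - availability_pct / 100)


if __name__ == "__main__":
    stats = call_stats(parse_events(SAMPLE_SYSLOG), guaranteed_concurrent=4)
    print(stats)
    print("breaches:", sla_breaches(stats, max_failed_ratio=0.02, max_dropped_ratio=0.01))
    print("monthly budget at 99.5%: %.1f min" % allowed_outage_minutes(99.5, 30 * 24))
```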
9 Things to watch out for in an SLA
5 SLA Nonsense Examples - Always Read the Fine Print
Talkback and comments are most welcome
System Management - When do the IT Admins Screw Up?
The main purpose of IT within a company is to provide IT services to the business. This means that the responsibility for availability, response time, and service quality rests mostly on the shoulders of IT admins.
In most cases IT personnel understand the burden they bear very well, and are extremely careful in their daily activities. But if certain processes and IT culture are not in place in an organization, system admins can cause disruptions.
Here are the conditions with real life examples under which an IT admin can screw up:
- Lack of Proper Testing and Contingency Planning 1 - A corrective update batch process was run on the CRM system. The admin started the process at 9 PM, expecting it to complete overnight, and left it without supervision. The process ran until 5 AM, when it failed and the database began a rollback. The rollback took another 8 hours, incapacitating the company's CRM until noon the following business day.
- Lack of Proper Testing and Contingency Planning 2 - During database maintenance, several large tables were moved directly to archive and recreated as empty ones manually. The system ran well for 5 days, after which each operation became very slow or could not be performed at all. A simple analysis concluded that during the archive and recreation process, the indexes were not recreated on the newly created tables, thus forcing the database to do a full table scan for every operation. Since the tables were empty at first, this did not become an immediate problem.
- Lack of Coordination and Communication - A clustered mail server exhibited errors in mailbox processing. Two administrators were called in to remedy the problem. The first administrator initiated a mailbox rebuild process. 10 minutes later, the second admin instructed the cluster to fail-over the mail server resources on the other server. The rebuild process crashed and corrupted the entire mailbox pool, which had to be restored from backup. All received emails after the backup were lost.
- Not following procedures - The corporate web server sent an alert of low disk space, so a system admin searched the disk for items to delete. He found a folder "Copy of wwwroot" and assumed that it was a copy of the web server root directory. He deleted the folder and all sub-folders, thus creating free space. 5 minutes later, the manager called to report that the corporate web site was down. Another admin had assisted web development in placing a new version of the portal the previous day, and they had placed it in "Copy of wwwroot". Luckily, the old version was still available, and a temporary version of the portal went up in 10 minutes.
- Direct training or testing on the live environment - A newly hired administrator was given access to administrative passwords. Since his new job would require him to administer routers, after work he decided to try some router commands. He chose to connect to a router whose IP address was commonly mentioned, logged on and started typing basic commands, specifically the 'show' command set. He also used the abbreviated version of 'show' - 'sh'. He got braver and entered an interface configuration, typed 'sh' again, and pressed enter. The router complied and did not return anything. What the admin didn't know was that at the interface level 'sh' means 'shutdown'. The Internet link of the company was down for 2 hours until a senior admin brought the interface back up.
Related Posts
8 Golden Rules of Change Management
Talkback and comments are most welcome
The call records theft - security of batch processing
Batch processing is most often overlooked during any security analysis. The main reason is that batch processing operates on millions upon millions of records at a time, and does that at a very fast rate. The second reason is that batch processing usually functions as a 'black box' with little input or intervention from the users, so it is easily forgotten by Security Officers.
But batch processing programs can contain very dangerous covert code which, if not investigated, would go unnoticed for years.
Example scenario
One of the largest classes of batch processing systems in the world is telecom billing systems. As an introduction, here is the generic billing process in a Telco environment:
- The call data is recorded by the Telco switches in specific records called Call Detail Records (CDRs). They can be sent online to billing, but in most cases, for speed and redundancy, they are simply saved in files.
- The CDR files are then transferred to a Mediation System.
- The Mediation System is a conversion program that knows how to read the file formats of each switch manufacturer and version (Nokia, Siemens, Ericsson, Nortel...) and to convert the information in each CDR into a consistent and unified record format for all calls in the network.
- The converted unified CDR records are written to the central billing database.
- The billing software reads through the CDR records in the billing database, identifies each originating phone number and its owner, and applies tariffs and discounts to the call.
Steps 3 and 5 are usually batch processing programs that run at least once a month, but are usually run every week or every fortnight, to distribute the overall processing into smaller chunks.
A programmer or engineer with malicious intent can insert a covert process into either the mediation or the billing process which can:
- Modify CDRs to reduce his or others' costs, or transfer costs to another owner
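The defensive counterpart to the mediation step is a reconciliation that the mediation code itself cannot influence: control totals taken on the raw CDR files before mediation and recomputed on the unified output, so that any record altered, dropped or shifted between subscribers shows up as a difference. The following is an added example, not from the original post; the raw switch layout and the "unified" record format are constructed for illustration, since real mediation reads vendor-specific binary formats.

```python
"""Reconcile a mediation batch against its raw CDR input (added example)."""
import hashlib
from collections import Counter

# Constructed raw CDRs from one switch: caller,callee,start,seconds
RAW_CDRS = """\
38970111222,38970333444,2008-08-01T10:00:00,120
38970111222,38970555666,2008-08-01T10:05:00,600
38970777888,38970111222,2008-08-01T11:00:00,45
38970999000,38970333444,2008-08-01T12:30:00,3000
"""


def parse_raw(text):
    """Read the constructed raw CDR layout into dicts."""
    recs = []
    for line in text.splitlines():
        caller, callee, start, secs = line.split(",")
        recs.append({"caller": caller, "callee": callee, "start": start, "seconds": int(secs)})
    return recs


def _record_key(r):
    return f"{r['caller']}|{r['callee']}|{r['start']}|{r['seconds']}".encode()


def control_totals(records):
    """Independent control totals: record count, total seconds, seconds per
    caller, and an order-independent digest over every record. The per-caller
    totals catch cost shifted between subscribers even when the grand total
    stays the same; the digest catches any edit at all."""
    per_caller = Counter()
    digests = []
    for r in records:
        per_caller[r["caller"]] += r["seconds"]
        digests.append(hashlib.sha256(_record_key(r)).hexdigest())
    return {
        "count": len(records),
        "seconds": sum(per_caller.values()),
        "per_caller": dict(per_caller),
        "digest": hashlib.sha256("".join(sorted(digests)).encode()).hexdigest(),
    }


def mediate(records):
    """Honest mediation: map the switch layout onto the unified record format."""
    return [{"a_number": r["caller"], "b_number": r["callee"],
             "start": r["start"], "duration_s": r["seconds"]} for r in records]


def unified_to_raw_view(unified):
    """Map unified records back to the raw field names so totals are comparable."""
    return [{"caller": u["a_number"], "callee": u["b_number"],
             "start": u["start"], "seconds": u["duration_s"]} for u in unified]


def reconcile(raw_records, unified_records):
    """Return a list of discrepancies; an empty list means the batch matches."""
    before = control_totals(raw_records)
    after = control_totals(unified_to_raw_view(unified_records))
    findings = []
    if before["count"] != after["count"]:
        findings.append(f"record count {before['count']} -> {after['count']}")
    if before["seconds"] != after["seconds"]:
        findings.append(f"total seconds {before['seconds']} -> {after['seconds']}")
    for caller, secs in sorted(before["per_caller"].items()):
        got = after["per_caller"].get(caller)
        if got != secs:
            findings.append(f"caller {caller} seconds {secs} -> {got}")
    if before["digest"] != after["digest"]:
        findings.append("record digest mismatch")
    return findings


if __name__ == "__main__":
    raw = parse_raw(RAW_CDRS)
    print("honest batch:", reconcile(raw, mediate(raw)))
    tampered = mediate(raw)
    tampered[1]["duration_s"] = 60  # simulated covert edit shortening one call
    print("tampered batch:", reconcile(raw, tampered))
```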