
Trust
A good proportion of Bruce Schneier’s writing revolves around the issue of trust. Both Secrets and Lies (~$13 from Amazon) and Beyond Fear (~$17 from Amazon) are well-written, thought-provoking books and recommended reading for anyone interested in the topic. They may be challenging reads in places but, with Bruce’s knack for simplifying complex issues for a lay audience, you don’t need to be an information security geek to comprehend and enjoy Schneier!
How far should an organization trust its employees to act in its best interests? The Times and the Washington Post covered the situation that led French bank Société Générale to lose at least $7 billion through an employee who (allegedly) exceeded his authority. Richard Bejtlich, writing in his TaoSecurity blog, provides a different perspective on the incident.
To the man in the street, a bank manager is the very epitome of trust. Who would even entertain the thought that the bank manager might be stealing your savings? Yet in one Australian bank this is exactly what happened. A Commonwealth Bank manager who, as a trusted insider, presumably had wide-ranging access to the bank’s systems routinely stayed behind at the branch to transfer funds illegally from client accounts to an account he used to fund an online gambling spree. He admitted stealing nearly Aus$19m (US$13m). Ironically, his name is Mr. Faithfull.
Hoax-Slayer Newsletter delivers a potted selection of news on email hoaxes and current Internet scams, computer security and anti-spam information, PC tips etc.
Site Advisor is a free browser extension from McAfee that automatically checks the websites you visit against its database and warns you about potentially unsafe sites. Similarly, another free browser extension (for Internet Exploder and Firefox) checks the websites you visit against its own database and flags potentially unsafe sites with a red button.
In this classic 1984 paper, Ken Thompson (one of the creators of UNIX) describes how a compiler can be written in the very language it compiles (a C compiler in C, say) and then used to compile itself. In the process, he demonstrates how straightforward it would be to plant a Trojan horse/trapdoor in the finished compiler binary that recognizes two programs: when it compiles the login program it inserts a trapdoor, and when it compiles the compiler’s own source it re-inserts both pieces of code. Once the binary is infected, the trapdoor survives every rebuild and is extremely difficult to identify, even by analyzing the compiler source code, because the source is clean. This risk is clearly important in “trusted” computer systems used for defense, but it represents a fundamental problem with all systems. Even writing your own compiler from scratch cannot guarantee to avoid the issue, since microcode within the CPU could potentially contain trapdoors. It’s enough to make you paranoid (paranoid? Who’s paranoid? Who says I’m paranoid??).
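The following toy model is an added illustration of Thompson’s argument; it is not code from the paper or from this newsletter. Sources are strings and “binaries” are small Python tuples, so the behaviour of a compiler binary can be separated from what its source says and two binaries can be compared for equality. The program names, the payload labels and the magic password are all constructed for the demonstration. The last function also shows the counter-measure a practitioner reaches for, David A. Wheeler’s diverse double-compiling (DDC) check, which rebuilds the compiler from source with an independent second compiler and compares the result.

```python
"""
Toy model of the attack in Thompson's "Reflections on Trusting Trust".

Sources are strings and "binaries" are small tuples, so two binaries can be
compared for equality the way a reproducible-build check compares output bytes.
The honest source of neither program mentions a trapdoor: the trapdoor lives
only in a compiler binary, and that binary re-inserts it every time the compiler
is rebuilt from the honest source.
"""

LOGIN_SRC = "login: accept if password == stored"        # honest login source
COMPILER_SRC = "compiler: translate source faithfully"   # honest compiler source
BACKDOOR_PASSWORD = "hypothetical-magic-password"        # constructed for the demo

# A compiler binary is ("compiler", frozenset_of_payloads); a login binary is
# ("login", magic_password_or_None). An honest build carries no payload.
CLEAN_COMPILER = ("compiler", frozenset())
TROJANED_COMPILER = ("compiler", frozenset({"trapdoor", "replicate"}))


def run_compiler(cc_bin, src):
    """Execute a compiler binary on a source string; return the output binary."""
    kind, payloads = cc_bin
    if kind != "compiler":
        raise TypeError("not a compiler binary")
    if src == LOGIN_SRC:
        # Payload 1: miscompile login so that it also accepts the magic password.
        magic = BACKDOOR_PASSWORD if "trapdoor" in payloads else None
        return ("login", magic)
    if src == COMPILER_SRC:
        # Payload 2: recognise the compiler's own source and copy both payloads
        # into the new compiler binary, although the source asks for neither.
        carried = payloads if "replicate" in payloads else frozenset()
        return ("compiler", carried)
    raise ValueError("unknown program: %r" % (src,))


def run_login(login_bin, password, stored):
    """Execute a login binary: is this password accepted for this account?"""
    kind, magic = login_bin
    if kind != "login":
        raise TypeError("not a login binary")
    return password == stored or (magic is not None and password == magic)


def rebuild_from_source(bootstrap, generations=3):
    """Rebuild the compiler from its honest source `generations` times over,
    starting from the given bootstrap binary."""
    cc = bootstrap
    for _ in range(generations):
        cc = run_compiler(cc, COMPILER_SRC)
    return cc


def login_has_trapdoor(cc_bin):
    """Compile login with the given compiler and try the magic password."""
    login = run_compiler(cc_bin, LOGIN_SRC)
    return run_login(login, BACKDOOR_PASSWORD, "correct horse battery staple")


def diverse_double_compile(suspect, trusted):
    """Wheeler's diverse double-compiling check.

    Build the compiler source with an independent trusted compiler, then use
    that result to build the same source again. If `suspect` is an honest
    build of that source, stage 2 must equal it; a difference means one of the
    two compilers is not compiling the source faithfully."""
    stage1 = run_compiler(trusted, COMPILER_SRC)
    stage2 = run_compiler(stage1, COMPILER_SRC)
    return stage2 == suspect


if __name__ == "__main__":
    rebuilt = rebuild_from_source(TROJANED_COMPILER)
    print("trojan survives 3 rebuilds from honest source:", rebuilt == TROJANED_COMPILER)
    print("login built by rebuilt compiler has trapdoor:", login_has_trapdoor(rebuilt))
    print("DDC with an independent clean compiler passes:",
          diverse_double_compile(rebuilt, CLEAN_COMPILER))
```

Note the limits of the check, which are the same ones the paragraph above points at: DDC only helps if the second compiler is genuinely independent of the first, and it says nothing about a trapdoor sitting below both of them in the CPU microcode.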
Security patching is a tough issue and has been implicated in several vulnerabilities and exploits. If you or your colleagues receive an email from Microsoft notifying you of the availability of a new security patch, how many will just click on the link and feel relieved as the “patch” is applied automatically? The Win32.Swen worm, for example, used a spoofed Microsoft security patch message to fool recipients into running the malicious code. Several earlier worms and viruses spread by email between individuals who know and, to some extent, trust each other, simply by harvesting entries from users’ email address books. There is even an issue with legitimate patches: do you trust your vendor’s ability not to deliver a patch that inadvertently damages your system or breaks your applications? Patching will be covered in a future NoticeBored issue, but this month it’s worth spreading the word that vendors do not send patches by email, but hackers do.
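The rule of thumb above (vendors publish patches on their own sites and do not mail them out) can be turned into a simple mail-screening check. The following is an added example written for this page, not the newsletter’s or any vendor’s code; it uses only the Python standard library. The vendor list, the file-extension list and the four sample messages are constructed for the demonstration and are not the text of Win32.Swen or of any real notice.

```python
"""
Screening rule for the fake "vendor security patch" e-mail lure described above,
written with the standard library only. The sample messages are constructed for
this demonstration; they are not the text of Win32.Swen or of any real notice.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Vendors that publish patches on their own sites and do not mail them out.
# Hypothetical list for illustration; maintain it for your own environment.
PATCH_VENDORS = {"microsoft.com", "adobe.com", "oracle.com"}
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs")
PATCH_WORDS = re.compile(r"\b(security\s+)?(patch|update|hotfix|bulletin)\b", re.I)


def sender_domain(msg):
    """Domain of the From address as the recipient sees it (trivially spoofed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def executable_attachments(msg):
    """File names of attachments that would run if double-clicked."""
    return [name for name in (part.get_filename() or "" for part in msg.iter_attachments())
            if name.lower().endswith(EXECUTABLE_EXTS)]


def off_vendor_links(msg, vendor):
    """Hosts linked from the body that are not the claimed vendor's own domain."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = [h.lower() for h in re.findall(r"https?://([^/\s\"'>]+)", text, re.I)]
    return sorted({h for h in hosts if h != vendor and not h.endswith("." + vendor)})


def screen_patch_mail(raw):
    """Return the reasons a message looks like a fake patch notice ([] if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    vendor = sender_domain(msg)
    claims_vendor = vendor in PATCH_VENDORS
    if not claims_vendor and PATCH_WORDS.search(msg.get("Subject", "")) is None:
        return []                      # not presented as a patch notice at all
    reasons = []
    execs = executable_attachments(msg)
    if execs:
        reasons.append("patch notice carries executable attachment(s): " + ", ".join(execs))
    if claims_vendor:
        links = off_vendor_links(msg, vendor)
        if links:
            reasons.append("claims %s but links to %s" % (vendor, ", ".join(links)))
    return reasons


def build_sample(from_addr, subject, body, attachment_name=None):
    """Construct a sample message as raw bytes (test data only)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "staff@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: two lures, one plausible genuine notice, one unrelated mail.
FAKE_ATTACHMENT = build_sample("Microsoft Security <security@microsoft.com>",
                               "Critical Security Patch",
                               "Install the attached patch immediately.", "patch.exe")
FAKE_LINK = build_sample("security@microsoft.com", "Security Update available",
                         "Download it here: http://update-microsoft.example.net/patch")
GENUINE_NOTICE = build_sample("security@microsoft.com", "Security Bulletin Summary",
                              "Details: https://www.microsoft.com/technet/security/")
UNRELATED = build_sample("alice@example.com", "Lunch?", "Pizza at one?")

if __name__ == "__main__":
    for name, raw in [("FAKE_ATTACHMENT", FAKE_ATTACHMENT), ("FAKE_LINK", FAKE_LINK),
                      ("GENUINE_NOTICE", GENUINE_NOTICE), ("UNRELATED", UNRELATED)]:
        print(name, "->", screen_patch_mail(raw) or "no flag")
```

The check deliberately does not try to authenticate the sender, since the From header is exactly what a worm forges; it flags the shape of the lure instead: a message dressed up as a patch notice that carries something executable, or that claims a vendor and then points somewhere other than that vendor’s own site. A genuine bulletin notification, which links to the vendor’s site and attaches nothing, passes.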
Related NoticeBored links collections
Phishing, identity theft and integrity.
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.