The Puchi Herald Reblog


Happy new insecure 2017: my resolutions and wishlist for new year

Here we are: a new year comes and we, as cyber security experts, will keep warning the world about the deeply insecure world we are living in.

And we will announce new technologies and new devastating scenarios related to those technologies. IoT and Cloud will show their evil faces while bad people lurk in the dark, waiting to attack the innocent lamb crossing the road.

But, in all of this, most of the damage will still be done by badly designed systems, by managers who do not understand what it means to live in a digital world, by politicians who understand cyber security issues only when they have something to gain, by entrepreneurs who still invest in security as a disturbing side effect.

If I can make a wish for the new year, it is to finally see a different approach to information security, an approach that takes into account that:

1) to be secure you need well designed systems first, and only then cover them with some security geek technologies. If the design is crap, all your security is crap no matter what you use on top.

2) there is no security if your devices are not designed with security in mind; good code and a good code lifecycle are the best insurance, so if you buy the cheapest then do not cry … it is your job to look for what you need, and so yes, it is your fault if something goes wrong.

3) that companies, managers and entrepreneurs finally understand that security is within the process, and not just a bunch of technologies put on top of something you do not have the slightest idea about: you can’t protect what you don’t understand.

4) that if people do not understand, then people will not follow even the most basic rules, so training is not optional but the very basic. And to be sure, the first who have to learn are the “CxO”, who should get off the throne and start learning about the world they crafted.

5) that if we keep thinking that IoT is wonderful but do not understand what IoT will bring in terms of cultural and technical problems, we will never understand what it means to put security on it.

6) that if you hire an expert and then you don’t listen to him or her, you are wasting his or her time and yours. So do not blame the messenger.

7) that if you think this complex field we call security can be covered by a junior who knows it all, you are probably wrong, unless the junior is a genius.

8) that if you, security expert, think your counterpart has the slightest idea what you are talking about, you are probably wrong, because you did not realize they do not understand what they do not know.

9) that all of this is part of the business, and therefore the business should take all this as one of its elements, and not just as a nasty, annoying add-on.

10) that next time someone talks about APT, they tell you the truth: the only way to stop an APT is to stop the attacker, otherwise… it would not be an APT.

I know, I know, I am a bit naive and still believe in fairy tales…

Happy, safe and secure 2017 to you all.

Happy new insecure 2017: my resolutions and wishlist for new year was originally published on The Puchi Herald Magazine

Industria 4.0. Rivoluzione culturale prima che tecnologica (Industry 4.0: a cultural revolution before a technological one)

We have by now become used to dealing with expressions made of a name and two numbers separated by a dot, the second of which is a zero: 2.0, 3.0, 4.0 and so on. Arranged in ascending order, the digits are meant to suggest an evolution, a transition to a more advanced (or updated) version of a given situation or a certain object.
Among the first to catch on, and among the best known even outside the circle of insiders, is certainly “web 2.0”. It is a fascinating phenomenon from the point of view of ideas, one that shaped culture and started many discussions about the future of our societies, but from a technological point of view it is essentially empty, devoid of content. What web 2.0 brought as an extraordinary novelty was the change in the approach to using the network: the shift from a system in which only a limited number of content providers produced and supplied content, to another mode that instead envisaged and encouraged the rise of an ever larger community of users, each of them able not only to produce but also to share, or put online, that content.
In a sense, Industry 4.0 is no different from the web 2.0 just mentioned: rather than a technological revolution (digital is certainly not a novelty of these very last years), we should speak of a new attitude, or a renewed approach, to the way industry and production are done. An attitude with strong ties to questions of role and procedure, which involves technical staff much less and key figures in the company, such as the chief financial officer or the chief executive officer, much more. People who, within the company ecosystem, outline strategies and make decisions, choosing one direction rather than another.

Working in a company that provides the backbone of Industry 4.0, that is, IT and the tools needed to connect, I am firmly convinced of how important it is for a company to have a plan. Any software implementation without a serious, structured idea behind it is absolutely useless, if not harmful.
This is why Industry 4.0 is first of all the need, or the ability, to define within the company, whatever it is and whatever its economic weight, a path towards a new way of managing resources. And here we mean the management and integration of all resources, from energy to production to IT and so on.
Industry 4.0 is a beautiful idea thanks to which all the objects and all the people that make up a business stop being isolated and become interconnected. And not merely as a physical or communication connection, but as a genuine matter of process. In this sense, interconnection means that all the objects “joined” together must be able to work together to deliver a result.
Obviously, in order to operate jointly and to guarantee a result, you need devices and tools (hardware and software) that work well: from connectors for links, to sensors for data monitoring, to big data analysis and data quality systems, up to IT security systems. These elements, however important, are not decisive for reaching a full result. What comes before the good functioning of the tools is the ability to integrate technology into processes, and these in turn into the company culture. In other words, it means that the business is prepared on how to make the best use (that is, in a way that is functional and strategic to the business’s own activity) of what the new technologies will be able to generate.
One example above all: the mass of data that interconnected objects produce remains unused or underused because of poor analysis capabilities.
Industry 4.0 is revolutionary in being a break from the established industrial model. And this applies as much to large groups, where every intervention has greater repercussions (just think of energy efficiency measures), as to SMEs.
In Italy in particular, it is important that small and medium-sized enterprises equip themselves with the cultural tools to understand where to intervene in order to become or remain competitive in a world landscape of strong change. This means knowing how to choose both the solution best suited to one’s needs and the system that best fits one’s strategic growth plans. And there is no shortage of offerings: proprietary platforms, cloud services, support from consultants, outsourcing. Every choice has advantages and disadvantages: what matters is that even in a small business there is someone with a broader, medium-to-long-term vision.
So what will this transition to Industry 4.0 be like? Probably slow, in small steps, both for the cultural reasons mentioned above and for more strictly economic reasons, considering the not insignificant costs of adapting production to the new standards.
Without doubt it will be inevitable, and the sooner we start thinking in a new way, the sooner we, as a country system, will regain competitiveness at the global level.

Industria 4.0. Rivoluzione culturale prima che tecnologica (Industry 4.0: a cultural revolution before a technological one) was originally published on The Puchi Herald Magazine

Are we using a double standard in IT security?

In the last years Cyber Security has risen as a major concern in every sector of our lives, from government to business and even at the private and personal level. But I am wondering if there is a sort of double standard when we judge facts related to cybersecurity.

Let’s make some examples:

We have all read the concerns arising from the rumoured new rules that China will impose on companies selling IT equipment in some sensitive sectors like finance; western experts have raised all sorts of questions, pointing out that this will damage western IT companies and claiming it is a protectionist move. So let us think a little bit about this. The new China rules are not clear right now; there are rumours that they will require vendors to release source code to the Chinese government, and likewise require back-doors in the equipment.
The claimed reason is that it is to protect key assets in China, because the government cannot trust vendors. The western answer is that this is pure speculation and a move to raise protectionist barriers against foreign IT competitors.
What is lacking in those analyses is that if those rules are as the rumours claim, they will have a negative impact on Chinese companies too.

In order to be able to sell their equipment abroad, Chinese IT companies will have to, literally, duplicate their product lines: one for China and one for the rest of the world. Different code bases will be mandatory to be able to sell their equipment outside the country, and they will find a competitive landscape even more hostile than the one we have now, dramatically raising costs.

At the same time it is interesting to note how in some western countries, take the USA as an example, the fact of being a Chinese company is enough to be banned from federal tenders just because the products “could” contain back-doors used by the Chinese government; companies like Huawei and ZTE are facing this sort of fate in the USA. No proof or facts have to be presented; the suspicion is enough. The Rogers committee voiced fears that the two companies were enabling Chinese state surveillance, although it acknowledged that it had obtained no real evidence that the firms had implanted their routers and other systems with surveillance devices. Nonetheless, it cited the failure of those companies to cooperate and urged US firms to avoid purchasing their products: “Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services. US network providers and systems developers are strongly encouraged to seek other vendors for their projects. Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”
I wonder why nobody raises the protectionist flag in this case; probably because the suspicions are credible?
So while upon mere suspicion of working for a government we are allowed to ban a company, in front of solid facts such as

  • the NSA espionage activities (see Edward Snowden’s revelations and Greenwald’s articles),
  • back-doors implanted by companies upon state request (think of the RSA BSAFE default crypto algorithm DUAL_EC_DRBG affair, or the old FBI Magic Lantern trojan not detected by Norton and other antivirus products),
  • back-doors implanted by the NSA by modifying the hardware/software of major IT vendors, intercepting the equipment before it reaches the customers (ANT programs), without the vendors’ agreement or knowledge; see also:

https://nex.sx/blog/2015-01-27-everything-we-know-of-nsa-and-five-eyes-malware.html

http://blog.thinkst.com/p/if-nsa-has-been-hacking-everything-how.html

we consider it normal and trust USA equipment.

Still wondering why the Chinese government does not trust western stuff for key areas?

Another interesting example of dual behavior when talking about cyber-security is the well-known recent Sony Pictures hack. No doubt has been raised in the media about the North Korean identity of the attackers, but few solid facts (actually none) have been presented to support it. On the other side, cyber-security experts have tried to raise some perplexity about this quick attribution. Sony has a long history of failed cyber security protections and successful hacks; I have written about this since the first PSN network problem, but at those times nobody was pointing so easily to a suspect. So why has the media identified the bad guys this time, while cyber-security experts still have concerns? Taia Global was probably the first company to raise public concerns about this too-quick attribution, followed by other serious sources, companies and researchers. If you read the news now, doubt about the North Korea attribution is widely accepted, but in the public opinion the guilt is clear.

We could continue with other examples: it’s common to find statistics showing that the major source of cyber attacks is China, while forgetting to mention what rate of attacks China itself faces, or the minimum explanation of why there could be so many sources to be used. Maybe if you visit China you would find out that mobile internet is so widespread that it would not be a surprise to imagine how easy it would be to install botnets here. Just walk on the street: you’ll see an incredible number of people walking and playing with their smartphones (there 4G connections are normal) and then using the computer at home. And where there are home users and bandwidth, there you have botnets.

We should probably abandon the dual standard and start considering cyber security as a worldwide, complex problem that needs neutral metrics to be correctly evaluated; otherwise we will base our decisions on prejudices and not on facts.

Are we using a double standard in IT security? was originally published on The Puchi Herald Magazine

After a few days in Shenzhen

OK, time to say something about my first days here in Shenzhen. I have spent a whole week here now and I have a better picture. I have to admit I like this place: people are kind and the work environment here at Huawei is great.

The hotel room is not the most luxurious (I’m at the Elite Garden Hotel) but the overall impression is really positive, clean and with good service; outside there are a lot of trees and it is a pleasure to walk around. Services like gym, swimming pool, areas to play basketball (not for me of course)… everything looks great.

Then the food: guys, if you have ever been used to an Italian company restaurant, this will amaze you for quality and price. Of course you have to like Chinese food, but believe me, it is great. From breakfast to dinner you have a great choice of good, affordable food.

And when you go to restaurants, or try the Chinese wine… it is a great experience, believe me.

As I said before, people are great, really kind, and try to make you feel comfortable. I’ve been lucky enough to find a great group to work with.

I will have more time to explore and learn about this incredibly wonderful country, but as of today I have to say that China is worth the flight!

back soon

Antonio

After a few days in Shenzhen was originally published on The Puchi Herald Magazine

Pavia Shenzhen

Cathedral of Pavia (photo credit: Wikipedia)

Day one, getting ready.

I’m going to Shenzhen; my first visit to China started with a tight schedule. Finally I got the visa this morning, as well as the flight ticket. I went to the Chinese consulate by train from Pavia (thanks Cucciolina for driving me to Pavia station) to collect my passport with the visa, then I used Uber for the first time to go to the airport. Good service, cheap, and you can pay with PayPal…
Now at Linate airport, check-in is still closed, but they warn us that because of a private airplane that has to be removed there could be delays and cancellations. A private plane… that reminds me of bad things. But it seems OK now, they just told us that the plane has been removed; maybe it is just the usual Italian bad parking attitude.
I miss my family when I travel, and wish I could share the experience with Cucciolina and Xiadani. OK, let me check if I can check in. See you later.

Pavia Shenzhen was originally published on The Puchi Herald Magazine

I have a New Job

Huawei Technology in Shenzhen, China (photo credit: Wikipedia)

It’s the truth, I signed for a new job.

I’m now EBG Cyber Security Expert for the Huawei Enterprise Business Group. Within the EBG Cyber Security and Information Security Department I will be responsible for building up the Cyber Security brand and reputation and winning the trust of the global market.

It has been an incredible start for an incredible journey.

My base will be split between Shenzhen and Milan, so I will have to travel a bit. It is an exciting and amazing new journey that I’m thrilled to start.

I will go to Shenzhen probably next week and it will be my first approach to China, a place I have always wanted to know better.

So I will let you know about my next adventure.

ciao

Antonio

I have a New Job was originally published on The Puchi Herald Magazine