Ivan Scalise is among the leading Italian experts in social engineering and in the protection of sensitive data at the corporate level. An authoritative voice, one of the not so many truly credible ones on the national scene, he agreed to give an in-depth interview in which we will try to analyse, as simply as possible, particular situations that could brush against, or directly hit, each one of us. We will also try to offer a general picture of many aspects of the world of Information Technology, of computer security, and of the protection of our privacy.
How safe are we really while browsing the internet, when we talk on the phone, when we walk down the street? What should we really worry about, and which aspects should instead be considered decidedly overrated? Finally, which is more dangerous: a precise, perhaps already known, computer threat, or a skilled and well-prepared interlocutor able to extract information from nothing more than a trivial conversation? We will try to provide a valid and understandable answer to all these questions.
To understand exactly what Ivan Scalise does, we naturally recommend a careful visit to the official site: Ivan Scalise - The Unconventional Security Specialist.
Let's get to it, Ivan: social engineering, then, as a craft, analyses and exploits human weaknesses even before technological ones. It is incredibly easy to get a great many people to voluntarily disclose personal and sensitive data simply by trying to sell an encyclopaedia on the street, or through a telephone interview. Are things a bit better at the corporate level? Is there awareness of the actual risks?
Among so-called ordinary people there is no culture of privacy: the little voice that asks "but what will become of my data?" is there, but the question, whether out of haste or out of a "who cares anyway", is set aside in favour of the sweetener the interlocutor is offering. In companies we find the same people who collect loyalty points at the supermarket, or who enter their personal data on a website in exchange for a gadget. So we have people who are inclined to write something down and see it as unimportant, in exchange for something else that is useful or pleasant. In general, the policies that are followed warn the employee and require that, for whatever reason, certain information not be given out. But a standard is only something fixed and linear, which suggests but does not get to the bottom of which details must not be disclosed. A policy will tell me not to reveal the password, but will never list all the ways an attacker can use to get to the password without my noticing. So we can say that yes, we are a bit better off, but training is lacking. From the receptionist to the president, in a company, nobody clearly has a very simple concept in mind: it is not a question of intelligence.
When we talk about social engineering attacks, we are talking about human weaknesses, as you rightly said, and not about intelligence betraying us. We are all more or less curious, romantic, friendly, polite, lazy, reckless, etc. The solution lies in understanding how and when we are all of these things, and in accepting from the outset the fact that we are vulnerable. Security experts are the first to put objects of dubious provenance into their PCs, like a nice USB stick or CD, or a strange one "perhaps forgotten by some employee". Yet they know social engineering, they have read about it, they are passionate about it, maybe they have even attended one of the many courses that talk about it... But a single moment, a single distraction or an excess of pride ("my configuration and I are bombproof anyway") is enough, and poof, you have opened a hole without noticing.
The human factor is, as always, the weak link in the chain. Wouldn't it be preferable to invest first in people and only then in technology?
Indeed, until the modern information age and computerization, whoever ran a company cared more about the skill and competence of its employees than about the technological tools it used. Then came the first virus outbreaks, the hacker menace, the inglorious fall of so many giants such as Yahoo or eBay, and companies started running for cover, entrusting their security entirely to the Goliaths of computing. These, of course, earn by selling their own hardware and software solutions, and so the security culture came to be based on the products one buys and on the employees' knowledge of the products on the market. They could never say that a lot depends on who manages the security systems (besides which one is used), because otherwise the race for continuous updates would stop in a hurry and things like "ours is the most secure software in the world" or "we design technological solutions for your security" would no longer make sense. Unfortunately, since then things have not changed much. The Goliaths have bought/bribed the Davids with partnerships, certifications and awards, while at the same time ad hoc best practices were distributed and approved, or the media were influenced to muzzle those who pointed out the enormous idiocies being preached.
Now you understand that if a certain culture makes me believe that systems are unique and will protect themselves, I don't care much about the employee I place on that system or around it. From here comes the bad habit of not continuously seeking high-calibre people and of not making the most of one's own staff. Many managers prefer someone who can do a bit of everything rather than a team of specialists. They prefer employees who are cheap, maybe even recyclable through project contracts or outsourcing, rather than quality employees with whom to build a strong bond of belonging. The environment, the air one breathes in a company, is a matter that should be treated seriously, while many of us play with it or speculate on it superficially. There are many employees and managers who feel threatened by a climate of hatred and/or envy that is created around them. The safety and the fate of a company depend on the worth of its employees and on how much they love that company, how comforted and at ease they feel. Some foreign corporations deal with these issues, while here we do not care much. The nice thing is that these are issues the foreign companies' Italian subsidiaries also deal with, and people like me are often called precisely to verify this. It's as if they said: "spend a few days in branch X and see whether they are managing it properly", "see whether our Italian appointee is handling relations in an appropriate manner", and usually after my visit someone from headquarters is placed alongside him.
Today it seems that managers and entrepreneurs have forgotten the importance of interpersonal relationships, and they keep throwing money at the latest security placebo (as I call it) proposed by the vendor, or they turn the site into a biometric control centre. So, while you feel safe, protected by machines, there will still be a small employee, with a small contract, with a great desire to make you pay by favouring a competitor.
Could the Italian business landscape, with particular reference to companies that interact directly with the public (banks, insurers, ordinary municipal offices), be considered on average safe and organized, or are there still too many things that are not as they should be?
The security of an empire starts from the bottom, and in companies of any type and size the bottom is always the most exposed and vulnerable place. As explained above, there is a lack of attention to employees, and the recruitment methods themselves seem unruly. In every sector a tide of temporary workers has become popular, along with hundreds of small limited companies which, if surveyed, offer staff ready for a new job at a moment's notice and selected directly by the same company. So we find the system programmer, the webmaster or the teacher-receptionist-designer working on projects they should not get near, or working for company X one month and for a direct competitor the month after. What's more, there are also those who need to "learn", supplied by Whatever Ltd, meaning people who follow courses in Office, Linux and whatever-you-like and are apprenticed in big companies or in public administration. We find apprentices and temporary workers even in the monitoring rooms of bank headquarters. Yes, you read that right: the security of your bank account and of your transactions does not depend on a super expert with a red cape, but on a slightly dishevelled young man who, knocked about here and there for years, now finds himself in that position for a few months. And let's not even talk about the contracts, subcontracts and various recommendations (references, pardon me) present in the public sector. Or, again, the messengers who carry highly confidential documents here and there, maybe from public prosecutors' offices, such as the faxes communicating the transmission of telephone records or information about ongoing investigations. Or the "rented" call centres which, besides being an easy route, in the eyes of an outsider, to gain direct access to confidential databases, are a wealth of information available to kids who earn less than €600 a month. If you had privileged access to a database, and someone offered you €50 to release information, bearing in mind that as a precarious worker you are doing somersaults between rent and bills, wouldn't you accept?
Can someone explain to me where the security is when this method is used? How can a dissatisfied, temporarily hired or underpaid person meet those requirements that ensure the fragile balance of a company's internal security is not disturbed? At present it is possible to breach any Italian company, public or private, in a more or less simple way, but simple all the same. This means that none of the readers' data is potentially safe.
Mine is not sterile alarmism, also because in the end one gets by all the same, but an invitation to demand greater security from your banks, your municipalities, your hospitals, etc. One should take an interest and be informed, because the services are paid for by all of us, so the least one expects is that they be efficient, secure and run by staff up to their task.
Can cyber crime, in all its many aspects, be considered the fastest-rising criminal business of the moment, and the one with the highest margins for future growth?
The spread of crimes perpetrated through the network rests on a number of factors:
1. The ever-growing number of novice net users, hence the increase in potential victims or vectors.
2. The growing need to make money somehow, and immediately.
3. The spread of pre-packaged technical know-how, even of medium-high level.
5. The deeply rooted illusion of not being able to get caught.
So let's say the factors are the same ones common to many other types of crime, with the difference that a cyber criminal can manage to hit hundreds of thousands of systems with a single blow, or steal a few thousand credit card numbers and codes in less than an hour. On top of that he has a psychological shield, that barrier called the monitor, a barrier which makes him believe he can avoid detection (of course in combination with other precautions), and which then spurs him on to continue until he gets caught (if he operates in the same country, they always get caught). Then there is the malware black market, where I think a distinction should be made between what appears in the newspapers, partly fuelled by certain antivirus programs (I didn't say companies), with prices to suit every budget, and the more hidden one feeding the undergrowth of industrial, governmental and terrorist espionage. And it is the latter that deserves greater attention, since it borders not only on the black market but on real organized crime, spread through cells operating in different countries, with plenty of blackmail, extortion, money laundering, espionage, trafficking and so on...
Both businesses grow and will continue to grow exponentially; there is no single medicine to stop every evil, also because among the reasons there is a sense of malaise that involves whoever is a criminal or does not feel they are one. It may seem a pessimistic view, I know, but I am simply saying that cyber crime cannot cease to exist, which is different from saying that one cannot be adequately protected. Because one can protect oneself adequately; the important thing is to understand from whom.
Is the cyber criminal in some cases better prepared than those who are supposed to hunt him down, or is it simply a matter of those who should be monitoring underestimating the problem?
Neither one nor the other. The preparation of most criminals is now fairly weak, because the desire to learn of up to a decade ago has given way to the desire to overdo it, the desire to act right now. So in recent years, for the first time, the computer scientists with the badge and the corporate IT salary can easily counter those with the bandana. For example, I know mediocre forensic analysts and ethical hackers (though I'd rather say legal, because as for ethics... hmm, often there is little that is even legal, to be picky) who can easily track down the pirate who becomes the protagonist of vandalism, online fraud or small acts of espionage.
The difficulties of the police are basically two: being in the minority and having limits to their investigations. In fact, cases of computer crime are more and more numerous, while the members of the units are destined to fight a very small number of them. Furthermore, organization through cells present in several countries allows the evidence to be scattered. So the cyber cop is no longer up against the pirate in Milan attacking the servers of a company in Palermo, but has to deal with a figure in Italy who sends the order to attack an American website to a cell in Estonia, whose servers are located in Tunisia. You will understand that between international letters rogatory and the lack of permits in those countries that do not see piracy as a crime, months go by and the tracks inexorably begin to dissolve.
Law enforcement should be put in a position to do its work in a flash, so that these traces do not have time to dissolve. At the same time you cannot protect privacy by breaching it, by creating a police state. It is too easy to access any data and to be able to control everything about everyone in advance, or about every suspect. Citizens' privacy is so called because it is private and belongs to citizens. So I think every measure taken to protect it should be screened and approved by the citizenry itself. Also because the criminal knows how to circumvent such controls, and you end up spying only on honest people (and companies).
To return to the question, our forces need constantly updated equipment, better training and a partial reorganization. Then, of course, if they started turning a blind eye to the kids in order to concentrate better on real criminals, that would be a good step forward, if not a leap.
You deal mainly with protection and prevention. Has it ever happened that you had to intervene when the oxen had already fled miles from the fence?
Yes, but unfortunately, in these cases, my help has never been requested while things were hot, or when the oxen were still nearby. When a company realizes that it has suffered damage or let some confidential information slip out, in order to save money and play it safe, it does two things:
1. It calls a computer security company, which perhaps proposes the brand-name solution.
2. It hires a private investigator.
I remind you that in my work computer security only brushes against what I do, just as what I do only brushes against computer security, but you know how it is... they play it safe, as I said. At this point the work lasts one or more weeks, but even months if they rely entirely on the investigative agency. When the work is finished, several scenarios present themselves again:
1. They were amateurs and were discovered.
2. They were professionals and were not discovered, but the opposite is pretended and an ad hoc case is invented (a very simple thing for an unmonitored computer security company).
3. They were professionals but nothing could be done; the advice is to look elsewhere.
Following scenarios 2 and
At this point, if the leak of information risks seriously damaging the company, the company decides to hire a professional, specialized in counter-espionage and social engineering, who will try to recover what can be recovered without promising miracles. Or it turns to the police, and the matter regularly ends up in the newspapers. The most negative aspect of such affairs is that, after this kind of incident, the companies' strategy does not change: "we'll be more careful", they say... "goodbye", I reply :)
How much does it count, in your profession, to be creative, independent, flexible?
These are requirements that lie at the very heart of the profession. The beautiful, and in some ways ugly, thing about this job is that it is done solely and exclusively with one's head. There must be no worries, impositions, limits or anything else. It is not like carrying on a classic project or a company; it is not like any other profession. I don't mean to imply that it is harder than others; it is just very different from the others. When you have to organize 360-degree protection you cannot overlook any detail, and at the same time you must be a constant source of new ideas and new solutions. The mind must be clear; you have that job only in your head, and you carry it with you at all hours. There are no fixed office hours or fixed work locations (also for reasons of confidentiality).
Independence, then, plays a prominent role that unfortunately not all companies evaluate properly. Being independent means making choices aimed at the well-being and protection of the customer and nobody else. Not wearing corporate frills or partnership arrangements, one is more objective and not subject to external pressures. We could sum it up like this: unconventional solutions for unconventional work.
Security and confidentiality of the personal and sensitive data stored on our PCs: we always talk only about flaws in browsers, viruses and trojans that can steal information and send it to remote, hostile websites... What about those who use their date of birth as their home banking password? Superficiality, or lack of knowledge of the risks?
One always thinks of the pirate as a recognizable person, far from our environment and interested in large sums of money, certainly not in the little that most of the population has in their account. It is this wrong perception of risk that causes problems. The robbers who threaten the ordinary person organize thefts of minimum pensions and scams that take €50/100 from every single person cheated. Not to mention the old banking scams in which disloyal employees siphoned only a few coins from each account, which put together became a large sum. The same thing happens on the web today, and we can also see it on online auction sites, where every day forums are born with complaints from people cheated even for just €20. Or I can bring up hundreds of cases in which MMORPG characters or their assets were seized in order to demand a real ransom to get everything back.
So if you use simple passwords, or if your PC and connection have no protection at all, what makes you believe that your neighbour, acquaintance or work colleague won't try to get into your account to fatten their own? Why, when you invite people into your home, don't you leave €500 in plain view? Because evidently you know well that the temptation is strong. Well, the same perception that stops us leaving money unattended at home should push us to take more care of our accounts, our online transactions and the methods we use to protect ourselves.
To what extent are browsers reasonably secure? How many of the vulnerabilities that may be defined as critical are then actually encountered in practice during normal web browsing and e-mail use?
It depends on the use made of it; the secure browser does not exist, and the many vulnerabilities strike at random, so if you do not want to be among the lucky draws it is best to take any critical vulnerability seriously. Until some time ago I would have said that the best idea was not to use popular browsers and not to view mail directly in the browser, but by now even this suggestion is obsolete. Unfortunately, being secure means adopting restrictions; it is inevitable. We all want to fully enjoy the potential of a browser or an e-mail program, and striving every day to keep the PC protected is a pain in the ass for anyone... But it must be done.
Can any web page be considered potentially breakable by an amateur, or do you really need extensive expertise? What resistance can the small standard amateur site, hosted on a typical web farm, offer, whether or not it is considered an attractive target?
You have to see how the site is built. If it is a plain HTML site, without the shadow of any script, broadly speaking it only gives way to a DoS or because of an access password that is too simple. For those who instead adopt advanced languages, scripts, forums, chats etc., it is inevitable that sooner or later the site will be defaced, also because the owner may have better things to do than look after the potential vulnerabilities tied to his site, or the 0-days.
The Sunday lamer who set about bothering other people: concretely, what damage could he cause, and what consequences would he risk having to face?
Here too it depends. If the other person has not peddled his whole (real) life around the web and keeps a medium security profile, no damage. Otherwise it ranges from a quarrel with the partner to one with the employer, from a peek at e-mails to a peek at the accounts. If the victim then really applied himself, the Sunday lamer would be in a lot of trouble, and if others lent a hand one could even speak of criminal conspiracy. Which, however laughable as a charge, stops people in their tracks as soon as the notice from the prosecutor's office arrives.
Years ago viruses and the like were full of devastating code (probably lethal because of the inherent weaknesses of operating systems), just to do damage and perhaps to demonstrate how good their programmers were; now almost silent viral elements seem to be favoured, designed to violate our privacy and maybe get our credit card data. Was it better when it was worse?
If I force you to format immediately, or if I force you into constant reboots because I'm trying to fry the CPU...
Nobody does anything for nothing, including damage. Even attempts at DDoS are not motivated only by political and ethical reasons, but serve to identify or confirm a crew. Just as the ethical hackers no longer limit themselves to e-mails alerting the administrator to the presence of a particular flaw, but want credit and thanks (maybe even a bank transfer), otherwise they resort to disclosure and defamation. There are no more groups that actually work for network security; today everybody wants something, if not money.
At a high-profile business level, can one encounter code designed specifically to force or bring to its knees a given operating environment, perhaps a mission-critical one?
Of course, which is why continually investing large sums of money in technological shields makes no sense unless you have first invested twice as hard in preparing and enhancing staff. The walls that protect the most valuable information are worth less than the cost of a malicious code tailored for the occasion, not only technological but also human. With industrial espionage, the serious kind, there are no impenetrable systems. Companies should understand that 80% of the resources committed to staying safe are wasted keeping them safe from low-profile and low-to-mid-profile figures. A fifth of what they spend today on technological measures (e.g. Israeli hardware firewalls) and related services (a good penetration test of the expensive kind, maybe even automated rather than manual) would suffice to be safe from those figures.
Don't forget that almost all companies do not care, or do not know, what is really in the hardware they buy. There are several vulnerabilities that allow a system to be penetrated without touching the operating system or the applications, and as hardware and software evolve in parallel, it will soon be much easier to talk directly to the machine. But this is one of the many aspects that only criminals deal with.
The user's approach to the IT world is often fearful and crippling compared to the immense possibilities. To drive a car you need a licence, and there are still plenty of unprepared drivers; to use a PC and surf the web you need nothing (let's skip the picturesque little thing called the European Computer Driving Licence), unless you want to. For good or ill, anyone who could be considered a step above average is self-taught. When will there be a solid foundation for the teaching of a proper computer culture in our country? Maybe in 20 years?
Foreign languages have been taught in schools for some time, yet people still learn them mainly through travel abroad or through the Internet. Indeed, until a few years ago you were also forced to study on your own, since software and video games were mainly in English. Computing is recent, the average age of the ministers who could create a suitable programme is over 55, so let's say that yes, your calculation is correct: maybe in 20 years something worthwhile will be taught, and in another 10 we will see the fruits. In short, it's like preparing a trip to another planet; maybe in 30 years we'll get there.
Mine is just a joke, but there really is a shortage of programmes suited to valid teaching of the use of PCs in schools (and not only this, sic). Yet ours is the era of computerization, the era of the Web and of the forthcoming interoperability between an infinite number of devices. There would be a need not only for teaching about the correct use of the PC but also for an education that speaks of the culture which in a few years has led us to have to type www in order not to be cut off from the world. And to think that only about ten years ago it was whoever talked insistently about the internet who was seen as an alien... :)
Let's not hide it: in some respects we Italians are a population that carries a rather modest cultural baggage, with everything that comes with it, and we are probably unprepared to make full use of today's vast possibilities. Here too, how do you see the future?
The fault lies not with a country going to the dogs but with the average age of our country's inhabitants. We are among the oldest in the world, and it is normal that a country populated and run by people of a certain age finds itself uncompetitive when it comes to computing and new technologies. Until the '90s we churned out several innovations, then we stopped at those years; made-in-Italy innovations became fewer and fewer while other countries advanced. We sold (off) all the companies that did innovation, we let the best creative minds fly abroad; where there were Italians managing the technologies there are now foreigners. It's obvious that if you don't keep the most brilliant minds and you allow other countries to come here and suck up resources, they evolve and you become the errand boy.
As for the future, I don't know, I have no crystal ball. Of course it would not be nice to find today's young people, who think they know it all, let loose at the helm in a few decades. Innovation must be guided by careful evaluation. In recent years, for example, there has been talk of using VoIP in the ministries. It is an example of reckless innovation, because anyone who has studied how VoIP works has followed its structural limits and would not recommend it for high-level applications. You know, to every mistake today the reply is: "it's the market", and so it seems the time has come to evaluate our market experts, because it is not normal to know it so well and then always play the role of the one who picks up the soap in the showers.
Speaking precisely of what tomorrow might hold for us: could today's operating systems, ever more technologically advanced and ever less complicated to use, be the future cornerstone of a society based on global control, a full-blown Orwellian Big Brother? Carnivore, Magic Lantern, Palladium, Echelon: what truth is there in them?
Here we come back to the discussion on culture I referred to. If people learn that privacy is something serious, and that it is important to send signals as digital rebels, one can proceed peacefully to sabotage any type of control. No software or technology can ever compete with the imagination of a human being, and it will always be bypassed in advance.
Big Brother is already there; one can discuss how to use it, but one cannot deny its existence. The masses are already conditioned by the media, and whoever does not feel influenced is nevertheless influenced by the media and by people, children, specially structured to reduce the potential dissidents. Cameras are everywhere. We are losing control over the hardware functions of all the devices we have at home, more and more connected and less and less traceable. Purchases are filed, as are banking operations, phone calls, text messages, our movements if we carry a mobile phone or GPS device, our seat on the train or plane. If you go to the U.S. there is no way you won't be marked, and if you had the misfortune of sitting on the plane next to a suspected terrorist (or the friend of the friend of the uncle of an alleged terrorist), you end up blacklisted without knowing it and without being able to get out. The traceability of users and of everything they do will increasingly be in the hands of the user. The means of tracking will be useful in some way, you will find them useful; the limits of reason lie in the "here and now", whenever you realize that by accessing a given system or using a program your privacy will be cancelled. "Now I need it and I do it, then I'll close it forever": we are drugged by comforts, and those who are interested in this monitoring know the masses well. Liberticidal laws will no longer be needed, just a bit of simple, healthy social engineering. Remember what I said before? I give you a little something nice and/or useful, and you will use it, because it is in your nature to let yourself be pushed.
Returning to the discussion about governments: in Italy the mysterious OSEMINTI project is being experimented, together with France and Spain. There has been no report from our government about this project... Why? Why do we always learn about these things from others? (In this case Spain)
Both in terms of product security and in terms of quality: open source or proprietary software?
In general, the one that pleases those who have to use it. The product one is more familiar with. Members and employees, in everyday life, are lazy, so a new product would reduce productivity or complicate the resolution of any problems. The future will bring everything onto open interoperability, so it seems pointless to deepen the discussion just to get into an argument with someone.
Antivirus, anti-trojan, anti-spyware: are they of any use to you? Could they be handy for the novice user, who already struggles with Windows Notepad, let alone when it comes to setting up a protection program, or do they perhaps only serve those who know the PC well and are able to defend themselves a priori, and so actually lose their hypothetical utility?
Even whoever fights with Notepad and should strive to install scanning software and at least 3-4 malware protection. There are hundreds of similar programs for every need and every type of user, from novice to the most experienced. When you have a car, you get bored having to get gas, change oil, check tires, water etc ... But you know you have to do it. The same applies to the PC. I understand that time is not enough, there are other interests, etc. ... But if it begins immediately to lose a bit 'of time on these things in less than 5 years, many are not even able to make or receive calls. Because the factor of safety management will be (indeed already is) there, too, come nei lettori mp3, nelle console, nelle tv, ovunque. Non bisogna essere dei nerd per gestire la sicurezza di un personal computer, basta applicarsi qualche minuto al giorno.
Manufacturers, on the other hand, could create ad hoc systems for those who have no desire or no time to devote to these matters. But in the end they would be toys, and how many people would work on a toy?
Most widespread viral infections propagate, as a rule, within 48 hours of the first case, that is, in the time that elapses between patient zero, the initial spread of the epidemic, the reaction of the antivirus vendors releasing signatures and definitions, and the updating of those signatures by the user. Meanwhile the damage is done: the antivirus can give you a false sense of security; a file called cliccamiquisonotuttanuda.jpeg.exe arrives by e-mail, the antivirus says it is fine, the unwary user goes click click, and goodnight. Solutions? Learning to make better use of one's brain?
But no, I do not feel like offending those who might fall for it. As the years go by, phishing techniques are becoming increasingly sophisticated. Checking e-mail is a routine operation, so everyone is distracted and less focused on the potential dangers it entails. It takes just a little effort in the first week to make routine tasks out of: sending straight to the trash e-mails written in English (unless you have contacts who could write in that language), discarding those from unknown senders, not spreading your e-mail address around, making file extensions visible so that you see the real one, worrying (a lot) if a colleague sends an e-mail saying "want to see me naked?", avoiding clicking on links in e-mails and always typing the address into the bar by hand, not going to find out what the prices of Viagra are and, in general, stopping whenever you notice something strange. For companies it is more complex, because some of the points mentioned above cannot be followed, so they are forced to have a good game plan to restore everything in a hurry if their defenses were to break down.
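Two of the routine checks in the answer above, the attachment whose real extension hides behind a decoy one (the .jpeg.exe file mentioned) and the link whose visible address is not where it really goes, can be automated in a small triage script. The following Python is an added editorial example, not part of the interview or of Ivan Scalise's work; the sample message is constructed, and the extension lists are assumptions a reader would adapt to their own environment.

```python
"""Triage of an incoming e-mail against two routine checks:
  1. attachments whose executable extension hides behind a decoy one
     (e.g. photo.jpeg.exe, shown as "photo.jpeg" when known extensions are hidden);
  2. links whose visible text looks like a URL but resolves to another host.
Added editorial example; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Extensions that execute code when opened (assumed list, extend as needed).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "msi",
                         "js", "vbs", "jar", "hta", "ps1", "lnk"}
# "Harmless" extensions an attacker borrows as a decoy in front of the real one.
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt",
                    "doc", "docx", "xls", "xlsx"}
# Visible link text that a reader would take for a web address.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def attachment_findings(filename: str) -> List[str]:
    """Return reasons an attachment name deserves suspicion (empty if none)."""
    parts = filename.lower().rsplit(".", 2)   # at most: name, decoy ext, real ext
    findings = []
    if len(parts) < 2:
        return findings                       # no extension at all
    if parts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append("executable")
        if len(parts) == 3 and parts[-2] in DECOY_EXTENSIONS:
            findings.append("double_extension")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Normalised host of a URL or bare domain, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def link_findings(html: str) -> List[Tuple[str, str]]:
    """(visible_text, real_href) for links whose text names a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if URL_LIKE.match(text) and _host(text) != _host(href)]


def triage(message: dict) -> List[str]:
    """Apply both checks to a message dict and return human-readable alerts."""
    alerts = []
    for name in message.get("attachments", []):
        for finding in attachment_findings(name):
            alerts.append(f"attachment {name}: {finding}")
    for text, href in link_findings(message.get("html", "")):
        alerts.append(f"link text {text!r} actually points to {href}")
    return alerts


# Constructed sample message (not a real capture); hosts use reserved .example.
SAMPLE = {
    "from": "collega@example.net",
    "subject": "vuoi vedermi nuda?",
    "attachments": ["cliccamiquisonotuttanuda.jpeg.exe", "agenda.pdf"],
    "html": ('<p>Accedi subito: <a href="http://login.evil.example/x">'
             'www.mybank.example/login</a> oppure '
             '<a href="https://www.mybank.example/help">mybank.example/help</a></p>'),
}

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run as a script it prints three alerts for the constructed message: the double-extension attachment (twice, once for being executable and once for the decoy extension) and the bank link that really points at login.evil.example; the PDF and the link whose text and target agree produce nothing. The host comparison ignores a leading "www." so that a legitimate link is not flagged merely for that difference.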
What is the point of anti-spam services, given that they are completely useless and can indeed damage the relationships of the company or user who relies on them? How many times has it happened to us to look into the SPAM folder and notice messages that are not spam? Imagine what happens to people who receive hundreds every day, or who have one of those anti-spam services that does not use a dedicated folder but deletes the mail directly.
Hacker, cracker, lamer... shall we bring some clarity, even if it would not be the first time?
Hacker the good guy, cracker the bad guy, lamer the moron. That is what everyone wants to hear; this is the socially accepted stereotype. Actually it would be better to distinguish between black hat and white hat hackers, because the term "hacker" hides a passion, a way of life and a well-defined ethic. A hacker is any person who, throughout their life, keeps asking questions, investigating, going beyond the conventional function of any object in front of them. Talk like "I'm better than you because I'm a good kid" I leave to those who have serious self-esteem problems. In short:
The black hat hacker is the one who imposes his own rules and ethics, who places the interest of others at a lower level than his personal interests.
The white hat hacker is as generally described: the one whose ethic strives above all for the good of others and for the free flow of information.
Cracker stands for "criminal hacker". He is the classic hacker who, unlike the black hat, does not hide behind any fictitious ethics.
The lamer is the hole in the back door of the moment. He is the person who is interested in certain subjects but does not want to waste time studying them. He typically uses stuff written by others, or surrounds the simplest actions with emphasis, tricking the victim into believing he has done something. In short, cute characters.
Then there would also be the old-school hacker, who has much in common with the white hat but does not agree with the current bad habits of the movement. He is the clean hacker, the genuine hacker, who really likes to disassemble, replace, alter, circumvent any system. The hacker who, after completing the hack, wants to show everyone how he did it, not because he cares about the system but because he loves it, and it is right and just. He is like the child who breaks a toy and then brings it to his mother very happily, as if to say "see how good I am? I understand how it works".
In our country, and in your operating environment (or, more generally, speaking of information security), how many people do you think are really prepared and reliable, technically and humanly?
Few, so few that I can think of one person. Unfortunately, in this business, few are willing to inconvenience themselves and, first of all, their clients by asking, indirectly, to be removed from the job. If you want to have (quickly) a good number of major clients and live well, you are led to set aside everything you fought for as a teenager and even to embrace reality ("We suck the motivation and altruism out of the really talented people, and turn them into business whores"). This is a problem shared by many professions, not just those centered on information security, with the difference that in this kind of work the invasiveness toward others is much higher than in the rest. I, and a few others, are fortunate not to have to be in a hurry, so we have the luxury of accepting or not a given job. But not everyone can enjoy this luxury, because the cost of living is high and the sacrifices to be made to remain true to oneself are many. With everything that the Telecom/Pirelli affair will trigger in the years ahead, much more importance will start to be given to those positions in order to avoid legal trouble, so it is good that those who have only recently started their journey in the swamps of our local security scene grit their teeth a little and wait for the right moment without seeking easy shortcuts or other petty tricks.
Finally, anything in particular on which to focus our attention in the near future?
VoIP, WiMAX and 4G are the three technologies that in the next 5 years will give us a lot to talk about. Especially the first two, described by everyone as a technological boon, are actually vulnerable to a series of attacks that go directly to the roots of these technologies, thus making encryption or other protections useless. But current business models do not provide for a firm rejection of something that brings a lot of money into the coffers. So, as usual:
1. We will adopt these technologies.
2. We will talk about security while offering cheap solutions.
3. When they become indispensable, the hand will be forced by advertising very expensive solutions.
4. The countdown for the next innovation will begin.
For 4G, however, we do not yet know with certainty which of all the standards will be adopted when it becomes widespread in Europe, but as for the first two: business is business, and we can already imagine. In addition, 4G will inherit all the gaps that still exist in third-generation telephony, and the growth of technological knowledge on the attackers' side will put the privacy of all of us to the test.
Another boon for pirates all over the world is (will be) everything that has (will have) to do with Web 2.0: from the simple manipulation of the masses through a little bit of good social engineering, to making a whole series of sister sites unusable for hours or days. I am convinced that we are about to relive another February 7, 2000 (Yahoo collapsed, followed by eBay, CNN and other giants), and it is therefore the right time to ensure that security is not once again a gospel.
Ivan Scalise interviewed by Federico Vitali aka Vitoz
Reading suggested by Ivan Scalise for those wishing to explore some of the topics covered:
Il vero nome (True Names), by Vernor Vinge. Casa Editrice Nord.
A gripping computer thriller which, when it was published in 1981, was considered science fiction. It is a book I like very much because, unlike other similar stories, it is very "warm"; there is no cold terminology. There is no "cyberspace", but the "Other Plane", which refers to a magical world, and it remains easy to read despite having been written 26 years ago, while still retaining its predictions about what will happen in the near future.
Hackers, i ribelli digitali, by Paolo Mastrolilli. Editori Laterza.
Tells the story of two famous New York hackers, El Zorro and Emmanuel Goldstein, in a fictionalized way but without distorting reality too much. Useful for those who want to start experiencing the true hacker culture, the one found on the street and not in magazines or movies.
Profilo Hacker, by Raoul Chiesa and Silvio Ciappi. Apogeo.
A survey, by observers, of the world of hackers and criminal hackers, trying to give the reader a complete picture of a topic rarely discussed but always topical. Beyond the broad categorizations that Raoul extrapolates, I think it useful to read it to eliminate some much more annoying stereotypes, which pollute and damage the image of hackers.
The Art of Deception, Kevin D. Mitnick. Feltrinelli.
Through a series of short stories, Kevin tells the world how easy it is to get hold of sensitive information through social engineering strategies that are not at all complicated, but damn effective. I think this book is useful to all those who deal with social intelligence, or who are not aware of how easy it is to carry out an attack starting from the staff considered "less important".
Intercept the World, by Patrick R. Keefe. Einaudi.
The best book ever written on Echelon, useful to anyone who thinks it is all nonsense or that such systems have some kind of limits. Side effect: it may increase your level of paranoia.
Exclusive interview for Tech Italy and vitoz.blogspot.com. All rights reserved. Publication on other websites and/or by any other means of dissemination is prohibited without the author's specific approval.