Friday Summary - August 7, 2009By Adrian Lane
My apologies for getting the Friday Summary out late this week. Needless to say, I’m still catching up from the insanity of Black Hat and DefCon (the workload, not an extended hangover or anything).
We’d like to thank our friends Ryan and Dennis at Threatpost for co-sponsoring this year’s Disaster Recovery Breakfast. We had about 115 people show up and socialize over the course of 3 hours. This is something we definitely plan on continuing at future events. The evening parties are fun, but I’ve noticed most of them (at all conferences) are at swanky clubs with the music blasted higher than concert levels. Sure, that might be fun if I wasn’t married and the gender ration were more balanced, but it isn’t overly conducive to networking and conversation.
This is also a big week for us because we announced our intern and Contributing Analyst programs. There are a lot of smart people out there we want to work with who we can’t (yet) afford to hire full time, and we’re hoping this will help us resolve that while engaging more with the community. Based on the early applications, it’s going to be hard to narrow it down to the 1-2 people we are looking for this round. Interestingly enough we also saw applicants from some unexpected sources (including some from other countries), and we’re working on some ideas to pull more people in using more creative methods. If you are interested, we plan on taking resumes for another week or so and will then start the interview process.
If you missed it, we finally released the complete Project Quant Version 1.0 Report and Survey Results. This has been a heck of a lot of work, and we really need your feedback to revise the model and improve it.
Finally, I’m sad to say we had to turn on comment moderation a couple weeks ago, and I’m not sure when we’ll be able to turn it off. The spambots are pretty advanced these days, and we were getting 1-3 a day that blast through our other defenses. Since we’ve disabled HTML in posts I don’t mind the occasional entry appearing as a comment on a post, but I don’t like how they get blasted via email to anyone who has previously commented on the post. The choice was moderation or disabling email, and I went with moderation. We will still approve any posts that aren’t spam, even if they are critical of us or our work.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich Mogull and Lisa Phifer article “Encrypt it or Else”.
- Adrian was quoted in “Identity Theft”, on the Massachusetts Data Protection Law by Alexander B. Howard.
- Rich was quoted in a Dark Reading article on database security.
- Rich was quoted in a Computerworld article on IAM in cloud computing.
- Next week, Rich will be presenting in a webinar on the SANS Consensus Audit Guidelines.
Favorite Securosis Posts
- Rich: Size Doesn’t Matter.
- Adrian: Data Labeling is Not the Same as DRM/ERM. Don’t forget to read down to my comment at the end.
Other Securosis Posts
- The Network Security Podcast, Episode 161
- McAfee Acquires MX Logic
- Mini Black Hat/Defcon 17 recap
- The Securosis Intern and Contributing Analyst Programs
Project Quant Posts
Favorite Outside Posts
- Adrian: How could it be anything other than “Hey hey, I Wanna Be A Security Rockstar by Chris ‘Funkadelic’ Hoff. It’s like he was there, man!
- Rich: Jack Daniel is starting to post some of the Security B-Sides content. I really wish I could have been there, but since I work the event, I wasn’t able to leave Black Hat. The good news is they’ll be doing this in San Francisco around RSA, and I plan on being there.
Top News and Posts
- Get ready for Badge Hacking!
- RSnake and Inferno release two new browser hacks.
- First prosecution for allegedly stealing a domain name.
- You know, Twitter being under attack is one of those events that brings security to the forefront of the general public’s consciousness, in many ways better than some obscure data breach.
- Feds concerned with having their RFIDs scanned, and pictures taken, at DefCon. There is nothing at all to prevent anyone from doing this on the street, and it’s a good reminder of RFID issues.
- Fake ATM at DefCon. I wonder if the bad guys knew 8000 raving paranoids would be circling that ATM?
- Melissa Hathaway steps down as cybersecurity head. I almost don’t know how to react – the turnover for that job is ridiculous, and I hope someone in charge gets a clue. The Guerilla CISO has a great post on this.
- Adobe has a very serious problem. It is one of the biggest targets, and consistently rates as one of the worst patching experiences. They respond far too slowly to security issues, and this is one of the best vectors for attack. I no longer use or allow Adobe Reader on any of my systems, and minimize my use of Flash thanks to NoScript.
Blog Comment of the Week
This week’s best comment comes from Bernhard in response to the Project Quant: Create and Test Deployment Package post:
I guess I’m mosty relying on the vendor’s packaging, being it opatch, yum, or msi. So, I’m mostly not repackaging things, and the tool to apply the patch is also very much set.
In my experience it is pretty hard to sort out which patches/patchsets to install. This includes the very important subtask of figuring out the order in which patches need to be applied.
Having said that, a proper QA (before rollout), change management (including approval) and production verification (after rollout) is of course a must-have.