Friday Summary - August 14, 2009
By Adrian Lane
Rich and I have been really surprised at the quality of the resumes we have been getting for the intern and associate analyst roles. We are going to cut off submissions some time next week, so send one along if you are interested. The tough part comes in the selection process. Rich is already planning out the training, cooperative research, and how to set everything up. I have been working with Rich for a year now and we are having fun, and I am pretty sure you will learn a lot as well as have a good time doing it. I look forward to working with whomever as any of the people who have sent over their credentials are going to be good.
The last couple days have been kind of a waste work-wise. Office cleanup, RSA submissions, changes to my browsing security, and driving around the world to help my wife’s business have put a damper on research and blog writing. Rich tried to warn me that RSA submissions were a pain, even sending me the off-line submission requirements document so I could prepare in advance. And I did, only to find both the online forms were different, so I ended up rewriting all three submissions.
The office cleanup was the most shocking thing of my week. Throwing out or donating phones, fax, answering machines, laser printers, and filing cabinets made me think how much the home office has changed. I used to say in 1999 that the Internet had really changed things, but it has continued its impact unabated. I don’t have a land line any longer. I talk to people on the computer more than on the cell phone. There is not a watch on my wrist, a calendar hanging on the wall or a phone book in the closet. I don’t go to the library. I get the majority of my news & research through the computer. I use Google Maps every day, and while I still own paper maps, they’re just for places I cannot find online. My music arrives through the computer. I have not rented a DVD in five years. I don’t watch much television; instead that leisure time has gone to surfing the Internet. Books? Airline tickets? Hotels? Movie theaters? Are you kidding me? Almost everything I buy outside of grocery and basic hardware I buy through online vendors. When I shut off the computer because of lightning storms, it’s just like the ‘Over Logging’ episode of South Park where the internet is gone … minus the Japanese porn.
The Kaminsky & Matasano hacks made Rich and me a little worried. Rich immediately started a review of all our internal systems and we have re-segmented the network and are making a bunch of other changes. It’s probably overkill for a two-person shop, but we think it needs to be that way. That also prompted the change in how I use browsers and virtual machines, as I am in the process of following Rich’s model (more articles to come discussing specifics) and having 4 different browsers, each dedicated to a specific task, and a couple virtual partitions for general browsing and research. And the entire ‘1Password’ migration is taking much more time than I thought.
Anyway, I look forward to getting back to blogging next week as I am rather excited about the database assessment series. This is one of my favorite topics and I am having to pare down my research notes considerably to make it fit into reasonably succinct blog posts. Plus Rich has another project to launch that should be a lot of fun as well.
And now for the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich and Quine (Zach Lanier) host Episode 162 of The Network Security Podcast.
- Rich’s Open Letter to Robert Carr, CEO of Heartland Payment Systems kicked off a series of responses: Threatpost Reprint with added content, Michael Farnum at Computerworld, and Alex Howard at TechTarget.
- Rich was quoted on CA entering the cloud computing market at IDG.
- Project Quant was referred to in a Computerworld UK post by Amrit Williams.
- Rich wrote an article on iPhone 3GS encryption problems at TidBITS.
- Rich wrote up the iPhone SMS attack for Macworld.
Favorite Securosis Posts
- Rich: Adrian’s start on the database assessment series.
- Adrian: Rich’s biting analysis of Robert Carr’s comments on the Heartland data breach.
Other Securosis Posts
- It’s Thursday the 13th – Update Adobe Flash Day
- Not All Design Flaws Are “Features”
- Database Encryption, Part 7: Wrapping Up.
Project Quant Posts
Favorite Outside Posts
- Adrian: Like an itch you can’t scratch, I struggle for ways to describe why GRC is a clumsy way to think about security and compliance. Dave Mortman to the rescue with his post on GRC: Why We’re Doing It Wrong. Thanks Dave!
- Rich: Larry Walsh reveals the real truth of security reputations and breaches.
Top News and Posts
- Fortinet plans an IPO.
- Bank of America and Citi warn of a merchant breach in Massachusetts.
- Adobe vulnerabilities and patch management are hitting critical mass.
- Bill Brenner’s interview with Heartland’s CEO. Brandon Williams, Mike Rothman, Andy the IT Guy, and the New School’s Adam Shostack respond.
- Interview with our very good friend, and network engineering master, JJ.
- Mike Dahn on personal responsibility in security.
- USAA now takes deposits via the iPhone. I’ve tested this, and it works great.
- Voting machine attacks are proven to be practical under real world conditions.
- Ryan and Dancho cover Apple’s Mac OS X Patch.
- Microsoft releases several security patches.
- Rafal Los on the Wordpress Admin Password Reset vulnerability.
- NSSLabs Malware and Phishing report.
Blog Comment of the Week
This week’s best comment comes from Jeff Allen in response to Rich’s post An Open Letter to Robert Carr, CEO of Heartland Payment Systems:
Very interesting take, Rich. I heard Mr. Carr present their story at the Gartner IT Security Summit last month, and I have to say, despite everything I know about PCI, I was compelled by his argument that PCI and Heartland’s QSA let him down. I think it’s easy to get caught up in his argument when the reality is, as you point out, that this breach was outside of the scope of what the QSA was looking for in the first place.
I see the disconnect caused by the differences between two perspectives: I think it’s easy to look down from the top and say, “I don’t like spending money to comply with this reg, but at least we will know we’re secure”. Unfortunately, the folks on the ground supporting the audit are thinking something very different a lot of the time. They are thinking, “how do we get this auditor out of here as quickly as possible with as few new ‘to-do items’ at the end as possible.” With the guys in the trenches looking at pass/fail grading, it’s unlikely that they will communicate that they got a D+ (pass) on their audit. Meanwhile, the guys upstairs see “pass” and they think “we got an A”. Lots of room for holes between those two views.
Still, I really admire Carr for getting out and telling his story and for the way he’s leading his company out of this morass. Besides, how many other CEOs would agree to take the stage at that show?