Friday Summary- October 2, 2009By Rich
I hate to admit it, but I have a bad habit of dropping administrative tasks or business development to focus on the research. It’s kind of like programmer days – I loved coding, but hated debugging or documentation. But eventually I realize I haven’t invoiced for a quarter, or forgot to tell prospects we have stuff they can pay for. Those are the nights I don’t sleep very well.
Thus I’ve spent a fair bit of time this week catching up on things. I still have more invoices to push out, and spent a lot of time editing materials for our next papers, and my contributions to the next version of the Cloud Security Alliance Guidance report. I even updated our retainer programs for users, vendors, and investors. Not that I’ve sent it to anyone – I sort of hate getting intrusive sales calls, so I assume I’m annoying someone if I mention they can pay me for stuff. Probably not the best trait for an entrepreneur.
Thus I’m looking forward to a little downtime next week as my wife and I head off for vacation. It starts tonight at a black tie charity event at the Phoenix Zoo (first time I’ll be in a penguin suit in something like 10 years). Then, on Monday, we head to Puerto Vallarta for a 5 day vacation we won in a raffle at… the Phoenix Zoo. It’s our first time away from the baby since we had her, so odds are instead of hanging out at the beach or diving we’ll be sleeping about 20 hours a day.
We’ll see how that goes.
And with that, on to the Friday Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian starts a new series on database security over at Dark Reading with a post on SQL Injection.
- Rich and Martin on the Network Security Podcast, Episode 168.
Favorite Securosis Posts
- Rich: Our intern kicks off his analyst career with a post on “realistic security”.
- David Meier: IDM: It’s A Process
- David Mortman and Adrian: Rich’s post on tokenization. And honestly, we did not place that strawman in the audience.
Other Securosis Posts
Favorite Outside Posts
- Adrian: On the Mozilla Security Blog: A Glimpse Into the Future of Browser Security. Cutting edge? I dunno, but interesting.
- Rich: Jack Daniel on the Massachusetts privacy law mess. This is why I never get excited about a coming law until it’s been passed, there’s an enforcement mechanism, and it’s being enforced.
- Meier: Wireless Network Modded to See Through Walls - This brings a whole new level of fun to the Arduino platform.
- Mortman: Not about Security, but come on, homemade ketchup!
Top News and Posts
- Slashdot links to a bunch of articles on the rise of cybercrime against business banking accounts (usually by compromising the company’s computer, and grabbing their online username/password). Much of the investigative reporting is being done by Brian Krebs at the Washington Post.
- Competing statistics on phishing. Odds are they’re all wrong, but it’s fun to watch.
- Judges orders deactivation of a Gmail account after a bank accidentally sends it confidential information. Yet another judge shows a complete lack of understanding of technology.
- Brian Krebs (again) with the story of how a money mule was recruited. I don’t understand how this person could possibly believe it was legitimate work.
- Microsoft releases their free Security Essentials antivirus.
- New malware rewrites bank statements on the fly. This is pretty creative.
- BreakingPoint on Cisco being a weak link in national infrastructure security.
- Researchers break secure data storage system. Absolutely no one is surprised.
- Using BeEF for client exploitation via XSS.
- New NIST guidance on smart grid security.
- Wi-Fi Security Paint. But it just doesn’t have the cachet of aluminum foil.
- Payroll Firm Breached
- Does it really matter if we call it Enterprise UTM or UTM or Bunch-O-Security-Stuff in a Box? Seriously, cross $200M per year in revenue, and does anyone care?
- WTF? Bloggers Cause Wisconsin Tourism Federation to Change Name. (Just because it’s my home state –Meier).
Blog Comment of the Week
This week’s best comment comes from Slavik in response to SQL Injection Prevention:
Hi Adrian, good stuff.
I just wanted to point out that the fact that you use stored procedures (or packages) is not in itself a protection against SQL injection. It’s enough to briefly glance at the many examples on milw0rm to see how even Oracle with their supplied built-in packages can make mistakes and be vulnerable to SQL injections that will allow an attacker to completely control the database. I agree that if you use only static queries then you’re safe inside the procedure but it does not make your web application safe (especially with databases that support multiple commands in the same call like SQL server batches). Of course, if you use dynamic queries, it’s even worse. Unfortunately, there are times when dynamic queries are necessary and it makes the code very difficult to write securely.
The most important advice regarding SQL injection I would give developers is to use bind variables (parametrized queries) in their applications. There are many frameworks out there that encourage such usage and developers should utilize them.