Friday

Friday Summary- January 23, 2009

By Rich

Warning- today's introduction includes my political views.

History

Whatever your political persuasion, there's no denying the magnitude of this week. While we are far from eliminating racism and bias in this country, or the world at large, we passed an incredibly significant milestone in civil rights. My (pregnant) wife and I were sitting on the couch, watching a replay of President Obama's speech, when she turned to me and said, "you know, our child will never know a world where we didn't have a black president".

Change

One thing I think we here in the US forget is just how much we change with the transition to each new administration, especially when control changes hands between parties. We see it as the usual continuity of progress, but it's very different to the outside world. In my travels to other countries I'm amazed at their amazement at just how quickly we, as a nation, flip and flop. In the matter of a day our approach to foreign policy completely changes- never mind domestic affairs. We have an ability to completely remake ourselves to the world. It's a hell of a strategic advantage, when you really think about it.

In a matter of 3 days we're seeing some of the most material change since the days of Nixon. Our government is reopening, restoring ethical boundaries, and reintroducing itself to the world.

Faith

When Bush was elected in 2000 I was fairly depressed. He seemed so lacking in capacity I couldn't understand his victory. Then, after 9/11, I felt like I was living in a different country. An angry country, that no longer respected diversity of belief or tolerance. A country where abuse of power and disdain for facts and transparency became the rule of our executive branch, if not (immediately) the rule of law.

I was in Moscow during the election and was elated when Obama won, despite the almost surreal experience of being in a rival nation. When I watched the inauguration I felt, for the first time in many years, that I again lived in the country I thought I grew up in- my faith restored.

Talking with my friends of all political persuasions, it's clear that this is also a transition of values. Transparency is back; something sorely lacking from both the public and private sector for far longer than Bush was in office. Accountability and sacrifice are creeping their heads over the wall. And lurking along the edges of the dark clouds above us is self sacrifice and unity of purpose. I'm excited. I'm excited more about what this mean to our daily and professional lives than just our governance. Will my hopes be dashed by reality? Probably, but I'd rather plunge in head first than cower at home, shopping off Amazon.

Oh- and there was like this really huge security breach this week, some worm is running rampant and taking over all our computers, and some idiots keep downloading pirated software with a Mac trojan.

Here is the week's security summary:

Webcasts, Podcasts, Outside Writing, and Conferences:

• Martin and I talk a bit about all sorts of things- including Obama's tech agenda, on The Network Security Podcast. I seem to run off on 3 separate rants.
• I wrote up the Heartland data breach for Dark Reading.
• I did a few interviews on the breach, including the MIT Technology Review, SearchSecurity, and SC Magazine.

Favorite Securosis Posts:

• Rich: My Heartland post, because it got Slashdotted.
• Adrian: Perhaps it is the contrarian in me, but my favorite post is The Business Justification for Data Security. There is a lot of information here.

Favorite Outside Posts:

• Adrian: Hoff's ruminating on Cloud security of Core services. The series of posts has been interesting. I follow many of these blog posts made on dozens of different web sites, but only for the occasionally humorous debate. Not because I care about the nuts and bolts of how Cloud computing will work, how we define it, or where it is going. The CIO in me loves the thought of minimal risk for trying & adopting software and services. I am interested in the flexibility of adoption. I do not need to perform rigorous evaluations of hardware, software, and environmental considerations- just determine how it meets my business needs, how easy is it to use, and does the pricing model work for me. After a while if I don't like it, I switch. Stickiness is no longer an investment issue, but a contract issue. And I am only afraid of these services not being in my core if I run out of choices in the vendor community. I know there are a lot more things I do need to consider, and I cannot assume 100% divestiture of responsibilities for compliance and whatnot, but wow, the perception of risk reduction in platform selection drops so much that I am likely to jump forward without a full understanding of other risks I may inherit because of these percieved benefits. Not that it's ideal, but it is likely.
• Rich: Sharon on Wwll the Real PII Stand Up? He raises a great issue that there are a bunch of definitions of PII in different contexts, and an increasingly complex regulatory environment with multiple standards.

Top News and Posts:

• Barack Obama's inauguration stopped all activity at Securosis as Adrian came over to watch for a couple hours. His speech is worth a reread even if you watched it live.
• A lot of trusted websites are serving malware.
• The NSA spied on everyone. Except you, of course- you're too boring.
• Conficker worm bad. I thought you Windows users figured out that patching thing? Actually, I highly suspect the infection numbers are inflated.

Blog Comment of the Week:

We didn't post much, but the comments were great this week. Merchantgrl on the Heartland Breach post:

They were breached a while ago and they just happened to pick that day to finally announce it?

Several people have brought up the Trustwave audit of April 2008. To be compliant, they need 'REGULAR' testing. https://www.pcisecuritystandards.org/securitystandards/pcidss.shtml

Requirement 11: Regularly test security systems and processes. What was there schedule for testing? audits?

Rafal is right- the financial implications are huge. Given the magnitude, and the lack of information being released on their new 2008breach.com site, it makes you wonder.

–Rich

Friday Summary: The 2008 Finale- 12-19-2008

By Rich

This will be our last Friday Summary for 2008. This afternoon Adrian and I are off to The Office for our Securosis Annual Staff Festivus Party (sorry Chris, but we can drunk dial you if that makes you feel included).

2008 has been an incredibly wild ride. When it started I was just a solo consultant that wasn’t even calling myself an analyst anymore, and wasn’t certain where I wanted to take things. In January I ran a half marathon on a bad knee that mysteriously felt better after the race, but in February I went in for shoulder surgery that I’m still struggling to recover from. Over the summer, Adrian joined Securosis and we moved firmly back into the analyst column. As the year closes we’ve published a ton of free content, multiple vendor-neutral whitepapers, spoken at everything from RSA, to SOURCE Boston, to DefCon, and a few TechTarget and MISTI events (including a show in Moscow), given over a dozen webcasts, and, to be honest, had a heck of a lot of fun in the process. We’ve written articles for everyone from Macworld to Dark Reading, been interviewed by… well, pretty much everyone else, and enjoyed more than a few frothy beverages with our industry friends. For two skinny guys (and a part-time editor/UNIX guru, also skinny) running a small company we really couldn’t have asked for more. We’ve decided to give back, and we’ll announce more on that next week.

And 2009 is looking even crazier. In February we’ll be adding a new staff member, the exact date, gender, length, and weight are still undetermined (if he or she is over 8 lbs, my wife might kill me). We’re also completely redesigning our website as we continue to expand things a bit. This site started as just my personal blog, and as we keep pumping out content it isn’t nearly as well suited as it was at the beginning. The blog won’t change, but we’re going to make content more accessible and start loading up new kinds of materials- like videos of our conference presentations.

We’re also really going to push forward with the ideas of totally transparent and open research. We’re not idiots, and we don’t intend on competing with Gartner, Forrester, and the other large firms, but we still love what we do and think there’s plenty of room for us little guys (and our combined weight is pretty low, not that that’s relevant). We have more flexibility than they do, and you can expect no bullshit research that’s focused on in-depth, practical advice to help you with specific projects. We already have two programs planned- Pragmatic PCI, and Pragmatic Database Security (we’ll have to charge for those, since we have to keep the dogs, cats, and other little ones fed). Finally, we have some new media, social media, and community stuff in the works.

Okay- I realize that all sounded like marketing junk, but I think we’re allowed to be excited about what we’ve done, and what we have planned, from time to time. We are incredibly thankful for the opportunities and support you’ve all given us. And as a preview, here’s the official premier of our new logo (it will look better on the new site template): Have a wonderful holiday season. We’ll be reducing our posting volume a bit over the holidays, but stay tuned for the end of our web application series and a few other treats.

Here is the week’s security summary:

Webcasts, Podcasts, Outside Writing, and Conferences:

• The Network Security Podcast is a little shorter this week as we finish off the year. As an aside, Martin and I would like to apologize for our recent audio difficulties. We narrowed it down to a bad sound card on Martin’s side, and are changing our recording process for higher quality (we’ll be moving to double-ended recording).
• Via NetworkWorld, I gave a webcast for Oracle on Database Security for Security Professionals. It targets security pros who may be new to databases, and the replay is available here.
• I talked with Forbes about antivirus scanners.
• I debunked some FUD by Bit9 on automatic software updates in enterprises for LinuxInsider. IT departments can turn them off, so I don’t see what the problem is.
• Adrian talked database security with eWeek.
• Adrian on log management for internetnews.com.
• Someone named Adrian Lane is into otters. It’s the UK, so probably a different guy, but we’ll take all the press we can get.

Favorite Securosis Posts:

• Rich: Part 6 of our Building a Web Application Security Program. We really want to get this series (and the eventual paper) right, so any feedback, comments, and (especially) criticisms are very much appreciated.
• Adrian: While my practical experience has come to the same set of conclusions, finding meaning is groups of anonymous statistical patterns to justify database security is a black art I don’t care to dabble in.

Favorite Outside Posts:

{Adrian editorial}- I have been following the series of posts between Alan Shimmel and Andy the IT Guy (links below). They are touching on the very heart of the sales process and common friction between the IT gatekeeper and the salesman. But I thought they both danced around the key point. The sales guy is doing his job by pushing as hard as he can to get the deal done without pissing everyone off to the point the organization gets fed up and will no longer work with you. A good sales guy knows there is always a deal if they can overcome objections (price, support, consultative assistance, etc) because they would not be talking if the need was not there. However buyers buy from people they know, like, and trust, and trampling the gatekeeper is a good way to make enemies. Alan’s comment “Try putting yourself in the other’s shoes to better understand what is involved. Common courtesy and respect would be a good place to start” cuts both ways. Seems to me the sales guy failed to build proper relations before making the ‘hail-Mary’ sales pitch. -Adrian

• Adrian: Humorous series of posts between Shimmel and Andy the IT Guy.
• Rich: Layer 8 on planning your security for 2009. Really great practical advice.

Top News and Posts:

• Looks like automakers will get a bail-out after all.
• Microsoft’s out-of-cycle IE patch.
• Practical advice on dealing with botnets … even if your legal team disavows any such possibility.
• RIAA is finally killing off their incredibly stupid strategy of suing individual file sharers.
• Jeremiah on web application security and history. He’s going to out-analyst us if he keeps this up. Come on Jer, we need to feed our kids too!
• Microsoft releases their Anti-XSS library for .Net. This is a far bigger deal than I think most people realize, and hasn’t been picked up by the press yet.
• My friends, for $20 you could have owned a former McCain campaign Blackberry… with all the contacts. Joe the Plumber’s phone must be ringing off the hook!

Blog Comment of the Week:

EB on Part 6 of our Building a Web Application Security Program:
One piece I thought I would mention under your “Penetration Testing” subheading (which you may have been implying) is the risk of linking vulnerabilities. For example, while one SQL injection flaw may not reveal sensitive information (PII, cc#), it could reveal usernames, password hints, or a list of database tables that may seem trivial at the time; however, as the penetration test continues, and more ‘tidbits’ of information are discovered, it could lead to retrieval of sensitive information. For example, retrieving a list of user accounts and noting that the application requires weak passwords could lead to a valid, authenticated user session by the penetration tester. Another example is vulnerability retrieves a spreadsheet of employees’ last 4 digits of their SSN which can also be used to reset a user’s password on the application. The examples can go on and on…

Linking of vulnerabilities and the ability to assess the application as a whole is a quality that companies should ensure, if a third-party is engaged, will perform.

–Rich

Friday Summary: Happy Halloween!

By Rich

Man, I love Halloween; it is the ultimate hacker holiday. When else do we have an excuse to build home animatronics, scare the pants off people, and pretend to be someone else (outside of a penetration test)? Last year I built something I called "The Hanging Man" using a microcontroller, some windshield wiper motors, wireless sensors, my (basic) home automation system, and streaming audio. When trick or treaters walked up to the house it would trigger a sensor, black out the front of the house, spotlight a hooded pirate hanging from a gallows, push out some audio of a screaming guy, drop him 15 feet so he was right over the visitors, and then slowly hoist him back up for the next group.

This year Adrian and I were pretty slammed so I not only didn't build anything new, I barely managed to pull the old stuff out. Heck, both of us have big parties, but due to overlapping travel we can't even make it to each other's events. But next year... next year I have plans. Diabolical plans...

It was a relatively quiet week on the security front, with no major disasters or announcements. On the election front we're already hearing reports of various voting machine failures, and some states are looking at pulling them altogether. Personally, I stick with mail in ballots. This year election day will be a bit surreal since I'll be in Moscow for a speaking engagement, and likely won't stay up to see who won (or whose lawyers start attacking first). While I'm in Moscow, Adrian will be speaking on the Information Centric Security Lifecycle in Chicago for the Information Security Magazine/TechTarget Information Security Decisions conference. I'm a bit sad I won't be up there to see everyone, but it was impossible to turn down a trip to Moscow.

So don't forget to vote, please don't hack the vote, and hopefully I won't be kidnapped by the Russian Mafia next week...

Webcasts, Podcasts, and Conferences:

• The Network Security Podcast, Episode 125. David Mortman joins us to talk about his new gig at Debix and a recent study they released on identity theft and children.
• I posted a pre-release draft of my next Dark Reading column The Security Pro's Guide to Thriving in a Down Economy up on the Hackers for Charity Informer site. This is a subscription site many of us are supporting with exclusive and early content to help generate funds for HFC. And by posting, I helped feed a child in an underdeveloped country for a month...

Favorite Securosis Posts:

• Rich: The Five Stage of Cloud Computing Grief. Seriously, this cloud stuff is getting over the top.
• Adrian: Seems that the people behind Arizona proposition 200 should be hauled in front of the FTC for misleading advertising; this is the most grotesque example I have seen on a state ballot measure.

Favorite Outside Posts:

• Adrian: The Hoff has been on a roll lately, but the post that caught my attention was his discussion of the security and compliance shell game of avoidance through SaaS and 'Cloud' services. I mean, it doesn't count if my sensitive data is in the cloud, right?
• Rich: Martin asks a simple and profound question. What the hell are you doing with those credit card numbers in the first place?!? (He used nicer words, but you get the point).

Top News:

• What a shock, there's a worm taking advantage of last week's RPC flaw in Microsoft Windows.
• ICANN is going after a fraud-supporting domain name registrar in Estonia. Heck, I think we should go after criminal hosts more often.
• Maryland and Virginia are dropping electronic voting and going back to paper.
• Amrit on the 10th anniversary of the Digital Millennium Copyright Act. The DMCA has done more to stifle our rights than to actually protect content. On the positive side, the DMCA has actually somewhat helped website operators and hosts by offering some protection when they host infringing materials, since they have to respond to takedown notices, but aren't otherwise penalized.
• A Facebook worm uses Google to get around Facebook security. Most of these sites are a mess because preventing user generated content from abusing other users is a very hard problem. Even when they bother to try.
• More voting machine idiocy. And here. Look folks, it isn't like we don't know how to manage these things. Walk into any casino and you'll see highly secure interactive systems. Can you imagine how much fun Vegas would be if they treated the slots like we treat voting machines?

Blog Comment of the Week:

Dryden on The Five Stages of Cloud Computing Grief:

My version:

Denial: We can"t secure the cloud.

Anger: Why the f&*k is my CIO telling me to secure the cloud?

Bargaining: Can you please just tell me how you think we can secure the cloud?Depression: They"re deploying the cloud.Acceptance: We can"t secure the cloud.

Disclaimer: "Cloud" can be replace with virtually (pun intended) any technology.

See you all in 2 weeks...

–Rich