Research

We’ve got people flying in from other states and I’m even getting a haircut! Tonight at 6pm at Furio in Scottsdale we’re reviving that most noble of institutions- security geeks hanging out, drinking, and lying about their l33t skilz. CitySec meetups are informal gatherings of anyone interested in security. We hang out, drink, and talk amongst ourselves. No presentations, no speakers; just a chance for local people to connect. You don’t need to be a full-time security geek to show up (that means you Tom, don’t make me taunt you). Happy Hour runs until 7 and that’s when they serve the normal food (gets a little Scottsdale-snobby after that). Drinks run all night, and the first round is on Securosis. Cya there, and email or IM me if you want my cell number in case you get lost… Share:

Bruce Schneier is one of the more venerated figures in the information security world, and rightfully so. But reading his article in Wired today, I think he might want to stick to encryption. (I know and like Bruce, so this isn’t a personal attack.) Bruce has long bragged that he runs a totally open home wireless network. He considers it a kind of “pay it forward” charity. I love open WiFi and don’t have a problem with free access. Someday I might even open up part of my own network, although it’s probably not worth it considering where I live. Bruce breaks the potential security risks down into two categories: Somebody abusing his network for illegal activity- spam, file sharing, attacking other systems, and so on. Connecting to his network and attacking his home systems. He evaluates these risks as acceptable: Odds are a bad guy will use one of the five open, anonymous coffee shops down the street rather than parking in front of his house for (probably) hours on end. By saying that he instantly guarantees that some prankster will park their VW van out front and spam everyone from “Bruce Schneier’s House”. Perhaps not, but he does accurately outline the potential legal risks. In his own words, “I’m also unmoved by those who say I’m putting my own data at risk, because hackers might park in front of my house, log on to my open network and eavesdrop on my internet traffic or break into my computers. This is true, but my computers are much more at risk when I use them on wireless networks in airports, coffee shops and other public places. If I configure my computer to be secure regardless of the network it’s on, then it simply doesn’t matter. And if my computer isn’t secure on a public network, securing my own network isn’t going to reduce my risk very much.” While these risks might be acceptable to Bruce, I don’t recommend them for anyone else, including myself. Depending on population density, your risk of abuse of an open network may be higher. I could open part of my network in my current location without much worry, but I’ve previously lived in places where the pedophile living below me would take advantage of an open network. That’s not an exaggeration- for most of the time I lived in a particular condo in Boulder the person below me was known for risky activity. Never convicted, but concerning enough I sure as hell wouldn’t want him on my network. The risk of the RIAA going after you might also be higher if you live someplace with enough close neighbors that it’s worth someone’s effort to use your network to mask their activity. It’s a low risk for me where I am now, but has been high in the past. Very few people have the skills to secure their home network to the same degree as Bruce. I also suspect his network wouldn’t withstand a penetration test by a determined attacker. My home network is very secure; all systems are patched, firewalls turned on, and trust relationships are minimal. That said, I know I could crack it. I don’t encrypt all traffic (wireless is all WPA2 though) and I have some open file shares. Why? Because it’s “secure enough” for my home, and anything that leaves the walls and connects through the public Internet is totally locked down. In some cases, thanks to my consumer devices, I’m limited in the amount of security I can apply. I wouldn’t make a big deal out of this, but Bruce is a role model to those interested in security. I can guarantee at least a few people will open up their networks to emulate Bruce, and be the worse for wear because of it. He also mentions the risk of violating his ISP’s terms of service: Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn’t a big risk either. The worst that will happen to you is that you’ll have to find a new ISP. To give the press quote, if Bruce is doing this himself it looks like he has appropriately evaluated his personal risks and they are within his personal tolerance. If he’s recommending this to others, that’s just plain stupid. I’ve thought about opening my own access up via a separate, segregated segment, but it’s not worth the effort since almost no one around me would need it. Don’t follow Bruce’s example- he’s an industry pundit making a point. If you want to open up your wireless network, and are comfortable violating the terms of agreement with your ISP, please use a well-segregated open access point. Don’t just let anyone wander around and see what’s on your TiVo (since all TiVos have an open web server you can’t lock down without hacking, it ain’t that unusual a risk). Oh, and the Chuck Norris thing? Share:

I hate it when Farnum scoops me on my own presentation. On January 22nd I’m giving a live webcast on DLP. The topic is Demystifying Data Loss Prevention, and I’ll be covering everything from defining DLP, through the top features to look for, to running the selection process. The webcast is sponsored by Websense, but is my usual objective content. You can register for it here. I believe there will be live Q&A; if not I’ll set up a side-channel chat room for questions. There is more disinformation and weirdness regarding DLP than in any other market I’ve covered. This is your chance to stop by, hear what I think, and ask questions without having to hop on an airplane or pay my ridiculously high consulting rates. Share:

Updated : Forgot to list the date, it’s January 25th. Update 2 : Fixed stupid mistake in mailto link. Bad ex-web programmer. Bad! I must be the [edited] of webcasting or something. Considering I get paid for these you could probably use another word, but this is a family friendly blog. ZDNet has opened registration for my webcast on database security. As mentioned before, this one is designed to walk the line between DBAs and security admins- taking 5 key recommendations and giving actionable advice for each audience. It’s sponsored by Oracle. Since I want to make sure this one is really on target, if you are either a DBA interested in security, or a security admin interested in databases, drop me a line and I’ll send you a draft for review. I have a couple people taking a look already, but I’d like some input from people dealing with day to day operational issues. Just email me at rmogull@securosis.com. Here’s the full description of the event: The spotlight on database security and increasing demands for regulatory compliance require DBAs and security professionals to work more closely than ever before – both integrating and separating job duties. Security and database teams are being challenged to learn at least SOME of the skills of each other’s domains while applying these principles practically to achieve compliance and keep out the bad (and even some not-so-bad) guys. Join us for this informative eSeminar with useful information for both database and security professionals, where long-time database security industry expert Rich Mogull will highlight the top five recommendations for database security and compliance in this new year. Featured topics will include: Segregation of Duties for DBA and Security Pro alike Database Vulnerability Configuration Management Auditing and Activity Monitoring See how your resolutions for ‘08 compare with our experts – and bring your questions for the Q&A session following the presentation. Register now to ensure your spot at this important event. < p style=”text-align:right;font-size:10px;”>Technorati Tags: Database Security, Oracle, Separation of Duties, Webcast Share: