Yes, honeypots are new again

The Washington Post sort-of covers honeypots, but mixes in national security issues. But one paragraph is out of place, because the article doesn’t really cover strike-back: Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire – hackers who identify data as bogus may be all the more determined to target the company trying to con them. TL;DR: good guys are baiting systems with data, not just standing up honeypots. Then they can alert any time anyone touches the bait – there are a bunch of ways to do this. We talked a little about this last year. And yep, we are implementing it ourselves in a few places – no special security products needed. Don’t ask us where. Share:

Read Post

SSLpocalypse, part XXII

For the short version, read Rob Graham at Errata Security. Google detected someone attempting a man in the middle attack using a certificate issued in Turkey. TURKTRUST issued two subsidiary Certificate Authority certs which allowed whoever had them to sign any certificate they wanted, for any domain they wanted. Yes, this is how SSL works and it’s a big mess (I talked about it a little in 2011). Google likely detected this using DNS Pinning. Every version of Chrome checks any Google certificate against a list of legitimate Google certificates, which they build into Chrome itself. If there’s a mismatch, Chrome detects and can report it. Nice, eh? That’s why Rob says don’t mess with Google. You try to MitM any of their domains, and if any users run Chrome they are likely to find out. Everyone else (who can) should do this. Share:

Read Post

Responses to AV articles

Technewsdaily has an interesting follow up to yesterday’s NYT article on AV effectiveness, as we covered. I agree that using VirusTotal isn’t the best approach – far from it. But I have also heard AV-Test doesn’t use good criteria. I like the NSS Labs methodology myself, which shows higher numbers than Imperva, but much lower than most other tests. Their consumer report is free. and they also offer a companion report. But consumer products are often more different from enterprise versions than you might expect, and the tests weren’t against 0-day like the Imperva ones. These reports by NSS tested effectiveness against exploits using known vulnerabilities, rather than Imperva’s test of signature recognition of new virus variants. Apples and oranges, but I am generally more interested in exploit prevention than signature recognition. Share:

Read Post

Karmic Career Advancement

Levelling up in the real world. When you are looking out for the welfare of your organization instead of focusing on what you can get for yourself, that’s when you’ll be given the chance to do more and own more. Wendy provides some hard-earned career guidance on promotions. She presents a great list on what won’t get you promoted and what you shouldn’t do. Wendy talks about the hazards of being irreplaceable, but ultimately gets back to the real secret. It’s not about you. Yeah, it’s about karma, if you believe in that kind of stuff. Do the right thing for your organization without worrying much about how it will impact your pay or title, and good things will happen. Maybe not within that specific organization, as sometimes you’ll need to switch horses if there is nowhere to move. But the point is the same. Work consistently. Stop climbing over people on your way to the top. The big jobs can be overrated. But ultimately it’s about doing the right stuff, consistently. I talked about that in yesterday’s Incite. But I will mention one key aspect of career planning. Be careful what you wish for. Don’t be ashamed if your boss’s job is not interesting to you. That’s okay. What’s not okay is to accept a promotion or added responsibility that will make you unhappy. You’ll suck at the new job. You will become the problem. You’ll be moved out. That’s the anti-promotion. So if you like what you do, then do that. Live your life without regret. Share:

Read Post

Friday Summary: January 3, 2013

2013?!? WTF?!?! I have this time dilation theory of aging. The older you get, the smaller a as a fraction of your existence each year is, so the shorter it feels. I don’t like it. Anyway, another year down, another at bat. We had a hell of a good year for the company (I’d give a growth number, but we make fun of all the other private companies for doing that), and other than illness I can’t complain about my personal year. A few weeks ago we finished up our Securosis 2013 planning, and things are looking really interesting. A lot has changed since I started this blog company, and we try to evolve with the times. The biggest change you are likely to notice is the pace and nature of our blogging. We are trying to do more linked-list style posts, which include a link or three and some short exposition. The idea is to push more of them out daily, instead of saving everything up for the Incite and Summary. This won’t affect our bigger posts – we’ll still do those – but we realized that when we are busy or working on big projects we fall back to little more than the monster posts that build research projects, and less of the lighter daily posts. We realized you don’t need 1,000 words on everything we cover, and a few sentences can cover lots of it. Some days you might see 10 posts, others you might see none – it all depends on what we are up to. This is an experiment, and we definitely need your feedback. A ton of you are on our daily email list (more than I thought) and since those compile all our posts, that mail might make a good once-a-day every morning – you can sign up. We are also now tweeting all blog content at the @securosis account, and only pushing bigger stuff through our personal accounts. Personally, I realized the blogs I tend to read daily are mostly composed of shorter posts highlighting interesting things I can dig into if I want, and we want to bring more of that flavor to We are also looking at playing more with short video and maybe even audio content, but we are holding off on other changes while we work out the blog posting and pacing first. Finally, we have a ton more coming up this year. The Nexus launch is going to happen, for real, and we learned a ton in the beta test, which has driven many adjustments. It’s definitely time to ship that puppy. We are also looking at providing more end-user advisory services, but we don’t want to hire any sales execs so that will all be opportunistic. Additionally, our agendas are firming up nicely, and you will hear more on that soon. We weirdly think we can pull all this off with our little cadre of folks. Silly us. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading Post on Database Threats and Countermeasures. Rich’s excellent TidBITS post on Apple’s Security Efforts in 2012. Adrian’s Dark Reading post on Big Data Security Recommendations. Favorite Securosis Posts Mike Rothman: Best Post of 2012: Inflection. As we enter 2013, I wanted to point to probably the best piece we did in 2012, at least IMO. That’s Rich’s Inflection post. Things are always changing, and if you don’t see the change coming you can get steamrollered. Read this. Then read it again. And see whether you’ll see 2013 from the undercarriage of the bus that’s about to run you over. Or not. Mike Rothman: The CloudSec Chicken or the DevOps Egg. I had a very similar conversation regarding the impact of SDN on network security this week. It’s hard to balance being ahead of the market and showing so-called thought leadership against building something the market won’t like. Most of the network security players are waiting for VMWare to define the interfaces and interactions before they commit to much of anything. Adrian Lane: Can we effectively monitor big data?. Yes, it’s my post, but I think DAM needs re-engineering to accommodate big data. Other Securosis Posts Yes, honeypots are new again. SSLpocalypse, part XXII. Responses to AV articles. Karmic Career Advancement. Incite 1/2/13: Consistent Variety. Threatpost: What Have We Learned in 2012. The New York Times on Antivirus. Favorite Outside Posts Adrian Lane: A Pickpocket’s Tale. The use of diversion and control of the subject’s attention is the key ingredient. Fascinating story. Mike Rothman: How to Live Without Regret in 2013. It’s a new year. Folks take time to reset. But are you moving in the right direction? Interesting food for thought here… Mike Rothman: Why Collect Full Content Data? Rich: Stephen Haywood on SSH issues. With PoC code, while still debunking the hype. Excellent. James Arlen: The process myth. Incredibly useful way of thinking about process for Infosec folks. Research Reports and Presentations Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Pragmatic WAF Management: Giving Web Apps a Fighting Chance. Understanding and Selecting Data Masking Solutions. Top News and Posts Does Your Alarm Have a Default Duress Code? How PCI Standards Will Really Die. Enhancing Certificate Security. Dell acquires Credant Technologies. Cloudpassage adds file integrity monitoring for cloud servers. Someone totally should have patented that FIM stuff. Blog Comment of the Week This week’s best comment goes to our friend Jack Daniels, in response to The New York Times on Antivirus. Amazing, next the NYT will discover newspapers are largely obsolete, too. Or maybe we’ll have to read that new flash on an anti-virus company’s blog to even things up. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.