Securosis

Research

Oracle Patches Java. Again.

What’s the over/under on this one working? Mac users – this means XProtect won’t block it in your web browser, so if you don’t want it active be careful. I actually feel bad for the team that has to clean Java up. I’d hate to be in that mess. Share:

Share:
Read Post

Apple blocks vulnerable Java plugin

Apple uses XProtect to block the Java browser plugin due to security concerns. Draconian, but a good move, I think. Still, they should have notified users better for the ones who need Java in the browser (whoever that may be). You can still manually enable it to run if you need to. This doesn’t block Java itself, just the browser plugin. If complaint levels stay low, it indicates how few people use Java in the browser, and will empower Apple to make similar moves in the future. Share:

Share:
Read Post

A New Kind of Commodity Hardware

I was driving down the road the other day when I passed what I thought was a shipping container on the back of an 18-wheel truck. When I noticed data and power ports on the side, I realized it was a giant data center processing module. Supercomputing on wheels. Four trucks with two modules per truck, rolling down the highway. Inside reside thousands of stripped down motherboards stacked with tons of memory, packed side by side. Some of these are even designed to be filled with dielectric fluid to keep them cool. If you have not seen these things up close and personal, check out the latest article on Microsoft’s new data center When Microsoft wants to quickly ramp up a new data center, it can move dirt, pour a foundation, and build one of the most boring buildings you’ve ever seen. Or it can load up a few of its custom-designed data center modules onto a truck and drop them on the site. One of the key concepts behind big data is the realization that sometimes it’s cheaper to move computing to the data, rather than moving data to the processors. In that way you use any computing power that’s logically nearby. And there is a similar trend with data centers – in this case physically adjust location to your needs. Raw processing power. Modular. Mobile. In the event that a data center site gets flooded by a hurricane, you back up the truck, plug in a generator, and you’re back on line. It can be much for enterprises to buy a crate of computing than to provision a traditional data center. Share:

Share:
Read Post

Pointing fingers is misleading (and stupid)

Everyone is all fired up that the APT is now targeting major media companies. Rich covered that in yesterday’s post, and now it seems the Wall Street Journal was also targeted by similar tactics The Wall Street Journal said its computer systems had been infiltrated by Chinese hackers for the apparent purpose of monitoring the newspaper’s China coverage. This is shocking why? Brazen, yes. Predictable, yes. Surprising? Not in the least. But that’s neither here nor there. What annoyed me about the NYT story was pointing the finger squarely and exclusively at Symantec. And their partner in slime, Mandiant, seemingly blaming the breach on the inability of their AV engine to catch the attacks. This is bush league and clear misdirection. I am not saying, in any way, that Symantec’s failure wasn’t the main cause of this breach. But I don’t know they were either. We don’t know the answers to a few fairly important questions, including what version of Symantec AV was running at the time of compromise? If they were using SEP 10 this result isn’t surprising. That product stunk and SYMC acknowledges that. It’s like blaming Microsoft for a breach because Windows XP got compromised. That would have been fine in 2003, but now? Come on, man! If the enterprise isn’t taking advantage of modern protection, how can they expect to defend against modern attacks? Before we can credibly place blame we need to know more. What operating system was in play? Was it fully patched? How was it configured? What other defenses were in place on the endpoints? The questions go on and on. We don’t know enough to point the finger. And if these devices weren’t taking advantage of the latest versions of pretty much everything, then the issue rests more on the NYT than on a security vendor. At least in my opinion. But what fun is that, right? It’s much easier to play into the same old story about how AV sucks. But no endpoint product is going to stop a 0day targeting crappy software (yes, Oracle and Adobe, I’m looking at you). Not 100% of the time anyway. And all the attackers needed to do was compromise one device, and then they owned the environment. OK, I’ll get off my soapbox now. Just to make sure we’re clear, I’m not saying Symantec is free of blame here. But I know there are a bunch of other folks who should have the finger of accountability pointing at them, starting with the NYT security team. Share:

Share:
Read Post

Twitter Hacked

Twitter announced this evening that some 250k user accounts were compromised. This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users. Passwords and session tokens were reset to contain the problem. It is likely that personal information, including direct messages, were exposed. The post asks users to use strong passwords of at least 10 characters, and requests that they disable Java in the browser, which together provide a pretty fair indication of how the attacks were conducted. Disable Java in the browser – where have you heard that before? We will update this post as we learn more. Update by Rich: Adrian and I both posted this within minutes. Here is my comment: Also from the post: This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users. Twitter has a hell of a good security team with some serious firepower, including Charlie Miller. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.