Go buy Take Control of Your Passwords

Joe Kissell, with whom I ‘work’ over at TidBITS, just published Take Control of Your Passwords. Joe asked me to review the book ahead of time, and it should be mandatory reading (no, I don’t get a cut – that’s my honest opinion). Joe covers the range of password issues I have ranted on before, then includes specific strategies for managing them. Many of you who read this site might not need the book, but I guarantee nearly everyone you know will get something out of it, even if they only read some sections. Seriously, it is extremely pragmatic and informative. Share:

Read Post

Bit9 Details Breach

Bit9 released more details of how they were hacked. The level of detail is excellent, and there seems to be minimal or no spin. There are a couple additional details it might be valuable to see (specifics of the SQL injection and how user accounts were compromised), but overall the post is clear, with a ton of specifics on some of what they are finding. More security vendors should be open and disclose with at least this level of detail. Especially since we know many of you cover up incidents. When we are eventually breached, I will strive to disclose all the technical details. I gave Bit9 some crap when the breach first happened (due to some of their earlier marketing), but I can’t fault how they are now opening up. Share:

Read Post

Looky here. Adaptive Authentication works…

It’s funny how some technologies fall out of the hype cycle and folks kind of forget about them. But that doesn’t mean these technologies don’t work any more. Au contraire, it usually means a technology works too well, and just isn’t exciting to talk about any more. Let’s take the case of adaptive authentication: using analytics to determine when to implement stronger authentication. It appears Google has started taking an adaptive approach to authentication for Gmail over the past 18 months: Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made. If a sign-in is deemed suspicious or risky for some reason–maybe it’s coming from a country oceans away from your last sign-in–we ask some simple questions about your account. Yeah, man. Not that a targeted attacker won’t have those answers based on some rudimentary recon. Obviously there are ways to beat this approach, but for run-of-the-mill attackers, more challenging authentication provides enough of a bar to get them looking elsewhere. Remember, these folks chase the path of least resistance, and there are tons of cloud-based email services to chase that don’t perform this kind of sophisticated analytics on authentication requests. And amazingly enough, it works. Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011. Good on Google. Maybe they are evil, but at least they are trying to improve security. Share:

Read Post

About the Security Blogger’s Meetup

Seven years ago I had recently started blogging and emailed a few other bloggers to see if we should get together at the RSA Conference. Some of these people I knew, many I didn’t, and I thought it would be fun to have face to face arguments with a beer in hand, instead of behind a keyboard (with a beer in hand). Very very quickly we received offers to sponsor, and we turned it into an actual invite-only event organized by myself, Martin McKeay, and Alan Shimel, with Jennifer Leggio doing, literally, all the hard work. This year I’m missing the event (and the Securosis Disaster Recovery Breakfast tomorrow morning) since my wife is about to have a baby. Maybe; these things seem somewhat unpredictable. A lot has changed about the Meetup. The RSA Conference itself is an official sponsor thanks to Jeanne Friedman. There is a waiting list for sponsors. And the number of attendees is now hitting a couple hundred, not the few dozen of that first year when we hopped cabs to a dodgy part of town for a nice dinner. We have entertainment, an effectively unlimited beverage budget, and the Social Security Awards. What hasn’t changed is what this event is all about, and based on feedback we are getting, a lot of people miss the point. The SBM is by security bloggers for security bloggers. This isn’t merely another RSA event that anyone can get into if they know the right person. The only people admitted, to the best of our ability to manage, are bloggers. No plus-ones, no friends, no marketing managers (even if they manage your blog). It doesn’t matter if you do a lot for the blogger community – you need to be a member of the community. That means someone who writes (or podcasts) and is a subject matter/technical expert (and yes, we use that term loosely) and contributes to the security community dialog. Your ticket is your name on a byline of a security blog (not a security company blog, depending on the content). Look, those of us running this thing for the past 7 years are volunteers. We do our best, and that means we sometimes make mistakes. But this isn’t run by a company or even the sponsors – it’s run by the handful of people who started it out of nowhere. We are going to make some changes next year. A bigger venue, some changes in sponsorship, and maybe a few other tweaks (like letting spouses in, which we can’t do this year due to capacity). But the one thing that won’t change is who this event is for, and why we hold it. It is the Security Blogger’s Meetup, and those words pretty clearly define the event. You can get into a lot of RSA parties based on who you know, but this one is based on what you do, and the choice is yours. Share:

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.