Securosis

Socially engineering (trading) bots

It probably went unnoticed by most of the security community, but yet another Twitter hack this week exposed more flaws in high-frequency trading systems. When someone took control of the Associated Press Twitter account and injected a fake news announcement that bombs had exploded in the White House, many people (unsurprisingly) believed the tweet without attempting to verify it. That 140-character message sent the stock market down in a “flash crash” – 140 points in a matter of minutes. From CNN Money:

    One scary – and false – tweet, and the Dow quickly plunged 140 points, or roughly 1%. Many are pointing fingers at high speed trading by computers for the swift decline. The Dow quickly bounced back. The sharp sell-off highlights just how disruptive computer-driven high-frequency trading can be. The S&P 500 lost $121 billion of its value within minutes. High-speed computer trading accounts for roughly 50% of all trading. That’s down slightly from a few years ago, but traders on the ground say it feels more dominant. And mini flash crashes have become an all too familiar daily occurrence.

Those of you who set limit orders on stocks at below-market prices have been the unintended beneficiaries of some briefly well-priced stocks. A simple compromise of an outdated identity management system was leveraged for social engineering, which in turn triggered a domino effect across automated trading systems, which moved the whole stock market twice – the drop and the rebound. The perpetrators have not been identified, so it is not clear whether it was just for the lulz, but they certainly had an impact. The BATS exchange spokesperson who called this a non-issue is way off the mark – it is clear that both Twitter’s identity management and trading bot logic need serious reworking.
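As an added illustration of the corroboration step the post says trading bot logic lacks (this is example code, not anything from Securosis, Twitter or an exchange; the wire names, topics, timestamps and severities are all constructed), here is a small signal gate that refuses to act automatically on a market-moving claim until independent publishers confirm it, and that does not let a single account corroborate itself by reposting:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    source: str     # publishing account; the names used below are constructed
    topic: str      # normalized event key produced by an upstream classifier
    ts: float       # unix time the message was seen
    severity: int   # 1 (minor) .. 5 (market-moving)


def gate(signals, now, window=120.0, min_sources=2, corroborate_from=3):
    """Return {topic: 'act' | 'review'} for signals seen within `window` seconds.

    A market-moving claim (severity >= corroborate_from) triggers automated
    action only when at least `min_sources` distinct publishers report the
    same topic; repeats from one account count once, so a hijacked account
    cannot corroborate itself. Otherwise the topic goes to human review.
    Low-severity topics pass straight through because a wrong call there
    costs little.
    """
    sources = defaultdict(set)
    worst = defaultdict(int)
    for s in signals:
        if now - s.ts > window:          # stale: drop it entirely
            continue
        sources[s.topic].add(s.source)
        worst[s.topic] = max(worst[s.topic], s.severity)

    decisions = {}
    for topic, srcs in sources.items():
        if worst[topic] >= corroborate_from and len(srcs) < min_sources:
            decisions[topic] = "review"
        else:
            decisions[topic] = "act"
    return decisions


def sample_feed():
    """Constructed feed: one uncorroborated bombshell (posted twice by the same
    account), one story confirmed by two wires, one minor item, one stale item."""
    return [
        Signal("wire_a", "explosions_at_white_house", ts=190.0, severity=5),
        Signal("wire_a", "explosions_at_white_house", ts=195.0, severity=5),
        Signal("wire_a", "rate_decision", ts=150.0, severity=4),
        Signal("wire_b", "rate_decision", ts=160.0, severity=4),
        Signal("wire_c", "earnings_beat_smallcap", ts=170.0, severity=1),
        Signal("wire_b", "old_merger_rumor", ts=10.0, severity=5),
    ]
```

Running `gate(sample_feed(), now=200.0)` sends the single-account bombshell to review, acts on the two-wire rate story and the minor item, and ignores the stale rumor.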

Friday Summary, April 26, 2013: Birthday Edition

On March 13th I received a birthday card. It was from my Dad. It was a nice card, it was clear he had put some thought into the card selection, and I was genuinely swayed by his thoughtful memento. On the Ides of March I received a birthday card from my grandmother. Another nice card, and it was thoughtful that she remembered my birthday. Two weeks later a birthday gift arrived from my mother. Not for me, mind you, but for my wife. It was a beautiful gift, obviously expensive, and again a superbly wonderful gesture. We don’t get to keep in close contact, so I was both surprised and appreciative. April 1st a gift card arrived, this time for me, again from my mom. There is not much to this story unless you know a couple of additional facts. First, all three of the aforementioned blood relatives live under the same roof. Second, my birthday is in April; this week, in fact. My wife’s is another month away. And they have not sent my wife a birthday gift in, well, at least 20 years. As it is with human nature, gifts and cards arriving on seemingly random dates make you wonder what’s up. You question motivation. Are they OK? And for the first time I started to worry about my parents’ health and well-being. Were they forgetting the date? Did they know what date it was? Jokingly my wife has said ‘Happy Birthday’ to me each day since March 13th. To make a long story short, a phone call cleared up the situation and all is well. I think that my parents just happened to find gifts they liked and sent them, dates be damned. Which is what you do when you think the person will really like the gift and you can’t wait to give it to them. Given my profession – it’s certainly not a job – where segregation between work and … well, that’s the point. My life and my work are not separate. The two are fully merged. There is no such thing as a work day, and there is no such thing as a day off.
I work weekends, I don’t really do vacations, but on the plus side I do try to make the best of every day. When I want to do something I do it, and adjust work/life accordingly. All of which makes me realize that the gifts and cards from my relatives were nice, but I was ambivalent. But the idea that a specific date did not matter struck me as profound. Why limit your ability to celebrate? In that spirit I decided, what the heck, my birthday would not be a single day. I decided I would declare the entire week birthday week, and do one fun birthday-related event every day. Birthday cake each and every day. Over-the-top dinner each night. One outing every day. One thing I have wanted to accomplish every day this week. And because work/life does not go away, each day I have averaged 4-5 hours of work, as evidenced by my writing this post, and why a couple of you got wine-infused replies to various emails and phone calls last night (you know who you are). The experiment is thus far a success, and each day offered extra time away from the computer to have some fun. This is working so well that I will do it every year going forward. Happy Birthweek!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Adrian’s Dark Reading post on Database Blocking.

Favorite Securosis Posts

  • Adrian Lane: How to Use the 2013 Verizon Data Breach Investigations Report. Rich has put a lot of thought into his analysis and offers a unique perspective.
  • David Mortman: Big Data Security Jazz.
  • Mike Rothman: CipherCloud Loses Argument with Internet.
  • Rich: Teaching Updated Cloud Security Class at Black Hat USA. Jamie and I are working on added material to make the class truly worthy of Black Hat.

Other Securosis Posts

  • Incite 4/24/2013: F Perfect. Question everything, including the data.
  • The CISO’s Guide to Advanced Attackers: Verify the Alert.
  • Security Analytics with Big Data [New Series].
  • The CISO’s Guide to Advanced Attackers: Mining for Indicators.
  • Token Vaults and Token Storage Tradeoffs.
  • No news is just plain good: Friday Summary, April 18, 2013.

Favorite Outside Posts

  • David Mortman: Cryptography is a systems problem (or) ‘Should we deploy TLS’.
  • Adrian Lane: Why You Should Overload WebSite Errors. Are you paying attention, developers? This is not security through obscurity – it’s about not handing data to adversaries so they can hack your site.
  • James Arlen: How I Got Here: Chris Hoff.
  • Mike Rothman: Sriracha hot sauce purveyor turns up the heat.
  • Rich: Just How Did Apple “Journalism” Get This Bad? While Ian writes this specifically about Apple, it also applies to a lot of security writing.

Project Quant Posts

  • Email-based Threat Intelligence: To Catch a Phish.
  • Network-based Threat Intelligence: Searching for the Smoking Gun.
  • Understanding and Selecting a Key Management Solution.
  • Building an Early Warning System.
  • Implementing and Managing Patch and Configuration Management.
  • Defending Against Denial of Service (DoS) Attacks.
  • Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
  • Tokenization vs. Encryption: Options for Compliance.

Top News and Posts

  • PC owners have to watch 24 sources for fixes.
  • CISPA cybersecurity bill.
  • Privacy advocates warn about coming tsunami of surveillance cameras. London already knows the result – cameras don’t deliver.
  • Silicon Valley companies quietly try to kill Internet privacy bill.
  • Twitter has 2-factor authentication.
  • Brad Arkin promoted to CSO of Adobe. Brad is as good as they get; this is great news for all of us.

Blog Comment of the Week

This week’s best comment goes to @VZDBIR, in response to How to Use the 2013 Verizon Data Breach Investigations Report. I am breaking with tradition this week to favorite a tweet:

    @VZDBIR: Sometimes it’s scary how @securosis gets all up in my brain. Those guys are smart. #Dbir https://t.co/kV995yrxUX

I would bet that Twitter account, like the Associated Press, was hacked.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very, very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be unbiased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3-day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.