Securosis

Off topic: Cycling is the new golf

From the Economist: TRADITIONALLY, business associates would get to know each other over a round of golf. But road cycling is fast catching up as the preferred way of networking for the modern professional. A growing number of corporate-sponsored charity bike rides and city cycle clubs are providing an ideal opportunity to talk shop with like-minded colleagues and clients while discussing different bike frames and tricky headwinds. Many believe cycling is better than golf for building lasting working relationships, or landing a new job, because it is less competitive. Oh, biking is definitely competitive, but not as directly competitive. Anyway, call this one wishful thinking on my part – I would rather ride than golf any day. Then again I have only ridden once in a business context, and it blew away every other team building/networking/whatever exercise in my entire professional history.


Malware string in iOS app interesting, but probably not a risk

From Macworld: iOS app contains potential malware: The app Simply Find It, a $2 game from Simply Game, seems harmless enough. But if you run Bitdefender Virus Scanner–a free app in the Mac App Store–it will warn you about the presence of a Trojan horse within the app. A reader tipped Macworld off to the presence of the malware, and we confirmed it. I looked into this for the article, and aside from blowing up my schedule today it was pretty interesting. Bitdefender found a string which calls an iframe pointing to a malicious site in our favorite top-level domain (.cn). The string was embedded in an MP3 file packaged within the app. The short version is that despite my best attempts I could not get anything to happen, and even when the MP3 file plays in the (really bad) app it never tries to connect to the malicious URL in question. Maybe it is doing something really sneaky, but probably not. At this point people better at this than me are probably digging into the file, but my best guess is that a cheap developer snagged a free music file from someplace, and the file contained a limited exploit attempt to trick MP3 players into accessing the payload’s URL when they read the ID3 tag. Maybe it targets an in-browser music player. The app developer included this MP3 file, but the app’s player code isn’t vulnerable to the MP3’s exploit, so nothing bad happens. It’s interesting, and could easily slip by Apple’s vetting if there is no way the URL could trigger. Maybe we will hear more when people perform deeper analysis and report back, but I doubt it. I suspect the only thing exploited today was my to-do list.
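The post describes markup hiding inside an MP3's ID3 tag that a scanner flagged but the app's own player never acted on. As an added example, not code from the post or from Bitdefender, here is a small ID3v2 frame walker that flags text frames carrying HTML or script markup; the tagged MP3 it scans is a constructed fixture with a placeholder URL, not the file from the article.

```python
import struct

def synchsafe(n):
    """Encode an int as a 4-byte ID3 synchsafe integer (7 bits per byte)."""
    return bytes(((n >> s) & 0x7F) for s in (21, 14, 7, 0))

def build_tagged_mp3(title):
    """Constructed sample: an ID3v2.3 header with one TIT2 (title) frame, then fake audio bytes.
    It exists only to give the scanner something to chew on; it is not the file from the article."""
    text = b"\x00" + title.encode("latin-1")          # encoding byte 0 = ISO-8859-1
    frame = b"TIT2" + struct.pack(">I", len(text)) + b"\x00\x00" + text
    header = b"ID3" + b"\x03\x00" + b"\x00" + synchsafe(len(frame))
    return header + frame + b"\xff\xfb" * 8

def iter_id3v2_frames(data):
    """Yield (frame_id, payload) for each frame of an ID3v2.3/2.4 tag; yield nothing if there is no tag."""
    if len(data) < 10 or data[:3] != b"ID3":
        return
    major = data[3]
    tag_size = 0
    for b in data[6:10]:                      # tag size is always synchsafe
        tag_size = (tag_size << 7) | (b & 0x7F)
    pos, end = 10, min(10 + tag_size, len(data))
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break                             # reached the padding area
        raw = data[pos + 4:pos + 8]
        if major == 4:                        # v2.4 frame sizes are synchsafe, v2.3 are plain big-endian
            size = 0
            for b in raw:
                size = (size << 7) | (b & 0x7F)
        else:
            size = struct.unpack(">I", raw)[0]
        yield fid.decode("ascii", "replace"), data[pos + 10:pos + 10 + size]
        pos += 10 + size

SUSPICIOUS = (b"<iframe", b"<script", b"javascript:")

def suspicious_frames(data):
    """Return [(frame_id, snippet)] for frames whose payload carries HTML/script markup."""
    hits = []
    for fid, payload in iter_id3v2_frames(data):
        lowered = payload.lower()
        if any(marker in lowered for marker in SUSPICIOUS):
            # payload[1:] skips the text-encoding byte that leads every text frame
            hits.append((fid, payload[1:].decode("latin-1", "replace")[:60]))
    return hits
```

A hit only means the tag contains markup; as the post notes, whether anything happens depends on whether the player that reads the tag renders it.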


Getting Logstalgic

Good tip here in a post from the Chief Monkey about a new open source log visualization tool called Logstalgia. It basically shows web access logs visualized as a pong game. So all of you folks in my age bracket will really appreciate it. Here is the description from the project page:

Logstalgia is a website traffic visualization that replays or streams web-server access logs as a pong-like battle between the web server and a never-ending torrent of requests. Requests appear as colored balls (the same color as the host) which travel across the screen to arrive at the requested location. Successful requests are hit by the paddle while unsuccessful ones (eg 404 – File Not Found) are missed and pass through. The paths of requests are summarized within the available space by identifying common path prefixes. Related paths are grouped together under headings. For instance, by default paths ending in png, gif or jpg are grouped under the heading Images. Paths that don’t match any of the specified groups are lumped together under a Miscellaneous section.

So how do you use it? Basically figuring out if you have an issue is about seeing weird patterns. This pong-looking visualization is definitely interesting. For example, if you are getting hammered by a small set of IP addresses, that will be pretty easy to see using the tool. If your site is dropping a lot of traffic, you’ll see that too. Check out the video. Not only does it have cool music, but your mind should be racing in terms of how you’d use the tool in your day-to-day troubleshooting. Does it provide a smoking gun? Nope. But it gives you a way to visualize sessions in an interesting way, and the price is right. Good tip Chief. Thanks.
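The same hit/miss and path-grouping logic Logstalgia animates can be reduced to a few counters, which is handy when you want the "small set of IPs hammering you" signal without the video. This is an added example, not Logstalgia's code; the log lines are constructed samples in the combined log format, and the grouping rules and miss threshold are assumptions chosen to mirror the description above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/May/2013:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [03/May/2013:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 0 "-" "curl/7.29"
198.51.100.9 - - [03/May/2013:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/7.29"
198.51.100.9 - - [03/May/2013:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "curl/7.29"
198.51.100.9 - - [03/May/2013:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "curl/7.29"
203.0.113.7 - - [03/May/2013:10:00:05 +0000] "GET /img/banner.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path groups in the spirit of Logstalgia's defaults: images by extension, everything else Miscellaneous.
GROUPS = [("Images", re.compile(r'\.(png|gif|jpe?g)$', re.I))]

def classify(path):
    """Map a request path to its heading; the query string is ignored when matching."""
    for name, pattern in GROUPS:
        if pattern.search(path.split("?", 1)[0]):
            return name
    return "Miscellaneous"

def summarize(log_text):
    """Return (per_host, per_group): hit/miss counts per client and request counts per heading.

    A 'hit' is a response the server served (status < 400); a 'miss' is an error
    status, the request Logstalgia shows sailing past the paddle."""
    per_host = defaultdict(lambda: {"hits": 0, "misses": 0})
    per_group = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of aborting the whole run
        key = "hits" if int(m.group("status")) < 400 else "misses"
        per_host[m.group("host")][key] += 1
        per_group[classify(m.group("path"))] += 1
    return dict(per_host), dict(per_group)

def noisy_hosts(per_host, min_misses=3):
    """Clients whose miss count meets the threshold: the 'hammered by a few IPs' pattern."""
    return sorted(h for h, c in per_host.items() if c["misses"] >= min_misses)

if __name__ == "__main__":
    hosts, groups = summarize(SAMPLE_LOG)
    print(groups)
    print("noisy:", noisy_hosts(hosts))
```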


Friday Summary: May 3, 2013

I was weirdly interested in Paul Miller’s year off the Internet. Paul is a writer for The Verge, and they actually paid him to keep writing (offline) through the year instead of kicking him to the curb like most publications would have. Spoiler: in retrospect the entire thing was a mix of isolating and asinine.

And now I’m supposed to tell you how it solved all my problems. I’m supposed to be enlightened. I’m supposed to be more “real,” now. More perfect. But instead it’s 8PM and I just woke up. I slept all day, woke with eight voicemails on my phone from friends and coworkers. I went to my coffee shop to consume dinner, the Knicks game, my two newspapers, and a copy of The New Yorker. And now I’m watching Toy Story while I glance occasionally at the blinking cursor in this text document, willing it to write itself, willing it to generate the epiphanies my life has failed to produce. I didn’t want to meet this Paul at the tail end of my yearlong journey.

Paul is still just as happy or miserable as he was a year ago, except now he doesn’t know who Honey Boo Boo is. Or maybe he does because, without the Internet, he probably watched entirely too much bad cable television. Or local news. Technology doesn’t move backwards. At least not until we blow the planet up, create a life-eliminating disease, the robots convert us to fuel, or the nanobots ingest every organic molecule and turn the planet into grey goo (pick one – maybe two). The Internet is here to stay, and disconnecting is more likely to make you less happy because you would lose one of the few communications channels that works in our distributed society. As Paul learned, the Internet is merely an enabler. If you’re lazy and procrastinate, it isn’t like you need the Internet for that. If you get too wrapped up in Facebook or Twitter, odds are you were the same way with memos and water coolers – and could be again.
The Internet does allow some people to bypass certain psychological and social limitations around face-to-face interaction, but the Internet isn’t what actually made them assholes in the first place. But yes, the Internet can most definitely exacerbate certain behaviors, it weakens social herd immunity, and it enables nut jobs to congregate more freely. I have personally found great value in moderating my Internet consumption, but I’m not so foolish as to think its total elimination would buy me anything. Especially because I now have kids, I try to make sure they know I’m focused on them and not a screen in my hand. Mostly it’s a matter of not letting myself get caught up in a bunch of garbage that doesn’t matter (especially on Twitter), obsessing over the news, or spending countless hours reading things that really don’t affect my life or improve my education. It’s all a balance. I’m far from perfect, but I suppose my extreme lack of leisure time makes it easier for me to focus.

So I am proud to announce, much to your relief (yeah, right), that I am not leaving Twitter, Facebook, email, or the Internet in general. On the other hand, I reserve the right to check them when I want, not respond to every email, and not apologize for missing that blog post. The Internet is a big part of my life, but my life is much more than the Internet.

–Rich

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Rich quoted in Macworld on an iOS app which includes a malware string.

Favorite Securosis Posts

  • Mike Rothman: Twitter security for media companies. These are good tips for every company, but more urgent for media companies given the recent Twitter hacks. This is a big deal for companies that provide shared access to corporate Twitter accounts. At some point we would like to see Twitter support federation (perhaps as a subscription service) so companies can define who can do what with their account, and enforce those entitlements. Details, details. (Editor’s note – Twitter supports OAuth, so it does allow this -Rich)
  • Adrian Lane: Trailblazing Equality.
  • Rich: Socially engineering (trading) bots.

Other Securosis Posts

  • Off topic: Cycling is the new golf.
  • Malware string in iOS app interesting, but probably not a risk.
  • Getting Logstalgic.
  • Security Analytics with Big Data: Use Cases.
  • Gaming the pirates – literally.
  • Google Glass Has Already Been Hacked By Jailbreakers.
  • Security Funding via Tin Cup.
  • IaaS Encryption: External Key Manager Deployment and Feature Options.
  • IaaS Encryption: Encrypting Entire Volumes.

Favorite Outside Posts

  • Mike Rothman: 102 hours in pursuit of Marathon suspects. Unbelievable story detailing the hunt for the Boston Marathon suspects. Really great reporting to produce a full account.
  • Adrian Lane: It’s time for a Chief API Officer. While I don’t think a development trend warrants its own C-level executive, the importance of APIs to development is hard to overstate.
  • David Mortman: Cryptography is a systems problem (or) ‘Should we deploy TLS’.
  • Rich: One security equation to rule them all. I would like to see the formal proof but this looks accurate.

Research Reports and Presentations

  • Email-based Threat Intelligence: To Catch a Phish.
  • Network-based Threat Intelligence: Searching for the Smoking Gun.
  • Understanding and Selecting a Key Management Solution.
  • Building an Early Warning System.
  • Implementing and Managing Patch and Configuration Management.
  • Defending Against Denial of Service (DoS) Attacks.
  • Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
  • Tokenization vs. Encryption: Options for Compliance.
  • Pragmatic Key Management for Data Encryption.
  • The Endpoint Security Management Buyer’s Guide.

Top News and Posts

  • McAfee Patents Technology to Detect and Block Pirated Content. Sound like a bad idea to anyone else?
  • Pirates hate piracy (when it happens to them). How long before we see Greenheart’s data on Pastebin?
  • Syrian Electronic Army Hijacks Guardian Twitter Accounts. Army? It’s probably three guys living in the Bronx.
  • Samsung Delays Android Security Software.
  • Blue For The Pineapple. Step by step tutorial on turning the Fon AccessPoint into a stealthy WiFi hijacker.
  • Defense contractor pwned by


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.