Research

Our schedules are already filling up for Black Hat this year, so if you want to meet please drop us a line. And for those who want a real schedule, [James Arlen put one together for easy import into your calendar].(https://www.google.com/calendar/ical/f9lvmur9pjc2r1oi7psi3li40s%40group.calendar.google.com/public/basic. Share:

Branden Williams is exactly right: 2013 is a pivotal year for PCI DSS. A new version of the guidance will hit later this year. So why is 2013 so important for PCI DSS? In this next revision (which will be released this year, enforced in 2015, and retired at the end of 2017) the standard has to play catch up. It’s notoriously been behind the times when it comes to the types of attacks that merchants face (albeit, most merchants don’t even follow PCI DSS well enough to see if compliance could prevent a breach), but now it’s way behind the times on the technologies that drive business. Enforced in 2015. Yeah, 2015. You know, things change pretty quickly in technology – especially for attackers. But the rub is that the size and disruption of infrastructure changes for the large retailers who control the PCI DSS mean they cannot update their stuff fast enough. So they only update the DSS on a 3-year cycle to allow time to implement the changes (and keep the ROC). Let’s be clear: attackers are not waiting for the new version of PCI to figure out ways to bust new technologies. Did you think they were waiting to figure out how to game mobile payments? Of course not – but no specific guidance will be in play for at least 2 years. Regardless of whether it’s too little, it’s definitely too late. So what to do? Protect your stuff, and put PCI (and the other regulatory mandates) into the box that it belongs. A low bar you need to go beyond if you want to protect your data. Photo credit: “Don’t let this happen to you! too little, too late order coal now!” originally uploaded by Keijo Knutas Share:

Normally by this time of year things slow down, people go on vacation, and we get to relax a bit, but not this year. At least not for me. It has been seven days a week here for a while, playing catch-up with all the freakin’ research projects going on. And I have wanted to comment on a ton of news items, but have not had the time. So this week’s summary consists of comments on a few headlines I have not had any other the chance to comment on. Here we go: All I can think about when I read these stories on NSA spying and Snowden news items: It is criminal for you, the public, to know our secrets. But it’s totally okay for us to spy on you. Nothing to worry about. Move along now. Love Square. Great product. Disruptive payment medium. But it has been reported they want to create a marketplace to compete with eBay, Amazon and – my interpretation, not something they have stated – craigslist. So let me ask you: Are they friggin’ nuts? Speaking of crazy, why would anyone claim HP is too late to enter the big data race? Has their tardiness in rolling out big data or big-data-like technologies hurt them in the SIEM space? No question. But general big data services is a very new market, and the race for leadership in packaged services has not even begun yet. Was I the only one shocked to learn RSA’s call for papers started this week? WTF? Didn’t I just get back from that conference? We are still a month away from Black Hat. It is currently 109F here in Phoenix, and all I want to do is find a cold beer and keep out of the heat. This just does not feel like the time to be thinking about presentation outlines… But if you want to present next February consider this a friendly reminder. For those three of you who have been emailing me about passwords and password managers because of my comments during the Key Management webcast last week, it’s okay. We will continue to use passwords here and there. I like password managers. Corporate and personal. I use them every day. But passwords will be replaced by tokens and identity certificates for Internet services because a) identity tokens allow us to do much more with identity and authorization than we can with passwords, and b) tokens remove the need to store password hashes on the server. Which is a another way of saying passwords can’t do what certificates do. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s white paper on 10 Common Database Vulnerabilities. Mike’s DR Post: The Slippery Slope Of Security Invisibility. Rich’s DR Post: Security Needs More Designers, Not Architects. Adrian’s Dark Reading post Database Configuration Standards. Adrian’s Key Management webcast. Rich’s Macworld article on Apple’s Security Strategy. It’s older, but I just saw Mike’s Security Myth-busting video and it’s funny. Favorite Securosis Posts Rich: Adrian on SQLi. He gets a little pedantic, but that’s what we love about him. Mike Rothman: Security Analytics with Big Data: Deployment Issues. Adrian did a fantastic job with this series. Read all the posts and learn about the future of SIEM… Adrian Lane: Top 10 Stupid Sales/Press/Analyst Presentation Tricks. We see stupid human tricks every week and I don’t think most companies understand how they or their slide decks are perceived. Other Securosis Posts Database Denial of Service [New Series]. API Gateways: Developer Tools. iOS 7 Adds Major Data Security Improvements. Incite 6/26/2013: Camp Rules. The Black Hole of DLP. Automation Awesomeness and Your Friday Summary (June 21, 2013). Full Disk Encryption (FDE) Advice from a Reader. Scamables. Talking Head Alert: Adrian on Key Management. How China Is Different. Microsoft Offers Six Figure Bounty for Bugs. Project Communications. Network-based Malware Detection 2.0: Deployment Considerations. Favorite Outside Posts Adrian Lane: Data Leakage In A Google World. People forget that Google is a powerful tool, which often finds data companies did not want exposed. It’s a tool to hack with, and yes, a tool to phish with. Chris Pepper: Solaris patching is broken because Oracle is dumb and irresponsible. Feh. Mike Rothman: Wences Casares: Teach Your Children to be Doers. Great post here by a start-up CEO about how to teach your kids to get things done. If only all those “entitlement kids” got a similar message from their parents. Dave Lewis: Opera Software Hit by ‘Infrastructure Attack’; Malware Signed with Stolen Cert Rich: TheStreet on Brian Krebs. I think it’s awesome that Brian is doing so well – he writes circles around everyone else on the cybercrime beat. Needless to say, we are fans of the low-overhead direct model. Seems to be working for us at least. Research Reports and Presentations Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Pragmatic Key Management for Data Encryption. The Endpoint Security Management Buyer’s Guide. Top News and Posts Oracles releases critical security update for Java, Apple follows suit. The DEA Seized Bitcoins In A Silk Road Drug Raid. Turkey seeks to tighten control over Twitter. Why Snowden Asked Visitors in Hong Kong to Refrigerate Their Phones. Snowden distributed encrypted copies of NSA docs around the world. Pentagon’s failed flash drive ban policy: A lesson for every CIO. U.S. Surveillance Is Not Aimed at Terrorists. Attackers sign malware using crypto certificate stolen from Opera Software. Software Flaw Threatens LG Android Smartphones. South Korean cyberattacks. Researcher nets $20K for finding serious Facebook flaw. Vast majority of malware attacks spawned from legit sites. More from Google’s Safe Browsing disclosures. Google Adds Malware and Phishing Data to Transparency Report. HP Confirms Backdoor In StoreOnce Backup Product Line. Blog Comment of the Week This week’s best comment goes to Guillaume, in response to iOS 7 Adds Major Data Security Improvements. The share sheet thing is pretty