Securosis

Research

Understanding and Selecting a Database Security Platform: Defining DSP

As I stated in the intro, Database Security Platform (DSP, to save us writing time and piss off the anti-acronym crowd) differs from DAM in a couple ways. Let’s jump right in with a definition of DSP, and then highlight the critical differences between DAM and DSP.

Defining DSP

Our old definition for Database Activity Monitoring has been modified as follows:

Database Security Platforms, at a minimum, assess database security, capture and record all database activity in real time or near real time (including administrator activity); across multiple database types and platforms; and alert and block on policy violations.

This distinguishes Database Security Platforms from Database Activity Monitoring in four key ways:

- Database security platforms support both relational and non-relational databases.
- All Database Security Platforms include security assessment capabilities.
- Database Security Platforms must have blocking capabilities, although they aren’t always used.
- Database Security Platforms often include additional protection features, such as masking or application security, which aren’t necessarily included in Database Activity Monitors.

We are building a new definition due to the dramatic changes in the market. Almost no tools are limited to merely activity monitoring any more, and we see an incredible array of (different) major features being added to these products. They are truly becoming a platform for multiple database security functions, just as antivirus morphed into Endpoint Protection Platforms by adding everything from whitelisting to intrusion prevention and data loss prevention.

Here is some additional detail:

- The ability to remotely audit all user permissions and configuration settings. This means connecting to a remote database with user-level credentials, scanning the configuration settings, then comparing the captured data against an established baseline. This includes all external initialization files as well as all internal configuration settings, and may include additional vulnerability tests.
- The ability to independently monitor and audit all database activity including administrator activity, transactions, and data (SELECT) requests. For relational platforms this includes DML, DDL, DCL, and sometimes TCL activity. For non-relational systems this includes ownership, indexing, permissions and content changes. In all cases read access is recorded, along with the meta-data associated with the action (user identity, time, source IP, application, etc).
- The ability to store this activity securely outside the database.
- The ability to aggregate and correlate activity from multiple, heterogeneous Database Management Systems (DBMS). These tools work with multiple relational (e.g., Oracle, Microsoft, and IBM) and quasi-relational (ISAM, Teradata, and Document management) platforms.
- The ability to enforce separation of duties on database administrators. Auditing activity must include monitoring of DBA activity, and prevent database administrators from tampering with logs and activity records – or at least make it nearly impossible.
- The ability to protect data and databases – both alerting on policy violations and taking preventative measures to prevent database attacks. Tools don’t just record activity – they provide real-time monitoring, analysis, and rule-based response. For example, you can create a rule that masks query results when a remote SELECT command on a credit card column returns more than one row.
- The ability to collect activity and data from multiple sources. DSP collects events from the network, OS layer, internal database structures, memory scanning, and native audit layer support. Users can tailor deployments to their performance and compliance requirements, and collect data from sources best for their requirements.
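The masking rule mentioned above (a remote SELECT on a credit card column returning more than one row), written out as an added example; this is not code from the original post or from any DSP product. The column name, the "local" network ranges, the event fields and the sample card numbers are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Statement classes named in the text; SELECT is grouped with DML here.
STATEMENT_CLASSES = {
    "DML": {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"},
    "DDL": {"CREATE", "ALTER", "DROP", "TRUNCATE"},
    "DCL": {"GRANT", "REVOKE"},
    "TCL": {"COMMIT", "ROLLBACK", "SAVEPOINT"},
}

# Hypothetical policy inputs (assumptions made for this example).
SENSITIVE_COLUMNS = {"card_number"}
LOCAL_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.20.0.0/24"),   # assumed application tier
]


@dataclass
class Event:
    """One captured database action plus the metadata the text lists."""
    user: str
    time: str
    source_ip: str
    application: str
    sql: str
    rows: list          # result set as a list of {column: value} dicts


def classify(sql):
    """Return (verb, class) for a statement, e.g. ("GRANT", "DCL")."""
    parts = sql.split()
    verb = parts[0].upper() if parts else ""
    for cls, verbs in STATEMENT_CLASSES.items():
        if verb in verbs:
            return verb, cls
    return verb, "OTHER"


def is_remote(source_ip):
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in LOCAL_NETWORKS)


def mask_value(value):
    """Keep the last four characters, star out the rest."""
    text = str(value)
    return "*" * max(len(text) - 4, 0) + text[-4:]


def evaluate(event):
    """Apply the rule and return (action, rows_to_deliver, audit_record)."""
    verb, cls = classify(event.sql)
    # Inspect the columns actually returned rather than the query text,
    # so "SELECT *" and aliased queries are still caught.
    sensitive = {c for row in event.rows for c in row
                 if c.lower() in SENSITIVE_COLUMNS}
    action, rows = "allow", event.rows
    if (verb == "SELECT" and is_remote(event.source_ip)
            and sensitive and len(event.rows) > 1):
        action = "mask"
        # Build new rows; the captured originals are left untouched.
        rows = [{c: mask_value(v) if c in sensitive else v
                 for c, v in row.items()} for row in event.rows]
    # The audit record carries metadata only, never the returned data,
    # and would be shipped to storage outside the database.
    audit = {"user": event.user, "time": event.time,
             "source_ip": event.source_ip, "application": event.application,
             "verb": verb, "class": cls, "row_count": len(event.rows),
             "sensitive_columns": sorted(sensitive), "action": action}
    return action, rows, audit


# Constructed sample data (well-known test card numbers, not real accounts).
SAMPLE_ROWS = [
    {"customer": "A. Example", "card_number": "4111111111111111"},
    {"customer": "B. Example", "card_number": "5555555555554444"},
]

if __name__ == "__main__":
    for ip in ("203.0.113.9", "10.20.0.15"):
        ev = Event("jdoe", "2012-02-07T10:00:00Z", ip, "reporting",
                   "SELECT * FROM payments", SAMPLE_ROWS)
        action, rows, audit = evaluate(ev)
        print(ip, action, rows[0]["card_number"], audit["class"])
```
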
DAM tools have traditionally offered event aggregation but DSP requires correlation capabilities as well.

DSP is, in essence, a superset of DAM applied to a broader range of database types and platforms. Let’s cover the highlights in more detail:

- Databases: It’s no longer only about big relational platforms with highly structured data, but now also about non-relational platforms. Unstructured data repositories, document management systems, quasi-relational storage structures, and tagged-index files are being covered. So the number of query languages being analyzed continues to grow.
- Assessment: “Database Vulnerability Assessment” is offered by nearly every Database Activity Monitoring vendor, but it is seldom sold separately. These assessment scans are similar to general platform assessment scanners but focus on databases – leveraging database credentials to scan internal structures and metadata. The tools have evolved to scan not only for known vulnerabilities and security best practices, but to include a full scan of user accounts and permissions. Assessment is the most basic preventative security measure and a core database protection feature.
- Blocking: Every database security platform provider can alert on suspicious activity, and the majority can block suspect activity. Blocking is a common customer requirement – it is only applied to a very small fraction of databases, but has nonetheless become a must-have feature. Blocking requires the agent or security platform to be deployed ‘inline’ in order to intercept and block incoming requests before they execute.
- Protection: Over and above blocking, we see traditional monitoring products evolving protection capabilities focused more on data and less on database containers. While Web Application Firewalls to protect from SQL injection attacks have been bundled with DAM for some time, we now also see several types of query result filtering.

One of the most interesting aspects of this evolution is how few architectural changes are needed to provide these new capabilities. DSP still looks a lot like DAM, but functions quite differently. We will get into architecture later in this series. Next we will go into detail on the features that define DSP and illustrate how they all work together.


Friday Summary: February 3, 2012

Since Rich is vacationing working hard at a security conference in Mexico, I figure I would write this week’s Friday Summary. I am pretty jazzed about some upcoming white papers I’ll be writing on securing data and applications at scale, understanding and selecting masking technologies, and why log management is not dead! And I am having a good time researching and writing the DAM 2.0 DSP series as well. I originally intended to write about our research agenda but changed my mind. Frankly, I have spring fever. Spring fever, you ask, in the first week of February? Yep. It’s 74 degrees here and sunny. WTF? Punxsutawney Phil weighed in with his opinion, and after burning his retinas, it looks like we are going to have another six weeks of winter. I sure hope so! Another six weeks of this type of weather would be awesome. I have been on the phone with dozens of people around the country, from Boston to San Diego, and they are all experiencing fantastic weather. Even Gunnar reports highs of 48 degrees in Minnesota. I guess the cold air jet stream has been staying north of the border. For me this means my peach trees are blooming. Blooming! On freakin’ January 30th! See for yourself: And I know some of you may not care, but the warm weather means my backyard garden is almost complete. Following up on my post last October, in just a couple short months the Vegetable Fortress is built! Overbuilt? Beauty is in the eye of the beholder. I may put some solar powered laser turrets on it. You never know when Al-Qaeda might train gophers with tig welders to attack my squash. And if the DHS threat level spikes I will have a detachment of Araucana commando chickens to beat back the attack. The price of vegetables is eternal vigilance – and $3.95 for GMO free seeds. Now call in sick and go outside to enjoy the nice weather! You’ll be glad you did. 
On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

- Our Research Page with every freakin’ white paper we’ve done in the last three years.
- Rich, Adrian, and Shimmy discuss NoSQL Security with Couchbase and Mongo founders.

Other Securosis Posts

- Bridging the Mobile Security Gap: Operational Consistency.
- Malware Analysis Quant: Take the Survey (and win fancy prizes!)
- Incite 2/1/2012: Bored to Tears.
- Implementing DLP: Integration, Part 1.
- Understanding and Selecting Database Security Platforms.
- Bridging the Mobile Security Gap: The Need for Context.
- Implementing and Managing a Data Loss Prevention (DLP) Solution: Index of Posts.
- Implementing DLP: Final Deployment Preparations.
- Malware Analysis Quant: Phase 1 – The Process [Check out the paper!]

Favorite Outside Posts

- Mike Rothman: Mr. Waledac: The Peter North of Spamming. Krebs could have written this post in Swahili and it would still be my favorite outside link. Anyone that can pull off a Peter North mention in the title of a post gets my weekly vote. And it’s even a good post! Krebs digs into the intrigue of the Russian Spam Mafia.
- David Mortman: BSides/RSA Conference Dust Up. And the resolution. Beneficial discussion.
- Rich: Firewalls and SSL: More Profitable than Facebook. Gunnar’s got a great point: Firewalls, AV, and SSL sell – and very little money gets spent on innovative products.
- Adrian Lane: Fascinating look at Netflix’s Ephemeral Volatile Caching in the cloud. Not security related, but a good presentation of what’s possible with cloud content distribution.

Project Quant Posts

- Malware Analysis Quant: Monitoring for Reinfection.
- Malware Analysis Quant: Remediate.
- Malware Analysis Quant: Find Infected Devices.
- Malware Analysis Quant: Defining Rules.
- Malware Analysis Quant: The Malware Profile.
- Malware Analysis Quant: Dynamic Analysis.
- Malware Analysis Quant: Static Analysis.
- Malware Analysis Quant: Build Testbed.

Research Reports and Presentations

- Tokenization Guidance Analysis: Jan 2012.
- Applied Network Security Analysis: Moving from Data to Information.
- Tokenization Guidance.
- Security Management 2.0: Time to Replace Your SIEM?
- Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
- Tokenization vs. Encryption: Options for Compliance.
- Security Benchmarking: Going Beyond Metrics.

Top News and Posts

- Paget Demonstrates Wireless Credit Card Theft.
- Carrier IQ Concerns.
- WPA2 Vulnerability Analysis.
- Symantec patches pcAnywhere, says it’s safe.
- Secure Virtual Storage – the AWS way. Missed this in last week’s summary.
- Low Orbit Ion Cannon DDoS Analysis. Not new, but newsworthy.
- Android Malware Infection. Android can be a more powerful platform as you can run more powerful apps on it. This is made possible by a lax security model. That’s the tradeoff.
- Google to Censor Blogger Blogs on a ‘Per Country Basis’. The tradeoff is either Google blogs get banned on a ‘Per Country Basis’ or Google bans select blogs. Revenue trumps ethics every time.

Blog Comment of the Week

None this week.


Understanding and Selecting Database Security Platforms

We love the Totally Transparent Research process. Times like this – where we hit upon new trends, discover unexpected customer use cases, or discover something going on behind the scenes – are when our open model really shows its value. We started a Database Activity Monitoring 2.0 series last October and suddenly halted because our research showed that platform evolution has changed from convergence to independent visions of database security, with customer requirements splintering. These changes are so significant that we need to publicly discuss them so you can understand why we are suddenly making a significant departure from the way we describe a solution we have been talking about for the past 6+ years. Especially since Rich, back in his Gartner days, coined the term “Database Activity Monitoring” in the first place. What’s going on behind the scenes should help you understand how these fundamental changes alter the technical makeup of products and require new vocabulary to describe what we see.

With that, welcome to the reboot of DAM 2.0. We renamed this series Understanding and Selecting Database Security Platforms to reflect massive changes in products and the market. We will fully define why this is the case as we progress through this series, but for now suffice it to say that the market has simply expanded beyond the bounds of the Database Activity Monitoring definition. DAM is now only a subset of the Database Security Platform market. For once this isn’t some analyst firm making up a new term to snag some headlines – as we go through the functions and features you’ll see that real products on the market today go far beyond mere monitoring. The technology trends, different bundles of security products, and use cases we will present, are best reflected by the term “Database Security Platform”, which most accurately reflects the state of the market today.

This series will consist of 6 distinct parts, some of which appeared in our original Database Activity Monitoring paper.

- Defining DSP: Our longstanding definition for DAM is broad enough to include many of the changes, but will be slightly updated to incorporate the addition of new data collection and analysis options. Ultimately the core definition does not change much, as we took into account two anticipated trends when we initially created it, but a couple subtle changes encompass a lot more real estate in the data center.
- Available Features: Different products enter the DSP market from different angles, so we think it best to list out all the possible major features. We will break these out into core components vs. additional features to help focus on the important ones.
- Data Collection: The minimum feature set for DAM included database queries, database events, configuration data, audit trails, and permission management for several years. The continuing progression of new data and event sources, from both relational and non-relational data sources, extends the reach of the security platform to include many new application types. We will discuss the implications in detail.
- Policy Enforcement: The addition of hybrid data and database security protection bundled into a single product. Masking, redaction, dynamically altered query results, and even tokenization build on existing blocking and connection reset options to offer better granularity of security controls. We will discuss the technologies and how they are bundled to solve different problems.
- Platforms: The platform bundles, and these different combinations of capabilities, best demonstrate the change from DAM to DSP. There are bundles that focus on data security, compliance policy administration, application security, and database operations. We will spend time discussing these different visions and how they are being positioned for customers.
- Use Cases & Market Drivers: The confluence of what companies are looking to secure mirrors adoption of new platforms, such as collaboration platforms (SharePoint), cloud resources, and unstructured data repositories. Compliance, operations management, performance monitoring, and data security requirements follow the adoption of these new platforms, which has driven the adaptation and evolution of DAM into DSP. We will examine these use cases and how the DSP platforms are positioned to address demand.

A huge proportion of the original paper was influenced by the user and vendor communities (I can confirm this – I commented on every post during development, a year before I joined Securosis – Adrian). As with that first version, we strongly encourage user and vendor participation during this series. It does change the resulting paper, for the better, and really helps the community understand what’s great and what needs improvement. All pertinent comments will be open for public review, including any discussion on Twitter, which we will reflect here.

We think you will enjoy this series, so we look forward to your participation! Next up: Defining DSP!


Friday Summary: January 27, 2012

This is the Securosis Friday Summary. For those of you who don’t know, this is where Rich and I vent. When I started working with Rich I used to loathe writing this intro; now it’s therapeutic. It gives me a chance to talk about whatever is on my mind that I think people might find interesting. Sure, most Friday posts talk about security, but not always. If such things bother you – as one reader mentioned last week – search within the page for ‘Summary’ to avoid our ramblings.

Security Burnout? Breach Apathy? Repetitive task depression? Been there, done that, got the T-shirt to prove it? If you have been in security long enough, you will go through some security industry induced negative mental states. It happens to everyone on the security treadmill – it’s the security professionals’ version of the marathon runners’ wall. A tired, disinterested, day-to-day grind of SOSDD. I know I’ve had it – twice in fact. As an IT admin reviewing the same log files over and over again, and also from writing about security breaches caused by the same old SQL injection attacks.

Rich, James Arlen, and I got into a conversation about this over dinner the other night. Rich and I have achieved a quiet inner peace with the ups and downs of security, mainly because our work lets us do more of what we like and less of the daily grind that folks in IT security deal with on a daily basis. Usually during my career, with vacations frowned upon for startup executives, conferences were a source of inspiration. Actually, they still are. Presentations like Errata Security’s malicious iPhone and Jackpotting Automated Tellers can renew my interest and fascination with the profession. I go back to work with new energy and new ideas on what I can do to make things better. Somewhere down the line, though, reality always settles back in.
As with life in general, I try not to get too worked up about this profession, but to find the pieces that fascinate me and delve into those technologies, leaving the rest of the stuff behind.

On Monday during the RSA Security Conference, Mike, Rich, David Mortman, and I will be helping with the ‘e10+’ event. The idea of this session is to provide advanced discussions for security pros who have been in the field over 10 years. We talk about some of the complex organizational problems security folks deal with, and share different strategies for addressing problems. Of course there is no shortage of interesting problems, and there are some heavily experienced – and opinionated – people in the room, so the discussion gets lively. It’s not on the agenda, but it dawned on me that dealing with security burnout – both causes and reactions – would actually be a good topic for that event. How to put the fun back in security. I hope our talks will do just that. Rich has some great ideas on consumerization and risk (yeah, I know – who thought risk could be interesting?) that I expect to spark some lively debate. Usually during RSA I am too busy worrying about my presentation or meeting with people to see much new stuff, but this year I am looking forward to the event.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

- Rich, Adrian, and Shimmy discuss NoSQL Security with Couchbase and Mongo founders.
- Adrian, Jamie, and Rich on the NetSec Podcast.

Other Securosis Posts

- Our Research Page with every freakin’ white paper we’ve done in the last three years.
- Implementing DLP: Getting Started.
- Incite 1/25/2011: Prized Possessions.
- Bridging the Mobile Security Gap: Staring down Network Anarchy (new series).
- Implementing and Managing a DLP Solution.
- The 2012 Disaster Recovery Breakfast.
- Baby Steps toward the New School.

Favorite Outside Posts

- Mike Rothman: Executive could learn a lot from Supernanny. Kevin hits it on the head here, just as Wendy did last week. Without even enforcement of the rules you’re lost. Unless you are Steven Seagal (and you’re not), no one is Above the Law.
- Dave Lewis: How to close your Google account. Lots of blowback due to Google’s new privacy policy – here’s how you can protest.
- Adrian Lane: Implementation of MITM Attack on HDCP-Secured Links. Fascinating examination of an HDMI encryption attack – in real time – for fair use. It’s a bit on the technical side but does get to the heart of why DRM and closed systems stifle innovation.
- Rich: Pete Lindstrom’s take on recent SCADA vulnerability disclosures. I disagree with Pete a lot. It’s hit absurd levels in the past on a mailing list we are both on. And while I don’t agree with his characterizations of vulnerability research justifications, I do agree that for some things – especially SCADA – we need to think differently about disclosure.
- David Mortman: Google+ Failed Because of Real Names.

Project Quant Posts

- Malware Analysis Quant: Monitoring for Reinfection.
- Malware Analysis Quant: Remediate.
- Malware Analysis Quant: Find Infected Devices.
- Malware Analysis Quant: Defining Rules.
- Malware Analysis Quant: The Malware Profile.
- Malware Analysis Quant: Dynamic Analysis.
- Malware Analysis Quant: Static Analysis.
- Malware Analysis Quant: Build Testbed.

Research Reports and Presentations

- Tokenization Guidance Analysis: Jan 2012.
- Applied Network Security Analysis: Moving from Data to Information.
- Tokenization Guidance.
- Security Management 2.0: Time to Replace Your SIEM?
- Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
- Tokenization vs. Encryption: Options for Compliance.
- Security Benchmarking: Going Beyond Metrics.
- And in case you missed it: Our Research Page with every freakin’ white paper we’ve done in the last three years.

Top News and Posts

- Kill pcAnywhere Right Now!
- We the People: Populist Protest Kills SOPA (Again).
- The spam tag cloud: Keeping you up to date on what’s important in life!
- Trojan Trouble-ticket system. Say what you will about malware authors, but they’re usually highly adept at software development tools and techniques.
- Defacement frenzy via our friends at LiquidMatrix.
- O2 leaking mobile numbers to web sites.
- Symantec acquires LiveOffice.
- Norton Source Code Stolen in 2006.

Blog Comment of the Week

No comments this week. We need to start writing better posts!


Oracle SCN Flaw

A flaw in the Oracle database has been disclosed, whereby the Oracle System Change Number (SCN) – a feature that helps synchronize database events – outgrows its defined limits. The SCN is an ever-increasing sequence number used to determine the ‘age’ of data. It is incremented automatically by 16k per second to provide a time reference, and again each time data is ‘committed’ (written to disk). This enables transactions to be referenced to the second, and ordered within each second. As you might imagine, this is a very large number, with a maximum value and a maximum increase per day. If the SCN passes its maximum value the database completely stops. The new discovery concerns the SCN. I’ll get more into the scope of the problem in a second, but first some important background.

When I started learning about database internals – how they were architected and the design of core services – data integrity was the number one design goal. Period! Performance, efficiency, and query execution paths were important, but actually getting the right data back from your queries was the essential requirement. That concept seems antiquated today, but storing and then retrieving correct data from a relational system was not a certainty in the beginning. Power outages, improper thread handling, locking, and transactional sequencing issues have all resulted in database corruption. We got transactions processed in the wrong order, calculations on stale data, and transactions simply lost. This resulted in nightmares for DBAs who had to determine what went wrong and reconstruct the database. If this hits an accounting system suddenly nothing adds up in the general ledger and the entire company is in a panic at the end of the quarter. We can normally take data consistency for granted today, thanks to all the work that went into relational database design and solving those reliability problems in the early years.

One of the basic tools embedded into relational platforms to solve data consistency issues is the sequence generator. It’s an engine that generates a sequence of numbers used to order and arrange events. Sequence numbers provide a mechanism for synchronization, and help provide data consistency within a single database and across many databases. Oracle created the SCN many years ago for this purpose, and it’s literally a core capability, upon which many critical database functions rely. As an example, every database read operation – looking at stored data – compares the current SCN with the SCN of the data stored on disk to ensure data was not changed by another process during the query. This ensures that each operation in a multi-threaded database reads accurate data. The SCN plays a role in the consistency checks when databases are brought online and is core to database recovery in the event of corruption. In a nutshell, every data block in a database is tied to the SCN!

Now back to the bug: This flaw was discovered as a result of a backup and recovery feature abnormally advancing the SCN by a few billion or even a few trillion. For most firms this will never be an issue, as the number is simply too large for a few extra billion to matter. But for large organizations who have designed their databases to synchronize using common SCNs the possibility of failure is real – and the impact would be catastrophic. At this time Oracle has both patched the flaw during recovery where the number is erroneously advanced and changed the database to double the SCN range. Just as importantly, they provided the patch quickly. The patch appears to fix the bug and with the increased SCN range we assume this problem will never occur in a normal setting. The odds are infinitesimally small.

What has people worried is that attackers could leverage this into a denial of service attack and disable a database – or possibly every linked database in a cluster – for an extended period. There are a couple known ways to exploit the vulnerability so patch your systems as soon as possible. What worries me even more is, with this focus on the SCN, that researchers might discover new ways to attack inter-database SCN synchronization and corrupt data. It’s purely speculative on my part, but this capability was designed before developers worried much about security, so I would not be surprised if we see an exploit in the coming months.

A couple closing comments: The InfoWorld article that broke news of this flaw is excellent. It’s lengthy but thorough, so I encourage you to read it. Second, if your environment relies on inter-database SCN you need to do two things: level set security across all participating databases, and start looking at a migration plan to reduce or eliminate the inter-database dependency to mitigate risk. For most firms I know that rely on the SCN, the best bet will be to tighten security, as the rewrite costs to leverage another synchronization method would be prohibitive. Finally, Oracle assigned a risk score of 5.5 to CVE-2012-0082. Does that sound accurate to you? Once again Oracle’s risk scores do a poor job of describing risk to your systems, so take a closer look at your exposure and decide for yourself.
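An added example (not from Oracle or the original post) of how a DBA might track SCN headroom and flag the abnormal jumps described above from periodic SCN readings. The 16k-per-second rate is from the post; the 1988-01-01 starting point and the 2^48 ceiling are assumptions taken from public descriptions of the flaw, and the alert threshold and sample readings are constructed.

```python
from datetime import datetime, timedelta, timezone

SCN_PER_SECOND = 16 * 1024      # "16k per second", as stated in the post
SCN_EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)   # assumption
SCN_HARD_MAX = 2 ** 48          # assumption: absolute ceiling of the counter
SCN_PER_DAY = SCN_PER_SECOND * 86400
WARN_DAYS = 60                  # hypothetical alerting threshold


def soft_limit(now):
    """Highest SCN considered reasonable at time `now`.

    Approximation using true elapsed seconds; Oracle's own calculation
    may differ in calendar details.
    """
    elapsed = int((now - SCN_EPOCH).total_seconds())
    return min(elapsed * SCN_PER_SECOND, SCN_HARD_MAX)


def headroom_days(current_scn, now):
    """Days of normal time-based growth left before the soft limit."""
    return (soft_limit(now) - current_scn) / SCN_PER_DAY


def find_abnormal_jumps(samples):
    """Flag intervals where the SCN grew faster than the limit itself.

    `samples` is a time-ordered list of (datetime, scn) readings. Growth
    above SCN_PER_SECOND * elapsed eats headroom, which is what a run-away
    backup job or a poisoned inter-database link would look like.
    """
    findings = []
    for (t_prev, scn_prev), (t_cur, scn_cur) in zip(samples, samples[1:]):
        allowed = int((t_cur - t_prev).total_seconds() * SCN_PER_SECOND)
        delta = scn_cur - scn_prev
        if delta > allowed:
            findings.append({
                "at": t_cur,
                "delta": delta,
                "headroom_lost_days": (delta - allowed) / SCN_PER_DAY,
            })
    return findings


def assess(samples):
    """Summarise the latest reading for an alerting pipeline."""
    last_time, last_scn = samples[-1]
    days = headroom_days(last_scn, last_time)
    if days <= 0:
        status = "critical"     # at or past the soft limit
    elif days < WARN_DAYS:
        status = "warn"
    else:
        status = "ok"
    return {"status": status, "headroom_days": days,
            "jumps": find_abnormal_jumps(samples)}


# Constructed readings: an hourly poll of the current SCN on one database.
T0 = datetime(2012, 1, 17, tzinfo=timezone.utc)
BASE_SCN = soft_limit(T0) - 100 * SCN_PER_DAY      # starts with 100 days spare
SAMPLES = [
    (T0, BASE_SCN),
    (T0 + timedelta(hours=1), BASE_SCN + 1_000_000),                  # normal
    (T0 + timedelta(hours=2), BASE_SCN + 1_000_000 + 3_000_000_000),  # jump
]

if __name__ == "__main__":
    report = assess(SAMPLES)
    print(report["status"], round(report["headroom_days"], 2))
    for jump in report["jumps"]:
        print(jump["at"].isoformat(), jump["delta"],
              round(jump["headroom_lost_days"], 2))
```

Databases that share SCNs over links inherit the highest value among them, so readings from every participating database belong in the same feed.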


Friday Summary: January 13, 2012

You’ve probably noticed we have not been doing a lot of blogging lately. Sorry about that – we’ll start back up with a bang very soon. This will be a very exciting year for Securosis – we have a bunch of projects in the pipe. I’ll be launching a re-start of the Database Activity Monitoring 2.0 series now that we have finally settled on the terminology and done sufficient research on the trends to actually convey what’s going on. Mike and I want to cover some Log Management topics, and I have a data masking research project underway as well. All that is over and above new developments with the Securosis Nexus, the Cloud Security Alliance Training, and our RSA Guide – so Q1 will be very busy and we will be writing a lot. I’ll publish my Q2 research agenda in the coming weeks, so if you have anything you want to talk about at RSA we can go into detail then. And I wanted to comment on a ton of great posts I have seen, but alas… On a personal note, during the Christmas break I was wandering the local mall, when I saw this guy with a mountain bike. It’s cool! It’s got carbon fiber, big-azz shocks, and hydraulic disk brakes. He let me pick it up and it’s like 20 lbs. 20 lbs is less than a tire from my old bike! So I was fascinated. I had to have one. I did some looking on the Internet and decided to visit the last couple bike shops still in business in my area. I found a bike I like, they threw some pedals on it, and I headed out. I got on the bike and the first thing that ran through my mind was “FREEDOM! I can go anywhere. And I should!” Weird. Freedom. I felt like a kid with my first new bike – which would prove prophetic as I crashed it 4 times a few days later, just as I did with my first bike at age four. That was a weird sensation. It’s not like I don’t have freedom, and I have owned cars since I was sixteen, so I can pretty much go anywhere I want. But this was different. I went back into the shop, and the guy asked me how I liked it. 
“Beautiful” I said, and bought it. I got home, saddled up, and headed straight out into the desert. I just pointed the bike in a direction I had never gone, over a hill I had never seen the other side of, and started pedaling. Open desert. Cactus, coyotes, and boulders be damned! And it was awesome.

Of course there are practical downsides to this freedom – other than plucking thorns out of my skin with tweezers and bathing road rash in betadine. I have over 10k hours on a BMX bike as a kid, and 5k hours on road bikes, so I considered myself an expert rider. Wrong! This is a totally different experience. I am a novice, as proven emphatically by the four crashes on my second ride. Well, ‘crashed’ is not quite correct – technically the bike and I just swapped places, with the bike taking me for a short ride. And as with a new pair of shoes, you should make sure everything is broken in and comfortable before you go pushing the envelope. I found out – about 2 milliseconds after I needed to bail out – that my new snap-in pedals were much too tight. Jumping simply meant the bike followed me, turning the tables, so it was – ahem – in the driver’s seat. And I learned that mountain bikes have a variable stall speed: when pedaling furiously uphill in low gear you don’t actually have sufficient momentum to go over boulders like a badass – instead you can quickly find yourself going backwards. It’s a thought-provoking experience.

Regardless, I am hooked. And now Christmas break is over and I am back at work. But like a little kid I keep looking out the window, wishing I could play with my new Christmas toy instead of talking to this vendor about a product of questionable quality, with its suspect value proposition. “Please tell me more about how you stop APT in a totally new way nobody has ever thought of before.” sigh

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

- Adrian quoted in Sandhill Channels.
- Rich’s guest post on Trustworthy Computing.
- Mike and Jack Daniel on Continuous Monitoring.

Securosis Posts

- Checking out a bootable Windows TPM thumb drive.
- Incite 1/11/2012: Spoilsport.
- Social Security Blogger Awards: Voting Open!
- Network-based Malware Detection: Where to Detect the Bad Stuff?

Favorite Outside Posts

- Mike Rothman: Costco’s Value Chain. Of course it’s Gunnar who points out a great perspective on understanding your company’s value and sticking to that, using an example from Costco. Even if it’s hard. Even if it costs money in the short term.
- Rich: Nick Selby on how we need to stop blaming the victims. I’m not going to defend Stratfor’s massive mistakes, but we need to stop acting like a room full of a-holes, blaming the victims of crimes for being stupid… especially because we will all be eventual victims. And for the record, good luck using my 20-character random Stratfor password.
- Adrian Lane: Apple iWallet Security? Leverage “what you have” security – provided you don’t leave it in your hotel room!
- Dave Mortman: AES on the iPhone isn’t broken by Default.

Project Quant Posts

- Malware Analysis Quant: Find Infected Devices.
- Malware Analysis Quant: Defining Rules.
- Malware Analysis Quant: The Malware Profile.
- Malware Analysis Quant: Dynamic Analysis.
- Malware Analysis Quant: Static Analysis.
- Malware Analysis Quant: Build Testbed.
- Malware Analysis Quant: Confirm Infection.
- Malware Analysis Quant: Process Map (Draft 1).

Research Reports and Presentations

- Applied Network Security Analysis: Moving from Data to Information.
- Tokenization Guidance.
- Security Management 2.0: Time to Replace Your SIEM?
- Fact-Based Network Security: Metrics and the Pursuit of


Friday Summary: December 16, 2011

Aspartame is toxic, so they renamed it AsparSweet(tm) to confuse consumers. GMAC was fined for mistreating customers and accused of violating state laws, so they renamed themselves Ally. Slumping sales of high fructose corn syrup, a substance many feel contributes to obesity and reduced brain function, inspired the new name “corn sugar”. Euro bonds are now “stability bonds”. Corn-fed stockyard beef can now be labelled ‘Organic’. And there is that whole weird discussion on whether pizza is legally a vegetable or not. How can you generate better sales in a consumer-hostile market? Change names and contribute to politicians who will help you get favorable legislation, that’s how! Like magic, lobbying and marketing help you get your way.

In this week’s big news we have the Stop Online Piracy Act. Yes, SOPA is a new consumer-hostile effort to prop up an old economic model. And as we witnessed for the last decade with RIAA and the MPAA, entrenched businesses want the authority to shut down web sites simply on the strength of their accusation of infringement on their IP – without having to actually prove their case. We know full well that a lot of piracy goes on – and for that they have my sympathy. We here at Securosis get it – our content is often repurposed without consent. But – as you can see here – there are other ways to deal with this. As I have written dozens of times, there are economic models that curtail piracy – without resorting to DRM, root-kitting customer PCs, or throwing due process out the window.

The Internet is about exchange of information through a myriad of (social) interfaces for the public good. It has created fantastic revenue opportunities for millions, and is an invaluable tool for research and education. One downside is content theft. I am all for content owners protecting their content – I just want it to be done without undermining the whole Internet.
SOPA is the antithesis – its sponsors are perfectly willing to wreck the Internet to ensure nobody uses it to copy their wares. It’s the same old crap the RIAA has been pulling for a decade, in a new wrapper.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Adrian on Top Down data security
  • Mike on Cloud Security in Datacenter Terms

Securosis Posts

  • New White Paper Published: Applied Network Security Analysis.
  • Incite 12/14/2011: Family Matters.
  • Pontification Alert: Upcoming webcast appearances.
  • Tokenization Guidance White Paper Available.
  • Friday Summary, December 9, 2011.

Favorite Outside Posts

  • Mike Rothman: It Won’t Be Easy for Iran to Dissect, Copy US Drone. It’s good to see someone is thinking about the reality of reverse engineering. But I suspect Iran would only have to consult your friendly neighborhood APT to get the schematics for a drone (or any of our other military devices).
  • Adrian Lane: Deconstructing the Black Hole Exploit Kit. A thorough look at an exploit kit – very interesting stuff!

Project Quant Posts

  • DB Quant: Index.
  • NSO Quant: Index of Posts.
  • NSO Quant: Health Metrics–Device Health.
  • NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
  • NSO Quant: Manage Metrics–Deploy and Audit/Validate.
  • NSO Quant: Manage Metrics–Process Change Request and Test/Approve.

Research Reports and Presentations

  • Applied Network Security Analysis: Moving from Data to Information.
  • Tokenization Guidance.
  • Security Management 2.0: Time to Replace Your SIEM?
  • Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
  • Tokenization vs. Encryption: Options for Compliance.
  • Security Benchmarking: Going Beyond Metrics.

Top News and Posts

  • Why Iran’s capture of US drone will shake CIA.
  • Nomination for the biggest personal washer (Individual) Poll Results for: Thursday, December 15, 2011.
  • sIFR3 Remote Code Execution.
  • Native webcam access in a browser using JavaScript & HTML5.
  • Congress Authorizes Pentagon to Wage Internet War.
  • Carrier IQ Explains Secret Monitoring Software to FTC, FCC.
  • Security updates for Windows and Java–with a Duqu Trojan patch–via Krebs.

Blog Comment of the Week

No comments this week. Guess we need to post more stuff!


Tokenization Guidance White Paper Available

We are pleased to announce the availability of our latest white paper: Tokenization Guidance: How to Reduce PCI Compliance Costs. It discusses the dos and don’ts of replacing credit card data with tokens, to improve security while reducing PCI DSS auditing costs. Our primary goal was to help merchants understand how to employ tokenization to reduce PCI scope, as well as the costs of Payment Card Industry Data Security Standard audits.

When we read the PCI supplement on tokenization guidelines we were shocked that it failed to provide concrete answers to the target audience’s most-asked question: How can I reduce audit scope? It felt like the paper was designed to lull us to sleep – it would raise topics we were interested in, but then ramble on without answers. But we are here to fix that, filling the gaps they left. This is the white paper the PCI Council should have written.

The paper is the product of hundreds of hours of research and about a hundred phone calls to various merchants, payment processors, tokenization vendors, and qualified assessors. We make many controversial assertions but we stand by them – we have vetted the content through interviews and discussions with every expert we could reach. And we have subjected our analysis to open scrutiny by the payment community through our Totally Transparent Research process. We include an overview analysis for merchants and auditors, as well as a step by step guide which works through all the PCI DSS requirements which are directly affected when using tokens to replace primary account numbers.

We are very happy that Elavon, Liaison, Prime Factors, and Protegrity have sponsored this white paper! We could not spend the hours of research required for a project like this without help from sponsors, and we are grateful for their support.
You can get a copy of the paper from our sponsors, from our Research Library, or directly: TokenGuidance-Securosis-Final2.pdf

Index of Posts

  • Tokenization Guidance (new series)
  • Tokenization Guidance: PCI Supplement Highlights
  • Tokenization Guidance: Merchant Advice
  • Tokenization Guidance: Audit Advice


Friday Summary, December 9, 2011

As Rich announced, we are shaking up the Friday Summary a bit. We will still talk about what we are up to. And we’ll share some of our personal – possibly security related – stories in the Summary. But we will focus on fewer stories with more analysis of interesting news items. Honestly, we’ll likely sneak in security news as well – it just depends on whether we see interesting stuff.

Story of the week: DNSCrypt

The big news this week is the ‘preview’ release of DNSCrypt from the OpenDNS group. As its name implies, DNSCrypt is a tool to encrypt Domain Name Service lookups to avoid eavesdropping and deter Man-in-the-Middle (MitM) attacks and tampering. Note that this is not DNSSEC, which was designed to enable users to detect tampering, and to authenticate DNS answers. DNSSEC was not designed to encrypt DNS requests, which leaves requests unprotected from monitoring by ISPs and other parties; DNSCrypt fills this gap by encrypting requests and responses.

I understand from the press release that this is currently a Mac OS X only package, so Windows and Linux users will have to wait. The installer is dead simple and the configuration settings are conveniently placed into the ‘Other’ section of System Preferences. And I can tell you this is one of the few End User Licensing Agreements I have ever read because, in a very Securosis-like style, there is no lawyer BS included. Took about a minute to download and another to install, and no restarts were required. I ran OpenDNS with DNSCrypt enabled, both over SSL on port 443 and without, and did not notice any performance difference. The packets appear to be encrypted as advertised – but they could be using a ROT13 cipher for all I know, given the minute I spent looking at the stream. I have not, and probably will not, review the source code – I assume there are better qualified people with more free time on their hands (i.e., those not filling the Nexus with great new content) who will.
And I look forward to hearing what the community thinks about the implementation, as I think this will be a highly sought-after addition for those interested in security and privacy.

The key takeaway here is that DNS requests should be safe from spying and MitM, provided someone cannot impersonate the DNS service. There is a small but real chance of this. For average users this is a very real advance in security and privacy! If you’re an IT manager you should check it out and see how well it performs for you. There may be issues – it is an early release product after all – but this dead-simple tool enhances security.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Mike’s Dark Reading post on Work and Play in Security.
  • Adrian’s DR post on DAM.
  • Rich quoted on Carrier IQ.
  • Don’t tell Rich, but somebody thinks he’s an ‘influencer’.

Securosis Posts

  • Incite 12/6/11: Stinky.
  • Friday Summary: Big Changes and Carrier IQ.

Favorite Outside Posts

  • Mike Rothman: Best Job Description Ever. This is how security folks should think about their jobs. Kudos to Quicken Loans for making their philosophy on security very clear, before applicants start the hiring process. It doesn’t hurt that their ideas are right on the money. (h/t Alex Hutton)
  • Adrian Lane: Ask Slashdot: To Hack or Not To Hack. How many times have I said that in the ‘landgrab’ for mobile payments, security is left on the roadside, thumb in the air? You don’t have to guess too hard who this is!

Project Quant Posts

  • DB Quant: Index.
  • NSO Quant: Index of Posts.
  • NSO Quant: Health Metrics–Device Health.
  • NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
  • NSO Quant: Manage Metrics–Deploy and Audit/Validate.

Research Reports and Presentations

  • Security Management 2.0: Time to Replace Your SIEM?
  • Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
  • Tokenization vs. Encryption: Options for Compliance.
  • Security Benchmarking: Going Beyond Metrics.
Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Sripathi Krishnan, in response to last week’s Friday Summary.

Rich, I have been a lurker on your blog for a long time now. I am a developer by profession, and security is a small but important part of what I do. Consequently, I do not spend much time on twitter or other ‘new media’ to stay up to date on this field. Friday Summary and the Incite give me a great perspective and insight on this field. ‘Read these two columns, and you will not miss anything significant’ has been my attitude. I would definitely miss the random list of articles. Please don’t exclude that. I know you have been complaining that people don’t leave comments. I am guilty of that. Hopefully, this comment of mine can influence you to not change the Friday summary too much. Thanks for the great work!

And thank you for the great feedback!


Mobile Payments without Credit Cards

The San Francisco Chronicle ran an interesting story about a small payment processing firm that is trying to disintermediate credit card companies. But they are doing it the old fashioned way – cutting out the middleman and going direct to banks to move money for them. Dwolla is a start-up payment processor providing person-to-person payment via mobile and social media outlets. Their hook is providing payment at a substantially reduced commission – just twenty-five cents ($0.25) per transaction. Compare that to credit card companies that charge a flat 3%, or PayPal, who charges thirty cents per transaction in addition to 2.9% (less 2.2% for volume sellers). Dwolla’s offering can be viewed as similar to PayPal’s or an ATM transaction, but ATM fees have escalated into the $3-10 range.

With mobile payment in its infancy, this space is a greenfield for startups and established players to redefine what’s possible. Credit card companies have been talking up the benefits of mobile payments for years as an easier and more pleasurable shopping experience – but today many of their solutions have not yet been delivered to the market. The promised benefit to merchants is rather nebulous growth in “customer loyalty” and data on purchasing history. Cold hard cash would be preferable, which is why I think many small merchants are going to like Dwolla’s offering. When it comes down to it 3% may not sound like much, but it’s a lot of money for many merchants struggling to be competitive. Popular sentiment doesn’t hurt either, especially in light of consumer dissatisfaction with credit card companies (despite overall credit card use going up), and many halting use of cards because they make spending too easy.

As far as security goes, not much information is available on Dwolla’s security model for establishing user identity. What’s described sounds similar to existing models based on a combination of device (phone) verification, a password, and location-based services.
But it’s not their security model that interests me – it’s that this is one of the first upstarts I have seen really breaking the old mold of how payments are done, and it looks promisingly disruptive. The concept is not new, but it’s one of the first times someone has pulled off the direct-to-bank model and demonstrated a new concept of what mobile payments can be.

For banks willing to take some risk on the security and legality of person-to-person or mobile payments, Dwolla offers both a new revenue model and a means to strengthen customer relationships. Keep in mind that many banks offer credit cards expressly to be foremost in the consumer’s mind when looking for auto or home loans – loans being the principal source of bank revenue. While that sounds like a no-brainer, I can tell you from personal experience that most banks won’t touch this concept with a 20’ pole because of the risk to their banking charters in this heavily regulated sector. But the market usually rewards efficiency, and if someone can offer convenient payment services at a reduced cost they are likely to win market share in a hurry. Dwolla sounds like they have a recipe for success.


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.