Research

With Rich pretty much out of commission this week and my very last minute preparation for Source Boston underway, this week’s post with be a short one. Plus I need to install the current Mac OS X patches and reboot all of the computers in the house. That little bouncing icon is finally going to get it’s way. On that note, has anyone out there ever looked at the viability of polluting the Apple downloads? Every time I click one of these I am always uncertain why I trust it or how I could verify the contents if I really wanted to. But at the moment, that sounds like too much work to investigate. Perhaps I should simply remain happy and ignorant of the process. Webcasts, Podcasts, Outside Writing, and Conferences: Nothing. Nada. We have been oddly absent. Favorite Securosis Posts: Rich: Pass. (No, his favorite post this week is, of course, The Nugget Has Landed.) Adrian: While it is really too long to be a blog post, My Perspective on Data Security and the US Government is my favorite of the week. Favorite Outside Posts: Adrian: Thank goodness Mike Rothman wrote this, with typical humor and eloquence, to capture the essence of the recent Visa press releases and associated Network World article. We are all trying to decipher what exactly they are telling us, and speculating that there is a lot they are not telling us. No way I could have been this fair and even-handed. Rich: Pass. Top News and Posts: What? Greeks invade Malta? Oh, sorry, no, just a Trojan on a Server. In what is probably a non-news event, Cisco launched email security delivered as SaaS. Most of their major competitors are hosted or a service, but not both, so technically this is an advantage. My feeling is it provides the right migration path for current customers, but the real question is will they care? Is this really compelling enough for new customers to adopt? Firefox security patches available. Gmail CSRF attack: How big of a threat, really? More stock worries. Twitter Security Hole. Again? Wow. The largest financial institution in the world is now a penny stock. One of the funniest commentaries on “financial news” I have seen in a long time. Everywhere I go on line, there seems to be huge buzz being generated for Beatles Rock Band. Blog Comment of the Week from Stiennon: One question: Is she a Parrot Head? Congrats Rich and Sharon! She will be … we have tickets to go next weekend! Share:

Yesterday morning I read the article on The Tech Herald about the demonstration of a CSRF flaw for ‘Change Password’ in Google Mail. While the vulnerability report has been known for some time, this is the first public proof of concept I am aware of. “An attacker can create a page that includes requests to the “Change Password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker,” the ISecAuditors advisory adds. The Google response? “We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site. We haven’t received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.” Uh, maybe, maybe not. Last I checked, people still visit malicious sites either willingly or by being fooled into it. Now take just a handful of the most common passwords and try them against 300 million accounts and see what happens. How does that game go? Rock beats scissors, scissors beat paper, and weaponized exploit beats corporate rhetoric? I think that’s it. Share:

I am going to be in Boston Tuesday through Friday at the Source Boston event that runs March 11th through the 13th. I am presenting on Encryption and Enterprise Data Security on Thursday afternoon right after Jeremiah Grossman. This is my first Source Boston event, so I am looking forward to it. Let me know if you are going to be in town! I imagine that things will be fairly quiet on the blog next week. With Riley conducting an aggressive sleep deprivation campaign against Rich, I don’t think we are going to see or hear much from him, but I will continue to post on what I hear from the conference. Share:

Via Slashdot, I just ran across Didier Stevens post on how to automate the JBIG2decode vulnerability in PDF documents. There is a video on the site where he runs through three scenarios to exercise the vulnerability – Manually starting up Reader, viewing a thumbnail PDF, and then automatic execution by simply visiting the page with the malicious document through Windows Explorer Shell Extensions, and shows you the results in the debugger. It’s worth the view. When you install Adobe Acrobat Reader, a Column Handler Shell Extension is installed. A column handler is a special program (a COM object) that will provide Windows Explorer with additional data to display (in extra columns) for the file types the column handler supports. The PDF column handler adds a few extra columns, like the Title. When a PDF document is listed in a Windows Explorer windows, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title, Author. I also ran across another technical analysis here. As you don’t need to do anything other that drop onto an infected site, this is a pretty serious issue. There is supposed to be a patch available later this month. The more I look at this, the more I think it may be a good idea to disable Reader until there is a patch. There are some instructions on how to do this on the PC Mag site, and some additional information you might find helpful as well. Share:

A couple days ago I posted some thoughts on Data Security and the US Government, how I perceive the role of Cybersecurity, and what I suspected would be a difficult challenge as the Cybersecurity team was set up at cross-purposes with the intelligence community. Today the Wall Street Journal released an article on the resignation of National Cybersecurity Chief Rod Beckstrom. In a case of “even a blind squirrel occasionally finds a nut”, my estimate of internal conflict appears to already be going on. In his resignation letter, Mr. Beckstrom stated that the “NSA currently dominates most national cyber efforts” and “The intelligence culture is very different than a network operations or security culture”. The WSJ focuses on privacy and separation of power issues with additional comments from Mr. Beckstrom: “the threats to our democratic process … if all top level network security and monitoring are handled by any one organization”. The resignation letter has a different feel and focus, pointing out that there was a general lack of support for the NCSC, and the specific ways Beckstrom feels his organizations was subjugated. If you have interest in this subject, you will want to read his resignation letter, as it contains more information. It also lists a couple methods by which the NSA can subtly (sneakily?) affect the effectiveness of Cybersecurity efforts that I did not mention in my post. Quite frankly I am surprised that the National Cybersecurity Center could somehow manage to only get 5 fully funded days of operation, but if true, this demonstrates the challenges faced by NCSC. This could get ugly unless both sides understand that each organization can benefit the other, and realize the goals and agendas do not necessarily need to be at the expense of each other. Concessions have to be made, otherwise this is an expensive and ugly turf war and the entire security problem- which is quickly becoming a US government security problem- continues to fester. Share:

During the recent podcast I did with Rich, I made a couple throw-away comments about the selection of Melissa Hathaway as cybersecurity advisor. A lot of ideas went into those comments and a few articles that I have read that brought to the fore several issues I have had ideas rolling around in my head for the last couple of years. In fact I have written this post a couple of times over the last year and deleted it because I thought it would be perceived as too political. My goal is not political commentary rather trying to provide perspective about the evolution of data security, but sometimes the two are linked so tightly together it is difficult to fully separate. The subject I want to discuss is the general state of basic underlying security of our electronic infrastructure, and the role that the government plays in Cyber Security. What got me going on this subject yet again was several articles that I ran across in the last month. The first was an article referenced by Bruce Schneier’s blog on The Register that talks about the NSA’s attempt to eavesdrop on Skype, which I am not sure they confirmed but highly believable. The second is the appointment of Melissa Hathaway, and while it is only being hinted at in this piece by USA Today, her comments indicate efforts at odds with other US intelligence organizations. The final article that urged me to rewrite this post was the following piece on Wired’s Threat Level Blog that the NSA wants to oversee cybersecurity. There is a strange push and pull going on here, because part of our government wants our entire electronic infrastructure to be both secure and private. They recognize the the Internet is a huge global marketplace for science and commerce, and is often leveraged by public entities as well, therefore it is in our best interest to have it secured to protect citizens & organizations alike. This is echoed in Hathaway’s comments. Conceptually this would reduce fraud globally, which costs companies billions of dollars every year. On the other side of the coin, strong electronic security makes intelligence gathering through eavesdropping difficult to impossible, and often requires secondary assistance to gather (insider cooperation, back doors in code and devices, cracking, etc) the same information, only at a higher cost. So what’s the problem? Good security on communications and infrastructure worldwide makes intelligence gather much, much harder. The people I have spoken with who have worked for or with US & British Intelligence organizations all share the same view that a secure communications infrastructure is facing stiff challenges from within our own government. A few years ago, Mr. Stephen Squires, who is/was at the time Chief Scientist for HP, spoke at Stanford Luncheon I attended about the evolution of computer security in the US. In a nutshell, he felt that cryptography would have solved most of the issues of privacy and security we have today, and today’s vendors with their point solutions were less than Band-Aids on gunshot wounds. Encryption could have easily been built into routers, phone switches, Ethernet cards and the like to ensure safe data transmission. Encryption could have been built into business applications to offer considerably higher security for data in motions and data at rest. He went on to say this was “discouraged” in various direct and indirect ways by our own government. He cited many examples of influence; the way bids are done, project specifications, funding, public-private partnerships, and most notably, US export controls on cryptography. A decade ago this was a common topic most of the crypto guys I have had the pleasure of meeting, and they were mostly frustrated by the US’s unwillingness to have all data and communications encrypted and secured. For those of you not familiar with what I am talking about, in the mid-90s, you could obtain cryptographic algorithms in papers and textbooks, but if you shipped encryption technology, you were going to be brought up on charges for illegal disbursement of munitions. When I got my first real job involving security, I had to be careful that I did not accidentally include a foreign national on the “CC:” line of an email that included the Blowfish variant we were working on as I could have been arrested. It’s code, for &!^@ sake! But the US Government was quite serious about this and has hindered the deployment of some security technologies on national infrastructure as well as allowing exportation, and have done little to lead in an area where they are in a perfect position to set an example for private industry. I am not sure what degree the majority of security professionals out there understand how rabid our government intelligence agencies are about encryption, but many historians view US victory in WW2 was due in large part to breaking the Japanese encryption codes, as well as the British efforts to reconstruct the Enigma cipher. While these are nice historical references, few are aware of more recent cases with the British in Falklands war and governments in the middle east were breached by the ability to break or bypass cryptography. This lesson is not lost on the Intelligence community, and who I would expect nothing less than to look for any advantage they can get. What is good for business security is considered bad for our spies. The concept from the governmental perspective was the benefits that the US Intelligence Services derive from lax security and encryption was a huge competitive advantage, so impediments into quality encryption technologies being widely available was to be discouraged. And when I have this discussion with people, they are usually thinking about Echelon, or the PROMIS variants that perform data analysis, but just two angles of using intelligence. We read all the time about Chinese or Russians breaking into US Government computers; is there some compelling reason to think this is not going on in the other direction? Another way to think about

Off-topic post … My wife is constantly reading about the banks and lending institutions, and likes to read to me every gory detail she learns. Occasionally I do listen. About a month ago she made the comment “If the banks do go under, we’ll have to go back to cash. That will be strange.” I thought about it for a while and I realized just how true that was. I seldom carry cash. I do a lot of my shopping on the Internet. Can’t really do that with cash very well. I used the credit card for everything … even the occasional Starbucks triple-shot-Hoff-inspired-venti-iced-coffee-with-splenda-shaken-not-stirred gets a credit card swipe. Then my wife says “Let’s see if we can go for a month without spending on the credit card. Just cash!” Being the contrarian that I am, I decided “What the heck, let’s try it.” We failed miserably. The whole thing about spending cash is you have to go somewhere and get cash before you can spend cash. An important small step. We had a minor medical emergency and we were not about to slow down and get cash first. When you take enough out to cover expenses, the bank teller’s get weird and antsy like you are doing something wrong. Trying our best, by the end of the month, we looked at the results, and we were only 60% credit card, 40% cash by dollar amount. But overall, our spending and it was down quite a bit. While we hear about how much easier psychologically it is to spend money when it’s not cash, I see just how true that is. Either you reel yourself in because you are not sure you have enough cash on you, or you feel a little more attached to the money that the concept of money and hold back on some purchases that are not necessary. So we are going to try it again this month, and we think we can reverse this to 60% cash, 40% CC. I have never been mugged. I have never had my wallet stolen, and I am not really worried about carrying some cash around. I have had fraudulent charges on my credit card, more than a dozen times, and I am constantly worried about my bill having bogus charges. I usually state that the reason I use credit cards so much is that I have reduced risk. Lost or stolen, I am only liable for $50.00. Airline tickets and hotels are a nightmare without a credit card. And I would never buy something on line without the ability to shield myself from bogus merchants. But my perspective has changed that, given most common situations, cash has a lower risk than credit and changed my behavior in a positive way. It’s been an interesting experiment, and I think we are going to keep doing it for a while. Share:

Securosis has expanded. Just got an email from Rich: “Say hello to Riley Marie Mogull. 6lbs 15oz. Sharon made it without meds- she’s my hero” Rich, on the other hand, needed sedation. Help me congratulate Rich and Sharon on the arrival of their first child! Share:

It’s Friday again and time for the summary. It’s been a yin & yang kind of week for me, with mixed blessings and curses all around. On the down side, Friday is always the day for bad news. It’s the day that Fannie Mae, Countrywide and others announce impending disaster so as to lessen the impact on the market. I just have to wonder if they learned that from Office Space. Based upon what I am seeing in the press, and some things here in Arizona, this Friday will be no exception as I expect there to be another big bank announcement. Four friends have lost jobs in the last week and are struggling to find any work, and I am going to have to help a friend move this weekend because their house is going back to the bank. One person I know had someone access their bank account with a fake ATM card, and my next door neighbor got a call Tuesday from Wells Fargo as someone was trying to make a “Phone Cash Advance” on their account. And yet another indication that the system is broken is the credit shell game, with Experian no longer willing to sell credit scores to consumers. Technically, they were not doing it before, but when pushed to sell consumers the real FICO scores, instead of the “FAKO’s” they have been providing, they decided to bow out. Should we just go back to cash? That would solve a lot of problems. On the positive side we here at Securosis are in a very good mood and have high hopes for the future. Principal among the reasons for this is we are officially on “Nugget watch”, or rather we are waiting for the little Mogull to arrive soon. Mom is in good health and spirits while Rich is furiously decorating, arranging and preparing for the arrival. Male nesting … it’s simultaneously cute and sad to watch. But I have to say, the baby’s room looks great! Stay tuned as I will post something as soon as I hear more news. I had several conversations with different SIM/SEM vendors this week and I view the changes as positive. It’s no longer “Gee, look at all this neat data we have” nor trying to convince customers how great aggregation is (gaak!), and more about using that data to solve business problems and building some intelligence into the products. Rich and I are seeing some very cool things happening around encryption and key management that should make a lot of people very happy, and we will begin the encryption series we promised in the next couple weeks. And it looks like Motorola found some loose change under the couch, spinning out Good Technology to Visto; Visto should be able to put the technology to good use. That’s all positive! Rich & I are both wrapping up a couple of interesting projects and about to commence on new ones as well so things are busy. I am even starting to get excited about going to Source Boston and seeing a bunch of friends. Maybe we will even get to see where Mr. Hoff lands! Rolling into the weekend I am focused on the positive, so here it is, the week in review: Favorite Securosis Posts: Rich: A Very Revealing Statement by the PCI Council. Adrian: Thinking positive, Netezza buying Tizor is good for all parties. Favorite Outside Posts: Adrian: SEC Investigating the Heartland breach. Rich: Microsoft confirms Zero-Day. Top News and Posts: PCI Council announced ranked security and milestones Top Ten Web Hacking Techniques 2008, now official! More happy news: Flowers for Pirate Bay Witness’ Wife. Fuzzing for Fun & Profit on CGISecurity. Kindle 2 looks awesome. Comments here and here. Why we have spring training: Adobe “swings and misses” with PDF vuln. Virtualization: Disruptive Technologies and Security In GM’s continuing effort to go out of business no matter how much money is thrown at them: it also wanted to account for a possible tilt toward sales of bigger vehicles if gas prices remained at current levels in coming years.” Wow. With leadership like that, who needs enemies. Blog Comment of the Week: Allen Barronov on Will This Be The Next PCI Requirement Addition: If you are putting money down I’ll take you up on it let me just get some poor sucker’s credit card details in case I lose. On a serious note: DLP is very reactive. One advantage is that your CEO doesn’t have to say (quoting from Bob Carr) “we were alerted by Visa” which sounds very weak and can really be read as “we had no idea that people stole information from us until someone else told us about it”. This is apparently quite normal. Proactive is to analyse the entire PCI process from start to end and secure it accordingly. A few companies that I have had the privilege of working for have firewalled their “process network” off from their main business network. The reason to do this is really to protect availability. If a virus hits the business network then the (real) money making part of the business can still function – there may be pain but the gadgets still get made/gathered/fixed/etc. A payment processing business should think: PCI transmission is different from the normal network traffic and they should separate it accordingly. If Sue from Accounts gets a virus on her PC, it should not impact on PCI processing in any way (CIA). I really like DLP but it is not a cure for bad network design. I guess the answer is layers. Good network design (based on Business Processes) with DLP to catch the drips. “You know what else everyone likes? Parfaits.” Donkey in Shrek. Now, I am off for some more stealth photography. Share:

While both Rich and I predicted this would happen, I admit I am still slightly surprised: Netezza has acquired Tizor for $3.1M in cash. Netezza press release here, and While I do not see a press release issued from either vendor xconomy has the story here. Surprising in the sense that I would not have expected a data warehousing vendor to acquire a database monitoring & auditing company. My guess is it’s the auto-discovery features that most interest them. But like many companies that provide data management and analysis, Netezza may be finding that their customers are asking for security and even compliance facilities around the data they manage. In that case, this move could really pay off. I am certain that they were hoping for more, but $3M in cash is a pretty good return for their investors given the current market conditions and competitiveness in the DAM market. While it is my personal opinion, I have never considered the Tizor technology a class leading product. It took them a very long time to adapt the network monitoring appliance into a competitive product that met market demand. Their audit offering was not endorsed by companies I know who have evaluated the technology. They had some smart people over there, but like many of the DAM competitors, they have struggled to understand the customer buying center and have lacked the laser focus vision of some of the vendors like Guardium have demonstrated . But they have made consistent upgrades to the product and the auto-discovery option last year was a very smart move. All in all, Netezza is getting value, and the Tizor investors about $3M more than they would have gotten a few months from now. I have to admit that my timing of these events has been wrong … I thought that this transaction would have happened at/by the end of last year, and I am waiting for more still. But the DAM vendors who are not profitable have a huge problem that move to quickly and you kill your value. Move too slowly and you are out of business. Sometimes the due diligence process takes a while. Check back later as I will update the post as I hear more, of if Rich weighs in on this subject. Share: