Research

I was in Chicago this week for the Tech Target ISD event giving a presentation on Information Centric Security. Like most of the people who flew in from other parts of the country for this event, we were so focused on the election and getting out to vote before we flew in, that we completely missed the fact that Obama would be speaking about a mile from the Hyatt Regency at McCormick Place. Most of us simply forgot that this was Obama’s home, and that Grant Park would be the likely place for any speeches that were to be given. Dave Mortman was kind enough to show Adam Dodge, Andy the IT Guy, and myself around, and take us to dinner at the Russian Tea Room off Adams street. When we were done with dinner around 8:30, we wandered over to Michigan Avenue for some people watching. The crowd was just starting to build, with thousands of people walking down the street to the entrances of Grant Park. While early, there was no doubt about the outcome for the attendees at this point. The most amazing thing was the sense of energy and genuine elation in the crowd as they walked down the street. Not the wild frenzy you get in New York when the Yankees win a pendant, but more a feeling of relief and joy than anything else. We booked it back to the Hyatt and watched the election results, and Obama’s subsequent speech, on television before calling it a night. I am very glad that I got a chance to be there, albeit on the periphery, as the mood & energy of that crowd was something I have never experienced before. All in all a very nice trip, and hats off to the Tech Target team for putting on such a well run, professional event. The only downside of the whole week was my Southwest flight having to make an unscheduled stop due to running out of fuel(!!!!), and having to present opposite Captain Virtualization on Wednesday morning. Oh, one minor point of interest. While I was at the Hyatt, I noticed that the hotel has a new revenue model: Tel-evator. This is a little marketing device television that they are putting into the elevators to deliver targeted marketing to conference attendees while they take the ride to and from their rooms. Being a security guy, as well as someone who gets annoyed at marketing messages constantly shoved at me, I was thinking “how could I hack this”. In the one minute ride I got as far as determining these little devices are nothing more than laptops running Windows Vista, with content being pushed over the 802.11 wireless connection, before I had to go to the conference. That night when returning to my room, I saw that someone else had the same idea. The ‘Tel-evator’ was now at an MS-DOS prompt, running a script, before rebooting into Vista. Beaten to the punch I guess. If you were the one who hacked the system, shoot me an email and let me know what you found. It was a relatively quiet week on the security front, with no major disasters or announcements. And from what I hear, Comrade Mogull is alive and well. Webcasts, Podcasts, and Conferences: Rich is giving a presentation at a conference in Moscow this week. I was in Chicago at the TechTarget ISD event giving a presentation on the Information Centric Security Lifecycle. Favorite Securosis Posts: Rich: Somehow he manges to work scales, skeletons and Barbie into this discussion on the effect of publicly available personal information, in the future of privacy and politics post. Adrian: It’s long, but there is plenty of food for thought in the DAM: Event Collection Options post. Favorite Outside Posts: Adrian: The original reports of Mike Rothman being MIA, and subsequent rumored sighting of him at a Jimmy Buffet concert walking around in a giant foam parrot suit are unfounded. Eyewitness accounts place him in Chicago this week at the ISD conference. While the parrot suit might have been more flattering than the eIQ polo shirt he was seen wearing, Mike’s health and well being are no longer in doubt. Rich: No reason to dance around it; browser security is pretty bad. Jeremiah discusses a rational and pragmatic approach to addressing Browser Security issues from both the outside and the inside. Top News: Obviously the big news this week is Obama winning the election, and his process of filling out his staff and devising an economic plan to turn the economy around. The economy is still plunging, and despite falling oil prices, we are seeing stocks continue to fall. Craigslist comes of age. Interesting piece on Express Scripts receiving an extortion threat from unknown parties who breached their database. Just ran across this article on CNET about WPA being cracked. Don’t know if this is legit yet. [Pepper adds: Check out Glenn Fleishman’s analysis at Ars Technica] Blog Comment of the Week: Tod on the Felon Database post: “You know that Felonspy.com is a joke, right? More specifically, it’s almost certainly political satire of the sex offender databases.” I do now, Tod- I do now. Share:

Most of you probably have a friend like mine, someone who forward you every joke, video and picture they find amusing to their friends list. Sometimes humorous, I still look through all of the emails. Buried in the daily offering was the following link for a site called FelonSpy that I found somewhat fascinating. It was kind of like a reality TV show; insipid, but just different enough I had to check it out. First thing I have to mention is that the data is bogus. Click the ‘Search’ button a few times in a row with the same address and you will see that the graphs are random. I have felons appearing and then disappearing on raw BLM land down the road from me. And if you change the address often enough, you will see the same names and crimes appear over and over in different states. Whatever the real case is, this explanation is bull$!^#, and makes me believe that the entire site is bogus. Still, if the data was real, do you think this is a valuable tool? Would it help you with safety and security? Being someone who had a recent event that has changed my approach to personal safety, this sort of thing is on my mind. Part of me thinks that this type of education helps people plan ahead and react to threats around them. But once it became obvious the data was bogus, I started thinking about people I knew in my area that had criminal backgrounds; the startling discovery that half of the people I know who have criminal backgrounds are some of the nicest and most trustworthy people I know in the area! Some I don’t trust, most I do, which is a slightly better percentage than when I meet random strangers in public. It seems to me this type of technology blindly creates a virtual scarlet letter of sorts, and is an unreliable indicator of good or bad. It probably does not help anyone be more secure- instead listing events that feed paranoia and fear, but still inadequate to make any sort of valid assessment. Share:

‘During several recent briefings, chats with customers, and discussions with existing clients, the topic of data collections methods for Database Activity Monitoring has come up. While Rich provided a good overview for the general buyer of DAM products his white paper, he did not go into great depth. I was nonetheless surprised that some people I was discussing the pros and cons of various platforms with, were unaware of the breadth of data collection options available. More shocking was a technical briefing with a vendor in the DAM space who did not appear to be aware of the limitations of their own technology choices … or at least they would not admit to it. Regardless, I thought it might be beneficial to examine the available options in a little greater detail, and talk about some of the pros and cons here. Database Audit Logs Summary: Database Audit Logs are, much like they sound, a log of database events that have already happened. The stream of data is typically sent to one or more files created by the database platform, and may reside at the operating system level or may be contained within the database itself. These audit logs contain a mixture of system resource recordings, transactional events, user events, system events, and other data definitions that are not available from other sources. The audit logs are a superset of activity. Logging can be implemented through an agent, or can be queried from the database using normal communication protocols. Strengths: Best source for accurate data, and the best at ascertaining the state of both data and the database. Breadth of information captured is by far the most complete: all statements are captured, along with trigger and stored procedure execution, batch jobs, system events, and other resource based data. Logs can capture many system events and DML statements that are not always visible through other collection methods. This should be considered one of the two essential methods of data collection for any DAM solution. Weaknesses: On some platforms the bind variables are not available, meaning that some of the query parameters are not stored with the original query, limiting the value of statement collection. This can be overcome by cross-referencing the transaction logs or, in some cases, the system tables for this information, but at a cost. Select statements are not available, and from a security standpoint, this is a major problem. Performance of the logging function itself can be prohibitive. Older versions of all the database platforms that offered native auditing did so at a very high cost in disk and CPU utilization- upwards of 50% on some platforms. While this has been mitigated to a more manageable percentage, if not properly set up, or if too much information is requested from high transaction rate machines, overhead can still creep over 15% unless carefully deployed. Not all system events are available. Network Monitoring Summary: This type of monitoring offers a way to collect SQL statements sent to the database. By monitoring the subnet, network mirror ports or TAPS, statements intended for a database platform can be ‘sniffed’ directly from the network. This method will capture the original statement, the parameters, and the returned status code, as well as any data that was returned as part of the query operation. Typically an appliance-based solution. Strengths: No performance impact to the database host, combined with the ability to collecting SQL statements. On legacy hardware, or where service level agreements prohibit any additional load being placed upon the database server, this is an excellent option. Simple and efficient method of collecting failed login activity. Solid, albeit niche applicability. Weaknesses: Misses console activity, specifically privileged user activity, against the database. As this is almost always a security and compliance requirement, this is a fundamental failing of this data collection method. Sniffers are typically blind to encrypted sessions, although this is still a seldom used feature within most enterprises, and not typically a limiting factor. Misses scheduled jobs that originate in the database. To save disk space, most do not collect the returned data, and some products do a poor job of matching failed status codes to triggering SQL statements. “You don’t know what you don’t know”, meaning that in cases where network traffic is missed, mis-read or dropped, there is no record of the activity. This contrasts with native database auditing where some of the information may be missing, but the activity itself will always be recorded. OS / Protocol Stack Monitoring Summary: This is available via agent software that captures statements sent to the databases, and the corresponding responses. The agents are deployed either in the network protocol stack, or embedded into the operating system to capture communications to and from the database. They see an external SQL query sent to the database, along with the associated parameters. These implementations tend to be reliable, and low-overhead, with good visibility into database activity. This should be considered a basic requirement for any DAM solution. Strengths: This is a low-impact way of capturing SQL statements and parameters sent to the database. What’s more, depending upon how they are implemented, agents may also see all console activity, thus addressing the primary weakness of network monitoring and a typical compliance requirement. They tend to, but do not always, see encrypted sessions as they are ‘above’ the encryption layer. Weaknesses: In rare cases, activity that occurs through management or OS interfaces is not collected, as the port and/or communication protocol varies and may not be monitored or understood by the agent. System Tables Summary: All database platforms store their configuration and state information within database structures. These structures are rich in information about who is using the database, permissions, resource usage, and other metadata. This monitoring can be implemented as an agent, or the information can be collected by a remote query. Strengths: For assessment, and for cross referencing status and user information in conjunction with other forms of monitoring. Weaknesses: Lacks much of the transactional information typically needed.

‘This story has it all … theft of State Department data, forged credit cards, multi-government branch conspiracy, and murdered suspects. Sounds like an afternoon soap opera more than a Stolen Passport Data story from the Washington Post: … On March 25, D.C. police officers on a routine patrol stopped a car on the suspicion that its windows were excessively tinted, an apparent violation of city law. Smelling marijuana, the officers searched the car and discovered that the 24-year-old driver was carrying 21 credit cards not in his name and printouts of eight passport applications – and that four of the names on the passport applications matched the names on four of the credit cards … But the investigation was hampered because Harris was fatally shot while getting into his car in Northeast Washington on April 17, just days after appearing in court on fraud charges and shortly after he agreed to cooperate in the probe … The passport applicant database, given the type, quality and quantity of data contained therein, is like winning the identity theft lottery. The State Department has some ‘splainin to do! Share:

‘Rich forwarded me the RSA Wireless Security Survey for 2008 that was just released this morning. The cities that they scanned were Paris, London & New York. Public hotspots — designed to allow anyone with a wireless device to access the Internet on a pay-as-you-go or pre-paid basis — continue to grow in prevalence across all three cities, and in each case the growth of available hotspots accelerated significantly in 2008 compared with development in the preceding year. Paris saw the largest jump, with numbers increasing by over 300% and comfortably outstripping the comparative growth in New York City (44%) and London (34%). However, New York City remains the leader in regards to its concentration of hotspots. At 15%, New York City is well clear of London where just 5% of wireless access points were found to be hotspots. In Paris, hotspots represented 6% of all the access points we located. It is interesting to compare the year over year changes, and to see what kind of encryption is being employed. It’s certainly worth a review, and a little vendor hype is to be expected, but there are two things that worry me about survey’s like this. First, the public perception that if the connection is encrypted that all is safe. Unless there is a shred secret or some other type of protection, most of these systems are vulnerable to man-in-the-middle attacks. Second is that the rogue hotspots are difficult to detect, which is the de-facto method for wireless man-in-the-middle. If your an IT manager, you have very little way to assess risk from this report, so just assume wireless hotspots are compromised and that you need to deploy a system to thwart these attacks on externally accessible corporate WiFi. And as an end users, if you think you are safe just because you have established an encrypted connection at Starbucks, think again. The guy in the tiny corner apartment overlooking the store makes his living by sniffing personal information and passwords. Share:

I was asked about the recent post by Pete Finnigan regarding the APEX vulnerability that he discovered, was part of the recent Oracle CPU, and Pete elaborated upon in a recent post. Pete is one of the best in the business at Oracle security, so when he lists something as a vulnerability, people usually react. The question was why had I recommended applying the new Oracle CPU under normal patch cycles when this looked like a reasonably serious vulnerability. Why wait? You don’t need to wait, but if you are vulnerable to this attack, you probably have bigger issues that should have been addressed already. Specifically: Don’t leave development tools and accounts/environments on production databases, especially those that serve web content. Don’t leave development schemas and associated users/grants/roles on production database servers. This just adds to the complexity and potential overlooked security holes. Occasionally run checks for weak passwords. There are free tools available for most of the common database platforms like Oracle Password Checker, SQL Ping, Scuba and others (just be careful where you download them from), there are vendors that offer this for sale as part of their assessment suite (Fortinet, Application Security), or you can write your own. Some look for a small subset of known default passwords, so I recommend using one where you can edit the dictionary to adjust as you see fit. At least a couple of times a year, review the database accounts to see if there are accounts that should not be there, or if accounts that have execute privileges that should not. Once again, I believe there are free tools, vendor tools as well as scripts that are available from database user groups that will accomplish this task and can be customized to suit your needs. APEX is a handy development tool, but if you are a DBA or a security professional, reading Oracle’s description should make the hair on the back of your neck stand up: “APEX is operated from a web browser and allows people with limited programming experience to develop professional applications.” A powerful tool in the hands of inexperienced programmers sounds like handing out loaded guns. Patch if you think you are susceptible to this vulnerability, but for self-preservations sake, run some assessments to catch this class of vulnerability and not just this issue. Share:

I missed including this in the Friday summary. The Electronic Frontier Foundation is challenging the legality of telecom’s being granted immunity in their participation of NSA’s warrant-less spying on US citizens, claiming the executive branch of the government has overstepped it’s authority. Indirectly they will open the entire program up for scrutiny as well. EFF Senior Staff Attorney Kevin Bankston: “In our constitutional system, it is the judiciary’s role as a co-equal branch of government to determine the scope of the surveillance and rule on whether it is legal, not the executive’s. The Atto ey General should not be allowed to unconstitutionally play judge and jury in these cases, which affect the privacy of millions of Americans.” Seems to have a point. This is going to be a very interesting and very important fight for personal privacy, as well as an interesting inspection of the close relationship between industry and sections of our government. And this case will be argued in a political climate that has less 9-11 fear and more annoyance with corporations misbehavior, so I think that EFF will have traction and we will be seeing this in the headlines for some time. Share:

What did you think of the new MacBook? I think they are nice, I don’t want a new one bad enough to upgrade. I bought my MacBook last month knowing full well that they were going to release the new models on the 14th of this month, but the advancements would not be enough for me to wait. Most of the articles & analysis I read were a little harsh, with much of the focus on the price drop, or lack of drop, when I was focused on usability. Maybe they are right, and with the economic slowdown the price reduction is not enough to capture larger appeal and Apple will get hammered. Still, I think this is a nice advancement. I had seen the leaked photos of the Aluminum case and that looked a lot nicer and more durable that the plastic one; when you travel as much as I do, that seems to be a very nice upgrade. And as it has proven to be with my aluminum desktop cases, I am sure that the heat loss through the case itself will be valuable in keeping the machine cooler with faster processors that we will be made available in the future. If you have ever over-clocked machines before, you know how much Aluminum cases help dissipate heat and improve the lifespan of electronic components. The biggest problem I have with my MacBook is the mediocre video quality. It’s not just that the graphics card in the current model is under-powered, rather the color, contrast and sharpness it is just ‘Blah’! The new LED backlit display should solve much f this problem. Yeah, the graphics engine is a big boost as well, but really, what hard core gamer is going to use a laptop for a first person shooter? I thought not. I am going to call the Mini-display port a wash. Why? It will be awesome when attached to the new 24 inch monitor, no doubt about that. But how many MacBook owners are going to buy a $900.00 Monitor? If the analysts are complaining the price $999.00 point is too high for the MacBook, doubling the price makes this option miss the target buyer. Nice technology, perhaps not appropriate for the current generation of buyers. Personally I am glad that the BluRay player was not included in the new MB. This, in my opinion, is the current generation of Laserdisc players. Yes it offers better performance, but few want it. Did you see that only some 8 million Blu-Ray disks have been sold this year? They have sold almost that many Blu-Ray players if you take into account the current generation of Playstations; this is a dismal adoption rate. And if you are like me, I would rather have video on demand as it seems like a more dynamic & efficient way to get movies and television. And I am not lugging around Blu-Ray player that will probably be obsolete within months. All of which is in line with Apple’s strategy (http://www.apple.com/appletv/whatson/movies.html). That takes us to my one disappointment: Firewire. This is how I will hook up my Drobo. This is how I hook up my camera. This is how I update the maps on my Garmin. It’s fast. It’s nice to have the option. Sure I can get adaptor cables and use USB, but I would have preferred a dedicated port. Removing this was probably not such a good idea, and I wonder if we will see its return in future models. All in all, I think the MacBook made three steps forward and one back; couple that with a price drop and I say that is pretty darn good! Share:

Rich is off to see Jimmy Buffet in southern California and get some R&R, so I have blog duties this week. It’s briefing season in the analyst community. I probably should not be surprised given we typically launched our PR tours with my previous employers this time of year, but even Rich has been a little surprised with the volume of discussions. We have been in full swing with a packed calendar during the last couple of weeks and it shows no sign of letting up through November. If I am a little slow returning your email in the morning that is why. And I got to admit it is more interesting being on the receiving end of the equation that delivering the same information 100 times. The breadth of technologies and companies is very exciting, for me at least, and as a result I am digging deep into a number of technologies I have not had a chance to play with while working for a vendor. I have been seeing a lot of solid advancements from several companies, so that makes the calls interesting as well. I have to further comment on the comments last week that the OS X Server Wiki/Blog software we switched to internally has been great for us. For a small team like us the ability to collaborate and keep information centrally has been an great convenience as we can work independently yet still catch up on what the other is doing by scanning the internal blog and wiki. Easy to use and still more functions than we really need at this point. Highly recommended! The Drobo Rich ordered looks very, very cool … yes, I am jealous. Given the number of photos I have been taking I think I am going to order one as well. Going to hook it up between the iMacs via Firewire. I will keep you posted. On a personal note I was watching IronMan last night on DVD. Great movie. But how many of you saw the movie trailer with Samuel L Jackson at the end? No? Surprised the heck out of me that after the credits have finished, there is a little teaser was where no one … practically no one, would see it. Pretty cool! Oh, and Rich may have seen two coyotes in the park near his house, but I have discovered a ‘family’ of Tarantula’s living on my back porch. We were having drinks on the patio when this 7 inch fuzzy spider cruises by us a few nights ago. Last night a couple smaller ones were climbing the wall about 10 feet off the ground as if gravity simply did not apply to them. They are fascinating to watch. Webcasts, Podcasts, and Conferences: Nada this week for me. Favorite Securosis Posts: Rich: Your WPA-PSK Wireless Network is at Risk … If You Are An Idiot. Processing capacity is cheap and plentiful, and this is a new use for idle resources, but nothing more. Weak passwords are weak passwords. Adrian: Real life three stooges star in ‘Credit Card Craziness’. Favorite Outside Posts: Adrian: Over on the Network Security Blog, Martin has an excellent post on a topic that should get far more attention than it does: Why Is Your Company Storing Credit Card Numbers? Rich: Hoff continues to be ahead of the curve on developments in the Virtualization Security space, as well as coverage on the VMWare acquisition of BlueLane. VMWare may not have hired the Hoff, but they seem to be taking his advice. Top News: The Obama-McCain debate was Wednesday night. High definition television was not kind to John McCain. Stocks continue to fluctuate, with a nice early week rally as many investors ‘double-down’ on the firms they have confidence in. Oracle released their big fall patch update. BEA users take note! Did you hear? We are at risk of entering a recession! Really, I could not make this stuff up! Blog Comment of the Week: Jim Hietala’s comment on My “Will Database Security Vendors Disappear” post: I don’t know that database security market all that well, but it strikes me that all of the points you made can be applied to every individual security segment, including NAC, endpoint security, DLP, e-mail security, and on and on. Certainly the trust one applies to all, breadth of function in most cases applies, and too many choices I think does as well. Doesn”t bode well for the health of the security start-up market in the next couple of years   No Securosis company meeting this week, so I am off for a little recon work. More on this later. Share:

Rich and I got into a conversation Friday about database security, and the fate of vendors in this subsegment, in light of recent financial developments. Is it possible that this entire database security sub-market could vanish? Somewhat startled by the thought, we started going down the list of names, guessing who would be acquired, who was profitable, and who will probably not make it through the current economic downturn without additional investment- it seems plausible that the majority of today’s companies may disappear. It’s not just that the companies’ revenue numbers are slowing with orders being pushed out, but the safety blanket of ready capital is gone, and the vendors must survive a profitability ‘sanity check’ for the duration of the capital market slowdown. And that becomes even harder with other factors at play, specifically: Trust. The days of established companies trusting the viability of small security startups are gone. Most enterprises are asking startups for audited financials to demonstrate their viability, because they want to know their vendors will be around for a year or two. Most start-ups’ quarterly numbers hinge on landing enterprise clients, with focused sale and development efforts to land larger clients. Startup firms don’t keep 24 months of cash lying around as it is considered wasteful in the eyes of the venture firms that back them, and they need to use their money to execute on the business plan. As most startups have financials that make public company CFOs gasp for breath, this is not a happy development for their sales teams or their VCs alike. Breadth of function. Enterprises are looking to solve business problems, and those business problems are not defined as database security issues. Enterprises customers have trended towards purchase of suites that provide breadth of functions, which can be mixed and matched as needed for security and compliance. The individual functions may not be best of breed, but the customer tends to get pieces that are good enough, and at a better price. Database security offers a lot of value, but if the market driver is compliance, most of vendors offer too small a piece to assure compliance themselves. Too many choices. I do this every day, and have been for almost 5 years. It is difficult to keep up with all the vendors- much less the changes to their offerings and how they work- and get an idea of how customers perceive these products. Someone who is looking at securing their databases, or seeking alternative IT controls, will be bombarded with claims and offerings from a myriad of vendors offering slightly different ways of solving the same security problems. For example, since 2004 (or their more recent inception) I have been tracking these companies on a regular basis: Application Security Inc. Lumigent Imperva Guardium Tizor Secu o Sentrigo NGS Embarcadero (Ambeo) Symantec Quest IPLocks And to a much lesser extent: Phulaxis Idera DBi (Database Brothers) Nitro Security (RippleTech) SoftTree Technologies Chakra (Korea) Performance Insight (Japan) For DB security product vendors, there are just too many for a $70-80M market subsegment, with too large a percentage of the revenue siphoned off by ancillary technologies. Granted, this is just my list, which I used to track for new development; and granted, some of these firms do not make the majority of their revenue through sales of database security products. But keep in mind there are a dozen or so IDS/SIM vendors that have dabbled in database security, as well as the database vendors’ log analysis products such as Oracle’s Audit Vault and IBM’s AME, further diluting the pool. There have been services companies and policy management companies who all have claimed to secure the database to one extent or another. Log file analytics, activity monitoring, assessment, penetration tests, transactional monitoring, encryption, access control, and various other nifty offerings are popping up all the time. In fact we have seen dozens of companies who jump into the space as an opportunistic sortie, and leave quickly once they realize revenue and growth are short of expectations. But when you boil it down, there are too many vendors with too little differentiation, lacking implicit recognition by customers that they solve compliance issues. Database security has never been its own market. On the positive side it has been a growing segment since 2002, and has kept pace almost dollar for dollar with the DLP market, just lagging about a year behind. But the evolutionary cycle coincides with a very nasty economic downturn , which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those who earn most of their revenue from other products or services may be immune, but DB security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire sales, or bankruptcy, depending upon how and when they act. Rich will give his take tomorrow, but although both of us believe strongly in the value of these products, we are concerned that the combination of market forces and economic conditions will really hurt the entire segment. Share: